solidus_auth_devise_devise_token_auth 2.1.0

data/lib/views/frontend/spree/user_registrations/new.html.erb

@@ -0,0 +1,21 @@
+<% @body_id = 'signup' %>
+
+<%= render 'spree/shared/error_messages', target: resource %>
+
+<div id="new-customer">
+  <h6><%= Spree.t(:new_customer) %></h6>
+
+  <div data-hook="signup">
+    <%= form_for resource, as: :spree_user, url: spree.registration_path(resource) do |f| %>
+      <div data-hook="signup_inside_form">
+        <%= render partial: 'spree/shared/user_form', locals: { f: f } %>
+        <p><%= f.submit Spree.t(:create), class: 'button primary' %></p>
+      </div>
+    <% end %>
+    <%= Spree.t(:or) %>&nbsp;<%= link_to Spree.t(:login_as_existing), spree.login_path %>
+
+  </div>
+
+</div>
+
+<div data-hook="login_extras"></div>

data/lib/views/frontend/spree/user_sessions/authorization_failure.html.erb

@@ -0,0 +1,4 @@
+<div style="height:50px; padding-top:20px;">
+  <strong><%= Spree.t(:authorization_failure) %></strong>
+</div>
+<!-- Add your own custom access denied message here if you like -->

data/lib/views/frontend/spree/user_sessions/new.html.erb

@@ -0,0 +1,13 @@
+<% if flash[:alert] %>
+  <div class="flash errors"><%= flash[:alert] %></div>
+<% end %>
+
+<% @body_id = 'login' %>
+<div id="existing-customer">
+  <h6><%= Spree.t(:login_as_existing) %></h6>
+  <div data-hook="login">
+    <%= render partial: 'spree/shared/login' %>
+    <%= Spree.t(:or) %>&nbsp;<%= link_to Spree.t(:create_a_new_account), spree.signup_path %> | <%= link_to Spree.t(:forgot_password), spree.recover_password_path %>
+  </div>
+</div>
+<div data-hook="login_extras"></div>

data/lib/views/frontend/spree/users/edit.html.erb

@@ -0,0 +1,14 @@
+<%= render partial: 'spree/shared/error_messages', locals: { target: @user } %>
+
+<div id="edit-account">
+  <h1><%= Spree.t(:editing_user) %></h1>
+
+  <div data-hook="account_edit">
+    <%= form_for Spree::User.new, as: @user, url: spree.user_path(@user), method: :put do |f| %>
+      <%= render partial: 'spree/shared/user_form', locals: { f: f } %>
+      <p>
+        <%= f.submit Spree.t(:update), class: 'button primary' %>
+      </p>
+    <% end %>
+  </div>
+</div>

data/lib/views/frontend/spree/users/show.html.erb

@@ -0,0 +1,43 @@
+<h1><%= accurate_title %></h1>
+
+<div data-hook="account_summary" class="account-summary">
+  <dl id="user-info">
+    <dt><%= Spree.t(:email) %></dt>
+    <dd><%= @user.email %> (<%= link_to Spree.t(:edit), spree.edit_account_path %>)</dd>
+  </dl>
+</div>
+
+<div data-hook="account_my_orders" class="account-my-orders">
+
+  <h3><%= Spree.t(:my_orders) %></h3>
+  <% if @orders.present? %>
+    <table class="order-summary">
+      <thead>
+      <tr>
+        <th class="order-number"><%= I18n.t(:number, scope: 'activerecord.attributes.spree/order') %></th>
+        <th class="order-date"><%= Spree.t(:date) %></th>
+        <th class="order-status"><%= Spree.t(:status) %></th>
+        <th class="order-payment-state"><%= Spree.t(:payment_state) %></th>
+        <th class="order-shipment-state"><%= Spree.t(:shipment_state) %></th>
+        <th class="order-total"><%= Spree.t(:total) %></th>
+      </tr>
+      </thead>
+      <tbody>
+      <% @orders.each do |order| %>
+        <tr class="<%= cycle('even', 'odd') %>">
+          <td class="order-number"><%= link_to order.number, order_url(order) %></td>
+          <td class="order-date"><%= l order.completed_at.to_date %></td>
+          <td class="order-status"><%= Spree.t("order_state.#{order.state}").titleize %></td>
+          <td class="order-payment-state"><%= Spree.t("payment_states.#{order.payment_state}").titleize if order.payment_state %></td>
+          <td class="order-shipment-state"><%= Spree.t("shipment_states.#{order.shipment_state}").titleize if order.shipment_state %></td>
+          <td class="order-total"><%= order.display_total %></td>
+        </tr>
+      <% end %>
+      </tbody>
+    </table>
+  <% else %>
+    <p><%= Spree.t(:you_have_no_orders_yet) %></p>
+  <% end %>
+  <br />
+
+</div>

data/solidus_auth_devise.gemspec

@@ -0,0 +1,41 @@
+# encoding: UTF-8
+
+Gem::Specification.new do |s|
+  s.platform    = Gem::Platform::RUBY
+  s.name        = 'solidus_auth_devise_devise_token_auth'
+  s.version     = '2.1.0'
+  s.summary     = 'Provides authentication and authorization services for use with Solidus by using Devise and CanCan (devise_token_auth revised version)'
+  s.description = s.summary
+
+  s.author       = 'Michał Siwek (skycocker)'
+  s.email        = 'mike21@aol.pl'
+
+  s.required_ruby_version = '>= 2.1'
+  s.license     = %q{BSD-3}
+
+  s.files        = `git ls-files`.split($\)
+  s.test_files   = `git ls-files -- spec/*`.split($\)
+  s.require_path = 'lib'
+  s.requirements << 'none'
+
+  solidus_version = ['>= 1.2.0', '< 3']
+
+  s.add_dependency 'solidus_core_devise_token_auth', solidus_version
+  s.add_dependency 'solidus_support_devise_token_auth', '>= 0.1.3'
+  s.add_dependency 'devise', '~> 4.1'
+  s.add_dependency 'devise-encryptable', '0.2.0'
+
+  s.add_development_dependency 'capybara', '~> 2.14'
+  s.add_development_dependency 'capybara-screenshot'
+  s.add_development_dependency 'coffee-rails'
+  s.add_development_dependency 'database_cleaner', '~> 1.6'
+  s.add_development_dependency 'ffaker'
+  s.add_development_dependency 'poltergeist', '~> 1.5'
+  s.add_development_dependency 'rspec-rails', '~> 3.3'
+  s.add_development_dependency 'sass-rails'
+  s.add_development_dependency 'shoulda-matchers', '~> 3.1'
+  s.add_development_dependency 'simplecov', '~> 0.14'
+  s.add_development_dependency 'solidus_backend_devise_token_auth',  solidus_version
+  s.add_development_dependency 'solidus_frontend_devise_token_auth', solidus_version
+  s.add_development_dependency 'sqlite3'
+end

data/spec/controllers/spree/checkout_controller_spec.rb

@@ -0,0 +1,196 @@
+RSpec.describe Spree::CheckoutController, type: :controller do
+
+  let(:order) { create(:order_with_line_items, email: nil, user: nil, guest_token: token) }
+  let(:user)  { build(:user) }
+  let(:token) { 'some_token' }
+  let(:cookie_token) { token }
+
+  before do
+    request.cookie_jar.signed[:guest_token] = cookie_token
+    allow(controller).to receive(:current_order) { order }
+    allow(order).to receive(:confirmation_required?) { true }
+  end
+
+  context '#edit' do
+    context 'when registration step enabled' do
+      context 'when authenticated as registered user' do
+        before { allow(controller).to receive(:spree_current_user) { user } }
+
+        it 'proceeds to the first checkout step' do
+          get :edit, params: { state: 'address' }
+          expect(response).to render_template :edit
+        end
+      end
+
+      context 'when not authenticated as guest' do
+        it 'redirects to registration step' do
+          get :edit, params: { state: 'address' }
+          expect(response).to redirect_to spree.checkout_registration_path
+        end
+      end
+
+      context 'when authenticated as guest' do
+        before { order.email = 'guest@solidus.io' }
+
+        it 'proceeds to the first checkout step' do
+          get :edit, params: { state: 'address' }
+          expect(response).to render_template :edit
+        end
+
+        context 'when guest checkout not allowed' do
+          before do
+            Spree::Config.set(allow_guest_checkout: false)
+          end
+
+          after do
+            Spree::Config.set(allow_guest_checkout: true)
+          end
+
+          it 'redirects to registration step' do
+            get :edit, params: { state: 'address' }
+            expect(response).to redirect_to spree.checkout_registration_path
+          end
+        end
+      end
+    end
+
+    context 'when registration step disabled' do
+      before do
+        Spree::Auth::Config.set(registration_step: false)
+      end
+
+      context 'when authenticated as registered' do
+        before { allow(controller).to receive(:spree_current_user) { user } }
+
+        it 'proceeds to the first checkout step' do
+          get :edit, params: { state: 'address' }
+          expect(response).to render_template :edit
+        end
+      end
+
+      context 'when authenticated as guest' do
+        it 'proceeds to the first checkout step' do
+          get :edit, params: { state: 'address' }
+          expect(response).to render_template :edit
+        end
+      end
+    end
+  end
+
+  context '#update' do
+    context 'when in the confirm state' do
+      before do
+        order.update_column(:email, 'spree@example.com')
+        order.update_column(:state, 'confirm')
+
+        # So that the order can transition to complete successfully
+        allow(order).to receive(:payment_required?) { false }
+      end
+
+      context 'with a token' do
+        before { allow(order).to receive(:guest_token) { 'ABC' } }
+
+        it 'redirects to the tokenized order view' do
+          request.cookie_jar.signed[:guest_token] = 'ABC'
+          post :update, params: { state: 'confirm' }
+          expect(response).to redirect_to spree.token_order_path(order, 'ABC')
+          expect(flash.notice).to eq Spree.t(:order_processed_successfully)
+        end
+      end
+
+      context 'with a registered user' do
+        before do
+          allow(controller).to receive(:spree_current_user) { user }
+          allow(order).to receive(:user) { user }
+          allow(order).to receive(:guest_token) { nil }
+        end
+
+        it 'redirects to the standard order view' do
+          post :update, params: { state: 'confirm' }
+          expect(response).to redirect_to spree.order_path(order)
+        end
+      end
+    end
+  end
+
+  context '#registration' do
+    it 'does not check registration' do
+      expect(controller).not_to receive(:check_registration)
+      get :registration
+    end
+
+    it 'checks if the user is authorized for :edit' do
+      expect(controller).to receive(:authorize!).with(:edit, order, token)
+      request.cookie_jar.signed[:guest_token] = token
+      get :registration, params: {}
+    end
+  end
+
+  context '#update_registration' do
+    subject { put :update_registration, params: { order: { email: email } } }
+    let(:email) { 'foo@example.com' }
+
+    it 'does not check registration' do
+      expect(controller).not_to receive(:check_registration)
+      subject
+    end
+
+    it 'redirects to the checkout_path after saving' do
+      subject
+      expect(response).to redirect_to spree.checkout_path
+    end
+
+    # Regression test for https://github.com/solidusio/solidus/issues/1588
+    context 'order in address state' do
+      let(:order) do
+        create(
+          :order_with_line_items,
+          email: nil,
+          user: nil,
+          guest_token: token,
+          bill_address: nil,
+          ship_address: nil,
+          state: 'address'
+        )
+      end
+
+      # This may seem out of left field, but previously there was an issue
+      # where address would be built in a before filter and then would be saved
+      # when trying to update the email.
+      it "doesn't create addresses" do
+        expect {
+          subject
+        }.not_to change { Spree::Address.count }
+        expect(response).to redirect_to spree.checkout_path
+      end
+    end
+
+    context 'invalid email' do
+      let(:email) { 'invalid' }
+
+      it 'renders the registration view' do
+        subject
+        expect(flash[:registration_error]).to eq I18n.t(:email_is_invalid, scope: [:errors, :messages])
+        expect(response).to render_template :registration
+      end
+    end
+
+    context 'with wrong order token' do
+      let(:cookie_token) { 'lol_no_access' }
+
+      it 'redirects to login' do
+        put :update_registration, params: { order: { email: 'foo@example.com' } }
+        expect(response).to redirect_to(login_path)
+      end
+    end
+
+    context 'without order token' do
+      let(:cookie_token) { nil }
+
+      it 'redirects to login' do
+        put :update_registration, params: { order: { email: 'foo@example.com' } }
+        expect(response).to redirect_to(login_path)
+      end
+    end
+  end
+end

data/spec/controllers/spree/products_controller_spec.rb

@@ -0,0 +1,27 @@
+RSpec.describe Spree::ProductsController, type: :controller do
+
+  let!(:product) { create(:product, available_on: 1.year.from_now) }
+  let!(:user)    { build(:user) }
+
+  it 'allows admins to view non-active products' do
+    allow(controller).to receive(:before_save_new_order)
+    allow(controller).to receive(:spree_current_user) { user }
+    allow(user).to receive(:has_spree_role?) { true }
+    get :show, params: { id: product.to_param }
+    expect(response.status).to eq(200)
+  end
+
+  it 'cannot view non-active products' do
+    allow(controller).to receive(:before_save_new_order)
+    allow(controller).to receive(:spree_current_user) { user }
+    allow(user).to receive(:has_spree_role?) { false }
+    if SolidusSupport.solidus_gem_version < Gem::Version.new('2.5.x')
+      get :show, params: { id: product.to_param }
+      expect(response.status).to eq(404)
+    else
+      expect {
+        get :show, params: { id: product.to_param }
+      }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+  end
+end

data/spec/controllers/spree/user_passwords_controller_spec.rb

@@ -0,0 +1,44 @@
+RSpec.describe Spree::UserPasswordsController, type: :controller do
+
+  let(:token) { 'some_token' }
+
+  before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
+
+  describe 'GET edit' do
+    context 'when the user token has not been specified' do
+      it 'redirects to the new session path' do
+        get :edit
+        expect(response).to redirect_to(
+          'http://test.host/user/spree_user/sign_in'
+        )
+      end
+
+      it 'flashes an error' do
+        get :edit
+        expect(flash[:alert]).to include(
+          "You can't access this page without coming from a password reset " +
+          'email'
+        )
+      end
+    end
+
+    context 'when the user token has been specified' do
+      it 'does something' do
+        get :edit, params: { reset_password_token: token }
+        expect(response.code).to eq('200')
+      end
+    end
+  end
+
+  context '#update' do
+    context 'when updating password with blank password' do
+      it 'shows error flash message, sets spree_user with token and re-displays password edit form' do
+        put :update, params: { spree_user: { password: '', password_confirmation: '', reset_password_token: token } }
+        expect(assigns(:spree_user).kind_of?(Spree::User)).to eq true
+        expect(assigns(:spree_user).reset_password_token).to eq token
+        expect(flash[:error]).to eq I18n.t(:cannot_be_blank, scope: [:devise, :user_passwords, :spree_user])
+        expect(response).to render_template :edit
+      end
+    end
+  end
+end

data/spec/controllers/spree/user_registrations_controller_spec.rb

@@ -0,0 +1,96 @@
+RSpec.describe Spree::UserRegistrationsController, type: :controller do
+
+  before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
+
+  context '#create' do
+    before do
+      allow(controller).to receive(:after_sign_up_path_for) do
+        spree.root_path(thing: 7)
+      end
+    end
+
+    let(:password_confirmation) { 'foobar123' }
+
+    subject do
+      post(:create, {
+        params: {
+          spree_user: {
+            email: 'foobar@example.com',
+            password: 'foobar123',
+            password_confirmation: password_confirmation
+          }
+        }
+      })
+    end
+
+    context 'when user created successfuly' do
+      it 'saves the user' do
+        expect { subject }.to change { Spree::User.count }.from(0).to(1)
+      end
+
+      it 'sets flash message' do
+        subject
+        expect(flash[:notice]).to eq('Welcome! You have signed up successfully.')
+      end
+
+      it 'signs in user' do
+        expect(controller.warden).to receive(:set_user)
+        subject
+      end
+
+      it 'sets spree_user_signup session' do
+        subject
+        expect(session[:spree_user_signup]).to be true
+      end
+
+      it 'redirects to after_sign_up path' do
+        subject
+        expect(response).to redirect_to spree.root_path(thing: 7)
+      end
+
+      context 'with a guest token present' do
+        before do
+          request.cookie_jar.signed[:guest_token] = 'ABC'
+        end
+
+        it 'assigns orders with the correct token and no user present' do
+          order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          subject
+          user = Spree::User.find_by_email('foobar@example.com')
+
+          order.reload
+          expect(order.user_id).to eq user.id
+          expect(order.created_by_id).to eq user.id
+        end
+
+        it 'does not assign orders with an existing user' do
+          order = create(:order, guest_token: 'ABC', user_id: 200)
+          subject
+
+          expect(order.reload.user_id).to eq 200
+        end
+
+        it 'does not assign orders with a different token' do
+          order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+          subject
+
+          expect(order.reload.user_id).to be_nil
+        end
+      end
+    end
+
+    context 'when user not valid' do
+      let(:password_confirmation) { 'foobard123' }
+
+      it 'resets password fields' do
+        expect(controller).to receive(:clean_up_passwords)
+        subject
+      end
+
+      it 'renders new view' do
+        subject
+        expect(:response).to render_template(:new)
+      end
+    end
+  end
+end