solidus_auth_devise_devise_token_auth 2.1.0

data/spec/controllers/spree/user_sessions_controller_spec.rb

@@ -0,0 +1,113 @@
+RSpec.describe Spree::UserSessionsController, type: :controller do
+  let(:user) { create(:user) }
+
+  before { @request.env['devise.mapping'] = Devise.mappings[:spree_user] }
+
+  context "#create" do
+    let(:format) { :html }
+    let(:password) { 'secret' }
+
+    subject do
+      post(:create, {
+        params: {
+          spree_user: {
+            email: user.email,
+            password: password
+          },
+          format: format
+        }
+      })
+    end
+
+    context "when using correct login information" do
+      context 'with a guest token present' do
+        before do
+          request.cookie_jar.signed[:guest_token] = 'ABC'
+        end
+
+        it 'assigns orders with the correct token and no user present' do
+          order = create(:order, email: user.email, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          subject
+
+          order.reload
+          expect(order.user_id).to eq user.id
+          expect(order.created_by_id).to eq user.id
+        end
+
+        it 'assigns orders with the correct token and no user or email present' do
+          order = create(:order, guest_token: 'ABC', user_id: nil, created_by_id: nil)
+          subject
+
+          order.reload
+          expect(order.user_id).to eq user.id
+          expect(order.created_by_id).to eq user.id
+        end
+
+        it 'does not assign completed orders' do
+          order = create(:order, email: user.email, guest_token: 'ABC',
+                         user_id: nil, created_by_id: nil,
+                         completed_at: 1.minute.ago)
+          subject
+
+          order.reload
+          expect(order.user_id).to be_nil
+          expect(order.created_by_id).to be_nil
+        end
+
+        it 'does not assign orders with an existing user' do
+          order = create(:order, guest_token: 'ABC', user_id: 200)
+          subject
+
+          expect(order.reload.user_id).to eq 200
+        end
+
+        it 'does not assign orders with a different token' do
+          order = create(:order, guest_token: 'DEF', user_id: nil, created_by_id: nil)
+          subject
+
+          expect(order.reload.user_id).to be_nil
+        end
+      end
+
+      context "when html format is requested" do
+        it "redirects to default after signing in" do
+          subject
+          expect(response).to redirect_to spree.root_path
+        end
+      end
+
+      context "when js format is requested" do
+        let(:format) { :js }
+
+        it "returns a json with ship and bill address" do
+          subject
+          parsed = ActiveSupport::JSON.decode(response.body)
+          expect(parsed).to have_key("user")
+          expect(parsed).to have_key("ship_address")
+          expect(parsed).to have_key("bill_address")
+        end
+      end
+    end
+
+    context "when using incorrect login information" do
+      let(:password) { 'wrong' }
+
+      context "when html format is requested" do
+        it "renders new template again with errors" do
+          subject
+          expect(response).to render_template(:new)
+          expect(flash[:error]).to eq I18n.t(:'devise.failure.invalid')
+        end
+      end
+
+      context "when js format is requested" do
+        let(:format) { :js }
+        it "returns json with the error" do
+          subject
+          parsed = ActiveSupport::JSON.decode(response.body)
+          expect(parsed).to have_key("error")
+        end
+      end
+    end
+  end
+end

data/spec/controllers/spree/users_controller_spec.rb

@@ -0,0 +1,38 @@
+RSpec.describe Spree::UsersController, type: :controller do
+
+  let(:admin_user) { create(:user) }
+  let(:user) { create(:user) }
+  let(:role) { create(:role) }
+
+  before { allow(controller).to receive(:spree_current_user) { user } }
+
+  context '#load_object' do
+    it 'redirects to signup path if user is not found' do
+      allow(controller).to receive(:spree_current_user) { nil }
+      put :update, params: { user: { email: 'foobar@example.com' } }
+      expect(response).to redirect_to spree.login_path
+    end
+  end
+
+  context '#create' do
+    it 'creates a new user' do
+      post :create, params: { user: { email: 'foobar@example.com', password: 'foobar123', password_confirmation: 'foobar123' } }
+      expect(assigns[:user].new_record?).to be false
+    end
+  end
+
+  context '#update' do
+    context 'when updating own account' do
+      it 'performs update' do
+        put :update, params: { user: { email: 'mynew@email-address.com' } }
+        expect(assigns[:user].email).to eq 'mynew@email-address.com'
+        expect(response).to redirect_to spree.account_url(only_path: true)
+      end
+    end
+
+    it 'does not update roles' do
+      put :update, params: { user: { spree_role_ids: [role.id] } }
+      expect(assigns[:user].spree_roles).to_not include role
+    end
+  end
+end

data/spec/factories/confirmed_user.rb

@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :confirmed_user, parent: :user do
+    confirmed_at { Time.now }
+    confirmation_sent_at { Time.now }
+    confirmation_token "12345"
+  end
+end

data/spec/features/account_spec.rb

@@ -0,0 +1,58 @@
+RSpec.feature 'Accounts', type: :feature do
+
+  context 'editing' do
+    scenario 'can edit an admin user' do
+      user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')
+      visit spree.login_path
+
+      fill_in 'Email', with: user.email
+      fill_in 'Password', with: user.password
+      click_button 'Login'
+
+      click_link 'My Account'
+      expect(page).to have_text 'admin@person.com'
+    end
+
+    scenario 'can edit a new user' do
+      Spree::Auth::Config.set(signout_after_password_change: false)
+      visit spree.signup_path
+
+      fill_in 'Email', with: 'email@person.com'
+      fill_in 'Password', with: 'password'
+      fill_in 'Password Confirmation', with: 'password'
+      click_button 'Create'
+
+      click_link 'My Account'
+      expect(page).to have_text 'email@person.com'
+      click_link 'Edit'
+
+      fill_in 'Password', with: 'foobar'
+      fill_in 'Password Confirmation', with: 'foobar'
+      click_button 'Update'
+
+      expect(page).to have_text 'email@person.com'
+      expect(page).to have_text 'Account updated'
+    end
+
+    scenario 'can edit an existing user account' do
+      Spree::Auth::Config.set(signout_after_password_change: false)
+      user = create(:user, email: 'email@person.com', password: 'secret', password_confirmation: 'secret')
+      visit spree.login_path
+
+      fill_in 'Email', with: user.email
+      fill_in 'Password', with: user.password
+      click_button 'Login'
+
+      click_link 'My Account'
+      expect(page).to have_text 'email@person.com'
+      click_link 'Edit'
+
+      fill_in 'Password', with: 'foobar'
+      fill_in 'Password Confirmation', with: 'foobar'
+      click_button 'Update'
+
+      expect(page).to have_text 'email@person.com'
+      expect(page).to have_text 'Account updated'
+    end
+  end
+end

data/spec/features/admin/orders_spec.rb

@@ -0,0 +1,30 @@
+RSpec.feature 'Admin orders', type: :feature do
+
+  background do
+    create(:store)
+    sign_in_as! create(:admin_user)
+  end
+
+  # Regression #203
+  scenario 'can list orders' do
+    expect { visit spree.admin_orders_path }.not_to raise_error
+  end
+
+  # Regression #203
+  scenario 'can new orders' do
+    FactoryBot.create(:country)
+    expect { visit spree.new_admin_order_path }.not_to raise_error
+  end
+
+  # Regression #203
+  scenario 'can not edit orders' do
+    expect { visit spree.edit_admin_order_path('nodata') }.to raise_error(ActiveRecord::RecordNotFound)
+  end
+
+  # Regression #203
+  scenario 'can edit orders' do
+    create(:order, number: 'R123')
+    visit spree.edit_admin_order_path('R123')
+    expect(page).not_to have_text 'Authorization Failure'
+  end
+end

data/spec/features/admin/password_reset_spec.rb

@@ -0,0 +1,24 @@
+RSpec.feature 'Admin - Reset Password', type: :feature do
+
+  let!(:store) { create(:store) }
+
+  background do
+    ActionMailer::Base.default_url_options[:host] = 'http://example.com'
+  end
+
+  scenario 'allows a user to supply an email for the password reset' do
+    user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
+    visit spree.admin_login_path
+    click_link 'Forgot Password?'
+    fill_in 'Email', with: 'foobar@example.com'
+    click_button 'Reset my password'
+    expect(page).to have_text 'You will receive an email with instructions'
+  end
+
+  scenario 'shows errors if no email is supplied' do
+    visit spree.admin_login_path
+    click_link 'Forgot Password?'
+    click_button 'Reset my password'
+    expect(page).to have_text "Email can't be blank"
+  end
+end

data/spec/features/admin/products_spec.rb

@@ -0,0 +1,9 @@
+RSpec.feature 'Admin products', type: :feature do
+
+  context 'as anonymous user' do
+    # Regression test for #1250
+    scenario 'redirects to login page when attempting to access product listing' do
+      expect { visit spree.admin_products_path }.not_to raise_error
+    end
+  end
+end

data/spec/features/admin/sign_in_spec.rb

@@ -0,0 +1,44 @@
+RSpec.feature 'Admin - Sign In', type: :feature do
+
+  background do
+    @user = create(:user, email: 'email@person.com')
+    visit spree.admin_login_path
+  end
+
+  scenario 'asks user to sign in' do
+    visit spree.admin_path
+    expect(page).not_to have_text 'Authorization Failure'
+  end
+
+  scenario 'lets a user sign in successfully' do
+    fill_in 'Email', with: @user.email
+    fill_in 'Password', with: 'secret'
+    click_button 'Login'
+
+    expect(page).to have_text 'Logged in successfully'
+    expect(page).not_to have_text 'Login'
+    expect(page).to have_text 'Logout'
+    expect(current_path).to eq '/'
+  end
+
+  scenario 'shows validation erros' do
+    fill_in 'Email', with: @user.email
+    fill_in 'Password', with: 'wrong_password'
+    click_button 'Login'
+
+    expect(page).to have_text 'Invalid email or password'
+    expect(page).to have_text 'Login'
+  end
+
+  scenario 'allows a user to access a restricted page after logging in' do
+    user = create(:admin_user, email: 'admin@person.com')
+    visit spree.admin_path
+
+    fill_in 'Email', with: user.email
+    fill_in 'Password', with: 'secret'
+    click_button 'Login'
+
+    expect(page).to have_text 'admin@person.com'
+    expect(current_path).to eq '/admin/orders'
+  end
+end

data/spec/features/admin/sign_out_spec.rb

@@ -0,0 +1,22 @@
+RSpec.feature 'Admin - Sign Out', type: :feature do
+
+  given!(:user) do
+   create :user, email: 'email@person.com'
+  end
+
+  background do
+    visit spree.admin_login_path
+    fill_in 'Email', with: user.email
+    fill_in 'Password', with: 'secret'
+    # Regression test for #1257
+    check 'Remember me'
+    click_button 'Login'
+  end
+
+  scenario 'allows a signed in user to logout' do
+    click_link 'Logout'
+    visit spree.admin_login_path
+    expect(page).to have_text 'Login'
+    expect(page).not_to have_text 'Logout'
+  end
+end

data/spec/features/admin_permissions_spec.rb

@@ -0,0 +1,46 @@
+RSpec.feature 'Admin Permissions', type: :feature do
+
+  context 'orders' do
+    background do
+      user = create(:admin_user, email: 'admin@person.com', password: 'password', password_confirmation: 'password')
+      Spree::Ability.register_ability(AbilityDecorator)
+      visit spree.login_path
+
+      fill_in 'Email', with: user.email
+      fill_in 'Password', with: user.password
+      click_button 'Login'
+    end
+
+    context 'admin is restricted from accessing orders' do
+      scenario 'can not list orders' do
+        visit spree.admin_orders_path
+        expect(page).to have_text 'Authorization Failure'
+      end
+
+      scenario 'can not edit orders' do
+        create(:order, number: 'R123')
+        visit spree.edit_admin_order_path('R123')
+        expect(page).to have_text 'Authorization Failure'
+      end
+
+      scenario 'can not new orders' do
+        visit spree.new_admin_order_path
+        expect(page).to have_text 'Authorization Failure'
+      end
+    end
+
+    context "admin is restricted from accessing an order's customer details" do
+      given(:order) { create(:order_with_totals) }
+
+      scenario 'can not list customer details for an order' do
+        visit spree.admin_order_customer_path(order)
+        expect(page).to have_text 'Authorization Failure'
+      end
+
+      scenario "can not edit an order's customer details" do
+        visit spree.edit_admin_order_customer_path(order)
+        expect(page).to have_text 'Authorization Failure'
+      end
+    end
+  end
+end

data/spec/features/change_email_spec.rb

@@ -0,0 +1,26 @@
+RSpec.feature 'Change email', type: :feature do
+
+  background do
+    Spree::Auth::Config.set(signout_after_password_change: false)
+
+    user = create(:user)
+    visit spree.root_path
+    click_link 'Login'
+
+    fill_in 'spree_user[email]', with: user.email
+    fill_in 'spree_user[password]', with: 'secret'
+    click_button 'Login'
+
+    visit spree.edit_account_path
+  end
+
+  scenario 'work with correct password' do
+    fill_in 'user_email', with: 'tests@example.com'
+    fill_in 'user_password', with: 'password'
+    fill_in 'user_password_confirmation', with: 'password'
+    click_button 'Update'
+
+    expect(page).to have_text 'Account updated'
+    expect(page).to have_text 'tests@example.com'
+  end
+end

data/spec/features/checkout_spec.rb

@@ -0,0 +1,181 @@
+RSpec.feature 'Checkout', :js, type: :feature do
+  given!(:store) { create(:store) }
+  given!(:country) { create(:country, name: 'United States', states_required: true) }
+  given!(:state)   { create(:state, name: 'Maryland', country: country) }
+  given!(:shipping_method) do
+    shipping_method = create(:shipping_method)
+    calculator = Spree::Calculator::Shipping::PerItem.create!(calculable: shipping_method, preferred_amount: 10)
+    shipping_method.calculator = calculator
+    shipping_method.tap(&:save)
+  end
+
+  given!(:zone)    { create(:zone) }
+  given!(:address) { create(:address, state: state, country: country) }
+  given!(:payment_method){ create :check_payment_method }
+
+  background do
+    @product = create(:product, name: 'RoR Mug')
+    @product.master.stock_items.first.update_column(:count_on_hand, 1)
+
+    # Bypass gateway error on checkout | ..or stub a gateway
+    Spree::Config[:allow_checkout_on_gateway_error] = true
+
+    visit spree.root_path
+  end
+
+  # Regression test for https://github.com/solidusio/solidus/issues/1588
+  scenario 'leaving and returning to address step' do
+    Spree::Auth::Config.set(registration_step: true)
+    click_link 'RoR Mug'
+    click_button 'Add To Cart'
+    within('h1') { expect(page).to have_text 'Shopping Cart' }
+    click_button 'Checkout'
+
+    within '#guest_checkout' do
+      fill_in 'Email', with: 'test@example.com'
+    end
+    click_on 'Continue'
+
+    click_on 'Cart'
+
+    click_on 'Checkout'
+
+    expect(page).to have_content "Billing Address"
+  end
+
+  context 'without payment being required' do
+    scenario 'allow a visitor to checkout as guest, without registration' do
+      click_link 'RoR Mug'
+      click_button 'Add To Cart'
+      within('h1') { expect(page).to have_text 'Shopping Cart' }
+      click_button 'Checkout'
+
+      expect(page).to have_content(/Checkout as a Guest/i)
+
+      within('#guest_checkout') { fill_in 'Email', with: 'spree@test.com' }
+      click_button 'Continue'
+
+      expect(page).to have_text(/Billing Address/i)
+      expect(page).to have_text(/Shipping Address/i)
+
+      str_addr = 'bill_address'
+      select 'United States', from: "order_#{str_addr}_attributes_country_id"
+      %w(firstname lastname address1 city zipcode phone).each do |field|
+        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+      end
+      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      check 'order_use_billing'
+
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Place Order'
+
+      expect(page).to have_text 'Your order has been processed successfully'
+    end
+
+    scenario 'associate an uncompleted guest order with user after logging in' do
+      user = create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
+      click_link 'RoR Mug'
+      click_button 'Add To Cart'
+
+      visit spree.login_path
+      fill_in 'Email', with: user.email
+      fill_in 'Password', with: user.password
+      click_button 'Login'
+      click_link 'Cart'
+
+      expect(page).to have_text 'RoR Mug'
+      within('h1') { expect(page).to have_text 'Shopping Cart' }
+
+      click_button 'Checkout'
+
+      str_addr = 'bill_address'
+      select 'United States', from: "order_#{str_addr}_attributes_country_id"
+      %w(firstname lastname address1 city zipcode phone).each do |field|
+        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+      end
+      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      check 'order_use_billing'
+
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Place Order'
+
+      expect(page).to have_text 'Your order has been processed successfully'
+      expect(Spree::Order.first.user).to eq user
+    end
+
+    # Regression test for #890
+    scenario 'associate an incomplete guest order with user after successful password reset' do
+      user = create(:user, email: 'email@person.com', password: 'password', password_confirmation: 'password')
+      click_link 'RoR Mug'
+      click_button 'Add To Cart'
+
+      visit spree.login_path
+      click_link 'Forgot Password?'
+      fill_in 'spree_user_email', with: 'email@person.com'
+      click_button 'Reset my password'
+
+      # Need to do this now because the token stored in the DB is the encrypted version
+      # The 'plain-text' version is sent in the email and there's one way to get that!
+      reset_password_email = ActionMailer::Base.deliveries.first
+      token_url_regex = /\/user\/spree_user\/password\/edit\?reset_password_token=(.*)$/
+      token = token_url_regex.match(reset_password_email.body.to_s)[1]
+
+      visit spree.edit_spree_user_password_path(reset_password_token: token)
+      fill_in 'Password', with: 'password'
+      fill_in 'Password Confirmation', with: 'password'
+      click_button 'Update'
+
+      click_link 'Cart'
+      click_button 'Checkout'
+
+      str_addr = 'bill_address'
+      select 'United States', from: "order_#{str_addr}_attributes_country_id"
+      %w(firstname lastname address1 city zipcode phone).each do |field|
+        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+      end
+      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      check 'order_use_billing'
+
+      click_button 'Save and Continue'
+
+      expect(page).not_to have_text 'Email is invalid'
+    end
+
+    scenario 'allow a user to register during checkout' do
+      click_link 'RoR Mug'
+      click_button 'Add To Cart'
+      click_button 'Checkout'
+
+      expect(page).to have_text 'Registration'
+
+      click_link 'Create a new account'
+
+      fill_in 'Email', with: 'email@person.com'
+      fill_in 'Password', with: 'spree123'
+      fill_in 'Password Confirmation', with: 'spree123'
+      click_button 'Create'
+
+      expect(page).to have_text 'You have signed up successfully.'
+
+      str_addr = 'bill_address'
+      select 'United States', from: "order_#{str_addr}_attributes_country_id"
+      %w(firstname lastname address1 city zipcode phone).each do |field|
+        fill_in "order_#{str_addr}_attributes_#{field}", with: "#{address.send(field)}"
+      end
+      select "#{address.state.name}", from: "order_#{str_addr}_attributes_state_id"
+      check 'order_use_billing'
+
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Save and Continue'
+      click_button 'Place Order'
+
+      expect(page).to have_text 'Your order has been processed successfully'
+      expect(Spree::Order.first.user).to eq Spree::User.find_by_email('email@person.com')
+    end
+  end
+end