sorcery 0.1.3 → 0.1.4

data/spec/rails3/controller_brute_force_protection_spec.rb

@@ -1,6 +1,13 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe ApplicationController do
+  before(:all) do
+    ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate/brute_force_protection")
+  end
+  
+  after(:all) do
+    ActiveRecord::Migrator.rollback("#{Rails.root}/db/migrate/brute_force_protection")
+  end
   
   # ----------------- SESSION TIMEOUT -----------------------
   describe ApplicationController, "with brute force protection features" do
@@ -14,59 +21,35 @@ describe ApplicationController do
       plugin_set_controller_config_property(:user_class, User)
     end
     
-    it "should have configuration for 'login_retries_amount_allowed' per session" do
-      plugin_set_controller_config_property(:login_retries_amount_allowed, 32)
-      Sorcery::Controller::Config.login_retries_amount_allowed.should equal(32)
-    end
-    
-    it "should have configuration for 'login_retries_counter_reset_time'" do
-      plugin_set_controller_config_property(:login_retries_time_period, 32)
-      Sorcery::Controller::Config.login_retries_time_period.should equal(32)
-    end
-    
-    it "should count login retries per session" do
+    it "should count login retries" do
       3.times {get :test_login, :username => 'gizmo', :password => 'blabla'}
-      session[:failed_logins].should == 3
+      User.find_by_username('gizmo').failed_logins_count.should == 3
     end
     
-    it "should reset the counter if enough time has passed" do
-      plugin_set_controller_config_property(:login_retries_amount_allowed, 5)
-      plugin_set_controller_config_property(:login_retries_time_period, 0.2)
-      get :test_login, :username => 'gizmo', :password => 'blabla'
-      sleep 0.4
-      get :test_login, :username => 'gizmo', :password => 'blabla'
-      session[:failed_logins].should == 1
+    it "should reset the counter on a good login" do
+      plugin_set_model_config_property(:consecutive_login_retries_amount_allowed, 5)
+      3.times {get :test_login, :username => 'gizmo', :password => 'blabla'}
+      get :test_login, :username => 'gizmo', :password => 'secret'
+      User.find_by_username('gizmo').failed_logins_count.should == 0
     end
     
-    it "should ban session when number of retries reached within an amount of time" do
-      plugin_set_controller_config_property(:login_retries_amount_allowed, 1)
-      plugin_set_controller_config_property(:login_retries_time_period, 50)
-      get :test_login, :username => 'gizmo', :password => 'blabla'
+    it "should lock user when number of retries reached the limit" do
+      User.find_by_username('gizmo').lock_expires_at.should be_nil
+      plugin_set_model_config_property(:consecutive_login_retries_amount_allowed, 1)
       get :test_login, :username => 'gizmo', :password => 'blabla'
-      session[:banned].should == true
+      User.find_by_username('gizmo').lock_expires_at.should_not be_nil
     end
 
-    it "should clear ban after ban time limit passes" do
-      plugin_set_controller_config_property(:login_retries_amount_allowed, 1)
-      plugin_set_controller_config_property(:login_retries_time_period, 50)
-      plugin_set_controller_config_property(:login_ban_time_period, 0.2)
+    it "should unlock after lock time period passes" do
+      plugin_set_model_config_property(:consecutive_login_retries_amount_allowed, 2)
+      plugin_set_model_config_property(:login_lock_time_period, 0.2)
       get :test_login, :username => 'gizmo', :password => 'blabla'
       get :test_login, :username => 'gizmo', :password => 'blabla'
-      session[:banned].should == true
+      User.find_by_username('gizmo').lock_expires_at.should_not be_nil
       sleep 0.3
       get :test_login, :username => 'gizmo', :password => 'blabla'
-      session[:banned].should == nil
-    end
-    
-    it "banned session calls the configured banned action" do
-      plugin_set_controller_config_property(:login_retries_amount_allowed, 1)
-      plugin_set_controller_config_property(:login_retries_time_period, 50)
-      plugin_set_controller_config_property(:login_ban_time_period, 50)
-      get :test_login, :username => 'gizmo', :password => 'blabla'
-      get :test_login, :username => 'gizmo', :password => 'blabla'
-      get :test_login, :username => 'gizmo', :password => 'blabla'
-      session[:banned].should == true
-      response.body.should == " "
+      User.find_by_username('gizmo').lock_expires_at.should be_nil
     end
+
   end
 end

data/spec/rails3/controller_http_basic_auth_spec.rb

@@ -9,6 +9,10 @@ describe ApplicationController do
       create_new_user
     end
     
+    after(:each) do
+      logout_user
+    end
+    
     it "requests basic authentication when before_filter is used" do
       get :test_http_basic_auth
       response.code.should == "401"
@@ -36,5 +40,11 @@ describe ApplicationController do
       get :test_http_basic_auth
       response.headers["WWW-Authenticate"].should == "Basic realm=\"Salad\""
     end
+    
+    it "should sign in the user's session on successful login" do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{@user.username}:secret")
+      get :test_http_basic_auth, nil, :http_authentication_used => true
+      session[:user_id].should == User.find_by_username(@user.username).id
+    end
   end
 end

data/spec/rails3/controller_session_timeout_spec.rb

@@ -45,5 +45,6 @@ describe ApplicationController do
       session[:user_id].should be_nil
       response.should be_a_redirect
     end
+    
   end
 end

data/spec/rails3/controller_spec.rb

@@ -93,8 +93,8 @@ describe ApplicationController do
       subject.logged_in_user.should == false
     end
     
-    it "should respond to 'require_user_login'" do
-      should respond_to(:require_user_login)
+    it "should respond to 'require_login'" do
+      should respond_to(:require_login)
     end
     
     it "should call the configured 'not_authenticated_action' when authenticate before_filter fails" do
@@ -104,7 +104,7 @@ describe ApplicationController do
       response.body.should == "test_not_authenticated_action"
     end
     
-    it "require_user_login before_filter should save the url that the user originally wanted" do
+    it "require_login before_filter should save the url that the user originally wanted" do
       get :some_action
       session[:user_wanted_url].should == "http://test.host/some_action"
       response.should redirect_to("http://test.host/")

data/spec/rails3/spec_helper.rb

@@ -1,17 +1,17 @@
 $: << File.join(File.dirname(__FILE__), '..', '..', 'lib' )
 
-require 'simplecov'
-SimpleCov.root File.join(File.dirname(__FILE__), "app_root" )
-SimpleCov.start do
-  add_filter "/config/"
-  
-  add_group 'Controllers', 'app/controllers'
-  add_group 'Models', 'app/models'
-  add_group 'Helpers', 'app/helpers'
-  add_group 'Libraries', 'lib'
-  add_group 'Plugins', 'vendor/plugins'
-  add_group 'Migrations', 'db/migrate'
-end
+# require 'simplecov'
+# SimpleCov.root File.join(File.dirname(__FILE__), "app_root" )
+# SimpleCov.start do
+#   add_filter "/config/"
+#   
+#   add_group 'Controllers', 'app/controllers'
+#   add_group 'Models', 'app/models'
+#   add_group 'Helpers', 'app/helpers'
+#   add_group 'Libraries', 'lib'
+#   add_group 'Plugins', 'vendor/plugins'
+#   add_group 'Migrations', 'db/migrate'
+# end
 
 # Set the default environment to sqlite3's in_memory database
 ENV['RAILS_ENV'] ||= 'in_memory'
@@ -41,7 +41,8 @@ RSpec.configure do |config|
 end
 
 #----------------------------------------------------------------
-#require File.join(File.dirname(__FILE__), 'app_root','app','models','user')
+# needed when running individual specs
+require File.join(File.dirname(__FILE__), 'app_root','app','models','user')
 
 class TestUser < ActiveRecord::Base
   activate_sorcery!
@@ -62,15 +63,27 @@ module Sorcery
   end
 end
 
-def create_new_user
-  user_attributes_hash = {:username => 'gizmo', :email => "bla@bla.com", :password => 'secret'}
+SUBMODUELS_AUTO_ADDED_CONTROLLER_FILTERS = [:register_last_activity_time_to_db, :deny_banned_user, :validate_session]
+
+def create_new_user(attributes_hash = nil)
+  user_attributes_hash = attributes_hash || {:username => 'gizmo', :email => "bla@bla.com", :password => 'secret'}
   @user = User.new(user_attributes_hash)
   @user.save!
+  @user
+end
+
+def login_user(user = nil)
+  user ||= @user
+  subject.send(:login_user,user)
+  subject.send(:after_login!,user,[user.username,'secret'])
+end
+
+def logout_user
+  subject.send(:logout)
 end
 
-def login_user
-  subject.send(:login_user,@user)
-  subject.send(:after_login!,@user,['gizmo','secret'])
+def clear_user_without_logout
+  subject.instance_variable_set(:@logged_in_user,nil)
 end
 
 # TODO: rename to sorcery_reload!(subs = [], model_opts = {}, controller_opts = {})
@@ -81,10 +94,15 @@ def plugin_model_configure(submodules = [], options = {})
   ::Sorcery::Controller::Config.init!
   ::Sorcery::Controller::Config.reset!
   
+  # remove all plugin before_filters so they won't fail other tests.
+  # I don't like this way, but I didn't find another.
+  # hopefully it won't break until Rails 4.
+  ApplicationController._process_action_callbacks.delete_if {|c| SUBMODUELS_AUTO_ADDED_CONTROLLER_FILTERS.include?(c.filter) }
+  
   # configure
   ::Sorcery::Controller::Config.submodules = submodules
   ::Sorcery::Controller::Config.user_class = nil # the next line will reset it to User
-  ApplicationController.send(:include,::Sorcery::Controller)
+  ActionController::Base.send(:include,::Sorcery::Controller)
   
   User.activate_sorcery! do |config|
     options.each do |property,value|
@@ -109,6 +127,8 @@ end
 
 private
 
+# reload user class between specs
+# so it will be possible to test the different submodules in isolation
 def reload_user_class
   Object.send(:remove_const,:User)
   load 'user.rb'

data/spec/rails3/user_activity_logging_spec.rb

@@ -0,0 +1,36 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "User with activity logging submodule" do
+  before(:all) do
+  end
+  
+  after(:all) do
+  end
+
+  # ----------------- PLUGIN CONFIGURATION -----------------------
+  describe User, "loaded plugin configuration" do
+    before(:all) do
+      plugin_model_configure([:activity_logging])
+    end
+  
+    after(:each) do
+      User.sorcery_config.reset!
+    end
+    
+    it "should allow configuration option 'last_login_at_attribute_name'" do
+      plugin_set_model_config_property(:last_login_at_attribute_name, :login_time)
+      User.sorcery_config.last_login_at_attribute_name.should equal(:login_time)
+    end
+    
+    it "should allow configuration option 'last_logout_at_attribute_name'" do
+      plugin_set_model_config_property(:last_logout_at_attribute_name, :logout_time)
+      User.sorcery_config.last_logout_at_attribute_name.should equal(:logout_time)
+    end
+    
+    it "should allow configuration option 'last_activity_at_attribute_name'" do
+      plugin_set_model_config_property(:last_activity_at_attribute_name, :activity_time)
+      User.sorcery_config.last_activity_at_attribute_name.should equal(:activity_time)
+    end
+  end
+
+end

data/spec/rails3/user_brute_force_protection_spec.rb

@@ -0,0 +1,76 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "User with brute_force_protection submodule" do
+  before(:all) do
+    ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate/brute_force_protection")
+  end
+  
+  after(:all) do
+    ActiveRecord::Migrator.rollback("#{Rails.root}/db/migrate/brute_force_protection")
+  end
+
+  # ----------------- PLUGIN CONFIGURATION -----------------------
+  describe User, "loaded plugin configuration" do
+  
+    before(:all) do
+      plugin_model_configure([:brute_force_protection])
+      create_new_user
+    end
+  
+    after(:each) do
+      User.sorcery_config.reset!
+    end
+    
+    it "should respond to 'failed_logins_count'" do
+      @user.should respond_to(:failed_logins_count)
+    end
+    
+    it "should respond to 'lock_expires_at'" do
+      @user.should respond_to(:failed_logins_count)
+    end
+ 
+    it "should enable configuration option 'failed_logins_count_attribute_name'" do
+      plugin_set_model_config_property(:failed_logins_count_attribute_name, :my_count)
+      User.sorcery_config.failed_logins_count_attribute_name.should equal(:my_count)    
+    end
+    
+    it "should enable configuration option 'lock_expires_at_attribute_name'" do
+      plugin_set_model_config_property(:lock_expires_at_attribute_name, :expires)
+      User.sorcery_config.lock_expires_at_attribute_name.should equal(:expires)    
+    end
+    
+    it "should enable configuration option 'consecutive_login_retries_amount_allowed'" do
+      plugin_set_model_config_property(:consecutive_login_retries_amount_allowed, 34)
+      User.sorcery_config.consecutive_login_retries_amount_allowed.should equal(34)    
+    end
+    
+    it "should enable configuration option 'login_lock_time_period'" do
+      plugin_set_model_config_property(:login_lock_time_period, 2.hours)
+      User.sorcery_config.login_lock_time_period.should == 2.hours    
+    end
+  end
+
+  # ----------------- PLUGIN ACTIVATED -----------------------
+  describe User, "when activated with sorcery" do
+  
+    before(:all) do
+      plugin_model_configure([:brute_force_protection])
+    end
+  
+    before(:each) do
+      User.delete_all
+    end
+
+    # it "should increment failed_logins_count on a failed login" do
+    #   create_new_user
+    #   
+    # end
+    # 
+    # it "should set lock expiry (effectively lock user) when failed_logins_count reaches max within max period" do
+    #   create_new_user
+    #   @user.lock_expires_at.should == Time.now.utc + 30
+    # end
+ 
+  end
+  
+end

data/spec/rails3/user_reset_password_spec.rb

@@ -0,0 +1,198 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe "User with reset_password submodule" do
+  before(:all) do
+    ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate/reset_password")
+  end
+  
+  after(:all) do
+    ActiveRecord::Migrator.rollback("#{Rails.root}/db/migrate/reset_password")
+  end
+
+  # ----------------- PLUGIN CONFIGURATION -----------------------
+  describe User, "loaded plugin configuration" do
+  
+    before(:all) do
+      plugin_model_configure([:reset_password], :reset_password_mailer => ::SorceryMailer)
+    end
+  
+    after(:each) do
+      User.sorcery_config.reset!
+    end
+    
+    it "should respond to 'deliver_reset_password_instructions!'" do
+      create_new_user
+      @user.should respond_to(:deliver_reset_password_instructions!)
+    end
+    
+    it "should respond to 'reset_password_token_valid?'" do
+      create_new_user
+      @user.should respond_to(:reset_password_token_valid?)
+    end
+    
+    it "should respond to 'reset_password!" do
+      create_new_user
+      @user.should respond_to(:reset_password!)
+    end
+    
+    it "should respond to 'load_from_reset_password_token'" do
+      create_new_user
+      User.should respond_to(:load_from_reset_password_token)
+    end
+    
+    it "should allow configuration option 'reset_password_token_attribute_name'" do
+      plugin_set_model_config_property(:reset_password_token_attribute_name, :my_code)
+      User.sorcery_config.reset_password_token_attribute_name.should equal(:my_code)
+    end
+    
+    it "should allow configuration option 'reset_password_mailer'" do
+      plugin_set_model_config_property(:reset_password_mailer, TestUser)
+      User.sorcery_config.reset_password_mailer.should equal(TestUser)
+    end
+    
+    it "should allow configuration option 'reset_password_email_method_name'" do
+      plugin_set_model_config_property(:reset_password_email_method_name, :my_mailer_method)
+      User.sorcery_config.reset_password_email_method_name.should equal(:my_mailer_method)
+    end
+    
+    it "should allow configuration option 'reset_password_expiration_period'" do
+      plugin_set_model_config_property(:reset_password_expiration_period, 16)
+      User.sorcery_config.reset_password_expiration_period.should equal(16)
+    end
+    
+    it "should allow configuration option 'reset_password_email_sent_at_attribute_name'" do
+      plugin_set_model_config_property(:reset_password_email_sent_at_attribute_name, :blabla)
+      User.sorcery_config.reset_password_email_sent_at_attribute_name.should equal(:blabla)
+    end
+    
+    it "should allow configuration option 'reset_password_time_between_emails'" do
+      plugin_set_model_config_property(:reset_password_time_between_emails, 16)
+      User.sorcery_config.reset_password_time_between_emails.should equal(16)
+    end
+  end
+
+  # ----------------- PLUGIN ACTIVATED -----------------------
+  describe User, "when activated with sorcery" do
+  
+    before(:all) do
+      plugin_model_configure([:reset_password], :reset_password_mailer => ::SorceryMailer)
+    end
+  
+    before(:each) do
+      User.delete_all
+    end
+
+    it "load_from_reset_password_token should return user when token is found" do
+      create_new_user
+      @user.deliver_reset_password_instructions!
+      User.load_from_reset_password_token(@user.reset_password_token).should == @user
+    end
+    
+    it "load_from_reset_password_token should NOT return user when token is NOT found" do
+      create_new_user
+      @user.deliver_reset_password_instructions!
+      User.load_from_reset_password_token("a").should == nil
+    end
+    
+    it "load_from_reset_password_token should return user when token is found and not expired" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_expiration_period, 500)
+      @user.deliver_reset_password_instructions!
+      User.load_from_reset_password_token(@user.reset_password_token).should == @user
+    end
+    
+    it "load_from_reset_password_token should NOT return user when token is found and expired" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_expiration_period, 0.1)
+      @user.deliver_reset_password_instructions!
+      sleep 0.5
+      User.load_from_reset_password_token(@user.reset_password_token).should == nil
+    end
+    
+    it "load_from_reset_password_token should return nil if token is blank" do
+      User.load_from_reset_password_token(nil).should == nil
+      User.load_from_reset_password_token("").should == nil
+    end
+    
+    it "'deliver_reset_password_instructions!' should generate a reset_password_token" do
+      create_new_user
+      @user.reset_password_token.should be_nil
+      @user.deliver_reset_password_instructions!
+      @user.reset_password_token.should_not be_nil
+    end
+
+    it "the reset_password_token should be random" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_time_between_emails, 0)
+      @user.deliver_reset_password_instructions!
+      old_password_code = @user.reset_password_token
+      @user.deliver_reset_password_instructions!
+      @user.reset_password_token.should_not == old_password_code
+    end
+
+    it "should send an email on reset" do
+      create_new_user
+      old_size = ActionMailer::Base.deliveries.size
+      @user.deliver_reset_password_instructions!
+      ActionMailer::Base.deliveries.size.should == old_size + 1
+    end
+
+    it "when reset_password! is called, should delete reset_password_token" do
+      create_new_user
+      @user.deliver_reset_password_instructions!
+      @user.reset_password_token.should_not be_nil
+      @user.reset_password!(:password => "blabulsdf")
+      @user.save!
+      @user.reset_password_token.should be_nil
+    end
+    
+    it "code isn't valid if expiration passed" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_expiration_period, 0.1)
+      @user.deliver_reset_password_instructions!
+      sleep 0.5
+      @user.reset_password_token_valid?.should == false
+    end
+    
+    it "code is valid if it's the same code and expiration period did not pass" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_expiration_period, 300)
+      @user.deliver_reset_password_instructions!
+      @user.reset_password_token_valid?.should == true
+    end
+    
+    it "code is valid if it's the same code and expiration period is nil" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_expiration_period, nil)
+      @user.deliver_reset_password_instructions!
+      @user.reset_password_token_valid?.should == true
+    end
+    
+    it "should not send an email if time between emails has not passed since last email" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_time_between_emails, 10000)
+      old_size = ActionMailer::Base.deliveries.size
+      @user.deliver_reset_password_instructions!
+      ActionMailer::Base.deliveries.size.should == old_size + 1
+      @user.deliver_reset_password_instructions!
+      ActionMailer::Base.deliveries.size.should == old_size + 1
+    end
+    
+    it "should send an email if time between emails has passed since last email" do
+      create_new_user
+      plugin_set_model_config_property(:reset_password_time_between_emails, 0.5)
+      old_size = ActionMailer::Base.deliveries.size
+      @user.deliver_reset_password_instructions!
+      ActionMailer::Base.deliveries.size.should == old_size + 1
+      sleep 0.5
+      @user.deliver_reset_password_instructions!
+      ActionMailer::Base.deliveries.size.should == old_size + 2
+    end
+    
+    it "if mailer is nil on activation, throw exception!" do
+      expect{plugin_model_configure([:reset_password])}.to raise_error(ArgumentError)
+    end
+    
+  end
+  
+end