sorcery 0.13.0 → 0.16.1

data/spec/controllers/controller_spec.rb

@@ -150,6 +150,16 @@ describe SorceryController, type: :controller do
       end
     end
 
+    it 'require_login before_action does not save the url for JSON requests' do
+      get :some_action, format: :json
+      expect(session[:return_to_url]).to be_nil
+    end
+
+    it 'require_login before_action does not save the url for XHR requests' do
+      get :some_action, xhr: true
+      expect(session[:return_to_url]).to be_nil
+    end
+
     it 'on successful login the user is redirected to the url he originally wanted' do
       session[:return_to_url] = 'http://test.host/some_action'
       post :test_return_to, params: { email: 'bla@bla.com', password: 'secret' }
@@ -161,7 +171,7 @@ describe SorceryController, type: :controller do
     # --- auto_login(user) ---
     specify { should respond_to(:auto_login) }
 
-    it 'auto_login(user) los in a user instance' do
+    it 'auto_login(user) logs in a user instance' do
       session[:user_id] = nil
       subject.auto_login(user)
 

data/spec/providers/example_provider_spec.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'sorcery/providers/base'
+
+describe Sorcery::Providers::ExampleProvider do
+  before(:all) do
+    sorcery_reload!([:external])
+    sorcery_controller_property_set(:external_providers, [:example_provider])
+  end
+
+  context 'fetching a multi-word custom provider' do
+    it 'returns the provider' do
+      expect(Sorcery::Controller::Config.example_provider).to be_a(Sorcery::Providers::ExampleProvider)
+    end
+  end
+end

data/spec/providers/example_spec.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'sorcery/providers/base'
+
+describe Sorcery::Providers::Example do
+  before(:all) do
+    sorcery_reload!([:external])
+    sorcery_controller_property_set(:external_providers, [:example])
+  end
+
+  context 'fetching a single-word custom provider' do
+    it 'returns the provider' do
+      expect(Sorcery::Controller::Config.example).to be_a(Sorcery::Providers::Example)
+    end
+  end
+end

data/spec/rails_app/app/assets/config/manifest.js

@@ -0,0 +1 @@
+{}

data/spec/rails_app/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/spec/rails_app/app/controllers/sorcery_controller.rb

@@ -1,11 +1,12 @@
 require 'oauth'
 
-class SorceryController < ActionController::Base
+class SorceryController < ApplicationController
   protect_from_forgery
 
   before_action :require_login_from_http_basic, only: [:test_http_basic_auth]
   before_action :require_login, only: %i[
     test_logout
+    test_logout_with_forget_me
     test_logout_with_force_forget_me
     test_should_be_logged_in
     some_action
@@ -50,6 +51,13 @@ class SorceryController < ActionController::Base
     head :ok
   end
 
+  def test_logout_with_forget_me
+    remember_me!
+    forget_me!
+    logout
+    head :ok
+  end
+
   def test_logout_with_force_forget_me
     remember_me!
     force_forget_me!
@@ -142,6 +150,10 @@ class SorceryController < ActionController::Base
     login_at(:slack)
   end
 
+  def login_at_test_line
+    login_at(:line)
+  end
+
   def login_at_test_with_state
     login_at(:facebook, state: 'bla')
   end
@@ -154,6 +166,14 @@ class SorceryController < ActionController::Base
     login_at(:auth0)
   end
 
+  def login_at_test_discord
+    login_at(:discord)
+  end
+
+  def login_at_test_battlenet
+    login_at(:battlenet)
+  end
+
   def test_login_from_twitter
     if (@user = login_from(:twitter))
       redirect_to 'bla', notice: 'Success!'
@@ -268,6 +288,30 @@ class SorceryController < ActionController::Base
     end
   end
 
+  def test_login_from_line
+    if @user = login_from(:line)
+      redirect_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
+  def test_login_from_discord
+    if (@user = login_from(:discord))
+      redirect_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
+  def test_login_from_battlenet
+    if (@user = login_from(:battlenet))
+      redirect_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
   def test_return_to_with_external_twitter
     if (@user = login_from(:twitter))
       redirect_back_or_to 'bla', notice: 'Success!'
@@ -382,6 +426,30 @@ class SorceryController < ActionController::Base
     end
   end
 
+  def test_return_to_with_external_line
+    if @user = login_from(:line)
+      redirect_back_or_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
+  def test_return_to_with_external_discord
+    if (@user = login_from(:discord))
+      redirect_back_or_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
+  def test_return_to_with_external_battlenet
+    if (@user = login_from(:battlenet))
+      redirect_back_or_to 'bla', notice: 'Success!'
+    else
+      redirect_to 'blu', alert: 'Failed!'
+    end
+  end
+
   def test_create_from_provider
     provider = params[:provider]
     login_from(provider)

data/spec/rails_app/config/routes.rb

@@ -11,6 +11,7 @@ AppRoot::Application.routes.draw do
     get :test_login_from_cookie
     get :test_login_from
     get :test_logout_with_remember
+    get :test_logout_with_forget_me
     get :test_logout_with_force_forget_me
     get :test_invalidate_active_session
     get :test_should_be_logged_in
@@ -32,6 +33,9 @@ AppRoot::Application.routes.draw do
     get :test_login_from_slack
     get :test_login_from_instagram
     get :test_login_from_auth0
+    get :test_login_from_line
+    get :test_login_from_discord
+    get :test_login_from_battlenet
     get :login_at_test
     get :login_at_test_twitter
     get :login_at_test_facebook
@@ -47,6 +51,9 @@ AppRoot::Application.routes.draw do
     get :login_at_test_slack
     get :login_at_test_instagram
     get :login_at_test_auth0
+    get :login_at_test_line
+    get :login_at_test_discord
+    get :login_at_test_battlenet
     get :test_return_to_with_external
     get :test_return_to_with_external_twitter
     get :test_return_to_with_external_facebook
@@ -62,6 +69,9 @@ AppRoot::Application.routes.draw do
     get :test_return_to_with_external_slack
     get :test_return_to_with_external_instagram
     get :test_return_to_with_external_auth0
+    get :test_return_to_with_external_line
+    get :test_return_to_with_external_discord
+    get :test_return_to_with_external_battlenet
     get :test_http_basic_auth
     get :some_action_making_a_non_persisted_change_to_the_user
     post :test_login_with_remember

data/spec/shared_examples/user_reset_password_shared_examples.rb

@@ -14,6 +14,8 @@ shared_examples_for 'rails_3_reset_password_model' do
     context 'API' do
       specify { expect(user).to respond_to :deliver_reset_password_instructions! }
 
+      specify { expect(user).to respond_to :change_password }
+
       specify { expect(user).to respond_to :change_password! }
 
       it 'responds to .load_from_reset_password_token' do
@@ -314,13 +316,27 @@ shared_examples_for 'rails_3_reset_password_model' do
       end
     end
 
-    it 'when change_password! is called, deletes reset_password_token' do
+    it 'when change_password! is called, deletes reset_password_token and calls #save!' do
       user.deliver_reset_password_instructions!
 
       expect(user.reset_password_token).not_to be_nil
+      expect(user).to_not receive(:save)
+      expect(user).to receive(:save!)
 
       user.change_password!('blabulsdf')
-      user.save!
+
+      expect(user.reset_password_token).to be_nil
+    end
+
+    it 'when change_password is called, deletes reset_password_token and calls #save' do
+      new_password = 'blabulsdf'
+
+      user.deliver_reset_password_instructions!
+      expect(user.reset_password_token).not_to be_nil
+      expect(user).to_not receive(:save!)
+      expect(user).to receive(:save)
+
+      user.change_password(new_password)
 
       expect(user.reset_password_token).to be_nil
     end

data/spec/shared_examples/user_shared_examples.rb

@@ -54,6 +54,13 @@ shared_examples_for 'rails_3_core_model' do
       expect(User.sorcery_config.custom_encryption_provider).to eq Array
     end
 
+    it "enables configuration option 'pepper'" do
+      pepper = '*$%&%*++'
+      sorcery_model_property_set(:pepper, pepper)
+
+      expect(User.sorcery_config.pepper).to eq pepper
+    end
+
     it "enables configuration option 'salt_join_token'" do
       salt_join_token = '--%%*&-'
       sorcery_model_property_set(:salt_join_token, salt_join_token)
@@ -459,6 +466,14 @@ shared_examples_for 'rails_3_core_model' do
       expect(User.encrypt(@text)).to eq Sorcery::CryptoProviders::SHA512.encrypt(@text)
     end
 
+    it 'if encryption algo is bcrypt it works' do
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # comparison is done using BCrypt::Password#==(raw_token), not by String#==
+      expect(User.encrypt(@text)).to be_an_instance_of BCrypt::Password
+      expect(User.encrypt(@text)).to eq @text
+    end
+
     it 'salt is random for each user and saved in db' do
       sorcery_model_property_set(:salt_attribute_name, :salt)
 
@@ -488,6 +503,54 @@ shared_examples_for 'rails_3_core_model' do
 
       expect(user.crypted_password).to eq Sorcery::CryptoProviders::SHA512.encrypt('secret', user.salt)
     end
+
+    it 'if pepper is set uses it to encrypt' do
+      sorcery_model_property_set(:salt_attribute_name, :salt)
+      sorcery_model_property_set(:pepper, '++@^$')
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # password comparison is done using BCrypt::Password#==(raw_token), not String#==
+      bcrypt_password = BCrypt::Password.new(user.crypted_password)
+      allow(::BCrypt::Password).to receive(:create) do |token, options = {}|
+        # need to use common BCrypt's salt when genarating BCrypt::Password objects
+        # so that any generated password hashes can be compared each other
+        ::BCrypt::Engine.hash_secret(token, bcrypt_password.salt)
+      end
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret')
+
+      Sorcery::CryptoProviders::BCrypt.pepper = ''
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+
+      Sorcery::CryptoProviders::BCrypt.pepper = User.sorcery_config.pepper
+
+      expect(user.crypted_password).to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+    end
+
+    it 'if pepper is empty string (default) does not use pepper to encrypt' do
+      sorcery_model_property_set(:salt_attribute_name, :salt)
+      sorcery_model_property_set(:pepper, '')
+      sorcery_model_property_set(:encryption_algorithm, :bcrypt)
+
+      # password comparison is done using BCrypt::Password#==(raw_token), not String#==
+      bcrypt_password = BCrypt::Password.new(user.crypted_password)
+      allow(::BCrypt::Password).to receive(:create) do |token, options = {}|
+        # need to use common BCrypt's salt when genarating BCrypt::Password objects
+        # so that any generated password hashes can be compared each other
+        ::BCrypt::Engine.hash_secret(token, bcrypt_password.salt)
+      end
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret')
+
+      Sorcery::CryptoProviders::BCrypt.pepper = 'some_pepper'
+
+      expect(user.crypted_password).not_to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+
+      Sorcery::CryptoProviders::BCrypt.pepper = User.sorcery_config.pepper
+
+      expect(user.crypted_password).to eq Sorcery::CryptoProviders::BCrypt.encrypt('secret', user.salt)
+    end
   end
 
   describe 'ORM adapter' do

data/spec/sorcery_crypto_providers_spec.rb

@@ -148,6 +148,7 @@ describe 'Crypto Providers wrappers' do
     before(:all) do
       Sorcery::CryptoProviders::BCrypt.cost = 1
       @digest = BCrypt::Password.create('Noam Ben-Ari', cost: Sorcery::CryptoProviders::BCrypt.cost)
+      @tokens = %w[password gq18WBnJYNh2arkC1kgH]
     end
 
     after(:each) do
@@ -181,5 +182,64 @@ describe 'Crypto Providers wrappers' do
       # stubbed in Sorcery::TestHelpers::Internal
       expect(Sorcery::CryptoProviders::BCrypt.cost).to eq 1
     end
+
+    it 'matches token encrypted with salt from upstream' do
+      # note: actual comparison is done by BCrypt::Password#==(raw_token)
+      expect(Sorcery::CryptoProviders::BCrypt.encrypt(@tokens)).to eq @tokens.flatten.join
+    end
+
+    it 'respond_to?(:pepper) returns true' do
+      expect(Sorcery::CryptoProviders::BCrypt.respond_to?(:pepper)).to be true
+    end
+
+    context 'when pepper is provided' do
+      before(:each) do
+        Sorcery::CryptoProviders::BCrypt.pepper = 'pepper'
+        @digest = Sorcery::CryptoProviders::BCrypt.encrypt(@tokens) # a BCrypt::Password object
+      end
+
+      it 'matches token encrypted with salt and pepper from upstream' do
+        # note: actual comparison is done by BCrypt::Password#==(raw_token)
+        expect(@digest).to eq @tokens.flatten.join.concat('pepper')
+      end
+
+      it 'matches? returns true when matches' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be true
+      end
+
+      it 'matches? returns false when pepper is replaced with empty string' do
+        Sorcery::CryptoProviders::BCrypt.pepper = ''
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be false
+      end
+
+      it 'matches? returns false when no match' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, 'a_random_incorrect_password')).to be false
+      end
+    end
+
+    context "when pepper is an empty string (default)" do
+      before(:each) do
+        Sorcery::CryptoProviders::BCrypt.pepper = ''
+        @digest = Sorcery::CryptoProviders::BCrypt.encrypt(@tokens) # a BCrypt::Password object
+      end
+
+      # make sure the default pepper '' does nothing
+      it 'matches token encrypted with salt only (without pepper)' do
+        expect(@digest).to eq @tokens.flatten.join # keep consistency with the older versions of #join_token
+      end
+
+      it 'matches? returns true when matches' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be true
+      end
+
+      it 'matches? returns false when pepper has changed' do
+        Sorcery::CryptoProviders::BCrypt.pepper = 'a new pepper'
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, *@tokens)).to be false
+      end
+
+      it 'matches? returns false when no match' do
+        expect(Sorcery::CryptoProviders::BCrypt.matches?(@digest, 'a_random_incorrect_password')).to be false
+      end
+    end
   end
 end

data/spec/support/migration_helper.rb

@@ -1,7 +1,9 @@
 class MigrationHelper
   class << self
     def migrate(path)
-      if ActiveRecord.version >= Gem::Version.new('5.2.0')
+      if ActiveRecord.version >= Gem::Version.new('6.0.0')
+        ActiveRecord::MigrationContext.new(path, schema_migration).migrate
+      elsif ActiveRecord.version >= Gem::Version.new('5.2.0')
         ActiveRecord::MigrationContext.new(path).migrate
       else
         ActiveRecord::Migrator.migrate(path)
@@ -9,11 +11,19 @@ class MigrationHelper
     end
 
     def rollback(path)
-      if ActiveRecord.version >= Gem::Version.new('5.2.0')
+      if ActiveRecord.version >= Gem::Version.new('6.0.0')
+        ActiveRecord::MigrationContext.new(path, schema_migration).rollback
+      elsif ActiveRecord.version >= Gem::Version.new('5.2.0')
         ActiveRecord::MigrationContext.new(path).rollback
       else
         ActiveRecord::Migrator.rollback(path)
       end
     end
+
+    private
+
+    def schema_migration
+      ActiveRecord::Base.connection.schema_migration
+    end
   end
 end