sparkly-auth 1.0.2 → 1.1.0

data/spec/behaviors/core/controller_extensions_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe Auth::Behavior::Core::ControllerExtensions do
+  if Rails::VERSION::MAJOR == 2
+    subject { ApplicationController.call(Rack::MockRequest.env_for("/").merge('REQUEST_URI' => '')).template.controller }
+  elsif Rails::VERSION::MAJOR == 3
+    include RSpec::Rails::ControllerExampleGroup
+
+    # How's this for ANNOYING: at least in its current (admittedly beta) form, RSpec 2 hard codes controller_class to
+    # #describes -- which means the setter, self.controller_class=, is useless. Took me much longer than it should
+    # have to figure that out.
+    def self.controller_class
+      ApplicationController
+    end
+
+    subject { controller }
+    before(:each) do
+      get :not_found
+    end
+  end
+  
+  configure_auth do |config|
+    config.authenticate :user
+    config.session_duration = nil
+  end
+  
+  before(:each) do
+    unless User.count == 1
+      u = User.new(:email => "generic4@example.com")
+      u.password = u.password_confirmation = "Generic12"
+      u.save!
+    end
+  end
+  
+  it "should let users authenticate with single access token" do
+    subject.params = { :single_access_token => User.first.single_access_token }
+    subject.current_user.should be_kind_of(User)
+  end
+  
+  it "should not raise nil errors when Auth.session_duration is nil" do
+    if subject.respond_to?(:session=) # Rails2
+      subject.session = { :session_token => User.first.persistence_token }
+    else                              # Rails3
+      request.session = { :session_token => User.first.persistence_token }
+    end
+    
+    subject.current_user.should be_kind_of(User)
+  end
+end

data/spec/{lib/auth/behavior → behaviors}/core_spec.rb

@@ -1,11 +1,16 @@
 require 'spec_helper'
 
 describe "Behavior: Core" do
-  subject { Auth::Model.new(:user, :behaviors => [:core], :password_update_frequency => 30.days) }
-  
-  before(:each) do
-    subject.apply_options!
+  configure_auth do |conf|
+    conf.authenticate :user
+    conf.behaviors = :core
+    conf.password_update_frequency = 30.days
   end
+#  subject { Auth::Model.new(:user, :behaviors => [:core], :password_update_frequency => 30.days) }
+#  
+#  before(:each) do
+#    subject.apply_options!
+#  end
   
   context "user" do
     it "should not be able to reuse a previous password" do
@@ -50,11 +55,10 @@ describe "Behavior: Core" do
       password = "Ab12345"
       
       User.destroy_all
-      returning(User.new(:email => email)) { |user|
-        user.password = password
-        user.password_confirmation = password
-        user.save!
-      }
+      user = User.new(:email => email)
+      user.password = password
+      user.password_confirmation = password
+      user.save!
 
       User.find_by_email(email).password_matches?(password).should == true
     end
@@ -135,7 +139,11 @@ describe "Behavior: Core" do
     
     pw.secret_confirmation = "Hello1"
     pw.valid?
-    pw.errors.on(:secret).should == "doesn't match confirmation"
+    if Rails::VERSION::MAJOR == 2
+      pw.errors.on(:secret).should == "doesn't match confirmation"
+    else
+      pw.errors[:secret].should == ["doesn't match confirmation"]
+    end
     
     pw.secret_confirmation = "Hello12"
     pw.should be_valid
@@ -150,13 +158,17 @@ describe "Behavior: Core" do
   end
 
   it 'should validate password complexity' do
-    error_on(Password, :secret, "Ab12345").should == nil
+    error_on(Password, :secret, "Ab12345").should be_nil
     error_on(Password, :secret, "1234567").should ==
              "must contain at least 1 uppercase, 1 lowercase and 1 number"
     error_on(Password, :secret, "abcdefg").should ==
              "must contain at least 1 uppercase, 1 lowercase and 1 number"
     error_on(Password, :secret, "ABCDEFG").should ==
              "must contain at least 1 uppercase, 1 lowercase and 1 number"
+    error_on(Password, :secret, "a2dfgha").should ==
+             "must contain at least 1 uppercase, 1 lowercase and 1 number"
+    error_on(Password, :secret, "A2BASDF").should ==
+             "must contain at least 1 uppercase, 1 lowercase and 1 number"
   end
   
   it 'should add has_many :passwords to User' do
@@ -171,7 +183,12 @@ describe "Behavior: Core" do
   end
   
   context "with password update frequency 90 days" do
-    subject { Auth::Model.new(:user, :behaviors => [:core], :password_update_frequency => 90.days) }
+    configure_auth do |conf|
+      conf.authenticate :user
+      conf.behaviors = :core
+      conf.password_update_frequency = 90.days
+    end
+#    subject { Auth::Model.new(:user, :behaviors => [:core], :password_update_frequency => 90.days) }
 
     it "should expire passwords after 90 days or if no password is available" do
       (u = User.new).password_expired?.should be_true # because there're no passwords yet

data/spec/behaviors/remember_me/configuration_spec.rb

@@ -0,0 +1,16 @@
+require 'spec_helper'
+
+describe Auth::Behavior::RememberMe::Configuration do
+  configure_auth do |config|
+    config.authenticate :user
+    config.behaviors = :core, :remember_me
+  end
+  
+  it "should be accessible from a model" do
+    User.sparkly_config.remember_me.should be_kind_of(Auth::Behavior::RememberMe::Configuration)
+  end
+  
+  it "should be enabled" do
+    Auth.remember_me.should be_enabled
+  end
+end

data/spec/behaviors/remember_me_spec.rb

@@ -0,0 +1,167 @@
+require 'spec_helper'
+
+if RSPEC_VERSION == 1
+  require 'spec/rails'
+end
+
+describe 'Behavior: Remember Me', :type => :controller do
+  if Rails::VERSION::MAJOR == 2
+    # nothing, because we overrode self.controller_class
+  elsif Rails::VERSION::MAJOR == 3
+    include RSpec::Rails::ControllerExampleGroup
+  end
+  
+  subject { controller }
+
+  # How's this for ANNOYING: at least in its current (admittedly beta) form, RSpec 2 hard codes controller_class to
+  # #describes -- which means the setter, self.controller_class=, is useless. Took me much longer than it should
+  # have to figure that out.
+  #
+  # Also, RSpec 1 doesn't make it very easy (read: nigh unto impossible) to lazy load the controller class like we
+  # need to do -- so it's been overridden here for all versions.
+  def self.controller_class
+    SparklySessionsController
+  end
+  
+  def cookies
+    subject.send(:cookies)
+  end
+  
+  def reset_auth!
+    # the lack of a current user will trigger authentication of various flavors, making these tests possible.
+    subject.instance_variable_set("@current_user", nil)
+  end
+  
+  configure_auth do |config|
+    config.authenticate :user
+    config.behaviors = :core, :remember_me
+    config.remember_me.duration = 6.months
+  end
+  
+  before(:each) do
+    u = User.new(:email => "generic12@example.com")
+    u.password = u.password_confirmation = "Generic12"
+    u.save!
+  end
+  
+  context "login" do
+    context "with remember_me disabled" do
+      before(:each) do
+        post :create, { :model => "User", :user => { :email => "generic12@example.com", :password => "Generic12", :remember_me => false } }
+      end
+
+      it("should log in successfully") { subject.current_user.should_not be_nil }
+
+      it "should not set a remembrance token cookie" do
+        session[:session_token].should_not be_blank
+        RemembranceToken.count.should == 0
+        cookies[:remembrance_token].should be_blank
+      end
+    end
+    
+    context "with remember_me enabled" do
+      before(:each) do
+        post :create, { :model => "User", :user => { :email => "generic12@example.com", :password => "Generic12", :remember_me => true } }
+      end
+
+      it("should log in successfully") { subject.current_user.should_not be_nil }
+
+      it "should set a remembrance token cookie" do
+        session[:session_token].should_not be_blank
+    
+        # There should be a token in the remebered_tokens table. We can use that data to decide
+        # what should be in the cookie.
+        RemembranceToken.count.should == 1
+    
+        # We're looking for a string containing password model ID, series token, and auth token.
+        token = RemembranceToken.first
+    
+        cookies[:remembrance_token].should == token.value
+      end
+    end
+  end
+  
+  context "a user with a remember token" do
+    before(:each) do
+      post :create, { :model => "User", :user => { :email => "generic12@example.com", :password => "Generic12", :remember_me => true } }
+    end
+    
+    shared_examples_for "an expired or missing session" do
+      it "should authenticate with the auth token cookie" do
+        subject.current_user.should_not be_nil
+      end
+      
+      it "should generate a new auth token cookie" do
+        token = cookies[:remembrance_token]
+        subject.current_user
+        cookies[:remembrance_token].should_not == token
+      end
+      
+      it "should not change the series identifier" do
+        subject.current_user
+        subject.current_user.remembrance_tokens.first.series_token == @series_identifier
+      end
+      
+      context "and an invalid token id but valid series id" do
+        before(:each) do
+          cookies[:remembrance_token] = { :value => cookies[:remembrance_token]+"1", :expires => 6.months.from_now }
+          reset_auth!
+        end
+        
+        it "should be considered a theft" do
+          # because the token is changed every time - if the wrong token is used it is due either to tampering or to
+          # using an expired token, indicating that someone has stolen and used the one-use token.
+          subject.current_user
+          flash[:error].should == Auth.remember_me.token_theft_message
+        end
+        
+        it "should delete all remembrance tokens" do
+          subject.current_user.remembrance_tokens.count.should == 0
+        end
+      end
+      
+      context "and token data is not present" do
+        before(:each) do
+          cookies[:remembrance_token] = { :value => "", :expires => 6.months.from_now }
+          reset_auth!
+        end
+        
+        it "should not authenticate the user" do
+          subject.current_user.should == false
+        end
+      end
+      
+      context "and token is missing" do
+        before(:each) do
+          cookies.delete(:remembrance_token)
+          #cookies[:remembrance_token] = nil
+          reset_auth!
+        end
+        
+        it "should not authenticate the user" do
+          subject.current_user.should == false
+        end
+      end
+    end
+    
+    context "and an expired session" do
+      before(:each) do
+        @series_identifier = subject.current_user.remembrance_tokens.first.series_token
+        session[:active_at] = 30.days.ago # i'm pretty sure this is past the session duration.
+        reset_auth!
+      end
+      
+      it_should_behave_like "an expired or missing session"
+    end
+    
+    context "and a missing session" do
+      before(:each) do
+        @series_identifier = subject.current_user.remembrance_tokens.first.series_token
+        session.clear
+        reset_auth!
+      end
+      
+      it_should_behave_like "an expired or missing session"
+    end
+  end
+end

data/spec/generators/sanity_checks_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+
+# Sanity checks that remind me to change a template when I change the corresponding code, or
+# to add a file that I might otherwise forget.
+
+describe :sparkly do
+  def self.it_should_generate_and_match(to_gen, existing = to_gen)
+    it "should generate #{to_gen} which matches #{existing}" do
+      existing = File.join(File.dirname(__FILE__), '../../', existing)
+      subject.should generate(to_gen) { |content| File.read(existing).strip.should == content.strip }
+    end
+  end
+  
+  before(:each) do
+    Auth.configuration.authenticate(:user,
+                                    :accounts_controller => 'sparkly_accounts',
+                                    :sessions_controller => 'sparkly_sessions')
+    Auth.kick!
+  end
+  
+  context "sanity checks" do
+    with_args "config", '-q' do
+      # configs can vary widely but the test here is to verify that the default generated config matches
+      # the one we're currently using. That way we can verify that it'll at least work out of the box.
+      if Rails::VERSION::MAJOR == 3
+        it_should_generate_and_match("config/initializers/sparkly_authentication.rb", "spec_env/rails3/config/initializers/sparkly_authentication.rb")
+      else
+        it_should_generate_and_match("config/initializers/sparkly_authentication.rb", "spec_env/rails2/config/initializers/sparkly_authentication.rb")
+      end
+    end
+    
+    context "migrations", '-q' do
+      # migrations take care of themselves because I simply add them in place and then regenerate them
+      # in the test projects directly.
+    end
+    
+    with_args 'views', '-q' do
+      base = File.join(Auth.path, "../")
+      Dir[File.join(base, "app/views/**/*")].each do |fi|
+        if File.file?(fi)
+          it_should_generate_and_match(fi.gsub(/^#{Regexp::escape base}/, ''))
+        end
+      end
+#      it_should_generate_and_match('app/views/sparkly_accounts/edit.html.erb')
+#      it_should_generate_and_match('app/views/sparkly_accounts/new.html.erb')
+#      it_should_generate_and_match('app/views/sparkly_accounts/show.html.erb')
+#      
+#      it_should_generate_and_match('app/views/sparkly_sessions/new.html.erb')
+    end
+
+    with_args 'controllers', '-q' do
+      it_should_generate_and_match('app/controllers/sparkly_accounts_controller.rb')
+      it_should_generate_and_match('app/controllers/sparkly_sessions_controller.rb')
+      it_should_generate_and_match('app/helpers/sparkly_accounts_helper.rb')
+      it_should_generate_and_match('app/helpers/sparkly_sessions_helper.rb')
+    end
+  end
+end

data/spec/lib/auth/configuration_spec.rb

@@ -0,0 +1,61 @@
+# The majority of the configuration object is transient and is tested between auth_spec and the behaviors.
+
+require 'spec_helper'
+
+describe Auth::Configuration do
+  it "should have #configuration_keys" do
+    subject.configuration_keys.should_not be_empty
+  end
+  
+  context "given a single behavior" do
+    before(:each) { subject.behaviors = :core }
+    
+    it "should return an array" do
+      subject.behaviors.should == [:core]
+    end
+  end
+  
+  context "with an authenticated model" do
+    before(:each) { subject.authenticate :user }
+    
+    it "should have a password update frequency option" do
+      subject.authenticated_models.first.options.keys.should include(:password_update_frequency)
+    end
+    
+    it "should use the default password frequency in the model options" do
+      subject.authenticated_models.first.options[:password_update_frequency].should == 30.days
+    end
+    
+    context "and a single behavior" do
+      before(:each) { subject.behavior = :core }
+      
+      it "should return an array" do
+        subject.authenticated_models.first.behaviors.should == [:core]
+      end
+    end
+    
+    context "and two behaviors" do
+      before(:each) { subject.behaviors = :core, :remember_me }
+      
+      it "should use both behaviors in the authenticated model" do
+        subject.authenticated_models.first.behaviors.should == [:core, :remember_me]
+      end
+    end
+    
+    context "and a password update frequency" do
+      before(:each) { subject.password_update_frequency = 60.days }
+      
+      it "should use the high level password frequency in the model options (because it lacks an overriding setting)" do
+        subject.authenticated_models.first.options[:password_update_frequency].should == 60.days
+      end
+      
+      context "followed by an overridden password update frequency" do
+        before(:each) { subject.password_update_frequency = 90.days }
+        
+        it "should use the most recent level password frequency in the model options (because it lacks an overriding setting)" do
+          subject.authenticated_models.first.options[:password_update_frequency].should == 90.days
+        end
+      end
+    end
+  end
+end

data/spec/lib/auth/model_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Auth::Model do
   context "given nonexisting model name" do
-    subject { Auth::Model.new(:nonexisting_user) }
+    subject { Auth::Model.new(:nonexisting_user, :behaviors => [:core]) }
     
     it "should fail silently during initialization because it might not have been generated yet" do
       proc { subject }.should_not raise_error
@@ -10,11 +10,10 @@ describe Auth::Model do
   end
   
   context "with default options" do
-    subject { Auth::Model.new(:user) }
+    subject { Auth::Model.new(:user, :behaviors => [:core]) }
     
     before(:each) do
-      Dispatcher.cleanup_application
-      Dispatcher.reload_application
+      reload!
       subject.apply_options!
     end
     
@@ -30,23 +29,21 @@ describe Auth::Model do
   context "with an empty :behaviors option" do
     subject { Auth::Model.new(:user, :behaviors => []) }
     before(:each) do
-      Dispatcher.cleanup_application
-      Dispatcher.reload_application
+      reload!
       subject.apply_options!
     end
     it "should have no behaviors" do subject.behaviors.should be_empty end
   end
   
   context "with a hash for :with option" do
-    subject { Auth::Model.new(:user, :with => {
+    subject { Auth::Model.new(:user, :behaviors => [:core], :with => {
             :secret => :passwd,
             :format => /^.{8}$/,
             :message => "must be exactly 8 characters"
     })}
     
     before(:each) do
-      Dispatcher.cleanup_application
-      Dispatcher.reload_application
+      reload!
       subject.apply_options!
     end