spree_auth_devise 4.3.3 → 4.4.2

data/lib/spree/testing_support/auth_helpers.rb

@@ -1,34 +1,42 @@
 module Spree
   module TestingSupport
     module AuthHelpers
-      def log_in(email:, password:, remember_me: true)
-        visit spree.login_path
+      def login_button
+        Spree.version.to_f == 4.1 ? Spree.t(:log_in) : Spree.t(:login)
+      end
+
+      def logout_button
+        Spree.version.to_f == 4.1 ? Spree.t('nav_bar.log_out') : Spree.t(:logout).upcase
+      end
+
+      def log_in(email:, password:, remember_me: true, locale: nil)
+        visit spree.login_path(locale: locale)
 
-        fill_in 'Email', with: email
-        fill_in 'Password', with: password
+        fill_in Spree.t(:email), with: email
+        fill_in Spree.t(:password), with: password
 
         # Regression test for #1257
-        first('label', text: 'Remember me').click if remember_me
-        click_button 'Log in'
+        first('label', text: Spree.t(:remember_me)).click if remember_me
+        click_button login_button
 
-        expect(page).to have_content 'Logged in successfully'
+        expect(page).to have_content Spree.t(:logged_in_successfully)
       end
 
       def log_out
         show_user_menu
-        click_link 'LOG OUT'
+        click_link logout_button
 
         expect(page).to have_content 'Signed out successfully'
       end
 
       def show_user_menu
-        find("button[aria-label='Show user menu']").click
+        find("button[aria-label='#{Spree.t('nav_bar.show_user_menu')}']").click
       end
 
       def show_user_account
         within '#nav-bar' do
           show_user_menu
-          click_link 'MY ACCOUNT'
+          click_link Spree.t(:my_account).upcase
         end
       end
     end

data/lib/views/backend/spree/admin/user_passwords/edit.html.erb

@@ -1,15 +1,16 @@
-<%= render :partial => 'spree/shared/error_messages', :locals => { :target => @spree_user } %>
+<%= render partial: 'spree/admin/shared/error_messages', locals: { target: @spree_user } %>
+
 <h2><%= Spree.t(:change_my_password) %></h2>
 
-<%= form_for @spree_user, :as => :spree_user, :url => spree.update_password_path, :method => :put do |f| %>
-  <p>
-    <%= f.label :password, Spree.t(:password) %><br />
-    <%= f.password_field :password %><br />
-  </p>
-  <p>
-    <%= f.label :password_confirmation, Spree.t(:confirm_password) %><br />
-    <%= f.password_field :password_confirmation %><br />
-  </p>
+<%= form_for @spree_user, as: :spree_user, url: spree.admin_update_password_path, method: :put do |f| %>
+  <div class="form-group">
+    <%= f.label :password, Spree.t(:password) %>
+    <%= f.password_field :password, class: 'form-control', required: true %>
+  </div>
+  <div class="form-group">
+    <%= f.label :password_confirmation, Spree.t(:confirm_password) %>
+    <%= f.password_field :password_confirmation, class: 'form-control', required: true %>
+  </div>
   <%= f.hidden_field :reset_password_token %>
-  <%= f.submit Spree.t(:update), :class => 'button primary' %>
+  <%= f.submit Spree.t(:update), class: 'btn btn-primary btn-block' %>
 <% end %>

data/lib/views/backend/spree/admin/user_passwords/new.html.erb

@@ -1,17 +1,15 @@
-<%= render :partial => 'spree/shared/error_messages', :locals => { :target => @spree_user } %>
+<%= render partial: 'spree/admin/shared/error_messages', locals: { target: @spree_user } %>
 
-<div id="forgot-password">
-  <h6><%= Spree.t(:forgot_password) %></h6>
+<div id="forgot-password" class="col-lg-6">
+  <h1><%= Spree.t(:forgot_password) %></h1>
 
   <p><%= Spree.t(:instructions_to_reset_password) %></p>
 
-  <%= form_for Spree.user_class.new, :as => :spree_user, :url => spree.reset_password_path do |f| %>
-    <p>
-      <%= f.label :email, Spree.t(:email) %><br />
-      <%= f.email_field :email %>
-    </p>
-    <p>
-      <%= f.submit Spree.t(:reset_password), :class => 'button primary' %>
-    </p>
+  <%= form_for Spree.user_class.new, :as => :spree_user, :url => spree.admin_reset_password_path, data: { turbo: false } do |f| %>
+    <div class="form-group">
+      <%= f.label :email, Spree.t(:email) %>
+      <%= f.email_field :email, class: 'form-control', required: true %>
+    </div>
+    <%= f.submit Spree.t(:reset_password), class: 'btn btn-primary' %>
   <% end %>
 </div>

data/lib/views/backend/spree/admin/user_sessions/new.html.erb

@@ -8,7 +8,7 @@
       <div id="password-credentials">
         <div class="form-group text-center">
           <%= f.label :email, Spree.t(:email) %>
-          <%= f.email_field :email, class: 'form-control', tabindex: 1, placeholder: Spree.t(:email) %>  
+          <%= f.email_field :email, class: 'form-control', tabindex: 1, placeholder: Spree.t(:email) %>
         </div>
         <div class="form-group text-center">
           <%= f.label :password, Spree.t(:password) %>
@@ -21,12 +21,12 @@
             <%= f.label :remember_me do %>
               <%= f.check_box :remember_me, :tabindex => 3 %>
               <%= Spree.t(:remember_me) %>
-            <% end %>  
+            <% end %>
           </div>
           <div class="col-lg-6 text-right">
             <%= link_to Spree.t(:forgot_password), spree.admin_recover_password_path %>
-          </div>  
-        </div>      
+          </div>
+        </div>
       </div>
       <div class="form-group">
         <%= f.submit Spree.t(:login), :class => 'btn btn-primary btn-block', :tabindex => 4 %>

data/spec/controllers/spree/user_sessions_controller_spec.rb

@@ -137,7 +137,7 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
           request.cookie_jar.signed[:guest_token] = 'ABC'
           request.cookie_jar.signed[:token] = 'DEF'
         end
-          
+
         it 'assigns the correct token attribute for the order' do 
           if Spree.version.to_f > 3.6
             order = create(:order, email: user.email, token: 'ABC', user_id: nil, created_by_id: nil)
@@ -157,6 +157,18 @@ RSpec.describe Spree::UserSessionsController, type: :controller do
           post :create, params: { spree_user: { email: user.email, password: 'secret' }}
           expect(response).to redirect_to spree.account_path
         end
+
+        context 'different locale' do
+          before do
+            Spree::Store.default.update(default_locale: 'en', supported_locales: 'en,fr') if Spree.version.to_f >= 4.2
+          end
+
+          it 'redirects to localized account path after signing in' do
+            skip if Spree.version.to_f < 4.2
+            post :create, params: { spree_user: { email: user.email, password: 'secret' }, locale: 'fr' }
+            expect(response).to redirect_to spree.account_path(locale: 'fr')
+          end
+        end
       end
 
       context "and js format is used" do

data/spec/controllers/spree/users_controller_spec.rb

@@ -25,7 +25,7 @@ RSpec.describe Spree::UsersController, type: :controller do
       it 'performs update' do
         put :update, params: { user: { email: 'mynew@email-address.com' } }
         expect(assigns[:user].email).to eq 'mynew@email-address.com'
-        expect(response).to redirect_to spree.account_url(only_path: true)
+        expect(response).to redirect_to spree.account_path
       end
     end
 

data/spec/features/account_spec.rb

@@ -10,7 +10,7 @@ RSpec.feature 'Accounts', type: :feature do
 
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
 
       show_user_account
       expect(page).to have_text 'admin@person.com'
@@ -43,7 +43,7 @@ RSpec.feature 'Accounts', type: :feature do
 
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
 
       show_user_account
       expect(page).to have_text 'email@person.com'

data/spec/features/admin/orders_spec.rb

@@ -1,6 +1,7 @@
 RSpec.feature 'Admin orders', type: :feature do
   background do
-    sign_in_as! create(:admin_user)
+    user = create(:admin_user)
+    log_in email: user.email, password: user.password
   end
 
   # Regression #203
@@ -15,7 +16,8 @@ RSpec.feature 'Admin orders', type: :feature do
 
   # Regression #203
   scenario 'can not edit orders' do
-    expect { visit spree.edit_admin_order_path('nodata') }.to raise_error(ActiveRecord::RecordNotFound)
+    visit spree.edit_admin_order_path('nodata')
+    expect(page).to have_text('Order is not found')
   end
 
   # Regression #203

data/spec/features/admin/password_reset_spec.rb

@@ -7,7 +7,7 @@ RSpec.feature 'Admin - Reset Password', type: :feature do
     user = create(:user, email: 'foobar@example.com', password: 'secret', password_confirmation: 'secret')
     visit spree.admin_login_path
     click_link 'Forgot password?'
-    fill_in 'Email', with: 'foobar@example.com'
+    fill_in 'Email', with: user.email
     click_button 'Reset my password'
     expect(page).to have_text 'You will receive an email with instructions'
   end

data/spec/features/admin/sign_in_spec.rb

@@ -13,8 +13,8 @@ RSpec.feature 'Admin - Sign In', type: :feature do
     log_in(email: @user.email, password: 'secret')
     show_user_menu
 
-    expect(page).not_to have_text 'Login'
-    expect(page).to have_text 'LOG OUT'
+    expect(page).not_to have_text login_button.upcase
+    expect(page).to have_text logout_button.upcase
     expect(current_path).to eq '/account'
   end
 
@@ -33,13 +33,13 @@ RSpec.feature 'Admin - Sign In', type: :feature do
 
     fill_in 'Email', with: user.email
     fill_in 'Password', with: 'secret'
+    click_button login_button
+
     if Spree.version.to_f > 4.1
-      click_button 'Login'
-      within '.navbar .dropdown-menu' do
+      within '.navbar .dropdown-menu-right' do
         expect(page).to have_text 'admin@person.com'
       end
     else
-      click_button 'Log in'
       within '.user-menu' do
         expect(page).to have_text 'admin@person.com'
       end

data/spec/features/admin/sign_out_spec.rb

@@ -1,4 +1,4 @@
-RSpec.feature 'Admin - Sign Out', type: :feature do
+RSpec.feature 'Admin - Sign Out', type: :feature, js: true do
   given!(:user) do
    create :user, email: 'email@person.com'
   end
@@ -9,13 +9,13 @@ RSpec.feature 'Admin - Sign Out', type: :feature do
     fill_in 'Password', with: 'secret'
     # Regression test for #1257
     check 'Remember me'
-    click_button 'Login'
+    click_button Spree.t(:login)
   end
 
-  scenario 'allows a signed in user to logout', js: true do
+  scenario 'allows a signed in user to logout' do
     log_out
     visit spree.admin_login_path
-    expect(page).to have_button 'Login'
-    expect(page).not_to have_text 'Logout'
+    expect(page).to have_button Spree.t(:login)
+    expect(page).not_to have_text Spree.t(:logout)
   end
 end

data/spec/features/admin_permissions_spec.rb

@@ -7,7 +7,7 @@ RSpec.feature 'Admin Permissions', type: :feature do
 
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
     end
 
     context 'admin is restricted from accessing orders' do

data/spec/features/checkout_spec.rb

@@ -55,7 +55,7 @@ RSpec.feature 'Checkout', :js, type: :feature do
       visit spree.login_path
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
       expect(page).to have_text('Logged in successfully')
       find('a.cart-icon').click
 

data/spec/features/order_spec.rb

@@ -17,7 +17,7 @@ RSpec.feature 'Orders', :js, type: :feature do
       visit spree.login_path
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
 
       visit spree.cart_path
       expect(page).to have_text 'RoR Mug'
@@ -29,7 +29,7 @@ RSpec.feature 'Orders', :js, type: :feature do
       visit spree.login_path
       fill_in 'Email', with: user.email
       fill_in 'Password', with: user.password
-      click_button 'Log in'
+      click_button login_button
 
       # Order should have been merged with first session
       visit spree.cart_path

data/spec/features/sign_in_spec.rb

@@ -13,15 +13,15 @@ RSpec.feature 'Sign In', type: :feature do
     log_in(email: @user.email, password: @user.password)
     show_user_menu
 
-    expect(page).not_to have_text 'Login'
-    expect(page).to have_text 'LOG OUT'
+    expect(page).not_to have_text login_button.upcase
+    expect(page).to have_text logout_button.upcase
     expect(current_path).to eq '/account'
   end
 
   scenario 'show validation erros' do
     fill_in 'Email', with: @user.email
     fill_in 'Password', with: 'wrong_password'
-    click_button 'Log in'
+    click_button login_button
 
     expect(page).to have_text 'Invalid email or password'
     expect(page).to have_text 'Log in'
@@ -35,12 +35,12 @@ RSpec.feature 'Sign In', type: :feature do
     fill_in 'Password', with: user.password
 
     if Spree.version.to_f > 4.1
-      click_button 'Login'
-      within '.navbar .dropdown-menu' do
+      click_button login_button
+      within '.navbar .dropdown-menu-right' do
         expect(page).to have_text 'admin@person.com'
       end
     else
-      click_button 'Log in'
+      click_button login_button
       within '.user-menu' do
         expect(page).to have_text 'admin@person.com'
       end
@@ -52,7 +52,29 @@ RSpec.feature 'Sign In', type: :feature do
     visit spree.account_path
     fill_in 'Email', with: @user.email
     fill_in 'Password', with: @user.password
-    click_button 'Log in'
+    click_button login_button
     expect(current_path).to eq '/account'
   end
+
+  context 'localized' do
+    before do
+      if Spree.version.to_f >= 4.2
+        add_french_locales
+        Spree::Store.default.update(default_locale: 'en', supported_locales: 'en,fr')
+        I18n.locale = :fr
+      end
+    end
+
+    after { I18n.locale = :en }
+
+    scenario 'let a user sign in successfully', js: true do
+      skip if Spree.version.to_f < 4.2
+      log_in(email: @user.email, password: @user.password, locale: 'fr')
+      show_user_menu
+
+      expect(page).not_to have_text Spree.t(:login).upcase
+      expect(page).to have_text Spree.t(:logout).upcase
+      expect(current_url).to match(/\/account\?locale\=fr$/)
+    end
+  end
 end

data/spec/features/sign_out_spec.rb

@@ -16,8 +16,8 @@ RSpec.feature 'Sign Out', type: :feature, js: true do
     visit spree.root_path
     show_user_menu
 
-    expect(page).to have_link 'LOG IN'
-    expect(page).not_to have_link 'LOG OUT'
+    expect(page).to have_link login_button.upcase
+    expect(page).not_to have_link logout_button.upcase
   end
 
   describe 'before_logout' do

data/spec/models/user_spec.rb

@@ -27,6 +27,33 @@ RSpec.describe Spree::User, type: :model do
     end
   end
 
+  describe 'validations' do
+    context 'email' do
+      let(:user) { build(:user, email: nil) }
+
+      it 'cannot be empty' do
+        expect(user.valid?).to be false
+        expect(user.errors.messages[:email].first).to eq "can't be blank"
+      end
+    end
+
+    context 'password' do
+      let(:user) { build(:user, password_confirmation: nil) }
+
+      it 'password confirmation cannot be empty' do
+        expect(user.valid?).to be false
+        expect(user.errors.messages[:password_confirmation].first).to eq "doesn't match Password"
+      end
+
+      let(:user) { build(:user, password: 'pass1234', password_confirmation: 'pass') }
+
+      it 'passwords has to be equal to password confirmation' do
+        expect(user.valid?).to be false
+        expect(user.errors.messages[:password_confirmation].first).to eq "doesn't match Password"
+      end
+    end
+  end
+
   context '#destroy' do
     it 'will soft delete with uncompleted orders' do
       order = build(:order)

data/spec/requests/spree/api/v2/storefront/account_confirmation_spec.rb

@@ -35,14 +35,5 @@ describe 'Storefront API v2 Account Confirmation spec', type: :request do
         expect(JSON.parse(response.body)['error']).to eq("Confirmation token is invalid")
       end
     end
-
-    context 'blank confirmation_token param' do
-      let(:user) { build(:user) }
-      let(:confirmation_token) { '' }
-
-      it 'return 301 status' do
-        expect(response.code).to eq('301')
-      end
-    end
   end
 end

data/spec/requests/spree/frontend/user_update_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+RSpec.feature 'User update', type: :request do
+  context 'CSRF protection' do
+    %i[exception reset_session null_session].each do |strategy|
+      # Completely clean the configuration of forgery protection for the
+      # controller and reset it after the expectations. However, besides `:with`,
+      # the options given to `protect_from_forgery` are processed on the fly.
+      # I.e., there's no way to retain them. The initial setup corresponds to the
+      # dummy application, which uses the default Rails skeleton in that regard.
+      # So, if at some point Rails changed the given options, we should update it
+      # here.
+      around do |example|
+        controller = Spree::UsersController
+        old_allow_forgery_protection_value = controller.allow_forgery_protection
+        old_forgery_protection_strategy = controller.forgery_protection_strategy
+        controller.skip_forgery_protection
+        controller.allow_forgery_protection = true
+        controller.protect_from_forgery with: strategy
+
+        example.run
+
+        controller.allow_forgery_protection = old_allow_forgery_protection_value
+        controller.forgery_protection_strategy = old_forgery_protection_strategy
+      end
+
+      it "is not possible to take account over with the #{strategy} forgery protection strategy" do
+        user = create(:user, email: 'legit@mail.com', password: 'password')
+
+        post '/login', params: "spree_user[email]=legit@mail.com&spree_user[password]=password"
+        begin
+          put '/users/123456', params: 'user[email]=hacked@example.com'
+        rescue
+          # testing that the account is not compromised regardless of any raised
+          # exception
+        end
+
+        expect(user.reload.email).to eq('legit@mail.com')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -9,10 +9,14 @@ require 'spree_dev_tools/rspec/spec_helper'
 # in spec/support/ and its subdirectories.
 Dir[File.join(File.dirname(__FILE__), 'support/**/*.rb')].sort.each { |f| require f }
 
+require 'spree/testing_support/locale_helpers' if Spree.version.to_f >= 4.2
+
 RSpec.configure do |config|
   config.before(:each) do
     allow(RSpec::Rails::ViewRendering::EmptyTemplateHandler)
       .to receive(:call)
       .and_return(%("")) if Rails.gem_version >= Gem::Version.new('6.0.0.beta1')
   end
+
+  config.include Spree::TestingSupport::LocaleHelpers if defined?(Spree::TestingSupport::LocaleHelpers)
 end

data/spec/support/confirm_helpers.rb

@@ -15,6 +15,7 @@ RSpec.configure do |config|
 
   config.before do |example|
     if example.metadata.key?(:confirmable)
+      Rails.cache.clear
       Spree::Auth::Config[:confirmable] = example.metadata[:confirmable]
 
       Spree.send(:remove_const, :User)

data/spree_auth_devise.gemspec

@@ -33,7 +33,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'devise', '~> 4.7'
   s.add_dependency 'devise-encryptable', '0.2.0'
 
-  spree_version = '>= 4.1', '< 5.0'
+  spree_version = '>= 4.3.0.rc1'
   s.add_dependency 'spree_core', spree_version
   s.add_dependency 'spree_extension'