sso 0.1.0.alpha5 → 0.1.0.alpha6

data/spec/dummy/config/initializers/sso.rb

@@ -4,20 +4,24 @@
 
 SSO.configure do |config|
 
-  config.find_user_for_passport = proc do |passport, ip|
+  config.find_user_for_passport = proc do |passport:|
     # This is your chance to modify the user instance before it is handed out to the OAuth client apps.
+    # The Passport has already been updated with the most recent IP metadata, so you can take that into consideration.
 
     progname = 'SSO.config.find_user_for_passport'
-    Rails.logger.debug(progname) { "Looking up User #{passport.owner_id} belonging to Passport #{passport.id} surfing with IP #{ip}..." }
+    Rails.logger.debug(progname) { "Looking up User #{passport.owner_id.inspect} belonging to Passport #{passport.id.inspect} surfing with IP #{passport.ip} or #{passport.ip}..." }
     user = User.find_by_id passport.owner_id
     return unless user
 
     # The IP address, for example, might be used to set certain flags on the user object.
-    # If these flags are included in the #user_state base (see below), all OAuth client apps are immediately aware of the change.
-    if ip == '198.51.100.74'
+    # Note that the IP can be nil in which case we don't know it.
+
+    if passport.ip == '198.51.100.74'
       user.tags << :is_at_the_office
-    else
+    elsif passport.ip
       user.tags << :is_working_from_home
+    else
+      user.tags << :location_is_unknown
     end
 
     user
@@ -26,7 +30,7 @@ SSO.configure do |config|
   config.user_state_base = proc do |user|
     # Include the end-user credentials to force all OAuth client apps to refetch the end-user Passports.
     # This way you can revoke all relevant Passports on SSO-logout and the OAuth client apps are immediately aware of it.
-    [user.email, user.password, user.tags.sort].join
+    [user.email, user.password, user.tags.map(&:to_s).sort].join
   end
 
   # This is a rather static key used to calculate whether a user state changed and needs to be propagated to the OAuth clients.

data/spec/dummy/config/initializers/warden.rb

@@ -1,4 +1,6 @@
 # POI
+# This is the logic to retrieve a user object given
+
 ::Warden::Strategies.add :password do
   def valid?
     params['username'].present?
@@ -6,17 +8,6 @@
 
   def authenticate!
     Rails.logger.debug(progname) { 'Authenticating from username and password...' }
-
-    # Note that at this point you might want to log the end-user IP for the attempted login.
-    # That's up to you to solve, but remember one thing:
-    # If you both have an untrusted OAuth client (iPhone) and a trusted one (Alpha Rails app)
-    # and the login at Alpha is performed using the "Resource Owner Password Credentials Grant"
-    # Then you will get Alphas IP, but not the end-users IP. So you might have to pass on the
-    # end user IP from Alpha via params. But you cannot trust params, since the iPhone Client
-    # is not trusted. Thus, in this particular scenario, you cannot blindly trust params['ip']
-    # but you'd have to work with the "insider" and "outsider" doorkeeper application scope
-    # restrictions much like SSO::Server::Authentications::Passport#ip does.
-
     user = ::User.authenticate params['username'], params['password']
 
     if user
@@ -33,6 +24,7 @@
   end
 end
 
+
 # POI
 Warden::Manager.after_authentication(&::SSO::Server::Warden::Hooks::AfterAuthentication.to_proc)
 Warden::Manager.before_logout(&::SSO::Server::Warden::Hooks::BeforeLogout.to_proc)

data/spec/dummy/db/migrate/20150303132931_create_passports_table.rb

@@ -7,32 +7,46 @@
 class CreatePassportsTable < ActiveRecord::Migration
   def change
     enable_extension 'uuid-ossp'
+    enable_extension 'hstore'
 
     create_table :passports, id: :uuid do |t|
-      t.integer :oauth_access_grant_id
-      t.integer :oauth_access_token_id
-      t.integer :application_id, null: false
-      t.integer :owner_id, null: false
-      t.string :group_id, null: false
-      t.string :secret, null: false, unique: true
-      t.inet :ip, null: false
-      t.string :agent
-      t.string :location
-      t.datetime :activity_at, null: false
-      t.datetime :revoked_at
-      t.string :revoke_reason
-      t.timestamps null: false
+      # Relationships with Doorkeeper-internal tables
+      t.integer :oauth_access_grant_id     # OAuth Grant Token
+      t.integer :oauth_access_token_id     # OAuth Access Token
+      t.boolean :insider                   # Denormalized: Is the client app trusted?
+
+      # Passport information
+      t.integer :owner_id, null: false               # User ID
+      t.string :secret, null: false, unique: true    # Random secret string
+
+      # Passport activity
+      t.datetime :activity_at, null: false   # Timestamp of most recent usage
+      t.inet :ip, null: false                # Most recent IP which used this Passport
+      t.string :agent                        # Post recent User Agent which used this Passport
+      t.string :location                     # Human-readable city of the IP (geolocation)
+      t.string :device                       # Mobile client hardware UUID (if applicable)
+      t.hstore :stamps                       # Keeping track of *all* IPs which use(d) this Passport
+
+      # Revocation
+      t.datetime :revoked_at                 # If set, consider this record to be deleted
+      t.string :revoke_reason                # Slug describing why deleted (logout, timeout, etc)
+      t.timestamps null: false               # Internal Rails created_at and updated_at columns
     end
 
+    # Doorkeeper is not guaranteed to create a new access token upon each login, it may just return an existing one
+    # That's why we need to check for `revoked_at`, only valid passports bear the constraint
     add_index :passports, [:owner_id, :oauth_access_token_id], where: 'revoked_at IS NULL AND oauth_access_token_id IS NOT NULL', unique: true, name: :one_access_token_per_owner
 
     add_index :passports, :oauth_access_grant_id
     add_index :passports, :oauth_access_token_id
-    add_index :passports, :application_id
+    add_index :passports, :insider
     add_index :passports, :owner_id
-    add_index :passports, :group_id
     add_index :passports, :secret
+    add_index :passports, :activity_at
     add_index :passports, :ip
+    add_index :passports, :location
+    add_index :passports, :device
+    add_index :passports, :revoked_at
     add_index :passports, :revoke_reason
   end
 end

data/spec/dummy/db/schema.rb

@@ -16,6 +16,7 @@ ActiveRecord::Schema.define(version: 20150303132931) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
   enable_extension "uuid-ossp"
+  enable_extension "hstore"
 
   create_table "oauth_access_grants", force: :cascade do |t|
     t.integer  "resource_owner_id", null: false
@@ -60,28 +61,32 @@ ActiveRecord::Schema.define(version: 20150303132931) do
   create_table "passports", id: :uuid, default: "uuid_generate_v4()", force: :cascade do |t|
     t.integer  "oauth_access_grant_id"
     t.integer  "oauth_access_token_id"
-    t.integer  "application_id",        null: false
+    t.boolean  "insider"
     t.integer  "owner_id",              null: false
-    t.string   "group_id",              null: false
     t.string   "secret",                null: false
+    t.datetime "activity_at",           null: false
     t.inet     "ip",                    null: false
     t.string   "agent"
     t.string   "location"
-    t.datetime "activity_at",           null: false
+    t.string   "device"
+    t.hstore   "stamps"
     t.datetime "revoked_at"
     t.string   "revoke_reason"
     t.datetime "created_at",            null: false
     t.datetime "updated_at",            null: false
   end
 
-  add_index "passports", ["application_id"], name: "index_passports_on_application_id", using: :btree
-  add_index "passports", ["group_id"], name: "index_passports_on_group_id", using: :btree
+  add_index "passports", ["activity_at"], name: "index_passports_on_activity_at", using: :btree
+  add_index "passports", ["device"], name: "index_passports_on_device", using: :btree
+  add_index "passports", ["insider"], name: "index_passports_on_insider", using: :btree
   add_index "passports", ["ip"], name: "index_passports_on_ip", using: :btree
+  add_index "passports", ["location"], name: "index_passports_on_location", using: :btree
   add_index "passports", ["oauth_access_grant_id"], name: "index_passports_on_oauth_access_grant_id", using: :btree
   add_index "passports", ["oauth_access_token_id"], name: "index_passports_on_oauth_access_token_id", using: :btree
   add_index "passports", ["owner_id", "oauth_access_token_id"], name: "one_access_token_per_owner", unique: true, where: "((revoked_at IS NULL) AND (oauth_access_token_id IS NOT NULL))", using: :btree
   add_index "passports", ["owner_id"], name: "index_passports_on_owner_id", using: :btree
   add_index "passports", ["revoke_reason"], name: "index_passports_on_revoke_reason", using: :btree
+  add_index "passports", ["revoked_at"], name: "index_passports_on_revoked_at", using: :btree
   add_index "passports", ["secret"], name: "index_passports_on_secret", using: :btree
 
   create_table "users", force: :cascade do |t|

data/spec/integration/oauth/authorization_code_spec.rb

@@ -3,12 +3,20 @@ require 'spec_helper'
 RSpec.describe 'OAuth 2.0 Authorization Grant Flow', type: :request, db: true do
 
   let!(:user)        { create :user }
-  let!(:client)      { create :unscoped_doorkeeper_application }
+  let!(:client)      { create :outsider_doorkeeper_application }
   let(:redirect_uri) { client.redirect_uri }
 
-  let(:grant_params)    { { client_id: client.uid, redirect_uri: redirect_uri, response_type: :code, scope: :insider, state: 'some_random_string' } }
-  let(:latest_grant)    { Doorkeeper::AccessGrant.last }
-  let(:latest_passport) { SSO::Server::Passport.last }
+  let(:scope)           { :outsider }
+  let(:grant_params)    { { client_id: client.uid, redirect_uri: redirect_uri, response_type: :code, scope: scope, state: 'some_random_string' } }
+  let(:result)          { JSON.parse(response.body) }
+
+  let(:latest_grant)        { ::Doorkeeper::AccessGrant.last }
+  let(:latest_access_token) { ::Doorkeeper::AccessToken.last }
+  let(:access_token_count)  { ::Doorkeeper::AccessToken.count }
+  let(:grant_count)         { ::Doorkeeper::AccessGrant.count }
+
+  let(:latest_passport)     { ::SSO::Server::Passport.last }
+  let(:passport_count)      { ::SSO::Server::Passport.count }
 
   before do
     get_via_redirect '/oauth/authorize', grant_params
@@ -37,19 +45,81 @@ RSpec.describe 'OAuth 2.0 Authorization Grant Flow', type: :request, db: true do
       expect(latest_passport.oauth_access_grant_id).to eq latest_grant.id
     end
 
+    it 'does not generate multiple authorization grants' do
+      expect(grant_count).to eq 1
+    end
+
     context 'Exchanging the Authorization Grant for an Access Token' do
-      let(:grant)        { ::Rack::Utils.parse_query(URI.parse(response.location).query).fetch('code') }
-      let(:grant_type)   { :authorization_code }
-      let(:params)       { { client_id: client.uid, client_secret: client.secret, code: grant, grant_type: grant_type, redirect_uri: redirect_uri } }
-      let(:access_token) { JSON.parse(response.body).fetch 'access_token' }
+      let(:grant)      { ::Rack::Utils.parse_query(URI.parse(response.location).query).fetch('code') }
+      let(:grant_type) { :authorization_code }
+      let(:params)     { { client_id: client.uid, client_secret: client.secret, code: grant, grant_type: grant_type, redirect_uri: redirect_uri } }
+      let(:token)      { JSON.parse(response.body).fetch 'access_token' }
 
       before do
         post '/oauth/token', params
       end
 
-      it 'gets the access token' do
-        expect(access_token).to be_present
+      it 'succeeds' do
+        expect(response.status).to eq 200
       end
+
+      it 'responds with JSON serialized params' do
+        expect(result).to be_instance_of Hash
+      end
+
+      it 'includes the access_token' do
+        expect(result['access_token']).to eq latest_access_token.token
+      end
+
+      it 'generates a passport with the grant token attached to it' do
+        expect(latest_passport.oauth_access_token_id).to eq latest_access_token.id
+      end
+
+      it 'does not generate multiple passports' do
+        expect(passport_count).to eq 1
+      end
+
+      it 'does not generate multiple access tokens' do
+        expect(access_token_count).to eq 1
+      end
+
+      it 'succeeds' do
+        expect(response.status).to eq 200
+      end
+
+      context 'Exchanging the Access Token for a Passport' do
+        before do
+          SSO.config.passport_chip_key = SecureRandom.hex
+          post '/oauth/sso/v1/passports', access_token: token
+        end
+
+        it 'succeeds' do
+          expect(response.status).to eq 200
+        end
+
+        it 'gets the passport' do
+          expect(result['passport']).to be_present
+        end
+
+        it 'is the passport for that access token' do
+          expect(result['passport']['id']).to eq latest_passport.id
+          expect(latest_passport.oauth_access_token_id).to eq latest_access_token.id
+        end
+
+        it 'is an outsider passport' do
+          expect(latest_passport).to_not be_insider
+        end
+
+        context 'insider application' do
+          let!(:client) { create :insider_doorkeeper_application }
+          let(:scope)   { :insider }
+
+          it 'is an insider passport' do
+            expect(latest_passport).to be_insider
+          end
+        end
+      end
+
     end
   end
 

data/spec/integration/oauth/{password_verification_spec.rb → password_spec.rb}

@@ -3,18 +3,20 @@ require 'spec_helper'
 RSpec.describe 'OAuth 2.0 Resource Owner Password Credentials Grant', type: :request, db: true do
 
   let!(:user)    { create :user }
-  let!(:client)  { create :unscoped_doorkeeper_application }
+  let!(:client)  { create :outsider_doorkeeper_application }
 
+  let(:scope)    { :outsider }
   let(:password) { user.password }
-  let(:params)   { { grant_type: :password, client_id: client.uid, client_secret: client.secret, username: user.email, password: password } }
+  let(:params)   { { grant_type: :password, client_id: client.uid, client_secret: client.secret, username: user.email, password: password, scope: scope } }
   let(:headers)  { { 'HTTP_ACCEPT' => 'application/json' } }
 
+  let(:latest_access_token) { ::Doorkeeper::AccessToken.last }
   let(:latest_passport)     { ::SSO::Server::Passport.last }
   let(:passport_count)      { ::SSO::Server::Passport.count }
-  let(:latest_access_token) { ::Doorkeeper::AccessToken.last }
   let(:result)              { JSON.parse(response.body) }
 
   before do
+    SSO.config.passport_chip_key = SecureRandom.hex
     post '/oauth/token', params, headers
   end
 
@@ -38,6 +40,40 @@ RSpec.describe 'OAuth 2.0 Resource Owner Password Credentials Grant', type: :req
     it 'does not generate multiple passports' do
       expect(passport_count).to eq 1
     end
+
+    context 'Exchanging the Access Token for a Passport' do
+      let(:token) { JSON.parse(response.body).fetch 'access_token' }
+
+      before do
+        post '/oauth/sso/v1/passports', access_token: token
+      end
+
+      it 'succeeds' do
+        expect(response.status).to eq 200
+      end
+
+      it 'gets the passport' do
+        expect(result['passport']).to be_present
+      end
+
+      it 'is the passport for that access token' do
+        expect(result['passport']['id']).to eq latest_passport.id
+        expect(latest_passport.oauth_access_token_id).to eq latest_access_token.id
+      end
+
+      it 'is an outsider passport' do
+        expect(latest_passport).to_not be_insider
+      end
+
+      context 'insider application' do
+        let!(:client) { create :insider_doorkeeper_application }
+        let(:scope)   { :insider }
+
+        it 'is an insider passport' do
+          expect(latest_passport).to be_insider
+        end
+      end
+    end
   end
 
   context 'wrong password' do

data/spec/lib/sso/client/authentications/passport_spec.rb

@@ -0,0 +1,92 @@
+require 'spec_helper'
+
+RSpec.describe SSO::Client::Authentications::Passport, type: :request, db: true do
+
+  # Untrusted Client
+  let(:request_method)    { 'GET' }
+  let(:request_path)      { '/some/resource' }
+  let(:request_params)    { { passport_chip: passport_chip } }
+  let(:signature_token)   { Signature::Token.new passport_id, passport_secret }
+  let(:signature_request) { Signature::Request.new(request_method, request_path, request_params) }
+  let(:auth_hash)         { signature_request.sign signature_token }
+  let(:query_params)      { request_params.merge auth_hash }
+  let(:ip)                { '198.51.100.74' }
+  let(:agent)             { 'IE7' }
+
+  # Trusted Client
+  let(:rack_request)    { double :rack_request, request_method: request_method, ip: ip, user_agent: agent, path: request_path, query_parameters: query_params.stringify_keys, params: query_params.stringify_keys }
+  let(:warden_env)      { {} }
+  let(:warden_request)  { double :warden_request, ip: ip, user_agent: agent, env: warden_env }
+  let(:warden)          { double :warden, request: warden_request }
+  let(:client_user)     { double :client_user }
+  let(:client_passport) { ::SSO::Client::Passport.new id: passport_id, secret: passport_secret, state: passport_state, user: client_user }
+  let(:authentication)  { described_class.new rack_request }
+  let(:operation)       { authentication.authenticate }
+  let(:passport)        { operation.object }
+
+  # Shared
+  let(:passport_id)     { server_passport.id }
+  let(:passport_state)  { server_passport.state }
+  let(:passport_secret) { server_passport.secret }
+  let(:passport_chip)   { server_passport.chip! }
+
+  # Server
+  let(:insider)          { false }
+  let!(:server_user)     { create :user, name: 'Emily', tags: %i(cool nice) }
+  let!(:server_passport) { create :passport, user: server_user, owner_id: server_user.id, ip: ip, agent: agent, insider: insider }
+
+  before do
+    SSO.config.passport_chip_key = SecureRandom.hex
+  end
+
+  context 'no changes' do
+    before do
+      operation
+    end
+
+    context 'outsider passport' do
+      it 'succeeds' do
+        expect(operation).to be_success
+      end
+
+      it 'verifies the passport' do
+        expect(passport).to be_verified
+      end
+
+      it 'tracks the immediate request IP' do
+        expect(server_passport.reload.ip).to eq '127.0.0.1'
+      end
+
+      it 'attaches the user attributes to the passport' do
+        expect(passport.user).to be_instance_of Hash
+        expect(passport.user['name']).to eq 'Emily'
+        expect(passport.user['email']).to eq 'emily@example.com'
+        expect(passport.user['tags'].sort).to eq %w(cool is_working_from_home nice).sort
+      end
+    end
+
+    context 'insider passport' do
+      let(:insider) { true }
+
+      it 'succeeds' do
+        expect(operation).to be_success
+      end
+
+      it 'verifies the passport' do
+        expect(passport).to be_verified
+      end
+
+      it 'tracks the untrusted client IP' do
+        expect(server_passport.reload.ip).to eq ip
+      end
+
+      it 'attaches the user attributes to the passport' do
+        expect(passport.user).to be_instance_of Hash
+        expect(passport.user['name']).to eq 'Emily'
+        expect(passport.user['email']).to eq 'emily@example.com'
+        expect(passport.user['tags'].sort).to eq %w(cool is_at_the_office nice).sort
+      end
+    end
+  end
+
+end

data/spec/{integration/oauth → lib/sso/client/warden/hooks}/after_fetch_spec.rb

@@ -4,14 +4,15 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
 
   # Client side
   let(:warden_env)      { {} }
-  let(:warden_request)  { double :warden_request, ip: ip, user_agent: agent, env: warden_env }
+  let(:client_params)   { { udid: 'unique device identifier' } }
+  let(:warden_request)  { double :warden_request, ip: ip, user_agent: agent, params: client_params, env: warden_env }
   let(:warden)          { double :warden, request: warden_request }
   let(:hook)            { described_class.new passport: client_passport, warden: warden, options: {} }
   let(:client_user)     { double :client_user }
   let(:client_passport) { ::SSO::Client::Passport.new id: passport_id, secret: passport_secret, state: passport_state, user: client_user }
 
   # Shared
-  let!(:oauth_app)      { create :unscoped_doorkeeper_application }
+  let!(:oauth_app)      { create :outsider_doorkeeper_application }
   let(:passport_id)     { server_passport.id }
   let(:passport_state)  { server_passport.state }
   let(:passport_secret) { server_passport.secret }
@@ -20,7 +21,7 @@ RSpec.describe SSO::Client::Warden::Hooks::AfterFetch, type: :request, db: true
 
   # Server side
   let!(:server_user)     { create :user }
-  let!(:server_passport) { create :passport, user: server_user, owner_id: server_user.id, ip: ip, agent: agent, application_id: oauth_app.id }
+  let!(:server_passport) { create :passport, user: server_user, owner_id: server_user.id, ip: ip, agent: agent }
 
   context 'no changes' do
     it 'verifies the passport' do

data/spec/lib/sso/server/middleware/passport_destruction_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+RSpec.describe SSO::Server::Middleware::PassportDestruction, type: :request, db: true do
+
+  let(:updated_passport) { ::SSO::Server::Passports.find(passport.id).object }
+
+  before do
+    Timecop.freeze
+  end
+
+  context 'passport exists' do
+    let!(:passport) { create :passport }
+
+    it 'succeeds' do
+      delete "/oauth/sso/v1/passports/#{passport.id}"
+      expect(response.status).to eq 200
+    end
+
+    it 'revokes the passport' do
+      delete "/oauth/sso/v1/passports/#{passport.id}"
+      expect(updated_passport.revoked_at.to_i).to eq Time.now.to_i
+    end
+
+    it 'logs out from warden' do
+      Warden.on_next_request do |proxy|
+        expect(proxy).to receive(:logout)
+      end
+
+      delete "/oauth/sso/v1/passports/#{passport.id}"
+    end
+  end
+
+end

data/spec/lib/sso/server/passports_spec.rb

@@ -0,0 +1,104 @@
+require 'spec_helper'
+
+RSpec.describe SSO::Server::Passports do
+  let(:passports) { described_class }
+
+  before do
+    Timecop.freeze
+  end
+
+  describe '.update_activity' do
+    let(:env)             { { 'REMOTE_ADDR' => ip, 'rack.input' => '', 'HTTP_USER_AGENT' => 'Safari', 'QUERY_STRING' => 'agent=Chrome&ip=198.51.100.1&device_id=my_device_id' } }
+    let(:ip)              { '198.51.100.99' }
+    let(:request)         { Rack::Request.new env  }
+
+    let(:another_env)     { { 'REMOTE_ADDR' => another_ip, 'rack.input' => '', 'HTTP_USER_AGENT' => 'Opera', 'QUERY_STRING' => 'agent=Firefox&ip=198.51.100.2&device_id=another_my_device_id' } }
+    let(:another_ip)      { '198.51.100.100' }
+    let(:another_request) { Rack::Request.new another_env  }
+
+    let(:insider)         { false }
+    let(:passport)        { create :passport, activity_at: 1.week.ago, insider: insider }
+
+    before do
+      passports.update_activity passport_id: passport.id, request: request
+    end
+
+    context 'outsider' do
+      it 'creates a brand new stamp' do
+        expect(passport.reload.stamps).to eq '198.51.100.99' => Time.now.to_i.to_s
+      end
+
+      it 'tracks the imediate IP' do
+        expect(passport.reload.ip).to eq '198.51.100.99'
+        expect(passport.reload.agent).to eq 'Safari'
+        expect(passport.reload.device).to eq 'my_device_id'
+      end
+
+      it 'updates activity_at' do
+        expect(passport.reload.activity_at.to_i).to eq Time.now.to_i
+      end
+
+      context 'another request' do
+        before do
+          Timecop.freeze 5.minutes.from_now
+          passports.update_activity passport_id: passport.id, request: another_request
+        end
+
+        it 'adds another stamp' do
+          expect(passport.reload.stamps).to eq '198.51.100.99' => 5.minutes.ago.to_i.to_s, '198.51.100.100' => Time.now.to_i.to_s
+        end
+
+        it 'updates activity_at' do
+          expect(passport.reload.activity_at.to_i).to eq Time.now.to_i
+        end
+
+        it 'updates the imediate IP' do
+          expect(passport.reload.ip).to eq '198.51.100.100'
+          expect(passport.reload.agent).to eq 'Opera'
+          expect(passport.reload.device).to eq 'another_my_device_id'
+        end
+      end
+    end
+
+    context 'insider' do
+      let(:insider) { true }
+
+      it 'creates a brand new stamp' do
+        expect(passport.reload.stamps).to eq '198.51.100.1' => Time.now.to_i.to_s
+      end
+
+      it 'tracks the proxied IP' do
+        expect(passport.reload.ip).to eq '198.51.100.1'
+        expect(passport.reload.agent).to eq 'Chrome'
+        expect(passport.reload.device).to eq 'my_device_id'
+      end
+
+      it 'updates activity_at' do
+        expect(passport.reload.activity_at.to_i).to eq Time.now.to_i
+      end
+
+      context 'another request' do
+        before do
+          Timecop.freeze 5.minutes.from_now
+          passports.update_activity passport_id: passport.id, request: another_request
+        end
+
+        it 'adds another stamp' do
+          expect(passport.reload.stamps).to eq '198.51.100.1' => 5.minutes.ago.to_i.to_s, '198.51.100.2' => Time.now.to_i.to_s
+        end
+
+        it 'updates activity_at' do
+          expect(passport.reload.activity_at.to_i).to eq Time.now.to_i
+        end
+
+        it 'updates the proxied IP' do
+          expect(passport.reload.ip).to eq '198.51.100.2'
+          expect(passport.reload.agent).to eq 'Firefox'
+          expect(passport.reload.device).to eq 'another_my_device_id'
+        end
+      end
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -23,6 +23,7 @@ RSpec.configure do |config|
 
   config.include FactoryGirl::Syntax::Methods
   config.include SSO::Test::Helpers
+  config.include Warden::Test::Helpers
 
   config.color = true
   config.disable_monkey_patching!
@@ -45,6 +46,7 @@ RSpec.configure do |config|
 
   config.after :each do
     Timecop.return
+    Warden.test_reset!
   end
 
   config.after :each, db: true do

data/spec/support/factories/doorkeeper/application.rb

@@ -9,9 +9,6 @@ FactoryGirl.define do
       scopes { :outsider }
     end
 
-    factory :unscoped_doorkeeper_application do
-    end
-
     uid          { SecureRandom.hex }
     secret       { SecureRandom.hex }
     name         { %w(Alpha Beta Gamma Delta Epsilon).sample }

data/spec/support/factories/server/passport.rb

@@ -1,10 +1,14 @@
 FactoryGirl.define do
+  sequence(:owner_id)  { |n| (n * 2) + 424242 }
+  sequence(:ip)        { |n| IPAddr.new("198.51.100.#{n}").to_s }
+
   factory :parent_of_all_passports, class: SSO::Server::Passport do
 
     factory :passport do
     end
 
-    group_id { SecureRandom.hex }
+    owner_id { generate(:owner_id) }
+    ip       { generate(:ip) }
 
   end
 end