wordjelly-auth 0.0.3 → 0.0.4

data/spec/requests/search_request_spec.rb

@@ -0,0 +1,173 @@
+require "rails_helper"
+
+RSpec.describe "search request spec",:search => true, :type => :request do 
+
+	before(:all) do 
+		ActionController::Base.allow_forgery_protection = false
+        User.delete_all
+        Auth::Client.delete_all
+        Shopping::Product.delete_all
+        Shopping::CartItem.delete_all
+
+        puts "deleting user index #{User.es.index.delete}"
+        puts "creating user index: #{User.es.index.create}"
+
+
+        puts "deleting product index #{Shopping::Product.es.index.delete}"
+        puts "creating product index: #{Shopping::Product.es.index.create}"
+
+
+        puts "deleting cart_item index #{Shopping::CartItem.es.index.delete}"
+        puts "creating cart_item index: #{Shopping::CartItem.es.index.create}"
+
+
+        ## CREATE A USER
+        @u = User.new(attributes_for(:user_confirmed))
+        @u.versioned_create
+
+        @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+        @c.redirect_urls = ["http://www.google.com"]
+        @c.versioned_create
+        @u.client_authentication["test_app_id"] = "test_es_token"
+        @u.confirm!
+        sr = @u.save
+        @ap_key = @c.api_key
+        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => @u.authentication_token, "X-User-Es" => @u.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"}
+        
+
+        ### CREATE ONE ADMIN USER
+        @admin = Admin.new(attributes_for(:admin_confirmed))
+        @admin.client_authentication["test_app_id"] = "test_es_token"
+        @admin.versioned_create
+        @admin_headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-Admin-Token" => @admin.authentication_token, "X-Admin-Es" => @admin.client_authentication["test_app_id"], "X-Admin-Aid" => "test_app_id"}
+
+        ## create a product.
+		@product = Shopping::Product.new
+		@product.name = "Cobas e411"
+		@product.price = 500.00
+		@product.signed_in_resource = @admin
+		@product.resource_id = @admin.id.to_s
+		@product.resource_class = @admin.class.name.to_s
+		sp = @product.save
+		puts "product successfully saved: #{sp.to_s}"
+
+		## create another product
+		@product = Shopping::Product.new
+		@product.name = "Roche 423"
+		@product.price = 500.00
+		@product.signed_in_resource = @admin
+		@product.resource_id = @admin.id.to_s
+		@product.resource_class = @admin.class.name.to_s
+		sp = @product.save
+		puts "product successfully saved: #{sp.to_s}"
+
+		## create a cart item based on above product
+		@cart_item = Shopping::CartItem.new
+		@cart_item.product_id = @product.id.to_s
+		@cart_item.resource_class = @u.class.name.to_s
+		@cart_item.resource_id = @u.id.to_s
+		@cart_item.signed_in_resource = @u
+		su = @cart_item.save
+		puts "cart item saved: #{su.to_s}"
+
+
+		## create one more user who shouldnt be able to see this cart item.
+		@u2 = User.new(attributes_for(:user_confirmed))
+		@u2.versioned_create
+        @u2.client_authentication["test_app_id"] = "test_es_token"
+        @u2.save
+        @u2_headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => @u2.authentication_token, "X-User-Es" => @u2.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"}
+
+
+        ## refresh all indices
+        puts "refreshing user index"
+        puts User.es.index.refresh
+        puts "refreshing product index"
+        puts Shopping::Product.es.index.refresh
+        puts "refrehsing cart item index"
+        puts Shopping::CartItem.es.index.refresh
+
+	end
+
+
+	context " -- signed in user -- " do 
+
+		context " -- public resource -- " do 
+			
+			it " -- allows user to search -- ",:purr => true do 
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Coba", size:10}}),nil,@headers
+				
+				puts response.body.to_s
+				results = JSON.parse(response.body)
+
+				expect(results.size).to eq(1)
+			end
+
+			it " -- allows admin to search -- " do 
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Coba", size:10}}),nil,@admin_headers
+
+				results = JSON.parse(response.body)
+				puts results.to_s
+				expect(results.size).to eq(1)
+			end
+		end
+
+		context " -- private resource -- " do 
+			
+			
+
+			it " -- allows user to search if he owns resource -- ", :pr_user => true do 
+
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Roc", size:10}}),nil,@headers
+
+				results = JSON.parse(response.body)
+				expect(results.size).to eq(2)
+
+			end
+
+			it " -- allows user to find itself -- ", :search_self => true do 
+
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: @u.email[0..4]}}),nil,@headers
+				results = JSON.parse(response.body)
+				puts "this is the response body."
+				puts results.to_s
+				expect(results.size).to eq(1)
+			end
+
+
+			
+			it " -- allows admin to search -- " do 
+
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Roch", size:10}}),nil,@admin_headers
+
+				results = JSON.parse(response.body)
+				expect(results.size).to eq(2)
+
+			end
+
+			it " -- doesnt allow user to search if he doesnt own the resource -- ", :pr_na do 
+
+				get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Roc", size:10}}),nil,@u2_headers
+
+				results = JSON.parse(response.body)
+				#puts "this is the response body"
+				#puts results.to_s
+				expect(results.size).to eq(1)
+
+			end
+
+		end
+
+	end
+
+	context " -- no signed in user -- " do 
+		it " -- returns not authenticated -- " do 
+			get authenticated_user_search_index_path({api_key: @ap_key, :current_app_id => "test_app_id", query: {query_string: "Roc", size:10}}),nil,{ "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+			
+			expect(response.code).to eq("401")
+		end
+	end
+
+
+
+end

data/spec/requests/topic_request_spec.rb

@@ -0,0 +1,138 @@
+require "rails_helper"
+
+RSpec.describe "token request spec", :type => :request,topic: true do 
+
+	before(:all) do 
+
+                ActionController::Base.allow_forgery_protection = true
+                User.delete_all
+                Auth::Client.delete_all
+                @u = User.new(attributes_for(:user_confirmed))
+                @u.save
+                Auth.configuration.token_regeneration_time = 1.day
+                @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test")
+                @c.redirect_urls = ["http://www.google.com"]
+                @c.app_ids << "test_app_id"
+                @c.versioned_create
+                @u.client_authentication["test_app_id"] = "test_es"
+                @u.save
+
+                @ap_key = @c.api_key
+                @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => @u.authentication_token, "X-User-Es" => @u.client_authentication["test_app_id"], "X-User-Aid" => @c.app_ids[0]}
+
+                @admin = Admin.new(attributes_for(:admin_confirmed))
+                
+                @admin.client_authentication["test_app_id"] = "test_es_token"
+                
+                @admin.save
+                
+                @admin_headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-Admin-Token" => @admin.authentication_token, "X-Admin-Es" => @admin.client_authentication["test_app_id"], "X-Admin-Aid" => "test_app_id"}
+             	
+    end
+
+     
+
+        context "-- API JSON token authentication tests " do 
+
+                it " - authenticates  ",:topic_focus => true do 
+                        get new_topic_path, nil, @headers
+                        expect(response.code).to eq("200")
+                end
+
+                it " - authenticates and sets resource ", :topic_focus => true do 
+                        get new_topic_path, nil, @headers
+                        expect(assigns(:resource)).to be_truthy      
+                end
+
+                it " - does not authenticate without es", :defocus => true do 
+                       
+                        get new_topic_path, nil, { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => @u.authentication_token, "X-User-Aid" => @c.app_ids[0]}
+                        expect(response.code).to eq("401")
+                end
+
+                it " - does not authenticate without app id", :focus => true do 
+                       
+                        get new_topic_path, nil, { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => @u.authentication_token, "X-User-Es" => @u.client_authentication["test_app_id"]}
+                        expect(response.code).to eq("401")     
+                end
+
+        end
+
+        context " -- authenticates admin as well as user models -- ", :token_tests => true do 
+
+            it " -- authenticates an admin user using a token -- " do
+
+                 get new_topic_path, nil, @admin_headers
+                 
+                 expect(response.code).to eq("200")
+
+            end
+
+
+            it " -- doesnt attempt authentication of admin user if the normal user gets authenticated -- " do 
+
+                 get new_topic_path, nil, @headers
+                
+                 expect(response.code).to eq("200")
+
+            end
+
+
+        end
+
+
+        context " -- it sets authentication_token_expires_at alongwith auth token-- " do 
+
+                before(:all) do 
+                        $earlier_auth_token = nil
+                end
+
+                it " - authenticates and sets resource, with token expires at ", :topic_focus => true do 
+                        get new_topic_path, nil, @headers
+                        expect(assigns(:resource)).to be_truthy
+                        resource = assigns(:resource)
+                        expect(resource.authentication_token_expires_at).not_to be_nil  
+                end
+
+                it " - doesnt authenticate if token has expired -- " do 
+
+                        Auth.configuration.token_regeneration_time = 1
+                        user = User.new(attributes_for(:user_confirmed))
+                        user.client_authentication["test_app_id"] = "test_es"
+                        user.save
+                        $earlier_auth_token = user.authentication_token
+                        Auth.configuration.token_regeneration_time = 1.day
+                        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => user.authentication_token, "X-User-Es" => user.client_authentication["test_app_id"], "X-User-Aid" => @c.app_ids[0]}                        
+                        sleep(2)
+                        get new_topic_path, nil, @headers
+                        expect(response.code).to eq("401")
+
+                end
+
+                it " -- on signing in with this user , it will return the new authentication token and es -- " do 
+                        last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        ActionController::Base.allow_forgery_protection = false
+                        post user_session_path ,{user: {login: last_user_created.email, password: "password"}}
+                        ActionController::Base.allow_forgery_protection = true
+                        user_returned = assigns(:user)
+
+                        expect(user_returned.authentication_token).not_to eq($earlier_auth_token)
+
+                        expect(user_returned.authentication_token).not_to be_nil
+                        expect(user_returned.authentication_token_expires_at > Time.now.to_i).to be_truthy
+                end
+
+                it  " -- subsequently it will sign in using the new authentication token and es -- " do 
+
+                        user = User.order_by(:confirmation_sent_at => 'desc').first
+                         ##now use this authentication token and es.
+                         @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json", "X-User-Token" => user.authentication_token, "X-User-Es" => user.client_authentication["test_app_id"], "X-User-Aid" => @c.app_ids[0]}                        
+                        
+                        get new_topic_path, nil, @headers
+                        expect(response.code).to eq("200")
+
+                end
+
+        end
+
+end

data/spec/requests/user/additional_login_param_and_email_validation_spec.rb

@@ -0,0 +1,673 @@
+##this checks the validation rules set on both the additional_login_param and email.
+require "rails_helper"
+
+RSpec.describe "Additional login param and email flow requests", :alp_email => true, :authentication => true, :type => :request do
+  before(:all) do 
+    User.delete_all
+    Auth::Client.delete_all
+    module Devise
+
+      RegistrationsController.class_eval do
+
+        def sign_up_params
+          ##quick hack to make registrations controller accept confirmed_at, because without that there is no way to send in a confirmed admin directly while creating the admin.
+          params.require(:user).permit(
+            :email, :password, :password_confirmation,
+            :confirmed_at, :redirect_url, :api_key, :additional_login_param
+          )
+        end
+
+      end
+
+    end
+
+  end
+
+  context " -- json requests -- " do 
+
+    before(:all) do 
+        ActionController::Base.allow_forgery_protection = true
+        User.delete_all
+        Auth::Client.delete_all
+        @u = User.new(attributes_for(:user_confirmed))
+        @u.save
+        @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+        @c.redirect_urls = ["http://www.google.com"]
+        @c.versioned_create
+        @u.client_authentication["test_app_id"] = "test_es_token"
+        @u.save
+        @ap_key = @c.api_key
+        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+        @otp = 1234
+        Auth.configuration.stub_otp_api_calls = true
+    end
+
+    context " -- on creating account -- " do 
+
+    	it "creating an account with email and additional login param produces a validation error." do 
+    		usr_attrs = attributes_for(:user)
+    		usr_attrs[:additional_login_param] = "9822028511"
+    		post user_registration_path, {user: usr_attrs,:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+    		expect(assigns(:user).errors).not_to be_empty
+    	end
+
+        context " -- mobile validations -- ", :mobile_validations => true do 
+
+        	context " -- additional login param validations " do 
+
+                before(:all) do 
+                        ActionController::Base.allow_forgery_protection = true
+                        User.delete_all
+                        Auth::Client.delete_all
+                        @u = User.new(attributes_for(:user_confirmed))
+                        @u.save
+                        @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                        @c.redirect_urls = ["http://www.google.com"]
+                        @c.versioned_create
+                        @u.client_authentication["test_app_id"] = "test_es_token"
+                        @u.save
+                        @ap_key = @c.api_key
+                        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                        @otp = 1234
+                        Auth.configuration.stub_otp_api_calls = true
+                end
+
+                it " --- gives a validation error if additional login param is not a valid mobile on CREATE -- " do 
+                    post user_registration_path, {user: attributes_for(:user_mobile_invalid),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                    @user_created = assigns(:user)
+                    @cl = assigns(:client)
+                    user_json_hash = JSON.parse(response.body)
+                    expect(user_json_hash.keys).to match_array(["errors","nothing"])
+                end
+
+
+            end
+
+            context " --- validation flow first create a valid mobile, confirm it, then try to update with an invalid mobile -- should throw validation errors " do 
+
+                    before(:all) do 
+                        ActionController::Base.allow_forgery_protection = true
+                        User.delete_all
+                        Auth::Client.delete_all
+                        @u = User.new(attributes_for(:user_confirmed))
+                        @u.save
+                        @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                        @c.redirect_urls = ["http://www.google.com"]
+                        @c.versioned_create
+                        @u.client_authentication["test_app_id"] = "test_es_token"
+                        @u.save
+                        @ap_key = @c.api_key
+                        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                        @otp = 1234
+                        Auth.configuration.stub_otp_api_calls = true
+                    end
+
+                    before(:all) do 
+                        $otp_session_id = nil
+                    end
+
+                    after(:all) do 
+                        $otp_session_id = nil
+                    end
+
+                    it " -- on creating unconfirmed user with a mobile number, it sends otp -- " do 
+            
+                        post user_registration_path, {user: attributes_for(:user_mobile),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                        @user_created = assigns(:user)
+                        @cl = assigns(:client)
+                        user_json_hash = JSON.parse(response.body)
+                        
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                        
+                    end
+
+                    it " -- accepts otp at the verify otp endpoint -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        $otp_session_id = $redis.hget(@last_user_created.id.to_s + "_two_factor_sms_otp","otp_session_id")
+                        
+                        get verify_otp_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                        
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    end
+
+                    it " -- short polls for verification status, returns auth_token, es"  do    
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        
+                       
+                        get otp_verification_result_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                       
+                        expect(user_json_hash["verified"]).to eq(true)
+                    expect(user_json_hash["resource"]).not_to include("authentication_token","es")
+                    end
+
+                    it " -- has errors if we try to update with an invalid mobile number now -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                       
+
+                        a = {:id => @last_user_created.id, :user => {:additional_login_param => Faker::Name.name, :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                        put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                        @user_updated = assigns(:user)
+                        expect(@user_updated.errors).not_to be_empty
+                        user_json_hash = JSON.parse(response.body)
+                        expect(user_json_hash.keys).to match_array(["nothing","errors"])
+                    end
+
+
+            end
+            
+            ##with redirect the targets are as follows:
+            ## => should redirect with mobile flow
+            ## => should be able to switch off redirect functionality
+
+            context " -- validation flow - create account with confirmed email, then add invalid mobile - should throw error " do 
+
+                     before(:all) do 
+                        ActionController::Base.allow_forgery_protection = true
+                        User.delete_all
+                        Auth::Client.delete_all
+                        @u = User.new(attributes_for(:user_confirmed))
+                        @u.save
+                        @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                        @c.redirect_urls = ["http://www.google.com"]
+                        @c.versioned_create
+                        @u.client_authentication["test_app_id"] = "test_es_token"
+                        @u.save
+                        @ap_key = @c.api_key
+                        @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                        @otp = 1234
+                        Auth.configuration.stub_otp_api_calls = true
+                    end
+
+
+                    it "-- creates confirmed email account " do 
+
+                        post user_registration_path, {user: attributes_for(:user_confirmed),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                        @user_created = assigns(:user)
+                        @cl = assigns(:client)
+                        user_json_hash = JSON.parse(response.body)
+                        
+                       
+                        expect(user_json_hash.keys).to match_array(["authentication_token","es"])
+
+                    end
+
+                    it " -- fails to update with invalid mobile number -- " do 
+
+                         @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                       
+
+                        a = {:id => @last_user_created.id, :user => {:additional_login_param => Faker::Name.name, :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                        put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                        @user_updated = assigns(:user)
+                        expect(@user_updated.errors).not_to be_empty
+                        user_json_hash = JSON.parse(response.body)
+                        expect(user_json_hash.keys).to match_array(["nothing","errors"])
+
+                    end
+
+
+            end
+
+        end
+
+        context " -- flow test --- " do 
+            
+            context " --- create and confirm an account with a mobile number, then try to delete the mobile -- should give a validation error -- " do 
+
+                before(:all) do 
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    Auth.configuration.stub_otp_api_calls = true
+                end
+
+                before(:all) do 
+                    $otp_session_id = nil
+                end
+
+                after(:all) do 
+                    $otp_session_id = nil
+                end
+
+                it " -- on creating unconfirmed user with a mobile number, it sends otp -- " do 
+        
+                    post user_registration_path, {user: attributes_for(:user_mobile),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                    @user_created = assigns(:user)
+                    @cl = assigns(:client)
+                    user_json_hash = JSON.parse(response.body)
+                    expect(user_json_hash.keys).to match_array(["nothing"])
+                    
+                end
+
+                it " -- accepts otp at the verify otp endpoint -- " do 
+
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    $otp_session_id = $redis.hget(@last_user_created.id.to_s + "_two_factor_sms_otp","otp_session_id")
+                    
+                    get verify_otp_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                    user_json_hash = JSON.parse(response.body)
+                    
+                    expect(user_json_hash.keys).to match_array(["nothing"])
+                end
+
+                it " -- short polls for verification status, returns auth_token, es"  do    
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    
+                   
+                    get otp_verification_result_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                    user_json_hash = JSON.parse(response.body)
+                   
+                    expect(user_json_hash["verified"]).to eq(true)
+                expect(user_json_hash["resource"]).not_to include("authentication_token","es")
+                end
+
+                it " -- has errors if we try to delete the mobile now -- " do 
+
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                   
+
+                    a = {:id => @last_user_created.id, :user => {:additional_login_param => "", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                    put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                    @user_updated = assigns(:user)
+                    expect(@user_updated.errors).not_to be_empty
+                    
+                end
+
+            end
+
+            context " -- create an confirm a mobile number, try to change it, -- should fail, without a confirmed email " do 
+
+                 before(:all) do 
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    Auth.configuration.stub_otp_api_calls = true
+                end 
+
+                 before(:all) do 
+                    $otp_session_id = nil
+                 end
+
+                 after(:all) do 
+                    $otp_session_id = nil
+                 end
+
+                    it " -- on creating unconfirmed user with a mobile number, it sends otp -- " do 
+            
+                        post user_registration_path, {user: attributes_for(:user_mobile),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                        @user_created = assigns(:user)
+                        @cl = assigns(:client)
+                        user_json_hash = JSON.parse(response.body)
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    
+                    end
+
+                    it " -- accepts otp at the verify otp endpoint -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        $otp_session_id = $redis.hget(@last_user_created.id.to_s + "_two_factor_sms_otp","otp_session_id")
+                        
+                        get verify_otp_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                        
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    end
+
+                    it " -- short polls for verification status, returns auth_token, es"  do    
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        
+                       
+                        get otp_verification_result_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                       
+                        expect(user_json_hash["verified"]).to eq(true)
+                    expect(user_json_hash["resource"]).not_to include("authentication_token","es")
+                    end
+
+                    it " -- has errors if we try to update the mobile now -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                       
+
+                        a = {:id => @last_user_created.id, :user => {:additional_login_param => "9561137096", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                        put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                        @user_updated = assigns(:user)
+                        expect(@user_updated.errors).to be_empty
+                        
+                    end
+
+
+            end
+
+            
+            context " --- create and confirm an account with a mobile number,add an unconfirmed email,try to change the mobile -> should fail ---" do 
+                
+                 before(:all) do 
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    Auth.configuration.stub_otp_api_calls = true
+                end
+
+
+                 before(:all) do 
+                    $otp_session_id = nil
+                 end
+
+                 after(:all) do 
+                    $otp_session_id = nil
+                 end
+
+                    it " -- on creating unconfirmed user with a mobile number, it sends otp -- " do 
+            
+                        post user_registration_path, {user: attributes_for(:user_mobile),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                        @user_created = assigns(:user)
+                        @cl = assigns(:client)
+                        user_json_hash = JSON.parse(response.body)
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    
+                    end
+
+                    it " -- accepts otp at the verify otp endpoint -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        $otp_session_id = $redis.hget(@last_user_created.id.to_s + "_two_factor_sms_otp","otp_session_id")
+                        
+                        get verify_otp_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                        
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    end
+
+                    it " -- short polls for verification status, returns auth_token, es"  do    
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        
+                       
+                        get otp_verification_result_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                       
+                        expect(user_json_hash["verified"]).to eq(true)
+                    expect(user_json_hash["resource"]).not_to include("authentication_token","es")
+                    end
+
+
+                    it "-- update with a valid email. -- " do 
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                   
+                        a = {:id => @last_user_created.id.to_s, :user => {:email => "rihanna@gmail.com", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+                               
+                        put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                        @user_updated = assigns(:user)
+                        expect(@user_updated.unconfirmed_email).to eq("rihanna@gmail.com")
+                        expect(@user_updated.errors).to be_empty
+                        expect(response.code).to eq("200")
+
+
+                    end
+
+                    it " -- has errors if we try to update the mobile now -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                       
+
+                        a = {:id => @last_user_created.id, :user => {:additional_login_param => "9822028511", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                        put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                        @user_updated = assigns(:user)
+                        expect(@user_updated.errors).not_to be_empty
+                        
+                    end
+            end
+
+            
+
+            ##create an confirm an account with an email address
+            ##add an unconfirmed mobile.
+            ##try to change the email -> should fail
+            ##try to change the mobile -> should fail.
+            context " -- create a confirmed email, then change the email , it should pass -- " do 
+
+
+                before(:all) do 
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    Auth.configuration.stub_otp_api_calls = true
+                end
+
+
+                it "-- creates confirmed email account " do 
+
+                    post user_registration_path, {user: attributes_for(:user_confirmed),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                    @user_created = assigns(:user)
+                    @cl = assigns(:client)
+                    user_json_hash = JSON.parse(response.body)
+                    
+                   
+                    expect(user_json_hash.keys).to match_array(["authentication_token","es"])
+
+                end
+
+                it "-- updates with a new email id -- " do 
+
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    auth_token = @last_user_created.authentication_token
+                    es = @last_user_created.client_authentication["test_app_id"]
+                    
+                    a = {:id => @last_user_created.id.to_s, :user => {:email => "jeronimo1122334@gmail.com", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                    put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+
+                    @user_updated = assigns(:user)
+                    user_json_hash = JSON.parse(response.body)
+                    puts user_json_hash.to_s
+                    expect(user_json_hash.keys).to match_array(["nothing"])
+                    expect(response.code.to_s).to eq("200")
+                    expect(@user_updated.errors).to  be_empty
+                end
+
+            end
+
+            ##create an account with email
+            ##then confirm
+            ##should return auth_token and es
+            ##now add mobile unconfirmed
+            ##should return auth_token and es -> but auth_token should be different from earlier one.
+            context " -- regeneration and return of auth_token and es even when unconfirmed additional_login_param added ", :problem => true do 
+                
+
+                before(:all) do 
+
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    
+                end
+
+                it "-- creates confirmed email account " do 
+
+                    post user_registration_path, {user: attributes_for(:user_confirmed),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                    @user_created = assigns(:user)
+                    @cl = assigns(:client)
+                    user_json_hash = JSON.parse(response.body)
+                    
+                   
+                    expect(user_json_hash.keys).to match_array(["authentication_token","es"])
+
+                end
+
+                it " -- updates with a mobile number " do 
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    auth_token = @last_user_created.authentication_token
+                    es = @last_user_created.client_authentication["test_app_id"]
+                    
+                    a = {:id => @last_user_created.id.to_s, :user => {:additional_login_param => "9822028511", :current_password => 'password'}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                    put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                    @user_updated = assigns(:user)
+                    expect(response.code.to_s).to eq("200")
+                    user_json_hash = JSON.parse(response.body)
+                    expect(user_json_hash.keys).to match_array(["authentication_token","es"])
+                    expect(@user_updated.authentication_token).not_to eq(auth_token)
+                    expect(@user_updated.client_authentication["test_app_id"]).to eq(es)
+                end
+
+            end
+
+            context " -- regeneration and return of auth_token and es even when unconfirmed email is added " do 
+
+                before(:all) do 
+
+                    ActionController::Base.allow_forgery_protection = true
+                    User.delete_all
+                    Auth::Client.delete_all
+                    @u = User.new(attributes_for(:user_confirmed))
+                    @u.save
+                    @c = Auth::Client.new(:resource_id => @u.id, :api_key => "test", :app_ids => ["test_app_id"])
+                    @c.redirect_urls = ["http://www.google.com"]
+                    @c.versioned_create
+                    @u.client_authentication["test_app_id"] = "test_es_token"
+                    @u.save
+                    @ap_key = @c.api_key
+                    @headers = { "CONTENT_TYPE" => "application/json" , "ACCEPT" => "application/json"}
+                    @otp = 1234
+                    
+                end 
+
+                it " -- on creating unconfirmed user with a mobile number, it sends otp -- " do 
+            
+                        post user_registration_path, {user: attributes_for(:user_mobile),:api_key => @ap_key, :current_app_id => "test_app_id"}.to_json, @headers
+                        @user_created = assigns(:user)
+                        @cl = assigns(:client)
+                        user_json_hash = JSON.parse(response.body)
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    
+                    end
+
+                    it " -- accepts otp at the verify otp endpoint -- " do 
+
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        $otp_session_id = $redis.hget(@last_user_created.id.to_s + "_two_factor_sms_otp","otp_session_id")
+                        
+                        get verify_otp_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                        
+                        expect(user_json_hash.keys).to match_array(["nothing"])
+                    end
+
+                    it " -- short polls for verification status, returns auth_token, es"  do    
+                        @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                        
+                       
+                        get otp_verification_result_url({:resource => "users",:user => {:additional_login_param => @last_user_created.additional_login_param, :otp => $otp_session_id},:api_key => @ap_key, :current_app_id => "test_app_id"}),nil,@headers
+                        user_json_hash = JSON.parse(response.body)
+                       
+                       expect(user_json_hash["verified"]).to eq(true)
+                         expect(user_json_hash["resource"]).not_to include("authentication_token","es")
+                    end
+
+
+                it " -- does not return auth_token or es in case of any validation errors " do 
+
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    auth_token = @last_user_created.authentication_token
+                   
+                    es = @last_user_created.client_authentication["test_app_id"]
+                    ##here the current password is intentionally not sent to simulate a situation where there will be some validation errors.
+                    a = {:id => @last_user_created.id.to_s, :user => {:email => "doggon@gmail.com"}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                    put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                    @user_updated = assigns(:user)
+                    expect(response.code.to_s).to eq("200")
+                    user_json_hash = JSON.parse(response.body)
+                    expect(user_json_hash).not_to include("authentication_token","es")
+                end
+
+                it " -- returns auth token and es, after adding an email account, and even before confirmation " do 
+
+                    @last_user_created = User.order_by(:confirmation_sent_at => 'desc').first
+                    auth_token = @last_user_created.authentication_token
+                   
+                    es = @last_user_created.client_authentication["test_app_id"]
+                    
+                    a = {:id => @last_user_created.id.to_s, :user => {:email => "doggon@gmail.com", :current_password => "password"}, api_key: @ap_key, :current_app_id => "test_app_id"}
+
+                    put user_registration_path, a.to_json,@headers.merge({"X-User-Token" => @last_user_created.authentication_token, "X-User-Es" => @last_user_created.client_authentication["test_app_id"], "X-User-Aid" => "test_app_id"})
+                    @user_updated = assigns(:user)
+                    expect(response.code.to_s).to eq("200")
+                    user_json_hash = JSON.parse(response.body)
+
+                    expect(user_json_hash.keys).to match_array(["authentication_token","es"])
+                    expect(@user_updated.authentication_token).not_to eq(auth_token)
+                    expect(@user_updated.client_authentication["test_app_id"]).to eq(es)
+
+                end
+
+            end
+
+        end
+
+    end
+
+  end
+
+
+end