require 'test_helper'
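class RememberMeTest < ActionDispatch::IntegrationTest
  # Creates a user, marks it as remembered and installs a signed
  # remember_user_token cookie in the test cookie jar, i.e. what a browser
  # would send back on a later request.
  #
  # add_to_token - string appended to the raw token (the last element of the
  #                serialized cookie) before signing; lets a caller forge a
  #                cookie whose signature is valid but whose token is not.
  #
  # Returns the created user.
  def create_user_and_remember(add_to_token = '')
    user = create_user
    user.remember_me!

    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
    cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)

    user
  end

  # Signs raw_cookie with the application's signed cookie jar, using a
  # throwaway request, and returns the signed value exactly as it would be
  # stored client-side.
  def generate_signed_cookie(raw_cookie)
    request = ActionDispatch::TestRequest.new
    request.cookie_jar.signed['raw_cookie'] = raw_cookie
    request.cookie_jar['raw_cookie']
  end

  # Reads (and signature-verifies) the signed cookie named key from the
  # controller of the last request.
  def signed_cookie(key)
    controller.send(:cookies).signed[key]
  end

  # Returns the expires= attribute of the cookie named key from the last
  # response's Set-Cookie header, as a UTC Time. Raises (NoMethodError on nil)
  # if the cookie or its expires attribute is missing.
  def cookie_expires(key)
    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
    expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
    Time.parse(expires).utc
  end

  test 'do not remember the user if they have not checked remember me option' do
    sign_in_as_user
    # The remember cookie must only be issued when the user opted in. Assert on
    # the real cookie name (remember_user_token, the key every other test uses);
    # asserting on a key that is never set would pass regardless of behavior.
    assert_nil request.cookies["remember_user_token"]
  end

  test 'handle unverified requests gets rid of caches' do
    swap ApplicationController, allow_forgery_protection: true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

      # Even with a valid remember cookie, a request that fails CSRF
      # verification must not leave the user authenticated.
      create_user_and_remember
      post exhibit_user_url(1)
      assert_equal "User is not authenticated", response.body
      assert_not warden.authenticated?(:user)
    end
  end

  test 'handle unverified requests does not create cookies on sign in' do
    swap ApplicationController, allow_forgery_protection: true do
      get new_user_session_path
      assert request.session[:_csrf_token]

      # Wrong authenticity token: sign in must fail and no remember cookie
      # may be set, even though remember_me was requested.
      post user_session_path, authenticity_token: "oops", user:
        { email: "jose.valim@gmail.com", password: "123456", remember_me: "1" }
      assert_not warden.authenticated?(:user)
      assert_not request.cookies['remember_user_token']
    end
  end

  test 'generate remember token after sign in' do
    sign_in_as_user remember_me: true
    assert request.cookies['remember_user_token']
  end

  test 'generate remember token after sign in setting cookie options' do
    # We test this by asserting the cookie is not sent after the redirect
    # since we changed the domain. This is the only difference with the
    # previous test.
    swap Devise, rememberable_options: { domain: "omg.somewhere.com" } do
      sign_in_as_user remember_me: true
      assert_nil request.cookies["remember_user_token"]
    end
  end

  test 'generate remember token with a custom key' do
    swap Devise, rememberable_options: { key: "v1lat_token" } do
      sign_in_as_user remember_me: true
      assert request.cookies["v1lat_token"]
    end
  end

  test 'generate remember token after sign in setting session options' do
    begin
      # The session store's domain must be honored by the remember cookie too;
      # as above, a foreign domain means the cookie is not sent back.
      Rails.configuration.session_options[:domain] = "omg.somewhere.com"
      sign_in_as_user remember_me: true
      assert_nil request.cookies["remember_user_token"]
    ensure
      Rails.configuration.session_options.delete(:domain)
    end
  end

  test 'remember the user before sign in' do
    user = create_user_and_remember
    get users_path

    assert_response :success
    assert warden.authenticated?(:user)
    assert_equal user, warden.user(:user)
    # The cookie re-issued on this response must not be readable from script.
    assert_match(/remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"],
                 "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie.")
  end

  test 'remember the user before sign up and redirect them to their home' do
    create_user_and_remember
    get new_user_registration_path
    assert warden.authenticated?(:user)
    assert_redirected_to root_path
  end

  test 'does not extend remember period through sign in' do
    swap Devise, extend_remember_period: true, remember_for: 1.year do
      user = create_user
      user.remember_me!
      user.remember_created_at = old = 10.days.ago
      user.save

      sign_in_as_user remember_me: true
      user.reload

      assert_equal user, warden.user(:user)
      # Compared via to_i: the database may truncate sub-second precision.
      assert_equal old.to_i, user.remember_created_at.to_i
    end
  end

  test 'do not remember other scopes' do
    create_user_and_remember
    get root_path
    assert_response :success
    assert warden.authenticated?(:user)
    assert_not warden.authenticated?(:admin)
  end

  test 'do not remember with invalid token' do
    # Signature is valid (we signed it ourselves) but the token does not match
    # the stored one, so the cookie must be rejected.
    create_user_and_remember('add')
    get users_path
    assert_not warden.authenticated?(:user)
    assert_redirected_to new_user_session_path
  end

  test 'do not remember with expired token' do
    create_user_and_remember
    swap Devise, remember_for: 0 do
      get users_path
      assert_not warden.authenticated?(:user)
      assert_redirected_to new_user_session_path
    end
  end

  test 'do not remember the user anymore after forget' do
    create_user_and_remember
    get users_path
    assert warden.authenticated?(:user)

    get destroy_user_session_path
    assert_not warden.authenticated?(:user)
    assert_nil warden.cookies['remember_user_token']

    # Sign-out must also invalidate the cookie server-side, not just clear it:
    # replaying the old cookie may not authenticate again.
    get users_path
    assert_not warden.authenticated?(:user)
  end

  test 'changing user password expires remember me token' do
    user = create_user_and_remember
    user.password = "another_password"
    user.password_confirmation = "another_password"
    user.save!

    get users_path
    assert_not warden.authenticated?(:user)
  end

  test 'valid sign in calls after_remembered callback' do
    user = create_user_and_remember
    User.expects(:serialize_from_cookie).returns user
    user.expects :after_remembered
    get new_user_registration_path
  end
end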