heartcombo--devise/test/integration/rememberable_test.rb

require 'test_helper'

class RememberMeTest < ActionController::IntegrationTest
  def create_user_and_remember(add_to_token='')
    user = create_user
    user.remember_me!
    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
    cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
    user
  end

  def generate_signed_cookie(raw_cookie)
    request = ActionDispatch::TestRequest.new
    request.cookie_jar.signed['raw_cookie'] = raw_cookie
    request.cookie_jar['raw_cookie']
  end

  def signed_cookie(key)
    controller.send(:cookies).signed[key]
  end

  def cookie_expires(key)
    cookie  = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
    expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
    Time.parse(expires).utc
  end

  test 'do not remember the user if he has not checked remember me option' do
    user = sign_in_as_user
    assert_nil request.cookies["remember_user_cookie"]
  end

  test 'handles unverified requests gets rid of caches' do
    swap UsersController, :allow_forgery_protection => true do
      post exhibit_user_url(1)
      assert_not warden.authenticated?(:user)

      create_user_and_remember
      post exhibit_user_url(1)
      assert_equal "User is not authenticated", response.body
      assert_not warden.authenticated?(:user)
    end
  end

  test 'generate remember token after sign in' do
    user = sign_in_as_user :remember_me => true
    assert request.cookies["remember_user_token"]
  end

  test 'generate remember token after sign in setting cookie options' do
    # We test this by asserting the cookie is not sent after the redirect
    # since we changed the domain. This is the only difference with the
    # previous test.
    swap Devise, :rememberable_options => { :domain => "omg.somewhere.com" } do
      user = sign_in_as_user :remember_me => true
      assert_nil request.cookies["remember_user_token"]
    end
  end

  test 'generate remember token after sign in setting session options' do
    begin
      Rails.configuration.session_options[:domain] = "omg.somewhere.com"
      user = sign_in_as_user :remember_me => true
      assert_nil request.cookies["remember_user_token"]
    ensure
      Rails.configuration.session_options.delete(:domain)
    end
  end

  test 'remember the user before sign in' do
    user = create_user_and_remember
    get users_path
    assert_response :success
    assert warden.authenticated?(:user)
    assert warden.user(:user) == user
    assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
  end

  test 'remember the user before sign up and redirect him to his home' do
    user = create_user_and_remember
    get new_user_registration_path
    assert warden.authenticated?(:user)
    assert_redirected_to root_path
  end

  test 'cookies are destroyed on unverified requests' do
    swap ApplicationController, :allow_forgery_protection => true do
      user = create_user_and_remember
      get users_path
      assert warden.authenticated?(:user)
      post root_path, :authenticity_token => 'INVALID'
      assert_not warden.authenticated?(:user)
    end
  end

  test 'does not extend remember period through sign in' do
    swap Devise, :extend_remember_period => true, :remember_for => 1.year do
      user = create_user
      user.remember_me!

      user.remember_created_at = old = 10.days.ago
      user.save

      sign_in_as_user :remember_me => true
      user.reload

      assert warden.user(:user) == user
      assert_equal old.to_i, user.remember_created_at.to_i
    end
  end

  test 'do not remember other scopes' do
    user = create_user_and_remember
    get root_path
    assert_response :success
    assert warden.authenticated?(:user)
    assert_not warden.authenticated?(:admin)
  end

  test 'do not remember with invalid token' do
    user = create_user_and_remember('add')
    get users_path
    assert_not warden.authenticated?(:user)
    assert_redirected_to new_user_session_path
  end

  test 'do not remember with expired token' do
    user = create_user_and_remember
    swap Devise, :remember_for => 0 do
      get users_path
      assert_not warden.authenticated?(:user)
      assert_redirected_to new_user_session_path
    end
  end

  test 'do not remember the user anymore after forget' do
    user = create_user_and_remember
    get users_path
    assert warden.authenticated?(:user)

    get destroy_user_session_path
    assert_not warden.authenticated?(:user)
    assert_nil warden.cookies['remember_user_token']

    get users_path
    assert_not warden.authenticated?(:user)
  end

  test 'changing user password expires remember me token' do
    user = create_user_and_remember
    user.password = "another_password"
    user.password_confirmation = "another_password"
    user.save!

    get users_path
    assert_not warden.authenticated?(:user)
  end
end
Compatibility with Ruby 1.9.1 and 1.9.2. 2010-03-26 06:27:19 -04:00			`require 'test_helper'`
Bring rememberable back. 2010-01-14 09:47:14 -05:00
			`class RememberMeTest < ActionController::IntegrationTest`
			`def create_user_and_remember(add_to_token='')`
			`user = create_user`
			`user.remember_me!`
Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`raw_cookie = User.serialize_into_cookie(user).tap { \|a\| a.last << add_to_token }`
			`cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user`
			`end`

Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`def generate_signed_cookie(raw_cookie)`
Compatibility with Rails beta 3. 2010-04-05 05:46:26 -04:00			`request = ActionDispatch::TestRequest.new`
Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`request.cookie_jar.signed['raw_cookie'] = raw_cookie`
			`request.cookie_jar['raw_cookie']`
			`end`

Add extend_remember_period, closes #340. 2010-07-23 10:31:42 -04:00			`def signed_cookie(key)`
			`controller.send(:cookies).signed[key]`
			`end`

			`def cookie_expires(key)`
rememberable cookie now is httponly by default 2010-12-25 06:04:04 -05:00			`cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first`
			`expires = cookie.split(";").map(&:strip).grep(/^expires=/).first`
Fixing test error when dealing with multiple time zones 2011-02-22 13:41:23 -05:00			`Time.parse(expires).utc`
Add extend_remember_period, closes #340. 2010-07-23 10:31:42 -04:00			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'do not remember the user if he has not checked remember me option' do`
			`user = sign_in_as_user`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`assert_nil request.cookies["remember_user_cookie"]`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

Ensure handle_unverified_request clean up any cached signed-in user 2011-06-28 21:13:35 -04:00			`test 'handles unverified requests gets rid of caches' do`
			`swap UsersController, :allow_forgery_protection => true do`
			`post exhibit_user_url(1)`
			`assert_not warden.authenticated?(:user)`

			`create_user_and_remember`
			`post exhibit_user_url(1)`
			`assert_equal "User is not authenticated", response.body`
			`assert_not warden.authenticated?(:user)`
			`end`
			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'generate remember token after sign in' do`
			`user = sign_in_as_user :remember_me => true`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`assert request.cookies["remember_user_token"]`
			`end`

cookie_domain is deprecated in favor of cookie_options which uses session_options by default. 2010-09-25 15:13:54 -04:00			`test 'generate remember token after sign in setting cookie options' do`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`# We test this by asserting the cookie is not sent after the redirect`
			`# since we changed the domain. This is the only difference with the`
			`# previous test.`
Clean up remember token related config. 2012-02-16 06:26:10 -05:00			`swap Devise, :rememberable_options => { :domain => "omg.somewhere.com" } do`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`user = sign_in_as_user :remember_me => true`
			`assert_nil request.cookies["remember_user_token"]`
			`end`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

cookie_domain is deprecated in favor of cookie_options which uses session_options by default. 2010-09-25 15:13:54 -04:00			`test 'generate remember token after sign in setting session options' do`
			`begin`
			`Rails.configuration.session_options[:domain] = "omg.somewhere.com"`
			`user = sign_in_as_user :remember_me => true`
			`assert_nil request.cookies["remember_user_token"]`
			`ensure`
			`Rails.configuration.session_options.delete(:domain)`
			`end`
			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'remember the user before sign in' do`
			`user = create_user_and_remember`
			`get users_path`
			`assert_response :success`
			`assert warden.authenticated?(:user)`
			`assert warden.user(:user) == user`
Fix failing test. 2011-05-23 12:22:32 -04:00			`assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

User cannot access sign up and similar pages if he is already signed in through a cookie or token, closes #1036. 2011-04-29 02:56:35 -04:00			`test 'remember the user before sign up and redirect him to his home' do`
			`user = create_user_and_remember`
			`get new_user_registration_path`
			`assert warden.authenticated?(:user)`
			`assert_redirected_to root_path`
			`end`

Implement Rails' handle unverified request. 2011-02-15 04:58:38 -05:00			`test 'cookies are destroyed on unverified requests' do`
			`swap ApplicationController, :allow_forgery_protection => true do`
			`user = create_user_and_remember`
			`get users_path`
			`assert warden.authenticated?(:user)`
			`post root_path, :authenticity_token => 'INVALID'`
			`assert_not warden.authenticated?(:user)`
			`end`
			`end`

More about extend remember period feature. 2010-07-23 17:57:31 -04:00			`test 'does not extend remember period through sign in' do`
			`swap Devise, :extend_remember_period => true, :remember_for => 1.year do`
			`user = create_user`
			`user.remember_me!`

			`user.remember_created_at = old = 10.days.ago`
			`user.save`

			`sign_in_as_user :remember_me => true`
			`user.reload`

			`assert warden.user(:user) == user`
Tests green on mongoid as well. 2010-07-26 14:25:02 -04:00			`assert_equal old.to_i, user.remember_created_at.to_i`
More about extend remember period feature. 2010-07-23 17:57:31 -04:00			`end`
			`end`

Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`test 'do not remember other scopes' do`
Update warden which fixes a security issue. 2010-02-23 13:47:45 -05:00			`user = create_user_and_remember`
			`get root_path`
			`assert_response :success`
			`assert warden.authenticated?(:user)`
			`assert_not warden.authenticated?(:admin)`
			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'do not remember with invalid token' do`
			`user = create_user_and_remember('add')`
			`get users_path`
			`assert_not warden.authenticated?(:user)`
No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3. 2010-04-03 05:43:31 -04:00			`assert_redirected_to new_user_session_path`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`test 'do not remember with expired token' do`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user = create_user_and_remember`
All tests passing (except two which are errors in Rails). Now generators and initialization process. 2010-02-16 15:23:58 -05:00			`swap Devise, :remember_for => 0 do`
			`get users_path`
			`assert_not warden.authenticated?(:user)`
No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3. 2010-04-03 05:43:31 -04:00			`assert_redirected_to new_user_session_path`
All tests passing (except two which are errors in Rails). Now generators and initialization process. 2010-02-16 15:23:58 -05:00			`end`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

Allow to Rememberable to work without remember_token relying on salt if possible. This comes with the benefit that if you change your password, all remember tokens expires, and it also requires one field less in the database. The downside is that if you want remember_me_across_browser to be false, it won't work unless you use the token. It also requires you to be using database_authenticable. Using salt is now the default in Devise. 2010-09-25 06:37:06 -04:00			`test 'do not remember the user anymore after forget' do`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user = create_user_and_remember`
			`get users_path`
			`assert warden.authenticated?(:user)`
Allow to Rememberable to work without remember_token relying on salt if possible. This comes with the benefit that if you change your password, all remember tokens expires, and it also requires one field less in the database. The downside is that if you want remember_me_across_browser to be false, it won't work unless you use the token. It also requires you to be using database_authenticable. Using salt is now the default in Devise. 2010-09-25 06:37:06 -04:00
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`get destroy_user_session_path`
			`assert_not warden.authenticated?(:user)`
Allow to Rememberable to work without remember_token relying on salt if possible. This comes with the benefit that if you change your password, all remember tokens expires, and it also requires one field less in the database. The downside is that if you want remember_me_across_browser to be false, it won't work unless you use the token. It also requires you to be using database_authenticable. Using salt is now the default in Devise. 2010-09-25 06:37:06 -04:00			`assert_nil warden.cookies['remember_user_token']`

			`get users_path`
			`assert_not warden.authenticated?(:user)`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

Allow to Rememberable to work without remember_token relying on salt if possible. This comes with the benefit that if you change your password, all remember tokens expires, and it also requires one field less in the database. The downside is that if you want remember_me_across_browser to be false, it won't work unless you use the token. It also requires you to be using database_authenticable. Using salt is now the default in Devise. 2010-09-25 06:37:06 -04:00			`test 'changing user password expires remember me token' do`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user = create_user_and_remember`
Allow to Rememberable to work without remember_token relying on salt if possible. This comes with the benefit that if you change your password, all remember tokens expires, and it also requires one field less in the database. The downside is that if you want remember_me_across_browser to be false, it won't work unless you use the token. It also requires you to be using database_authenticable. Using salt is now the default in Devise. 2010-09-25 06:37:06 -04:00			`user.password = "another_password"`
			`user.password_confirmation = "another_password"`
			`user.save!`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`get users_path`
			`assert_not warden.authenticated?(:user)`
			`end`
Added assertion testing that remember_user_token cookie is flagged as HttpOnly. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-12-22 00:04:54 -05:00			`end`