require 'test_helper'
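class TokenAuthenticationTest < ActionController::IntegrationTest
  # Integration coverage for Devise's token authentication strategy.
  #
  # A user presents `authentication_token` either as a request parameter whose
  # name is `Devise.token_authentication_key`, or as the user name part of an
  # HTTP Basic credential. Each test swaps the relevant Devise settings for the
  # duration of its block and then inspects Warden's state.

  test 'authenticate with valid authentication token key and value through params' do
    swap Devise, :token_authentication_key => :secret_token do
      sign_in_as_new_user_with_token
      assert_response :success
      assert_current_url "/users?secret_token=#{VALID_AUTHENTICATION_TOKEN}"
      assert_contain 'Welcome'
      assert warden.authenticated?(:user)
    end
  end

  test 'authenticate with valid authentication token key and value through params, when params with the same key as scope exist' do
    swap Devise, :token_authentication_key => :secret_token do
      user = create_user_with_authentication_token
      # A nested `:user` hash sharing the scope name must not interfere with
      # the token lookup.
      post exhibit_user_path(user), Devise.token_authentication_key => user.authentication_token, :user => { :some => "data" }
      assert_response :success
      assert_contain 'User is authenticated'
      assert warden.authenticated?(:user)
    end
  end

  test 'authenticate with valid authentication token key but does not store if stateless' do
    swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth] do
      sign_in_as_new_user_with_token
      assert warden.authenticated?(:user)
      # Session storage is skipped for token auth, so a follow-up request that
      # carries no token must be treated as anonymous.
      get users_path
      assert_redirected_to new_user_session_path
      assert_not warden.authenticated?(:user)
    end
  end

  test 'authenticate with valid authentication token key and value through http' do
    swap Devise, :token_authentication_key => :secret_token do
      sign_in_as_new_user_with_token(:http_auth => true)
      assert_response :success
      assert_match '<email>user@test.com</email>', response.body
      assert warden.authenticated?(:user)
    end
  end

  # Test name corrected: the assertions below verify that the token is
  # *rejected* when the params strategy is not enabled for token auth.
  test 'does not authenticate with valid authentication token key and value through params if not configured' do
    swap Devise, :token_authentication_key => :secret_token, :params_authenticatable => [:database] do
      sign_in_as_new_user_with_token
      assert_contain 'You need to sign in or sign up before continuing'
      assert_contain 'Sign in'
      assert_not warden.authenticated?(:user)
    end
  end

  # Test name corrected: the assertions below verify that the token is
  # *rejected* when the HTTP strategy is not enabled for token auth.
  test 'does not authenticate with valid authentication token key and value through http if not configured' do
    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:database] do
      sign_in_as_new_user_with_token(:http_auth => true)
      assert_response 401
      assert_contain 'Invalid email or password.'
      assert_not warden.authenticated?(:user)
    end
  end

  test 'does not authenticate with improper authentication token key' do
    swap Devise, :token_authentication_key => :donald_duck_token do
      # The token is sent under a parameter name that is not the configured key.
      sign_in_as_new_user_with_token(:auth_token_key => :secret_token)
      assert_equal new_user_session_path, @request.path
      assert_contain 'You need to sign in or sign up before continuing'
      assert_contain 'Sign in'
      assert_not warden.authenticated?(:user)
    end
  end

  test 'does not authenticate with improper authentication token value' do
    store_translations :en, :devise => { :failure => { :invalid_token => 'LOL, that was not a single character correct.' } } do
      sign_in_as_new_user_with_token(:auth_token => '*** INVALID TOKEN ***')
      assert_equal new_user_session_path, @request.path
      # The custom :invalid_token translation is rendered, so the failure
      # reason is specifically the token value.
      assert_contain 'LOL, that was not a single character correct.'
      assert_contain 'Sign in'
      assert_not warden.authenticated?(:user)
    end
  end

  test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
    swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth], :timeout_in => (0.1).second do
      user = sign_in_as_new_user_with_token
      assert warden.authenticated?(:user)
      # Expiring does not work because we are setting the session value when accessing it
      sleep 0.3
      get_users_path_as_existing_user(user)
      assert warden.authenticated?(:user)
    end
  end

  test 'should reset token and not authenticate when expire_auth_token_on_timeout is set to true, timeoutable is enabled and we have a timed out session' do
    # A negative timeout_in makes every session already timed out.
    swap Devise, :token_authentication_key => :secret_token, :expire_auth_token_on_timeout => true, :timeout_in => (-1).minute do
      user = sign_in_as_new_user_with_token
      assert warden.authenticated?(:user)
      token = user.authentication_token
      get_users_path_as_existing_user(user)
      assert_not warden.authenticated?(:user)
      # The timed-out token must have been rotated, not merely rejected.
      user.reload
      assert_not_equal token, user.authentication_token
    end
  end

  test 'should not be subject to injection' do
    swap Devise, :token_authentication_key => :secret_token do
      user1 = create_user_with_authentication_token

      # Clean up user cache: create_user memoizes in @user, so reset it to get
      # a second, distinct record.
      @user = nil

      user2 = create_user_with_authentication_token(:email => "another@test.com")
      user2.update_attribute(:authentication_token, "ANOTHERTOKEN")

      assert_not_equal user1, user2
      # The token parameter is sent as a nested hash (`secret_token[$ne]=...`)
      # rather than a plain value. A lookup that passed the hash straight to
      # the query layer could match "any user whose token is not X"; the
      # strategy must reject non-scalar tokens, leaving nobody signed in.
      visit users_path(Devise.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
      assert_nil warden.user(:user)
    end
  end

  private

  # Creates (or reuses `options[:user]`) a user holding
  # VALID_AUTHENTICATION_TOKEN and performs a single request that presents
  # the token.
  #
  # options:
  #   :user           - existing user to authenticate as; skips creation
  #   :auth_token_key - parameter name carrying the token
  #                     (default: Devise.token_authentication_key)
  #   :auth_token     - token value to send
  #                     (default: the user's authentication_token)
  #   :http_auth      - when truthy, send the token as the HTTP Basic user name
  #                     on users_path(:format => :xml) instead of as a param
  # Remaining keys are forwarded to create_user_with_authentication_token.
  #
  # Returns the user that was (or should have been) signed in.
  def sign_in_as_new_user_with_token(options = {})
    # Work on a copy so callers' option hashes are not mutated by delete/||=.
    options = options.dup
    user = options.delete(:user) || create_user_with_authentication_token(options)

    options[:auth_token_key] ||= Devise.token_authentication_key
    options[:auth_token] ||= user.authentication_token

    if options[:http_auth]
      # Use the resolved :auth_token rather than the VALID_AUTHENTICATION_TOKEN
      # constant, so an explicit override is honoured on the HTTP path as well
      # as the params path. strict_encode64 avoids the trailing newline that
      # encode64 would embed in the header value.
      header = "Basic #{Base64.strict_encode64("#{options[:auth_token]}:X")}"
      get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
    else
      visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
    end

    user
  end

  # Creates a user via create_user(options) and assigns it
  # VALID_AUTHENTICATION_TOKEN. Uses save! so a failed save aborts the test
  # here instead of surfacing later as an unexplained authentication failure.
  def create_user_with_authentication_token(options = {})
    user = create_user(options)
    user.authentication_token = VALID_AUTHENTICATION_TOKEN
    user.save!
    user
  end

  # Performs another token-authenticated request as an already-created user.
  def get_users_path_as_existing_user(user)
    sign_in_as_new_user_with_token(:user => user)
  end
end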