heartcombo--devise/test/integration/rememberable_test.rb

require 'test_helper'

class RememberMeTest < ActionController::IntegrationTest

  def create_user_and_remember(add_to_token='')
    user = create_user
    user.remember_me!
    raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
    cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
    user
  end

  def generate_signed_cookie(raw_cookie)
    request = ActionDispatch::TestRequest.new
    request.cookie_jar.signed['raw_cookie'] = raw_cookie
    request.cookie_jar['raw_cookie']
  end

  def signed_cookie(key)
    controller.send(:cookies).signed[key]
  end

  def cookie_expires(key)
    cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
    cookie.split(";").map(&:strip).grep(/^expires=/)
    Time.parse($')
  end

  test 'do not remember the user if he has not checked remember me option' do
    user = sign_in_as_user
    assert_nil request.cookies["remember_user_cookie"]
    assert_nil user.reload.remember_token
  end

  test 'generate remember token after sign in' do
    user = sign_in_as_user :remember_me => true
    assert request.cookies["remember_user_token"]
    assert user.reload.remember_token
  end

  test 'generate remember token after sign in setting cookie domain' do
    # We test this by asserting the cookie is not sent after the redirect
    # since we changed the domain. This is the only difference with the
    # previous test.
    swap User, :cookie_domain => "omg.somewhere.com" do
      user = sign_in_as_user :remember_me => true
      assert_nil request.cookies["remember_user_token"]
    end
  end

  test 'remember the user before sign in' do
    user = create_user_and_remember
    get users_path
    assert_response :success
    assert warden.authenticated?(:user)
    assert warden.user(:user) == user
  end

  test 'does not extend remember period through sign in' do
    swap Devise, :extend_remember_period => true, :remember_for => 1.year do
      user = create_user
      user.remember_me!

      user.remember_created_at = old = 10.days.ago
      user.save

      sign_in_as_user :remember_me => true
      user.reload

      assert warden.user(:user) == user
      assert_equal old, user.remember_created_at
    end
  end

  test 'if both extend_remember_period and remember_across_browsers are true, sends the same token with a new expire date' do
    swap Devise, :remember_across_browsers => true, :extend_remember_period => true, :remember_for => 1.year do
      user  = create_user_and_remember
      token = user.remember_token

      user.remember_created_at = old = 10.minutes.ago
      user.save!

      get users_path
      assert (cookie_expires("remember_user_token") - 1.year) > (old + 5.minutes)
      assert_equal token, signed_cookie("remember_user_token").last
    end
  end

  test 'if both extend_remember_period and remember_across_browsers are false, sends a new token with old expire date' do
    swap Devise, :remember_across_browsers => false, :extend_remember_period => false, :remember_for => 1.year do
      user  = create_user_and_remember
      token = user.remember_token

      user.remember_created_at = old = 10.minutes.ago
      user.save!

      get users_path
      assert (cookie_expires("remember_user_token") - 1.year) < (old + 5.minutes)
      assert_not_equal token, signed_cookie("remember_user_token").last
    end
  end

  test 'do not remember other scopes' do
    user = create_user_and_remember
    get root_path
    assert_response :success
    assert warden.authenticated?(:user)
    assert_not warden.authenticated?(:admin)
  end

  test 'do not remember with invalid token' do
    user = create_user_and_remember('add')
    get users_path
    assert_not warden.authenticated?(:user)
    assert_redirected_to new_user_session_path
  end

  test 'do not remember with expired token' do
    user = create_user_and_remember
    swap Devise, :remember_for => 0 do
      get users_path
      assert_not warden.authenticated?(:user)
      assert_redirected_to new_user_session_path
    end
  end

  test 'forget the user before sign out' do
    user = create_user_and_remember
    get users_path
    assert warden.authenticated?(:user)
    get destroy_user_session_path
    assert_not warden.authenticated?(:user)
    assert_nil user.reload.remember_token
  end

  test 'do not remember the user anymore after forget' do
    user = create_user_and_remember
    get users_path
    assert warden.authenticated?(:user)
    get destroy_user_session_path
    get users_path
    assert_not warden.authenticated?(:user)
  end
end
Compatibility with Ruby 1.9.1 and 1.9.2. 2010-03-26 06:27:19 -04:00			`require 'test_helper'`
Bring rememberable back. 2010-01-14 09:47:14 -05:00
			`class RememberMeTest < ActionController::IntegrationTest`

			`def create_user_and_remember(add_to_token='')`
			`user = create_user`
			`user.remember_me!`
Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`raw_cookie = User.serialize_into_cookie(user).tap { \|a\| a.last << add_to_token }`
			`cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user`
			`end`

Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`def generate_signed_cookie(raw_cookie)`
Compatibility with Rails beta 3. 2010-04-05 05:46:26 -04:00			`request = ActionDispatch::TestRequest.new`
Use message verifier in cookies. Previous implementation allowed brute force attacks by cookies. Even though it is impossible for the brute force attack to succeed, the current implementation blocks the attacker even before hitting the database. 2010-03-31 07:31:45 -04:00			`request.cookie_jar.signed['raw_cookie'] = raw_cookie`
			`request.cookie_jar['raw_cookie']`
			`end`

Add extend_remember_period, closes #340. 2010-07-23 10:31:42 -04:00			`def signed_cookie(key)`
			`controller.send(:cookies).signed[key]`
			`end`

			`def cookie_expires(key)`
			`cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first`
			`cookie.split(";").map(&:strip).grep(/^expires=/)`
			`Time.parse($')`
			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'do not remember the user if he has not checked remember me option' do`
			`user = sign_in_as_user`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`assert_nil request.cookies["remember_user_cookie"]`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`assert_nil user.reload.remember_token`
			`end`

			`test 'generate remember token after sign in' do`
			`user = sign_in_as_user :remember_me => true`
Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`assert request.cookies["remember_user_token"]`
			`assert user.reload.remember_token`
			`end`

			`test 'generate remember token after sign in setting cookie domain' do`
			`# We test this by asserting the cookie is not sent after the redirect`
			`# since we changed the domain. This is the only difference with the`
			`# previous test.`
			`swap User, :cookie_domain => "omg.somewhere.com" do`
			`user = sign_in_as_user :remember_me => true`
			`assert_nil request.cookies["remember_user_token"]`
			`end`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

			`test 'remember the user before sign in' do`
			`user = create_user_and_remember`
			`get users_path`
			`assert_response :success`
			`assert warden.authenticated?(:user)`
			`assert warden.user(:user) == user`
			`end`

More about extend remember period feature. 2010-07-23 17:57:31 -04:00			`test 'does not extend remember period through sign in' do`
			`swap Devise, :extend_remember_period => true, :remember_for => 1.year do`
			`user = create_user`
			`user.remember_me!`

			`user.remember_created_at = old = 10.days.ago`
			`user.save`

			`sign_in_as_user :remember_me => true`
			`user.reload`

			`assert warden.user(:user) == user`
			`assert_equal old, user.remember_created_at`
			`end`
			`end`

Add extend_remember_period, closes #340. 2010-07-23 10:31:42 -04:00			`test 'if both extend_remember_period and remember_across_browsers are true, sends the same token with a new expire date' do`
			`swap Devise, :remember_across_browsers => true, :extend_remember_period => true, :remember_for => 1.year do`
			`user = create_user_and_remember`
			`token = user.remember_token`

			`user.remember_created_at = old = 10.minutes.ago`
			`user.save!`

			`get users_path`
			`assert (cookie_expires("remember_user_token") - 1.year) > (old + 5.minutes)`
			`assert_equal token, signed_cookie("remember_user_token").last`
			`end`
			`end`

			`test 'if both extend_remember_period and remember_across_browsers are false, sends a new token with old expire date' do`
			`swap Devise, :remember_across_browsers => false, :extend_remember_period => false, :remember_for => 1.year do`
			`user = create_user_and_remember`
			`token = user.remember_token`

			`user.remember_created_at = old = 10.minutes.ago`
			`user.save!`

			`get users_path`
			`assert (cookie_expires("remember_user_token") - 1.year) < (old + 5.minutes)`
			`assert_not_equal token, signed_cookie("remember_user_token").last`
			`end`
			`end`

Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`test 'do not remember other scopes' do`
Update warden which fixes a security issue. 2010-02-23 13:47:45 -05:00			`user = create_user_and_remember`
			`get root_path`
			`assert_response :success`
			`assert warden.authenticated?(:user)`
			`assert_not warden.authenticated?(:admin)`
			`end`

Bring rememberable back. 2010-01-14 09:47:14 -05:00			`test 'do not remember with invalid token' do`
			`user = create_user_and_remember('add')`
			`get users_path`
			`assert_not warden.authenticated?(:user)`
No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3. 2010-04-03 05:43:31 -04:00			`assert_redirected_to new_user_session_path`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

Add tests to cookie domain, closes #254. 2010-05-16 08:13:43 -04:00			`test 'do not remember with expired token' do`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`user = create_user_and_remember`
All tests passing (except two which are errors in Rails). Now generators and initialization process. 2010-02-16 15:23:58 -05:00			`swap Devise, :remember_for => 0 do`
			`get users_path`
			`assert_not warden.authenticated?(:user)`
No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3. 2010-04-03 05:43:31 -04:00			`assert_redirected_to new_user_session_path`
All tests passing (except two which are errors in Rails). Now generators and initialization process. 2010-02-16 15:23:58 -05:00			`end`
Bring rememberable back. 2010-01-14 09:47:14 -05:00			`end`

			`test 'forget the user before sign out' do`
			`user = create_user_and_remember`
			`get users_path`
			`assert warden.authenticated?(:user)`
			`get destroy_user_session_path`
			`assert_not warden.authenticated?(:user)`
			`assert_nil user.reload.remember_token`
			`end`

			`test 'do not remember the user anymore after forget' do`
			`user = create_user_and_remember`
			`get users_path`
			`assert warden.authenticated?(:user)`
			`get destroy_user_session_path`
			`get users_path`
			`assert_not warden.authenticated?(:user)`
			`end`
			`end`