1
0
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2022-11-09 12:18:31 -05:00
heartcombo--devise/test/integration/rememberable_test.rb
2011-02-24 21:55:52 +01:00

189 lines
6 KiB
Ruby

require 'test_helper'
class RememberMeTest < ActionController::IntegrationTest
def create_user_and_remember(add_to_token='')
user = create_user
user.remember_me!
raw_cookie = User.serialize_into_cookie(user).tap { |a| a.last << add_to_token }
cookies['remember_user_token'] = generate_signed_cookie(raw_cookie)
user
end
def create_admin_and_remember
admin = create_admin
admin.remember_me!
raw_cookie = Admin.serialize_into_cookie(admin)
cookies['remember_admin_token'] = generate_signed_cookie(raw_cookie)
admin
end
def generate_signed_cookie(raw_cookie)
request = ActionDispatch::TestRequest.new
request.cookie_jar.signed['raw_cookie'] = raw_cookie
request.cookie_jar['raw_cookie']
end
def signed_cookie(key)
controller.send(:cookies).signed[key]
end
def cookie_expires(key)
cookie = response.headers["Set-Cookie"].split("\n").grep(/^#{key}/).first
expires = cookie.split(";").map(&:strip).grep(/^expires=/).first
Time.parse(expires).utc
end
test 'do not remember the user if he has not checked remember me option' do
user = sign_in_as_user
assert_nil request.cookies["remember_user_cookie"]
end
test 'generate remember token after sign in' do
user = sign_in_as_user :remember_me => true
assert request.cookies["remember_user_token"]
end
test 'generate remember token after sign in setting cookie options' do
# We test this by asserting the cookie is not sent after the redirect
# since we changed the domain. This is the only difference with the
# previous test.
swap Devise, :cookie_options => { :domain => "omg.somewhere.com" } do
user = sign_in_as_user :remember_me => true
assert_nil request.cookies["remember_user_token"]
end
end
test 'generate remember token after sign in setting session options' do
begin
Rails.configuration.session_options[:domain] = "omg.somewhere.com"
user = sign_in_as_user :remember_me => true
assert_nil request.cookies["remember_user_token"]
ensure
Rails.configuration.session_options.delete(:domain)
end
end
test 'remember the user before sign in' do
user = create_user_and_remember
get users_path
assert_response :success
assert warden.authenticated?(:user)
assert warden.user(:user) == user
assert_match /remember_user_token[^\n]*HttpOnly\n/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
end
test 'cookies are destroyed on unverified requests' do
swap ApplicationController, :allow_forgery_protection => true do
user = create_user_and_remember
get users_path
assert warden.authenticated?(:user)
post root_path, :authenticity_token => 'INVALID'
assert_not warden.authenticated?(:user)
end
end
test 'does not extend remember period through sign in' do
swap Devise, :extend_remember_period => true, :remember_for => 1.year do
user = create_user
user.remember_me!
user.remember_created_at = old = 10.days.ago
user.save
sign_in_as_user :remember_me => true
user.reload
assert warden.user(:user) == user
assert_equal old.to_i, user.remember_created_at.to_i
end
end
test 'if both extend_remember_period and remember_across_browsers are true, sends the same token with a new expire date' do
swap Devise, :remember_across_browsers => true, :extend_remember_period => true, :remember_for => 1.year do
admin = create_admin_and_remember
token = admin.remember_token
admin.remember_created_at = old = 10.minutes.ago
admin.save!
get root_path
assert (cookie_expires("remember_admin_token") - 1.year) > (old + 5.minutes)
assert_equal token, signed_cookie("remember_admin_token").last
end
end
test 'if both extend_remember_period and remember_across_browsers are false, sends a new token with old expire date' do
swap Devise, :remember_across_browsers => false, :extend_remember_period => false, :remember_for => 1.year do
admin = create_admin_and_remember
token = admin.remember_token
admin.remember_created_at = old = 10.minutes.ago
admin.save!
get root_path
assert (cookie_expires("remember_admin_token") - 1.year) < (old + 5.minutes)
assert_not_equal token, signed_cookie("remember_admin_token").last
end
end
test 'do not remember other scopes' do
user = create_user_and_remember
get root_path
assert_response :success
assert warden.authenticated?(:user)
assert_not warden.authenticated?(:admin)
end
test 'do not remember with invalid token' do
user = create_user_and_remember('add')
get users_path
assert_not warden.authenticated?(:user)
assert_redirected_to new_user_session_path
end
test 'do not remember with expired token' do
user = create_user_and_remember
swap Devise, :remember_for => 0 do
get users_path
assert_not warden.authenticated?(:user)
assert_redirected_to new_user_session_path
end
end
test 'do not remember the user anymore after forget' do
user = create_user_and_remember
get users_path
assert warden.authenticated?(:user)
get destroy_user_session_path
assert_not warden.authenticated?(:user)
assert_nil warden.cookies['remember_user_token']
get users_path
assert_not warden.authenticated?(:user)
end
test 'do not remember the admin anymore after forget' do
admin = create_admin_and_remember
get root_path
assert warden.authenticated?(:admin)
get destroy_admin_session_path
assert_not warden.authenticated?(:admin)
assert_nil admin.reload.remember_token
assert_nil warden.cookies['remember_admin_token']
get root_path
assert_not warden.authenticated?(:admin)
end
test 'changing user password expires remember me token' do
user = create_user_and_remember
user.password = "another_password"
user.password_confirmation = "another_password"
user.save!
get users_path
assert_not warden.authenticated?(:user)
end
end