rails--rails/actionpack/test/controller/http_token_authentication_t...

require 'abstract_unit'

class HttpTokenAuthenticationTest < ActionController::TestCase
  class DummyController < ActionController::Base
    before_action :authenticate, only: :index
    before_action :authenticate_with_request, only: :display
    before_action :authenticate_long_credentials, only: :show

    def index
      render :text => "Hello Secret"
    end

    def display
      render :text => 'Definitely Maybe'
    end

    def show
      render :text => 'Only for loooooong credentials'
    end

    private

    def authenticate
      authenticate_or_request_with_http_token do |token, options|
        token == 'lifo'
      end
    end

    def authenticate_with_request
      if authenticate_with_http_token { |token, options| token == '"quote" pretty' && options[:algorithm] == 'test' }
        @logged_in = true
      else
        request_http_token_authentication("SuperSecret")
      end
    end

    def authenticate_long_credentials
      authenticate_or_request_with_http_token do |token, options|
        token == '1234567890123456789012345678901234567890' && options[:algorithm] == 'test'
      end
    end
  end

  AUTH_HEADERS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION', 'REDIRECT_X_HTTP_AUTHORIZATION']

  tests DummyController

  AUTH_HEADERS.each do |header|
    test "successful authentication with #{header.downcase}" do
      @request.env[header] = encode_credentials('lifo')
      get :index

      assert_response :success
      assert_equal 'Hello Secret', @response.body, "Authentication failed for request header #{header}"
    end
    test "successful authentication with #{header.downcase} and long credentials" do
      @request.env[header] = encode_credentials('1234567890123456789012345678901234567890', :algorithm => 'test')
      get :show

      assert_response :success
      assert_equal 'Only for loooooong credentials', @response.body, "Authentication failed for request header #{header} and long credentials"
    end
  end

  AUTH_HEADERS.each do |header|
    test "unsuccessful authentication with #{header.downcase}" do
      @request.env[header] = encode_credentials('h4x0r')
      get :index

      assert_response :unauthorized
      assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header}"
    end
    test "unsuccessful authentication with #{header.downcase} and long credentials" do
      @request.env[header] = encode_credentials('h4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0r')
      get :show

      assert_response :unauthorized
      assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header} and long credentials"
    end
  end

  test "authentication request with badly formatted header" do
    @request.env['HTTP_AUTHORIZATION'] = "Token foobar"
    get :index

    assert_response :unauthorized
    assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"
  end

  test "authentication request without credential" do
    get :display

    assert_response :unauthorized
    assert_equal "HTTP Token: Access denied.\n", @response.body
    assert_equal 'Token realm="SuperSecret"', @response.headers['WWW-Authenticate']
  end

  test "authentication request with invalid credential" do
    @request.env['HTTP_AUTHORIZATION'] = encode_credentials('"quote" pretty')
    get :display

    assert_response :unauthorized
    assert_equal "HTTP Token: Access denied.\n", @response.body
    assert_equal 'Token realm="SuperSecret"', @response.headers['WWW-Authenticate']
  end

  test "token_and_options returns correct token" do
    token = "rcHu+HzSFw89Ypyhn/896A=="
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token" do
    token = 'rcHu+=HzSFw89Ypyhn/896A==f34'
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token" do
    token = 'rcHu+\\\\"/896A'
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  test "token_and_options returns correct token" do
    token = '\"quote\" pretty'
    actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first
    expected = token
    assert_equal(expected, actual)
  end

  private

  def sample_request(token)
    @sample_request ||= OpenStruct.new authorization: %{Token token="#{token}"}
  end

  def encode_credentials(token, options = {})
    ActionController::HttpAuthentication::Token.encode_credentials(token, options)
  end
end
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`require 'abstract_unit'`

			`class HttpTokenAuthenticationTest < ActionController::TestCase`
			`class DummyController < ActionController::Base`
update documentation and code to use _action callbacks 2012-12-07 19:46:06 +00:00			`before_action :authenticate, only: :index`
			`before_action :authenticate_with_request, only: :display`
			`before_action :authenticate_long_credentials, only: :show`
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00
			`def index`
			`render :text => "Hello Secret"`
			`end`

			`def display`
			`render :text => 'Definitely Maybe'`
			`end`
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 05:13:00 +00:00
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`def show`
			`render :text => 'Only for loooooong credentials'`
			`end`

			`private`

			`def authenticate`
			`authenticate_or_request_with_http_token do \|token, options\|`
			`token == 'lifo'`
			`end`
			`end`

			`def authenticate_with_request`
			`if authenticate_with_http_token { \|token, options\| token == '"quote" pretty' && options[:algorithm] == 'test' }`
			`@logged_in = true`
			`else`
			`request_http_token_authentication("SuperSecret")`
			`end`
			`end`
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 05:13:00 +00:00
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`def authenticate_long_credentials`
			`authenticate_or_request_with_http_token do \|token, options\|`
			`token == '1234567890123456789012345678901234567890' && options[:algorithm] == 'test'`
			`end`
			`end`
			`end`

			`AUTH_HEADERS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION', 'REDIRECT_X_HTTP_AUTHORIZATION']`

			`tests DummyController`

			`AUTH_HEADERS.each do \|header\|`
			`test "successful authentication with #{header.downcase}" do`
			`@request.env[header] = encode_credentials('lifo')`
			`get :index`

			`assert_response :success`
			`assert_equal 'Hello Secret', @response.body, "Authentication failed for request header #{header}"`
			`end`
			`test "successful authentication with #{header.downcase} and long credentials" do`
			`@request.env[header] = encode_credentials('1234567890123456789012345678901234567890', :algorithm => 'test')`
			`get :show`
Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 05:13:00 +00:00
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`assert_response :success`
			`assert_equal 'Only for loooooong credentials', @response.body, "Authentication failed for request header #{header} and long credentials"`
			`end`
			`end`

			`AUTH_HEADERS.each do \|header\|`
			`test "unsuccessful authentication with #{header.downcase}" do`
			`@request.env[header] = encode_credentials('h4x0r')`
			`get :index`

			`assert_response :unauthorized`
			`assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header}"`
			`end`
			`test "unsuccessful authentication with #{header.downcase} and long credentials" do`
			`@request.env[header] = encode_credentials('h4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0rh4x0r')`
			`get :show`

			`assert_response :unauthorized`
			`assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication didn't fail for request header #{header} and long credentials"`
			`end`
			`end`

Don't raise an error if http auth token isn't well formatted When someone sends malformed authorization header, like: Authorization: Token foobar given token should be just ignored and resource should not be authorized, instead of raising error. Before this patch controller would return 401 header only for well formed tokens, like: Authorization: Token token=foobar and would return 500 in former case. 2012-07-10 23:56:38 +00:00			`test "authentication request with badly formatted header" do`
Fix indentation. 2012-07-11 00:07:25 +00:00			`@request.env['HTTP_AUTHORIZATION'] = "Token foobar"`
			`get :index`
Don't raise an error if http auth token isn't well formatted When someone sends malformed authorization header, like: Authorization: Token foobar given token should be just ignored and resource should not be authorized, instead of raising error. Before this patch controller would return 401 header only for well formed tokens, like: Authorization: Token token=foobar and would return 500 in former case. 2012-07-10 23:56:38 +00:00
Fix indentation. 2012-07-11 00:07:25 +00:00			`assert_response :unauthorized`
			`assert_equal "HTTP Token: Access denied.\n", @response.body, "Authentication header was not properly parsed"`
Don't raise an error if http auth token isn't well formatted When someone sends malformed authorization header, like: Authorization: Token foobar given token should be just ignored and resource should not be authorized, instead of raising error. Before this patch controller would return 401 header only for well formed tokens, like: Authorization: Token token=foobar and would return 500 in former case. 2012-07-10 23:56:38 +00:00			`end`

add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`test "authentication request without credential" do`
			`get :display`

			`assert_response :unauthorized`
			`assert_equal "HTTP Token: Access denied.\n", @response.body`
			`assert_equal 'Token realm="SuperSecret"', @response.headers['WWW-Authenticate']`
			`end`

			`test "authentication request with invalid credential" do`
			`@request.env['HTTP_AUTHORIZATION'] = encode_credentials('"quote" pretty')`
			`get :display`

			`assert_response :unauthorized`
			`assert_equal "HTTP Token: Access denied.\n", @response.body`
			`assert_equal 'Token realm="SuperSecret"', @response.headers['WWW-Authenticate']`
			`end`

Refactoring the token_and_options method to fix bugs Adding a test for the equal trun bug Adding a test for the after equal trunc bug Adding a test for the slash bug Adding a test for the slash quote bug Adding a helper method for creating a sample request object with token Writing a method to create params array from raw params Writing a method to rewrite param values in the params Writing a method to get the token params from an authorization value Refactoring the token_and_options method to fix bugs Removing unnessecary test A constant for this shared regex seemed appropriate Wanting to split up this logic Adding small documentation pieces 2012-10-07 22:36:01 +00:00			`test "token_and_options returns correct token" do`
			`token = "rcHu+HzSFw89Ypyhn/896A=="`
			`actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first`
			`expected = token`
			`assert_equal(expected, actual)`
			`end`

			`test "token_and_options returns correct token" do`
			`token = 'rcHu+=HzSFw89Ypyhn/896A==f34'`
			`actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first`
			`expected = token`
			`assert_equal(expected, actual)`
			`end`
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00
Refactoring the token_and_options method to fix bugs Adding a test for the equal trun bug Adding a test for the after equal trunc bug Adding a test for the slash bug Adding a test for the slash quote bug Adding a helper method for creating a sample request object with token Writing a method to create params array from raw params Writing a method to rewrite param values in the params Writing a method to get the token params from an authorization value Refactoring the token_and_options method to fix bugs Removing unnessecary test A constant for this shared regex seemed appropriate Wanting to split up this logic Adding small documentation pieces 2012-10-07 22:36:01 +00:00			`test "token_and_options returns correct token" do`
			`token = 'rcHu+\\\\"/896A'`
			`actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first`
			`expected = token`
			`assert_equal(expected, actual)`
			`end`

			`test "token_and_options returns correct token" do`
			`token = '\"quote\" pretty'`
			`actual = ActionController::HttpAuthentication::Token.token_and_options(sample_request(token)).first`
			`expected = token`
			`assert_equal(expected, actual)`
add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`end`

			`private`

Refactoring the token_and_options method to fix bugs Adding a test for the equal trun bug Adding a test for the after equal trunc bug Adding a test for the slash bug Adding a test for the slash quote bug Adding a helper method for creating a sample request object with token Writing a method to create params array from raw params Writing a method to rewrite param values in the params Writing a method to get the token params from an authorization value Refactoring the token_and_options method to fix bugs Removing unnessecary test A constant for this shared regex seemed appropriate Wanting to split up this logic Adding small documentation pieces 2012-10-07 22:36:01 +00:00			`def sample_request(token)`
			`@sample_request \|\|= OpenStruct.new authorization: %{Token token="#{token}"}`
			`end`

add HTTP Token Authorization support to complement Basic and Digest Authorization. 2010-04-30 14:46:30 +00:00			`def encode_credentials(token, options = {})`
			`ActionController::HttpAuthentication::Token.encode_credentials(token, options)`
			`end`
			`end`