gitlab-org--gitlab-foss/spec/requests/api/session_spec.rb

require 'spec_helper'

describe API::Session, api: true  do
  include ApiHelpers

  let(:user) { create(:user) }

  describe "POST /session" do
    context "when valid password" do
      it "returns private token" do
        post api("/session"), email: user.email, password: '12345678'
        expect(response).to have_http_status(201)

        expect(json_response['email']).to eq(user.email)
        expect(json_response['private_token']).to eq(user.private_token)
        expect(json_response['is_admin']).to eq(user.admin?)
        expect(json_response['can_create_project']).to eq(user.can_create_project?)
        expect(json_response['can_create_group']).to eq(user.can_create_group?)
      end

      context 'with 2FA enabled' do
        it 'rejects sign in attempts' do
          user = create(:user, :two_factor)

          post api('/session'), email: user.email, password: user.password

          expect(response).to have_http_status(401)
          expect(response.body).to include('You have 2FA enabled.')
        end
      end
    end

    context 'when email has case-typo and password is valid' do
      it 'returns private token' do
        post api('/session'), email: user.email.upcase, password: '12345678'
        expect(response.status).to eq 201

        expect(json_response['email']).to eq user.email
        expect(json_response['private_token']).to eq user.private_token
        expect(json_response['is_admin']).to eq user.admin?
        expect(json_response['can_create_project']).to eq user.can_create_project?
        expect(json_response['can_create_group']).to eq user.can_create_group?
      end
    end

    context 'when login has case-typo and password is valid' do
      it 'returns private token' do
        post api('/session'), login: user.username.upcase, password: '12345678'
        expect(response.status).to eq 201

        expect(json_response['email']).to eq user.email
        expect(json_response['private_token']).to eq user.private_token
        expect(json_response['is_admin']).to eq user.admin?
        expect(json_response['can_create_project']).to eq user.can_create_project?
        expect(json_response['can_create_group']).to eq user.can_create_group?
      end
    end

    context "when invalid password" do
      it "returns authentication error" do
        post api("/session"), email: user.email, password: '123'
        expect(response).to have_http_status(401)

        expect(json_response['email']).to be_nil
        expect(json_response['private_token']).to be_nil
      end
    end

    context "when empty password" do
      it "returns authentication error with email" do
        post api("/session"), email: user.email

        expect(response).to have_http_status(400)
      end

      it "returns authentication error with username" do
        post api("/session"), email: user.username

        expect(response).to have_http_status(400)
      end
    end

    context "when empty name" do
      it "returns authentication error" do
        post api("/session"), password: user.password

        expect(response).to have_http_status(400)
      end
    end

    context "when user is blocked" do
      it "returns authentication error" do
        user.block
        post api("/session"), email: user.username, password: user.password

        expect(response).to have_http_status(401)
      end
    end

    context "when user is ldap_blocked" do
      it "returns authentication error" do
        user.ldap_block
        post api("/session"), email: user.username, password: user.password

        expect(response).to have_http_status(401)
      end
    end
  end
end
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`require 'spec_helper'`

Changed API spec files to describe the correct class Restore changes for api spec files Fix error in rspec Users Delete extra space Repositories-spec 2016-11-23 15:14:08 -05:00			`describe API::Session, api: true do`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`include ApiHelpers`

Remove backward compatibility of factories. 2012-11-05 22:31:55 -05:00			`let(:user) { create(:user) }`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00
			`describe "POST /session" do`
			`context "when valid password" do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "returns private token" do`
Fix session spec because of password length Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2013-11-25 15:33:04 -05:00			`post api("/session"), email: user.email, password: '12345678'`
Use HTTP matchers if possible 2016-06-27 14:10:42 -04:00			`expect(response).to have_http_status(201)`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 13:17:35 -05:00			`expect(json_response['email']).to eq(user.email)`
			`expect(json_response['private_token']).to eq(user.private_token)`
Remove the User#is_admin? method 2017-04-08 22:20:57 -04:00			`expect(json_response['is_admin']).to eq(user.admin?)`
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 13:17:35 -05:00			`expect(json_response['can_create_project']).to eq(user.can_create_project?)`
			`expect(json_response['can_create_group']).to eq(user.can_create_group?)`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`
Added checks for 2FA to the API `/sessions` endpoint and the Resource Owner Password Credentials flow. 2016-08-12 17:16:12 -04:00
			`context 'with 2FA enabled' do`
			`it 'rejects sign in attempts' do`
			`user = create(:user, :two_factor)`

			`post api('/session'), email: user.email, password: user.password`

			`expect(response).to have_http_status(401)`
Small refactor and syntax fixes. 2016-08-17 18:39:20 -04:00			`expect(response.body).to include('You have 2FA enabled.')`
Added checks for 2FA to the API `/sessions` endpoint and the Resource Owner Password Credentials flow. 2016-08-12 17:16:12 -04:00			`end`
			`end`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`

Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`context 'when email has case-typo and password is valid' do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it 'returns private token' do`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`post api('/session'), email: user.email.upcase, password: '12345678'`
			`expect(response.status).to eq 201`

			`expect(json_response['email']).to eq user.email`
			`expect(json_response['private_token']).to eq user.private_token`
Remove the User#is_admin? method 2017-04-08 22:20:57 -04:00			`expect(json_response['is_admin']).to eq user.admin?`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`expect(json_response['can_create_project']).to eq user.can_create_project?`
			`expect(json_response['can_create_group']).to eq user.can_create_group?`
			`end`
			`end`

			`context 'when login has case-typo and password is valid' do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it 'returns private token' do`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`post api('/session'), login: user.username.upcase, password: '12345678'`
			`expect(response.status).to eq 201`

			`expect(json_response['email']).to eq user.email`
			`expect(json_response['private_token']).to eq user.private_token`
Remove the User#is_admin? method 2017-04-08 22:20:57 -04:00			`expect(json_response['is_admin']).to eq user.admin?`
Session API: Use case-insensitive authentication like in UI 2014-10-22 11:29:26 -04:00			`expect(json_response['can_create_project']).to eq user.can_create_project?`
			`expect(json_response['can_create_group']).to eq user.can_create_group?`
			`end`
			`end`

I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`context "when invalid password" do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "returns authentication error" do`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`post api("/session"), email: user.email, password: '123'`
Use HTTP matchers if possible 2016-06-27 14:10:42 -04:00			`expect(response).to have_http_status(401)`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00
Updated rspec to rspec 3.x syntax Signed-off-by: Jeroen van Baarsen <jeroenvanbaarsen@gmail.com> 2015-02-12 13:17:35 -05:00			`expect(json_response['email']).to be_nil`
			`expect(json_response['private_token']).to be_nil`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`
			`end`

			`context "when empty password" do`
Grapify the session API 2016-11-09 11:36:35 -05:00			`it "returns authentication error with email" do`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`post api("/session"), email: user.email`

Grapify the session API 2016-11-09 11:36:35 -05:00			`expect(response).to have_http_status(400)`
			`end`

			`it "returns authentication error with username" do`
			`post api("/session"), email: user.username`

			`expect(response).to have_http_status(400)`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`
			`end`
API: session documentation updated and test added 2013-02-27 06:58:06 -05:00
			`context "when empty name" do`
adds second batch of tests changed to active tense 2016-08-01 11:00:44 -04:00			`it "returns authentication error" do`
API: session documentation updated and test added 2013-02-27 06:58:06 -05:00			`post api("/session"), password: user.password`

Grapify the session API 2016-11-09 11:36:35 -05:00			`expect(response).to have_http_status(400)`
API: session documentation updated and test added 2013-02-27 06:58:06 -05:00			`end`
			`end`
Don't allow blocked users to authenticate through other means Gitlab::Auth.find_with_user_password is currently used in these places: - resource_owner_from_credentials in config/initializers/doorkeeper.rb, which is used for the OAuth Resource Owner Password Credentials flow - the /session API call in lib/api/session.rb, which is used to reveal the user's current authentication_token In both cases users should only be authenticated if they're in the active state. 2017-01-18 05:23:25 -05:00
			`context "when user is blocked" do`
			`it "returns authentication error" do`
			`user.block`
			`post api("/session"), email: user.username, password: user.password`

			`expect(response).to have_http_status(401)`
			`end`
			`end`

			`context "when user is ldap_blocked" do`
			`it "returns authentication error" do`
			`user.ldap_block`
			`post api("/session"), email: user.username, password: user.password`

			`expect(response).to have_http_status(401)`
			`end`
			`end`
I want be able to get token via api. Used for mobile applications 2012-09-20 10:44:44 -04:00			`end`
			`end`