2013-02-05 14:16:51 -05:00
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
describe SessionController do
|
|
|
|
|
2014-02-24 22:30:49 -05:00
|
|
|
describe '.sso_login' do
|
|
|
|
|
|
|
|
before do
|
|
|
|
@sso_url = "http://somesite.com/discourse_sso"
|
|
|
|
@sso_secret = "shjkfdhsfkjh"
|
|
|
|
|
|
|
|
SiteSetting.stubs("enable_sso").returns(true)
|
|
|
|
SiteSetting.stubs("sso_url").returns(@sso_url)
|
|
|
|
SiteSetting.stubs("sso_secret").returns(@sso_secret)
|
|
|
|
end
|
|
|
|
|
2014-02-25 17:58:30 -05:00
|
|
|
def get_sso(return_path)
|
2014-02-24 22:30:49 -05:00
|
|
|
nonce = SecureRandom.hex
|
|
|
|
dso = DiscourseSingleSignOn.new
|
|
|
|
dso.nonce = nonce
|
2014-02-25 17:58:30 -05:00
|
|
|
dso.register_nonce(return_path)
|
2014-02-24 22:30:49 -05:00
|
|
|
|
|
|
|
sso = SingleSignOn.new
|
|
|
|
sso.nonce = nonce
|
|
|
|
sso.sso_secret = @sso_secret
|
|
|
|
sso
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'can take over an account' do
|
2014-02-25 17:58:30 -05:00
|
|
|
sso = get_sso("/")
|
2014-02-24 22:30:49 -05:00
|
|
|
user = Fabricate(:user)
|
|
|
|
sso.email = user.email
|
|
|
|
sso.external_id = "abc"
|
|
|
|
|
|
|
|
get :sso_login, Rack::Utils.parse_query(sso.payload)
|
|
|
|
|
|
|
|
response.should redirect_to('/')
|
|
|
|
logged_on_user = Discourse.current_user_provider.new(request.env).current_user
|
|
|
|
logged_on_user.email.should == user.email
|
|
|
|
|
|
|
|
logged_on_user.single_sign_on_record.external_id.should == "abc"
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows you to create an account' do
|
2014-02-25 17:58:30 -05:00
|
|
|
sso = get_sso('/a/')
|
2014-02-24 22:30:49 -05:00
|
|
|
sso.external_id = '666' # the number of the beast
|
|
|
|
sso.email = 'bob@bob.com'
|
|
|
|
sso.name = 'Sam Saffron'
|
|
|
|
sso.username = 'sam'
|
|
|
|
|
|
|
|
get :sso_login, Rack::Utils.parse_query(sso.payload)
|
2014-02-25 17:58:30 -05:00
|
|
|
response.should redirect_to('/a/')
|
2014-02-24 22:30:49 -05:00
|
|
|
|
|
|
|
logged_on_user = Discourse.current_user_provider.new(request.env).current_user
|
|
|
|
|
|
|
|
logged_on_user.email.should == 'bob@bob.com'
|
|
|
|
logged_on_user.name.should == 'Sam Saffron'
|
|
|
|
logged_on_user.username.should == 'sam'
|
|
|
|
|
|
|
|
logged_on_user.single_sign_on_record.external_id.should == "666"
|
2014-02-25 18:28:03 -05:00
|
|
|
logged_on_user.active.should == true
|
2014-02-24 22:30:49 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'allows login to existing account with valid nonce' do
|
|
|
|
|
2014-02-25 17:58:30 -05:00
|
|
|
sso = get_sso('/hello/world')
|
2014-02-24 22:30:49 -05:00
|
|
|
sso.external_id = '997'
|
|
|
|
|
|
|
|
user = Fabricate(:user)
|
|
|
|
user.create_single_sign_on_record(external_id: '997', last_payload: '')
|
|
|
|
|
|
|
|
get :sso_login, Rack::Utils.parse_query(sso.payload)
|
|
|
|
|
|
|
|
user.single_sign_on_record.reload
|
|
|
|
user.single_sign_on_record.last_payload.should == sso.unsigned_payload
|
|
|
|
|
|
|
|
response.should redirect_to('/hello/world')
|
|
|
|
logged_on_user = Discourse.current_user_provider.new(request.env).current_user
|
|
|
|
|
|
|
|
user.id.should == logged_on_user.id
|
|
|
|
|
|
|
|
# nonce is bad now
|
|
|
|
get :sso_login, Rack::Utils.parse_query(sso.payload)
|
|
|
|
response.code.should == '500'
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-05 14:16:51 -05:00
|
|
|
describe '.create' do
|
|
|
|
|
|
|
|
let(:user) { Fabricate(:user) }
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
context 'when email is confirmed' do
|
2013-02-05 14:16:51 -05:00
|
|
|
before do
|
2013-02-11 11:18:26 -05:00
|
|
|
token = user.email_tokens.where(email: user.email).first
|
|
|
|
EmailToken.confirm(token.token)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it "raises an error when the login isn't present" do
|
2013-07-23 23:02:42 -04:00
|
|
|
lambda { xhr :post, :create }.should raise_error(ActionController::ParameterMissing)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
describe 'invalid password' do
|
|
|
|
it "should return an error with an invalid password" do
|
|
|
|
xhr :post, :create, login: user.username, password: 'sssss'
|
|
|
|
::JSON.parse(response.body)['error'].should be_present
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-11-07 13:53:32 -05:00
|
|
|
describe 'suspended user' do
|
2013-06-27 15:14:42 -04:00
|
|
|
it 'should return an error' do
|
2013-11-07 13:53:32 -05:00
|
|
|
User.any_instance.stubs(:suspended?).returns(true)
|
|
|
|
User.any_instance.stubs(:suspended_till).returns(2.days.from_now)
|
2013-06-27 15:14:42 -04:00
|
|
|
xhr :post, :create, login: user.username, password: 'myawesomepassword'
|
|
|
|
::JSON.parse(response.body)['error'].should be_present
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
describe 'success by username' do
|
|
|
|
before do
|
|
|
|
xhr :post, :create, login: user.username, password: 'myawesomepassword'
|
|
|
|
user.reload
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it 'sets a session id' do
|
|
|
|
session[:current_user_id].should == user.id
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it 'gives the user an auth token' do
|
|
|
|
user.auth_token.should be_present
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it 'sets a cookie with the auth token' do
|
2013-02-23 13:40:21 -05:00
|
|
|
cookies[:_t].should == user.auth_token
|
2013-02-11 11:18:26 -05:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
describe 'strips leading @ symbol' do
|
|
|
|
before do
|
|
|
|
xhr :post, :create, login: "@" + user.username, password: 'myawesomepassword'
|
|
|
|
user.reload
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it 'sets a session id' do
|
|
|
|
session[:current_user_id].should == user.id
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
describe 'also allow login by email' do
|
2013-02-05 14:16:51 -05:00
|
|
|
before do
|
|
|
|
xhr :post, :create, login: user.email, password: 'myawesomepassword'
|
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
it 'sets a session id' do
|
|
|
|
session[:current_user_id].should == user.id
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-07-23 23:02:42 -04:00
|
|
|
context 'login has leading and trailing space' do
|
|
|
|
let(:username) { " #{user.username} " }
|
|
|
|
let(:email) { " #{user.email} " }
|
|
|
|
|
|
|
|
it "strips spaces from the username" do
|
|
|
|
xhr :post, :create, login: username, password: 'myawesomepassword'
|
|
|
|
::JSON.parse(response.body)['error'].should_not be_present
|
|
|
|
end
|
|
|
|
|
|
|
|
it "strips spaces from the email" do
|
|
|
|
xhr :post, :create, login: email, password: 'myawesomepassword'
|
|
|
|
::JSON.parse(response.body)['error'].should_not be_present
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
describe "when the site requires approval of users" do
|
|
|
|
before do
|
|
|
|
SiteSetting.expects(:must_approve_users?).returns(true)
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'with an unapproved user' do
|
|
|
|
before do
|
|
|
|
xhr :post, :create, login: user.email, password: 'myawesomepassword'
|
|
|
|
end
|
|
|
|
|
|
|
|
it "doesn't log in the user" do
|
|
|
|
session[:current_user_id].should be_blank
|
|
|
|
end
|
2013-06-05 21:21:19 -04:00
|
|
|
|
|
|
|
it "shows the 'not approved' error message" do
|
|
|
|
expect(JSON.parse(response.body)['error']).to eq(
|
|
|
|
I18n.t('login.not_approved')
|
|
|
|
)
|
|
|
|
end
|
2013-02-11 11:18:26 -05:00
|
|
|
end
|
2013-08-06 16:51:29 -04:00
|
|
|
|
|
|
|
context "with an unapproved user who is an admin" do
|
|
|
|
before do
|
|
|
|
User.any_instance.stubs(:admin?).returns(true)
|
|
|
|
xhr :post, :create, login: user.email, password: 'myawesomepassword'
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'sets a session id' do
|
|
|
|
session[:current_user_id].should == user.id
|
|
|
|
end
|
|
|
|
end
|
2013-02-11 11:18:26 -05:00
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-11 11:18:26 -05:00
|
|
|
context 'when email has not been confirmed' do
|
2013-06-05 21:21:19 -04:00
|
|
|
def post_login
|
2013-02-11 11:18:26 -05:00
|
|
|
xhr :post, :create, login: user.email, password: 'myawesomepassword'
|
|
|
|
end
|
|
|
|
|
|
|
|
it "doesn't log in the user" do
|
2013-06-05 21:21:19 -04:00
|
|
|
post_login
|
2013-02-11 11:18:26 -05:00
|
|
|
session[:current_user_id].should be_blank
|
|
|
|
end
|
|
|
|
|
2013-06-05 21:21:19 -04:00
|
|
|
it "shows the 'not activated' error message" do
|
|
|
|
post_login
|
|
|
|
expect(JSON.parse(response.body)['error']).to eq(
|
|
|
|
I18n.t 'login.not_activated'
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
context "and the 'must approve users' site setting is enabled" do
|
|
|
|
before { SiteSetting.expects(:must_approve_users?).returns(true) }
|
|
|
|
|
|
|
|
it "shows the 'not approved' error message" do
|
|
|
|
post_login
|
|
|
|
expect(JSON.parse(response.body)['error']).to eq(
|
|
|
|
I18n.t 'login.not_approved'
|
|
|
|
)
|
|
|
|
end
|
2013-02-11 11:18:26 -05:00
|
|
|
end
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
describe '.destroy' do
|
|
|
|
before do
|
|
|
|
@user = log_in
|
|
|
|
xhr :delete, :destroy, id: @user.username
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'removes the session variable' do
|
|
|
|
session[:current_user_id].should be_blank
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
it 'removes the auth token cookie' do
|
|
|
|
cookies[:_t].should be_blank
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '.forgot_password' do
|
|
|
|
|
|
|
|
it 'raises an error without a username parameter' do
|
2013-06-06 03:14:32 -04:00
|
|
|
lambda { xhr :post, :forgot_password }.should raise_error(ActionController::ParameterMissing)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
context 'for a non existant username' do
|
2013-02-25 11:42:20 -05:00
|
|
|
it "doesn't generate a new token for a made up username" do
|
2013-04-14 20:20:33 -04:00
|
|
|
lambda { xhr :post, :forgot_password, login: 'made_up'}.should_not change(EmailToken, :count)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-25 11:42:20 -05:00
|
|
|
it "doesn't enqueue an email" do
|
2013-02-05 14:16:51 -05:00
|
|
|
Jobs.expects(:enqueue).with(:user_mail, anything).never
|
2013-04-14 20:20:33 -04:00
|
|
|
xhr :post, :forgot_password, login: 'made_up'
|
2013-02-25 11:42:20 -05:00
|
|
|
end
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
context 'for an existing username' do
|
|
|
|
let(:user) { Fabricate(:user) }
|
|
|
|
|
2013-02-25 11:42:20 -05:00
|
|
|
it "generates a new token for a made up username" do
|
2013-04-14 20:20:33 -04:00
|
|
|
lambda { xhr :post, :forgot_password, login: user.username}.should change(EmailToken, :count)
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|
|
|
|
|
2013-02-25 11:42:20 -05:00
|
|
|
it "enqueues an email" do
|
2013-02-05 14:16:51 -05:00
|
|
|
Jobs.expects(:enqueue).with(:user_email, has_entries(type: :forgot_password, user_id: user.id))
|
2013-04-14 20:20:33 -04:00
|
|
|
xhr :post, :forgot_password, login: user.username
|
2013-02-25 11:42:20 -05:00
|
|
|
end
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
|
|
|
|
end
|
|
|
|
|
2014-02-05 13:46:24 -05:00
|
|
|
describe '.current' do
|
|
|
|
context "when not logged in" do
|
|
|
|
it "retuns 404" do
|
|
|
|
xhr :get, :current
|
|
|
|
response.should_not be_success
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context "when logged in" do
|
|
|
|
let!(:user) { log_in }
|
|
|
|
|
|
|
|
it "returns the JSON for the user" do
|
|
|
|
xhr :get, :current
|
|
|
|
response.should be_success
|
|
|
|
json = ::JSON.parse(response.body)
|
|
|
|
json['current_user'].should be_present
|
|
|
|
json['current_user']['id'].should == user.id
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2013-02-05 14:16:51 -05:00
|
|
|
end
|