2015-10-11 10:41:23 +01:00
require 'rails_helper'
2013-02-05 14:16:51 -05:00
describe SessionController do
2014-10-07 12:25:25 -04:00
describe 'become' do
let! ( :user ) { Fabricate ( :user ) }
it " does not work when not in development mode " do
Rails . env . stubs ( :development? ) . returns ( false )
get :become , session_id : user . username
2015-01-09 14:04:02 -03:00
expect ( response ) . not_to be_redirect
expect ( session [ :current_user_id ] ) . to be_blank
2014-10-07 12:25:25 -04:00
end
it " works in developmenet mode " do
Rails . env . stubs ( :development? ) . returns ( true )
get :become , session_id : user . username
2015-01-09 14:04:02 -03:00
expect ( response ) . to be_redirect
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2014-10-07 12:25:25 -04:00
end
end
2014-02-25 14:30:49 +11:00
describe '.sso_login' do
before do
@sso_url = " http://somesite.com/discourse_sso "
@sso_secret = " shjkfdhsfkjh "
2015-01-22 12:20:17 -05:00
request . host = Discourse . current_hostname
2014-11-26 17:25:54 +11:00
SiteSetting . enable_sso = true
SiteSetting . sso_url = @sso_url
SiteSetting . sso_secret = @sso_secret
2014-02-26 10:52:11 +11:00
# We have 2 options, either fabricate an admin or don't
# send welcome messages
Fabricate ( :admin )
# skip for now
# SiteSetting.stubs("send_welcome_message").returns(false)
2014-02-25 14:30:49 +11:00
end
2014-02-26 09:58:30 +11:00
def get_sso ( return_path )
2014-02-25 14:30:49 +11:00
nonce = SecureRandom . hex
dso = DiscourseSingleSignOn . new
dso . nonce = nonce
2014-02-26 09:58:30 +11:00
dso . register_nonce ( return_path )
2014-02-25 14:30:49 +11:00
sso = SingleSignOn . new
sso . nonce = nonce
sso . sso_secret = @sso_secret
sso
end
it 'can take over an account' do
2014-02-26 09:58:30 +11:00
sso = get_sso ( " / " )
2014-02-25 14:30:49 +11:00
user = Fabricate ( :user )
sso . email = user . email
2014-02-27 16:48:46 -08:00
sso . external_id = 'abc'
sso . username = 'sam'
2014-02-25 14:30:49 +11:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
2015-01-09 14:04:02 -03:00
expect ( response ) . to redirect_to ( '/' )
2014-02-25 14:30:49 +11:00
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2015-01-09 14:04:02 -03:00
expect ( logged_on_user . email ) . to eq ( user . email )
expect ( logged_on_user . single_sign_on_record . external_id ) . to eq ( " abc " )
expect ( logged_on_user . single_sign_on_record . external_username ) . to eq ( 'sam' )
2014-02-25 14:30:49 +11:00
end
2015-02-25 15:59:11 -05:00
def sso_for_ip_specs
2015-02-23 15:58:45 -05:00
sso = get_sso ( '/a/' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
2015-02-25 15:59:11 -05:00
sso
end
2015-02-23 15:58:45 -05:00
2015-02-25 15:59:11 -05:00
it 'respects IP restrictions on create' do
2015-02-23 15:58:45 -05:00
screened_ip = Fabricate ( :screened_ip_address )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( screened_ip . ip_address )
2015-02-25 15:59:11 -05:00
sso = sso_for_ip_specs
2015-02-23 15:58:45 -05:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
expect ( logged_on_user ) . to eq ( nil )
end
2015-02-25 15:59:11 -05:00
it 'respects IP restrictions on login' do
sso = sso_for_ip_specs
2015-03-27 09:57:43 +11:00
_user = DiscourseSingleSignOn . parse ( sso . payload ) . lookup_or_create_user ( request . remote_ip )
2015-02-25 15:59:11 -05:00
sso = sso_for_ip_specs
screened_ip = Fabricate ( :screened_ip_address )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( screened_ip . ip_address )
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
expect ( logged_on_user ) . to be_blank
end
2015-02-23 17:14:54 -05:00
it 'respects email restrictions' do
sso = get_sso ( '/a/' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
ScreenedEmail . block ( 'bob@bob.com' )
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
expect ( logged_on_user ) . to eq ( nil )
end
2014-11-27 12:39:00 +11:00
it 'allows you to create an admin account' do
sso = get_sso ( '/a/' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
sso . custom_fields [ " shop_url " ] = " http://my_shop.com "
sso . custom_fields [ " shop_name " ] = " Sam "
sso . admin = true
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2015-01-09 14:04:02 -03:00
expect ( logged_on_user . admin ) . to eq ( true )
2015-01-22 12:20:17 -05:00
end
it 'redirects to a non-relative url' do
sso = get_sso ( " #{ Discourse . base_url } /b/ " )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
expect ( response ) . to redirect_to ( '/b/' )
end
it 'redirects to root if the host of the return_path is different' do
sso = get_sso ( '//eviltrout.com' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
2014-11-27 12:39:00 +11:00
2015-01-22 12:20:17 -05:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
expect ( response ) . to redirect_to ( '/' )
end
it 'redirects to root if the host of the return_path is different' do
sso = get_sso ( 'http://eviltrout.com' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
expect ( response ) . to redirect_to ( '/' )
2014-11-27 12:39:00 +11:00
end
2014-02-25 14:30:49 +11:00
it 'allows you to create an account' do
2014-02-26 09:58:30 +11:00
sso = get_sso ( '/a/' )
2014-02-25 14:30:49 +11:00
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
2014-04-22 13:52:13 +10:00
sso . custom_fields [ " shop_url " ] = " http://my_shop.com "
sso . custom_fields [ " shop_name " ] = " Sam "
2014-02-25 14:30:49 +11:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
2015-01-09 14:04:02 -03:00
expect ( response ) . to redirect_to ( '/a/' )
2014-02-25 14:30:49 +11:00
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2014-04-22 13:52:13 +10:00
# ensure nothing is transient
logged_on_user = User . find ( logged_on_user . id )
2015-01-09 14:04:02 -03:00
expect ( logged_on_user . admin ) . to eq ( false )
expect ( logged_on_user . email ) . to eq ( 'bob@bob.com' )
expect ( logged_on_user . name ) . to eq ( 'Sam Saffron' )
expect ( logged_on_user . username ) . to eq ( 'sam' )
expect ( logged_on_user . single_sign_on_record . external_id ) . to eq ( " 666 " )
expect ( logged_on_user . single_sign_on_record . external_username ) . to eq ( 'sam' )
expect ( logged_on_user . active ) . to eq ( true )
expect ( logged_on_user . custom_fields [ " shop_url " ] ) . to eq ( " http://my_shop.com " )
expect ( logged_on_user . custom_fields [ " shop_name " ] ) . to eq ( " Sam " )
expect ( logged_on_user . custom_fields [ " bla " ] ) . to eq ( nil )
2014-02-25 14:30:49 +11:00
end
2014-04-22 13:52:13 +10:00
2015-05-15 12:01:30 -05:00
context 'when sso emails are not trusted' do
context 'if you have not activated your account' do
it 'does not log you in' do
sso = get_sso ( '/a/' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
2015-05-19 11:16:02 -05:00
sso . require_activation = true
2015-05-15 12:01:30 -05:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
expect ( logged_on_user ) . to eq ( nil )
end
it 'sends an activation email' do
2016-04-07 14:38:43 +10:00
Jobs . expects ( :enqueue ) . with ( :critical_user_email , has_entries ( type : :signup ) )
2015-05-15 12:01:30 -05:00
sso = get_sso ( '/a/' )
sso . external_id = '666' # the number of the beast
sso . email = 'bob@bob.com'
sso . name = 'Sam Saffron'
sso . username = 'sam'
2015-05-19 11:16:02 -05:00
sso . require_activation = true
2015-05-15 12:01:30 -05:00
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
end
end
context 'if you have activated your account' do
it 'allows you to log in' do
sso = get_sso ( '/hello/world' )
sso . external_id = '997'
sso . sso_url = " http://somewhere.over.com/sso_login "
2015-05-19 11:16:02 -05:00
sso . require_activation = true
2015-05-15 12:01:30 -05:00
user = Fabricate ( :user )
user . create_single_sign_on_record ( external_id : '997' , last_payload : '' )
user . stubs ( :active? ) . returns ( true )
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
expect ( user . id ) . to eq ( logged_on_user . id )
end
end
end
2014-02-25 14:30:49 +11:00
it 'allows login to existing account with valid nonce' do
2014-02-26 09:58:30 +11:00
sso = get_sso ( '/hello/world' )
2014-02-25 14:30:49 +11:00
sso . external_id = '997'
2014-11-26 17:25:54 +11:00
sso . sso_url = " http://somewhere.over.com/sso_login "
2014-02-25 14:30:49 +11:00
user = Fabricate ( :user )
user . create_single_sign_on_record ( external_id : '997' , last_payload : '' )
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
user . single_sign_on_record . reload
2015-01-09 14:04:02 -03:00
expect ( user . single_sign_on_record . last_payload ) . to eq ( sso . unsigned_payload )
2014-02-25 14:30:49 +11:00
2015-01-09 14:04:02 -03:00
expect ( response ) . to redirect_to ( '/hello/world' )
2014-02-25 14:30:49 +11:00
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2015-01-09 14:04:02 -03:00
expect ( user . id ) . to eq ( logged_on_user . id )
2014-02-25 14:30:49 +11:00
# nonce is bad now
get :sso_login , Rack :: Utils . parse_query ( sso . payload )
2015-05-20 12:35:22 +10:00
expect ( response . code ) . to eq ( '419' )
2014-02-25 14:30:49 +11:00
end
2014-03-26 15:39:44 +11:00
2015-10-25 10:30:19 +05:30
describe 'can act as an SSO provider' do
before do
SiteSetting . enable_sso_provider = true
SiteSetting . enable_sso = false
SiteSetting . enable_local_logins = true
SiteSetting . sso_secret = " topsecret "
@sso = SingleSignOn . new
@sso . nonce = " mynonce "
@sso . sso_secret = SiteSetting . sso_secret
@sso . return_sso_url = " http://somewhere.over.rainbow/sso "
@user = Fabricate ( :user , password : " frogs " , active : true , admin : true )
EmailToken . update_all ( confirmed : true )
end
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
it " successfully logs in and redirects user to return_sso_url when the user is not logged in " do
get :sso_provider , Rack :: Utils . parse_query ( @sso . payload )
expect ( response ) . to redirect_to ( " /login " )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
xhr :post , :create , login : @user . username , password : " frogs " , format : :json
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
location = cookies [ :sso_destination_url ]
# javascript code will handle redirection of user to return_sso_url
expect ( location ) . to match ( / ^http: \/ \/ somewhere.over.rainbow \/ sso / )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
payload = location . split ( " ? " ) [ 1 ]
sso2 = SingleSignOn . parse ( payload , " topsecret " )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
expect ( sso2 . email ) . to eq ( @user . email )
expect ( sso2 . name ) . to eq ( @user . name )
expect ( sso2 . username ) . to eq ( @user . username )
expect ( sso2 . external_id ) . to eq ( @user . id . to_s )
expect ( sso2 . admin ) . to eq ( true )
expect ( sso2 . moderator ) . to eq ( false )
end
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
it " successfully redirects user to return_sso_url when the user is logged in " do
log_in_user ( @user )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
get :sso_provider , Rack :: Utils . parse_query ( @sso . payload )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
location = response . header [ " Location " ]
expect ( location ) . to match ( / ^http: \/ \/ somewhere.over.rainbow \/ sso / )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
payload = location . split ( " ? " ) [ 1 ]
sso2 = SingleSignOn . parse ( payload , " topsecret " )
2014-11-26 17:25:54 +11:00
2015-10-25 10:30:19 +05:30
expect ( sso2 . email ) . to eq ( @user . email )
expect ( sso2 . name ) . to eq ( @user . name )
expect ( sso2 . username ) . to eq ( @user . username )
expect ( sso2 . external_id ) . to eq ( @user . id . to_s )
expect ( sso2 . admin ) . to eq ( true )
expect ( sso2 . moderator ) . to eq ( false )
end
2014-11-26 17:25:54 +11:00
end
2014-03-26 15:39:44 +11:00
describe 'local attribute override from SSO payload' do
2014-02-27 16:48:46 -08:00
before do
SiteSetting . stubs ( " sso_overrides_email " ) . returns ( true )
SiteSetting . stubs ( " sso_overrides_username " ) . returns ( true )
SiteSetting . stubs ( " sso_overrides_name " ) . returns ( true )
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
@user = Fabricate ( :user )
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
@sso = get_sso ( '/hello/world' )
@sso . external_id = '997'
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
@reversed_username = @user . username . reverse
@sso . username = @reversed_username
@sso . email = " #{ @reversed_username } @garbage.org "
@reversed_name = @user . name . reverse
@sso . name = @reversed_name
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
@suggested_username = UserNameSuggester . suggest ( @sso . username || @sso . name || @sso . email )
2014-12-10 14:17:49 +08:00
@suggested_name = User . suggest_name ( @sso . name || @sso . username || @sso . email )
2014-02-27 16:48:46 -08:00
@user . create_single_sign_on_record ( external_id : '997' , last_payload : '' )
end
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
it 'stores the external attributes' do
get :sso_login , Rack :: Utils . parse_query ( @sso . payload )
@user . single_sign_on_record . reload
2015-01-09 14:04:02 -03:00
expect ( @user . single_sign_on_record . external_username ) . to eq ( @sso . username )
expect ( @user . single_sign_on_record . external_email ) . to eq ( @sso . email )
expect ( @user . single_sign_on_record . external_name ) . to eq ( @sso . name )
2014-02-27 16:48:46 -08:00
end
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
it 'overrides attributes' do
get :sso_login , Rack :: Utils . parse_query ( @sso . payload )
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2015-01-09 14:04:02 -03:00
expect ( logged_on_user . username ) . to eq ( @suggested_username )
expect ( logged_on_user . email ) . to eq ( " #{ @reversed_username } @garbage.org " )
2015-03-27 13:14:50 +11:00
expect ( logged_on_user . name ) . to eq ( @sso . name )
2014-02-27 16:48:46 -08:00
end
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
it 'does not change matching attributes for an existing account' do
@sso . username = @user . username
@sso . name = @user . name
@sso . email = @user . email
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
get :sso_login , Rack :: Utils . parse_query ( @sso . payload )
2014-03-26 15:39:44 +11:00
2014-02-27 16:48:46 -08:00
logged_on_user = Discourse . current_user_provider . new ( request . env ) . current_user
2015-01-09 14:04:02 -03:00
expect ( logged_on_user . username ) . to eq ( @user . username )
expect ( logged_on_user . name ) . to eq ( @user . name )
expect ( logged_on_user . email ) . to eq ( @user . email )
2014-02-27 16:48:46 -08:00
end
2014-03-26 15:39:44 +11:00
end
2014-02-25 14:30:49 +11:00
end
2013-02-05 14:16:51 -05:00
describe '.create' do
let ( :user ) { Fabricate ( :user ) }
2013-02-11 11:18:26 -05:00
context 'when email is confirmed' do
2013-02-05 14:16:51 -05:00
before do
2014-05-06 14:41:59 +01:00
token = user . email_tokens . find_by ( email : user . email )
2013-02-11 11:18:26 -05:00
EmailToken . confirm ( token . token )
2013-02-05 14:16:51 -05:00
end
2013-02-11 11:18:26 -05:00
it " raises an error when the login isn't present " do
2015-01-09 14:04:02 -03:00
expect { xhr :post , :create } . to raise_error ( ActionController :: ParameterMissing )
2013-02-05 14:16:51 -05:00
end
2013-02-11 11:18:26 -05:00
describe 'invalid password' do
it " should return an error with an invalid password " do
xhr :post , :create , login : user . username , password : 'sssss'
2015-01-09 14:04:02 -03:00
expect ( :: JSON . parse ( response . body ) [ 'error' ] ) . to be_present
2013-02-11 11:18:26 -05:00
end
2013-02-05 14:16:51 -05:00
end
2014-09-11 12:22:11 -07:00
describe 'invalid password' do
it " should return an error with an invalid password if too long " do
User . any_instance . expects ( :confirm_password? ) . never
xhr :post , :create , login : user . username , password : ( 's' * ( User . max_password_length + 1 ) )
2015-01-09 14:04:02 -03:00
expect ( :: JSON . parse ( response . body ) [ 'error' ] ) . to be_present
2014-09-11 12:22:11 -07:00
end
end
2013-11-07 13:53:32 -05:00
describe 'suspended user' do
2013-06-27 15:14:42 -04:00
it 'should return an error' do
2013-11-07 13:53:32 -05:00
User . any_instance . stubs ( :suspended? ) . returns ( true )
User . any_instance . stubs ( :suspended_till ) . returns ( 2 . days . from_now )
2013-06-27 15:14:42 -04:00
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( :: JSON . parse ( response . body ) [ 'error' ] ) . to be_present
2013-06-27 15:14:42 -04:00
end
end
2014-04-28 13:46:28 -04:00
describe 'deactivated user' do
it 'should return an error' do
User . any_instance . stubs ( :active ) . returns ( false )
xhr :post , :create , login : user . username , password : 'myawesomepassword'
expect ( JSON . parse ( response . body ) [ 'error' ] ) . to eq ( I18n . t ( 'login.not_activated' ) )
end
end
2013-02-11 11:18:26 -05:00
describe 'success by username' do
2014-03-26 15:39:44 +11:00
it 'logs in correctly' do
2013-02-11 11:18:26 -05:00
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2014-03-26 15:39:44 +11:00
2013-02-11 11:18:26 -05:00
user . reload
2013-02-05 14:16:51 -05:00
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
expect ( user . auth_token ) . to be_present
expect ( cookies [ :_t ] ) . to eq ( user . auth_token )
2013-02-11 11:18:26 -05:00
end
2014-03-26 15:39:44 +11:00
end
2013-02-05 14:16:51 -05:00
2014-03-26 15:39:44 +11:00
describe 'local logins disabled' do
it 'fails' do
SiteSetting . stubs ( :enable_local_logins ) . returns ( false )
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( response . status . to_i ) . to eq ( 500 )
2013-02-11 11:18:26 -05:00
end
2013-02-05 14:16:51 -05:00
end
2015-02-25 15:59:11 -05:00
describe 'with a blocked IP' do
before do
screened_ip = Fabricate ( :screened_ip_address )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( screened_ip . ip_address )
xhr :post , :create , login : " @ " + user . username , password : 'myawesomepassword'
user . reload
end
it " doesn't log in " do
expect ( session [ :current_user_id ] ) . to be_nil
end
end
2013-02-11 11:18:26 -05:00
describe 'strips leading @ symbol' do
before do
xhr :post , :create , login : " @ " + user . username , password : 'myawesomepassword'
user . reload
end
2013-02-05 14:16:51 -05:00
2013-02-11 11:18:26 -05:00
it 'sets a session id' do
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2013-02-11 11:18:26 -05:00
end
2013-02-05 14:16:51 -05:00
end
2013-02-11 11:18:26 -05:00
describe 'also allow login by email' do
2013-02-05 14:16:51 -05:00
before do
xhr :post , :create , login : user . email , password : 'myawesomepassword'
end
2013-02-11 11:18:26 -05:00
it 'sets a session id' do
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2013-02-05 14:16:51 -05:00
end
end
2013-07-23 23:02:42 -04:00
context 'login has leading and trailing space' do
let ( :username ) { " #{ user . username } " }
let ( :email ) { " #{ user . email } " }
it " strips spaces from the username " do
xhr :post , :create , login : username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( :: JSON . parse ( response . body ) [ 'error' ] ) . not_to be_present
2013-07-23 23:02:42 -04:00
end
it " strips spaces from the email " do
xhr :post , :create , login : email , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( :: JSON . parse ( response . body ) [ 'error' ] ) . not_to be_present
2013-07-23 23:02:42 -04:00
end
end
2013-02-11 11:18:26 -05:00
describe " when the site requires approval of users " do
before do
SiteSetting . expects ( :must_approve_users? ) . returns ( true )
end
context 'with an unapproved user' do
before do
xhr :post , :create , login : user . email , password : 'myawesomepassword'
end
it " doesn't log in the user " do
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to be_blank
2013-02-11 11:18:26 -05:00
end
2013-06-05 18:21:19 -07:00
it " shows the 'not approved' error message " do
expect ( JSON . parse ( response . body ) [ 'error' ] ) . to eq (
I18n . t ( 'login.not_approved' )
)
end
2013-02-11 11:18:26 -05:00
end
2013-08-06 16:51:29 -04:00
context " with an unapproved user who is an admin " do
before do
User . any_instance . stubs ( :admin? ) . returns ( true )
xhr :post , :create , login : user . email , password : 'myawesomepassword'
end
it 'sets a session id' do
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2013-08-06 16:51:29 -04:00
end
end
2013-02-11 11:18:26 -05:00
end
2014-09-04 18:50:27 -04:00
context 'when admins are restricted by ip address' do
let ( :permitted_ip_address ) { '111.234.23.11' }
before do
Fabricate ( :screened_ip_address , ip_address : permitted_ip_address , action_type : ScreenedIpAddress . actions [ :allow_admin ] )
2015-09-21 16:56:25 -04:00
SiteSetting . stubs ( :use_admin_ip_whitelist ) . returns ( true )
2014-09-04 18:50:27 -04:00
end
it 'is successful for admin at the ip address' do
User . any_instance . stubs ( :admin? ) . returns ( true )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( permitted_ip_address )
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2014-09-04 18:50:27 -04:00
end
it 'returns an error for admin not at the ip address' do
User . any_instance . stubs ( :admin? ) . returns ( true )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( " 111.234.23.12 " )
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( JSON . parse ( response . body ) [ 'error' ] ) . to be_present
expect ( session [ :current_user_id ] ) . not_to eq ( user . id )
2014-09-04 18:50:27 -04:00
end
it 'is successful for non-admin not at the ip address' do
User . any_instance . stubs ( :admin? ) . returns ( false )
ActionDispatch :: Request . any_instance . stubs ( :remote_ip ) . returns ( " 111.234.23.12 " )
xhr :post , :create , login : user . username , password : 'myawesomepassword'
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to eq ( user . id )
2014-09-04 18:50:27 -04:00
end
end
2013-02-05 14:16:51 -05:00
end
2013-02-11 11:18:26 -05:00
context 'when email has not been confirmed' do
2013-06-05 18:21:19 -07:00
def post_login
2013-02-11 11:18:26 -05:00
xhr :post , :create , login : user . email , password : 'myawesomepassword'
end
it " doesn't log in the user " do
2013-06-05 18:21:19 -07:00
post_login
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to be_blank
2013-02-11 11:18:26 -05:00
end
2013-06-05 18:21:19 -07:00
it " shows the 'not activated' error message " do
post_login
expect ( JSON . parse ( response . body ) [ 'error' ] ) . to eq (
I18n . t 'login.not_activated'
)
end
context " and the 'must approve users' site setting is enabled " do
before { SiteSetting . expects ( :must_approve_users? ) . returns ( true ) }
it " shows the 'not approved' error message " do
post_login
expect ( JSON . parse ( response . body ) [ 'error' ] ) . to eq (
I18n . t 'login.not_approved'
)
end
2013-02-11 11:18:26 -05:00
end
end
2013-02-05 14:16:51 -05:00
end
describe '.destroy' do
before do
@user = log_in
xhr :delete , :destroy , id : @user . username
end
it 'removes the session variable' do
2015-01-09 14:04:02 -03:00
expect ( session [ :current_user_id ] ) . to be_blank
2013-02-05 14:16:51 -05:00
end
it 'removes the auth token cookie' do
2015-01-09 14:04:02 -03:00
expect ( cookies [ :_t ] ) . to be_blank
2013-02-05 14:16:51 -05:00
end
end
describe '.forgot_password' do
it 'raises an error without a username parameter' do
2015-01-09 14:04:02 -03:00
expect { xhr :post , :forgot_password } . to raise_error ( ActionController :: ParameterMissing )
2013-02-05 14:16:51 -05:00
end
context 'for a non existant username' do
2013-02-25 19:42:20 +03:00
it " doesn't generate a new token for a made up username " do
2015-01-09 14:04:02 -03:00
expect { xhr :post , :forgot_password , login : 'made_up' } . not_to change ( EmailToken , :count )
2013-02-05 14:16:51 -05:00
end
2013-02-25 19:42:20 +03:00
it " doesn't enqueue an email " do
2013-02-05 14:16:51 -05:00
Jobs . expects ( :enqueue ) . with ( :user_mail , anything ) . never
2013-04-15 02:20:33 +02:00
xhr :post , :forgot_password , login : 'made_up'
2013-02-25 19:42:20 +03:00
end
end
2013-02-05 14:16:51 -05:00
context 'for an existing username' do
let ( :user ) { Fabricate ( :user ) }
2014-03-26 15:39:44 +11:00
it " returns a 500 if local logins are disabled " do
2014-08-18 10:55:30 +10:00
SiteSetting . enable_local_logins = false
2014-03-26 15:39:44 +11:00
xhr :post , :forgot_password , login : user . username
2015-01-09 14:04:02 -03:00
expect ( response . code . to_i ) . to eq ( 500 )
2014-03-26 15:39:44 +11:00
end
2013-02-25 19:42:20 +03:00
it " generates a new token for a made up username " do
2015-01-09 14:04:02 -03:00
expect { xhr :post , :forgot_password , login : user . username } . to change ( EmailToken , :count )
2013-02-05 14:16:51 -05:00
end
2013-02-25 19:42:20 +03:00
it " enqueues an email " do
2016-04-07 14:38:43 +10:00
Jobs . expects ( :enqueue ) . with ( :critical_user_email , has_entries ( type : :forgot_password , user_id : user . id ) )
2013-04-15 02:20:33 +02:00
xhr :post , :forgot_password , login : user . username
2013-02-25 19:42:20 +03:00
end
end
2013-02-05 14:16:51 -05:00
2014-12-10 14:17:49 +08:00
context 'do nothing to system username' do
2015-11-09 17:37:33 +01:00
let ( :system ) { Discourse . system_user }
2014-12-10 14:17:49 +08:00
it 'generates no token for system username' do
2015-11-09 17:37:33 +01:00
expect { xhr :post , :forgot_password , login : system . username } . not_to change ( EmailToken , :count )
2014-12-10 14:17:49 +08:00
end
it 'enqueues no email' do
Jobs . expects ( :enqueue ) . never
2015-11-09 17:37:33 +01:00
xhr :post , :forgot_password , login : system . username
end
end
context 'for a staged account' do
let! ( :staged ) { Fabricate ( :staged ) }
it 'generates no token for staged username' do
expect { xhr :post , :forgot_password , login : staged . username } . not_to change ( EmailToken , :count )
end
it 'enqueues no email' do
Jobs . expects ( :enqueue ) . never
xhr :post , :forgot_password , login : staged . username
2014-12-10 14:17:49 +08:00
end
end
2013-02-05 14:16:51 -05:00
end
2014-02-05 13:46:24 -05:00
describe '.current' do
context " when not logged in " do
it " retuns 404 " do
xhr :get , :current
2015-01-09 14:04:02 -03:00
expect ( response ) . not_to be_success
2014-02-05 13:46:24 -05:00
end
end
context " when logged in " do
let! ( :user ) { log_in }
it " returns the JSON for the user " do
xhr :get , :current
2015-01-09 14:04:02 -03:00
expect ( response ) . to be_success
2014-02-05 13:46:24 -05:00
json = :: JSON . parse ( response . body )
2015-01-09 14:04:02 -03:00
expect ( json [ 'current_user' ] ) . to be_present
expect ( json [ 'current_user' ] [ 'id' ] ) . to eq ( user . id )
2014-02-05 13:46:24 -05:00
end
end
end
2013-02-05 14:16:51 -05:00
end
