Merge pull request #40 from azul/feature/token-auth

Token auth with a database of it's own

6 files changed, 84 insertions, 13 deletions

diff --git a/.gitignore b/.gitignore
index 5536c6f..73cd22e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ public/config/*
 public/provider.json
 config/config.yml
 bin
+.*.swp
diff --git a/core/lib/extensions/testing.rb b/core/lib/extensions/testing.rb
index 925c023..aad7fc1 100644
--- a/core/lib/extensions/testing.rb
+++ b/core/lib/extensions/testing.rb
@@ -14,10 +14,17 @@ module LeapWebCore
         get_response.headers["Content-Disposition"]
     end
 
+    def json_response
+      response = JSON.parse(get_response.body)
+      response.respond_to?(:with_indifferent_access) ?
+        response.with_indifferent_access :
+        response
+    end
+
     def assert_json_response(object)
       if object.is_a? Hash
         object.stringify_keys! if object.respond_to? :stringify_keys!
-        assert_equal object, JSON.parse(get_response.body)
+        assert_equal object, json_response
       else
         assert_equal object.to_json, get_response.body
       end
diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb
index 9365d76..e3459d6 100644
--- a/users/app/controllers/v1/sessions_controller.rb
+++ b/users/app/controllers/v1/sessions_controller.rb
@@ -23,6 +23,7 @@ module V1
 
     def update
       authenticate!
+      @token = Token.create(:user_id => current_user.id)
       render :json => login_response
     end
 
@@ -35,7 +36,7 @@ module V1
 
     def login_response
       handshake = session.delete(:handshake)
-      handshake.to_hash.merge(:id => current_user.id)
+      handshake.to_hash.merge(:id => current_user.id, :token => @token.id)
     end
 
   end
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
new file mode 100644
index 0000000..44a6dfe
--- /dev/null
+++ b/users/app/models/token.rb
@@ -0,0 +1,17 @@
+class Token < CouchRest::Model::Base
+
+  use_database :tokens
+
+  property :user_id, String, accessible: false
+
+  validates :user_id, presence: true
+
+  def initialize(*args)
+    super
+    self.id = SecureRandom.urlsafe_base64(32)
+  end
+
+  design do
+  end
+end
+
diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb
index 1226c9d..0c4e325 100644
--- a/users/test/functional/v1/sessions_controller_test.rb
+++ b/users/test/functional/v1/sessions_controller_test.rb
@@ -11,6 +11,22 @@ class V1::SessionsControllerTest < ActionController::TestCase
     @client_hex = 'a123'
   end
 
+  test "renders json" do
+    get :new, :format => :json
+    assert_response :success
+    assert_json_error nil
+  end
+
+  test "renders warden errors" do
+    request.env['warden.options'] = {attempted_path: 'path/to/controller'}
+    strategy = stub :message => {:field => :translate_me}
+    request.env['warden'].stubs(:winning_strategy).returns(strategy)
+    I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub")
+    get :new, :format => :json
+    assert_response 422
+    assert_json_error :field => "translation stub"
+  end
+
   # Warden takes care of parsing the params and
   # rendering the response. So not much to test here.
   test "should perform handshake" do
@@ -20,18 +36,9 @@ class V1::SessionsControllerTest < ActionController::TestCase
     post :create, :login => @user.login, 'A' => @client_hex
   end
 
-  test "should send salt" do
-    User.expects(:find_by_login).with(@user.login).returns(@user)
-
-    post :create, :login => @user.login
-
-    assert_equal @user, assigns(:user)
-    assert_json_response salt: @user.salt
-  end
-
   test "should authorize" do
     request.env['warden'].expects(:authenticate!)
-    @controller.expects(:current_user).returns(@user)
+    @controller.stubs(:current_user).returns(@user)
     handshake = stub(:to_hash => {h: "ash"})
     session[:handshake] = handshake
 
@@ -39,7 +46,8 @@ class V1::SessionsControllerTest < ActionController::TestCase
 
     assert_nil session[:handshake]
     assert_response :success
-    assert_json_response handshake.to_hash.merge(id: @user.id)
+    assert json_response.keys.include?("id")
+    assert json_response.keys.include?("token")
   end
 
   test "logout should reset warden user" do
diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb
new file mode 100644
index 0000000..bff6b71
--- /dev/null
+++ b/users/test/unit/token_test.rb
@@ -0,0 +1,37 @@
+require 'test_helper'
+
+class ClientCertificateTest < ActiveSupport::TestCase
+
+  setup do
+    @user = FactoryGirl.create(:user)
+  end
+
+  teardown do
+    @user.destroy
+  end
+
+  test "new token for user" do
+    sample = Token.new(:user_id => @user.id)
+    assert sample.valid?
+    assert_equal @user.id, sample.user_id
+  end
+
+  test "token id is secure" do
+    sample = Token.new(:user_id => @user.id)
+    other = Token.new(:user_id => @user.id)
+    assert sample.id,
+      "id is set on initialization"
+    assert sample.id[0..10] != other.id[0..10],
+      "token id prefixes should not repeat"
+    assert /[g-zG-Z]/.match(sample.id),
+      "should use non hex chars in the token id"
+    assert sample.id.size > 16,
+      "token id should be more than 16 chars long"
+  end
+
+  test "token checks for user" do
+    sample = Token.new
+    assert !sample.valid?, "Token should require a user record"
+  end
+
+end