moving users: app and test files

author: Azul <azul@leap.se> 2014-04-08 11:49:14 +0200
committer: Azul <azul@leap.se> 2014-04-08 11:49:14 +0200
commit: b6d14dc19dd350a807826e3e097738a36613e083 (patch)
tree: 093dc5f2f1e773e3ad009d28d1fd24667d3c0ba6 /test/integration
parent: 2e11e3ca2c7b02fdb5ff54f0bcd766cc5fa39975 (diff)
15 files changed, 767 insertions, 0 deletions
diff --git a/test/integration/api/Readme.md b/test/integration/api/Readme.md
new file mode 100644
index 0000000..04363bd
--- /dev/null
+++ b/test/integration/api/Readme.md
@@ -0,0 +1,23 @@
+API tests
+==========
+
+
+Testing the restful api from a simple python client as that's what we'll be using.
+
+This test so far mostly demoes the API. We have no SRP calc in there.
+
+TODO: keep track of the cookies during login. The server uses the session to keep track of the random numbers A and B.
+
+The output of signup_and_login_wrong_password pretty well describes the SRP API:
+
+```
+POST: http://localhost:9292/users.json
+    {"user[password_salt]": "54321", "user[password_verifier]": "12345", "user[login]": "SWQ055"}
+ -> {"password_salt":"54321","login":"SWQ055"}
+POST: http://localhost:9292/sessions
+    {"A": "12345", "login": "SWQ055"}
+ -> {"B":"1778367531e93a4c7713c76f67649f35a4211ebc520926ae8c3848cd66171651"}
+PUT: http://localhost:9292/sessions/SWQ055
+    {"M": "123ABC"}
+ -> {"errors":[{"login":"Not a valid username/password combination"},{"password":"Not a valid username/password combination"}]}
+```
diff --git a/test/integration/api/login_test.rb b/test/integration/api/login_test.rb
new file mode 100644
index 0000000..92d153f
--- /dev/null
+++ b/test/integration/api/login_test.rb
@@ -0,0 +1,50 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class LoginTest < SrpTest
+
+  setup do
+    register_user
+  end
+
+  test "requires handshake before validation" do
+    validate("bla")
+    assert_json_error login: I18n.t(:all_strategies_failed)
+  end
+
+  test "login with srp" do
+    authenticate
+    assert_equal ["M2", "id", "token"], server_auth.keys
+    assert last_response.successful?
+    assert_nil server_auth["errors"]
+    assert server_auth["M2"]
+  end
+
+  test "wrong password login attempt" do
+    authenticate password: "wrong password"
+    assert_json_error "base" => "Not a valid username/password combination"
+    assert !last_response.successful?
+    assert_nil server_auth["M2"]
+  end
+
+  test "wrong username login attempt" do
+    assert_raises RECORD_NOT_FOUND do
+      authenticate login: "wrong login"
+    end
+    assert_json_error "base" => "Not a valid username/password combination"
+    assert !last_response.successful?
+    assert_nil server_auth
+  end
+
+  test "logout" do
+    authenticate
+    logout
+    assert_equal 204, last_response.status
+  end
+
+  test "logout requires token" do
+    authenticate
+    logout(nil, {})
+    assert_equal 422, last_response.status
+  end
+end
diff --git a/test/integration/api/pgp_key_test.rb b/test/integration/api/pgp_key_test.rb
new file mode 100644
index 0000000..4c7fb4c
--- /dev/null
+++ b/test/integration/api/pgp_key_test.rb
@@ -0,0 +1,35 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class PgpKeyTest < SrpTest
+
+  setup do
+    # todo: prepare user and login without doing the srp dance
+    register_user
+    authenticate
+  end
+
+  test "upload pgp key" do
+    update_user public_key: key
+    assert_equal key, Identity.for(@user).keys[:pgp]
+  end
+
+  # eventually probably want to remove most of this into a non-integration
+  # functional test
+  test "prevent uploading invalid key" do
+    update_user public_key: "invalid key"
+    assert_nil Identity.for(@user).keys[:pgp]
+  end
+
+  test "prevent emptying public key" do
+    update_user public_key: key
+    update_user public_key: ""
+    assert_equal key, Identity.for(@user).keys[:pgp]
+  end
+
+  protected
+
+  def key
+    @key ||= FactoryGirl.build :pgp_key
+  end
+end
diff --git a/test/integration/api/python/flow_with_srp.py b/test/integration/api/python/flow_with_srp.py
new file mode 100755
index 0000000..9fc168b
--- /dev/null
+++ b/test/integration/api/python/flow_with_srp.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python
+
+# under development
+
+import requests
+import json
+import string
+import random
+import srp._pysrp as srp
+import binascii
+
+safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x)
+
+# using globals for now
+# server = 'https://dev.bitmask.net/1'
+server = 'http://api.lvh.me:3000/1'
+
+def run_tests():
+  login = 'test_' + id_generator()
+  password = id_generator() + id_generator()
+  usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
+  print_and_parse(signup(login, password))
+
+  auth = print_and_parse(authenticate(usr))
+  verify_or_debug(auth, usr)
+  assert usr.authenticated()
+
+  usr = change_password(auth['id'], login, auth['token'])
+
+  auth = print_and_parse(authenticate(usr))
+  verify_or_debug(auth, usr)
+  # At this point the authentication process is complete.
+  assert usr.authenticated()
+
+# let's have some random name
+def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+# log the server communication
+def print_and_parse(response):
+  request = response.request
+  print request.method + ': ' + response.url
+  if hasattr(request, 'data'):
+    print "    " + json.dumps(response.request.data)
+  print " -> " + response.text
+  try: 
+    return json.loads(response.text)
+  except ValueError:
+    return None
+
+def signup(login, password):
+  salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+  user_params = {
+      'user[login]': login,
+      'user[password_verifier]': binascii.hexlify(vkey),
+      'user[password_salt]': binascii.hexlify(salt)
+      }
+  return requests.post(server + '/users.json', data = user_params, verify = False)
+
+def change_password(user_id, login, token):
+  password = id_generator() + id_generator()
+  salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+  user_params = {
+      'user[password_verifier]': binascii.hexlify(vkey),
+      'user[password_salt]': binascii.hexlify(salt)
+      }
+  auth_headers = { 'Authorization': 'Token token="' + token + '"'}
+  print user_params
+  print_and_parse(requests.put(server + '/users/' + user_id + '.json', data = user_params, verify = False, headers = auth_headers))
+  return srp.User( login, password, srp.SHA256, srp.NG_1024 )
+
+
+def authenticate(usr):
+  session = requests.session()
+  uname, A = usr.start_authentication()
+  params = {
+      'login': uname,
+      'A': binascii.hexlify(A)
+      }
+  init = print_and_parse(session.post(server + '/sessions', data = params, verify=False))
+  M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) )
+  return session.put(server + '/sessions/' + uname, verify = False,
+      data = {'client_auth': binascii.hexlify(M)})
+
+def verify_or_debug(auth, usr):
+  if ( 'errors' in auth ):
+    print '    u = "%x"' % usr.u
+    print '    x = "%x"' % usr.x
+    print '    v = "%x"' % usr.v
+    print '    S = "%x"' % usr.S
+    print '    K = "' + binascii.hexlify(usr.K) + '"'
+    print '    M = "' + binascii.hexlify(usr.M) + '"'
+  else:
+    usr.verify_session( safe_unhexlify(auth["M2"]) )
+
+run_tests()
diff --git a/test/integration/api/python/login_wrong_username.py b/test/integration/api/python/login_wrong_username.py
new file mode 100755
index 0000000..390f250
--- /dev/null
+++ b/test/integration/api/python/login_wrong_username.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+params = {
+    'login': 'python_test_user_'+id_generator(),
+    'A': '12345',
+    }
+r = requests.post(server + '/sessions', data = params)
+print r.url
+print r.text
diff --git a/test/integration/api/python/signup.py b/test/integration/api/python/signup.py
new file mode 100755
index 0000000..0d3a4e0
--- /dev/null
+++ b/test/integration/api/python/signup.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+user_params = {
+    'user[login]': 'python_test_user_'+id_generator(),
+    'user[password_verifier]': '12345',
+    'user[password_salt]': '54321'
+    }
+r = requests.post(server + '/users.json', data = user_params)
+print r.url
+print r.text
diff --git a/test/integration/api/python/signup_and_login.py b/test/integration/api/python/signup_and_login.py
new file mode 100755
index 0000000..ac611d7
--- /dev/null
+++ b/test/integration/api/python/signup_and_login.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+
+# FAILS
+#
+# This test is currently failing for me because the session is not kept.
+# Played with it a bunch - is probably messed up right now as well.
+
+
+server = 'http://localhost:3000'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+def print_and_parse(response):
+  print response.request.method + ': ' + response.url
+  print "    " + json.dumps(response.request.data)
+  print " -> " + response.text
+  return json.loads(response.text)
+
+def signup(session):
+  user_params = {
+      'user[login]': id_generator(),
+      'user[password_verifier]': '12345',
+      'user[password_salt]': 'AB54321'
+      }
+  return session.post(server + '/users.json', data = user_params)
+
+def authenticate(session, login):
+  params = {
+      'login': login,
+      'A': '12345',
+      }
+  init = print_and_parse(session.post(server + '/sessions', data = params))
+  return session.put(server + '/sessions/' + login, data = {'client_auth': '123'})
+
+session = requests.session()
+user = print_and_parse(signup(session))
+# SRP signup would happen here and calculate M hex
+auth = print_and_parse(authenticate(session, user['login']))
diff --git a/test/integration/api/python/signup_and_login_wrong_password.py b/test/integration/api/python/signup_and_login_wrong_password.py
new file mode 100755
index 0000000..9efffa1
--- /dev/null
+++ b/test/integration/api/python/signup_and_login_wrong_password.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python
+
+server = 'http://localhost:9292'
+
+import requests
+import json
+import string
+import random
+
+def id_generator(size=6, chars=string.ascii_uppercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+def print_and_parse(response):
+  print response.request.method + ': ' + response.url
+  print "    " + json.dumps(response.request.data)
+  print " -> " + response.text
+#  print " () " + json.dumps(requests.utils.dict_from_cookiejar(response.cookies))
+  return json.loads(response.text)
+
+def signup():
+  user_params = {
+      'user[login]': id_generator(),
+      'user[password_verifier]': '12345',
+      'user[password_salt]': '54321'
+      }
+  return requests.post(server + '/users.json', data = user_params)
+
+def handshake(login):
+  params = {
+      'login': login,
+      'A': '12345',
+      }
+  return requests.post(server + '/sessions', data = params)
+
+def authenticate(login, M):
+  return requests.put(server + '/sessions/' + login, data = {'M': M})
+
+
+user = print_and_parse(signup())
+handshake = print_and_parse(handshake(user['login']))
+# SRP signup would happen here and calculate M hex
+M = '123ABC'
+auth = print_and_parse(authenticate(user['login'], M))
diff --git a/test/integration/api/python/umlauts.py b/test/integration/api/python/umlauts.py
new file mode 100755
index 0000000..96fecbf
--- /dev/null
+++ b/test/integration/api/python/umlauts.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+# coding: utf-8
+
+# under development
+
+import requests
+import json
+import string
+import random
+import srp._pysrp as srp
+import binascii
+
+safe_unhexlify = lambda x: binascii.unhexlify(x) if (len(x) % 2 == 0) else binascii.unhexlify('0'+x)
+
+# using globals for now
+# server = 'https://dev.bitmask.net/1'
+server = 'http://api.lvh.me:3000/1'
+
+def run_tests():
+  login = 'test_' + id_generator()
+  password = id_generator() + "äöì" + id_generator()
+  usr = srp.User( login, password, srp.SHA256, srp.NG_1024 )
+  print_and_parse(signup(login, password))
+
+  auth = print_and_parse(authenticate(usr))
+  verify_or_debug(auth, usr)
+  assert usr.authenticated()
+
+
+# let's have some random name
+def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
+  return ''.join(random.choice(chars) for x in range(size))
+
+# log the server communication
+def print_and_parse(response):
+  request = response.request
+  print request.method + ': ' + response.url
+  if hasattr(request, 'data'):
+    print "    " + json.dumps(response.request.data)
+  print " -> " + response.text
+  try: 
+    return json.loads(response.text)
+  except ValueError:
+    return None
+
+def signup(login, password):
+  salt, vkey = srp.create_salted_verification_key( login, password, srp.SHA256, srp.NG_1024 )
+  user_params = {
+      'user[login]': login,
+      'user[password_verifier]': binascii.hexlify(vkey),
+      'user[password_salt]': binascii.hexlify(salt)
+      }
+  print json.dumps(user_params)
+  return requests.post(server + '/users.json', data = user_params, verify = False)
+
+def authenticate(usr):
+  session = requests.session()
+  uname, A = usr.start_authentication()
+  params = {
+      'login': uname,
+      'A': binascii.hexlify(A)
+      }
+  init = print_and_parse(session.post(server + '/sessions', data = params, verify=False))
+  M = usr.process_challenge( safe_unhexlify(init['salt']), safe_unhexlify(init['B']) )
+  return session.put(server + '/sessions/' + uname, verify = False,
+      data = {'client_auth': binascii.hexlify(M)})
+
+def verify_or_debug(auth, usr):
+  if ( 'errors' in auth ):
+    print '    u = "%x"' % usr.u
+    print '    x = "%x"' % usr.x
+    print '    v = "%x"' % usr.v
+    print '    S = "%x"' % usr.S
+    print '    K = "' + binascii.hexlify(usr.K) + '"'
+    print '    M = "' + binascii.hexlify(usr.M) + '"'
+  else:
+    usr.verify_session( safe_unhexlify(auth["M2"]) )
+
+run_tests()
diff --git a/test/integration/api/signup_test.rb b/test/integration/api/signup_test.rb
new file mode 100644
index 0000000..236c547
--- /dev/null
+++ b/test/integration/api/signup_test.rb
@@ -0,0 +1,20 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class SignupTest < SrpTest
+
+  setup do
+    register_user
+  end
+
+  test "signup response" do
+    assert_json_response :login => @login, :ok => true
+    assert last_response.successful?
+  end
+
+  test "signup creates user" do
+    assert @user
+    assert_equal @login, @user.login
+  end
+end
+
diff --git a/test/integration/api/srp_test.rb b/test/integration/api/srp_test.rb
new file mode 100644
index 0000000..946450e
--- /dev/null
+++ b/test/integration/api/srp_test.rb
@@ -0,0 +1,104 @@
+class SrpTest < RackTest
+
+  teardown do
+    if @user
+      cleanup_user
+    end
+    Warden.test_reset!
+  end
+
+  # this test wraps the api and implements the interface the ruby-srp client.
+  def handshake(login, aa)
+    post "http://api.lvh.me:3000/1/sessions.json",
+      :login => login,
+      'A' => aa,
+      :format => :json
+    response = JSON.parse(last_response.body)
+    if response['errors']
+      raise RECORD_NOT_FOUND.new(response['errors'])
+    else
+      return response['B']
+    end
+  end
+
+  def validate(m)
+    put "http://api.lvh.me:3000/1/sessions/" + @login + '.json',
+      :client_auth => m,
+      :format => :json
+    return JSON.parse(last_response.body)
+  end
+
+  protected
+
+  attr_reader :server_auth
+
+  def register_user(login = "integration_test_user", password = 'srp, verify me!')
+    cleanup_user(login)
+    post 'http://api.lvh.me:3000/1/users.json',
+      user_params(login: login, password: password)
+    @user = User.find_by_login(login)
+    @login = login
+    @password = password
+  end
+
+  def update_user(params)
+    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+      user_params(params),
+      auth_headers
+  end
+
+  def authenticate(params = nil)
+    @server_auth = srp(params).authenticate(self)
+  end
+
+  def auth_headers
+    return {} if @server_auth.nil?
+    {
+      "HTTP_AUTHORIZATION" => encoded_token
+    }
+  end
+
+  def encoded_token
+    ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"])
+  end
+
+  def logout(params=nil, headers=nil)
+    delete "http://api.lvh.me:3000/1/logout.json",
+      params || {format: :json},
+      headers || auth_headers
+  end
+
+  def cleanup_user(login = nil)
+    login ||= @user.login
+    Identity.by_address.key(login + '@' + APP_CONFIG[:domain]).each do |identity|
+      identity.destroy
+    end
+    if user = User.find_by_login(login)
+      user.destroy
+    end
+  end
+
+  def user_params(params)
+    if params.keys.include?(:password)
+      srp_process_password(params)
+    end
+    return { user: params, format: :json }
+  end
+
+  def srp_process_password(params)
+    params.reverse_merge! login: @login, salt: @salt
+    @srp = SRP::Client.new params[:login], password: params.delete(:password)
+    @salt = srp.salt.to_s(16)
+    params.merge! :password_verifier => srp.verifier.to_s(16),
+      :password_salt => @salt
+  end
+
+  def srp(params = nil)
+    if params.nil?
+      @srp
+    else
+      params.reverse_merge! password: @password
+      SRP::Client.new(params.delete(:login) || @login, params)
+    end
+  end
+end
diff --git a/test/integration/api/update_account_test.rb b/test/integration/api/update_account_test.rb
new file mode 100644
index 0000000..63429e7
--- /dev/null
+++ b/test/integration/api/update_account_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+require_relative 'srp_test'
+
+class UpdateAccountTest < SrpTest
+
+  setup do
+    register_user
+  end
+
+  test "require authentication" do
+    update_user password: "No! Verify me instead."
+    assert_access_denied
+  end
+
+  test "require token" do
+    authenticate
+    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+      user_params(password: "No! Verify me instead.")
+    assert_access_denied
+  end
+
+  test "update password via api" do
+    authenticate
+    update_user password: "No! Verify me instead."
+    authenticate
+    assert last_response.successful?
+    assert_nil server_auth["errors"]
+    assert server_auth["M2"]
+  end
+
+  test "change login with password_verifier" do
+    authenticate
+    new_login = 'zaph'
+    cleanup_user new_login
+    update_user login: new_login, password: @password
+    authenticate
+    assert last_response.successful?
+    assert_equal new_login, @user.reload.login
+  end
+
+  test "prevent changing login without changing password_verifier" do
+    authenticate
+    original_login = @user.login
+    new_login = 'zaph'
+    cleanup_user new_login
+    update_user login: new_login
+    assert last_response.successful?
+    # does not change login if no password_verifier is present
+    assert_equal original_login, @user.reload.login
+  end
+end
diff --git a/test/integration/browser/account_test.rb b/test/integration/browser/account_test.rb
new file mode 100644
index 0000000..a5677ad
--- /dev/null
+++ b/test/integration/browser/account_test.rb
@@ -0,0 +1,147 @@
+require 'test_helper'
+
+class AccountTest < BrowserIntegrationTest
+
+  teardown do
+    Identity.destroy_all_disabled
+  end
+
+  test "normal account workflow" do
+    username, password = submit_signup
+    assert page.has_content?("Welcome #{username}")
+    click_on 'Logout'
+    assert page.has_content?("Log In")
+    assert_equal '/', current_path
+    assert user = User.find_by_login(username)
+    user.account.destroy
+  end
+
+  test "successful login" do
+    username, password = submit_signup
+    click_on 'Logout'
+    attempt_login(username, password)
+    assert page.has_content?("Welcome #{username}")
+    within('.sidenav li.active') do
+      assert page.has_content?("Overview")
+    end
+    User.find_by_login(username).account.destroy
+  end
+
+  test "failed login" do
+    visit '/'
+    attempt_login("username", "wrong password")
+    assert_invalid_login(page)
+  end
+
+  test "account destruction" do
+    username, password = submit_signup
+    click_on I18n.t('account_settings')
+    click_on I18n.t('destroy_my_account')
+    assert page.has_content?(I18n.t('account_destroyed'))
+    attempt_login(username, password)
+    assert_invalid_login(page)
+  end
+
+  test "handle blocked after account destruction" do
+    username, password = submit_signup
+    click_on I18n.t('account_settings')
+    click_on I18n.t('destroy_my_account')
+    submit_signup(username)
+    assert page.has_content?('has already been taken')
+  end
+
+  test "default user actions" do
+    username, password = submit_signup
+    click_on "Account Settings"
+    assert page.has_content? I18n.t('destroy_my_account')
+    assert page.has_no_css? '#update_login_and_password'
+    assert page.has_no_css? '#update_pgp_key'
+  end
+
+  test "default admin actions" do
+    username, password = submit_signup
+    with_config admins: [username] do
+      click_on "Account Settings"
+      assert page.has_content? I18n.t('destroy_my_account')
+      assert page.has_no_css? '#update_login_and_password'
+      assert page.has_css? '#update_pgp_key'
+    end
+  end
+
+  test "change password" do
+    with_config user_actions: ['change_password'] do
+      username, password = submit_signup
+      click_on "Account Settings"
+      within('#update_login_and_password') do
+        fill_in 'Password', with: "other password"
+        fill_in 'Password confirmation', with: "other password"
+        click_on 'Save'
+      end
+      click_on 'Logout'
+      attempt_login(username, "other password")
+      assert page.has_content?("Welcome #{username}")
+      User.find_by_login(username).account.destroy
+    end
+  end
+
+  test "change pgp key" do
+    with_config user_actions: ['change_pgp_key'] do
+      pgp_key = FactoryGirl.build :pgp_key
+      username, password = submit_signup
+      click_on "Account Settings"
+      within('#update_pgp_key') do
+        fill_in 'Public key', with: pgp_key
+        click_on 'Save'
+      end
+      page.assert_selector 'input[value="Saving..."]'
+      # at some point we're done:
+      page.assert_no_selector 'input[value="Saving..."]'
+      assert page.has_field? 'Public key', with: pgp_key.to_s
+      user = User.find_by_login(username)
+      assert_equal pgp_key, user.public_key
+      user.account.destroy
+    end
+  end
+
+
+  # trying to seed an invalid A for srp login
+  test "detects attempt to circumvent SRP" do
+    user = FactoryGirl.create :user
+    visit '/login'
+    fill_in 'Username', with: user.login
+    fill_in 'Password', with: "password"
+    inject_malicious_js
+    click_on 'Log In'
+    assert page.has_content?("Invalid random key")
+    assert page.has_no_content?("Welcome")
+    user.destroy
+  end
+
+  test "reports internal server errors" do
+    V1::UsersController.any_instance.stubs(:create).raises
+    submit_signup
+    assert page.has_content?("server failed")
+  end
+
+  def attempt_login(username, password)
+    click_on 'Log In'
+    fill_in 'Username', with: username
+    fill_in 'Password', with: password
+    click_on 'Log In'
+  end
+
+  def assert_invalid_login(page)
+    assert page.has_selector? 'input.btn-primary.disabled'
+    assert page.has_content? I18n.t(:invalid_user_pass)
+    assert page.has_no_selector? 'input.btn-primary.disabled'
+  end
+
+  def inject_malicious_js
+    page.execute_script <<-EOJS
+      var calc = new srp.Calculate();
+      calc.A = function(_a) {return "00";};
+      calc.S = calc.A;
+      srp.session = new srp.Session(null, calc);
+    EOJS
+  end
+end
diff --git a/test/integration/browser/session_test.rb b/test/integration/browser/session_test.rb
new file mode 100644
index 0000000..3a41b3a
--- /dev/null
+++ b/test/integration/browser/session_test.rb
@@ -0,0 +1,27 @@
+require 'test_helper'
+
+class SessionTest < BrowserIntegrationTest
+
+  setup do
+    @username, password = submit_signup
+  end
+
+  teardown do
+    user = User.find_by_login(@username)
+    id = user.identity
+    id.destroy
+    user.destroy
+  end
+
+  test "valid session" do
+    assert page.has_content?("Welcome #{@username}")
+  end
+
+  test "expired session" do
+    assert page.has_content?("Welcome #{@username}")
+    pretend_now_is(Time.now + 40.minutes) do
+      visit '/'
+      assert page.has_no_content?("Welcome #{@username}")
+    end
+  end
+end
diff --git a/test/integration/navigation_test.rb b/test/integration/navigation_test.rb
new file mode 100644
index 0000000..eec8c0e
--- /dev/null
+++ b/test/integration/navigation_test.rb
@@ -0,0 +1,9 @@
+require 'test_helper'
+
+class NavigationTest < ActionDispatch::IntegrationTest
+
+  # test "the truth" do
+  #   assert true
+  # end
+end
+
author	Azul <azul@leap.se>	2014-04-08 11:49:14 +0200
committer	Azul <azul@leap.se>	2014-04-08 11:49:14 +0200
commit	b6d14dc19dd350a807826e3e097738a36613e083 (patch)
tree	093dc5f2f1e773e3ad009d28d1fd24667d3c0ba6 /test/integration
parent	2e11e3ca2c7b02fdb5ff54f0bcd766cc5fa39975 (diff)