From 2fe1c1f23d5ac09f3eda68fa247e1efdf31f520b Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 2 Apr 2013 10:35:02 +0200
Subject: added vim tempfiles to gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 5536c6f..73cd22e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -28,3 +28,4 @@ public/config/*
 public/provider.json
 config/config.yml
 bin
+.*.swp
-- 
cgit v1.2.3
From aedfab27b9a03f41638fefb1b39857ca66a99257 Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 2 Apr 2013 10:35:21 +0200
Subject: initial token model and unit test
---
 users/app/models/token.rb | 10 ++++++++++
 users/test/unit/token_test.rb | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 users/app/models/token.rb
 create mode 100644 users/test/unit/token_test.rb
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
new file mode 100644
index 0000000..9de6850
--- /dev/null
+++ b/users/app/models/token.rb
@@ -0,0 +1,10 @@
+class Token < CouchRest::Model::Base
+
+ use_database :tokens
+
+ property :user_id, String, accessible: false
+
+ validates :user_id, presence: true
+
+end
+
diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb
new file mode 100644
index 0000000..d409265
--- /dev/null
+++ b/users/test/unit/token_test.rb
@@ -0,0 +1,24 @@
+require 'test_helper'
+
+class ClientCertificateTest < ActiveSupport::TestCase
+
+ setup do
+ @user = FactoryGirl.create(:user)
+ end
+
+ teardown do
+ @user.destroy
+ end
+
+ test "new token for user" do
+ sample = Token.new(:user_id => @user.id)
+ assert sample.valid?
+ assert_equal @user.id, sample.user_id
+ end
+
+ test "token checks for user" do
+ sample = Token.new
+ assert !sample.valid?, "Token should require a user record"
+
+
+end
-- 
cgit v1.2.3
From 08ce330fd3676ba0b51d604a2aa653c680fffea5 Mon Sep 17 00:00:00 2001
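Review bot: The Token model in the new token.rb hunk records no creation time and has no notion of expiry, so a token document stays usable for as long as it exists in the `tokens` database and nothing on this page ever expires or revokes one. Adding `timestamps!` next to `use_database :tokens` would at least give a later expiry or cleanup check a `created_at` to work from. The `presence` validation also only checks that `user_id` is non-blank, not that it names an existing user; whether a stricter check is needed depends on how callers obtain the id, which this hunk does not show.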
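Review bot: The test class in the new token_test.rb is named `ClientCertificateTest` although it exercises `Token`; if a class of that name exists elsewhere in the suite Ruby would reopen it and merge the two bodies, so this should read `class TokenTest < ActiveSupport::TestCase`. As rendered here the "token checks for user" block is not closed before the class-level `end`; if that is the actual file content rather than an artifact of the listing, the file will not parse.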
From: Azul
Date: Tue, 2 Apr 2013 10:58:13 +0200
Subject: let's use safe ids instead of the default couch ones
Couch uses partly random partly sequential ids by default. We could change that in couch config to be all random. But this is probably more safe.
---
 users/app/models/token.rb | 7 +++++++
 users/test/unit/token_test.rb | 13 +++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/users/app/models/token.rb b/users/app/models/token.rb
index 9de6850..44a6dfe 100644
--- a/users/app/models/token.rb
+++ b/users/app/models/token.rb
@@ -6,5 +6,12 @@ class Token < CouchRest::Model::Base
 validates :user_id, presence: true
+ def initialize(*args)
+ super
+ self.id = SecureRandom.urlsafe_base64(32)
+ end
+
+ design do
+ end
 end
diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb
index d409265..bff6b71 100644
--- a/users/test/unit/token_test.rb
+++ b/users/test/unit/token_test.rb
@@ -16,6 +16,19 @@ class ClientCertificateTest < ActiveSupport::TestCase
 assert_equal @user.id, sample.user_id
 end
+ test "token id is secure" do
+ sample = Token.new(:user_id => @user.id)
+ other = Token.new(:user_id => @user.id)
+ assert sample.id,
+ "id is set on initialization"
+ assert sample.id[0..10] != other.id[0..10],
+ "token id prefixes should not repeat"
+ assert /[g-zG-Z]/.match(sample.id),
+ "should use non hex chars in the token id"
+ assert sample.id.size > 16,
+ "token id should be more than 16 chars long"
+ end
+
 test "token checks for user" do
 sample = Token.new
 assert !sample.valid?, "Token should require a user record"
-- 
cgit v1.2.3
From 2bd36ec96d42f0b4585a15759f33ff7f89075dcc Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 2 Apr 2013 12:45:58 +0200
Subject: return token on successful login via api
---
 core/lib/extensions/testing.rb | 9 +++++++-
 users/app/controllers/v1/sessions_controller.rb | 3 ++-
 .../test/functional/v1/sessions_controller_test.rb | 25 ++++++++++++++--------
 3 files changed, 26 insertions(+), 11 deletions(-)
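Review bot: `initialize` in the token.rb hunk overwrites `self.id` unconditionally, so any path that builds a Token through `new` from an existing document — which, in the CouchRest::Model versions I know, is how persisted records are loaded — would come back with a fresh random id instead of the stored one, and saving it would create a second document. Assigning only when no id is present, `self.id ||= SecureRandom.urlsafe_base64(32)`, limits the override to genuinely new tokens; confirm against the CouchRest::Model version the project pins. Since this id later doubles as the secret handed to API clients, note that it is also stored in clear as the document key, which is a choice to make consciously. The empty `design do end` block adds nothing and can be dropped until a view is needed.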
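Review bot: The "token id is secure" test only inspects unsaved objects, so it never checks that the id chosen in `initialize` is the one the document is stored under and found by again — the property the model's `initialize` override most needs covered. A persisted round trip such as `sample.save; assert_equal sample.id, Token.get(sample.id).id; sample.destroy` would pin that down (the destroy keeps the tokens database clean, since teardown only removes `@user`). `assert /[g-zG-Z]/.match(sample.id), …` is more idiomatically `assert_match /[g-zG-Z]/, sample.id, …`.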
diff --git a/core/lib/extensions/testing.rb b/core/lib/extensions/testing.rb
index 925c023..aad7fc1 100644
--- a/core/lib/extensions/testing.rb
+++ b/core/lib/extensions/testing.rb
@@ -14,10 +14,17 @@ module LeapWebCore
 get_response.headers["Content-Disposition"]
 end
+ def json_response
+ response = JSON.parse(get_response.body)
+ response.respond_to?(:with_indifferent_access) ?
+ response.with_indifferent_access :
+ response
+ end
+
 def assert_json_response(object)
 if object.is_a? Hash
 object.stringify_keys! if object.respond_to? :stringify_keys!
- assert_equal object, JSON.parse(get_response.body)
+ assert_equal object, json_response
 else
 assert_equal object.to_json, get_response.body
 end
diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb
index 9365d76..e3459d6 100644
--- a/users/app/controllers/v1/sessions_controller.rb
+++ b/users/app/controllers/v1/sessions_controller.rb
@@ -23,6 +23,7 @@ module V1
 def update
 authenticate!
+ @token = Token.create(:user_id => current_user.id)
 render :json => login_response
 end
@@ -35,7 +36,7 @@ module V1
 def login_response
 handshake = session.delete(:handshake)
- handshake.to_hash.merge(:id => current_user.id)
+ handshake.to_hash.merge(:id => current_user.id, :token => @token.id)
 end
 end
diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb
index 1226c9d..7c6b595 100644
--- a/users/test/functional/v1/sessions_controller_test.rb
+++ b/users/test/functional/v1/sessions_controller_test.rb
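Review bot: `Token.create` in `update` returns the new object whether or not the save succeeded (that is how CouchRest::Model's `create` behaves, as opposed to `create!`), so when the document cannot be written — validation failure, database unreachable — `login_response` still hands the client a token id that the model minted in memory and that no later lookup will find. `@token = Token.create!(:user_id => current_user.id)` would surface the failure instead of answering the login with an unusable credential. In the second hunk `login_response` now dereferences `@token`, which only `update` sets; any other action that renders `login_response` would raise `NoMethodError` on nil, though I cannot see the rest of the controller to tell whether one exists. As the token is a bearer secret from here on, the response that carries it should only be served over TLS; worth stating where the API is documented.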
@@ -11,6 +11,22 @@ class V1::SessionsControllerTest < ActionController::TestCase
 @client_hex = 'a123'
 end
+ test "renders json" do
+ request.env['warden'].expects(:winning_strategy)
+ get :new, :format => :json
+ assert_response :success
+ assert_json_error nil
+ end
+
+ test "renders warden errors" do
+ strategy = stub :message => {:field => :translate_me}
+ request.env['warden'].stubs(:winning_strategy).returns(strategy)
+ I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub")
+ get :new, :format => :json
+ assert_response 422
+ assert_json_error :field => "translation stub"
+ end
+
 # Warden takes care of parsing the params and
 # rendering the response. So not much to test here.
 test "should perform handshake" do
@@ -20,15 +36,6 @@ class V1::SessionsControllerTest < ActionController::TestCase
 post :create, :login => @user.login, 'A' => @client_hex
 end
- test "should send salt" do
- User.expects(:find_by_login).with(@user.login).returns(@user)
-
- post :create, :login => @user.login
-
- assert_equal @user, assigns(:user)
- assert_json_response salt: @user.salt
- end
-
 test "should authorize" do
 request.env['warden'].expects(:authenticate!)
 @controller.expects(:current_user).returns(@user)
-- 
cgit v1.2.3
From 53e3198196033f2dd77c09be6919cbef72f3f5d8 Mon Sep 17 00:00:00 2001
From: Azul
Date: Tue, 9 Apr 2013 21:04:48 +0200
Subject: adopting tests to new behavior
---
 users/test/functional/v1/sessions_controller_test.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb
index 7c6b595..0c4e325 100644
--- a/users/test/functional/v1/sessions_controller_test.rb
+++ b/users/test/functional/v1/sessions_controller_test.rb
@@ -12,13 +12,13 @@ class V1::SessionsControllerTest < ActionController::TestCase
 end
 test "renders json" do
- request.env['warden'].expects(:winning_strategy)
 get :new, :format => :json
 assert_response :success
 assert_json_error nil
 end
 test "renders warden errors" do
+ request.env['warden.options'] = {attempted_path: 'path/to/controller'}
 strategy = stub :message => {:field => :translate_me}
 request.env['warden'].stubs(:winning_strategy).returns(strategy)
 I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub")
@@ -38,7 +38,7 @@ class V1::SessionsControllerTest < ActionController::TestCase
 test "should authorize" do
 request.env['warden'].expects(:authenticate!)
- @controller.expects(:current_user).returns(@user)
+ @controller.stubs(:current_user).returns(@user)
 handshake = stub(:to_hash => {h: "ash"})
 session[:handshake] = handshake
@@ -46,7 +46,8 @@ class V1::SessionsControllerTest < ActionController::TestCase
 assert_nil session[:handshake]
 assert_response :success
- assert_json_response handshake.to_hash.merge(id: @user.id)
+ assert json_response.keys.include?("id")
+ assert json_response.keys.include?("token")
 end
 test "logout should reset warden user" do
-- 
cgit v1.2.3
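Review bot: The replacement assertions in the last hunk only check that the `id` and `token` keys exist, which drops the earlier guarantee that the handshake fields and the user's id come back and says nothing about the token value — a `nil` token or another user's id would pass. Pinning the values, `assert_equal @user.id, json_response["id"]` and `assert_equal @user.id, Token.get(json_response["token"]).user_id`, would test what the login response is meant to hand out; `json_response.key?("id")` is also the idiomatic form of `json_response.keys.include?("id")`. The Token that `update` creates during this test stays in the database afterwards unless teardown, which is outside the hunk, removes it.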