From 62c48c5a14ea0c1221216c3e40eb82ef594f2771 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Apr 2013 14:20:55 +0200 Subject: send salt on Session#create without srp ephemeral A --- users/app/controllers/v1/sessions_controller.rb | 7 ++++++- users/test/functional/v1/sessions_controller_test.rb | 11 ++++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb index 0551ca9..9365d76 100644 --- a/users/app/controllers/v1/sessions_controller.rb +++ b/users/app/controllers/v1/sessions_controller.rb @@ -13,7 +13,12 @@ module V1 def create logout if logged_in? - authenticate! + if params['A'] + authenticate! + else + @user = User.find_by_login(params['login']) + render :json => {salt: @user.salt} + end end def update diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index be085ce..535da52 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -7,7 +7,7 @@ class V1::SessionsControllerTest < ActionController::TestCase setup do @request.env['HTTP_HOST'] = 'api.lvh.me' - @user = stub :login => "me", :id => 123 + @user = stub_record :user @client_hex = 'a123' end @@ -36,6 +36,15 @@ class V1::SessionsControllerTest < ActionController::TestCase post :create, :login => @user.login, 'A' => @client_hex end + test "should send salt" do + User.expects(:find_by_login).with(@user.login).returns(@user) + + post :create, :login => @user.login + + assert_equal @user, assigns(:user) + assert_json_response salt: @user.salt + end + test "should authorize" do request.env['warden'].expects(:authenticate!) @controller.expects(:current_user).returns(@user) -- cgit v1.2.3 From d781dbdd61d1d24ec4828859a28815b55310154d Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Apr 2013 16:56:11 +0200 Subject: send more meaningful error message on completely failed login attempt --- .../controller_extension/authentication.rb | 16 +++++++++++++- users/config/locales/en.yml | 1 + users/test/functional/sessions_controller_test.rb | 11 ++++++++-- .../test/functional/v1/sessions_controller_test.rb | 16 -------------- users/test/integration/api/account_flow_test.rb | 6 ++++-- users/test/integration/api/login_test.rb | 25 ++++++++++++++++++++++ 6 files changed, 54 insertions(+), 21 deletions(-) create mode 100644 users/test/integration/api/login_test.rb diff --git a/users/app/controllers/controller_extension/authentication.rb b/users/app/controllers/controller_extension/authentication.rb index f2184d9..f0a6564 100644 --- a/users/app/controllers/controller_extension/authentication.rb +++ b/users/app/controllers/controller_extension/authentication.rb @@ -8,13 +8,27 @@ module ControllerExtension::Authentication end def authentication_errors - return unless errors = warden.winning_strategy.try(:message) + return unless attempted_login? + errors = get_warden_errors errors.inject({}) do |translated,err| translated[err.first] = I18n.t(err.last) translated end end + def get_warden_errors + if strategy = warden.winning_strategy + strategy.message + else + { login: :all_strategies_failed } + end + end + + def attempted_login? + request.env['warden.options'] && + request.env['warden.options'][:attempted_path] + end + def logged_in? !!current_user end diff --git a/users/config/locales/en.yml b/users/config/locales/en.yml index 9e7d4b2..2077858 100644 --- a/users/config/locales/en.yml +++ b/users/config/locales/en.yml @@ -6,6 +6,7 @@ en: login: "Login" login_message: "Please login with your account." invalid_user_pass: "Not a valid username/password combination" + all_strategies_failed: "Could not understand your login attempt. Please first send your login and a SRP ephemeral value A and then send the client_auth in the same session (using cookies)." update_login_and_password: "Update Login and Password" cancel_account: "Cancel your account" remove_account: "Remove Account" diff --git a/users/test/functional/sessions_controller_test.rb b/users/test/functional/sessions_controller_test.rb index f99c0d7..b22c3a3 100644 --- a/users/test/functional/sessions_controller_test.rb +++ b/users/test/functional/sessions_controller_test.rb @@ -11,7 +11,6 @@ class SessionsControllerTest < ActionController::TestCase end test "should get login screen" do - request.env['warden'].expects(:winning_strategy) get :new assert_response :success assert_equal "text/html", response.content_type @@ -19,13 +18,13 @@ class SessionsControllerTest < ActionController::TestCase end test "renders json" do - request.env['warden'].expects(:winning_strategy) get :new, :format => :json assert_response :success assert_json_error nil end test "renders warden errors" do + request.env['warden.options'] = {attempted_path: '/1/sessions/asdf.json'} strategy = stub :message => {:field => :translate_me} request.env['warden'].stubs(:winning_strategy).returns(strategy) I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") @@ -34,6 +33,14 @@ class SessionsControllerTest < ActionController::TestCase assert_json_error :field => "translation stub" end + test "renders failed attempt message" do + request.env['warden.options'] = {attempted_path: '/1/sessions/asdf.json'} + request.env['warden'].stubs(:winning_strategy).returns(nil) + get :new, :format => :json + assert_response 422 + assert_json_error :login => I18n.t(:all_strategies_failed) + end + # Warden takes care of parsing the params and # rendering the response. So not much to test here. test "should perform handshake" do diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 535da52..1226c9d 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -11,22 +11,6 @@ class V1::SessionsControllerTest < ActionController::TestCase @client_hex = 'a123' end - test "renders json" do - request.env['warden'].expects(:winning_strategy) - get :new, :format => :json - assert_response :success - assert_json_error nil - end - - test "renders warden errors" do - strategy = stub :message => {:field => :translate_me} - request.env['warden'].stubs(:winning_strategy).returns(strategy) - I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") - get :new, :format => :json - assert_response 422 - assert_json_error :field => "translation stub" - end - # Warden takes care of parsing the params and # rendering the response. So not much to test here. test "should perform handshake" do diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index e618541..d1a97e9 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -75,7 +75,8 @@ class AccountFlowTest < ActiveSupport::TestCase test "signup and wrong password login attempt" do srp = SRP::Client.new @login, :password => "wrong password" server_auth = srp.authenticate(self) - assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"}) + assert_json_error login: "Not a valid username/password combination", + password: "Not a valid username/password combination" assert !last_response.successful? assert_nil server_auth["M2"] end @@ -86,7 +87,8 @@ class AccountFlowTest < ActiveSupport::TestCase assert_raises RECORD_NOT_FOUND do server_auth = srp.authenticate(self) end - assert_json_error({:login => "Not a valid username/password combination", :password => "Not a valid username/password combination"}) + assert_json_error login: "Not a valid username/password combination", + password: "Not a valid username/password combination" assert !last_response.successful? assert_nil server_auth end diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb new file mode 100644 index 0000000..ba82c8e --- /dev/null +++ b/users/test/integration/api/login_test.rb @@ -0,0 +1,25 @@ +require 'test_helper' + +CONFIG_RU = (Rails.root + 'config.ru').to_s +OUTER_APP = Rack::Builder.parse_file(CONFIG_RU).first + +class AccountFlowTest < ActiveSupport::TestCase + include Rack::Test::Methods + include Warden::Test::Helpers + include LeapWebCore::AssertResponses + + def app + OUTER_APP + end + + def setup + @login = "integration_test_user" + end + + test "require json requests" do + put "http://api.lvh.me:3000/1/sessions/" + @login, + :client_auth => "This is not a valid login anyway" + assert_json_error login: I18n.t(:all_strategies_failed) + end + +end -- cgit v1.2.3 From f4172ac9ea7a484659fa2019119533bc9569880f Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 3 Apr 2013 11:21:00 +0200 Subject: fixed tests to use setup and teardown blocks --- users/test/integration/api/account_flow_test.rb | 17 ++++------------- users/test/integration/api/login_test.rb | 15 +++------------ 2 files changed, 7 insertions(+), 25 deletions(-) diff --git a/users/test/integration/api/account_flow_test.rb b/users/test/integration/api/account_flow_test.rb index d1a97e9..1698105 100644 --- a/users/test/integration/api/account_flow_test.rb +++ b/users/test/integration/api/account_flow_test.rb @@ -1,18 +1,9 @@ require 'test_helper' +require_relative 'rack_test' -CONFIG_RU = (Rails.root + 'config.ru').to_s -OUTER_APP = Rack::Builder.parse_file(CONFIG_RU).first +class AccountFlowTest < RackTest -class AccountFlowTest < ActiveSupport::TestCase - include Rack::Test::Methods - include Warden::Test::Helpers - include LeapWebCore::AssertResponses - - def app - OUTER_APP - end - - def setup + setup do @login = "integration_test_user" User.find_by_login(@login).tap{|u| u.destroy if u} @password = "srp, verify me!" @@ -26,7 +17,7 @@ class AccountFlowTest < ActiveSupport::TestCase @user = User.find_by_login(@login) end - def teardown + teardown do @user.destroy if @user Warden.test_reset! end diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb index ba82c8e..fb761e5 100644 --- a/users/test/integration/api/login_test.rb +++ b/users/test/integration/api/login_test.rb @@ -1,18 +1,9 @@ require 'test_helper' +require_relative 'rack_test' -CONFIG_RU = (Rails.root + 'config.ru').to_s -OUTER_APP = Rack::Builder.parse_file(CONFIG_RU).first +class AccountFlowTest < RackTest -class AccountFlowTest < ActiveSupport::TestCase - include Rack::Test::Methods - include Warden::Test::Helpers - include LeapWebCore::AssertResponses - - def app - OUTER_APP - end - - def setup + setup do @login = "integration_test_user" end -- cgit v1.2.3 From 654ab25fa4659119d5ddaa9ae116fce69a386ab1 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 3 Apr 2013 11:22:16 +0200 Subject: make sure user tests also run when run from users subdir * The APP_CONFIG needs to be initialized in core so that is required from other engines * paths for load_views need to be relative to the model - not to rails root. --- config/initializers/load_config.rb | 7 ------- core/config/initializers/load_config.rb | 7 +++++++ help/app/models/ticket.rb | 3 ++- users/app/models/user.rb | 3 ++- users/test/integration/api/rack_test.rb | 12 ++++++++++++ 5 files changed, 23 insertions(+), 9 deletions(-) delete mode 100644 config/initializers/load_config.rb create mode 100644 core/config/initializers/load_config.rb create mode 100644 users/test/integration/api/rack_test.rb diff --git a/config/initializers/load_config.rb b/config/initializers/load_config.rb deleted file mode 100644 index b2b0318..0000000 --- a/config/initializers/load_config.rb +++ /dev/null @@ -1,7 +0,0 @@ -def load_config_file(file) - File.exists?(file) ? YAML.load_file(file)[Rails.env] : {} -end - -defaults = load_config_file("#{Rails.root}/config/defaults.yml") || {} -config = load_config_file("#{Rails.root}/config/config.yml") || {} -APP_CONFIG = defaults.merge(config).with_indifferent_access diff --git a/core/config/initializers/load_config.rb b/core/config/initializers/load_config.rb new file mode 100644 index 0000000..b2b0318 --- /dev/null +++ b/core/config/initializers/load_config.rb @@ -0,0 +1,7 @@ +def load_config_file(file) + File.exists?(file) ? YAML.load_file(file)[Rails.env] : {} +end + +defaults = load_config_file("#{Rails.root}/config/defaults.yml") || {} +config = load_config_file("#{Rails.root}/config/config.yml") || {} +APP_CONFIG = defaults.merge(config).with_indifferent_access diff --git a/help/app/models/ticket.rb b/help/app/models/ticket.rb index a456fe5..738487a 100644 --- a/help/app/models/ticket.rb +++ b/help/app/models/ticket.rb @@ -47,7 +47,8 @@ class Ticket < CouchRest::Model::Base view :by_is_open_and_created_at view :by_is_open_and_updated_at - load_views(Rails.root.join('help', 'app', 'designs', 'ticket')) + own_path = Pathname.new(File.dirname(__FILE__)) + load_views(own_path.join('..', 'designs', 'ticket')) end validates :title, :presence => true diff --git a/users/app/models/user.rb b/users/app/models/user.rb index c9b367f..62c5054 100644 --- a/users/app/models/user.rb +++ b/users/app/models/user.rb @@ -47,7 +47,8 @@ class User < CouchRest::Model::Base timestamps! design do - load_views(Rails.root.join('users', 'app', 'designs', 'user')) + own_path = Pathname.new(File.dirname(__FILE__)) + load_views(own_path.join('..', 'designs', 'user')) view :by_login view :by_created_at end diff --git a/users/test/integration/api/rack_test.rb b/users/test/integration/api/rack_test.rb new file mode 100644 index 0000000..da960f2 --- /dev/null +++ b/users/test/integration/api/rack_test.rb @@ -0,0 +1,12 @@ +CONFIG_RU = (Rails.root + 'config.ru').to_s +OUTER_APP = Rack::Builder.parse_file(CONFIG_RU).first + +class RackTest < ActiveSupport::TestCase + include Rack::Test::Methods + include Warden::Test::Helpers + include LeapWebCore::AssertResponses + + def app + OUTER_APP + end +end -- cgit v1.2.3