From aedfab27b9a03f41638fefb1b39857ca66a99257 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Apr 2013 10:35:21 +0200 Subject: initial token model and unit test --- users/app/models/token.rb | 10 ++++++++++ users/test/unit/token_test.rb | 24 ++++++++++++++++++++++++ 2 files changed, 34 insertions(+) create mode 100644 users/app/models/token.rb create mode 100644 users/test/unit/token_test.rb (limited to 'users') diff --git a/users/app/models/token.rb b/users/app/models/token.rb new file mode 100644 index 0000000..9de6850 --- /dev/null +++ b/users/app/models/token.rb @@ -0,0 +1,10 @@ +class Token < CouchRest::Model::Base + + use_database :tokens + + property :user_id, String, accessible: false + + validates :user_id, presence: true + +end + diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb new file mode 100644 index 0000000..d409265 --- /dev/null +++ b/users/test/unit/token_test.rb @@ -0,0 +1,24 @@ +require 'test_helper' + +class ClientCertificateTest < ActiveSupport::TestCase + + setup do + @user = FactoryGirl.create(:user) + end + + teardown do + @user.destroy + end + + test "new token for user" do + sample = Token.new(:user_id => @user.id) + assert sample.valid? + assert_equal @user.id, sample.user_id + end + + test "token checks for user" do + sample = Token.new + assert !sample.valid?, "Token should require a user record" + end + +end -- cgit v1.2.3 From 08ce330fd3676ba0b51d604a2aa653c680fffea5 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Apr 2013 10:58:13 +0200 Subject: let's use safe ids instead of the default couch ones Couch uses partly random partly sequential ids by default. We could change that in couch config to be all random. But this is probably more safe. --- users/app/models/token.rb | 7 +++++++ users/test/unit/token_test.rb | 13 +++++++++++++ 2 files changed, 20 insertions(+) (limited to 'users') diff --git a/users/app/models/token.rb b/users/app/models/token.rb index 9de6850..44a6dfe 100644 --- a/users/app/models/token.rb +++ b/users/app/models/token.rb @@ -6,5 +6,12 @@ class Token < CouchRest::Model::Base validates :user_id, presence: true + def initialize(*args) + super + self.id = SecureRandom.urlsafe_base64(32) + end + + design do + end end diff --git a/users/test/unit/token_test.rb b/users/test/unit/token_test.rb index d409265..bff6b71 100644 --- a/users/test/unit/token_test.rb +++ b/users/test/unit/token_test.rb @@ -16,6 +16,19 @@ class ClientCertificateTest < ActiveSupport::TestCase assert_equal @user.id, sample.user_id end + test "token id is secure" do + sample = Token.new(:user_id => @user.id) + other = Token.new(:user_id => @user.id) + assert sample.id, + "id is set on initialization" + assert sample.id[0..10] != other.id[0..10], + "token id prefixes should not repeat" + assert /[g-zG-Z]/.match(sample.id), + "should use non hex chars in the token id" + assert sample.id.size > 16, + "token id should be more than 16 chars long" + end + test "token checks for user" do sample = Token.new assert !sample.valid?, "Token should require a user record" -- cgit v1.2.3 From 2bd36ec96d42f0b4585a15759f33ff7f89075dcc Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 2 Apr 2013 12:45:58 +0200 Subject: return token on successful login via api --- users/app/controllers/v1/sessions_controller.rb | 3 ++- .../test/functional/v1/sessions_controller_test.rb | 25 ++++++++++++++-------- 2 files changed, 18 insertions(+), 10 deletions(-) (limited to 'users') diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb index 9365d76..e3459d6 100644 --- a/users/app/controllers/v1/sessions_controller.rb +++ b/users/app/controllers/v1/sessions_controller.rb @@ -23,6 +23,7 @@ module V1 def update authenticate! + @token = Token.create(:user_id => current_user.id) render :json => login_response end @@ -35,7 +36,7 @@ module V1 def login_response handshake = session.delete(:handshake) - handshake.to_hash.merge(:id => current_user.id) + handshake.to_hash.merge(:id => current_user.id, :token => @token.id) end end diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 1226c9d..7c6b595 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -11,6 +11,22 @@ class V1::SessionsControllerTest < ActionController::TestCase @client_hex = 'a123' end + test "renders json" do + request.env['warden'].expects(:winning_strategy) + get :new, :format => :json + assert_response :success + assert_json_error nil + end + + test "renders warden errors" do + strategy = stub :message => {:field => :translate_me} + request.env['warden'].stubs(:winning_strategy).returns(strategy) + I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") + get :new, :format => :json + assert_response 422 + assert_json_error :field => "translation stub" + end + # Warden takes care of parsing the params and # rendering the response. So not much to test here. test "should perform handshake" do @@ -20,15 +36,6 @@ class V1::SessionsControllerTest < ActionController::TestCase post :create, :login => @user.login, 'A' => @client_hex end - test "should send salt" do - User.expects(:find_by_login).with(@user.login).returns(@user) - - post :create, :login => @user.login - - assert_equal @user, assigns(:user) - assert_json_response salt: @user.salt - end - test "should authorize" do request.env['warden'].expects(:authenticate!) @controller.expects(:current_user).returns(@user) -- cgit v1.2.3 From 53e3198196033f2dd77c09be6919cbef72f3f5d8 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 9 Apr 2013 21:04:48 +0200 Subject: adopting tests to new behavior --- users/test/functional/v1/sessions_controller_test.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'users') diff --git a/users/test/functional/v1/sessions_controller_test.rb b/users/test/functional/v1/sessions_controller_test.rb index 7c6b595..0c4e325 100644 --- a/users/test/functional/v1/sessions_controller_test.rb +++ b/users/test/functional/v1/sessions_controller_test.rb @@ -12,13 +12,13 @@ class V1::SessionsControllerTest < ActionController::TestCase end test "renders json" do - request.env['warden'].expects(:winning_strategy) get :new, :format => :json assert_response :success assert_json_error nil end test "renders warden errors" do + request.env['warden.options'] = {attempted_path: 'path/to/controller'} strategy = stub :message => {:field => :translate_me} request.env['warden'].stubs(:winning_strategy).returns(strategy) I18n.expects(:t).with(:translate_me).at_least_once.returns("translation stub") @@ -38,7 +38,7 @@ class V1::SessionsControllerTest < ActionController::TestCase test "should authorize" do request.env['warden'].expects(:authenticate!) - @controller.expects(:current_user).returns(@user) + @controller.stubs(:current_user).returns(@user) handshake = stub(:to_hash => {h: "ash"}) session[:handshake] = handshake @@ -46,7 +46,8 @@ class V1::SessionsControllerTest < ActionController::TestCase assert_nil session[:handshake] assert_response :success - assert_json_response handshake.to_hash.merge(id: @user.id) + assert json_response.keys.include?("id") + assert json_response.keys.include?("token") end test "logout should reset warden user" do -- cgit v1.2.3