1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
require 'test_helper'
require_relative 'rack_test'
class AccountFlowTest < RackTest
setup do
@login = "integration_test_user"
Identity.find_by_address(@login + '@' + APP_CONFIG[:domain]).tap{|i| i.destroy if i}
User.find_by_login(@login).tap{|u| u.destroy if u}
@password = "srp, verify me!"
@srp = SRP::Client.new @login, :password => @password
@user_params = {
:login => @login,
:password_verifier => @srp.verifier.to_s(16),
:password_salt => @srp.salt.to_s(16)
}
post 'http://api.lvh.me:3000/1/users.json', :user => @user_params
@user = User.find_by_login(@login)
end
teardown do
if @user.reload
@user.identity.destroy
@user.destroy
end
Warden.test_reset!
end
# this test wraps the api and implements the interface the ruby-srp client.
def handshake(login, aa)
post "http://api.lvh.me:3000/1/sessions.json",
:login => login,
'A' => aa,
:format => :json
response = JSON.parse(last_response.body)
if response['errors']
raise RECORD_NOT_FOUND.new(response['errors'])
else
return response['B']
end
end
def validate(m)
put "http://api.lvh.me:3000/1/sessions/" + @login + '.json',
:client_auth => m,
:format => :json
return JSON.parse(last_response.body)
end
test "signup response" do
assert_json_response :login => @login, :ok => true
assert last_response.successful?
end
test "signup and login with srp via api" do
server_auth = @srp.authenticate(self)
assert last_response.successful?
assert_nil server_auth["errors"]
assert server_auth["M2"]
end
test "signup and wrong password login attempt" do
srp = SRP::Client.new @login, :password => "wrong password"
server_auth = srp.authenticate(self)
assert_json_error "base" => "Not a valid username/password combination"
assert !last_response.successful?
assert_nil server_auth["M2"]
end
test "signup and wrong username login attempt" do
srp = SRP::Client.new "wrong_login", :password => @password
server_auth = nil
assert_raises RECORD_NOT_FOUND do
server_auth = srp.authenticate(self)
end
assert_json_error "base" => "Not a valid username/password combination"
assert !last_response.successful?
assert_nil server_auth
end
test "update password via api" do
@srp.authenticate(self)
@password = "No! Verify me instead."
@srp = SRP::Client.new @login, :password => @password
@user_params = {
# :login => @login,
:password_verifier => @srp.verifier.to_s(16),
:password_salt => @srp.salt.to_s(16)
}
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
:user => @user_params,
:format => :json
server_auth = @srp.authenticate(self)
assert last_response.successful?
assert_nil server_auth["errors"]
assert server_auth["M2"]
end
test "prevent changing login without changing password_verifier" do
server_auth = @srp.authenticate(self)
original_login = @user.login
new_login = 'zaph'
User.find_by_login(new_login).try(:destroy)
Identity.by_address.key(new_login + '@' + APP_CONFIG[:domain]).each do |identity|
identity.destroy
end
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:login => new_login}, :format => :json
assert last_response.successful?
# does not change login if no password_verifier is present
assert_equal original_login, @user.login
end
test "upload pgp key" do
server_auth = @srp.authenticate(self)
key = FactoryGirl.build :pgp_key
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json
assert_equal key, Identity.for(@user).keys[:pgp]
end
# eventually probably want to remove most of this into a non-integration
# functional test
test "prevent uploading invalid key" do
server_auth = @srp.authenticate(self)
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => :blah}, :format => :json
assert_nil Identity.for(@user).keys[:pgp]
end
test "prevent emptying public key" do
server_auth = @srp.authenticate(self)
key = FactoryGirl.build :pgp_key
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => ""}, :format => :json
assert_equal key, Identity.for(@user).keys[:pgp]
end
end
|