summaryrefslogtreecommitdiff
path: root/users/test/integration/api/account_flow_test.rb
blob: edd08597a8108f8252758e267fb136842ea98ffd (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

require 'test_helper'
require_relative 'rack_test'

class AccountFlowTest < RackTest

  setup do
    @login = "integration_test_user"
    Identity.find_by_address(@login + '@' + APP_CONFIG[:domain]).tap{|i| i.destroy if i}
    User.find_by_login(@login).tap{|u| u.destroy if u}
    @password = "srp, verify me!"
    @srp = SRP::Client.new @login, :password => @password
    @user_params = {
      :login => @login,
      :password_verifier => @srp.verifier.to_s(16),
      :password_salt => @srp.salt.to_s(16)
    }
    post 'http://api.lvh.me:3000/1/users.json', :user => @user_params
    @user = User.find_by_login(@login)
  end

  teardown do
    if @user.reload
      @user.identity.destroy
      @user.destroy
    end
    Warden.test_reset!
  end

  # this test wraps the api and implements the interface the ruby-srp client.
  def handshake(login, aa)
    post "http://api.lvh.me:3000/1/sessions.json",
      :login => login,
      'A' => aa,
      :format => :json
    response = JSON.parse(last_response.body)
    if response['errors']
      raise RECORD_NOT_FOUND.new(response['errors'])
    else
      return response['B']
    end
  end

  def validate(m)
    put "http://api.lvh.me:3000/1/sessions/" + @login + '.json',
      :client_auth => m,
      :format => :json
    return JSON.parse(last_response.body)
  end

  test "signup response" do
    assert_json_response :login => @login, :ok => true
    assert last_response.successful?
  end

  test "signup and login with srp via api" do
    server_auth = @srp.authenticate(self)
    assert last_response.successful?
    assert_nil server_auth["errors"]
    assert server_auth["M2"]
  end

  test "signup and wrong password login attempt" do
    srp = SRP::Client.new @login, :password => "wrong password"
    server_auth = srp.authenticate(self)
    assert_json_error "base" => "Not a valid username/password combination"
    assert !last_response.successful?
    assert_nil server_auth["M2"]
  end

  test "signup and wrong username login attempt" do
    srp = SRP::Client.new "wrong_login", :password => @password
    server_auth = nil
    assert_raises RECORD_NOT_FOUND do
      server_auth = srp.authenticate(self)
    end
    assert_json_error "base" => "Not a valid username/password combination"
    assert !last_response.successful?
    assert_nil server_auth
  end

  test "update password via api" do
    @srp.authenticate(self)
    @password = "No! Verify me instead."
    @srp = SRP::Client.new @login, :password => @password
    @user_params = {
    #  :login => @login,
      :password_verifier => @srp.verifier.to_s(16),
      :password_salt => @srp.salt.to_s(16)
    }
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
      :user => @user_params,
      :format => :json
    server_auth = @srp.authenticate(self)
    assert last_response.successful?
    assert_nil server_auth["errors"]
    assert server_auth["M2"]
  end

  test "prevent changing login without changing password_verifier" do
    server_auth = @srp.authenticate(self)
    original_login = @user.login
    new_login = 'zaph'
    User.find_by_login(new_login).try(:destroy)
    Identity.by_address.key(new_login + '@' + APP_CONFIG[:domain]).each do |identity|
      identity.destroy
    end
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:login => new_login}, :format => :json
    assert last_response.successful?
    # does not change login if no password_verifier is present
    assert_equal original_login, @user.login
  end

  test "upload pgp key" do
    server_auth = @srp.authenticate(self)
    key = FactoryGirl.build :pgp_key
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json
    assert_equal key, Identity.for(@user).keys[:pgp]
  end

  # eventually probably want to remove most of this into a non-integration
  # functional test
  test "prevent uploading invalid key" do
    server_auth = @srp.authenticate(self)
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => :blah}, :format => :json
    assert_nil Identity.for(@user).keys[:pgp]
  end

  test "prevent emptying public key" do
    server_auth = @srp.authenticate(self)
    key = FactoryGirl.build :pgp_key
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => key}, :format => :json
    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json', :user => {:public_key => ""}, :format => :json
    assert_equal key, Identity.for(@user).keys[:pgp]
  end

end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 03:58:17 +0000