2019-04-30 08:27:42 +08:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2017-03-01 11:58:24 +08:00
|
|
|
require 'rails_helper'
|
2019-05-13 14:45:24 +08:00
|
|
|
require 'single_sign_on'
|
2017-03-01 11:58:24 +08:00
|
|
|
|
2017-08-24 11:01:11 +08:00
|
|
|
RSpec.describe Users::OmniauthCallbacksController do
|
2019-05-07 11:12:20 +08:00
|
|
|
fab!(:user) { Fabricate(:user) }
|
2017-03-01 11:58:24 +08:00
|
|
|
|
|
|
|
before do
|
|
|
|
OmniAuth.config.test_mode = true
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
2017-05-09 11:26:24 +08:00
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] = nil
|
2017-03-01 11:58:24 +08:00
|
|
|
OmniAuth.config.test_mode = false
|
|
|
|
end
|
|
|
|
|
2018-03-01 15:33:00 +08:00
|
|
|
describe ".find_authenticator" do
|
|
|
|
it "fails if a provider is disabled" do
|
|
|
|
SiteSetting.enable_twitter_logins = false
|
|
|
|
|
|
|
|
expect do
|
|
|
|
Users::OmniauthCallbacksController.find_authenticator("twitter")
|
|
|
|
end.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "fails for unknown" do
|
|
|
|
expect do
|
|
|
|
Users::OmniauthCallbacksController.find_authenticator("twitter1")
|
|
|
|
end.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "finds an authenticator when enabled" do
|
|
|
|
SiteSetting.enable_twitter_logins = true
|
|
|
|
|
|
|
|
expect(Users::OmniauthCallbacksController.find_authenticator("twitter"))
|
|
|
|
.not_to eq(nil)
|
|
|
|
end
|
2018-07-09 12:25:58 +08:00
|
|
|
|
|
|
|
context "with a plugin-contributed auth provider" do
|
|
|
|
|
|
|
|
let :provider do
|
2018-07-31 23:18:50 +08:00
|
|
|
provider = Auth::AuthProvider.new
|
2018-07-23 23:51:57 +08:00
|
|
|
provider.authenticator = Class.new(Auth::Authenticator) do
|
|
|
|
def name
|
|
|
|
'ubuntu'
|
|
|
|
end
|
|
|
|
|
|
|
|
def enabled?
|
|
|
|
SiteSetting.ubuntu_login_enabled
|
|
|
|
end
|
|
|
|
end.new
|
|
|
|
|
2018-07-09 12:25:58 +08:00
|
|
|
provider.enabled_setting = "ubuntu_login_enabled"
|
|
|
|
provider
|
|
|
|
end
|
|
|
|
|
|
|
|
before do
|
2018-07-23 23:51:57 +08:00
|
|
|
DiscoursePluginRegistry.register_auth_provider(provider)
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
DiscoursePluginRegistry.reset!
|
2018-07-09 12:25:58 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "finds an authenticator when enabled" do
|
|
|
|
SiteSetting.stubs(:ubuntu_login_enabled).returns(true)
|
|
|
|
|
|
|
|
expect(Users::OmniauthCallbacksController.find_authenticator("ubuntu"))
|
|
|
|
.to be(provider.authenticator)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "fails if an authenticator is disabled" do
|
|
|
|
SiteSetting.stubs(:ubuntu_login_enabled).returns(false)
|
|
|
|
|
|
|
|
expect { Users::OmniauthCallbacksController.find_authenticator("ubuntu") }
|
|
|
|
.to raise_error(Discourse::InvalidAccess)
|
|
|
|
end
|
|
|
|
end
|
2018-03-01 15:33:00 +08:00
|
|
|
end
|
|
|
|
|
2017-03-01 11:58:24 +08:00
|
|
|
context 'Google Oauth2' do
|
|
|
|
before do
|
|
|
|
SiteSetting.enable_google_oauth2_logins = true
|
|
|
|
end
|
|
|
|
|
2019-08-08 22:49:09 +08:00
|
|
|
it "should display the failure message if needed" do
|
|
|
|
get "/auth/failure"
|
|
|
|
expect(response.status).to eq(200)
|
2019-08-12 17:55:02 +08:00
|
|
|
expect(response.body).to include(I18n.t("login.omniauth_error.generic"))
|
2019-08-08 22:49:09 +08:00
|
|
|
end
|
|
|
|
|
2019-08-08 18:57:28 +08:00
|
|
|
describe "request" do
|
|
|
|
it "should error for non existant authenticators" do
|
|
|
|
post "/auth/fake_auth"
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
get "/auth/fake_auth"
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
|
2019-08-12 17:55:02 +08:00
|
|
|
it "should error for disabled authenticators" do
|
|
|
|
SiteSetting.enable_google_oauth2_logins = false
|
|
|
|
post "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
get "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(403)
|
|
|
|
end
|
|
|
|
|
|
|
|
it "should handle common errors" do
|
|
|
|
OmniAuth::Strategies::GoogleOauth2.any_instance.stubs(:mock_request_call).raises(
|
|
|
|
OAuth::Unauthorized.new(mock().tap { |m| m.stubs(:code).returns(403); m.stubs(:message).returns("Message") })
|
|
|
|
)
|
|
|
|
post "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.location).to include("/auth/failure?message=request_error")
|
|
|
|
|
|
|
|
OmniAuth::Strategies::GoogleOauth2.any_instance.stubs(:mock_request_call).raises(JWT::InvalidIatError.new)
|
|
|
|
post "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.location).to include("/auth/failure?message=invalid_iat")
|
|
|
|
end
|
|
|
|
|
2019-08-08 18:57:28 +08:00
|
|
|
it "should only start auth with a POST request" do
|
|
|
|
post "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
get "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
end
|
|
|
|
|
|
|
|
context "with CSRF protection enabled" do
|
|
|
|
before { ActionController::Base.allow_forgery_protection = true }
|
|
|
|
after { ActionController::Base.allow_forgery_protection = false }
|
|
|
|
|
|
|
|
it "should be CSRF protected" do
|
|
|
|
post "/auth/google_oauth2"
|
2019-08-12 17:55:02 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.location).to include("/auth/failure?message=csrf_detected")
|
2019-08-08 18:57:28 +08:00
|
|
|
|
|
|
|
post "/auth/google_oauth2", params: { authenticity_token: "faketoken" }
|
2019-08-12 17:55:02 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.location).to include("/auth/failure?message=csrf_detected")
|
2019-08-08 18:57:28 +08:00
|
|
|
|
|
|
|
get "/session/csrf.json"
|
2020-05-07 23:04:12 +08:00
|
|
|
token = response.parsed_body["csrf"]
|
2019-08-08 18:57:28 +08:00
|
|
|
|
|
|
|
post "/auth/google_oauth2", params: { authenticity_token: token }
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
end
|
2019-08-09 21:44:03 +08:00
|
|
|
|
|
|
|
it "should not be CSRF protected if it is the only auth method" do
|
|
|
|
get "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.enable_local_logins = false
|
|
|
|
get "/auth/google_oauth2"
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
end
|
2019-08-08 18:57:28 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-05-05 03:35:03 +08:00
|
|
|
context "without an `omniauth.auth` env" do
|
|
|
|
it "should return a 404" do
|
|
|
|
get "/auth/eviltrout/callback"
|
2017-05-09 04:33:43 +08:00
|
|
|
expect(response.code).to eq("404")
|
2017-05-05 03:35:03 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-09-05 05:54:50 +08:00
|
|
|
describe 'when user not found' do
|
|
|
|
let(:email) { "somename@gmail.com" }
|
|
|
|
before do
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: '123545',
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: email,
|
2019-05-13 14:45:24 +08:00
|
|
|
name: 'Some Name',
|
2019-03-07 19:31:04 +08:00
|
|
|
first_name: "Some",
|
2019-05-13 14:45:24 +08:00
|
|
|
last_name: "Name"
|
2018-09-05 05:54:50 +08:00
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: email,
|
|
|
|
family_name: 'Huh',
|
2019-05-13 14:45:24 +08:00
|
|
|
given_name: "Some Name",
|
2018-09-05 05:54:50 +08:00
|
|
|
gender: 'male',
|
|
|
|
name: "Some name Huh",
|
|
|
|
)
|
2019-03-07 19:31:04 +08:00
|
|
|
}
|
2018-09-05 05:54:50 +08:00
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
2019-05-15 16:55:31 +08:00
|
|
|
destination_url = '/somepath'
|
2018-09-05 05:54:50 +08:00
|
|
|
Rails.application.env_config["omniauth.origin"] = destination_url
|
|
|
|
|
2019-11-25 20:31:57 +08:00
|
|
|
events = DiscourseEvent.track_events { get "/auth/google_oauth2/callback.json" }
|
|
|
|
expect(events.any? { |e| e[:event_name] === :after_auth && Auth::GoogleOAuth2Authenticator === e[:params][0] && !e[:params][1].failed? }).to eq(true)
|
2018-09-05 05:54:50 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-09-05 05:54:50 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
2018-09-05 05:54:50 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(data["email"]).to eq(email)
|
|
|
|
expect(data["username"]).to eq("Some_Name")
|
|
|
|
expect(data["auth_provider"]).to eq("google_oauth2")
|
|
|
|
expect(data["email_valid"]).to eq(true)
|
|
|
|
expect(data["omit_username"]).to eq(false)
|
|
|
|
expect(data["name"]).to eq("Some Name")
|
|
|
|
expect(data["destination_url"]).to eq(destination_url)
|
2018-09-05 05:54:50 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'should include destination url in response' do
|
2019-05-15 16:55:31 +08:00
|
|
|
destination_url = '/cookiepath'
|
2018-09-05 05:54:50 +08:00
|
|
|
cookies[:destination_url] = destination_url
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
|
|
|
expect(data["destination_url"]).to eq(destination_url)
|
2018-09-05 05:54:50 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-03-01 11:58:24 +08:00
|
|
|
describe 'when user has been verified' do
|
|
|
|
before do
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: '123545',
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: user.email,
|
|
|
|
name: 'Some name'
|
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: user.email,
|
|
|
|
family_name: 'Huh',
|
|
|
|
given_name: user.name,
|
|
|
|
gender: 'male',
|
|
|
|
name: "#{user.name} Huh",
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
2017-06-08 07:05:33 +08:00
|
|
|
expect(user.email_confirmed?).to eq(false)
|
|
|
|
|
2017-06-01 16:19:42 +08:00
|
|
|
events = DiscourseEvent.track_events do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
end
|
|
|
|
|
2017-06-08 07:05:33 +08:00
|
|
|
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
|
2017-03-01 11:58:24 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2017-03-01 11:58:24 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
2017-03-01 11:58:24 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(data["authenticated"]).to eq(true)
|
|
|
|
expect(data["awaiting_activation"]).to eq(false)
|
|
|
|
expect(data["awaiting_approval"]).to eq(false)
|
|
|
|
expect(data["not_allowed_from_ip_address"]).to eq(false)
|
|
|
|
expect(data["admin_not_allowed_from_ip_address"]).to eq(false)
|
2017-06-08 07:05:33 +08:00
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email_confirmed?).to eq(true)
|
|
|
|
end
|
|
|
|
|
2020-03-22 04:24:49 +08:00
|
|
|
it 'should return the authenticated response with the correct path for subfolders' do
|
|
|
|
set_subfolder "/forum"
|
|
|
|
events = DiscourseEvent.track_events do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(response.headers["Set-Cookie"].match(/^authentication_data=.*; path=\/forum/)).not_to eq(nil)
|
|
|
|
|
|
|
|
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
|
|
|
|
data = JSON.parse(response.cookies["authentication_data"])
|
|
|
|
|
|
|
|
expect(data["authenticated"]).to eq(true)
|
|
|
|
expect(data["awaiting_activation"]).to eq(false)
|
|
|
|
expect(data["awaiting_approval"]).to eq(false)
|
|
|
|
expect(data["not_allowed_from_ip_address"]).to eq(false)
|
|
|
|
expect(data["admin_not_allowed_from_ip_address"]).to eq(false)
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email_confirmed?).to eq(true)
|
|
|
|
end
|
|
|
|
|
2017-06-08 07:05:33 +08:00
|
|
|
it "should confirm email even when the tokens are expired" do
|
|
|
|
user.email_tokens.update_all(confirmed: false, expired: true)
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email_confirmed?).to eq(false)
|
|
|
|
|
|
|
|
events = DiscourseEvent.track_events do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2017-06-08 07:05:33 +08:00
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email_confirmed?).to eq(true)
|
2017-03-01 11:58:24 +08:00
|
|
|
end
|
|
|
|
|
2019-08-28 19:49:11 +08:00
|
|
|
it "should unstage staged user" do
|
2017-12-12 20:08:57 +08:00
|
|
|
user.update!(staged: true, registration_ip_address: nil)
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.staged).to eq(true)
|
|
|
|
expect(user.registration_ip_address).to eq(nil)
|
|
|
|
|
|
|
|
events = DiscourseEvent.track_events do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2017-12-12 20:08:57 +08:00
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.staged).to eq(false)
|
|
|
|
expect(user.registration_ip_address).to be_present
|
|
|
|
end
|
|
|
|
|
2019-08-28 19:49:11 +08:00
|
|
|
it "should activate user with matching email" do
|
|
|
|
user.update!(password: "securepassword", active: false, registration_ip_address: "1.1.1.1")
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.active).to eq(false)
|
|
|
|
expect(user.confirm_password?("securepassword")).to eq(true)
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.active).to eq(true)
|
|
|
|
|
|
|
|
# Delete the password, it may have been set by someone else
|
|
|
|
expect(user.confirm_password?("securepassword")).to eq(false)
|
|
|
|
end
|
|
|
|
|
2020-01-15 18:27:12 +08:00
|
|
|
context 'when user has TOTP enabled' do
|
2018-03-01 15:47:07 +08:00
|
|
|
before do
|
|
|
|
user.create_totp(enabled: true)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-03-01 15:47:07 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
2018-03-01 15:47:07 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(data["email"]).to eq(user.email)
|
|
|
|
expect(data["omniauth_disallow_totp"]).to eq(true)
|
2018-05-30 12:14:04 +08:00
|
|
|
|
|
|
|
user.update!(email: 'different@user.email')
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(JSON.parse(cookies[:authentication_data])["email"]).to eq(user.email)
|
2018-03-01 15:47:07 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2020-01-15 18:27:12 +08:00
|
|
|
context 'when user has security key enabled' do
|
|
|
|
before do
|
|
|
|
Fabricate(:user_security_key_with_random_credential, user: user)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
|
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
|
|
|
|
|
|
|
expect(data["email"]).to eq(user.email)
|
|
|
|
expect(data["omniauth_disallow_totp"]).to eq(true)
|
|
|
|
|
|
|
|
user.update!(email: 'different@user.email')
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(JSON.parse(cookies[:authentication_data])["email"]).to eq(user.email)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2018-10-05 02:31:08 +08:00
|
|
|
context 'when sso_payload cookie exist' do
|
|
|
|
before do
|
|
|
|
SiteSetting.enable_sso_provider = true
|
|
|
|
SiteSetting.sso_secret = "topsecret"
|
|
|
|
|
|
|
|
@sso = SingleSignOn.new
|
|
|
|
@sso.nonce = "mynonce"
|
|
|
|
@sso.sso_secret = SiteSetting.sso_secret
|
|
|
|
@sso.return_sso_url = "http://somewhere.over.rainbow/sso"
|
|
|
|
cookies[:sso_payload] = @sso.payload
|
|
|
|
|
2019-03-07 19:31:04 +08:00
|
|
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
|
2018-10-05 02:31:08 +08:00
|
|
|
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: '12345',
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
name: 'Some name'
|
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
family_name: 'Huh',
|
|
|
|
given_name: user.name,
|
|
|
|
gender: 'male',
|
|
|
|
name: "#{user.name} Huh",
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-10-05 02:31:08 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
2018-10-05 02:31:08 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(data["destination_url"]).to match(/\/session\/sso_provider\?sso\=.*\&sig\=.*/)
|
2018-10-05 02:31:08 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2017-03-01 11:58:24 +08:00
|
|
|
context 'when user has not verified his email' do
|
|
|
|
before do
|
2019-03-07 19:31:04 +08:00
|
|
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
|
2017-03-01 11:58:24 +08:00
|
|
|
user.update!(active: false)
|
|
|
|
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: '12345',
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
name: 'Some name'
|
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
family_name: 'Huh',
|
|
|
|
given_name: user.name,
|
|
|
|
gender: 'male',
|
|
|
|
name: "#{user.name} Huh",
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should return the right response' do
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2017-03-01 11:58:24 +08:00
|
|
|
|
2019-10-08 19:10:43 +08:00
|
|
|
data = JSON.parse(cookies[:authentication_data])
|
2017-03-01 11:58:24 +08:00
|
|
|
|
|
|
|
expect(user.reload.active).to eq(false)
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(data["authenticated"]).to eq(false)
|
|
|
|
expect(data["awaiting_activation"]).to eq(true)
|
2017-03-01 11:58:24 +08:00
|
|
|
end
|
|
|
|
end
|
2019-03-19 20:39:13 +08:00
|
|
|
|
|
|
|
context 'with full screen login' do
|
|
|
|
before do
|
|
|
|
cookies['fsl'] = true
|
|
|
|
end
|
|
|
|
|
|
|
|
it "doesn't attempt redirect to external origin" do
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?origin=https://example.com/external"
|
2019-03-19 20:39:13 +08:00
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
expect(response.status).to eq 302
|
|
|
|
expect(response.location).to eq "http://test.localhost/"
|
2019-05-15 16:55:31 +08:00
|
|
|
|
|
|
|
cookie_data = JSON.parse(response.cookies['authentication_data'])
|
|
|
|
expect(cookie_data["destination_url"]).to eq('/')
|
2019-03-19 20:39:13 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "redirects to internal origin" do
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?origin=http://test.localhost/t/123"
|
2019-03-19 20:39:13 +08:00
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
expect(response.status).to eq 302
|
|
|
|
expect(response.location).to eq "http://test.localhost/t/123"
|
2019-05-15 16:55:31 +08:00
|
|
|
|
|
|
|
cookie_data = JSON.parse(response.cookies['authentication_data'])
|
|
|
|
expect(cookie_data["destination_url"]).to eq('/t/123')
|
2019-03-19 20:39:13 +08:00
|
|
|
end
|
|
|
|
|
2020-01-09 01:06:03 +08:00
|
|
|
it "never redirects to /auth/ origin" do
|
|
|
|
post "/auth/google_oauth2?origin=http://test.localhost/auth/google_oauth2"
|
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
expect(response.status).to eq 302
|
|
|
|
expect(response.location).to eq "http://test.localhost/"
|
|
|
|
|
|
|
|
cookie_data = JSON.parse(response.cookies['authentication_data'])
|
|
|
|
expect(cookie_data["destination_url"]).to eq('/')
|
|
|
|
end
|
|
|
|
|
2019-03-19 20:39:13 +08:00
|
|
|
it "redirects to relative origin" do
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?origin=/t/123"
|
2019-03-19 20:39:13 +08:00
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
expect(response.status).to eq 302
|
|
|
|
expect(response.location).to eq "http://test.localhost/t/123"
|
2019-05-15 16:55:31 +08:00
|
|
|
|
|
|
|
cookie_data = JSON.parse(response.cookies['authentication_data'])
|
|
|
|
expect(cookie_data["destination_url"]).to eq('/t/123')
|
2019-03-19 20:39:13 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "redirects with query" do
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?origin=/t/123?foo=bar"
|
2019-03-19 20:39:13 +08:00
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
expect(response.status).to eq 302
|
|
|
|
expect(response.location).to eq "http://test.localhost/t/123?foo=bar"
|
2019-05-15 16:55:31 +08:00
|
|
|
|
|
|
|
cookie_data = JSON.parse(response.cookies['authentication_data'])
|
|
|
|
expect(cookie_data["destination_url"]).to eq('/t/123?foo=bar')
|
2019-03-19 20:39:13 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it "removes authentication_data cookie on logout" do
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?origin=https://example.com/external"
|
2019-03-19 20:39:13 +08:00
|
|
|
get "/auth/google_oauth2/callback"
|
|
|
|
|
|
|
|
provider = log_in_user(Fabricate(:user))
|
|
|
|
|
|
|
|
expect(cookies['authentication_data']).to be
|
|
|
|
|
|
|
|
log_out_user(provider)
|
|
|
|
|
|
|
|
expect(cookies['authentication_data']).to be_nil
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
cookies.delete('fsl')
|
|
|
|
end
|
|
|
|
end
|
2017-03-01 11:58:24 +08:00
|
|
|
end
|
2017-09-12 23:36:17 +08:00
|
|
|
|
2018-12-11 21:19:00 +08:00
|
|
|
context 'when attempting reconnect' do
|
2019-05-07 11:12:20 +08:00
|
|
|
fab!(:user2) { Fabricate(:user) }
|
2018-12-11 21:19:00 +08:00
|
|
|
before do
|
2019-03-07 19:31:04 +08:00
|
|
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '12345', user: user)
|
|
|
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", provider_uid: '123456', user: user2)
|
2018-12-11 21:19:00 +08:00
|
|
|
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: '12345',
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
name: 'Some name'
|
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: 'someother_email@test.com',
|
|
|
|
family_name: 'Huh',
|
|
|
|
given_name: user.name,
|
|
|
|
gender: 'male',
|
|
|
|
name: "#{user.name} Huh",
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'should not reconnect normally' do
|
|
|
|
# Log in normally
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2"
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(session[:auth_reconnect]).to eq(false)
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(session[:current_user_id]).to eq(user.id)
|
|
|
|
|
|
|
|
# Log into another user
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2"
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(session[:auth_reconnect]).to eq(false)
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(session[:current_user_id]).to eq(user2.id)
|
2019-03-07 19:31:04 +08:00
|
|
|
expect(UserAssociatedAccount.count).to eq(2)
|
2018-12-11 21:19:00 +08:00
|
|
|
end
|
|
|
|
|
2019-07-17 19:34:02 +08:00
|
|
|
it 'should redirect to associate URL if parameter supplied' do
|
2018-12-11 21:19:00 +08:00
|
|
|
# Log in normally
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?reconnect=true"
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(session[:auth_reconnect]).to eq(true)
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(session[:current_user_id]).to eq(user.id)
|
|
|
|
|
|
|
|
# Clear cookie after login
|
|
|
|
expect(session[:auth_reconnect]).to eq(nil)
|
|
|
|
|
|
|
|
# Disconnect
|
2019-03-07 19:31:04 +08:00
|
|
|
UserAssociatedAccount.find_by(user_id: user.id).destroy
|
2018-12-11 21:19:00 +08:00
|
|
|
|
|
|
|
# Reconnect flow:
|
2019-08-08 18:57:28 +08:00
|
|
|
post "/auth/google_oauth2?reconnect=true"
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(session[:auth_reconnect]).to eq(true)
|
|
|
|
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
2019-07-17 19:34:02 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
expect(response.redirect_url).to start_with("http://test.localhost/associate/")
|
|
|
|
|
2018-12-11 21:19:00 +08:00
|
|
|
expect(session[:current_user_id]).to eq(user.id)
|
2019-07-24 18:45:36 +08:00
|
|
|
expect(UserAssociatedAccount.count).to eq(1) # Reconnect has not yet happened
|
2018-12-11 21:19:00 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
2017-09-12 23:36:17 +08:00
|
|
|
context 'after changing email' do
|
|
|
|
def login(identity)
|
|
|
|
OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
|
|
|
|
provider: 'google_oauth2',
|
|
|
|
uid: "123545#{identity[:username]}",
|
|
|
|
info: OmniAuth::AuthHash::InfoHash.new(
|
|
|
|
email: identity[:email],
|
|
|
|
name: 'Some name'
|
|
|
|
),
|
|
|
|
extra: {
|
|
|
|
raw_info: OmniAuth::AuthHash.new(
|
|
|
|
email_verified: true,
|
|
|
|
email: identity[:email],
|
|
|
|
family_name: 'Huh',
|
|
|
|
given_name: identity[:name],
|
|
|
|
gender: 'male',
|
|
|
|
name: "#{identity[:name]} Huh",
|
|
|
|
)
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
|
|
|
|
|
|
|
|
get "/auth/google_oauth2/callback.json"
|
2019-10-08 19:10:43 +08:00
|
|
|
expect(response.status).to eq(302)
|
|
|
|
JSON.parse(cookies[:authentication_data])
|
2017-09-12 23:36:17 +08:00
|
|
|
end
|
|
|
|
|
|
|
|
it 'activates the correct email' do
|
|
|
|
old_email = 'old@email.com'
|
|
|
|
old_identity = { name: 'Bob',
|
|
|
|
username: 'bob',
|
|
|
|
email: old_email }
|
|
|
|
user = Fabricate(:user, email: old_email)
|
|
|
|
new_email = 'new@email.com'
|
|
|
|
new_identity = { name: 'Bob',
|
|
|
|
username: 'boguslaw',
|
|
|
|
email: new_email }
|
|
|
|
|
2020-02-20 07:52:21 +08:00
|
|
|
updater = EmailUpdater.new(guardian: user.guardian, user: user)
|
2017-09-12 23:36:17 +08:00
|
|
|
updater.change_to(new_email)
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email).to eq(old_email)
|
|
|
|
|
|
|
|
response = login(old_identity)
|
|
|
|
expect(response['authenticated']).to eq(true)
|
|
|
|
|
|
|
|
user.reload
|
|
|
|
expect(user.email).to eq(old_email)
|
|
|
|
|
2018-07-25 23:33:42 +08:00
|
|
|
delete "/session/#{user.username}" # log out
|
|
|
|
|
2017-09-12 23:36:17 +08:00
|
|
|
response = login(new_identity)
|
|
|
|
expect(response['authenticated']).to eq(nil)
|
|
|
|
expect(response['email']).to eq(new_email)
|
|
|
|
end
|
|
|
|
end
|
2017-03-01 11:58:24 +08:00
|
|
|
end
|
|
|
|
end
|