AtHeartEngineer/devise
1
1
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2026-01-10 08:08:00 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5347 from heartcombo/ca-build

Browse Source 
Support Ruby 3+ officially, remove final Rails 6.1 deprecations, drop test dependency for XML serialization
This commit is contained in:
Carlos Antonio da Silva
2021-02-16 17:35:19 -03:00
committed by GitHub
parent 1bb5fcbbec 1ba53dc369
commit 0cd72a56f9
20 changed files with 182 additions and 250 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.github/workflows/test.yml vendored
View File

@@ -21,6 +21,7 @@ jobs:
- 2.5
- 2.6
- 2.7
- 3.0
env:
- DEVISE_ORM=active_record
- DEVISE_ORM=mongoid
@@ -59,8 +60,6 @@ jobs:
gemfile: gemfiles/Gemfile-rails-4-2
- ruby: 2.7
gemfile: gemfiles/Gemfile-rails-4-1
- ruby: 2.7
gemfile: gemfiles/Gemfile-rails-4-1
- ruby: 2.7
gemfile: gemfiles/Gemfile-rails-4-2
- ruby: 2.7
@@ -69,6 +68,16 @@ jobs:
gemfile: gemfiles/Gemfile-rails-5-1
- ruby: 2.7
gemfile: gemfiles/Gemfile-rails-5-2
- ruby: 3.0
gemfile: gemfiles/Gemfile-rails-4-1
- ruby: 3.0
gemfile: gemfiles/Gemfile-rails-4-2
- ruby: 3.0
gemfile: gemfiles/Gemfile-rails-5-0
- ruby: 3.0
gemfile: gemfiles/Gemfile-rails-5-1
- ruby: 3.0
gemfile: gemfiles/Gemfile-rails-5-2
- env: DEVISE_ORM=mongoid
gemfile: Gemfile
- env: DEVISE_ORM=mongoid
@@ -91,7 +100,7 @@ jobs:
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true # runs bundle install and caches installed gems automatically
bundler: ${{ env.BUNDLER_VERSION || 'latest' }}
bundler: ${{ env.BUNDLER_VERSION || '2.2.9' }}
- uses: supercharge/mongodb-github-action@1.3.0
if: ${{ matrix.env == 'DEVISE_ORM=mongoid' }}
- run: bundle exec rake

2
CHANGELOG.md
View File

@@ -4,6 +4,8 @@
* Devise now enables the upgrade of OmniAuth 2+. Previously Devise would raise an error if you'd try to upgrade. Please note that OmniAuth 2 is considered a security upgrade and recommended to everyone. You can read more about the details (and possible necessary changes to your app as part of the upgrade) in [their release notes](https://github.com/omniauth/omniauth/releases/tag/v2.0.0). [Devise's OmniAuth Overview wiki](https://github.com/heartcombo/devise/wiki/OmniAuth:-Overview) was also updated to cover OmniAuth 2.0 requirements.
- Note that the upgrade required Devise shared links that initiate the OmniAuth flow to be changed to `method: :post`, which is now a requirement for OmniAuth, part of the security improvement. If you have copied and customized the Devise shared links partial to your app, or if you have other links in your app that initiate the OmniAuth flow, they will have to be updated to use `method: :post`, or changed to use buttons (e.g. `button_to`) to work with OmniAuth 2. (if you're using links with `method: :post`, make sure your app has `rails-ujs` or `jquery-ujs` included in order for these links to work properly.)
- As part of the OmniAuth 2.0 upgrade you might also need to add the [`omniauth-rails_csrf_protection`](https://github.com/cookpad/omniauth-rails_csrf_protection) gem to your app if you don't have it already. (and you don't want to roll your own code to verify requests.) Check the OmniAuth v2 release notes for more info.
* Add support for Ruby 3.
* Add support for Rails 6.1.
* Move CI to GitHub Actions.
* deprecations

3
Gemfile
View File

@@ -9,8 +9,6 @@ gem "omniauth"
gem "omniauth-oauth2"
gem "rdoc"
gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
gem "rails-controller-testing", github: "rails/rails-controller-testing"
gem "responders", "~> 3.0"
@@ -18,6 +16,7 @@ gem "responders", "~> 3.0"
group :test do
gem "omniauth-facebook"
gem "omniauth-openid"
gem "rexml"
gem "timecop"
gem "webrat", "0.7.3", require: false
gem "mocha", "~> 1.1", require: false

130
Gemfile.lock
View File

@@ -1,12 +1,3 @@
GIT
remote: https://github.com/rails/activemodel-serializers-xml.git
revision: 694f4071c6b16e4c8597cc323c241b5f787b3ea8
specs:
activemodel-serializers-xml (1.0.2)
activemodel (>= 5.0.0.a)
activesupport (>= 5.0.0.a)
builder (~> 3.1)
GIT
remote: https://github.com/rails/rails-controller-testing.git
revision: 4b15c86e82ee380f2a7cc009e470368f7520560a
@@ -29,60 +20,60 @@ PATH
GEM
remote: https://rubygems.org/
specs:
actioncable (6.1.1)
actionpack (= 6.1.1)
activesupport (= 6.1.1)
actioncable (6.1.2.1)
actionpack (= 6.1.2.1)
activesupport (= 6.1.2.1)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (6.1.1)
actionpack (= 6.1.1)
activejob (= 6.1.1)
activerecord (= 6.1.1)
activestorage (= 6.1.1)
activesupport (= 6.1.1)
actionmailbox (6.1.2.1)
actionpack (= 6.1.2.1)
activejob (= 6.1.2.1)
activerecord (= 6.1.2.1)
activestorage (= 6.1.2.1)
activesupport (= 6.1.2.1)
mail (>= 2.7.1)
actionmailer (6.1.1)
actionpack (= 6.1.1)
actionview (= 6.1.1)
activejob (= 6.1.1)
activesupport (= 6.1.1)
actionmailer (6.1.2.1)
actionpack (= 6.1.2.1)
actionview (= 6.1.2.1)
activejob (= 6.1.2.1)
activesupport (= 6.1.2.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (6.1.1)
actionview (= 6.1.1)
activesupport (= 6.1.1)
actionpack (6.1.2.1)
actionview (= 6.1.2.1)
activesupport (= 6.1.2.1)
rack (~> 2.0, >= 2.0.9)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.1.1)
actionpack (= 6.1.1)
activerecord (= 6.1.1)
activestorage (= 6.1.1)
activesupport (= 6.1.1)
actiontext (6.1.2.1)
actionpack (= 6.1.2.1)
activerecord (= 6.1.2.1)
activestorage (= 6.1.2.1)
activesupport (= 6.1.2.1)
nokogiri (>= 1.8.5)
actionview (6.1.1)
activesupport (= 6.1.1)
actionview (6.1.2.1)
activesupport (= 6.1.2.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
activejob (6.1.1)
activesupport (= 6.1.1)
activejob (6.1.2.1)
activesupport (= 6.1.2.1)
globalid (>= 0.3.6)
activemodel (6.1.1)
activesupport (= 6.1.1)
activerecord (6.1.1)
activemodel (= 6.1.1)
activesupport (= 6.1.1)
activestorage (6.1.1)
actionpack (= 6.1.1)
activejob (= 6.1.1)
activerecord (= 6.1.1)
activesupport (= 6.1.1)
activemodel (6.1.2.1)
activesupport (= 6.1.2.1)
activerecord (6.1.2.1)
activemodel (= 6.1.2.1)
activesupport (= 6.1.2.1)
activestorage (6.1.2.1)
actionpack (= 6.1.2.1)
activejob (= 6.1.2.1)
activerecord (= 6.1.2.1)
activesupport (= 6.1.2.1)
marcel (~> 0.3.1)
mimemagic (~> 0.3.2)
activesupport (6.1.1)
activesupport (6.1.2.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 1.6, < 2)
minitest (>= 5.1)
@@ -90,7 +81,7 @@ GEM
zeitwerk (~> 2.3)
bcrypt (3.1.16)
builder (3.2.4)
concurrent-ruby (1.1.7)
concurrent-ruby (1.1.8)
crass (1.0.6)
erubi (1.10.0)
faraday (1.3.0)
@@ -101,7 +92,7 @@ GEM
globalid (0.4.2)
activesupport (>= 4.2.0)
hashie (4.1.0)
i18n (1.8.7)
i18n (1.8.9)
concurrent-ruby (~> 1.0)
jwt (2.2.2)
loofah (2.9.0)
@@ -120,7 +111,7 @@ GEM
multi_json (1.15.0)
multi_xml (0.6.0)
multipart-post (2.1.1)
nio4r (2.5.4)
nio4r (2.5.5)
nokogiri (1.11.1)
mini_portile2 (~> 2.5.0)
racc (~> 1.4)
@@ -130,7 +121,7 @@ GEM
multi_json (~> 1.3)
multi_xml (~> 0.5)
rack (>= 1.2, < 3)
omniauth (2.0.1)
omniauth (2.0.2)
hashie (>= 3.4.6)
rack (>= 1.6.2, < 3)
rack-protection
@@ -152,29 +143,29 @@ GEM
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
rails (6.1.1)
actioncable (= 6.1.1)
actionmailbox (= 6.1.1)
actionmailer (= 6.1.1)
actionpack (= 6.1.1)
actiontext (= 6.1.1)
actionview (= 6.1.1)
activejob (= 6.1.1)
activemodel (= 6.1.1)
activerecord (= 6.1.1)
activestorage (= 6.1.1)
activesupport (= 6.1.1)
rails (6.1.2.1)
actioncable (= 6.1.2.1)
actionmailbox (= 6.1.2.1)
actionmailer (= 6.1.2.1)
actionpack (= 6.1.2.1)
actiontext (= 6.1.2.1)
actionview (= 6.1.2.1)
activejob (= 6.1.2.1)
activemodel (= 6.1.2.1)
activerecord (= 6.1.2.1)
activestorage (= 6.1.2.1)
activesupport (= 6.1.2.1)
bundler (>= 1.15.0)
railties (= 6.1.1)
railties (= 6.1.2.1)
sprockets-rails (>= 2.0.0)
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
rails-html-sanitizer (1.3.0)
loofah (~> 2.3)
railties (6.1.1)
actionpack (= 6.1.1)
activesupport (= 6.1.1)
railties (6.1.2.1)
actionpack (= 6.1.2.1)
activesupport (= 6.1.2.1)
method_source
rake (>= 0.8.7)
thor (~> 1.0)
@@ -183,6 +174,7 @@ GEM
responders (3.0.1)
actionpack (>= 5.0)
railties (>= 5.0)
rexml (3.2.4)
ruby-openid (2.9.2)
ruby2_keywords (0.0.4)
sprockets (4.0.2)
@@ -193,8 +185,8 @@ GEM
activesupport (>= 4.0)
sprockets (>= 3.0.0)
sqlite3 (1.4.2)
thor (1.0.1)
timecop (0.9.2)
thor (1.1.0)
timecop (0.9.4)
tzinfo (2.0.4)
concurrent-ruby (~> 1.0)
warden (1.2.9)
@@ -212,7 +204,6 @@ PLATFORMS
ruby
DEPENDENCIES
activemodel-serializers-xml!
devise!
mocha (~> 1.1)
omniauth
@@ -223,6 +214,7 @@ DEPENDENCIES
rails-controller-testing!
rdoc
responders (~> 3.0)
rexml
sqlite3 (~> 1.4)
timecop
webrat (= 0.7.3)

2
gemfiles/Gemfile-rails-5-0
View File

@@ -9,8 +9,6 @@ gem "omniauth"
gem "omniauth-oauth2"
gem "rdoc"
gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
gem "rails-controller-testing"
gem "responders", "~> 2.1"

2
gemfiles/Gemfile-rails-5-1
View File

@@ -7,8 +7,6 @@ gem "omniauth"
gem "omniauth-oauth2"
gem "rdoc"
gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
gem "rails-controller-testing"
gem "responders", "~> 2.1"

2
gemfiles/Gemfile-rails-5-2
View File

@@ -7,8 +7,6 @@ gem "omniauth"
gem "omniauth-oauth2"
gem "rdoc"
gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
gem "rails-controller-testing"
gem "responders", "~> 2.1"

5
gemfiles/Gemfile-rails-6-0
View File

@@ -2,13 +2,11 @@ source "https://rubygems.org"
gemspec path: ".."
gem "rails", '~> 6.0.0'
gem "rails", '~> 6.0.0', github: 'rails/rails', branch: '6-0-stable'
gem "omniauth"
gem "omniauth-oauth2"
gem "rdoc"
gem "activemodel-serializers-xml", github: "rails/activemodel-serializers-xml"
gem "rails-controller-testing", github: "rails/rails-controller-testing"
gem "responders", "~> 3.0"
@@ -16,6 +14,7 @@ gem "responders", "~> 3.0"
group :test do
gem "omniauth-facebook"
gem "omniauth-openid"
gem "rexml"
gem "timecop"
gem "webrat", "0.7.3", require: false
gem "mocha", "~> 1.1", require: false

10
test/failure_app_test.rb
View File

@@ -220,8 +220,8 @@ class FailureTest < ActiveSupport::TestCase
end
test 'works for any navigational format' do
swap Devise, navigational_formats: [:xml] do
call_failure('formats' => Mime[:xml])
swap Devise, navigational_formats: [:json] do
call_failure('formats' => Mime[:json])
assert_equal 302, @response.first
end
end
@@ -236,7 +236,7 @@ class FailureTest < ActiveSupport::TestCase
context 'For HTTP request' do
test 'return 401 status' do
call_failure('formats' => Mime[:xml])
call_failure('formats' => Mime[:json])
assert_equal 401, @response.first
end
@@ -258,13 +258,13 @@ class FailureTest < ActiveSupport::TestCase
end
test 'return WWW-authenticate headers if model allows' do
call_failure('formats' => Mime[:xml])
call_failure('formats' => Mime[:json])
assert_equal 'Basic realm="Application"', @response.second["WWW-Authenticate"]
end
test 'does not return WWW-authenticate headers if model does not allow' do
swap Devise, http_authenticatable: false do
call_failure('formats' => Mime[:xml])
call_failure('formats' => Mime[:json])
assert_nil @response.second["WWW-Authenticate"]
end
end

33
test/integration/authenticatable_test.rb
View File

@@ -462,14 +462,6 @@ class AuthenticationOthersTest < Devise::IntegrationTest
end
end
test 'sign in stub in xml format' do
get new_user_session_path(format: 'xml')
assert_match '<?xml version="1.0" encoding="UTF-8"?>', response.body
assert_match %r{<user>.*</user>}m, response.body
assert_match '<email></email>', response.body
assert_match '<password nil="true"', response.body
end
test 'sign in stub in json format' do
get new_user_session_path(format: 'json')
assert_match '{"user":{', response.body
@@ -492,27 +484,27 @@ class AuthenticationOthersTest < Devise::IntegrationTest
refute warden.authenticated?(:admin)
end
test 'sign in with xml format returns xml response' do
test 'sign in with json format returns json response' do
create_user
post user_session_path(format: 'xml'), params: { user: {email: "user@test.com", password: '12345678'} }
post user_session_path(format: 'json'), params: { user: {email: "user@test.com", password: '12345678'} }
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
assert_includes response.body, '{"user":{'
end
test 'sign in with xml format is idempotent' do
get new_user_session_path(format: 'xml')
test 'sign in with json format is idempotent' do
get new_user_session_path(format: 'json')
assert_response :success
create_user
post user_session_path(format: 'xml'), params: { user: {email: "user@test.com", password: '12345678'} }
post user_session_path(format: 'json'), params: { user: {email: "user@test.com", password: '12345678'} }
assert_response :success
get new_user_session_path(format: 'xml')
get new_user_session_path(format: 'json')
assert_response :success
post user_session_path(format: 'xml'), params: { user: {email: "user@test.com", password: '12345678'} }
post user_session_path(format: 'json'), params: { user: {email: "user@test.com", password: '12345678'} }
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
assert_includes response.body, '{"user":{'
end
test 'sign out with html redirects' do
@@ -527,13 +519,6 @@ class AuthenticationOthersTest < Devise::IntegrationTest
assert_current_url '/'
end
test 'sign out with xml format returns no content' do
sign_in_as_user
delete destroy_user_session_path(format: 'xml')
assert_response :no_content
refute warden.authenticated?(:user)
end
test 'sign out with json format returns no content' do
sign_in_as_user
delete destroy_user_session_path(format: 'json')

54
test/integration/confirmable_test.rb
View File

@@ -214,42 +214,34 @@ class ConfirmationTest < Devise::IntegrationTest
end
end
test 'resent confirmation token with valid E-Mail in XML format should return valid response' do
test 'resent confirmation token with valid e-mail in JSON format should return empty and valid response' do
user = create_user(confirm: false)
post user_confirmation_path(format: 'xml'), params: { user: { email: user.email } }
assert_response :success
assert_equal({}.to_xml, response.body)
end
test 'resent confirmation token with invalid E-Mail in XML format should return invalid response' do
create_user(confirm: false)
post user_confirmation_path(format: 'xml'), params: { user: { email: 'invalid.test@test.com' } }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
end
test 'confirm account with valid confirmation token in XML format should return valid response' do
user = create_user(confirm: false)
get user_confirmation_path(confirmation_token: user.raw_confirmation_token, format: 'xml')
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
end
test 'confirm account with invalid confirmation token in XML format should return invalid response' do
create_user(confirm: false)
get user_confirmation_path(confirmation_token: 'invalid_confirmation', format: 'xml')
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
end
test 'request an account confirmation account with JSON, should return an empty JSON' do
user = create_user(confirm: false)
post user_confirmation_path, params: { user: { email: user.email }, format: :json }
post user_confirmation_path(format: 'json'), params: { user: { email: user.email } }
assert_response :success
assert_equal({}.to_json, response.body)
end
test 'resent confirmation token with invalid e-mail in JSON format should return invalid response' do
create_user(confirm: false)
post user_confirmation_path(format: 'json'), params: { user: { email: 'invalid.test@test.com' } }
assert_response :unprocessable_entity
assert_includes response.body, '{"errors":{'
end
test 'confirm account with valid confirmation token in JSON format should return valid response' do
user = create_user(confirm: false)
get user_confirmation_path(confirmation_token: user.raw_confirmation_token, format: 'json')
assert_response :success
assert_includes response.body, '{"user":{'
end
test 'confirm account with invalid confirmation token in JSON format should return invalid response' do
create_user(confirm: false)
get user_confirmation_path(confirmation_token: 'invalid_confirmation', format: 'json')
assert_response :unprocessable_entity
assert_includes response.body, '{"confirmation_token":['
end
test "when in paranoid mode and with a valid e-mail, should not say that the e-mail is valid" do
swap Devise, paranoid: true do
user = create_user(confirm: false)

23
test/integration/http_authenticatable_test.rb
View File

@@ -22,10 +22,10 @@ class HttpAuthenticationTest < Devise::IntegrationTest
swap Devise, skip_session_storage: [] do
sign_in_as_new_user_with_http
assert_response 200
assert_match '<email>user@test.com</email>', response.body
assert_match '"email":"user@test.com"', response.body
assert warden.authenticated?(:user)
get users_path(format: :xml)
get users_path(format: :json)
assert_response 200
end
end
@@ -34,10 +34,10 @@ class HttpAuthenticationTest < Devise::IntegrationTest
swap Devise, skip_session_storage: [:http_auth] do
sign_in_as_new_user_with_http
assert_response 200
assert_match '<email>user@test.com</email>', response.body
assert_match '"email":"user@test.com"', response.body
assert warden.authenticated?(:user)
get users_path(format: :xml)
get users_path(format: :json)
assert_response 401
end
end
@@ -51,8 +51,8 @@ class HttpAuthenticationTest < Devise::IntegrationTest
test 'uses the request format as response content type' do
sign_in_as_new_user_with_http("unknown")
assert_equal 401, status
assert_equal "application/xml; charset=utf-8", headers["Content-Type"]
assert_match "<error>Invalid Email or password.</error>", response.body
assert_equal "application/json; charset=utf-8", headers["Content-Type"]
assert_match '"error":"Invalid Email or password."', response.body
end
test 'returns a custom response with www-authenticate and chosen realm' do
@@ -67,7 +67,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
swap Devise, authentication_keys: [:username] do
sign_in_as_new_user_with_http("usertest")
assert_response :success
assert_match '<email>user@test.com</email>', response.body
assert_match '"email":"user@test.com"', response.body
assert warden.authenticated?(:user)
end
end
@@ -76,7 +76,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
swap Devise, authentication_keys: { username: false, email: false } do
sign_in_as_new_user_with_http("usertest")
assert_response :success
assert_match '<email>user@test.com</email>', response.body
assert_match '"email":"user@test.com"', response.body
assert warden.authenticated?(:user)
end
end
@@ -85,7 +85,7 @@ class HttpAuthenticationTest < Devise::IntegrationTest
swap Devise, authentication_keys: { email: false, username: false }, http_authentication_key: :username do
sign_in_as_new_user_with_http("usertest")
assert_response :success
assert_match '<email>user@test.com</email>', response.body
assert_match '"email":"user@test.com"', response.body
assert warden.authenticated?(:user)
end
end
@@ -101,14 +101,13 @@ class HttpAuthenticationTest < Devise::IntegrationTest
private
def sign_in_as_new_user_with_http(username = "user@test.com", password = "12345678")
user = create_user
get users_path(format: :xml), headers: { "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("#{username}:#{password}")}" }
get users_path(format: :json), headers: { "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("#{username}:#{password}")}" }
user
end
# Sign in with oauth2 token. This is just to test that it isn't misinterpreted as basic authentication
def add_oauth2_header
user = create_user
get users_path(format: :xml), headers: { "HTTP_AUTHORIZATION" => "OAuth #{Base64.encode64("#{user.email}:12345678")}" }
get users_path(format: :json), headers: { "HTTP_AUTHORIZATION" => "OAuth #{Base64.encode64("#{user.email}:12345678")}" }
end
end

31
test/integration/lockable_test.rb
View File

@@ -130,46 +130,39 @@ class LockTest < Devise::IntegrationTest
end
end
test 'user should be able to request a new unlock token via XML request' do
test 'user should be able to request a new unlock token via JSON request and should return empty and valid response' do
user = create_user(locked: true)
ActionMailer::Base.deliveries.clear
post user_unlock_path(format: 'xml'), params: { user: {email: user.email} }
post user_unlock_path(format: 'json'), params: { user: {email: user.email} }
assert_response :success
assert_equal({}.to_xml, response.body)
assert_equal({}.to_json, response.body)
assert_equal 1, ActionMailer::Base.deliveries.size
end
test 'unlocked user should not be able to request a unlock token via XML request' do
test 'unlocked user should not be able to request a unlock token via JSON request' do
user = create_user(locked: false)
ActionMailer::Base.deliveries.clear
post user_unlock_path(format: 'xml'), params: { user: {email: user.email} }
post user_unlock_path(format: 'json'), params: { user: {email: user.email} }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
assert_includes response.body, '{"errors":{'
assert_equal 0, ActionMailer::Base.deliveries.size
end
test 'user with valid unlock token should be able to unlock account via XML request' do
test 'user with valid unlock token should be able to unlock account via JSON request' do
user = create_user()
raw = user.lock_access!
assert user.access_locked?
get user_unlock_path(format: 'xml', unlock_token: raw)
get user_unlock_path(format: 'json', unlock_token: raw)
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
assert_includes response.body, '{"user":{'
end
test 'user with invalid unlock token should not be able to unlock the account via XML request' do
get user_unlock_path(format: 'xml', unlock_token: 'invalid_token')
test 'user with invalid unlock token should not be able to unlock the account via JSON request' do
get user_unlock_path(format: 'json', unlock_token: 'invalid_token')
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
end
test "when using json to ask a unlock request, should not return the user" do
user = create_user(locked: true)
post user_unlock_path(format: "json", user: {email: user.email})
assert_response :success
assert_equal({}.to_json, response.body)
assert_includes response.body, '{"unlock_token":['
end
test "in paranoid mode, when trying to unlock a user that exists it should not say that it exists if it is locked" do

46
test/integration/recoverable_test.rb
View File

@@ -261,63 +261,53 @@ class PasswordTest < Devise::IntegrationTest
end
end
test 'reset password request with valid E-Mail in XML format should return valid response' do
test 'reset password request with valid e-mail in JSON format should return empty and valid response' do
create_user
post user_password_path(format: 'xml'), params: { user: {email: "user@test.com"} }
post user_password_path(format: 'json'), params: { user: {email: "user@test.com"} }
assert_response :success
assert_equal({}.to_xml, response.body)
assert_equal({}.to_json, response.body)
end
test 'reset password request with invalid E-Mail in XML format should return valid response' do
test 'reset password request with invalid e-mail in JSON format should return valid response' do
create_user
post user_password_path(format: 'xml'), params: { user: {email: "invalid.test@test.com"} }
post user_password_path(format: 'json'), params: { user: {email: "invalid.test@test.com"} }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
assert_includes response.body, '{"errors":{'
end
test 'reset password request with invalid E-Mail in XML format should return empty and valid response' do
test 'reset password request with invalid e-mail in JSON format should return empty and valid response in paranoid mode' do
swap Devise, paranoid: true do
create_user
post user_password_path(format: 'xml'), params: { user: {email: "invalid@test.com"} }
post user_password_path(format: 'json'), params: { user: {email: "invalid@test.com"} }
assert_response :success
assert_equal({}.to_xml, response.body)
assert_equal({}.to_json, response.body)
end
end
test 'change password with valid parameters in XML format should return valid response' do
test 'change password with valid parameters in JSON format should return valid response' do
create_user
request_forgot_password
put user_password_path(format: 'xml'), params: { user: {
put user_password_path(format: 'json'), params: { user: {
reset_password_token: 'abcdef', password: '987654321', password_confirmation: '987654321'
}
}
} }
assert_response :success
assert warden.authenticated?(:user)
end
test 'change password with invalid token in XML format should return invalid response' do
test 'change password with invalid token in JSON format should return invalid response' do
create_user
request_forgot_password
put user_password_path(format: 'xml'), params: { user: {reset_password_token: 'invalid.token', password: '987654321', password_confirmation: '987654321'} }
put user_password_path(format: 'json'), params: { user: {reset_password_token: 'invalid.token', password: '987654321', password_confirmation: '987654321'} }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
assert_includes response.body, '{"errors":{'
end
test 'change password with invalid new password in XML format should return invalid response' do
test 'change password with invalid new password in JSON format should return invalid response' do
user = create_user
request_forgot_password
put user_password_path(format: 'xml'), params: { user: {reset_password_token: user.reload.reset_password_token, password: '', password_confirmation: '987654321'} }
put user_password_path(format: 'json'), params: { user: {reset_password_token: user.reload.reset_password_token, password: '', password_confirmation: '987654321'} }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
end
test "when using json requests to ask a confirmable request, should not return the object" do
user = create_user(confirm: false)
post user_password_path(format: :json), params: { user: { email: user.email } }
assert_response :success
assert_equal "{}", response.body
assert_includes response.body, '{"errors":{'
end
test "when in paranoid mode and with an invalid e-mail, asking to reset a password should display a message that does not indicates that the e-mail does not exists in the database" do

37
test/integration/registerable_test.rb
View File

@@ -283,13 +283,6 @@ class RegistrationTest < Devise::IntegrationTest
assert_redirected_to new_user_registration_path
end
test 'a user with XML sign up stub' do
get new_user_registration_path(format: 'xml')
assert_response :success
assert_match %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>), response.body
assert_no_match(/<confirmation-token/, response.body)
end
test 'a user with JSON sign up stub' do
get new_user_registration_path(format: 'json')
assert_response :success
@@ -297,47 +290,47 @@ class RegistrationTest < Devise::IntegrationTest
assert_no_match(/"confirmation_token"/, response.body)
end
test 'an admin sign up with valid information in XML format should return valid response' do
post admin_registration_path(format: 'xml'), params: { admin: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'new_user123' } }
test 'an admin sign up with valid information in JSON format should return valid response' do
post admin_registration_path(format: 'json'), params: { admin: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'new_user123' } }
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<admin>)
assert_includes response.body, '{"admin":{'
admin = Admin.to_adapter.find_first(order: [:id, :desc])
assert_equal 'new_user@test.com', admin.email
end
test 'a user sign up with valid information in XML format should return valid response' do
post user_registration_path(format: 'xml'), params: { user: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'new_user123' } }
test 'a user sign up with valid information in JSON format should return valid response' do
post user_registration_path(format: 'json'), params: { user: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'new_user123' } }
assert_response :success
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
assert_includes response.body, '{"user":{'
user = User.to_adapter.find_first(order: [:id, :desc])
assert_equal 'new_user@test.com', user.email
end
test 'a user sign up with invalid information in XML format should return invalid response' do
post user_registration_path(format: 'xml'), params: { user: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'invalid' } }
test 'a user sign up with invalid information in JSON format should return invalid response' do
post user_registration_path(format: 'json'), params: { user: { email: 'new_user@test.com', password: 'new_user123', password_confirmation: 'invalid' } }
assert_response :unprocessable_entity
assert_includes response.body, %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<errors>)
assert_includes response.body, '{"errors":{'
end
test 'a user update information with valid data in XML format should return valid response' do
test 'a user update information with valid data in JSON format should return valid response' do
user = sign_in_as_user
put user_registration_path(format: 'xml'), params: { user: { current_password: '12345678', email: 'user.new@test.com' } }
put user_registration_path(format: 'json'), params: { user: { current_password: '12345678', email: 'user.new@test.com' } }
assert_response :success
assert_equal 'user.new@test.com', user.reload.email
end
test 'a user update information with invalid data in XML format should return invalid response' do
test 'a user update information with invalid data in JSON format should return invalid response' do
user = sign_in_as_user
put user_registration_path(format: 'xml'), params: { user: { current_password: 'invalid', email: 'user.new@test.com' } }
put user_registration_path(format: 'json'), params: { user: { current_password: 'invalid', email: 'user.new@test.com' } }
assert_response :unprocessable_entity
assert_equal 'user@test.com', user.reload.email
end
test 'a user cancel their account in XML format should return valid response' do
test 'a user cancel their account in JSON format should return valid response' do
sign_in_as_user
delete user_registration_path(format: 'xml')
delete user_registration_path(format: 'json')
assert_response :success
assert_equal 0, User.to_adapter.find_all.size
end

15
test/models/serializable_test.rb
View File

@@ -7,21 +7,6 @@ class SerializableTest < ActiveSupport::TestCase
@user = create_user
end
test 'should not include unsafe keys on XML' do
assert_match(/email/, @user.to_xml)
assert_no_match(/confirmation-token/, @user.to_xml)
end
test 'should not include unsafe keys on XML even if a new except is provided' do
assert_no_match(/email/, @user.to_xml(except: :email))
assert_no_match(/confirmation-token/, @user.to_xml(except: :email))
end
test 'should include unsafe keys on XML if a force_except is provided' do
assert_no_match(/<email/, @user.to_xml(force_except: :email))
assert_match(/confirmation-token/, @user.to_xml(force_except: :email))
end
test 'should not include unsafe keys on JSON' do
keys = from_json().keys.select{ |key| !key.include?("id") }
assert_equal %w(created_at email facebook_token updated_at username), keys.sort

1
test/rails_app/app/active_record/user.rb
View File

@@ -5,7 +5,6 @@ require 'shared_user'
class User < ActiveRecord::Base
include Shim
include SharedUser
include ActiveModel::Serializers::Xml if Devise::Test.rails5_and_up?
validates :sign_in_count, presence: true

3
test/rails_app/app/controllers/users_controller.rb
View File

@@ -3,7 +3,8 @@
class UsersController < ApplicationController
prepend_before_action :current_user, only: :exhibit
before_action :authenticate_user!, except: [:accept, :exhibit]
respond_to :html, :xml
clear_respond_to
respond_to :html, :json
def index
user_session[:cart] = "Cart"

12
test/routes_test.rb
View File

@@ -209,7 +209,7 @@ class CustomizedRoutingTest < ActionController::TestCase
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in', method: :get})
assert_raise ExpectedRoutingError do
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in.xml', method: :get})
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_in.json', method: :get})
end
end
@@ -219,7 +219,7 @@ class CustomizedRoutingTest < ActionController::TestCase
assert_recognizes(expected_params, {path: '/htmlonly_admin/password', method: :post})
assert_raise ExpectedRoutingError do
assert_recognizes(expected_params, {path: '/htmlonly_admin/password.xml', method: :post})
assert_recognizes(expected_params, {path: '/htmlonly_admin/password.json', method: :post})
end
end
@@ -229,7 +229,7 @@ class CustomizedRoutingTest < ActionController::TestCase
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up', method: :get})
assert_raise ExpectedRoutingError do
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up.xml', method: :get})
assert_recognizes(expected_params, {path: '/htmlonly_admin/sign_up.json', method: :get})
end
end
@@ -239,7 +239,7 @@ class CustomizedRoutingTest < ActionController::TestCase
assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation', method: :get})
assert_raise ExpectedRoutingError do
assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation.xml', method: :get})
assert_recognizes(expected_params, {path: '/htmlonly_users/confirmation.json', method: :get})
end
end
@@ -249,12 +249,12 @@ class CustomizedRoutingTest < ActionController::TestCase
assert_recognizes(expected_params, {path: '/htmlonly_users/unlock', method: :get})
assert_raise ExpectedRoutingError do
assert_recognizes(expected_params, {path: '/htmlonly_users/unlock.xml', method: :get})
assert_recognizes(expected_params, {path: '/htmlonly_users/unlock.json', method: :get})
end
end
test 'map with format false is not permanent' do
assert_equal "/set.xml", @routes.url_helpers.set_path(:xml)
assert_equal "/set.json", @routes.url_helpers.set_path(:json)
end
test 'checks if mapping has proper configuration for omniauth callback' do

6
test/test/controller_helpers_test.rb
View File

@@ -101,12 +101,12 @@ class TestControllerHelpersTest < Devise::ControllerTestCase
end
test "returns the content type of a failure app" do
get :index, params: { format: :xml }
get :index, params: { format: :json }
if Devise::Test.rails6?
assert_includes response.media_type, 'application/xml'
assert_includes response.media_type, 'application/json'
else
assert_includes response.content_type, 'application/xml'
assert_includes response.content_type, 'application/json'
end
end