# frozen_string_literal: true
require 'spec_helper'
class DummyAuthController < ApplicationController; end
describe 'Auth concern', type: :controller do
controller DummyAuthController do
# Defining a dummy action for an anynomous controller which inherits from the described class.
def authenticate_blank
authenticate
end
def authenticate_unknown_group
authenticate('nooby')
end
def authenticate_pickups
authenticate('pickups')
head :ok unless performed?
end
def authenticate_finance_or_orders
authenticate('finance_or_orders')
head :ok unless performed?
end
def try_authenticate_membership_or_admin
authenticate_membership_or_admin
end
def try_authenticate_or_token
authenticate_or_token('xyz')
head :ok unless performed?
end
def call_deny_access
deny_access
end
def call_current_user
current_user
end
def call_login_and_redirect_to_return_to
user = User.find(params[:user_id])
login_and_redirect_to_return_to(user)
end
def call_login
user = User.find(params[:user_id])
login(user)
end
end
# unit testing protected/private methods
describe 'protected/private methods' do
let(:user) { create :user }
let(:wrong_user) { create :user }
describe '#current_user' do
before do
login user
routes.draw { get 'call_current_user' => 'dummy_auth#call_current_user' }
end
describe 'with valid session' do
it 'returns current_user' do
get_with_defaults :call_current_user, params: { user_id: user.id }, format: JSON
expect(assigns(:current_user)).to eq user
end
end
describe 'with invalid session' do
it 'not returns current_user' do
session[:user_id] = nil
get_with_defaults :call_current_user, params: { user_id: nil }, format: JSON
expect(assigns(:current_user)).to be_nil
end
end
end
describe '#deny_access' do
it 'redirects to root_url' do
login user
routes.draw { get 'deny_access' => 'dummy_auth#call_deny_access' }
get_with_defaults :call_deny_access
expect(response).to redirect_to(root_url)
end
end
describe '#login' do
before do
routes.draw { get 'call_login' => 'dummy_auth#call_login' }
end
it 'sets user in session' do
login wrong_user
get_with_defaults :call_login, params: { user_id: user.id }, format: JSON
expect(session[:user_id]).to eq user.id
expect(session[:scope]).to eq FoodsoftConfig.scope
expect(session[:locale]).to eq user.locale
end
end
describe '#login_and_redirect_to_return_to' do
it 'redirects to already set target' do
login user
session[:return_to] = my_profile_url
routes.draw { get 'call_login_and_redirect_to_return_to' => 'dummy_auth#call_login_and_redirect_to_return_to' }
get_with_defaults :call_login_and_redirect_to_return_to, params: { user_id: user.id }
expect(session[:return_to]).to be_nil
end
end
end
describe 'authenticate' do
describe 'not logged in' do
it 'does not authenticate' do
routes.draw { get 'authenticate_blank' => 'dummy_auth#authenticate_blank' }
get_with_defaults :authenticate_blank
expect(response).to have_http_status(:redirect)
expect(response).to redirect_to(login_path)
expect(flash[:alert]).to match(I18n.t('application.controller.error_authn'))
end
end
describe 'logged in' do
let(:user) { create :user }
let(:pickups_user) { create :user, :role_pickups }
let(:finance_user) { create :user, :role_finance }
let(:orders_user) { create :user, :role_orders }
it 'does not authenticate with unknown group' do
login user
routes.draw { get 'authenticate_unknown_group' => 'dummy_auth#authenticate_unknown_group' }
get_with_defaults :authenticate_unknown_group
expect(response).to have_http_status(:redirect)
expect(response).to redirect_to(root_path)
expect(flash[:alert]).to match(I18n.t('application.controller.error_denied', sign_in: ActionController::Base.helpers.link_to(I18n.t('application.controller.error_denied_sign_in'), login_path)))
end
it 'does not authenticate with pickups group' do
login pickups_user
routes.draw { get 'authenticate_pickups' => 'dummy_auth#authenticate_pickups' }
get_with_defaults :authenticate_pickups
expect(response).to have_http_status(:success)
end
it 'does not authenticate with finance group' do
login finance_user
routes.draw { get 'authenticate_finance_or_orders' => 'dummy_auth#authenticate_finance_or_orders' }
get_with_defaults :authenticate_finance_or_orders
expect(response).to have_http_status(:success)
end
it 'does not authenticate with orders group' do
login orders_user
routes.draw { get 'authenticate_finance_or_orders' => 'dummy_auth#authenticate_finance_or_orders' }
get_with_defaults :authenticate_finance_or_orders
expect(response).to have_http_status(:success)
end
end
end
describe 'authenticate_membership_or_admin' do
describe 'logged in' do
let(:pickups_user) { create :user, :role_pickups }
let(:workgroup) { create :workgroup }
it 'redirects with not permitted group' do
group_id = workgroup.id
login pickups_user
routes.draw { get 'try_authenticate_membership_or_admin' => 'dummy_auth#try_authenticate_membership_or_admin' }
get_with_defaults :try_authenticate_membership_or_admin, params: { id: group_id }
expect(response).to have_http_status(:redirect)
expect(response).to redirect_to(root_path)
expect(flash[:alert]).to match(I18n.t('application.controller.error_members_only'))
end
end
end
describe 'authenticate_or_token' do
describe 'logged in' do
let(:token_verifier) { TokenVerifier.new('xyz') }
let(:token_msg) { token_verifier.generate }
let(:user) { create :user }
before { login user }
it 'authenticates token' do
routes.draw { get 'try_authenticate_or_token' => 'dummy_auth#try_authenticate_or_token' }
get_with_defaults :try_authenticate_or_token, params: { token: token_msg }
expect(response).not_to have_http_status(:redirect)
end
it 'redirects on faulty token' do
routes.draw { get 'try_authenticate_or_token' => 'dummy_auth#try_authenticate_or_token' }
get_with_defaults :try_authenticate_or_token, params: { token: 'abc' }
expect(response).to have_http_status(:redirect)
expect(response).to redirect_to(root_path)
expect(flash[:alert]).to match(I18n.t('application.controller.error_token'))
end
it 'authenticates current user on empty token' do
routes.draw { get 'try_authenticate_or_token' => 'dummy_auth#try_authenticate_or_token' }
get_with_defaults :try_authenticate_or_token
expect(response).to have_http_status(:success)
end
end
end
end