discourse/spec/requests/associate_accounts_controll...

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe Users::AssociateAccountsController do
  fab!(:user) { Fabricate(:user) }
  fab!(:user2) { Fabricate(:user) }

  before do
    OmniAuth.config.test_mode = true
  end

  after do
    Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] = nil
    OmniAuth.config.test_mode = false
  end

  context 'when attempting reconnect' do
    before do
      SiteSetting.enable_google_oauth2_logins = true
      OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(
        provider: 'google_oauth2',
        uid: '12345',
        info: {
          email: 'someemail@test.com',
        },
        extra: {
          raw_info: {
            email_verified: true,
          }
        },
      )

      Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]
    end

    it 'should work correctly' do
      sign_in(user)

      # Reconnect flow:
      post "/auth/google_oauth2?reconnect=true"
      expect(response.status).to eq(302)
      expect(session[:auth_reconnect]).to eq(true)

      OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
      get "/auth/google_oauth2/callback.json"
      expect(response.status).to eq(302)

      expect(session[:current_user_id]).to eq(user.id) # Still logged in
      expect(UserAssociatedAccount.count).to eq(0) # Reconnect has not yet happened

      # Request associate info
      uri = URI.parse(response.redirect_url)
      get "#{uri.path}.json"
      data = response.parsed_body
      expect(data["provider_name"]).to eq("google_oauth2")
      expect(data["account_description"]).to eq("someemail@test.com")

      # Make the connection
      events = DiscourseEvent.track_events { post "#{uri.path}.json" }
      expect(events.any? { |e| e[:event_name] == :before_auth }).to eq(true)
      expect(events.any? { |e| e[:event_name] === :after_auth && Auth::GoogleOAuth2Authenticator === e[:params][0] && !e[:params][1].failed? }).to eq(true)

      expect(response.status).to eq(200)
      expect(UserAssociatedAccount.count).to eq(1)

      # Token cannot be reused
      get "#{uri.path}.json"
      expect(response.status).to eq(404)
    end

    it 'should only work within the current session' do
      sign_in(user)

      post "/auth/google_oauth2?reconnect=true"
      expect(response.status).to eq(302)
      expect(session[:auth_reconnect]).to eq(true)

      OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"
      get "/auth/google_oauth2/callback.json"
      expect(response.status).to eq(302)

      expect(session[:current_user_id]).to eq(user.id) # Still logged in
      expect(UserAssociatedAccount.count).to eq(0) # Reconnect has not yet happened

      uri = URI.parse(response.redirect_url)
      get "#{uri.path}.json"
      data = response.parsed_body
      expect(data["provider_name"]).to eq("google_oauth2")
      expect(data["account_description"]).to eq("someemail@test.com")

      cookies.delete "_forum_session"

      get "#{uri.path}.json"
      expect(response.status).to eq(404)
    end

    it "returns the correct response for non-existent tokens" do
      sign_in(user)

      get "/associate/12345678901234567890123456789012.json"
      expect(response.status).to eq(404)

      get "/associate/shorttoken.json"
      expect(response.status).to eq(404)
    end

    it "requires login" do
      # XHR should 403
      get "/associate/#{SecureRandom.hex}.json"
      expect(response.status).to eq(403)
    end
  end
end
DEV: Add test to ensure :after_auth event is triggered (#8400) Follow-up to ee8669d778ad46cb65265042eac4c58e9af0bf16. 2019-11-25 07:31:57 -05:00			`# frozen_string_literal: true`

			`require 'rails_helper'`

			`RSpec.describe Users::AssociateAccountsController do`
			`fab!(:user) { Fabricate(:user) }`
			`fab!(:user2) { Fabricate(:user) }`

			`before do`
			`OmniAuth.config.test_mode = true`
			`end`

			`after do`
			`Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2] = nil`
			`OmniAuth.config.test_mode = false`
			`end`

			`context 'when attempting reconnect' do`
			`before do`
			`SiteSetting.enable_google_oauth2_logins = true`
			`OmniAuth.config.mock_auth[:google_oauth2] = OmniAuth::AuthHash.new(`
			`provider: 'google_oauth2',`
			`uid: '12345',`
			`info: {`
			`email: 'someemail@test.com',`
			`},`
			`extra: {`
			`raw_info: {`
			`email_verified: true,`
			`}`
			`},`
			`)`

			`Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[:google_oauth2]`
			`end`

			`it 'should work correctly' do`
			`sign_in(user)`

			`# Reconnect flow:`
			`post "/auth/google_oauth2?reconnect=true"`
			`expect(response.status).to eq(302)`
			`expect(session[:auth_reconnect]).to eq(true)`

			`OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"`
			`get "/auth/google_oauth2/callback.json"`
			`expect(response.status).to eq(302)`

			`expect(session[:current_user_id]).to eq(user.id) # Still logged in`
			`expect(UserAssociatedAccount.count).to eq(0) # Reconnect has not yet happened`

			`# Request associate info`
			`uri = URI.parse(response.redirect_url)`
			`get "#{uri.path}.json"`
DEV: Use `response.parsed_body` in specs (#9615) Most of it was autofixed with rubocop-discourse 2.1.1. 2020-05-07 11:04:12 -04:00			`data = response.parsed_body`
DEV: Add test to ensure :after_auth event is triggered (#8400) Follow-up to ee8669d778ad46cb65265042eac4c58e9af0bf16. 2019-11-25 07:31:57 -05:00			`expect(data["provider_name"]).to eq("google_oauth2")`
			`expect(data["account_description"]).to eq("someemail@test.com")`

			`# Make the connection`
			`events = DiscourseEvent.track_events { post "#{uri.path}.json" }`
DEV: Introduce `:before_auth` DiscourseEvent (#11233) This is useful for plugins to manipulate the auth hash from OmniAuth before it is read by the Authenticator class 2020-11-13 09:41:54 -05:00			`expect(events.any? { \|e\| e[:event_name] == :before_auth }).to eq(true)`
DEV: Add test to ensure :after_auth event is triggered (#8400) Follow-up to ee8669d778ad46cb65265042eac4c58e9af0bf16. 2019-11-25 07:31:57 -05:00			`expect(events.any? { \|e\| e[:event_name] === :after_auth && Auth::GoogleOAuth2Authenticator === e[:params][0] && !e[:params][1].failed? }).to eq(true)`

			`expect(response.status).to eq(200)`
			`expect(UserAssociatedAccount.count).to eq(1)`

			`# Token cannot be reused`
			`get "#{uri.path}.json"`
			`expect(response.status).to eq(404)`
			`end`

DEV: Update associate_accounts_controller to use secure_session This is much cleaner than using redis directly. It also opens the door to more complex association change flows which may happen during login. 2021-08-10 09:09:30 -04:00			`it 'should only work within the current session' do`
			`sign_in(user)`

			`post "/auth/google_oauth2?reconnect=true"`
			`expect(response.status).to eq(302)`
			`expect(session[:auth_reconnect]).to eq(true)`

			`OmniAuth.config.mock_auth[:google_oauth2].uid = "123456"`
			`get "/auth/google_oauth2/callback.json"`
			`expect(response.status).to eq(302)`

			`expect(session[:current_user_id]).to eq(user.id) # Still logged in`
			`expect(UserAssociatedAccount.count).to eq(0) # Reconnect has not yet happened`

			`uri = URI.parse(response.redirect_url)`
			`get "#{uri.path}.json"`
			`data = response.parsed_body`
			`expect(data["provider_name"]).to eq("google_oauth2")`
			`expect(data["account_description"]).to eq("someemail@test.com")`

			`cookies.delete "_forum_session"`

			`get "#{uri.path}.json"`
			`expect(response.status).to eq(404)`
			`end`

FIX: misspelling in associate_accounts_controller_spec.rb non-existant -> non-existent 2021-06-04 01:30:29 -04:00			`it "returns the correct response for non-existent tokens" do`
DEV: Improve robustness of associate_accounts_controller This handles a few edge cases which are extremely rare (due to the UI layout), but still technically possible: - Ensure users are authenticated before attempting association. - Add a message and logic for when a user already has an association for a given auth provider. 2021-08-05 12:36:34 -04:00			`sign_in(user)`

DEV: Add test to ensure :after_auth event is triggered (#8400) Follow-up to ee8669d778ad46cb65265042eac4c58e9af0bf16. 2019-11-25 07:31:57 -05:00			`get "/associate/12345678901234567890123456789012.json"`
			`expect(response.status).to eq(404)`

			`get "/associate/shorttoken.json"`
			`expect(response.status).to eq(404)`
			`end`
DEV: Improve robustness of associate_accounts_controller This handles a few edge cases which are extremely rare (due to the UI layout), but still technically possible: - Ensure users are authenticated before attempting association. - Add a message and logic for when a user already has an association for a given auth provider. 2021-08-05 12:36:34 -04:00
			`it "requires login" do`
			`# XHR should 403`
			`get "/associate/#{SecureRandom.hex}.json"`
			`expect(response.status).to eq(403)`
			`end`
DEV: Add test to ensure :after_auth event is triggered (#8400) Follow-up to ee8669d778ad46cb65265042eac4c58e9af0bf16. 2019-11-25 07:31:57 -05:00			`end`
			`end`