discourse/spec/models/user_auth_token_spec.rb

require 'rails_helper'

describe UserAuthToken do

  it "can remove old expired tokens" do

    SiteSetting.verbose_auth_token_logging = true

    freeze_time Time.zone.now
    SiteSetting.maximum_session_age = 1

    user = Fabricate(:user)
    token = UserAuthToken.generate!(user_id: user.id,
                                    user_agent: "some user agent 2",
                                    client_ip: "1.1.2.3")

    freeze_time 1.hour.from_now
    UserAuthToken.cleanup!

    expect(UserAuthToken.where(id: token.id).count).to eq(1)

    freeze_time 1.second.from_now
    UserAuthToken.cleanup!

    expect(UserAuthToken.where(id: token.id).count).to eq(1)

    freeze_time UserAuthToken::ROTATE_TIME.from_now
    UserAuthToken.cleanup!

    expect(UserAuthToken.where(id: token.id).count).to eq(0)

  end

  it "can lookup hashed" do
    user = Fabricate(:user)

    token = UserAuthToken.generate!(user_id: user.id,
                                    user_agent: "some user agent 2",
                                    client_ip: "1.1.2.3")

    lookup_token = UserAuthToken.lookup(token.unhashed_auth_token)

    expect(user.id).to eq(lookup_token.user.id)

    lookup_token = UserAuthToken.lookup(token.auth_token)

    expect(lookup_token).to eq(nil)
  end

  it "can validate token was seen at lookup time" do

    user = Fabricate(:user)

    user_token = UserAuthToken.generate!(user_id: user.id,
                                         user_agent: "some user agent 2",
                                         client_ip: "1.1.2.3")

    expect(user_token.auth_token_seen).to eq(false)

    UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)

    user_token.reload
    expect(user_token.auth_token_seen).to eq(true)

  end

  it "can rotate with no params maintaining data" do

    user = Fabricate(:user)

    user_token = UserAuthToken.generate!(user_id: user.id,
                                         user_agent: "some user agent 2",
                                         client_ip: "1.1.2.3")

    user_token.update_columns(auth_token_seen: true)
    expect(user_token.rotate!).to eq(true)
    user_token.reload
    expect(user_token.client_ip.to_s).to eq("1.1.2.3")
    expect(user_token.user_agent).to eq("some user agent 2")
  end

  it "expires correctly" do

    user = Fabricate(:user)

    user_token = UserAuthToken.generate!(user_id: user.id,
                                         user_agent: "some user agent 2",
                                         client_ip: "1.1.2.3")

    UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)

    freeze_time (SiteSetting.maximum_session_age.hours - 1).from_now

    user_token.reload

    user_token.rotate!
    UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)

    freeze_time (SiteSetting.maximum_session_age.hours - 1).from_now

    still_good = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)
    expect(still_good).not_to eq(nil)

    freeze_time 2.hours.from_now

    not_good = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)
    expect(not_good).to eq(nil)
  end

  it "can properly rotate tokens" do

    user = Fabricate(:user)

    user_token = UserAuthToken.generate!(user_id: user.id,
                                         user_agent: "some user agent 2",
                                         client_ip: "1.1.2.3")

    prev_auth_token = user_token.auth_token
    unhashed_prev = user_token.unhashed_auth_token

    rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")
    expect(rotated).to eq(false)

    user_token.update_columns(auth_token_seen: true)

    rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")
    expect(rotated).to eq(true)

    user_token.reload

    expect(user_token.rotated_at).to be_within(5.second).of(Time.zone.now)
    expect(user_token.client_ip).to eq("1.1.2.4")
    expect(user_token.user_agent).to eq("a new user agent")
    expect(user_token.auth_token_seen).to eq(false)
    expect(user_token.seen_at).to eq(nil)
    expect(user_token.prev_auth_token).to eq(prev_auth_token)

    # ability to auth using an old token
    freeze_time

    looked_up = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)
    expect(looked_up.id).to eq(user_token.id)
    expect(looked_up.auth_token_seen).to eq(true)
    expect(looked_up.seen_at).to be_within(1.second).of(Time.zone.now)

    looked_up = UserAuthToken.lookup(unhashed_prev, seen: true)
    expect(looked_up.id).to eq(user_token.id)

    freeze_time(2.minute.from_now)

    looked_up = UserAuthToken.lookup(unhashed_prev)
    expect(looked_up).not_to eq(nil)

    looked_up.reload
    expect(looked_up.auth_token_seen).to eq(false)

    rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")
    expect(rotated).to eq(true)
    user_token.reload
    expect(user_token.seen_at).to eq(nil)
  end

  it "keeps prev token valid for 1 minute after it is confirmed" do

    user = Fabricate(:user)

    token = UserAuthToken.generate!(user_id: user.id,
                                    user_agent: "some user agent",
                                    client_ip: "1.1.2.3")

    UserAuthToken.lookup(token.unhashed_auth_token, seen: true)

    freeze_time(10.minutes.from_now)

    prev_token = token.unhashed_auth_token

    token.rotate!(user_agent: "firefox", client_ip: "1.1.1.1")

    freeze_time(10.minutes.from_now)

    expect(UserAuthToken.lookup(token.unhashed_auth_token, seen: true)).not_to eq(nil)
    expect(UserAuthToken.lookup(prev_token, seen: true)).not_to eq(nil)

  end

  it "can correctly log auth tokens" do
    SiteSetting.verbose_auth_token_logging = true

    user = Fabricate(:user)

    token = UserAuthToken.generate!(user_id: user.id,
                                    user_agent: "some user agent",
                                    client_ip: "1.1.2.3")

    expect(UserAuthTokenLog.where(
      action: 'generate',
      user_id: user.id,
      user_agent: "some user agent",
      client_ip: "1.1.2.3",
      user_auth_token_id: token.id,
    ).count).to eq(1)

    UserAuthToken.lookup(token.unhashed_auth_token,
      seen: true,
      user_agent: "something diff",
      client_ip: "1.2.3.3"
    )

    UserAuthToken.lookup(token.unhashed_auth_token,
      seen: true,
      user_agent: "something diff2",
      client_ip: "1.2.3.3"
    )

    expect(UserAuthTokenLog.where(
      action: "seen token",
      user_id: user.id,
      auth_token: token.auth_token,
      client_ip: "1.2.3.3",
      user_auth_token_id: token.id
    ).count).to eq(1)

    fake_token = SecureRandom.hex
    UserAuthToken.lookup(fake_token,
                         seen: true,
                         user_agent: "bob",
                         client_ip: "127.0.0.1",
                         path: "/path"
                        )

    expect(UserAuthTokenLog.where(
      action: "miss token",
      auth_token: UserAuthToken.hash_token(fake_token),
      user_agent: "bob",
      client_ip: "127.0.0.1",
      path: "/path"
    ).count).to eq(1)

    freeze_time(UserAuthToken::ROTATE_TIME.from_now)

    token.rotate!(user_agent: "firefox", client_ip: "1.1.1.1")

    expect(UserAuthTokenLog.where(
      action: "rotate",
      auth_token: token.auth_token,
      user_agent: "firefox",
      client_ip: "1.1.1.1",
      user_auth_token_id: token.id
    ).count).to eq(1)

  end

  it "will not mark token unseen when prev and current are the same" do
    user = Fabricate(:user)

    token = UserAuthToken.generate!(user_id: user.id,
                                    user_agent: "some user agent",
                                    client_ip: "1.1.2.3")

    lookup = UserAuthToken.lookup(token.unhashed_auth_token, seen: true)
    lookup = UserAuthToken.lookup(token.unhashed_auth_token, seen: true)
    lookup.reload
    expect(lookup.auth_token_seen).to eq(true)
  end

end
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`require 'rails_helper'`

			`describe UserAuthToken do`

			`it "can remove old expired tokens" do`

FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`SiteSetting.verbose_auth_token_logging = true`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`freeze_time Time.zone.now`
			`SiteSetting.maximum_session_age = 1`

			`user = Fabricate(:user)`
			`token = UserAuthToken.generate!(user_id: user.id,`
			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`

			`freeze_time 1.hour.from_now`
			`UserAuthToken.cleanup!`

			`expect(UserAuthToken.where(id: token.id).count).to eq(1)`

			`freeze_time 1.second.from_now`
			`UserAuthToken.cleanup!`

			`expect(UserAuthToken.where(id: token.id).count).to eq(1)`

			`freeze_time UserAuthToken::ROTATE_TIME.from_now`
			`UserAuthToken.cleanup!`

			`expect(UserAuthToken.where(id: token.id).count).to eq(0)`

			`end`

FEATURE: remove support for legacy auth tokens 2018-05-03 20:11:58 -04:00			`it "can lookup hashed" do`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`user = Fabricate(:user)`

			`token = UserAuthToken.generate!(user_id: user.id,`
			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`

			`lookup_token = UserAuthToken.lookup(token.unhashed_auth_token)`

			`expect(user.id).to eq(lookup_token.user.id)`

			`lookup_token = UserAuthToken.lookup(token.auth_token)`

			`expect(lookup_token).to eq(nil)`
			`end`

			`it "can validate token was seen at lookup time" do`

			`user = Fabricate(:user)`

			`user_token = UserAuthToken.generate!(user_id: user.id,`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00
			`expect(user_token.auth_token_seen).to eq(false)`

			`UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`

			`user_token.reload`
			`expect(user_token.auth_token_seen).to eq(true)`

			`end`

			`it "can rotate with no params maintaining data" do`

			`user = Fabricate(:user)`

			`user_token = UserAuthToken.generate!(user_id: user.id,`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00
			`user_token.update_columns(auth_token_seen: true)`
			`expect(user_token.rotate!).to eq(true)`
			`user_token.reload`
			`expect(user_token.client_ip.to_s).to eq("1.1.2.3")`
			`expect(user_token.user_agent).to eq("some user agent 2")`
			`end`

FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`it "expires correctly" do`

			`user = Fabricate(:user)`

			`user_token = UserAuthToken.generate!(user_id: user.id,`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00
			`UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`

			`freeze_time (SiteSetting.maximum_session_age.hours - 1).from_now`

			`user_token.reload`

			`user_token.rotate!`
			`UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`

			`freeze_time (SiteSetting.maximum_session_age.hours - 1).from_now`

			`still_good = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`
			`expect(still_good).not_to eq(nil)`

			`freeze_time 2.hours.from_now`

			`not_good = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`
			`expect(not_good).to eq(nil)`
			`end`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`it "can properly rotate tokens" do`

			`user = Fabricate(:user)`

			`user_token = UserAuthToken.generate!(user_id: user.id,`
Add rubocop to our build. (#5004) 2017-07-27 21:20:09 -04:00			`user_agent: "some user agent 2",`
			`client_ip: "1.1.2.3")`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00
			`prev_auth_token = user_token.auth_token`
			`unhashed_prev = user_token.unhashed_auth_token`

			`rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")`
			`expect(rotated).to eq(false)`

			`user_token.update_columns(auth_token_seen: true)`

			`rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")`
			`expect(rotated).to eq(true)`

			`user_token.reload`

			`expect(user_token.rotated_at).to be_within(5.second).of(Time.zone.now)`
			`expect(user_token.client_ip).to eq("1.1.2.4")`
			`expect(user_token.user_agent).to eq("a new user agent")`
			`expect(user_token.auth_token_seen).to eq(false)`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`expect(user_token.seen_at).to eq(nil)`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`expect(user_token.prev_auth_token).to eq(prev_auth_token)`

			`# ability to auth using an old token`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`freeze_time`

			`looked_up = UserAuthToken.lookup(user_token.unhashed_auth_token, seen: true)`
			`expect(looked_up.id).to eq(user_token.id)`
			`expect(looked_up.auth_token_seen).to eq(true)`
			`expect(looked_up.seen_at).to be_within(1.second).of(Time.zone.now)`

			`looked_up = UserAuthToken.lookup(unhashed_prev, seen: true)`
FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`expect(looked_up.id).to eq(user_token.id)`

FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00			`freeze_time(2.minute.from_now)`

			`looked_up = UserAuthToken.lookup(unhashed_prev)`
FIX: attempt to handle ios edge case where token is seen but unsaved This relaxes our security in the following way - prev auth token is always accepted as long as rotation date is within our window of SiteSetting.maximum_session_age.hours (previously old token expired within a minute of new one being seen) - new auth token is marked unseen if we are presented with an old token after we already saw new one This attempts to fix an issue where ios webkit is not committing new cookies 2017-02-26 17:09:57 -05:00			`expect(looked_up).not_to eq(nil)`

			`looked_up.reload`
			`expect(looked_up.auth_token_seen).to eq(false)`
FIX: token rotation not accounting for overlapping tokens correctly also... freeze_time has no block form, correct all usages and specs 2017-02-15 10:58:18 -05:00
			`rotated = user_token.rotate!(user_agent: "a new user agent", client_ip: "1.1.2.4")`
			`expect(rotated).to eq(true)`
			`user_token.reload`
			`expect(user_token.seen_at).to eq(nil)`
			`end`

			`it "keeps prev token valid for 1 minute after it is confirmed" do`

			`user = Fabricate(:user)`

			`token = UserAuthToken.generate!(user_id: user.id,`
			`user_agent: "some user agent",`
			`client_ip: "1.1.2.3")`

			`UserAuthToken.lookup(token.unhashed_auth_token, seen: true)`

			`freeze_time(10.minutes.from_now)`

			`prev_token = token.unhashed_auth_token`

			`token.rotate!(user_agent: "firefox", client_ip: "1.1.1.1")`

			`freeze_time(10.minutes.from_now)`

			`expect(UserAuthToken.lookup(token.unhashed_auth_token, seen: true)).not_to eq(nil)`
			`expect(UserAuthToken.lookup(prev_token, seen: true)).not_to eq(nil)`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`end`

FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`it "can correctly log auth tokens" do`
			`SiteSetting.verbose_auth_token_logging = true`

			`user = Fabricate(:user)`

			`token = UserAuthToken.generate!(user_id: user.id,`
			`user_agent: "some user agent",`
			`client_ip: "1.1.2.3")`

			`expect(UserAuthTokenLog.where(`
			`action: 'generate',`
			`user_id: user.id,`
			`user_agent: "some user agent",`
			`client_ip: "1.1.2.3",`
			`user_auth_token_id: token.id,`
			`).count).to eq(1)`

			`UserAuthToken.lookup(token.unhashed_auth_token,`
			`seen: true,`
			`user_agent: "something diff",`
			`client_ip: "1.2.3.3"`
			`)`

			`UserAuthToken.lookup(token.unhashed_auth_token,`
			`seen: true,`
			`user_agent: "something diff2",`
			`client_ip: "1.2.3.3"`
			`)`

			`expect(UserAuthTokenLog.where(`
			`action: "seen token",`
			`user_id: user.id,`
			`auth_token: token.auth_token,`
			`client_ip: "1.2.3.3",`
			`user_auth_token_id: token.id`
			`).count).to eq(1)`

			`fake_token = SecureRandom.hex`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`UserAuthToken.lookup(fake_token,`
			`seen: true,`
			`user_agent: "bob",`
			`client_ip: "127.0.0.1",`
			`path: "/path"`
			`)`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00
			`expect(UserAuthTokenLog.where(`
			`action: "miss token",`
			`auth_token: UserAuthToken.hash_token(fake_token),`
			`user_agent: "bob",`
FIX: Improve token rotation and increase logging - avoid access denied on bad cookie, instead just nuke it - avoid marking a token unseen for first minute post rotation - log path in user auth token logs 2017-03-07 13:27:34 -05:00			`client_ip: "127.0.0.1",`
			`path: "/path"`
FEATURE: add hidden setting for verbose auth token logging This is only needed to debug auth token issues, will result in lots of logging 2017-02-13 14:01:01 -05:00			`).count).to eq(1)`

			`freeze_time(UserAuthToken::ROTATE_TIME.from_now)`

			`token.rotate!(user_agent: "firefox", client_ip: "1.1.1.1")`

			`expect(UserAuthTokenLog.where(`
			`action: "rotate",`
			`auth_token: token.auth_token,`
			`user_agent: "firefox",`
			`client_ip: "1.1.1.1",`
			`user_auth_token_id: token.id`
			`).count).to eq(1)`

			`end`

FIX: on initial token issue stop unmarking token as unseen prev and current are the same so we need special logic to bypass 2017-02-28 10:38:22 -05:00			`it "will not mark token unseen when prev and current are the same" do`
			`user = Fabricate(:user)`

			`token = UserAuthToken.generate!(user_id: user.id,`
			`user_agent: "some user agent",`
			`client_ip: "1.1.2.3")`

			`lookup = UserAuthToken.lookup(token.unhashed_auth_token, seen: true)`
			`lookup = UserAuthToken.lookup(token.unhashed_auth_token, seen: true)`
			`lookup.reload`
			`expect(lookup.auth_token_seen).to eq(true)`
			`end`

FEATURE: per client user tokens Revamped system for managing authentication tokens. - Every user has 1 token per client (web browser) - Tokens are rotated every 10 minutes New system migrates the old tokens to "legacy" tokens, so users still remain logged on. Also introduces weekly job to expire old auth tokens. 2017-01-31 17:21:37 -05:00			`end`