trabajo-afectivo/spec/requests/session_spec.rb

require 'rails_helper'

RSpec.describe 'Sessions endpoints', type: :request do

  describe 'GET /signshow' do

    context 'user logged in' do

      subject(:user) { create(:agent, password: password) }

      let(:password) { SecureRandom.urlsafe_base64(20) }
      let(:fingerprint) { SecureRandom.urlsafe_base64(40) }

      before do
        params = {
          fingerprint: fingerprint,
          username:    user.login,
          password:    password
        }
        post '/api/v1/signin', params: params, as: :json
      end

      it 'leaks no sensitive data' do
        params = { fingerprint: fingerprint }
        get '/api/v1/signshow', params: params, as: :json

        expect(json_response['session']).not_to include('password')
      end
    end
  end

  describe 'GET /auth/sso (single sign-on)' do
    context 'with invalid user login' do
      let(:login) { User.pluck(:login).max.next }

      context 'in "REMOTE_USER" request env var' do
        let(:env) { { 'REMOTE_USER' => login } }

        it 'returns unauthorized response' do
          get '/auth/sso', as: :json, env: env

          expect(response).to have_http_status(:unauthorized)
        end
      end

      context 'in "HTTP_REMOTE_USER" request env var' do
        let(:env) { { 'HTTP_REMOTE_USER' => login } }

        it 'returns unauthorized response' do
          get '/auth/sso', as: :json, env: env

          expect(response).to have_http_status(:unauthorized)
        end
      end

      context 'in "X-Forwarded-User" request header' do
        let(:headers) { { 'X-Forwarded-User' => login } }

        it 'returns unauthorized response' do
          get '/auth/sso', as: :json, headers: headers

          expect(response).to have_http_status(:unauthorized)
        end
      end
    end

    context 'with valid user login' do
      let(:user) { User.last }
      let(:login) { user.login }

      context 'in Maintenance Mode' do
        before { Setting.set('maintenance_mode', true) }

        context 'in "REMOTE_USER" request env var' do
          let(:env) { { 'REMOTE_USER' => login } }

          it 'returns 401 unauthorized' do
            get '/auth/sso', as: :json, env: env

            expect(response).to have_http_status(:unauthorized)
            expect(json_response).to include('error' => 'Maintenance mode enabled!')
          end
        end

        context 'in "HTTP_REMOTE_USER" request env var' do
          let(:env) { { 'HTTP_REMOTE_USER' => login } }

          it 'returns 401 unauthorized' do
            get '/auth/sso', as: :json, env: env

            expect(response).to have_http_status(:unauthorized)
            expect(json_response).to include('error' => 'Maintenance mode enabled!')
          end
        end

        context 'in "X-Forwarded-User" request header' do
          let(:headers) { { 'X-Forwarded-User' => login } }

          it 'returns 401 unauthorized' do
            get '/auth/sso', as: :json, headers: headers

            expect(response).to have_http_status(:unauthorized)
            expect(json_response).to include('error' => 'Maintenance mode enabled!')
          end
        end
      end

      context 'in "REMOTE_USER" request env var' do
        let(:env) { { 'REMOTE_USER' => login } }

        it 'returns a new user-session response' do
          get '/auth/sso', as: :json, env: env

          expect(response).to redirect_to('/#')
        end

        it 'sets the :user_id session parameter' do
          expect { get '/auth/sso', as: :json, env: env }
            .to change { request&.session&.fetch(:user_id) }.to(user.id)
        end
      end

      context 'in "HTTP_REMOTE_USER" request env var' do
        let(:env) { { 'HTTP_REMOTE_USER' => login } }

        it 'returns a new user-session response' do
          get '/auth/sso', as: :json, env: env

          expect(response).to redirect_to('/#')
        end

        it 'sets the :user_id session parameter' do
          expect { get '/auth/sso', as: :json, env: env }
            .to change { request&.session&.fetch(:user_id) }.to(user.id)
        end
      end

      context 'in "X-Forwarded-User" request header' do
        let(:headers) { { 'X-Forwarded-User' => login } }

        it 'returns a new user-session response' do
          get '/auth/sso', as: :json, headers: headers

          expect(response).to redirect_to('/#')
        end

        it 'sets the :user_id session parameter on the client' do
          expect { get '/auth/sso', as: :json, headers: headers }
            .to change { request&.session&.fetch(:user_id) }.to(user.id)
        end
      end
    end
  end
end
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`require 'rails_helper'`

			`RSpec.describe 'Sessions endpoints', type: :request do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00
Enhancement: Limit data send back to the browser for valid session. 2020-02-12 14:25:31 +00:00			`describe 'GET /signshow' do`

			`context 'user logged in' do`

Refactoring: Restore consistency by replacing *_user suffix factories with just customer, admin and agent factory name. 2020-06-19 09:17:18 +00:00			`subject(:user) { create(:agent, password: password) }`
Enhancement: Limit data send back to the browser for valid session. 2020-02-12 14:25:31 +00:00
			`let(:password) { SecureRandom.urlsafe_base64(20) }`
			`let(:fingerprint) { SecureRandom.urlsafe_base64(40) }`

			`before do`
			`params = {`
			`fingerprint: fingerprint,`
			`username: user.login,`
			`password: password`
			`}`
			`post '/api/v1/signin', params: params, as: :json`
			`end`

			`it 'leaks no sensitive data' do`
			`params = { fingerprint: fingerprint }`
			`get '/api/v1/signshow', params: params, as: :json`

			`expect(json_response['session']).not_to include('password')`
			`end`
			`end`
			`end`

Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`describe 'GET /auth/sso (single sign-on)' do`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`context 'with invalid user login' do`
			`let(:login) { User.pluck(:login).max.next }`

			`context 'in "REMOTE_USER" request env var' do`
			`let(:env) { { 'REMOTE_USER' => login } }`

Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`it 'returns unauthorized response' do`
			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to have_http_status(:unauthorized)`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`
			`end`

			`context 'in "HTTP_REMOTE_USER" request env var' do`
			`let(:env) { { 'HTTP_REMOTE_USER' => login } }`

Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`it 'returns unauthorized response' do`
			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to have_http_status(:unauthorized)`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`
			`end`

			`context 'in "X-Forwarded-User" request header' do`
			`let(:headers) { { 'X-Forwarded-User' => login } }`

Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`it 'returns unauthorized response' do`
			`get '/auth/sso', as: :json, headers: headers`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to have_http_status(:unauthorized)`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`
			`end`
			`end`

			`context 'with valid user login' do`
			`let(:user) { User.last }`
			`let(:login) { user.login }`

			`context 'in Maintenance Mode' do`
			`before { Setting.set('maintenance_mode', true) }`

			`context 'in "REMOTE_USER" request env var' do`
			`let(:env) { { 'REMOTE_USER' => login } }`

			`it 'returns 401 unauthorized' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
			`expect(response).to have_http_status(:unauthorized)`
			`expect(json_response).to include('error' => 'Maintenance mode enabled!')`
			`end`
			`end`

			`context 'in "HTTP_REMOTE_USER" request env var' do`
			`let(:env) { { 'HTTP_REMOTE_USER' => login } }`

			`it 'returns 401 unauthorized' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
			`expect(response).to have_http_status(:unauthorized)`
			`expect(json_response).to include('error' => 'Maintenance mode enabled!')`
			`end`
			`end`

			`context 'in "X-Forwarded-User" request header' do`
			`let(:headers) { { 'X-Forwarded-User' => login } }`

			`it 'returns 401 unauthorized' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, headers: headers`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
			`expect(response).to have_http_status(:unauthorized)`
			`expect(json_response).to include('error' => 'Maintenance mode enabled!')`
			`end`
			`end`
			`end`

			`context 'in "REMOTE_USER" request env var' do`
			`let(:env) { { 'REMOTE_USER' => login } }`

			`it 'returns a new user-session response' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to redirect_to('/#')`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`

			`it 'sets the :user_id session parameter' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect { get '/auth/sso', as: :json, env: env }`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`.to change { request&.session&.fetch(:user_id) }.to(user.id)`
			`end`
			`end`

			`context 'in "HTTP_REMOTE_USER" request env var' do`
			`let(:env) { { 'HTTP_REMOTE_USER' => login } }`

			`it 'returns a new user-session response' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, env: env`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to redirect_to('/#')`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`

			`it 'sets the :user_id session parameter' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect { get '/auth/sso', as: :json, env: env }`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`.to change { request&.session&.fetch(:user_id) }.to(user.id)`
			`end`
			`end`

			`context 'in "X-Forwarded-User" request header' do`
			`let(:headers) { { 'X-Forwarded-User' => login } }`

			`it 'returns a new user-session response' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`get '/auth/sso', as: :json, headers: headers`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect(response).to redirect_to('/#')`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`end`

			`it 'sets the :user_id session parameter on the client' do`
Existing user session when requesting SSO session create endpoint will fail device check because of missing fingerprint param (which is required as soon as a user/session is present). 2019-09-30 17:34:13 +00:00			`expect { get '/auth/sso', as: :json, headers: headers }`
Feature: Single sign-on (SSO). 2019-09-05 14:02:31 +00:00			`.to change { request&.session&.fetch(:user_id) }.to(user.id)`
			`end`
			`end`
			`end`
			`end`
			`end`