Merge branch '18000-remember-me-for-oauth-login' into 'master'

Honor the "Remember me" parameter for OAuth-based login

Closes #18000

See merge request !11963

5 files changed, 160 insertions, 1 deletions

diff --git a/spec/features/oauth_login_spec.rb b/spec/features/oauth_login_spec.rb
new file mode 100644
index 00000000000..452b920307c
--- /dev/null
+++ b/spec/features/oauth_login_spec.rb
@@ -0,0 +1,112 @@
+require 'spec_helper'
+
+feature 'OAuth Login', js: true do
+  def enter_code(code)
+    fill_in 'user_otp_attempt', with: code
+    click_button 'Verify code'
+  end
+
+  def stub_omniauth_config(provider)
+    OmniAuth.config.add_mock(provider, OmniAuth::AuthHash.new(provider: provider.to_s, uid: "12345"))
+    Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]
+    Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
+  end
+
+  providers = [:github, :twitter, :bitbucket, :gitlab, :google_oauth2,
+               :facebook, :authentiq, :cas3, :auth0]
+
+  before(:all) do
+    # The OmniAuth `full_host` parameter doesn't get set correctly (it gets set to something like `http://localhost`
+    # here), and causes integration tests to fail with 404s. We set the `full_host` by removing the request path (and
+    # anything after it) from the request URI.
+    @omniauth_config_full_host = OmniAuth.config.full_host
+    OmniAuth.config.full_host = ->(request) { request['REQUEST_URI'].sub(/#{request['REQUEST_PATH']}.*/, '') }
+  end
+
+  after(:all) do
+    OmniAuth.config.full_host = @omniauth_config_full_host
+  end
+
+  providers.each do |provider|
+    context "when the user logs in using the #{provider} provider" do
+      context 'when two-factor authentication is disabled' do
+        it 'logs the user in' do
+          stub_omniauth_config(provider)
+          user = create(:omniauth_user, extern_uid: 'my-uid', provider: provider.to_s)
+          login_via(provider.to_s, user, 'my-uid')
+
+          expect(current_path).to eq root_path
+        end
+      end
+
+      context 'when two-factor authentication is enabled' do
+        it 'logs the user in' do
+          stub_omniauth_config(provider)
+          user = create(:omniauth_user, :two_factor, extern_uid: 'my-uid', provider: provider.to_s)
+          login_via(provider.to_s, user, 'my-uid')
+
+          enter_code(user.current_otp)
+          expect(current_path).to eq root_path
+        end
+      end
+
+      context 'when "remember me" is checked' do
+        context 'when two-factor authentication is disabled' do
+          it 'remembers the user after a browser restart' do
+            stub_omniauth_config(provider)
+            user = create(:omniauth_user, extern_uid: 'my-uid', provider: provider.to_s)
+            login_via(provider.to_s, user, 'my-uid', remember_me: true)
+
+            clear_browser_session
+
+            visit(root_path)
+            expect(current_path).to eq root_path
+          end
+        end
+
+        context 'when two-factor authentication is enabled' do
+          it 'remembers the user after a browser restart' do
+            stub_omniauth_config(provider)
+            user = create(:omniauth_user, :two_factor, extern_uid: 'my-uid', provider: provider.to_s)
+            login_via(provider.to_s, user, 'my-uid', remember_me: true)
+            enter_code(user.current_otp)
+
+            clear_browser_session
+
+            visit(root_path)
+            expect(current_path).to eq root_path
+          end
+        end
+      end
+
+      context 'when "remember me" is not checked' do
+        context 'when two-factor authentication is disabled' do
+          it 'does not remember the user after a browser restart' do
+            stub_omniauth_config(provider)
+            user = create(:omniauth_user, extern_uid: 'my-uid', provider: provider.to_s)
+            login_via(provider.to_s, user, 'my-uid', remember_me: false)
+
+            clear_browser_session
+
+            visit(root_path)
+            expect(current_path).to eq new_user_session_path
+          end
+        end
+
+        context 'when two-factor authentication is enabled' do
+          it 'does not remember the user after a browser restart' do
+            stub_omniauth_config(provider)
+            user = create(:omniauth_user, :two_factor, extern_uid: 'my-uid', provider: provider.to_s)
+            login_via(provider.to_s, user, 'my-uid', remember_me: false)
+            enter_code(user.current_otp)
+
+            clear_browser_session
+
+            visit(root_path)
+            expect(current_path).to eq new_user_session_path
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/javascripts/fixtures/oauth_remember_me.html.haml b/spec/javascripts/fixtures/oauth_remember_me.html.haml
new file mode 100644
index 00000000000..7886e995e57
--- /dev/null
+++ b/spec/javascripts/fixtures/oauth_remember_me.html.haml
@@ -0,0 +1,5 @@
+#oauth-container
+  %input#remember_me{ type: "checkbox" }
+
+  %a.oauth-login.twitter{ href: "http://example.com/" }
+  %a.oauth-login.github{ href: "http://example.com/" }
diff --git a/spec/javascripts/oauth_remember_me_spec.js b/spec/javascripts/oauth_remember_me_spec.js
new file mode 100644
index 00000000000..f90e0093d25
--- /dev/null
+++ b/spec/javascripts/oauth_remember_me_spec.js
@@ -0,0 +1,26 @@
+import OAuthRememberMe from '~/oauth_remember_me';
+
+describe('OAuthRememberMe', () => {
+  preloadFixtures('static/oauth_remember_me.html.raw');
+
+  beforeEach(() => {
+    loadFixtures('static/oauth_remember_me.html.raw');
+
+    new OAuthRememberMe({ container: $('#oauth-container') }).bindEvents();
+  });
+
+  it('adds the "remember_me" query parameter to all OAuth login buttons', () => {
+    $('#oauth-container #remember_me').click();
+
+    expect($('#oauth-container .oauth-login.twitter').attr('href')).toBe('http://example.com/?remember_me=1');
+    expect($('#oauth-container .oauth-login.github').attr('href')).toBe('http://example.com/?remember_me=1');
+  });
+
+  it('removes the "remember_me" query parameter from all OAuth login buttons', () => {
+    $('#oauth-container #remember_me').click();
+    $('#oauth-container #remember_me').click();
+
+    expect($('#oauth-container .oauth-login.twitter').attr('href')).toBe('http://example.com/');
+    expect($('#oauth-container .oauth-login.github').attr('href')).toBe('http://example.com/');
+  });
+});
diff --git a/spec/support/capybara_helpers.rb b/spec/support/capybara_helpers.rb
index b57a3493aff..3eb7bea3227 100644
--- a/spec/support/capybara_helpers.rb
+++ b/spec/support/capybara_helpers.rb
@@ -35,6 +35,11 @@ module CapybaraHelpers
     visit 'about:blank'
     visit url
   end
+
+  # Simulate a browser restart by clearing the session cookie.
+  def clear_browser_session
+    page.driver.remove_cookie('_gitlab_session')
+  end
 end
 
 RSpec.configure do |config|
diff --git a/spec/support/login_helpers.rb b/spec/support/login_helpers.rb
index 4c88958264b..99e7806353d 100644
--- a/spec/support/login_helpers.rb
+++ b/spec/support/login_helpers.rb
@@ -62,6 +62,16 @@ module LoginHelpers
     Thread.current[:current_user] = user
   end
 
+  def login_via(provider, user, uid, remember_me: false)
+    mock_auth_hash(provider, uid, user.email)
+    visit new_user_session_path
+    expect(page).to have_content('Sign in with')
+
+    check 'Remember Me' if remember_me
+
+    click_link "oauth-login-#{provider}"
+  end
+
   def mock_auth_hash(provider, uid, email)
     # The mock_auth configuration allows you to set per-provider (or default)
     # authentication hashes to return during integration testing.
@@ -108,6 +118,7 @@ module LoginHelpers
     end
     allow(Gitlab::OAuth::Provider).to receive_messages(providers: [:saml], config_for: mock_saml_config)
     stub_omniauth_setting(messages)
-    expect_any_instance_of(Object).to receive(:omniauth_authorize_path).with(:user, "saml").and_return('/users/auth/saml')
+    allow_any_instance_of(Object).to receive(:user_saml_omniauth_authorize_path).and_return('/users/auth/saml')
+    allow_any_instance_of(Object).to receive(:omniauth_authorize_path).with(:user, "saml").and_return('/users/auth/saml')
   end
 end