spec/requests/api/session_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

require 'spec_helper'

describe API::Session, api: true  do
  include ApiHelpers

  let(:user) { create(:user) }

  describe "POST /session" do
    context "when valid password" do
      it "returns private token" do
        post api("/session"), email: user.email, password: '12345678'
        expect(response).to have_http_status(201)

        expect(json_response['email']).to eq(user.email)
        expect(json_response['private_token']).to eq(user.private_token)
        expect(json_response['is_admin']).to eq(user.is_admin?)
        expect(json_response['can_create_project']).to eq(user.can_create_project?)
        expect(json_response['can_create_group']).to eq(user.can_create_group?)
      end

      context 'with 2FA enabled' do
        it 'rejects sign in attempts' do
          user = create(:user, :two_factor)

          post api('/session'), email: user.email, password: user.password

          expect(response).to have_http_status(401)
          expect(response.body).to include('You have 2FA enabled.')
        end
      end
    end

    context 'when email has case-typo and password is valid' do
      it 'returns private token' do
        post api('/session'), email: user.email.upcase, password: '12345678'
        expect(response.status).to eq 201

        expect(json_response['email']).to eq user.email
        expect(json_response['private_token']).to eq user.private_token
        expect(json_response['is_admin']).to eq user.is_admin?
        expect(json_response['can_create_project']).to eq user.can_create_project?
        expect(json_response['can_create_group']).to eq user.can_create_group?
      end
    end

    context 'when login has case-typo and password is valid' do
      it 'returns private token' do
        post api('/session'), login: user.username.upcase, password: '12345678'
        expect(response.status).to eq 201

        expect(json_response['email']).to eq user.email
        expect(json_response['private_token']).to eq user.private_token
        expect(json_response['is_admin']).to eq user.is_admin?
        expect(json_response['can_create_project']).to eq user.can_create_project?
        expect(json_response['can_create_group']).to eq user.can_create_group?
      end
    end

    context "when invalid password" do
      it "returns authentication error" do
        post api("/session"), email: user.email, password: '123'
        expect(response).to have_http_status(401)

        expect(json_response['email']).to be_nil
        expect(json_response['private_token']).to be_nil
      end
    end

    context "when empty password" do
      it "returns authentication error with email" do
        post api("/session"), email: user.email

        expect(response).to have_http_status(400)
      end

      it "returns authentication error with username" do
        post api("/session"), email: user.username

        expect(response).to have_http_status(400)
      end
    end

    context "when empty name" do
      it "returns authentication error" do
        post api("/session"), password: user.password

        expect(response).to have_http_status(400)
      end
    end

    context "when user is blocked" do
      it "returns authentication error" do
        user.block
        post api("/session"), email: user.username, password: user.password

        expect(response).to have_http_status(401)
      end
    end

    context "when user is ldap_blocked" do
      it "returns authentication error" do
        user.ldap_block
        post api("/session"), email: user.username, password: user.password

        expect(response).to have_http_status(401)
      end
    end
  end
end