defmodule PhilomenaWeb.UserAuthTest do use PhilomenaWeb.ConnCase, async: true alias Philomena.Users alias PhilomenaWeb.UserAuth import Philomena.UsersFixtures setup %{conn: conn} do conn = conn |> Map.replace!(:secret_key_base, PhilomenaWeb.Endpoint.config(:secret_key_base)) |> assign(:fingerprint, "d015c342859dde3") |> init_test_session(%{}) %{user: user_fixture(), conn: conn} end describe "log_in_user/3" do test "stores the user token in the session", %{conn: conn, user: user} do conn = UserAuth.log_in_user(conn, user) assert token = get_session(conn, :user_token) assert get_session(conn, :live_socket_id) == "users_sessions:#{Base.url_encode64(token)}" assert redirected_to(conn) == "/" assert Users.get_user_by_session_token(token) end test "clears everything previously stored in the session", %{conn: conn, user: user} do conn = conn |> put_session(:to_be_removed, "value") |> UserAuth.log_in_user(user) refute get_session(conn, :to_be_removed) end test "redirects to the configured path", %{conn: conn, user: user} do conn = conn |> put_session(:user_return_to, "/hello") |> UserAuth.log_in_user(user) assert redirected_to(conn) == "/hello" end test "writes a cookie if remember_me is configured", %{conn: conn, user: user} do conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"}) assert get_session(conn, :user_token) == conn.cookies["user_remember_me"] assert %{value: signed_token, max_age: max_age} = conn.resp_cookies["user_remember_me"] assert signed_token != get_session(conn, :user_token) assert max_age == 31_536_000 end end describe "totp_auth_user/3" do test "stores the user token in the session", %{conn: conn, user: user} do conn = UserAuth.totp_auth_user(conn, user) assert token = get_session(conn, :totp_token) assert redirected_to(conn) == "/" assert Users.user_totp_token_valid?(user, token) end test "redirects to the configured path", %{conn: conn, user: user} do conn = conn |> put_session(:user_return_to, "/hello") |> UserAuth.totp_auth_user(user) assert redirected_to(conn) == "/hello" end test "writes a cookie if remember_me is configured", %{conn: conn, user: user} do conn = conn |> fetch_cookies() |> UserAuth.totp_auth_user(user, %{"remember_me" => "true"}) assert get_session(conn, :totp_token) == conn.cookies["user_totp_auth"] assert %{value: signed_token, max_age: max_age} = conn.resp_cookies["user_totp_auth"] assert signed_token != get_session(conn, :totp_token) assert max_age == 31_536_000 end end describe "logout_user/1" do test "erases session and cookies", %{conn: conn, user: user} do user_token = Users.generate_user_session_token(user) totp_token = Users.generate_user_totp_token(user) conn = conn |> put_session(:user_token, user_token) |> put_session(:totp_token, totp_token) |> put_req_cookie("user_remember_me", user_token) |> put_req_cookie("user_totp_auth", totp_token) |> fetch_cookies() |> UserAuth.log_out_user() refute get_session(conn, :user_token) refute get_session(conn, :totp_token) refute conn.cookies["user_remember_me"] refute conn.cookies["user_totp_auth"] assert %{max_age: 0} = conn.resp_cookies["user_remember_me"] assert %{max_age: 0} = conn.resp_cookies["user_totp_auth"] assert redirected_to(conn) == "/" refute Users.get_user_by_session_token(user_token) refute Users.user_totp_token_valid?(user, totp_token) end test "broadcasts to the given live_socket_id", %{conn: conn} do live_socket_id = "users_sessions:abcdef-token" PhilomenaWeb.Endpoint.subscribe(live_socket_id) conn |> put_session(:live_socket_id, live_socket_id) |> UserAuth.log_out_user() assert_receive %Phoenix.Socket.Broadcast{ event: "disconnect", topic: "users_sessions:abcdef-token" } end test "works even if user is already logged out", %{conn: conn} do conn = conn |> fetch_cookies() |> UserAuth.log_out_user() refute get_session(conn, :user_token) assert %{max_age: 0} = conn.resp_cookies["user_remember_me"] assert redirected_to(conn) == "/" end end describe "fetch_current_user/2" do test "authenticates user from session", %{conn: conn, user: user} do user_token = Users.generate_user_session_token(user) conn = conn |> put_session(:user_token, user_token) |> UserAuth.fetch_current_user([]) assert conn.assigns.current_user.id == user.id end test "authenticates user from cookies", %{conn: conn, user: user} do logged_in_conn = conn |> fetch_cookies() |> UserAuth.log_in_user(user, %{"remember_me" => "true"}) user_token = logged_in_conn.cookies["user_remember_me"] %{value: signed_token} = logged_in_conn.resp_cookies["user_remember_me"] conn = conn |> put_req_cookie("user_remember_me", signed_token) |> UserAuth.fetch_current_user([]) assert get_session(conn, :user_token) == user_token assert conn.assigns.current_user.id == user.id end test "does not authenticate if data is missing", %{conn: conn, user: user} do _ = Users.generate_user_session_token(user) conn = UserAuth.fetch_current_user(conn, []) refute get_session(conn, :user_token) refute conn.assigns.current_user end end describe "redirect_if_user_is_authenticated/2" do test "redirects if user is authenticated", %{conn: conn, user: user} do conn = conn |> assign(:current_user, user) |> UserAuth.redirect_if_user_is_authenticated([]) assert conn.halted assert redirected_to(conn) == "/" end test "does not redirect if user is not authenticated", %{conn: conn} do conn = UserAuth.redirect_if_user_is_authenticated(conn, []) refute conn.halted refute conn.status end end describe "require_authenticated_user/2" do test "redirects if user is not authenticated", %{conn: conn} do conn = conn |> fetch_flash() |> UserAuth.require_authenticated_user([]) assert conn.halted assert redirected_to(conn) == ~p"/sessions/new" assert Phoenix.Flash.get(conn.assigns.flash, :warning) == "You must log in to access this page." end test "stores the path to redirect to on GET", %{conn: conn} do halted_conn = %{conn | request_path: "/foo?bar"} |> fetch_flash() |> UserAuth.require_authenticated_user([]) assert halted_conn.halted assert get_session(halted_conn, :user_return_to) == "/foo?bar" halted_conn = %{conn | request_path: "/foo?bar", method: "POST"} |> fetch_flash() |> UserAuth.require_authenticated_user([]) assert halted_conn.halted refute get_session(halted_conn, :user_return_to) end test "does not redirect if user is authenticated", %{conn: conn, user: user} do conn = conn |> assign(:current_user, user) |> UserAuth.require_authenticated_user([]) refute conn.halted refute conn.status end end end