From b8d1fa4efeec9ad1b242deb4ae949c9f0c240317 Mon Sep 17 00:00:00 2001
From: Jonathan Porta
Date: Sat, 10 Jan 2015 16:15:26 -0800
Subject: [PATCH 1/5] Add handlers are for authentication
---
 app/controllers/application_controller.rb | 21 ++++++++++++++++++++-
 app/controllers/sessions_controller.rb | 2 ++
 config/routes.rb | 1 +
 3 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index cb32e9d..bb150e4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -5,6 +5,14 @@ class ApplicationController < ActionController::Base private + def access_token + request.headers['HTTP_ACCESS_TOKEN'] + end + + def api_version + request.headers['HTTP_API_VERSION'] + end + def current_user # logger.debug request.headers.inspect logger.debug request.headers['HTTP_ACCESS_TOKEN']
@@ -12,7 +20,7 @@ def current_user if session[:user_id] logger.warn 'Getting user because the session had a user_id.' @current_user ||= User.find(session[:user_id]) if session[:user_id] - elsif request.headers['HTTP_ACCESS_TOKEN'] + elsif access_token logger.warn 'Getting user because request had an access token.' @urrent_user ||= User.find_by_access_token request.headers['HTTP_ACCESS_TOKEN'] end
@@ -23,5 +31,16 @@ def current_user redirect_to '/logout' end + def require_authentication + unless current_user + unauthorized + end + end + + def unauthorized + render nothing: true, status: 401 + end + helper_method :current_user + before_filter :require_authentication end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 5045fbd..52842a7 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
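Review bot: On the new `elsif access_token` branch the memo variable is still spelled `@urrent_user`, so a token-authenticated request repeats the `User.find_by_access_token` lookup on every `current_user` call in the request (the method still returns the user only because the assignment is the branch's last expression). PATCH 3/5 in this series corrects the spelling; if this commit is applied on its own the line should read `@current_user ||= User.find_by_access_token access_token`. The `current_user` method continues outside the hunk.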
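Review bot: `require_authentication` treats any truthy `current_user` as a logged-in user, but the `rescue ActiveRecord::RecordNotFound` path just above it (only its tail, `redirect_to '/logout'`, is inside the hunk) returns the value of `redirect_to` rather than nil, so a stale `session[:user_id]` passes the check with a non-User value and the helper exposed through `helper_method :current_user` can hand views a String; I would expect the rescue to clear `session[:user_id]` and return nil, though its opening lines are outside the hunk. `render nothing: true, status: 401` reads better as `head :unauthorized`. `before_filter` is the pre-4.0 spelling while sessions_controller.rb in the same patch uses `skip_before_action`; `before_action :require_authentication` keeps the two consistent.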
@@ -1,4 +1,6 @@ class SessionsController < ApplicationController + skip_before_action :require_authentication, only: [:create] + def create logger.debug env['omniauth.auth'] user = User.from_omniauth env['omniauth.auth']
diff --git a/config/routes.rb b/config/routes.rb
index 500ece6..3f0bf25 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -19,6 +19,7 @@ # You can have the root of your site routed with "root" root 'sessions#show', format: 'json' + get 'me', to: 'sessions#show', format: 'json' match 'auth/:provider/callback', to: 'sessions#create', via: [:get, :post] match 'auth/failure', to: redirect('/'), via: [:get, :post]
From ef238b896a2f3c0545083aa81df857a134d83614 Mon Sep 17 00:00:00 2001
From: Jonathan Porta
Date: Sun, 11 Jan 2015 17:57:14 -0800
Subject: [PATCH 2/5] Add password column and ensure email address are unique
---
 db/migrate/20150112014931_add_password_to_user.rb | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 db/migrate/20150112014931_add_password_to_user.rb
diff --git a/db/migrate/20150112014931_add_password_to_user.rb b/db/migrate/20150112014931_add_password_to_user.rb
new file mode 100644
index 0000000..4b30f82
--- /dev/null
+++ b/db/migrate/20150112014931_add_password_to_user.rb
@@ -0,0 +1,6 @@ +class AddPasswordToUser < ActiveRecord::Migration + def change + add_column :users, :password, :string + add_index :users, :email, unique: true + end +end
From 87df02c88d32ab68b9786f2ac699a0fb7f3745ad Mon Sep 17 00:00:00 2001
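Review bot: `skip_before_action :require_authentication, only: [:create]` leaves `destroy` behind the new filter, and the filter's `current_user` answers a `session[:user_id]` that points at a deleted user with `redirect_to '/logout'` (per the rescue tail shown in application_controller.rb in this patch), so a browser holding a stale session cookie would bounce between `/logout` and the filter without ever getting its session cleared. Logout should not require a live user: `skip_before_action :require_authentication, only: [:create, :destroy]`. `show` (the root route) now answers anonymous clients with an empty 401, which makes the `json.error 'Not authed…'` branch of sessions/show.json.jbuilder unreachable; acceptable, but worth a line in the commit message. The class continues outside the hunk.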
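Review bot: `add_column :users, :password, :string` names the column after the secret itself, which invites storing the plaintext password; the model should persist only a slow-hash digest (a `password_digest` column is what `has_secure_password` expects), and later patches in this series do rename it. `add_index :users, :email, unique: true` aborts the migration if duplicate e-mails already exist, and on PostgreSQL (schema.rb enables `plpgsql`) the index is case-sensitive, so two addresses differing only in case remain distinct accounts unless e-mail is downcased before save; a duplicate pre-check and a `before_validation` that normalises the address would close both gaps.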
From: Jonathan Porta
Date: Sun, 11 Jan 2015 21:40:18 -0800
Subject: [PATCH 3/5] Add basic user authentication and creation
---
 Gemfile | 1 +
 Gemfile.lock | 4 ++++
 app/controllers/application_controller.rb | 12 ++++------
 app/controllers/users_controller.rb | 17 ++++++++++++++
 app/models/user.rb | 22 ++++++++++++++++++-
 app/views/users/show.json.jbuilder | 2 ++
 config/routes.rb | 4 ++--
 .../20150112014931_add_password_to_user.rb | 3 ++-
 db/schema.rb | 6 ++++-
 .../auth_providers_controller_spec.rb | 6 ++++-
 spec/factories/users.rb | 1 +
 spec/models/user_spec.rb | 21 ++++++++++++++++++
 spec/requests/auth_providers_spec.rb | 2 ++
 13 files changed, 87 insertions(+), 14 deletions(-)
 create mode 100644 app/views/users/show.json.jbuilder
diff --git a/Gemfile b/Gemfile
index 2e82053..473cb56 100644
--- a/Gemfile
+++ b/Gemfile
@@ -21,6 +21,7 @@ gem 'omniauth-facebook-access-token','0.1.6' gem 'koala' gem 'apns' gem 'librato-rails' +gem 'bcrypt-ruby', require: 'bcrypt' gem 'draper', '1.3.1' gem 'verbs', '2.1.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index 3952a16..cf8f9aa 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -37,6 +37,9 @@ GEM ast (2.0.0) astrolabe (1.3.0) parser (>= 2.2.0.pre.3, < 3.0) + bcrypt (3.1.9) + bcrypt-ruby (3.1.5) + bcrypt (>= 3.1.3) better_errors (2.0.0) coderay (>= 1.0.0) erubis (>= 2.6.6)
@@ -349,6 +352,7 @@ PLATFORMS DEPENDENCIES annotate apns + bcrypt-ruby better_errors binding_of_caller capybara
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index bb150e4..d4745d1 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base private def access_token + logger.debug request.headers['HTTP_ACCESS_TOKEN'] request.headers['HTTP_ACCESS_TOKEN'] end
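Review bot: `gem 'bcrypt-ruby', require: 'bcrypt'` pulls in a wrapper gem whose only job, per the Gemfile.lock hunk below, is to depend on `bcrypt (>= 3.1.3)`; depending on `gem 'bcrypt'` directly is the supported form and drops the `require:` indirection. The neighbouring entries pin versions (`gem 'draper', '1.3.1'`), so a pin such as `gem 'bcrypt', '~> 3.1.9'` (the version the lock resolved) keeps the dependency reproducible.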
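Review bot: The added `logger.debug request.headers['HTTP_ACCESS_TOKEN']` writes the bearer credential into the application log on every request, so anyone with log access or a log aggregator can replay it; log only whether the header is present, e.g. `logger.debug "access token header present: #{request.headers['HTTP_ACCESS_TOKEN'].present?}"`. The same pattern is re-introduced for `HTTP_API_TOKEN` in PATCH 5/5's version of this method. The `logger.warn 'Getting user because …'` lines in `current_user` (context in the next hunk) also log routine authentication at warn level, which will drown real warnings.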
@@ -14,15 +15,12 @@ def api_version end def current_user - # logger.debug request.headers.inspect - logger.debug request.headers['HTTP_ACCESS_TOKEN'] - # logger.debug request.headers['access_token'] if session[:user_id] logger.warn 'Getting user because the session had a user_id.' @current_user ||= User.find(session[:user_id]) if session[:user_id] elsif access_token logger.warn 'Getting user because request had an access token.' - @urrent_user ||= User.find_by_access_token request.headers['HTTP_ACCESS_TOKEN'] + @current_user ||= User.find_by_access_token access_token end rescue ActiveRecord::RecordNotFound => e
@@ -32,9 +30,7 @@ def current_user end def require_authentication - unless current_user - unauthorized - end + unauthorized unless current_user end def unauthorized
@@ -42,5 +38,5 @@ def unauthorized end helper_method :current_user - before_filter :require_authentication + before_action :require_authentication end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 3b8cc92..8290b0a 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1,5 +1,17 @@ class UsersController < ApplicationController before_action :set_user, only: [] + skip_before_action :require_authentication, only: [:create] + + # POST /users.json + def create + @user = User.new user_params + + if @user.save + render :show, status: :created, location: @user + else + render json: @user.errors, status: :unprocessable_entity + end + end private
@@ -7,4 +19,9 @@ class UsersController < ApplicationController def set_user @user = User.find(params[:id]) end + + # Never trust parameters from the scary internet, only allow the white list through. + def user_params + params.require(:user).permit(:email, :first_name, :last_name, :password) + end end
diff --git a/app/models/user.rb b/app/models/user.rb
index 895c650..432dcee 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
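Review bot: `@current_user ||= User.find(session[:user_id]) if session[:user_id]` keeps a trailing `if session[:user_id]` inside a branch that is only entered when `session[:user_id]` is truthy, so the modifier is dead; `@current_user ||= User.find(session[:user_id])` says the same thing. `rescue ActiveRecord::RecordNotFound => e` at the end of the hunk binds `e`, but nothing in the visible lines uses it; drop the binding unless the rescue body (outside the hunk) does. `current_user` continues past the hunk.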
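Review bot: `render :show, status: :created, location: @user` needs a `user_url(@user)` helper, and the routes in this series only declare `post 'users' => 'users#create'` and `get 'user' => 'sessions#show'` (no `resources :users`), so the Location header will be wrong or the render will raise — confirm against the full routes file, otherwise drop `location:`. `create` is an unauthenticated registration endpoint that accepts whatever `:password` the client sends and nothing in the model hunk enforces a minimum length; `validates :password, length: { minimum: 8 }, allow_nil: true` (nil keeps OmniAuth-only users valid) belongs with it. The `user_params` helper in the second hunk is fine as written.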
@@ -1,4 +1,6 @@ class User < ActiveRecord::Base + attr_accessor :password + has_many :devices has_many :activities has_many :messages
@@ -11,8 +13,11 @@ class User < ActiveRecord::Base has_many :auth_providers - validates :email, :first_name, :last_name, presence: true validates :id, absence: true, on: :create + validates :email, :first_name, :last_name, presence: true + validates :email, uniqueness: true + + before_save :hash_password after_save do Librato.measure 'users.count', User.count, sporadic: true
@@ -43,6 +48,21 @@ def self.from_omniauth(auth) user end + def self.authenticate(email, password) + user = find_by_email email + if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt) + user + else + nil + end + end + + def hash_password + return unless password.present? + self.password_salt = BCrypt::Engine.generate_salt + self.password_hash = BCrypt::Engine.hash_secret(password, password_salt) + end + def self.from_facebook(user_hash) facebook_auth_provider = AuthProvider.where(provider: 'facebook', uid: user_hash['id']).first facebook_auth_provider.user if facebook_auth_provider
diff --git a/app/views/users/show.json.jbuilder b/app/views/users/show.json.jbuilder
new file mode 100644
index 0000000..c664460
--- /dev/null
+++ b/app/views/users/show.json.jbuilder
@@ -0,0 +1,2 @@ +user = @user.decorate +json.extract! user, :id, :email, :first_name, :last_name
diff --git a/config/routes.rb b/config/routes.rb
index 3f0bf25..4878d2a 100644
--- a/config/routes.rb
+++ b/config/routes.rb
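Review bot: `User.authenticate` calls `BCrypt::Engine.hash_secret(password, user.password_salt)` for any user found by e-mail, but users created through OmniAuth never run the hashing branch (`hash_password` returns early when `password` is blank), so their `password_salt` is nil and, as far as I know, bcrypt raises `BCrypt::Errors::InvalidSalt` there instead of the method returning nil — a login attempt against such an account becomes a 500. The `==` on digest strings is also not a constant-time comparison; `BCrypt::Password.new(user.password_hash) == password` does the salt handling and comparison for you, with `return nil unless user && user.password_hash` guarding the password-less case. PATCH 4/5 replaces this implementation with `has_secure_password`, so the fix may be moot for the series, but the commit as written has the crash. `validates :email, uniqueness: true` in the second hunk is case-sensitive by default; `case_sensitive: false` matches what users expect of e-mail addresses.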
@@ -20,13 +20,13 @@ # You can have the root of your site routed with "root" root 'sessions#show', format: 'json' get 'me', to: 'sessions#show', format: 'json' + get 'user' => 'sessions#show', format: 'json' + post 'users' => 'users#create', format: 'json' match 'auth/:provider/callback', to: 'sessions#create', via: [:get, :post] match 'auth/failure', to: redirect('/'), via: [:get, :post] match 'logout', to: 'sessions#destroy', as: 'logout', via: [:get, :post] - get 'user' => 'sessions#show', format: 'json' - get 'messages', to: redirect('activities') get 'messages/sent' => 'messages#sent' get 'messages/received' => 'messages#received'
diff --git a/db/migrate/20150112014931_add_password_to_user.rb b/db/migrate/20150112014931_add_password_to_user.rb
index 4b30f82..e3c1f6c 100644
--- a/db/migrate/20150112014931_add_password_to_user.rb
+++ b/db/migrate/20150112014931_add_password_to_user.rb
@@ -1,6 +1,7 @@ class AddPasswordToUser < ActiveRecord::Migration def change - add_column :users, :password, :string + add_column :users, :password_hash, :string + add_column :users, :password_salt, :string add_index :users, :email, unique: true end end
diff --git a/db/schema.rb b/db/schema.rb
index 43ce387..52730a8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20141206021950) do +ActiveRecord::Schema.define(version: 20150112014931) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql"
@@ -77,6 +77,10 @@ t.string "birthday" t.datetime "created_at" t.datetime "updated_at" + t.string "password_hash" + t.string "password_salt" end + add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree + end
diff --git a/spec/controllers/auth_providers_controller_spec.rb b/spec/controllers/auth_providers_controller_spec.rb
index eabcdd8..e66accc 100644
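Review bot: This rewrites db/migrate/20150112014931_add_password_to_user.rb in place (the file is created in PATCH 2/5 and changed again in 4/5 and 5/5); any environment that already ran the PATCH 2 version keeps a plaintext `password` column and never gets `password_hash`/`password_salt`, because the migration's version is already recorded as applied. If the earlier version was applied anywhere, a follow-up migration that removes `password` and adds the new columns is the safe route; if it never left this branch, squashing the series so only the final shape of the migration is committed avoids the question.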
--- a/spec/controllers/auth_providers_controller_spec.rb
+++ b/spec/controllers/auth_providers_controller_spec.rb
@@ -20,6 +20,10 @@ RSpec.describe AuthProvidersController, type: :controller do + before :each do + @user = FactoryGirl.create :user + end + # This should return the minimal set of attributes required to create a valid # AuthProvider. As you add validations to AuthProvider, be sure to # adjust the attributes here as well.
@@ -30,7 +34,7 @@ # This should return the minimal set of values that should be in the session # in order to pass any filters (e.g. authentication) defined in # AuthProvidersController. Be sure to keep this updated too. - let(:valid_session) { {} } + let(:valid_session) { { user_id: @user.id } } describe 'GET index' do it 'assigns all auth_providers as @auth_providers' do
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index 81b6545..f96371b 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -6,6 +6,7 @@ first_name { Faker::Name.first_name } last_name { Faker::Name.last_name } birthday { Faker::Business.credit_card_expiry_date } + password 'password' factory :user_with_facebook_auth do after(:create) do |user|
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 47dc088..750a75c 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -77,4 +77,25 @@ expect(@user.friends.first).to eq(@friend) end end + + describe 'User authentication' do + before :each do + @user = FactoryGirl.create :user + @email = @user.email + @password = @user.password + end + + it 'Should authenticate a user and return a model' do + user = User.authenticate @email, @password + expect(user).to eq(@user) + end + + it 'Should hash the user\'s password' do + user = User.authenticate @email, @password + expect(user).to eq(@user) + expect(user.password).to be_nil + expect(user.password_hash).to be_truthy + expect(user.password_salt).to be_truthy + end + end end
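Review bot: Both examples in `describe 'User authentication'` exercise only the success path, so a regression that makes `User.authenticate` return the user for any password would still pass; add `expect(User.authenticate(@email, 'wrong-password')).to be_nil` and `expect(User.authenticate('nobody@example.test', @password)).to be_nil` (constructed values), plus a case for a user created without a password, which is where the nil-salt path in the model lives. `@password = @user.password` only works because the `attr_accessor` value is still on the in-memory object; reading it before the record is reloaded is fine, but worth a comment so nobody "fixes" it by reloading `@user` first.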
diff --git a/spec/requests/auth_providers_spec.rb b/spec/requests/auth_providers_spec.rb
index fd491e3..e3f6d8c 100644
--- a/spec/requests/auth_providers_spec.rb
+++ b/spec/requests/auth_providers_spec.rb
@@ -3,6 +3,8 @@ RSpec.describe 'AuthProviders', type: :request do describe 'GET /auth_providers' do it 'works! (now write some real specs)' do + login_with_oauth + get auth_providers_path expect(response.status).to be(200) end
From bf17d0a8a2bcec7532470fec454ad4b6c1287c49 Mon Sep 17 00:00:00 2001
From: Jonathan Porta
Date: Sun, 11 Jan 2015 22:28:39 -0800
Subject: [PATCH 4/5] User the built in has_secure_password function
---
 app/models/user.rb | 17 ++---------------
 .../20150112014931_add_password_to_user.rb | 3 +--
 db/schema.rb | 3 +--
 spec/models/user_spec.rb | 8 --------
 4 files changed, 4 insertions(+), 27 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 432dcee..452ba10 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,4 @@ class User < ActiveRecord::Base - attr_accessor :password - has_many :devices has_many :activities has_many :messages
@@ -17,7 +15,7 @@ class User < ActiveRecord::Base validates :email, :first_name, :last_name, presence: true validates :email, uniqueness: true - before_save :hash_password + has_secure_password validations: false after_save do Librato.measure 'users.count', User.count, sporadic: true
@@ -49,18 +47,7 @@ def self.from_omniauth(auth) end def self.authenticate(email, password) - user = find_by_email email - if user && user.password_hash == BCrypt::Engine.hash_secret(password, user.password_salt) - user - else - nil - end - end - - def hash_password - return unless password.present? - self.password_salt = BCrypt::Engine.generate_salt - self.password_hash = BCrypt::Engine.hash_secret(password, password_salt) + User.find_by(email: email).try :authenticate, password end def self.from_facebook(user_hash)
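Review bot: `User.find_by(email: email).try :authenticate, password` now depends on `has_secure_password validations: false` (second hunk), which switches off the presence, maximum-length and confirmation checks, so `POST /users` can create an account whose `password_digest` is nil; for such a record — and for every OmniAuth-created user — `authenticate` hands nil to `BCrypt::Password.new`, which I believe raises rather than returning false, so a login attempt against one of those e-mails becomes a 500. Guard it explicitly: `user = User.find_by(email: email)` / `user.authenticate(password) if user && user.password_digest` (nil or false on failure, as before). If the validations were disabled only so OmniAuth users can exist without a password, keep `validates :password, length: { maximum: 72 }` (the bcrypt input limit) and make only the presence check conditional on the user having no auth provider. The class continues outside the hunk.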
diff --git a/db/migrate/20150112014931_add_password_to_user.rb b/db/migrate/20150112014931_add_password_to_user.rb
index e3c1f6c..85d6c98 100644
--- a/db/migrate/20150112014931_add_password_to_user.rb
+++ b/db/migrate/20150112014931_add_password_to_user.rb
@@ -1,7 +1,6 @@ class AddPasswordToUser < ActiveRecord::Migration def change - add_column :users, :password_hash, :string - add_column :users, :password_salt, :string + add_column :users, :password_digest, :string add_index :users, :email, unique: true end end
diff --git a/db/schema.rb b/db/schema.rb
index 52730a8..7029ff2 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -77,8 +77,7 @@ t.string "birthday" t.datetime "created_at" t.datetime "updated_at" - t.string "password_hash" - t.string "password_salt" + t.string "password_digest" end add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 750a75c..89241b9 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -89,13 +89,5 @@ user = User.authenticate @email, @password expect(user).to eq(@user) end - - it 'Should hash the user\'s password' do - user = User.authenticate @email, @password - expect(user).to eq(@user) - expect(user.password).to be_nil - expect(user.password_hash).to be_truthy - expect(user.password_salt).to be_truthy - end end end
From ac49a9f835cafc9cbf931d6f0011e07559f7f7ae Mon Sep 17 00:00:00 2001
From: Jonathan Porta
Date: Mon, 12 Jan 2015 04:56:08 -0800
Subject: [PATCH 5/5] Implement api_token for user authentication
---
 app/controllers/application_controller.rb | 14 ++++-----
 app/controllers/sessions_controller.rb | 31 +++++++++++++++++--
 app/models/user.rb | 27 ++++++++++++----
 app/views/sessions/show.json.jbuilder | 13 ++------
 config/routes.rb | 7 +++--
 .../20150112014931_add_password_to_user.rb | 3 ++
 db/schema.rb | 2 ++
 .../application_controller_spec.rb | 6 ++--
 8 files changed, 70 insertions(+), 33 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d4745d1..0c494a8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,13 +1,14 @@ class ApplicationController < ActionController::Base # Prevent CSRF attacks by raising an exception. # For APIs, you may want to use :null_session instead. - protect_from_forgery with: :null_session + before_action :require_authentication + # protect_from_forgery with: :null_session private - def access_token - logger.debug request.headers['HTTP_ACCESS_TOKEN'] - request.headers['HTTP_ACCESS_TOKEN'] + def api_token + logger.debug request.headers['HTTP_API_TOKEN'] + request.headers['HTTP_API_TOKEN'] end def api_version
@@ -18,9 +19,9 @@ def current_user if session[:user_id] logger.warn 'Getting user because the session had a user_id.' @current_user ||= User.find(session[:user_id]) if session[:user_id] - elsif access_token + elsif api_token logger.warn 'Getting user because request had an access token.' - @current_user ||= User.find_by_access_token access_token + @current_user ||= User.authenticate_by_api_token api_token end rescue ActiveRecord::RecordNotFound => e
@@ -38,5 +39,4 @@ def unauthorized end helper_method :current_user - before_action :require_authentication end
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 52842a7..52da689 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
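Review bot: Commenting out `protect_from_forgery with: :null_session` disables CSRF checking for the whole application while `session[:user_id]` cookies still authenticate browser requests, so the new `POST /login`, the OmniAuth callback and `/logout` can all be driven from a third-party page; `:null_session` already does what an API needs (a request without a valid token gets an empty session instead of an exception, so header-token clients keep working), so restore `protect_from_forgery with: :null_session` and keep `before_action :require_authentication` beneath it. The two comment lines above (`# Prevent CSRF attacks by raising an exception.`) now describe the callback rather than the line they sit on; move them with the `protect_from_forgery` call or delete them. The renamed `api_token` helper still logs the raw header value, as noted on PATCH 3/5, and the `'Getting user because request had an access token.'` message in the second hunk now names the wrong header.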
@@ -1,18 +1,28 @@ class SessionsController < ApplicationController - skip_before_action :require_authentication, only: [:create] + skip_before_action :require_authentication, only: [:create, :login] + # GET /auth/:provider/callback def create logger.debug env['omniauth.auth'] user = User.from_omniauth env['omniauth.auth'] - session[:user_id] = user.id + current_session user redirect_to root_url end + # POST /login + def login + user = User.authenticate login_params[:email], login_params[:password] + current_session user + redirect_to root_url + end + + # GET /logout def destroy - session[:user_id] = nil + current_session nil redirect_to root_url end + # GET /user def show @user = current_user end
@@ -21,4 +31,19 @@ def failure # TODO: Need to think about what should actually happen here. redirect_to root_url end + + private + + def current_session(user) + if user + session[:user_id] = user.id + else + session[:user_id] = nil + end + end + + # Never trust parameters from the scary internet, only allow the white list through. + def login_params + params.permit(:email, :password) + end end
diff --git a/app/models/user.rb b/app/models/user.rb
index 452ba10..9351ffd 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,4 +1,6 @@ class User < ActiveRecord::Base + before_create :generate_api_token + has_many :devices has_many :activities has_many :messages
@@ -14,6 +16,7 @@ class User < ActiveRecord::Base validates :id, absence: true, on: :create validates :email, :first_name, :last_name, presence: true validates :email, uniqueness: true + validates :api_token, uniqueness: true has_secure_password validations: false
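Review bot: `login` redirects to `root_url` whether or not `User.authenticate` succeeded (`current_session false` merely clears the session), so a client receives a 302 either way and only learns of the failure when the root route answers an empty 401; return `unauthorized` (already defined in ApplicationController) when `user` is falsy. `current_session` in the second hunk also assigns `session[:user_id]` without `reset_session`, so a session id planted in the victim's browser before login stays valid afterwards (session fixation); resetting the session on both login and logout closes that. `destroy` still sits behind `require_authentication`, the loop noted on PATCH 1/5. Rewritten lines:
```ruby
  # POST /login
  def login
    user = User.authenticate login_params[:email], login_params[:password]
    return unauthorized unless user
    current_session user
    redirect_to root_url
  end

  # … unchanged: destroy, show, failure …

  def current_session(user)
    # fresh session id on every login and logout so a pre-login id cannot be fixated
    reset_session
    session[:user_id] = user.id if user
  end
```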
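Review bot: `before_create :generate_api_token` runs after validation, and the `validates :api_token, uniqueness: true` added in the next hunk does not skip nil, so each new user is validated with `api_token` nil against the existing rows; the migration in this patch adds the column without back-filling, so every pre-existing user has a NULL token and, unless I am misreading ActiveRecord's uniqueness validator, the check fails with "api_token has already been taken" for every new sign-up once one such row exists. Generate before validation and tolerate nil on the validator: `before_validation :generate_api_token, on: :create` and `validates :api_token, uniqueness: true, allow_nil: true`, and back-fill tokens for existing users so the unique index is the real guarantee. The class continues outside the hunk.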
@@ -21,12 +24,6 @@ class User < ActiveRecord::Base Librato.measure 'users.count', User.count, sporadic: true end - def self.find_by_access_token(token) - # TODO: Fix this when verb authprovider gets implemented - auth_provider = AuthProvider.where(provider: 'facebook', token: token).first - auth_provider.user if auth_provider - end - def self.from_omniauth(auth) auth_provider = AuthProvider.from_omniauth auth
@@ -50,6 +47,15 @@ def self.authenticate(email, password) User.find_by(email: email).try :authenticate, password end + def self.authenticate_by_api_token(api_token) + User.find_by api_token: api_token + end + + def self.authenticate_by_auth_provider(provider, token) + auth_provider = AuthProvider.where(provider: provider, token: token).first + auth_provider.user if auth_provider + end + def self.from_facebook(user_hash) facebook_auth_provider = AuthProvider.where(provider: 'facebook', uid: user_hash['id']).first facebook_auth_provider.user if facebook_auth_provider
@@ -79,4 +85,13 @@ def friendship_requests_sent def friendship_requests_received inverse_friendships.where approved: nil end + + private + + def generate_api_token + self.api_token ||= loop do + random_token = SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz') + break random_token unless self.class.exists?(api_token: random_token) + end + end end
diff --git a/app/views/sessions/show.json.jbuilder b/app/views/sessions/show.json.jbuilder
index 48945e1..3722d95 100644
--- a/app/views/sessions/show.json.jbuilder
+++ b/app/views/sessions/show.json.jbuilder
@@ -1,11 +1,2 @@ -if @user - json.(@user, - :id, - :first_name, - :last_name, - :birthday - ) -else - json.error 'Not authed. Goto /auth/facebook' - json.todo 'TODO: raise a proper 401 :-)' -end +@user.decorate +json.extract! @user, :id, :email, :first_name, :last_name, :birthday
diff --git a/config/routes.rb b/config/routes.rb
index 4878d2a..da280b2 100644
--- a/config/routes.rb
+++ b/config/routes.rb
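Review bot: `authenticate_by_api_token` matches the token in clear text, so `users.api_token` is a table of long-lived bearer credentials: any read of the database (backup, replica, an injection bug elsewhere) yields every user's login, and nothing in the series expires or rotates a token. Storing a digest instead (e.g. `Digest::SHA256.hexdigest(token)` in a column such as `api_token_digest` — constructed name — and matching on the digest) keeps the lookup indexed while making the stored value useless on its own, and a regenerate path gives users a way out of a leak. `authenticate_by_auth_provider(provider, token)` has no caller in this series as far as I can see (the `find_by_access_token` it generalises was removed in the previous hunk); if it is kept for later work, a comment should say so, otherwise drop it.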
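Review bot: The `self.class.exists?(api_token: random_token)` check and the later INSERT are not atomic, but the unique index added in this patch's migration covers the race; rescuing `ActiveRecord::RecordNotUnique` at the save site and retrying once would make that explicit rather than leaving a rare 500. `.tr('lIO0', 'sxyz')` folds four characters onto ones already in the alphabet — harmless at 15 random bytes, but it deserves a comment such as `# fold look-alike characters so tokens can be read aloud; entropy loss is negligible`. The method is `private` and the class closes in the hunk.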
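Review bot: `@user.decorate` on the first new line discards its return value, so `json.extract! @user, …` serialises the undecorated record — unlike app/views/users/show.json.jbuilder from PATCH 3/5, which assigns `user = @user.decorate` and extracts from that. Either `user = @user.decorate` / `json.extract! user, :id, :email, :first_name, :last_name, :birthday`, or drop the call. With the `if @user` branch removed, any request that reaches this template anonymously raises on `nil.decorate`; that holds only while `require_authentication` guards `show`, which is worth a one-line comment at the top of the template.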
@@ -19,14 +19,15 @@ # You can have the root of your site routed with "root" root 'sessions#show', format: 'json' - get 'me', to: 'sessions#show', format: 'json' get 'user' => 'sessions#show', format: 'json' - post 'users' => 'users#create', format: 'json' - + post 'login' => 'sessions#login', format: 'json' match 'auth/:provider/callback', to: 'sessions#create', via: [:get, :post] match 'auth/failure', to: redirect('/'), via: [:get, :post] match 'logout', to: 'sessions#destroy', as: 'logout', via: [:get, :post] + # Registration route when not using an auth_provider + post 'users' => 'users#create', format: 'json' + get 'messages', to: redirect('activities') get 'messages/sent' => 'messages#sent' get 'messages/received' => 'messages#received'
diff --git a/db/migrate/20150112014931_add_password_to_user.rb b/db/migrate/20150112014931_add_password_to_user.rb
index 85d6c98..0ba0476 100644
--- a/db/migrate/20150112014931_add_password_to_user.rb
+++ b/db/migrate/20150112014931_add_password_to_user.rb
@@ -1,6 +1,9 @@ class AddPasswordToUser < ActiveRecord::Migration def change add_column :users, :password_digest, :string + add_column :users, :api_token, :string + add_index :users, :email, unique: true + add_index :users, :api_token, unique: true end end
diff --git a/db/schema.rb b/db/schema.rb
index 7029ff2..e26c089 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -78,8 +78,10 @@ t.datetime "created_at" t.datetime "updated_at" t.string "password_digest" + t.string "api_token" end + add_index "users", ["api_token"], name: "index_users_on_api_token", unique: true, using: :btree add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree end
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 580fddf..a99d129 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
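Review bot: `add_column :users, :api_token, :string` followed by `add_index :users, :api_token, unique: true` leaves every existing row with a NULL token; the unique index tolerates that on PostgreSQL, but the model-level uniqueness validation added in app/models/user.rb in this patch does not, and no back-fill is included. A back-fill in `change` (assign a token to each user that has none, before the index is created) or a follow-up data migration is needed for existing data. This is also the fourth in-place rewrite of this migration file across the series; if any earlier version has been applied somewhere, the new column and index will never be created there.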
@@ -12,7 +12,7 @@ def index before :each do @user = FactoryGirl.create :user_with_facebook_auth - @valid_auth_token = @user.auth_providers.first.token + @valid_auth_token = @user.api_token @invalid_auth_toke = 'INVALIDAUTHTOKEN' end
@@ -27,13 +27,13 @@ def index end it 'returns correct user when valid header token is set' do - request.headers['HTTP_ACCESS_TOKEN'] = @valid_auth_token + request.headers['HTTP_API_TOKEN'] = @valid_auth_token get :index, {} expect(assigns(:current_user)).to eq(@user) end it 'returns nil when invalid header token is set' do - request.headers['HTTP_ACCESS_TOKEN'] = @invalid_auth_token + request.headers['HTTP_API_TOKEN'] = @invalid_auth_token get :index, {} expect(assigns(:current_user)).to eq(nil) end
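Review bot: The "invalid header token" example sets `request.headers['HTTP_API_TOKEN'] = @invalid_auth_token`, but the `before` block (context in the first hunk) assigns `@invalid_auth_toke = 'INVALIDAUTHTOKEN'` — missing `n` — so the header is set to nil and the example exercises the no-credential path rather than a wrong token; fix the variable name to `@invalid_auth_token` so the `authenticate_by_api_token` branch of `current_user` is actually covered. An assertion on `response.status` (401) alongside `assigns(:current_user)` would also pin `require_authentication`, assuming the anonymous controller in this spec inherits the callback.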