Redirect local user back to application after they login #21

Merged
merged 4 commits into from

2 participants

@karenc
Owner

Description of bug:
After logging in as a local user successfully, the user will stay on the
openstax accounts site instead of getting redirected back to the
application they came from.

We use session[:return_to] to store where the user came from (See
config/initializers/doorkeeper.rb). This is set before the user gets to
the sign in form. Between the user submitting the sign in form and
SessionsController#authenticated, the session was cleared. So we were
not able to redirect the user back to the application.

The reason the session was cleared was that the openstax accounts
site has CSRF protection enabled for POST requests. The sign in form
did not have a CSRF token, so the session was wiped.
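The flow the description above walks through, as an added example that is not OpenStax Accounts code: a stdlib-only Ruby model of a session that parks `return_to` before the sign-in form and then takes the forgery check on the POST. The class and method names (`FakeSession`, `LoginFlow`, `outcomes_without_token`) are this example's own, and the three strategies are stand-ins for the `reset_session`, `null_session` and `exception` behaviours of Rails' `protect_from_forgery`; only the first one is what the description reports, and which one a real app gets depends on its Rails version and configuration.

```ruby
require 'securerandom'

# Added example, not project code: models why an unverified POST loses the
# post-login redirect. The forgery check runs before the action, so whatever
# it does to the session has already happened when the action reads
# session[:return_to]. Strategy names mirror Rails' handlers but are assumed.

class InvalidAuthenticityToken < StandardError; end

# Stand-in for the cookie-backed session the browser carries between requests.
class FakeSession
  def initialize; @data = {}; end
  def [](key); @data[key]; end
  def []=(key, value); @data[key] = value; end
  def reset!; @data.clear; end
end

class LoginFlow
  ROOT_PATH = '/'.freeze
  STRATEGIES = %i[reset_session null_session exception].freeze

  def initialize(strategy)
    raise ArgumentError, "unknown strategy #{strategy.inspect}" unless STRATEGIES.include?(strategy)
    @strategy = strategy
  end

  # GET /oauth/authorize: park the destination in session[:return_to] and
  # mint the CSRF token the sign-in form must echo back. form_tag emits that
  # token as a hidden field; a hand-written <form method='post'> does not.
  def get_authorize(session, redirect_uri)
    session[:return_to] = redirect_uri
    session[:_csrf_token] ||= SecureRandom.base64(32)
    session[:_csrf_token]
  end

  # POST /auth/identity/callback: forgery check first, then "authentication",
  # then the redirect target. Returns where the user is sent.
  def post_callback(session, params)
    session = handle_unverified_request(session) unless verified?(session, params)
    session[:user] = params[:auth_key]
    session[:return_to] || ROOT_PATH
  end

  # Drive the flow once per strategy with the token omitted, as the old form
  # did, and report where the user lands (or which exception is raised).
  def self.outcomes_without_token(redirect_uri)
    STRATEGIES.each_with_object({}) do |strategy, out|
      session = FakeSession.new
      flow = new(strategy)
      flow.get_authorize(session, redirect_uri)
      out[strategy] = begin
        flow.post_callback(session, { auth_key: 'user', password: 'password' })
      rescue InvalidAuthenticityToken => e
        e.class.name
      end
    end
  end

  private

  def verified?(session, params)
    expected = session[:_csrf_token]
    supplied = params[:authenticity_token]
    return false if expected.nil? || supplied.nil? || expected.bytesize != supplied.bytesize
    secure_compare(expected, supplied)
  end

  # Constant-time comparison so a wrong token cannot be guessed byte by byte.
  def secure_compare(a, b)
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What the forgery check does with the session when the token is missing.
  def handle_unverified_request(session)
    case @strategy
    when :reset_session
      session.reset!            # wipes :return_to silently: the bug this PR fixes
      session
    when :null_session
      FakeSession.new           # request proceeds with an empty, throw-away session
    when :exception
      raise InvalidAuthenticityToken, 'missing or invalid authenticity_token'
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  LoginFlow.outcomes_without_token('http://www.example.com/callback').each do |strategy, where|
    puts "#{strategy}: #{where}"
  end
end
```

Run as a script, the `reset_session` line prints `/`: the user is logged in, but the destination stored before the form was rendered is gone, which is exactly the symptom in the description. The `exception` strategy fails the request instead of degrading it, which is why a test suite with forgery protection switched on (Rails turns it off in the test environment by default) would have caught the missing token as an error rather than a lost redirect.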

@karenc karenc closed this
jpslav and others added some commits
@jpslav jpslav Merge pull request #24 from jpslav/user-registration-profile
User registration profile page plus a number of related pieces
f23271a
@karenc karenc Load seed data before running tests 0310ded
@karenc karenc Update tests after terms and profile form have been added 768cf71
@karenc karenc Redirect local user back to application after they login
Description of bug:
After logging in as a local user successfully, the user will stay on the
openstax accounts site instead of getting redirected back to the
application they came from.

We use session[:return_to] to store where the user came from (See
config/initializers/doorkeeper.rb).  This is set before the user gets to
the sign in form.  Between the user submitting the sign in form and
SessionsController#authenticated, the session was cleared.  So we were
not able to redirect the user back to the application.

The reason the session was cleared was that the openstax accounts
site has CSRF protection enabled for POST requests.  The sign in form
did not have a CSRF token, so the session was wiped.
f87dc35
@karenc karenc reopened this
@karenc karenc referenced this pull request
Merged

Rename handlers #25

@jpslav jpslav merged commit 0035c7a into openstax:master
@karenc karenc deleted the karenc:fix-local-user-login-redirect branch
Commits on Mar 7, 2014 (the four commits listed above)
app/views/sessions/new.html.erb (6 changed lines)
@@ -22,7 +22,7 @@
</div>
<div id="password-login">
- <form method='post' action='/auth/identity/callback'>
+ <%= form_tag '/auth/identity/callback' do %>
<label for='auth_key'>Username</label><input type='text' id='auth_key' name='auth_key'/>
<label for='password'>Password</label><input type='password' id='password' name='password'/>
<div class='password-actions'>
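Review bot: the `form_tag` line is the entire fix and deserves a comment saying why, because a later edit that turns it back into a plain `<form method='post'>` will not fail any request, it will just quietly reset the session again. `form_tag` emits the hidden `authenticity_token` (and `utf8`) fields that the forgery check on POST looks for; the hand-written form had neither. Since the description says the unverified POST wiped the session, consider having the controller fail the request instead (for example `protect_from_forgery with: :exception`, where the app's Rails version supports it) so a missing token surfaces as an error rather than as a lost redirect.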
@@ -32,8 +32,8 @@
<div class="password-actions">
<span><%= link_to 'Forgot password?', forgot_password_path %></span>
</div>
- </form>
-</div>
+ <% end %>
+ </div>
</div>
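Review bot: the `-</div>` / `+ </div>` pair is an indentation-only change to a line the fix does not touch. Harmless, but mixing whitespace edits into the same hunk hides the real change here, the `<% end %>` that closes the `form_tag` block, and will show up in blame for a line whose content never changed; keep reindentation in a separate commit next time.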
spec/factories/user.rb (10 changed lines)
@@ -12,6 +12,14 @@
is_temp false
end
+ trait :terms_agreed do
+ after(:create) do |user, evaluator|
+ FinePrint::Contract.all.each do |contract|
+ FinePrint.sign_contract(user, contract)
+ end
+ end
+ end
+
factory :user_with_emails do
ignore do
emails_count 2
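Review bot: `evaluator` in the `after(:create)` block is unused; `after(:create) do |user|` is enough. The trait also signs every `FinePrint::Contract` in the database, which only does anything because `spec_helper` now loads `db/seeds.rb` first; a one-line comment on `:terms_agreed` noting that it depends on seeded contracts would save the next person a confusing pass-through (zero contracts, nothing signed, terms page still shown) when the seeds are missing.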
@@ -30,4 +38,4 @@
end
end
-end
+end
spec/features/user_signs_in_spec.rb (81 changed lines)
@@ -3,51 +3,54 @@
feature 'User logs in as a local user', js: true do
scenario 'authenticates against the default (bcrypt) password hashes' do
- create_user 'user'
- visit '/'
- expect(page).to have_content('Sign Up or Sign in')
- click_link 'Sign in'
-
- fill_in 'Username', with: 'user'
- fill_in 'Password', with: 'pass'
- click_button 'Sign in'
- expect(page).to have_content('Incorrect username or password')
- expect(page).not_to have_content('Welcome, user')
-
- fill_in 'Username', with: 'user'
- fill_in 'Password', with: 'password'
- click_button 'Sign in'
- expect(page).to have_content('Welcome, user')
+ with_forgery_protection do
+ create_application
+ create_user 'user'
+ visit_authorize_uri
+ expect(page).to have_content("Sign in to #{@app.name} with your one OpenStax account!")
+
+ fill_in 'Username', with: 'user'
+ fill_in 'Password', with: 'pass'
+ click_button 'Sign in'
+ expect(page).to have_content('Incorrect username or password')
+
+ fill_in 'Username', with: 'user'
+ fill_in 'Password', with: 'password'
+ click_button 'Sign in'
+ expect(page.current_url).to match(app_callback_url)
+ end
end
scenario 'authenticates against plone (ssha) password hashes' do
- create_user_with_plone_password
- visit '/'
- expect(page).to have_content('Sign Up or Sign in')
- click_link 'Sign in'
-
- fill_in 'Username', with: 'plone_user'
- fill_in 'Password', with: 'pass'
- click_button 'Sign in'
- expect(page).to have_content('Incorrect username or password')
- expect(page).not_to have_content('Welcome, plone_user')
-
- fill_in 'Username', with: 'plone_user'
- fill_in 'Password', with: 'password'
- click_button 'Sign in'
- expect(page).to have_content('Welcome, plone_user')
+ with_forgery_protection do
+ create_application
+ create_user_with_plone_password
+ visit_authorize_uri
+
+ expect(page).to have_content("Sign in to #{@app.name} with your one OpenStax account!")
+ fill_in 'Username', with: 'plone_user'
+ fill_in 'Password', with: 'pass'
+ click_button 'Sign in'
+ expect(page).to have_content('Incorrect username or password')
+
+ fill_in 'Username', with: 'plone_user'
+ fill_in 'Password', with: 'password'
+ click_button 'Sign in'
+ expect(page.current_url).to match(app_callback_url)
+ end
end
scenario 'with an unknown username' do
- visit '/'
- expect(page).to have_content('Sign Up or Sign in')
- click_link 'Sign in'
-
- fill_in 'Username', with: 'user'
- fill_in 'Password', with: 'password'
- click_button 'Sign in'
- expect(page).to have_content('Incorrect username or password')
- expect(page).not_to have_content('Welcome, user')
+ with_forgery_protection do
+ create_application
+ visit_authorize_uri
+ expect(page).to have_content("Sign in to #{@app.name} with your one OpenStax account!")
+
+ fill_in 'Username', with: 'user'
+ fill_in 'Password', with: 'password'
+ click_button 'Sign in'
+ expect(page).to have_content('Incorrect username or password')
+ end
end
scenario 'with a password that is expired' do
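Review bot: the wrong-password step in all three scenarios lost its negative assertion. The old spec checked `expect(page).not_to have_content('Welcome, user')` after the bad password; the new version only checks for the error message, so a regression that shows `Incorrect username or password` and still redirects (or still sets the session) would pass. Add `expect(page.current_url).not_to match(app_callback_url)` after each `'Incorrect username or password'` expectation. Wrapping the scenarios in `with_forgery_protection` is the right call: forgery protection is off in the test environment, which is why the old form passed the old specs.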
spec/features/user_signs_up_spec.rb (6 changed lines)
@@ -17,6 +17,12 @@
click_link 'I have not made'
expect(page).to have_content('Welcome, testuser')
+ expect(page).to have_content('Complete your profile information')
+ fill_in 'First Name', with: 'Test'
+ fill_in 'Last Name', with: 'User'
+ find(:css, '#register_i_agree').set(true)
+ click_button 'Register'
+
click_link 'Sign out'
expect(page).to have_content('Signed out!')
expect(page).not_to have_content('Welcome, testuser')
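Review bot: `find(:css, '#register_i_agree').set(true)` can be `check 'register_i_agree'`, which reads as the user action the rest of the scenario uses (`fill_in`, `click_button`) and gives a clearer failure if the checkbox is missing or hidden. These lines adapt the sign-up spec to the profile page from the merged #24 rather than to this PR's bug, which is fine given the PR carries that merge, but they belong with 768cf71 ("Update tests after terms and profile form have been added") rather than the redirect fix.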
spec/spec_helper.rb (3 changed lines)
@@ -5,6 +5,9 @@
require 'rspec/autorun'
require 'capybara/poltergeist'
+# load seed data
+load "#{Rails.root}/db/seeds.rb"
+
Capybara.javascript_driver = :poltergeist
# Requires supporting ruby files with custom matchers and macros, etc,
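Review bot: `load "#{Rails.root}/db/seeds.rb"` at require time runs the seeds outside any per-example transaction, so whatever it creates persists for the whole run and is re-created every time the suite boots against the same test database. Make sure `db/seeds.rb` is idempotent (find-or-create), otherwise the second run duplicates or collides on the contracts that `FinePrint::Contract.all` in the factory trait picks up. `Rails.application.load_seed` does the same thing without hard-coding the path.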
spec/support/features_helpers.rb (29 changed lines)
@@ -1,6 +1,6 @@
-def create_user username, password='password'
+def create_user(username, password='password')
return if User.find_by_username(username).present?
- user = FactoryGirl.create :user_with_person, username: username
+ user = FactoryGirl.create :user_with_person, :terms_agreed, username: username
identity = FactoryGirl.create :identity, user: user, password: password
FactoryGirl.create :authentication, provider: 'identity', uid: identity.id.to_s, user: user
return user
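Review bot: `return if User.find_by_username(username).present?` returns nil for a user that already exists, so `user = create_user 'user'` yields nil on a second call and the caller falls over later with a confusing `NoMethodError`. Return the existing record instead (`existing = User.find_by_username(username); return existing if existing`). Pre-existing, but worth fixing while the signature is being changed anyway.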
@@ -70,3 +70,28 @@ def password_reset_email_sent?(user)
@reset_link = "/do/reset_password?code=#{user.identity.reset_code}"
expect(mail.body.encoded).to include("http://nohost#{@reset_link}")
end
+
+def create_application
+ @app = FactoryGirl.create(:doorkeeper_application, :trusted,
+ redirect_uri: 'http://www.example.com/callback')
+ token = FactoryGirl.create(:doorkeeper_access_token,
+ application: @app, resource_owner_id: nil)
+ @app
+end
+
+def with_forgery_protection
+ begin
+ ActionController::Base.any_instance.stub(:allow_forgery_protection).and_return(true)
+ yield if block_given?
+ ensure
+ ActionController::Base.any_instance.unstub(:allow_forgery_protection)
+ end
+end
+
+def visit_authorize_uri
+ visit "/oauth/authorize?redirect_uri=#{@app.redirect_uri}&response_type=code&client_id=#{@app.uid}"
+end
+
+def app_callback_url
+ /^#{@app.redirect_uri}\?code=.+$/
+end
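Review bot: `app_callback_url` interpolates `@app.redirect_uri` into a Regexp unescaped, so the dots in `http://www.example.com/callback` match any character; use `/^#{Regexp.escape(@app.redirect_uri)}\?code=.+$/`. `visit_authorize_uri` likewise puts the redirect URI into the query string unencoded, which works for this value but breaks for any URI containing `&` or `#`; wrap it in `CGI.escape`. In `create_application`, `token` is assigned and never used; drop the assignment or name it `_token`. `with_forgery_protection` stubs `allow_forgery_protection` on `ActionController::Base.any_instance`, the old RSpec mock syntax; since the helper only needs to flip a config flag, saving `ActionController::Base.allow_forgery_protection`, setting it to `true`, and restoring the old value in `ensure` avoids stubbing entirely.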