rails5 can't access session in ActionDispatch::IntegrationTest #23386
Comments
rubys
changed the title
|
The session is an internal structure for the controller. Integration test is more black box than controller tests were. I don't think we should be testing internals of the controller like this. I would rework the test to test something visible in the UI instead. |
|
I fully understand removing access to low level details. But in this case, that just exposes what is the real problem here: http://api.rubyonrails.org/classes/ActionDispatch/Integration/RequestHelpers.html is woefully deficient. Don't get me wrong, it is fine if you are testing a single controller action in isolation. But once you want to test anything that involves session logic in your controller, you end up needing things like this: https://github.com/jnicklas/capybara#clicking-links-and-buttons and https://github.com/jnicklas/capybara#interacting-with-forms. I don't think that these methods would be hard to write (Rails already has access to response.body and css_selector logic). I don't think they could make the current Rails 5 schedule. I don't think that access to a session should be removed until the higher level functions are in place. Looking at the problem I'm seeing, it appears that the issue is that the session isn't created yet. Doing an unrelated action (like a get) would create a session. |
|
We tested all of Basecamp 3 with controller tests driven by ActionDispatch::IntegrationTest, and I didn't find a need for capybara-style button clickers etc. I think it'd be nice to offer this as an additional level-up, but it's not a blocker in my book. If that's something you'd like to take a swing at, please do! Would make a great addition to Rails 5.1. |
|
@dhh Can you explain your technique for this? Do you actually test "should get new" do
user = users(:john)
post login_url, params: { email: user.email, password: user.password }
get new_post_url
assert_response :success
endSorry to bug you but I haven't found any docs in the wider world that explain this new recommended controller testing paradigm. |
|
That's exactly it. We've wrapped that into a helper method that we usually then use in the setup of a controller. So: # helper method
def sign_in_as(name)
post login_url, params: { sig: users(name).perishable_signature )
end
class SomeControllerTest
setup { sign_in_as 'david' }
test 'the truth' do
.. |
|
Thank you sir! I'm liking the feel of these new controller-integration hybrid tests so far. |
|
@dhh Hi |
|
If you still need this (I did def session_header(session)
session = session.reverse_merge(session_id: SecureRandom.hex)
key_generator = ActiveSupport::KeyGenerator.new(ENV.fetch('SECRET_KEY_BASE'), iterations: 1000)
secret = key_generator.generate_key('encrypted cookie')
sign_secret = key_generator.generate_key('signed encrypted cookie')
encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: 'SHA1', serializer: ActiveSupport::MessageEncryptor::NullSerializer)
{ 'Cookie' => "_your_app_session=#{encryptor.encrypt_and_sign(session.to_json)}" }
endYou can use it like so: get '/needs/session', headers: session_header('some' => 'data')This works with the current 5.0 versions, but can break any time for newer versions. Use at your own risk! The better way would be to follow @dhh's advise:
|
|
When authentication depends on an external service, sometimes it might not be available for proper integration tests; for instance, it might be behind some firewall. Therefore - one has to either stub the authentication service or create a fake test login controller. The second will need to assess the session and that would run contrary to the idea that session is not available for the purposes of running integration tests. Stubbing the service is also extra work. Perhaps adding an official login method, available from the test cases and not giving full access to session would be a good compromise. Otherwise, we just have an extra stumbling block in the way of testing. |
This operates more at the API level, but it appears that Rails5.1 has taken away access to the session variable, so it becomes necessary to interact with multiple different controller endpoints, instead of simply preconfiguring a value in the session. Apparently, DHH thinks this is an "implementation detail", and that it's better to require hitting multiple endpoints for any single test (Or, authenticate through header values). The man does not care about test efficency, or any of the myriad corner cases in a typical session-based app, in the slightest. rails/rails#23386
This operates more at the API level, but it appears that Rails5.1 has taken away access to the session variable, so it becomes necessary to interact with multiple different controller endpoints, instead of simply preconfiguring a value in the session. Apparently, DHH thinks this is an "implementation detail", and that it's better to require hitting multiple endpoints for any single test (Or, authenticate through header values). The man does not care about test efficency, or any of the myriad corner cases in a typical session-based app, in the slightest. rails/rails#23386
|
2 years later, and my custom code above bit me when upgrading to 5.2. But thankfully I can now use the technique suggested by @dhh. So, thx again man! |
Originally, the `authenticated_as` spec helper
made it impossible to persist session state in request specs.
This made it impossible to test external_credentials#callback
or any other controller actions that rely on session state.
This commit fixes that.
=== How exactly was `authenticated_as` broken?
`authenticated_as` passes user credentials via request headers.
In practice, this auth method is for API requests by machine clients,
since they don't have cookies or store session state.
Because machine clients don't use cookies or session state anyway,
Zammad disables them for this auth method:
# app/controllers/application_controller/authenticates.rb
1 module ApplicationController::Authenticates
42 def authentication_check_only(auth_param = {})
57 request.session_options[:skip] = true
As a result, in tests using `authenticated_as`,
session data is discarded between every single request.
Some controller actions will not work without session data,
so this limitation made testing these actions impossible.
=== Why couldn't we just set the session values directly in test setup?
This is possible in controller tests,
but the Rails & RSpec team soft-deprecated controller tests
in favor of integration tests (request specs) a long time ago.
For more details, consider the following comments:
> The session is an internal structure for the controller.
> Integration test is more black box than controller tests were.
> I don't think we should be testing internals of the controller like this.
> I would rework the test to test something visible in the UI instead.
>
> --@dhh via rails/rails#23386
> Integration tests doesn't allow you to set session.
>
> --@rafaelfranca via rails/rails#25394
=== Solution
This commit adds a `via: :browser` option to the spec helper
which simply prepends a valid sign-in request to the spec example.
Reproduction scenario:
Test results: throwaway.txt
[this is with rails master]
Note: I reran rails test with BACKTRACE set as the actual error is inside action_dispatch/testing/test_process.
Example with similar code working in Rails 4.2:
Code: http://intertwingly.net/projects/AWDwR4/checkdepot-215-42/section-10.4.html#cmd3
Test: http://intertwingly.net/projects/AWDwR4/checkdepot-215-42/section-10.4.html#cmd8
Results for same example in Rails 5 (master):
http://intertwingly.net/projects/AWDwR4/checkdepot/section-10.4.html#cmd8
The text was updated successfully, but these errors were encountered: