Allow configuration of enabled environments for auth backdoor

NEWS.md

@@ -9,6 +9,8 @@ complete changelog, see the git history for each version via the version links.
 
 - Update the `HttpOnly` cookie setting for the remember token to default to
   true, which prevents the value from being available to JavaScript.
+- Add configuration option to allow the auth backdoor to work in specified
+  environments (defaults to `test`, `development`, `ci`).
 
 [Unreleased]: https://github.com/thoughtbot/clearance/compare/v1.16.2...HEAD
 

lib/clearance/back_door.rb

@@ -31,8 +31,8 @@ module Clearance
   #   visit new_feedback_path(as: user)
   class BackDoor
     def initialize(app, &block)
-      unless ENV["RAILS_ENV"] == "test"
-        raise "Can't use backdoor outside test environment"
+      unless environment_is_allowed?
+        raise error_message
       end
 
       @app = app
@@ -65,5 +65,27 @@ def find_user(user_param)
         Clearance.configuration.user_model.find(user_param)
       end
     end
+
+    # @api private
+    def environment_is_allowed?
+      allowed_environments.include? ENV["RAILS_ENV"]
+    end
+
+    # @api private
+    def allowed_environments
+      Clearance.configuration.allowed_backdoor_environments || []
+    end
+
+    # @api private
+    def error_message
+      unless allowed_environments.empty?
+        <<-EOS.squish
+          Can't use auth backdoor outside of
+          configured environments (#{allowed_environments.join(", ")}).
+        EOS
+      else
+        "BackDoor auth is disabled."
+      end
+    end
   end
 end

lib/clearance/configuration.rb

@@ -90,17 +90,23 @@ class Configuration
     # @return [ActiveRecord::Base]
     attr_accessor :user_model
 
+    # The array of allowed environments where `Clearance::BackDoor` is enabled.
+    # Defaults to ["test", "ci", "development"]
+    # @return [Array<String>]
+    attr_accessor :allowed_backdoor_environments
+
     def initialize
       @allow_sign_up = true
-      @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
+      @allowed_backdoor_environments = ["test", "ci", "development"]
       @cookie_domain = nil
-      @cookie_path = '/'
+      @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
       @cookie_name = "remember_token"
+      @cookie_path = '/'
       @httponly = true
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
-      @routes = true
       @rotate_csrf_on_sign_in = nil
+      @routes = true
       @secure_cookie = false
       @sign_in_guards = []
     end

spec/clearance/back_door_spec.rb

@@ -41,10 +41,45 @@
     expect(result).to eq mock_app.call(env)
   end
 
-  it "can't be used outside the test environment" do
+  it "can't be used outside the allowed environments" do
     with_environment("RAILS_ENV" => "production") do
       expect { Clearance::BackDoor.new(mock_app) }.
-        to raise_exception "Can't use backdoor outside test environment"
+        to raise_exception "Can't use auth backdoor outside of configured \
+          environments (test, ci, development).".squish
+    end
+  end
+
+  context "when the environments are disabled" do
+    before do
+      Clearance.configuration.allowed_backdoor_environments = nil
+    end
+
+    it "raises an error for a default allowed env" do
+      with_environment("RAILS_ENV" => "test") do
+        expect { Clearance::BackDoor.new(mock_app) }.
+          to raise_exception "BackDoor auth is disabled."
+      end
+    end
+  end
+
+  context "when the environments are not defaults" do
+    before do
+      Clearance.configuration.allowed_backdoor_environments = ['demo']
+    end
+
+    it "can be used with configured allowed environments" do
+      with_environment("RAILS_ENV" => "demo") do
+        user_id = "123"
+        user = double("user")
+        allow(User).to receive(:find).with(user_id).and_return(user)
+        env = env_for_user_id(user_id)
+        back_door = Clearance::BackDoor.new(mock_app)
+
+        result = back_door.call(env)
+
+        expect(env[:clearance]).to have_received(:sign_in).with(user)
+        expect(result).to eq mock_app.call(env)
+      end
     end
   end