Files
fizzy/test/controllers/sessions_controller_test.rb
Rosa Gutierrez c059e0b216 Add JSON format support to session destroy for native API clients
This is so that native API clients can get the session record deleted
server-side. They still need to take care of clearing any cookies
they've set in web views.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 19:59:30 +01:00

132 lines
3.5 KiB
Ruby

require "test_helper"
class SessionsControllerTest < ActionDispatch::IntegrationTest
test "new" do
untenanted do
get new_session_path
end
assert_response :success
end
test "new redirects authenticated users" do
sign_in_as :kevin
untenanted do
get new_session_path
assert_redirected_to root_url
end
end
test "create" do
identity = identities(:kevin)
untenanted do
assert_difference -> { MagicLink.count }, 1 do
post session_path, params: { email_address: identity.email_address }
end
assert_redirected_to session_magic_link_path
assert_nil flash[:magic_link_code]
end
end
test "create for a new user" do
untenanted do
assert_difference -> { MagicLink.count }, +1 do
assert_difference -> { Identity.count }, +1 do
post session_path,
params: { email_address: "nonexistent-#{SecureRandom.hex(6)}@example.com" }
end
end
assert_redirected_to session_magic_link_path
assert MagicLink.last.for_sign_up?
end
end
test "create for a new user when single tenant mode already has a tenant" do
with_multi_tenant_mode(false) do
untenanted do
assert_no_difference -> { MagicLink.count } do
assert_no_difference -> { Identity.count } do
post session_path,
params: { email_address: "nonexistent-#{SecureRandom.hex(6)}@example.com" }
end
end
assert_redirected_to session_magic_link_path
end
end
end
test "create with invalid email address" do
# Avoid Sentry exceptions when attackers try to stuff invalid emails. The browser performs form
# field validation that should normally prevent this from occurring, so I'm not worried about
# returning proper validation errors.
without_action_dispatch_exception_handling do
untenanted do
assert_no_difference -> { Identity.count } do
post session_path, params: { email_address: "not-a-valid-email" }
end
assert_response :redirect
assert_redirected_to new_session_path
end
end
end
test "destroy" do
sign_in_as :kevin
untenanted do
delete session_path
assert_redirected_to new_session_path
assert_not cookies[:session_token].present?
end
end
test "create via JSON" do
untenanted do
post session_path(format: :json), params: { email_address: identities(:david).email_address }
assert_response :created
end
end
test "create for a new user via JSON" do
new_email = "new-user-#{SecureRandom.hex(6)}@example.com"
untenanted do
assert_difference -> { Identity.count }, 1 do
assert_difference -> { MagicLink.count }, 1 do
post session_path(format: :json), params: { email_address: new_email }
end
end
assert_response :created
assert @response.parsed_body["pending_authentication_token"].present?
assert MagicLink.last.for_sign_up?
end
end
test "create with invalid email address via JSON" do
untenanted do
assert_no_difference -> { Identity.count } do
post session_path(format: :json), params: { email_address: "not-a-valid-email" }
end
assert_response :unprocessable_entity
end
end
test "destroy via JSON" do
sign_in_as :kevin
untenanted do
delete session_path(format: :json)
assert_response :no_content
assert_not cookies[:session_token].present?
end
end
end