analytics/test/plausible_web/controllers/auth_controller_test.exs
Adam Rutkowski 5de43b758d
Run tests in async mode where applicable (#2542)
* Set pg pool size for MIX_ENV=test

* Include slow tests in CI run

* Exclude slow tests by default

* Mark tests slow/async where applicable

* Restructure captcha mocks

* Revert async where env is relied upon

* Add --max-failures=1 to CI run

* Set warnings as errors

* Disable async where various mocks are used

* Revert "Disable async where various mocks are used"

This reverts commit 2446b72a29.

* Disable async for test using vcr
2022-12-26 10:20:29 -03:00

780 lines
23 KiB
Elixir

defmodule PlausibleWeb.AuthControllerTest do
use PlausibleWeb.ConnCase, async: true
use Bamboo.Test
use Plausible.Repo
import Mox
setup :verify_on_exit!
describe "GET /register" do
test "shows the register form", %{conn: conn} do
conn = get(conn, "/register")
assert html_response(conn, 200) =~ "Enter your details"
end
end
describe "POST /register" do
setup do
mock_captcha_success()
:ok
end
test "registering sends an activation link", %{conn: conn} do
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
assert user_email == "user@example.com"
assert subject =~ "is your Plausible email verification code"
end
test "user is redirected to activate page after registration", %{conn: conn} do
conn =
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert redirected_to(conn, 302) == "/activate"
end
test "creates user record", %{conn: conn} do
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
user = Repo.one(Plausible.Auth.User)
assert user.name == "Jane Doe"
end
test "logs the user in", %{conn: conn} do
conn =
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert get_session(conn, :current_user_id)
end
test "user is redirected to activation after registration", %{conn: conn} do
conn =
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert redirected_to(conn) == "/activate"
end
end
describe "GET /register/invitations/:invitation_id" do
test "shows the register form", %{conn: conn} do
inviter = insert(:user)
site = insert(:site, members: [inviter])
invitation =
insert(:invitation,
site_id: site.id,
inviter: inviter,
email: "user@email.co",
role: :admin
)
conn = get(conn, "/register/invitation/#{invitation.invitation_id}")
assert html_response(conn, 200) =~ "Enter your details"
end
end
describe "POST /register/invitation/:invitation_id" do
setup do
mock_captcha_success()
inviter = insert(:user)
site = insert(:site, members: [inviter])
invitation =
insert(:invitation,
site_id: site.id,
inviter: inviter,
email: "user@email.co",
role: :admin
)
{:ok, %{site: site, invitation: invitation}}
end
test "registering sends an activation link", %{conn: conn, invitation: invitation} do
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
assert user_email == "user@example.com"
assert subject =~ "is your Plausible email verification code"
end
test "user is redirected to activate page after registration", %{
conn: conn,
invitation: invitation
} do
conn =
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert redirected_to(conn, 302) == "/activate"
end
test "creates user record", %{conn: conn, invitation: invitation} do
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
user = Repo.get_by(Plausible.Auth.User, email: "user@example.com")
assert user.name == "Jane Doe"
end
test "leaves trial_expiry_date null when invitation role is not :owner", %{
conn: conn,
invitation: invitation
} do
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
user = Repo.get_by(Plausible.Auth.User, email: "user@example.com")
assert is_nil(user.trial_expiry_date)
end
test "logs the user in", %{conn: conn, invitation: invitation} do
conn =
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert get_session(conn, :current_user_id)
end
test "user is redirected to activation after registration", %{conn: conn} do
conn =
post(conn, "/register",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert redirected_to(conn) == "/activate"
end
end
describe "captcha failure" do
setup do
mock_captcha_failure()
inviter = insert(:user)
site = insert(:site, members: [inviter])
invitation =
insert(:invitation,
site_id: site.id,
inviter: inviter,
email: "user@email.co",
role: :admin
)
{:ok, %{site: site, invitation: invitation}}
end
test "renders captcha errors in case of captcha input verification failure", %{
conn: conn,
invitation: invitation
} do
conn =
post(conn, "/register/invitation/#{invitation.invitation_id}",
user: %{
name: "Jane Doe",
email: "user@example.com",
password: "very-secret",
password_confirmation: "very-secret"
}
)
assert html_response(conn, 200) =~ "Please complete the captcha"
end
end
describe "GET /activate" do
setup [:create_user, :log_in]
test "if user does not have a code: prompts user to request activation code", %{conn: conn} do
conn = get(conn, "/activate")
assert html_response(conn, 200) =~ "Request activation code"
end
test "if user does have a code: prompts user to enter the activation code from their email",
%{conn: conn} do
conn =
post(conn, "/activate/request-code")
|> get("/activate")
assert html_response(conn, 200) =~ "Please enter the 4-digit code we sent to"
end
end
describe "POST /activate/request-code" do
setup [:create_user, :log_in]
test "associates an activation pin with the user account", %{conn: conn, user: user} do
post(conn, "/activate/request-code")
code =
Repo.one(
from c in "email_verification_codes",
where: c.user_id == ^user.id,
select: %{user_id: c.user_id, issued_at: c.issued_at}
)
assert code[:user_id] == user.id
assert Timex.after?(code[:issued_at], Timex.now() |> Timex.shift(seconds: -10))
end
test "sends activation email to user", %{conn: conn, user: user} do
post(conn, "/activate/request-code")
assert_delivered_email_matches(%{to: [{_, user_email}], subject: subject})
assert user_email == user.email
assert subject =~ "is your Plausible email verification code"
end
test "redirets user to /activate", %{conn: conn} do
conn = post(conn, "/activate/request-code")
assert redirected_to(conn, 302) == "/activate"
end
end
describe "POST /activate" do
setup [:create_user, :log_in]
test "with wrong pin - reloads the form with error", %{conn: conn} do
conn = post(conn, "/activate", %{code: "1234"})
assert html_response(conn, 200) =~ "Incorrect activation code"
end
test "with expired pin - reloads the form with error", %{conn: conn, user: user} do
Repo.insert_all("email_verification_codes", [
%{
code: 1234,
user_id: user.id,
issued_at: Timex.shift(Timex.now(), days: -1)
}
])
conn = post(conn, "/activate", %{code: "1234"})
assert html_response(conn, 200) =~ "Code is expired, please request another one"
end
test "marks the user account as active", %{conn: conn, user: user} do
Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
post(conn, "/activate/request-code")
code =
Repo.one(
from c in "email_verification_codes", where: c.user_id == ^user.id, select: c.code
)
|> Integer.to_string()
conn = post(conn, "/activate", %{code: code})
user = Repo.get_by(Plausible.Auth.User, id: user.id)
assert user.email_verified
assert redirected_to(conn) == "/sites/new"
end
test "redirects to /sites if user has invitation", %{conn: conn, user: user} do
site = insert(:site)
insert(:invitation, inviter: build(:user), site: site, email: user.email)
Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
post(conn, "/activate/request-code")
code =
Repo.one(
from c in "email_verification_codes", where: c.user_id == ^user.id, select: c.code
)
|> Integer.to_string()
conn = post(conn, "/activate", %{code: code})
assert redirected_to(conn) == "/sites"
end
test "removes the user association from the verification code", %{conn: conn, user: user} do
Repo.update!(Plausible.Auth.User.changeset(user, %{email_verified: false}))
post(conn, "/activate/request-code")
code =
Repo.one(
from c in "email_verification_codes", where: c.user_id == ^user.id, select: c.code
)
|> Integer.to_string()
post(conn, "/activate", %{code: code})
refute Repo.exists?(from c in "email_verification_codes", where: c.user_id == ^user.id)
end
end
describe "GET /login_form" do
test "shows the login form", %{conn: conn} do
conn = get(conn, "/login")
assert html_response(conn, 200) =~ "Enter your email and password"
end
end
describe "POST /login" do
test "valid email and password - logs the user in", %{conn: conn} do
user = insert(:user, password: "password")
conn = post(conn, "/login", email: user.email, password: "password")
assert get_session(conn, :current_user_id) == user.id
assert redirected_to(conn) == "/sites"
end
test "email does not exist - renders login form again", %{conn: conn} do
conn = post(conn, "/login", email: "user@example.com", password: "password")
assert get_session(conn, :current_user_id) == nil
assert html_response(conn, 200) =~ "Enter your email and password"
end
test "bad password - renders login form again", %{conn: conn} do
user = insert(:user, password: "password")
conn = post(conn, "/login", email: user.email, password: "wrong")
assert get_session(conn, :current_user_id) == nil
assert html_response(conn, 200) =~ "Enter your email and password"
end
test "limits login attempts to 5 per minute" do
user = insert(:user, password: "password")
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
conn =
build_conn()
|> put_req_header("x-forwarded-for", "1.1.1.1")
|> post("/login", email: user.email, password: "wrong")
assert get_session(conn, :current_user_id) == nil
assert html_response(conn, 429) =~ "Too many login attempts"
end
end
describe "GET /password/request-reset" do
test "renders the form", %{conn: conn} do
conn = get(conn, "/password/request-reset")
assert html_response(conn, 200) =~ "Enter your email so we can send a password reset link"
end
end
describe "POST /password/request-reset" do
test "email is empty - renders form with error", %{conn: conn} do
conn = post(conn, "/password/request-reset", %{email: ""})
assert html_response(conn, 200) =~ "Enter your email so we can send a password reset link"
end
test "email is present and exists - sends password reset email", %{conn: conn} do
mock_captcha_success()
user = insert(:user)
conn = post(conn, "/password/request-reset", %{email: user.email})
assert html_response(conn, 200) =~ "Success!"
assert_email_delivered_with(subject: "Plausible password reset")
end
test "renders captcha errors in case of captcha input verification failure", %{conn: conn} do
mock_captcha_failure()
user = insert(:user)
conn = post(conn, "/password/request-reset", %{email: user.email})
assert html_response(conn, 200) =~ "Please complete the captcha"
end
end
describe "GET /password/reset" do
test "with valid token - shows form", %{conn: conn} do
token = Plausible.Auth.Token.sign_password_reset("email@example.com")
conn = get(conn, "/password/reset", %{token: token})
assert html_response(conn, 200) =~ "Reset your password"
end
test "with invalid token - shows error page", %{conn: conn} do
conn = get(conn, "/password/reset", %{token: "blabla"})
assert html_response(conn, 401) =~ "Your token is invalid"
end
end
describe "POST /password/reset" do
alias Plausible.Auth.{User, Token, Password}
test "with valid token - resets the password", %{conn: conn} do
user = insert(:user)
token = Token.sign_password_reset(user.email)
post(conn, "/password/reset", %{token: token, password: "new-password"})
user = Plausible.Repo.get(User, user.id)
assert Password.match?("new-password", user.password_hash)
end
test "with valid token - redirects the user to login", %{conn: conn} do
user = insert(:user)
token = Token.sign_password_reset(user.email)
conn = post(conn, "/password/reset", %{token: token, password: "new-password"})
assert redirected_to(conn, 302) == "/login"
end
end
describe "GET /settings" do
setup [:create_user, :log_in]
test "shows the form", %{conn: conn} do
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Account settings"
end
test "shows subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "558018", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10k pageviews"
assert html_response(conn, 200) =~ "monthly billing"
end
test "shows yearly subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "590752", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "100k pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
test "shows free subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "free_10k", user: user)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10k pageviews"
assert html_response(conn, 200) =~ "N/A billing"
end
test "shows enterprise plan subscription", %{conn: conn, user: user} do
insert(:subscription, paddle_plan_id: "123", user: user)
insert(:enterprise_plan,
paddle_plan_id: "123",
user: user,
monthly_pageview_limit: 10_000_000,
billing_interval: :yearly
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10M pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
test "shows current enterprise plan subscription when user has a new one to upgrade to", %{
conn: conn,
user: user
} do
insert(:subscription, paddle_plan_id: "123", user: user)
insert(:enterprise_plan,
paddle_plan_id: "123",
user: user,
monthly_pageview_limit: 10_000_000,
billing_interval: :yearly
)
insert(:enterprise_plan,
paddle_plan_id: "1234",
user: user,
monthly_pageview_limit: 20_000_000,
billing_interval: :yearly
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "10M pageviews"
assert html_response(conn, 200) =~ "yearly billing"
end
test "shows invoices for subscribed user", %{conn: conn, user: user} do
insert(:subscription,
paddle_plan_id: "558018",
paddle_subscription_id: "redundant",
user: user
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Dec 24, 2020"
assert html_response(conn, 200) =~ "€11.11"
assert html_response(conn, 200) =~ "Nov 24, 2020"
assert html_response(conn, 200) =~ "$22.00"
end
test "shows 'something went wrong' on failed invoice request'", %{conn: conn, user: user} do
insert(:subscription,
paddle_plan_id: "558018",
paddle_subscription_id: "invalid_subscription_id",
user: user
)
conn = get(conn, "/settings")
assert html_response(conn, 200) =~ "Invoices"
assert html_response(conn, 200) =~ "Something went wrong"
end
test "does not show invoice section for a user with no subscription", %{conn: conn} do
conn = get(conn, "/settings")
refute html_response(conn, 200) =~ "Invoices"
end
test "does not show invoice section for a free subscription", %{conn: conn, user: user} do
Plausible.Billing.Subscription.free(%{user_id: user.id, currency_code: "EUR"})
|> Repo.insert!()
conn = get(conn, "/settings")
refute html_response(conn, 200) =~ "Invoices"
end
end
describe "PUT /settings" do
setup [:create_user, :log_in]
test "updates user record", %{conn: conn, user: user} do
put(conn, "/settings", %{"user" => %{"name" => "New name"}})
user = Plausible.Repo.get(Plausible.Auth.User, user.id)
assert user.name == "New name"
end
test "redirects user to /settings", %{conn: conn} do
conn = put(conn, "/settings", %{"user" => %{"name" => "New name"}})
assert redirected_to(conn, 302) == "/settings"
end
test "renders form with error if form validations fail", %{conn: conn} do
conn = put(conn, "/settings", %{"user" => %{"name" => ""}})
assert html_response(conn, 200) =~ "can't be blank"
end
end
describe "DELETE /me" do
setup [:create_user, :log_in, :create_new_site]
use Plausible.Repo
test "deletes the user", %{conn: conn, user: user, site: site} do
Repo.insert_all("intro_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("feedback_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("create_site_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
Repo.insert_all("check_stats_emails", [
%{
user_id: user.id,
timestamp: NaiveDateTime.utc_now()
}
])
insert(:google_auth, site: site, user: user)
insert(:subscription, user: user, status: "deleted")
conn = delete(conn, "/me")
assert redirected_to(conn) == "/"
end
test "deletes sites that the user owns", %{conn: conn, user: user, site: owner_site} do
viewer_site = insert(:site)
insert(:site_membership, site: viewer_site, user: user, role: "viewer")
delete(conn, "/me")
assert Repo.get(Plausible.Site, viewer_site.id)
refute Repo.get(Plausible.Site, owner_site.id)
end
end
describe "POST /settings/api-keys" do
setup [:create_user, :log_in]
import Ecto.Query
test "can't create api key into another site", %{conn: conn, user: me} do
my_site = insert(:site)
insert(:site_membership, site: my_site, user: me, role: "owner")
other_user = insert(:user)
other_site = insert(:site)
insert(:site_membership, site: other_site, user: other_user, role: "owner")
conn =
post(conn, "/settings/api-keys", %{
"api_key" => %{
"user_id" => other_user.id,
"name" => "all your code are belong to us",
"key" => "swordfish"
}
})
assert conn.status == 302
refute Plausible.Auth.ApiKey |> where(user_id: ^other_user.id) |> Repo.one()
end
end
describe "DELETE /settings/api-keys/:id" do
setup [:create_user, :log_in]
alias Plausible.Auth.ApiKey
test "can't delete api key that doesn't belong to me", %{conn: conn} do
other_user = insert(:user)
insert(:site_membership, site: insert(:site), user: other_user, role: "owner")
assert {:ok, %ApiKey{} = api_key} =
%ApiKey{user_id: other_user.id}
|> ApiKey.changeset(%{"name" => "other user's key"})
|> Repo.insert()
assert_raise Ecto.NoResultsError, fn ->
delete(conn, "/settings/api-keys/#{api_key.id}")
end
assert Repo.get(ApiKey, api_key.id)
end
end
describe "GET /auth/google/callback" do
test "shows error and redirects back to settings when authentication fails", %{conn: conn} do
site = insert(:site)
callback_params = %{"error" => "access_denied", "state" => "[#{site.id},\"import\"]"}
conn = get(conn, Routes.auth_path(conn, :google_auth_callback), callback_params)
assert redirected_to(conn, 302) == Routes.site_path(conn, :settings_general, site.domain)
assert get_flash(conn, :error) =~ "unable to authenticate your Google Analytics"
end
end
defp mock_captcha_success() do
mock_captcha(true)
end
defp mock_captcha_failure() do
mock_captcha(false)
end
defp mock_captcha(success) do
expect(
Plausible.HTTPClient.Mock,
:post,
fn _, _, _ ->
{:ok,
%Finch.Response{
status: 200,
headers: [{"content-type", "application/json"}],
body: %{"success" => success}
}}
end
)
end
end