Merge pull request #31 from G5/rc-v1-0-3

RC v1.0.3
G5 · Jan 7, 2020 · 0997fbf · 0997fbf
2 parents 85f9508 + f774c46
commit 0997fbf
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 7 deletions.
diff --git a/app/controllers/devise_g5_authenticatable/sessions_controller.rb b/app/controllers/devise_g5_authenticatable/sessions_controller.rb
@@ -14,8 +14,12 @@ def omniauth_passthru
     end
 
     def create
-      self.resource = resource_class.find_and_update_for_g5_oauth(auth_data)
-      resource ? sign_in_resource : register_resource
+      if authorized?
+        sign_in_or_register
+      else
+        params = { restricted: base_url }
+        redirect_to(restricted_application_redirect_url + '?' + params.to_query)
+      end
     end
 
     def destroy
@@ -26,6 +30,27 @@ def destroy
 
     protected
 
+    def authorized?
+      accessible_applications.map(&:url).include?(base_url) || accessible_applications.map(&:url).include?('global')
+    end
+
+    def base_url
+      request.base_url
+    end
+
+    def accessible_applications
+      auth_data.extra.raw_info.accessible_applications
+    end
+
+    def restricted_application_redirect_url
+      auth_data.extra.raw_info.restricted_application_redirect_url
+    end
+
+    def sign_in_or_register
+      self.resource = resource_class.find_and_update_for_g5_oauth(auth_data)
+      resource ? sign_in_resource : register_resource
+    end
+
     def auth_data
       @auth_data ||= request.env['omniauth.auth']
       session['omniauth.auth'] = @auth_data
@@ -46,7 +71,7 @@ def local_sign_out
     end
 
     def remote_sign_out
-      redirect_url = URI.join(request.base_url,
+      redirect_url = URI.join(base_url,
                               after_sign_out_path_for(resource_name))
       redirect_to auth_client.sign_out_url(redirect_url.to_s)
     end

diff --git a/lib/devise_g5_authenticatable/models/g5_authenticatable.rb b/lib/devise_g5_authenticatable/models/g5_authenticatable.rb
@@ -127,7 +127,7 @@ def new_with_session(params, session)
         private
 
         def without_auth_callback
-          skip_callback :save, :before, :auth_user
+          skip_callback :save, :before, :auth_user, raise: false
           yield
           set_callback :save, :before, :auth_user
         end

diff --git a/lib/devise_g5_authenticatable/version.rb b/lib/devise_g5_authenticatable/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseG5Authenticatable
-  VERSION = '1.0.0'
+  VERSION = '1.0.3'
 end
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
@@ -41,7 +41,13 @@
         uid: '45',
         info: { name: 'Foo Bar',
                 email: '[email protected]' },
-        credentials: { token: 'abc123' }
+        credentials: { token: 'abc123' },
+        extra: {
+          raw_info: {
+            accessible_applications: [{ url: 'global' }],
+            restricted_application_redirect_url: 'https://imc.com'
+          }
+        }
       )
     end
     before { request.env['omniauth.auth'] = auth_hash }
@@ -148,6 +154,53 @@
         end
       end
     end
+
+    context 'when user does not have access to application' do
+      let(:auth_hash) do
+        OmniAuth::AuthHash.new(
+          provider: 'g5',
+          uid: '45',
+          info: { name: 'Foo Bar',
+                  email: '[email protected]' },
+          credentials: { token: 'abc123' },
+          extra: {
+            raw_info: {
+              accessible_applications: [],
+              restricted_application_redirect_url: 'https://imc.com'
+            }
+          }
+        )
+      end
+
+      let(:model) do
+        stub_model(model_class,
+                   provider: auth_hash.provider,
+                   uid: auth_hash.uid,
+                   email: auth_hash.email,
+                   g5_access_token: auth_hash.credentials.token,
+                   save!: true,
+                   update_g5_credentials: true,
+                   email_changed?: false)
+      end
+
+      before do
+        allow(model_class).to receive(:find_and_update_for_g5_oauth)
+          .and_return(model)
+      end
+
+      let(:model_class) { User }
+      let(:scope) { :user }
+
+      it 'should redirect the user to the restricted_application_redirect_url' do
+        create_session
+        params = { restricted: subject.request.base_url }
+        expect(subject).to redirect_to(auth_hash.extra.raw_info.restricted_application_redirect_url + '?' + params.to_query)
+      end
+
+      it 'should not sign in a user' do
+        expect { create_session }.to_not change { controller.current_user }
+      end
+    end
   end
 
   describe '#destroy' do

diff --git a/spec/support/user_omniauth_methods.rb b/spec/support/user_omniauth_methods.rb
@@ -6,7 +6,13 @@ def stub_g5_omniauth(user, options = {})
       uid: user.uid,
       provider: 'g5',
       info: { email: user.email },
-      credentials: { token: user.g5_access_token }
+      credentials: { token: user.g5_access_token },
+      extra: {
+        raw_info: {
+          accessible_applications: [{ url: 'global' }],
+          restricted_application_redirect_url: 'https://imc.com'
+        }
+      }
     }.merge(options))
   end