# frozen_string_literal: true

require 'test_helper'

#  was the web request successful?
#  was the user redirected to the right page?
#  was the user successfully authenticated?
#  was the correct object stored in the response?
#  was the appropriate message delivered in the json payload?

class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
  describe DeviseTokenAuth::PasswordsController do
    describe 'Password reset' do
      before do
        @resource = create(:user, :confirmed)
        @redirect_url = 'http://ng-token-auth.dev'
      end

      describe 'not email should return 401' do
        before do
          @auth_headers = @resource.create_new_auth_token
          @new_password = Faker::Internet.password

          post :create,
               params: { redirect_url: @redirect_url }
          @data = JSON.parse(response.body)
        end

        test 'response should fail' do
          assert_equal 401, response.status
        end

        test 'error message should be returned' do
          assert @data['errors']
          assert_equal @data['errors'],
                       [I18n.t('devise_token_auth.passwords.missing_email')]
        end
      end

      describe 'not redirect_url should return 401' do
        before do
          @auth_headers = @resource.create_new_auth_token
          @new_password = Faker::Internet.password

          post :create,
               params: { email: 'chester@cheet.ah' }
          @data = JSON.parse(response.body)
        end

        test 'response should fail' do
          assert_equal 401, response.status
        end

        test 'error message should be returned' do
          assert @data['errors']
          assert_equal(
            @data['errors'],
            [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
          )
        end
      end

      describe 'request password reset' do
        describe 'unknown user should return 404' do
          before do
            post :create,
                 params: { email: 'chester@cheet.ah',
                           redirect_url: @redirect_url }
            @data = JSON.parse(response.body)
          end

          test 'unknown user should return 404' do
            assert_equal 404, response.status
          end

          test 'errors should be returned' do
            assert @data['errors']
            assert_equal @data['errors'],
                         [I18n.t('devise_token_auth.passwords.user_not_found',
                                 email: 'chester@cheet.ah')]
          end
        end

        describe 'successfully requested password reset' do
          before do
            post :create,
                 params: { email: @resource.email,
                           redirect_url: @redirect_url }

            @data = JSON.parse(response.body)
          end

          test 'response should not contain extra data' do
            assert_nil @data['data']
          end
        end

        describe 'case-sensitive email' do
          before do
            post :create,
                 params: { email: @resource.email,
                           redirect_url: @redirect_url }

            @mail = ActionMailer::Base.deliveries.last
            @resource.reload
            @data = JSON.parse(response.body)

            @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
            @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
            @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
          end

          test 'response should return success status' do
            assert_equal 200, response.status
          end

          test 'response should contains message' do
            assert_equal \
              @data['message'],
              I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
          end

          test 'action should send an email' do
            assert @mail
          end

          test 'the email should be addressed to the user' do
            assert_equal @mail.to.first, @resource.email
          end

          test 'the email body should contain a link with redirect url as a query param' do
            assert_equal @redirect_url, @mail_redirect_url
          end

          test 'the client config name should fall back to "default"' do
            assert_equal 'default', @mail_config_name
          end

          test 'the email body should contain a link with reset token as a query param' do
            user = User.reset_password_by_token(reset_password_token: @mail_reset_token)

            assert_equal user.id, @resource.id
          end

          describe 'password reset link failure' do
            test 'response should return 404' do
              assert_raises(ActionController::RoutingError) do
                get :edit,
                    params: { reset_password_token: 'bogus',
                              redirect_url: @mail_redirect_url }
              end
            end
          end

          describe 'password reset link success' do
            before do
              get :edit,
                  params: { reset_password_token: @mail_reset_token,
                            redirect_url: @mail_redirect_url }

              @resource.reload

              raw_qs = response.location.split('?')[1]
              @qs = Rack::Utils.parse_nested_query(raw_qs)

              @access_token   = @qs['access-token']
              @client_id      = @qs['client_id']
              @client         = @qs['client']
              @expiry         = @qs['expiry']
              @reset_password = @qs['reset_password']
              @token          = @qs['token']
              @uid            = @qs['uid']
            end

            test 'response should have success redirect status' do
              assert_equal 302, response.status
            end

            test 'response should contain auth params' do
              assert @access_token
              assert @client
              assert @client_id
              assert @expiry
              assert @reset_password
              assert @token
              assert @uid
            end

            test 'response auth params should be valid' do
              assert @resource.valid_token?(@token, @client_id)
              assert @resource.valid_token?(@access_token, @client)
            end
          end
        end

        describe 'case-insensitive email' do
          before do
            @resource_class = User
            @request_params = {
              email:        @resource.email.upcase,
              redirect_url: @redirect_url
            }
          end

          test 'response should return success status if configured' do
            @resource_class.case_insensitive_keys = [:email]
            post :create, params: @request_params
            assert_equal 200, response.status
          end

          test 'response should return failure status if not configured' do
            @resource_class.case_insensitive_keys = []
            post :create, params: @request_params
            assert_equal 404, response.status
          end
        end

        describe 'Cheking reset_password_token' do
          before do
            post :create, params: {
              email:        @resource.email,
              redirect_url: @redirect_url
            }

            @mail = ActionMailer::Base.deliveries.last
            @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
            @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]

            @resource.reload
          end

          describe 'reset_password_token is valid' do

            test 'mail_reset_token should be the same as reset_password_token' do
              assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
            end

            test 'reset_password_token should be rewritten by origin mail_reset_token' do
              get :edit, params: {
                reset_password_token: @mail_reset_token,
                redirect_url: @mail_redirect_url
              }
              @resource.reload

              assert_equal @mail_reset_token, @resource.reset_password_token
            end

            test 'response should return success status' do
              get :edit, params: {
                reset_password_token: @mail_reset_token,
                redirect_url: @mail_redirect_url
              }

              assert_equal 302, response.status
            end

            test 'reset_password_token should be valid only one first time' do
              get :edit, params: {
                reset_password_token: @mail_reset_token,
                redirect_url: @mail_redirect_url
              }

              @resource.reload
              assert_equal @mail_reset_token, @resource.reset_password_token

              assert_raises(ActionController::RoutingError) {
                get :edit, params: {
                  reset_password_token: @mail_reset_token,
                  redirect_url: @mail_redirect_url
                }
              }

              @resource.reload
              assert_equal @mail_reset_token, @resource.reset_password_token
            end

            test 'reset_password_sent_at should be valid' do
              assert_equal @resource.reset_password_period_valid?, true

              get :edit, params: {
                reset_password_token: @mail_reset_token,
                redirect_url: @mail_redirect_url
              }

              @resource.reload
              assert_equal @mail_reset_token, @resource.reset_password_token
            end

            test 'reset_password_sent_at should be expired' do
              assert_equal @resource.reset_password_period_valid?, true

              @resource.update reset_password_sent_at: @resource.reset_password_sent_at - Devise.reset_password_within - 1.seconds
              assert_equal @resource.reset_password_period_valid?, false

              assert_raises(ActionController::RoutingError) {
                get :edit, params: {
                  reset_password_token: @mail_reset_token,
                  redirect_url: @mail_redirect_url
                }
              }
            end
          end

          describe 'reset_password_token is not valid' do
            test 'response should return error status' do
              @resource.update reset_password_token: 'koskoskoskos'

              assert_not_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token

              assert_raises(ActionController::RoutingError) {
                get :edit, params: {
                  reset_password_token: @mail_reset_token,
                  redirect_url: @mail_redirect_url
                }
              }
            end
          end
        end
      end

      describe 'Using default_password_reset_url' do
        before do
          @resource = create(:user, :confirmed)
          @redirect_url = 'http://ng-token-auth.dev'

          DeviseTokenAuth.default_password_reset_url = @redirect_url

          post :create,
               params: { email: @resource.email,
                         redirect_url: @redirect_url }

          @mail = ActionMailer::Base.deliveries.last
          @resource.reload

          @sent_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
        end

        teardown do
          DeviseTokenAuth.default_password_reset_url = nil
        end

        test 'response should return success status' do
          assert_equal 200, response.status
        end

        test 'action should send an email' do
          assert @mail
        end

        test 'the email body should contain a link with redirect url as a query param' do
          assert_equal @redirect_url, @sent_redirect_url
        end
      end

      describe 'Using redirect_whitelist' do
        before do
          @resource = create(:user, :confirmed)
          @good_redirect_url = Faker::Internet.url
          @bad_redirect_url = Faker::Internet.url
          DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
        end

        teardown do
          DeviseTokenAuth.redirect_whitelist = nil
        end

        test 'request to whitelisted redirect should be successful' do
          post :create,
               params: { email: @resource.email,
                         redirect_url: @good_redirect_url }

          assert_equal 200, response.status
        end

        test 'request to non-whitelisted redirect should fail' do
          post :create,
               params: { email: @resource.email,
                         redirect_url: @bad_redirect_url }

          assert_equal 422, response.status
        end
        test 'request to non-whitelisted redirect should return error message' do
          post :create,
               params: { email: @resource.email,
                         redirect_url: @bad_redirect_url }

          @data = JSON.parse(response.body)
          assert @data['errors']
          assert_equal @data['errors'],
                       [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
                               redirect_url: @bad_redirect_url)]
        end
      end

      describe 'change password with current password required' do
        before do
          DeviseTokenAuth.check_current_password_before_update = :password
        end

        after do
          DeviseTokenAuth.check_current_password_before_update = false
        end

        describe 'success' do
          before do
            @auth_headers = @resource.create_new_auth_token
            request.headers.merge!(@auth_headers)
            @new_password = Faker::Internet.password
            @resource.update password: 'secret123', password_confirmation: 'secret123'

            put :update,
                params: { password: @new_password,
                          password_confirmation: @new_password,
                          current_password: 'secret123' }

            @data = JSON.parse(response.body)
            @resource.reload
          end

          test 'request should be successful' do
            assert_equal 200, response.status
          end
        end

        describe 'success with after password reset' do
          before do
            # create a new password reset request
            post :create, params: { email: @resource.email,
                                    redirect_url: @redirect_url }

            @mail = ActionMailer::Base.deliveries.last
            @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
            @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]

            # confirm via password reset email link
            get :edit, params: { reset_password_token: @mail_reset_token,
                                 redirect_url: @mail_redirect_url }

            @resource.reload
            @allow_password_change_after_reset = @resource.allow_password_change

            @auth_headers = @resource.create_new_auth_token
            request.headers.merge!(@auth_headers)
            @new_password = Faker::Internet.password

            put :update, params: { password: @new_password,
                                   password_confirmation: @new_password }

            @data = JSON.parse(response.body)
            @resource.reload
            @allow_password_change = @resource.allow_password_change
            @resource.reload
          end

          test 'request should be successful' do
            assert_equal 200, response.status
          end

          test 'changes allow_password_change to true on reset' do
            assert_equal true, @allow_password_change_after_reset
          end

          test 'sets allow_password_change false' do
            assert_equal false, @allow_password_change
          end
        end

        describe 'current password mismatch error' do
          before do
            @auth_headers = @resource.create_new_auth_token
            request.headers.merge!(@auth_headers)
            @new_password = Faker::Internet.password

            put :update, params: { password: @new_password,
                                   password_confirmation: @new_password,
                                   current_password: 'not_very_secret321' }
          end

          test 'response should fail unauthorized' do
            assert_equal 422, response.status
          end
        end
      end

      describe 'change password' do
        describe 'success' do
          before do
            @auth_headers = @resource.create_new_auth_token
            request.headers.merge!(@auth_headers)
            @new_password = Faker::Internet.password

            put :update, params: { password: @new_password,
                                   password_confirmation: @new_password }

            @data = JSON.parse(response.body)
            @resource.reload
          end

          test 'request should be successful' do
            assert_equal 200, response.status
          end

          test 'request should return success message' do
            assert @data['message']
            assert_equal @data['message'],
                         I18n.t('devise_token_auth.passwords.successfully_updated')
          end

          test 'new password should authenticate user' do
            assert @resource.valid_password?(@new_password)
          end
        end

        describe 'password mismatch error' do
          before do
            @auth_headers = @resource.create_new_auth_token
            request.headers.merge!(@auth_headers)
            @new_password = Faker::Internet.password

            put :update, params: { password: 'chong',
                                   password_confirmation: 'bong' }
          end

          test 'response should fail' do
            assert_equal 422, response.status
          end
        end

        describe 'unauthorized user' do
          before do
            @auth_headers = @resource.create_new_auth_token
            @new_password = Faker::Internet.password

            put :update, params: { password: @new_password,
                                   password_confirmation: @new_password }
          end

          test 'response should fail' do
            assert_equal 401, response.status
          end
        end
      end
    end

    describe 'Alternate user class' do
      setup do
        @request.env['devise.mapping'] = Devise.mappings[:mang]
      end

      teardown do
        @request.env['devise.mapping'] = Devise.mappings[:user]
      end

      before do
        @resource = create(:mang_user, :confirmed)
        @redirect_url = 'http://ng-token-auth.dev'

        post :create, params: { email: @resource.email,
                                redirect_url: @redirect_url }

        @mail = ActionMailer::Base.deliveries.last
        @resource.reload

        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
      end

      test 'response should return success status' do
        assert_equal 200, response.status
      end

      test 'the email body should contain a link with reset token as a query param' do
        user = Mang.reset_password_by_token(reset_password_token: @mail_reset_token)

        assert_equal user.id, @resource.id
      end
    end

    describe 'unconfirmed user' do
      before do
        @resource = create(:user)
        @redirect_url = 'http://ng-token-auth.dev'

        post :create, params: { email: @resource.email,
                                redirect_url: @redirect_url }

        @mail = ActionMailer::Base.deliveries.last
        @resource.reload

        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]

        get :edit, params: { reset_password_token: @mail_reset_token,
                             redirect_url: @mail_redirect_url }

        @resource.reload
      end
    end

    describe 'unconfirmable user' do
      setup do
        @request.env['devise.mapping'] = Devise.mappings[:unconfirmable_user]
      end

      teardown do
        @request.env['devise.mapping'] = Devise.mappings[:user]
      end

      before do
        @resource = unconfirmable_users(:user)
        @redirect_url = 'http://ng-token-auth.dev'

        post :create, params: { email: @resource.email,
                                redirect_url: @redirect_url }

        @mail = ActionMailer::Base.deliveries.last
        @resource.reload

        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]

        get :edit, params: { reset_password_token: @mail_reset_token,
                             redirect_url: @mail_redirect_url }

        @resource.reload
      end
    end

    describe 'alternate user type' do
      before do
        @resource = create(:user, :confirmed)
        @redirect_url = 'http://ng-token-auth.dev'
        @config_name  = 'altUser'

        post :create, params: { email: @resource.email,
                                redirect_url: @redirect_url,
                                config_name: @config_name }

        @mail = ActionMailer::Base.deliveries.last
        @resource.reload

        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
      end

      test 'config_name param is included in the confirmation email link' do
        assert_equal @config_name, @mail_config_name
      end
    end
  end
end