spec/omniauth_heroku_spec.rb in omniauth-heroku-0.2.0.pre vs spec/omniauth_heroku_spec.rb in omniauth-heroku-0.2.0
- old
+ new
@@ -27,16 +27,12 @@
assert_equal ["http://example.org/auth/heroku/callback"],
redirect_params["redirect_uri"]
end
it "receives the callback" do
- # start the callback, get the session state
- get "/auth/heroku"
- assert_equal 302, last_response.status
- state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
-
# trigger the callback setting the state as a param and in the session
+ state = SecureRandom.hex(8)
get "/auth/heroku/callback", { "state" => state },
{ "rack.session" => { "omniauth.state" => state }}
assert_equal 200, last_response.status
omniauth_env = MultiJson.decode(last_response.body)
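Review bot: With `state` now generated in the spec and written into both the query and `rack.session`, only the matching-state path is exercised, here and in the second hunk's callback example; nothing visible checks that a callback whose `state` differs from `omniauth.state` is refused. That comparison is the CSRF guard on the callback, so a companion example would be worth adding, e.g. `get "/auth/heroku/callback", { "state" => "other" }, { "rack.session" => { "omniauth.state" => state } }` followed by an assertion that the response redirects to `/auth/failure`. The removed request-phase step may also have been the only place these examples confirmed that a `state` value is emitted in the authorize redirect; if no other example covers that, keep one assertion for it. `SecureRandom` needs `require "securerandom"` in the spec setup, which is not visible in this hunk. The `it` block continues past the end of the hunk.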
@@ -56,15 +52,12 @@
}
stub_request(:get, "https://api.heroku.com/account").
with(headers: { "Authorization" => "Bearer #{@token}" }).
to_return(body: MultiJson.encode(account_info))
- # do the oauth dance
- get "/auth/heroku"
- assert_equal 302, last_response.status
- state = last_response.headers["Location"].match(/state=([\w\d]+)/)[1]
-
+ # hit the OAuth callback
+ state = SecureRandom.hex(8)
get "/auth/heroku/callback", { "state" => state },
{ "rack.session" => { "omniauth.state" => state }}
assert_equal 200, last_response.status
# now make sure there's additional info in the omniauth env
@@ -72,7 +65,25 @@
assert_equal "heroku", omniauth_env["provider"]
assert_equal @user_id, omniauth_env["uid"]
assert_equal "john@example.org", omniauth_env["info"]["email"]
assert_equal "John", omniauth_env["info"]["name"]
assert_equal account_info, omniauth_env["extra"]
+ end
+
+ describe "error handling" do
+ it "renders an error when client_id is not informed" do
+ @app = make_app(client_id: nil)
+ get "/auth/heroku"
+ assert_equal 302, last_response.status
+ redirect = URI.parse(last_response.headers["Location"])
+ assert_equal "/auth/failure", redirect.path
+ end
+
+ it "renders an error when client_secret is not informed" do
+ @app = make_app(client_secret: "") # should also handle empty strings
+ get "/auth/heroku"
+ assert_equal 302, last_response.status
+ redirect = URI.parse(last_response.headers["Location"])
+ assert_equal "/auth/failure", redirect.path
+ end
end
end
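Review bot: Both new examples assert only that the redirect path is `/auth/failure`, so any failure raised in the request phase would satisfy them, not specifically the missing-credential check. Asserting on the failure reason as well, for instance `assert_match(/message=/, redirect.query)` tightened to the expected message key, would tie each example to the condition it names. The inline comment says empty strings should also be handled, yet `client_id` is tried only as `nil` and `client_secret` only as `""`; covering both values for each option would pin that behaviour down.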