dawarich/spec/requests/users/omniauth_callbacks_spec.rb

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe 'Users::OmniauthCallbacks', type: :request do
  let(:email) { 'oauth_user@example.com' }

  before do
    Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]
  end

  shared_examples 'successful OAuth authentication' do |provider, provider_name|
    context "when user doesn't exist" do
      it 'creates a new user and signs them in' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
          get "/users/auth/#{provider}/callback"
        end.to change(User, :count).by(1)

        expect(response).to redirect_to(root_path)

        user = User.find_by(email: email)
        expect(user).to be_present
        expect(user.encrypted_password).to be_present
      end
    end

    context 'when user already exists' do
      let!(:existing_user) { create(:user, email: email) }

      it 'signs in the existing user without creating a new one' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
          get "/users/auth/#{provider}/callback"
        end.not_to change(User, :count)

        expect(response).to redirect_to(root_path)
      end
    end

    context 'when user creation fails' do
      before do
        allow(User).to receive(:create).and_return(
          User.new(email: email).tap do |u|
            u.errors.add(:email, 'is invalid')
          end
        )
      end

      it 'redirects to registration with error message' do
        Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
        get "/users/auth/#{provider}/callback"

        expect(response).to redirect_to(new_user_registration_url)
      end
    end
  end

  # Self-hosted configuration (SELF_HOSTED=true) uses OpenID Connect
  describe 'GET /users/auth/openid_connect/callback' do
    before do
      mock_openid_connect_auth(email: email)
    end

    include_examples 'successful OAuth authentication', :openid_connect, 'OpenID Connect'

    context 'when OIDC auto-registration is disabled' do
      around do |example|
        original_value = ENV['OIDC_AUTO_REGISTER']
        ENV['OIDC_AUTO_REGISTER'] = 'false'
        example.run
        ENV['OIDC_AUTO_REGISTER'] = original_value
      end

      context "when user doesn't exist" do
        it 'rejects the user with an appropriate error message' do
          expect do
            Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
            get '/users/auth/openid_connect/callback'
          end.not_to change(User, :count)

          expect(response).to redirect_to(root_path)
          expect(flash[:alert]).to include('Your account must be created by an administrator')
        end
      end

      context 'when user already exists (account linking)' do
        let!(:existing_user) { create(:user, email: email) }

        it 'signs in the existing user and links OIDC provider' do
          expect do
            Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
            get '/users/auth/openid_connect/callback'
          end.not_to change(User, :count)

          expect(response).to redirect_to(root_path)
          expect(flash[:notice]).to include('OpenID Connect')

          existing_user.reload
          expect(existing_user.provider).to eq('openid_connect')
          expect(existing_user.uid).to be_present
        end
      end
    end
  end

  describe 'OAuth flow integration with OpenID Connect' do
    context 'with OpenID Connect (Authelia/Authentik/Keycloak)' do
      before { mock_openid_connect_auth(email: 'oidc@example.com') }

      it 'completes the full OAuth flow' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
          get '/users/auth/openid_connect/callback'
        end.to change(User, :count).by(1)

        user = User.find_by(email: 'oidc@example.com')
        expect(user).to be_present
        expect(user.email).to eq('oidc@example.com')
        expect(response).to redirect_to(root_path)
      end
    end
  end

  describe 'CSRF protection' do
    it 'does not raise CSRF error for OpenID Connect callback' do
      mock_openid_connect_auth(email: email)

      expect do
        Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
        get '/users/auth/openid_connect/callback'
      end.not_to raise_error
    end
  end
end
0.36.0 (#1952) * Implement OmniAuth GitHub authentication * Fix omniauth GitHub scope to include user email access * Remove margin-bottom * Implement Google OAuth2 authentication * Implement OIDC authentication for Dawarich using omniauth_openid_connect gem. * Add patreon account linking and patron checking service * Update docker-compose.yml to use boolean values instead of strings * Add support for KML files * Add tests * Update changelog * Remove patreon OAuth integration * Move omniauthable to a concern * Update an icon in integrations * Update changelog * Update app version * Fix family location sharing toggle * Move family location sharing to its own controller * Update changelog * Implement basic tagging functionality for places, allowing users to categorize and label places with custom tags. * Add places management API and tags feature * Add some changes related to places management feature * Fix some tests * Fix sometests * Add places layer * Update places layer to use Leaflet.Control.Layers.Tree for hierarchical layer control * Rework tag form * Add hashtag * Add privacy zones to tags * Add notes to places and manage place tags * Update changelog * Update e2e tests * Extract tag serializer to its own file * Fix some tests * Fix tags request specs * Fix some tests * Fix rest of the tests * Revert some changes * Add missing specs * Revert changes in place export/import code * Fix some specs * Fix PlaceFinder to only consider global places when finding existing places * Fix few more specs * Fix visits creator spec * Fix last tests * Update place creating modal * Add home location based on "Home" tagged place * Save enabled tag layers * Some fixes * Fix bug where enabling place tag layers would trigger saving enabled layers, overwriting with incomplete data * Update migration to use disable_ddl_transaction! and add up/down methods * Fix tag layers restoration and filtering logic * Update OIDC auto-registration and email/password registration settings * Fix potential xss 2025-11-24 13:45:09 -05:00			`# frozen_string_literal: true`

			`require 'rails_helper'`

			`RSpec.describe 'Users::OmniauthCallbacks', type: :request do`
			`let(:email) { 'oauth_user@example.com' }`

			`before do`
			`Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]`
			`end`

			`shared_examples 'successful OAuth authentication' do \|provider, provider_name\|`
			`context "when user doesn't exist" do`
			`it 'creates a new user and signs them in' do`
			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]`
			`get "/users/auth/#{provider}/callback"`
			`end.to change(User, :count).by(1)`

			`expect(response).to redirect_to(root_path)`

			`user = User.find_by(email: email)`
			`expect(user).to be_present`
			`expect(user.encrypted_password).to be_present`
			`end`
			`end`

			`context 'when user already exists' do`
			`let!(:existing_user) { create(:user, email: email) }`

			`it 'signs in the existing user without creating a new one' do`
			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]`
			`get "/users/auth/#{provider}/callback"`
			`end.not_to change(User, :count)`

			`expect(response).to redirect_to(root_path)`
			`end`
			`end`

			`context 'when user creation fails' do`
			`before do`
			`allow(User).to receive(:create).and_return(`
			`User.new(email: email).tap do \|u\|`
			`u.errors.add(:email, 'is invalid')`
			`end`
			`)`
			`end`

			`it 'redirects to registration with error message' do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]`
			`get "/users/auth/#{provider}/callback"`

			`expect(response).to redirect_to(new_user_registration_url)`
			`end`
			`end`
			`end`

			`# Self-hosted configuration (SELF_HOSTED=true) uses OpenID Connect`
			`describe 'GET /users/auth/openid_connect/callback' do`
			`before do`
			`mock_openid_connect_auth(email: email)`
			`end`

			`include_examples 'successful OAuth authentication', :openid_connect, 'OpenID Connect'`

			`context 'when OIDC auto-registration is disabled' do`
			`around do \|example\|`
			`original_value = ENV['OIDC_AUTO_REGISTER']`
			`ENV['OIDC_AUTO_REGISTER'] = 'false'`
			`example.run`
			`ENV['OIDC_AUTO_REGISTER'] = original_value`
			`end`

			`context "when user doesn't exist" do`
			`it 'rejects the user with an appropriate error message' do`
			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]`
			`get '/users/auth/openid_connect/callback'`
			`end.not_to change(User, :count)`

			`expect(response).to redirect_to(root_path)`
			`expect(flash[:alert]).to include('Your account must be created by an administrator')`
			`end`
			`end`

			`context 'when user already exists (account linking)' do`
			`let!(:existing_user) { create(:user, email: email) }`

			`it 'signs in the existing user and links OIDC provider' do`
			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]`
			`get '/users/auth/openid_connect/callback'`
			`end.not_to change(User, :count)`

			`expect(response).to redirect_to(root_path)`
			`expect(flash[:notice]).to include('OpenID Connect')`

			`existing_user.reload`
			`expect(existing_user.provider).to eq('openid_connect')`
			`expect(existing_user.uid).to be_present`
			`end`
			`end`
			`end`
			`end`

			`describe 'OAuth flow integration with OpenID Connect' do`
			`context 'with OpenID Connect (Authelia/Authentik/Keycloak)' do`
			`before { mock_openid_connect_auth(email: 'oidc@example.com') }`

			`it 'completes the full OAuth flow' do`
			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]`
			`get '/users/auth/openid_connect/callback'`
			`end.to change(User, :count).by(1)`

			`user = User.find_by(email: 'oidc@example.com')`
			`expect(user).to be_present`
			`expect(user.email).to eq('oidc@example.com')`
			`expect(response).to redirect_to(root_path)`
			`end`
			`end`
			`end`

			`describe 'CSRF protection' do`
			`it 'does not raise CSRF error for OpenID Connect callback' do`
			`mock_openid_connect_auth(email: email)`

			`expect do`
			`Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]`
			`get '/users/auth/openid_connect/callback'`
			`end.not_to raise_error`
			`end`
			`end`
			`end`