dawarich/spec/requests/users/omniauth_callbacks_spec.rb

# frozen_string_literal: true

require 'rails_helper'

RSpec.describe 'Users::OmniauthCallbacks', type: :request do
  let(:email) { 'oauth_user@example.com' }

  before do
    Rails.application.env_config['devise.mapping'] = Devise.mappings[:user]
  end

  shared_examples 'successful OAuth authentication' do |provider, provider_name|
    context "when user doesn't exist" do
      it 'creates a new user and signs them in' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
          get "/users/auth/#{provider}/callback"
        end.to change(User, :count).by(1)

        expect(response).to redirect_to(root_path)

        user = User.find_by(email: email)
        expect(user).to be_present
        expect(user.encrypted_password).to be_present
      end
    end

    context 'when user already exists' do
      let!(:existing_user) { create(:user, email: email) }

      it 'signs in the existing user without creating a new one' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
          get "/users/auth/#{provider}/callback"
        end.not_to change(User, :count)

        expect(response).to redirect_to(root_path)
      end
    end

    context 'when user creation fails' do
      before do
        allow(User).to receive(:create).and_return(
          User.new(email: email).tap do |u|
            u.errors.add(:email, 'is invalid')
          end
        )
      end

      it 'redirects to registration with error message' do
        Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[provider]
        get "/users/auth/#{provider}/callback"

        expect(response).to redirect_to(new_user_registration_url)
      end
    end
  end

  # Self-hosted configuration (SELF_HOSTED=true) uses OpenID Connect
  describe 'GET /users/auth/openid_connect/callback' do
    before do
      mock_openid_connect_auth(email: email)
    end

    include_examples 'successful OAuth authentication', :openid_connect, 'OpenID Connect'

    context 'when OIDC auto-registration is disabled' do
      around do |example|
        original_value = ENV['OIDC_AUTO_REGISTER']
        ENV['OIDC_AUTO_REGISTER'] = 'false'
        example.run
        ENV['OIDC_AUTO_REGISTER'] = original_value
      end

      context "when user doesn't exist" do
        it 'rejects the user with an appropriate error message' do
          expect do
            Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
            get '/users/auth/openid_connect/callback'
          end.not_to change(User, :count)

          expect(response).to redirect_to(root_path)
          expect(flash[:alert]).to include('Your account must be created by an administrator')
        end
      end

      context 'when user already exists (account linking)' do
        let!(:existing_user) { create(:user, email: email) }

        it 'signs in the existing user and links OIDC provider' do
          expect do
            Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
            get '/users/auth/openid_connect/callback'
          end.not_to change(User, :count)

          expect(response).to redirect_to(root_path)
          expect(flash[:notice]).to include('OpenID Connect')

          existing_user.reload
          expect(existing_user.provider).to eq('openid_connect')
          expect(existing_user.uid).to be_present
        end
      end
    end
  end

  describe 'OAuth flow integration with OpenID Connect' do
    context 'with OpenID Connect (Authelia/Authentik/Keycloak)' do
      before { mock_openid_connect_auth(email: 'oidc@example.com') }

      it 'completes the full OAuth flow' do
        expect do
          Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
          get '/users/auth/openid_connect/callback'
        end.to change(User, :count).by(1)

        user = User.find_by(email: 'oidc@example.com')
        expect(user).to be_present
        expect(user.email).to eq('oidc@example.com')
        expect(response).to redirect_to(root_path)
      end
    end
  end

  describe 'CSRF protection' do
    it 'does not raise CSRF error for OpenID Connect callback' do
      mock_openid_connect_auth(email: email)

      expect do
        Rails.application.env_config['omniauth.auth'] = OmniAuth.config.mock_auth[:openid_connect]
        get '/users/auth/openid_connect/callback'
      end.not_to raise_error
    end
  end
end