publiclab · jywarren · Jun 10, 2018 · Jun 8, 2018 · Jun 8, 2018 · Jun 10, 2018
diff --git a/app/controllers/home_controller.rb b/app/controllers/home_controller.rb
@@ -121,7 +121,7 @@ def activity
       .where('node_revisions.status = 1')
       .where('timestamp - node.created > ?', 300) # don't report edits within 5 mins of page creation
       .limit(10)
-      .group('node.title')
+      .group(['node.title', 'node.nid'])
     # group by day: http://stackoverflow.com/questions/5970938/group-by-day-from-timestamp
     revisions = revisions.group('DATE(FROM_UNIXTIME(timestamp))') if Rails.env == 'production'
     revisions = revisions.to_a # ensure it can be serialized for caching

diff --git a/app/controllers/openid_controller.rb b/app/controllers/openid_controller.rb
@@ -114,7 +114,7 @@ def resume
     end
   end
 
-  def show_decision_page(oidreq, message = 'Do you trust this site with your identity?')
+  def show_decision_page(oidreq, message = 'The site shown below is asking to use your PublicLab.org account to log you in. Do you trust this site?')
     session[:last_oidreq] = oidreq
     @oidreq = oidreq
 

diff --git a/app/views/openid/decide.html.erb b/app/views/openid/decide.html.erb
@@ -2,7 +2,7 @@
 <input type='hidden' name='authenticity_token' value="<%= form_authenticity_token %>"/>
 
 <table class="table">
-  <tr><th>Site</th><td><%= @oidreq.trust_root %></td></tr>
+  <tr><th width="20%">Site requesting</th><td><%= @oidreq.trust_root %></td></tr>
 
   <% if @oidreq.id_select %>
     <tr>
@@ -17,7 +17,7 @@
       <td><input type="text" name="id_to_send" size="25" /></td>
     </tr>
   <% else %>
-    <tr><th>Identity</th><td><%= @oidreq.identity %></td></tr>
+    <tr><th>Account username</th><td><%= @oidreq.identity.split('/').last %></td></tr>
   <% end %>
 </table>
 

diff --git a/config/routes.rb b/config/routes.rb
@@ -56,6 +56,7 @@
   #resources :users
 
   get 'openid' => 'openid#index'
+  post 'openid' => 'openid#index'
   # Try to get rails to accept params with periods in the keyname?
   # The following isn't right and it may be about param parsing rather than routing?
   # match 'openid' => 'openid#index', :constraints => { 'openid.mode' => /.*/ }

diff --git a/test/integration/openid_test.rb b/test/integration/openid_test.rb
@@ -0,0 +1,90 @@
+require 'test_helper'
+
+class LoginFlowTest < ActionDispatch::IntegrationTest
+
+  test 'attempt to openid authenticate (like from MapKnitter) without being logged in' do
+  end
+
+  test 'incorrect openid authentication request shows error' do
+
+    # log in
+    post '/user_sessions', params: { user_session: { username: users(:jeff).username, password: 'secretive' } } 
+    follow_redirect!
+
+    get '/openid', params: { 
+      'openid.claimed_id': 'https://spectralworkbench.org/openid/warren',
+      'openid.identity': 'https://spectralworkbench.org/openid/warren',
+      'openid.mode': 'checkid_setup',
+      'openid.ns': 'http://specs.openid.net/auth/2.0',
+      'openid.ns.sreg': 'http://openid.net/extensions/sreg/1.1',
+      'openid.realm': 'https://spectralworkbench.org/',
+      'openid.return_to': 'https://spectralworkbench.org/session/new?authenticity_token=RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5%2FSrQzNxB%2B4%3D&back_to=&open_id=warren&return_to=',
+      'openid.sreg.required': 'nickname,email'
+    }
+
+    assert_equal "You are requesting access to an account that's not yours. Please <a href='/logout'>log out</a> and use the correct account, or <a href='https://spectralworkbench.org/'>try to login with the correct username</a>", flash[:error]
+
+    assert_response :redirect
+
+  end
+
+  test 'openid authentication request goes to index page' do
+
+    # log in
+    post '/user_sessions', params: { user_session: { username: users(:jeff).username, password: 'secretive' } } 
+    follow_redirect!
+
+    get '/openid', params: { 
+      'openid.claimed_id': "https://spectralworkbench.org/openid/#{users(:jeff).username}",
+      'openid.identity': "https://spectralworkbench.org/openid/#{users(:jeff).username}",
+      'openid.mode': 'checkid_setup',
+      'openid.ns': 'http://specs.openid.net/auth/2.0',
+      'openid.ns.sreg': 'http://openid.net/extensions/sreg/1.1',
+      'openid.realm': 'https://spectralworkbench.org/',
+      'openid.return_to': "https://spectralworkbench.org/session/new?authenticity_token=RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5%2FSrQzNxB%2B4%3D&back_to=&open_id=#{users(:jeff).username}&return_to=",
+      'openid.sreg.required': 'nickname,email'
+    }
+
+    assert_nil flash[:error]
+    assert_equal 'The site shown below is asking to use your PublicLab.org account to log you in. Do you trust this site?', flash[:notice]
+
+    assert_response :success
+    assert_routing({ path: path, method: :get }, { controller: 'openid', action: 'index' })
+
+    ## now same with POST
+
+    # More complete parameters:
+    # {"authenticity_token"=>"RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5/SrQzNxB+4=", "back_to"=>"/", "open_id"=>"warren", "openid.assoc_handle"=>"{HMAC-SHA1}{5b1d5a10}{bGMKfQ==}", "openid.claimed_id"=>"http://localhost:3000/openid/warren", "openid.identity"=>"http://localhost:3000/openid/warren", "openid.mode"=>"check_authentication", "openid.ns"=>"http://specs.openid.net/auth/2.0", "openid.ns.sreg"=>"http://openid.net/extensions/sreg/1.1", "openid.op_endpoint"=>"http://localhost:3000/openid", "openid.response_nonce"=>"2018-06-10T17:04:16ZSTb7YI", "openid.return_to"=>"http://localhost:3001/session/new?authenticity_token=RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5%2FSrQzNxB%2B4%3D&back_to=%2F&open_id=warren&return_to=%2F", "openid.sig"=>"cElPJYRTb7IDCsZe3eLx639cchg=", "openid.signed"=>"assoc_handle,claimed_id,identity,mode,ns,ns.sreg,op_endpoint,response_nonce,return_to,signed,sreg.email,sreg.nickname", "openid.sreg.email"=>"jeff@unterbahn.com", "openid.sreg.nickname"=>"warren", "return_to"=>"/"}
+    post '/openid?openid.claimed_id=' + users(:jeff).username, params: { 
+      'openid.claimed_id': "https://spectralworkbench.org/openid/#{users(:jeff).username}",
+      'openid.identity': "https://spectralworkbench.org/openid/#{users(:jeff).username}",
+      'openid.mode': 'checkid_setup',
+      'openid.ns': 'http://specs.openid.net/auth/2.0',
+      'openid.ns.sreg': 'http://openid.net/extensions/sreg/1.1',
+      'openid.realm': 'https://spectralworkbench.org/',
+      'openid.return_to': "https://spectralworkbench.org/session/new?authenticity_token=RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5%2FSrQzNxB%2B4%3D&back_to=&open_id=#{users(:jeff).username}&return_to=",
+      'openid.sreg.required': 'nickname,email'
+    }
+
+    assert_nil flash[:error]
+    assert_equal 'The site shown below is asking to use your PublicLab.org account to log you in. Do you trust this site?', flash[:notice]
+
+    assert_response :success
+    assert_routing({ path: path, method: :post }, { controller: 'openid', action: 'index' })
+
+    # Then, 'openid authentication approval goes to decision page'  -- based on same session
+
+    # log in
+    post '/user_sessions', params: { user_session: { username: users(:jeff).username, password: 'secretive' } } 
+    follow_redirect!
+
+    post '/openid/decision', params: { 
+      "authenticity_token": "RcLcGH3lzSTCC24UpPnNm56sllNaMrHg5%2FSrQzNxB%2B4%3D",
+      "yes": "Yes"
+    }
+
+    # redirects back to originating site
+    assert_match /https:\/\/spectralworkbench.org\/session\/new/, @response.redirect_url
+  end
+
+end