remove deprecated POST /login route

refs CNVS-39869

Change-Id: Iee9571b2e4ea3aae2331fa76ae531d28913f66ba
Reviewed-on: https://gerrit.instructure.com/129108
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
Product-Review: Cody Cutrer <cody@instructure.com>
QA-Review: Cody Cutrer <cody@instructure.com>
Cody Cutrer 2017-10-09 21:44:25 -06:00
parent 1cd230a7b2
commit eff1494309
7 changed files with 25 additions and 27 deletions


@ -261,7 +261,7 @@ define [
# @config {String} url
#
# (POST) Endpoint for creating and destroying sessions (login).
url: "/login?nonldap=true"
url: "/login/canvas"
# @config {Function} template
#
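Review bot: The comment above `url:` still describes the endpoint as "creating and destroying sessions", but the only route this commit keeps for the new path (`post 'login/canvas' => 'login/canvas#create'` in the routes hunk) shows a create action; if session destruction is routed elsewhere, the comment should say so, e.g. `# (POST) Endpoint for the Canvas password login form (creates a session; logout is routed separately)`. The `?nonldap=true` query flag is dropped with the new literal, so whatever the server presumably keyed off that flag is now implied by the `/login/canvas` path instead — worth a short mention in the same comment. The registration form's `log_in` action in the next file section switches to the same literal.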


@ -53,7 +53,7 @@ define [
@$el.attr 'action', switch @action
when 'create' then '/users'
when 'log_in' then '/login'
when 'log_in' then '/login/canvas'
when 'enroll' then @enrollUrl
success: (data) =>


@ -686,8 +686,6 @@ CanvasRails::Application.routes.draw do
get 'login/canvas' => 'login/canvas#new', as: :canvas_login
post 'login/canvas' => 'login/canvas#create'
# deprecated alias
post 'login' => 'login/canvas#create'
get 'login/ldap' => 'login/ldap#new'
post 'login/ldap' => 'login/ldap#create'


@ -57,7 +57,7 @@ describe "API Authentication", type: :request do
before :each do
# Trust the referer
allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true)
post '/login', params: {'pseudonym_session[unique_id]' => 'test1@example.com', 'pseudonym_session[password]' => 'test1234'}
post '/login/canvas', params: {'pseudonym_session[unique_id]' => 'test1@example.com', 'pseudonym_session[password]' => 'test1234'}
end
it "should not need developer key when we have an actual application session" do
@ -170,7 +170,7 @@ describe "API Authentication", type: :request do
it "should not prepend the csrf protection even if the post has a session" do
user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234')
post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
code = SecureRandom.hex(64)
code_data = { 'user' => @user.id, 'client_id' => @client_id }
Canvas.redis.setex("oauth2:#{code}", 1.day, code_data.to_json)
@ -282,7 +282,7 @@ describe "API Authentication", type: :request do
user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234')
course_with_teacher(:user => @user)
allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true)
post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
# step 2
expect(response).to be_redirect
@ -328,7 +328,7 @@ describe "API Authentication", type: :request do
follow_redirect!
expect(response).to be_success
allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true)
post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }}
# step 3
expect(response).to be_redirect
@ -395,7 +395,7 @@ describe "API Authentication", type: :request do
follow_redirect!
expect(response).to be_success
allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true)
post "/login", params: {:pseudonym_session => {:unique_id => 'test1@example.com', :password => 'test1234'}}
post "/login/canvas", params: {:pseudonym_session => {:unique_id => 'test1@example.com', :password => 'test1234'}}
expect(response).to be_redirect
expect(response['Location']).to match(%r{/login/oauth2/confirm$})
@ -954,7 +954,7 @@ describe "API Authentication", type: :request do
it "should prepend the CSRF protection for API endpoints, when session auth is used" do
user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234')
allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true)
post "/login", params: {"pseudonym_session[unique_id]" => "test1@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "test1@example.com",
"pseudonym_session[password]" => "test1234"}
assert_response 302
get "/api/v1/users/self/profile"
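Review bot: The login path is now spelled out as a literal in seven `post "/login/canvas"` calls in this file, each with the same test1@example.com credentials but in two different params styles (`'pseudonym_session[unique_id]'` string keys versus a nested `:pseudonym_session => { ... }` hash); the same repetition recurs in the security spec and the live events spec changed in this commit. A file-level constant (something like `CANVAS_LOGIN_PATH = '/login/canvas'`, name illustrative) or a small private helper wrapping the post would make the next route change a one-line edit and settle the params style. The `login_as` helper in spec_helper (also updated here) follows every redirect, so it does not fit the examples that assert on the immediate response; a non-following variant would.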


@ -23,7 +23,7 @@ describe LiveEvents do
it 'should trigger a live event on login' do
expect(Canvas::LiveEvents).to receive(:logged_in).once
user_with_pseudonym(:username => 'jtfrd@instructure.com', :active_user => true, :password => 'qwertyuiop')
post '/login', params: {:pseudonym_session => { :unique_id => 'jtfrd@instructure.com', :password => 'qwertyuiop'}}
post '/login/canvas', params: {:pseudonym_session => { :unique_id => 'jtfrd@instructure.com', :password => 'qwertyuiop'}}
expect(response).to be_redirect
end


@ -86,14 +86,14 @@ describe "security" do
u.save!
https!
post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf"}
assert_response 302
c = response['Set-Cookie'].lines.grep(/\A_normandy_session=/).first
expect(c).not_to match(/expires=/)
reset!
https!
post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1"}
assert_response 302
@ -107,7 +107,7 @@ describe "security" do
:password => "asdfasdf"
u.save!
https!
post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf"}
assert_response 302
c1 = response['Set-Cookie'].lines.grep(/\Apseudonym_credentials=/).first
@ -122,7 +122,7 @@ describe "security" do
:username => "nobody@example.com",
:password => "asdfasdf"
u.save!
post "/login", params: { "pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1" },
headers: { 'HTTP_ACCEPT' => 'application/json' }
@ -192,7 +192,7 @@ describe "security" do
expect(response).to redirect_to login_url
expect(flash[:warning]).not_to be_empty
post "/login", params: {:pseudonym_session => { :unique_id => @p.unique_id, :password => 'asdfasdf' }}
post "/login/canvas", params: {:pseudonym_session => { :unique_id => @p.unique_id, :password => 'asdfasdf' }}
expect(response).to redirect_to settings_profile_url
expect(session[:used_remember_me_token]).not_to be_truthy
@ -234,7 +234,7 @@ describe "security" do
end
it "should generate and return a token when remember_me is checked" do
post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1"}
assert_response 302
@ -252,7 +252,7 @@ describe "security" do
it "should destroy the token both user agent and server side on logout" do
expect {
post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1"}
}.to change(SessionPersistenceToken, :count).by(1)
@ -271,11 +271,11 @@ describe "security" do
s1.https!
s2 = open_session
s2.https!
s1.post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
s1.post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1"}
c1 = s1.cookies['pseudonym_credentials']
s2.post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
s2.post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com",
"pseudonym_session[password]" => "asdfasdf",
"pseudonym_session[remember_me]" => "1"}
c2 = s2.cookies['pseudonym_credentials']
@ -341,7 +341,7 @@ describe "security" do
end
def bad_login(ip)
post "/login",
post "/login/canvas",
params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "failboat" },
headers: { "REMOTE_ADDR" => ip }
follow_redirect! while response.redirect?
@ -353,7 +353,7 @@ describe "security" do
bad_login("5.5.5.5")
expect(response.body).to match(/Too many failed login attempts/)
# should still fail
post "/login",
post "/login/canvas",
params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" },
headers: { "REMOTE_ADDR" => "5.5.5.5" }
follow_redirect! while response.redirect?
@ -368,7 +368,7 @@ describe "security" do
bad_login("5.5.5.7") # different IP, but too many total failures
expect(response.body).to match(/Too many failed login attempts/)
# should still fail
post "/login",
post "/login/canvas",
params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" },
headers: { "REMOTE_ADDR" => "5.5.5.7" }
follow_redirect! while response.redirect?
@ -382,7 +382,7 @@ describe "security" do
# schools like to NAT hundreds of people to the same IP, so we don't
# ever block the IP address as a whole
user_with_pseudonym(:active_user => true, :username => "second@example.com", :password => "12341234").save!
post "/login",
post "/login/canvas",
params: { "pseudonym_session[unique_id]" => "second@example.com", "pseudonym_session[password]" => "12341234" },
headers: { "REMOTE_ADDR" => "5.5.5.5" }
follow_redirect! while response.redirect?
@ -401,7 +401,7 @@ describe "security" do
bad_login("5.5.5.7") # different IP, but too many total failures
expect(response.body).to match(/Too many failed login attempts/)
# should still fail
post "/login",
post "/login/canvas",
params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" },
headers: { "REMOTE_ADDR" => "5.5.5.5" }
follow_redirect! while response.redirect?
@ -562,7 +562,7 @@ describe "security" do
expect(response).to redirect_to login_url
expect(flash[:warning]).not_to be_empty
post "/login", params: {:pseudonym_session => { :unique_id => @admin.pseudonyms.first.unique_id, :password => 'password' }}
post "/login/canvas", params: {:pseudonym_session => { :unique_id => @admin.pseudonyms.first.unique_id, :password => 'password' }}
expect(response).to redirect_to user_masquerade_url(@student)
expect(session[:used_remember_me_token]).not_to be_truthy
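Review bot: With the post target changed to `/login/canvas`, the cookie assertion in the first hunk, `c = response['Set-Cookie'].lines.grep(/\A_normandy_session=/).first` followed by `expect(c).not_to match(/expires=/)`, would still pass if the new route issued no session cookie at all, because `nil` simply fails to match the regexp; adding `expect(c).not_to be_nil` before it makes the example fail loudly if login stops setting `_normandy_session`. The `pseudonym_credentials` lookup into `c1` in the third hunk is read the same way and its assertions lie outside the hunk, so it is worth checking for the same gap. The `assert_response 302` above each post only proves a redirect, which — judging by `bad_login` further down, where a failed login is also followed through redirects — appears not to distinguish success from failure on its own.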


@ -467,7 +467,7 @@ RSpec.configure do |config|
#****************************************************************
def login_as(username = "nobody@example.com", password = "asdfasdf")
post "/login",
post "/login/canvas",
params: {"pseudonym_session[unique_id]" => username,
"pseudonym_session[password]" => password}
follow_redirect! while response.redirect?
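Review bot: `login_as` carries no documentation, and its defaults (`"nobody@example.com"`, `"asdfasdf"`) and the redirect-following loop are exactly what a caller needs to know; a comment above the `def` along the lines of `# Signs in through the Canvas password form (POST /login/canvas) as the given pseudonym and follows every redirect, so on return response holds the first non-redirect page. Defaults appear to match the nobody@example.com user the security specs create.` would cover it. The loop `follow_redirect! while response.redirect?` has no upper bound, so a redirect cycle spins the suite instead of failing; a bounded form such as `10.times { break unless response.redirect?; follow_redirect! }` followed by `raise "login did not settle" if response.redirect?` keeps the same behaviour for the normal case. The method's `end` is outside the hunk.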