diff --git a/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee b/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
index d6ca4d7a717..08e29e49e8c 100644
--- a/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
+++ b/app/coffeescripts/views/quizzes/LDBLoginPopup.coffee
@@ -261,7 +261,7 @@ define [ # @config {String} url # # (POST) Endpoint for creating and destroying sessions (login). - url: "/login?nonldap=true" + url: "/login/canvas" # @config {Function} template #
diff --git a/app/coffeescripts/views/registration/SelfEnrollmentForm.coffee b/app/coffeescripts/views/registration/SelfEnrollmentForm.coffee
index cfc24da6ce8..f794b72094a 100644
--- a/app/coffeescripts/views/registration/SelfEnrollmentForm.coffee
+++ b/app/coffeescripts/views/registration/SelfEnrollmentForm.coffee
@@ -53,7 +53,7 @@ define [ @$el.attr 'action', switch @action when 'create' then '/users' - when 'log_in' then '/login' + when 'log_in' then '/login/canvas' when 'enroll' then @enrollUrl success: (data) =>
diff --git a/config/routes.rb b/config/routes.rb
index 134f29099a0..32d6053a330 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -686,8 +686,6 @@ CanvasRails::Application.routes.draw do get 'login/canvas' => 'login/canvas#new', as: :canvas_login post 'login/canvas' => 'login/canvas#create' - # deprecated alias - post 'login' => 'login/canvas#create' get 'login/ldap' => 'login/ldap#new' post 'login/ldap' => 'login/ldap#create'
diff --git a/spec/apis/auth_spec.rb b/spec/apis/auth_spec.rb
index 74f9b7039a9..ef4d0f564f6 100644
--- a/spec/apis/auth_spec.rb
+++ b/spec/apis/auth_spec.rb
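Review bot: The comment directly above the changed `url:` line in the LDBLoginPopup hunk still describes the endpoint as being for "creating and destroying sessions", yet the routes.rb hunk in this same change declares only `get` and `post` for `login/canvas`; if the popup also sends its logout request to this `url`, confirm a matching destroy route exists, and if it only ever posts, drop "and destroying" from the comment. The `nonldap=true` query flag is silently removed as well, presumably because addressing the Canvas-specific controller makes it redundant — that reasoning belongs in the comment, e.g. `# (POST) Endpoint for creating sessions via the Canvas login controller.` Only the `url` option is visible in the hunk; the rest of the view definition lies outside it.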
@@ -57,7 +57,7 @@ describe "API Authentication", type: :request do before :each do # Trust the referer allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true) - post '/login', params: {'pseudonym_session[unique_id]' => 'test1@example.com', 'pseudonym_session[password]' => 'test1234'} + post '/login/canvas', params: {'pseudonym_session[unique_id]' => 'test1@example.com', 'pseudonym_session[password]' => 'test1234'} end it "should not need developer key when we have an actual application session" do
@@ -170,7 +170,7 @@ describe "API Authentication", type: :request do it "should not prepend the csrf protection even if the post has a session" do user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234') - post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} + post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} code = SecureRandom.hex(64) code_data = { 'user' => @user.id, 'client_id' => @client_id } Canvas.redis.setex("oauth2:#{code}", 1.day, code_data.to_json)
@@ -282,7 +282,7 @@ describe "API Authentication", type: :request do user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234') course_with_teacher(:user => @user) allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true) - post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} + post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} # step 2 expect(response).to be_redirect
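Review bot: `post '/login/canvas', params: {...}` in the `before :each` at the top of this hunk re-hardcodes the login path as a string literal, which is exactly what made retiring the `/login` alias touch some twenty spec lines across this change. routes.rb in the same change declares the route with `as: :canvas_login`, so `post canvas_login_path, params: {...}` binds each spec to the route name rather than its spelling and makes the next path move a one-line routes edit; `login_as` in spec_helper (the last hunk on this page) is the shared helper and the best single place to start. A spec whose subject is the URL itself can reasonably keep the literal, but the remaining auth_spec hunks, live_events_spec and the security_spec hunks are testing session behaviour, not routing, and have no such reason. The enclosing `describe` blocks begin and end outside these hunks.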
@@ -328,7 +328,7 @@ describe "API Authentication", type: :request do follow_redirect! expect(response).to be_success allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true) - post "/login", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} + post "/login/canvas", params: {:pseudonym_session => { :unique_id => 'test1@example.com', :password => 'test1234' }} # step 3 expect(response).to be_redirect
@@ -395,7 +395,7 @@ describe "API Authentication", type: :request do follow_redirect! expect(response).to be_success allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true) - post "/login", params: {:pseudonym_session => {:unique_id => 'test1@example.com', :password => 'test1234'}} + post "/login/canvas", params: {:pseudonym_session => {:unique_id => 'test1@example.com', :password => 'test1234'}} expect(response).to be_redirect expect(response['Location']).to match(%r{/login/oauth2/confirm$})
@@ -954,7 +954,7 @@ describe "API Authentication", type: :request do it "should prepend the CSRF protection for API endpoints, when session auth is used" do user_with_pseudonym(:active_user => true, :username => 'test1@example.com', :password => 'test1234') allow_any_instance_of(Account).to receive(:trusted_referer?).and_return(true) - post "/login", params: {"pseudonym_session[unique_id]" => "test1@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "test1@example.com", "pseudonym_session[password]" => "test1234"} assert_response 302 get "/api/v1/users/self/profile"
diff --git a/spec/integration/live_events_spec.rb b/spec/integration/live_events_spec.rb
index c1c631d0e30..1f5823b3f6b 100644
--- a/spec/integration/live_events_spec.rb
+++ b/spec/integration/live_events_spec.rb
@@ -23,7 +23,7 @@ describe LiveEvents do it 'should trigger a live event on login' do expect(Canvas::LiveEvents).to receive(:logged_in).once user_with_pseudonym(:username => 'jtfrd@instructure.com', :active_user => true, :password => 'qwertyuiop') - post '/login', params: {:pseudonym_session => { :unique_id => 'jtfrd@instructure.com', :password => 'qwertyuiop'}} + post '/login/canvas', params: {:pseudonym_session => { :unique_id => 'jtfrd@instructure.com', :password => 'qwertyuiop'}} expect(response).to be_redirect end
diff --git a/spec/integration/security_spec.rb b/spec/integration/security_spec.rb
index 19b32961a8d..bb493062167 100644
--- a/spec/integration/security_spec.rb
+++ b/spec/integration/security_spec.rb
@@ -86,14 +86,14 @@ describe "security" do u.save! https! - post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf"} assert_response 302 c = response['Set-Cookie'].lines.grep(/\A_normandy_session=/).first expect(c).not_to match(/expires=/) reset! https! - post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1"} assert_response 302
@@ -107,7 +107,7 @@ describe "security" do :password => "asdfasdf" u.save! https! - post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf"} assert_response 302 c1 = response['Set-Cookie'].lines.grep(/\Apseudonym_credentials=/).first
@@ -122,7 +122,7 @@ describe "security" do :username => "nobody@example.com", :password => "asdfasdf" u.save! - post "/login", params: { "pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1" }, headers: { 'HTTP_ACCEPT' => 'application/json' }
@@ -192,7 +192,7 @@ describe "security" do expect(response).to redirect_to login_url expect(flash[:warning]).not_to be_empty - post "/login", params: {:pseudonym_session => { :unique_id => @p.unique_id, :password => 'asdfasdf' }} + post "/login/canvas", params: {:pseudonym_session => { :unique_id => @p.unique_id, :password => 'asdfasdf' }} expect(response).to redirect_to settings_profile_url expect(session[:used_remember_me_token]).not_to be_truthy
@@ -234,7 +234,7 @@ describe "security" do end it "should generate and return a token when remember_me is checked" do - post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1"} assert_response 302
@@ -252,7 +252,7 @@ describe "security" do it "should destroy the token both user agent and server side on logout" do expect { - post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1"} }.to change(SessionPersistenceToken, :count).by(1)
@@ -271,11 +271,11 @@ describe "security" do s1.https! s2 = open_session s2.https! - s1.post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + s1.post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1"} c1 = s1.cookies['pseudonym_credentials'] - s2.post "/login", params: {"pseudonym_session[unique_id]" => "nobody@example.com", + s2.post "/login/canvas", params: {"pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf", "pseudonym_session[remember_me]" => "1"} c2 = s2.cookies['pseudonym_credentials']
@@ -341,7 +341,7 @@ describe "security" do end def bad_login(ip) - post "/login", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "failboat" }, headers: { "REMOTE_ADDR" => ip } follow_redirect! while response.redirect?
@@ -353,7 +353,7 @@ describe "security" do bad_login("5.5.5.5") expect(response.body).to match(/Too many failed login attempts/) # should still fail - post "/login", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" }, headers: { "REMOTE_ADDR" => "5.5.5.5" } follow_redirect! while response.redirect?
@@ -368,7 +368,7 @@ describe "security" do bad_login("5.5.5.7") # different IP, but too many total failures expect(response.body).to match(/Too many failed login attempts/) # should still fail - post "/login", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" }, headers: { "REMOTE_ADDR" => "5.5.5.7" } follow_redirect! while response.redirect?
@@ -382,7 +382,7 @@ describe "security" do # schools like to NAT hundreds of people to the same IP, so we don't # ever block the IP address as a whole user_with_pseudonym(:active_user => true, :username => "second@example.com", :password => "12341234").save! - post "/login", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "second@example.com", "pseudonym_session[password]" => "12341234" }, headers: { "REMOTE_ADDR" => "5.5.5.5" } follow_redirect! while response.redirect?
@@ -401,7 +401,7 @@ describe "security" do bad_login("5.5.5.7") # different IP, but too many total failures expect(response.body).to match(/Too many failed login attempts/) # should still fail - post "/login", + post "/login/canvas", params: { "pseudonym_session[unique_id]" => "nobody@example.com", "pseudonym_session[password]" => "asdfasdf" }, headers: { "REMOTE_ADDR" => "5.5.5.5" } follow_redirect! while response.redirect?
@@ -562,7 +562,7 @@ describe "security" do expect(response).to redirect_to login_url expect(flash[:warning]).not_to be_empty - post "/login", params: {:pseudonym_session => { :unique_id => @admin.pseudonyms.first.unique_id, :password => 'password' }} + post "/login/canvas", params: {:pseudonym_session => { :unique_id => @admin.pseudonyms.first.unique_id, :password => 'password' }} expect(response).to redirect_to user_masquerade_url(@student) expect(session[:used_remember_me_token]).not_to be_truthy
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 7db8e1b920a..ad2fffc831f 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -467,7 +467,7 @@ RSpec.configure do |config| #**************************************************************** def login_as(username = "nobody@example.com", password = "asdfasdf") - post "/login", + post "/login/canvas", params: {"pseudonym_session[unique_id]" => username, "pseudonym_session[password]" => password} follow_redirect! while response.redirect?