Controller testing new authentication generator.

[gobijan]

In Rails 8 Beta 1 we got the new authentication generator.
This now opens the question how we test controllers that need a signed in user.

Performance wise it might be nice to have a programatic login_as(user) method that does NOT rely on creating a POST request in front of every request to log a user in as seen in this solution:

def sign_in(user, password: "password")
  post session_url, params: { email_address: user.email_address, password: }
end

In the new authentication scope we have:

def find_session_by_cookie
  Session.find_by(id: cookies.signed[:session_id])
end

But Rack::Test::CookieJar doesn't define signed.

eval error: undefined method `signed' for an instance of Rack::Test::CookieJar

I monkey patched in my test helpers like it's 2009:

ENV["RAILS_ENV"] ||= "test"
require_relative "../config/environment"
require "rails/test_help"

module ActiveSupport
  class TestCase
    # Run tests in parallel with specified workers
    parallelize(workers: :number_of_processors)

    # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
    fixtures :all

    # Add more helper methods to be used by all tests here...
    def login_as(user)
      session = user.sessions.create!(user_agent: "test", ip_address: "127.0.0.1")
      Current.session = session
      cookies[:session_id] = session.id
    end

  end
end

# Monkey-patch the Authentication concern for test environment
module Authentication
 private
   def find_session_by_cookie
     Session.find_by(id: cookies[:session_id])
   end
end

Maybe we do something here? Any suggestions? Implement a signed on the Rack::Test::CookieJar?
Should the generator come up with a test helper?

[victorsmoreira]

To avoid the post request you can just create the cookie with

SIGNED_COOKIE_SALT = "signed cookie"

def sign_in(user)
  cookies[:session_id] = Rails.application.message_verifier(SIGNED_COOKIE_SALT).generate(user.sessions.create.id)
end

it would be nice to have this helper out of the box, but I didn't found the right place for it

[evdevdev]

Just thought I'd call out that #53255 seems like it is striking on a similar issue. There are a couple of sharp edges around testing that I've been cutting myself on, specifically the eval error: undefined method signed' for an instance of Rack::Test::CookieJar` error.

[kylekeesling]

I came up with the following solution, and while not quite happy with it, it gets the job done until (hopefully) better support is added/figured out:

1. Add a sign_in method to TestCase co I can easily use it in my tests

# test_helper.rb

class ActiveSupport::TestCase

 #...

  def sign_in(user)
    user.sessions.create!(user_agent: "Rails Test", ip_address: "127.0.0.1").tap do |session|
      Current.session = session
      cookies[:session_id] = session.id if try(:cookies)
    end
  end

2. Add a conditional to the Authentication module (this is the part that feels yucky to me, but works in my case)

# app/controllers/concerns/authentication.rb

module Authentication
  extend ActiveSupport::Concern

  #...

def find_session_by_cookie
    # this has to be done because system tests do have access to signed cookies
    # but integration tests do not
    if Rails.env.test?
      if cookies.signed[:session_id]
        Session.find_by(id: cookies.signed[:session_id])
      else
        Session.find_by(id: cookies[:session_id])
      end
    else
      Session.find_by(id: cookies.signed[:session_id])
    end
  end

 #...
end

[evdevdev]

@kylekeesling Thanks for sharing that. I've also come up with a solution I'm not too happy with.

@gobijan I was able to tweak your code a little to get it working without the monkey patch. Check this out:

  def login_as(user)
    session = user.sessions.create!
    Current.session = session
    request = ActionDispatch::Request.new(Rails.application.env_config)
    cookies = request.cookie_jar
    cookies.signed[:session_id] = {value: session.id, httponly: true, same_site: :lax}
  end

Honestly, I don't love this, but it does have my tests passing.

[kylekeesling]

My gut tells me the most straightforward solution would be adding/stubbing out signed cookie support in Rack::Test::CookieJar but I'm not fully aware of the broader implications of this and how willing Rack would be to make this change as opposed to a self-contained sollution inside of Rails.

[kylekeesling]

@evdevdev no problem - I like your solution better than mine as it's much more contained and avoids a conditional call to check for the test environment.

[alec-c4]

Hey!
Yesterday I met the same problem, so I'd like to pump this issue up. It looks like everyone is talking about how to SET cookie, but issue author is asking about how to READ cookie. I have a similar issue - I'd like to create a current_user method. My code looks like

module AuthenticationHelpers
  def current_user
    if cookies.signed[:session_id].present?
      Session.find_by(id: cookies.signed[:session_id])&.user
    elsif cookies[:remember_token]
      Session.find_by(remember_token: cookies[:remember_token])&.user
    end
  end
end

but every test run I see

  1) Authentication::Sessions sign in should login and create active session if confirmed
     Failure/Error: if cookies.signed[:session_id].present?

     NoMethodError:
       undefined method `signed' for an instance of Rack::Test::CookieJar
     # ./spec/support/authentication_helpers.rb:29:in `current_user'

Is there any idea how to access cookie from test case?

PS: thanks a lot @kylekeesling @evdevdev for sign_in method code samples - I thought how to avoid post requests :)

[alec-c4]

I've googled around and found that this problem isn't so fresh - at least 12 years old 😱
https://stackoverflow.com/questions/43690796/setup-cookie-signed-in-rails-5-controller-integration-tests/43699666
https://collectiveidea.com/blog/archives/2012/01/05/capybara-cucumber-and-how-the-cookie-crumbles/
https://sikac.hu/reconstruct-a-cookie-jar-and-read-signed-cookie-in-capybara-f71df387f9ff

[alec-c4]

fixed with following code

  def cookies
    if defined?(page)
      ActionDispatch::Request.new(page.driver.request.env).cookie_jar
    else
      ActionDispatch::Request.new(request.env).cookie_jar
    end
  end

  def current_user
    if cookies.signed[:session_id].present?
      Session.find_by(id: cookies.signed[:session_id])&.user
    elsif cookies[:remember_token]
      Session.find_by(remember_token: cookies[:remember_token])&.user
    end
  end

thanks to https://sikac.hu/reconstruct-a-cookie-jar-and-read-signed-cookie-in-capybara-f71df387f9ff

[jbarbarosa]

To avoid the post request you can just create the cookie with

SIGNED_COOKIE_SALT = "signed cookie"

def sign_in(user)
  cookies[:session_id] = Rails.application.message_verifier(SIGNED_COOKIE_SALT).generate(user.sessions.create.id)
end

it would be nice to have this helper out of the box, but I didn't found the right place for it

Tried this and it worked perfectly on my end. Is there any problem with blessing this solution with a helper that also gets generated with the auth code?

[gobijan]

I will work on a PR now:
WIP main...gobijan:rails:auth_testing

[gobijan]

@kylekeesling Thanks for sharing that. I've also come up with a solution I'm not too happy with.

@gobijan I was able to tweak your code a little to get it working without the monkey patch. Check this out:

  def login_as(user)
    session = user.sessions.create!
    Current.session = session
    request = ActionDispatch::Request.new(Rails.application.env_config)
    cookies = request.cookie_jar
    cookies.signed[:session_id] = {value: session.id, httponly: true, same_site: :lax}
  end

Honestly, I don't love this, but it does have my tests passing.

My thought would be to go with this one by @evdevdev as we don't need to monkey patch as in my original solution. Any obligations? My test suite runs fine with this approach.