Add more extend_remember_period tests

If the session expires then a re-authentication will occur via the remember token, which could automatically extend it via the authentication process instead of the extend process. The remember period needs to be extended even if the session has not yet expired. Arrange for this to happen and then let the session expire late enough that the remember token must have been extended for the user to still be logged in. Ensure that remember me isn't set by the extend process when remember me is not being used for the current session.
heartcombo · Nov 7, 2021 · 308fac2 · 308fac2
1 parent 55c9f2d
commit 308fac2
Showing 1 changed file with 148 additions and 5 deletions.
diff --git a/test/integration/rememberable_test.rb b/test/integration/rememberable_test.rb
@@ -142,21 +142,21 @@ def cookie_expires(key)
     end
   end
 
-  test 'extends remember period on every authenticated request when extend remember period config is true' do
+  test 'extends remember period on every authenticated request when extend remember period config is true (session expires)' do
     swap Devise, extend_remember_period: true, remember_for: 1.year, timeout_in: 6.hours do
       user = create_user_and_remember
 
       get root_path
       assert_response :success
 
       travel_to 1.day.from_now do
-        # tomorrow remember period is extended
+        # tomorrow, still logged in (by remember me), remember period is extended
         get root_path
         assert_response :success
       end
 
       travel_to 6.months.from_now do
-        # 6 months later, still logged in
+        # 6 months later, still logged in (by remember me), remember period is extended
         get root_path
         assert_response :success
       end
@@ -181,20 +181,21 @@ def cookie_expires(key)
     end
   end
 
-  test 'does not extend remember period when extend period config is false' do
+  test 'does not extend remember period when extend period config is false (session expires)' do
     swap Devise, extend_remember_period: false, remember_for: 1.year, timeout_in: 6.hours do
       user = create_user_and_remember
 
       get root_path
       assert_response :success
 
       travel_to 1.day.from_now do
+        # tomorrow, still logged in (by remember me), remember period is extended
         get root_path
         assert_response :success
       end
 
       travel_to 6.months.from_now do
-        # 6 months later, still logged in
+        # 6 months later, still logged in (by remember me), remember period is extended
         get root_path
         assert_response :success
       end
@@ -207,6 +208,148 @@ def cookie_expires(key)
     end
   end
 
+  test 'extends remember period on every authenticated request when extend remember period config is true (session still active; only session expires)' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year, timeout_in: 8.months do
+      user = create_user_and_remember
+
+      get root_path
+      assert_response :success
+
+      travel_to 1.day.from_now do
+        # tomorrow, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 6.months.from_now do
+        # 6 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 13.months.from_now do
+        # 13 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 20.months.from_now do
+        # 20 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 29.months.from_now do
+        # don't access for over 8 months, session is now expired, still logged in (by remember me)
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 42.months.from_now do
+        # don't access for over a year, session and remember me are now expired, we get logged out
+        get root_path
+        assert_response :redirect
+      end
+    end
+  end
+
+  test 'extends remember period on every authenticated request when extend remember period config is true (session still active; both expire at the same time)' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year, timeout_in: 8.months do
+      user = create_user_and_remember
+
+      get root_path
+      assert_response :success
+
+      travel_to 1.day.from_now do
+        # tomorrow, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 6.months.from_now do
+        # 6 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 13.months.from_now do
+        # 13 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 20.months.from_now do
+        # 20 months later, still logged in (by session), remember period is extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 33.months.from_now do
+        # don't access for over a year, session and remember me are now expired, we get logged out
+        get root_path
+        assert_response :redirect
+      end
+    end
+  end
+
+  test 'does not extend remember period when extend period config is false (session still active)' do
+    swap Devise, extend_remember_period: false, remember_for: 1.year, timeout_in: 8.months do
+      user = create_user_and_remember
+
+      get root_path
+      assert_response :success
+
+      travel_to 1.day.from_now do
+        # tomorrow, still logged in (by session), remember period is not extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 6.months.from_now do
+        # 6 months later, still logged in (by session), remember period is not extended
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 13.months.from_now do
+        # 13 months after remember_created_at was first set, we are no longer remembered
+        # because the period was not extended but still logged in by the session
+        get root_path
+        assert_response :success
+      end
+
+      travel_to 22.months.from_now do
+        # don't access for over a year, session is now expired, we get logged out
+        get root_path
+        assert_response :redirect
+      end
+    end
+  end
+
+  test 'do not start remember period when remember me is not used' do
+    swap Devise, extend_remember_period: true, remember_for: 1.year, timeout_in: 6.hours do
+      sign_in_as_user
+      assert_nil request.cookies["remember_user_cookie"]
+
+      get root_path
+      assert_response :success
+
+      travel_to 1.hour.from_now do
+        # 1 hour later, still logged in (by session), remember me is not set
+        get root_path
+        assert_response :success
+        assert_nil request.cookies["remember_user_cookie"]
+      end
+
+      travel_to 8.hours.from_now do
+        # 8 hours later, session has expired and remember me is not set
+        get root_path
+        assert_response :redirect
+        assert_nil request.cookies["remember_user_cookie"]
+      end
+    end
+  end
+
   test 'do not remember other scopes' do
     create_user_and_remember
     get root_path