Add reset password mutation

mcelicalderon · mcelicalderon · commit f591fb7a5736 · 2019-09-02T00:20:08.000-05:00
diff --git a/app/graphql/graphql_devise/mutations/base.rb b/app/graphql/graphql_devise/mutations/base.rb
@@ -9,6 +9,10 @@ def raise_user_error(message)
         raise GraphqlDevise::UserError, message
       end
 
+      def raise_user_error_list(message, errors:)
+        raise GraphqlDevise::DetailedUserError.new(message, errors: errors)
+      end
+
       def remove_resource
         controller.resource = nil
         controller.client_id = nil
@@ -31,6 +35,10 @@ def resource_class
         context[:resource_class]
       end
 
+      def recoverable_enabled?
+        resource_class.devise_modules.include?(:recoverable)
+      end
+
       def current_resource
         context[:current_resource]
       end
diff --git a/app/graphql/graphql_devise/mutations/login.rb b/app/graphql/graphql_devise/mutations/login.rb
@@ -17,7 +17,7 @@ def resolve(email:, password:)
 
           yield resource if block_given?
 
-          { success: true, authenticable: resource, errors: [] }
+          { authenticable: resource}
         elsif resource && !active_for_authentication?(resource)
           if locked?(resource)
             raise_user_error(I18n.t('graphql_devise.mailer.unlock_instructions.account_lock_msg'))
diff --git a/app/graphql/graphql_devise/mutations/update_password.rb b/app/graphql/graphql_devise/mutations/update_password.rb
@@ -0,0 +1,44 @@
+module GraphqlDevise
+  module Mutations
+    class UpdatePassword < Base
+      argument :password,              String, required: true
+      argument :password_confirmation, String, required: true
+      argument :current_password,      String, required: false
+
+      def resolve(current_password: nil, **attrs)
+        if current_resource.blank?
+          raise_user_error(I18n.t('graphql_devise.not_authenticated'))
+        elsif current_resource.provider != 'email'
+          raise_user_error(
+            I18n.t('graphql_devise.passwords.password_not_required', provider: current_resource.provider.humanize)
+          )
+        end
+
+        if update_cresource_password(current_password, attrs)
+          current_resource.allow_password_change = false if recoverable_enabled?
+          current_resource.save!
+
+          yield current_resource if block_given?
+
+          { authenticable: current_resource }
+        else
+          raise_user_error_list(
+            I18n.t('graphql_devise.passwords.update_password_error'),
+            errors: current_resource.errors.full_messages
+          )
+        end
+      end
+
+      private
+
+      def update_cresource_password(current_password, attrs)
+        allow_password_change = recoverable_enabled? && current_resource.allow_password_change == true
+        if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
+          current_resource.public_send(:update, attrs)
+        else
+          current_resource.public_send(:update_with_password, attrs.merge(current_password: current_password))
+        end
+      end
+    end
+  end
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -1,6 +1,11 @@
 en:
   graphql_devise:
+    not_authenticated: "User is not logged in."
     user_not_found: "User was not found or was not logged in."
+    passwords:
+      update_password_error: "Unable to update user password"
+      missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
+      password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."
     sessions:
       bad_credentials: "Invalid login credentials. Please try again."
       not_confirmed: "A confirmation email was sent to your account at '%{email}'. You must follow the instructions in the email before your account can be activated"
diff --git a/lib/graphql_devise.rb b/lib/graphql_devise.rb
@@ -9,3 +9,4 @@ class Error < StandardError; end
 end
 
 require 'graphql_devise/user_error'
+require 'graphql_devise/detailed_user_error'
diff --git a/lib/graphql_devise/detailed_user_error.rb b/lib/graphql_devise/detailed_user_error.rb
@@ -0,0 +1,14 @@
+module GraphqlDevise
+  class DetailedUserError < GraphQL::ExecutionError
+    def initialize(message, errors:)
+      @message = message
+      @errors  = errors
+
+      super(message)
+    end
+
+    def to_h
+      super.merge(extensions: { code: 'USER_ERROR', detailed_errors: @errors })
+    end
+  end
+end
diff --git a/lib/graphql_devise/rails/routes.rb b/lib/graphql_devise/rails/routes.rb
@@ -19,16 +19,17 @@ def mount_graphql_devise_for(resource, opts = {})
                            GraphqlDevise::Types::AuthenticableType
 
       default_mutations = {
-        login:  GraphqlDevise::Mutations::Login,
-        logout: GraphqlDevise::Mutations::Logout
+        login:           GraphqlDevise::Mutations::Login,
+        logout:          GraphqlDevise::Mutations::Logout,
+        update_password: GraphqlDevise::Mutations::UpdatePassword
       }.freeze
 
       default_mutations.each do |action, mutation|
         used_mutation = if mutation_options[action].present?
           mutation_options[action]
         else
           new_mutation = Class.new(mutation)
-          new_mutation.graphql_name("#{resource}#{action.to_s.titleize}")
+          new_mutation.graphql_name("#{resource}#{action.to_s.camelize(:upper)}")
           new_mutation.field(:authenticable, authenticable_type, null: true)
 
           new_mutation
diff --git a/spec/dummy/config/initializers/devise_token_auth.rb b/spec/dummy/config/initializers/devise_token_auth.rb
@@ -5,7 +5,7 @@
   # client is responsible for keeping track of the changing tokens. Change
   # this to false to prevent the Authorization header from changing after
   # each request.
-  # config.change_headers_on_each_request = true
+  config.change_headers_on_each_request = false
 
   # By default, users will need to re-authenticate after 2 weeks. This setting
   # determines how long tokens will remain valid after they are issued.
@@ -35,7 +35,7 @@
   # Uncomment to enforce current_password param to be checked before all
   # attribute updates. Set it to :password if you want it to be checked only if
   # password is updated.
-  # config.check_current_password_before_update = :attributes
+  config.check_current_password_before_update = :password
 
   # By default we will use callbacks for single omniauth.
   # It depends on fields like email, provider and uid.
diff --git a/spec/requests/mutations/login_spec.rb b/spec/requests/mutations/login_spec.rb
@@ -18,7 +18,7 @@
     GRAPHQL
   end
 
-  before { post '/api/v1/graphql_auth', *graphql_params }
+  before { post_request }
 
   context 'when user is able to login' do
     context 'when credentials are valid' do
diff --git a/spec/requests/mutations/logout_spec.rb b/spec/requests/mutations/logout_spec.rb
@@ -7,14 +7,14 @@
   let(:query) do
     <<-GRAPHQL
       mutation {
-        userLogout{
+        userLogout {
           authenticable { email }
         }
       }
     GRAPHQL
   end
 
-  before { post '/api/v1/graphql_auth', *graphql_params }
+  before { post_request }
 
   context 'when user is logged in' do
     let(:headers) { user.create_new_auth_token }
diff --git a/spec/requests/mutations/update_password_spec.rb b/spec/requests/mutations/update_password_spec.rb
@@ -0,0 +1,113 @@
+require 'rails_helper'
+
+RSpec.describe 'Update Password Requests' do
+  shared_examples 'successful password update' do
+    it 'updates the password' do
+      expect do
+        post_request
+        user.reload
+      end.to change(user, :encrypted_password)
+
+      expect(response).to include_auth_headers
+      expect(json_response[:data][:userUpdatePassword]).to match(
+        authenticable: { email: user.email }
+      )
+      expect(json_response[:errors]).to be_nil
+    end
+  end
+
+  include_context 'with graphql query request'
+
+  let(:password)              { 'safePassw0rd!' }
+  let(:password_confirmation) { 'safePassw0rd!' }
+  let(:original_password)     { 'current_password' }
+  let(:current_password)      { original_password }
+  let(:allow_password_change) { false }
+  let(:user)                  { create(:user, :confirmed, password: original_password, allow_password_change: allow_password_change) }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userUpdatePassword(
+          password: "#{password}",
+          passwordConfirmation: "#{password_confirmation}",
+          currentPassword: "#{current_password}"
+        ) {
+          authenticable { email }
+        }
+      }
+    GRAPHQL
+  end
+
+  context 'when user is logged in' do
+    let(:headers) { user.create_new_auth_token }
+
+    context 'when currentPassword is not provided' do
+      let(:current_password) { nil }
+
+      context 'when allow_password_change is true' do
+        let(:allow_password_change) { true }
+
+        it_behaves_like 'successful password update'
+
+        it 'sets allow_password_change to false' do
+          expect do
+            post_request
+            user.reload
+          end.to change(user, :allow_password_change).from(true).to(false)
+        end
+      end
+
+      context 'when allow_password_change is false' do
+        it 'does not update the password' do
+          expect do
+            post_request
+            user.reload
+          end.not_to change(user, :encrypted_password)
+
+          expect(response).to include_auth_headers
+          expect(json_response[:data][:userUpdatePassword]).to be_nil
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Current password can't be blank"] }
+            )
+          )
+        end
+      end
+    end
+
+    context 'when currentPassword is provided' do
+      context 'when allow_password_change is true' do
+        let(:allow_password_change) { true }
+
+        it_behaves_like 'successful password update'
+
+        it 'sets allow_password_change to false' do
+          expect do
+            post_request
+            user.reload
+          end.to change(user, :allow_password_change).from(true).to(false)
+        end
+      end
+
+      context 'when allow_password_change is false' do
+        it_behaves_like 'successful password update'
+      end
+    end
+  end
+
+  context 'when user is not logged in' do
+    it 'does not update the password' do
+      expect do
+        post_request
+        user.reload
+      end.not_to change(user, :encrypted_password)
+
+      expect(response).not_to include_auth_headers
+      expect(json_response[:data][:userUpdatePassword]).to be_nil
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User is not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end
diff --git a/spec/support/contexts/graphql_request.rb b/spec/support/contexts/graphql_request.rb
@@ -8,4 +8,8 @@
       [{ query: query, variables: variables }, headers]
     end
   end
+
+  def post_request
+    post '/api/v1/graphql_auth', *graphql_params
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,4 @@ class Error < StandardError; end`
`9`	`9`	`end`
`10`	`10`
`11`	`11`	`require 'graphql_devise/user_error'`
	`12`	`+require 'graphql_devise/detailed_user_error'`