feat: openid connect support (#2873)

spec/models/user_spec.rb

@@ -11,6 +11,8 @@
 #  email_verified_at                :datetime
 #  first_name                       :string(255)
 #  last_name                        :string(255)
+#  oidc_issuer                      :string(255)
+#  oidc_uid                         :string(255)
 #  password_digest                  :string(255)
 #  password_reset_token             :string(255)
 #  password_reset_token_valid_until :datetime
@@ -27,34 +29,105 @@
 require "rails_helper"
 
 describe User do
-  context "model" do
-    subject(:user) { create(:user) }
+  subject(:user) { build(:user) }
+
+  describe "validations" do
+    it { is_expected.to validate_presence_of(:first_name) }
+    it { is_expected.to validate_presence_of(:last_name) }
+    it { is_expected.to validate_presence_of(:email_address) }
+    it { is_expected.to validate_presence_of(:password) }
+    it { is_expected.to validate_uniqueness_of(:email_address).case_insensitive }
+    it { is_expected.to allow_value("test@example.com").for(:email_address) }
+    it { is_expected.to allow_value("test@example.co.uk").for(:email_address) }
+    it { is_expected.to allow_value("test+tagged@example.co.uk").for(:email_address) }
+    it { is_expected.to allow_value("test+tagged@EXAMPLE.COM").for(:email_address) }
+    it { is_expected.to_not allow_value("test+tagged").for(:email_address) }
+    it { is_expected.to_not allow_value("test.com").for(:email_address) }
+
+    it "does not require a password when OIDC is enabled" do
+      allow(Postal::Config.oidc).to receive(:enabled?).and_return(true)
+      user.password = nil
+      expect(user.save).to be true
+    end
+  end
+
+  describe "relationships" do
+    it { is_expected.to have_many(:organization_users) }
+    it { is_expected.to have_many(:organizations) }
+  end
+
+  describe "creation" do
+    before { user.save }
 
     it "should have a UUID" do
       expect(user.uuid).to be_a String
       expect(user.uuid.length).to eq 36
     end
+
+    it "has a default timezone" do
+      expect(user.time_zone).to eq "UTC"
+    end
   end
 
-  context ".authenticate" do
-    it "should not authenticate users with invalid emails" do
-      expect { User.authenticate("nothing@nothing.com", "hello") }.to raise_error(Postal::Errors::AuthenticationError) do |e|
-        expect(e.error).to eq "InvalidEmailAddress"
+  describe "#organizations_scope" do
+    context "when the user is an admin" do
+      it "returns a scope of all organizations" do
+        user.admin = true
+        scope = user.organizations_scope
+        expect(scope).to eq Organization.present
       end
     end
 
-    it "should not authenticate users with invalid passwords" do
-      user = create(:user)
-      expect { User.authenticate(user.email_address, "hello") }.to raise_error(Postal::Errors::AuthenticationError) do |e|
-        expect(e.error).to eq "InvalidPassword"
+    context "when the user not an admin" do
+      it "returns a scope including only orgs the user is associated with" do
+        user.admin = false
+        user.organizations << create(:organization)
+        scope = user.organizations_scope
+        expect(scope).to eq user.organizations.present
       end
     end
+  end
 
-    it "should authenticate valid users" do
+  describe "#name" do
+    it "returns the name" do
+      user.first_name = "John"
+      user.last_name = "Doe"
+      expect(user.name).to eq "John Doe"
+    end
+  end
+
+  describe "#password?" do
+    it "returns true if the user has a password" do
+      user.password = "password"
+      expect(user.password?).to be true
+    end
+
+    it "returns false if the user does not have a password" do
+      user.password = nil
+      expect(user.password?).to be false
+    end
+  end
+
+  describe "#to_param" do
+    it "returns the UUID" do
+      user.uuid = "123"
+      expect(user.to_param).to eq "123"
+    end
+  end
+
+  describe "#email_tag" do
+    it "returns the name and email address" do
+      user.first_name = "John"
+      user.last_name = "Doe"
+      user.email_address = "john@example.com"
+      expect(user.email_tag).to eq "John Doe <john@example.com>"
+    end
+  end
+
+  describe ".[]" do
+    it "should find a user by email address" do
       user = create(:user)
-      auth_user = nil
-      expect { auth_user = User.authenticate(user.email_address, "passw0rd") }.to_not raise_error
-      expect(auth_user).to eq user
+      expect(User[user.email_address]).to eq user
     end
   end
 end