← Back to Upcase

Testing authorization/authentication gems

(Josh Clayton) #1

I recently received this testing question:

how do you preceed with testing if you want to use a authorization gem like devise? Only some integration tests to check if a user can sign in?

Great question!

If you’re only using the gem for basic sign in/sign out/sign up functionality, I’d end up testing one aspect directly: sign up. Sign up is often such an important part of the application that it deserves a test to make sure the user can do it successfully, the application delivers a welcome email, and the application gathers the correct information (since most sign-up forms will gather additional information like date of birth and name). Signing in and out with an account often get handled in other tests - for example, in a todo app, I’d write a test to sign in, create a todo, sign out, sign in as another user, and ensure I don’t see the first user’s todo (this ensures that I’m only displaying todos for the current user). That single test alone handles the other aspects of basic authentication so explicit tests aren’t usually necessary.

Devise, on the other hand, is something I’d typically write more tests around for the sole reason that it adds much more behavior to the application. If you were running a site which required additional security, you may use the lockable module to ensure users can’t brute-force their way into an account easily. This additional behavior is likely a requirement for the application itself and should be tested to make sure it’s in place at all times. Similarly, Devise can add functionality allowing a user to have his session remembered (so he doesn’t have to sign in again after closing the browser), which should often be tested. In these sorts of tests, I wouldn’t put Devise through the ringer and reproduce its acceptance tests, merely ensure that they’re enabled and seem to be working correctly. A quick way to test the lockable behavior would be to try to sign in with an invalid password too many times, attempt signing in with the valid password, and ensure that the user is not signed in.