Display and revoke active sessions

2 files changed, 158 insertions, 0 deletions

diff --git a/spec/features/profiles/active_sessions_spec.rb b/spec/features/profiles/active_sessions_spec.rb
new file mode 100644
index 00000000000..4045cfd21c4
--- /dev/null
+++ b/spec/features/profiles/active_sessions_spec.rb
@@ -0,0 +1,89 @@
+require 'rails_helper'
+
+feature 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do
+  let(:user) do
+    create(:user).tap do |user|
+      user.current_sign_in_at = Time.current
+    end
+  end
+
+  around do |example|
+    Timecop.freeze(Time.zone.parse('2018-03-12 09:06')) do
+      example.run
+    end
+  end
+
+  scenario 'User sees their active sessions' do
+    Capybara::Session.new(:session1)
+    Capybara::Session.new(:session2)
+
+    # note: headers can only be set on the non-js (aka. rack-test) driver
+    using_session :session1 do
+      Capybara.page.driver.header(
+        'User-Agent',
+        'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0'
+      )
+
+      gitlab_sign_in(user)
+    end
+
+    # set an additional session on another device
+    using_session :session2 do
+      Capybara.page.driver.header(
+        'User-Agent',
+        'Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B466 [FBDV/iPhone7,2]'
+      )
+
+      gitlab_sign_in(user)
+    end
+
+    using_session :session1 do
+      visit profile_active_sessions_path
+
+      expect(page).to have_content(
+        '127.0.0.1 ' \
+        'This is your current session ' \
+        'Firefox on Ubuntu ' \
+        'Signed in on 12 Mar 09:06'
+      )
+
+      expect(page).to have_selector '[title="Desktop"]', count: 1
+
+      expect(page).to have_content(
+        '127.0.0.1 ' \
+        'Last accessed on 12 Mar 09:06 ' \
+        'Mobile Safari on iOS ' \
+        'Signed in on 12 Mar 09:06'
+      )
+
+      expect(page).to have_selector '[title="Smartphone"]', count: 1
+    end
+  end
+
+  scenario 'User can revoke a session', :js, :redis_session_store do
+    Capybara::Session.new(:session1)
+    Capybara::Session.new(:session2)
+
+    # set an additional session in another browser
+    using_session :session2 do
+      gitlab_sign_in(user)
+    end
+
+    using_session :session1 do
+      gitlab_sign_in(user)
+      visit profile_active_sessions_path
+
+      expect(page).to have_link('Revoke', count: 1)
+
+      accept_confirm { click_on 'Revoke' }
+
+      expect(page).not_to have_link('Revoke')
+    end
+
+    using_session :session2 do
+      visit profile_active_sessions_path
+
+      expect(page).to have_content('You need to sign in or sign up before continuing.')
+    end
+  end
+end
diff --git a/spec/features/users/active_sessions_spec.rb b/spec/features/users/active_sessions_spec.rb
new file mode 100644
index 00000000000..631d7e3bced
--- /dev/null
+++ b/spec/features/users/active_sessions_spec.rb
@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+feature 'Active user sessions', :clean_gitlab_redis_shared_state do
+  scenario 'Successful login adds a new active user login' do
+    now = Time.zone.parse('2018-03-12 09:06')
+    Timecop.freeze(now) do
+      user = create(:user)
+      gitlab_sign_in(user)
+      expect(current_path).to eq root_path
+
+      sessions = ActiveSession.list(user)
+      expect(sessions.count).to eq 1
+
+      # refresh the current page updates the updated_at
+      Timecop.freeze(now + 1.minute) do
+        visit current_path
+
+        sessions = ActiveSession.list(user)
+        expect(sessions.first).to have_attributes(
+          created_at: Time.zone.parse('2018-03-12 09:06'),
+          updated_at: Time.zone.parse('2018-03-12 09:07')
+        )
+      end
+    end
+  end
+
+  scenario 'Successful login cleans up obsolete entries' do
+    user = create(:user)
+
+    Gitlab::Redis::SharedState.with do |redis|
+      redis.sadd("session:lookup:user:gitlab:#{user.id}", '59822c7d9fcdfa03725eff41782ad97d')
+    end
+
+    gitlab_sign_in(user)
+
+    Gitlab::Redis::SharedState.with do |redis|
+      expect(redis.smembers("session:lookup:user:gitlab:#{user.id}")).not_to include '59822c7d9fcdfa03725eff41782ad97d'
+    end
+  end
+
+  scenario 'Sessionless login does not clean up obsolete entries' do
+    user = create(:user)
+    personal_access_token = create(:personal_access_token, user: user)
+
+    Gitlab::Redis::SharedState.with do |redis|
+      redis.sadd("session:lookup:user:gitlab:#{user.id}", '59822c7d9fcdfa03725eff41782ad97d')
+    end
+
+    visit user_path(user, :atom, private_token: personal_access_token.token)
+    expect(page.status_code).to eq 200
+
+    Gitlab::Redis::SharedState.with do |redis|
+      expect(redis.smembers("session:lookup:user:gitlab:#{user.id}")).to include '59822c7d9fcdfa03725eff41782ad97d'
+    end
+  end
+
+  scenario 'Logout deletes the active user login' do
+    user = create(:user)
+    gitlab_sign_in(user)
+    expect(current_path).to eq root_path
+
+    expect(ActiveSession.list(user).count).to eq 1
+
+    gitlab_sign_out
+    expect(current_path).to eq new_user_session_path
+
+    expect(ActiveSession.list(user)).to be_empty
+  end
+end