TDD step 7: OIDC callback request specs

Drives the full OmniAuth handshake through the dummy Rails app to cover
the five real-world callback outcomes: new user, existing provider/uid
match, legacy identity-attribute migration, hook denial, and strategy
failure. Adds `Devise.omniauth_path_prefix = "/admin/auth"` and the
matching strategy path_prefix so OmniAuth middleware intercepts
ActiveAdmin-scoped auth URLs.

Author: Fivell

spec/dummy/app/assets/config/manifest.js

@@ -1 +1,2 @@
-// no assets needed for the dummy app
+//= link active_admin.css
+

spec/dummy/app/assets/stylesheets/active_admin.css

@@ -0,0 +1 @@
+/* stub for specs — ActiveAdmin layout references this file */

spec/dummy/config/application.rb

@@ -32,8 +32,6 @@ class Application < Rails::Application
 
     config.action_controller.allow_forgery_protection = false
     config.session_store :cookie_store, key: "_dummy_session"
-    config.middleware.use ActionDispatch::Cookies
-    config.middleware.use config.session_store, config.session_options
 
     config.action_dispatch.show_exceptions = :none
     config.consider_all_requests_local = true

spec/dummy/config/initializers/devise.rb

@@ -4,6 +4,10 @@
   config.mailer_sender = "please-change-me@example.com"
   require "devise/orm/active_record"
 
+  # ActiveAdmin mounts Devise under /admin, so OmniAuth middleware must
+  # intercept /admin/auth/:provider instead of the default per-model prefix.
+  config.omniauth_path_prefix = "/admin/auth"
+
   config.case_insensitive_keys = [:email]
   config.strip_whitespace_keys = [:email]
   config.skip_session_storage = [:http_auth]
@@ -23,6 +27,7 @@
 
   config.omniauth :openid_connect,
                   name:          :oidc,
+                  path_prefix:   "/admin/auth",
                   issuer:        "https://idp.example.com",
                   discovery:     false,
                   scope:         %i[openid email profile],

spec/rails_helper.rb

@@ -22,3 +22,10 @@
 
 OmniAuth.config.test_mode = true
 OmniAuth.config.logger = Logger.new(File::NULL)
+# Skip OmniAuth 2.x's POST CSRF validation in request specs so we can drive
+# the callback flow without generating a real authenticity token.
+OmniAuth.config.request_validation_phase = ->(_env) { }
+# Let the request phase short-circuit via test mode mock_auth without
+# trying to hit an actual IdP for discovery.
+OmniAuth.config.allowed_request_methods = %i[get post]
+OmniAuth.config.silence_get_warning    = true if OmniAuth.config.respond_to?(:silence_get_warning=)

spec/requests/omniauth_callback_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+# BDD-style request spec for the OIDC callback flow. Exercises the real
+# Devise + OmniAuth + ActiveAdmin + engine stack via the dummy Rails app.
+#
+# OmniAuth test mode short-circuits the IdP roundtrip: POST /admin/auth/oidc
+# immediately invokes the callback action with the mocked auth hash.
+RSpec.describe "OIDC callback", type: :request do
+  before do
+    OmniAuth.config.test_mode = true
+    OmniAuth.config.mock_auth[:oidc] = nil
+
+    ActiveAdmin::Oidc.configure do |c|
+      c.issuer    = "https://idp.example.com"
+      c.client_id = "client-abc"
+      c.on_login  = ->(admin_user, _claims) { true }
+    end
+
+    AdminUser.delete_all
+  end
+
+  after do
+    OmniAuth.config.mock_auth[:oidc] = nil
+  end
+
+  def build_auth_hash(uid:, email:, extra: {})
+    OmniAuth::AuthHash.new(
+      provider: "oidc",
+      uid:      uid,
+      info:     { "email" => email, "name" => "Alice" },
+      extra:    { "raw_info" => { "sub" => uid, "email" => email }.merge(extra) }
+    )
+  end
+
+  # Drive the full OmniAuth handshake: POST /admin/auth/oidc → 302 to
+  # /admin/auth/oidc/callback → the gem's callbacks controller runs.
+  # Leaves `response` pointed at the controller's own redirect (to the
+  # signed-in landing page or the login page on failure).
+  def trigger_callback
+    post "/admin/auth/oidc"
+    follow_redirect! if response.redirect?
+  end
+
+  context "new user, on_login hook accepts" do
+    it "creates the AdminUser, signs it in, and stores the raw OIDC info" do
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-new", email: "new@example.com")
+
+      expect {
+        trigger_callback
+      }.to change(AdminUser, :count).by(1)
+
+      user = AdminUser.find_by(provider: "oidc", uid: "sub-new")
+      expect(user).not_to be_nil
+      expect(user.email).to eq("new@example.com")
+      expect(user.oidc_raw_info).to include("sub" => "sub-new", "email" => "new@example.com")
+
+      # Devise's default is the app root; the dummy app redirects `/` to /admin.
+      expect(response).to be_redirect
+      expect(response.location).to match(%r{\Ahttps?://[^/]+/(\z|admin)})
+    end
+  end
+
+  context "existing user matched by (provider, uid)" do
+    it "signs in without creating a new record" do
+      AdminUser.create!(
+        email:    "alice@example.com",
+        provider: "oidc",
+        uid:      "sub-existing"
+      )
+
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-existing", email: "alice@example.com")
+
+      expect {
+        trigger_callback
+      }.not_to change(AdminUser, :count)
+
+      expect(response).to be_redirect
+    end
+  end
+
+  context "existing user matched by identity_attribute (email) with no provider/uid yet" do
+    it "migrates the record in place and signs it in" do
+      legacy = AdminUser.create!(email: "legacy@example.com")
+
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-legacy", email: "legacy@example.com")
+
+      expect {
+        trigger_callback
+      }.not_to change(AdminUser, :count)
+
+      legacy.reload
+      expect(legacy.provider).to eq("oidc")
+      expect(legacy.uid).to eq("sub-legacy")
+      expect(response).to be_redirect
+    end
+  end
+
+  context "on_login hook denies the user" do
+    before do
+      ActiveAdmin::Oidc.config.on_login = ->(_admin_user, _claims) { false }
+    end
+
+    it "does not persist the user, redirects to the login page, and sets the access-denied flash" do
+      OmniAuth.config.mock_auth[:oidc] =
+        build_auth_hash(uid: "sub-denied", email: "denied@example.com")
+
+      expect {
+        trigger_callback
+      }.not_to change(AdminUser, :count)
+
+      expect(response).to redirect_to("/admin/login")
+      expect(flash[:alert]).to eq(ActiveAdmin::Oidc.config.access_denied_message)
+    end
+  end
+
+  context "OmniAuth strategy failure (e.g. invalid_credentials)" do
+    before do
+      OmniAuth.config.mock_auth[:oidc] = :invalid_credentials
+    end
+
+    it "lands on the failure action, redirects to login, and shows the access-denied flash" do
+      trigger_callback
+
+      expect(response).to redirect_to("/admin/login")
+      expect(flash[:alert]).to eq(ActiveAdmin::Oidc.config.access_denied_message)
+    end
+  end
+end