Merge pull request #1033 from jsdalton/fix-mock-call

Ensure mock call verifies authenticity tokens with same logic as real call

lib/omniauth/strategy.rb

@@ -299,7 +299,6 @@ def options_request?
     # in test mode.
     def mock_call!(*)
       begin
-        OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
         return mock_request_call if on_request_path? && OmniAuth.config.allowed_request_methods.include?(request.request_method.downcase.to_sym)
         return mock_callback_call if on_callback_path?
       rescue StandardError => e
@@ -313,7 +312,10 @@ def mock_request_call
       setup_phase
 
       session['omniauth.params'] = request.GET
+
+      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase
       OmniAuth.config.before_request_phase.call(env) if OmniAuth.config.before_request_phase
+
       if options.origin_param
         if request.params[options.origin_param]
           session['omniauth.origin'] = request.params[options.origin_param]

spec/omniauth/strategy_spec.rb

@@ -1001,6 +1001,26 @@ def make_env(path = '/auth/test', props = {})
       OmniAuth.config.test_mode = false
       expect(strategy.call(make_env).first).to eq 302
     end
+
+    context 'when in test mode and path not on request path' do
+      let(:path) { '/foo/bar' }
+
+      before do
+        OmniAuth.config.test_mode = true
+        OmniAuth.config.request_validation_phase = OmniAuth::AuthenticityTokenProtection
+        allow(OmniAuth::AuthenticityTokenProtection).to receive(:call).and_raise(OmniAuth::AuthenticityError)
+      end
+
+      it 'does not verify token' do
+        expect(strategy).not_to receive(:fail!)
+        strategy.call(make_env(path))
+      end
+
+      after do
+        OmniAuth.config.test_mode = false
+        OmniAuth.config.request_validation_phase = false
+      end
+    end
   end
 
   context 'setup phase' do