Merge branch 'registry-700' into registry-694

# Conflicts:
#	db/structure.sql

.codeclimate.yml

@@ -1,5 +1,4 @@
----
+plugins:
-engines:
   brakeman:
     enabled: true
   bundler-audit:
@@ -14,8 +13,6 @@ engines:
       languages:
       - ruby
       - javascript
-      - python
-      - php
   eslint:
     enabled: true
   fixme:
@@ -33,24 +30,9 @@ engines:
     checks:
       IrresponsibleModule:
         enabled: false
-ratings:
+exclude_patterns:
-  paths:
+- "config/"
-  - Gemfile.lock
+- "db/"
-  - "**.erb"
+- "vendor/"
-  - "**.haml"
+- "spec/"
-  - "**.rb"
+- "test/"
-  - "**.rhtml"
-  - "**.slim"
-  - "**.css"
-  - "**.coffee"
-  - "**.inc"
-  - "**.js"
-  - "**.jsx"
-  - "**.module"
-  - "**.php"
-  - "**.py"
-exclude_paths:
-- config/
-- db/
-- spec/
-- vendor/

.reek

@@ -34,7 +34,6 @@ UncommunicativeVariableName:
   - Admin::SettingsController#create
   - Epp::DomainsController#renew
   - Epp::DomainsController#update
-  - Epp::SessionsController#connection_limit_ok?
   - Epp::SessionsController#login
   - EppController
   - EppController#create_full_selectors
@@ -172,7 +171,6 @@ DuplicateMethodCall:
   - Epp::PollsController#ack_poll
   - Epp::PollsController#poll
   - Epp::PollsController#req_poll
-  - Epp::SessionsController#connection_limit_ok?
   - Epp::SessionsController#ip_white?
   - Epp::SessionsController#login
   - Epp::SessionsController#login_params
@@ -538,7 +536,6 @@ IrresponsibleModule:
   - DomainStatus
   - DomainTransfer
   - Epp::Contact
-  - EppSession
   - Invoice
   - InvoiceItem
   - Keyrelay
@@ -960,7 +957,6 @@ FeatureEnvy:
   - ActionDispatch::Flash#call
   - Ransack::Adapters::ActiveRecord::Context#evaluate
   - EppConstraint#matches?
-  - Requests::SessionHelpers#sign_in_to_epp_area
 TooManyMethods:
   exclude:
   - Epp::ContactsController
@@ -1027,7 +1023,6 @@ PrimaDonnaMethod:
   - Contact
   - Domain
   - Epp::Domain
-  - EppSession
   - RegistrantVerification
   - Registrar
 BooleanParameter:

.rubocop_todo.yml

@@ -655,11 +655,6 @@ Performance/StringReplacement:
     - 'app/models/directo.rb'
     - 'app/models/dnskey.rb'
 
-# Offense count: 1
-Security/MarshalLoad:
-  Exclude:
-    - 'app/models/epp_session.rb'
-
 # Offense count: 4
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedStyle, SupportedStyles.

app/controllers/epp/sessions_controller.rb

@@ -74,7 +74,7 @@ class Epp::SessionsController < EppController
       success = false
     end
 
-    if success && !connection_limit_ok?
+    if success && EppSession.limit_reached?(@api_user.registrar)
       epp_errors << {
         msg: 'Authentication error; server closing connection (connection limit reached)',
         code: '2501'
@@ -91,8 +91,10 @@ class Epp::SessionsController < EppController
         end
       end
 
-      epp_session[:api_user_id] = @api_user.id
+      epp_session = EppSession.new
-      epp_session.update_column(:registrar_id, @api_user.registrar_id)
+      epp_session.session_id = epp_session_id
+      epp_session.user = @api_user
+      epp_session.save!
       render_epp_response('login_success')
     else
       response.headers['X-EPP-Returncode'] = '2500'
@@ -113,17 +115,16 @@ class Epp::SessionsController < EppController
     true
   end
 
-  def connection_limit_ok?
-    return true if Rails.env.test? || Rails.env.development?
-    c = EppSession.where(
-      'registrar_id = ? AND updated_at >= ?', @api_user.registrar_id, Time.zone.now - 1.second
-    ).count
-
-    return false if c >= 4
-    true
-  end
-
   def logout
+    unless signed_in?
+      epp_errors << {
+        code: 2201,
+        msg: 'Authorization error'
+      }
+      handle_errors
+      return
+    end
+
     @api_user = current_user # cache current_user for logging
     epp_session.destroy
     response.headers['X-EPP-Returncode'] = '1500'

app/controllers/epp_controller.rb

@@ -4,11 +4,12 @@ class EppController < ApplicationController
   protect_from_forgery with: :null_session
   skip_before_action :verify_authenticity_token
 
+  before_action :ensure_session_id_passed
   before_action :generate_svtrid
   before_action :latin_only
   before_action :validate_against_schema
   before_action :validate_request
-  before_action :update_epp_session
+  before_action :update_epp_session, if: 'signed_in?'
 
   around_action :catch_epp_errors
 
@@ -86,41 +87,13 @@ class EppController < ApplicationController
     @params_hash ||= Hash.from_xml(params[:frame]).with_indifferent_access
   end
 
-  # SESSION MANAGEMENT
   def epp_session
-    cookies # Probably does some initialization
+    EppSession.find_by(session_id: epp_session_id)
-    cookie = env['rack.request.cookie_hash'] || {}
-    EppSession.find_or_initialize_by(session_id: cookie['session'])
-  end
-
-  def update_epp_session
-    iptables_counter_update
-    e_s = epp_session
-    return if e_s.new_record?
-
-    if !Rails.env.development? && (e_s.updated_at < Time.zone.now - 5.minutes)
-      @api_user = current_user # cache current_user for logging
-      e_s.destroy
-      response.headers['X-EPP-Returncode'] = '1500'
-
-      epp_errors << {
-        msg: t('session_timeout'),
-        code: '2201'
-      }
-
-      handle_errors and return
-    else
-      e_s.update_column(:updated_at, Time.zone.now)
-    end
   end
 
   def current_user
-    @current_user ||= ApiUser.find_by_id(epp_session[:api_user_id])
+    return unless signed_in?
-    # by default PaperTrail uses before filter and at that
+    epp_session.user
-    # time current_user is not yet present
-    ::PaperTrail.whodunnit = user_log_str(@current_user)
-    ::PaperSession.session = epp_session.session_id if epp_session.session_id.present?
-    @current_user
   end
 
   # ERROR + RESPONSE HANDLING
@@ -397,4 +370,42 @@ class EppController < ApplicationController
     name = self.class.to_s.sub("Epp::","").sub("Controller","").underscore.singularize
     instance_variable_get("@#{name}")
   end
+
+  private
+
+  def signed_in?
+    epp_session
+  end
+
+  def epp_session_id
+    cookies[:session] # Passed by mod_epp https://github.com/mod-epp/mod-epp#requestscript-interface
+  end
+
+  def ensure_session_id_passed
+    raise 'EPP session id is empty' unless epp_session_id.present?
+  end
+
+  def update_epp_session
+    iptables_counter_update
+
+    if session_timeout_reached?
+      @api_user = current_user # cache current_user for logging
+      epp_session.destroy
+      response.headers['X-EPP-Returncode'] = '1500'
+
+      epp_errors << {
+        msg: t('session_timeout'),
+        code: '2201'
+      }
+
+      handle_errors and return
+    else
+      epp_session.update_column(:updated_at, Time.zone.now)
+    end
+  end
+
+  def session_timeout_reached?
+    timeout = 5.minutes
+    epp_session.updated_at < (Time.zone.now - timeout)
+  end
 end

app/models/epp_session.rb

@@ -1,36 +1,14 @@
 class EppSession < ActiveRecord::Base
-  before_save :marshal_data!
+  belongs_to :user, required: true
 
-  belongs_to :registrar
+  validates :session_id, uniqueness: true, presence: true
-  # rubocop: disable Rails/ReadWriteAttribute
-  # Turned back to read_attribute, thus in Rails 4
-  # there is differences between self[:data] and read_attribute.
-  def data
-    @data ||= self.class.unmarshal(read_attribute(:data)) || {}
-  end
-  # rubocop: enable Rails/ReadWriteAttribute
 
-  def [](key)
+  def self.limit_per_registrar
-    data[key.to_sym]
+    4
   end
 
-  def []=(key, value)
+  def self.limit_reached?(registrar)
-    data[key.to_sym] = value
+    count = where(user_id: registrar.api_users.ids).where('updated_at >= ?', Time.zone.now - 1.second).count
-    save!
+    count >= limit_per_registrar
-  end
-
-  def marshal_data!
-    self.data = self.class.marshal(data)
-  end
-
-  class << self
-    def marshal(data)
-      ::Base64.encode64(Marshal.dump(data)) if data
-    end
-
-    def unmarshal(data)
-      return data unless data.is_a? String
-      Marshal.load(::Base64.decode64(data)) if data
-    end
   end
 end

app/views/epp/sessions/login_fail.xml.builder

@@ -1,9 +0,0 @@
-xml.epp_head do
-  xml.response do
-    xml.result('code' => '2501') do
-      xml.msg(@msg || 'Authentication error; server closing connection')
-    end
-
-    render('epp/shared/trID', builder: xml)
-  end
-end

db/migrate/20180206213435_change_epp_sessions_session_id_to_not_null.rb

@@ -0,0 +1,5 @@
+class ChangeEppSessionsSessionIdToNotNull < ActiveRecord::Migration
+  def change
+    change_column_null :epp_sessions, :session_id, false
+  end
+end

db/migrate/20180206234620_add_epp_sessions_user_id.rb

@@ -0,0 +1,5 @@
+class AddEppSessionsUserId < ActiveRecord::Migration
+  def change
+    add_reference :epp_sessions, :user, foreign_key: true
+  end
+end

db/migrate/20180207071528_extract_user_id_from_epp_sessions_data.rb

@@ -0,0 +1,10 @@
+class ExtractUserIdFromEppSessionsData < ActiveRecord::Migration
+  def change
+    EppSession.all.each do |epp_session|
+      user_id = Marshal.load(::Base64.decode64(epp_session.data_before_type_cast))[:api_user_id]
+      user = ApiUser.find(user_id)
+      epp_session.user = user
+      epp_session.save!
+    end
+  end
+end

db/migrate/20180207072139_remove_epp_sessions_data.rb

@@ -0,0 +1,5 @@
+class RemoveEppSessionsData < ActiveRecord::Migration
+  def change
+    remove_column :epp_sessions, :data, :string
+  end
+end

db/migrate/20180212123810_remove_epp_sessions_registrar_id.rb

@@ -0,0 +1,5 @@
+class RemoveEppSessionsRegistrarId < ActiveRecord::Migration
+  def change
+    remove_column :epp_sessions, :registrar_id, :integer
+  end
+end

db/migrate/20180212152810_add_epp_sessions_session_id_unique_constraint.rb

@@ -0,0 +1,13 @@
+class AddEppSessionsSessionIdUniqueConstraint < ActiveRecord::Migration
+  def up
+    execute <<-SQL
+      ALTER TABLE epp_sessions ADD CONSTRAINT unique_session_id UNIQUE (session_id)
+    SQL
+  end
+
+  def down
+    execute <<-SQL
+      ALTER TABLE epp_sessions DROP CONSTRAINT unique_session_id
+    SQL
+  end
+end

db/migrate/20180212154731_remove_epp_sessions_session_id_unique_index.rb

@@ -0,0 +1,5 @@
+class RemoveEppSessionsSessionIdUniqueIndex < ActiveRecord::Migration
+  def change
+    remove_index :epp_sessions, name: :index_epp_sessions_on_session_id
+  end
+end

db/migrate/20180213183818_change_epp_sessions_user_id_to_not_null.rb

@@ -0,0 +1,5 @@
+class ChangeEppSessionsUserIdToNotNull < ActiveRecord::Migration
+  def change
+    change_column_null :epp_sessions, :user_id, false
+  end
+end

db/structure.sql

@@ -1050,11 +1050,10 @@ ALTER SEQUENCE domains_id_seq OWNED BY domains.id;
 
 CREATE TABLE epp_sessions (
     id integer NOT NULL,
-    session_id character varying,
+    session_id character varying NOT NULL,
-    data text,
     created_at timestamp without time zone,
     updated_at timestamp without time zone,
-    registrar_id integer
+    user_id integer NOT NULL
 );
 
 
@@ -3635,6 +3634,14 @@ ALTER TABLE ONLY contacts
     ADD CONSTRAINT unique_contact_code UNIQUE (code);
 
 
+--
+-- Name: unique_session_id; Type: CONSTRAINT; Schema: public; Owner: -; Tablespace:
+--
+
+ALTER TABLE ONLY epp_sessions
+    ADD CONSTRAINT unique_session_id UNIQUE (session_id);
+
+
 --
 -- Name: unique_zone_origin; Type: CONSTRAINT; Schema: public; Owner: -; Tablespace: 
 --
@@ -3886,13 +3893,6 @@ CREATE INDEX index_domains_on_registrar_id ON domains USING btree (registrar_id)
 CREATE INDEX index_domains_on_statuses ON domains USING gin (statuses);
 
 
---
--- Name: index_epp_sessions_on_session_id; Type: INDEX; Schema: public; Owner: -; Tablespace: 
---
-
-CREATE UNIQUE INDEX index_epp_sessions_on_session_id ON epp_sessions USING btree (session_id);
-
-
 --
 -- Name: index_epp_sessions_on_updated_at; Type: INDEX; Schema: public; Owner: -; Tablespace: 
 --
@@ -4484,6 +4484,14 @@ ALTER TABLE ONLY domain_transfers
     ADD CONSTRAINT fk_rails_87b8e40c63 FOREIGN KEY (domain_id) REFERENCES domains(id);
 
 
+--
+-- Name: fk_rails_adff2dc8e3; Type: FK CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY epp_sessions
+    ADD CONSTRAINT fk_rails_adff2dc8e3 FOREIGN KEY (user_id) REFERENCES users(id);
+
+
 --
 -- Name: fk_rails_b80dbb973d; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@@ -5070,6 +5078,22 @@ INSERT INTO schema_migrations (version) VALUES ('20180126104536');
 
 INSERT INTO schema_migrations (version) VALUES ('20180126104903');
 
+INSERT INTO schema_migrations (version) VALUES ('20180206213435');
+
+INSERT INTO schema_migrations (version) VALUES ('20180206234620');
+
+INSERT INTO schema_migrations (version) VALUES ('20180207071528');
+
+INSERT INTO schema_migrations (version) VALUES ('20180207072139');
+
+INSERT INTO schema_migrations (version) VALUES ('20180212123810');
+
+INSERT INTO schema_migrations (version) VALUES ('20180212152810');
+
+INSERT INTO schema_migrations (version) VALUES ('20180212154731');
+
+INSERT INTO schema_migrations (version) VALUES ('20180213183818');
+
 INSERT INTO schema_migrations (version) VALUES ('20180214200224');
 
 INSERT INTO schema_migrations (version) VALUES ('20180214213743');

doc/controllers_complete.svg

@@ -71,7 +71,6 @@
 <path fill="none" stroke="black" d="M532,-320.5C532,-320.5 656,-320.5 656,-320.5 662,-320.5 668,-326.5 668,-332.5 668,-332.5 668,-491.5 668,-491.5 668,-497.5 662,-503.5 656,-503.5 656,-503.5 532,-503.5 532,-503.5 526,-503.5 520,-497.5 520,-491.5 520,-491.5 520,-332.5 520,-332.5 520,-326.5 526,-320.5 532,-320.5"/>
 <text text-anchor="middle" x="594" y="-488.3" font-family="Times,serif" font-size="14.00">Epp::SessionsController</text>
 <polyline fill="none" stroke="black" points="520,-480.5 668,-480.5 "/>
-<text text-anchor="start" x="528" y="-465.3" font-family="Times,serif" font-size="14.00">connection_limit_ok?</text>
 <text text-anchor="start" x="528" y="-450.3" font-family="Times,serif" font-size="14.00">hello</text>
 <text text-anchor="start" x="528" y="-435.3" font-family="Times,serif" font-size="14.00">ip_white?</text>
 <text text-anchor="start" x="528" y="-420.3" font-family="Times,serif" font-size="14.00">login</text>
@@ -681,7 +680,6 @@
 <text text-anchor="start" x="-72.5" y="74.2" font-family="Times,serif" font-size="14.00">render_epp_response</text>
 <text text-anchor="start" x="-72.5" y="89.2" font-family="Times,serif" font-size="14.00">requires</text>
 <text text-anchor="start" x="-72.5" y="104.2" font-family="Times,serif" font-size="14.00">requires_attribute</text>
-<text text-anchor="start" x="-72.5" y="119.2" font-family="Times,serif" font-size="14.00">update_epp_session</text>
 <text text-anchor="start" x="-72.5" y="134.2" font-family="Times,serif" font-size="14.00">validate_request</text>
 <text text-anchor="start" x="-72.5" y="149.2" font-family="Times,serif" font-size="14.00">write_to_epp_log</text>
 <text text-anchor="start" x="-72.5" y="164.2" font-family="Times,serif" font-size="14.00">xml_attrs_present?</text>

lib/tasks/dev.rake

@@ -49,9 +49,9 @@ namespace :dev do
       account = create(:account, registrar: registrar, balance: 1_000_000)
       api_user = create(:api_user, username: 'test', password: 'testtest', registrar: registrar)
 
-      epp_session = build(:epp_session, registrar: registrar)
+      epp_session = EppSession.new
-      epp_session[:api_user_id] = api_user.id
+      epp_session.session_id = 'test'
-      epp_session.registrar_id = registrar.id
+      epp_session.user = api_user
       epp_session.save!
 
       domain_counter = 1.step

spec/factories/epp_session.rb

@@ -1,5 +1,6 @@
 FactoryBot.define do
   factory :epp_session do
-
+    sequence(:session_id) { |n| "test#{n}" }
+    association :user, factory: :api_user
   end
 end

spec/models/epp_session.rb

@@ -1,21 +0,0 @@
-require 'rails_helper'
-
-describe EppSession do
-  let(:epp_session) { create(:epp_session) }
-
-  it 'has marshalled data' do
-    expect(epp_session.read_attribute(:data)).to_not be_blank
-    expect(epp_session.read_attribute(:data).class).to eq(String)
-    expect(epp_session.data.class).to eq(Hash)
-  end
-
-  it 'stores data' do
-    expect(epp_session[:api_user_id]).to eq(1)
-
-    epp_session[:api_user_id] = 3
-    expect(epp_session[:api_user_id]).to eq(3)
-
-    epp_session =  EppSession.find_by(session_id: 'test')
-    expect(epp_session[:api_user_id]).to eq(3)
-  end
-end

spec/requests/epp/contact/create/ident_spec.rb

@@ -1,11 +1,14 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP contact:create' do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
 
   before do
     Setting.address_processing = false
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when all ident params are valid' do

spec/requests/epp/contact/create/phone_spec.rb

@@ -2,7 +2,10 @@ require 'rails_helper'
 require_relative '../shared/phone'
 
 RSpec.describe 'EPP contact:create' do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -27,7 +30,7 @@ RSpec.describe 'EPP contact:create' do
   }
 
   before do
-    sign_in_to_epp_area
+    login_as user
     allow(Contact).to receive(:address_processing?).and_return(false)
   end
 

spec/requests/epp/contact/create_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP contact:create' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml_with_address) { '<?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
       <command>
@@ -36,7 +39,7 @@ RSpec.describe 'EPP contact:create' do
   subject(:address_saved) { Contact.last.attributes.slice(*Contact.address_attribute_names).compact.any? }
 
   before do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when address processing is enabled' do
@@ -46,17 +49,17 @@ RSpec.describe 'EPP contact:create' do
 
     context 'with address' do
       it 'returns epp code of 1000' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1000')
       end
 
       it 'returns epp description' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address}, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully')
       end
 
       it 'saves address' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(address_saved).to be_truthy
       end
     end
@@ -69,17 +72,17 @@ RSpec.describe 'EPP contact:create' do
 
     context 'with address' do
       it 'returns epp code of 1100' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1100')
       end
 
       it 'returns epp description' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully; Postal address data discarded')
       end
 
       it 'does not save address' do
-        post '/epp/command/create', frame: request_xml_with_address
+        post '/epp/command/create', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(address_saved).to be_falsey
       end
     end
@@ -110,12 +113,12 @@ RSpec.describe 'EPP contact:create' do
       }
 
       it 'returns epp code of 1000' do
-        post '/epp/command/create', frame: request_xml_without_address
+        post '/epp/command/create', { frame: request_xml_without_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1000')
       end
 
       it 'returns epp description' do
-        post '/epp/command/create', frame: request_xml_without_address
+        post '/epp/command/create', { frame: request_xml_without_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully')
       end
     end

spec/requests/epp/contact/delete/used_spec.rb

@@ -1,10 +1,11 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP contact:delete' do
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:user) { create(:api_user, registrar: registrar) }
   let(:registrar) { create(:registrar) }
   let!(:registrant) { create(:registrant, registrar: registrar, code: 'TEST') }
-  let(:request) { post '/epp/command/delete', frame: request_xml }
+  let(:request) { post '/epp/command/delete', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -20,7 +21,7 @@ RSpec.describe 'EPP contact:delete' do
   }
 
   before do
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when contact is used' do

spec/requests/epp/contact/info_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP contact:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml) { '<?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
       <command>
@@ -19,7 +22,7 @@ RSpec.describe 'EPP contact:update' do
                               .count }
 
   before do
-    sign_in_to_epp_area
+    login_as user
     create(:contact, code: 'TEST')
   end
 
@@ -29,12 +32,12 @@ RSpec.describe 'EPP contact:update' do
     end
 
     it 'returns epp code of 1000' do
-      post '/epp/command/info', frame: request_xml
+      post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('1000')
     end
 
     it 'returns address' do
-      post '/epp/command/info', frame: request_xml
+      post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(address_count).to_not be_zero
     end
   end
@@ -45,12 +48,12 @@ RSpec.describe 'EPP contact:update' do
     end
 
     it 'returns epp code of 1000' do
-      post '/epp/command/info', frame: request_xml
+      post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('1000')
     end
 
     it 'does not return address' do
-      post '/epp/command/info', frame: request_xml
+      post '/epp/command/info', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(address_count).to be_zero
     end
   end

spec/requests/epp/contact/update/ident_spec.rb

@@ -3,8 +3,11 @@ require 'rails_helper'
 # https://github.com/internetee/registry/issues/576
 
 RSpec.describe 'EPP contact:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:ident) { contact.identifier }
-  let(:request) { post '/epp/command/update', frame: request_xml }
+  let(:request) { post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -30,7 +33,7 @@ RSpec.describe 'EPP contact:update' do
   }
 
   before do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when contact ident is valid' do

spec/requests/epp/contact/update/phone_spec.rb

@@ -2,8 +2,11 @@ require 'rails_helper'
 require_relative '../shared/phone'
 
 RSpec.describe 'EPP contact:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let!(:contact) { create(:contact, code: 'TEST') }
-  let(:request) { post '/epp/command/update', frame: request_xml }
+  let(:request) { post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -22,7 +25,7 @@ RSpec.describe 'EPP contact:update' do
   }
 
   before do
-    sign_in_to_epp_area
+    login_as user
     allow(Contact).to receive(:address_processing?).and_return(false)
   end
 

spec/requests/epp/contact/update_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP contact:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml_with_address) { '<?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
       <command>
@@ -33,7 +36,7 @@ RSpec.describe 'EPP contact:update' do
   subject(:response_description) { response_xml.css('result msg').text }
 
   before do
-    sign_in_to_epp_area
+    login_as user
     create(:contact, code: 'TEST')
   end
 
@@ -44,12 +47,12 @@ RSpec.describe 'EPP contact:update' do
 
     context 'with address' do
       it 'returns epp code of 1000' do
-        post '/epp/command/update', frame: request_xml_with_address
+        post '/epp/command/update', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1000')
       end
 
       it 'returns epp description' do
-        post '/epp/command/update', frame: request_xml_with_address
+        post '/epp/command/update', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully')
       end
     end
@@ -62,12 +65,12 @@ RSpec.describe 'EPP contact:update' do
 
     context 'with address' do
       it 'returns epp code of 1100' do
-        post '/epp/command/update', frame: request_xml_with_address
+        post '/epp/command/update', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1100')
       end
 
       it 'returns epp description' do
-        post '/epp/command/update', frame: request_xml_with_address
+        post '/epp/command/update', { frame: request_xml_with_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully; Postal address data discarded')
       end
     end
@@ -92,12 +95,12 @@ RSpec.describe 'EPP contact:update' do
       }
 
       it 'returns epp code of 1000' do
-        post '/epp/command/update', frame: request_xml_without_address
+        post '/epp/command/update', { frame: request_xml_without_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_code).to eq('1000')
       end
 
       it 'returns epp description' do
-        post '/epp/command/update', frame: request_xml_without_address
+        post '/epp/command/update', { frame: request_xml_without_address }, 'HTTP_COOKIE' => "session=#{session_id}"
         expect(response_description).to eq('Command completed successfully')
       end
     end

spec/requests/epp/domain/create/account_balance_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -36,7 +37,7 @@ RSpec.describe 'EPP domain:create', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when account balance is sufficient' do

spec/requests/epp/domain/create/default_period_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -37,7 +38,7 @@ RSpec.describe 'EPP domain:create', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010 10:30')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when period is absent' do

spec/requests/epp/domain/create/optional_nameserver_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
@@ -17,7 +18,7 @@ RSpec.describe 'EPP domain:create', settings: false do
 
   before :example do
     travel_to Time.zone.parse('05.07.2010')
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when nameserver is optional' do

spec/requests/epp/domain/create/period_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -10,7 +11,7 @@ RSpec.describe 'EPP domain:create', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010 10:30')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when period is 3 months' do

spec/requests/epp/domain/create/price_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -30,7 +31,7 @@ RSpec.describe 'EPP domain:create', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when price is present' do

spec/requests/epp/domain/create/required_nameserver_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:create', settings: false do
-  let(:request) { post '/epp/command/create', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/create', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:contact) { create(:contact, code: 'test') }
@@ -17,7 +18,7 @@ RSpec.describe 'EPP domain:create', settings: false do
 
   before :example do
     travel_to Time.zone.parse('05.07.2010')
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when nameserver is required' do

spec/requests/epp/domain/delete/discarded_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:delete' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -21,14 +24,14 @@ RSpec.describe 'EPP domain:delete' do
   }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when domain is not discarded' do
     let!(:domain) { create(:domain, name: 'test.com') }
 
     it 'returns epp code of 1001' do
-      post '/epp/command/delete', frame: request_xml
+      post '/epp/command/delete', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(1001)
     end
   end
@@ -37,7 +40,7 @@ RSpec.describe 'EPP domain:delete' do
     let!(:domain) { create(:domain_discarded, name: 'test.com') }
 
     it 'returns epp code of 2105' do
-      post '/epp/command/delete', frame: request_xml
+      post '/epp/command/delete', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(2105)
     end
   end

spec/requests/epp/domain/renew/account_balance_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew' do
-  let(:request) { post '/epp/command/renew', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:zone) { create(:zone, origin: 'test') }
   let!(:price) { create(:price,
@@ -16,7 +17,7 @@ RSpec.describe 'EPP domain:renew' do
   before :example do
     Setting.days_to_renew_domain_before_expire = 0
     travel_to Time.zone.parse('05.07.2010')
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when account balance is sufficient' do

spec/requests/epp/domain/renew/default_period_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew', settings: false do
-  let(:request) { post '/epp/command/renew', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:zone) { create(:zone, origin: 'test') }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
@@ -37,7 +38,7 @@ RSpec.describe 'EPP domain:renew', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when period is absent' do

spec/requests/epp/domain/renew/expire_time_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew' do
-  let(:request) { post '/epp/command/renew', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -17,7 +18,7 @@ RSpec.describe 'EPP domain:renew' do
   before :example do
     Setting.days_to_renew_domain_before_expire = 0
     travel_to Time.zone.parse('05.07.2010')
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when given expire time and current match' do

spec/requests/epp/domain/renew/max_expire_time_spec.rb

@@ -1,6 +1,7 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew' do
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:user) { create(:api_user_epp, registrar: registrar) }
   let(:registrar) { create(:registrar_with_unlimited_balance) }
   let!(:zone) { create(:zone, origin: 'test') }
@@ -19,7 +20,7 @@ RSpec.describe 'EPP domain:renew' do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when domain can be renewed' do
@@ -45,12 +46,12 @@ RSpec.describe 'EPP domain:renew' do
     }
 
     it 'returns epp code of 1000' do
-      post '/epp/command/renew', frame: request_xml
+      post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('1000')
     end
 
     it 'returns epp description' do
-      post '/epp/command/renew', frame: request_xml
+      post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_description).to eq('Command completed successfully')
     end
   end
@@ -78,12 +79,12 @@ RSpec.describe 'EPP domain:renew' do
     }
 
     it 'returns epp code of 2105' do
-      post '/epp/command/renew', frame: request_xml
+      post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('2105')
     end
 
     it 'returns epp description' do
-      post '/epp/command/renew', frame: request_xml
+      post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_description).to eq('Object is not eligible for renewal; ' \
         'Expiration date must be before 2021-07-05')
     end

spec/requests/epp/domain/renew/period_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew', settings: false do
-  let(:request) { post '/epp/command/renew', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:zone) { create(:zone, origin: 'test') }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
@@ -14,7 +15,7 @@ RSpec.describe 'EPP domain:renew', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when period is 3 months' do

spec/requests/epp/domain/renew/price_spec.rb

@@ -1,7 +1,8 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:renew', settings: false do
-  let(:request) { post '/epp/command/renew', frame: request_xml }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/renew', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:user) { create(:api_user_epp, registrar: registrar) }
   let!(:zone) { create(:zone, origin: 'test') }
   let!(:registrar) { create(:registrar_with_unlimited_balance) }
@@ -29,7 +30,7 @@ RSpec.describe 'EPP domain:renew', settings: false do
   before :example do
     travel_to Time.zone.parse('05.07.2010')
     Setting.days_to_renew_domain_before_expire = 0
-    sign_in_to_epp_area(user: user)
+    login_as user
   end
 
   context 'when price is present' do

spec/requests/epp/domain/transfer/discarded_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:transfer' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -19,14 +22,14 @@ RSpec.describe 'EPP domain:transfer' do
   }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when domain is not discarded' do
     let!(:domain) { create(:domain, name: 'test.com') }
 
     it 'returns epp code of 1000' do
-      post '/epp/command/transfer', frame: request_xml
+      post '/epp/command/transfer', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(1000)
     end
   end
@@ -35,7 +38,7 @@ RSpec.describe 'EPP domain:transfer' do
     let!(:domain) { create(:domain_discarded, name: 'test.com') }
 
     it 'returns epp code of 2105' do
-      post '/epp/command/transfer', frame: request_xml
+      post '/epp/command/transfer', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(2105)
     end
   end

spec/requests/epp/domain/update/discarded_spec.rb

@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -16,14 +19,14 @@ RSpec.describe 'EPP domain:update' do
   }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when domain is not discarded' do
     let!(:domain) { create(:domain, name: 'test.com') }
 
     it 'returns epp code of 1000' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(1000)
     end
   end
@@ -32,7 +35,7 @@ RSpec.describe 'EPP domain:update' do
     let!(:domain) { create(:domain_discarded, name: 'test.com') }
 
     it 'returns epp code of 2105' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response).to have_code_of(2105)
     end
   end

spec/requests/epp/domain/update/nameserver_add_spec.rb

@@ -1,13 +1,16 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   let!(:domain) { create(:domain, name: 'test.com') }
   subject(:response_xml) { Nokogiri::XML(response.body) }
   subject(:response_code) { response_xml.xpath('//xmlns:result').first['code'] }
   subject(:response_description) { response_xml.css('result msg').text }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
 
     allow(Domain).to receive(:nameserver_required?).and_return(false)
     Setting.ns_min_count = 2
@@ -37,12 +40,12 @@ RSpec.describe 'EPP domain:update' do
     }
 
     it 'returns epp code of 2308' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('2308'), "Expected EPP code of 2308, got #{response_code} (#{response_description})"
     end
 
     it 'returns epp description' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
 
       description = 'Data management policy violation;' \
         " Nameserver count must be between #{Setting.ns_min_count}-#{Setting.ns_max_count}" \
@@ -78,12 +81,12 @@ RSpec.describe 'EPP domain:update' do
     }
 
     it 'returns epp code of 1000' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('1000'), "Expected EPP code of 1000, got #{response_code} (#{response_description})"
     end
 
     it 'removes inactive status' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
 
       domain = Domain.find_by(name: 'test.com')
       expect(domain.statuses).to_not include(DomainStatus::INACTIVE)

spec/requests/epp/domain/update/nameserver_remove_spec.rb

@@ -1,13 +1,15 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
   subject(:response_xml) { Nokogiri::XML(response.body) }
   subject(:response_code) { response_xml.xpath('//xmlns:result').first['code'] }
   subject(:response_description) { response_xml.css('result msg').text }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
-
     allow(Domain).to receive(:nameserver_required?).and_return(false)
   end
 
@@ -43,12 +45,12 @@ RSpec.describe 'EPP domain:update' do
     end
 
     it 'returns epp code of 2308' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('2308'), "Expected EPP code of 2308, got #{response_code} (#{response_description})"
     end
 
     it 'returns epp description' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
 
       description = 'Data management policy violation;' \
       " Nameserver count must be between #{Setting.ns_min_count}-#{Setting.ns_max_count}" \
@@ -91,13 +93,13 @@ RSpec.describe 'EPP domain:update' do
     end
 
     it 'returns epp code of 1000' do
-      post '/epp/command/update', frame: request_xml
+      post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
       expect(response_code).to eq('1000'), "Expected EPP code of 1000, got #{response_code} (#{response_description})"
     end
 
     describe 'domain' do
       it 'has status of inactive' do
-        post '/epp/command/update', frame: request_xml
+        post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}"
         domain = Domain.find_by(name: 'test.com')
         expect(domain.statuses).to include(DomainStatus::INACTIVE)
       end

spec/requests/epp/domain/update/registrant_change/same_as_current_spec.rb

@@ -1,11 +1,14 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
-  let(:request) { post '/epp/command/update', frame: request_xml }
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:domain) { create(:domain, name: 'test.com', registrant: registrant) }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when registrant change confirmation is enabled' do

spec/requests/epp/domain/update/registrant_change/verified_spec.rb

@@ -1,13 +1,16 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
-  let(:request) { post '/epp/command/update', frame: request_xml }
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let!(:registrant) { create(:registrant, code: 'old-code') }
   let!(:domain) { create(:domain, name: 'test.com', registrant: registrant) }
   let!(:new_registrant) { create(:registrant, code: 'new-code') }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when registrant change confirmation is enabled' do

spec/requests/epp/domain/update/status_spec.rb

@@ -1,7 +1,10 @@
 require 'rails_helper'
 
 RSpec.describe 'EPP domain:update' do
-  let(:request) { post '/epp/command/update', frame: request_xml }
+  let(:registrar) { create(:registrar) }
+  let(:user) { create(:api_user_epp, registrar: registrar) }
+  let(:session_id) { create(:epp_session, user: user).session_id }
+  let(:request) { post '/epp/command/update', { frame: request_xml }, 'HTTP_COOKIE' => "session=#{session_id}" }
   let(:request_xml) { <<-XML
     <?xml version="1.0" encoding="UTF-8" standalone="no"?>
     <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
@@ -17,7 +20,7 @@ RSpec.describe 'EPP domain:update' do
   }
 
   before :example do
-    sign_in_to_epp_area
+    login_as user
   end
 
   context 'when domain has both SERVER_DELETE_PROHIBITED and PENDING_UPDATE statuses' do

spec/support/requests/session_helpers.rb

@@ -1,34 +1,5 @@
 module Requests
   module SessionHelpers
-    def sign_in_to_epp_area(user: create(:api_user_epp))
-      login_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>
-      <epp xmlns=\"https://epp.tld.ee/schema/epp-ee-1.0.xsd\">
-        <command>
-          <login>
-            <clID>#{user.username}</clID>
-            <pw>#{user.password}</pw>
-            <options>
-              <version>1.0</version>
-              <lang>en</lang>
-            </options>
-            <svcs>
-              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
-              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
-              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
-              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
-              <svcExtension>
-                <extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
-                <extURI>https://epp.tld.ee/schema/eis-1.0.xsd</extURI>
-              </svcExtension>
-            </svcs>
-          </login>
-          <clTRID>ABC-12345</clTRID>
-        </command>
-      </epp>"
-
-      post '/epp/session/login', frame: login_xml
-    end
-
     def sign_in_to_admin_area(user: create(:admin_user))
       post admin_sessions_path, admin_user: { username: user.username, password: user.password }
     end

test/fixtures/epp_sessions.yml

@@ -1,9 +1,7 @@
 api_bestnames:
-  session_id: 1
+  session_id: api_bestnames
-  registrar: bestnames
+  user: api_bestnames
-  data: <%= Base64.encode64(Marshal.dump({api_user_id: ActiveRecord::Fixtures.identify(:api_bestnames)})) %>
 
 api_goodnames:
-  session_id: 2
+  session_id: api_goodnames
-  registrar: goodnames
+  user: api_goodnames
-  data: <%= Base64.encode64(Marshal.dump({api_user_id: ActiveRecord::Fixtures.identify(:api_goodnames)})) %>

test/integration/epp/login/credentials_test.rb

@@ -0,0 +1,64 @@
+require 'test_helper'
+
+class EppLoginCredentialsTest < ActionDispatch::IntegrationTest
+  def test_correct_credentials
+    request_xml = <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <login>
+            <clID>test_bestnames</clID>
+            <pw>testtest</pw>
+            <options>
+              <version>1.0</version>
+              <lang>en</lang>
+            </options>
+            <svcs>
+              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            </svcs>
+          </login>
+        </command>
+      </epp>
+    XML
+
+    post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=new_session_id' }
+    assert EppSession.find_by(session_id: 'new_session_id')
+    assert_equal users(:api_bestnames), EppSession.find_by(session_id: 'new_session_id').user
+    assert Nokogiri::XML(response.body).at_css('result[code="1000"]')
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+
+  def test_already_logged_in
+    assert true # Handled by mod_epp
+  end
+
+  def test_wrong_credentials
+    request_xml = <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <login>
+            <clID>non-existent</clID>
+            <pw>valid-but-wrong</pw>
+            <options>
+              <version>1.0</version>
+              <lang>en</lang>
+            </options>
+            <svcs>
+              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            </svcs>
+          </login>
+        </command>
+      </epp>
+    XML
+
+    post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=any_random_string' }
+    assert Nokogiri::XML(response.body).at_css('result[code="2501"]')
+  end
+end

test/integration/epp/login/session_limit_test.rb

@@ -0,0 +1,63 @@
+require 'test_helper'
+
+class EppLoginSessionLimitTest < ActionDispatch::IntegrationTest
+  def setup
+    travel_to Time.zone.parse('2010-07-05')
+    EppSession.delete_all
+  end
+
+  def test_not_reached
+    (EppSession.limit_per_registrar - 1).times do
+      EppSession.create!(session_id: SecureRandom.hex,
+                         user: users(:api_bestnames),
+                         updated_at: Time.zone.parse('2010-07-05'))
+    end
+
+    assert_difference 'EppSession.count' do
+      post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=new_session_id' }
+    end
+
+    assert Nokogiri::XML(response.body).at_css('result[code="1000"]')
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+
+  def test_reached
+    EppSession.limit_per_registrar.times do
+      EppSession.create!(session_id: SecureRandom.hex,
+                         user: users(:api_bestnames),
+                         updated_at: Time.zone.parse('2010-07-05'))
+    end
+
+    assert_no_difference 'EppSession.count' do
+      post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=new_session_id' }
+    end
+
+    assert Nokogiri::XML(response.body).at_css('result[code="2501"]')
+  end
+
+  private
+
+  def request_xml
+    <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <login>
+            <clID>test_bestnames</clID>
+            <pw>testtest</pw>
+            <options>
+              <version>1.0</version>
+              <lang>en</lang>
+            </options>
+            <svcs>
+              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            </svcs>
+          </login>
+        </command>
+      </epp>
+    XML
+  end
+end

test/integration/epp/logout_test.rb

@@ -0,0 +1,37 @@
+require 'test_helper'
+
+class EppLogoutTest < ActionDispatch::IntegrationTest
+  def test_success_response
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert Nokogiri::XML(response.body).at_css('result[code="1500"]')
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+
+  def test_ends_current_session
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert_nil EppSession.find_by(session_id: 'api_bestnames')
+  end
+
+  def test_keeps_other_sessions_intact
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=api_bestnames' }
+    assert EppSession.find_by(session_id: 'api_goodnames')
+  end
+
+  def test_anonymous_user
+    post '/epp/session/logout', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=non-existent' }
+    assert Nokogiri::XML(response.body).at_css('result[code="2201"]')
+  end
+
+  private
+
+  def request_xml
+    <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <logout/>
+        </command>
+      </epp>
+    XML
+  end
+end

test/models/epp_session_test.rb

@@ -0,0 +1,63 @@
+require 'test_helper'
+
+class EppSessionTest < ActiveSupport::TestCase
+  def setup
+    @epp_session = epp_sessions(:api_bestnames)
+  end
+
+  def test_valid
+    assert @epp_session.valid?
+  end
+
+  def test_invalid_without_session_id
+    @epp_session.session_id = nil
+    @epp_session.validate
+    assert @epp_session.invalid?
+  end
+
+  def test_invalid_without_user
+    @epp_session.user = nil
+    @epp_session.validate
+    assert @epp_session.invalid?
+  end
+
+  def test_invalid_if_persisted_record_with_the_same_session_id_exists
+    epp_session = EppSession.new(session_id: @epp_session.session_id, user: @epp_session.user)
+    epp_session.validate
+    assert epp_session.invalid?
+  end
+
+  # Having session_id constraints at the database level is crucial
+
+  def test_database_session_id_unique_constraint
+    epp_session = EppSession.new(session_id: @epp_session.session_id, user: @epp_session.user)
+
+    assert_raises ActiveRecord::RecordNotUnique do
+      epp_session.save(validate: false)
+    end
+  end
+
+  def test_database_session_id_not_null_constraint
+    @epp_session.session_id = nil
+    assert_raises ActiveRecord::StatementInvalid do
+      @epp_session.save(validate: false)
+    end
+  end
+
+  def test_limit_per_registrar
+    assert_equal 4, EppSession.limit_per_registrar
+  end
+
+  def test_limit_is_per_registrar
+    travel_to Time.zone.parse('2010-07-05')
+    EppSession.delete_all
+
+    EppSession.limit_per_registrar.times do
+      EppSession.create!(session_id: SecureRandom.hex,
+                         user: users(:api_goodnames),
+                         updated_at: Time.zone.parse('2010-07-05'))
+    end
+
+    refute EppSession.limit_reached?(registrars(:bestnames))
+  end
+end