authpwn_rails 0.18.0 → 0.18.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 65618dde26dcdad94e8dc8e72daa2f32fd9ceef2
-  data.tar.gz: 423f8dcf94083a6e5c3ab49f6c73caa8ed6567ed
+  metadata.gz: f95225e77bd6c767761b3cf3495ccb273201c74e
+  data.tar.gz: cd28df6a7be62f693e4f238d16678c47173d720f
 SHA512:
-  metadata.gz: 434cb53b2466d1fa67cef7daa6b3d5a46a588568ebd82b7cef7533ac5c33e4f883b034113d8bc6a07911026e3f61d9617740e525a450aad5fb5081dd7c89bf07
-  data.tar.gz: 243f68501820c8eaecddc32d17ff36b5931ebdeacb703d0f09d696e4919ca92c687a2ea319878e155e30c2f7e63547d2aa2f394f38b73a41832e72c89f739005
+  metadata.gz: fc668c5c618028caa5d320f2247161bf6d09a23b969b7f6aa04c2173d5877ea7e917e951c7a0511621cecf0b29d3aaa9c9f190e847c4ea7e67c4acd84c85f92f
+  data.tar.gz: 925a34ef07e886f44ee7b42ef2d829d35bc6e9212f29a283a1effcef70183036cef41bcc599241b9a4947f2cf2a2cbb1b5b960ea037a262dd2cccd1fd22fbaa7

data/VERSION

@@ -1 +1 @@
-0.18.0
+0.18.1

data/authpwn_rails.gemspec

@@ -2,11 +2,11 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: authpwn_rails 0.18.0 ruby lib
+# stub: authpwn_rails 0.18.1 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.18.0"
+  s.version = "0.18.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
@@ -57,6 +57,7 @@ Gem::Specification.new do |s|
     "lib/authpwn_rails/generators/templates/initializer.rb",
     "lib/authpwn_rails/generators/templates/omniauth_initializer.rb",
     "lib/authpwn_rails/generators/templates/session.rb",
+    "lib/authpwn_rails/generators/templates/session/api_token.html.erb",
     "lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
     "lib/authpwn_rails/generators/templates/session/home.html.erb",
     "lib/authpwn_rails/generators/templates/session/new.html.erb",
@@ -94,6 +95,7 @@ Gem::Specification.new do |s|
     "test/credentials/password_reset_token_test.rb",
     "test/credentials/session_uid_token_test.rb",
     "test/credentials/token_crendential_test.rb",
+    "test/fixtures/bare_session/api_token.html.erb",
     "test/fixtures/bare_session/forbidden.html.erb",
     "test/fixtures/bare_session/home.html.erb",
     "test/fixtures/bare_session/new.html.erb",

data/lib/authpwn_rails/generators/all_generator.rb

@@ -32,6 +32,8 @@ class AllGenerator < Rails::Generators::Base
   end
 
   def create_session_views
+    copy_file File.join('session', 'api_token.html.erb'),
+              File.join('app', 'views', 'session', 'api_token.html.erb')
     copy_file File.join('session', 'forbidden.html.erb'),
               File.join('app', 'views', 'session', 'forbidden.html.erb')
     copy_file File.join('session', 'home.html.erb'),

data/lib/authpwn_rails/generators/templates/session/api_token.html.erb

@@ -0,0 +1,5 @@
+<h1>API Token</h1>
+
+<p>
+  Your API token is: <span class="api-token"><%= @api_token %></span>
+</p>

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -120,6 +120,23 @@ class SessionControllerTest < ActionController::TestCase
     assert_redirected_to new_session_url
   end
 
+  test "API token request" do
+    user = users(:john)
+    set_session_current_user user
+    get :api_token
+
+    assert_select 'span[class="api-token"]', credentials(:john_api_token).code
+  end
+
+  test "API token JSON request" do
+    user = users(:john)
+    set_session_current_user user
+    get :api_token, format: 'json'
+
+    assert_equal credentials(:john_api_token).code,
+        ActiveSupport::JSON.decode(response.body)['api_token']
+  end
+
   test "OmniAuth failure" do
     get :omniauth_failure
 

data/lib/authpwn_rails/routes.rb

@@ -37,6 +37,8 @@ module MapperMixin
     post "/#{paths}", controller: controller, action: 'create'
     delete "/#{paths}", controller: controller, action: 'destroy'
 
+    get "/#{paths}/api_token", controller: controller, action: 'api_token',
+                               as: "api_token_#{methods}"
     get "/#{paths}/change_password", controller: controller,
                                     action: 'password_change',
                                     as: "change_password_#{methods}"

data/lib/authpwn_rails/session_controller.rb

@@ -90,6 +90,22 @@ module SessionController
     end
   end
 
+  # GET /api_token
+  def api_token
+    unless current_user
+      bounce_user
+      return
+    end
+
+    token = Tokens::Api.where(user_id: current_user.id).first ||
+        Tokens::Api.random_for(current_user)
+    @api_token = token.code
+    respond_to do |format|
+      format.html
+      format.json { render json: { api_token: @api_token } }
+    end
+  end
+
   # POST /session/reset_password
   def reset_password
     email = params[:session] && params[:session][:email]
@@ -127,9 +143,12 @@ module SessionController
 
   # GET /session/token/token-code
   def token
-    # NOTE: This repeats the code in Token::Base.authenticate, because we need
-    #       the token.
-    if token = Tokens::Base.with_code(params[:code]).first
+    # NOTE: We don't use Tokens::Base here because we don't want users to abuse
+    #       API tokens to build permanent login links.
+    #
+    # This repeats the code in Token::Base.authenticate, because we need the
+    # token.
+    if token = Tokens::OneTime.with_code(params[:code]).first
       auth = token.authenticate
     else
       auth = :invalid

data/test/fixtures/bare_session/api_token.html.erb

@@ -0,0 +1,5 @@
+<h1>API Token</h1>
+
+<p>
+  Your API token is: <span class="api-token"><%= @api_token %></span>
+</p>

data/test/routes_test.rb

@@ -15,8 +15,8 @@ class RoutesTest < ActionController::TestCase
                    {controller: 'session', action: 'create'})
     assert_routing({path: '/session', method: :delete},
                    {controller: 'session', action: 'destroy'})
-    assert_routing({path: '/session', method: :delete},
-                   {controller: 'session', action: 'destroy'})
+    assert_routing({path: '/session/api_token', method: :get},
+                   {controller: 'session', action: 'api_token'})
     assert_routing({path: '/session/change_password', method: :get},
                    {controller: 'session', action: 'password_change'})
     assert_routing({path: '/session/change_password', method: :post},

data/test/session_controller_api_test.rb

@@ -399,6 +399,57 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_nil assigns(:current_user)
   end
 
+  test "api_token request" do
+    user = users(:john)
+    set_session_current_user user
+    get :api_token
+    assert_response :ok
+    assert_select 'span[class="api-token"]', credentials(:john_api_token).code
+  end
+
+  test "api_token request from user without token" do
+    set_session_current_user @user
+    assert_difference 'Tokens::Api.count', 1 do
+      get :api_token
+    end
+    assert_response :ok
+    token = @user.credentials.where(type: 'Tokens::Api').first
+    assert_select 'span[class="api-token"]', token.code
+  end
+
+  test "api_token request without logged in user" do
+    get :api_token
+    assert_response :forbidden
+  end
+
+  test "api_token JSON request" do
+    user = users(:john)
+    set_session_current_user user
+    get :api_token, format: 'json'
+
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal credentials(:john_api_token).code, data['api_token']
+  end
+
+  test "api_token JSON request from user without token" do
+    set_session_current_user @user
+    assert_difference 'Tokens::Api.count', 1 do
+      get :api_token, format: 'json'
+    end
+    token = @user.credentials.where(type: 'Tokens::Api').first
+
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal token.code, data['api_token']
+  end
+
+  test "api_token JSON request without logged in user" do
+    get :api_token, format: 'json'
+    assert_response :ok
+
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'Please sign in', data['error']
+  end
+
   test "password_change bounces without logged in user" do
     get :password_change
     assert_response :forbidden

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-  version: 0.18.0
+  version: 0.18.1
 platform: ruby
 authors:
 - Victor Costan
@@ -224,6 +224,7 @@ files:
 - lib/authpwn_rails/generators/templates/initializer.rb
 - lib/authpwn_rails/generators/templates/omniauth_initializer.rb
 - lib/authpwn_rails/generators/templates/session.rb
+- lib/authpwn_rails/generators/templates/session/api_token.html.erb
 - lib/authpwn_rails/generators/templates/session/forbidden.html.erb
 - lib/authpwn_rails/generators/templates/session/home.html.erb
 - lib/authpwn_rails/generators/templates/session/new.html.erb
@@ -261,6 +262,7 @@ files:
 - test/credentials/password_reset_token_test.rb
 - test/credentials/session_uid_token_test.rb
 - test/credentials/token_crendential_test.rb
+- test/fixtures/bare_session/api_token.html.erb
 - test/fixtures/bare_session/forbidden.html.erb
 - test/fixtures/bare_session/home.html.erb
 - test/fixtures/bare_session/new.html.erb