cm-devise_token_auth 0.1.30.1

data/Rakefile

@@ -0,0 +1,34 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseTokenAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/app/controllers/devise_token_auth/application_controller.rb

@@ -0,0 +1,17 @@
+module DeviseTokenAuth
+  class ApplicationController < DeviseController
+    include DeviseTokenAuth::Concerns::SetUserByToken
+    respond_to :json
+
+
+    def resource_class(m=nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
+  end
+end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -0,0 +1,109 @@
+module DeviseTokenAuth::Concerns::SetUserByToken
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Controllers::Helpers
+
+  included do
+    before_action :set_request_start
+    after_action :update_auth_header
+  end
+
+  # keep track of request duration
+  def set_request_start
+    @request_started_at = Time.now
+  end
+
+  # user auth
+  def set_user_by_token(mapping=nil)
+
+    # determine target authentication class
+    rc = resource_class(mapping)
+    rc = rc.active if rc.respond_to?(:active)
+
+    # no default user defined
+    return unless rc
+
+    # user has already been found and authenticated
+    return @resource if @resource and @resource.class == rc
+
+    # parse header for values necessary for authentication
+    uid        = request.headers['uid']
+    @token     = request.headers['access-token']
+    @client_id = request.headers['client']
+
+    return false unless @token
+
+    # client_id isn't required, set to 'default' if absent
+    @client_id ||= 'default'
+
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.find_by_uid(uid)
+
+    if user && user.valid_token?(@token, @client_id)
+      sign_in(:user, user, store: false, bypass: true)
+      return @resource = user
+    else
+      # zero all values previously set values
+      return @resource = nil
+    end
+  end
+
+
+  def update_auth_header
+
+    # cannot save object if model has invalid params
+    return unless @resource and @resource.valid? and @client_id
+
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+
+      # determine batch request status after request processing, in case
+      # another processes has updated it during that processing
+      @is_batch_request = is_batch_request?(@resource, @client_id)
+
+      auth_header = {}
+
+      if not DeviseTokenAuth.change_headers_on_each_request
+        auth_header = @resource.build_auth_header(@token, @client_id)
+        return unless auth_header
+
+        # update the response header
+        response.headers.merge!(auth_header)
+
+      # extend expiration of batch buffer to account for the duration of
+      # this request
+      elsif @is_batch_request
+        auth_header = @resource.extend_batch_buffer(@token, @client_id)
+
+      # update Authorization response header with new token
+      else
+        auth_header = @resource.create_new_auth_token(@client_id)
+
+        # update the response header
+        response.headers.merge!(auth_header)
+      end
+
+    end # end lock
+
+  end
+
+  def resource_class(m=nil)
+    if m
+      mapping = Devise.mappings[m]
+    else
+      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+    end
+
+    mapping.to
+  end
+
+
+  private
+
+
+  def is_batch_request?(user, client_id)
+    user.tokens[client_id] and
+    user.tokens[client_id]['updated_at'] and
+    Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+  end
+end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -0,0 +1,31 @@
+module DeviseTokenAuth
+  class ConfirmationsController < DeviseTokenAuth::ApplicationController
+    def show
+      @resource = resource_class.confirm_by_token(params[:confirmation_token])
+
+      if @resource and @resource.id
+        # create client id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @resource.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        @resource.save!
+
+        redirect_to(@resource.build_auth_url(params[:redirect_url], {
+          token:                        token,
+          client_id:                    client_id,
+          account_confirmation_success: true,
+          config:                       params[:config]
+        }))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+  end
+end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,171 @@
+module DeviseTokenAuth
+  class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
+    skip_before_filter :set_user_by_token
+    skip_after_filter :update_auth_header
+
+    # intermediary route for successful omniauth authentication. omniauth does
+    # not support multiple models, so we must resort to this terrible hack.
+    def redirect_callbacks
+      # derive target redirect route from 'resource_class' param, which was set
+      # before authentication.
+      devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym
+      redirect_route = "#{Devise.mappings[devise_mapping].as_json["path_prefix"]}/#{params[:provider]}/callback"
+
+      # preserve omniauth info for success route
+      session['dta.omniauth.auth'] = request.env['omniauth.auth']
+      session['dta.omniauth.params'] = request.env['omniauth.params']
+
+      redirect_to redirect_route
+    end
+
+    def omniauth_success
+      # find or create user by provider and provider uid
+      @resource = resource_class.where({
+        uid:      auth_hash['uid'],
+        provider: auth_hash['provider']
+      }).first_or_initialize
+
+      # create token info
+      @client_id = SecureRandom.urlsafe_base64(nil, false)
+      @token     = SecureRandom.urlsafe_base64(nil, false)
+      @expiry    = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+      @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], {
+        token:     @token,
+        client_id: @client_id,
+        uid:       @resource.uid,
+        expiry:    @expiry
+      })
+
+      # set crazy password for new oauth users. this is only used to prevent
+      # access via email sign-in.
+      unless @resource.id
+        p = SecureRandom.urlsafe_base64(nil, false)
+        @resource.password = p
+        @resource.password_confirmation = p
+      end
+
+      @resource.tokens[@client_id] = {
+        token: BCrypt::Password.create(@token),
+        expiry: @expiry
+      }
+
+      # sync user info with provider, update/generate auth token
+      assign_provider_attrs(@resource, auth_hash)
+
+      # assign any additional (whitelisted) attributes
+      extra_params = whitelisted_params
+      @resource.assign_attributes(extra_params) if extra_params
+
+      # don't send confirmation email!!!
+      @resource.skip_confirmation!
+
+      sign_in(:user, @resource, store: false, bypass: false)
+
+      @resource.save!
+
+      # render user info to javascript postMessage communication window
+      respond_to do |format|
+        format.html { render :layout => "omniauth_response", :template => "devise_token_auth/omniauth_success" }
+      end
+    end
+
+
+    # break out provider attribute assignment for easy method extension
+    def assign_provider_attrs(user, auth_hash)
+      user.assign_attributes({
+        nickname: auth_hash['info']['nickname'],
+        name:     auth_hash['info']['name'],
+        image:    auth_hash['info']['image'],
+        email:    auth_hash['info']['email']
+      })
+    end
+
+
+    def omniauth_failure
+      @error = params[:message]
+
+      respond_to do |format|
+        format.html { render :layout => "omniauth_response", :template => "devise_token_auth/omniauth_failure" }
+      end
+    end
+
+
+    # derive allowed params from the standard devise parameter sanitizer
+    def whitelisted_params
+      whitelist = devise_parameter_sanitizer.for(:sign_up)
+
+      whitelist.inject({}){|coll, key|
+        param = omniauth_params[key.to_s]
+        if param
+          coll[key] = param
+        end
+        coll
+      }
+    end
+
+    # pull resource class from omniauth return
+    def resource_class
+      if omniauth_params
+        omniauth_params['resource_class'].constantize
+      end
+    end
+
+    def resource_name
+      resource_class
+    end
+
+    # this will be determined differently depending on the action that calls
+    # it. redirect_callbacks is called upon returning from successful omniauth
+    # authentication, and the target params live in an omniauth-specific
+    # request.env variable. this variable is then persisted thru the redirect
+    # using our own dta.omniauth.params session var. the omniauth_success
+    # method will access that session var and then destroy it immediately
+    # after use.
+    def omniauth_params
+      if request.env['omniauth.params']
+        request.env['omniauth.params']
+      else
+        @_omniauth_params ||= session.delete('dta.omniauth.params')
+        @_omniauth_params
+      end
+    end
+
+    # this sesison value is set by the redirect_callbacks method. its purpose
+    # is to persist the omniauth auth hash value thru a redirect. the value
+    # must be destroyed immediatly after it is accessed by omniauth_success
+    def auth_hash
+      @_auth_hash ||= session.delete('dta.omniauth.auth')
+      @_auth_hash
+    end
+
+    # ensure that this controller responds to :devise_controller? conditionals.
+    # this is used primarily for access to the parameter sanitizers.
+    def assert_is_devise_resource!
+      true
+    end
+
+    # necessary for access to devise_parameter_sanitizers
+    def devise_mapping
+      if omniauth_params
+        Devise.mappings[omniauth_params['resource_class'].underscore.to_sym]
+      else
+        request.env['devise.mapping']
+      end
+    end
+
+    def generate_url(url, params = {})
+      auth_url = url
+
+      # ensure that hash-bang is present BEFORE querystring for angularjs
+      unless url.match(/#/)
+        auth_url += '#'
+      end
+
+      # add query AFTER hash-bang
+      auth_url += "?#{params.to_query}"
+
+      return auth_url
+    end
+  end
+end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -0,0 +1,155 @@
+module DeviseTokenAuth
+  class PasswordsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:update]
+    skip_after_filter :update_auth_header, :only => [:create, :edit]
+
+    # this action is responsible for generating password reset tokens and
+    # sending emails
+    def create
+      unless resource_params[:email]
+        return render json: {
+          success: false,
+          errors: ['You must provide an email address.']
+        }, status: 401
+      end
+
+      unless params[:redirect_url]
+        return render json: {
+          success: false,
+          errors: ['Missing redirect url.']
+        }, status: 401
+      end
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        email = resource_params[:email].downcase
+      else
+        email = resource_params[:email]
+      end
+
+      q = "uid='#{email}' AND provider='email'"
+
+      # fix for mysql default case insensitivity
+      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+        q = "BINARY uid='#{email}' AND provider='email'"
+      end
+
+      @resource = resource_class.where(q).first
+
+      errors = nil
+
+      if @resource
+        @resource.send_reset_password_instructions({
+          email: email,
+          provider: 'email',
+          redirect_url: params[:redirect_url],
+          client_config: params[:config_name]
+        })
+
+        if @resource.errors.empty?
+          render json: {
+            success: true,
+            message: "An email has been sent to #{email} containing "+
+              "instructions for resetting your password."
+          }
+        else
+          errors = @resource.errors
+        end
+      else
+        errors = ["Unable to find user with email '#{email}'."]
+      end
+
+      if errors
+        render json: {
+          success: false,
+          errors: errors
+        }, status: 400
+      end
+    end
+
+
+    # this is where users arrive after visiting the email confirmation link
+    def edit
+      @resource = resource_class.reset_password_by_token({
+        reset_password_token: resource_params[:reset_password_token]
+      })
+
+      if @resource and @resource.id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @resource.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        # ensure that user is confirmed
+        @resource.skip_confirmation! unless @resource.confirmed_at
+
+        @resource.save!
+
+        redirect_to(@resource.build_auth_url(params[:redirect_url], {
+          token:          token,
+          client_id:      client_id,
+          reset_password: true,
+          config:         params[:config]
+        }))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+
+    def update
+      # make sure user is authorized
+      unless @resource
+        return render json: {
+          success: false,
+          errors: ['Unauthorized']
+        }, status: 401
+      end
+
+      # make sure account doesn't use oauth2 provider
+      unless @resource.provider == 'email'
+        return render json: {
+          success: false,
+          errors: ["This account does not require a password. Sign in using "+
+                   "your #{@resource.provider.humanize} account instead."]
+        }, status: 422
+      end
+
+      # ensure that password params were sent
+      unless password_resource_params[:password] and password_resource_params[:password_confirmation]
+        return render json: {
+          success: false,
+          errors: ['You must fill out the fields labeled "password" and "password confirmation".']
+        }, status: 422
+      end
+
+      if @resource.update_attributes(password_resource_params)
+        return render json: {
+          success: true,
+          data: {
+            user: @resource,
+            message: "Your password has been successfully updated."
+          }
+        }
+      else
+        return render json: {
+          success: false,
+          errors: @resource.errors
+        }, status: 422
+      end
+    end
+
+    def password_resource_params
+      params.permit(devise_parameter_sanitizer.for(:account_update))
+    end
+
+    def resource_params
+      params.permit(:email, :password, :password_confirmation, :reset_password_token)
+    end
+
+  end
+end