RubyGems - cm-devise_token_auth - Versions diffs - 0.1.30.1 - Mend

cm-devise_token_auth 0.1.30.1

Files changed (117) hide show

checksums.yaml +7 -0
data/LICENSE +13 -0
data/README.md +688 -0
data/Rakefile +34 -0
data/app/controllers/devise_token_auth/application_controller.rb +17 -0
data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +109 -0
data/app/controllers/devise_token_auth/confirmations_controller.rb +31 -0
data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +171 -0
data/app/controllers/devise_token_auth/passwords_controller.rb +155 -0
data/app/controllers/devise_token_auth/registrations_controller.rb +123 -0
data/app/controllers/devise_token_auth/sessions_controller.rb +98 -0
data/app/controllers/devise_token_auth/token_validations_controller.rb +23 -0
data/app/models/devise_token_auth/concerns/user.rb +231 -0
data/app/views/devise/mailer/confirmation_instructions.html.erb +5 -0
data/app/views/devise/mailer/reset_password_instructions.html.erb +8 -0
data/app/views/devise/mailer/unlock_instructions.html.erb +7 -0
data/app/views/devise_token_auth/omniauth_failure.html.erb +2 -0
data/app/views/devise_token_auth/omniauth_success.html.erb +8 -0
data/app/views/layouts/omniauth_response.html.erb +31 -0
data/config/initializers/devise.rb +203 -0
data/config/locales/devise.en.yml +59 -0
data/config/routes.rb +5 -0
data/lib/devise_token_auth.rb +7 -0
data/lib/devise_token_auth/controllers/helpers.rb +129 -0
data/lib/devise_token_auth/controllers/url_helpers.rb +8 -0
data/lib/devise_token_auth/engine.rb +25 -0
data/lib/devise_token_auth/rails/routes.rb +65 -0
data/lib/devise_token_auth/version.rb +3 -0
data/lib/generators/devise_token_auth/USAGE +31 -0
data/lib/generators/devise_token_auth/install_generator.rb +115 -0
data/lib/generators/devise_token_auth/install_views_generator.rb +16 -0
data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +22 -0
data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +54 -0
data/lib/generators/devise_token_auth/templates/user.rb +3 -0
data/lib/tasks/devise_token_auth_tasks.rake +4 -0
data/test/controllers/demo_group_controller_test.rb +126 -0
data/test/controllers/demo_mang_controller_test.rb +263 -0
data/test/controllers/demo_user_controller_test.rb +262 -0
data/test/controllers/devise_token_auth/confirmations_controller_test.rb +107 -0
data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +167 -0
data/test/controllers/devise_token_auth/passwords_controller_test.rb +287 -0
data/test/controllers/devise_token_auth/registrations_controller_test.rb +458 -0
data/test/controllers/devise_token_auth/sessions_controller_test.rb +221 -0
data/test/controllers/overrides/confirmations_controller_test.rb +44 -0
data/test/controllers/overrides/omniauth_callbacks_controller_test.rb +44 -0
data/test/controllers/overrides/passwords_controller_test.rb +62 -0
data/test/controllers/overrides/registrations_controller_test.rb +40 -0
data/test/controllers/overrides/sessions_controller_test.rb +33 -0
data/test/controllers/overrides/token_validations_controller_test.rb +38 -0
data/test/dummy/README.rdoc +28 -0
data/test/dummy/Rakefile +6 -0
data/test/dummy/app/assets/images/logo.jpg +0 -0
data/test/dummy/app/assets/images/omniauth-provider-settings.png +0 -0
data/test/dummy/app/assets/javascripts/application.js +13 -0
data/test/dummy/app/assets/stylesheets/application.css +15 -0
data/test/dummy/app/controllers/application_controller.rb +16 -0
data/test/dummy/app/controllers/demo_group_controller.rb +13 -0
data/test/dummy/app/controllers/demo_mang_controller.rb +12 -0
data/test/dummy/app/controllers/demo_user_controller.rb +12 -0
data/test/dummy/app/controllers/overrides/confirmations_controller.rb +32 -0
data/test/dummy/app/controllers/overrides/omniauth_callbacks_controller.rb +14 -0
data/test/dummy/app/controllers/overrides/passwords_controller.rb +39 -0
data/test/dummy/app/controllers/overrides/registrations_controller.rb +27 -0
data/test/dummy/app/controllers/overrides/sessions_controller.rb +43 -0
data/test/dummy/app/controllers/overrides/token_validations_controller.rb +23 -0
data/test/dummy/app/helpers/application_helper.rb +1065 -0
data/test/dummy/app/models/evil_user.rb +3 -0
data/test/dummy/app/models/mang.rb +3 -0
data/test/dummy/app/models/user.rb +18 -0
data/test/dummy/app/views/layouts/application.html.erb +14 -0
data/test/dummy/bin/bundle +3 -0
data/test/dummy/bin/rails +8 -0
data/test/dummy/bin/rake +8 -0
data/test/dummy/bin/spring +18 -0
data/test/dummy/config.ru +16 -0
data/test/dummy/config/application.rb +23 -0
data/test/dummy/config/application.yml.bk +0 -0
data/test/dummy/config/boot.rb +5 -0
data/test/dummy/config/database.yml +31 -0
data/test/dummy/config/environment.rb +5 -0
data/test/dummy/config/environments/development.rb +44 -0
data/test/dummy/config/environments/production.rb +82 -0
data/test/dummy/config/environments/test.rb +40 -0
data/test/dummy/config/initializers/assets.rb +8 -0
data/test/dummy/config/initializers/backtrace_silencers.rb +7 -0
data/test/dummy/config/initializers/cookies_serializer.rb +3 -0
data/test/dummy/config/initializers/devise_token_auth.rb +22 -0
data/test/dummy/config/initializers/figaro.rb +1 -0
data/test/dummy/config/initializers/filter_parameter_logging.rb +4 -0
data/test/dummy/config/initializers/inflections.rb +16 -0
data/test/dummy/config/initializers/mime_types.rb +4 -0
data/test/dummy/config/initializers/omniauth.rb +8 -0
data/test/dummy/config/initializers/session_store.rb +3 -0
data/test/dummy/config/initializers/wrap_parameters.rb +14 -0
data/test/dummy/config/locales/en.yml +23 -0
data/test/dummy/config/routes.rb +30 -0
data/test/dummy/config/secrets.yml +22 -0
data/test/dummy/config/spring.rb +1 -0
data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +56 -0
data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +56 -0
data/test/dummy/db/migrate/20140829044006_add_operating_thetan_to_user.rb +6 -0
data/test/dummy/db/migrate/20140916224624_add_favorite_color_to_mangs.rb +5 -0
data/test/dummy/db/migrate/20140928231203_devise_token_auth_create_evil_users.rb +57 -0
data/test/dummy/db/schema.rb +114 -0
data/test/dummy/public/404.html +67 -0
data/test/dummy/public/422.html +67 -0
data/test/dummy/public/500.html +66 -0
data/test/dummy/public/favicon.ico +0 -0
data/test/fixtures/evil_users.yml +29 -0
data/test/fixtures/mangs.yml +29 -0
data/test/fixtures/users.yml +29 -0
data/test/integration/navigation_test.rb +10 -0
data/test/lib/generators/devise_token_auth/install_generator_test.rb +178 -0
data/test/lib/generators/devise_token_auth/install_views_generator_test.rb +23 -0
data/test/models/user_test.rb +90 -0
data/test/test_helper.rb +60 -0
metadata +310 -0

data/app/controllers/devise_token_auth/registrations_controller.rb ADDED

@@ -0,0 +1,123 @@
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:destroy, :update]
+    skip_after_filter :update_auth_header, :only => [:create, :destroy]
+    respond_to :json
+    def create
+      @resource            = resource_class.new(sign_up_params)
+      @resource.provider   = "email"
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].downcase
+      else
+        @resource.email = sign_up_params[:email]
+      end
+      # success redirect url is required
+      unless params[:confirm_success_url]
+        return render json: {
+          status: 'error',
+          data:   @resource,
+          errors: ["Missing `confirm_success_url` param."]
+        }, status: 403
+      end
+      begin
+        # override email confirmation, must be sent manually from ctrl
+        resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+        if @resource.save
+          unless @resource.confirmed?
+            # user will require email authentication
+            @resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: params[:confirm_success_url]
+            })
+          else
+            # email auth has been bypassed, authenticate user
+            @client_id = SecureRandom.urlsafe_base64(nil, false)
+            @token     = SecureRandom.urlsafe_base64(nil, false)
+            @resource.tokens[@client_id] = {
+              token: BCrypt::Password.create(@token),
+              expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+            }
+            @resource.save!
+            update_auth_header
+          end
+          render json: {
+            status: 'success',
+            data:   @resource.as_json
+          }
+        else
+          clean_up_passwords @resource
+          render json: {
+            status: 'error',
+            data:   @resource,
+            errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+          }, status: 403
+        end
+      rescue ActiveRecord::RecordNotUnique
+        clean_up_passwords @resource
+        render json: {
+          status: 'error',
+          data:   @resource,
+          errors: ["An account already exists for #{@resource.email}"]
+        }, status: 403
+      end
+    end
+    def update
+      if @resource
+        if @resource.update_attributes(account_update_params)
+          render json: {
+            status: 'success',
+            data:   @resource.as_json
+          }
+        else
+          render json: {
+            status: 'error',
+            errors: @resource.errors
+          }, status: 403
+        end
+      else
+        render json: {
+          status: 'error',
+          errors: ["User not found."]
+        }, status: 404
+      end
+    end
+    def destroy
+      if @resource
+        @resource.destroy
+        render json: {
+          status: 'success',
+          message: "Account with uid #{@resource.uid} has been destroyed."
+        }
+      else
+        render json: {
+          status: 'error',
+          errors: ["Unable to locate account for destruction."]
+        }, status: 404
+      end
+    end
+    def sign_up_params
+      params.permit(devise_parameter_sanitizer.for(:sign_up))
+    end
+    def account_update_params
+      params.permit(devise_parameter_sanitizer.for(:account_update))
+    end
+  end
+end

data/app/controllers/devise_token_auth/sessions_controller.rb ADDED

@@ -0,0 +1,98 @@
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    I18N_ERRORS_KEY = "devise_token_auth.errors"
+    before_filter :set_user_by_token, :only => [:destroy]
+    def create
+      if valid_params?
+        # honor devise configuration for case_insensitive_keys
+        if resource_class.case_insensitive_keys.include?(:email)
+          email = resource_params[:email].downcase
+        else
+          email = resource_params[:email]
+        end
+      else
+        render_json_error :unauthorized, :invalid_login, default: "Invalid login credentials. Please try again."
+        return
+      end
+      q = "uid='#{email}' AND provider='email'"
+      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+        q = "BINARY uid='#{email}' AND provider='email'"
+      end
+      resources = resource_class.where(q)
+      resources = resources.active if resource_class.respond_to?(:active)
+      @resource = resources.first
+      if @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
+        render_json_error :unauthorized, :invalid_login, default: "Invalid login credentials. Please try again."
+      elsif @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
+        # create client id
+        @client_id = SecureRandom.urlsafe_base64(nil, false)
+        @token     = SecureRandom.urlsafe_base64(nil, false)
+        @resource.tokens[@client_id] = {
+          token: BCrypt::Password.create(@token),
+          expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+        }
+        @resource.save
+        sign_in(:user, @resource, store: false, bypass: false)
+        render json: {
+          data: @resource.as_json(except: [
+            :tokens, :created_at, :updated_at
+          ])
+        }
+      elsif @resource and not @resource.confirmed?
+        default_message = "A confirmation email was sent to your account at #{@resource.email}. "+
+          "You must follow the instructions in the email before your account "+
+          "can be activated"
+        render_json_error :unauthorized, :confirmation_was_sent, default: default_message, email: @resource.email
+      else
+        render_json_error :unauthorized, :invalid_login, default: "Invalid login credentials. Please try again."
+      end
+    end
+    def destroy
+      # remove auth instance variables so that after_filter does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client_id = remove_instance_variable(:@client_id) if @client_id
+      remove_instance_variable(:@token) if @token
+      if user and client_id and user.tokens[client_id]
+        user.tokens.delete(client_id)
+        user.save!
+        render json: {
+          success:true
+        }, status: 200
+      else
+        render_json_error :not_found, :user_not_found, default: "User was not found or was not logged in."
+      end
+    end
+    def valid_params?
+      resource_params[:password] && resource_params[:email]
+    end
+    def resource_params
+      params.permit(devise_parameter_sanitizer.for(:sign_in))
+    end
+    def render_json_error(status, error, options)
+      message = I18n.t("#{I18N_ERRORS_KEY}.#{error}", options)
+      render json: {
+        errors: [message]
+      }, status: status
+    end
+  end
+end

data/app/controllers/devise_token_auth/token_validations_controller.rb ADDED

@@ -0,0 +1,23 @@
+module DeviseTokenAuth
+  class TokenValidationsController < DeviseTokenAuth::ApplicationController
+    skip_before_filter :assert_is_devise_resource!, :only => [:validate_token]
+    before_filter :set_user_by_token, :only => [:validate_token]
+    def validate_token
+      # @resource will have been set by set_user_token concern
+      if @resource
+        render json: {
+          success: true,
+          data: @resource.as_json(except: [
+            :tokens, :created_at, :updated_at
+          ])
+        }
+      else
+        render json: {
+          success: false,
+          errors: ["Invalid login credentials"]
+        }, status: 401
+      end
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb ADDED

@@ -0,0 +1,231 @@
+module DeviseTokenAuth::Concerns::User
+  extend ActiveSupport::Concern
+  included do
+    # Include default devise modules. Others available are:
+    # :confirmable, :lockable, :timeoutable and :omniauthable
+    devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable
+    serialize :tokens, JSON
+    validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' }
+    validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' }
+    # only validate unique emails among email registration users
+    validate :unique_email_user, on: :create
+    # can't set default on text fields in mysql, simulate here instead.
+    after_save :set_empty_token_hash
+    after_initialize :set_empty_token_hash
+    # keep uid in sync with email
+    before_save :sync_uid
+    before_create :sync_uid
+    # get rid of dead tokens
+    before_save :destroy_expired_tokens
+    # don't use default devise email validation
+    def email_required?
+      false
+    end
+    def email_changed?
+      false
+    end
+    # override devise method to include additional info as opts hash
+    def send_confirmation_instructions(opts=nil)
+      unless @raw_confirmation_token
+        generate_confirmation_token!
+      end
+      opts ||= {}
+      # fall back to "default" config name
+      opts[:client_config] ||= "default"
+      if pending_reconfirmation?
+        opts[:to] = unconfirmed_email
+      end
+      send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+    end
+    # override devise method to include additional info as opts hash
+    def send_reset_password_instructions(opts=nil)
+      token = set_reset_password_token
+      opts ||= {}
+      # fall back to "default" config name
+      opts[:client_config] ||= "default"
+      if pending_reconfirmation?
+        opts[:to] = unconfirmed_email
+      else
+        opts[:to] = email
+      end
+      send_devise_notification(:reset_password_instructions, token, opts)
+      token
+    end
+  end
+  def valid_token?(token, client_id='default')
+    client_id ||= 'default'
+    return false unless self.tokens[client_id]
+    return true if token_is_current?(token, client_id)
+    return true if token_can_be_reused?(token, client_id)
+    # return false if none of the above conditions are met
+    return false
+  end
+  # this must be done from the controller so that additional params
+  # can be passed on from the client
+  def send_confirmation_notification?
+    false
+  end
+  def token_is_current?(token, client_id)
+    return true if (
+      # ensure that expiry and token are set
+      self.tokens[client_id]['expiry'] and
+      self.tokens[client_id]['token'] and
+      # ensure that the token has not yet expired
+      DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and
+      # ensure that the token is valid
+      BCrypt::Password.new(self.tokens[client_id]['token']) == token
+    )
+  end
+  # allow batch requests to use the previous token
+  def token_can_be_reused?(token, client_id)
+    return true if (
+      # ensure that the last token and its creation time exist
+      self.tokens[client_id]['updated_at'] and
+      self.tokens[client_id]['last_token'] and
+      # ensure that previous token falls within the batch buffer throttle time of the last request
+      Time.parse(self.tokens[client_id]['updated_at']) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and
+      # ensure that the token is valid
+      BCrypt::Password.new(self.tokens[client_id]['last_token']) == token
+    )
+  end
+  # update user's auth token (should happen on each request)
+  def create_new_auth_token(client_id=nil)
+    client_id  ||= SecureRandom.urlsafe_base64(nil, false)
+    last_token ||= nil
+    token        = SecureRandom.urlsafe_base64(nil, false)
+    token_hash   = BCrypt::Password.create(token)
+    expiry       = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+    if self.tokens[client_id] and self.tokens[client_id]['token']
+      last_token = self.tokens[client_id]['token']
+    end
+    self.tokens[client_id] = {
+      token:      token_hash,
+      expiry:     expiry,
+      last_token: last_token,
+      updated_at: Time.now
+    }
+    self.save!
+    return build_auth_header(token, client_id)
+  end
+  def build_auth_header(token, client_id='default')
+    return unless self.tokens[client_id]
+    # client may use expiry to prevent validation request if expired
+    # must be cast as string or headers will break
+    expiry = self.tokens[client_id]['expiry'].to_s
+    return {
+      "access-token" => token,
+      "token-type"   => "Bearer",
+      "client"       => client_id,
+      "expiry"       => expiry,
+      "uid"          => self.uid
+    }
+  end
+  def build_auth_url(base_url, args)
+    args[:uid]    = self.uid
+    args[:expiry] = self.tokens[args[:client_id]]['expiry']
+    generate_url(base_url, args)
+  end
+  def extend_batch_buffer(token, client_id)
+    self.tokens[client_id]['updated_at'] = Time.now
+    self.save!
+    return build_auth_header(token, client_id)
+  end
+  protected
+  # NOTE: ensure that fragment comes AFTER querystring for proper $location
+  # parsing using AngularJS.
+  def generate_url(url, params = {})
+    uri = URI(url)
+    res = "#{uri.scheme}://#{uri.host}"
+    res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443)
+    res += "#{uri.path}" if uri.path
+    res += '#'
+    res += "#{uri.fragment}" if uri.fragment
+    res += "?#{params.to_query}"
+    return res
+  end
+  # only validate unique email among users that registered by email
+  def unique_email_user
+    if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0
+      errors.add(:email, :already_in_use, default: "This email address is already in use")
+    end
+  end
+  def set_empty_token_hash
+    self.tokens ||= {} if has_attribute?(:tokens)
+  end
+  def sync_uid
+    self.uid = email if provider == 'email'
+  end
+  def destroy_expired_tokens
+    self.tokens.delete_if{|cid,v|
+      expiry = v[:expiry] || v["expiry"]
+      DateTime.strptime(expiry.to_s, '%s') < Time.now
+    }
+  end
+end