devise-token_authenticatable 0.1.0.beta1

data/.gitignore

@@ -0,0 +1,21 @@
+*.gem
+*.rbc
+*.log
+.bundle
+.config
+.rspec
+.rspec-local
+.ruby-version
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise-token_authenticatable.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Sebastian Oelke
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,31 @@
+# Devise::TokenAuthenticatable
+
+**Note that this gem is not ready for usage, yet!**
+
+TODO: Write a gem description
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'devise-token_authenticatable'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install devise-token_authenticatable
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/devise-token_authenticatable.gemspec

@@ -0,0 +1,36 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devise/token_authenticatable/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "devise-token_authenticatable"
+  spec.version       = Devise::TokenAuthenticatable::VERSION.dup
+  spec.platform      = Gem::Platform::RUBY
+  spec.authors       = ["Sebastian Oelke"]
+  spec.email         = ["dev@sohleeatsworld.de"]
+  spec.description   = %q{This gem provides the extracted Token Authenticatable module of devise.
+                          It enables the user to sign in via an authentication token. This token
+                          can be given via a query string or HTTP Basic Authentication.}
+  spec.summary       = %q{Provides authentication based on an authentication token for devise 3.2 and up.}
+  spec.homepage      = "https://github.com/baschtl/devise-token_authenticatable"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+
+  spec.add_dependency "devise", "~> 3.2.0"
+
+  spec.add_development_dependency "activerecord",       ">= 3.2"
+  spec.add_development_dependency "actionmailer",       ">= 3.2"
+  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "factory_girl_rails"
+  spec.add_development_dependency "timecop"
+  spec.add_development_dependency "sqlite3",            "~> 1.3"
+  spec.add_development_dependency "bundler",            "~> 1.3"
+  spec.add_development_dependency "rake"
+end

data/lib/devise-token_authenticatable.rb

@@ -0,0 +1 @@
+require 'devise/token_authenticatable'

data/lib/devise/token_authenticatable.rb

@@ -0,0 +1,27 @@
+require "devise/token_authenticatable/strategy"
+
+module Devise
+  module TokenAuthenticatable
+
+    # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
+    mattr_accessor :token_authentication_key
+    @@token_authentication_key = :auth_token
+
+    # Enable the configuration of the TokenAuthenticatable
+    # strategy with a block:
+    #
+    #   Devise::TokenAuthenticatable.setup do |config|
+    #     config.token_authentication_key = :other_key
+    #   end
+    #
+    def self.setup
+      yield self
+    end
+  end
+end
+
+# Register TokenAuthenticatable module in Devise.
+Devise::add_module  :token_authenticatable,
+                    model: 'devise/token_authenticatable/model',
+                    strategy: true,
+                    no_input: true

data/lib/devise/token_authenticatable/model.rb

@@ -0,0 +1,90 @@
+module Devise
+  module Models
+    # The TokenAuthenticatable module is responsible for generating an authentication token and
+    # validating the authenticity of the same while signing in.
+    #
+    # This module only provides a few helpers to help you manage the token, but it is up to you
+    # to choose how to use it. For example, if you want to have a new token every time the user
+    # saves his account, you can do the following:
+    #
+    #   before_save :reset_authentication_token
+    #
+    # On the other hand, if you want to generate token unless one exists, you should use instead:
+    #
+    #   before_save :ensure_authentication_token
+    #
+    # If you want to delete the token after it is used, you can do so in the
+    # after_token_authentication callback.
+    #
+    # == APIs
+    #
+    # If you are using token authentication with APIs and using trackable. Every
+    # request will be considered as a new sign in (since there is no session in
+    # APIs). You can disable this by creating a before filter as follow:
+    #
+    #   before_filter :skip_trackable
+    #
+    #   def skip_trackable
+    #     request.env['devise.skip_trackable'] = true
+    #   end
+    #
+    # == Options
+    #
+    # TokenAuthenticatable adds the following options to devise_for:
+    #
+    #   * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
+    #
+    module TokenAuthenticatable
+      extend ActiveSupport::Concern
+
+      def self.required_fields(klass)
+        [:authentication_token]
+      end
+
+      # Generate new authentication token (a.k.a. "single access token").
+      def reset_authentication_token
+        self.authentication_token = self.class.authentication_token
+      end
+
+      # Generate new authentication token and save the record.
+      def reset_authentication_token!
+        reset_authentication_token
+        save(:validate => false)
+      end
+
+      # Generate authentication token unless already exists.
+      def ensure_authentication_token
+        reset_authentication_token if authentication_token.blank?
+      end
+
+      # Generate authentication token unless already exists and save the record.
+      def ensure_authentication_token!
+        reset_authentication_token! if authentication_token.blank?
+      end
+
+      # Hook called after token authentication.
+      def after_token_authentication
+      end
+
+      def expire_auth_token_on_timeout
+        self.class.expire_auth_token_on_timeout
+      end
+
+      module ClassMethods
+        def find_for_token_authentication(conditions)
+          find_for_authentication(:authentication_token => conditions[Devise::TokenAuthenticatable.token_authentication_key])
+        end
+
+        # Generate a token checking if one does not already exist in the database.
+        def authentication_token
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ :authentication_token => token })
+          end
+        end
+
+        Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)
+      end
+    end
+  end
+end

data/lib/devise/token_authenticatable/strategy.rb

@@ -0,0 +1,102 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    #
+    # The +TokenAuthenticatable+ strategy was extracted from Devise 3.1.0. Its purpose is
+    # to provide the deprecated functionality of the +TokenAuthenticatable+ strategy. The
+    # following description was adapted accordingly.
+    #
+    # See: https://github.com/plataformatec/devise/blob/v3.1/lib/devise/strategies/token_authenticatable.rb
+    #
+    #
+    # Strategy for signing in a user, based on a authenticatable token. This works for both params
+    # and http. For the former, all you need to do is to pass the params in the URL:
+    #
+    #   http://myapp.example.com/?user_token=SECRET
+    #
+    # For headers, you can use basic authentication passing the token as username and
+    # blank password. Since some clients may require a password, you can pass "X" as
+    # password and it will simply be ignored.
+    #
+    # You may also pass the token using the Token authentication mechanism provided
+    # by Rails: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
+    # The token options are stored in request.env['devise.token_options']
+    #
+    #
+    # Changes regarding the original +TokenAuthenticatable+ implementation:
+    #
+    # The private method +remember_me?+ in +TokenAuthenticatable+ returns +false+.
+    # For +TokenAuthenticatable+ this method was removed. This results in the
+    # usage of the default implementation in +Authenticatable+.
+    #
+    class TokenAuthenticatable < Authenticatable
+      def store?
+        super && !mapping.to.skip_session_storage.include?(:token_auth)
+      end
+
+      def valid?
+        super || valid_for_token_auth?
+      end
+
+      def authenticate!
+        resource = mapping.to.find_for_token_authentication(authentication_hash)
+        return fail(:invalid_token) unless resource
+
+        if validate(resource)
+          resource.after_token_authentication
+          success!(resource)
+        end
+      end
+
+    private
+
+      # Token Authenticatable can be authenticated with params in any controller and any verb.
+      def valid_params_request?
+        true
+      end
+
+      # Check if the model accepts this strategy as token authenticatable.
+      def token_authenticatable?
+        mapping.to.http_authenticatable?(:token_options)
+      end
+
+      # Check if this is strategy is valid for token authentication by:
+      #
+      #   * Validating if the model allows http token authentication;
+      #   * If the http auth token exists;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_token_auth?
+        token_authenticatable? && auth_token.present? && with_authentication_hash(:token_auth, token_auth_hash)
+      end
+
+      # Extract the auth token from the request
+      def auth_token
+        @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
+      end
+
+      # Extract a hash with attributes:values from the auth_token
+      def token_auth_hash
+        request.env['devise.token_options'] = auth_token.last
+        { authentication_keys.first => auth_token.first }
+      end
+
+      # Try both scoped and non scoped keys
+      def params_auth_hash
+        if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
+          params[scope]
+        else
+          params
+        end
+      end
+
+      # Overwrite authentication keys to use token_authentication_key.
+      def authentication_keys
+        @authentication_keys ||= [Devise::TokenAuthenticatable.token_authentication_key]
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:token_authenticatable, Devise::Strategies::TokenAuthenticatable)

data/lib/devise/token_authenticatable/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module TokenAuthenticatable
+    VERSION = "0.1.0.beta1".freeze
+  end
+end

data/spec/factories/admin.rb

@@ -0,0 +1,24 @@
+FactoryGirl.define do
+
+  factory :admin do
+    sequence(:email)      { |n| "admin#{n}@domain.com" }
+    password              'some_password'
+    password_confirmation 'some_password'
+
+    ignore do
+      confirm_account true
+    end
+
+    after(:create) do |u, evaluator|
+      u.confirm! if evaluator.confirm_account
+    end
+
+    trait :with_reset_password_token do
+      reset_password_token { SecureRandom.hex }
+    end
+
+    trait :with_authentication_token do
+      authentication_token { SecureRandom.hex }
+    end
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,25 @@
+FactoryGirl.define do
+
+  factory :user do
+    username              'testuser'
+    sequence(:email)      { |n| "user#{n}@domain.com" }
+    password              'some_password'
+    password_confirmation 'some_password'
+
+    ignore do
+      confirm_account true
+    end
+
+    after(:create) do |u, evaluator|
+      u.confirm! if evaluator.confirm_account
+    end
+
+    trait :with_reset_password_token do
+      reset_password_token { SecureRandom.hex }
+    end
+
+    trait :with_authentication_token do
+      authentication_token { SecureRandom.hex }
+    end
+  end
+end

data/spec/models/devise/token_authenticatable/model_spec.rb

@@ -0,0 +1,79 @@
+require 'spec_helper'
+
+##
+# If a model that is plain token authenticatable should be tested with
+# this shared example the corresponding factory has to provide a trait
+# +:with_authentication_token+ that sets the attribute +authentication_token+.
+#
+# See spec/factories/account.rb for an example.
+#
+shared_examples "plain token authenticatable" do
+
+  context "instance methods" do
+
+    describe "#reset_authentication_token" do
+      let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
+
+      it "should reset authentication token" do
+        expect { entity.reset_authentication_token }.to change { entity.authentication_token }
+      end
+    end
+
+    describe "#ensure_authentication_token" do
+
+      context "with existing authentication token" do
+        let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
+
+        it "should not change the authentication token" do
+          expect { entity.ensure_authentication_token }.to_not change { entity.authentication_token }
+        end
+      end
+
+      context "without existing authentication token" do
+        let(:entity) { create(described_class.name.underscore.to_sym) }
+
+        it "should create an authentication token" do
+          entity.authentication_token = nil
+          expect { entity.ensure_authentication_token }.to change { entity.authentication_token }
+        end
+      end
+    end
+  end
+
+  context "class methods" do
+
+    describe "#find_for_authentication_token" do
+      let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
+
+      it "should authenticate a valid entity with authentication token and return it" do
+        authenticated_entity = described_class.find_for_token_authentication(auth_token: entity.authentication_token)
+        expect(entity.authentication_token).to eq(authenticated_entity.authentication_token)
+      end
+
+      it "should return nil when authenticating an invalid entity by authentication token" do
+        authenticated_entity = described_class.find_for_token_authentication(auth_token: entity.authentication_token.reverse)
+        expect(authenticated_entity).to be_nil
+      end
+
+      it "should not be subject to injection" do
+        entity2 = create(described_class.name.underscore.to_sym, :with_authentication_token)
+
+        authenticated_entity = described_class.find_for_token_authentication(auth_token: { '$ne' => entity.authentication_token })
+        expect(authenticated_entity).to be_nil
+      end
+    end
+
+    describe "#required_fields" do
+
+      it "should contain the fields that Devise uses" do
+        expect(Devise::Models::TokenAuthenticatable.required_fields(described_class)).to eq([
+          :authentication_token
+        ])
+      end
+    end
+  end
+end
+
+describe User do
+  it_behaves_like "plain token authenticatable"
+end