devise-token_authenticatable 0.4.6 → 0.4.9
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +3 -8
- data/README.md +5 -6
- data/lib/devise/token_authenticatable.rb +4 -7
- data/lib/devise/token_authenticatable/model.rb +5 -10
- data/lib/devise/token_authenticatable/strategy.rb +10 -0
- data/lib/devise/token_authenticatable/version.rb +1 -1
- data/spec/factories/user.rb +6 -0
- data/spec/models/devise/token_authenticatable/model_spec.rb +21 -50
- data/spec/requests/devise/token_authenticatable/strategy_spec.rb +43 -70
- data/spec/support/rails_app/db/migrate/20100401102949_create_tables.rb +8 -7
- data/spec/support/rails_app/db/schema.rb +1 -0
- data/spec/support/session_helper.rb +2 -1
- data/spec/token_authenticatable_spec.rb +4 -8
- metadata +2 -3
- data/lib/devise/token_authenticatable/hooks/timeoutable.rb +0 -34
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 33ae1c06a79b20b7e886cdbc7795b776b78fc767
|
|
4
|
+
data.tar.gz: 175c959f673397ff325234ac4a23d673d6824f7f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: be522497669564ea1abc605303c6df1e76a8cb84daeb9bf6366bdbbce48deb0dc669ec76370bc7c5365b13371974eae14094155e85bab4bb9445f5038eeb4176
|
|
7
|
+
data.tar.gz: e9404d5a0f635763fff3159df5e40cdf6cd7c716d9adcc8d8b4b4caee2ee905a68e150ddf40ee1e1d332c41f819ee148ec88240b95dce24cccfa0cfde644c79f
|
data/.travis.yml
CHANGED
|
@@ -1,16 +1,11 @@
|
|
|
1
1
|
language: ruby
|
|
2
2
|
rvm:
|
|
3
|
-
- 1.9.3
|
|
4
3
|
- 2.0.0
|
|
5
|
-
- 2.1.
|
|
6
|
-
- 2.2.
|
|
7
|
-
-
|
|
4
|
+
- 2.1.9
|
|
5
|
+
- 2.2.5
|
|
6
|
+
- 2.3.1
|
|
8
7
|
|
|
9
8
|
before_install:
|
|
10
9
|
- gem install bundler -v 1.11
|
|
11
10
|
|
|
12
|
-
env:
|
|
13
|
-
global:
|
|
14
|
-
- "JRUBY_OPTS=-Xcext.enabled=true"
|
|
15
|
-
|
|
16
11
|
script: bundle exec rspec
|
data/README.md
CHANGED
|
@@ -27,8 +27,8 @@ Or install it yourself as:
|
|
|
27
27
|
`~> 0.1` | `~> 3.2.0`
|
|
28
28
|
`~> 0.2` | `~> 3.3.0`
|
|
29
29
|
`~> 0.3` | `~> 3.4.0`
|
|
30
|
-
`~> 0.4`
|
|
31
|
-
`~> 0.4.
|
|
30
|
+
`~> 0.4.0`, `< 0.4.9` | `~> 3.5.0`, `< 3.5.2`
|
|
31
|
+
`~> 0.4.9` | `~> 3.5.2`
|
|
32
32
|
|
|
33
33
|
## Usage
|
|
34
34
|
|
|
@@ -46,10 +46,9 @@ This gem can be configured as shown in the following:
|
|
|
46
46
|
|
|
47
47
|
```ruby
|
|
48
48
|
Devise::TokenAuthenticatable.setup do |config|
|
|
49
|
-
# enables the expiration of a token after a
|
|
50
|
-
#
|
|
51
|
-
|
|
52
|
-
config.expire_auth_token_on_timeout = true
|
|
49
|
+
# enables the expiration of a token after a specified amount of time,
|
|
50
|
+
# defaults to nil
|
|
51
|
+
config.token_expires_in = 1.day
|
|
53
52
|
|
|
54
53
|
# set the authentication key name used by this module,
|
|
55
54
|
# defaults to :auth_token
|
|
@@ -3,17 +3,14 @@ require "devise/token_authenticatable/strategy"
|
|
|
3
3
|
module Devise
|
|
4
4
|
module TokenAuthenticatable
|
|
5
5
|
|
|
6
|
-
# Authentication token expiration on timeout
|
|
7
|
-
#
|
|
8
|
-
# This option is only used if your model uses the Devise
|
|
9
|
-
# :timeoutable module.
|
|
10
|
-
mattr_accessor :expire_auth_token_on_timeout
|
|
11
|
-
@@expire_auth_token_on_timeout = false
|
|
12
|
-
|
|
13
6
|
# Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
|
|
14
7
|
mattr_accessor :token_authentication_key
|
|
15
8
|
@@token_authentication_key = :auth_token
|
|
16
9
|
|
|
10
|
+
# Token expiration period. E.g. 1.day
|
|
11
|
+
mattr_accessor :token_expires_in
|
|
12
|
+
@@token_expires_in = nil
|
|
13
|
+
|
|
17
14
|
# Defines if the authentication token is reset before the model is saved.
|
|
18
15
|
mattr_accessor :should_reset_authentication_token
|
|
19
16
|
@@should_reset_authentication_token = false
|
|
@@ -1,5 +1,3 @@
|
|
|
1
|
-
require 'devise/token_authenticatable/hooks/timeoutable'
|
|
2
|
-
|
|
3
1
|
module Devise
|
|
4
2
|
module Models
|
|
5
3
|
# The +TokenAuthenticatable+ module is responsible for generating an authentication token and
|
|
@@ -30,7 +28,7 @@ module Devise
|
|
|
30
28
|
before_save :reset_authentication_token_before_save
|
|
31
29
|
before_save :ensure_authentication_token_before_save
|
|
32
30
|
|
|
33
|
-
attr_writer :
|
|
31
|
+
attr_writer :token_expires_in
|
|
34
32
|
end
|
|
35
33
|
|
|
36
34
|
module ClassMethods
|
|
@@ -55,12 +53,13 @@ module Devise
|
|
|
55
53
|
end
|
|
56
54
|
|
|
57
55
|
def self.required_fields(klass)
|
|
58
|
-
[:authentication_token]
|
|
56
|
+
[:authentication_token, :authentication_token_created_at]
|
|
59
57
|
end
|
|
60
58
|
|
|
61
59
|
# Generate new authentication token (a.k.a. "single access token").
|
|
62
60
|
def reset_authentication_token
|
|
63
61
|
self.authentication_token = self.class.authentication_token
|
|
62
|
+
self.authentication_token_created_at = Time.now
|
|
64
63
|
end
|
|
65
64
|
|
|
66
65
|
# Generate new authentication token and save the record.
|
|
@@ -83,12 +82,8 @@ module Devise
|
|
|
83
82
|
def after_token_authentication
|
|
84
83
|
end
|
|
85
84
|
|
|
86
|
-
def
|
|
87
|
-
|
|
88
|
-
@expire_auth_token_on_timeout
|
|
89
|
-
else
|
|
90
|
-
Devise::TokenAuthenticatable.expire_auth_token_on_timeout
|
|
91
|
-
end
|
|
85
|
+
def token_expires_in
|
|
86
|
+
Devise::TokenAuthenticatable.token_expires_in
|
|
92
87
|
end
|
|
93
88
|
|
|
94
89
|
private
|
|
@@ -36,6 +36,12 @@ module Devise
|
|
|
36
36
|
resource = mapping.to.find_for_token_authentication(authentication_hash)
|
|
37
37
|
return fail(:invalid_token) unless resource
|
|
38
38
|
|
|
39
|
+
unless token_expires_in.blank?
|
|
40
|
+
if Time.now > (resource.authentication_token_created_at + token_expires_in.to_i)
|
|
41
|
+
return fail(:expired_token)
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
39
45
|
if validate(resource)
|
|
40
46
|
resource.after_token_authentication
|
|
41
47
|
success!(resource)
|
|
@@ -88,6 +94,10 @@ module Devise
|
|
|
88
94
|
def authentication_keys
|
|
89
95
|
@authentication_keys ||= [Devise::TokenAuthenticatable.token_authentication_key]
|
|
90
96
|
end
|
|
97
|
+
|
|
98
|
+
def token_expires_in
|
|
99
|
+
@token_expires_in ||= Devise::TokenAuthenticatable.token_expires_in
|
|
100
|
+
end
|
|
91
101
|
end
|
|
92
102
|
end
|
|
93
103
|
end
|
data/spec/factories/user.rb
CHANGED
|
@@ -21,6 +21,12 @@ FactoryGirl.define do
|
|
|
21
21
|
|
|
22
22
|
trait :with_authentication_token do
|
|
23
23
|
authentication_token { SecureRandom.hex }
|
|
24
|
+
authentication_token_created_at { Time.now }
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
trait :with_day_old_token do
|
|
28
|
+
authentication_token { SecureRandom.hex }
|
|
29
|
+
authentication_token_created_at { Time.now - 1.day }
|
|
24
30
|
end
|
|
25
31
|
end
|
|
26
32
|
end
|
|
@@ -8,72 +8,56 @@ require 'spec_helper'
|
|
|
8
8
|
# See spec/factories/user.rb for an example.
|
|
9
9
|
#
|
|
10
10
|
shared_examples "token authenticatable" do
|
|
11
|
-
|
|
12
11
|
context "instance methods" do
|
|
13
|
-
|
|
14
12
|
describe "#reset_authentication_token" do
|
|
15
13
|
let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
|
|
16
14
|
|
|
15
|
+
subject { entity.reset_authentication_token }
|
|
16
|
+
|
|
17
17
|
it "should reset authentication token" do
|
|
18
|
-
expect {
|
|
18
|
+
expect { subject }.to change { entity.authentication_token }
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
it "should reset token created at" do
|
|
22
|
+
expect { subject }.to change { entity.authentication_token_created_at }
|
|
19
23
|
end
|
|
20
24
|
end
|
|
21
25
|
|
|
22
26
|
describe "#ensure_authentication_token" do
|
|
27
|
+
subject { entity.ensure_authentication_token }
|
|
23
28
|
|
|
24
29
|
context "with existing authentication token" do
|
|
25
30
|
let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
|
|
26
31
|
|
|
27
32
|
it "should not change the authentication token" do
|
|
28
|
-
expect {
|
|
33
|
+
expect { subject }.to_not change { entity.authentication_token }
|
|
29
34
|
end
|
|
30
|
-
end
|
|
31
|
-
|
|
32
|
-
context "without existing authentication token" do
|
|
33
|
-
let(:entity) { create(described_class.name.underscore.to_sym) }
|
|
34
35
|
|
|
35
|
-
it "should
|
|
36
|
-
entity.
|
|
37
|
-
expect { entity.ensure_authentication_token }.to change { entity.authentication_token }
|
|
36
|
+
it "should not change the authentication token created at" do
|
|
37
|
+
expect { subject }.to_not change { entity.authentication_token_created_at }
|
|
38
38
|
end
|
|
39
39
|
end
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
describe "#expire_auth_token_on_timeout" do
|
|
43
|
-
let(:entity) { create(described_class.name.underscore.to_sym) }
|
|
44
40
|
|
|
45
|
-
context "
|
|
41
|
+
context "without existing authentication token and authentication token created at" do
|
|
42
|
+
let(:entity) { create(described_class.name.underscore.to_sym) }
|
|
46
43
|
|
|
47
44
|
before :each do
|
|
48
|
-
entity.
|
|
45
|
+
entity.authentication_token = nil
|
|
46
|
+
entity.authentication_token_created_at = nil
|
|
49
47
|
end
|
|
50
48
|
|
|
51
|
-
it "should
|
|
52
|
-
expect
|
|
49
|
+
it "should set an authentication token" do
|
|
50
|
+
expect { subject }.to change { entity.authentication_token }
|
|
53
51
|
end
|
|
54
52
|
|
|
55
|
-
it "should
|
|
56
|
-
expect
|
|
57
|
-
|
|
58
|
-
entity.expire_auth_token_on_timeout
|
|
53
|
+
it "should set authentication token created at" do
|
|
54
|
+
expect { subject }.to change { entity.authentication_token_created_at }
|
|
59
55
|
end
|
|
60
|
-
|
|
61
|
-
end
|
|
62
|
-
|
|
63
|
-
context "not enabling expire_auth_token_on_timeout" do
|
|
64
|
-
|
|
65
|
-
it "should use the default" do
|
|
66
|
-
expect(Devise::TokenAuthenticatable).to receive(:expire_auth_token_on_timeout)
|
|
67
|
-
|
|
68
|
-
entity.expire_auth_token_on_timeout
|
|
69
|
-
end
|
|
70
|
-
|
|
71
56
|
end
|
|
72
57
|
end
|
|
73
58
|
end
|
|
74
59
|
|
|
75
60
|
context "class methods" do
|
|
76
|
-
|
|
77
61
|
describe "#find_for_authentication_token" do
|
|
78
62
|
let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
|
|
79
63
|
|
|
@@ -97,7 +81,7 @@ shared_examples "token authenticatable" do
|
|
|
97
81
|
end
|
|
98
82
|
|
|
99
83
|
it "should not be subject to injection" do
|
|
100
|
-
|
|
84
|
+
create(described_class.name.underscore.to_sym, :with_authentication_token)
|
|
101
85
|
|
|
102
86
|
authenticated_entity = described_class.find_for_token_authentication(auth_token: { '$ne' => entity.authentication_token })
|
|
103
87
|
expect(authenticated_entity).to be_nil
|
|
@@ -105,23 +89,19 @@ shared_examples "token authenticatable" do
|
|
|
105
89
|
end
|
|
106
90
|
|
|
107
91
|
describe "#required_fields" do
|
|
108
|
-
|
|
109
92
|
it "should contain the fields that Devise uses" do
|
|
110
93
|
expect(Devise::Models::TokenAuthenticatable.required_fields(described_class)).to eq([
|
|
111
|
-
:authentication_token
|
|
94
|
+
:authentication_token, :authentication_token_created_at
|
|
112
95
|
])
|
|
113
96
|
end
|
|
114
|
-
|
|
115
97
|
end
|
|
116
98
|
|
|
117
99
|
end
|
|
118
100
|
|
|
119
101
|
context "before_save" do
|
|
120
|
-
|
|
121
102
|
let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
|
|
122
103
|
|
|
123
104
|
context "when the authentication token should be reset" do
|
|
124
|
-
|
|
125
105
|
before :each do
|
|
126
106
|
Devise::TokenAuthenticatable.setup do |config|
|
|
127
107
|
config.should_reset_authentication_token = true
|
|
@@ -139,21 +119,17 @@ shared_examples "token authenticatable" do
|
|
|
139
119
|
|
|
140
120
|
entity.update_attributes(created_at: Time.now)
|
|
141
121
|
end
|
|
142
|
-
|
|
143
122
|
end
|
|
144
123
|
|
|
145
124
|
context "when the authentication token should not be reset" do
|
|
146
|
-
|
|
147
125
|
it "does not reset the authentication token" do
|
|
148
126
|
expect(entity).to_not receive(:reset_authentication_token)
|
|
149
127
|
|
|
150
128
|
entity.update_attributes(created_at: Time.now)
|
|
151
129
|
end
|
|
152
|
-
|
|
153
130
|
end
|
|
154
131
|
|
|
155
132
|
context "when the authentication token should be ensured" do
|
|
156
|
-
|
|
157
133
|
before :each do
|
|
158
134
|
Devise::TokenAuthenticatable.setup do |config|
|
|
159
135
|
config.should_ensure_authentication_token = true
|
|
@@ -171,21 +147,16 @@ shared_examples "token authenticatable" do
|
|
|
171
147
|
|
|
172
148
|
entity.update_attributes(created_at: Time.now)
|
|
173
149
|
end
|
|
174
|
-
|
|
175
150
|
end
|
|
176
151
|
|
|
177
152
|
context "when the authentication token should not be ensured" do
|
|
178
|
-
|
|
179
153
|
it "does not set the authentication token" do
|
|
180
154
|
expect(entity).to_not receive(:ensure_authentication_token)
|
|
181
155
|
|
|
182
156
|
entity.update_attributes(created_at: Time.now)
|
|
183
157
|
end
|
|
184
|
-
|
|
185
158
|
end
|
|
186
|
-
|
|
187
159
|
end
|
|
188
|
-
|
|
189
160
|
end
|
|
190
161
|
|
|
191
162
|
describe User do
|
|
@@ -1,11 +1,8 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe Devise::Strategies::TokenAuthenticatable do
|
|
4
|
-
|
|
5
4
|
context "with valid authentication token key and value" do
|
|
6
|
-
|
|
7
5
|
context "through params" do
|
|
8
|
-
|
|
9
6
|
it "should be a success" do
|
|
10
7
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
11
8
|
sign_in_as_new_user_with_token
|
|
@@ -59,7 +56,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
59
56
|
end
|
|
60
57
|
|
|
61
58
|
context "when request is stateless" do
|
|
62
|
-
|
|
63
59
|
it 'should authenticate the user with use of authentication token' do
|
|
64
60
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
65
61
|
swap Devise, skip_session_storage: [:token_auth] do
|
|
@@ -92,13 +88,10 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
92
88
|
end
|
|
93
89
|
end
|
|
94
90
|
end
|
|
95
|
-
|
|
96
91
|
end
|
|
97
92
|
|
|
98
93
|
context "when request is stateless and timeoutable" do
|
|
99
|
-
|
|
100
94
|
context "on sign in" do
|
|
101
|
-
|
|
102
95
|
it 'should authenticate the user' do
|
|
103
96
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
104
97
|
swap Devise, skip_session_storage: [:token_auth], timeout_in: (0.1).second do
|
|
@@ -107,11 +100,9 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
107
100
|
end
|
|
108
101
|
end
|
|
109
102
|
end
|
|
110
|
-
|
|
111
103
|
end
|
|
112
104
|
|
|
113
105
|
context "on delayed access" do
|
|
114
|
-
|
|
115
106
|
it 'should authenticate the user' do
|
|
116
107
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
117
108
|
swap Devise, skip_session_storage: [:token_auth], timeout_in: (0.1).second do
|
|
@@ -127,59 +118,10 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
127
118
|
end
|
|
128
119
|
end
|
|
129
120
|
end
|
|
130
|
-
|
|
131
|
-
end
|
|
132
|
-
|
|
133
|
-
end
|
|
134
|
-
|
|
135
|
-
context "when expire_auth_token_on_timeout is set to true, timeoutable is enabled and we have a timed out session" do
|
|
136
|
-
|
|
137
|
-
context "on sign in" do
|
|
138
|
-
|
|
139
|
-
it 'should authenticate the user' do
|
|
140
|
-
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
|
|
141
|
-
swap Devise, timeout_in: (-1).minute do
|
|
142
|
-
sign_in_as_new_user_with_token
|
|
143
|
-
expect(warden).to be_authenticated(:user)
|
|
144
|
-
end
|
|
145
|
-
end
|
|
146
|
-
end
|
|
147
|
-
|
|
148
|
-
end
|
|
149
|
-
|
|
150
|
-
context "on re-sign in" do
|
|
151
|
-
|
|
152
|
-
it 'should not authenticate the user' do
|
|
153
|
-
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
|
|
154
|
-
swap Devise, timeout_in: (-1).minute do
|
|
155
|
-
user = sign_in_as_new_user_with_token
|
|
156
|
-
token = user.authentication_token
|
|
157
|
-
|
|
158
|
-
sign_in_as_new_user_with_token(user: user)
|
|
159
|
-
expect(warden).to_not be_authenticated(:user)
|
|
160
|
-
end
|
|
161
|
-
end
|
|
162
|
-
end
|
|
163
|
-
|
|
164
|
-
it 'should reset the authentication token' do
|
|
165
|
-
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
|
|
166
|
-
swap Devise, timeout_in: (-1).minute do
|
|
167
|
-
user = sign_in_as_new_user_with_token
|
|
168
|
-
token = user.authentication_token
|
|
169
|
-
|
|
170
|
-
sign_in_as_new_user_with_token(user: user)
|
|
171
|
-
user.reload
|
|
172
|
-
expect(token).to_not eq(user.authentication_token)
|
|
173
|
-
end
|
|
174
|
-
end
|
|
175
|
-
end
|
|
176
|
-
|
|
177
121
|
end
|
|
178
|
-
|
|
179
122
|
end
|
|
180
123
|
|
|
181
124
|
context "when not configured" do
|
|
182
|
-
|
|
183
125
|
it "should redirect to sign in page" do
|
|
184
126
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
185
127
|
swap Devise, params_authenticatable: [:database] do
|
|
@@ -203,7 +145,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
203
145
|
end
|
|
204
146
|
|
|
205
147
|
context "through http" do
|
|
206
|
-
|
|
207
148
|
it "should be a success" do
|
|
208
149
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
209
150
|
swap Devise, http_authenticatable: true do
|
|
@@ -225,7 +166,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
225
166
|
end
|
|
226
167
|
|
|
227
168
|
context "when not configured" do
|
|
228
|
-
|
|
229
169
|
it "should be an unauthorized" do
|
|
230
170
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
231
171
|
swap Devise, http_authenticatable: [:database] do
|
|
@@ -249,7 +189,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
249
189
|
end
|
|
250
190
|
|
|
251
191
|
context "through http header" do
|
|
252
|
-
|
|
253
192
|
it "should redirect to root path" do
|
|
254
193
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
255
194
|
swap Devise, http_authenticatable: true do
|
|
@@ -325,7 +264,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
325
264
|
end
|
|
326
265
|
|
|
327
266
|
context "with denied token authorization" do
|
|
328
|
-
|
|
329
267
|
it "should be an unauthorized" do
|
|
330
268
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
331
269
|
swap Devise, http_authenticatable: false do
|
|
@@ -345,14 +283,11 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
345
283
|
end
|
|
346
284
|
end
|
|
347
285
|
end
|
|
348
|
-
|
|
349
286
|
end
|
|
350
|
-
|
|
351
287
|
end
|
|
352
288
|
end
|
|
353
289
|
|
|
354
290
|
context "with improper authentication token key" do
|
|
355
|
-
|
|
356
291
|
it "should redirect to the sign in page" do
|
|
357
292
|
swap Devise::TokenAuthenticatable, token_authentication_key: :donald_duck_token do
|
|
358
293
|
sign_in_as_new_user_with_token(auth_token_key: :secret_token)
|
|
@@ -372,19 +307,16 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
372
307
|
it "should not be subject to injection" do
|
|
373
308
|
swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
|
|
374
309
|
user1 = create(:user, :with_authentication_token)
|
|
375
|
-
|
|
310
|
+
create(:user, :with_authentication_token)
|
|
376
311
|
|
|
377
312
|
get users_path(Devise::TokenAuthenticatable.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
|
|
378
313
|
expect(warden).to_not be_authenticated(:user)
|
|
379
314
|
end
|
|
380
315
|
end
|
|
381
|
-
|
|
382
316
|
end
|
|
383
317
|
|
|
384
318
|
context "with improper authentication token value" do
|
|
385
|
-
|
|
386
319
|
context "through params" do
|
|
387
|
-
|
|
388
320
|
before { sign_in_as_new_user_with_token(auth_token: '*** INVALID TOKEN ***') }
|
|
389
321
|
|
|
390
322
|
it "should redirect to the sign in page" do
|
|
@@ -397,7 +329,6 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
397
329
|
end
|
|
398
330
|
|
|
399
331
|
context "through http header" do
|
|
400
|
-
|
|
401
332
|
before { sign_in_as_new_user_with_token(token_auth: true, auth_token: '*** INVALID TOKEN ***') }
|
|
402
333
|
|
|
403
334
|
it "should be an unauthorized" do
|
|
@@ -409,4 +340,46 @@ describe Devise::Strategies::TokenAuthenticatable do
|
|
|
409
340
|
end
|
|
410
341
|
end
|
|
411
342
|
end
|
|
343
|
+
|
|
344
|
+
context "with expired authentication token value" do
|
|
345
|
+
context "through params" do
|
|
346
|
+
it "should redirect to the sign in page" do
|
|
347
|
+
swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
|
|
348
|
+
sign_in_as_new_user_with_token(use: :with_day_old_token)
|
|
349
|
+
|
|
350
|
+
expect(response).to redirect_to new_user_session_path
|
|
351
|
+
end
|
|
352
|
+
end
|
|
353
|
+
|
|
354
|
+
it "should not authenticate user" do
|
|
355
|
+
swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
|
|
356
|
+
sign_in_as_new_user_with_token(use: :with_day_old_token)
|
|
357
|
+
|
|
358
|
+
expect(warden).to_not be_authenticated(:user)
|
|
359
|
+
end
|
|
360
|
+
end
|
|
361
|
+
|
|
362
|
+
context "through http header" do
|
|
363
|
+
it "should redirect to the sign in page" do
|
|
364
|
+
swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
|
|
365
|
+
swap Devise, http_authenticatable: true do
|
|
366
|
+
sign_in_as_new_user_with_token(http_auth: true, use: :with_day_old_token)
|
|
367
|
+
|
|
368
|
+
expect(response.status).to eq(401)
|
|
369
|
+
end
|
|
370
|
+
end
|
|
371
|
+
end
|
|
372
|
+
|
|
373
|
+
it "does not authenticate with expired authentication token value in header" do
|
|
374
|
+
swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
|
|
375
|
+
swap Devise, http_authenticatable: true do
|
|
376
|
+
sign_in_as_new_user_with_token(http_auth: true, use: :with_day_old_token)
|
|
377
|
+
|
|
378
|
+
expect(warden).to_not be_authenticated(:user)
|
|
379
|
+
end
|
|
380
|
+
end
|
|
381
|
+
end
|
|
382
|
+
end
|
|
383
|
+
end
|
|
384
|
+
end
|
|
412
385
|
end
|
|
@@ -5,8 +5,8 @@ class CreateTables < ActiveRecord::Migration
|
|
|
5
5
|
t.string :facebook_token
|
|
6
6
|
|
|
7
7
|
## Database authenticatable
|
|
8
|
-
t.string :email, :
|
|
9
|
-
t.string :encrypted_password, :
|
|
8
|
+
t.string :email, null: false, default: ""
|
|
9
|
+
t.string :encrypted_password, null: false, default: ""
|
|
10
10
|
|
|
11
11
|
## Recoverable
|
|
12
12
|
t.string :reset_password_token
|
|
@@ -16,7 +16,7 @@ class CreateTables < ActiveRecord::Migration
|
|
|
16
16
|
t.datetime :remember_created_at
|
|
17
17
|
|
|
18
18
|
## Trackable
|
|
19
|
-
t.integer :sign_in_count, :
|
|
19
|
+
t.integer :sign_in_count, default: 0
|
|
20
20
|
t.datetime :current_sign_in_at
|
|
21
21
|
t.datetime :last_sign_in_at
|
|
22
22
|
t.string :current_sign_in_ip
|
|
@@ -29,20 +29,21 @@ class CreateTables < ActiveRecord::Migration
|
|
|
29
29
|
# t.string :unconfirmed_email # Only if using reconfirmable
|
|
30
30
|
|
|
31
31
|
## Lockable
|
|
32
|
-
t.integer :failed_attempts, :
|
|
32
|
+
t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
|
|
33
33
|
t.string :unlock_token # Only if unlock strategy is :email or :both
|
|
34
34
|
t.datetime :locked_at
|
|
35
35
|
|
|
36
36
|
## Token authenticatable
|
|
37
37
|
t.string :authentication_token
|
|
38
|
+
t.datetime :authentication_token_created_at, null: true
|
|
38
39
|
|
|
39
40
|
t.timestamps
|
|
40
41
|
end
|
|
41
42
|
|
|
42
43
|
create_table :admins do |t|
|
|
43
44
|
## Database authenticatable
|
|
44
|
-
t.string :email, :
|
|
45
|
-
t.string :encrypted_password, :
|
|
45
|
+
t.string :email, null: true
|
|
46
|
+
t.string :encrypted_password, null: true
|
|
46
47
|
|
|
47
48
|
## Recoverable
|
|
48
49
|
t.string :reset_password_token
|
|
@@ -61,7 +62,7 @@ class CreateTables < ActiveRecord::Migration
|
|
|
61
62
|
t.datetime :locked_at
|
|
62
63
|
|
|
63
64
|
## Attribute for testing route blocks
|
|
64
|
-
t.boolean :active, :
|
|
65
|
+
t.boolean :active, default: false
|
|
65
66
|
|
|
66
67
|
t.timestamps
|
|
67
68
|
end
|
|
@@ -7,7 +7,8 @@
|
|
|
7
7
|
# a new one is created.
|
|
8
8
|
#
|
|
9
9
|
def sign_in_as_new_user_with_token(options = {})
|
|
10
|
-
|
|
10
|
+
trait = options[:use] ? options[:use] : :with_authentication_token
|
|
11
|
+
user = options.delete(:user) || create(:user, trait)
|
|
11
12
|
|
|
12
13
|
options[:auth_token_key] ||= Devise::TokenAuthenticatable.token_authentication_key
|
|
13
14
|
options[:auth_token] ||= user.authentication_token
|
|
@@ -1,18 +1,15 @@
|
|
|
1
1
|
require 'spec_helper'
|
|
2
2
|
|
|
3
3
|
describe Devise::TokenAuthenticatable do
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
let(:expire_auth_token_on_timeout) { true }
|
|
4
|
+
context "configuring the token_expires_in" do
|
|
5
|
+
let(:expire_time) { 1.hour }
|
|
7
6
|
|
|
8
7
|
it "should set the configuration" do
|
|
9
8
|
expect {
|
|
10
9
|
Devise::TokenAuthenticatable.setup do |config|
|
|
11
|
-
config.
|
|
10
|
+
config.token_expires_in = expire_time
|
|
12
11
|
end
|
|
13
|
-
}.to change {
|
|
14
|
-
Devise::TokenAuthenticatable.expire_auth_token_on_timeout
|
|
15
|
-
}.from(false).to(expire_auth_token_on_timeout)
|
|
12
|
+
}.to change { Devise::TokenAuthenticatable.token_expires_in }.from(nil).to(expire_time)
|
|
16
13
|
end
|
|
17
14
|
end
|
|
18
15
|
|
|
@@ -51,5 +48,4 @@ describe Devise::TokenAuthenticatable do
|
|
|
51
48
|
}.to change { Devise::TokenAuthenticatable.should_ensure_authentication_token }.from(false).to(should_ensure)
|
|
52
49
|
end
|
|
53
50
|
end
|
|
54
|
-
|
|
55
51
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: devise-token_authenticatable
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Sebastian Oelke
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-05-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: devise
|
|
@@ -147,7 +147,6 @@ files:
|
|
|
147
147
|
- devise-token_authenticatable.gemspec
|
|
148
148
|
- lib/devise-token_authenticatable.rb
|
|
149
149
|
- lib/devise/token_authenticatable.rb
|
|
150
|
-
- lib/devise/token_authenticatable/hooks/timeoutable.rb
|
|
151
150
|
- lib/devise/token_authenticatable/model.rb
|
|
152
151
|
- lib/devise/token_authenticatable/strategy.rb
|
|
153
152
|
- lib/devise/token_authenticatable/version.rb
|
|
@@ -1,34 +0,0 @@
|
|
|
1
|
-
# Each time a record is set we check whether its session has already timed out
|
|
2
|
-
# or not, based on last request time. If so and :expire_auth_token_on_timeout
|
|
3
|
-
# is set to true, the record's auth token is reset.
|
|
4
|
-
|
|
5
|
-
# This is a backport of the functionality of expire_auth_token_on_timeout that
|
|
6
|
-
# has been removed from devise in version 3.5.2.
|
|
7
|
-
#
|
|
8
|
-
# For the original version cf.
|
|
9
|
-
# https://github.com/plataformatec/devise/blob/v3.5.1/lib/devise/hooks/timeoutable.rb.
|
|
10
|
-
|
|
11
|
-
Warden::Manager.after_set_user do |record, warden, options|
|
|
12
|
-
scope = options[:scope]
|
|
13
|
-
env = warden.request.env
|
|
14
|
-
|
|
15
|
-
if record && record.respond_to?(:timedout?) &&
|
|
16
|
-
warden.authenticated?(scope) &&
|
|
17
|
-
options[:store] != false &&
|
|
18
|
-
!env['devise.skip_timeoutable']
|
|
19
|
-
|
|
20
|
-
last_request_at = warden.session(scope)['last_request_at']
|
|
21
|
-
|
|
22
|
-
if last_request_at.is_a? Integer
|
|
23
|
-
last_request_at = Time.at(last_request_at).utc
|
|
24
|
-
elsif last_request_at.is_a? String
|
|
25
|
-
last_request_at = Time.parse(last_request_at)
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
if record.timedout?(last_request_at) && !env['devise.skip_timeout']
|
|
29
|
-
if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
|
|
30
|
-
record.reset_authentication_token!
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
end
|
|
34
|
-
end
|