devise-token_authenticatable 0.4.6 → 0.4.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +3 -8
- data/README.md +5 -6
- data/lib/devise/token_authenticatable.rb +4 -7
- data/lib/devise/token_authenticatable/model.rb +5 -10
- data/lib/devise/token_authenticatable/strategy.rb +10 -0
- data/lib/devise/token_authenticatable/version.rb +1 -1
- data/spec/factories/user.rb +6 -0
- data/spec/models/devise/token_authenticatable/model_spec.rb +21 -50
- data/spec/requests/devise/token_authenticatable/strategy_spec.rb +43 -70
- data/spec/support/rails_app/db/migrate/20100401102949_create_tables.rb +8 -7
- data/spec/support/rails_app/db/schema.rb +1 -0
- data/spec/support/session_helper.rb +2 -1
- data/spec/token_authenticatable_spec.rb +4 -8
- metadata +2 -3
- data/lib/devise/token_authenticatable/hooks/timeoutable.rb +0 -34
    
        checksums.yaml
    CHANGED
    
    | @@ -1,7 +1,7 @@ | |
| 1 1 | 
             
            ---
         | 
| 2 2 | 
             
            SHA1:
         | 
| 3 | 
            -
              metadata.gz:  | 
| 4 | 
            -
              data.tar.gz:  | 
| 3 | 
            +
              metadata.gz: 33ae1c06a79b20b7e886cdbc7795b776b78fc767
         | 
| 4 | 
            +
              data.tar.gz: 175c959f673397ff325234ac4a23d673d6824f7f
         | 
| 5 5 | 
             
            SHA512:
         | 
| 6 | 
            -
              metadata.gz:  | 
| 7 | 
            -
              data.tar.gz:  | 
| 6 | 
            +
              metadata.gz: be522497669564ea1abc605303c6df1e76a8cb84daeb9bf6366bdbbce48deb0dc669ec76370bc7c5365b13371974eae14094155e85bab4bb9445f5038eeb4176
         | 
| 7 | 
            +
              data.tar.gz: e9404d5a0f635763fff3159df5e40cdf6cd7c716d9adcc8d8b4b4caee2ee905a68e150ddf40ee1e1d332c41f819ee148ec88240b95dce24cccfa0cfde644c79f
         | 
    
        data/.travis.yml
    CHANGED
    
    | @@ -1,16 +1,11 @@ | |
| 1 1 | 
             
            language: ruby
         | 
| 2 2 | 
             
            rvm:
         | 
| 3 | 
            -
              - 1.9.3
         | 
| 4 3 | 
             
              - 2.0.0
         | 
| 5 | 
            -
              - 2.1. | 
| 6 | 
            -
              - 2.2. | 
| 7 | 
            -
              -  | 
| 4 | 
            +
              - 2.1.9
         | 
| 5 | 
            +
              - 2.2.5
         | 
| 6 | 
            +
              - 2.3.1
         | 
| 8 7 |  | 
| 9 8 | 
             
            before_install:
         | 
| 10 9 | 
             
              - gem install bundler -v 1.11
         | 
| 11 10 |  | 
| 12 | 
            -
            env:
         | 
| 13 | 
            -
              global:
         | 
| 14 | 
            -
                - "JRUBY_OPTS=-Xcext.enabled=true"
         | 
| 15 | 
            -
             | 
| 16 11 | 
             
            script: bundle exec rspec
         | 
    
        data/README.md
    CHANGED
    
    | @@ -27,8 +27,8 @@ Or install it yourself as: | |
| 27 27 | 
             
            `~> 0.1`                        | `~> 3.2.0`
         | 
| 28 28 | 
             
            `~> 0.2`                        | `~> 3.3.0`
         | 
| 29 29 | 
             
            `~> 0.3`                        | `~> 3.4.0`
         | 
| 30 | 
            -
            `~> 0.4` | 
| 31 | 
            -
            `~> 0.4. | 
| 30 | 
            +
            `~> 0.4.0`, `< 0.4.9`           | `~> 3.5.0`, `< 3.5.2`
         | 
| 31 | 
            +
            `~> 0.4.9`                      | `~> 3.5.2`
         | 
| 32 32 |  | 
| 33 33 | 
             
            ## Usage
         | 
| 34 34 |  | 
| @@ -46,10 +46,9 @@ This gem can be configured as shown in the following: | |
| 46 46 |  | 
| 47 47 | 
             
            ```ruby
         | 
| 48 48 | 
             
            Devise::TokenAuthenticatable.setup do |config|
         | 
| 49 | 
            -
              # enables the expiration of a token after a  | 
| 50 | 
            -
              #  | 
| 51 | 
            -
               | 
| 52 | 
            -
              config.expire_auth_token_on_timeout = true
         | 
| 49 | 
            +
              # enables the expiration of a token after a specified amount of time,
         | 
| 50 | 
            +
              # defaults to nil
         | 
| 51 | 
            +
              config.token_expires_in = 1.day
         | 
| 53 52 |  | 
| 54 53 | 
             
              # set the authentication key name used by this module,
         | 
| 55 54 | 
             
              # defaults to :auth_token
         | 
| @@ -3,17 +3,14 @@ require "devise/token_authenticatable/strategy" | |
| 3 3 | 
             
            module Devise
         | 
| 4 4 | 
             
              module TokenAuthenticatable
         | 
| 5 5 |  | 
| 6 | 
            -
                # Authentication token expiration on timeout
         | 
| 7 | 
            -
                #
         | 
| 8 | 
            -
                # This option is only used if your model uses the Devise
         | 
| 9 | 
            -
                # :timeoutable module.
         | 
| 10 | 
            -
                mattr_accessor :expire_auth_token_on_timeout
         | 
| 11 | 
            -
                @@expire_auth_token_on_timeout = false
         | 
| 12 | 
            -
             | 
| 13 6 | 
             
                # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
         | 
| 14 7 | 
             
                mattr_accessor :token_authentication_key
         | 
| 15 8 | 
             
                @@token_authentication_key = :auth_token
         | 
| 16 9 |  | 
| 10 | 
            +
                # Token expiration period. E.g. 1.day
         | 
| 11 | 
            +
                mattr_accessor :token_expires_in
         | 
| 12 | 
            +
                @@token_expires_in = nil
         | 
| 13 | 
            +
             | 
| 17 14 | 
             
                # Defines if the authentication token is reset before the model is saved.
         | 
| 18 15 | 
             
                mattr_accessor :should_reset_authentication_token
         | 
| 19 16 | 
             
                @@should_reset_authentication_token = false
         | 
| @@ -1,5 +1,3 @@ | |
| 1 | 
            -
            require 'devise/token_authenticatable/hooks/timeoutable'
         | 
| 2 | 
            -
             | 
| 3 1 | 
             
            module Devise
         | 
| 4 2 | 
             
              module Models
         | 
| 5 3 | 
             
                # The +TokenAuthenticatable+ module is responsible for generating an authentication token and
         | 
| @@ -30,7 +28,7 @@ module Devise | |
| 30 28 | 
             
                    before_save :reset_authentication_token_before_save
         | 
| 31 29 | 
             
                    before_save :ensure_authentication_token_before_save
         | 
| 32 30 |  | 
| 33 | 
            -
                    attr_writer : | 
| 31 | 
            +
                    attr_writer :token_expires_in
         | 
| 34 32 | 
             
                  end
         | 
| 35 33 |  | 
| 36 34 | 
             
                  module ClassMethods
         | 
| @@ -55,12 +53,13 @@ module Devise | |
| 55 53 | 
             
                  end
         | 
| 56 54 |  | 
| 57 55 | 
             
                  def self.required_fields(klass)
         | 
| 58 | 
            -
                    [:authentication_token]
         | 
| 56 | 
            +
                    [:authentication_token, :authentication_token_created_at]
         | 
| 59 57 | 
             
                  end
         | 
| 60 58 |  | 
| 61 59 | 
             
                  # Generate new authentication token (a.k.a. "single access token").
         | 
| 62 60 | 
             
                  def reset_authentication_token
         | 
| 63 61 | 
             
                    self.authentication_token = self.class.authentication_token
         | 
| 62 | 
            +
                    self.authentication_token_created_at = Time.now
         | 
| 64 63 | 
             
                  end
         | 
| 65 64 |  | 
| 66 65 | 
             
                  # Generate new authentication token and save the record.
         | 
| @@ -83,12 +82,8 @@ module Devise | |
| 83 82 | 
             
                  def after_token_authentication
         | 
| 84 83 | 
             
                  end
         | 
| 85 84 |  | 
| 86 | 
            -
                  def  | 
| 87 | 
            -
                     | 
| 88 | 
            -
                      @expire_auth_token_on_timeout
         | 
| 89 | 
            -
                    else
         | 
| 90 | 
            -
                      Devise::TokenAuthenticatable.expire_auth_token_on_timeout
         | 
| 91 | 
            -
                    end
         | 
| 85 | 
            +
                  def token_expires_in
         | 
| 86 | 
            +
                    Devise::TokenAuthenticatable.token_expires_in
         | 
| 92 87 | 
             
                  end
         | 
| 93 88 |  | 
| 94 89 | 
             
                  private
         | 
| @@ -36,6 +36,12 @@ module Devise | |
| 36 36 | 
             
                    resource = mapping.to.find_for_token_authentication(authentication_hash)
         | 
| 37 37 | 
             
                    return fail(:invalid_token) unless resource
         | 
| 38 38 |  | 
| 39 | 
            +
                    unless token_expires_in.blank?
         | 
| 40 | 
            +
                      if Time.now > (resource.authentication_token_created_at + token_expires_in.to_i)
         | 
| 41 | 
            +
                        return fail(:expired_token)
         | 
| 42 | 
            +
                      end
         | 
| 43 | 
            +
                    end
         | 
| 44 | 
            +
             | 
| 39 45 | 
             
                    if validate(resource)
         | 
| 40 46 | 
             
                      resource.after_token_authentication
         | 
| 41 47 | 
             
                      success!(resource)
         | 
| @@ -88,6 +94,10 @@ module Devise | |
| 88 94 | 
             
                  def authentication_keys
         | 
| 89 95 | 
             
                    @authentication_keys ||= [Devise::TokenAuthenticatable.token_authentication_key]
         | 
| 90 96 | 
             
                  end
         | 
| 97 | 
            +
             | 
| 98 | 
            +
                  def token_expires_in
         | 
| 99 | 
            +
                    @token_expires_in ||= Devise::TokenAuthenticatable.token_expires_in
         | 
| 100 | 
            +
                  end
         | 
| 91 101 | 
             
                end
         | 
| 92 102 | 
             
              end
         | 
| 93 103 | 
             
            end
         | 
    
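--- a/data/spec/factories/user.rb
+++ b/data/spec/factories/user.rb
@@ -21,6 +21,12 @@ FactoryGirl.define do
 
     trait :with_authentication_token do
       authentication_token { SecureRandom.hex }
+      authentication_token_created_at { Time.now }
+    end
+
+    trait :with_day_old_token do
+      authentication_token { SecureRandom.hex }
+      authentication_token_created_at { Time.now - 1.day }
     end
   end
 end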
| @@ -8,72 +8,56 @@ require 'spec_helper' | |
| 8 8 | 
             
            # See spec/factories/user.rb for an example.
         | 
| 9 9 | 
             
            #
         | 
| 10 10 | 
             
            shared_examples "token authenticatable" do
         | 
| 11 | 
            -
             | 
| 12 11 | 
             
              context "instance methods" do
         | 
| 13 | 
            -
             | 
| 14 12 | 
             
                describe "#reset_authentication_token" do
         | 
| 15 13 | 
             
                  let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
         | 
| 16 14 |  | 
| 15 | 
            +
                  subject { entity.reset_authentication_token }
         | 
| 16 | 
            +
             | 
| 17 17 | 
             
                  it "should reset authentication token" do
         | 
| 18 | 
            -
                    expect {  | 
| 18 | 
            +
                    expect { subject }.to change { entity.authentication_token }
         | 
| 19 | 
            +
                  end
         | 
| 20 | 
            +
             | 
| 21 | 
            +
                  it "should reset token created at" do
         | 
| 22 | 
            +
                    expect { subject }.to change { entity.authentication_token_created_at }
         | 
| 19 23 | 
             
                  end
         | 
| 20 24 | 
             
                end
         | 
| 21 25 |  | 
| 22 26 | 
             
                describe "#ensure_authentication_token" do
         | 
| 27 | 
            +
                  subject { entity.ensure_authentication_token }
         | 
| 23 28 |  | 
| 24 29 | 
             
                  context "with existing authentication token" do
         | 
| 25 30 | 
             
                    let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
         | 
| 26 31 |  | 
| 27 32 | 
             
                    it "should not change the authentication token" do
         | 
| 28 | 
            -
                      expect {  | 
| 33 | 
            +
                      expect { subject }.to_not change { entity.authentication_token }
         | 
| 29 34 | 
             
                    end
         | 
| 30 | 
            -
                  end
         | 
| 31 | 
            -
             | 
| 32 | 
            -
                  context "without existing authentication token" do
         | 
| 33 | 
            -
                    let(:entity) { create(described_class.name.underscore.to_sym) }
         | 
| 34 35 |  | 
| 35 | 
            -
                    it "should  | 
| 36 | 
            -
                      entity. | 
| 37 | 
            -
                      expect { entity.ensure_authentication_token }.to change { entity.authentication_token }
         | 
| 36 | 
            +
                    it "should not change the authentication token created at" do
         | 
| 37 | 
            +
                      expect { subject }.to_not change { entity.authentication_token_created_at }
         | 
| 38 38 | 
             
                    end
         | 
| 39 39 | 
             
                  end
         | 
| 40 | 
            -
                end
         | 
| 41 | 
            -
             | 
| 42 | 
            -
                describe "#expire_auth_token_on_timeout" do
         | 
| 43 | 
            -
                  let(:entity) { create(described_class.name.underscore.to_sym) }
         | 
| 44 40 |  | 
| 45 | 
            -
                  context " | 
| 41 | 
            +
                  context "without existing authentication token and authentication token created at" do
         | 
| 42 | 
            +
                    let(:entity) { create(described_class.name.underscore.to_sym) }
         | 
| 46 43 |  | 
| 47 44 | 
             
                    before :each do
         | 
| 48 | 
            -
                      entity. | 
| 45 | 
            +
                      entity.authentication_token = nil
         | 
| 46 | 
            +
                      entity.authentication_token_created_at = nil
         | 
| 49 47 | 
             
                    end
         | 
| 50 48 |  | 
| 51 | 
            -
                    it "should  | 
| 52 | 
            -
                      expect | 
| 49 | 
            +
                    it "should set an authentication token" do
         | 
| 50 | 
            +
                      expect { subject }.to change { entity.authentication_token }
         | 
| 53 51 | 
             
                    end
         | 
| 54 52 |  | 
| 55 | 
            -
                    it "should  | 
| 56 | 
            -
                      expect | 
| 57 | 
            -
                      
         | 
| 58 | 
            -
                      entity.expire_auth_token_on_timeout
         | 
| 53 | 
            +
                    it "should set authentication token created at" do
         | 
| 54 | 
            +
                      expect { subject }.to change { entity.authentication_token_created_at }
         | 
| 59 55 | 
             
                    end
         | 
| 60 | 
            -
             | 
| 61 | 
            -
                  end
         | 
| 62 | 
            -
             | 
| 63 | 
            -
                  context "not enabling expire_auth_token_on_timeout" do
         | 
| 64 | 
            -
             | 
| 65 | 
            -
                    it "should use the default" do
         | 
| 66 | 
            -
                      expect(Devise::TokenAuthenticatable).to receive(:expire_auth_token_on_timeout)
         | 
| 67 | 
            -
                      
         | 
| 68 | 
            -
                      entity.expire_auth_token_on_timeout
         | 
| 69 | 
            -
                    end
         | 
| 70 | 
            -
             | 
| 71 56 | 
             
                  end
         | 
| 72 57 | 
             
                end
         | 
| 73 58 | 
             
              end
         | 
| 74 59 |  | 
| 75 60 | 
             
              context "class methods" do
         | 
| 76 | 
            -
             | 
| 77 61 | 
             
                describe "#find_for_authentication_token" do
         | 
| 78 62 | 
             
                  let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
         | 
| 79 63 |  | 
| @@ -97,7 +81,7 @@ shared_examples "token authenticatable" do | |
| 97 81 | 
             
                  end
         | 
| 98 82 |  | 
| 99 83 | 
             
                  it "should not be subject to injection" do
         | 
| 100 | 
            -
                     | 
| 84 | 
            +
                    create(described_class.name.underscore.to_sym, :with_authentication_token)
         | 
| 101 85 |  | 
| 102 86 | 
             
                    authenticated_entity = described_class.find_for_token_authentication(auth_token: { '$ne' => entity.authentication_token })
         | 
| 103 87 | 
             
                    expect(authenticated_entity).to be_nil
         | 
| @@ -105,23 +89,19 @@ shared_examples "token authenticatable" do | |
| 105 89 | 
             
                end
         | 
| 106 90 |  | 
| 107 91 | 
             
                describe "#required_fields" do
         | 
| 108 | 
            -
             | 
| 109 92 | 
             
                  it "should contain the fields that Devise uses" do
         | 
| 110 93 | 
             
                    expect(Devise::Models::TokenAuthenticatable.required_fields(described_class)).to eq([
         | 
| 111 | 
            -
                      :authentication_token
         | 
| 94 | 
            +
                      :authentication_token, :authentication_token_created_at
         | 
| 112 95 | 
             
                    ])
         | 
| 113 96 | 
             
                  end
         | 
| 114 | 
            -
             | 
| 115 97 | 
             
                end
         | 
| 116 98 |  | 
| 117 99 | 
             
              end
         | 
| 118 100 |  | 
| 119 101 | 
             
              context "before_save" do
         | 
| 120 | 
            -
             | 
| 121 102 | 
             
                let(:entity) { create(described_class.name.underscore.to_sym, :with_authentication_token) }
         | 
| 122 103 |  | 
| 123 104 | 
             
                context "when the authentication token should be reset" do
         | 
| 124 | 
            -
             | 
| 125 105 | 
             
                  before :each do
         | 
| 126 106 | 
             
                    Devise::TokenAuthenticatable.setup do |config|
         | 
| 127 107 | 
             
                      config.should_reset_authentication_token = true
         | 
| @@ -139,21 +119,17 @@ shared_examples "token authenticatable" do | |
| 139 119 |  | 
| 140 120 | 
             
                    entity.update_attributes(created_at: Time.now)
         | 
| 141 121 | 
             
                  end
         | 
| 142 | 
            -
             | 
| 143 122 | 
             
                end
         | 
| 144 123 |  | 
| 145 124 | 
             
                context "when the authentication token should not be reset" do
         | 
| 146 | 
            -
             | 
| 147 125 | 
             
                  it "does not reset the authentication token" do
         | 
| 148 126 | 
             
                    expect(entity).to_not receive(:reset_authentication_token)
         | 
| 149 127 |  | 
| 150 128 | 
             
                    entity.update_attributes(created_at: Time.now)
         | 
| 151 129 | 
             
                  end
         | 
| 152 | 
            -
             | 
| 153 130 | 
             
                end
         | 
| 154 131 |  | 
| 155 132 | 
             
                context "when the authentication token should be ensured" do
         | 
| 156 | 
            -
             | 
| 157 133 | 
             
                  before :each do
         | 
| 158 134 | 
             
                    Devise::TokenAuthenticatable.setup do |config|
         | 
| 159 135 | 
             
                      config.should_ensure_authentication_token = true
         | 
| @@ -171,21 +147,16 @@ shared_examples "token authenticatable" do | |
| 171 147 |  | 
| 172 148 | 
             
                    entity.update_attributes(created_at: Time.now)
         | 
| 173 149 | 
             
                  end
         | 
| 174 | 
            -
             | 
| 175 150 | 
             
                end
         | 
| 176 151 |  | 
| 177 152 | 
             
                context "when the authentication token should not be ensured" do
         | 
| 178 | 
            -
             | 
| 179 153 | 
             
                  it "does not set the authentication token" do
         | 
| 180 154 | 
             
                    expect(entity).to_not receive(:ensure_authentication_token)
         | 
| 181 155 |  | 
| 182 156 | 
             
                    entity.update_attributes(created_at: Time.now)
         | 
| 183 157 | 
             
                  end
         | 
| 184 | 
            -
             | 
| 185 158 | 
             
                end
         | 
| 186 | 
            -
             | 
| 187 159 | 
             
              end
         | 
| 188 | 
            -
             | 
| 189 160 | 
             
            end
         | 
| 190 161 |  | 
| 191 162 | 
             
            describe User do
         | 
| @@ -1,11 +1,8 @@ | |
| 1 1 | 
             
            require 'spec_helper'
         | 
| 2 2 |  | 
| 3 3 | 
             
            describe Devise::Strategies::TokenAuthenticatable do
         | 
| 4 | 
            -
             | 
| 5 4 | 
             
              context "with valid authentication token key and value" do
         | 
| 6 | 
            -
             | 
| 7 5 | 
             
                context "through params" do
         | 
| 8 | 
            -
             | 
| 9 6 | 
             
                  it "should be a success" do
         | 
| 10 7 | 
             
                    swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 11 8 | 
             
                      sign_in_as_new_user_with_token
         | 
| @@ -59,7 +56,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 59 56 | 
             
                  end
         | 
| 60 57 |  | 
| 61 58 | 
             
                  context "when request is stateless" do
         | 
| 62 | 
            -
             | 
| 63 59 | 
             
                    it 'should authenticate the user with use of authentication token' do
         | 
| 64 60 | 
             
                      swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 65 61 | 
             
                        swap Devise, skip_session_storage: [:token_auth] do
         | 
| @@ -92,13 +88,10 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 92 88 | 
             
                        end
         | 
| 93 89 | 
             
                      end
         | 
| 94 90 | 
             
                    end
         | 
| 95 | 
            -
             | 
| 96 91 | 
             
                  end
         | 
| 97 92 |  | 
| 98 93 | 
             
                  context "when request is stateless and timeoutable" do
         | 
| 99 | 
            -
             | 
| 100 94 | 
             
                    context "on sign in" do
         | 
| 101 | 
            -
             | 
| 102 95 | 
             
                      it 'should authenticate the user' do
         | 
| 103 96 | 
             
                        swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 104 97 | 
             
                          swap Devise, skip_session_storage: [:token_auth], timeout_in: (0.1).second do
         | 
| @@ -107,11 +100,9 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 107 100 | 
             
                          end
         | 
| 108 101 | 
             
                        end
         | 
| 109 102 | 
             
                      end
         | 
| 110 | 
            -
             | 
| 111 103 | 
             
                    end
         | 
| 112 104 |  | 
| 113 105 | 
             
                    context "on delayed access" do
         | 
| 114 | 
            -
             | 
| 115 106 | 
             
                      it 'should authenticate the user' do
         | 
| 116 107 | 
             
                        swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 117 108 | 
             
                          swap Devise, skip_session_storage: [:token_auth], timeout_in: (0.1).second do
         | 
| @@ -127,59 +118,10 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 127 118 | 
             
                          end
         | 
| 128 119 | 
             
                        end
         | 
| 129 120 | 
             
                      end
         | 
| 130 | 
            -
             | 
| 131 | 
            -
                    end
         | 
| 132 | 
            -
             | 
| 133 | 
            -
                  end
         | 
| 134 | 
            -
             | 
| 135 | 
            -
                  context "when expire_auth_token_on_timeout is set to true, timeoutable is enabled and we have a timed out session" do
         | 
| 136 | 
            -
             | 
| 137 | 
            -
                    context "on sign in" do
         | 
| 138 | 
            -
             | 
| 139 | 
            -
                      it 'should authenticate the user' do
         | 
| 140 | 
            -
                        swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
         | 
| 141 | 
            -
                          swap Devise, timeout_in: (-1).minute do
         | 
| 142 | 
            -
                            sign_in_as_new_user_with_token
         | 
| 143 | 
            -
                            expect(warden).to be_authenticated(:user)
         | 
| 144 | 
            -
                          end
         | 
| 145 | 
            -
                        end
         | 
| 146 | 
            -
                      end
         | 
| 147 | 
            -
             | 
| 148 | 
            -
                    end
         | 
| 149 | 
            -
             | 
| 150 | 
            -
                    context "on re-sign in" do
         | 
| 151 | 
            -
             | 
| 152 | 
            -
                      it 'should not authenticate the user' do
         | 
| 153 | 
            -
                        swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
         | 
| 154 | 
            -
                          swap Devise, timeout_in: (-1).minute do
         | 
| 155 | 
            -
                            user  = sign_in_as_new_user_with_token
         | 
| 156 | 
            -
                            token = user.authentication_token
         | 
| 157 | 
            -
             | 
| 158 | 
            -
                            sign_in_as_new_user_with_token(user: user)
         | 
| 159 | 
            -
                            expect(warden).to_not be_authenticated(:user)
         | 
| 160 | 
            -
                          end
         | 
| 161 | 
            -
                        end
         | 
| 162 | 
            -
                      end
         | 
| 163 | 
            -
             | 
| 164 | 
            -
                      it 'should reset the authentication token' do
         | 
| 165 | 
            -
                        swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token, expire_auth_token_on_timeout: true do
         | 
| 166 | 
            -
                          swap Devise, timeout_in: (-1).minute do
         | 
| 167 | 
            -
                            user  = sign_in_as_new_user_with_token
         | 
| 168 | 
            -
                            token = user.authentication_token
         | 
| 169 | 
            -
             | 
| 170 | 
            -
                            sign_in_as_new_user_with_token(user: user)
         | 
| 171 | 
            -
                            user.reload
         | 
| 172 | 
            -
                            expect(token).to_not eq(user.authentication_token)
         | 
| 173 | 
            -
                          end
         | 
| 174 | 
            -
                        end
         | 
| 175 | 
            -
                      end
         | 
| 176 | 
            -
             | 
| 177 121 | 
             
                    end
         | 
| 178 | 
            -
             | 
| 179 122 | 
             
                  end
         | 
| 180 123 |  | 
| 181 124 | 
             
                  context "when not configured" do
         | 
| 182 | 
            -
             | 
| 183 125 | 
             
                    it "should redirect to sign in page" do
         | 
| 184 126 | 
             
                      swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 185 127 | 
             
                        swap Devise, params_authenticatable: [:database] do
         | 
| @@ -203,7 +145,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 203 145 | 
             
                end
         | 
| 204 146 |  | 
| 205 147 | 
             
                context "through http" do
         | 
| 206 | 
            -
             | 
| 207 148 | 
             
                  it "should be a success" do
         | 
| 208 149 | 
             
                    swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 209 150 | 
             
                      swap Devise, http_authenticatable: true do
         | 
| @@ -225,7 +166,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 225 166 | 
             
                  end
         | 
| 226 167 |  | 
| 227 168 | 
             
                  context "when not configured" do
         | 
| 228 | 
            -
             | 
| 229 169 | 
             
                    it "should be an unauthorized" do
         | 
| 230 170 | 
             
                      swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 231 171 | 
             
                        swap Devise, http_authenticatable: [:database] do
         | 
| @@ -249,7 +189,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 249 189 | 
             
                end
         | 
| 250 190 |  | 
| 251 191 | 
             
                context "through http header" do
         | 
| 252 | 
            -
             | 
| 253 192 | 
             
                  it "should redirect to root path" do
         | 
| 254 193 | 
             
                    swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 255 194 | 
             
                      swap Devise, http_authenticatable: true do
         | 
| @@ -325,7 +264,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 325 264 | 
             
                  end
         | 
| 326 265 |  | 
| 327 266 | 
             
                  context "with denied token authorization" do
         | 
| 328 | 
            -
             | 
| 329 267 | 
             
                    it "should be an unauthorized" do
         | 
| 330 268 | 
             
                      swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 331 269 | 
             
                        swap Devise, http_authenticatable: false do
         | 
| @@ -345,14 +283,11 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 345 283 | 
             
                        end
         | 
| 346 284 | 
             
                      end
         | 
| 347 285 | 
             
                    end
         | 
| 348 | 
            -
             | 
| 349 286 | 
             
                  end
         | 
| 350 | 
            -
             | 
| 351 287 | 
             
                end
         | 
| 352 288 | 
             
              end
         | 
| 353 289 |  | 
| 354 290 | 
             
              context "with improper authentication token key" do
         | 
| 355 | 
            -
             | 
| 356 291 | 
             
                it "should redirect to the sign in page" do
         | 
| 357 292 | 
             
                  swap Devise::TokenAuthenticatable, token_authentication_key: :donald_duck_token do
         | 
| 358 293 | 
             
                    sign_in_as_new_user_with_token(auth_token_key: :secret_token)
         | 
| @@ -372,19 +307,16 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 372 307 | 
             
                it "should not be subject to injection" do
         | 
| 373 308 | 
             
                  swap Devise::TokenAuthenticatable, token_authentication_key: :secret_token do
         | 
| 374 309 | 
             
                    user1 = create(:user, :with_authentication_token)
         | 
| 375 | 
            -
                     | 
| 310 | 
            +
                    create(:user, :with_authentication_token)
         | 
| 376 311 |  | 
| 377 312 | 
             
                    get users_path(Devise::TokenAuthenticatable.token_authentication_key.to_s + '[$ne]' => user1.authentication_token)
         | 
| 378 313 | 
             
                    expect(warden).to_not be_authenticated(:user)
         | 
| 379 314 | 
             
                  end
         | 
| 380 315 | 
             
                end
         | 
| 381 | 
            -
             | 
| 382 316 | 
             
              end
         | 
| 383 317 |  | 
| 384 318 | 
             
              context "with improper authentication token value" do
         | 
| 385 | 
            -
             | 
| 386 319 | 
             
                context "through params" do
         | 
| 387 | 
            -
             | 
| 388 320 | 
             
                  before { sign_in_as_new_user_with_token(auth_token: '*** INVALID TOKEN ***') }
         | 
| 389 321 |  | 
| 390 322 | 
             
                  it "should redirect to the sign in page" do
         | 
| @@ -397,7 +329,6 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 397 329 | 
             
                end
         | 
| 398 330 |  | 
| 399 331 | 
             
                context "through http header" do
         | 
| 400 | 
            -
             | 
| 401 332 | 
             
                  before { sign_in_as_new_user_with_token(token_auth: true, auth_token: '*** INVALID TOKEN ***') }
         | 
| 402 333 |  | 
| 403 334 | 
             
                  it "should be an unauthorized" do
         | 
| @@ -409,4 +340,46 @@ describe Devise::Strategies::TokenAuthenticatable do | |
| 409 340 | 
             
                  end
         | 
| 410 341 | 
             
                end
         | 
| 411 342 | 
             
              end
         | 
| 343 | 
            +
             | 
| 344 | 
            +
              context "with expired authentication token value" do
         | 
| 345 | 
            +
                context "through params" do
         | 
| 346 | 
            +
                  it "should redirect to the sign in page" do
         | 
| 347 | 
            +
                    swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
         | 
| 348 | 
            +
                      sign_in_as_new_user_with_token(use: :with_day_old_token)
         | 
| 349 | 
            +
             | 
| 350 | 
            +
                      expect(response).to redirect_to new_user_session_path
         | 
| 351 | 
            +
                    end
         | 
| 352 | 
            +
                  end
         | 
| 353 | 
            +
             | 
| 354 | 
            +
                  it "should not authenticate user" do
         | 
| 355 | 
            +
                    swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
         | 
| 356 | 
            +
                      sign_in_as_new_user_with_token(use: :with_day_old_token)
         | 
| 357 | 
            +
             | 
| 358 | 
            +
                      expect(warden).to_not be_authenticated(:user)
         | 
| 359 | 
            +
                    end
         | 
| 360 | 
            +
                  end
         | 
| 361 | 
            +
             | 
| 362 | 
            +
                  context "through http header" do
         | 
| 363 | 
            +
                    it "should redirect to the sign in page" do
         | 
| 364 | 
            +
                      swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
         | 
| 365 | 
            +
                        swap Devise, http_authenticatable: true do
         | 
| 366 | 
            +
                          sign_in_as_new_user_with_token(http_auth: true, use: :with_day_old_token)
         | 
| 367 | 
            +
             | 
| 368 | 
            +
                          expect(response.status).to eq(401)
         | 
| 369 | 
            +
                        end
         | 
| 370 | 
            +
                      end
         | 
| 371 | 
            +
                    end
         | 
| 372 | 
            +
             | 
| 373 | 
            +
                    it "does not authenticate with expired authentication token value in header" do
         | 
| 374 | 
            +
                      swap Devise::TokenAuthenticatable, token_expires_in: 1.hour do
         | 
| 375 | 
            +
                        swap Devise, http_authenticatable: true do
         | 
| 376 | 
            +
                          sign_in_as_new_user_with_token(http_auth: true, use: :with_day_old_token)
         | 
| 377 | 
            +
             | 
| 378 | 
            +
                          expect(warden).to_not be_authenticated(:user)
         | 
| 379 | 
            +
                        end
         | 
| 380 | 
            +
                      end
         | 
| 381 | 
            +
                    end
         | 
| 382 | 
            +
                  end
         | 
| 383 | 
            +
                end
         | 
| 384 | 
            +
              end
         | 
| 412 385 | 
             
            end
         | 
| @@ -5,8 +5,8 @@ class CreateTables < ActiveRecord::Migration | |
| 5 5 | 
             
                  t.string :facebook_token
         | 
| 6 6 |  | 
| 7 7 | 
             
                  ## Database authenticatable
         | 
| 8 | 
            -
                  t.string :email,              : | 
| 9 | 
            -
                  t.string :encrypted_password, : | 
| 8 | 
            +
                  t.string :email,              null: false, default: ""
         | 
| 9 | 
            +
                  t.string :encrypted_password, null: false, default: ""
         | 
| 10 10 |  | 
| 11 11 | 
             
                  ## Recoverable
         | 
| 12 12 | 
             
                  t.string   :reset_password_token
         | 
| @@ -16,7 +16,7 @@ class CreateTables < ActiveRecord::Migration | |
| 16 16 | 
             
                  t.datetime :remember_created_at
         | 
| 17 17 |  | 
| 18 18 | 
             
                  ## Trackable
         | 
| 19 | 
            -
                  t.integer  :sign_in_count, : | 
| 19 | 
            +
                  t.integer  :sign_in_count, default: 0
         | 
| 20 20 | 
             
                  t.datetime :current_sign_in_at
         | 
| 21 21 | 
             
                  t.datetime :last_sign_in_at
         | 
| 22 22 | 
             
                  t.string   :current_sign_in_ip
         | 
| @@ -29,20 +29,21 @@ class CreateTables < ActiveRecord::Migration | |
| 29 29 | 
             
                  # t.string   :unconfirmed_email # Only if using reconfirmable
         | 
| 30 30 |  | 
| 31 31 | 
             
                  ## Lockable
         | 
| 32 | 
            -
                  t.integer  :failed_attempts, : | 
| 32 | 
            +
                  t.integer  :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
         | 
| 33 33 | 
             
                  t.string   :unlock_token # Only if unlock strategy is :email or :both
         | 
| 34 34 | 
             
                  t.datetime :locked_at
         | 
| 35 35 |  | 
| 36 36 | 
             
                  ## Token authenticatable
         | 
| 37 37 | 
             
                  t.string :authentication_token
         | 
| 38 | 
            +
                  t.datetime :authentication_token_created_at, null: true
         | 
| 38 39 |  | 
| 39 40 | 
             
                  t.timestamps
         | 
| 40 41 | 
             
                end
         | 
| 41 42 |  | 
| 42 43 | 
             
                create_table :admins do |t|
         | 
| 43 44 | 
             
                  ## Database authenticatable
         | 
| 44 | 
            -
                  t.string :email,              : | 
| 45 | 
            -
                  t.string :encrypted_password, : | 
| 45 | 
            +
                  t.string :email,              null: true
         | 
| 46 | 
            +
                  t.string :encrypted_password, null: true
         | 
| 46 47 |  | 
| 47 48 | 
             
                  ## Recoverable
         | 
| 48 49 | 
             
                  t.string   :reset_password_token
         | 
| @@ -61,7 +62,7 @@ class CreateTables < ActiveRecord::Migration | |
| 61 62 | 
             
                  t.datetime :locked_at
         | 
| 62 63 |  | 
| 63 64 | 
             
                  ## Attribute for testing route blocks
         | 
| 64 | 
            -
                  t.boolean :active, : | 
| 65 | 
            +
                  t.boolean :active, default: false
         | 
| 65 66 |  | 
| 66 67 | 
             
                  t.timestamps
         | 
| 67 68 | 
             
                end
         | 
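Review bot: The new `authentication_token_created_at` column is declared `null: true`, so every user row that exists before this migration runs carries a nil timestamp, and whether the expiry check that accompanies `token_expires_in` treats nil as "never expires" or as "already expired" is decided in strategy.rb, which is not in this section; an explicit spec for a user that has a token but no `authentication_token_created_at` would pin that behaviour. Nullable is the reasonable choice for a schema that is upgraded in place, but the intent should be recorded on the line, e.g. `t.datetime :authentication_token_created_at, null: true # nil for tokens issued before expiry tracking; see the strategy for how nil is handled`. The `create_table :users` block this column belongs to starts outside the hunk, and since this edits the spec app's existing CreateTables migration rather than adding a new one, applications upgrading the gem will need their own migration for the column.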
| @@ -7,7 +7,8 @@ | |
| 7 7 | 
             
            # a new one is created.
         | 
| 8 8 | 
             
            #
         | 
| 9 9 | 
             
            def sign_in_as_new_user_with_token(options = {})
         | 
| 10 | 
            -
               | 
| 10 | 
            +
              trait = options[:use] ? options[:use] : :with_authentication_token
         | 
| 11 | 
            +
              user = options.delete(:user) || create(:user, trait)
         | 
| 11 12 |  | 
| 12 13 | 
             
              options[:auth_token_key] ||= Devise::TokenAuthenticatable.token_authentication_key
         | 
| 13 14 | 
             
              options[:auth_token]     ||= user.authentication_token
         | 
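Review bot: `trait = options[:use] ? options[:use] : :with_authentication_token` on line 10 is the `||` idiom written as a ternary, and unlike `:user` on the next line it leaves `:use` sitting in `options`; `trait = options.delete(:use) || :with_authentication_token` keeps the two lines symmetric and stops the key from reaching whatever the remainder of the helper does with `options`. The body of sign_in_as_new_user_with_token continues past the hunk, so whether the leftover key is actually forwarded (for example into request params) cannot be confirmed from here.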
| @@ -1,18 +1,15 @@ | |
| 1 1 | 
             
            require 'spec_helper'
         | 
| 2 2 |  | 
| 3 3 | 
             
            describe Devise::TokenAuthenticatable do
         | 
| 4 | 
            -
             | 
| 5 | 
            -
             | 
| 6 | 
            -
                let(:expire_auth_token_on_timeout) { true }
         | 
| 4 | 
            +
              context "configuring the token_expires_in" do
         | 
| 5 | 
            +
                let(:expire_time) { 1.hour }
         | 
| 7 6 |  | 
| 8 7 | 
             
                it "should set the configuration" do
         | 
| 9 8 | 
             
                  expect {
         | 
| 10 9 | 
             
                    Devise::TokenAuthenticatable.setup do |config|
         | 
| 11 | 
            -
                      config. | 
| 10 | 
            +
                      config.token_expires_in = expire_time
         | 
| 12 11 | 
             
                    end
         | 
| 13 | 
            -
                  }.to change {
         | 
| 14 | 
            -
                    Devise::TokenAuthenticatable.expire_auth_token_on_timeout
         | 
| 15 | 
            -
                  }.from(false).to(expire_auth_token_on_timeout)
         | 
| 12 | 
            +
                  }.to change { Devise::TokenAuthenticatable.token_expires_in }.from(nil).to(expire_time)
         | 
| 16 13 | 
             
                end
         | 
| 17 14 | 
             
              end
         | 
| 18 15 |  | 
| @@ -51,5 +48,4 @@ describe Devise::TokenAuthenticatable do | |
| 51 48 | 
             
                  }.to change { Devise::TokenAuthenticatable.should_ensure_authentication_token }.from(false).to(should_ensure)
         | 
| 52 49 | 
             
                end
         | 
| 53 50 | 
             
              end
         | 
| 54 | 
            -
             | 
| 55 51 | 
             
            end
         | 
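Review bot: The example on lines 8–12 assigns `token_expires_in` through `Devise::TokenAuthenticatable.setup` and never restores it, so the `.from(nil)` expectation on line 12 holds only if this example runs before anything else that sets the option (the strategy specs use `swap`, which restores the previous value). Adding `after { Devise::TokenAuthenticatable.token_expires_in = nil }` inside the `context "configuring the token_expires_in"` block makes the assertion independent of example ordering and keeps the expiry setting from leaking into later examples. The removed `expire_auth_token_on_timeout` example had the same shape, so this is pre-existing, but the new option now affects request-level authentication, which makes a leak more visible.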
    
        metadata
    CHANGED
    
    | @@ -1,14 +1,14 @@ | |
| 1 1 | 
             
            --- !ruby/object:Gem::Specification
         | 
| 2 2 | 
             
            name: devise-token_authenticatable
         | 
| 3 3 | 
             
            version: !ruby/object:Gem::Version
         | 
| 4 | 
            -
              version: 0.4. | 
| 4 | 
            +
              version: 0.4.9
         | 
| 5 5 | 
             
            platform: ruby
         | 
| 6 6 | 
             
            authors:
         | 
| 7 7 | 
             
            - Sebastian Oelke
         | 
| 8 8 | 
             
            autorequire: 
         | 
| 9 9 | 
             
            bindir: bin
         | 
| 10 10 | 
             
            cert_chain: []
         | 
| 11 | 
            -
            date: 2016- | 
| 11 | 
            +
            date: 2016-05-24 00:00:00.000000000 Z
         | 
| 12 12 | 
             
            dependencies:
         | 
| 13 13 | 
             
            - !ruby/object:Gem::Dependency
         | 
| 14 14 | 
             
              name: devise
         | 
| @@ -147,7 +147,6 @@ files: | |
| 147 147 | 
             
            - devise-token_authenticatable.gemspec
         | 
| 148 148 | 
             
            - lib/devise-token_authenticatable.rb
         | 
| 149 149 | 
             
            - lib/devise/token_authenticatable.rb
         | 
| 150 | 
            -
            - lib/devise/token_authenticatable/hooks/timeoutable.rb
         | 
| 151 150 | 
             
            - lib/devise/token_authenticatable/model.rb
         | 
| 152 151 | 
             
            - lib/devise/token_authenticatable/strategy.rb
         | 
| 153 152 | 
             
            - lib/devise/token_authenticatable/version.rb
         | 
| @@ -1,34 +0,0 @@ | |
| 1 | 
            -
            # Each time a record is set we check whether its session has already timed out
         | 
| 2 | 
            -
            # or not, based on last request time. If so and :expire_auth_token_on_timeout
         | 
| 3 | 
            -
            # is set to true, the record's auth token is reset.
         | 
| 4 | 
            -
             | 
| 5 | 
            -
            # This is a backport of the functionality of expire_auth_token_on_timeout that
         | 
| 6 | 
            -
            # has been removed from devise in version 3.5.2.
         | 
| 7 | 
            -
            #
         | 
| 8 | 
            -
            # For the original version cf.
         | 
| 9 | 
            -
            # https://github.com/plataformatec/devise/blob/v3.5.1/lib/devise/hooks/timeoutable.rb.
         | 
| 10 | 
            -
             | 
| 11 | 
            -
            Warden::Manager.after_set_user do |record, warden, options|
         | 
| 12 | 
            -
              scope = options[:scope]
         | 
| 13 | 
            -
              env   = warden.request.env
         | 
| 14 | 
            -
             | 
| 15 | 
            -
              if record && record.respond_to?(:timedout?) &&
         | 
| 16 | 
            -
                warden.authenticated?(scope) &&
         | 
| 17 | 
            -
                options[:store] != false     &&
         | 
| 18 | 
            -
                !env['devise.skip_timeoutable']
         | 
| 19 | 
            -
             | 
| 20 | 
            -
                last_request_at = warden.session(scope)['last_request_at']
         | 
| 21 | 
            -
             | 
| 22 | 
            -
                if last_request_at.is_a? Integer
         | 
| 23 | 
            -
                  last_request_at = Time.at(last_request_at).utc
         | 
| 24 | 
            -
                elsif last_request_at.is_a? String
         | 
| 25 | 
            -
                  last_request_at = Time.parse(last_request_at)
         | 
| 26 | 
            -
                end
         | 
| 27 | 
            -
             | 
| 28 | 
            -
                if record.timedout?(last_request_at) && !env['devise.skip_timeout']
         | 
| 29 | 
            -
                  if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
         | 
| 30 | 
            -
                    record.reset_authentication_token!
         | 
| 31 | 
            -
                  end
         | 
| 32 | 
            -
                end
         | 
| 33 | 
            -
              end
         | 
| 34 | 
            -
            end
         |