RubyGems - devise-tokens - Versions diffs - 1.0.0 → 1.0.1 - Mend

devise-tokens 1.0.0 → 1.0.1

Files changed (64) hide show

checksums.yaml +4 -4
data/app/controllers/devise_tokens/application_controller.rb +77 -0
data/app/controllers/devise_tokens/concerns/resource_finder.rb +42 -0
data/app/controllers/devise_tokens/concerns/set_user_by_token.rb +160 -0
data/app/controllers/devise_tokens/confirmations_controller.rb +79 -0
data/app/controllers/devise_tokens/omniauth_callbacks_controller.rb +284 -0
data/app/controllers/devise_tokens/passwords_controller.rb +204 -0
data/app/controllers/devise_tokens/registrations_controller.rb +203 -0
data/app/controllers/devise_tokens/sessions_controller.rb +128 -0
data/app/controllers/devise_tokens/token_validations_controller.rb +29 -0
data/app/controllers/devise_tokens/unlocks_controller.rb +87 -0
data/app/models/devise_token_auth/concerns/active_record_support.rb +16 -0
data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
data/app/models/devise_token_auth/concerns/tokens_serialization.rb +19 -0
data/app/models/devise_token_auth/concerns/user.rb +253 -0
data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +28 -0
data/app/validators/devise_token_auth_email_validator.rb +23 -0
data/app/views/devise/mailer/confirmation_instructions.html.erb +5 -0
data/app/views/devise/mailer/reset_password_instructions.html.erb +8 -0
data/app/views/devise/mailer/unlock_instructions.html.erb +7 -0
data/app/views/devise_token_auth/omniauth_external_window.html.erb +38 -0
data/config/locales/da-DK.yml +52 -0
data/config/locales/de.yml +51 -0
data/config/locales/en.yml +57 -0
data/config/locales/es.yml +51 -0
data/config/locales/fr.yml +51 -0
data/config/locales/he.yml +52 -0
data/config/locales/it.yml +48 -0
data/config/locales/ja.yml +48 -0
data/config/locales/nl.yml +32 -0
data/config/locales/pl.yml +50 -0
data/config/locales/pt-BR.yml +48 -0
data/config/locales/pt.yml +50 -0
data/config/locales/ro.yml +48 -0
data/config/locales/ru.yml +52 -0
data/config/locales/sq.yml +48 -0
data/config/locales/sv.yml +52 -0
data/config/locales/uk.yml +61 -0
data/config/locales/vi.yml +52 -0
data/config/locales/zh-CN.yml +48 -0
data/config/locales/zh-HK.yml +50 -0
data/config/locales/zh-TW.yml +50 -0
data/lib/devise_tokens.rb +14 -0
data/lib/devise_tokens/blacklist.rb +2 -0
data/lib/devise_tokens/controllers/helpers.rb +161 -0
data/lib/devise_tokens/controllers/url_helpers.rb +10 -0
data/lib/devise_tokens/engine.rb +92 -0
data/lib/devise_tokens/errors.rb +6 -0
data/lib/devise_tokens/rails/routes.rb +116 -0
data/lib/devise_tokens/token_factory.rb +126 -0
data/lib/devise_tokens/url.rb +39 -0
data/lib/devise_tokens/version.rb +3 -0
data/lib/generators/devise_tokens/USAGE +31 -0
data/lib/generators/devise_tokens/install_generator.rb +91 -0
data/lib/generators/devise_tokens/install_generator_helpers.rb +98 -0
data/lib/generators/devise_tokens/install_mongoid_generator.rb +46 -0
data/lib/generators/devise_tokens/install_views_generator.rb +18 -0
data/lib/generators/devise_tokens/templates/devise_tokens.rb +55 -0
data/lib/generators/devise_tokens/templates/devise_tokens_create_users.rb.erb +49 -0
data/lib/generators/devise_tokens/templates/user.rb.erb +9 -0
data/lib/generators/devise_tokens/templates/user_mongoid.rb.erb +56 -0
data/lib/tasks/devise_tokens_tasks.rake +6 -0
metadata +208 -4
data/lib/devise-tokens.rb +0 -5

data/app/controllers/devise_tokens/passwords_controller.rb ADDED Viewed

@@ -0,0 +1,204 @@
+module DeviseTokens
+  class PasswordsController < DeviseTokens::ApplicationController
+    before_action :validate_redirect_url_param, only: [:create, :edit]
+    skip_after_action :update_auth_header, only: [:create, :edit]
+    # this action is responsible for generating password reset tokens and sending emails
+    def create
+      return render_create_error_missing_email unless resource_params[:email]
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:uid, @email)
+      if @resource
+        yield @resource if block_given?
+        @resource.send_reset_password_instructions(
+          email: @email,
+          provider: 'email',
+          redirect_url: @redirect_url,
+          client_config: params[:config_name]
+        )
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+    # this is where users arrive after visiting the password reset confirmation link
+    def edit
+      # if a user is not found, return nil
+      @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+      if @resource && @resource.reset_password_period_valid?
+        token = @resource.create_token unless require_client_password_reset_token?
+        # ensure that user is confirmed
+        @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
+        # allow user to change password once without current_password
+        @resource.allow_password_change = true if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        if require_client_password_reset_token?
+          redirect_to DeviseTokens::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+        else
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers))
+        end
+      else
+        render_edit_error
+      end
+    end
+    def update
+      # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
+      return render_update_error_unauthorized unless @resource
+      # make sure account doesn't use oauth2 provider
+      unless @resource.provider == 'email'
+        return render_update_error_password_not_required
+      end
+      # ensure that password params were sent
+      unless password_resource_params[:password] && password_resource_params[:password_confirmation]
+        return render_update_error_missing_password
+      end
+      if @resource.send(resource_update_method, password_resource_params)
+        @resource.allow_password_change = false if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        return render_update_success
+      else
+        return render_update_error
+      end
+    end
+    protected
+    def resource_update_method
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
+      if DeviseTokens.check_current_password_before_update == false || allow_password_change
+        'update'
+      else
+        'update_with_password'
+      end
+    end
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_tokens.passwords.missing_email'))
+    end
+    def render_create_error_missing_redirect_url
+      render_error(401, I18n.t('devise_tokens.passwords.missing_redirect_url'))
+    end
+    def render_error_not_allowed_redirect_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_tokens.passwords.not_allowed_redirect_url', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t('devise_tokens.passwords.sended', email: @email)
+      }
+    end
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors
+      }, status: 400
+    end
+    def render_edit_error
+      raise ActionController::RoutingError, 'Not Found'
+    end
+    def render_update_error_unauthorized
+      render_error(401, 'Unauthorized')
+    end
+    def render_update_error_password_not_required
+      render_error(422, I18n.t('devise_tokens.passwords.password_not_required', provider: @resource.provider.humanize))
+    end
+    def render_update_error_missing_password
+      render_error(422, I18n.t('devise_tokens.passwords.missing_passwords'))
+    end
+    def render_update_success
+      render json: {
+        success: true,
+        data: resource_data,
+        message: I18n.t('devise_tokens.passwords.successfully_updated')
+      }
+    end
+    def render_update_error
+      render json: {
+        success: false,
+        errors: resource_errors
+      }, status: 422
+    end
+    private
+    def resource_params
+      params.permit(:email, :reset_password_token)
+    end
+    def password_resource_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    def render_not_found_error
+      render_error(404, I18n.t('devise_tokens.passwords.user_not_found', email: @email))
+    end
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokens.default_password_reset_url
+      )
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+    end
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+    def require_client_password_reset_token?
+      DeviseTokens.require_client_password_reset_token
+    end
+  end
+end

data/app/controllers/devise_tokens/registrations_controller.rb ADDED Viewed

@@ -0,0 +1,203 @@
+module DeviseTokens
+  class RegistrationsController < DeviseTokens::ApplicationController
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
+    def create
+      build_resource
+      unless @resource.present?
+        raise DeviseTokens::Errors::NoResourceDefinedError,
+              "#{self.class.name} #build_resource does not define @resource,"\
+              ' execution stopped.'
+      end
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :confirm_success_url,
+        DeviseTokens.default_confirm_success_url
+      )
+      # success redirect url is required
+      if confirmable_enabled? && !@redirect_url
+        return render_create_error_missing_confirm_success_url
+      end
+      # if whitelist is set, validate redirect_url against whitelist
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
+      # override email confirmation, must be sent manually from ctrl
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
+      if @resource.save
+        yield @resource if block_given?
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
+        end
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
+        end
+        render_create_success
+      else
+        clean_up_passwords @resource
+        render_create_error
+      end
+    end
+    def update
+      if @resource
+        if @resource.send(resource_update_method, account_update_params)
+          yield @resource if block_given?
+          render_update_success
+        else
+          render_update_error
+        end
+      else
+        render_update_error_user_not_found
+      end
+    end
+    def destroy
+      if @resource
+        @resource.destroy
+        yield @resource if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    def sign_up_params
+      params.permit(*params_for_resource(:sign_up))
+    end
+    def account_update_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    protected
+    def build_resource
+      @resource            = resource_class.new(sign_up_params)
+      @resource.provider   = provider
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].try(:downcase)
+      else
+        @resource.email = sign_up_params[:email]
+      end
+    end
+    def render_create_error_missing_confirm_success_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_tokens.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
+    end
+    def render_create_error_redirect_url_not_allowed
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_tokens.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_create_error
+      render json: {
+        status: 'error',
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_update_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_update_error
+      render json: {
+        status: 'error',
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_update_error_user_not_found
+      render_error(404, I18n.t('devise_tokens.registrations.user_not_found'), status: 'error')
+    end
+    def render_destroy_success
+      render json: {
+        status: 'success',
+        message: I18n.t('devise_tokens.registrations.account_with_uid_destroyed', uid: @resource.uid)
+      }
+    end
+    def render_destroy_error
+      render_error(404, I18n.t('devise_tokens.registrations.account_to_destroy_not_found'), status: 'error')
+    end
+    private
+    def resource_update_method
+      if DeviseTokens.check_current_password_before_update == :attributes
+        'update_with_password'
+      elsif DeviseTokens.check_current_password_before_update == :password && account_update_params.key?(:password)
+        'update_with_password'
+      elsif account_update_params.key?(:current_password)
+        'update_with_password'
+      else
+        'update'
+      end
+    end
+    def validate_sign_up_params
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
+    end
+    def validate_account_update_params
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+    end
+    def validate_post_data which, message
+      render_error(:unprocessable_entity, message, status: 'error') if which.empty?
+    end
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
+  end
+end

data/app/controllers/devise_tokens/sessions_controller.rb ADDED Viewed

@@ -0,0 +1,128 @@
+module DeviseTokens
+  class SessionsController < DeviseTokens::ApplicationController
+    before_action :set_user_by_token, only: [:destroy]
+    after_action :reset_session, only: [:destroy]
+    def new
+      render_new_error
+    end
+    def create
+      # Check
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+        @resource = find_resource(field, q_value)
+      end
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+          return render_create_error_bad_credentials
+        end
+        @token = @resource.create_token
+        @resource.save
+        sign_in(:user, @resource, store: false, bypass: false)
+        yield @resource if block_given?
+        render_create_success
+      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
+      else
+        render_create_error_bad_credentials
+      end
+    end
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client = @token.client if @token.client
+      @token.clear!
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
+        user.save!
+        yield user if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    protected
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+      { key: auth_key, val: auth_val }
+    end
+    def render_new_error
+      render_error(405, I18n.t('devise_tokens.sessions.not_supported'))
+    end
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t('devise_tokens.sessions.not_confirmed', email: @resource.email))
+    end
+    def render_create_error_account_locked
+      render_error(401, I18n.t('devise.mailer.unlock_instructions.account_lock_msg'))
+    end
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t('devise_tokens.sessions.bad_credentials'))
+    end
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+    def render_destroy_error
+      render_error(404, I18n.t('devise_tokens.sessions.user_not_found'))
+    end
+    private
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+  end
+end