devise-tokens 1.0.0 → 1.0.1

data/lib/devise_tokens/errors.rb

@@ -0,0 +1,6 @@
+module DeviseTokens
+  module Errors
+    class NoResourceDefinedError < StandardError; end
+    class InvalidModel < StandardError; end
+  end
+end

data/lib/devise_tokens/rails/routes.rb

@@ -0,0 +1,116 @@
+
+
+module ActionDispatch::Routing
+  class Mapper
+    def mount_devise_tokens_for(resource, opts)
+      # ensure objects exist to simplify attr checks
+      opts[:controllers] ||= {}
+      opts[:skip]        ||= []
+
+      # check for ctrl overrides, fall back to defaults
+      sessions_ctrl          = opts[:controllers][:sessions] || 'devise_tokens/sessions'
+      registrations_ctrl     = opts[:controllers][:registrations] || 'devise_tokens/registrations'
+      passwords_ctrl         = opts[:controllers][:passwords] || 'devise_tokens/passwords'
+      confirmations_ctrl     = opts[:controllers][:confirmations] || 'devise_tokens/confirmations'
+      token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_tokens/token_validations'
+      omniauth_ctrl          = opts[:controllers][:omniauth_callbacks] || 'devise_tokens/omniauth_callbacks'
+      unlocks_ctrl           = opts[:controllers][:unlocks] || 'devise_tokens/unlocks'
+
+      # define devise controller mappings
+      controllers = { sessions: sessions_ctrl,
+                      registrations: registrations_ctrl,
+                      passwords: passwords_ctrl,
+                      confirmations: confirmations_ctrl }
+
+      controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
+
+      # remove any unwanted devise modules
+      opts[:skip].each{ |item| controllers.delete(item) }
+
+      devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
+                 class_name: resource,
+                 module: :devise,
+                 path: opts[:at].to_s,
+                 controllers: controllers,
+                 skip: opts[:skip] + [:omniauth_callbacks]
+
+      unnest_namespace do
+        # get full url path as if it were namespaced
+        full_path = "#{@scope[:path]}/#{opts[:at]}"
+
+        # get namespace name
+        namespace_name = @scope[:as]
+
+        # clear scope so controller routes aren't namespaced
+        @scope = ActionDispatch::Routing::Mapper::Scope.new(
+          path:         '',
+          shallow_path: '',
+          constraints:  {},
+          defaults:     {},
+          options:      {},
+          parent:       nil
+        )
+
+        mapping_name = resource.underscore.gsub('/', '_')
+        mapping_name = "#{namespace_name}_#{mapping_name}" if namespace_name
+
+        devise_scope mapping_name.to_sym do
+          # path to verify token validity
+          get "#{full_path}/validate_token", controller: token_validations_ctrl.to_s, action: 'validate_token' if !opts[:skip].include?(:token_validations)
+
+          # omniauth routes. only define if omniauth is installed and not skipped.
+          if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
+            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get]
+            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get]
+
+            match "#{DeviseTokens.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: 'redirect_callbacks', via: [:get, :post]
+            match "#{DeviseTokens.omniauth_prefix}/failure", controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
+
+            # preserve the resource class thru oauth authentication by setting name of
+            # resource as "resource_class" param
+            match "#{full_path}/:provider", to: redirect{ |params, request|
+              # get the current querystring
+              qs = CGI::parse(request.env['QUERY_STRING'])
+
+              # append name of current resource
+              qs['resource_class'] = [resource]
+              qs['namespace_name'] = [namespace_name] if namespace_name
+
+              set_omniauth_path_prefix!(DeviseTokens.omniauth_prefix)
+
+              redirect_params = {}.tap { |hash| qs.each{ |k, v| hash[k] = v.first } }
+
+              if DeviseTokens.redirect_whitelist
+                redirect_url = request.params['auth_origin_url']
+                unless DeviseTokens::Url.whitelisted?(redirect_url)
+                  message = I18n.t(
+                    'devise_tokens.registrations.redirect_url_not_allowed',
+                    redirect_url: redirect_url
+                  )
+                  redirect_params['message'] = message
+                  next "#{::OmniAuth.config.path_prefix}/failure?#{redirect_params.to_param}"
+                end
+              end
+
+              # re-construct the path for omniauth
+              "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
+            }, via: [:get]
+          end
+        end
+      end
+    end
+
+    # this allows us to use namespaced paths without namespacing the routes
+    def unnest_namespace
+      current_scope = @scope.dup
+      yield
+    ensure
+      @scope = current_scope
+    end
+
+    # ignore error about omniauth/multiple model support
+    def set_omniauth_path_prefix!(path_prefix)
+      ::OmniAuth.config.path_prefix = path_prefix
+    end
+  end
+end

data/lib/devise_tokens/token_factory.rb

@@ -0,0 +1,126 @@
+require 'bcrypt'
+
+module DeviseTokens
+  # A token management factory which allow generate token objects and check them.
+  module TokenFactory
+    # For BCrypt::Password class see:
+    # https://github.com/codahale/bcrypt-ruby/blob/master/lib/bcrypt/password.rb
+
+    # Creates a token instance. Takes an optional client, lifespan and cost options.
+    # Example:
+    #   DeviseTokens::TokenFactory.create
+    #   => #<struct DeviseTokens::TokenFactory::Token client="tElcgkdZ7f9XEa0unZhrYQ", token="rAMcWOs0-mGHFMnIgJD2cA", token_hash="$2a$10$wrsdlHVRGlYW11wfImxU..jr0Ux3bHo/qbXcSfgp8zmvVUNHosita", expiry=1518982690>
+    #
+    #   DeviseTokens::TokenFactory.create(lifespan: 10, cost: 4)
+    #   => #<struct DeviseTokens::TokenFactory::Token client="5qleT7_t9JPVcX9xmxkVYA", token="RBXX43u4xXNSO-fr2N_4pA", token_hash="$2a$04$9gpCaoFbu2dUKxU3qiTgluHX7jj9UzS.jq1QW0EkQmoaxARo1WxTy", expiry=1517773268>
+    def self.create(client: nil, lifespan: nil, cost: nil)
+      # obj_client  = client.nil? ? client() : client
+      obj_client  = client || client()
+      obj_token      = token
+      obj_token_hash = token_hash(obj_token, cost)
+      obj_expiry     = expiry(lifespan)
+
+      Token.new(obj_client, obj_token, obj_token_hash, obj_expiry)
+    end
+
+    # Generates a random URL-safe client.
+    # Example:
+    #   DeviseTokens::TokenFactory.client
+    #   => "zNf0pNP5iGfuBItZJGCseQ"
+    def self.client
+      secure_string
+    end
+
+    # Generates a random URL-safe token.
+    # Example:
+    #   DeviseTokens::TokenFactory.token
+    #   => "6Bqs4K9x8ChLmZogvruF3A"
+    def self.token
+      secure_string
+    end
+
+    # Returns token hash for a token with given cost. If no cost value is specified,
+    # the default value is used. The possible cost value is within range from 4 to 31.
+    # It is recommended to not use a value more than 10.
+    # Example:
+    #   DeviseTokens::TokenFactory.token_hash("_qxAxmc-biQLiYRHsmwd5Q")
+    #   => "$2a$10$6/cTAtQ3CBLfpkeHW7dlt.PD2aVCbFRN5vDDJUUhGsZ6pzYFlh4Me"
+    #
+    #   DeviseTokens::TokenFactory.token_hash("_qxAxmc-biQLiYRHsmwd5Q", 4)
+    #   => "$2a$04$RkIrosbdRtuet2eUk3si8eS4ufeNpiPc/rSSsfpniRK8ogM5YFOWS"
+    def self.token_hash(token, cost = nil)
+      cost ||= DeviseTokens.token_cost
+      BCrypt::Password.create(token, cost: cost)
+    end
+
+    # Returns the value of time as an integer number of seconds. Takes one argument.
+    # Example:
+    #   DeviseTokens::TokenFactory.expiry
+    #   => 1518983359
+    #   DeviseTokens::TokenFactory.expiry(10)
+    #   => 1517773781
+    def self.expiry(lifespan = nil)
+      lifespan ||= DeviseTokens.token_lifespan
+      (Time.zone.now + lifespan).to_i
+    end
+
+    # Generates a random URL-safe string.
+    # Example:
+    #   DeviseTokens::TokenFactory.secure_string
+    #   => "ADBoIaqXsEDnxIpOuumrTA"
+    def self.secure_string
+      # https://ruby-doc.org/stdlib-2.5.0/libdoc/securerandom/rdoc/Random/Formatter.html#method-i-urlsafe_base64
+      SecureRandom.urlsafe_base64
+    end
+
+    # Returns true if token hash is a valid token hash.
+    # Example:
+    #   token_hash = "$2a$10$ArjX0tskRIa5Z/Tmapy59OCiAXLStfhrCiaDz.8fCb6hnX1gJ0p/2"
+    #   DeviseTokens::TokenFactory.valid_token_hash?(token_hash)
+    #   => true
+    def self.valid_token_hash?(token_hash)
+      !!BCrypt::Password.valid_hash?(token_hash)
+    end
+
+    # Compares a potential token against the token hash. Returns true if the token is the original token, false otherwise.
+    # Example:
+    #   token = "4wZ9gcc900rMQD1McpcSNA"
+    #   token_hash = "$2a$10$ArjX0tskRIa5Z/Tmapy59OCiAXLStfhrCiaDz.8fCb6hnX1gJ0p/2"
+    #   DeviseTokens::TokenFactory.token_hash_is_token?(token_hash, token)
+    #   => true
+    def self.token_hash_is_token?(token_hash, token)
+      BCrypt::Password.new(token_hash).is_password?(token)
+    rescue StandardError
+      false
+    end
+
+    # Creates a token instance with instance variables equal nil.
+    # Example:
+    #   DeviseTokens::TokenFactory.new
+    #   => #<struct DeviseTokens::TokenFactory::Token client=nil, token=nil, token_hash=nil, expiry=nil>
+    def self.new
+      Token.new
+    end
+
+    Token = Struct.new(:client, :token, :token_hash, :expiry) do
+      # Sets all instance variables of the token to nil. It is faster than creating new empty token.
+      # Example:
+      #   token.clear!
+      #   => true
+      #   token
+      #   => #<struct DeviseTokens::TokenFactory::Token client=nil, token=nil, token_hash=nil, expiry=nil>
+      def clear!
+        size.times { |i| self[i] = nil }
+        true
+      end
+
+      # Checks token attribute presence
+      # Example:
+      #   token.present?
+      #   => true
+      def present?
+        token.present?
+      end
+    end
+  end
+end

data/lib/devise_tokens/url.rb

@@ -0,0 +1,39 @@
+module DeviseTokens::Url
+
+  def self.generate(url, params = {})
+    uri = URI(url)
+
+    res = "#{uri.scheme}://#{uri.host}"
+    res += ":#{uri.port}" if (uri.port && uri.port != 80 && uri.port != 443)
+    res += uri.path.to_s if uri.path
+    query = [uri.query, params.to_query].reject(&:blank?).join('&')
+    res += "?#{query}"
+    res += "##{uri.fragment}" if uri.fragment
+
+    res
+  end
+
+  def self.whitelisted?(url)
+    url.nil? || \
+      !!DeviseTokens.redirect_whitelist.find do |pattern|
+        !!Wildcat.new(pattern).match(url)
+      end
+  end
+
+  # wildcard convenience class
+  class Wildcat
+    def self.parse_to_regex(str)
+      escaped = Regexp.escape(str).gsub('\*','.*?')
+      Regexp.new("^#{escaped}$", Regexp::IGNORECASE)
+    end
+
+    def initialize(str)
+      @regex = self.class.parse_to_regex(str)
+    end
+
+    def match(str)
+      !!@regex.match(str)
+    end
+  end
+
+end

data/lib/devise_tokens/version.rb

@@ -0,0 +1,3 @@
+module DeviseTokens
+  VERSION = '1.1.3'.freeze
+end

data/lib/generators/devise_tokens/USAGE

@@ -0,0 +1,31 @@
+Description:
+  This generator will install all the necessary configuration and migration
+  files for the devise_tokens gem. See
+  https://github.com/lynndylanhurley/devise_tokens for more information.
+
+Arguments:
+  USER_CLASS # The name of the class to use for user authentication. Default is
+             # 'User'
+  MOUNT_PATH # The path at which to mount the authentication routes. Default is
+             # 'auth'. More detail documentation is here:
+             # https://github.com/lynndylanhurley/devise_tokens#usage-tldr
+
+Example:
+  rails generate devise_tokens:install User auth
+
+  This will create:
+      config/initializers/devise_tokens.rb
+      db/migrate/<%= Time.zone.now.utc.strftime("%Y%m%d%H%M%S") %>_create_devise_tokens_create_users.rb
+      app/models/user.rb
+
+  If 'app/models/user.rb' already exists, the following line will be inserted
+  after the class definition:
+      include DeviseTokens::Concerns::User
+
+  The following line will be inserted into your application controller at
+  app/controllers/application_controller.rb:
+      include DeviseTokens::Concerns::SetUserByToken
+
+  The following line will be inserted at the top of 'config/routes.rb' if it
+  does not already exist:
+      mount_devise_tokens_for "User", at: 'auth'

data/lib/generators/devise_tokens/install_generator.rb

@@ -0,0 +1,91 @@
+
+
+require_relative 'install_generator_helpers'
+
+module DeviseTokens
+  class InstallGenerator < Rails::Generators::Base
+    include Rails::Generators::Migration
+    include DeviseTokens::InstallGeneratorHelpers
+
+    class_option :primary_key_type, type: :string, desc: 'The type for primary key'
+
+    def copy_migrations
+      if self.class.migration_exists?('db/migrate', "devise_tokens_create_#{user_class.pluralize.gsub('::','').underscore}")
+        say_status('skipped', "Migration 'devise_tokens_create_#{user_class.pluralize.gsub('::','').underscore}' already exists")
+      else
+        migration_template(
+          'devise_tokens_create_users.rb.erb',
+          "db/migrate/devise_tokens_create_#{user_class.pluralize.gsub('::','').underscore}.rb"
+        )
+      end
+    end
+
+    def create_user_model
+      fname = "app/models/#{user_class.underscore}.rb"
+      if File.exist?(File.join(destination_root, fname))
+        inclusion = 'include DeviseTokens::Concerns::User'
+        unless parse_file_for_line(fname, inclusion)
+
+          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
+            # Include default devise modules.
+            devise :database_authenticatable, :registerable,
+                    :recoverable, :rememberable, :trackable, :validatable,
+                    :confirmable, :omniauthable
+            include DeviseTokens::Concerns::User
+            RUBY
+          end
+        end
+      else
+        template('user.rb.erb', fname)
+      end
+    end
+
+    private
+
+    def self.next_migration_number(path)
+      Time.zone.now.utc.strftime('%Y%m%d%H%M%S')
+    end
+
+    def json_supported_database?
+      (postgres? && postgres_correct_version?) || (mysql? && mysql_correct_version?)
+    end
+
+    def postgres?
+      database_name == 'ActiveRecord::ConnectionAdapters::PostgreSQLAdapter'
+    end
+
+    def postgres_correct_version?
+      database_version > '9.3'
+    end
+
+    def mysql?
+      database_name == 'ActiveRecord::ConnectionAdapters::MysqlAdapter'
+    end
+
+    def mysql_correct_version?
+      database_version > '5.7.7'
+    end
+
+    def database_name
+      ActiveRecord::Base.connection.class.name
+    end
+
+    def database_version
+      ActiveRecord::Base.connection.select_value('SELECT VERSION()')
+    end
+
+    def rails5?
+      Rails.version.start_with? '5'
+    end
+
+    def primary_key_type
+      primary_key_string if rails5?
+    end
+
+    def primary_key_string
+      key_string = options[:primary_key_type]
+      ", id: :#{key_string}" if key_string
+    end
+  end
+end

data/lib/generators/devise_tokens/install_generator_helpers.rb

@@ -0,0 +1,98 @@
+module DeviseTokens
+  module InstallGeneratorHelpers
+    class << self
+      def included(mod)
+        mod.class_eval do
+          source_root File.expand_path('templates', __dir__)
+
+          argument :user_class, type: :string, default: 'User'
+          argument :mount_path, type: :string, default: 'auth'
+
+          def create_initializer_file
+            copy_file('devise_tokens.rb', 'config/initializers/devise_tokens.rb')
+          end
+
+          def include_controller_concerns
+            fname = 'app/controllers/application_controller.rb'
+            line  = 'include DeviseTokens::Concerns::SetUserByToken'
+
+            if File.exist?(File.join(destination_root, fname))
+              if parse_file_for_line(fname, line)
+                say_status('skipped', 'Concern is already included in the application controller.')
+              elsif is_rails_api?
+                inject_into_file fname, after: "class ApplicationController < ActionController::API\n" do <<-'RUBY'
+        include DeviseTokens::Concerns::SetUserByToken
+                RUBY
+                end
+              else
+                inject_into_file fname, after: "class ApplicationController < ActionController::Base\n" do <<-'RUBY'
+        include DeviseTokens::Concerns::SetUserByToken
+                RUBY
+                end
+              end
+            else
+              say_status('skipped', "app/controllers/application_controller.rb not found. Add 'include DeviseTokens::Concerns::SetUserByToken' to any controllers that require authentication.")
+            end
+          end
+
+          def add_route_mount
+            f    = 'config/routes.rb'
+            str  = "mount_devise_tokens_for '#{user_class}', at: '#{mount_path}'"
+
+            if File.exist?(File.join(destination_root, f))
+              line = parse_file_for_line(f, 'mount_devise_tokens_for')
+
+              if line
+                existing_user_class = true
+              else
+                line = 'Rails.application.routes.draw do'
+                existing_user_class = false
+              end
+
+              if parse_file_for_line(f, str)
+                say_status('skipped', "Routes already exist for #{user_class} at #{mount_path}")
+              else
+                insert_after_line(f, line, str)
+
+                if existing_user_class
+                  scoped_routes = ''\
+                    "as :#{user_class.underscore} do\n"\
+                    "    # Define routes for #{user_class} within this block.\n"\
+                    "  end\n"
+                  insert_after_line(f, str, scoped_routes)
+                end
+              end
+            else
+              say_status('skipped', "config/routes.rb not found. Add \"mount_devise_tokens_for '#{user_class}', at: '#{mount_path}'\" to your routes file.")
+            end
+          end
+
+          private
+
+          def insert_after_line(filename, line, str)
+            gsub_file filename, /(#{Regexp.escape(line)})/mi do |match|
+              "#{match}\n  #{str}"
+            end
+          end
+
+          def parse_file_for_line(filename, str)
+            match = false
+
+            File.open(File.join(destination_root, filename)) do |f|
+              f.each_line do |line|
+                match = line if line =~ /(#{Regexp.escape(str)})/mi
+              end
+            end
+            match
+          end
+
+          def is_rails_api?
+            fname = 'app/controllers/application_controller.rb'
+            line = 'class ApplicationController < ActionController::API'
+            parse_file_for_line(fname, line)
+          end
+        end
+      end
+    end
+  end
+end