devise-tokens 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78cd95c506477bf946903658700208508bf7eba1fde5bfba02b6068281550e34
-  data.tar.gz: bffd925f0488dc99af39d2c892031a7f4b7878f1cbf57fb96a0f4b05be404571
+  metadata.gz: 7dafc9b9c1d7eb65cf8162acc3a06dacbd5151dfbea76da7c801564538bd275f
+  data.tar.gz: b798b1450394f2d804bd59efdd273fce5dad770eecf73d017248329314063d41
 SHA512:
-  metadata.gz: f4266ac42be750d396ce6c3ea1878ea269de258326fde4af3fc298ed836f8c9c19070fd6330985268ed996624afa574bff3368d3dffb51956d70d8d746961dfb
-  data.tar.gz: 5f779487e2966857b9e9b4d637699f8bf1b8497247e4eccae02e0cba9c6eb8a7a60c0b03129e6509e0bb805ace2548f1121403b892f2f070d95fecbaa6729e4a
+  metadata.gz: da07c4adec6ea1aea9f9343f0b508f5125e2922b1c5adff00f2d3a56ffaec3189c4aaa93f6357abd4999a75298bc9227a6a46049a9d0a1e68d4ff0379af89f11
+  data.tar.gz: 6da368d8796a98de5a218a4cf0eaa44b59f0e7466864db2a820b7228f678ec9834b9697cd2c08345018d7110a4d545bccc1fcc0cf190e2f88f0eb25fec07fc39

data/app/controllers/devise_tokens/application_controller.rb

@@ -0,0 +1,77 @@
+module DeviseTokens
+  class ApplicationController < DeviseController
+    include DeviseTokens::Concerns::SetUserByToken
+
+    def resource_data(opts = {})
+      response_data = opts[:resource_json] || @resource.as_json
+      response_data['type'] = @resource.class.name.parameterize if json_api?
+      response_data
+    end
+
+    def resource_errors
+      @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+    end
+
+    protected
+
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokens.redirect_whitelist && !DeviseTokens::Url.whitelisted?(redirect_url)
+    end
+
+    def build_redirect_headers(access_token, client, redirect_header_options = {})
+      {
+        DeviseTokens.headers_names[:"access-token"] => access_token,
+        DeviseTokens.headers_names[:"client"] => client,
+        :config => params[:config],
+
+        # Legacy parameters which may be removed in a future release.
+        # Consider using "client" and "access-token" in client code.
+        # See: github.com/lynndylanhurley/devise_tokens/issues/993
+        :client_id => client,
+        :token => access_token
+      }.merge(redirect_header_options)
+    end
+
+    def params_for_resource(resource)
+      devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
+        params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?
+      end
+      devise_parameter_sanitizer.instance_values['permitted'][resource]
+    end
+
+    def resource_class(m = nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
+
+    def json_api?
+      return false unless defined?(ActiveModel::Serializer)
+      return ActiveModel::Serializer.setup do |config|
+        config.adapter == :json_api
+      end if ActiveModel::Serializer.respond_to?(:setup)
+      ActiveModelSerializers.config.adapter == :json_api
+    end
+
+    def recoverable_enabled?
+      resource_class.devise_modules.include?(:recoverable)
+    end
+
+    def confirmable_enabled?
+      resource_class.devise_modules.include?(:confirmable)
+    end
+
+    def render_error(status, message, data = nil)
+      response = {
+        success: false,
+        errors: [message]
+      }
+      response = response.merge(data) if data
+      render json: response, status: status
+    end
+  end
+end

data/app/controllers/devise_tokens/concerns/resource_finder.rb

@@ -0,0 +1,42 @@
+module DeviseTokens::Concerns::ResourceFinder
+  extend ActiveSupport::Concern
+  include DeviseTokens::Controllers::Helpers
+
+  def get_case_insensitive_field_from_resource_params(field)
+    # honor Devise configuration for case_insensitive keys
+    q_value = resource_params[field.to_sym]
+
+    if resource_class.case_insensitive_keys.include?(field.to_sym)
+      q_value.downcase!
+    end
+
+    if resource_class.strip_whitespace_keys.include?(field.to_sym)
+      q_value.strip!
+    end
+
+    q_value
+  end
+
+  def find_resource(field, value)
+    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+                  # fix for mysql default case insensitivity
+                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
+  end
+
+  def resource_class(m = nil)
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
+
+    mapping.to
+  end
+
+  def provider
+    'email'
+  end
+end

data/app/controllers/devise_tokens/concerns/set_user_by_token.rb

@@ -0,0 +1,160 @@
+module DeviseTokens::Concerns::SetUserByToken
+  extend ActiveSupport::Concern
+  include DeviseTokens::Concerns::ResourceFinder
+
+  included do
+    before_action :set_request_start
+    after_action :update_auth_header
+  end
+
+  protected
+
+  # keep track of request duration
+  def set_request_start
+    @request_started_at = Time.zone.now
+    @used_auth_by_token = true
+
+    # initialize instance variables
+    @token = DeviseTokens::TokenFactory.new
+    @resource ||= nil
+    @is_batch_request ||= nil
+  end
+
+  # user auth
+  def set_user_by_token(mapping = nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
+    # no default user defined
+    return unless rc
+
+    # gets the headers names, which was set in the initialize file
+    uid_name = DeviseTokens.headers_names[:'uid']
+    access_token_name = DeviseTokens.headers_names[:'access-token']
+    client_name = DeviseTokens.headers_names[:'client']
+
+    # parse header for values necessary for authentication
+    uid              = request.headers[uid_name] || params[uid_name]
+    @token           = DeviseTokens::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name]
+
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
+
+    # check for an existing user, authenticated via warden/devise, if enabled
+    if DeviseTokens.enable_standard_devise_support
+      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
+        @used_auth_by_token = false
+        @resource = devise_warden_user
+        # REVIEW: The following line _should_ be safe to remove;
+        #  the generated token does not get used anywhere.
+        # @resource.create_new_auth_token
+      end
+    end
+
+    # user has already been found and authenticated
+    return @resource if @resource && @resource.is_a?(rc)
+
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
+      return
+    end
+
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.dta_find_by(uid: uid)
+    scope = rc.to_s.underscore.to_sym
+
+    if user && user.valid_token?(@token.token, @token.client)
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if respond_to?(:bypass_sign_in) && DeviseTokens.bypass_sign_in
+        bypass_sign_in(user, scope: scope)
+      else
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokens.bypass_sign_in)
+      end
+      return @resource = user
+    else
+      # zero all values previously set values
+      @token.client = nil
+      return @resource = nil
+    end
+  end
+
+  def update_auth_header
+    # cannot save object if model has invalid params
+    return unless @resource && @token.client
+
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
+
+    if @used_auth_by_token && !DeviseTokens.change_headers_on_each_request
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @resource.reload.tokens[@token.client].nil?
+
+      auth_header = @resource.build_auth_header(@token.token, @token.client)
+
+      # update the response header
+      response.headers.merge!(auth_header)
+
+    else
+      unless @resource.reload.valid?
+        @resource = resource_class.find(@resource.to_param) # errors remain after reload
+        # if we left the model in a bad state, something is wrong in our app
+        unless @resource.valid?
+          raise DeviseTokens::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
+        end
+      end
+      refresh_headers
+    end
+  end
+
+  private
+
+  def refresh_headers
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
+
+      # update the response header
+      response.headers.merge!(auth_header_from_batch_request)
+    end # end lock
+  end
+
+  def is_batch_request?(user, client)
+    !params[:unbatch] &&
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokens.batch_request_buffer_throttle
+  end
+
+  def auth_header_from_batch_request
+    # determine batch request status after request processing, in case
+    # another processes has updated it during that processing
+    @is_batch_request = is_batch_request?(@resource, @token.client)
+
+    auth_header = {}
+    # extend expiration of batch buffer to account for the duration of
+    # this request
+    if @is_batch_request
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
+
+      # Do not return token for batch requests to avoid invalidated
+      # tokens returned to the client in case of race conditions.
+      # Use a blank string for the header to still be present and
+      # being passed in a XHR response in case of
+      # 304 Not Modified responses.
+      auth_header[DeviseTokens.headers_names[:"access-token"]] = ' '
+      auth_header[DeviseTokens.headers_names[:"expiry"]] = ' '
+    else
+      # update Authorization response header with new token
+      auth_header = @resource.create_new_auth_token(@token.client)
+    end
+    auth_header
+  end
+end

data/app/controllers/devise_tokens/confirmations_controller.rb

@@ -0,0 +1,79 @@
+module DeviseTokens
+  class ConfirmationsController < DeviseTokens::ApplicationController
+
+    def show
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
+
+      if @resource.errors.empty?
+        yield @resource if block_given?
+
+        redirect_header_options = { account_confirmation_success: true }
+
+        if signed_in?(resource_name)
+          token = signed_in_resource.create_token
+
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+
+          redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseTokens::Url.generate(redirect_url, redirect_header_options)
+       end
+
+        redirect_to(redirect_to_link)
+      else
+        raise ActionController::RoutingError, 'Not Found'
+      end
+    end
+
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+
+      return render_create_success
+    end
+
+    protected
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_tokens.confirmations.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+          success: true,
+          message: I18n.t('devise_tokens.confirmations.sended', email: @email)
+      }
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_tokens.confirmations.user_not_found', email: @email))
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokens.default_confirm_success_url
+      )
+    end
+
+  end
+end

data/app/controllers/devise_tokens/omniauth_callbacks_controller.rb

@@ -0,0 +1,284 @@
+module DeviseTokens
+  class OmniauthCallbacksController < DeviseTokens::ApplicationController
+    attr_reader :auth_params
+
+    before_action :validate_auth_origin_url_param
+
+    skip_before_action :set_user_by_token, raise: false
+    skip_after_action :update_auth_header
+
+    # intermediary route for successful omniauth authentication. omniauth does
+    # not support multiple models, so we must resort to this terrible hack.
+    def redirect_callbacks
+
+      # derive target redirect route from 'resource_class' param, which was set
+      # before authentication.
+      devise_mapping = get_devise_mapping
+      redirect_route = get_redirect_route(devise_mapping)
+
+      # preserve omniauth info for success route. ignore 'extra' in twitter
+      # auth response to avoid CookieOverflow.
+      session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
+      session['dta.omniauth.params'] = request.env['omniauth.params']
+
+      redirect_to redirect_route
+    end
+
+    def get_redirect_route(devise_mapping)
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+    end
+
+    def get_devise_mapping
+       # derive target redirect route from 'resource_class' param, which was set
+       # before authentication.
+       devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+    rescue NoMethodError => err
+      default_devise_mapping
+    end
+
+    # This method will only be called if `get_devise_mapping` cannot
+    # find the mapping in `omniauth.params`.
+    #
+    # One example use-case here is for IDP-initiated SAML login.  In that
+    # case, there will have been no initial request in which to save
+    # the devise mapping.  If you are in a situation like that, and
+    # your app allows for you to determine somehow what the devise
+    # mapping should be (because, for example, it is always the same),
+    # then you can handle it by overriding this method.
+    def default_devise_mapping
+      raise NotImplementedError.new('no default_devise_mapping set')
+    end
+
+    def omniauth_success
+      get_resource_from_auth_hash
+      set_token_on_resource
+      create_auth_params
+
+      if confirmable_enabled?
+        # don't send confirmation email!!!
+        @resource.skip_confirmation!
+      end
+
+      sign_in(:user, @resource, store: false, bypass: false)
+
+      @resource.save!
+
+      yield @resource if block_given?
+
+      render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
+    end
+
+    def omniauth_failure
+      @error = params[:message]
+      render_data_or_redirect('authFailure', error: @error)
+    end
+
+    def validate_auth_origin_url_param
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
+
+
+    protected
+
+    # this will be determined differently depending on the action that calls
+    # it. redirect_callbacks is called upon returning from successful omniauth
+    # authentication, and the target params live in an omniauth-specific
+    # request.env variable. this variable is then persisted thru the redirect
+    # using our own dta.omniauth.params session var. the omniauth_success
+    # method will access that session var and then destroy it immediately
+    # after use.  In the failure case, finally, the omniauth params
+    # are added as query params in our monkey patch to OmniAuth in engine.rb
+    def omniauth_params
+      unless defined?(@_omniauth_params)
+        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
+          @_omniauth_params = request.env['omniauth.params']
+        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
+          @_omniauth_params ||= session.delete('dta.omniauth.params')
+          @_omniauth_params
+        elsif params['omniauth_window_type']
+          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+        else
+          @_omniauth_params = {}
+        end
+      end
+      @_omniauth_params
+
+    end
+
+    # break out provider attribute assignment for easy method extension
+    def assign_provider_attrs(user, auth_hash)
+      attrs = auth_hash['info'].slice(*user.attribute_names)
+      user.assign_attributes(attrs)
+    end
+
+    # derive allowed params from the standard devise parameter sanitizer
+    def whitelisted_params
+      whitelist = params_for_resource(:sign_up)
+
+      whitelist.inject({}) do |coll, key|
+        param = omniauth_params[key.to_s]
+        coll[key] = param if param
+        coll
+      end
+    end
+
+    def resource_class(mapping = nil)
+      if omniauth_params['resource_class']
+        omniauth_params['resource_class'].constantize
+      elsif params['resource_class']
+        params['resource_class'].constantize
+      else
+        raise 'No resource_class found'
+      end
+    end
+
+    def resource_name
+      resource_class
+    end
+
+    def omniauth_window_type
+      omniauth_params['omniauth_window_type']
+    end
+
+    def unsafe_auth_origin_url
+      omniauth_params['auth_origin_url'] || omniauth_params['origin']
+    end
+
+
+    def auth_origin_url
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
+    end
+
+    # in the success case, omniauth_window_type is in the omniauth_params.
+    # in the failure case, it is in a query param.  See monkey patch above
+    def omniauth_window_type
+      omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
+    end
+
+    # this sesison value is set by the redirect_callbacks method. its purpose
+    # is to persist the omniauth auth hash value thru a redirect. the value
+    # must be destroyed immediatly after it is accessed by omniauth_success
+    def auth_hash
+      @_auth_hash ||= session.delete('dta.omniauth.auth')
+      @_auth_hash
+    end
+
+    # ensure that this controller responds to :devise_controller? conditionals.
+    # this is used primarily for access to the parameter sanitizers.
+    def assert_is_devise_resource!
+      true
+    end
+
+    def set_random_password
+      # set crazy password for new oauth users. this is only used to prevent
+      # access via email sign-in.
+      p = SecureRandom.urlsafe_base64(nil, false)
+      @resource.password = p
+      @resource.password_confirmation = p
+    end
+
+    def create_auth_params
+      @auth_params = {
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
+      }
+      @auth_params.merge!(oauth_registration: true) if @oauth_registration
+      @auth_params
+    end
+
+    def set_token_on_resource
+      @config = omniauth_params['config_name']
+      @token  = @resource.create_token
+    end
+
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_tokens.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
+    end
+
+    def render_data(message, data)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
+      render layout: nil, template: 'devise_tokens/omniauth_external_window'
+    end
+
+    def render_data_or_redirect(message, data, user_data = {})
+
+      # We handle inAppBrowser and newWindow the same, but it is nice
+      # to support values in case people need custom implementations for each case
+      # (For example, nbrustein does not allow new users to be created if logging in with
+      # an inAppBrowser)
+      #
+      # See app/views/devise_tokens/omniauth_external_window.html.erb to understand
+      # why we can handle these both the same.  The view is setup to handle both cases
+      # at the same time.
+      if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type)
+        render_data(message, user_data.merge(data))
+
+      elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
+
+        # build and redirect to destination url
+        redirect_to DeviseTokens::Url.generate(auth_origin_url, data.merge(blank: true))
+      else
+
+        # there SHOULD always be an auth_origin_url, but if someone does something silly
+        # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
+        # In that case, just render in plain text the error message if there is one or otherwise
+        # a generic message.
+        fallback_render data[:error] || 'An error occurred'
+      end
+    end
+
+    def fallback_render(text)
+        render inline: %Q(
+
+            <html>
+                    <head></head>
+                    <body>
+                            #{ActionController::Base.helpers.sanitize(text)}
+                    </body>
+            </html>)
+    end
+
+    def handle_new_resource
+      @oauth_registration = true
+      set_random_password
+    end
+
+    def assign_whitelisted_params?
+      true
+    end
+
+    def get_resource_from_auth_hash
+      # find or create user by provider and provider uid
+      @resource = resource_class.where(
+        uid: auth_hash['uid'],
+        provider: auth_hash['provider']
+      ).first_or_initialize
+
+      if @resource.new_record?
+        handle_new_resource
+      end
+
+      # sync user info with provider, update/generate auth token
+      assign_provider_attrs(@resource, auth_hash)
+
+      # assign any additional (whitelisted) attributes
+      if assign_whitelisted_params?
+        extra_params = whitelisted_params
+        @resource.assign_attributes(extra_params) if extra_params
+      end
+
+      @resource
+    end
+  end
+
+end