devise_jwt_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0517633f0e6ab6279f0c88ea33f0297b61ad94b9efa4b3db4d83befb21c0337a
+  data.tar.gz: 928947b0baddce870ee1562dec38641cff72660406974df8313dad02523b8482
+SHA512:
+  metadata.gz: 883502bfa948b19aad5c25d9d79793e33bee14d2ad13656c6ba9a0e1ac7e6617b03075757831a50ea5747e1fdad2ed25ce0868a0707256569ae9af5e3e66e3e2
+  data.tar.gz: cba02b2f073b3466cb0b59d8c1be85117736928d6a4976c8183c16edfbdc8e12699ce9eec016a0d29a70cb49b8dd3a2124bb7f2e7eb76bb66c5d7202aadfc4a6

data/LICENSE

@@ -0,0 +1,13 @@
+        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+                    Version 2, December 2004 
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 
+
+ Everyone is permitted to copy and distribute verbatim or modified 
+ copies of this license document, and changing it is allowed as long 
+ as the name is changed. 
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

data/README.md

@@ -0,0 +1,99 @@
+# Devise Token Auth
+
+[![Gem Version](https://badge.fury.io/rb/devise_jwt_auth.svg)](http://badge.fury.io/rb/devise_jwt_auth)
+[![Build Status](https://travis-ci.org/lynndylanhurley/devise_jwt_auth.svg?branch=master)](https://travis-ci.org/lynndylanhurley/devise_jwt_auth)
+[![Code Climate](https://codeclimate.com/github/lynndylanhurley/devise_jwt_auth/badges/gpa.svg)](https://codeclimate.com/github/lynndylanhurley/devise_jwt_auth)
+[![Test Coverage](https://codeclimate.com/github/lynndylanhurley/devise_jwt_auth/badges/coverage.svg)](https://codeclimate.com/github/lynndylanhurley/devise_jwt_auth/coverage)
+[![Downloads](https://img.shields.io/gem/dt/devise_jwt_auth.svg)](https://rubygems.org/gems/devise_jwt_auth)
+[![Backers on Open Collective](https://opencollective.com/devise_jwt_auth/backers/badge.svg)](#backers)
+[![Sponsors on Open Collective](https://opencollective.com/devise_jwt_auth/sponsors/badge.svg)](#sponsors)
+[![Join the chat at https://gitter.im/lynndylanhurley/devise_jwt_auth](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/lynndylanhurley/devise_jwt_auth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+Simple, multi-client and secure token-based authentication for Rails.
+
+If you're building SPA or a mobile app, and you want authentication, you need tokens, not cookies.
+This gem refreshes the tokens on each request, and expires them in a short time, so the app is secure.
+Also, it maintains a session for each client/device, so you can have as many sessions as you want.
+
+## Main features
+
+* Seamless integration with:
+  * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
+  * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
+  * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
+  * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
+* Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
+* Email authentication using [Devise](https://github.com/plataformatec/devise), including:
+  * User registration, update and deletion
+  * Login and logout
+  * Password reset, account confirmation
+* Support for [multiple user models](./docs/usage/multiple_models.md).
+* It is [secure](docs/security.md).
+
+This project leverages the following gems:
+
+* [Devise](https://github.com/plataformatec/devise)
+* [OmniAuth](https://github.com/intridea/omniauth)
+
+## Installation
+
+Add the following to your `Gemfile`:
+
+~~~ruby
+gem 'devise_jwt_auth'
+~~~
+
+Then install the gem using bundle:
+
+~~~bash
+bundle install
+~~~
+
+## [Docs](https://devise-token-auth.gitbook.io/devise-token-auth)
+
+## Need help?
+
+Please use [StackOverflow](https://stackoverflow.com/questions/tagged/devise-token-auth) for help requests and how-to questions.
+
+Please open GitHub issues for bugs and enhancements only, not general help requests. Please search previous issues (and Google and StackOverflow) before creating a new issue.
+
+Please read the [issue template](https://github.com/lynndylanhurley/devise_jwt_auth/blob/master/.github/ISSUE_TEMPLATE.md) before posting issues.
+
+## [FAQ](docs/faq.md)
+
+## Contributors wanted!
+
+See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_jwt_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_jwt_auth/issues/969).
+
+We have some bounties for some issues, [check them out](https://github.com/lynndylanhurley/devise_jwt_auth/issues?q=is%3Aopen+is%3Aissue+label%3Abounty)!
+
+## Live Demos
+
+[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).
+
+[Here is a demo](https://stackblitz.com/github/neroniaky/angular-token) of this app running with the [Angular-Token](https://github.com/neroniaky/angular-token) service and [Angular](https://github.com/angular/angular).
+
+[Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/).
+
+The fully configured api used in these demos can be found [here](https://github.com/lynndylanhurley/devise_jwt_auth_demo).
+
+
+## Contributors
+
+<a href="graphs/contributors"><img src="https://opencollective.com/devise_jwt_auth/contributors.svg?width=890&button=false" /></a>
+
+## Backers
+
+Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/devise_jwt_auth#backer)]
+
+[![](https://opencollective.com/devise_jwt_auth/backers.svg?width=890)](https://opencollective.com/devise_jwt_auth#backers)
+
+
+## Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [[Become a sponsor](https://opencollective.com/devise_jwt_auth#sponsor)]
+
+[![](https://opencollective.com/devise_jwt_auth/sponsor/0/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/0/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/1/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/1/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/2/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/2/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/3/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/3/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/4/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/4/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/5/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/5/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/6/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/6/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/7/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/7/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/8/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/8/website) [![](https://opencollective.com/devise_jwt_auth/sponsor/9/avatar.svg)](https://opencollective.com/devise_jwt_auth/sponsor/9/website)
+
+## License
+This project uses the WTFPL

data/Rakefile

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseJwtAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+  t.warning = false
+end
+
+task default: :test
+
+require 'rubocop/rake_task'
+
+desc 'Run RuboCop'
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.formatters = %w[fuubar offenses worst]
+  task.fail_on_error = false # don't abort rake on failure
+end

data/app/controllers/devise_jwt_auth/application_controller.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module DeviseJwtAuth
+  class ApplicationController < DeviseController
+    # include DeviseJwtAuth::Concerns::SetUserByToken
+    include DeviseJwtAuth::Concerns::SetUserByJwtToken
+
+    def resource_data(opts = {})
+      response_data = opts[:resource_json] || @resource.as_json
+      response_data['type'] = @resource.class.name.parameterize if json_api?
+      response_data
+    end
+
+    def resource_errors
+      @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+    end
+
+    protected
+
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseJwtAuth.redirect_whitelist && !DeviseJwtAuth::Url.whitelisted?(redirect_url)
+    end
+
+    def build_redirect_headers(access_token, client, redirect_header_options = {})
+      {
+        # DeviseJwtAuth.headers_names[:"access-token"] => access_token,
+        # DeviseJwtAuth.headers_names[:"client"] => client,
+        :config => params[:config],
+
+        # Legacy parameters which may be removed in a future release.
+        # Consider using "client" and "access-token" in client code.
+        # See: github.com/lynndylanhurley/devise_jwt_auth/issues/993
+        # :client_id => client,
+        :token => access_token
+      }.merge(redirect_header_options)
+    end
+
+    def params_for_resource(resource)
+      devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
+        params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?
+      end
+      devise_parameter_sanitizer.instance_values['permitted'][resource]
+    end
+
+    def resource_class(m = nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
+
+    def json_api?
+      return false unless defined?(ActiveModel::Serializer)
+      return ActiveModel::Serializer.setup do |config|
+        config.adapter == :json_api
+      end if ActiveModel::Serializer.respond_to?(:setup)
+      ActiveModelSerializers.config.adapter == :json_api
+    end
+
+    def recoverable_enabled?
+      resource_class.devise_modules.include?(:recoverable)
+    end
+
+    def confirmable_enabled?
+      resource_class.devise_modules.include?(:confirmable)
+    end
+
+    def render_error(status, message, data = nil)
+      response = {
+        success: false,
+        errors: [message]
+      }
+      response = response.merge(data) if data
+      render json: response, status: status
+    end
+  end
+end

data/app/controllers/devise_jwt_auth/concerns/resource_finder.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module DeviseJwtAuth::Concerns::ResourceFinder
+  extend ActiveSupport::Concern
+  include DeviseJwtAuth::Controllers::Helpers
+
+  def get_case_insensitive_field_from_resource_params(field)
+    # honor Devise configuration for case_insensitive keys
+    q_value = resource_params[field.to_sym]
+
+    if resource_class.case_insensitive_keys.include?(field.to_sym)
+      q_value.downcase!
+    end
+
+    if resource_class.strip_whitespace_keys.include?(field.to_sym)
+      q_value.strip!
+    end
+
+    q_value
+  end
+
+  def find_resource(field, value)
+    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+                  # fix for mysql default case insensitivity
+                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
+  end
+
+  def resource_class(m = nil)
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
+
+    mapping.to
+  end
+
+  def provider
+    'email'
+  end
+end

data/app/controllers/devise_jwt_auth/concerns/set_user_by_jwt_token.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module DeviseJwtAuth::Concerns::SetUserByJwtToken
+  extend ActiveSupport::Concern
+  include DeviseJwtAuth::Concerns::ResourceFinder
+
+  included do
+
+  end
+
+  protected
+
+  def set_user_by_token(mapping = nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
+    # no default user defined
+    return unless rc
+
+    # check for an existing user, authenticated via warden/devise, if enabled
+    if DeviseJwtAuth.enable_standard_devise_support
+      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      @resource = devise_warden_user if devise_warden_user
+    end
+    
+    # user has already been found and authenticated
+    return @resource if @resource && @resource.is_a?(rc)
+    
+    # TODO: Look for the access token in an 'Authentication' header
+    token = request.headers[DeviseJwtAuth.access_token_name]
+    return unless token
+
+    payload = DeviseJwtAuth::TokenFactory.decode_access_token(token)
+    return if payload.empty?
+    return if payload && payload['sub'].blank?
+    uid = payload['sub']
+    
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.dta_find_by(uid: uid)
+    scope = rc.to_s.underscore.to_sym
+
+    if user
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if respond_to?(:bypass_sign_in) && DeviseJwtAuth.bypass_sign_in
+        bypass_sign_in(user, scope: scope)
+      else
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseJwtAuth.bypass_sign_in)
+      end
+      return @resource = user
+    else
+      # zero all values previously set values
+      return @resource = nil
+    end
+  end
+
+  def set_user_by_refresh_token(mapping = nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
+    # no default user defined
+    return unless rc
+
+    # check for an existing user, authenticated via warden/devise, if enabled
+    if DeviseJwtAuth.enable_standard_devise_support
+      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      @resource = devise_warden_user if devise_warden_user
+    end
+    
+    # user has already been found and authenticated
+    return @resource if @resource && @resource.is_a?(rc)
+    
+    token = request.cookies[DeviseJwtAuth.refresh_token_name]
+
+    return unless token
+
+    payload = DeviseJwtAuth::TokenFactory.decode_refresh_token(token)
+    return if payload.empty?
+    return if payload && payload['sub'].blank?
+    uid = payload['sub']
+
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.dta_find_by(uid: uid)
+    scope = rc.to_s.underscore.to_sym
+
+    if user
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if respond_to?(:bypass_sign_in) && DeviseJwtAuth.bypass_sign_in
+        bypass_sign_in(user, scope: scope)
+      else
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseJwtAuth.bypass_sign_in)
+      end
+      return @resource = user
+    else
+      # zero all values previously set values
+      return @resource = nil
+    end
+  end
+  
+
+  def update_refresh_token_cookie
+    response.set_cookie(DeviseJwtAuth.refresh_token_name,
+                        value: @resource.create_refresh_token,
+                        path: '/auth/refresh_token', # TODO: Use configured auth path
+                        expires: Time.zone.now + DeviseJwtAuth.refresh_token_lifespan,
+                        httponly: true,
+                        secure: Rails.env.production?
+    )
+  end
+  
+  
+end

data/app/controllers/devise_jwt_auth/confirmations_controller.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module DeviseJwtAuth
+  class ConfirmationsController < DeviseJwtAuth::ApplicationController
+
+    def show
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
+
+      if @resource.errors.empty?
+        yield @resource if block_given?
+
+        redirect_header_options = { account_confirmation_success: true }
+
+        if signed_in?(resource_name)
+          # token = signed_in_resource.create_token
+
+          # redirect_headers = build_redirect_headers(token.token,
+          #                                           token.client,
+          #                                           redirect_header_options)
+          
+          redirect_headers = signed_in_resource.create_named_token_pair.
+                             merge(redirect_header_options)
+
+          # TODO: add a refresh token cookie in the response.
+          update_refresh_token_cookie
+          
+          #redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+          redirect_to_link = DeviseJwtAuth::Url.generate(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseJwtAuth::Url.generate(redirect_url, redirect_header_options)
+        end
+
+        redirect_to(redirect_to_link)
+      else
+        raise ActionController::RoutingError, 'Not Found'
+      end
+    end
+
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+
+      return render_create_success
+    end
+
+    protected
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_jwt_auth.confirmations.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+          success: true,
+          message: I18n.t('devise_jwt_auth.confirmations.sended', email: @email)
+      }
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_jwt_auth.confirmations.user_not_found', email: @email))
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseJwtAuth.default_confirm_success_url
+      )
+    end
+
+  end
+end