devise_jwt_auth 0.1.2 → 0.1.7

data/app/controllers/devise_jwt_auth/passwords_controller.rb

@@ -3,9 +3,8 @@
 module DeviseJwtAuth
   class PasswordsController < DeviseJwtAuth::ApplicationController
     before_action :validate_redirect_url_param, only: [:create, :edit]
-    # skip_after_action :update_auth_header, only: [:create, :edit]
 
-    # this action is responsible for generating password reset tokens and sending emails
+    # This action is responsible for generating password reset tokens and sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
@@ -17,12 +16,11 @@ module DeviseJwtAuth
         @resource.send_reset_password_instructions(
           email: @email,
           provider: 'email',
-          redirect_url: @redirect_url,
-          client_config: params[:config_name]
+          redirect_url: @redirect_url
         )
 
         if @resource.errors.empty?
-          return render_create_success
+          render_create_success
         else
           render_create_error @resource.errors
         end
@@ -31,17 +29,14 @@ module DeviseJwtAuth
       end
     end
 
-    # this is where users arrive after visiting the password reset confirmation link
+    # This is where users arrive after visiting the password reset confirmation link.
     def edit
-      # if a user is not found, return nil
       @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
-      if @resource && @resource.reset_password_period_valid?
-        # TODO: add a token invalidator
-        # token = @resource.create_token unless require_client_password_reset_token?
-
+      if @resource&.reset_password_period_valid?
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
+
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
         @resource.save!
@@ -49,19 +44,16 @@ module DeviseJwtAuth
         yield @resource if block_given?
 
         if require_client_password_reset_token?
-          redirect_to DeviseJwtAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
-        else
-          redirect_header_options = { reset_password: true }
-          redirect_headers = @resource.create_named_token_pair.
-                             merge(redirect_header_options)
+          clear_refresh_token_cookie
 
+          redirect_to DeviseJwtAuth::Url.generate(
+            @redirect_url,
+            reset_password_token: resource_params[:reset_password_token]
+          )
+        else
           # TODO: do we put the refresh token here?
-          # we do if token exists (see line 41)
           update_refresh_token_cookie
-          
-          redirect_to_link = DeviseJwtAuth::Url.generate(@redirect_url, redirect_headers)
-
-          redirect_to redirect_to_link
+          redirect_to @redirect_url
         end
       else
         render_edit_error
@@ -69,12 +61,11 @@ module DeviseJwtAuth
     end
 
     def update
-      # make sure user is authorized
+      # Make sure user is authorized. Either by a reset_password_token or a valid access token.
       if require_client_password_reset_token? && resource_params[:reset_password_token]
         @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
-        return render_update_error_unauthorized unless @resource
 
-        # @token = @resource.create_token
+        return render_update_error_unauthorized unless @resource
       else
         @resource = set_user_by_token
       end
@@ -82,9 +73,7 @@ module DeviseJwtAuth
       return render_update_error_unauthorized unless @resource
 
       # make sure account doesn't use oauth2 provider
-      unless @resource.provider == 'email'
-        return render_update_error_password_not_required
-      end
+      return render_update_error_password_not_required unless @resource.provider == 'email'
 
       # ensure that password params were sent
       unless password_resource_params[:password] && password_resource_params[:password_confirmation]
@@ -100,16 +89,20 @@ module DeviseJwtAuth
         # send refresh cookie
         # send access token
         update_refresh_token_cookie
-        return render_update_success
+        render_update_success
       else
-        return render_update_error
+        render_update_error
       end
     end
 
     protected
 
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
+      allow_password_change =
+        recoverable_enabled? &&
+        @resource.allow_password_change == true ||
+        require_client_password_reset_token?
+
       if DeviseJwtAuth.check_current_password_before_update == false || allow_password_change
         'update'
       else
@@ -128,9 +121,10 @@ module DeviseJwtAuth
     def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
-        data:   resource_data
+        data: resource_data
       }
-      message = I18n.t('devise_jwt_auth.passwords.not_allowed_redirect_url', redirect_url: @redirect_url)
+      message = I18n.t('devise_jwt_auth.passwords.not_allowed_redirect_url',
+                       redirect_url: @redirect_url)
       render_error(422, message, response)
     end
 
@@ -157,7 +151,8 @@ module DeviseJwtAuth
     end
 
     def render_update_error_password_not_required
-      render_error(422, I18n.t('devise_jwt_auth.passwords.password_not_required', provider: @resource.provider.humanize))
+      render_error(422, I18n.t('devise_jwt_auth.passwords.password_not_required',
+                               provider: @resource.provider.humanize))
     end
 
     def render_update_error_missing_password
@@ -170,7 +165,7 @@ module DeviseJwtAuth
         data: resource_data,
         message: I18n.t('devise_jwt_auth.passwords.successfully_updated')
       }.merge!(@resource.create_named_token_pair)
-      
+
       render json: response_body
     end
 
@@ -203,11 +198,14 @@ module DeviseJwtAuth
       )
 
       return render_create_error_missing_redirect_url unless @redirect_url
-      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+
+      render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
     end
 
     def reset_password_token_as_raw?(recoverable)
-      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+      recoverable &&
+        recoverable.reset_password_token.present? &&
+        !require_client_password_reset_token?
     end
 
     def require_client_password_reset_token?

data/app/controllers/devise_jwt_auth/refresh_token_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 module DeviseJwtAuth
+  # Controller that handles sending refresh tokens.
   class RefreshTokenController < DeviseJwtAuth::ApplicationController
     before_action :set_user_by_refresh_token
 
@@ -14,6 +15,7 @@ module DeviseJwtAuth
     end
 
     protected
+
     def resource_data
       response_data = @resource.as_json
       response_data['type'] = @resource.class.name.parameterize if json_api?
@@ -23,10 +25,11 @@ module DeviseJwtAuth
     def render_refresh_token_success
       response_data = {
         status: 'success',
-        data:   resource_data
+        data: resource_data
       }
 
       response_data.merge!(@resource.create_named_token_pair) if active_for_authentication?
+
       render json: response_data
     end
 

data/app/controllers/devise_jwt_auth/registrations_controller.rb

@@ -28,10 +28,17 @@ module DeviseJwtAuth
       end
 
       # if whitelist is set, validate redirect_url against whitelist
-      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
+      if blacklisted_redirect_url?(@redirect_url)
+        return render_create_error_redirect_url_not_allowed
+      end
 
       # override email confirmation, must be sent manually from ctrl
-      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      callback_name = if defined?(ActiveRecord) && resource_class < ActiveRecord::Base
+                        :commit
+                      else
+                        :create
+                      end
+
       resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
       resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
 
@@ -46,9 +53,9 @@ module DeviseJwtAuth
         unless @resource.confirmed?
           # user will require email authentication
           @resource.send_confirmation_instructions({
-            client_config: params[:config_name],
-            redirect_url: @redirect_url
-          })
+                                                     client_config: params[:config_name],
+                                                     redirect_url: @redirect_url
+                                                   })
         end
 
         update_refresh_token_cookie if active_for_authentication?
@@ -98,17 +105,17 @@ module DeviseJwtAuth
       @resource.provider   = provider
 
       # honor devise configuration for case_insensitive_keys
-      if resource_class.case_insensitive_keys.include?(:email)
-        @resource.email = sign_up_params[:email].try(:downcase)
-      else
-        @resource.email = sign_up_params[:email]
-      end
+      @resource.email = if resource_class.case_insensitive_keys.include?(:email)
+                          sign_up_params[:email].try(:downcase)
+                        else
+                          sign_up_params[:email]
+                        end
     end
 
     def render_create_error_missing_confirm_success_url
       response = {
         status: 'error',
-        data:   resource_data
+        data: resource_data
       }
       message = I18n.t('devise_jwt_auth.registrations.missing_confirm_success_url')
       render_error(422, message, response)
@@ -117,26 +124,30 @@ module DeviseJwtAuth
     def render_create_error_redirect_url_not_allowed
       response = {
         status: 'error',
-        data:   resource_data
+        data: resource_data
       }
-      message = I18n.t('devise_jwt_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      message = I18n.t(
+        'devise_jwt_auth.registrations.redirect_url_not_allowed',
+        redirect_url: @redirect_url
+      )
       render_error(422, message, response)
     end
 
     def render_create_success
       response_data = {
         status: 'success',
-        data:   resource_data
+        data: resource_data
       }
 
       response_data.merge!(@resource.create_named_token_pair) if active_for_authentication?
+
       render json: response_data
     end
 
     def render_create_error
       render json: {
         status: 'error',
-        data:   resource_data,
+        data: resource_data,
         errors: resource_errors
       }, status: 422
     end
@@ -144,7 +155,7 @@ module DeviseJwtAuth
     def render_update_success
       render json: {
         status: 'success',
-        data:   resource_data
+        data: resource_data
       }
     end
 
@@ -162,12 +173,17 @@ module DeviseJwtAuth
     def render_destroy_success
       render json: {
         status: 'success',
-        message: I18n.t('devise_jwt_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
+        message: I18n.t(
+          'devise_jwt_auth.registrations.account_with_uid_destroyed',
+          uid: @resource.uid
+        )
       }
     end
 
     def render_destroy_error
-      render_error(404, I18n.t('devise_jwt_auth.registrations.account_to_destroy_not_found'), status: 'error')
+      render_error(404,
+                   I18n.t('devise_jwt_auth.registrations.account_to_destroy_not_found'),
+                   status: 'error')
     end
 
     private
@@ -175,7 +191,8 @@ module DeviseJwtAuth
     def resource_update_method
       if DeviseJwtAuth.check_current_password_before_update == :attributes
         'update_with_password'
-      elsif DeviseJwtAuth.check_current_password_before_update == :password && account_update_params.key?(:password)
+      elsif DeviseJwtAuth.check_current_password_before_update == :password &&
+            account_update_params.key?(:password)
         'update_with_password'
       elsif account_update_params.key?(:current_password)
         'update_with_password'
@@ -189,10 +206,12 @@ module DeviseJwtAuth
     end
 
     def validate_account_update_params
-      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+      validate_post_data account_update_params, I18n.t(
+        'errors.messages.validate_account_update_params'
+      )
     end
 
-    def validate_post_data which, message
+    def validate_post_data(which, message)
       render_error(:unprocessable_entity, message, status: 'error') if which.empty?
     end
 

data/app/controllers/devise_jwt_auth/sessions_controller.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
 module DeviseJwtAuth
   class SessionsController < DeviseJwtAuth::ApplicationController
     before_action :set_user_by_token, only: [:destroy]
@@ -21,11 +20,17 @@ module DeviseJwtAuth
         @resource = find_resource(field, q_value)
       end
 
-      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      if @resource &&
+         valid_params?(field, q_value) &&
+         (!@resource.respond_to?(:active_for_authentication?) ||
+          @resource.active_for_authentication?)
         valid_password = @resource.valid_password?(resource_params[:password])
-        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+        if (@resource.respond_to?(:valid_for_authentication?) &&
+           !@resource.valid_for_authentication? { valid_password }) ||
+           !valid_password
           return render_create_error_bad_credentials
         end
+
         @token = @resource.create_token
         @resource.save
 
@@ -35,7 +40,9 @@ module DeviseJwtAuth
 
         update_refresh_token_cookie
         render_create_success
-      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      elsif @resource &&
+            !(!@resource.respond_to?(:active_for_authentication?) ||
+              @resource.active_for_authentication?)
         if @resource.respond_to?(:locked_at) && @resource.locked_at
           render_create_error_account_locked
         else
@@ -48,18 +55,13 @@ module DeviseJwtAuth
 
     def destroy
       # TODO: logout? update token version?
-      
+
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      # client = @token.client if @token.client
-      # @token.clear!
-
-      if user # && client && user.tokens[client]
-        # user.tokens.delete(client)
-        # user.save!
 
+      if user
         yield user if block_given?
-
+        clear_refresh_token_cookie
         render_destroy_success
       else
         render_destroy_error
@@ -78,17 +80,15 @@ module DeviseJwtAuth
 
       # iterate thru allowed auth keys, use first found
       resource_class.authentication_keys.each do |k|
-        if resource_params[k]
-          auth_val = resource_params[k]
-          auth_key = k
-          break
-        end
+        next unless resource_params[k]
+
+        auth_val = resource_params[k]
+        auth_key = k
+        break
       end
 
       # honor devise configuration for case_insensitive_keys
-      if resource_class.case_insensitive_keys.include?(auth_key)
-        auth_val.downcase!
-      end
+      auth_val.downcase! if resource_class.case_insensitive_keys.include?(auth_key)
 
       { key: auth_key, val: auth_val }
     end
@@ -118,7 +118,7 @@ module DeviseJwtAuth
 
     def render_destroy_success
       render json: {
-        success:true
+        success: true
       }, status: 200
     end
 

data/app/controllers/devise_jwt_auth/unlocks_controller.rb

@@ -22,7 +22,7 @@ module DeviseJwtAuth
         )
 
         if @resource.errors.empty?
-          return render_create_success
+          render_create_success
         else
           render_create_error @resource.errors
         end
@@ -38,8 +38,8 @@ module DeviseJwtAuth
         yield @resource if block_given?
 
         redirect_header_options = { unlock: true }
-        redirect_headers = @resource.create_named_token_pair.
-                             merge(redirect_header_options)
+        redirect_headers = @resource.create_named_token_pair
+                             .merge(redirect_header_options)
 
         update_refresh_token_cookie
         redirect_url = after_unlock_path_for(@resource)
@@ -52,7 +52,8 @@ module DeviseJwtAuth
     end
 
     private
-    def after_unlock_path_for(resource)
+
+    def after_unlock_path_for(_resource)
       # TODO: This should probably be a configuration option at the very least.
       # Use confirmation controller / tests as a template for building out this feature.
       '/'