devise_jwt_auth 0.1.5 → 0.1.6

data/lib/devise_jwt_auth/rails/routes.rb

@@ -8,14 +8,13 @@ module ActionDispatch::Routing
       opts[:skip]        ||= []
 
       # check for ctrl overrides, fall back to defaults
-      sessions_ctrl          = opts[:controllers][:sessions] || 'devise_jwt_auth/sessions'
-      registrations_ctrl     = opts[:controllers][:registrations] || 'devise_jwt_auth/registrations'
-      passwords_ctrl         = opts[:controllers][:passwords] || 'devise_jwt_auth/passwords'
-      confirmations_ctrl     = opts[:controllers][:confirmations] || 'devise_jwt_auth/confirmations'
-      # token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_jwt_auth/token_validations'
-      refresh_token_ctrl     = opts[:controllers][:refresh_token] || 'devise_jwt_auth/refresh_token'
-      omniauth_ctrl          = opts[:controllers][:omniauth_callbacks] || 'devise_jwt_auth/omniauth_callbacks'
-      unlocks_ctrl           = opts[:controllers][:unlocks] || 'devise_jwt_auth/unlocks'
+      sessions_ctrl      = opts[:controllers][:sessions] || 'devise_jwt_auth/sessions'
+      registrations_ctrl = opts[:controllers][:registrations] || 'devise_jwt_auth/registrations'
+      passwords_ctrl     = opts[:controllers][:passwords] || 'devise_jwt_auth/passwords'
+      confirmations_ctrl = opts[:controllers][:confirmations] || 'devise_jwt_auth/confirmations'
+      refresh_token_ctrl = opts[:controllers][:refresh_token] || 'devise_jwt_auth/refresh_token'
+      omniauth_ctrl      = opts[:controllers][:omniauth_callbacks] || 'devise_jwt_auth/omniauth_callbacks'
+      unlocks_ctrl       = opts[:controllers][:unlocks] || 'devise_jwt_auth/unlocks'
 
       # define devise controller mappings
       controllers = { sessions: sessions_ctrl,
@@ -26,7 +25,7 @@ module ActionDispatch::Routing
       controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
 
       # remove any unwanted devise modules
-      opts[:skip].each{ |item| controllers.delete(item) }
+      opts[:skip].each { |item| controllers.delete(item) }
 
       devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
                  class_name: resource,
@@ -44,12 +43,12 @@ module ActionDispatch::Routing
 
         # clear scope so controller routes aren't namespaced
         @scope = ActionDispatch::Routing::Mapper::Scope.new(
-          path:         '',
+          path: '',
           shallow_path: '',
-          constraints:  {},
-          defaults:     {},
-          options:      {},
-          parent:       nil
+          constraints: {},
+          defaults: {},
+          options: {},
+          parent: nil
         )
 
         mapping_name = resource.underscore.gsub('/', '_')
@@ -57,22 +56,34 @@ module ActionDispatch::Routing
 
         devise_scope mapping_name.to_sym do
           # path to refresh access tokens
-          get "#{full_path}/refresh_token", controller: refresh_token_ctrl.to_s, action: 'show' if !opts[:skip].include?(:refresh_token)
-          # get "#{full_path}/validate_token", controller: token_validations_ctrl.to_s, action: 'validate_token' if !opts[:skip].include?(:token_validations)
+          unless opts[:skip].include?(:refresh_token)
+            get "#{full_path}/refresh_token", controller: refresh_token_ctrl.to_s, action: 'show'
+          end
 
           # omniauth routes. only define if omniauth is installed and not skipped.
           if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
-            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get]
-            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get]
-
-            match "#{DeviseJwtAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: 'redirect_callbacks', via: [:get, :post]
-            match "#{DeviseJwtAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
+            match "#{full_path}/failure",
+                  controller: omniauth_ctrl,
+                  action: 'omniauth_failure',
+                  via: [:get]
+            match "#{full_path}/:provider/callback",
+                  controller: omniauth_ctrl,
+                  action: 'omniauth_success',
+                  via: [:get]
+            match "#{DeviseJwtAuth.omniauth_prefix}/:provider/callback",
+                  controller: omniauth_ctrl,
+                  action: 'redirect_callbacks',
+                  via: [:get, :post]
+            match "#{DeviseJwtAuth.omniauth_prefix}/failure",
+                  controller: omniauth_ctrl,
+                  action: 'omniauth_failure',
+                  via: [:get, :post]
 
             # preserve the resource class thru oauth authentication by setting name of
             # resource as "resource_class" param
-            match "#{full_path}/:provider", to: redirect{ |params, request|
+            match "#{full_path}/:provider", to: redirect { |params, request|
               # get the current querystring
-              qs = CGI::parse(request.env['QUERY_STRING'])
+              qs = CGI.parse(request.env['QUERY_STRING'])
 
               # append name of current resource
               qs['resource_class'] = [resource]
@@ -80,7 +91,7 @@ module ActionDispatch::Routing
 
               set_omniauth_path_prefix!(DeviseJwtAuth.omniauth_prefix)
 
-              redirect_params = {}.tap { |hash| qs.each{ |k, v| hash[k] = v.first } }
+              redirect_params = {}.tap { |hash| qs.each { |k, v| hash[k] = v.first } }
 
               if DeviseJwtAuth.redirect_whitelist
                 redirect_url = request.params['auth_origin_url']

data/lib/devise_jwt_auth/token_factory.rb

@@ -1,9 +1,10 @@
+# frozen_string_literal: true
+
 require 'jwt'
 
 module DeviseJwtAuth
   # A token management factory which allow generate token objects and check them.
   module TokenFactory
-
     def self.create_refresh_token(payload)
       if payload[:exp].blank? && payload['exp'].blank?
         payload[:exp] = (Time.zone.now + DeviseJwtAuth.refresh_token_lifespan).to_i
@@ -33,7 +34,7 @@ module DeviseJwtAuth
     rescue TypeError
       {}
     end
-    
+
     def self.decode_access_token(token)
       JWT.decode(token, DeviseJwtAuth.access_token_encryption_key).first
     rescue JWT::ExpiredSignature

data/lib/devise_jwt_auth/url.rb

@@ -1,12 +1,11 @@
 # frozen_string_literal: true
 
 module DeviseJwtAuth::Url
-
   def self.generate(url, params = {})
     uri = URI(url)
 
     res = "#{uri.scheme}://#{uri.host}"
-    res += ":#{uri.port}" if (uri.port && uri.port != 80 && uri.port != 443)
+    res += ":#{uri.port}" if uri.port && uri.port != 80 && uri.port != 443
     res += uri.path.to_s if uri.path
     query = [uri.query, params.to_query].reject(&:blank?).join('&')
     res += "?#{query}"
@@ -28,7 +27,7 @@ module DeviseJwtAuth::Url
   # wildcard convenience class
   class Wildcat
     def self.parse_to_regex(str)
-      escaped = Regexp.escape(str).gsub('\*','.*?')
+      escaped = Regexp.escape(str).gsub('\*', '.*?')
       Regexp.new("^#{escaped}$", Regexp::IGNORECASE)
     end
 
@@ -40,5 +39,4 @@ module DeviseJwtAuth::Url
       !!@regex.match(str)
     end
   end
-
 end

data/lib/devise_jwt_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseJwtAuth
-  VERSION = '0.1.5'.freeze
+  VERSION = '0.1.6'
 end

data/lib/generators/devise_jwt_auth/install_generator.rb

@@ -10,12 +10,12 @@ module DeviseJwtAuth
     class_option :primary_key_type, type: :string, desc: 'The type for primary key'
 
     def copy_migrations
-      if self.class.migration_exists?('db/migrate', "devise_jwt_auth_create_#{user_class.pluralize.gsub('::','').underscore}")
-        say_status('skipped', "Migration 'devise_jwt_auth_create_#{user_class.pluralize.gsub('::','').underscore}' already exists")
+      if self.class.migration_exists?('db/migrate', "devise_jwt_auth_create_#{user_class.pluralize.gsub('::', '').underscore}")
+        say_status('skipped', "Migration 'devise_jwt_auth_create_#{user_class.pluralize.gsub('::', '').underscore}' already exists")
       else
         migration_template(
           'devise_jwt_auth_create_users.rb.erb',
-          "db/migrate/devise_jwt_auth_create_#{user_class.pluralize.gsub('::','').underscore}.rb"
+          "db/migrate/devise_jwt_auth_create_#{user_class.pluralize.gsub('::', '').underscore}.rb"
         )
       end
     end
@@ -26,8 +26,9 @@ module DeviseJwtAuth
         inclusion = 'include DeviseJwtAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
 
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
-          inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
+          active_record_needle = Rails::VERSION::MAJOR == 5 ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do
+            <<-'RUBY'
             # Include default devise modules.
             devise :database_authenticatable, :registerable,
                     :recoverable, :rememberable, :trackable, :validatable,
@@ -43,7 +44,7 @@ module DeviseJwtAuth
 
     private
 
-    def self.next_migration_number(path)
+    def self.next_migration_number(_path)
       Time.zone.now.utc.strftime('%Y%m%d%H%M%S')
     end
 

data/lib/generators/devise_jwt_auth/install_generator_helpers.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 module DeviseJwtAuth
+  # Helper methods for installation generators.
   module InstallGeneratorHelpers
     class << self
       def included(mod)
@@ -19,15 +22,19 @@ module DeviseJwtAuth
             if File.exist?(File.join(destination_root, fname))
               if parse_file_for_line(fname, line)
                 say_status('skipped', 'Concern is already included in the application controller.')
-              elsif is_rails_api?
-                inject_into_file fname, after: "class ApplicationController < ActionController::API\n" do <<-'RUBY'
+              elsif rails_api?
+                inject_into_file fname,
+                                 after: "class ApplicationController < ActionController::API\n" do
+                  <<-'RUBY'
         include DeviseJwtAuth::Concerns::SetUserByToken
-                RUBY
+                  RUBY
                 end
               else
-                inject_into_file fname, after: "class ApplicationController < ActionController::Base\n" do <<-'RUBY'
+                inject_into_file fname,
+                                 after: "class ApplicationController < ActionController::Base\n" do
+                  <<-'RUBY'
         include DeviseJwtAuth::Concerns::SetUserByToken
-                RUBY
+                  RUBY
                 end
               end
             else
@@ -69,7 +76,7 @@ module DeviseJwtAuth
 
           def ip_column
             # Padded with spaces so it aligns nicely with the rest of the columns.
-            "%-8s" % (inet? ? "inet" : "string")
+            format('%-8s', (inet? ? 'inet' : 'string'))
           end
 
           def inet?
@@ -100,7 +107,7 @@ module DeviseJwtAuth
             match
           end
 
-          def is_rails_api?
+          def rails_api?
             fname = 'app/controllers/application_controller.rb'
             line = 'class ApplicationController < ActionController::API'
             parse_file_for_line(fname, line)

data/lib/generators/devise_jwt_auth/install_mongoid_generator.rb

@@ -3,6 +3,7 @@
 require_relative 'install_generator_helpers'
 
 module DeviseJwtAuth
+  # Adds Mongoid settings to ORM
   class InstallMongoidGenerator < Rails::Generators::Base
     include DeviseJwtAuth::InstallGeneratorHelpers
 
@@ -11,8 +12,8 @@ module DeviseJwtAuth
       if File.exist?(File.join(destination_root, fname))
         inclusion = 'include DeviseJwtAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
-          inject_into_file fname, before: /end\s\z/ do <<-'RUBY'
-
+          inject_into_file fname, before: /end\s\z/ do
+            <<-'RUBY'
   include Mongoid::Locker
 
   field :locker_locked_at, type: Time

data/lib/generators/devise_jwt_auth/templates/devise_jwt_auth.rb

@@ -6,7 +6,7 @@ DeviseJwtAuth.setup do |config|
   # use the HTTP only refresh cookie that is sent during the authentication
   # process and make refresh token requests.
   # config.send_new_access_token_on_each_request = false
-  
+
   # By default, refresh token HTTP Only cookies last for 2 weeks. These tokens
   # are used for requesting shorter-lived acccess tokens.
   # config.refresh_token_lifespan = 2.weeks
@@ -32,7 +32,7 @@ DeviseJwtAuth.setup do |config|
   # environment variable or secret key base that isn't store in a repository.
   # Also, its a good idea to NOT use the same key for access tokens.
   config.refresh_token_encryption_key = 'your-refresh-token-secret-key-here'
-  
+
   # This is the refresh token encryption key. You should set this in an
   # environment variable or secret key base that isn't store in a repository.
   # Also, its a good idea to NOT use the same key for access tokens.
@@ -70,5 +70,4 @@ DeviseJwtAuth.setup do |config|
   # config.update_token_version_after_password_reset = true
   # config.bypass_sign_in                            = true
   # config.require_client_password_reset_token       = false
-
 end

data/test/controllers/custom/custom_confirmations_controller_test.rb

@@ -10,8 +10,8 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
       @redirect_url = Faker::Internet.url
       @new_user = create(:user)
       @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
-      @mail          = ActionMailer::Base.deliveries.last
-      @token         = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+      @mail = ActionMailer::Base.deliveries.last
+      @token = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
       @client_config = @mail.body.match(/config=([^&]*)&/)[1]
 
       get :show,

data/test/controllers/custom/custom_passwords_controller_test.rb

@@ -13,7 +13,7 @@ class Custom::PasswordsControllerTest < ActionController::TestCase
 
     test 'yield resource to block on create success' do
       post :create,
-           params: { email:  @resource.email,
+           params: { email: @resource.email,
                      redirect_url: @redirect_url }
 
       @mail = ActionMailer::Base.deliveries.last
@@ -21,7 +21,7 @@ class Custom::PasswordsControllerTest < ActionController::TestCase
 
       @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)"/)[1]
 
       assert @controller.create_block_called?,
              'create failed to yield resource to provided block'
@@ -32,7 +32,7 @@ class Custom::PasswordsControllerTest < ActionController::TestCase
       @redirect_url = 'http://ng-token-auth.dev'
 
       post :create,
-           params: { email:  @resource.email,
+           params: { email: @resource.email,
                      redirect_url: @redirect_url },
            xhr: true
 
@@ -41,7 +41,7 @@ class Custom::PasswordsControllerTest < ActionController::TestCase
 
       @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)"/)[1]
 
       get :edit,
           params: { reset_password_token: @mail_reset_token,

data/test/controllers/custom/custom_refresh_token_controller_test.rb

@@ -9,8 +9,7 @@ class Custom::RefreshTokenControllerTest < ActionDispatch::IntegrationTest
     before do
       @resource = create(:user, :confirmed)
       @auth_headers = get_cookie_header(DeviseJwtAuth.refresh_token_name,
-                                        @resource.create_refresh_token
-      )
+                                        @resource.create_refresh_token)
     end
 
     test 'yield resource to block on refresh_token success' do
@@ -33,4 +32,4 @@ class Custom::RefreshTokenControllerTest < ActionDispatch::IntegrationTest
       assert_equal @data['custom'], 'foo'
     end
   end
-end
+end

data/test/controllers/custom/custom_registrations_controller_test.rb

@@ -8,8 +8,8 @@ class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest
 
     before do
       @create_params = attributes_for(:user,
-        confirm_success_url: Faker::Internet.url,
-        unpermitted_param: '(x_x)')
+                                      confirm_success_url: Faker::Internet.url,
+                                      unpermitted_param: '(x_x)')
 
       @existing_user = create(:user, :confirmed)
       @auth_headers = @existing_user.create_named_token_pair

data/test/controllers/demo_mang_controller_test.rb

@@ -39,61 +39,59 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
           it 'should define current_mang' do
             assert_equal @resource, @controller.current_mang
           end
-          
+
           it 'should define mang_signed_in?' do
             assert @controller.mang_signed_in?
           end
-          
+
           it 'should not define current_user' do
             refute_equal @resource, @controller.current_user
           end
-          
+
           it 'should define render_authenticate_error' do
             assert @controller.methods.include?(:render_authenticate_error)
           end
         end
-        
+
         it 'should return success status' do
           assert_equal 200, response.status
         end
-        
-=begin
-        it 'should receive new token after successful request' do
-          refute_equal @token, @resp_token
-        end
 
-        it 'should preserve the client id from the first request' do
-          assert_equal @client_id, @resp_client_id
-        end
-
-        it "should return the user's uid in the auth header" do
-          assert_equal @resource.uid, @resp_uid
-        end
-
-        it 'should not treat this request as a batch request' do
-          refute assigns(:is_batch_request)
-        end
-        
-        describe 'subsequent requests' do
-          before do
-            @resource.reload
-            # ensure that request is not treated as batch request
-            # age_token(@resource, @client_id)
-            
-            get '/demo/members_only_mang',
-            params: {},
-            headers: @auth_headers.merge('access-token' => @resp_token)
-          end
-          
-          it 'should not treat this request as a batch request' do
-            refute assigns(:is_batch_request)
-          end
-          
-          it 'should allow a new request to be made using new token' do
-            assert_equal 200, response.status
-          end
-        end
-=end
+        #         it 'should receive new token after successful request' do
+        #           refute_equal @token, @resp_token
+        #         end
+        #
+        #         it 'should preserve the client id from the first request' do
+        #           assert_equal @client_id, @resp_client_id
+        #         end
+        #
+        #         it "should return the user's uid in the auth header" do
+        #           assert_equal @resource.uid, @resp_uid
+        #         end
+        #
+        #         it 'should not treat this request as a batch request' do
+        #           refute assigns(:is_batch_request)
+        #         end
+        #
+        #         describe 'subsequent requests' do
+        #           before do
+        #             @resource.reload
+        #             # ensure that request is not treated as batch request
+        #             # age_token(@resource, @client_id)
+        #
+        #             get '/demo/members_only_mang',
+        #             params: {},
+        #             headers: @auth_headers.merge('access-token' => @resp_token)
+        #           end
+        #
+        #           it 'should not treat this request as a batch request' do
+        #             refute assigns(:is_batch_request)
+        #           end
+        #
+        #           it 'should allow a new request to be made using new token' do
+        #             assert_equal 200, response.status
+        #           end
+        #         end
       end
 
       describe 'failed request' do
@@ -112,175 +110,173 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
         end
       end
 
-=begin
-      describe 'disable change_headers_on_each_request' do
-        before do
-          DeviseJwtAuth.change_headers_on_each_request = false
-          @resource.reload
-          # age_token(@resource, @client_id)
-
-          get '/demo/members_only_mang',
-              params: {},
-              headers: @auth_headers
-
-          @first_is_batch_request = assigns(:is_batch_request)
-          @first_user = assigns(:resource).dup
-          @first_access_token = response.headers['access-token']
-          @first_response_status = response.status
-
-          @resource.reload
-          # age_token(@resource, @client_id)
-
-          # use expired auth header
-          get '/demo/members_only_mang',
-              params: {},
-              headers: @auth_headers
-
-          @second_is_batch_request = assigns(:is_batch_request)
-          @second_user = assigns(:resource).dup
-          @second_access_token = response.headers['access-token']
-          @second_response_status = response.status
-        end
-
-        after do
-          DeviseJwtAuth.change_headers_on_each_request = true
-        end
-
-        it 'should allow the first request through' do
-          assert_equal 200, @first_response_status
-        end
-
-        it 'should allow the second request through' do
-          assert_equal 200, @second_response_status
-        end
-
-        it 'should return auth headers from the first request' do
-          assert @first_access_token
-        end
-
-        it 'should not treat either requests as batch requests' do
-          refute @first_is_batch_request
-          refute @second_is_batch_request
-        end
-
-        it 'should return auth headers from the second request' do
-          assert @second_access_token
-        end
-
-        it 'should define user during first request' do
-          assert @first_user
-        end
-
-        it 'should define user during second request' do
-          assert @second_user
-        end
-      end
-
-      describe 'batch requests' do
-        describe 'success' do
-          before do
-            # age_token(@resource, @client_id)
-
-            get '/demo/members_only_mang',
-                params: {},
-                headers: @auth_headers
-
-            @first_is_batch_request = assigns(:is_batch_request)
-            @first_user = assigns(:resource)
-            @first_access_token = response.headers['access-token']
-
-            get '/demo/members_only_mang',
-                params: {},
-                headers: @auth_headers
-
-            @second_is_batch_request = assigns(:is_batch_request)
-            @second_user = assigns(:resource)
-            @second_access_token = response.headers['access-token']
-          end
-
-          it 'should allow both requests through' do
-            assert_equal 200, response.status
-          end
-
-          it 'should not treat the first request as a batch request' do
-            refute @first_is_batch_request
-          end
-
-          it 'should treat the second request as a batch request' do
-            assert @second_is_batch_request
-          end
-
-          it 'should return access token for first (non-batch) request' do
-            assert @first_access_token
-          end
-
-          it 'should not return auth headers for second (batched) requests' do
-            assert_equal ' ', @second_access_token
-          end
-        end
-
-        describe 'time out' do
-          before do
-            @resource.reload
-            # age_token(@resource, @client_id)
-
-            get '/demo/members_only_mang',
-                params: {},
-                headers: @auth_headers
-
-            @first_is_batch_request = assigns(:is_batch_request)
-            @first_user = assigns(:resource).dup
-            @first_access_token = response.headers['access-token']
-            @first_response_status = response.status
-
-            @resource.reload
-            # age_token(@resource, @client_id)
-
-            # use expired auth header
-            get '/demo/members_only_mang',
-                params: {},
-                headers: @auth_headers
-
-            @second_is_batch_request = assigns(:is_batch_request)
-            @second_user = assigns(:resource)
-            @second_access_token = response.headers['access-token']
-            @second_response_status = response.status
-          end
-
-          it 'should allow the first request through' do
-            assert_equal 200, @first_response_status
-          end
-
-          it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
-          end
-
-          it 'should not treat first request as batch request' do
-            refute @second_is_batch_request
-          end
-
-          it 'should return auth headers from the first request' do
-            assert @first_access_token
-          end
-
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
-          end
-
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
-          end
-
-          it 'should define user during first request' do
-            assert @first_user
-          end
-
-          it 'should not define user during second request' do
-            refute @second_user
-          end
-        end
-      end
-=end
+      #       describe 'disable change_headers_on_each_request' do
+      #         before do
+      #           DeviseJwtAuth.change_headers_on_each_request = false
+      #           @resource.reload
+      #           # age_token(@resource, @client_id)
+      #
+      #           get '/demo/members_only_mang',
+      #               params: {},
+      #               headers: @auth_headers
+      #
+      #           @first_is_batch_request = assigns(:is_batch_request)
+      #           @first_user = assigns(:resource).dup
+      #           @first_access_token = response.headers['access-token']
+      #           @first_response_status = response.status
+      #
+      #           @resource.reload
+      #           # age_token(@resource, @client_id)
+      #
+      #           # use expired auth header
+      #           get '/demo/members_only_mang',
+      #               params: {},
+      #               headers: @auth_headers
+      #
+      #           @second_is_batch_request = assigns(:is_batch_request)
+      #           @second_user = assigns(:resource).dup
+      #           @second_access_token = response.headers['access-token']
+      #           @second_response_status = response.status
+      #         end
+      #
+      #         after do
+      #           DeviseJwtAuth.change_headers_on_each_request = true
+      #         end
+      #
+      #         it 'should allow the first request through' do
+      #           assert_equal 200, @first_response_status
+      #         end
+      #
+      #         it 'should allow the second request through' do
+      #           assert_equal 200, @second_response_status
+      #         end
+      #
+      #         it 'should return auth headers from the first request' do
+      #           assert @first_access_token
+      #         end
+      #
+      #         it 'should not treat either requests as batch requests' do
+      #           refute @first_is_batch_request
+      #           refute @second_is_batch_request
+      #         end
+      #
+      #         it 'should return auth headers from the second request' do
+      #           assert @second_access_token
+      #         end
+      #
+      #         it 'should define user during first request' do
+      #           assert @first_user
+      #         end
+      #
+      #         it 'should define user during second request' do
+      #           assert @second_user
+      #         end
+      #       end
+      #
+      #       describe 'batch requests' do
+      #         describe 'success' do
+      #           before do
+      #             # age_token(@resource, @client_id)
+      #
+      #             get '/demo/members_only_mang',
+      #                 params: {},
+      #                 headers: @auth_headers
+      #
+      #             @first_is_batch_request = assigns(:is_batch_request)
+      #             @first_user = assigns(:resource)
+      #             @first_access_token = response.headers['access-token']
+      #
+      #             get '/demo/members_only_mang',
+      #                 params: {},
+      #                 headers: @auth_headers
+      #
+      #             @second_is_batch_request = assigns(:is_batch_request)
+      #             @second_user = assigns(:resource)
+      #             @second_access_token = response.headers['access-token']
+      #           end
+      #
+      #           it 'should allow both requests through' do
+      #             assert_equal 200, response.status
+      #           end
+      #
+      #           it 'should not treat the first request as a batch request' do
+      #             refute @first_is_batch_request
+      #           end
+      #
+      #           it 'should treat the second request as a batch request' do
+      #             assert @second_is_batch_request
+      #           end
+      #
+      #           it 'should return access token for first (non-batch) request' do
+      #             assert @first_access_token
+      #           end
+      #
+      #           it 'should not return auth headers for second (batched) requests' do
+      #             assert_equal ' ', @second_access_token
+      #           end
+      #         end
+      #
+      #         describe 'time out' do
+      #           before do
+      #             @resource.reload
+      #             # age_token(@resource, @client_id)
+      #
+      #             get '/demo/members_only_mang',
+      #                 params: {},
+      #                 headers: @auth_headers
+      #
+      #             @first_is_batch_request = assigns(:is_batch_request)
+      #             @first_user = assigns(:resource).dup
+      #             @first_access_token = response.headers['access-token']
+      #             @first_response_status = response.status
+      #
+      #             @resource.reload
+      #             # age_token(@resource, @client_id)
+      #
+      #             # use expired auth header
+      #             get '/demo/members_only_mang',
+      #                 params: {},
+      #                 headers: @auth_headers
+      #
+      #             @second_is_batch_request = assigns(:is_batch_request)
+      #             @second_user = assigns(:resource)
+      #             @second_access_token = response.headers['access-token']
+      #             @second_response_status = response.status
+      #           end
+      #
+      #           it 'should allow the first request through' do
+      #             assert_equal 200, @first_response_status
+      #           end
+      #
+      #           it 'should not allow the second request through' do
+      #             assert_equal 401, @second_response_status
+      #           end
+      #
+      #           it 'should not treat first request as batch request' do
+      #             refute @second_is_batch_request
+      #           end
+      #
+      #           it 'should return auth headers from the first request' do
+      #             assert @first_access_token
+      #           end
+      #
+      #           it 'should not treat second request as batch request' do
+      #             refute @second_is_batch_request
+      #           end
+      #
+      #           it 'should not return auth headers from the second request' do
+      #             refute @second_access_token
+      #           end
+      #
+      #           it 'should define user during first request' do
+      #             assert @first_user
+      #           end
+      #
+      #           it 'should not define user during second request' do
+      #             refute @second_user
+      #           end
+      #         end
+      #       end
     end
   end
 end