RubyGems - devise_jwt_auth - Versions diffs - 0.1.5 → 0.1.6 - Mend

devise_jwt_auth 0.1.5 → 0.1.6

Files changed (81) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a15d74ac0fd5ea01fed0ef24dd71dd28f04391a2467598be4a6738a2f19ca0df
-  data.tar.gz: 527bb191cbf4bf2baf1bdf56fa3e3308da17c012f3dcf8c391d7db47c3903816
+  metadata.gz: 9c1a405bebeaa7813dc0b99465db4530d29bf458fe392dd968f11b8abc5b11ab
+  data.tar.gz: d1c81c134b4031df4ef862041a4dfc4a0bc021f2cd538c020c23aaccc485e298
 SHA512:
-  metadata.gz: 6332f906fd89b8938de3a6c16916805802ac5d04b71e7ef8e437ff00b69b6f12101d929aec8271306029047abaed0de6fa4be061abd13425a019efa1f3aee793
-  data.tar.gz: 4d26f6f3c681ec83d5d0b518d4def8afab6a6c587dbffbbf37ffd690c75c06a7497d3c89f0a217f6a3fcf9545dcb19520b3832fb77e36fe8b1524a627f2179ce
+  metadata.gz: 06141ad295c58d63e8f4e87bc26be3af1b223b52ac2a865329c0ea438bfb7409e7e0466ad2fb1a70b156ba773346dca676d04b6f3fe00e1297b900a3cc482bdd
+  data.tar.gz: b7de2ecb350212b5fc8e91b0066bd5cb5050ca1e5c1c344a116b8d2ce77273b5f8066dc654a26ab0412bb4d8e5b679f4852a16c022cee60a04b0408e2f0a1a12

data/README.md CHANGED

@@ -57,7 +57,7 @@ See our [Contribution Guidelines](https://github.com/aarona/devise_jwt_auth/blob
 ## Live Demos
-Live demos will hopefully be added in the future. At the very least, I'm planning on creating a Rails/React proof of concept repo that you can clone and run locally.
+Live demos will hopefully be added in the future. Currently, I have a [repository](https://github.com/aarona/dja_example) available that is a proof of concept for DJA that uses React as the client. However, the example application only supports sigining up, sigining in and singing out. It doesn't provide a way to reset a user's password for example and other things that DJA supports. Those will be added in the near future.
 ## License

data/app/controllers/devise_jwt_auth/application_controller.rb CHANGED

@@ -20,17 +20,17 @@ module DeviseJwtAuth
       DeviseJwtAuth.redirect_whitelist && !DeviseJwtAuth::Url.whitelisted?(redirect_url)
     end
-    def build_redirect_headers(access_token, client, redirect_header_options = {})
+    def build_redirect_headers(access_token, _client, redirect_header_options = {})
       {
         # DeviseJwtAuth.headers_names[:"access-token"] => access_token,
         # DeviseJwtAuth.headers_names[:"client"] => client,
-        :config => params[:config],
+        config: params[:config],
         # Legacy parameters which may be removed in a future release.
         # Consider using "client" and "access-token" in client code.
         # See: github.com/lynndylanhurley/devise_jwt_auth/issues/993
         # :client_id => client,
-        :token => access_token
+        token: access_token
       }.merge(redirect_header_options)
     end
@@ -42,20 +42,23 @@ module DeviseJwtAuth
     end
     def resource_class(m = nil)
-      if m
-        mapping = Devise.mappings[m]
-      else
-        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
-      end
+      mapping = if m
+                  Devise.mappings[m]
+                else
+                  Devise.mappings[resource_name] || Devise.mappings.values.first
+                end
       mapping.to
     end
     def json_api?
       return false unless defined?(ActiveModel::Serializer)
-      return ActiveModel::Serializer.setup do |config|
-        config.adapter == :json_api
-      end if ActiveModel::Serializer.respond_to?(:setup)
+      if ActiveModel::Serializer.respond_to?(:setup)
+        return ActiveModel::Serializer.setup do |config|
+          config.adapter == :json_api
+        end
+      end
       ActiveModelSerializers.config.adapter == :json_api
     end

data/app/controllers/devise_jwt_auth/concerns/resource_finder.rb CHANGED

@@ -8,13 +8,9 @@ module DeviseJwtAuth::Concerns::ResourceFinder
     # honor Devise configuration for case_insensitive keys
     q_value = resource_params[field.to_sym]
-    if resource_class.case_insensitive_keys.include?(field.to_sym)
-      q_value.downcase!
-    end
+    q_value.downcase! if resource_class.case_insensitive_keys.include?(field.to_sym)
-    if resource_class.strip_whitespace_keys.include?(field.to_sym)
-      q_value.strip!
-    end
+    q_value.strip! if resource_class.strip_whitespace_keys.include?(field.to_sym)
     q_value
   end

data/app/controllers/devise_jwt_auth/concerns/set_user_by_token.rb CHANGED

@@ -5,7 +5,6 @@ module DeviseJwtAuth::Concerns::SetUserByToken
   include DeviseJwtAuth::Concerns::ResourceFinder
   included do
   end
   protected
@@ -22,10 +21,10 @@ module DeviseJwtAuth::Concerns::SetUserByToken
       devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
       @resource = devise_warden_user if devise_warden_user
     end
     # user has already been found and authenticated
-    return @resource if @resource && @resource.is_a?(rc)
+    return @resource if @resource&.is_a?(rc)
     # TODO: Look for the access token in an 'Authentication' header
     token = request.headers[DeviseJwtAuth.access_token_name]
     return unless token
@@ -33,8 +32,9 @@ module DeviseJwtAuth::Concerns::SetUserByToken
     payload = DeviseJwtAuth::TokenFactory.decode_access_token(token)
     return if payload.empty?
     return if payload && payload['sub'].blank?
     uid = payload['sub']
     # mitigate timing attacks by finding by uid instead of auth token
     user = uid && rc.dta_find_by(uid: uid)
     scope = rc.to_s.underscore.to_sym
@@ -46,10 +46,10 @@ module DeviseJwtAuth::Concerns::SetUserByToken
       else
         sign_in(scope, user, store: false, event: :fetch, bypass: DeviseJwtAuth.bypass_sign_in)
       end
-      return @resource = user
+      @resource = user
     else
       # zero all values previously set values
-      return @resource = nil
+      @resource = nil
     end
   end
@@ -65,10 +65,10 @@ module DeviseJwtAuth::Concerns::SetUserByToken
       devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
       @resource = devise_warden_user if devise_warden_user
     end
     # user has already been found and authenticated
-    return @resource if @resource && @resource.is_a?(rc)
+    return @resource if @resource&.is_a?(rc)
     token = request.cookies[DeviseJwtAuth.refresh_token_name]
     return unless token
@@ -76,6 +76,7 @@ module DeviseJwtAuth::Concerns::SetUserByToken
     payload = DeviseJwtAuth::TokenFactory.decode_refresh_token(token)
     return if payload.empty?
     return if payload && payload['sub'].blank?
     uid = payload['sub']
     # mitigate timing attacks by finding by uid instead of auth token
@@ -89,13 +90,12 @@ module DeviseJwtAuth::Concerns::SetUserByToken
       else
         sign_in(scope, user, store: false, event: :fetch, bypass: DeviseJwtAuth.bypass_sign_in)
       end
-      return @resource = user
+      @resource = user
     else
       # zero all values previously set values
-      return @resource = nil
+      @resource = nil
     end
   end
   def update_refresh_token_cookie
     response.set_cookie(DeviseJwtAuth.refresh_token_name,
@@ -103,15 +103,13 @@ module DeviseJwtAuth::Concerns::SetUserByToken
                         path: '/auth/refresh_token', # TODO: Use configured auth path
                         expires: Time.zone.now + DeviseJwtAuth.refresh_token_lifespan,
                         httponly: true,
-                        secure: Rails.env.production?
-    )
+                        secure: Rails.env.production?)
   end
   def clear_refresh_token_cookie
     response.set_cookie(DeviseJwtAuth.refresh_token_name,
                         value: '',
                         path: '/auth/refresh_token', # TODO: Use configured auth path
-                        expires: Time.zone.now
-    )
+                        expires: Time.zone.now)
   end
-end
+end

data/app/controllers/devise_jwt_auth/confirmations_controller.rb CHANGED

@@ -2,7 +2,6 @@
 module DeviseJwtAuth
   class ConfirmationsController < DeviseJwtAuth::ApplicationController
     def show
       @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
@@ -12,19 +11,12 @@ module DeviseJwtAuth
         redirect_header_options = { account_confirmation_success: true }
         if signed_in?(resource_name)
-          # token = signed_in_resource.create_token
-          # redirect_headers = build_redirect_headers(token.token,
-          #                                           token.client,
-          #                                           redirect_header_options)
-          redirect_headers = signed_in_resource.create_named_token_pair.
-                             merge(redirect_header_options)
+          redirect_headers = signed_in_resource.create_named_token_pair
+                               .merge(redirect_header_options)
-          # TODO: add a refresh token cookie in the response.
           update_refresh_token_cookie
-          #redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+          # redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
           redirect_to_link = DeviseJwtAuth::Url.generate(redirect_url, redirect_headers)
         else
           redirect_to_link = DeviseJwtAuth::Url.generate(redirect_url, redirect_header_options)
@@ -46,11 +38,11 @@ module DeviseJwtAuth
       return render_not_found_error unless @resource
       @resource.send_confirmation_instructions({
-        redirect_url: redirect_url,
-        client_config: resource_params[:config_name]
-      })
+                                                 redirect_url: redirect_url,
+                                                 client_config: resource_params[:config_name]
+                                               })
-      return render_create_success
+      render_create_success
     end
     protected
@@ -61,8 +53,8 @@ module DeviseJwtAuth
     def render_create_success
       render json: {
-          success: true,
-          message: I18n.t('devise_jwt_auth.confirmations.sended', email: @email)
+        success: true,
+        message: I18n.t('devise_jwt_auth.confirmations.sended', email: @email)
       }
     end
@@ -83,6 +75,5 @@ module DeviseJwtAuth
         DeviseJwtAuth.default_confirm_success_url
       )
     end
   end
 end

data/app/controllers/devise_jwt_auth/omniauth_callbacks_controller.rb CHANGED

@@ -7,12 +7,10 @@ module DeviseJwtAuth
     before_action :validate_auth_origin_url_param
     skip_before_action :set_user_by_jwt_token, raise: false
-    # skip_after_action :update_auth_header
     # intermediary route for successful omniauth authentication. omniauth does
     # not support multiple models, so we must resort to this terrible hack.
     def redirect_callbacks
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
       devise_mapping = get_devise_mapping
@@ -29,15 +27,17 @@ module DeviseJwtAuth
     def get_redirect_route(devise_mapping)
       path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
       klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
-      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+      klass.build(host: request.host, port: request.port, path: path).to_s
     end
     def get_devise_mapping
-       # derive target redirect route from 'resource_class' param, which was set
-       # before authentication.
-       devise_mapping = [request.env['omniauth.params']['namespace_name'],
-                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
-    rescue NoMethodError => err
+      # derive target redirect route from 'resource_class' param, which was set
+      # before authentication.
+      [
+        request.env['omniauth.params']['namespace_name'],
+        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')
+      ].compact.join('_')
+    rescue NoMethodError
       default_devise_mapping
     end
@@ -45,13 +45,13 @@ module DeviseJwtAuth
     # find the mapping in `omniauth.params`.
     #
     # One example use-case here is for IDP-initiated SAML login.  In that
-    # case, there will have been no initial request in which to save
+    # case, there will have been no initial request in which to save
     # the devise mapping.  If you are in a situation like that, and
     # your app allows for you to determine somehow what the devise
     # mapping should be (because, for example, it is always the same),
     # then you can handle it by overriding this method.
     def default_devise_mapping
-      raise NotImplementedError.new('no default_devise_mapping set')
+      raise NotImplementedError, 'no default_devise_mapping set'
     end
     def omniauth_success
@@ -78,10 +78,11 @@ module DeviseJwtAuth
       render_data_or_redirect('authFailure', error: @error)
     end
-    def validate_auth_origin_url_param
-      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    def validate_auth_origin_url_param
+      return unless auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+      render_error_not_allowed_auth_origin_url
     end
     protected
@@ -95,19 +96,19 @@ module DeviseJwtAuth
     # are added as query params in our monkey patch to OmniAuth in engine.rb
     def omniauth_params
       unless defined?(@_omniauth_params)
-        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
+        if request.env['omniauth.params']&.any?
           @_omniauth_params = request.env['omniauth.params']
-        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
+        elsif session['dta.omniauth.params']&.any?
           @_omniauth_params ||= session.delete('dta.omniauth.params')
           @_omniauth_params
         elsif params['omniauth_window_type']
-          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+          @_omniauth_params =
+            params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
         else
           @_omniauth_params = {}
         end
       end
       @_omniauth_params
     end
     # break out provider attribute assignment for easy method extension
@@ -120,14 +121,13 @@ module DeviseJwtAuth
     def whitelisted_params
       whitelist = params_for_resource(:sign_up)
-      whitelist.inject({}) do |coll, key|
+      whitelist.each_with_object({}) do |key, coll|
         param = omniauth_params[key.to_s]
         coll[key] = param if param
-        coll
       end
     end
-    def resource_class(mapping = nil)
+    def resource_class(_mapping = nil)
       if omniauth_params['resource_class']
         omniauth_params['resource_class'].constantize
       elsif params['resource_class']
@@ -149,18 +149,18 @@ module DeviseJwtAuth
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
     def auth_origin_url
-      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
-        return nil
-      end
-      return unsafe_auth_origin_url
+      return nil if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+      unsafe_auth_origin_url
     end
     # in the success case, omniauth_window_type is in the omniauth_params.
     # in the failure case, it is in a query param.  See monkey patch above
     def omniauth_window_type
-      omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
+      return params['omniauth_window_type'] if omniauth_params.nil?
+      omniauth_params['omniauth_window_type']
     end
     # this sesison value is set by the redirect_callbacks method. its purpose
@@ -208,7 +208,10 @@ module DeviseJwtAuth
     end
     def render_error_not_allowed_auth_origin_url
-      message = I18n.t('devise_jwt_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      message =
+        I18n.t('devise_jwt_auth.omniauth.not_allowed_redirect_url',
+               redirect_url: unsafe_auth_origin_url)
       render_data_or_redirect('authFailure', error: message)
     end
@@ -218,7 +221,6 @@ module DeviseJwtAuth
     end
     def render_data_or_redirect(message, data, user_data = {})
       # We handle inAppBrowser and newWindow the same, but it is nice
       # to support values in case people need custom implementations for each case
       # (For example, nbrustein does not allow new users to be created if logging in with
@@ -245,7 +247,7 @@ module DeviseJwtAuth
     end
     def fallback_render(text)
-        render inline: %Q(
+      render inline: %(
             <html>
                     <head></head>
@@ -271,9 +273,7 @@ module DeviseJwtAuth
         provider: auth_hash['provider']
       ).first_or_initialize
-      if @resource.new_record?
-        handle_new_resource
-      end
+      handle_new_resource if @resource.new_record?
       # sync user info with provider, update/generate auth token
       assign_provider_attrs(@resource, auth_hash)
@@ -287,5 +287,4 @@ module DeviseJwtAuth
       @resource
     end
   end
 end

data/app/controllers/devise_jwt_auth/passwords_controller.rb CHANGED

@@ -3,7 +3,6 @@
 module DeviseJwtAuth
   class PasswordsController < DeviseJwtAuth::ApplicationController
     before_action :validate_redirect_url_param, only: [:create, :edit]
-    # skip_after_action :update_auth_header, only: [:create, :edit]
     # this action is responsible for generating password reset tokens and sending emails
     def create
@@ -22,7 +21,7 @@ module DeviseJwtAuth
         )
         if @resource.errors.empty?
-          return render_create_success
+          render_create_success
         else
           render_create_error @resource.errors
         end
@@ -36,12 +35,13 @@ module DeviseJwtAuth
       # if a user is not found, return nil
       @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
-      if @resource && @resource.reset_password_period_valid?
+      if @resource&.reset_password_period_valid?
         # TODO: add a token invalidator
         # token = @resource.create_token unless require_client_password_reset_token?
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
         @resource.save!
@@ -49,16 +49,19 @@ module DeviseJwtAuth
         yield @resource if block_given?
         if require_client_password_reset_token?
-          redirect_to DeviseJwtAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+          redirect_to DeviseJwtAuth::Url.generate(
+            @redirect_url,
+            reset_password_token: resource_params[:reset_password_token]
+          )
         else
           redirect_header_options = { reset_password: true }
-          redirect_headers = @resource.create_named_token_pair.
-                             merge(redirect_header_options)
+          redirect_headers = @resource.create_named_token_pair
+                               .merge(redirect_header_options)
           # TODO: do we put the refresh token here?
           # we do if token exists (see line 41)
           update_refresh_token_cookie
           redirect_to_link = DeviseJwtAuth::Url.generate(@redirect_url, redirect_headers)
           redirect_to redirect_to_link
@@ -82,9 +85,7 @@ module DeviseJwtAuth
       return render_update_error_unauthorized unless @resource
       # make sure account doesn't use oauth2 provider
-      unless @resource.provider == 'email'
-        return render_update_error_password_not_required
-      end
+      return render_update_error_password_not_required unless @resource.provider == 'email'
       # ensure that password params were sent
       unless password_resource_params[:password] && password_resource_params[:password_confirmation]
@@ -100,16 +101,20 @@ module DeviseJwtAuth
         # send refresh cookie
         # send access token
         update_refresh_token_cookie
-        return render_update_success
+        render_update_success
       else
-        return render_update_error
+        render_update_error
       end
     end
     protected
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
+      allow_password_change =
+        recoverable_enabled? &&
+        @resource.allow_password_change == true ||
+        require_client_password_reset_token?
       if DeviseJwtAuth.check_current_password_before_update == false || allow_password_change
         'update'
       else
@@ -128,9 +133,10 @@ module DeviseJwtAuth
     def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
-        data:   resource_data
+        data: resource_data
       }
-      message = I18n.t('devise_jwt_auth.passwords.not_allowed_redirect_url', redirect_url: @redirect_url)
+      message = I18n.t('devise_jwt_auth.passwords.not_allowed_redirect_url',
+                       redirect_url: @redirect_url)
       render_error(422, message, response)
     end
@@ -157,7 +163,8 @@ module DeviseJwtAuth
     end
     def render_update_error_password_not_required
-      render_error(422, I18n.t('devise_jwt_auth.passwords.password_not_required', provider: @resource.provider.humanize))
+      render_error(422, I18n.t('devise_jwt_auth.passwords.password_not_required',
+                               provider: @resource.provider.humanize))
     end
     def render_update_error_missing_password
@@ -170,7 +177,7 @@ module DeviseJwtAuth
         data: resource_data,
         message: I18n.t('devise_jwt_auth.passwords.successfully_updated')
       }.merge!(@resource.create_named_token_pair)
       render json: response_body
     end
@@ -203,11 +210,14 @@ module DeviseJwtAuth
       )
       return render_create_error_missing_redirect_url unless @redirect_url
-      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+      render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
     end
     def reset_password_token_as_raw?(recoverable)
-      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+      recoverable &&
+        recoverable.reset_password_token.present? &&
+        !require_client_password_reset_token?
     end
     def require_client_password_reset_token?