devise_token_auth 0.1.37 → 0.1.38

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -0,0 +1,28 @@
+module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+  extend ActiveSupport::Concern
+
+  included do
+    validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' }
+    validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' }
+
+    # only validate unique emails among email registration users
+    validate :unique_email_user, on: :create
+
+    # keep uid in sync with email
+    before_save :sync_uid
+    before_create :sync_uid
+  end
+
+  protected
+
+  # only validate unique email among users that registered by email
+  def unique_email_user
+    if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0
+      errors.add(:email, I18n.t("errors.messages.already_in_use"))
+    end
+  end
+
+  def sync_uid
+    self.uid = email if provider == 'email'
+  end
+end

data/config/initializers/devise.rb

@@ -142,7 +142,7 @@ Devise.setup do |config|
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

data/config/locales/de.yml

@@ -1,7 +1,7 @@
 de:
   devise_token_auth:
     sessions:
-      not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}'' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren"
+      not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren"
       bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut."
       not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt."
       user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden."

data/config/locales/ja.yml

@@ -0,0 +1,47 @@
+ja:
+  devise_token_auth:
+    sessions:
+      not_confirmed: "'%{email}' に確認用のメールを送信しました。メール内の説明を読み、アカウントの有効化をしてください。"
+      bad_credentials: "ログイン用の認証情報が正しくありません。再度お試しください。"
+      not_supported: "/sign_in に GET はサポートされていません。POST をお使いください。"
+      user_not_found: "ユーザーが見つからないか、ログインしていません。"
+    token_validations:
+      invalid: "ログイン用の認証情報が正しくありません。"
+    registrations:
+      missing_confirm_success_url: "'confirm_success_url' パラメータが与えられていません。"
+      redirect_url_not_allowed: "'%{redirect_url}' へのリダイレクトは許可されていません。"
+      email_already_exists: "'%{email}' のアカウントはすでに存在しています。"
+      account_with_uid_destroyed: "'%{uid}' のアカウントは削除されました。"
+      account_to_destroy_not_found: "削除するアカウントが見つかりません。"
+      user_not_found: "ユーザーが見つかりません。"
+    passwords:
+      missing_email: "メールアドレスが与えられていません。"
+      missing_redirect_url: "リダイレクト URL が与えられていません。"
+      not_allowed_redirect_url: "'%{redirect_url}' へのリダイレクトは許可されていません。"
+      sended: "'%{email}' にパスワードリセットの案内が送信されました。"
+      user_not_found: "メールアドレス '%{email}' のユーザーが見つかりません。"
+      password_not_required: "このアカウントはパスワードを要求していません。'%{provider}' を利用してログインしてください。"
+      missing_passwords: "'Password', 'Password confirmation' パラメータが与えられていません。"
+      successfully_updated: "パスワードの更新に成功しました。"
+  errors:
+    messages:
+      already_in_use: "すでに利用されています。"
+      validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。"
+      validate_account_update_params: "リクエストボディに適切なアカウント更新のデータを送信してください。"
+      not_email: "はメールアドレスではありません"
+  devise:
+    mailer:
+      confirmation_instructions:
+        confirm_link_msg: "下記のリンクからアカウントを有効化できます:"
+        confirm_account_link: "アカウントを有効化する"
+      reset_password_instructions:
+        request_reset_link_msg: "パスワード変更のリクエストが送信されました。下記のリンクからパスワードの変更をできます。"
+        password_change_link: "パスワードを変更する"
+        ignore_mail_msg: "もしこの内容に覚えがない場合は、このメールを無視してください。"
+        no_changes_msg: "上記のリンクにアクセスして新しいパスワードを作成するまで、現在のパスワードは変更されません。"
+      unlock_instructions:
+        account_lock_msg: "連続してログインに失敗したため、あなたのアカウントはロックされました。"
+        unlock_link_msg: "下記のリンクをクリックしてアカウントを有効化してください:"
+        unlock_link: "アカウントを有効化する"
+  hello: "こんにちは"
+  welcome: "ようこそ"

data/config/locales/nl.yml

@@ -0,0 +1,31 @@
+nl:
+  devise_token_auth:
+    sessions:
+      not_confirmed: "Een bevestingsmail is verzonden naar het adres '%{email}'. Volg de instructies in de mail om uw account te activeren."
+      bad_credentials: 'Ongeldige logingegevens.'
+      not_supported: "Gebruik POST /sign_in om in te loggen. GET wordt niet ondersteund."
+      user_not_found: "Gebruiker is niet gevonden of niet ingelogd."
+    token_validations:
+      invalid: "Ongeldige logingegevens."
+    registrations:
+      missing_confirm_success_url: "Parameter 'confirm_success_url' ontbreekt."
+      redirect_url_not_allowed: "Redirect naar '%{redirect_url}' niet toegestaan."
+      email_already_exists: "Er bestaat al een account voor het adres '%{email}'"
+      account_with_uid_destroyed: "Account met id '%{uid}' is verwijderd."
+      account_to_destroy_not_found: "Te verwijderen account niet gevonden."
+      user_not_found: "Gebruiker niet gevonden."
+    passwords:
+      missing_email: "Je moet een e-mailadres opgeven."
+      missing_redirect_url: "Redirect URL ontbreekt."
+      not_allowed_redirect_url: "Redirect naar '%{redirect_url}' niet toegestaan."
+      sended: "Er is een e-mail naar '%{email}' verstuurd met instructies om uw wachtwoord te resetten."
+      user_not_found: "Kan gebruiker met e-mail '%{email}' niet vinden."
+      password_not_required: "Voor dit account is geen wachtwoord nodig. Log in met uw '%{provider}' account."
+      missing_passwords: "De velden 'Wachtwoord' en 'Wachtwoord bevestiging' zijn verplicht."
+      successfully_updated: "Uw wachtwoord is aangepast."
+  errors:
+    messages:
+      already_in_use: "al in gebruik"
+      validate_sign_up_params: "Gegevens voor aanmaken van het account zijn niet geldig."
+      validate_account_update_params: "Gegevens voor updaten van het account zijn niet geldig."
+      not_email: "is geen geldig e-emailadres"

data/lib/devise_token_auth/controllers/helpers.rb

@@ -36,6 +36,12 @@ module DeviseTokenAuth
                 mappings.each do |mapping|
                   set_user_by_token(mapping)
                 end
+
+                unless current_#{group_name}
+                  return render json: {
+                    errors: ["Authorized users only."]
+                  }, status: 401
+                end
               end
             end
 

data/lib/devise_token_auth/engine.rb

@@ -19,7 +19,9 @@ module DeviseTokenAuth
                  :redirect_whitelist,
                  :check_current_password_before_update,
                  :enable_standard_devise_support,
-                 :remove_tokens_after_password_reset
+                 :remove_tokens_after_password_reset,
+                 :default_callbacks,
+                 :headers_names
 
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -32,6 +34,12 @@ module DeviseTokenAuth
   self.check_current_password_before_update = false
   self.enable_standard_devise_support       = false
   self.remove_tokens_after_password_reset   = false
+  self.default_callbacks                    = true
+  self.headers_names                        = {:'access-token' => 'access-token',
+                                               :'client' => 'client',
+                                               :'expiry' => 'expiry',
+                                               :'uid' => 'uid',
+                                               :'token-type' => 'token-type' }
 
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/rails/routes.rb

@@ -58,8 +58,8 @@ module ActionDispatch::Routing
             match "#{full_path}/failure",             controller: omniauth_ctrl, action: "omniauth_failure", via: [:get]
             match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: "omniauth_success", via: [:get]
 
-            match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: "redirect_callbacks", via: [:get]
-            match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get]
+            match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: "redirect_callbacks", via: [:get, :post]
+            match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get, :post]
 
             # preserve the resource class thru oauth authentication by setting name of
             # resource as "resource_class" param
@@ -69,6 +69,7 @@ module ActionDispatch::Routing
 
               # append name of current resource
               qs["resource_class"] = [resource]
+              qs["namespace_name"] = [namespace_name] if namespace_name
 
               set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix)
 

data/lib/devise_token_auth/version.rb

@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.37"
+  VERSION = "0.1.38"
 end

data/lib/generators/devise_token_auth/USAGE

@@ -1,6 +1,6 @@
 Description:
   This generator will install all the necessary configuration and migration
-  files for the devies_token_auth gem. See
+  files for the devise_token_auth gem. See
   https://github.com/lynndylanhurley/devise_token_auth for more information.
 
 Arguments:

data/lib/generators/devise_token_auth/install_generator.rb

@@ -29,7 +29,9 @@ module DeviseTokenAuth
       else
         inclusion = "include DeviseTokenAuth::Concerns::User"
         unless parse_file_for_line(fname, inclusion)
-          inject_into_file fname, after: "class #{user_class} < ActiveRecord::Base\n" do <<-'RUBY'
+          
+          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
           :recoverable, :rememberable, :trackable, :validatable,

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -30,8 +30,19 @@ DeviseTokenAuth.setup do |config|
   # password is updated.
   # config.check_current_password_before_update = :attributes
 
+  # By default we will use callbacks for single omniauth.
+  # It depends on fields like email, provider and uid.
+  # config.default_callbacks = true
+
+  # Makes it possible to change the headers names
+  # config.headers_names = {:'access-token' => 'access-token',
+  #                        :'client' => 'client',
+  #                        :'expiry' => 'expiry',
+  #                        :'uid' => 'uid',
+  #                        :'token-type' => 'token-type' }
+
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
-  # enable_standard_devise_support = false
+  # config.enable_standard_devise_support = false
 end

data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb

@@ -16,7 +16,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
       })
     end
 
-    test "yield resource to block on omniauth_sucess success" do
+    test "yield resource to block on omniauth_success success" do
       @redirect_url = "http://ng-token-auth.dev/"
       get_via_redirect '/nice_user_auth/facebook', {
         auth_origin_url: @redirect_url,

data/test/controllers/demo_group_controller_test.rb

@@ -120,7 +120,20 @@ class DemoGroupControllerTest < ActionDispatch::IntegrationTest
           end
         end
       end
+
+      describe 'failed access' do
+        before do
+          get '/demo/members_only_group', {}, @mang_auth_headers.merge({'access-token' => "bogus"})
+        end
+
+        it 'should not return any auth headers' do
+          refute response.headers['access-token']
+        end
+
+        it 'should return error: unauthorized status' do
+          assert_equal 401, response.status
+        end      
+      end
     end
   end
 end
-

data/test/controllers/demo_user_controller_test.rb

@@ -315,17 +315,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           assert 200, response.status
         end
 
-        describe 'another device should not be abble to login' do
+        describe 'another device should not be able to login' do
 
           it 'should return forbidden status' do
             get '/demo/members_only', {}, @old_auth_headers
             assert 401, response.status
           end
-          
+
+        end
+
+      end
+
+      describe 'request including destroy of token' do
+        describe 'when change_headers_on_each_request is set to false' do
+          before do
+            DeviseTokenAuth.change_headers_on_each_request = false
+            age_token(@resource, @client_id)
+
+            get '/demo/members_only_remove_token', {}, @auth_headers
+          end
+
+          after do
+            DeviseTokenAuth.change_headers_on_each_request = true
+          end
+
+          it 'should not return auth-headers' do
+            refute response.headers['access-token']
+          end
         end
 
+        describe 'when change_headers_on_each_request is set to true' do
+          before do
+            age_token(@resource, @client_id)
+            get '/demo/members_only_remove_token', {}, @auth_headers
+          end
+
+          it 'should not return auth-headers' do
+            refute response.headers['access-token']
+          end
+        end
       end
 
+      describe 'when access-token name has been changed' do
+        before do
+          # ensure that request is not treated as batch request
+          DeviseTokenAuth.headers_names[:'access-token'] = 'new-access-token'
+          auth_headers_modified = @resource.create_new_auth_token
+          client_id = auth_headers_modified['client']
+          age_token(@resource, client_id)
+
+          get '/demo/members_only', {}, auth_headers_modified
+          @resp_token = response.headers['new-access-token']
+        end
+
+        it 'should have "new-access-token" header' do
+          assert @resp_token.present?
+        end
+
+        after do
+          DeviseTokenAuth.headers_names[:'access-token'] = 'access-token'
+        end
+      end
     end
 
     describe 'enable_standard_devise_support' do
@@ -364,8 +414,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           it 'should not define current_mang' do
             refute_equal @resource, @controller.current_mang
           end
-		  
-		  
+
+
           it 'should increase the number of tokens by a factor of 2 up to 11' do
             @first_token = @resource.tokens.keys.first
 
@@ -459,6 +509,5 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
       end
 
     end
-
   end
 end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -8,6 +8,12 @@ require 'test_helper'
 
 class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::ConfirmationsController do
+    def token_and_client_config_from(body)
+      token         = body.match(/confirmation_token=([^&]*)&/)[1]
+      client_config = body.match(/config=([^&]*)&/)[1]
+      [token, client_config]
+    end
+
     describe "Confirmation" do
       before do
         @redirect_url = Faker::Internet.url
@@ -15,9 +21,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         @new_user.send_confirmation_instructions({
           redirect_url: @redirect_url
         })
-        @mail          = ActionMailer::Base.deliveries.last
-        @token         = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
-        @client_config = @mail.body.match(/config=([^&]*)&/)[1]
+        mail = ActionMailer::Base.deliveries.last
+        @token, @client_config = token_and_client_config_from(mail.body)
       end
 
       test 'should generate raw token' do
@@ -74,9 +79,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
 
         @new_user.send_confirmation_instructions(client_config: @config_name)
 
-        @mail          = ActionMailer::Base.deliveries.last
-        @token         = @mail.body.match(/confirmation_token=(.*)\"/)[1]
-        @client_config = @mail.body.match(/config=(.*)\&/)[1]
+        mail = ActionMailer::Base.deliveries.last
+        @token, @client_config = token_and_client_config_from(mail.body)
       end
 
       test 'should generate raw token' do

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -263,7 +263,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       assert_equal({"error"=>"invalid_credentials", "message"=>"authFailure"}, data)
     end
 
-    test 'renders somethign with no auth_origin_url' do
+    test 'renders something with no auth_origin_url' do
       get_via_redirect '/auth/facebook'
       assert_equal 200, response.status
       assert_select "body", "invalid_credentials"

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -256,7 +256,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
             redirect_url: @bad_redirect_url
           }
 
-          assert_equal 403, response.status
+          assert_equal 422, response.status
         end
         test "request to non-whitelisted redirect should return error message" do
           xhr :post, :create, {
@@ -380,8 +380,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
 
           test "request should return success message" do
-            assert @data["data"]["message"]
-            assert_equal @data["data"]["message"], I18n.t("devise_token_auth.passwords.successfully_updated")
+            assert @data["message"]
+            assert_equal @data["message"], I18n.t("devise_token_auth.passwords.successfully_updated")
           end
 
           test "new password should authenticate user" do

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -131,7 +131,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         }
         @data = JSON.parse(response.body)
 
-        assert_equal 403, response.status
+        assert_equal 422, response.status
         assert @data["errors"]
         assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @bad_redirect_url)]
       end
@@ -147,7 +147,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           unpermitted_param: '(x_x)'
         }
 
-        assert_equal 403, response.status
+        assert_equal 422, response.status
       end
 
       test "request to non-whitelisted redirect should fail" do
@@ -311,7 +311,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test "request should not be successful" do
-        assert_equal 403, response.status
+        assert_equal 422, response.status
       end
 
       test "user should not have been created" do
@@ -340,7 +340,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test "request should not be successful" do
-        assert_equal 403, response.status
+        assert_equal 422, response.status
       end
 
       test "user should not have been created" do
@@ -370,7 +370,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test "request should not be successful" do
-        assert_equal 403, response.status
+        assert_equal 422, response.status
       end
 
       test "user should have been created" do
@@ -402,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
 
       test "request should not be successful" do
-        assert_equal 403, response.status
+        assert_equal 422, response.status
       end
 
       test "user should have been created" do
@@ -563,7 +563,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
             end
 
             test "Request was NOT successful" do
-              assert_equal 403, response.status
+              assert_equal 422, response.status
             end
 
             test "Errors were provided with response" do
@@ -627,7 +627,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
             test "Request was NOT successful" do
               put "/auth", @request_params, @auth_headers
-              assert_equal 403, response.status
+              assert_equal 422, response.status
             end
           end
         end
@@ -671,7 +671,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
             test "Request was NOT successful" do
               put "/auth", @request_params, @auth_headers
-              assert_equal 403, response.status
+              assert_equal 422, response.status
             end
           end
         end