devise_token_auth 0.1.42 → 0.1.43.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8e417664fd64bb5d235bbb2e071516172ff8125b
-  data.tar.gz: e75006fbdcf1b00f00117db24fce2410eb257162
+  metadata.gz: 49f4bcdd5d7a311223110f453bd4575fe89768e0
+  data.tar.gz: f6ccefa63103a9da877b9872a2f23aa26ce5bbf0
 SHA512:
-  metadata.gz: 7aa61841da344dd20e7921d74c98e015b6c21a0efe662e8bf2b1b7e4b5f27c4c0da53ed009a7df803b7aa97a969c834d93918a05e825618c65c92870725d90a8
-  data.tar.gz: cd4cc39794d409dd91016fba7e4cbcd8c5568f6180ba5346559f22dfd18b6800a04a5a9785e699ead20008554d36f0dc849e0bee3f46bd82d3248c3a9aaa223f
+  metadata.gz: bd75219ef40a2a64ed0cba0f57631b2d097c7d0187ae596d3db16b9b59f38fa8ae47edc7c87627ff65c4f3e5f1c0c626b610cb6d585c310f37a023709838dd0d
+  data.tar.gz: 66658c65532b7271c542302f75c2798db7f6bd425fc642ad70f67ca7f9d3dd6869ca0199df6d911fa2eced7a6fdba8997f30775193143b40634d6959e38c6945

data/README.md

@@ -1,3 +1,9 @@
+# Contributors wanted!
+
+See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). We're making an effort to bring back this gem and fix everything open! Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969).
+
+<hr>
+
 ![Serious Trust](https://github.com/lynndylanhurley/devise_token_auth/raw/master/test/dummy/app/assets/images/logo.jpg "Serious Trust")
 
 [![Gem Version](https://badge.fury.io/rb/devise_token_auth.svg)](http://badge.fury.io/rb/devise_token_auth)
@@ -60,6 +66,7 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is
   * [Custom Controller Overrides](#custom-controller-overrides)
   * [Passing blocks to Controllers](#passing-blocks-controllers)
   * [Email Template Overrides](#email-template-overrides)
+  * [Testing](#testing)
 * [Issue Reporting Guidelines](#issue-reporting)
 * [FAQ](#faq)
 * [Conceptual Diagrams](#conceptual)
@@ -140,8 +147,8 @@ The following routes are available for use by your client. These routes live rel
 
 | path | method | purpose |
 |:-----|:-------|:--------|
-| /    | POST   | Email registration. Requires **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
-| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access_token`** and **`client`** headers. |
+| /    | POST   | Email registration. Requires **`email`**, **`password`**, **`password_confirmation`**, and **`confirm_success_url`** params (this last one can be omitted if you have set `config.default_confirm_success_url` in `config/initializers/devise_token_auth.rb`). A verification email will be sent to the email address provided. Upon clicking the link in the confirmation email, the API will redirect to the URL specified in **`confirm_success_url`**. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
+| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access-token`** and **`client`** headers. |
 | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. |
 | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. |
@@ -434,7 +441,7 @@ The authentication information should be included by the client in the headers o
 "uid":          "zzzzz"
 ~~~
 
-The authentication headers consists of the following params:
+The authentication headers (each one is a seperate header) consists of the following params:
 
 | param | description |
 |---|---|
@@ -489,7 +496,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   # store client + token in user's token hash
   @resource.tokens[client_id] = {
     token: BCrypt::Password.create(token),
-    expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+    expiry: (Time.now + @resource.token_lifespan).to_i
   }
 
   # generate auth headers for response
@@ -766,18 +773,21 @@ These files may be edited to suit your taste. You can customize the e-mail subje
 
 **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing.
 
+## Testing
+
+In order to authorise a request when testing your API you will need to pass the four headers through with your request, the easiest way to gain appropriate values for those headers is to use `resource.create_new_auth_token` e.g.
+
+```Ruby
+  request.headers.merge! resource.create_new_auth_token
+  get '/api/authenticated_resource'
+  # success
+```
+
 # Issue Reporting
 
-When posting issues, please include the following information to speed up the troubleshooting process:
+When posting issues, please include the information mentioned in the [ISSUE_TEMPLATE.md].
 
-* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker) or [Angular2-Token](https://github.com/neroniaky/angular2-token) if applicable) are you using?
-* **Request and response headers**: these can be found in the "Network" tab of your browser's web inspector.
-* **Rails Stacktrace**: this can be found in the `log/development.log` of your API.
-* **Environmental Info**: How is your application different from the [reference implementation](https://github.com/lynndylanhurley/devise_token_auth_demo)? This may include (but is not limited to) the following details:
-  * **Routes**: are you using some crazy namespace, scope, or constraint?
-  * **Gems**: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.?
-  * **Custom Overrides**: what have you done in terms of [custom controller overrides](#custom-controller-overrides)?
-  * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker), [Angular2-Token](https://github.com/neroniaky/angular2-token), or something else?
+[ISSUE_TEMPLATE.md]: https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/ISSUE_TEMPLATE.md
 
 # FAQ
 
@@ -833,6 +843,15 @@ class ApplicationController < ActionController::Base
 end
 ~~~
 
+### How can I use this gem with Grape?
+
+You may be interested in [GrapeTokenAuth](https://github.com/mcordell/grape_token_auth) or [GrapeDeviseTokenAuth](https://github.com/mcordell/grape_devise_token_auth).
+
+### I already have an user, how can I add the new fields?
+
+Check [Setup migrations for an existing User table](https://github.com/lynndylanhurley/devise_token_auth/wiki/Setup-migrations-for-an-existing-User-table)
+
+
 # Conceptual
 
 None of the following information is required to use this gem, but read on if you're curious.
@@ -853,7 +872,8 @@ These measures are taken by default when using this gem.
 
 By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's necessary to make several concurrent requests to the API, for example:
 
-#####Batch request example
+##### Batch request example
+
 ~~~javascript
 $scope.getResourceData = function() {
 
@@ -879,7 +899,7 @@ The following diagram details the relationship between the client, server, and a
 
 ![batch request detail](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-detail.jpg)
 
-Note that when the server identifies that a request is part of a batch request, the user's auth token is not updated. The auth token will be updated for the first request in the batch, and then that same token will be returned in the responses for each subsequent request in the batch (as shown in the diagram).
+Note that when the server identifies that a request is part of a batch request, the user's auth token is not updated. The auth token will be updated and returned with the first request in the batch, and the subsequent requests in the batch will not return a token. This is necessary because the order of the responses cannot be guaranteed to the client, and we need to be sure that the client does not receive an outdated token *after* the the last valid token is returned.
 
 This gem automatically manages batch requests. You can change the time buffer for what is considered a batch request using the `batch_request_buffer_throttle` parameter in `config/initializers/devise_token_auth.rb`.
 
@@ -906,6 +926,8 @@ But the most important step is to use HTTPS. You are on the hook for that.
 Thanks to the following contributors:
 
 * [@booleanbetrayal](https://github.com/booleanbetrayal)
+* [@zachfeldman](https://github.com/zachfeldman)
+* [@MaicolBen](https://github.com/MaicolBen)
 * [@guilhermesimoes](https://github.com/guilhermesimoes)
 * [@jasonswett](https://github.com/jasonswett)
 * [@m2omou](https://github.com/m2omou)
@@ -918,30 +940,9 @@ Thanks to the following contributors:
 
 # Contributing
 
-1. Create a feature branch with your changes.
-2. Write some test cases.
-3. Make all the tests pass.
-4. Issue a pull request.
-
-I will grant you commit access if you send quality pull requests.
-
-To run the test suite do the following:
-
-1. Clone this repo
-2. Run `bundle install`
-3. Run `rake db:migrate`
-4. Run `RAILS_ENV=test rake db:migrate`
-5. Run `guard`
-
-The last command will open the [guard](https://github.com/guard/guard) test-runner. Guard will re-run each test suite when changes are made to its corresponding files.
-
-To run just one test:
+See the [CONTRIBUTING.md] document.
 
-1. Clone this repo
-2. Run `bundle install`
-3. Run `rake db:migrate`
-4. Run `RAILS_ENV=test rake db:migrate`
-5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/
+[CONTRIBUTING.md]: https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md
 
 # License
 This project uses the WTFPL

data/app/controllers/devise_token_auth/application_controller.rb

@@ -1,6 +1,7 @@
 module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
+    include DeviseTokenAuth::Concerns::ResourceFinder
 
     def resource_data(opts={})
       response_data = opts[:resource_json] || @resource.as_json
@@ -16,6 +17,20 @@ module DeviseTokenAuth
 
     protected
 
+    def build_redirect_headers(access_token, client, redirect_header_options = {})
+      {
+        DeviseTokenAuth.headers_names[:"access-token"] => access_token,
+        DeviseTokenAuth.headers_names[:"client"] => client,
+        :config => params[:config],
+
+        # Legacy parameters which may be removed in a future release.
+        # Consider using "client" and "access-token" in client code.
+        # See: github.com/lynndylanhurley/devise_token_auth/issues/993
+        :client_id => client,
+        :token => access_token
+      }.merge(redirect_header_options)
+    end
+
     def params_for_resource(resource)
       devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
         params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -0,0 +1,38 @@
+module DeviseTokenAuth::Concerns::ResourceFinder
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Controllers::Helpers
+
+  def get_case_insensitive_field_from_resource_params(field)
+    # honor Devise configuration for case_insensitive keys
+    q_value = resource_params[field.to_sym]
+
+    if resource_class.case_insensitive_keys.include?(field.to_sym)
+      q_value.downcase!
+    end
+    q_value
+  end
+
+  def find_resource(field, value)
+    # fix for mysql default case insensitivity
+    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
+    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+      q = "BINARY " + q
+    end
+
+    @resource = resource_class.where(q, value).first
+  end
+
+  def resource_class(m=nil)
+    if m
+      mapping = Devise.mappings[m]
+    else
+      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+    end
+
+    mapping.to
+  end
+
+  def provider
+    'email'
+  end
+end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -1,6 +1,6 @@
 module DeviseTokenAuth::Concerns::SetUserByToken
   extend ActiveSupport::Concern
-  include DeviseTokenAuth::Controllers::Helpers
+  include DeviseTokenAuth::Concerns::ResourceFinder
 
   included do
     before_action :set_request_start
@@ -13,6 +13,12 @@ module DeviseTokenAuth::Concerns::SetUserByToken
   def set_request_start
     @request_started_at = Time.now
     @used_auth_by_token = true
+
+    # initialize instance variables
+    @client_id = nil
+    @resource = nil
+    @token = nil
+    @is_batch_request = nil
   end
 
   # user auth
@@ -23,7 +29,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # no default user defined
     return unless rc
 
-    #gets the headers names, which was set in the initialize file
+    # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
@@ -47,7 +53,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
 
     # user has already been found and authenticated
-    return @resource if @resource && @resource.class == rc
+    return @resource if @resource && @resource.is_a?(rc)
 
     # ensure we clear the client_id
     if !@token
@@ -75,10 +81,9 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
   end
 
-
   def update_auth_header
     # cannot save object if model has invalid params
-    return unless @resource && @resource.valid? && @client_id
+    return unless defined?(@resource) && @resource && @resource.valid? && @client_id
 
     # Generate new client_id with existing authentication
     @client_id = nil unless @used_auth_by_token
@@ -113,31 +118,28 @@ module DeviseTokenAuth::Concerns::SetUserByToken
         if @is_batch_request
           auth_header = @resource.extend_batch_buffer(@token, @client_id)
 
+          # Do not return token for batch requests to avoid invalidated
+          # tokens returned to the client in case of race conditions.
+          # Use a blank string for the header to still be present and
+          # being passed in a XHR response in case of
+          # 304 Not Modified responses.
+          auth_header[DeviseTokenAuth.headers_names[:"access-token"]] = ' '
+          auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
+
         # update Authorization response header with new token
         else
           auth_header = @resource.create_new_auth_token(@client_id)
-
-          # update the response header
-          response.headers.merge!(auth_header)
         end
 
-      end # end lock
+        # update the response header
+        response.headers.merge!(auth_header)
 
-    end
-
-  end
+      end # end lock
 
-  def resource_class(m=nil)
-    if m
-      mapping = Devise.mappings[m]
-    else
-      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
     end
 
-    mapping.to
   end
 
-
   private
 
 

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -8,23 +8,28 @@ module DeviseTokenAuth
         client_id  = SecureRandom.urlsafe_base64(nil, false)
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
-        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+        expiry     = (Time.now + @resource.token_lifespan).to_i
+
+        if @resource.sign_in_count > 0
+          expiry = (Time.now + 1.second).to_i
+        end
 
         @resource.tokens[client_id] = {
           token:  token_hash,
           expiry: expiry
         }
 
+        sign_in(@resource)
         @resource.save!
 
         yield @resource if block_given?
 
-        redirect_to(@resource.build_auth_url(params[:redirect_url], {
-          token:                        token,
-          client_id:                    client_id,
-          account_confirmation_success: true,
-          config:                       params[:config]
-        }))
+        redirect_header_options = {account_confirmation_success: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(params[:redirect_url],
+                                             redirect_headers))
       else
         raise ActionController::RoutingError.new('Not Found')
       end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -79,12 +79,8 @@ module DeviseTokenAuth
 
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
-      user.assign_attributes({
-        nickname: auth_hash['info']['nickname'],
-        name:     auth_hash['info']['name'],
-        image:    auth_hash['info']['image'],
-        email:    auth_hash['info']['email']
-      })
+      attrs = auth_hash['info'].slice(*user.attributes.keys)
+      user.assign_attributes(attrs)
     end
 
     # derive allowed params from the standard devise parameter sanitizer
@@ -164,7 +160,7 @@ module DeviseTokenAuth
       # create token info
       @client_id = SecureRandom.urlsafe_base64(nil, false)
       @token     = SecureRandom.urlsafe_base64(nil, false)
-      @expiry    = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+      @expiry    = (Time.now + @resource.token_lifespan).to_i
       @config    = omniauth_params['config_name']
     end
 

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -27,21 +27,8 @@ module DeviseTokenAuth
         end
       end
 
-      # honor devise configuration for case_insensitive_keys
-      if resource_class.case_insensitive_keys.include?(:email)
-        @email = resource_params[:email].downcase
-      else
-        @email = resource_params[:email]
-      end
-
-      q = "uid = ? AND provider='email'"
-
-      # fix for mysql default case insensitivity
-      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-        q = "BINARY uid = ? AND provider='email'"
-      end
-
-      @resource = resource_class.where(q, @email).first
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:uid, @email)
 
       @errors = nil
       @error_status = 400
@@ -72,15 +59,16 @@ module DeviseTokenAuth
 
     # this is where users arrive after visiting the password reset confirmation link
     def edit
-      @resource = resource_class.reset_password_by_token({
-        reset_password_token: resource_params[:reset_password_token]
-      })
+      # if a user is not found, return nil
+      @resource = resource_class.with_reset_password_token(
+        resource_params[:reset_password_token]
+      )
 
-      if @resource && @resource.id
+      if @resource
         client_id  = SecureRandom.urlsafe_base64(nil, false)
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
-        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+        expiry     = (Time.now + @resource.token_lifespan).to_i
 
         @resource.tokens[client_id] = {
           token:  token_hash,
@@ -94,14 +82,15 @@ module DeviseTokenAuth
         @resource.allow_password_change = true;
 
         @resource.save!
+
         yield @resource if block_given?
 
-        redirect_to(@resource.build_auth_url(params[:redirect_url], {
-          token:          token,
-          client_id:      client_id,
-          reset_password: true,
-          config:         params[:config]
-        }))
+        redirect_header_options = {reset_password: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(params[:redirect_url],
+                                             redirect_headers))
       else
         render_edit_error
       end
@@ -125,6 +114,7 @@ module DeviseTokenAuth
 
       if @resource.send(resource_update_method, password_resource_params)
         @resource.allow_password_change = false
+        @resource.save!
 
         yield @resource if block_given?
         return render_update_success