devise_token_auth 0.1.42 → 0.1.43.beta1

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -7,7 +7,7 @@ module DeviseTokenAuth
 
     def create
       @resource            = resource_class.new(sign_up_params)
-      @resource.provider   = "email"
+      @resource.provider   = provider
 
       # honor devise configuration for case_insensitive_keys
       if resource_class.case_insensitive_keys.include?(:email)
@@ -38,6 +38,10 @@ module DeviseTokenAuth
         # override email confirmation, must be sent manually from ctrl
         resource_class.set_callback("create", :after, :send_on_create_confirmation_instructions)
         resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+        if @resource.respond_to? :skip_confirmation_notification!
+          # Fix duplicate e-mails by disabling Devise confirmation e-mail
+          @resource.skip_confirmation_notification!
+        end
         if @resource.save
           yield @resource if block_given?
 
@@ -55,7 +59,7 @@ module DeviseTokenAuth
 
             @resource.tokens[@client_id] = {
               token: BCrypt::Password.create(@token),
-              expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+              expiry: (Time.now + @resource.token_lifespan).to_i
             }
 
             @resource.save!

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -14,19 +14,9 @@ module DeviseTokenAuth
 
       @resource = nil
       if field
-        q_value = resource_params[field]
+        q_value = get_case_insensitive_field_from_resource_params(field)
 
-        if resource_class.case_insensitive_keys.include?(field)
-          q_value.downcase!
-        end
-
-        q = "#{field.to_s} = ? AND provider='email'"
-
-        if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-          q = "BINARY " + q
-        end
-
-        @resource = resource_class.where(q, q_value).first
+        @resource = find_resource(field, q_value)
       end
 
       if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
@@ -41,7 +31,7 @@ module DeviseTokenAuth
 
         @resource.tokens[@client_id] = {
           token: BCrypt::Password.create(@token),
-          expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+          expiry: (Time.now + @resource.token_lifespan).to_i
         }
         @resource.save
 
@@ -142,7 +132,6 @@ module DeviseTokenAuth
       }, status: 404
     end
 
-
     private
 
     def resource_params

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -0,0 +1,105 @@
+module DeviseTokenAuth
+  class UnlocksController < DeviseTokenAuth::ApplicationController
+    skip_after_action :update_auth_header, :only => [:create, :show]
+
+    # this action is responsible for generating unlock tokens and
+    # sending emails
+    def create
+      unless resource_params[:email]
+        return render_create_error_missing_email
+      end
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:email, @email)
+
+      @errors = nil
+      @error_status = 400
+
+      if @resource
+        yield @resource if block_given?
+
+        @resource.send_unlock_instructions({
+          email: @email,
+          provider: 'email',
+          client_config: params[:config_name]
+        })
+
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          @errors = @resource.errors
+        end
+      else
+        @errors = [I18n.t("devise_token_auth.unlocks.user_not_found", email: @email)]
+        @error_status = 404
+      end
+
+      if @errors
+        return render_create_error
+      end
+    end
+
+    def show
+      @resource = resource_class.unlock_access_by_token(params[:unlock_token])
+
+      if @resource && @resource.id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @resource.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        @resource.save!
+        yield @resource if block_given?
+
+        redirect_header_options = {unlock: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
+                                             redirect_headers))
+      else
+        render_show_error
+      end
+    end
+
+    private
+    def after_unlock_path_for(resource)
+      #TODO: This should probably be a configuration option at the very least.
+      '/'
+    end
+
+    def render_create_error_missing_email
+      render json: {
+        success: false,
+        errors: [I18n.t("devise_token_auth.unlocks.missing_email")]
+      }, status: 401
+    end
+
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t("devise_token_auth.unlocks.sended", email: @email)
+      }
+    end
+
+    def render_create_error
+      render json: {
+        success: false,
+        errors: @errors,
+      }, status: @error_status
+    end
+
+    def render_show_error
+      raise ActionController::RoutingError.new('Not Found')
+    end
+
+    def resource_params
+      params.permit(:email, :unlock_token, :config)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -41,12 +41,6 @@ module DeviseTokenAuth::Concerns::User
     # remove old tokens if password has changed
     before_save :remove_tokens_after_password_reset
 
-    # allows user to change password without current_password
-    attr_writer :allow_password_change
-    def allow_password_change
-      @allow_password_change || false
-    end
-
     # don't use default devise email validation
     def email_required?
       false
@@ -56,6 +50,15 @@ module DeviseTokenAuth::Concerns::User
       false
     end
 
+    def will_save_change_to_email?
+      false
+    end
+
+    def password_required?
+      return false unless provider == 'email'
+      super
+    end
+
     # override devise method to include additional info as opts hash
     def send_confirmation_instructions(opts=nil)
       unless @raw_confirmation_token
@@ -88,6 +91,21 @@ module DeviseTokenAuth::Concerns::User
 
       token
     end
+
+    # override devise method to include additional info as opts hash
+    def send_unlock_instructions(opts=nil)
+      raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+      self.unlock_token = enc
+      save(validate: false)
+
+      opts ||= {}
+
+      # fall back to "default" config name
+      opts[:client_config] ||= "default"
+
+      send_devise_notification(:unlock_instructions, raw, opts)
+      raw
+    end
   end
 
   module ClassMethods
@@ -99,11 +117,7 @@ module DeviseTokenAuth::Concerns::User
     end
 
     def database_exists?
-      ActiveRecord::Base.connection
-    rescue ActiveRecord::NoDatabaseError
-      false
-    else
-      true
+      ActiveRecord::Base.connection_pool.with_connection { |con| con.active? } rescue false
     end
   end
 
@@ -172,7 +186,7 @@ module DeviseTokenAuth::Concerns::User
     last_token ||= nil
     token        = SecureRandom.urlsafe_base64(nil, false)
     token_hash   = ::BCrypt::Password.create(token)
-    expiry       = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+    expiry       = (Time.now + token_lifespan).to_i
 
     if self.tokens[client_id] && self.tokens[client_id]['token']
       last_token = self.tokens[client_id]['token']
@@ -238,6 +252,9 @@ module DeviseTokenAuth::Concerns::User
     ])
   end
 
+  def token_lifespan
+    DeviseTokenAuth.token_lifespan
+  end
 
   protected
 

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -2,11 +2,11 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   extend ActiveSupport::Concern
 
   included do
-    validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' }
-    validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' }
+    validates :email, presence: true, email: true, if: :email_provider?
+    validates_presence_of :uid, unless: :email_provider?
 
     # only validate unique emails among email registration users
-    validate :unique_email_user, on: :create
+    validates :email, uniqueness: { scope: :provider }, on: :create, if: :email_provider?
 
     # keep uid in sync with email
     before_save :sync_uid
@@ -15,11 +15,8 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 
   protected
 
-  # only validate unique email among users that registered by email
-  def unique_email_user
-    if provider == 'email' && self.class.where(provider: 'email', email: email).count > 0
-      errors.add(:email, :taken)
-    end
+  def email_provider?
+    provider == 'email'
   end
 
   def sync_uid

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -4,4 +4,4 @@
 
 <p><%= t '.unlock_link_msg' %></p>
 
-<p><%= link_to t('.unlock_link'), unlock_url(@resource, unlock_token: @token) %></p>
+<p><%= link_to t('.unlock_link'), unlock_url(@resource, unlock_token: @token, config: message['client-config'].to_s) %></p>

data/app/views/devise_token_auth/omniauth_external_window.html.erb

@@ -15,7 +15,7 @@
             Cordova / PhoneGap)
       */
 
-      var data = <%= @data.to_json.html_safe %>;
+      var data = JSON.parse(decodeURIComponent('<%= URI::escape( @data.to_json ) %>'));
 
       window.addEventListener("message", function(ev) {
         if (ev.data === "requestCredentials") {

data/config/initializers/devise.rb

@@ -142,7 +142,7 @@ Devise.setup do |config|
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  config.email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this

data/config/locales/da-DK.yml

@@ -0,0 +1,50 @@
+da-DK:
+  devise_token_auth:
+    sessions:
+      not_confirmed: "Der er sendt en bekræftelsesemail til din konto på '%{email}'. Følg venligst instruktionerne i emailen for at aktivere din konto."
+      bad_credentials: "Ugyldigt kombination af brugernavn og kodeord. Prøv venligst igen."
+      not_supported: "Brug POST /sign_in for at logge ind. GET er ikke supporteret."
+      user_not_found: "Brugeren er ikke fundet eller er ikke logget ind."
+    token_validations:
+      invalid: "Ugyldig legitimationsoplysninger."
+    registrations:
+      missing_confirm_success_url: "Der mangler et 'confirm_success_url' parameter."
+      redirect_url_not_allowed: "Omdirigering til '%{redirect_url}' er ikke tilladt."
+      email_already_exists: "Der eksisterer allerede en konto med '%{email}'"
+      account_with_uid_destroyed: "Kontoen med UID '%{uid}' er slettet."
+      account_to_destroy_not_found: "Kan ikke finde kontoen som skal slettes."
+      user_not_found: "Brugeren ikke fundet."
+    passwords:
+      missing_email: "Du skal udfylde email feltet."
+      missing_redirect_url: "Der er ingen omdirigeringsadresse."
+      redirect_url_not_allowed: "Omdirigering til '%{redirect_url}' er ikke tilladt."
+      sended: "En email er blevet sendt til '%{email}' med instruktioner for at nulstille dit kodeord."
+      user_not_found: "Kan ikke finde en bruger med '%{email}'."
+      password_not_required: "Denne bruger kræver ikke et kodeord. Log ind med '%{provider}' konto i stedet."
+      missing_passwords: "Du skal fylde alle felter ud som indeholder 'Password' og 'Password confirmation'."
+      successfully_updated: "Dit kodeord er opdateret."
+    unlocks:
+      missing_email: "Du skal udfylde en email."
+      sended: "En email er blevet sendt til '%{email}', som indeholder instruktioner for at låse kontoen op."
+      user_not_found: "Kan ikke finde en burger med email '%{email}'."
+  errors:
+    messages:
+      validate_sign_up_params: "Angiv venligst passende registeringsdata i request body."
+      validate_account_update_params: "Angiv venligst en passende konto opdatering i request body."
+      not_email: "er ikke en email"
+  devise:
+    mailer:
+      confirmation_instructions:
+        confirm_link_msg: "Du kan bekræfte din konto email for linket herunder:"
+        confirm_account_link: "Bekræft min konto"
+      reset_password_instructions:
+        request_reset_link_msg: "Der er nogle der har anmodet om et link til at ændre dit kodeord. Det kan du gøre gennem linket nedenfor."
+        password_change_link: "Ændre mit kodeord."
+        ignore_mail_msg: "Hvis du ikke anmodede om dette, ignorer venligst denne email."
+        no_changes_msg: "Din kodeord vil ikke ændres indtil du går ind på linket ovenfor og laver et nyt et."
+      unlock_instructions:
+        account_lock_msg: "Din konto er blevet låst fordi der er for mange forkerte log ind-forsøg."
+        unlock_link_msg: "Klik linket nedenfor, for at låse din konto op:"
+        unlock_link: "Lås min konto op"
+  hello: "hej"
+  welcome: "velkommen"

data/config/locales/en.yml

@@ -23,6 +23,10 @@ en:
       password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
       successfully_updated: "Your password has been successfully updated."
+    unlocks:
+      missing_email: "You must provide an email address."
+      sended: "An email has been sent to '%{email}' containing instructions for unlocking your account."
+      user_not_found: "Unable to find user with email '%{email}'."
   errors:
     messages:
       validate_sign_up_params: "Please submit proper sign up data in request body."

data/lib/devise_token_auth/controllers/helpers.rb

@@ -15,10 +15,11 @@ module DeviseTokenAuth
         #     devise_group :blogger, contains: [:user, :admin]
         #
         #   Generated methods:
-        #     authenticate_blogger!  # Redirects unless user or admin are signed in
-        #     blogger_signed_in?     # Checks whether there is either a user or an admin signed in
-        #     current_blogger        # Currently signed in user or admin
-        #     current_bloggers       # Currently signed in user and admin
+        #     authenticate_blogger!             # Redirects unless user or admin are signed in
+        #     blogger_signed_in?                # Checks whether there is either a user or an admin signed in
+        #     current_blogger                   # Currently signed in user or admin
+        #     current_bloggers                  # Currently signed in user and admin
+        #     render_authenticate_error         # Render error unless user or admin are signed in
         #
         #   Use:
         #     before_action :authenticate_blogger!              # Redirects unless either a user or an admin are authenticated
@@ -38,9 +39,7 @@ module DeviseTokenAuth
                 end
 
                 unless current_#{group_name}
-                  return render json: {
-                    errors: [I18n.t('devise.failure.unauthenticated')]
-                  }, status: 401
+                  render_authenticate_error
                 end
               end
             end
@@ -67,8 +66,14 @@ module DeviseTokenAuth
               end.compact
             end
 
+            def render_authenticate_error
+              return render json: {
+                errors: [I18n.t('devise.failure.unauthenticated')]
+              }, status: 401
+            end
+
             if respond_to?(:helper_method)
-              helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+              helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?", "render_authenticate_error"
             end
           METHODS
         end
@@ -90,14 +95,15 @@ module DeviseTokenAuth
       #     Admin
       #
       #   Generated methods:
-      #     authenticate_user!  # Signs user in or 401
-      #     authenticate_admin! # Signs admin in or 401
-      #     user_signed_in?     # Checks whether there is a user signed in or not
-      #     admin_signed_in?    # Checks whether there is an admin signed in or not
-      #     current_user        # Current signed in user
-      #     current_admin       # Current signed in admin
-      #     user_session        # Session data available only to the user scope
-      #     admin_session       # Session data available only to the admin scope
+      #     authenticate_user!                   # Signs user in or 401
+      #     authenticate_admin!                  # Signs admin in or 401
+      #     user_signed_in?                      # Checks whether there is a user signed in or not
+      #     admin_signed_in?                     # Checks whether there is an admin signed in or not
+      #     current_user                         # Current signed in user
+      #     current_admin                        # Current signed in admin
+      #     user_session                         # Session data available only to the user scope
+      #     admin_session                        # Session data available only to the admin scope
+      #     render_authenticate_error            # Render error unless user or admin is signed in
       #
       #   Use:
       #     before_action :authenticate_user!  # Tell devise to use :user map
@@ -109,9 +115,7 @@ module DeviseTokenAuth
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
           def authenticate_#{mapping}!
             unless current_#{mapping}
-              return render json: {
-                errors: [I18n.t('devise.failure.unauthenticated')]
-              }, status: 401
+              render_authenticate_error
             end
           end
 
@@ -126,11 +130,17 @@ module DeviseTokenAuth
           def #{mapping}_session
             current_#{mapping} && warden.session(:#{mapping})
           end
+
+          def render_authenticate_error
+            return render json: {
+              errors: [I18n.t('devise.failure.unauthenticated')]
+            }, status: 401
+          end
         METHODS
 
         ActiveSupport.on_load(:action_controller) do
           if respond_to?(:helper_method)
-            helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+            helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session", "render_authenticate_error"
           end
         end
       end