devise_token_auth 0.1.43.beta1 → 0.1.43

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -1,12 +1,12 @@
 module DeviseTokenAuth
   class RegistrationsController < DeviseTokenAuth::ApplicationController
-    before_action :set_user_by_token, :only => [:destroy, :update]
-    before_action :validate_sign_up_params, :only => :create
-    before_action :validate_account_update_params, :only => :update
-    skip_after_action :update_auth_header, :only => [:create, :destroy]
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
 
     def create
-      @resource            = resource_class.new(sign_up_params)
+      @resource            = resource_class.new(sign_up_params.except(:confirm_success_url))
       @resource.provider   = provider
 
       # honor devise configuration for case_insensitive_keys
@@ -17,13 +17,13 @@ module DeviseTokenAuth
       end
 
       # give redirect value from params priority
-      @redirect_url = params[:confirm_success_url]
+      @redirect_url = sign_up_params[:confirm_success_url]
 
       # fall back to default value if provided
       @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
 
       # success redirect url is required
-      if resource_class.devise_modules.include?(:confirmable) && !@redirect_url
+      if confirmable_enabled? && !@redirect_url
         return render_create_error_missing_confirm_success_url
       end
 
@@ -54,13 +54,7 @@ module DeviseTokenAuth
 
           else
             # email auth has been bypassed, authenticate user
-            @client_id = SecureRandom.urlsafe_base64(nil, false)
-            @token     = SecureRandom.urlsafe_base64(nil, false)
-
-            @resource.tokens[@client_id] = {
-              token: BCrypt::Password.create(@token),
-              expiry: (Time.now + @resource.token_lifespan).to_i
-            }
+            @client_id, @token = @resource.create_token
 
             @resource.save!
 
@@ -102,7 +96,7 @@ module DeviseTokenAuth
     end
 
     def sign_up_params
-      params.permit(*params_for_resource(:sign_up))
+      params.permit([*params_for_resource(:sign_up), :confirm_success_url])
     end
 
     def account_update_params
@@ -112,19 +106,21 @@ module DeviseTokenAuth
     protected
 
     def render_create_error_missing_confirm_success_url
-      render json: {
+      response = {
         status: 'error',
-        data:   resource_data,
-        errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
-      }, status: 422
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
     end
 
     def render_create_error_redirect_url_not_allowed
-      render json: {
+      response = {
         status: 'error',
-        data:   resource_data,
-        errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @redirect_url)]
-      }, status: 422
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
     end
 
     def render_create_success
@@ -143,11 +139,12 @@ module DeviseTokenAuth
     end
 
     def render_create_error_email_already_exists
-      render json: {
+      response = {
         status: 'error',
-        data:   resource_data,
-        errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)]
-      }, status: 422
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
+      render_error(422, message, response)
     end
 
     def render_update_success
@@ -165,53 +162,44 @@ module DeviseTokenAuth
     end
 
     def render_update_error_user_not_found
-      render json: {
-        status: 'error',
-        errors: [I18n.t("devise_token_auth.registrations.user_not_found")]
-      }, status: 404
+      render_error(404, I18n.t('devise_token_auth.registrations.user_not_found'), { status: 'error' })
     end
 
     def render_destroy_success
       render json: {
         status: 'success',
-        message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid)
+        message: I18n.t('devise_token_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
       }
     end
 
     def render_destroy_error
-      render json: {
-        status: 'error',
-        errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")]
-      }, status: 404
+      render_error(404, I18n.t('devise_token_auth.registrations.account_to_destroy_not_found'), { status: 'error' })
     end
 
     private
 
     def resource_update_method
       if DeviseTokenAuth.check_current_password_before_update == :attributes
-        "update_with_password"
+        'update_with_password'
       elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.has_key?(:password)
-        "update_with_password"
+        'update_with_password'
       elsif account_update_params.has_key?(:current_password)
-        "update_with_password"
+        'update_with_password'
       else
-        "update_attributes"
+        'update_attributes'
       end
     end
 
     def validate_sign_up_params
-      validate_post_data sign_up_params, I18n.t("errors.messages.validate_sign_up_params")
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
     end
 
     def validate_account_update_params
-      validate_post_data account_update_params, I18n.t("errors.messages.validate_account_update_params")
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
     end
 
     def validate_post_data which, message
-      render json: {
-         status: 'error',
-         errors: [message]
-      }, status: :unprocessable_entity if which.empty?
+      render_error(:unprocessable_entity, message, { status: 'error' }) if which.empty?
     end
   end
 end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -22,17 +22,9 @@ module DeviseTokenAuth
       if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
         valid_password = @resource.valid_password?(resource_params[:password])
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
-          render_create_error_bad_credentials
-          return
+         return render_create_error_bad_credentials
         end
-        # create client id
-        @client_id = SecureRandom.urlsafe_base64(nil, false)
-        @token     = SecureRandom.urlsafe_base64(nil, false)
-
-        @resource.tokens[@client_id] = {
-          token: BCrypt::Password.create(@token),
-          expiry: (Time.now + @resource.token_lifespan).to_i
-        }
+        @client_id, @token = @resource.create_token
         @resource.save
 
         sign_in(:user, @resource, store: false, bypass: false)
@@ -41,7 +33,11 @@ module DeviseTokenAuth
 
         render_create_success
       elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
-        render_create_error_not_confirmed
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
       else
         render_create_error_bad_credentials
       end
@@ -96,9 +92,7 @@ module DeviseTokenAuth
     end
 
     def render_new_error
-      render json: {
-        errors: [ I18n.t("devise_token_auth.sessions.not_supported")]
-      }, status: 405
+      render_error(405, I18n.t("devise_token_auth.sessions.not_supported"))
     end
 
     def render_create_success
@@ -108,16 +102,15 @@ module DeviseTokenAuth
     end
 
     def render_create_error_not_confirmed
-      render json: {
-        success: false,
-        errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email))
+    end
+
+    def render_create_error_account_locked
+      render_error(401, I18n.t("devise.mailer.unlock_instructions.account_lock_msg"))
     end
 
     def render_create_error_bad_credentials
-      render json: {
-        errors: [I18n.t("devise_token_auth.sessions.bad_credentials")]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.sessions.bad_credentials"))
     end
 
     def render_destroy_success
@@ -127,9 +120,7 @@ module DeviseTokenAuth
     end
 
     def render_destroy_error
-      render json: {
-        errors: [I18n.t("devise_token_auth.sessions.user_not_found")]
-      }, status: 404
+      render_error(404, I18n.t("devise_token_auth.sessions.user_not_found"))
     end
 
     private

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -4,7 +4,7 @@ module DeviseTokenAuth
     before_action :set_user_by_token, :only => [:validate_token]
 
     def validate_token
-      # @resource will have been set by set_user_token concern
+      # @resource will have been set by set_user_by_token concern
       if @resource
         yield @resource if block_given?
         render_validate_token_success
@@ -23,10 +23,7 @@ module DeviseTokenAuth
     end
 
     def render_validate_token_error
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.token_validations.invalid")]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.token_validations.invalid"))
     end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -12,9 +12,6 @@ module DeviseTokenAuth
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:email, @email)
 
-      @errors = nil
-      @error_status = 400
-
       if @resource
         yield @resource if block_given?
 
@@ -27,15 +24,10 @@ module DeviseTokenAuth
         if @resource.errors.empty?
           return render_create_success
         else
-          @errors = @resource.errors
+          render_create_error @resource.errors
         end
       else
-        @errors = [I18n.t("devise_token_auth.unlocks.user_not_found", email: @email)]
-        @error_status = 404
-      end
-
-      if @errors
-        return render_create_error
+        render_not_found_error
       end
     end
 
@@ -43,16 +35,7 @@ module DeviseTokenAuth
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
       if @resource && @resource.id
-        client_id  = SecureRandom.urlsafe_base64(nil, false)
-        token      = SecureRandom.urlsafe_base64(nil, false)
-        token_hash = BCrypt::Password.create(token)
-        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
-
-        @resource.tokens[client_id] = {
-          token:  token_hash,
-          expiry: expiry
-        }
-
+        client_id, token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
 
@@ -74,10 +57,7 @@ module DeviseTokenAuth
     end
 
     def render_create_error_missing_email
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.unlocks.missing_email")]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.unlocks.missing_email"))
     end
 
     def render_create_success
@@ -87,17 +67,21 @@ module DeviseTokenAuth
       }
     end
 
-    def render_create_error
+    def render_create_error(errors)
       render json: {
         success: false,
-        errors: @errors,
-      }, status: @error_status
+        errors: errors,
+      }, status: 400
     end
 
     def render_show_error
       raise ActionController::RoutingError.new('Not Found')
     end
 
+    def render_not_found_error
+      render_error(404, I18n.t("devise_token_auth.unlocks.user_not_found", email: @email))
+    end
+
     def resource_params
       params.permit(:email, :unlock_token, :config)
     end

data/app/models/devise_token_auth/concerns/user.rb

@@ -42,17 +42,9 @@ module DeviseTokenAuth::Concerns::User
     before_save :remove_tokens_after_password_reset
 
     # don't use default devise email validation
-    def email_required?
-      false
-    end
-
-    def email_changed?
-      false
-    end
-
-    def will_save_change_to_email?
-      false
-    end
+    def email_required?; false; end
+    def email_changed?; false; end
+    def will_save_change_to_email?; false; end
 
     def password_required?
       return false unless provider == 'email'
@@ -60,46 +52,34 @@ module DeviseTokenAuth::Concerns::User
     end
 
     # override devise method to include additional info as opts hash
-    def send_confirmation_instructions(opts=nil)
-      unless @raw_confirmation_token
-        generate_confirmation_token!
-      end
-
-      opts ||= {}
+    def send_confirmation_instructions(opts={})
+      generate_confirmation_token! unless @raw_confirmation_token
 
       # fall back to "default" config name
       opts[:client_config] ||= "default"
-
-      if pending_reconfirmation?
-        opts[:to] = unconfirmed_email
-      end
+      opts[:to] = unconfirmed_email if pending_reconfirmation?
       opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url
 
       send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
     end
 
     # override devise method to include additional info as opts hash
-    def send_reset_password_instructions(opts=nil)
+    def send_reset_password_instructions(opts={})
       token = set_reset_password_token
 
-      opts ||= {}
-
       # fall back to "default" config name
       opts[:client_config] ||= "default"
 
       send_devise_notification(:reset_password_instructions, token, opts)
-
       token
     end
 
     # override devise method to include additional info as opts hash
-    def send_unlock_instructions(opts=nil)
+    def send_unlock_instructions(opts={})
       raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
       self.unlock_token = enc
       save(validate: false)
 
-      opts ||= {}
-
       # fall back to "default" config name
       opts[:client_config] ||= "default"
 
@@ -108,10 +88,22 @@ module DeviseTokenAuth::Concerns::User
     end
   end
 
+  def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
+    client_id ||= SecureRandom.urlsafe_base64(nil, false)
+    token     ||= SecureRandom.urlsafe_base64(nil, false)
+    expiry    ||= (Time.now + token_lifespan).to_i
+
+    self.tokens[client_id] = {
+      token: BCrypt::Password.create(token),
+      expiry: expiry
+    }.merge!(token_extras)
+
+    [client_id, token, expiry]
+  end
+
   module ClassMethods
     protected
 
-
     def tokens_has_json_column_type?
       database_exists? && table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb])
     end
@@ -123,10 +115,7 @@ module DeviseTokenAuth::Concerns::User
 
 
   def valid_token?(token, client_id='default')
-    client_id ||= 'default'
-
-    return false unless self.tokens[client_id]
-
+    return false unless tokens[client_id]
     return true if token_is_current?(token, client_id)
     return true if token_can_be_reused?(token, client_id)
 
@@ -137,15 +126,13 @@ module DeviseTokenAuth::Concerns::User
 
   # this must be done from the controller so that additional params
   # can be passed on from the client
-  def send_confirmation_notification?
-    false
-  end
+  def send_confirmation_notification?; false; end
 
 
   def token_is_current?(token, client_id)
     # ghetto HashWithIndifferentAccess
-    expiry     = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]
-    token_hash = self.tokens[client_id]['token'] || self.tokens[client_id][:token]
+    expiry     = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
+    token_hash = tokens[client_id]['token'] || tokens[client_id][:token]
 
     return true if (
       # ensure that expiry and token are set
@@ -163,9 +150,8 @@ module DeviseTokenAuth::Concerns::User
   # allow batch requests to use the previous token
   def token_can_be_reused?(token, client_id)
     # ghetto HashWithIndifferentAccess
-    updated_at = self.tokens[client_id]['updated_at'] || self.tokens[client_id][:updated_at]
-    last_token = self.tokens[client_id]['last_token'] || self.tokens[client_id][:last_token]
-
+    updated_at = tokens[client_id]['updated_at'] || tokens[client_id][:updated_at]
+    last_token = tokens[client_id]['last_token'] || tokens[client_id][:last_token]
 
     return true if (
       # ensure that the last token and its creation time exist
@@ -182,55 +168,48 @@ module DeviseTokenAuth::Concerns::User
 
   # update user's auth token (should happen on each request)
   def create_new_auth_token(client_id=nil)
-    client_id  ||= SecureRandom.urlsafe_base64(nil, false)
-    last_token ||= nil
-    token        = SecureRandom.urlsafe_base64(nil, false)
-    token_hash   = ::BCrypt::Password.create(token)
-    expiry       = (Time.now + token_lifespan).to_i
-
-    if self.tokens[client_id] && self.tokens[client_id]['token']
-      last_token = self.tokens[client_id]['token']
-    end
+    now = Time.now
 
-    self.tokens[client_id] = {
-      token:      token_hash,
-      expiry:     expiry,
-      last_token: last_token,
-      updated_at: Time.now
-    }
+    client_id, token = create_token(
+      client_id: client_id,
+      expiry: (now + token_lifespan).to_i,
+      last_token: tokens.fetch(client_id, {})['token'],
+      updated_at: now
+    )
 
-    return build_auth_header(token, client_id)
+    update_auth_header(token, client_id)
   end
 
-
   def build_auth_header(token, client_id='default')
-    client_id ||= 'default'
-
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
-    expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]
+    expiry = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
 
-    max_clients = DeviseTokenAuth.max_number_of_devices
-    while self.tokens.keys.length > 0 && max_clients < self.tokens.keys.length
-      oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] }
-      self.tokens.delete(oldest_token.first)
-    end
-
-    self.save!
-
-    return {
+    {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => "Bearer",
       DeviseTokenAuth.headers_names[:"client"]       => client_id,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
-      DeviseTokenAuth.headers_names[:"uid"]          => self.uid
+      DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
   end
 
+  def update_auth_header(token, client_id='default')
+    headers = build_auth_header(token, client_id)
+    while tokens.length > 0 && DeviseTokenAuth.max_number_of_devices < tokens.length
+      oldest_client_id, _tk = tokens.min_by { |_cid, v| v[:expiry] || v["expiry"] }
+      tokens.delete(oldest_client_id)
+    end
+
+    save!
+
+    headers
+  end
+
 
   def build_auth_url(base_url, args)
-    args[:uid]    = self.uid
-    args[:expiry] = self.tokens[args[:client_id]]['expiry']
+    args[:uid]    = uid
+    args[:expiry] = tokens[args[:client_id]]['expiry']
 
     DeviseTokenAuth::Url.generate(base_url, args)
   end
@@ -238,18 +217,15 @@ module DeviseTokenAuth::Concerns::User
 
   def extend_batch_buffer(token, client_id)
     self.tokens[client_id]['updated_at'] = Time.now
-
-    return build_auth_header(token, client_id)
+    update_auth_header(token, client_id)
   end
 
   def confirmed?
-    self.devise_modules.exclude?(:confirmable) || super
+    devise_modules.exclude?(:confirmable) || super
   end
 
   def token_validation_response
-    self.as_json(except: [
-      :tokens, :created_at, :updated_at
-    ])
+    as_json(except: [:tokens, :created_at, :updated_at])
   end
 
   def token_lifespan
@@ -263,8 +239,8 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def destroy_expired_tokens
-    if self.tokens
-      self.tokens.delete_if do |cid, v|
+    if tokens
+      tokens.delete_if do |cid, v|
         expiry = v[:expiry] || v["expiry"]
         DateTime.strptime(expiry.to_s, '%s') < Time.now
       end
@@ -272,13 +248,12 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def remove_tokens_after_password_reset
-    there_is_more_than_one_token = self.tokens && self.tokens.keys.length > 1
     should_remove_old_tokens = DeviseTokenAuth.remove_tokens_after_password_reset &&
-                               encrypted_password_changed? && there_is_more_than_one_token
+                               encrypted_password_changed? && tokens && tokens.many?
 
     if should_remove_old_tokens
-      latest_token = self.tokens.max_by { |cid, v| v[:expiry] || v["expiry"] }
-      self.tokens = { latest_token.first => latest_token.last }
+      client_id, token_data = tokens.max_by { |cid, v| v[:expiry] || v["expiry"] }
+      self.tokens = {client_id => token_data}
     end
   end