devise_token_auth 0.1.43 → 1.2.0

data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+class <%= user_class %>
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+
+  ## Lockable
+  # field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  # field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  # field :locked_at,       type: Time
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  include DeviseTokenAuth::Concerns::User
+
+  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
+  index({ reset_password_token: 1 }, { name: 'reset_password_token_index', unique: true, sparse: true, background: true })
+  index({ confirmation_token: 1 }, { name: 'confirmation_token_index', unique: true, sparse: true, background: true })
+  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
+  # index({ unlock_token: 1 }, { name: 'unlock_token_index', unique: true, sparse: true, background: true })
+end

data/lib/tasks/devise_token_auth_tasks.rake

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # desc "Explaining what the task does"
 # task :devise_token_auth do
 #   # Task goes here

data/test/controllers/custom/custom_confirmations_controller_test.rb

@@ -1,10 +1,14 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::ConfirmationsControllerTest < ActionController::TestCase
   describe Custom::ConfirmationsController do
+    include CustomControllersRoutes
+
     before do
       @redirect_url = Faker::Internet.url
-      @new_user = users(:unconfirmed_email_user)
+      @new_user = create(:user)
       @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
       @mail          = ActionMailer::Base.deliveries.last
       @token         = @mail.body.match(/confirmation_token=([^&]*)&/)[1]

data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
   describe Custom::OmniauthCallbacksController do
+    include CustomControllersRoutes
+
     setup do
       OmniAuth.config.test_mode = true
       OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(

data/test/controllers/custom/custom_passwords_controller_test.rb

@@ -1,9 +1,13 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::PasswordsControllerTest < ActionController::TestCase
   describe Custom::PasswordsController do
+    include CustomControllersRoutes
+
     before do
-      @resource = users(:confirmed_email_user)
+      @resource = create(:user, :confirmed)
       @redirect_url = 'http://ng-token-auth.dev'
     end
 
@@ -24,7 +28,7 @@ class Custom::PasswordsControllerTest < ActionController::TestCase
     end
 
     test 'yield resource to block on edit success' do
-      @resource = users(:unconfirmed_email_user)
+      @resource = create(:user)
       @redirect_url = 'http://ng-token-auth.dev'
 
       post :create,

data/test/controllers/custom/custom_registrations_controller_test.rb

@@ -1,17 +1,17 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe Custom::RegistrationsController do
-    setup do
-      @create_params = {
-        email: Faker::Internet.email,
-        password: 'secret123',
-        password_confirmation: 'secret123',
+    include CustomControllersRoutes
+
+    before do
+      @create_params = attributes_for(:user,
         confirm_success_url: Faker::Internet.url,
-        unpermitted_param: '(x_x)'
-      }
+        unpermitted_param: '(x_x)')
 
-      @existing_user = nice_users(:confirmed_email_user)
+      @existing_user = create(:user, :confirmed)
       @auth_headers  = @existing_user.create_new_auth_token
       @client_id     = @auth_headers['client']
 
@@ -50,5 +50,14 @@ class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest
       assert @controller.destroy_block_called?,
              'destroy failed to yield resource to provided block'
     end
+
+    describe 'when overriding #build_resource' do
+      test 'it fails' do
+        Custom::RegistrationsController.any_instance.stubs(:build_resource).returns(nil)
+        assert_raises DeviseTokenAuth::Errors::NoResourceDefinedError do
+          post '/nice_user_auth', params: @create_params
+        end
+      end
+    end
   end
 end

data/test/controllers/custom/custom_sessions_controller_test.rb

@@ -1,18 +1,20 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::SessionsControllerTest < ActionController::TestCase
   describe Custom::SessionsController do
+    include CustomControllersRoutes
+
     before do
-      @existing_user = users(:confirmed_email_user)
-      @existing_user.skip_confirmation!
-      @existing_user.save!
+      @existing_user = create(:user, :confirmed)
     end
 
     test 'yield resource to block on create success' do
       post :create,
            params: {
              email: @existing_user.email,
-             password: 'secret123'
+             password: @existing_user.password
            }
       assert @controller.create_block_called?,
              'create failed to yield resource to provided block'
@@ -29,7 +31,7 @@ class Custom::SessionsControllerTest < ActionController::TestCase
     test 'render method override' do
       post :create,
            params: { email: @existing_user.email,
-                     password: 'secret123' }
+                     password: @existing_user.password }
       @data = JSON.parse(response.body)
       assert_equal @data['custom'], 'foo'
     end

data/test/controllers/custom/custom_token_validations_controller_test.rb

@@ -1,11 +1,13 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class Custom::TokenValidationsControllerTest < ActionDispatch::IntegrationTest
   describe Custom::TokenValidationsController do
+    include CustomControllersRoutes
+
     before do
-      @resource = nice_users(:confirmed_email_user)
-      @resource.skip_confirmation!
-      @resource.save!
+      @resource = create(:user, :confirmed)
 
       @auth_headers = @resource.create_new_auth_token
 

data/test/controllers/demo_group_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -11,9 +13,7 @@ class DemoGroupControllerTest < ActionDispatch::IntegrationTest
     describe 'Token access' do
       before do
         # user
-        @resource = users(:confirmed_email_user)
-        @resource.skip_confirmation!
-        @resource.save!
+        @resource = create(:user, :confirmed)
 
         @resource_auth_headers = @resource.create_new_auth_token
 
@@ -22,9 +22,7 @@ class DemoGroupControllerTest < ActionDispatch::IntegrationTest
         @resource_expiry    = @resource_auth_headers['expiry']
 
         # mang
-        @mang = mangs(:confirmed_email_user)
-        @mang.skip_confirmation!
-        @mang.save!
+        @mang = create(:mang_user, :confirmed)
 
         @mang_auth_headers = @mang.create_new_auth_token
 

data/test/controllers/demo_mang_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -10,9 +12,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
   describe DemoMangController do
     describe 'Token access' do
       before do
-        @resource = mangs(:confirmed_email_user)
-        @resource.skip_confirmation!
-        @resource.save!
+        @resource = create(:mang_user, :confirmed)
 
         @auth_headers = @resource.create_new_auth_token
 

data/test/controllers/demo_user_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -11,9 +13,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
   describe DemoUserController do
     describe 'Token access' do
       before do
-        @resource = users(:confirmed_email_user)
-        @resource.skip_confirmation!
-        @resource.save!
+        @resource = create(:user, :confirmed)
 
         @auth_headers = @resource.create_new_auth_token
 
@@ -321,8 +321,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           assert @resource.tokens.count > 1
 
           # password changed from new device
-          @resource.update_attributes(password: 'newsecret123',
-                                      password_confirmation: 'newsecret123')
+          @resource.update(password: 'newsecret123',
+                           password_confirmation: 'newsecret123')
 
           get '/demo/members_only',
               params: {},
@@ -407,12 +407,55 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           DeviseTokenAuth.headers_names[:'access-token'] = 'access-token'
         end
       end
+
+      describe 'maximum concurrent devices per user' do
+        before do
+          # Set the max_number_of_devices to a lower number
+          #  to expedite tests! (Default is 10)
+          DeviseTokenAuth.max_number_of_devices = 5
+        end
+
+        it 'should limit the maximum number of concurrent devices' do
+          # increment the number of devices until the maximum is exceeded
+          1.upto(DeviseTokenAuth.max_number_of_devices + 1).each do |n|
+
+            assert_equal(
+              [n, DeviseTokenAuth.max_number_of_devices].min,
+              @resource.reload.tokens.length
+            )
+
+            # Add a new device (and token) ahead of the next iteration
+            @resource.create_new_auth_token
+
+          end
+        end
+
+        it 'should drop the oldest token when the maximum number of devices is exceeded' do
+          # create the maximum number of tokens
+          1.upto(DeviseTokenAuth.max_number_of_devices).each do
+            @resource.create_new_auth_token
+          end
+
+          # get the oldest token client_id
+          oldest_client_id, = @resource.reload.tokens.min_by do |cid, v|
+            v[:expiry] || v['expiry']
+          end # => [ 'CLIENT_ID', {token: ...} ]
+
+          # create another token, thereby dropping the oldest token
+          @resource.create_new_auth_token
+
+          assert_not_includes @resource.reload.tokens.keys, oldest_client_id
+        end
+
+        after do
+          DeviseTokenAuth.max_number_of_devices = 10
+        end
+      end
     end
 
     describe 'bypass_sign_in' do
       before do
-        @resource = users(:unconfirmed_email_user)
-        @resource.save!
+        @resource = create(:user)
 
         @auth_headers = @resource.create_new_auth_token
 
@@ -467,16 +510,14 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
 
     describe 'enable_standard_devise_support' do
       before do
-        @resource = users(:confirmed_email_user)
+        @resource = create(:user, :confirmed)
         @auth_headers = @resource.create_new_auth_token
         DeviseTokenAuth.enable_standard_devise_support = true
       end
 
       describe 'Existing Warden authentication' do
         before do
-          @resource = users(:second_confirmed_email_user)
-          @resource.skip_confirmation!
-          @resource.save!
+          @resource = create(:user, :confirmed)
           login_as(@resource, scope: :user)
 
           # no auth headers sent, testing that warden authenticates correctly.
@@ -503,17 +544,6 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             refute_equal @resource, @controller.current_mang
           end
 
-          it 'should increase the number of tokens by a factor of 2 up to 11' do
-            @first_token = @resource.tokens.keys.first
-
-            DeviseTokenAuth.max_number_of_devices = 11
-            (1..10).each do |n|
-              assert_equal [11, 2 * n].min, @resource.reload.tokens.keys.length
-              get '/demo/members_only', params: {}, headers: nil
-            end
-
-            assert_not_includes @resource.reload.tokens.keys, @first_token
-          end
         end
 
         it 'should return success status' do
@@ -539,9 +569,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
 
       describe 'existing Warden authentication with ignored token data' do
         before do
-          @resource = users(:second_confirmed_email_user)
-          @resource.skip_confirmation!
-          @resource.save!
+          @resource = create(:user, :confirmed)
           login_as(@resource, scope: :user)
 
           get '/demo/members_only',

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 #  was the web request successful?
@@ -17,10 +19,11 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
     describe 'Confirmation' do
       before do
         @redirect_url = Faker::Internet.url
-        @new_user = users(:unconfirmed_email_user)
+        @new_user = create(:user)
         @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
         mail = ActionMailer::Base.deliveries.last
         @token, @client_config = token_and_client_config_from(mail.body)
+        @token_params = %w[access-token client client_id config expiry token uid]
       end
 
       test 'should generate raw token' do
@@ -36,35 +39,154 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
       end
 
       describe 'success' do
-        before do
-          get :show,
-              params: { confirmation_token: @token,
-                        redirect_url: @redirect_url },
-              xhr: true
-          @resource = assigns(:resource)
-        end
+        describe 'when authenticated' do
+          before do
+            sign_in(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
 
-        test 'user should now be confirmed' do
-          assert @resource.confirmed?
-        end
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
 
-        test 'should redirect to success url' do
-          assert_redirected_to(/^#{@redirect_url}/)
-        end
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
 
-        test 'the sign_in_count should be 1' do
-          assert @resource.sign_in_count == 1
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
+
+          test 'redirect url includes token params' do
+            assert @token_params.all? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
-        test 'User shoud have the signed in info filled' do
-          assert @resource.current_sign_in_at?
+
+        describe 'when unauthenticated' do
+          before do
+            sign_out(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
+
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
+
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
+
+          test 'redirect url does not include token params' do
+            refute @token_params.any? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
-        test 'User shoud have the Last checkin filled' do
-          assert @resource.last_sign_in_at?
+
+        describe 'resend confirmation' do
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
+          end
         end
-        
-        test 'user already confirmed' do
-          assert @resource.sign_in_count > 0 do
-            assert expiry == (Time.now + Time.now + 1.second).to_i
+
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
+          end
+
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should contain errors' do
+              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            end
           end
         end
       end
@@ -77,6 +199,18 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end
+
+        test 'request resend confirmation without email' do
+          post :create, params: { email: nil }, xhr: true
+
+          assert_equal 401, response.status
+        end
+
+        test 'user should not be found on resend confirmation request' do
+          post :create, params: { email: 'bogus' }, xhr: true
+
+          assert_equal 404, response.status
+        end
       end
     end
 
@@ -92,7 +226,7 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
 
       before do
         @config_name = 'altUser'
-        @new_user    = mangs(:unconfirmed_email_user)
+        @new_user    = create(:mang_user)
 
         @new_user.send_confirmation_instructions(client_config: @config_name)