devise_token_auth 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 916c84285bb6b805d3a70a5adc8e86d83efb348e
-  data.tar.gz: 38deed793c1466de04cd75ab4861627a5eb18447
+SHA256:
+  metadata.gz: 5baf8b0a539be2dcf9b1add5ee2dfaac82753127a6180500c653e7d710c04da3
+  data.tar.gz: 794584507c533b59b88c724c810f7099d06221ff35faab7ee558f92d6849688e
 SHA512:
-  metadata.gz: 4b631710faf5afc08a2f0f0fc89a96e63c7fe07d0c7a985a19d3b5c0a18801401afe67525aa6e0a078195ca4d24c58b6a6651da667c2a7a7f40723d4974dc850
-  data.tar.gz: 8707ad62656749fc88de275533456b93c17545f854e40f03920365c2ba9a11c170af44787118c4d8bc59ef593c5535ce8e09c512338c0de8af860c7e2500746f
+  metadata.gz: 58f70c5a715ef337e2d949261f0c774f020831f9755d12fc37b04ca4cba2e416080658946bdb95f5fc1625a3a53c3836202b9e9842dbf420363959be163786cc
+  data.tar.gz: 8991c6cea21651fff0c98561ac6004bd4a75e04e78ad1af749c04e71fcb9caf8ebb19255ecb78ae91e610b6db05d878d9cf41492560941ea131bcefb7ea0bc0b

data/README.md

@@ -19,7 +19,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
 
 * Seamless integration with:
   * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
-  * [Angular2-Token](https://github.com/neroniaky/angular2-token) for [Angular2](https://github.com/angular/angular)
+  * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
@@ -69,7 +69,7 @@ See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_toke
 
 [Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).
 
-[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular).
+[Here is a demo](https://stackblitz.com/github/neroniaky/angular-token) of this app running with the [Angular-Token](https://github.com/neroniaky/angular-token) service and [Angular](https://github.com/angular/angular).
 
 [Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/).
 

data/app/controllers/devise_token_auth/application_controller.rb

@@ -3,7 +3,6 @@
 module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
-    include DeviseTokenAuth::Concerns::ResourceFinder
 
     def resource_data(opts = {})
       response_data = opts[:resource_json] || @resource.as_json

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,21 +20,20 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    # fix for mysql default case insensitivity
-    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
-    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-      q = 'BINARY ' + q
-    end
-
-    @resource = resource_class.where(q, value).first
+    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+                  # fix for mysql default case insensitivity
+                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
   end
 
   def resource_class(m = nil)
-    if m
-      mapping = Devise.mappings[m]
-    else
-      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
-    end
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
 
     mapping.to
   end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -23,18 +23,6 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @is_batch_request ||= nil
   end
 
-  def ensure_pristine_resource
-    if @resource.changed?
-      # Stash pending changes in the resource before reloading.
-      changes = @resource.changes
-      @resource.reload
-    end
-    yield
-  ensure
-    # Reapply pending changes
-    @resource.assign_attributes(changes) if changes
-  end
-
   # user auth
   def set_user_by_token(mapping = nil)
     # determine target authentication class
@@ -80,14 +68,15 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     return false unless @token
 
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.find_by(uid: uid)
+    user = uid && rc.dta_find_by(uid: uid)
+    scope = rc.to_s.underscore.to_sym
 
     if user && user.valid_token?(@token, @client_id)
       # sign_in with bypass: true will be deprecated in the next version of Devise
       if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
-        bypass_sign_in(user, scope: :user)
+        bypass_sign_in(user, scope: scope)
       else
-        sign_in(:user, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
       end
       return @resource = user
     else
@@ -130,25 +119,23 @@ module DeviseTokenAuth::Concerns::SetUserByToken
   private
 
   def refresh_headers
-    ensure_pristine_resource do
-      # Lock the user record during any auth_header updates to ensure
-      # we don't have write contention from multiple threads
-      @resource.with_lock do
-        # should not append auth header if @resource related token was
-        # cleared by sign out in the meantime
-        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
-
-        # update the response header
-        response.headers.merge!(auth_header_from_batch_request)
-      end # end lock
-    end # end ensure_pristine_resource
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @used_auth_by_token && @resource.tokens[@client_id].nil?
+
+      # update the response header
+      response.headers.merge!(auth_header_from_batch_request)
+    end # end lock
   end
 
   def is_batch_request?(user, client_id)
     !params[:unbatch] &&
       user.tokens[client_id] &&
       user.tokens[client_id]['updated_at'] &&
-      Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+      user.tokens[client_id]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
   end
 
   def auth_header_from_batch_request

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -5,32 +5,27 @@ module DeviseTokenAuth
     def show
       @resource = resource_class.confirm_by_token(params[:confirmation_token])
 
-      if @resource && @resource.id
-        expiry = nil
-        if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
-          expiry = (Time.zone.now + 1.second).to_i
-        end
-
-        client_id, token = @resource.create_token expiry: expiry
-
-        sign_in(@resource)
-        @resource.save!
-
+      if @resource.errors.empty?
         yield @resource if block_given?
 
         redirect_header_options = { account_confirmation_success: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
 
-        # give redirect value from params priority
-        @redirect_url = params[:redirect_url]
+        # give redirect value from params priority or fall back to default value if provided
+        redirect_url = params[:redirect_url] || DeviseTokenAuth.default_confirm_success_url
+
+        if signed_in?(resource_name)
+          client_id, token = signed_in_resource.create_token
 
-        # fall back to default value if provided
-        @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
+          redirect_headers = build_redirect_headers(token,
+                                                    client_id,
+                                                    redirect_header_options)
 
+          redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
+       end
 
-        redirect_to(@resource.build_auth_url(@redirect_url, redirect_headers))
+        redirect_to(redirect_to_link)
       else
         raise ActionController::RoutingError, 'Not Found'
       end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -12,11 +12,8 @@ module DeviseTokenAuth
 
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
-      devise_mapping = [request.env['omniauth.params']['namespace_name'],
-                        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
-      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
-      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
-      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+      devise_mapping = get_devise_mapping
+      redirect_route = get_redirect_route(devise_mapping)
 
       # preserve omniauth info for success route. ignore 'extra' in twitter
       # auth response to avoid CookieOverflow.
@@ -26,6 +23,34 @@ module DeviseTokenAuth
       redirect_to redirect_route
     end
 
+    def get_redirect_route(devise_mapping)
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+    end
+
+    def get_devise_mapping
+       # derive target redirect route from 'resource_class' param, which was set
+       # before authentication.
+       devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+    rescue NoMethodError => err
+      default_devise_mapping
+    end
+
+    # This method will only be called if `get_devise_mapping` cannot
+    # find the mapping in `omniauth.params`.
+    #
+    # One example use-case here is for IDP-initiated SAML login.  In that
+    # case, there will have been no initial request in which to save 
+    # the devise mapping.  If you are in a situation like that, and
+    # your app allows for you to determine somehow what the devise
+    # mapping should be (because, for example, it is always the same),
+    # then you can handle it by overriding this method.
+    def default_devise_mapping
+      raise NotImplementedError.new('no default_devise_mapping set')
+    end
+
     def omniauth_success
       get_resource_from_auth_hash
       set_token_on_resource
@@ -37,7 +62,7 @@ module DeviseTokenAuth
       end
 
       sign_in(:user, @resource, store: false, bypass: false)
-
+      
       @resource.save!
 
       yield @resource if block_given?
@@ -79,7 +104,7 @@ module DeviseTokenAuth
 
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
-      attrs = auth_hash['info'].slice(*user.attributes.keys)
+      attrs = auth_hash['info'].slice(*user.attribute_names)
       user.assign_attributes(attrs)
     end
 
@@ -136,16 +161,6 @@ module DeviseTokenAuth
       true
     end
 
-    # necessary for access to devise_parameter_sanitizers
-    def devise_mapping
-      if omniauth_params
-        Devise.mappings[[omniauth_params['namespace_name'],
-                         omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
-      else
-        request.env['devise.mapping']
-      end
-    end
-
     def set_random_password
       # set crazy password for new oauth users. this is only used to prevent
       # access via email sign-in.
@@ -214,6 +229,15 @@ module DeviseTokenAuth
             </html>)
     end
 
+    def handle_new_resource
+      @oauth_registration = true
+      set_random_password
+    end
+
+    def assign_whitelisted_params?
+      true
+    end
+
     def get_resource_from_auth_hash
       # find or create user by provider and provider uid
       @resource = resource_class.where(
@@ -222,16 +246,17 @@ module DeviseTokenAuth
       ).first_or_initialize
 
       if @resource.new_record?
-        @oauth_registration = true
-        set_random_password
+        handle_new_resource
       end
 
       # sync user info with provider, update/generate auth token
       assign_provider_attrs(@resource, auth_hash)
 
       # assign any additional (whitelisted) attributes
-      extra_params = whitelisted_params
-      @resource.assign_attributes(extra_params) if extra_params
+      if assign_whitelisted_params?
+        extra_params = whitelisted_params
+        @resource.assign_attributes(extra_params) if extra_params
+      end
 
       @resource
     end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -3,6 +3,7 @@
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
     before_action :set_user_by_token, only: [:update]
+    before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
 
     # this action is responsible for generating password reset tokens and
@@ -10,15 +11,6 @@ module DeviseTokenAuth
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
-      # give redirect value from params priority
-      @redirect_url = params.fetch(
-        :redirect_url,
-        DeviseTokenAuth.default_password_reset_url
-      )
-
-      return render_create_error_missing_redirect_url unless @redirect_url
-      return render_create_error_not_allowed_redirect_url if blacklisted_redirect_url?
-
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:uid, @email)
 
@@ -44,7 +36,7 @@ module DeviseTokenAuth
     # this is where users arrive after visiting the password reset confirmation link
     def edit
       # if a user is not found, return nil
-      @resource = with_reset_password_token(resource_params[:reset_password_token])
+      @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
       if @resource && @resource.reset_password_period_valid?
         client_id, token = @resource.create_token
@@ -63,7 +55,7 @@ module DeviseTokenAuth
         redirect_headers = build_redirect_headers(token,
                                                   client_id,
                                                   redirect_header_options)
-        redirect_to(@resource.build_auth_url(params[:redirect_url],
+        redirect_to(@resource.build_auth_url(@redirect_url,
                                              redirect_headers))
       else
         render_edit_error
@@ -114,7 +106,7 @@ module DeviseTokenAuth
       render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
     end
 
-    def render_create_error_not_allowed_redirect_url
+    def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
         data:   resource_data
@@ -178,15 +170,19 @@ module DeviseTokenAuth
       params.permit(*params_for_resource(:account_update))
     end
 
-    def with_reset_password_token token
-      recoverable = resource_class.with_reset_password_token(token)
-
-      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
-      recoverable
-    end
-
     def render_not_found_error
       render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
     end
+
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_password_reset_url
+      )
+
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
+    end
   end
 end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -30,40 +30,37 @@ module DeviseTokenAuth
       # if whitelist is set, validate redirect_url against whitelist
       return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
 
-      begin
-        # override email confirmation, must be sent manually from ctrl
-        resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
-        resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
-
-        if @resource.respond_to? :skip_confirmation_notification!
-          # Fix duplicate e-mails by disabling Devise confirmation e-mail
-          @resource.skip_confirmation_notification!
-        end
+      # override email confirmation, must be sent manually from ctrl
+      resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
 
-        if @resource.save
-          yield @resource if block_given?
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
 
-          if @resource.confirmed?
-            # email auth has been bypassed, authenticate user
-            @client_id, @token = @resource.create_token
-            @resource.save!
-            update_auth_header
-          else
-            # user will require email authentication
-            @resource.send_confirmation_instructions(
-              client_config: params[:config_name],
-              redirect_url: @redirect_url
-            )
-          end
-
-          render_create_success
-        else
-          clean_up_passwords @resource
-          render_create_error
+      if @resource.save
+        yield @resource if block_given?
+
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
+        end
+
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @client_id, @token = @resource.create_token
+          @resource.save!
+          update_auth_header
         end
-      rescue ActiveRecord::RecordNotUnique
+
+        render_create_success
+      else
         clean_up_passwords @resource
-        render_create_error_email_already_exists
+        render_create_error
       end
     end
 
@@ -145,15 +142,6 @@ module DeviseTokenAuth
       }, status: 422
     end
 
-    def render_create_error_email_already_exists
-      response = {
-        status: 'error',
-        data:   resource_data
-      }
-      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
-      render_error(422, message, response)
-    end
-
     def render_update_success
       render json: {
         status: 'success',
@@ -208,5 +196,9 @@ module DeviseTokenAuth
     def validate_post_data which, message
       render_error(:unprocessable_entity, message, status: 'error') if which.empty?
     end
+
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
   end
 end