devise_token_auth 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of devise_token_auth might be problematic. Click here for more details.
- checksums.yaml +5 -5
- data/README.md +2 -2
- data/app/controllers/devise_token_auth/application_controller.rb +0 -1
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +11 -12
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +15 -28
- data/app/controllers/devise_token_auth/confirmations_controller.rb +14 -19
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +46 -21
- data/app/controllers/devise_token_auth/passwords_controller.rb +15 -19
- data/app/controllers/devise_token_auth/registrations_controller.rb +31 -39
- data/app/controllers/devise_token_auth/unlocks_controller.rb +1 -1
- data/app/models/devise_token_auth/concerns/active_record_support.rb +34 -0
- data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
- data/app/models/devise_token_auth/concerns/user.rb +9 -23
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +2 -2
- data/app/validators/{email_validator.rb → devise_token_auth/email_validator.rb} +1 -1
- data/config/locales/he.yml +50 -0
- data/config/locales/ja.yml +1 -1
- data/lib/devise_token_auth.rb +5 -3
- data/lib/devise_token_auth/blacklist.rb +2 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +3 -87
- data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +0 -7
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
- data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +41 -20
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +2 -0
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +115 -94
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -4
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +0 -38
- data/test/controllers/devise_token_auth/token_validations_controller_test.rb +2 -1
- data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
- data/test/dummy/app/{models → active_record}/mang.rb +0 -0
- data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
- data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
- data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
- data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
- data/test/dummy/app/active_record/user.rb +6 -0
- data/test/dummy/app/controllers/overrides/sessions_controller.rb +1 -1
- data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
- data/test/dummy/app/mongoid/lockable_user.rb +38 -0
- data/test/dummy/app/mongoid/mang.rb +46 -0
- data/test/dummy/app/mongoid/only_email_user.rb +33 -0
- data/test/dummy/app/mongoid/scoped_user.rb +50 -0
- data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
- data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
- data/test/dummy/app/mongoid/user.rb +49 -0
- data/test/dummy/config/application.rb +23 -1
- data/test/dummy/config/boot.rb +4 -0
- data/test/dummy/config/initializers/devise.rb +12 -0
- data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
- data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
- data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
- data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
- data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
- data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
- data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
- data/test/dummy/db/schema.rb +1 -28
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +9 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +50 -0
- data/test/dummy/tmp/generators/config/routes.rb +4 -0
- data/test/dummy/tmp/generators/db/migrate/20190112150327_devise_token_auth_create_azpire_v1_human_resource_users.rb +56 -0
- data/test/lib/devise_token_auth/blacklist_test.rb +11 -0
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
- data/test/models/concerns/mongoid_support_test.rb +31 -0
- data/test/models/only_email_user_test.rb +0 -8
- data/test/models/user_test.rb +1 -1
- data/test/test_helper.rb +12 -2
- metadata +91 -27
- data/config/initializers/devise.rb +0 -198
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 5baf8b0a539be2dcf9b1add5ee2dfaac82753127a6180500c653e7d710c04da3
|
|
4
|
+
data.tar.gz: 794584507c533b59b88c724c810f7099d06221ff35faab7ee558f92d6849688e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 58f70c5a715ef337e2d949261f0c774f020831f9755d12fc37b04ca4cba2e416080658946bdb95f5fc1625a3a53c3836202b9e9842dbf420363959be163786cc
|
|
7
|
+
data.tar.gz: 8991c6cea21651fff0c98561ac6004bd4a75e04e78ad1af749c04e71fcb9caf8ebb19255ecb78ae91e610b6db05d878d9cf41492560941ea131bcefb7ea0bc0b
|
data/README.md
CHANGED
|
@@ -19,7 +19,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
|
|
|
19
19
|
|
|
20
20
|
* Seamless integration with:
|
|
21
21
|
* [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
|
|
22
|
-
* [
|
|
22
|
+
* [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
|
|
23
23
|
* [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
|
|
24
24
|
* [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
|
|
25
25
|
* Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
|
|
@@ -69,7 +69,7 @@ See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_toke
|
|
|
69
69
|
|
|
70
70
|
[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).
|
|
71
71
|
|
|
72
|
-
[Here is a demo](https://
|
|
72
|
+
[Here is a demo](https://stackblitz.com/github/neroniaky/angular-token) of this app running with the [Angular-Token](https://github.com/neroniaky/angular-token) service and [Angular](https://github.com/angular/angular).
|
|
73
73
|
|
|
74
74
|
[Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/).
|
|
75
75
|
|
|
@@ -3,7 +3,6 @@
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class ApplicationController < DeviseController
|
|
5
5
|
include DeviseTokenAuth::Concerns::SetUserByToken
|
|
6
|
-
include DeviseTokenAuth::Concerns::ResourceFinder
|
|
7
6
|
|
|
8
7
|
def resource_data(opts = {})
|
|
9
8
|
response_data = opts[:resource_json] || @resource.as_json
|
|
@@ -20,21 +20,20 @@ module DeviseTokenAuth::Concerns::ResourceFinder
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def find_resource(field, value)
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
@resource = resource_class.where(q, value).first
|
|
23
|
+
@resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
|
|
24
|
+
# fix for mysql default case insensitivity
|
|
25
|
+
resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
|
|
26
|
+
else
|
|
27
|
+
resource_class.dta_find_by(field => value, 'provider' => provider)
|
|
28
|
+
end
|
|
30
29
|
end
|
|
31
30
|
|
|
32
31
|
def resource_class(m = nil)
|
|
33
|
-
if m
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
32
|
+
mapping = if m
|
|
33
|
+
Devise.mappings[m]
|
|
34
|
+
else
|
|
35
|
+
Devise.mappings[resource_name] || Devise.mappings.values.first
|
|
36
|
+
end
|
|
38
37
|
|
|
39
38
|
mapping.to
|
|
40
39
|
end
|
|
@@ -23,18 +23,6 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
23
23
|
@is_batch_request ||= nil
|
|
24
24
|
end
|
|
25
25
|
|
|
26
|
-
def ensure_pristine_resource
|
|
27
|
-
if @resource.changed?
|
|
28
|
-
# Stash pending changes in the resource before reloading.
|
|
29
|
-
changes = @resource.changes
|
|
30
|
-
@resource.reload
|
|
31
|
-
end
|
|
32
|
-
yield
|
|
33
|
-
ensure
|
|
34
|
-
# Reapply pending changes
|
|
35
|
-
@resource.assign_attributes(changes) if changes
|
|
36
|
-
end
|
|
37
|
-
|
|
38
26
|
# user auth
|
|
39
27
|
def set_user_by_token(mapping = nil)
|
|
40
28
|
# determine target authentication class
|
|
@@ -80,14 +68,15 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
80
68
|
return false unless @token
|
|
81
69
|
|
|
82
70
|
# mitigate timing attacks by finding by uid instead of auth token
|
|
83
|
-
user = uid && rc.
|
|
71
|
+
user = uid && rc.dta_find_by(uid: uid)
|
|
72
|
+
scope = rc.to_s.underscore.to_sym
|
|
84
73
|
|
|
85
74
|
if user && user.valid_token?(@token, @client_id)
|
|
86
75
|
# sign_in with bypass: true will be deprecated in the next version of Devise
|
|
87
76
|
if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
|
|
88
|
-
bypass_sign_in(user, scope:
|
|
77
|
+
bypass_sign_in(user, scope: scope)
|
|
89
78
|
else
|
|
90
|
-
sign_in(
|
|
79
|
+
sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
|
|
91
80
|
end
|
|
92
81
|
return @resource = user
|
|
93
82
|
else
|
|
@@ -130,25 +119,23 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
130
119
|
private
|
|
131
120
|
|
|
132
121
|
def refresh_headers
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
@resource
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
end # end lock
|
|
144
|
-
end # end ensure_pristine_resource
|
|
122
|
+
# Lock the user record during any auth_header updates to ensure
|
|
123
|
+
# we don't have write contention from multiple threads
|
|
124
|
+
@resource.with_lock do
|
|
125
|
+
# should not append auth header if @resource related token was
|
|
126
|
+
# cleared by sign out in the meantime
|
|
127
|
+
return if @used_auth_by_token && @resource.tokens[@client_id].nil?
|
|
128
|
+
|
|
129
|
+
# update the response header
|
|
130
|
+
response.headers.merge!(auth_header_from_batch_request)
|
|
131
|
+
end # end lock
|
|
145
132
|
end
|
|
146
133
|
|
|
147
134
|
def is_batch_request?(user, client_id)
|
|
148
135
|
!params[:unbatch] &&
|
|
149
136
|
user.tokens[client_id] &&
|
|
150
137
|
user.tokens[client_id]['updated_at'] &&
|
|
151
|
-
|
|
138
|
+
user.tokens[client_id]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
|
|
152
139
|
end
|
|
153
140
|
|
|
154
141
|
def auth_header_from_batch_request
|
|
@@ -5,32 +5,27 @@ module DeviseTokenAuth
|
|
|
5
5
|
def show
|
|
6
6
|
@resource = resource_class.confirm_by_token(params[:confirmation_token])
|
|
7
7
|
|
|
8
|
-
if @resource
|
|
9
|
-
expiry = nil
|
|
10
|
-
if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
|
|
11
|
-
expiry = (Time.zone.now + 1.second).to_i
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
client_id, token = @resource.create_token expiry: expiry
|
|
15
|
-
|
|
16
|
-
sign_in(@resource)
|
|
17
|
-
@resource.save!
|
|
18
|
-
|
|
8
|
+
if @resource.errors.empty?
|
|
19
9
|
yield @resource if block_given?
|
|
20
10
|
|
|
21
11
|
redirect_header_options = { account_confirmation_success: true }
|
|
22
|
-
redirect_headers = build_redirect_headers(token,
|
|
23
|
-
client_id,
|
|
24
|
-
redirect_header_options)
|
|
25
12
|
|
|
26
|
-
# give redirect value from params priority
|
|
27
|
-
|
|
13
|
+
# give redirect value from params priority or fall back to default value if provided
|
|
14
|
+
redirect_url = params[:redirect_url] || DeviseTokenAuth.default_confirm_success_url
|
|
15
|
+
|
|
16
|
+
if signed_in?(resource_name)
|
|
17
|
+
client_id, token = signed_in_resource.create_token
|
|
28
18
|
|
|
29
|
-
|
|
30
|
-
|
|
19
|
+
redirect_headers = build_redirect_headers(token,
|
|
20
|
+
client_id,
|
|
21
|
+
redirect_header_options)
|
|
31
22
|
|
|
23
|
+
redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
|
|
24
|
+
else
|
|
25
|
+
redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
|
|
26
|
+
end
|
|
32
27
|
|
|
33
|
-
redirect_to(
|
|
28
|
+
redirect_to(redirect_to_link)
|
|
34
29
|
else
|
|
35
30
|
raise ActionController::RoutingError, 'Not Found'
|
|
36
31
|
end
|
|
@@ -12,11 +12,8 @@ module DeviseTokenAuth
|
|
|
12
12
|
|
|
13
13
|
# derive target redirect route from 'resource_class' param, which was set
|
|
14
14
|
# before authentication.
|
|
15
|
-
devise_mapping =
|
|
16
|
-
|
|
17
|
-
path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
|
|
18
|
-
klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
|
|
19
|
-
redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
|
|
15
|
+
devise_mapping = get_devise_mapping
|
|
16
|
+
redirect_route = get_redirect_route(devise_mapping)
|
|
20
17
|
|
|
21
18
|
# preserve omniauth info for success route. ignore 'extra' in twitter
|
|
22
19
|
# auth response to avoid CookieOverflow.
|
|
@@ -26,6 +23,34 @@ module DeviseTokenAuth
|
|
|
26
23
|
redirect_to redirect_route
|
|
27
24
|
end
|
|
28
25
|
|
|
26
|
+
def get_redirect_route(devise_mapping)
|
|
27
|
+
path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
|
|
28
|
+
klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
|
|
29
|
+
redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def get_devise_mapping
|
|
33
|
+
# derive target redirect route from 'resource_class' param, which was set
|
|
34
|
+
# before authentication.
|
|
35
|
+
devise_mapping = [request.env['omniauth.params']['namespace_name'],
|
|
36
|
+
request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
|
|
37
|
+
rescue NoMethodError => err
|
|
38
|
+
default_devise_mapping
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
# This method will only be called if `get_devise_mapping` cannot
|
|
42
|
+
# find the mapping in `omniauth.params`.
|
|
43
|
+
#
|
|
44
|
+
# One example use-case here is for IDP-initiated SAML login. In that
|
|
45
|
+
# case, there will have been no initial request in which to save
|
|
46
|
+
# the devise mapping. If you are in a situation like that, and
|
|
47
|
+
# your app allows for you to determine somehow what the devise
|
|
48
|
+
# mapping should be (because, for example, it is always the same),
|
|
49
|
+
# then you can handle it by overriding this method.
|
|
50
|
+
def default_devise_mapping
|
|
51
|
+
raise NotImplementedError.new('no default_devise_mapping set')
|
|
52
|
+
end
|
|
53
|
+
|
|
29
54
|
def omniauth_success
|
|
30
55
|
get_resource_from_auth_hash
|
|
31
56
|
set_token_on_resource
|
|
@@ -37,7 +62,7 @@ module DeviseTokenAuth
|
|
|
37
62
|
end
|
|
38
63
|
|
|
39
64
|
sign_in(:user, @resource, store: false, bypass: false)
|
|
40
|
-
|
|
65
|
+
|
|
41
66
|
@resource.save!
|
|
42
67
|
|
|
43
68
|
yield @resource if block_given?
|
|
@@ -79,7 +104,7 @@ module DeviseTokenAuth
|
|
|
79
104
|
|
|
80
105
|
# break out provider attribute assignment for easy method extension
|
|
81
106
|
def assign_provider_attrs(user, auth_hash)
|
|
82
|
-
attrs = auth_hash['info'].slice(*user.
|
|
107
|
+
attrs = auth_hash['info'].slice(*user.attribute_names)
|
|
83
108
|
user.assign_attributes(attrs)
|
|
84
109
|
end
|
|
85
110
|
|
|
@@ -136,16 +161,6 @@ module DeviseTokenAuth
|
|
|
136
161
|
true
|
|
137
162
|
end
|
|
138
163
|
|
|
139
|
-
# necessary for access to devise_parameter_sanitizers
|
|
140
|
-
def devise_mapping
|
|
141
|
-
if omniauth_params
|
|
142
|
-
Devise.mappings[[omniauth_params['namespace_name'],
|
|
143
|
-
omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
|
|
144
|
-
else
|
|
145
|
-
request.env['devise.mapping']
|
|
146
|
-
end
|
|
147
|
-
end
|
|
148
|
-
|
|
149
164
|
def set_random_password
|
|
150
165
|
# set crazy password for new oauth users. this is only used to prevent
|
|
151
166
|
# access via email sign-in.
|
|
@@ -214,6 +229,15 @@ module DeviseTokenAuth
|
|
|
214
229
|
</html>)
|
|
215
230
|
end
|
|
216
231
|
|
|
232
|
+
def handle_new_resource
|
|
233
|
+
@oauth_registration = true
|
|
234
|
+
set_random_password
|
|
235
|
+
end
|
|
236
|
+
|
|
237
|
+
def assign_whitelisted_params?
|
|
238
|
+
true
|
|
239
|
+
end
|
|
240
|
+
|
|
217
241
|
def get_resource_from_auth_hash
|
|
218
242
|
# find or create user by provider and provider uid
|
|
219
243
|
@resource = resource_class.where(
|
|
@@ -222,16 +246,17 @@ module DeviseTokenAuth
|
|
|
222
246
|
).first_or_initialize
|
|
223
247
|
|
|
224
248
|
if @resource.new_record?
|
|
225
|
-
|
|
226
|
-
set_random_password
|
|
249
|
+
handle_new_resource
|
|
227
250
|
end
|
|
228
251
|
|
|
229
252
|
# sync user info with provider, update/generate auth token
|
|
230
253
|
assign_provider_attrs(@resource, auth_hash)
|
|
231
254
|
|
|
232
255
|
# assign any additional (whitelisted) attributes
|
|
233
|
-
|
|
234
|
-
|
|
256
|
+
if assign_whitelisted_params?
|
|
257
|
+
extra_params = whitelisted_params
|
|
258
|
+
@resource.assign_attributes(extra_params) if extra_params
|
|
259
|
+
end
|
|
235
260
|
|
|
236
261
|
@resource
|
|
237
262
|
end
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class PasswordsController < DeviseTokenAuth::ApplicationController
|
|
5
5
|
before_action :set_user_by_token, only: [:update]
|
|
6
|
+
before_action :validate_redirect_url_param, only: [:create, :edit]
|
|
6
7
|
skip_after_action :update_auth_header, only: [:create, :edit]
|
|
7
8
|
|
|
8
9
|
# this action is responsible for generating password reset tokens and
|
|
@@ -10,15 +11,6 @@ module DeviseTokenAuth
|
|
|
10
11
|
def create
|
|
11
12
|
return render_create_error_missing_email unless resource_params[:email]
|
|
12
13
|
|
|
13
|
-
# give redirect value from params priority
|
|
14
|
-
@redirect_url = params.fetch(
|
|
15
|
-
:redirect_url,
|
|
16
|
-
DeviseTokenAuth.default_password_reset_url
|
|
17
|
-
)
|
|
18
|
-
|
|
19
|
-
return render_create_error_missing_redirect_url unless @redirect_url
|
|
20
|
-
return render_create_error_not_allowed_redirect_url if blacklisted_redirect_url?
|
|
21
|
-
|
|
22
14
|
@email = get_case_insensitive_field_from_resource_params(:email)
|
|
23
15
|
@resource = find_resource(:uid, @email)
|
|
24
16
|
|
|
@@ -44,7 +36,7 @@ module DeviseTokenAuth
|
|
|
44
36
|
# this is where users arrive after visiting the password reset confirmation link
|
|
45
37
|
def edit
|
|
46
38
|
# if a user is not found, return nil
|
|
47
|
-
@resource = with_reset_password_token(resource_params[:reset_password_token])
|
|
39
|
+
@resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
|
|
48
40
|
|
|
49
41
|
if @resource && @resource.reset_password_period_valid?
|
|
50
42
|
client_id, token = @resource.create_token
|
|
@@ -63,7 +55,7 @@ module DeviseTokenAuth
|
|
|
63
55
|
redirect_headers = build_redirect_headers(token,
|
|
64
56
|
client_id,
|
|
65
57
|
redirect_header_options)
|
|
66
|
-
redirect_to(@resource.build_auth_url(
|
|
58
|
+
redirect_to(@resource.build_auth_url(@redirect_url,
|
|
67
59
|
redirect_headers))
|
|
68
60
|
else
|
|
69
61
|
render_edit_error
|
|
@@ -114,7 +106,7 @@ module DeviseTokenAuth
|
|
|
114
106
|
render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
|
|
115
107
|
end
|
|
116
108
|
|
|
117
|
-
def
|
|
109
|
+
def render_error_not_allowed_redirect_url
|
|
118
110
|
response = {
|
|
119
111
|
status: 'error',
|
|
120
112
|
data: resource_data
|
|
@@ -178,15 +170,19 @@ module DeviseTokenAuth
|
|
|
178
170
|
params.permit(*params_for_resource(:account_update))
|
|
179
171
|
end
|
|
180
172
|
|
|
181
|
-
def with_reset_password_token token
|
|
182
|
-
recoverable = resource_class.with_reset_password_token(token)
|
|
183
|
-
|
|
184
|
-
recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
|
|
185
|
-
recoverable
|
|
186
|
-
end
|
|
187
|
-
|
|
188
173
|
def render_not_found_error
|
|
189
174
|
render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
|
|
190
175
|
end
|
|
176
|
+
|
|
177
|
+
def validate_redirect_url_param
|
|
178
|
+
# give redirect value from params priority
|
|
179
|
+
@redirect_url = params.fetch(
|
|
180
|
+
:redirect_url,
|
|
181
|
+
DeviseTokenAuth.default_password_reset_url
|
|
182
|
+
)
|
|
183
|
+
|
|
184
|
+
return render_create_error_missing_redirect_url unless @redirect_url
|
|
185
|
+
return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
|
|
186
|
+
end
|
|
191
187
|
end
|
|
192
188
|
end
|
|
@@ -30,40 +30,37 @@ module DeviseTokenAuth
|
|
|
30
30
|
# if whitelist is set, validate redirect_url against whitelist
|
|
31
31
|
return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
|
|
32
32
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
|
|
37
|
-
|
|
38
|
-
if @resource.respond_to? :skip_confirmation_notification!
|
|
39
|
-
# Fix duplicate e-mails by disabling Devise confirmation e-mail
|
|
40
|
-
@resource.skip_confirmation_notification!
|
|
41
|
-
end
|
|
33
|
+
# override email confirmation, must be sent manually from ctrl
|
|
34
|
+
resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
|
|
35
|
+
resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
|
|
42
36
|
|
|
43
|
-
|
|
44
|
-
|
|
37
|
+
if @resource.respond_to? :skip_confirmation_notification!
|
|
38
|
+
# Fix duplicate e-mails by disabling Devise confirmation e-mail
|
|
39
|
+
@resource.skip_confirmation_notification!
|
|
40
|
+
end
|
|
45
41
|
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
@
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
render_create_error
|
|
42
|
+
if @resource.save
|
|
43
|
+
yield @resource if block_given?
|
|
44
|
+
|
|
45
|
+
unless @resource.confirmed?
|
|
46
|
+
# user will require email authentication
|
|
47
|
+
@resource.send_confirmation_instructions({
|
|
48
|
+
client_config: params[:config_name],
|
|
49
|
+
redirect_url: @redirect_url
|
|
50
|
+
})
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
if active_for_authentication?
|
|
54
|
+
# email auth has been bypassed, authenticate user
|
|
55
|
+
@client_id, @token = @resource.create_token
|
|
56
|
+
@resource.save!
|
|
57
|
+
update_auth_header
|
|
63
58
|
end
|
|
64
|
-
|
|
59
|
+
|
|
60
|
+
render_create_success
|
|
61
|
+
else
|
|
65
62
|
clean_up_passwords @resource
|
|
66
|
-
|
|
63
|
+
render_create_error
|
|
67
64
|
end
|
|
68
65
|
end
|
|
69
66
|
|
|
@@ -145,15 +142,6 @@ module DeviseTokenAuth
|
|
|
145
142
|
}, status: 422
|
|
146
143
|
end
|
|
147
144
|
|
|
148
|
-
def render_create_error_email_already_exists
|
|
149
|
-
response = {
|
|
150
|
-
status: 'error',
|
|
151
|
-
data: resource_data
|
|
152
|
-
}
|
|
153
|
-
message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
|
|
154
|
-
render_error(422, message, response)
|
|
155
|
-
end
|
|
156
|
-
|
|
157
145
|
def render_update_success
|
|
158
146
|
render json: {
|
|
159
147
|
status: 'success',
|
|
@@ -208,5 +196,9 @@ module DeviseTokenAuth
|
|
|
208
196
|
def validate_post_data which, message
|
|
209
197
|
render_error(:unprocessable_entity, message, status: 'error') if which.empty?
|
|
210
198
|
end
|
|
199
|
+
|
|
200
|
+
def active_for_authentication?
|
|
201
|
+
!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
|
|
202
|
+
end
|
|
211
203
|
end
|
|
212
204
|
end
|