RubyGems - devise_token_auth - Versions diffs - 1.0.0 → 1.1.1 - Mend

devise_token_auth 1.0.0 → 1.1.1

Potentially problematic release.

This version of devise_token_auth might be problematic. Click here for more details.

Files changed (83) hide show

data/app/controllers/devise_token_auth/registrations_controller.rb CHANGED Viewed

@@ -30,40 +30,37 @@ module DeviseTokenAuth
       # if whitelist is set, validate redirect_url against whitelist
       return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
-      begin
-        # override email confirmation, must be sent manually from ctrl
-        resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
-        resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
-        if @resource.respond_to? :skip_confirmation_notification!
-          # Fix duplicate e-mails by disabling Devise confirmation e-mail
-          @resource.skip_confirmation_notification!
-        end
+      # override email confirmation, must be sent manually from ctrl
+      resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
-        if @resource.save
-          yield @resource if block_given?
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
-          if @resource.confirmed?
-            # email auth has been bypassed, authenticate user
-            @client_id, @token = @resource.create_token
-            @resource.save!
-            update_auth_header
-          else
-            # user will require email authentication
-            @resource.send_confirmation_instructions(
-              client_config: params[:config_name],
-              redirect_url: @redirect_url
-            )
-          end
-          render_create_success
-        else
-          clean_up_passwords @resource
-          render_create_error
+      if @resource.save
+        yield @resource if block_given?
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
+        end
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
         end
-      rescue ActiveRecord::RecordNotUnique
+        render_create_success
+      else
         clean_up_passwords @resource
-        render_create_error_email_already_exists
+        render_create_error
       end
     end
@@ -145,15 +142,6 @@ module DeviseTokenAuth
       }, status: 422
     end
-    def render_create_error_email_already_exists
-      response = {
-        status: 'error',
-        data:   resource_data
-      }
-      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
-      render_error(422, message, response)
-    end
     def render_update_success
       render json: {
         status: 'success',
@@ -193,7 +181,7 @@ module DeviseTokenAuth
       elsif account_update_params.key?(:current_password)
         'update_with_password'
       else
-        'update_attributes'
+        'update'
       end
     end
@@ -208,5 +196,9 @@ module DeviseTokenAuth
     def validate_post_data which, message
       render_error(:unprocessable_entity, message, status: 'error') if which.empty?
     end
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
   end
 end

data/app/controllers/devise_token_auth/sessions_controller.rb CHANGED Viewed

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
         sign_in(:user, @resource, store: false, bypass: false)
@@ -48,11 +48,11 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client_id = remove_instance_variable(:@client_id) if @client_id
-      remove_instance_variable(:@token) if @token
+      client = @token.client if @token.client
+      @token.clear!
-      if user && client_id && user.tokens[client_id]
-        user.tokens.delete(client_id)
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
         user.save!
         yield user if block_given?

data/app/controllers/devise_token_auth/unlocks_controller.rb CHANGED Viewed

@@ -34,14 +34,14 @@ module DeviseTokenAuth
     def show
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
-      if @resource && @resource.id
-        client_id, token = @resource.create_token
+      if @resource.persisted?
+        token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
         redirect_header_options = { unlock: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
                                              redirect_headers))

data/app/models/devise_token_auth/concerns/active_record_support.rb ADDED Viewed

@@ -0,0 +1,16 @@
+require_relative 'tokens_serialization'
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+  included do
+    serialize :tokens, DeviseTokenAuth::TokensSerialization
+  end
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/mongoid_support.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::MongoidSupport
+  extend ActiveSupport::Concern
+  def as_json(options = {})
+    options[:except] = (options[:except] || []) + [:_id]
+    hash = super(options)
+    hash['id'] = to_param
+    hash
+  end
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    rescue Mongoid::Errors::DocumentNotFound
+      nil
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb ADDED Viewed

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::TokensSerialization
+  # Serialization hash to json
+  def self.dump(object)
+    object.each_value(&:compact!) unless object.nil?
+    JSON.generate(object)
+  end
+  # Deserialization json to hash
+  def self.load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require 'bcrypt'
 module DeviseTokenAuth::Concerns::User
   extend ActiveSupport::Concern
@@ -9,7 +7,7 @@ module DeviseTokenAuth::Concerns::User
     @token_equality_cache ||= {}
     key = "#{token_hash}/#{token}"
-    result = @token_equality_cache[key] ||= (::BCrypt::Password.new(token_hash) == token)
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
     @token_equality_cache = {} if @token_equality_cache.size > 10000
     result
   end
@@ -20,19 +18,21 @@ module DeviseTokenAuth::Concerns::User
       devise_modules.delete(:omniauthable)
     else
       devise :database_authenticatable, :registerable,
-             :recoverable, :trackable, :validatable, :confirmable
+             :recoverable, :validatable, :confirmable
     end
-    serialize :tokens, JSON unless tokens_has_json_column_type?
+    if const_defined?('ActiveRecord') && ancestors.include?(ActiveRecord::Base)
+      include DeviseTokenAuth::Concerns::ActiveRecordSupport
+    end
+    if const_defined?('Mongoid') && ancestors.include?(Mongoid::Document)
+      include DeviseTokenAuth::Concerns::MongoidSupport
+    end
     if DeviseTokenAuth.default_callbacks
       include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     end
-    # can't set default on text fields in mysql, simulate here instead.
-    after_save :set_empty_token_hash
-    after_initialize :set_empty_token_hash
     # get rid of dead tokens
     before_save :destroy_expired_tokens
@@ -84,39 +84,25 @@ module DeviseTokenAuth::Concerns::User
       send_devise_notification(:unlock_instructions, raw, opts)
       raw
     end
-  end
-  def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
-    client_id ||= SecureRandom.urlsafe_base64(nil, false)
-    token     ||= SecureRandom.urlsafe_base64(nil, false)
-    expiry    ||= (Time.zone.now + token_lifespan).to_i
-    tokens[client_id] = {
-      token: BCrypt::Password.create(token),
-      expiry: expiry
-    }.merge!(token_extras)
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
-    clean_old_tokens
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
-    [client_id, token, expiry]
-  end
+      clean_old_tokens
-  module ClassMethods
-    protected
-    def tokens_has_json_column_type?
-      database_exists? && table_exists? && columns_hash['tokens'] && columns_hash['tokens'].type.in?([:json, :jsonb])
-    end
-    def database_exists?
-      ActiveRecord::Base.connection_pool.with_connection { |con| con.active? } rescue false
+      token
     end
   end
-  def valid_token?(token, client_id = 'default')
-    return false unless tokens[client_id]
-    return true if token_is_current?(token, client_id)
-    return true if token_can_be_reused?(token, client_id)
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
     # return false if none of the above conditions are met
     false
@@ -126,10 +112,10 @@ module DeviseTokenAuth::Concerns::User
   # can be passed on from the client
   def send_confirmation_notification?; false; end
-  def token_is_current?(token, client_id)
+  def token_is_current?(token, client)
     # ghetto HashWithIndifferentAccess
-    expiry     = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
-    token_hash = tokens[client_id]['token'] || tokens[client_id][:token]
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
     return true if (
       # ensure that expiry and token are set
@@ -144,53 +130,52 @@ module DeviseTokenAuth::Concerns::User
   end
   # allow batch requests to use the previous token
-  def token_can_be_reused?(token, client_id)
+  def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
-    updated_at = tokens[client_id]['updated_at'] || tokens[client_id][:updated_at]
-    last_token = tokens[client_id]['last_token'] || tokens[client_id][:last_token]
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token = tokens[client]['last_token'] || tokens[client][:last_token]
     return true if (
       # ensure that the last token and its creation time exist
       updated_at && last_token &&
       # ensure that previous token falls within the batch buffer throttle time of the last request
-      Time.parse(updated_at) > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
+      updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
       # ensure that the token is valid
-      ::BCrypt::Password.new(last_token) == token
+      DeviseTokenAuth::TokenFactory.valid_token_hash?(last_token)
     )
   end
   # update user's auth token (should happen on each request)
-  def create_new_auth_token(client_id = nil)
+  def create_new_auth_token(client = nil)
     now = Time.zone.now
-    client_id, token = create_token(
-      client_id: client_id,
-      expiry: (now + token_lifespan).to_i,
-      last_token: tokens.fetch(client_id, {})['token'],
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
       updated_at: now
     )
-    update_auth_header(token, client_id)
+    update_auth_header(token.token, token.client)
   end
-  def build_auth_header(token, client_id = 'default')
+  def build_auth_header(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
-    expiry = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
     {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
-      DeviseTokenAuth.headers_names[:"client"]       => client_id,
+      DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
   end
-  def update_auth_header(token, client_id = 'default')
-    headers = build_auth_header(token, client_id)
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
     clean_old_tokens
     save!
@@ -204,9 +189,9 @@ module DeviseTokenAuth::Concerns::User
     DeviseTokenAuth::Url.generate(base_url, args)
   end
-  def extend_batch_buffer(token, client_id)
-    tokens[client_id]['updated_at'] = Time.zone.now
-    update_auth_header(token, client_id)
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now
+    update_auth_header(token, client)
   end
   def confirmed?
@@ -217,16 +202,8 @@ module DeviseTokenAuth::Concerns::User
     as_json(except: %i[tokens created_at updated_at])
   end
-  def token_lifespan
-    DeviseTokenAuth.token_lifespan
-  end
   protected
-  def set_empty_token_hash
-    self.tokens ||= {} if has_attribute?(:tokens)
-  end
   def destroy_expired_tokens
     if tokens
       tokens.delete_if do |cid, v|
@@ -250,8 +227,8 @@ module DeviseTokenAuth::Concerns::User
     return unless should_remove_tokens_after_password_reset?
     if tokens.present? && tokens.many?
-      client_id, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
-      self.tokens = { client_id => token_data }
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
     end
   end

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   included do
     validates :email, presence: true,if: :email_provider?
-    validates :email, email: true, allow_nil: true, allow_blank: true, if: :email_provider?
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
     validates_presence_of :uid, unless: :email_provider?
     # only validate unique emails among email registration users
@@ -23,6 +23,6 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   end
   def sync_uid
-    self.uid = email if provider == 'email'
+    self.uid = email if email_provider?
   end
 end

data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} RENAMED Viewed

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-class EmailValidator < ActiveModel::EachValidator
+class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
       record.errors[attribute] << email_invalid_message

data/config/locales/en.yml CHANGED Viewed

@@ -27,6 +27,11 @@ en:
       missing_email: "You must provide an email address."
       sended: "An email has been sent to '%{email}' containing instructions for unlocking your account."
       user_not_found: "Unable to find user with email '%{email}'."
+    confirmations:
+      sended: "An email has been sent to '%{email}' containing instructions for confirming your account."
+      user_not_found: "Unable to find user with email '%{email}'."
+      missing_email: "You must provide an email address."
   errors:
     messages:
       validate_sign_up_params: "Please submit proper sign up data in request body."

data/config/locales/he.yml ADDED Viewed

@@ -0,0 +1,50 @@
+he:
+  devise_token_auth:
+    sessions:
+      not_confirmed: "הודעת אישור נשלחה לחשבון שלך בכתובת '%{email}'. עליך לפעול לפי ההנחיות שבדוא\"ל לפני הפעלת החשבון שלך"
+      bad_credentials: "נתוני כניסה שגויים. בבקשה נסה שוב."
+      not_supported: "השתמש ב- POST / sign_in כדי להיכנס. GET אינו נתמך."
+      user_not_found: "המשתמש לא נמצא או לא היה מחובר."
+    token_validations:
+      invalid: "נתוני כניסה שגויים"
+    registrations:
+      missing_confirm_success_url: "חסר פרמטר 'confirm_success_url'."
+      redirect_url_not_allowed: "הפניה אל '%{redirect_url}' אינה מותרת."
+      email_already_exists: "כבר קיים חשבון עבור '%{email}'"
+      account_with_uid_destroyed: "חשבון עם UID '%{uid}' הושמד."
+      account_to_destroy_not_found: "לא ניתן לאתר חשבון להשמדה."
+      user_not_found: "המשתמש לא נמצא."
+    passwords:
+      missing_email: "עליך לספק כתובת דוא\"ל."
+      missing_redirect_url: "כתובת אתר להפניה מחדש חסרה."
+      not_allowed_redirect_url: "הפניה אל '%{redirect_url}' אינה מותרת."
+      sended: "אימייל נשלח ל '%{email}' המכיל הוראות לאיפוס הסיסמה שלך."
+      user_not_found: "לא ניתן למצוא משתמש עם הדוא\"ל '%{email}'."
+      password_not_required: "חשבון זה אינו דורש סיסמה. במקום זאת, השתמש בחשבון '%{provider}' שלך."
+      missing_passwords: "עליך למלא את השדות 'סיסמה' ו'אישור סיסמה'."
+      successfully_updated: "הסיסמה שלך עודכנה בהצלחה."
+    unlocks:
+      missing_email: "עליך לספק כתובת דוא\"ל."
+      sended: "הודעת אימייל נשלחה אל '%{email}' המכילה הוראות לביטול הנעילה של חשבונך."
+      user_not_found: "ניתן למצוא את המשתמש עם הדוא\"ל '%{email}'"
+  errors:
+    messages:
+      validate_sign_up_params: "שלח נתוני רישום תקינים בגוף הבקשה."
+      validate_account_update_params: "שלחו בבקשה נתוני עדכון חשבון תקינים בגוף הבקשה."
+      not_email: "אינו דוא\"ל"
+  devise:
+    mailer:
+      confirmation_instructions:
+        confirm_link_msg: "תוכל לאשר את כתובת הדוא\"ל של החשבון שלך באמצעות הקישור הבא:"
+        confirm_account_link: "אשר את החשבון שלי"
+      reset_password_instructions:
+        request_reset_link_msg: "מישהו ביקש קישור לשינוי הסיסמה שלך. תוכל לעשות זאת באמצעות הקישור הבא."
+        password_change_link: "שנה את הסיסמה שלי"
+        ignore_mail_msg: "אם לא ביקשת זאת, התעלם מדוא\"ל זה."
+        no_changes_msg: "הסיסמה שלך לא תשתנה עד שתגיע לקישור שלמעלה ותיצור סיסמה חדשה."
+      unlock_instructions:
+        account_lock_msg: "החשבון שלך ננעל עקב מספר מופרז של ניסיונות כניסה לא מוצלחים."
+        unlock_link_msg: "לחץ על הקישור למטה כדי לבטל את נעילת החשבון שלך:"
+        unlock_link: "בטל את הנעילה של החשבון שלי"
+  hello: "שלום"
+  welcome: "ברוך הבא"

data/config/locales/ja.yml CHANGED Viewed

@@ -34,7 +34,7 @@ ja:
         confirm_link_msg: "下記のリンクからアカウントを有効化できます:"
         confirm_account_link: "アカウントを有効化する"
       reset_password_instructions:
-        request_reset_link_msg: "パスワード変更のリクエストが送信されました。下記のリンクからパスワードの変更をできます。"
+        request_reset_link_msg: "パスワード変更のリクエストが送信されました。下記のリンクからパスワードの変更ができます。"
         password_change_link: "パスワードを変更する"
         ignore_mail_msg: "もしこの内容に覚えがない場合は、このメールを無視してください。"
         no_changes_msg: "上記のリンクにアクセスして新しいパスワードを作成するまで、現在のパスワードは変更されません。"

data/lib/devise_token_auth/blacklist.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ # don't serialize tokens
2	+ Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens

data/lib/devise_token_auth/engine.rb CHANGED Viewed

@@ -14,6 +14,7 @@ module DeviseTokenAuth
   mattr_accessor :change_headers_on_each_request,
                  :max_number_of_devices,
                  :token_lifespan,
+                 :token_cost,
                  :batch_request_buffer_throttle,
                  :omniauth_prefix,
                  :default_confirm_success_url,
@@ -29,6 +30,7 @@ module DeviseTokenAuth
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
   self.token_lifespan                       = 2.weeks
+  self.token_cost                           = 10
   self.batch_request_buffer_throttle        = 5.seconds
   self.omniauth_prefix                      = '/omniauth'
   self.default_confirm_success_url          = nil

data/lib/devise_token_auth/rails/routes.rb CHANGED Viewed

@@ -56,7 +56,7 @@ module ActionDispatch::Routing
         devise_scope mapping_name.to_sym do
           # path to verify token validity
-          get "#{full_path}/validate_token", controller: token_validations_ctrl.to_s, action: 'validate_token'
+          get "#{full_path}/validate_token", controller: token_validations_ctrl.to_s, action: 'validate_token' if !opts[:skip].include?(:token_validations)
           # omniauth routes. only define if omniauth is installed and not skipped.
           if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)