RubyGems - devise_token_auth - Versions diffs - 1.0.0 → 1.1.1 - Mend

devise_token_auth 1.0.0 → 1.1.1

Potentially problematic release.

This version of devise_token_auth might be problematic. Click here for more details.

Files changed (83) hide show

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED Viewed

@@ -41,22 +41,46 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         before do
           @auth_headers = @resource.create_new_auth_token
           @new_password = Faker::Internet.password
-          post :create,
-               params: { email: 'chester@cheet.ah' }
-          @data = JSON.parse(response.body)
         end
-        test 'response should fail' do
-          assert_equal 401, response.status
+        describe 'for create' do
+          before do
+            post :create,
+                 params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
-        test 'error message should be returned' do
-          assert @data['errors']
-          assert_equal(
-            @data['errors'],
-            [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
-          )
+        describe 'for edit' do
+          before do
+            get_reset_token
+            get :edit, params: { reset_password_token: @mail_reset_token}
+            @data = JSON.parse(response.body)
+          end
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
       end
@@ -235,14 +259,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
-            test 'reset_password_token should be rewritten by origin mail_reset_token' do
+            test 'reset_password_token should not be rewritten by origin mail_reset_token' do
               get :edit, params: {
                 reset_password_token: @mail_reset_token,
                 redirect_url: @mail_redirect_url
               }
               @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
+              assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
             test 'response should return success status' do
@@ -254,26 +278,6 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               assert_equal 302, response.status
             end
-            test 'reset_password_token should be valid only one first time' do
-              get :edit, params: {
-                reset_password_token: @mail_reset_token,
-                redirect_url: @mail_redirect_url
-              }
-              @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
-              assert_raises(ActionController::RoutingError) {
-                get :edit, params: {
-                  reset_password_token: @mail_reset_token,
-                  redirect_url: @mail_redirect_url
-                }
-              }
-              @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
-            end
             test 'reset_password_sent_at should be valid' do
               assert_equal @resource.reset_password_period_valid?, true
@@ -283,7 +287,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               }
               @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
+              assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
             test 'reset_password_sent_at should be expired' do
@@ -354,8 +358,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       describe 'Using redirect_whitelist' do
         before do
-          @resource = create(:user, :confirmed)
-          @good_redirect_url = Faker::Internet.url
+          @good_redirect_url = @redirect_url
           @bad_redirect_url = Faker::Internet.url
           DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
         end
@@ -364,31 +367,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           DeviseTokenAuth.redirect_whitelist = nil
         end
-        test 'request to whitelisted redirect should be successful' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @good_redirect_url }
+        describe 'for create' do
+          test 'request to whitelisted redirect should be successful' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @good_redirect_url }
-          assert_equal 200, response.status
-        end
+            assert_equal 200, response.status
+          end
-        test 'request to non-whitelisted redirect should fail' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @bad_redirect_url }
+          test 'request to non-whitelisted redirect should fail' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @bad_redirect_url }
+            assert_equal 422, response.status
+          end
+          test 'request to non-whitelisted redirect should return error message' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @bad_redirect_url }
-          assert_equal 422, response.status
+            @data = JSON.parse(response.body)
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
+                                 redirect_url: @bad_redirect_url)]
+          end
         end
-        test 'request to non-whitelisted redirect should return error message' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @bad_redirect_url }
-          @data = JSON.parse(response.body)
-          assert @data['errors']
-          assert_equal @data['errors'],
-                       [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
-                               redirect_url: @bad_redirect_url)]
+        describe 'for edit' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            @new_password = Faker::Internet.password
+            get_reset_token
+          end
+          test 'request to whitelisted redirect should be successful' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @good_redirect_url }
+            assert_equal 302, response.status
+          end
+          test 'request to non-whitelisted redirect should fail' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
+            assert_equal 422, response.status
+          end
+          test 'request to non-whitelisted redirect should return error message' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
+            @data = JSON.parse(response.body)
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
+                                 redirect_url: @bad_redirect_url)]
+          end
         end
       end
@@ -509,6 +546,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           test 'new password should authenticate user' do
             assert @resource.valid_password?(@new_password)
           end
+          test 'reset_password_token should be removed' do
+            assert_nil @resource.reset_password_token
+          end
         end
         describe 'password mismatch error' do
@@ -554,16 +595,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       before do
         @resource = create(:mang_user, :confirmed)
         @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
       end
       test 'response should return success status' do
@@ -582,15 +614,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource = create(:user)
         @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
         get :edit, params: { reset_password_token: @mail_reset_token,
                              redirect_url: @mail_redirect_url }
@@ -610,17 +634,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       before do
         @resource = unconfirmable_users(:user)
-        @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
         get :edit, params: { reset_password_token: @mail_reset_token,
                              redirect_url: @mail_redirect_url }
@@ -635,21 +650,27 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @redirect_url = 'http://ng-token-auth.dev'
         @config_name  = 'altUser'
-        post :create, params: { email: @resource.email,
+        params = { email: @resource.email,
                                 redirect_url: @redirect_url,
                                 config_name: @config_name }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token params
       end
       test 'config_name param is included in the confirmation email link' do
         assert_equal @config_name, @mail_config_name
       end
     end
+    def get_reset_token(params = nil)
+      params ||= { email: @resource.email, redirect_url: @redirect_url }
+      post :create, params: params
+      @mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+      @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+    end
   end
 end

data/test/controllers/devise_token_auth/registrations_controller_test.rb CHANGED Viewed

@@ -83,6 +83,33 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
+    describe 'using allow_unconfirmed_access_for' do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = nil
+        post '/auth',
+             params: {
+               email: Faker::Internet.email,
+               password: 'secret123',
+               password_confirmation: 'secret123',
+               confirm_success_url: Faker::Internet.url,
+               unpermitted_param: '(x_x)'
+             }
+      end
+      test 'auth headers were returned in response' do
+        assert response.headers['access-token']
+        assert response.headers['token-type']
+        assert response.headers['client']
+        assert response.headers['expiry']
+        assert response.headers['uid']
+      end
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+    end
     describe 'using "+" in email' do
       test 'can use + sign in email addresses' do
         @plus_email = 'ak+testing@gmail.com'
@@ -305,7 +332,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -333,7 +360,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -362,7 +389,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -393,7 +420,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do

data/test/controllers/devise_token_auth/sessions_controller_test.rb CHANGED Viewed

@@ -17,12 +17,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       describe 'success' do
         before do
-          @old_sign_in_count      = @existing_user.sign_in_count
-          @old_current_sign_in_at = @existing_user.current_sign_in_at
-          @old_last_sign_in_at    = @existing_user.last_sign_in_at
-          @old_sign_in_ip         = @existing_user.current_sign_in_ip
-          @old_last_sign_in_ip    = @existing_user.last_sign_in_ip
           post :create,
                params: {
                  email: @existing_user.email,
@@ -31,12 +25,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
-          @new_sign_in_count      = @resource.sign_in_count
-          @new_current_sign_in_at = @resource.current_sign_in_at
-          @new_last_sign_in_at    = @resource.last_sign_in_at
-          @new_sign_in_ip         = @resource.current_sign_in_ip
-          @new_last_sign_in_ip    = @resource.last_sign_in_ip
         end
         test 'request should succeed' do
@@ -47,32 +35,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
-        describe 'trackable' do
-          test 'sign_in_count incrementns' do
-            assert_equal @old_sign_in_count + 1, @new_sign_in_count
-          end
-          test 'current_sign_in_at is updated' do
-            refute @old_current_sign_in_at
-            assert @new_current_sign_in_at
-          end
-          test 'last_sign_in_at is updated' do
-            refute @old_last_sign_in_at
-            assert @new_last_sign_in_at
-          end
-          test 'sign_in_ip is updated' do
-            refute @old_sign_in_ip
-            assert_equal '0.0.0.0', @new_sign_in_ip
-          end
-          test 'last_sign_in_ip is updated' do
-            refute @old_last_sign_in_ip
-            assert_equal '0.0.0.0', @new_last_sign_in_ip
-          end
-        end
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number

data/test/controllers/devise_token_auth/token_validations_controller_test.rb CHANGED Viewed

@@ -47,7 +47,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
     describe 'with invalid user' do
       before do
-        @resource.update_column :email, 'invalid'
+        @resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
+        @resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
       end
       test 'request should raise invalid model error' do

data/test/dummy/app/{models → active_record}/scoped_user.rb RENAMED Viewed

@@ -3,7 +3,7 @@
 class ScopedUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable,
-         :confirmable, :omniauthable
+         :recoverable, :rememberable,
+         :validatable, :confirmable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unconfirmable_user.rb RENAMED Viewed

@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable,
-         :trackable, :validatable,
-         :omniauthable
+         :validatable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unregisterable_user.rb RENAMED Viewed

@@ -2,8 +2,8 @@
 class UnregisterableUser < ActiveRecord::Base
   # Include default devise modules.
-  devise :database_authenticatable,
-         :recoverable, :trackable, :validatable,
-         :confirmable, :omniauthable
+  devise :database_authenticatable, :recoverable,
+         :validatable, :confirmable,
+         :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/active_record/user.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+class User < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+  include FavoriteColor
+end

data/test/dummy/app/controllers/overrides/confirmations_controller.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Overrides
       @resource = resource_class.confirm_by_token(params[:confirmation_token])
       if @resource && @resource.id
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         @resource.save!
         redirect_header_options = {
@@ -14,8 +14,8 @@ module Overrides
           config: params[:config],
           override_proof: '(^^,)'
         }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(params[:redirect_url],

data/test/dummy/app/controllers/overrides/passwords_controller.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Overrides
       )
       if @resource && @resource.id
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         # ensure that user is confirmed
         @resource.skip_confirmation! unless @resource.confirmed_at
@@ -22,8 +22,8 @@ module Overrides
           override_proof: OVERRIDE_PROOF,
           reset_password: true
         }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(params[:redirect_url],
                                              redirect_headers))

data/test/dummy/app/controllers/overrides/registrations_controller.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Overrides
     def update
       if @resource
-        if @resource.update_attributes(account_update_params)
+        if @resource.update(account_update_params)
           render json: {
             status: 'success',
             data:   @resource.as_json,

data/test/dummy/app/controllers/overrides/sessions_controller.rb CHANGED Viewed

@@ -5,10 +5,10 @@ module Overrides
     OVERRIDE_PROOF = '(^^,)'.freeze
     def create
-      @resource = resource_class.find_by(email: resource_params[:email])
+      @resource = resource_class.dta_find_by(email: resource_params[:email])
       if @resource && valid_params?(:email, resource_params[:email]) && @resource.valid_password?(resource_params[:password]) && @resource.confirmed?
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
         render json: {

data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} RENAMED Viewed

@@ -1,13 +1,12 @@
-# frozen_string_literal: true
-class User < ActiveRecord::Base
-  include DeviseTokenAuth::Concerns::User
-  validates :operating_thetan, numericality: true, allow_nil: true
-  validate :ensure_correct_favorite_color
+module FavoriteColor
+  extend ActiveSupport::Concern
+  included do
+    validates :operating_thetan, numericality: true, allow_nil: true
+    validate :ensure_correct_favorite_color
+  end
   def ensure_correct_favorite_color
     if favorite_color && (favorite_color != '')
       unless ApplicationHelper::COLOR_NAMES.any?{ |s| s.casecmp(favorite_color)==0 }
         matches = ApplicationHelper::COLOR_SEARCH.search(favorite_color)

data/test/dummy/app/mongoid/lockable_user.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+class LockableUser
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+  ## User Info
+  field :name,      type: String
+  field :nickname,  type: String
+  field :image,     type: String
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+  ## Lockable
+  field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  field :locked_at,       type: Time
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable, :lockable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/mongoid/mang.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+class Mang
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+  ## User Info
+  field :name,      type: String
+  field :nickname,  type: String
+  field :image,     type: String
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+  ## Rememberable
+  field :remember_created_at, type: Time
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+  include DeviseTokenAuth::Concerns::User
+end