RubyGems - devise_token_auth - Versions diffs - 1.0.0 → 1.1.1 - Mend

devise_token_auth 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of devise_token_auth might be problematic. Click here for more details.

Files changed (83) hide show

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED Viewed

@@ -41,22 +41,46 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         before do
           @auth_headers = @resource.create_new_auth_token
           @new_password = Faker::Internet.password
-          post :create,
-               params: { email: 'chester@cheet.ah' }
-          @data = JSON.parse(response.body)
         end
-        test 'response should fail' do
-          assert_equal 401, response.status
+        describe 'for create' do
+          before do
+            post :create,
+                 params: { email: 'chester@cheet.ah' }
+            @data = JSON.parse(response.body)
+          end
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
-        test 'error message should be returned' do
-          assert @data['errors']
-          assert_equal(
-            @data['errors'],
-            [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
-          )
+        describe 'for edit' do
+          before do
+            get_reset_token
+            get :edit, params: { reset_password_token: @mail_reset_token}
+            @data = JSON.parse(response.body)
+          end
+          test 'response should fail' do
+            assert_equal 401, response.status
+          end
+          test 'error message should be returned' do
+            assert @data['errors']
+            assert_equal(
+              @data['errors'],
+              [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
+            )
+          end
         end
       end
@@ -235,14 +259,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
-            test 'reset_password_token should be rewritten by origin mail_reset_token' do
+            test 'reset_password_token should not be rewritten by origin mail_reset_token' do
               get :edit, params: {
                 reset_password_token: @mail_reset_token,
                 redirect_url: @mail_redirect_url
               }
               @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
+              assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
             test 'response should return success status' do
@@ -254,26 +278,6 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               assert_equal 302, response.status
             end
-            test 'reset_password_token should be valid only one first time' do
-              get :edit, params: {
-                reset_password_token: @mail_reset_token,
-                redirect_url: @mail_redirect_url
-              }
-              @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
-              assert_raises(ActionController::RoutingError) {
-                get :edit, params: {
-                  reset_password_token: @mail_reset_token,
-                  redirect_url: @mail_redirect_url
-                }
-              }
-              @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
-            end
             test 'reset_password_sent_at should be valid' do
               assert_equal @resource.reset_password_period_valid?, true
@@ -283,7 +287,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               }
               @resource.reload
-              assert_equal @mail_reset_token, @resource.reset_password_token
+              assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
             end
             test 'reset_password_sent_at should be expired' do
@@ -354,8 +358,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       describe 'Using redirect_whitelist' do
         before do
-          @resource = create(:user, :confirmed)
-          @good_redirect_url = Faker::Internet.url
+          @good_redirect_url = @redirect_url
           @bad_redirect_url = Faker::Internet.url
           DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
         end
@@ -364,31 +367,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           DeviseTokenAuth.redirect_whitelist = nil
         end
-        test 'request to whitelisted redirect should be successful' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @good_redirect_url }
+        describe 'for create' do
+          test 'request to whitelisted redirect should be successful' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @good_redirect_url }
-          assert_equal 200, response.status
-        end
+            assert_equal 200, response.status
+          end
-        test 'request to non-whitelisted redirect should fail' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @bad_redirect_url }
+          test 'request to non-whitelisted redirect should fail' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @bad_redirect_url }
+            assert_equal 422, response.status
+          end
+          test 'request to non-whitelisted redirect should return error message' do
+            post :create,
+                 params: { email: @resource.email,
+                           redirect_url: @bad_redirect_url }
-          assert_equal 422, response.status
+            @data = JSON.parse(response.body)
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
+                                 redirect_url: @bad_redirect_url)]
+          end
         end
-        test 'request to non-whitelisted redirect should return error message' do
-          post :create,
-               params: { email: @resource.email,
-                         redirect_url: @bad_redirect_url }
-          @data = JSON.parse(response.body)
-          assert @data['errors']
-          assert_equal @data['errors'],
-                       [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
-                               redirect_url: @bad_redirect_url)]
+        describe 'for edit' do
+          before do
+            @auth_headers = @resource.create_new_auth_token
+            @new_password = Faker::Internet.password
+            get_reset_token
+          end
+          test 'request to whitelisted redirect should be successful' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @good_redirect_url }
+            assert_equal 302, response.status
+          end
+          test 'request to non-whitelisted redirect should fail' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
+            assert_equal 422, response.status
+          end
+          test 'request to non-whitelisted redirect should return error message' do
+            get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
+            @data = JSON.parse(response.body)
+            assert @data['errors']
+            assert_equal @data['errors'],
+                         [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
+                                 redirect_url: @bad_redirect_url)]
+          end
         end
       end
@@ -509,6 +546,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           test 'new password should authenticate user' do
             assert @resource.valid_password?(@new_password)
           end
+          test 'reset_password_token should be removed' do
+            assert_nil @resource.reset_password_token
+          end
         end
         describe 'password mismatch error' do
@@ -554,16 +595,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       before do
         @resource = create(:mang_user, :confirmed)
         @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
       end
       test 'response should return success status' do
@@ -582,15 +614,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @resource = create(:user)
         @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
         get :edit, params: { reset_password_token: @mail_reset_token,
                              redirect_url: @mail_redirect_url }
@@ -610,17 +634,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       before do
         @resource = unconfirmable_users(:user)
-        @redirect_url = 'http://ng-token-auth.dev'
-        post :create, params: { email: @resource.email,
-                                redirect_url: @redirect_url }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token
         get :edit, params: { reset_password_token: @mail_reset_token,
                              redirect_url: @mail_redirect_url }
@@ -635,21 +650,27 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
         @redirect_url = 'http://ng-token-auth.dev'
         @config_name  = 'altUser'
-        post :create, params: { email: @resource.email,
+        params = { email: @resource.email,
                                 redirect_url: @redirect_url,
                                 config_name: @config_name }
-        @mail = ActionMailer::Base.deliveries.last
-        @resource.reload
-        @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
-        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
-        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        get_reset_token params
       end
       test 'config_name param is included in the confirmation email link' do
         assert_equal @config_name, @mail_config_name
       end
     end
+    def get_reset_token(params = nil)
+      params ||= { email: @resource.email, redirect_url: @redirect_url }
+      post :create, params: params
+      @mail = ActionMailer::Base.deliveries.last
+      @resource.reload
+      @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
+      @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
+      @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+    end
   end
 end

data/test/controllers/devise_token_auth/registrations_controller_test.rb CHANGED Viewed

@@ -83,6 +83,33 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
     end
+    describe 'using allow_unconfirmed_access_for' do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = nil
+        post '/auth',
+             params: {
+               email: Faker::Internet.email,
+               password: 'secret123',
+               password_confirmation: 'secret123',
+               confirm_success_url: Faker::Internet.url,
+               unpermitted_param: '(x_x)'
+             }
+      end
+      test 'auth headers were returned in response' do
+        assert response.headers['access-token']
+        assert response.headers['token-type']
+        assert response.headers['client']
+        assert response.headers['expiry']
+        assert response.headers['uid']
+      end
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+    end
     describe 'using "+" in email' do
       test 'can use + sign in email addresses' do
         @plus_email = 'ak+testing@gmail.com'
@@ -305,7 +332,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -333,7 +360,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should not have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -362,7 +389,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do
@@ -393,7 +420,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       end
       test 'user should have been created' do
-        assert_nil @resource.id
+        refute @resource.persisted?
       end
       test 'error should be returned in the response' do

data/test/controllers/devise_token_auth/sessions_controller_test.rb CHANGED Viewed

@@ -17,12 +17,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       describe 'success' do
         before do
-          @old_sign_in_count      = @existing_user.sign_in_count
-          @old_current_sign_in_at = @existing_user.current_sign_in_at
-          @old_last_sign_in_at    = @existing_user.last_sign_in_at
-          @old_sign_in_ip         = @existing_user.current_sign_in_ip
-          @old_last_sign_in_ip    = @existing_user.last_sign_in_ip
           post :create,
                params: {
                  email: @existing_user.email,
@@ -31,12 +25,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
-          @new_sign_in_count      = @resource.sign_in_count
-          @new_current_sign_in_at = @resource.current_sign_in_at
-          @new_last_sign_in_at    = @resource.last_sign_in_at
-          @new_sign_in_ip         = @resource.current_sign_in_ip
-          @new_last_sign_in_ip    = @resource.last_sign_in_ip
         end
         test 'request should succeed' do
@@ -47,32 +35,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
-        describe 'trackable' do
-          test 'sign_in_count incrementns' do
-            assert_equal @old_sign_in_count + 1, @new_sign_in_count
-          end
-          test 'current_sign_in_at is updated' do
-            refute @old_current_sign_in_at
-            assert @new_current_sign_in_at
-          end
-          test 'last_sign_in_at is updated' do
-            refute @old_last_sign_in_at
-            assert @new_last_sign_in_at
-          end
-          test 'sign_in_ip is updated' do
-            refute @old_sign_in_ip
-            assert_equal '0.0.0.0', @new_sign_in_ip
-          end
-          test 'last_sign_in_ip is updated' do
-            refute @old_last_sign_in_ip
-            assert_equal '0.0.0.0', @new_last_sign_in_ip
-          end
-        end
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number

data/test/controllers/devise_token_auth/token_validations_controller_test.rb CHANGED Viewed

@@ -47,7 +47,8 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
     describe 'with invalid user' do
       before do
-        @resource.update_column :email, 'invalid'
+        @resource.update_column(:email, 'invalid') if DEVISE_TOKEN_AUTH_ORM == :active_record
+        @resource.set(email: 'invalid') if DEVISE_TOKEN_AUTH_ORM == :mongoid
       end
       test 'request should raise invalid model error' do

data/test/dummy/app/{models → active_record}/scoped_user.rb RENAMED Viewed

@@ -3,7 +3,7 @@
 class ScopedUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable,
-         :confirmable, :omniauthable
+         :recoverable, :rememberable,
+         :validatable, :confirmable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unconfirmable_user.rb RENAMED Viewed

@@ -4,7 +4,6 @@ class UnconfirmableUser < ActiveRecord::Base
   # Include default devise modules.
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable,
-         :trackable, :validatable,
-         :omniauthable
+         :validatable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/{models → active_record}/unregisterable_user.rb RENAMED Viewed

@@ -2,8 +2,8 @@
 class UnregisterableUser < ActiveRecord::Base
   # Include default devise modules.
-  devise :database_authenticatable,
-         :recoverable, :trackable, :validatable,
-         :confirmable, :omniauthable
+  devise :database_authenticatable, :recoverable,
+         :validatable, :confirmable,
+         :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/dummy/app/active_record/user.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+class User < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+  include FavoriteColor
+end

data/test/dummy/app/controllers/overrides/confirmations_controller.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Overrides
       @resource = resource_class.confirm_by_token(params[:confirmation_token])
       if @resource && @resource.id
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         @resource.save!
         redirect_header_options = {
@@ -14,8 +14,8 @@ module Overrides
           config: params[:config],
           override_proof: '(^^,)'
         }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(params[:redirect_url],

data/test/dummy/app/controllers/overrides/passwords_controller.rb CHANGED Viewed

@@ -11,7 +11,7 @@ module Overrides
       )
       if @resource && @resource.id
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         # ensure that user is confirmed
         @resource.skip_confirmation! unless @resource.confirmed_at
@@ -22,8 +22,8 @@ module Overrides
           override_proof: OVERRIDE_PROOF,
           reset_password: true
         }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(params[:redirect_url],
                                              redirect_headers))

data/test/dummy/app/controllers/overrides/registrations_controller.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Overrides
     def update
       if @resource
-        if @resource.update_attributes(account_update_params)
+        if @resource.update(account_update_params)
           render json: {
             status: 'success',
             data:   @resource.as_json,

data/test/dummy/app/controllers/overrides/sessions_controller.rb CHANGED Viewed

@@ -5,10 +5,10 @@ module Overrides
     OVERRIDE_PROOF = '(^^,)'.freeze
     def create
-      @resource = resource_class.find_by(email: resource_params[:email])
+      @resource = resource_class.dta_find_by(email: resource_params[:email])
       if @resource && valid_params?(:email, resource_params[:email]) && @resource.valid_password?(resource_params[:password]) && @resource.confirmed?
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
         render json: {

data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} RENAMED Viewed

@@ -1,13 +1,12 @@
-# frozen_string_literal: true
-class User < ActiveRecord::Base
-  include DeviseTokenAuth::Concerns::User
-  validates :operating_thetan, numericality: true, allow_nil: true
-  validate :ensure_correct_favorite_color
+module FavoriteColor
+  extend ActiveSupport::Concern
+  included do
+    validates :operating_thetan, numericality: true, allow_nil: true
+    validate :ensure_correct_favorite_color
+  end
   def ensure_correct_favorite_color
     if favorite_color && (favorite_color != '')
       unless ApplicationHelper::COLOR_NAMES.any?{ |s| s.casecmp(favorite_color)==0 }
         matches = ApplicationHelper::COLOR_SEARCH.search(favorite_color)

data/test/dummy/app/mongoid/lockable_user.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+class LockableUser
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+  ## User Info
+  field :name,      type: String
+  field :nickname,  type: String
+  field :image,     type: String
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+  ## Lockable
+  field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  field :locked_at,       type: Time
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable, :lockable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/mongoid/mang.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+class Mang
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+  ## User Info
+  field :name,      type: String
+  field :nickname,  type: String
+  field :image,     type: String
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+  ## Rememberable
+  field :remember_created_at, type: Time
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+  include DeviseTokenAuth::Concerns::User
+end