devise_token_auth 1.0.0 → 1.1.5

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -2,23 +2,13 @@
 
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
-    before_action :set_user_by_token, only: [:update]
+    before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
 
-    # this action is responsible for generating password reset tokens and
-    # sending emails
+    # this action is responsible for generating password reset tokens and sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
-      # give redirect value from params priority
-      @redirect_url = params.fetch(
-        :redirect_url,
-        DeviseTokenAuth.default_password_reset_url
-      )
-
-      return render_create_error_missing_redirect_url unless @redirect_url
-      return render_create_error_not_allowed_redirect_url if blacklisted_redirect_url?
-
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:uid, @email)
 
@@ -44,14 +34,13 @@ module DeviseTokenAuth
     # this is where users arrive after visiting the password reset confirmation link
     def edit
       # if a user is not found, return nil
-      @resource = with_reset_password_token(resource_params[:reset_password_token])
+      @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
       if @resource && @resource.reset_password_period_valid?
-        client_id, token = @resource.create_token
+        token = @resource.create_token unless require_client_password_reset_token?
 
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
-
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
 
@@ -59,12 +48,16 @@ module DeviseTokenAuth
 
         yield @resource if block_given?
 
-        redirect_header_options = { reset_password: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
-        redirect_to(@resource.build_auth_url(params[:redirect_url],
-                                             redirect_headers))
+        if require_client_password_reset_token?
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+        else
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers))
+        end
       else
         render_edit_error
       end
@@ -72,6 +65,15 @@ module DeviseTokenAuth
 
     def update
       # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
+
       return render_update_error_unauthorized unless @resource
 
       # make sure account doesn't use oauth2 provider
@@ -98,9 +100,9 @@ module DeviseTokenAuth
     protected
 
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
       if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
-        'update_attributes'
+        'update'
       else
         'update_with_password'
       end
@@ -114,7 +116,7 @@ module DeviseTokenAuth
       render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
     end
 
-    def render_create_error_not_allowed_redirect_url
+    def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
         data:   resource_data
@@ -178,15 +180,27 @@ module DeviseTokenAuth
       params.permit(*params_for_resource(:account_update))
     end
 
-    def with_reset_password_token token
-      recoverable = resource_class.with_reset_password_token(token)
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+    end
+
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_password_reset_url
+      )
 
-      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
-      recoverable
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
     end
 
-    def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+
+    def require_client_password_reset_token?
+      DeviseTokenAuth.require_client_password_reset_token
     end
   end
 end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -28,42 +28,40 @@ module DeviseTokenAuth
       end
 
       # if whitelist is set, validate redirect_url against whitelist
-      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
 
-      begin
-        # override email confirmation, must be sent manually from ctrl
-        resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
-        resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
+      # override email confirmation, must be sent manually from ctrl
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
 
-        if @resource.respond_to? :skip_confirmation_notification!
-          # Fix duplicate e-mails by disabling Devise confirmation e-mail
-          @resource.skip_confirmation_notification!
-        end
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
 
-        if @resource.save
-          yield @resource if block_given?
+      if @resource.save
+        yield @resource if block_given?
 
-          if @resource.confirmed?
-            # email auth has been bypassed, authenticate user
-            @client_id, @token = @resource.create_token
-            @resource.save!
-            update_auth_header
-          else
-            # user will require email authentication
-            @resource.send_confirmation_instructions(
-              client_config: params[:config_name],
-              redirect_url: @redirect_url
-            )
-          end
-
-          render_create_success
-        else
-          clean_up_passwords @resource
-          render_create_error
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
         end
-      rescue ActiveRecord::RecordNotUnique
+
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
+        end
+
+        render_create_success
+      else
         clean_up_passwords @resource
-        render_create_error_email_already_exists
+        render_create_error
       end
     end
 
@@ -145,15 +143,6 @@ module DeviseTokenAuth
       }, status: 422
     end
 
-    def render_create_error_email_already_exists
-      response = {
-        status: 'error',
-        data:   resource_data
-      }
-      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
-      render_error(422, message, response)
-    end
-
     def render_update_success
       render json: {
         status: 'success',
@@ -193,7 +182,7 @@ module DeviseTokenAuth
       elsif account_update_params.key?(:current_password)
         'update_with_password'
       else
-        'update_attributes'
+        'update'
       end
     end
 
@@ -208,5 +197,9 @@ module DeviseTokenAuth
     def validate_post_data which, message
       render_error(:unprocessable_entity, message, status: 'error') if which.empty?
     end
+
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
   end
 end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
 
         sign_in(:user, @resource, store: false, bypass: false)
@@ -48,11 +48,11 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client_id = remove_instance_variable(:@client_id) if @client_id
-      remove_instance_variable(:@token) if @token
+      client = @token.client
+      @token.clear!
 
-      if user && client_id && user.tokens[client_id]
-        user.tokens.delete(client_id)
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
         user.save!
 
         yield user if block_given?

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -34,14 +34,14 @@ module DeviseTokenAuth
     def show
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
-      if @resource && @resource.id
-        client_id, token = @resource.create_token
+      if @resource.persisted?
+        token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
 
         redirect_header_options = { unlock: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
                                              redirect_headers))

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -0,0 +1,14 @@
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+
+  included do
+    serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -0,0 +1,28 @@
+module DeviseTokenAuth::Concerns::ConfirmableSupport
+  extend ActiveSupport::Concern
+
+  included do
+    # Override standard devise `postpone_email_change?` method
+    # for not to use `will_save_change_to_email?` & `email_changed?` methods.
+    def postpone_email_change?
+      postpone = self.class.reconfirmable &&
+        email_value_in_database != email &&
+        !@bypass_confirmation_postpone &&
+        self.email.present? &&
+        (!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
+      @bypass_confirmation_postpone = false
+      postpone
+    end
+  end
+
+  protected
+
+  def email_value_in_database
+    rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
+    if rails51 && respond_to?(:email_in_database)
+      email_in_database
+    else
+      email_was
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/mongoid_support.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::MongoidSupport
+  extend ActiveSupport::Concern
+
+  def as_json(options = {})
+    options[:except] = (options[:except] || []) + [:_id]
+    hash = super(options)
+    hash['id'] = to_param
+    hash
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    rescue Mongoid::Errors::DocumentNotFound
+      nil
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,31 @@
+module DeviseTokenAuth::Concerns::TokensSerialization
+  extend self
+  # Serialization hash to json
+  def dump(object)
+    JSON.generate(object && object.transform_values do |token|
+      serialize_updated_at(token).compact
+    end.compact)
+  end
+
+  # Deserialization json to hash
+  def load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+
+  private
+
+  def serialize_updated_at(token)
+    updated_at_key = ['updated_at', :updated_at].find(&token.method(:[]))
+
+    return token unless token[updated_at_key].respond_to?(:iso8601)
+
+    token.merge updated_at_key => token[updated_at_key].iso8601
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'bcrypt'
-
 module DeviseTokenAuth::Concerns::User
   extend ActiveSupport::Concern
 
@@ -9,7 +7,7 @@ module DeviseTokenAuth::Concerns::User
     @token_equality_cache ||= {}
 
     key = "#{token_hash}/#{token}"
-    result = @token_equality_cache[key] ||= (::BCrypt::Password.new(token_hash) == token)
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
     @token_equality_cache = {} if @token_equality_cache.size > 10000
     result
   end
@@ -20,19 +18,21 @@ module DeviseTokenAuth::Concerns::User
       devise_modules.delete(:omniauthable)
     else
       devise :database_authenticatable, :registerable,
-             :recoverable, :trackable, :validatable, :confirmable
+             :recoverable, :validatable, :confirmable
     end
 
-    serialize :tokens, JSON unless tokens_has_json_column_type?
+    if const_defined?('ActiveRecord') && ancestors.include?(ActiveRecord::Base)
+      include DeviseTokenAuth::Concerns::ActiveRecordSupport
+    end
+
+    if const_defined?('Mongoid') && ancestors.include?(Mongoid::Document)
+      include DeviseTokenAuth::Concerns::MongoidSupport
+    end
 
     if DeviseTokenAuth.default_callbacks
       include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     end
 
-    # can't set default on text fields in mysql, simulate here instead.
-    after_save :set_empty_token_hash
-    after_initialize :set_empty_token_hash
-
     # get rid of dead tokens
     before_save :destroy_expired_tokens
 
@@ -44,6 +44,10 @@ module DeviseTokenAuth::Concerns::User
     def email_changed?; false; end
     def will_save_change_to_email?; false; end
 
+    if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
+      include DeviseTokenAuth::Concerns::ConfirmableSupport
+    end
+
     def password_required?
       return false unless provider == 'email'
       super
@@ -84,39 +88,25 @@ module DeviseTokenAuth::Concerns::User
       send_devise_notification(:unlock_instructions, raw, opts)
       raw
     end
-  end
 
-  def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
-    client_id ||= SecureRandom.urlsafe_base64(nil, false)
-    token     ||= SecureRandom.urlsafe_base64(nil, false)
-    expiry    ||= (Time.zone.now + token_lifespan).to_i
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
 
-    tokens[client_id] = {
-      token: BCrypt::Password.create(token),
-      expiry: expiry
-    }.merge!(token_extras)
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
 
-    clean_old_tokens
+      clean_old_tokens
 
-    [client_id, token, expiry]
-  end
-
-  module ClassMethods
-    protected
-
-    def tokens_has_json_column_type?
-      database_exists? && table_exists? && columns_hash['tokens'] && columns_hash['tokens'].type.in?([:json, :jsonb])
-    end
-
-    def database_exists?
-      ActiveRecord::Base.connection_pool.with_connection { |con| con.active? } rescue false
+      token
     end
   end
 
-  def valid_token?(token, client_id = 'default')
-    return false unless tokens[client_id]
-    return true if token_is_current?(token, client_id)
-    return true if token_can_be_reused?(token, client_id)
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
 
     # return false if none of the above conditions are met
     false
@@ -126,10 +116,10 @@ module DeviseTokenAuth::Concerns::User
   # can be passed on from the client
   def send_confirmation_notification?; false; end
 
-  def token_is_current?(token, client_id)
+  def token_is_current?(token, client)
     # ghetto HashWithIndifferentAccess
-    expiry     = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
-    token_hash = tokens[client_id]['token'] || tokens[client_id][:token]
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
 
     return true if (
       # ensure that expiry and token are set
@@ -144,53 +134,52 @@ module DeviseTokenAuth::Concerns::User
   end
 
   # allow batch requests to use the previous token
-  def token_can_be_reused?(token, client_id)
+  def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
-    updated_at = tokens[client_id]['updated_at'] || tokens[client_id][:updated_at]
-    last_token = tokens[client_id]['last_token'] || tokens[client_id][:last_token]
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
 
     return true if (
       # ensure that the last token and its creation time exist
-      updated_at && last_token &&
+      updated_at && last_token_hash &&
 
       # ensure that previous token falls within the batch buffer throttle time of the last request
-      Time.parse(updated_at) > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
+      updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
-      ::BCrypt::Password.new(last_token) == token
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
     )
   end
 
   # update user's auth token (should happen on each request)
-  def create_new_auth_token(client_id = nil)
+  def create_new_auth_token(client = nil)
     now = Time.zone.now
 
-    client_id, token = create_token(
-      client_id: client_id,
-      expiry: (now + token_lifespan).to_i,
-      last_token: tokens.fetch(client_id, {})['token'],
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
       updated_at: now
     )
 
-    update_auth_header(token, client_id)
+    update_auth_header(token.token, token.client)
   end
 
-  def build_auth_header(token, client_id = 'default')
+  def build_auth_header(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
-    expiry = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
 
     {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
-      DeviseTokenAuth.headers_names[:"client"]       => client_id,
+      DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
   end
 
-  def update_auth_header(token, client_id = 'default')
-    headers = build_auth_header(token, client_id)
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
     clean_old_tokens
     save!
 
@@ -204,9 +193,9 @@ module DeviseTokenAuth::Concerns::User
     DeviseTokenAuth::Url.generate(base_url, args)
   end
 
-  def extend_batch_buffer(token, client_id)
-    tokens[client_id]['updated_at'] = Time.zone.now
-    update_auth_header(token, client_id)
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now
+    update_auth_header(token, client)
   end
 
   def confirmed?
@@ -217,16 +206,8 @@ module DeviseTokenAuth::Concerns::User
     as_json(except: %i[tokens created_at updated_at])
   end
 
-  def token_lifespan
-    DeviseTokenAuth.token_lifespan
-  end
-
   protected
 
-  def set_empty_token_hash
-    self.tokens ||= {} if has_attribute?(:tokens)
-  end
-
   def destroy_expired_tokens
     if tokens
       tokens.delete_if do |cid, v|
@@ -237,11 +218,11 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def should_remove_tokens_after_password_reset?
-    if Rails::VERSION::MAJOR <= 5
+    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
       encrypted_password_changed? &&
         DeviseTokenAuth.remove_tokens_after_password_reset
     else
-      saved_change_to_encrypted_password? &&
+      saved_change_to_attribute?(:encrypted_password) &&
         DeviseTokenAuth.remove_tokens_after_password_reset
     end
   end
@@ -250,8 +231,8 @@ module DeviseTokenAuth::Concerns::User
     return unless should_remove_tokens_after_password_reset?
 
     if tokens.present? && tokens.many?
-      client_id, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
-      self.tokens = { client_id => token_data }
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
     end
   end
 

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -5,11 +5,11 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 
   included do
     validates :email, presence: true,if: :email_provider?
-    validates :email, email: true, allow_nil: true, allow_blank: true, if: :email_provider?
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
     validates_presence_of :uid, unless: :email_provider?
 
     # only validate unique emails among email registration users
-    validates :email, uniqueness: { scope: :provider }, on: :create, if: :email_provider?
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
 
     # keep uid in sync with email
     before_save :sync_uid
@@ -23,6 +23,9 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   end
 
   def sync_uid
-    self.uid = email if provider == 'email'
+    if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone
+      return if postpone_email_change?
+    end
+    self.uid = email if email_provider?
   end
 end

data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb}

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-class EmailValidator < ActiveModel::EachValidator
+class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
-      record.errors[attribute] << email_invalid_message
+      record.errors.add(attribute, email_invalid_message)
     end
   end