devise_token_auth 1.0.0 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (126) hide show
  1. checksums.yaml +5 -5
  2. data/README.md +4 -2
  3. data/app/controllers/devise_token_auth/application_controller.rb +2 -3
  4. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +11 -12
  5. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +41 -57
  6. data/app/controllers/devise_token_auth/confirmations_controller.rb +63 -20
  7. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +77 -29
  8. data/app/controllers/devise_token_auth/passwords_controller.rb +44 -30
  9. data/app/controllers/devise_token_auth/registrations_controller.rb +33 -40
  10. data/app/controllers/devise_token_auth/sessions_controller.rb +5 -5
  11. data/app/controllers/devise_token_auth/unlocks_controller.rb +4 -4
  12. data/app/models/devise_token_auth/concerns/active_record_support.rb +14 -0
  13. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  14. data/app/models/devise_token_auth/concerns/mongoid_support.rb +19 -0
  15. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +31 -0
  16. data/app/models/devise_token_auth/concerns/user.rb +51 -70
  17. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +6 -3
  18. data/app/validators/{email_validator.rb → devise_token_auth_email_validator.rb} +2 -2
  19. data/config/locales/da-DK.yml +2 -0
  20. data/config/locales/de.yml +2 -0
  21. data/config/locales/en.yml +7 -0
  22. data/config/locales/es.yml +2 -0
  23. data/config/locales/fr.yml +2 -0
  24. data/config/locales/he.yml +52 -0
  25. data/config/locales/it.yml +2 -0
  26. data/config/locales/ja.yml +4 -2
  27. data/config/locales/ko.yml +51 -0
  28. data/config/locales/nl.yml +2 -0
  29. data/config/locales/pl.yml +6 -3
  30. data/config/locales/pt-BR.yml +2 -0
  31. data/config/locales/pt.yml +6 -3
  32. data/config/locales/ro.yml +2 -0
  33. data/config/locales/ru.yml +2 -0
  34. data/config/locales/sq.yml +2 -0
  35. data/config/locales/sv.yml +2 -0
  36. data/config/locales/uk.yml +2 -0
  37. data/config/locales/vi.yml +2 -0
  38. data/config/locales/zh-CN.yml +2 -0
  39. data/config/locales/zh-HK.yml +2 -0
  40. data/config/locales/zh-TW.yml +2 -0
  41. data/lib/devise_token_auth/blacklist.rb +2 -0
  42. data/lib/devise_token_auth/controllers/helpers.rb +5 -9
  43. data/lib/devise_token_auth/engine.rb +7 -1
  44. data/lib/devise_token_auth/rails/routes.rb +16 -11
  45. data/lib/devise_token_auth/token_factory.rb +126 -0
  46. data/lib/devise_token_auth/url.rb +3 -0
  47. data/lib/devise_token_auth/version.rb +1 -1
  48. data/lib/devise_token_auth.rb +6 -3
  49. data/lib/generators/devise_token_auth/USAGE +1 -1
  50. data/lib/generators/devise_token_auth/install_generator.rb +7 -91
  51. data/lib/generators/devise_token_auth/install_generator_helpers.rb +98 -0
  52. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +46 -0
  53. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +10 -0
  54. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -8
  55. data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
  56. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +56 -0
  57. data/test/controllers/custom/custom_confirmations_controller_test.rb +1 -1
  58. data/test/controllers/demo_user_controller_test.rb +2 -2
  59. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +83 -19
  60. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +109 -42
  61. data/test/controllers/devise_token_auth/passwords_controller_test.rb +227 -102
  62. data/test/controllers/devise_token_auth/registrations_controller_test.rb +34 -7
  63. data/test/controllers/devise_token_auth/sessions_controller_test.rb +0 -38
  64. data/test/controllers/devise_token_auth/token_validations_controller_test.rb +2 -1
  65. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  66. data/test/dummy/app/{models → active_record}/scoped_user.rb +2 -2
  67. data/test/dummy/app/{models → active_record}/unconfirmable_user.rb +1 -2
  68. data/test/dummy/app/{models → active_record}/unregisterable_user.rb +3 -3
  69. data/test/dummy/app/active_record/user.rb +6 -0
  70. data/test/dummy/app/controllers/overrides/confirmations_controller.rb +3 -3
  71. data/test/dummy/app/controllers/overrides/passwords_controller.rb +3 -3
  72. data/test/dummy/app/controllers/overrides/registrations_controller.rb +1 -1
  73. data/test/dummy/app/controllers/overrides/sessions_controller.rb +2 -2
  74. data/test/dummy/app/models/{user.rb → concerns/favorite_color.rb} +7 -8
  75. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  76. data/test/dummy/app/mongoid/lockable_user.rb +38 -0
  77. data/test/dummy/app/mongoid/mang.rb +46 -0
  78. data/test/dummy/app/mongoid/only_email_user.rb +33 -0
  79. data/test/dummy/app/mongoid/scoped_user.rb +50 -0
  80. data/test/dummy/app/mongoid/unconfirmable_user.rb +44 -0
  81. data/test/dummy/app/mongoid/unregisterable_user.rb +47 -0
  82. data/test/dummy/app/mongoid/user.rb +49 -0
  83. data/test/dummy/app/views/layouts/application.html.erb +0 -2
  84. data/test/dummy/config/application.rb +22 -1
  85. data/test/dummy/config/boot.rb +4 -0
  86. data/test/dummy/config/environments/development.rb +0 -10
  87. data/test/dummy/config/environments/production.rb +0 -16
  88. data/test/dummy/config/initializers/devise.rb +285 -0
  89. data/test/dummy/config/initializers/devise_token_auth.rb +35 -4
  90. data/test/dummy/config/initializers/figaro.rb +1 -1
  91. data/test/dummy/config/initializers/omniauth.rb +1 -0
  92. data/test/dummy/config/routes.rb +2 -0
  93. data/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +0 -7
  94. data/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +0 -7
  95. data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +0 -7
  96. data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +0 -7
  97. data/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +0 -7
  98. data/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb +0 -7
  99. data/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb +0 -7
  100. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  101. data/test/dummy/db/schema.rb +26 -28
  102. data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +9 -0
  103. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
  104. data/test/dummy/tmp/generators/db/migrate/20210126004321_devise_token_auth_create_azpire_v1_human_resource_users.rb +49 -0
  105. data/test/factories/users.rb +3 -2
  106. data/test/lib/devise_token_auth/blacklist_test.rb +11 -0
  107. data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
  108. data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
  109. data/test/lib/devise_token_auth/token_factory_test.rb +191 -0
  110. data/test/lib/devise_token_auth/url_test.rb +2 -2
  111. data/test/lib/generators/devise_token_auth/install_generator_test.rb +51 -31
  112. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +51 -31
  113. data/test/models/concerns/mongoid_support_test.rb +31 -0
  114. data/test/models/concerns/tokens_serialization_test.rb +104 -0
  115. data/test/models/confirmable_user_test.rb +35 -0
  116. data/test/models/only_email_user_test.rb +0 -8
  117. data/test/models/user_test.rb +1 -33
  118. data/test/test_helper.rb +13 -3
  119. metadata +125 -32
  120. data/config/initializers/devise.rb +0 -198
  121. data/test/dummy/config/initializers/assets.rb +0 -10
  122. data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
  123. data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
  124. /data/test/dummy/app/{models → active_record}/lockable_user.rb +0 -0
  125. /data/test/dummy/app/{models → active_record}/mang.rb +0 -0
  126. /data/test/dummy/app/{models → active_record}/only_email_user.rb +0 -0
@@ -155,6 +155,8 @@ class OmniauthTest < ActionDispatch::IntegrationTest
155
155
  describe 'with new user' do
156
156
  before do
157
157
  User.any_instance.expects(:new_record?).returns(true).at_least_once
158
+ # https://docs.mongodb.com/mongoid/master/tutorials/mongoid-documents/#notes-on-persistence
159
+ User.any_instance.expects(:save!).returns(true)
158
160
  end
159
161
 
160
162
  test 'response contains oauth_registration attr' do
@@ -315,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
315
317
  end
316
318
 
317
319
  describe 'Using redirect_whitelist' do
318
- before do
319
- @user_email = 'slemp.diggler@sillybandz.gov'
320
- OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
321
- provider: 'facebook',
322
- uid: '123545',
323
- info: {
324
- name: 'chong',
325
- email: @user_email
326
- }
327
- )
328
- @good_redirect_url = Faker::Internet.url
329
- @bad_redirect_url = Faker::Internet.url
330
- DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
331
- end
332
320
 
333
- teardown do
334
- DeviseTokenAuth.redirect_whitelist = nil
335
- end
321
+ describe "newWindow" do
322
+ before do
323
+ @user_email = 'slemp.diggler@sillybandz.gov'
324
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
325
+ provider: 'facebook',
326
+ uid: '123545',
327
+ info: {
328
+ name: 'chong',
329
+ email: @user_email
330
+ }
331
+ )
332
+ @good_redirect_url = Faker::Internet.url
333
+ @bad_redirect_url = Faker::Internet.url
334
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
335
+ end
336
336
 
337
- test 'request using non-whitelisted redirect fail' do
338
- get '/auth/facebook',
339
- params: { auth_origin_url: @bad_redirect_url,
340
- omniauth_window_type: 'newWindow' }
337
+ teardown do
338
+ DeviseTokenAuth.redirect_whitelist = nil
339
+ end
341
340
 
342
- follow_all_redirects!
341
+ test 'request using non-whitelisted redirect fail' do
342
+ get '/auth/facebook',
343
+ params: { auth_origin_url: @bad_redirect_url,
344
+ omniauth_window_type: 'newWindow' }
343
345
 
344
- data = get_parsed_data_json
345
- assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
346
- data['error']
346
+ follow_all_redirects!
347
+
348
+ data = get_parsed_data_json
349
+ assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
350
+ data['error']
351
+ end
352
+
353
+ test 'request to whitelisted redirect should succeed' do
354
+ get '/auth/facebook',
355
+ params: {
356
+ auth_origin_url: @good_redirect_url,
357
+ omniauth_window_type: 'newWindow'
358
+ }
359
+
360
+ follow_all_redirects!
361
+
362
+ data = get_parsed_data_json
363
+ assert_equal @user_email, data['email']
364
+ end
365
+
366
+ test 'should support wildcards' do
367
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
368
+ get '/auth/facebook',
369
+ params: { auth_origin_url: @good_redirect_url,
370
+ omniauth_window_type: 'newWindow' }
371
+
372
+ follow_all_redirects!
373
+
374
+ data = get_parsed_data_json
375
+ assert_equal @user_email, data['email']
376
+ end
347
377
  end
348
378
 
349
- test 'request to whitelisted redirect should succeed' do
350
- get '/auth/facebook',
351
- params: {
352
- auth_origin_url: @good_redirect_url,
353
- omniauth_window_type: 'newWindow'
379
+ describe "sameWindow" do
380
+ before do
381
+ @user_email = 'slemp.diggler@sillybandz.gov'
382
+ OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
383
+ provider: 'facebook',
384
+ uid: '123545',
385
+ info: {
386
+ name: 'chong',
387
+ email: @user_email
354
388
  }
389
+ )
390
+ @good_redirect_url = '/auth_origin'
391
+ @bad_redirect_url = Faker::Internet.url
392
+ DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
393
+ end
355
394
 
356
- follow_all_redirects!
395
+ teardown do
396
+ DeviseTokenAuth.redirect_whitelist = nil
397
+ end
357
398
 
358
- data = get_parsed_data_json
359
- assert_equal @user_email, data['email']
360
- end
399
+ test 'request using non-whitelisted redirect fail' do
400
+ get '/auth/facebook',
401
+ params: { auth_origin_url: @bad_redirect_url,
402
+ omniauth_window_type: 'sameWindow' }
361
403
 
362
- test 'should support wildcards' do
363
- DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
364
- get '/auth/facebook',
365
- params: { auth_origin_url: @good_redirect_url,
366
- omniauth_window_type: 'newWindow' }
404
+ follow_all_redirects!
405
+
406
+ assert_equal 200, response.status
407
+ assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
408
+ end
409
+
410
+ test 'request to whitelisted redirect should succeed' do
411
+ get '/auth/facebook',
412
+ params: {
413
+ auth_origin_url: '/auth_origin',
414
+ omniauth_window_type: 'sameWindow'
415
+ }
416
+
417
+ follow_all_redirects!
418
+
419
+ assert_equal 200, response.status
420
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
421
+ end
422
+
423
+ test 'should support wildcards' do
424
+ DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
425
+ get '/auth/facebook',
426
+ params: {
427
+ auth_origin_url: '/auth_origin',
428
+ omniauth_window_type: 'sameWindow'
429
+ }
430
+
431
+ follow_all_redirects!
432
+
433
+ assert_equal 200, response.status
434
+ assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
435
+ end
367
436
 
368
- follow_all_redirects!
369
437
 
370
- data = get_parsed_data_json
371
- assert_equal @user_email, data['email']
372
438
  end
439
+
373
440
  end
374
441
  end
@@ -41,22 +41,46 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
41
41
  before do
42
42
  @auth_headers = @resource.create_new_auth_token
43
43
  @new_password = Faker::Internet.password
44
-
45
- post :create,
46
- params: { email: 'chester@cheet.ah' }
47
- @data = JSON.parse(response.body)
48
44
  end
49
45
 
50
- test 'response should fail' do
51
- assert_equal 401, response.status
46
+ describe 'for create' do
47
+ before do
48
+ post :create,
49
+ params: { email: 'chester@cheet.ah' }
50
+ @data = JSON.parse(response.body)
51
+ end
52
+
53
+ test 'response should fail' do
54
+ assert_equal 401, response.status
55
+ end
56
+
57
+ test 'error message should be returned' do
58
+ assert @data['errors']
59
+ assert_equal(
60
+ @data['errors'],
61
+ [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
62
+ )
63
+ end
52
64
  end
53
65
 
54
- test 'error message should be returned' do
55
- assert @data['errors']
56
- assert_equal(
57
- @data['errors'],
58
- [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
59
- )
66
+ describe 'for edit' do
67
+ before do
68
+ get_reset_token
69
+ get :edit, params: { reset_password_token: @mail_reset_token}
70
+ @data = JSON.parse(response.body)
71
+ end
72
+
73
+ test 'response should fail' do
74
+ assert_equal 401, response.status
75
+ end
76
+
77
+ test 'error message should be returned' do
78
+ assert @data['errors']
79
+ assert_equal(
80
+ @data['errors'],
81
+ [I18n.t('devise_token_auth.passwords.missing_redirect_url')]
82
+ )
83
+ end
60
84
  end
61
85
  end
62
86
 
@@ -215,10 +239,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
215
239
  end
216
240
  end
217
241
 
218
- describe 'Cheking reset_password_token' do
242
+ describe 'Checking reset_password_token' do
219
243
  before do
220
244
  post :create, params: {
221
- email: @resource.email,
245
+ email: @resource.email,
222
246
  redirect_url: @redirect_url
223
247
  }
224
248
 
@@ -235,14 +259,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
235
259
  assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
236
260
  end
237
261
 
238
- test 'reset_password_token should be rewritten by origin mail_reset_token' do
262
+ test 'reset_password_token should not be rewritten by origin mail_reset_token' do
239
263
  get :edit, params: {
240
264
  reset_password_token: @mail_reset_token,
241
265
  redirect_url: @mail_redirect_url
242
266
  }
243
267
  @resource.reload
244
268
 
245
- assert_equal @mail_reset_token, @resource.reset_password_token
269
+ assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
246
270
  end
247
271
 
248
272
  test 'response should return success status' do
@@ -254,26 +278,6 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
254
278
  assert_equal 302, response.status
255
279
  end
256
280
 
257
- test 'reset_password_token should be valid only one first time' do
258
- get :edit, params: {
259
- reset_password_token: @mail_reset_token,
260
- redirect_url: @mail_redirect_url
261
- }
262
-
263
- @resource.reload
264
- assert_equal @mail_reset_token, @resource.reset_password_token
265
-
266
- assert_raises(ActionController::RoutingError) {
267
- get :edit, params: {
268
- reset_password_token: @mail_reset_token,
269
- redirect_url: @mail_redirect_url
270
- }
271
- }
272
-
273
- @resource.reload
274
- assert_equal @mail_reset_token, @resource.reset_password_token
275
- end
276
-
277
281
  test 'reset_password_sent_at should be valid' do
278
282
  assert_equal @resource.reset_password_period_valid?, true
279
283
 
@@ -283,7 +287,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
283
287
  }
284
288
 
285
289
  @resource.reload
286
- assert_equal @mail_reset_token, @resource.reset_password_token
290
+ assert_equal Devise.token_generator.digest(self, :reset_password_token, @mail_reset_token), @resource.reset_password_token
287
291
  end
288
292
 
289
293
  test 'reset_password_sent_at should be expired' do
@@ -354,8 +358,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
354
358
 
355
359
  describe 'Using redirect_whitelist' do
356
360
  before do
357
- @resource = create(:user, :confirmed)
358
- @good_redirect_url = Faker::Internet.url
361
+ @good_redirect_url = @redirect_url
359
362
  @bad_redirect_url = Faker::Internet.url
360
363
  DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
361
364
  end
@@ -364,31 +367,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
364
367
  DeviseTokenAuth.redirect_whitelist = nil
365
368
  end
366
369
 
367
- test 'request to whitelisted redirect should be successful' do
368
- post :create,
369
- params: { email: @resource.email,
370
- redirect_url: @good_redirect_url }
370
+ describe 'for create' do
371
+ test 'request to whitelisted redirect should be successful' do
372
+ post :create,
373
+ params: { email: @resource.email,
374
+ redirect_url: @good_redirect_url }
371
375
 
372
- assert_equal 200, response.status
373
- end
376
+ assert_equal 200, response.status
377
+ end
374
378
 
375
- test 'request to non-whitelisted redirect should fail' do
376
- post :create,
377
- params: { email: @resource.email,
378
- redirect_url: @bad_redirect_url }
379
+ test 'request to non-whitelisted redirect should fail' do
380
+ post :create,
381
+ params: { email: @resource.email,
382
+ redirect_url: @bad_redirect_url }
383
+
384
+ assert_equal 422, response.status
385
+ end
386
+
387
+ test 'request to non-whitelisted redirect should return error message' do
388
+ post :create,
389
+ params: { email: @resource.email,
390
+ redirect_url: @bad_redirect_url }
379
391
 
380
- assert_equal 422, response.status
392
+ @data = JSON.parse(response.body)
393
+ assert @data['errors']
394
+ assert_equal @data['errors'],
395
+ [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
396
+ redirect_url: @bad_redirect_url)]
397
+ end
381
398
  end
382
- test 'request to non-whitelisted redirect should return error message' do
383
- post :create,
384
- params: { email: @resource.email,
385
- redirect_url: @bad_redirect_url }
386
399
 
387
- @data = JSON.parse(response.body)
388
- assert @data['errors']
389
- assert_equal @data['errors'],
390
- [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
391
- redirect_url: @bad_redirect_url)]
400
+ describe 'for edit' do
401
+ before do
402
+ @auth_headers = @resource.create_new_auth_token
403
+ @new_password = Faker::Internet.password
404
+
405
+ get_reset_token
406
+ end
407
+
408
+ test 'request to whitelisted redirect should be successful' do
409
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @good_redirect_url }
410
+
411
+ assert_equal 302, response.status
412
+ end
413
+
414
+ test 'request to non-whitelisted redirect should fail' do
415
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
416
+
417
+ assert_equal 422, response.status
418
+ end
419
+
420
+ test 'request to non-whitelisted redirect should return error message' do
421
+ get :edit, params: { reset_password_token: @mail_reset_token, redirect_url: @bad_redirect_url }
422
+
423
+ @data = JSON.parse(response.body)
424
+ assert @data['errors']
425
+ assert_equal @data['errors'],
426
+ [I18n.t('devise_token_auth.passwords.not_allowed_redirect_url',
427
+ redirect_url: @bad_redirect_url)]
428
+ end
392
429
  end
393
430
  end
394
431
 
@@ -403,6 +440,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
403
440
 
404
441
  describe 'success' do
405
442
  before do
443
+ DeviseTokenAuth.require_client_password_reset_token = false
406
444
  @auth_headers = @resource.create_new_auth_token
407
445
  request.headers.merge!(@auth_headers)
408
446
  @new_password = Faker::Internet.password
@@ -467,6 +505,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
467
505
 
468
506
  describe 'current password mismatch error' do
469
507
  before do
508
+ DeviseTokenAuth.require_client_password_reset_token = false
470
509
  @auth_headers = @resource.create_new_auth_token
471
510
  request.headers.merge!(@auth_headers)
472
511
  @new_password = Faker::Internet.password
@@ -483,7 +522,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
483
522
  end
484
523
 
485
524
  describe 'change password' do
486
- describe 'success' do
525
+ describe 'using reset token' do
526
+ before do
527
+ DeviseTokenAuth.require_client_password_reset_token = true
528
+ @redirect_url = 'http://client-app.dev'
529
+ get_reset_token
530
+ edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
531
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
532
+ get :edit, params: query_parts
533
+ end
534
+
535
+ test 'request should be redirect' do
536
+ assert_equal 302, response.status
537
+ end
538
+
539
+ test 'request should redirect to correct redirect url' do
540
+ host = URI.parse(response.location).host
541
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
542
+
543
+ assert_equal 'client-app.dev', host
544
+ assert_equal @mail_reset_token, query_parts['reset_password_token']
545
+ assert_equal 1, query_parts.keys.size
546
+ end
547
+
548
+ teardown do
549
+ DeviseTokenAuth.require_client_password_reset_token = false
550
+ end
551
+ end
552
+
553
+ describe 'with valid headers' do
487
554
  before do
488
555
  @auth_headers = @resource.create_new_auth_token
489
556
  request.headers.merge!(@auth_headers)
@@ -509,6 +576,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
509
576
  test 'new password should authenticate user' do
510
577
  assert @resource.valid_password?(@new_password)
511
578
  end
579
+
580
+ test 'reset_password_token should be removed' do
581
+ assert_nil @resource.reset_password_token
582
+ end
512
583
  end
513
584
 
514
585
  describe 'password mismatch error' do
@@ -526,19 +597,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
526
597
  end
527
598
  end
528
599
 
529
- describe 'unauthorized user' do
600
+ describe 'without valid headers' do
530
601
  before do
531
- @auth_headers = @resource.create_new_auth_token
532
- @new_password = Faker::Internet.password
602
+ @resource.create_new_auth_token
603
+ new_password = Faker::Internet.password
533
604
 
534
- put :update, params: { password: @new_password,
535
- password_confirmation: @new_password }
605
+ put :update, params: { password: new_password,
606
+ password_confirmation: new_password }
536
607
  end
537
608
 
538
609
  test 'response should fail' do
539
610
  assert_equal 401, response.status
540
611
  end
541
612
  end
613
+
614
+ describe 'with valid reset password token' do
615
+ before do
616
+ reset_password_token = @resource.send_reset_password_instructions
617
+ @new_password = Faker::Internet.password
618
+ @params = { password: @new_password,
619
+ password_confirmation: @new_password,
620
+ reset_password_token: reset_password_token }
621
+ end
622
+
623
+ describe 'with require_client_password_reset_token disabled' do
624
+ before do
625
+ DeviseTokenAuth.require_client_password_reset_token = false
626
+ put :update, params: @params
627
+
628
+ @data = JSON.parse(response.body)
629
+ @resource.reload
630
+ end
631
+
632
+ test 'request should be not be successful' do
633
+ assert_equal 401, response.status
634
+ end
635
+ end
636
+
637
+ describe 'with require_client_password_reset_token enabled' do
638
+ before do
639
+ DeviseTokenAuth.require_client_password_reset_token = true
640
+ put :update, params: @params
641
+
642
+ @data = JSON.parse(response.body)
643
+ @resource.reload
644
+ end
645
+
646
+ test 'request should be successful' do
647
+ assert_equal 200, response.status
648
+ end
649
+
650
+ test 'request should return success message' do
651
+ assert @data['message']
652
+ assert_equal @data['message'],
653
+ I18n.t('devise_token_auth.passwords.successfully_updated')
654
+ end
655
+
656
+ test 'new password should authenticate user' do
657
+ assert @resource.valid_password?(@new_password)
658
+ end
659
+
660
+ teardown do
661
+ DeviseTokenAuth.require_client_password_reset_token = false
662
+ end
663
+ end
664
+ end
665
+
666
+ describe 'with invalid reset password token' do
667
+ before do
668
+ DeviseTokenAuth.require_client_password_reset_token = true
669
+ @resource.update reset_password_token: 'koskoskoskos'
670
+ put :update, params: @params
671
+ @data = JSON.parse(response.body)
672
+ @resource.reload
673
+ end
674
+
675
+ test 'request should fail' do
676
+ assert_equal 401, response.status
677
+ end
678
+
679
+ test 'new password should not authenticate user' do
680
+ assert !@resource.valid_password?(@new_password)
681
+ end
682
+
683
+ teardown do
684
+ DeviseTokenAuth.require_client_password_reset_token = false
685
+ end
686
+ end
542
687
  end
543
688
  end
544
689
 
@@ -554,16 +699,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
554
699
  before do
555
700
  @resource = create(:mang_user, :confirmed)
556
701
  @redirect_url = 'http://ng-token-auth.dev'
557
-
558
- post :create, params: { email: @resource.email,
559
- redirect_url: @redirect_url }
560
-
561
- @mail = ActionMailer::Base.deliveries.last
562
- @resource.reload
563
-
564
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
565
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
566
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
702
+ get_reset_token
567
703
  end
568
704
 
569
705
  test 'response should return success status' do
@@ -582,15 +718,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
582
718
  @resource = create(:user)
583
719
  @redirect_url = 'http://ng-token-auth.dev'
584
720
 
585
- post :create, params: { email: @resource.email,
586
- redirect_url: @redirect_url }
587
-
588
- @mail = ActionMailer::Base.deliveries.last
589
- @resource.reload
590
-
591
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
592
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
593
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
721
+ get_reset_token
594
722
 
595
723
  get :edit, params: { reset_password_token: @mail_reset_token,
596
724
  redirect_url: @mail_redirect_url }
@@ -610,17 +738,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
610
738
 
611
739
  before do
612
740
  @resource = unconfirmable_users(:user)
613
- @redirect_url = 'http://ng-token-auth.dev'
614
741
 
615
- post :create, params: { email: @resource.email,
616
- redirect_url: @redirect_url }
617
-
618
- @mail = ActionMailer::Base.deliveries.last
619
- @resource.reload
620
-
621
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
622
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
623
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
742
+ get_reset_token
624
743
 
625
744
  get :edit, params: { reset_password_token: @mail_reset_token,
626
745
  redirect_url: @mail_redirect_url }
@@ -635,21 +754,27 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
635
754
  @redirect_url = 'http://ng-token-auth.dev'
636
755
  @config_name = 'altUser'
637
756
 
638
- post :create, params: { email: @resource.email,
757
+ params = { email: @resource.email,
639
758
  redirect_url: @redirect_url,
640
759
  config_name: @config_name }
641
-
642
- @mail = ActionMailer::Base.deliveries.last
643
- @resource.reload
644
-
645
- @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
646
- @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
647
- @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
760
+ get_reset_token params
648
761
  end
649
762
 
650
763
  test 'config_name param is included in the confirmation email link' do
651
764
  assert_equal @config_name, @mail_config_name
652
765
  end
653
766
  end
767
+
768
+ def get_reset_token(params = nil)
769
+ params ||= { email: @resource.email, redirect_url: @redirect_url }
770
+ post :create, params: params
771
+
772
+ @mail = ActionMailer::Base.deliveries.last
773
+ @resource.reload
774
+
775
+ @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
776
+ @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1])
777
+ @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1]
778
+ end
654
779
  end
655
780
  end