devise_token_auth 1.0.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 916c84285bb6b805d3a70a5adc8e86d83efb348e
-  data.tar.gz: 38deed793c1466de04cd75ab4861627a5eb18447
+SHA256:
+  metadata.gz: be08ae7f01121ebe8c6b9b8fe04bcc2bdc83a2c8108452ffc986f1865278e85f
+  data.tar.gz: 272f45dc6f28fba16b6a523f47cbb9ecf3be9c05d4aa644ee0d0998fa5272f43
 SHA512:
-  metadata.gz: 4b631710faf5afc08a2f0f0fc89a96e63c7fe07d0c7a985a19d3b5c0a18801401afe67525aa6e0a078195ca4d24c58b6a6651da667c2a7a7f40723d4974dc850
-  data.tar.gz: 8707ad62656749fc88de275533456b93c17545f854e40f03920365c2ba9a11c170af44787118c4d8bc59ef593c5535ce8e09c512338c0de8af860c7e2500746f
+  metadata.gz: cc54c90eee4fdf43e6d9b72ca905fc58e4338f1310b289bbede651978bd4f407556392d3d4c61cfaeabf6d4fba179768e02ec9c00bc245b33ba629972676c676
+  data.tar.gz: 00e139ae99fe395580ef8f846cca46516792b68cda0e0201e551e90ca9c70679fcf9519d3682ea82095588e78a93bb2def3db2bebe670a0e96f933e7087fee4b

data/README.md

@@ -19,7 +19,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
 
 * Seamless integration with:
   * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
-  * [Angular2-Token](https://github.com/neroniaky/angular2-token) for [Angular2](https://github.com/angular/angular)
+  * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
@@ -65,11 +65,13 @@ Please read the [issue template](https://github.com/lynndylanhurley/devise_token
 
 See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969).
 
+We have some bounties for some issues, [check them out](https://github.com/lynndylanhurley/devise_token_auth/issues?q=is%3Aopen+is%3Aissue+label%3Abounty)!
+
 ## Live Demos
 
 [Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).
 
-[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular).
+[Here is a demo](https://stackblitz.com/github/neroniaky/angular-token) of this app running with the [Angular-Token](https://github.com/neroniaky/angular-token) service and [Angular](https://github.com/angular/angular).
 
 [Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/).
 

data/app/controllers/devise_token_auth/application_controller.rb

@@ -3,7 +3,6 @@
 module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
-    include DeviseTokenAuth::Concerns::ResourceFinder
 
     def resource_data(opts = {})
       response_data = opts[:resource_json] || @resource.as_json
@@ -17,8 +16,8 @@ module DeviseTokenAuth
 
     protected
 
-    def blacklisted_redirect_url?
-      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
     end
 
     def build_redirect_headers(access_token, client, redirect_header_options = {})
@@ -76,5 +75,22 @@ module DeviseTokenAuth
       response = response.merge(data) if data
       render json: response, status: status
     end
+
+    def success_message(name, email)
+      if Devise.paranoid
+        I18n.t("devise_token_auth.#{name}.sended_paranoid")
+      else
+        I18n.t("devise_token_auth.#{name}.sended", email: email)
+      end
+    end
+
+    # When using a cookie to transport the auth token we can set it immediately in flows such as
+    # reset password and OmniAuth success, rather than making the client scrape the token from
+    # query params (to then send in the initial validate_token request).
+    # TODO: We should be able to stop exposing the token in query params when this method is used
+    def set_token_in_cookie(resource, token)
+      auth_header = resource.build_auth_header(token.token, token.client)
+      cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,21 +20,33 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    # fix for mysql default case insensitivity
-    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
-    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-      q = 'BINARY ' + q
-    end
+    @resource = if database_adapter&.include?('mysql')
+                  # fix for mysql default case insensitivity
+                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
+  end
+
+  def database_adapter
+    @database_adapter ||= begin
+      rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
 
-    @resource = resource_class.where(q, value).first
+      adapter =
+        if rails_version >= "6.1"
+          resource_class.try(:connection_db_config)&.try(:adapter)
+        else
+          resource_class.try(:connection_config)&.try(:[], :adapter)
+        end
+    end
   end
 
   def resource_class(m = nil)
-    if m
-      mapping = Devise.mappings[m]
-    else
-      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
-    end
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
 
     mapping.to
   end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -17,24 +17,11 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @used_auth_by_token = true
 
     # initialize instance variables
-    @client_id ||= nil
+    @token ||= DeviseTokenAuth::TokenFactory.new
     @resource ||= nil
-    @token ||= nil
     @is_batch_request ||= nil
   end
 
-  def ensure_pristine_resource
-    if @resource.changed?
-      # Stash pending changes in the resource before reloading.
-      changes = @resource.changes
-      @resource.reload
-    end
-    yield
-  ensure
-    # Reapply pending changes
-    @resource.assign_attributes(changes) if changes
-  end
-
   # user auth
   def set_user_by_token(mapping = nil)
     # determine target authentication class
@@ -45,21 +32,37 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
+    other_uid_name = DeviseTokenAuth.other_uid && DeviseTokenAuth.headers_names[DeviseTokenAuth.other_uid.to_sym]
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
+    authorization_name = DeviseTokenAuth.headers_names[:"authorization"]
+
+    # Read Authorization token and decode it if present
+    decoded_authorization_token = decode_bearer_token(request.headers[authorization_name])
+
+    # gets values from cookie if configured and present
+    parsed_auth_cookie = {}
+    if DeviseTokenAuth.cookie_enabled
+      auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
+      if auth_cookie.present?
+        parsed_auth_cookie = JSON.parse(auth_cookie)
+      end
+    end
 
     # parse header for values necessary for authentication
-    uid        = request.headers[uid_name] || params[uid_name]
-    @token     ||= request.headers[access_token_name] || params[access_token_name]
-    @client_id ||= request.headers[client_name] || params[client_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
+    other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
+    @token           = DeviseTokenAuth::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]
 
-    # client_id isn't required, set to 'default' if absent
-    @client_id ||= 'default'
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
 
     # check for an existing user, authenticated via warden/devise, if enabled
     if DeviseTokenAuth.enable_standard_devise_support
-      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
-      if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+      devise_warden_user = warden.user(mapping)
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
         @used_auth_by_token = false
         @resource = devise_warden_user
         # REVIEW: The following line _should_ be safe to remove;
@@ -71,53 +74,55 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # user has already been found and authenticated
     return @resource if @resource && @resource.is_a?(rc)
 
-    # ensure we clear the client_id
-    unless @token
-      @client_id = nil
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
       return
     end
 
-    return false unless @token
-
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.find_by(uid: uid)
+    user = (uid && rc.dta_find_by(uid: uid)) || (other_uid && rc.dta_find_by("#{DeviseTokenAuth.other_uid}": other_uid))
+    scope = rc.to_s.underscore.to_sym
 
-    if user && user.valid_token?(@token, @client_id)
+    if user && user.valid_token?(@token.token, @token.client)
       # sign_in with bypass: true will be deprecated in the next version of Devise
       if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
-        bypass_sign_in(user, scope: :user)
+        bypass_sign_in(user, scope: scope)
       else
-        sign_in(:user, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
       end
       return @resource = user
     else
       # zero all values previously set values
-      @client_id = nil
+      @token.client = nil
       return @resource = nil
     end
   end
 
   def update_auth_header
     # cannot save object if model has invalid params
+    return unless @resource && @token.client
 
-    return unless @resource && @client_id
-
-    # Generate new client_id with existing authentication
-    @client_id = nil unless @used_auth_by_token
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
 
     if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @resource.reload.tokens[@client_id].nil?
+      return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token, @client_id)
+      auth_header = @resource.build_auth_header(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)
 
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(auth_header)
+      end
     else
       unless @resource.reload.valid?
-        @resource = resource_class.find(@resource.to_param) # errors remain after reload
+        @resource = @resource.class.find(@resource.to_param) # errors remain after reload
         # if we left the model in a bad state, something is wrong in our app
         unless @resource.valid?
           raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
@@ -129,38 +134,54 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
   private
 
+  def decode_bearer_token(bearer_token)
+    return {} if bearer_token.blank?
+
+    encoded_token = bearer_token.split.last # Removes the 'Bearer' from the string
+    JSON.parse(Base64.strict_decode64(encoded_token)) rescue {}
+  end
+
   def refresh_headers
-    ensure_pristine_resource do
-      # Lock the user record during any auth_header updates to ensure
-      # we don't have write contention from multiple threads
-      @resource.with_lock do
-        # should not append auth header if @resource related token was
-        # cleared by sign out in the meantime
-        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
-
-        # update the response header
-        response.headers.merge!(auth_header_from_batch_request)
-      end # end lock
-    end # end ensure_pristine_resource
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
+
+      _auth_header_from_batch_request = auth_header_from_batch_request
+
+      # update the response header
+      response.headers.merge!(_auth_header_from_batch_request)
+
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(_auth_header_from_batch_request)
+      end
+    end # end lock
+  end
+
+  def set_cookie(auth_header)
+    cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
   end
 
-  def is_batch_request?(user, client_id)
+  def is_batch_request?(user, client)
     !params[:unbatch] &&
-      user.tokens[client_id] &&
-      user.tokens[client_id]['updated_at'] &&
-      Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
   end
 
   def auth_header_from_batch_request
     # determine batch request status after request processing, in case
     # another processes has updated it during that processing
-    @is_batch_request = is_batch_request?(@resource, @client_id)
+    @is_batch_request = is_batch_request?(@resource, @token.client)
 
     auth_header = {}
     # extend expiration of batch buffer to account for the duration of
     # this request
     if @is_batch_request
-      auth_header = @resource.extend_batch_buffer(@token, @client_id)
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
 
       # Do not return token for batch requests to avoid invalidated
       # tokens returned to the client in case of race conditions.
@@ -171,7 +192,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
     else
       # update Authorization response header with new token
-      auth_header = @resource.create_new_auth_token(@client_id)
+      auth_header = @resource.create_new_auth_token(@token.client)
     end
     auth_header
   end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -2,38 +2,85 @@
 
 module DeviseTokenAuth
   class ConfirmationsController < DeviseTokenAuth::ApplicationController
-    def show
-      @resource = resource_class.confirm_by_token(params[:confirmation_token])
-
-      if @resource && @resource.id
-        expiry = nil
-        if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
-          expiry = (Time.zone.now + 1.second).to_i
-        end
 
-        client_id, token = @resource.create_token expiry: expiry
-
-        sign_in(@resource)
-        @resource.save!
+    def show
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
 
+      if @resource.errors.empty?
         yield @resource if block_given?
 
         redirect_header_options = { account_confirmation_success: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
 
-        # give redirect value from params priority
-        @redirect_url = params[:redirect_url]
+        if signed_in?(resource_name)
+          token = signed_in_resource.create_token
+          signed_in_resource.save!
 
-        # fall back to default value if provided
-        @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
 
+          redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
+       end
 
-        redirect_to(@resource.build_auth_url(@redirect_url, redirect_headers))
+        redirect_to(redirect_to_link)
       else
         raise ActionController::RoutingError, 'Not Found'
       end
     end
+
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+
+      return render_create_success
+    end
+
+    protected
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.confirmations.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+               success: true,
+               message: success_message('confirmations', @email)
+             }
+    end
+
+    def render_not_found_error
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+      end
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+    end
+
   end
 end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -3,6 +3,9 @@
 module DeviseTokenAuth
   class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
     attr_reader :auth_params
+
+    before_action :validate_auth_origin_url_param
+
     skip_before_action :set_user_by_token, raise: false
     skip_after_action :update_auth_header
 
@@ -12,18 +15,43 @@ module DeviseTokenAuth
 
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
-      devise_mapping = [request.env['omniauth.params']['namespace_name'],
-                        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
-      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
-      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
-      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+      devise_mapping = get_devise_mapping
+      redirect_route = get_redirect_route(devise_mapping)
 
       # preserve omniauth info for success route. ignore 'extra' in twitter
       # auth response to avoid CookieOverflow.
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route
+      redirect_to redirect_route, status: 307
+    end
+
+    def get_redirect_route(devise_mapping)
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+    end
+
+    def get_devise_mapping
+       # derive target redirect route from 'resource_class' param, which was set
+       # before authentication.
+       devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+    rescue NoMethodError => err
+      default_devise_mapping
+    end
+
+    # This method will only be called if `get_devise_mapping` cannot
+    # find the mapping in `omniauth.params`.
+    #
+    # One example use-case here is for IDP-initiated SAML login.  In that
+    # case, there will have been no initial request in which to save
+    # the devise mapping.  If you are in a situation like that, and
+    # your app allows for you to determine somehow what the devise
+    # mapping should be (because, for example, it is always the same),
+    # then you can handle it by overriding this method.
+    def default_devise_mapping
+      raise NotImplementedError.new('no default_devise_mapping set')
     end
 
     def omniauth_success
@@ -42,6 +70,10 @@ module DeviseTokenAuth
 
       yield @resource if block_given?
 
+      if DeviseTokenAuth.cookie_enabled
+        set_token_in_cookie(@resource, @token)
+      end
+
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
 
@@ -50,6 +82,11 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
 
+    def validate_auth_origin_url_param
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
+
+
     protected
 
     # this will be determined differently depending on the action that calls
@@ -79,7 +116,8 @@ module DeviseTokenAuth
 
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
-      attrs = auth_hash['info'].slice(*user.attributes.keys)
+      attrs = auth_hash['info'].to_hash
+      attrs = attrs.slice(*user.attribute_names)
       user.assign_attributes(attrs)
     end
 
@@ -112,10 +150,18 @@ module DeviseTokenAuth
       omniauth_params['omniauth_window_type']
     end
 
-    def auth_origin_url
+    def unsafe_auth_origin_url
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
 
+
+    def auth_origin_url
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
+    end
+
     # in the success case, omniauth_window_type is in the omniauth_params.
     # in the failure case, it is in a query param.  See monkey patch above
     def omniauth_window_type
@@ -136,16 +182,6 @@ module DeviseTokenAuth
       true
     end
 
-    # necessary for access to devise_parameter_sanitizers
-    def devise_mapping
-      if omniauth_params
-        Devise.mappings[[omniauth_params['namespace_name'],
-                         omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
-      else
-        request.env['devise.mapping']
-      end
-    end
-
     def set_random_password
       # set crazy password for new oauth users. this is only used to prevent
       # access via email sign-in.
@@ -156,11 +192,11 @@ module DeviseTokenAuth
 
     def create_auth_params
       @auth_params = {
-        auth_token:     @token,
-        client_id: @client_id,
-        uid:       @resource.uid,
-        expiry:    @expiry,
-        config:    @config
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
       }
       @auth_params.merge!(oauth_registration: true) if @oauth_registration
       @auth_params
@@ -168,11 +204,16 @@ module DeviseTokenAuth
 
     def set_token_on_resource
       @config = omniauth_params['config_name']
-      @client_id, @token, @expiry = @resource.create_token
+      @token  = @resource.create_token
+    end
+
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
     end
 
     def render_data(message, data)
-      @data = data.merge(message: message)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
       render layout: nil, template: 'devise_token_auth/omniauth_external_window'
     end
 
@@ -209,11 +250,20 @@ module DeviseTokenAuth
             <html>
                     <head></head>
                     <body>
-                            #{text}
+                            #{ActionController::Base.helpers.sanitize(text)}
                     </body>
             </html>)
     end
 
+    def handle_new_resource
+      @oauth_registration = true
+      set_random_password
+    end
+
+    def assign_whitelisted_params?
+      true
+    end
+
     def get_resource_from_auth_hash
       # find or create user by provider and provider uid
       @resource = resource_class.where(
@@ -222,18 +272,20 @@ module DeviseTokenAuth
       ).first_or_initialize
 
       if @resource.new_record?
-        @oauth_registration = true
-        set_random_password
+        handle_new_resource
       end
 
       # sync user info with provider, update/generate auth token
       assign_provider_attrs(@resource, auth_hash)
 
       # assign any additional (whitelisted) attributes
-      extra_params = whitelisted_params
-      @resource.assign_attributes(extra_params) if extra_params
+      if assign_whitelisted_params?
+        extra_params = whitelisted_params
+        @resource.assign_attributes(extra_params) if extra_params
+      end
 
       @resource
     end
   end
+
 end