devise_token_auth 1.0.0 → 1.2.1

data/lib/generators/devise_token_auth/install_mongoid_generator.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require_relative 'install_generator_helpers'
+
+module DeviseTokenAuth
+  class InstallMongoidGenerator < Rails::Generators::Base
+    include DeviseTokenAuth::InstallGeneratorHelpers
+
+    def create_user_model
+      fname = "app/models/#{user_class.underscore}.rb"
+      if File.exist?(File.join(destination_root, fname))
+        inclusion = 'include DeviseTokenAuth::Concerns::User'
+        unless parse_file_for_line(fname, inclusion)
+          inject_into_file fname, before: /end\s\z/ do <<-'RUBY'
+
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  include DeviseTokenAuth::Concerns::User
+
+  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
+            RUBY
+          end
+        end
+      else
+        template('user_mongoid.rb.erb', fname)
+      end
+    end
+  end
+end

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -11,6 +11,11 @@ DeviseTokenAuth.setup do |config|
   # determines how long tokens will remain valid after they are issued.
   # config.token_lifespan = 2.weeks
 
+  # Limiting the token_cost to just 4 in testing will increase the performance of
+  # your test suite dramatically. The possible cost value is within range from 4
+  # to 31. It is recommended to not use a value more than 10 in other environments.
+  config.token_cost = Rails.env.test? ? 4 : 10
+
   # Sets the max number of concurrent devices per user, which is 10 by default.
   # After this limit is reached, the oldest tokens will be removed.
   # config.max_number_of_devices = 10
@@ -43,8 +48,16 @@ DeviseTokenAuth.setup do |config|
   #                        :'uid' => 'uid',
   #                        :'token-type' => 'token-type' }
 
+  # Makes it possible to use custom uid column
+  # config.other_uid = "foo"
+
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
   # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb

@@ -17,13 +17,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
       ## Rememberable
       t.datetime :remember_created_at
 
-      ## Trackable
-      t.integer  :sign_in_count, :default => 0, :null => false
-      t.datetime :current_sign_in_at
-      t.datetime :last_sign_in_at
-      t.string   :current_sign_in_ip
-      t.string   :last_sign_in_ip
-
       ## Confirmable
       t.string   :confirmation_token
       t.datetime :confirmed_at
@@ -51,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
     add_index :<%= table_name %>, [:uid, :provider],     unique: true
     add_index :<%= table_name %>, :reset_password_token, unique: true
     add_index :<%= table_name %>, :confirmation_token,   unique: true
-    # add_index :<%= table_name %>, :unlock_token,       unique: true
+    # add_index :<%= table_name %>, :unlock_token,         unique: true
   end
 end

data/lib/generators/devise_token_auth/templates/user.rb.erb

@@ -2,8 +2,8 @@
 
 class <%= user_class %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 end

data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+class <%= user_class %>
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+
+  ## Lockable
+  # field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  # field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  # field :locked_at,       type: Time
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  include DeviseTokenAuth::Concerns::User
+
+  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
+  index({ reset_password_token: 1 }, { name: 'reset_password_token_index', unique: true, sparse: true, background: true })
+  index({ confirmation_token: 1 }, { name: 'confirmation_token_index', unique: true, sparse: true, background: true })
+  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
+  # index({ unlock_token: 1 }, { name: 'unlock_token_index', unique: true, sparse: true, background: true })
+end

data/test/controllers/custom/custom_confirmations_controller_test.rb

@@ -5,7 +5,7 @@ require 'test_helper'
 class Custom::ConfirmationsControllerTest < ActionController::TestCase
   describe Custom::ConfirmationsController do
     include CustomControllersRoutes
-    
+
     before do
       @redirect_url = Faker::Internet.url
       @new_user = create(:user)

data/test/controllers/demo_mang_controller_test.rb

@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only_mang',
                 params: {},
                 headers: @auth_headers
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/demo_user_controller_test.rb

@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only',
                 params: {},
                 headers: @auth_headers
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end
@@ -321,8 +350,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           assert @resource.tokens.count > 1
 
           # password changed from new device
-          @resource.update_attributes(password: 'newsecret123',
-                                      password_confirmation: 'newsecret123')
+          @resource.update(password: 'newsecret123',
+                           password_confirmation: 'newsecret123')
 
           get '/demo/members_only',
               params: {},

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -23,6 +23,7 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
         mail = ActionMailer::Base.deliveries.last
         @token, @client_config = token_and_client_config_from(mail.body)
+        @token_params = %w[access-token client client_id config expiry token uid]
       end
 
       test 'should generate raw token' do
@@ -38,32 +39,164 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
       end
 
       describe 'success' do
-        before do
-          get :show,
-              params: { confirmation_token: @token,
-                        redirect_url: @redirect_url },
-              xhr: true
-          @resource = assigns(:resource)
-        end
+        describe 'when authenticated' do
+          before do
+            sign_in(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
 
-        test 'user should now be confirmed' do
-          assert @resource.confirmed?
-        end
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
+
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
+
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
 
-        test 'should redirect to success url' do
-          assert_redirected_to(/^#{@redirect_url}/)
+          test 'redirect url includes token params' do
+            assert @token_params.all? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
 
-        test 'the sign_in_count should be 1' do
-          assert @resource.sign_in_count == 1
+        describe 'when unauthenticated' do
+          before do
+            sign_out(@new_user)
+            get :show,
+                params: { confirmation_token: @token,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+          end
+
+          test 'user should now be confirmed' do
+            assert @resource.confirmed?
+          end
+
+          test 'should redirect to success url' do
+            assert_redirected_to(/^#{@redirect_url}/)
+          end
+
+          test 'redirect url does not include token params' do
+            refute @token_params.any? { |param| response.body.include?(param) }
+            assert response.body.include?('account_confirmation_success')
+          end
         end
 
-        test 'User shoud have the signed in info filled' do
-          assert @resource.current_sign_in_at?
+        describe 'resend confirmation' do
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
+          end
         end
 
-        test 'User shoud have the Last checkin filled' do
-          assert @resource.last_sign_in_at?
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+          end
+
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                @email = 'chester@cheet.ah'
+                post :create,
+                     params: { email: @email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should not contain errors' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+          end
         end
       end
 
@@ -75,6 +208,18 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end
+
+        test 'request resend confirmation without email' do
+          post :create, params: { email: nil }, xhr: true
+
+          assert_equal 401, response.status
+        end
+
+        test 'user should not be found on resend confirmation request' do
+          post :create, params: { email: 'bogus' }, xhr: true
+
+          assert_equal 404, response.status
+        end
       end
     end