devise_token_auth 1.0.0 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 916c84285bb6b805d3a70a5adc8e86d83efb348e
-  data.tar.gz: 38deed793c1466de04cd75ab4861627a5eb18447
+SHA256:
+  metadata.gz: 135b5088d17b20d187a6ffe314356dd2a2474d9bd98898bc9e36bc931e6c9fef
+  data.tar.gz: cf3c3c6fc19564248bdcb22e3b99624bd25a027383649a45c7e7bf1fddfd5bbd
 SHA512:
-  metadata.gz: 4b631710faf5afc08a2f0f0fc89a96e63c7fe07d0c7a985a19d3b5c0a18801401afe67525aa6e0a078195ca4d24c58b6a6651da667c2a7a7f40723d4974dc850
-  data.tar.gz: 8707ad62656749fc88de275533456b93c17545f854e40f03920365c2ba9a11c170af44787118c4d8bc59ef593c5535ce8e09c512338c0de8af860c7e2500746f
+  metadata.gz: 5f6e88376261bcea31e98d8af66cc298755d2cbc2724c481a100d78273824b1dcfcc016bbc2af2b43d1dcac945fc6a4015d351f321da9a432ec4c5129f8c58f0
+  data.tar.gz: bde72417d1882c6f69076d3bfe8cebd077e39a681898fb0c5603643770a3d81eb0ac3d42dd46f8ae27aff4dae74a138159160974c1996ef4e28d252baf6b52ba

data/README.md

@@ -1,7 +1,7 @@
 # Devise Token Auth
 
 [![Gem Version](https://badge.fury.io/rb/devise_token_auth.svg)](http://badge.fury.io/rb/devise_token_auth)
-[![Build Status](https://travis-ci.org/lynndylanhurley/devise_token_auth.svg?branch=master)](https://travis-ci.org/lynndylanhurley/devise_token_auth)
+[![Build Status](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml)
 [![Code Climate](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/gpa.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth)
 [![Test Coverage](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/coverage.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/coverage)
 [![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth)
@@ -19,9 +19,10 @@ Also, it maintains a session for each client/device, so you can have as many ses
 
 * Seamless integration with:
   * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
-  * [Angular2-Token](https://github.com/neroniaky/angular2-token) for [Angular2](https://github.com/angular/angular)
+  * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
+  * [vanilla-token-auth](https://github.com/theblang/vanilla-token-auth) for an unopinionated client
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
 * Email authentication using [Devise](https://github.com/plataformatec/devise), including:
   * User registration, update and deletion
@@ -65,11 +66,13 @@ Please read the [issue template](https://github.com/lynndylanhurley/devise_token
 
 See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969).
 
+We have some bounties for some issues, [check them out](https://github.com/lynndylanhurley/devise_token_auth/issues?q=is%3Aopen+is%3Aissue+label%3Abounty)!
+
 ## Live Demos
 
 [Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).
 
-[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular).
+[Here is a demo](https://stackblitz.com/github/neroniaky/angular-token) of this app running with the [Angular-Token](https://github.com/neroniaky/angular-token) service and [Angular](https://github.com/angular/angular).
 
 [Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/).
 

data/app/controllers/devise_token_auth/application_controller.rb

@@ -3,7 +3,6 @@
 module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
-    include DeviseTokenAuth::Concerns::ResourceFinder
 
     def resource_data(opts = {})
       response_data = opts[:resource_json] || @resource.as_json
@@ -17,8 +16,8 @@ module DeviseTokenAuth
 
     protected
 
-    def blacklisted_redirect_url?
-      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
     end
 
     def build_redirect_headers(access_token, client, redirect_header_options = {})
@@ -76,5 +75,26 @@ module DeviseTokenAuth
       response = response.merge(data) if data
       render json: response, status: status
     end
+
+    def success_message(name, email)
+      if Devise.paranoid
+        I18n.t("devise_token_auth.#{name}.sended_paranoid")
+      else
+        I18n.t("devise_token_auth.#{name}.sended", email: email)
+      end
+    end
+
+    def redirect_options
+      {}
+    end
+
+    # When using a cookie to transport the auth token we can set it immediately in flows such as
+    # reset password and OmniAuth success, rather than making the client scrape the token from
+    # query params (to then send in the initial validate_token request).
+    # TODO: We should be able to stop exposing the token in query params when this method is used
+    def set_token_in_cookie(resource, token)
+      auth_header = resource.build_auth_headers(token.token, token.client)
+      cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,21 +20,34 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    # fix for mysql default case insensitivity
-    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
-    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-      q = 'BINARY ' + q
-    end
+    @resource = if database_adapter&.include?('mysql')
+                  # fix for mysql default case insensitivity
+                  field_sanitized = resource_class.connection.quote_column_name(field)
+                  resource_class.where("BINARY #{field_sanitized} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
+  end
+
+  def database_adapter
+    @database_adapter ||= begin
+      rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
 
-    @resource = resource_class.where(q, value).first
+      adapter =
+        if rails_version >= "6.1"
+          resource_class.try(:connection_db_config)&.try(:adapter)
+        else
+          resource_class.try(:connection_config)&.try(:[], :adapter)
+        end
+    end
   end
 
   def resource_class(m = nil)
-    if m
-      mapping = Devise.mappings[m]
-    else
-      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
-    end
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
 
     mapping.to
   end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -17,24 +17,11 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @used_auth_by_token = true
 
     # initialize instance variables
-    @client_id ||= nil
+    @token ||= DeviseTokenAuth::TokenFactory.new
     @resource ||= nil
-    @token ||= nil
     @is_batch_request ||= nil
   end
 
-  def ensure_pristine_resource
-    if @resource.changed?
-      # Stash pending changes in the resource before reloading.
-      changes = @resource.changes
-      @resource.reload
-    end
-    yield
-  ensure
-    # Reapply pending changes
-    @resource.assign_attributes(changes) if changes
-  end
-
   # user auth
   def set_user_by_token(mapping = nil)
     # determine target authentication class
@@ -45,21 +32,37 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
+    other_uid_name = DeviseTokenAuth.other_uid && DeviseTokenAuth.headers_names[DeviseTokenAuth.other_uid.to_sym]
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
+    authorization_name = DeviseTokenAuth.headers_names[:"authorization"]
+
+    # Read Authorization token and decode it if present
+    decoded_authorization_token = decode_bearer_token(request.headers[authorization_name])
+
+    # gets values from cookie if configured and present
+    parsed_auth_cookie = {}
+    if DeviseTokenAuth.cookie_enabled
+      auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
+      if auth_cookie.present?
+        parsed_auth_cookie = JSON.parse(auth_cookie)
+      end
+    end
 
     # parse header for values necessary for authentication
-    uid        = request.headers[uid_name] || params[uid_name]
-    @token     ||= request.headers[access_token_name] || params[access_token_name]
-    @client_id ||= request.headers[client_name] || params[client_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
+    other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
+    @token           = DeviseTokenAuth::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]
 
-    # client_id isn't required, set to 'default' if absent
-    @client_id ||= 'default'
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
 
     # check for an existing user, authenticated via warden/devise, if enabled
     if DeviseTokenAuth.enable_standard_devise_support
-      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
-      if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+      devise_warden_user = warden.user(mapping)
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
         @used_auth_by_token = false
         @resource = devise_warden_user
         # REVIEW: The following line _should_ be safe to remove;
@@ -71,53 +74,55 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # user has already been found and authenticated
     return @resource if @resource && @resource.is_a?(rc)
 
-    # ensure we clear the client_id
-    unless @token
-      @client_id = nil
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
       return
     end
 
-    return false unless @token
-
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.find_by(uid: uid)
+    user = (uid && rc.dta_find_by(uid: uid)) || (other_uid && rc.dta_find_by("#{DeviseTokenAuth.other_uid}": other_uid))
+    scope = rc.to_s.underscore.to_sym
 
-    if user && user.valid_token?(@token, @client_id)
+    if user && user.valid_token?(@token.token, @token.client)
       # sign_in with bypass: true will be deprecated in the next version of Devise
       if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
-        bypass_sign_in(user, scope: :user)
+        bypass_sign_in(user, scope: scope)
       else
-        sign_in(:user, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
       end
       return @resource = user
     else
       # zero all values previously set values
-      @client_id = nil
+      @token.client = nil
       return @resource = nil
     end
   end
 
   def update_auth_header
     # cannot save object if model has invalid params
+    return unless @resource && @token.client
 
-    return unless @resource && @client_id
-
-    # Generate new client_id with existing authentication
-    @client_id = nil unless @used_auth_by_token
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
 
     if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @resource.reload.tokens[@client_id].nil?
+      return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token, @client_id)
+      auth_header = @resource.build_auth_headers(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)
 
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(auth_header)
+      end
     else
       unless @resource.reload.valid?
-        @resource = resource_class.find(@resource.to_param) # errors remain after reload
+        @resource = @resource.class.find(@resource.to_param) # errors remain after reload
         # if we left the model in a bad state, something is wrong in our app
         unless @resource.valid?
           raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
@@ -129,38 +134,54 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
   private
 
+  def decode_bearer_token(bearer_token)
+    return {} if bearer_token.blank?
+
+    encoded_token = bearer_token.split.last # Removes the 'Bearer' from the string
+    JSON.parse(Base64.strict_decode64(encoded_token)) rescue {}
+  end
+
   def refresh_headers
-    ensure_pristine_resource do
-      # Lock the user record during any auth_header updates to ensure
-      # we don't have write contention from multiple threads
-      @resource.with_lock do
-        # should not append auth header if @resource related token was
-        # cleared by sign out in the meantime
-        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
-
-        # update the response header
-        response.headers.merge!(auth_header_from_batch_request)
-      end # end lock
-    end # end ensure_pristine_resource
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
+
+      _auth_header_from_batch_request = auth_header_from_batch_request
+
+      # update the response header
+      response.headers.merge!(_auth_header_from_batch_request)
+
+      # set a server cookie if configured and is not a batch request
+      if DeviseTokenAuth.cookie_enabled && !@is_batch_request
+        set_cookie(_auth_header_from_batch_request)
+      end
+    end # end lock
+  end
+
+  def set_cookie(auth_header)
+    cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
   end
 
-  def is_batch_request?(user, client_id)
+  def is_batch_request?(user, client)
     !params[:unbatch] &&
-      user.tokens[client_id] &&
-      user.tokens[client_id]['updated_at'] &&
-      Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
   end
 
   def auth_header_from_batch_request
     # determine batch request status after request processing, in case
     # another processes has updated it during that processing
-    @is_batch_request = is_batch_request?(@resource, @client_id)
+    @is_batch_request = is_batch_request?(@resource, @token.client)
 
     auth_header = {}
     # extend expiration of batch buffer to account for the duration of
     # this request
     if @is_batch_request
-      auth_header = @resource.extend_batch_buffer(@token, @client_id)
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
 
       # Do not return token for batch requests to avoid invalidated
       # tokens returned to the client in case of race conditions.
@@ -171,7 +192,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
     else
       # update Authorization response header with new token
-      auth_header = @resource.create_new_auth_token(@client_id)
+      auth_header = @resource.create_new_auth_token(@token.client)
     end
     auth_header
   end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -2,38 +2,88 @@
 
 module DeviseTokenAuth
   class ConfirmationsController < DeviseTokenAuth::ApplicationController
+
     def show
-      @resource = resource_class.confirm_by_token(params[:confirmation_token])
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
+
+      if @resource.errors.empty?
+        yield @resource if block_given?
+
+        redirect_header_options = { account_confirmation_success: true }
+
+        if signed_in?(resource_name)
+          token = signed_in_resource.create_token
+          signed_in_resource.save!
 
-      if @resource && @resource.id
-        expiry = nil
-        if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
-          expiry = (Time.zone.now + 1.second).to_i
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+
+          redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
         end
 
-        client_id, token = @resource.create_token expiry: expiry
+        redirect_to(redirect_to_link, redirect_options)
+      else
+        if redirect_url
+          redirect_to DeviseTokenAuth::Url.generate(redirect_url, account_confirmation_success: false)
+        else
+          raise ActionController::RoutingError, 'Not Found'
+        end
+      end
+    end
 
-        sign_in(@resource)
-        @resource.save!
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
 
-        yield @resource if block_given?
+      @email = get_case_insensitive_field_from_resource_params(:email)
 
-        redirect_header_options = { account_confirmation_success: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
 
-        # give redirect value from params priority
-        @redirect_url = params[:redirect_url]
+      return render_create_success
+    end
+
+    protected
 
-        # fall back to default value if provided
-        @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.confirmations.missing_email'))
+    end
 
+    def render_create_success
+      render json: {
+               success: true,
+               message: success_message('confirmations', @email)
+             }
+    end
 
-        redirect_to(@resource.build_auth_url(@redirect_url, redirect_headers))
+    def render_not_found_error
+      if Devise.paranoid
+        render_create_success
       else
-        raise ActionController::RoutingError, 'Not Found'
+        render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
       end
     end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+    end
   end
 end