devise_token_auth 1.0.0 → 1.2.2

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -3,6 +3,9 @@
 module DeviseTokenAuth
   class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
     attr_reader :auth_params
+
+    before_action :validate_auth_origin_url_param
+
     skip_before_action :set_user_by_token, raise: false
     skip_after_action :update_auth_header
 
@@ -12,18 +15,43 @@ module DeviseTokenAuth
 
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
-      devise_mapping = [request.env['omniauth.params']['namespace_name'],
-                        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
-      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
-      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
-      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+      devise_mapping = get_devise_mapping
+      redirect_route = get_redirect_route(devise_mapping)
 
       # preserve omniauth info for success route. ignore 'extra' in twitter
       # auth response to avoid CookieOverflow.
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route
+      redirect_to redirect_route, {status: 307}.merge(redirect_options)
+    end
+
+    def get_redirect_route(devise_mapping)
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+    end
+
+    def get_devise_mapping
+       # derive target redirect route from 'resource_class' param, which was set
+       # before authentication.
+       devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+    rescue NoMethodError => err
+      default_devise_mapping
+    end
+
+    # This method will only be called if `get_devise_mapping` cannot
+    # find the mapping in `omniauth.params`.
+    #
+    # One example use-case here is for IDP-initiated SAML login.  In that
+    # case, there will have been no initial request in which to save
+    # the devise mapping.  If you are in a situation like that, and
+    # your app allows for you to determine somehow what the devise
+    # mapping should be (because, for example, it is always the same),
+    # then you can handle it by overriding this method.
+    def default_devise_mapping
+      raise NotImplementedError.new('no default_devise_mapping set')
     end
 
     def omniauth_success
@@ -42,6 +70,10 @@ module DeviseTokenAuth
 
       yield @resource if block_given?
 
+      if DeviseTokenAuth.cookie_enabled
+        set_token_in_cookie(@resource, @token)
+      end
+
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
 
@@ -50,6 +82,11 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
 
+    def validate_auth_origin_url_param
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
+
+
     protected
 
     # this will be determined differently depending on the action that calls
@@ -74,12 +111,12 @@ module DeviseTokenAuth
         end
       end
       @_omniauth_params
-
     end
 
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
-      attrs = auth_hash['info'].slice(*user.attributes.keys)
+      attrs = auth_hash['info'].to_hash
+      attrs = attrs.slice(*user.attribute_names)
       user.assign_attributes(attrs)
     end
 
@@ -95,25 +132,29 @@ module DeviseTokenAuth
     end
 
     def resource_class(mapping = nil)
-      if omniauth_params['resource_class']
-        omniauth_params['resource_class'].constantize
-      elsif params['resource_class']
-        params['resource_class'].constantize
-      else
-        raise 'No resource_class found'
-      end
+      return @resource_class if defined?(@resource_class)
+
+      constant_name = omniauth_params['resource_class'].presence || params['resource_class'].presence
+      @resource_class = ObjectSpace.each_object(Class).detect { |cls| cls.to_s == constant_name && cls.pretty_print_inspect.starts_with?(constant_name) }
+      raise 'No resource_class found' if @resource_class.nil?
+
+      @resource_class
     end
 
     def resource_name
       resource_class
     end
 
-    def omniauth_window_type
-      omniauth_params['omniauth_window_type']
+    def unsafe_auth_origin_url
+      omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
 
+
     def auth_origin_url
-      omniauth_params['auth_origin_url'] || omniauth_params['origin']
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
     end
 
     # in the success case, omniauth_window_type is in the omniauth_params.
@@ -122,12 +163,11 @@ module DeviseTokenAuth
       omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
     end
 
-    # this sesison value is set by the redirect_callbacks method. its purpose
+    # this session value is set by the redirect_callbacks method. its purpose
     # is to persist the omniauth auth hash value thru a redirect. the value
-    # must be destroyed immediatly after it is accessed by omniauth_success
+    # must be destroyed immediately after it is accessed by omniauth_success
     def auth_hash
       @_auth_hash ||= session.delete('dta.omniauth.auth')
-      @_auth_hash
     end
 
     # ensure that this controller responds to :devise_controller? conditionals.
@@ -136,16 +176,6 @@ module DeviseTokenAuth
       true
     end
 
-    # necessary for access to devise_parameter_sanitizers
-    def devise_mapping
-      if omniauth_params
-        Devise.mappings[[omniauth_params['namespace_name'],
-                         omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
-      else
-        request.env['devise.mapping']
-      end
-    end
-
     def set_random_password
       # set crazy password for new oauth users. this is only used to prevent
       # access via email sign-in.
@@ -156,11 +186,11 @@ module DeviseTokenAuth
 
     def create_auth_params
       @auth_params = {
-        auth_token:     @token,
-        client_id: @client_id,
-        uid:       @resource.uid,
-        expiry:    @expiry,
-        config:    @config
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
       }
       @auth_params.merge!(oauth_registration: true) if @oauth_registration
       @auth_params
@@ -168,11 +198,16 @@ module DeviseTokenAuth
 
     def set_token_on_resource
       @config = omniauth_params['config_name']
-      @client_id, @token, @expiry = @resource.create_token
+      @token  = @resource.create_token
+    end
+
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
     end
 
     def render_data(message, data)
-      @data = data.merge(message: message)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
       render layout: nil, template: 'devise_token_auth/omniauth_external_window'
     end
 
@@ -192,7 +227,7 @@ module DeviseTokenAuth
       elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
 
         # build and redirect to destination url
-        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true).merge(redirect_options))
       else
 
         # there SHOULD always be an auth_origin_url, but if someone does something silly
@@ -209,11 +244,20 @@ module DeviseTokenAuth
             <html>
                     <head></head>
                     <body>
-                            #{text}
+                            #{ActionController::Base.helpers.sanitize(text)}
                     </body>
             </html>)
     end
 
+    def handle_new_resource
+      @oauth_registration = true
+      set_random_password
+    end
+
+    def assign_whitelisted_params?
+      true
+    end
+
     def get_resource_from_auth_hash
       # find or create user by provider and provider uid
       @resource = resource_class.where(
@@ -222,16 +266,17 @@ module DeviseTokenAuth
       ).first_or_initialize
 
       if @resource.new_record?
-        @oauth_registration = true
-        set_random_password
+        handle_new_resource
       end
 
       # sync user info with provider, update/generate auth token
       assign_provider_attrs(@resource, auth_hash)
 
       # assign any additional (whitelisted) attributes
-      extra_params = whitelisted_params
-      @resource.assign_attributes(extra_params) if extra_params
+      if assign_whitelisted_params?
+        extra_params = whitelisted_params
+        @resource.assign_attributes(extra_params) if extra_params
+      end
 
       @resource
     end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -2,23 +2,13 @@
 
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
-    before_action :set_user_by_token, only: [:update]
+    before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
 
-    # this action is responsible for generating password reset tokens and
-    # sending emails
+    # this action is responsible for generating password reset tokens and sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
-      # give redirect value from params priority
-      @redirect_url = params.fetch(
-        :redirect_url,
-        DeviseTokenAuth.default_password_reset_url
-      )
-
-      return render_create_error_missing_redirect_url unless @redirect_url
-      return render_create_error_not_allowed_redirect_url if blacklisted_redirect_url?
-
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:uid, @email)
 
@@ -44,14 +34,13 @@ module DeviseTokenAuth
     # this is where users arrive after visiting the password reset confirmation link
     def edit
       # if a user is not found, return nil
-      @resource = with_reset_password_token(resource_params[:reset_password_token])
+      @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
       if @resource && @resource.reset_password_period_valid?
-        client_id, token = @resource.create_token
+        token = @resource.create_token unless require_client_password_reset_token?
 
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
-
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
 
@@ -59,12 +48,22 @@ module DeviseTokenAuth
 
         yield @resource if block_given?
 
-        redirect_header_options = { reset_password: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
-        redirect_to(@resource.build_auth_url(params[:redirect_url],
-                                             redirect_headers))
+        if require_client_password_reset_token?
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token]),
+          redirect_options
+        else
+          if DeviseTokenAuth.cookie_enabled
+            set_token_in_cookie(@resource, token)
+          end
+
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers),
+                                               redirect_options)
+        end
       else
         render_edit_error
       end
@@ -72,6 +71,15 @@ module DeviseTokenAuth
 
     def update
       # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
+
       return render_update_error_unauthorized unless @resource
 
       # make sure account doesn't use oauth2 provider
@@ -98,9 +106,9 @@ module DeviseTokenAuth
     protected
 
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
       if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
-        'update_attributes'
+        'update'
       else
         'update_with_password'
       end
@@ -114,7 +122,7 @@ module DeviseTokenAuth
       render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
     end
 
-    def render_create_error_not_allowed_redirect_url
+    def render_error_not_allowed_redirect_url
       response = {
         status: 'error',
         data:   resource_data
@@ -126,7 +134,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.passwords.sended', email: @email)
+        message: success_message('passwords', @email)
       }
     end
 
@@ -178,15 +186,31 @@ module DeviseTokenAuth
       params.permit(*params_for_resource(:account_update))
     end
 
-    def with_reset_password_token token
-      recoverable = resource_class.with_reset_password_token(token)
+    def render_not_found_error
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+      end
+    end
+
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_password_reset_url
+      )
 
-      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
-      recoverable
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
     end
 
-    def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+
+    def require_client_password_reset_token?
+      DeviseTokenAuth.require_client_password_reset_token
     end
   end
 end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -28,42 +28,40 @@ module DeviseTokenAuth
       end
 
       # if whitelist is set, validate redirect_url against whitelist
-      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
 
-      begin
-        # override email confirmation, must be sent manually from ctrl
-        resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
-        resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
+      # override email confirmation, must be sent manually from ctrl
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
 
-        if @resource.respond_to? :skip_confirmation_notification!
-          # Fix duplicate e-mails by disabling Devise confirmation e-mail
-          @resource.skip_confirmation_notification!
-        end
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
 
-        if @resource.save
-          yield @resource if block_given?
+      if @resource.save
+        yield @resource if block_given?
 
-          if @resource.confirmed?
-            # email auth has been bypassed, authenticate user
-            @client_id, @token = @resource.create_token
-            @resource.save!
-            update_auth_header
-          else
-            # user will require email authentication
-            @resource.send_confirmation_instructions(
-              client_config: params[:config_name],
-              redirect_url: @redirect_url
-            )
-          end
-
-          render_create_success
-        else
-          clean_up_passwords @resource
-          render_create_error
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
         end
-      rescue ActiveRecord::RecordNotUnique
+
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
+        end
+
+        render_create_success
+      else
         clean_up_passwords @resource
-        render_create_error_email_already_exists
+        render_create_error
       end
     end
 
@@ -145,15 +143,6 @@ module DeviseTokenAuth
       }, status: 422
     end
 
-    def render_create_error_email_already_exists
-      response = {
-        status: 'error',
-        data:   resource_data
-      }
-      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
-      render_error(422, message, response)
-    end
-
     def render_update_success
       render json: {
         status: 'success',
@@ -193,7 +182,7 @@ module DeviseTokenAuth
       elsif account_update_params.key?(:current_password)
         'update_with_password'
       else
-        'update_attributes'
+        'update'
       end
     end
 
@@ -208,5 +197,9 @@ module DeviseTokenAuth
     def validate_post_data which, message
       render_error(:unprocessable_entity, message, status: 'error') if which.empty?
     end
+
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
   end
 end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -11,11 +11,7 @@ module DeviseTokenAuth
     end
 
     def create
-      # Check
-      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
-
-      @resource = nil
-      if field
+      if field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
         q_value = get_case_insensitive_field_from_resource_params(field)
 
         @resource = find_resource(field, q_value)
@@ -26,21 +22,22 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @client_id, @token = @resource.create_token
-        @resource.save
 
-        sign_in(:user, @resource, store: false, bypass: false)
+        create_and_assign_token
+
+        sign_in(@resource, scope: :user, store: false, bypass: false)
 
         yield @resource if block_given?
 
         render_create_success
-      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      elsif @resource && !Devise.paranoid && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
         if @resource.respond_to?(:locked_at) && @resource.locked_at
           render_create_error_account_locked
         else
           render_create_error_not_confirmed
         end
       else
+        hash_password_in_paranoid_mode
         render_create_error_bad_credentials
       end
     end
@@ -48,13 +45,19 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client_id = remove_instance_variable(:@client_id) if @client_id
-      remove_instance_variable(:@token) if @token
+      client = @token.client
+      @token.clear!
 
-      if user && client_id && user.tokens[client_id]
-        user.tokens.delete(client_id)
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
         user.save!
 
+        if DeviseTokenAuth.cookie_enabled
+          # If a cookie is set with a domain specified then it must be deleted with that domain specified
+          # See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+          cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
+        end
+
         yield user if block_given?
 
         render_destroy_success
@@ -72,7 +75,6 @@ module DeviseTokenAuth
     def get_auth_params
       auth_key = nil
       auth_val = nil
-
       # iterate thru allowed auth keys, use first found
       resource_class.authentication_keys.each do |k|
         if resource_params[k]
@@ -127,5 +129,25 @@ module DeviseTokenAuth
     def resource_params
       params.permit(*params_for_resource(:sign_in))
     end
+
+    def create_and_assign_token
+      if @resource.respond_to?(:with_lock)
+        @resource.with_lock do
+          @token = @resource.create_token
+          @resource.save!
+        end
+      else
+        @token = @resource.create_token
+        @resource.save!
+      end
+    end
+
+    def hash_password_in_paranoid_mode
+      # In order to avoid timing attacks in paranoid mode, we want the password hash to be
+      # calculated even if no resource has been found. Devise's DatabaseAuthenticatable warden
+      # strategy handles this case similarly:
+      # https://github.com/heartcombo/devise/blob/main/lib/devise/strategies/database_authenticatable.rb
+      resource_class.new.password = resource_params[:password] if Devise.paranoid
+    end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -34,17 +34,18 @@ module DeviseTokenAuth
     def show
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
-      if @resource && @resource.id
-        client_id, token = @resource.create_token
+      if @resource.persisted?
+        token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
 
         redirect_header_options = { unlock: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
-                                             redirect_headers))
+                                             redirect_headers),
+                                             redirect_options)
       else
         render_show_error
       end
@@ -63,7 +64,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.unlocks.sended', email: @email)
+        message: success_message('unlocks', @email)
       }
     end
 
@@ -79,7 +80,11 @@ module DeviseTokenAuth
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      end
     end
 
     def resource_params

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -0,0 +1,14 @@
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+
+  included do
+    serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end