RubyGems - devise_token_auth - Versions diffs - 1.1.0 → 1.1.5 - Mend

devise_token_auth 1.1.0 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (91) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5baf8b0a539be2dcf9b1add5ee2dfaac82753127a6180500c653e7d710c04da3
-  data.tar.gz: 794584507c533b59b88c724c810f7099d06221ff35faab7ee558f92d6849688e
+  metadata.gz: 7a64d8fc927471b28cec59b5191e06ef4d2fd7152dadcc9f49b5c512611ba4e6
+  data.tar.gz: 3ac708a845da1df134975f293a7db9e8977cd116c0d8dbdc7650e249bb99df82
 SHA512:
-  metadata.gz: 58f70c5a715ef337e2d949261f0c774f020831f9755d12fc37b04ca4cba2e416080658946bdb95f5fc1625a3a53c3836202b9e9842dbf420363959be163786cc
-  data.tar.gz: 8991c6cea21651fff0c98561ac6004bd4a75e04e78ad1af749c04e71fcb9caf8ebb19255ecb78ae91e610b6db05d878d9cf41492560941ea131bcefb7ea0bc0b
+  metadata.gz: 51a73c32d0debfc772ff7f7b8b5a524a67fde1676bb66a1d77d243c451a3ca5b375c593287bfb1be2abff7ff881947e39470a6d46421c73f112d4a5b1d774858
+  data.tar.gz: a79f4e32938818a92fddbcb88eb918da3c53afe8bf304769fa9d02f1841ed67093ab0bf7b004263094737da15d3dae222b785c70ef233e1b6f43a07a7f49f2b5

data/README.md CHANGED Viewed

@@ -65,6 +65,8 @@ Please read the [issue template](https://github.com/lynndylanhurley/devise_token
 See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969).
+We have some bounties for some issues, [check them out](https://github.com/lynndylanhurley/devise_token_auth/issues?q=is%3Aopen+is%3Aissue+label%3Abounty)!
 ## Live Demos
 [Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).

data/app/controllers/devise_token_auth/application_controller.rb CHANGED Viewed

@@ -16,8 +16,8 @@ module DeviseTokenAuth
     protected
-    def blacklisted_redirect_url?
-      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
     end
     def build_redirect_headers(access_token, client, redirect_header_options = {})

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb CHANGED Viewed

@@ -17,9 +17,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @used_auth_by_token = true
     # initialize instance variables
-    @client_id ||= nil
+    @token ||= DeviseTokenAuth::TokenFactory.new
     @resource ||= nil
-    @token ||= nil
     @is_batch_request ||= nil
   end
@@ -37,17 +36,18 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     client_name = DeviseTokenAuth.headers_names[:'client']
     # parse header for values necessary for authentication
-    uid        = request.headers[uid_name] || params[uid_name]
-    @token     ||= request.headers[access_token_name] || params[access_token_name]
-    @client_id ||= request.headers[client_name] || params[client_name]
+    uid              = request.headers[uid_name] || params[uid_name]
+    @token           = DeviseTokenAuth::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name]
-    # client_id isn't required, set to 'default' if absent
-    @client_id ||= 'default'
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
     # check for an existing user, authenticated via warden/devise, if enabled
     if DeviseTokenAuth.enable_standard_devise_support
-      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
-      if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+      devise_warden_user = warden.user(mapping)
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
         @used_auth_by_token = false
         @resource = devise_warden_user
         # REVIEW: The following line _should_ be safe to remove;
@@ -59,19 +59,17 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # user has already been found and authenticated
     return @resource if @resource && @resource.is_a?(rc)
-    # ensure we clear the client_id
-    unless @token
-      @client_id = nil
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
       return
     end
-    return false unless @token
     # mitigate timing attacks by finding by uid instead of auth token
     user = uid && rc.dta_find_by(uid: uid)
     scope = rc.to_s.underscore.to_sym
-    if user && user.valid_token?(@token, @client_id)
+    if user && user.valid_token?(@token.token, @token.client)
       # sign_in with bypass: true will be deprecated in the next version of Devise
       if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
         bypass_sign_in(user, scope: scope)
@@ -81,32 +79,31 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       return @resource = user
     else
       # zero all values previously set values
-      @client_id = nil
+      @token.client = nil
       return @resource = nil
     end
   end
   def update_auth_header
     # cannot save object if model has invalid params
+    return unless @resource && @token.client
-    return unless @resource && @client_id
-    # Generate new client_id with existing authentication
-    @client_id = nil unless @used_auth_by_token
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
     if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @resource.reload.tokens[@client_id].nil?
+      return if @resource.reload.tokens[@token.client].nil?
-      auth_header = @resource.build_auth_header(@token, @client_id)
+      auth_header = @resource.build_auth_header(@token.token, @token.client)
       # update the response header
       response.headers.merge!(auth_header)
     else
       unless @resource.reload.valid?
-        @resource = resource_class.find(@resource.to_param) # errors remain after reload
+        @resource = @resource.class.find(@resource.to_param) # errors remain after reload
         # if we left the model in a bad state, something is wrong in our app
         unless @resource.valid?
           raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
@@ -124,30 +121,30 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @resource.with_lock do
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @used_auth_by_token && @resource.tokens[@client_id].nil?
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
       # update the response header
       response.headers.merge!(auth_header_from_batch_request)
     end # end lock
   end
-  def is_batch_request?(user, client_id)
+  def is_batch_request?(user, client)
     !params[:unbatch] &&
-      user.tokens[client_id] &&
-      user.tokens[client_id]['updated_at'] &&
-      user.tokens[client_id]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
   end
   def auth_header_from_batch_request
     # determine batch request status after request processing, in case
     # another processes has updated it during that processing
-    @is_batch_request = is_batch_request?(@resource, @client_id)
+    @is_batch_request = is_batch_request?(@resource, @token.client)
     auth_header = {}
     # extend expiration of batch buffer to account for the duration of
     # this request
     if @is_batch_request
-      auth_header = @resource.extend_batch_buffer(@token, @client_id)
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
       # Do not return token for batch requests to avoid invalidated
       # tokens returned to the client in case of race conditions.
@@ -158,7 +155,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
     else
       # update Authorization response header with new token
-      auth_header = @resource.create_new_auth_token(@client_id)
+      auth_header = @resource.create_new_auth_token(@token.client)
     end
     auth_header
   end

data/app/controllers/devise_token_auth/confirmations_controller.rb CHANGED Viewed

@@ -2,22 +2,21 @@
 module DeviseTokenAuth
   class ConfirmationsController < DeviseTokenAuth::ApplicationController
     def show
-      @resource = resource_class.confirm_by_token(params[:confirmation_token])
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
       if @resource.errors.empty?
         yield @resource if block_given?
         redirect_header_options = { account_confirmation_success: true }
-        # give redirect value from params priority or fall back to default value if provided
-        redirect_url = params[:redirect_url] || DeviseTokenAuth.default_confirm_success_url
         if signed_in?(resource_name)
-          client_id, token = signed_in_resource.create_token
+          token = signed_in_resource.create_token
+          signed_in_resource.save!
-          redirect_headers = build_redirect_headers(token,
-                                                    client_id,
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
                                                     redirect_header_options)
           redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
@@ -30,5 +29,54 @@ module DeviseTokenAuth
         raise ActionController::RoutingError, 'Not Found'
       end
     end
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+      return render_not_found_error unless @resource
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+      return render_create_success
+    end
+    protected
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.confirmations.missing_email'))
+    end
+    def render_create_success
+      render json: {
+          success: true,
+          message: I18n.t('devise_token_auth.confirmations.sended', email: @email)
+      }
+    end
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+    end
+    private
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+    end
   end
 end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb CHANGED Viewed

@@ -3,6 +3,9 @@
 module DeviseTokenAuth
   class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
     attr_reader :auth_params
+    before_action :validate_auth_origin_url_param
     skip_before_action :set_user_by_token, raise: false
     skip_after_action :update_auth_header
@@ -62,7 +65,7 @@ module DeviseTokenAuth
       end
       sign_in(:user, @resource, store: false, bypass: false)
       @resource.save!
       yield @resource if block_given?
@@ -75,6 +78,11 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
+    def validate_auth_origin_url_param
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
     protected
     # this will be determined differently depending on the action that calls
@@ -104,7 +112,8 @@ module DeviseTokenAuth
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
-      attrs = auth_hash['info'].slice(*user.attribute_names)
+      attrs = auth_hash['info'].to_hash
+      attrs = attrs.slice(*user.attribute_names)
       user.assign_attributes(attrs)
     end
@@ -137,10 +146,18 @@ module DeviseTokenAuth
       omniauth_params['omniauth_window_type']
     end
-    def auth_origin_url
+    def unsafe_auth_origin_url
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
+    def auth_origin_url
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
+    end
     # in the success case, omniauth_window_type is in the omniauth_params.
     # in the failure case, it is in a query param.  See monkey patch above
     def omniauth_window_type
@@ -171,11 +188,11 @@ module DeviseTokenAuth
     def create_auth_params
       @auth_params = {
-        auth_token:     @token,
-        client_id: @client_id,
-        uid:       @resource.uid,
-        expiry:    @expiry,
-        config:    @config
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
       }
       @auth_params.merge!(oauth_registration: true) if @oauth_registration
       @auth_params
@@ -183,11 +200,16 @@ module DeviseTokenAuth
     def set_token_on_resource
       @config = omniauth_params['config_name']
-      @client_id, @token, @expiry = @resource.create_token
+      @token  = @resource.create_token
+    end
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
     end
     def render_data(message, data)
-      @data = data.merge(message: message)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
       render layout: nil, template: 'devise_token_auth/omniauth_external_window'
     end
@@ -224,7 +246,7 @@ module DeviseTokenAuth
             <html>
                     <head></head>
                     <body>
-                            #{text}
+                            #{ActionController::Base.helpers.sanitize(text)}
                     </body>
             </html>)
     end
@@ -261,4 +283,5 @@ module DeviseTokenAuth
       @resource
     end
   end
 end

data/app/controllers/devise_token_auth/passwords_controller.rb CHANGED Viewed

@@ -2,12 +2,10 @@
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
-    before_action :set_user_by_token, only: [:update]
     before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
-    # this action is responsible for generating password reset tokens and
-    # sending emails
+    # this action is responsible for generating password reset tokens and sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
@@ -39,11 +37,10 @@ module DeviseTokenAuth
       @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
       if @resource && @resource.reset_password_period_valid?
-        client_id, token = @resource.create_token
+        token = @resource.create_token unless require_client_password_reset_token?
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
@@ -51,12 +48,16 @@ module DeviseTokenAuth
         yield @resource if block_given?
-        redirect_header_options = { reset_password: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
-                                                  redirect_header_options)
-        redirect_to(@resource.build_auth_url(@redirect_url,
-                                             redirect_headers))
+        if require_client_password_reset_token?
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+        else
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers))
+        end
       else
         render_edit_error
       end
@@ -64,6 +65,15 @@ module DeviseTokenAuth
     def update
       # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
       return render_update_error_unauthorized unless @resource
       # make sure account doesn't use oauth2 provider
@@ -90,9 +100,9 @@ module DeviseTokenAuth
     protected
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
       if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
-        'update_attributes'
+        'update'
       else
         'update_with_password'
       end
@@ -182,7 +192,15 @@ module DeviseTokenAuth
       )
       return render_create_error_missing_redirect_url unless @redirect_url
-      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+    end
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+    def require_client_password_reset_token?
+      DeviseTokenAuth.require_client_password_reset_token
     end
   end
 end