devise_token_auth 1.1.0 → 1.1.5

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -28,11 +28,12 @@ module DeviseTokenAuth
       end
 
       # if whitelist is set, validate redirect_url against whitelist
-      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
 
       # override email confirmation, must be sent manually from ctrl
-      resource_class.set_callback('create', :after, :send_on_create_confirmation_instructions)
-      resource_class.skip_callback('create', :after, :send_on_create_confirmation_instructions)
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
 
       if @resource.respond_to? :skip_confirmation_notification!
         # Fix duplicate e-mails by disabling Devise confirmation e-mail
@@ -52,7 +53,7 @@ module DeviseTokenAuth
 
         if active_for_authentication?
           # email auth has been bypassed, authenticate user
-          @client_id, @token = @resource.create_token
+          @token = @resource.create_token
           @resource.save!
           update_auth_header
         end
@@ -181,7 +182,7 @@ module DeviseTokenAuth
       elsif account_update_params.key?(:current_password)
         'update_with_password'
       else
-        'update_attributes'
+        'update'
       end
     end
 

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
 
         sign_in(:user, @resource, store: false, bypass: false)
@@ -48,11 +48,11 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client_id = remove_instance_variable(:@client_id) if @client_id
-      remove_instance_variable(:@token) if @token
+      client = @token.client
+      @token.clear!
 
-      if user && client_id && user.tokens[client_id]
-        user.tokens.delete(client_id)
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
         user.save!
 
         yield user if block_given?

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -35,13 +35,13 @@ module DeviseTokenAuth
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
       if @resource.persisted?
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
 
         redirect_header_options = { unlock: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
                                              redirect_headers))

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -2,11 +2,7 @@ module DeviseTokenAuth::Concerns::ActiveRecordSupport
   extend ActiveSupport::Concern
 
   included do
-    serialize :tokens, JSON unless tokens_has_json_column_type?
-
-    # can't set default on text fields in mysql, simulate here instead.
-    after_save :set_empty_token_hash
-    after_initialize :set_empty_token_hash
+    serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
   end
 
   class_methods do
@@ -14,21 +10,5 @@ module DeviseTokenAuth::Concerns::ActiveRecordSupport
     def dta_find_by(attrs = {})
       find_by(attrs)
     end
-
-    protected
-
-    def tokens_has_json_column_type?
-      database_exists? && table_exists? && columns_hash['tokens'] && columns_hash['tokens'].type.in?([:json, :jsonb])
-    end
-
-    def database_exists?
-      ActiveRecord::Base.connection_pool.with_connection { |con| con.active? } rescue false
-    end
-  end
-
-  protected
-
-  def set_empty_token_hash
-    self.tokens ||= {} if has_attribute?(:tokens)
   end
 end

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -0,0 +1,28 @@
+module DeviseTokenAuth::Concerns::ConfirmableSupport
+  extend ActiveSupport::Concern
+
+  included do
+    # Override standard devise `postpone_email_change?` method
+    # for not to use `will_save_change_to_email?` & `email_changed?` methods.
+    def postpone_email_change?
+      postpone = self.class.reconfirmable &&
+        email_value_in_database != email &&
+        !@bypass_confirmation_postpone &&
+        self.email.present? &&
+        (!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
+      @bypass_confirmation_postpone = false
+      postpone
+    end
+  end
+
+  protected
+
+  def email_value_in_database
+    rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
+    if rails51 && respond_to?(:email_in_database)
+      email_in_database
+    else
+      email_was
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,31 @@
+module DeviseTokenAuth::Concerns::TokensSerialization
+  extend self
+  # Serialization hash to json
+  def dump(object)
+    JSON.generate(object && object.transform_values do |token|
+      serialize_updated_at(token).compact
+    end.compact)
+  end
+
+  # Deserialization json to hash
+  def load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+
+  private
+
+  def serialize_updated_at(token)
+    updated_at_key = ['updated_at', :updated_at].find(&token.method(:[]))
+
+    return token unless token[updated_at_key].respond_to?(:iso8601)
+
+    token.merge updated_at_key => token[updated_at_key].iso8601
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'bcrypt'
-
 module DeviseTokenAuth::Concerns::User
   extend ActiveSupport::Concern
 
@@ -9,7 +7,7 @@ module DeviseTokenAuth::Concerns::User
     @token_equality_cache ||= {}
 
     key = "#{token_hash}/#{token}"
-    result = @token_equality_cache[key] ||= (::BCrypt::Password.new(token_hash) == token)
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
     @token_equality_cache = {} if @token_equality_cache.size > 10000
     result
   end
@@ -46,6 +44,10 @@ module DeviseTokenAuth::Concerns::User
     def email_changed?; false; end
     def will_save_change_to_email?; false; end
 
+    if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
+      include DeviseTokenAuth::Concerns::ConfirmableSupport
+    end
+
     def password_required?
       return false unless provider == 'email'
       super
@@ -86,27 +88,25 @@ module DeviseTokenAuth::Concerns::User
       send_devise_notification(:unlock_instructions, raw, opts)
       raw
     end
-  end
 
-  def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
-    client_id ||= SecureRandom.urlsafe_base64(nil, false)
-    token     ||= SecureRandom.urlsafe_base64(nil, false)
-    expiry    ||= (Time.zone.now + token_lifespan).to_i
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
 
-    tokens[client_id] = {
-      token: BCrypt::Password.create(token),
-      expiry: expiry
-    }.merge!(token_extras)
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
 
-    clean_old_tokens
+      clean_old_tokens
 
-    [client_id, token, expiry]
+      token
+    end
   end
 
-  def valid_token?(token, client_id = 'default')
-    return false unless tokens[client_id]
-    return true if token_is_current?(token, client_id)
-    return true if token_can_be_reused?(token, client_id)
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
 
     # return false if none of the above conditions are met
     false
@@ -116,10 +116,10 @@ module DeviseTokenAuth::Concerns::User
   # can be passed on from the client
   def send_confirmation_notification?; false; end
 
-  def token_is_current?(token, client_id)
+  def token_is_current?(token, client)
     # ghetto HashWithIndifferentAccess
-    expiry     = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
-    token_hash = tokens[client_id]['token'] || tokens[client_id][:token]
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
 
     return true if (
       # ensure that expiry and token are set
@@ -134,53 +134,52 @@ module DeviseTokenAuth::Concerns::User
   end
 
   # allow batch requests to use the previous token
-  def token_can_be_reused?(token, client_id)
+  def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
-    updated_at = tokens[client_id]['updated_at'] || tokens[client_id][:updated_at]
-    last_token = tokens[client_id]['last_token'] || tokens[client_id][:last_token]
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
 
     return true if (
       # ensure that the last token and its creation time exist
-      updated_at && last_token &&
+      updated_at && last_token_hash &&
 
       # ensure that previous token falls within the batch buffer throttle time of the last request
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
-      ::BCrypt::Password.new(last_token) == token
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
     )
   end
 
   # update user's auth token (should happen on each request)
-  def create_new_auth_token(client_id = nil)
+  def create_new_auth_token(client = nil)
     now = Time.zone.now
 
-    client_id, token = create_token(
-      client_id: client_id,
-      expiry: (now + token_lifespan).to_i,
-      last_token: tokens.fetch(client_id, {})['token'],
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
       updated_at: now
     )
 
-    update_auth_header(token, client_id)
+    update_auth_header(token.token, token.client)
   end
 
-  def build_auth_header(token, client_id = 'default')
+  def build_auth_header(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
-    expiry = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
 
     {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
-      DeviseTokenAuth.headers_names[:"client"]       => client_id,
+      DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
   end
 
-  def update_auth_header(token, client_id = 'default')
-    headers = build_auth_header(token, client_id)
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
     clean_old_tokens
     save!
 
@@ -194,9 +193,9 @@ module DeviseTokenAuth::Concerns::User
     DeviseTokenAuth::Url.generate(base_url, args)
   end
 
-  def extend_batch_buffer(token, client_id)
-    tokens[client_id]['updated_at'] = Time.zone.now
-    update_auth_header(token, client_id)
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now
+    update_auth_header(token, client)
   end
 
   def confirmed?
@@ -207,10 +206,6 @@ module DeviseTokenAuth::Concerns::User
     as_json(except: %i[tokens created_at updated_at])
   end
 
-  def token_lifespan
-    DeviseTokenAuth.token_lifespan
-  end
-
   protected
 
   def destroy_expired_tokens
@@ -223,11 +218,11 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def should_remove_tokens_after_password_reset?
-    if Rails::VERSION::MAJOR <= 5
+    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
       encrypted_password_changed? &&
         DeviseTokenAuth.remove_tokens_after_password_reset
     else
-      saved_change_to_encrypted_password? &&
+      saved_change_to_attribute?(:encrypted_password) &&
         DeviseTokenAuth.remove_tokens_after_password_reset
     end
   end
@@ -236,8 +231,8 @@ module DeviseTokenAuth::Concerns::User
     return unless should_remove_tokens_after_password_reset?
 
     if tokens.present? && tokens.many?
-      client_id, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
-      self.tokens = { client_id => token_data }
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
     end
   end
 

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -5,11 +5,11 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 
   included do
     validates :email, presence: true,if: :email_provider?
-    validates :email, 'devise_token_auth/email' => true, allow_nil: true, allow_blank: true, if: :email_provider?
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
     validates_presence_of :uid, unless: :email_provider?
 
     # only validate unique emails among email registration users
-    validates :email, uniqueness: { scope: :provider }, on: :create, if: :email_provider?
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
 
     # keep uid in sync with email
     before_save :sync_uid
@@ -23,6 +23,9 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   end
 
   def sync_uid
+    if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone
+      return if postpone_email_change?
+    end
     self.uid = email if email_provider?
   end
 end

data/app/validators/{devise_token_auth/email_validator.rb → devise_token_auth_email_validator.rb}

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-class DeviseTokenAuth::EmailValidator < ActiveModel::EachValidator
+class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
     unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
-      record.errors[attribute] << email_invalid_message
+      record.errors.add(attribute, email_invalid_message)
     end
   end
 

data/config/locales/da-DK.yml

@@ -14,6 +14,8 @@ da-DK:
       account_with_uid_destroyed: "Kontoen med UID '%{uid}' er slettet."
       account_to_destroy_not_found: "Kan ikke finde kontoen som skal slettes."
       user_not_found: "Brugeren ikke fundet."
+    omniauth:
+      not_allowed_redirect_url: "Omdirigering til '%{redirect_url}' er ikke tilladt."
     passwords:
       missing_email: "Du skal udfylde email feltet."
       missing_redirect_url: "Der er ingen omdirigeringsadresse."

data/config/locales/de.yml

@@ -14,6 +14,8 @@ de:
       account_with_uid_destroyed: "Account mit der uid '%{uid}' wurde gelöscht."
       account_to_destroy_not_found: "Der zu löschende Account kann nicht gefunden werden."
       user_not_found: "Benutzer kann nicht gefunden werden."
+    omniauth:
+      not_allowed_redirect_url: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet."
     passwords:
       missing_email: "Sie müssen eine E-Mail-Adresse angeben."
       missing_redirect_url: "Es fehlt die URL zu Weiterleitung."

data/config/locales/en.yml

@@ -14,6 +14,8 @@ en:
       account_with_uid_destroyed: "Account with UID '%{uid}' has been destroyed."
       account_to_destroy_not_found: "Unable to locate account for destruction."
       user_not_found: "User not found."
+    omniauth:
+      not_allowed_redirect_url: "Redirect to '%{redirect_url}' not allowed."
     passwords:
       missing_email: "You must provide an email address."
       missing_redirect_url: "Missing redirect URL."
@@ -27,6 +29,11 @@ en:
       missing_email: "You must provide an email address."
       sended: "An email has been sent to '%{email}' containing instructions for unlocking your account."
       user_not_found: "Unable to find user with email '%{email}'."
+    confirmations:
+      sended: "An email has been sent to '%{email}' containing instructions for confirming your account."
+      user_not_found: "Unable to find user with email '%{email}'."
+      missing_email: "You must provide an email address."
+
   errors:
     messages:
       validate_sign_up_params: "Please submit proper sign up data in request body."