devise_token_auth 1.1.0 → 1.1.5

data/lib/devise_token_auth/url.rb

@@ -11,6 +11,9 @@ module DeviseTokenAuth::Url
     query = [uri.query, params.to_query].reject(&:blank?).join('&')
     res += "?#{query}"
     res += "##{uri.fragment}" if uri.fragment
+    # repeat any query params after the fragment to deal with Angular eating any pre fragment query params, used
+    # in the reset password redirect url
+    res += "?#{query}" if uri.fragment
 
     res
   end

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.1.5'.freeze
 end

data/lib/generators/devise_token_auth/USAGE

@@ -8,7 +8,7 @@ Arguments:
              # 'User'
   MOUNT_PATH # The path at which to mount the authentication routes. Default is
              # 'auth'. More detail documentation is here:
-             # https://github.com/lynndylanhurley/devise_token_auth#usage-tldr
+             # https://devise-token-auth.gitbook.io/devise-token-auth/usage
 
 Example:
   rails generate devise_token_auth:install User auth

data/lib/generators/devise_token_auth/install_generator.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         inclusion = 'include DeviseTokenAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
 
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
           inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
             # Include default devise modules.
             devise :database_authenticatable, :registerable,
@@ -75,12 +75,12 @@ module DeviseTokenAuth
       ActiveRecord::Base.connection.select_value('SELECT VERSION()')
     end
 
-    def rails5?
-      Rails.version.start_with? '5'
+    def rails_5_or_newer?
+      Rails::VERSION::MAJOR >= 5
     end
 
     def primary_key_type
-      primary_key_string if rails5?
+      primary_key_string if rails_5_or_newer?
     end
 
     def primary_key_string

data/lib/generators/devise_token_auth/install_mongoid_generator.rb

@@ -29,9 +29,9 @@ module DeviseTokenAuth
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -11,6 +11,11 @@ DeviseTokenAuth.setup do |config|
   # determines how long tokens will remain valid after they are issued.
   # config.token_lifespan = 2.weeks
 
+  # Limiting the token_cost to just 4 in testing will increase the performance of
+  # your test suite dramatically. The possible cost value is within range from 4
+  # to 31. It is recommended to not use a value more than 10 in other environments.
+  config.token_cost = Rails.env.test? ? 4 : 10
+
   # Sets the max number of concurrent devices per user, which is 10 by default.
   # After this limit is reached, the oldest tokens will be removed.
   # config.max_number_of_devices = 10
@@ -47,4 +52,9 @@ DeviseTokenAuth.setup do |config|
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
   # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb

@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
     add_index :<%= table_name %>, [:uid, :provider],     unique: true
     add_index :<%= table_name %>, :reset_password_token, unique: true
     add_index :<%= table_name %>, :confirmation_token,   unique: true
-    # add_index :<%= table_name %>, :unlock_token,       unique: true
+    # add_index :<%= table_name %>, :unlock_token,         unique: true
   end
 end

data/lib/generators/devise_token_auth/templates/user.rb.erb

@@ -2,8 +2,8 @@
 
 class <%= user_class %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 end

data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb

@@ -43,9 +43,9 @@ class <%= user_class %>
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ email: 1 }, { name: 'email_index', unique: true, background: true })

data/test/controllers/demo_user_controller_test.rb

@@ -321,8 +321,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
           assert @resource.tokens.count > 1
 
           # password changed from new device
-          @resource.update_attributes(password: 'newsecret123',
-                                      password_confirmation: 'newsecret123')
+          @resource.update(password: 'newsecret123',
+                           password_confirmation: 'newsecret123')
 
           get '/demo/members_only',
               params: {},

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             assert @resource.confirmed?
           end
 
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
+
           test 'should redirect to success url' do
             assert_redirected_to(/^#{@redirect_url}/)
           end
@@ -86,6 +90,33 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             assert response.body.include?('account_confirmation_success')
           end
         end
+
+        describe 'resend confirmation' do
+          before do
+            post :create,
+                params: { email: @new_user.email,
+                          redirect_url: @redirect_url },
+                xhr: true
+            @resource = assigns(:resource)
+
+            @mail = ActionMailer::Base.deliveries.last
+            @token, @client_config = token_and_client_config_from(@mail.body)
+          end
+
+          test 'user should not be confirmed' do
+            assert_nil @resource.confirmed_at
+          end
+
+          test 'should generate raw token' do
+            assert @token
+            assert_equal @new_user.confirmation_token, @token
+          end
+
+          test 'user should receive confirmation email' do
+            assert_equal @resource.email, @mail['to'].to_s
+          end
+
+        end
       end
 
       describe 'failure' do
@@ -96,6 +127,18 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end
+
+        test 'request resend confirmation without email' do
+          post :create, params: { email: nil }, xhr: true
+
+          assert_equal 401, response.status
+        end
+
+        test 'user should not be found on resend confirmation request' do
+          post :create, params: { email: 'bogus' }, xhr: true
+
+          assert_equal 404, response.status
+        end
       end
     end
 

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   describe 'Using redirect_whitelist' do
-    before do
-      @user_email = 'slemp.diggler@sillybandz.gov'
-      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
-        provider: 'facebook',
-        uid: '123545',
-        info: {
-          name: 'chong',
-          email: @user_email
-        }
-      )
-      @good_redirect_url = Faker::Internet.url
-      @bad_redirect_url = Faker::Internet.url
-      DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
-    end
 
-    teardown do
-      DeviseTokenAuth.redirect_whitelist = nil
-    end
+    describe "newWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
+          }
+        )
+        @good_redirect_url = Faker::Internet.url
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-    test 'request using non-whitelisted redirect fail' do
-      get '/auth/facebook',
-          params: { auth_origin_url: @bad_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      follow_all_redirects!
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'newWindow' }
 
-      data = get_parsed_data_json
-      assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
-                   data['error']
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
+                    data['error']
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: @good_redirect_url,
+              omniauth_window_type: 'newWindow'
+            }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: { auth_origin_url: @good_redirect_url,
+                      omniauth_window_type: 'newWindow' }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
     end
 
-    test 'request to whitelisted redirect should succeed' do
-      get '/auth/facebook',
-          params: {
-            auth_origin_url: @good_redirect_url,
-            omniauth_window_type: 'newWindow'
+    describe "sameWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
           }
+        )
+        @good_redirect_url = '/auth_origin'
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-      follow_all_redirects!
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
-    end
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'sameWindow' }
 
-    test 'should support wildcards' do
-      DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-      get '/auth/facebook',
-          params: { auth_origin_url: @good_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
 
-      follow_all_redirects!
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
     end
+
   end
 end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -239,10 +239,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
-        describe 'Cheking reset_password_token' do
+        describe 'Checking reset_password_token' do
           before do
             post :create, params: {
-              email:        @resource.email,
+              email: @resource.email,
               redirect_url: @redirect_url
             }
 
@@ -440,6 +440,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
         describe 'success' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -504,6 +505,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
         describe 'current password mismatch error' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -520,7 +522,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       describe 'change password' do
-        describe 'success' do
+        describe 'using reset token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @redirect_url = 'http://client-app.dev'
+            get_reset_token
+            edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
+            get :edit, params: query_parts
+          end
+
+          test 'request should be redirect' do
+            assert_equal 302, response.status
+          end
+
+          test 'request should redirect to correct redirect url' do
+            host = URI.parse(response.location).host
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
+
+            assert_equal 'client-app.dev', host
+            assert_equal @mail_reset_token, query_parts['reset_password_token']
+            assert_equal 1, query_parts.keys.size
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
+
+        describe 'with valid headers' do
           before do
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
@@ -567,19 +597,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
-        describe 'unauthorized user' do
+        describe 'without valid headers' do
           before do
-            @auth_headers = @resource.create_new_auth_token
-            @new_password = Faker::Internet.password
+            @resource.create_new_auth_token
+            new_password = Faker::Internet.password
 
-            put :update, params: { password: @new_password,
-                                   password_confirmation: @new_password }
+            put :update, params: { password: new_password,
+                                   password_confirmation: new_password }
           end
 
           test 'response should fail' do
             assert_equal 401, response.status
           end
         end
+
+        describe 'with valid reset password token' do
+          before do
+            reset_password_token = @resource.send_reset_password_instructions
+            @new_password = Faker::Internet.password
+            @params = { password: @new_password,
+                        password_confirmation: @new_password,
+                        reset_password_token: reset_password_token }
+          end
+
+          describe 'with require_client_password_reset_token disabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = false
+              put :update, params: @params
+
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+
+            test 'request should be not be successful' do
+              assert_equal 401, response.status
+            end
+          end
+
+          describe 'with require_client_password_reset_token enabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = true
+              put :update, params: @params
+
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+
+            test 'request should be successful' do
+              assert_equal 200, response.status
+            end
+
+            test 'request should return success message' do
+              assert @data['message']
+              assert_equal @data['message'],
+                           I18n.t('devise_token_auth.passwords.successfully_updated')
+            end
+
+            test 'new password should authenticate user' do
+              assert @resource.valid_password?(@new_password)
+            end
+
+            teardown do
+              DeviseTokenAuth.require_client_password_reset_token = false
+            end
+          end
+        end
+
+        describe 'with invalid reset password token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @resource.update reset_password_token: 'koskoskoskos'
+            put :update, params: @params
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'new password should not authenticate user' do
+            assert !@resource.valid_password?(@new_password)
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
       end
     end