devise_token_auth 1.1.2 → 1.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7423b09a92407f6bdbdd24ec3cccd376f4f8f4ac63f388490be4d8328d947b69
-  data.tar.gz: cea3c75c98bb97bb3cc73b5d3529b046ce6a8ccffbe40ed2a0a32768caeafd94
+  metadata.gz: 9481d98d2610adb862b38d97afadba1d1a58594eab37606522fc0a0700e403b1
+  data.tar.gz: c9f1900cbabbffebc8fb84091ec35dda733c18f16537b562962f4274c464d680
 SHA512:
-  metadata.gz: 50f757b7ab47c3299833e01c1e9bce37d37ea4224e95e427e9d021e4e3b66288a7e7a43371abba312d1bcf457ec17f76ef34de967326a9fbe102e17a68bc9859
-  data.tar.gz: e2265972b5f973688801e369f4af27be3896e351cb5b7ed21cd38ab8b4f441d2042cbeef70831f675512a6e8698cdb094c6ac883d31af7f8999bb23da3837b96
+  metadata.gz: ea77bdbf1b588b53dfdea504ed37967f3c8dacb7c492a5a741444057de29e2e0443e535a98be60862e2139e6c768389627e438a27838afe2904c77f80c6c31dc
+  data.tar.gz: 533ee038f53fb8f63f521522468bbf966577d3ab941c3b689c948d45cb1f11524f8738f1bdcc0e48179a11008f123eea5831f1429d4426e847abddf9b5bbcec7

data/app/controllers/devise_token_auth/application_controller.rb

@@ -16,8 +16,8 @@ module DeviseTokenAuth
 
     protected
 
-    def blacklisted_redirect_url?
-      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
     end
 
     def build_redirect_headers(access_token, client, redirect_header_options = {})

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -3,6 +3,9 @@
 module DeviseTokenAuth
   class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
     attr_reader :auth_params
+
+    before_action :validate_auth_origin_url_param
+
     skip_before_action :set_user_by_token, raise: false
     skip_after_action :update_auth_header
 
@@ -75,6 +78,11 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
 
+    def validate_auth_origin_url_param 
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
+  
+
     protected
 
     # this will be determined differently depending on the action that calls
@@ -137,10 +145,18 @@ module DeviseTokenAuth
       omniauth_params['omniauth_window_type']
     end
 
-    def auth_origin_url
+    def unsafe_auth_origin_url
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
 
+
+    def auth_origin_url
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
+    end
+
     # in the success case, omniauth_window_type is in the omniauth_params.
     # in the failure case, it is in a query param.  See monkey patch above
     def omniauth_window_type
@@ -186,8 +202,13 @@ module DeviseTokenAuth
       @token  = @resource.create_token
     end
 
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
+    end
+
     def render_data(message, data)
-      @data = data.merge(message: message)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
       render layout: nil, template: 'devise_token_auth/omniauth_external_window'
     end
 
@@ -224,7 +245,7 @@ module DeviseTokenAuth
             <html>
                     <head></head>
                     <body>
-                            #{text}
+                            #{ActionController::Base.helpers.sanitize(text)}
                     </body>
             </html>)
     end
@@ -261,4 +282,5 @@ module DeviseTokenAuth
       @resource
     end
   end
+
 end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -2,12 +2,10 @@
 
 module DeviseTokenAuth
   class PasswordsController < DeviseTokenAuth::ApplicationController
-    before_action :set_user_by_token, only: [:update]
     before_action :validate_redirect_url_param, only: [:create, :edit]
     skip_after_action :update_auth_header, only: [:create, :edit]
 
-    # this action is responsible for generating password reset tokens and
-    # sending emails
+    # this action is responsible for generating password reset tokens and sending emails
     def create
       return render_create_error_missing_email unless resource_params[:email]
 
@@ -39,11 +37,10 @@ module DeviseTokenAuth
       @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
       if @resource && @resource.reset_password_period_valid?
-        token = @resource.create_token
+        token = @resource.create_token unless require_client_password_reset_token?
 
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
-
         # allow user to change password once without current_password
         @resource.allow_password_change = true if recoverable_enabled?
 
@@ -51,12 +48,16 @@ module DeviseTokenAuth
 
         yield @resource if block_given?
 
-        redirect_header_options = { reset_password: true }
-        redirect_headers = build_redirect_headers(token.token,
-                                                  token.client,
-                                                  redirect_header_options)
-        redirect_to(@resource.build_auth_url(@redirect_url,
-                                             redirect_headers))
+        if require_client_password_reset_token?
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+        else
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers))
+        end
       else
         render_edit_error
       end
@@ -64,6 +65,15 @@ module DeviseTokenAuth
 
     def update
       # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
+
       return render_update_error_unauthorized unless @resource
 
       # make sure account doesn't use oauth2 provider
@@ -90,7 +100,7 @@ module DeviseTokenAuth
     protected
 
     def resource_update_method
-      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
       if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
         'update'
       else
@@ -182,7 +192,15 @@ module DeviseTokenAuth
       )
 
       return render_create_error_missing_redirect_url unless @redirect_url
-      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+    end
+
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+
+    def require_client_password_reset_token?
+      DeviseTokenAuth.require_client_password_reset_token
     end
   end
 end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -28,7 +28,7 @@ module DeviseTokenAuth
       end
 
       # if whitelist is set, validate redirect_url against whitelist
-      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
 
       # override email confirmation, must be sent manually from ctrl
       callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create

data/config/locales/da-DK.yml

@@ -14,6 +14,8 @@ da-DK:
       account_with_uid_destroyed: "Kontoen med UID '%{uid}' er slettet."
       account_to_destroy_not_found: "Kan ikke finde kontoen som skal slettes."
       user_not_found: "Brugeren ikke fundet."
+    omniauth:
+      not_allowed_redirect_url: "Omdirigering til '%{redirect_url}' er ikke tilladt."
     passwords:
       missing_email: "Du skal udfylde email feltet."
       missing_redirect_url: "Der er ingen omdirigeringsadresse."

data/config/locales/de.yml

@@ -14,6 +14,8 @@ de:
       account_with_uid_destroyed: "Account mit der uid '%{uid}' wurde gelöscht."
       account_to_destroy_not_found: "Der zu löschende Account kann nicht gefunden werden."
       user_not_found: "Benutzer kann nicht gefunden werden."
+    omniauth:
+      not_allowed_redirect_url: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet."
     passwords:
       missing_email: "Sie müssen eine E-Mail-Adresse angeben."
       missing_redirect_url: "Es fehlt die URL zu Weiterleitung."

data/config/locales/en.yml

@@ -14,6 +14,8 @@ en:
       account_with_uid_destroyed: "Account with UID '%{uid}' has been destroyed."
       account_to_destroy_not_found: "Unable to locate account for destruction."
       user_not_found: "User not found."
+    omniauth:
+      not_allowed_redirect_url: "Redirect to '%{redirect_url}' not allowed."
     passwords:
       missing_email: "You must provide an email address."
       missing_redirect_url: "Missing redirect URL."

data/config/locales/es.yml

@@ -14,6 +14,8 @@ es:
       account_with_uid_destroyed: "La cuenta con el identificador '%{uid}' se ha eliminado."
       account_to_destroy_not_found: "No se puede encontrar la cuenta a borrar."
       user_not_found: "Usuario no encontrado."
+    omniauth:
+      not_allowed_redirect_url: "Redirección hacia '%{redirect_url}' no esta permitida."
     passwords:
       missing_email: "Debe incluir un correo electrónico."
       missing_redirect_url: "Falta el Url de redirección."

data/config/locales/fr.yml

@@ -14,6 +14,8 @@ fr:
       account_with_uid_destroyed: "Le compte avec l'identifiant '%{uid}' a été supprimé."
       account_to_destroy_not_found: "Le compte à supprimer est introuvable."
       user_not_found: "Utilisateur introuvable."
+    omniauth:
+      not_allowed_redirect_url: "Redirection vers '%{redirect_url}' n'est pas autorisée."
     passwords:
       missing_email: "Vous devez soumettre un e-mail."
       missing_redirect_url: "URL de redirection manquante."

data/config/locales/he.yml

@@ -14,6 +14,8 @@ he:
       account_with_uid_destroyed: "חשבון עם UID '%{uid}' הושמד."
       account_to_destroy_not_found: "לא ניתן לאתר חשבון להשמדה."
       user_not_found: "המשתמש לא נמצא."
+    omniauth:
+      not_allowed_redirect_url: "הפניה אל '%{redirect_url}' אינה מותרת."
     passwords:
       missing_email: "עליך לספק כתובת דוא\"ל."
       missing_redirect_url: "כתובת אתר להפניה מחדש חסרה."

data/config/locales/it.yml

@@ -14,6 +14,8 @@ it:
       account_with_uid_destroyed: "L'account con UID '%{uid}' è stato eliminato."
       account_to_destroy_not_found: "Impossibile trovare l'account da eliminare."
       user_not_found: "Utente non trovato."
+    omniauth:
+      not_allowed_redirect_url: "Redirezione a '%{redirect_url}' non consentita."
     passwords:
       missing_email: "Devi fornire un indirizzo email."
       missing_redirect_url: "Redirect URL mancante."

data/config/locales/ja.yml

@@ -14,6 +14,8 @@ ja:
       account_with_uid_destroyed: "'%{uid}' のアカウントは削除されました。"
       account_to_destroy_not_found: "削除するアカウントが見つかりません。"
       user_not_found: "ユーザーが見つかりません。"
+    omniauth:
+      not_allowed_redirect_url:  "'%{redirect_url}' へのリダイレクトは許可されていません。"
     passwords:
       missing_email: "メールアドレスが与えられていません。"
       missing_redirect_url: "リダイレクト URL が与えられていません。"

data/config/locales/nl.yml

@@ -14,6 +14,8 @@ nl:
       account_with_uid_destroyed: "Account met id '%{uid}' is verwijderd."
       account_to_destroy_not_found: "Te verwijderen account niet gevonden."
       user_not_found: "Gebruiker niet gevonden."
+    omniauth:
+      not_allowed_redirect_url: "Redirect naar '%{redirect_url}' niet toegestaan."
     passwords:
       missing_email: "Je moet een e-mailadres opgeven."
       missing_redirect_url: "Redirect URL ontbreekt."

data/config/locales/pl.yml

@@ -14,6 +14,8 @@ pl:
       account_with_uid_destroyed: "Konto z uid '%{uid}' zostało usunięte."
       account_to_destroy_not_found: "Nie odnaleziono konta do usunięcia."
       user_not_found: "Użytkownik nie został odnaleziony."
+    omniauth:
+      not_allowed_redirect_url: "Przekierowanie na adres '%{redirect_url}' nie jest dozwolone."
     passwords:
       missing_email: "Musisz wprowadzić adres e-mail."
       missing_redirect_url: "Brak adresu zwrotnego."

data/config/locales/pt-BR.yml

@@ -14,6 +14,8 @@ pt-BR:
       account_with_uid_destroyed: "A conta com uid '%{uid}' foi excluída."
       account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão."
       user_not_found: "Usuário não encontrado."
+    omniauth:
+      not_allowed_redirect_url: "Redirecionamento para '%{redirect_url}' não permitido."
     passwords:
       missing_email: "Informe o endereço de e-mail."
       missing_redirect_url: "URL para redirecionamento não informada."

data/config/locales/pt.yml

@@ -14,6 +14,8 @@ pt:
       account_with_uid_destroyed: "A conta com uid '%{uid}' foi excluída."
       account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão."
       user_not_found: "Utilizador não encontrado."
+    omniauth:
+      not_allowed_redirect_url: "Redirecionamento para '%{redirect_url}' não permitido."
     passwords:
       missing_email: "Informe o endereço de e-mail."
       missing_redirect_url: "URL para redirecionamento não informada."

data/config/locales/ro.yml

@@ -14,6 +14,8 @@ ro:
       account_with_uid_destroyed: "Contul cu UID '%{uid}' a fost șters."
       account_to_destroy_not_found: "Nu se poate localiza contul pentru ștergere."
       user_not_found: "Utilizatorul nu a fost găsit."
+    omniauth:
+      not_allowed_redirect_url: "Redirecționarea către '%{redirect_url}' nu este permisă."
     passwords:
       missing_email: "Trebuie să introduci o adresă de e-mail."
       missing_redirect_url: "URL-ul pentru redirecționare lipsește."

data/config/locales/ru.yml

@@ -14,6 +14,8 @@ ru:
       account_with_uid_destroyed: "Учетная запись с uid '%{uid}' удалена."
       account_to_destroy_not_found: "Не удается найти учетную запись для удаления."
       user_not_found: "Пользователь не найден."
+    omniauth:
+      not_allowed_redirect_url: "Переадресация на '%{redirect_url}' не разрешена."
     passwords:
       missing_email: "Вы должны указать адрес электронной почты."
       missing_redirect_url: "Отсутствует адрес переадресации."

data/config/locales/sq.yml

@@ -14,6 +14,8 @@ sq:
       account_with_uid_destroyed: "Llogaria me UID-në '%{uid}' është fshirë."
       account_to_destroy_not_found: "Nuk u gjet llogaria për fshirje."
       user_not_found: "Përdoruesi nuk u gjet."
+    omniauth:
+      not_allowed_redirect_url: "Nuk lejohet shkuarja tek URL-ja '%{redirect_url}'."
     passwords:
       missing_email: "Ju duhet të jepni një email adresë."
       missing_redirect_url: "Mungon URL-ja për ridërgim."

data/config/locales/sv.yml

@@ -14,6 +14,8 @@ sv:
       account_with_uid_destroyed: "Kontot med UID '%{uid}' har tagits bort."
       account_to_destroy_not_found: "Kunde inte hitta kontot för borttagning."
       user_not_found: "Användaren hittades ej."
+    omniauth:
+      not_allowed_redirect_url: "Omdirigering till '%{redirect_url}' ej tillåten."
     passwords:
       missing_email: "Du måste ange en emailadress."
       missing_redirect_url: "Saknar en omdirigerings-URL."

data/config/locales/uk.yml

@@ -14,6 +14,8 @@ uk:
       account_with_uid_destroyed: "Акаунт з UID '%{uid}' було видалено."
       account_to_destroy_not_found: "Неможливо знайти акаунт для видалення."
       user_not_found: "Користувача не знайдено"
+    omniauth:
+      not_allowed_redirect_url: "Перенаправлення до '%{redirect_url}' не дозволено."
     passwords:
       missing_email: "Ви маєте ввести email адресу."
       missing_redirect_url: "Немає URL для перенаправлення."

data/config/locales/vi.yml

@@ -14,6 +14,8 @@ vi:
       account_with_uid_destroyed: "Tài khoản với UID '%{uid}' vừa bị phá hủy."
       account_to_destroy_not_found: "Không thể xác định tài khoản cho việc phá hủy."
       user_not_found: "Người dùng không tìm thấy."
+    omniauth:
+      not_allowed_redirect_url: "Chuyển hướng tới '%{redirect_url}' không được phép."
     passwords:
       missing_email: "Bạn cần cung cấp địa chỉ email."
       missing_redirect_url: "Thiếu đường đẫn URL."

data/config/locales/zh-CN.yml

@@ -14,6 +14,8 @@ zh-CN:
       account_with_uid_destroyed: "账号 '%{uid}' 已被移除。"
       account_to_destroy_not_found: "无法找到目标帐号。"
       user_not_found: "找不到帐号。"
+    omniauth:
+      not_allowed_redirect_url: "不支持转向到 '%{redirect_url}'"
     passwords:
       missing_email: "必需提供邮箱。"
       missing_redirect_url: "欠缺 redirect URL."

data/config/locales/zh-HK.yml

@@ -16,6 +16,8 @@ zh-TW:
       account_with_uid_destroyed: "帳號 '%{uid}' 已被移除。"
       account_to_destroy_not_found: "無法找到目標帳號。"
       user_not_found: "找不到帳號。"
+    omniauth:
+      not_allowed_redirect_url: "不支援轉向到 '%{redirect_url}'"
     passwords:
       missing_email: "必需提供電郵。"
       missing_redirect_url: "欠缺 redirect URL."

data/config/locales/zh-TW.yml

@@ -16,6 +16,8 @@ zh-TW:
       account_with_uid_destroyed: "帳號 '%{uid}' 已被移除。"
       account_to_destroy_not_found: "無法找到目標帳號。"
       user_not_found: "找不到帳號。"
+    omniauth:
+      not_allowed_redirect_url: "不支援轉向到 '%{redirect_url}'"
     passwords:
       missing_email: "必需提供電郵。"
       missing_redirect_url: "欠缺 redirect URL."

data/lib/devise_token_auth/engine.rb

@@ -25,7 +25,8 @@ module DeviseTokenAuth
                  :remove_tokens_after_password_reset,
                  :default_callbacks,
                  :headers_names,
-                 :bypass_sign_in
+                 :bypass_sign_in,
+                 :require_client_password_reset_token
 
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -46,6 +47,7 @@ module DeviseTokenAuth
                                                 'uid': 'uid',
                                                 'token-type': 'token-type' }
   self.bypass_sign_in                       = true
+  self.require_client_password_reset_token  = false
 
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.1.2'.freeze
+  VERSION = '1.1.3'.freeze
 end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   describe 'Using redirect_whitelist' do
-    before do
-      @user_email = 'slemp.diggler@sillybandz.gov'
-      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
-        provider: 'facebook',
-        uid: '123545',
-        info: {
-          name: 'chong',
-          email: @user_email
-        }
-      )
-      @good_redirect_url = Faker::Internet.url
-      @bad_redirect_url = Faker::Internet.url
-      DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
-    end
 
-    teardown do
-      DeviseTokenAuth.redirect_whitelist = nil
-    end
+    describe "newWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
+          }
+        )
+        @good_redirect_url = Faker::Internet.url
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-    test 'request using non-whitelisted redirect fail' do
-      get '/auth/facebook',
-          params: { auth_origin_url: @bad_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      follow_all_redirects!
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'newWindow' }
 
-      data = get_parsed_data_json
-      assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
-                   data['error']
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
+                    data['error']
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: @good_redirect_url,
+              omniauth_window_type: 'newWindow'
+            }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: { auth_origin_url: @good_redirect_url,
+                      omniauth_window_type: 'newWindow' }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
     end
 
-    test 'request to whitelisted redirect should succeed' do
-      get '/auth/facebook',
-          params: {
-            auth_origin_url: @good_redirect_url,
-            omniauth_window_type: 'newWindow'
+    describe "sameWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
           }
+        )
+        @good_redirect_url = '/auth_origin'
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-      follow_all_redirects!
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
-    end
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'sameWindow' }
 
-    test 'should support wildcards' do
-      DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-      get '/auth/facebook',
-          params: { auth_origin_url: @good_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
 
-      follow_all_redirects!
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
     end
+
   end
 end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -239,10 +239,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
-        describe 'Cheking reset_password_token' do
+        describe 'Checking reset_password_token' do
           before do
             post :create, params: {
-              email:        @resource.email,
+              email: @resource.email,
               redirect_url: @redirect_url
             }
 
@@ -440,6 +440,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
         describe 'success' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -504,6 +505,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
 
         describe 'current password mismatch error' do
           before do
+            DeviseTokenAuth.require_client_password_reset_token = false
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
             @new_password = Faker::Internet.password
@@ -520,7 +522,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       describe 'change password' do
-        describe 'success' do
+        describe 'using reset token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @redirect_url = 'http://client-app.dev'
+            get_reset_token
+            edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
+            get :edit, params: query_parts
+          end
+
+          test 'request should be redirect' do
+            assert_equal 302, response.status
+          end
+
+          test 'request should redirect to correct redirect url' do
+            host = URI.parse(response.location).host
+            query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
+
+            assert_equal 'client-app.dev', host
+            assert_equal @mail_reset_token, query_parts['reset_password_token']
+            assert_equal 1, query_parts.keys.size
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
+
+        describe 'with valid headers' do
           before do
             @auth_headers = @resource.create_new_auth_token
             request.headers.merge!(@auth_headers)
@@ -567,19 +597,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
-        describe 'unauthorized user' do
+        describe 'without valid headers' do
           before do
-            @auth_headers = @resource.create_new_auth_token
-            @new_password = Faker::Internet.password
+            @resource.create_new_auth_token
+            new_password = Faker::Internet.password
 
-            put :update, params: { password: @new_password,
-                                   password_confirmation: @new_password }
+            put :update, params: { password: new_password,
+                                   password_confirmation: new_password }
           end
 
           test 'response should fail' do
             assert_equal 401, response.status
           end
         end
+
+        describe 'with valid reset password token' do
+          before do
+            reset_password_token = @resource.send_reset_password_instructions
+            @new_password = Faker::Internet.password
+            @params = { password: @new_password,
+                        password_confirmation: @new_password,
+                        reset_password_token: reset_password_token }
+          end
+
+          describe 'with require_client_password_reset_token disabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = false
+              put :update, params: @params
+
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+
+            test 'request should be not be successful' do
+              assert_equal 401, response.status
+            end
+          end
+
+          describe 'with require_client_password_reset_token enabled' do
+            before do
+              DeviseTokenAuth.require_client_password_reset_token = true
+              put :update, params: @params
+
+              @data = JSON.parse(response.body)
+              @resource.reload
+            end
+
+            test 'request should be successful' do
+              assert_equal 200, response.status
+            end
+
+            test 'request should return success message' do
+              assert @data['message']
+              assert_equal @data['message'],
+                           I18n.t('devise_token_auth.passwords.successfully_updated')
+            end
+
+            test 'new password should authenticate user' do
+              assert @resource.valid_password?(@new_password)
+            end
+
+            teardown do
+              DeviseTokenAuth.require_client_password_reset_token = false
+            end
+          end
+        end
+
+        describe 'with invalid reset password token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            @resource.update reset_password_token: 'koskoskoskos'
+            put :update, params: @params
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'new password should not authenticate user' do
+            assert !@resource.valid_password?(@new_password)
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
       end
     end
 

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -492,7 +492,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -599,7 +599,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
               # test valid update param
               @resource_class = User
               @new_operating_thetan = 1_000_000
-              @email = 'AlternatingCase2@example.com'
+              @email = Faker::Internet.safe_email
               @request_params = {
                 operating_thetan: @new_operating_thetan,
                 email: @email
@@ -650,7 +650,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
           before do
             DeviseTokenAuth.check_current_password_before_update = :password
             @new_operating_thetan = 1_000_000
-            @email = 'AlternatingCase2@example.com'
+            @email = Faker::Internet.safe_email
           end
 
           after do

data/test/dummy/tmp/generators/app/models/mang.rb

@@ -0,0 +1,7 @@
+class Mang < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/tmp/generators/app/models/user.rb

@@ -0,0 +1,7 @@
+class User < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb

@@ -0,0 +1,48 @@
+DeviseTokenAuth.setup do |config|
+  # By default the authorization headers will change after each request. The
+  # client is responsible for keeping track of the changing tokens. Change
+  # this to false to prevent the Authorization header from changing after
+  # each request.
+  # config.change_headers_on_each_request = true
+
+  # By default, users will need to re-authenticate after 2 weeks. This setting
+  # determines how long tokens will remain valid after they are issued.
+  # config.token_lifespan = 2.weeks
+
+  # Sets the max number of concurrent devices per user, which is 10 by default.
+  # After this limit is reached, the oldest tokens will be removed.
+  # config.max_number_of_devices = 10
+
+  # Sometimes it's necessary to make several requests to the API at the same
+  # time. In this case, each request in the batch will need to share the same
+  # auth token. This setting determines how far apart the requests can be while
+  # still using the same auth token.
+  # config.batch_request_buffer_throttle = 5.seconds
+
+  # This route will be the prefix for all oauth2 redirect callbacks. For
+  # example, using the default '/omniauth', the github oauth2 provider will
+  # redirect successful authentications to '/omniauth/github/callback'
+  # config.omniauth_prefix = "/omniauth"
+
+  # By default sending current password is not needed for the password update.
+  # Uncomment to enforce current_password param to be checked before all
+  # attribute updates. Set it to :password if you want it to be checked only if
+  # password is updated.
+  # config.check_current_password_before_update = :attributes
+
+  # By default we will use callbacks for single omniauth.
+  # It depends on fields like email, provider and uid.
+  # config.default_callbacks = true
+
+  # Makes it possible to change the headers names
+  # config.headers_names = {:'access-token' => 'access-token',
+  #                        :'client' => 'client',
+  #                        :'expiry' => 'expiry',
+  #                        :'uid' => 'uid',
+  #                        :'token-type' => 'token-type' }
+
+  # By default, only Bearer Token authentication is implemented out of the box.
+  # If, however, you wish to integrate with legacy Devise authentication, you can
+  # do so by enabling this flag. NOTE: This feature is highly experimental!
+  # config.enable_standard_devise_support = false
+end

data/test/dummy/tmp/generators/config/routes.rb

@@ -0,0 +1,9 @@
+            Rails.application.routes.draw do
+  mount_devise_token_auth_for 'User', at: 'auth'
+
+  mount_devise_token_auth_for 'Mang', at: 'mangs'
+  as :mang do
+    # Define routes for Mang within this block.
+  end
+              patch '/chong', to: 'bong#index'
+            end

data/test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_mangs.rb

@@ -0,0 +1,54 @@
+class DeviseTokenAuthCreateMangs < ActiveRecord::Migration[4.2]
+  def change
+    create_table(:mangs) do |t|
+      ## Required
+      t.string :provider, :null => false, :default => "email"
+      t.string :uid, :null => false, :default => ""
+
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0, :null => false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+
+      ## Tokens
+      t.text :tokens
+
+      t.timestamps
+    end
+
+    add_index :mangs, :email,                unique: true
+    add_index :mangs, [:uid, :provider],     unique: true
+    add_index :mangs, :reset_password_token, unique: true
+    add_index :mangs, :confirmation_token,   unique: true
+    # add_index :mangs, :unlock_token,       unique: true
+  end
+end

data/test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_users.rb

@@ -0,0 +1,54 @@
+class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[4.2]
+  def change
+    create_table(:users) do |t|
+      ## Required
+      t.string :provider, :null => false, :default => "email"
+      t.string :uid, :null => false, :default => ""
+
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0, :null => false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+
+      ## Tokens
+      t.text :tokens
+
+      t.timestamps
+    end
+
+    add_index :users, :email,                unique: true
+    add_index :users, [:uid, :provider],     unique: true
+    add_index :users, :reset_password_token, unique: true
+    add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,       unique: true
+  end
+end

data/test/factories/users.rb

@@ -1,6 +1,6 @@
 FactoryBot.define do
   factory :user do
-    email { Faker::Internet.safe_email }
+    email { Faker::Internet.unique.safe_email }
     password { Faker::Internet.password }
     provider { 'email' }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
 platform: ruby
 authors:
 - Lynn Hurley
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-01 00:00:00.000000000 Z
+date: 2019-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -315,8 +315,12 @@ files:
 - test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb
 - test/dummy/db/schema.rb
 - test/dummy/lib/migration_database_helper.rb
-- test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb
-- test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb
+- test/dummy/tmp/generators/app/models/mang.rb
+- test/dummy/tmp/generators/app/models/user.rb
+- test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
+- test/dummy/tmp/generators/config/routes.rb
+- test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_mangs.rb
+- test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_users.rb
 - test/factories/users.rb
 - test/lib/devise_token_auth/blacklist_test.rb
 - test/lib/devise_token_auth/token_factory_test.rb
@@ -349,8 +353,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.9
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Token based authentication for rails. Uses Devise + OmniAuth.
@@ -422,8 +425,12 @@ test_files:
 - test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb
 - test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb
 - test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb
-- test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb
-- test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb
+- test/dummy/tmp/generators/app/models/mang.rb
+- test/dummy/tmp/generators/app/models/user.rb
+- test/dummy/tmp/generators/config/routes.rb
+- test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
+- test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_mangs.rb
+- test/dummy/tmp/generators/db/migrate/20170630171909_devise_token_auth_create_users.rb
 - test/dummy/README.rdoc
 - test/models/only_email_user_test.rb
 - test/models/concerns/mongoid_support_test.rb

data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -1,5 +0,0 @@
-<p><%= t(:welcome).capitalize + ' ' + @email %>!</p>
-
-<p><%= t '.confirm_link_msg' %> </p>
-
-<p><%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %></p>

data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -1,8 +0,0 @@
-<p><%= t(:hello).capitalize %> <%= @resource.email %>!</p>
-
-<p><%= t '.request_reset_link_msg' %></p>
-
-<p><%= link_to t('.password_change_link'), edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %></p>
-
-<p><%= t '.ignore_mail_msg' %></p>
-<p><%= t '.no_changes_msg' %></p>