devise_token_auth 1.1.2 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/devise_token_auth/application_controller.rb +10 -2
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
- data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
- data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
- data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
- data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
- data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
- data/app/models/devise_token_auth/concerns/user.rb +9 -10
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
- data/app/validators/devise_token_auth_email_validator.rb +1 -1
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +5 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +2 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +3 -1
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +5 -1
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +11 -1
- data/lib/devise_token_auth/rails/routes.rb +15 -10
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +4 -4
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +0 -1
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +26 -1
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
- data/test/factories/users.rb +2 -1
- data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
- data/test/models/concerns/tokens_serialization_test.rb +39 -5
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/test_helper.rb +35 -4
- metadata +27 -14
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fb2d73d7859e1754b505d6f554c8d298ba899444b4fe4e1b47d50ca9bab453e8
|
|
4
|
+
data.tar.gz: 3572d4ff07d68f62d8e51270959fd20451d9edb4832d576b9342939275390dee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 50c95181401bedfd959a407d450f222ab185d75000825385dd691a064e831b36263eb1338d25f6378a743ac9009b73f80df3e24cb09ce5680a0e6723fc98acb9
|
|
7
|
+
data.tar.gz: 91910874d7e473d31eb39cf40c6860da4ab5b59aa874a0f1296faa17718103124018568cf289486a9d49a3ec1b967f14e23c18afb8d3f6cd3ec2fd837d663a83
|
|
@@ -16,8 +16,8 @@ module DeviseTokenAuth
|
|
|
16
16
|
|
|
17
17
|
protected
|
|
18
18
|
|
|
19
|
-
def blacklisted_redirect_url?
|
|
20
|
-
DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(
|
|
19
|
+
def blacklisted_redirect_url?(redirect_url)
|
|
20
|
+
DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
def build_redirect_headers(access_token, client, redirect_header_options = {})
|
|
@@ -75,5 +75,13 @@ module DeviseTokenAuth
|
|
|
75
75
|
response = response.merge(data) if data
|
|
76
76
|
render json: response, status: status
|
|
77
77
|
end
|
|
78
|
+
|
|
79
|
+
def success_message(name, email)
|
|
80
|
+
if Devise.paranoid
|
|
81
|
+
I18n.t("devise_token_auth.#{name}.sended_paranoid")
|
|
82
|
+
else
|
|
83
|
+
I18n.t("devise_token_auth.#{name}.sended", email: email)
|
|
84
|
+
end
|
|
85
|
+
end
|
|
78
86
|
end
|
|
79
87
|
end
|
|
@@ -20,7 +20,7 @@ module DeviseTokenAuth::Concerns::ResourceFinder
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def find_resource(field, value)
|
|
23
|
-
@resource = if
|
|
23
|
+
@resource = if database_adapter&.include?('mysql')
|
|
24
24
|
# fix for mysql default case insensitivity
|
|
25
25
|
resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
|
|
26
26
|
else
|
|
@@ -28,6 +28,19 @@ module DeviseTokenAuth::Concerns::ResourceFinder
|
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
+
def database_adapter
|
|
32
|
+
@database_adapter ||= begin
|
|
33
|
+
rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
|
|
34
|
+
|
|
35
|
+
adapter =
|
|
36
|
+
if rails_version >= "6.1"
|
|
37
|
+
resource_class.try(:connection_db_config)&.try(:adapter)
|
|
38
|
+
else
|
|
39
|
+
resource_class.try(:connection_config)&.try(:[], :adapter)
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
31
44
|
def resource_class(m = nil)
|
|
32
45
|
mapping = if m
|
|
33
46
|
Devise.mappings[m]
|
|
@@ -17,7 +17,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
17
17
|
@used_auth_by_token = true
|
|
18
18
|
|
|
19
19
|
# initialize instance variables
|
|
20
|
-
@token
|
|
20
|
+
@token ||= DeviseTokenAuth::TokenFactory.new
|
|
21
21
|
@resource ||= nil
|
|
22
22
|
@is_batch_request ||= nil
|
|
23
23
|
end
|
|
@@ -35,18 +35,27 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
35
35
|
access_token_name = DeviseTokenAuth.headers_names[:'access-token']
|
|
36
36
|
client_name = DeviseTokenAuth.headers_names[:'client']
|
|
37
37
|
|
|
38
|
+
# gets values from cookie if configured and present
|
|
39
|
+
parsed_auth_cookie = {}
|
|
40
|
+
if DeviseTokenAuth.cookie_enabled
|
|
41
|
+
auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
|
|
42
|
+
if auth_cookie.present?
|
|
43
|
+
parsed_auth_cookie = JSON.parse(auth_cookie)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
38
47
|
# parse header for values necessary for authentication
|
|
39
|
-
uid = request.headers[uid_name] || params[uid_name]
|
|
48
|
+
uid = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name]
|
|
40
49
|
@token = DeviseTokenAuth::TokenFactory.new unless @token
|
|
41
|
-
@token.token ||= request.headers[access_token_name] || params[access_token_name]
|
|
42
|
-
@token.client ||= request.headers[client_name] || params[client_name]
|
|
50
|
+
@token.token ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name]
|
|
51
|
+
@token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name]
|
|
43
52
|
|
|
44
53
|
# client isn't required, set to 'default' if absent
|
|
45
54
|
@token.client ||= 'default'
|
|
46
55
|
|
|
47
56
|
# check for an existing user, authenticated via warden/devise, if enabled
|
|
48
57
|
if DeviseTokenAuth.enable_standard_devise_support
|
|
49
|
-
devise_warden_user = warden.user(
|
|
58
|
+
devise_warden_user = warden.user(mapping)
|
|
50
59
|
if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
|
|
51
60
|
@used_auth_by_token = false
|
|
52
61
|
@resource = devise_warden_user
|
|
@@ -101,9 +110,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
101
110
|
# update the response header
|
|
102
111
|
response.headers.merge!(auth_header)
|
|
103
112
|
|
|
113
|
+
# set a server cookie if configured
|
|
114
|
+
if DeviseTokenAuth.cookie_enabled
|
|
115
|
+
set_cookie(auth_header)
|
|
116
|
+
end
|
|
104
117
|
else
|
|
105
118
|
unless @resource.reload.valid?
|
|
106
|
-
@resource =
|
|
119
|
+
@resource = @resource.class.find(@resource.to_param) # errors remain after reload
|
|
107
120
|
# if we left the model in a bad state, something is wrong in our app
|
|
108
121
|
unless @resource.valid?
|
|
109
122
|
raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
|
|
@@ -123,11 +136,22 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
123
136
|
# cleared by sign out in the meantime
|
|
124
137
|
return if @used_auth_by_token && @resource.tokens[@token.client].nil?
|
|
125
138
|
|
|
139
|
+
_auth_header_from_batch_request = auth_header_from_batch_request
|
|
140
|
+
|
|
126
141
|
# update the response header
|
|
127
|
-
response.headers.merge!(
|
|
142
|
+
response.headers.merge!(_auth_header_from_batch_request)
|
|
143
|
+
|
|
144
|
+
# set a server cookie if configured
|
|
145
|
+
if DeviseTokenAuth.cookie_enabled
|
|
146
|
+
set_cookie(_auth_header_from_batch_request)
|
|
147
|
+
end
|
|
128
148
|
end # end lock
|
|
129
149
|
end
|
|
130
150
|
|
|
151
|
+
def set_cookie(auth_header)
|
|
152
|
+
cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
|
|
153
|
+
end
|
|
154
|
+
|
|
131
155
|
def is_batch_request?(user, client)
|
|
132
156
|
!params[:unbatch] &&
|
|
133
157
|
user.tokens[client] &&
|
|
@@ -13,6 +13,7 @@ module DeviseTokenAuth
|
|
|
13
13
|
|
|
14
14
|
if signed_in?(resource_name)
|
|
15
15
|
token = signed_in_resource.create_token
|
|
16
|
+
signed_in_resource.save!
|
|
16
17
|
|
|
17
18
|
redirect_headers = build_redirect_headers(token.token,
|
|
18
19
|
token.client,
|
|
@@ -54,13 +55,17 @@ module DeviseTokenAuth
|
|
|
54
55
|
|
|
55
56
|
def render_create_success
|
|
56
57
|
render json: {
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
58
|
+
success: true,
|
|
59
|
+
message: success_message('confirmations', @email)
|
|
60
|
+
}
|
|
60
61
|
end
|
|
61
62
|
|
|
62
63
|
def render_not_found_error
|
|
63
|
-
|
|
64
|
+
if Devise.paranoid
|
|
65
|
+
render_error(404, I18n.t('devise_token_auth.confirmations.sended_paranoid'))
|
|
66
|
+
else
|
|
67
|
+
render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
|
|
68
|
+
end
|
|
64
69
|
end
|
|
65
70
|
|
|
66
71
|
private
|
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
|
|
5
5
|
attr_reader :auth_params
|
|
6
|
+
|
|
7
|
+
before_action :validate_auth_origin_url_param
|
|
8
|
+
|
|
6
9
|
skip_before_action :set_user_by_token, raise: false
|
|
7
10
|
skip_after_action :update_auth_header
|
|
8
11
|
|
|
@@ -75,6 +78,11 @@ module DeviseTokenAuth
|
|
|
75
78
|
render_data_or_redirect('authFailure', error: @error)
|
|
76
79
|
end
|
|
77
80
|
|
|
81
|
+
def validate_auth_origin_url_param
|
|
82
|
+
return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
|
|
78
86
|
protected
|
|
79
87
|
|
|
80
88
|
# this will be determined differently depending on the action that calls
|
|
@@ -104,7 +112,8 @@ module DeviseTokenAuth
|
|
|
104
112
|
|
|
105
113
|
# break out provider attribute assignment for easy method extension
|
|
106
114
|
def assign_provider_attrs(user, auth_hash)
|
|
107
|
-
attrs = auth_hash['info'].
|
|
115
|
+
attrs = auth_hash['info'].to_hash
|
|
116
|
+
attrs = attrs.slice(*user.attribute_names)
|
|
108
117
|
user.assign_attributes(attrs)
|
|
109
118
|
end
|
|
110
119
|
|
|
@@ -137,10 +146,18 @@ module DeviseTokenAuth
|
|
|
137
146
|
omniauth_params['omniauth_window_type']
|
|
138
147
|
end
|
|
139
148
|
|
|
140
|
-
def
|
|
149
|
+
def unsafe_auth_origin_url
|
|
141
150
|
omniauth_params['auth_origin_url'] || omniauth_params['origin']
|
|
142
151
|
end
|
|
143
152
|
|
|
153
|
+
|
|
154
|
+
def auth_origin_url
|
|
155
|
+
if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
|
|
156
|
+
return nil
|
|
157
|
+
end
|
|
158
|
+
return unsafe_auth_origin_url
|
|
159
|
+
end
|
|
160
|
+
|
|
144
161
|
# in the success case, omniauth_window_type is in the omniauth_params.
|
|
145
162
|
# in the failure case, it is in a query param. See monkey patch above
|
|
146
163
|
def omniauth_window_type
|
|
@@ -186,8 +203,13 @@ module DeviseTokenAuth
|
|
|
186
203
|
@token = @resource.create_token
|
|
187
204
|
end
|
|
188
205
|
|
|
206
|
+
def render_error_not_allowed_auth_origin_url
|
|
207
|
+
message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
|
|
208
|
+
render_data_or_redirect('authFailure', error: message)
|
|
209
|
+
end
|
|
210
|
+
|
|
189
211
|
def render_data(message, data)
|
|
190
|
-
@data = data.merge(message: message)
|
|
212
|
+
@data = data.merge(message: ActionController::Base.helpers.sanitize(message))
|
|
191
213
|
render layout: nil, template: 'devise_token_auth/omniauth_external_window'
|
|
192
214
|
end
|
|
193
215
|
|
|
@@ -224,7 +246,7 @@ module DeviseTokenAuth
|
|
|
224
246
|
<html>
|
|
225
247
|
<head></head>
|
|
226
248
|
<body>
|
|
227
|
-
#{text}
|
|
249
|
+
#{ActionController::Base.helpers.sanitize(text)}
|
|
228
250
|
</body>
|
|
229
251
|
</html>)
|
|
230
252
|
end
|
|
@@ -261,4 +283,5 @@ module DeviseTokenAuth
|
|
|
261
283
|
@resource
|
|
262
284
|
end
|
|
263
285
|
end
|
|
286
|
+
|
|
264
287
|
end
|
|
@@ -2,12 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class PasswordsController < DeviseTokenAuth::ApplicationController
|
|
5
|
-
before_action :set_user_by_token, only: [:update]
|
|
6
5
|
before_action :validate_redirect_url_param, only: [:create, :edit]
|
|
7
6
|
skip_after_action :update_auth_header, only: [:create, :edit]
|
|
8
7
|
|
|
9
|
-
# this action is responsible for generating password reset tokens and
|
|
10
|
-
# sending emails
|
|
8
|
+
# this action is responsible for generating password reset tokens and sending emails
|
|
11
9
|
def create
|
|
12
10
|
return render_create_error_missing_email unless resource_params[:email]
|
|
13
11
|
|
|
@@ -39,11 +37,10 @@ module DeviseTokenAuth
|
|
|
39
37
|
@resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
|
|
40
38
|
|
|
41
39
|
if @resource && @resource.reset_password_period_valid?
|
|
42
|
-
token = @resource.create_token
|
|
40
|
+
token = @resource.create_token unless require_client_password_reset_token?
|
|
43
41
|
|
|
44
42
|
# ensure that user is confirmed
|
|
45
43
|
@resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
|
|
46
|
-
|
|
47
44
|
# allow user to change password once without current_password
|
|
48
45
|
@resource.allow_password_change = true if recoverable_enabled?
|
|
49
46
|
|
|
@@ -51,12 +48,16 @@ module DeviseTokenAuth
|
|
|
51
48
|
|
|
52
49
|
yield @resource if block_given?
|
|
53
50
|
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
51
|
+
if require_client_password_reset_token?
|
|
52
|
+
redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
|
|
53
|
+
else
|
|
54
|
+
redirect_header_options = { reset_password: true }
|
|
55
|
+
redirect_headers = build_redirect_headers(token.token,
|
|
56
|
+
token.client,
|
|
57
|
+
redirect_header_options)
|
|
58
|
+
redirect_to(@resource.build_auth_url(@redirect_url,
|
|
59
|
+
redirect_headers))
|
|
60
|
+
end
|
|
60
61
|
else
|
|
61
62
|
render_edit_error
|
|
62
63
|
end
|
|
@@ -64,6 +65,15 @@ module DeviseTokenAuth
|
|
|
64
65
|
|
|
65
66
|
def update
|
|
66
67
|
# make sure user is authorized
|
|
68
|
+
if require_client_password_reset_token? && resource_params[:reset_password_token]
|
|
69
|
+
@resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
|
|
70
|
+
return render_update_error_unauthorized unless @resource
|
|
71
|
+
|
|
72
|
+
@token = @resource.create_token
|
|
73
|
+
else
|
|
74
|
+
@resource = set_user_by_token
|
|
75
|
+
end
|
|
76
|
+
|
|
67
77
|
return render_update_error_unauthorized unless @resource
|
|
68
78
|
|
|
69
79
|
# make sure account doesn't use oauth2 provider
|
|
@@ -90,7 +100,7 @@ module DeviseTokenAuth
|
|
|
90
100
|
protected
|
|
91
101
|
|
|
92
102
|
def resource_update_method
|
|
93
|
-
allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
|
|
103
|
+
allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
|
|
94
104
|
if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
|
|
95
105
|
'update'
|
|
96
106
|
else
|
|
@@ -118,7 +128,7 @@ module DeviseTokenAuth
|
|
|
118
128
|
def render_create_success
|
|
119
129
|
render json: {
|
|
120
130
|
success: true,
|
|
121
|
-
message:
|
|
131
|
+
message: success_message('passwords', @email)
|
|
122
132
|
}
|
|
123
133
|
end
|
|
124
134
|
|
|
@@ -171,7 +181,11 @@ module DeviseTokenAuth
|
|
|
171
181
|
end
|
|
172
182
|
|
|
173
183
|
def render_not_found_error
|
|
174
|
-
|
|
184
|
+
if Devise.paranoid
|
|
185
|
+
render_error(404, I18n.t('devise_token_auth.passwords.sended_paranoid'))
|
|
186
|
+
else
|
|
187
|
+
render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
|
|
188
|
+
end
|
|
175
189
|
end
|
|
176
190
|
|
|
177
191
|
def validate_redirect_url_param
|
|
@@ -182,7 +196,15 @@ module DeviseTokenAuth
|
|
|
182
196
|
)
|
|
183
197
|
|
|
184
198
|
return render_create_error_missing_redirect_url unless @redirect_url
|
|
185
|
-
return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
|
|
199
|
+
return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
def reset_password_token_as_raw?(recoverable)
|
|
203
|
+
recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
|
|
204
|
+
end
|
|
205
|
+
|
|
206
|
+
def require_client_password_reset_token?
|
|
207
|
+
DeviseTokenAuth.require_client_password_reset_token
|
|
186
208
|
end
|
|
187
209
|
end
|
|
188
210
|
end
|
|
@@ -28,7 +28,7 @@ module DeviseTokenAuth
|
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
# if whitelist is set, validate redirect_url against whitelist
|
|
31
|
-
return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
|
|
31
|
+
return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
|
|
32
32
|
|
|
33
33
|
# override email confirmation, must be sent manually from ctrl
|
|
34
34
|
callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
|
|
@@ -48,13 +48,19 @@ module DeviseTokenAuth
|
|
|
48
48
|
def destroy
|
|
49
49
|
# remove auth instance variables so that after_action does not run
|
|
50
50
|
user = remove_instance_variable(:@resource) if @resource
|
|
51
|
-
client = @token.client
|
|
51
|
+
client = @token.client
|
|
52
52
|
@token.clear!
|
|
53
53
|
|
|
54
54
|
if user && client && user.tokens[client]
|
|
55
55
|
user.tokens.delete(client)
|
|
56
56
|
user.save!
|
|
57
57
|
|
|
58
|
+
if DeviseTokenAuth.cookie_enabled
|
|
59
|
+
# If a cookie is set with a domain specified then it must be deleted with that domain specified
|
|
60
|
+
# See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
|
|
61
|
+
cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
|
|
62
|
+
end
|
|
63
|
+
|
|
58
64
|
yield user if block_given?
|
|
59
65
|
|
|
60
66
|
render_destroy_success
|
|
@@ -63,7 +63,7 @@ module DeviseTokenAuth
|
|
|
63
63
|
def render_create_success
|
|
64
64
|
render json: {
|
|
65
65
|
success: true,
|
|
66
|
-
message:
|
|
66
|
+
message: success_message('unlocks', @email)
|
|
67
67
|
}
|
|
68
68
|
end
|
|
69
69
|
|
|
@@ -79,7 +79,11 @@ module DeviseTokenAuth
|
|
|
79
79
|
end
|
|
80
80
|
|
|
81
81
|
def render_not_found_error
|
|
82
|
-
|
|
82
|
+
if Devise.paranoid
|
|
83
|
+
render_error(404, I18n.t('devise_token_auth.unlocks.sended_paranoid'))
|
|
84
|
+
else
|
|
85
|
+
render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
|
|
86
|
+
end
|
|
83
87
|
end
|
|
84
88
|
|
|
85
89
|
def resource_params
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module DeviseTokenAuth::Concerns::ConfirmableSupport
|
|
2
|
+
extend ActiveSupport::Concern
|
|
3
|
+
|
|
4
|
+
included do
|
|
5
|
+
# Override standard devise `postpone_email_change?` method
|
|
6
|
+
# for not to use `will_save_change_to_email?` & `email_changed?` methods.
|
|
7
|
+
def postpone_email_change?
|
|
8
|
+
postpone = self.class.reconfirmable &&
|
|
9
|
+
email_value_in_database != email &&
|
|
10
|
+
!@bypass_confirmation_postpone &&
|
|
11
|
+
self.email.present? &&
|
|
12
|
+
(!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
|
|
13
|
+
@bypass_confirmation_postpone = false
|
|
14
|
+
postpone
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
protected
|
|
19
|
+
|
|
20
|
+
def email_value_in_database
|
|
21
|
+
rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
|
|
22
|
+
if rails51 && respond_to?(:email_in_database)
|
|
23
|
+
email_in_database
|
|
24
|
+
else
|
|
25
|
+
email_was
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|