devise_token_auth 1.1.2 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/devise_token_auth/application_controller.rb +10 -2
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
- data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
- data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
- data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
- data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
- data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
- data/app/models/devise_token_auth/concerns/user.rb +9 -10
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
- data/app/validators/devise_token_auth_email_validator.rb +1 -1
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +5 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +2 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +3 -1
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +5 -1
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +11 -1
- data/lib/devise_token_auth/rails/routes.rb +15 -10
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +4 -4
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +0 -1
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +26 -1
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
- data/test/factories/users.rb +2 -1
- data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
- data/test/models/concerns/tokens_serialization_test.rb +39 -5
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/test_helper.rb +35 -4
- metadata +27 -14
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: fb2d73d7859e1754b505d6f554c8d298ba899444b4fe4e1b47d50ca9bab453e8
|
|
4
|
+
data.tar.gz: 3572d4ff07d68f62d8e51270959fd20451d9edb4832d576b9342939275390dee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 50c95181401bedfd959a407d450f222ab185d75000825385dd691a064e831b36263eb1338d25f6378a743ac9009b73f80df3e24cb09ce5680a0e6723fc98acb9
|
|
7
|
+
data.tar.gz: 91910874d7e473d31eb39cf40c6860da4ab5b59aa874a0f1296faa17718103124018568cf289486a9d49a3ec1b967f14e23c18afb8d3f6cd3ec2fd837d663a83
|
|
@@ -16,8 +16,8 @@ module DeviseTokenAuth
|
|
|
16
16
|
|
|
17
17
|
protected
|
|
18
18
|
|
|
19
|
-
def blacklisted_redirect_url?
|
|
20
|
-
DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(
|
|
19
|
+
def blacklisted_redirect_url?(redirect_url)
|
|
20
|
+
DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
def build_redirect_headers(access_token, client, redirect_header_options = {})
|
|
@@ -75,5 +75,13 @@ module DeviseTokenAuth
|
|
|
75
75
|
response = response.merge(data) if data
|
|
76
76
|
render json: response, status: status
|
|
77
77
|
end
|
|
78
|
+
|
|
79
|
+
def success_message(name, email)
|
|
80
|
+
if Devise.paranoid
|
|
81
|
+
I18n.t("devise_token_auth.#{name}.sended_paranoid")
|
|
82
|
+
else
|
|
83
|
+
I18n.t("devise_token_auth.#{name}.sended", email: email)
|
|
84
|
+
end
|
|
85
|
+
end
|
|
78
86
|
end
|
|
79
87
|
end
|
|
@@ -20,7 +20,7 @@ module DeviseTokenAuth::Concerns::ResourceFinder
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def find_resource(field, value)
|
|
23
|
-
@resource = if
|
|
23
|
+
@resource = if database_adapter&.include?('mysql')
|
|
24
24
|
# fix for mysql default case insensitivity
|
|
25
25
|
resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
|
|
26
26
|
else
|
|
@@ -28,6 +28,19 @@ module DeviseTokenAuth::Concerns::ResourceFinder
|
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
+
def database_adapter
|
|
32
|
+
@database_adapter ||= begin
|
|
33
|
+
rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
|
|
34
|
+
|
|
35
|
+
adapter =
|
|
36
|
+
if rails_version >= "6.1"
|
|
37
|
+
resource_class.try(:connection_db_config)&.try(:adapter)
|
|
38
|
+
else
|
|
39
|
+
resource_class.try(:connection_config)&.try(:[], :adapter)
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
|
|
31
44
|
def resource_class(m = nil)
|
|
32
45
|
mapping = if m
|
|
33
46
|
Devise.mappings[m]
|
|
@@ -17,7 +17,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
17
17
|
@used_auth_by_token = true
|
|
18
18
|
|
|
19
19
|
# initialize instance variables
|
|
20
|
-
@token
|
|
20
|
+
@token ||= DeviseTokenAuth::TokenFactory.new
|
|
21
21
|
@resource ||= nil
|
|
22
22
|
@is_batch_request ||= nil
|
|
23
23
|
end
|
|
@@ -35,18 +35,27 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
35
35
|
access_token_name = DeviseTokenAuth.headers_names[:'access-token']
|
|
36
36
|
client_name = DeviseTokenAuth.headers_names[:'client']
|
|
37
37
|
|
|
38
|
+
# gets values from cookie if configured and present
|
|
39
|
+
parsed_auth_cookie = {}
|
|
40
|
+
if DeviseTokenAuth.cookie_enabled
|
|
41
|
+
auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
|
|
42
|
+
if auth_cookie.present?
|
|
43
|
+
parsed_auth_cookie = JSON.parse(auth_cookie)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
38
47
|
# parse header for values necessary for authentication
|
|
39
|
-
uid = request.headers[uid_name] || params[uid_name]
|
|
48
|
+
uid = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name]
|
|
40
49
|
@token = DeviseTokenAuth::TokenFactory.new unless @token
|
|
41
|
-
@token.token ||= request.headers[access_token_name] || params[access_token_name]
|
|
42
|
-
@token.client ||= request.headers[client_name] || params[client_name]
|
|
50
|
+
@token.token ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name]
|
|
51
|
+
@token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name]
|
|
43
52
|
|
|
44
53
|
# client isn't required, set to 'default' if absent
|
|
45
54
|
@token.client ||= 'default'
|
|
46
55
|
|
|
47
56
|
# check for an existing user, authenticated via warden/devise, if enabled
|
|
48
57
|
if DeviseTokenAuth.enable_standard_devise_support
|
|
49
|
-
devise_warden_user = warden.user(
|
|
58
|
+
devise_warden_user = warden.user(mapping)
|
|
50
59
|
if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
|
|
51
60
|
@used_auth_by_token = false
|
|
52
61
|
@resource = devise_warden_user
|
|
@@ -101,9 +110,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
101
110
|
# update the response header
|
|
102
111
|
response.headers.merge!(auth_header)
|
|
103
112
|
|
|
113
|
+
# set a server cookie if configured
|
|
114
|
+
if DeviseTokenAuth.cookie_enabled
|
|
115
|
+
set_cookie(auth_header)
|
|
116
|
+
end
|
|
104
117
|
else
|
|
105
118
|
unless @resource.reload.valid?
|
|
106
|
-
@resource =
|
|
119
|
+
@resource = @resource.class.find(@resource.to_param) # errors remain after reload
|
|
107
120
|
# if we left the model in a bad state, something is wrong in our app
|
|
108
121
|
unless @resource.valid?
|
|
109
122
|
raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
|
|
@@ -123,11 +136,22 @@ module DeviseTokenAuth::Concerns::SetUserByToken
|
|
|
123
136
|
# cleared by sign out in the meantime
|
|
124
137
|
return if @used_auth_by_token && @resource.tokens[@token.client].nil?
|
|
125
138
|
|
|
139
|
+
_auth_header_from_batch_request = auth_header_from_batch_request
|
|
140
|
+
|
|
126
141
|
# update the response header
|
|
127
|
-
response.headers.merge!(
|
|
142
|
+
response.headers.merge!(_auth_header_from_batch_request)
|
|
143
|
+
|
|
144
|
+
# set a server cookie if configured
|
|
145
|
+
if DeviseTokenAuth.cookie_enabled
|
|
146
|
+
set_cookie(_auth_header_from_batch_request)
|
|
147
|
+
end
|
|
128
148
|
end # end lock
|
|
129
149
|
end
|
|
130
150
|
|
|
151
|
+
def set_cookie(auth_header)
|
|
152
|
+
cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
|
|
153
|
+
end
|
|
154
|
+
|
|
131
155
|
def is_batch_request?(user, client)
|
|
132
156
|
!params[:unbatch] &&
|
|
133
157
|
user.tokens[client] &&
|
|
@@ -13,6 +13,7 @@ module DeviseTokenAuth
|
|
|
13
13
|
|
|
14
14
|
if signed_in?(resource_name)
|
|
15
15
|
token = signed_in_resource.create_token
|
|
16
|
+
signed_in_resource.save!
|
|
16
17
|
|
|
17
18
|
redirect_headers = build_redirect_headers(token.token,
|
|
18
19
|
token.client,
|
|
@@ -54,13 +55,17 @@ module DeviseTokenAuth
|
|
|
54
55
|
|
|
55
56
|
def render_create_success
|
|
56
57
|
render json: {
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
58
|
+
success: true,
|
|
59
|
+
message: success_message('confirmations', @email)
|
|
60
|
+
}
|
|
60
61
|
end
|
|
61
62
|
|
|
62
63
|
def render_not_found_error
|
|
63
|
-
|
|
64
|
+
if Devise.paranoid
|
|
65
|
+
render_error(404, I18n.t('devise_token_auth.confirmations.sended_paranoid'))
|
|
66
|
+
else
|
|
67
|
+
render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
|
|
68
|
+
end
|
|
64
69
|
end
|
|
65
70
|
|
|
66
71
|
private
|
|
@@ -3,6 +3,9 @@
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
|
|
5
5
|
attr_reader :auth_params
|
|
6
|
+
|
|
7
|
+
before_action :validate_auth_origin_url_param
|
|
8
|
+
|
|
6
9
|
skip_before_action :set_user_by_token, raise: false
|
|
7
10
|
skip_after_action :update_auth_header
|
|
8
11
|
|
|
@@ -75,6 +78,11 @@ module DeviseTokenAuth
|
|
|
75
78
|
render_data_or_redirect('authFailure', error: @error)
|
|
76
79
|
end
|
|
77
80
|
|
|
81
|
+
def validate_auth_origin_url_param
|
|
82
|
+
return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
|
|
78
86
|
protected
|
|
79
87
|
|
|
80
88
|
# this will be determined differently depending on the action that calls
|
|
@@ -104,7 +112,8 @@ module DeviseTokenAuth
|
|
|
104
112
|
|
|
105
113
|
# break out provider attribute assignment for easy method extension
|
|
106
114
|
def assign_provider_attrs(user, auth_hash)
|
|
107
|
-
attrs = auth_hash['info'].
|
|
115
|
+
attrs = auth_hash['info'].to_hash
|
|
116
|
+
attrs = attrs.slice(*user.attribute_names)
|
|
108
117
|
user.assign_attributes(attrs)
|
|
109
118
|
end
|
|
110
119
|
|
|
@@ -137,10 +146,18 @@ module DeviseTokenAuth
|
|
|
137
146
|
omniauth_params['omniauth_window_type']
|
|
138
147
|
end
|
|
139
148
|
|
|
140
|
-
def
|
|
149
|
+
def unsafe_auth_origin_url
|
|
141
150
|
omniauth_params['auth_origin_url'] || omniauth_params['origin']
|
|
142
151
|
end
|
|
143
152
|
|
|
153
|
+
|
|
154
|
+
def auth_origin_url
|
|
155
|
+
if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
|
|
156
|
+
return nil
|
|
157
|
+
end
|
|
158
|
+
return unsafe_auth_origin_url
|
|
159
|
+
end
|
|
160
|
+
|
|
144
161
|
# in the success case, omniauth_window_type is in the omniauth_params.
|
|
145
162
|
# in the failure case, it is in a query param. See monkey patch above
|
|
146
163
|
def omniauth_window_type
|
|
@@ -186,8 +203,13 @@ module DeviseTokenAuth
|
|
|
186
203
|
@token = @resource.create_token
|
|
187
204
|
end
|
|
188
205
|
|
|
206
|
+
def render_error_not_allowed_auth_origin_url
|
|
207
|
+
message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
|
|
208
|
+
render_data_or_redirect('authFailure', error: message)
|
|
209
|
+
end
|
|
210
|
+
|
|
189
211
|
def render_data(message, data)
|
|
190
|
-
@data = data.merge(message: message)
|
|
212
|
+
@data = data.merge(message: ActionController::Base.helpers.sanitize(message))
|
|
191
213
|
render layout: nil, template: 'devise_token_auth/omniauth_external_window'
|
|
192
214
|
end
|
|
193
215
|
|
|
@@ -224,7 +246,7 @@ module DeviseTokenAuth
|
|
|
224
246
|
<html>
|
|
225
247
|
<head></head>
|
|
226
248
|
<body>
|
|
227
|
-
#{text}
|
|
249
|
+
#{ActionController::Base.helpers.sanitize(text)}
|
|
228
250
|
</body>
|
|
229
251
|
</html>)
|
|
230
252
|
end
|
|
@@ -261,4 +283,5 @@ module DeviseTokenAuth
|
|
|
261
283
|
@resource
|
|
262
284
|
end
|
|
263
285
|
end
|
|
286
|
+
|
|
264
287
|
end
|
|
@@ -2,12 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
module DeviseTokenAuth
|
|
4
4
|
class PasswordsController < DeviseTokenAuth::ApplicationController
|
|
5
|
-
before_action :set_user_by_token, only: [:update]
|
|
6
5
|
before_action :validate_redirect_url_param, only: [:create, :edit]
|
|
7
6
|
skip_after_action :update_auth_header, only: [:create, :edit]
|
|
8
7
|
|
|
9
|
-
# this action is responsible for generating password reset tokens and
|
|
10
|
-
# sending emails
|
|
8
|
+
# this action is responsible for generating password reset tokens and sending emails
|
|
11
9
|
def create
|
|
12
10
|
return render_create_error_missing_email unless resource_params[:email]
|
|
13
11
|
|
|
@@ -39,11 +37,10 @@ module DeviseTokenAuth
|
|
|
39
37
|
@resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
|
|
40
38
|
|
|
41
39
|
if @resource && @resource.reset_password_period_valid?
|
|
42
|
-
token = @resource.create_token
|
|
40
|
+
token = @resource.create_token unless require_client_password_reset_token?
|
|
43
41
|
|
|
44
42
|
# ensure that user is confirmed
|
|
45
43
|
@resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
|
|
46
|
-
|
|
47
44
|
# allow user to change password once without current_password
|
|
48
45
|
@resource.allow_password_change = true if recoverable_enabled?
|
|
49
46
|
|
|
@@ -51,12 +48,16 @@ module DeviseTokenAuth
|
|
|
51
48
|
|
|
52
49
|
yield @resource if block_given?
|
|
53
50
|
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
51
|
+
if require_client_password_reset_token?
|
|
52
|
+
redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
|
|
53
|
+
else
|
|
54
|
+
redirect_header_options = { reset_password: true }
|
|
55
|
+
redirect_headers = build_redirect_headers(token.token,
|
|
56
|
+
token.client,
|
|
57
|
+
redirect_header_options)
|
|
58
|
+
redirect_to(@resource.build_auth_url(@redirect_url,
|
|
59
|
+
redirect_headers))
|
|
60
|
+
end
|
|
60
61
|
else
|
|
61
62
|
render_edit_error
|
|
62
63
|
end
|
|
@@ -64,6 +65,15 @@ module DeviseTokenAuth
|
|
|
64
65
|
|
|
65
66
|
def update
|
|
66
67
|
# make sure user is authorized
|
|
68
|
+
if require_client_password_reset_token? && resource_params[:reset_password_token]
|
|
69
|
+
@resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
|
|
70
|
+
return render_update_error_unauthorized unless @resource
|
|
71
|
+
|
|
72
|
+
@token = @resource.create_token
|
|
73
|
+
else
|
|
74
|
+
@resource = set_user_by_token
|
|
75
|
+
end
|
|
76
|
+
|
|
67
77
|
return render_update_error_unauthorized unless @resource
|
|
68
78
|
|
|
69
79
|
# make sure account doesn't use oauth2 provider
|
|
@@ -90,7 +100,7 @@ module DeviseTokenAuth
|
|
|
90
100
|
protected
|
|
91
101
|
|
|
92
102
|
def resource_update_method
|
|
93
|
-
allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
|
|
103
|
+
allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
|
|
94
104
|
if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
|
|
95
105
|
'update'
|
|
96
106
|
else
|
|
@@ -118,7 +128,7 @@ module DeviseTokenAuth
|
|
|
118
128
|
def render_create_success
|
|
119
129
|
render json: {
|
|
120
130
|
success: true,
|
|
121
|
-
message:
|
|
131
|
+
message: success_message('passwords', @email)
|
|
122
132
|
}
|
|
123
133
|
end
|
|
124
134
|
|
|
@@ -171,7 +181,11 @@ module DeviseTokenAuth
|
|
|
171
181
|
end
|
|
172
182
|
|
|
173
183
|
def render_not_found_error
|
|
174
|
-
|
|
184
|
+
if Devise.paranoid
|
|
185
|
+
render_error(404, I18n.t('devise_token_auth.passwords.sended_paranoid'))
|
|
186
|
+
else
|
|
187
|
+
render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
|
|
188
|
+
end
|
|
175
189
|
end
|
|
176
190
|
|
|
177
191
|
def validate_redirect_url_param
|
|
@@ -182,7 +196,15 @@ module DeviseTokenAuth
|
|
|
182
196
|
)
|
|
183
197
|
|
|
184
198
|
return render_create_error_missing_redirect_url unless @redirect_url
|
|
185
|
-
return render_error_not_allowed_redirect_url if blacklisted_redirect_url?
|
|
199
|
+
return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
|
|
200
|
+
end
|
|
201
|
+
|
|
202
|
+
def reset_password_token_as_raw?(recoverable)
|
|
203
|
+
recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
|
|
204
|
+
end
|
|
205
|
+
|
|
206
|
+
def require_client_password_reset_token?
|
|
207
|
+
DeviseTokenAuth.require_client_password_reset_token
|
|
186
208
|
end
|
|
187
209
|
end
|
|
188
210
|
end
|
|
@@ -28,7 +28,7 @@ module DeviseTokenAuth
|
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
# if whitelist is set, validate redirect_url against whitelist
|
|
31
|
-
return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?
|
|
31
|
+
return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
|
|
32
32
|
|
|
33
33
|
# override email confirmation, must be sent manually from ctrl
|
|
34
34
|
callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
|
|
@@ -48,13 +48,19 @@ module DeviseTokenAuth
|
|
|
48
48
|
def destroy
|
|
49
49
|
# remove auth instance variables so that after_action does not run
|
|
50
50
|
user = remove_instance_variable(:@resource) if @resource
|
|
51
|
-
client = @token.client
|
|
51
|
+
client = @token.client
|
|
52
52
|
@token.clear!
|
|
53
53
|
|
|
54
54
|
if user && client && user.tokens[client]
|
|
55
55
|
user.tokens.delete(client)
|
|
56
56
|
user.save!
|
|
57
57
|
|
|
58
|
+
if DeviseTokenAuth.cookie_enabled
|
|
59
|
+
# If a cookie is set with a domain specified then it must be deleted with that domain specified
|
|
60
|
+
# See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
|
|
61
|
+
cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
|
|
62
|
+
end
|
|
63
|
+
|
|
58
64
|
yield user if block_given?
|
|
59
65
|
|
|
60
66
|
render_destroy_success
|
|
@@ -63,7 +63,7 @@ module DeviseTokenAuth
|
|
|
63
63
|
def render_create_success
|
|
64
64
|
render json: {
|
|
65
65
|
success: true,
|
|
66
|
-
message:
|
|
66
|
+
message: success_message('unlocks', @email)
|
|
67
67
|
}
|
|
68
68
|
end
|
|
69
69
|
|
|
@@ -79,7 +79,11 @@ module DeviseTokenAuth
|
|
|
79
79
|
end
|
|
80
80
|
|
|
81
81
|
def render_not_found_error
|
|
82
|
-
|
|
82
|
+
if Devise.paranoid
|
|
83
|
+
render_error(404, I18n.t('devise_token_auth.unlocks.sended_paranoid'))
|
|
84
|
+
else
|
|
85
|
+
render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
|
|
86
|
+
end
|
|
83
87
|
end
|
|
84
88
|
|
|
85
89
|
def resource_params
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module DeviseTokenAuth::Concerns::ConfirmableSupport
|
|
2
|
+
extend ActiveSupport::Concern
|
|
3
|
+
|
|
4
|
+
included do
|
|
5
|
+
# Override standard devise `postpone_email_change?` method
|
|
6
|
+
# for not to use `will_save_change_to_email?` & `email_changed?` methods.
|
|
7
|
+
def postpone_email_change?
|
|
8
|
+
postpone = self.class.reconfirmable &&
|
|
9
|
+
email_value_in_database != email &&
|
|
10
|
+
!@bypass_confirmation_postpone &&
|
|
11
|
+
self.email.present? &&
|
|
12
|
+
(!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
|
|
13
|
+
@bypass_confirmation_postpone = false
|
|
14
|
+
postpone
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
protected
|
|
19
|
+
|
|
20
|
+
def email_value_in_database
|
|
21
|
+
rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
|
|
22
|
+
if rails51 && respond_to?(:email_in_database)
|
|
23
|
+
email_in_database
|
|
24
|
+
else
|
|
25
|
+
email_was
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|