devise_token_auth 1.1.2 → 1.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/devise_token_auth/application_controller.rb +10 -2
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
- data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
- data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
- data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
- data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
- data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
- data/app/models/devise_token_auth/concerns/user.rb +9 -10
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
- data/app/validators/devise_token_auth_email_validator.rb +1 -1
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +5 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +2 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +3 -1
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +5 -1
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +11 -1
- data/lib/devise_token_auth/rails/routes.rb +15 -10
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +4 -4
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +0 -1
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +26 -1
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
- data/test/factories/users.rb +2 -1
- data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
- data/test/models/concerns/tokens_serialization_test.rb +39 -5
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/test_helper.rb +35 -4
- metadata +27 -14
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
@@ -34,12 +34,6 @@ module DeviseTokenAuth
|
|
34
34
|
class_eval <<-METHODS, __FILE__, __LINE__ + 1
|
35
35
|
def authenticate_#{group_name}!(favourite=nil, opts={})
|
36
36
|
unless #{group_name}_signed_in?
|
37
|
-
mappings = #{mappings}
|
38
|
-
mappings.unshift mappings.delete(favourite.to_sym) if favourite
|
39
|
-
mappings.each do |mapping|
|
40
|
-
set_user_by_token(mapping)
|
41
|
-
end
|
42
|
-
|
43
37
|
unless current_#{group_name}
|
44
38
|
render_authenticate_error
|
45
39
|
end
|
@@ -47,12 +41,14 @@ module DeviseTokenAuth
|
|
47
41
|
end
|
48
42
|
|
49
43
|
def #{group_name}_signed_in?
|
50
|
-
#{
|
51
|
-
set_user_by_token(mapping)
|
52
|
-
end
|
44
|
+
!!current_#{group_name}
|
53
45
|
end
|
54
46
|
|
55
47
|
def current_#{group_name}(favourite=nil)
|
48
|
+
@current_#{group_name} ||= set_group_user_by_token(favourite)
|
49
|
+
end
|
50
|
+
|
51
|
+
def set_group_user_by_token(favourite)
|
56
52
|
mappings = #{mappings}
|
57
53
|
mappings.unshift mappings.delete(favourite.to_sym) if favourite
|
58
54
|
mappings.each do |mapping|
|
@@ -25,7 +25,12 @@ module DeviseTokenAuth
|
|
25
25
|
:remove_tokens_after_password_reset,
|
26
26
|
:default_callbacks,
|
27
27
|
:headers_names,
|
28
|
-
:
|
28
|
+
:cookie_enabled,
|
29
|
+
:cookie_name,
|
30
|
+
:cookie_attributes,
|
31
|
+
:bypass_sign_in,
|
32
|
+
:send_confirmation_email,
|
33
|
+
:require_client_password_reset_token
|
29
34
|
|
30
35
|
self.change_headers_on_each_request = true
|
31
36
|
self.max_number_of_devices = 10
|
@@ -45,7 +50,12 @@ module DeviseTokenAuth
|
|
45
50
|
'expiry': 'expiry',
|
46
51
|
'uid': 'uid',
|
47
52
|
'token-type': 'token-type' }
|
53
|
+
self.cookie_enabled = false
|
54
|
+
self.cookie_name = 'auth_cookie'
|
55
|
+
self.cookie_attributes = {}
|
48
56
|
self.bypass_sign_in = true
|
57
|
+
self.send_confirmation_email = false
|
58
|
+
self.require_client_password_reset_token = false
|
49
59
|
|
50
60
|
def self.setup(&block)
|
51
61
|
yield self
|
@@ -8,26 +8,31 @@ module ActionDispatch::Routing
|
|
8
8
|
opts[:skip] ||= []
|
9
9
|
|
10
10
|
# check for ctrl overrides, fall back to defaults
|
11
|
-
sessions_ctrl = opts[:controllers]
|
12
|
-
registrations_ctrl = opts[:controllers]
|
13
|
-
passwords_ctrl = opts[:controllers]
|
14
|
-
confirmations_ctrl = opts[:controllers]
|
15
|
-
token_validations_ctrl = opts[:controllers]
|
16
|
-
omniauth_ctrl = opts[:controllers]
|
17
|
-
unlocks_ctrl = opts[:controllers]
|
11
|
+
sessions_ctrl = opts[:controllers].delete(:sessions) || 'devise_token_auth/sessions'
|
12
|
+
registrations_ctrl = opts[:controllers].delete(:registrations) || 'devise_token_auth/registrations'
|
13
|
+
passwords_ctrl = opts[:controllers].delete(:passwords) || 'devise_token_auth/passwords'
|
14
|
+
confirmations_ctrl = opts[:controllers].delete(:confirmations) || 'devise_token_auth/confirmations'
|
15
|
+
token_validations_ctrl = opts[:controllers].delete(:token_validations) || 'devise_token_auth/token_validations'
|
16
|
+
omniauth_ctrl = opts[:controllers].delete(:omniauth_callbacks) || 'devise_token_auth/omniauth_callbacks'
|
17
|
+
unlocks_ctrl = opts[:controllers].delete(:unlocks) || 'devise_token_auth/unlocks'
|
18
|
+
|
19
|
+
# check for resource override
|
20
|
+
route = opts[:as] || resource.pluralize.underscore.gsub('/', '_')
|
18
21
|
|
19
22
|
# define devise controller mappings
|
20
|
-
controllers =
|
23
|
+
controllers = opts[:controllers].merge(
|
24
|
+
sessions: sessions_ctrl,
|
21
25
|
registrations: registrations_ctrl,
|
22
26
|
passwords: passwords_ctrl,
|
23
|
-
confirmations: confirmations_ctrl
|
27
|
+
confirmations: confirmations_ctrl
|
28
|
+
)
|
24
29
|
|
25
30
|
controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
|
26
31
|
|
27
32
|
# remove any unwanted devise modules
|
28
33
|
opts[:skip].each{ |item| controllers.delete(item) }
|
29
34
|
|
30
|
-
devise_for
|
35
|
+
devise_for route.to_sym,
|
31
36
|
class_name: resource,
|
32
37
|
module: :devise,
|
33
38
|
path: opts[:at].to_s,
|
@@ -11,6 +11,9 @@ module DeviseTokenAuth::Url
|
|
11
11
|
query = [uri.query, params.to_query].reject(&:blank?).join('&')
|
12
12
|
res += "?#{query}"
|
13
13
|
res += "##{uri.fragment}" if uri.fragment
|
14
|
+
# repeat any query params after the fragment to deal with Angular eating any pre fragment query params, used
|
15
|
+
# in the reset password redirect url
|
16
|
+
res += "?#{query}" if uri.fragment
|
14
17
|
|
15
18
|
res
|
16
19
|
end
|
@@ -8,7 +8,7 @@ Arguments:
|
|
8
8
|
# 'User'
|
9
9
|
MOUNT_PATH # The path at which to mount the authentication routes. Default is
|
10
10
|
# 'auth'. More detail documentation is here:
|
11
|
-
# https://
|
11
|
+
# https://devise-token-auth.gitbook.io/devise-token-auth/usage
|
12
12
|
|
13
13
|
Example:
|
14
14
|
rails generate devise_token_auth:install User auth
|
@@ -26,7 +26,7 @@ module DeviseTokenAuth
|
|
26
26
|
inclusion = 'include DeviseTokenAuth::Concerns::User'
|
27
27
|
unless parse_file_for_line(fname, inclusion)
|
28
28
|
|
29
|
-
active_record_needle = (Rails::VERSION::MAJOR
|
29
|
+
active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
|
30
30
|
inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
|
31
31
|
# Include default devise modules.
|
32
32
|
devise :database_authenticatable, :registerable,
|
@@ -75,12 +75,12 @@ module DeviseTokenAuth
|
|
75
75
|
ActiveRecord::Base.connection.select_value('SELECT VERSION()')
|
76
76
|
end
|
77
77
|
|
78
|
-
def
|
79
|
-
Rails
|
78
|
+
def rails_5_or_newer?
|
79
|
+
Rails::VERSION::MAJOR >= 5
|
80
80
|
end
|
81
81
|
|
82
82
|
def primary_key_type
|
83
|
-
primary_key_string if
|
83
|
+
primary_key_string if rails_5_or_newer?
|
84
84
|
end
|
85
85
|
|
86
86
|
def primary_key_string
|
@@ -29,9 +29,9 @@ module DeviseTokenAuth
|
|
29
29
|
field :tokens, type: Hash, default: {}
|
30
30
|
|
31
31
|
# Include default devise modules. Others available are:
|
32
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
32
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
33
33
|
devise :database_authenticatable, :registerable,
|
34
|
-
:recoverable, :rememberable, :
|
34
|
+
:recoverable, :rememberable, :validatable
|
35
35
|
include DeviseTokenAuth::Concerns::User
|
36
36
|
|
37
37
|
index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
|
@@ -52,4 +52,9 @@ DeviseTokenAuth.setup do |config|
|
|
52
52
|
# If, however, you wish to integrate with legacy Devise authentication, you can
|
53
53
|
# do so by enabling this flag. NOTE: This feature is highly experimental!
|
54
54
|
# config.enable_standard_devise_support = false
|
55
|
+
|
56
|
+
# By default DeviseTokenAuth will not send confirmation email, even when including
|
57
|
+
# devise confirmable module. If you want to use devise confirmable module and
|
58
|
+
# send email, set it to true. (This is a setting for compatibility)
|
59
|
+
# config.send_confirmation_email = true
|
55
60
|
end
|
@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
|
|
44
44
|
add_index :<%= table_name %>, [:uid, :provider], unique: true
|
45
45
|
add_index :<%= table_name %>, :reset_password_token, unique: true
|
46
46
|
add_index :<%= table_name %>, :confirmation_token, unique: true
|
47
|
-
# add_index :<%= table_name %>, :unlock_token,
|
47
|
+
# add_index :<%= table_name %>, :unlock_token, unique: true
|
48
48
|
end
|
49
49
|
end
|
@@ -2,8 +2,8 @@
|
|
2
2
|
|
3
3
|
class <%= user_class %> < ActiveRecord::Base
|
4
4
|
# Include default devise modules. Others available are:
|
5
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
5
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
6
6
|
devise :database_authenticatable, :registerable,
|
7
|
-
:recoverable, :rememberable, :
|
7
|
+
:recoverable, :rememberable, :validatable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -43,9 +43,9 @@ class <%= user_class %>
|
|
43
43
|
field :tokens, type: Hash, default: {}
|
44
44
|
|
45
45
|
# Include default devise modules. Others available are:
|
46
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
46
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
47
47
|
devise :database_authenticatable, :registerable,
|
48
|
-
:recoverable, :rememberable, :
|
48
|
+
:recoverable, :rememberable, :validatable
|
49
49
|
include DeviseTokenAuth::Concerns::User
|
50
50
|
|
51
51
|
index({ email: 1 }, { name: 'email_index', unique: true, background: true })
|
@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
53
53
|
assert @resource.confirmed?
|
54
54
|
end
|
55
55
|
|
56
|
+
test 'should save the authentication token' do
|
57
|
+
assert @resource.reload.tokens.present?
|
58
|
+
end
|
59
|
+
|
56
60
|
test 'should redirect to success url' do
|
57
61
|
assert_redirected_to(/^#{@redirect_url}/)
|
58
62
|
end
|
@@ -88,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
88
92
|
end
|
89
93
|
|
90
94
|
describe 'resend confirmation' do
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
95
|
+
describe 'without paranoid mode' do
|
96
|
+
|
97
|
+
describe 'on success' do
|
98
|
+
before do
|
99
|
+
post :create,
|
100
|
+
params: { email: @new_user.email,
|
101
|
+
redirect_url: @redirect_url },
|
102
|
+
xhr: true
|
103
|
+
@resource = assigns(:resource)
|
104
|
+
@data = JSON.parse(response.body)
|
105
|
+
@mail = ActionMailer::Base.deliveries.last
|
106
|
+
@token, @client_config = token_and_client_config_from(@mail.body)
|
107
|
+
end
|
108
|
+
|
109
|
+
test 'user should not be confirmed' do
|
110
|
+
assert_nil @resource.confirmed_at
|
111
|
+
end
|
112
|
+
|
113
|
+
test 'should generate raw token' do
|
114
|
+
assert @token
|
115
|
+
assert_equal @new_user.confirmation_token, @token
|
116
|
+
end
|
117
|
+
|
118
|
+
test 'user should receive confirmation email' do
|
119
|
+
assert_equal @resource.email, @mail['to'].to_s
|
120
|
+
end
|
121
|
+
|
122
|
+
test 'response should contain message' do
|
123
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
describe 'on failure' do
|
128
|
+
before do
|
129
|
+
post :create,
|
130
|
+
params: { email: 'chester@cheet.ah',
|
131
|
+
redirect_url: @redirect_url },
|
132
|
+
xhr: true
|
133
|
+
@data = JSON.parse(response.body)
|
134
|
+
end
|
135
|
+
|
136
|
+
test 'response should contain errors' do
|
137
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
|
138
|
+
end
|
139
|
+
end
|
104
140
|
end
|
141
|
+
end
|
105
142
|
|
106
|
-
|
107
|
-
|
108
|
-
|
143
|
+
describe 'with paranoid mode' do
|
144
|
+
describe 'on success' do
|
145
|
+
before do
|
146
|
+
swap Devise, paranoid: true do
|
147
|
+
post :create,
|
148
|
+
params: { email: @new_user.email,
|
149
|
+
redirect_url: @redirect_url },
|
150
|
+
xhr: true
|
151
|
+
@resource = assigns(:resource)
|
152
|
+
@data = JSON.parse(response.body)
|
153
|
+
@mail = ActionMailer::Base.deliveries.last
|
154
|
+
@token, @client_config = token_and_client_config_from(@mail.body)
|
155
|
+
end
|
156
|
+
end
|
157
|
+
|
158
|
+
test 'user should not be confirmed' do
|
159
|
+
assert_nil @resource.confirmed_at
|
160
|
+
end
|
161
|
+
|
162
|
+
test 'should generate raw token' do
|
163
|
+
assert @token
|
164
|
+
assert_equal @new_user.confirmation_token, @token
|
165
|
+
end
|
166
|
+
|
167
|
+
test 'user should receive confirmation email' do
|
168
|
+
assert_equal @resource.email, @mail['to'].to_s
|
169
|
+
end
|
170
|
+
|
171
|
+
test 'response should contain message' do
|
172
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
|
173
|
+
end
|
109
174
|
end
|
110
175
|
|
111
|
-
|
112
|
-
|
176
|
+
describe 'on failure' do
|
177
|
+
before do
|
178
|
+
swap Devise, paranoid: true do
|
179
|
+
post :create,
|
180
|
+
params: { email: 'chester@cheet.ah',
|
181
|
+
redirect_url: @redirect_url },
|
182
|
+
xhr: true
|
183
|
+
@data = JSON.parse(response.body)
|
184
|
+
end
|
185
|
+
end
|
186
|
+
|
187
|
+
test 'response should contain errors' do
|
188
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
|
189
|
+
end
|
113
190
|
end
|
114
|
-
|
115
191
|
end
|
116
192
|
end
|
117
193
|
|
@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
18
18
|
|
19
19
|
def get_parsed_data_json
|
20
20
|
encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
|
21
|
-
JSON.parse(
|
21
|
+
JSON.parse(CGI.unescape(encoded_json_data))
|
22
22
|
end
|
23
23
|
|
24
24
|
describe 'success callback' do
|
@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
317
317
|
end
|
318
318
|
|
319
319
|
describe 'Using redirect_whitelist' do
|
320
|
-
before do
|
321
|
-
@user_email = 'slemp.diggler@sillybandz.gov'
|
322
|
-
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
323
|
-
provider: 'facebook',
|
324
|
-
uid: '123545',
|
325
|
-
info: {
|
326
|
-
name: 'chong',
|
327
|
-
email: @user_email
|
328
|
-
}
|
329
|
-
)
|
330
|
-
@good_redirect_url = Faker::Internet.url
|
331
|
-
@bad_redirect_url = Faker::Internet.url
|
332
|
-
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
333
|
-
end
|
334
320
|
|
335
|
-
|
336
|
-
|
337
|
-
|
321
|
+
describe "newWindow" do
|
322
|
+
before do
|
323
|
+
@user_email = 'slemp.diggler@sillybandz.gov'
|
324
|
+
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
325
|
+
provider: 'facebook',
|
326
|
+
uid: '123545',
|
327
|
+
info: {
|
328
|
+
name: 'chong',
|
329
|
+
email: @user_email
|
330
|
+
}
|
331
|
+
)
|
332
|
+
@good_redirect_url = Faker::Internet.url
|
333
|
+
@bad_redirect_url = Faker::Internet.url
|
334
|
+
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
335
|
+
end
|
338
336
|
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
omniauth_window_type: 'newWindow' }
|
337
|
+
teardown do
|
338
|
+
DeviseTokenAuth.redirect_whitelist = nil
|
339
|
+
end
|
343
340
|
|
344
|
-
|
341
|
+
test 'request using non-whitelisted redirect fail' do
|
342
|
+
get '/auth/facebook',
|
343
|
+
params: { auth_origin_url: @bad_redirect_url,
|
344
|
+
omniauth_window_type: 'newWindow' }
|
345
345
|
|
346
|
-
|
347
|
-
|
348
|
-
|
346
|
+
follow_all_redirects!
|
347
|
+
|
348
|
+
data = get_parsed_data_json
|
349
|
+
assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
|
350
|
+
data['error']
|
351
|
+
end
|
352
|
+
|
353
|
+
test 'request to whitelisted redirect should succeed' do
|
354
|
+
get '/auth/facebook',
|
355
|
+
params: {
|
356
|
+
auth_origin_url: @good_redirect_url,
|
357
|
+
omniauth_window_type: 'newWindow'
|
358
|
+
}
|
359
|
+
|
360
|
+
follow_all_redirects!
|
361
|
+
|
362
|
+
data = get_parsed_data_json
|
363
|
+
assert_equal @user_email, data['email']
|
364
|
+
end
|
365
|
+
|
366
|
+
test 'should support wildcards' do
|
367
|
+
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
368
|
+
get '/auth/facebook',
|
369
|
+
params: { auth_origin_url: @good_redirect_url,
|
370
|
+
omniauth_window_type: 'newWindow' }
|
371
|
+
|
372
|
+
follow_all_redirects!
|
373
|
+
|
374
|
+
data = get_parsed_data_json
|
375
|
+
assert_equal @user_email, data['email']
|
376
|
+
end
|
349
377
|
end
|
350
378
|
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
379
|
+
describe "sameWindow" do
|
380
|
+
before do
|
381
|
+
@user_email = 'slemp.diggler@sillybandz.gov'
|
382
|
+
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
383
|
+
provider: 'facebook',
|
384
|
+
uid: '123545',
|
385
|
+
info: {
|
386
|
+
name: 'chong',
|
387
|
+
email: @user_email
|
356
388
|
}
|
389
|
+
)
|
390
|
+
@good_redirect_url = '/auth_origin'
|
391
|
+
@bad_redirect_url = Faker::Internet.url
|
392
|
+
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
393
|
+
end
|
357
394
|
|
358
|
-
|
395
|
+
teardown do
|
396
|
+
DeviseTokenAuth.redirect_whitelist = nil
|
397
|
+
end
|
359
398
|
|
360
|
-
|
361
|
-
|
362
|
-
|
399
|
+
test 'request using non-whitelisted redirect fail' do
|
400
|
+
get '/auth/facebook',
|
401
|
+
params: { auth_origin_url: @bad_redirect_url,
|
402
|
+
omniauth_window_type: 'sameWindow' }
|
363
403
|
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
|
368
|
-
|
404
|
+
follow_all_redirects!
|
405
|
+
|
406
|
+
assert_equal 200, response.status
|
407
|
+
assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
|
408
|
+
end
|
409
|
+
|
410
|
+
test 'request to whitelisted redirect should succeed' do
|
411
|
+
get '/auth/facebook',
|
412
|
+
params: {
|
413
|
+
auth_origin_url: '/auth_origin',
|
414
|
+
omniauth_window_type: 'sameWindow'
|
415
|
+
}
|
416
|
+
|
417
|
+
follow_all_redirects!
|
418
|
+
|
419
|
+
assert_equal 200, response.status
|
420
|
+
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
421
|
+
end
|
422
|
+
|
423
|
+
test 'should support wildcards' do
|
424
|
+
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
425
|
+
get '/auth/facebook',
|
426
|
+
params: {
|
427
|
+
auth_origin_url: '/auth_origin',
|
428
|
+
omniauth_window_type: 'sameWindow'
|
429
|
+
}
|
430
|
+
|
431
|
+
follow_all_redirects!
|
432
|
+
|
433
|
+
assert_equal 200, response.status
|
434
|
+
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
435
|
+
end
|
369
436
|
|
370
|
-
follow_all_redirects!
|
371
437
|
|
372
|
-
data = get_parsed_data_json
|
373
|
-
assert_equal @user_email, data['email']
|
374
438
|
end
|
439
|
+
|
375
440
|
end
|
376
441
|
end
|