devise_token_auth 1.1.2 → 1.2.0

data/lib/devise_token_auth/controllers/helpers.rb

@@ -34,12 +34,6 @@ module DeviseTokenAuth
           class_eval <<-METHODS, __FILE__, __LINE__ + 1
             def authenticate_#{group_name}!(favourite=nil, opts={})
               unless #{group_name}_signed_in?
-                mappings = #{mappings}
-                mappings.unshift mappings.delete(favourite.to_sym) if favourite
-                mappings.each do |mapping|
-                  set_user_by_token(mapping)
-                end
-
                 unless current_#{group_name}
                   render_authenticate_error
                 end
@@ -47,12 +41,14 @@ module DeviseTokenAuth
             end
 
             def #{group_name}_signed_in?
-              #{mappings}.any? do |mapping|
-                set_user_by_token(mapping)
-              end
+              !!current_#{group_name}
             end
 
             def current_#{group_name}(favourite=nil)
+              @current_#{group_name} ||= set_group_user_by_token(favourite)
+            end
+            
+            def set_group_user_by_token(favourite)
               mappings = #{mappings}
               mappings.unshift mappings.delete(favourite.to_sym) if favourite
               mappings.each do |mapping|

data/lib/devise_token_auth/engine.rb

@@ -25,7 +25,12 @@ module DeviseTokenAuth
                  :remove_tokens_after_password_reset,
                  :default_callbacks,
                  :headers_names,
-                 :bypass_sign_in
+                 :cookie_enabled,
+                 :cookie_name,
+                 :cookie_attributes,
+                 :bypass_sign_in,
+                 :send_confirmation_email,
+                 :require_client_password_reset_token
 
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -45,7 +50,12 @@ module DeviseTokenAuth
                                                 'expiry': 'expiry',
                                                 'uid': 'uid',
                                                 'token-type': 'token-type' }
+  self.cookie_enabled                       = false
+  self.cookie_name                          = 'auth_cookie'
+  self.cookie_attributes                    = {}
   self.bypass_sign_in                       = true
+  self.send_confirmation_email              = false
+  self.require_client_password_reset_token  = false
 
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/rails/routes.rb

@@ -8,26 +8,31 @@ module ActionDispatch::Routing
       opts[:skip]        ||= []
 
       # check for ctrl overrides, fall back to defaults
-      sessions_ctrl          = opts[:controllers][:sessions] || 'devise_token_auth/sessions'
-      registrations_ctrl     = opts[:controllers][:registrations] || 'devise_token_auth/registrations'
-      passwords_ctrl         = opts[:controllers][:passwords] || 'devise_token_auth/passwords'
-      confirmations_ctrl     = opts[:controllers][:confirmations] || 'devise_token_auth/confirmations'
-      token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_token_auth/token_validations'
-      omniauth_ctrl          = opts[:controllers][:omniauth_callbacks] || 'devise_token_auth/omniauth_callbacks'
-      unlocks_ctrl           = opts[:controllers][:unlocks] || 'devise_token_auth/unlocks'
+      sessions_ctrl          = opts[:controllers].delete(:sessions) || 'devise_token_auth/sessions'
+      registrations_ctrl     = opts[:controllers].delete(:registrations) || 'devise_token_auth/registrations'
+      passwords_ctrl         = opts[:controllers].delete(:passwords) || 'devise_token_auth/passwords'
+      confirmations_ctrl     = opts[:controllers].delete(:confirmations) || 'devise_token_auth/confirmations'
+      token_validations_ctrl = opts[:controllers].delete(:token_validations) || 'devise_token_auth/token_validations'
+      omniauth_ctrl          = opts[:controllers].delete(:omniauth_callbacks) || 'devise_token_auth/omniauth_callbacks'
+      unlocks_ctrl           = opts[:controllers].delete(:unlocks) || 'devise_token_auth/unlocks'
+
+      # check for resource override
+      route                  = opts[:as] || resource.pluralize.underscore.gsub('/', '_')
 
       # define devise controller mappings
-      controllers = { sessions: sessions_ctrl,
+      controllers = opts[:controllers].merge(
+                      sessions: sessions_ctrl,
                       registrations: registrations_ctrl,
                       passwords: passwords_ctrl,
-                      confirmations: confirmations_ctrl }
+                      confirmations: confirmations_ctrl
+                    )
 
       controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
 
       # remove any unwanted devise modules
       opts[:skip].each{ |item| controllers.delete(item) }
 
-      devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
+      devise_for route.to_sym,
                  class_name: resource,
                  module: :devise,
                  path: opts[:at].to_s,

data/lib/devise_token_auth/url.rb

@@ -11,6 +11,9 @@ module DeviseTokenAuth::Url
     query = [uri.query, params.to_query].reject(&:blank?).join('&')
     res += "?#{query}"
     res += "##{uri.fragment}" if uri.fragment
+    # repeat any query params after the fragment to deal with Angular eating any pre fragment query params, used
+    # in the reset password redirect url
+    res += "?#{query}" if uri.fragment
 
     res
   end

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.1.2'.freeze
+  VERSION = '1.2.0'.freeze
 end

data/lib/generators/devise_token_auth/USAGE

@@ -8,7 +8,7 @@ Arguments:
              # 'User'
   MOUNT_PATH # The path at which to mount the authentication routes. Default is
              # 'auth'. More detail documentation is here:
-             # https://github.com/lynndylanhurley/devise_token_auth#usage-tldr
+             # https://devise-token-auth.gitbook.io/devise-token-auth/usage
 
 Example:
   rails generate devise_token_auth:install User auth

data/lib/generators/devise_token_auth/install_generator.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         inclusion = 'include DeviseTokenAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
 
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
           inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
             # Include default devise modules.
             devise :database_authenticatable, :registerable,
@@ -75,12 +75,12 @@ module DeviseTokenAuth
       ActiveRecord::Base.connection.select_value('SELECT VERSION()')
     end
 
-    def rails5?
-      Rails.version.start_with? '5'
+    def rails_5_or_newer?
+      Rails::VERSION::MAJOR >= 5
     end
 
     def primary_key_type
-      primary_key_string if rails5?
+      primary_key_string if rails_5_or_newer?
     end
 
     def primary_key_string

data/lib/generators/devise_token_auth/install_mongoid_generator.rb

@@ -29,9 +29,9 @@ module DeviseTokenAuth
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -52,4 +52,9 @@ DeviseTokenAuth.setup do |config|
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
   # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb

@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
     add_index :<%= table_name %>, [:uid, :provider],     unique: true
     add_index :<%= table_name %>, :reset_password_token, unique: true
     add_index :<%= table_name %>, :confirmation_token,   unique: true
-    # add_index :<%= table_name %>, :unlock_token,       unique: true
+    # add_index :<%= table_name %>, :unlock_token,         unique: true
   end
 end

data/lib/generators/devise_token_auth/templates/user.rb.erb

@@ -2,8 +2,8 @@
 
 class <%= user_class %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 end

data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb

@@ -43,9 +43,9 @@ class <%= user_class %>
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ email: 1 }, { name: 'email_index', unique: true, background: true })

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             assert @resource.confirmed?
           end
 
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
+
           test 'should redirect to success url' do
             assert_redirected_to(/^#{@redirect_url}/)
           end
@@ -88,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         end
 
         describe 'resend confirmation' do
-          before do
-            post :create,
-                params: { email: @new_user.email,
-                          redirect_url: @redirect_url },
-                xhr: true
-            @resource = assigns(:resource)
-
-            @mail = ActionMailer::Base.deliveries.last
-            @token, @client_config = token_and_client_config_from(@mail.body)
-          end
-
-          test 'user should not be confirmed' do
-            assert_nil @resource.confirmed_at
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
           end
+        end
 
-          test 'should generate raw token' do
-            assert @token
-            assert_equal @new_user.confirmation_token, @token
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
           end
 
-          test 'user should receive confirmation email' do
-            assert_equal @resource.email, @mail['to'].to_s
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should contain errors' do
+              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            end
           end
-
         end
       end
 

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
   def get_parsed_data_json
     encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(URI.unescape(encoded_json_data))
+    JSON.parse(CGI.unescape(encoded_json_data))
   end
 
   describe 'success callback' do
@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   describe 'Using redirect_whitelist' do
-    before do
-      @user_email = 'slemp.diggler@sillybandz.gov'
-      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
-        provider: 'facebook',
-        uid: '123545',
-        info: {
-          name: 'chong',
-          email: @user_email
-        }
-      )
-      @good_redirect_url = Faker::Internet.url
-      @bad_redirect_url = Faker::Internet.url
-      DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
-    end
 
-    teardown do
-      DeviseTokenAuth.redirect_whitelist = nil
-    end
+    describe "newWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
+          }
+        )
+        @good_redirect_url = Faker::Internet.url
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-    test 'request using non-whitelisted redirect fail' do
-      get '/auth/facebook',
-          params: { auth_origin_url: @bad_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      follow_all_redirects!
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'newWindow' }
 
-      data = get_parsed_data_json
-      assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
-                   data['error']
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
+                    data['error']
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: @good_redirect_url,
+              omniauth_window_type: 'newWindow'
+            }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: { auth_origin_url: @good_redirect_url,
+                      omniauth_window_type: 'newWindow' }
+
+        follow_all_redirects!
+
+        data = get_parsed_data_json
+        assert_equal @user_email, data['email']
+      end
     end
 
-    test 'request to whitelisted redirect should succeed' do
-      get '/auth/facebook',
-          params: {
-            auth_origin_url: @good_redirect_url,
-            omniauth_window_type: 'newWindow'
+    describe "sameWindow" do
+      before do
+        @user_email = 'slemp.diggler@sillybandz.gov'
+        OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+          provider: 'facebook',
+          uid: '123545',
+          info: {
+            name: 'chong',
+            email: @user_email
           }
+        )
+        @good_redirect_url = '/auth_origin'
+        @bad_redirect_url = Faker::Internet.url
+        DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+      end
 
-      follow_all_redirects!
+      teardown do
+        DeviseTokenAuth.redirect_whitelist = nil
+      end
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
-    end
+      test 'request using non-whitelisted redirect fail' do
+        get '/auth/facebook',
+            params: { auth_origin_url: @bad_redirect_url,
+                      omniauth_window_type: 'sameWindow' }
 
-    test 'should support wildcards' do
-      DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-      get '/auth/facebook',
-          params: { auth_origin_url: @good_redirect_url,
-                    omniauth_window_type: 'newWindow' }
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
+      end
+
+      test 'request to whitelisted redirect should succeed' do
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
+
+      test 'should support wildcards' do
+        DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
+        get '/auth/facebook',
+            params: {
+              auth_origin_url: '/auth_origin',
+              omniauth_window_type: 'sameWindow'
+            }
+
+        follow_all_redirects!
+
+        assert_equal 200, response.status
+        assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
+      end
 
-      follow_all_redirects!
 
-      data = get_parsed_data_json
-      assert_equal @user_email, data['email']
     end
+
   end
 end