devise_token_auth 1.1.2 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/devise_token_auth/application_controller.rb +10 -2
- data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
- data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
- data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
- data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
- data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
- data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
- data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
- data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
- data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
- data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
- data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
- data/app/models/devise_token_auth/concerns/user.rb +9 -10
- data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
- data/app/validators/devise_token_auth_email_validator.rb +1 -1
- data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
- data/config/locales/da-DK.yml +2 -0
- data/config/locales/de.yml +2 -0
- data/config/locales/en.yml +5 -0
- data/config/locales/es.yml +2 -0
- data/config/locales/fr.yml +2 -0
- data/config/locales/he.yml +2 -0
- data/config/locales/it.yml +2 -0
- data/config/locales/ja.yml +3 -1
- data/config/locales/ko.yml +51 -0
- data/config/locales/nl.yml +2 -0
- data/config/locales/pl.yml +6 -3
- data/config/locales/pt-BR.yml +2 -0
- data/config/locales/pt.yml +6 -3
- data/config/locales/ro.yml +2 -0
- data/config/locales/ru.yml +2 -0
- data/config/locales/sq.yml +2 -0
- data/config/locales/sv.yml +2 -0
- data/config/locales/uk.yml +2 -0
- data/config/locales/vi.yml +2 -0
- data/config/locales/zh-CN.yml +2 -0
- data/config/locales/zh-HK.yml +2 -0
- data/config/locales/zh-TW.yml +2 -0
- data/lib/devise_token_auth/blacklist.rb +5 -1
- data/lib/devise_token_auth/controllers/helpers.rb +5 -9
- data/lib/devise_token_auth/engine.rb +11 -1
- data/lib/devise_token_auth/rails/routes.rb +15 -10
- data/lib/devise_token_auth/url.rb +3 -0
- data/lib/devise_token_auth/version.rb +1 -1
- data/lib/generators/devise_token_auth/USAGE +1 -1
- data/lib/generators/devise_token_auth/install_generator.rb +4 -4
- data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
- data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
- data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
- data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
- data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
- data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
- data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
- data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
- data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
- data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
- data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
- data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
- data/test/dummy/app/active_record/confirmable_user.rb +11 -0
- data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
- data/test/dummy/app/views/layouts/application.html.erb +0 -2
- data/test/dummy/config/application.rb +0 -1
- data/test/dummy/config/environments/development.rb +0 -10
- data/test/dummy/config/environments/production.rb +0 -16
- data/test/dummy/config/initializers/figaro.rb +1 -1
- data/test/dummy/config/initializers/omniauth.rb +1 -0
- data/test/dummy/config/routes.rb +2 -0
- data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
- data/test/dummy/db/schema.rb +26 -1
- data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
- data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
- data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
- data/test/factories/users.rb +2 -1
- data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
- data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
- data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
- data/test/lib/devise_token_auth/url_test.rb +2 -2
- data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
- data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
- data/test/models/concerns/tokens_serialization_test.rb +39 -5
- data/test/models/confirmable_user_test.rb +35 -0
- data/test/test_helper.rb +35 -4
- metadata +27 -14
- data/test/dummy/config/initializers/assets.rb +0 -10
- data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
- data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
@@ -34,12 +34,6 @@ module DeviseTokenAuth
|
|
34
34
|
class_eval <<-METHODS, __FILE__, __LINE__ + 1
|
35
35
|
def authenticate_#{group_name}!(favourite=nil, opts={})
|
36
36
|
unless #{group_name}_signed_in?
|
37
|
-
mappings = #{mappings}
|
38
|
-
mappings.unshift mappings.delete(favourite.to_sym) if favourite
|
39
|
-
mappings.each do |mapping|
|
40
|
-
set_user_by_token(mapping)
|
41
|
-
end
|
42
|
-
|
43
37
|
unless current_#{group_name}
|
44
38
|
render_authenticate_error
|
45
39
|
end
|
@@ -47,12 +41,14 @@ module DeviseTokenAuth
|
|
47
41
|
end
|
48
42
|
|
49
43
|
def #{group_name}_signed_in?
|
50
|
-
#{
|
51
|
-
set_user_by_token(mapping)
|
52
|
-
end
|
44
|
+
!!current_#{group_name}
|
53
45
|
end
|
54
46
|
|
55
47
|
def current_#{group_name}(favourite=nil)
|
48
|
+
@current_#{group_name} ||= set_group_user_by_token(favourite)
|
49
|
+
end
|
50
|
+
|
51
|
+
def set_group_user_by_token(favourite)
|
56
52
|
mappings = #{mappings}
|
57
53
|
mappings.unshift mappings.delete(favourite.to_sym) if favourite
|
58
54
|
mappings.each do |mapping|
|
@@ -25,7 +25,12 @@ module DeviseTokenAuth
|
|
25
25
|
:remove_tokens_after_password_reset,
|
26
26
|
:default_callbacks,
|
27
27
|
:headers_names,
|
28
|
-
:
|
28
|
+
:cookie_enabled,
|
29
|
+
:cookie_name,
|
30
|
+
:cookie_attributes,
|
31
|
+
:bypass_sign_in,
|
32
|
+
:send_confirmation_email,
|
33
|
+
:require_client_password_reset_token
|
29
34
|
|
30
35
|
self.change_headers_on_each_request = true
|
31
36
|
self.max_number_of_devices = 10
|
@@ -45,7 +50,12 @@ module DeviseTokenAuth
|
|
45
50
|
'expiry': 'expiry',
|
46
51
|
'uid': 'uid',
|
47
52
|
'token-type': 'token-type' }
|
53
|
+
self.cookie_enabled = false
|
54
|
+
self.cookie_name = 'auth_cookie'
|
55
|
+
self.cookie_attributes = {}
|
48
56
|
self.bypass_sign_in = true
|
57
|
+
self.send_confirmation_email = false
|
58
|
+
self.require_client_password_reset_token = false
|
49
59
|
|
50
60
|
def self.setup(&block)
|
51
61
|
yield self
|
@@ -8,26 +8,31 @@ module ActionDispatch::Routing
|
|
8
8
|
opts[:skip] ||= []
|
9
9
|
|
10
10
|
# check for ctrl overrides, fall back to defaults
|
11
|
-
sessions_ctrl = opts[:controllers]
|
12
|
-
registrations_ctrl = opts[:controllers]
|
13
|
-
passwords_ctrl = opts[:controllers]
|
14
|
-
confirmations_ctrl = opts[:controllers]
|
15
|
-
token_validations_ctrl = opts[:controllers]
|
16
|
-
omniauth_ctrl = opts[:controllers]
|
17
|
-
unlocks_ctrl = opts[:controllers]
|
11
|
+
sessions_ctrl = opts[:controllers].delete(:sessions) || 'devise_token_auth/sessions'
|
12
|
+
registrations_ctrl = opts[:controllers].delete(:registrations) || 'devise_token_auth/registrations'
|
13
|
+
passwords_ctrl = opts[:controllers].delete(:passwords) || 'devise_token_auth/passwords'
|
14
|
+
confirmations_ctrl = opts[:controllers].delete(:confirmations) || 'devise_token_auth/confirmations'
|
15
|
+
token_validations_ctrl = opts[:controllers].delete(:token_validations) || 'devise_token_auth/token_validations'
|
16
|
+
omniauth_ctrl = opts[:controllers].delete(:omniauth_callbacks) || 'devise_token_auth/omniauth_callbacks'
|
17
|
+
unlocks_ctrl = opts[:controllers].delete(:unlocks) || 'devise_token_auth/unlocks'
|
18
|
+
|
19
|
+
# check for resource override
|
20
|
+
route = opts[:as] || resource.pluralize.underscore.gsub('/', '_')
|
18
21
|
|
19
22
|
# define devise controller mappings
|
20
|
-
controllers =
|
23
|
+
controllers = opts[:controllers].merge(
|
24
|
+
sessions: sessions_ctrl,
|
21
25
|
registrations: registrations_ctrl,
|
22
26
|
passwords: passwords_ctrl,
|
23
|
-
confirmations: confirmations_ctrl
|
27
|
+
confirmations: confirmations_ctrl
|
28
|
+
)
|
24
29
|
|
25
30
|
controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
|
26
31
|
|
27
32
|
# remove any unwanted devise modules
|
28
33
|
opts[:skip].each{ |item| controllers.delete(item) }
|
29
34
|
|
30
|
-
devise_for
|
35
|
+
devise_for route.to_sym,
|
31
36
|
class_name: resource,
|
32
37
|
module: :devise,
|
33
38
|
path: opts[:at].to_s,
|
@@ -11,6 +11,9 @@ module DeviseTokenAuth::Url
|
|
11
11
|
query = [uri.query, params.to_query].reject(&:blank?).join('&')
|
12
12
|
res += "?#{query}"
|
13
13
|
res += "##{uri.fragment}" if uri.fragment
|
14
|
+
# repeat any query params after the fragment to deal with Angular eating any pre fragment query params, used
|
15
|
+
# in the reset password redirect url
|
16
|
+
res += "?#{query}" if uri.fragment
|
14
17
|
|
15
18
|
res
|
16
19
|
end
|
@@ -8,7 +8,7 @@ Arguments:
|
|
8
8
|
# 'User'
|
9
9
|
MOUNT_PATH # The path at which to mount the authentication routes. Default is
|
10
10
|
# 'auth'. More detail documentation is here:
|
11
|
-
# https://
|
11
|
+
# https://devise-token-auth.gitbook.io/devise-token-auth/usage
|
12
12
|
|
13
13
|
Example:
|
14
14
|
rails generate devise_token_auth:install User auth
|
@@ -26,7 +26,7 @@ module DeviseTokenAuth
|
|
26
26
|
inclusion = 'include DeviseTokenAuth::Concerns::User'
|
27
27
|
unless parse_file_for_line(fname, inclusion)
|
28
28
|
|
29
|
-
active_record_needle = (Rails::VERSION::MAJOR
|
29
|
+
active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
|
30
30
|
inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
|
31
31
|
# Include default devise modules.
|
32
32
|
devise :database_authenticatable, :registerable,
|
@@ -75,12 +75,12 @@ module DeviseTokenAuth
|
|
75
75
|
ActiveRecord::Base.connection.select_value('SELECT VERSION()')
|
76
76
|
end
|
77
77
|
|
78
|
-
def
|
79
|
-
Rails
|
78
|
+
def rails_5_or_newer?
|
79
|
+
Rails::VERSION::MAJOR >= 5
|
80
80
|
end
|
81
81
|
|
82
82
|
def primary_key_type
|
83
|
-
primary_key_string if
|
83
|
+
primary_key_string if rails_5_or_newer?
|
84
84
|
end
|
85
85
|
|
86
86
|
def primary_key_string
|
@@ -29,9 +29,9 @@ module DeviseTokenAuth
|
|
29
29
|
field :tokens, type: Hash, default: {}
|
30
30
|
|
31
31
|
# Include default devise modules. Others available are:
|
32
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
32
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
33
33
|
devise :database_authenticatable, :registerable,
|
34
|
-
:recoverable, :rememberable, :
|
34
|
+
:recoverable, :rememberable, :validatable
|
35
35
|
include DeviseTokenAuth::Concerns::User
|
36
36
|
|
37
37
|
index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
|
@@ -52,4 +52,9 @@ DeviseTokenAuth.setup do |config|
|
|
52
52
|
# If, however, you wish to integrate with legacy Devise authentication, you can
|
53
53
|
# do so by enabling this flag. NOTE: This feature is highly experimental!
|
54
54
|
# config.enable_standard_devise_support = false
|
55
|
+
|
56
|
+
# By default DeviseTokenAuth will not send confirmation email, even when including
|
57
|
+
# devise confirmable module. If you want to use devise confirmable module and
|
58
|
+
# send email, set it to true. (This is a setting for compatibility)
|
59
|
+
# config.send_confirmation_email = true
|
55
60
|
end
|
@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
|
|
44
44
|
add_index :<%= table_name %>, [:uid, :provider], unique: true
|
45
45
|
add_index :<%= table_name %>, :reset_password_token, unique: true
|
46
46
|
add_index :<%= table_name %>, :confirmation_token, unique: true
|
47
|
-
# add_index :<%= table_name %>, :unlock_token,
|
47
|
+
# add_index :<%= table_name %>, :unlock_token, unique: true
|
48
48
|
end
|
49
49
|
end
|
@@ -2,8 +2,8 @@
|
|
2
2
|
|
3
3
|
class <%= user_class %> < ActiveRecord::Base
|
4
4
|
# Include default devise modules. Others available are:
|
5
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
5
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
6
6
|
devise :database_authenticatable, :registerable,
|
7
|
-
:recoverable, :rememberable, :
|
7
|
+
:recoverable, :rememberable, :validatable
|
8
8
|
include DeviseTokenAuth::Concerns::User
|
9
9
|
end
|
@@ -43,9 +43,9 @@ class <%= user_class %>
|
|
43
43
|
field :tokens, type: Hash, default: {}
|
44
44
|
|
45
45
|
# Include default devise modules. Others available are:
|
46
|
-
# :confirmable, :lockable, :timeoutable and :omniauthable
|
46
|
+
# :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
|
47
47
|
devise :database_authenticatable, :registerable,
|
48
|
-
:recoverable, :rememberable, :
|
48
|
+
:recoverable, :rememberable, :validatable
|
49
49
|
include DeviseTokenAuth::Concerns::User
|
50
50
|
|
51
51
|
index({ email: 1 }, { name: 'email_index', unique: true, background: true })
|
@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
53
53
|
assert @resource.confirmed?
|
54
54
|
end
|
55
55
|
|
56
|
+
test 'should save the authentication token' do
|
57
|
+
assert @resource.reload.tokens.present?
|
58
|
+
end
|
59
|
+
|
56
60
|
test 'should redirect to success url' do
|
57
61
|
assert_redirected_to(/^#{@redirect_url}/)
|
58
62
|
end
|
@@ -88,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
|
|
88
92
|
end
|
89
93
|
|
90
94
|
describe 'resend confirmation' do
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
95
|
+
describe 'without paranoid mode' do
|
96
|
+
|
97
|
+
describe 'on success' do
|
98
|
+
before do
|
99
|
+
post :create,
|
100
|
+
params: { email: @new_user.email,
|
101
|
+
redirect_url: @redirect_url },
|
102
|
+
xhr: true
|
103
|
+
@resource = assigns(:resource)
|
104
|
+
@data = JSON.parse(response.body)
|
105
|
+
@mail = ActionMailer::Base.deliveries.last
|
106
|
+
@token, @client_config = token_and_client_config_from(@mail.body)
|
107
|
+
end
|
108
|
+
|
109
|
+
test 'user should not be confirmed' do
|
110
|
+
assert_nil @resource.confirmed_at
|
111
|
+
end
|
112
|
+
|
113
|
+
test 'should generate raw token' do
|
114
|
+
assert @token
|
115
|
+
assert_equal @new_user.confirmation_token, @token
|
116
|
+
end
|
117
|
+
|
118
|
+
test 'user should receive confirmation email' do
|
119
|
+
assert_equal @resource.email, @mail['to'].to_s
|
120
|
+
end
|
121
|
+
|
122
|
+
test 'response should contain message' do
|
123
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
describe 'on failure' do
|
128
|
+
before do
|
129
|
+
post :create,
|
130
|
+
params: { email: 'chester@cheet.ah',
|
131
|
+
redirect_url: @redirect_url },
|
132
|
+
xhr: true
|
133
|
+
@data = JSON.parse(response.body)
|
134
|
+
end
|
135
|
+
|
136
|
+
test 'response should contain errors' do
|
137
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
|
138
|
+
end
|
139
|
+
end
|
104
140
|
end
|
141
|
+
end
|
105
142
|
|
106
|
-
|
107
|
-
|
108
|
-
|
143
|
+
describe 'with paranoid mode' do
|
144
|
+
describe 'on success' do
|
145
|
+
before do
|
146
|
+
swap Devise, paranoid: true do
|
147
|
+
post :create,
|
148
|
+
params: { email: @new_user.email,
|
149
|
+
redirect_url: @redirect_url },
|
150
|
+
xhr: true
|
151
|
+
@resource = assigns(:resource)
|
152
|
+
@data = JSON.parse(response.body)
|
153
|
+
@mail = ActionMailer::Base.deliveries.last
|
154
|
+
@token, @client_config = token_and_client_config_from(@mail.body)
|
155
|
+
end
|
156
|
+
end
|
157
|
+
|
158
|
+
test 'user should not be confirmed' do
|
159
|
+
assert_nil @resource.confirmed_at
|
160
|
+
end
|
161
|
+
|
162
|
+
test 'should generate raw token' do
|
163
|
+
assert @token
|
164
|
+
assert_equal @new_user.confirmation_token, @token
|
165
|
+
end
|
166
|
+
|
167
|
+
test 'user should receive confirmation email' do
|
168
|
+
assert_equal @resource.email, @mail['to'].to_s
|
169
|
+
end
|
170
|
+
|
171
|
+
test 'response should contain message' do
|
172
|
+
assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
|
173
|
+
end
|
109
174
|
end
|
110
175
|
|
111
|
-
|
112
|
-
|
176
|
+
describe 'on failure' do
|
177
|
+
before do
|
178
|
+
swap Devise, paranoid: true do
|
179
|
+
post :create,
|
180
|
+
params: { email: 'chester@cheet.ah',
|
181
|
+
redirect_url: @redirect_url },
|
182
|
+
xhr: true
|
183
|
+
@data = JSON.parse(response.body)
|
184
|
+
end
|
185
|
+
end
|
186
|
+
|
187
|
+
test 'response should contain errors' do
|
188
|
+
assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
|
189
|
+
end
|
113
190
|
end
|
114
|
-
|
115
191
|
end
|
116
192
|
end
|
117
193
|
|
@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
18
18
|
|
19
19
|
def get_parsed_data_json
|
20
20
|
encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
|
21
|
-
JSON.parse(
|
21
|
+
JSON.parse(CGI.unescape(encoded_json_data))
|
22
22
|
end
|
23
23
|
|
24
24
|
describe 'success callback' do
|
@@ -317,60 +317,125 @@ class OmniauthTest < ActionDispatch::IntegrationTest
|
|
317
317
|
end
|
318
318
|
|
319
319
|
describe 'Using redirect_whitelist' do
|
320
|
-
before do
|
321
|
-
@user_email = 'slemp.diggler@sillybandz.gov'
|
322
|
-
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
323
|
-
provider: 'facebook',
|
324
|
-
uid: '123545',
|
325
|
-
info: {
|
326
|
-
name: 'chong',
|
327
|
-
email: @user_email
|
328
|
-
}
|
329
|
-
)
|
330
|
-
@good_redirect_url = Faker::Internet.url
|
331
|
-
@bad_redirect_url = Faker::Internet.url
|
332
|
-
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
333
|
-
end
|
334
320
|
|
335
|
-
|
336
|
-
|
337
|
-
|
321
|
+
describe "newWindow" do
|
322
|
+
before do
|
323
|
+
@user_email = 'slemp.diggler@sillybandz.gov'
|
324
|
+
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
325
|
+
provider: 'facebook',
|
326
|
+
uid: '123545',
|
327
|
+
info: {
|
328
|
+
name: 'chong',
|
329
|
+
email: @user_email
|
330
|
+
}
|
331
|
+
)
|
332
|
+
@good_redirect_url = Faker::Internet.url
|
333
|
+
@bad_redirect_url = Faker::Internet.url
|
334
|
+
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
335
|
+
end
|
338
336
|
|
339
|
-
|
340
|
-
|
341
|
-
|
342
|
-
omniauth_window_type: 'newWindow' }
|
337
|
+
teardown do
|
338
|
+
DeviseTokenAuth.redirect_whitelist = nil
|
339
|
+
end
|
343
340
|
|
344
|
-
|
341
|
+
test 'request using non-whitelisted redirect fail' do
|
342
|
+
get '/auth/facebook',
|
343
|
+
params: { auth_origin_url: @bad_redirect_url,
|
344
|
+
omniauth_window_type: 'newWindow' }
|
345
345
|
|
346
|
-
|
347
|
-
|
348
|
-
|
346
|
+
follow_all_redirects!
|
347
|
+
|
348
|
+
data = get_parsed_data_json
|
349
|
+
assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
|
350
|
+
data['error']
|
351
|
+
end
|
352
|
+
|
353
|
+
test 'request to whitelisted redirect should succeed' do
|
354
|
+
get '/auth/facebook',
|
355
|
+
params: {
|
356
|
+
auth_origin_url: @good_redirect_url,
|
357
|
+
omniauth_window_type: 'newWindow'
|
358
|
+
}
|
359
|
+
|
360
|
+
follow_all_redirects!
|
361
|
+
|
362
|
+
data = get_parsed_data_json
|
363
|
+
assert_equal @user_email, data['email']
|
364
|
+
end
|
365
|
+
|
366
|
+
test 'should support wildcards' do
|
367
|
+
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
368
|
+
get '/auth/facebook',
|
369
|
+
params: { auth_origin_url: @good_redirect_url,
|
370
|
+
omniauth_window_type: 'newWindow' }
|
371
|
+
|
372
|
+
follow_all_redirects!
|
373
|
+
|
374
|
+
data = get_parsed_data_json
|
375
|
+
assert_equal @user_email, data['email']
|
376
|
+
end
|
349
377
|
end
|
350
378
|
|
351
|
-
|
352
|
-
|
353
|
-
|
354
|
-
|
355
|
-
|
379
|
+
describe "sameWindow" do
|
380
|
+
before do
|
381
|
+
@user_email = 'slemp.diggler@sillybandz.gov'
|
382
|
+
OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
|
383
|
+
provider: 'facebook',
|
384
|
+
uid: '123545',
|
385
|
+
info: {
|
386
|
+
name: 'chong',
|
387
|
+
email: @user_email
|
356
388
|
}
|
389
|
+
)
|
390
|
+
@good_redirect_url = '/auth_origin'
|
391
|
+
@bad_redirect_url = Faker::Internet.url
|
392
|
+
DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
|
393
|
+
end
|
357
394
|
|
358
|
-
|
395
|
+
teardown do
|
396
|
+
DeviseTokenAuth.redirect_whitelist = nil
|
397
|
+
end
|
359
398
|
|
360
|
-
|
361
|
-
|
362
|
-
|
399
|
+
test 'request using non-whitelisted redirect fail' do
|
400
|
+
get '/auth/facebook',
|
401
|
+
params: { auth_origin_url: @bad_redirect_url,
|
402
|
+
omniauth_window_type: 'sameWindow' }
|
363
403
|
|
364
|
-
|
365
|
-
|
366
|
-
|
367
|
-
|
368
|
-
|
404
|
+
follow_all_redirects!
|
405
|
+
|
406
|
+
assert_equal 200, response.status
|
407
|
+
assert_equal true, response.body.include?("Redirect to '#{@bad_redirect_url}' not allowed")
|
408
|
+
end
|
409
|
+
|
410
|
+
test 'request to whitelisted redirect should succeed' do
|
411
|
+
get '/auth/facebook',
|
412
|
+
params: {
|
413
|
+
auth_origin_url: '/auth_origin',
|
414
|
+
omniauth_window_type: 'sameWindow'
|
415
|
+
}
|
416
|
+
|
417
|
+
follow_all_redirects!
|
418
|
+
|
419
|
+
assert_equal 200, response.status
|
420
|
+
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
421
|
+
end
|
422
|
+
|
423
|
+
test 'should support wildcards' do
|
424
|
+
DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
|
425
|
+
get '/auth/facebook',
|
426
|
+
params: {
|
427
|
+
auth_origin_url: '/auth_origin',
|
428
|
+
omniauth_window_type: 'sameWindow'
|
429
|
+
}
|
430
|
+
|
431
|
+
follow_all_redirects!
|
432
|
+
|
433
|
+
assert_equal 200, response.status
|
434
|
+
assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
|
435
|
+
end
|
369
436
|
|
370
|
-
follow_all_redirects!
|
371
437
|
|
372
|
-
data = get_parsed_data_json
|
373
|
-
assert_equal @user_email, data['email']
|
374
438
|
end
|
439
|
+
|
375
440
|
end
|
376
441
|
end
|