devise_token_auth 1.1.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87)
  1. checksums.yaml +4 -4
  2. data/app/controllers/devise_token_auth/application_controller.rb +10 -2
  3. data/app/controllers/devise_token_auth/concerns/resource_finder.rb +14 -1
  4. data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +31 -7
  5. data/app/controllers/devise_token_auth/confirmations_controller.rb +9 -4
  6. data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +27 -4
  7. data/app/controllers/devise_token_auth/passwords_controller.rb +37 -15
  8. data/app/controllers/devise_token_auth/registrations_controller.rb +1 -1
  9. data/app/controllers/devise_token_auth/sessions_controller.rb +7 -1
  10. data/app/controllers/devise_token_auth/unlocks_controller.rb +6 -2
  11. data/app/models/devise_token_auth/concerns/active_record_support.rb +0 -2
  12. data/app/models/devise_token_auth/concerns/confirmable_support.rb +28 -0
  13. data/app/models/devise_token_auth/concerns/tokens_serialization.rb +16 -4
  14. data/app/models/devise_token_auth/concerns/user.rb +9 -10
  15. data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +4 -1
  16. data/app/validators/devise_token_auth_email_validator.rb +1 -1
  17. data/app/views/devise_token_auth/omniauth_external_window.html.erb +1 -1
  18. data/config/locales/da-DK.yml +2 -0
  19. data/config/locales/de.yml +2 -0
  20. data/config/locales/en.yml +5 -0
  21. data/config/locales/es.yml +2 -0
  22. data/config/locales/fr.yml +2 -0
  23. data/config/locales/he.yml +2 -0
  24. data/config/locales/it.yml +2 -0
  25. data/config/locales/ja.yml +3 -1
  26. data/config/locales/ko.yml +51 -0
  27. data/config/locales/nl.yml +2 -0
  28. data/config/locales/pl.yml +6 -3
  29. data/config/locales/pt-BR.yml +2 -0
  30. data/config/locales/pt.yml +6 -3
  31. data/config/locales/ro.yml +2 -0
  32. data/config/locales/ru.yml +2 -0
  33. data/config/locales/sq.yml +2 -0
  34. data/config/locales/sv.yml +2 -0
  35. data/config/locales/uk.yml +2 -0
  36. data/config/locales/vi.yml +2 -0
  37. data/config/locales/zh-CN.yml +2 -0
  38. data/config/locales/zh-HK.yml +2 -0
  39. data/config/locales/zh-TW.yml +2 -0
  40. data/lib/devise_token_auth/blacklist.rb +5 -1
  41. data/lib/devise_token_auth/controllers/helpers.rb +5 -9
  42. data/lib/devise_token_auth/engine.rb +11 -1
  43. data/lib/devise_token_auth/rails/routes.rb +15 -10
  44. data/lib/devise_token_auth/url.rb +3 -0
  45. data/lib/devise_token_auth/version.rb +1 -1
  46. data/lib/generators/devise_token_auth/USAGE +1 -1
  47. data/lib/generators/devise_token_auth/install_generator.rb +4 -4
  48. data/lib/generators/devise_token_auth/install_mongoid_generator.rb +2 -2
  49. data/lib/generators/devise_token_auth/templates/devise_token_auth.rb +5 -0
  50. data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +1 -1
  51. data/lib/generators/devise_token_auth/templates/user.rb.erb +2 -2
  52. data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb +2 -2
  53. data/test/controllers/devise_token_auth/confirmations_controller_test.rb +95 -19
  54. data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +108 -43
  55. data/test/controllers/devise_token_auth/passwords_controller_test.rb +185 -29
  56. data/test/controllers/devise_token_auth/registrations_controller_test.rb +31 -18
  57. data/test/controllers/devise_token_auth/sessions_controller_test.rb +39 -10
  58. data/test/controllers/devise_token_auth/unlocks_controller_test.rb +21 -4
  59. data/test/controllers/overrides/confirmations_controller_test.rb +1 -1
  60. data/test/dummy/app/active_record/confirmable_user.rb +11 -0
  61. data/test/dummy/app/mongoid/confirmable_user.rb +52 -0
  62. data/test/dummy/app/views/layouts/application.html.erb +0 -2
  63. data/test/dummy/config/application.rb +0 -1
  64. data/test/dummy/config/environments/development.rb +0 -10
  65. data/test/dummy/config/environments/production.rb +0 -16
  66. data/test/dummy/config/initializers/figaro.rb +1 -1
  67. data/test/dummy/config/initializers/omniauth.rb +1 -0
  68. data/test/dummy/config/routes.rb +2 -0
  69. data/test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb +49 -0
  70. data/test/dummy/db/schema.rb +26 -1
  71. data/test/dummy/tmp/generators/app/controllers/application_controller.rb +6 -0
  72. data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb +56 -0
  73. data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb +60 -0
  74. data/test/factories/users.rb +2 -1
  75. data/test/lib/devise_token_auth/blacklist_test.rb +11 -3
  76. data/test/lib/devise_token_auth/rails/custom_routes_test.rb +29 -0
  77. data/test/lib/devise_token_auth/rails/routes_test.rb +87 -0
  78. data/test/lib/devise_token_auth/url_test.rb +2 -2
  79. data/test/lib/generators/devise_token_auth/install_generator_test.rb +1 -1
  80. data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb +1 -1
  81. data/test/models/concerns/tokens_serialization_test.rb +39 -5
  82. data/test/models/confirmable_user_test.rb +35 -0
  83. data/test/test_helper.rb +35 -4
  84. metadata +27 -14
  85. data/test/dummy/config/initializers/assets.rb +0 -10
  86. data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb +0 -5
  87. data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb +0 -8
@@ -85,37 +85,89 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
85
85
  end
86
86
 
87
87
  describe 'request password reset' do
88
- describe 'unknown user should return 404' do
89
- before do
90
- post :create,
91
- params: { email: 'chester@cheet.ah',
92
- redirect_url: @redirect_url }
93
- @data = JSON.parse(response.body)
94
- end
88
+ describe 'unknown user' do
89
+ describe 'without paranoid mode' do
90
+ before do
91
+ post :create,
92
+ params: { email: 'chester@cheet.ah',
93
+ redirect_url: @redirect_url }
94
+ @data = JSON.parse(response.body)
95
+ end
95
96
 
96
- test 'unknown user should return 404' do
97
- assert_equal 404, response.status
97
+ test 'unknown user should return 404' do
98
+ assert_equal 404, response.status
99
+ end
100
+
101
+ test 'errors should be returned' do
102
+ assert @data['errors']
103
+ assert_equal @data['errors'],
104
+ [I18n.t('devise_token_auth.passwords.user_not_found',
105
+ email: 'chester@cheet.ah')]
106
+ end
98
107
  end
99
108
 
100
- test 'errors should be returned' do
101
- assert @data['errors']
102
- assert_equal @data['errors'],
103
- [I18n.t('devise_token_auth.passwords.user_not_found',
104
- email: 'chester@cheet.ah')]
109
+ describe 'with paranoid mode' do
110
+ before do
111
+ swap Devise, paranoid: true do
112
+ post :create,
113
+ params: { email: 'chester@cheet.ah',
114
+ redirect_url: @redirect_url }
115
+ @data = JSON.parse(response.body)
116
+ end
117
+ end
118
+
119
+ test 'unknown user should return 404' do
120
+ assert_equal 404, response.status
121
+ end
122
+
123
+ test 'errors should be returned' do
124
+ assert @data['errors']
125
+ assert_equal @data['errors'],
126
+ [I18n.t('devise_token_auth.passwords.sended_paranoid')]
127
+ end
105
128
  end
106
129
  end
107
130
 
108
131
  describe 'successfully requested password reset' do
109
- before do
110
- post :create,
111
- params: { email: @resource.email,
112
- redirect_url: @redirect_url }
132
+ describe 'without paranoid mode' do
133
+ before do
134
+ post :create,
135
+ params: { email: @resource.email,
136
+ redirect_url: @redirect_url }
113
137
 
114
- @data = JSON.parse(response.body)
138
+ @data = JSON.parse(response.body)
139
+ end
140
+
141
+ test 'response should not contain extra data' do
142
+ assert_nil @data['data']
143
+ end
144
+
145
+ test 'response should contains message' do
146
+ assert_equal \
147
+ @data['message'],
148
+ I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
149
+ end
115
150
  end
116
151
 
117
- test 'response should not contain extra data' do
118
- assert_nil @data['data']
152
+ describe 'with paranoid mode' do
153
+ before do
154
+ swap Devise, paranoid: true do
155
+ post :create,
156
+ params: { email: @resource.email,
157
+ redirect_url: @redirect_url }
158
+ @data = JSON.parse(response.body)
159
+ end
160
+ end
161
+
162
+ test 'response should return success status' do
163
+ assert_equal 200, response.status
164
+ end
165
+
166
+ test 'response should contain message' do
167
+ assert_equal \
168
+ @data['message'],
169
+ I18n.t('devise_token_auth.passwords.sended_paranoid')
170
+ end
119
171
  end
120
172
  end
121
173
 
@@ -239,10 +291,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
239
291
  end
240
292
  end
241
293
 
242
- describe 'Cheking reset_password_token' do
294
+ describe 'Checking reset_password_token' do
243
295
  before do
244
296
  post :create, params: {
245
- email: @resource.email,
297
+ email: @resource.email,
246
298
  redirect_url: @redirect_url
247
299
  }
248
300
 
@@ -440,6 +492,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
440
492
 
441
493
  describe 'success' do
442
494
  before do
495
+ DeviseTokenAuth.require_client_password_reset_token = false
443
496
  @auth_headers = @resource.create_new_auth_token
444
497
  request.headers.merge!(@auth_headers)
445
498
  @new_password = Faker::Internet.password
@@ -504,6 +557,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
504
557
 
505
558
  describe 'current password mismatch error' do
506
559
  before do
560
+ DeviseTokenAuth.require_client_password_reset_token = false
507
561
  @auth_headers = @resource.create_new_auth_token
508
562
  request.headers.merge!(@auth_headers)
509
563
  @new_password = Faker::Internet.password
@@ -520,7 +574,35 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
520
574
  end
521
575
 
522
576
  describe 'change password' do
523
- describe 'success' do
577
+ describe 'using reset token' do
578
+ before do
579
+ DeviseTokenAuth.require_client_password_reset_token = true
580
+ @redirect_url = 'http://client-app.dev'
581
+ get_reset_token
582
+ edit_url = CGI.unescape(@mail.body.match(/href=\"(.+)\"/)[1])
583
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(edit_url).query)
584
+ get :edit, params: query_parts
585
+ end
586
+
587
+ test 'request should be redirect' do
588
+ assert_equal 302, response.status
589
+ end
590
+
591
+ test 'request should redirect to correct redirect url' do
592
+ host = URI.parse(response.location).host
593
+ query_parts = Rack::Utils.parse_nested_query(URI.parse(response.location).query)
594
+
595
+ assert_equal 'client-app.dev', host
596
+ assert_equal @mail_reset_token, query_parts['reset_password_token']
597
+ assert_equal 1, query_parts.keys.size
598
+ end
599
+
600
+ teardown do
601
+ DeviseTokenAuth.require_client_password_reset_token = false
602
+ end
603
+ end
604
+
605
+ describe 'with valid headers' do
524
606
  before do
525
607
  @auth_headers = @resource.create_new_auth_token
526
608
  request.headers.merge!(@auth_headers)
@@ -567,19 +649,93 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
567
649
  end
568
650
  end
569
651
 
570
- describe 'unauthorized user' do
652
+ describe 'without valid headers' do
571
653
  before do
572
- @auth_headers = @resource.create_new_auth_token
573
- @new_password = Faker::Internet.password
654
+ @resource.create_new_auth_token
655
+ new_password = Faker::Internet.password
574
656
 
575
- put :update, params: { password: @new_password,
576
- password_confirmation: @new_password }
657
+ put :update, params: { password: new_password,
658
+ password_confirmation: new_password }
577
659
  end
578
660
 
579
661
  test 'response should fail' do
580
662
  assert_equal 401, response.status
581
663
  end
582
664
  end
665
+
666
+ describe 'with valid reset password token' do
667
+ before do
668
+ reset_password_token = @resource.send_reset_password_instructions
669
+ @new_password = Faker::Internet.password
670
+ @params = { password: @new_password,
671
+ password_confirmation: @new_password,
672
+ reset_password_token: reset_password_token }
673
+ end
674
+
675
+ describe 'with require_client_password_reset_token disabled' do
676
+ before do
677
+ DeviseTokenAuth.require_client_password_reset_token = false
678
+ put :update, params: @params
679
+
680
+ @data = JSON.parse(response.body)
681
+ @resource.reload
682
+ end
683
+
684
+ test 'request should be not be successful' do
685
+ assert_equal 401, response.status
686
+ end
687
+ end
688
+
689
+ describe 'with require_client_password_reset_token enabled' do
690
+ before do
691
+ DeviseTokenAuth.require_client_password_reset_token = true
692
+ put :update, params: @params
693
+
694
+ @data = JSON.parse(response.body)
695
+ @resource.reload
696
+ end
697
+
698
+ test 'request should be successful' do
699
+ assert_equal 200, response.status
700
+ end
701
+
702
+ test 'request should return success message' do
703
+ assert @data['message']
704
+ assert_equal @data['message'],
705
+ I18n.t('devise_token_auth.passwords.successfully_updated')
706
+ end
707
+
708
+ test 'new password should authenticate user' do
709
+ assert @resource.valid_password?(@new_password)
710
+ end
711
+
712
+ teardown do
713
+ DeviseTokenAuth.require_client_password_reset_token = false
714
+ end
715
+ end
716
+ end
717
+
718
+ describe 'with invalid reset password token' do
719
+ before do
720
+ DeviseTokenAuth.require_client_password_reset_token = true
721
+ @resource.update reset_password_token: 'koskoskoskos'
722
+ put :update, params: @params
723
+ @data = JSON.parse(response.body)
724
+ @resource.reload
725
+ end
726
+
727
+ test 'request should fail' do
728
+ assert_equal 401, response.status
729
+ end
730
+
731
+ test 'new password should not authenticate user' do
732
+ assert !@resource.valid_password?(@new_password)
733
+ end
734
+
735
+ teardown do
736
+ DeviseTokenAuth.require_client_password_reset_token = false
737
+ end
738
+ end
583
739
  end
584
740
  end
585
741
 
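Review bot: Under `describe 'with paranoid mode'` for an unknown user (new lines 109–127) the test pins a 404 with the text under `errors`, while the paranoid-mode success case (new lines 152–170) pins 200 with the same text under `message`, so the status code and the JSON key still tell a caller whether an address is registered — the one thing paranoid mode exists to hide. Unless the controller keeps that distinction on purpose, the unknown-user case should assert `assert_equal 200, response.status` and read `@data['message']`, with the controller changed to match; the unlocks test added at @@ -68 pins the same 404. Separately, in the @@ -567 hunk the `before` of `describe 'with invalid reset password token'` (new lines 718–725) sends `@params`, which is only assigned in the `before` of the sibling `describe 'with valid reset password token'` and does not run here, so unless an outer `before` outside the hunk sets it the request carries no password and no token and the 401 passes without an invalid token ever being submitted; building the request in that block, e.g. `@new_password = Faker::Internet.password` followed by `put :update, params: { password: @new_password, password_confirmation: @new_password, reset_password_token: 'bogus-token' }` (any value never issued), closes that gap, and `refute @resource.valid_password?(@new_password)` reads better than `assert !...`. The hard-coded `DeviseTokenAuth.require_client_password_reset_token = false` teardowns in this hunk and at @@ -520 could use the `swap` helper already applied to `Devise` at @@ -85 instead of mutating process-wide config. The enclosing `describe 'change password'` and the file's outer blocks start outside the hunks.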
@@ -10,6 +10,17 @@ require 'test_helper'
10
10
 
11
11
  class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
12
12
  describe DeviseTokenAuth::RegistrationsController do
13
+
14
+ def mock_registration_params
15
+ {
16
+ email: Faker::Internet.email,
17
+ password: 'secret123',
18
+ password_confirmation: 'secret123',
19
+ confirm_success_url: Faker::Internet.url,
20
+ unpermitted_param: '(x_x)'
21
+ }
22
+ end
23
+
13
24
  describe 'Validate non-empty body' do
14
25
  before do
15
26
  # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
41
52
  @mails_sent = ActionMailer::Base.deliveries.count
42
53
 
43
54
  post '/auth',
44
- params: {
45
- email: Faker::Internet.email,
46
- password: 'secret123',
47
- password_confirmation: 'secret123',
48
- confirm_success_url: Faker::Internet.url,
49
- unpermitted_param: '(x_x)'
50
- }
55
+ params: mock_registration_params
51
56
 
52
57
  @resource = assigns(:resource)
53
58
  @data = JSON.parse(response.body)
@@ -87,17 +92,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
87
92
  before do
88
93
  @original_duration = Devise.allow_unconfirmed_access_for
89
94
  Devise.allow_unconfirmed_access_for = nil
90
- post '/auth',
91
- params: {
92
- email: Faker::Internet.email,
93
- password: 'secret123',
94
- password_confirmation: 'secret123',
95
- confirm_success_url: Faker::Internet.url,
96
- unpermitted_param: '(x_x)'
97
- }
98
95
  end
99
96
 
100
97
  test 'auth headers were returned in response' do
98
+ post '/auth', params: mock_registration_params
101
99
  assert response.headers['access-token']
102
100
  assert response.headers['token-type']
103
101
  assert response.headers['client']
@@ -105,6 +103,21 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
105
103
  assert response.headers['uid']
106
104
  end
107
105
 
106
+ describe 'using auth cookie' do
107
+ before do
108
+ DeviseTokenAuth.cookie_enabled = true
109
+ end
110
+
111
+ test 'auth cookie was returned in response' do
112
+ post '/auth', params: mock_registration_params
113
+ assert response.cookies[DeviseTokenAuth.cookie_name]
114
+ end
115
+
116
+ after do
117
+ DeviseTokenAuth.cookie_enabled = false
118
+ end
119
+ end
120
+
108
121
  after do
109
122
  Devise.allow_unconfirmed_access_for = @original_duration
110
123
  end
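Review bot: The `after` of the new `describe 'using auth cookie'` (new lines 116–118) resets `DeviseTokenAuth.cookie_enabled` to a hard-coded `false` rather than the value it had, while the `after` a few lines below in this same hunk restores `@original_duration`; `@original_cookie_enabled = DeviseTokenAuth.cookie_enabled` in `before` and `DeviseTokenAuth.cookie_enabled = @original_cookie_enabled` in `after` keep the suite order-independent (the two `using auth cookie` blocks in sessions_controller_test.rb have the same shape). The only assertion is that `response.cookies[DeviseTokenAuth.cookie_name]` is present; this cookie carries the auth token, so checking the `Set-Cookie` header for HttpOnly/Secure/SameSite would pin the attributes that matter for a credential-bearing cookie, assuming the engine lets the application configure them. The enclosing `describe` starts outside the hunk.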
@@ -492,7 +505,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
492
505
  # test valid update param
493
506
  @resource_class = User
494
507
  @new_operating_thetan = 1_000_000
495
- @email = 'AlternatingCase2@example.com'
508
+ @email = Faker::Internet.safe_email
496
509
  @request_params = {
497
510
  operating_thetan: @new_operating_thetan,
498
511
  email: @email
@@ -599,7 +612,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
599
612
  # test valid update param
600
613
  @resource_class = User
601
614
  @new_operating_thetan = 1_000_000
602
- @email = 'AlternatingCase2@example.com'
615
+ @email = Faker::Internet.safe_email
603
616
  @request_params = {
604
617
  operating_thetan: @new_operating_thetan,
605
618
  email: @email
@@ -650,7 +663,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
650
663
  before do
651
664
  DeviseTokenAuth.check_current_password_before_update = :password
652
665
  @new_operating_thetan = 1_000_000
653
- @email = 'AlternatingCase2@example.com'
666
+ @email = Faker::Internet.safe_email
654
667
  end
655
668
 
656
669
  after do
@@ -17,11 +17,12 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
17
17
 
18
18
  describe 'success' do
19
19
  before do
20
- post :create,
21
- params: {
22
- email: @existing_user.email,
23
- password: @existing_user.password
24
- }
20
+ @user_session_params = {
21
+ email: @existing_user.email,
22
+ password: @existing_user.password
23
+ }
24
+
25
+ post :create, params: @user_session_params
25
26
 
26
27
  @resource = assigns(:resource)
27
28
  @data = JSON.parse(response.body)
@@ -35,17 +36,27 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
35
36
  assert_equal @existing_user.email, @data['data']['email']
36
37
  end
37
38
 
39
+ describe 'using auth cookie' do
40
+ before do
41
+ DeviseTokenAuth.cookie_enabled = true
42
+ end
43
+
44
+ test 'request should return auth cookie' do
45
+ post :create, params: @user_session_params
46
+ assert response.cookies[DeviseTokenAuth.cookie_name]
47
+ end
48
+
49
+ after do
50
+ DeviseTokenAuth.cookie_enabled = false
51
+ end
52
+ end
53
+
38
54
  describe "with multiple clients and headers don't change in each request" do
39
55
  before do
40
56
  # Set the max_number_of_devices to a lower number
41
57
  # to expedite tests! (Default is 10)
42
58
  DeviseTokenAuth.max_number_of_devices = 2
43
59
  DeviseTokenAuth.change_headers_on_each_request = false
44
-
45
- @user_session_params = {
46
- email: @existing_user.email,
47
- password: @existing_user.password
48
- }
49
60
  end
50
61
 
51
62
  test 'should limit the maximum number of concurrent devices' do
@@ -159,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
159
170
  test 'session was destroyed' do
160
171
  assert_equal true, @controller.reset_session_called
161
172
  end
173
+
174
+ describe 'using auth cookie' do
175
+ before do
176
+ DeviseTokenAuth.cookie_enabled = true
177
+ @auth_token = @existing_user.create_new_auth_token
178
+ @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
179
+ end
180
+
181
+ test 'auth cookie was destroyed' do
182
+ assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
183
+ delete :destroy, format: :json
184
+ assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
185
+ end
186
+
187
+ after do
188
+ DeviseTokenAuth.cookie_enabled = false
189
+ end
190
+ end
162
191
  end
163
192
 
164
193
  describe 'unauthed user sign out' do
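Review bot: The sign-out `describe 'using auth cookie'` (new lines 174–190) seeds and reads the cookie via `@controller.send(:cookies)`, bypassing the controller's method visibility; `ActionController::TestCase` provides a `cookies` jar for exactly this, so `cookies[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }` in `before` and `assert_nil cookies[DeviseTokenAuth.cookie_name]` after the `delete` should express the same thing without `send` — worth confirming the test jar and the controller's jar are the same object in the Rails version under test. The sanity-check equality on new line 182 would read from `cookies` the same way. The enclosing `describe` starts outside the hunk.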
@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
57
57
  end
58
58
 
59
59
  describe 'request unlock' do
60
- describe 'unknown user should return 404' do
60
+ describe 'without paranoid mode' do
61
61
  before do
62
62
  post :create, params: { email: 'chester@cheet.ah' }
63
63
  @data = JSON.parse(response.body)
@@ -68,9 +68,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
68
68
 
69
69
  test 'errors should be returned' do
70
70
  assert @data['errors']
71
- assert_equal @data['errors'],
72
- [I18n.t('devise_token_auth.passwords.user_not_found',
73
- email: 'chester@cheet.ah')]
71
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
72
+ email: 'chester@cheet.ah')]
73
+ end
74
+ end
75
+
76
+ describe 'with paranoid mode' do
77
+ before do
78
+ swap Devise, paranoid: true do
79
+ post :create, params: { email: 'chester@cheet.ah' }
80
+ @data = JSON.parse(response.body)
81
+ end
82
+ end
83
+
84
+ test 'unknown user should return 404' do
85
+ assert_equal 404, response.status
86
+ end
87
+
88
+ test 'errors should be returned' do
89
+ assert @data['errors']
90
+ assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
74
91
  end
75
92
  end
76
93