devise_token_auth 1.1.3 → 1.2.0

data/lib/generators/devise_token_auth/USAGE

@@ -8,7 +8,7 @@ Arguments:
              # 'User'
   MOUNT_PATH # The path at which to mount the authentication routes. Default is
              # 'auth'. More detail documentation is here:
-             # https://github.com/lynndylanhurley/devise_token_auth#usage-tldr
+             # https://devise-token-auth.gitbook.io/devise-token-auth/usage
 
 Example:
   rails generate devise_token_auth:install User auth

data/lib/generators/devise_token_auth/install_generator.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         inclusion = 'include DeviseTokenAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
 
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
           inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
             # Include default devise modules.
             devise :database_authenticatable, :registerable,
@@ -75,12 +75,12 @@ module DeviseTokenAuth
       ActiveRecord::Base.connection.select_value('SELECT VERSION()')
     end
 
-    def rails5?
-      Rails.version.start_with? '5'
+    def rails_5_or_newer?
+      Rails::VERSION::MAJOR >= 5
     end
 
     def primary_key_type
-      primary_key_string if rails5?
+      primary_key_string if rails_5_or_newer?
     end
 
     def primary_key_string

data/lib/generators/devise_token_auth/install_mongoid_generator.rb

@@ -29,9 +29,9 @@ module DeviseTokenAuth
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -52,4 +52,9 @@ DeviseTokenAuth.setup do |config|
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
   # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb

@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
     add_index :<%= table_name %>, [:uid, :provider],     unique: true
     add_index :<%= table_name %>, :reset_password_token, unique: true
     add_index :<%= table_name %>, :confirmation_token,   unique: true
-    # add_index :<%= table_name %>, :unlock_token,       unique: true
+    # add_index :<%= table_name %>, :unlock_token,         unique: true
   end
 end

data/lib/generators/devise_token_auth/templates/user.rb.erb

@@ -2,8 +2,8 @@
 
 class <%= user_class %> < ActiveRecord::Base
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 end

data/lib/generators/devise_token_auth/templates/user_mongoid.rb.erb

@@ -43,9 +43,9 @@ class <%= user_class %>
   field :tokens, type: Hash, default: {}
 
   # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable and :omniauthable
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
 
   index({ email: 1 }, { name: 'email_index', unique: true, background: true })

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -53,6 +53,10 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             assert @resource.confirmed?
           end
 
+          test 'should save the authentication token' do
+            assert @resource.reload.tokens.present?
+          end
+
           test 'should redirect to success url' do
             assert_redirected_to(/^#{@redirect_url}/)
           end
@@ -88,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         end
 
         describe 'resend confirmation' do
-          before do
-            post :create,
-                params: { email: @new_user.email,
-                          redirect_url: @redirect_url },
-                xhr: true
-            @resource = assigns(:resource)
-
-            @mail = ActionMailer::Base.deliveries.last
-            @token, @client_config = token_and_client_config_from(@mail.body)
-          end
-
-          test 'user should not be confirmed' do
-            assert_nil @resource.confirmed_at
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
           end
+        end
 
-          test 'should generate raw token' do
-            assert @token
-            assert_equal @new_user.confirmation_token, @token
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
           end
 
-          test 'user should receive confirmation email' do
-            assert_equal @resource.email, @mail['to'].to_s
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should contain errors' do
+              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            end
           end
-
         end
       end
 

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
   def get_parsed_data_json
     encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(URI.unescape(encoded_json_data))
+    JSON.parse(CGI.unescape(encoded_json_data))
   end
 
   describe 'success callback' do
@@ -346,7 +346,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         follow_all_redirects!
 
         data = get_parsed_data_json
-        assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
+        assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
                     data['error']
       end
 

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -85,37 +85,89 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       describe 'request password reset' do
-        describe 'unknown user should return 404' do
-          before do
-            post :create,
-                 params: { email: 'chester@cheet.ah',
-                           redirect_url: @redirect_url }
-            @data = JSON.parse(response.body)
-          end
+        describe 'unknown user' do
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: 'chester@cheet.ah',
+                             redirect_url: @redirect_url }
+              @data = JSON.parse(response.body)
+            end
 
-          test 'unknown user should return 404' do
-            assert_equal 404, response.status
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.user_not_found',
+                      email: 'chester@cheet.ah')]
+            end
           end
 
-          test 'errors should be returned' do
-            assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+            end
           end
         end
 
         describe 'successfully requested password reset' do
-          before do
-            post :create,
-                 params: { email: @resource.email,
-                           redirect_url: @redirect_url }
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: @resource.email,
+                             redirect_url: @redirect_url }
 
-            @data = JSON.parse(response.body)
+              @data = JSON.parse(response.body)
+            end
+
+            test 'response should not contain extra data' do
+              assert_nil @data['data']
+            end
+
+            test 'response should contains message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
+            end
           end
 
-          test 'response should not contain extra data' do
-            assert_nil @data['data']
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @resource.email,
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
+            end
           end
         end
 

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -10,6 +10,17 @@ require 'test_helper'
 
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
+
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
 
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -87,17 +92,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       before do
         @original_duration = Devise.allow_unconfirmed_access_for
         Devise.allow_unconfirmed_access_for = nil
-        post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
       end
 
       test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
         assert response.headers['access-token']
         assert response.headers['token-type']
         assert response.headers['client']
@@ -105,6 +103,21 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         assert response.headers['uid']
       end
 
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
+
       after do
         Devise.allow_unconfirmed_access_for = @original_duration
       end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -17,11 +17,12 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'success' do
         before do
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: @existing_user.password
-               }
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
+
+          post :create, params: @user_session_params
 
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
@@ -35,17 +36,27 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
 
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+          end
+
+          test 'request should return auth cookie' do
+            post :create, params: @user_session_params
+            assert response.cookies[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
+
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number
             #  to expedite tests! (Default is 10)
             DeviseTokenAuth.max_number_of_devices = 2
             DeviseTokenAuth.change_headers_on_each_request = false
-
-            @user_session_params = {
-              email: @existing_user.email,
-              password: @existing_user.password
-            }
           end
 
           test 'should limit the maximum number of concurrent devices' do
@@ -159,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
 
       describe 'unauthed user sign out' do

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
 
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -68,9 +68,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
           end
         end
 

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
       override_proof_str = '(^^,)'
 
       # ensure present in redirect URL
-      override_proof_param = URI.unescape(response.headers['Location']
+      override_proof_param = CGI.unescape(response.headers['Location']
                                 .match(/override_proof=([^&]*)&/)[1])
 
       assert_equal override_proof_str, override_proof_param

data/test/dummy/app/active_record/confirmable_user.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ConfirmableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable,
+         :validatable, :confirmable
+  DeviseTokenAuth.send_confirmation_email = true
+  include DeviseTokenAuth::Concerns::User
+  DeviseTokenAuth.send_confirmation_email = false
+end

data/test/dummy/app/mongoid/confirmable_user.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+class ConfirmableUser
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## User Info
+  field :name,      type: String
+  field :nickname,  type: String
+  field :image,     type: String
+
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable,
+         :validatable, :confirmable
+  DeviseTokenAuth.send_confirmation_email = true
+  include DeviseTokenAuth::Concerns::User
+  DeviseTokenAuth.send_confirmation_email = false
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -2,8 +2,6 @@
 <html>
 <head>
   <title>Dummy</title>
-  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
-  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
   <%= csrf_meta_tags %>
 </head>
 <body>

data/test/dummy/config/application.rb

@@ -4,7 +4,6 @@ require File.expand_path('boot', __dir__)
 
 require 'action_controller/railtie'
 require 'action_mailer/railtie'
-require 'sprockets/railtie'
 require 'rails/generators'
 require 'rack/cors'
 

data/test/dummy/config/environments/development.rb

@@ -29,16 +29,6 @@ Rails.application.configure do
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
-  # Debug mode disables concatenation and preprocessing of assets.
-  # This option may cause significant delays in view rendering with a large
-  # number of complex assets.
-  config.assets.debug = true
-
-  # Adds additional error checking when serving assets at runtime.
-  # Checks for improperly declared sprockets dependencies.
-  # Raises helpful error messages.
-  config.assets.raise_runtime_errors = true
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true