devise_token_auth 1.1.3 → 1.2.0

data/test/dummy/config/environments/production.rb

@@ -24,18 +24,6 @@ Rails.application.configure do
   # Disable Rails's static asset server (Apache or nginx will already do this).
   config.serve_static_files = false
 
-  # Compress JavaScripts and CSS.
-  config.assets.js_compressor = :uglifier
-  # config.assets.css_compressor = :sass
-
-  # Do not fallback to assets pipeline if a precompiled asset is missed.
-  config.assets.compile = false
-
-  # Generate digests for assets URLs.
-  config.assets.digest = true
-
-  # `config.assets.precompile` has moved to config/initializers/assets.rb
-
   # Specifies the header that your server uses for sending files.
   # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
@@ -58,10 +46,6 @@ Rails.application.configure do
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
   # config.action_controller.asset_host = "http://assets.example.com"
 
-  # Precompile additional assets.
-  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
-  # config.assets.precompile += %w( search.js )
-
   # Ignore bad email addresses and do not raise email delivery errors.
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false

data/test/dummy/config/initializers/figaro.rb

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-#Figaro.require("GITHUB_KEY", "GITHUB_SECRET", "FACEBOOK_KEY", "FACEBOOK_SECRET", "GOOGLE_KEY", "GOOGLE_SECRET")
+#Figaro.require("GITHUB_KEY", "GITHUB_SECRET", "FACEBOOK_KEY", "FACEBOOK_SECRET", "GOOGLE_KEY", "GOOGLE_SECRET", "APPLE_CLIENT_ID", "APPLE_TEAM_ID", "APPLE_KEY", "APPLE_PEM")

data/test/dummy/config/initializers/omniauth.rb

@@ -4,6 +4,7 @@ Rails.application.config.middleware.use OmniAuth::Builder do |b|
   provider :github,        ENV['GITHUB_KEY'],   ENV['GITHUB_SECRET'],   scope: 'email,profile'
   provider :facebook,      ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET']
   provider :google_oauth2, ENV['GOOGLE_KEY'],   ENV['GOOGLE_SECRET']
+  provider :apple,         ENV['APPLE_CLIENT_ID'], '', { scope: 'email name', team_id: ENV['APPLE_TEAM_ID'], key_id: ENV['APPLE_KEY'], pem: ENV['APPLE_PEM'] }
   provider :developer,
            fields: [:first_name, :last_name],
            uid_field: :last_name

data/test/dummy/config/routes.rb

@@ -20,6 +20,8 @@ Rails.application.routes.draw do
 
   mount_devise_token_auth_for 'LockableUser', at: 'lockable_user_auth'
 
+  mount_devise_token_auth_for 'ConfirmableUser', at: 'confirmable_user_auth'
+
   # test namespacing
   namespace :api do
     scope :v1 do

data/test/dummy/{tmp/generators/db/migrate/20170630171909_devise_token_auth_create_mangs.rb → db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb}

@@ -1,6 +1,7 @@
-class DeviseTokenAuthCreateMangs < ActiveRecord::Migration[4.2]
+class DeviseTokenAuthCreateConfirmableUsers < ActiveRecord::Migration[5.2]
   def change
-    create_table(:mangs) do |t|
+    
+    create_table(:confirmable_users) do |t|
       ## Required
       t.string :provider, :null => false, :default => "email"
       t.string :uid, :null => false, :default => ""
@@ -11,17 +12,11 @@ class DeviseTokenAuthCreateMangs < ActiveRecord::Migration[4.2]
       ## Recoverable
       t.string   :reset_password_token
       t.datetime :reset_password_sent_at
+      t.boolean  :allow_password_change, :default => false
 
       ## Rememberable
       t.datetime :remember_created_at
 
-      ## Trackable
-      t.integer  :sign_in_count, :default => 0, :null => false
-      t.datetime :current_sign_in_at
-      t.datetime :last_sign_in_at
-      t.string   :current_sign_in_ip
-      t.string   :last_sign_in_ip
-
       ## Confirmable
       t.string   :confirmation_token
       t.datetime :confirmed_at
@@ -45,10 +40,10 @@ class DeviseTokenAuthCreateMangs < ActiveRecord::Migration[4.2]
       t.timestamps
     end
 
-    add_index :mangs, :email,                unique: true
-    add_index :mangs, [:uid, :provider],     unique: true
-    add_index :mangs, :reset_password_token, unique: true
-    add_index :mangs, :confirmation_token,   unique: true
-    # add_index :mangs, :unlock_token,       unique: true
+    add_index :confirmable_users, :email,                unique: true
+    add_index :confirmable_users, [:uid, :provider],     unique: true
+    add_index :confirmable_users, :reset_password_token, unique: true
+    add_index :confirmable_users, :confirmation_token,   unique: true
+    # add_index :confirmable_users, :unlock_token,       unique: true
   end
 end

data/test/dummy/db/schema.rb

@@ -10,7 +10,32 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2016_06_29_184441) do
+ActiveRecord::Schema.define(version: 2019_09_24_101113) do
+
+  create_table "confirmable_users", force: :cascade do |t|
+    t.string "provider", default: "email", null: false
+    t.string "uid", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.boolean "allow_password_change", default: false
+    t.datetime "remember_created_at"
+    t.string "confirmation_token"
+    t.datetime "confirmed_at"
+    t.datetime "confirmation_sent_at"
+    t.string "unconfirmed_email"
+    t.string "name"
+    t.string "nickname"
+    t.string "image"
+    t.string "email"
+    t.text "tokens"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["confirmation_token"], name: "index_confirmable_users_on_confirmation_token", unique: true
+    t.index ["email"], name: "index_confirmable_users_on_email", unique: true
+    t.index ["reset_password_token"], name: "index_confirmable_users_on_reset_password_token", unique: true
+    t.index ["uid", "provider"], name: "index_confirmable_users_on_uid_and_provider", unique: true
+  end
 
   create_table "lockable_users", force: :cascade do |t|
     t.string "provider", null: false

data/test/dummy/tmp/generators/app/controllers/application_controller.rb

@@ -0,0 +1,6 @@
+            class ApplicationController < ActionController::Base
+        include DeviseTokenAuth::Concerns::SetUserByToken
+              def whatever
+                'whatever'
+              end
+            end

data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+class Azpire::V1::HumanResource::User
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+
+  ## Lockable
+  # field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  # field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  # field :locked_at,       type: Time
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  include DeviseTokenAuth::Concerns::User
+
+  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
+  index({ reset_password_token: 1 }, { name: 'reset_password_token_index', unique: true, sparse: true, background: true })
+  index({ confirmation_token: 1 }, { name: 'confirmation_token_index', unique: true, sparse: true, background: true })
+  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
+  # index({ unlock_token: 1 }, { name: 'unlock_token_index', unique: true, sparse: true, background: true })
+end

data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 DeviseTokenAuth.setup do |config|
   # By default the authorization headers will change after each request. The
   # client is responsible for keeping track of the changing tokens. Change
@@ -9,6 +11,11 @@ DeviseTokenAuth.setup do |config|
   # determines how long tokens will remain valid after they are issued.
   # config.token_lifespan = 2.weeks
 
+  # Limiting the token_cost to just 4 in testing will increase the performance of
+  # your test suite dramatically. The possible cost value is within range from 4
+  # to 31. It is recommended to not use a value more than 10 in other environments.
+  config.token_cost = Rails.env.test? ? 4 : 10
+
   # Sets the max number of concurrent devices per user, which is 10 by default.
   # After this limit is reached, the oldest tokens will be removed.
   # config.max_number_of_devices = 10
@@ -45,4 +52,9 @@ DeviseTokenAuth.setup do |config|
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!
   # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
 end

data/test/factories/users.rb

@@ -36,5 +36,6 @@ FactoryBot.define do
     factory :mang_user, class: 'Mang'
     factory :only_email_user, class: 'OnlyEmailUser'
     factory :scoped_user, class: 'ScopedUser'
+    factory :confirmable_user, class: 'ConfirmableUser'
   end
 end

data/test/lib/devise_token_auth/blacklist_test.rb

@@ -3,9 +3,17 @@
 require 'test_helper'
 
 class DeviseTokenAuth::BlacklistTest < ActiveSupport::TestCase
-  describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
-    test 'should include :tokens' do
-      assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+  if defined? Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
+    describe Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION.include?(:tokens)
+      end
+    end
+  else
+    describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+      end
     end
   end
 end

data/test/lib/devise_token_auth/rails/custom_routes_test.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class DeviseTokenAuth::CustomRoutesTest < ActiveSupport::TestCase
+  after do
+    Rails.application.reload_routes!
+  end
+  test 'custom controllers' do
+    class ActionDispatch::Routing::Mapper
+        include Mocha::ParameterMatchers
+    end
+    Rails.application.routes.draw do
+      self.expects(:devise_for).with(
+        :users,
+        has_entries(
+          controllers: has_entries(
+            invitations: "custom/invitations", foo: "custom/foo"
+          )
+        )
+      )
+
+      mount_devise_token_auth_for 'User', at: 'my_custom_users', controllers: {
+        invitations: 'custom/invitations',
+        foo: 'custom/foo'
+      }
+    end
+  end
+end

data/test/lib/devise_token_auth/rails/routes_test.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Needed for MiniTest to start a controller test so we can use assert_recognizes
+class DeviseTokenAuth::RoutesTestController < DeviseTokenAuth::ApplicationController
+end
+
+class DeviseTokenAuth::RoutesTest < ActionController::TestCase
+  self.controller_class = DeviseTokenAuth::RoutesTestController
+  before do
+    Rails.application.routes.draw do
+      mount_devise_token_auth_for 'User', at: 'my_custom_users', controllers: {
+        invitations: 'custom/invitations',
+        foo: 'custom/foo'
+      }
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  test 'map new user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'new'}, {path: 'my_custom_users/sign_in', method: :get})
+  end
+
+  test 'map create user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'create'}, {path: 'my_custom_users/sign_in', method: :post})
+  end
+
+  test 'map destroy user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'destroy'}, {path: 'my_custom_users/sign_out', method: :delete})
+  end
+
+  test 'map new user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'new'}, 'my_custom_users/confirmation/new')
+  end
+
+  test 'map create user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'create'}, {path: 'my_custom_users/confirmation', method: :post})
+  end
+
+  test 'map show user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'show'}, {path: 'my_custom_users/confirmation', method: :get})
+  end
+
+  test 'map new user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'new'}, 'my_custom_users/password/new')
+  end
+
+  test 'map create user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'create'}, {path: 'my_custom_users/password', method: :post})
+  end
+
+  test 'map edit user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'edit'}, 'my_custom_users/password/edit')
+  end
+
+  test 'map update user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'update'}, {path: 'my_custom_users/password', method: :put})
+  end
+
+  test 'map new user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'new'}, 'my_custom_users/sign_up')
+  end
+
+  test 'map create user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'create'}, {path: 'my_custom_users', method: :post})
+  end
+
+  test 'map edit user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'edit'}, {path: 'my_custom_users/edit', method: :get})
+  end
+
+  test 'map update user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'update'}, {path: 'my_custom_users', method: :put})
+  end
+
+  test 'map destroy user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'destroy'}, {path: 'my_custom_users', method: :delete})
+  end
+
+  test 'map cancel user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'cancel'}, {path: 'my_custom_users/cancel', method: :get})
+  end
+end

data/test/lib/devise_token_auth/url_test.rb

@@ -4,10 +4,10 @@ require 'test_helper'
 
 class DeviseTokenAuth::UrlTest < ActiveSupport::TestCase
   describe 'DeviseTokenAuth::Url#generate' do
-    test 'URI fragment should appear at the end of URL' do
+    test 'URI fragment should appear at the end of URL with repeat of query params' do
       params = { client_id: 123 }
       url = 'http://example.com#fragment'
-      assert_equal DeviseTokenAuth::Url.send(:generate, url, params), 'http://example.com?client_id=123#fragment'
+      assert_equal DeviseTokenAuth::Url.send(:generate, url, params), 'http://example.com?client_id=123#fragment?client_id=123'
     end
 
     describe 'with existing query params' do

data/test/lib/generators/devise_token_auth/install_generator_test.rb

@@ -70,7 +70,7 @@ module DeviseTokenAuth
         case DEVISE_TOKEN_AUTH_ORM
         when :active_record
           # account for rails version 5
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
 
           @f = File.open(@fname, 'w') do |f|
             f.write <<-RUBY

data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb

@@ -75,7 +75,7 @@ module DeviseTokenAuth
         case DEVISE_TOKEN_AUTH_ORM
         when :active_record
           # account for rails version 5
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
 
           @f = File.open(@fname, 'w') do |f|
             f.write <<-RUBY

data/test/models/concerns/tokens_serialization_test.rb

@@ -13,7 +13,6 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
 
       user.tokens
     end
-    let(:json) { JSON.generate(tokens) }
 
     it 'is defined' do
       assert_equal(ts.present?, true)
@@ -21,6 +20,9 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
     end
 
     describe '.load(json)' do
+
+      let(:json) { JSON.generate(tokens) }
+
       let(:default) { {} }
 
       it 'is defined' do
@@ -55,16 +57,48 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
         assert_equal(ts.dump({}), '{}')
       end
 
-      it 'deserialize tokens' do
-        assert_equal(ts.dump(tokens), json)
-      end
-
       it 'removes nil values' do
         new_tokens = tokens.dup
         new_tokens[new_tokens.first[0]][:kos] = nil
 
         assert_equal(ts.dump(tokens), ts.dump(new_tokens))
       end
+
+      describe 'updated_at' do
+        before do
+          @default_format = ::Time::DATE_FORMATS[:default]
+          ::Time::DATE_FORMATS[:default] = 'imprecise format'
+        end
+
+        after do
+          ::Time::DATE_FORMATS[:default] = @default_format
+        end
+
+        def updated_ats(tokens)
+          tokens.
+            values.
+            flat_map do |token|
+            [:updated_at, 'updated_at'].map do |key|
+              token[key]
+            end
+          end.
+          compact
+        end
+
+        it 'is defined' do
+          refute_empty updated_ats(tokens)
+        end
+
+        it 'uses iso8601' do
+          updated_ats(JSON.parse(ts.dump(tokens))).each do |updated_at|
+            Time.strptime(updated_at, '%Y-%m-%dT%H:%M:%SZ')
+          end
+        end
+
+        it 'does not rely on Time#to_s' do
+          refute_includes(updated_ats(tokens), 'imprecise format')
+        end
+      end
     end
   end
 end

data/test/models/confirmable_user_test.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class ConfirmableUserTest < ActiveSupport::TestCase
+  describe ConfirmableUser do
+    describe 'creation' do
+      test 'email should be saved' do
+        @resource = create(:confirmable_user)
+        assert @resource.email.present?
+      end
+    end
+
+    describe 'updating email' do
+      test 'new email should be saved to unconfirmed_email' do
+        @resource = create(:confirmable_user, email: 'old_address@example.com')
+        @resource.update(email: 'new_address@example.com')
+        assert @resource.unconfirmed_email == 'new_address@example.com'
+      end
+
+      test 'old email should be kept in email' do
+        @resource = create(:confirmable_user, email: 'old_address@example.com')
+        @resource.update(email: 'new_address@example.com')
+        assert @resource.email == 'old_address@example.com'
+      end
+
+      test 'confirmation_token should be changed' do
+        @resource = create(:confirmable_user, email: 'old_address@example.com')
+        old_token = @resource.confirmation_token
+        @resource.update(email: 'new_address@example.com')
+        assert @resource.confirmation_token != old_token
+      end
+    end
+  end
+end

data/test/test_helper.rb

@@ -15,7 +15,11 @@ require File.expand_path('dummy/config/environment', __dir__)
 require 'active_support/testing/autorun'
 require 'minitest/rails'
 require 'mocha/minitest'
-require 'database_cleaner'
+if DEVISE_TOKEN_AUTH_ORM == :active_record
+  require 'database_cleaner'
+else
+  require 'database_cleaner/mongoid'
+end
 
 FactoryBot.definition_file_paths = [File.expand_path('factories', __dir__)]
 FactoryBot.find_definitions
@@ -37,16 +41,43 @@ class ActiveSupport::TestCase
   ActiveRecord::Migration.check_pending! if DEVISE_TOKEN_AUTH_ORM == :active_record
 
   strategies = { active_record: :transaction,
-                 mongoid: :truncation }
+                 mongoid: :deletion }
   DatabaseCleaner.strategy = strategies[DEVISE_TOKEN_AUTH_ORM]
   setup { DatabaseCleaner.start }
   teardown { DatabaseCleaner.clean }
 
   # Add more helper methods to be used by all tests here...
 
+  # Execute the block setting the given values and restoring old values after
+  # the block is executed.
+  # shamelessly copied from devise test_helper.
+  def swap(object, new_values)
+    old_values = {}
+    new_values.each do |key, value|
+      old_values[key] = object.send key
+      object.send :"#{key}=", value
+    end
+    clear_cached_variables(new_values)
+    yield
+  ensure
+    clear_cached_variables(new_values)
+    old_values.each do |key, value|
+      object.send :"#{key}=", value
+    end
+  end
+
+  # shamelessly copied from devise test_helper.
+  def clear_cached_variables(options)
+    if options.key?(:case_insensitive_keys) || options.key?(:strip_whitespace_keys)
+      Devise.mappings.each do |_, mapping|
+        mapping.to.instance_variable_set(:@devise_parameter_filter, nil)
+      end
+    end
+  end
+
   def age_token(user, client_id)
     if user.tokens[client_id]
-      user.tokens[client_id]['updated_at'] = Time.zone.now - (DeviseTokenAuth.batch_request_buffer_throttle + 10.seconds)
+      user.tokens[client_id]['updated_at'] = (Time.zone.now - (DeviseTokenAuth.batch_request_buffer_throttle + 10.seconds))
       user.save!
     end
   end
@@ -85,7 +116,7 @@ module Rails
         %w[get post patch put head delete get_via_redirect post_via_redirect].each do |method|
           define_method(method) do |path_or_action, **args|
             if Rails::VERSION::MAJOR >= 5
-              super path_or_action, args
+              super path_or_action, **args
             else
               super path_or_action, args[:params], args[:headers]
             end