devise_token_auth 1.1.4 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 395c104491ef2762e5c41f0b35af5f2421f8d24c99cc10145231d1cb2cab2d70
-  data.tar.gz: c637be9bc9c731f1b6218002925c0e558dbc62f2d6fb999fdd187d31d60e20c4
+  metadata.gz: be08ae7f01121ebe8c6b9b8fe04bcc2bdc83a2c8108452ffc986f1865278e85f
+  data.tar.gz: 272f45dc6f28fba16b6a523f47cbb9ecf3be9c05d4aa644ee0d0998fa5272f43
 SHA512:
-  metadata.gz: a1a184d38110e9157c941f1b5e2b8a0cdd7901702f12c7316a4ffba2b5af239455bddc9c288d8fbbd2c909aadfdfe388283c16abcce1814abf595cfe853e3c51
-  data.tar.gz: 7ac1939d622a50f46e9ce3943826b85e67e9457178bba79326c5656f4c8fbacc5205b44828aa4935be4c2c4dc713f68ab1d44b8d7485ced86fa90416769e1431
+  metadata.gz: cc54c90eee4fdf43e6d9b72ca905fc58e4338f1310b289bbede651978bd4f407556392d3d4c61cfaeabf6d4fba179768e02ec9c00bc245b33ba629972676c676
+  data.tar.gz: 00e139ae99fe395580ef8f846cca46516792b68cda0e0201e551e90ca9c70679fcf9519d3682ea82095588e78a93bb2def3db2bebe670a0e96f933e7087fee4b

data/app/controllers/devise_token_auth/application_controller.rb

@@ -75,5 +75,22 @@ module DeviseTokenAuth
       response = response.merge(data) if data
       render json: response, status: status
     end
+
+    def success_message(name, email)
+      if Devise.paranoid
+        I18n.t("devise_token_auth.#{name}.sended_paranoid")
+      else
+        I18n.t("devise_token_auth.#{name}.sended", email: email)
+      end
+    end
+
+    # When using a cookie to transport the auth token we can set it immediately in flows such as
+    # reset password and OmniAuth success, rather than making the client scrape the token from
+    # query params (to then send in the initial validate_token request).
+    # TODO: We should be able to stop exposing the token in query params when this method is used
+    def set_token_in_cookie(resource, token)
+      auth_header = resource.build_auth_header(token.token, token.client)
+      cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,7 +20,7 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+    @resource = if database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity
                   resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
                 else
@@ -28,6 +28,19 @@ module DeviseTokenAuth::Concerns::ResourceFinder
                 end
   end
 
+  def database_adapter
+    @database_adapter ||= begin
+      rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
+
+      adapter =
+        if rails_version >= "6.1"
+          resource_class.try(:connection_db_config)&.try(:adapter)
+        else
+          resource_class.try(:connection_config)&.try(:[], :adapter)
+        end
+    end
+  end
+
   def resource_class(m = nil)
     mapping = if m
                 Devise.mappings[m]

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -17,7 +17,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @used_auth_by_token = true
 
     # initialize instance variables
-    @token = DeviseTokenAuth::TokenFactory.new
+    @token ||= DeviseTokenAuth::TokenFactory.new
     @resource ||= nil
     @is_batch_request ||= nil
   end
@@ -32,21 +32,36 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
+    other_uid_name = DeviseTokenAuth.other_uid && DeviseTokenAuth.headers_names[DeviseTokenAuth.other_uid.to_sym]
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
+    authorization_name = DeviseTokenAuth.headers_names[:"authorization"]
+
+    # Read Authorization token and decode it if present
+    decoded_authorization_token = decode_bearer_token(request.headers[authorization_name])
+
+    # gets values from cookie if configured and present
+    parsed_auth_cookie = {}
+    if DeviseTokenAuth.cookie_enabled
+      auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
+      if auth_cookie.present?
+        parsed_auth_cookie = JSON.parse(auth_cookie)
+      end
+    end
 
     # parse header for values necessary for authentication
-    uid              = request.headers[uid_name] || params[uid_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
+    other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
     @token           = DeviseTokenAuth::TokenFactory.new unless @token
-    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
-    @token.client ||= request.headers[client_name] || params[client_name]
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]
 
     # client isn't required, set to 'default' if absent
     @token.client ||= 'default'
 
     # check for an existing user, authenticated via warden/devise, if enabled
     if DeviseTokenAuth.enable_standard_devise_support
-      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      devise_warden_user = warden.user(mapping)
       if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
         @used_auth_by_token = false
         @resource = devise_warden_user
@@ -66,7 +81,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
 
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.dta_find_by(uid: uid)
+    user = (uid && rc.dta_find_by(uid: uid)) || (other_uid && rc.dta_find_by("#{DeviseTokenAuth.other_uid}": other_uid))
     scope = rc.to_s.underscore.to_sym
 
     if user && user.valid_token?(@token.token, @token.client)
@@ -101,9 +116,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # update the response header
       response.headers.merge!(auth_header)
 
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(auth_header)
+      end
     else
       unless @resource.reload.valid?
-        @resource = resource_class.find(@resource.to_param) # errors remain after reload
+        @resource = @resource.class.find(@resource.to_param) # errors remain after reload
         # if we left the model in a bad state, something is wrong in our app
         unless @resource.valid?
           raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
@@ -115,6 +134,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
   private
 
+  def decode_bearer_token(bearer_token)
+    return {} if bearer_token.blank?
+
+    encoded_token = bearer_token.split.last # Removes the 'Bearer' from the string
+    JSON.parse(Base64.strict_decode64(encoded_token)) rescue {}
+  end
+
   def refresh_headers
     # Lock the user record during any auth_header updates to ensure
     # we don't have write contention from multiple threads
@@ -123,11 +149,22 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # cleared by sign out in the meantime
       return if @used_auth_by_token && @resource.tokens[@token.client].nil?
 
+      _auth_header_from_batch_request = auth_header_from_batch_request
+
       # update the response header
-      response.headers.merge!(auth_header_from_batch_request)
+      response.headers.merge!(_auth_header_from_batch_request)
+
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(_auth_header_from_batch_request)
+      end
     end # end lock
   end
 
+  def set_cookie(auth_header)
+    cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+  end
+
   def is_batch_request?(user, client)
     !params[:unbatch] &&
       user.tokens[client] &&

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -55,13 +55,17 @@ module DeviseTokenAuth
 
     def render_create_success
       render json: {
-          success: true,
-          message: I18n.t('devise_token_auth.confirmations.sended', email: @email)
-      }
+               success: true,
+               message: success_message('confirmations', @email)
+             }
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+      end
     end
 
     private

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -23,7 +23,7 @@ module DeviseTokenAuth
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route
+      redirect_to redirect_route, status: 307
     end
 
     def get_redirect_route(devise_mapping)
@@ -45,7 +45,7 @@ module DeviseTokenAuth
     # find the mapping in `omniauth.params`.
     #
     # One example use-case here is for IDP-initiated SAML login.  In that
-    # case, there will have been no initial request in which to save 
+    # case, there will have been no initial request in which to save
     # the devise mapping.  If you are in a situation like that, and
     # your app allows for you to determine somehow what the devise
     # mapping should be (because, for example, it is always the same),
@@ -70,6 +70,10 @@ module DeviseTokenAuth
 
       yield @resource if block_given?
 
+      if DeviseTokenAuth.cookie_enabled
+        set_token_in_cookie(@resource, @token)
+      end
+
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
 
@@ -78,10 +82,10 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
 
-    def validate_auth_origin_url_param 
+    def validate_auth_origin_url_param
       return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
     end
-  
+
 
     protected
 

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -51,6 +51,10 @@ module DeviseTokenAuth
         if require_client_password_reset_token?
           redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
         else
+          if DeviseTokenAuth.cookie_enabled
+            set_token_in_cookie(@resource, token)
+          end
+
           redirect_header_options = { reset_password: true }
           redirect_headers = build_redirect_headers(token.token,
                                                     token.client,
@@ -128,7 +132,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.passwords.sended', email: @email)
+        message: success_message('passwords', @email)
       }
     end
 
@@ -181,7 +185,11 @@ module DeviseTokenAuth
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+      end
     end
 
     def validate_redirect_url_param

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -26,8 +26,8 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @token = @resource.create_token
-        @resource.save
+
+        create_and_assign_token
 
         sign_in(:user, @resource, store: false, bypass: false)
 
@@ -48,13 +48,19 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client = @token.client if @token.client
+      client = @token.client
       @token.clear!
 
       if user && client && user.tokens[client]
         user.tokens.delete(client)
         user.save!
 
+        if DeviseTokenAuth.cookie_enabled
+          # If a cookie is set with a domain specified then it must be deleted with that domain specified
+          # See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+          cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
+        end
+
         yield user if block_given?
 
         render_destroy_success
@@ -127,5 +133,17 @@ module DeviseTokenAuth
     def resource_params
       params.permit(*params_for_resource(:sign_in))
     end
+
+    def create_and_assign_token
+      if @resource.respond_to?(:with_lock)
+        @resource.with_lock do
+          @token = @resource.create_token
+          @resource.save!
+        end
+      else
+        @token = @resource.create_token
+        @resource.save!
+      end
+    end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -63,7 +63,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.unlocks.sended', email: @email)
+        message: success_message('unlocks', @email)
       }
     end
 
@@ -79,7 +79,11 @@ module DeviseTokenAuth
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      if Devise.paranoid
+        render_create_success
+      else
+        render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      end
     end
 
     def resource_params

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -1,5 +1,3 @@
-require_relative 'tokens_serialization'
-
 module DeviseTokenAuth::Concerns::ActiveRecordSupport
   extend ActiveSupport::Concern
 

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -18,7 +18,8 @@ module DeviseTokenAuth::Concerns::ConfirmableSupport
   protected
 
   def email_value_in_database
-    if Devise.rails51? && respond_to?(:email_in_database)
+    rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
+    if rails51 && respond_to?(:email_in_database)
       email_in_database
     else
       email_was

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -1,12 +1,14 @@
 module DeviseTokenAuth::Concerns::TokensSerialization
+  extend self
   # Serialization hash to json
-  def self.dump(object)
-    object.each_value(&:compact!) unless object.nil?
-    JSON.generate(object)
+  def dump(object)
+    JSON.generate(object && object.transform_values do |token|
+      serialize_updated_at(token).compact
+    end.compact)
   end
 
   # Deserialization json to hash
-  def self.load(json)
+  def load(json)
     case json
     when String
       JSON.parse(json)
@@ -16,4 +18,14 @@ module DeviseTokenAuth::Concerns::TokensSerialization
       json
     end
   end
+
+  private
+
+  def serialize_updated_at(token)
+    updated_at_key = ['updated_at', :updated_at].find(&token.method(:[]))
+
+    return token unless token[updated_at_key].respond_to?(:iso8601)
+
+    token.merge updated_at_key => token[updated_at_key].iso8601
+  end
 end

data/app/models/devise_token_auth/concerns/user.rb

@@ -120,6 +120,7 @@ module DeviseTokenAuth::Concerns::User
     # ghetto HashWithIndifferentAccess
     expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
     token_hash = tokens[client]['token'] || tokens[client][:token]
+    previous_token_hash = tokens[client]['previous_token'] || tokens[client][:previous_token]
 
     return true if (
       # ensure that expiry and token are set
@@ -129,11 +130,24 @@ module DeviseTokenAuth::Concerns::User
       DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
 
       # ensure that the token is valid
-      DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+      (
+        # check if the latest token matches
+        does_token_match?(token_hash, token) ||
+
+        # check if the previous token matches
+        does_token_match?(previous_token_hash, token)
+      )
     )
   end
 
-  # allow batch requests to use the previous token
+  # check if the hash of received token matches the stored token
+  def does_token_match?(token_hash, token)
+    return false if token_hash.nil?
+
+    DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+  end
+
+  # allow batch requests to use the last token
   def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
     updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
@@ -143,7 +157,7 @@ module DeviseTokenAuth::Concerns::User
       # ensure that the last token and its creation time exist
       updated_at && last_token_hash &&
 
-      # ensure that previous token falls within the batch buffer throttle time of the last request
+      # ensure that last token falls within the batch buffer throttle time of the last request
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
@@ -157,8 +171,9 @@ module DeviseTokenAuth::Concerns::User
 
     token = create_token(
       client: client,
-      last_token: tokens.fetch(client, {})['token'],
-      updated_at: now.to_s(:rfc822)
+      previous_token: tokens.fetch(client, {})['token'],
+      last_token: tokens.fetch(client, {})['previous_token'],
+      updated_at: now
     )
 
     update_auth_header(token.token, token.client)
@@ -168,14 +183,20 @@ module DeviseTokenAuth::Concerns::User
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
     expiry = tokens[client]['expiry'] || tokens[client][:expiry]
-
-    {
+    headers = {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
       DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
+    headers.merge!(build_bearer_token(headers))
+  end
+
+  def build_bearer_token(auth)
+    encoded_token = Base64.strict_encode64(auth.to_json)
+    bearer_token = "Bearer #{encoded_token}"
+    {DeviseTokenAuth.headers_names[:"authorization"] => bearer_token}
   end
 
   def update_auth_header(token, client = 'default')
@@ -194,7 +215,7 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def extend_batch_buffer(token, client)
-    tokens[client]['updated_at'] = Time.zone.now.to_s(:rfc822)
+    tokens[client]['updated_at'] = Time.zone.now
     update_auth_header(token, client)
   end
 
@@ -218,13 +239,8 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def should_remove_tokens_after_password_reset?
-    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
-      encrypted_password_changed? &&
-        DeviseTokenAuth.remove_tokens_after_password_reset
-    else
-      saved_change_to_attribute?(:encrypted_password) &&
-        DeviseTokenAuth.remove_tokens_after_password_reset
-    end
+    DeviseTokenAuth.remove_tokens_after_password_reset &&
+      (respond_to?(:encrypted_password_changed?) && encrypted_password_changed?)
   end
 
   def remove_tokens_after_password_reset

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -4,12 +4,12 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   extend ActiveSupport::Concern
 
   included do
-    validates :email, presence: true,if: :email_provider?
-    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
-    validates_presence_of :uid, unless: :email_provider?
+    validates :email, presence: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
 
     # only validate unique emails among email registration users
-    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
 
     # keep uid in sync with email
     before_save :sync_uid
@@ -18,11 +18,18 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 
   protected
 
+  def uid_and_provider_defined?
+    defined?(provider) && defined?(uid)
+  end
+
   def email_provider?
     provider == 'email'
   end
 
   def sync_uid
-    self.uid = email if email_provider?
+    unless self.new_record?
+      return if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone && postpone_email_change?
+    end
+    self.uid = email if uid_and_provider_defined? && email_provider?
   end
 end

data/app/validators/devise_token_auth_email_validator.rb

@@ -1,9 +1,17 @@
 # frozen_string_literal: true
 
 class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
+  EMAIL_REGEXP = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+
+  class << self
+    def validate?(email)
+      email =~ EMAIL_REGEXP
+    end
+  end
+
   def validate_each(record, attribute, value)
-    unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
-      record.errors[attribute] << email_invalid_message
+    unless DeviseTokenAuthEmailValidator.validate?(value)
+      record.errors.add(attribute, email_invalid_message)
     end
   end
 

data/app/views/devise_token_auth/omniauth_external_window.html.erb

@@ -15,7 +15,7 @@
             Cordova / PhoneGap)
       */
 
-      var data = JSON.parse(decodeURIComponent('<%= URI::escape( @data.to_json ) %>'));
+      var data = JSON.parse(decodeURIComponent('<%= ERB::Util.url_encode( @data.to_json ) %>'));
 
       window.addEventListener("message", function(ev) {
         if (ev.data === "requestCredentials") {

data/config/locales/en.yml

@@ -21,6 +21,7 @@ en:
       missing_redirect_url: "Missing redirect URL."
       not_allowed_redirect_url: "Redirect to '%{redirect_url}' not allowed."
       sended: "An email has been sent to '%{email}' containing instructions for resetting your password."
+      sended_paranoid: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
       password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
@@ -28,9 +29,11 @@ en:
     unlocks:
       missing_email: "You must provide an email address."
       sended: "An email has been sent to '%{email}' containing instructions for unlocking your account."
+      sended_paranoid: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
     confirmations:
       sended: "An email has been sent to '%{email}' containing instructions for confirming your account."
+      sended_paranoid: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
       missing_email: "You must provide an email address."
 

data/config/locales/ja.yml

@@ -21,10 +21,22 @@ ja:
       missing_redirect_url: "リダイレクト URL が与えられていません。"
       not_allowed_redirect_url: "'%{redirect_url}' へのリダイレクトは許可されていません。"
       sended: "'%{email}' にパスワードリセットの案内が送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、 数分後にパスワード再発行用のリンクを記載したメールをお送りします。"
       user_not_found: "メールアドレス '%{email}' のユーザーが見つかりません。"
       password_not_required: "このアカウントはパスワードを要求していません。'%{provider}' を利用してログインしてください。"
       missing_passwords: "'Password', 'Password confirmation' パラメータが与えられていません。"
       successfully_updated: "パスワードの更新に成功しました。"
+    unlocks:
+      missing_email: "メールアドレスが与えられていません。"
+      sended: "%{email}' にアカウントのロックを解除する方法を記載したメールが送信されました。"
+      sended_paranoid: "アカウントが存在する場合、数分後にロックを解除する方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+    confirmations:
+      sended: "'%{email}' にアカウントの確認方法を記載したメールが送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、数分後にメールアドレスの確認方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+      missing_email: "メールアドレスが与えられていません。"
+
   errors:
     messages:
       validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。"

data/lib/devise_token_auth/blacklist.rb

@@ -1,2 +1,6 @@
 # don't serialize tokens
-Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens
+if defined? Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
+  Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION << :tokens
+else
+  Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens
+end

data/lib/devise_token_auth/controllers/helpers.rb

@@ -34,12 +34,6 @@ module DeviseTokenAuth
           class_eval <<-METHODS, __FILE__, __LINE__ + 1
             def authenticate_#{group_name}!(favourite=nil, opts={})
               unless #{group_name}_signed_in?
-                mappings = #{mappings}
-                mappings.unshift mappings.delete(favourite.to_sym) if favourite
-                mappings.each do |mapping|
-                  set_user_by_token(mapping)
-                end
-
                 unless current_#{group_name}
                   render_authenticate_error
                 end
@@ -47,12 +41,14 @@ module DeviseTokenAuth
             end
 
             def #{group_name}_signed_in?
-              #{mappings}.any? do |mapping|
-                set_user_by_token(mapping)
-              end
+              !!current_#{group_name}
             end
 
             def current_#{group_name}(favourite=nil)
+              @current_#{group_name} ||= set_group_user_by_token(favourite)
+            end
+            
+            def set_group_user_by_token(favourite)
               mappings = #{mappings}
               mappings.unshift mappings.delete(favourite.to_sym) if favourite
               mappings.each do |mapping|