devise_token_auth 1.1.4 → 1.2.1

data/lib/devise_token_auth/engine.rb

@@ -25,9 +25,13 @@ module DeviseTokenAuth
                  :remove_tokens_after_password_reset,
                  :default_callbacks,
                  :headers_names,
+                 :cookie_enabled,
+                 :cookie_name,
+                 :cookie_attributes,
                  :bypass_sign_in,
                  :send_confirmation_email,
-                 :require_client_password_reset_token
+                 :require_client_password_reset_token,
+                 :other_uid
 
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -42,14 +46,19 @@ module DeviseTokenAuth
   self.enable_standard_devise_support       = false
   self.remove_tokens_after_password_reset   = false
   self.default_callbacks                    = true
-  self.headers_names                        = { 'access-token': 'access-token',
+  self.headers_names                        = { 'authorization': 'Authorization',
+                                                'access-token': 'access-token',
                                                 'client': 'client',
                                                 'expiry': 'expiry',
                                                 'uid': 'uid',
                                                 'token-type': 'token-type' }
+  self.cookie_enabled                       = false
+  self.cookie_name                          = 'auth_cookie'
+  self.cookie_attributes                    = {}
   self.bypass_sign_in                       = true
   self.send_confirmation_email              = false
   self.require_client_password_reset_token  = false
+  self.other_uid                            = nil
 
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/rails/routes.rb

@@ -8,26 +8,31 @@ module ActionDispatch::Routing
       opts[:skip]        ||= []
 
       # check for ctrl overrides, fall back to defaults
-      sessions_ctrl          = opts[:controllers][:sessions] || 'devise_token_auth/sessions'
-      registrations_ctrl     = opts[:controllers][:registrations] || 'devise_token_auth/registrations'
-      passwords_ctrl         = opts[:controllers][:passwords] || 'devise_token_auth/passwords'
-      confirmations_ctrl     = opts[:controllers][:confirmations] || 'devise_token_auth/confirmations'
-      token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_token_auth/token_validations'
-      omniauth_ctrl          = opts[:controllers][:omniauth_callbacks] || 'devise_token_auth/omniauth_callbacks'
-      unlocks_ctrl           = opts[:controllers][:unlocks] || 'devise_token_auth/unlocks'
+      sessions_ctrl          = opts[:controllers].delete(:sessions) || 'devise_token_auth/sessions'
+      registrations_ctrl     = opts[:controllers].delete(:registrations) || 'devise_token_auth/registrations'
+      passwords_ctrl         = opts[:controllers].delete(:passwords) || 'devise_token_auth/passwords'
+      confirmations_ctrl     = opts[:controllers].delete(:confirmations) || 'devise_token_auth/confirmations'
+      token_validations_ctrl = opts[:controllers].delete(:token_validations) || 'devise_token_auth/token_validations'
+      omniauth_ctrl          = opts[:controllers].delete(:omniauth_callbacks) || 'devise_token_auth/omniauth_callbacks'
+      unlocks_ctrl           = opts[:controllers].delete(:unlocks) || 'devise_token_auth/unlocks'
+
+      # check for resource override
+      route                  = opts[:as] || resource.pluralize.underscore.gsub('/', '_')
 
       # define devise controller mappings
-      controllers = { sessions: sessions_ctrl,
+      controllers = opts[:controllers].merge(
+                      sessions: sessions_ctrl,
                       registrations: registrations_ctrl,
                       passwords: passwords_ctrl,
-                      confirmations: confirmations_ctrl }
+                      confirmations: confirmations_ctrl
+                    )
 
       controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
 
       # remove any unwanted devise modules
       opts[:skip].each{ |item| controllers.delete(item) }
 
-      devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
+      devise_for route.to_sym,
                  class_name: resource,
                  module: :devise,
                  path: opts[:at].to_s,
@@ -68,7 +73,7 @@ module ActionDispatch::Routing
 
             # preserve the resource class thru oauth authentication by setting name of
             # resource as "resource_class" param
-            match "#{full_path}/:provider", to: redirect{ |params, request|
+            match "#{full_path}/:provider", to: redirect(status: 307) { |params, request|
               # get the current querystring
               qs = CGI::parse(request.env['QUERY_STRING'])
 
@@ -94,7 +99,7 @@ module ActionDispatch::Routing
 
               # re-construct the path for omniauth
               "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
-            }, via: [:get]
+            }, via: [:get, :post]
           end
         end
       end

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.1.4'.freeze
+  VERSION = '1.2.1'.freeze
 end

data/lib/generators/devise_token_auth/install_generator.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         inclusion = 'include DeviseTokenAuth::Concerns::User'
         unless parse_file_for_line(fname, inclusion)
 
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
           inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY'
             # Include default devise modules.
             devise :database_authenticatable, :registerable,

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -48,6 +48,9 @@ DeviseTokenAuth.setup do |config|
   #                        :'uid' => 'uid',
   #                        :'token-type' => 'token-type' }
 
+  # Makes it possible to use custom uid column
+  # config.other_uid = "foo"
+
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb

@@ -44,6 +44,6 @@ class DeviseTokenAuthCreate<%= user_class.pluralize.gsub("::","") %> < ActiveRec
     add_index :<%= table_name %>, [:uid, :provider],     unique: true
     add_index :<%= table_name %>, :reset_password_token, unique: true
     add_index :<%= table_name %>, :confirmation_token,   unique: true
-    # add_index :<%= table_name %>, :unlock_token,       unique: true
+    # add_index :<%= table_name %>, :unlock_token,         unique: true
   end
 end

data/test/controllers/demo_mang_controller_test.rb

@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only_mang',
                 params: {},
                 headers: @auth_headers
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/demo_user_controller_test.rb

@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only',
                 params: {},
                 headers: @auth_headers
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -92,30 +92,111 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         end
 
         describe 'resend confirmation' do
-          before do
-            post :create,
-                params: { email: @new_user.email,
-                          redirect_url: @redirect_url },
-                xhr: true
-            @resource = assigns(:resource)
-
-            @mail = ActionMailer::Base.deliveries.last
-            @token, @client_config = token_and_client_config_from(@mail.body)
-          end
-
-          test 'user should not be confirmed' do
-            assert_nil @resource.confirmed_at
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
           end
+        end
 
-          test 'should generate raw token' do
-            assert @token
-            assert_equal @new_user.confirmation_token, @token
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
           end
 
-          test 'user should receive confirmation email' do
-            assert_equal @resource.email, @mail['to'].to_s
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                @email = 'chester@cheet.ah'
+                post :create,
+                     params: { email: @email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should not contain errors' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
           end
-
         end
       end
 

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
   def get_parsed_data_json
     encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(URI.unescape(encoded_json_data))
+    JSON.parse(CGI.unescape(encoded_json_data))
   end
 
   describe 'success callback' do
@@ -346,7 +346,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         follow_all_redirects!
 
         data = get_parsed_data_json
-        assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
+        assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
                     data['error']
       end
 

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -85,37 +85,89 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       describe 'request password reset' do
-        describe 'unknown user should return 404' do
-          before do
-            post :create,
-                 params: { email: 'chester@cheet.ah',
-                           redirect_url: @redirect_url }
-            @data = JSON.parse(response.body)
-          end
+        describe 'unknown user' do
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: 'chester@cheet.ah',
+                             redirect_url: @redirect_url }
+              @data = JSON.parse(response.body)
+            end
 
-          test 'unknown user should return 404' do
-            assert_equal 404, response.status
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.user_not_found',
+                      email: 'chester@cheet.ah')]
+            end
           end
 
-          test 'errors should be returned' do
-            assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
+            end
           end
         end
 
         describe 'successfully requested password reset' do
-          before do
-            post :create,
-                 params: { email: @resource.email,
-                           redirect_url: @redirect_url }
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: @resource.email,
+                             redirect_url: @redirect_url }
 
-            @data = JSON.parse(response.body)
+              @data = JSON.parse(response.body)
+            end
+
+            test 'response should not contain extra data' do
+              assert_nil @data['data']
+            end
+
+            test 'response should contains message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
+            end
           end
 
-          test 'response should not contain extra data' do
-            assert_nil @data['data']
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @resource.email,
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
+            end
           end
         end
 

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -10,6 +10,17 @@ require 'test_helper'
 
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
+
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
 
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -87,17 +92,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       before do
         @original_duration = Devise.allow_unconfirmed_access_for
         Devise.allow_unconfirmed_access_for = nil
-        post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
       end
 
       test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
         assert response.headers['access-token']
         assert response.headers['token-type']
         assert response.headers['client']
@@ -105,6 +103,21 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         assert response.headers['uid']
       end
 
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
+
       after do
         Devise.allow_unconfirmed_access_for = @original_duration
       end