devise_token_auth 1.1.4 → 1.2.1

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -17,11 +17,12 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'success' do
         before do
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: @existing_user.password
-               }
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
+
+          post :create, params: @user_session_params
 
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
@@ -35,17 +36,27 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
 
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+          end
+
+          test 'request should return auth cookie' do
+            post :create, params: @user_session_params
+            assert response.cookies[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
+
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number
             #  to expedite tests! (Default is 10)
             DeviseTokenAuth.max_number_of_devices = 2
             DeviseTokenAuth.change_headers_on_each_request = false
-
-            @user_session_params = {
-              email: @existing_user.email,
-              password: @existing_user.password
-            }
           end
 
           test 'should limit the maximum number of concurrent devices' do
@@ -159,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
 
       describe 'unauthed user sign out' do

data/test/controllers/devise_token_auth/token_validations_controller_test.rb

@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
       @token     = @auth_headers['access-token']
       @client_id = @auth_headers['client']
       @expiry    = @auth_headers['expiry']
-
+      @authorization_header = @auth_headers.slice('Authorization')
       # ensure that request is not treated as batch request
       age_token(@resource, @client_id)
     end
 
+    describe 'using only Authorization header' do
+      describe 'using valid Authorization header' do
+        before do
+          get '/auth/validate_token', params: {}, headers: @authorization_header
+        end
+
+        test 'token valid' do
+          assert_equal 200, response.status
+        end
+      end
+
+      describe 'using invalid Authorization header' do
+        describe 'with invalid base64' do
+          before do
+            get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
+          end
+
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+
+        describe 'with valid base64' do
+          before do
+            valid_base64 = Base64.strict_encode64({
+              "access-token": 'invalidtoken',
+              "token-type": 'Bearer',
+              "client": 'client',
+              "expiry": '1234567'
+            }.to_json)
+            get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
+          end
+
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+      end
+    end
+
     describe 'vanilla user' do
       before do
         get '/auth/validate_token', params: {}, headers: @auth_headers

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
 
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -68,13 +68,32 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
           end
         end
 
-        describe 'successfully requested unlock' do
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'should always return success' do
+            assert_equal 200, response.status
+          end
+
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
+          end
+        end
+
+        describe 'successfully requested unlock without paranoid mode' do
           before do
             post :create, params: { email: @resource.email }
 
@@ -86,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
           end
         end
 
+        describe 'successfully requested unlock with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: @resource.email }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'should always return success' do
+            assert_equal 200, response.status
+          end
+
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
+          end
+        end
+
         describe 'case-sensitive email' do
           before do
             post :create, params: { email: @resource.email }

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
       override_proof_str = '(^^,)'
 
       # ensure present in redirect URL
-      override_proof_param = URI.unescape(response.headers['Location']
+      override_proof_param = CGI.unescape(response.headers['Location']
                                 .match(/override_proof=([^&]*)&/)[1])
 
       assert_equal override_proof_str, override_proof_param

data/test/dummy/app/views/layouts/application.html.erb

@@ -2,8 +2,6 @@
 <html>
 <head>
   <title>Dummy</title>
-  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
-  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
   <%= csrf_meta_tags %>
 </head>
 <body>

data/test/dummy/config/application.rb

@@ -4,7 +4,6 @@ require File.expand_path('boot', __dir__)
 
 require 'action_controller/railtie'
 require 'action_mailer/railtie'
-require 'sprockets/railtie'
 require 'rails/generators'
 require 'rack/cors'
 

data/test/dummy/config/environments/development.rb

@@ -29,16 +29,6 @@ Rails.application.configure do
   # Raise an error on page load if there are pending migrations.
   config.active_record.migration_error = :page_load
 
-  # Debug mode disables concatenation and preprocessing of assets.
-  # This option may cause significant delays in view rendering with a large
-  # number of complex assets.
-  config.assets.debug = true
-
-  # Adds additional error checking when serving assets at runtime.
-  # Checks for improperly declared sprockets dependencies.
-  # Raises helpful error messages.
-  config.assets.raise_runtime_errors = true
-
   # Raises error for missing translations
   # config.action_view.raise_on_missing_translations = true
 

data/test/dummy/config/environments/production.rb

@@ -24,18 +24,6 @@ Rails.application.configure do
   # Disable Rails's static asset server (Apache or nginx will already do this).
   config.serve_static_files = false
 
-  # Compress JavaScripts and CSS.
-  config.assets.js_compressor = :uglifier
-  # config.assets.css_compressor = :sass
-
-  # Do not fallback to assets pipeline if a precompiled asset is missed.
-  config.assets.compile = false
-
-  # Generate digests for assets URLs.
-  config.assets.digest = true
-
-  # `config.assets.precompile` has moved to config/initializers/assets.rb
-
   # Specifies the header that your server uses for sending files.
   # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
   # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
@@ -58,10 +46,6 @@ Rails.application.configure do
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
   # config.action_controller.asset_host = "http://assets.example.com"
 
-  # Precompile additional assets.
-  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
-  # config.assets.precompile += %w( search.js )
-
   # Ignore bad email addresses and do not raise email delivery errors.
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false

data/test/dummy/db/schema.rb

@@ -2,11 +2,11 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.
 

data/test/dummy/tmp/generators/app/models/user.rb

@@ -0,0 +1,11 @@
+              class User < ApplicationRecord
+            # Include default devise modules.
+            devise :database_authenticatable, :registerable,
+                    :recoverable, :rememberable, :trackable, :validatable,
+                    :confirmable, :omniauthable
+            include DeviseTokenAuth::Concerns::User
+
+                def whatever
+                  puts 'whatever'
+                end
+              end

data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+DeviseTokenAuth.setup do |config|
+  # By default the authorization headers will change after each request. The
+  # client is responsible for keeping track of the changing tokens. Change
+  # this to false to prevent the Authorization header from changing after
+  # each request.
+  # config.change_headers_on_each_request = true
+
+  # By default, users will need to re-authenticate after 2 weeks. This setting
+  # determines how long tokens will remain valid after they are issued.
+  # config.token_lifespan = 2.weeks
+
+  # Limiting the token_cost to just 4 in testing will increase the performance of
+  # your test suite dramatically. The possible cost value is within range from 4
+  # to 31. It is recommended to not use a value more than 10 in other environments.
+  config.token_cost = Rails.env.test? ? 4 : 10
+
+  # Sets the max number of concurrent devices per user, which is 10 by default.
+  # After this limit is reached, the oldest tokens will be removed.
+  # config.max_number_of_devices = 10
+
+  # Sometimes it's necessary to make several requests to the API at the same
+  # time. In this case, each request in the batch will need to share the same
+  # auth token. This setting determines how far apart the requests can be while
+  # still using the same auth token.
+  # config.batch_request_buffer_throttle = 5.seconds
+
+  # This route will be the prefix for all oauth2 redirect callbacks. For
+  # example, using the default '/omniauth', the github oauth2 provider will
+  # redirect successful authentications to '/omniauth/github/callback'
+  # config.omniauth_prefix = "/omniauth"
+
+  # By default sending current password is not needed for the password update.
+  # Uncomment to enforce current_password param to be checked before all
+  # attribute updates. Set it to :password if you want it to be checked only if
+  # password is updated.
+  # config.check_current_password_before_update = :attributes
+
+  # By default we will use callbacks for single omniauth.
+  # It depends on fields like email, provider and uid.
+  # config.default_callbacks = true
+
+  # Makes it possible to change the headers names
+  # config.headers_names = {:'access-token' => 'access-token',
+  #                        :'client' => 'client',
+  #                        :'expiry' => 'expiry',
+  #                        :'uid' => 'uid',
+  #                        :'token-type' => 'token-type' }
+
+  # By default, only Bearer Token authentication is implemented out of the box.
+  # If, however, you wish to integrate with legacy Devise authentication, you can
+  # do so by enabling this flag. NOTE: This feature is highly experimental!
+  # config.enable_standard_devise_support = false
+
+  # By default DeviseTokenAuth will not send confirmation email, even when including
+  # devise confirmable module. If you want to use devise confirmable module and
+  # send email, set it to true. (This is a setting for compatibility)
+  # config.send_confirmation_email = true
+end

data/test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb

@@ -0,0 +1,49 @@
+class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[5.2]
+  def change
+    
+    create_table(:users) do |t|
+      ## Required
+      t.string :provider, :null => false, :default => "email"
+      t.string :uid, :null => false, :default => ""
+
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+      t.boolean  :allow_password_change, :default => false
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+
+      ## Tokens
+      t.text :tokens
+
+      t.timestamps
+    end
+
+    add_index :users, :email,                unique: true
+    add_index :users, [:uid, :provider],     unique: true
+    add_index :users, :reset_password_token, unique: true
+    add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+end

data/test/lib/devise_token_auth/blacklist_test.rb

@@ -3,9 +3,17 @@
 require 'test_helper'
 
 class DeviseTokenAuth::BlacklistTest < ActiveSupport::TestCase
-  describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
-    test 'should include :tokens' do
-      assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+  if defined? Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
+    describe Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION.include?(:tokens)
+      end
+    end
+  else
+    describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+      end
     end
   end
 end

data/test/lib/devise_token_auth/rails/custom_routes_test.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class DeviseTokenAuth::CustomRoutesTest < ActiveSupport::TestCase
+  after do
+    Rails.application.reload_routes!
+  end
+  test 'custom controllers' do
+    class ActionDispatch::Routing::Mapper
+        include Mocha::ParameterMatchers
+    end
+    Rails.application.routes.draw do
+      self.expects(:devise_for).with(
+        :users,
+        has_entries(
+          controllers: has_entries(
+            invitations: "custom/invitations", foo: "custom/foo"
+          )
+        )
+      )
+
+      mount_devise_token_auth_for 'User', at: 'my_custom_users', controllers: {
+        invitations: 'custom/invitations',
+        foo: 'custom/foo'
+      }
+    end
+  end
+end

data/test/lib/devise_token_auth/rails/routes_test.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Needed for MiniTest to start a controller test so we can use assert_recognizes
+class DeviseTokenAuth::RoutesTestController < DeviseTokenAuth::ApplicationController
+end
+
+class DeviseTokenAuth::RoutesTest < ActionController::TestCase
+  self.controller_class = DeviseTokenAuth::RoutesTestController
+  before do
+    Rails.application.routes.draw do
+      mount_devise_token_auth_for 'User', at: 'my_custom_users', controllers: {
+        invitations: 'custom/invitations',
+        foo: 'custom/foo'
+      }
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  test 'map new user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'new'}, {path: 'my_custom_users/sign_in', method: :get})
+  end
+
+  test 'map create user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'create'}, {path: 'my_custom_users/sign_in', method: :post})
+  end
+
+  test 'map destroy user session' do
+    assert_recognizes({controller: 'devise_token_auth/sessions', action: 'destroy'}, {path: 'my_custom_users/sign_out', method: :delete})
+  end
+
+  test 'map new user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'new'}, 'my_custom_users/confirmation/new')
+  end
+
+  test 'map create user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'create'}, {path: 'my_custom_users/confirmation', method: :post})
+  end
+
+  test 'map show user confirmation' do
+    assert_recognizes({controller: 'devise_token_auth/confirmations', action: 'show'}, {path: 'my_custom_users/confirmation', method: :get})
+  end
+
+  test 'map new user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'new'}, 'my_custom_users/password/new')
+  end
+
+  test 'map create user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'create'}, {path: 'my_custom_users/password', method: :post})
+  end
+
+  test 'map edit user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'edit'}, 'my_custom_users/password/edit')
+  end
+
+  test 'map update user password' do
+    assert_recognizes({controller: 'devise_token_auth/passwords', action: 'update'}, {path: 'my_custom_users/password', method: :put})
+  end
+
+  test 'map new user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'new'}, 'my_custom_users/sign_up')
+  end
+
+  test 'map create user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'create'}, {path: 'my_custom_users', method: :post})
+  end
+
+  test 'map edit user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'edit'}, {path: 'my_custom_users/edit', method: :get})
+  end
+
+  test 'map update user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'update'}, {path: 'my_custom_users', method: :put})
+  end
+
+  test 'map destroy user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'destroy'}, {path: 'my_custom_users', method: :delete})
+  end
+
+  test 'map cancel user registration' do
+    assert_recognizes({controller: 'devise_token_auth/registrations', action: 'cancel'}, {path: 'my_custom_users/cancel', method: :get})
+  end
+end

data/test/lib/generators/devise_token_auth/install_generator_test.rb

@@ -70,7 +70,7 @@ module DeviseTokenAuth
         case DEVISE_TOKEN_AUTH_ORM
         when :active_record
           # account for rails version 5
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
 
           @f = File.open(@fname, 'w') do |f|
             f.write <<-RUBY

data/test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb

@@ -75,7 +75,7 @@ module DeviseTokenAuth
         case DEVISE_TOKEN_AUTH_ORM
         when :active_record
           # account for rails version 5
-          active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
+          active_record_needle = (Rails::VERSION::MAJOR >= 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'
 
           @f = File.open(@fname, 'w') do |f|
             f.write <<-RUBY

data/test/models/concerns/tokens_serialization_test.rb

@@ -13,7 +13,6 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
 
       user.tokens
     end
-    let(:json) { JSON.generate(tokens) }
 
     it 'is defined' do
       assert_equal(ts.present?, true)
@@ -21,6 +20,9 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
     end
 
     describe '.load(json)' do
+
+      let(:json) { JSON.generate(tokens) }
+
       let(:default) { {} }
 
       it 'is defined' do
@@ -55,16 +57,48 @@ if DEVISE_TOKEN_AUTH_ORM == :active_record
         assert_equal(ts.dump({}), '{}')
       end
 
-      it 'deserialize tokens' do
-        assert_equal(ts.dump(tokens), json)
-      end
-
       it 'removes nil values' do
         new_tokens = tokens.dup
         new_tokens[new_tokens.first[0]][:kos] = nil
 
         assert_equal(ts.dump(tokens), ts.dump(new_tokens))
       end
+
+      describe 'updated_at' do
+        before do
+          @default_format = ::Time::DATE_FORMATS[:default]
+          ::Time::DATE_FORMATS[:default] = 'imprecise format'
+        end
+
+        after do
+          ::Time::DATE_FORMATS[:default] = @default_format
+        end
+
+        def updated_ats(tokens)
+          tokens.
+            values.
+            flat_map do |token|
+            [:updated_at, 'updated_at'].map do |key|
+              token[key]
+            end
+          end.
+          compact
+        end
+
+        it 'is defined' do
+          refute_empty updated_ats(tokens)
+        end
+
+        it 'uses iso8601' do
+          updated_ats(JSON.parse(ts.dump(tokens))).each do |updated_at|
+            Time.strptime(updated_at, '%Y-%m-%dT%H:%M:%SZ')
+          end
+        end
+
+        it 'does not rely on Time#to_s' do
+          refute_includes(updated_ats(tokens), 'imprecise format')
+        end
+      end
     end
   end
 end