devise_token_auth 1.2.0 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb2d73d7859e1754b505d6f554c8d298ba899444b4fe4e1b47d50ca9bab453e8
-  data.tar.gz: 3572d4ff07d68f62d8e51270959fd20451d9edb4832d576b9342939275390dee
+  metadata.gz: 135b5088d17b20d187a6ffe314356dd2a2474d9bd98898bc9e36bc931e6c9fef
+  data.tar.gz: cf3c3c6fc19564248bdcb22e3b99624bd25a027383649a45c7e7bf1fddfd5bbd
 SHA512:
-  metadata.gz: 50c95181401bedfd959a407d450f222ab185d75000825385dd691a064e831b36263eb1338d25f6378a743ac9009b73f80df3e24cb09ce5680a0e6723fc98acb9
-  data.tar.gz: 91910874d7e473d31eb39cf40c6860da4ab5b59aa874a0f1296faa17718103124018568cf289486a9d49a3ec1b967f14e23c18afb8d3f6cd3ec2fd837d663a83
+  metadata.gz: 5f6e88376261bcea31e98d8af66cc298755d2cbc2724c481a100d78273824b1dcfcc016bbc2af2b43d1dcac945fc6a4015d351f321da9a432ec4c5129f8c58f0
+  data.tar.gz: bde72417d1882c6f69076d3bfe8cebd077e39a681898fb0c5603643770a3d81eb0ac3d42dd46f8ae27aff4dae74a138159160974c1996ef4e28d252baf6b52ba

data/README.md

@@ -1,7 +1,7 @@
 # Devise Token Auth
 
 [![Gem Version](https://badge.fury.io/rb/devise_token_auth.svg)](http://badge.fury.io/rb/devise_token_auth)
-[![Build Status](https://travis-ci.org/lynndylanhurley/devise_token_auth.svg?branch=master)](https://travis-ci.org/lynndylanhurley/devise_token_auth)
+[![Build Status](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml)
 [![Code Climate](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/gpa.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth)
 [![Test Coverage](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/coverage.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/coverage)
 [![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth)
@@ -22,6 +22,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
   * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
+  * [vanilla-token-auth](https://github.com/theblang/vanilla-token-auth) for an unopinionated client
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
 * Email authentication using [Devise](https://github.com/plataformatec/devise), including:
   * User registration, update and deletion

data/app/controllers/devise_token_auth/application_controller.rb

@@ -83,5 +83,18 @@ module DeviseTokenAuth
         I18n.t("devise_token_auth.#{name}.sended", email: email)
       end
     end
+
+    def redirect_options
+      {}
+    end
+
+    # When using a cookie to transport the auth token we can set it immediately in flows such as
+    # reset password and OmniAuth success, rather than making the client scrape the token from
+    # query params (to then send in the initial validate_token request).
+    # TODO: We should be able to stop exposing the token in query params when this method is used
+    def set_token_in_cookie(resource, token)
+      auth_header = resource.build_auth_headers(token.token, token.client)
+      cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -22,7 +22,8 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   def find_resource(field, value)
     @resource = if database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity
-                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                  field_sanitized = resource_class.connection.quote_column_name(field)
+                  resource_class.where("BINARY #{field_sanitized} = ? AND provider= ?", value, provider).first
                 else
                   resource_class.dta_find_by(field => value, 'provider' => provider)
                 end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -32,8 +32,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
+    other_uid_name = DeviseTokenAuth.other_uid && DeviseTokenAuth.headers_names[DeviseTokenAuth.other_uid.to_sym]
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
+    authorization_name = DeviseTokenAuth.headers_names[:"authorization"]
+
+    # Read Authorization token and decode it if present
+    decoded_authorization_token = decode_bearer_token(request.headers[authorization_name])
 
     # gets values from cookie if configured and present
     parsed_auth_cookie = {}
@@ -45,10 +50,11 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
 
     # parse header for values necessary for authentication
-    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
+    other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
     @token           = DeviseTokenAuth::TokenFactory.new unless @token
-    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name]
-    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name]
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]
 
     # client isn't required, set to 'default' if absent
     @token.client ||= 'default'
@@ -75,7 +81,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
 
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.dta_find_by(uid: uid)
+    user = (uid && rc.dta_find_by(uid: uid)) || (other_uid && rc.dta_find_by("#{DeviseTokenAuth.other_uid}": other_uid))
     scope = rc.to_s.underscore.to_sym
 
     if user && user.valid_token?(@token.token, @token.client)
@@ -105,7 +111,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # cleared by sign out in the meantime
       return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token.token, @token.client)
+      auth_header = @resource.build_auth_headers(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)
@@ -128,6 +134,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
   private
 
+  def decode_bearer_token(bearer_token)
+    return {} if bearer_token.blank?
+
+    encoded_token = bearer_token.split.last # Removes the 'Bearer' from the string
+    JSON.parse(Base64.strict_decode64(encoded_token)) rescue {}
+  end
+
   def refresh_headers
     # Lock the user record during any auth_header updates to ensure
     # we don't have write contention from multiple threads
@@ -141,8 +154,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # update the response header
       response.headers.merge!(_auth_header_from_batch_request)
 
-      # set a server cookie if configured
-      if DeviseTokenAuth.cookie_enabled
+      # set a server cookie if configured and is not a batch request
+      if DeviseTokenAuth.cookie_enabled && !@is_batch_request
         set_cookie(_auth_header_from_batch_request)
       end
     end # end lock

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -22,11 +22,15 @@ module DeviseTokenAuth
           redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
         else
           redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
-       end
+        end
 
-        redirect_to(redirect_to_link)
+        redirect_to(redirect_to_link, redirect_options)
       else
-        raise ActionController::RoutingError, 'Not Found'
+        if redirect_url
+          redirect_to DeviseTokenAuth::Url.generate(redirect_url, account_confirmation_success: false)
+        else
+          raise ActionController::RoutingError, 'Not Found'
+        end
       end
     end
 
@@ -62,7 +66,7 @@ module DeviseTokenAuth
 
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.confirmations.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
       end
@@ -81,6 +85,5 @@ module DeviseTokenAuth
         DeviseTokenAuth.default_confirm_success_url
       )
     end
-
   end
 end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -23,7 +23,7 @@ module DeviseTokenAuth
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route
+      redirect_to redirect_route, {status: 307}.merge(redirect_options)
     end
 
     def get_redirect_route(devise_mapping)
@@ -45,7 +45,7 @@ module DeviseTokenAuth
     # find the mapping in `omniauth.params`.
     #
     # One example use-case here is for IDP-initiated SAML login.  In that
-    # case, there will have been no initial request in which to save 
+    # case, there will have been no initial request in which to save
     # the devise mapping.  If you are in a situation like that, and
     # your app allows for you to determine somehow what the devise
     # mapping should be (because, for example, it is always the same),
@@ -70,6 +70,10 @@ module DeviseTokenAuth
 
       yield @resource if block_given?
 
+      if DeviseTokenAuth.cookie_enabled
+        set_token_in_cookie(@resource, @token)
+      end
+
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
 
@@ -78,10 +82,10 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
 
-    def validate_auth_origin_url_param 
+    def validate_auth_origin_url_param
       return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
     end
-  
+
 
     protected
 
@@ -107,7 +111,6 @@ module DeviseTokenAuth
         end
       end
       @_omniauth_params
-
     end
 
     # break out provider attribute assignment for easy method extension
@@ -129,23 +132,19 @@ module DeviseTokenAuth
     end
 
     def resource_class(mapping = nil)
-      if omniauth_params['resource_class']
-        omniauth_params['resource_class'].constantize
-      elsif params['resource_class']
-        params['resource_class'].constantize
-      else
-        raise 'No resource_class found'
-      end
+      return @resource_class if defined?(@resource_class)
+
+      constant_name = omniauth_params['resource_class'].presence || params['resource_class'].presence
+      @resource_class = ObjectSpace.each_object(Class).detect { |cls| cls.to_s == constant_name && cls.pretty_print_inspect.starts_with?(constant_name) }
+      raise 'No resource_class found' if @resource_class.nil?
+
+      @resource_class
     end
 
     def resource_name
       resource_class
     end
 
-    def omniauth_window_type
-      omniauth_params['omniauth_window_type']
-    end
-
     def unsafe_auth_origin_url
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
@@ -164,12 +163,11 @@ module DeviseTokenAuth
       omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
     end
 
-    # this sesison value is set by the redirect_callbacks method. its purpose
+    # this session value is set by the redirect_callbacks method. its purpose
     # is to persist the omniauth auth hash value thru a redirect. the value
-    # must be destroyed immediatly after it is accessed by omniauth_success
+    # must be destroyed immediately after it is accessed by omniauth_success
     def auth_hash
       @_auth_hash ||= session.delete('dta.omniauth.auth')
-      @_auth_hash
     end
 
     # ensure that this controller responds to :devise_controller? conditionals.
@@ -229,7 +227,7 @@ module DeviseTokenAuth
       elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
 
         # build and redirect to destination url
-        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true).merge(redirect_options))
       else
 
         # there SHOULD always be an auth_origin_url, but if someone does something silly
@@ -283,5 +281,4 @@ module DeviseTokenAuth
       @resource
     end
   end
-
 end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -49,14 +49,20 @@ module DeviseTokenAuth
         yield @resource if block_given?
 
         if require_client_password_reset_token?
-          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token]),
+          redirect_options
         else
+          if DeviseTokenAuth.cookie_enabled
+            set_token_in_cookie(@resource, token)
+          end
+
           redirect_header_options = { reset_password: true }
           redirect_headers = build_redirect_headers(token.token,
                                                     token.client,
                                                     redirect_header_options)
           redirect_to(@resource.build_auth_url(@redirect_url,
-                                               redirect_headers))
+                                               redirect_headers),
+                                               redirect_options)
         end
       else
         render_edit_error
@@ -182,7 +188,7 @@ module DeviseTokenAuth
 
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.passwords.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
       end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -11,11 +11,7 @@ module DeviseTokenAuth
     end
 
     def create
-      # Check
-      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
-
-      @resource = nil
-      if field
+      if field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
         q_value = get_case_insensitive_field_from_resource_params(field)
 
         @resource = find_resource(field, q_value)
@@ -26,21 +22,22 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @token = @resource.create_token
-        @resource.save
 
-        sign_in(:user, @resource, store: false, bypass: false)
+        create_and_assign_token
+
+        sign_in(@resource, scope: :user, store: false, bypass: false)
 
         yield @resource if block_given?
 
         render_create_success
-      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      elsif @resource && !Devise.paranoid && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
         if @resource.respond_to?(:locked_at) && @resource.locked_at
           render_create_error_account_locked
         else
           render_create_error_not_confirmed
         end
       else
+        hash_password_in_paranoid_mode
         render_create_error_bad_credentials
       end
     end
@@ -78,7 +75,6 @@ module DeviseTokenAuth
     def get_auth_params
       auth_key = nil
       auth_val = nil
-
       # iterate thru allowed auth keys, use first found
       resource_class.authentication_keys.each do |k|
         if resource_params[k]
@@ -133,5 +129,25 @@ module DeviseTokenAuth
     def resource_params
       params.permit(*params_for_resource(:sign_in))
     end
+
+    def create_and_assign_token
+      if @resource.respond_to?(:with_lock)
+        @resource.with_lock do
+          @token = @resource.create_token
+          @resource.save!
+        end
+      else
+        @token = @resource.create_token
+        @resource.save!
+      end
+    end
+
+    def hash_password_in_paranoid_mode
+      # In order to avoid timing attacks in paranoid mode, we want the password hash to be
+      # calculated even if no resource has been found. Devise's DatabaseAuthenticatable warden
+      # strategy handles this case similarly:
+      # https://github.com/heartcombo/devise/blob/main/lib/devise/strategies/database_authenticatable.rb
+      resource_class.new.password = resource_params[:password] if Devise.paranoid
+    end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -44,7 +44,8 @@ module DeviseTokenAuth
                                                   token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
-                                             redirect_headers))
+                                             redirect_headers),
+                                             redirect_options)
       else
         render_show_error
       end
@@ -80,7 +81,7 @@ module DeviseTokenAuth
 
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.unlocks.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
       end

data/app/models/devise_token_auth/concerns/user.rb

@@ -120,6 +120,7 @@ module DeviseTokenAuth::Concerns::User
     # ghetto HashWithIndifferentAccess
     expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
     token_hash = tokens[client]['token'] || tokens[client][:token]
+    previous_token_hash = tokens[client]['previous_token'] || tokens[client][:previous_token]
 
     return true if (
       # ensure that expiry and token are set
@@ -129,11 +130,24 @@ module DeviseTokenAuth::Concerns::User
       DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
 
       # ensure that the token is valid
-      DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+      (
+        # check if the latest token matches
+        does_token_match?(token_hash, token) ||
+
+        # check if the previous token matches
+        does_token_match?(previous_token_hash, token)
+      )
     )
   end
 
-  # allow batch requests to use the previous token
+  # check if the hash of received token matches the stored token
+  def does_token_match?(token_hash, token)
+    return false if token_hash.nil?
+
+    DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+  end
+
+  # allow batch requests to use the last token
   def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
     updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
@@ -143,7 +157,7 @@ module DeviseTokenAuth::Concerns::User
       # ensure that the last token and its creation time exist
       updated_at && last_token_hash &&
 
-      # ensure that previous token falls within the batch buffer throttle time of the last request
+      # ensure that last token falls within the batch buffer throttle time of the last request
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
@@ -157,29 +171,38 @@ module DeviseTokenAuth::Concerns::User
 
     token = create_token(
       client: client,
-      last_token: tokens.fetch(client, {})['token'],
+      previous_token: tokens.fetch(client, {})['token'],
+      last_token: tokens.fetch(client, {})['previous_token'],
       updated_at: now
     )
 
-    update_auth_header(token.token, token.client)
+    update_auth_headers(token.token, token.client)
   end
 
-  def build_auth_header(token, client = 'default')
+  def build_auth_headers(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
     expiry = tokens[client]['expiry'] || tokens[client][:expiry]
-
-    {
+    headers = {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
       DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
+    headers.merge(build_bearer_token(headers))
+  end
+
+  def build_bearer_token(auth)
+    return {} if DeviseTokenAuth.cookie_enabled # There is no need for the bearer token if it is using cookies
+
+    encoded_token = Base64.strict_encode64(auth.to_json)
+    bearer_token = "Bearer #{encoded_token}"
+    { DeviseTokenAuth.headers_names[:"authorization"] => bearer_token }
   end
 
-  def update_auth_header(token, client = 'default')
-    headers = build_auth_header(token, client)
+  def update_auth_headers(token, client = 'default')
+    headers = build_auth_headers(token, client)
     clean_old_tokens
     save!
 
@@ -195,7 +218,7 @@ module DeviseTokenAuth::Concerns::User
 
   def extend_batch_buffer(token, client)
     tokens[client]['updated_at'] = Time.zone.now
-    update_auth_header(token, client)
+    update_auth_headers(token, client)
   end
 
   def confirmed?

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -4,12 +4,12 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   extend ActiveSupport::Concern
 
   included do
-    validates :email, presence: true,if: :email_provider?
-    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
-    validates_presence_of :uid, unless: :email_provider?
+    validates :email, presence: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
 
     # only validate unique emails among email registration users
-    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
 
     # keep uid in sync with email
     before_save :sync_uid
@@ -18,6 +18,10 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 
   protected
 
+  def uid_and_provider_defined?
+    defined?(provider) && defined?(uid)
+  end
+
   def email_provider?
     provider == 'email'
   end
@@ -26,6 +30,6 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     unless self.new_record?
       return if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone && postpone_email_change?
     end
-    self.uid = email if email_provider?
+    self.uid = email if uid_and_provider_defined? && email_provider?
   end
 end

data/app/validators/devise_token_auth_email_validator.rb

@@ -1,8 +1,16 @@
 # frozen_string_literal: true
 
 class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
+  EMAIL_REGEXP = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+
+  class << self
+    def validate?(email)
+      email =~ EMAIL_REGEXP
+    end
+  end
+
   def validate_each(record, attribute, value)
-    unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+    unless DeviseTokenAuthEmailValidator.validate?(value)
       record.errors.add(attribute, email_invalid_message)
     end
   end

data/config/locales/ja.yml

@@ -21,10 +21,22 @@ ja:
       missing_redirect_url: "リダイレクト URL が与えられていません。"
       not_allowed_redirect_url: "'%{redirect_url}' へのリダイレクトは許可されていません。"
       sended: "'%{email}' にパスワードリセットの案内が送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、 数分後にパスワード再発行用のリンクを記載したメールをお送りします。"
       user_not_found: "メールアドレス '%{email}' のユーザーが見つかりません。"
       password_not_required: "このアカウントはパスワードを要求していません。'%{provider}' を利用してログインしてください。"
       missing_passwords: "'Password', 'Password confirmation' パラメータが与えられていません。"
       successfully_updated: "パスワードの更新に成功しました。"
+    unlocks:
+      missing_email: "メールアドレスが与えられていません。"
+      sended: "%{email}' にアカウントのロックを解除する方法を記載したメールが送信されました。"
+      sended_paranoid: "アカウントが存在する場合、数分後にロックを解除する方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+    confirmations:
+      sended: "'%{email}' にアカウントの確認方法を記載したメールが送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、数分後にメールアドレスの確認方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+      missing_email: "メールアドレスが与えられていません。"
+
   errors:
     messages:
       validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。"

data/lib/devise_token_auth/engine.rb

@@ -30,7 +30,8 @@ module DeviseTokenAuth
                  :cookie_attributes,
                  :bypass_sign_in,
                  :send_confirmation_email,
-                 :require_client_password_reset_token
+                 :require_client_password_reset_token,
+                 :other_uid
 
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -45,7 +46,8 @@ module DeviseTokenAuth
   self.enable_standard_devise_support       = false
   self.remove_tokens_after_password_reset   = false
   self.default_callbacks                    = true
-  self.headers_names                        = { 'access-token': 'access-token',
+  self.headers_names                        = { 'authorization': 'Authorization',
+                                                'access-token': 'access-token',
                                                 'client': 'client',
                                                 'expiry': 'expiry',
                                                 'uid': 'uid',
@@ -56,6 +58,7 @@ module DeviseTokenAuth
   self.bypass_sign_in                       = true
   self.send_confirmation_email              = false
   self.require_client_password_reset_token  = false
+  self.other_uid                            = nil
 
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/rails/routes.rb

@@ -65,17 +65,18 @@ module ActionDispatch::Routing
 
           # omniauth routes. only define if omniauth is installed and not skipped.
           if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
-            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get]
-            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get]
+            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
+            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get, :post]
 
             match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: 'redirect_callbacks', via: [:get, :post]
             match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
 
             # preserve the resource class thru oauth authentication by setting name of
             # resource as "resource_class" param
-            match "#{full_path}/:provider", to: redirect{ |params, request|
+            match "#{full_path}/:provider", to: redirect(status: 307) { |params, request|
               # get the current querystring
-              qs = CGI::parse(request.env['QUERY_STRING'])
+              # TODO: deprecate in favor of using params
+              qs = CGI::parse(request.env['QUERY_STRING'].empty? ? request.body.read : request.env['QUERY_STRING'] )
 
               # append name of current resource
               qs['resource_class'] = [resource]
@@ -99,7 +100,7 @@ module ActionDispatch::Routing
 
               # re-construct the path for omniauth
               "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
-            }, via: [:get]
+            }, via: [:get, :post]
           end
         end
       end

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.2.0'.freeze
+  VERSION = '1.2.2'.freeze
 end