devise_token_auth 1.2.0 → 1.2.2

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -42,11 +42,17 @@ DeviseTokenAuth.setup do |config|
   # config.default_callbacks = true
 
   # Makes it possible to change the headers names
-  # config.headers_names = {:'access-token' => 'access-token',
-  #                        :'client' => 'client',
-  #                        :'expiry' => 'expiry',
-  #                        :'uid' => 'uid',
-  #                        :'token-type' => 'token-type' }
+  # config.headers_names = {
+  #   :'authorization' => 'Authorization',
+  #   :'access-token' => 'access-token',
+  #   :'client' => 'client',
+  #   :'expiry' => 'expiry',
+  #   :'uid' => 'uid',
+  #   :'token-type' => 'token-type'
+  # }
+
+  # Makes it possible to use custom uid column
+  # config.other_uid = "foo"
 
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can

data/test/controllers/custom/custom_confirmations_controller_test.rb

@@ -11,7 +11,7 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
       @new_user = create(:user)
       @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
       @mail          = ActionMailer::Base.deliveries.last
-      @token         = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+      @token         = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
       @client_config = @mail.body.match(/config=([^&]*)&/)[1]
 
       get :show,

data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb

@@ -20,7 +20,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
 
     test 'yield resource to block on omniauth_success success' do
       @redirect_url = 'http://ng-token-auth.dev/'
-      get '/nice_user_auth/facebook',
+      post '/nice_user_auth/facebook',
           params: { auth_origin_url: @redirect_url,
                     omniauth_window_type: 'newWindow' }
 

data/test/controllers/demo_mang_controller_test.rb

@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only_mang',
                 params: {},
                 headers: @auth_headers
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/demo_user_controller_test.rb

@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
 
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only',
                 params: {},
                 headers: @auth_headers
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+
+            @resource.reload
+            age_token(@resource, @client_id)
+
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
 
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
 
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
+
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
 
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
 
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
+
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
 
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
 
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
 
           it 'should define user during first request' do
             assert @first_user
           end
 
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -11,7 +11,7 @@ require 'test_helper'
 class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::ConfirmationsController do
     def token_and_client_config_from(body)
-      token         = body.match(/confirmation_token=([^&]*)&/)[1]
+      token         = body.match(/confirmation_token=([^&]*)[&"]/)[1]
       client_config = body.match(/config=([^&]*)&/)[1]
       [token, client_config]
     end
@@ -171,21 +171,30 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             test 'response should contain message' do
               assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
             end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
           end
 
           describe 'on failure' do
             before do
               swap Devise, paranoid: true do
+                @email = 'chester@cheet.ah'
                 post :create,
-                     params: { email: 'chester@cheet.ah',
+                     params: { email: @email,
                                redirect_url: @redirect_url },
                      xhr: true
                 @data = JSON.parse(response.body)
               end
             end
 
-            test 'response should contain errors' do
-              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            test 'response should not contain errors' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
             end
           end
         end
@@ -193,9 +202,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
 
       describe 'failure' do
         test 'user should not be confirmed' do
-          assert_raises(ActionController::RoutingError) do
-            get :show, params: { confirmation_token: 'bogus' }
-          end
+          get :show,
+              params: { confirmation_token: 'bogus',
+                        redirect_url: @redirect_url }
+
+          assert_redirected_to(/^#{@redirect_url}/)
+
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -13,7 +13,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   before do
-    @redirect_url = 'http://ng-token-auth.dev/'
+    @redirect_url = 'https://ng-token-auth.dev/'
   end
 
   def get_parsed_data_json
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'with alternate user model' do
       before do
-        get '/mangs/facebook',
+        post '/mangs/facebook',
             params: {
               auth_origin_url: @redirect_url,
               omniauth_window_type: 'newWindow'
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       before do
         @fav_color = 'alizarin crimson'
         @unpermitted_param = 'M. Bison'
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       favorite_color: @fav_color,
                       name: @unpermitted_param,
@@ -160,7 +160,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response contains oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
 
@@ -176,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response does not contain oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
 
@@ -189,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'using namespaces' do
       before do
-        get '/api/v1/auth/facebook',
+        post '/api/v1/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -234,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'with omniauth_window_type=sameWindow' do
       test 'redirects to auth_origin_url with all expected query params' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: '/auth_origin',
                       omniauth_window_type: 'sameWindow' }
 
@@ -258,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     end
 
     def get_success(params = {})
-      get '/auth/facebook',
+      post '/auth/facebook',
           params: {
             auth_origin_url: @redirect_url,
             omniauth_window_type: 'newWindow'
@@ -282,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'renders expected data' do
       silence_omniauth do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -298,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'renders something with no auth_origin_url' do
       silence_omniauth do
-        get '/auth/facebook'
+        post '/auth/facebook'
         follow_all_redirects!
       end
       assert_equal 200, response.status
@@ -339,7 +339,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request using non-whitelisted redirect fail' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @bad_redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -351,7 +351,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request to whitelisted redirect should succeed' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: @good_redirect_url,
               omniauth_window_type: 'newWindow'
@@ -365,7 +365,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
       test 'should support wildcards' do
         DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @good_redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -397,7 +397,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request using non-whitelisted redirect fail' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @bad_redirect_url,
                       omniauth_window_type: 'sameWindow' }
 
@@ -408,7 +408,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request to whitelisted redirect should succeed' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: '/auth_origin',
               omniauth_window_type: 'sameWindow'
@@ -422,7 +422,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
       test 'should support wildcards' do
         DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: '/auth_origin',
               omniauth_window_type: 'sameWindow'
@@ -433,9 +433,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         assert_equal 200, response.status
         assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
       end
-
-
     end
-
   end
 end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -116,14 +116,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               end
             end
 
-            test 'unknown user should return 404' do
-              assert_equal 404, response.status
+            test 'response should return success status' do
+              assert_equal 200, response.status
             end
 
-            test 'errors should be returned' do
-              assert @data['errors']
-              assert_equal @data['errors'],
-              [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
             end
           end
         end

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -306,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @data = JSON.parse(response.body)
         @mail = ActionMailer::Base.deliveries.last
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end
@@ -826,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
         @resource.reload
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -39,13 +39,17 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         describe 'using auth cookie' do
           before do
             DeviseTokenAuth.cookie_enabled = true
+            post :create, params: @user_session_params
           end
 
           test 'request should return auth cookie' do
-            post :create, params: @user_session_params
             assert response.cookies[DeviseTokenAuth.cookie_name]
           end
 
+          test 'request should not include bearer token' do
+            assert_nil response.headers["Authorization"]
+          end
+
           after do
             DeviseTokenAuth.cookie_enabled = false
           end
@@ -306,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Unconfirmed user' do
-      before do
-        @unconfirmed_user = create(:user)
-        post :create, params: { email: @unconfirmed_user.email,
-                                password: @unconfirmed_user.password }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          post :create, params: { email: @unconfirmed_user.email,
+                                  password: @unconfirmed_user.password }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.not_confirmed',
+                              email: @unconfirmed_user.email)]
+        end
       end
+      
+      describe 'With paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          swap Devise, paranoid: true do
+            post :create, params: { email: @unconfirmed_user.email,
+                                    password: @unconfirmed_user.password }
+          end
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'response should contain errors' do
-        assert @data['errors']
-        assert_equal @data['errors'],
-                     [I18n.t('devise_token_auth.sessions.not_confirmed',
-                             email: @unconfirmed_user.email)]
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors that do not leak the existence of the account' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.bad_credentials')]
+        end
       end
     end
 
@@ -371,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Non-existing user' do
-      before do
-        post :create,
-             params: { email: -> { Faker::Internet.email },
-                       password: -> { Faker::Number.number(10) } }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          post :create,
+              params: { email: -> { Faker::Internet.email },
+                        password: -> { Faker::Number.number(10) } }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+        end
       end
 
-      test 'response should contain errors' do
-        assert @data['errors']
+      describe 'With paranoid mode' do
+        before do
+          mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
+          @bcrypt_mock = MiniTest::Mock.new
+          @bcrypt_mock.expect(:call, mock_hash, [Object, String])
+
+          swap Devise, paranoid: true do
+            BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
+              post :create,
+                  params: { email: -> { Faker::Internet.email },
+                            password: -> { Faker::Number.number(10) } }
+            end
+          end
+        end
+        
+        test 'password should be hashed' do
+          @bcrypt_mock.verify
+        end
       end
     end
 
@@ -468,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
 
       describe 'locked user' do
-        before do
-          @locked_user = create(:lockable_user, :locked)
-          post :create,
-               params: { email: @locked_user.email,
-                         password: @locked_user.password }
-          @data = JSON.parse(response.body)
-        end
+        describe 'Without paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            post :create,
+                params: { email: @locked_user.email,
+                          password: @locked_user.password }
+            @data = JSON.parse(response.body)
+          end
 
-        test 'request should fail' do
-          assert_equal 401, response.status
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+          end
         end
 
-        test 'response should contain errors' do
-          assert @data['errors']
-          assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+        describe 'With paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            swap Devise, paranoid: true do
+              post :create,
+                  params: { email: @locked_user.email,
+                            password: @locked_user.password }
+            end
+            @data = JSON.parse(response.body)
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors that do not leak the existence of the account' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
+          end
         end
       end