devise_token_auth 0.1.13 → 0.1.14

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 834e6565e101d247f0c8941ebc6d3c9a5aeb57fb
-  data.tar.gz: e0d5fec0bbf44b1d96bf0f91bdc2b525e5e87d02
+  metadata.gz: 85dbd55f7d4269a7061c016208d1fbb7c106f190
+  data.tar.gz: 3eefd3ae437e88ca1a7960556e4a9708c29b3cad
 SHA512:
-  metadata.gz: 6f5d97700e9940fb9a6fe382efe248f2bb26332d1c232c563fb944e968adceeb122e77ca2a26bce437965980a56bfd6d7a7639e0e5d7475a990e0f614dfb4dbe
-  data.tar.gz: c5cd9381e88c4cd41213967e2249a4fa4a6292a8b598e37a46c8a2562df4ef204f784417732ecb3751ab3a178ba5868b479f4b309b3fc35cd3846c7ab684cafe
+  metadata.gz: 8c8f4f54d6701084ffcbcd7217de162b7cb2b999e2d18fbddc65a24cca83f956ccf63900c052b3b253da1ee367f60339315745e4e7e306e9ba66851d3b15e527
+  data.tar.gz: 0e5002e2584cef474734197b538266643dfabfa9c28e84ca6a60b9b8770e47b22886f7224e816534204c04ec150bc14a72e85be76a567b78faded45ed1359d07

data/LICENSE

@@ -0,0 +1,13 @@
+        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+                    Version 2, December 2004 
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 
+
+ Everyone is permitted to copy and distribute verbatim or modified 
+ copies of this license document, and changing it is allowed as long 
+ as the name is changed. 
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

data/README.md

@@ -0,0 +1,244 @@
+# Devise Token Auth
+
+![build](https://travis-ci.org/lynndylanhurley/devise_token_auth.svg)
+
+This gem provides simple, secure token based authentication.
+
+This gem was designed to work with the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js).
+
+# Demo
+
+[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module.
+
+The fully configured api used in the demo can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo).
+
+# Dependencies
+This project leverages the following gems:
+
+* [Devise](https://github.com/plataformatec/devise)
+* [Omniauth](https://github.com/intridea/omniauth)
+
+# Installation
+Add the following to your `Gemfile`:
+
+~~~ruby
+gem devise_token_auth
+~~~
+
+Then install the gem using bundle:
+
+~~~bash
+bundle install
+~~~
+
+## Migrations
+You will need to create a user model. Run the following to generate and run the `User` model migration:
+
+~~~bash
+rake devise_token_auth:install:migrations
+~~~
+
+Then run the migration:
+
+~~~bash
+rake db:migrate
+~~~
+
+## Omniauth authentication
+
+If you wish to use omniauth authentication, add all of your desired authentication provider gems as well.
+
+##### Omniauth example using github, facebook, and google:
+~~~ruby
+gem 'omniauth-github',        :git => 'git://github.com/intridea/omniauth-github.git'
+gem 'omniauth-facebook',      :git => 'git://github.com/mkdynamic/omniauth-facebook.git'
+gem 'omniauth-google-oauth2', :git => 'git://github.com/zquestz/omniauth-google-oauth2.git'
+~~~
+
+Then run `bundle install`.
+
+[List of oauth2 providers](https://github.com/intridea/omniauth/wiki/List-of-Strategies)
+
+#### Provider settings
+In `config/initializers/omniauth.rb`, add the settings for each of your providers.
+
+These settings must be obtained from the providers themselves.
+
+##### Example using github, facebook, and google:
+~~~ruby
+# config/initializers/omniauth.rb
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :github,        ENV['GITHUB_KEY'],   ENV['GITHUB_SECRET'],   scope: 'email,profile'
+  provider :facebook,      ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET']
+  provider :google_oauth2, ENV['GOOGLE_KEY'],   ENV['GOOGLE_SECRET']
+end
+~~~
+
+The above example assumes that your provider keys and secrets are stored in environmental variables. Use the [figaro](https://github.com/laserlemon/figaro) gem (or [dotenv](https://github.com/bkeepers/dotenv) or [secrets.yml](https://github.com/rails/rails/blob/v4.1.0/railties/lib/rails/generators/rails/app/templates/config/secrets.yml) or equivalent) to accomplish this.
+
+
+**Note for [pow](http://pow.cx/) and [xip.io](http://xip.io) users**: if you receive `redirect-uri-mismatch` errors from your provider when using pow or xip.io urls, set the following in your development config:
+
+~~~ruby
+# config/environments/development.rb
+
+# when using pow
+OmniAuth.config.full_host = "http://app-name.dev"
+
+# when using xip.io
+OmniAuth.config.full_host = "http://xxx.xxx.xxx.app-name.xip.io"
+~~~
+
+There may be a better way to accomplish this. Please post an issue if you have any suggestions.
+
+## Email authentication
+If you wish to use email authentication, you must configure your Rails application to send email. [Read here](http://guides.rubyonrails.org/action_mailer_basics.html) for more information.
+
+I recommend using [mailcatcher](http://mailcatcher.me/) for development.
+
+##### mailcatcher development example configuration:
+~~~ruby
+# config/environments/development.rb
+Rails.application.configure do
+  config.action_mailer.default_url_options = { :host => 'your-dev-host.dev' }
+  config.action_mailer.delivery_method = :smtp
+  config.action_mailer.smtp_settings = { :address => 'your-dev-host.dev', :port => 1025 }
+end
+~~~
+
+## Routes
+
+The authentication routes must be mounted to your project.
+
+In `config/routes.rb`, add the following line:
+
+~~~ruby
+# config/routes.rb
+mount DeviseTokenAuth::Engine => "/auth"
+~~~
+
+Note that you can mount this engine to any route that you like. `/auth` is used to conform to the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module.
+
+## CORS
+
+If your API and client live on different domains, you will need to configure your Rails API to allow cross origin requests. The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this.
+
+The following example will allow cross domain requests from any domain.
+
+##### Example rack-cors configuration:
+~~~ruby
+# gemfile
+gem 'rack-cors', :require => 'rack/cors'
+
+# config/application.rb
+module YourApp
+  class Application < Rails::Application
+    config.middleware.use Rack::Cors do
+      allow do
+        origins '*'
+        resource '*',
+          :headers => :any,
+          :expose => ['Authorization'], # <-- important!
+          :methods => [:get, :post, :options, :delete, :put]
+      end
+    end
+  end
+end
+~~~
+
+Make extra sure that the `Access-Control-Expose-Headers` includes `Authorization` (as is set in the example above by the`:expose` param). If your client experiences erroneous 401 responses, this is likely the cause.
+
+CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the [ng-token-auth readme](https://github.com/lynndylanhurley/ng-token-auth) for more information.
+
+# Usage
+
+The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`/auth` in the example above).
+
+| path | method | purpose |
+|:-----|:-------|:--------|
+| /    | POST   | email registration. accepts **email**, **password**, and **password_confirmation** params. |
+| /sign_in | POST | email authentication. accepts **email** and **password** as params. |
+| /sign_out | DELETE | invalidate tokens (end session) |
+| /:provider | GET | set this route as the destination for client authentication. ideally this will happen in an external window or popup. |
+| /:provider/callback | GET/POST | destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. |
+| /validate_token | POST | use this route to validate tokens on return visits to the client. accepts **uid** and **auth_token** as params. these values should correspond to the columns in your `User` table of the same names. |
+
+If you're using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for angular.js, then your client is ready to go.
+
+## Identifying users in controllers
+
+The authentication information should be included by the client in the `Authorization` header of each request. The header should follow this format:
+
+~~~
+token=xxxxx client=yyyyy uid=zzzzz
+~~~
+
+Replace `xxxxx` with the user's `auth_token` and `zzzzz` with the user's `uid`. The `client` field exists to allow for multiple simultaneous sessions per user. The client field defaults to `default` if omitted.
+
+This all happens effortlessly and invisibly when using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth).
+
+### DeviseTokenAuth::Concerns::SetUserByToken
+
+This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) that can be used to identify users by the `Authorization` header.
+
+This concern runs a [before_action](http://guides.rubyonrails.org/action_controller_overview.html#filters), setting the `@user` variable for use in your controllers. The user will be signed in via devise for the duration of the request.
+
+The concern also runs an [after_action](http://guides.rubyonrails.org/action_controller_overview.html#filters) that changes the auth token after each request.
+
+It is recommended to include the concern in your base `ApplicationController` so that all children of that controller include the concern as well.
+
+~~~ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include DeviseTokenAuth::Concerns::SetUserByToken
+end
+
+# app/controllers/test_controller.rb
+class TestController < ApplicationController
+  def members_only
+    if @user
+      render json: {
+        data: {
+          message: "Welcome #{@user.name}",
+          user: @user
+        }
+      }, status: 200
+    else
+      render json: {
+        errors: ["Authorized users only."]
+      }, status: 401
+    end
+  end
+end
+~~~
+
+# Security
+
+This gem takes the following steps to ensure security.
+
+This gem uses auth tokens that are:
+* changed after every request,
+* [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html),
+* hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text),
+* securely compared (to protect against timing attacks),
+* invalidated after 2 weeks
+
+These measures were inspired by [this stackoverflow post](http://stackoverflow.com/questions/18605294/is-devises-token-authenticatable-secure).
+
+This gem further mitigates timing attacks by using [this technique](https://gist.github.com/josevalim/fb706b1e933ef01e4fb6).
+
+But the most important step is to use HTTPS. You are on the hook for that.
+
+# TODO
+
+* Write tests
+* `User` model is currently baked into this gem. Allow for dynamic definition using concerns (or other means).
+* Find a way to expose devise + omniauth configs, maybe using generators.
+
+# Contributing
+Just send a pull request. I will grant you commit access if you send quality pull requests.
+
+Guidelines will be posted if the need arises.
+
+# License
+This project uses the WTFPL

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -4,16 +4,17 @@ module DeviseTokenAuth
 
     def show
       @user = User.confirm_by_token(params[:confirmation_token])
-      if @user
+
+      if @user.id
         # create client id
         client_id  = SecureRandom.urlsafe_base64(nil, false)
-
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
         @user.tokens[client_id] = {
           token:  token_hash,
           expiry: Time.now + 2.weeks
         }
+
         @user.save!
 
         redirect_to generate_url(@user.confirm_success_url, {

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -11,18 +11,27 @@ module DeviseTokenAuth
       @resource.uid        = resource_params[:email]
       @resource.provider   = "email"
 
-      if @resource.save
-        render json: {
-          status: 'success',
-          data:   @resource.as_json
-        }
-      else
+      begin
+        if @resource.save
+          render json: {
+            status: 'success',
+            data:   @resource.as_json
+          }
+        else
+          clean_up_passwords @resource
+          render json: {
+            status: 'error',
+            data:   @resource,
+            errors: ["An account already exists for #{@resource.email}"]
+          }, status: 403
+        end
+      rescue ActiveRecord::RecordNotUnique
         clean_up_passwords @resource
-        render status: 403, json: {
+        render json: {
           status: 'error',
-          data:   @resource.as_json,
-          errors: @resource.errors.full_messages
-        }
+          data:   @resource,
+          errors: ["An account already exists for #{@resource.email}"]
+        }, status: 403
       end
     end
 

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -8,17 +8,9 @@ module DeviseTokenAuth
     respond_to :json
 
     def create
-      resource = User.find_by_email(resource_params[:email])
-
-      unless resource and valid_params? and resource.valid_password?(params[:password])
-        render json: {
-          success: false,
-          errors: ["Invalid login credentials. Please try again."]
-        }, status: 401
-
-      else
-        @user = resource
+      @user = User.find_by_email(resource_params[:email])
 
+      if @user and valid_params? and @user.valid_password?(resource_params[:password]) and @user.confirmed?
         # create client id
         @client_id = SecureRandom.urlsafe_base64(nil, false)
         @token     = SecureRandom.urlsafe_base64(nil, false)
@@ -31,8 +23,24 @@ module DeviseTokenAuth
 
         render json: {
           success: true,
-          data: resource.as_json
+          data: @user.as_json
         }
+
+      elsif @user and not @user.confirmed?
+        render json: {
+          success: false,
+          errors: [
+            "A confirmation email was sent to your account at #{@user.email}. "+
+            "You must follow the instructions in the email before your account "+
+            "can be activated"
+          ]
+        }, status: 401
+
+      else
+        render json: {
+          success: false,
+          errors: ["Invalid login credentials. Please try again."]
+        }, status: 401
       end
     end
 
@@ -45,7 +53,7 @@ module DeviseTokenAuth
     end
 
     def valid_params?
-      params[:password] && params[:email]
+      resource_params[:password] && resource_params[:email]
     end
 
     def resource_params

data/app/models/user.rb

@@ -9,6 +9,7 @@ class User < ActiveRecord::Base
 
   # only validate unique emails among email registration users
   validates_uniqueness_of :email, conditions: -> { where(provider: 'email') }
+  validates_presence_of :confirm_success_url
 
   def valid_token?(client_id, token)
     return false unless self.tokens[client_id]['expiry'] > 2.weeks.ago

data/lib/devise_token_auth/version.rb

@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.13"
+  VERSION = "0.1.14"
 end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -0,0 +1,53 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
+  describe DeviseTokenAuth::ConfirmationsController, "Confirmation" do
+    fixtures :users
+
+    before do
+      @new_user = users(:unconfirmed_email_user)
+      @new_user.send_confirmation_instructions
+      @mail  = ActionMailer::Base.deliveries.last
+      @token = @mail.body.match(/confirmation_token=(.*)\"/)[1]
+    end
+
+    test 'should generate raw token' do
+      assert @token
+    end
+
+    test "should store token hash in user" do
+      assert @new_user.confirmation_token
+    end
+
+    describe "success" do
+      before do
+        xhr :get, :show, {confirmation_token: @token}
+        @user = assigns(:user)
+      end
+
+      test "user should now be confirmed" do
+        assert @user.confirmed?
+      end
+
+      test "should redirect to success url" do
+        assert_redirected_to(/^#{@user.confirm_success_url}/)
+      end
+    end
+
+    describe "failure" do
+      test "user should not be confirmed" do
+        assert_raises(ActionController::RoutingError) {
+          xhr :get, :show, {confirmation_token: "bogus"}
+        }
+        @user = assigns(:user)
+        refute @user.confirmed?
+      end
+    end
+  end
+end