devise_token_auth 0.1.18 → 0.1.19.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f24edb4af4fee31bc5c77072b92812bbe0cb2129
-  data.tar.gz: ea93c5bf5a750cd737eb52fac07f4b9226ecc31a
+  metadata.gz: 083650c6db3ad913ee66ea89099e0e2d96329750
+  data.tar.gz: ad8d32dbeae4612f739df26ad4f13e23c740faf5
 SHA512:
-  metadata.gz: b7826b9eb84c15688f007dabc52ed76c8e430d821db75417ce92e79724f4ac06195c7da28932b775143a4638be93505cc7d6211055e5180ee01f79a177b6f75c
-  data.tar.gz: c34c3a6378dd57ac8d0cb715fcbbd4ec4a44cf8385b8856b31c470603023221d6ba77941791b46b58d9a6515309c528310c662d3522a6dcd8b723f6731b63f05
+  metadata.gz: dd7d2c7bb0dc38c4eecd86c5a61131d44a17359146ec6bfcf114edccc815de1130a747f9b4730b4aeac1e54287fffb3cc7b0f8ea33a738d87b84644394f0f24f
+  data.tar.gz: dc2c50e3798e379b1d184f509d82820b32259d5d1f94e7ec2b7b8a33b5e0a3ded0dd86150cf6b435cd289b03a002a18bf0dff724a59439f8c1614e7d1b3e3513

data/README.md

@@ -162,12 +162,15 @@ The following routes are available for use by your client. These routes live rel
 
 | path | method | purpose |
 |:-----|:-------|:--------|
-| /    | POST   | email registration. accepts **email**, **password**, and **password_confirmation** params. |
-| /sign_in | POST | email authentication. accepts **email** and **password** as params. |
+| /    | POST   | email registration. accepts **`email`**, **`password`**, and **`password_confirmation`** params. |
+| /sign_in | POST | email authentication. accepts **`email`** and **`password`** as params. |
 | /sign_out | DELETE | invalidate tokens (end session) |
 | /:provider | GET | set this route as the destination for client authentication. ideally this will happen in an external window or popup. |
 | /:provider/callback | GET/POST | destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. |
-| /validate_token | POST | use this route to validate tokens on return visits to the client. accepts **uid** and **auth_token** as params. these values should correspond to the columns in your `User` table of the same names. |
+| /validate_token | POST | use this route to validate tokens on return visits to the client. accepts **`uid`** and **`auth_token`** as params. these values should correspond to the columns in your `User` table of the same names. |
+| /password | POST | send password email to users that registered by email. accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. |
+| /password | PUT | password change for users that registered by email. accepts **`password`** and **`password_confirmation`** as params. |
+| /password/edit | GET | verify user by password reset token. must contain **`reset_password_token`** and **`redirect_url`** as params. These values will be set automatically by the confirmation email that is generated by the password reset request. |
 
 If you're using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for angular.js, then your client is ready to go.
 
@@ -190,6 +193,9 @@ The `Authorization` header is made up of the following components:
 
 The `Authorization` header required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js, this functionality is already provided.
 
+## Handling batch requests
+
+Sometimes it's necessary to send several concurrent requests to the API. In these cases, the concurrent requests will need to share the same auth token (tokens are usually changed after each request). [Read here](https://github.com/lynndylanhurley/ng-token-auth#about-batch-requests) for an overview on how this gem deals with batch requests.
 
 ## The `User` model
 

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -40,18 +40,21 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
 
   def update_auth_header
+    # cannot save object if model has invalid params
+    return unless @user and @user.valid? and @client_id
 
     auth_header = nil
+
     if not DeviseTokenAuth.change_headers_on_each_request
       auth_header = @user.build_auth_header(@token, @client_id)
 
     # extend expiration of batch buffer to account for the duration of
     # this request
-    elsif @is_batch_request and @client_id and @user
+    elsif @is_batch_request
       auth_header = @user.extend_batch_buffer(@token, @client_id)
 
     # update Authorization response header with new token
-    elsif @user and @client_id
+    else
       auth_header = @user.create_new_auth_token(@client_id)
     end
 

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -5,32 +5,27 @@ module DeviseTokenAuth
     def show
       @user = User.confirm_by_token(params[:confirmation_token])
 
-      if @user.id
+      if @user and @user.id
         # create client id
         client_id  = SecureRandom.urlsafe_base64(nil, false)
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
+        expiry     = Time.now + DeviseTokenAuth.token_lifespan
+
         @user.tokens[client_id] = {
           token:  token_hash,
-          expiry: Time.now + DeviseTokenAuth.token_lifespan
+          expiry: expiry
         }
 
         @user.save!
 
-        redirect_to generate_url(@user.confirm_success_url, {
+        redirect_to(@user.build_auth_url(@user.confirm_success_url, {
           token:     token,
-          client_id: client_id,
-          uid:       @user.uid
-        })
+          client_id: client_id
+        }))
       else
         raise ActionController::RoutingError.new('Not Found')
       end
     end
-
-    def generate_url(url, params = {})
-      uri = URI(url)
-      uri.query = params.to_query
-      uri.to_s
-    end
   end
 end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -1,53 +1,141 @@
 module DeviseTokenAuth
   class PasswordsController < Devise::PasswordsController
     include Devise::Controllers::Helpers
+    include DeviseTokenAuth::Concerns::SetUserByToken
 
+    skip_before_filter :set_user_by_token, :only => [:create, :edit]
+    skip_after_filter :update_auth_header, :only => [:create, :edit]
+
+    # this action is responsible for generating password reset tokens and
+    # sending emails
     def create
-      self.resource = resource_class.send_reset_password_instructions(resource_params)
-      yield resource if block_given?
+      unless resource_params[:email]
+        return render json: {
+          success: false,
+          errors: ['You must provide an email address.']
+        }, status: 401
+      end
+
+      unless resource_params[:redirect_url]
+        return render json: {
+          success: false,
+          errors: ['Missing redirect url.']
+        }, status: 401
+      end
 
-      throw "Not implemented"
+      @user = User.where({
+        email: resource_params[:email],
+        provider: 'email'
+      }).first
 
-      if resource.errors.empty?
-        render json: {
-          success: true 
-        }
+      errors = nil
+
+      if @user
+        @user.update_attributes({
+          reset_password_redirect_url: resource_params[:redirect_url]
+        })
+
+        @user = User.send_reset_password_instructions({
+          email: resource_params[:email],
+          provider: 'email'
+        })
+
+        if @user.errors.empty?
+          render json: {
+            success: true,
+            message: "An email has been sent to #{@user.email} containing "+
+              "instructions for resetting your password."
+          }
+        else
+          errors = @user.errors
+        end
       else
+        errors = ["Unable to find user with email '#{resource_params[:email]}'."]
+      end
+
+      if errors
         render json: {
           success: false,
-          errors: ["Something went wrong. Please contact support@healthbox.com."]
-        }, status: 401
+          errors: errors
+        }, status: 400
       end
     end
 
 
+    # this is where users arrive after visiting the email confirmation link
+    def edit
+      @user = User.reset_password_by_token({
+        reset_password_token: resource_params[:reset_password_token]
+      })
+
+      if @user and @user.id
+        client_id  = SecureRandom.urlsafe_base64(nil, false)
+        token      = SecureRandom.urlsafe_base64(nil, false)
+        token_hash = BCrypt::Password.create(token)
+        expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        @user.tokens[client_id] = {
+          token:  token_hash,
+          expiry: expiry
+        }
+
+        @user.save!
+
+        redirect_to(@user.build_auth_url(resource_params[:redirect_url], {
+          token:          token,
+          client_id:      client_id,
+          reset_password: true
+        }))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+
     def update
-      self.resource = resource_class.reset_password_by_token(resource_params)
-      yield resource if block_given?
+      # make sure user is authorized
+      unless @user
+        return render json: {
+          success: false,
+          errors: ['Unauthorized']
+        }, status: 401
+      end
 
-      throw "Not implemented"
+      # make sure account doesn't use oauth2 provider
+      unless @user.provider == 'email'
+        return render json: {
+          success: false,
+          errors: ["This account does not require a password. Sign in using "+
+                   "your #{@user.provider.humanize} account instead."]
+        }, status: 422
+      end
 
-      if resource.errors.empty?
-        resource.unlock_access! if unlockable?(resource)
+      # ensure that password params were sent
+      unless resource_params[:password] and resource_params[:password_confirmation]
+        return render json: {
+          success: false,
+          errors: ['You must fill out the fields labeled "password" and "password confirmation".']
+        }, status: 422
+      end
 
-        render json: {
+      if @user.update_attributes(resource_params)
+        return render json: {
           success: true,
           data: {
-            user: self.resource
+            user: @user,
+            message: "Your password has been successfully updated."
           }
         }
       else
-        render json: {
+        return render json: {
           success: false,
-          errors: ["Something went wrong. Please contact support@healthbox.com."]
-        }, status: 401
+          errors: @user.errors
+        }, status: 422
       end
     end
 
 
     def resource_params
-      params.permit(:email, :password, :password_confirmation, :reset_password_token)
+      params.permit(:email, :password, :password_confirmation, :reset_password_token, :redirect_url)
     end
-
   end
 end

data/app/models/user.rb

@@ -82,6 +82,21 @@ class User < ActiveRecord::Base
   end
 
 
+  def build_auth_url(base_url, args)
+    args[:uid]    = self.uid
+    args[:expiry] = self.tokens[args[:client_id]]['expiry']
+
+    generate_url(base_url, args)
+  end
+
+
+  def generate_url(url, params = {})
+    uri = URI(url)
+    uri.query = params.to_query
+    uri.to_s
+  end
+
+
   def extend_batch_buffer(token, client_id)
     self.tokens[client_id]['updated_at'] = Time.now
     self.save!

data/app/views/{confirmable → devise}/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
-<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token) %></p>
+<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, redirect_url: @resource.reset_password_redirect_url) %></p>
 
 <p>If you didn't request this, please ignore this email.</p>
 <p>Your password won't change until you access the link above and create a new one.</p>

data/lib/devise_token_auth/version.rb

@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.18"
+  VERSION = "0.1.19.alpha1"
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb

@@ -8,6 +8,7 @@ class DeviseTokenAuthCreateUsers < ActiveRecord::Migration
       ## Recoverable
       t.string   :reset_password_token
       t.datetime :reset_password_sent_at
+      t.string   :reset_password_redirect_url
 
       ## Rememberable
       t.datetime :remember_created_at

data/test/controllers/demo_controller_test.rb

@@ -19,9 +19,9 @@ class DemoControllerTest < ActionController::TestCase
 
       @auth_header = @user.create_new_auth_token
 
-      @token       = @auth_header[/token=(.*?) /,1]
-      @client_id   = @auth_header[/client=(.*?) /,1]
-      @expiry      = @auth_header[/expiry=(.*?) /,1]
+      @token     = @auth_header[/token=(.*?) /,1]
+      @client_id = @auth_header[/client=(.*?) /,1]
+      @expiry    = @auth_header[/expiry=(.*?) /,1]
     end
 
     describe 'successful request' do

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -0,0 +1,167 @@
+require 'test_helper'
+
+#  was the web request successful?
+#  was the user redirected to the right page?
+#  was the user successfully authenticated?
+#  was the correct object stored in the response?
+#  was the appropriate message delivered in the json payload?
+
+class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
+  describe DeviseTokenAuth::PasswordsController, "Password reset" do
+    fixtures :users
+
+    before do
+      @user = users(:confirmed_email_user)
+      @redirect_url = 'http://ng-token-auth.dev'
+    end
+
+    describe 'request password reset' do
+      before do
+        xhr :post, :create, {
+          email:        @user.email,
+          redirect_url: @redirect_url
+        }
+
+        @mail = ActionMailer::Base.deliveries.last
+        @user.reload
+
+        @mail_reset_token  = @mail.body.match(/reset_password_token=(.*)\"/)[1]
+        @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)&amp;/)[1])
+      end
+
+      test 'response should return success status' do
+        assert_equal 200, response.status
+      end
+
+      test 'action should save password_reset_redirect_url to user table' do
+        assert_equal @redirect_url, @user.reset_password_redirect_url
+      end
+
+      test 'action should send an email' do
+        assert @mail
+      end
+
+      test 'the email should be addressed to the user' do
+        assert_equal @mail.to.first, @user.email
+      end
+
+      test 'the email body should contain a link with redirect url as a query param' do
+        assert_equal @redirect_url, @mail_redirect_url
+      end
+
+      test 'the email body should contain a link with reset token as a query param' do
+        user = User.reset_password_by_token({
+          reset_password_token: @mail_reset_token
+        })
+
+        assert_equal user.id, @user.id
+      end
+
+      describe 'password reset link failure' do
+        test 'request should not be authorized' do
+          assert_raises(ActionController::RoutingError) {
+            xhr :get, :edit, {
+              reset_password_token: 'bogus',
+              redirect_url: @mail_redirect_url
+            }
+          }
+        end
+      end
+
+      describe 'password reset link success' do
+        before do
+          xhr :get, :edit, {
+            reset_password_token: @mail_reset_token,
+            redirect_url: @mail_redirect_url
+          }
+
+          @user.reload
+
+          @uri = URI.parse(response.location)
+          @qs = CGI::parse(@uri.query)
+
+          @client_id      = @qs["client_id"].first
+          @expiry         = @qs["expiry"].first
+          @reset_password = @qs["reset_password"].first
+          @token          = @qs["token"].first
+          @uid            = @qs["uid"].first
+        end
+
+        test 'respones should have success redirect status' do
+          assert_equal 302, response.status
+        end
+
+        test 'response should contain auth params' do
+          assert @client_id
+          assert @expiry
+          assert @reset_password
+          assert @token
+          assert @uid
+        end
+
+        test 'response auth params should be valid' do
+          assert @user.valid_token?(@token, @client_id)
+        end
+      end
+    end
+
+    describe "change password" do
+      describe 'success' do
+        before do
+          @auth_header = @user.create_new_auth_token
+          request.headers['Authorization'] = @auth_header
+          @new_password = Faker::Internet.password
+
+          xhr :put, :update, {
+            password: @new_password,
+            password_confirmation: @new_password
+          }
+
+          @user.reload
+        end
+
+        test "request should be successful" do
+          assert_equal 200, response.status
+        end
+
+        test "new password should authenticate user" do
+          assert @user.valid_password?(@new_password)
+        end
+      end
+
+      describe 'password mismatch error' do
+        before do
+          @auth_header = @user.create_new_auth_token
+          request.headers['Authorization'] = @auth_header
+          @new_password = Faker::Internet.password
+
+          xhr :put, :update, {
+            password: 'chong',
+            password_confirmation: 'bong'
+          }
+        end
+
+        test 'response should fail' do
+          assert_equal 422, response.status
+        end
+      end
+
+      describe 'unauthorized user' do
+        before do
+          @auth_header = @user.create_new_auth_token
+          @new_password = Faker::Internet.password
+
+          xhr :put, :update, {
+            password: @new_password,
+            password_confirmation: @new_password
+          }
+        end
+
+        test 'response should fail' do
+          assert_equal 401, response.status
+        end
+      end
+    end
+  end
+end
+