devise_token_auth 0.1.28.beta6 → 0.1.28.beta7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ccede2e6459d83a37149b44ca415539e272f8281
-  data.tar.gz: 42832f0c9d06fec5a801692fef0295894990ca7d
+  metadata.gz: 10be5a0682b4707bdc008fb2962bee2e00b79ad9
+  data.tar.gz: 72f1c4e5ef9007b9a547cc8473ffe1f6bf0b227d
 SHA512:
-  metadata.gz: 17fd41de34801ae46b9065f8bff43c3195f7f8d8383eb04a187bbae210f5cedf1a296cadbb0c49ef66bb5a87c498258e0314d86e106d42acdd6b300ff84d365e
-  data.tar.gz: 9919f37387990dcd43525a6bdd8436245195c18e51c0deebd60d0e1418370240f70bc9df222f7bd771174d9d0e56da401361306db35553f15175761992fd4437
+  metadata.gz: ca0fcd9e0b3ce18849b28aae0536ca97ba5652f0ba5612e0cb28ab2fba4cc208b7a01db1c2d581898af0e395453349da6732b98523237465d980a38208514784
+  data.tar.gz: 0f2fe4f15ae311eb5d31aeb89805650f3f2114d045a085b8f1ee69040f20f4436f90eb72cb0d326ab42f5dc0e489f86c3d00a7a2caf8a465e4cc26b1c96af18e

data/README.md

@@ -288,48 +288,67 @@ The authentication routes must be mounted to your project. This gem includes a r
 mount_devise_token_auth_for 'User', at: '/auth'
 ~~~
 
-Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::SetUserByToken`](#model-concerns) for authentication to work properly.
+Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly.
 
 You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module.
 
 
-## Controller Concerns
+## Controller Methods
 
-##### DeviseTokenAuth::Concerns::SetUserByToken
+### Concerns
 
-This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. This concern can be used in controllers to identify users by their authentication headers.
-
-This concern runs a [before_action](http://guides.rubyonrails.org/action_controller_overview.html#filters), setting the `@user` variable for use in your controllers. The user will be signed in via devise for the duration of the request.
+This gem includes a [Rails concern](http://api.rubyonrails.org/classes/ActiveSupport/Concern.html) called `DeviseTokenAuth::Concerns::SetUserByToken`. Include this concern to provide access to [controller methods](#controller-methods) such as [`authenticate_user!`](#authenticate-user), [`user_signed_in?`](#user-signed-in), etc.
 
 The concern also runs an [after_action](http://guides.rubyonrails.org/action_controller_overview.html#filters) that changes the auth token after each request.
 
 It is recommended to include the concern in your base `ApplicationController` so that all children of that controller include the concern as well.
 
+##### Concern example:
+
 ~~~ruby
 # app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
   include DeviseTokenAuth::Concerns::SetUserByToken
 end
+~~~
+
+### Methods
+
+This gem provides access to all of the following [devise helpers](https://github.com/plataformatec/devise#controller-filters-and-helpers):
+
+| Method | Description |
+|---|---|
+| **`before_action :authenticate_user!`** | Returns a 401 error unless a `User` is signed-in. |
+| **`current_user`** | Returns the currently signed-in `User`, or `nil` if unavailable. |
+| **`user_signed_in?`** | Returns `true` if a `User` is signed in, otherwise `false`. |
+| **`devise_token_auth_group`** | Operate on multiple user classes as a group. [Read more](#group-access) |
 
+Note that if the model that you're trying to access isn't called `User`, the helper method names will change. For example, if the user model is called `Admin`, the methods would look like this:
+
+* `before_action :authenticate_admin!`
+* `admin_signed_in?`
+* `current_admin`
+
+
+##### Example: limit access to authenticated users
+~~~ruby
 # app/controllers/test_controller.rb
 class TestController < ApplicationController
+  before_action :authenticate_user!
+  
   def members_only
-    if @user
-      render json: {
-        data: {
-          message: "Welcome #{@user.name}",
-          user: @user
-        }
-      }, status: 200
-    else
-      render json: {
-        errors: ["Authorized users only."]
-      }, status: 401
-    end
+    render json: {
+      data: {
+        message: "Welcome #{current_user.name}",
+        user: current_user
+      }
+    }, status: 200
   end
 end
 ~~~
 
+### Token Header Format
+
 The authentication information should be included by the client in the headers of each request. The headers follow the [RFC 6750 Bearer Token](http://tools.ietf.org/html/rfc6750) format:
 
 ##### Authentication headers example:
@@ -354,11 +373,11 @@ The authentication headers required for each request will be available in the re
 
 ## Model Concerns
 
-##### DeviseTokenAuth::Concerns::SetUserByToken
+##### DeviseTokenAuth::Concerns::User
 
 Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-concerns) described above.
 
-Models that include the `DeviseTokenAuth::Concerns::SetUserByToken` concern will have access to the following public methods (read the above section for context on `token` and `client`):
+Models that include the `DeviseTokenAuth::Concerns::User` concern will have access to the following public methods (read the above section for context on `token` and `client`):
 
 * **`valid_token?`**: check if an authentication token is valid. Accepts a `token` and `client` as arguments. Returns a boolean.
 
@@ -408,6 +427,8 @@ Models that include the `DeviseTokenAuth::Concerns::SetUserByToken` concern will
 
 ## Using multiple models
 
+### [View Live Multi-User Demo](http://ng-token-auth-demo.herokuapp.com/multi-user)
+
 This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app:
 
 1. Run the install generator for the new model.
@@ -442,6 +463,40 @@ This gem supports the use of multiple user models. One possible use case is to a
     end
   end
   ~~~
+  
+1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods):
+  * `before_action: :authenticate_admin!`
+  * `current_admin`
+  * `admin_signed_in?`
+
+
+### Group access
+
+It is also possible to control access to multiple user types at the same time using groups. The following example shows how to limit controller access to both `User` and `Admin` users.
+
+##### Example: group authentication
+
+~~~ruby
+class DemoGroupController < ApplicationController
+  devise_token_auth_group :member, contains: [:user, :admin]
+  before_action :authenticate_member!
+  
+  def members_only
+    render json: {
+      data: {
+        message: "Welcome #{current_member.name}",
+        user: current_member
+      }
+    }, status: 200
+  end
+end
+~~~
+
+In the above example, the following methods will be available (in addition to `current_user`, `current_admin`, etc.):
+
+  * `before_action: :authenticate_member!`
+  * `current_member`
+  * `member_signed_in?`
 
 # Conceptual
 

data/app/controllers/devise_token_auth/application_controller.rb

@@ -1,5 +1,17 @@
 module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
+    respond_to :json
+
+
+    def resource_class(m=nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
   end
 end

data/app/controllers/devise_token_auth/auth_controller.rb

@@ -1,8 +1,8 @@
 module DeviseTokenAuth
   class AuthController < DeviseTokenAuth::ApplicationController
-    respond_to :json
     skip_after_filter :update_auth_header, :only => [:omniauth_success, :omniauth_failure]
     skip_before_filter :assert_is_devise_resource!, :only => [:validate_token]
+    before_filter :set_user_by_token, :only => [:validate_token]
 
     def validate_token
       # @user will have been set by set_user_token concern
@@ -22,7 +22,6 @@ module DeviseTokenAuth
     end
 
     def omniauth_success
-
       # find or create user by provider and provider uid
       @user = resource_name.where({
         uid:      auth_hash['uid'],

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -1,15 +1,21 @@
 module DeviseTokenAuth::Concerns::SetUserByToken
   extend ActiveSupport::Concern
+  include DeviseTokenAuth::Controllers::Helpers
 
   included do
-    before_action :set_user_by_token
     after_action :update_auth_header
   end
 
   # user auth
-  def set_user_by_token
+  def set_user_by_token(mapping=nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
     # no default user defined
-    return false unless resource_class
+    return unless rc
+
+    # user has already been found and authenticated
+    return @user if @user and @user.class == rc
 
     # parse header for values necessary for authentication
     uid        = request.headers['uid']
@@ -22,17 +28,19 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @client_id ||= 'default'
 
     # mitigate timing attacks by finding by uid instead of auth token
-    @user = @current_user = uid && resource_class.find_by_uid(uid)
+    user = uid && rc.find_by_uid(uid)
 
-    if @user && @user.valid_token?(@token, @client_id)
-      sign_in(:user, @user, store: false, bypass: true)
+    if user && user.valid_token?(@token, @client_id)
+      sign_in(:user, user, store: false, bypass: true)
 
       # check this now so that the duration of the request itself doesn't eat
       # away the buffer
-      @is_batch_request = is_batch_request?(@user, @client_id)
+      @is_batch_request = is_batch_request?(user, @client_id)
+
+      return @user = user
     else
       # zero all values previously set values
-      @user = @current_user = @is_batch_request = nil
+      return @user = @is_batch_request = nil
     end
   end
 
@@ -59,13 +67,21 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
   end
 
-  def resource_class
-    mapping = request.env['devise.mapping'] || Devise.mappings.values.first
+
+  def resource_class(m=nil)
+    if m
+      mapping = Devise.mappings[m]
+    else
+      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+    end
+
     mapping.to
   end
 
+
   private
 
+
   def is_batch_request?(user, client_id)
     user.tokens[client_id] and
     user.tokens[client_id]['updated_at'] and

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -1,7 +1,5 @@
 module DeviseTokenAuth
-  class ConfirmationsController < Devise::ConfirmationsController
-    include Devise::Controllers::Helpers
-
+  class ConfirmationsController < DeviseTokenAuth::ApplicationController
     def show
       @user = resource_class.confirm_by_token(params[:confirmation_token])
 

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -1,10 +1,6 @@
 module DeviseTokenAuth
-  class PasswordsController < Devise::PasswordsController
-    include Devise::Controllers::Helpers
-    include DeviseTokenAuth::Concerns::SetUserByToken
-
-    skip_before_filter :require_no_authentication
-    skip_before_filter :set_user_by_token, :only => [:create, :edit]
+  class PasswordsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:update]
     skip_after_filter :update_auth_header, :only => [:create, :edit]
 
     # this action is responsible for generating password reset tokens and
@@ -17,7 +13,7 @@ module DeviseTokenAuth
         }, status: 401
       end
 
-      unless resource_params[:redirect_url]
+      unless params[:redirect_url]
         return render json: {
           success: false,
           errors: ['Missing redirect url.']
@@ -32,13 +28,11 @@ module DeviseTokenAuth
       errors = nil
 
       if @user
-        @user.update_attributes({
-          reset_password_redirect_url: resource_params[:redirect_url]
-        })
-
-        @user = resource_class.send_reset_password_instructions({
+        @user.send_reset_password_instructions({
           email: resource_params[:email],
-          provider: 'email'
+          provider: 'email',
+          redirect_url: params[:redirect_url],
+          client_config: params[:config_name]
         })
 
         if @user.errors.empty?
@@ -80,11 +74,12 @@ module DeviseTokenAuth
           expiry: expiry
         }
 
+        # ensure that user is confirmed
         @user.skip_confirmation! unless @user.confirmed_at
 
         @user.save!
 
-        redirect_to(@user.build_auth_url(resource_params[:redirect_url], {
+        redirect_to(@user.build_auth_url(params[:redirect_url], {
           token:          token,
           client_id:      client_id,
           reset_password: true
@@ -141,7 +136,8 @@ module DeviseTokenAuth
     end
 
     def resource_params
-      params.permit(:email, :password, :password_confirmation, :reset_password_token, :redirect_url)
+      params.permit(:email, :password, :password_confirmation, :reset_password_token)
     end
+
   end
 end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -1,14 +1,6 @@
 module DeviseTokenAuth
-  class RegistrationsController < Devise::RegistrationsController
-    include Devise::Controllers::Helpers
-    include DeviseTokenAuth::Concerns::SetUserByToken
-
-    #prepend_before_filter :require_no_authentication, :only => [ :create, :destroy, :update ]
-    skip_before_filter :require_no_authentication
-    before_action :configure_devise_token_auth_permitted_parameters
-
-    skip_before_filter :set_user_by_token, :only => [:create]
-    skip_before_filter :authenticate_scope!, :only => [:destroy, :update]
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:destroy, :update]
     skip_after_filter :update_auth_header, :only => [:create, :destroy]
 
     respond_to :json
@@ -18,8 +10,22 @@ module DeviseTokenAuth
       @resource.uid        = sign_up_params[:email]
       @resource.provider   = "email"
 
+      # success redirect url is required
+      unless params[:confirm_success_url]
+        return render json: {
+          status: 'error',
+          data:   @resource,
+          errors: ["Missing `confirm_success_url` param."]
+        }, status: 403
+      end
+
       begin
         if @resource.save
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: params[:confirm_success_url]
+          })
+
           render json: {
             status: 'success',
             data:   @resource.as_json
@@ -86,9 +92,5 @@ module DeviseTokenAuth
     def account_update_params
       params.permit(devise_parameter_sanitizer.for(:account_update))
     end
-
-    def configure_devise_token_auth_permitted_parameters
-      devise_parameter_sanitizer.for(:sign_up) << :confirm_success_url
-    end
   end
 end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -1,11 +1,7 @@
 # see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
 module DeviseTokenAuth
-  class SessionsController < Devise::SessionsController
-    skip_before_filter :require_no_authentication
-    skip_before_filter :verify_signed_out_user, only: :destroy
-
-    include Devise::Controllers::Helpers
-    include DeviseTokenAuth::Concerns::SetUserByToken
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:destroy]
 
     def create
       @user = resource_class.find_by_email(resource_params[:email])

data/app/models/devise_token_auth/concerns/user.rb

@@ -11,7 +11,6 @@ module DeviseTokenAuth::Concerns::User
     serialize :tokens, JSON
 
     validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' }
-    validates_presence_of :confirm_success_url, if: Proc.new {|u| u.provider == 'email'}
 
     # only validate unique emails among email registration users
     validate :unique_email_user, on: :create
@@ -20,6 +19,7 @@ module DeviseTokenAuth::Concerns::User
     after_save :set_empty_token_hash
     after_initialize :set_empty_token_hash
 
+
     # don't use default devise email validation
     def email_required?
       false
@@ -28,9 +28,50 @@ module DeviseTokenAuth::Concerns::User
     def email_changed?
       false
     end
+
+
+    # override devise method to include additional info as opts hash
+    def send_confirmation_instructions(opts=nil)
+      unless @raw_confirmation_token
+        generate_confirmation_token!
+      end
+
+      opts ||= {}
+
+      # fall back to "default" config name
+      opts[:client_config] ||= "default"
+
+      if pending_reconfirmation?
+        opts[:to] = unconfirmed_email
+      end
+
+      send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+    end
+
+
+    # override devise method to include additional info as opts hash
+    def send_reset_password_instructions(opts=nil)
+      token = set_reset_password_token
+
+      opts ||= {}
+
+      # fall back to "default" config name
+      opts[:client_config] ||= "default"
+
+      if pending_reconfirmation?
+        opts[:to] = unconfirmed_email
+      else
+        opts[:to] = email
+      end
+
+      send_devise_notification(:reset_password_instructions, token, opts)
+
+      token
+    end
   end
 
 
+
   def valid_token?(token, client_id='default')
     client_id ||= 'default'
 
@@ -44,6 +85,13 @@ module DeviseTokenAuth::Concerns::User
   end
 
 
+  # this must be done from the controller so that additional params
+  # can be passed on from the client
+  def send_confirmation_notification?
+    false
+  end
+
+
   def token_is_current?(token, client_id)
     return true if (
       # ensure that expiry and token are set