devise_token_auth 0.1.30.beta3 → 0.1.30.beta4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 13686bc403d2df30bb7f32a8a3f50567a15e5658
-  data.tar.gz: 906522d0eba251932decb2a3be1de864192e8c7b
+  metadata.gz: b53b78fa871bf37ca5f3b9b0bf81b51a811eaa61
+  data.tar.gz: e5c001234e39914f312c192362f4430747dc6f5d
 SHA512:
-  metadata.gz: f438a0e7396a3947d37bbf770603e58f88a108c61c9aa68cf88bcf0509e59cc66250d9f89c9cdc629522c5f24b6112365dd9adb9bd8a974902293bc2cf3105eb
-  data.tar.gz: d8fa0d4141795cc03be332d8e90ed79c267e4d2479c84307ff7213dbe448820ab59038f81a749a745c1b4e757a31e0f4c2c68eb2931655e3a43f65b10dc00015
+  metadata.gz: c02997a4d6df1d85cad79c559931f19e3b1222ecd175e4cac7b0c9ecc1156de1a02630c48a2167429df2c42e028842d99ca1754a100c21d229c29c8e2003c4ab
+  data.tar.gz: 738bb86d30c28f52d6b591a62629e3cf621fa4af2b4ce520d727b0faf2d9ec3620c04768d7c191ffd513038e3019f007d1a2c6a15bdce8954b05e5aa068f82e2

data/README.md

@@ -666,9 +666,23 @@ But the most important step is to use HTTPS. You are on the hook for that.
 
 
 # Contributing
-Just send a pull request. I will grant you commit access if you send quality pull requests.
 
-Guidelines will be posted if the need arises.
+1. Create a feature branch with your changes.
+2. Write some test cases.
+3. Make all the tests pass.
+4. Issue a pull request.
+
+I will grant you commit access if you send quality pull requests.
+
+To run the test suite do the following:
+
+1. Clone this repo
+2. Run `bundle install`
+3. Run `rake db:migrate`
+4. Run `RAILS_ENV=test rake db:migrate`
+5. Run `guard`.
+
+The last command will open the [guard](https://github.com/guard/guard) test-runner. Guard will re-run each test suite when changes are made to its corresponding files.
 
 # License
 This project uses the WTFPL

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -22,7 +22,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     return unless rc
 
     # user has already been found and authenticated
-    return @user if @user and @user.class == rc
+    return @resource if @resource and @resource.class == rc
 
     # parse header for values necessary for authentication
     uid        = request.headers['uid']
@@ -39,10 +39,10 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     if user && user.valid_token?(@token, @client_id)
       sign_in(:user, user, store: false, bypass: true)
-      return @user = user
+      return @resource = user
     else
       # zero all values previously set values
-      return @user = nil
+      return @resource = nil
     end
   end
 
@@ -50,20 +50,20 @@ module DeviseTokenAuth::Concerns::SetUserByToken
   def update_auth_header
 
     # cannot save object if model has invalid params
-    return unless @user and @user.valid? and @client_id
+    return unless @resource and @resource.valid? and @client_id
 
     # Lock the user record during any auth_header updates to ensure
     # we don't have write contention from multiple threads
-    @user.with_lock do
+    @resource.with_lock do
 
       # determine batch request status after request processing, in case
       # another processes has updated it during that processing
-      @is_batch_request = is_batch_request?(@user, @client_id)
+      @is_batch_request = is_batch_request?(@resource, @client_id)
 
       auth_header = {}
 
       if not DeviseTokenAuth.change_headers_on_each_request
-        auth_header = @user.build_auth_header(@token, @client_id)
+        auth_header = @resource.build_auth_header(@token, @client_id)
 
         # update the response header
         response.headers.merge!(auth_header)
@@ -71,11 +71,11 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # extend expiration of batch buffer to account for the duration of
       # this request
       elsif @is_batch_request
-        auth_header = @user.extend_batch_buffer(@token, @client_id)
+        auth_header = @resource.extend_batch_buffer(@token, @client_id)
 
       # update Authorization response header with new token
       else
-        auth_header = @user.create_new_auth_token(@client_id)
+        auth_header = @resource.create_new_auth_token(@client_id)
 
         # update the response header
         response.headers.merge!(auth_header)

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -1,23 +1,23 @@
 module DeviseTokenAuth
   class ConfirmationsController < DeviseTokenAuth::ApplicationController
     def show
-      @user = resource_class.confirm_by_token(params[:confirmation_token])
+      @resource = resource_class.confirm_by_token(params[:confirmation_token])
 
-      if @user and @user.id
+      if @resource and @resource.id
         # create client id
         client_id  = SecureRandom.urlsafe_base64(nil, false)
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
         expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
 
-        @user.tokens[client_id] = {
+        @resource.tokens[client_id] = {
           token:  token_hash,
           expiry: expiry
         }
 
-        @user.save!
+        @resource.save!
 
-        redirect_to(@user.build_auth_url(params[:redirect_url], {
+        redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:                        token,
           client_id:                    client_id,
           account_confirmation_success: true,

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -20,7 +20,7 @@ module DeviseTokenAuth
 
     def omniauth_success
       # find or create user by provider and provider uid
-      @user = resource_class.where({
+      @resource = resource_class.where({
         uid:      auth_hash['uid'],
         provider: auth_hash['provider']
       }).first_or_initialize
@@ -33,34 +33,34 @@ module DeviseTokenAuth
       @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], {
         token:     @token,
         client_id: @client_id,
-        uid:       @user.uid,
+        uid:       @resource.uid,
         expiry:    @expiry
       })
 
       # set crazy password for new oauth users. this is only used to prevent
       # access via email sign-in.
-      unless @user.id
+      unless @resource.id
         p = SecureRandom.urlsafe_base64(nil, false)
-        @user.password = p
-        @user.password_confirmation = p
+        @resource.password = p
+        @resource.password_confirmation = p
       end
 
-      @user.tokens[@client_id] = {
+      @resource.tokens[@client_id] = {
         token: BCrypt::Password.create(@token),
         expiry: @expiry
       }
 
       # sync user info with provider, update/generate auth token
-      assign_provider_attrs(@user, auth_hash)
+      assign_provider_attrs(@resource, auth_hash)
 
       # assign any additional (whitelisted) attributes
       extra_params = whitelisted_params
-      @user.assign_attributes(extra_params) if extra_params
+      @resource.assign_attributes(extra_params) if extra_params
 
       # don't send confirmation email!!!
-      @user.skip_confirmation!
+      @resource.skip_confirmation!
 
-      @user.save!
+      @resource.save!
 
       # render user info to javascript postMessage communication window
       respond_to do |format|

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -20,32 +20,43 @@ module DeviseTokenAuth
         }, status: 401
       end
 
-      @user = resource_class.where({
-        email: resource_params[:email],
-        provider: 'email'
-      }).first
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        email = resource_params[:email].downcase
+      else
+        email = resource_params[:email]
+      end
+
+      q = "uid='#{email}' AND provider='email'"
+
+      # fix for mysql default case insensitivity
+      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+        q = "BINARY uid='#{email}' AND provider='email'"
+      end
+
+      @resource = resource_class.where(q).first
 
       errors = nil
 
-      if @user
-        @user.send_reset_password_instructions({
-          email: resource_params[:email],
+      if @resource
+        @resource.send_reset_password_instructions({
+          email: email,
           provider: 'email',
           redirect_url: params[:redirect_url],
           client_config: params[:config_name]
         })
 
-        if @user.errors.empty?
+        if @resource.errors.empty?
           render json: {
             success: true,
-            message: "An email has been sent to #{@user.email} containing "+
+            message: "An email has been sent to #{email} containing "+
               "instructions for resetting your password."
           }
         else
-          errors = @user.errors
+          errors = @resource.errors
         end
       else
-        errors = ["Unable to find user with email '#{resource_params[:email]}'."]
+        errors = ["Unable to find user with email '#{email}'."]
       end
 
       if errors
@@ -59,27 +70,27 @@ module DeviseTokenAuth
 
     # this is where users arrive after visiting the email confirmation link
     def edit
-      @user = resource_class.reset_password_by_token({
+      @resource = resource_class.reset_password_by_token({
         reset_password_token: resource_params[:reset_password_token]
       })
 
-      if @user and @user.id
+      if @resource and @resource.id
         client_id  = SecureRandom.urlsafe_base64(nil, false)
         token      = SecureRandom.urlsafe_base64(nil, false)
         token_hash = BCrypt::Password.create(token)
         expiry     = (Time.now + DeviseTokenAuth.token_lifespan).to_i
 
-        @user.tokens[client_id] = {
+        @resource.tokens[client_id] = {
           token:  token_hash,
           expiry: expiry
         }
 
         # ensure that user is confirmed
-        @user.skip_confirmation! unless @user.confirmed_at
+        @resource.skip_confirmation! unless @resource.confirmed_at
 
-        @user.save!
+        @resource.save!
 
-        redirect_to(@user.build_auth_url(params[:redirect_url], {
+        redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:          token,
           client_id:      client_id,
           reset_password: true,
@@ -92,7 +103,7 @@ module DeviseTokenAuth
 
     def update
       # make sure user is authorized
-      unless @user
+      unless @resource
         return render json: {
           success: false,
           errors: ['Unauthorized']
@@ -100,11 +111,11 @@ module DeviseTokenAuth
       end
 
       # make sure account doesn't use oauth2 provider
-      unless @user.provider == 'email'
+      unless @resource.provider == 'email'
         return render json: {
           success: false,
           errors: ["This account does not require a password. Sign in using "+
-                   "your #{@user.provider.humanize} account instead."]
+                   "your #{@resource.provider.humanize} account instead."]
         }, status: 422
       end
 
@@ -116,18 +127,18 @@ module DeviseTokenAuth
         }, status: 422
       end
 
-      if @user.update_attributes(password_resource_params)
+      if @resource.update_attributes(password_resource_params)
         return render json: {
           success: true,
           data: {
-            user: @user,
+            user: @resource,
             message: "Your password has been successfully updated."
           }
         }
       else
         return render json: {
           success: false,
-          errors: @user.errors
+          errors: @resource.errors
         }, status: 422
       end
     end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -21,7 +21,7 @@ module DeviseTokenAuth
 
       begin
         # override email confirmation, must be sent manually from ctrl
-        User.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+        resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)
         if @resource.save
 
           unless @resource.confirmed?
@@ -33,16 +33,15 @@ module DeviseTokenAuth
 
           else
             # email auth has been bypassed, authenticate user
-            @user      = @resource
             @client_id = SecureRandom.urlsafe_base64(nil, false)
             @token     = SecureRandom.urlsafe_base64(nil, false)
 
-            @user.tokens[@client_id] = {
+            @resource.tokens[@client_id] = {
               token: BCrypt::Password.create(@token),
               expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
             }
 
-            @user.save!
+            @resource.save!
 
             update_auth_header
           end
@@ -70,16 +69,16 @@ module DeviseTokenAuth
     end
 
     def update
-      if @user
-        if @user.update_attributes(account_update_params)
+      if @resource
+        if @resource.update_attributes(account_update_params)
           render json: {
             status: 'success',
-            data:   @user.as_json
+            data:   @resource.as_json
           }
         else
           render json: {
             status: 'error',
-            errors: @user.errors
+            errors: @resource.errors
           }, status: 403
         end
       else
@@ -91,12 +90,12 @@ module DeviseTokenAuth
     end
 
     def destroy
-      if @user
-        @user.destroy
+      if @resource
+        @resource.destroy
 
         render json: {
           status: 'success',
-          message: "Account with uid #{@user.uid} has been destroyed."
+          message: "Account with uid #{@resource.uid} has been destroyed."
         }
       else
         render json: {

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -4,30 +4,45 @@ module DeviseTokenAuth
     before_filter :set_user_by_token, :only => [:destroy]
 
     def create
-      @user = resource_class.find_by_email(resource_params[:email])
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        email = resource_params[:email].downcase
+      else
+        email = resource_params[:email]
+      end
 
-      if @user and valid_params? and @user.valid_password?(resource_params[:password]) and @user.confirmed?
+      q = "uid='#{email}' AND provider='email'"
+
+      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+        q = "BINARY uid='#{email}' AND provider='email'"
+      end
+
+      @resource = resource_class.where(q).first
+
+      if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
         # create client id
         @client_id = SecureRandom.urlsafe_base64(nil, false)
         @token     = SecureRandom.urlsafe_base64(nil, false)
 
-        @user.tokens[@client_id] = {
+        @resource.tokens[@client_id] = {
           token: BCrypt::Password.create(@token),
           expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
         }
-        @user.save
+        @resource.save
+
+        sign_in(:user, @resource, store: false, bypass: false)
 
         render json: {
-          data: @user.as_json(except: [
+          data: @resource.as_json(except: [
             :tokens, :created_at, :updated_at
           ])
         }
 
-      elsif @user and not @user.confirmed?
+      elsif @resource and not @resource.confirmed?
         render json: {
           success: false,
           errors: [
-            "A confirmation email was sent to your account at #{@user.email}. "+
+            "A confirmation email was sent to your account at #{@resource.email}. "+
             "You must follow the instructions in the email before your account "+
             "can be activated"
           ]
@@ -42,7 +57,7 @@ module DeviseTokenAuth
 
     def destroy
       # remove auth instance variables so that after_filter does not run
-      user = remove_instance_variable(:@user) if @user
+      user = remove_instance_variable(:@resource) if @resource
       client_id = remove_instance_variable(:@client_id) if @client_id
       remove_instance_variable(:@token) if @token
 

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -4,11 +4,11 @@ module DeviseTokenAuth
     before_filter :set_user_by_token, :only => [:validate_token]
 
     def validate_token
-      # @user will have been set by set_user_token concern
-      if @user
+      # @resource will have been set by set_user_token concern
+      if @resource
         render json: {
           success: true,
-          data: @user.as_json(except: [
+          data: @resource.as_json(except: [
             :tokens, :created_at, :updated_at
           ])
         }