devise_token_auth 0.1.30 → 0.1.31.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4b05d9b87355ad9ea9b5f30e8b7a807993b34edf
-  data.tar.gz: c1fc92696d137ab898122abdd88384c0381d0596
+  metadata.gz: 437d6254570e8b74952236076f3815f2176ad441
+  data.tar.gz: ec345e6e33582186b6abd59c92629b57fb55cab0
 SHA512:
-  metadata.gz: 58957893c26b676b268ec46e53f2761b79db11a0404dea02396146771013eef2bcc4155a86417d8fd1a0e64bf7d68e123b072c082d96619e7d10f2af5c02f907
-  data.tar.gz: ee5430adf921cbc78e2b2238a7198a17fe9034f58e07c22ba6c1b62e430c90d5b2f848f2123322e93eaf819ca238dc9b88d2a5f9b04fa718fbc9753c718b9e70
+  metadata.gz: 586417ffc4189d2b29d8d93d2ab34c07f7b977ec669e9148a259b53419af6de7d4e68236c3b85398d5d4fbe8851cbde78e124db223b8bffc90ab6b1373ccd32b
+  data.tar.gz: a791f36a4adee4063e41e99cca01956b4882926b410fbcc2357c6b09d21aea09d2fe296c1d4b842f78455e97e175fc3e8be67a27071190f4a2b28872fd021d15

data/README.md

@@ -42,7 +42,7 @@ The fully configured api used in the demo can be found [here](https://github.com
   * [Controller Integration](#controller-concerns)
   * [Model Integration](#model-concerns)
   * [Using Multiple User Classes](#using-multiple-models)
-  * [Skip Confirmation Upon Email Registration](#skip-confirmation-upon-registration)
+  * [Excluding Modules](#excluding-modules)
   * [Custom Controller Overrides](#custom-controller-overrides)
   * [Email Template Overrides](#email-template-overrides)
 * [Conceptual Diagrams](#conceptual)
@@ -507,24 +507,67 @@ In the above example, the following methods will be available (in addition to `c
   * `current_member`
   * `member_signed_in?`
 
-## Skip Confirmation Upon Email Registration
+## Excluding Modules
 
-By default, an email is sent containing a link that the user must visit to activate their account. This measure is in place to ensure that users cannot register other people for accounts.
+By default, almost all of the Devise modules are included:
+* [`database_authenticatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb)
+* [`registerable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/registerable.rb)
+* [`recoverable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb)
+* [`trackable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/trackable.rb)
+* [`validatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb)
+* [`confirmable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb)
+* [`omniauthable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/omniauthable.rb)
 
-To bypass this measure, add `before_create :skip_confirmation!` to your `User` model (or equivalent).
+You may not want all of these features enabled in your app. That's OK! You can customize them to suit your own unique style.
 
-##### Example: bypass email confirmation
+The following example shows how to disable email confirmation.
+
+##### Example: disable email confirmation
+
+Just list the devise modules that you want to include **before** including the `DeviseTokenAuth::Concerns::User` model concern.
 
 ~~~ruby
+# app/models/user.rb
 class User < ActiveRecord::Base
+
+  # notice this comes BEFORE the include statement below
+  # also notice that :confirmable is not included in this block
+  devise :database_authenticatable,
+         :recoverable, :trackable, :validatable,
+         :registerable, :omniauthable
+
+  # note that this include statement comes AFTER the devise block above
   include DeviseTokenAuth::Concerns::User
-  before_create :skip_confirmation!
 end
 ~~~
 
-##### Note for ng-token-auth users:
+Some features include routes that you may not want mounted to your app. The following example shows how to disable OAuth and its routes.
+
+##### Example: disable OAuth authentication
+
+First instruct the model not to include the `omniauthable` module.
+
+~~~ruby
+# app/models/user.rb
+class User < ActiveRecord::Base
+
+  # notice that :omniauthable is not included in this block
+  devise :database_authenticatable, :confirmable,
+         :recoverable, :trackable, :validatable,
+         :registerable, :omniauthable
 
-If this `before_create :skip_confirmation!` callback is in place, the `$auth.submitRegistration` method will both register and authenticate users in a single step.
+  include DeviseTokenAuth::Concerns::User
+end
+~~~
+
+Now tell the route helper to `skip` mounting the `omniauth_callbacks` controller:
+
+~~~ruby
+Rails.application.routes.draw do
+  # config/routes.rb
+  mount_devise_token_auth_for 'User', at: '/auth', skip: [:omniauth_callbacks]
+end
+~~~
 
 ## Custom Controller Overrides
 

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -17,7 +17,7 @@ module DeviseTokenAuth
       end
 
       # success redirect url is required
-      unless params[:confirm_success_url]
+      if resource_class.devise_modules.include?(:confirmable) && !params[:confirm_success_url]
         return render json: {
           status: 'error',
           data:   @resource,
@@ -76,7 +76,7 @@ module DeviseTokenAuth
 
     def update
       if @resource
-        
+
         if @resource.update_attributes(account_update_params)
           render json: {
             status: 'success',

data/app/models/devise_token_auth/concerns/user.rb

@@ -2,11 +2,12 @@ module DeviseTokenAuth::Concerns::User
   extend ActiveSupport::Concern
 
   included do
-    # Include default devise modules. Others available are:
-    # :confirmable, :lockable, :timeoutable and :omniauthable
-    devise :database_authenticatable, :registerable,
-          :recoverable, :rememberable, :trackable, :validatable,
+    # Hack to check if devise is already enabled
+    unless self.method_defined?(:devise_modules)
+      devise :database_authenticatable, :registerable,
+          :recoverable, :trackable, :validatable,
           :confirmable, :omniauthable
+    end
 
     serialize :tokens, JSON
 
@@ -186,6 +187,9 @@ module DeviseTokenAuth::Concerns::User
     return build_auth_header(token, client_id)
   end
 
+  def confirmed?
+    self.devise_modules.exclude?(:confirmable) || super
+  end
 
   protected
 

data/lib/devise_token_auth/version.rb

@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.30"
+  VERSION = "0.1.31.beta1"
 end

data/lib/generators/devise_token_auth/install_generator.rb

@@ -30,6 +30,10 @@ module DeviseTokenAuth
         inclusion = "include DeviseTokenAuth::Concerns::User"
         unless parse_file_for_line(fname, inclusion)
           inject_into_file fname, after: "class #{user_class} < ActiveRecord::Base\n" do <<-'RUBY'
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable, :omniauthable
   include DeviseTokenAuth::Concerns::User
           RUBY
           end

data/lib/generators/devise_token_auth/templates/user.rb

@@ -1,3 +1,7 @@
 class <%= user_class %> < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable, :omniauthable
   include DeviseTokenAuth::Concerns::User
 end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -164,4 +164,14 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
     end
   end
+
+  describe 'User with only :database_authenticatable and :registerable included' do
+    test 'OnlyEmailUser should not be able to use OAuth' do
+      assert_raises(ActionController::RoutingError) {
+        get_via_redirect '/only_email_auth/facebook', {
+          auth_origin_url: @redirect_url
+        }
+      }
+    end
+  end
 end

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -454,5 +454,50 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         assert @resource.valid_token?(@token, @client_id)
       end
     end
+
+
+    describe 'User with only :database_authenticatable and :registerable included' do
+      setup do
+        @mails_sent = ActionMailer::Base.deliveries.count
+
+        post '/only_email_auth', {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          confirm_success_url: Faker::Internet.url,
+          unpermitted_param: '(x_x)'
+        }
+
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+        @mail = ActionMailer::Base.deliveries.last
+      end
+
+      test 'user was created' do
+        assert @resource.id
+      end
+
+      test 'email confirmation was not sent' do
+        assert_equal @mails_sent, ActionMailer::Base.deliveries.count
+      end
+
+      test 'user is confirmed' do
+        assert @resource.confirmed?
+      end
+    end
+
+    describe 'User with registration routes disabled' do
+      test 'OnlyEmailUser should not be able to use OAuth' do
+        assert_raises(ActionController::RoutingError) {
+          post '/unregisterable_user_auth', {
+            email: Faker::Internet.email,
+            password: "secret123",
+            password_confirmation: "secret123",
+            confirm_success_url: Faker::Internet.url,
+            unpermitted_param: '(x_x)'
+          }
+        }
+      end
+    end
   end
 end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -217,5 +217,33 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         assert_equal @existing_user.email, @data['data']['email']
       end
     end
+
+    describe 'User with only :database_authenticatable and :registerable included' do
+      setup do
+        @request.env['devise.mapping'] = Devise.mappings[:only_email_user]
+      end
+
+      teardown do
+        @request.env['devise.mapping'] = Devise.mappings[:user]
+      end
+
+      before do
+        @existing_user = only_email_users(:user)
+        @existing_user.save!
+
+        xhr :post, :create, {
+          email: @existing_user.email,
+          password: 'secret123'
+        }
+
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'user should be able to sign in without confirmation' do
+        assert 200, response.status
+        refute OnlyEmailUser.method_defined?(:confirmed_at)
+      end
+    end
   end
 end

data/test/dummy/app/models/only_email_user.rb

@@ -0,0 +1,5 @@
+class OnlyEmailUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/app/models/unregisterable_user.rb

@@ -0,0 +1,7 @@
+class UnregisterableUser < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable,
+          :recoverable, :trackable, :validatable,
+          :confirmable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/config/routes.rb

@@ -19,6 +19,10 @@ Rails.application.routes.draw do
     token_validations:  'overrides/token_validations'
   }
 
+  mount_devise_token_auth_for 'OnlyEmailUser', at: '/only_email_auth', skip: [:omniauth_callbacks]
+
+  mount_devise_token_auth_for 'UnregisterableUser', at: '/unregisterable_user_auth', skip: [:registrations]
+
   # this route will authorize visitors using the User class
   get 'demo/members_only', to: 'demo_user#members_only'
 

data/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb

@@ -0,0 +1,54 @@
+class DeviseTokenAuthCreateOnlyEmailUsers < ActiveRecord::Migration
+  def change
+    create_table(:only_email_users) do |t|
+      ## Required
+      t.string :provider, :null => false
+      t.string :uid, :null => false, :default => ""
+
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      #t.string   :reset_password_token
+      #t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      #t.datetime :remember_created_at
+
+      ## Trackable
+      #t.integer  :sign_in_count, :default => 0, :null => false
+      #t.datetime :current_sign_in_at
+      #t.datetime :last_sign_in_at
+      #t.string   :current_sign_in_ip
+      #t.string   :last_sign_in_ip
+
+      ## Confirmable
+      #t.string   :confirmation_token
+      #t.datetime :confirmed_at
+      #t.datetime :confirmation_sent_at
+      #t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+
+      ## Tokens
+      t.text :tokens
+
+      t.timestamps
+    end
+
+    add_index :only_email_users, :email
+    add_index :only_email_users, [:uid, :provider],     :unique => true
+    #add_index :only_email_users, :reset_password_token, :unique => true
+    # add_index :only_email_users, :confirmation_token,   :unique => true
+    # add_index :only_email_users, :unlock_token,         :unique => true
+  end
+end

data/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb

@@ -0,0 +1,54 @@
+class DeviseTokenAuthCreateUnregisterableUsers < ActiveRecord::Migration
+  def change
+    create_table(:unregisterable_users) do |t|
+      ## Required
+      t.string :provider, :null => false
+      t.string :uid, :null => false, :default => ""
+
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0, :null => false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+
+      ## Tokens
+      t.text :tokens
+
+      t.timestamps
+    end
+
+    add_index :unregisterable_users, :email
+    add_index :unregisterable_users, [:uid, :provider],     :unique => true
+    add_index :unregisterable_users, :reset_password_token, :unique => true
+    # add_index :unregisterable_users, :confirmation_token,   :unique => true
+    # add_index :unregisterable_users, :unlock_token,         :unique => true
+  end
+end

data/test/dummy/db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20140928231203) do
+ActiveRecord::Schema.define(version: 20141222053502) do
 
   create_table "evil_users", force: true do |t|
     t.string   "email"
@@ -77,6 +77,51 @@ ActiveRecord::Schema.define(version: 20140928231203) do
   add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true
   add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true
 
+  create_table "only_email_users", force: true do |t|
+    t.string   "provider",                        null: false
+    t.string   "uid",                default: "", null: false
+    t.string   "encrypted_password", default: "", null: false
+    t.string   "name"
+    t.string   "nickname"
+    t.string   "image"
+    t.string   "email"
+    t.text     "tokens"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "only_email_users", ["email"], name: "index_only_email_users_on_email"
+  add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true
+
+  create_table "unregisterable_users", force: true do |t|
+    t.string   "provider",                            null: false
+    t.string   "uid",                    default: "", null: false
+    t.string   "encrypted_password",     default: "", null: false
+    t.string   "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer  "sign_in_count",          default: 0,  null: false
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string   "current_sign_in_ip"
+    t.string   "last_sign_in_ip"
+    t.string   "confirmation_token"
+    t.datetime "confirmed_at"
+    t.datetime "confirmation_sent_at"
+    t.string   "unconfirmed_email"
+    t.string   "name"
+    t.string   "nickname"
+    t.string   "image"
+    t.string   "email"
+    t.text     "tokens"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email"
+  add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true
+  add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true
+
   create_table "users", force: true do |t|
     t.string   "email"
     t.string   "encrypted_password",          default: "", null: false