RubyGems - devise_token_auth - Versions diffs - 0.1.32.beta10 → 0.1.32 - Mend

devise_token_auth 0.1.32.beta10 → 0.1.32

Files changed (59) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3956bc3feda1139343107ad175573264e3230fba
-  data.tar.gz: d2d3d63265f7f80d306bf951d0beee3f3d81f630
+  metadata.gz: 0e28de2ceef16d684a4307e2f18f647f7a0421d0
+  data.tar.gz: ddd67c0685fcef8fc0b47524342f8a89994eb814
 SHA512:
-  metadata.gz: 923ad035f18ef936354811a275ed58da5fede3f717d1216d17916862586669a0c98f994fa9723a5334331e7d3604451958d6e1c1701df3f31d277d9c76025fe6
-  data.tar.gz: e5c749d2804ffe84495d6d3b9997302ea3e9589948f771214c5e2be1d9da1c8e3d9ab0b5c87c816981738701708da28b7ef30ad63f2c7d97537e2058d5a4c3a0
+  metadata.gz: 4ae5e76e7e77ce36862c03dcd02579ac84ba38958bbbccfdc1c844f69019235124a560d55174cd48db035d340ca9b1dff1ca66d2a212f472314a2caccac600c0
+  data.tar.gz: af21c98c27ffaf6beafedc4d4fdc28e75aca53044bf2f6ad0fbfe3a3b56f96aa5f22a89c08bd31f8966c24d5e86093f3f42a6733a8049c6683bfa2455423862b

data/README.md CHANGED

@@ -50,8 +50,8 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is
   * [Using Multiple User Classes](#using-multiple-models)
   * [Excluding Modules](#excluding-modules)
   * [Custom Controller Overrides](#custom-controller-overrides)
-  * [Email Template Overrides](#email-template-overrides)
   * [Passing blocks to Controllers](#passing-blocks-controllers)
+  * [Email Template Overrides](#email-template-overrides)
 * [Issue Reporting Guidelines](#issue-reporting)
 * [FAQ](#faq)
 * [Conceptual Diagrams](#conceptual)
@@ -99,7 +99,7 @@ This generator accepts the following optional arguments:
 | Argument | Default | Description |
 |---|---|---|
 | USER_CLASS | `User` | The name of the class to use for user authentication. |
-| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage). |
+| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage-tldr). |
 The following events will take place when using the install generator:
@@ -134,14 +134,14 @@ The following routes are available for use by your client. These routes live rel
 |:-----|:-------|:--------|
 | /    | POST   | Email registration. Accepts **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
 | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. |
-| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
+| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Accepts **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login. |
 | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. |
 | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). |
 | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). |
-| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`auth_token`** as params. These values should correspond to the columns in your `User` table of the same names. |
+| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. |
 | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. |
-| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). |
+| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). |
 | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. |
 [Jump here](#usage-cont) for more usage information.
@@ -420,7 +420,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   client_id = request.headers['client']
   token = request.headers['access-token']
-  @user.valid_token?(token, client_id)
+  @resource.valid_token?(token, client_id)
   ~~~
 * **`create_new_auth_token`**: creates a new auth token with all of the necessary metadata. Accepts `client` as an optional argument. Will generate a new `client` if none is provided. Returns the authentication headers that should be sent by the client as an object.
@@ -431,7 +431,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   client_id = request.headers['client']
   # update token, generate updated auth headers for response
-  new_auth_header = @user.create_new_auth_token(client_id)
+  new_auth_header = @resource.create_new_auth_token(client_id)
   # update response with the header that will be required by the next request
   response.headers.merge!(new_auth_header)
@@ -446,13 +446,13 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   token     = SecureRandom.urlsafe_base64(nil, false)
   # store client + token in user's token hash
-  @user.tokens[client_id] = {
+  @resource.tokens[client_id] = {
     token: BCrypt::Password.create(token),
     expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
   }
   # generate auth headers for response
-  new_auth_header = @user.build_auth_header(token, client_id)
+  new_auth_header = @resource.build_auth_header(token, client_id)
   # update response with the header that will be required by the next request
   response.headers.merge!(new_auth_header)
@@ -502,7 +502,7 @@ This gem supports the use of multiple user models. One possible use case is to a
   ~~~
 1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods):
-  * `before_action: :authenticate_admin!`
+  * `before_action :authenticate_admin!`
   * `current_admin`
   * `admin_signed_in?`
@@ -608,7 +608,7 @@ For example, the default behavior of the [`validate_token`](https://github.com/l
 ~~~ruby
 # config/routes.rb
 Rails.application.routes.draw do
-  ...
+  ...
   mount_devise_token_auth_for 'User', at: 'auth', controllers: {
     token_validations:  'overrides/token_validations'
   }
@@ -619,10 +619,10 @@ module Overrides
   class TokenValidationsController < DeviseTokenAuth::TokenValidationsController
     def validate_token
-      # @user will have been set by set_user_by_token concern
-      if @user
+      # @resource will have been set by set_user_by_token concern
+      if @resource
         render json: {
-          data: @user.as_json(methods: :calculate_operating_thetan)
+          data: @resource.as_json(methods: :calculate_operating_thetan)
         }
       else
         render json: {
@@ -650,6 +650,24 @@ mount_devise_token_auth_for 'User', at: 'auth', controllers: {
 **Note:** Controller overrides must implement the expected actions of the controllers that they replace.
+## Passing blocks to Controllers
+It may be that you simply want to _add_ behavior to existing controllers without having to re-implement their behavior completely. In this case, you can do so by creating a new controller that inherits from any of DeviseTokenAuth's controllers, overriding whichever methods you'd like to add behavior to by  passing a block to `super`:
+```ruby
+class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController
+  def create
+    super do |resource|
+      resource.do_something(extra)
+    end
+  end
+end
+```
+Your block will be performed just before the controller would usually render a successful response.
 ## Email Template Overrides
 You will probably want to override the default email templates for email sign-up and password-reset confirmation. Run the following command to copy the email templates into your app:
@@ -667,22 +685,6 @@ These files may be edited to suit your taste.
 **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing.
-## Passing blocks to RegistrationController
-If you simply want to add behaviour to the existing Registration controller, you can do so by creating a new controller that inherits from it, and override the `create`, `update` or `destroy` methods, and passing a block to super:
-```ruby
-class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController
-  def create
-    super do |resource|
-      resource.add_something(extra)
-    end
-  end
-end
-```
 # Issue Reporting
 When posting issues, please include the following information to speed up the troubleshooting process:
@@ -798,7 +800,7 @@ This gem automatically manages batch requests. You can change the time buffer fo
 This gem takes the following steps to ensure security.
 This gem uses auth tokens that are:
-* [changed after every request](#about-token-management),
+* [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)),
 * [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html),
 * hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text),
 * securely compared (to protect against timing attacks),

data/app/controllers/devise_token_auth/confirmations_controller.rb CHANGED

@@ -17,6 +17,8 @@ module DeviseTokenAuth
         @resource.save!
+        yield if block_given?
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:                        token,
           client_id:                    client_id,

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb CHANGED

@@ -72,6 +72,8 @@ module DeviseTokenAuth
       @resource.save!
+      yield if block_given?
       # render user info to javascript postMessage communication window
       render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_success"
     end

data/app/controllers/devise_token_auth/passwords_controller.rb CHANGED

@@ -9,7 +9,7 @@ module DeviseTokenAuth
       unless resource_params[:email]
         return render json: {
           success: false,
-          errors: ['You must provide an email address.']
+          errors: [I18n.t("devise_token_auth.passwords.missing_email")]
         }, status: 401
       end
@@ -22,7 +22,7 @@ module DeviseTokenAuth
       unless redirect_url
         return render json: {
           success: false,
-          errors: ['Missing redirect url.']
+          errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
         }, status: 401
       end
@@ -32,7 +32,7 @@ module DeviseTokenAuth
           return render json: {
             status: 'error',
             data:   @resource.as_json,
-            errors: ["Redirect to #{redirect_url} not allowed."]
+            errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: redirect_url)]
           }, status: 403
         end
       end
@@ -57,6 +57,7 @@ module DeviseTokenAuth
       error_status = 400
       if @resource
+        yield if block_given?
         @resource.send_reset_password_instructions({
           email: email,
           provider: 'email',
@@ -67,14 +68,13 @@ module DeviseTokenAuth
         if @resource.errors.empty?
           render json: {
             success: true,
-            message: "An email has been sent to #{email} containing "+
-              "instructions for resetting your password."
+            message: I18n.t("devise_token_auth.passwords.sended", email: email)
           }
         else
           errors = @resource.errors
         end
       else
-        errors = ["Unable to find user with email '#{email}'."]
+        errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: email)]
         error_status = 404
       end
@@ -105,9 +105,10 @@ module DeviseTokenAuth
         }
         # ensure that user is confirmed
-        @resource.skip_confirmation! unless @resource.confirmed_at
+        @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
         @resource.save!
+        yield if block_given?
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:          token,
@@ -116,7 +117,9 @@ module DeviseTokenAuth
           config:         params[:config]
         }))
       else
-        raise ActionController::RoutingError.new('Not Found')
+        render json: {
+          success: false
+        }, status: 404
       end
     end
@@ -133,8 +136,7 @@ module DeviseTokenAuth
       unless @resource.provider == 'email'
         return render json: {
           success: false,
-          errors: ["This account does not require a password. Sign in using "+
-                   "your #{@resource.provider.humanize} account instead."]
+          errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)]
         }, status: 422
       end
@@ -142,16 +144,17 @@ module DeviseTokenAuth
       unless password_resource_params[:password] and password_resource_params[:password_confirmation]
         return render json: {
           success: false,
-          errors: ['You must fill out the fields labeled "password" and "password confirmation".']
+          errors: [I18n.t("devise_token_auth.passwords.missing_passwords")]
         }, status: 422
       end
-      if @resource.update_attributes(password_resource_params)
+      if @resource.send(resource_update_method, password_resource_params)
+        yield if block_given?
         return render json: {
           success: true,
           data: {
             user: @resource,
-            message: "Your password has been successfully updated."
+            message: I18n.t("devise_token_auth.passwords.successfully_updated")
           }
         }
       else
@@ -162,12 +165,20 @@ module DeviseTokenAuth
       end
     end
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update != false
+        "update_with_password"
+      else
+        "update_attributes"
+      end
+    end
     def password_resource_params
       params.permit(devise_parameter_sanitizer.for(:account_update))
     end
     def resource_params
-      params.permit(:email, :password, :password_confirmation, :reset_password_token)
+      params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token)
     end
   end

data/app/controllers/devise_token_auth/registrations_controller.rb CHANGED

@@ -11,7 +11,7 @@ module DeviseTokenAuth
       # honor devise configuration for case_insensitive_keys
       if resource_class.case_insensitive_keys.include?(:email)
-        @resource.email = sign_up_params[:email].downcase
+        @resource.email = sign_up_params[:email].try :downcase
       else
         @resource.email = sign_up_params[:email]
       end
@@ -27,7 +27,7 @@ module DeviseTokenAuth
         return render json: {
           status: 'error',
           data:   @resource.as_json,
-          errors: ["Missing `confirm_success_url` param."]
+          errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
         }, status: 403
       end
@@ -37,7 +37,7 @@ module DeviseTokenAuth
           return render json: {
             status: 'error',
             data:   @resource.as_json,
-            errors: ["Redirect to #{redirect_url} not allowed."]
+            errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: redirect_url)]
           }, status: 403
         end
       end
@@ -87,15 +87,14 @@ module DeviseTokenAuth
         render json: {
           status: 'error',
           data:   @resource.as_json,
-          errors: ["An account already exists for #{@resource.email}"]
+          errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)]
         }, status: 403
       end
     end
     def update
       if @resource
-        if @resource.update_attributes(account_update_params)
+        if @resource.send(resource_update_method, account_update_params)
           yield @resource if block_given?
           render json: {
             status: 'success',
@@ -110,7 +109,7 @@ module DeviseTokenAuth
       else
         render json: {
           status: 'error',
-          errors: ["User not found."]
+          errors: [I18n.t("devise_token_auth.registrations.user_not_found")]
         }, status: 404
       end
     end
@@ -122,12 +121,12 @@ module DeviseTokenAuth
         render json: {
           status: 'success',
-          message: "Account with uid #{@resource.uid} has been destroyed."
+          message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid)
         }
       else
         render json: {
           status: 'error',
-          errors: ["Unable to locate account for destruction."]
+          errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")]
         }, status: 404
       end
     end
@@ -142,12 +141,24 @@ module DeviseTokenAuth
     private
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        "update_with_password"
+      elsif DeviseTokenAuth.check_current_password_before_update == :password and account_update_params.has_key?(:password)
+        "update_with_password"
+      elsif account_update_params.has_key?(:current_password)
+        "update_with_password"
+      else
+        "update_attributes"
+      end
+    end
     def validate_sign_up_params
-      validate_post_data sign_up_params, 'Please submit proper sign up data in request body.'
+      validate_post_data sign_up_params, I18n.t("errors.validate_sign_up_params")
     end
     def validate_account_update_params
-      validate_post_data account_update_params, 'Please submit proper account update data in request body.'
+      validate_post_data account_update_params, I18n.t("errors.validate_account_update_params")
     end
     def validate_post_data which, message

data/app/controllers/devise_token_auth/sessions_controller.rb CHANGED

@@ -4,6 +4,12 @@ module DeviseTokenAuth
     before_filter :set_user_by_token, :only => [:destroy]
     after_action :reset_session, :only => [:destroy]
+    def new
+      render json: {
+        errors: [ I18n.t("devise_token_auth.sessions.not_supported")]
+      }, status: 405
+    end
     def create
       # Check
       field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
@@ -25,7 +31,7 @@ module DeviseTokenAuth
         @resource = resource_class.where(q, q_value).first
       end
-      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
+      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         # create client id
         @client_id = SecureRandom.urlsafe_base64(nil, false)
         @token     = SecureRandom.urlsafe_base64(nil, false)
@@ -38,23 +44,21 @@ module DeviseTokenAuth
         sign_in(:user, @resource, store: false, bypass: false)
+        yield if block_given?
         render json: {
           data: @resource.token_validation_response
         }
-      elsif @resource and not @resource.confirmed?
+      elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         render json: {
           success: false,
-          errors: [
-            "A confirmation email was sent to your account at #{@resource.email}. "+
-            "You must follow the instructions in the email before your account "+
-            "can be activated"
-          ]
+          errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ]
         }, status: 401
       else
         render json: {
-          errors: ["Invalid login credentials. Please try again."]
+          errors: [I18n.t("devise_token_auth.sessions.bad_credentials")]
         }, status: 401
       end
     end
@@ -69,13 +73,15 @@ module DeviseTokenAuth
         user.tokens.delete(client_id)
         user.save!
+        yield if block_given?
         render json: {
           success:true
         }, status: 200
       else
         render json: {
-          errors: ["User was not found or was not logged in."]
+          errors: [I18n.t("devise_token_auth.sessions.user_not_found")]
         }, status: 404
       end
     end