RubyGems - devise_token_auth - Versions diffs - 0.1.32.beta10 → 0.1.32 - Mend

devise_token_auth 0.1.32.beta10 → 0.1.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (59) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3956bc3feda1139343107ad175573264e3230fba
-  data.tar.gz: d2d3d63265f7f80d306bf951d0beee3f3d81f630
+  metadata.gz: 0e28de2ceef16d684a4307e2f18f647f7a0421d0
+  data.tar.gz: ddd67c0685fcef8fc0b47524342f8a89994eb814
 SHA512:
-  metadata.gz: 923ad035f18ef936354811a275ed58da5fede3f717d1216d17916862586669a0c98f994fa9723a5334331e7d3604451958d6e1c1701df3f31d277d9c76025fe6
-  data.tar.gz: e5c749d2804ffe84495d6d3b9997302ea3e9589948f771214c5e2be1d9da1c8e3d9ab0b5c87c816981738701708da28b7ef30ad63f2c7d97537e2058d5a4c3a0
+  metadata.gz: 4ae5e76e7e77ce36862c03dcd02579ac84ba38958bbbccfdc1c844f69019235124a560d55174cd48db035d340ca9b1dff1ca66d2a212f472314a2caccac600c0
+  data.tar.gz: af21c98c27ffaf6beafedc4d4fdc28e75aca53044bf2f6ad0fbfe3a3b56f96aa5f22a89c08bd31f8966c24d5e86093f3f42a6733a8049c6683bfa2455423862b

data/README.md CHANGED

@@ -50,8 +50,8 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is
   * [Using Multiple User Classes](#using-multiple-models)
   * [Excluding Modules](#excluding-modules)
   * [Custom Controller Overrides](#custom-controller-overrides)
-  * [Email Template Overrides](#email-template-overrides)
   * [Passing blocks to Controllers](#passing-blocks-controllers)
+  * [Email Template Overrides](#email-template-overrides)
 * [Issue Reporting Guidelines](#issue-reporting)
 * [FAQ](#faq)
 * [Conceptual Diagrams](#conceptual)
@@ -99,7 +99,7 @@ This generator accepts the following optional arguments:
 | Argument | Default | Description |
 |---|---|---|
 | USER_CLASS | `User` | The name of the class to use for user authentication. |
-| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage). |
+| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage-tldr). |
 The following events will take place when using the install generator:
@@ -134,14 +134,14 @@ The following routes are available for use by your client. These routes live rel
 |:-----|:-------|:--------|
 | /    | POST   | Email registration. Accepts **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
 | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. |
-| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
+| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Accepts **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login. |
 | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. |
 | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). |
 | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). |
-| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`auth_token`** as params. These values should correspond to the columns in your `User` table of the same names. |
+| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. |
 | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. |
-| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). |
+| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). |
 | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. |
 [Jump here](#usage-cont) for more usage information.
@@ -420,7 +420,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   client_id = request.headers['client']
   token = request.headers['access-token']
-  @user.valid_token?(token, client_id)
+  @resource.valid_token?(token, client_id)
   ~~~
 * **`create_new_auth_token`**: creates a new auth token with all of the necessary metadata. Accepts `client` as an optional argument. Will generate a new `client` if none is provided. Returns the authentication headers that should be sent by the client as an object.
@@ -431,7 +431,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   client_id = request.headers['client']
   # update token, generate updated auth headers for response
-  new_auth_header = @user.create_new_auth_token(client_id)
+  new_auth_header = @resource.create_new_auth_token(client_id)
   # update response with the header that will be required by the next request
   response.headers.merge!(new_auth_header)
@@ -446,13 +446,13 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce
   token     = SecureRandom.urlsafe_base64(nil, false)
   # store client + token in user's token hash
-  @user.tokens[client_id] = {
+  @resource.tokens[client_id] = {
     token: BCrypt::Password.create(token),
     expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
   }
   # generate auth headers for response
-  new_auth_header = @user.build_auth_header(token, client_id)
+  new_auth_header = @resource.build_auth_header(token, client_id)
   # update response with the header that will be required by the next request
   response.headers.merge!(new_auth_header)
@@ -502,7 +502,7 @@ This gem supports the use of multiple user models. One possible use case is to a
   ~~~
 1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods):
-  * `before_action: :authenticate_admin!`
+  * `before_action :authenticate_admin!`
   * `current_admin`
   * `admin_signed_in?`
@@ -608,7 +608,7 @@ For example, the default behavior of the [`validate_token`](https://github.com/l
 ~~~ruby
 # config/routes.rb
 Rails.application.routes.draw do
-  ...
+  ...
   mount_devise_token_auth_for 'User', at: 'auth', controllers: {
     token_validations:  'overrides/token_validations'
   }
@@ -619,10 +619,10 @@ module Overrides
   class TokenValidationsController < DeviseTokenAuth::TokenValidationsController
     def validate_token
-      # @user will have been set by set_user_by_token concern
-      if @user
+      # @resource will have been set by set_user_by_token concern
+      if @resource
         render json: {
-          data: @user.as_json(methods: :calculate_operating_thetan)
+          data: @resource.as_json(methods: :calculate_operating_thetan)
         }
       else
         render json: {
@@ -650,6 +650,24 @@ mount_devise_token_auth_for 'User', at: 'auth', controllers: {
 **Note:** Controller overrides must implement the expected actions of the controllers that they replace.
+## Passing blocks to Controllers
+It may be that you simply want to _add_ behavior to existing controllers without having to re-implement their behavior completely. In this case, you can do so by creating a new controller that inherits from any of DeviseTokenAuth's controllers, overriding whichever methods you'd like to add behavior to by  passing a block to `super`:
+```ruby
+class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController
+  def create
+    super do |resource|
+      resource.do_something(extra)
+    end
+  end
+end
+```
+Your block will be performed just before the controller would usually render a successful response.
 ## Email Template Overrides
 You will probably want to override the default email templates for email sign-up and password-reset confirmation. Run the following command to copy the email templates into your app:
@@ -667,22 +685,6 @@ These files may be edited to suit your taste.
 **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing.
-## Passing blocks to RegistrationController
-If you simply want to add behaviour to the existing Registration controller, you can do so by creating a new controller that inherits from it, and override the `create`, `update` or `destroy` methods, and passing a block to super:
-```ruby
-class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController
-  def create
-    super do |resource|
-      resource.add_something(extra)
-    end
-  end
-end
-```
 # Issue Reporting
 When posting issues, please include the following information to speed up the troubleshooting process:
@@ -798,7 +800,7 @@ This gem automatically manages batch requests. You can change the time buffer fo
 This gem takes the following steps to ensure security.
 This gem uses auth tokens that are:
-* [changed after every request](#about-token-management),
+* [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)),
 * [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html),
 * hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text),
 * securely compared (to protect against timing attacks),

data/app/controllers/devise_token_auth/confirmations_controller.rb CHANGED

@@ -17,6 +17,8 @@ module DeviseTokenAuth
         @resource.save!
+        yield if block_given?
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:                        token,
           client_id:                    client_id,

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb CHANGED

@@ -72,6 +72,8 @@ module DeviseTokenAuth
       @resource.save!
+      yield if block_given?
       # render user info to javascript postMessage communication window
       render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_success"
     end

data/app/controllers/devise_token_auth/passwords_controller.rb CHANGED

@@ -9,7 +9,7 @@ module DeviseTokenAuth
       unless resource_params[:email]
         return render json: {
           success: false,
-          errors: ['You must provide an email address.']
+          errors: [I18n.t("devise_token_auth.passwords.missing_email")]
         }, status: 401
       end
@@ -22,7 +22,7 @@ module DeviseTokenAuth
       unless redirect_url
         return render json: {
           success: false,
-          errors: ['Missing redirect url.']
+          errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
         }, status: 401
       end
@@ -32,7 +32,7 @@ module DeviseTokenAuth
           return render json: {
             status: 'error',
             data:   @resource.as_json,
-            errors: ["Redirect to #{redirect_url} not allowed."]
+            errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: redirect_url)]
           }, status: 403
         end
       end
@@ -57,6 +57,7 @@ module DeviseTokenAuth
       error_status = 400
       if @resource
+        yield if block_given?
         @resource.send_reset_password_instructions({
           email: email,
           provider: 'email',
@@ -67,14 +68,13 @@ module DeviseTokenAuth
         if @resource.errors.empty?
           render json: {
             success: true,
-            message: "An email has been sent to #{email} containing "+
-              "instructions for resetting your password."
+            message: I18n.t("devise_token_auth.passwords.sended", email: email)
           }
         else
           errors = @resource.errors
         end
       else
-        errors = ["Unable to find user with email '#{email}'."]
+        errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: email)]
         error_status = 404
       end
@@ -105,9 +105,10 @@ module DeviseTokenAuth
         }
         # ensure that user is confirmed
-        @resource.skip_confirmation! unless @resource.confirmed_at
+        @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
         @resource.save!
+        yield if block_given?
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:          token,
@@ -116,7 +117,9 @@ module DeviseTokenAuth
           config:         params[:config]
         }))
       else
-        raise ActionController::RoutingError.new('Not Found')
+        render json: {
+          success: false
+        }, status: 404
       end
     end
@@ -133,8 +136,7 @@ module DeviseTokenAuth
       unless @resource.provider == 'email'
         return render json: {
           success: false,
-          errors: ["This account does not require a password. Sign in using "+
-                   "your #{@resource.provider.humanize} account instead."]
+          errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)]
         }, status: 422
       end
@@ -142,16 +144,17 @@ module DeviseTokenAuth
       unless password_resource_params[:password] and password_resource_params[:password_confirmation]
         return render json: {
           success: false,
-          errors: ['You must fill out the fields labeled "password" and "password confirmation".']
+          errors: [I18n.t("devise_token_auth.passwords.missing_passwords")]
         }, status: 422
       end
-      if @resource.update_attributes(password_resource_params)
+      if @resource.send(resource_update_method, password_resource_params)
+        yield if block_given?
         return render json: {
           success: true,
           data: {
             user: @resource,
-            message: "Your password has been successfully updated."
+            message: I18n.t("devise_token_auth.passwords.successfully_updated")
           }
         }
       else
@@ -162,12 +165,20 @@ module DeviseTokenAuth
       end
     end
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update != false
+        "update_with_password"
+      else
+        "update_attributes"
+      end
+    end
     def password_resource_params
       params.permit(devise_parameter_sanitizer.for(:account_update))
     end
     def resource_params
-      params.permit(:email, :password, :password_confirmation, :reset_password_token)
+      params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token)
     end
   end

data/app/controllers/devise_token_auth/registrations_controller.rb CHANGED

@@ -11,7 +11,7 @@ module DeviseTokenAuth
       # honor devise configuration for case_insensitive_keys
       if resource_class.case_insensitive_keys.include?(:email)
-        @resource.email = sign_up_params[:email].downcase
+        @resource.email = sign_up_params[:email].try :downcase
       else
         @resource.email = sign_up_params[:email]
       end
@@ -27,7 +27,7 @@ module DeviseTokenAuth
         return render json: {
           status: 'error',
           data:   @resource.as_json,
-          errors: ["Missing `confirm_success_url` param."]
+          errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
         }, status: 403
       end
@@ -37,7 +37,7 @@ module DeviseTokenAuth
           return render json: {
             status: 'error',
             data:   @resource.as_json,
-            errors: ["Redirect to #{redirect_url} not allowed."]
+            errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: redirect_url)]
           }, status: 403
         end
       end
@@ -87,15 +87,14 @@ module DeviseTokenAuth
         render json: {
           status: 'error',
           data:   @resource.as_json,
-          errors: ["An account already exists for #{@resource.email}"]
+          errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)]
         }, status: 403
       end
     end
     def update
       if @resource
-        if @resource.update_attributes(account_update_params)
+        if @resource.send(resource_update_method, account_update_params)
           yield @resource if block_given?
           render json: {
             status: 'success',
@@ -110,7 +109,7 @@ module DeviseTokenAuth
       else
         render json: {
           status: 'error',
-          errors: ["User not found."]
+          errors: [I18n.t("devise_token_auth.registrations.user_not_found")]
         }, status: 404
       end
     end
@@ -122,12 +121,12 @@ module DeviseTokenAuth
         render json: {
           status: 'success',
-          message: "Account with uid #{@resource.uid} has been destroyed."
+          message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid)
         }
       else
         render json: {
           status: 'error',
-          errors: ["Unable to locate account for destruction."]
+          errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")]
         }, status: 404
       end
     end
@@ -142,12 +141,24 @@ module DeviseTokenAuth
     private
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        "update_with_password"
+      elsif DeviseTokenAuth.check_current_password_before_update == :password and account_update_params.has_key?(:password)
+        "update_with_password"
+      elsif account_update_params.has_key?(:current_password)
+        "update_with_password"
+      else
+        "update_attributes"
+      end
+    end
     def validate_sign_up_params
-      validate_post_data sign_up_params, 'Please submit proper sign up data in request body.'
+      validate_post_data sign_up_params, I18n.t("errors.validate_sign_up_params")
     end
     def validate_account_update_params
-      validate_post_data account_update_params, 'Please submit proper account update data in request body.'
+      validate_post_data account_update_params, I18n.t("errors.validate_account_update_params")
     end
     def validate_post_data which, message

data/app/controllers/devise_token_auth/sessions_controller.rb CHANGED

@@ -4,6 +4,12 @@ module DeviseTokenAuth
     before_filter :set_user_by_token, :only => [:destroy]
     after_action :reset_session, :only => [:destroy]
+    def new
+      render json: {
+        errors: [ I18n.t("devise_token_auth.sessions.not_supported")]
+      }, status: 405
+    end
     def create
       # Check
       field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
@@ -25,7 +31,7 @@ module DeviseTokenAuth
         @resource = resource_class.where(q, q_value).first
       end
-      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
+      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         # create client id
         @client_id = SecureRandom.urlsafe_base64(nil, false)
         @token     = SecureRandom.urlsafe_base64(nil, false)
@@ -38,23 +44,21 @@ module DeviseTokenAuth
         sign_in(:user, @resource, store: false, bypass: false)
+        yield if block_given?
         render json: {
           data: @resource.token_validation_response
         }
-      elsif @resource and not @resource.confirmed?
+      elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         render json: {
           success: false,
-          errors: [
-            "A confirmation email was sent to your account at #{@resource.email}. "+
-            "You must follow the instructions in the email before your account "+
-            "can be activated"
-          ]
+          errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ]
         }, status: 401
       else
         render json: {
-          errors: ["Invalid login credentials. Please try again."]
+          errors: [I18n.t("devise_token_auth.sessions.bad_credentials")]
         }, status: 401
       end
     end
@@ -69,13 +73,15 @@ module DeviseTokenAuth
         user.tokens.delete(client_id)
         user.save!
+        yield if block_given?
         render json: {
           success:true
         }, status: 200
       else
         render json: {
-          errors: ["User was not found or was not logged in."]
+          errors: [I18n.t("devise_token_auth.sessions.user_not_found")]
         }, status: 404
       end
     end