RubyGems - devise_token_auth - Versions diffs - 0.1.34 → 0.1.35 - Mend

devise_token_auth 0.1.34 → 0.1.35

Potentially problematic release.

This version of devise_token_auth might be problematic. Click here for more details.

Files changed (29) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4fdc74cd5894dae6ce1eae8903c9a30d38fc5827
-  data.tar.gz: 2c99359cc717c189bb12beb45f80521b340367ca
+  metadata.gz: 89fd0f78a201ad5a99dedac0fed3488d7560ed25
+  data.tar.gz: 6fd0ffc8d75f18d4c444ae9d6afe8e5e0ad0ea26
 SHA512:
-  metadata.gz: b5e79c25c08635fc1c5c7b9afc36d153da02ac003bb0643482b2f83978806c1441155b491987cbe94a664cd1486fa8ab7ed0f212abb3961793388d9b8c097060
-  data.tar.gz: f967d2e07f376a7fb62d28dddb8d8cd5e6013800bb8e62506938f78099e4ba943a85460fe9ea2aba8e976f8345f260d990a65dd9b71562b81b68c772c6fd9805
+  metadata.gz: c3b3be8a1cd2e4ac12bd699c6b3b118045235c40b984a3e733d7676912aa5194454211edbb5c5e22eda77c9637604269dd1d92cca9796ed72e365e0b0f99745e
+  data.tar.gz: 98902da7dc896d05ffa0d01dcd30d9a7e297fd4f0725f54756f794907abfb5117d91720d41d0228f45f485242f9b0b203dbe7f092c868acf999e85db4451377d

data/README.md CHANGED

@@ -8,6 +8,8 @@
 ## Simple, secure token based authentication for Rails.
+[![Join the chat at https://gitter.im/lynndylanhurley/devise_token_auth](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/lynndylanhurley/devise_token_auth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
 This gem provides the following features:
 * Seamless integration with both the the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js) and the outstanding [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/).
@@ -42,6 +44,7 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is
   * [OmniAuth Authentication](#omniauth-authentication)
   * [OmniAuth Provider Settings](#omniauth-provider-settings)
   * [Email Authentication](#email-authentication)
+  * [Customizing Devise Verbiage](#customizing-devise-verbiage)
   * [Cross Origin Requests (CORS)](#cors)
 * [Usage Continued](#usage-cont)
   * [Mounting Routes](#mounting-routes)
@@ -162,6 +165,20 @@ The following settings are available for configuration in `config/initializers/d
 | **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the cilent. |
 | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. |
+Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file:
+~~~ruby
+Devise.setup do |config|
+  # The e-mail address that mail will appear to be sent from
+  # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com"
+  config.mailer_sender = "support@myapp.com"
+  # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash
+  # middleware b/c rails-api does not include it.
+  # See: http://stackoverflow.com/q/19600905/806956
+  config.navigational_formats = [:json]
+end
+~~~
 ## OmniAuth authentication
@@ -271,6 +288,21 @@ Rails.application.configure do
 end
 ~~~
+If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](#email-template-overrides).
+## Customizing Devise Verbiage
+Devise Token Auth ships with intelligent default wording for everything you need. But that doesn't mean you can't make it more awesome. You can override the [devise defaults](https://github.com/plataformatec/devise/blob/master/config/locales/en.yml) by creating a YAML file at `config/locales/devise.en.yml` and assigning whatever custom values you want. For example, to customize the subject line of your devise e-mails, you could do this:
+~~~yaml
+en:
+  devise:
+    mailer:
+      confirmation_instructions:
+        subject: "Please confirm your e-mail address"
+      reset_password_instructions:
+        subject: "Reset password request"
+~~~
 ## CORS
 If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this.
@@ -635,6 +667,45 @@ module Overrides
 end
 ~~~
+## Overriding rendering methods
+To customize json rendering, implement the following protected controller methods, for success methods, assume that the @resource object is available:
+### Registrations Controller
+* render_create_error_missing_confirm_success_url
+* render_create_error_redirect_url_not_allowed
+* render_create_success
+* render_create_error
+* render_create_error_email_already_exists
+* render_update_success
+* render_update_error
+* render_update_error_user_not_found
+### Sessions Controller
+* render_new_error
+* render_create_success
+* render_create_error_not_confirmed
+* render_create_error_bad_credentials
+* render_destroy_success
+* render_destroy_error
+### Passwords Controller
+* render_create_error_missing_email
+* render_create_error_missing_redirect_url
+* render_create_error_not_allowed_redirect_url
+* render_create_success
+* render_create_error
+* render_update_error_unauthorized
+* render_update_error_password_not_required
+* render_update_error_missing_password
+* render_update_success
+* render_update_error
+### Token Validations Controller
+* render_validate_token_success
+* render_validate_token_error
 ##### Example: all :controller options with default settings:
 ~~~ruby
@@ -681,7 +752,7 @@ This will create two new files:
 * `app/views/devise/mailer/reset_password_instructions.html.erb`
 * `app/views/devise/mailer/confirmation_instructions.html.erb`
-These files may be edited to suit your taste.
+These files may be edited to suit your taste. You can customize the e-mail subjects like [this](#customizing-devise-verbiage).
 **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing.
@@ -851,7 +922,7 @@ To run just one test:
 2. Run `bundle install`
 3. Run `rake db:migrate`
 4. Run `RAILS_ENV=test rake db:migrate`
-5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/
+5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/
 # License
 This project uses the WTFPL

data/app/controllers/devise_token_auth/application_controller.rb CHANGED

@@ -2,6 +2,7 @@ module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
+    protected
     def resource_class(m=nil)
       if m

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb CHANGED

@@ -7,6 +7,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     after_action :update_auth_header
   end
+  protected
   # keep track of request duration
   def set_request_start
     @request_started_at = Time.now

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb CHANGED

@@ -12,7 +12,7 @@ module DeviseTokenAuth
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
       devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym
-      redirect_route = "/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback"
+      redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback"
       # preserve omniauth info for success route. ignore 'extra' in twitter
       # auth response to avoid CookieOverflow.
@@ -22,108 +22,6 @@ module DeviseTokenAuth
       redirect_to redirect_route
     end
-    def get_resource_from_auth_hash
-      # find or create user by provider and provider uid
-      @resource = resource_class.where({
-        uid:      auth_hash['uid'],
-        provider: auth_hash['provider']
-      }).first_or_initialize
-      if @resource.new_record?
-        @oauth_registration = true
-        set_random_password
-      end
-      # sync user info with provider, update/generate auth token
-      assign_provider_attrs(@resource, auth_hash)
-      # assign any additional (whitelisted) attributes
-      extra_params = whitelisted_params
-      @resource.assign_attributes(extra_params) if extra_params
-      @resource
-    end
-    def set_random_password
-      # set crazy password for new oauth users. this is only used to prevent
-        # access via email sign-in.
-        p = SecureRandom.urlsafe_base64(nil, false)
-        @resource.password = p
-        @resource.password_confirmation = p
-    end
-    def create_token_info
-      # create token info
-      @client_id = SecureRandom.urlsafe_base64(nil, false)
-      @token     = SecureRandom.urlsafe_base64(nil, false)
-      @expiry    = (Time.now + DeviseTokenAuth.token_lifespan).to_i
-      @config    = omniauth_params['config_name']
-    end
-    def create_auth_params
-      @auth_params = {
-        auth_token:     @token,
-        client_id: @client_id,
-        uid:       @resource.uid,
-        expiry:    @expiry,
-        config:    @config
-      }
-      @auth_params.merge!(oauth_registration: true) if @oauth_registration
-      @auth_params
-    end
-    def set_token_on_resource
-      @resource.tokens[@client_id] = {
-        token: BCrypt::Password.create(@token),
-        expiry: @expiry
-      }
-    end
-    def render_data(message, data)
-      @data = data.merge({
-        message: message
-      })
-      render :layout => nil, :template => "devise_token_auth/omniauth_external_window"
-    end
-    def render_data_or_redirect(message, data)
-      # We handle inAppBrowser and newWindow the same, but it is nice
-      # to support values in case people need custom implementations for each case
-      # (For example, nbrustein does not allow new users to be created if logging in with
-      # an inAppBrowser)
-      #
-      # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand
-      # why we can handle these both the same.  The view is setup to handle both cases
-      # at the same time.
-      if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type)
-        render_data(message, data)
-      elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
-        # build and redirect to destination url
-        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data)
-      else
-        # there SHOULD always be an auth_origin_url, but if someone does something silly
-        # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
-        # In that case, just render in plain text the error message if there is one or otherwise
-        # a generic message.
-        fallback_render data[:error] || 'An error occurred'
-      end
-    end
-    def fallback_render(text)
-        render inline: %Q|
-            <html>
-                    <head></head>
-                    <body>
-                            #{text}
-                    </body>
-            </html>|
-    end
     def omniauth_success
       get_resource_from_auth_hash
       create_token_info
@@ -141,9 +39,40 @@ module DeviseTokenAuth
       yield if block_given?
-      render_data_or_redirect('deliverCredentials', @resource.as_json.merge(@auth_params.as_json))
+      render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
+    end
+    def omniauth_failure
+      @error = params[:message]
+      render_data_or_redirect('authFailure', {error: @error})
     end
+    protected
+    # this will be determined differently depending on the action that calls
+    # it. redirect_callbacks is called upon returning from successful omniauth
+    # authentication, and the target params live in an omniauth-specific
+    # request.env variable. this variable is then persisted thru the redirect
+    # using our own dta.omniauth.params session var. the omniauth_success
+    # method will access that session var and then destroy it immediately
+    # after use.  In the failure case, finally, the omniauth params
+    # are added as query params in our monkey patch to OmniAuth in engine.rb
+    def omniauth_params
+      if !defined?(@_omniauth_params)
+        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
+          @_omniauth_params = request.env['omniauth.params']
+        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
+          @_omniauth_params ||= session.delete('dta.omniauth.params')
+          @_omniauth_params
+        elsif params['omniauth_window_type']
+          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+        else
+          @_omniauth_params = {}
+        end
+      end
+      @_omniauth_params
+    end
     # break out provider attribute assignment for easy method extension
     def assign_provider_attrs(user, auth_hash)
@@ -155,13 +84,6 @@ module DeviseTokenAuth
       })
     end
-    def omniauth_failure
-      @error = params[:message]
-      render_data_or_redirect('authFailure', {error: @error})
-    end
     # derive allowed params from the standard devise parameter sanitizer
     def whitelisted_params
       whitelist = devise_parameter_sanitizer.for(:sign_up)
@@ -189,31 +111,6 @@ module DeviseTokenAuth
       resource_class
     end
-    # this will be determined differently depending on the action that calls
-    # it. redirect_callbacks is called upon returning from successful omniauth
-    # authentication, and the target params live in an omniauth-specific
-    # request.env variable. this variable is then persisted thru the redirect
-    # using our own dta.omniauth.params session var. the omniauth_success
-    # method will access that session var and then destroy it immediately
-    # after use.  In the failure case, finally, the omniauth params
-    # are added as query params in our monkey patch to OmniAuth in engine.rb
-    def omniauth_params
-      if !defined?(@_omniauth_params)
-        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
-          @_omniauth_params = request.env['omniauth.params']
-        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
-          @_omniauth_params ||= session.delete('dta.omniauth.params')
-          @_omniauth_params
-        elsif params['omniauth_window_type']
-          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
-        else
-          @_omniauth_params = {}
-        end
-      end
-      @_omniauth_params
-    end
     def omniauth_window_type
       omniauth_params['omniauth_window_type']
     end
@@ -251,5 +148,107 @@ module DeviseTokenAuth
       end
     end
+    def set_random_password
+      # set crazy password for new oauth users. this is only used to prevent
+        # access via email sign-in.
+        p = SecureRandom.urlsafe_base64(nil, false)
+        @resource.password = p
+        @resource.password_confirmation = p
+    end
+    def create_token_info
+      # create token info
+      @client_id = SecureRandom.urlsafe_base64(nil, false)
+      @token     = SecureRandom.urlsafe_base64(nil, false)
+      @expiry    = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+      @config    = omniauth_params['config_name']
+    end
+    def create_auth_params
+      @auth_params = {
+        auth_token:     @token,
+        client_id: @client_id,
+        uid:       @resource.uid,
+        expiry:    @expiry,
+        config:    @config
+      }
+      @auth_params.merge!(oauth_registration: true) if @oauth_registration
+      @auth_params
+    end
+    def set_token_on_resource
+      @resource.tokens[@client_id] = {
+        token: BCrypt::Password.create(@token),
+        expiry: @expiry
+      }
+    end
+    def render_data(message, data)
+      @data = data.merge({
+        message: message
+      })
+      render :layout => nil, :template => "devise_token_auth/omniauth_external_window"
+    end
+    def render_data_or_redirect(message, data, user_data = {})
+      # We handle inAppBrowser and newWindow the same, but it is nice
+      # to support values in case people need custom implementations for each case
+      # (For example, nbrustein does not allow new users to be created if logging in with
+      # an inAppBrowser)
+      #
+      # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand
+      # why we can handle these both the same.  The view is setup to handle both cases
+      # at the same time.
+      if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type)
+        render_data(message, user_data.merge(data))
+      elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
+        # build and redirect to destination url
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data)
+      else
+        # there SHOULD always be an auth_origin_url, but if someone does something silly
+        # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
+        # In that case, just render in plain text the error message if there is one or otherwise
+        # a generic message.
+        fallback_render data[:error] || 'An error occurred'
+      end
+    end
+    def fallback_render(text)
+        render inline: %Q|
+            <html>
+                    <head></head>
+                    <body>
+                            #{text}
+                    </body>
+            </html>|
+    end
+    def get_resource_from_auth_hash
+      # find or create user by provider and provider uid
+      @resource = resource_class.where({
+        uid:      auth_hash['uid'],
+        provider: auth_hash['provider']
+      }).first_or_initialize
+      if @resource.new_record?
+        @oauth_registration = true
+        set_random_password
+      end
+      # sync user info with provider, update/generate auth token
+      assign_provider_attrs(@resource, auth_hash)
+      # assign any additional (whitelisted) attributes
+      extra_params = whitelisted_params
+      @resource.assign_attributes(extra_params) if extra_params
+      @resource
+    end
   end
 end