devise_token_auth 0.1.37 → 0.1.38

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7cb47a5fba41d7ebd8bc1d0c8f3ca0efb1895de7
-  data.tar.gz: f249fd363679cb78330361b84b73538c897cf148
+  metadata.gz: aa39458371b7528fd21f448db0ee9925c85925c0
+  data.tar.gz: a0eaf377f37b1a5c36ff93df23effaee5747ebb5
 SHA512:
-  metadata.gz: 70f0be0bdf639d61b7f508d402b13c859250439fd11d9d18332b72c1e8a3a676ed151b90743cb43984e31b14237ad385e333f4672f3cbdc968043e50f09de611
-  data.tar.gz: e53a3f7c326d34c265fe99087441d299f19c711e408f62cae81a486258613c2a40b7eecbb6e9b42b9aa83f09d6bc02d2fc78d30d38d9116ba842f060217796cf
+  metadata.gz: 0cd833a8afc253f5c72622ef1536a10d0fc527ff830c089e3b6c8ce76c909dcd0a084d3c7cc6b563d663c009308043e3b2d8128c60d35dd5e58ba3df4f355d9f
+  data.tar.gz: 29f59819d0a882b8dc83c9ac78f172b8b8e7f20b80b4c361d3867ddff89295be122e0ced3d82e7387f0eaa7ffdfedb911daf685552e272f24d83bfc1bc564cc1

data/README.md

@@ -139,7 +139,7 @@ The following routes are available for use by your client. These routes live rel
 | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. |
 | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. |
-| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. |
+| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. |
 | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). |
 | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). |
 | /validate_token | GET | Use this route to validate tokens on return visits to the client. Requires **`uid`**, **`client`**, and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. |
@@ -166,6 +166,7 @@ The following settings are available for configuration in `config/initializers/d
 | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. |
 | **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! |
 | **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. |
+| **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. |
 
 
 Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file:
@@ -781,7 +782,7 @@ Yes! But you will need to enable the support use separate routes for standard De
 #### config/initializers/devise_token_auth.rb
 ~~~ruby
 DeviseTokenAuth.setup do |config|
-  # enable_standard_devise_support = false
+  # config.enable_standard_devise_support = false
 end
 ~~~
 
@@ -844,7 +845,7 @@ These measures are taken by default when using this gem.
 
 ## About batch requests
 
-By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's neccessary to make several concurrent requests to the API, for example:
+By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's necessary to make several concurrent requests to the API, for example:
 
 #####Batch request example
 ~~~javascript

data/app/controllers/devise_token_auth/application_controller.rb

@@ -2,9 +2,24 @@ module DeviseTokenAuth
   class ApplicationController < DeviseController
     include DeviseTokenAuth::Concerns::SetUserByToken
 
+    def resource_data(opts={})
+      response_data = opts[:resource_json] || @resource.as_json
+      if is_json_api
+        response_data['type'] = @resource.class.name.parameterize
+      end
+      response_data
+    end
+
+    def resource_errors
+      return @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+    end
+
     protected
 
     def params_for_resource(resource)
+      devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
+        params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?
+      end
       devise_parameter_sanitizer.instance_values['permitted'][resource]
     end
 
@@ -17,5 +32,14 @@ module DeviseTokenAuth
 
       mapping.to
     end
+
+    def is_json_api
+      return false unless defined?(ActiveModel::Serializer)
+      return ActiveModel::Serializer.setup do |config|
+        config.adapter == :json_api
+      end if ActiveModel::Serializer.respond_to?(:setup)
+      return ActiveModelSerializers.config.adapter == :json_api
+    end
+
   end
 end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -23,10 +23,15 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # no default user defined
     return unless rc
 
+    #gets the headers names, which was set in the initialize file
+    uid_name = DeviseTokenAuth.headers_names[:'uid']
+    access_token_name = DeviseTokenAuth.headers_names[:'access-token']
+    client_name = DeviseTokenAuth.headers_names[:'client']
+
     # parse header for values necessary for authentication
-    uid        = request.headers['uid'] || params['uid']
-    @token     = request.headers['access-token'] || params['access-token']
-    @client_id = request.headers['client'] || params['client']
+    uid        = request.headers[uid_name] || params[uid_name]
+    @token     ||= request.headers[access_token_name] || params[access_token_name]
+    @client_id ||= request.headers[client_name] || params[client_name]
 
     # client_id isn't required, set to 'default' if absent
     @client_id ||= 'default'
@@ -56,7 +61,12 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     user = uid && rc.find_by_uid(uid)
 
     if user && user.valid_token?(@token, @client_id)
-      sign_in(:user, user, store: false, bypass: true)
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if self.respond_to? :bypass_sign_in
+        bypass_sign_in(user, scope: :user)
+      else
+        sign_in(:user, user, store: false, bypass: true)
+      end
       return @resource = user
     else
       # zero all values previously set values
@@ -74,6 +84,10 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @client_id = nil unless @used_auth_by_token
 
     if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @resource.reload.tokens[@client_id].nil?
+
       auth_header = @resource.build_auth_header(@token, @client_id)
 
       # update the response header
@@ -84,6 +98,9 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # Lock the user record during any auth_header updates to ensure
       # we don't have write contention from multiple threads
       @resource.with_lock do
+        # should not append auth header if @resource related token was
+        # cleared by sign out in the meantime
+        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
 
         # determine batch request status after request processing, in case
         # another processes has updated it during that processing

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -17,7 +17,7 @@ module DeviseTokenAuth
 
         @resource.save!
 
-        yield if block_given?
+        yield @resource if block_given?
 
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:                        token,

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -2,7 +2,7 @@ module DeviseTokenAuth
   class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
 
     attr_reader :auth_params
-    skip_before_action :set_user_by_token
+    skip_before_action :set_user_by_token, raise: false
     skip_after_action :update_auth_header
 
     # intermediary route for successful omniauth authentication. omniauth does
@@ -11,8 +11,9 @@ module DeviseTokenAuth
 
       # derive target redirect route from 'resource_class' param, which was set
       # before authentication.
-      devise_mapping = request.env['omniauth.params']['resource_class'].underscore.gsub("/", "_").to_sym
-      redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].fullpath}/#{params[:provider]}/callback"
+      devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+      redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
 
       # preserve omniauth info for success route. ignore 'extra' in twitter
       # auth response to avoid CookieOverflow.
@@ -37,7 +38,7 @@ module DeviseTokenAuth
 
       @resource.save!
 
-      yield if block_given?
+      yield @resource if block_given?
 
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
@@ -142,7 +143,8 @@ module DeviseTokenAuth
     # necessary for access to devise_parameter_sanitizers
     def devise_mapping
       if omniauth_params
-        Devise.mappings[omniauth_params['resource_class'].underscore.to_sym]
+        Devise.mappings[[omniauth_params['namespace_name'],
+                         omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
       else
         request.env['devise.mapping']
       end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -47,7 +47,7 @@ module DeviseTokenAuth
       @error_status = 400
 
       if @resource
-        yield if block_given?
+        yield @resource if block_given?
         @resource.send_reset_password_instructions({
           email: @email,
           provider: 'email',
@@ -94,7 +94,7 @@ module DeviseTokenAuth
         @resource.allow_password_change = true;
 
         @resource.save!
-        yield if block_given?
+        yield @resource if block_given?
 
         redirect_to(@resource.build_auth_url(params[:redirect_url], {
           token:          token,
@@ -126,7 +126,7 @@ module DeviseTokenAuth
       if @resource.send(resource_update_method, password_resource_params)
         @resource.allow_password_change = false
 
-        yield if block_given?
+        yield @resource if block_given?
         return render_update_success
       else
         return render_update_error
@@ -160,14 +160,15 @@ module DeviseTokenAuth
     def render_create_error_not_allowed_redirect_url
       render json: {
         status: 'error',
-        data:   @resource.as_json,
+        data:   resource_data,
         errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)]
-      }, status: 403
+      }, status: 422
     end
 
     def render_create_success
       render json: {
         success: true,
+        data: resource_data,
         message: I18n.t("devise_token_auth.passwords.sended", email: @email)
       }
     end
@@ -207,17 +208,15 @@ module DeviseTokenAuth
     def render_update_success
       render json: {
         success: true,
-        data: {
-          user: @resource,
-          message: I18n.t("devise_token_auth.passwords.successfully_updated")
-        }
+        data: resource_data,
+        message: I18n.t("devise_token_auth.passwords.successfully_updated")
       }
     end
 
     def render_update_error
       return render json: {
         success: false,
-        errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+        errors: resource_errors
       }, status: 422
     end
 

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -110,54 +110,54 @@ module DeviseTokenAuth
     def render_create_error_missing_confirm_success_url
       render json: {
         status: 'error',
-        data:   @resource.as_json,
+        data:   resource_data,
         errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")]
-      }, status: 403
+      }, status: 422
     end
 
     def render_create_error_redirect_url_not_allowed
       render json: {
         status: 'error',
-        data:   @resource.as_json,
+        data:   resource_data,
         errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @redirect_url)]
-      }, status: 403
+      }, status: 422
     end
 
     def render_create_success
       render json: {
         status: 'success',
-        data:   @resource.as_json
+        data:   resource_data
       }
     end
 
     def render_create_error
       render json: {
         status: 'error',
-        data:   @resource.as_json,
-        errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
-      }, status: 403
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
     end
 
     def render_create_error_email_already_exists
       render json: {
         status: 'error',
-        data:   @resource.as_json,
+        data:   resource_data,
         errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)]
-      }, status: 403
+      }, status: 422
     end
 
     def render_update_success
       render json: {
         status: 'success',
-        data:   @resource.as_json
+        data:   resource_data
       }
     end
 
     def render_update_error
       render json: {
         status: 'error',
-        errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
-      }, status: 403
+        errors: resource_errors
+      }, status: 422
     end
 
     def render_update_error_user_not_found

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -42,7 +42,7 @@ module DeviseTokenAuth
 
         sign_in(:user, @resource, store: false, bypass: false)
 
-        yield if block_given?
+        yield @resource if block_given?
 
         render_create_success
       elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
@@ -62,7 +62,7 @@ module DeviseTokenAuth
         user.tokens.delete(client_id)
         user.save!
 
-        yield if block_given?
+        yield user if block_given?
 
         render_destroy_success
       else
@@ -108,7 +108,7 @@ module DeviseTokenAuth
 
     def render_create_success
       render json: {
-        data: @resource.token_validation_response
+        data: resource_data(resource_json: @resource.token_validation_response)
       }
     end
 

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -6,19 +6,19 @@ module DeviseTokenAuth
     def validate_token
       # @resource will have been set by set_user_token concern
       if @resource
-        yield if block_given?
+        yield @resource if block_given?
         render_validate_token_success
       else
         render_validate_token_error
       end
     end
 
-    protected 
+    protected
 
     def render_validate_token_success
       render json: {
         success: true,
-        data: @resource.token_validation_response
+        data: resource_data(resource_json: @resource.token_validation_response)
       }
     end
 

data/app/models/devise_token_auth/concerns/user.rb

@@ -27,20 +27,14 @@ module DeviseTokenAuth::Concerns::User
       serialize :tokens, JSON
     end
 
-    validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' }
-    validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' }
-
-    # only validate unique emails among email registration users
-    validate :unique_email_user, on: :create
+    if DeviseTokenAuth.default_callbacks
+      include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+    end
 
     # can't set default on text fields in mysql, simulate here instead.
     after_save :set_empty_token_hash
     after_initialize :set_empty_token_hash
 
-    # keep uid in sync with email
-    before_save :sync_uid
-    before_create :sync_uid
-
     # get rid of dead tokens
     before_save :destroy_expired_tokens
 
@@ -76,6 +70,7 @@ module DeviseTokenAuth::Concerns::User
       if pending_reconfirmation?
         opts[:to] = unconfirmed_email
       end
+      opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url
 
       send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
     end
@@ -182,14 +177,6 @@ module DeviseTokenAuth::Concerns::User
       updated_at: Time.now
     }
 
-    max_clients = DeviseTokenAuth.max_number_of_devices
-    while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length
-      oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] }
-      self.tokens.delete(oldest_token.first)
-    end
-
-    self.save!
-
     return build_auth_header(token, client_id)
   end
 
@@ -201,12 +188,20 @@ module DeviseTokenAuth::Concerns::User
     # must be cast as string or headers will break
     expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]
 
+    max_clients = DeviseTokenAuth.max_number_of_devices
+    while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length
+      oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] }
+      self.tokens.delete(oldest_token.first)
+    end
+
+    self.save!
+
     return {
-      "access-token" => token,
-      "token-type"   => "Bearer",
-      "client"       => client_id,
-      "expiry"       => expiry.to_s,
-      "uid"          => self.uid
+      DeviseTokenAuth.headers_names[:"access-token"] => token,
+      DeviseTokenAuth.headers_names[:"token-type"]   => "Bearer",
+      DeviseTokenAuth.headers_names[:"client"]       => client_id,
+      DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
+      DeviseTokenAuth.headers_names[:"uid"]          => self.uid
     }
   end
 
@@ -221,7 +216,6 @@ module DeviseTokenAuth::Concerns::User
 
   def extend_batch_buffer(token, client_id)
     self.tokens[client_id]['updated_at'] = Time.now
-    self.save!
 
     return build_auth_header(token, client_id)
   end
@@ -239,21 +233,10 @@ module DeviseTokenAuth::Concerns::User
 
   protected
 
-  # only validate unique email among users that registered by email
-  def unique_email_user
-    if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0
-      errors.add(:email, I18n.t("errors.messages.already_in_use"))
-    end
-  end
-
   def set_empty_token_hash
     self.tokens ||= {} if has_attribute?(:tokens)
   end
 
-  def sync_uid
-    self.uid = email if provider == 'email'
-  end
-
   def destroy_expired_tokens
     if self.tokens
       self.tokens.delete_if do |cid, v|
@@ -270,7 +253,7 @@ module DeviseTokenAuth::Concerns::User
 
     if should_remove_old_tokens
       latest_token = self.tokens.max_by { |cid, v| v[:expiry] || v["expiry"] }
-      self.tokens = {latest_token.first => latest_token.last}
+      self.tokens = { latest_token.first => latest_token.last }
     end
   end