RubyGems - devise_token_auth - Versions diffs - 0.1.38 → 0.1.39 - Mend

devise_token_auth 0.1.38 → 0.1.39

Potentially problematic release.

This version of devise_token_auth might be problematic. Click here for more details.

Files changed (14) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: aa39458371b7528fd21f448db0ee9925c85925c0
-  data.tar.gz: a0eaf377f37b1a5c36ff93df23effaee5747ebb5
+  metadata.gz: 69aefa1a60b35d0639a7ce60d2145992a1421288
+  data.tar.gz: 99d081fe410204ca5b64eb0406a602731d564b4b
 SHA512:
-  metadata.gz: 0cd833a8afc253f5c72622ef1536a10d0fc527ff830c089e3b6c8ce76c909dcd0a084d3c7cc6b563d663c009308043e3b2d8128c60d35dd5e58ba3df4f355d9f
-  data.tar.gz: 29f59819d0a882b8dc83c9ac78f172b8b8e7f20b80b4c361d3867ddff89295be122e0ced3d82e7387f0eaa7ffdfedb911daf685552e272f24d83bfc1bc564cc1
+  metadata.gz: 187e75b7fc83677e77b11cadcdcb7f30ca60e825d246d83a5f68530ca1dd3aa034183f9750efd16b826c4ed83bd50f7b99e6eb48329b4933f5b6e7c7997c1894
+  data.tar.gz: 1b95f3264baece0776433da8f186c2e48a47b52f8308212ed1038c78458e4ddf5fc601560cdb191cc40a504a69d2faaa4cc339e5397094dedaf821dd7ab1c144

data/README.md CHANGED

@@ -136,7 +136,7 @@ The following routes are available for use by your client. These routes live rel
 | path | method | purpose |
 |:-----|:-------|:--------|
 | /    | POST   | Email registration. Requires **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
-| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. |
+| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access_token`** and **`client`** headers. |
 | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. |
 | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. |

data/config/locales/zh-CN.yml ADDED

@@ -0,0 +1,54 @@
+zh-CN:
+  devise_token_auth:
+    sessions:
+      not_confirmed: "您将在几分钟后收到一封电子邮件'%{email}',内有验证账号的步骤说明"
+      bad_credentials: "不正确的登录信息，请重试"
+      not_supported: "请使用 POST /sign_in 进行登录. GET 是不支持的."
+      user_not_found: "没有找到账号或没有成功登录"
+    token_validations:
+      invalid: "不正确的登录资料"
+    registrations:
+      missing_confirm_success_url: "缺少数据 'confirm_success_url'"
+      redirect_url_not_allowed: "不支持转向到 '%{redirect_url}'"
+      email_already_exists: "邮箱'%{email}'已被使用"
+      account_with_uid_destroyed: "账号 '%{uid}' 已被移除。"
+      account_to_destroy_not_found: "无法找到目标帐号。"
+      user_not_found: "找不到帐号。"
+    passwords:
+      missing_email: "必需提供邮箱。"
+      missing_redirect_url: "欠缺 redirect URL."
+      not_allowed_redirect_url: "不支持转向到 '%{redirect_url}'"
+      sended: "您将在几分钟后收到一封电子邮件'%{email}，内含可重新设定密码的链接。"
+      user_not_found: "找不到帐号 '%{email}'。"
+      password_not_required: "这不是一个需要密码的帐号. 请使用 '%{provider}' 进行登入"
+      missing_passwords: "必需填写'密码'与'确认密码'。"
+      successfully_updated: "您的密码已被修改。"
+  errors:
+    messages:
+      already_in_use: "已被使用。"
+      validate_sign_up_params: "请在request body中填入有效的注册内容"
+      validate_account_update_params: "请在request body中填入有效的更新帐号资料"
+      not_email: "这不是一个合适的邮箱。"
+  devise:
+    mailer:
+      confirmation_instructions:
+        confirm_link_msg: "可以使用下面的链接确定你的邮箱"
+        confirm_account_link: "确定你的帐号"
+      reset_password_instructions:
+        request_reset_link_msg: "已申请修改您的密码，你可以用下面的链接进入"
+        password_change_link: "修改我的密码"
+        ignore_mail_msg: "如你没有申请，请忽略"
+        no_changes_msg: "在你点击上面链接前，你的密码都没有改变"
+      unlock_instructions:
+        account_lock_msg: "由于多次登入失败，我们已锁定你的帐号"
+        unlock_link_msg: "可以使用下面的链接解锁你的帐号"
+        unlock_link: "解锁帐号"
+  activerecord:
+    errors:
+      models:
+        user:
+          attributes:
+            email:
+              already_in_use: "邮箱已被使用"
+  hello: "你好"
+  welcome: "欢迎"

data/lib/devise_token_auth/rails/routes.rb CHANGED

@@ -73,8 +73,22 @@ module ActionDispatch::Routing
               set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix)
+              redirect_params = {}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}
+              if DeviseTokenAuth.redirect_whitelist
+                redirect_url = request.params['auth_origin_url']
+                unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url)
+                  message = I18n.t(
+                    'devise_token_auth.registrations.redirect_url_not_allowed',
+                    redirect_url: redirect_url
+                  )
+                  redirect_params['message'] = message
+                  next "#{::OmniAuth.config.path_prefix}/failure?#{redirect_params.to_param}"
+                end
+              end
               # re-construct the path for omniauth
-              "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}"
+              "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
             }, via: [:get]
           end
         end

data/lib/devise_token_auth/version.rb CHANGED

@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.38"
+  VERSION = "0.1.39"
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb CHANGED

@@ -1,4 +1,4 @@
-class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration
+class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration<%= '[' << Rails::VERSION::STRING[0..2] << ']'%>
   def change
     create_table(:<%= user_class.pluralize.underscore %>) do |t|
       ## Required

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb CHANGED

@@ -279,4 +279,46 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       }
     end
   end
+  describe 'Using redirect_whitelist' do
+    before do
+      @user_email = 'slemp.diggler@sillybandz.gov'
+      OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new(
+        provider: 'facebook',
+        uid: '123545',
+        info: {
+          name: 'chong',
+          email: @user_email
+        }
+      )
+      @good_redirect_url = Faker::Internet.url
+      @bad_redirect_url = Faker::Internet.url
+      DeviseTokenAuth.redirect_whitelist = [@good_redirect_url]
+    end
+    teardown do
+      DeviseTokenAuth.redirect_whitelist = nil
+    end
+    test 'request using non-whitelisted redirect fail' do
+      get_via_redirect '/auth/facebook',
+                       auth_origin_url: @bad_redirect_url,
+                       omniauth_window_type: 'newWindow'
+      data_json = @response.body.match(/var data \= (.+)\;/)[1]
+      data = ActiveSupport::JSON.decode(data_json)
+      assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
+                   data['error']
+    end
+    test 'request to whitelisted redirect should succeed' do
+      get_via_redirect '/auth/facebook',
+                       auth_origin_url: @good_redirect_url,
+                       omniauth_window_type: 'newWindow'
+      data_json = @response.body.match(/var data \= (.+)\;/)[1]
+      data = ActiveSupport::JSON.decode(data_json)
+      assert_equal @user_email, data['email']
+    end
+  end
 end

data/test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb ADDED

@@ -0,0 +1,5 @@
+<p><%= t(:welcome).capitalize + ' ' + @email %>!</p>
+<p><%= t '.confirm_link_msg' %> </p>
+<p><%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %></p>

data/test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb ADDED

@@ -0,0 +1,8 @@
+<p><%= t(:hello).capitalize %> <%= @resource.email %>!</p>
+<p><%= t '.request_reset_link_msg' %></p>
+<p><%= link_to t('.password_change_link'), edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %></p>
+<p><%= t '.ignore_mail_msg' %></p>
+<p><%= t '.no_changes_msg' %></p>

data/test/lib/generators/devise_token_auth/install_generator_test.rb CHANGED

@@ -28,6 +28,10 @@ module DeviseTokenAuth
         assert_migration 'db/migrate/devise_token_auth_create_users.rb'
       end
+      test 'migration file contains rails version' do
+        assert_migration 'db/migrate/devise_token_auth_create_users.rb', /4.2/
+      end
       test 'subsequent runs raise no errors' do
         run_generator
       end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.38
+  version: 0.1.39
 platform: ruby
 authors:
 - Lynn Hurley
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-07-11 00:00:00.000000000 Z
+date: 2016-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -122,6 +122,7 @@ files:
 - config/locales/pt-BR.yml
 - config/locales/pt.yml
 - config/locales/ru.yml
+- config/locales/zh-CN.yml
 - config/locales/zh-HK.yml
 - config/locales/zh-TW.yml
 - lib/devise_token_auth.rb
@@ -221,9 +222,8 @@ files:
 - test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb
 - test/dummy/db/schema.rb
 - test/dummy/lib/migration_database_helper.rb
-- test/dummy/tmp/generators/app/models/user.rb
-- test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20160711201448_devise_token_auth_create_users.rb
+- test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb
+- test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb
 - test/integration/navigation_test.rb
 - test/lib/devise_token_auth/url_test.rb
 - test/lib/generators/devise_token_auth/install_generator_test.rb
@@ -339,9 +339,8 @@ test_files:
 - test/dummy/db/schema.rb
 - test/dummy/lib/migration_database_helper.rb
 - test/dummy/README.rdoc
-- test/dummy/tmp/generators/app/models/user.rb
-- test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20160711201448_devise_token_auth_create_users.rb
+- test/dummy/tmp/generators/app/views/devise/mailer/confirmation_instructions.html.erb
+- test/dummy/tmp/generators/app/views/devise/mailer/reset_password_instructions.html.erb
 - test/integration/navigation_test.rb
 - test/lib/devise_token_auth/url_test.rb
 - test/lib/generators/devise_token_auth/install_generator_test.rb

data/test/dummy/tmp/generators/app/models/user.rb DELETED

@@ -1,7 +0,0 @@
-class User < ActiveRecord::Base
-  # Include default devise modules.
-  devise :database_authenticatable, :registerable,
-          :recoverable, :rememberable, :trackable, :validatable,
-          :confirmable, :omniauthable
-  include DeviseTokenAuth::Concerns::User
-end

data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb DELETED

@@ -1,48 +0,0 @@
-DeviseTokenAuth.setup do |config|
-  # By default the authorization headers will change after each request. The
-  # client is responsible for keeping track of the changing tokens. Change
-  # this to false to prevent the Authorization header from changing after
-  # each request.
-  # config.change_headers_on_each_request = true
-  # By default, users will need to re-authenticate after 2 weeks. This setting
-  # determines how long tokens will remain valid after they are issued.
-  # config.token_lifespan = 2.weeks
-  # Sets the max number of concurrent devices per user, which is 10 by default.
-  # After this limit is reached, the oldest tokens will be removed.
-  # config.max_number_of_devices = 10
-  # Sometimes it's necessary to make several requests to the API at the same
-  # time. In this case, each request in the batch will need to share the same
-  # auth token. This setting determines how far apart the requests can be while
-  # still using the same auth token.
-  # config.batch_request_buffer_throttle = 5.seconds
-  # This route will be the prefix for all oauth2 redirect callbacks. For
-  # example, using the default '/omniauth', the github oauth2 provider will
-  # redirect successful authentications to '/omniauth/github/callback'
-  # config.omniauth_prefix = "/omniauth"
-  # By default sending current password is not needed for the password update.
-  # Uncomment to enforce current_password param to be checked before all
-  # attribute updates. Set it to :password if you want it to be checked only if
-  # password is updated.
-  # config.check_current_password_before_update = :attributes
-  # By default we will use callbacks for single omniauth.
-  # It depends on fields like email, provider and uid.
-  # config.default_callbacks = true
-  # Makes it possible to change the headers names
-  # config.headers_names = {:'access-token' => 'access-token',
-  #                        :'client' => 'client',
-  #                        :'expiry' => 'expiry',
-  #                        :'uid' => 'uid',
-  #                        :'token-type' => 'token-type' }
-  # By default, only Bearer Token authentication is implemented out of the box.
-  # If, however, you wish to integrate with legacy Devise authentication, you can
-  # do so by enabling this flag. NOTE: This feature is highly experimental!
-  # config.enable_standard_devise_support = false
-end

data/test/dummy/tmp/generators/db/migrate/20160711201448_devise_token_auth_create_users.rb DELETED

@@ -1,54 +0,0 @@
-class DeviseTokenAuthCreateUsers < ActiveRecord::Migration
-  def change
-    create_table(:users) do |t|
-      ## Required
-      t.string :provider, :null => false, :default => "email"
-      t.string :uid, :null => false, :default => ""
-      ## Database authenticatable
-      t.string :encrypted_password, :null => false, :default => ""
-      ## Recoverable
-      t.string   :reset_password_token
-      t.datetime :reset_password_sent_at
-      ## Rememberable
-      t.datetime :remember_created_at
-      ## Trackable
-      t.integer  :sign_in_count, :default => 0, :null => false
-      t.datetime :current_sign_in_at
-      t.datetime :last_sign_in_at
-      t.string   :current_sign_in_ip
-      t.string   :last_sign_in_ip
-      ## Confirmable
-      t.string   :confirmation_token
-      t.datetime :confirmed_at
-      t.datetime :confirmation_sent_at
-      t.string   :unconfirmed_email # Only if using reconfirmable
-      ## Lockable
-      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
-      # t.string   :unlock_token # Only if unlock strategy is :email or :both
-      # t.datetime :locked_at
-      ## User Info
-      t.string :name
-      t.string :nickname
-      t.string :image
-      t.string :email
-      ## Tokens
-      t.text :tokens
-      t.timestamps
-    end
-    add_index :users, :email
-    add_index :users, [:uid, :provider],     :unique => true
-    add_index :users, :reset_password_token, :unique => true
-    # add_index :users, :confirmation_token,   :unique => true
-    # add_index :users, :unlock_token,         :unique => true
-  end
-end