devise_token_auth 0.1.43.beta1 → 0.1.43

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 49f4bcdd5d7a311223110f453bd4575fe89768e0
-  data.tar.gz: f6ccefa63103a9da877b9872a2f23aa26ce5bbf0
+  metadata.gz: d76ab61068684b190f5e9ced53aaf80a61de83ac
+  data.tar.gz: 0617315c78c9bf77b2c35385585453699cbee307
 SHA512:
-  metadata.gz: bd75219ef40a2a64ed0cba0f57631b2d097c7d0187ae596d3db16b9b59f38fa8ae47edc7c87627ff65c4f3e5f1c0c626b610cb6d585c310f37a023709838dd0d
-  data.tar.gz: 66658c65532b7271c542302f75c2798db7f6bd425fc642ad70f67ca7f9d3dd6869ca0199df6d911fa2eced7a6fdba8997f30775193143b40634d6959e38c6945
+  metadata.gz: 4f13d725883dca5733e9c93365ccd59ff36ba66e4e14d8804128c9a5619b988c78fb5188d5fda88b381e68d293f85b477403096d9a34c561d366cd7ced2b1400
+  data.tar.gz: 3157a019543604074cfcd411c1742ac3731356f080303d6176106f7f2daf998b30fbc7a0236da09181252017ebcbd8d5aa817ec6b351459bb70878caf6cfcaba

data/README.md

@@ -11,6 +11,7 @@ See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_toke
 [![Code Climate](http://img.shields.io/codeclimate/github/lynndylanhurley/devise_token_auth.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth)
 [![Test Coverage](http://img.shields.io/codeclimate/coverage/github/lynndylanhurley/devise_token_auth.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth)
 [![Dependency Status](https://gemnasium.com/lynndylanhurley/devise_token_auth.svg)](https://gemnasium.com/lynndylanhurley/devise_token_auth)
+[![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth)
 
 ## Simple, secure token based authentication for Rails.
 
@@ -21,6 +22,7 @@ This gem provides the following features:
 * Seamless integration with:
   * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js)
   * [Angular2-Token](https://github.com/neroniaky/angular2-token) for [Angular2](https://github.com/angular/angular)
+  * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
 * Email authentication using [Devise](https://github.com/plataformatec/devise), including:
@@ -69,6 +71,7 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is
   * [Testing](#testing)
 * [Issue Reporting Guidelines](#issue-reporting)
 * [FAQ](#faq)
+  * [Can I use this gem alongside standard Devise?](#can-i-use-this-gem-alongside-standard-devise)
 * [Conceptual Diagrams](#conceptual)
   * [Token Management](#about-token-management)
   * [Batch Requests](#about-batch-requests)
@@ -179,6 +182,7 @@ The following settings are available for configuration in `config/initializers/d
 | **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! |
 | **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. |
 | **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. |
+| **`bypass_sign_in`** | `true` | By default DeviseTokenAuth will not check user's `#active_for_authentication?` which includes confirmation check on each call (it will do it only on sign in). If you want it to be validated on each request (for example, to be able to deactivate logged in users on the fly), set it to false. |
 
 
 Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file:

data/Rakefile

@@ -28,6 +28,7 @@ Rake::TestTask.new(:test) do |t|
   t.libs << 'test'
   t.pattern = 'test/**/*_test.rb'
   t.verbose = false
+  t.warning = false
 end
 
 

data/app/controllers/devise_token_auth/application_controller.rb

@@ -5,7 +5,7 @@ module DeviseTokenAuth
 
     def resource_data(opts={})
       response_data = opts[:resource_json] || @resource.as_json
-      if is_json_api
+      if json_api?
         response_data['type'] = @resource.class.name.parameterize
       end
       response_data
@@ -48,7 +48,7 @@ module DeviseTokenAuth
       mapping.to
     end
 
-    def is_json_api
+    def json_api?
       return false unless defined?(ActiveModel::Serializer)
       return ActiveModel::Serializer.setup do |config|
         config.adapter == :json_api
@@ -56,5 +56,21 @@ module DeviseTokenAuth
       return ActiveModelSerializers.config.adapter == :json_api
     end
 
+    def recoverable_enabled?
+      resource_class.devise_modules.include?(:recoverable)
+    end
+
+    def confirmable_enabled?
+      resource_class.devise_modules.include?(:confirmable)
+    end
+
+    def render_error(status, message, data = nil)
+      response = {
+        success: false,
+        errors: [message]
+      }
+      response = response.merge(data) if data
+      render json: response, status: status
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -9,6 +9,11 @@ module DeviseTokenAuth::Concerns::ResourceFinder
     if resource_class.case_insensitive_keys.include?(field.to_sym)
       q_value.downcase!
     end
+
+    if resource_class.strip_whitespace_keys.include?(field.to_sym)
+      q_value.strip!
+    end
+
     q_value
   end
 

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -21,6 +21,18 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @is_batch_request = nil
   end
 
+  def ensure_pristine_resource
+    if @resource.changed?
+      # Stash pending changes in the resource before reloading.
+      changes = @resource.changes
+      @resource.reload
+    end
+    yield
+  ensure
+    # Reapply pending changes
+    @resource.assign_attributes(changes) if changes
+  end
+
   # user auth
   def set_user_by_token(mapping=nil)
     # determine target authentication class
@@ -68,10 +80,10 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     if user && user.valid_token?(@token, @client_id)
       # sign_in with bypass: true will be deprecated in the next version of Devise
-      if self.respond_to? :bypass_sign_in
+      if self.respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
         bypass_sign_in(user, scope: :user)
       else
-        sign_in(:user, user, store: false, bypass: true)
+        sign_in(:user, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
       end
       return @resource = user
     else
@@ -100,42 +112,43 @@ module DeviseTokenAuth::Concerns::SetUserByToken
 
     else
 
-      # Lock the user record during any auth_header updates to ensure
-      # we don't have write contention from multiple threads
-      @resource.with_lock do
-        # should not append auth header if @resource related token was
-        # cleared by sign out in the meantime
-        return if @used_auth_by_token && @resource.tokens[@client_id].nil?
-
-        # determine batch request status after request processing, in case
-        # another processes has updated it during that processing
-        @is_batch_request = is_batch_request?(@resource, @client_id)
-
-        auth_header = {}
-
-        # extend expiration of batch buffer to account for the duration of
-        # this request
-        if @is_batch_request
-          auth_header = @resource.extend_batch_buffer(@token, @client_id)
-
-          # Do not return token for batch requests to avoid invalidated
-          # tokens returned to the client in case of race conditions.
-          # Use a blank string for the header to still be present and
-          # being passed in a XHR response in case of
-          # 304 Not Modified responses.
-          auth_header[DeviseTokenAuth.headers_names[:"access-token"]] = ' '
-          auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
-
-        # update Authorization response header with new token
-        else
-          auth_header = @resource.create_new_auth_token(@client_id)
-        end
-
-        # update the response header
-        response.headers.merge!(auth_header)
-
-      end # end lock
-
+      ensure_pristine_resource do
+        # Lock the user record during any auth_header updates to ensure
+        # we don't have write contention from multiple threads
+        @resource.with_lock do
+          # should not append auth header if @resource related token was
+          # cleared by sign out in the meantime
+          return if @used_auth_by_token && @resource.tokens[@client_id].nil?
+
+          # determine batch request status after request processing, in case
+          # another processes has updated it during that processing
+          @is_batch_request = is_batch_request?(@resource, @client_id)
+
+          auth_header = {}
+
+          # extend expiration of batch buffer to account for the duration of
+          # this request
+          if @is_batch_request
+            auth_header = @resource.extend_batch_buffer(@token, @client_id)
+
+            # Do not return token for batch requests to avoid invalidated
+            # tokens returned to the client in case of race conditions.
+            # Use a blank string for the header to still be present and
+            # being passed in a XHR response in case of
+            # 304 Not Modified responses.
+            auth_header[DeviseTokenAuth.headers_names[:"access-token"]] = ' '
+            auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
+
+          # update Authorization response header with new token
+          else
+            auth_header = @resource.create_new_auth_token(@client_id)
+          end
+
+          # update the response header
+          response.headers.merge!(auth_header)
+
+        end # end lock
+      end # end ensure_pristine_resource
     end
 
   end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -4,20 +4,12 @@ module DeviseTokenAuth
       @resource = resource_class.confirm_by_token(params[:confirmation_token])
 
       if @resource && @resource.id
-        # create client id
-        client_id  = SecureRandom.urlsafe_base64(nil, false)
-        token      = SecureRandom.urlsafe_base64(nil, false)
-        token_hash = BCrypt::Password.create(token)
-        expiry     = (Time.now + @resource.token_lifespan).to_i
-
-        if @resource.sign_in_count > 0
+        expiry = nil
+        if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
           expiry = (Time.now + 1.second).to_i
         end
 
-        @resource.tokens[client_id] = {
-          token:  token_hash,
-          expiry: expiry
-        }
+        client_id, token = @resource.create_token expiry: expiry
 
         sign_in(@resource)
         @resource.save!

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -27,11 +27,10 @@ module DeviseTokenAuth
 
     def omniauth_success
       get_resource_from_auth_hash
-      create_token_info
       set_token_on_resource
       create_auth_params
 
-      if resource_class.devise_modules.include?(:confirmable)
+      if confirmable_enabled?
         # don't send confirmation email!!!
         @resource.skip_confirmation!
       end
@@ -156,14 +155,6 @@ module DeviseTokenAuth
         @resource.password_confirmation = p
     end
 
-    def create_token_info
-      # create token info
-      @client_id = SecureRandom.urlsafe_base64(nil, false)
-      @token     = SecureRandom.urlsafe_base64(nil, false)
-      @expiry    = (Time.now + @resource.token_lifespan).to_i
-      @config    = omniauth_params['config_name']
-    end
-
     def create_auth_params
       @auth_params = {
         auth_token:     @token,
@@ -177,10 +168,8 @@ module DeviseTokenAuth
     end
 
     def set_token_on_resource
-      @resource.tokens[@client_id] = {
-        token: BCrypt::Password.create(@token),
-        expiry: @expiry
-      }
+      @config = omniauth_params['config_name']
+      @client_id, @token, @expiry = @resource.create_token
     end
 
     def render_data(message, data)

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -30,9 +30,6 @@ module DeviseTokenAuth
       @email = get_case_insensitive_field_from_resource_params(:email)
       @resource = find_resource(:uid, @email)
 
-      @errors = nil
-      @error_status = 400
-
       if @resource
         yield @resource if block_given?
         @resource.send_reset_password_instructions({
@@ -45,41 +42,26 @@ module DeviseTokenAuth
         if @resource.errors.empty?
           return render_create_success
         else
-          @errors = @resource.errors
+          render_create_error @resource.errors
         end
       else
-        @errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: @email)]
-        @error_status = 404
-      end
-
-      if @errors
-        return render_create_error
+        render_not_found_error
       end
     end
 
     # this is where users arrive after visiting the password reset confirmation link
     def edit
       # if a user is not found, return nil
-      @resource = resource_class.with_reset_password_token(
-        resource_params[:reset_password_token]
-      )
+      @resource = with_reset_password_token(resource_params[:reset_password_token])
 
-      if @resource
-        client_id  = SecureRandom.urlsafe_base64(nil, false)
-        token      = SecureRandom.urlsafe_base64(nil, false)
-        token_hash = BCrypt::Password.create(token)
-        expiry     = (Time.now + @resource.token_lifespan).to_i
-
-        @resource.tokens[client_id] = {
-          token:  token_hash,
-          expiry: expiry
-        }
+      if @resource && @resource.reset_password_period_valid?
+        client_id, token = @resource.create_token
 
         # ensure that user is confirmed
-        @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
+        @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
 
         # allow user to change password once without current_password
-        @resource.allow_password_change = true;
+        @resource.allow_password_change = true if recoverable_enabled?
 
         @resource.save!
 
@@ -113,7 +95,7 @@ module DeviseTokenAuth
       end
 
       if @resource.send(resource_update_method, password_resource_params)
-        @resource.allow_password_change = false
+        @resource.allow_password_change = false if recoverable_enabled?
         @resource.save!
 
         yield @resource if block_given?
@@ -126,7 +108,8 @@ module DeviseTokenAuth
     protected
 
     def resource_update_method
-      if DeviseTokenAuth.check_current_password_before_update == false or @resource.allow_password_change == true
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
         "update_attributes"
       else
         "update_with_password"
@@ -134,25 +117,20 @@ module DeviseTokenAuth
     end
 
     def render_create_error_missing_email
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.passwords.missing_email")]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_email"))
     end
 
     def render_create_error_missing_redirect_url
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")]
-      }, status: 401
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_redirect_url"))
     end
 
     def render_create_error_not_allowed_redirect_url
-      render json: {
+      response = {
         status: 'error',
-        data:   resource_data,
-        errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)]
-      }, status: 422
+        data:   resource_data
+      }
+      message = I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)
+      render_error(422, message, response)
     end
 
     def render_create_success
@@ -162,11 +140,11 @@ module DeviseTokenAuth
       }
     end
 
-    def render_create_error
+    def render_create_error(errors)
       render json: {
         success: false,
-        errors: @errors,
-      }, status: @error_status
+        errors: errors,
+      }, status: 400
     end
 
     def render_edit_error
@@ -174,24 +152,15 @@ module DeviseTokenAuth
     end
 
     def render_update_error_unauthorized
-      render json: {
-        success: false,
-        errors: ['Unauthorized']
-      }, status: 401
+      render_error(401, 'Unauthorized')
     end
 
     def render_update_error_password_not_required
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)]
-      }, status: 422
+      render_error(422, I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize))
     end
 
     def render_update_error_missing_password
-      render json: {
-        success: false,
-        errors: [I18n.t("devise_token_auth.passwords.missing_passwords")]
-      }, status: 422
+      render_error(422, I18n.t("devise_token_auth.passwords.missing_passwords"))
     end
 
     def render_update_success
@@ -212,12 +181,22 @@ module DeviseTokenAuth
     private
 
     def resource_params
-      params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token, :redirect_url, :config)
+      params.permit(:email, :reset_password_token)
     end
 
     def password_resource_params
       params.permit(*params_for_resource(:account_update))
     end
 
+    def with_reset_password_token token
+      recoverable = resource_class.with_reset_password_token(token)
+
+      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
+      recoverable
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t("devise_token_auth.passwords.user_not_found", email: @email))
+    end
   end
 end