devise_token_auth 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5baf8b0a539be2dcf9b1add5ee2dfaac82753127a6180500c653e7d710c04da3
-  data.tar.gz: 794584507c533b59b88c724c810f7099d06221ff35faab7ee558f92d6849688e
+  metadata.gz: 25a0c261827b5f9e1f7dccc40b782a5321d34c50a730fac7bdf9f2c281c397d9
+  data.tar.gz: dfee96bd1789d025ea52a83573d90d0ae784e4c63723d2ea864d17eea8fdbaf3
 SHA512:
-  metadata.gz: 58f70c5a715ef337e2d949261f0c774f020831f9755d12fc37b04ca4cba2e416080658946bdb95f5fc1625a3a53c3836202b9e9842dbf420363959be163786cc
-  data.tar.gz: 8991c6cea21651fff0c98561ac6004bd4a75e04e78ad1af749c04e71fcb9caf8ebb19255ecb78ae91e610b6db05d878d9cf41492560941ea131bcefb7ea0bc0b
+  metadata.gz: e68ff8599b70eebdfb2eceab3f76fce22a5cac1976234f485a58363c3821815e541982523f8ff08cd35677e794b507a10c5239c718dd033dc799f5594de0877a
+  data.tar.gz: d48ee0ebfa6a9117f1dbcb96180c4a6d06436ba3b555b75899da653115332fa2e69090cdb11ae8d1df3617f799a3e04547ac12bb45e0d148a49a52ac63b6c072

data/README.md

@@ -65,6 +65,8 @@ Please read the [issue template](https://github.com/lynndylanhurley/devise_token
 
 See our [Contribution Guidelines](https://github.com/lynndylanhurley/devise_token_auth/blob/master/.github/CONTRIBUTING.md). Feel free to submit pull requests, review pull requests, or review open issues. If you'd like to get in contact, [Zach Feldman](https://github.com/zachfeldman) has been wrangling this effort, you can reach him with his name @gmail. Further discussion of this in [this issue](https://github.com/lynndylanhurley/devise_token_auth/issues/969).
 
+We have some bounties for some issues, [check them out](https://github.com/lynndylanhurley/devise_token_auth/issues?q=is%3Aopen+is%3Aissue+label%3Abounty)!
+
 ## Live Demos
 
 [Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js).

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -17,9 +17,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @used_auth_by_token = true
 
     # initialize instance variables
-    @client_id ||= nil
+    @token = DeviseTokenAuth::TokenFactory.new
     @resource ||= nil
-    @token ||= nil
     @is_batch_request ||= nil
   end
 
@@ -37,17 +36,18 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     client_name = DeviseTokenAuth.headers_names[:'client']
 
     # parse header for values necessary for authentication
-    uid        = request.headers[uid_name] || params[uid_name]
-    @token     ||= request.headers[access_token_name] || params[access_token_name]
-    @client_id ||= request.headers[client_name] || params[client_name]
+    uid              = request.headers[uid_name] || params[uid_name]
+    @token           = DeviseTokenAuth::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name]
 
-    # client_id isn't required, set to 'default' if absent
-    @client_id ||= 'default'
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
 
     # check for an existing user, authenticated via warden/devise, if enabled
     if DeviseTokenAuth.enable_standard_devise_support
       devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
-      if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
         @used_auth_by_token = false
         @resource = devise_warden_user
         # REVIEW: The following line _should_ be safe to remove;
@@ -59,19 +59,17 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # user has already been found and authenticated
     return @resource if @resource && @resource.is_a?(rc)
 
-    # ensure we clear the client_id
-    unless @token
-      @client_id = nil
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
       return
     end
 
-    return false unless @token
-
     # mitigate timing attacks by finding by uid instead of auth token
     user = uid && rc.dta_find_by(uid: uid)
     scope = rc.to_s.underscore.to_sym
 
-    if user && user.valid_token?(@token, @client_id)
+    if user && user.valid_token?(@token.token, @token.client)
       # sign_in with bypass: true will be deprecated in the next version of Devise
       if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
         bypass_sign_in(user, scope: scope)
@@ -81,25 +79,24 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       return @resource = user
     else
       # zero all values previously set values
-      @client_id = nil
+      @token.client = nil
       return @resource = nil
     end
   end
 
   def update_auth_header
     # cannot save object if model has invalid params
+    return unless @resource && @token.client
 
-    return unless @resource && @client_id
-
-    # Generate new client_id with existing authentication
-    @client_id = nil unless @used_auth_by_token
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
 
     if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @resource.reload.tokens[@client_id].nil?
+      return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token, @client_id)
+      auth_header = @resource.build_auth_header(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)
@@ -124,30 +121,30 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     @resource.with_lock do
       # should not append auth header if @resource related token was
       # cleared by sign out in the meantime
-      return if @used_auth_by_token && @resource.tokens[@client_id].nil?
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
 
       # update the response header
       response.headers.merge!(auth_header_from_batch_request)
     end # end lock
   end
 
-  def is_batch_request?(user, client_id)
+  def is_batch_request?(user, client)
     !params[:unbatch] &&
-      user.tokens[client_id] &&
-      user.tokens[client_id]['updated_at'] &&
-      user.tokens[client_id]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
   end
 
   def auth_header_from_batch_request
     # determine batch request status after request processing, in case
     # another processes has updated it during that processing
-    @is_batch_request = is_batch_request?(@resource, @client_id)
+    @is_batch_request = is_batch_request?(@resource, @token.client)
 
     auth_header = {}
     # extend expiration of batch buffer to account for the duration of
     # this request
     if @is_batch_request
-      auth_header = @resource.extend_batch_buffer(@token, @client_id)
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
 
       # Do not return token for batch requests to avoid invalidated
       # tokens returned to the client in case of race conditions.
@@ -158,7 +155,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
     else
       # update Authorization response header with new token
-      auth_header = @resource.create_new_auth_token(@client_id)
+      auth_header = @resource.create_new_auth_token(@token.client)
     end
     auth_header
   end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -2,22 +2,20 @@
 
 module DeviseTokenAuth
   class ConfirmationsController < DeviseTokenAuth::ApplicationController
+
     def show
-      @resource = resource_class.confirm_by_token(params[:confirmation_token])
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
 
       if @resource.errors.empty?
         yield @resource if block_given?
 
         redirect_header_options = { account_confirmation_success: true }
 
-        # give redirect value from params priority or fall back to default value if provided
-        redirect_url = params[:redirect_url] || DeviseTokenAuth.default_confirm_success_url
-
         if signed_in?(resource_name)
-          client_id, token = signed_in_resource.create_token
+          token = signed_in_resource.create_token
 
-          redirect_headers = build_redirect_headers(token,
-                                                    client_id,
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
                                                     redirect_header_options)
 
           redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
@@ -30,5 +28,54 @@ module DeviseTokenAuth
         raise ActionController::RoutingError, 'Not Found'
       end
     end
+
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+
+      return render_create_success
+    end
+
+    protected
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.confirmations.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+          success: true,
+          message: I18n.t('devise_token_auth.confirmations.sended', email: @email)
+      }
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+    end
+
   end
 end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -62,7 +62,7 @@ module DeviseTokenAuth
       end
 
       sign_in(:user, @resource, store: false, bypass: false)
-      
+
       @resource.save!
 
       yield @resource if block_given?
@@ -171,11 +171,11 @@ module DeviseTokenAuth
 
     def create_auth_params
       @auth_params = {
-        auth_token:     @token,
-        client_id: @client_id,
-        uid:       @resource.uid,
-        expiry:    @expiry,
-        config:    @config
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
       }
       @auth_params.merge!(oauth_registration: true) if @oauth_registration
       @auth_params
@@ -183,7 +183,7 @@ module DeviseTokenAuth
 
     def set_token_on_resource
       @config = omniauth_params['config_name']
-      @client_id, @token, @expiry = @resource.create_token
+      @token  = @resource.create_token
     end
 
     def render_data(message, data)

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -39,7 +39,7 @@ module DeviseTokenAuth
       @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
 
       if @resource && @resource.reset_password_period_valid?
-        client_id, token = @resource.create_token
+        token = @resource.create_token
 
         # ensure that user is confirmed
         @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
@@ -52,8 +52,8 @@ module DeviseTokenAuth
         yield @resource if block_given?
 
         redirect_header_options = { reset_password: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(@redirect_url,
                                              redirect_headers))
@@ -92,7 +92,7 @@ module DeviseTokenAuth
     def resource_update_method
       allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
       if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
-        'update_attributes'
+        'update'
       else
         'update_with_password'
       end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -52,7 +52,7 @@ module DeviseTokenAuth
 
         if active_for_authentication?
           # email auth has been bypassed, authenticate user
-          @client_id, @token = @resource.create_token
+          @token = @resource.create_token
           @resource.save!
           update_auth_header
         end
@@ -181,7 +181,7 @@ module DeviseTokenAuth
       elsif account_update_params.key?(:current_password)
         'update_with_password'
       else
-        'update_attributes'
+        'update'
       end
     end
 

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -26,7 +26,7 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @client_id, @token = @resource.create_token
+        @token = @resource.create_token
         @resource.save
 
         sign_in(:user, @resource, store: false, bypass: false)
@@ -48,11 +48,11 @@ module DeviseTokenAuth
     def destroy
       # remove auth instance variables so that after_action does not run
       user = remove_instance_variable(:@resource) if @resource
-      client_id = remove_instance_variable(:@client_id) if @client_id
-      remove_instance_variable(:@token) if @token
+      client = @token.client if @token.client
+      @token.clear!
 
-      if user && client_id && user.tokens[client_id]
-        user.tokens.delete(client_id)
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
         user.save!
 
         yield user if block_given?

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -35,13 +35,13 @@ module DeviseTokenAuth
       @resource = resource_class.unlock_access_by_token(params[:unlock_token])
 
       if @resource.persisted?
-        client_id, token = @resource.create_token
+        token = @resource.create_token
         @resource.save!
         yield @resource if block_given?
 
         redirect_header_options = { unlock: true }
-        redirect_headers = build_redirect_headers(token,
-                                                  client_id,
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
                                              redirect_headers))

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -1,12 +1,10 @@
+require_relative 'tokens_serialization'
+
 module DeviseTokenAuth::Concerns::ActiveRecordSupport
   extend ActiveSupport::Concern
 
   included do
-    serialize :tokens, JSON unless tokens_has_json_column_type?
-
-    # can't set default on text fields in mysql, simulate here instead.
-    after_save :set_empty_token_hash
-    after_initialize :set_empty_token_hash
+    serialize :tokens, DeviseTokenAuth::TokensSerialization
   end
 
   class_methods do
@@ -14,21 +12,5 @@ module DeviseTokenAuth::Concerns::ActiveRecordSupport
     def dta_find_by(attrs = {})
       find_by(attrs)
     end
-
-    protected
-
-    def tokens_has_json_column_type?
-      database_exists? && table_exists? && columns_hash['tokens'] && columns_hash['tokens'].type.in?([:json, :jsonb])
-    end
-
-    def database_exists?
-      ActiveRecord::Base.connection_pool.with_connection { |con| con.active? } rescue false
-    end
-  end
-
-  protected
-
-  def set_empty_token_hash
-    self.tokens ||= {} if has_attribute?(:tokens)
   end
 end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::TokensSerialization
+  # Serialization hash to json
+  def self.dump(object)
+    object.each_value(&:compact!) unless object.nil?
+    JSON.generate(object)
+  end
+
+  # Deserialization json to hash
+  def self.load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'bcrypt'
-
 module DeviseTokenAuth::Concerns::User
   extend ActiveSupport::Concern
 
@@ -9,7 +7,7 @@ module DeviseTokenAuth::Concerns::User
     @token_equality_cache ||= {}
 
     key = "#{token_hash}/#{token}"
-    result = @token_equality_cache[key] ||= (::BCrypt::Password.new(token_hash) == token)
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
     @token_equality_cache = {} if @token_equality_cache.size > 10000
     result
   end
@@ -86,27 +84,25 @@ module DeviseTokenAuth::Concerns::User
       send_devise_notification(:unlock_instructions, raw, opts)
       raw
     end
-  end
 
-  def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
-    client_id ||= SecureRandom.urlsafe_base64(nil, false)
-    token     ||= SecureRandom.urlsafe_base64(nil, false)
-    expiry    ||= (Time.zone.now + token_lifespan).to_i
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
 
-    tokens[client_id] = {
-      token: BCrypt::Password.create(token),
-      expiry: expiry
-    }.merge!(token_extras)
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
 
-    clean_old_tokens
+      clean_old_tokens
 
-    [client_id, token, expiry]
+      token
+    end
   end
 
-  def valid_token?(token, client_id = 'default')
-    return false unless tokens[client_id]
-    return true if token_is_current?(token, client_id)
-    return true if token_can_be_reused?(token, client_id)
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
 
     # return false if none of the above conditions are met
     false
@@ -116,10 +112,10 @@ module DeviseTokenAuth::Concerns::User
   # can be passed on from the client
   def send_confirmation_notification?; false; end
 
-  def token_is_current?(token, client_id)
+  def token_is_current?(token, client)
     # ghetto HashWithIndifferentAccess
-    expiry     = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
-    token_hash = tokens[client_id]['token'] || tokens[client_id][:token]
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
 
     return true if (
       # ensure that expiry and token are set
@@ -134,10 +130,10 @@ module DeviseTokenAuth::Concerns::User
   end
 
   # allow batch requests to use the previous token
-  def token_can_be_reused?(token, client_id)
+  def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
-    updated_at = tokens[client_id]['updated_at'] || tokens[client_id][:updated_at]
-    last_token = tokens[client_id]['last_token'] || tokens[client_id][:last_token]
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token = tokens[client]['last_token'] || tokens[client][:last_token]
 
     return true if (
       # ensure that the last token and its creation time exist
@@ -147,40 +143,39 @@ module DeviseTokenAuth::Concerns::User
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 
       # ensure that the token is valid
-      ::BCrypt::Password.new(last_token) == token
+      DeviseTokenAuth::TokenFactory.valid_token_hash?(last_token)
     )
   end
 
   # update user's auth token (should happen on each request)
-  def create_new_auth_token(client_id = nil)
+  def create_new_auth_token(client = nil)
     now = Time.zone.now
 
-    client_id, token = create_token(
-      client_id: client_id,
-      expiry: (now + token_lifespan).to_i,
-      last_token: tokens.fetch(client_id, {})['token'],
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
       updated_at: now
     )
 
-    update_auth_header(token, client_id)
+    update_auth_header(token.token, token.client)
   end
 
-  def build_auth_header(token, client_id = 'default')
+  def build_auth_header(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
-    expiry = tokens[client_id]['expiry'] || tokens[client_id][:expiry]
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
 
     {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
-      DeviseTokenAuth.headers_names[:"client"]       => client_id,
+      DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
   end
 
-  def update_auth_header(token, client_id = 'default')
-    headers = build_auth_header(token, client_id)
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
     clean_old_tokens
     save!
 
@@ -194,9 +189,9 @@ module DeviseTokenAuth::Concerns::User
     DeviseTokenAuth::Url.generate(base_url, args)
   end
 
-  def extend_batch_buffer(token, client_id)
-    tokens[client_id]['updated_at'] = Time.zone.now
-    update_auth_header(token, client_id)
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now
+    update_auth_header(token, client)
   end
 
   def confirmed?
@@ -207,10 +202,6 @@ module DeviseTokenAuth::Concerns::User
     as_json(except: %i[tokens created_at updated_at])
   end
 
-  def token_lifespan
-    DeviseTokenAuth.token_lifespan
-  end
-
   protected
 
   def destroy_expired_tokens
@@ -236,8 +227,8 @@ module DeviseTokenAuth::Concerns::User
     return unless should_remove_tokens_after_password_reset?
 
     if tokens.present? && tokens.many?
-      client_id, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
-      self.tokens = { client_id => token_data }
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
     end
   end