devise_token_auth 1.1.5 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a64d8fc927471b28cec59b5191e06ef4d2fd7152dadcc9f49b5c512611ba4e6
-  data.tar.gz: 3ac708a845da1df134975f293a7db9e8977cd116c0d8dbdc7650e249bb99df82
+  metadata.gz: fb2d73d7859e1754b505d6f554c8d298ba899444b4fe4e1b47d50ca9bab453e8
+  data.tar.gz: 3572d4ff07d68f62d8e51270959fd20451d9edb4832d576b9342939275390dee
 SHA512:
-  metadata.gz: 51a73c32d0debfc772ff7f7b8b5a524a67fde1676bb66a1d77d243c451a3ca5b375c593287bfb1be2abff7ff881947e39470a6d46421c73f112d4a5b1d774858
-  data.tar.gz: a79f4e32938818a92fddbcb88eb918da3c53afe8bf304769fa9d02f1841ed67093ab0bf7b004263094737da15d3dae222b785c70ef233e1b6f43a07a7f49f2b5
+  metadata.gz: 50c95181401bedfd959a407d450f222ab185d75000825385dd691a064e831b36263eb1338d25f6378a743ac9009b73f80df3e24cb09ce5680a0e6723fc98acb9
+  data.tar.gz: 91910874d7e473d31eb39cf40c6860da4ab5b59aa874a0f1296faa17718103124018568cf289486a9d49a3ec1b967f14e23c18afb8d3f6cd3ec2fd837d663a83

data/app/controllers/devise_token_auth/application_controller.rb

@@ -75,5 +75,13 @@ module DeviseTokenAuth
       response = response.merge(data) if data
       render json: response, status: status
     end
+
+    def success_message(name, email)
+      if Devise.paranoid
+        I18n.t("devise_token_auth.#{name}.sended_paranoid")
+      else
+        I18n.t("devise_token_auth.#{name}.sended", email: email)
+      end
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,7 +20,7 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+    @resource = if database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity
                   resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
                 else
@@ -28,6 +28,19 @@ module DeviseTokenAuth::Concerns::ResourceFinder
                 end
   end
 
+  def database_adapter
+    @database_adapter ||= begin
+      rails_version = [Rails::VERSION::MAJOR, Rails::VERSION::MINOR].join(".")
+
+      adapter =
+        if rails_version >= "6.1"
+          resource_class.try(:connection_db_config)&.try(:adapter)
+        else
+          resource_class.try(:connection_config)&.try(:[], :adapter)
+        end
+    end
+  end
+
   def resource_class(m = nil)
     mapping = if m
                 Devise.mappings[m]

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -35,11 +35,20 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
 
+    # gets values from cookie if configured and present
+    parsed_auth_cookie = {}
+    if DeviseTokenAuth.cookie_enabled
+      auth_cookie = request.cookies[DeviseTokenAuth.cookie_name]
+      if auth_cookie.present?
+        parsed_auth_cookie = JSON.parse(auth_cookie)
+      end
+    end
+
     # parse header for values necessary for authentication
-    uid              = request.headers[uid_name] || params[uid_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name]
     @token           = DeviseTokenAuth::TokenFactory.new unless @token
-    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
-    @token.client ||= request.headers[client_name] || params[client_name]
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name]
 
     # client isn't required, set to 'default' if absent
     @token.client ||= 'default'
@@ -101,6 +110,10 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # update the response header
       response.headers.merge!(auth_header)
 
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(auth_header)
+      end
     else
       unless @resource.reload.valid?
         @resource = @resource.class.find(@resource.to_param) # errors remain after reload
@@ -123,11 +136,22 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # cleared by sign out in the meantime
       return if @used_auth_by_token && @resource.tokens[@token.client].nil?
 
+      _auth_header_from_batch_request = auth_header_from_batch_request
+
       # update the response header
-      response.headers.merge!(auth_header_from_batch_request)
+      response.headers.merge!(_auth_header_from_batch_request)
+
+      # set a server cookie if configured
+      if DeviseTokenAuth.cookie_enabled
+        set_cookie(_auth_header_from_batch_request)
+      end
     end # end lock
   end
 
+  def set_cookie(auth_header)
+    cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+  end
+
   def is_batch_request?(user, client)
     !params[:unbatch] &&
       user.tokens[client] &&

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -55,13 +55,17 @@ module DeviseTokenAuth
 
     def render_create_success
       render json: {
-          success: true,
-          message: I18n.t('devise_token_auth.confirmations.sended', email: @email)
-      }
+               success: true,
+               message: success_message('confirmations', @email)
+             }
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+      if Devise.paranoid
+        render_error(404, I18n.t('devise_token_auth.confirmations.sended_paranoid'))
+      else
+        render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+      end
     end
 
     private

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -128,7 +128,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.passwords.sended', email: @email)
+        message: success_message('passwords', @email)
       }
     end
 
@@ -181,7 +181,11 @@ module DeviseTokenAuth
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+      if Devise.paranoid
+        render_error(404, I18n.t('devise_token_auth.passwords.sended_paranoid'))
+      else
+        render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+      end
     end
 
     def validate_redirect_url_param

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -55,6 +55,12 @@ module DeviseTokenAuth
         user.tokens.delete(client)
         user.save!
 
+        if DeviseTokenAuth.cookie_enabled
+          # If a cookie is set with a domain specified then it must be deleted with that domain specified
+          # See https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+          cookies.delete(DeviseTokenAuth.cookie_name, domain: DeviseTokenAuth.cookie_attributes[:domain])
+        end
+
         yield user if block_given?
 
         render_destroy_success

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -63,7 +63,7 @@ module DeviseTokenAuth
     def render_create_success
       render json: {
         success: true,
-        message: I18n.t('devise_token_auth.unlocks.sended', email: @email)
+        message: success_message('unlocks', @email)
       }
     end
 
@@ -79,7 +79,11 @@ module DeviseTokenAuth
     end
 
     def render_not_found_error
-      render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      if Devise.paranoid
+        render_error(404, I18n.t('devise_token_auth.unlocks.sended_paranoid'))
+      else
+        render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+      end
     end
 
     def resource_params

data/app/models/devise_token_auth/concerns/user.rb

@@ -218,13 +218,8 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def should_remove_tokens_after_password_reset?
-    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
-      encrypted_password_changed? &&
-        DeviseTokenAuth.remove_tokens_after_password_reset
-    else
-      saved_change_to_attribute?(:encrypted_password) &&
-        DeviseTokenAuth.remove_tokens_after_password_reset
-    end
+    DeviseTokenAuth.remove_tokens_after_password_reset &&
+      (respond_to?(:encrypted_password_changed?) && encrypted_password_changed?)
   end
 
   def remove_tokens_after_password_reset

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -23,8 +23,8 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   end
 
   def sync_uid
-    if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone
-      return if postpone_email_change?
+    unless self.new_record?
+      return if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone && postpone_email_change?
     end
     self.uid = email if email_provider?
   end

data/app/views/devise_token_auth/omniauth_external_window.html.erb

@@ -15,7 +15,7 @@
             Cordova / PhoneGap)
       */
 
-      var data = JSON.parse(decodeURIComponent('<%= URI::escape( @data.to_json ) %>'));
+      var data = JSON.parse(decodeURIComponent('<%= ERB::Util.url_encode( @data.to_json ) %>'));
 
       window.addEventListener("message", function(ev) {
         if (ev.data === "requestCredentials") {

data/config/locales/en.yml

@@ -21,6 +21,7 @@ en:
       missing_redirect_url: "Missing redirect URL."
       not_allowed_redirect_url: "Redirect to '%{redirect_url}' not allowed."
       sended: "An email has been sent to '%{email}' containing instructions for resetting your password."
+      sended_paranoid: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
       password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
@@ -28,9 +29,11 @@ en:
     unlocks:
       missing_email: "You must provide an email address."
       sended: "An email has been sent to '%{email}' containing instructions for unlocking your account."
+      sended_paranoid: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
     confirmations:
       sended: "An email has been sent to '%{email}' containing instructions for confirming your account."
+      sended_paranoid: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
       user_not_found: "Unable to find user with email '%{email}'."
       missing_email: "You must provide an email address."
 

data/lib/devise_token_auth/blacklist.rb

@@ -1,2 +1,6 @@
 # don't serialize tokens
-Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens
+if defined? Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
+  Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION << :tokens
+else
+  Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens
+end

data/lib/devise_token_auth/engine.rb

@@ -25,6 +25,9 @@ module DeviseTokenAuth
                  :remove_tokens_after_password_reset,
                  :default_callbacks,
                  :headers_names,
+                 :cookie_enabled,
+                 :cookie_name,
+                 :cookie_attributes,
                  :bypass_sign_in,
                  :send_confirmation_email,
                  :require_client_password_reset_token
@@ -47,6 +50,9 @@ module DeviseTokenAuth
                                                 'expiry': 'expiry',
                                                 'uid': 'uid',
                                                 'token-type': 'token-type' }
+  self.cookie_enabled                       = false
+  self.cookie_name                          = 'auth_cookie'
+  self.cookie_attributes                    = {}
   self.bypass_sign_in                       = true
   self.send_confirmation_email              = false
   self.require_client_password_reset_token  = false

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.1.5'.freeze
+  VERSION = '1.2.0'.freeze
 end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -92,30 +92,102 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
         end
 
         describe 'resend confirmation' do
-          before do
-            post :create,
-                params: { email: @new_user.email,
-                          redirect_url: @redirect_url },
-                xhr: true
-            @resource = assigns(:resource)
-
-            @mail = ActionMailer::Base.deliveries.last
-            @token, @client_config = token_and_client_config_from(@mail.body)
-          end
-
-          test 'user should not be confirmed' do
-            assert_nil @resource.confirmed_at
+          describe 'without paranoid mode' do
+
+            describe 'on success' do
+              before do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+
+              test 'user should not be confirmed' do
+                assert_nil @resource.confirmed_at
+              end
+
+              test 'should generate raw token' do
+                assert @token
+                assert_equal @new_user.confirmation_token, @token
+              end
+
+              test 'user should receive confirmation email' do
+                assert_equal @resource.email, @mail['to'].to_s
+              end
+
+              test 'response should contain message' do
+                assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended', email: @resource.email)
+              end
+            end
+
+            describe 'on failure' do
+              before do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+
+              test 'response should contain errors' do
+                assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.user_not_found', email: 'chester@cheet.ah')]
+              end
+            end
           end
+        end
 
-          test 'should generate raw token' do
-            assert @token
-            assert_equal @new_user.confirmation_token, @token
+        describe 'with paranoid mode' do
+          describe 'on success' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @new_user.email,
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @resource = assigns(:resource)
+                @data = JSON.parse(response.body)
+                @mail = ActionMailer::Base.deliveries.last
+                @token, @client_config = token_and_client_config_from(@mail.body)
+              end
+            end
+
+            test 'user should not be confirmed' do
+              assert_nil @resource.confirmed_at
+            end
+
+            test 'should generate raw token' do
+              assert @token
+              assert_equal @new_user.confirmation_token, @token
+            end
+
+            test 'user should receive confirmation email' do
+              assert_equal @resource.email, @mail['to'].to_s
+            end
+
+            test 'response should contain message' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
+            end
           end
 
-          test 'user should receive confirmation email' do
-            assert_equal @resource.email, @mail['to'].to_s
+          describe 'on failure' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url },
+                     xhr: true
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should contain errors' do
+              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            end
           end
-
         end
       end
 

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -18,7 +18,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
   def get_parsed_data_json
     encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(URI.unescape(encoded_json_data))
+    JSON.parse(CGI.unescape(encoded_json_data))
   end
 
   describe 'success callback' do
@@ -346,7 +346,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         follow_all_redirects!
 
         data = get_parsed_data_json
-        assert_equal "Redirect to &#39;#{@bad_redirect_url}&#39; not allowed.",
+        assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.",
                     data['error']
       end
 

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -85,37 +85,89 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
       end
 
       describe 'request password reset' do
-        describe 'unknown user should return 404' do
-          before do
-            post :create,
-                 params: { email: 'chester@cheet.ah',
-                           redirect_url: @redirect_url }
-            @data = JSON.parse(response.body)
-          end
+        describe 'unknown user' do
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: 'chester@cheet.ah',
+                             redirect_url: @redirect_url }
+              @data = JSON.parse(response.body)
+            end
 
-          test 'unknown user should return 404' do
-            assert_equal 404, response.status
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.user_not_found',
+                      email: 'chester@cheet.ah')]
+            end
           end
 
-          test 'errors should be returned' do
-            assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: 'chester@cheet.ah',
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'unknown user should return 404' do
+              assert_equal 404, response.status
+            end
+
+            test 'errors should be returned' do
+              assert @data['errors']
+              assert_equal @data['errors'],
+              [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+            end
           end
         end
 
         describe 'successfully requested password reset' do
-          before do
-            post :create,
-                 params: { email: @resource.email,
-                           redirect_url: @redirect_url }
+          describe 'without paranoid mode' do
+            before do
+              post :create,
+                   params: { email: @resource.email,
+                             redirect_url: @redirect_url }
 
-            @data = JSON.parse(response.body)
+              @data = JSON.parse(response.body)
+            end
+
+            test 'response should not contain extra data' do
+              assert_nil @data['data']
+            end
+
+            test 'response should contains message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended', email: @resource.email)
+            end
           end
 
-          test 'response should not contain extra data' do
-            assert_nil @data['data']
+          describe 'with paranoid mode' do
+            before do
+              swap Devise, paranoid: true do
+                post :create,
+                     params: { email: @resource.email,
+                               redirect_url: @redirect_url }
+                @data = JSON.parse(response.body)
+              end
+            end
+
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
+
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
+            end
           end
         end
 

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -10,6 +10,17 @@ require 'test_helper'
 
 class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
+
+    def mock_registration_params
+      {
+        email: Faker::Internet.email,
+        password: 'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url: Faker::Internet.url,
+        unpermitted_param: '(x_x)'
+      }
+    end
+
     describe 'Validate non-empty body' do
       before do
         # need to post empty data
@@ -41,13 +52,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @mails_sent = ActionMailer::Base.deliveries.count
 
         post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
+             params: mock_registration_params
 
         @resource = assigns(:resource)
         @data = JSON.parse(response.body)
@@ -87,17 +92,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
       before do
         @original_duration = Devise.allow_unconfirmed_access_for
         Devise.allow_unconfirmed_access_for = nil
-        post '/auth',
-             params: {
-               email: Faker::Internet.email,
-               password: 'secret123',
-               password_confirmation: 'secret123',
-               confirm_success_url: Faker::Internet.url,
-               unpermitted_param: '(x_x)'
-             }
       end
 
       test 'auth headers were returned in response' do
+        post '/auth', params: mock_registration_params
         assert response.headers['access-token']
         assert response.headers['token-type']
         assert response.headers['client']
@@ -105,6 +103,21 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         assert response.headers['uid']
       end
 
+      describe 'using auth cookie' do
+        before do
+          DeviseTokenAuth.cookie_enabled = true
+        end
+
+        test 'auth cookie was returned in response' do
+          post '/auth', params: mock_registration_params
+          assert response.cookies[DeviseTokenAuth.cookie_name]
+        end
+
+        after do
+          DeviseTokenAuth.cookie_enabled = false
+        end
+      end
+
       after do
         Devise.allow_unconfirmed_access_for = @original_duration
       end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -17,11 +17,12 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 
       describe 'success' do
         before do
-          post :create,
-               params: {
-                 email: @existing_user.email,
-                 password: @existing_user.password
-               }
+          @user_session_params = {
+            email: @existing_user.email,
+            password: @existing_user.password
+          }
+
+          post :create, params: @user_session_params
 
           @resource = assigns(:resource)
           @data = JSON.parse(response.body)
@@ -35,17 +36,27 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
           assert_equal @existing_user.email, @data['data']['email']
         end
 
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+          end
+
+          test 'request should return auth cookie' do
+            post :create, params: @user_session_params
+            assert response.cookies[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
+
         describe "with multiple clients and headers don't change in each request" do
           before do
             # Set the max_number_of_devices to a lower number
             #  to expedite tests! (Default is 10)
             DeviseTokenAuth.max_number_of_devices = 2
             DeviseTokenAuth.change_headers_on_each_request = false
-
-            @user_session_params = {
-              email: @existing_user.email,
-              password: @existing_user.password
-            }
           end
 
           test 'should limit the maximum number of concurrent devices' do
@@ -159,6 +170,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         test 'session was destroyed' do
           assert_equal true, @controller.reset_session_called
         end
+
+        describe 'using auth cookie' do
+          before do
+            DeviseTokenAuth.cookie_enabled = true
+            @auth_token = @existing_user.create_new_auth_token
+            @controller.send(:cookies)[DeviseTokenAuth.cookie_name] = { value: @auth_token.to_json }
+          end
+
+          test 'auth cookie was destroyed' do
+            assert_equal @auth_token.to_json, @controller.send(:cookies)[DeviseTokenAuth.cookie_name] # sanity check
+            delete :destroy, format: :json
+            assert_nil @controller.send(:cookies)[DeviseTokenAuth.cookie_name]
+          end
+
+          after do
+            DeviseTokenAuth.cookie_enabled = false
+          end
+        end
       end
 
       describe 'unauthed user sign out' do

data/test/controllers/devise_token_auth/unlocks_controller_test.rb

@@ -57,7 +57,7 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
       end
 
       describe 'request unlock' do
-        describe 'unknown user should return 404' do
+        describe 'without paranoid mode' do
           before do
             post :create, params: { email: 'chester@cheet.ah' }
             @data = JSON.parse(response.body)
@@ -68,9 +68,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
 
           test 'errors should be returned' do
             assert @data['errors']
-            assert_equal @data['errors'],
-                         [I18n.t('devise_token_auth.passwords.user_not_found',
-                                 email: 'chester@cheet.ah')]
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.user_not_found',
+                                                  email: 'chester@cheet.ah')]
+          end
+        end
+
+        describe 'with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: 'chester@cheet.ah' }
+              @data = JSON.parse(response.body)
+            end
+          end
+
+          test 'unknown user should return 404' do
+            assert_equal 404, response.status
+          end
+
+          test 'errors should be returned' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
           end
         end
 

data/test/controllers/overrides/confirmations_controller_test.rb

@@ -38,7 +38,7 @@ class Overrides::ConfirmationsControllerTest < ActionDispatch::IntegrationTest
       override_proof_str = '(^^,)'
 
       # ensure present in redirect URL
-      override_proof_param = URI.unescape(response.headers['Location']
+      override_proof_param = CGI.unescape(response.headers['Location']
                                 .match(/override_proof=([^&]*)&/)[1])
 
       assert_equal override_proof_str, override_proof_param

data/test/dummy/tmp/generators/app/controllers/application_controller.rb

@@ -0,0 +1,6 @@
+            class ApplicationController < ActionController::Base
+        include DeviseTokenAuth::Concerns::SetUserByToken
+              def whatever
+                'whatever'
+              end
+            end

data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb

@@ -1,9 +1,56 @@
 # frozen_string_literal: true
 
-class Azpire::V1::HumanResource::User < ActiveRecord::Base
+class Azpire::V1::HumanResource::User
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Mongoid::Locker
+
+  field :locker_locked_at, type: Time
+  field :locker_locked_until, type: Time
+
+  locker locked_at_field: :locker_locked_at,
+         locked_until_field: :locker_locked_until
+
+  ## Database authenticatable
+  field :email,              type: String, default: ''
+  field :encrypted_password, type: String, default: ''
+
+  ## Recoverable
+  field :reset_password_token,        type: String
+  field :reset_password_sent_at,      type: Time
+  field :reset_password_redirect_url, type: String
+  field :allow_password_change,       type: Boolean, default: false
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Confirmable
+  field :confirmation_token,   type: String
+  field :confirmed_at,         type: Time
+  field :confirmation_sent_at, type: Time
+  field :unconfirmed_email,    type: String # Only if using reconfirmable
+
+  ## Lockable
+  # field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  # field :unlock_token,    type: String # Only if unlock strategy is :email or :both
+  # field :locked_at,       type: Time
+
+  ## Required
+  field :provider, type: String
+  field :uid,      type: String, default: ''
+
+  ## Tokens
+  field :tokens, type: Hash, default: {}
+
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :validatable
   include DeviseTokenAuth::Concerns::User
+
+  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
+  index({ reset_password_token: 1 }, { name: 'reset_password_token_index', unique: true, sparse: true, background: true })
+  index({ confirmation_token: 1 }, { name: 'confirmation_token_index', unique: true, sparse: true, background: true })
+  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
+  # index({ unlock_token: 1 }, { name: 'unlock_token_index', unique: true, sparse: true, background: true })
 end

data/test/lib/devise_token_auth/blacklist_test.rb

@@ -3,9 +3,17 @@
 require 'test_helper'
 
 class DeviseTokenAuth::BlacklistTest < ActiveSupport::TestCase
-  describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
-    test 'should include :tokens' do
-      assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+  if defined? Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION
+    describe Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::UNSAFE_ATTRIBUTES_FOR_SERIALIZATION.include?(:tokens)
+      end
+    end
+  else
+    describe Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION do
+      test 'should include :tokens' do
+        assert Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION.include?(:tokens)
+      end
     end
   end
 end

data/test/test_helper.rb

@@ -15,7 +15,11 @@ require File.expand_path('dummy/config/environment', __dir__)
 require 'active_support/testing/autorun'
 require 'minitest/rails'
 require 'mocha/minitest'
-require 'database_cleaner'
+if DEVISE_TOKEN_AUTH_ORM == :active_record
+  require 'database_cleaner'
+else
+  require 'database_cleaner/mongoid'
+end
 
 FactoryBot.definition_file_paths = [File.expand_path('factories', __dir__)]
 FactoryBot.find_definitions
@@ -37,13 +41,40 @@ class ActiveSupport::TestCase
   ActiveRecord::Migration.check_pending! if DEVISE_TOKEN_AUTH_ORM == :active_record
 
   strategies = { active_record: :transaction,
-                 mongoid: :truncation }
+                 mongoid: :deletion }
   DatabaseCleaner.strategy = strategies[DEVISE_TOKEN_AUTH_ORM]
   setup { DatabaseCleaner.start }
   teardown { DatabaseCleaner.clean }
 
   # Add more helper methods to be used by all tests here...
 
+  # Execute the block setting the given values and restoring old values after
+  # the block is executed.
+  # shamelessly copied from devise test_helper.
+  def swap(object, new_values)
+    old_values = {}
+    new_values.each do |key, value|
+      old_values[key] = object.send key
+      object.send :"#{key}=", value
+    end
+    clear_cached_variables(new_values)
+    yield
+  ensure
+    clear_cached_variables(new_values)
+    old_values.each do |key, value|
+      object.send :"#{key}=", value
+    end
+  end
+
+  # shamelessly copied from devise test_helper.
+  def clear_cached_variables(options)
+    if options.key?(:case_insensitive_keys) || options.key?(:strip_whitespace_keys)
+      Devise.mappings.each do |_, mapping|
+        mapping.to.instance_variable_set(:@devise_parameter_filter, nil)
+      end
+    end
+  end
+
   def age_token(user, client_id)
     if user.tokens[client_id]
       user.tokens[client_id]['updated_at'] = (Time.zone.now - (DeviseTokenAuth.batch_request_buffer_throttle + 10.seconds))
@@ -85,7 +116,7 @@ module Rails
         %w[get post patch put head delete get_via_redirect post_via_redirect].each do |method|
           define_method(method) do |path_or_action, **args|
             if Rails::VERSION::MAJOR >= 5
-              super path_or_action, args
+              super path_or_action, **args
             else
               super path_or_action, args[:params], args[:headers]
             end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.1.5
+  version: 1.2.0
 platform: ruby
 authors:
 - Lynn Hurley
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-09 00:00:00.000000000 Z
+date: 2021-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -319,9 +319,9 @@ files:
 - test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb
 - test/dummy/db/schema.rb
 - test/dummy/lib/migration_database_helper.rb
+- test/dummy/tmp/generators/app/controllers/application_controller.rb
 - test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20210126004321_devise_token_auth_create_azpire_v1_human_resource_users.rb
 - test/factories/users.rb
 - test/lib/devise_token_auth/blacklist_test.rb
 - test/lib/devise_token_auth/rails/custom_routes_test.rb
@@ -357,7 +357,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Token based authentication for rails. Uses Devise + OmniAuth.
@@ -432,8 +432,8 @@ test_files:
 - test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb
 - test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb
 - test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb
+- test/dummy/tmp/generators/app/controllers/application_controller.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20210126004321_devise_token_auth_create_azpire_v1_human_resource_users.rb
 - test/dummy/README.rdoc
 - test/models/only_email_user_test.rb
 - test/models/confirmable_user_test.rb

data/test/dummy/tmp/generators/db/migrate/20210126004321_devise_token_auth_create_azpire_v1_human_resource_users.rb

@@ -1,49 +0,0 @@
-class DeviseTokenAuthCreateAzpireV1HumanResourceUsers < ActiveRecord::Migration[5.2]
-  def change
-    
-    create_table(:azpire_v1_human_resource_users) do |t|
-      ## Required
-      t.string :provider, :null => false, :default => "email"
-      t.string :uid, :null => false, :default => ""
-
-      ## Database authenticatable
-      t.string :encrypted_password, :null => false, :default => ""
-
-      ## Recoverable
-      t.string   :reset_password_token
-      t.datetime :reset_password_sent_at
-      t.boolean  :allow_password_change, :default => false
-
-      ## Rememberable
-      t.datetime :remember_created_at
-
-      ## Confirmable
-      t.string   :confirmation_token
-      t.datetime :confirmed_at
-      t.datetime :confirmation_sent_at
-      t.string   :unconfirmed_email # Only if using reconfirmable
-
-      ## Lockable
-      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
-      # t.string   :unlock_token # Only if unlock strategy is :email or :both
-      # t.datetime :locked_at
-
-      ## User Info
-      t.string :name
-      t.string :nickname
-      t.string :image
-      t.string :email
-
-      ## Tokens
-      t.text :tokens
-
-      t.timestamps
-    end
-
-    add_index :azpire_v1_human_resource_users, :email,                unique: true
-    add_index :azpire_v1_human_resource_users, [:uid, :provider],     unique: true
-    add_index :azpire_v1_human_resource_users, :reset_password_token, unique: true
-    add_index :azpire_v1_human_resource_users, :confirmation_token,   unique: true
-    # add_index :azpire_v1_human_resource_users, :unlock_token,         unique: true
-  end
-end