RubyGems - devise_token_auth - Versions diffs - 1.2.0 → 1.2.1 - Mend

devise_token_auth 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb2d73d7859e1754b505d6f554c8d298ba899444b4fe4e1b47d50ca9bab453e8
-  data.tar.gz: 3572d4ff07d68f62d8e51270959fd20451d9edb4832d576b9342939275390dee
+  metadata.gz: be08ae7f01121ebe8c6b9b8fe04bcc2bdc83a2c8108452ffc986f1865278e85f
+  data.tar.gz: 272f45dc6f28fba16b6a523f47cbb9ecf3be9c05d4aa644ee0d0998fa5272f43
 SHA512:
-  metadata.gz: 50c95181401bedfd959a407d450f222ab185d75000825385dd691a064e831b36263eb1338d25f6378a743ac9009b73f80df3e24cb09ce5680a0e6723fc98acb9
-  data.tar.gz: 91910874d7e473d31eb39cf40c6860da4ab5b59aa874a0f1296faa17718103124018568cf289486a9d49a3ec1b967f14e23c18afb8d3f6cd3ec2fd837d663a83
+  metadata.gz: cc54c90eee4fdf43e6d9b72ca905fc58e4338f1310b289bbede651978bd4f407556392d3d4c61cfaeabf6d4fba179768e02ec9c00bc245b33ba629972676c676
+  data.tar.gz: 00e139ae99fe395580ef8f846cca46516792b68cda0e0201e551e90ca9c70679fcf9519d3682ea82095588e78a93bb2def3db2bebe670a0e96f933e7087fee4b

data/app/controllers/devise_token_auth/application_controller.rb CHANGED Viewed

@@ -83,5 +83,14 @@ module DeviseTokenAuth
         I18n.t("devise_token_auth.#{name}.sended", email: email)
       end
     end
+    # When using a cookie to transport the auth token we can set it immediately in flows such as
+    # reset password and OmniAuth success, rather than making the client scrape the token from
+    # query params (to then send in the initial validate_token request).
+    # TODO: We should be able to stop exposing the token in query params when this method is used
+    def set_token_in_cookie(resource, token)
+      auth_header = resource.build_auth_header(token.token, token.client)
+      cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
+    end
   end
 end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb CHANGED Viewed

@@ -32,8 +32,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     # gets the headers names, which was set in the initialize file
     uid_name = DeviseTokenAuth.headers_names[:'uid']
+    other_uid_name = DeviseTokenAuth.other_uid && DeviseTokenAuth.headers_names[DeviseTokenAuth.other_uid.to_sym]
     access_token_name = DeviseTokenAuth.headers_names[:'access-token']
     client_name = DeviseTokenAuth.headers_names[:'client']
+    authorization_name = DeviseTokenAuth.headers_names[:"authorization"]
+    # Read Authorization token and decode it if present
+    decoded_authorization_token = decode_bearer_token(request.headers[authorization_name])
     # gets values from cookie if configured and present
     parsed_auth_cookie = {}
@@ -45,10 +50,11 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
     # parse header for values necessary for authentication
-    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name]
+    uid              = request.headers[uid_name] || params[uid_name] || parsed_auth_cookie[uid_name] || decoded_authorization_token[uid_name]
+    other_uid        = other_uid_name && request.headers[other_uid_name] || params[other_uid_name] || parsed_auth_cookie[other_uid_name]
     @token           = DeviseTokenAuth::TokenFactory.new unless @token
-    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name]
-    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name]
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name] || parsed_auth_cookie[access_token_name] || decoded_authorization_token[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name] || parsed_auth_cookie[client_name] || decoded_authorization_token[client_name]
     # client isn't required, set to 'default' if absent
     @token.client ||= 'default'
@@ -75,7 +81,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
     end
     # mitigate timing attacks by finding by uid instead of auth token
-    user = uid && rc.dta_find_by(uid: uid)
+    user = (uid && rc.dta_find_by(uid: uid)) || (other_uid && rc.dta_find_by("#{DeviseTokenAuth.other_uid}": other_uid))
     scope = rc.to_s.underscore.to_sym
     if user && user.valid_token?(@token.token, @token.client)
@@ -128,6 +134,13 @@ module DeviseTokenAuth::Concerns::SetUserByToken
   private
+  def decode_bearer_token(bearer_token)
+    return {} if bearer_token.blank?
+    encoded_token = bearer_token.split.last # Removes the 'Bearer' from the string
+    JSON.parse(Base64.strict_decode64(encoded_token)) rescue {}
+  end
   def refresh_headers
     # Lock the user record during any auth_header updates to ensure
     # we don't have write contention from multiple threads

data/app/controllers/devise_token_auth/confirmations_controller.rb CHANGED Viewed

@@ -62,7 +62,7 @@ module DeviseTokenAuth
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.confirmations.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
       end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module DeviseTokenAuth
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
-      redirect_to redirect_route
+      redirect_to redirect_route, status: 307
     end
     def get_redirect_route(devise_mapping)
@@ -45,7 +45,7 @@ module DeviseTokenAuth
     # find the mapping in `omniauth.params`.
     #
     # One example use-case here is for IDP-initiated SAML login.  In that
-    # case, there will have been no initial request in which to save
+    # case, there will have been no initial request in which to save
     # the devise mapping.  If you are in a situation like that, and
     # your app allows for you to determine somehow what the devise
     # mapping should be (because, for example, it is always the same),
@@ -70,6 +70,10 @@ module DeviseTokenAuth
       yield @resource if block_given?
+      if DeviseTokenAuth.cookie_enabled
+        set_token_in_cookie(@resource, @token)
+      end
       render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
     end
@@ -78,10 +82,10 @@ module DeviseTokenAuth
       render_data_or_redirect('authFailure', error: @error)
     end
-    def validate_auth_origin_url_param
+    def validate_auth_origin_url_param
       return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
     end
     protected

data/app/controllers/devise_token_auth/passwords_controller.rb CHANGED Viewed

@@ -51,6 +51,10 @@ module DeviseTokenAuth
         if require_client_password_reset_token?
           redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
         else
+          if DeviseTokenAuth.cookie_enabled
+            set_token_in_cookie(@resource, token)
+          end
           redirect_header_options = { reset_password: true }
           redirect_headers = build_redirect_headers(token.token,
                                                     token.client,
@@ -182,7 +186,7 @@ module DeviseTokenAuth
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.passwords.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
       end

data/app/controllers/devise_token_auth/sessions_controller.rb CHANGED Viewed

@@ -26,8 +26,8 @@ module DeviseTokenAuth
         if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
           return render_create_error_bad_credentials
         end
-        @token = @resource.create_token
-        @resource.save
+        create_and_assign_token
         sign_in(:user, @resource, store: false, bypass: false)
@@ -133,5 +133,17 @@ module DeviseTokenAuth
     def resource_params
       params.permit(*params_for_resource(:sign_in))
     end
+    def create_and_assign_token
+      if @resource.respond_to?(:with_lock)
+        @resource.with_lock do
+          @token = @resource.create_token
+          @resource.save!
+        end
+      else
+        @token = @resource.create_token
+        @resource.save!
+      end
+    end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb CHANGED Viewed

@@ -80,7 +80,7 @@ module DeviseTokenAuth
     def render_not_found_error
       if Devise.paranoid
-        render_error(404, I18n.t('devise_token_auth.unlocks.sended_paranoid'))
+        render_create_success
       else
         render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
       end

data/app/models/devise_token_auth/concerns/user.rb CHANGED Viewed

@@ -120,6 +120,7 @@ module DeviseTokenAuth::Concerns::User
     # ghetto HashWithIndifferentAccess
     expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
     token_hash = tokens[client]['token'] || tokens[client][:token]
+    previous_token_hash = tokens[client]['previous_token'] || tokens[client][:previous_token]
     return true if (
       # ensure that expiry and token are set
@@ -129,11 +130,24 @@ module DeviseTokenAuth::Concerns::User
       DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
       # ensure that the token is valid
-      DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+      (
+        # check if the latest token matches
+        does_token_match?(token_hash, token) ||
+        # check if the previous token matches
+        does_token_match?(previous_token_hash, token)
+      )
     )
   end
-  # allow batch requests to use the previous token
+  # check if the hash of received token matches the stored token
+  def does_token_match?(token_hash, token)
+    return false if token_hash.nil?
+    DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+  end
+  # allow batch requests to use the last token
   def token_can_be_reused?(token, client)
     # ghetto HashWithIndifferentAccess
     updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
@@ -143,7 +157,7 @@ module DeviseTokenAuth::Concerns::User
       # ensure that the last token and its creation time exist
       updated_at && last_token_hash &&
-      # ensure that previous token falls within the batch buffer throttle time of the last request
+      # ensure that last token falls within the batch buffer throttle time of the last request
       updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
       # ensure that the token is valid
@@ -157,7 +171,8 @@ module DeviseTokenAuth::Concerns::User
     token = create_token(
       client: client,
-      last_token: tokens.fetch(client, {})['token'],
+      previous_token: tokens.fetch(client, {})['token'],
+      last_token: tokens.fetch(client, {})['previous_token'],
       updated_at: now
     )
@@ -168,14 +183,20 @@ module DeviseTokenAuth::Concerns::User
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
     expiry = tokens[client]['expiry'] || tokens[client][:expiry]
-    {
+    headers = {
       DeviseTokenAuth.headers_names[:"access-token"] => token,
       DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
       DeviseTokenAuth.headers_names[:"client"]       => client,
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
+    headers.merge!(build_bearer_token(headers))
+  end
+  def build_bearer_token(auth)
+    encoded_token = Base64.strict_encode64(auth.to_json)
+    bearer_token = "Bearer #{encoded_token}"
+    {DeviseTokenAuth.headers_names[:"authorization"] => bearer_token}
   end
   def update_auth_header(token, client = 'default')

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb CHANGED Viewed

@@ -4,12 +4,12 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   extend ActiveSupport::Concern
   included do
-    validates :email, presence: true,if: :email_provider?
-    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
-    validates_presence_of :uid, unless: :email_provider?
+    validates :email, presence: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
+    validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
     # only validate unique emails among email registration users
-    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
     # keep uid in sync with email
     before_save :sync_uid
@@ -18,6 +18,10 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
   protected
+  def uid_and_provider_defined?
+    defined?(provider) && defined?(uid)
+  end
   def email_provider?
     provider == 'email'
   end
@@ -26,6 +30,6 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     unless self.new_record?
       return if devise_modules.include?(:confirmable) && !@bypass_confirmation_postpone && postpone_email_change?
     end
-    self.uid = email if email_provider?
+    self.uid = email if uid_and_provider_defined? && email_provider?
   end
 end

data/app/validators/devise_token_auth_email_validator.rb CHANGED Viewed

@@ -1,8 +1,16 @@
 # frozen_string_literal: true
 class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
+  EMAIL_REGEXP = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+  class << self
+    def validate?(email)
+      email =~ EMAIL_REGEXP
+    end
+  end
   def validate_each(record, attribute, value)
-    unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+    unless DeviseTokenAuthEmailValidator.validate?(value)
       record.errors.add(attribute, email_invalid_message)
     end
   end

data/config/locales/ja.yml CHANGED Viewed

@@ -21,10 +21,22 @@ ja:
       missing_redirect_url: "リダイレクト URL が与えられていません。"
       not_allowed_redirect_url: "'%{redirect_url}' へのリダイレクトは許可されていません。"
       sended: "'%{email}' にパスワードリセットの案内が送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、 数分後にパスワード再発行用のリンクを記載したメールをお送りします。"
       user_not_found: "メールアドレス '%{email}' のユーザーが見つかりません。"
       password_not_required: "このアカウントはパスワードを要求していません。'%{provider}' を利用してログインしてください。"
       missing_passwords: "'Password', 'Password confirmation' パラメータが与えられていません。"
       successfully_updated: "パスワードの更新に成功しました。"
+    unlocks:
+      missing_email: "メールアドレスが与えられていません。"
+      sended: "%{email}' にアカウントのロックを解除する方法を記載したメールが送信されました。"
+      sended_paranoid: "アカウントが存在する場合、数分後にロックを解除する方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+    confirmations:
+      sended: "'%{email}' にアカウントの確認方法を記載したメールが送信されました。"
+      sended_paranoid: "すでにメールアドレスがデータベースに登録されている場合、数分後にメールアドレスの確認方法を記載したメールをお送りします。"
+      user_not_found: "メールアドレス '%{email}' を持つユーザーが見つかりません。"
+      missing_email: "メールアドレスが与えられていません。"
   errors:
     messages:
       validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。"

data/lib/devise_token_auth/engine.rb CHANGED Viewed

@@ -30,7 +30,8 @@ module DeviseTokenAuth
                  :cookie_attributes,
                  :bypass_sign_in,
                  :send_confirmation_email,
-                 :require_client_password_reset_token
+                 :require_client_password_reset_token,
+                 :other_uid
   self.change_headers_on_each_request       = true
   self.max_number_of_devices                = 10
@@ -45,7 +46,8 @@ module DeviseTokenAuth
   self.enable_standard_devise_support       = false
   self.remove_tokens_after_password_reset   = false
   self.default_callbacks                    = true
-  self.headers_names                        = { 'access-token': 'access-token',
+  self.headers_names                        = { 'authorization': 'Authorization',
+                                                'access-token': 'access-token',
                                                 'client': 'client',
                                                 'expiry': 'expiry',
                                                 'uid': 'uid',
@@ -56,6 +58,7 @@ module DeviseTokenAuth
   self.bypass_sign_in                       = true
   self.send_confirmation_email              = false
   self.require_client_password_reset_token  = false
+  self.other_uid                            = nil
   def self.setup(&block)
     yield self

data/lib/devise_token_auth/rails/routes.rb CHANGED Viewed

@@ -73,7 +73,7 @@ module ActionDispatch::Routing
             # preserve the resource class thru oauth authentication by setting name of
             # resource as "resource_class" param
-            match "#{full_path}/:provider", to: redirect{ |params, request|
+            match "#{full_path}/:provider", to: redirect(status: 307) { |params, request|
               # get the current querystring
               qs = CGI::parse(request.env['QUERY_STRING'])
@@ -99,7 +99,7 @@ module ActionDispatch::Routing
               # re-construct the path for omniauth
               "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
-            }, via: [:get]
+            }, via: [:get, :post]
           end
         end
       end

data/lib/devise_token_auth/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module DeviseTokenAuth
-  VERSION = '1.2.0'.freeze
+  VERSION = '1.2.1'.freeze
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb CHANGED Viewed

@@ -48,6 +48,9 @@ DeviseTokenAuth.setup do |config|
   #                        :'uid' => 'uid',
   #                        :'token-type' => 'token-type' }
+  # Makes it possible to use custom uid column
+  # config.other_uid = "foo"
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can
   # do so by enabling this flag. NOTE: This feature is highly experimental!

data/test/controllers/demo_mang_controller_test.rb CHANGED Viewed

@@ -235,7 +235,7 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only_mang',
                 params: {},
                 headers: @auth_headers
@@ -244,38 +244,67 @@ class DemoMangControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+            @resource.reload
+            age_token(@resource, @client_id)
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
           it 'should define user during first request' do
             assert @first_user
           end
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/demo_user_controller_test.rb CHANGED Viewed

@@ -265,7 +265,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @resource.reload
             age_token(@resource, @client_id)
-            # use expired auth header
+            # use previous auth header
             get '/demo/members_only',
                 params: {},
                 headers: @auth_headers
@@ -274,38 +274,67 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
             @second_user = assigns(:resource)
             @second_access_token = response.headers['access-token']
             @second_response_status = response.status
+            @resource.reload
+            age_token(@resource, @client_id)
+            # use expired auth headers
+            get '/demo/members_only_mang',
+                params: {},
+                headers: @auth_headers
+            @third_is_batch_request = assigns(:is_batch_request)
+            @third_user = assigns(:resource)
+            @third_access_token = response.headers['access-token']
+            @third_response_status = response.status
           end
           it 'should allow the first request through' do
             assert_equal 200, @first_response_status
           end
+          it 'should allow the second request through' do
+            assert_equal 200, @second_response_status
+          end
           it 'should not allow the second request through' do
-            assert_equal 401, @second_response_status
+            assert_equal 401, @third_response_status
           end
           it 'should not treat first request as batch request' do
+            refute @first_is_batch_request
+          end
+          it 'should not treat second request as batch request' do
             refute @second_is_batch_request
           end
+          it 'should not treat third request as batch request' do
+            refute @third_is_batch_request
+          end
           it 'should return auth headers from the first request' do
             assert @first_access_token
           end
-          it 'should not treat second request as batch request' do
-            refute @second_is_batch_request
+          it 'should return auth headers from the second request' do
+            assert @second_access_token
           end
-          it 'should not return auth headers from the second request' do
-            refute @second_access_token
+          it 'should not return auth headers from the third request' do
+            refute @third_access_token
           end
           it 'should define user during first request' do
             assert @first_user
           end
-          it 'should not define user during second request' do
-            refute @second_user
+          it 'should define user during second request' do
+            assert @second_user
+          end
+          it 'should not define user during third request' do
+            refute @third_user
           end
         end
       end

data/test/controllers/devise_token_auth/confirmations_controller_test.rb CHANGED Viewed

@@ -171,21 +171,30 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
             test 'response should contain message' do
               assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @resource.email)
             end
+            test 'response should return success status' do
+              assert_equal 200, response.status
+            end
           end
           describe 'on failure' do
             before do
               swap Devise, paranoid: true do
+                @email = 'chester@cheet.ah'
                 post :create,
-                     params: { email: 'chester@cheet.ah',
+                     params: { email: @email,
                                redirect_url: @redirect_url },
                      xhr: true
                 @data = JSON.parse(response.body)
               end
             end
-            test 'response should contain errors' do
-              assert_equal @data['errors'], [I18n.t('devise_token_auth.confirmations.sended_paranoid')]
+            test 'response should not contain errors' do
+              assert_equal @data['message'], I18n.t('devise_token_auth.confirmations.sended_paranoid', email: @email)
+            end
+            test 'response should return success status' do
+              assert_equal 200, response.status
             end
           end
         end

data/test/controllers/devise_token_auth/passwords_controller_test.rb CHANGED Viewed

@@ -116,14 +116,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
               end
             end
-            test 'unknown user should return 404' do
-              assert_equal 404, response.status
+            test 'response should return success status' do
+              assert_equal 200, response.status
             end
-            test 'errors should be returned' do
-              assert @data['errors']
-              assert_equal @data['errors'],
-              [I18n.t('devise_token_auth.passwords.sended_paranoid')]
+            test 'response should contain message' do
+              assert_equal \
+                @data['message'],
+              I18n.t('devise_token_auth.passwords.sended_paranoid')
             end
           end
         end

data/test/controllers/devise_token_auth/token_validations_controller_test.rb CHANGED Viewed

@@ -18,11 +18,51 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
       @token     = @auth_headers['access-token']
       @client_id = @auth_headers['client']
       @expiry    = @auth_headers['expiry']
+      @authorization_header = @auth_headers.slice('Authorization')
       # ensure that request is not treated as batch request
       age_token(@resource, @client_id)
     end
+    describe 'using only Authorization header' do
+      describe 'using valid Authorization header' do
+        before do
+          get '/auth/validate_token', params: {}, headers: @authorization_header
+        end
+        test 'token valid' do
+          assert_equal 200, response.status
+        end
+      end
+      describe 'using invalid Authorization header' do
+        describe 'with invalid base64' do
+          before do
+            get '/auth/validate_token', params: {}, headers: {'Authorization': 'Bearer invalidtoken=='}
+          end
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+        describe 'with valid base64' do
+          before do
+            valid_base64 = Base64.strict_encode64({
+              "access-token": 'invalidtoken',
+              "token-type": 'Bearer',
+              "client": 'client',
+              "expiry": '1234567'
+            }.to_json)
+            get '/auth/validate_token', params: {}, headers: {'Authorization': "Bearer #{valid_base64}"}
+          end
+          test 'returns access denied' do
+            assert_equal 401, response.status
+          end
+        end
+      end
+    end
     describe 'vanilla user' do
       before do
         get '/auth/validate_token', params: {}, headers: @auth_headers

data/test/controllers/devise_token_auth/unlocks_controller_test.rb CHANGED Viewed

@@ -81,17 +81,19 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
             end
           end
-          test 'unknown user should return 404' do
-            assert_equal 404, response.status
+          test 'should always return success' do
+            assert_equal 200, response.status
           end
-          test 'errors should be returned' do
-            assert @data['errors']
-            assert_equal @data['errors'], [I18n.t('devise_token_auth.unlocks.sended_paranoid')]
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
           end
         end
-        describe 'successfully requested unlock' do
+        describe 'successfully requested unlock without paranoid mode' do
           before do
             post :create, params: { email: @resource.email }
@@ -103,6 +105,26 @@ class DeviseTokenAuth::UnlocksControllerTest < ActionController::TestCase
           end
         end
+        describe 'successfully requested unlock with paranoid mode' do
+          before do
+            swap Devise, paranoid: true do
+              post :create, params: { email: @resource.email }
+              @data = JSON.parse(response.body)
+            end
+          end
+          test 'should always return success' do
+            assert_equal 200, response.status
+          end
+          test 'errors should not be returned' do
+            assert @data['success']
+            assert_equal \
+              @data['message'],
+            I18n.t('devise_token_auth.unlocks.sended_paranoid')
+          end
+        end
         describe 'case-sensitive email' do
           before do
             post :create, params: { email: @resource.email }

data/test/dummy/db/schema.rb CHANGED Viewed

@@ -2,11 +2,11 @@
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
 #
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
 #
 # It's strongly recommended that you check this file into your version control system.

data/test/dummy/tmp/generators/app/models/user.rb ADDED Viewed

@@ -0,0 +1,11 @@
+              class User < ApplicationRecord
+            # Include default devise modules.
+            devise :database_authenticatable, :registerable,
+                    :recoverable, :rememberable, :trackable, :validatable,
+                    :confirmable, :omniauthable
+            include DeviseTokenAuth::Concerns::User
+                def whatever
+                  puts 'whatever'
+                end
+              end

data/test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb ADDED Viewed

@@ -0,0 +1,49 @@
+class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[5.2]
+  def change
+    create_table(:users) do |t|
+      ## Required
+      t.string :provider, :null => false, :default => "email"
+      t.string :uid, :null => false, :default => ""
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+      t.boolean  :allow_password_change, :default => false
+      ## Rememberable
+      t.datetime :remember_created_at
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+      t.string :email
+      ## Tokens
+      t.text :tokens
+      t.timestamps
+    end
+    add_index :users, :email,                unique: true
+    add_index :users, [:uid, :provider],     unique: true
+    add_index :users, :reset_password_token, unique: true
+    add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+end

data/test/models/user_test.rb CHANGED Viewed

@@ -76,6 +76,28 @@ class UserTest < ActiveSupport::TestCase
       end
     end
+    describe 'previous token' do
+      before do
+        @resource = create(:user, :confirmed)
+        @auth_headers1 = @resource.create_new_auth_token
+      end
+      test 'should properly indicate whether previous token is current' do
+        assert @resource.token_is_current?(@auth_headers1['access-token'], @auth_headers1['client'])
+        # create another token, emulating a new request
+        @auth_headers2 = @resource.create_new_auth_token
+        # should work for previous token
+        assert @resource.token_is_current?(@auth_headers1['access-token'], @auth_headers1['client'])
+        # should work for latest token as well
+        assert @resource.token_is_current?(@auth_headers2['access-token'], @auth_headers2['client'])
+        # after using latest token, previous token should not work
+        assert @resource.token_is_current?(@auth_headers1['access-token'], @auth_headers1['client'])
+      end
+    end
     describe 'expired tokens are destroyed on save' do
       before do
         @resource = create(:user, :confirmed)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Lynn Hurley
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-07-19 00:00:00.000000000 Z
+date: 2022-09-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,7 +19,7 @@ dependencies:
         version: 4.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 4.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.2'
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -319,9 +319,9 @@ files:
 - test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb
 - test/dummy/db/schema.rb
 - test/dummy/lib/migration_database_helper.rb
-- test/dummy/tmp/generators/app/controllers/application_controller.rb
-- test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb
+- test/dummy/tmp/generators/app/models/user.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
+- test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb
 - test/factories/users.rb
 - test/lib/devise_token_auth/blacklist_test.rb
 - test/lib/devise_token_auth/rails/custom_routes_test.rb
@@ -350,14 +350,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.0
+      version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Token based authentication for rails. Uses Devise + OmniAuth.
@@ -431,9 +431,9 @@ test_files:
 - test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb
 - test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb
 - test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb
-- test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb
-- test/dummy/tmp/generators/app/controllers/application_controller.rb
+- test/dummy/tmp/generators/app/models/user.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
+- test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb
 - test/dummy/README.rdoc
 - test/models/only_email_user_test.rb
 - test/models/confirmable_user_test.rb

data/test/dummy/tmp/generators/app/controllers/application_controller.rb DELETED Viewed

@@ -1,6 +0,0 @@
-            class ApplicationController < ActionController::Base
-        include DeviseTokenAuth::Concerns::SetUserByToken
-              def whatever
-                'whatever'
-              end
-            end

data/test/dummy/tmp/generators/app/models/azpire/v1/human_resource/user.rb DELETED Viewed

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-class Azpire::V1::HumanResource::User
-  include Mongoid::Document
-  include Mongoid::Timestamps
-  include Mongoid::Locker
-  field :locker_locked_at, type: Time
-  field :locker_locked_until, type: Time
-  locker locked_at_field: :locker_locked_at,
-         locked_until_field: :locker_locked_until
-  ## Database authenticatable
-  field :email,              type: String, default: ''
-  field :encrypted_password, type: String, default: ''
-  ## Recoverable
-  field :reset_password_token,        type: String
-  field :reset_password_sent_at,      type: Time
-  field :reset_password_redirect_url, type: String
-  field :allow_password_change,       type: Boolean, default: false
-  ## Rememberable
-  field :remember_created_at, type: Time
-  ## Confirmable
-  field :confirmation_token,   type: String
-  field :confirmed_at,         type: Time
-  field :confirmation_sent_at, type: Time
-  field :unconfirmed_email,    type: String # Only if using reconfirmable
-  ## Lockable
-  # field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
-  # field :unlock_token,    type: String # Only if unlock strategy is :email or :both
-  # field :locked_at,       type: Time
-  ## Required
-  field :provider, type: String
-  field :uid,      type: String, default: ''
-  ## Tokens
-  field :tokens, type: Hash, default: {}
-  # Include default devise modules. Others available are:
-  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
-  devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :validatable
-  include DeviseTokenAuth::Concerns::User
-  index({ email: 1 }, { name: 'email_index', unique: true, background: true })
-  index({ reset_password_token: 1 }, { name: 'reset_password_token_index', unique: true, sparse: true, background: true })
-  index({ confirmation_token: 1 }, { name: 'confirmation_token_index', unique: true, sparse: true, background: true })
-  index({ uid: 1, provider: 1}, { name: 'uid_provider_index', unique: true, background: true })
-  # index({ unlock_token: 1 }, { name: 'unlock_token_index', unique: true, sparse: true, background: true })
-end