devise_token_auth 1.2.1 → 1.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be08ae7f01121ebe8c6b9b8fe04bcc2bdc83a2c8108452ffc986f1865278e85f
-  data.tar.gz: 272f45dc6f28fba16b6a523f47cbb9ecf3be9c05d4aa644ee0d0998fa5272f43
+  metadata.gz: 135b5088d17b20d187a6ffe314356dd2a2474d9bd98898bc9e36bc931e6c9fef
+  data.tar.gz: cf3c3c6fc19564248bdcb22e3b99624bd25a027383649a45c7e7bf1fddfd5bbd
 SHA512:
-  metadata.gz: cc54c90eee4fdf43e6d9b72ca905fc58e4338f1310b289bbede651978bd4f407556392d3d4c61cfaeabf6d4fba179768e02ec9c00bc245b33ba629972676c676
-  data.tar.gz: 00e139ae99fe395580ef8f846cca46516792b68cda0e0201e551e90ca9c70679fcf9519d3682ea82095588e78a93bb2def3db2bebe670a0e96f933e7087fee4b
+  metadata.gz: 5f6e88376261bcea31e98d8af66cc298755d2cbc2724c481a100d78273824b1dcfcc016bbc2af2b43d1dcac945fc6a4015d351f321da9a432ec4c5129f8c58f0
+  data.tar.gz: bde72417d1882c6f69076d3bfe8cebd077e39a681898fb0c5603643770a3d81eb0ac3d42dd46f8ae27aff4dae74a138159160974c1996ef4e28d252baf6b52ba

data/README.md

@@ -1,7 +1,7 @@
 # Devise Token Auth
 
 [![Gem Version](https://badge.fury.io/rb/devise_token_auth.svg)](http://badge.fury.io/rb/devise_token_auth)
-[![Build Status](https://travis-ci.org/lynndylanhurley/devise_token_auth.svg?branch=master)](https://travis-ci.org/lynndylanhurley/devise_token_auth)
+[![Build Status](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/lynndylanhurley/devise_token_auth/actions/workflows/test.yml)
 [![Code Climate](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/gpa.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth)
 [![Test Coverage](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/badges/coverage.svg)](https://codeclimate.com/github/lynndylanhurley/devise_token_auth/coverage)
 [![Downloads](https://img.shields.io/gem/dt/devise_token_auth.svg)](https://rubygems.org/gems/devise_token_auth)
@@ -22,6 +22,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
   * [Angular-Token](https://github.com/neroniaky/angular-token) for [Angular](https://github.com/angular/angular)
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
+  * [vanilla-token-auth](https://github.com/theblang/vanilla-token-auth) for an unopinionated client
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
 * Email authentication using [Devise](https://github.com/plataformatec/devise), including:
   * User registration, update and deletion

data/app/controllers/devise_token_auth/application_controller.rb

@@ -84,12 +84,16 @@ module DeviseTokenAuth
       end
     end
 
+    def redirect_options
+      {}
+    end
+
     # When using a cookie to transport the auth token we can set it immediately in flows such as
     # reset password and OmniAuth success, rather than making the client scrape the token from
     # query params (to then send in the initial validate_token request).
     # TODO: We should be able to stop exposing the token in query params when this method is used
     def set_token_in_cookie(resource, token)
-      auth_header = resource.build_auth_header(token.token, token.client)
+      auth_header = resource.build_auth_headers(token.token, token.client)
       cookies[DeviseTokenAuth.cookie_name] = DeviseTokenAuth.cookie_attributes.merge(value: auth_header.to_json)
     end
   end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -22,7 +22,8 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   def find_resource(field, value)
     @resource = if database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity
-                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                  field_sanitized = resource_class.connection.quote_column_name(field)
+                  resource_class.where("BINARY #{field_sanitized} = ? AND provider= ?", value, provider).first
                 else
                   resource_class.dta_find_by(field => value, 'provider' => provider)
                 end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -111,7 +111,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # cleared by sign out in the meantime
       return if @resource.reload.tokens[@token.client].nil?
 
-      auth_header = @resource.build_auth_header(@token.token, @token.client)
+      auth_header = @resource.build_auth_headers(@token.token, @token.client)
 
       # update the response header
       response.headers.merge!(auth_header)
@@ -154,8 +154,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken
       # update the response header
       response.headers.merge!(_auth_header_from_batch_request)
 
-      # set a server cookie if configured
-      if DeviseTokenAuth.cookie_enabled
+      # set a server cookie if configured and is not a batch request
+      if DeviseTokenAuth.cookie_enabled && !@is_batch_request
         set_cookie(_auth_header_from_batch_request)
       end
     end # end lock

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -22,11 +22,15 @@ module DeviseTokenAuth
           redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
         else
           redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
-       end
+        end
 
-        redirect_to(redirect_to_link)
+        redirect_to(redirect_to_link, redirect_options)
       else
-        raise ActionController::RoutingError, 'Not Found'
+        if redirect_url
+          redirect_to DeviseTokenAuth::Url.generate(redirect_url, account_confirmation_success: false)
+        else
+          raise ActionController::RoutingError, 'Not Found'
+        end
       end
     end
 
@@ -81,6 +85,5 @@ module DeviseTokenAuth
         DeviseTokenAuth.default_confirm_success_url
       )
     end
-
   end
 end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -23,7 +23,7 @@ module DeviseTokenAuth
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route, status: 307
+      redirect_to redirect_route, {status: 307}.merge(redirect_options)
     end
 
     def get_redirect_route(devise_mapping)
@@ -111,7 +111,6 @@ module DeviseTokenAuth
         end
       end
       @_omniauth_params
-
     end
 
     # break out provider attribute assignment for easy method extension
@@ -133,23 +132,19 @@ module DeviseTokenAuth
     end
 
     def resource_class(mapping = nil)
-      if omniauth_params['resource_class']
-        omniauth_params['resource_class'].constantize
-      elsif params['resource_class']
-        params['resource_class'].constantize
-      else
-        raise 'No resource_class found'
-      end
+      return @resource_class if defined?(@resource_class)
+
+      constant_name = omniauth_params['resource_class'].presence || params['resource_class'].presence
+      @resource_class = ObjectSpace.each_object(Class).detect { |cls| cls.to_s == constant_name && cls.pretty_print_inspect.starts_with?(constant_name) }
+      raise 'No resource_class found' if @resource_class.nil?
+
+      @resource_class
     end
 
     def resource_name
       resource_class
     end
 
-    def omniauth_window_type
-      omniauth_params['omniauth_window_type']
-    end
-
     def unsafe_auth_origin_url
       omniauth_params['auth_origin_url'] || omniauth_params['origin']
     end
@@ -168,12 +163,11 @@ module DeviseTokenAuth
       omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
     end
 
-    # this sesison value is set by the redirect_callbacks method. its purpose
+    # this session value is set by the redirect_callbacks method. its purpose
     # is to persist the omniauth auth hash value thru a redirect. the value
-    # must be destroyed immediatly after it is accessed by omniauth_success
+    # must be destroyed immediately after it is accessed by omniauth_success
     def auth_hash
       @_auth_hash ||= session.delete('dta.omniauth.auth')
-      @_auth_hash
     end
 
     # ensure that this controller responds to :devise_controller? conditionals.
@@ -233,7 +227,7 @@ module DeviseTokenAuth
       elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
 
         # build and redirect to destination url
-        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true).merge(redirect_options))
       else
 
         # there SHOULD always be an auth_origin_url, but if someone does something silly
@@ -287,5 +281,4 @@ module DeviseTokenAuth
       @resource
     end
   end
-
 end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -49,7 +49,8 @@ module DeviseTokenAuth
         yield @resource if block_given?
 
         if require_client_password_reset_token?
-          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token]),
+          redirect_options
         else
           if DeviseTokenAuth.cookie_enabled
             set_token_in_cookie(@resource, token)
@@ -60,7 +61,8 @@ module DeviseTokenAuth
                                                     token.client,
                                                     redirect_header_options)
           redirect_to(@resource.build_auth_url(@redirect_url,
-                                               redirect_headers))
+                                               redirect_headers),
+                                               redirect_options)
         end
       else
         render_edit_error

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -11,11 +11,7 @@ module DeviseTokenAuth
     end
 
     def create
-      # Check
-      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
-
-      @resource = nil
-      if field
+      if field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
         q_value = get_case_insensitive_field_from_resource_params(field)
 
         @resource = find_resource(field, q_value)
@@ -29,18 +25,19 @@ module DeviseTokenAuth
 
         create_and_assign_token
 
-        sign_in(:user, @resource, store: false, bypass: false)
+        sign_in(@resource, scope: :user, store: false, bypass: false)
 
         yield @resource if block_given?
 
         render_create_success
-      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      elsif @resource && !Devise.paranoid && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
         if @resource.respond_to?(:locked_at) && @resource.locked_at
           render_create_error_account_locked
         else
           render_create_error_not_confirmed
         end
       else
+        hash_password_in_paranoid_mode
         render_create_error_bad_credentials
       end
     end
@@ -78,7 +75,6 @@ module DeviseTokenAuth
     def get_auth_params
       auth_key = nil
       auth_val = nil
-
       # iterate thru allowed auth keys, use first found
       resource_class.authentication_keys.each do |k|
         if resource_params[k]
@@ -145,5 +141,13 @@ module DeviseTokenAuth
         @resource.save!
       end
     end
+
+    def hash_password_in_paranoid_mode
+      # In order to avoid timing attacks in paranoid mode, we want the password hash to be
+      # calculated even if no resource has been found. Devise's DatabaseAuthenticatable warden
+      # strategy handles this case similarly:
+      # https://github.com/heartcombo/devise/blob/main/lib/devise/strategies/database_authenticatable.rb
+      resource_class.new.password = resource_params[:password] if Devise.paranoid
+    end
   end
 end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -44,7 +44,8 @@ module DeviseTokenAuth
                                                   token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
-                                             redirect_headers))
+                                             redirect_headers),
+                                             redirect_options)
       else
         render_show_error
       end

data/app/models/devise_token_auth/concerns/user.rb

@@ -176,10 +176,10 @@ module DeviseTokenAuth::Concerns::User
       updated_at: now
     )
 
-    update_auth_header(token.token, token.client)
+    update_auth_headers(token.token, token.client)
   end
 
-  def build_auth_header(token, client = 'default')
+  def build_auth_headers(token, client = 'default')
     # client may use expiry to prevent validation request if expired
     # must be cast as string or headers will break
     expiry = tokens[client]['expiry'] || tokens[client][:expiry]
@@ -190,17 +190,19 @@ module DeviseTokenAuth::Concerns::User
       DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
       DeviseTokenAuth.headers_names[:"uid"]          => uid
     }
-    headers.merge!(build_bearer_token(headers))
+    headers.merge(build_bearer_token(headers))
   end
 
   def build_bearer_token(auth)
+    return {} if DeviseTokenAuth.cookie_enabled # There is no need for the bearer token if it is using cookies
+
     encoded_token = Base64.strict_encode64(auth.to_json)
     bearer_token = "Bearer #{encoded_token}"
-    {DeviseTokenAuth.headers_names[:"authorization"] => bearer_token}
+    { DeviseTokenAuth.headers_names[:"authorization"] => bearer_token }
   end
 
-  def update_auth_header(token, client = 'default')
-    headers = build_auth_header(token, client)
+  def update_auth_headers(token, client = 'default')
+    headers = build_auth_headers(token, client)
     clean_old_tokens
     save!
 
@@ -216,7 +218,7 @@ module DeviseTokenAuth::Concerns::User
 
   def extend_batch_buffer(token, client)
     tokens[client]['updated_at'] = Time.zone.now
-    update_auth_header(token, client)
+    update_auth_headers(token, client)
   end
 
   def confirmed?

data/lib/devise_token_auth/rails/routes.rb

@@ -65,8 +65,8 @@ module ActionDispatch::Routing
 
           # omniauth routes. only define if omniauth is installed and not skipped.
           if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
-            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get]
-            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get]
+            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
+            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get, :post]
 
             match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: 'redirect_callbacks', via: [:get, :post]
             match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
@@ -75,7 +75,8 @@ module ActionDispatch::Routing
             # resource as "resource_class" param
             match "#{full_path}/:provider", to: redirect(status: 307) { |params, request|
               # get the current querystring
-              qs = CGI::parse(request.env['QUERY_STRING'])
+              # TODO: deprecate in favor of using params
+              qs = CGI::parse(request.env['QUERY_STRING'].empty? ? request.body.read : request.env['QUERY_STRING'] )
 
               # append name of current resource
               qs['resource_class'] = [resource]

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.2.1'.freeze
+  VERSION = '1.2.2'.freeze
 end

data/lib/generators/devise_token_auth/templates/devise_token_auth.rb

@@ -42,11 +42,14 @@ DeviseTokenAuth.setup do |config|
   # config.default_callbacks = true
 
   # Makes it possible to change the headers names
-  # config.headers_names = {:'access-token' => 'access-token',
-  #                        :'client' => 'client',
-  #                        :'expiry' => 'expiry',
-  #                        :'uid' => 'uid',
-  #                        :'token-type' => 'token-type' }
+  # config.headers_names = {
+  #   :'authorization' => 'Authorization',
+  #   :'access-token' => 'access-token',
+  #   :'client' => 'client',
+  #   :'expiry' => 'expiry',
+  #   :'uid' => 'uid',
+  #   :'token-type' => 'token-type'
+  # }
 
   # Makes it possible to use custom uid column
   # config.other_uid = "foo"

data/test/controllers/custom/custom_confirmations_controller_test.rb

@@ -11,7 +11,7 @@ class Custom::ConfirmationsControllerTest < ActionController::TestCase
       @new_user = create(:user)
       @new_user.send_confirmation_instructions(redirect_url: @redirect_url)
       @mail          = ActionMailer::Base.deliveries.last
-      @token         = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+      @token         = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
       @client_config = @mail.body.match(/config=([^&]*)&/)[1]
 
       get :show,

data/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb

@@ -20,7 +20,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest
 
     test 'yield resource to block on omniauth_success success' do
       @redirect_url = 'http://ng-token-auth.dev/'
-      get '/nice_user_auth/facebook',
+      post '/nice_user_auth/facebook',
           params: { auth_origin_url: @redirect_url,
                     omniauth_window_type: 'newWindow' }
 

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -11,7 +11,7 @@ require 'test_helper'
 class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
   describe DeviseTokenAuth::ConfirmationsController do
     def token_and_client_config_from(body)
-      token         = body.match(/confirmation_token=([^&]*)&/)[1]
+      token         = body.match(/confirmation_token=([^&]*)[&"]/)[1]
       client_config = body.match(/config=([^&]*)&/)[1]
       [token, client_config]
     end
@@ -202,9 +202,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
 
       describe 'failure' do
         test 'user should not be confirmed' do
-          assert_raises(ActionController::RoutingError) do
-            get :show, params: { confirmation_token: 'bogus' }
-          end
+          get :show,
+              params: { confirmation_token: 'bogus',
+                        redirect_url: @redirect_url }
+
+          assert_redirected_to(/^#{@redirect_url}/)
+
           @resource = assigns(:resource)
           refute @resource.confirmed?
         end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -13,7 +13,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
   end
 
   before do
-    @redirect_url = 'http://ng-token-auth.dev/'
+    @redirect_url = 'https://ng-token-auth.dev/'
   end
 
   def get_parsed_data_json
@@ -98,7 +98,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'with alternate user model' do
       before do
-        get '/mangs/facebook',
+        post '/mangs/facebook',
             params: {
               auth_origin_url: @redirect_url,
               omniauth_window_type: 'newWindow'
@@ -123,7 +123,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       before do
         @fav_color = 'alizarin crimson'
         @unpermitted_param = 'M. Bison'
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       favorite_color: @fav_color,
                       name: @unpermitted_param,
@@ -160,7 +160,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response contains oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
 
@@ -176,7 +176,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         end
 
         test 'response does not contain oauth_registration attr' do
-          get '/auth/facebook',
+          post '/auth/facebook',
               params: { auth_origin_url: @redirect_url,
                         omniauth_window_type: 'newWindow' }
 
@@ -189,7 +189,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'using namespaces' do
       before do
-        get '/api/v1/auth/facebook',
+        post '/api/v1/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -234,7 +234,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     describe 'with omniauth_window_type=sameWindow' do
       test 'redirects to auth_origin_url with all expected query params' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: '/auth_origin',
                       omniauth_window_type: 'sameWindow' }
 
@@ -258,7 +258,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     end
 
     def get_success(params = {})
-      get '/auth/facebook',
+      post '/auth/facebook',
           params: {
             auth_origin_url: @redirect_url,
             omniauth_window_type: 'newWindow'
@@ -282,7 +282,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'renders expected data' do
       silence_omniauth do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -298,7 +298,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'renders something with no auth_origin_url' do
       silence_omniauth do
-        get '/auth/facebook'
+        post '/auth/facebook'
         follow_all_redirects!
       end
       assert_equal 200, response.status
@@ -339,7 +339,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request using non-whitelisted redirect fail' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @bad_redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -351,7 +351,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request to whitelisted redirect should succeed' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: @good_redirect_url,
               omniauth_window_type: 'newWindow'
@@ -365,7 +365,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
       test 'should support wildcards' do
         DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @good_redirect_url,
                       omniauth_window_type: 'newWindow' }
 
@@ -397,7 +397,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request using non-whitelisted redirect fail' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: { auth_origin_url: @bad_redirect_url,
                       omniauth_window_type: 'sameWindow' }
 
@@ -408,7 +408,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
       end
 
       test 'request to whitelisted redirect should succeed' do
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: '/auth_origin',
               omniauth_window_type: 'sameWindow'
@@ -422,7 +422,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
       test 'should support wildcards' do
         DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"]
-        get '/auth/facebook',
+        post '/auth/facebook',
             params: {
               auth_origin_url: '/auth_origin',
               omniauth_window_type: 'sameWindow'
@@ -433,9 +433,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
         assert_equal 200, response.status
         assert_equal false, response.body.include?("Redirect to '#{@good_redirect_url}' not allowed")
       end
-
-
     end
-
   end
 end

data/test/controllers/devise_token_auth/registrations_controller_test.rb

@@ -306,7 +306,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
         @data = JSON.parse(response.body)
         @mail = ActionMailer::Base.deliveries.last
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end
@@ -826,7 +826,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 
         @resource.reload
 
-        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)&/)[1]
+        @mail_reset_token  = @mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
         @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=(.*)\"/)[1])
         @mail_config_name  = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1])
       end

data/test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -39,13 +39,17 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
         describe 'using auth cookie' do
           before do
             DeviseTokenAuth.cookie_enabled = true
+            post :create, params: @user_session_params
           end
 
           test 'request should return auth cookie' do
-            post :create, params: @user_session_params
             assert response.cookies[DeviseTokenAuth.cookie_name]
           end
 
+          test 'request should not include bearer token' do
+            assert_nil response.headers["Authorization"]
+          end
+
           after do
             DeviseTokenAuth.cookie_enabled = false
           end
@@ -306,23 +310,47 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Unconfirmed user' do
-      before do
-        @unconfirmed_user = create(:user)
-        post :create, params: { email: @unconfirmed_user.email,
-                                password: @unconfirmed_user.password }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          post :create, params: { email: @unconfirmed_user.email,
+                                  password: @unconfirmed_user.password }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.not_confirmed',
+                              email: @unconfirmed_user.email)]
+        end
       end
+      
+      describe 'With paranoid mode' do
+        before do
+          @unconfirmed_user = create(:user)
+          swap Devise, paranoid: true do
+            post :create, params: { email: @unconfirmed_user.email,
+                                    password: @unconfirmed_user.password }
+          end
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'response should contain errors' do
-        assert @data['errors']
-        assert_equal @data['errors'],
-                     [I18n.t('devise_token_auth.sessions.not_confirmed',
-                             email: @unconfirmed_user.email)]
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors that do not leak the existence of the account' do
+          assert @data['errors']
+          assert_equal @data['errors'],
+                      [I18n.t('devise_token_auth.sessions.bad_credentials')]
+        end
       end
     end
 
@@ -371,20 +399,42 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
     end
 
     describe 'Non-existing user' do
-      before do
-        post :create,
-             params: { email: -> { Faker::Internet.email },
-                       password: -> { Faker::Number.number(10) } }
-        @resource = assigns(:resource)
-        @data = JSON.parse(response.body)
-      end
+      describe 'Without paranoid mode' do
+        before do
+          post :create,
+              params: { email: -> { Faker::Internet.email },
+                        password: -> { Faker::Number.number(10) } }
+          @resource = assigns(:resource)
+          @data = JSON.parse(response.body)
+        end
 
-      test 'request should fail' do
-        assert_equal 401, response.status
+        test 'request should fail' do
+          assert_equal 401, response.status
+        end
+
+        test 'response should contain errors' do
+          assert @data['errors']
+        end
       end
 
-      test 'response should contain errors' do
-        assert @data['errors']
+      describe 'With paranoid mode' do
+        before do
+          mock_hash = '$2a$04$MUWADkfA6MHXDdWHoep6QOvX1o0Y56pNqt3NMWQ9zCRwKSp1HZJba'
+          @bcrypt_mock = MiniTest::Mock.new
+          @bcrypt_mock.expect(:call, mock_hash, [Object, String])
+
+          swap Devise, paranoid: true do
+            BCrypt::Engine.stub :hash_secret, @bcrypt_mock do
+              post :create,
+                  params: { email: -> { Faker::Internet.email },
+                            password: -> { Faker::Number.number(10) } }
+            end
+          end
+        end
+        
+        test 'password should be hashed' do
+          @bcrypt_mock.verify
+        end
       end
     end
 
@@ -468,21 +518,44 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
 
       describe 'locked user' do
-        before do
-          @locked_user = create(:lockable_user, :locked)
-          post :create,
-               params: { email: @locked_user.email,
-                         password: @locked_user.password }
-          @data = JSON.parse(response.body)
-        end
+        describe 'Without paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            post :create,
+                params: { email: @locked_user.email,
+                          password: @locked_user.password }
+            @data = JSON.parse(response.body)
+          end
 
-        test 'request should fail' do
-          assert_equal 401, response.status
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+          end
         end
 
-        test 'response should contain errors' do
-          assert @data['errors']
-          assert_equal @data['errors'], [I18n.t('devise.mailer.unlock_instructions.account_lock_msg')]
+        describe 'With paranoid mode' do
+          before do
+            @locked_user = create(:lockable_user, :locked)
+            swap Devise, paranoid: true do
+              post :create,
+                  params: { email: @locked_user.email,
+                            password: @locked_user.password }
+            end
+            @data = JSON.parse(response.body)
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'response should contain errors that do not leak the existence of the account' do
+            assert @data['errors']
+            assert_equal @data['errors'], [I18n.t('devise_token_auth.sessions.bad_credentials')]
+          end
         end
       end
 

data/test/controllers/overrides/omniauth_callbacks_controller_test.rb

@@ -25,7 +25,7 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe
 
       @favorite_color = 'gray'
 
-      get '/evil_user_auth/facebook',
+      post '/evil_user_auth/facebook',
           params: {
             auth_origin_url: Faker::Internet.url,
             favorite_color: @favorite_color,

data/test/dummy/app/controllers/application_controller.rb

@@ -8,11 +8,7 @@ class ApplicationController < ActionController::Base
   protected
 
   def configure_permitted_parameters
-    permitted_parameters = devise_parameter_sanitizer.instance_values['permitted']
-    permitted_parameters[:sign_up] << :operating_thetan
-    permitted_parameters[:sign_up] << :favorite_color
-    permitted_parameters[:account_update] << :operating_thetan
-    permitted_parameters[:account_update] << :favorite_color
-    permitted_parameters[:account_update] << :current_password
+    devise_parameter_sanitizer.permit(:sign_up, keys: [:operating_thetan, :favorite_color])
+    devise_parameter_sanitizer.permit(:account_update, keys: [:operating_thetan, :favorite_color, :current_password])
   end
 end

data/test/dummy/app/controllers/overrides/confirmations_controller.rb

@@ -19,7 +19,8 @@ module Overrides
                                                   redirect_header_options)
 
         redirect_to(@resource.build_auth_url(params[:redirect_url],
-                                             redirect_headers))
+                                             redirect_headers),
+                                             redirect_options)
       else
         raise ActionController::RoutingError, 'Not Found'
       end

data/test/dummy/app/controllers/overrides/passwords_controller.rb

@@ -26,7 +26,8 @@ module Overrides
                                                   token.client,
                                                   redirect_header_options)
         redirect_to(@resource.build_auth_url(params[:redirect_url],
-                                             redirect_headers))
+                                             redirect_headers),
+                                             redirect_options)
       else
         raise ActionController::RoutingError, 'Not Found'
       end

data/test/dummy/config/environments/test.rb

@@ -15,14 +15,18 @@ Rails.application.configure do
   config.eager_load = false
 
   # Configure static asset server for tests with Cache-Control for performance.
-  Rails::VERSION::MAJOR == 5 ?
+  Rails::VERSION::MAJOR >= 5 ?
       (config.public_file_server.enabled = true) :
       (config.serve_static_files  = true)
 
-  Rails::VERSION::MAJOR == 5 ?
+  Rails::VERSION::MAJOR >= 5 ?
       (config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }) :
       (config.static_cache_control = 'public, max-age=3600')
 
+  if Rails::VERSION::MAJOR > 6 && ENV['DEVISE_TOKEN_AUTH_ORM'] != 'mongoid'
+    config.active_record.legacy_connection_handling = false
+  end
+
   # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false

data/test/dummy/tmp/generators/app/models/user.rb

@@ -1,11 +1,9 @@
-              class User < ApplicationRecord
-            # Include default devise modules.
-            devise :database_authenticatable, :registerable,
-                    :recoverable, :rememberable, :trackable, :validatable,
-                    :confirmable, :omniauthable
-            include DeviseTokenAuth::Concerns::User
+# frozen_string_literal: true
 
-                def whatever
-                  puts 'whatever'
-                end
-              end
+class User < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+  include DeviseTokenAuth::Concerns::User
+end

data/test/dummy/tmp/generators/config/initializers/devise_token_auth.rb

@@ -42,11 +42,17 @@ DeviseTokenAuth.setup do |config|
   # config.default_callbacks = true
 
   # Makes it possible to change the headers names
-  # config.headers_names = {:'access-token' => 'access-token',
-  #                        :'client' => 'client',
-  #                        :'expiry' => 'expiry',
-  #                        :'uid' => 'uid',
-  #                        :'token-type' => 'token-type' }
+  # config.headers_names = {
+  #   :'authorization' => 'Authorization',
+  #   :'access-token' => 'access-token',
+  #   :'client' => 'client',
+  #   :'expiry' => 'expiry',
+  #   :'uid' => 'uid',
+  #   :'token-type' => 'token-type'
+  # }
+
+  # Makes it possible to use custom uid column
+  # config.other_uid = "foo"
 
   # By default, only Bearer Token authentication is implemented out of the box.
   # If, however, you wish to integrate with legacy Devise authentication, you can

data/test/dummy/tmp/generators/db/migrate/{20220822003050_devise_token_auth_create_users.rb → 20230415183419_devise_token_auth_create_users.rb}

@@ -1,7 +1,7 @@
-class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[5.2]
+class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[7.0]
   def change
     
-    create_table(:users) do |t|
+    create_table(:users, id: :uuid) do |t|
       ## Required
       t.string :provider, :null => false, :default => "email"
       t.string :uid, :null => false, :default => ""

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.2.2
 platform: ruby
 authors:
 - Lynn Hurley
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-10 00:00:00.000000000 Z
+date: 2023-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -146,14 +146,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
 description: For use with client side single page apps such as the venerable https://github.com/lynndylanhurley/ng-token-auth.
 email:
 - lynn.dylan.hurley@gmail.com
@@ -321,7 +321,7 @@ files:
 - test/dummy/lib/migration_database_helper.rb
 - test/dummy/tmp/generators/app/models/user.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb
+- test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb
 - test/factories/users.rb
 - test/lib/devise_token_auth/blacklist_test.rb
 - test/lib/devise_token_auth/rails/custom_routes_test.rb
@@ -338,11 +338,11 @@ files:
 - test/models/user_test.rb
 - test/support/controllers/routes.rb
 - test/test_helper.rb
-homepage: http://github.com/lynndylanhurley/devise_token_auth
+homepage: https://github.com/lynndylanhurley/devise_token_auth
 licenses:
 - WTFPL
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -357,119 +357,119 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
-signing_key: 
+rubygems_version: 3.3.7
+signing_key:
 specification_version: 4
 summary: Token based authentication for rails. Uses Devise + OmniAuth.
 test_files:
-- test/dummy/app/mongoid/only_email_user.rb
-- test/dummy/app/mongoid/scoped_user.rb
-- test/dummy/app/mongoid/confirmable_user.rb
-- test/dummy/app/mongoid/mang.rb
-- test/dummy/app/mongoid/unregisterable_user.rb
-- test/dummy/app/mongoid/lockable_user.rb
-- test/dummy/app/mongoid/unconfirmable_user.rb
-- test/dummy/app/mongoid/user.rb
-- test/dummy/app/models/concerns/favorite_color.rb
-- test/dummy/app/active_record/only_email_user.rb
-- test/dummy/app/active_record/scoped_user.rb
+- test/controllers/custom/custom_confirmations_controller_test.rb
+- test/controllers/custom/custom_omniauth_callbacks_controller_test.rb
+- test/controllers/custom/custom_passwords_controller_test.rb
+- test/controllers/custom/custom_registrations_controller_test.rb
+- test/controllers/custom/custom_sessions_controller_test.rb
+- test/controllers/custom/custom_token_validations_controller_test.rb
+- test/controllers/demo_group_controller_test.rb
+- test/controllers/demo_mang_controller_test.rb
+- test/controllers/demo_user_controller_test.rb
+- test/controllers/devise_token_auth/confirmations_controller_test.rb
+- test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
+- test/controllers/devise_token_auth/passwords_controller_test.rb
+- test/controllers/devise_token_auth/registrations_controller_test.rb
+- test/controllers/devise_token_auth/sessions_controller_test.rb
+- test/controllers/devise_token_auth/token_validations_controller_test.rb
+- test/controllers/devise_token_auth/unlocks_controller_test.rb
+- test/controllers/overrides/confirmations_controller_test.rb
+- test/controllers/overrides/omniauth_callbacks_controller_test.rb
+- test/controllers/overrides/passwords_controller_test.rb
+- test/controllers/overrides/registrations_controller_test.rb
+- test/controllers/overrides/sessions_controller_test.rb
+- test/controllers/overrides/token_validations_controller_test.rb
+- test/dummy/README.rdoc
 - test/dummy/app/active_record/confirmable_user.rb
-- test/dummy/app/active_record/mang.rb
-- test/dummy/app/active_record/unregisterable_user.rb
 - test/dummy/app/active_record/lockable_user.rb
+- test/dummy/app/active_record/mang.rb
+- test/dummy/app/active_record/only_email_user.rb
+- test/dummy/app/active_record/scoped_user.rb
 - test/dummy/app/active_record/unconfirmable_user.rb
+- test/dummy/app/active_record/unregisterable_user.rb
 - test/dummy/app/active_record/user.rb
-- test/dummy/app/controllers/overrides/token_validations_controller.rb
-- test/dummy/app/controllers/overrides/omniauth_callbacks_controller.rb
-- test/dummy/app/controllers/overrides/passwords_controller.rb
-- test/dummy/app/controllers/overrides/sessions_controller.rb
-- test/dummy/app/controllers/overrides/confirmations_controller.rb
-- test/dummy/app/controllers/overrides/registrations_controller.rb
 - test/dummy/app/controllers/application_controller.rb
-- test/dummy/app/controllers/demo_user_controller.rb
 - test/dummy/app/controllers/auth_origin_controller.rb
-- test/dummy/app/controllers/demo_mang_controller.rb
-- test/dummy/app/controllers/demo_group_controller.rb
-- test/dummy/app/controllers/custom/token_validations_controller.rb
+- test/dummy/app/controllers/custom/confirmations_controller.rb
 - test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb
 - test/dummy/app/controllers/custom/passwords_controller.rb
-- test/dummy/app/controllers/custom/sessions_controller.rb
-- test/dummy/app/controllers/custom/confirmations_controller.rb
 - test/dummy/app/controllers/custom/registrations_controller.rb
-- test/dummy/app/views/layouts/application.html.erb
+- test/dummy/app/controllers/custom/sessions_controller.rb
+- test/dummy/app/controllers/custom/token_validations_controller.rb
+- test/dummy/app/controllers/demo_group_controller.rb
+- test/dummy/app/controllers/demo_mang_controller.rb
+- test/dummy/app/controllers/demo_user_controller.rb
+- test/dummy/app/controllers/overrides/confirmations_controller.rb
+- test/dummy/app/controllers/overrides/omniauth_callbacks_controller.rb
+- test/dummy/app/controllers/overrides/passwords_controller.rb
+- test/dummy/app/controllers/overrides/registrations_controller.rb
+- test/dummy/app/controllers/overrides/sessions_controller.rb
+- test/dummy/app/controllers/overrides/token_validations_controller.rb
 - test/dummy/app/helpers/application_helper.rb
-- test/dummy/config/routes.rb
-- test/dummy/config/environments/production.rb
-- test/dummy/config/environments/development.rb
-- test/dummy/config/environments/test.rb
-- test/dummy/config/spring.rb
-- test/dummy/config/environment.rb
+- test/dummy/app/models/concerns/favorite_color.rb
+- test/dummy/app/mongoid/confirmable_user.rb
+- test/dummy/app/mongoid/lockable_user.rb
+- test/dummy/app/mongoid/mang.rb
+- test/dummy/app/mongoid/only_email_user.rb
+- test/dummy/app/mongoid/scoped_user.rb
+- test/dummy/app/mongoid/unconfirmable_user.rb
+- test/dummy/app/mongoid/unregisterable_user.rb
+- test/dummy/app/mongoid/user.rb
+- test/dummy/app/views/layouts/application.html.erb
 - test/dummy/config/application.rb
-- test/dummy/config/boot.rb
 - test/dummy/config/application.yml.bk
+- test/dummy/config/boot.rb
+- test/dummy/config/environment.rb
+- test/dummy/config/environments/development.rb
+- test/dummy/config/environments/production.rb
+- test/dummy/config/environments/test.rb
 - test/dummy/config/initializers/backtrace_silencers.rb
+- test/dummy/config/initializers/cookies_serializer.rb
+- test/dummy/config/initializers/devise.rb
 - test/dummy/config/initializers/devise_token_auth.rb
-- test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/figaro.rb
 - test/dummy/config/initializers/filter_parameter_logging.rb
+- test/dummy/config/initializers/inflections.rb
+- test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/omniauth.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/initializers/wrap_parameters.rb
-- test/dummy/config/initializers/cookies_serializer.rb
-- test/dummy/config/initializers/devise.rb
-- test/dummy/config/initializers/omniauth.rb
-- test/dummy/config/initializers/inflections.rb
-- test/dummy/config/initializers/figaro.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/spring.rb
 - test/dummy/config.ru
-- test/dummy/lib/migration_database_helper.rb
-- test/dummy/db/schema.rb
-- test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb
+- test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb
+- test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb
 - test/dummy/db/migrate/20140829044006_add_operating_thetan_to_user.rb
 - test/dummy/db/migrate/20140916224624_add_favorite_color_to_mangs.rb
-- test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb
 - test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb
-- test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb
+- test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb
+- test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb
 - test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb
-- test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb
-- test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb
+- test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb
 - test/dummy/db/migrate/20190924101113_devise_token_auth_create_confirmable_users.rb
+- test/dummy/db/schema.rb
+- test/dummy/lib/migration_database_helper.rb
 - test/dummy/tmp/generators/app/models/user.rb
 - test/dummy/tmp/generators/config/initializers/devise_token_auth.rb
-- test/dummy/tmp/generators/db/migrate/20220822003050_devise_token_auth_create_users.rb
-- test/dummy/README.rdoc
-- test/models/only_email_user_test.rb
-- test/models/confirmable_user_test.rb
-- test/models/concerns/mongoid_support_test.rb
-- test/models/concerns/tokens_serialization_test.rb
-- test/models/user_test.rb
-- test/support/controllers/routes.rb
+- test/dummy/tmp/generators/db/migrate/20230415183419_devise_token_auth_create_users.rb
 - test/factories/users.rb
-- test/lib/devise_token_auth/url_test.rb
 - test/lib/devise_token_auth/blacklist_test.rb
-- test/lib/devise_token_auth/token_factory_test.rb
 - test/lib/devise_token_auth/rails/custom_routes_test.rb
 - test/lib/devise_token_auth/rails/routes_test.rb
+- test/lib/devise_token_auth/token_factory_test.rb
+- test/lib/devise_token_auth/url_test.rb
 - test/lib/generators/devise_token_auth/install_generator_test.rb
-- test/lib/generators/devise_token_auth/install_views_generator_test.rb
 - test/lib/generators/devise_token_auth/install_generator_with_namespace_test.rb
+- test/lib/generators/devise_token_auth/install_views_generator_test.rb
+- test/models/concerns/mongoid_support_test.rb
+- test/models/concerns/tokens_serialization_test.rb
+- test/models/confirmable_user_test.rb
+- test/models/only_email_user_test.rb
+- test/models/user_test.rb
+- test/support/controllers/routes.rb
 - test/test_helper.rb
-- test/controllers/overrides/token_validations_controller_test.rb
-- test/controllers/overrides/confirmations_controller_test.rb
-- test/controllers/overrides/registrations_controller_test.rb
-- test/controllers/overrides/omniauth_callbacks_controller_test.rb
-- test/controllers/overrides/sessions_controller_test.rb
-- test/controllers/overrides/passwords_controller_test.rb
-- test/controllers/demo_mang_controller_test.rb
-- test/controllers/devise_token_auth/token_validations_controller_test.rb
-- test/controllers/devise_token_auth/confirmations_controller_test.rb
-- test/controllers/devise_token_auth/unlocks_controller_test.rb
-- test/controllers/devise_token_auth/registrations_controller_test.rb
-- test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
-- test/controllers/devise_token_auth/sessions_controller_test.rb
-- test/controllers/devise_token_auth/passwords_controller_test.rb
-- test/controllers/demo_user_controller_test.rb
-- test/controllers/custom/custom_omniauth_callbacks_controller_test.rb
-- test/controllers/custom/custom_sessions_controller_test.rb
-- test/controllers/custom/custom_confirmations_controller_test.rb
-- test/controllers/custom/custom_token_validations_controller_test.rb
-- test/controllers/custom/custom_registrations_controller_test.rb
-- test/controllers/custom/custom_passwords_controller_test.rb
-- test/controllers/demo_group_controller_test.rb