devise_token_auth 1.2.5 → 1.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e031d0a5148c716c1b4f2d9d2f6a71de42d46271b8d5b35c958440bb59e572c9
-  data.tar.gz: e194048efc1fd92ec64c815d6b6863e1abfcb73f2f06b6da8f4ff7b69dce4da3
+  metadata.gz: 2950da8c6b3eac0a2a3ee2b1659d5e321ca9890e5a9b0a1525dcbf11e95d67dd
+  data.tar.gz: d04830c1c12f69b3537e80fae17d5914b0b22272a52b78d7226a04be560cadea
 SHA512:
-  metadata.gz: 6015bc177925ae7a86cbf2e3f010172bfa6c8e30e1409d749e916896e05bf3fc8b55d046c533f4569faed058126924c8105f89ebebcbb3a4cf252472438031d6
-  data.tar.gz: 70412779543cf2c98b1623b7873d484ec430c6f5e3c4329f806aafaeaf63e0d1ff95ddbf02af9cd34a194d4a5fed41bbdf848597eee7bf3ba772927970993e7b
+  metadata.gz: 0a7e1dcce01dabc1e270926ff05b54c166d861232ef6ecf7547d88442e2d11ab7c104fef833312bf73a69dd5e3dd7df4923f050baf3e4aee877f32df6392d352
+  data.tar.gz: b44b9aa57a43fb58e86a7985957e9a5d425787ae65e898b480d7fefe02bf573433f27af356512ae2a4989c3a6d9f0b91a9cc1a1b3b2ef3f95a4b39557472ffa7

data/README.md

@@ -23,6 +23,7 @@ Also, it maintains a session for each client/device, so you can have as many ses
   * [redux-token-auth](https://github.com/kylecorbelli/redux-token-auth) for [React with Redux](https://github.com/reactjs/react-redux)
   * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/)
   * [vanilla-token-auth](https://github.com/theblang/vanilla-token-auth) for an unopinionated client
+  * [flutter_token_auth](https://github.com/diarmuidr3d/flutter_token_auth) for Flutter
 * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth).
 * Email authentication using [Devise](https://github.com/plataformatec/devise), including:
   * User registration, update and deletion

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -56,7 +56,7 @@ module DeviseTokenAuth
             set_token_in_cookie(@resource, token)
           end
 
-          redirect_header_options = { reset_password: true }
+          redirect_header_options = { reset_password: true, reset_password_token: resource_params[:reset_password_token] }
           redirect_headers = build_redirect_headers(token.token,
                                                     token.client,
                                                     redirect_header_options)
@@ -73,7 +73,7 @@ module DeviseTokenAuth
       # make sure user is authorized
       if require_client_password_reset_token? && resource_params[:reset_password_token]
         @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
-        return render_update_error_unauthorized unless @resource
+        return render_update_error_unauthorized unless @resource && @resource.reset_password_period_valid?
 
         @token = @resource.create_token
       else

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -131,7 +131,7 @@ module DeviseTokenAuth
     end
 
     def create_and_assign_token
-      if @resource.respond_to?(:with_lock)
+      if @resource.respond_to?(:with_lock) && !@resource.changed?
         @resource.with_lock do
           @token = @resource.create_token
           @resource.save!

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -3,7 +3,7 @@ module DeviseTokenAuth::Concerns::ConfirmableSupport
 
   included do
     # Override standard devise `postpone_email_change?` method
-    # for not to use `will_save_change_to_email?` & `email_changed?` methods.
+    # for not to use `devise_will_save_change_to_email?` methods.
     def postpone_email_change?
       postpone = self.class.reconfirmable &&
         email_value_in_database != email &&

data/app/models/devise_token_auth/concerns/user.rb

@@ -41,8 +41,7 @@ module DeviseTokenAuth::Concerns::User
 
     # don't use default devise email validation
     def email_required?; false; end
-    def email_changed?; false; end
-    def will_save_change_to_email?; false; end
+    def devise_will_save_change_to_email?; false; end
 
     if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
       include DeviseTokenAuth::Concerns::ConfirmableSupport
@@ -259,17 +258,25 @@ module DeviseTokenAuth::Concerns::User
   end
 
   def clean_old_tokens
-    if tokens.present? && max_client_tokens_exceeded?
-      # Using Enumerable#sort_by on a Hash will typecast it into an associative
-      #   Array (i.e. an Array of key-value Array pairs). However, since Hashes
-      #   have an internal order in Ruby 1.9+, the resulting sorted associative
-      #   Array can be converted back into a Hash, while maintaining the sorted
-      #   order.
-      self.tokens = tokens.sort_by { |_cid, v| v[:expiry] || v['expiry'] }.to_h
-
-      # Since the tokens are sorted by expiry, shift the oldest client token
-      #   off the Hash until it no longer exceeds the maximum number of clients
-      tokens.shift while max_client_tokens_exceeded?
+    return if tokens.blank? || !max_client_tokens_exceeded?
+
+    # First, remove any tokens with expiry greater than current max allowed lifespan
+    #   this handles the case where token lifespan was reduced and old tokens exist
+    max_lifespan_expiry = Time.now.to_i + DeviseTokenAuth.token_lifespan.to_i
+    tokens_to_keep = tokens.select do |_cid, v|
+      expiry = (v[:expiry] || v['expiry']).to_i
+      expiry <= max_lifespan_expiry
     end
+
+    # Using Enumerable#sort_by on a Hash will typecast it into an associative
+    #   Array (i.e. an Array of key-value Array pairs). However, since Hashes
+    #   have an internal order in Ruby 1.9+, the resulting sorted associative
+    #   Array can be converted back into a Hash, while maintaining the sorted
+    #   order.
+    self.tokens = tokens_to_keep.sort_by { |_cid, v| v[:expiry] || v['expiry'] }.to_h
+
+    # Since the tokens are sorted by expiry, shift the oldest client token
+    #   off the Hash until it no longer exceeds the maximum number of clients
+    tokens.shift while max_client_tokens_exceeded?
   end
 end

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '1.2.5'.freeze
+  VERSION = '1.2.6'.freeze
 end

data/test/controllers/devise_token_auth/passwords_controller_test.rb

@@ -229,42 +229,73 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
 
           describe 'password reset link success' do
-            before do
-              get :edit,
-                  params: { reset_password_token: @mail_reset_token,
-                            redirect_url: @mail_redirect_url }
+            describe 'with require_client_password_reset_token is enabled' do
+              before do
+                DeviseTokenAuth.require_client_password_reset_token = true
+                get :edit,
+                    params: { reset_password_token: @mail_reset_token,
+                              redirect_url: @mail_redirect_url }
 
-              @resource.reload
+                @resource.reload
 
-              raw_qs = response.location.split('?')[1]
-              @qs = Rack::Utils.parse_nested_query(raw_qs)
+                raw_qs = response.location.split('?')[1]
+                @qs = Rack::Utils.parse_nested_query(raw_qs)
 
-              @access_token   = @qs['access-token']
-              @client_id      = @qs['client_id']
-              @client         = @qs['client']
-              @expiry         = @qs['expiry']
-              @reset_password = @qs['reset_password']
-              @token          = @qs['token']
-              @uid            = @qs['uid']
-            end
+                @reset_password_token = @qs['reset_password_token']
+              end
 
-            test 'response should have success redirect status' do
-              assert_equal 302, response.status
-            end
+              test 'response should have success redirect status' do
+                assert_equal 302, response.status
+              end
 
-            test 'response should contain auth params' do
-              assert @access_token
-              assert @client
-              assert @client_id
-              assert @expiry
-              assert @reset_password
-              assert @token
-              assert @uid
+              test 'response should contain reset_password_token param' do
+                assert_equal @mail_reset_token, @qs['reset_password_token']
+              end
             end
 
-            test 'response auth params should be valid' do
-              assert @resource.valid_token?(@token, @client_id)
-              assert @resource.valid_token?(@access_token, @client)
+            describe 'require_client_password_reset_token is disabled' do
+              before do
+                DeviseTokenAuth.require_client_password_reset_token = false
+                get :edit,
+                    params: { reset_password_token: @mail_reset_token,
+                              redirect_url: @mail_redirect_url }
+
+                @resource.reload
+
+                raw_qs = response.location.split('?')[1]
+                @qs = Rack::Utils.parse_nested_query(raw_qs)
+
+                @access_token   = @qs['access-token']
+                @client_id      = @qs['client_id']
+                @client         = @qs['client']
+                @expiry         = @qs['expiry']
+                @reset_password = @qs['reset_password']
+                @token          = @qs['token']
+                @uid            = @qs['uid']
+              end
+
+              test 'response should have success redirect status' do
+                assert_equal 302, response.status
+              end
+
+              test 'response should contain auth params' do
+                assert @access_token
+                assert @client
+                assert @client_id
+                assert @expiry
+                assert @reset_password
+                assert @token
+                assert @uid
+              end
+
+              test 'response auth params should be valid' do
+                assert @resource.valid_token?(@token, @client_id)
+                assert @resource.valid_token?(@access_token, @client)
+              end
+
+              test 'response should contain reset_password_token param' do
+                assert_equal @mail_reset_token, @qs['reset_password_token']
+              end
             end
           end
         end
@@ -715,6 +746,36 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase
           end
         end
 
+        describe 'with expired reset password token' do
+          before do
+            DeviseTokenAuth.require_client_password_reset_token = true
+            reset_password_token = @resource.send_reset_password_instructions
+            @resource.update! reset_password_sent_at: 2.days.ago
+
+            @new_password = Faker::Internet.password
+            @params = { password: @new_password,
+                        password_confirmation: @new_password,
+                        reset_password_token: reset_password_token }
+
+            put :update, params: @params
+
+            @data = JSON.parse(response.body)
+            @resource.reload
+          end
+
+          test 'request should fail' do
+            assert_equal 401, response.status
+          end
+
+          test 'new password should not authenticate user' do
+            assert !@resource.valid_password?(@new_password)
+          end
+
+          teardown do
+            DeviseTokenAuth.require_client_password_reset_token = false
+          end
+        end
+
         describe 'with invalid reset password token' do
           before do
             DeviseTokenAuth.require_client_password_reset_token = true

data/test/dummy/config/application.rb

@@ -2,6 +2,7 @@
 
 require File.expand_path('boot', __dir__)
 
+require 'logger'
 require 'action_controller/railtie'
 require 'action_mailer/railtie'
 require 'rails/generators'

data/test/dummy/config/environments/test.rb

@@ -23,7 +23,7 @@ Rails.application.configure do
       (config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }) :
       (config.static_cache_control = 'public, max-age=3600')
 
-  if Rails::VERSION::MAJOR > 6 && ENV['DEVISE_TOKEN_AUTH_ORM'] != 'mongoid'
+  if Rails::VERSION::MAJOR < 7 && ENV['DEVISE_TOKEN_AUTH_ORM'] != 'mongoid'
     config.active_record.legacy_connection_handling = false
   end
 
@@ -32,7 +32,11 @@ Rails.application.configure do
   config.action_controller.perform_caching = false
 
   # Raise exceptions instead of rendering exception templates.
-  config.action_dispatch.show_exceptions = false
+  if Rails::VERSION::MAJOR >= 7 && Rails::VERSION::MINOR > 0
+    config.action_dispatch.show_exceptions = :none
+  else
+    config.action_dispatch.show_exceptions = false
+  end
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false

data/test/models/user_test.rb

@@ -127,4 +127,98 @@ class UserTest < ActiveSupport::TestCase
       end
     end
   end
+
+  describe 'clean_old_tokens' do
+    before do
+      @resource = create(:user, :confirmed)
+      @token_lifespan = DeviseTokenAuth.token_lifespan
+      @max_client_count = DeviseTokenAuth.max_number_of_devices
+      DeviseTokenAuth.max_number_of_devices = 2
+      DeviseTokenAuth.token_lifespan = 1.week
+    end
+
+    after do
+      DeviseTokenAuth.token_lifespan = @token_lifespan
+      DeviseTokenAuth.max_number_of_devices = @max_client_count
+    end
+
+    test 'removes tokens with expiry beyond the maximum lifespan' do
+      # Create tokens with different expiry times
+      current_time = Time.now.to_i
+
+      max_lifespan = current_time + DeviseTokenAuth.token_lifespan.to_i
+
+      # Valid token within lifespan
+      @resource.tokens['valid_client'] = {
+        'token' => 'valid_token',
+        'expiry' => current_time + 1.day.to_i
+      }
+
+      # Token exactly at max lifespan (should be kept)
+      @resource.tokens['edge_client'] = {
+        'token' => 'edge_token',
+        'expiry' => max_lifespan
+      }
+
+      # Token beyond max lifespan (should be removed)
+      @resource.tokens['expired_client'] = {
+        'token' => 'expired_token',
+        'expiry' => max_lifespan + 1.day.to_i
+      }
+
+      # Call the method under test
+      @resource.send(:clean_old_tokens)
+
+      # Assert that tokens beyond lifespan were removed
+      assert @resource.tokens.key?('valid_client'), 'Valid token should be kept'
+      assert @resource.tokens.key?('edge_client'), 'Edge case token at max lifespan should be kept'
+      refute @resource.tokens.key?('expired_client'), 'Token beyond max lifespan should be removed'
+    end
+
+    test 'handles token lifespan reduction when creating token' do
+      # Setup: Create the maximum allowed number of tokens with a longer lifespan
+      DeviseTokenAuth.token_lifespan = 2.weeks
+      DeviseTokenAuth.max_number_of_devices = 3
+
+      # Create tokens at different times but all within the initial long lifespan
+      @resource.tokens = {}
+      @resource.tokens['client_1'] = {
+        'token' => 'token_1',
+        'expiry' => Time.now.to_i + 12.days.to_i
+      }
+
+      @resource.tokens['client_2'] = {
+        'token' => 'token_2',
+        'expiry' => Time.now.to_i + 10.days.to_i
+      }
+
+      @resource.tokens['client_3'] = {
+        'token' => 'token_3',
+        'expiry' => Time.now.to_i + 5.days.to_i
+      }
+
+      # We've reached the maximum number of devices/tokens
+      assert_equal 3, @resource.tokens.length
+
+      # Now reduce token lifespan - simulating a config change
+      DeviseTokenAuth.token_lifespan = 1.week
+
+      # Create a new token which should trigger clean_old_tokens
+      new_auth_headers = @resource.create_new_auth_token
+      new_client = new_auth_headers['client']
+
+      # The new token should exist
+      assert @resource.tokens.key?(new_client), 'New token should exist'
+
+      # Tokens exceeding the new reduced lifespan should be removed
+      refute @resource.tokens.key?('client_1'), 'Token with expiry > new lifespan should be removed'
+      refute @resource.tokens.key?('client_2'), 'Token with expiry > new lifespan should be removed'
+
+      # Token within new lifespan should be kept
+      assert @resource.tokens.key?('client_3'), 'Token within new reduced lifespan should be kept'
+
+      # We should have exactly 2 tokens: the new one and client_3
+      assert_equal 2, @resource.tokens.length
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.2.5
+  version: 1.2.6
 platform: ruby
 authors:
 - Lynn Hurley
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-06 00:00:00.000000000 Z
+date: 2025-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,7 +19,7 @@ dependencies:
         version: 4.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 4.2.0
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -144,16 +144,22 @@ dependencies:
   name: mongoid-locker
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 description: For use with client side single page apps such as the venerable https://github.com/lynndylanhurley/ng-token-auth.
 email:
 - lynn.dylan.hurley@gmail.com
@@ -358,7 +364,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
 summary: Token based authentication for rails. Uses Devise + OmniAuth.