devise_token_auth_multi_email 0.9.3 → 0.9.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97d2fd4e834ebf59bf88453da0029868b9d333bdd9a20b6f7247b64906020224
-  data.tar.gz: 03ab97bf9fddea5cf9927243bac3c2ef32523dca22319d41e58c216ce8a00bc4
+  metadata.gz: d0c66feab8adcbd8779659cfca55d37dafc2f7b597478d249f252e6a8d359fa9
+  data.tar.gz: 9e62f19a8c193602b0c8063d2b569a07ed6864a961d9363e95aef335907f74d6
 SHA512:
-  metadata.gz: ee478a5fe378cd3d51e8f523e7a08703af2d98047e5abe273190e61356218a597063917c4871a97413df0b36e6e0e60c48df1f8f18bdcc0913d646ab20ba8a1d
-  data.tar.gz: 76fba5e04fc7528d483ecc03999a2227ebd96d484e6f5732a024cc74dcffb2a9b58a91c48a34a1de9b4108b161c46a64b7cd69513df90ed51c58405a3cafee48
+  metadata.gz: 25b3abeb4b9b3b13efca53a386affd1d080673c2815154ed60942aa7190d8860dd9a95bfd0306d34b32fe859150dac52684d6e5c678f3557d2637dcd89418b2b
+  data.tar.gz: c722c5166cc96ca5145174b898f5c8490d7230a6b8485ff78439c9dc1dddae87e1b5f05e4fb3164f9030fd500ec19e44765b5ffd92fb11bbb9c65b061d14c87f

data/README.md

@@ -1,4 +1,7 @@
 # Devise Token Auth Multi Email
+[![Dependabot Updates](https://github.com/mgmodell/devise_token_auth_multi_email/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/mgmodell/devise_token_auth_multi_email/actions/workflows/dependabot/dependabot-updates)
+[![Test](https://github.com/mgmodell/devise_token_auth_multi_email/actions/workflows/test.yml/badge.svg)](https://github.com/mgmodell/devise_token_auth_multi_email/actions/workflows/test.yml)
+[![Coverage Status](https://coveralls.io/repos/github/mgmodell/devise_token_auth_multi_email/badge.svg?branch=master)](https://coveralls.io/github/mgmodell/devise_token_auth_multi_email?branch=master)
 
 Simple, multi-client and secure token-based authentication for Rails.
 

data/Rakefile

@@ -21,14 +21,10 @@ load 'rails/tasks/engine.rake'
 
 Bundler::GemHelper.install_tasks
 
-require 'rake/testtask'
-
-Rake::TestTask.new(:test) do |t|
-  t.libs << 'lib'
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
-  t.verbose = false
-  t.warning = false
+# Custom test task to avoid minitest-rails SIGTRAP issue  
+desc 'Run all tests'
+task :test do
+  sh 'find test -name "*_test.rb" -exec bundle exec ruby -I lib:test {} \;'
 end
 
 task default: :test

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -20,15 +20,8 @@ module DeviseTokenAuth::Concerns::ResourceFinder
   end
 
   def find_resource(field, value)
-    @@multi_email_field = if( defined? @@multi_email_field )
-      @@multi_email_field = if( defined?( Devise::MultiEmail.emails_association_name ).nil? )
-                              Devise::MultiEmail.emails_association_name.to_s.singularize.to_sym
-                            else
-                              false
-                            end
-                          end
-
-    @resource = if :email == field && !@@multi_email_field
+    @resource = if :email == field && resource_class.respond_to?(:multi_email_association)
+                  # devise-multi_email adds multi_email_association to parent models only.
                   resource_class.find_by_email value
                 elsif database_adapter&.include?('mysql')
                   # fix for mysql default case insensitivity

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -23,7 +23,20 @@ module DeviseTokenAuth
       session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
       session['dta.omniauth.params'] = request.env['omniauth.params']
 
-      redirect_to redirect_route, {status: 307}.merge(redirect_options)
+      # Also encode omniauth params in the redirect URL so they survive as
+      # request params in omniauth_success even when the session cookie is
+      # not reliably forwarded through a 307 redirect chain (e.g. Rails 7.2+
+      # integration tests where follow_redirect! preserves the POST method).
+      omniauth_env_params = request.env['omniauth.params'].presence
+      redirect_url = omniauth_env_params ?
+        DeviseTokenAuth::Url.generate(redirect_route, omniauth_env_params) :
+        redirect_route
+
+      # Use 302/303 so the callback is performed as a GET and params/session
+      # survive reliably across the redirect chain in Rails integration tests.
+      # 303 is semantically "see other" after a POST; 302 is also widely used.
+      # Suggested by Claude Sonnet 4
+      redirect_to redirect_url, { status: 303 }.merge(redirect_options)
     end
 
     def get_redirect_route(devise_mapping)
@@ -102,13 +115,30 @@ module DeviseTokenAuth
         if request.env['omniauth.params'] && request.env['omniauth.params'].any?
           @_omniauth_params = request.env['omniauth.params']
         elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
-          @_omniauth_params ||= session.delete('dta.omniauth.params')
-          @_omniauth_params
-        elsif params['omniauth_window_type']
-          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+          @_omniauth_params = session['dta.omniauth.params']
+        elsif params['omniauth_window_type'] || params['auth_origin_url']
+          # Fallback: params may arrive as URL query string when the session
+          # is not reliably forwarded through a 307 redirect chain (Rails 7.2+).
+          # Pre-set @_omniauth_params to {} BEFORE calling params_for_resource to
+          # break a potential recursive loop:
+          #   omniauth_params → params_for_resource → devise_parameter_sanitizer
+          #   → resource_class → omniauth_params (still computing!) → loop
+          # With @_omniauth_params = {} set early, any re-entrant call returns {}
+          # and resource_class falls back to params['resource_class'] directly.
+          @_omniauth_params = {}
+          omniauth_known_keys = %w[omniauth_window_type auth_origin_url resource_class
+                                   origin namespace_name config_name]
+          begin
+            sign_up_keys = params_for_resource(:sign_up).map(&:to_s)
+          rescue NoMethodError, TypeError
+            sign_up_keys = []
+          end
+          @_omniauth_params = params.permit(*omniauth_known_keys, *sign_up_keys)
         else
           @_omniauth_params = {}
         end
+        # Always clean up the session key, regardless of which branch was taken.
+        session.delete('dta.omniauth.params')
       end
       @_omniauth_params
     end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -40,27 +40,33 @@ module DeviseTokenAuth
         @resource.skip_confirmation_notification!
       end
 
-      if @resource.save
-        yield @resource if block_given?
-
-        unless @resource.confirmed?
-          # user will require email authentication
-          @resource.send_confirmation_instructions({
-            client_config: params[:config_name],
-            redirect_url: @redirect_url
-          })
-        end
+      begin
+        if @resource.save
+          yield @resource if block_given?
 
-        if active_for_authentication?
-          # email auth has been bypassed, authenticate user
-          @token = @resource.create_token
-          @resource.save!
-          update_auth_header
+          unless @resource.confirmed?
+            # user will require email authentication
+            @resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: @redirect_url
+            })
+          end
+
+          if active_for_authentication?
+            # email auth has been bypassed, authenticate user
+            @token = @resource.create_token
+            @resource.save!
+            update_auth_header
+          end
+
+          render_create_success
+        else
+          clean_up_passwords @resource
+          render_create_error
         end
-
-        render_create_success
-      else
+      rescue ActiveRecord::RecordNotUnique
         clean_up_passwords @resource
+        @resource.errors.add(:email, :taken)
         render_create_error
       end
     end

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -8,9 +8,12 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
     validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
 
-    # Provide support for devise-multi_email - they implement case_sensitive
-    # and maintain uniqueness themselves.
-    unless Gem.loaded_specs[ 'devise-multi_email' ]
+    # Only skip the uniqueness validation for models that use devise-multi_email
+    # (detected by the presence of the multi_email_association class method, which
+    # Devise::MultiEmail::ParentModelExtensions adds via :multi_email_authenticatable).
+    # Standard models always validate; multi_email models manage uniqueness via the
+    # emails association table instead.
+    unless Gem.loaded_specs['devise-multi_email'] && respond_to?(:multi_email_association)
       # only validate unique emails among email registration users
       validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
     end

data/lib/devise_token_auth/engine.rb

@@ -82,12 +82,51 @@ module DeviseTokenAuth
 
         # Omniauth currently removes omniauth.params during mocked requests
         # see also: https://github.com/intridea/omniauth/pull/812
+        #
+        # In Rails 7.2+, follow_redirect! preserves the POST method for 307
+        # redirects.  This means the router's 307 to /omniauth/:provider is
+        # followed as a POST, which OmniAuth handles in mock_request_call.
+        # However the session cookie written by that Rack response is not
+        # reliably forwarded to the subsequent GET /omniauth/:provider/callback
+        # request in integration tests, so session['omniauth.params'] is nil
+        # when mock_callback_call runs.
+        #
+        # Fix: also encode the omniauth params as a query string in the
+        # callback redirect URL (mock_request_call) so they are available in
+        # request.params as a fallback (mock_callback_call).
         OmniAuth::Strategy.class_eval do
+          def mock_request_call
+            setup_phase
+            @env['omniauth.origin'] = request.params['origin']
+            @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
+            omniauth_params = request.params.except('authenticity_token')
+            session['omniauth.params'] = omniauth_params
+            # Set env now so redirect_to_failure (failure path) and
+            # mock_callback_call (success path) both have access to params.
+            @env['omniauth.params'] = omniauth_params
+            mocked_auth = OmniAuth.mock_auth_for(name.to_s)
+            if mocked_auth.is_a?(Symbol)
+              fail!(mocked_auth)
+            else
+              @env['omniauth.auth'] = mocked_auth
+              # Encode params in the callback URL so they survive even when the
+              # session cookie is not forwarded through the redirect chain.
+              redirect_target = omniauth_params.any? ?
+                "#{callback_url}?#{omniauth_params.to_query}" :
+                callback_url
+              redirect redirect_target
+            end
+          end
+
           def mock_callback_call
             setup_phase
             @env['omniauth.origin'] = session.delete('omniauth.origin')
             @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
-            @env['omniauth.params'] = session.delete('omniauth.params') || {}
+            # Prefer the session (Rails ≤7.1) but fall back to request params
+            # (Rails 7.2+ where the session cookie may not survive the redirect).
+            @env['omniauth.params'] = session.delete('omniauth.params').presence ||
+                                      request.params.except('authenticity_token') ||
+                                      {}
             mocked_auth = OmniAuth.mock_auth_for(name.to_s)
             if mocked_auth.is_a?(Symbol)
               fail!(mocked_auth)

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '0.9.3'.freeze
+  VERSION = '0.9.5'.freeze
 end

data/lib/devise_token_auth_multi_email.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'devise_token_auth'

data/test/controllers/devise_token_auth/confirmations_controller_test.rb

@@ -62,8 +62,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
           end
 
           test 'redirect url includes token params' do
-            assert @token_params.all? { |param| response.body.include?(param) }
-            assert response.body.include?('account_confirmation_success')
+            assert @token_params.all? { |param| response.location.include?(param) }
+            assert response.location.include?('account_confirmation_success')
           end
         end
 
@@ -86,8 +86,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase
           end
 
           test 'redirect url does not include token params' do
-            refute @token_params.any? { |param| response.body.include?(param) }
-            assert response.body.include?('account_confirmation_success')
+            refute @token_params.any? { |param| response.location.include?(param) }
+            assert response.location.include?('account_confirmation_success')
           end
         end
 

data/test/controllers/devise_token_auth/multi_email_coexistence_test.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify standard models and multi-email models can coexist in the
+# same Rails application without interfering with each other.
+#
+# Specifically:
+#   • Standard (User, Mang) and multi-email (MultiEmailUser) routes all work.
+#   • The same email address can be used across different model types (they
+#     live in different tables so there is no cross-model constraint conflict).
+#   • Token authentication works independently for each model type.
+#   • Session isolation: signing in on one model doesn't affect another.
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and route are
+# not set up in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailCoexistenceTest < ActionDispatch::IntegrationTest
+  def standard_params(email: nil)
+    {
+      email:                 email || Faker::Internet.unique.email,
+      password:              'secret123',
+      password_confirmation: 'secret123',
+      confirm_success_url:   Faker::Internet.url
+    }
+  end
+  alias multi_email_params standard_params
+
+  # -------------------------------------------------------------------------
+  # Both model types can register simultaneously
+  # -------------------------------------------------------------------------
+  describe 'independent registration' do
+    test 'standard user can register at /auth' do
+      post '/auth', params: standard_params
+      assert_equal 200, response.status
+      assert_equal 'User', assigns(:resource).class.name
+    end
+
+    test 'multi-email user can register at /multi_email_auth' do
+      post '/multi_email_auth', params: multi_email_params
+      assert_equal 200, response.status
+      assert_equal 'MultiEmailUser', assigns(:resource).class.name
+    end
+
+    test 'mang (another standard model) can register at /mangs' do
+      post '/mangs', params: standard_params
+      assert_equal 200, response.status
+      assert_equal 'Mang', assigns(:resource).class.name
+    end
+  end
+
+  # -------------------------------------------------------------------------
+  # Same email address may exist in both the users table and the
+  # multi_email_user_emails table simultaneously (different tables / models)
+  # -------------------------------------------------------------------------
+  describe 'same email across different models' do
+    before do
+      @shared_email = Faker::Internet.unique.email
+    end
+
+    test 'standard user and multi-email user can share an email address' do
+      # Register a standard User with the email
+      post '/auth', params: standard_params(email: @shared_email)
+      assert_equal 200, response.status,
+                   "Standard user registration failed: #{response.body}"
+
+      # Register a MultiEmailUser with the same email — succeeds because the
+      # models live in separate tables with no cross-table uniqueness constraint.
+      post '/multi_email_auth', params: multi_email_params(email: @shared_email)
+      assert_equal 200, response.status,
+                   "MultiEmailUser registration with shared email failed: #{response.body}"
+    end
+  end
+
+  # -------------------------------------------------------------------------
+  # Each model type independently rejects duplicate emails
+  # -------------------------------------------------------------------------
+  describe 'independent validation' do
+    test 'duplicate standard user email is rejected at model level' do
+      email = Faker::Internet.unique.email
+      create(:user, email: email, provider: 'email').confirm
+
+      post '/auth', params: standard_params(email: email)
+      assert_equal 422, response.status
+    end
+
+    test 'duplicate multi-email user email is rejected by the emails table' do
+      email = Faker::Internet.unique.email
+
+      # Register first multi_email user via the endpoint (not factory, since
+      # the gem handles email association creation internally on save).
+      post '/multi_email_auth', params: multi_email_params(email: email)
+      assert_equal 200, response.status, "First registration failed: #{response.body}"
+
+      # Duplicate registration should be rejected.
+      post '/multi_email_auth', params: multi_email_params(email: email)
+      assert_equal 422, response.status
+    end
+  end
+
+  # -------------------------------------------------------------------------
+  # Model-level configuration confirms coexistence setup is correct
+  # -------------------------------------------------------------------------
+  describe 'model configuration coexistence' do
+    test 'standard models have email uniqueness validator from concern' do
+      assert User.validators_on(:email).any? { |v|
+        v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+      }
+      assert Mang.validators_on(:email).any? { |v|
+        v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+      }
+    end
+
+    test 'multi_email model does NOT have concern email uniqueness validator' do
+      refute MultiEmailUser.validators_on(:email).any? { |v|
+        v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+      }
+    end
+
+    test 'multi_email model has multi_email_association class method' do
+      assert MultiEmailUser.respond_to?(:multi_email_association)
+    end
+
+    test 'standard models do NOT have multi_email_association class method' do
+      refute User.respond_to?(:multi_email_association)
+      refute Mang.respond_to?(:multi_email_association)
+    end
+  end
+end

data/test/controllers/devise_token_auth/multi_email_confirmations_controller_test.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify the ConfirmationsController works correctly with a
+# MultiEmailUser — a model that uses :multi_email_confirmable from the
+# devise-multi_email gem.
+#
+# With multi_email_confirmable the confirmation token is stored on the
+# MultiEmailUserEmail record (not the parent model).  The confirmations
+# controller calls resource_class.confirm_by_token, which the gem overrides to
+# search the email records, so the standard redirect-based confirmation flow
+# continues to work.
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and its route
+# are not available in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailConfirmationsControllerTest < ActionDispatch::IntegrationTest
+  describe 'MultiEmailUser confirmations' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # Parse the confirmation token out of a mailer body.
+    def token_from_mail(mail)
+      mail.body.match(/confirmation_token=([^&]*)[&"]/)[1]
+    end
+
+    before do
+      @redirect_url = Faker::Internet.url
+
+      # Register a new MultiEmailUser — this triggers the confirmation email.
+      @email = Faker::Internet.unique.email
+      post '/multi_email_auth', params: registration_params(email: @email)
+      assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+      @user = assigns(:resource)
+      @mail = ActionMailer::Base.deliveries.last
+      @token = token_from_mail(@mail)
+    end
+
+    # -----------------------------------------------------------------------
+    # Show (GET) — successful confirmation
+    # -----------------------------------------------------------------------
+    describe 'successful confirmation via token' do
+      before do
+        get '/multi_email_auth/confirmation',
+            params: { confirmation_token: @token, redirect_url: @redirect_url }
+      end
+
+      test 'response redirects to the redirect URL' do
+        assert_redirected_to(/^#{Regexp.escape(@redirect_url)}/)
+      end
+
+      test 'redirect URL includes account_confirmation_success' do
+        assert response.location.include?('account_confirmation_success')
+      end
+
+      test 'user is confirmed after following the link' do
+        @user.reload
+        assert @user.confirmed?
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Show (GET) — invalid token
+    # -----------------------------------------------------------------------
+    describe 'confirmation with invalid token' do
+      before do
+        get '/multi_email_auth/confirmation',
+            params: { confirmation_token: 'invalid-token', redirect_url: @redirect_url }
+      end
+
+      test 'response redirects (to failure URL)' do
+        assert_equal 302, response.status
+      end
+
+      test 'redirect URL contains account_confirmation_success=false' do
+        assert response.location.include?('account_confirmation_success=false')
+      end
+
+      test 'user is not confirmed' do
+        @user.reload
+        refute @user.confirmed?
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create (POST) — resend confirmation email (without paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'resend confirmation email — success' do
+      before do
+        @mail_count = ActionMailer::Base.deliveries.count
+
+        post '/multi_email_auth/confirmation',
+             params: { email: @email, redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+        @resent_mail = ActionMailer::Base.deliveries.last
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'a confirmation email is sent' do
+        assert_equal @mail_count + 1, ActionMailer::Base.deliveries.count
+      end
+
+      test 'email is addressed to the user' do
+        assert_equal @email, @resent_mail['to'].to_s
+      end
+
+      test 'response message is returned' do
+        assert @data['message']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create (POST) — resend confirmation email (with paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'resend confirmation email with paranoid mode — success' do
+      before do
+        swap Devise, paranoid: true do
+          post '/multi_email_auth/confirmation',
+               params: { email: @email, redirect_url: @redirect_url }
+          @data = JSON.parse(response.body)
+        end
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'paranoid message is returned' do
+        assert_equal I18n.t('devise_token_auth.confirmations.sended_paranoid',
+                            email: @email),
+                     @data['message']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create (POST) — missing email param
+    # -----------------------------------------------------------------------
+    describe 'resend confirmation — missing email' do
+      before do
+        post '/multi_email_auth/confirmation',
+             params: { redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'missing email error is returned' do
+        assert @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create (POST) — unknown email (without paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'resend confirmation — unknown email' do
+      before do
+        post '/multi_email_auth/confirmation',
+             params: { email: 'nobody@example.com', redirect_url: @redirect_url }
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails with 404' do
+        assert_equal 404, response.status
+      end
+
+      test 'user not found error is returned' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.confirmations.user_not_found',
+                              email: 'nobody@example.com')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Create (POST) — unknown email (with paranoid mode)
+    # -----------------------------------------------------------------------
+    describe 'resend confirmation — unknown email with paranoid mode' do
+      before do
+        swap Devise, paranoid: true do
+          post '/multi_email_auth/confirmation',
+               params: { email: 'nobody@example.com', redirect_url: @redirect_url }
+          @data = JSON.parse(response.body)
+        end
+      end
+
+      test 'request returns 200 to hide existence' do
+        assert_equal 200, response.status
+      end
+
+      test 'paranoid message is returned' do
+        assert_equal I18n.t('devise_token_auth.confirmations.sended_paranoid',
+                            email: 'nobody@example.com'),
+                     @data['message']
+      end
+    end
+  end
+end