devise_token_auth_multi_email 0.9.4 → 0.9.5

data/test/controllers/devise_token_auth/multi_email_token_validations_controller_test.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify the TokenValidationsController works correctly with a
+# MultiEmailUser — a model that uses :multi_email_authenticatable from the
+# devise-multi_email gem.
+#
+# Token validation uses the uid / access-token / client headers; the uid is the
+# primary email address, which is synced to the uid column by the sync_uid
+# before_save callback.  No multi-email-specific lookup is needed here because
+# the token is looked up by uid (a real column), so this test primarily
+# confirms that the standard flow works end-to-end for multi-email users.
+#
+# These tests are ActiveRecord-only — the MultiEmailUser model and its route
+# are not available in Mongoid runs.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class MultiEmailTokenValidationsControllerTest < ActionDispatch::IntegrationTest
+  describe 'MultiEmailUser token validation' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # Register a user, confirm it, and sign in.  Returns [user, auth_headers].
+    def sign_in_confirmed_user
+      email = Faker::Internet.unique.email
+
+      post '/multi_email_auth', params: registration_params(email: email)
+      assert_equal 200, response.status, "Registration failed: #{response.body}"
+      user = assigns(:resource)
+      user.confirm
+
+      post '/multi_email_auth/sign_in',
+           params: { email: email, password: 'secret123' }
+      assert_equal 200, response.status, "Sign-in failed: #{response.body}"
+
+      auth_headers = {
+        'access-token' => response.headers['access-token'],
+        'client'       => response.headers['client'],
+        'uid'          => response.headers['uid'],
+        'token-type'   => response.headers['token-type']
+      }
+      [user, auth_headers]
+    end
+
+    before do
+      @user, @auth_headers = sign_in_confirmed_user
+      @client_id = @auth_headers['client']
+
+      # Age the token so the request is not treated as a batch request.
+      age_token(@user, @client_id)
+    end
+
+    # -----------------------------------------------------------------------
+    # Valid token
+    # -----------------------------------------------------------------------
+    describe 'valid token' do
+      before do
+        get '/multi_email_auth/validate_token', headers: @auth_headers
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'response includes user data' do
+        assert @data['data']
+      end
+
+      test 'response data includes the correct email' do
+        assert @data['data']['email']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Invalid access-token
+    # -----------------------------------------------------------------------
+    describe 'invalid access-token' do
+      before do
+        bad_headers = @auth_headers.merge('access-token' => 'this-is-wrong')
+        get '/multi_email_auth/validate_token', headers: bad_headers
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+        assert_equal [I18n.t('devise_token_auth.token_validations.invalid')],
+                     @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Missing auth headers
+    # -----------------------------------------------------------------------
+    describe 'missing auth headers' do
+      before do
+        get '/multi_email_auth/validate_token'
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Expired token
+    # -----------------------------------------------------------------------
+    describe 'expired token' do
+      before do
+        expire_token(@user, @client_id)
+        get '/multi_email_auth/validate_token', headers: @auth_headers
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request fails' do
+        assert_equal 401, response.status
+      end
+
+      test 'response contains errors' do
+        assert @data['errors']
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb

@@ -16,9 +16,11 @@ class OmniauthTest < ActionDispatch::IntegrationTest
     @redirect_url = 'https://ng-token-auth.dev/'
   end
 
+  # Suggested by GPT-5.2 as a more tolerant alternative to the above regex, which was brittle and failed when the JSON data contained certain characters.
   def get_parsed_data_json
-    encoded_json_data = @response.body.match(/var data \= JSON.parse\(decodeURIComponent\(\'(.+)\'\)\)\;/)[1]
-    JSON.parse(CGI.unescape(encoded_json_data))
+    m = response.body.match(/var\s+data\s*=\s*JSON\.parse\(decodeURIComponent\(['"](.+?)['"]\)\)/m)
+    raise "Could not find encoded data payload in response body" unless m
+    JSON.parse(CGI.unescape(m[1]))
   end
 
   describe 'success callback' do
@@ -79,8 +81,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 
     test 'should be redirected via valid url' do
       get_success
-      assert_equal 'http://www.example.com/auth/facebook/callback',
-                   request.original_url
+      assert_equal '/auth/facebook/callback', URI.parse(request.original_url).path
     end
 
     describe 'with default user model' do

data/test/controllers/devise_token_auth/standard_user_registrations_controller_test.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests that verify devise_token_auth works correctly with a **standard** model —
+# one that does NOT use devise-multi_email (i.e. does NOT have multi_email_association).
+#
+# Standard models get the email uniqueness validation directly from
+# DeviseTokenAuth::Concerns::UserOmniauthCallbacks, regardless of whether the
+# devise-multi_email gem is loaded. These tests confirm:
+#   • Basic registration, authentication, and account management work.
+#   • Duplicate email registrations are rejected at the model level (no DB
+#     constraint exception reaching PostgreSQL that would abort the transaction).
+#   • An OAuth user's email can be re-used for an email-provider registration
+#     because uniqueness is scoped to provider.
+#
+# These tests are ActiveRecord-specific because they validate AR-level validators
+# and the MultiEmailUser ActiveRecord model (used for contrast tests).
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class StandardUserRegistrationsControllerTest < ActionDispatch::IntegrationTest
+  describe 'Standard User (without multi_email_authenticatable)' do
+    def registration_params(email: nil)
+      {
+        email:                 email || Faker::Internet.unique.email,
+        password:              'secret123',
+        password_confirmation: 'secret123',
+        confirm_success_url:   Faker::Internet.url
+      }
+    end
+
+    # -----------------------------------------------------------------------
+    # Uniqueness validation lives in the concern for standard models
+    # -----------------------------------------------------------------------
+    describe 'email uniqueness' do
+      test 'validates uniqueness at the model level — not at the DB' do
+        # The concern (UserOmniauthCallbacks) adds this validation for standard
+        # models so the check happens before the INSERT, keeping PostgreSQL
+        # transactions clean.
+        assert User.validators_on(:email).any? { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+        }, 'Expected a UniquenessValidator on User#email'
+
+        assert Mang.validators_on(:email).any? { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+        }, 'Expected a UniquenessValidator on Mang#email'
+      end
+
+      test 'multi_email model does NOT carry the concern uniqueness validator' do
+        # MultiEmailUser uses :multi_email_authenticatable so it has
+        # multi_email_association — the concern skips adding the uniqueness
+        # validator (the emails table enforces uniqueness instead).
+        refute MultiEmailUser.validators_on(:email).any? { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
+        }, 'Expected NO UniquenessValidator on MultiEmailUser#email'
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Successful registration
+    # -----------------------------------------------------------------------
+    describe 'successful registration' do
+      before do
+        post '/auth', params: registration_params
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'user is persisted' do
+        assert @resource.id
+      end
+
+      test 'resource is a standard User' do
+        assert_equal User, @resource.class
+      end
+
+      test 'response includes email' do
+        assert @data['data']['email']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Duplicate email registration is rejected at the model level
+    # -----------------------------------------------------------------------
+    describe 'duplicate email registration' do
+      before do
+        @email = Faker::Internet.unique.email
+        create(:user, email: @email, provider: 'email').tap(&:confirm)
+
+        post '/auth', params: registration_params(email: @email)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is rejected' do
+        assert_equal 422, response.status
+      end
+
+      test 'errors mention email taken' do
+        assert_not_empty @data['errors']
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # OAuth user + same email re-used for email-provider registration
+    # (uniqueness is scoped to provider)
+    # -----------------------------------------------------------------------
+    describe 'email re-use across providers' do
+      before do
+        @oauth_user = create(:user, :facebook, :confirmed)
+
+        post '/auth',
+             params: registration_params(email: @oauth_user.email)
+
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'registration is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'a new email-provider user is created' do
+        assert @resource.id
+        assert_equal 'email', @resource.provider
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Mang (another standard model, at /mangs)
+    # -----------------------------------------------------------------------
+    describe 'alternate standard model (Mang)' do
+      before do
+        post '/mangs', params: registration_params
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'registration is successful' do
+        assert_equal 200, response.status
+      end
+
+      test 'resource is a Mang' do
+        assert_equal Mang, @resource.class
+      end
+    end
+
+    describe 'Mang duplicate email is rejected at model level' do
+      before do
+        @email = Faker::Internet.unique.email
+        create(:mang_user, email: @email, provider: 'email').tap(&:confirm)
+
+        post '/mangs', params: registration_params(email: @email)
+        @data = JSON.parse(response.body)
+      end
+
+      test 'request is rejected' do
+        assert_equal 422, response.status
+      end
+    end
+  end
+end

data/test/dummy/app/active_record/multi_email_user.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+# MultiEmailUser demonstrates a model that uses devise-multi_email alongside
+# DeviseTokenAuth.  Email uniqueness is enforced via the emails association/table
+# (managed by Devise::MultiEmail::ParentModelExtensions) rather than by the
+# column-level uniqueness validation that standard models carry.
+#
+# IMPORTANT ordering rules:
+#   1. has_many :emails must be declared BEFORE the multi_email devise modules so
+#      Devise::MultiEmail::ParentModelExtensions can reflect on the association.
+#   2. The multi_email devise modules must be called BEFORE including
+#      DeviseTokenAuth::Concerns::User so the concern skips its own devise call
+#      (it checks method_defined?(:devise_modules) to decide whether to call devise).
+class MultiEmailUser < ActiveRecord::Base
+  # 1. Association first — ParentModelExtensions reflects on it at include time.
+  #    Rails infers the FK as `multi_email_user_id` from the parent class name.
+  has_many :emails,
+           class_name: 'MultiEmailUserEmail',
+           dependent:  :destroy
+
+  # 2–3 only apply when running with ActiveRecord.  In Mongoid runs the
+  # activerecord gem is still bundled (so ActiveRecord::Base exists) but
+  # active_record/railtie is not required, which means devise-multi_email's
+  # AR-specific modules are not registered and calling `devise` would raise
+  # NoMethodError.  We guard here so the file can be safely autoloaded in
+  # Mongoid mode (Zeitwerk still gets a valid MultiEmailUser constant).
+  if DEVISE_TOKEN_AUTH_ORM == :active_record
+    # 2. multi_email devise modules — include Devise::MultiEmail::ParentModelExtensions
+    #    which adds multi_email_association, find_by_email, and related helpers.
+    devise :multi_email_authenticatable, :registerable,
+           :recoverable, :multi_email_validatable, :multi_email_confirmable
+
+    # 3. DeviseTokenAuth concern — sees devise_modules already defined, skips
+    #    its own devise call, and adds token management, OmniAuth callbacks, etc.
+    include DeviseTokenAuth::Concerns::User
+
+    # 4. Include the delegated `email` method in JSON serialization so that API
+    #    responses include the primary email even though there is no email column
+    #    on this table (email lives in the multi_email_user_emails table).
+    def as_json(options = {})
+      options[:methods] = Array(options[:methods]) | [:email]
+      super(options)
+    end
+  end
+end

data/test/dummy/app/active_record/multi_email_user_email.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+# Email record for MultiEmailUser.  Each row represents one email address
+# that belongs to a MultiEmailUser.
+#
+# The `primary` boolean column is required by the devise-multi_email gem:
+# it generates `primary?` and `primary=` via ActiveRecord from that column name,
+# which ParentModelManager calls to find/set the primary email address.
+#
+# Devise::MultiEmail::EmailModelExtensions (and EmailValidatable) are included
+# automatically into this class by MultiEmailUser's ParentModelExtensions when
+# that model is first loaded — no explicit include is needed here.
+#
+# The association name (:user) must match Devise::MultiEmail.parent_association_name
+# (which defaults to :user).  We specify the class and FK explicitly since our
+# parent model is MultiEmailUser (not User) and the FK column is multi_email_user_id.
+class MultiEmailUserEmail < ActiveRecord::Base
+  belongs_to :user,
+             class_name:  'MultiEmailUser',
+             foreign_key: :multi_email_user_id
+end

data/test/dummy/config/application.rb

@@ -39,7 +39,12 @@ module Dummy
     config.autoload_paths << Rails.root.join('lib')
     config.autoload_paths += ["#{config.root}/app/#{DEVISE_TOKEN_AUTH_ORM}"]
 
-    config.active_record.legacy_connection_handling = false if Rails::VERSION::MAJOR == 6
+    # legacy_connection_handling was deprecated in Rails 7.0/7.1 and removed in Rails 7.2+
+    # Only applies when using ActiveRecord (not when using Mongoid).
+    if DEVISE_TOKEN_AUTH_ORM == :active_record &&
+       !(Rails::VERSION::MAJOR > 7 || (Rails::VERSION::MAJOR == 7 && Rails::VERSION::MINOR >= 2))
+      config.active_record.legacy_connection_handling = false
+    end
 
     if DEVISE_TOKEN_AUTH_ORM == :mongoid
       Mongoid.configure do |config|

data/test/dummy/config/initializers/omniauth.rb

@@ -2,7 +2,21 @@
 
 Rails.application.config.middleware.use OmniAuth::Builder do |b|
   provider :github,        ENV['GITHUB_KEY'],   ENV['GITHUB_SECRET'],   scope: 'email,profile'
-  provider :facebook,      ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET']
+  provider :facebook,      ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'],
+    setup: lambda { |env|
+      req = Rack::Request.new(env)
+
+      # Persist request params so callback can read them later
+      env['rack.session']['dta.omniauth.params'] = req.params.slice(
+        'auth_origin_url',
+        'omniauth_window_type',
+        # include any additional permitted params you support:
+        'favorite_color'
+      )
+
+      # If your code expects auth data too:
+      # env['rack.session']['dta.omniauth.auth'] = ...
+    }
   provider :google_oauth2, ENV['GOOGLE_KEY'],   ENV['GOOGLE_SECRET']
   provider :apple,         ENV['APPLE_CLIENT_ID'], '', { scope: 'email name', team_id: ENV['APPLE_TEAM_ID'], key_id: ENV['APPLE_KEY'], pem: ENV['APPLE_PEM'] }
   provider :developer,

data/test/dummy/config/routes.rb

@@ -22,6 +22,14 @@ Rails.application.routes.draw do
 
   mount_devise_token_auth_for 'ConfirmableUser', at: 'confirmable_user_auth'
 
+  # MultiEmailUser uses devise-multi_email to manage email addresses via a
+  # separate emails association rather than a single email column.
+  # Only mount in ActiveRecord mode — the model's devise setup is AR-only.
+  if DEVISE_TOKEN_AUTH_ORM == :active_record
+    mount_devise_token_auth_for 'MultiEmailUser', at: 'multi_email_auth',
+                                skip: [:omniauth_callbacks]
+  end
+
   # test namespacing
   namespace :api do
     scope :v1 do

data/test/dummy/db/migrate/20260401000001_devise_token_auth_create_multi_email_users.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+include MigrationDatabaseHelper
+
+class DeviseTokenAuthCreateMultiEmailUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table(:multi_email_users) do |t|
+      ## Database authenticatable
+      t.string :encrypted_password, null: false, default: ''
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+      t.string   :reset_password_redirect_url
+      t.boolean  :allow_password_change, default: false
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email
+
+      ## User Info
+      t.string :name
+      t.string :nickname
+      t.string :image
+
+      ## Unique oauth id
+      t.string :provider
+      t.string :uid, null: false, default: ''
+
+      ## Tokens
+      if json_supported_database?
+        t.json :tokens
+      else
+        t.text :tokens
+      end
+
+      t.timestamps
+    end
+
+    add_index :multi_email_users, [:uid, :provider],     unique: true
+    add_index :multi_email_users, :reset_password_token, unique: true
+    add_index :multi_email_users, :confirmation_token,   unique: true
+  end
+end

data/test/dummy/db/migrate/20260401000002_devise_token_auth_create_multi_email_user_emails.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class DeviseTokenAuthCreateMultiEmailUserEmails < ActiveRecord::Migration[7.0]
+  def change
+    create_table(:multi_email_user_emails) do |t|
+      t.references :multi_email_user, null: false, foreign_key: true, type: :bigint
+      t.string  :email,   null: false
+      # devise-multi_email gem requires a column named `primary` (boolean).
+      # The gem calls `email_record.primary?` and `email_record.primary = value`
+      # which are auto-generated by ActiveRecord from this column name.
+      t.boolean :primary, null: false, default: false
+
+      # Confirmable columns — required by :multi_email_confirmable which
+      # includes devise :confirmable into each email record.
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email
+
+      t.timestamps
+    end
+
+    add_index :multi_email_user_emails, :email,     unique: true
+    add_index :multi_email_user_emails, :confirmation_token,
+              name: 'index_multi_email_user_emails_on_confirmation_token', unique: true
+    add_index :multi_email_user_emails, [:multi_email_user_id, :primary],
+              name: 'index_multi_email_user_emails_on_user_and_primary'
+  end
+end