devise_token_auth_multi_email 0.9.5 → 0.9.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0c66feab8adcbd8779659cfca55d37dafc2f7b597478d249f252e6a8d359fa9
-  data.tar.gz: 9e62f19a8c193602b0c8063d2b569a07ed6864a961d9363e95aef335907f74d6
+  metadata.gz: 43896725154b8afab36fcca00754a5bd5743cdbe08bf44401f0be917ec3cdb59
+  data.tar.gz: 4ddd80d829695020b27863ebe5891d9f3037f7070cd857658302e499eed3a711
 SHA512:
-  metadata.gz: 25b3abeb4b9b3b13efca53a386affd1d080673c2815154ed60942aa7190d8860dd9a95bfd0306d34b32fe859150dac52684d6e5c678f3557d2637dcd89418b2b
-  data.tar.gz: c722c5166cc96ca5145174b898f5c8490d7230a6b8485ff78439c9dc1dddae87e1b5f05e4fb3164f9030fd500ec19e44765b5ffd92fb11bbb9c65b061d14c87f
+  metadata.gz: 7429dbc8c2df36d2df63333d5e34de27b48de8313742942578c920a19de01c5c4fa16b02a702acabfa28a3c9c8a0c45eed728f11b5e9d006886d04da7190240c
+  data.tar.gz: c1d928e209ff6e3341c6b33233c1161b43ccae48bc208c4de62548164ad54d4e18f369b3325d3f2d7dbeda49b275a952d6876366cccc54c0009f760e45b6ebff

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -8,15 +8,18 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
     validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: lambda { uid_and_provider_defined? && email_provider? }
     validates_presence_of :uid, if: lambda { uid_and_provider_defined? && !email_provider? }
 
-    # Only skip the uniqueness validation for models that use devise-multi_email
-    # (detected by the presence of the multi_email_association class method, which
-    # Devise::MultiEmail::ParentModelExtensions adds via :multi_email_authenticatable).
-    # Standard models always validate; multi_email models manage uniqueness via the
-    # emails association table instead.
-    unless Gem.loaded_specs['devise-multi_email'] && respond_to?(:multi_email_association)
-      # only validate unique emails among email registration users
-      validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: lambda { uid_and_provider_defined? && email_provider? }
-    end
+    # Only validate email uniqueness for models that do NOT use devise-multi_email.
+    # Multi-email models manage uniqueness via the emails association table instead.
+    #
+    # The check is done at runtime (inside the lambda) rather than at class-load
+    # time, so that it works correctly regardless of the order in which modules are
+    # included.  If the class responds to :multi_email_association at the point the
+    # validation is about to run, we know this is a multi-email model and skip the
+    # check.  This also avoids calling column_for_attribute(:email) on a model that
+    # has no email column, which would otherwise cause MySQL to call
+    # nil.case_sensitive? and raise a NoMethodError.
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create,
+              if: lambda { uid_and_provider_defined? && email_provider? && !self.class.respond_to?(:multi_email_association) }
 
     # keep uid in sync with email
     before_save :sync_uid

data/lib/devise_token_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseTokenAuth
-  VERSION = '0.9.5'.freeze
+  VERSION = '0.9.9'.freeze
 end

data/test/controllers/devise_token_auth/concerns/resource_finder_test.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests targeting DeviseTokenAuth::Concerns::ResourceFinder in isolation.
+# The concern is exercised via DeviseTokenAuth::SessionsController, which
+# includes it transitively through SetUserByToken.
+class DeviseTokenAuth::Concerns::ResourceFinderTest < ActionController::TestCase
+  tests DeviseTokenAuth::SessionsController
+
+  describe DeviseTokenAuth::Concerns::ResourceFinder do
+    describe '#provider' do
+      it 'returns "email"' do
+        assert_equal 'email', @controller.provider
+      end
+    end
+
+    describe '#resource_class' do
+      it 'returns User when called without arguments (default devise mapping)' do
+        assert_equal User, @controller.resource_class
+      end
+
+      it 'returns the correct class for an explicit mapping argument' do
+        assert_equal Mang, @controller.resource_class(:mang)
+      end
+    end
+
+    if DEVISE_TOKEN_AUTH_ORM == :active_record
+      describe '#database_adapter' do
+        it 'returns a String identifying the configured database adapter' do
+          assert_kind_of String, @controller.database_adapter
+          refute_empty @controller.database_adapter
+        end
+      end
+
+      describe '#find_resource' do
+        describe 'standard user' do
+          before do
+            @existing_user = create(:user, :confirmed)
+            post :create, params: { email: @existing_user.email,
+                                    password: @existing_user.password }
+          end
+
+          it 'assigns the matching resource' do
+            assert_equal @existing_user, assigns(:resource)
+          end
+        end
+
+        describe 'non-existent email' do
+          before do
+            post :create, params: { email: 'nobody@example.com',
+                                    password: 'wrongpassword' }
+          end
+
+          it 'returns 401' do
+            assert_equal 401, response.status
+          end
+
+          it 'does not assign a resource' do
+            assert_nil assigns(:resource)
+          end
+        end
+      end
+    else
+      # Mongoid: connection_db_config is not available; database_adapter returns nil.
+      describe '#database_adapter' do
+        it 'returns nil for Mongoid (no SQL connection)' do
+          assert_nil @controller.database_adapter
+        end
+      end
+    end
+  end
+end
+
+# Tests for the multi_email branch of find_resource require ActiveRecord and
+# the /multi_email_auth routes.  They are placed in a separate integration test
+# class to avoid forcing a route/mapping override on the unit tests above.
+if DEVISE_TOKEN_AUTH_ORM == :active_record
+  class DeviseTokenAuth::Concerns::ResourceFinderMultiEmailTest < ActionDispatch::IntegrationTest
+    SIGN_IN_PASSWORD = 'secret123'
+
+    describe 'ResourceFinder#find_resource with a multi_email user' do
+      before do
+        # Register and immediately confirm a MultiEmailUser.
+        @email = Faker::Internet.unique.email
+        post '/multi_email_auth',
+             params: { email: @email, password: SIGN_IN_PASSWORD,
+                       password_confirmation: SIGN_IN_PASSWORD,
+                       confirm_success_url: Faker::Internet.url }
+        assert_equal 200, response.status, "Setup failed: #{response.body}"
+        @user = assigns(:resource)
+        @user.confirm
+      end
+
+      it 'finds the multi_email user via the emails association' do
+        post '/multi_email_auth/sign_in',
+             params: { email: @email, password: SIGN_IN_PASSWORD }
+        assert_equal 200, response.status
+        assert_equal @user, assigns(:resource)
+      end
+
+      it 'returns 401 when email is unknown' do
+        post '/multi_email_auth/sign_in',
+             params: { email: 'nobody@example.com', password: SIGN_IN_PASSWORD }
+        assert_equal 401, response.status
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/concerns/set_user_by_token_test.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Tests targeting DeviseTokenAuth::Concerns::SetUserByToken behaviors that are
+# not already covered by demo_user_controller_test.rb or
+# token_validations_controller_test.rb.
+#
+# The DemoUserController at /demo/members_only is used as the test target
+# because it runs set_user_by_token via the before_action inherited from
+# ApplicationController (which includes SetUserByToken).
+class DeviseTokenAuth::Concerns::SetUserByTokenTest < ActionDispatch::IntegrationTest
+  include Warden::Test::Helpers
+
+  describe DeviseTokenAuth::Concerns::SetUserByToken do
+    before do
+      @resource = create(:user, :confirmed)
+      @auth_headers = @resource.create_new_auth_token
+      @token     = @auth_headers['access-token']
+      @client_id = @auth_headers['client']
+      @uid       = @auth_headers['uid']
+    end
+
+    # -------------------------------------------------------------------------
+    # #set_request_start
+    # -------------------------------------------------------------------------
+    describe '#set_request_start' do
+      before do
+        age_token(@resource, @client_id)
+        get '/demo/members_only', params: {}, headers: @auth_headers
+      end
+
+      it 'sets @request_started_at to the current time' do
+        assert_kind_of Time, assigns(:request_started_at)
+      end
+
+      it 'initializes @resource' do
+        refute_nil assigns(:resource)
+      end
+
+      it 'initializes @token' do
+        refute_nil assigns(:token)
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #set_user_by_token – authentication via query parameters
+    # -------------------------------------------------------------------------
+    describe 'token auth via query params' do
+      before do
+        age_token(@resource, @client_id)
+        # Pass the three auth values as query-string parameters, not headers.
+        get '/demo/members_only',
+            params: {
+              'access-token' => @token,
+              'client'       => @client_id,
+              'uid'          => @uid
+            }
+      end
+
+      it 'returns 200' do
+        assert_equal 200, response.status
+      end
+
+      it 'authenticates the correct user' do
+        assert_equal @resource, assigns(:resource)
+      end
+
+      it 'returns a new access token in the response headers' do
+        assert response.headers['access-token'].present?
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #set_user_by_token – authentication via auth cookie
+    # -------------------------------------------------------------------------
+    describe 'token auth via auth cookie' do
+      before do
+        DeviseTokenAuth.cookie_enabled = true
+
+        # Sign in to receive the auth cookie from the server.
+        post '/auth/sign_in',
+             params: { email: @resource.email, password: @resource.password }
+        assert_equal 200, response.status, "Sign-in failed: #{response.body}"
+
+        # The integration session retains the Set-Cookie from sign-in.
+        # Make a protected request without explicit auth headers; the cookie
+        # should carry the credentials for set_user_by_token to use.
+        get '/demo/members_only', params: {}, headers: {}
+      end
+
+      after do
+        DeviseTokenAuth.cookie_enabled = false
+      end
+
+      it 'returns 200' do
+        assert_equal 200, response.status
+      end
+
+      it 'authenticates the correct user' do
+        assert_equal @resource, assigns(:resource)
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #decode_bearer_token – tested indirectly via /auth/validate_token
+    # -------------------------------------------------------------------------
+    describe '#decode_bearer_token' do
+      before do
+        age_token(@resource, @client_id)
+      end
+
+      describe 'with a blank Authorization header' do
+        before do
+          get '/auth/validate_token', params: {}, headers: {}
+        end
+
+        it 'returns 401 (no credentials provided)' do
+          assert_equal 401, response.status
+        end
+      end
+
+      describe 'with an invalid base64 Bearer token' do
+        before do
+          get '/auth/validate_token', params: {},
+              headers: { 'Authorization' => 'Bearer not-valid-base64!!!' }
+        end
+
+        it 'returns 401 (decoded token treated as empty hash)' do
+          assert_equal 401, response.status
+        end
+      end
+
+      describe 'with valid base64 but non-JSON payload' do
+        before do
+          non_json_token = Base64.strict_encode64('this is not json')
+          get '/auth/validate_token', params: {},
+              headers: { 'Authorization' => "Bearer #{non_json_token}" }
+        end
+
+        it 'returns 401 (JSON parse error rescued to empty hash)' do
+          assert_equal 401, response.status
+        end
+      end
+
+      describe 'with a valid Bearer token (correct uid + access-token + client)' do
+        before do
+          encoded = Base64.strict_encode64(@auth_headers.to_json)
+          get '/auth/validate_token', params: {},
+              headers: { 'Authorization' => "Bearer #{encoded}" }
+        end
+
+        it 'returns 200' do
+          assert_equal 200, response.status
+        end
+
+        it 'authenticates the correct user' do
+          assert_equal @resource, assigns(:resource)
+        end
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #set_user_by_token – no credentials at all → resource is nil
+    # -------------------------------------------------------------------------
+    describe 'when no auth credentials are provided' do
+      before do
+        get '/demo/members_only', params: {}, headers: {}
+      end
+
+      it 'returns 401' do
+        assert_equal 401, response.status
+      end
+
+      it 'does not authenticate a resource' do
+        assert_nil assigns(:resource)
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #update_auth_header – cookie updated on each request when cookie_enabled
+    # -------------------------------------------------------------------------
+    describe 'update_auth_header with cookie_enabled' do
+      before do
+        DeviseTokenAuth.cookie_enabled = true
+        age_token(@resource, @client_id)
+        get '/demo/members_only', params: {}, headers: @auth_headers
+      end
+
+      after do
+        DeviseTokenAuth.cookie_enabled = false
+      end
+
+      it 'sets the auth cookie on the response' do
+        assert response.cookies[DeviseTokenAuth.cookie_name].present?
+      end
+    end
+  end
+end

data/test/controllers/devise_token_auth/multi_email_registrations_controller_test.rb

@@ -46,11 +46,26 @@ class MultiEmailRegistrationsControllerTest < ActionDispatch::IntegrationTest
         assert MultiEmailUser.respond_to?(:find_by_email)
       end
 
-      test 'MultiEmailUser does NOT carry the concern uniqueness validator' do
-        # email uniqueness is handled by the emails table, not the user model
-        refute MultiEmailUser.validators_on(:email).any? { |v|
-          v.is_a?(ActiveRecord::Validations::UniquenessValidator)
-        }
+      test 'concern uniqueness validator never fires for MultiEmailUser' do
+        # The concern adds a uniqueness validator with a runtime :if guard that
+        # skips it whenever the model responds to :multi_email_association.
+        # This ensures the validator is never exercised on multi-email models
+        # (which have no email column and would otherwise crash on MySQL via
+        # nil.case_sensitive?).
+        #
+        # The :if lambda is called via instance_exec on the record (arity 0),
+        # so self inside the lambda is the user instance.
+        user = MultiEmailUser.new(provider: 'email', uid: 'test@example.com')
+        MultiEmailUser.validators_on(:email).select { |v|
+          v.is_a?(ActiveRecord::Validations::UniquenessValidator) &&
+            Array(v.options[:scope]).include?(:provider)
+        }.each do |validator|
+          if_procs = Array(validator.options[:if]).select { |c| c.respond_to?(:call) }
+          refute if_procs.empty?,
+                 'DTA concern uniqueness validator must have a runtime :if guard'
+          assert if_procs.none? { |c| user.instance_exec(&c) },
+                 'DTA concern uniqueness validator should not fire for multi-email models'
+        end
       end
 
       test 'MultiEmailUserEmail has email uniqueness validator from EmailValidatable' do
@@ -133,5 +148,147 @@ class MultiEmailRegistrationsControllerTest < ActionDispatch::IntegrationTest
         assert_not_empty @data['errors']
       end
     end
+
+    # -----------------------------------------------------------------------
+    # Shared helper: register, confirm, and sign in a MultiEmailUser.
+    # Returns [user, auth_headers].
+    # -----------------------------------------------------------------------
+    def sign_in_confirmed_user(email: nil)
+      email ||= Faker::Internet.unique.email
+      post '/multi_email_auth', params: registration_params(email: email)
+      assert_equal 200, response.status, "Setup registration failed: #{response.body}"
+      user = assigns(:resource)
+      user.confirm
+
+      post '/multi_email_auth/sign_in',
+           params: { email: email, password: 'secret123' }
+      assert_equal 200, response.status, "Sign-in failed: #{response.body}"
+
+      auth_headers = {
+        'access-token' => response.headers['access-token'],
+        'client'       => response.headers['client'],
+        'uid'          => response.headers['uid'],
+        'token-type'   => response.headers['token-type']
+      }
+      [user, auth_headers]
+    end
+
+    # -----------------------------------------------------------------------
+    # Update account (PUT /multi_email_auth)
+    # -----------------------------------------------------------------------
+    describe 'account update' do
+      describe 'successful account update (name field)' do
+        before do
+          @user, @auth_headers = sign_in_confirmed_user
+          age_token(@user, @auth_headers['client'])
+
+          put '/multi_email_auth',
+              params: { name: 'Updated Name' },
+              headers: @auth_headers
+          @data = JSON.parse(response.body)
+        end
+
+        test 'request is successful' do
+          assert_equal 200, response.status
+        end
+
+        test 'response status is success' do
+          assert_equal 'success', @data['status']
+        end
+
+        test 'updated name is reflected in the response' do
+          assert_equal 'Updated Name', @data['data']['name']
+        end
+
+        test 'name is persisted to the database' do
+          @user.reload
+          assert_equal 'Updated Name', @user.name
+        end
+      end
+
+      describe 'account update without authentication' do
+        before do
+          put '/multi_email_auth',
+              params: { name: 'Unauthenticated Update' }
+          @data = JSON.parse(response.body)
+        end
+
+        test 'request fails with 404' do
+          assert_equal 404, response.status
+        end
+
+        test 'user not found error is returned' do
+          assert @data['errors']
+        end
+      end
+
+      describe 'account update with empty body' do
+        before do
+          @user, @auth_headers = sign_in_confirmed_user
+          age_token(@user, @auth_headers['client'])
+
+          put '/multi_email_auth',
+              params: {},
+              headers: @auth_headers
+          @data = JSON.parse(response.body)
+        end
+
+        test 'request fails with 422' do
+          assert_equal 422, response.status
+        end
+      end
+    end
+
+    # -----------------------------------------------------------------------
+    # Destroy account (DELETE /multi_email_auth)
+    # -----------------------------------------------------------------------
+    describe 'account destroy' do
+      describe 'successful account deletion' do
+        before do
+          @user, @auth_headers = sign_in_confirmed_user
+          @user_id = @user.id
+          age_token(@user, @auth_headers['client'])
+
+          delete '/multi_email_auth', headers: @auth_headers
+          @data = JSON.parse(response.body)
+        end
+
+        test 'request is successful' do
+          assert_equal 200, response.status
+        end
+
+        test 'success status is returned' do
+          assert_equal 'success', @data['status']
+        end
+
+        test 'user is removed from the database' do
+          refute MultiEmailUser.where(id: @user_id).exists?,
+                 'MultiEmailUser should be deleted after destroy'
+        end
+
+        test 'associated email records are also deleted (dependent: :destroy)' do
+          refute MultiEmailUserEmail.where(multi_email_user_id: @user_id).exists?,
+                 'Email records should be destroyed with the user'
+        end
+      end
+
+      describe 'account deletion without authentication' do
+        before do
+          delete '/multi_email_auth'
+          @data = JSON.parse(response.body)
+        end
+
+        test 'request fails with 404' do
+          assert_equal 404, response.status
+        end
+
+        test 'error message is returned' do
+          assert @data['errors']
+          assert @data['errors'].include?(
+            I18n.t('devise_token_auth.registrations.account_to_destroy_not_found')
+          )
+        end
+      end
+    end
   end
 end

data/test/models/confirmable_support_concern_test.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Unit tests for DeviseTokenAuth::Concerns::ConfirmableSupport.
+#
+# This concern is included into models that have DeviseTokenAuth's
+# send_confirmation_email setting enabled along with Devise's :confirmable
+# module.  It overrides postpone_email_change? to avoid relying on
+# devise_will_save_change_to_email?, and exposes email_value_in_database
+# as a Rails-version-safe helper.
+#
+# These tests use ConfirmableUser, which is the only model in the test app
+# that has :confirmable and triggers ConfirmableSupport inclusion.
+return unless DEVISE_TOKEN_AUTH_ORM == :active_record
+
+class ConfirmableSupportConcernTest < ActiveSupport::TestCase
+  describe DeviseTokenAuth::Concerns::ConfirmableSupport do
+    # ConfirmableUser includes ConfirmableSupport via the
+    # DeviseTokenAuth.send_confirmation_email + :confirmable check in user.rb.
+    test 'ConfirmableUser includes ConfirmableSupport' do
+      assert ConfirmableUser.ancestors.include?(DeviseTokenAuth::Concerns::ConfirmableSupport),
+             'Expected ConfirmableUser to include ConfirmableSupport'
+    end
+
+    # -------------------------------------------------------------------------
+    # email_value_in_database (protected)
+    # -------------------------------------------------------------------------
+    describe '#email_value_in_database' do
+      test 'returns the persisted email (not an in-memory change)' do
+        original_email = 'original@example.com'
+        resource = create(:confirmable_user, email: original_email)
+
+        # Change email in memory only — do not save
+        resource.email = 'inmemory@example.com'
+
+        persisted = resource.send(:email_value_in_database)
+        assert_equal original_email, persisted,
+                     'email_value_in_database should return the DB value, not the in-memory change'
+      end
+
+      test 'returns nil for a brand-new (unsaved) record' do
+        resource = ConfirmableUser.new(email: 'new@example.com')
+        result = resource.send(:email_value_in_database)
+        # A new record has no persisted value — expect nil or blank string
+        assert result.blank?,
+               "Expected blank value for unsaved record, got: #{result.inspect}"
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # postpone_email_change? (public via override)
+    # -------------------------------------------------------------------------
+    describe '#postpone_email_change?' do
+      test 'returns true when reconfirmable is enabled and email has changed' do
+        resource = create(:confirmable_user, email: 'before@example.com')
+
+        # Change email but do not save — postpone_email_change? inspects pending
+        # changes before the save happens.
+        resource.email = 'after@example.com'
+
+        assert resource.postpone_email_change?,
+               'Expected postpone_email_change? to return true when email changed and reconfirmable is on'
+      end
+
+      test 'returns false when reconfirmable is disabled' do
+        swap ConfirmableUser, reconfirmable: false do
+          resource = create(:confirmable_user, email: 'reconf@example.com')
+          resource.email = 'reconf_new@example.com'
+          refute resource.postpone_email_change?,
+                 'Expected postpone_email_change? to return false when reconfirmable is off'
+        end
+      end
+
+      test 'returns false when email has not changed' do
+        resource = create(:confirmable_user, email: 'same@example.com')
+        # No change to email
+        refute resource.postpone_email_change?,
+               'Expected postpone_email_change? to return false when email is unchanged'
+      end
+
+      test 'resets @bypass_confirmation_postpone after the check' do
+        resource = create(:confirmable_user, email: 'reset_test@example.com')
+        resource.instance_variable_set(:@bypass_confirmation_postpone, true)
+        resource.email = 'reset_new@example.com'
+
+        # The flag bypasses the postpone on the first call
+        refute resource.postpone_email_change?,
+               'Expected postpone_email_change? to return false when bypass flag is set'
+
+        # After the first call the flag should be cleared
+        refute resource.instance_variable_get(:@bypass_confirmation_postpone),
+               '@bypass_confirmation_postpone should be reset to false after the call'
+      end
+    end
+  end
+end

data/test/models/user_concern_methods_test.rb

@@ -0,0 +1,326 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Unit tests for methods defined in DeviseTokenAuth::Concerns::User that are
+# not already exercised by user_test.rb or the controller-level tests.
+#
+# Covered here:
+#   - build_auth_headers / build_bearer_token
+#   - confirmed?
+#   - token_validation_response
+#   - extend_batch_buffer
+#   - remove_tokens_after_password_reset / should_remove_tokens_after_password_reset?
+#   - does_token_match?
+#   - tokens_match? (class-level cache)
+class UserConcernMethodsTest < ActiveSupport::TestCase
+  describe DeviseTokenAuth::Concerns::User do
+    # -------------------------------------------------------------------------
+    # Setup helpers
+    # -------------------------------------------------------------------------
+    def build_confirmed_user
+      create(:user, :confirmed)
+    end
+
+    # -------------------------------------------------------------------------
+    # build_auth_headers / build_bearer_token
+    # -------------------------------------------------------------------------
+    describe '#build_auth_headers' do
+      before do
+        @resource    = build_confirmed_user
+        @auth        = @resource.create_new_auth_token
+        @client_id   = @auth['client']
+        @token       = @auth['access-token']
+        @headers     = @resource.build_auth_headers(@token, @client_id)
+      end
+
+      test 'includes access-token key' do
+        assert @headers.key?(DeviseTokenAuth.headers_names[:'access-token'])
+      end
+
+      test 'includes token-type key' do
+        assert @headers.key?(DeviseTokenAuth.headers_names[:'token-type'])
+      end
+
+      test 'includes client key' do
+        assert @headers.key?(DeviseTokenAuth.headers_names[:'client'])
+      end
+
+      test 'includes expiry key' do
+        assert @headers.key?(DeviseTokenAuth.headers_names[:'expiry'])
+      end
+
+      test 'includes uid key' do
+        assert @headers.key?(DeviseTokenAuth.headers_names[:'uid'])
+      end
+
+      test 'uid value matches resource uid' do
+        assert_equal @resource.uid, @headers[DeviseTokenAuth.headers_names[:'uid']]
+      end
+
+      test 'access-token value matches token' do
+        assert_equal @token, @headers[DeviseTokenAuth.headers_names[:'access-token']]
+      end
+
+      test 'token-type is Bearer' do
+        assert_equal 'Bearer', @headers[DeviseTokenAuth.headers_names[:'token-type']]
+      end
+    end
+
+    describe '#build_bearer_token' do
+      before do
+        @resource  = build_confirmed_user
+        @auth      = @resource.create_new_auth_token
+        @client_id = @auth['client']
+        @token     = @auth['access-token']
+      end
+
+      test 'returns a hash with an Authorization key when cookies are disabled' do
+        DeviseTokenAuth.cookie_enabled = false
+        auth_payload = { 'uid' => @resource.uid }
+        result = @resource.build_bearer_token(auth_payload)
+        assert result.key?(DeviseTokenAuth.headers_names[:'authorization'])
+      end
+
+      test 'Authorization value starts with "Bearer "' do
+        DeviseTokenAuth.cookie_enabled = false
+        auth_payload = { 'uid' => @resource.uid }
+        result = @resource.build_bearer_token(auth_payload)
+        assert result[DeviseTokenAuth.headers_names[:'authorization']].start_with?('Bearer ')
+      end
+
+      test 'returns an empty hash when cookie_enabled is true' do
+        DeviseTokenAuth.cookie_enabled = true
+        auth_payload = { 'uid' => @resource.uid }
+        result = @resource.build_bearer_token(auth_payload)
+        assert_empty result
+      ensure
+        DeviseTokenAuth.cookie_enabled = false
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # confirmed?
+    # -------------------------------------------------------------------------
+    describe '#confirmed?' do
+      test 'returns true for a user without :confirmable devise module' do
+        # User does not include :confirmable, so confirmed? must return true.
+        resource = build_confirmed_user
+        refute resource.devise_modules.include?(:confirmable)
+        assert resource.confirmed?
+      end
+
+      if DEVISE_TOKEN_AUTH_ORM == :active_record
+        test 'returns true for a ConfirmableUser that has been confirmed' do
+          resource = create(:confirmable_user)
+          resource.confirm
+          assert resource.confirmed?
+        end
+
+        test 'returns false for a ConfirmableUser that has not been confirmed' do
+          resource = create(:confirmable_user)
+          # Reload to drop any in-memory state set during creation
+          resource.reload
+          refute resource.confirmed?
+        end
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # token_validation_response
+    # -------------------------------------------------------------------------
+    describe '#token_validation_response' do
+      before do
+        @resource = build_confirmed_user
+        @response = @resource.token_validation_response
+      end
+
+      test 'returns a hash' do
+        assert_kind_of Hash, @response
+      end
+
+      test 'does not include :tokens key' do
+        refute @response.key?('tokens'), 'tokens should be excluded from token_validation_response'
+      end
+
+      test 'does not include :created_at key' do
+        refute @response.key?('created_at'), 'created_at should be excluded'
+      end
+
+      test 'does not include :updated_at key' do
+        refute @response.key?('updated_at'), 'updated_at should be excluded'
+      end
+
+      test 'includes the email key' do
+        assert @response.key?('email')
+      end
+
+      test 'includes the uid key' do
+        assert @response.key?('uid')
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # extend_batch_buffer
+    # -------------------------------------------------------------------------
+    describe '#extend_batch_buffer' do
+      before do
+        @resource  = build_confirmed_user
+        @auth      = @resource.create_new_auth_token
+        @client_id = @auth['client']
+        @token     = @auth['access-token']
+        age_token(@resource, @client_id)
+      end
+
+      test 'returns a hash with auth header keys' do
+        result = @resource.extend_batch_buffer(@token, @client_id)
+        assert result.key?(DeviseTokenAuth.headers_names[:'access-token'])
+      end
+
+      test 'updates the updated_at timestamp for the client token' do
+        # age_token set updated_at to the past; extend_batch_buffer should
+        # refresh it to approximately now.
+        @resource.extend_batch_buffer(@token, @client_id)
+        updated_at = @resource.tokens[@client_id]['updated_at']
+        # updated_at should now be within the last 5 seconds
+        assert updated_at.to_time >= Time.zone.now - 5.seconds,
+               'updated_at should be refreshed to approximately now by extend_batch_buffer'
+      end
+
+      test 'persists the token record to the database' do
+        @resource.extend_batch_buffer(@token, @client_id)
+        reloaded = @resource.class.find(@resource.id)
+        assert reloaded.tokens[@client_id]
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # does_token_match?
+    # -------------------------------------------------------------------------
+    describe '#does_token_match?' do
+      before do
+        @resource  = build_confirmed_user
+        @auth      = @resource.create_new_auth_token
+        @client_id = @auth['client']
+        @token     = @auth['access-token']
+      end
+
+      test 'returns false when token_hash is nil' do
+        refute @resource.does_token_match?(nil, @token)
+      end
+
+      test 'returns false when token does not match' do
+        token_hash = @resource.tokens[@client_id]['token']
+        refute @resource.does_token_match?(token_hash, 'wrong_token')
+      end
+
+      test 'returns true when token matches its hash' do
+        # Obtain the raw token before it gets rotated; use the original
+        # auth headers directly since create_new_auth_token returns the
+        # plaintext token in the headers hash.
+        token_hash = @resource.tokens[@client_id]['token']
+        assert @resource.does_token_match?(token_hash, @token)
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # DeviseTokenAuth::Concerns::User.tokens_match? (class-level)
+    # -------------------------------------------------------------------------
+    describe '.tokens_match?' do
+      test 'returns truthy when hash matches token' do
+        raw = DeviseTokenAuth::TokenFactory.create
+        assert DeviseTokenAuth::Concerns::User.tokens_match?(raw.token_hash, raw.token)
+      end
+
+      test 'returns falsy when hash does not match token' do
+        raw = DeviseTokenAuth::TokenFactory.create
+        refute DeviseTokenAuth::Concerns::User.tokens_match?(raw.token_hash, 'wrong')
+      end
+
+      test 'populates and reuses the equality cache' do
+        raw = DeviseTokenAuth::TokenFactory.create
+        # Reset the cache to isolate this test
+        DeviseTokenAuth::Concerns::User.instance_variable_set(:@token_equality_cache, nil)
+
+        # First call — cache is empty, result computed from BCrypt
+        first = DeviseTokenAuth::Concerns::User.tokens_match?(raw.token_hash, raw.token)
+        cache_after_first = DeviseTokenAuth::Concerns::User.instance_variable_get(:@token_equality_cache)
+
+        assert first, 'Expected tokens_match? to return truthy for a matching pair'
+        assert_equal 1, cache_after_first.size, 'Cache should contain one entry after first call'
+
+        # Second call — same inputs, result served from cache (no BCrypt re-computation)
+        second = DeviseTokenAuth::Concerns::User.tokens_match?(raw.token_hash, raw.token)
+        cache_after_second = DeviseTokenAuth::Concerns::User.instance_variable_get(:@token_equality_cache)
+
+        assert second, 'Cached result should also be truthy'
+        assert_equal 1, cache_after_second.size, 'Cache size should remain 1 (no duplicate entry)'
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # should_remove_tokens_after_password_reset? / remove_tokens_after_password_reset
+    # -------------------------------------------------------------------------
+    if DEVISE_TOKEN_AUTH_ORM == :active_record
+      describe '#should_remove_tokens_after_password_reset?' do
+        before do
+          @resource = build_confirmed_user
+        end
+
+        test 'returns false when remove_tokens_after_password_reset is false' do
+          DeviseTokenAuth.remove_tokens_after_password_reset = false
+          refute @resource.send(:should_remove_tokens_after_password_reset?)
+        end
+
+        test 'returns false when remove_tokens_after_password_reset is true but password has not changed' do
+          DeviseTokenAuth.remove_tokens_after_password_reset = true
+          # Reload so there is no pending change
+          @resource.reload
+          refute @resource.send(:should_remove_tokens_after_password_reset?)
+        ensure
+          DeviseTokenAuth.remove_tokens_after_password_reset = false
+        end
+
+        test 'returns true when remove_tokens_after_password_reset is true and password changed' do
+          DeviseTokenAuth.remove_tokens_after_password_reset = true
+          @resource.password = @resource.password_confirmation = 'NewSecret999!'
+          assert @resource.send(:should_remove_tokens_after_password_reset?)
+        ensure
+          DeviseTokenAuth.remove_tokens_after_password_reset = false
+        end
+      end
+
+      describe '#remove_tokens_after_password_reset' do
+        before do
+          @resource = build_confirmed_user
+          # Create multiple tokens on multiple clients
+          3.times { @resource.create_new_auth_token }
+          @resource.save!
+        end
+
+        test 'keeps only the most recent token when password changes and setting is enabled' do
+          DeviseTokenAuth.remove_tokens_after_password_reset = true
+
+          # Simulate a password change
+          @resource.password = @resource.password_confirmation = 'NewSecret999!'
+          @resource.save!
+
+          assert_equal 1, @resource.tokens.count,
+                       'All but the most-recent token should be removed after password reset'
+        ensure
+          DeviseTokenAuth.remove_tokens_after_password_reset = false
+        end
+
+        test 'does not alter tokens when setting is disabled' do
+          DeviseTokenAuth.remove_tokens_after_password_reset = false
+          count_before = @resource.tokens.count
+
+          @resource.password = @resource.password_confirmation = 'NewSecret999!'
+          @resource.save!
+
+          assert_equal count_before, @resource.tokens.count
+        end
+      end
+    end
+  end
+end

data/test/models/user_omniauth_callbacks_concern_test.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+# Unit tests for DeviseTokenAuth::Concerns::UserOmniauthCallbacks.
+#
+# The concern is included in every model that includes
+# DeviseTokenAuth::Concerns::User.  It is responsible for:
+#   - Keeping uid in sync with email for email-provider users (sync_uid).
+#   - Validating uid presence for OAuth providers.
+#   - Providing the email_provider? and uid_and_provider_defined? helpers.
+class UserOmniauthCallbacksConcernTest < ActiveSupport::TestCase
+  describe DeviseTokenAuth::Concerns::UserOmniauthCallbacks do
+    # -------------------------------------------------------------------------
+    # #uid_and_provider_defined?
+    # -------------------------------------------------------------------------
+    describe '#uid_and_provider_defined?' do
+      test 'returns true for User (which has provider and uid columns)' do
+        resource = User.new
+        assert resource.send(:uid_and_provider_defined?)
+      end
+
+      if DEVISE_TOKEN_AUTH_ORM == :active_record
+        test 'returns true for MultiEmailUser' do
+          resource = MultiEmailUser.new
+          assert resource.send(:uid_and_provider_defined?)
+        end
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # #email_provider?
+    # -------------------------------------------------------------------------
+    describe '#email_provider?' do
+      test 'returns true when provider is "email"' do
+        resource = User.new(provider: 'email')
+        assert resource.send(:email_provider?)
+      end
+
+      test 'returns false when provider is not "email"' do
+        resource = User.new(provider: 'facebook')
+        refute resource.send(:email_provider?)
+      end
+
+      test 'returns false when provider is nil' do
+        resource = User.new(provider: nil)
+        refute resource.send(:email_provider?)
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # sync_uid (via before_save / before_create callbacks)
+    # -------------------------------------------------------------------------
+    describe 'sync_uid' do
+      if DEVISE_TOKEN_AUTH_ORM == :active_record
+        describe 'email-provider user' do
+          test 'uid is set to email when creating a new email-provider user' do
+            email = Faker::Internet.unique.email
+            resource = create(:user, email: email, provider: 'email')
+            assert_equal email, resource.uid,
+                         'uid should be synced from email on creation'
+          end
+
+          test 'uid is updated when email changes on an existing user' do
+            resource = create(:user, :confirmed)
+            new_email = Faker::Internet.unique.email
+            resource.email = new_email
+            resource.save(validate: false)
+            assert_equal new_email, resource.uid,
+                         'uid should stay in sync with email after update'
+          end
+        end
+
+        describe 'OAuth provider user' do
+          test 'uid is NOT overwritten with email for non-email providers' do
+            uid = '12345'
+            resource = build(:user, :facebook, uid: uid)
+            resource.save(validate: false)
+            assert_equal uid, resource.uid,
+                         'uid should remain unchanged for OAuth providers'
+          end
+        end
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # Validation: email presence (email provider)
+    # -------------------------------------------------------------------------
+    describe 'email presence validation' do
+      if DEVISE_TOKEN_AUTH_ORM == :active_record
+        test 'fails to save email-provider user without email' do
+          resource = User.new(provider: 'email', uid: '', password: 'secret123',
+                              password_confirmation: 'secret123')
+          refute resource.save
+          assert resource.errors[:email].any?
+        end
+
+        test 'saves OAuth user without email' do
+          resource = User.new(provider: 'facebook', uid: '999', email: nil)
+          # skip uniqueness / other validations to test only email presence
+          resource.password = resource.password_confirmation = 'secret123'
+          result = resource.save(validate: false)
+          assert result
+        end
+      end
+    end
+
+    # -------------------------------------------------------------------------
+    # Validation: uid presence (OAuth provider)
+    # -------------------------------------------------------------------------
+    describe 'uid presence validation for OAuth users' do
+      if DEVISE_TOKEN_AUTH_ORM == :active_record
+        test 'fails to save OAuth user without uid' do
+          resource = User.new(provider: 'facebook', uid: nil)
+          resource.password = resource.password_confirmation = 'secret123'
+          resource.save
+          assert resource.errors[:uid].any?,
+                 'Expected a validation error on :uid for OAuth users with nil uid'
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_token_auth_multi_email
 version: !ruby/object:Gem::Version
-  version: 0.9.5
+  version: 0.9.9
 platform: ruby
 authors:
 - Lynn Hurley
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-04-08 00:00:00.000000000 Z
+date: 2026-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -275,6 +275,8 @@ files:
 - test/controllers/demo_group_controller_test.rb
 - test/controllers/demo_mang_controller_test.rb
 - test/controllers/demo_user_controller_test.rb
+- test/controllers/devise_token_auth/concerns/resource_finder_test.rb
+- test/controllers/devise_token_auth/concerns/set_user_by_token_test.rb
 - test/controllers/devise_token_auth/confirmations_controller_test.rb
 - test/controllers/devise_token_auth/multi_email_coexistence_test.rb
 - test/controllers/devise_token_auth/multi_email_confirmations_controller_test.rb
@@ -389,10 +391,13 @@ files:
 - test/lib/generators/devise_token_auth/install_views_generator_test.rb
 - test/models/concerns/mongoid_support_test.rb
 - test/models/concerns/tokens_serialization_test.rb
+- test/models/confirmable_support_concern_test.rb
 - test/models/confirmable_user_test.rb
 - test/models/multi_email_user_email_test.rb
 - test/models/multi_email_user_test.rb
 - test/models/only_email_user_test.rb
+- test/models/user_concern_methods_test.rb
+- test/models/user_omniauth_callbacks_concern_test.rb
 - test/models/user_test.rb
 - test/support/controllers/routes.rb
 - test/test_helper.rb
@@ -430,6 +435,8 @@ test_files:
 - test/controllers/demo_group_controller_test.rb
 - test/controllers/demo_mang_controller_test.rb
 - test/controllers/demo_user_controller_test.rb
+- test/controllers/devise_token_auth/concerns/resource_finder_test.rb
+- test/controllers/devise_token_auth/concerns/set_user_by_token_test.rb
 - test/controllers/devise_token_auth/confirmations_controller_test.rb
 - test/controllers/devise_token_auth/multi_email_coexistence_test.rb
 - test/controllers/devise_token_auth/multi_email_confirmations_controller_test.rb
@@ -544,10 +551,13 @@ test_files:
 - test/lib/generators/devise_token_auth/install_views_generator_test.rb
 - test/models/concerns/mongoid_support_test.rb
 - test/models/concerns/tokens_serialization_test.rb
+- test/models/confirmable_support_concern_test.rb
 - test/models/confirmable_user_test.rb
 - test/models/multi_email_user_email_test.rb
 - test/models/multi_email_user_test.rb
 - test/models/only_email_user_test.rb
+- test/models/user_concern_methods_test.rb
+- test/models/user_omniauth_callbacks_concern_test.rb
 - test/models/user_test.rb
 - test/support/controllers/routes.rb
 - test/test_helper.rb