devise_token_auth_multitenancy 1.1.3.alpha1

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,287 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
+    attr_reader :auth_params
+
+    before_action :validate_auth_origin_url_param
+
+    skip_before_action :set_user_by_token, raise: false
+    skip_after_action :update_auth_header
+
+    # intermediary route for successful omniauth authentication. omniauth does
+    # not support multiple models, so we must resort to this terrible hack.
+    def redirect_callbacks
+
+      # derive target redirect route from 'resource_class' param, which was set
+      # before authentication.
+      devise_mapping = get_devise_mapping
+      redirect_route = get_redirect_route(devise_mapping)
+
+      # preserve omniauth info for success route. ignore 'extra' in twitter
+      # auth response to avoid CookieOverflow.
+      session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
+      session['dta.omniauth.params'] = request.env['omniauth.params']
+
+      redirect_to redirect_route
+    end
+
+    def get_redirect_route(devise_mapping)
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+    end
+
+    def get_devise_mapping
+       # derive target redirect route from 'resource_class' param, which was set
+       # before authentication.
+       devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                         request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+    rescue NoMethodError => err
+      default_devise_mapping
+    end
+
+    # This method will only be called if `get_devise_mapping` cannot
+    # find the mapping in `omniauth.params`.
+    #
+    # One example use-case here is for IDP-initiated SAML login.  In that
+    # case, there will have been no initial request in which to save 
+    # the devise mapping.  If you are in a situation like that, and
+    # your app allows for you to determine somehow what the devise
+    # mapping should be (because, for example, it is always the same),
+    # then you can handle it by overriding this method.
+    def default_devise_mapping
+      raise NotImplementedError.new('no default_devise_mapping set')
+    end
+
+    def omniauth_success
+      get_resource_from_auth_hash
+      set_token_on_resource
+      create_auth_params
+
+      if confirmable_enabled?
+        # don't send confirmation email!!!
+        @resource.skip_confirmation!
+      end
+
+      sign_in(:user, @resource, store: false, bypass: false)
+
+      @resource.save!
+
+      yield @resource if block_given?
+
+      render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
+    end
+
+    def omniauth_failure
+      @error = params[:message]
+      render_data_or_redirect('authFailure', error: @error)
+    end
+
+    def validate_auth_origin_url_param 
+      return render_error_not_allowed_auth_origin_url if auth_origin_url && blacklisted_redirect_url?(auth_origin_url)
+    end
+  
+
+    protected
+
+    # this will be determined differently depending on the action that calls
+    # it. redirect_callbacks is called upon returning from successful omniauth
+    # authentication, and the target params live in an omniauth-specific
+    # request.env variable. this variable is then persisted thru the redirect
+    # using our own dta.omniauth.params session var. the omniauth_success
+    # method will access that session var and then destroy it immediately
+    # after use.  In the failure case, finally, the omniauth params
+    # are added as query params in our monkey patch to OmniAuth in engine.rb
+    def omniauth_params
+      unless defined?(@_omniauth_params)
+        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
+          @_omniauth_params = request.env['omniauth.params']
+        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
+          @_omniauth_params ||= session.delete('dta.omniauth.params')
+          @_omniauth_params
+        elsif params['omniauth_window_type']
+          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+        else
+          @_omniauth_params = {}
+        end
+      end
+      @_omniauth_params
+
+    end
+
+    # break out provider attribute assignment for easy method extension
+    def assign_provider_attrs(user, auth_hash)
+      attrs = auth_hash['info'].to_hash
+      attrs = attrs.slice(*user.attribute_names)
+      user.assign_attributes(attrs)
+    end
+
+    # derive allowed params from the standard devise parameter sanitizer
+    def whitelisted_params
+      whitelist = params_for_resource(:sign_up)
+
+      whitelist.inject({}) do |coll, key|
+        param = omniauth_params[key.to_s]
+        coll[key] = param if param
+        coll
+      end
+    end
+
+    def resource_class(mapping = nil)
+      if omniauth_params['resource_class']
+        omniauth_params['resource_class'].constantize
+      elsif params['resource_class']
+        params['resource_class'].constantize
+      else
+        raise 'No resource_class found'
+      end
+    end
+
+    def resource_name
+      resource_class
+    end
+
+    def omniauth_window_type
+      omniauth_params['omniauth_window_type']
+    end
+
+    def unsafe_auth_origin_url
+      omniauth_params['auth_origin_url'] || omniauth_params['origin']
+    end
+
+
+    def auth_origin_url
+      if unsafe_auth_origin_url && blacklisted_redirect_url?(unsafe_auth_origin_url)
+        return nil
+      end
+      return unsafe_auth_origin_url
+    end
+
+    # in the success case, omniauth_window_type is in the omniauth_params.
+    # in the failure case, it is in a query param.  See monkey patch above
+    def omniauth_window_type
+      omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
+    end
+
+    # this sesison value is set by the redirect_callbacks method. its purpose
+    # is to persist the omniauth auth hash value thru a redirect. the value
+    # must be destroyed immediatly after it is accessed by omniauth_success
+    def auth_hash
+      @_auth_hash ||= session.delete('dta.omniauth.auth')
+      @_auth_hash
+    end
+
+    # ensure that this controller responds to :devise_controller? conditionals.
+    # this is used primarily for access to the parameter sanitizers.
+    def assert_is_devise_resource!
+      true
+    end
+
+    def set_random_password
+      # set crazy password for new oauth users. this is only used to prevent
+      # access via email sign-in.
+      p = SecureRandom.urlsafe_base64(nil, false)
+      @resource.password = p
+      @resource.password_confirmation = p
+    end
+
+    def create_auth_params
+      @auth_params = {
+        auth_token: @token.token,
+        client_id:  @token.client,
+        uid:        @resource.uid,
+        expiry:     @token.expiry,
+        config:     @config
+      }
+      @auth_params.merge!(oauth_registration: true) if @oauth_registration
+      @auth_params
+    end
+
+    def set_token_on_resource
+      @config = omniauth_params['config_name']
+      @token  = @resource.create_token
+    end
+
+    def render_error_not_allowed_auth_origin_url
+      message = I18n.t('devise_token_auth.omniauth.not_allowed_redirect_url', redirect_url: unsafe_auth_origin_url)
+      render_data_or_redirect('authFailure', error: message)
+    end
+
+    def render_data(message, data)
+      @data = data.merge(message: ActionController::Base.helpers.sanitize(message))
+      render layout: nil, template: 'devise_token_auth/omniauth_external_window'
+    end
+
+    def render_data_or_redirect(message, data, user_data = {})
+
+      # We handle inAppBrowser and newWindow the same, but it is nice
+      # to support values in case people need custom implementations for each case
+      # (For example, nbrustein does not allow new users to be created if logging in with
+      # an inAppBrowser)
+      #
+      # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand
+      # why we can handle these both the same.  The view is setup to handle both cases
+      # at the same time.
+      if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type)
+        render_data(message, user_data.merge(data))
+
+      elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
+
+        # build and redirect to destination url
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
+      else
+
+        # there SHOULD always be an auth_origin_url, but if someone does something silly
+        # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
+        # In that case, just render in plain text the error message if there is one or otherwise
+        # a generic message.
+        fallback_render data[:error] || 'An error occurred'
+      end
+    end
+
+    def fallback_render(text)
+        render inline: %Q(
+
+            <html>
+                    <head></head>
+                    <body>
+                            #{ActionController::Base.helpers.sanitize(text)}
+                    </body>
+            </html>)
+    end
+
+    def handle_new_resource
+      @oauth_registration = true
+      set_random_password
+    end
+
+    def assign_whitelisted_params?
+      true
+    end
+
+    def get_resource_from_auth_hash
+      # find or create user by provider and provider uid
+      @resource = resource_class.where(
+        uid: auth_hash['uid'],
+        provider: auth_hash['provider']
+      ).first_or_initialize
+
+      if @resource.new_record?
+        handle_new_resource
+      end
+
+      # sync user info with provider, update/generate auth token
+      assign_provider_attrs(@resource, auth_hash)
+
+      # assign any additional (whitelisted) attributes
+      if assign_whitelisted_params?
+        extra_params = whitelisted_params
+        @resource.assign_attributes(extra_params) if extra_params
+      end
+
+      @resource
+    end
+  end
+
+end

data/app/controllers/devise_token_auth/passwords_controller.rb

@@ -0,0 +1,206 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class PasswordsController < DeviseTokenAuth::ApplicationController
+    before_action :validate_redirect_url_param, only: [:create, :edit]
+    skip_after_action :update_auth_header, only: [:create, :edit]
+
+    # this action is responsible for generating password reset tokens and sending emails
+    def create
+      return render_create_error_missing_email unless resource_params[:email]
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:uid, @email)
+
+      if @resource
+        yield @resource if block_given?
+        @resource.send_reset_password_instructions(
+          email: @email,
+          provider: 'email',
+          redirect_url: @redirect_url,
+          client_config: params[:config_name]
+        )
+
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+
+    # this is where users arrive after visiting the password reset confirmation link
+    def edit
+      # if a user is not found, return nil
+      @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+
+      if @resource && @resource.reset_password_period_valid?
+        token = @resource.create_token unless require_client_password_reset_token?
+
+        # ensure that user is confirmed
+        @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
+        # allow user to change password once without current_password
+        @resource.allow_password_change = true if recoverable_enabled?
+
+        @resource.save!
+
+        yield @resource if block_given?
+
+        if require_client_password_reset_token?
+          redirect_to DeviseTokenAuth::Url.generate(@redirect_url, reset_password_token: resource_params[:reset_password_token])
+        else
+          redirect_header_options = { reset_password: true }
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+          redirect_to(@resource.build_auth_url(@redirect_url,
+                                               redirect_headers))
+        end
+      else
+        render_edit_error
+      end
+    end
+
+    def update
+      # make sure user is authorized
+      if require_client_password_reset_token? && resource_params[:reset_password_token]
+        @resource = resource_class.with_reset_password_token(resource_params[:reset_password_token])
+        return render_update_error_unauthorized unless @resource
+
+        @token = @resource.create_token
+      else
+        @resource = set_user_by_token
+      end
+
+      return render_update_error_unauthorized unless @resource
+
+      # make sure account doesn't use oauth2 provider
+      unless @resource.provider == 'email'
+        return render_update_error_password_not_required
+      end
+
+      # ensure that password params were sent
+      unless password_resource_params[:password] && password_resource_params[:password_confirmation]
+        return render_update_error_missing_password
+      end
+
+      if @resource.send(resource_update_method, password_resource_params)
+        @resource.allow_password_change = false if recoverable_enabled?
+        @resource.save!
+
+        yield @resource if block_given?
+        return render_update_success
+      else
+        return render_update_error
+      end
+    end
+
+    protected
+
+    def resource_update_method
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true || require_client_password_reset_token?
+      if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
+        'update'
+      else
+        'update_with_password'
+      end
+    end
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.passwords.missing_email'))
+    end
+
+    def render_create_error_missing_redirect_url
+      render_error(401, I18n.t('devise_token_auth.passwords.missing_redirect_url'))
+    end
+
+    def render_error_not_allowed_redirect_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.passwords.not_allowed_redirect_url', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t('devise_token_auth.passwords.sended', email: @email)
+      }
+    end
+
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors
+      }, status: 400
+    end
+
+    def render_edit_error
+      raise ActionController::RoutingError, 'Not Found'
+    end
+
+    def render_update_error_unauthorized
+      render_error(401, 'Unauthorized')
+    end
+
+    def render_update_error_password_not_required
+      render_error(422, I18n.t('devise_token_auth.passwords.password_not_required', provider: @resource.provider.humanize))
+    end
+
+    def render_update_error_missing_password
+      render_error(422, I18n.t('devise_token_auth.passwords.missing_passwords'))
+    end
+
+    def render_update_success
+      render json: {
+        success: true,
+        data: resource_data,
+        message: I18n.t('devise_token_auth.passwords.successfully_updated')
+      }
+    end
+
+    def render_update_error
+      render json: {
+        success: false,
+        errors: resource_errors
+      }, status: 422
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :reset_password_token)
+    end
+
+    def password_resource_params
+      params.permit(*params_for_resource(:account_update))
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.passwords.user_not_found', email: @email))
+    end
+
+    def validate_redirect_url_param
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_password_reset_url
+      )
+
+      return render_create_error_missing_redirect_url unless @redirect_url
+      return render_error_not_allowed_redirect_url if blacklisted_redirect_url?(@redirect_url)
+    end
+
+    def reset_password_token_as_raw?(recoverable)
+      recoverable && recoverable.reset_password_token.present? && !require_client_password_reset_token?
+    end
+
+    def require_client_password_reset_token?
+      DeviseTokenAuth.require_client_password_reset_token
+    end
+  end
+end

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
+
+    def create
+      build_resource
+
+      unless @resource.present?
+        raise DeviseTokenAuth::Errors::NoResourceDefinedError,
+              "#{self.class.name} #build_resource does not define @resource,"\
+              ' execution stopped.'
+      end
+
+      # give redirect value from params priority
+      @redirect_url = params.fetch(
+        :confirm_success_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+
+      # success redirect url is required
+      if confirmable_enabled? && !@redirect_url
+        return render_create_error_missing_confirm_success_url
+      end
+
+      # if whitelist is set, validate redirect_url against whitelist
+      return render_create_error_redirect_url_not_allowed if blacklisted_redirect_url?(@redirect_url)
+
+      # override email confirmation, must be sent manually from ctrl
+      callback_name = defined?(ActiveRecord) && resource_class < ActiveRecord::Base ? :commit : :create
+      resource_class.set_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+      resource_class.skip_callback(callback_name, :after, :send_on_create_confirmation_instructions)
+
+      if @resource.respond_to? :skip_confirmation_notification!
+        # Fix duplicate e-mails by disabling Devise confirmation e-mail
+        @resource.skip_confirmation_notification!
+      end
+
+      if @resource.save
+        yield @resource if block_given?
+
+        unless @resource.confirmed?
+          # user will require email authentication
+          @resource.send_confirmation_instructions({
+            client_config: params[:config_name],
+            redirect_url: @redirect_url
+          })
+        end
+
+        if active_for_authentication?
+          # email auth has been bypassed, authenticate user
+          @token = @resource.create_token
+          @resource.save!
+          update_auth_header
+        end
+
+        render_create_success
+      else
+        clean_up_passwords @resource
+        render_create_error
+      end
+    end
+
+    def update
+      if @resource
+        if @resource.send(resource_update_method, account_update_params)
+          yield @resource if block_given?
+          render_update_success
+        else
+          render_update_error
+        end
+      else
+        render_update_error_user_not_found
+      end
+    end
+
+    def destroy
+      if @resource
+        @resource.destroy
+        yield @resource if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+
+    def sign_up_params
+      params.permit(*params_for_resource(:sign_up))
+    end
+
+    def account_update_params
+      params.permit(*params_for_resource(:account_update))
+    end
+
+    protected
+
+    def build_resource
+      @resource            = resource_class.new(sign_up_params)
+      @resource.provider   = provider
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].try(:downcase)
+      else
+        @resource.email = sign_up_params[:email]
+      end
+    end
+
+    def render_create_error_missing_confirm_success_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
+    end
+
+    def render_create_error_redirect_url_not_allowed
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+
+    def render_create_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+
+    def render_create_error
+      render json: {
+        status: 'error',
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
+    end
+
+    def render_update_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+
+    def render_update_error
+      render json: {
+        status: 'error',
+        errors: resource_errors
+      }, status: 422
+    end
+
+    def render_update_error_user_not_found
+      render_error(404, I18n.t('devise_token_auth.registrations.user_not_found'), status: 'error')
+    end
+
+    def render_destroy_success
+      render json: {
+        status: 'success',
+        message: I18n.t('devise_token_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
+      }
+    end
+
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.registrations.account_to_destroy_not_found'), status: 'error')
+    end
+
+    private
+
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        'update_with_password'
+      elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.key?(:password)
+        'update_with_password'
+      elsif account_update_params.key?(:current_password)
+        'update_with_password'
+      else
+        'update'
+      end
+    end
+
+    def validate_sign_up_params
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
+    end
+
+    def validate_account_update_params
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+    end
+
+    def validate_post_data which, message
+      render_error(:unprocessable_entity, message, status: 'error') if which.empty?
+    end
+
+    def active_for_authentication?
+      !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?
+    end
+  end
+end