devise_token_auth_multitenancy 1.1.3.alpha1

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy]
+    after_action :reset_session, only: [:destroy]
+
+    def new
+      render_new_error
+    end
+
+    def create
+      # Check
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+
+        @resource = find_resource(field, q_value)
+      end
+
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+          return render_create_error_bad_credentials
+        end
+        @token = @resource.create_token
+        @resource.save
+
+        sign_in(:user, @resource, store: false, bypass: false)
+
+        yield @resource if block_given?
+
+        render_create_success
+      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
+      else
+        render_create_error_bad_credentials
+      end
+    end
+
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client = @token.client if @token.client
+      @token.clear!
+
+      if user && client && user.tokens[client]
+        user.tokens.delete(client)
+        user.save!
+
+        yield user if block_given?
+
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+
+    protected
+
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+
+      { key: auth_key, val: auth_val }
+    end
+
+    def render_new_error
+      render_error(405, I18n.t('devise_token_auth.sessions.not_supported'))
+    end
+
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t('devise_token_auth.sessions.not_confirmed', email: @resource.email))
+    end
+
+    def render_create_error_account_locked
+      render_error(401, I18n.t('devise.mailer.unlock_instructions.account_lock_msg'))
+    end
+
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t('devise_token_auth.sessions.bad_credentials'))
+    end
+
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.sessions.user_not_found'))
+    end
+
+    private
+
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+  end
+end

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class TokenValidationsController < DeviseTokenAuth::ApplicationController
+    skip_before_action :assert_is_devise_resource!, only: [:validate_token]
+    before_action :set_user_by_token, only: [:validate_token]
+
+    def validate_token
+      # @resource will have been set by set_user_by_token concern
+      if @resource
+        yield @resource if block_given?
+        render_validate_token_success
+      else
+        render_validate_token_error
+      end
+    end
+
+    protected
+
+    def render_validate_token_success
+      render json: {
+        success: true,
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_validate_token_error
+      render_error(401, I18n.t('devise_token_auth.token_validations.invalid'))
+    end
+  end
+end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class UnlocksController < DeviseTokenAuth::ApplicationController
+    skip_after_action :update_auth_header, only: [:create, :show]
+
+    # this action is responsible for generating unlock tokens and
+    # sending emails
+    def create
+      return render_create_error_missing_email unless resource_params[:email]
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:email, @email)
+
+      if @resource
+        yield @resource if block_given?
+
+        @resource.send_unlock_instructions(
+          email: @email,
+          provider: 'email',
+          client_config: params[:config_name]
+        )
+
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+
+    def show
+      @resource = resource_class.unlock_access_by_token(params[:unlock_token])
+
+      if @resource.persisted?
+        token = @resource.create_token
+        @resource.save!
+        yield @resource if block_given?
+
+        redirect_header_options = { unlock: true }
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
+                                             redirect_headers))
+      else
+        render_show_error
+      end
+    end
+
+    private
+    def after_unlock_path_for(resource)
+      #TODO: This should probably be a configuration option at the very least.
+      '/'
+    end
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.unlocks.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t('devise_token_auth.unlocks.sended', email: @email)
+      }
+    end
+
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors
+      }, status: 400
+    end
+
+    def render_show_error
+      raise ActionController::RoutingError, 'Not Found'
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+    end
+
+    def resource_params
+      params.permit(:email, :unlock_token, :config)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -0,0 +1,16 @@
+require_relative 'tokens_serialization'
+
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+
+  included do
+    serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -0,0 +1,27 @@
+module DeviseTokenAuth::Concerns::ConfirmableSupport
+  extend ActiveSupport::Concern
+
+  included do
+    # Override standard devise `postpone_email_change?` method
+    # for not to use `will_save_change_to_email?` & `email_changed?` methods.
+    def postpone_email_change?
+      postpone = self.class.reconfirmable &&
+        email_value_in_database != email &&
+        !@bypass_confirmation_postpone &&
+        self.email.present? &&
+        (!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
+      @bypass_confirmation_postpone = false
+      postpone
+    end
+  end
+
+  protected
+
+  def email_value_in_database
+    if Devise.rails51? && respond_to?(:email_in_database)
+      email_in_database
+    else
+      email_was
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/mongoid_support.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::MongoidSupport
+  extend ActiveSupport::Concern
+
+  def as_json(options = {})
+    options[:except] = (options[:except] || []) + [:_id]
+    hash = super(options)
+    hash['id'] = to_param
+    hash
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    rescue Mongoid::Errors::DocumentNotFound
+      nil
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::TokensSerialization
+  # Serialization hash to json
+  def self.dump(object)
+    object.each_value(&:compact!) unless object.nil?
+    JSON.generate(object)
+  end
+
+  # Deserialization json to hash
+  def self.load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::User
+  extend ActiveSupport::Concern
+
+  def self.tokens_match?(token_hash, token)
+    @token_equality_cache ||= {}
+
+    key = "#{token_hash}/#{token}"
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
+    @token_equality_cache = {} if @token_equality_cache.size > 10000
+    result
+  end
+
+  included do
+    # Hack to check if devise is already enabled
+    if method_defined?(:devise_modules)
+      devise_modules.delete(:omniauthable)
+    else
+      devise :database_authenticatable, :registerable,
+             :recoverable, :validatable, :confirmable
+    end
+
+    if const_defined?('ActiveRecord') && ancestors.include?(ActiveRecord::Base)
+      include DeviseTokenAuth::Concerns::ActiveRecordSupport
+    end
+
+    if const_defined?('Mongoid') && ancestors.include?(Mongoid::Document)
+      include DeviseTokenAuth::Concerns::MongoidSupport
+    end
+
+    if DeviseTokenAuth.default_callbacks
+      include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+    end
+
+    # get rid of dead tokens
+    before_save :destroy_expired_tokens
+
+    # remove old tokens if password has changed
+    before_save :remove_tokens_after_password_reset
+
+    # don't use default devise email validation
+    def email_required?; false; end
+    def email_changed?; false; end
+    def will_save_change_to_email?; false; end
+
+    if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
+      include DeviseTokenAuth::Concerns::ConfirmableSupport
+    end
+
+    def password_required?
+      return false unless provider == 'email'
+      super
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_confirmation_instructions(opts = {})
+      generate_confirmation_token! unless @raw_confirmation_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+      opts[:to] = unconfirmed_email if pending_reconfirmation?
+      opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url
+
+      send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_reset_password_instructions(opts = {})
+      token = set_reset_password_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:reset_password_instructions, token, opts)
+      token
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_unlock_instructions(opts = {})
+      raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+      self.unlock_token = enc
+      save(validate: false)
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:unlock_instructions, raw, opts)
+      raw
+    end
+
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
+
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
+
+      clean_old_tokens
+
+      token
+    end
+  end
+
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
+
+    # return false if none of the above conditions are met
+    false
+  end
+
+  # this must be done from the controller so that additional params
+  # can be passed on from the client
+  def send_confirmation_notification?; false; end
+
+  def token_is_current?(token, client)
+    # ghetto HashWithIndifferentAccess
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
+
+    return true if (
+      # ensure that expiry and token are set
+      expiry && token &&
+
+      # ensure that the token has not yet expired
+      DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
+
+      # ensure that the token is valid
+      DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+    )
+  end
+
+  # allow batch requests to use the previous token
+  def token_can_be_reused?(token, client)
+    # ghetto HashWithIndifferentAccess
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
+
+    return true if (
+      # ensure that the last token and its creation time exist
+      updated_at && last_token_hash &&
+
+      # ensure that previous token falls within the batch buffer throttle time of the last request
+      updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
+
+      # ensure that the token is valid
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
+    )
+  end
+
+  # update user's auth token (should happen on each request)
+  def create_new_auth_token(client = nil)
+    now = Time.zone.now
+
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
+      updated_at: now.to_s(:rfc822)
+    )
+
+    update_auth_header(token.token, token.client)
+  end
+
+  def build_auth_header(token, client = 'default')
+    # client may use expiry to prevent validation request if expired
+    # must be cast as string or headers will break
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
+
+    {
+      DeviseTokenAuth.headers_names[:"access-token"] => token,
+      DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
+      DeviseTokenAuth.headers_names[:"client"]       => client,
+      DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
+      DeviseTokenAuth.headers_names[:"uid"]          => uid
+    }
+  end
+
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
+    clean_old_tokens
+    save!
+
+    headers
+  end
+
+  def build_auth_url(base_url, args)
+    args[:uid]    = uid
+    args[:expiry] = tokens[args[:client_id]]['expiry']
+
+    DeviseTokenAuth::Url.generate(base_url, args)
+  end
+
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now.to_s(:rfc822)
+    update_auth_header(token, client)
+  end
+
+  def confirmed?
+    devise_modules.exclude?(:confirmable) || super
+  end
+
+  def token_validation_response
+    as_json(except: %i[tokens created_at updated_at])
+  end
+
+  protected
+
+  def destroy_expired_tokens
+    if tokens
+      tokens.delete_if do |cid, v|
+        expiry = v[:expiry] || v['expiry']
+        DateTime.strptime(expiry.to_s, '%s') < Time.zone.now
+      end
+    end
+  end
+
+  def should_remove_tokens_after_password_reset?
+    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
+      encrypted_password_changed? &&
+        DeviseTokenAuth.remove_tokens_after_password_reset
+    else
+      saved_change_to_attribute?(:encrypted_password) &&
+        DeviseTokenAuth.remove_tokens_after_password_reset
+    end
+  end
+
+  def remove_tokens_after_password_reset
+    return unless should_remove_tokens_after_password_reset?
+
+    if tokens.present? && tokens.many?
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
+    end
+  end
+
+  def max_client_tokens_exceeded?
+    tokens.length > DeviseTokenAuth.max_number_of_devices
+  end
+
+  def clean_old_tokens
+    if tokens.present? && max_client_tokens_exceeded?
+      # Using Enumerable#sort_by on a Hash will typecast it into an associative
+      #   Array (i.e. an Array of key-value Array pairs). However, since Hashes
+      #   have an internal order in Ruby 1.9+, the resulting sorted associative
+      #   Array can be converted back into a Hash, while maintaining the sorted
+      #   order.
+      self.tokens = tokens.sort_by { |_cid, v| v[:expiry] || v['expiry'] }.to_h
+
+      # Since the tokens are sorted by expiry, shift the oldest client token
+      #   off the Hash until it no longer exceeds the maximum number of clients
+      tokens.shift while max_client_tokens_exceeded?
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+  extend ActiveSupport::Concern
+
+  included do
+    validates :email, presence: true,if: :email_provider?
+    validates :email, :devise_token_auth_email => true, allow_nil: true, allow_blank: true, if: :email_provider?
+    validates_presence_of :uid, unless: :email_provider?
+
+    # only validate unique emails among email registration users
+    validates :email, uniqueness: { case_sensitive: false, scope: :provider }, on: :create, if: :email_provider?
+
+    # keep uid in sync with email
+    before_save :sync_uid
+    before_create :sync_uid
+  end
+
+  protected
+
+  def email_provider?
+    provider == 'email'
+  end
+
+  def sync_uid
+    self.uid = email if email_provider?
+  end
+end

data/app/validators/devise_token_auth_email_validator.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class DeviseTokenAuthEmailValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i
+      record.errors[attribute] << email_invalid_message
+    end
+  end
+
+  private
+
+  def email_invalid_message
+    # Try strictly set message:
+    message = options[:message]
+
+    if message.nil?
+      # Try DeviceTokenAuth translations or fallback to ActiveModel translations
+      message = I18n.t(:'errors.messages.not_email', default: :'errors.messages.invalid')
+    end
+
+    message
+  end
+end

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -0,0 +1,5 @@
+<p><%= t(:welcome).capitalize + ' ' + @email %>!</p>
+
+<p><%= t '.confirm_link_msg' %> </p>
+
+<p><%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %></p>

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -0,0 +1,8 @@
+<p><%= t(:hello).capitalize %> <%= @resource.email %>!</p>
+
+<p><%= t '.request_reset_link_msg' %></p>
+
+<p><%= link_to t('.password_change_link'), edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %></p>
+
+<p><%= t '.ignore_mail_msg' %></p>
+<p><%= t '.no_changes_msg' %></p>

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p><%= t :hello %> <%= @resource.email %>!</p>
+
+<p><%= t '.account_lock_msg' %></p>
+
+<p><%= t '.unlock_link_msg' %></p>
+
+<p><%= link_to t('.unlock_link'), unlock_url(@resource, unlock_token: @token, config: message['client-config'].to_s) %></p>