devise_token_auth_skycocker_fork 1.0.0

data/lib/devise_token_auth.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'devise'
+
+module DeviseTokenAuth
+end
+
+require 'devise_token_auth/engine'
+require 'devise_token_auth/controllers/helpers'
+require 'devise_token_auth/controllers/url_helpers'
+require 'devise_token_auth/url'
+require 'devise_token_auth/errors'
+require 'devise_token_auth/blacklist'

data/lib/devise_token_auth/blacklist.rb

@@ -0,0 +1,2 @@
+# don't serialize tokens
+Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens

data/lib/devise_token_auth/controllers/helpers.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Define authentication filters and accessor helpers for a group of mappings.
+        # These methods are useful when you are working with multiple mappings that
+        # share some functionality. They are pretty much the same as the ones
+        # defined for normal mappings.
+        #
+        # Example:
+        #
+        #   inside BlogsController (or any other controller, it doesn't matter which):
+        #     devise_group :blogger, contains: [:user, :admin]
+        #
+        #   Generated methods:
+        #     authenticate_blogger!             # Redirects unless user or admin are signed in
+        #     blogger_signed_in?                # Checks whether there is either a user or an admin signed in
+        #     current_blogger                   # Currently signed in user or admin
+        #     current_bloggers                  # Currently signed in user and admin
+        #     render_authenticate_error         # Render error unless user or admin are signed in
+        #
+        #   Use:
+        #     before_action :authenticate_blogger!              # Redirects unless either a user or an admin are authenticated
+        #     before_action ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
+        #     current_blogger :user                             # Preferably returns a User if one is signed in
+        #
+        def devise_token_auth_group(group_name, opts = {})
+          mappings = "[#{opts[:contains].map { |m| ":#{m}" }.join(',')}]"
+
+          class_eval <<-METHODS, __FILE__, __LINE__ + 1
+            def authenticate_#{group_name}!(favourite=nil, opts={})
+              unless #{group_name}_signed_in?
+                mappings = #{mappings}
+                mappings.unshift mappings.delete(favourite.to_sym) if favourite
+                mappings.each do |mapping|
+                  set_user_by_token(mapping)
+                end
+
+                unless current_#{group_name}
+                  render_authenticate_error
+                end
+              end
+            end
+
+            def #{group_name}_signed_in?
+              #{mappings}.any? do |mapping|
+                set_user_by_token(mapping)
+              end
+            end
+
+            def current_#{group_name}(favourite=nil)
+              mappings = #{mappings}
+              mappings.unshift mappings.delete(favourite.to_sym) if favourite
+              mappings.each do |mapping|
+                current = set_user_by_token(mapping)
+                return current if current
+              end
+              nil
+            end
+
+            def current_#{group_name.to_s.pluralize}
+              #{mappings}.map do |mapping|
+                set_user_by_token(mapping)
+              end.compact
+            end
+
+            def render_authenticate_error
+              return render json: {
+                errors: [I18n.t('devise.failure.unauthenticated')]
+              }, status: 401
+            end
+
+            if respond_to?(:helper_method)
+              helper_method(
+                "current_#{group_name}",
+                "current_#{group_name.to_s.pluralize}",
+                "#{group_name}_signed_in?",
+                "render_authenticate_error"
+              )
+            end
+          METHODS
+        end
+
+        def log_process_action(payload)
+          payload[:status] ||= 401 unless payload[:exception]
+          super
+        end
+      end
+
+      # Define authentication filters and accessor helpers based on mappings.
+      # These filters should be used inside the controllers as before_actions,
+      # so you can control the scope of the user who should be signed in to
+      # access that specific controller/action.
+      # Example:
+      #
+      #   Roles:
+      #     User
+      #     Admin
+      #
+      #   Generated methods:
+      #     authenticate_user!                   # Signs user in or 401
+      #     authenticate_admin!                  # Signs admin in or 401
+      #     user_signed_in?                      # Checks whether there is a user signed in or not
+      #     admin_signed_in?                     # Checks whether there is an admin signed in or not
+      #     current_user                         # Current signed in user
+      #     current_admin                        # Current signed in admin
+      #     user_session                         # Session data available only to the user scope
+      #     admin_session                        # Session data available only to the admin scope
+      #     render_authenticate_error            # Render error unless user or admin is signed in
+      #
+      #   Use:
+      #     before_action :authenticate_user!  # Tell devise to use :user map
+      #     before_action :authenticate_admin! # Tell devise to use :admin map
+      #
+      def self.define_helpers(mapping) #:nodoc:
+        mapping = mapping.name
+
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def authenticate_#{mapping}!(opts={})
+            unless current_#{mapping}
+              render_authenticate_error
+            end
+          end
+
+          def #{mapping}_signed_in?
+            !!current_#{mapping}
+          end
+
+          def current_#{mapping}
+            @current_#{mapping} ||= set_user_by_token(:#{mapping})
+          end
+
+          def #{mapping}_session
+            current_#{mapping} && warden.session(:#{mapping})
+          end
+
+          def render_authenticate_error
+            return render json: {
+              errors: [I18n.t('devise.failure.unauthenticated')]
+            }, status: 401
+          end
+        METHODS
+
+        ActiveSupport.on_load(:action_controller) do
+          if respond_to?(:helper_method)
+            helper_method(
+              "current_#{mapping}",
+              "#{mapping}_signed_in?",
+              "#{mapping}_session",
+              'render_authenticate_error'
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise_token_auth/controllers/url_helpers.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  module Controllers
+    module UrlHelpers
+      def self.define_helpers(mapping)
+      end
+    end
+  end
+end

data/lib/devise_token_auth/engine.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'devise_token_auth/rails/routes'
+
+module DeviseTokenAuth
+  class Engine < ::Rails::Engine
+    isolate_namespace DeviseTokenAuth
+
+    initializer 'devise_token_auth.url_helpers' do
+      Devise.helpers << DeviseTokenAuth::Controllers::Helpers
+    end
+  end
+
+  mattr_accessor :change_headers_on_each_request,
+                 :max_number_of_devices,
+                 :token_lifespan,
+                 :batch_request_buffer_throttle,
+                 :omniauth_prefix,
+                 :default_confirm_success_url,
+                 :default_password_reset_url,
+                 :redirect_whitelist,
+                 :check_current_password_before_update,
+                 :enable_standard_devise_support,
+                 :remove_tokens_after_password_reset,
+                 :default_callbacks,
+                 :headers_names,
+                 :bypass_sign_in
+
+  self.change_headers_on_each_request       = true
+  self.max_number_of_devices                = 10
+  self.token_lifespan                       = 2.weeks
+  self.batch_request_buffer_throttle        = 5.seconds
+  self.omniauth_prefix                      = '/omniauth'
+  self.default_confirm_success_url          = nil
+  self.default_password_reset_url           = nil
+  self.redirect_whitelist                   = nil
+  self.check_current_password_before_update = false
+  self.enable_standard_devise_support       = false
+  self.remove_tokens_after_password_reset   = false
+  self.default_callbacks                    = true
+  self.headers_names                        = { 'access-token': 'access-token',
+                                                'client': 'client',
+                                                'expiry': 'expiry',
+                                                'uid': 'uid',
+                                                'token-type': 'token-type' }
+  self.bypass_sign_in                       = true
+
+  def self.setup(&block)
+    yield self
+
+    Rails.application.config.after_initialize do
+      if defined?(::OmniAuth)
+        ::OmniAuth::config.path_prefix = Devise.omniauth_path_prefix = omniauth_prefix
+
+        # Omniauth currently does not pass along omniauth.params upon failure redirect
+        # see also: https://github.com/intridea/omniauth/issues/626
+        OmniAuth::FailureEndpoint.class_eval do
+          def redirect_to_failure
+            message_key = env['omniauth.error.type']
+            origin_query_param = env['omniauth.origin'] ? "&origin=#{CGI.escape(env['omniauth.origin'])}" : ''
+            strategy_name_query_param = env['omniauth.error.strategy'] ? "&strategy=#{env['omniauth.error.strategy'].name}" : ''
+            extra_params = env['omniauth.params'] ? "&#{env['omniauth.params'].to_query}" : ''
+            new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}#{extra_params}"
+            Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
+          end
+        end
+
+        # Omniauth currently removes omniauth.params during mocked requests
+        # see also: https://github.com/intridea/omniauth/pull/812
+        OmniAuth::Strategy.class_eval do
+          def mock_callback_call
+            setup_phase
+            @env['omniauth.origin'] = session.delete('omniauth.origin')
+            @env['omniauth.origin'] = nil if env['omniauth.origin'] == ''
+            @env['omniauth.params'] = session.delete('omniauth.params') || {}
+            mocked_auth = OmniAuth.mock_auth_for(name.to_s)
+            if mocked_auth.is_a?(Symbol)
+              fail!(mocked_auth)
+            else
+              @env['omniauth.auth'] = mocked_auth
+              OmniAuth.config.before_callback_phase.call(@env) if OmniAuth.config.before_callback_phase
+              call_app!
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/devise_token_auth/errors.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  module Errors
+    class NoResourceDefinedError < StandardError; end
+    class InvalidModel < StandardError; end
+  end
+end

data/lib/devise_token_auth/rails/routes.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+module ActionDispatch::Routing
+  class Mapper
+    def mount_devise_token_auth_for(resource, opts)
+      # ensure objects exist to simplify attr checks
+      opts[:controllers] ||= {}
+      opts[:skip]        ||= []
+
+      # check for ctrl overrides, fall back to defaults
+      sessions_ctrl          = opts[:controllers][:sessions] || 'devise_token_auth/sessions'
+      registrations_ctrl     = opts[:controllers][:registrations] || 'devise_token_auth/registrations'
+      passwords_ctrl         = opts[:controllers][:passwords] || 'devise_token_auth/passwords'
+      confirmations_ctrl     = opts[:controllers][:confirmations] || 'devise_token_auth/confirmations'
+      token_validations_ctrl = opts[:controllers][:token_validations] || 'devise_token_auth/token_validations'
+      omniauth_ctrl          = opts[:controllers][:omniauth_callbacks] || 'devise_token_auth/omniauth_callbacks'
+      unlocks_ctrl           = opts[:controllers][:unlocks] || 'devise_token_auth/unlocks'
+
+      # define devise controller mappings
+      controllers = { sessions: sessions_ctrl,
+                      registrations: registrations_ctrl,
+                      passwords: passwords_ctrl,
+                      confirmations: confirmations_ctrl }
+
+      controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl
+
+      # remove any unwanted devise modules
+      opts[:skip].each{ |item| controllers.delete(item) }
+
+      devise_for resource.pluralize.underscore.gsub('/', '_').to_sym,
+                 class_name: resource,
+                 module: :devise,
+                 path: opts[:at].to_s,
+                 controllers: controllers,
+                 skip: opts[:skip] + [:omniauth_callbacks]
+
+      unnest_namespace do
+        # get full url path as if it were namespaced
+        full_path = "#{@scope[:path]}/#{opts[:at]}"
+
+        # get namespace name
+        namespace_name = @scope[:as]
+
+        # clear scope so controller routes aren't namespaced
+        @scope = ActionDispatch::Routing::Mapper::Scope.new(
+          path:         '',
+          shallow_path: '',
+          constraints:  {},
+          defaults:     {},
+          options:      {},
+          parent:       nil
+        )
+
+        mapping_name = resource.underscore.gsub('/', '_')
+        mapping_name = "#{namespace_name}_#{mapping_name}" if namespace_name
+
+        devise_scope mapping_name.to_sym do
+          # path to verify token validity
+          get "#{full_path}/validate_token", controller: token_validations_ctrl.to_s, action: 'validate_token'
+
+          # omniauth routes. only define if omniauth is installed and not skipped.
+          if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
+            match "#{full_path}/failure",             controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get]
+            match "#{full_path}/:provider/callback",  controller: omniauth_ctrl, action: 'omniauth_success', via: [:get]
+
+            match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: 'redirect_callbacks', via: [:get, :post]
+            match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: 'omniauth_failure', via: [:get, :post]
+
+            # preserve the resource class thru oauth authentication by setting name of
+            # resource as "resource_class" param
+            match "#{full_path}/:provider", to: redirect{ |params, request|
+              # get the current querystring
+              qs = CGI::parse(request.env['QUERY_STRING'])
+
+              # append name of current resource
+              qs['resource_class'] = [resource]
+              qs['namespace_name'] = [namespace_name] if namespace_name
+
+              set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix)
+
+              redirect_params = {}.tap { |hash| qs.each{ |k, v| hash[k] = v.first } }
+
+              if DeviseTokenAuth.redirect_whitelist
+                redirect_url = request.params['auth_origin_url']
+                unless DeviseTokenAuth::Url.whitelisted?(redirect_url)
+                  message = I18n.t(
+                    'devise_token_auth.registrations.redirect_url_not_allowed',
+                    redirect_url: redirect_url
+                  )
+                  redirect_params['message'] = message
+                  next "#{::OmniAuth.config.path_prefix}/failure?#{redirect_params.to_param}"
+                end
+              end
+
+              # re-construct the path for omniauth
+              "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}"
+            }, via: [:get]
+          end
+        end
+      end
+    end
+
+    # this allows us to use namespaced paths without namespacing the routes
+    def unnest_namespace
+      current_scope = @scope.dup
+      yield
+    ensure
+      @scope = current_scope
+    end
+
+    # ignore error about omniauth/multiple model support
+    def set_omniauth_path_prefix!(path_prefix)
+      ::OmniAuth.config.path_prefix = path_prefix
+    end
+  end
+end

data/lib/devise_token_auth/url.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Url
+
+  def self.generate(url, params = {})
+    uri = URI(url)
+
+    res = "#{uri.scheme}://#{uri.host}"
+    res += ":#{uri.port}" if (uri.port && uri.port != 80 && uri.port != 443)
+    res += uri.path.to_s if uri.path
+    query = [uri.query, params.to_query].reject(&:blank?).join('&')
+    res += "?#{query}"
+    res += "##{uri.fragment}" if uri.fragment
+
+    res
+  end
+
+  def self.whitelisted?(url)
+    url.nil? || \
+      !!DeviseTokenAuth.redirect_whitelist.find do |pattern|
+        !!Wildcat.new(pattern).match(url)
+      end
+  end
+
+  # wildcard convenience class
+  class Wildcat
+    def self.parse_to_regex(str)
+      escaped = Regexp.escape(str).gsub('\*','.*?')
+      Regexp.new("^#{escaped}$", Regexp::IGNORECASE)
+    end
+
+    def initialize(str)
+      @regex = self.class.parse_to_regex(str)
+    end
+
+    def match(str)
+      !!@regex.match(str)
+    end
+  end
+
+end