digix_devise_token_auth 0.1.44

data/Rakefile

@@ -0,0 +1,35 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseTokenAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+  t.warning = false
+end
+
+
+task default: :test

data/app/controllers/devise_token_auth/application_controller.rb

@@ -0,0 +1,76 @@
+module DeviseTokenAuth
+  class ApplicationController < DeviseController
+    include DeviseTokenAuth::Concerns::SetUserByToken
+    include DeviseTokenAuth::Concerns::ResourceFinder
+
+    def resource_data(opts={})
+      response_data = opts[:resource_json] || @resource.as_json
+      if json_api?
+        response_data['type'] = @resource.class.name.parameterize
+      end
+      response_data
+    end
+
+    def resource_errors
+      return @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+    end
+
+    protected
+
+    def build_redirect_headers(access_token, client, redirect_header_options = {})
+      {
+        DeviseTokenAuth.headers_names[:"access-token"] => access_token,
+        DeviseTokenAuth.headers_names[:"client"] => client,
+        :config => params[:config],
+
+        # Legacy parameters which may be removed in a future release.
+        # Consider using "client" and "access-token" in client code.
+        # See: github.com/lynndylanhurley/devise_token_auth/issues/993
+        :client_id => client,
+        :token => access_token
+      }.merge(redirect_header_options)
+    end
+
+    def params_for_resource(resource)
+      devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
+        params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?
+      end
+      devise_parameter_sanitizer.instance_values['permitted'][resource]
+    end
+
+    def resource_class(m=nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
+
+    def json_api?
+      return false unless defined?(ActiveModel::Serializer)
+      return ActiveModel::Serializer.setup do |config|
+        config.adapter == :json_api
+      end if ActiveModel::Serializer.respond_to?(:setup)
+      return ActiveModelSerializers.config.adapter == :json_api
+    end
+
+    def recoverable_enabled?
+      resource_class.devise_modules.include?(:recoverable)
+    end
+
+    def confirmable_enabled?
+      resource_class.devise_modules.include?(:confirmable)
+    end
+
+    def render_error(status, message, data = nil)
+      response = {
+        success: false,
+        errors: [message]
+      }
+      response = response.merge(data) if data
+      render json: response, status: status
+    end
+  end
+end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -0,0 +1,43 @@
+module DeviseTokenAuth::Concerns::ResourceFinder
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Controllers::Helpers
+
+  def get_case_insensitive_field_from_resource_params(field)
+    # honor Devise configuration for case_insensitive keys
+    q_value = resource_params[field.to_sym]
+
+    if resource_class.case_insensitive_keys.include?(field.to_sym)
+      q_value.downcase!
+    end
+
+    if resource_class.strip_whitespace_keys.include?(field.to_sym)
+      q_value.strip!
+    end
+
+    q_value
+  end
+
+  def find_resource(field, value)
+    # fix for mysql default case insensitivity
+    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
+    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+      q = "BINARY " + q
+    end
+
+    @resource = resource_class.where(q, value).first
+  end
+
+  def resource_class(m=nil)
+    if m
+      mapping = Devise.mappings[m]
+    else
+      mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+    end
+
+    mapping.to
+  end
+
+  def provider
+    'email'
+  end
+end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -0,0 +1,165 @@
+module DeviseTokenAuth::Concerns::SetUserByToken
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Concerns::ResourceFinder
+
+  included do
+    before_action :set_request_start
+    after_action :update_auth_header
+  end
+
+  protected
+
+  # keep track of request duration
+  def set_request_start
+    @request_started_at = Time.now
+    @used_auth_by_token = true
+
+    # initialize instance variables
+    @client_id = nil
+    @resource = nil
+    @token = nil
+    @is_batch_request = nil
+  end
+
+  def ensure_pristine_resource
+    if @resource.changed?
+      # Stash pending changes in the resource before reloading.
+      changes = @resource.changes
+      @resource.reload
+    end
+    yield
+  ensure
+    # Reapply pending changes
+    @resource.assign_attributes(changes) if changes
+  end
+
+  # user auth
+  def set_user_by_token(mapping=nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
+    # no default user defined
+    return unless rc
+
+    # gets the headers names, which was set in the initialize file
+    uid_name = DeviseTokenAuth.headers_names[:'uid']
+    access_token_name = DeviseTokenAuth.headers_names[:'access-token']
+    client_name = DeviseTokenAuth.headers_names[:'client']
+
+    # parse header for values necessary for authentication
+    uid        = request.headers[uid_name] || params[uid_name]
+    @token     ||= request.headers[access_token_name] || params[access_token_name]
+    @client_id ||= request.headers[client_name] || params[client_name]
+
+    # client_id isn't required, set to 'default' if absent
+    @client_id ||= 'default'
+
+    # check for an existing user, authenticated via warden/devise, if enabled
+    if DeviseTokenAuth.enable_standard_devise_support
+      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+        @used_auth_by_token = false
+        @resource = devise_warden_user
+        @resource.create_new_auth_token
+      end
+    end
+
+    # user has already been found and authenticated
+    return @resource if @resource && @resource.is_a?(rc)
+
+    # ensure we clear the client_id
+    if !@token
+      @client_id = nil
+      return
+    end
+
+    return false unless @token
+
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.find_by(uid: uid)
+
+    if user && user.valid_token?(@token, @client_id)
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if self.respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
+        bypass_sign_in(user, scope: :user)
+      else
+        sign_in(:user, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
+      end
+      return @resource = user
+    else
+      # zero all values previously set values
+      @client_id = nil
+      return @resource = nil
+    end
+  end
+
+  def update_auth_header
+    # cannot save object if model has invalid params
+    return unless defined?(@resource) && @resource && @resource.valid? && @client_id
+
+    # Generate new client_id with existing authentication
+    @client_id = nil unless @used_auth_by_token
+
+    if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @resource.reload.tokens[@client_id].nil?
+
+      auth_header = @resource.build_auth_header(@token, @client_id)
+
+      # update the response header
+      response.headers.merge!(auth_header)
+
+    else
+
+      ensure_pristine_resource do
+        # Lock the user record during any auth_header updates to ensure
+        # we don't have write contention from multiple threads
+        @resource.with_lock do
+          # should not append auth header if @resource related token was
+          # cleared by sign out in the meantime
+          return if @used_auth_by_token && @resource.tokens[@client_id].nil?
+
+          # determine batch request status after request processing, in case
+          # another processes has updated it during that processing
+          @is_batch_request = is_batch_request?(@resource, @client_id)
+
+          auth_header = {}
+
+          # extend expiration of batch buffer to account for the duration of
+          # this request
+          if @is_batch_request
+            auth_header = @resource.extend_batch_buffer(@token, @client_id)
+
+            # Do not return token for batch requests to avoid invalidated
+            # tokens returned to the client in case of race conditions.
+            # Use a blank string for the header to still be present and
+            # being passed in a XHR response in case of
+            # 304 Not Modified responses.
+            auth_header[DeviseTokenAuth.headers_names[:"access-token"]] = ' '
+            auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
+
+          # update Authorization response header with new token
+          else
+            auth_header = @resource.create_new_auth_token(@client_id)
+          end
+
+          # update the response header
+          response.headers.merge!(auth_header)
+
+        end # end lock
+      end # end ensure_pristine_resource
+    end
+
+  end
+
+  private
+
+
+  def is_batch_request?(user, client_id)
+    !params[:unbatch] &&
+    user.tokens[client_id] &&
+    user.tokens[client_id]['updated_at'] &&
+    Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+  end
+end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -0,0 +1,30 @@
+module DeviseTokenAuth
+  class ConfirmationsController < DeviseTokenAuth::ApplicationController
+    def show
+      @resource = resource_class.confirm_by_token(params[:confirmation_token])
+
+      if @resource && @resource.id
+        expiry = nil
+        if defined?(@resource.sign_in_count) && @resource.sign_in_count > 0
+          expiry = (Time.now + 1.second).to_i
+        end
+
+        client_id, token = @resource.create_token expiry: expiry
+
+        sign_in(@resource)
+        @resource.save!
+
+        yield @resource if block_given?
+
+        redirect_header_options = {account_confirmation_success: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(params[:redirect_url],
+                                             redirect_headers))
+      else
+        raise ActionController::RoutingError.new('Not Found')
+      end
+    end
+  end
+end

data/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,243 @@
+module DeviseTokenAuth
+  class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController
+
+    attr_reader :auth_params
+    skip_before_action :set_user_by_token, raise: false
+    skip_after_action :update_auth_header
+
+    # intermediary route for successful omniauth authentication. omniauth does
+    # not support multiple models, so we must resort to this terrible hack.
+    def redirect_callbacks
+
+      # derive target redirect route from 'resource_class' param, which was set
+      # before authentication.
+      devise_mapping = [request.env['omniauth.params']['namespace_name'],
+                        request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_')
+      path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback"
+      klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP
+      redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s
+
+      # preserve omniauth info for success route. ignore 'extra' in twitter
+      # auth response to avoid CookieOverflow.
+      session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra')
+      session['dta.omniauth.params'] = request.env['omniauth.params']
+
+      redirect_to redirect_route
+    end
+
+    def omniauth_success
+      get_resource_from_auth_hash
+      set_token_on_resource
+      create_auth_params
+
+      if confirmable_enabled?
+        # don't send confirmation email!!!
+        @resource.skip_confirmation!
+      end
+
+      sign_in(:user, @resource, store: false, bypass: false)
+
+      @resource.save!
+
+      yield @resource if block_given?
+
+      render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json)
+    end
+
+    def omniauth_failure
+      @error = params[:message]
+      render_data_or_redirect('authFailure', {error: @error})
+    end
+
+    protected
+
+    # this will be determined differently depending on the action that calls
+    # it. redirect_callbacks is called upon returning from successful omniauth
+    # authentication, and the target params live in an omniauth-specific
+    # request.env variable. this variable is then persisted thru the redirect
+    # using our own dta.omniauth.params session var. the omniauth_success
+    # method will access that session var and then destroy it immediately
+    # after use.  In the failure case, finally, the omniauth params
+    # are added as query params in our monkey patch to OmniAuth in engine.rb
+    def omniauth_params
+      if !defined?(@_omniauth_params)
+        if request.env['omniauth.params'] && request.env['omniauth.params'].any?
+          @_omniauth_params = request.env['omniauth.params']
+        elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any?
+          @_omniauth_params ||= session.delete('dta.omniauth.params')
+          @_omniauth_params
+        elsif params['omniauth_window_type']
+          @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin')
+        else
+          @_omniauth_params = {}
+        end
+      end
+      @_omniauth_params
+
+    end
+
+    # break out provider attribute assignment for easy method extension
+    def assign_provider_attrs(user, auth_hash)
+      attrs = auth_hash['info'].slice(*user.attributes.keys)
+      user.assign_attributes(attrs)
+    end
+
+    # derive allowed params from the standard devise parameter sanitizer
+    def whitelisted_params
+      whitelist = params_for_resource(:sign_up)
+
+      whitelist.inject({}){|coll, key|
+        param = omniauth_params[key.to_s]
+        if param
+          coll[key] = param
+        end
+        coll
+      }
+    end
+
+    def resource_class(mapping = nil)
+      if omniauth_params['resource_class']
+        omniauth_params['resource_class'].constantize
+      elsif params['resource_class']
+        params['resource_class'].constantize
+      else
+        raise "No resource_class found"
+      end
+    end
+
+    def resource_name
+      resource_class
+    end
+
+    def omniauth_window_type
+      omniauth_params['omniauth_window_type']
+    end
+
+    def auth_origin_url
+      omniauth_params['auth_origin_url'] || omniauth_params['origin']
+    end
+
+    # in the success case, omniauth_window_type is in the omniauth_params.
+    # in the failure case, it is in a query param.  See monkey patch above
+    def omniauth_window_type
+      omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type']
+    end
+
+    # this sesison value is set by the redirect_callbacks method. its purpose
+    # is to persist the omniauth auth hash value thru a redirect. the value
+    # must be destroyed immediatly after it is accessed by omniauth_success
+    def auth_hash
+      @_auth_hash ||= session.delete('dta.omniauth.auth')
+      @_auth_hash
+    end
+
+    # ensure that this controller responds to :devise_controller? conditionals.
+    # this is used primarily for access to the parameter sanitizers.
+    def assert_is_devise_resource!
+      true
+    end
+
+    # necessary for access to devise_parameter_sanitizers
+    def devise_mapping
+      if omniauth_params
+        Devise.mappings[[omniauth_params['namespace_name'],
+                         omniauth_params['resource_class'].underscore].compact.join('_').to_sym]
+      else
+        request.env['devise.mapping']
+      end
+    end
+
+    def set_random_password
+      # set crazy password for new oauth users. this is only used to prevent
+        # access via email sign-in.
+        p = SecureRandom.urlsafe_base64(nil, false)
+        @resource.password = p
+        @resource.password_confirmation = p
+    end
+
+    def create_auth_params
+      @auth_params = {
+        auth_token:     @token,
+        client_id: @client_id,
+        uid:       @resource.uid,
+        expiry:    @expiry,
+        config:    @config
+      }
+      @auth_params.merge!(oauth_registration: true) if @oauth_registration
+      @auth_params
+    end
+
+    def set_token_on_resource
+      @config = omniauth_params['config_name']
+      @client_id, @token, @expiry = @resource.create_token
+    end
+
+    def render_data(message, data)
+      @data = data.merge({
+        message: message
+      })
+      render :layout => nil, :template => "devise_token_auth/omniauth_external_window"
+    end
+
+    def render_data_or_redirect(message, data, user_data = {})
+
+      # We handle inAppBrowser and newWindow the same, but it is nice
+      # to support values in case people need custom implementations for each case
+      # (For example, nbrustein does not allow new users to be created if logging in with
+      # an inAppBrowser)
+      #
+      # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand
+      # why we can handle these both the same.  The view is setup to handle both cases
+      # at the same time.
+      if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type)
+        render_data(message, user_data.merge(data))
+
+      elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url
+
+        # build and redirect to destination url
+        redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
+      else
+
+        # there SHOULD always be an auth_origin_url, but if someone does something silly
+        # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
+        # In that case, just render in plain text the error message if there is one or otherwise
+        # a generic message.
+        fallback_render data[:error] || 'An error occurred'
+      end
+    end
+
+    def fallback_render(text)
+        render inline: %Q|
+
+            <html>
+                    <head></head>
+                    <body>
+                            #{text}
+                    </body>
+            </html>|
+    end
+
+    def get_resource_from_auth_hash
+      # find or create user by provider and provider uid
+      @resource = resource_class.where({
+        uid:      auth_hash['uid'],
+        provider: auth_hash['provider']
+      }).first_or_initialize
+
+      if @resource.new_record?
+        @oauth_registration = true
+        set_random_password
+      end
+
+      # sync user info with provider, update/generate auth token
+      assign_provider_attrs(@resource, auth_hash)
+
+      # assign any additional (whitelisted) attributes
+      extra_params = whitelisted_params
+      @resource.assign_attributes(extra_params) if extra_params
+
+      @resource
+    end
+
+  end
+end