RubyGems - digix_devise_token_auth - Versions diffs - 0.1.44 - Mend

digix_devise_token_auth 0.1.44

Files changed (149) hide show

data/app/controllers/devise_token_auth/passwords_controller.rb ADDED

@@ -0,0 +1,202 @@
+module DeviseTokenAuth
+  class PasswordsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, :only => [:update]
+    skip_after_action :update_auth_header, :only => [:create, :edit]
+    # this action is responsible for generating password reset tokens and
+    # sending emails
+    def create
+      unless resource_params[:email]
+        return render_create_error_missing_email
+      end
+      # give redirect value from params priority
+      @redirect_url = params[:redirect_url]
+      # fall back to default value if provided
+      @redirect_url ||= DeviseTokenAuth.default_password_reset_url
+      unless @redirect_url
+        return render_create_error_missing_redirect_url
+      end
+      # if whitelist is set, validate redirect_url against whitelist
+      if DeviseTokenAuth.redirect_whitelist
+        unless DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+          return render_create_error_not_allowed_redirect_url
+        end
+      end
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:uid, @email)
+      if @resource
+        yield @resource if block_given?
+        @resource.send_reset_password_instructions({
+          email: @email,
+          provider: 'email',
+          redirect_url: @redirect_url,
+          client_config: params[:config_name]
+        })
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+    # this is where users arrive after visiting the password reset confirmation link
+    def edit
+      # if a user is not found, return nil
+      @resource = with_reset_password_token(resource_params[:reset_password_token])
+      if @resource && @resource.reset_password_period_valid?
+        client_id, token = @resource.create_token
+        # ensure that user is confirmed
+        @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
+        # allow user to change password once without current_password
+        @resource.allow_password_change = true if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        redirect_header_options = {reset_password: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(params[:redirect_url],
+                                             redirect_headers))
+      else
+        render_edit_error
+      end
+    end
+    def update
+      # make sure user is authorized
+      unless @resource
+        return render_update_error_unauthorized
+      end
+      # make sure account doesn't use oauth2 provider
+      unless @resource.provider == 'email'
+        return render_update_error_password_not_required
+      end
+      # ensure that password params were sent
+      unless password_resource_params[:password] && password_resource_params[:password_confirmation]
+        return render_update_error_missing_password
+      end
+      if @resource.send(resource_update_method, password_resource_params)
+        @resource.allow_password_change = false if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        return render_update_success
+      else
+        return render_update_error
+      end
+    end
+    protected
+    def resource_update_method
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
+        "update_attributes"
+      else
+        "update_with_password"
+      end
+    end
+    def render_create_error_missing_email
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_email"))
+    end
+    def render_create_error_missing_redirect_url
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_redirect_url"))
+    end
+    def render_create_error_not_allowed_redirect_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t("devise_token_auth.passwords.sended", email: @email)
+      }
+    end
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors,
+      }, status: 400
+    end
+    def render_edit_error
+      raise ActionController::RoutingError.new('Not Found')
+    end
+    def render_update_error_unauthorized
+      render_error(401, 'Unauthorized')
+    end
+    def render_update_error_password_not_required
+      render_error(422, I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize))
+    end
+    def render_update_error_missing_password
+      render_error(422, I18n.t("devise_token_auth.passwords.missing_passwords"))
+    end
+    def render_update_success
+      render json: {
+        success: true,
+        data: resource_data,
+        message: I18n.t("devise_token_auth.passwords.successfully_updated")
+      }
+    end
+    def render_update_error
+      return render json: {
+        success: false,
+        errors: resource_errors
+      }, status: 422
+    end
+    private
+    def resource_params
+      params.permit(:email, :reset_password_token)
+    end
+    def password_resource_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    def with_reset_password_token token
+      recoverable = resource_class.with_reset_password_token(token)
+      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
+      recoverable
+    end
+    def render_not_found_error
+      render_error(404, I18n.t("devise_token_auth.passwords.user_not_found", email: @email))
+    end
+  end
+end

data/app/controllers/devise_token_auth/registrations_controller.rb ADDED

@@ -0,0 +1,205 @@
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
+    def create
+      @resource            = resource_class.new(sign_up_params.except(:confirm_success_url))
+      @resource.provider   = provider
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].try :downcase
+      else
+        @resource.email = sign_up_params[:email]
+      end
+      # give redirect value from params priority
+      @redirect_url = sign_up_params[:confirm_success_url]
+      # fall back to default value if provided
+      @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
+      # success redirect url is required
+      if confirmable_enabled? && !@redirect_url
+        return render_create_error_missing_confirm_success_url
+      end
+      # if whitelist is set, validate redirect_url against whitelist
+      if DeviseTokenAuth.redirect_whitelist
+        unless DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+          return render_create_error_redirect_url_not_allowed
+        end
+      end
+      begin
+        # override email confirmation, must be sent manually from ctrl
+        resource_class.set_callback("create", :after, :send_on_create_confirmation_instructions)
+        resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+        if @resource.respond_to? :skip_confirmation_notification!
+          # Fix duplicate e-mails by disabling Devise confirmation e-mail
+          @resource.skip_confirmation_notification!
+        end
+        if @resource.save
+          yield @resource if block_given?
+          unless @resource.confirmed?
+            # user will require email authentication
+            @resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: @redirect_url
+            })
+          else
+            # email auth has been bypassed, authenticate user
+            @client_id, @token = @resource.create_token
+            @resource.save!
+            update_auth_header
+          end
+          render_create_success
+        else
+          clean_up_passwords @resource
+          render_create_error
+        end
+      rescue ActiveRecord::RecordNotUnique
+        clean_up_passwords @resource
+        render_create_error_email_already_exists
+      end
+    end
+    def update
+      if @resource
+        if @resource.send(resource_update_method, account_update_params)
+          yield @resource if block_given?
+          render_update_success
+        else
+          render_update_error
+        end
+      else
+        render_update_error_user_not_found
+      end
+    end
+    def destroy
+      if @resource
+        @resource.destroy
+        yield @resource if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    def sign_up_params
+      params.permit([*params_for_resource(:sign_up), :confirm_success_url])
+    end
+    def account_update_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    protected
+    def render_create_error_missing_confirm_success_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
+    end
+    def render_create_error_redirect_url_not_allowed
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_create_error
+      render json: {
+        status: 'error',
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_create_error_email_already_exists
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
+      render_error(422, message, response)
+    end
+    def render_update_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_update_error
+      render json: {
+        status: 'error',
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_update_error_user_not_found
+      render_error(404, I18n.t('devise_token_auth.registrations.user_not_found'), { status: 'error' })
+    end
+    def render_destroy_success
+      render json: {
+        status: 'success',
+        message: I18n.t('devise_token_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
+      }
+    end
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.registrations.account_to_destroy_not_found'), { status: 'error' })
+    end
+    private
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        'update_with_password'
+      elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.has_key?(:password)
+        'update_with_password'
+      elsif account_update_params.has_key?(:current_password)
+        'update_with_password'
+      else
+        'update_attributes'
+      end
+    end
+    def validate_sign_up_params
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
+    end
+    def validate_account_update_params
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+    end
+    def validate_post_data which, message
+      render_error(:unprocessable_entity, message, { status: 'error' }) if which.empty?
+    end
+  end
+end

data/app/controllers/devise_token_auth/sessions_controller.rb ADDED

@@ -0,0 +1,133 @@
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, :only => [:destroy]
+    after_action :reset_session, :only => [:destroy]
+    def new
+      render_new_error
+    end
+    def create
+      # Check
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+        @resource = find_resource(field, q_value)
+      end
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+         return render_create_error_bad_credentials
+        end
+        @client_id, @token = @resource.create_token
+        @resource.save
+        sign_in(:user, @resource, store: false, bypass: false)
+        yield @resource if block_given?
+        render_create_success
+      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
+      else
+        render_create_error_bad_credentials
+      end
+    end
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client_id = remove_instance_variable(:@client_id) if @client_id
+      remove_instance_variable(:@token) if @token
+      if user && client_id && user.tokens[client_id]
+        user.tokens.delete(client_id)
+        user.save!
+        yield user if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    protected
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+      return {
+        key: auth_key,
+        val: auth_val
+      }
+    end
+    def render_new_error
+      render_error(405, I18n.t("devise_token_auth.sessions.not_supported"))
+    end
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email))
+    end
+    def render_create_error_account_locked
+      render_error(401, I18n.t("devise.mailer.unlock_instructions.account_lock_msg"))
+    end
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t("devise_token_auth.sessions.bad_credentials"))
+    end
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+    def render_destroy_error
+      render_error(404, I18n.t("devise_token_auth.sessions.user_not_found"))
+    end
+    private
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+  end
+end