RubyGems - digix_devise_token_auth - Versions diffs - 0.1.44 - Mend

digix_devise_token_auth 0.1.44

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (149) hide show

data/app/controllers/devise_token_auth/passwords_controller.rb ADDED

@@ -0,0 +1,202 @@
+module DeviseTokenAuth
+  class PasswordsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, :only => [:update]
+    skip_after_action :update_auth_header, :only => [:create, :edit]
+    # this action is responsible for generating password reset tokens and
+    # sending emails
+    def create
+      unless resource_params[:email]
+        return render_create_error_missing_email
+      end
+      # give redirect value from params priority
+      @redirect_url = params[:redirect_url]
+      # fall back to default value if provided
+      @redirect_url ||= DeviseTokenAuth.default_password_reset_url
+      unless @redirect_url
+        return render_create_error_missing_redirect_url
+      end
+      # if whitelist is set, validate redirect_url against whitelist
+      if DeviseTokenAuth.redirect_whitelist
+        unless DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+          return render_create_error_not_allowed_redirect_url
+        end
+      end
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:uid, @email)
+      if @resource
+        yield @resource if block_given?
+        @resource.send_reset_password_instructions({
+          email: @email,
+          provider: 'email',
+          redirect_url: @redirect_url,
+          client_config: params[:config_name]
+        })
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+    # this is where users arrive after visiting the password reset confirmation link
+    def edit
+      # if a user is not found, return nil
+      @resource = with_reset_password_token(resource_params[:reset_password_token])
+      if @resource && @resource.reset_password_period_valid?
+        client_id, token = @resource.create_token
+        # ensure that user is confirmed
+        @resource.skip_confirmation! if confirmable_enabled? && !@resource.confirmed_at
+        # allow user to change password once without current_password
+        @resource.allow_password_change = true if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        redirect_header_options = {reset_password: true}
+        redirect_headers = build_redirect_headers(token,
+                                                  client_id,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(params[:redirect_url],
+                                             redirect_headers))
+      else
+        render_edit_error
+      end
+    end
+    def update
+      # make sure user is authorized
+      unless @resource
+        return render_update_error_unauthorized
+      end
+      # make sure account doesn't use oauth2 provider
+      unless @resource.provider == 'email'
+        return render_update_error_password_not_required
+      end
+      # ensure that password params were sent
+      unless password_resource_params[:password] && password_resource_params[:password_confirmation]
+        return render_update_error_missing_password
+      end
+      if @resource.send(resource_update_method, password_resource_params)
+        @resource.allow_password_change = false if recoverable_enabled?
+        @resource.save!
+        yield @resource if block_given?
+        return render_update_success
+      else
+        return render_update_error
+      end
+    end
+    protected
+    def resource_update_method
+      allow_password_change = recoverable_enabled? && @resource.allow_password_change == true
+      if DeviseTokenAuth.check_current_password_before_update == false || allow_password_change
+        "update_attributes"
+      else
+        "update_with_password"
+      end
+    end
+    def render_create_error_missing_email
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_email"))
+    end
+    def render_create_error_missing_redirect_url
+      render_error(401, I18n.t("devise_token_auth.passwords.missing_redirect_url"))
+    end
+    def render_create_error_not_allowed_redirect_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t("devise_token_auth.passwords.sended", email: @email)
+      }
+    end
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors,
+      }, status: 400
+    end
+    def render_edit_error
+      raise ActionController::RoutingError.new('Not Found')
+    end
+    def render_update_error_unauthorized
+      render_error(401, 'Unauthorized')
+    end
+    def render_update_error_password_not_required
+      render_error(422, I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize))
+    end
+    def render_update_error_missing_password
+      render_error(422, I18n.t("devise_token_auth.passwords.missing_passwords"))
+    end
+    def render_update_success
+      render json: {
+        success: true,
+        data: resource_data,
+        message: I18n.t("devise_token_auth.passwords.successfully_updated")
+      }
+    end
+    def render_update_error
+      return render json: {
+        success: false,
+        errors: resource_errors
+      }, status: 422
+    end
+    private
+    def resource_params
+      params.permit(:email, :reset_password_token)
+    end
+    def password_resource_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    def with_reset_password_token token
+      recoverable = resource_class.with_reset_password_token(token)
+      recoverable.reset_password_token = token if recoverable && recoverable.reset_password_token.present?
+      recoverable
+    end
+    def render_not_found_error
+      render_error(404, I18n.t("devise_token_auth.passwords.user_not_found", email: @email))
+    end
+  end
+end

data/app/controllers/devise_token_auth/registrations_controller.rb ADDED

@@ -0,0 +1,205 @@
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, only: [:destroy, :update]
+    before_action :validate_sign_up_params, only: :create
+    before_action :validate_account_update_params, only: :update
+    skip_after_action :update_auth_header, only: [:create, :destroy]
+    def create
+      @resource            = resource_class.new(sign_up_params.except(:confirm_success_url))
+      @resource.provider   = provider
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(:email)
+        @resource.email = sign_up_params[:email].try :downcase
+      else
+        @resource.email = sign_up_params[:email]
+      end
+      # give redirect value from params priority
+      @redirect_url = sign_up_params[:confirm_success_url]
+      # fall back to default value if provided
+      @redirect_url ||= DeviseTokenAuth.default_confirm_success_url
+      # success redirect url is required
+      if confirmable_enabled? && !@redirect_url
+        return render_create_error_missing_confirm_success_url
+      end
+      # if whitelist is set, validate redirect_url against whitelist
+      if DeviseTokenAuth.redirect_whitelist
+        unless DeviseTokenAuth::Url.whitelisted?(@redirect_url)
+          return render_create_error_redirect_url_not_allowed
+        end
+      end
+      begin
+        # override email confirmation, must be sent manually from ctrl
+        resource_class.set_callback("create", :after, :send_on_create_confirmation_instructions)
+        resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+        if @resource.respond_to? :skip_confirmation_notification!
+          # Fix duplicate e-mails by disabling Devise confirmation e-mail
+          @resource.skip_confirmation_notification!
+        end
+        if @resource.save
+          yield @resource if block_given?
+          unless @resource.confirmed?
+            # user will require email authentication
+            @resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: @redirect_url
+            })
+          else
+            # email auth has been bypassed, authenticate user
+            @client_id, @token = @resource.create_token
+            @resource.save!
+            update_auth_header
+          end
+          render_create_success
+        else
+          clean_up_passwords @resource
+          render_create_error
+        end
+      rescue ActiveRecord::RecordNotUnique
+        clean_up_passwords @resource
+        render_create_error_email_already_exists
+      end
+    end
+    def update
+      if @resource
+        if @resource.send(resource_update_method, account_update_params)
+          yield @resource if block_given?
+          render_update_success
+        else
+          render_update_error
+        end
+      else
+        render_update_error_user_not_found
+      end
+    end
+    def destroy
+      if @resource
+        @resource.destroy
+        yield @resource if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    def sign_up_params
+      params.permit([*params_for_resource(:sign_up), :confirm_success_url])
+    end
+    def account_update_params
+      params.permit(*params_for_resource(:account_update))
+    end
+    protected
+    def render_create_error_missing_confirm_success_url
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.missing_confirm_success_url')
+      render_error(422, message, response)
+    end
+    def render_create_error_redirect_url_not_allowed
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @redirect_url)
+      render_error(422, message, response)
+    end
+    def render_create_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_create_error
+      render json: {
+        status: 'error',
+        data:   resource_data,
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_create_error_email_already_exists
+      response = {
+        status: 'error',
+        data:   resource_data
+      }
+      message = I18n.t('devise_token_auth.registrations.email_already_exists', email: @resource.email)
+      render_error(422, message, response)
+    end
+    def render_update_success
+      render json: {
+        status: 'success',
+        data:   resource_data
+      }
+    end
+    def render_update_error
+      render json: {
+        status: 'error',
+        errors: resource_errors
+      }, status: 422
+    end
+    def render_update_error_user_not_found
+      render_error(404, I18n.t('devise_token_auth.registrations.user_not_found'), { status: 'error' })
+    end
+    def render_destroy_success
+      render json: {
+        status: 'success',
+        message: I18n.t('devise_token_auth.registrations.account_with_uid_destroyed', uid: @resource.uid)
+      }
+    end
+    def render_destroy_error
+      render_error(404, I18n.t('devise_token_auth.registrations.account_to_destroy_not_found'), { status: 'error' })
+    end
+    private
+    def resource_update_method
+      if DeviseTokenAuth.check_current_password_before_update == :attributes
+        'update_with_password'
+      elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.has_key?(:password)
+        'update_with_password'
+      elsif account_update_params.has_key?(:current_password)
+        'update_with_password'
+      else
+        'update_attributes'
+      end
+    end
+    def validate_sign_up_params
+      validate_post_data sign_up_params, I18n.t('errors.messages.validate_sign_up_params')
+    end
+    def validate_account_update_params
+      validate_post_data account_update_params, I18n.t('errors.messages.validate_account_update_params')
+    end
+    def validate_post_data which, message
+      render_error(:unprocessable_entity, message, { status: 'error' }) if which.empty?
+    end
+  end
+end

data/app/controllers/devise_token_auth/sessions_controller.rb ADDED

@@ -0,0 +1,133 @@
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_action :set_user_by_token, :only => [:destroy]
+    after_action :reset_session, :only => [:destroy]
+    def new
+      render_new_error
+    end
+    def create
+      # Check
+      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
+      @resource = nil
+      if field
+        q_value = get_case_insensitive_field_from_resource_params(field)
+        @resource = find_resource(field, q_value)
+      end
+      if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        valid_password = @resource.valid_password?(resource_params[:password])
+        if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
+         return render_create_error_bad_credentials
+        end
+        @client_id, @token = @resource.create_token
+        @resource.save
+        sign_in(:user, @resource, store: false, bypass: false)
+        yield @resource if block_given?
+        render_create_success
+      elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+        if @resource.respond_to?(:locked_at) && @resource.locked_at
+          render_create_error_account_locked
+        else
+          render_create_error_not_confirmed
+        end
+      else
+        render_create_error_bad_credentials
+      end
+    end
+    def destroy
+      # remove auth instance variables so that after_action does not run
+      user = remove_instance_variable(:@resource) if @resource
+      client_id = remove_instance_variable(:@client_id) if @client_id
+      remove_instance_variable(:@token) if @token
+      if user && client_id && user.tokens[client_id]
+        user.tokens.delete(client_id)
+        user.save!
+        yield user if block_given?
+        render_destroy_success
+      else
+        render_destroy_error
+      end
+    end
+    protected
+    def valid_params?(key, val)
+      resource_params[:password] && key && val
+    end
+    def get_auth_params
+      auth_key = nil
+      auth_val = nil
+      # iterate thru allowed auth keys, use first found
+      resource_class.authentication_keys.each do |k|
+        if resource_params[k]
+          auth_val = resource_params[k]
+          auth_key = k
+          break
+        end
+      end
+      # honor devise configuration for case_insensitive_keys
+      if resource_class.case_insensitive_keys.include?(auth_key)
+        auth_val.downcase!
+      end
+      return {
+        key: auth_key,
+        val: auth_val
+      }
+    end
+    def render_new_error
+      render_error(405, I18n.t("devise_token_auth.sessions.not_supported"))
+    end
+    def render_create_success
+      render json: {
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+    def render_create_error_not_confirmed
+      render_error(401, I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email))
+    end
+    def render_create_error_account_locked
+      render_error(401, I18n.t("devise.mailer.unlock_instructions.account_lock_msg"))
+    end
+    def render_create_error_bad_credentials
+      render_error(401, I18n.t("devise_token_auth.sessions.bad_credentials"))
+    end
+    def render_destroy_success
+      render json: {
+        success:true
+      }, status: 200
+    end
+    def render_destroy_error
+      render_error(404, I18n.t("devise_token_auth.sessions.user_not_found"))
+    end
+    private
+    def resource_params
+      params.permit(*params_for_resource(:sign_in))
+    end
+  end
+end