graphql_devise 0.13.2 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3d25f0672c378bfd003351aa997e61fdfce123ed3b391ed5bddce60c86c4f28
-  data.tar.gz: 0052cc77751cf44d704cfc8c7f462c5ee1aed58c91ad7ba1e80068b085149f88
+  metadata.gz: 623b4df681f9e3ae95598c67885cbc261d4e73c5d6bd2cb070ea9c39b4305dbb
+  data.tar.gz: 4efd72cc4b7b61d44b03cdf062db5a47c3bbce831c9101801b1a0a6d6af91701
 SHA512:
-  metadata.gz: 3ee604289ff30fe95a1947ee63a58c05b2a05a659657253e29ed526213bea1558d6162597daf08be56a131a0c3c3100dc2affe1b821674f493d03939ad1540ee
-  data.tar.gz: cd6b4af9fda08c2310e6a47d3d9db8b451031bbbf05b0f214ca71a230d248d64c65cc18a92711b46676d20f047f669d5cdcb1fe6df3a42748109ff3bfae7d709
+  metadata.gz: 0510a69ab752c9f5047f1d4dd3a7f6721c974b5d3af979b73cacd9a5456cd0cdc695766fce66e6b2ed70879a9faa24104fb71140ec12e900c51e4925bf4fc850
+  data.tar.gz: afb8d1f441dde3094e11f9ff12e9555d7d0ada530d086a3836f371855ce1f784e48be0e93d3c0c20bef5e0bae5328cd7a4e17168e747edb57a43b03fbfec5ee4

data/CHANGELOG.md

@@ -1,5 +1,46 @@
 # Changelog
 
+## [v0.14.0](https://github.com/graphql-devise/graphql_devise/tree/v0.14.0) (2021-01-19)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.6...v0.14.0)
+
+**Implemented enhancements:**
+
+- Alternate reset password flow, only 2 steps, no redirect [\#146](https://github.com/graphql-devise/graphql_devise/pull/146) ([mcelicalderon](https://github.com/mcelicalderon))
+
+## [v0.13.6](https://github.com/graphql-devise/graphql_devise/tree/v0.13.6) (2020-12-22)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.5...v0.13.6)
+
+**Security fixes:**
+
+- Possible security issue with password reset and redirectUrl [\#136](https://github.com/graphql-devise/graphql_devise/issues/136)
+- Add redirect whitelist validation to all queries and mutations [\#140](https://github.com/graphql-devise/graphql_devise/pull/140) ([mcelicalderon](https://github.com/mcelicalderon))
+
+## [v0.13.5](https://github.com/graphql-devise/graphql_devise/tree/v0.13.5) (2020-11-20)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.4...v0.13.5)
+
+**Implemented enhancements:**
+
+- Fixes connection\_config deprecation warning [\#135](https://github.com/graphql-devise/graphql_devise/pull/135) ([artplan1](https://github.com/artplan1))
+
+## [v0.13.4](https://github.com/graphql-devise/graphql_devise/tree/v0.13.4) (2020-08-15)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.3...v0.13.4)
+
+**Implemented enhancements:**
+
+- Allow resend of confirmation with unconfirmed email [\#127](https://github.com/graphql-devise/graphql_devise/pull/127) ([j15e](https://github.com/j15e))
+
+## [v0.13.3](https://github.com/graphql-devise/graphql_devise/tree/v0.13.3) (2020-08-13)
+
+[Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.2...v0.13.3)
+
+**Fixed bugs:**
+
+- Fix unconfirmed\_email confirmation. Ignore devise reconfirmable config. [\#126](https://github.com/graphql-devise/graphql_devise/pull/126) ([mcelicalderon](https://github.com/mcelicalderon))
+
 ## [v0.13.2](https://github.com/graphql-devise/graphql_devise/tree/v0.13.2) (2020-08-12)
 
 [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.1...v0.13.2)

data/README.md

@@ -1,5 +1,5 @@
 # GraphqlDevise
-[![Build Status](https://travis-ci.org/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.org/graphql-devise/graphql_devise)
+[![Build Status](https://travis-ci.com/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.com/graphql-devise/graphql_devise)
 [![Coverage Status](https://coveralls.io/repos/github/graphql-devise/graphql_devise/badge.svg?branch=master)](https://coveralls.io/github/graphql-devise/graphql_devise?branch=master)
 [![Gem Version](https://badge.fury.io/rb/graphql_devise.svg)](https://badge.fury.io/rb/graphql_devise)
 
@@ -47,7 +47,8 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
 <!--te-->
 
 ## Introduction
-Graphql-Devise heavily relies on two gems:
+Graphql-Devise heavily relies on 3 gems:
+- [GraphQL Ruby](https://github.com/rmosolgo/graphql-ruby)
 - [Devise Token Auth](https://github.com/lynndylanhurley/devise_token_auth) (DTA)
 - [Devise](https://github.com/heartcombo/devise) (which is a DTA dependency)
 
@@ -107,7 +108,7 @@ and `api/auth` could be any mount path you would like to use for auth.
  - Avoid passing the `--mount` option or the gem will try to use an existing schema.
 
 #### Mounting Operations in Your Own Schema (> v0.12.0)
-To configure the gem to use your own GQL schema use the `--mount` option. 
+To configure the gem to use your own GQL schema use the `--mount` option.
 For instance the executing:
 
 ```bash
@@ -318,20 +319,19 @@ The install generator can do this for you if you specify the `user_class` option
 See [Installation](#installation) for details.
 
 ### Email Reconfirmation
-DTA and Devise support email reconfirmation. When the `confirmable` module is added to your
-resource, an email is sent to the provided email address when the `signUp` mutation is used.
-You can also use this gem so every time a user updates the `email` field, a new email gets sent
-for the user to confirm the new email address. Only after clicking on the confirmation link,
-the email will be updated on the database to use the new value.
-
-In order to use this feature there are a couple of things to setup first:
-1. Make user your model includes the `:confirmable` module.
-1. Add an `unconfirmed_email` String column to your resource's table.
-
-After that is done, you simply need to call a different update method on your resource,
-`update_with_email`. This method behaves exactly the same as ActiveRecord's `update` method
-if the previous steps are not performed, or if you are not updating the `email` attribute.
-It is also mandatory to provide two additional attributes when email will change or an error
+Email reconfirmation is supported just like in Devise and DTA, but we want reconfirmable
+in this gem to work on model basis instead of having a global configuration like in Devise.
+**For this reason Devise's global `reconfirmable` setting is ignored.**
+
+For a resource to be considered reconfirmable it has to meet 2 conditions:
+1. Include the `:confirmable` module.
+1. Has an `unconfirmed_email` column in the resource's table.
+
+In order to trigger the reconfirmation email in a reconfirmable resource, you simply needi
+to call a different update method on your resource,`update_with_email`.
+When the resource is not reconfirmable or the email is not updated, this method behaves exactly
+the same as ActiveRecord's `update`.
+`update_with_email` requires two additional attributes when email will change or an error
 will be raised:
 
 1. `schema_url`: The full url where your GQL schema is mounted. You can get this value from the
@@ -355,6 +355,9 @@ user.update_with_email(
 )
 ```
 
+ We want reconfirmable in this gem to work separately
+ from DTA's or Devise (too much complexity in the model based on callbacks).
+
 ### Customizing Email Templates
 The approach of this gem is a bit different from DeviseTokenAuth. We have placed our templates in `app/views/graphql_devise/mailer`,
 so if you want to change them, place yours on the same dir structure on your Rails project. You can customize these two templates:

data/app/models/graphql_devise/concerns/model.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
     Model = DeviseTokenAuth::Concerns::User
 
     Model.module_eval do
+      class_methods do
+        def reconfirmable
+          devise_modules.include?(:confirmable) && column_names.include?('unconfirmed_email')
+        end
+      end
+
       def update_with_email(attributes = {})
         GraphqlDevise::Model::WithEmailUpdater.new(self, attributes).call
       end

data/app/views/graphql_devise/mailer/reset_password_instructions.html.erb

@@ -2,7 +2,13 @@
 
 <p><%= t('.request_reset_link_msg') %></p>
 
-<p><%= link_to t('.password_change_link'), "#{message['schema_url']}?#{password_reset_query(token: @token, redirect_url: message['redirect-url'], resource_name: @resource.class.to_s).to_query}" %></p>
+<p>
+  <% if message['schema_url'].present? %>
+    <%= link_to t('.password_change_link'), "#{message['schema_url']}?#{password_reset_query(token: @token, redirect_url: message['redirect-url'], resource_name: @resource.class.to_s).to_query}" %>
+  <% else %>
+    <%= link_to t('.password_change_link'), "#{message['redirect-url'].to_s}?#{{ reset_password_token: @token }.to_query}" %>
+  <% end %>
+</p>
 
 <p><%= t('.ignore_mail_msg') %></p>
 <p><%= t('.no_changes_msg') %></p>

data/config/locales/en.yml

@@ -1,5 +1,6 @@
 en:
   graphql_devise:
+    redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
     registration_failed: "User couldn't be registered"
     resource_build_failed: "Resource couldn't be built, execution stopped."
     not_authenticated: "User is not logged in."
@@ -7,8 +8,8 @@ en:
     invalid_resource: "Errors present in the resource."
     registrations:
       missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
-      redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
     passwords:
+      password_recovery_disabled: "You must enable password recovery for this model."
       update_password_error: "Unable to update user password"
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
       password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."

data/lib/graphql_devise/concerns/controller_methods.rb

@@ -7,6 +7,12 @@ module GraphqlDevise
 
       private
 
+      def check_redirect_url_whitelist!(redirect_url)
+        if blacklisted_redirect_url?(redirect_url)
+          raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
+        end
+      end
+
       def raise_user_error(message)
         raise GraphqlDevise::UserError, message
       end
@@ -90,7 +96,7 @@ module GraphqlDevise
       end
 
       def find_resource(field, value)
-        if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+        if resource_class.connection.adapter_name.downcase.include?('mysql')
           # fix for mysql default case insensitivity
           resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
         elsif Gem::Version.new(DeviseTokenAuth::VERSION) < Gem::Version.new('1.1.0')

data/lib/graphql_devise/default_operations/mutations.rb

@@ -5,18 +5,22 @@ require 'graphql_devise/mutations/login'
 require 'graphql_devise/mutations/logout'
 require 'graphql_devise/mutations/resend_confirmation'
 require 'graphql_devise/mutations/send_password_reset'
+require 'graphql_devise/mutations/send_password_reset_with_token'
 require 'graphql_devise/mutations/sign_up'
 require 'graphql_devise/mutations/update_password'
+require 'graphql_devise/mutations/update_password_with_token'
 
 module GraphqlDevise
   module DefaultOperations
     MUTATIONS = {
-      login:               { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
-      logout:              { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
-      sign_up:             { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
-      update_password:     { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
-      send_password_reset: { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
-      resend_confirmation: { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
+      login:                          { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
+      logout:                         { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
+      sign_up:                        { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
+      update_password:                { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
+      update_password_with_token:     { klass: GraphqlDevise::Mutations::UpdatePasswordWithToken, authenticatable: true },
+      send_password_reset:            { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
+      send_password_reset_with_token: { klass: GraphqlDevise::Mutations::SendPasswordResetWithToken, authenticatable: false },
+      resend_confirmation:            { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
     }.freeze
   end
 end

data/lib/graphql_devise/mutations/resend_confirmation.rb

@@ -9,15 +9,16 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
-        resource = find_resource(
-          :email,
-          get_case_insensitive_field(:email, email)
-        )
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_confirmable_resource(email)
 
         if resource
           yield resource if block_given?
 
-          raise_user_error(I18n.t('graphql_devise.confirmations.already_confirmed')) if resource.confirmed?
+          if resource.confirmed? && !resource.pending_reconfirmation?
+            raise_user_error(I18n.t('graphql_devise.confirmations.already_confirmed'))
+          end
 
           resource.send_confirmation_instructions(
             redirect_url:  redirect_url,
@@ -30,6 +31,15 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.confirmations.user_not_found', email: email))
         end
       end
+
+      private
+
+      def find_confirmable_resource(email)
+        email_insensitive = get_case_insensitive_field(:email, email)
+        resource = find_resource(:unconfirmed_email, email_insensitive) if resource_class.reconfirmable
+        resource ||= find_resource(:email, email_insensitive)
+        resource
+      end
     end
   end
 end

data/lib/graphql_devise/mutations/send_password_reset.rb

@@ -9,6 +9,8 @@ module GraphqlDevise
       field :message, String, null: false
 
       def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = find_resource(:email, get_case_insensitive_field(:email, email))
 
         if resource

data/lib/graphql_devise/mutations/send_password_reset_with_token.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class SendPasswordResetWithToken < Base
+      argument :email,        String, required: true
+      argument :redirect_url, String, required: true
+
+      field :message, String, null: false
+
+      def resolve(email:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
+        resource = find_resource(:email, get_case_insensitive_field(:email, email))
+
+        if resource
+          yield resource if block_given?
+
+          resource.send_reset_password_instructions(
+            email:         email,
+            provider:      'email',
+            redirect_url:  redirect_url,
+            template_path: ['graphql_devise/mailer']
+          )
+
+          if resource.errors.empty?
+            { message: I18n.t('graphql_devise.passwords.send_instructions') }
+          else
+            raise_user_error_list(I18n.t('graphql_devise.invalid_resource'), errors: resource.errors.full_messages)
+          end
+        else
+          raise_user_error(I18n.t('graphql_devise.user_not_found'))
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/mutations/sign_up.rb

@@ -22,9 +22,7 @@ module GraphqlDevise
           raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
         end
 
-        if blacklisted_redirect_url?(redirect_url)
-          raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
-        end
+        check_redirect_url_whitelist!(redirect_url)
 
         resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
 

data/lib/graphql_devise/mutations/update_password_with_token.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module GraphqlDevise
+  module Mutations
+    class UpdatePasswordWithToken < Base
+      argument :password,              String, required: true
+      argument :password_confirmation, String, required: true
+      argument :reset_password_token,  String, required: true
+
+      field :credentials,
+            GraphqlDevise::Types::CredentialType,
+            null:        true,
+            description: 'Authentication credentials. Resource must be signed_in for credentials to be returned.'
+
+      def resolve(reset_password_token:, **attrs)
+        raise_user_error(I18n.t('graphql_devise.passwords.password_recovery_disabled')) unless recoverable_enabled?
+
+        resource = resource_class.with_reset_password_token(reset_password_token)
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_not_found')) if resource.blank?
+        raise_user_error(I18n.t('graphql_devise.passwords.reset_token_expired')) unless resource.reset_password_period_valid?
+
+        if resource.update(attrs)
+          yield resource if block_given?
+
+          response_payload               = { authenticatable: resource }
+          response_payload[:credentials] = set_auth_headers(resource) if controller.signed_in?(resource_name)
+
+          response_payload
+        else
+          raise_user_error_list(
+            I18n.t('graphql_devise.passwords.update_password_error'),
+            errors: resource.errors.full_messages
+          )
+        end
+      end
+    end
+  end
+end

data/lib/graphql_devise/resolvers/check_password_token.rb

@@ -27,6 +27,7 @@ module GraphqlDevise
           )
 
           if redirect_url.present?
+            check_redirect_url_whitelist!(redirect_url)
             controller.redirect_to(resource.build_auth_url(redirect_url, built_redirect_headers))
           else
             set_auth_headers(resource)

data/lib/graphql_devise/resolvers/confirm_account.rb

@@ -7,6 +7,8 @@ module GraphqlDevise
       argument :redirect_url,       String, required: true
 
       def resolve(confirmation_token:, redirect_url:)
+        check_redirect_url_whitelist!(redirect_url)
+
         resource = resource_class.confirm_by_token(confirmation_token)
 
         if resource.errors.empty?

data/lib/graphql_devise/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module GraphqlDevise
-  VERSION = '0.13.2'.freeze
+  VERSION = '0.14.0'.freeze
 end

data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Mutations
+  class ResetAdminPasswordWithToken < GraphqlDevise::Mutations::UpdatePasswordWithToken
+    field :authenticatable, Types::AdminType, null: false
+
+    def resolve(reset_password_token:, **attrs)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/app/graphql/resolvers/confirm_admin_account.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Resolvers
+  class ConfirmAdminAccount < GraphqlDevise::Resolvers::ConfirmAccount
+    type Types::AdminType, null: false
+
+    def resolve(confirmation_token:, redirect_url:)
+      super do |admin|
+        controller.sign_in(admin)
+      end
+    end
+  end
+end

data/spec/dummy/app/graphql/types/admin_type.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Types
+  class AdminType < GraphQL::Schema::Object
+    field :id,    Int,    null: false
+    field :email, String, null: false
+  end
+end

data/spec/dummy/config/initializers/devise.rb

@@ -142,7 +142,7 @@ Devise.setup do |config|
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed, new email is stored in
   # unconfirmed_email column, and copied to email column on successful confirmation.
-  config.reconfirmable = true
+  config.reconfirmable = false
 
   # Defines which key will be used when confirming an account
   # config.confirmation_keys = [:email]

data/spec/dummy/config/initializers/devise_token_auth.rb

@@ -39,6 +39,8 @@ DeviseTokenAuth.setup do |config|
 
   config.default_confirm_success_url = 'https://google.com'
 
+  config.redirect_whitelist = ['https://google.com']
+
   # By default we will use callbacks for single omniauth.
   # It depends on fields like email, provider and uid.
   # config.default_callbacks = true

data/spec/dummy/config/routes.rb

@@ -14,6 +14,10 @@ Rails.application.routes.draw do
     'Admin',
     authenticatable_type: Types::CustomAdminType,
     skip:                 [:sign_up, :check_password_token],
+    operations:           {
+      confirm_account:            Resolvers::ConfirmAdminAccount,
+      update_password_with_token: Mutations::ResetAdminPasswordWithToken
+    },
     at:                   '/api/v1/admin/graphql_auth'
   )
 

data/spec/dummy/db/schema.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.

data/spec/requests/mutations/additional_mutations_spec.rb

@@ -9,7 +9,6 @@ RSpec.describe 'Additional Mutations' do
   let(:password)              { Faker::Internet.password }
   let(:password_confirmation) { password }
   let(:email)                 { Faker::Internet.email }
-  let(:redirect)              { Faker::Internet.url }
 
   context 'when using the user model' do
     let(:query) do

data/spec/requests/mutations/resend_confirmation_spec.rb

@@ -5,10 +5,11 @@ require 'rails_helper'
 RSpec.describe 'Resend confirmation' do
   include_context 'with graphql query request'
 
-  let!(:user)    { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
-  let(:email)    { user.email }
-  let(:id)       { user.id }
-  let(:redirect) { Faker::Internet.url }
+  let(:confirmed_at) { nil }
+  let!(:user)        { create(:user, confirmed_at: nil, email: 'mwallace@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:id)           { user.id }
+  let(:redirect)     { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -22,6 +23,21 @@ RSpec.describe 'Resend confirmation' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends an email to the user with confirmation url and returns a success message' do
@@ -98,6 +114,28 @@ RSpec.describe 'Resend confirmation' do
     end
   end
 
+  context 'when the email was changed' do
+    let(:confirmed_at) { 2.seconds.ago }
+    let(:email)        { 'new-email@wallaceinc.com' }
+    let(:new_email)    { email }
+
+    before do
+      user.update_with_email(
+        email:                    new_email,
+        schema_url:               'http://localhost/test',
+        confirmation_success_url: 'https://google.com'
+      )
+    end
+
+    it 'sends new confirmation email' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(ActionMailer::Base.deliveries.first.to).to contain_exactly(new_email)
+      expect(json_response[:data][:userResendConfirmation]).to include(
+        message: 'You will receive an email with instructions for how to confirm your email address in a few minutes.'
+      )
+    end
+  end
+
   context "when the email isn't in the system" do
     let(:email) { 'nothere@gmail.com' }
 

data/spec/requests/mutations/send_password_reset_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe 'Send Password Reset Requests' do
 
   let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
   let(:email)        { user.email }
-  let(:redirect_url) { Faker::Internet.url }
+  let(:redirect_url) { 'https://google.com' }
   let(:query) do
     <<-GRAPHQL
       mutation {
@@ -21,6 +21,21 @@ RSpec.describe 'Send Password Reset Requests' do
     GRAPHQL
   end
 
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
   context 'when params are correct' do
     context 'when using the gem schema' do
       it 'sends password reset  email' do

data/spec/requests/mutations/send_password_reset_with_token_spec.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Send Password Reset Requests' do
+  include_context 'with graphql query request'
+
+  let!(:user)        { create(:user, :confirmed, email: 'jwinnfield@wallaceinc.com') }
+  let(:email)        { user.email }
+  let(:redirect_url) { 'https://google.com' }
+  let(:query) do
+    <<-GRAPHQL
+      mutation {
+        userSendPasswordResetWithToken(
+          email:       "#{email}",
+          redirectUrl: "#{redirect_url}"
+        ) {
+          message
+        }
+      }
+    GRAPHQL
+  end
+
+  context 'when redirect_url is not whitelisted' do
+    let(:redirect_url) { 'https://not-safe.com' }
+
+    it 'returns a not whitelisted redirect url error' do
+      expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
+
+      expect(json_response[:errors]).to containing_exactly(
+        hash_including(
+          message:    "Redirect to '#{redirect_url}' not allowed.",
+          extensions: { code: 'USER_ERROR' }
+        )
+      )
+    end
+  end
+
+  context 'when params are correct' do
+    context 'when using the gem schema' do
+      it 'sends password reset  email' do
+        expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+
+        expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+          message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+        )
+
+        email = Nokogiri::HTML(ActionMailer::Base.deliveries.last.body.encoded)
+        link  = email.css('a').first
+
+        expect(link['href']).to include(redirect_url + '?reset_password_token')
+      end
+    end
+  end
+
+  context 'when email address uses different casing' do
+    let(:email) { 'jWinnfield@wallaceinc.com' }
+
+    it 'honors devise configuration for case insensitive fields' do
+      expect { post_request }.to change(ActionMailer::Base.deliveries, :count).by(1)
+      expect(json_response[:data][:userSendPasswordResetWithToken]).to include(
+        message: 'You will receive an email with instructions on how to reset your password in a few minutes.'
+      )
+    end
+  end
+
+  context 'when user email is not found' do
+    let(:email) { 'nothere@gmail.com' }
+
+    before { post_request }
+
+    it 'returns an error' do
+      expect(json_response[:errors]).to contain_exactly(
+        hash_including(message: 'User was not found or was not logged in.', extensions: { code: 'USER_ERROR' })
+      )
+    end
+  end
+end

data/spec/requests/mutations/sign_up_spec.rb

@@ -8,7 +8,7 @@ RSpec.describe 'Sign Up process' do
   let(:name)     { Faker::Name.name }
   let(:password) { Faker::Internet.password }
   let(:email)    { Faker::Internet.email }
-  let(:redirect) { Faker::Internet.url }
+  let(:redirect) { 'https://google.com' }
 
   context 'when using the user model' do
     let(:query) do
@@ -31,6 +31,24 @@ RSpec.describe 'Sign Up process' do
       GRAPHQL
     end
 
+    context 'when redirect_url is not whitelisted' do
+      let(:redirect) { 'https://not-safe.com' }
+
+      it 'returns a not whitelisted redirect url error' do
+        expect { post_request }.to(
+          not_change(User, :count)
+          .and(not_change(ActionMailer::Base.deliveries, :count))
+        )
+
+        expect(json_response[:errors]).to containing_exactly(
+          hash_including(
+            message:    "Redirect to '#{redirect}' not allowed.",
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
+    end
+
     context 'when params are correct' do
       it 'creates a new resource that requires confirmation' do
         expect { post_request }.to(

data/spec/requests/mutations/update_password_with_token_spec.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Update Password With Token' do
+  include_context 'with graphql query request'
+
+  let(:password)              { '12345678' }
+  let(:password_confirmation) { password }
+
+  context 'when using the user model' do
+    let(:user) { create(:user, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          userUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { accessToken }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { user.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          user.reload
+        end.to change(user, :encrypted_password)
+
+        expect(user).to be_valid_password(password)
+        expect(json_response[:data][:userUpdatePasswordWithToken][:credentials]).to     be_nil
+        expect(json_response[:data][:userUpdatePasswordWithToken][:authenticatable]).to include(email: user.email)
+      end
+
+      context 'when token has expired' do
+        it 'returns an expired token error' do
+          travel_to 10.hours.ago do
+            token
+          end
+
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(message: 'Reset password token is no longer valid.', extensions: { code: 'USER_ERROR' })
+          )
+        end
+      end
+
+      context 'when password confirmation does not match' do
+        let(:password_confirmation) { 'does not match' }
+
+        it 'returns an error' do
+          post_request
+
+          expect(json_response[:errors]).to contain_exactly(
+            hash_including(
+              message:    'Unable to update user password',
+              extensions: { code: 'USER_ERROR', detailed_errors: ["Password confirmation doesn't match Password"] }
+            )
+          )
+        end
+      end
+    end
+
+    context 'when reset password token is not found' do
+      let(:token) { user.send(:set_reset_password_token) + 'invalid' }
+
+      it 'returns an error' do
+        post_request
+
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(message: 'No user found for the specified reset token.', extensions: { code: 'USER_ERROR' })
+        )
+      end
+    end
+  end
+
+  context 'when using the admin model' do
+    let(:admin) { create(:admin, :confirmed) }
+    let(:query) do
+      <<-GRAPHQL
+        mutation {
+          adminUpdatePasswordWithToken(
+            resetPasswordToken: "#{token}",
+            password: "#{password}",
+            passwordConfirmation: "#{password_confirmation}"
+          ) {
+            authenticatable { email }
+            credentials { uid }
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when reset password token is valid' do
+      let(:token) { admin.send(:set_reset_password_token) }
+
+      it 'updates the password' do
+        expect do
+          post_request
+          admin.reload
+        end.to change(admin, :encrypted_password)
+
+        expect(admin).to be_valid_password(password)
+        expect(json_response[:data][:adminUpdatePasswordWithToken]).to include(
+          credentials:     { uid: admin.email },
+          authenticatable: { email: admin.email }
+        )
+      end
+    end
+  end
+end

data/spec/requests/queries/check_password_token_spec.rb

@@ -54,6 +54,21 @@ RSpec.describe 'Check Password Token Requests' do
           expect(response.body).to include('uid=')
           expect(response.body).to include('expiry=')
         end
+
+        context 'when redirect_url is not whitelisted' do
+          let(:redirect_url) { 'https://not-safe.com' }
+
+          before { post_request }
+
+          it 'returns a not whitelisted redirect url error' do
+            expect(json_response[:errors]).to containing_exactly(
+              hash_including(
+                message:    "Redirect to '#{redirect_url}' not allowed.",
+                extensions: { code: 'USER_ERROR' }
+              )
+            )
+          end
+        end
       end
 
       context 'when token has expired' do
@@ -74,7 +89,7 @@ RSpec.describe 'Check Password Token Requests' do
     context 'when reset password token is not found' do
       let(:token) { user.send(:set_reset_password_token) + 'invalid' }
 
-      it 'redirects to redirect url' do
+      it 'returns an error message' do
         get_request
 
         expect(json_response[:errors]).to contain_exactly(

data/spec/requests/queries/confirm_account_spec.rb

@@ -5,60 +5,133 @@ require 'rails_helper'
 RSpec.describe 'Account confirmation' do
   include_context 'with graphql query request'
 
-  let(:user)     { create(:user, confirmed_at: nil) }
-  let(:redirect) { Faker::Internet.url }
-  let(:query) do
-    <<-GRAPHQL
-      {
-        userConfirmAccount(
-          confirmationToken: "#{token}"
-          redirectUrl:       "#{redirect}"
-        ) {
-          email
-          name
+  context 'when using the user model' do
+    let(:user)     { create(:user, confirmed_at: nil) }
+    let(:redirect) { 'https://google.com' }
+    let(:query) do
+      <<-GRAPHQL
+        {
+          userConfirmAccount(
+            confirmationToken: "#{token}"
+            redirectUrl:       "#{redirect}"
+          ) {
+            email
+            name
+          }
         }
-      }
-    GRAPHQL
-  end
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { user.confirmation_token }
+
+      before do
+        user.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer'],
+          controller:    'graphql_devise/graphql',
+          schema_url:    'http://not-using-this-value.com/gql'
+        )
+      end
+
+      it 'confirms the resource and redirects to the sent url' do
+        expect do
+          get_request
+          user.reload
+        end.to(change(user, :confirmed_at).from(nil))
+
+        expect(response).to redirect_to("#{redirect}?account_confirmation_success=true")
+        expect(user).to be_active_for_authentication
+      end
+
+      context 'when redirect_url is not whitelisted' do
+        let(:redirect) { 'https://not-safe.com' }
+
+        it 'returns a not whitelisted redirect url error' do
+          expect { post_request }.to not_change(ActionMailer::Base.deliveries, :count)
 
-  context 'when confirmation token is correct' do
-    let(:token) { user.confirmation_token }
+          expect(json_response[:errors]).to containing_exactly(
+            hash_including(
+              message:    "Redirect to '#{redirect}' not allowed.",
+              extensions: { code: 'USER_ERROR' }
+            )
+          )
+        end
+      end
 
-    before do
-      user.send_confirmation_instructions(
-        template_path: ['graphql_devise/mailer'],
-        controller:    'graphql_devise/graphql',
-        schema_url:    'http://not-using-this-value.com/gql'
-      )
+      context 'when unconfirmed_email is present' do
+        let(:user) { create(:user, :confirmed, unconfirmed_email: 'vvega@wallaceinc.com') }
+
+        it 'confirms the unconfirmed email and redirects' do
+          expect do
+            get_request
+            user.reload
+          end.to change(user, :email).from(user.email).to('vvega@wallaceinc.com').and(
+            change(user, :unconfirmed_email).from('vvega@wallaceinc.com').to(nil)
+          )
+
+          expect(response).to redirect_to("#{redirect}?account_confirmation_success=true")
+        end
+      end
     end
 
-    it 'confirms the resource and redirects to the sent url' do
-      expect do
-        get_request
-        user.reload
-      end.to(change(user, :confirmed_at).from(nil))
+    context 'when reset password token is not found' do
+      let(:token) { "#{user.confirmation_token}-invalid" }
+
+      it 'does *NOT* confirm the user nor does the redirection' do
+        expect do
+          get_request
+          user.reload
+        end.not_to(change(user, :confirmed_at).from(nil))
 
-      expect(response).to redirect_to "#{redirect}?account_confirmation_success=true"
-      expect(user).to be_active_for_authentication
+        expect(response).not_to be_redirect
+        expect(json_response[:errors]).to contain_exactly(
+          hash_including(
+            message:    'Invalid confirmation token. Please try again',
+            extensions: { code: 'USER_ERROR' }
+          )
+        )
+      end
     end
   end
 
-  context 'when reset password token is not found' do
-    let(:token) { "#{user.confirmation_token}-invalid" }
+  context 'when using the admin model' do
+    let(:admin)    { create(:admin, confirmed_at: nil) }
+    let(:redirect) { 'https://google.com' }
+    let(:query) do
+      <<-GRAPHQL
+        {
+          adminConfirmAccount(
+            confirmationToken: "#{token}"
+            redirectUrl:       "#{redirect}"
+          ) {
+            email
+          }
+        }
+      GRAPHQL
+    end
+
+    context 'when confirmation token is correct' do
+      let(:token) { admin.confirmation_token }
 
-    it 'does *NOT* confirm the user nor does the redirection' do
-      expect do
-        get_request
-        user.reload
-      end.not_to(change(user, :confirmed_at).from(nil))
+      before do
+        admin.send_confirmation_instructions(
+          template_path: ['graphql_devise/mailer'],
+          controller:    'graphql_devise/graphql',
+          schema_url:    'http://not-using-this-value.com/gql'
+        )
+      end
 
-      expect(response).not_to be_redirect
-      expect(json_response[:errors]).to contain_exactly(
-        hash_including(
-          message: 'Invalid confirmation token. Please try again',
-          extensions: { code: 'USER_ERROR' }
+      it 'confirms the resource, persists credentials on the DB and redirects to the sent url' do
+        expect do
+          get_request
+          admin.reload
+        end.to change(admin, :confirmed_at).from(nil).and(
+          change { admin.tokens.keys.count }.from(0).to(1)
         )
-      )
+
+        expect(response).to redirect_to(/\A#{redirect}.+access\-token=/)
+        expect(admin).to be_active_for_authentication
+      end
     end
   end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: graphql_devise
 version: !ruby/object:Gem::Version
-  version: 0.13.2
+  version: 0.14.0
 platform: ruby
 authors:
 - Mario Celi
 - David Revelo
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-08-12 00:00:00.000000000 Z
+date: 2021-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_token_auth
@@ -338,8 +338,10 @@ files:
 - lib/graphql_devise/mutations/logout.rb
 - lib/graphql_devise/mutations/resend_confirmation.rb
 - lib/graphql_devise/mutations/send_password_reset.rb
+- lib/graphql_devise/mutations/send_password_reset_with_token.rb
 - lib/graphql_devise/mutations/sign_up.rb
 - lib/graphql_devise/mutations/update_password.rb
+- lib/graphql_devise/mutations/update_password_with_token.rb
 - lib/graphql_devise/rails/routes.rb
 - lib/graphql_devise/resolvers/base.rb
 - lib/graphql_devise/resolvers/check_password_token.rb
@@ -362,10 +364,13 @@ files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
+- spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
 - spec/dummy/app/graphql/resolvers/public_user.rb
 - spec/dummy/app/graphql/resolvers/user_show.rb
+- spec/dummy/app/graphql/types/admin_type.rb
 - spec/dummy/app/graphql/types/base_object.rb
 - spec/dummy/app/graphql/types/custom_admin_type.rb
 - spec/dummy/app/graphql/types/mutation_type.rb
@@ -437,8 +442,10 @@ files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
 - spec/requests/user_controller_spec.rb
@@ -474,7 +481,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/graphql-devise/graphql_devise
   source_code_uri: https://github.com/graphql-devise/graphql_devise
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -489,8 +496,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key: 
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
 summary: GraphQL queries and mutations on top of devise_token_auth
 test_files:
@@ -503,10 +510,13 @@ test_files:
 - spec/dummy/app/graphql/interpreter_schema.rb
 - spec/dummy/app/graphql/mutations/login.rb
 - spec/dummy/app/graphql/mutations/register_confirmed_user.rb
+- spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb
 - spec/dummy/app/graphql/mutations/sign_up.rb
 - spec/dummy/app/graphql/mutations/update_user.rb
+- spec/dummy/app/graphql/resolvers/confirm_admin_account.rb
 - spec/dummy/app/graphql/resolvers/public_user.rb
 - spec/dummy/app/graphql/resolvers/user_show.rb
+- spec/dummy/app/graphql/types/admin_type.rb
 - spec/dummy/app/graphql/types/base_object.rb
 - spec/dummy/app/graphql/types/custom_admin_type.rb
 - spec/dummy/app/graphql/types/mutation_type.rb
@@ -578,8 +588,10 @@ test_files:
 - spec/requests/mutations/logout_spec.rb
 - spec/requests/mutations/resend_confirmation_spec.rb
 - spec/requests/mutations/send_password_reset_spec.rb
+- spec/requests/mutations/send_password_reset_with_token_spec.rb
 - spec/requests/mutations/sign_up_spec.rb
 - spec/requests/mutations/update_password_spec.rb
+- spec/requests/mutations/update_password_with_token_spec.rb
 - spec/requests/queries/check_password_token_spec.rb
 - spec/requests/queries/confirm_account_spec.rb
 - spec/requests/user_controller_spec.rb