graphql_devise 0.13.3 → 0.14.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (36) hide show
  1. checksums.yaml +4 -4
  2. data/.travis.yml +7 -0
  3. data/Appraisals +14 -0
  4. data/CHANGELOG.md +47 -0
  5. data/README.md +35 -22
  6. data/app/models/graphql_devise/concerns/model.rb +6 -6
  7. data/app/views/graphql_devise/mailer/reset_password_instructions.html.erb +7 -1
  8. data/config/locales/en.yml +2 -1
  9. data/docs/usage/reset_password_flow.md +90 -0
  10. data/graphql_devise.gemspec +1 -1
  11. data/lib/graphql_devise/concerns/controller_methods.rb +7 -1
  12. data/lib/graphql_devise/default_operations/mutations.rb +10 -6
  13. data/lib/graphql_devise/mutations/resend_confirmation.rb +15 -5
  14. data/lib/graphql_devise/mutations/send_password_reset.rb +2 -0
  15. data/lib/graphql_devise/mutations/send_password_reset_with_token.rb +37 -0
  16. data/lib/graphql_devise/mutations/sign_up.rb +1 -3
  17. data/lib/graphql_devise/mutations/update_password_with_token.rb +38 -0
  18. data/lib/graphql_devise/resolvers/check_password_token.rb +1 -0
  19. data/lib/graphql_devise/resolvers/confirm_account.rb +2 -0
  20. data/lib/graphql_devise/schema_plugin.rb +12 -10
  21. data/lib/graphql_devise/version.rb +1 -1
  22. data/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb +13 -0
  23. data/spec/dummy/config/initializers/devise_token_auth.rb +2 -0
  24. data/spec/dummy/config/routes.rb +2 -1
  25. data/spec/graphql/user_queries_spec.rb +118 -0
  26. data/spec/requests/mutations/additional_mutations_spec.rb +0 -1
  27. data/spec/requests/mutations/resend_confirmation_spec.rb +42 -4
  28. data/spec/requests/mutations/send_password_reset_spec.rb +16 -1
  29. data/spec/requests/mutations/send_password_reset_with_token_spec.rb +78 -0
  30. data/spec/requests/mutations/sign_up_spec.rb +19 -1
  31. data/spec/requests/mutations/update_password_with_token_spec.rb +119 -0
  32. data/spec/requests/queries/check_password_token_spec.rb +16 -1
  33. data/spec/requests/queries/confirm_account_spec.rb +17 -2
  34. data/spec/requests/user_controller_spec.rb +9 -9
  35. data/spec/support/contexts/schema_test.rb +14 -0
  36. metadata +21 -8
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3f53fa7a8d2d7b2358f448a3debe5bc56eba25282e51006e88922340eaedc3ac
4
- data.tar.gz: '07183950cd6bd45e2228cbe20fd41ed8d8352e8191aa51f39d1a07e8ce04310c'
3
+ metadata.gz: bf545450ef87f507744e5bf493ebc30d94c20da544307ec11657f58d2e685b37
4
+ data.tar.gz: 7c62c31ef018325ed51516e08a3f5774d5ebe8325340ce57edbee2df9a9e29bf
5
5
  SHA512:
6
- metadata.gz: 75da3fcc2f769c67f3c07ec7e732cb1ca82a1909ebb2cb35b03b4a902f7367eb17319398c7daf848598a71288c29aad84720f418174d1fb7a9fefbe7a6a75399
7
- data.tar.gz: da0bc0fdf1a5f3cefd4b76e7c08872a893606881ca51c3727c9051db753d938a57abdc25f6b1afb5171f0ec7a5df8104cae8ff14e5bc20bc48b050e15e2911bc
6
+ metadata.gz: 53dfe2bfde5d1e22f7d5d91f03c6336559abe2967208c2a237218d06fc65d4df2c5c3d0bf5d84f097c77fa2d39299defe6318999adddb68b05263c403a418654
7
+ data.tar.gz: dc0e2a550b3657fc13505db35042febdc32df9770cdfb00524fabb1fdaf09b1d43a0fc6a13ce71160e37aada85e3cef8ff611aaebb4d027efb81ec8013267eba
data/.travis.yml CHANGED
@@ -25,6 +25,7 @@ gemfile:
25
25
  - gemfiles/rails5.2_graphql1.9.gemfile
26
26
  - gemfiles/rails5.2_graphql1.10.gemfile
27
27
  - gemfiles/rails5.2_graphql1.11.gemfile
28
+ - gemfiles/rails5.2_graphql1.12.gemfile
28
29
 
29
30
  jobs:
30
31
  include:
@@ -52,6 +53,12 @@ jobs:
52
53
  rvm: 2.6.6
53
54
  - gemfile: gemfiles/rails6.0_graphql1.11.gemfile
54
55
  rvm: 2.7.1
56
+ - gemfile: gemfiles/rails6.0_graphql1.12.gemfile
57
+ rvm: 2.5.8
58
+ - gemfile: gemfiles/rails6.0_graphql1.12.gemfile
59
+ rvm: 2.6.6
60
+ - gemfile: gemfiles/rails6.0_graphql1.12.gemfile
61
+ rvm: 2.7.1
55
62
  - gemfile: gemfiles/rails6.0_graphql_edge.gemfile
56
63
  rvm: 2.6.6
57
64
  env:
data/Appraisals CHANGED
@@ -68,6 +68,13 @@ appraise 'rails5.2-graphql1.11' do
68
68
  gem 'rspec-rails', '< 4.0'
69
69
  end
70
70
 
71
+ appraise 'rails5.2-graphql1.12' do
72
+ gem 'sqlite3', '~> 1.3.6'
73
+ gem 'rails', github: 'rails/rails', branch: '5-2-stable'
74
+ gem 'graphql', '~> 1.12.0'
75
+ gem 'rspec-rails', '< 4.0'
76
+ end
77
+
71
78
  appraise 'rails6.0-graphql1.8' do
72
79
  gem 'sqlite3', '~> 1.4'
73
80
  gem 'devise', '>= 4.7'
@@ -96,6 +103,13 @@ appraise 'rails6.0-graphql1.11' do
96
103
  gem 'graphql', '~> 1.11.0'
97
104
  end
98
105
 
106
+ appraise 'rails6.0-graphql1.12' do
107
+ gem 'sqlite3', '~> 1.4'
108
+ gem 'devise', '>= 4.7'
109
+ gem 'rails', github: 'rails/rails', branch: '6-0-stable'
110
+ gem 'graphql', '~> 1.12.0'
111
+ end
112
+
99
113
  appraise 'rails6.0-graphql_edge' do
100
114
  gem 'sqlite3', '~> 1.4'
101
115
  gem 'devise_token_auth', github: 'lynndylanhurley/devise_token_auth', branch: 'master'
data/CHANGELOG.md CHANGED
@@ -1,5 +1,52 @@
1
1
  # Changelog
2
2
 
3
+ ## [v0.14.1](https://github.com/graphql-devise/graphql_devise/tree/v0.14.1) (2021-02-11)
4
+
5
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.14.0...v0.14.1)
6
+
7
+ **Implemented enhancements:**
8
+
9
+ - Testing Authenticated Elements [\#138](https://github.com/graphql-devise/graphql_devise/issues/138)
10
+ - Add support for GraphQL 1.12 [\#150](https://github.com/graphql-devise/graphql_devise/pull/150) ([mengqing](https://github.com/mengqing))
11
+ - Allow setting current resource in tests [\#149](https://github.com/graphql-devise/graphql_devise/pull/149) ([00dav00](https://github.com/00dav00))
12
+
13
+ **Merged pull requests:**
14
+
15
+ - Document password reset flows [\#147](https://github.com/graphql-devise/graphql_devise/pull/147) ([mcelicalderon](https://github.com/mcelicalderon))
16
+
17
+ ## [v0.14.0](https://github.com/graphql-devise/graphql_devise/tree/v0.14.0) (2021-01-19)
18
+
19
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.6...v0.14.0)
20
+
21
+ **Implemented enhancements:**
22
+
23
+ - Alternate reset password flow, only 2 steps, no redirect [\#146](https://github.com/graphql-devise/graphql_devise/pull/146) ([mcelicalderon](https://github.com/mcelicalderon))
24
+
25
+ ## [v0.13.6](https://github.com/graphql-devise/graphql_devise/tree/v0.13.6) (2020-12-22)
26
+
27
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.5...v0.13.6)
28
+
29
+ **Security fixes:**
30
+
31
+ - Possible security issue with password reset and redirectUrl [\#136](https://github.com/graphql-devise/graphql_devise/issues/136)
32
+ - Add redirect whitelist validation to all queries and mutations [\#140](https://github.com/graphql-devise/graphql_devise/pull/140) ([mcelicalderon](https://github.com/mcelicalderon))
33
+
34
+ ## [v0.13.5](https://github.com/graphql-devise/graphql_devise/tree/v0.13.5) (2020-11-20)
35
+
36
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.4...v0.13.5)
37
+
38
+ **Implemented enhancements:**
39
+
40
+ - Fixes connection\_config deprecation warning [\#135](https://github.com/graphql-devise/graphql_devise/pull/135) ([artplan1](https://github.com/artplan1))
41
+
42
+ ## [v0.13.4](https://github.com/graphql-devise/graphql_devise/tree/v0.13.4) (2020-08-15)
43
+
44
+ [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.3...v0.13.4)
45
+
46
+ **Implemented enhancements:**
47
+
48
+ - Allow resend of confirmation with unconfirmed email [\#127](https://github.com/graphql-devise/graphql_devise/pull/127) ([j15e](https://github.com/j15e))
49
+
3
50
  ## [v0.13.3](https://github.com/graphql-devise/graphql_devise/tree/v0.13.3) (2020-08-13)
4
51
 
5
52
  [Full Changelog](https://github.com/graphql-devise/graphql_devise/compare/v0.13.2...v0.13.3)
data/README.md CHANGED
@@ -1,5 +1,5 @@
1
1
  # GraphqlDevise
2
- [![Build Status](https://travis-ci.org/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.org/graphql-devise/graphql_devise)
2
+ [![Build Status](https://travis-ci.com/graphql-devise/graphql_devise.svg?branch=master)](https://travis-ci.com/graphql-devise/graphql_devise)
3
3
  [![Coverage Status](https://coveralls.io/repos/github/graphql-devise/graphql_devise/badge.svg?branch=master)](https://coveralls.io/github/graphql-devise/graphql_devise?branch=master)
4
4
  [![Gem Version](https://badge.fury.io/rb/graphql_devise.svg)](https://badge.fury.io/rb/graphql_devise)
5
5
 
@@ -33,6 +33,7 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
33
33
  * [Making Requests](#making-requests)
34
34
  * [Mutations](#mutations)
35
35
  * [Queries](#queries)
36
+ * [Reset Password Flow](#reset-password-flow)
36
37
  * [More Configuration Options](#more-configuration-options)
37
38
  * [Devise Token Auth Initializer](#devise-token-auth-initializer)
38
39
  * [Devise Initializer](#devise-initializer)
@@ -42,12 +43,13 @@ GraphQL interface on top of the [Devise Token Auth](https://github.com/lynndylan
42
43
  * [Contributing](#contributing)
43
44
  * [License](#license)
44
45
 
45
- <!-- Added by: david, at: mar jul 14 08:08:02 -05 2020 -->
46
+ <!-- Added by: mcelicalderon, at: Mon Jan 25 22:48:17 -05 2021 -->
46
47
 
47
48
  <!--te-->
48
49
 
49
50
  ## Introduction
50
- Graphql-Devise heavily relies on two gems:
51
+ Graphql-Devise heavily relies on 3 gems:
52
+ - [GraphQL Ruby](https://github.com/rmosolgo/graphql-ruby)
51
53
  - [Devise Token Auth](https://github.com/lynndylanhurley/devise_token_auth) (DTA)
52
54
  - [Devise](https://github.com/heartcombo/devise) (which is a DTA dependency)
53
55
 
@@ -107,7 +109,7 @@ and `api/auth` could be any mount path you would like to use for auth.
107
109
  - Avoid passing the `--mount` option or the gem will try to use an existing schema.
108
110
 
109
111
  #### Mounting Operations in Your Own Schema (> v0.12.0)
110
- To configure the gem to use your own GQL schema use the `--mount` option.
112
+ To configure the gem to use your own GQL schema use the `--mount` option.
111
113
  For instance the executing:
112
114
 
113
115
  ```bash
@@ -287,10 +289,12 @@ The following is a list of the symbols you can provide to the `operations`, `ski
287
289
  :login
288
290
  :logout
289
291
  :sign_up
290
- :update_password
291
- :send_password_reset
292
292
  :confirm_account
293
+ :send_password_reset
293
294
  :check_password_token
295
+ :update_password
296
+ :send_password_reset_with_token
297
+ :update_password_with_token
294
298
  ```
295
299
 
296
300
  ### Configuring Model
@@ -318,20 +322,19 @@ The install generator can do this for you if you specify the `user_class` option
318
322
  See [Installation](#installation) for details.
319
323
 
320
324
  ### Email Reconfirmation
321
- DTA and Devise support email reconfirmation. When the `confirmable` module is added to your
322
- resource, an email is sent to the provided email address when the `signUp` mutation is used.
323
- You can also use this gem so every time a user updates the `email` field, a new email gets sent
324
- for the user to confirm the new email address. Only after clicking on the confirmation link,
325
- the email will be updated on the database to use the new value.
326
-
327
- In order to use this feature there are a couple of things to setup first:
328
- 1. Make user your model includes the `:confirmable` module.
329
- 1. Add an `unconfirmed_email` String column to your resource's table.
330
-
331
- After that is done, you simply need to call a different update method on your resource,
332
- `update_with_email`. This method behaves exactly the same as ActiveRecord's `update` method
333
- if the previous steps are not performed, or if you are not updating the `email` attribute.
334
- It is also mandatory to provide two additional attributes when email will change or an error
325
+ Email reconfirmation is supported just like in Devise and DTA, but we want reconfirmable
326
+ in this gem to work on model basis instead of having a global configuration like in Devise.
327
+ **For this reason Devise's global `reconfirmable` setting is ignored.**
328
+
329
+ For a resource to be considered reconfirmable it has to meet 2 conditions:
330
+ 1. Include the `:confirmable` module.
331
+ 1. Has an `unconfirmed_email` column in the resource's table.
332
+
333
+ In order to trigger the reconfirmation email in a reconfirmable resource, you simply needi
334
+ to call a different update method on your resource,`update_with_email`.
335
+ When the resource is not reconfirmable or the email is not updated, this method behaves exactly
336
+ the same as ActiveRecord's `update`.
337
+ `update_with_email` requires two additional attributes when email will change or an error
335
338
  will be raised:
336
339
 
337
340
  1. `schema_url`: The full url where your GQL schema is mounted. You can get this value from the
@@ -355,6 +358,9 @@ user.update_with_email(
355
358
  )
356
359
  ```
357
360
 
361
+ We want reconfirmable in this gem to work separately
362
+ from DTA's or Devise (too much complexity in the model based on callbacks).
363
+
358
364
  ### Customizing Email Templates
359
365
  The approach of this gem is a bit different from DeviseTokenAuth. We have placed our templates in `app/views/graphql_devise/mailer`,
360
366
  so if you want to change them, place yours on the same dir structure on your Rails project. You can customize these two templates:
@@ -455,9 +461,11 @@ Operation | Description | Example
455
461
  login | This mutation has a second field by default. `credentials` can be fetched directly on the mutation return type.<br>Credentials are still returned in the headers of the response. | userLogin(email: String!, password: String!): UserLoginPayload
456
462
  logout | | userLogout: UserLogoutPayload
457
463
  signUp | The parameter `confirmSuccessUrl` is optional unless you are using the `confirmable` plugin from Devise in your `resource`'s model. If you have `confirmable` set up, you will have to provide it unless you have `config.default_confirm_success_url` set in `config/initializers/devise_token_auth.rb`. | userSignUp(email: String!, password: String!, passwordConfirmation: String!, confirmSuccessUrl: String): UserSignUpPayload
458
- sendResetPassword | | userSendResetPassword(email: String!, redirectUrl: String!): UserSendReserPasswordPayload
459
- updatePassword | The parameter `currentPassword` is optional if you have `config.check_current_password_before_update` set to false (disabled by default) on your generated `config/initializers/devise_token_aut.rb` or if the `resource` model supports the `recoverable` Devise plugin and the `resource`'s `allow_password_change` attribute is set to true (this is done in the `userCheckPasswordToken` query when you click on the sent email's link). | userUpdatePassword(password: String!, passwordConfirmation: String!, currentPassword: String): UserUpdatePasswordPayload
464
+ sendPasswordResetWithToken | Sends an email to the provided address with a link to reset the password of the resource. First step of the most recently implemented password reset flow. | userSendPasswordResetWithToken(email: String!, redirectUrl: String!): UserSendPasswordResetWithTokenPayload
465
+ updatePasswordWithToken | Uses a `resetPasswordToken` to update the password of a resource. Second and last step of the most recently implemented password reset flow. | userSendPasswordResetWithToken(resetPasswordToken: String!, password: String!, passwordConfirmation: String!): UserUpdatePasswordWithTokenPayload
460
466
  resendConfirmation | The `UserResendConfirmationPayload` will return the `authenticatable` resource that was sent the confirmation instructions but also has a `message: String!` that can be used to notify a user what to do after the instructions were sent to them | userResendConfirmation(email: String!, redirectUrl: String!): UserResendConfirmationPayload
467
+ sendResetPassword | Sends an email to the provided address with a link to reset the password of the resource. **This mutation is part of the first and soon to be deprecated password reset flow.** | userSendResetPassword(email: String!, redirectUrl: String!): UserSendReserPasswordPayload
468
+ updatePassword | The parameter `currentPassword` is optional if you have `config.check_current_password_before_update` set to false (disabled by default) on your generated `config/initializers/devise_token_aut.rb` or if the `resource` model supports the `recoverable` Devise plugin and the `resource`'s `allow_password_change` attribute is set to true (this is done in the `userCheckPasswordToken` query when you click on the sent email's link). **This mutation is part of the first and soon to be deprecated password reset flow.** | userUpdatePassword(password: String!, passwordConfirmation: String!, currentPassword: String): UserUpdatePasswordPayload
461
469
 
462
470
  #### Queries
463
471
  Operation | Description | Example
@@ -475,6 +483,11 @@ you can use [our specs](spec/requests) to better understand how to use the gem.
475
483
  Also, the [dummy app](spec/dummy) used in our specs will give you
476
484
  a clear idea on how to configure the gem on your Rails application.
477
485
 
486
+ ### Reset Password Flow
487
+ This gem supports two password recovery flows. The most recently implemented is preferred and
488
+ requires less steps. More detail on how it works can be found
489
+ [here](docs/usage/reset_password_flow.md).
490
+
478
491
  ### More Configuration Options
479
492
  As mentioned in the introduction there are many configurations that will change how this gem behaves. You can change
480
493
  this values on the initializer files generated by the installer.
@@ -7,14 +7,14 @@ module GraphqlDevise
7
7
  Model = DeviseTokenAuth::Concerns::User
8
8
 
9
9
  Model.module_eval do
10
- def update_with_email(attributes = {})
11
- GraphqlDevise::Model::WithEmailUpdater.new(self, attributes).call
10
+ class_methods do
11
+ def reconfirmable
12
+ devise_modules.include?(:confirmable) && column_names.include?('unconfirmed_email')
13
+ end
12
14
  end
13
15
 
14
- private
15
-
16
- def pending_reconfirmation?
17
- devise_modules.include?(:confirmable) && try(:unconfirmed_email).present?
16
+ def update_with_email(attributes = {})
17
+ GraphqlDevise::Model::WithEmailUpdater.new(self, attributes).call
18
18
  end
19
19
  end
20
20
  end
@@ -2,7 +2,13 @@
2
2
 
3
3
  <p><%= t('.request_reset_link_msg') %></p>
4
4
 
5
- <p><%= link_to t('.password_change_link'), "#{message['schema_url']}?#{password_reset_query(token: @token, redirect_url: message['redirect-url'], resource_name: @resource.class.to_s).to_query}" %></p>
5
+ <p>
6
+ <% if message['schema_url'].present? %>
7
+ <%= link_to t('.password_change_link'), "#{message['schema_url']}?#{password_reset_query(token: @token, redirect_url: message['redirect-url'], resource_name: @resource.class.to_s).to_query}" %>
8
+ <% else %>
9
+ <%= link_to t('.password_change_link'), "#{message['redirect-url'].to_s}?#{{ reset_password_token: @token }.to_query}" %>
10
+ <% end %>
11
+ </p>
6
12
 
7
13
  <p><%= t('.ignore_mail_msg') %></p>
8
14
  <p><%= t('.no_changes_msg') %></p>
@@ -1,5 +1,6 @@
1
1
  en:
2
2
  graphql_devise:
3
+ redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
3
4
  registration_failed: "User couldn't be registered"
4
5
  resource_build_failed: "Resource couldn't be built, execution stopped."
5
6
  not_authenticated: "User is not logged in."
@@ -7,8 +8,8 @@ en:
7
8
  invalid_resource: "Errors present in the resource."
8
9
  registrations:
9
10
  missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
10
- redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
11
11
  passwords:
12
+ password_recovery_disabled: "You must enable password recovery for this model."
12
13
  update_password_error: "Unable to update user password"
13
14
  missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."
14
15
  password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead."
@@ -0,0 +1,90 @@
1
+ # Reset Password Flow
2
+ This gem supports two different ways to reset a password on a resource. Each password reset flow has it's own set of
3
+ operations and this document will explain in more detail how to use each.
4
+ The first and most recently implemented flow is preferred as it requires less steps and doesn't require a mutation
5
+ to return a redirect on the response. Flow 2 might be deprecated in the future.
6
+
7
+ ## Flow #1 (Preferred)
8
+ This flow only has two steps. Each step name refers to the operation name you can use in the mount options to skip or override.
9
+
10
+ ### 1. send_password_reset_with_token
11
+ This mutation will send an email to the specified address if it's found on the system. Returns an error if the email is not found. Here's an example assuming the resource used
12
+ for authentication is `User`:
13
+ ```graphql
14
+ mutation {
15
+ userSendPasswordResetWithToken(
16
+ email: "vvega@wallaceinc.com",
17
+ redirectUrl: "https://google.com"
18
+ ) {
19
+ message
20
+ }
21
+ }
22
+ ```
23
+ The email will contain a link to the `redirectUrl` (https://google.com in the example) and append a `reset_password_token` query param. This is the token you will
24
+ need to use in the next step in order to reset the password.
25
+
26
+ ### 2. update_password_with_token
27
+ This mutation uses the token sent on the email to find the resource you are trying to recover.
28
+ All you have to do is send a valid token together with the new password and password confirmation.
29
+ Here's an example assuming the resource used for authentication is `User`:
30
+
31
+ ```graphql
32
+ mutation {
33
+ userUpdatePasswordWithToken(
34
+ resetPasswordToken: "token_here",
35
+ password: "password123",
36
+ passwordConfirmation: "password123"
37
+ ) {
38
+ authenticatable { email }
39
+ credentials { accessToken }
40
+ }
41
+ }
42
+ ```
43
+ The mutation has two fields:
44
+ 1. `authenticatable`: Just like other mutations, returns the actual resource you just recover the password for.
45
+ 1. `credentials`: This is a nullable field. It will only return credentials as if you had just logged
46
+ in into the app if you explicitly say so by overriding the mutation. The docs have more detail
47
+ on how to extend the default behavior of mutations, but
48
+ [here](https://github.com/graphql-devise/graphql_devise/blob/8c7c8a5ff1b35fb026e4c9499c70dc5f90b9187a/spec/dummy/app/graphql/mutations/reset_admin_password_with_token.rb)
49
+ you can find an example mutation on what needs to be done in order for the mutation to return
50
+ credentials after updating the password.
51
+
52
+ ## Flow 2 (Deprecated)
53
+ This was the first flow to be implemented, requires an additional step and also to encode a GQL query in a url, so this is not the preferred method.
54
+ Each step name refers to the operation name you can use in the mount options to skip or override.
55
+
56
+ ### 1. send_password_reset
57
+ This mutation will send an email to the specified address if it's found on the system. Returns an error if the email is not found. Here's an example assuming the resource used
58
+ for authentication is `User`:
59
+ ```graphql
60
+ mutation {
61
+ userSendPasswordReset(
62
+ email: "vvega@wallaceinc.com",
63
+ redirectUrl: "https://google.com"
64
+ ) {
65
+ message
66
+ }
67
+ }
68
+ ```
69
+ The email will contain an encoded GraphQL query that holds the reset token and redirectUrl.
70
+ The query is described in the next step.
71
+
72
+ ### 2. check_password_token
73
+ This query checks the reset password token and if successful changes a column in the DB (`allow_password_change`) to true.
74
+ This change will allow for the next step to update the password without providing the current password.
75
+ Then, this query will redirect to the provided `redirectUrl` with credentials.
76
+
77
+ ### 3. update_password
78
+ This step requires the request to include authentication headers and will allow the user to
79
+ update the password if step 2 was successful.
80
+ Here's an example assuming the resource used for authentication is `User`:
81
+ ```graphql
82
+ mutation {
83
+ userUpdatePassword(
84
+ password: "password123",
85
+ passwordConfirmation: "password123"
86
+ ) {
87
+ authenticatable { email }
88
+ }
89
+ }
90
+ ```
@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
28
28
  spec.required_ruby_version = '>= 2.2.0'
29
29
 
30
30
  spec.add_dependency 'devise_token_auth', '>= 0.1.43', '< 2.0'
31
- spec.add_dependency 'graphql', '>= 1.8', '< 1.12.0'
31
+ spec.add_dependency 'graphql', '>= 1.8', '< 1.13.0'
32
32
  spec.add_dependency 'rails', '>= 4.2', '< 6.2'
33
33
 
34
34
  spec.add_development_dependency 'appraisal'
@@ -7,6 +7,12 @@ module GraphqlDevise
7
7
 
8
8
  private
9
9
 
10
+ def check_redirect_url_whitelist!(redirect_url)
11
+ if blacklisted_redirect_url?(redirect_url)
12
+ raise_user_error(I18n.t('graphql_devise.redirect_url_not_allowed', redirect_url: redirect_url))
13
+ end
14
+ end
15
+
10
16
  def raise_user_error(message)
11
17
  raise GraphqlDevise::UserError, message
12
18
  end
@@ -90,7 +96,7 @@ module GraphqlDevise
90
96
  end
91
97
 
92
98
  def find_resource(field, value)
93
- if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
99
+ if resource_class.connection.adapter_name.downcase.include?('mysql')
94
100
  # fix for mysql default case insensitivity
95
101
  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
96
102
  elsif Gem::Version.new(DeviseTokenAuth::VERSION) < Gem::Version.new('1.1.0')
@@ -5,18 +5,22 @@ require 'graphql_devise/mutations/login'
5
5
  require 'graphql_devise/mutations/logout'
6
6
  require 'graphql_devise/mutations/resend_confirmation'
7
7
  require 'graphql_devise/mutations/send_password_reset'
8
+ require 'graphql_devise/mutations/send_password_reset_with_token'
8
9
  require 'graphql_devise/mutations/sign_up'
9
10
  require 'graphql_devise/mutations/update_password'
11
+ require 'graphql_devise/mutations/update_password_with_token'
10
12
 
11
13
  module GraphqlDevise
12
14
  module DefaultOperations
13
15
  MUTATIONS = {
14
- login: { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
15
- logout: { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
16
- sign_up: { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
17
- update_password: { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
18
- send_password_reset: { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
19
- resend_confirmation: { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
16
+ login: { klass: GraphqlDevise::Mutations::Login, authenticatable: true },
17
+ logout: { klass: GraphqlDevise::Mutations::Logout, authenticatable: true },
18
+ sign_up: { klass: GraphqlDevise::Mutations::SignUp, authenticatable: true },
19
+ update_password: { klass: GraphqlDevise::Mutations::UpdatePassword, authenticatable: true },
20
+ update_password_with_token: { klass: GraphqlDevise::Mutations::UpdatePasswordWithToken, authenticatable: true },
21
+ send_password_reset: { klass: GraphqlDevise::Mutations::SendPasswordReset, authenticatable: false },
22
+ send_password_reset_with_token: { klass: GraphqlDevise::Mutations::SendPasswordResetWithToken, authenticatable: false },
23
+ resend_confirmation: { klass: GraphqlDevise::Mutations::ResendConfirmation, authenticatable: false }
20
24
  }.freeze
21
25
  end
22
26
  end