rails_jwt_auth 0.18.1 → 1.3.1

data/app/controllers/rails_jwt_auth/invitations_controller.rb

@@ -4,21 +4,20 @@ module RailsJwtAuth
     include RenderHelper
 
     def create
-      attr_hash = invitation_create_params
-      user = RailsJwtAuth.model.invite!(attr_hash)
-      user.errors.empty? ? render_204 : render_422(user.errors)
+      user = RailsJwtAuth.model.invite!(invitation_create_params)
+      user.errors.empty? ? render_204 : render_422(user.errors.details)
     end
 
     def update
-      attr_hash = invitation_update_params
-      token = attr_hash.delete(:invitation_token)
-      user = RailsJwtAuth.model.where(invitation_token: token).first
-      user.assign_attributes attr_hash
-      user.accept_invitation!
+      return render_404 unless
+        params[:id] &&
+        (user = RailsJwtAuth.model.where(invitation_token: params[:id]).first)
 
+      user.assign_attributes invitation_update_params
+      user.accept_invitation!
       return render_204 if user.errors.empty? && user.save
 
-      render_422(user.errors)
+      render_422(user.errors.details)
     end
   end
 end

data/app/controllers/rails_jwt_auth/passwords_controller.rb

@@ -4,28 +4,20 @@ module RailsJwtAuth
     include RenderHelper
 
     def create
-      user = RailsJwtAuth.model.where(email: password_create_params[:email]).first
-      return render_422(email: [I18n.t('rails_jwt_auth.errors.not_found')]) unless user
+      user = RailsJwtAuth.model.where(email: password_create_params[:email].to_s.downcase).first
+      return render_422(email: [{error: :not_found}]) unless user
 
-      user.send_reset_password_instructions ? render_204 : render_422(user.errors)
+      user.send_reset_password_instructions ? render_204 : render_422(user.errors.details)
     end
 
     def update
-      if params[:reset_password_token].blank?
-        return render_422(reset_password_token: [I18n.t('rails_jwt_auth.errors.not_found')])
-      end
+      return render_404 unless
+        params[:id] &&
+        (user = RailsJwtAuth.model.where(reset_password_token: params[:id]).first)
 
-      user = RailsJwtAuth.model.where(reset_password_token: params[:reset_password_token]).first
+      return render_422(password: [{error: :blank}]) if password_update_params[:password].blank?
 
-      unless user
-        return render_422(reset_password_token: [I18n.t('rails_jwt_auth.errors.not_found')])
-      end
-
-      unless password_update_params[:password].present?
-        return render_422(password: [I18n.t('rails_jwt_auth.errors.password.blank')])
-      end
-
-      user.update_attributes(password_update_params) ? render_204 : render_422(user.errors)
+      user.update(password_update_params) ? render_204 : render_422(user.errors.details)
     end
   end
 end

data/app/controllers/rails_jwt_auth/registrations_controller.rb

@@ -5,7 +5,7 @@ module RailsJwtAuth
 
     def create
       user = RailsJwtAuth.model.new(registration_create_params)
-      user.save ? render_registration(user) : render_422(user.errors)
+      user.save ? render_registration(user) : render_422(user.errors.details)
     end
   end
 end

data/app/controllers/rails_jwt_auth/sessions_controller.rb

@@ -1,41 +1,40 @@
-require 'rails_jwt_auth/jwt/manager'
-require 'rails_jwt_auth/jwt/request'
-
 module RailsJwtAuth
   class SessionsController < ApplicationController
     include ParamsHelper
     include RenderHelper
 
     def create
-      user = RailsJwtAuth.model.where(RailsJwtAuth.auth_field_name =>
-        session_create_params[RailsJwtAuth.auth_field_name].to_s.downcase).first
+      user = find_user
 
       if !user
-        render_422 session: [create_session_error]
+        render_422 session: [{error: :invalid_session}]
       elsif user.respond_to?('confirmed?') && !user.confirmed?
-        render_422 session: [I18n.t('rails_jwt_auth.errors.unconfirmed')]
+        render_422 session: [{error: :unconfirmed}]
       elsif user.authenticate(session_create_params[:password])
-        render_session get_jwt(user), user
+        render_session generate_jwt(user), user
       else
-        render_422 session: [create_session_error]
+        render_422 session: [{error: :invalid_session}]
       end
     end
 
     def destroy
+      return render_404 unless RailsJwtAuth.simultaneous_sessions > 0
+
       authenticate!
-      current_user.destroy_auth_token Jwt::Request.new(request).auth_token
+      payload = JwtManager.decode_from_request(request)&.first
+      current_user.destroy_auth_token payload['auth_token']
       render_204
     end
 
     private
 
-    def get_jwt(user)
-      token = user.regenerate_auth_token
-      RailsJwtAuth::Jwt::Manager.encode(auth_token: token)
+    def generate_jwt(user)
+      JwtManager.encode(user.to_token_payload(request))
     end
 
-    def create_session_error
-      I18n.t('rails_jwt_auth.errors.create_session', field: RailsJwtAuth.auth_field_name)
+    def find_user
+      auth_field = RailsJwtAuth.auth_field_name!
+      RailsJwtAuth.model.where(auth_field => session_create_params[auth_field]).first
     end
   end
 end

data/app/mailers/rails_jwt_auth/mailer.rb

@@ -3,70 +3,61 @@ if defined?(ActionMailer)
     default from: RailsJwtAuth.mailer_sender
 
     def confirmation_instructions(user)
+      raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirmations_url.present?
       @user = user
 
-      if RailsJwtAuth.confirmation_url
-        url, params = RailsJwtAuth.confirmation_url.split('?')
-        params = params ? params.split('&') : []
-        params.push("confirmation_token=#{@user.confirmation_token}")
-
-        @confirmation_url = "#{url}?#{params.join('&')}"
-      else
-        @confirmation_url = confirmation_url(confirmation_token: @user.confirmation_token)
-      end
+      url, params = RailsJwtAuth.confirmations_url.split('?')
+      params = params ? params.split('&') : []
+      params.push("confirmation_token=#{@user.confirmation_token}")
+      @confirmations_url = "#{url}?#{params.join('&')}"
 
       subject = I18n.t('rails_jwt_auth.mailer.confirmation_instructions.subject')
-      mail(to: @user.unconfirmed_email || @user.email, subject: subject)
+      mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: subject)
     end
 
-    def reset_password_instructions(user)
+    def email_changed(user)
       @user = user
+      subject = I18n.t('rails_jwt_auth.mailer.email_changed.subject')
+      mail(to: @user[RailsJwtAuth.email_field_name!], subject: subject)
+    end
 
-      if RailsJwtAuth.reset_password_url
-        url, params = RailsJwtAuth.reset_password_url.split('?')
-        params = params ? params.split('&') : []
-        params.push("reset_password_token=#{@user.reset_password_token}")
+    def reset_password_instructions(user)
+      raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_passwords_url.present?
+      @user = user
 
-        @reset_password_url = "#{url}?#{params.join('&')}"
-      else
-        @reset_password_url = password_url(reset_password_token: @user.reset_password_token)
-      end
+      url, params = RailsJwtAuth.reset_passwords_url.split('?')
+      params = params ? params.split('&') : []
+      params.push("reset_password_token=#{@user.reset_password_token}")
+      @reset_passwords_url = "#{url}?#{params.join('&')}"
 
       subject = I18n.t('rails_jwt_auth.mailer.reset_password_instructions.subject')
-      mail(to: @user.email, subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
     end
 
     def set_password_instructions(user)
+      raise RailsJwtAuth::NotSetPasswordsUrl unless RailsJwtAuth.set_passwords_url.present?
       @user = user
 
-      if RailsJwtAuth.set_password_url
-        url, params = RailsJwtAuth.set_password_url.split('?')
-        params = params ? params.split('&') : []
-        params.push("reset_password_token=#{@user.reset_password_token}")
-
-        @reset_password_url = "#{url}?#{params.join('&')}"
-      else
-        @reset_password_url = password_url(reset_password_token: @user.reset_password_token)
-      end
+      url, params = RailsJwtAuth.set_passwords_url.split('?')
+      params = params ? params.split('&') : []
+      params.push("reset_password_token=#{@user.reset_password_token}")
+      @reset_passwords_url = "#{url}?#{params.join('&')}"
 
       subject = I18n.t('rails_jwt_auth.mailer.set_password_instructions.subject')
-      mail(to: @user.email, subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
     end
 
     def send_invitation(user)
+      raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.invitations_url.present?
       @user = user
 
-      if RailsJwtAuth.invitation_url
-        url, params = RailsJwtAuth.invitation_url.split '?'
-        params = params ? params.split('&') : []
-        params.push("invitation_token=#{@user.invitation_token}")
-        @accept_invitation_url = "#{url}?#{params.join('&')}"
-      else
-        @accept_invitation_url = invitation_url(invitation_token: @user.invitation_token)
-      end
+      url, params = RailsJwtAuth.invitations_url.split '?'
+      params = params ? params.split('&') : []
+      params.push("invitation_token=#{@user.invitation_token}")
+      @invitations_url = "#{url}?#{params.join('&')}"
 
       subject = I18n.t('rails_jwt_auth.mailer.send_invitation.subject')
-      mail(to: @user.email, subject: subject)
+      mail(to: @user[RailsJwtAuth.email_field_name], subject: subject)
     end
   end
 end

data/app/models/concerns/rails_jwt_auth/authenticatable.rb

@@ -2,6 +2,21 @@ include ActiveModel::SecurePassword
 
 module RailsJwtAuth
   module Authenticatable
+    def self.included(base)
+      base.extend(ClassMethods)
+
+      base.class_eval do
+        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
+          field :password_digest, type: String
+          field :auth_tokens, type: Array if RailsJwtAuth.simultaneous_sessions > 0
+        elsif defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
+          serialize :auth_tokens, Array
+        end
+
+        has_secure_password
+      end
+    end
+
     def regenerate_auth_token(token = nil)
       new_token = SecureRandom.base58(24)
 
@@ -25,48 +40,45 @@ module RailsJwtAuth
     end
 
     def update_with_password(params)
-      if (current_password = params.delete(:current_password)).blank?
-        errors.add(:current_password, I18n.t('rails_jwt_auth.errors.current_password.blank'))
-      elsif !authenticate(current_password)
-        errors.add(:current_password, I18n.t('rails_jwt_auth.errors.current_password.invalid'))
-      end
+      current_password_error = if (current_password = params.delete(:current_password)).blank?
+                                 'blank'
+                               elsif !authenticate(current_password)
+                                 'invalid'
+                               end
 
-      if params[:password].blank?
-        errors.add(:password, I18n.t('rails_jwt_auth.errors.password.blank'))
-      end
+      # abort reset password if exists to allow save
+      self.reset_password_token = self.reset_password_sent_at = nil if reset_password_token
 
-      errors.empty? ? update_attributes(params) : false
+      assign_attributes(params)
+      valid? # validates first other fields
+      errors.add(:current_password, current_password_error) if current_password_error
+      errors.add(:password, 'blank') if params[:password].blank?
+
+      errors.empty? ? save : false
     end
 
-    module ClassMethods
-      def get_by_token(token)
-        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
-          where(auth_tokens: token).first
-        elsif defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
-          where('auth_tokens like ?', "%#{token}%").first
-        end
+    def to_token_payload(_request=nil)
+      if RailsJwtAuth.simultaneous_sessions > 0
+        {auth_token: regenerate_auth_token}
+      else
+        {id: id.to_s}
       end
     end
 
-    def self.included(base)
-      base.extend(ClassMethods)
+    module ClassMethods
+      def from_token_payload(payload)
+        if RailsJwtAuth.simultaneous_sessions > 0
+          get_by_token(payload['auth_token'])
+        else
+          where(id: payload['id']).first
+        end
+      end
 
-      base.class_eval do
+      def get_by_token(token)
         if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
-          field RailsJwtAuth.auth_field_name, type: String
-          field :password_digest,             type: String
-          field :auth_tokens,                 type: Array
+          where(auth_tokens: token).first
         elsif defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
-          serialize :auth_tokens, Array
-        end
-
-        validates RailsJwtAuth.auth_field_name, presence: true, uniqueness: true
-        validates RailsJwtAuth.auth_field_name, email: true if RailsJwtAuth.auth_field_email
-
-        has_secure_password
-
-        before_validation do
-          self.email = email.downcase if email
+          where('auth_tokens like ?', "%#{token}%").first
         end
       end
     end

data/app/models/concerns/rails_jwt_auth/confirmable.rb

@@ -1,13 +1,61 @@
 module RailsJwtAuth
   module Confirmable
+    def self.included(base)
+      base.class_eval do
+        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
+          # include GlobalID::Identification to use deliver_later method
+          # http://edgeguides.rubyonrails.org/active_job_basics.html#globalid
+          include GlobalID::Identification if RailsJwtAuth.deliver_later
+
+          field :unconfirmed_email,    type: String
+          field :confirmation_token,   type: String
+          field :confirmation_sent_at, type: Time
+          field :confirmed_at,         type: Time
+        end
+
+        validate :validate_confirmation, if: :confirmed_at_changed?
+
+        after_create do
+          unless confirmed_at || confirmation_sent_at || self['invitation_token']
+            send_confirmation_instructions
+          end
+        end
+
+        before_update do
+          email_field = RailsJwtAuth.email_field_name!
+
+          if public_send("#{email_field}_changed?") &&
+             public_send("#{email_field}_was") &&
+             !confirmed_at_changed? &&
+             !self['invitation_token']
+            self.unconfirmed_email = self[email_field]
+            self[email_field] = public_send("#{email_field}_was")
+
+            self.confirmation_token = SecureRandom.base58(24)
+            self.confirmation_sent_at = Time.current
+
+            mailer = Mailer.confirmation_instructions(self)
+            RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+
+            if RailsJwtAuth.send_email_changed_notification
+              mailer = Mailer.email_changed(self)
+              RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
+            end
+          end
+        end
+      end
+    end
+
     def send_confirmation_instructions
+      email_field = RailsJwtAuth.email_field_name!
+
       if confirmed? && !unconfirmed_email
-        errors.add(:email, I18n.t('rails_jwt_auth.errors.already_confirmed'))
+        errors.add(email_field, :already_confirmed)
         return false
       end
 
       self.confirmation_token = SecureRandom.base58(24)
-      self.confirmation_sent_at = Time.now
+      self.confirmation_sent_at = Time.current
       return false unless save
 
       mailer = Mailer.confirmation_instructions(self)
@@ -20,11 +68,11 @@ module RailsJwtAuth
     end
 
     def confirm!
-      self.confirmed_at = Time.now.utc
+      self.confirmed_at = Time.current
       self.confirmation_token = nil
 
       if unconfirmed_email
-        self.email = unconfirmed_email
+        self[RailsJwtAuth.email_field_name!] = unconfirmed_email
         self.email_confirmation = unconfirmed_email if respond_to?(:email_confirmation)
         self.unconfirmed_email = nil
       end
@@ -33,57 +81,21 @@ module RailsJwtAuth
     end
 
     def skip_confirmation!
-      self.confirmed_at = Time.now.utc
+      self.confirmed_at = Time.current
       self.confirmation_token = nil
     end
 
-    def self.included(base)
-      base.class_eval do
-        if ancestors.include? Mongoid::Document
-          # include GlobalID::Identification to use deliver_later method
-          # http://edgeguides.rubyonrails.org/active_job_basics.html#globalid
-          include GlobalID::Identification if RailsJwtAuth.deliver_later
-
-          field :email,                type: String
-          field :unconfirmed_email,    type: String
-          field :confirmation_token,   type: String
-          field :confirmation_sent_at, type: Time
-          field :confirmed_at,         type: Time
-        end
-
-        validate :validate_confirmation, if: :confirmed_at_changed?
-
-        after_create do
-          unless confirmed_at || confirmation_sent_at || self['invitation_token']
-            send_confirmation_instructions
-          end
-        end
-
-        before_update do
-          if email_changed? && email_was && !confirmed_at_changed? && !self['invitation_token']
-            self.unconfirmed_email = email
-            self.email = email_was
-
-            self.confirmation_token = SecureRandom.base58(24)
-            self.confirmation_sent_at = Time.now
-
-            mailer = Mailer.confirmation_instructions(self)
-            RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
-          end
-        end
-      end
-    end
-
-    private
+    protected
 
     def validate_confirmation
       return true unless confirmed_at
+      email_field = RailsJwtAuth.email_field_name!
 
-      if confirmed_at_was && !email_changed?
-        errors.add(:email, I18n.t('rails_jwt_auth.errors.already_confirmed'))
+      if confirmed_at_was && !public_send("#{email_field}_changed?")
+        errors.add(email_field, :already_confirmed)
       elsif confirmation_sent_at &&
-            (confirmation_sent_at < (Time.now - RailsJwtAuth.confirmation_expiration_time))
-        errors.add(:confirmation_token, I18n.t('rails_jwt_auth.errors.expired'))
+            (confirmation_sent_at < (Time.current - RailsJwtAuth.confirmation_expiration_time))
+        errors.add(:confirmation_token, :expired)
       end
     end
   end

data/app/models/concerns/rails_jwt_auth/invitable.rb

@@ -1,11 +1,9 @@
 module RailsJwtAuth
   module Invitable
-    extend ActiveSupport::Concern
-
     def self.included(base)
       base.extend ClassMethods
       base.class_eval do
-        if ancestors.include? Mongoid::Document
+        if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
           # include GlobalID::Identification to use deliver_later method
           # http://edgeguides.rubyonrails.org/active_job_basics.html#globalid
           include GlobalID::Identification if RailsJwtAuth.deliver_later
@@ -14,8 +12,6 @@ module RailsJwtAuth
           field :invitation_sent_at,       type: Time
           field :invitation_accepted_at,   type: Time
           field :invitation_created_at,    type: Time
-
-          index({invitation_token: 1}, {unique: true})
         end
       end
     end
@@ -30,66 +26,67 @@ module RailsJwtAuth
       # @param [Hash] attributes Hash containing user's attributes to be filled.
       #               Must contain an email key.
       #
-      #
       # @return [user] The user created or found by email.
-
-      # rubocop:disable Metrics/AbcSize
       def invite!(attributes={})
         attrs = ActiveSupport::HashWithIndifferentAccess.new(attributes.to_h)
-        auth_field = RailsJwtAuth.auth_field_name
+        auth_field = RailsJwtAuth.auth_field_name!
         auth_attribute = attrs.delete(auth_field)
 
         raise ArgumentError unless auth_attribute
 
         record = RailsJwtAuth.model.find_or_initialize_by(auth_field => auth_attribute)
         record.assign_attributes(attrs)
-        record.invitation_created_at = Time.now.utc if record.new_record?
-
-        unless record.password || record.password_digest
-          password = SecureRandom.base58(16)
-          record.password = password
-          record.password_confirmation = password
-        end
 
-        record.valid?
-
-        # Users that are registered and were not invited are not reinvitable
-        if !record.new_record? && !record.invited?
-          record.errors.add(RailsJwtAuth.auth_field_name, :taken)
-        end
-
-        # Users that have already accepted an invitation are not reinvitable
-        if !record.new_record? && record.invited? && record.invitation_accepted_at.present?
-          record.errors.add(RailsJwtAuth.auth_field_name, :taken)
-        end
-
-        record.invite! if record.errors.empty?
+        record.invite!
         record
       end
-      # rubocop:enable Metrics/AbcSize
     end
 
     # Accept an invitation by clearing token and setting invitation_accepted_at
     def accept_invitation
-      self.invitation_accepted_at = Time.now.utc
+      self.invitation_accepted_at = Time.current
       self.invitation_token = nil
     end
 
     def accept_invitation!
       return unless invited?
+
       if valid_invitation?
         accept_invitation
-        self.confirmed_at = Time.now.utc if respond_to? :confirmed_at
+        self.confirmed_at = Time.current if respond_to?(:confirmed_at) && confirmed_at.nil?
       else
         errors.add(:invitation_token, :invalid)
       end
     end
 
     def invite!
+      self.invitation_created_at = Time.current if new_record?
+
+      unless password || password_digest
+        passw = SecureRandom.base58(16)
+        self.password = passw
+        self.password_confirmation = passw
+      end
+
+      valid?
+
+      # users that are registered and were not invited are not reinvitable
+      if !new_record? && !invited?
+        errors.add(RailsJwtAuth.auth_field_name!, :taken)
+      end
+
+      # users that have already accepted an invitation are not reinvitable
+      if !new_record? && invited? && invitation_accepted_at.present?
+        errors.add(RailsJwtAuth.auth_field_name!, :taken)
+      end
+
+      return self unless errors.empty?
+
       generate_invitation_token if invitation_token.nil?
-      self.invitation_sent_at = Time.now.utc
+      self.invitation_sent_at = Time.current
 
       send_invitation_mail if save(validate: false)
+      self
     end
 
     def invited?
@@ -104,6 +101,10 @@ module RailsJwtAuth
       invited? && invitation_period_valid?
     end
 
+    def accepted_invitation?
+      invitation_token.nil? && invitation_accepted_at.present?
+    end
+
     protected
 
     def generate_invitation_token
@@ -111,6 +112,7 @@ module RailsJwtAuth
     end
 
     def send_invitation_mail
+      RailsJwtAuth.email_field_name! # ensure email field es valid
       mailer = Mailer.send_invitation(self)
       RailsJwtAuth.deliver_later ? mailer.deliver_later : mailer.deliver
     end
@@ -118,7 +120,7 @@ module RailsJwtAuth
     def invitation_period_valid?
       time = invitation_sent_at || invitation_created_at
       expiration_time = RailsJwtAuth.invitation_expiration_time
-      time && (expiration_time.to_i.zero? || time.utc >= expiration_time.ago)
+      time && (expiration_time.to_i.zero? || time >= expiration_time.ago)
     end
   end
 end