rails_jwt_auth 1.7.2 → 2.0.3

data/app/controllers/concerns/rails_jwt_auth/render_helper.rb

@@ -9,12 +9,20 @@ module RailsJwtAuth
       render json: resource, root: true, status: 201
     end
 
+    def render_profile(resource)
+      render json: resource, root: true, status: 200
+    end
+
     def render_204
-      render json: {}, status: 204
+      head 204
     end
 
     def render_404
-      render json: {}, status: 404
+      head 404
+    end
+
+    def render_410
+      head 410
     end
 
     def render_422(errors)

data/app/controllers/rails_jwt_auth/confirmations_controller.rb

@@ -3,22 +3,60 @@ module RailsJwtAuth
     include ParamsHelper
     include RenderHelper
 
-    def create
-      user = RailsJwtAuth.model.where(
-        email: confirmation_create_params[RailsJwtAuth.email_field_name]
-      ).first
+    before_action :set_user_from_token, only: [:show, :update]
+    before_action :set_user_from_email, only: [:create]
+
+    # used to verify token
+    def show
+      return render_404 unless @user
+
+      if user.confirmation_sent_at < RailsJwtAuth.confirmation_expiration_time.ago
+        return render_410
+      end
+
+      render_204
+    end
 
-      return render_422(email: [{error: :not_found}]) unless user
+    # used to resend confirmation
+    def create
+      unless @user
+        if RailsJwtAuth.avoid_email_errors
+          return render_204
+        else
+          return render_422(RailsJwtAuth.email_field_name => [{error: :not_found}])
+        end
+      end
 
-      user.send_confirmation_instructions ? render_204 : render_422(user.errors.details)
+      @user.send_confirmation_instructions ? render_204 : render_422(@user.errors.details)
     end
 
+    # used to accept confirmation
     def update
-      return render_404 unless
-        params[:id] &&
-        (user = RailsJwtAuth.model.where(confirmation_token: params[:id]).first)
+      return render_404 unless @user
+
+      @user.confirm ? render_204 : render_422(@user.errors.details)
+    end
+
+    private
+
+    def set_user_from_token
+      return if params[:id].blank?
+
+      @user = RailsJwtAuth.model.where(confirmation_token: params[:id]).first
+    end
+
+
+    def set_user_from_email
+      email = (confirmation_create_params[RailsJwtAuth.email_field_name] || '').strip
+      email.downcase! if RailsJwtAuth.downcase_auth_field
+
+      if email.blank?
+        return render_422(RailsJwtAuth.email_field_name => [{error: :blank}])
+      elsif !email.match?(RailsJwtAuth.email_regex)
+        return render_422(RailsJwtAuth.email_field_name => [{error: :format}])
+      end
 
-      user.confirm! ? render_204 : render_422(user.errors.details)
+      @user = RailsJwtAuth.model.where(RailsJwtAuth.email_field_name => email).first
     end
   end
 end

data/app/controllers/rails_jwt_auth/invitations_controller.rb

@@ -1,24 +1,42 @@
 module RailsJwtAuth
   class InvitationsController < ApplicationController
+    include AuthenticableHelper
     include ParamsHelper
     include RenderHelper
 
+    before_action :authenticate!, only: [:create]
+    before_action :set_user_from_token, only: [:show, :update]
+
+    # used to verify token
+    def show
+      return render_404 unless @user
+
+      @user.expired_invitation_token? ? render_410 : render_204
+    end
+
+    # used to invite a user, if user is invited send new invitation
     def create
-      authenticate!
-      user = RailsJwtAuth.model.invite!(invitation_create_params)
+      user = RailsJwtAuth.model.invite(invitation_create_params)
       user.errors.empty? ? render_204 : render_422(user.errors.details)
     end
 
+    # used to accept invitation
     def update
-      return render_404 unless
-        params[:id] &&
-        (user = RailsJwtAuth.model.where(invitation_token: params[:id]).first)
+      return render_404 unless @user
+
+      if @user.accept_invitation(invitation_update_params)
+        render_204
+      else
+        render_422(@user.errors.details)
+      end
+    end
+
+    private
 
-      user.assign_attributes invitation_update_params
-      user.accept_invitation!
-      return render_204 if user.errors.empty? && user.save
+    def set_user_from_token
+      return if params[:id].blank?
 
-      render_422(user.errors.details)
+      @user = RailsJwtAuth.model.where(invitation_token: params[:id]).first
     end
   end
 end

data/app/controllers/rails_jwt_auth/profiles_controller.rb

@@ -0,0 +1,51 @@
+module RailsJwtAuth
+  class ProfilesController < ApplicationController
+    include AuthenticableHelper
+    include ParamsHelper
+    include RenderHelper
+
+    PASSWORD_PARAMS = %i[current_password password password_confirmation].freeze
+
+    before_action :authenticate!
+
+    def show
+      render_profile current_user
+    end
+
+    def update
+      if current_user.update(profile_update_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    def password
+      if current_user.update_password(update_password_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    def email
+      return update unless current_user.is_a?(RailsJwtAuth::Confirmable)
+
+      if current_user.update_email(profile_update_email_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    protected
+
+    def changing_password?
+      profile_update_params.values_at(*PASSWORD_PARAMS).any?(&:present?)
+    end
+
+    def update_password_params
+      profile_update_password_params.merge(current_auth_token: jwt_payload['auth_token'])
+    end
+  end
+end

data/app/controllers/rails_jwt_auth/reset_passwords_controller.rb

@@ -0,0 +1,65 @@
+module RailsJwtAuth
+  class ResetPasswordsController < ApplicationController
+    include ParamsHelper
+    include RenderHelper
+
+    before_action :set_user_from_token, only: [:show, :update]
+    before_action :set_user_from_email, only: [:create]
+
+    # used to verify token
+    def show
+      return render_404 unless @user
+
+      if @user.reset_password_sent_at < RailsJwtAuth.reset_password_expiration_time.ago
+        return render_410
+      end
+
+      render_204
+    end
+
+    # used to request restore password
+    def create
+      unless @user
+        if RailsJwtAuth.avoid_email_errors
+          return render_204
+        else
+          return render_422(RailsJwtAuth.email_field_name => [{error: :not_found}])
+        end
+      end
+
+      @user.send_reset_password_instructions ? render_204 : render_422(@user.errors.details)
+    end
+
+    # used to set new password
+    def update
+      return render_404 unless @user
+
+      if @user.set_reset_password(reset_password_update_params)
+        render_204
+      else
+        render_422(@user.errors.details)
+      end
+    end
+
+    private
+
+    def set_user_from_token
+      return if params[:id].blank?
+
+      @user = RailsJwtAuth.model.where(reset_password_token: params[:id]).first
+    end
+
+    def set_user_from_email
+      email = (reset_password_create_params[RailsJwtAuth.email_field_name] || '').strip
+      email.downcase! if RailsJwtAuth.downcase_auth_field
+
+      if email.blank?
+        return render_422(RailsJwtAuth.email_field_name => [{error: :blank}])
+      elsif !email.match?(RailsJwtAuth.email_regex)
+        return render_422(RailsJwtAuth.email_field_name => [{error: :format}])
+      end
+
+      @user = RailsJwtAuth.model.where(RailsJwtAuth.email_field_name => email).first
+    end
+  end
+end

data/app/controllers/rails_jwt_auth/sessions_controller.rb

@@ -1,40 +1,25 @@
 module RailsJwtAuth
   class SessionsController < ApplicationController
+    include AuthenticableHelper
     include ParamsHelper
     include RenderHelper
 
     def create
-      user = find_user
+      se = Session.new(session_create_params)
 
-      if !user
-        render_422 session: [{error: :invalid_session}]
-      elsif user.respond_to?('confirmed?') && !user.confirmed?
-        render_422 session: [{error: :unconfirmed}]
-      elsif user.authentication?(session_create_params[:password])
-        render_session generate_jwt(user), user
+      if se.generate!(request)
+        render_session se.jwt, se.user
       else
-        render_422 session: [user.unauthenticated_error]
+        render_422 se.errors.details
       end
     end
 
     def destroy
-      return render_404 unless RailsJwtAuth.simultaneous_sessions > 0
+      return render_404 unless RailsJwtAuth.simultaneous_sessions.positive?
 
       authenticate!
-      payload = JwtManager.decode_from_request(request)&.first
-      current_user.destroy_auth_token payload['auth_token']
+      current_user.destroy_auth_token @jwt_payload['auth_token']
       render_204
     end
-
-    private
-
-    def generate_jwt(user)
-      JwtManager.encode(user.to_token_payload(request))
-    end
-
-    def find_user
-      auth_field = RailsJwtAuth.auth_field_name!
-      RailsJwtAuth.model.where(auth_field => session_create_params[auth_field]).first
-    end
   end
 end

data/app/controllers/rails_jwt_auth/{unlocks_controller.rb → unlock_accounts_controller.rb}

@@ -1,5 +1,5 @@
 module RailsJwtAuth
-  class UnlocksController < ApplicationController
+  class UnlockAccountsController < ApplicationController
     include ParamsHelper
     include RenderHelper
 
@@ -8,7 +8,7 @@ module RailsJwtAuth
         params[:id] &&
         (user = RailsJwtAuth.model.where(unlock_token: params[:id]).first)
 
-      user.unlock_access! ? render_204 : render_422(user.errors.details)
+      user.unlock_access ? render_204 : render_422(user.errors.details)
     end
   end
 end

data/app/mailers/rails_jwt_auth/mailer.rb

@@ -4,65 +4,60 @@ if defined?(ActionMailer)
 
     before_action do
       @user = RailsJwtAuth.model.find(params[:user_id])
+      @to = @user[RailsJwtAuth.email_field_name]
       @subject = I18n.t("rails_jwt_auth.mailer.#{action_name}.subject")
     end
 
     def confirmation_instructions
-      raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirmations_url.present?
+      raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirm_email_url.present?
 
-      @confirmations_url = add_param_to_url(
-        RailsJwtAuth.confirmations_url,
+      @confirm_email_url = add_param_to_url(
+        RailsJwtAuth.confirm_email_url,
         'confirmation_token',
         @user.confirmation_token
       )
 
-      mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @user.unconfirmed_email || @to, subject: @subject)
     end
 
-    def email_changed
-      mail(to: @user[RailsJwtAuth.email_field_name!], subject: @subject)
+    def email_change_requested_notification
+      mail(to: @to, subject: @subject)
     end
 
     def reset_password_instructions
-      raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_passwords_url.present?
+      raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_password_url.present?
 
-      @reset_passwords_url = add_param_to_url(
-        RailsJwtAuth.reset_passwords_url,
+      @reset_password_url = add_param_to_url(
+        RailsJwtAuth.reset_password_url,
         'reset_password_token',
         @user.reset_password_token
       )
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
-    def set_password_instructions
-      raise RailsJwtAuth::NotSetPasswordsUrl unless RailsJwtAuth.set_passwords_url.present?
-
-      @reset_passwords_url = add_param_to_url(
-        RailsJwtAuth.set_passwords_url,
-        'reset_password_token',
-        @user.reset_password_token
-      )
-
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+    def password_changed_notification
+      mail(to: @to, subject: @subject)
     end
 
-    def send_invitation
-      raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.invitations_url.present?
+    def invitation_instructions
+      raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.accept_invitation_url.present?
 
-      @invitations_url = add_param_to_url(
-        RailsJwtAuth.invitations_url,
+      @accept_invitation_url = add_param_to_url(
+        RailsJwtAuth.accept_invitation_url,
         'invitation_token',
         @user.invitation_token
       )
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
-    def send_unlock_instructions
-      @unlock_url = add_param_to_url(RailsJwtAuth.unlock_url, 'unlock_token', @user.unlock_token)
+    def unlock_instructions
+      raise RailsJwtAuth::NotUnlockUrl unless RailsJwtAuth.unlock_account_url.present?
+
+      @unlock_account_url = add_param_to_url(RailsJwtAuth.unlock_account_url, 'unlock_token', @user.unlock_token)
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
     protected

data/app/models/concerns/rails_jwt_auth/authenticatable.rb

@@ -8,28 +8,41 @@ module RailsJwtAuth
       base.class_eval do
         if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
           field :password_digest, type: String
-          field :auth_tokens, type: Array if RailsJwtAuth.simultaneous_sessions > 0
+          field :auth_tokens, type: Array, default: [] if RailsJwtAuth.simultaneous_sessions > 0
         elsif defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
           serialize :auth_tokens, Array
         end
 
         has_secure_password
+
+        before_validation do
+          if RailsJwtAuth.downcase_auth_field &&
+             public_send("#{RailsJwtAuth.auth_field_name}_changed?")
+            self[RailsJwtAuth.auth_field_name]&.downcase!
+          end
+        end
       end
     end
 
-    def regenerate_auth_token(token = nil)
+    def load_auth_token
       new_token = SecureRandom.base58(24)
 
       if RailsJwtAuth.simultaneous_sessions > 1
-        tokens = ((auth_tokens || []) - [token]).last(RailsJwtAuth.simultaneous_sessions - 1)
-        update_attribute(:auth_tokens, (tokens + [new_token]).uniq)
+        tokens = (auth_tokens || []).last(RailsJwtAuth.simultaneous_sessions - 1)
+        self.auth_tokens = (tokens + [new_token]).uniq
       else
-        update_attribute(:auth_tokens, [new_token])
+        self.auth_tokens = [new_token]
       end
 
       new_token
     end
 
+    def regenerate_auth_token(token=nil)
+      self.auth_tokens -= [token] if token
+      token = load_auth_token
+      save ? token : false
+    end
+
     def destroy_auth_token(token)
       if RailsJwtAuth.simultaneous_sessions > 1
         tokens = auth_tokens || []
@@ -39,7 +52,34 @@ module RailsJwtAuth
       end
     end
 
-    def update_with_password(params)
+    def to_token_payload(_request=nil)
+      if RailsJwtAuth.simultaneous_sessions > 0
+        auth_tokens&.last ? {auth_token: auth_tokens.last} : false
+      else
+        {id: id.to_s}
+      end
+    end
+
+    def save_without_password
+      # when set password to nil only password_digest is setted to nil
+      # https://github.com/rails/rails/blob/master/activemodel/lib/active_model/secure_password.rb#L97
+      instance_variable_set("@password", nil)
+      self.password_confirmation = nil
+      self.password_digest = nil
+
+      return false unless valid_without_password?
+
+      save(validate: false)
+    end
+
+    def valid_without_password?
+      valid?
+      errors.delete(:password) # allow register without pass
+      errors.delete(:password_confirmation)
+      errors.empty?
+    end
+
+    def update_password(params)
       current_password_error = if (current_password = params.delete(:current_password)).blank?
                                  'blank'
                                elsif !authenticate(current_password)
@@ -51,28 +91,29 @@ module RailsJwtAuth
         self.reset_password_token = self.reset_password_sent_at = nil
       end
 
+      # close all sessions or other sessions when pass current_auth_token
+      current_auth_token = params.delete :current_auth_token
+      self.auth_tokens = current_auth_token ? [current_auth_token] : []
+
       assign_attributes(params)
       valid? # validates first other fields
       errors.add(:current_password, current_password_error) if current_password_error
       errors.add(:password, 'blank') if params[:password].blank?
 
-      errors.empty? ? save : false
-    end
+      return false unless errors.empty?
+      return false unless save
 
-    def to_token_payload(_request=nil)
-      if RailsJwtAuth.simultaneous_sessions > 0
-        {auth_token: regenerate_auth_token}
-      else
-        {id: id.to_s}
-      end
-    end
+      deliver_password_changed_notification
 
-    def authentication?(pass)
-      authenticate(pass)
+      true
     end
 
-    def unauthenticated_error
-      {error: :invalid_session}
+    protected
+
+    def deliver_password_changed_notification
+      return unless RailsJwtAuth.send_password_changed_notification
+
+      RailsJwtAuth.send_email(:password_changed_notification, self)
     end
 
     module ClassMethods