rails_jwt_auth 1.7.2 → 2.0.3

data/app/models/concerns/rails_jwt_auth/confirmable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RailsJwtAuth
   module Confirmable
     def self.included(base)
@@ -20,47 +22,16 @@ module RailsJwtAuth
             send_confirmation_instructions
           end
         end
-
-        before_update do
-          email_field = RailsJwtAuth.email_field_name!
-
-          if public_send("#{email_field}_changed?") &&
-             public_send("#{email_field}_was") &&
-             !confirmed_at_changed? &&
-             !self['invitation_token']
-            self.unconfirmed_email = self[email_field]
-            self[email_field] = public_send("#{email_field}_was")
-
-            self.confirmation_token = SecureRandom.base58(24)
-            self.confirmation_sent_at = Time.current
-          end
-        end
-
-        if defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
-          after_commit  do
-            if unconfirmed_email && saved_change_to_unconfirmed_email?
-              deliver_email_changed_emails
-            end
-          end
-        elsif defined?(Mongoid) && ancestors.include?(Mongoid::Document)
-          after_update do
-            if unconfirmed_email && unconfirmed_email_changed?
-              deliver_email_changed_emails
-            end
-          end
-        end
       end
     end
 
     def send_confirmation_instructions
-      email_field = RailsJwtAuth.email_field_name!
-
       if confirmed? && !unconfirmed_email
-        errors.add(email_field, :already_confirmed)
+        errors.add(RailsJwtAuth.email_field_name, :already_confirmed)
         return false
       end
 
-      self.confirmation_token = SecureRandom.base58(24)
+      self.confirmation_token = generate_confirmation_token
       self.confirmation_sent_at = Time.current
       return false unless save
 
@@ -72,12 +43,12 @@ module RailsJwtAuth
       confirmed_at.present?
     end
 
-    def confirm!
+    def confirm
       self.confirmed_at = Time.current
       self.confirmation_token = nil
 
       if unconfirmed_email
-        email_field = RailsJwtAuth.email_field_name!
+        email_field = RailsJwtAuth.email_field_name
 
         self[email_field] = unconfirmed_email
         self.unconfirmed_email = nil
@@ -91,17 +62,56 @@ module RailsJwtAuth
       save
     end
 
-    def skip_confirmation!
+    def skip_confirmation
       self.confirmed_at = Time.current
       self.confirmation_token = nil
     end
 
+    def update_email(params)
+      email_field = RailsJwtAuth.email_field_name.to_sym
+      params = HashWithIndifferentAccess.new(params)
+
+      # email change must be protected by password
+      password_error = if (password = params[:password]).blank?
+                         :blank
+                       elsif !authenticate(password)
+                         :invalid
+                       end
+
+      self.email = params[email_field]
+      self.confirmation_token = generate_confirmation_token
+      self.confirmation_sent_at = Time.current
+
+      valid? # validates first other fields
+      errors.add(:password, password_error) if password_error
+      errors.add(email_field, :not_change) unless email_changed?
+
+      return false unless errors.empty?
+
+      # move email to unconfirmed_email field and restore
+      self.unconfirmed_email = email
+      self.email = email_was
+
+      return false unless save
+
+      deliver_email_changed_emails
+
+      true
+    end
+
     protected
 
+    def generate_confirmation_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(confirmation_token: token).exists?
+      end
+    end
+
     def validate_confirmation
       return true unless confirmed_at
 
-      email_field = RailsJwtAuth.email_field_name!
+      email_field = RailsJwtAuth.email_field_name
 
       if confirmed_at_was && !public_send("#{email_field}_changed?")
         errors.add(email_field, :already_confirmed)
@@ -116,8 +126,8 @@ module RailsJwtAuth
       RailsJwtAuth.send_email(:confirmation_instructions, self)
 
       # send notify to old email
-      if RailsJwtAuth.send_email_changed_notification
-        RailsJwtAuth.send_email(:email_changed, self)
+      if RailsJwtAuth.send_email_change_requested_notification
+        RailsJwtAuth.send_email(:email_change_requested_notification, self)
       end
     end
   end

data/app/models/concerns/rails_jwt_auth/invitable.rb

@@ -11,115 +11,89 @@ module RailsJwtAuth
           field :invitation_token,         type: String
           field :invitation_sent_at,       type: Time
           field :invitation_accepted_at,   type: Time
-          field :invitation_created_at,    type: Time
         end
       end
     end
 
     module ClassMethods
       # Creates an user and sends an invitation to him.
-      # If the user is already invited and pending of completing registration
-      # the invitation is resent by email.
-      # If the user is already registered, it returns the user with a
-      # <tt>:taken</tt> on the email field.
-      #
-      # @param [Hash] attributes Hash containing user's attributes to be filled.
-      #               Must contain an email key.
-      #
-      # @return [user] The user created or found by email.
-      def invite!(attributes={})
+      def invite(attributes={})
         attrs = ActiveSupport::HashWithIndifferentAccess.new(attributes.to_h)
-        auth_field = RailsJwtAuth.auth_field_name!
+        auth_field = RailsJwtAuth.auth_field_name
         auth_attribute = attrs.delete(auth_field)
 
-        raise ArgumentError unless auth_attribute
-
         record = RailsJwtAuth.model.find_or_initialize_by(auth_field => auth_attribute)
         record.assign_attributes(attrs)
 
-        record.invite!
+        record.invite
         record
       end
     end
 
-    # Accept an invitation by clearing token and setting invitation_accepted_at
-    def accept_invitation
-      self.invitation_accepted_at = Time.current
-      self.invitation_token = nil
-    end
-
-    def accept_invitation!
-      return unless invited?
-
-      if valid_invitation?
-        accept_invitation
-        self.confirmed_at = Time.current if respond_to?(:confirmed_at) && confirmed_at.nil?
-      else
-        errors.add(:invitation_token, :invalid)
+    # Sends an invitation to user
+    # If the user has pending invitation, new one is sent
+    def invite
+      if persisted? && !invitation_token
+        errors.add(RailsJwtAuth.auth_field_name, :registered)
+        return false
       end
-    end
 
-    def invite!
-      self.invitation_created_at = Time.current if new_record?
+      @inviting = true
+      self.invitation_token = generate_invitation_token
+      self.invitation_sent_at = Time.current
 
-      unless password || password_digest
-        passw = SecureRandom.base58(16)
-        self.password = passw
-        self.password_confirmation = passw
-      end
+      return false unless save_without_password
 
-      valid?
+      RailsJwtAuth.send_email(:invitation_instructions, self)
+      true
+    ensure
+      @inviting = false
+    end
 
-      # users that are registered and were not invited are not reinvitable
-      if !new_record? && !invited?
-        errors.add(RailsJwtAuth.auth_field_name!, :taken)
-      end
+    # Finishes invitation process setting user password
+    def accept_invitation(params)
+      return false unless invitation_token.present?
 
-      # users that have already accepted an invitation are not reinvitable
-      if !new_record? && invited? && invitation_accepted_at.present?
-        errors.add(RailsJwtAuth.auth_field_name!, :taken)
-      end
+      self.assign_attributes(params)
 
-      return self unless errors.empty?
+      valid?
+      errors.add(:password, :blank) if params[:password].blank?
+      errors.add(:invitation_token, :expired) if expired_invitation_token?
 
-      generate_invitation_token if invitation_token.nil?
-      self.invitation_sent_at = Time.current
+      return false unless errors.empty?
 
-      send_invitation_mail if save(validate: false)
-      self
+      self.invitation_accepted_at = Time.current
+      self.invitation_token = nil
+      self.invitation_sent_at = nil
+      self.confirmed_at = Time.current if respond_to?(:confirmed_at) && confirmed_at.nil?
+      save
     end
 
-    def invited?
-      (persisted? && invitation_token.present?)
+    def inviting?
+      @inviting || false
     end
 
-    def generate_invitation_token!
-      generate_invitation_token && save(validate: false)
+    def valid_for_invite?
+      @inviting = true
+      valid_without_password?
+    ensure
+      @inviting = false
     end
 
-    def valid_invitation?
-      invited? && invitation_period_valid?
-    end
+    def expired_invitation_token?
+      expiration_time = RailsJwtAuth.invitation_expiration_time
+      return false if expiration_time.to_i.zero?
 
-    def accepted_invitation?
-      invitation_token.nil? && invitation_accepted_at.present?
+      invitation_sent_at && invitation_sent_at < expiration_time.ago
     end
 
     protected
 
     def generate_invitation_token
-      self.invitation_token = SecureRandom.base58(128)
-    end
-
-    def send_invitation_mail
-      RailsJwtAuth.email_field_name! # ensure email field is valid
-      RailsJwtAuth.send_email(:send_invitation, self)
-    end
-
-    def invitation_period_valid?
-      time = invitation_sent_at || invitation_created_at
-      expiration_time = RailsJwtAuth.invitation_expiration_time
-      time && (expiration_time.to_i.zero? || time >= expiration_time.ago)
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(invitation_token: token).exists?
+      end
     end
   end
 end

data/app/models/concerns/rails_jwt_auth/lockable.rb

@@ -13,66 +13,51 @@ module RailsJwtAuth
       end
     end
 
-    def lock_access!
-      self.locked_at = Time.now.utc
+    def lock_access
+      self.locked_at = Time.current
+
       save(validate: false).tap do |result|
         send_unlock_instructions if result && unlock_strategy_enabled?(:email)
       end
     end
 
-    def unlock_access!
+    def clean_lock
       self.locked_at = nil
-      self.failed_attempts = 0
-      self.first_failed_attempt_at = nil
       self.unlock_token = nil
-      save(validate: false)
+      reset_attempts
     end
 
-    def reset_attempts!
-      self.failed_attempts = 0
-      self.first_failed_attempt_at = nil
-      save(validate: false)
+    def unlock_access
+      clean_lock
+
+      save(validate: false) if changed?
     end
 
-    def authentication?(pass)
-      return super(pass) unless lock_strategy_enabled?(:failed_attempts)
+    def access_locked?
+      locked_at && !lock_expired?
+    end
 
-      reset_attempts! if !access_locked? && attempts_expired?
-      unlock_access! if lock_expired?
+    def failed_attempt
+      return if access_locked?
 
-      if access_locked?
-        false
-      elsif super(pass)
-        unlock_access!
-        self
-      else
-        failed_attempt!
-        lock_access! if attempts_exceeded?
-        false
-      end
-    end
+      reset_attempts if attempts_expired?
 
-    def unauthenticated_error
-      return super unless lock_strategy_enabled?(:failed_attempts)
+      self.failed_attempts ||= 0
+      self.failed_attempts += 1
+      self.first_failed_attempt_at = Time.current if failed_attempts == 1
 
-      if access_locked?
-        {error: :locked}
-      else
-        {error: :invalid_session, remaining_attempts: remaining_attempts}
+      save(validate: false).tap do |result|
+        lock_access if result && attempts_exceeded?
       end
     end
 
     protected
 
     def send_unlock_instructions
-      self.unlock_token = SecureRandom.base58(24)
+      self.unlock_token = generate_unlock_token
       save(validate: false)
 
-      RailsJwtAuth.send_email(:send_unlock_instructions, self)
-    end
-
-    def access_locked?
-      locked_at && !lock_expired?
+      RailsJwtAuth.send_email(:unlock_instructions, self)
     end
 
     def lock_expired?
@@ -83,25 +68,32 @@ module RailsJwtAuth
       end
     end
 
-    def failed_attempt!
-      self.failed_attempts ||= 0
-      self.failed_attempts += 1
-      self.first_failed_attempt_at = Time.now.utc if failed_attempts == 1
-      save(validate: false)
-    end
-
-    def attempts_exceeded?
-      failed_attempts && failed_attempts >= RailsJwtAuth.maximum_attempts
+    def reset_attempts
+      self.failed_attempts = 0
+      self.first_failed_attempt_at = nil
     end
 
     def remaining_attempts
       RailsJwtAuth.maximum_attempts - failed_attempts.to_i
     end
 
+    def attempts_exceeded?
+      !remaining_attempts.positive?
+    end
+
     def attempts_expired?
       first_failed_attempt_at && first_failed_attempt_at < RailsJwtAuth.reset_attempts_in.ago
     end
 
+    protected
+
+    def generate_unlock_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(unlock_token: token).exists?
+      end
+    end
+
     def lock_strategy_enabled?(strategy)
       RailsJwtAuth.lock_strategy == strategy
     end

data/app/models/concerns/rails_jwt_auth/recoverable.rb

@@ -10,20 +10,11 @@ module RailsJwtAuth
           field :reset_password_token,   type: String
           field :reset_password_sent_at, type: Time
         end
-
-        validate :validate_reset_password_token, if: :password_digest_changed?
-
-        before_update do
-          if password_digest_changed? && reset_password_token
-            self.reset_password_token = nil
-            self.auth_tokens = []
-          end
-        end
       end
     end
 
     def send_reset_password_instructions
-      email_field = RailsJwtAuth.email_field_name! # ensure email field es valid
+      email_field = RailsJwtAuth.email_field_name # ensure email field es valid
 
       if self.class.ancestors.include?(RailsJwtAuth::Confirmable) && !confirmed?
         errors.add(email_field, :unconfirmed)
@@ -36,35 +27,45 @@ module RailsJwtAuth
         return false
       end
 
-      self.reset_password_token = SecureRandom.base58(24)
+      self.reset_password_token = generate_reset_password_token
       self.reset_password_sent_at = Time.current
       return false unless save
 
       RailsJwtAuth.send_email(:reset_password_instructions, self)
     end
 
-    def set_and_send_password_instructions
-      RailsJwtAuth.email_field_name! # ensure email field es valid
-      return if password.present?
+    def set_reset_password(params)
+      self.assign_attributes(params)
 
-      self.password = SecureRandom.base58(48)
-      self.password_confirmation = self.password
-      self.skip_confirmation! if self.class.ancestors.include?(RailsJwtAuth::Confirmable)
+      valid?
+      errors.add(:password, :blank) if params[:password].blank?
+      errors.add(:reset_password_token, :expired) if expired_reset_password_token?
 
-      self.reset_password_token = SecureRandom.base58(24)
-      self.reset_password_sent_at = Time.current
-      return false unless save
+      return false unless errors.empty?
+
+      clean_reset_password
+      self.auth_tokens = [] # reset all sessions
+      save
+    end
+
+    def expired_reset_password_token?
+      expiration_time = RailsJwtAuth.reset_password_expiration_time
+      return false if expiration_time.to_i.zero?
+
+      reset_password_sent_at && reset_password_sent_at < expiration_time.ago
+    end
 
-      RailsJwtAuth.send_email(:set_password_instructions, self)
-      true
+    def clean_reset_password
+      self.reset_password_sent_at = nil
+      self.reset_password_token = nil
     end
 
     protected
 
-    def validate_reset_password_token
-      if reset_password_sent_at &&
-         (reset_password_sent_at < (Time.current - RailsJwtAuth.reset_password_expiration_time))
-        errors.add(:reset_password_token, :expired)
+    def generate_reset_password_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(reset_password_token: token).exists?
       end
     end
   end