rails_jwt_auth 1.7.3 → 2.0.3

data/app/controllers/rails_jwt_auth/profiles_controller.rb

@@ -0,0 +1,51 @@
+module RailsJwtAuth
+  class ProfilesController < ApplicationController
+    include AuthenticableHelper
+    include ParamsHelper
+    include RenderHelper
+
+    PASSWORD_PARAMS = %i[current_password password password_confirmation].freeze
+
+    before_action :authenticate!
+
+    def show
+      render_profile current_user
+    end
+
+    def update
+      if current_user.update(profile_update_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    def password
+      if current_user.update_password(update_password_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    def email
+      return update unless current_user.is_a?(RailsJwtAuth::Confirmable)
+
+      if current_user.update_email(profile_update_email_params)
+        render_204
+      else
+        render_422(current_user.errors.details)
+      end
+    end
+
+    protected
+
+    def changing_password?
+      profile_update_params.values_at(*PASSWORD_PARAMS).any?(&:present?)
+    end
+
+    def update_password_params
+      profile_update_password_params.merge(current_auth_token: jwt_payload['auth_token'])
+    end
+  end
+end

data/app/controllers/rails_jwt_auth/reset_passwords_controller.rb

@@ -0,0 +1,65 @@
+module RailsJwtAuth
+  class ResetPasswordsController < ApplicationController
+    include ParamsHelper
+    include RenderHelper
+
+    before_action :set_user_from_token, only: [:show, :update]
+    before_action :set_user_from_email, only: [:create]
+
+    # used to verify token
+    def show
+      return render_404 unless @user
+
+      if @user.reset_password_sent_at < RailsJwtAuth.reset_password_expiration_time.ago
+        return render_410
+      end
+
+      render_204
+    end
+
+    # used to request restore password
+    def create
+      unless @user
+        if RailsJwtAuth.avoid_email_errors
+          return render_204
+        else
+          return render_422(RailsJwtAuth.email_field_name => [{error: :not_found}])
+        end
+      end
+
+      @user.send_reset_password_instructions ? render_204 : render_422(@user.errors.details)
+    end
+
+    # used to set new password
+    def update
+      return render_404 unless @user
+
+      if @user.set_reset_password(reset_password_update_params)
+        render_204
+      else
+        render_422(@user.errors.details)
+      end
+    end
+
+    private
+
+    def set_user_from_token
+      return if params[:id].blank?
+
+      @user = RailsJwtAuth.model.where(reset_password_token: params[:id]).first
+    end
+
+    def set_user_from_email
+      email = (reset_password_create_params[RailsJwtAuth.email_field_name] || '').strip
+      email.downcase! if RailsJwtAuth.downcase_auth_field
+
+      if email.blank?
+        return render_422(RailsJwtAuth.email_field_name => [{error: :blank}])
+      elsif !email.match?(RailsJwtAuth.email_regex)
+        return render_422(RailsJwtAuth.email_field_name => [{error: :format}])
+      end
+
+      @user = RailsJwtAuth.model.where(RailsJwtAuth.email_field_name => email).first
+    end
+  end
+end

data/app/controllers/rails_jwt_auth/sessions_controller.rb

@@ -1,40 +1,25 @@
 module RailsJwtAuth
   class SessionsController < ApplicationController
+    include AuthenticableHelper
     include ParamsHelper
     include RenderHelper
 
     def create
-      user = find_user
+      se = Session.new(session_create_params)
 
-      if !user
-        render_422 session: [{error: :invalid_session}]
-      elsif user.respond_to?('confirmed?') && !user.confirmed?
-        render_422 session: [{error: :unconfirmed}]
-      elsif user.authentication?(session_create_params[:password])
-        render_session generate_jwt(user), user
+      if se.generate!(request)
+        render_session se.jwt, se.user
       else
-        render_422 session: [user.unauthenticated_error]
+        render_422 se.errors.details
       end
     end
 
     def destroy
-      return render_404 unless RailsJwtAuth.simultaneous_sessions > 0
+      return render_404 unless RailsJwtAuth.simultaneous_sessions.positive?
 
       authenticate!
-      payload = JwtManager.decode_from_request(request)&.first
-      current_user.destroy_auth_token payload['auth_token']
+      current_user.destroy_auth_token @jwt_payload['auth_token']
       render_204
     end
-
-    private
-
-    def generate_jwt(user)
-      JwtManager.encode(user.to_token_payload(request))
-    end
-
-    def find_user
-      auth_field = RailsJwtAuth.auth_field_name!
-      RailsJwtAuth.model.where(auth_field => session_create_params[auth_field]).first
-    end
   end
 end

data/app/controllers/rails_jwt_auth/{unlocks_controller.rb → unlock_accounts_controller.rb}

@@ -1,5 +1,5 @@
 module RailsJwtAuth
-  class UnlocksController < ApplicationController
+  class UnlockAccountsController < ApplicationController
     include ParamsHelper
     include RenderHelper
 
@@ -8,7 +8,7 @@ module RailsJwtAuth
         params[:id] &&
         (user = RailsJwtAuth.model.where(unlock_token: params[:id]).first)
 
-      user.unlock_access! ? render_204 : render_422(user.errors.details)
+      user.unlock_access ? render_204 : render_422(user.errors.details)
     end
   end
 end

data/app/mailers/rails_jwt_auth/mailer.rb

@@ -4,65 +4,60 @@ if defined?(ActionMailer)
 
     before_action do
       @user = RailsJwtAuth.model.find(params[:user_id])
+      @to = @user[RailsJwtAuth.email_field_name]
       @subject = I18n.t("rails_jwt_auth.mailer.#{action_name}.subject")
     end
 
     def confirmation_instructions
-      raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirmations_url.present?
+      raise RailsJwtAuth::NotConfirmationsUrl unless RailsJwtAuth.confirm_email_url.present?
 
-      @confirmations_url = add_param_to_url(
-        RailsJwtAuth.confirmations_url,
+      @confirm_email_url = add_param_to_url(
+        RailsJwtAuth.confirm_email_url,
         'confirmation_token',
         @user.confirmation_token
       )
 
-      mail(to: @user.unconfirmed_email || @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @user.unconfirmed_email || @to, subject: @subject)
     end
 
-    def email_changed
-      mail(to: @user[RailsJwtAuth.email_field_name!], subject: @subject)
+    def email_change_requested_notification
+      mail(to: @to, subject: @subject)
     end
 
     def reset_password_instructions
-      raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_passwords_url.present?
+      raise RailsJwtAuth::NotResetPasswordsUrl unless RailsJwtAuth.reset_password_url.present?
 
-      @reset_passwords_url = add_param_to_url(
-        RailsJwtAuth.reset_passwords_url,
+      @reset_password_url = add_param_to_url(
+        RailsJwtAuth.reset_password_url,
         'reset_password_token',
         @user.reset_password_token
       )
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
-    def set_password_instructions
-      raise RailsJwtAuth::NotSetPasswordsUrl unless RailsJwtAuth.set_passwords_url.present?
-
-      @reset_passwords_url = add_param_to_url(
-        RailsJwtAuth.set_passwords_url,
-        'reset_password_token',
-        @user.reset_password_token
-      )
-
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+    def password_changed_notification
+      mail(to: @to, subject: @subject)
     end
 
-    def send_invitation
-      raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.invitations_url.present?
+    def invitation_instructions
+      raise RailsJwtAuth::NotInvitationsUrl unless RailsJwtAuth.accept_invitation_url.present?
 
-      @invitations_url = add_param_to_url(
-        RailsJwtAuth.invitations_url,
+      @accept_invitation_url = add_param_to_url(
+        RailsJwtAuth.accept_invitation_url,
         'invitation_token',
         @user.invitation_token
       )
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
-    def send_unlock_instructions
-      @unlock_url = add_param_to_url(RailsJwtAuth.unlock_url, 'unlock_token', @user.unlock_token)
+    def unlock_instructions
+      raise RailsJwtAuth::NotUnlockUrl unless RailsJwtAuth.unlock_account_url.present?
+
+      @unlock_account_url = add_param_to_url(RailsJwtAuth.unlock_account_url, 'unlock_token', @user.unlock_token)
 
-      mail(to: @user[RailsJwtAuth.email_field_name], subject: @subject)
+      mail(to: @to, subject: @subject)
     end
 
     protected

data/app/models/concerns/rails_jwt_auth/authenticatable.rb

@@ -8,28 +8,41 @@ module RailsJwtAuth
       base.class_eval do
         if defined?(Mongoid) && ancestors.include?(Mongoid::Document)
           field :password_digest, type: String
-          field :auth_tokens, type: Array if RailsJwtAuth.simultaneous_sessions > 0
+          field :auth_tokens, type: Array, default: [] if RailsJwtAuth.simultaneous_sessions > 0
         elsif defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
           serialize :auth_tokens, Array
         end
 
         has_secure_password
+
+        before_validation do
+          if RailsJwtAuth.downcase_auth_field &&
+             public_send("#{RailsJwtAuth.auth_field_name}_changed?")
+            self[RailsJwtAuth.auth_field_name]&.downcase!
+          end
+        end
       end
     end
 
-    def regenerate_auth_token(token = nil)
+    def load_auth_token
       new_token = SecureRandom.base58(24)
 
       if RailsJwtAuth.simultaneous_sessions > 1
-        tokens = ((auth_tokens || []) - [token]).last(RailsJwtAuth.simultaneous_sessions - 1)
-        update_attribute(:auth_tokens, (tokens + [new_token]).uniq)
+        tokens = (auth_tokens || []).last(RailsJwtAuth.simultaneous_sessions - 1)
+        self.auth_tokens = (tokens + [new_token]).uniq
       else
-        update_attribute(:auth_tokens, [new_token])
+        self.auth_tokens = [new_token]
       end
 
       new_token
     end
 
+    def regenerate_auth_token(token=nil)
+      self.auth_tokens -= [token] if token
+      token = load_auth_token
+      save ? token : false
+    end
+
     def destroy_auth_token(token)
       if RailsJwtAuth.simultaneous_sessions > 1
         tokens = auth_tokens || []
@@ -39,7 +52,34 @@ module RailsJwtAuth
       end
     end
 
-    def update_with_password(params)
+    def to_token_payload(_request=nil)
+      if RailsJwtAuth.simultaneous_sessions > 0
+        auth_tokens&.last ? {auth_token: auth_tokens.last} : false
+      else
+        {id: id.to_s}
+      end
+    end
+
+    def save_without_password
+      # when set password to nil only password_digest is setted to nil
+      # https://github.com/rails/rails/blob/master/activemodel/lib/active_model/secure_password.rb#L97
+      instance_variable_set("@password", nil)
+      self.password_confirmation = nil
+      self.password_digest = nil
+
+      return false unless valid_without_password?
+
+      save(validate: false)
+    end
+
+    def valid_without_password?
+      valid?
+      errors.delete(:password) # allow register without pass
+      errors.delete(:password_confirmation)
+      errors.empty?
+    end
+
+    def update_password(params)
       current_password_error = if (current_password = params.delete(:current_password)).blank?
                                  'blank'
                                elsif !authenticate(current_password)
@@ -51,28 +91,29 @@ module RailsJwtAuth
         self.reset_password_token = self.reset_password_sent_at = nil
       end
 
+      # close all sessions or other sessions when pass current_auth_token
+      current_auth_token = params.delete :current_auth_token
+      self.auth_tokens = current_auth_token ? [current_auth_token] : []
+
       assign_attributes(params)
       valid? # validates first other fields
       errors.add(:current_password, current_password_error) if current_password_error
       errors.add(:password, 'blank') if params[:password].blank?
 
-      errors.empty? ? save : false
-    end
+      return false unless errors.empty?
+      return false unless save
 
-    def to_token_payload(_request=nil)
-      if RailsJwtAuth.simultaneous_sessions > 0
-        {auth_token: regenerate_auth_token}
-      else
-        {id: id.to_s}
-      end
-    end
+      deliver_password_changed_notification
 
-    def authentication?(pass)
-      authenticate(pass)
+      true
     end
 
-    def unauthenticated_error
-      {error: :invalid_session}
+    protected
+
+    def deliver_password_changed_notification
+      return unless RailsJwtAuth.send_password_changed_notification
+
+      RailsJwtAuth.send_email(:password_changed_notification, self)
     end
 
     module ClassMethods

data/app/models/concerns/rails_jwt_auth/confirmable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RailsJwtAuth
   module Confirmable
     def self.included(base)
@@ -20,47 +22,16 @@ module RailsJwtAuth
             send_confirmation_instructions
           end
         end
-
-        before_update do
-          email_field = RailsJwtAuth.email_field_name!
-
-          if public_send("#{email_field}_changed?") &&
-             public_send("#{email_field}_was") &&
-             !confirmed_at_changed? &&
-             !self['invitation_token']
-            self.unconfirmed_email = self[email_field]
-            self[email_field] = public_send("#{email_field}_was")
-
-            self.confirmation_token = SecureRandom.base58(24)
-            self.confirmation_sent_at = Time.current
-          end
-        end
-
-        if defined?(ActiveRecord) && ancestors.include?(ActiveRecord::Base)
-          after_commit  do
-            if unconfirmed_email && saved_change_to_unconfirmed_email?
-              deliver_email_changed_emails
-            end
-          end
-        elsif defined?(Mongoid) && ancestors.include?(Mongoid::Document)
-          after_update do
-            if unconfirmed_email && unconfirmed_email_changed?
-              deliver_email_changed_emails
-            end
-          end
-        end
       end
     end
 
     def send_confirmation_instructions
-      email_field = RailsJwtAuth.email_field_name!
-
       if confirmed? && !unconfirmed_email
-        errors.add(email_field, :already_confirmed)
+        errors.add(RailsJwtAuth.email_field_name, :already_confirmed)
         return false
       end
 
-      self.confirmation_token = SecureRandom.base58(24)
+      self.confirmation_token = generate_confirmation_token
       self.confirmation_sent_at = Time.current
       return false unless save
 
@@ -72,12 +43,12 @@ module RailsJwtAuth
       confirmed_at.present?
     end
 
-    def confirm!
+    def confirm
       self.confirmed_at = Time.current
       self.confirmation_token = nil
 
       if unconfirmed_email
-        email_field = RailsJwtAuth.email_field_name!
+        email_field = RailsJwtAuth.email_field_name
 
         self[email_field] = unconfirmed_email
         self.unconfirmed_email = nil
@@ -91,17 +62,56 @@ module RailsJwtAuth
       save
     end
 
-    def skip_confirmation!
+    def skip_confirmation
       self.confirmed_at = Time.current
       self.confirmation_token = nil
     end
 
+    def update_email(params)
+      email_field = RailsJwtAuth.email_field_name.to_sym
+      params = HashWithIndifferentAccess.new(params)
+
+      # email change must be protected by password
+      password_error = if (password = params[:password]).blank?
+                         :blank
+                       elsif !authenticate(password)
+                         :invalid
+                       end
+
+      self.email = params[email_field]
+      self.confirmation_token = generate_confirmation_token
+      self.confirmation_sent_at = Time.current
+
+      valid? # validates first other fields
+      errors.add(:password, password_error) if password_error
+      errors.add(email_field, :not_change) unless email_changed?
+
+      return false unless errors.empty?
+
+      # move email to unconfirmed_email field and restore
+      self.unconfirmed_email = email
+      self.email = email_was
+
+      return false unless save
+
+      deliver_email_changed_emails
+
+      true
+    end
+
     protected
 
+    def generate_confirmation_token
+      loop do
+        token = RailsJwtAuth.friendly_token
+        return token unless self.class.where(confirmation_token: token).exists?
+      end
+    end
+
     def validate_confirmation
       return true unless confirmed_at
 
-      email_field = RailsJwtAuth.email_field_name!
+      email_field = RailsJwtAuth.email_field_name
 
       if confirmed_at_was && !public_send("#{email_field}_changed?")
         errors.add(email_field, :already_confirmed)
@@ -116,8 +126,8 @@ module RailsJwtAuth
       RailsJwtAuth.send_email(:confirmation_instructions, self)
 
       # send notify to old email
-      if RailsJwtAuth.send_email_changed_notification
-        RailsJwtAuth.send_email(:email_changed, self)
+      if RailsJwtAuth.send_email_change_requested_notification
+        RailsJwtAuth.send_email(:email_change_requested_notification, self)
       end
     end
   end