sidecar_token_auth 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 593d12ca2ac3e8397b389fa09656f6ae61a5a49852331a5cb7c82f8a3d083695
+  data.tar.gz: '08fe7c735782c2260e73e4abf9ad87188256cf4110c481dddc705db5a87753cb'
+SHA512:
+  metadata.gz: e1b4cfa5dfcff0c83868c1a78386febd8322a22dfe9d535d3d021f609df333ba2dcd4d5089bb1974cf8e4a5e6dad840338a281f996b82957c204c9a4cc8dfa4a
+  data.tar.gz: 0c8ed59ffdc73a5eb205be7222c085d02b1fee94fb90c7976cf5b8022c708ebdb335fd673831fe1d26c29a884534fd5d21dc403d612994fad1fc4b6b670fecb9

data/LICENSE

@@ -0,0 +1,13 @@
+        DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+                    Version 2, December 2004 
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> 
+
+ Everyone is permitted to copy and distribute verbatim or modified 
+ copies of this license document, and changing it is allowed as long 
+ as the name is changed. 
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE 
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.

data/README.md

@@ -0,0 +1,12 @@
+This gem is forked from https://github.com/lynndylanhurley/devise_token_auth
+
+The `sidecar` branch, which is set as a default branch for the repo, has all the customizations done to the gem speicific to sidecar.
+
+The version of lynndylanhurley/devise_token_auth at the time of this README:
+v1.1.4
+
+How to upgrade(hypothetical - have not done earlier):
+ - Check out README
+ - `git pull` from upstream `master`
+ - `git checkout sidecar`
+ - `git rebase -i master`

data/Rakefile

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'DeviseTokenAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path('test/dummy/Rakefile', __dir__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+  t.warning = false
+end
+
+task default: :test
+
+require 'rubocop/rake_task'
+
+desc 'Run RuboCop'
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.formatters = %w[fuubar offenses worst]
+  task.fail_on_error = false # don't abort rake on failure
+end

data/app/controllers/devise_token_auth/application_controller.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class ApplicationController < DeviseController
+    include DeviseTokenAuth::Concerns::SetUserByToken
+
+    def resource_data(opts = {})
+      response_data = opts[:resource_json] || @resource.as_json
+      response_data['type'] = @resource.class.name.parameterize if json_api?
+      response_data
+    end
+
+    def resource_errors
+      @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)
+    end
+
+    protected
+
+    def blacklisted_redirect_url?(redirect_url)
+      DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
+    end
+
+    def build_redirect_headers(access_token, client, redirect_header_options = {})
+      {
+        DeviseTokenAuth.headers_names[:"access-token"] => access_token,
+        DeviseTokenAuth.headers_names[:"client"] => client,
+        :config => params[:config],
+
+        # Legacy parameters which may be removed in a future release.
+        # Consider using "client" and "access-token" in client code.
+        # See: github.com/lynndylanhurley/devise_token_auth/issues/993
+        :client_id => client,
+        :token => access_token
+      }.merge(redirect_header_options)
+    end
+
+    def params_for_resource(resource)
+      devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type|
+        params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil?
+      end
+      devise_parameter_sanitizer.instance_values['permitted'][resource]
+    end
+
+    def resource_class(m = nil)
+      if m
+        mapping = Devise.mappings[m]
+      else
+        mapping = Devise.mappings[resource_name] || Devise.mappings.values.first
+      end
+
+      mapping.to
+    end
+
+    def json_api?
+      return false unless defined?(ActiveModel::Serializer)
+      return ActiveModel::Serializer.setup do |config|
+        config.adapter == :json_api
+      end if ActiveModel::Serializer.respond_to?(:setup)
+      ActiveModelSerializers.config.adapter == :json_api
+    end
+
+    def recoverable_enabled?
+      resource_class.devise_modules.include?(:recoverable)
+    end
+
+    def confirmable_enabled?
+      resource_class.devise_modules.include?(:confirmable)
+    end
+
+    def render_error(status, message, data = nil)
+      response = {
+        success: false,
+        errors: [message]
+      }
+      response = response.merge(data) if data
+      render json: response, status: status
+    end
+  end
+end

data/app/controllers/devise_token_auth/concerns/resource_finder.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::ResourceFinder
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Controllers::Helpers
+
+  def get_case_insensitive_field_from_resource_params(field)
+    # honor Devise configuration for case_insensitive keys
+    q_value = resource_params[field.to_sym]
+
+    if resource_class.case_insensitive_keys.include?(field.to_sym)
+      q_value.downcase!
+    end
+
+    if resource_class.strip_whitespace_keys.include?(field.to_sym)
+      q_value.strip!
+    end
+
+    q_value
+  end
+
+  def find_resource(field, value)
+    @resource = if resource_class.try(:connection_config).try(:[], :adapter).try(:include?, 'mysql')
+                  # fix for mysql default case insensitivity
+                  resource_class.where("BINARY #{field} = ? AND provider= ?", value, provider).first
+                else
+                  resource_class.dta_find_by(field => value, 'provider' => provider)
+                end
+  end
+
+  def resource_class(m = nil)
+    mapping = if m
+                Devise.mappings[m]
+              else
+                Devise.mappings[resource_name] || Devise.mappings.values.first
+              end
+
+    mapping.to
+  end
+
+  def provider
+    'email'
+  end
+end

data/app/controllers/devise_token_auth/concerns/set_user_by_token.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::SetUserByToken
+  extend ActiveSupport::Concern
+  include DeviseTokenAuth::Concerns::ResourceFinder
+
+  included do
+    before_action :set_request_start
+    after_action :update_auth_header
+  end
+
+  protected
+
+  # keep track of request duration
+  def set_request_start
+    @request_started_at = Time.zone.now
+    @used_auth_by_token = true
+
+    # initialize instance variables
+    @token ||= DeviseTokenAuth::TokenFactory.new
+    @resource ||= nil
+    @is_batch_request ||= nil
+  end
+
+  # user auth
+  def set_user_by_token(mapping = nil)
+    # determine target authentication class
+    rc = resource_class(mapping)
+
+    # no default user defined
+    return unless rc
+
+    # gets the headers names, which was set in the initialize file
+    uid_name = DeviseTokenAuth.headers_names[:'uid']
+    access_token_name = DeviseTokenAuth.headers_names[:'access-token']
+    client_name = DeviseTokenAuth.headers_names[:'client']
+
+    # parse header for values necessary for authentication
+    uid              = request.headers[uid_name] || params[uid_name]
+    @token           = DeviseTokenAuth::TokenFactory.new unless @token
+    @token.token     ||= request.headers[access_token_name] || params[access_token_name]
+    @token.client ||= request.headers[client_name] || params[client_name]
+
+    # client isn't required, set to 'default' if absent
+    @token.client ||= 'default'
+
+    # check for an existing user, authenticated via warden/devise, if enabled
+    if DeviseTokenAuth.enable_standard_devise_support
+      devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+      if devise_warden_user && devise_warden_user.tokens[@token.client].nil?
+        @used_auth_by_token = false
+        @resource = devise_warden_user
+        # REVIEW: The following line _should_ be safe to remove;
+        #  the generated token does not get used anywhere.
+        # @resource.create_new_auth_token
+      end
+    end
+
+    # user has already been found and authenticated
+    return @resource if @resource && @resource.is_a?(rc)
+
+    # ensure we clear the client
+    unless @token.present?
+      @token.client = nil
+      return
+    end
+
+    # mitigate timing attacks by finding by uid instead of auth token
+    user = uid && rc.dta_find_by(uid: uid)
+    scope = rc.to_s.underscore.to_sym
+
+    if user && user.valid_token?(@token.token, @token.client)
+      # sign_in with bypass: true will be deprecated in the next version of Devise
+      if respond_to?(:bypass_sign_in) && DeviseTokenAuth.bypass_sign_in
+        bypass_sign_in(user, scope: scope)
+      else
+        sign_in(scope, user, store: false, event: :fetch, bypass: DeviseTokenAuth.bypass_sign_in)
+      end
+      return @resource = user
+    else
+      # zero all values previously set values
+      @token.client = nil
+      return @resource = nil
+    end
+  end
+
+  def update_auth_header
+    # cannot save object if model has invalid params
+    return unless @resource && @token.client
+
+    # Generate new client with existing authentication
+    @token.client = nil unless @used_auth_by_token
+
+    if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @resource.reload.tokens[@token.client].nil?
+
+      auth_header = @resource.build_auth_header(@token.token, @token.client)
+
+      # update the response header
+      response.headers.merge!(auth_header)
+
+    else
+      unless @resource.reload.valid?
+        @resource = @resource.class.find(@resource.to_param) # errors remain after reload
+        # if we left the model in a bad state, something is wrong in our app
+        unless @resource.valid?
+          raise DeviseTokenAuth::Errors::InvalidModel, "Cannot set auth token in invalid model. Errors: #{@resource.errors.full_messages}"
+        end
+      end
+      refresh_headers
+    end
+  end
+
+  private
+
+  def refresh_headers
+    # Lock the user record during any auth_header updates to ensure
+    # we don't have write contention from multiple threads
+    @resource.with_lock do
+      # should not append auth header if @resource related token was
+      # cleared by sign out in the meantime
+      return if @used_auth_by_token && @resource.tokens[@token.client].nil?
+
+      # update the response header
+      response.headers.merge!(auth_header_from_batch_request)
+    end # end lock
+  end
+
+  def is_batch_request?(user, client)
+    !params[:unbatch] &&
+      user.tokens[client] &&
+      user.tokens[client]['updated_at'] &&
+      user.tokens[client]['updated_at'].to_time > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
+  end
+
+  def auth_header_from_batch_request
+    # determine batch request status after request processing, in case
+    # another processes has updated it during that processing
+    @is_batch_request = is_batch_request?(@resource, @token.client)
+
+    auth_header = {}
+    # extend expiration of batch buffer to account for the duration of
+    # this request
+    if @is_batch_request
+      auth_header = @resource.extend_batch_buffer(@token.token, @token.client)
+
+      # Do not return token for batch requests to avoid invalidated
+      # tokens returned to the client in case of race conditions.
+      # Use a blank string for the header to still be present and
+      # being passed in a XHR response in case of
+      # 304 Not Modified responses.
+      auth_header[DeviseTokenAuth.headers_names[:"access-token"]] = ' '
+      auth_header[DeviseTokenAuth.headers_names[:"expiry"]] = ' '
+    else
+      # update Authorization response header with new token
+      auth_header = @resource.create_new_auth_token(@token.client)
+    end
+    auth_header
+  end
+end

data/app/controllers/devise_token_auth/confirmations_controller.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class ConfirmationsController < DeviseTokenAuth::ApplicationController
+
+    def show
+      @resource = resource_class.confirm_by_token(resource_params[:confirmation_token])
+
+      if @resource.errors.empty?
+        yield @resource if block_given?
+
+        redirect_header_options = { account_confirmation_success: true }
+
+        if signed_in?(resource_name)
+          token = signed_in_resource.create_token
+          signed_in_resource.save!
+
+          redirect_headers = build_redirect_headers(token.token,
+                                                    token.client,
+                                                    redirect_header_options)
+
+          redirect_to_link = signed_in_resource.build_auth_url(redirect_url, redirect_headers)
+        else
+          redirect_to_link = DeviseTokenAuth::Url.generate(redirect_url, redirect_header_options)
+       end
+
+        redirect_to(redirect_to_link)
+      else
+        ##################################################
+        # Custom Logic Start
+        ##################################################
+
+        redirect_to redirect_url + '?' + { error: 'You may have already confirmed. Try to login!', status: 'error' }.to_query
+
+        ##################################################
+        # Custom Logic End
+        ##################################################
+      end
+    end
+
+    def create
+      return render_create_error_missing_email if resource_params[:email].blank?
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+
+      @resource = resource_class.dta_find_by(uid: @email, provider: provider)
+
+      return render_not_found_error unless @resource
+
+      @resource.send_confirmation_instructions({
+        redirect_url: redirect_url,
+        client_config: resource_params[:config_name]
+      })
+
+      return render_create_success
+    end
+
+    protected
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.confirmations.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+          success: true,
+          message: I18n.t('devise_token_auth.confirmations.sended', email: @email)
+      }
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.confirmations.user_not_found', email: @email))
+    end
+
+    private
+
+    def resource_params
+      params.permit(:email, :confirmation_token, :config_name)
+    end
+
+    # give redirect value from params priority or fall back to default value if provided
+    def redirect_url
+      params.fetch(
+        :redirect_url,
+        DeviseTokenAuth.default_confirm_success_url
+      )
+    end
+
+  end
+end