sidecar_token_auth 1.0.1

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class TokenValidationsController < DeviseTokenAuth::ApplicationController
+    skip_before_action :assert_is_devise_resource!, only: [:validate_token]
+    before_action :set_user_by_token, only: [:validate_token]
+
+    def validate_token
+      # @resource will have been set by set_user_by_token concern
+      if @resource
+        yield @resource if block_given?
+        render_validate_token_success
+      else
+        render_validate_token_error
+      end
+    end
+
+    protected
+
+    def render_validate_token_success
+      render json: {
+        success: true,
+        data: resource_data(resource_json: @resource.token_validation_response)
+      }
+    end
+
+    def render_validate_token_error
+      render_error(401, I18n.t('devise_token_auth.token_validations.invalid'))
+    end
+  end
+end

data/app/controllers/devise_token_auth/unlocks_controller.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth
+  class UnlocksController < DeviseTokenAuth::ApplicationController
+    skip_after_action :update_auth_header, only: [:create, :show]
+
+    # this action is responsible for generating unlock tokens and
+    # sending emails
+    def create
+      return render_create_error_missing_email unless resource_params[:email]
+
+      @email = get_case_insensitive_field_from_resource_params(:email)
+      @resource = find_resource(:email, @email)
+
+      if @resource
+        yield @resource if block_given?
+
+        @resource.send_unlock_instructions(
+          email: @email,
+          provider: 'email',
+          client_config: params[:config_name]
+        )
+
+        if @resource.errors.empty?
+          return render_create_success
+        else
+          render_create_error @resource.errors
+        end
+      else
+        render_not_found_error
+      end
+    end
+
+    def show
+      @resource = resource_class.unlock_access_by_token(params[:unlock_token])
+
+      if @resource.persisted?
+        token = @resource.create_token
+        @resource.save!
+        yield @resource if block_given?
+
+        redirect_header_options = { unlock: true }
+        redirect_headers = build_redirect_headers(token.token,
+                                                  token.client,
+                                                  redirect_header_options)
+        redirect_to(@resource.build_auth_url(after_unlock_path_for(@resource),
+                                             redirect_headers))
+      else
+        render_show_error
+      end
+    end
+
+    private
+    def after_unlock_path_for(resource)
+      #TODO: This should probably be a configuration option at the very least.
+      '/'
+    end
+
+    def render_create_error_missing_email
+      render_error(401, I18n.t('devise_token_auth.unlocks.missing_email'))
+    end
+
+    def render_create_success
+      render json: {
+        success: true,
+        message: I18n.t('devise_token_auth.unlocks.sended', email: @email)
+      }
+    end
+
+    def render_create_error(errors)
+      render json: {
+        success: false,
+        errors: errors
+      }, status: 400
+    end
+
+    def render_show_error
+      raise ActionController::RoutingError, 'Not Found'
+    end
+
+    def render_not_found_error
+      render_error(404, I18n.t('devise_token_auth.unlocks.user_not_found', email: @email))
+    end
+
+    def resource_params
+      params.permit(:email, :unlock_token, :config)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/active_record_support.rb

@@ -0,0 +1,16 @@
+require_relative 'tokens_serialization'
+
+module DeviseTokenAuth::Concerns::ActiveRecordSupport
+  extend ActiveSupport::Concern
+
+  included do
+    serialize :tokens, DeviseTokenAuth::Concerns::TokensSerialization
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/confirmable_support.rb

@@ -0,0 +1,28 @@
+module DeviseTokenAuth::Concerns::ConfirmableSupport
+  extend ActiveSupport::Concern
+
+  included do
+    # Override standard devise `postpone_email_change?` method
+    # for not to use `will_save_change_to_email?` & `email_changed?` methods.
+    def postpone_email_change?
+      postpone = self.class.reconfirmable &&
+        email_value_in_database != email &&
+        !@bypass_confirmation_postpone &&
+        self.email.present? &&
+        (!@skip_reconfirmation_in_callback || !email_value_in_database.nil?)
+      @bypass_confirmation_postpone = false
+      postpone
+    end
+  end
+
+  protected
+
+  def email_value_in_database
+    rails51 = Rails.gem_version >= Gem::Version.new("5.1.x")
+    if rails51 && respond_to?(:email_in_database)
+      email_in_database
+    else
+      email_was
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/mongoid_support.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::MongoidSupport
+  extend ActiveSupport::Concern
+
+  def as_json(options = {})
+    options[:except] = (options[:except] || []) + [:_id]
+    hash = super(options)
+    hash['id'] = to_param
+    hash
+  end
+
+  class_methods do
+    # It's abstract replacement .find_by
+    def dta_find_by(attrs = {})
+      find_by(attrs)
+    rescue Mongoid::Errors::DocumentNotFound
+      nil
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/tokens_serialization.rb

@@ -0,0 +1,19 @@
+module DeviseTokenAuth::Concerns::TokensSerialization
+  # Serialization hash to json
+  def self.dump(object)
+    object.each_value(&:compact!) unless object.nil?
+    JSON.generate(object)
+  end
+
+  # Deserialization json to hash
+  def self.load(json)
+    case json
+    when String
+      JSON.parse(json)
+    when NilClass
+      {}
+    else
+      json
+    end
+  end
+end

data/app/models/devise_token_auth/concerns/user.rb

@@ -0,0 +1,257 @@
+# frozen_string_literal: true
+
+module DeviseTokenAuth::Concerns::User
+  extend ActiveSupport::Concern
+
+  def self.tokens_match?(token_hash, token)
+    @token_equality_cache ||= {}
+
+    key = "#{token_hash}/#{token}"
+    result = @token_equality_cache[key] ||= DeviseTokenAuth::TokenFactory.token_hash_is_token?(token_hash, token)
+    @token_equality_cache = {} if @token_equality_cache.size > 10000
+    result
+  end
+
+  included do
+    # Hack to check if devise is already enabled
+    if method_defined?(:devise_modules)
+      devise_modules.delete(:omniauthable)
+    else
+      devise :database_authenticatable, :registerable,
+             :recoverable, :validatable, :confirmable
+    end
+
+    if const_defined?('ActiveRecord') && ancestors.include?(ActiveRecord::Base)
+      include DeviseTokenAuth::Concerns::ActiveRecordSupport
+    end
+
+    if const_defined?('Mongoid') && ancestors.include?(Mongoid::Document)
+      include DeviseTokenAuth::Concerns::MongoidSupport
+    end
+
+    if DeviseTokenAuth.default_callbacks
+      include DeviseTokenAuth::Concerns::UserOmniauthCallbacks
+    end
+
+    # get rid of dead tokens
+    before_save :destroy_expired_tokens
+
+    # remove old tokens if password has changed
+    before_save :remove_tokens_after_password_reset
+
+    # don't use default devise email validation
+    def email_required?; false; end
+    def email_changed?; false; end
+    def will_save_change_to_email?; false; end
+
+    if DeviseTokenAuth.send_confirmation_email && devise_modules.include?(:confirmable)
+      include DeviseTokenAuth::Concerns::ConfirmableSupport
+    end
+
+    def password_required?
+      return false unless provider == 'email'
+      super
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_confirmation_instructions(opts = {})
+      generate_confirmation_token! unless @raw_confirmation_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+      opts[:to] = unconfirmed_email if pending_reconfirmation?
+      opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url
+
+      send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_reset_password_instructions(opts = {})
+      token = set_reset_password_token
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:reset_password_instructions, token, opts)
+      token
+    end
+
+    # override devise method to include additional info as opts hash
+    def send_unlock_instructions(opts = {})
+      raw, enc = Devise.token_generator.generate(self.class, :unlock_token)
+      self.unlock_token = enc
+      save(validate: false)
+
+      # fall back to "default" config name
+      opts[:client_config] ||= 'default'
+
+      send_devise_notification(:unlock_instructions, raw, opts)
+      raw
+    end
+
+    def create_token(client: nil, lifespan: nil, cost: nil, **token_extras)
+      token = DeviseTokenAuth::TokenFactory.create(client: client, lifespan: lifespan, cost: cost)
+
+      tokens[token.client] = {
+        token:  token.token_hash,
+        expiry: token.expiry
+      }.merge!(token_extras)
+
+      clean_old_tokens
+
+      token
+    end
+  end
+
+  def valid_token?(token, client = 'default')
+    return false unless tokens[client]
+    return true if token_is_current?(token, client)
+    return true if token_can_be_reused?(token, client)
+
+    # return false if none of the above conditions are met
+    false
+  end
+
+  # this must be done from the controller so that additional params
+  # can be passed on from the client
+  def send_confirmation_notification?; false; end
+
+  def token_is_current?(token, client)
+    # ghetto HashWithIndifferentAccess
+    expiry     = tokens[client]['expiry'] || tokens[client][:expiry]
+    token_hash = tokens[client]['token'] || tokens[client][:token]
+
+    return true if (
+      # ensure that expiry and token are set
+      expiry && token &&
+
+      # ensure that the token has not yet expired
+      DateTime.strptime(expiry.to_s, '%s') > Time.zone.now &&
+
+      # ensure that the token is valid
+      DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
+    )
+  end
+
+  # allow batch requests to use the previous token
+  def token_can_be_reused?(token, client)
+    # ghetto HashWithIndifferentAccess
+    updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
+    last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
+
+    return true if (
+      # ensure that the last token and its creation time exist
+      updated_at && last_token_hash &&
+
+      # ensure that previous token falls within the batch buffer throttle time of the last request
+      updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
+
+      # ensure that the token is valid
+      DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
+    )
+  end
+
+  # update user's auth token (should happen on each request)
+  def create_new_auth_token(client = nil)
+    now = Time.zone.now
+
+    token = create_token(
+      client: client,
+      last_token: tokens.fetch(client, {})['token'],
+      updated_at: now.to_s(:rfc822)
+    )
+
+    update_auth_header(token.token, token.client)
+  end
+
+  def build_auth_header(token, client = 'default')
+    # client may use expiry to prevent validation request if expired
+    # must be cast as string or headers will break
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
+
+    {
+      DeviseTokenAuth.headers_names[:"access-token"] => token,
+      DeviseTokenAuth.headers_names[:"token-type"]   => 'Bearer',
+      DeviseTokenAuth.headers_names[:"client"]       => client,
+      DeviseTokenAuth.headers_names[:"expiry"]       => expiry.to_s,
+      DeviseTokenAuth.headers_names[:"uid"]          => uid
+    }
+  end
+
+  def update_auth_header(token, client = 'default')
+    headers = build_auth_header(token, client)
+    clean_old_tokens
+    save!
+
+    headers
+  end
+
+  def build_auth_url(base_url, args)
+    args[:uid]    = uid
+    args[:expiry] = tokens[args[:client_id]]['expiry']
+
+    DeviseTokenAuth::Url.generate(base_url, args)
+  end
+
+  def extend_batch_buffer(token, client)
+    tokens[client]['updated_at'] = Time.zone.now.to_s(:rfc822)
+    update_auth_header(token, client)
+  end
+
+  def confirmed?
+    devise_modules.exclude?(:confirmable) || super
+  end
+
+  def token_validation_response
+    as_json(except: %i[tokens created_at updated_at])
+  end
+
+  protected
+
+  def destroy_expired_tokens
+    if tokens
+      tokens.delete_if do |cid, v|
+        expiry = v[:expiry] || v['expiry']
+        DateTime.strptime(expiry.to_s, '%s') < Time.zone.now
+      end
+    end
+  end
+
+  def should_remove_tokens_after_password_reset?
+    if Rails::VERSION::MAJOR <= 5 ||defined?('Mongoid')
+      encrypted_password_changed? &&
+        DeviseTokenAuth.remove_tokens_after_password_reset
+    else
+      saved_change_to_attribute?(:encrypted_password) &&
+        DeviseTokenAuth.remove_tokens_after_password_reset
+    end
+  end
+
+  def remove_tokens_after_password_reset
+    return unless should_remove_tokens_after_password_reset?
+
+    if tokens.present? && tokens.many?
+      client, token_data = tokens.max_by { |cid, v| v[:expiry] || v['expiry'] }
+      self.tokens = { client => token_data }
+    end
+  end
+
+  def max_client_tokens_exceeded?
+    tokens.length > DeviseTokenAuth.max_number_of_devices
+  end
+
+  def clean_old_tokens
+    if tokens.present? && max_client_tokens_exceeded?
+      # Using Enumerable#sort_by on a Hash will typecast it into an associative
+      #   Array (i.e. an Array of key-value Array pairs). However, since Hashes
+      #   have an internal order in Ruby 1.9+, the resulting sorted associative
+      #   Array can be converted back into a Hash, while maintaining the sorted
+      #   order.
+      self.tokens = tokens.sort_by { |_cid, v| v[:expiry] || v['expiry'] }.to_h
+
+      # Since the tokens are sorted by expiry, shift the oldest client token
+      #   off the Hash until it no longer exceeds the maximum number of clients
+      tokens.shift while max_client_tokens_exceeded?
+    end
+  end
+end