simple_token_authentication 1.5.1 → 1.5.2

data/lib/simple_token_authentication/configuration.rb

@@ -1,15 +1,40 @@
 module SimpleTokenAuthentication
   module Configuration
 
+    mattr_reader   :fallback
     mattr_accessor :header_names
     mattr_accessor :sign_in_token
+    mattr_accessor :controller_adapters
+    mattr_accessor :model_adapters
 
     # Default configuration
+    @@fallback = :devise
     @@header_names = {}
     @@sign_in_token = false
+    @@controller_adapters = ['rails']
+    @@model_adapters = ['active_record']
 
+    # Allow the default configuration to be overwritten from initializers
     def configure
       yield self if block_given?
     end
+
+    def parse_options(options)
+      unless options[:fallback].presence
+        if options[:fallback_to_devise]
+          options[:fallback] = :devise
+        elsif options[:fallback_to_devise] == false
+          if SimpleTokenAuthentication.fallback == :devise
+              options[:fallback] = :none
+          else
+            options[:fallback] = SimpleTokenAuthentication.fallback
+          end
+        else
+          options[:fallback] = SimpleTokenAuthentication.fallback
+        end
+      end
+      options.reject! { |k,v| k == :fallback_to_devise }
+      options
+    end
   end
 end

data/lib/simple_token_authentication/entities_manager.rb

@@ -0,0 +1,10 @@
+require 'simple_token_authentication/entity'
+
+module SimpleTokenAuthentication
+  class EntitiesManager
+    def find_or_create_entity(model)
+      @entities ||= {}
+      @entities[model.name] ||= Entity.new(model)
+    end
+  end
+end

data/lib/simple_token_authentication/entity.rb

@@ -0,0 +1,64 @@
+module SimpleTokenAuthentication
+  class Entity
+    def initialize model
+      @model = model
+      @name = model.name
+    end
+
+    def model
+      @model
+    end
+
+    def name
+      @name
+    end
+
+    def name_underscore
+      name.underscore
+    end
+
+    # Private: Return the name of the header to watch for the token authentication param
+    def token_header_name
+      if SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym].presence \
+        && token_header_name = SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym][:authentication_token]
+        token_header_name
+      else
+        "X-#{name}-Token"
+      end
+    end
+
+    # Private: Return the name of the header to watch for the email param
+    def identifier_header_name
+      if SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym].presence \
+        && identifier_header_name = SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym][:email]
+        identifier_header_name
+      else
+        "X-#{name}-Email"
+      end
+    end
+
+    def token_param_name
+      "#{name_underscore}_token".to_sym
+    end
+
+    def identifier_param_name
+      "#{name_underscore}_email".to_sym
+    end
+
+    def get_token_from_params_or_headers controller
+      # if the token is not present among params, get it from headers
+      if token = controller.params[token_param_name].blank? && controller.request.headers[token_header_name]
+        controller.params[token_param_name] = token
+      end
+      controller.params[token_param_name]
+    end
+
+    def get_identifier_from_params_or_headers controller
+      # if the identifier (email) is not present among params, get it from headers
+      if email = controller.params[identifier_param_name].blank? && controller.request.headers[identifier_header_name]
+        controller.params[identifier_param_name] = email
+      end
+      controller.params[identifier_param_name]
+    end
+  end
+end

data/lib/simple_token_authentication/fallback_authentication_handler.rb

@@ -0,0 +1,11 @@
+module SimpleTokenAuthentication
+  class FallbackAuthenticationHandler
+    # Devise authentication is performed through a controller
+    # which includes Devise::Controllers::Helpers
+    # See http://rdoc.info/github/plataformatec/devise/master/\
+    #            Devise/Controllers/Helpers#define_helpers-class_method
+    def authenticate_entity!(controller, entity)
+      controller.send("authenticate_#{entity.name_underscore}!".to_sym)
+    end
+  end
+end

data/lib/simple_token_authentication/sign_in_handler.rb

@@ -0,0 +1,19 @@
+module SimpleTokenAuthentication
+  class SignInHandler
+    # Devise sign in is performed through a controller
+    # which includes Devise::Controllers::SignInOut
+    def sign_in(controller, record, *args)
+      integrate_with_devise_trackable!(controller)
+
+      controller.send(:sign_in, record, *args)
+    end
+
+    private
+
+    def integrate_with_devise_trackable!(controller)
+      # Sign in using token should not be tracked by Devise trackable
+      # See https://github.com/plataformatec/devise/issues/953
+      controller.env["devise.skip_trackable"] = true
+    end
+  end
+end

data/lib/simple_token_authentication/token_authentication_handler.rb

@@ -0,0 +1,138 @@
+require 'action_controller/base'
+require 'active_support/concern'
+
+require 'simple_token_authentication/entities_manager'
+require 'simple_token_authentication/fallback_authentication_handler'
+require 'simple_token_authentication/sign_in_handler'
+require 'simple_token_authentication/token_authentication_handler'
+require 'simple_token_authentication/token_comparator'
+
+module SimpleTokenAuthentication
+  module TokenAuthenticationHandler
+    extend ::ActiveSupport::Concern
+
+    included do
+      private_class_method :define_token_authentication_helpers_for
+      private_class_method :set_token_authentication_hooks
+      private_class_method :fallback_authentication_handler
+
+      private :authenticate_entity_from_token!
+      private :authenticate_entity_from_fallback!
+      private :token_correct?
+      private :perform_sign_in!
+      private :token_comparator
+      private :sign_in_handler
+      private :find_record_from_identifier
+
+      # This is necessary to test which arguments were passed to sign_in
+      # from authenticate_entity_from_token!
+      # See https://github.com/gonzalo-bulnes/simple_token_authentication/pull/32
+      ::ActionController::Base.send :include, Devise::Controllers::SignInOut if Rails.env.test?
+    end
+
+    def authenticate_entity_from_token!(entity)
+      record = find_record_from_identifier(entity)
+
+      if token_correct?(record, entity, token_comparator)
+        perform_sign_in!(record, sign_in_handler)
+      end
+    end
+
+    def authenticate_entity_from_fallback!(entity, fallback_authentication_handler)
+      fallback_authentication_handler.authenticate_entity!(self, entity)
+    end
+
+    def token_correct?(record, entity, token_comparator)
+      record && token_comparator.compare(record.authentication_token,
+                                         entity.get_token_from_params_or_headers(self))
+    end
+
+    def perform_sign_in!(record, sign_in_handler)
+      # Notice the store option defaults to false, so the record
+      # identifier is not actually stored in the session and a token
+      # is needed for every request. That behaviour can be configured
+      # through the sign_in_token option.
+      sign_in_handler.sign_in self, record, store: SimpleTokenAuthentication.sign_in_token
+    end
+
+    def find_record_from_identifier(entity)
+      email = entity.get_identifier_from_params_or_headers(self).presence
+
+      # Rails 3 and 4 finder methods are supported,
+      # see https://github.com/ryanb/cancan/blob/1.6.10/lib/cancan/controller_resource.rb#L108-L111
+      record = nil
+      if entity.model.respond_to? "find_by"
+        record = email && entity.model.find_by(email: email)
+      elsif entity.model.respond_to? "find_by_email"
+        record = email && entity.model.find_by_email(email)
+      end
+    end
+
+    def token_comparator
+      @@token_comparator ||= TokenComparator.new
+    end
+
+    def sign_in_handler
+      @@sign_in_handler ||= SignInHandler.new
+    end
+
+    module ClassMethods
+
+      # Provide token authentication handling for a token authenticatable class
+      #
+      # model - the token authenticatable Class
+      #
+      # Returns nothing.
+      def handle_token_authentication_for(model, options = {})
+        entity = entities_manager.find_or_create_entity(model)
+        options = SimpleTokenAuthentication.parse_options(options)
+        define_token_authentication_helpers_for(entity, fallback_authentication_handler)
+        set_token_authentication_hooks(entity, options)
+      end
+
+      def entities_manager
+        if class_variable_defined?(:@@entities_manager)
+          class_variable_get(:@@entities_manager)
+        else
+          class_variable_set(:@@entities_manager, EntitiesManager.new)
+        end
+      end
+
+      def fallback_authentication_handler
+        if class_variable_defined?(:@@fallback_authentication_handler)
+          class_variable_get(:@@fallback_authentication_handler)
+        else
+          class_variable_set(:@@fallback_authentication_handler, FallbackAuthenticationHandler.new)
+        end
+      end
+
+      def define_token_authentication_helpers_for(entity, fallback_authentication_handler)
+
+        method_name = "authenticate_#{entity.name_underscore}_from_token"
+        method_name_bang = method_name + '!'
+
+        class_eval do
+          define_method method_name.to_sym do
+            lambda { |entity| authenticate_entity_from_token!(entity) }.call(entity)
+          end
+
+          define_method method_name_bang.to_sym do
+            lambda do |entity|
+              authenticate_entity_from_token!(entity)
+              authenticate_entity_from_fallback!(entity, fallback_authentication_handler)
+            end.call(entity)
+          end
+        end
+      end
+
+      def set_token_authentication_hooks(entity, options)
+        authenticate_method = unless options[:fallback] == :none
+          :"authenticate_#{entity.name_underscore}_from_token!"
+        else
+          :"authenticate_#{entity.name_underscore}_from_token"
+        end
+        before_filter authenticate_method, options.slice(:only, :except)
+      end
+    end
+  end
+end

data/lib/simple_token_authentication/token_comparator.rb

@@ -0,0 +1,13 @@
+require 'devise'
+
+module SimpleTokenAuthentication
+  class TokenComparator
+    def compare(a, b)
+      # Notice how we use Devise.secure_compare to compare tokens
+      # while mitigating timing attacks.
+      # See http://rubydoc.info/github/plataformatec/\
+      #            devise/master/Devise#secure_compare-class_method
+      Devise.secure_compare(a, b)
+    end
+  end
+end

data/lib/simple_token_authentication/token_generator.rb

@@ -0,0 +1,9 @@
+require 'devise'
+
+module SimpleTokenAuthentication
+  class TokenGenerator
+    def generate_token
+      Devise.friendly_token
+    end
+  end
+end

data/lib/simple_token_authentication/version.rb

@@ -1,3 +1,3 @@
 module SimpleTokenAuthentication
-  VERSION = "1.5.1"
+  VERSION = "1.5.2"
 end

data/spec/configuration/action_controller_callbacks_options_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'ActionController', action_controller_callbacks_options: true do
+
+  after(:each) do
+    ensure_examples_independence
+  end
+
+  before(:each) do
+    double_user_model
+    define_test_subjects_for_extension_of(SimpleTokenAuthentication::ActsAsTokenAuthenticationHandler)
+  end
+
+  describe ':only option' do
+
+    context 'when provided to `acts_as_token_authentication_hanlder_for`' do
+
+      it 'is applied to the corresponding callback (1)', rspec_3_error: true, private: true do
+        some_class = @subjects.first
+
+        expect(some_class).to receive(:before_filter).with(:authenticate_user_from_token!, { only: ['some_action', :some_other_action] })
+        some_class.acts_as_token_authentication_handler_for User, only: ['some_action', :some_other_action]
+      end
+
+      it 'is applied to the corresponding callback (2)', rspec_3_error: true, private: true do
+        some_child_class = @subjects.last
+
+        expect(some_child_class).to receive(:before_filter).with(:authenticate_user_from_token!, { only: ['some_action', :some_other_action] })
+        some_child_class.acts_as_token_authentication_handler_for User, only: ['some_action', :some_other_action]
+      end
+    end
+  end
+
+  describe ':except option' do
+
+    context 'when provided to `acts_as_token_authentication_hanlder_for`' do
+
+      it 'is applied to the corresponding callback (1)', rspec_3_error: true, private: true do
+        some_class = @subjects.first
+
+        expect(some_class).to receive(:before_filter).with(:authenticate_user_from_token!, { except: ['some_action', :some_other_action] })
+        some_class.acts_as_token_authentication_handler_for User, except: ['some_action', :some_other_action]
+      end
+
+      it 'is applied to the corresponding callback (2)', rspec_3_error: true, private: true do
+        some_child_class = @subjects.last
+
+        expect(some_child_class).to receive(:before_filter).with(:authenticate_user_from_token!, { except: ['some_action', :some_other_action] })
+        some_child_class.acts_as_token_authentication_handler_for User, except: ['some_action', :some_other_action]
+      end
+    end
+  end
+end

data/spec/configuration/fallback_to_devise_option_spec.rb

@@ -0,0 +1,128 @@
+require 'spec_helper'
+
+describe 'Simple Token Authentication' do
+
+  describe ':fallback_to_devise option', fallback_to_devise_option: true, fallback_option: true do
+
+    describe 'determines what to do if token authentication fails' do
+
+      before(:each) do
+        user = double()
+        stub_const('User', user)
+        allow(user).to receive(:name).and_return('User')
+
+        # given a controller class which acts as token authentication handler
+        @controller_class = Class.new
+        allow(@controller_class).to receive(:before_filter)
+        @controller_class.send :extend, SimpleTokenAuthentication::ActsAsTokenAuthenticationHandler
+      end
+
+      context 'when true' do
+
+        it 'delegates authentication to Devise strategies', protected: true do
+          @controller = @controller_class.new
+          allow(@controller).to receive(:params)
+          allow(@controller).to receive(:find_record_from_identifier)
+
+          # sets :authenticate_user_from_token! (bang) in the before_filter
+          expect(@controller_class).to receive(:before_filter).with(:authenticate_user_from_token!, {})
+
+          # when falling back to Devise is enabled
+          @controller_class.acts_as_token_authentication_handler_for User, fallback_to_devise: true
+
+          # when the hook is triggered
+          # Devise strategies take control of authentication
+          expect(@controller).to receive(:authenticate_user!)
+          @controller.authenticate_user_from_token! # bang
+        end
+      end
+
+      context 'when false' do
+
+        it 'does nothing after token authentication fails', protected: true do
+          @controller = @controller_class.new
+          allow(@controller).to receive(:params)
+          allow(@controller).to receive(:find_record_from_identifier)
+
+          # sets :authenticate_user_from_token (non-bang) in the before_filter
+          expect(@controller_class).to receive(:before_filter).with(:authenticate_user_from_token, {})
+
+          # when falling back to Devise is enabled
+          @controller_class.acts_as_token_authentication_handler_for User, fallback_to_devise: false
+
+          # when the hook is triggered
+          # Devise strategies do not take control of authentication
+          expect(@controller).not_to receive(:authenticate_user!)
+          @controller.authenticate_user_from_token # non-bang
+        end
+      end
+
+      context 'when omitted' do
+
+        it 'delegates authentication to Devise strategies', protected: true do
+          @controller = @controller_class.new
+          allow(@controller).to receive(:params)
+          allow(@controller).to receive(:find_record_from_identifier)
+
+          # sets :authenticate_user_from_token! (bang) in the before_filter
+          expect(@controller_class).to receive(:before_filter).with(:authenticate_user_from_token!, {})
+
+          # when falling back to Devise is enabled
+          @controller_class.acts_as_token_authentication_handler_for User
+
+          # when the hook is triggered
+          # Devise strategies take control of authentication
+          expect(@controller).to receive(:authenticate_user!)
+          @controller.authenticate_user_from_token! # bang
+        end
+      end
+
+      describe 'in a per-model (token authenticatable) way' do
+
+        before(:each) do
+          admin = double()
+          stub_const('Admin', admin)
+          allow(admin).to receive(:name).and_return('Admin')
+        end
+
+        context 'when false for User and true for Admin' do
+
+          before(:each) do
+            @controller = @controller_class.new
+            allow(@controller).to receive(:params)
+            allow(@controller).to receive(:find_record_from_identifier)
+
+            # sets :authenticate_user_from_token (non-bang) in the before_filter
+            expect(@controller_class).to receive(:before_filter).with(:authenticate_user_from_token, {})
+            # sets :authenticate_admin_from_token! (bang) in the before_filter
+            expect(@controller_class).to receive(:before_filter).with(:authenticate_admin_from_token!, {})
+
+            # when falling back to Devise is enabled for Admin but not User
+            @controller_class.acts_as_token_authentication_handler_for User, fallback_to_devise: false
+            @controller_class.acts_as_token_authentication_handler_for Admin, fallback_to_devise: true
+          end
+
+          context 'after no user suceeds token authentication' do
+
+            it 'does nothing', protected: true do
+              # when the user hook is triggered
+              # Devise strategies do not take control of authentication
+              expect(@controller).not_to receive(:authenticate_user!)
+              @controller.authenticate_user_from_token
+            end
+          end
+
+          context 'after no admin succeeds token authentication' do
+
+            it 'does delegate authentication to Devise', protected: true do
+              # when the admin hook is triggered
+              # Devise strategies do take control of authentication
+              expect(@controller).to receive(:authenticate_admin!)
+              @controller.authenticate_admin_from_token!
+            end
+          end
+        end
+      end
+    end
+  end
+end