simple_token_authentication 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d1e730c48d4c9f3816d431719e033c8b295191ef
-  data.tar.gz: 2bf59bfe3dc641daa8ba148b9bd5ac453d240031
+  metadata.gz: 899877f6ac2eca79e1be82590f26f325d8f78cdb
+  data.tar.gz: 7c4c175d5c7bc2ee42fa766ba93842fbdeaea4bc
 SHA512:
-  metadata.gz: fc2423b6fcf422ecf6d6147a3ea3800015325214446b83423718192178d75e339e17d346f662a28396fe410699b8c0ab264c9a60ed35f8eb163fc5b1f5dbb6f3
-  data.tar.gz: 449f14e10164ed7a2c90a7b99bfe9934ed1f64b2033b31ee8fc84bd919856732ad3d62a78eb44a44471c4417474685b12178b4f5a13f352dd570b0ea5cc80d75
+  metadata.gz: 0c6c9e2369c3a66d73e3bb374a8668bbb10453a8fd6096a95dee6b4afbf494cc8d2400752e74844876eccccba04d1f8bb6e8add7bd9e437b676de8f4028578a8
+  data.tar.gz: 51c836d46edb83dec3f98404248c57e2b69604c09522216e5627f2d9a7225241e2471195ec0d9a412e66964b62d45712ad7f02faa0bc9a1c0f9379fbf3bba013

data/README.md

@@ -146,6 +146,9 @@ SimpleTokenAuthentication.configure do |config|
   # When several token authenticatable models are defined, custom header names
   # can be specified for none, any, or all of them.
   #
+  # Note: when using the identifiers options, this option behaviour is modified.
+  # Please see the example below.
+  #
   # Examples
   #
   #   Given User and SuperAdmin are token authenticatable,
@@ -156,8 +159,40 @@ SimpleTokenAuthentication.configure do |config|
   #   And the token authentification handler for SuperAdmin watches the following headers:
   #     `X-Admin-Auth-Token, X-SuperAdmin-Email`
   #
+  #   When the identifiers option is set:
+  #     `config.identifiers = { super_admin: :phone_number }`
+  #   Then both the header names identifier key and default value are modified accordingly:
+  #     `config.header_names = { super_admin: { phone_number: 'X-SuperAdmin-PhoneNumber' } }`
+  #
   # config.header_names = { user: { authentication_token: 'X-User-Token', email: 'X-User-Email' } }
 
+  # Configure the name of the attribute used to identify the user for authentication.
+  # That attribute must exist in your model.
+  #
+  # The default identifiers follow the pattern:
+  # { entity: 'email' }
+  #
+  # Note: the identifer must match your Devise configuration,
+  # see https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-sign-in-using-their-username-or-email-address#tell-devise-to-use-username-in-the-authentication_keys
+  #
+  # Note: setting this option does modify the header_names behaviour,
+  # see the header_names section above.
+  #
+  # Example:
+  #
+  #   `config.identifiers = { super_admin: 'phone_number', user: 'uuid' }`
+  #
+  # config.identifiers = { user: 'email' }
+
+  # Configure the Devise trackable strategy integration.
+  #
+  # If true, tracking is disabled for token authentication: signing in through
+  # token authentication won't modify the Devise trackable statistics.
+  #
+  # If false, given Devise trackable is configured for the relevant model,
+  # then signing in through token authentication will be tracked as any other sign in.
+  #
+  # config.skip_devise_trackable = true
 end
 ```
 
@@ -193,7 +228,7 @@ In fact, you can mix both methods and provide the `user_email` with one and the
 
 If sign-in is successful, no other authentication method will be run, but if it doesn't (the authentication params were missing, or incorrect) then Devise takes control and tries to `authenticate_user!` with its own modules. That behaviour can however be modified for any controller through the **fallback_to_devise** option.
 
-**Important**: Please do notice that controller actions whithout CSRF protection **must** disable the Devise fallback for [security reasons][csrf]. Since Rails enables CSRF protection by default, this configuration requirement should only affect controllers where you have disabled it, which may be the case of API controllers.
+**Important**: Please do notice that controller actions without CSRF protection **must** disable the Devise fallback for [security reasons][csrf]. Since Rails enables CSRF protection by default, this configuration requirement should only affect controllers where you have disabled it, which may be the case of API controllers.
 
   [csrf]: https://github.com/gonzalo-bulnes/simple_token_authentication/issues/49
 
@@ -254,7 +289,7 @@ License
 -------
 
     Simple Token Authentication
-    Copyright (C) 2013, 2014 Gonzalo Bulnes Guilpain
+    Copyright (C) 2013, 2014, 2015 Gonzalo Bulnes Guilpain
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by

data/lib/simple_token_authentication/configuration.rb

@@ -3,14 +3,17 @@ module SimpleTokenAuthentication
 
     mattr_reader   :fallback
     mattr_accessor :header_names
+    mattr_accessor :identifiers
     mattr_accessor :sign_in_token
     mattr_accessor :controller_adapters
     mattr_accessor :model_adapters
     mattr_accessor :adapters_dependencies
+    mattr_accessor :skip_devise_trackable
 
     # Default configuration
     @@fallback = :devise
     @@header_names = {}
+    @@identifiers = {}
     @@sign_in_token = false
     @@controller_adapters = ['rails', 'rails_api']
     @@model_adapters = ['active_record', 'mongoid']
@@ -18,6 +21,7 @@ module SimpleTokenAuthentication
                                 'mongoid'       => 'Mongoid::Document',
                                 'rails'         => 'ActionController::Base',
                                 'rails_api'     => 'ActionController::API' }
+    @@skip_devise_trackable = true
 
     # Allow the default configuration to be overwritten from initializers
     def configure

data/lib/simple_token_authentication/entity.rb

@@ -30,10 +30,10 @@ module SimpleTokenAuthentication
     # Private: Return the name of the header to watch for the email param
     def identifier_header_name
       if SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym].presence \
-        && identifier_header_name = SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym][:email]
+        && identifier_header_name = SimpleTokenAuthentication.header_names["#{name_underscore}".to_sym][identifier]
         identifier_header_name
       else
-        "X-#{name}-Email"
+        "X-#{name}-#{identifier.to_s.camelize}"
       end
     end
 
@@ -42,7 +42,15 @@ module SimpleTokenAuthentication
     end
 
     def identifier_param_name
-      "#{name_underscore}_email".to_sym
+      "#{name_underscore}_#{identifier}".to_sym
+    end
+
+    def identifier
+      if custom_identifier = SimpleTokenAuthentication.identifiers["#{name_underscore}".to_sym]
+        custom_identifier.to_sym
+      else
+        :email
+      end
     end
 
     def get_token_from_params_or_headers controller
@@ -54,9 +62,9 @@ module SimpleTokenAuthentication
     end
 
     def get_identifier_from_params_or_headers controller
-      # if the identifier (email) is not present among params, get it from headers
-      if email = controller.params[identifier_param_name].blank? && controller.request.headers[identifier_header_name]
-        controller.params[identifier_param_name] = email
+      # if the identifier is not present among params, get it from headers
+      if identifer_param = controller.params[identifier_param_name].blank? && controller.request.headers[identifier_header_name]
+        controller.params[identifier_param_name] = identifer_param
       end
       controller.params[identifier_param_name]
     end

data/lib/simple_token_authentication/sign_in_handler.rb

@@ -13,7 +13,7 @@ module SimpleTokenAuthentication
     def integrate_with_devise_trackable!(controller)
       # Sign in using token should not be tracked by Devise trackable
       # See https://github.com/plataformatec/devise/issues/953
-      controller.env["devise.skip_trackable"] = true
+      controller.env["devise.skip_trackable"] = SimpleTokenAuthentication.skip_devise_trackable
     end
   end
 end

data/lib/simple_token_authentication/token_authentication_handler.rb

@@ -52,26 +52,26 @@ module SimpleTokenAuthentication
     end
 
     def find_record_from_identifier(entity)
-      email = entity.get_identifier_from_params_or_headers(self).presence
+      identifier_param_value = entity.get_identifier_from_params_or_headers(self).presence
 
-      email = integrate_with_devise_case_insensitive_keys(email)
+      identifier_param_value = integrate_with_devise_case_insensitive_keys(identifier_param_value, entity)
 
       # The finder method should be compatible with all the model adapters,
       # namely ActiveRecord and Mongoid in all their supported versions.
       record = nil
-      record = email && entity.model.where(email: email).first
+      record = identifier_param_value && entity.model.where(entity.identifier => identifier_param_value).first
     end
 
     # Private: Take benefit from Devise case-insensitive keys
     #
     # See https://github.com/plataformatec/devise/blob/v3.4.1/lib/generators/templates/devise.rb#L45-L48
     #
-    # email - the original email String
+    # identifier_value - the original identifier_value String
     #
-    # Returns an email String which case follows the Devise case-insensitive keys policy
-    def integrate_with_devise_case_insensitive_keys(email)
-      email.downcase! if email && Devise.case_insensitive_keys.include?(:email)
-      email
+    # Returns an identifier String value which case follows the Devise case-insensitive keys policy
+    def integrate_with_devise_case_insensitive_keys(identifier_value, entity)
+      identifier_value.downcase! if identifier_value && Devise.case_insensitive_keys.include?(entity.identifier)
+      identifier_value
     end
 
     # Private: Get one (always the same) object which behaves as a token comprator

data/lib/simple_token_authentication/version.rb

@@ -1,3 +1,3 @@
 module SimpleTokenAuthentication
-  VERSION = "1.7.0"
+  VERSION = "1.8.0"
 end

data/spec/configuration/skip_devise_trackable_option_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe SimpleTokenAuthentication do
+
+  describe ':skip_devise_trackable option', skip_devise_trackable_option: true do
+
+    describe 'determines if token authentication should increment the tracking statistics' do
+
+      before(:each) do
+        user = double()
+        stub_const('User', user)
+        allow(user).to receive(:name).and_return('User')
+        @record = double()
+        allow(user).to receive(:find_by).and_return(@record)
+
+        # given a controller class which acts as token authentication handler
+        controller_class = Class.new
+        allow(controller_class).to receive(:before_filter)
+        controller_class.send :extend, SimpleTokenAuthentication::ActsAsTokenAuthenticationHandler
+        controller_class.acts_as_token_authentication_handler_for User
+
+        @controller = controller_class.new
+        allow(@controller).to receive(:params)
+        # and there are credentials for a record of that model in params or headers
+        allow(@controller).to receive(:get_identifier_from_params_or_headers)
+        # and both identifier and authentication token are correct
+        allow(@controller).to receive(:find_record_from_identifier).and_return(@record)
+        allow(@controller).to receive(:token_correct?).and_return(true)
+        allow(@controller).to receive(:env).and_return({})
+        allow(@controller).to receive(:sign_in)
+      end
+
+      context 'when true', public: true do
+
+        it 'instructs Devise to track token-authentication-related signins' do
+          allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return(true)
+
+          expect(@controller).to receive_message_chain(:env, :[]=).with('devise.skip_trackable', true)
+          @controller.authenticate_user_from_token
+        end
+      end
+
+      context 'when false', public: true do
+
+        it 'instructs Devise not to track token-authentication-related signins' do
+          allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return(false)
+
+          expect(@controller).to receive_message_chain(:env, :[]=).with('devise.skip_trackable', false)
+          @controller.authenticate_user_from_token
+        end
+      end
+    end
+
+    it 'can be modified from an initializer file', public: true do
+      user = double()
+      stub_const('User', user)
+      allow(user).to receive(:name).and_return('User')
+      @record = double()
+      allow(user).to receive(:find_by).and_return(@record)
+
+      # given a controller class which acts as token authentication handler
+      controller_class = Class.new
+      allow(controller_class).to receive(:before_filter)
+      controller_class.send :extend, SimpleTokenAuthentication::ActsAsTokenAuthenticationHandler
+
+      allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return('initial value')
+      # INITIALIZATION
+      # this step occurs when 'simple_token_authentication' is required
+      #
+      # given the controller class handles token authentication for a model
+      controller_class.acts_as_token_authentication_handler_for User
+
+      # RUNTIME
+      @controller = controller_class.new
+      allow(@controller).to receive(:params)
+      # and there are credentials for a record of that model in params or headers
+      allow(@controller).to receive(:get_identifier_from_params_or_headers)
+      # and both identifier and authentication token are correct
+      allow(@controller).to receive(:find_record_from_identifier).and_return(@record)
+      allow(@controller).to receive(:token_correct?).and_return(true)
+      allow(@controller).to receive(:env).and_return({})
+      allow(@controller).to receive(:sign_in)
+
+      # even if modified *after* the class was loaded
+      allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return('updated value')
+
+      # the option updated value is taken into account
+      # when token authentication is performed
+      expect(@controller).to receive_message_chain(:env, :[]=).with('devise.skip_trackable', 'updated value')
+      @controller.authenticate_user_from_token
+    end
+  end
+end
+

data/spec/lib/simple_token_authentication/configuration_spec.rb

@@ -79,6 +79,15 @@ describe SimpleTokenAuthentication::Configuration do
       end
     end
 
+    describe 'provides #skip_devise_trackable which', skip_devise_trackable_option: true do
+
+      it_behaves_like 'a configuration option', 'skip_devise_trackable'
+
+      it "defaults to true", public: true do
+        expect(@subject.skip_devise_trackable).to eq true
+      end
+    end
+
     describe 'provides #parse_options which' do
 
       describe 'replaces :fallback_to_devise by :fallback' do

data/spec/lib/simple_token_authentication/entity_spec.rb

@@ -76,7 +76,8 @@ describe SimpleTokenAuthentication::Entity do
     end
   end
 
-  describe '#identifier_header_name', protected: true do
+  describe '#identifier_header_name', protected: true, identifiers_option: true do
+
     it 'is a String' do
       expect(@subject.identifier_header_name).to be_instance_of String
     end
@@ -84,6 +85,31 @@ describe SimpleTokenAuthentication::Entity do
     it 'defines a non-standard header field' do
       expect(@subject.identifier_header_name[0..1]).to eq 'X-'
     end
+
+    it 'returns the default header for the default identifier' do
+      expect(@subject.identifier_header_name).to eq 'X-SuperUser-Email'
+    end
+
+    context 'when a custom identifier is defined' do
+
+      before(:each) do
+        allow(SimpleTokenAuthentication).to receive(:identifiers).
+          and_return({ super_user: :phone_number })
+      end
+
+      it 'returns the default header name for that custom identifier' do
+        expect(@subject.identifier_header_name).to eq 'X-SuperUser-PhoneNumber'
+      end
+
+      context 'when a custom header name is defined for that custom identifer' do
+
+        it 'returns the custom header name for that custom identifier' do
+          allow(SimpleTokenAuthentication).to receive(:header_names).
+            and_return({ super_user: { phone_number: 'X-Custom' } })
+          expect(@subject.identifier_header_name).to eq 'X-Custom'
+        end
+      end
+    end
   end
 
   describe '#token_param_name', protected: true do
@@ -92,10 +118,44 @@ describe SimpleTokenAuthentication::Entity do
     end
   end
 
-  describe '#identifier_param_name', protected: true do
+  describe '#identifier_param_name', protected: true, identifiers_option: true do
+
     it 'is a Symbol' do
       expect(@subject.identifier_param_name).to be_instance_of Symbol
     end
+
+    it 'returns the default param name for the default identifier' do
+      expect(@subject.identifier_param_name).to eq :super_user_email
+    end
+
+    context 'when a custom identifier is defined' do
+
+      it 'returns the custom param name for that identifier' do
+        allow(SimpleTokenAuthentication).to receive(:identifiers).
+          and_return({ super_user: 'phone_number' })
+        expect(@subject.identifier_param_name).to eq :super_user_phone_number
+      end
+    end
+  end
+
+  describe '#identifier', protected: true, identifiers_option: true do
+
+    it 'is a Symbol' do
+      expect(@subject.identifier).to be_instance_of Symbol
+    end
+
+    it 'returns :email' do
+      expect(@subject.identifier).to eq :email
+    end
+
+    context 'when a custom identifier is defined' do
+
+      it 'returns the custom identifier' do
+        allow(SimpleTokenAuthentication).to receive(:identifiers).
+          and_return({ super_user: 'phone_number' })
+        expect(@subject.identifier).to eq :phone_number
+      end
+    end
   end
 
   describe '#get_token_from_params_or_headers', protected: true do

data/spec/lib/simple_token_authentication/sign_in_handler_spec.rb

@@ -31,13 +31,38 @@ describe SimpleTokenAuthentication::SignInHandler do
 
   describe '#integrate_with_devise_trackable!' do
 
-    it 'ensures Devise trackable statistics are kept clean', private: true do
-      controller = double()
-      env = double()
-      allow(controller).to receive(:env).and_return(env)
-      expect(env).to receive(:[]=).with('devise.skip_trackable', true)
+    context 'when the :skip_devise_trackable option is true', skip_devise_trackable_option: true do
+
+      before(:each) do
+        allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return(true)
+      end
+
+      it 'ensures Devise trackable statistics are kept untouched', private: true do
+        controller = double()
+        env = double()
+        allow(controller).to receive(:env).and_return(env)
+        expect(env).to receive(:[]=).with('devise.skip_trackable', true)
+
+        subject.send :integrate_with_devise_trackable!, controller
+      end
+    end
 
-      subject.send :integrate_with_devise_trackable!, controller
+
+    context 'when the :skip_devise_trackable option is false', skip_devise_trackable_option: true do
+
+      before(:each) do
+        allow(SimpleTokenAuthentication).to receive(:skip_devise_trackable).and_return(false)
+      end
+
+      it 'ensures Devise trackable statistics are updated', private: true do
+        controller = double()
+        env = double()
+        allow(controller).to receive(:env).and_return(env)
+        expect(env).to receive(:[]=).with('devise.skip_trackable', false)
+
+        subject.send :integrate_with_devise_trackable!, controller
+      end
     end
   end
 end
+

data/spec/lib/simple_token_authentication/token_authentication_handler_spec.rb

@@ -139,6 +139,8 @@ describe 'Any class which includes SimpleTokenAuthentication::TokenAuthenticatio
 
     before(:each) do
       @entity = double()
+      # default identifer is :email
+      allow(@entity).to receive(:identifier).and_return(:email)
     end
 
     context 'when the Devise config. does not defines the identifier as a case-insentitive key' do
@@ -187,7 +189,6 @@ describe 'Any class which includes SimpleTokenAuthentication::TokenAuthenticatio
       end
     end
 
-
     context 'when the Devise config. defines the identifier as a case-insentitive key' do
 
       before(:each) do
@@ -234,6 +235,106 @@ describe 'Any class which includes SimpleTokenAuthentication::TokenAuthenticatio
         end
       end
     end
+
+    context 'when a custom identifier was defined', identifiers_option: true do
+
+      before(:each) do
+        allow(@entity).to receive(:identifier).and_return(:phone_number)
+      end
+
+      context 'when the Devise config. does not defines the identifier as a case-insentitive key' do
+
+        before(:each) do
+          allow(Devise).to receive_message_chain(:case_insensitive_keys, :include?)
+          .with(:phone_number).and_return(false)
+        end
+
+        context 'when a downcased identifier was provided' do
+
+          before(:each) do
+            allow(@entity).to receive(:get_identifier_from_params_or_headers)
+            .and_return('alice@example.com')
+          end
+
+          it 'returns the proper record if any' do
+            # let's say there is a record
+            record = double()
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'alice@example.com')
+            .and_return([record])
+
+            expect(subject.new.send(:find_record_from_identifier, @entity)).to eq record
+          end
+        end
+
+        context 'when a upcased identifier was provided' do
+
+          before(:each) do
+            allow(@entity).to receive(:get_identifier_from_params_or_headers)
+            .and_return('AliCe@ExampLe.Com')
+          end
+
+          it 'does not return any record' do
+            # let's say there is a record...
+            record = double()
+            # ...whose identifier is downcased...
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'alice@example.com')
+            .and_return([record])
+            # ...not upcased
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'AliCe@ExampLe.Com')
+            .and_return([])
+
+            expect(subject.new.send(:find_record_from_identifier, @entity)).to be_nil
+          end
+        end
+      end
+
+      context 'when the Devise config. defines the identifier as a case-insentitive key' do
+
+        before(:each) do
+          allow(Devise).to receive_message_chain(:case_insensitive_keys, :include?)
+          .with(:phone_number).and_return(true)
+        end
+
+        context 'and a downcased identifier was provided' do
+
+          before(:each) do
+            allow(@entity).to receive(:get_identifier_from_params_or_headers)
+            .and_return('alice@example.com')
+          end
+
+          it 'returns the proper record if any' do
+            # let's say there is a record
+            record = double()
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'alice@example.com')
+            .and_return([record])
+
+            expect(subject.new.send(:find_record_from_identifier, @entity)).to eq record
+          end
+        end
+
+        context 'and a upcased identifier was provided' do
+
+          before(:each) do
+            allow(@entity).to receive(:get_identifier_from_params_or_headers)
+            .and_return('AliCe@ExampLe.Com')
+          end
+
+          it 'returns the proper record if any' do
+            # let's say there is a record...
+            record = double()
+            # ...whose identifier is downcased...
+            allow(@entity).to receive_message_chain(:model, :where)
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'alice@example.com')
+            .and_return([record])
+            # ...not upcased
+            allow(@entity).to receive_message_chain(:model, :where).with(phone_number: 'AliCe@ExampLe.Com')
+            .and_return([])
+
+            expect(subject.new.send(:find_record_from_identifier, @entity)).to eq record
+          end
+        end
+      end
+    end
   end
 
   describe 'and which supports the :before_filter hook' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_token_authentication
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Gonzalo Bulnes Guilpain
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-27 00:00:00.000000000 Z
+date: 2015-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionmailer
@@ -165,6 +165,7 @@ files:
 - spec/configuration/fallback_to_devise_option_spec.rb
 - spec/configuration/header_names_option_spec.rb
 - spec/configuration/sign_in_token_option_spec.rb
+- spec/configuration/skip_devise_trackable_option_spec.rb
 - spec/lib/simple_token_authentication/acts_as_token_authenticatable_spec.rb
 - spec/lib/simple_token_authentication/acts_as_token_authentication_handler_spec.rb
 - spec/lib/simple_token_authentication/adapter_spec.rb
@@ -212,11 +213,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.4
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: Simple (but safe) token authentication for Rails apps or API with Devise.
 test_files:
+- spec/configuration/skip_devise_trackable_option_spec.rb
 - spec/configuration/header_names_option_spec.rb
 - spec/configuration/sign_in_token_option_spec.rb
 - spec/configuration/action_controller_callbacks_options_spec.rb