RubyGems - tiddle - Versions diffs - 1.0.2 → 1.1.0 - Mend

tiddle 1.0.2 → 1.1.0

Files changed (14) hide show

checksums.yaml +5 -5
data/.rubocop.yml +2 -0
data/.travis.yml +2 -0
data/CHANGELOG.md +7 -0
data/README.md +7 -1
data/lib/tiddle.rb +2 -2
data/lib/tiddle/strategy.rb +8 -1
data/lib/tiddle/token_issuer.rb +20 -9
data/lib/tiddle/version.rb +1 -1
data/spec/rails_app/config/application.rb +0 -2
data/spec/rails_app/db/migrate/20150217000000_create_tables.rb +1 -0
data/spec/strategy_spec.rb +38 -0
data/tiddle.gemspec +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 1fa66626fb86bdb8e5e02ff35478ba8429a8f416
-  data.tar.gz: 6cc2d9b7fb7f389a2345eb7c3eef23cb9d580b2f
+SHA256:
+  metadata.gz: 636a498dc602f9309c1baf81f3f34276aad7e710fd14d170c02ba5af381b40f1
+  data.tar.gz: 670f3801abc579331c721d66ee5cf68e46817a89bdadfc6356d0f02ce0276176
 SHA512:
-  metadata.gz: bc942083526221652b791dd9fd8f69cded955daa2f542dc7089def991997f503f08331690ec11b35d232a782d7e16bd3dfc3c964a13886044799d77e73f7d9b9
-  data.tar.gz: e5b5d147c14bc589affe4bae4623352e0f77d7be8210312f563e1d672f1eb5d3b2fa347f545ea809ac43722a5f9a141075e34e3c24d9643812c0b5ff81c063c6
+  metadata.gz: d5305d3d877befdee9203d7001f05e07ef38a3ad77abcc74563140f2217f69319d39d723be4453410b1935ed01a839995e8c296c767349b2355657b36ba7532b
+  data.tar.gz: c114628903a18817a6a99ab3e233639d4e2c428e7216c06e46eed4407aac243f89533db8cae5edf05335d351c4903ea3559da60e1b42821b3c98ffdbf984eb0b

data/.rubocop.yml CHANGED

@@ -26,3 +26,5 @@ Naming/FileName:
 Metrics/BlockLength:
   Exclude:
     - 'spec/**/*'
+Metrics/MethodLength:
+  Max: 15

data/.travis.yml CHANGED

@@ -1,8 +1,10 @@
 language: ruby
+before_install: gem update --system
 rvm:
   - "2.2.8"
   - "2.3.5"
   - "2.4.2"
+  - "2.5.0"
 gemfile:
   - "gemfiles/rails4.2.gemfile"
   - "gemfiles/rails5.0.gemfile"

data/CHANGELOG.md CHANGED

@@ -1,3 +1,10 @@
+### 1.1.0
+New feature: optional token expiration after period of inactivity - #37
+You have to add `expires_in` field to the database table holding the tokens
+to benefit from this feature.
 ### 1.0.0
 No major changes - just a stable version release.

data/README.md CHANGED

@@ -40,7 +40,7 @@ end
 2) Generate the model which stores authentication tokens. The model name is not important, but the Devise-enabled model should have association called ```authentication_tokens```.
 ```
-rails g model AuthenticationToken body:string user:references last_used_at:datetime ip_address:string user_agent:string
+rails g model AuthenticationToken body:string:index user:references last_used_at:datetime expires_in:integer ip_address:string user_agent:string
 ```
 ```ruby
@@ -111,3 +111,9 @@ Change ```config.authentication_keys``` in Devise intitializer and Tiddle will u
 Usually it makes sense to remove user's tokens after a password change. Depending on the project and on your taste, this can be done using various methods like running `user.authentication_tokens.destroy_all` after the password change or with an `after_save` callback in your model which runs `authentication_tokens.destroy_all if encrypted_password_changed?`.
 In case of a security breach, remove all existing tokens.
+Tokens are expiring after certain period of inactivity. This behavior is optional. If you want your token to expire, create it passing `expires_in` option:
+```ruby
+token = Tiddle.create_and_return_token(user, request, expires_in: 1.month)
+```

data/lib/tiddle.rb CHANGED

@@ -5,8 +5,8 @@ require "tiddle/rails"
 require "tiddle/token_issuer"
 module Tiddle
-  def self.create_and_return_token(resource, request)
-    TokenIssuer.build.create_and_return_token(resource, request)
+  def self.create_and_return_token(resource, request, options = {})
+    TokenIssuer.build.create_and_return_token(resource, request, options)
   end
   def self.expire_token(resource, request)

data/lib/tiddle/strategy.rb CHANGED

@@ -12,7 +12,7 @@ module Devise
         return fail(:invalid_token) unless resource
         token = Tiddle::TokenIssuer.build.find_token(resource, token_from_headers)
-        if token
+        if token && unexpired?(token)
           touch_token(token)
           return success!(resource)
         end
@@ -51,6 +51,13 @@ module Devise
       def touch_token(token)
         token.update_attribute(:last_used_at, Time.current) if token.last_used_at < 1.hour.ago
       end
+      def unexpired?(token)
+        return true unless token.respond_to?(:expires_in)
+        return true if token.expires_in.blank? || token.expires_in.zero?
+        Time.current <= token.last_used_at + token.expires_in
+      end
     end
   end
 end

data/lib/tiddle/token_issuer.rb CHANGED

@@ -12,15 +12,13 @@ module Tiddle
       self.maximum_tokens_per_user = maximum_tokens_per_user
     end
-    def create_and_return_token(resource, request)
+    def create_and_return_token(resource, request, expires_in: nil)
       token_class = authentication_token_class(resource)
       token, token_body = Devise.token_generator.generate(token_class, :body)
-      resource.authentication_tokens
-              .create! body: token_body,
-                       last_used_at: Time.current,
-                       ip_address: request.remote_ip,
-                       user_agent: request.user_agent
+      resource.authentication_tokens.create!(
+        token_attributes(token_body, request, expires_in)
+      )
       token
     end
@@ -33,9 +31,7 @@ module Tiddle
     def find_token(resource, token_from_headers)
       token_class = authentication_token_class(resource)
       token_body = Devise.token_generator.digest(token_class, :body, token_from_headers)
-      resource.authentication_tokens.detect do |token|
-        Devise.secure_compare(token.body, token_body)
-      end
+      resource.authentication_tokens.find_by(body: token_body)
     end
     def purge_old_tokens(resource)
@@ -52,5 +48,20 @@ module Tiddle
     def authentication_token_class(resource)
       resource.association(:authentication_tokens).klass
     end
+    def token_attributes(token_body, request, expires_in)
+      attributes = {
+        body: token_body,
+        last_used_at: Time.current,
+        ip_address: request.remote_ip,
+        user_agent: request.user_agent
+      }
+      if expires_in
+        attributes.merge(expires_in: expires_in)
+      else
+        attributes
+      end
+    end
   end
 end

data/lib/tiddle/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Tiddle
-  VERSION = "1.0.2".freeze
+  VERSION = "1.1.0".freeze
 end

data/spec/rails_app/config/application.rb CHANGED

@@ -1,10 +1,8 @@
 require File.expand_path('../boot', __FILE__)
 require "active_model/railtie"
-require "active_job/railtie"
 require "active_record/railtie"
 require "action_controller/railtie"
-require "action_mailer/railtie"
 require "action_view/railtie"
 module RailsApp

data/spec/rails_app/db/migrate/20150217000000_create_tables.rb CHANGED

@@ -56,6 +56,7 @@ class CreateTables < migration_class
       t.string :body, null: false
       t.references :authenticatable, null: false, polymorphic: true
       t.datetime :last_used_at, null: false
+      t.integer :expires_in, null: false, default: 0
       t.string :ip_address
       t.string :user_agent

data/spec/strategy_spec.rb CHANGED

@@ -159,4 +159,42 @@ describe "Authentication using Tiddle strategy", type: :request do
       expect(response.status).to eq 200
     end
   end
+  context "when token has expires_in set up" do
+    before do
+      @user = User.create!(email: "test@example.com", password: "12345678")
+      @token = Tiddle.create_and_return_token(@user, FakeRequest.new, expires_in: 1.week)
+    end
+    describe "token is not expired" do
+      it "does allow to access endpoints which require authentication" do
+        warningless_get(
+          secrets_path,
+          headers: {
+            "X-USER-EMAIL" => "test@example.com",
+            "X-USER-TOKEN" => @token
+          }
+        )
+        expect(response.status).to eq 200
+      end
+    end
+    describe "token is expired" do
+      before do
+        token = @user.authentication_tokens.order(:id).last
+        token.update_attribute(:last_used_at, 1.month.ago)
+      end
+      it "does not allow to access endpoints which require authentication" do
+        warningless_get(
+          secrets_path,
+          headers: {
+            "X-USER-EMAIL" => "test@example.com",
+            "X-USER-TOKEN" => @token
+          }
+        )
+        expect(response.status).to eq 401
+      end
+    end
+  end
 end

data/tiddle.gemspec CHANGED

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.2.0'
-  spec.add_dependency "devise", ">= 4.0.0.rc1", "< 4.4"
+  spec.add_dependency "devise", ">= 4.0.0.rc1", "< 4.5"
   spec.add_dependency "activerecord", ">= 4.2.0"
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 12.0"

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tiddle
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.1.0
 platform: ruby
 authors:
 - Adam Niedzielski
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-12-14 00:00:00.000000000 Z
+date: 2018-03-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -19,7 +19,7 @@ dependencies:
         version: 4.0.0.rc1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.4'
+        version: '4.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: 4.0.0.rc1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '4.4'
+        version: '4.5'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -224,7 +224,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.13
+rubygems_version: 2.7.3
 signing_key:
 specification_version: 4
 summary: Token authentication for Devise which supports multiple tokens per model