RubyGems - token_authenticate_me - Versions diffs - 0.2.0 - Mend

token_authenticate_me 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

data/lib/token_authenticate_me/controllers/sessionable.rb ADDED Viewed

@@ -0,0 +1,63 @@
+require 'active_support/concern'
+require 'token_authenticate_me/controllers/token_authenticateable'
+module TokenAuthenticateMe
+  module Controllers
+    module Sessionable
+      extend ActiveSupport::Concern
+      include TokenAuthenticateMe::Controllers::TokenAuthenticateable
+      included do
+        skip_before_action :authenticate, only: [:create]
+        after_action :cleanup_sessions, only: [:destroy]
+        def create
+          resource = User.where('username=? OR email=?', params[:username], params[:username]).first
+          if resource && resource.authenticate(params[:password])
+            @session = Session.create(user_id: resource.id)
+            render json: serialize_session(@session), status: 201
+          else
+            render json: { message: 'Bad credentials' }, status: 401
+          end
+        end
+        def show
+          @session = authenticate_token
+          render json: serialize_session(@session)
+        end
+        def destroy
+          authenticate_token.destroy
+          render status: 204, nothing: true
+        rescue
+          render_unauthorized
+        end
+        private
+        def serialize_session(session)
+          {
+            session: {
+              key: session.key,
+              user_id: session.user_id,
+              expiration: session.expiration
+            }
+          }
+        end
+        def session_params
+          params.permit(:username, :email, :password)
+        end
+        def cleanup_sessions
+          ApiSession.where('expiration < ?', DateTime.now).delete_all
+        rescue
+          Rails.logger.warn 'Error cleaning up old authentication sessions'
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/controllers/token_authenticateable.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'active_support/concern'
+module TokenAuthenticateMe
+  module Controllers
+    module TokenAuthenticateable
+      extend ActiveSupport::Concern
+      included do
+        before_action :authenticate
+      end
+      protected
+      def authenticate
+        authenticate_token || render_unauthorized
+      end
+      def current_user
+        if authenticate_token
+          @current_user ||= User.find_by_id(authenticate_token.user_id)
+        else
+          nil
+        end
+      end
+      def authenticate_token
+        @session ||= authenticate_with_http_token do |token, _options|
+          session = Session.find_by_key(token)
+          if session && session.expiration > DateTime.now
+            session
+          else
+            false
+          end
+        end
+      end
+      def render_unauthorized
+        headers['WWW-Authenticate'] = 'Token realm="Application"'
+        render json: 'Bad credentials', status: 401
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/engine.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module TokenAuthenticateMe
+  class Engine < Rails::Engine
+    # engine_name :token_authenticate_me
+  end
+end

data/lib/token_authenticate_me/models/authenticatable.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'active_support/concern'
+module TokenAuthenticateMe
+  module Models
+    module Authenticatable
+      extend ActiveSupport::Concern
+      included do
+        has_secure_password
+        validates(
+          :email,
+          presence: true,
+          uniqueness: { case_sensitive: false }
+        )
+        validates(
+          :username,
+          format: { with: /\A[a-zA-Z0-9]+\Z/ },
+          presence: true,
+          uniqueness: { case_sensitive: false }
+        )
+        def create_reset_token!
+          # rubocop:disable Lint/Loop
+          begin
+            self.reset_password_token = SecureRandom.hex
+          end while self.class.exists?(reset_password_token: reset_password_token)
+          self.reset_password_token_exp = password_expiration_hours.hours.from_now
+          self.save!
+        end
+        def password_expiration_hours
+          8
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/models/sessionable.rb ADDED Viewed

@@ -0,0 +1,27 @@
+require 'active_support/concern'
+module TokenAuthenticateMe
+  module Models
+    module Sessionable
+      extend ActiveSupport::Concern
+      included do
+        before_create :generate_unique_key
+        private
+        def generate_unique_key
+          begin
+            self.key = SecureRandom.hex
+          end while self.class.exists?(key: key) # rubocop:disable Lint/Loop
+          self.expiration = expiration_hours.hours.from_now
+        end
+        def expiration_hours
+          24
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module TokenAuthenticateMe
+  VERSION = '0.2.0'
+end

data/spec/acceptance/password_reset_api_spec.rb ADDED Viewed

@@ -0,0 +1,111 @@
+require 'spec_helper'
+describe 'Password Reset API' do
+  it 'resets the users password when called with the correct token' do
+    user = create_user
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+    expect(last_response.status).to eq(204)
+    expect(User.find(user.id).password_digest).not_to eq(encrypted_pw)
+  end
+  it 'does not allow replay attacks' do
+    user = create_user
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+    expect(last_response.status).to eq(204)
+    expect(User.find(user.id).password_digest).not_to eq(encrypted_pw)
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+    expect(last_response.status).to eq(404)
+  end
+  it 'fails to reset the users password when the confirmation does not match' do
+    user = create_user
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test_ops'
+    expect(last_response.status).to eq(422)
+    expect(User.find(user.id).password_digest).to eq(encrypted_pw)
+  end
+  it 'raises a routing error when called with an empty token' do
+    user = create_user
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    expect do
+      put '/password_resets//',  password: 'test', password_confirmation: 'test'
+    end.to raise_error(ActionController::RoutingError)
+    expect(User.find(user.id).password_digest).to eq(encrypted_pw)
+  end
+  it 'returns a 404 when reset is requested with a bad token' do
+    user = create_user
+    user.create_reset_token!
+    put '/password_resets/' + SecureRandom.hex.to_s + '/',
+        password: 'test', password_confirmation: 'test'
+    expect(last_response.status).to eq(404)
+  end
+  it 'returns a 204 when a password reset is requested with a valid e-mail' do
+    user = create_user
+    post '/password_resets/',  email: user.email
+    expect(last_response.status).to eq(204)
+  end
+  it 'returns a 204 when a password reset is requested with a invalid e-mail' do
+    user = create_user # rubocop:disable Lint/UselessAssignment
+    post '/password_resets/',  email: 'foo@bar.com'
+    expect(last_response.status).to eq(204)
+  end
+  it 'sends a valid e-mail when a password reset is requested with a valid e-mail' do
+    user = create_user
+    post '/password_resets/',  email: user.email
+    mail = ActionMailer::Base.deliveries.last
+    expect(mail['to'].to_s).to eq(user.email)
+    expect(mail['subject'].to_s).to eq('Password Reset')
+  end
+  it 'sends a invalid e-mail when a password reset is requested with a invalid e-mail' do
+    user = create_user # rubocop:disable Lint/UselessAssignment
+    email = 'foo@bar.com'
+    post '/password_resets/',  email: email
+    mail = ActionMailer::Base.deliveries.last
+    expect(mail['to'].to_s).to eq(email)
+    expect(mail['subject'].to_s).to eq('Password Reset Error')
+  end
+end

data/spec/acceptance/session_api_spec.rb ADDED Viewed

@@ -0,0 +1,95 @@
+require 'spec_helper'
+describe 'Session API' do
+  it 'creates a new session when authenticating with a username and password' do
+    password = 'text'
+    user = create_user(password: password)
+    post '/session/',
+         username: user.username, password: password
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+  it 'creates a new session when authenticating with a email and password' do
+    password = 'text'
+    user = create_user(password: password)
+    post '/session/',
+         username: user.email, password: password
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+  it 'fails to create a new session when authenticating with an invalid password' do
+    password = 'text'
+    user = create_user(password: password)
+    post '/session/',
+         username: user.email, password: 'not_test'
+    expect(last_response.status).to eq(401)
+  end
+  it 'fetches an existing session when authenticated' do
+    password = 'text'
+    user = create_user(password: password)
+    post '/session/',
+         username: user.email, password: password
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+    header 'Authorization', 'Token token=' + json['session']['key']
+    get '/session/'
+    expect(last_response.status).to eq(200)
+    json = JSON.parse(last_response.body)
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+  it 'fetching an expired session fails' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    session.update!(expiration: 5.minutes.ago)
+    header 'Authorization', 'Token token=' + session.key
+    get '/session/'
+    expect(last_response.status).to eq(401)
+  end
+  it 'destroying an existing session succeeds' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    header 'Authorization', 'Token token=' + session.key
+    delete '/session/'
+    expect(last_response.status).to eq(204)
+  end
+  it 'destroying an expired session fails' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    session.update!(expiration: 5.minutes.ago)
+    header 'Authorization', 'Token token=' + session.key
+    delete '/session/'
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/acceptance/users_api_spec.rb ADDED Viewed

@@ -0,0 +1,56 @@
+require 'spec_helper'
+describe 'Users API' do
+  it 'creates a new user when unauthenticated' do
+    username = 'test'
+    password = 'test'
+    email = 'test'
+    post '/users/',
+         user: {
+           username: username,
+           password: password,
+           password_confirmation: password,
+           email: email
+         }
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+    expect(json['user']).not_to be_nil
+    expect(json['user']['username']).to eq(username)
+    expect(json['user']['email']).to eq(email)
+  end
+  it 'fails to create a new user when the password confirmation does not match' do
+    username = 'test'
+    password = 'test'
+    email = 'test'
+    post '/users/',
+         user: {
+           username: username,
+           password: password,
+           password_confirmation: 'invalid',
+           email: email
+         }
+    expect(last_response.status).to eq(422)
+  end
+  it 'succeeds to list users when authenticated' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    header 'Authorization', 'Token token=' + session.key
+    get '/users/'
+    expect(last_response.status).to eq(200)
+  end
+  it 'fails to list users without being authenticated' do
+    get '/users/'
+    expect(last_response.status).to eq(401)
+  end
+end