xing_backend_token_auth 0.1.31

data/app/controllers/devise_token_auth/registrations_controller.rb

@@ -0,0 +1,99 @@
+module DeviseTokenAuth
+  class RegistrationsController < DeviseTokenAuth::ApplicationController
+
+    before_filter :set_user_by_token, :only => [:destroy, :update]
+    skip_after_filter :update_auth_header, :only => [:create, :destroy]
+
+    respond_to :json
+
+    def create
+      build_resource(sign_up_params)
+
+      resource.uid        = sign_up_params[resource_class.authentication_keys.first]
+
+      # success redirect url is required
+      unless !defined?(resource.confirmed?) or params[:confirm_success_url]
+        return render json: {
+          status: 'error',
+          data:   resource,
+          errors: ["Missing `confirm_success_url` param."]
+        }, status: 403
+      end
+
+      begin
+         # override email confirmation, must be sent manually from ctrl
+        User.skip_callback("create", :after, :send_on_create_confirmation_instructions)
+
+	      if resource.save
+          if defined?(resource.confirmed?) and !resource.confirmed?
+            resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: params[:confirm_success_url]
+            })
+          else
+            # email auth has been bypassed, authenticate user
+            @user      = resource
+            @client_id = SecureRandom.urlsafe_base64(nil, false)
+            @token     = SecureRandom.urlsafe_base64(nil, false)
+
+            @user.tokens[@client_id] = {
+              token: BCrypt::Password.create(@token),
+              expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+            }
+
+            @user.save!
+
+            update_auth_header
+          end
+
+          render json: resource_serializer(resource)
+        else
+          clean_up_passwords resource
+          render json: error_serializer(resource), status: 403
+        end
+      rescue ActiveRecord::RecordNotUnique
+        clean_up_passwords resource
+        render json: error_serializer(resource, "An account already exists for #{resource.send(resource_class.authentication_keys.first)}"), status: 403
+      end
+    end
+
+    def update
+      if @user
+        if @user.update_attributes(account_update_params)
+          render json: resource_serializer(@user)
+        else
+          render json: error_serializer(@user), status: 403
+        end
+      else
+        render json: error_messages("User not found."), status: 404
+      end
+    end
+
+    def destroy
+      if @user
+        @user.destroy
+
+        render json: success_message("Account with uid #{@user.uid} has been destroyed.")
+      else
+        render json: error_messages("Unable to locate account for destruction."), status: 404
+      end
+    end
+
+    def build_resource(hash=nil)
+      self.resource = resource_class.new_with_session(hash || {}, session)
+    end
+
+    def sign_up_params
+      devise_parameter_sanitizer.sanitize(:sign_up)
+    end
+
+    def account_update_params
+      devise_parameter_sanitizer.sanitize(:account_update)
+    end
+
+    def resource_serializer(user)
+      serializer = DeviseTokenAuth.registration_serializer || ResourceSerializer
+      serializer.new(user)
+    end
+  end
+end

data/app/controllers/devise_token_auth/sessions_controller.rb

@@ -0,0 +1,50 @@
+# see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/
+module DeviseTokenAuth
+  class SessionsController < DeviseTokenAuth::ApplicationController
+    before_filter :set_user_by_token, :only => [:destroy]
+    prepend_before_filter :allow_params_authentication!, only: :create
+    prepend_before_filter only: [ :create, :destroy ] { request.env["devise.skip_timeout"] = true }
+
+    def create
+      self.resource = warden.authenticate!(auth_options)
+      sign_in(resource_name, resource, :store => false)
+      @user = resource
+      @client_id = SecureRandom.urlsafe_base64(nil, false)
+      @token     = SecureRandom.urlsafe_base64(nil, false)
+
+      @user.tokens[@client_id] = {
+        token: BCrypt::Password.create(@token),
+        expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+      }
+      @user.save
+      yield resource if block_given?
+      render json: resource_serializer(resource)
+    end
+
+    def auth_options
+      { scope: resource_name, recall: "#{controller_path}#new" }
+    end
+
+    def destroy
+      # remove auth instance variables so that after_filter does not run
+      user = remove_instance_variable(:@user) if @user
+      client_id = remove_instance_variable(:@client_id) if @client_id
+      remove_instance_variable(:@token) if @token
+
+      if user and client_id and user.tokens[client_id]
+        user.tokens.delete(client_id)
+        user.save!
+
+        render json: success_message, status: 200
+
+      else
+        render json: error_messages("User was not found or was not logged in."), status: 404
+      end
+    end
+
+    def resource_serializer(user)
+      serializer = DeviseTokenAuth.session_serializer || ResourceSerializer
+      serializer.new(user)
+    end
+  end
+end

data/app/controllers/devise_token_auth/token_validations_controller.rb

@@ -0,0 +1,22 @@
+module DeviseTokenAuth
+  class TokenValidationsController < DeviseTokenAuth::ApplicationController
+    skip_before_filter :assert_is_devise_resource!, :only => [:validate_token]
+    before_filter :set_user_by_token, :only => [:validate_token]
+
+    def validate_token
+      # @user will have been set by set_user_token concern
+      if @user
+        render json: resource_serializer(@user)
+      else
+        render json: error_messages("Invalid login credentials"), status: 401
+      end
+    end
+
+
+    def resource_serializer(user)
+      serializer = DeviseTokenAuth.token_validation_serializer || ResourceSerializer
+      serializer.new(user)
+    end
+
+  end
+end

data/app/serializers/devise_token_auth/error_messages_serializer.rb

@@ -0,0 +1,16 @@
+module DeviseTokenAuth
+  class ErrorMessagesSerializer
+    def initialize(*args)
+      @args = args
+    end
+
+    attr_reader :args
+
+    def as_json(options)
+      {
+        status: 'error',
+        errors: args
+      }
+    end
+  end
+end

data/app/serializers/devise_token_auth/resource_errors_serializer.rb

@@ -0,0 +1,24 @@
+module DeviseTokenAuth
+  class ResourceErrorsSerializer
+    def initialize(*args)
+      @args = args
+    end
+
+    attr_reader :args
+
+    def as_json(options)
+      resource = args[0]
+      response = {
+        status: "error",
+        data: resource.as_json(except: [:tokens, :created_at, :updated_at])
+      }
+      if args.length > 1
+        args.shift
+        response[:errors] = args
+      else
+        response[:errors] = resource.errors.to_hash.merge(full_messages: resource.errors.full_messages)
+      end
+      response
+    end
+  end
+end

data/app/serializers/devise_token_auth/resource_serializer.rb

@@ -0,0 +1,17 @@
+module DeviseTokenAuth
+
+  class ResourceSerializer
+    def initialize(resource)
+      @resource = resource
+    end
+    attr_reader :resource
+
+    def as_json(options)
+      {
+        status: "success",
+        data: resource.as_json(except: [:tokens, :created_at, :updated_at])
+      }
+    end
+
+  end
+end

data/app/serializers/devise_token_auth/success_message_serializer.rb

@@ -0,0 +1,15 @@
+module DeviseTokenAuth
+  class SuccessMessageSerializer
+    def initialize(message)
+      @message = message
+    end
+
+    attr_reader :message
+
+    def as_json(options)
+      json_response = { status: 'success' }
+      json_response[:message] = message if message
+      json_response
+    end
+  end
+end

data/app/views/devise/mailer/confirmation_instructions.html.erb

@@ -0,0 +1,5 @@
+<p>Welcome <%= @email %>!</p>
+
+<p>You can confirm your account email through the link below:</p>
+
+<p><%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']) %></p>

data/app/views/devise/mailer/reset_password_instructions.html.erb

@@ -0,0 +1,8 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Someone has requested a link to change your password. You can do this through the link below.</p>
+
+<p><%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %></p>
+
+<p>If you didn't request this, please ignore this email.</p>
+<p>Your password won't change until you access the link above and create a new one.</p>

data/app/views/devise/mailer/unlock_instructions.html.erb

@@ -0,0 +1,7 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
+
+<p>Click the link below to unlock your account:</p>
+
+<p><%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %></p>

data/app/views/devise_token_auth/omniauth_failure.html.erb

@@ -0,0 +1,2 @@
+message: "authFailure",
+error:   "<%= @error %>"

data/app/views/devise_token_auth/omniauth_success.html.erb

@@ -0,0 +1,8 @@
+<% @user.as_json.each do |attr, val| %>
+  "<%= attr %>": "<%= val %>",
+<% end %>
+
+"auth_token": "<%= @token %>",
+"message":    "deliverCredentials",
+"client_id":  "<%= @client_id %>",
+"expiry":     "<%= @expiry %>"

data/app/views/layouts/omniauth_response.html.erb

@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <script>
+      var usingExternalWindow = function() {
+        var nav     = navigator.userAgent.toLowerCase(),
+            ieLTE10 = (nav && nav.indexOf('msie') != -1),
+            ie11    = !!navigator.userAgent.match(/Trident.*rv\:11\./);
+        return !(ieLTE10 || ie11);
+      }
+
+      if (usingExternalWindow()) {
+        window.addEventListener("message", function(ev) {
+          if (ev.data === "requestCredentials") {
+            ev.source.postMessage({
+              <%= yield %>
+            }, '*');
+            window.close();
+          }
+        });
+      } else {
+        window.location.href = "<%= @auth_origin_url %>";
+      }
+    </script>
+  </head>
+  <body>
+    <pre>
+      Redirecting...
+    </pre>
+  </body>
+</html>

data/config/initializers/devise.rb

@@ -0,0 +1,207 @@
+# Use this hook to configure devise mailer, warden hooks and so forth.
+# Many of these configuration options can be set straight in your model.
+Devise.setup do |config|
+  # The secret key used by Devise. Devise uses this key to generate
+  # random tokens. Changing this key will render invalid all existing
+  # confirmation, reset password and unlock tokens in the database.
+  # config.secret_key = 'd029dbc7262359b4f9906ec029bae825981dee112d9a1425643719765c8fd4884f12a37add35607fa3fa2d6fa6945a0077d7fe0f10a67f8ee66d69e9cc6ac19b'
+
+  # ==> Mailer Configuration
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class
+  # with default "from" parameter.
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
+
+  # Configure the class responsible to send e-mails.
+  # config.mailer = 'Devise::Mailer'
+
+  # ==> ORM configuration
+  # Load and configure the ORM. Supports :active_record (default) and
+  # :mongoid (bson_ext recommended) by default. Other ORMs may be
+  # available as additional gems.
+  require 'devise/orm/active_record'
+
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating a user. The default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating a user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply a hash where the value is a boolean determining whether
+  # or not authentication should be aborted when the value is not present.
+  # config.authentication_keys = [ :email ]
+
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to the
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
+  # Configure which authentication keys should be case-insensitive.
+  # These keys will be downcased upon creating or modifying a user and when used
+  # to authenticate or find a user. Default is :email.
+  config.case_insensitive_keys = [ :email ]
+
+  # Configure which authentication keys should have whitespace stripped.
+  # These keys will have whitespace before and after removed upon creating or
+  # modifying a user and when used to authenticate or find a user. Default is :email.
+  config.strip_whitespace_keys = [ :email ]
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # It can be set to an array that will enable params authentication only for the
+  # given strategies, for example, `config.params_authenticatable = [:database]` will
+  # enable it only for database (email + password) authentication.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Auth is enabled. False by default.
+  # It can be set to an array that will enable http authentication only for the
+  # given strategies, for example, `config.http_authenticatable = [:database]` will
+  # enable it only for database authentication. The supported strategies are:
+  # :database      = Support basic authentication with authentication key + password
+  # config.http_authenticatable = false
+
+  # If http headers should be returned for AJAX requests. True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication. 'Application' by default.
+  # config.http_authentication_realm = 'Application'
+
+  # It will change confirmation, password recovery and other workflows
+  # to behave the same regardless if the e-mail provided was right or wrong.
+  # Does not affect registerable.
+  # config.paranoid = true
+
+  # By default Devise will store the user in session. You can skip storage for
+  # particular strategies by setting this option.
+  # Notice that if you are skipping storage for all authentication paths, you
+  # may want to disable generating routes to Devise's sessions controller by
+  # passing skip: :sessions to `devise_for` in your config/routes.rb
+  config.skip_session_storage = [:http_auth]
+
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
+  # ==> Configuration for :database_authenticatable
+  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # using other encryptors, it sets how many times you want the password re-encrypted.
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments. Note that, for bcrypt (the default
+  # encryptor), the cost increases exponentially with the number of stretches (e.g.
+  # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
+  config.stretches = Rails.env.test? ? 1 : 10
+
+  # Setup a pepper to generate the encrypted password.
+  # config.pepper = '8ff086600aff82d68ff1e00d23c99c821e66652ec8c2a5b48f58de4a56b325cb532f6db660cf58fc5ecb473b9d851be8cd1badff0a1053bc9dc045f78b6e6772'
+
+  # ==> Configuration for :confirmable
+  # A period that the user is allowed to access the website even without
+  # confirming their account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming their account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming their account.
+  # config.allow_unconfirmed_access_for = 2.days
+
+  # A period that the user is allowed to confirm their account before their
+  # token becomes invalid. For example, if set to 3.days, the user can confirm
+  # their account within 3 days after the mail was sent, but on the fourth day
+  # their account can't be confirmed with the token any more.
+  # Default is nil, meaning there is no restriction on how long a user can take
+  # before confirming their account.
+  # config.confirm_within = 3.days
+
+  # If true, requires any email changes to be confirmed (exactly the same way as
+  # initial account confirmation) to be applied. Requires additional unconfirmed_email
+  # db field (see migrations). Until confirmed, new email is stored in
+  # unconfirmed_email column, and copied to email column on successful confirmation.
+  config.reconfirmable = true
+
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
+  # ==> Configuration for :rememberable
+  # The time the user will be remembered without asking for credentials again.
+  # config.remember_for = 2.weeks
+
+  # If true, extends the user's remember period when remembered via cookie.
+  # config.extend_remember_period = false
+
+  # Options to be passed to the created cookie. For instance, you can set
+  # secure: true in order to force SSL only cookies.
+  # config.rememberable_options = {}
+
+  # ==> Configuration for :validatable
+  # Range for password length.
+  config.password_length = 8..128
+
+  # Email regex used to validate email formats. It simply asserts that
+  # one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
+
+  # ==> Configuration for :timeoutable
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
+
+  # If true, expires auth token on session timeout.
+  # config.expire_auth_token_on_timeout = false
+
+  # ==> Configuration for :lockable
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
+
+  # Defines which key will be used when locking and unlocking an account
+  # config.unlock_keys = [ :email ]
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
+  # config.unlock_strategy = :both
+
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # Warn on the last attempt before the account is locked.
+  # config.last_attempt_warning = false
+
+  # ==> Configuration for :recoverable
+  #
+  # Defines which key will be used when recovering the password for an account
+  # config.reset_password_keys = [ :email ]
+
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 6.hours
+
+  # The default HTTP method used to sign out a resource. Default is :delete.
+  config.sign_out_via = :delete
+
+  # don't serialize tokens
+  Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens
+
+  # mounted routes will point to this
+  Rails.application.config.after_initialize do
+    if defined?(::OmniAuth)
+      ::OmniAuth::config.path_prefix = config.omniauth_path_prefix = DeviseTokenAuth.omniauth_prefix
+    end
+  end
+
+  config.warden do |manager|
+    manager.failure_app = TokenAuthFailureApp
+  end
+end