xing_backend_token_auth 0.1.31

data/config/initializers/token_auth_failure_app.rb

@@ -0,0 +1,7 @@
+class TokenAuthFailureApp < Devise::FailureApp
+  def respond
+    self.status = 401
+    self.content_type = 'json'
+    self.response_body = {"errors" => i18n_message}.to_json
+  end
+end

data/config/locales/devise.en.yml

@@ -0,0 +1,59 @@
+# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
+
+en:
+  devise:
+    confirmations:
+      confirmed: "Your account was successfully confirmed."
+      send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
+    failure:
+      already_authenticated: "You are already signed in."
+      inactive: "Your account is not activated yet."
+      invalid: "Invalid email or password."
+      locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account will be locked."
+      not_found_in_database: "Invalid email or password."
+      timeout: "Your session expired. Please sign in again to continue."
+      unauthenticated: "You need to sign in or sign up before continuing."
+      unconfirmed: "You have to confirm your account before continuing."
+    mailer:
+      confirmation_instructions:
+        subject: "Confirmation instructions"
+      reset_password_instructions:
+        subject: "Reset password instructions"
+      unlock_instructions:
+        subject: "Unlock Instructions"
+    omniauth_callbacks:
+      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      success: "Successfully authenticated from %{kind} account."
+    passwords:
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
+      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      updated: "Your password was changed successfully. You are now signed in."
+      updated_not_active: "Your password was changed successfully."
+    registrations:
+      destroyed: "Bye! Your account was successfully cancelled. We hope to see you again soon."
+      signed_up: "Welcome! You have signed up successfully."
+      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
+      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
+      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please open the link to activate your account."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm link to finalize confirming your new email address."
+      updated: "You updated your account successfully."
+    sessions:
+      signed_in: "Signed in successfully."
+      signed_out: "Signed out successfully."
+    unlocks:
+      send_instructions: "You will receive an email with instructions about how to unlock your account in a few minutes."
+      send_paranoid_instructions: "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes."
+      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
+  errors:
+    messages:
+      already_confirmed: "was already confirmed, please try signing in"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
+      expired: "has expired, please request a new one"
+      not_found: "not found"
+      not_locked: "was not locked"
+      not_saved:
+        one: "1 error prohibited this %{resource} from being saved:"
+        other: "%{count} errors prohibited this %{resource} from being saved:"

data/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  if defined?(::OmniAuth)
+    get "#{::OmniAuth::config.path_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks"
+  end
+end

data/lib/devise_token_auth.rb

@@ -0,0 +1,9 @@
+require "devise"
+require "devise_token_auth/engine"
+require "devise_token_auth/controllers/helpers"
+require "devise_token_auth/controllers/url_helpers"
+
+module DeviseTokenAuth
+end
+
+Devise.add_module :token_authenticatable, :model => 'devise_token_auth/models/token_authenticatable'

data/lib/devise_token_auth/controllers/helpers.rb

@@ -0,0 +1,129 @@
+module DeviseTokenAuth
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        # Define authentication filters and accessor helpers for a group of mappings.
+        # These methods are useful when you are working with multiple mappings that
+        # share some functionality. They are pretty much the same as the ones
+        # defined for normal mappings.
+        #
+        # Example:
+        #
+        #   inside BlogsController (or any other controller, it doesn't matter which):
+        #     devise_group :blogger, contains: [:user, :admin]
+        #
+        #   Generated methods:
+        #     authenticate_blogger!  # Redirects unless user or admin are signed in
+        #     blogger_signed_in?     # Checks whether there is either a user or an admin signed in
+        #     current_blogger        # Currently signed in user or admin
+        #     current_bloggers       # Currently signed in user and admin
+        #
+        #   Use:
+        #     before_filter :authenticate_blogger!              # Redirects unless either a user or an admin are authenticated
+        #     before_filter ->{ authenticate_blogger! :admin }  # Redirects to the admin login page
+        #     current_blogger :user                             # Preferably returns a User if one is signed in
+        #
+        def devise_token_auth_group(group_name, opts={})
+          mappings = "[#{ opts[:contains].map { |m| ":#{m}" }.join(',') }]"
+
+          class_eval <<-METHODS, __FILE__, __LINE__ + 1
+            def authenticate_#{group_name}!(favourite=nil, opts={})
+              unless #{group_name}_signed_in?
+                mappings = #{mappings}
+                mappings.unshift mappings.delete(favourite.to_sym) if favourite
+                mappings.each do |mapping|
+                  set_user_by_token(mapping)
+                end
+              end
+            end
+
+            def #{group_name}_signed_in?
+              #{mappings}.any? do |mapping|
+                set_user_by_token(mapping)
+              end
+            end
+
+            def current_#{group_name}(favourite=nil)
+              mappings = #{mappings}
+              mappings.unshift mappings.delete(favourite.to_sym) if favourite
+              mappings.each do |mapping|
+                current = set_user_by_token(mapping)
+                return current if current
+              end
+              nil
+            end
+
+            def current_#{group_name.to_s.pluralize}
+              #{mappings}.map do |mapping|
+                set_user_by_token(mapping)
+              end.compact
+            end
+
+            helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+          METHODS
+        end
+
+        def log_process_action(payload)
+          payload[:status] ||= 401 unless payload[:exception]
+          super
+        end
+      end
+
+      # Define authentication filters and accessor helpers based on mappings.
+      # These filters should be used inside the controllers as before_filters,
+      # so you can control the scope of the user who should be signed in to
+      # access that specific controller/action.
+      # Example:
+      #
+      #   Roles:
+      #     User
+      #     Admin
+      #
+      #   Generated methods:
+      #     authenticate_user!  # Signs user in or 401
+      #     authenticate_admin! # Signs admin in or 401
+      #     user_signed_in?     # Checks whether there is a user signed in or not
+      #     admin_signed_in?    # Checks whether there is an admin signed in or not
+      #     current_user        # Current signed in user
+      #     current_admin       # Current signed in admin
+      #     user_session        # Session data available only to the user scope
+      #     admin_session       # Session data available only to the admin scope
+      #
+      #   Use:
+      #     before_filter :authenticate_user!  # Tell devise to use :user map
+      #     before_filter :authenticate_admin! # Tell devise to use :admin map
+      #
+      def self.define_helpers(mapping) #:nodoc:
+        mapping = mapping.name
+
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def authenticate_#{mapping}!(opts={})
+            unless current_#{mapping}
+              return render json: {
+                errors: ["Authorized users only."]
+              }, status: 401
+            end
+          end
+
+          def #{mapping}_signed_in?
+            !!current_#{mapping}
+          end
+
+          def current_#{mapping}
+            @current_#{mapping} ||= set_user_by_token(:#{mapping})
+          end
+
+          def #{mapping}_session
+            current_#{mapping} && warden.session(:#{mapping})
+          end
+        METHODS
+
+        ActiveSupport.on_load(:action_controller) do
+          helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+        end
+      end
+    end
+  end
+end

data/lib/devise_token_auth/controllers/url_helpers.rb

@@ -0,0 +1,8 @@
+module DeviseTokenAuth
+  module Controllers
+    module UrlHelpers
+      def self.define_helpers(mapping)
+      end
+    end
+  end
+end

data/lib/devise_token_auth/engine.rb

@@ -0,0 +1,32 @@
+require 'devise_token_auth/rails/routes'
+
+module DeviseTokenAuth
+  class Engine < ::Rails::Engine
+    isolate_namespace DeviseTokenAuth
+
+    initializer "devise_token_auth.url_helpers" do
+      Devise.helpers << DeviseTokenAuth::Controllers::Helpers
+    end
+  end
+
+  mattr_accessor :change_headers_on_each_request,
+                 :token_lifespan,
+                 :batch_request_buffer_throttle,
+                 :omniauth_prefix,
+                 :session_serializer,
+                 :registration_serializer,
+                 :token_validation_serializer,
+                 :password_serializer,
+                 :error_serializer,
+                 :error_messages_serializer,
+                 :success_message_serializer
+
+  self.change_headers_on_each_request = true
+  self.token_lifespan                 = 2.weeks
+  self.batch_request_buffer_throttle  = 5.seconds
+  self.omniauth_prefix                = '/omniauth'
+
+  def self.setup(&block)
+    yield self
+  end
+end

data/lib/devise_token_auth/models/token_authenticatable.rb

@@ -0,0 +1,195 @@
+module Devise
+  module Models
+    module TokenAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+
+        serialize :tokens, JSON
+        # can't set default on text fields in mysql, simulate here instead.
+        after_save :set_empty_token_hash
+        after_initialize :set_empty_token_hash
+        before_save :destroy_expired_tokens
+
+        # override devise method to include additional info as opts hash
+        def send_confirmation_instructions(opts=nil)
+          unless @raw_confirmation_token
+            generate_confirmation_token!
+          end
+
+          opts ||= {}
+
+          # fall back to "default" config name
+          opts[:client_config] ||= "default"
+
+          if pending_reconfirmation?
+            opts[:to] = unconfirmed_email
+          end
+
+          send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts)
+        end
+
+
+        # override devise method to include additional info as opts hash
+        def send_reset_password_instructions(opts=nil)
+          token = set_reset_password_token
+
+          opts ||= {}
+
+          # fall back to "default" config name
+          opts[:client_config] ||= "default"
+
+          if pending_reconfirmation?
+            opts[:to] = unconfirmed_email
+          else
+            opts[:to] = email
+          end
+
+          send_devise_notification(:reset_password_instructions, token, opts)
+
+          token
+        end
+
+      end
+
+
+
+
+      # this must be done from the controller so that additional params
+      # can be passed on from the client
+      def send_confirmation_notification?
+        false
+      end
+
+      def valid_token?(token, client_id='default')
+        client_id ||= 'default'
+
+        return false unless self.tokens[client_id]
+
+        return true if token_is_current?(token, client_id)
+        return true if token_can_be_reused?(token, client_id)
+
+        # return false if none of the above conditions are met
+        return false
+      end
+
+
+      def token_is_current?(token, client_id)
+        return true if (
+          # ensure that expiry and token are set
+          self.tokens[client_id]['expiry'] and
+          self.tokens[client_id]['token'] and
+
+          # ensure that the token was created within the last two weeks
+          DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and
+
+          # ensure that the token is valid
+          BCrypt::Password.new(self.tokens[client_id]['token']) == token
+        )
+      end
+
+
+      # allow batch requests to use the previous token
+      def token_can_be_reused?(token, client_id)
+        return true if (
+          # ensure that the last token and its creation time exist
+          self.tokens[client_id]['updated_at'] and
+          self.tokens[client_id]['last_token'] and
+
+          # ensure that previous token falls within the batch buffer throttle time of the last request
+          Time.parse(self.tokens[client_id]['updated_at']) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and
+
+          # ensure that the token is valid
+          BCrypt::Password.new(self.tokens[client_id]['last_token']) == token
+        )
+      end
+
+
+      # update user's auth token (should happen on each request)
+      def create_new_auth_token(client_id=nil)
+        client_id  ||= SecureRandom.urlsafe_base64(nil, false)
+        last_token ||= nil
+        token        = SecureRandom.urlsafe_base64(nil, false)
+        token_hash   = BCrypt::Password.create(token)
+        expiry       = (Time.now + DeviseTokenAuth.token_lifespan).to_i
+
+        if self.tokens[client_id] and self.tokens[client_id]['token']
+          last_token = self.tokens[client_id]['token']
+        end
+
+        self.tokens[client_id] = {
+          token:      token_hash,
+          expiry:     expiry,
+          last_token: last_token,
+          updated_at: Time.now
+       }
+
+        self.save!
+
+        return build_auth_header(token, client_id)
+      end
+
+
+      def build_auth_header(token, client_id='default')
+        client_id ||= 'default'
+
+        # client may use expiry to prevent validation request if expired
+        # must be cast as string or headers will break
+        expiry = self.tokens[client_id]['expiry'].to_s
+
+        return {
+          "access-token" => token,
+          "token-type"   => "Bearer",
+          "client"       => client_id,
+          "expiry"       => expiry,
+          "uid"          => self.uid
+        }
+      end
+
+
+      def build_auth_url(base_url, args)
+        args[:uid]    = self.uid
+        args[:expiry] = self.tokens[args[:client_id]]['expiry']
+
+        generate_url(base_url, args)
+      end
+
+
+      def extend_batch_buffer(token, client_id)
+        self.tokens[client_id]['updated_at'] = Time.now
+        self.save!
+
+        return build_auth_header(token, client_id)
+      end
+
+
+      protected
+
+
+      # ensure that fragment comes AFTER querystring for proper $location
+      # parsing using AngularJS.
+      def generate_url(url, params = {})
+        uri = URI(url)
+
+        res = "#{uri.scheme}://#{uri.host}"
+        res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443)
+        res += "#{uri.path}#" if uri.path
+        res += "#{uri.fragment}" if uri.fragment
+        res += "?#{params.to_query}"
+
+        return res
+      end
+
+      def set_empty_token_hash
+        self.tokens ||= {} if has_attribute?(:tokens)
+      end
+
+      def destroy_expired_tokens
+        self.tokens.delete_if{|cid,v|
+          expiry = v[:expiry] || v["expiry"]
+          DateTime.strptime(expiry.to_s, '%s') < Time.now
+        }
+      end
+    end
+  end
+end