From 17f10779d8128c23ca835321d8735a6a457c16f8 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 10 Nov 2014 12:37:37 -0500 Subject: [PATCH 001/328] fix(case-sensitivity): ensure new registrations downcase UID if Devise case_insensitive_keys include Email --- .../registrations_controller.rb | 8 ++++- .../registrations_controller_test.rb | 30 +++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index fb776d401..12faeb744 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -7,9 +7,15 @@ class RegistrationsController < DeviseTokenAuth::ApplicationController def create @resource = resource_class.new(sign_up_params) - @resource.uid = sign_up_params[:email] @resource.provider = "email" + # honor devise configuration for case_insensitive_keys + if resource_class.case_insensitive_keys.include?(:email) + @resource.uid = sign_up_params[:email].downcase + else + @resource.uid = sign_up_params[:email] + end + # success redirect url is required unless params[:confirm_success_url] return render json: { diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 51370e7b8..0c588da66 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
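Review bot: `sign_up_params[:email].downcase` raises NoMethodError when the request omits `email`, so in the `case_insensitive_keys` branch a malformed sign-up now fails with a 500 instead of reaching the model's presence validation. Guard the value before normalising it, e.g. `email = sign_up_params[:email]` then `@resource.uid = email.downcase if email`, or derive the uid from `@resource.email` once Devise's own before_validation normalisation has run. The new branch also ignores Devise's `strip_whitespace_keys`, so uid and email can still differ by surrounding whitespace when that setting is on. `create` continues outside the hunk.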
@@ -55,6 +55,36 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe "case-insensitive email" do + + before do + @resource_class = User + @request_params = { + email: "AlternatingCase@example.com", + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url + } + end + + test "success should downcase uid if configured" do + @resource_class.case_insensitive_keys = [:email] + post '/auth', @request_params + assert_equal 200, response.status + @data = JSON.parse(response.body) + assert_equal "alternatingcase@example.com", @data['data']['uid'] + end + + test "request should not downcase uid if not configured" do + @resource_class.case_insensitive_keys = [] + post '/auth', @request_params + assert_equal 200, response.status + @data = JSON.parse(response.body) + assert_equal "AlternatingCase@example.com", @data['data']['uid'] + end + + end + describe "Adding extra params" do before do @redirect_url = Faker::Internet.url From 42400d98beaf6882ed4fdf5f6215aea28f56d6d9 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 10 Nov 2014 13:23:51 -0500 Subject: [PATCH 002/328] fix(uid updates): ensure UID is updated alongside Email (accounting for case sensitivity) --- .../registrations_controller.rb | 11 ++++++- .../registrations_controller_test.rb | 32 ++++++++++++++----- 2 files changed, 34 insertions(+), 9 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 12faeb744..7145c52c8 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb 
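Review bot: Both new tests assign `@resource_class.case_insensitive_keys` (that is, `User.case_insensitive_keys`, a class-level Devise setting) and never restore it, so whichever test runs last decides the configuration seen by every test after it and the suite becomes order-dependent. The "Case sensitive attributes update" and "Case insensitive attributes update" tests added in patch 002 have the same leak. Restore the setting after each test, e.g. `after do @resource_class.case_insensitive_keys = Devise.case_insensitive_keys end`.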
@@ -76,7 +76,16 @@ def create def update if @resource - if @resource.update_attributes(account_update_params) + + # honor devise configuration for case_insensitive_keys + params = account_update_params + if resource_class.case_insensitive_keys.include?(:email) && params[:email] + params[:uid] = params[:email].downcase + else + params[:uid] = params[:email] + end + + if @resource.update_attributes(params) render json: { status: 'success', data: @resource.as_json diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 0c588da66..cb89306df 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
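Review bot: The `else` branch assigns `params[:uid] = params[:email]` even when the request carries no `email`, so any profile update that does not touch the email writes `uid = nil`, which the concern's unconditional `validates_presence_of :uid` then rejects. The local `params = account_update_params` also shadows the controller's `params` method for the rest of `update`. Only touch uid when an email was supplied and use a different local name: `attrs = account_update_params`, `attrs[:uid] = resource_class.case_insensitive_keys.include?(:email) ? attrs[:email].downcase : attrs[:email] if attrs[:email]`, `if @resource.update_attributes(attrs)`. Patch 003 in this series moves the sync into a model callback instead. `update` continues outside the hunk.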
@@ -235,22 +235,38 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration describe "success" do before do # test valid update param + @resource_class = User @new_operating_thetan = 1000000 - - put "/auth", { - operating_thetan: @new_operating_thetan - }, @auth_headers - - @data = JSON.parse(response.body) - @existing_user.reload + @email = "AlternatingCase2@example.com" + @request_params = { + operating_thetan: @new_operating_thetan, + email: @email + } end test "Request was successful" do + put "/auth", @request_params, @auth_headers assert_equal 200, response.status end - test "User attribute was updated" do + test "Case sensitive attributes update" do + @resource_class.case_insensitive_keys = [] + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload + assert_equal @new_operating_thetan, @existing_user.operating_thetan + assert_equal @email, @existing_user.email + assert_equal @email, @existing_user.uid + end + + test "Case insensitive attributes update" do + @resource_class.case_insensitive_keys = [:email] + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload assert_equal @new_operating_thetan, @existing_user.operating_thetan + assert_equal @email.downcase, @existing_user.email + assert_equal @email.downcase, @existing_user.uid end end From 48b5ba62d12d8c2ccf2042aeef1e3fb439a9272d Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 11 Nov 2014 10:29:58 -0500 Subject: [PATCH 003/328] use before_save to keep uid in sync with email --- .../devise_token_auth/registrations_controller.rb | 14 +++----------- app/models/devise_token_auth/concerns/user.rb | 8 ++++++++ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 7145c52c8..e92e29cfd 100644 
--- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -11,9 +11,9 @@ def create # honor devise configuration for case_insensitive_keys if resource_class.case_insensitive_keys.include?(:email) - @resource.uid = sign_up_params[:email].downcase + @resource.email = sign_up_params[:email].downcase else - @resource.uid = sign_up_params[:email] + @resource.email = sign_up_params[:email] end # success redirect url is required @@ -76,16 +76,8 @@ def create def update if @resource - - # honor devise configuration for case_insensitive_keys - params = account_update_params - if resource_class.case_insensitive_keys.include?(:email) && params[:email] - params[:uid] = params[:email].downcase - else - params[:uid] = params[:email] - end - if @resource.update_attributes(params) + if @resource.update_attributes(account_update_params) render json: { status: 'success', data: @resource.as_json diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 8c251b81f..4d9a7f0e4 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -19,6 +19,9 @@ module DeviseTokenAuth::Concerns::User after_save :set_empty_token_hash after_initialize :set_empty_token_hash + # keep uid in sync with email + before_save :sync_uid + # get rid of dead tokens before_save :destroy_expired_tokens @@ -212,10 +215,15 @@ def set_empty_token_hash self.tokens ||= {} if has_attribute?(:tokens) end + def sync_uid + self.uid = email if provider == 'email' + end + def destroy_expired_tokens self.tokens.delete_if{|cid,v| expiry = v[:expiry] || v["expiry"] DateTime.strptime(expiry.to_s, '%s') < Time.now } end + end From 523a0ef8aca6efce7bb66362c142c4dac8f4ecb0 Mon Sep 17 00:00:00 2001 
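Review bot: Assigning `@resource.email` here duplicates what `resource_class.new(sign_up_params)` already did a few lines up (assuming `sign_up_params` permits `:email`), and Devise downcases `email` in its own before_validation hook whenever `case_insensitive_keys` includes it, so the whole if/else can be deleted; what it adds today is an unguarded `.downcase` that raises on a missing email. If the explicit assignment is kept on purpose, document why with `# email is normalised again here so uid (synced in before_save) matches what Devise validates`. `create` continues outside the hunk.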
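Review bot: `sync_uid` runs as a `before_save`, i.e. after validations, but `validates_presence_of :uid` is left untouched by this patch and is evaluated while uid is still nil for a fresh email sign-up, so `@resource.save` in `create` fails for exactly the users this callback is meant to serve. Either set uid in a `before_validation` or relax the validation for email users; patch 004 in this series takes the second route. Running after Devise's before_validation normalisation does have one advantage worth noting in a comment: `# runs after Devise's downcase/strip hooks, so uid inherits the normalised email`.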
From: Lynn Hurley Date: Sat, 15 Nov 2014 13:16:26 -0500 Subject: [PATCH 004/328] relax uid validation for email users (will be synched with email) --- app/models/devise_token_auth/concerns/user.rb | 3 ++- test/dummy/db/schema.rb | 24 +++++++++---------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index c01241ad4..ac215de1d 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -11,7 +11,7 @@ module DeviseTokenAuth::Concerns::User serialize :tokens, JSON validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' } - validates_presence_of :uid + validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } # only validate unique emails among email registration users validate :unique_email_user, on: :create @@ -22,6 +22,7 @@ module DeviseTokenAuth::Concerns::User # keep uid in sync with email before_save :sync_uid + before_create :sync_uid # get rid of dead tokens before_save :destroy_expired_tokens diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index 3f259bd3a..769f67e77 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
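Review bot: `before_create :sync_uid` is redundant: `before_save` already fires on create and runs ahead of `before_create`, so uid is simply assigned twice; the added line can go. Relaxing `validates_presence_of :uid` to non-email providers looks safe because `validates_presence_of :email` on the line above covers email users and uid is copied from email at save time, but that reasoning is not visible at the validation site; add `# uid is derived from email for provider 'email' (see sync_uid), so only validate it for other providers`.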
@@ -39,10 +39,10 @@ t.datetime "updated_at" end - add_index "evil_users", ["confirmation_token"], name: "index_evil_users_on_confirmation_token", unique: true, using: :btree - add_index "evil_users", ["email"], name: "index_evil_users_on_email", using: :btree - add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true, using: :btree - add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true, using: :btree + add_index "evil_users", ["confirmation_token"], name: "index_evil_users_on_confirmation_token", unique: true + add_index "evil_users", ["email"], name: "index_evil_users_on_email" + add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true + add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true create_table "mangs", force: true do |t| t.string "email" @@ -72,10 +72,10 @@ t.string "favorite_color" end - add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true, using: :btree - add_index "mangs", ["email"], name: "index_mangs_on_email", using: :btree - add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true, using: :btree - add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true, using: :btree + add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true + add_index "mangs", ["email"], name: "index_mangs_on_email" + add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true + add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true create_table "users", force: true do |t| t.string "email" 
@@ -106,9 +106,9 @@ t.string "favorite_color" end - add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree - add_index "users", ["email"], name: "index_users_on_email", using: :btree - add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree - add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true, using: :btree + add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true + add_index "users", ["email"], name: "index_users_on_email" + add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true + add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true end From 783de9d1376790e97c1939b6820b4611b84b2c3a Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 15 Nov 2014 13:17:05 -0500 Subject: [PATCH 005/328] v0.1.30.beta6 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index cdf4181c9..b2d1d7158 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.30.beta5) + devise_token_auth (0.1.30.beta6) devise (~> 3.3) rails (~> 4.1) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index fa05a15c1..ca8c99ab3 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.30.beta5" + VERSION = "0.1.30.beta6" end From 49bf5a06bf4c757b06347d3bab7df83e910a58b7 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 15 Nov 2014 15:06:24 -0500 Subject: [PATCH 006/328] update to rails 4.1.7, devise 3.4.1 --- Gemfile.lock | 62 ++++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) 
diff --git a/Gemfile.lock b/Gemfile.lock index b2d1d7158..4c261645c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -38,27 +38,27 @@ PATH GEM remote: https://rubygems.org/ specs: - actionmailer (4.1.6) - actionpack (= 4.1.6) - actionview (= 4.1.6) + actionmailer (4.1.7) + actionpack (= 4.1.7) + actionview (= 4.1.7) mail (~> 2.5, >= 2.5.4) - actionpack (4.1.6) - actionview (= 4.1.6) - activesupport (= 4.1.6) + actionpack (4.1.7) + actionview (= 4.1.7) + activesupport (= 4.1.7) rack (~> 1.5.2) rack-test (~> 0.6.2) - actionview (4.1.6) - activesupport (= 4.1.6) + actionview (4.1.7) + activesupport (= 4.1.7) builder (~> 3.1) erubis (~> 2.7.0) - activemodel (4.1.6) - activesupport (= 4.1.6) + activemodel (4.1.7) + activesupport (= 4.1.7) builder (~> 3.1) - activerecord (4.1.6) - activemodel (= 4.1.6) - activesupport (= 4.1.6) + activerecord (4.1.7) + activemodel (= 4.1.7) + activesupport (= 4.1.7) arel (~> 5.0.0) - activesupport (4.1.6) + activesupport (4.1.7) i18n (~> 0.6, >= 0.6.9) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -111,11 +111,11 @@ GEM rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) lumberjack (1.0.9) - mail (2.6.1) + mail (2.6.3) mime-types (>= 1.16, < 3) method_source (0.8.2) - mime-types (2.4.2) - minitest (5.4.2) + mime-types (2.4.3) + minitest (5.4.3) minitest-focus (1.1.0) minitest (>= 4, < 6) minitest-rails (2.1.0) 
@@ -157,19 +157,19 @@ GEM rack-cors (0.2.9) rack-test (0.6.2) rack (>= 1.0) - rails (4.1.6) - actionmailer (= 4.1.6) - actionpack (= 4.1.6) - actionview (= 4.1.6) - activemodel (= 4.1.6) - activerecord (= 4.1.6) - activesupport (= 4.1.6) + rails (4.1.7) + actionmailer (= 4.1.7) + actionpack (= 4.1.7) + actionview (= 4.1.7) + activemodel (= 4.1.7) + activerecord (= 4.1.7) + activesupport (= 4.1.7) bundler (>= 1.3.0, < 2.0) - railties (= 4.1.6) + railties (= 4.1.7) sprockets-rails (~> 2.0) - railties (4.1.6) - actionpack (= 4.1.6) - activesupport (= 4.1.6) + railties (4.1.7) + actionpack (= 4.1.7) + activesupport (= 4.1.7) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (10.3.2) @@ -185,15 +185,15 @@ GEM simplecov-html (~> 0.8.0) simplecov-html (0.8.0) slop (3.6.0) - sprockets (2.12.2) + sprockets (2.12.3) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.1.4) + sprockets-rails (2.2.0) actionpack (>= 3.0) activesupport (>= 3.0) - sprockets (~> 2.8) + sprockets (>= 2.8, < 4.0) sqlite3 (1.3.9) thor (0.19.1) thread_safe (0.3.4) From d4d533523aeb3d7fef92ce47ef2a1fca1450edb3 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 18 Nov 2014 13:42:02 -0500 Subject: [PATCH 007/328] v0.1.30 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4c261645c..780d78dd5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.30.beta6) + devise_token_auth (0.1.30) devise (~> 3.3) rails (~> 4.1) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index ca8c99ab3..d83b3d918 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.30.beta6" + VERSION = "0.1.30" end From ff4725d01b2936e7b7eb5421f679b2ef81c3879b Mon Sep 17 00:00:00 2001 
From: jartek Date: Sun, 14 Dec 2014 13:03:36 +0530 Subject: [PATCH 008/328] Exclude devise modules --- .../registrations_controller.rb | 5 +---- app/models/devise_token_auth/concerns/user.rb | 7 ++++--- lib/devise_token_auth/engine.rb | 19 ++++++++++++++++++- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index e92e29cfd..8f764a421 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -17,7 +17,7 @@ def create end # success redirect url is required - unless params[:confirm_success_url] + if DeviseTokenAuth.modules.include?(:confirmable) && !params[:confirm_success_url] return render json: { status: 'error', data: @resource, @@ -29,14 +29,12 @@ def create # override email confirmation, must be sent manually from ctrl resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions) if @resource.save - unless @resource.confirmed? # user will require email authentication @resource.send_confirmation_instructions({ client_config: params[:config_name], redirect_url: params[:confirm_success_url] }) - else # email auth has been bypassed, authenticate user @client_id = SecureRandom.urlsafe_base64(nil, false) @@ -76,7 +74,6 @@ def create def update if @resource - if @resource.update_attributes(account_update_params) render json: { status: 'success', diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index ac215de1d..38686fb94 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
@@ -4,9 +4,7 @@ module DeviseTokenAuth::Concerns::User included do # Include default devise modules. Others available are: # :confirmable, :lockable, :timeoutable and :omniauthable - devise :database_authenticatable, :registerable, - :recoverable, :rememberable, :trackable, :validatable, - :confirmable, :omniauthable + devise *DeviseTokenAuth.modules serialize :tokens, JSON @@ -186,6 +184,9 @@ def extend_batch_buffer(token, client_id) return build_auth_header(token, client_id) end + def confirmed? + DeviseTokenAuth.modules.exclude?(:confirmable) || super + end protected diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index c88c5d9ba..66d3a1f3a 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -12,14 +12,31 @@ class Engine < ::Rails::Engine mattr_accessor :change_headers_on_each_request, :token_lifespan, :batch_request_buffer_throttle, - :omniauth_prefix + :omniauth_prefix, + :excluded_modules self.change_headers_on_each_request = true self.token_lifespan = 2.weeks self.batch_request_buffer_throttle = 5.seconds self.omniauth_prefix = '/omniauth' + self.excluded_modules = [] def self.setup(&block) yield self end + + def self.modules + available_modules = [ + :database_authenticatable, + :registerable, + :recoverable, + :rememberable, + :trackable, + :validatable, + :confirmable, + :omniauthable + ] + + available_modules - excluded_modules + end end From 2d398d043f98ff589e4a7a7c8870a434fb43f6fd Mon Sep 17 00:00:00 2001 From: jartek Date: Mon, 15 Dec 2014 08:16:31 +0530 Subject: [PATCH 009/328] Move devise modules to individual classes --- .../registrations_controller.rb | 5 ++++- app/models/devise_token_auth/concerns/user.rb | 11 +++++++---- lib/devise_token_auth/engine.rb | 19 +------------------ .../devise_token_auth/install_generator.rb | 4 ++++ .../devise_token_auth/templates/user.rb | 4 ++++ 5 files changed, 20 insertions(+), 23 deletions(-) 
diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 8f764a421..208dd0197 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -17,7 +17,7 @@ def create end # success redirect url is required - if DeviseTokenAuth.modules.include?(:confirmable) && !params[:confirm_success_url] + if resource_class.devise_modules.include?(:confirmable) && !params[:confirm_success_url] return render json: { status: 'error', data: @resource, @@ -29,12 +29,14 @@ def create # override email confirmation, must be sent manually from ctrl resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions) if @resource.save + unless @resource.confirmed? # user will require email authentication @resource.send_confirmation_instructions({ client_config: params[:config_name], redirect_url: params[:confirm_success_url] }) + else # email auth has been bypassed, authenticate user @client_id = SecureRandom.urlsafe_base64(nil, false) @@ -74,6 +76,7 @@ def create def update if @resource + if @resource.update_attributes(account_update_params) render json: { status: 'success', diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 38686fb94..2f824efa5 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
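Review bot: `resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions)` (context line in the second hunk) still runs for every resource class, including ones whose `devise_modules` never included `:confirmable` and therefore never registered that callback. Rails 4.1 appears to ignore an unknown filter silently, so this works today, but later Rails versions raise on a missing callback; guard it with the same check the new condition uses: `resource_class.skip_callback(...) if resource_class.devise_modules.include?(:confirmable)`. `create` continues outside the hunk.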
@@ -2,9 +2,12 @@ module DeviseTokenAuth::Concerns::User extend ActiveSupport::Concern included do - # Include default devise modules. Others available are: - # :confirmable, :lockable, :timeoutable and :omniauthable - devise *DeviseTokenAuth.modules + # Hack to check if devise is already enabled + unless self.method_defined?(:devise_modules) + devise :database_authenticatable, :registerable, + :recoverable, :rememberable, :trackable, :validatable, + :confirmable, :omniauthable + end serialize :tokens, JSON @@ -185,7 +188,7 @@ def extend_batch_buffer(token, client_id) end def confirmed? - DeviseTokenAuth.modules.exclude?(:confirmable) || super + self.devise_modules.exclude?(:confirmable) || super end protected diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index 66d3a1f3a..c88c5d9ba 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -12,31 +12,14 @@ class Engine < ::Rails::Engine mattr_accessor :change_headers_on_each_request, :token_lifespan, :batch_request_buffer_throttle, - :omniauth_prefix, - :excluded_modules + :omniauth_prefix self.change_headers_on_each_request = true self.token_lifespan = 2.weeks self.batch_request_buffer_throttle = 5.seconds self.omniauth_prefix = '/omniauth' - self.excluded_modules = [] def self.setup(&block) yield self end - - def self.modules - available_modules = [ - :database_authenticatable, - :registerable, - :recoverable, - :rememberable, - :trackable, - :validatable, - :confirmable, - :omniauthable - ] - - available_modules - excluded_modules - end end diff --git a/lib/generators/devise_token_auth/install_generator.rb b/lib/generators/devise_token_auth/install_generator.rb index 8bf15a0cb..a83555c8b 100644 --- a/lib/generators/devise_token_auth/install_generator.rb +++ b/lib/generators/devise_token_auth/install_generator.rb 
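Review bot: The `unless self.method_defined?(:devise_modules)` check makes the concern order-dependent: a model keeps its own module list only if it calls `devise ...` before `include DeviseTokenAuth::Concerns::User`, and nothing in the code says so. The check also relies on Devise's `class_attribute` generating an instance reader; `respond_to?(:devise_modules)` on the class would express the intent more directly. Replace the "Hack" comment with `# Apply the default module set only when the including model has not already called devise; models wanting a smaller set must call devise before this include.`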
@@ -30,6 +30,10 @@ def create_user_model inclusion = "include DeviseTokenAuth::Concerns::User" unless parse_file_for_line(fname, inclusion) inject_into_file fname, after: "class #{user_class} < ActiveRecord::Base\n" do <<-'RUBY' + # Include default devise modules. + devise :database_authenticatable, :registerable, + :recoverable, :rememberable, :trackable, :validatable, + :confirmable, :omniauthable include DeviseTokenAuth::Concerns::User RUBY end diff --git a/lib/generators/devise_token_auth/templates/user.rb b/lib/generators/devise_token_auth/templates/user.rb index 461c3c431..2eeb0fa96 100644 --- a/lib/generators/devise_token_auth/templates/user.rb +++ b/lib/generators/devise_token_auth/templates/user.rb @@ -1,3 +1,7 @@ class <%= user_class %> < ActiveRecord::Base + # Include default devise modules. + devise :database_authenticatable, :registerable, + :recoverable, :rememberable, :trackable, :validatable, + :confirmable, :omniauthable include DeviseTokenAuth::Concerns::User end From 503a91abf648c19619b91dafe3b081cb6764956c Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 21 Dec 2014 23:21:15 -0600 Subject: [PATCH 010/328] add tests for #85 --- .../omniauth_callbacks_controller_test.rb | 10 ++++ .../registrations_controller_test.rb | 31 +++++++++++ .../sessions_controller_test.rb | 28 ++++++++++ test/dummy/app/models/only_email_user.rb | 5 ++ test/dummy/config/routes.rb | 2 + ...vise_token_auth_create_only_email_users.rb | 54 +++++++++++++++++++ test/dummy/db/schema.rb | 18 ++++++- test/fixtures/only_email_users.yml | 9 ++++ test/models/only_email_user_test.rb | 35 ++++++++++++ 9 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 test/dummy/app/models/only_email_user.rb create mode 100644 test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb create mode 100644 test/fixtures/only_email_users.yml create mode 100644 test/models/only_email_user_test.rb 
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 2c0cdec06..1ee0d5813 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -164,4 +164,14 @@ class OmniauthTest < ActionDispatch::IntegrationTest end end end + + describe 'User with only :database_authenticatable and :registerable included' do + test 'OnlyEmailUser should not be able to use OAuth' do + assert_raises(ActionController::RoutingError) { + get_via_redirect '/only_email_auth/facebook', { + auth_origin_url: @redirect_url + } + } + end + end end diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index cb89306df..38796526c 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -454,5 +454,36 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration assert @resource.valid_token?(@token, @client_id) end end + + + describe 'User with only :database_authenticatable and :registerable included' do + setup do + @mails_sent = ActionMailer::Base.deliveries.count + + post '/only_email_auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url, + unpermitted_param: '(x_x)' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + @mail = ActionMailer::Base.deliveries.last + end + + test 'user was created' do + assert @resource.id + end + + test 'email confirmation was not sent' do + assert_equal @mails_sent, ActionMailer::Base.deliveries.count + end + + test 'user is confirmed' do + assert @resource.confirmed? + end + end end end 
diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index e21be558d..4169a49e4 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -217,5 +217,33 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase assert_equal @existing_user.email, @data['data']['email'] end end + + describe 'User with only :database_authenticatable and :registerable included' do + setup do + @request.env['devise.mapping'] = Devise.mappings[:only_email_user] + end + + teardown do + @request.env['devise.mapping'] = Devise.mappings[:user] + end + + before do + @existing_user = only_email_users(:user) + @existing_user.save! + + xhr :post, :create, { + email: @existing_user.email, + password: 'secret123' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + test 'user should be able to sign in without confirmation' do + assert 200, response.status + refute OnlyEmailUser.method_defined?(:confirmed_at) + end + end end end diff --git a/test/dummy/app/models/only_email_user.rb b/test/dummy/app/models/only_email_user.rb new file mode 100644 index 000000000..c6fee9c45 --- /dev/null +++ b/test/dummy/app/models/only_email_user.rb @@ -0,0 +1,5 @@ +class OnlyEmailUser < ActiveRecord::Base + # Include default devise modules. + devise :database_authenticatable, :registerable + include DeviseTokenAuth::Concerns::User +end diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 1e779fbd4..65cd76e49 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -19,6 +19,8 @@ token_validations: 'overrides/token_validations' } + mount_devise_token_auth_for 'OnlyEmailUser', at: '/only_email_auth', skip: [:omniauth_callbacks] + # this route will authorize visitors using the User class get 'demo/members_only', to: 'demo_user#members_only' 
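Review bot: `assert 200, response.status` in 'user should be able to sign in without confirmation' only asserts that the literal `200` is truthy, so the test passes whatever status the sign-in returned; it should be `assert_equal 200, response.status`. The second assertion, `refute OnlyEmailUser.method_defined?(:confirmed_at)`, inspects the model rather than the response, so nothing in this test actually checks that the unconfirmed user was signed in — consider asserting on `@data['data']['uid']` as the other sessions tests do.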
diff --git a/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb b/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb new file mode 100644 index 000000000..a2b60325f --- /dev/null +++ b/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb @@ -0,0 +1,54 @@ +class DeviseTokenAuthCreateOnlyEmailUsers < ActiveRecord::Migration + def change + create_table(:only_email_users) do |t| + ## Required + t.string :provider, :null => false + t.string :uid, :null => false, :default => "" + + ## Database authenticatable + t.string :encrypted_password, :null => false, :default => "" + + ## Recoverable + #t.string :reset_password_token + #t.datetime :reset_password_sent_at + + ## Rememberable + #t.datetime :remember_created_at + + ## Trackable + #t.integer :sign_in_count, :default => 0, :null => false + #t.datetime :current_sign_in_at + #t.datetime :last_sign_in_at + #t.string :current_sign_in_ip + #t.string :last_sign_in_ip + + ## Confirmable + #t.string :confirmation_token + #t.datetime :confirmed_at + #t.datetime :confirmation_sent_at + #t.string :unconfirmed_email # Only if using reconfirmable + + ## Lockable + # t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts + # t.string :unlock_token # Only if unlock strategy is :email or :both + # t.datetime :locked_at + + ## User Info + t.string :name + t.string :nickname + t.string :image + t.string :email + + ## Tokens + t.text :tokens + + t.timestamps + end + + add_index :only_email_users, :email + add_index :only_email_users, [:uid, :provider], :unique => true + #add_index :only_email_users, :reset_password_token, :unique => true + # add_index :only_email_users, :confirmation_token, :unique => true + # add_index :only_email_users, :unlock_token, :unique => true + end +end diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index 769f67e77..cc8a21acc 100644 
--- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20140928231203) do +ActiveRecord::Schema.define(version: 20141222035835) do create_table "evil_users", force: true do |t| t.string "email" @@ -77,6 +77,22 @@ add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true + create_table "only_email_users", force: true do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" + add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true + create_table "users", force: true do |t| t.string "email" t.string "encrypted_password", default: "", null: false diff --git a/test/fixtures/only_email_users.yml b/test/fixtures/only_email_users.yml new file mode 100644 index 000000000..7c0117bff --- /dev/null +++ b/test/fixtures/only_email_users.yml @@ -0,0 +1,9 @@ +<% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> +<% @email = Faker::Internet.email %> +user: + uid: "<%= @email %>" + email: "<%= @email %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> diff --git a/test/models/only_email_user_test.rb b/test/models/only_email_user_test.rb new file mode 100644 index 000000000..9575c9ec6 --- /dev/null +++ b/test/models/only_email_user_test.rb 
@@ -0,0 +1,35 @@
+require 'test_helper'
+
+class OnlyEmailUserTest < ActiveSupport::TestCase
+ describe OnlyEmailUser do
+ test 'trackable is disabled' do
+ refute OnlyEmailUser.method_defined?(:sign_in_count)
+ refute OnlyEmailUser.method_defined?(:current_sign_in_at)
+ refute OnlyEmailUser.method_defined?(:last_sign_in_at)
+ refute OnlyEmailUser.method_defined?(:current_sign_in_ip)
+ refute OnlyEmailUser.method_defined?(:last_sign_in_ip)
+ end
+
+ test 'confirmable is disabled' do
+ refute OnlyEmailUser.method_defined?(:confirmation_token)
+ refute OnlyEmailUser.method_defined?(:confirmed_at)
+ refute OnlyEmailUser.method_defined?(:confirmation_sent_at)
+ refute OnlyEmailUser.method_defined?(:unconfirmed_email)
+ end
+
+ test 'lockable is disabled' do
+ refute OnlyEmailUser.method_defined?(:failed_attempts)
+ refute OnlyEmailUser.method_defined?(:unlock_token)
+ refute OnlyEmailUser.method_defined?(:locked_at)
+ end
+
+ test 'recoverable is disabled' do
+ refute OnlyEmailUser.method_defined?(:reset_password_token)
+ refute OnlyEmailUser.method_defined?(:reset_password_sent_at)
+ end
+
+ test 'rememberable is disabled' do
+ refute OnlyEmailUser.method_defined?(:remember_created_at)
+ end
+ end
+end
From fbd6ca20e547116c58704ae4f0b3e9e13c081a5b Mon Sep 17 00:00:00 2001
From: Lynn Hurley
Date: Sun, 21 Dec 2014 23:29:24 -0600
Subject: [PATCH 011/328] remove :rememberable from default devise modules. fixes #80
---
 app/models/devise_token_auth/concerns/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index 2f824efa5..38f7ad54f 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
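Review bot: The `refute OnlyEmailUser.method_defined?(:sign_in_count)` assertions (and the other four groups in this file) do not show that a Devise module is excluded; every name they probe is a column-backed attribute accessor, so it is absent whenever the column is missing from `only_email_users`, and as far as I recall ActiveRecord generates attribute methods lazily, so the check can also be false for a column that does exist until the model is first instantiated. The tests therefore pass for a schema reason, not a configuration reason. The concern itself relies on the class responding to `devise_modules` (see the `method_defined?(:devise_modules)` guard in the next patch), so asserting on that list is the precise test, e.g. `refute_includes OnlyEmailUser.devise_modules, :trackable`, one per module the test names.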
@@ -5,7 +5,7 @@ module DeviseTokenAuth::Concerns::User
 # Hack to check if devise is already enabled
 unless self.method_defined?(:devise_modules)
 devise :database_authenticatable, :registerable,
- :recoverable, :rememberable, :trackable, :validatable,
+ :recoverable, :trackable, :validatable,
 :confirmable, :omniauthable
 end
From 74652980bba6e69ea5ba9b46d81e2f13fdc6328d Mon Sep 17 00:00:00 2001
From: Lynn Hurley
Date: Mon, 22 Dec 2014 00:05:33 -0600
Subject: [PATCH 012/328] add test for disabling registration routes. fixes #70. document module exclusion process.
---
 README.md | 59 ++++++++++++++++--- .../registrations_controller_test.rb | 14 +++++ test/dummy/app/models/unregisterable_user.rb | 7 +++ test/dummy/config/routes.rb | 2 + ..._token_auth_create_unregisterable_users.rb | 54 +++++++++++++++++ test/dummy/db/schema.rb | 31 +++++++++-
 6 files changed, 158 insertions(+), 9 deletions(-)
 create mode 100644 test/dummy/app/models/unregisterable_user.rb
 create mode 100644 test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb
diff --git a/README.md b/README.md
index 941e8622f..702f42c62 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ The fully configured api used in the demo can be found [here](https://github.com
 * [Controller Integration](#controller-concerns)
 * [Model Integration](#model-concerns)
 * [Using Multiple User Classes](#using-multiple-models)
- * [Skip Confirmation Upon Email Registration](#skip-confirmation-upon-registration)
+ * [Excluding Modules](#excluding-modules)
 * [Custom Controller Overrides](#custom-controller-overrides)
 * [Email Template Overrides](#email-template-overrides)
 * [Conceptual Diagrams](#conceptual)
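Review bot: Dropping `:rememberable` from the default `devise` call changes what every app relying on the defaults gets, and nothing in the code records why; a one-line comment above the call, e.g. `# :rememberable is intentionally omitted (see #80)`, saves the next reader a git-blame. The migration template added later in this series for `unregisterable_users` still carries the `## Rememberable` block with `t.datetime :remember_created_at`, so the generated schema and the default module list no longer agree; presumably that block should go too. The enclosing `unless self.method_defined?(:devise_modules)` guard and the module body continue outside the hunk.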
@@ -507,24 +507,67 @@ In the above example, the following methods will be available (in addition to `c * `current_member` * `member_signed_in?` -## Skip Confirmation Upon Email Registration +## Excluding Modules -By default, an email is sent containing a link that the user must visit to activate their account. This measure is in place to ensure that users cannot register other people for accounts. +By default, almost all of the Devise modules are included: +* [`database_authenticatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb) +* [`registerable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/registerable.rb) +* [`recoverable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb) +* [`trackable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/trackable.rb) +* [`validatable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb) +* [`confirmable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb) +* [`omniauthable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/omniauthable.rb) -To bypass this measure, add `before_create :skip_confirmation!` to your `User` model (or equivalent). +You may not want all of these features enabled in your app. That's OK! You can customize them to suit your own unique style. -##### Example: bypass email confirmation +The following example shows how to disable email confirmation. + +##### Example: disable email confirmation + +Just list the devise modules that you want to include **before** including the `DeviseTokenAuth::Concerns::User` model concern. 
~~~ruby +# app/models/user.rb class User < ActiveRecord::Base + + # notice this comes BEFORE the include statement below + # also notice that :confirmable is not included in this block + devise :database_authenticatable, + :recoverable, :trackable, :validatable, + :registerable, :omniauthable + + # note that this include statement comes AFTER the devise block above include DeviseTokenAuth::Concerns::User - before_create :skip_confirmation! end ~~~ -##### Note for ng-token-auth users: +Some features include routes that you may not want mounted to your app. The following example shows how to disable OAuth and its routes. + +##### Example: disable OAuth authentication + +First instruct the model not to include the `omniauthable` module. + +~~~ruby +# app/models/user.rb +class User < ActiveRecord::Base + + # notice that :omniauthable is not included in this block + devise :database_authenticatable, :confirmable, + :recoverable, :trackable, :validatable, + :registerable, :omniauthable -If this `before_create :skip_confirmation!` callback is in place, the `$auth.submitRegistration` method will both register and authenticate users in a single step. + include DeviseTokenAuth::Concerns::User +end +~~~ + +Now tell the route helper to `skip` mounting the `omniauth_callbacks` controller: + +~~~ruby +Rails.application.routes.draw do + # config/routes.rb + mount_devise_token_auth_for 'User', at: '/auth', skip: [:omniauth_callbacks] +end +~~~ ## Custom Controller Overrides diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 38796526c..776369209 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
@@ -485,5 +485,19 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 assert @resource.confirmed?
 end
 end
+
+ describe 'User with registration routes disabled' do
+ test 'OnlyEmailUser should not be able to use OAuth' do
+ assert_raises(ActionController::RoutingError) {
+ post '/unregisterable_user_auth', {
+ email: Faker::Internet.email,
+ password: "secret123",
+ password_confirmation: "secret123",
+ confirm_success_url: Faker::Internet.url,
+ unpermitted_param: '(x_x)'
+ }
+ }
+ end
+ end
 end
 end
diff --git a/test/dummy/app/models/unregisterable_user.rb b/test/dummy/app/models/unregisterable_user.rb
new file mode 100644
index 000000000..44f596d40
--- /dev/null
+++ b/test/dummy/app/models/unregisterable_user.rb
@@ -0,0 +1,7 @@
+class UnregisterableUser < ActiveRecord::Base
+ # Include default devise modules.
+ devise :database_authenticatable,
+ :recoverable, :trackable, :validatable,
+ :confirmable, :omniauthable
+ include DeviseTokenAuth::Concerns::User
+end
diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb
index 65cd76e49..5cd6784b7 100644
--- a/test/dummy/config/routes.rb
+++ b/test/dummy/config/routes.rb
@@ -21,6 +21,8 @@
 mount_devise_token_auth_for 'OnlyEmailUser', at: '/only_email_auth', skip: [:omniauth_callbacks]
+ mount_devise_token_auth_for 'UnregisterableUser', at: '/unregisterable_user_auth', skip: [:registrations]
+
 # this route will authorize visitors using the User class
 get 'demo/members_only', to: 'demo_user#members_only'
diff --git a/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb b/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb
new file mode 100644
index 000000000..0fd983b5a
--- /dev/null
+++ b/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb
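Review bot: The test name `'OnlyEmailUser should not be able to use OAuth'` describes neither the model nor the route the body exercises: it posts to `/unregisterable_user_auth`, the registration endpoint of `UnregisterableUser`, which is the class this commit mounts with `skip: [:registrations]`. Rename it to match, `test 'UnregisterableUser should not be able to access registration routes' do`, so a failure reads correctly. `unpermitted_param: '(x_x)'` plays no role in a routing assertion and can be dropped from the payload. A later patch in this series adds a near-identical test for the same route under `'Excluded :registrations module'`; keeping one of the two avoids testing the same thing twice. The enclosing test class continues outside the hunk.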
@@ -0,0 +1,54 @@ +class DeviseTokenAuthCreateUnregisterableUsers < ActiveRecord::Migration + def change + create_table(:unregisterable_users) do |t| + ## Required + t.string :provider, :null => false + t.string :uid, :null => false, :default => "" + + ## Database authenticatable + t.string :encrypted_password, :null => false, :default => "" + + ## Recoverable + t.string :reset_password_token + t.datetime :reset_password_sent_at + + ## Rememberable + t.datetime :remember_created_at + + ## Trackable + t.integer :sign_in_count, :default => 0, :null => false + t.datetime :current_sign_in_at + t.datetime :last_sign_in_at + t.string :current_sign_in_ip + t.string :last_sign_in_ip + + ## Confirmable + t.string :confirmation_token + t.datetime :confirmed_at + t.datetime :confirmation_sent_at + t.string :unconfirmed_email # Only if using reconfirmable + + ## Lockable + # t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts + # t.string :unlock_token # Only if unlock strategy is :email or :both + # t.datetime :locked_at + + ## User Info + t.string :name + t.string :nickname + t.string :image + t.string :email + + ## Tokens + t.text :tokens + + t.timestamps + end + + add_index :unregisterable_users, :email + add_index :unregisterable_users, [:uid, :provider], :unique => true + add_index :unregisterable_users, :reset_password_token, :unique => true + # add_index :unregisterable_users, :confirmation_token, :unique => true + # add_index :unregisterable_users, :unlock_token, :unique => true + end +end diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index cc8a21acc..f11cfbe69 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20141222035835) do +ActiveRecord::Schema.define(version: 20141222053502) do create_table "evil_users", force: true do |t| t.string "email" @@ -93,6 +93,35 @@ add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true + create_table "unregisterable_users", force: true do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" + t.datetime "reset_password_sent_at" + t.datetime "remember_created_at" + t.integer "sign_in_count", default: 0, null: false + t.datetime "current_sign_in_at" + t.datetime "last_sign_in_at" + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" + t.datetime "confirmed_at" + t.datetime "confirmation_sent_at" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email" + add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true + add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true + create_table "users", force: true do |t| t.string "email" t.string "encrypted_password", default: "", null: false From 0ae1348badebd39a0ceeac3efee24d11a2b5ca5d Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Mon, 22 Dec 2014 00:07:02 -0600 Subject: [PATCH 013/328] v0.1.31.beta1 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 780d78dd5..d1aac1acf 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.30) + devise_token_auth (0.1.31.beta1) devise (~> 3.3) rails (~> 4.1) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index d83b3d918..7504ea3fd 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.30" + VERSION = "0.1.31.beta1" end From 7719e68be8f23bd2380de50d302daf295d0baa0e Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 22 Dec 2014 00:15:48 -0600 Subject: [PATCH 014/328] add callouts section, add @jartek --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 702f42c62..64c7ca37f 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ The fully configured api used in the demo can be found [here](https://github.com * [Token Management](#about-token-management) * [Batch Requests](#about-batch-requests) * [Security](#security) +* [Callouts](#callouts) * [Contribution Guidelines](#contributing) # Dependencies @@ -707,6 +708,16 @@ This gem further mitigates timing attacks by using [this technique](https://gist But the most important step is to use HTTPS. You are on the hook for that. +# Callouts + +Thanks to the following contributors: + +* [@booleanbetrayal](https://github.com/booleanbetrayal) +* [@guilhermesimoes](https://github.com/guilhermesimoes) +* [@jasonswett](https://github.com/jasonswett) +* [@m2omou](https://github.com/m2omou) +* [@smarquez1](https://github.com/smarquez1) +* [@jartek](https://github.com/jartek) # Contributing From 332da2741689e96292450a756c39437480357595 Mon Sep 17 00:00:00 2001 
From: Lynn Dylan Hurley Date: Mon, 22 Dec 2014 04:04:03 -0600 Subject: [PATCH 015/328] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 64c7ca37f..f23ebed38 100644 --- a/README.md +++ b/README.md @@ -519,7 +519,7 @@ By default, almost all of the Devise modules are included: * [`confirmable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb) * [`omniauthable`](https://github.com/plataformatec/devise/blob/master/lib/devise/models/omniauthable.rb) -You may not want all of these features enabled in your app. That's OK! You can customize them to suit your own unique style. +You may not want all of these features enabled in your app. That's OK! You can mix and match to suit your own unique style. The following example shows how to disable email confirmation. @@ -533,9 +533,9 @@ class User < ActiveRecord::Base # notice this comes BEFORE the include statement below # also notice that :confirmable is not included in this block - devise :database_authenticatable, + devise :database_authenticatable, :confirmable, :recoverable, :trackable, :validatable, - :registerable, :omniauthable + :registerable # note that this include statement comes AFTER the devise block above include DeviseTokenAuth::Concerns::User From efd3f944d0f00b740f6bb955012557e7fcc14e10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Edgar=20Henr=C3=ADquez?= Date: Mon, 22 Dec 2014 18:26:56 -0430 Subject: [PATCH 016/328] Fix small error in documentation. Both examples about how to exclude modules still had the modules to be disabled (:confirmable and :omniauthable respectively). --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f23ebed38..e032c5c5a 100644 --- a/README.md +++ b/README.md 
@@ -533,9 +533,9 @@ class User < ActiveRecord::Base # notice this comes BEFORE the include statement below # also notice that :confirmable is not included in this block - devise :database_authenticatable, :confirmable, - :recoverable, :trackable, :validatable, - :registerable + devise :database_authenticatable, :recoverable, + :trackable, :validatable, :registerable, + :omniauthable # note that this include statement comes AFTER the devise block above include DeviseTokenAuth::Concerns::User @@ -555,7 +555,7 @@ class User < ActiveRecord::Base # notice that :omniauthable is not included in this block devise :database_authenticatable, :confirmable, :recoverable, :trackable, :validatable, - :registerable, :omniauthable + :registerable include DeviseTokenAuth::Concerns::User end From 5ccad1931ca318ee7cb6b70c648bc8acaa9e8413 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 4 Jan 2015 20:10:06 -0600 Subject: [PATCH 017/328] add namespace support. fixes #101, #96 --- README.md | 16 +++--- .../omniauth_callbacks_controller.rb | 2 +- lib/devise_token_auth/rails/routes.rb | 57 +++++++++---------- .../omniauth_callbacks_controller_test.rb | 23 ++++++++ .../registrations_controller_test.rb | 26 +++++++++ test/dummy/config/routes.rb | 15 +++-- 6 files changed, 95 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 64c7ca37f..e9e2aefc1 100644 --- a/README.md +++ b/README.md @@ -199,7 +199,7 @@ For example, given that the app is mounted using the following settings: ~~~ruby # config/routes.rb -mount_devise_token_auth_for 'User', at: '/auth' +mount_devise_token_auth_for 'User', at: 'auth' ~~~ The client configuration for github should look like this: 
@@ -290,12 +290,12 @@ The authentication routes must be mounted to your project. This gem includes a r | Argument | Type | Default | Description | |---|---|---|---| |`class_name`| string | 'User' | The name of the class to use for authentication. This class must include the [model concern described here](#model-concerns). | -| `options` | object | {at: '/auth'} | The [routes to be used for authentication](#usage) will be prefixed by the path specified in the `at` param of this object. | +| `options` | object | {at: 'auth'} | The [routes to be used for authentication](#usage) will be prefixed by the path specified in the `at` param of this object. | **Example**: ~~~ruby # config/routes.rb -mount_devise_token_auth_for 'User', at: '/auth' +mount_devise_token_auth_for 'User', at: 'auth' ~~~ Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly. @@ -458,11 +458,11 @@ This gem supports the use of multiple user models. One possible use case is to a # within a `devise_scope` block # define :users as the first devise mapping: - mount_devise_token_auth_for 'User', at: '/auth' + mount_devise_token_auth_for 'User', at: 'auth' # define :admins as the second devise mapping. routes using this class will # need to be defined within a devise_scope as shown below - mount_devise_token_auth_for "Admin", at: '/admin_auth' + mount_devise_token_auth_for "Admin", at: 'admin_auth' # this route will authorize requests using the User class get 'demo/members_only', to: 'demo#members_only' @@ -566,7 +566,7 @@ Now tell the route helper to `skip` mounting the `omniauth_callbacks` controller ~~~ruby Rails.application.routes.draw do # config/routes.rb - mount_devise_token_auth_for 'User', at: '/auth', skip: [:omniauth_callbacks] + mount_devise_token_auth_for 'User', at: 'auth', skip: [:omniauth_callbacks] end ~~~ 
@@ -582,7 +582,7 @@ For example, the default behavior of the [`validate_token`](https://github.com/l
 # config/routes.rb
 Rails.application.routes.draw do
 ...
- mount_devise_token_auth_for 'User', at: '/auth', controllers: {
+ mount_devise_token_auth_for 'User', at: 'auth', controllers: {
 token_validations: 'overrides/token_validations'
 }
 end
@@ -611,7 +611,7 @@ end
 ##### Example: all :controller options with default settings:
 ~~~ruby
-mount_devise_token_auth_for 'User', at: '/auth', controllers: {
+mount_devise_token_auth_for 'User', at: 'auth', controllers: {
 confirmations: 'devise_token_auth/confirmations',
 passwords: 'devise_token_auth/passwords',
 omniauth_callbacks: 'devise_token_auth/omniauth_callbacks',
diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
index 6ecf9b853..6896e401d 100644
--- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
@@ -9,7 +9,7 @@ def redirect_callbacks
 # derive target redirect route from 'resource_class' param, which was set
 # before authentication.
 devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym
- redirect_route = "#{Devise.mappings[devise_mapping].as_json["path_prefix"]}/#{params[:provider]}/callback"
+ redirect_route = "/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback"
 # preserve omniauth info for success route
 session['dta.omniauth.auth'] = request.env['omniauth.auth']
diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb
index 41cceedb2..fed434855 100644
--- a/lib/devise_token_auth/rails/routes.rb
+++ b/lib/devise_token_auth/rails/routes.rb
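Review bot: The new `redirect_route` line still indexes `Devise.mappings` with a key built from `request.env['omniauth.params']['resource_class']`, a value that arrives with the request; when it names no mounted mapping the lookup returns `nil` and `.as_json` raises `NoMethodError`, i.e. a 500 for a malformed callback rather than a clean client error. Bounding the input before use, for instance `mapping = Devise.mappings.fetch(devise_mapping) { return render(nothing: true, status: :not_found) }`, keeps an unknown `resource_class` from reaching the route construction. Separately, `Devise::Mapping` exposes `path` and `fullpath` readers, so `mapping.fullpath` replaces the `as_json["path"]` round-trip and, if I read Devise's `devise_for` correctly, keeps the namespace prefix that `path` alone drops; the namespaced test added in this commit would not notice, because the un-namespaced `User` mount accepts the same provider callback. The body of `redirect_callbacks` continues outside the hunk.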
@@ -23,35 +23,33 @@ def mount_devise_token_auth_for(resource, opts)
 # remove any unwanted devise modules
 opts[:skip].each{|item| controllers.delete(item)}
- scope opts[:at] do
- devise_for resource.pluralize.underscore.to_sym,
- :class_name => resource,
- :module => :devise,
- :path => "",
- :controllers => controllers
-
- devise_scope resource.underscore.to_sym do
- # path to verify token validity
- get "validate_token", to: "#{token_validations_ctrl}#validate_token"
-
- # omniauth routes. only define if omniauth is installed and not skipped.
- if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks)
- get "failure", to: "#{omniauth_ctrl}#omniauth_failure"
- get ":provider/callback", to: "#{omniauth_ctrl}#omniauth_success"
-
- # preserve the resource class thru oauth authentication by setting name of
- # resource as "resource_class" param
- match ":provider", to: redirect{|params, request|
- # get the current querystring
- qs = CGI::parse(request.env["QUERY_STRING"])
-
- # append name of current resource
- qs["resource_class"] = [resource]
-
- # re-construct the path for omniauth
- "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}"
- }, via: [:get]
- end
+ devise_for resource.pluralize.underscore.to_sym,
+ :class_name => resource,
+ :module => :devise,
+ :path => "#{opts[:at]}",
+ :controllers => controllers
+
+ devise_scope resource.underscore.to_sym do
+ # path to verify token validity
+ get "#{opts[:at]}/validate_token", to: "#{token_validations_ctrl}#validate_token"
+
+ # omniauth routes. only define if omniauth is installed and not skipped.
+ if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks)
+ get "#{opts[:at]}/failure", to: "#{omniauth_ctrl}#omniauth_failure"
+ get "#{opts[:at]}/:provider/callback", to: "#{omniauth_ctrl}#omniauth_success"
+
+ # preserve the resource class thru oauth authentication by setting name of
+ # resource as "resource_class" param
+ match "#{opts[:at]}/:provider", to: redirect{|params, request|
+ # get the current querystring
+ qs = CGI::parse(request.env["QUERY_STRING"])
+
+ # append name of current resource
+ qs["resource_class"] = [resource]
+
+ # re-construct the path for omniauth
+ "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}"
+ }, via: [:get]
 end
 end
 end
@@ -60,6 +58,5 @@ def mount_devise_token_auth_for(resource, opts)
 def set_omniauth_path_prefix!(path_prefix)
 ::OmniAuth.config.path_prefix = path_prefix
 end
-
 end
 end
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
index 1ee0d5813..30a36fca7 100644
--- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
+++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
@@ -126,6 +126,29 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 refute_equal @unpermitted_param, @resource.name
 end
 end
+
+
+ describe 'using namespaces' do
+ before do
+ get_via_redirect '/vx/auth/facebook', {
+ auth_origin_url: @redirect_url
+ }
+
+ @resource = assigns(:resource)
+ end
+
+ test 'request is successful' do
+ assert_equal 200, response.status
+ end
+
+ test 'user should have been created' do
+ assert @resource
+ end
+
+ test 'user should be of the correct class' do
+ assert_equal User, @resource.class
+ end
+ end
 end
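Review bot: `:path => "#{opts[:at]}"` interpolates a string into an otherwise empty string; `:path => opts[:at]` says the same thing without the extra allocation and without hiding a `nil` behind an empty path. The relocated `if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks)` keeps `and`/`not`, whose precedence differs from `&&`/`!`; since the line is being rewritten anyway, `if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)` is the conventional form. The `"#{opts[:at]}/…"` prefix now appears in every route string; a local such as `prefix = opts[:at]` above `devise_for` would make the five call sites easier to keep in step. This hunk begins on the previous line and `mount_devise_token_auth_for` itself starts outside it.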
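Review bot: The three assertions under `describe 'using namespaces'` pass whether or not the callback round-trip stayed inside `/vx`: `get_via_redirect` follows the chain to its end, and the un-namespaced `User` mount accepts the same provider callback for the same class, so a redirect that silently dropped the prefix would still produce a `User` and a 200. If the final response in this flow is the callback action's own render, asserting on the path that served it, e.g. `assert_match %r{\A/vx/auth/facebook/callback}, request.path`, would pin the namespaced route; otherwise capturing the intermediate `response.location` before following it achieves the same. The `OmniauthTest` class continues outside the hunk.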
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 776369209..ade67b1a5 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -55,6 +55,32 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe 'using namespaces' do + before do + @mails_sent = ActionMailer::Base.deliveries.count + + post '/vx/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url, + unpermitted_param: '(x_x)' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + @mail = ActionMailer::Base.deliveries.last + end + + test "request should be successful" do + assert_equal 200, response.status + end + + test "user should have been created" do + assert @resource.id + end + end + describe "case-insensitive email" do before do diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 5cd6784b7..fb6c6e2f6 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -4,13 +4,13 @@ # within a `devise_scope` block # define :users as the first devise mapping: - mount_devise_token_auth_for 'User', at: '/auth' + mount_devise_token_auth_for 'User', at: 'auth' # define :mangs as the second devise mapping. routes using this class will # need to be defined within a devise_scope as shown below - mount_devise_token_auth_for "Mang", at: '/mangs' + mount_devise_token_auth_for "Mang", at: 'mangs' - mount_devise_token_auth_for 'EvilUser', at: '/evil_user_auth', controllers: { + mount_devise_token_auth_for 'EvilUser', at: 'evil_user_auth', controllers: { confirmations: 'overrides/confirmations', passwords: 'overrides/passwords', omniauth_callbacks: 'overrides/omniauth_callbacks', 
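Review bot: In the new `describe 'using namespaces'` block, `@mails_sent` and `@mail` are assigned in `before` but neither of the two tests reads them, so the setup does work the block never checks. Either drop the two assignments, or add the assertion they appear to be set up for — if a confirmation mail is expected here, `assert_equal @mails_sent + 1, ActionMailer::Base.deliveries.count` in a third test — so the namespaced registration is held to the same standard as the un-namespaced one. The enclosing test class continues outside the hunk.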
@@ -19,9 +19,14 @@
 token_validations: 'overrides/token_validations'
 }
- mount_devise_token_auth_for 'OnlyEmailUser', at: '/only_email_auth', skip: [:omniauth_callbacks]
+ mount_devise_token_auth_for 'OnlyEmailUser', at: 'only_email_auth', skip: [:omniauth_callbacks]
- mount_devise_token_auth_for 'UnregisterableUser', at: '/unregisterable_user_auth', skip: [:registrations]
+ mount_devise_token_auth_for 'UnregisterableUser', at: 'unregisterable_user_auth', skip: [:registrations]
+
+ # test namespacing
+ namespace :vx do
+ mount_devise_token_auth_for 'User', at: 'auth'
+ end
 # this route will authorize visitors using the User class
 get 'demo/members_only', to: 'demo_user#members_only'
From dacf0ee4639b1f9bbd43dc8d24729356d73745c0 Mon Sep 17 00:00:00 2001
From: Lynn Hurley
Date: Sun, 4 Jan 2015 20:18:24 -0600
Subject: [PATCH 018/328] add test to ensure routes for skipped controllers are not accessible. references #97
---
 .../registrations_controller_test.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb
index ade67b1a5..dd802b0e8 100644
--- a/test/controllers/devise_token_auth/registrations_controller_test.rb
+++ b/test/controllers/devise_token_auth/registrations_controller_test.rb
@@ -440,6 +440,19 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 end
 end
+ describe 'Excluded :registrations module' do
+ test 'UnregisterableUser should not be able to access registration routes' do
+ assert_raises(ActionController::RoutingError) {
+ post 'unregisterable_user_auth', {
+ email: Faker::Internet.email,
+ password: "secret123",
+ password_confirmation: "secret123",
+ confirm_success_url: Faker::Internet.url
+ }
+ }
+ end
+ end
+
 describe "Skipped confirmation" do
 setup do
 User.set_callback(:create, :before, :skip_confirmation!)
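Review bot: `post 'unregisterable_user_auth', {` lacks the leading slash that every other request in this file uses, including the earlier test for the same route under `'User with registration routes disabled'`. As far as I can tell the integration session appends the given path to `scheme://host:port` before dispatching, so a relative path either fails URI parsing or never matches any route at all, and `assert_raises(ActionController::RoutingError)` would then pass even if the `:registrations` routes had not been skipped. Use `post '/unregisterable_user_auth', {` so the assertion actually exercises the mount. With that fixed, this test and the earlier one cover the same route; one of them should be removed. The enclosing test class continues outside the hunk.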
From be073735eb564b697ac835903c11e341a1c0997e Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 4 Jan 2015 20:22:15 -0600 Subject: [PATCH 019/328] 0.1.31.beta2 --- lib/devise_token_auth/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 7504ea3fd..21896de83 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta1" + VERSION = "0.1.31.beta2" end From 60775e6a8129a5b2ea312e53851a2bbaf18d12ec Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 4 Jan 2015 20:39:59 -0600 Subject: [PATCH 020/328] update namespace test. references #96 --- Gemfile.lock | 2 +- .../devise_token_auth/omniauth_callbacks_controller_test.rb | 2 +- .../devise_token_auth/registrations_controller_test.rb | 2 +- test/dummy/config/routes.rb | 6 ++++-- 4 files changed, 7 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d1aac1acf..fd6c89b74 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta1) + devise_token_auth (0.1.31.beta2) devise (~> 3.3) rails (~> 4.1) diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 30a36fca7..1874697a7 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -130,7 +130,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest describe 'using namespaces' do before do - get_via_redirect '/vx/auth/facebook', { + get_via_redirect '/api/v1/auth/facebook', { auth_origin_url: @redirect_url } 
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index dd802b0e8..2f85e0009 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -59,7 +59,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration before do @mails_sent = ActionMailer::Base.deliveries.count - post '/vx/auth', { + post '/api/v1/auth', { email: Faker::Internet.email, password: "secret123", password_confirmation: "secret123", diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index fb6c6e2f6..dd42ee383 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -24,8 +24,10 @@ mount_devise_token_auth_for 'UnregisterableUser', at: 'unregisterable_user_auth', skip: [:registrations] # test namespacing - namespace :vx do - mount_devise_token_auth_for 'User', at: 'auth' + namespace :api do + scope :v1 do + mount_devise_token_auth_for 'User', at: 'auth' + end end # this route will authorize visitors using the User class From 4ac8060912399edf0d0a0990bc4a3005da43c053 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Sun, 4 Jan 2015 22:37:29 -0600 Subject: [PATCH 021/328] upgrade to rails 4.2 --- Gemfile.lock | 161 +++++++++++------- .../application_controller.rb | 1 - .../concerns/set_user_by_token.rb | 2 +- .../registrations_controller.rb | 2 - app/models/devise_token_auth/concerns/user.rb | 4 +- .../mailer/confirmation_instructions.html.erb | 2 +- .../reset_password_instructions.html.erb | 2 +- .../mailer/unlock_instructions.html.erb | 2 +- devise_token_auth.gemspec | 2 +- .../registrations_controller_test.rb | 16 +- .../app/controllers/application_controller.rb | 2 - test/dummy/config/environments/production.rb | 2 +- test/dummy/config/environments/test.rb | 5 +- .../install_generator_test.rb | 2 - 14 files changed, 108 insertions(+), 97 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index fd6c89b74..d02e7025e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -8,71 +8,80 @@ GIT GIT remote: git://github.com/laserlemon/figaro.git - revision: 9f54872dfc1a972b4a971211706272f0f38495f4 + revision: 5720b12ca2b086ee5f0a9f4267b11b7753c67d21 specs: - figaro (1.0.0.rc1) + figaro (1.0.0) thor (~> 0.14) GIT remote: git://github.com/mkdynamic/omniauth-facebook.git - revision: ee4fb4dd6f664b3223974c229fda36169309e9ec + revision: 9f729037e5c27d102462ebbb205b5da17f9aaf86 specs: omniauth-facebook (2.0.0) omniauth-oauth2 (~> 1.2) GIT remote: git://github.com/zquestz/omniauth-google-oauth2.git - revision: a40a748be080cd3a83808ef98afcbf590d7ffbba + revision: 74d9e4fa4ec369bbb088628b1f400e54d3094fd9 specs: - omniauth-google-oauth2 (0.2.5) - omniauth (> 1.0) - omniauth-oauth2 (~> 1.1) + omniauth-google-oauth2 (0.2.6) + omniauth (>= 1.1.1) + omniauth-oauth2 (>= 1.1.1) PATH remote: . specs: devise_token_auth (0.1.31.beta2) devise (~> 3.3) - rails (~> 4.1) + rails (~> 4.2) GEM remote: https://rubygems.org/ specs: - actionmailer (4.1.7) - actionpack (= 4.1.7) - actionview (= 4.1.7) + actionmailer (4.2.0) + actionpack (= 4.2.0) + actionview (= 4.2.0) + activejob (= 4.2.0) mail (~> 2.5, >= 2.5.4) - actionpack (4.1.7) - actionview (= 4.1.7) - activesupport (= 4.1.7) - rack (~> 1.5.2) + rails-dom-testing (~> 1.0, >= 1.0.5) + actionpack (4.2.0) + actionview (= 4.2.0) + activesupport (= 4.2.0) + rack (~> 1.6.0) rack-test (~> 0.6.2) - actionview (4.1.7) - activesupport (= 4.1.7) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + actionview (4.2.0) + activesupport (= 4.2.0) builder (~> 3.1) erubis (~> 2.7.0) - activemodel (4.1.7) - activesupport (= 4.1.7) + rails-dom-testing (~> 1.0, >= 1.0.5) + rails-html-sanitizer (~> 1.0, >= 1.0.1) + activejob (4.2.0) + activesupport (= 4.2.0) + globalid (>= 0.3.0) + activemodel (4.2.0) + activesupport (= 4.2.0) builder (~> 3.1) - activerecord (4.1.7) - activemodel (= 4.1.7) - activesupport (= 4.1.7) - arel (~> 5.0.0) - activesupport (4.1.7) - i18n (~> 0.6, >= 0.6.9) + activerecord 
(4.2.0) + activemodel (= 4.2.0) + activesupport (= 4.2.0) + arel (~> 6.0) + activesupport (4.2.0) + i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) - thread_safe (~> 0.1) + thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) ansi (1.4.3) - arel (5.0.1.20140414130214) - attr_encrypted (1.3.2) + arel (6.0.0) + attr_encrypted (1.3.3) encryptor (>= 1.3.0) bcrypt (3.1.9) builder (3.2.2) - celluloid (0.15.2) - timers (~> 1.1.0) - codeclimate-test-reporter (0.4.0) + celluloid (0.16.0) + timers (~> 4.0.0) + codeclimate-test-reporter (0.4.4) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) devise (3.4.1) @@ -89,39 +98,46 @@ GEM i18n (~> 0.5) faraday (0.9.0) multipart-post (>= 1.2, < 3) - ffi (1.9.3) + ffi (1.9.6) formatador (0.2.5) fuzz_ball (0.9.1) - guard (2.6.1) + globalid (0.3.0) + activesupport (>= 4.1.0) + guard (2.10.5) formatador (>= 0.2.4) listen (~> 2.7) lumberjack (~> 1.0) + nenv (~> 0.1) pry (>= 0.9.12) thor (>= 0.18.1) - guard-minitest (2.3.1) + guard-minitest (2.3.2) guard (~> 2.0) minitest (>= 3.0) - hashie (3.2.0) + hashie (3.3.2) hike (1.2.3) - i18n (0.6.11) + hitimes (1.2.2) + i18n (0.7.0) json (1.8.1) - jwt (1.0.0) - listen (2.7.9) + jwt (1.2.0) + listen (2.8.4) celluloid (>= 0.15.2) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) + loofah (2.0.1) + nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) method_source (0.8.2) mime-types (2.4.3) - minitest (5.4.3) + mini_portile (0.6.2) + minitest (5.5.0) minitest-focus (1.1.0) minitest (>= 4, < 6) - minitest-rails (2.1.0) + minitest-rails (2.1.1) minitest (~> 5.4) railties (~> 4.1) - minitest-reporters (1.0.5) + minitest-reporters (1.0.8) ansi builder minitest (>= 5.0) @@ -129,7 +145,10 @@ GEM multi_json (1.10.1) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.3.16) + mysql2 (0.3.17) + nenv (0.1.1) + nokogiri (1.6.5) + mini_portile (~> 0.6.0) oauth2 (1.0.0) faraday (>= 0.8, < 0.10) jwt (~> 1.0) 
@@ -145,7 +164,7 @@ GEM oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) - pg (0.17.1) + pg (0.18.0) pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) @@ -153,35 +172,44 @@ GEM pry-remote (0.1.8) pry (~> 0.9) slop (~> 3.0) - rack (1.5.2) - rack-cors (0.2.9) + rack (1.6.0) + rack-cors (0.3.1) rack-test (0.6.2) rack (>= 1.0) - rails (4.1.7) - actionmailer (= 4.1.7) - actionpack (= 4.1.7) - actionview (= 4.1.7) - activemodel (= 4.1.7) - activerecord (= 4.1.7) - activesupport (= 4.1.7) + rails (4.2.0) + actionmailer (= 4.2.0) + actionpack (= 4.2.0) + actionview (= 4.2.0) + activejob (= 4.2.0) + activemodel (= 4.2.0) + activerecord (= 4.2.0) + activesupport (= 4.2.0) bundler (>= 1.3.0, < 2.0) - railties (= 4.1.7) - sprockets-rails (~> 2.0) - railties (4.1.7) - actionpack (= 4.1.7) - activesupport (= 4.1.7) + railties (= 4.2.0) + sprockets-rails + rails-deprecated_sanitizer (1.0.3) + activesupport (>= 4.2.0.alpha) + rails-dom-testing (1.0.5) + activesupport (>= 4.2.0.beta, < 5.0) + nokogiri (~> 1.6.0) + rails-deprecated_sanitizer (>= 1.0.1) + rails-html-sanitizer (1.0.1) + loofah (~> 2.0) + railties (4.2.0) + actionpack (= 4.2.0) + activesupport (= 4.2.0) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (10.3.2) + rake (10.4.2) rb-fsevent (0.9.4) rb-inotify (0.9.5) ffi (>= 0.5.0) - responders (1.1.2) - railties (>= 3.2, < 4.2) - ruby-progressbar (1.5.1) - simplecov (0.9.0) + responders (2.0.2) + railties (>= 4.2.0.alpha, < 5) + ruby-progressbar (1.7.1) + simplecov (0.9.1) docile (~> 1.1.0) - multi_json + multi_json (~> 1.0) simplecov-html (~> 0.8.0) simplecov-html (0.8.0) slop (3.6.0) @@ -190,15 +218,16 @@ GEM multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.2.0) + sprockets-rails (2.2.2) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) - sqlite3 (1.3.9) + sqlite3 (1.3.10) thor (0.19.1) thread_safe (0.3.4) tilt (1.4.1) - timers (1.1.0) + timers (4.0.1) + hitimes tzinfo (1.2.2) thread_safe (~> 0.1) warden (1.2.3) 
diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index b48b4f64c..30de620c7 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -1,7 +1,6 @@ module DeviseTokenAuth class ApplicationController < DeviseController include DeviseTokenAuth::Concerns::SetUserByToken - respond_to :json def resource_class(m=nil) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 87bc41df3..97f3f5238 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -102,6 +102,6 @@ def resource_class(m=nil) def is_batch_request?(user, client_id) user.tokens[client_id] and user.tokens[client_id]['updated_at'] and - Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle + user.tokens[client_id]['updated_at'] > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle end end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 208dd0197..ec64b11af 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -3,8 +3,6 @@ class RegistrationsController < DeviseTokenAuth::ApplicationController before_filter :set_user_by_token, :only => [:destroy, :update] skip_after_filter :update_auth_header, :only => [:create, :destroy] - respond_to :json - def create @resource = resource_class.new(sign_up_params) @resource.provider = "email" diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 38f7ad54f..7f031fa64 100644 
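Review bot: Dropping `Time.parse` in `is_batch_request?` makes the `>` comparison assume `user.tokens[client_id]['updated_at']` is already a `Time`; any row whose tokens were persisted under the previous `serialize :tokens, JSON` coder holds a String there (which is why the old code parsed it), and `String#>` against a `Time` raises `ArgumentError`, so every request from such a client would 500 instead of simply being treated as a non-batch request. Whether legacy rows still exist depends on the deployment and is not visible here, but the method is cheap to make tolerant of both shapes: `updated_at = user.tokens[client_id]['updated_at']` / `updated_at = Time.parse(updated_at) if updated_at.is_a?(String)` / `updated_at > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle`. `is_batch_request?` is entirely inside the hunk; the `user.tokens[client_id] and ... and` prefix is unchanged.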
--- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -9,7 +9,7 @@ module DeviseTokenAuth::Concerns::User :confirmable, :omniauthable end - serialize :tokens, JSON + serialize :tokens, HashWithIndifferentAccess validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' } validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } @@ -122,7 +122,7 @@ def token_can_be_reused?(token, client_id) self.tokens[client_id]['last_token'] and # ensure that previous token falls within the batch buffer throttle time of the last request - Time.parse(self.tokens[client_id]['updated_at']) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and + self.tokens[client_id]['updated_at'] > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and # ensure that the token is valid BCrypt::Password.new(self.tokens[client_id]['last_token']) == token diff --git a/app/views/devise/mailer/confirmation_instructions.html.erb b/app/views/devise/mailer/confirmation_instructions.html.erb index 13c70d036..c233a2165 100644 --- a/app/views/devise/mailer/confirmation_instructions.html.erb +++ b/app/views/devise/mailer/confirmation_instructions.html.erb @@ -2,4 +2,4 @@
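Review bot: `serialize :tokens, HashWithIndifferentAccess` moves the column off the explicit JSON coder onto Rails' YAML coder (a class argument to `serialize` selects `YAMLColumn`), so per-client bcrypt token hashes, expiries and now native `Time` values round-trip through Psych's unrestricted `YAML.load`, which in Rails 4.2 instantiates whatever tagged Ruby objects the document names. The column is app-written, so this is defence in depth rather than a direct hole, but it turns any write primitive on `users.tokens` (an injection elsewhere, a tampered backup) into an object-deserialization sink, and existing rows holding JSON text will not come back as a `HashWithIndifferentAccess`, so those clients' tokens stop validating until the data is rewritten. A small coder keeps the JSON on-disk format and still returns indifferent-access hashes; note that with JSON `updated_at` stays a String, so the `Time.parse` this hunk removes from `token_can_be_reused?` has to stay (or the coder must parse it), and the enclosing `included` block and `token_can_be_reused?` both start outside the hunk.
```ruby
# Keep the stored format JSON (no YAML.load on a DB column) while still
# handing callers a HashWithIndifferentAccess.
class TokensCoder
  def self.load(json)
    return {}.with_indifferent_access if json.nil?
    JSON.parse(json).with_indifferent_access
  end

  def self.dump(hash)
    hash.to_json
  end
end

serialize :tokens, TokensCoder
# … unchanged: validates_presence_of :email / :uid …
```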

You can confirm your account email through the link below:

-

<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']) %>

+

<%= link_to 'Confirm my account', confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %>
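Review bot: As far as I can tell the appended `.html_safe` is a no-op — `link_to` already returns an html-safe `SafeBuffer` — so this hunk does not change the rendered mail, and wrapping the options in `{}` only changes how the same hash is passed. If the motivation was `&` appearing as `&amp;` inside the href, that is correct attribute encoding that mail clients decode; the only way to "fix" it would be to interpolate the URL into a raw `<a>` string, and at that point `redirect_url` (taken from the message headers and, if it is ultimately set from a request parameter as the name suggests, attacker-influenceable) becomes an HTML-injection sink. Either revert to `<%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']) %>` or add an ERB comment stating the rendering problem `.html_safe` is meant to work around.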

diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb index 9d6cc6e25..859f8eac4 100644 --- a/app/views/devise/mailer/reset_password_instructions.html.erb +++ b/app/views/devise/mailer/reset_password_instructions.html.erb @@ -2,7 +2,7 @@

Someone has requested a link to change your password. You can do this through the link below.

-

<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %>

+

<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %>

If you didn't request this, please ignore this email.

Your password won't change until you access the link above and create a new one.
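Review bot: The added `.html_safe` changes nothing here because `link_to` already returns an html-safe `SafeBuffer`, yet this is the template where an escaping regression would matter most: `@token` is the raw password-reset token and `redirect_url` is carried in from the message headers. Keeping the line as `<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s) %>` lets Rails' default output escaping catch a future mistake instead of an explicit `html_safe` masking it. If there is a concrete rendering issue being worked around, say so in an ERB comment next to the call.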

diff --git a/app/views/devise/mailer/unlock_instructions.html.erb b/app/views/devise/mailer/unlock_instructions.html.erb index 41e148bf2..8a1c14a94 100644 --- a/app/views/devise/mailer/unlock_instructions.html.erb +++ b/app/views/devise/mailer/unlock_instructions.html.erb @@ -4,4 +4,4 @@

Click the link below to unlock your account:

-

<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>

+

<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token).html_safe %>
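Review bot: `.html_safe` on the return value of `link_to` is redundant (it is already an html-safe `SafeBuffer`), so the hunk has no effect on the rendered mail; what it does do is signal to future editors that this line is meant to bypass escaping, which a template carrying a raw `unlock_token` should not encourage. Prefer the original `<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token) %>`, or document the reason for the call in an ERB comment.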

diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 27f1585d2..99088c684 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -17,7 +17,7 @@ Gem::Specification.new do |s| s.files = Dir["{app,config,db,lib}/**/*", "LICENSE", "Rakefile", "README.md"] s.test_files = Dir["test/**/*"] - s.add_dependency "rails", "~> 4.1" + s.add_dependency "rails", "~> 4.2" s.add_dependency "devise", "~> 3.3" s.add_development_dependency "sqlite3", "~> 1.3" diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 2f85e0009..bd931181c 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -443,7 +443,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration describe 'Excluded :registrations module' do test 'UnregisterableUser should not be able to access registration routes' do assert_raises(ActionController::RoutingError) { - post 'unregisterable_user_auth', { + post '/unregisterable_user_auth', { email: Faker::Internet.email, password: "secret123", password_confirmation: "secret123", @@ -524,19 +524,5 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration assert @resource.confirmed? end end - - describe 'User with registration routes disabled' do - test 'OnlyEmailUser should not be able to use OAuth' do - assert_raises(ActionController::RoutingError) { - post '/unregisterable_user_auth', { - email: Faker::Internet.email, - password: "secret123", - password_confirmation: "secret123", - confirm_success_url: Faker::Internet.url, - unpermitted_param: '(x_x)' - } - } - end - end end end diff --git a/test/dummy/app/controllers/application_controller.rb b/test/dummy/app/controllers/application_controller.rb index 69b8974e9..c941fac42 100644 
--- a/test/dummy/app/controllers/application_controller.rb +++ b/test/dummy/app/controllers/application_controller.rb @@ -3,8 +3,6 @@ class ApplicationController < ActionController::Base before_action :configure_permitted_parameters, if: :devise_controller? - respond_to :json - protected def configure_permitted_parameters diff --git a/test/dummy/config/environments/production.rb b/test/dummy/config/environments/production.rb index a8836c36c..a6ed58747 100644 --- a/test/dummy/config/environments/production.rb +++ b/test/dummy/config/environments/production.rb @@ -20,7 +20,7 @@ # config.action_dispatch.rack_cache = true # Disable Rails's static asset server (Apache or nginx will already do this). - config.serve_static_assets = false + config.serve_static_files = false # Compress JavaScripts and CSS. config.assets.js_compressor = :uglifier diff --git a/test/dummy/config/environments/test.rb b/test/dummy/config/environments/test.rb index 69acac45f..e8df48bd3 100644 --- a/test/dummy/config/environments/test.rb +++ b/test/dummy/config/environments/test.rb @@ -13,7 +13,7 @@ config.eager_load = false # Configure static asset server for tests with Cache-Control for performance. - config.serve_static_assets = true + config.serve_static_files = true config.static_cache_control = 'public, max-age=3600' # Show full error reports and disable caching. @@ -37,4 +37,7 @@ # Raises error for missing translations # config.action_view.raise_on_missing_translations = true + + # randomize test order + config.active_support.test_order = :random end diff --git a/test/lib/generators/devise_token_auth/install_generator_test.rb b/test/lib/generators/devise_token_auth/install_generator_test.rb index e9c280756..9b1625d77 100644 --- a/test/lib/generators/devise_token_auth/install_generator_test.rb +++ b/test/lib/generators/devise_token_auth/install_generator_test.rb 
@@ -148,8 +148,6 @@ def whatever @f = File.open(@fname, 'w') {|f| f.write <<-RUBY class ApplicationController < ActionController::Base - respond_to :json - def whatever 'whatever' end From 78f7239365e5b904db611d9e28393ceab7cb6d98 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 4 Jan 2015 22:38:00 -0600 Subject: [PATCH 022/328] v0.1.31.beta3 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index d02e7025e..ed229b2f9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta2) + devise_token_auth (0.1.31.beta3) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 21896de83..7f7ef3fae 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta2" + VERSION = "0.1.31.beta3" end From a11e877b99ca8a2067c91b8c928ab8a8873cdbd7 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 4 Jan 2015 22:45:51 -0600 Subject: [PATCH 023/328] routes: forward ":skip" param to devise_for. fixes #97 --- lib/devise_token_auth/rails/routes.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index fed434855..59baf4fc6 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -27,7 +27,8 @@ def mount_devise_token_auth_for(resource, opts) :class_name => resource, :module => :devise, :path => "#{opts[:at]}", - :controllers => controllers + :controllers => controllers, + :skip => opts[:skip] devise_scope resource.underscore.to_sym do # path to verify token validity From 2c546c0b7951c6c7b8ce7450d9107b8d254741e5 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Sun, 4 Jan 2015 22:46:25 -0600 Subject: [PATCH 024/328] v0.1.31.beta4 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ed229b2f9..bbfce32a6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta3) + devise_token_auth (0.1.31.beta4) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 7f7ef3fae..940a0204a 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta3" + VERSION = "0.1.31.beta4" end From 4754092d93e153eb28a7509aa65fc14ab6bc18be Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 5 Jan 2015 02:41:23 -0600 Subject: [PATCH 025/328] unnest token validation, omniauth callback routes. references #101 --- lib/devise_token_auth/rails/routes.rb | 66 +++++++++++++------ .../token_validations_controller_test.rb | 49 ++++++++++++++ 2 files changed, 94 insertions(+), 21 deletions(-) create mode 100644 test/controllers/devise_token_auth/token_validations_controller_test.rb diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 59baf4fc6..cff45410d 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb 
@@ -30,31 +30,55 @@ def mount_devise_token_auth_for(resource, opts) :controllers => controllers, :skip => opts[:skip] - devise_scope resource.underscore.to_sym do - # path to verify token validity - get "#{opts[:at]}/validate_token", to: "#{token_validations_ctrl}#validate_token" - - # omniauth routes. only define if omniauth is installed and not skipped. - if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks) - get "#{opts[:at]}/failure", to: "#{omniauth_ctrl}#omniauth_failure" - get "#{opts[:at]}/:provider/callback", to: "#{omniauth_ctrl}#omniauth_success" - - # preserve the resource class thru oauth authentication by setting name of - # resource as "resource_class" param - match "#{opts[:at]}/:provider", to: redirect{|params, request| - # get the current querystring - qs = CGI::parse(request.env["QUERY_STRING"]) - - # append name of current resource - qs["resource_class"] = [resource] - - # re-construct the path for omniauth - "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" - }, via: [:get] + + unnest_namespace do + # get full url path as if it were namespaced + full_path = "#{@scope[:path]}/#{opts[:at]}" + + # clear scope so controller routes aren't namespaced + @scope = ActionDispatch::Routing::Mapper::Scope.new( + path: "", + shallow_path: "", + constraints: {}, + defaults: {}, + options: {}, + parent: nil + ) + + devise_scope resource.underscore.to_sym do + # path to verify token validity + get "#{full_path}/validate_token", controller: "#{token_validations_ctrl}", action: "validate_token" + + # omniauth routes. only define if omniauth is installed and not skipped. 
+ if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks) + match "#{full_path}/failure", controller: "#{omniauth_ctrl}", action: "omniauth_failure", via: [:get] + match "#{full_path}/:provider/callback", controller: "#{omniauth_ctrl}", action: "omniauth_success", via: [:get] + + # preserve the resource class thru oauth authentication by setting name of + # resource as "resource_class" param + match "#{full_path}/:provider", to: redirect{|params, request| + # get the current querystring + qs = CGI::parse(request.env["QUERY_STRING"]) + + # append name of current resource + qs["resource_class"] = [resource] + + # re-construct the path for omniauth + "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" + }, via: [:get] + end end end end + # this allows us to use namespaced paths without namespacing the routes + def unnest_namespace + current_scope = @scope.dup + yield + ensure + @scope = current_scope + end + # ignore error about omniauth/multiple model support def set_omniauth_path_prefix!(path_prefix) ::OmniAuth.config.path_prefix = path_prefix diff --git a/test/controllers/devise_token_auth/token_validations_controller_test.rb b/test/controllers/devise_token_auth/token_validations_controller_test.rb new file mode 100644 index 000000000..24d064479 --- /dev/null +++ b/test/controllers/devise_token_auth/token_validations_controller_test.rb 
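Review bot: The replacement `Scope` built in `unnest_namespace` starts with `constraints: {}` and `defaults: {}` and only carries the parent's `path` forward (via `full_path`), so any `constraints` (subdomain, IP range, a custom request matcher) or `defaults` the host app placed on the enclosing `namespace`/`scope` are silently dropped for `validate_token`, `failure`, `:provider/callback` and the `:provider` redirect, while the `devise_for` routes above keep them; route-level constraints are often used as access gates, so these four routes would be reachable where the rest of the mount is not. Consider carrying them over when building the new scope, e.g. `constraints: @scope[:constraints] || {}` and `defaults: @scope[:defaults] || {}`, or at least state in the `unnest_namespace` comment that only the path prefix is preserved. This also depends on the private `ActionDispatch::Routing::Mapper::Scope` constructor and on `@scope` being a plain instance variable of the mapper, both of which can change between Rails minor versions, so a comment pinning the Rails version it was written against would help the next upgrade. `mount_devise_token_auth_for` starts outside the hunk.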
@@ -0,0 +1,49 @@ +require 'test_helper' + +# was the web request successful? +# was the user redirected to the right page? +# was the user successfully authenticated? +# was the correct object stored in the response? +# was the appropriate message delivered in the json payload? + +class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::IntegrationTest + describe DeviseTokenAuth::TokenValidationsController do + before do + @resource = users(:confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + + @auth_headers = @resource.create_new_auth_token + + @token = @auth_headers['access-token'] + @client_id = @auth_headers['client'] + @expiry = @auth_headers['expiry'] + + # ensure that request is not treated as batch request + age_token(@resource, @client_id) + + end + + describe 'vanilla user' do + before do + get '/auth/validate_token', {}, @auth_headers + @resp = JSON.parse(response.body) + end + + test "token valid" do + assert_equal 200, response.status + end + end + + describe 'using namespaces' do + before do + get '/api/v1/auth/validate_token', {}, @auth_headers + @resp = JSON.parse(response.body) + end + + test "token valid" do + assert_equal 200, response.status + end + end + end +end From 4b2320a615b22a3edf70fb0b5aa53b99097664e7 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 5 Jan 2015 02:42:07 -0600 Subject: [PATCH 026/328] v0.1.31.beta5 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index bbfce32a6..6ce9dea9b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta4) + devise_token_auth (0.1.31.beta5) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 940a0204a..2e90664ea 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb 
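Review bot: The new test only exercises the success path; `validate_token` is an authentication endpoint and nothing here asserts that a missing, wrong or stale `access-token` is rejected, so a regression that returns 200 unconditionally would still pass. Add a negative case next to 'vanilla user', e.g. `get '/auth/validate_token', {}, @auth_headers.merge('access-token' => 'bogus')` followed by an assertion on the unauthenticated status the controller returns (401, presumably — confirm). `@resp`, `@token` and `@expiry` are assigned but never asserted on; either check that the returned payload identifies `@resource` or drop them to keep the test honest about what it covers.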
@@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta4" + VERSION = "0.1.31.beta5" end From 62041b6283a0fe882950f94e58890bf79c3f1237 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 6 Jan 2015 16:54:51 -0600 Subject: [PATCH 027/328] program apps: search, pagination, ordering all work together --- .../devise_token_auth/omniauth_callbacks_controller_test.rb | 1 + test/dummy/config/environments/development.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 1874697a7..e3678a10d 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -37,6 +37,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest assert_equal 200, response.status end + focus test 'request should determine the correct resource_class' do assert_equal 'User', controller.omniauth_params['resource_class'] end diff --git a/test/dummy/config/environments/development.rb b/test/dummy/config/environments/development.rb index 4a908bafb..2573bb349 100644 --- a/test/dummy/config/environments/development.rb +++ b/test/dummy/config/environments/development.rb @@ -40,5 +40,5 @@ # Raises error for missing translations # config.action_view.raise_on_missing_translations = true - OmniAuth.config.full_host = "http://devise-token-auth.dev" + OmniAuth.config.full_host = "https://devise-token-auth.dev" end From a1e44213010239cbc1d79516b7507acd4d8e3d71 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 6 Jan 2015 16:54:51 -0600 Subject: [PATCH 028/328] [wip] - squash me --- .../devise_token_auth/omniauth_callbacks_controller_test.rb | 1 + test/dummy/config/environments/development.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
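Review bot: `focus` is committed on the 'request should determine the correct resource_class' test; with minitest-focus loaded (it is in the lockfile) this restricts the whole run to that single test, so CI would report green having skipped every other test in the suite. Remove the `focus` line before merging. The development-only `OmniAuth.config.full_host` change to https is flipped back two commits later, and the following commit 028 repeats this one verbatim under the subject "[wip] - squash me", so both belong squashed out of the series rather than landed as-is.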
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 1874697a7..e3678a10d 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -37,6 +37,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest assert_equal 200, response.status end + focus test 'request should determine the correct resource_class' do assert_equal 'User', controller.omniauth_params['resource_class'] end diff --git a/test/dummy/config/environments/development.rb b/test/dummy/config/environments/development.rb index 4a908bafb..2573bb349 100644 --- a/test/dummy/config/environments/development.rb +++ b/test/dummy/config/environments/development.rb @@ -40,5 +40,5 @@ # Raises error for missing translations # config.action_view.raise_on_missing_translations = true - OmniAuth.config.full_host = "http://devise-token-auth.dev" + OmniAuth.config.full_host = "https://devise-token-auth.dev" end From 9ca1fd83371420e9f938c26f2b3a93a43793b588 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 02:29:45 -0600 Subject: [PATCH 029/328] [wip] force use of vanilla OmniAuth as :omniauthable does not support multiple models. --- app/models/devise_token_auth/concerns/user.rb | 4 +++- config/initializers/devise.rb | 7 ------- config/routes.rb | 2 +- lib/devise_token_auth/engine.rb | 6 ++++++ lib/devise_token_auth/rails/routes.rb | 14 +++++++------- test/dummy/config/environments/development.rb | 2 +- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 7f031fa64..49d132426 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
@@ -6,7 +6,9 @@ module DeviseTokenAuth::Concerns::User unless self.method_defined?(:devise_modules) devise :database_authenticatable, :registerable, :recoverable, :trackable, :validatable, - :confirmable, :omniauthable + :confirmable + else + self.devise_modules.delete(:omniauthable) end serialize :tokens, HashWithIndifferentAccess diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 21b85f7ff..eb7adf184 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -193,11 +193,4 @@ # don't serialize tokens Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens - - # mounted routes will point to this - Rails.application.config.after_initialize do - if defined?(::OmniAuth) - ::OmniAuth::config.path_prefix = config.omniauth_path_prefix = DeviseTokenAuth.omniauth_prefix - end - end end diff --git a/config/routes.rb b/config/routes.rb index 90f2f4897..d50f7e6b0 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,5 +1,5 @@ Rails.application.routes.draw do if defined?(::OmniAuth) - get "#{::OmniAuth::config.path_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks" + get "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks" end end diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index c88c5d9ba..b703adae5 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -21,5 +21,11 @@ class Engine < ::Rails::Engine def self.setup(&block) yield self + + Rails.application.config.after_initialize do + if defined?(::OmniAuth) + ::OmniAuth::config.path_prefix = Devise.omniauth_path_prefix = self.omniauth_prefix + end + end end end diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index cff45410d..544cb67f9 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb 
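Review bot: `self.devise_modules.delete(:omniauthable)` silently strips a module the host model declared explicitly, and by the time this concern is included the host's `devise` call has, as far as I can tell, already mixed `Devise::Models::Omniauthable` in — only the list entry goes away, leaving the model half-configured with no warning or comment explaining why. A comment at that line would make the intent discoverable, e.g. `# Devise's :omniauthable supports a single model; the engine serves OmniAuth through its own redirect_callbacks route instead (config/routes.rb)`. In engine.rb the `after_initialize` hook is now registered from inside `setup`, so it is added once per `setup` call; harmless if `setup` runs exactly once from an initializer, but worth a guard or a comment if it can be invoked again (tests, reloads). The enclosing `included` block starts outside the hunk.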
@@ -17,8 +17,7 @@ def mount_devise_token_auth_for(resource, opts) controllers = {:sessions => sessions_ctrl, :registrations => registrations_ctrl, :passwords => passwords_ctrl, - :confirmations => confirmations_ctrl, - :omniauth_callbacks => omniauth_ctrl} + :confirmations => confirmations_ctrl} # remove any unwanted devise modules opts[:skip].each{|item| controllers.delete(item)} @@ -28,8 +27,7 @@ def mount_devise_token_auth_for(resource, opts) :module => :devise, :path => "#{opts[:at]}", :controllers => controllers, - :skip => opts[:skip] - + :skip => opts[:skip] + [:omniauth_callbacks] unnest_namespace do # get full url path as if it were namespaced @@ -51,8 +49,8 @@ def mount_devise_token_auth_for(resource, opts) # omniauth routes. only define if omniauth is installed and not skipped. if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks) - match "#{full_path}/failure", controller: "#{omniauth_ctrl}", action: "omniauth_failure", via: [:get] - match "#{full_path}/:provider/callback", controller: "#{omniauth_ctrl}", action: "omniauth_success", via: [:get] + match "#{full_path}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get] + match "#{full_path}/:provider/callback", controller: omniauth_ctrl, action: "omniauth_success", via: [:get] # preserve the resource class thru oauth authentication by setting name of # resource as "resource_class" param @@ -63,8 +61,10 @@ def mount_devise_token_auth_for(resource, opts) # append name of current resource qs["resource_class"] = [resource] + set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix) + # re-construct the path for omniauth - "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" + "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" }, via: [:get] end end 
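Review bot: `set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix)` is now called inside the `redirect { }` block, i.e. on every request to `…/:provider`, and it assigns the process-global `::OmniAuth.config.path_prefix` at request time; under a threaded server that is a shared-state write in the request path, and it duplicates the `after_initialize` hook in engine.rb that sets the same value once at boot. Move the call out of the block (or rely solely on the engine hook) and have the redirect only read `::OmniAuth.config.path_prefix`. `opts[:skip] + [:omniauth_callbacks]` also assumes `opts[:skip]` is never nil; the default is not visible in this hunk, so `Array(opts[:skip]) + [:omniauth_callbacks]` would be safer. `mount_devise_token_auth_for` starts outside the hunk.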
diff --git a/test/dummy/config/environments/development.rb b/test/dummy/config/environments/development.rb index 2573bb349..4a908bafb 100644 --- a/test/dummy/config/environments/development.rb +++ b/test/dummy/config/environments/development.rb @@ -40,5 +40,5 @@ # Raises error for missing translations # config.action_view.raise_on_missing_translations = true - OmniAuth.config.full_host = "https://devise-token-auth.dev" + OmniAuth.config.full_host = "http://devise-token-auth.dev" end From c3ea125e3f89339c06554131afa2accaeb7a7957 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 02:29:45 -0600 Subject: [PATCH 030/328] [wip] force use of vanilla OmniAuth as :omniauthable does not support multiple models. --- app/models/devise_token_auth/concerns/user.rb | 4 +++- config/initializers/devise.rb | 7 ------- config/routes.rb | 2 +- lib/devise_token_auth/engine.rb | 6 ++++++ lib/devise_token_auth/rails/routes.rb | 14 +++++++------- .../omniauth_callbacks_controller_test.rb | 1 - test/dummy/config/environments/development.rb | 2 +- 7 files changed, 18 insertions(+), 18 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 7f031fa64..49d132426 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -6,7 +6,9 @@ module DeviseTokenAuth::Concerns::User unless self.method_defined?(:devise_modules) devise :database_authenticatable, :registerable, :recoverable, :trackable, :validatable, - :confirmable, :omniauthable + :confirmable + else + self.devise_modules.delete(:omniauthable) end serialize :tokens, HashWithIndifferentAccess diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 21b85f7ff..eb7adf184 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb 
@@ -193,11 +193,4 @@ # don't serialize tokens Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION << :tokens - - # mounted routes will point to this - Rails.application.config.after_initialize do - if defined?(::OmniAuth) - ::OmniAuth::config.path_prefix = config.omniauth_path_prefix = DeviseTokenAuth.omniauth_prefix - end - end end diff --git a/config/routes.rb b/config/routes.rb index 90f2f4897..d50f7e6b0 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,5 +1,5 @@ Rails.application.routes.draw do if defined?(::OmniAuth) - get "#{::OmniAuth::config.path_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks" + get "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks" end end diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index c88c5d9ba..b703adae5 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -21,5 +21,11 @@ class Engine < ::Rails::Engine def self.setup(&block) yield self + + Rails.application.config.after_initialize do + if defined?(::OmniAuth) + ::OmniAuth::config.path_prefix = Devise.omniauth_path_prefix = self.omniauth_prefix + end + end end end diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index cff45410d..544cb67f9 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -17,8 +17,7 @@ def mount_devise_token_auth_for(resource, opts) controllers = {:sessions => sessions_ctrl, :registrations => registrations_ctrl, :passwords => passwords_ctrl, - :confirmations => confirmations_ctrl, - :omniauth_callbacks => omniauth_ctrl} + :confirmations => confirmations_ctrl} # remove any unwanted devise modules opts[:skip].each{|item| controllers.delete(item)} 
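Review bot: The `after_initialize` block added to `setup` writes `::OmniAuth::config.path_prefix` with the scope operator, while the same commit rewrites the identical expression in the routes file to `::OmniAuth.config.path_prefix`; using the method-call form here as well keeps the two consistent: `::OmniAuth.config.path_prefix = Devise.omniauth_path_prefix = omniauth_prefix`. The block also depends on `self` still being the receiver of `setup` when the hook fires, which holds if the hook is invoked with a plain call rather than `instance_eval` — worth confirming, and the `@@` context line suggests `setup` may live at module level rather than on `Engine`, so check where `omniauth_prefix` is actually defined. A one-line comment explaining that this hook replaces the initializer removed in config/initializers/devise.rb (the pure-deletion hunk above) and why it must wait until after initialization would help the next reader.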
@@ -28,8 +27,7 @@ def mount_devise_token_auth_for(resource, opts) :module => :devise, :path => "#{opts[:at]}", :controllers => controllers, - :skip => opts[:skip] - + :skip => opts[:skip] + [:omniauth_callbacks] unnest_namespace do # get full url path as if it were namespaced @@ -51,8 +49,8 @@ def mount_devise_token_auth_for(resource, opts) # omniauth routes. only define if omniauth is installed and not skipped. if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks) - match "#{full_path}/failure", controller: "#{omniauth_ctrl}", action: "omniauth_failure", via: [:get] - match "#{full_path}/:provider/callback", controller: "#{omniauth_ctrl}", action: "omniauth_success", via: [:get] + match "#{full_path}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get] + match "#{full_path}/:provider/callback", controller: omniauth_ctrl, action: "omniauth_success", via: [:get] # preserve the resource class thru oauth authentication by setting name of # resource as "resource_class" param @@ -63,8 +61,10 @@ def mount_devise_token_auth_for(resource, opts) # append name of current resource qs["resource_class"] = [resource] + set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix) + # re-construct the path for omniauth - "#{::OmniAuth::config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" + "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" }, via: [:get] end end diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index e3678a10d..1874697a7 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb 
@@ -37,7 +37,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest assert_equal 200, response.status end - focus test 'request should determine the correct resource_class' do assert_equal 'User', controller.omniauth_params['resource_class'] end diff --git a/test/dummy/config/environments/development.rb b/test/dummy/config/environments/development.rb index 2573bb349..4a908bafb 100644 --- a/test/dummy/config/environments/development.rb +++ b/test/dummy/config/environments/development.rb @@ -40,5 +40,5 @@ # Raises error for missing translations # config.action_view.raise_on_missing_translations = true - OmniAuth.config.full_host = "https://devise-token-auth.dev" + OmniAuth.config.full_host = "http://devise-token-auth.dev" end From 3042b2a622815bdd91b14516ae6ba96288337daa Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 04:00:45 -0600 Subject: [PATCH 031/328] fix testing issue with symbol / string token hash access --- app/models/devise_token_auth/concerns/user.rb | 25 ++++++++++++------- test/models/user_test.rb | 4 +-- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 49d132426..cc1099818 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -11,7 +11,7 @@ module DeviseTokenAuth::Concerns::User self.devise_modules.delete(:omniauthable) end - serialize :tokens, HashWithIndifferentAccess + serialize :tokens, JSON validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' } validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } 
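Review bot: Switching `serialize :tokens` from `HashWithIndifferentAccess` to `JSON` changes the column coder, so rows already persisted by the previous (YAML-based) coder will presumably not decode under the JSON coder, and every read now needs the `tokens[client_id]['key'] || tokens[client_id][:key]` dance because JSON round-trips symbol keys as strings. If existing installs are expected to upgrade across this change it needs a data migration or at least a changelog note; at minimum the line deserves a comment: `# JSON coder: keys come back as strings after a reload, so index tokens with string keys`. The `included` block this line belongs to starts before the hunk.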
@@ -102,32 +102,39 @@ def send_confirmation_notification? def token_is_current?(token, client_id) + # ghetto HashWithIndifferentAccess + expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] + token_hash = self.tokens[client_id]['token'] || self.tokens[client_id][:token] + return true if ( # ensure that expiry and token are set - self.tokens[client_id]['expiry'] and - self.tokens[client_id]['token'] and + expiry and token and # ensure that the token has not yet expired - DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and + DateTime.strptime(expiry.to_s, '%s') > Time.now and # ensure that the token is valid - BCrypt::Password.new(self.tokens[client_id]['token']) == token + BCrypt::Password.new(token_hash) == token ) end # allow batch requests to use the previous token def token_can_be_reused?(token, client_id) + # ghetto HashWithIndifferentAccess + updated_at = self.tokens[client_id]['updated_at'] || self.tokens[client_id][:updated_at] + last_token = self.tokens[client_id]['last_token'] || self.tokens[client_id][:last_token] + + return true if ( # ensure that the last token and its creation time exist - self.tokens[client_id]['updated_at'] and - self.tokens[client_id]['last_token'] and + updated_at and last_token and # ensure that previous token falls within the batch buffer throttle time of the last request - self.tokens[client_id]['updated_at'] > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and + updated_at > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and # ensure that the token is valid - BCrypt::Password.new(self.tokens[client_id]['last_token']) == token + BCrypt::Password.new(last_token) == token ) end diff --git a/test/models/user_test.rb b/test/models/user_test.rb index 09b2038eb..6ddfdae2b 100644 --- a/test/models/user_test.rb +++ b/test/models/user_test.rb 
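Review bot: In `token_is_current?` the presence guard now reads `expiry and token and`, but `token` is the method argument (the client-supplied value); the stored hash is `token_hash`, computed just above and never checked, so a client entry with an `expiry` but no stored `token` reaches `BCrypt::Password.new(token_hash)` with nil and raises instead of returning falsy as before. Change the guard to `expiry and token_hash and` — the original checked `self.tokens[client_id]['token']`, i.e. the stored hash. `token_can_be_reused?` gets this right with `updated_at and last_token and`. Both methods still index `self.tokens[client_id]` before any nil check, which is pre-existing but now happens twice per method; the "ghetto HashWithIndifferentAccess" comment would read better as `# tokens may hold string or symbol keys depending on whether the row was reloaded`.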
@@ -79,11 +79,11 @@ class UserTest < ActiveSupport::TestCase end test 'expired token was removed' do - refute @resource.tokens[@old_auth_headers['client']] + refute @resource.tokens[@old_auth_headers[:client]] end test 'current token was not removed' do - assert @resource.tokens[@new_auth_headers['client']] + assert @resource.tokens[@new_auth_headers["client"]] end end end From 3506fd814d91053899d7a749a5cb01dc5f640215 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 04:01:58 -0600 Subject: [PATCH 032/328] v0.1.31.beta6 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6ce9dea9b..50a1201a4 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta5) + devise_token_auth (0.1.31.beta6) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 2e90664ea..387c99862 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta5" + VERSION = "0.1.31.beta6" end From 9634a823af50d95771b02c8d39b6a131e03ab0b1 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 04:11:18 -0600 Subject: [PATCH 033/328] v0.1.31.beta7. fixes #90 --- Gemfile.lock | 2 +- app/models/devise_token_auth/concerns/user.rb | 4 ++-- lib/devise_token_auth/version.rb | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 50a1201a4..4afbd0fea 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta6) + devise_token_auth (0.1.31.beta7) devise (~> 3.3) rails (~> 4.2) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index cc1099818..ef9425271 100644 --- a/app/models/devise_token_auth/concerns/user.rb 
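Review bot: The 'expired token was removed' test now reads `@old_auth_headers[:client]` while its sibling uses `@new_auth_headers["client"]`; `build_auth_header` (changed later in this series) returns a plain hash with the string key `"client"`, so unless the headers hash is indifferent-access the symbol lookup yields nil, `tokens[nil]` is nil, and `refute` passes vacuously whether or not the old token was removed. Use the string key in both assertions, `refute @resource.tokens[@old_auth_headers['client']]`, or assert the key is present first. The enclosing `describe` begins before the hunk.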
+++ b/app/models/devise_token_auth/concerns/user.rb @@ -169,13 +169,13 @@ def build_auth_header(token, client_id='default') # client may use expiry to prevent validation request if expired # must be cast as string or headers will break - expiry = self.tokens[client_id]['expiry'].to_s + expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] return { "access-token" => token, "token-type" => "Bearer", "client" => client_id, - "expiry" => expiry, + "expiry" => expiry.to_s, "uid" => self.uid } end diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 387c99862..ab9590312 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta6" + VERSION = "0.1.31.beta7" end From 82b91fcf69abedc70d36889c14c7261209d1aad4 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 04:34:15 -0600 Subject: [PATCH 034/328] [bugfix] date comparison with ruby 1.9.3 --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- app/models/devise_token_auth/concerns/user.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 97f3f5238..87bc41df3 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -102,6 +102,6 @@ def resource_class(m=nil) def is_batch_request?(user, client_id) user.tokens[client_id] and user.tokens[client_id]['updated_at'] and - user.tokens[client_id]['updated_at'] > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle + Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle end end 
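Review bot: `is_batch_request?` now parses with `Time.parse(user.tokens[client_id]['updated_at'])` using only the string key, whereas the model methods changed earlier in this series fall back to `[:updated_at]`; if the two can disagree about key type, the batch check silently reports false. A single accessor on the model that returns a token entry with normalised keys would keep controller and model in agreement, and the expected type should be stated: `# updated_at is persisted as a string by the JSON coder; parse before comparing`. `Time.parse` raises on a non-string value, which the surrounding `and` guard does not cover; the same applies to the `token_can_be_reused?` hunk in the next file section.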
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index ef9425271..9e8d7312e 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -131,7 +131,7 @@ def token_can_be_reused?(token, client_id) updated_at and last_token and # ensure that previous token falls within the batch buffer throttle time of the last request - updated_at > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and + Time.parse(updated_at) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and # ensure that the token is valid BCrypt::Password.new(last_token) == token From 8f1e837ce81fd8b18bcdd36bb3fb296834802a32 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 7 Jan 2015 04:35:00 -0600 Subject: [PATCH 035/328] v0.1.31.beta8 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 4afbd0fea..6b51878d2 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta7) + devise_token_auth (0.1.31.beta8) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index ab9590312..9f696de00 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta7" + VERSION = "0.1.31.beta8" end From b1aad9322726dce5a1ce4a3ba60339247c07b404 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Fri, 9 Jan 2015 13:10:34 -0600 Subject: [PATCH 036/328] fix possible sql injection vulnerability --- Gemfile.lock | 2 +- app/controllers/devise_token_auth/passwords_controller.rb | 6 +++--- app/controllers/devise_token_auth/sessions_controller.rb | 6 +++--- lib/devise_token_auth/version.rb | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/Gemfile.lock b/Gemfile.lock index 6b51878d2..32dc2fd55 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta8) + devise_token_auth (0.1.31.beta9) devise (~> 3.3) rails (~> 4.2) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index e90cc556f..d5f9176b0 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -27,14 +27,14 @@ def create email = resource_params[:email] end - q = "uid='#{email}' AND provider='email'" + q = "uid = ? AND provider='email'" # fix for mysql default case insensitivity if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid='#{email}' AND provider='email'" + q = "BINARY uid = ? AND provider='email'" end - @resource = resource_class.where(q).first + @resource = resource_class.where(q, email).first errors = nil diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 447b8d37b..43cbf5367 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -11,13 +11,13 @@ def create email = resource_params[:email] end - q = "uid='#{email}' AND provider='email'" + q = "uid = ? AND provider='email'" if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid='#{email}' AND provider='email'" + q = "BINARY uid = ? AND provider='email'" end - @resource = resource_class.where(q).first + @resource = resource_class.where(q, email).first if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 9f696de00..cbf6cfb21 100644 
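Review bot: The bind-parameter form `uid = ?` in both the passwords and sessions controller hunks is the right fix; what remains is that the adapter sniff and the two query strings are now duplicated line for line across the two controllers, so a future change to one (for instance binding `provider` as well) is likely to miss the other. A shared helper on the base controller or model (say, a scope that returns the email-provider lookup for a given uid), or at least a comment on each, `# BINARY forces a case-sensitive compare on MySQL, whose default collation is case-insensitive`, would keep them aligned. The `email` local is set from `resource_params[:email]` above the hunk and may be nil when the param is absent; with the bind that becomes `uid = NULL` and matches nothing, which looks intended but deserves a comment. `create` begins outside both hunks.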
--- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta8" + VERSION = "0.1.31.beta9" end From a5ef9c51b058bd8d4fdd7aca5d2bf90ea5c11025 Mon Sep 17 00:00:00 2001 From: Lukas Elmer Date: Sun, 11 Jan 2015 23:50:34 +0100 Subject: [PATCH 037/328] document GET for /validate_token See https://github.com/lynndylanhurley/devise_token_auth/blob/master/lib/devise_token_auth/rails/routes.rb#L48 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index be3a05af5..c73656388 100644 --- a/README.md +++ b/README.md 
@@ -130,7 +130,7 @@ The following routes are available for use by your client. These routes live rel | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. | | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | -| /validate_token | POST | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`auth_token`** as params. These values should correspond to the columns in your `User` table of the same names. | +| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`auth_token`** as params. These values should correspond to the columns in your `User` table of the same names. | | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | | /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). | | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. 
These values will be set automatically by the confirmation email that is generated by the password reset request. | From b6c7cecd8704dc1226ddb2d06599cc32bce84ea4 Mon Sep 17 00:00:00 2001 From: Le6ow5k1 Date: Sun, 18 Jan 2015 20:35:11 +0500 Subject: [PATCH 038/328] Fix links to section about controller integration. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c73656388..78be6b95b 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ The fully configured api used in the demo can be found [here](https://github.com * [Cross Origin Requests (CORS)](#cors) * [Usage Continued](#usage-cont) * [Mounting Routes](#mounting-routes) - * [Controller Integration](#controller-concerns) + * [Controller Integration](#controller-methods) * [Model Integration](#model-concerns) * [Using Multiple User Classes](#using-multiple-models) * [Excluding Modules](#excluding-modules) @@ -73,7 +73,7 @@ bundle install # Configuration TL;DR -You will need to create a [user model](#model-concerns), [define routes](#mounting-routes), [include concerns](#controller-concerns), and you may want to alter some of the [default settings](#initializer-settings) for this gem. Run the following command for an easy one-step installation: +You will need to create a [user model](#model-concerns), [define routes](#mounting-routes), [include concerns](#controller-methods), and you may want to alter some of the [default settings](#initializer-settings) for this gem. Run the following command for an easy one-step installation: ~~~bash rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH] 
@@ -100,7 +100,7 @@ The following events will take place when using the install generator: * Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). -* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-concerns). +* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). * A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: @@ -385,7 +385,7 @@ The authentication headers required for each request will be available in the re ##### DeviseTokenAuth::Concerns::User -Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-concerns) described above. +Typical use of this gem will not require the use of any of the following model methods. All authentication should be handled invisibly by the [controller concerns](#controller-methods) described above. Models that include the `DeviseTokenAuth::Concerns::User` concern will have access to the following public methods (read the above section for context on `token` and `client`): From 9dbc719925b37de64d6062fac18469ed6ee408ae Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 28 Jan 2015 13:31:03 -0600 Subject: [PATCH 039/328] add `token_validation_response` method to user concern --- README.md | 28 +++++++++++++++++++ .../token_validations_controller.rb | 4 +-- app/models/devise_token_auth/concerns/user.rb | 9 ++++-- 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index be3a05af5..d6c7803e4 100644 --- a/README.md +++ b/README.md 
@@ -45,6 +45,7 @@ The fully configured api used in the demo can be found [here](https://github.com * [Excluding Modules](#excluding-modules) * [Custom Controller Overrides](#custom-controller-overrides) * [Email Template Overrides](#email-template-overrides) +* [FAQ](#faq) * [Conceptual Diagrams](#conceptual) * [Token Management](#about-token-management) * [Batch Requests](#about-batch-requests) @@ -640,6 +641,33 @@ These files may be edited to suit your taste. **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. +# FAQ + +### Can I use this gem alongside standard Devise? + +Yes! But you will need to use separate routes for standard Devise. So do something like this: + +~~~ruby +Rails.application.routes.draw do + + # standard devise routes available at /users + # NOTE: make sure this comes first!!! + devise_for :users + + # token auth routes available at /api/v1/auth + namespace :api do + scope :v1 do + mount_devise_token_auth_for 'User', at: 'auth' + end + end + +end +~~~ + +### Why are the `new` routes included if this gem doesn't use them? + +Removing the `new` routes will require significant modifications to devise. If the inclusion of the `new` routes is causing your app any problems, post an issue in the issue tracker and it will be addressed ASAP. + # Conceptual None of the following information is required to use this gem, but read on if you're curious. diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 52da3d9b9..9824c2c46 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb 
@@ -8,9 +8,7 @@ def validate_token if @resource render json: { success: true, - data: @resource.as_json(except: [ - :tokens, :created_at, :updated_at - ]) + data: @resource.token_validation_response } else render json: { diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 9e8d7312e..3f8525314 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -30,7 +30,6 @@ module DeviseTokenAuth::Concerns::User # get rid of dead tokens before_save :destroy_expired_tokens - # don't use default devise email validation def email_required? false @@ -200,6 +199,13 @@ def confirmed? self.devise_modules.exclude?(:confirmable) || super end + def token_validation_response + self.as_json(except: [ + :tokens, :created_at, :updated_at + ]) + end + + protected @@ -218,7 +224,6 @@ def generate_url(url, params = {}) return res end - # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 From dbb82c3cbc6aab542b1f66b03042f995f20e9619 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 28 Jan 2015 13:32:06 -0600 Subject: [PATCH 040/328] v0.1.31.beta10 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 32dc2fd55..ea95d871d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta9) + devise_token_auth (0.1.31.beta10) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index cbf6cfb21..2280c9dfd 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta9" + VERSION = "0.1.31.beta10" end 
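Review bot: `token_validation_response` is added as a new public method on the concern without a comment, and since it is now the sole definition of what the token validation endpoint returns and the natural override point, it should say so. Suggested: `# Payload returned by the token validation endpoint; override in your model to customise it. Excludes tokens and timestamps in addition to Devise's BLACKLIST_FOR_SERIALIZATION.` — the devise initializer shown earlier in this series already appends `:tokens` to that blacklist, so the `except:` here is belt-and-braces rather than the only guard. Because this is an exclusion list, any sensitive column added to the user table later is returned by default; if the response shape is meant to be stable an `only:` allowlist would be the safer default.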
From 94254974bcd4f40817e0aec67627a5637b78f247 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Wed, 28 Jan 2015 16:48:31 -0600 Subject: [PATCH 041/328] v0.1.31 --- Gemfile.lock | 8 ++++---- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ea95d871d..a0f342c01 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31.beta10) + devise_token_auth (0.1.31) devise (~> 3.3) rails (~> 4.2) @@ -204,8 +204,8 @@ GEM rb-fsevent (0.9.4) rb-inotify (0.9.5) ffi (>= 0.5.0) - responders (2.0.2) - railties (>= 4.2.0.alpha, < 5) + responders (2.1.0) + railties (>= 4.2.0, < 5) ruby-progressbar (1.7.1) simplecov (0.9.1) docile (~> 1.1.0) @@ -218,7 +218,7 @@ GEM multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.2.2) + sprockets-rails (2.2.4) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 2280c9dfd..65221908b 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31.beta10" + VERSION = "0.1.31" end From 9bc64e4745112e1c32ada8294c25c417870e8a65 Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Sat, 31 Jan 2015 22:15:25 +0000 Subject: [PATCH 042/328] Check if confirmable is active before skipping confirmation --- .../devise_token_auth/omniauth_callbacks_controller.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 6896e401d..f3564a04b 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -57,8 +57,10 @@ def omniauth_success extra_params = whitelisted_params @resource.assign_attributes(extra_params) if extra_params - # don't send confirmation email!!! - @resource.skip_confirmation! + if resource_class.devise_modules.include?(:confirmable) + # don't send confirmation email!!! + @resource.skip_confirmation! + end sign_in(:user, @resource, store: false, bypass: false) From 24a3b1e852fae4e5cbd47951cce67678e9321cf1 Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Mon, 2 Feb 2015 00:00:30 +0000 Subject: [PATCH 043/328] Implementation of username login according to Wiki --- .gitignore | 1 + .../devise_token_auth/concerns/set_user_by_token.rb | 8 ++++++++ app/models/devise_token_auth/concerns/user.rb | 13 ++++++++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 3bda27950..f83d7a10c 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ test/dummy/tmp/ test/dummy/.sass-cache test/dummy/config/application.yml coverage +.idea \ No newline at end of file diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 87bc41df3..0a11f40b8 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -5,6 +5,14 @@ module DeviseTokenAuth::Concerns::SetUserByToken included do before_action :set_request_start after_action :update_auth_header + + before_action :default_permitted_parameters, if: :devise_controller? + end + + def default_permitted_parameters + devise_parameter_sanitizer.for(:sign_up).concat([:email, :login, :username]) + devise_parameter_sanitizer.for(:sign_in).concat([:email, :login, :username]) + devise_parameter_sanitizer.for(:account_update).concat([:email, :username]) end # keep track of request duration 
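Review bot: `default_permitted_parameters` is defined as a public instance method in `SetUserByToken`, a concern included into application controllers, so every controller that includes it gains a public method that Rails treats as a potential action; it is only ever used as a `before_action` and should sit under `protected`/`private` (or be followed by `private :default_permitted_parameters`). It also permits `:login` and `:username` for every resource unconditionally, which is the behaviour the commit wants but deserves a comment: `# permit username/login as alternative identifiers alongside email`. The `included` block and the rest of the concern continue outside the hunk.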
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 3f8525314..1d2090839 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -6,9 +6,10 @@ module DeviseTokenAuth::Concerns::User unless self.method_defined?(:devise_modules) devise :database_authenticatable, :registerable, :recoverable, :trackable, :validatable, - :confirmable + :confirmable, authentication_keys: [:login] else self.devise_modules.delete(:omniauthable) + self.devise_modules.push(authentication_keys: [:login]) end serialize :tokens, JSON @@ -30,6 +31,8 @@ module DeviseTokenAuth::Concerns::User # get rid of dead tokens before_save :destroy_expired_tokens + attr_accessor :login + # don't use default devise email validation def email_required? false @@ -39,6 +42,14 @@ def email_changed? false end + def self.find_for_database_authentication(warden_conditions) + conditions = warden_conditions.dup + if login = conditions.delete(:login) + where(conditions).where(["username = :value OR lower(email) = lower(:value)", { :value => login }]).first + else + where(conditions.to_h).first + end + end # override devise method to include additional info as opts hash def send_confirmation_instructions(opts=nil) From 179c7c734abe9a11c755e48e09c88c4b86d8d1f0 Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Mon, 2 Feb 2015 00:35:18 +0000 Subject: [PATCH 044/328] Add login with username --- .../devise_token_auth/sessions_controller.rb | 25 ++-- .../sessions_controller_test.rb | 139 ++++++++++++++++++ .../20150202001247_add_username_to_users.rb | 6 + test/dummy/db/schema.rb | 14 +- test/fixtures/users.yml | 13 ++ 5 files changed, 182 insertions(+), 15 deletions(-) create mode 100644 test/dummy/db/migrate/20150202001247_add_username_to_users.rb 
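Review bot: `self.devise_modules.push(authentication_keys: [:login])` in the `else` branch appends a Hash to the list of Devise module symbols, which does not configure the authentication key and leaves a non-symbol element in `devise_modules` for later `include?`/`delete` calls. When the host model already ran `devise`, the per-model setter is what the `if` branch's `authentication_keys: [:login]` option ends up invoking, I believe, so the equivalent here is `self.authentication_keys = [:login]`. A short comment on both branches would help: `# authenticate by :login (username or email); see find_for_database_authentication`.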
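Review bot: `find_for_database_authentication` compares `username = :value` exactly but `lower(email) = lower(:value)` unconditionally, so email matching ignores `case_insensitive_keys` while username honours it only by accident of collation; the sessions controller in the next commit branches on `case_insensitive_keys` instead, so the two lookups can disagree on the same input. It also does not scope to `provider = 'email'` the way the controllers' queries do, so an OAuth-provisioned record sharing an email could be selected — if Devise's database_authenticatable path actually reaches this method in this gem, which is worth confirming. `where(conditions)` in the login branch versus `where(conditions.to_h)` in the else branch should also use the same form. A comment stating the intended matching rule would help: `# :login matches username exactly or email case-insensitively`.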
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 43cbf5367..5b9cea709 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -6,19 +6,26 @@ class SessionsController < DeviseTokenAuth::ApplicationController def create # honor devise configuration for case_insensitive_keys if resource_class.case_insensitive_keys.include?(:email) - email = resource_params[:email].downcase - else - email = resource_params[:email] - end + q_value = resource_params[:email].downcase - q = "uid = ? AND provider='email'" + q = "uid = ? AND provider='email'" - if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid = ? AND provider='email'" - end + if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' + q = "BINARY uid = ? AND provider='email'" + end + + elsif resource_class.case_insensitive_keys.include?(:username) + q_value = resource_params[:username].downcase - @resource = resource_class.where(q, email).first + q = "username = ? AND provider='email'" + + if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' + q = "BINARY username = ? AND provider='email'" + end + + end + @resource = resource_class.where(q, q_value).first if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index 4169a49e4..a8805373b 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb 
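Review bot: In the rewritten `create`, `q` and `q_value` are only assigned inside the two `case_insensitive_keys` branches, so when neither `:email` nor `:username` is configured case-insensitive (the configuration the new 'request should fail if not configured' test sets) both stay nil and `resource_class.where(nil, nil).first` runs, which is no longer a lookup by the submitted identifier; the previous code's exact-match `else` path is gone. The dispatch is also on server configuration rather than on which parameter the client sent, so a request carrying only `username` while `:email` is case-insensitive calls `.downcase` on nil. Choosing the field from the request and applying case-folding per field restores the exact-match path and removes the nil branch; the lines below assume `resource_params` permits `:username`, as the hunk already does. The rest of `create` (password check, token issuance) is outside the hunk.
```ruby
  def create
    # Look up by whichever identifier the client sent, then honor
    # case_insensitive_keys for that field only.
    field   = resource_params[:username] ? :username : :email
    q_value = resource_params[field]
    if q_value && resource_class.case_insensitive_keys.include?(field)
      q_value = q_value.downcase
    end

    # field is one of two fixed symbols, never client input
    q = "#{field} = ? AND provider='email'"
    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
      # MySQL's default collation is case-insensitive; BINARY forces an exact compare
      q = "BINARY #{field} = ? AND provider='email'"
    end

    @resource = resource_class.where(q, q_value).first
    # … unchanged: password check and token issuance …
```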
@@ -8,6 +8,145 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase describe DeviseTokenAuth::SessionsController do + describe "Confirmed user with username" do + before do + @existing_user = users(:confirmed_email_user_with_username) + @existing_user.skip_confirmation! + @existing_user.save! + end + + describe 'success' do + before do + @old_sign_in_count = @existing_user.sign_in_count + @old_current_sign_in_at = @existing_user.current_sign_in_at + @old_last_sign_in_at = @existing_user.last_sign_in_at + @old_sign_in_ip = @existing_user.current_sign_in_ip + @old_last_sign_in_ip = @existing_user.last_sign_in_ip + + xhr :post, :create, { + username: @existing_user.username, + password: 'secret123' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + + @new_sign_in_count = @resource.sign_in_count + @new_current_sign_in_at = @resource.current_sign_in_at + @new_last_sign_in_at = @resource.last_sign_in_at + @new_sign_in_ip = @resource.current_sign_in_ip + @new_last_sign_in_ip = @resource.last_sign_in_ip + end + + test "request should succeed" do + assert_equal 200, response.status + end + + test "request should return user data" do + assert_equal @existing_user.username, @data['data']['username'] + end + + describe 'trackable' do + test 'sign_in_count incrementns' do + assert_equal @old_sign_in_count + 1, @new_sign_in_count + end + + test 'current_sign_in_at is updated' do + refute @old_current_sign_in_at + assert @new_current_sign_in_at + end + + test 'last_sign_in_at is updated' do + refute @old_last_sign_in_at + assert @new_last_sign_in_at + end + + test 'sign_in_ip is updated' do + refute @old_sign_in_ip + assert_equal "0.0.0.0", @new_sign_in_ip + end + + test 'last_sign_in_ip is updated' do + refute @old_last_sign_in_ip + assert_equal "0.0.0.0", @new_last_sign_in_ip + end + end + end + + + describe 'authed user sign out' do + before do + @auth_headers = @existing_user.create_new_auth_token + 
request.headers.merge!(@auth_headers) + xhr :delete, :destroy, format: :json + end + + test "user is successfully logged out" do + assert_equal 200, response.status + end + + test "token was destroyed" do + @existing_user.reload + refute @existing_user.tokens[@auth_headers["client"]] + end + end + + describe 'unauthed user sign out' do + before do + @auth_headers = @existing_user.create_new_auth_token + xhr :delete, :destroy, format: :json + end + + test "unauthed request returns 404" do + assert_equal 404, response.status + end + end + + describe 'failure' do + before do + xhr :post, :create, { + email: @existing_user.username, + password: 'bogus' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + test "request should fail" do + assert_equal 401, response.status + end + + test "response should contain errors" do + assert @data['errors'] + end + end + + describe 'case-insensitive username' do + + before do + @resource_class = User + @request_params = { + username: @existing_user.username.upcase, + password: 'secret123' + } + end + + test "request should succeed if configured" do + @resource_class.case_insensitive_keys = [:username] + xhr :post, :create, @request_params + assert_equal 200, response.status + end + + test "request should fail if not configured" do + @resource_class.case_insensitive_keys = [] + xhr :post, :create, @request_params + assert_equal 401, response.status + end + + end + end + describe "Confirmed user" do before do @existing_user = users(:confirmed_email_user) diff --git a/test/dummy/db/migrate/20150202001247_add_username_to_users.rb b/test/dummy/db/migrate/20150202001247_add_username_to_users.rb new file mode 100644 index 000000000..59cd85913 --- /dev/null +++ b/test/dummy/db/migrate/20150202001247_add_username_to_users.rb @@ -0,0 +1,6 @@ +class AddUsernameToUsers < ActiveRecord::Migration + def change + add_column :users, :username, :string + add_index :users, :username, unique: true + end +end 
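Review bot: `'request should fail if not configured'` in the `case-insensitive username` block passes for the wrong reason: with `case_insensitive_keys = []` the controller builds no username query at all, so the 401 would come back even for a correctly cased username; add a companion test that posts `@existing_user.username` unchanged under `case_insensitive_keys = []` and expects 200. Both tests assign `User.case_insensitive_keys` and never restore it, which leaks into the following `"Confirmed user"` block; reset it in an `after` hook. The `'failure'` block sends the username as `email:`, so it exercises the email path rather than a bad-password username login. `'sign_in_count incrementns'` also has a typo.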
diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index f11cfbe69..555f6124c 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb @@ -11,9 +11,9 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20141222053502) do +ActiveRecord::Schema.define(version: 20150202001247) do - create_table "evil_users", force: true do |t| + create_table "evil_users", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -44,7 +44,7 @@ add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true - create_table "mangs", force: true do |t| + create_table "mangs", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -77,7 +77,7 @@ add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true - create_table "only_email_users", force: true do |t| + create_table "only_email_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false t.string "encrypted_password", default: "", null: false @@ -93,7 +93,7 @@ add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true - create_table "unregisterable_users", force: true do |t| + create_table "unregisterable_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false t.string "encrypted_password", default: "", null: false 
@@ -122,7 +122,7 @@ add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true - create_table "users", force: true do |t| + create_table "users", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -149,11 +149,13 @@ t.datetime "updated_at" t.integer "operating_thetan" t.string "favorite_color" + t.string "username" end add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true add_index "users", ["email"], name: "index_users_on_email" add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true + add_index "users", ["username"], name: "index_users_on_username", unique: true end diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index bc84324f1..65516992a 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml @@ -1,5 +1,6 @@ <% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> <% @email = Faker::Internet.email %> +<% @username = Faker::Internet.user_name %> confirmed_email_user: uid: "<%= @email %>" email: "<%= @email %>" 
@@ -9,6 +10,18 @@ confirmed_email_user: updated_at: '<%= timestamp %>' encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> +<% @email = Faker::Internet.email %> +<% @username = Faker::Internet.user_name %> +confirmed_email_user_with_username: + uid: "<%= @email %>" + email: "<%= @email %>" + provider: 'email' + confirmed_at: '<%= timestamp %>' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + username: "<%= @username %>" + <% @fb_email = Faker::Internet.email %> duplicate_email_facebook_user: uid: "<%= Faker::Number.number(10) %>" From 83590a38f8a4cf6e86929f9daf840b6e8bced24e Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Mon, 2 Feb 2015 00:45:19 +0000 Subject: [PATCH 045/328] Delete unwanted space --- app/controllers/devise_token_auth/sessions_controller.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 5b9cea709..9835b694a 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -22,7 +22,6 @@ def create if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' q = "BINARY username = ? AND provider='email'" end - end @resource = resource_class.where(q, q_value).first From 3a44f924e1996704e2d7908d1bda5c539ce78615 Mon Sep 17 00:00:00 2001 
From: Nicolas Besnard Date: Mon, 2 Feb 2015 12:20:18 +0000 Subject: [PATCH 046/328] * Refactor on SessionsController * Clean useless function in User concer * Delete references to 'login' --- .../devise_token_auth/sessions_controller.rb | 24 ++++++++++++++----- app/models/devise_token_auth/concerns/user.rb | 15 +----------- .../sessions_controller_test.rb | 1 - test/dummy/config/initializers/devise.rb | 4 ++++ test/fixtures/users.yml | 1 - 5 files changed, 23 insertions(+), 22 deletions(-) create mode 100644 test/dummy/config/initializers/devise.rb diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 9835b694a..ad7d44b8f 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -5,8 +5,12 @@ class SessionsController < DeviseTokenAuth::ApplicationController def create # honor devise configuration for case_insensitive_keys - if resource_class.case_insensitive_keys.include?(:email) - q_value = resource_params[:email].downcase + if resource_params.include?(:email) + q_value = resource_params[:email] + + if resource_class.case_insensitive_keys.include?(:email) + q_value = resource_params[:email].downcase + end q = "uid = ? AND provider='email'" @@ -14,8 +18,11 @@ def create q = "BINARY uid = ? AND provider='email'" end - elsif resource_class.case_insensitive_keys.include?(:username) - q_value = resource_params[:username].downcase + elsif resource_params.include?(:username) + q_value = resource_params[:username] + if resource_class.case_insensitive_keys.include?(:username) + q_value = resource_params[:username].downcase + end q = "username = ? AND provider='email'" 
@@ -24,7 +31,12 @@ def create end end - @resource = resource_class.where(q, q_value).first + @resource = nil + + if q && q_value + @resource = resource_class.where(q, q_value).first + end + if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @@ -83,7 +95,7 @@ def destroy end def valid_params? - resource_params[:password] && resource_params[:email] + resource_params[:password] && (resource_params[:email] || resource_params[:username]) end def resource_params diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 1d2090839..9c6277fe5 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -5,11 +5,9 @@ module DeviseTokenAuth::Concerns::User # Hack to check if devise is already enabled unless self.method_defined?(:devise_modules) devise :database_authenticatable, :registerable, - :recoverable, :trackable, :validatable, - :confirmable, authentication_keys: [:login] + :recoverable, :trackable, :validatable, :confirmable else self.devise_modules.delete(:omniauthable) - self.devise_modules.push(authentication_keys: [:login]) end serialize :tokens, JSON @@ -31,8 +29,6 @@ module DeviseTokenAuth::Concerns::User # get rid of dead tokens before_save :destroy_expired_tokens - attr_accessor :login - # don't use default devise email validation def email_required? false 
@@ -42,15 +38,6 @@ def email_changed? false end - def self.find_for_database_authentication(warden_conditions) - conditions = warden_conditions.dup - if login = conditions.delete(:login) - where(conditions).where(["username = :value OR lower(email) = lower(:value)", { :value => login }]).first - else - where(conditions.to_h).first - end - end - # override devise method to include additional info as opts hash def send_confirmation_instructions(opts=nil) unless @raw_confirmation_token diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index a8805373b..adab79a51 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -30,7 +30,6 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase @resource = assigns(:resource) @data = JSON.parse(response.body) - @new_sign_in_count = @resource.sign_in_count @new_current_sign_in_at = @resource.current_sign_in_at @new_last_sign_in_at = @resource.last_sign_in_at diff --git a/test/dummy/config/initializers/devise.rb b/test/dummy/config/initializers/devise.rb new file mode 100644 index 000000000..9d6bf02ce --- /dev/null +++ b/test/dummy/config/initializers/devise.rb @@ -0,0 +1,4 @@ +Devise.setup do |config| + config.authentication_keys = [:email, :username] + config.case_insensitive_keys = [:email, :username] +end diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index 65516992a..21795a53a 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml @@ -1,6 +1,5 @@ <% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> <% @email = Faker::Internet.email %> -<% @username = Faker::Internet.user_name %> confirmed_email_user: uid: "<%= @email %>" email: "<%= @email %>" From 10fefd8cd7265adf6278ac2dfc31e51662fb9000 Mon Sep 17 00:00:00 2001 
From: Nicolas Besnard Date: Mon, 2 Feb 2015 20:34:28 +0000 Subject: [PATCH 047/328] Refactor to use custom authentication_keys --- .../devise_token_auth/sessions_controller.rb | 34 ++++++------------- 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index ad7d44b8f..9a4a239cc 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -4,36 +4,22 @@ class SessionsController < DeviseTokenAuth::ApplicationController before_filter :set_user_by_token, :only => [:destroy] def create - # honor devise configuration for case_insensitive_keys - if resource_params.include?(:email) - q_value = resource_params[:email] + # Check + field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first - if resource_class.case_insensitive_keys.include?(:email) - q_value = resource_params[:email].downcase - end - - q = "uid = ? AND provider='email'" - - if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid = ? AND provider='email'" - end + @resource = nil + if field + q_value = resource_params[field] - elsif resource_params.include?(:username) - q_value = resource_params[:username] - if resource_class.case_insensitive_keys.include?(:username) - q_value = resource_params[:username].downcase + if resource_class.case_insensitive_keys.include?(field) + q_value.downcase! end + q = "uid = ? AND provider='email'" - q = "username = ? AND provider='email'" - - if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY username = ? AND provider='email'" + if field != :email + q = "#{field.to_s} = ? AND provider='email'" end - end - - @resource = nil - if q && q_value @resource = resource_class.where(q, q_value).first end From 65f4077da078f4a8515b1c91f610427c687c337d Mon Sep 17 00:00:00 2001 
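Review bot: `q_value.downcase!` mutates the String in place, and since `resource_params[field]` most likely hands back the object stored in `params`, the submitted credential is rewritten for the rest of the request; prefer `q_value = q_value.downcase`. The `# Check` comment above the `field` assignment says nothing — replace it with the property the rest of the method relies on, e.g. `# field is restricted to resource_class.authentication_keys, which is what makes interpolating it into the query string acceptable`. The MySQL `BINARY` comparison present before this change is dropped for every key here, so on MySQL the match becomes collation-dependent. `create` continues outside the hunk.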
From: Nicolas Besnard Date: Mon, 2 Feb 2015 21:05:40 +0000 Subject: [PATCH 048/328] Refactor and fix mysql error --- app/controllers/devise_token_auth/sessions_controller.rb | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 9a4a239cc..96d80c0c7 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -14,10 +14,11 @@ def create if resource_class.case_insensitive_keys.include?(field) q_value.downcase! end - q = "uid = ? AND provider='email'" - if field != :email - q = "#{field.to_s} = ? AND provider='email'" + q = "#{field.to_s} = ? AND provider='email'" + + if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' + q = "BINARY " + q end @resource = resource_class.where(q, q_value).first From 0d4de710e3705beaf6843b7ed11034f34b324d45 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 3 Feb 2015 17:43:01 -0600 Subject: [PATCH 049/328] accept auth data as params in addition to headers --- .../devise_token_auth/concerns/set_user_by_token.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 87bc41df3..721dfe764 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -25,9 +25,9 @@ def set_user_by_token(mapping=nil) return @resource if @resource and @resource.class == rc # parse header for values necessary for authentication - uid = request.headers['uid'] - @token = request.headers['access-token'] - @client_id = request.headers['client'] + uid = request.headers['uid'] || params['uid'] + @token = request.headers['access-token'] || params['access-token'] + @client_id = request.headers['client'] || params['client'] return false unless @token From 9c500461f52ae28ae21d91324fb9effa27e467c3 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 3 Feb 2015 17:44:36 -0600 Subject: [PATCH 050/328] v0.1.32.beta1 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index a0f342c01..52faa3f75 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.31) + devise_token_auth (0.1.32.beta1) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 65221908b..20ba366d6 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.31" + VERSION = "0.1.32.beta1" end From c92166ca80fa5764bdd4671fdb67b9fa5c388120 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 8 Feb 2015 20:20:44 -0600 Subject: [PATCH 051/328] [wip] --- .../devise_token_auth/concerns/set_user_by_token.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index ba0d5955f..a54eb4499 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
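Review bot: Accepting `access-token`, `client` and `uid` from `params` lets the credentials arrive in the URL query string, where they are recorded in web-server and proxy access logs, browser history and outgoing `Referer` headers, unlike the header form. If the parameter path is required (e.g. for links a client cannot attach headers to), note that limitation next to these lines and add `access-token` and `client` to `config.filter_parameters` so they are at least redacted from the Rails log. A comment such as `# params fallback for clients that cannot set headers; tokens in query strings are logged by intermediaries` would make the trade-off explicit. `set_user_by_token` continues outside the hunk.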
@@ -5,14 +5,12 @@ module DeviseTokenAuth::Concerns::SetUserByToken included do before_action :set_request_start after_action :update_auth_header - - before_action :default_permitted_parameters, if: :devise_controller? end def default_permitted_parameters - devise_parameter_sanitizer.for(:sign_up).concat([:email, :login, :username]) - devise_parameter_sanitizer.for(:sign_in).concat([:email, :login, :username]) - devise_parameter_sanitizer.for(:account_update).concat([:email, :username]) + devise_parameter_sanitizer.for(:sign_up).concat([:email, :login]) + devise_parameter_sanitizer.for(:sign_in).concat([:email, :login]) + devise_parameter_sanitizer.for(:account_update).concat([:email]) end # keep track of request duration From 2af3dd2dae9fad8fa32e6f9440b5816f7cdaf14f Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 8 Feb 2015 21:28:10 -0600 Subject: [PATCH 052/328] allow authentication using `authentication_keys` value instead of just `email` --- .../devise_token_auth/sessions_controller.rb | 43 +++++++++++++------ .../sessions_controller_test.rb | 14 ++++++ .../overrides/sessions_controller.rb | 2 +- test/dummy/config/initializers/devise.rb | 3 ++ ...15061447_devise_token_auth_create_users.rb | 1 + test/dummy/db/schema.rb | 11 ++--- test/fixtures/users.yml | 41 +++++++++--------- 7 files changed, 77 insertions(+), 38 deletions(-) create mode 100644 test/dummy/config/initializers/devise.rb diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 43cbf5367..f0c1d809a 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
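Review bot: The `before_action :default_permitted_parameters` registration is removed but the method itself stays, so nothing in this concern invokes it any more; unless a host application calls it, it is dead code and should either go with the hook or carry a comment stating it is an explicit opt-in. The method still adds `:login` to the sign-up and sign-in lists while no `login` attribute is visible in this file, so `# :login is the configurable authentication key (see resource_class.authentication_keys)` — or whatever it is meant to map to — would help the next reader. The module continues outside the hunk.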
@@ -4,22 +4,17 @@ class SessionsController < DeviseTokenAuth::ApplicationController before_filter :set_user_by_token, :only => [:destroy] def create - # honor devise configuration for case_insensitive_keys - if resource_class.case_insensitive_keys.include?(:email) - email = resource_params[:email].downcase - else - email = resource_params[:email] - end + auth_params = get_auth_params - q = "uid = ? AND provider='email'" + q = "#{auth_params[:key]} = ? AND provider='email'" if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid = ? AND provider='email'" + q = "BINARY #{auth_params[:key]} = ? AND provider='email'" end - @resource = resource_class.where(q, email).first + @resource = resource_class.where(q, auth_params[:val]).first - if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? + if @resource and valid_params?(auth_params) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) @@ -76,12 +71,36 @@ def destroy end end - def valid_params? - resource_params[:password] && resource_params[:email] + def valid_params?(auth_params) + resource_params[:password] && auth_params[:key] && auth_params[:val] end def resource_params params.permit(devise_parameter_sanitizer.for(:sign_in)) end + + def get_auth_params + auth_key = nil + auth_val = nil + + # iterate thru allowed auth keys, use first found + resource_class.authentication_keys.each do |k| + if resource_params[k] + auth_val = resource_params[k] + auth_key = k + break + end + end + + # honor devise configuration for case_insensitive_keys + if resource_class.case_insensitive_keys.include?(auth_key) + auth_val.downcase! + end + + return { + key: auth_key, + val: auth_val + } + end end end 
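Review bot: The query is built and executed before `valid_params?(auth_params)` is consulted, so a request carrying a password but none of the configured authentication keys leaves `auth_params[:key]` nil and sends `" = ? AND provider='email'"` to the database — a syntax error surfacing as an exception rather than the 401 the `else` branch presumably returns. Wrap the three query lines in `@resource = nil` / `if valid_params?(auth_params)` … `end` so the lookup only runs for well-formed input; the later `if @resource and valid_params?(auth_params) ...` then stays correct as is. The `else` branch of `create` lies outside the hunk.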
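Review bot: `auth_val.downcase!` in `get_auth_params` mutates the String in place, and since `auth_val` is the object returned by `resource_params[k]` this most likely rewrites the value held in `params` for the rest of the request; `auth_val = auth_val.downcase` keeps the lookup case-insensitive without the side effect. The `each`/`break` loop is the hand-rolled form of `auth_key = resource_class.authentication_keys.find { |k| resource_params[k] }`, and the trailing `return { ... }` can be an implicit return. A one-line doc comment would also help: `# Returns the first configured authentication key present in the request and its (possibly downcased) value; both are nil when none was supplied.`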
diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index 4169a49e4..3c91d7ac3 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -73,6 +73,20 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase end end + describe 'alt auth keys' do + before do + xhr :post, :create, { + nickname: @existing_user.nickname, + password: 'secret123' + } + @data = JSON.parse(response.body) + end + + test 'user can sign in using nickname' do + assert_equal 200, response.status + assert_equal @existing_user.email, @data['data']['email'] + end + end describe 'authed user sign out' do before do diff --git a/test/dummy/app/controllers/overrides/sessions_controller.rb b/test/dummy/app/controllers/overrides/sessions_controller.rb index 06cd691ac..2924a6a6c 100644 --- a/test/dummy/app/controllers/overrides/sessions_controller.rb +++ b/test/dummy/app/controllers/overrides/sessions_controller.rb @@ -5,7 +5,7 @@ class SessionsController < DeviseTokenAuth::SessionsController def create @resource = resource_class.find_by_email(resource_params[:email]) - if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? + if @resource and valid_params?(get_auth_params) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) diff --git a/test/dummy/config/initializers/devise.rb b/test/dummy/config/initializers/devise.rb new file mode 100644 index 000000000..d5c41f257 --- /dev/null +++ b/test/dummy/config/initializers/devise.rb @@ -0,0 +1,3 @@ +Devise.setup do |config| + config.authentication_keys = [:email, :nickname] +end 
diff --git a/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb b/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb index 1406f1e1b..b9f02b662 100644 --- a/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +++ b/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb @@ -51,6 +51,7 @@ def change add_index :users, [:uid, :provider], :unique => true add_index :users, :reset_password_token, :unique => true add_index :users, :confirmation_token, :unique => true + add_index :users, :nickname, :unique => true # add_index :users, :unlock_token, :unique => true end end diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index f11cfbe69..0fc3b2f6d 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb @@ -13,7 +13,7 @@ ActiveRecord::Schema.define(version: 20141222053502) do - create_table "evil_users", force: true do |t| + create_table "evil_users", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -44,7 +44,7 @@ add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true - create_table "mangs", force: true do |t| + create_table "mangs", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -77,7 +77,7 @@ add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true - create_table "only_email_users", force: true do |t| + create_table "only_email_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false t.string "encrypted_password", default: "", null: false 
@@ -93,7 +93,7 @@ add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true - create_table "unregisterable_users", force: true do |t| + create_table "unregisterable_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false t.string "encrypted_password", default: "", null: false @@ -122,7 +122,7 @@ add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true - create_table "users", force: true do |t| + create_table "users", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false t.string "reset_password_token" @@ -153,6 +153,7 @@ add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true add_index "users", ["email"], name: "index_users_on_email" + add_index "users", ["nickname"], name: "index_users_on_nickname", unique: true add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index bc84324f1..bc29e9067 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml 
@@ -1,29 +1,30 @@ <% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> <% @email = Faker::Internet.email %> confirmed_email_user: - uid: "<%= @email %>" - email: "<%= @email %>" - provider: 'email' - confirmed_at: '<%= timestamp %>' - created_at: '<%= timestamp %>' - updated_at: '<%= timestamp %>' - encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + uid: "<%= @email %>" + email: "<%= @email %>" + nickname: 'stimpy' + provider: 'email' + confirmed_at: '<%= timestamp %>' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> <% @fb_email = Faker::Internet.email %> duplicate_email_facebook_user: - uid: "<%= Faker::Number.number(10) %>" - email: "<%= @fb_email %>" - provider: 'facebook' - created_at: '<%= timestamp %>' - updated_at: '<%= timestamp %>' - confirmed_at: '<%= timestamp %>' - encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + uid: "<%= Faker::Number.number(10) %>" + email: "<%= @fb_email %>" + provider: 'facebook' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + confirmed_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> <% @unconfirmed_email = Faker::Internet.email %> unconfirmed_email_user: - uid: "<%= @unconfirmed_email %>" - email: "<%= @unconfirmed_email %>" - provider: 'email' - created_at: '<%= timestamp %>' - updated_at: '<%= timestamp %>' - encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + uid: "<%= @unconfirmed_email %>" + email: "<%= @unconfirmed_email %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> From 445d44422dc98439b0778e1bb5476a13b350b770 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Sun, 8 Feb 2015 22:17:19 -0600 Subject: [PATCH 053/328] v0.1.32.beta2 --- Gemfile.lock | 4 ++-- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 52faa3f75..3726195b6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta1) + devise_token_auth (0.1.32.beta2) devise (~> 3.3) rails (~> 4.2) @@ -77,7 +77,7 @@ GEM arel (6.0.0) attr_encrypted (1.3.3) encryptor (>= 1.3.0) - bcrypt (3.1.9) + bcrypt (3.1.10) builder (3.2.2) celluloid (0.16.0) timers (~> 4.0.0) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 20ba366d6..bc9d7bdd0 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta1" + VERSION = "0.1.32.beta2" end From 7a00a98b89a4214df8d84140e751fd77c48f0c05 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sun, 8 Feb 2015 23:13:47 -0600 Subject: [PATCH 054/328] updaet contributors list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 076350a1b..d590b06d6 100644 --- a/README.md +++ b/README.md @@ -746,6 +746,7 @@ Thanks to the following contributors: * [@m2omou](https://github.com/m2omou) * [@smarquez1](https://github.com/smarquez1) * [@jartek](https://github.com/jartek) +* [@nicolas-besnard](https://github.com/nicolas-besnard) # Contributing From 82771f402038250f485b8b302121fd66f385e235 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 00:10:12 -0600 Subject: [PATCH 055/328] fixes #137 --- .../devise_token_auth/passwords_controller.rb | 6 ++++-- .../devise_token_auth/passwords_controller_test.rb | 10 +++++++++- 2 files changed, 13 insertions(+), 3 deletions(-) 
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index d5f9176b0..9e855b0ab 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -37,6 +37,7 @@ def create @resource = resource_class.where(q, email).first errors = nil + error_status = 400 if @resource @resource.send_reset_password_instructions({ @@ -57,13 +58,14 @@ def create end else errors = ["Unable to find user with email '#{email}'."] + error_status = 404 end if errors render json: { success: false, - errors: errors - }, status: 400 + errors: errors, + }, status: error_status end end diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index dd02dca19..b4f88e931 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -15,6 +15,14 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end describe 'request password reset' do + test 'unknown user should return 404' do + xhr :post, :create, { + email: 'chester@cheet.ah', + redirect_url: @redirect_url + } + + assert_equal 404, response.status + end describe 'case-sensitive email' do before do @@ -126,7 +134,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase test 'response should return failure status if not configured' do @resource_class.case_insensitive_keys = [] xhr :post, :create, @request_params - assert_equal 400, response.status + assert_equal 404, response.status end end end From 341f8786699c2dcce84476662a04754f011f33ed Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 00:10:51 -0600 Subject: [PATCH 056/328] v0.1.32.beta3 --- Gemfile.lock | 4 ++-- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
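Review bot: Setting `error_status = 404` only in the `else` branch, together with the `Unable to find user with email '#{email}'.` message, makes the password-reset endpoint a reliable account-existence oracle: a caller learns from the status alone whether an address is registered, and the new test pins that distinction in place. The earlier 400 path leaked the same fact, so the commit does not introduce the leak, but it hardens it into contract. The safer shape is the one Devise's `paranoid` setting exists for: respond with the same success body whether or not a user was found, e.g. replace `errors = [...]; error_status = 404` in the `else` branch with a no-op (or gate the distinct response on `!Devise.paranoid`). The `create` method starts and ends outside this hunk.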
diff --git a/Gemfile.lock b/Gemfile.lock index 3726195b6..184c51d89 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta2) + devise_token_auth (0.1.32.beta3) devise (~> 3.3) rails (~> 4.2) @@ -101,7 +101,7 @@ GEM ffi (1.9.6) formatador (0.2.5) fuzz_ball (0.9.1) - globalid (0.3.0) + globalid (0.3.2) activesupport (>= 4.1.0) guard (2.10.5) formatador (>= 0.2.4) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index bc9d7bdd0..431235752 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta2" + VERSION = "0.1.32.beta3" end From 569da72742b4f5f42301cff277d33c1e7974ac54 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 00:32:46 -0600 Subject: [PATCH 057/328] fixes #133 --- lib/generators/devise_token_auth/USAGE | 2 +- lib/generators/devise_token_auth/install_generator.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/generators/devise_token_auth/USAGE b/lib/generators/devise_token_auth/USAGE index a022bce66..453620202 100644 --- a/lib/generators/devise_token_auth/USAGE +++ b/lib/generators/devise_token_auth/USAGE @@ -28,4 +28,4 @@ Example: The following line will be inserted at the top of 'config/routes.rb' if it does not already exist: - mount_devise_token_auth_for "User", at: '/auth' + mount_devise_token_auth_for "User", at: 'auth' diff --git a/lib/generators/devise_token_auth/install_generator.rb b/lib/generators/devise_token_auth/install_generator.rb index a83555c8b..a9b8cdea4 100644 --- a/lib/generators/devise_token_auth/install_generator.rb +++ b/lib/generators/devise_token_auth/install_generator.rb 
@@ -5,7 +5,7 @@ class InstallGenerator < Rails::Generators::Base source_root File.expand_path('../templates', __FILE__) argument :user_class, type: :string, default: "User" - argument :mount_path, type: :string, default: '/auth' + argument :mount_path, type: :string, default: 'auth' def create_initializer_file copy_file("devise_token_auth.rb", "config/initializers/devise_token_auth.rb") From ac8b39ac6eecd8b36281358b6cbf4fc3348e6b59 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 00:35:35 -0600 Subject: [PATCH 058/328] update mount point examples to new format --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d590b06d6..bd4b99126 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ rails g devise_token_auth:install [USER_CLASS] [MOUNT_PATH] **Example**: ~~~bash -rails g devise_token_auth:install User /auth +rails g devise_token_auth:install User auth ~~~ This generator accepts the following optional arguments: @@ -91,7 +91,7 @@ This generator accepts the following optional arguments: | Argument | Default | Description | |---|---|---| | USER_CLASS | `User` | The name of the class to use for user authentication. | -| MOUNT_PATH | `/auth` | The path at which to mount the authentication routes. [Read more](#usage). | +| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage). | The following events will take place when using the install generator: 
@@ -120,7 +120,7 @@ You may also need to configure the following items: # Usage TL;DR -The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`/auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js. +The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js. | path | method | purpose | |:-----|:-------|:--------| From b10a0ad526d0e7e1e32771cd61d7c70ee8d21513 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 00:39:21 -0600 Subject: [PATCH 059/328] v0.1.32.beta4 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 184c51d89..fc14515bc 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta3) + devise_token_auth (0.1.32.beta4) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 431235752..055729e7c 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta3" + VERSION = "0.1.32.beta4" end From 7adc6d15c33baa6cba728f68dfe00b1d483ded6d Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 01:39:00 -0600 Subject: [PATCH 060/328] fix generator tests --- .../devise_token_auth/install_generator_test.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/test/lib/generators/devise_token_auth/install_generator_test.rb b/test/lib/generators/devise_token_auth/install_generator_test.rb index 9b1625d77..2cd2e1f48 100644 --- a/test/lib/generators/devise_token_auth/install_generator_test.rb +++ b/test/lib/generators/devise_token_auth/install_generator_test.rb @@ -98,21 +98,21 @@ def whatever test 'route method is appended to routes file' do assert_file 'config/routes.rb' do |routes| - assert_match(/mount_devise_token_auth_for 'User', at: '\/auth'/, routes) + assert_match(/mount_devise_token_auth_for 'User', at: 'auth'/, routes) end end test 'subsequent runs do not modify file' do run_generator assert_file 'config/routes.rb' do |routes| - matches = routes.scan(/mount_devise_token_auth_for 'User', at: '\/auth'/m).size + matches = routes.scan(/mount_devise_token_auth_for 'User', at: 'auth'/m).size assert_equal 1, matches end end describe 'subsequent models' do before do - run_generator %w(Mang /mangs) + run_generator %w(Mang mangs) end test 'migration is created' do @@ -121,7 +121,7 @@ def whatever test 'route method is appended to routes file' do assert_file 'config/routes.rb' do |routes| - assert_match(/mount_devise_token_auth_for 'Mang', at: '\/mangs'/, routes) + assert_match(/mount_devise_token_auth_for 'Mang', at: 'mangs'/, routes) end end From ba774df1c0011fa6a7f82e96007dc62d5dd12c33 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 01:45:39 -0600 Subject: [PATCH 061/328] fixes #132 --- .../devise_token_auth/omniauth_callbacks_controller.rb | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index f3564a04b..c74c8753d 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -67,9 +67,7 @@ def omniauth_success @resource.save! # render user info to javascript postMessage communication window - respond_to do |format| - format.html { render :layout => "omniauth_response", :template => "devise_token_auth/omniauth_success" } - end + render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_success" end @@ -86,10 +84,7 @@ def assign_provider_attrs(user, auth_hash) def omniauth_failure @error = params[:message] - - respond_to do |format| - format.html { render :layout => "omniauth_response", :template => "devise_token_auth/omniauth_failure" } - end + render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_failure" end From 0aeca7565c9d218c0c275c4b1c084f7094851f7a Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 9 Feb 2015 01:46:17 -0600 Subject: [PATCH 062/328] v0.1.32.beta5 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index fc14515bc..e0f1fd16a 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta4) + devise_token_auth (0.1.32.beta5) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 055729e7c..016d59c38 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta4" + VERSION = "0.1.32.beta5" end From 1135c4989e5e89e79be446cee3c3a5fae7f85614 Mon Sep 17 00:00:00 2001 From: Rajan Agaskar Date: Mon, 9 Feb 2015 07:23:04 -0800 Subject: [PATCH 063/328] Actual header key uses dashes, not underscores. Fix typos in README (helpful to folks hand-rolling clients). --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bd4b99126..3ddd7c462 100644 --- a/README.md +++ b/README.md 
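Review bot: In `omniauth_failure`, `@error = params[:message]` is a request-controlled string handed to the `devise_token_auth/omniauth_failure` template, and with the `respond_to` block gone it is now rendered for every requested format rather than only html; whether it is escaped depends on the template, which is not in this patch. If the template interpolates it into the postMessage script (as the comment above `omniauth_success` suggests is done for user info), it needs `j`/`escape_javascript` or `to_json`, not raw interpolation. Suggest a comment on that line: `# params[:message] is attacker-controlled; the template must escape it`. `omniauth_success` begins outside this hunk.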
@@ -146,7 +146,7 @@ The following settings are available for configuration in `config/initializers/d | Name | Default | Description| |---|---|---| -| **`change_headers_on_each_request`** | `true` | By default the access_token header will change after each request. The client is responsible for keeping track of the changing tokens. The [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js does this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access_token` header from changing after each request. [Read more](#about-token-management). | +| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. The [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js does this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). | | **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | | **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | | **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | 
@@ -364,8 +364,8 @@ The authentication information should be included by the client in the headers o ##### Authentication headers example: ~~~ -"access_token": "wwwww", -"token_type": "Bearer", +"access-token": "wwwww", +"token-type": "Bearer", "client": "xxxxx", "expiry": "yyyyy", "uid": "zzzzz" @@ -375,7 +375,7 @@ The authentication headers consists of the following params: | param | description | |---|---| -| **`access_token`** | This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request. | +| **`access-token`** | This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request. | | **`client`** | This enables the use of multiple simultaneous sessions on different clients. (For example, a user may want to be authenticated on both their phone and their laptop at the same time.) | | **`expiry`** | The date at which the current session will expire. This can be used by clients to invalidate expired tokens without the need for an API request. | | **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). | @@ -396,7 +396,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce ~~~ruby # extract token + client_id from auth header client_id = request.headers['client'] - token = request.headers['access_token'] + token = request.headers['access-token'] @user.valid_token?(token, client_id) ~~~ 
@@ -678,7 +678,7 @@ Tokens should be invalidated after each request to the API. The following diagra ![password reset flow](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/token-update-detail.jpg) -During each request, a new token is generated. The `access_token` header that should be used in the next request is returned in the `access_token` header of the response to the previous request. The last request in the diagram fails because it tries to use a token that was invalidated by the previous request. +During each request, a new token is generated. The `access-token` header that should be used in the next request is returned in the `access-token` header of the response to the previous request. The last request in the diagram fails because it tries to use a token that was invalidated by the previous request. The only case where an expired token is allowed is during [batch requests](#about-batch-requests). @@ -704,7 +704,7 @@ $scope.getResourceData = function() { }; ~~~ -In this case, it's impossible to update the `access_token` header for the second request with the `access_token` header of the first response because the second request will begin before the first one is complete. The server must allow these batches of concurrent requests to share the same auth token. This diagram illustrates how batch requests are identified by the server: +In this case, it's impossible to update the `access-token` header for the second request with the `access-token` header of the first response because the second request will begin before the first one is complete. The server must allow these batches of concurrent requests to share the same auth token. This diagram illustrates how batch requests are identified by the server: ![batch request overview](https://github.com/lynndylanhurley/ng-token-auth/raw/master/test/app/images/flow/batch-request-overview.jpg) From 9a771ec02b458dfc9f2b41e3515c909d938e5aad Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Wed, 11 Feb 2015 14:10:42 -0600 Subject: [PATCH 064/328] add issue reporting guidelines --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index bd4b99126..b1bff07a8 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,10 @@ This gem provides the following features: The fully configured api used in the demo can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). +# Troubleshooting + +Please read the [issue reporting guidelines](#issue-reporting) before posting issues. + # Table of Contents * [Dependencies](#dependencies) @@ -45,6 +49,7 @@ The fully configured api used in the demo can be found [here](https://github.com * [Excluding Modules](#excluding-modules) * [Custom Controller Overrides](#custom-controller-overrides) * [Email Template Overrides](#email-template-overrides) +* [Issue Reporting Guidelines](#issue-reporting) * [FAQ](#faq) * [Conceptual Diagrams](#conceptual) * [Token Management](#about-token-management) @@ -452,6 +457,7 @@ This gem supports the use of multiple user models. One possible use case is to a 1. Define the routes to be used by the `Admin` user within a [`devise_scope`](https://github.com/plataformatec/devise#configuring-routes). **Example**: + ~~~ruby Rails.application.routes.draw do # when using multiple models, controllers will default to the first available 
@@ -641,6 +647,19 @@ These files may be edited to suit your taste. **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. +# Issue Reporting + +When posting issues, please include the following information to speed up the troubleshooting process: + +* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) if applicable) are you using? +* **Request and response headers**: these can be found in the "Network" tab of your browser's web inspector. +* **Rails Stacktrace**: this can be found in the `log/development.log` of your API. +* **Environmental Info**: How is your application different from the [reference implementation](https://github.com/lynndylanhurley/devise_token_auth_demo)? This may include (but is not limited to) the following details: + * **Routes**: are you using some crazy namespace, scope, or constraint? + * **Gems**: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.? + * **Custom Overrides**: what have you done in terms of [custom controller overrides](#custom-controller-overrides)? + * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), or something else? + # FAQ ### Can I use this gem alongside standard Devise? From 0f494adad36d5ea019ac3ca66904c991c7b3903d Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Sun, 15 Feb 2015 20:57:21 +0000 Subject: [PATCH 065/328] Check email format on registration --- app/models/devise_token_auth/concerns/user.rb | 2 +- app/validators/email_validator.rb | 7 +++++ .../registrations_controller_test.rb | 30 +++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 app/validators/email_validator.rb diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 9c6277fe5..138ea8767 100644 --- a/app/models/devise_token_auth/concerns/user.rb 
+++ b/app/models/devise_token_auth/concerns/user.rb @@ -12,7 +12,7 @@ module DeviseTokenAuth::Concerns::User serialize :tokens, JSON - validates_presence_of :email, if: Proc.new { |u| u.provider == 'email' } + validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' } validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } # only validate unique emails among email registration users diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb new file mode 100644 index 000000000..b2c877451 --- /dev/null +++ b/app/validators/email_validator.rb @@ -0,0 +1,7 @@ +class EmailValidator < ActiveModel::EachValidator + def validate_each(record, attribute, value) + unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i + record.errors[attribute] << (options[:message] || 'is not an email') + end + end +end diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index bd931181c..785f6a999 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
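Review bot: A blank email now produces two errors, `can't be blank` and `is not an email`, because `nil =~ /.../` in the new validator is nil and the format check runs regardless of presence. `validates :email, presence: true, email: { allow_blank: true }, if: ...` keeps the presence message alone on empty input while still format-checking non-empty values. Only one line of the concern is visible here, so the surrounding validations are not reviewed.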
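Review bot: `EmailValidator` is defined at the top level of the engine's `app/validators`, so (assuming the usual engine autoload paths) it is loaded into the host application's global namespace under a name that host apps and the `email_validator` gem commonly already use; whichever loads second silently wins. Namespacing it as `DeviseTokenAuth::EmailValidator` and wiring it with `validates_with DeviseTokenAuth::EmailValidator, attributes: [:email], if: ...` avoids the collision. Separately, the TLD class `[a-z]{2,}` rejects punycode TLDs such as `xn--p1ai`; `[-a-z0-9]{2,}` is closer to what resolves. The `\A`/`\z` anchors are the right choice for full-string validation.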
@@ -151,6 +151,36 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe 'bad email' do + before do + post '/auth', { + email: "false_email@", + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + test "request should not be successful" do + assert_equal 403, response.status + end + + test "user should not have been created" do + assert_nil @resource.id + end + + test "error should be returned in the response" do + assert @data['errors'].length + end + + test "full_messages should be included in error hash" do + assert @data['errors']['full_messages'].length + end + end + describe "Mismatched passwords" do before do post '/auth', { From b7daf4ffebc3a3fbc7e300dffdf2a40adfa46070 Mon Sep 17 00:00:00 2001 From: Nicolas Besnard Date: Sun, 15 Feb 2015 21:31:16 +0000 Subject: [PATCH 066/328] Some missing as_json ? --- .../devise_token_auth/registrations_controller.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index ec64b11af..b66c3b5b7 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -18,7 +18,7 @@ def create if resource_class.devise_modules.include?(:confirmable) && !params[:confirm_success_url] return render json: { status: 'error', - data: @resource, + data: @resource.as_json, errors: ["Missing `confirm_success_url` param."] }, status: 403 end @@ -58,7 +58,7 @@ def create clean_up_passwords @resource render json: { status: 'error', - data: @resource, + data: @resource.as_json, errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) }, status: 403 end 
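Review bot: `@resource.as_json` with no options serializes every attribute that Devise's `serializable_hash` does not filter, which (unless the `User` concern overrides `as_json`) includes the `tokens` column; the sessions controller in this same series explicitly excludes `:tokens, :created_at, :updated_at` from what it returns. On these error paths the record is unsaved so `tokens` is probably empty, but the inconsistency is the kind that leaks once someone reuses the pattern on a persisted record. Suggest `data: @resource.as_json(except: [:tokens, :created_at, :updated_at])` in all three rescues, or a shared helper. The `create` method extends past this hunk.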
@@ -66,7 +66,7 @@ def create clean_up_passwords @resource render json: { status: 'error', - data: @resource, + data: @resource.as_json, errors: ["An account already exists for #{@resource.email}"] }, status: 403 end From e7433ede0c37205d6f0dcab220dee4ead16fb540 Mon Sep 17 00:00:00 2001 From: Lynn Dylan Hurley Date: Mon, 23 Feb 2015 13:37:46 -0600 Subject: [PATCH 067/328] Update README.md Add FAQ item for use with ActiveAdmin. References #156 --- README.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README.md b/README.md index c38165c8c..518afcf5d 100644 --- a/README.md +++ b/README.md @@ -687,6 +687,25 @@ end Removing the `new` routes will require significant modifications to devise. If the inclusion of the `new` routes is causing your app any problems, post an issue in the issue tracker and it will be addressed ASAP. +### I'm having trouble using this gem alongside [ActiveAdmin](http://activeadmin.info/)... + +For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. + +The solution is to use two separate `ApplicationController` classes - one for your API, and one for ActiveAdmin. Something like this: + +~~~ruby +# app/controllers/api_controller.rb +# API routes extend from this controller +class ApiController < ActionController::Base + include DeviseTokenAuth::Concerns::SetUserByToken +end + +# app/controllers/application_controller.rb +# leave this for ActiveAdmin, and any other non-api routes +class ApplicationController < ActionController::Base +end +~~~ + # Conceptual None of the following information is required to use this gem, but read on if you're curious. From 288af2f6559bbc28582a656b63b1ce9408083040 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Tue, 3 Mar 2015 13:48:49 -0600 Subject: [PATCH 068/328] use token_validation_response method for sign_in response --- app/controllers/devise_token_auth/sessions_controller.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index e5a92ff6d..993e1b2f2 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -38,9 +38,7 @@ def create sign_in(:user, @resource, store: false, bypass: false) render json: { - data: @resource.as_json(except: [ - :tokens, :created_at, :updated_at - ]) + data: @resource.token_validation_response } elsif @resource and not @resource.confirmed? From 7ec42ad2e0b0e2caf55481a1988f97ea0f0c5df9 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 3 Mar 2015 13:50:59 -0600 Subject: [PATCH 069/328] v0.1.32.beta6 --- Gemfile.lock | 4 ++-- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e0f1fd16a..aed105542 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta5) + devise_token_auth (0.1.32.beta6) devise (~> 3.3) rails (~> 4.2) @@ -101,7 +101,7 @@ GEM ffi (1.9.6) formatador (0.2.5) fuzz_ball (0.9.1) - globalid (0.3.2) + globalid (0.3.3) activesupport (>= 4.1.0) guard (2.10.5) formatador (>= 0.2.4) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 016d59c38..0c1f11993 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta5" + VERSION = "0.1.32.beta6" end From dceb6222f9e2ce272daf5d32e6f5fc49a40f5a30 Mon Sep 17 00:00:00 2001 
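Review bot: The explicit `except: [:tokens, :created_at, :updated_at]` is dropped in favour of `token_validation_response`, which is defined outside this patch, so the sign-in response now relies on that method to keep the per-client token digests out of the body. Worth confirming it applies the same exclusion, and recording the expectation where it is relied on: `# token_validation_response must not expose :tokens`. The `create` method begins and ends outside this hunk.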
From: Travis Loncar Date: Wed, 11 Mar 2015 20:37:33 -0400 Subject: [PATCH 070/328] Ignore 'extra' in Twitter auth response to avoid CookieOverflow. Fixes #145. --- .../devise_token_auth/omniauth_callbacks_controller.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index c74c8753d..658231775 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -11,8 +11,9 @@ def redirect_callbacks devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym redirect_route = "/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback" - # preserve omniauth info for success route - session['dta.omniauth.auth'] = request.env['omniauth.auth'] + # preserve omniauth info for success route. ignore 'extra' in twitter + # auth response to avoid CookieOverflow. + session['dta.omniauth.auth'] = request.env['omniauth.auth'].except('extra') session['dta.omniauth.params'] = request.env['omniauth.params'] redirect_to redirect_route From 549f42ff4bd78ca07cc9e113639a42a4f419dbba Mon Sep 17 00:00:00 2001 From: Lynn Dylan Hurley Date: Wed, 11 Mar 2015 21:46:17 -0500 Subject: [PATCH 071/328] Update README.md Add @tbloncar to callouts list --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 518afcf5d..e1b945f43 100644 --- a/README.md +++ b/README.md @@ -784,7 +784,8 @@ Thanks to the following contributors: * [@m2omou](https://github.com/m2omou) * [@smarquez1](https://github.com/smarquez1) * [@jartek](https://github.com/jartek) -* [@nicolas-besnard](https://github.com/nicolas-besnard) +* [@nicolas-besnard](https://github.com/nicolas-besnard) +* [@tbloncar](https://github.com/tbloncar) # Contributing 
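Review bot: Dropping only `extra` fixes the Twitter overflow, but `session['dta.omniauth.auth']` still stores the rest of the provider auth hash in the cookie session, which for most providers carries `credentials` (the provider access token/secret); that lands client-side and can still overflow for providers with a large `info` block. Since the success route only needs what `assign_provider_attrs` consumes, storing an allow-list is both smaller and safer: `session['dta.omniauth.auth'] = request.env['omniauth.auth'].slice('provider', 'uid', 'info')` — though which keys `assign_provider_attrs` reads is not visible in this hunk, so adjust the slice accordingly. `redirect_callbacks` continues past the hunk.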
From 1b5e1f5399efa58edb1e4f82f7490d052658513e Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Thu, 12 Mar 2015 03:52:16 -0500 Subject: [PATCH 072/328] v0.1.32.beta7 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index aed105542..ae4fbb315 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta6) + devise_token_auth (0.1.32.beta7) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 0c1f11993..8331d48de 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta6" + VERSION = "0.1.32.beta7" end From 0b8ad52dfa60b9a99f56f218648f85ea7dccfebc Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Fri, 13 Mar 2015 00:07:01 -0500 Subject: [PATCH 073/328] allow default email confirmation and password reset confirmation redirect urls. fixes #176 --- README.md | 3 + .../devise_token_auth/passwords_controller.rb | 23 +++++- .../registrations_controller.rb | 21 +++++- lib/devise_token_auth/engine.rb | 8 +- .../passwords_controller_test.rb | 66 +++++++++++++++++ .../registrations_controller_test.rb | 73 +++++++++++++++++++ 6 files changed, 188 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e1b945f43..2c55c973f 100644 --- a/README.md +++ b/README.md 
@@ -155,6 +155,9 @@ The following settings are available for configuration in `config/initializers/d | **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | | **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | | **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | +| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the cilent. | +| **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the cilent. | +| **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | ## OmniAuth authentication 
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 9e855b0ab..83f6949e8 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -13,13 +13,30 @@ def create }, status: 401 end - unless params[:redirect_url] + # give redirect value from params priority + redirect_url = params[:redirect_url] + + # fall back to default value if provided + redirect_url ||= DeviseTokenAuth.default_password_reset_url + + unless redirect_url return render json: { success: false, errors: ['Missing redirect url.'] }, status: 401 end + # if whitelist is set, validate redirect_url against whitelist + if DeviseTokenAuth.redirect_whitelist + unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) + return render json: { + status: 'error', + data: @resource.as_json, + errors: ["Redirect to #{redirect_url} not allowed."] + }, status: 403 + end + end + # honor devise configuration for case_insensitive_keys if resource_class.case_insensitive_keys.include?(:email) email = resource_params[:email].downcase @@ -43,7 +60,7 @@ def create @resource.send_reset_password_instructions({ email: email, provider: 'email', - redirect_url: params[:redirect_url], + redirect_url: redirect_url, client_config: params[:config_name] }) @@ -70,7 +87,7 @@ def create end - # this is where users arrive after visiting the email confirmation link + # this is where users arrive after visiting the password reset confirmation link def edit @resource = resource_class.reset_password_by_token({ reset_password_token: resource_params[:reset_password_token] diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index b66c3b5b7..52741ebdb 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb 
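Review bot: The whitelist check added in the `@@ -13,13 +13,30 @@` hunk is repeated verbatim in `registrations_controller.rb` (`@@ -23,6 +29,17 @@` in the next file); if both controllers share `DeviseTokenAuth::ApplicationController` as the sessions controller does, a single predicate there such as `def redirect_url_allowed?(url); DeviseTokenAuth.redirect_whitelist.nil? || DeviseTokenAuth.redirect_whitelist.include?(url); end` would keep the two copies from drifting. Two smaller points in the same hunk: a missing redirect url answers 401 here but 403 in the registrations counterpart, and `data: @resource.as_json` in the new 403 branch presumably serializes nil, because `@resource` does not appear to be assigned until the `send_reset_password_instructions` call further down `create` (outside this hunk). Since the whitelist is opt-in (nil by default), the client-supplied `redirect_url` is otherwise embedded in the reset e-mail link unvalidated; the README entry for `redirect_whitelist` could say so explicitly so deployments know to set it.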
@@ -14,8 +14,14 @@ def create @resource.email = sign_up_params[:email] end + # give redirect value from params priority + redirect_url = params[:confirm_success_url] + + # fall back to default value if provided + redirect_url ||= DeviseTokenAuth.default_confirm_success_url + # success redirect url is required - if resource_class.devise_modules.include?(:confirmable) && !params[:confirm_success_url] + if resource_class.devise_modules.include?(:confirmable) && !redirect_url return render json: { status: 'error', data: @resource.as_json, @@ -23,6 +29,17 @@ def create }, status: 403 end + # if whitelist is set, validate redirect_url against whitelist + if DeviseTokenAuth.redirect_whitelist + unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) + return render json: { + status: 'error', + data: @resource.as_json, + errors: ["Redirect to #{redirect_url} not allowed."] + }, status: 403 + end + end + begin # override email confirmation, must be sent manually from ctrl resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions) @@ -32,7 +49,7 @@ def create # user will require email authentication @resource.send_confirmation_instructions({ client_config: params[:config_name], - redirect_url: params[:confirm_success_url] + redirect_url: redirect_url }) else diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index b703adae5..c7703f769 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb 
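Review bot: In the `@@ -23,6 +29,17 @@` hunk the whitelist check runs unconditionally, while the preceding hunk only requires `redirect_url` when the model is `:confirmable`; for a non-confirmable model with `redirect_whitelist` configured and neither a `confirm_success_url` param nor a default, `redirect_url` is nil, `include?(nil)` is false, and sign-up fails with `"Redirect to  not allowed."`. Guarding the check on the value, `if redirect_url && DeviseTokenAuth.redirect_whitelist`, keeps non-confirmable sign-ups working, and a test for that case belongs next to the new whitelist tests. `create` continues outside the hunk.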
@@ -12,12 +12,18 @@ class Engine < ::Rails::Engine mattr_accessor :change_headers_on_each_request, :token_lifespan, :batch_request_buffer_throttle, - :omniauth_prefix + :omniauth_prefix, + :default_confirm_success_url, + :default_password_reset_url, + :redirect_whitelist self.change_headers_on_each_request = true self.token_lifespan = 2.weeks self.batch_request_buffer_throttle = 5.seconds self.omniauth_prefix = '/omniauth' + self.default_confirm_success_url = nil + self.default_password_reset_url = nil + self.redirect_whitelist = nil def self.setup(&block) yield self diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index b4f88e931..870672898 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb 
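Review bot: The three new `mattr_accessor` settings are added without a comment saying what a nil value means, and for `redirect_whitelist` in particular nil silently disables redirect-url validation. A one-line comment on each default would help, e.g. `self.redirect_whitelist = nil # nil skips validation; set to an Array of exact client URLs to restrict post-confirmation redirects`, with similar notes that the two `default_*_url` settings are only fallbacks for a missing client param.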
@@ -139,6 +139,72 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end end + describe 'Using default_password_reset_url' do + before do + @resource = users(:confirmed_email_user) + @redirect_url = 'http://ng-token-auth.dev' + + DeviseTokenAuth.default_password_reset_url = @redirect_url + + xhr :post, :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @mail = ActionMailer::Base.deliveries.last + @resource.reload + + @sent_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) + end + + teardown do + DeviseTokenAuth.default_password_reset_url = nil + end + + test 'response should return success status' do + assert_equal 200, response.status + end + + test 'action should send an email' do + assert @mail + end + + test 'the email body should contain a link with redirect url as a query param' do + assert_equal @redirect_url, @sent_redirect_url + end + end + + describe 'Using redirect_whitelist' do + before do + @resource = users(:confirmed_email_user) + @good_redirect_url = Faker::Internet.url + @bad_redirect_url = Faker::Internet.url + DeviseTokenAuth.redirect_whitelist = [@good_redirect_url] + end + + teardown do + DeviseTokenAuth.redirect_whitelist = nil + end + + test "request to whitelisted redirect should be successful" do + xhr :post, :create, { + email: @resource.email, + redirect_url: @good_redirect_url + } + + assert_equal 200, response.status + end + + test "request to non-whitelisted redirect should fail" do + xhr :post, :create, { + email: @resource.email, + redirect_url: @bad_redirect_url + } + + assert_equal 403, response.status + end + end + describe "change password" do describe 'success' do before do diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 785f6a999..92ed2aa8d 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb 
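Review bot: The `'Using default_password_reset_url'` block never exercises the default it sets up, because the `xhr :post, :create` call still passes `redirect_url: @redirect_url`, so the controller takes the params branch and the `||=` fallback is untouched. Drop that key from the request, `xhr :post, :create, { email: @resource.email }`, and the assertion on `@sent_redirect_url` then actually proves the fallback (the registrations test for `default_confirm_success_url` correctly omits the param). The `'Using redirect_whitelist'` block draws both URLs from `Faker::Internet.url`; should they ever coincide the non-whitelisted request would be allowed and that test would fail spuriously, so a fixed literal for the bad URL is more robust.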
+++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
@@ -55,6 +55,79 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe 'Using redirect_whitelist' do + before do + @good_redirect_url = Faker::Internet.url + @bad_redirect_url = Faker::Internet.url + DeviseTokenAuth.redirect_whitelist = [@good_redirect_url] + end + + teardown do + DeviseTokenAuth.redirect_whitelist = nil + end + + test "request to whitelisted redirect should be successful" do + post '/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: @good_redirect_url, + unpermitted_param: '(x_x)' + } + + assert_equal 200, response.status + end + + test "request to non-whitelisted redirect should fail" do + post '/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: @bad_redirect_url, + unpermitted_param: '(x_x)' + } + + assert_equal 403, response.status + end + end + + describe 'Using default_confirm_success_url' do + before do + @mails_sent = ActionMailer::Base.deliveries.count + @redirect_url = Faker::Internet.url + + DeviseTokenAuth.default_confirm_success_url = @redirect_url + + post '/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + unpermitted_param: '(x_x)' + } + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + @mail = ActionMailer::Base.deliveries.last + @sent_redirect_url = URI.decode(@mail.body.match(/redirect_url=([^&]*)(&|\")/)[1]) + end + + teardown do + DeviseTokenAuth.default_confirm_success_url = nil + end + + test "request should be successful" do + assert_equal 200, response.status + end + + test "the email was sent" do + assert_equal @mails_sent + 1, ActionMailer::Base.deliveries.count + end + + test 'email contains the default redirect url' do + assert_equal @redirect_url, @sent_redirect_url + end + end + describe 'using namespaces' do before do @mails_sent = 
ActionMailer::Base.deliveries.count From afa14c1224a608d7da74403c99b6d83bed73bf56 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Fri, 13 Mar 2015 00:08:24 -0500 Subject: [PATCH 074/328] v0.1.32.beta8 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index ae4fbb315..fd5f06a26 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta7) + devise_token_auth (0.1.32.beta8) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 8331d48de..e6907034c 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta7" + VERSION = "0.1.32.beta8" end From da97c90c69ac6f578bc9c22468a38fac91244f90 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Fri, 13 Mar 2015 00:19:15 -0500 Subject: [PATCH 075/328] add test to confirm that + sign works in email addresses. fixes #171 --- .../registrations_controller_test.rb | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 92ed2aa8d..e55ee616d 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
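Review bot: `URI.decode` in the `'Using default_confirm_success_url'` setup (hunk `@@ -55,6 +55,79 @@`, which ends on this line) is obsolete in Ruby and removed in 3.0, and the sibling passwords test decodes the same link with `CGI.unescape`; use the same call here, `@sent_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)(&|\")/)[1])`. The two `redirect_whitelist` tests also post `unpermitted_param: '(x_x)'`, which has nothing to do with what they check and looks copied from the extra-params tests; dropping it keeps the intent clear.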
@@ -55,6 +55,23 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe 'using "+" in email' do + test 'can use + sign in email addresses' do + @plus_email = 'ak+testing@gmail.com' + + post '/auth', { + email: @plus_email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url + } + + @resource = assigns(:resource) + + assert_equal @plus_email, @resource.email + end + end + describe 'Using redirect_whitelist' do before do @good_redirect_url = Faker::Internet.url From 7a15aa4a1fb6dc719f05c178467bbf926480289b Mon Sep 17 00:00:00 2001 From: Miles Matthias Date: Wed, 18 Mar 2015 11:20:12 -0600 Subject: [PATCH 076/328] the result of running --- test/dummy/db/schema.rb | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index 5f8224fd7..9fd8a86c5 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
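Review bot: The `'can use + sign in email addresses'` test asserts only `@resource.email` from `assigns(:resource)`, so a registration that fails validation after the attribute is assigned would still pass; add `assert_equal 200, response.status` and check the persisted value, `assert_equal @plus_email, @resource.reload.email`. The fixture also uses a real provider domain, `ak+testing@gmail.com`; an `example.com` address avoids naming a real mailbox in the suite.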
@@ -39,10 +39,10 @@ t.datetime "updated_at" end - add_index "evil_users", ["confirmation_token"], name: "index_evil_users_on_confirmation_token", unique: true, using: :btree - add_index "evil_users", ["email"], name: "index_evil_users_on_email", using: :btree - add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true, using: :btree - add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true, using: :btree + add_index "evil_users", ["confirmation_token"], name: "index_evil_users_on_confirmation_token", unique: true + add_index "evil_users", ["email"], name: "index_evil_users_on_email" + add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true + add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true create_table "mangs", force: :cascade do |t| t.string "email", limit: 255 @@ -72,10 +72,10 @@ t.string "favorite_color", limit: 255 end - add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true, using: :btree - add_index "mangs", ["email"], name: "index_mangs_on_email", using: :btree - add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true, using: :btree - add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true, using: :btree + add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true + add_index "mangs", ["email"], name: "index_mangs_on_email" + add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true + add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true create_table "only_email_users", force: :cascade do |t| t.string "provider", limit: 255, null: false 
@@ -90,8 +90,8 @@ t.datetime "updated_at" end - add_index "only_email_users", ["email"], name: "index_only_email_users_on_email", using: :btree - add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true, using: :btree + add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" + add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true create_table "unregisterable_users", force: :cascade do |t| t.string "provider", limit: 255, null: false @@ -118,9 +118,9 @@ t.datetime "updated_at" end - add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email", using: :btree - add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true, using: :btree - add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true, using: :btree + add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email" + add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true + add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true create_table "users", force: :cascade do |t| t.string "email", limit: 255 
@@ -151,10 +151,10 @@ t.string "favorite_color", limit: 255 end - add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree - add_index "users", ["email"], name: "index_users_on_email", using: :btree - add_index "users", ["nickname"], name: "index_users_on_nickname", unique: true, using: :btree - add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree - add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true, using: :btree + add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true + add_index "users", ["email"], name: "index_users_on_email" + add_index "users", ["nickname"], name: "index_users_on_nickname", unique: true + add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true + add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true end From 3b753800470e8510490ee46f8ff6615cb4589d92 Mon Sep 17 00:00:00 2001 From: Miles Matthias Date: Wed, 18 Mar 2015 11:24:53 -0600 Subject: [PATCH 077/328] be more helpful when people GET sign_in than raising a vague exception. --- .../devise_token_auth/sessions_controller.rb | 6 ++++++ .../devise_token_auth/sessions_controller_test.rb | 14 ++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 993e1b2f2..155138aa6 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
@@ -3,6 +3,12 @@ module DeviseTokenAuth class SessionsController < DeviseTokenAuth::ApplicationController before_filter :set_user_by_token, :only => [:destroy] + def new + render json: { + errors: ["Use POST /sign_in to sign in. GET is not supported."] + }, status: 405 + end + def create # Check field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index 3c91d7ac3..14d3b8d0b 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -73,6 +73,20 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase end end + describe 'get sign_in is not supported' do + before do + xhr :get, :new, { + nickname: @existing_user.nickname, + password: 'secret123' + } + @data = JSON.parse(response.body) + end + + test 'user is notified that they should use post sign_in to authenticate' do + assert_equal 405, response.status + end + end + describe 'alt auth keys' do before do xhr :post, :create, { From 64b0a5f29f28e81a4f5879c990d5c3ec10830ff0 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 23 Mar 2015 23:11:50 -0500 Subject: [PATCH 078/328] misc fixes for jToker compatibility --- .../omniauth_callbacks_controller.rb | 4 +- .../devise_token_auth/passwords_controller.rb | 2 +- .../registrations_controller.rb | 2 +- .../omniauth_success.html.erb | 3 +- test/dummy/db/schema.rb | 180 +++++++++--------- 5 files changed, 97 insertions(+), 94 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 658231775..7846fe609 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
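Review bot: The new `new` action returns 405 without an `Allow` header, which RFC 7231 requires on a 405 response; set it before rendering, `response.headers['Allow'] = 'POST'`. In the accompanying test hunk `@data = JSON.parse(response.body)` is parsed but never asserted, so either assert on `@data['errors']` or drop the parse; the test also sends `nickname`/`password` as GET query parameters, which is fine for exercising the rejection but deserves a comment so nobody copies it as a sign-in example.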
@@ -30,12 +30,14 @@ def omniauth_success @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) @expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i + @config = omniauth_params['config_name'] @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], { token: @token, client_id: @client_id, uid: @resource.uid, - expiry: @expiry + expiry: @expiry, + config: @config }) # set crazy password for new oauth users. this is only used to prevent diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 83f6949e8..9fc594689 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -157,7 +157,7 @@ def update else return render json: { success: false, - errors: @resource.errors + errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) }, status: 422 end end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 52741ebdb..d2f514be3 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -100,7 +100,7 @@ def update else render json: { status: 'error', - errors: @resource.errors + errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) }, status: 403 end else diff --git a/app/views/devise_token_auth/omniauth_success.html.erb b/app/views/devise_token_auth/omniauth_success.html.erb index 34ef6b740..697b92038 100644 --- a/app/views/devise_token_auth/omniauth_success.html.erb +++ b/app/views/devise_token_auth/omniauth_success.html.erb @@ -5,4 +5,5 @@ "auth_token": "<%= @token %>", "message": "deliverCredentials", "client_id": "<%= @client_id %>", -"expiry": "<%= @expiry %>" +"expiry": "<%= @expiry %>", +"config": "<%= @config %>" 
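Review bot: `@config` is read from `omniauth_params['config_name']`, i.e. the client-supplied params preserved in the session during `redirect_callbacks`, so unlike `@token` and `@client_id` (both `SecureRandom`) it is not server-generated, yet the view hunk in `omniauth_success.html.erb` drops it straight into a quoted string of what looks like a JSON literal, `"config": "<%= @config %>"`. ERB's HTML escaping turns `"` into `&quot;` and leaves backslashes alone, which is not the escaping a JavaScript/JSON string literal needs, so an unexpected value at best corrupts the delivered payload; `"config": "<%= j @config %>"` (escape_javascript) is the conventional form. The `omniauth_success` body continues outside the hunk.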
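Review bot: The `errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages)` expression is now duplicated in `passwords_controller.rb` and `registrations_controller.rb`; a small helper in the shared base controller, `def resource_errors; @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages); end`, would keep the error shape identical across endpoints. The two hunks also disagree on the status for the same validation failure, 422 in the passwords `update` and 403 in the registrations `update`; 422 is the conventional code for a validation error, and the registrations branch could presumably be aligned without affecting clients that only inspect `errors`.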
diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb
index 5f8224fd7..0fc3b2f6d 100644
--- a/test/dummy/db/schema.rb
+++ b/test/dummy/db/schema.rb
@@ -14,147 +14,147 @@ ActiveRecord::Schema.define(version: 20141222053502) do create_table "evil_users", force: :cascade do |t| - t.string "email", limit: 255 - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 - t.string "favorite_color", limit: 255 + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" + t.string "favorite_color" t.datetime "created_at" t.datetime "updated_at" end - add_index "evil_users", ["confirmation_token"], name: "index_evil_users_on_confirmation_token", unique: true, using: :btree - add_index "evil_users", ["email"], name: "index_evil_users_on_email", using: :btree - add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true, using: :btree - add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true, using: :btree + add_index "evil_users", ["confirmation_token"], name: 
"index_evil_users_on_confirmation_token", unique: true + add_index "evil_users", ["email"], name: "index_evil_users_on_email" + add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true + add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true create_table "mangs", force: :cascade do |t| - t.string "email", limit: 255 - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url", limit: 255 + t.string "reset_password_redirect_url" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url", limit: 255 - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 + t.string "confirm_success_url" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" - t.string "favorite_color", limit: 255 + t.string "favorite_color" end - add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: 
true, using: :btree - add_index "mangs", ["email"], name: "index_mangs_on_email", using: :btree - add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true, using: :btree - add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true, using: :btree + add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true + add_index "mangs", ["email"], name: "index_mangs_on_email" + add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true + add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true create_table "only_email_users", force: :cascade do |t| - t.string "provider", limit: 255, null: false - t.string "uid", limit: 255, default: "", null: false - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "email", limit: 255 - t.text "tokens", limit: 65535 + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" end - add_index "only_email_users", ["email"], name: "index_only_email_users_on_email", using: :btree - add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true, using: :btree + add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" + add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true create_table "unregisterable_users", force: :cascade do |t| - t.string "provider", limit: 255, null: false - t.string "uid", limit: 255, default: "", null: false - t.string "encrypted_password", limit: 255, 
default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "email", limit: 255 - t.text "tokens", limit: 65535 + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" end - add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email", using: :btree - add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true, using: :btree - add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true, using: :btree + add_index "unregisterable_users", ["email"], name: "index_unregisterable_users_on_email" + add_index "unregisterable_users", ["reset_password_token"], name: "index_unregisterable_users_on_reset_password_token", unique: true + add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true create_table "users", force: :cascade do |t| - t.string "email", limit: 255 - t.string 
"encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url", limit: 255 + t.string "reset_password_redirect_url" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url", limit: 255 - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 + t.string "confirm_success_url" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" - t.integer "operating_thetan", limit: 4 - t.string "favorite_color", limit: 255 + t.integer "operating_thetan" + t.string "favorite_color" end - add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true, using: :btree - add_index "users", ["email"], name: "index_users_on_email", using: :btree - add_index "users", ["nickname"], name: "index_users_on_nickname", unique: true, using: :btree - add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, using: :btree - add_index "users", ["uid", "provider"], name: 
"index_users_on_uid_and_provider", unique: true, using: :btree + add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true + add_index "users", ["email"], name: "index_users_on_email" + add_index "users", ["nickname"], name: "index_users_on_nickname", unique: true + add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true + add_index "users", ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true end From 910596fa5787617e8b64460eb737f3606284a4cf Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Mon, 23 Mar 2015 23:12:40 -0500 Subject: [PATCH 079/328] v0.1.32.beta9 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index fd5f06a26..198211d02 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -31,7 +31,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta8) + devise_token_auth (0.1.32.beta9) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index e6907034c..5adc9660c 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta8" + VERSION = "0.1.32.beta9" end From 2f9488a58f9a7b16f0d1a8a63b7e7c7c8549ecff Mon Sep 17 00:00:00 2001 From: Lynn Dylan Hurley Date: Wed, 25 Mar 2015 17:48:49 -0500 Subject: [PATCH 080/328] Update README.md Add links to jToker in docs --- README.md | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index 2c55c973f..35f8daaa9 100644 --- a/README.md +++ b/README.md 
@@ -10,7 +10,7 @@ This gem provides the following features: -* Seamless integration with the the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js). +* Seamless integration with both the the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js) and the outstanding [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth). * Email authentication using [Devise](https://github.com/plataformatec/devise), including: * User registration @@ -20,11 +20,13 @@ This gem provides the following features: * Support for [multiple user models](https://github.com/lynndylanhurley/devise_token_auth#using-multiple-models). * It is [secure](#security). -# [Live Demo](http://ng-token-auth-demo.herokuapp.com/) +# Live Demos -[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module. +[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://angularjs.org/). -The fully configured api used in the demo can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). +[Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/). + +The fully configured api used in these demos can be found [here](https://github.com/lynndylanhurley/devise_token_auth_demo). # Troubleshooting 
@@ -125,7 +127,7 @@ You may also need to configure the following items: # Usage TL;DR -The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js. +The following routes are available for use by your client. These routes live relative to the path at which this engine is mounted (`auth` by default). These routes correspond to the defaults used by the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [AngularJS](https://angularjs.org/) and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). | path | method | purpose | |:-----|:-------|:--------| 
@@ -151,7 +153,7 @@ The following settings are available for configuration in `config/initializers/d | Name | Default | Description| |---|---|---| -| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. The [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js does this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). | +| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. Both [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) and [jToker](https://github.com/lynndylanhurley/j-toker) do this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). | | **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | | **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | | **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. 
[Read more](#omniauth-provider-settings). | @@ -226,6 +228,17 @@ angular.module('myApp', ['ng-token-auth']) }); ~~~ +**jToker settings for github should look like this: + +~~~javascript +$.auth.configure({ + apiUrl: 'http://api.example.com', + authProviderPaths: { + github: '/auth/github' // <-- note that this is different than what was set with github + } +}); +~~~ + This incongruence is necessary to support multiple user classes and mounting points. #### Note for [pow](http://pow.cx/) and [xip.io](http://xip.io) users @@ -286,7 +299,7 @@ end Make extra sure that the `Access-Control-Expose-Headers` includes `access-token`, `expiry`, `token-type`, `uid`, and `client` (as is set in the example above by the`:expose` param). If your client experiences erroneous 401 responses, this is likely the cause. -CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the [ng-token-auth readme](https://github.com/lynndylanhurley/ng-token-auth) for more information. +CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the [ng-token-auth readme](https://github.com/lynndylanhurley/ng-token-auth) or the [jToker readme](https://github.com/lynndylanhurley/j-toker) for more information. # Usage cont. @@ -309,7 +322,7 @@ mount_devise_token_auth_for 'User', at: 'auth' Any model class can be used, but the class will need to include [`DeviseTokenAuth::Concerns::User`](#model-concerns) for authentication to work properly. -You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module. +You can mount this engine to any route that you like. `/auth` is used by default to conform with the defaults of the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and the [jToker](https://github.com/lynndylanhurley/j-toker) plugin. ## Controller Methods 
@@ -388,7 +401,7 @@ The authentication headers consists of the following params: | **`expiry`** | The date at which the current session will expire. This can be used by clients to invalidate expired tokens without the need for an API request. | | **`uid`** | A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to [timing attacks](http://codahale.com/a-lesson-in-timing-attacks/). | -The authentication headers required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for angular.js, this functionality is already provided. +The authentication headers required for each request will be available in the response from the previous request. If you are using the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) AngularJS module or the [jToker](https://github.com/lynndylanhurley/j-toker) jQuery plugin, this functionality is already provided. ## Model Concerns @@ -446,7 +459,10 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce ## Using multiple models -### [View Live Multi-User Demo](http://ng-token-auth-demo.herokuapp.com/multi-user) +### View Live Multi-User Demos + +* [AngularJS](http://ng-token-auth-demo.herokuapp.com/multi-user) +* [React + jToker](http://j-toker-demo.herokuapp.com/#/alt-user) This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app: 
@@ -654,14 +670,14 @@ These files may be edited to suit your taste. When posting issues, please include the following information to speed up the troubleshooting process: -* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) if applicable) are you using? +* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) / [jToker](https://github.com/lynndylanhurley/j-toker) if applicable) are you using? * **Request and response headers**: these can be found in the "Network" tab of your browser's web inspector. * **Rails Stacktrace**: this can be found in the `log/development.log` of your API. * **Environmental Info**: How is your application different from the [reference implementation](https://github.com/lynndylanhurley/devise_token_auth_demo)? This may include (but is not limited to) the following details: * **Routes**: are you using some crazy namespace, scope, or constraint? * **Gems**: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.? * **Custom Overrides**: what have you done in terms of [custom controller overrides](#custom-controller-overrides)? - * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), or something else? + * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker), or something else? # FAQ From 39dedf082f40a6e9f242daf7413cb5964b97d564 Mon Sep 17 00:00:00 2001 From: Nick Lewis Date: Mon, 30 Mar 2015 15:57:36 -0500 Subject: [PATCH 081/328] Checking for a user in warden/devise session before passing through to token auth. --- .../concerns/set_user_by_token.rb | 17 ++++-- test/controllers/demo_user_controller_test.rb | 53 +++++++++++++++++++ 2 files changed, 65 insertions(+), 5 deletions(-) 
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 721dfe764..099be68f4 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -21,19 +21,26 @@ def set_user_by_token(mapping=nil) # no default user defined return unless rc - # user has already been found and authenticated - return @resource if @resource and @resource.class == rc - # parse header for values necessary for authentication uid = request.headers['uid'] || params['uid'] @token = request.headers['access-token'] || params['access-token'] @client_id = request.headers['client'] || params['client'] - return false unless @token - # client_id isn't required, set to 'default' if absent @client_id ||= 'default' + # check for an existing user, authenticated via warden/devise + devise_warden_user = warden.user(rc.to_s.underscore.to_sym) + if devise_warden_user && devise_warden_user.tokens[@client_id].nil? + @resource = devise_warden_user + @resource.create_new_auth_token + end + + # user has already been found and authenticated + return @resource if @resource and @resource.class == rc + + return false unless @token + # mitigate timing attacks by finding by uid instead of auth token user = uid && rc.find_by_uid(uid) diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index 81720de3f..364a90355 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb @@ -7,6 +7,7 @@ # was the appropriate message delivered in the json payload? class DemoUserControllerTest < ActionDispatch::IntegrationTest + include Warden::Test::Helpers describe DemoUserController do describe "Token access" do before do 
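Review bot: A warden-session user is accepted only on the first header-less request: `create_new_auth_token` stores a token under `@client_id` (`'default'` when no client header is sent), so on the next cookie-only request `devise_warden_user.tokens[@client_id].nil?` is false, `@resource` is never assigned, and `return false unless @token` rejects the caller. Consider `if devise_warden_user` with `@resource = devise_warden_user` and `@resource.create_new_auth_token if @resource.tokens[@client_id].nil?`, so the session user is always resolved and a token is minted only when missing. Separately, this makes token-protected endpoints answer to a Devise session cookie alone; if the API controllers skip `protect_from_forgery` (not visible here), those endpoints become reachable by cross-site requests that carry the cookie, so the session path should be opt-in or paired with CSRF verification. set_user_by_token continues outside the hunk.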
@@ -258,5 +259,57 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest end end end + + describe 'Existing Warden authentication' do + before do + @resource = users(:confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + login_as( @resource, :scope => :user) + + # no auth headers sent, testing that warden authenticates correctly. + get '/demo/members_only', {}, nil + + @resp_token = response.headers['access-token'] + @resp_client_id = response.headers['client'] + @resp_expiry = response.headers['expiry'] + @resp_uid = response.headers['uid'] + end + + describe 'devise mappings' do + it 'should define current_user' do + assert_equal @resource, @controller.current_user + end + + it 'should define user_signed_in?' do + assert @controller.user_signed_in? + end + + it 'should not define current_mang' do + refute_equal @resource, @controller.current_mang + end + end + + it 'should return success status' do + assert_equal 200, response.status + end + + it 'should receive new token after successful request' do + assert @resp_token + end + + it 'should set the token expiry in the auth header' do + assert @resp_expiry + end + + it 'should return the client id in the auth header' do + assert @resp_client_id + end + + it "should return the user's uid in the auth header" do + assert @resp_uid + end + end + end end From dae8106e0a74d1bdb86459025e0464bd59b270ca Mon Sep 17 00:00:00 2001 From: Lynn Dylan Hurley Date: Tue, 31 Mar 2015 10:55:54 -0500 Subject: [PATCH 082/328] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 35f8daaa9..55eabca5b 100644 --- a/README.md +++ b/README.md @@ -805,6 +805,7 @@ Thanks to the following contributors: * [@jartek](https://github.com/jartek) * [@nicolas-besnard](https://github.com/nicolas-besnard) * [@tbloncar](https://github.com/tbloncar) +* [@nickL](https://github.com/nickL) # Contributing 
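Review bot: The `before` block issues `get '/demo/members_only', {}, nil` exactly once, so the suite never checks that a cookie-only session still authenticates on a second request, which is the case where a `'default'` client token already exists from the first call. Add a test that repeats the same header-less request and still expects a 200 and a fresh `access-token` header. The enclosing DemoUserController describe block begins outside the hunk.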
From 269e0235ea5a7f2aaa239b3dcbb3e876fcc4d61d Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Thu, 2 Apr 2015 21:29:56 -0400 Subject: [PATCH 083/328] Users with allowed unconfirmed access can now log in successfully. --- .../devise_token_auth/sessions_controller.rb | 4 +- .../sessions_controller_test.rb | 52 +++++++++++++++++++ test/fixtures/users.yml | 12 +++++ 3 files changed, 66 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 993e1b2f2..1a99d7861 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -24,7 +24,7 @@ def create @resource = resource_class.where(q, q_value).first end - if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? + if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) @@ -41,7 +41,7 @@ def create data: @resource.token_validation_response } - elsif @resource and not @resource.confirmed? + elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) render json: { success: false, errors: [ diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index 3c91d7ac3..c6825b200 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb 
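Review bot: The predicate `(!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)` is written out twice with `and`/`or`, whose low precedence makes such compound conditions fragile; compute it once before the `if`, e.g. `active = !@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?`, and test `active` in both branches. Because the `elsif` now covers every reason Devise marks a record inactive, not only an unconfirmed email, the error text rendered in that branch (outside the hunk) should be derived from `@resource.inactive_message` rather than a fixed not-confirmed message, or locked or otherwise inactive users get a misleading reason. `create` begins and ends outside both hunks.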
@@ -181,6 +181,58 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase end end + describe "Unconfirmed user with allowed unconfirmed access" do + before do + @original_duration = Devise.allow_unconfirmed_access_for + Devise.allow_unconfirmed_access_for = 3.days + @recent_unconfirmed_user = users(:recent_unconfirmed_email_user) + xhr :post, :create, { + email: @recent_unconfirmed_user.email, + password: 'secret123' + } + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + after do + Devise.allow_unconfirmed_access_for = @original_duration + end + + test "request should succeed" do + assert_equal 200, response.status + end + + test "request should return user data" do + assert_equal @recent_unconfirmed_user.email, @data['data']['email'] + end + end + + describe "Unconfirmed user with expired unconfirmed access" do + before do + @original_duration = Devise.allow_unconfirmed_access_for + Devise.allow_unconfirmed_access_for = 3.days + @unconfirmed_user = users(:unconfirmed_email_user) + xhr :post, :create, { + email: @unconfirmed_user.email, + password: 'secret123' + } + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + after do + Devise.allow_unconfirmed_access_for = @original_duration + end + + test "request should fail" do + assert_equal 401, response.status + end + + test "response should contain errors" do + assert @data['errors'] + end + end + describe "Non-existing user" do before do xhr :post, :create, { diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index bc29e9067..5b5a1275c 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml 
@@ -28,3 +28,15 @@ unconfirmed_email_user: created_at: '<%= timestamp %>' updated_at: '<%= timestamp %>' encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + confirmation_sent_at: '<%= timestamp %>' + +<% @recent_unconfirmed_email = Faker::Internet.email %> +<% recent_timestamp = DateTime.parse(1.day.ago.to_s).to_time.strftime("%F %T") %> +recent_unconfirmed_email_user: + uid: "<%= @recent_unconfirmed_email %>" + email: "<%= @recent_unconfirmed_email %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + confirmation_sent_at: '<%= recent_timestamp %>' \ No newline at end of file From 180d69e090e43443197b9d60387f8c02fa8365ad Mon Sep 17 00:00:00 2001 From: Mauricio Chavarriaga Date: Sat, 4 Apr 2015 23:08:24 -0500 Subject: [PATCH 084/328] Returning 422 instead of 500 when empty body request for sign up and account update. --- .../registrations_controller.rb | 19 +++++++ .../registrations_controller_test.rb | 53 +++++++++++++++++++ 2 files changed, 72 insertions(+) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index d2f514be3..f4f988c25 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -1,6 +1,8 @@ module DeviseTokenAuth class RegistrationsController < DeviseTokenAuth::ApplicationController before_filter :set_user_by_token, :only => [:destroy, :update] + before_filter :validate_sign_up_params, :only => :create + before_filter :validate_account_update_params, :only => :update skip_after_filter :update_auth_header, :only => [:create, :destroy] def create 
@@ -134,5 +136,22 @@ def sign_up_params def account_update_params params.permit(devise_parameter_sanitizer.for(:account_update)) end + + private + + def validate_sign_up_params + validate_post_data sign_up_params, 'Please submit proper sign up data in request body.' + end + + def validate_account_update_params + validate_post_data account_update_params, 'Please submit proper account update data in request body.' + end + + def validate_post_data which, message + render json: { + status: 'error', + errors: [message] + }, status: :unprocessable_entity if which.empty? + end end end diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index e55ee616d..069628146 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -9,6 +9,32 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest describe DeviseTokenAuth::RegistrationsController do + describe 'Validate non-empty body' do + before do + # need to post empty data + post '/auth', {} + + @resource = assigns(:resource) + @data = JSON.parse(response.body) + end + + test 'request should fail' do + assert_equal 422, response.status + end + + test 'returns error message' do + assert_not_empty @data['errors'] + end + + test 'return error status' do + assert_equal 'error', @data['status'] + end + + test 'user should not have been saved' do + assert @resource.nil? + end + end + describe "Successful registration" do before do @mails_sent = ActionMailer::Base.deliveries.count 
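Review bot: `def validate_post_data which, message` drops the definition parentheses used by the surrounding methods and names its first parameter `which`, which says nothing about what is passed; `def validate_post_data(data, message)` reads better. The trailing `if which.empty?` after a multi-line `render` call is easy to overlook; put the guard first, `return unless data.empty?`, and render unconditionally below it. A short comment such as `# halts the filter chain with 422 when the permitted params are empty` would also tell readers that this runs as a before_filter, since the `private` marker now sits below `account_update_params` and the earlier methods' visibility is not visible in this hunk.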
@@ -416,6 +442,33 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end end + describe 'validate non-empty body' do + before do + # get the email so we can check it wasn't updated + @email = @existing_user.email + put '/auth', {}, @auth_headers + + @data = JSON.parse(response.body) + @existing_user.reload + end + + test 'request should fail' do + assert_equal 422, response.status + end + + test 'returns error message' do + assert_not_empty @data['errors'] + end + + test 'return error status' do + assert_equal 'error', @data['status'] + end + + test 'user should not have been saved' do + assert_equal @email, @existing_user.email + end + end + describe "error" do before do # test invalid update param From 05f6ddec99dc9126c31d96f7cfc722b8074c1e59 Mon Sep 17 00:00:00 2001 From: tomdov Date: Tue, 7 Apr 2015 00:48:47 +0300 Subject: [PATCH 085/328] remove fragment sign ("#") from URLs without fragment --- app/models/devise_token_auth/concerns/user.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 138ea8767..8aeb72ebb 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -215,8 +215,7 @@ def generate_url(url, params = {}) res = "#{uri.scheme}://#{uri.host}" res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443) res += "#{uri.path}" if uri.path - res += '#' - res += "#{uri.fragment}" if uri.fragment + res += "##{uri.fragment}" if uri.fragment res += "?#{params.to_query}" return res From 7a6fea6baaa4801b9535a494b4b5bff351634a85 Mon Sep 17 00:00:00 2001 
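Review bot: After this change the fragment is appended before the query string, producing `…#fragment?params`, which reverses the RFC 3986 order (`path?query#fragment`); a browser treats everything after `#` as fragment, so the query params become part of the fragment and are never sent to the server. If that is deliberate because the redirect targets are hash-routed client apps, add a comment above the fragment line saying so; otherwise emit `?#{params.to_query}` before the fragment. The untouched `res += "#{uri.path}" if uri.path` interpolates a bare string and can be `res += uri.path if uri.path`. generate_url starts outside the hunk.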
From: Dmitry Lihachev Date: Tue, 7 Apr 2015 11:08:06 +0600 Subject: [PATCH 086/328] Ability to localize error message Gem users must have ability to localize error messages. So to localize error, simply put your text in locale.yml with key activerecord.errors.models.{{model}}.attributes.email.already_in_use --- app/models/devise_token_auth/concerns/user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 138ea8767..cd403d849 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -225,7 +225,7 @@ def generate_url(url, params = {}) # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, "This email address is already in use") + errors.add(:email, :already_in_use, default: "This email address is already in use") end end From e6a0f8829dae76e357d50a2d2673e199c195ca29 Mon Sep 17 00:00:00 2001 
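Review bot: `errors.add(:email, :already_in_use, default: "…")` relies on an option ActiveModel does not document: unrecognised options are forwarded to `I18n.translate`, where `default:` replaces the fallback list ActiveModel builds for the symbol, so as far as I can tell only the first model-level key is consulted before the literal string. The documented override is `message:`, i.e. `errors.add(:email, :already_in_use, message: "This email address is already in use")`, which ActiveModel inserts into its own lookup chain. Worth confirming against the Rails version the project pins (rails ~> 4.2 per an earlier hunk on this page). unique_email_user's enclosing class continues outside the hunk.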
From: Samuel Gwilym Date: Thu, 9 Apr 2015 15:25:24 +0200 Subject: [PATCH 087/328] Add block yielding to RegistrationsController Allows you to make super simple additions to the RegistrationsController without having to reimplement entire pieces of functionality by passing a block to super. --- .../registrations_controller.rb | 3 ++ .../custom_registrations_controller_test.rb | 43 +++++++++++++++ .../custom/registrations_controller.rb | 33 ++++++++++++ test/dummy/app/models/nice_user.rb | 7 +++ test/dummy/config/routes.rb | 4 ++ ...712_devise_token_auth_create_nice_users.rb | 54 +++++++++++++++++++ test/dummy/db/schema.rb | 31 ++++++++++- test/fixtures/nice_users.yml | 29 ++++++++++ 8 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 test/controllers/custom/custom_registrations_controller_test.rb create mode 100644 test/dummy/app/controllers/custom/registrations_controller.rb create mode 100644 test/dummy/app/models/nice_user.rb create mode 100644 test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb create mode 100644 test/fixtures/nice_users.yml diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index d2f514be3..d09064eab 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -44,6 +44,7 @@ def create # override email confirmation, must be sent manually from ctrl resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions) if @resource.save + yield @resource if block_given? unless @resource.confirmed? # user will require email authentication @@ -93,6 +94,7 @@ def update if @resource if @resource.update_attributes(account_update_params) + yield @resource if block_given? render json: { status: 'success', data: @resource.as_json 
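Review bot: `yield @resource if block_given?` runs after persistence and before the render in all three actions (`create` and `update` here, `destroy` in the following hunk), so a block that renders or redirects raises DoubleRenderError, and a block that raises aborts after the record has already been saved or destroyed; nothing documents this contract. Add a comment above each yield such as `# yielded after the record is persisted and before rendering; the block must not render`, and note in the README that the block only sees the resource on the success path. create, update and destroy all begin and end outside these hunks.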
@@ -114,6 +116,7 @@ def update def destroy if @resource @resource.destroy + yield @resource if block_given? render json: { status: 'success', diff --git a/test/controllers/custom/custom_registrations_controller_test.rb b/test/controllers/custom/custom_registrations_controller_test.rb new file mode 100644 index 000000000..1d705497a --- /dev/null +++ b/test/controllers/custom/custom_registrations_controller_test.rb @@ -0,0 +1,43 @@ +require 'test_helper' + +class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest + + describe Custom::RegistrationsController do + + setup do + @create_params = { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + confirm_success_url: Faker::Internet.url, + unpermitted_param: '(x_x)' + } + + @existing_user = nice_users(:confirmed_email_user) + @auth_headers = @existing_user.create_new_auth_token + @client_id = @auth_headers['client'] + + # ensure request is not treated as batch request + age_token(@existing_user, @client_id) + end + + test "yield resource to block on create success" do + post '/nice_user_auth', @create_params + assert @controller.create_block_called?, "create failed to yield resource to provided block" + end + + test "yield resource to block on update success" do + put '/nice_user_auth', { + nickname: "Ol' Sunshine-face", + }, @auth_headers + assert @controller.update_block_called?, "update failed to yield resource to provided block" + end + + test "yield resource to block on destroy success" do + delete '/nice_user_auth', @auth_headers + assert @controller.destroy_block_called?, "update failed to yield resource to provided block" + end + + end + +end diff --git a/test/dummy/app/controllers/custom/registrations_controller.rb b/test/dummy/app/controllers/custom/registrations_controller.rb new file mode 100644 index 000000000..47c62e7f6 --- /dev/null +++ b/test/dummy/app/controllers/custom/registrations_controller.rb 
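Review bot: The failure message on the destroy assertion reads `"update failed to yield resource to provided block"` although the request is a DELETE; change it to `"destroy failed to yield resource to provided block"` so a failing run points at the right action. The update test's single-entry hash `{ nickname: "Ol' Sunshine-face", }` carries a trailing comma that the other literals in this file do not use. The test class is complete within the hunk.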
@@ -0,0 +1,33 @@ +class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController + + def create + super do |resource| + @create_block_called = true + end + end + + def update + super do |resource| + @update_block_called = true + end + end + + def destroy + super do |resource| + @destroy_block_called = true + end + end + + def create_block_called? + @create_block_called == true + end + + def update_block_called? + @update_block_called == true + end + + def destroy_block_called? + @destroy_block_called == true + end + +end diff --git a/test/dummy/app/models/nice_user.rb b/test/dummy/app/models/nice_user.rb new file mode 100644 index 000000000..a151ae1e2 --- /dev/null +++ b/test/dummy/app/models/nice_user.rb @@ -0,0 +1,7 @@ +class NiceUser < ActiveRecord::Base + # Include default devise modules. + devise :database_authenticatable, :registerable, + :recoverable, :rememberable, :trackable, :validatable, + :confirmable, :omniauthable + include DeviseTokenAuth::Concerns::User +end diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index dd42ee383..796f63252 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -19,6 +19,10 @@ token_validations: 'overrides/token_validations' } + mount_devise_token_auth_for 'NiceUser', at: 'nice_user_auth', controllers: { + registrations: 'custom/registrations' + } + mount_devise_token_auth_for 'OnlyEmailUser', at: 'only_email_auth', skip: [:omniauth_callbacks] mount_devise_token_auth_for 'UnregisterableUser', at: 'unregisterable_user_auth', skip: [:registrations] diff --git a/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb b/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb new file mode 100644 index 000000000..c2175ed8c --- /dev/null +++ b/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb 
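Review bot: The predicate methods compare an instance variable with `== true`, and each `super do |resource|` block ignores its parameter; `!!@create_block_called` (and likewise for update and destroy) expresses the boolean intent, and the unused block parameter should be written `|_resource|` so readers do not look for a use of it. A one-line class comment such as `# Test double: records whether the parent actions yielded the resource` would make clear this controller exists only to exercise the block-yielding contract. The NiceUser model and routes hunks on this line are test scaffolding and need no change.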
@@ -0,0 +1,54 @@ +class DeviseTokenAuthCreateNiceUsers < ActiveRecord::Migration + def change + create_table(:nice_users) do |t| + ## Required + t.string :provider, :null => false + t.string :uid, :null => false, :default => "" + + ## Database authenticatable + t.string :encrypted_password, :null => false, :default => "" + + ## Recoverable + t.string :reset_password_token + t.datetime :reset_password_sent_at + + ## Rememberable + t.datetime :remember_created_at + + ## Trackable + t.integer :sign_in_count, :default => 0, :null => false + t.datetime :current_sign_in_at + t.datetime :last_sign_in_at + t.string :current_sign_in_ip + t.string :last_sign_in_ip + + ## Confirmable + t.string :confirmation_token + t.datetime :confirmed_at + t.datetime :confirmation_sent_at + t.string :unconfirmed_email # Only if using reconfirmable + + ## Lockable + # t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts + # t.string :unlock_token # Only if unlock strategy is :email or :both + # t.datetime :locked_at + + ## User Info + t.string :name + t.string :nickname + t.string :image + t.string :email + + ## Tokens + t.text :tokens + + t.timestamps + end + + add_index :nice_users, :email + add_index :nice_users, [:uid, :provider], :unique => true + add_index :nice_users, :reset_password_token, :unique => true + # add_index :nice_users, :confirmation_token, :unique => true + # add_index :nice_users, :unlock_token, :unique => true + end +end diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index 0fc3b2f6d..4b50acf27 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20141222053502) do +ActiveRecord::Schema.define(version: 20150409095712) do create_table "evil_users", force: :cascade do |t| t.string "email" 
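Review bot: The unique index on `confirmation_token` is left commented out (`# add_index :nice_users, :confirmation_token, :unique => true`) even though `NiceUser` is declared `:confirmable`; the existing `users` table on this page carries `index_users_on_confirmation_token` with `unique: true`, so uncomment the line to keep confirmation-token lookups unambiguous and consistent with the other model. The new migration also mixes `:null => false` hash-rocket syntax with the `key:` style used elsewhere in the dummy app's schema; pick one. The schema.rb hunk on this line is generated and needs no change.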
@@ -77,6 +77,35 @@ add_index "mangs", ["reset_password_token"], name: "index_mangs_on_reset_password_token", unique: true add_index "mangs", ["uid", "provider"], name: "index_mangs_on_uid_and_provider", unique: true + create_table "nice_users", force: :cascade do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" + t.datetime "reset_password_sent_at" + t.datetime "remember_created_at" + t.integer "sign_in_count", default: 0, null: false + t.datetime "current_sign_in_at" + t.datetime "last_sign_in_at" + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" + t.datetime "confirmed_at" + t.datetime "confirmation_sent_at" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "nice_users", ["email"], name: "index_nice_users_on_email" + add_index "nice_users", ["reset_password_token"], name: "index_nice_users_on_reset_password_token", unique: true + add_index "nice_users", ["uid", "provider"], name: "index_nice_users_on_uid_and_provider", unique: true + create_table "only_email_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false diff --git a/test/fixtures/nice_users.yml b/test/fixtures/nice_users.yml new file mode 100644 index 000000000..bc84324f1 --- /dev/null +++ b/test/fixtures/nice_users.yml 
@@ -0,0 +1,29 @@ +<% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> +<% @email = Faker::Internet.email %> +confirmed_email_user: + uid: "<%= @email %>" + email: "<%= @email %>" + provider: 'email' + confirmed_at: '<%= timestamp %>' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + +<% @fb_email = Faker::Internet.email %> +duplicate_email_facebook_user: + uid: "<%= Faker::Number.number(10) %>" + email: "<%= @fb_email %>" + provider: 'facebook' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + confirmed_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + +<% @unconfirmed_email = Faker::Internet.email %> +unconfirmed_email_user: + uid: "<%= @unconfirmed_email %>" + email: "<%= @unconfirmed_email %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> From 2b733c9091f1d95f54696c796201a473cc4cd129 Mon Sep 17 00:00:00 2001 From: Samuel Gwilym Date: Thu, 9 Apr 2015 15:40:24 +0200 Subject: [PATCH 088/328] Documentation --- README.md | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 55eabca5b..990d2a6f5 100644 --- a/README.md +++ b/README.md @@ -51,6 +51,7 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is * [Excluding Modules](#excluding-modules) * [Custom Controller Overrides](#custom-controller-overrides) * [Email Template Overrides](#email-template-overrides) + * [Passing blocks to Controllers](#passing-blocks-controllers) * [Issue Reporting Guidelines](#issue-reporting) * [FAQ](#faq) * [Conceptual Diagrams](#conceptual) 
@@ -367,7 +368,7 @@ Note that if the model that you're trying to access isn't called `User`, the hel # app/controllers/test_controller.rb class TestController < ApplicationController before_action :authenticate_user! - + def members_only render json: { data: { @@ -476,7 +477,7 @@ This gem supports the use of multiple user models. One possible use case is to a 1. Define the routes to be used by the `Admin` user within a [`devise_scope`](https://github.com/plataformatec/devise#configuring-routes). **Example**: - + ~~~ruby Rails.application.routes.draw do # when using multiple models, controllers will default to the first available @@ -499,7 +500,7 @@ This gem supports the use of multiple user models. One possible use case is to a end end ~~~ - + 1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods): * `before_action: :authenticate_admin!` * `current_admin` @@ -516,7 +517,7 @@ It is also possible to control access to multiple user types at the same time us class DemoGroupController < ApplicationController devise_token_auth_group :member, contains: [:user, :admin] before_action :authenticate_member! - + def members_only render json: { data: { 
@@ -598,7 +599,7 @@ end ## Custom Controller Overrides -The built-in controllers can be overridden with your own custom controllers. +The built-in controllers can be overridden with your own custom controllers. For example, the default behavior of the [`validate_token`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb#L6) method of the [`TokenValidationController`](https://github.com/lynndylanhurley/devise_token_auth/blob/8a33d25deaedb4809b219e557e82ec7ec61bf940/app/controllers/devise_token_auth/token_validations_controller.rb) is to return the `User` object as json (sans password and token data). The following example shows how to override the `validate_token` action to include a model method as well. @@ -666,6 +667,22 @@ These files may be edited to suit your taste. **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. +## Passing blocks to RegistrationController + +If you simply want to add behaviour to the existing Registration controller, you can do so by creating a new controller that inherits from it, and override the `create`, `update` or `destroy` methods, and passing a block to super: + +```ruby +class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController + + def create + super do |resource| + resource.add_something(extra) + end + end + +end +``` + # Issue Reporting When posting issues, please include the following information to speed up the troubleshooting process: 
@@ -708,7 +725,7 @@ Removing the `new` routes will require significant modifications to devise. If t ### I'm having trouble using this gem alongside [ActiveAdmin](http://activeadmin.info/)... -For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. +For some odd reason, [ActiveAdmin](http://activeadmin.info/) extends from your own app's `ApplicationController`. This becomes a problem if you include the `DeviseTokenAuth::Concerns::SetUserByToken` concern in your app's `ApplicationController`. The solution is to use two separate `ApplicationController` classes - one for your API, and one for ActiveAdmin. Something like this: From a561a9b74bd8f6eb957bc54a5ee3aa3714bcfc8e Mon Sep 17 00:00:00 2001 From: Lynn Dylan Hurley Date: Thu, 9 Apr 2015 10:51:02 -0500 Subject: [PATCH 089/328] Update README.md Update callouts --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 990d2a6f5..820a7b37a 100644 --- a/README.md +++ b/README.md @@ -823,6 +823,7 @@ Thanks to the following contributors: * [@nicolas-besnard](https://github.com/nicolas-besnard) * [@tbloncar](https://github.com/tbloncar) * [@nickL](https://github.com/nickL) +* [@mchavarriagam](https://github.com/mchavarriagam) # Contributing From be4a7eaa414c8899f015b4b8d2c32fafbe42be15 Mon Sep 17 00:00:00 2001 From: Ian Young Date: Thu, 16 Apr 2015 17:24:31 -0700 Subject: [PATCH 090/328] Fix error when email missing from registration --- .../registrations_controller.rb | 2 +- .../registrations_controller_test.rb | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 988296eb1..ce00da197 100644 
--- a/app/controllers/devise_token_auth/registrations_controller.rb
+++ b/app/controllers/devise_token_auth/registrations_controller.rb
@@ -11,7 +11,7 @@ def create
 # honor devise configuration for case_insensitive_keys
 if resource_class.case_insensitive_keys.include?(:email)
- @resource.email = sign_up_params[:email].downcase
+ @resource.email = sign_up_params[:email].try :downcase
 else
 @resource.email = sign_up_params[:email]
 end
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb
index 069628146..4ed02e52d 100644
--- a/test/controllers/devise_token_auth/registrations_controller_test.rb
+++ b/test/controllers/devise_token_auth/registrations_controller_test.rb
@@ -297,6 +297,35 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 end
 end
+ describe 'missing email' do
+ before do
+ post '/auth', {
+ password: "secret123",
+ password_confirmation: "secret123",
+ confirm_success_url: Faker::Internet.url
+ }
+
+ @resource = assigns(:resource)
+ @data = JSON.parse(response.body)
+ end
+
+ test "request should not be successful" do
+ assert_equal 403, response.status
+ end
+
+ test "user should not have been created" do
+ assert_nil @resource.id
+ end
+
+ test "error should be returned in the response" do
+ assert @data['errors'].length
+ end
+
+ test "full_messages should be included in error hash" do
+ assert @data['errors']['full_messages'].length
+ end
+ end
+
 describe "Mismatched passwords" do
 before do
 post '/auth', { From 9b41f0cfef8a4516d69360f5d7f5e3919bb58532 Mon Sep 17 00:00:00 2001 From: Aaron Snyder Date: Thu, 23 Apr 2015 15:12:39 -0400 Subject: [PATCH 091/328] fixes password reset when not using confirmable
--- app/models/devise_token_auth/concerns/user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
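Review bot: `assert @data['errors'].length` in the "error should be returned in the response" test, and the `full_messages` assertion right after it, pass even when the collection is empty, because `0` is truthy in Ruby and only `nil`/`false` fail `assert`. They currently only prove the key exists, not that an error was reported for the missing email. Use `refute_empty @data['errors']` and `refute_empty @data['errors']['full_messages']` so a regression that returns 403 with an empty error hash is caught.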
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index cd403d849..0966fcb22 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
@@ -65,7 +65,7 @@ def send_reset_password_instructions(opts=nil)
 # fall back to "default" config name
 opts[:client_config] ||= "default"
- if pending_reconfirmation?
+ if respond_to?(:pending_reconfirmation?) && pending_reconfirmation?
 opts[:to] = unconfirmed_email
 else
 opts[:to] = email From d07eca5997c55fd61e6d5c857a23659251d8505f Mon Sep 17 00:00:00 2001 From: Jason Swett Date: Mon, 11 May 2015 18:28:02 -0400 Subject: [PATCH 092/328] Allow current_password to be supplied when updating profile.
--- .../devise_token_auth/registrations_controller.rb | 11 +++++++++-- .../registrations_controller_test.rb | 12 ++++++++++++ test/dummy/app/controllers/application_controller.rb | 1 + 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb
index 988296eb1..771012bd2 100644
--- a/app/controllers/devise_token_auth/registrations_controller.rb
+++ b/app/controllers/devise_token_auth/registrations_controller.rb
@@ -94,8 +94,7 @@ def create
 def update
 if @resource
-
- if @resource.update_attributes(account_update_params)
+ if @resource.send(resource_update_method, account_update_params)
 yield @resource if block_given?
 render json: {
 status: 'success',
@@ -142,6 +141,14 @@ def account_update_params
 private
+ def resource_update_method
+ if account_update_params.has_key?(:current_password)
+ "update_with_password"
+ else
+ "update_attributes"
+ end
+ end
+
 def validate_sign_up_params
 validate_post_data sign_up_params, 'Please submit proper sign up data in request body.'
 end
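Review bot: `resource_update_method` lets the client decide whether the current password is verified: `update_with_password` is only chosen when the request carries a `current_password` key, so a request that simply omits it falls through to `update_attributes` and changes the same attributes without re-authenticating. If the goal is to protect profile updates, the choice should come from server-side configuration or from which attributes are being changed, not from the presence of a key in `account_update_params`. Note also that the key can only appear when the host app permits `:current_password` in its parameter sanitizer (the dummy app does this in the same commit); when it is not permitted, a supplied password is silently ignored. A comment above the method stating this contract, e.g. `# Verifies current_password only if the client supplied it; see host app sanitizer`, would make the behaviour explicit. The `update` method's body continues outside the first hunk.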
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 069628146..aff7b8b67 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -440,6 +440,18 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration assert_equal @email.downcase, @existing_user.email assert_equal @email.downcase, @existing_user.uid end + + test "Supply current password" do + @request_params.merge!( + current_password: "secret123", + email: "new.email@example.com", + ) + + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload + assert_equal @existing_user.email, "new.email@example.com" + end end describe 'validate non-empty body' do diff --git a/test/dummy/app/controllers/application_controller.rb b/test/dummy/app/controllers/application_controller.rb index c941fac42..44d131dde 100644 --- a/test/dummy/app/controllers/application_controller.rb +++ b/test/dummy/app/controllers/application_controller.rb @@ -10,5 +10,6 @@ def configure_permitted_parameters devise_parameter_sanitizer.for(:sign_up) << :favorite_color devise_parameter_sanitizer.for(:account_update) << :operating_thetan devise_parameter_sanitizer.for(:account_update) << :favorite_color + devise_parameter_sanitizer.for(:account_update) << :current_password end end From f9fcb0842222fda925e16c59d8c8d41d357dda01 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Thu, 21 May 2015 12:30:20 -0400 Subject: [PATCH 093/328] fix(resource_class): support optional mapping property from set_user_by_token --- .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
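Review bot: The new "Supply current password" test only covers the happy path; there is no case where `current_password` is wrong, so a regression that stops checking it would pass unnoticed. Add a companion test that sends `current_password: "wrong"` with the same email change and asserts `@existing_user.reload.email` is unchanged. Minor style: `assert_equal` takes the expected value first, so `assert_equal "new.email@example.com", @existing_user.email` produces a readable failure message.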
diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
index 7846fe609..35bca8a12 100644
--- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
@@ -105,7 +105,7 @@ def whitelisted_params
 end
 # pull resource class from omniauth return
- def resource_class
+ def resource_class(mapping = nil)
 if omniauth_params
 omniauth_params['resource_class'].constantize
 end From 789c5ccf473ff79e834c793a5a97d5e247d0cfe2 Mon Sep 17 00:00:00 2001 From: Nate Brustein Date: Fri, 22 May 2015 17:43:04 +0200 Subject: [PATCH 094/328] fix(sessions controller): call reset_session on destroy
--- app/controllers/devise_token_auth/sessions_controller.rb | 1 + .../devise_token_auth/sessions_controller_test.rb | 6 ++++++ 2 files changed, 7 insertions(+)
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb
index 993e1b2f2..b13a84f81 100644
--- a/app/controllers/devise_token_auth/sessions_controller.rb
+++ b/app/controllers/devise_token_auth/sessions_controller.rb
@@ -2,6 +2,7 @@ module DeviseTokenAuth
 class SessionsController < DeviseTokenAuth::ApplicationController
 before_filter :set_user_by_token, :only => [:destroy]
+ after_action :reset_session, :only => [:destroy]
 def create
 # Check
diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb
index 3c91d7ac3..44264f8cf 100644
--- a/test/controllers/devise_token_auth/sessions_controller_test.rb
+++ b/test/controllers/devise_token_auth/sessions_controller_test.rb
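Review bot: The new `mapping` parameter on `resource_class` is accepted only so the signature matches what `set_user_by_token` passes, and it is never read; without a comment the next reader will expect it to select the class. Add `# mapping is ignored here: the class is taken from omniauth_params, not from the devise mapping` above the method. The surrounding `omniauth_params['resource_class'].constantize` predates this change, but since it turns a stored string into a constant it is worth confirming that the value cannot be influenced by the client (for example by checking it against the configured devise mappings before constantizing).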
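Review bot: `after_action :reset_session, :only => [:destroy]` sits directly under `before_filter :set_user_by_token, :only => [:destroy]`, mixing the old `_filter` alias with the `_action` naming in adjacent lines; `before_action :set_user_by_token, :only => [:destroy]` keeps the two consistent. A one-line comment on why the Rails session is dropped here would also help, e.g. `# drop any cookie-session state once the token has been revoked`.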
@@ -90,6 +90,8 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 describe 'authed user sign out' do
 before do
+ def @controller.reset_session_called; @reset_session_called == true; end
+ def @controller.reset_session; @reset_session_called = true; end
 @auth_headers = @existing_user.create_new_auth_token
 request.headers.merge!(@auth_headers)
 xhr :delete, :destroy, format: :json
@@ -103,6 +105,10 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 @existing_user.reload
 refute @existing_user.tokens[@auth_headers["client"]]
 end
+
+ test "session was destroyed" do
+ assert_equal true, @controller.reset_session_called
+ end
 end
 describe 'unauthed user sign out' do From 5f18c3af0092376ea7eb33a725d32b57d34d5228 Mon Sep 17 00:00:00 2001 From: Nate Brustein Date: Fri, 22 May 2015 18:02:48 +0200 Subject: [PATCH 095/328] feat(ominauth): support json-formatted values in omniauth callback. Fixes #221
--- .../omniauth_success.html.erb | 4 ++-- .../omniauth_callbacks_controller_test.rb | 20 ++++++++++--------- 2 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/app/views/devise_token_auth/omniauth_success.html.erb b/app/views/devise_token_auth/omniauth_success.html.erb
index 697b92038..d47f05e9b 100644
--- a/app/views/devise_token_auth/omniauth_success.html.erb
+++ b/app/views/devise_token_auth/omniauth_success.html.erb
@@ -1,9 +1,9 @@
 <% @resource.as_json.each do |attr, val| %>
- "<%= attr %>": "<%= val %>",
+ "<%= attr %>": <%= val.to_json.html_safe %>,
 <% end %>
 "auth_token": "<%= @token %>",
 "message": "deliverCredentials",
 "client_id": "<%= @client_id %>",
 "expiry": "<%= @expiry %>",
-"config": "<%= @config %>"
+"config": "<%= @config %>" \ No newline at end of file
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
index 1874697a7..b1e1597d7 100644
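Review bot: `<%= val.to_json.html_safe %>` switches off ERB escaping for every serialized attribute, so the only thing keeping a provider-supplied value such as `name` or `image` from breaking out of the surrounding script/JSON is the HTML-entity escaping ActiveSupport's JSON encoder applies when `escape_html_entities_in_json` is enabled. That is host-app configuration, not something this engine controls, so either confirm it is forced on or escape explicitly in the template: `"<%= attr %>": <%= ERB::Util.json_escape(val.to_json).html_safe %>,`, which neutralises `<`, `>` and `&` regardless of the app setting. The same consideration applies to the other interpolated values on the page (`@token`, `@client_id`, `@config`), which still go through the default HTML escaper rather than a JSON one.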
--- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -60,16 +60,18 @@ class OmniauthTest < ActionDispatch::IntegrationTest test 'response contains all serializable attributes for user' do post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) - assert post_message["id"] - assert post_message["email"] - assert post_message["uid"] - assert post_message["name"] - assert post_message["favorite_color"] - assert post_message["message"] - assert post_message["client_id"] + + ['id', 'email', 'uid', 'name', + 'favorite_color', 'tokens', 'password' + ].each do |key| + assert_equal post_message[key], @resource.as_json[key], "Unexpected value for #{key.inspect}" + end + + assert_equal "deliverCredentials", post_message["message"] assert post_message["auth_token"] - refute post_message["tokens"] - refute post_message["password"] + assert post_message["client_id"] + assert post_message["expiry"] + assert post_message["config"] end test 'session vars have been cleared' do From e903d89c8348a0fb7ba8c40cf79db16074e86971 Mon Sep 17 00:00:00 2001 From: ann_lewis Date: Wed, 27 May 2015 11:41:17 -0400 Subject: [PATCH 096/328] fix(session#new): unset client_id to avoid unhandled 500 server error caused by logging in with valid user, bad password, and DeviseTokenAuth.change_headers_on_each_request = false --- .../concerns/set_user_by_token.rb | 9 ++++-- .../sessions_controller_test.rb | 30 +++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 099be68f4..2e522690a 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
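Review bot: Dropping `refute post_message["tokens"]` and `refute post_message["password"]` in favour of `assert_equal post_message[key], @resource.as_json[key]` weakens the test: if `as_json` ever starts exposing `tokens` or `password`, both sides agree and the test still passes while token hashes are written into the response page. Keep explicit negative assertions next to the loop, e.g. `refute post_message.key?('tokens')` and `refute post_message.key?('password')`. Also, `assert_equal` expects the expected value first, so `assert_equal @resource.as_json[key], post_message[key], "Unexpected value for #{key.inspect}"` gives correct failure output.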
@@ -14,7 +14,6 @@ def set_request_start
 # user auth
 def set_user_by_token(mapping=nil)
-
 # determine target authentication class
 rc = resource_class(mapping)
@@ -39,6 +38,12 @@ def set_user_by_token(mapping=nil)
 # user has already been found and authenticated
 return @resource if @resource and @resource.class == rc
+ # ensure we clear the client_id
+ if !@token
+ @client_id = nil
+ return
+ end
+
 return false unless @token
 # mitigate timing attacks by finding by uid instead of auth token
@@ -49,13 +54,13 @@ def set_user_by_token(mapping=nil)
 return @resource = user
 else
 # zero all values previously set values
+ @client_id = nil
 return @resource = nil
 end
 end
 def update_auth_header
-
 # cannot save object if model has invalid params
 return unless @resource and @resource.valid? and @client_id
diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb
index 3c91d7ac3..7051e7648 100644
--- a/test/controllers/devise_token_auth/sessions_controller_test.rb
+++ b/test/controllers/devise_token_auth/sessions_controller_test.rb
@@ -136,6 +136,36 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
 end
 end
+ describe 'failure with bad password when change_headers_on_each_request false' do
+ before do
+ DeviseTokenAuth.change_headers_on_each_request = false
+
+ # accessing current_user calls through set_user_by_token,
+ # which initializes client_id
+ @controller.current_user
+
+ xhr :post, :create, {
+ email: @existing_user.email,
+ password: 'bogus'
+ }
+
+ @resource = assigns(:resource)
+ @data = JSON.parse(response.body)
+ end
+
+ test "request should fail" do
+ assert_equal 401, response.status
+ end
+
+ test "response should contain errors" do
+ assert @data['errors']
+ end
+
+ after do
+ DeviseTokenAuth.change_headers_on_each_request = true
+ end
+ end
+
 describe 'case-insensitive email' do
 before do
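Review bot: After the new `if !@token` block in the second hunk, the existing `return false unless @token` on the following line can never execute, and the early exit now returns `nil` where the method previously returned `false`, so any caller that tests for `false` specifically (none is visible here) sees a behaviour change. Fold the two together so the dead line goes away and the return value is preserved: `unless @token` / `@client_id = nil` / `return false` / `end`. The `@client_id = nil` added in the third hunk is the same reset for the no-match case; a comment there tying it to the guard in `update_auth_header` below, e.g. `# no resource matched this token: forget the client so no auth header is issued`, records why both resets are needed.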
From 2427af688033ad3bc8386139b12c06df77af6100 Mon Sep 17 00:00:00 2001 From: Brent Date: Wed, 27 May 2015 14:41:44 -0400 Subject: [PATCH 097/328] fix(email-validation): Simplify default in-use email validation message during registration to allow full_message use Currently, if you have an email validation error during registration, you get a `full_message` response of "Email This Email address is already in use" and so you cannot simply regurgitate that as a client-facing error. This is because `full_message` construction takes the field name and prepends it to the default devise messaging. While this commit results in more abbreviated messaging, it allows `full_messages` to be used across the board without any additional programmatic work. If this message is not ideal, I believe it can still be modified through devise translation configuration: http://stackoverflow.com/a/12435725/824966 --- app/models/devise_token_auth/concerns/user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index cd403d849..a62cf8f4a 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -225,7 +225,7 @@ def generate_url(url, params = {}) # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, :already_in_use, default: "This email address is already in use") + errors.add(:email, :already_in_use, default: "address is already in use") end end From 3c4c16709a3bacbd4725e0e3836b18eeeb25206a Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Mon, 8 Jun 2015 16:15:22 -0400 Subject: [PATCH 098/328] perf(update_auth_header): only lock the resource if we are rotating tokens and need to worry about contention --- .../concerns/set_user_by_token.rb | 48 ++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 099be68f4..740cac569 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -59,36 +59,40 @@ def update_auth_header # cannot save object if model has invalid params return unless @resource and @resource.valid? and @client_id - # Lock the user record during any auth_header updates to ensure - # we don't have write contention from multiple threads - @resource.with_lock do + if not DeviseTokenAuth.change_headers_on_each_request + auth_header = @resource.build_auth_header(@token, @client_id) - # determine batch request status after request processing, in case - # another processes has updated it during that processing - @is_batch_request = is_batch_request?(@resource, @client_id) + # update the response header + response.headers.merge!(auth_header) - auth_header = {} + else + + # Lock the user record during any auth_header updates to ensure + # we don't have write contention from multiple threads + @resource.with_lock do - if not DeviseTokenAuth.change_headers_on_each_request - auth_header = @resource.build_auth_header(@token, @client_id) + # determine batch request status after request processing, in case + # another processes has updated it during that processing + @is_batch_request = is_batch_request?(@resource, @client_id) - # update the response header - response.headers.merge!(auth_header) + auth_header = {} - # extend expiration of batch buffer to account for the duration of - # this request - elsif @is_batch_request - auth_header = @resource.extend_batch_buffer(@token, @client_id) + # extend expiration of batch buffer to account for the duration of + # this request + if @is_batch_request + auth_header = @resource.extend_batch_buffer(@token, @client_id) - # update Authorization response header with new token - else - auth_header = @resource.create_new_auth_token(@client_id) + # update Authorization response header with new token + else + auth_header = @resource.create_new_auth_token(@client_id) - # update the response header - response.headers.merge!(auth_header) - end + # update the response header + 
response.headers.merge!(auth_header) + end - end # end lock + end # end lock + + end end From 2113dc82bf5ec4a8e23f3428f6f4983f777c09d7 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 16 Jun 2015 18:32:57 -0400 Subject: [PATCH 099/328] merge master + resolve conflicts --- .../omniauth_callbacks_controller.rb | 7 ++- .../omniauth_success.html.erb | 3 ++ .../omniauth_callbacks_controller_test.rb | 50 +++++++++++++++++++ 3 files changed, 58 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 35bca8a12..7bd4fa915 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -25,6 +25,7 @@ def omniauth_success uid: auth_hash['uid'], provider: auth_hash['provider'] }).first_or_initialize + @oauth_registration = @resource.new_record? # create token info @client_id = SecureRandom.urlsafe_base64(nil, false) @@ -32,13 +33,15 @@ def omniauth_success @expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i @config = omniauth_params['config_name'] - @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], { + auth_origin_url_params = { token: @token, client_id: @client_id, uid: @resource.uid, expiry: @expiry, config: @config - }) + } + auth_origin_url_params.merge!(oauth_registration: true) if @oauth_registration + @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], auth_origin_url_params) # set crazy password for new oauth users. this is only used to prevent # access via email sign-in. diff --git a/app/views/devise_token_auth/omniauth_success.html.erb b/app/views/devise_token_auth/omniauth_success.html.erb index d47f05e9b..5536ede5e 100644 --- a/app/views/devise_token_auth/omniauth_success.html.erb +++ b/app/views/devise_token_auth/omniauth_success.html.erb 
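Review bot: In the new fast path guarded by `if not DeviseTokenAuth.change_headers_on_each_request`, `@is_batch_request` is no longer assigned (the old code set it before branching, inside the lock), so anything that reads that ivar after this method runs — nothing is visible in this hunk — now sees `nil` when header rotation is off. If nothing depends on it, say so in a comment above the branch, e.g. `# header rotation is off: no batch-window bookkeeping and no row lock needed`; if something does, keep `@is_batch_request = is_batch_request?(@resource, @client_id)` ahead of the branch. Stylistically, `if not …` is normally written `unless DeviseTokenAuth.change_headers_on_each_request`. The hunk covers the whole body of `update_auth_header` but the method's closing lines and the surrounding module are outside it.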
@@ -6,4 +6,7 @@ "message": "deliverCredentials", "client_id": "<%= @client_id %>", "expiry": "<%= @expiry %>", +<% if @oauth_registration %> +"oauth_registration": "true", +<% end %> "config": "<%= @config %>" \ No newline at end of file diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index b1e1597d7..c85e543c1 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -101,6 +101,56 @@ class OmniauthTest < ActionDispatch::IntegrationTest end end + end + + describe "oauth_registration attr" do + + def stub_resource + relation = {} + def relation.first_or_initialize + @resource ||= User.new + def @resource.save!; end # prevent validation error + @resource + end + User.stub(:where, relation) do + yield(relation.first_or_initialize) + end + end + + test 'response contains oauth_registration attr with new user' do + + stub_resource do |resource| + def resource.new_record? + true + end + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url + } + + post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) + assert post_message['oauth_registration'] + assert_match 'oauth_registration', @controller.instance_variable_get(:@auth_origin_url) + end + end + + test 'response does not contain oauth_registration attr with existing user' do + + stub_resource do |resource| + def resource.new_record? + false + end + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url + } + + post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) + refute post_message['oauth_registration'] + assert_no_match 'oauth_registration', @controller.instance_variable_get(:@auth_origin_url) + end + end + + + end describe 'pass additional params' do 
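Review bot: `"oauth_registration": "true",` emits a string where the rest of this template now emits real JSON values via `to_json`, so a consumer checking `oauth_registration === true` will not match. Emitting `"oauth_registration": true,` keeps the type consistent; the new test only asserts truthiness (`assert post_message['oauth_registration']`), so it would not catch the difference either way, and a `assert_equal true, post_message['oauth_registration']` would pin it.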
From 0d40de9e0f5ee50b355d75614d5c820b80930dea Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 17 Jun 2015 10:23:20 -0400 Subject: [PATCH 100/328] chore(deps): update gems - rails, devise, omniauth (and providers), guard, minitest --- Gemfile.lock | 144 ++++++++++++++++++++++++++------------------------- 1 file changed, 73 insertions(+), 71 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 198211d02..21638844b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,10 +1,10 @@ GIT remote: git://github.com/intridea/omniauth-github.git - revision: 21fa5e1a7295a11eae42846690b1eee88e57c23a + revision: 45f2fc73d6d06f30863adac0e6aa112bcaaadf67 specs: omniauth-github (1.1.2) omniauth (~> 1.0) - omniauth-oauth2 (~> 1.1) + omniauth-oauth2 (>= 1.1.1, < 2.0) GIT remote: git://github.com/laserlemon/figaro.git @@ -15,16 +15,18 @@ GIT GIT remote: git://github.com/mkdynamic/omniauth-facebook.git - revision: 9f729037e5c27d102462ebbb205b5da17f9aaf86 + revision: b127c35135b16b7d5cdc746a718192acfe1da21c specs: - omniauth-facebook (2.0.0) + omniauth-facebook (2.1.0) omniauth-oauth2 (~> 1.2) GIT remote: git://github.com/zquestz/omniauth-google-oauth2.git - revision: 74d9e4fa4ec369bbb088628b1f400e54d3094fd9 + revision: 814732cb0761f2b4a26375049ccd42da5655eccb specs: omniauth-google-oauth2 (0.2.6) + jwt (~> 1.0) + multi_json (~> 1.3) omniauth (>= 1.1.1) omniauth-oauth2 (>= 1.1.1) 
@@ -38,36 +40,36 @@ PATH GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.0) - actionpack (= 4.2.0) - actionview (= 4.2.0) - activejob (= 4.2.0) + actionmailer (4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.0) - actionview (= 4.2.0) - activesupport (= 4.2.0) - rack (~> 1.6.0) + actionpack (4.2.2) + actionview (= 4.2.2) + activesupport (= 4.2.2) + rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.1) - actionview (4.2.0) - activesupport (= 4.2.0) + actionview (4.2.2) + activesupport (= 4.2.2) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.1) - activejob (4.2.0) - activesupport (= 4.2.0) + activejob (4.2.2) + activesupport (= 4.2.2) globalid (>= 0.3.0) - activemodel (4.2.0) - activesupport (= 4.2.0) + activemodel (4.2.2) + activesupport (= 4.2.2) builder (~> 3.1) - activerecord (4.2.0) - activemodel (= 4.2.0) - activesupport (= 4.2.0) + activerecord (4.2.2) + activemodel (= 4.2.2) + activesupport (= 4.2.2) arel (~> 6.0) - activesupport (4.2.0) + activesupport (4.2.2) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) @@ -84,7 +86,7 @@ GEM codeclimate-test-reporter (0.4.4) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) - devise (3.4.1) + devise (3.5.1) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) 
@@ -96,59 +98,64 @@ GEM erubis (2.7.0) faker (1.4.3) i18n (~> 0.5) - faraday (0.9.0) + faraday (0.9.1) multipart-post (>= 1.2, < 3) - ffi (1.9.6) + ffi (1.9.8) formatador (0.2.5) fuzz_ball (0.9.1) - globalid (0.3.3) + globalid (0.3.5) activesupport (>= 4.1.0) - guard (2.10.5) + guard (2.12.6) formatador (>= 0.2.4) listen (~> 2.7) lumberjack (~> 1.0) nenv (~> 0.1) + notiffany (~> 0.0) pry (>= 0.9.12) + shellany (~> 0.0) thor (>= 0.18.1) - guard-minitest (2.3.2) - guard (~> 2.0) + guard-compat (1.2.1) + guard-minitest (2.4.4) + guard-compat (~> 1.2) minitest (>= 3.0) - hashie (3.3.2) - hike (1.2.3) + hashie (3.4.2) hitimes (1.2.2) i18n (0.7.0) - json (1.8.1) - jwt (1.2.0) - listen (2.8.4) - celluloid (>= 0.15.2) + json (1.8.3) + jwt (1.5.0) + listen (2.10.1) + celluloid (~> 0.16.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) - loofah (2.0.1) + loofah (2.0.2) nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) method_source (0.8.2) - mime-types (2.4.3) + mime-types (2.6.1) mini_portile (0.6.2) - minitest (5.5.0) + minitest (5.7.0) minitest-focus (1.1.0) minitest (>= 4, < 6) - minitest-rails (2.1.1) - minitest (~> 5.4) + minitest-rails (2.2.0) + minitest (~> 5.7) railties (~> 4.1) minitest-reporters (1.0.8) ansi builder minitest (>= 5.0) ruby-progressbar - multi_json (1.10.1) + multi_json (1.11.1) multi_xml (0.5.5) multipart-post (2.0.0) mysql2 (0.3.17) - nenv (0.1.1) - nokogiri (1.6.5) + nenv (0.2.0) + nokogiri (1.6.6.2) mini_portile (~> 0.6.0) + notiffany (0.0.6) + nenv (~> 0.1) + shellany (~> 0.0) oauth2 (1.0.0) faraday (>= 0.8, < 0.10) jwt (~> 1.0) @@ -158,9 +165,7 @@ GEM omniauth (1.2.2) hashie (>= 1.2, < 4) rack (~> 1.0) - omniauth-oauth2 (1.2.0) - faraday (>= 0.8, < 0.10) - multi_json (~> 1.3) + omniauth-oauth2 (1.3.0) oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) 
@@ -172,60 +177,57 @@ GEM pry-remote (0.1.8) pry (~> 0.9) slop (~> 3.0) - rack (1.6.0) + rack (1.6.2) rack-cors (0.3.1) - rack-test (0.6.2) + rack-test (0.6.3) rack (>= 1.0) - rails (4.2.0) - actionmailer (= 4.2.0) - actionpack (= 4.2.0) - actionview (= 4.2.0) - activejob (= 4.2.0) - activemodel (= 4.2.0) - activerecord (= 4.2.0) - activesupport (= 4.2.0) + rails (4.2.2) + actionmailer (= 4.2.2) + actionpack (= 4.2.2) + actionview (= 4.2.2) + activejob (= 4.2.2) + activemodel (= 4.2.2) + activerecord (= 4.2.2) + activesupport (= 4.2.2) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.0) + railties (= 4.2.2) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) - rails-dom-testing (1.0.5) + rails-dom-testing (1.0.6) activesupport (>= 4.2.0.beta, < 5.0) nokogiri (~> 1.6.0) rails-deprecated_sanitizer (>= 1.0.1) - rails-html-sanitizer (1.0.1) + rails-html-sanitizer (1.0.2) loofah (~> 2.0) - railties (4.2.0) - actionpack (= 4.2.0) - activesupport (= 4.2.0) + railties (4.2.2) + actionpack (= 4.2.2) + activesupport (= 4.2.2) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (10.4.2) - rb-fsevent (0.9.4) + rb-fsevent (0.9.5) rb-inotify (0.9.5) ffi (>= 0.5.0) responders (2.1.0) railties (>= 4.2.0, < 5) ruby-progressbar (1.7.1) + shellany (0.0.1) simplecov (0.9.1) docile (~> 1.1.0) multi_json (~> 1.0) simplecov-html (~> 0.8.0) simplecov-html (0.8.0) slop (3.6.0) - sprockets (2.12.3) - hike (~> 1.2) - multi_json (~> 1.0) + sprockets (3.2.0) rack (~> 1.0) - tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.2.4) + sprockets-rails (2.3.1) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) thor (0.19.1) - thread_safe (0.3.4) - tilt (1.4.1) + thread_safe (0.3.5) timers (4.0.1) hitimes tzinfo (1.2.2) From 5e4e4c02eb162061b296217c1ea846befa6a8457 Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Wed, 17 Jun 2015 10:30:49 -0400 Subject: [PATCH 101/328] docs(README): remove trailing / misleading period in test-running instructions --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 820a7b37a..4d39ef1de 100644 --- a/README.md +++ b/README.md @@ -840,7 +840,7 @@ To run the test suite do the following: 2. Run `bundle install` 3. Run `rake db:migrate` 4. Run `RAILS_ENV=test rake db:migrate` -5. Run `guard`. +5. Run `guard` The last command will open the [guard](https://github.com/guard/guard) test-runner. Guard will re-run each test suite when changes are made to its corresponding files. From 27cad66a519660802f56d5ac52357b1dd270bfa6 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 17 Jun 2015 14:03:04 -0400 Subject: [PATCH 102/328] perf(token_is_current?): add simplistic cache to reduce overhead of redundant token checks during validation calls --- app/models/devise_token_auth/concerns/user.rb | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 5c61964ee..a6e6f51be 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -1,6 +1,17 @@ module DeviseTokenAuth::Concerns::User extend ActiveSupport::Concern + def self.tokens_match?(token_hash, token) + @token_equality_cache ||= {} + + key = "#{token_hash}/#{token}" + result = @token_equality_cache[key] ||= (BCrypt::Password.new(token_hash) == token) + if @token_equality_cache.size > 10000 + @token_equality_cache = {} + end + result + end + included do # Hack to check if devise is already enabled unless self.method_defined?(:devise_modules) 
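Review bot: `tokens_match?` builds its cache key from the raw bearer token (`key = "#{token_hash}/#{token}"`), so every token that has ever been checked stays in process memory in plaintext until the 10000-entry reset, independent of the expiry stored next to the hash; a heap dump or a console that inspects the module would then expose live credentials. Keying on a digest keeps the speed-up without retaining the secret: `key = "#{token_hash}/#{Digest::SHA256.hexdigest(token.to_s)}"` with `require 'digest'` at the top of the file. The module-level Hash is also read and replaced without a lock, so under a threaded server the `@token_equality_cache = {}` reset can race with a concurrent `||=` from another request; a `Mutex#synchronize` around the lookup, or a comment stating that the race is accepted, would help the next reader. Note too that `||=` never stores a `false` result, so rejected tokens are recomputed every time, which is the safer choice but worth a one-line comment since it is not obvious from the name.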
@@ -111,7 +122,7 @@ def token_is_current?(token, client_id) DateTime.strptime(expiry.to_s, '%s') > Time.now and # ensure that the token is valid - BCrypt::Password.new(token_hash) == token + DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token) ) end From 82a0ec818d8d28b4b8ad7bd13fdb715b72c4e8ec Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 22 Jun 2015 11:01:36 -0700 Subject: [PATCH 103/328] v0.1.32.beta10 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 21638844b..2a0846ab0 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta9) + devise_token_auth (0.1.32.beta10) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 5adc9660c..c5adaaa26 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta9" + VERSION = "0.1.32.beta10" end From d304d1c61528438e92fc8ebbdc7c7e6cb941df12 Mon Sep 17 00:00:00 2001 
From: Samuel Gwilym Date: Fri, 10 Apr 2015 17:48:40 +0200 Subject: [PATCH 104/328] Added block yielding to ConfirmationsController, PasswordsController, SessionsController, TokenValidationsController, and OmniAuthCallbacksController Includes tests and documentation --- README.md | 36 +++++----- .../confirmations_controller.rb | 2 + .../omniauth_callbacks_controller.rb | 2 + .../devise_token_auth/passwords_controller.rb | 3 + .../devise_token_auth/sessions_controller.rb | 4 ++ .../token_validations_controller.rb | 1 + .../custom_confirmations_controller_test.rb | 26 ++++++++ ...stom_omniauth_callbacks_controller_test.rb | 29 ++++++++ .../custom_passwords_controller_test.rb | 66 +++++++++++++++++++ .../custom_registrations_controller_test.rb | 2 +- .../custom/custom_sessions_controller_test.rb | 30 +++++++++ ...ustom_token_validations_controller_test.rb | 29 ++++++++ .../custom/confirmations_controller.rb | 13 ++++ .../custom/omniauth_callbacks_controller.rb | 13 ++++ .../custom/passwords_controller.rb | 35 ++++++++++ .../controllers/custom/sessions_controller.rb | 23 +++++++ .../custom/token_validations_controller.rb | 13 ++++ test/dummy/config/routes.rb | 7 +- 18 files changed, 315 insertions(+), 19 deletions(-) create mode 100644 test/controllers/custom/custom_confirmations_controller_test.rb create mode 100644 test/controllers/custom/custom_omniauth_callbacks_controller_test.rb create mode 100644 test/controllers/custom/custom_passwords_controller_test.rb create mode 100644 test/controllers/custom/custom_sessions_controller_test.rb create mode 100644 test/controllers/custom/custom_token_validations_controller_test.rb create mode 100644 test/dummy/app/controllers/custom/confirmations_controller.rb create mode 100644 test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb create mode 100644 test/dummy/app/controllers/custom/passwords_controller.rb create mode 100644 test/dummy/app/controllers/custom/sessions_controller.rb create mode 100644 
test/dummy/app/controllers/custom/token_validations_controller.rb diff --git a/README.md b/README.md index 820a7b37a..e6308b005 100644 --- a/README.md +++ b/README.md @@ -50,8 +50,8 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is * [Using Multiple User Classes](#using-multiple-models) * [Excluding Modules](#excluding-modules) * [Custom Controller Overrides](#custom-controller-overrides) - * [Email Template Overrides](#email-template-overrides) * [Passing blocks to Controllers](#passing-blocks-controllers) + * [Email Template Overrides](#email-template-overrides) * [Issue Reporting Guidelines](#issue-reporting) * [FAQ](#faq) * [Conceptual Diagrams](#conceptual) @@ -650,6 +650,24 @@ mount_devise_token_auth_for 'User', at: 'auth', controllers: { **Note:** Controller overrides must implement the expected actions of the controllers that they replace. +## Passing blocks to Controllers + +It may be that you simply want to _add_ behavior to existing controllers without having to re-implement their behavior completely. In this case, you can do so by creating a new controller that inherits from any of DeviseTokenAuth's controllers, overriding whichever methods you'd like to add behavior to by passing a block to `super`: + +```ruby +class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController + + def create + super do |resource| + resource.do_something(extra) + end + end + +end +``` + +Your block will be performed just before the controller would usually render a successful response. + ## Email Template Overrides You will probably want to override the default email templates for email sign-up and password-reset confirmation. Run the following command to copy the email templates into your app: 
@@ -667,22 +685,6 @@ These files may be edited to suit your taste. **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. -## Passing blocks to RegistrationController - -If you simply want to add behaviour to the existing Registration controller, you can do so by creating a new controller that inherits from it, and override the `create`, `update` or `destroy` methods, and passing a block to super: - -```ruby -class Custom::RegistrationsController < DeviseTokenAuth::RegistrationsController - - def create - super do |resource| - resource.add_something(extra) - end - end - -end -``` - # Issue Reporting When posting issues, please include the following information to speed up the troubleshooting process: diff --git a/app/controllers/devise_token_auth/confirmations_controller.rb b/app/controllers/devise_token_auth/confirmations_controller.rb index ed9bf1720..bf336e4d3 100644 --- a/app/controllers/devise_token_auth/confirmations_controller.rb +++ b/app/controllers/devise_token_auth/confirmations_controller.rb @@ -17,6 +17,8 @@ def show @resource.save! + yield if block_given? + redirect_to(@resource.build_auth_url(params[:redirect_url], { token: token, client_id: client_id, diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 7846fe609..47c2a973f 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -69,6 +69,8 @@ def omniauth_success @resource.save! + yield if block_given? + # render user info to javascript postMessage communication window render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_success" end 
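Review bot: Each new `yield if block_given?` invokes the block with no arguments, while the README section in this same commit documents `super do |resource| ... end` and the dummy controllers declare a `resource` parameter, so a caller that uses that argument receives `nil`. The same applies to the omniauth_success hunk here and to the passwords (create/edit/update), sessions (create/destroy) and token_validations hunks that follow. `yield @resource if block_given?` would match the documented contract at every insertion point where `@resource` is in scope; in sessions#destroy the record appears to be the local `user`, so that hunk would yield `user` instead. The enclosing `show` and `omniauth_success` methods start outside the hunk.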
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 9fc594689..31cc66fe3 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -57,6 +57,7 @@ def create error_status = 400 if @resource + yield if block_given? @resource.send_reset_password_instructions({ email: email, provider: 'email', @@ -108,6 +109,7 @@ def edit @resource.skip_confirmation! unless @resource.confirmed_at @resource.save! + yield if block_given? redirect_to(@resource.build_auth_url(params[:redirect_url], { token: token, @@ -147,6 +149,7 @@ def update end if @resource.update_attributes(password_resource_params) + yield if block_given? return render json: { success: true, data: { diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 993e1b2f2..afa5281f0 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -37,6 +37,8 @@ def create sign_in(:user, @resource, store: false, bypass: false) + yield if block_given? + render json: { data: @resource.token_validation_response } @@ -68,6 +70,8 @@ def destroy user.tokens.delete(client_id) user.save! + yield if block_given? + render json: { success:true }, status: 200 diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 9824c2c46..9c0666489 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb 
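Review bot: In the passwords#create hunk the `yield if block_given?` is placed before `@resource.send_reset_password_instructions`, so the block runs before the reset token exists and even if the delivery afterwards fails, whereas every other hunk in this commit yields after the state change and just before the success response, which is what the README promises. Moving the line below the send call (after the closing of its argument hash, which lies outside the hunk) would make the hook consistent with edit, update and the other controllers. The enclosing `create` method starts and ends outside the hunk.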
@@ -6,6 +6,7 @@ class TokenValidationsController < DeviseTokenAuth::ApplicationController def validate_token # @resource will have been set by set_user_token concern if @resource + yield if block_given? render json: { success: true, data: @resource.token_validation_response diff --git a/test/controllers/custom/custom_confirmations_controller_test.rb b/test/controllers/custom/custom_confirmations_controller_test.rb new file mode 100644 index 000000000..9fbde6043 --- /dev/null +++ b/test/controllers/custom/custom_confirmations_controller_test.rb @@ -0,0 +1,26 @@ +require 'test_helper' + +class Custom::ConfirmationsControllerTest < ActionController::TestCase + + describe Custom::ConfirmationsController do + + before do + @redirect_url = Faker::Internet.url + @new_user = users(:unconfirmed_email_user) + @new_user.send_confirmation_instructions({ + redirect_url: @redirect_url + }) + @mail = ActionMailer::Base.deliveries.last + @token = @mail.body.match(/confirmation_token=([^&]*)&/)[1] + @client_config = @mail.body.match(/config=([^&]*)&/)[1] + + get :show, {confirmation_token: @token, redirect_url: @redirect_url} + end + + test "yield resource to block on show success" do + assert @controller.show_block_called?, "show failed to yield resource to provided block" + end + + end + +end diff --git a/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb new file mode 100644 index 000000000..edf785cb1 --- /dev/null +++ b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb 
@@ -0,0 +1,29 @@ +require 'test_helper' + +class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest + + describe Custom::OmniauthCallbacksController do + + setup do + OmniAuth.config.test_mode = true + OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({ + :provider => 'facebook', + :uid => '123545', + :info => { + name: 'swong', + email: 'swongsong@yandex.ru' + } + }) + end + + test "yield resource to block on omniauth_sucess success" do + @redirect_url = "http://ng-token-auth.dev/" + get_via_redirect '/nice_user_auth/facebook', { + auth_origin_url: @redirect_url + } + assert @controller.omniauth_success_block_called?, "omniauth_success failed to yield resource to provided block" + end + + end + +end diff --git a/test/controllers/custom/custom_passwords_controller_test.rb b/test/controllers/custom/custom_passwords_controller_test.rb new file mode 100644 index 000000000..5ca4862d4 --- /dev/null +++ b/test/controllers/custom/custom_passwords_controller_test.rb 
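Review bot: The test name `"yield resource to block on omniauth_sucess success"` misspells the action it exercises; `"yield resource to block on omniauth_success success"` keeps the description greppable against the controller method. The `setup` block also turns on `OmniAuth.config.test_mode` and installs a mock auth hash without restoring them, which presumably leaks into other test files in the same process; a `teardown` that resets both, or a comment saying the global test_helper owns that state, would make the dependency explicit.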
@@ -0,0 +1,66 @@ +require 'test_helper' + +class Custom::PasswordsControllerTest < ActionController::TestCase + + describe Custom::PasswordsController do + + before do + @resource = users(:confirmed_email_user) + @redirect_url = 'http://ng-token-auth.dev' + end + + test "yield resource to block on create success" do + post :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @mail = ActionMailer::Base.deliveries.last + @resource.reload + + @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1]) + @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) + @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1] + + assert @controller.create_block_called?, "create failed to yield resource to provided block" + end + + test "yield resource to block on edit success" do + @resource = users(:unconfirmed_email_user) + @redirect_url = 'http://ng-token-auth.dev' + + xhr :post, :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @mail = ActionMailer::Base.deliveries.last + @resource.reload + + @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1]) + @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) + @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1] + + xhr :get, :edit, { + reset_password_token: @mail_reset_token, + redirect_url: @mail_redirect_url + } + + @resource.reload + assert @controller.edit_block_called?, "edit failed to yield resource to provided block" + end + + test "yield resource to block on update success" do + @auth_headers = @resource.create_new_auth_token + request.headers.merge!(@auth_headers) + @new_password = Faker::Internet.password + put :update, { + password: @new_password, + password_confirmation: @new_password + } + assert @controller.update_block_called?, "update failed to yield resource to provided block" + end + + end + +end 
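Review bot: In the "create success" test the three `@mail_*` assignments and `@resource.reload` are never read, so the regexes over the mail body only add unrelated ways for the test to fail; the assertion on `create_block_called?` is the whole test. Dropping those lines, or asserting on them, would keep the test focused on the block hook. The "edit success" test has the same unused `@mail_config_name`, while `@mail_redirect_url` and `@mail_reset_token` there are genuinely consumed by the `:edit` request.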
diff --git a/test/controllers/custom/custom_registrations_controller_test.rb b/test/controllers/custom/custom_registrations_controller_test.rb index 1d705497a..61c97a1e9 100644 --- a/test/controllers/custom/custom_registrations_controller_test.rb +++ b/test/controllers/custom/custom_registrations_controller_test.rb @@ -35,7 +35,7 @@ class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest test "yield resource to block on destroy success" do delete '/nice_user_auth', @auth_headers - assert @controller.destroy_block_called?, "update failed to yield resource to provided block" + assert @controller.destroy_block_called?, "destroy failed to yield resource to provided block" end end diff --git a/test/controllers/custom/custom_sessions_controller_test.rb b/test/controllers/custom/custom_sessions_controller_test.rb new file mode 100644 index 000000000..6df14c8d9 --- /dev/null +++ b/test/controllers/custom/custom_sessions_controller_test.rb @@ -0,0 +1,30 @@ +require 'test_helper' + +class Custom::SessionsControllerTest < ActionController::TestCase + + describe Custom::SessionsController do + + before do + @existing_user = users(:confirmed_email_user) + @existing_user.skip_confirmation! + @existing_user.save! + end + + test "yield resource to block on create success" do + post :create, { + email: @existing_user.email, + password: 'secret123' + } + assert @controller.create_block_called?, "create failed to yield resource to provided block" + end + + test "yield resource to block on destroy success" do + @auth_headers = @existing_user.create_new_auth_token + request.headers.merge!(@auth_headers) + delete :destroy, format: :json + assert @controller.destroy_block_called?, "destroy failed to yield resource to provided block" + end + + end + +end diff --git a/test/controllers/custom/custom_token_validations_controller_test.rb b/test/controllers/custom/custom_token_validations_controller_test.rb new file mode 100644 index 000000000..29c40aef3 --- /dev/null 
+++ b/test/controllers/custom/custom_token_validations_controller_test.rb @@ -0,0 +1,29 @@ +require 'test_helper' + +class Custom::TokenValidationsControllerTest < ActionDispatch::IntegrationTest + + describe Custom::TokenValidationsController do + + before do + @resource = nice_users(:confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + + @auth_headers = @resource.create_new_auth_token + + @token = @auth_headers['access-token'] + @client_id = @auth_headers['client'] + @expiry = @auth_headers['expiry'] + + # ensure that request is not treated as batch request + age_token(@resource, @client_id) + end + + test "yield resource to block on validate_token success" do + get '/nice_user_auth/validate_token', {}, @auth_headers + assert @controller.validate_token_block_called?, "validate_token failed to yield resource to provided block" + end + + end + +end diff --git a/test/dummy/app/controllers/custom/confirmations_controller.rb b/test/dummy/app/controllers/custom/confirmations_controller.rb new file mode 100644 index 000000000..6bebe342b --- /dev/null +++ b/test/dummy/app/controllers/custom/confirmations_controller.rb @@ -0,0 +1,13 @@ +class Custom::ConfirmationsController < DeviseTokenAuth::ConfirmationsController + + def show + super do |resource| + @show_block_called = true + end + end + + def show_block_called? + @show_block_called == true + end + +end diff --git a/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb b/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb new file mode 100644 index 000000000..d733277e2 --- /dev/null +++ b/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb @@ -0,0 +1,13 @@ +class Custom::OmniauthCallbacksController < DeviseTokenAuth::OmniauthCallbacksController + + def omniauth_success + super do |resource| + @omniauth_success_block_called = true + end + end + + def omniauth_success_block_called? + @omniauth_success_block_called == true + end + +end 
diff --git a/test/dummy/app/controllers/custom/passwords_controller.rb b/test/dummy/app/controllers/custom/passwords_controller.rb new file mode 100644 index 000000000..88ae25a00 --- /dev/null +++ b/test/dummy/app/controllers/custom/passwords_controller.rb @@ -0,0 +1,35 @@ +class Custom::PasswordsController < DeviseTokenAuth::PasswordsController + + def create + super do |resource| + @create_block_called = true + end + end + + def edit + super do |resource| + @edit_block_called = true + end + end + + def update + super do |resource| + @update_block_called = true + end + end + + def create_block_called? + @create_block_called == true + end + + def edit_block_called? + @edit_block_called == true + end + + def update_block_called? + @update_block_called == true + end + + + +end diff --git a/test/dummy/app/controllers/custom/sessions_controller.rb b/test/dummy/app/controllers/custom/sessions_controller.rb new file mode 100644 index 000000000..74113d0b5 --- /dev/null +++ b/test/dummy/app/controllers/custom/sessions_controller.rb @@ -0,0 +1,23 @@ +class Custom::SessionsController < DeviseTokenAuth::SessionsController + + def create + super do |resource| + @create_block_called = true + end + end + + def destroy + super do |resource| + @destroy_block_called = true + end + end + + def create_block_called? + @create_block_called == true + end + + def destroy_block_called? + @destroy_block_called == true + end + +end diff --git a/test/dummy/app/controllers/custom/token_validations_controller.rb b/test/dummy/app/controllers/custom/token_validations_controller.rb new file mode 100644 index 000000000..ad496e722 --- /dev/null +++ b/test/dummy/app/controllers/custom/token_validations_controller.rb @@ -0,0 +1,13 @@ +class Custom::TokenValidationsController < DeviseTokenAuth::TokenValidationsController + + def validate_token + super do |resource| + @validate_token_block_called = true + end + end + + def validate_token_block_called? + @validate_token_block_called == true + end + +end 
diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 796f63252..66a0b4b5f 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -20,7 +20,12 @@ } mount_devise_token_auth_for 'NiceUser', at: 'nice_user_auth', controllers: { - registrations: 'custom/registrations' + registrations: 'custom/registrations', + confirmations: 'custom/confirmations', + passwords: 'custom/passwords', + sessions: 'custom/sessions', + token_validations: 'custom/token_validations', + omniauth_callbacks: 'custom/omniauth_callbacks' } mount_devise_token_auth_for 'OnlyEmailUser', at: 'only_email_auth', skip: [:omniauth_callbacks] From 57379c0dbb414a1eaa8e1d43756db15ff1c6de7a Mon Sep 17 00:00:00 2001 From: Miles Matthias Date: Tue, 23 Jun 2015 13:44:13 -0600 Subject: [PATCH 105/328] ran the tests per the README. this is the resulting test schema. --- test/dummy/db/schema.rb | 144 ++++++++++++++++++++-------------------- 1 file changed, 72 insertions(+), 72 deletions(-) diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index 4b50acf27..a1adc9a90 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
@@ -14,27 +14,27 @@ ActiveRecord::Schema.define(version: 20150409095712) do create_table "evil_users", force: :cascade do |t| - t.string "email" - t.string "encrypted_password", default: "", null: false - t.string "reset_password_token" + t.string "email", limit: 255 + t.string "encrypted_password", limit: 255, default: "", null: false + t.string "reset_password_token", limit: 255 t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", limit: 4, default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip" - t.string "last_sign_in_ip" - t.string "confirmation_token" + t.string "current_sign_in_ip", limit: 255 + t.string "last_sign_in_ip", limit: 255 + t.string "confirmation_token", limit: 255 t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email" - t.string "name" - t.string "nickname" - t.string "image" - t.string "provider" - t.string "uid", default: "", null: false - t.text "tokens" - t.string "favorite_color" + t.string "unconfirmed_email", limit: 255 + t.string "name", limit: 255 + t.string "nickname", limit: 255 + t.string "image", limit: 255 + t.string "provider", limit: 255 + t.string "uid", limit: 255, default: "", null: false + t.text "tokens", limit: 65535 + t.string "favorite_color", limit: 255 t.datetime "created_at" t.datetime "updated_at" end 
@@ -45,31 +45,31 @@ add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true create_table "mangs", force: :cascade do |t| - t.string "email" - t.string "encrypted_password", default: "", null: false - t.string "reset_password_token" + t.string "email", limit: 255 + t.string "encrypted_password", limit: 255, default: "", null: false + t.string "reset_password_token", limit: 255 t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url" + t.string "reset_password_redirect_url", limit: 255 t.datetime "remember_created_at" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", limit: 4, default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip" - t.string "last_sign_in_ip" - t.string "confirmation_token" + t.string "current_sign_in_ip", limit: 255 + t.string "last_sign_in_ip", limit: 255 + t.string "confirmation_token", limit: 255 t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url" - t.string "unconfirmed_email" - t.string "name" - t.string "nickname" - t.string "image" - t.string "provider" - t.string "uid", default: "", null: false - t.text "tokens" + t.string "confirm_success_url", limit: 255 + t.string "unconfirmed_email", limit: 255 + t.string "name", limit: 255 + t.string "nickname", limit: 255 + t.string "image", limit: 255 + t.string "provider", limit: 255 + t.string "uid", limit: 255, default: "", null: false + t.text "tokens", limit: 65535 t.datetime "created_at" t.datetime "updated_at" - t.string "favorite_color" + t.string "favorite_color", limit: 255 end add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true 
@@ -107,14 +107,14 @@ add_index "nice_users", ["uid", "provider"], name: "index_nice_users_on_uid_and_provider", unique: true create_table "only_email_users", force: :cascade do |t| - t.string "provider", null: false - t.string "uid", default: "", null: false - t.string "encrypted_password", default: "", null: false - t.string "name" - t.string "nickname" - t.string "image" - t.string "email" - t.text "tokens" + t.string "provider", limit: 255, null: false + t.string "uid", limit: 255, default: "", null: false + t.string "encrypted_password", limit: 255, default: "", null: false + t.string "name", limit: 255 + t.string "nickname", limit: 255 + t.string "image", limit: 255 + t.string "email", limit: 255 + t.text "tokens", limit: 65535 t.datetime "created_at" t.datetime "updated_at" end 
@@ -123,26 +123,26 @@ add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true create_table "unregisterable_users", force: :cascade do |t| - t.string "provider", null: false - t.string "uid", default: "", null: false - t.string "encrypted_password", default: "", null: false - t.string "reset_password_token" + t.string "provider", limit: 255, null: false + t.string "uid", limit: 255, default: "", null: false + t.string "encrypted_password", limit: 255, default: "", null: false + t.string "reset_password_token", limit: 255 t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", limit: 4, default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip" - t.string "last_sign_in_ip" - t.string "confirmation_token" + t.string "current_sign_in_ip", limit: 255 + t.string "last_sign_in_ip", limit: 255 + t.string "confirmation_token", limit: 255 t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email" - t.string "name" - t.string "nickname" - t.string "image" - t.string "email" - t.text "tokens" + t.string "unconfirmed_email", limit: 255 + t.string "name", limit: 255 + t.string "nickname", limit: 255 + t.string "image", limit: 255 + t.string "email", limit: 255 + t.text "tokens", limit: 65535 t.datetime "created_at" t.datetime "updated_at" end 
@@ -152,32 +152,32 @@ add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true create_table "users", force: :cascade do |t| - t.string "email" - t.string "encrypted_password", default: "", null: false - t.string "reset_password_token" + t.string "email", limit: 255 + t.string "encrypted_password", limit: 255, default: "", null: false + t.string "reset_password_token", limit: 255 t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url" + t.string "reset_password_redirect_url", limit: 255 t.datetime "remember_created_at" - t.integer "sign_in_count", default: 0, null: false + t.integer "sign_in_count", limit: 4, default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip" - t.string "last_sign_in_ip" - t.string "confirmation_token" + t.string "current_sign_in_ip", limit: 255 + t.string "last_sign_in_ip", limit: 255 + t.string "confirmation_token", limit: 255 t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url" - t.string "unconfirmed_email" - t.string "name" - t.string "nickname" - t.string "image" - t.string "provider" - t.string "uid", default: "", null: false - t.text "tokens" + t.string "confirm_success_url", limit: 255 + t.string "unconfirmed_email", limit: 255 + t.string "name", limit: 255 + t.string "nickname", limit: 255 + t.string "image", limit: 255 + t.string "provider", limit: 255 + t.string "uid", limit: 255, default: "", null: false + t.text "tokens", limit: 65535 t.datetime "created_at" t.datetime "updated_at" - t.integer "operating_thetan" - t.string "favorite_color" + t.integer "operating_thetan", limit: 4 + t.string "favorite_color", limit: 255 end add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true From c131893ef905d6269cc2dc6e65633dfdb2497f3d Mon Sep 17 00:00:00 2001 
From: Adam Gall Date: Wed, 24 Jun 2015 20:59:10 -0400 Subject: [PATCH 106/328] Update documentation for validate_token The `Usage TL;DR` section of README.md has documentation for `validate_token` that states that the method takes `id` and `auth_token` as params. However, the class where `validate_token` is defined (`TokenValidationsController`) includes a `:before_filter :set_user_by_token`, whose definition parses headers and query params for `access-token`, not `auth_token`. This commit updates the documentation to specify that `access-token` is an accepted param instead of `auth_token`. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a449e7ec0..1cbbfc03b 100644 --- a/README.md +++ b/README.md 
@@ -139,7 +139,7 @@ The following routes are available for use by your client. These routes live rel | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. | | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | -| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`auth_token`** as params. These values should correspond to the columns in your `User` table of the same names. | +| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | | /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). | | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. 
These values will be set automatically by the confirmation email that is generated by the password reset request. | From 672ac99295fc466584d51ccb04d6e103945e994a Mon Sep 17 00:00:00 2001 From: Cory Schires Date: Fri, 3 Jul 2015 12:17:03 -0500 Subject: [PATCH 107/328] Don't send password reset instructions to unconfirmed email Background ------------------------------------------------------------------------------- Currently, we're overriding the Devise's `send_reset_password_instructions` to pass a few additional options. Problem ------------------------------------------------------------------------------- As part of this, we're also [overriding the recipient email address](https://github.com/lynndylanhurley/devise_token_auth/blob/master/app/models/devise_token_auth/concerns/user.rb#L79-L83) in order to conditionally send to the user's unconfirmed email. This is a (small) security liability. For more info see issue https://github.com/lynndylanhurley/devise_token_auth/issues/287. Solution ------------------------------------------------------------------------------- We still need to override `send_reset_password_instructions`, for good reason. But we don't need to override the `to` address. We can fix the issue by eliminating those specific lines. --- app/models/devise_token_auth/concerns/user.rb | 6 ------ 1 file changed, 6 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index e1f0101ed..bdaf11486 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -76,12 +76,6 @@ def send_reset_password_instructions(opts=nil) # fall back to "default" config name opts[:client_config] ||= "default" - if respond_to?(:pending_reconfirmation?) && pending_reconfirmation? - opts[:to] = unconfirmed_email - else - opts[:to] = email - end - send_devise_notification(:reset_password_instructions, token, opts) token 
From 7a2fc528badd386d3a150388eb92cfd8cffd5136 Mon Sep 17 00:00:00 2001 From: Nicholas Shook Date: Wed, 24 Jun 2015 14:49:18 -0700 Subject: [PATCH 108/328] Added json support for tokens In the installation generator script, the migration template checks to see if the app is using postgres by seeing what sub-class of ``ActiveRecord::ConnectionAdapter`` the app is using. If it is postgres, or mysql with the correct version, the app will use a token column instead of a text one Postgres has JSON types as of 9.3 Mysql has JSON types as of 5.7.7 http://mysqlserverteam.com/json-labs-release-native-json-data-type-and-binary-format/ teeny refactoring --- .../devise_token_auth/install_generator.rb | 28 +++++++++++++++++++ .../devise_token_auth_create_users.rb.erb | 2 +- 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/lib/generators/devise_token_auth/install_generator.rb b/lib/generators/devise_token_auth/install_generator.rb
index a9b8cdea4..5a7521ba7 100644
--- a/lib/generators/devise_token_auth/install_generator.rb
+++ b/lib/generators/devise_token_auth/install_generator.rb
@@ -115,5 +115,33 @@ def parse_file_for_line(filename, str)
 end
 match
 end
+
+ def json_supported_database?
+ (postgres? && postgres_correct_version?) || (mysql? && mysql_correct_version?)
+ end
+
+ def postgres?
+ database_name == 'ActiveRecord::ConnectionAdapters::PostgreSQLAdapter'
+ end
+
+ def postgres_correct_version?
+ database_version > '9.3'
+ end
+
+ def mysql?
+ database_name == 'ActiveRecord::ConnectionAdapters::MysqlAdapter'
+ end
+
+ def mysql_correct_version?
+ database_version > '5.7.7'
+ end
+
+ def database_name
+ ActiveRecord::Base.connection.class.name
+ end
+
+ def database_version
+ ActiveRecord::Base.connection.select_value('SELECT VERSION()')
+ end
 end
 end
diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb
index a384daace..20358cad8 100644
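Review bot: `postgres_correct_version?` and `mysql_correct_version?` compare the raw `SELECT VERSION()` string lexically with `>`, which does not order versions: on PostgreSQL the value begins with the text `PostgreSQL ...`, so `database_version > '9.3'` is true for every release, and on MySQL a string such as `5.10.0` sorts below `5.7.7`. Extract the numeric part and compare with `Gem::Version`, e.g. `Gem::Version.new(database_version[/\d+(\.\d+)+/]) >= Gem::Version.new('9.3')` (and `'5.7.7'` for MySQL). `mysql?` also matches only `MysqlAdapter`; apps on the `mysql2` gem report `ActiveRecord::ConnectionAdapters::Mysql2Adapter` and will silently keep the `t.text` column that the template hunk on the next line falls back to. The generator now opens a live `ActiveRecord::Base.connection` to pick the column type, so it raises when run before the database exists; either rescue that and fall back to `t.text`, or document the prerequisite in the generator's description.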
--- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb @@ -40,7 +40,7 @@ class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration t.string :email ## Tokens - t.text :tokens + <%= json_supported_database? ? 't.json :tokens' : 't.text :tokens' %> t.timestamps end From b9b338510cdf3e707c9a64a5a414d349c08db729 Mon Sep 17 00:00:00 2001 From: Jay Liu Date: Mon, 6 Jul 2015 20:43:04 -0400 Subject: [PATCH 109/328] Fix MOUNT_PATH 'Read More' link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1cbbfc03b..c870c9f9b 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,7 @@ This generator accepts the following optional arguments: | Argument | Default | Description | |---|---|---| | USER_CLASS | `User` | The name of the class to use for user authentication. | -| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage). | +| MOUNT_PATH | `auth` | The path at which to mount the authentication routes. [Read more](#usage-tldr). | The following events will take place when using the install generator: From ccd9925b5640c03a326c43c1ff62f70e0abb83fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adis=20=D0=9E=D1=81=D0=BC=D0=BE=D0=BD=D0=BE=D0=B2?= Date: Wed, 8 Jul 2015 13:23:12 +0600 Subject: [PATCH 110/328] Update README.md Add note about change_headers_on_each_request parameter --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c870c9f9b..2bfece77e 100644 --- a/README.md +++ b/README.md 
@@ -800,7 +800,7 @@ This gem automatically manages batch requests. You can change the time buffer fo This gem takes the following steps to ensure security. This gem uses auth tokens that are: -* [changed after every request](#about-token-management), +* [changed after every request](#about-token-management) (can be [turned off](https://github.com/lynndylanhurley/devise_token_auth/#initializer-settings)), * [of cryptographic strength](http://ruby-doc.org/stdlib-2.1.0/libdoc/securerandom/rdoc/SecureRandom.html), * hashed using [BCrypt](https://github.com/codahale/bcrypt-ruby) (not stored in plain-text), * securely compared (to protect against timing attacks), From cfac0f14b0ee0a80711e4ded8bde251df44e5bce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Se=CC=81bastien=20Fieloux?= Date: Tue, 30 Jun 2015 11:30:59 +0200 Subject: [PATCH 111/328] Add I18n support to the gem --- .../devise_token_auth/passwords_controller.rb | 18 ++--- .../registrations_controller.rb | 16 ++-- .../devise_token_auth/sessions_controller.rb | 12 +-- .../token_validations_controller.rb | 2 +- app/validators/email_validator.rb | 2 +- config/locales/devise.en.yml | 59 -------------- config/locales/en.yml | 36 +++++++++ .../passwords_controller_test.rb | 78 ++++++++++++++++++- .../registrations_controller_test.rb | 44 +++++++++++ .../sessions_controller_test.rb | 15 +++- .../token_validations_controller_test.rb | 17 ++++ 11 files changed, 207 insertions(+), 92 deletions(-) delete mode 100644 config/locales/devise.en.yml create mode 100644 config/locales/en.yml diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 31cc66fe3..34c511d9e 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb 
@@ -9,7 +9,7 @@ def create unless resource_params[:email] return render json: { success: false, - errors: ['You must provide an email address.'] + errors: [I18n.t("devise_token_auth.passwords.missing_email")] }, status: 401 end @@ -22,7 +22,7 @@ def create unless redirect_url return render json: { success: false, - errors: ['Missing redirect url.'] + errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")] }, status: 401 end @@ -32,7 +32,7 @@ def create return render json: { status: 'error', data: @resource.as_json, - errors: ["Redirect to #{redirect_url} not allowed."] + errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: redirect_url)] }, status: 403 end end @@ -68,14 +68,13 @@ def create if @resource.errors.empty? render json: { success: true, - message: "An email has been sent to #{email} containing "+ - "instructions for resetting your password." + message: I18n.t("devise_token_auth.passwords.sended", email: email) } else errors = @resource.errors end else - errors = ["Unable to find user with email '#{email}'."] + errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: email)] error_status = 404 end @@ -135,8 +134,7 @@ def update unless @resource.provider == 'email' return render json: { success: false, - errors: ["This account does not require a password. Sign in using "+ - "your #{@resource.provider.humanize} account instead."] + errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)] }, status: 422 end @@ -144,7 +142,7 @@ def update unless password_resource_params[:password] and password_resource_params[:password_confirmation] return render json: { success: false, - errors: ['You must fill out the fields labeled "password" and "password confirmation".'] + errors: [I18n.t("devise_token_auth.passwords.missing_passwords")] }, status: 422 end 
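Review bot: The `@@ -32,7` hunk names the redirect-rejection key `devise_token_auth.passwords.not_allowed_redirect_url`, while the registrations controller in the next hunk group uses `devise_token_auth.registrations.redirect_url_not_allowed` for the identical message `Redirect to %{redirect_url} not allowed.`; pick one ordering for both so translators and overriding apps find a consistent key set. Since the two messages are the same, a single shared key (e.g. `devise_token_auth.errors.redirect_url_not_allowed`, defined once in `config/locales/en.yml`) would also avoid duplicating the string.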
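Review bot: The `@@ -68,14` hunk introduces the key `devise_token_auth.passwords.sended`, a misspelling of "sent"; locale keys are part of the gem's public surface (apps override and translate them), so renaming it after release is a breaking change and it should be fixed now, here and in the matching `en.yml` entry and the `passwords_controller_test.rb` assertion. Suggested line: `message: I18n.t("devise_token_auth.passwords.sent", email: email)`.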
@@ -154,7 +152,7 @@ def update success: true, data: { user: @resource, - message: "Your password has been successfully updated." + message: I18n.t("devise_token_auth.passwords.successfully_updated") } } else diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 8daa8af94..4216f5198 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -27,7 +27,7 @@ def create return render json: { status: 'error', data: @resource.as_json, - errors: ["Missing `confirm_success_url` param."] + errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] }, status: 403 end @@ -37,7 +37,7 @@ def create return render json: { status: 'error', data: @resource.as_json, - errors: ["Redirect to #{redirect_url} not allowed."] + errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: redirect_url)] }, status: 403 end end @@ -87,7 +87,7 @@ def create render json: { status: 'error', data: @resource.as_json, - errors: ["An account already exists for #{@resource.email}"] + errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)] }, status: 403 end end @@ -109,7 +109,7 @@ def update else render json: { status: 'error', - errors: ["User not found."] + errors: [I18n.t("devise_token_auth.registrations.user_not_found")] }, status: 404 end end @@ -121,12 +121,12 @@ def destroy render json: { status: 'success', - message: "Account with uid #{@resource.uid} has been destroyed." + message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid) } else render json: { status: 'error', - errors: ["Unable to locate account for destruction."] + errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")] }, status: 404 end end 
@@ -150,11 +150,11 @@ def resource_update_method end def validate_sign_up_params - validate_post_data sign_up_params, 'Please submit proper sign up data in request body.' + validate_post_data sign_up_params, I18n.t("errors.validate_sign_up_params") end def validate_account_update_params - validate_post_data account_update_params, 'Please submit proper account update data in request body.' + validate_post_data account_update_params, I18n.t("errors.validate_account_update_params") end def validate_post_data which, message diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index db58d7907..f70f90c69 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -6,7 +6,7 @@ class SessionsController < DeviseTokenAuth::ApplicationController def new render json: { - errors: ["Use POST /sign_in to sign in. GET is not supported."] + errors: [ I18n.t("devise_token_auth.sessions.not_supported")] }, status: 405 end @@ -53,16 +53,12 @@ def create elsif @resource and not @resource.confirmed? render json: { success: false, - errors: [ - "A confirmation email was sent to your account at #{@resource.email}. "+ - "You must follow the instructions in the email before your account "+ - "can be activated" - ] + errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ] }, status: 401 else render json: { - errors: ["Invalid login credentials. Please try again."] + errors: [I18n.t("devise_token_auth.sessions.bad_credentials")] }, status: 401 end end @@ -85,7 +81,7 @@ def destroy else render json: { - errors: ["User was not found or was not logged in."] + errors: [I18n.t("devise_token_auth.sessions.user_not_found")] }, status: 404 end end 
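Review bot: `validate_sign_up_params` and `validate_account_update_params` look their messages up under the top-level `errors` namespace (`I18n.t("errors.validate_sign_up_params")`), which Rails and ActiveModel already use for `errors.messages.*` and `errors.format` and which host applications commonly populate themselves, so gem keys placed there can collide with or be shadowed by app translations. The same applies to `errors.not_email` in the `email_validator.rb` hunk and to the `errors:` section of the new `config/locales/en.yml`. Nest them under the gem's own namespace, e.g. `validate_post_data sign_up_params, I18n.t("devise_token_auth.errors.validate_sign_up_params")`, and move the three definitions under `devise_token_auth:` in `en.yml`.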
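Review bot: The sessions controller hunks write the array literal as `errors: [ I18n.t("devise_token_auth.sessions.not_supported")]` and `[ I18n.t(..., email: @resource.email) ]`, with inconsistent spacing inside the brackets, while every other hunk in this commit uses `[I18n.t(...)]`. Drop the inner spaces in both places, e.g. `errors: [I18n.t("devise_token_auth.sessions.not_supported")]`, so the style matches the rest of the change.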
diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 9c0666489..ee825c234 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -14,7 +14,7 @@ def validate_token else render json: { success: false, - errors: ["Invalid login credentials"] + errors: [I18n.t("devise_token_auth.token_validations.invalid")] }, status: 401 end end diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb index b2c877451..7aa1eeb0e 100644 --- a/app/validators/email_validator.rb +++ b/app/validators/email_validator.rb @@ -1,7 +1,7 @@ class EmailValidator < ActiveModel::EachValidator def validate_each(record, attribute, value) unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i - record.errors[attribute] << (options[:message] || 'is not an email') + record.errors[attribute] << (options[:message] || I18n.t("errors.not_email")) end end end diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml deleted file mode 100644 index abccdb087..000000000 --- a/config/locales/devise.en.yml +++ /dev/null 
@@ -1,59 +0,0 @@ -# Additional translations at https://github.com/plataformatec/devise/wiki/I18n - -en: - devise: - confirmations: - confirmed: "Your account was successfully confirmed." - send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes." - send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes." - failure: - already_authenticated: "You are already signed in." - inactive: "Your account is not activated yet." - invalid: "Invalid email or password." - locked: "Your account is locked." - last_attempt: "You have one more attempt before your account will be locked." - not_found_in_database: "Invalid email or password." - timeout: "Your session expired. Please sign in again to continue." - unauthenticated: "You need to sign in or sign up before continuing." - unconfirmed: "You have to confirm your account before continuing." - mailer: - confirmation_instructions: - subject: "Confirmation instructions" - reset_password_instructions: - subject: "Reset password instructions" - unlock_instructions: - subject: "Unlock Instructions" - omniauth_callbacks: - failure: "Could not authenticate you from %{kind} because \"%{reason}\"." - success: "Successfully authenticated from %{kind} account." - passwords: - no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided." - send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes." - send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes." - updated: "Your password was changed successfully. You are now signed in." - updated_not_active: "Your password was changed successfully." 
- registrations: - destroyed: "Bye! Your account was successfully cancelled. We hope to see you again soon." - signed_up: "Welcome! You have signed up successfully." - signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated." - signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked." - signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please open the link to activate your account." - update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and click on the confirm link to finalize confirming your new email address." - updated: "You updated your account successfully." - sessions: - signed_in: "Signed in successfully." - signed_out: "Signed out successfully." - unlocks: - send_instructions: "You will receive an email with instructions about how to unlock your account in a few minutes." - send_paranoid_instructions: "If your account exists, you will receive an email with instructions about how to unlock it in a few minutes." - unlocked: "Your account has been unlocked successfully. Please sign in to continue." - errors: - messages: - already_confirmed: "was already confirmed, please try signing in" - confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one" - expired: "has expired, please request a new one" - not_found: "not found" - not_locked: "was not locked" - not_saved: - one: "1 error prohibited this %{resource} from being saved:" - other: "%{count} errors prohibited this %{resource} from being saved:" diff --git a/config/locales/en.yml b/config/locales/en.yml new file mode 100644 index 000000000..51ad6e739 --- /dev/null +++ b/config/locales/en.yml 
@@ -0,0 +1,36 @@
+en:
+ devise_token_auth:
+ sessions:
+ not_confirmed: "A confirmation email was sent to your account at %{email}. You must follow the instructions in the email before your account can be activated"
+ bad_credentials: "Invalid login credentials. Please try again."
+ not_supported: "Use POST /sign_in to sign in. GET is not supported."
+ user_not_found: "User was not found or was not logged in."
+ token_validations:
+ invalid: "Invalid login credentials"
+ registrations:
+ missing_confirm_success_url: "Missing `confirm_success_url` param."
+ redirect_url_not_allowed: "Redirect to %{redirect_url} not allowed."
+ email_already_exists: "An account already exists for %{email}"
+ account_with_uid_destroyed: "Account with uid %{uid} has been destroyed."
+ account_to_destroy_not_found: "Unable to locate account for destruction."
+ user_not_found: "User not found."
+ passwords:
+ missing_email: "You must provide an email address."
+ missing_redirect_url: "Missing redirect url."
+ not_allowed_redirect_url: "Redirect to %{redirect_url} not allowed."
+ sended: "An email has been sent to %{email} containing instructions for resetting your password."
+ user_not_found: "Unable to find user with email '%{email}'."
+ password_not_required: "This account does not require a password. Sign in using your %{provider} account instead."
+ missing_passwords: 'You must fill out the fields labeled "password" and "password confirmation".'
+ successfully_updated: "Your password has been successfully updated."
+
+ errors:
+ validate_sign_up_params: "Please submit proper sign up data in request body."
+ validate_account_update_params: "Please submit proper account update data in request body."
+ not_email: "is not an email"
+
+
+
+
+
+
diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb
index 870672898..f488e6ed6 100644
--- a/test/controllers/devise_token_auth/passwords_controller_test.rb
+++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -14,16 +14,65 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase @redirect_url = 'http://ng-token-auth.dev' end - describe 'request password reset' do - test 'unknown user should return 404' do + describe 'not email should return 401' do + before do + @auth_headers = @resource.create_new_auth_token + @new_password = Faker::Internet.password + xhr :post, :create, { - email: 'chester@cheet.ah', redirect_url: @redirect_url } + @data = JSON.parse(response.body) + end + + test 'response should fail' do + assert_equal 401, response.status + end + test 'error message should be returned' do + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")] + end + end + describe 'not redirect_url should return 401' do + before do + @auth_headers = @resource.create_new_auth_token + @new_password = Faker::Internet.password + + xhr :post, :create, { + email: 'chester@cheet.ah', + } + @data = JSON.parse(response.body) + end + + test 'response should fail' do + assert_equal 401, response.status + end + test 'error message should be returned' do + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_redirect_url")] + end + end + + describe 'request password reset' do + describe 'unknown user should return 404' do + before do + xhr :post, :create, { + email: 'chester@cheet.ah', + redirect_url: @redirect_url + } + @data = JSON.parse(response.body) + end + test 'unknown user should return 404' do + assert_equal 404, response.status + end - assert_equal 404, response.status + test 'errors should be returned' do + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.user_not_found", email: 'chester@cheet.ah')] + end end + describe 'case-sensitive email' do before do xhr :post, :create, { 
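Review bot: The new assertions compare the response against `I18n.t(...)` evaluated inside the test, so a missing or misspelled key cannot fail: the controller and the test both get the same `translation missing: ...` string back and `assert_equal` passes. Assert the literal English text, or make the lookup strict in the test, e.g. `assert_equal [I18n.t("devise_token_auth.passwords.missing_email", raise: true)], @data["errors"]`. That line also fixes the argument order: `assert_equal` takes the expected value first, and these hunks pass the actual value first, which swaps the labels in failure output. The same pattern is repeated in every other test hunk of this commit (the remaining `passwords_controller_test.rb` hunks, `registrations_controller_test.rb`, `sessions_controller_test.rb` and `token_validations_controller_test.rb`). The `before` block of `describe 'not email should return 401'` also assigns `@auth_headers` and `@new_password`, which nothing in that block reads.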
@@ -33,6 +82,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase @mail = ActionMailer::Base.deliveries.last @resource.reload + @data = JSON.parse(response.body) @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1]) @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) @@ -43,6 +93,10 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase assert_equal 200, response.status end + test 'response should contains message' do + assert_equal @data["message"], I18n.t("devise_token_auth.passwords.sended", email: @resource.email) + end + test 'action should send an email' do assert @mail end @@ -203,6 +257,16 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase assert_equal 403, response.status end + test "request to non-whitelisted redirect should return error message" do + xhr :post, :create, { + email: @resource.email, + redirect_url: @bad_redirect_url + } + + @data = JSON.parse(response.body) + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @bad_redirect_url)] + end end describe "change password" do @@ -217,6 +281,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase password_confirmation: @new_password } + @data = JSON.parse(response.body) @resource.reload end @@ -224,6 +289,11 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase assert_equal 200, response.status end + test "request should return success message" do + assert @data["data"]["message"] + assert_equal @data["data"]["message"], I18n.t("devise_token_auth.passwords.successfully_updated") + end + test "new password should authenticate user" do assert @resource.valid_password?(@new_password) end 
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index aa62aa7b9..fef52206e 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb @@ -129,8 +129,38 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration confirm_success_url: @bad_redirect_url, unpermitted_param: '(x_x)' } + @data = JSON.parse(response.body) assert_equal 403, response.status + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @bad_redirect_url)] + end + end + + describe 'failure if not redirecturl' do + + test "request should fail if not redirect_url" do + post '/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + unpermitted_param: '(x_x)' + } + + assert_equal 403, response.status + end + + test "request to non-whitelisted redirect should fail" do + post '/auth', { + email: Faker::Internet.email, + password: "secret123", + password_confirmation: "secret123", + unpermitted_param: '(x_x)' + } + @data = JSON.parse(response.body) + + assert @data["errors"] + assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] end end @@ -404,6 +434,10 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration assert_equal 200, response.status end + test "message should be returned" do + assert @data["message"] + assert_equal @data["message"], I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @existing_user.uid) + end test "existing user should be deleted" do refute User.where(id: @existing_user.id).first end 
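Review bot: In the new `describe 'failure if not redirecturl'` block the second test is titled "request to non-whitelisted redirect should fail", but its request omits `confirm_success_url` entirely and it asserts the `missing_confirm_success_url` message, so the name describes a different scenario than the one exercised. Both tests in the block also issue the identical request; move the `post` into a `before` and keep two short tests, renaming the second to `test "request without confirm_success_url should return error message" do`. The describe name itself has a typo (`redirecturl`).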
@@ -418,6 +452,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration test 'request returns 404 (not found) status' do assert_equal 404, response.status end + + test 'error should be returned' do + assert @data['errors'].length + assert_equal @data['errors'], [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")] + end end end @@ -556,6 +595,11 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration assert_equal 404, response.status end + test "error should be returned" do + assert @data["errors"].length + assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.user_not_found")] + end + test "User should not be updated" do refute_equal @new_operating_thetan, @existing_user.operating_thetan end diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index ec04b9900..ea7478b97 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -85,6 +85,10 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase test 'user is notified that they should use post sign_in to authenticate' do assert_equal 405, response.status end + test "response should contain errors" do + assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.not_supported")] + end end describe 'alt auth keys' do 
@@ -129,11 +133,17 @@ def @controller.reset_session; @reset_session_called = true; end before do @auth_headers = @existing_user.create_new_auth_token xhr :delete, :destroy, format: :json + @data = JSON.parse(response.body) end test "unauthed request returns 404" do assert_equal 404, response.status end + + test "response should contain errors" do + assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.user_not_found")] + end end describe 'failure' do @@ -153,6 +163,7 @@ def @controller.reset_session; @reset_session_called = true; end test "response should contain errors" do assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.bad_credentials")] end end @@ -160,7 +171,7 @@ def @controller.reset_session; @reset_session_called = true; end before do DeviseTokenAuth.change_headers_on_each_request = false - # accessing current_user calls through set_user_by_token, + # accessing current_user calls through set_user_by_token, # which initializes client_id @controller.current_user @@ -179,6 +190,7 @@ def @controller.reset_session; @reset_session_called = true; end test "response should contain errors" do assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.bad_credentials")] end after do @@ -228,6 +240,7 @@ def @controller.reset_session; @reset_session_called = true; end test "response should contain errors" do assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.not_confirmed", email: @unconfirmed_user.email)] end end diff --git a/test/controllers/devise_token_auth/token_validations_controller_test.rb b/test/controllers/devise_token_auth/token_validations_controller_test.rb index 24d064479..8a9b7fced 100644 --- a/test/controllers/devise_token_auth/token_validations_controller_test.rb +++ b/test/controllers/devise_token_auth/token_validations_controller_test.rb 
@@ -45,5 +45,22 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
 assert_equal 200, response.status
 end
 end
+
+ describe 'failure' do
+ before do
+ get '/api/v1/auth/validate_token', {}, @auth_headers.merge({"access-token" => "12345"})
+ @resp = JSON.parse(response.body)
+ end
+
+ test "request should fail" do
+ assert_equal 401, response.status
+ end
+
+ test "response should contain errors" do
+ assert @resp['errors']
+ assert_equal @resp['errors'], [I18n.t("devise_token_auth.token_validations.invalid")]
+ end
+ end
+
 end
 end
From b3b98bb9e31e504939f3b808753c76db270250ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Se=CC=81bastien=20Fieloux?= Date: Wed, 8 Jul 2015 14:12:28 +0200 Subject: [PATCH 112/328] When we edit user password (after asking reset). Do not run skip_confirmation! is the user is not :confirmable --- .../devise_token_auth/passwords_controller.rb | 6 ++- .../passwords_controller_test.rb | 41 +++++++++++--- test/dummy/app/models/unconfirmable_user.rb | 8 +++ test/dummy/config/routes.rb | 2 + ...e_token_auth_create_unconfirmable_users.rb | 54 +++++++++++++++++++ test/dummy/db/schema.rb | 27 +++++++++- test/fixtures/unconfirmable_users.yml | 9 ++++ 7 files changed, 138 insertions(+), 9 deletions(-) create mode 100644 test/dummy/app/models/unconfirmable_user.rb create mode 100644 test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb create mode 100644 test/fixtures/unconfirmable_users.yml
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
index 31cc66fe3..b64b3b42a 100644
--- a/app/controllers/devise_token_auth/passwords_controller.rb
+++ b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -106,7 +106,7 @@ def edit } # ensure that user is confirmed - @resource.skip_confirmation! unless @resource.confirmed_at + @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at @resource.save! yield if block_given? @@ -118,7 +118,9 @@ def edit config: params[:config] })) else - raise ActionController::RoutingError.new('Not Found') + render json: { + success: false + }, status: 404 end end diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 870672898..0a8097be2 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -68,13 +68,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end describe 'password reset link failure' do - test 'request should not be authorized' do - assert_raises(ActionController::RoutingError) { - xhr :get, :edit, { + test 'respone should return 404' do + xhr :get, :edit, { reset_password_token: 'bogus', redirect_url: @mail_redirect_url - } } + + assert_equal 404, response.status end end 
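Review bot: The 404 branch now renders `{ success: false }` with no `errors` array, whereas the failure responses asserted in the sessions and token_validations tests earlier in this series all carry `errors: [I18n.t(...)]`; adding an `errors` entry (with a new locale key for an invalid or expired reset token) would let clients handle this failure uniformly. The `skip_confirmation!` guard is right for models without `:confirmable`, but the intent deserves a comment because it auto-confirms an account on the strength of a reset link, e.g. `# a valid reset token was delivered by email, so an unconfirmed :confirmable account is confirmed here`. The body of `edit` starts before this hunk.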
@@ -327,9 +327,38 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase @resource.reload end + end + describe 'unconfirmable user' do + setup do + @request.env['devise.mapping'] = Devise.mappings[:unconfirmable_user] + end + + teardown do + @request.env['devise.mapping'] = Devise.mappings[:user] + end + + before do + @resource = unconfirmable_users(:user) + @redirect_url = 'http://ng-token-auth.dev' + + xhr :post, :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @mail = ActionMailer::Base.deliveries.last + @resource.reload - test 'unconfirmed email user should now be confirmed' do - assert @resource.confirmed_at + @mail_config_name = CGI.unescape(@mail.body.match(/config=([^&]*)&/)[1]) + @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) + @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1] + + xhr :get, :edit, { + reset_password_token: @mail_reset_token, + redirect_url: @mail_redirect_url + } + + @resource.reload end end diff --git a/test/dummy/app/models/unconfirmable_user.rb b/test/dummy/app/models/unconfirmable_user.rb new file mode 100644 index 000000000..64fb15e53 --- /dev/null +++ b/test/dummy/app/models/unconfirmable_user.rb @@ -0,0 +1,8 @@ +class UnconfirmableUser < ActiveRecord::Base + # Include default devise modules. + devise :database_authenticatable, :registerable, + :recoverable, :rememberable, + :trackable, :validatable, + :omniauthable + include DeviseTokenAuth::Concerns::User +end diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 66a0b4b5f..24c3c984f 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -32,6 +32,8 @@ mount_devise_token_auth_for 'UnregisterableUser', at: 'unregisterable_user_auth', skip: [:registrations] + mount_devise_token_auth_for 'UnconfirmableUser', at: 'unconfirmable_user_auth' + # test namespacing namespace :api do scope :v1 do 
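Review bot: The new `describe 'unconfirmable user'` block has `setup`, `teardown` and a `before` hook but no `test`, so the hook never runs and the non-confirmable path through `edit` that this patch adds is never exercised; the removed `assert @resource.confirmed_at` appears to have been the only assertion in this area. Add at least one test after the `before` block — assuming the success branch of `edit` redirects, `test 'edit succeeds for a model without :confirmable' do assert_response :redirect end` is a reasonable minimum, and asserting that `@resource` does not respond to `confirmed_at` would pin the scenario being tested. The surrounding `describe` blocks start before this hunk.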
diff --git a/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb b/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb
new file mode 100644
index 000000000..1a0e1db46
--- /dev/null
+++ b/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb
@@ -0,0 +1,54 @@
+class DeviseTokenAuthCreateUnconfirmableUsers < ActiveRecord::Migration
+ def change
+ create_table(:unconfirmable_users) do |t|
+ ## Required
+ t.string :provider, :null => false
+ t.string :uid, :null => false, :default => ""
+
+ ## Database authenticatable
+ t.string :encrypted_password, :null => false, :default => ""
+
+ ## Recoverable
+ t.string :reset_password_token
+ t.datetime :reset_password_sent_at
+
+ ## Rememberable
+ t.datetime :remember_created_at
+
+ ## Trackable
+ t.integer :sign_in_count, :default => 0, :null => false
+ t.datetime :current_sign_in_at
+ t.datetime :last_sign_in_at
+ t.string :current_sign_in_ip
+ t.string :last_sign_in_ip
+
+ ## Confirmable
+ # t.string :confirmation_token
+ # t.datetime :confirmed_at
+ # t.datetime :confirmation_sent_at
+ # t.string :unconfirmed_email # Only if using reconfirmable
+
+ ## Lockable
+ # t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+ # t.string :unlock_token # Only if unlock strategy is :email or :both
+ # t.datetime :locked_at
+
+ ## User Info
+ t.string :name
+ t.string :nickname
+ t.string :image
+ t.string :email
+
+ ## Tokens
+ t.text :tokens
+
+ t.timestamps
+ end
+
+ add_index :unconfirmable_users, :email
+ add_index :unconfirmable_users, [:uid, :provider], :unique => true
+ add_index :unconfirmable_users, :reset_password_token, :unique => true
+ # add_index :nice_users, :confirmation_token, :unique => true
+ # add_index :nice_users, :unlock_token, :unique => true
+ end
+end
diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb
index a1adc9a90..b2fc48cdf 100644
--- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb @@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20150409095712) do +ActiveRecord::Schema.define(version: 20150708104536) do create_table "evil_users", force: :cascade do |t| t.string "email", limit: 255 @@ -122,6 +122,31 @@ add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true + create_table "unconfirmable_users", force: :cascade do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" + t.datetime "reset_password_sent_at" + t.datetime "remember_created_at" + t.integer "sign_in_count", default: 0, null: false + t.datetime "current_sign_in_at" + t.datetime "last_sign_in_at" + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "unconfirmable_users", ["email"], name: "index_unconfirmable_users_on_email" + add_index "unconfirmable_users", ["reset_password_token"], name: "index_unconfirmable_users_on_reset_password_token", unique: true + add_index "unconfirmable_users", ["uid", "provider"], name: "index_unconfirmable_users_on_uid_and_provider", unique: true + create_table "unregisterable_users", force: :cascade do |t| t.string "provider", limit: 255, null: false t.string "uid", limit: 255, default: "", null: false diff --git a/test/fixtures/unconfirmable_users.yml b/test/fixtures/unconfirmable_users.yml new file mode 100644 index 000000000..7c0117bff --- /dev/null +++ b/test/fixtures/unconfirmable_users.yml 
@@ -0,0 +1,9 @@
+<% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %>
+<% @email = Faker::Internet.email %>
+user:
+ uid: "<%= @email %>"
+ email: "<%= @email %>"
+ provider: 'email'
+ created_at: '<%= timestamp %>'
+ updated_at: '<%= timestamp %>'
+ encrypted_password: <%= User.new.send(:password_digest, 'secret123') %>
From 4c012f9a0c0bac27d32929cd264b38f244575f90 Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Wed, 8 Jul 2015 11:19:29 -0400
Subject: [PATCH 113/328] feat(localization): add French and Spanish translations
---
 config/locales/en.yml | 8 +-------
 config/locales/es.yml | 30 ++++++++++++++++++++++++++++++
 config/locales/fr.yml | 30 ++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 7 deletions(-)
 create mode 100644 config/locales/es.yml
 create mode 100644 config/locales/fr.yml
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 51ad6e739..93434a352 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -27,10 +27,4 @@ en:
 errors:
 validate_sign_up_params: "Please submit proper sign up data in request body."
 validate_account_update_params: "Please submit proper account update data in request body."
- not_email: "is not an email"
-
-
-
-
-
-
+ not_email: "is not an email"
\ No newline at end of file
diff --git a/config/locales/es.yml b/config/locales/es.yml
new file mode 100644
index 000000000..9c81f9fd2
--- /dev/null
+++ b/config/locales/es.yml
@@ -0,0 +1,30 @@
+es:
+ devise_token_auth:
+ sessions:
+ not_confirmed: "Un correo electrónico de confirmación de su cuenta ha sido enviado a %{email}. Por favor, siga las instrucciones para validar su cuenta"
+ bad_credentials: "Identidad o contraseña no válida."
+ not_supported: "Use POST /sign_in para la conexión. GET no esta disponible."
+ user_not_found: "Usuario desconocido o no está conectado."
+ token_validations:
+ invalid: "Identidad o contraseña no válida."
+ registrations:
+ missing_confirm_success_url: "El parámetro `confirm_success_url` no esta presente."
+ redirect_url_not_allowed: "Redirección hacia %{redirect_url} no esta permitida."
+ email_already_exists: "Una cuenta ya existe con este correo electrónico: %{email}"
+ account_with_uid_destroyed: "La cuenta con el identificador %{uid} se ha eliminado."
+ account_to_destroy_not_found: "No se puede encontrar la cuenta a borrar."
+ user_not_found: "Usuario no encontrado."
+ passwords:
+ missing_email: "Debe incluir un correo electrónico."
+ missing_redirect_url: "Falta el Url de redirección."
+ not_allowed_redirect_url: "Redirección hacia %{redirect_url} no esta permitida."
+ sended: "Un correo electrónico ha sido enviado a %{email} con las instrucciones para restablecer su contraseña."
+ user_not_found: "No se pudo encontrar un usuario con este correo electrónico: '%{email}'."
+ password_not_required: "Esta cuenta no requiere contraseña. Iniciar sesión utilizando %{provider}."
+ missing_passwords: 'Debe llenar los campos "contraseña" y "confirmación de contraseña".'
+ successfully_updated: "Su contraseña ha sido actualizada con éxito."
+
+ errors:
+ validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos."
+ validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos."
+ not_email: "no es un correo electrónico"
\ No newline at end of file
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
new file mode 100644
index 000000000..bc468dca2
--- /dev/null
+++ b/config/locales/fr.yml
@@ -0,0 +1,30 @@
+fr:
+ devise_token_auth:
+ sessions:
+ not_confirmed: "Une email de confirmation de votre compte a été envoyé à %{email}. Merci de suivre les instructions afin de valider votre compte"
+ bad_credentials: "Mot de passe ou identifiant invalide."
+ not_supported: "Utilisez POST /sign_in pour la connexion. GET n'est pas supporté."
+ user_not_found: "L'utilisateur est inconnu ou n'est pas connecté."
+ token_validations:
+ invalid: "Mot de passe ou identifiant invalide."
+ registrations:
+ missing_confirm_success_url: "Le paramètre `confirm_success_url` est manquant."
+ redirect_url_not_allowed: "Redirection vers %{redirect_url} n'est pas autorisée."
+ email_already_exists: "Un compte existe déjà avec cet email: %{email}"
+ account_with_uid_destroyed: "Le compte avec l'identifiant %{uid} a été supprimé."
+ account_to_destroy_not_found: "Impossible de trouver le compte à supprimer."
+ user_not_found: "Utilisateur non trouvé."
+ passwords:
+ missing_email: "Vous devez soumettre un email."
+ missing_redirect_url: "Url de redirection manquante."
+ not_allowed_redirect_url: "Redirection vers %{redirect_url} n'est pas autorisée."
+ sended: "Un email a été envoyé à %{email} avec les instructions pour réinitialiser votre mot de passe."
+ user_not_found: "Impossible de trouver un utilisateur avec cet email: '%{email}'."
+ password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous plutôt en utilisant %{provider}."
+ missing_passwords: 'Vous devez remplir les champs "mt de passe" et "confirmation de mot de passe".'
+ successfully_updated: "Votre mot de passe a été correctement mis à jour."
+
+ errors:
+ validate_sign_up_params: "Les données de l'inscription dans le corps de la requête ne sont pas valides."
+ validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides."
+ not_email: "n'est pas un email"
\ No newline at end of file
From c7d8092f22ffc6ea08d667da0b4b8baa73202b9a Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Sun, 12 Jul 2015 21:36:06 -0400 Subject: [PATCH 114/328] Set default provider to "email" in migration Fixes incompatibility with standard devise controllers using default migrations. --- .../templates/devise_token_auth_create_users.rb.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb index 20358cad8..7179726aa 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb @@ -2,7 +2,7 @@ class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration def change create_table(:<%= user_class.pluralize.underscore %>) do |t| ## Required - t.string :provider, :null => false + t.string :provider, :null => false, :default => "email" t.string :uid, :null => false, :default => "" ## Database authenticatable From b60c7c304c684e0fa7ee0a565f7f6b3b53913efd Mon Sep 17 00:00:00 2001 From: Luis Edimerchk Laverde Date: Sat, 11 Apr 2015 07:54:56 -0500 Subject: [PATCH 115/328] URI fragment should appear at the end of URL --- app/models/devise_token_auth/concerns/user.rb | 4 +--- test/models/user_test.rb | 8 ++++++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index bdaf11486..078c9b56d 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
@@ -212,16 +212,14 @@ def token_validation_response protected - # NOTE: ensure that fragment comes AFTER querystring for proper $location - # parsing using AngularJS. def generate_url(url, params = {}) uri = URI(url) res = "#{uri.scheme}://#{uri.host}" res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443) res += "#{uri.path}" if uri.path - res += "##{uri.fragment}" if uri.fragment res += "?#{params.to_query}" + res += "##{uri.fragment}" if uri.fragment return res end diff --git a/test/models/user_test.rb b/test/models/user_test.rb index 6ddfdae2b..5b27db289 100644 --- a/test/models/user_test.rb +++ b/test/models/user_test.rb @@ -86,5 +86,13 @@ class UserTest < ActiveSupport::TestCase assert @resource.tokens[@new_auth_headers["client"]] end end + + describe "#generate_url" do + test 'URI fragment should appear at the end of URL' do + params = {client_id: 123} + url = 'http://example.com#fragment' + assert_equal @resource.send(:generate_url, url, params), "http://example.com?client_id=123#fragment" + end + end end end From 9ea86bbd9ca1103862210441246f86cfdeb102e7 Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Wed, 15 Jul 2015 16:42:40 -0400 Subject: [PATCH 116/328] Disabled serialization for JSON type columns. --- .travis.yml | 3 ++ app/models/devise_token_auth/concerns/user.rb | 13 ++++++++- test/dummy/config/application.rb | 1 + ...15061447_devise_token_auth_create_users.rb | 8 ++++- ...15061805_devise_token_auth_create_mangs.rb | 8 ++++- ...203_devise_token_auth_create_evil_users.rb | 8 ++++- ...vise_token_auth_create_only_email_users.rb | 8 ++++- ..._token_auth_create_unregisterable_users.rb | 8 ++++- ...712_devise_token_auth_create_nice_users.rb | 8 ++++- ...e_token_auth_create_unconfirmable_users.rb | 8 ++++- test/dummy/lib/migration_database_helper.rb | 29 +++++++++++++++++++ 11 files changed, 94 insertions(+), 8 deletions(-) create mode 100644 test/dummy/lib/migration_database_helper.rb 
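Review bot: Moving the fragment after the query string is correct, but the surrounding lines of `generate_url` deserve a pass while here: `res += "#{uri.path}" if uri.path` is a no-op guard because `URI#path` returns `""` rather than `nil`, and the port test `uri.port and uri.port != 80 and uri.port != 443` both uses the low-precedence `and` and drops an explicit `:80` on https or `:443` on http; `res += ":#{uri.port}" if uri.port && uri.port != uri.default_port` states the intent. `res += "?#{params.to_query}"` still emits a bare `?` when `params` is empty (`unless params.empty?` would avoid it), and the explicit `return res` can go. The new test passes its arguments to `assert_equal` in actual-then-expected order, which inverts the failure message.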
diff --git a/.travis.yml b/.travis.yml index d15282da9..928d64ece 100644 --- a/.travis.yml +++ b/.travis.yml @@ -17,3 +17,6 @@ script: before_script: - mysql -e 'create database devise_token_auth_test' - psql -c 'create database devise_token_auth_test' -U postgres + +addons: + postgresql: "9.3" \ No newline at end of file diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 078c9b56d..7d9d49f53 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -21,7 +21,9 @@ def self.tokens_match?(token_hash, token) self.devise_modules.delete(:omniauthable) end - serialize :tokens, JSON + unless tokens_has_json_column_type? + serialize :tokens, JSON + end validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' } validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } @@ -82,6 +84,15 @@ def send_reset_password_instructions(opts=nil) end end + module ClassMethods + protected + + + def tokens_has_json_column_type? + table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb]) + end + end + def valid_token?(token, client_id='default') client_id ||= 'default' diff --git a/test/dummy/config/application.rb b/test/dummy/config/application.rb index 1fe3dcd98..ff7cd58d8 100644 --- a/test/dummy/config/application.rb +++ b/test/dummy/config/application.rb @@ -19,5 +19,6 @@ class Application < Rails::Application # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded. # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s] # config.i18n.default_locale = :de + config.autoload_paths << Rails.root.join('lib') end end diff --git a/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb b/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb index b9f02b662..c6227fa45 100644 
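Review bot: `tokens_has_json_column_type?` is evaluated inside the concern's included block, i.e. once at class-load time, and `table_exists?` / `columns_hash` require a live database connection; when no connection is available (some rake tasks, asset precompilation) loading the model can fail, and before the migration has run `table_exists?` is false, so `serialize :tokens, JSON` is applied and remains in effect for the process even if the column is then created as json. That trade-off should be stated on the `unless`, e.g. `# evaluated once at load time and needs a DB connection; a missing table falls back to text serialization`. Minor style: `protected` in ClassMethods is followed by two blank lines, and `self.columns_hash` can drop the receiver.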
--- a/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb +++ b/test/dummy/db/migrate/20140715061447_devise_token_auth_create_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateUsers < ActiveRecord::Migration def change create_table(:users) do |t| @@ -42,7 +44,11 @@ def change t.string :uid, :null => false, :default => "" ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb b/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb index 7337c7cad..628ad8af4 100644 --- a/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb +++ b/test/dummy/db/migrate/20140715061805_devise_token_auth_create_mangs.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateMangs < ActiveRecord::Migration def change create_table(:mangs) do |t| @@ -42,7 +44,11 @@ def change t.string :uid, :null => false, :default => "" ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/db/migrate/20140928231203_devise_token_auth_create_evil_users.rb b/test/dummy/db/migrate/20140928231203_devise_token_auth_create_evil_users.rb index f5fd9aabf..8bc60b8cf 100644 --- a/test/dummy/db/migrate/20140928231203_devise_token_auth_create_evil_users.rb +++ b/test/dummy/db/migrate/20140928231203_devise_token_auth_create_evil_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateEvilUsers < ActiveRecord::Migration def change create_table(:evil_users) do |t| @@ -40,7 +42,11 @@ def change t.string :uid, :null => false, :default => "" ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end ## etc. t.string :favorite_color 
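Review bot: `include MigrationDatabaseHelper` at file top level mixes the module into `Object`, so every object in the process gains `postgres?`, `database_version` and the other helpers; the same top-level include is repeated in the mangs and evil_users migrations in this hunk set and in the only_email, unregisterable, nice and unconfirmable migrations that follow. Moving the line inside each class body, `class DeviseTokenAuthCreateUsers < ActiveRecord::Migration` followed by `  include MigrationDatabaseHelper`, keeps `json_supported_database?` available to `change` without polluting the global namespace. The `change` methods themselves start and end outside the `@@ -42` hunks.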
diff --git a/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb b/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb index a2b60325f..6c25075fa 100644 --- a/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb +++ b/test/dummy/db/migrate/20141222035835_devise_token_auth_create_only_email_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateOnlyEmailUsers < ActiveRecord::Migration def change create_table(:only_email_users) do |t| @@ -40,7 +42,11 @@ def change t.string :email ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb b/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb index 0fd983b5a..aa7cb7ec7 100644 --- a/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb +++ b/test/dummy/db/migrate/20141222053502_devise_token_auth_create_unregisterable_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateUnregisterableUsers < ActiveRecord::Migration def change create_table(:unregisterable_users) do |t| @@ -40,7 +42,11 @@ def change t.string :email ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb b/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb index c2175ed8c..0b237452e 100644 --- a/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb +++ b/test/dummy/db/migrate/20150409095712_devise_token_auth_create_nice_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateNiceUsers < ActiveRecord::Migration def change create_table(:nice_users) do |t| 
@@ -40,7 +42,11 @@ def change t.string :email ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb b/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb index 1a0e1db46..af0a224a7 100644 --- a/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb +++ b/test/dummy/db/migrate/20150708104536_devise_token_auth_create_unconfirmable_users.rb @@ -1,3 +1,5 @@ +include MigrationDatabaseHelper + class DeviseTokenAuthCreateUnconfirmableUsers < ActiveRecord::Migration def change create_table(:unconfirmable_users) do |t| @@ -40,7 +42,11 @@ def change t.string :email ## Tokens - t.text :tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end t.timestamps end diff --git a/test/dummy/lib/migration_database_helper.rb b/test/dummy/lib/migration_database_helper.rb new file mode 100644 index 000000000..bdfc3f517 --- /dev/null +++ b/test/dummy/lib/migration_database_helper.rb @@ -0,0 +1,29 @@ +module MigrationDatabaseHelper + def json_supported_database? + (postgres? && postgres_correct_version?) || (mysql? && mysql_correct_version?) + end + + def postgres? + database_name == 'ActiveRecord::ConnectionAdapters::PostgreSQLAdapter' + end + + def postgres_correct_version? + database_version > '9.3' + end + + def mysql? + database_name == 'ActiveRecord::ConnectionAdapters::MysqlAdapter' + end + + def mysql_correct_version? + database_version > '5.7.7' + end + + def database_name + ActiveRecord::Base.connection.class.name + end + + def database_version + ActiveRecord::Base.connection.select_value('SELECT VERSION()') + end +end \ No newline at end of file From 002b0201744610fb9d725d1140fc986d4e4121f7 Mon Sep 17 00:00:00 2001 
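Review bot: `postgres_correct_version?` and `mysql_correct_version?` compare the raw `SELECT VERSION()` string lexicographically: PostgreSQL answers with a sentence such as `PostgreSQL 9.4.5 on x86_64...` (constructed example), which is always `> '9.3'` because `'P'` sorts after `'9'`, and a MySQL `5.10.x` string would sort below `'5.7.7'`. Extract the dotted number and compare with `Gem::Version`, keeping the author's thresholds, as below. `mysql?` also only recognises the legacy `MysqlAdapter`; if the dummy app runs on the mysql2 gem the connection class is `ActiveRecord::ConnectionAdapters::Mysql2Adapter` and json support is never detected, so accept both names.

```ruby
module MigrationDatabaseHelper
  # … unchanged: json_supported_database?, postgres?, database_name, database_version …

  def postgres_correct_version?
    numeric_database_version > Gem::Version.new('9.3')
  end

  def mysql?
    %w[ActiveRecord::ConnectionAdapters::MysqlAdapter
       ActiveRecord::ConnectionAdapters::Mysql2Adapter].include?(database_name)
  end

  def mysql_correct_version?
    numeric_database_version > Gem::Version.new('5.7.7')
  end

  # VERSION() returns prose such as "PostgreSQL 9.4.5 on ..." or "5.7.9-log";
  # pull out the first dotted number so the comparison is numeric, not lexical.
  def numeric_database_version
    Gem::Version.new(database_version[/\d+(\.\d+)+/] || '0')
  end
end
```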
From: Michael Colavita Date: Wed, 15 Jul 2015 20:45:29 -0400 Subject: [PATCH 117/328] Allow tokens to be set to nil before save --- app/models/devise_token_auth/concerns/user.rb | 10 ++++++---- test/models/user_test.rb | 13 +++++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 7d9d49f53..baa336f99 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -251,10 +251,12 @@ def sync_uid end def destroy_expired_tokens - self.tokens.delete_if{|cid,v| - expiry = v[:expiry] || v["expiry"] - DateTime.strptime(expiry.to_s, '%s') < Time.now - } + if self.tokens + self.tokens.delete_if do |cid, v| + expiry = v[:expiry] || v["expiry"] + DateTime.strptime(expiry.to_s, '%s') < Time.now + end + end end end diff --git a/test/models/user_test.rb b/test/models/user_test.rb index 5b27db289..93a127c9e 100644 --- a/test/models/user_test.rb +++ b/test/models/user_test.rb @@ -87,6 +87,19 @@ class UserTest < ActiveSupport::TestCase end end + describe 'nil tokens are handled properly' do + before do + @resource = users(:confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + end + + test 'tokens can be set to nil' do + @resource.tokens = nil + assert @resource.save + end + end + describe "#generate_url" do test 'URI fragment should appear at the end of URL' do params = {client_id: 123} From 5862e5bac9b1a04c0f340faed0d8ddb4e0dac997 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 15 Jul 2015 22:15:28 -0400 Subject: [PATCH 118/328] chore(docs): update references from @user to @resource --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 2bfece77e..669a07a7c 100644 --- a/README.md +++ b/README.md 
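Review bot: The nil guard stops `delete_if` from blowing up, but `DateTime.strptime(expiry.to_s, '%s')` still raises `ArgumentError` for any token entry whose `expiry` is missing or non-numeric, and if this runs as a save callback, as its placement next to `sync_uid` suggests, one malformed entry would block every save of that record. `Time.at(expiry.to_i) < Time.now` is simpler and would treat a missing expiry as expired (the entry is deleted) instead of raising — confirm that is the intended policy before switching. Style: `return unless tokens` as a guard clause reads better than wrapping the whole body in `if self.tokens`, and `DateTime` is the legacy class where `Time` suffices.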
@@ -420,7 +420,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce client_id = request.headers['client'] token = request.headers['access-token'] - @user.valid_token?(token, client_id) + @resource.valid_token?(token, client_id) ~~~ * **`create_new_auth_token`**: creates a new auth token with all of the necessary metadata. Accepts `client` as an optional argument. Will generate a new `client` if none is provided. Returns the authentication headers that should be sent by the client as an object. @@ -431,7 +431,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce client_id = request.headers['client'] # update token, generate updated auth headers for response - new_auth_header = @user.create_new_auth_token(client_id) + new_auth_header = @resource.create_new_auth_token(client_id) # update response with the header that will be required by the next request response.headers.merge!(new_auth_header) @@ -446,13 +446,13 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce token = SecureRandom.urlsafe_base64(nil, false) # store client + token in user's token hash - @user.tokens[client_id] = { + @resource.tokens[client_id] = { token: BCrypt::Password.create(token), expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i } # generate auth headers for response - new_auth_header = @user.build_auth_header(token, client_id) + new_auth_header = @resource.build_auth_header(token, client_id) # update response with the header that will be required by the next request response.headers.merge!(new_auth_header) 
@@ -619,10 +619,10 @@ module Overrides class TokenValidationsController < DeviseTokenAuth::TokenValidationsController def validate_token - # @user will have been set by set_user_by_token concern - if @user + # @resource will have been set by set_user_by_token concern + if @resource render json: { - data: @user.as_json(methods: :calculate_operating_thetan) + data: @resource.as_json(methods: :calculate_operating_thetan) } else render json: { From 9d1b529af5404e261d28b1d189537d2e5e1de875 Mon Sep 17 00:00:00 2001 From: Jay Liu Date: Mon, 20 Jul 2015 12:19:22 -0400 Subject: [PATCH 119/328] Remove erroneous colon from before_action callback --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 669a07a7c..6aa3dd01b 100644 --- a/README.md +++ b/README.md @@ -502,7 +502,7 @@ This gem supports the use of multiple user models. One possible use case is to a ~~~ 1. Configure any `Admin` restricted controllers. Controllers will now have access to the methods [described here](#methods): - * `before_action: :authenticate_admin!` + * `before_action :authenticate_admin!` * `current_admin` * `admin_signed_in?` From 2ce397ba344fe3994741dbca5a2deb58e382106a Mon Sep 17 00:00:00 2001 From: Jakub Rohleder Date: Tue, 21 Jul 2015 21:29:27 +0200 Subject: [PATCH 120/328] Old password check before password update --- README.md | 6 +- .../devise_token_auth/passwords_controller.rb | 12 +- .../registrations_controller.rb | 6 +- lib/devise_token_auth/engine.rb | 18 +- .../templates/devise_token_auth.rb | 6 + .../passwords_controller_test.rb | 50 ++++ .../registrations_controller_test.rb | 244 +++++++++++++----- 7 files changed, 259 insertions(+), 83 deletions(-) diff --git a/README.md b/README.md index 6aa3dd01b..2e3be0b72 100644 --- a/README.md +++ b/README.md 
@@ -134,14 +134,14 @@ The following routes are available for use by your client. These routes live rel |:-----|:-------|:--------| | / | POST | Email registration. Accepts **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. | -| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | +| / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. | | /sign_in | POST | Email authentication. Accepts **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login. | | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. | | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). 
| | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | | /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | -| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). | +| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. | [Jump here](#usage-cont) for more usage information. 
@@ -608,7 +608,7 @@ For example, the default behavior of the [`validate_token`](https://github.com/l ~~~ruby # config/routes.rb Rails.application.routes.draw do - ... + ... mount_devise_token_auth_for 'User', at: 'auth', controllers: { token_validations: 'overrides/token_validations' } diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index ea146cfe0..1e4c25fb4 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -148,7 +148,7 @@ def update }, status: 422 end - if @resource.update_attributes(password_resource_params) + if @resource.send(resource_update_method, password_resource_params) yield if block_given? return render json: { success: true, @@ -165,12 +165,20 @@ def update end end + def resource_update_method + if DeviseTokenAuth.check_current_password_before_update != false + "update_with_password" + else + "update_attributes" + end + end + def password_resource_params params.permit(devise_parameter_sanitizer.for(:account_update)) end def resource_params - params.permit(:email, :password, :password_confirmation, :reset_password_token) + params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token) end end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 4216f5198..2df300f6e 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb 
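Review bot: In `resource_update_method` (hunk @@ -165 of passwords_controller.rb) every non-`false` setting, `:password` included, routes `update` through `update_with_password`, and this is the same action the README rows in this commit describe as the target of the e-mail reset flow; a user who arrived via `reset_password_token` does not know a current password, so enabling the option presumably makes password recovery impossible. Consider skipping the check when the request is part of a reset (or documenting that the two are incompatible) and add a comment on the new method such as `# Devise#update_with_password refuses the change unless :current_password matches; update_attributes performs no such check.`. At hunk @@ -148 the dispatch could read `@resource.public_send(resource_update_method, password_resource_params)` to make clear that only public methods are intended; `update` itself begins outside the hunk.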
@@ -142,7 +142,11 @@ def account_update_params private def resource_update_method - if account_update_params.has_key?(:current_password) + if DeviseTokenAuth.check_current_password_before_update == :attributes + "update_with_password" + elsif DeviseTokenAuth.check_current_password_before_update == :password and account_update_params.has_key?(:password) + "update_with_password" + elsif account_update_params.has_key?(:current_password) "update_with_password" else "update_attributes" diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index c7703f769..baf126332 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -15,15 +15,17 @@ class Engine < ::Rails::Engine :omniauth_prefix, :default_confirm_success_url, :default_password_reset_url, - :redirect_whitelist + :redirect_whitelist, + :check_current_password_before_update - self.change_headers_on_each_request = true - self.token_lifespan = 2.weeks - self.batch_request_buffer_throttle = 5.seconds - self.omniauth_prefix = '/omniauth' - self.default_confirm_success_url = nil - self.default_password_reset_url = nil - self.redirect_whitelist = nil + self.change_headers_on_each_request = true + self.token_lifespan = 2.weeks + self.batch_request_buffer_throttle = 5.seconds + self.omniauth_prefix = '/omniauth' + self.default_confirm_success_url = nil + self.default_password_reset_url = nil + self.redirect_whitelist = nil + self.check_current_password_before_update = false def self.setup(&block) yield self diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index a34435e15..e158e784f 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb 
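Review bot: The new `elsif` in `resource_update_method` (hunk @@ -142) uses `and`, which only works here because `==` binds tighter; the idiomatic form is `elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.has_key?(:password)`. Both new branches compare against exact symbols, so a misconfigured value (for instance the string `"attributes"` read from an environment variable) silently falls through to the unchecked `update_attributes` path rather than failing loudly; normalising with `.to_s.to_sym` on the setting or raising on an unknown value would make the stricter mode fail closed. The method's trailing `end`s lie outside the hunk.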
@@ -19,4 +19,10 @@ # example, using the default '/omniauth', the github oauth2 provider will # redirect successful authentications to '/omniauth/github/callback' #config.omniauth_prefix = "/omniauth" + + # By defult sending current password is not needed for the password update. + # Uncomment to enforce current_password param to be checked before all + # attribute updates. Set it to :password if you want it to be checked only if + # password is updated. + # config.check_current_password_before_update = :attributes end diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 866023659..a2962143c 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb 
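Review bot: The new initializer comment (hunk @@ -19) has a typo, "defult", and describes the option as applying to "the password update" although `:attributes` gates every account update. Suggested wording: `# By default no current password is required for account updates. Set to :attributes to require current_password before any attribute update, or to :password to require it only when the password itself is changed.`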
@@ -269,6 +269,56 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end end + describe "change password with current password required" do + before do + DeviseTokenAuth.check_current_password_before_update = :password + end + + after do + DeviseTokenAuth.check_current_password_before_update = false + end + + describe 'success' do + before do + @auth_headers = @resource.create_new_auth_token + request.headers.merge!(@auth_headers) + @new_password = Faker::Internet.password + @resource.update password: 'secret123', password_confirmation: 'secret123' + + xhr :put, :update, { + password: @new_password, + password_confirmation: @new_password, + current_password: 'secret123' + } + + @data = JSON.parse(response.body) + @resource.reload + end + + test "request should be successful" do + assert_equal 200, response.status + end + end + + describe 'current password mismatch error' do + before do + @auth_headers = @resource.create_new_auth_token + request.headers.merge!(@auth_headers) + @new_password = Faker::Internet.password + + xhr :put, :update, { + password: @new_password, + password_confirmation: @new_password, + current_password: 'not_very_secret321' + } + end + + test 'response should fail unauthorized' do + assert_equal 422, response.status + end + end + end + describe "change password" do describe 'success' do before do diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index fef52206e..574e437ff 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
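Review bot: The `success` case in "change password with current password required" reloads `@resource` but never checks that the password actually changed, so a controller that ignored the update would still pass; add `assert @resource.valid_password?(@new_password)`. The mismatch case is titled "should fail unauthorized" yet asserts 422, and it does not confirm the old credential survived — `refute @resource.reload.valid_password?(@new_password)` would pin that. Both `before` blocks mutate the global `DeviseTokenAuth.check_current_password_before_update`; the `after` reset is present, which is good, but it relies on the surrounding suite never running these examples concurrently.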
@@ -472,101 +472,207 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration age_token(@existing_user, @client_id) end - describe "success" do - before do - # test valid update param - @resource_class = User - @new_operating_thetan = 1000000 - @email = "AlternatingCase2@example.com" - @request_params = { - operating_thetan: @new_operating_thetan, - email: @email - } + describe "without password check" do + describe "success" do + before do + # test valid update param + @resource_class = User + @new_operating_thetan = 1000000 + @email = "AlternatingCase2@example.com" + @request_params = { + operating_thetan: @new_operating_thetan, + email: @email + } + end + + test "Request was successful" do + put "/auth", @request_params, @auth_headers + assert_equal 200, response.status + end + + test "Case sensitive attributes update" do + @resource_class.case_insensitive_keys = [] + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload + assert_equal @new_operating_thetan, @existing_user.operating_thetan + assert_equal @email, @existing_user.email + assert_equal @email, @existing_user.uid + end + + test "Case insensitive attributes update" do + @resource_class.case_insensitive_keys = [:email] + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload + assert_equal @new_operating_thetan, @existing_user.operating_thetan + assert_equal @email.downcase, @existing_user.email + assert_equal @email.downcase, @existing_user.uid + end + + test "Supply current password" do + @request_params.merge!( + current_password: "secret123", + email: "new.email@example.com", + ) + + put "/auth", @request_params, @auth_headers + @data = JSON.parse(response.body) + @existing_user.reload + assert_equal @existing_user.email, "new.email@example.com" + end end - test "Request was successful" do - put "/auth", @request_params, @auth_headers - assert_equal 200, response.status - end 
+ describe 'validate non-empty body' do + before do + # get the email so we can check it wasn't updated + @email = @existing_user.email + put '/auth', {}, @auth_headers - test "Case sensitive attributes update" do - @resource_class.case_insensitive_keys = [] - put "/auth", @request_params, @auth_headers - @data = JSON.parse(response.body) - @existing_user.reload - assert_equal @new_operating_thetan, @existing_user.operating_thetan - assert_equal @email, @existing_user.email - assert_equal @email, @existing_user.uid - end + @data = JSON.parse(response.body) + @existing_user.reload + end - test "Case insensitive attributes update" do - @resource_class.case_insensitive_keys = [:email] - put "/auth", @request_params, @auth_headers - @data = JSON.parse(response.body) - @existing_user.reload - assert_equal @new_operating_thetan, @existing_user.operating_thetan - assert_equal @email.downcase, @existing_user.email - assert_equal @email.downcase, @existing_user.uid - end + test 'request should fail' do + assert_equal 422, response.status + end + + test 'returns error message' do + assert_not_empty @data['errors'] + end - test "Supply current password" do - @request_params.merge!( - current_password: "secret123", - email: "new.email@example.com", - ) + test 'return error status' do + assert_equal 'error', @data['status'] + end - put "/auth", @request_params, @auth_headers - @data = JSON.parse(response.body) - @existing_user.reload - assert_equal @existing_user.email, "new.email@example.com" + test 'user should not have been saved' do + assert_equal @email, @existing_user.email + end + end + + describe "error" do + before do + # test invalid update param + @new_operating_thetan = "blegh" + put "/auth", { + operating_thetan: @new_operating_thetan + }, @auth_headers + + @data = JSON.parse(response.body) + @existing_user.reload + end + + test "Request was NOT successful" do + assert_equal 403, response.status + end + + test "Errors were provided with response" do + assert 
@data["errors"].length + end end end - describe 'validate non-empty body' do + describe "with password check for password update only" do before do - # get the email so we can check it wasn't updated - @email = @existing_user.email - put '/auth', {}, @auth_headers - - @data = JSON.parse(response.body) - @existing_user.reload + DeviseTokenAuth.check_current_password_before_update = :password end - test 'request should fail' do - assert_equal 422, response.status + after do + DeviseTokenAuth.check_current_password_before_update = false end - test 'returns error message' do - assert_not_empty @data['errors'] + describe "success without password update" do + before do + # test valid update param + @resource_class = User + @new_operating_thetan = 1000000 + @email = "AlternatingCase2@example.com" + @request_params = { + operating_thetan: @new_operating_thetan, + email: @email + } + end + + test "Request was successful" do + put "/auth", @request_params, @auth_headers + assert_equal 200, response.status + end end - test 'return error status' do - assert_equal 'error', @data['status'] + describe "success with password update" do + before do + @existing_user.update password: 'secret123', password_confirmation: 'secret123' + @request_params = { + password: 'the_new_secret456', + password_confirmation: 'the_new_secret456', + current_password: 'secret123' + } + end + + test "Request was successful" do + put "/auth", @request_params, @auth_headers + assert_equal 200, response.status + end end - test 'user should not have been saved' do - assert_equal @email, @existing_user.email + describe "error with password mismatch" do + before do + @existing_user.update password: 'secret123', password_confirmation: 'secret123' + @request_params = { + password: 'the_new_secret456', + password_confirmation: 'the_new_secret456', + current_password: 'not_so_secret321' + } + end + + test "Request was NOT successful" do + put "/auth", @request_params, @auth_headers + assert_equal 403, 
response.status + end end end - describe "error" do + describe "with password check for all attributes" do before do - # test invalid update param - @new_operating_thetan = "blegh" - put "/auth", { - operating_thetan: @new_operating_thetan - }, @auth_headers - - @data = JSON.parse(response.body) - @existing_user.reload + DeviseTokenAuth.check_current_password_before_update = :password + @new_operating_thetan = 1000000 + @email = "AlternatingCase2@example.com" + end + + after do + DeviseTokenAuth.check_current_password_before_update = false end - test "Request was NOT successful" do - assert_equal 403, response.status + describe "success with password update" do + before do + @existing_user.update password: 'secret123', password_confirmation: 'secret123' + @request_params = { + operating_thetan: @new_operating_thetan, + email: @email, + current_password: 'secret123' + } + end + + test "Request was successful" do + put "/auth", @request_params, @auth_headers + assert_equal 200, response.status + end end - test "Errors were provided with response" do - assert @data["errors"].length + describe "error with password mismatch" do + before do + @existing_user.update password: 'secret123', password_confirmation: 'secret123' + @request_params = { + operating_thetan: @new_operating_thetan, + email: @email, + current_password: 'not_so_secret321' + } + end + + test "Request was NOT successful" do + put "/auth", @request_params, @auth_headers + assert_equal 403, response.status + end end end end From 66e9426ad5d21fd07e20c57794f03bd444e7d234 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 29 Jul 2015 10:42:52 -0400 Subject: [PATCH 121/328] chore(deps): update gem dependencies --- Gemfile.lock | 122 ++++++++++++++++++++++++--------------------------- 1 file changed, 58 insertions(+), 64 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 2a0846ab0..86cb2e294 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
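Review bot: The `describe "with password check for all attributes"` block sets `DeviseTokenAuth.check_current_password_before_update = :password`, not `:attributes`, so the `:attributes` branch of `resource_update_method` is never exercised; its two examples pass only because both requests include `current_password`, which already triggers the pre-existing `has_key?(:current_password)` fallback. Change the `before` to `DeviseTokenAuth.check_current_password_before_update = :attributes` and add an example that omits `current_password` under that mode and expects 403 — that is the request a regression would let through. The outer `describe` and its `before` (which sets `@auth_headers`) start above the hunk.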
@@ -8,14 +8,14 @@ GIT GIT remote: git://github.com/laserlemon/figaro.git - revision: 5720b12ca2b086ee5f0a9f4267b11b7753c67d21 + revision: 5191084e16cf5cd5c2cc8a98df9071dbac9b4cba specs: - figaro (1.0.0) + figaro (1.1.1) thor (~> 0.14) GIT remote: git://github.com/mkdynamic/omniauth-facebook.git - revision: b127c35135b16b7d5cdc746a718192acfe1da21c + revision: f20e906b52b0a8849569f1391f01771fb628f6d7 specs: omniauth-facebook (2.1.0) omniauth-oauth2 (~> 1.2) 
@@ -40,50 +40,48 @@ PATH GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.2) - actionpack (= 4.2.2) - actionview (= 4.2.2) - activejob (= 4.2.2) + actionmailer (4.2.3) + actionpack (= 4.2.3) + actionview (= 4.2.3) + activejob (= 4.2.3) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.2) - actionview (= 4.2.2) - activesupport (= 4.2.2) + actionpack (4.2.3) + actionview (= 4.2.3) + activesupport (= 4.2.3) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) - rails-html-sanitizer (~> 1.0, >= 1.0.1) - actionview (4.2.2) - activesupport (= 4.2.2) + rails-html-sanitizer (~> 1.0, >= 1.0.2) + actionview (4.2.3) + activesupport (= 4.2.3) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) - rails-html-sanitizer (~> 1.0, >= 1.0.1) - activejob (4.2.2) - activesupport (= 4.2.2) + rails-html-sanitizer (~> 1.0, >= 1.0.2) + activejob (4.2.3) + activesupport (= 4.2.3) globalid (>= 0.3.0) - activemodel (4.2.2) - activesupport (= 4.2.2) + activemodel (4.2.3) + activesupport (= 4.2.3) builder (~> 3.1) - activerecord (4.2.2) - activemodel (= 4.2.2) - activesupport (= 4.2.2) + activerecord (4.2.3) + activemodel (= 4.2.3) + activesupport (= 4.2.3) arel (~> 6.0) - activesupport (4.2.2) + activesupport (4.2.3) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - ansi (1.4.3) - arel (6.0.0) - attr_encrypted (1.3.3) + ansi (1.5.0) + arel (6.0.2) + attr_encrypted (1.3.4) encryptor (>= 1.3.0) bcrypt (3.1.10) builder (3.2.2) - celluloid (0.16.0) - timers (~> 4.0.0) - codeclimate-test-reporter (0.4.4) + codeclimate-test-reporter (0.4.7) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) devise (3.5.1) 
@@ -100,14 +98,14 @@ GEM i18n (~> 0.5) faraday (0.9.1) multipart-post (>= 1.2, < 3) - ffi (1.9.8) + ffi (1.9.10) formatador (0.2.5) fuzz_ball (0.9.1) globalid (0.3.5) activesupport (>= 4.1.0) - guard (2.12.6) + guard (2.13.0) formatador (>= 0.2.4) - listen (~> 2.7) + listen (>= 2.7, <= 4.0) lumberjack (~> 1.0) nenv (~> 0.1) notiffany (~> 0.0) @@ -119,12 +117,10 @@ GEM guard-compat (~> 1.2) minitest (>= 3.0) hashie (3.4.2) - hitimes (1.2.2) i18n (0.7.0) json (1.8.3) - jwt (1.5.0) - listen (2.10.1) - celluloid (~> 0.16.0) + jwt (1.5.1) + listen (3.0.3) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) loofah (2.0.2) @@ -136,24 +132,24 @@ GEM mime-types (2.6.1) mini_portile (0.6.2) minitest (5.7.0) - minitest-focus (1.1.0) + minitest-focus (1.1.2) minitest (>= 4, < 6) minitest-rails (2.2.0) minitest (~> 5.7) railties (~> 4.1) - minitest-reporters (1.0.8) + minitest-reporters (1.0.19) ansi builder minitest (>= 5.0) ruby-progressbar - multi_json (1.11.1) + multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.3.17) + mysql2 (0.3.18) nenv (0.2.0) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) - notiffany (0.0.6) + notiffany (0.0.7) nenv (~> 0.1) shellany (~> 0.0) oauth2 (1.0.0) @@ -165,11 +161,11 @@ GEM omniauth (1.2.2) hashie (>= 1.2, < 4) rack (~> 1.0) - omniauth-oauth2 (1.3.0) + omniauth-oauth2 (1.3.1) oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) - pg (0.18.0) + pg (0.18.2) pry (0.10.1) coderay (~> 1.1.0) method_source (~> 0.8.1) 
@@ -177,20 +173,20 @@ GEM pry-remote (0.1.8) pry (~> 0.9) slop (~> 3.0) - rack (1.6.2) - rack-cors (0.3.1) + rack (1.6.4) + rack-cors (0.4.0) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.2) - actionmailer (= 4.2.2) - actionpack (= 4.2.2) - actionview (= 4.2.2) - activejob (= 4.2.2) - activemodel (= 4.2.2) - activerecord (= 4.2.2) - activesupport (= 4.2.2) + rails (4.2.3) + actionmailer (= 4.2.3) + actionpack (= 4.2.3) + actionview (= 4.2.3) + activejob (= 4.2.3) + activemodel (= 4.2.3) + activerecord (= 4.2.3) + activesupport (= 4.2.3) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.2) + railties (= 4.2.3) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) @@ -200,9 +196,9 @@ GEM rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.2) loofah (~> 2.0) - railties (4.2.2) - actionpack (= 4.2.2) - activesupport (= 4.2.2) + railties (4.2.3) + actionpack (= 4.2.3) + activesupport (= 4.2.3) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (10.4.2) @@ -211,25 +207,23 @@ GEM ffi (>= 0.5.0) responders (2.1.0) railties (>= 4.2.0, < 5) - ruby-progressbar (1.7.1) + ruby-progressbar (1.7.5) shellany (0.0.1) - simplecov (0.9.1) + simplecov (0.10.0) docile (~> 1.1.0) - multi_json (~> 1.0) - simplecov-html (~> 0.8.0) - simplecov-html (0.8.0) + json (~> 1.8) + simplecov-html (~> 0.10.0) + simplecov-html (0.10.0) slop (3.6.0) sprockets (3.2.0) rack (~> 1.0) - sprockets-rails (2.3.1) + sprockets-rails (2.3.2) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) sqlite3 (1.3.10) thor (0.19.1) thread_safe (0.3.5) - timers (4.0.1) - hitimes tzinfo (1.2.2) thread_safe (~> 0.1) warden (1.2.3) From 14b66a910e517f5e00e10f7b9fd9c657e7fd8d14 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 29 Jul 2015 10:43:26 -0400 Subject: [PATCH 122/328] v0.1.32 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 86cb2e294..f5447bbdd 100644 
--- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32.beta10) + devise_token_auth (0.1.32) devise (~> 3.3) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index c5adaaa26..1725586a4 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32.beta10" + VERSION = "0.1.32" end From 11f7998b20159058c9e359446a36d3c081b8da91 Mon Sep 17 00:00:00 2001 From: Kosta Korenkov <7r0ggy@gmail.com> Date: Wed, 29 Jul 2015 20:47:17 +0300 Subject: [PATCH 123/328] Invalid omniauth redirect Addresses #285 --- .../devise_token_auth/omniauth_callbacks_controller.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 3c12c2523..8b44a32b3 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -9,7 +9,9 @@ def redirect_callbacks # derive target redirect route from 'resource_class' param, which was set # before authentication. devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym - redirect_route = "/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback" + redirect_route = File.join(request.protocol, request.host_with_port, Devise.mappings[devise_mapping].as_json["path"], + params[:provider], 'callback') + # preserve omniauth info for success route. ignore 'extra' in twitter # auth response to avoid CookieOverflow. From b324f1b659ace580121d87390db8ea2663be8158 Mon Sep 17 00:00:00 2001 
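Review bot: `redirect_route` in `redirect_callbacks` now embeds `request.host_with_port`, which Rails derives from the `Host` and `X-Forwarded-Host` request headers; behind a proxy that forwards those headers unfiltered, the OAuth callback redirect can be pointed at a host the application never chose, something the previous relative path could not do. If an absolute URL is required (presumably the point of #285), build it from a configured canonical host, such as the value used for `default_url_options[:host]`, or make sure the proxy overwrites `X-Forwarded-Host`; note also that the new URL omits `request.script_name`, so an app mounted under a sub-path would redirect to the wrong location. The same applies to the string-interpolated rewrite in the following commit ("Don't use File.join"). `redirect_callbacks` begins outside the hunk.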
From: Kosta Korenkov <7r0ggy@gmail.com> Date: Thu, 30 Jul 2015 06:22:00 +0300 Subject: [PATCH 124/328] Don't use File.join --- .../devise_token_auth/omniauth_callbacks_controller.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 8b44a32b3..0aa9e8aa8 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -9,9 +9,7 @@ def redirect_callbacks # derive target redirect route from 'resource_class' param, which was set # before authentication. devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym - redirect_route = File.join(request.protocol, request.host_with_port, Devise.mappings[devise_mapping].as_json["path"], - params[:provider], 'callback') - + redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback" # preserve omniauth info for success route. ignore 'extra' in twitter # auth response to avoid CookieOverflow. From 6bb099957adce29e84bc764d8171bb6747237ce7 Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Sat, 8 Aug 2015 15:12:47 -0400 Subject: [PATCH 125/328] Fixed error when using standard devise authentication --- .../devise_token_auth/concerns/set_user_by_token.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index aae932af5..015147d9a 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -10,6 +10,7 @@ module DeviseTokenAuth::Concerns::SetUserByToken # keep track of request duration def set_request_start @request_started_at = Time.now + @used_auth_by_token = true end # user auth @@ -31,6 +32,7 @@ def set_user_by_token(mapping=nil) # check for an existing user, authenticated via warden/devise devise_warden_user = warden.user(rc.to_s.underscore.to_sym) if devise_warden_user && devise_warden_user.tokens[@client_id].nil? + @used_auth_by_token = false @resource = devise_warden_user @resource.create_new_auth_token end @@ -64,6 +66,9 @@ def update_auth_header # cannot save object if model has invalid params return unless @resource and @resource.valid? and @client_id + # Generate new client_id with existing authentication + @client_id = nil unless @used_auth_by_token + if not DeviseTokenAuth.change_headers_on_each_request auth_header = @resource.build_auth_header(@token, @client_id) From 1f2d06350d4b592c59ccdbf299c6522e30c5f20e Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Sat, 8 Aug 2015 16:15:06 -0400 Subject: [PATCH 126/328] Tests to ensure standard devise has greater priority than tokens --- test/controllers/demo_user_controller_test.rb | 60 ++++++++++++++++++- test/fixtures/users.yml | 11 ++++ 2 files changed, 70 insertions(+), 1 deletion(-) diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index 364a90355..df0ad7c9a 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb 
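Review bot: `@used_auth_by_token` is initialised in `set_request_start` (hunk @@ -10) but consumed in `update_auth_header` (hunk @@ -64); a controller that skips `set_request_start` while keeping the other filters leaves the ivar `nil`, and `@client_id = nil unless @used_auth_by_token` then discards the client id on every token-authenticated request, which presumably mints a new client and token entry each time. Initialising the flag at the start of `set_user_by_token`, the filter that actually decides how the user was found, keeps the two sides of the decision together; alternatively treat only an explicit `false` as the Warden case. Both `set_user_by_token` and `update_auth_header` begin outside their hunks.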
@@ -258,11 +258,69 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest end end end + + describe 'existing Warden authentication with ignored token data' do + before do + @resource = users(:second_confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + login_as( @resource, :scope => :user) + + get '/demo/members_only', {}, @auth_headers + + @resp_token = response.headers['access-token'] + @resp_client_id = response.headers['client'] + @resp_expiry = response.headers['expiry'] + @resp_uid = response.headers['uid'] + end + + describe 'devise mappings' do + it 'should define current_user' do + assert_equal @resource, @controller.current_user + end + + it 'should define user_signed_in?' do + assert @controller.user_signed_in? + end + + it 'should not define current_mang' do + refute_equal @resource, @controller.current_mang + end + end + + it 'should return success status' do + assert_equal 200, response.status + end + + it 'should receive new token after successful request' do + assert @resp_token + end + + it 'should set the token expiry in the auth header' do + assert @resp_expiry + end + + it 'should return the client id in the auth header' do + assert @resp_client_id + end + + it "should not use the existing token's client" do + refute_equal @auth_headers['client'], @resp_client_id + end + + it "should return the user's uid in the auth header" do + assert @resp_uid + end + + it "should not return the token user's uid in the auth header" do + refute_equal @resp_uid, @auth_headers['uid'] + end + end end describe 'Existing Warden authentication' do before do - @resource = users(:confirmed_email_user) + @resource = users(:second_confirmed_email_user) @resource.skip_confirmation! @resource.save! login_as( @resource, :scope => :user) diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml index 5b5a1275c..fa65e199d 100644 --- a/test/fixtures/users.yml +++ b/test/fixtures/users.yml 
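Review bot: The new 'existing Warden authentication with ignored token data' examples assert that the returned `uid` differs from the token's but never that it belongs to the Warden user; `assert_equal @resource.uid, @resp_uid` pins the behaviour the commit message claims. `refute_equal @resource, @controller.current_mang` holds for any two objects of different classes, so if `current_mang` is expected to be empty here `assert_nil @controller.current_mang` is the meaningful check. The enclosing `describe` and the `before` that defines `@auth_headers` start above the hunk.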
@@ -10,6 +10,17 @@ confirmed_email_user: updated_at: '<%= timestamp %>' encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> +<% @second_email = Faker::Internet.email %> +second_confirmed_email_user: + uid: "<%= @second_email %>" + email: "<%= @second_email %>" + nickname: 'stimpy2' + provider: 'email' + confirmed_at: '<%= timestamp %>' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + <% @fb_email = Faker::Internet.email %> duplicate_email_facebook_user: uid: "<%= Faker::Number.number(10) %>" From 2d144767333ebee969926ba89920149e38ff15e7 Mon Sep 17 00:00:00 2001 From: Michael Colavita Date: Sat, 8 Aug 2015 17:10:04 -0400 Subject: [PATCH 127/328] Fix exception when change_headers_on_each_request is used alongside devise --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 015147d9a..93923cd8f 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -69,7 +69,7 @@ def update_auth_header # Generate new client_id with existing authentication @client_id = nil unless @used_auth_by_token - if not DeviseTokenAuth.change_headers_on_each_request + if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request auth_header = @resource.build_auth_header(@token, @client_id) # update the response header From e3e24b732841ea8233da4836c61caaae8b4e2949 Mon Sep 17 00:00:00 2001 
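Review bot: The rewritten condition in `update_auth_header` reads `if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request`; `and`/`not` are control-flow keywords with surprising precedence and the idiomatic form is `if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request`. Because the flag is only ever set by `set_request_start` (see the earlier commit in this concern), a `nil` value now also takes the else branch, so a comment such as `# nil means set_request_start did not run; treated like Warden auth` would record that this is intended. The method's remainder is outside the hunk.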
From: nbrustein Date: Fri, 31 Jul 2015 14:21:33 -0400 Subject: [PATCH 128/328] feat(improved-omniauth): add support for sameWindow and inAppBrowser omniauth flows --- CHANGELOG.md | 10 + Gemfile | 1 + Gemfile.lock | 8 +- README.md | 7 + .../devise_token_auth/CHANGELOG.md | 10 + .../omniauth_callbacks_controller.rb | 165 ++++++--- app/models/devise_token_auth/concerns/user.rb | 15 +- .../omniauth_external_window.html.erb | 38 ++ .../omniauth_failure.html.erb | 2 - .../omniauth_success.html.erb | 12 - app/views/layouts/omniauth_response.html.erb | 31 -- config/routes.rb | 1 + lib/devise_token_auth.rb | 1 + lib/devise_token_auth/engine.rb | 35 ++ lib/devise_token_auth/url.rb | 15 + lib/devise_token_auth/version.rb | 2 +- ...stom_omniauth_callbacks_controller_test.rb | 3 +- .../omniauth_callbacks_controller_test.rb | 333 ++++++++++-------- .../omniauth_callbacks_controller_test.rb | 3 +- .../app/controllers/auth_origin_controller.rb | 5 + test/dummy/config/routes.rb | 3 + test/lib/devise_token_auth/url_test.rb | 11 + test/models/user_test.rb | 8 - 23 files changed, 459 insertions(+), 260 deletions(-) create mode 100644 CHANGELOG.md create mode 100644 app/controllers/devise_token_auth/CHANGELOG.md create mode 100644 app/views/devise_token_auth/omniauth_external_window.html.erb delete mode 100644 app/views/devise_token_auth/omniauth_failure.html.erb delete mode 100644 app/views/devise_token_auth/omniauth_success.html.erb delete mode 100644 app/views/layouts/omniauth_response.html.erb create mode 100644 lib/devise_token_auth/url.rb create mode 100644 test/dummy/app/controllers/auth_origin_controller.rb create mode 100644 test/lib/devise_token_auth/url_test.rb diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 000000000..a9c4380f9 --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,10 @@ + +# 0.1.33 (2015-08-09) + +## Features + +- **Improved OAuth Flow**: Supports new OAuth window flows, allowing options for `sameWindow`, `newWindow`, and `inAppBrowser` + +## Breaking Changes + +- The new OmniAuth callback behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. \ No newline at end of file diff --git a/Gemfile b/Gemfile index 0822904c2..f826f53ff 100644 --- a/Gemfile +++ b/Gemfile @@ -34,6 +34,7 @@ group :development, :test do gem 'guard-minitest' gem 'faker' gem 'fuzz_ball' + gem 'mocha' end # code coverage, metrics diff --git a/Gemfile.lock b/Gemfile.lock index f5447bbdd..4fdbc7b0b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.32) + devise_token_auth (0.1.33) devise (~> 3.3) rails (~> 4.2) @@ -128,6 +128,7 @@ GEM lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) + metaclass (0.0.4) method_source (0.8.2) mime-types (2.6.1) mini_portile (0.6.2) @@ -142,10 +143,12 @@ GEM builder minitest (>= 5.0) ruby-progressbar + mocha (1.1.0) + metaclass (~> 0.0.1) multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.3.18) + mysql2 (0.3.19) nenv (0.2.0) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) @@ -245,6 +248,7 @@ DEPENDENCIES minitest-focus minitest-rails minitest-reporters + mocha mysql2 omniauth-facebook! omniauth-github! diff --git a/README.md b/README.md index 2e3be0b72..a5a6e8aec 100644 --- a/README.md +++ b/README.md 
@@ -846,5 +846,12 @@ To run the test suite do the following: The last command will open the [guard](https://github.com/guard/guard) test-runner. Guard will re-run each test suite when changes are made to its corresponding files. +To run just one test: +1. Clone this repo +2. Run `bundle install` +3. Run `rake db:migrate` +4. Run `RAILS_ENV=test rake db:migrate` +5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/ + # License This project uses the WTFPL diff --git a/app/controllers/devise_token_auth/CHANGELOG.md b/app/controllers/devise_token_auth/CHANGELOG.md new file mode 100644 index 000000000..a7c7ff0d3 --- /dev/null +++ b/app/controllers/devise_token_auth/CHANGELOG.md @@ -0,0 +1,10 @@ ++ ++# 0.1.33 (2015-??-??) ++ ++## Features ++ ++- **Improved OAuth Flow**: Supports new OAuth window flows, allowing options for `sameWindow`, `newWindow`, and `inAppBrowser` ++ ++## Breaking Changes ++ ++- The new OAuth redirect behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. \ No newline at end of file diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 3c12c2523..64abc8b4f 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -1,11 +1,14 @@ module DeviseTokenAuth class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController + + attr_reader :auth_params skip_before_filter :set_user_by_token skip_after_filter :update_auth_header # intermediary route for successful omniauth authentication. omniauth does # not support multiple models, so we must resort to this terrible hack. def redirect_callbacks + # derive target redirect route from 'resource_class' param, which was set # before authentication. devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym 
@@ -19,49 +22,113 @@ def redirect_callbacks redirect_to redirect_route end - def omniauth_success + def get_resource_from_auth_hash # find or create user by provider and provider uid @resource = resource_class.where({ uid: auth_hash['uid'], provider: auth_hash['provider'] }).first_or_initialize - @oauth_registration = @resource.new_record? + if @resource.new_record? + @oauth_registration = true + set_random_password + end + + # sync user info with provider, update/generate auth token + assign_provider_attrs(@resource, auth_hash) + + # assign any additional (whitelisted) attributes + extra_params = whitelisted_params + @resource.assign_attributes(extra_params) if extra_params + + @resource + end + + def set_random_password + # set crazy password for new oauth users. this is only used to prevent + # access via email sign-in. + p = SecureRandom.urlsafe_base64(nil, false) + @resource.password = p + @resource.password_confirmation = p + end + + def create_token_info # create token info @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) @expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i @config = omniauth_params['config_name'] + end - auth_origin_url_params = { - token: @token, + def create_auth_params + @auth_params = { + auth_token: @token, client_id: @client_id, uid: @resource.uid, expiry: @expiry, config: @config } - auth_origin_url_params.merge!(oauth_registration: true) if @oauth_registration - @auth_origin_url = generate_url(omniauth_params['auth_origin_url'], auth_origin_url_params) - - # set crazy password for new oauth users. this is only used to prevent - # access via email sign-in. 
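Review bot: `attr_reader :auth_params` makes `auth_params` a public instance method of the controller, which Rails counts among the controller's action methods even though nothing routes to it; since the reader appears to exist only so the tests can call `controller.auth_params`, either move it under `private` (the tests can read `assigns(:auth_params)` instead) or leave a comment on it, `# exposed for tests; not an action`. The rest of the hunk only adds a blank line and a comment inside redirect_callbacks, whose body continues outside the hunk.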
- unless @resource.id - p = SecureRandom.urlsafe_base64(nil, false) - @resource.password = p - @resource.password_confirmation = p - end + @auth_params.merge!(oauth_registration: true) if @oauth_registration + @auth_params + end + def set_token_on_resource @resource.tokens[@client_id] = { token: BCrypt::Password.create(@token), expiry: @expiry } + end - # sync user info with provider, update/generate auth token - assign_provider_attrs(@resource, auth_hash) + def render_data(message, data) + @data = data.merge({ + message: message + }) + render :layout => nil, :template => "devise_token_auth/omniauth_external_window" + end - # assign any additional (whitelisted) attributes - extra_params = whitelisted_params - @resource.assign_attributes(extra_params) if extra_params + def render_data_or_redirect(message, data) + + # We handle inAppBrowser and newWindow the same, but it is nice + # to support values in case people need custom implementations for each case + # (For example, nbrustein does not allow new users to be created if logging in with + # an inAppBrowser) + # + # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand + # why we can handle these both the same. The view is setup to handle both cases + # at the same time. + if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type) + render_data(message, data) + + elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url + + # build and redirect to destination url + redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data) + else + + # there SHOULD always be an auth_origin_url, but if someone does something silly + # like coming straight to this url or refreshing the page at the wrong time, there may not be one. + # In that case, just render in plain text the error message if there is one or otherwise + # a generic message. 
+ fallback_render data[:error] || 'An error occurred' + end + end + + def fallback_render(text) + render inline: %Q| + + + + + #{text} + + | + end + + def omniauth_success + get_resource_from_auth_hash + create_token_info + set_token_on_resource + create_auth_params if resource_class.devise_modules.include?(:confirmable) # don't send confirmation email!!! @@ -74,8 +141,7 @@ def omniauth_success yield if block_given? - # render user info to javascript postMessage communication window - render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_success" + render_data_or_redirect('deliverCredentials', @resource.as_json.merge(@auth_params.as_json)) end @@ -92,7 +158,7 @@ def assign_provider_attrs(user, auth_hash) def omniauth_failure @error = params[:message] - render :layout => "layouts/omniauth_response", :template => "devise_token_auth/omniauth_failure" + render_data_or_redirect('authFailure', {error: @error}) end @@ -109,10 +175,13 @@ def whitelisted_params } end - # pull resource class from omniauth return def resource_class(mapping = nil) - if omniauth_params + if omniauth_params['resource_class'] omniauth_params['resource_class'].constantize + elsif params['resource_class'] + params['resource_class'].constantize + else + raise "No resource_class found" end end 
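Review bot: `fallback_render` interpolates `text` into the `%Q|…|` string before `render inline:` compiles that string as an ERB template, and `text` is `params[:message]` (set in `omniauth_failure`, passed as `{error: @error}` into `render_data_or_redirect`, then `data[:error]`), so a request to the new `/failure` route controls template source rather than template output; pass the value as a local instead, `render inline: '…<%= text %>…', locals: { text: text }`, so ERB escapes it as output (the markup around `#{text}` is not visible on this page, so only the interpolation is shown here). Separately, the `sameWindow` branch redirects to `auth_origin_url` with `data` in the query string, where `data` is the whole `@resource.as_json` merged with `auth_token`, `client_id` and `expiry`, and `auth_origin_url` falls back to the request's `origin` value; the project already rejects unlisted redirect targets elsewhere (the locale file carries `redirect_url_not_allowed` for registrations and passwords), so the same allowlist check belongs before this `redirect_to`, and only the token fields rather than the full user serialization should travel in a URL (the removed test compared `tokens` and `password` keys of `@resource.as_json`, so check what the model's serializer emits). The enclosing class continues outside the hunk.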
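Review bot: The new `elsif params['resource_class']` branch of `resource_class` constantizes a value taken straight from the query string of a plain GET (`/failure` is routed in this patch), so any constant name a caller supplies is looked up and then used for `where`, `new` and `devise_modules`; resolve the name against the configured Devise mappings instead of constantizing it, e.g. `name = omniauth_params['resource_class'] || params['resource_class']`, `mapping = Devise.mappings.values.find { |m| m.class_name == name }`, `mapping ? mapping.to : raise("No resource_class found")`. The bare `raise "No resource_class found"` also raises a plain `RuntimeError`; a named error class under the engine's namespace would let callers rescue it specifically. The `mapping = nil` parameter of `resource_class` is still unused after this change; the method's surrounding class is outside the hunk.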
@@ -126,14 +195,37 @@ def resource_name # request.env variable. this variable is then persisted thru the redirect # using our own dta.omniauth.params session var. the omniauth_success # method will access that session var and then destroy it immediately - # after use. + # after use. In the failure case, finally, the omniauth params + # are added as query params in our monkey patch to OmniAuth in engine.rb def omniauth_params - if request.env['omniauth.params'] - request.env['omniauth.params'] - else - @_omniauth_params ||= session.delete('dta.omniauth.params') - @_omniauth_params + if !defined?(@_omniauth_params) + if request.env['omniauth.params'] && request.env['omniauth.params'].any? + @_omniauth_params = request.env['omniauth.params'] + elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any? + @_omniauth_params ||= session.delete('dta.omniauth.params') + @_omniauth_params + elsif params['omniauth_window_type'] + @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin') + else + @_omniauth_params = {} + end end + @_omniauth_params + + end + + def omniauth_window_type + omniauth_params['omniauth_window_type'] + end + + def auth_origin_url + omniauth_params['auth_origin_url'] || omniauth_params['origin'] + end + + # in the success case, omniauth_window_type is in the omniauth_params. + # in the failure case, it is in a query param. See monkey patch above + def omniauth_window_type + omniauth_params.nil? ? params['omniauth_window_type'] : omniauth_params['omniauth_window_type'] end # this sesison value is set by the redirect_callbacks method. its purpose @@ -159,18 +251,5 @@ def devise_mapping end end - def generate_url(url, params = {}) - auth_url = url - - # ensure that hash-bang is present BEFORE querystring for angularjs - unless url.match(/#/) - auth_url += '#' - end - - # add query AFTER hash-bang - auth_url += "?#{params.to_query}" - - return auth_url - end end end 
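Review bot: `omniauth_window_type` is defined twice in the new code (once right after `omniauth_params`, again after `auth_origin_url`); Ruby keeps the second definition, whose `omniauth_params.nil?` guard can never be true now that `omniauth_params` always returns a hash (it ends in `@_omniauth_params = {}`), so keep only the one-line form, `def omniauth_window_type; omniauth_params['omniauth_window_type']; end`, and move the "success case / failure case" comment onto it. Inside the `!defined?` guard, `@_omniauth_params ||= session.delete(...)` can be a plain `=`, and the `@_omniauth_params` line that follows it is dead since the method returns `@_omniauth_params` after the `if`. `auth_origin_url` now silently falls back to `omniauth_params['origin']`, which on the failure path is copied from the query string by the `params.slice(...)` branch; a comment stating that the value is request-controlled, `# origin comes from the caller's query string; validate before redirecting`, would keep the next reader from treating it as trusted. The `devise_mapping` hunk on this line only removes `generate_url`, which has moved to `DeviseTokenAuth::Url`.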
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index baa336f99..8ca4c7ae9 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -198,7 +198,7 @@ def build_auth_url(base_url, args) args[:uid] = self.uid args[:expiry] = self.tokens[args[:client_id]]['expiry'] - generate_url(base_url, args) + DeviseTokenAuth::Url.generate(base_url, args) end @@ -222,19 +222,6 @@ def token_validation_response protected - - def generate_url(url, params = {}) - uri = URI(url) - - res = "#{uri.scheme}://#{uri.host}" - res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443) - res += "#{uri.path}" if uri.path - res += "?#{params.to_query}" - res += "##{uri.fragment}" if uri.fragment - - return res - end - # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 diff --git a/app/views/devise_token_auth/omniauth_external_window.html.erb b/app/views/devise_token_auth/omniauth_external_window.html.erb new file mode 100644 index 000000000..c81af76ba --- /dev/null +++ b/app/views/devise_token_auth/omniauth_external_window.html.erb @@ -0,0 +1,38 @@ + + + + + + +
+    
+ + \ No newline at end of file diff --git a/app/views/devise_token_auth/omniauth_failure.html.erb b/app/views/devise_token_auth/omniauth_failure.html.erb deleted file mode 100644 index e483d3018..000000000 --- a/app/views/devise_token_auth/omniauth_failure.html.erb +++ /dev/null @@ -1,2 +0,0 @@ -message: "authFailure", -error: "<%= @error %>" diff --git a/app/views/devise_token_auth/omniauth_success.html.erb b/app/views/devise_token_auth/omniauth_success.html.erb deleted file mode 100644 index 5536ede5e..000000000 --- a/app/views/devise_token_auth/omniauth_success.html.erb +++ /dev/null @@ -1,12 +0,0 @@ -<% @resource.as_json.each do |attr, val| %> - "<%= attr %>": <%= val.to_json.html_safe %>, -<% end %> - -"auth_token": "<%= @token %>", -"message": "deliverCredentials", -"client_id": "<%= @client_id %>", -"expiry": "<%= @expiry %>", -<% if @oauth_registration %> -"oauth_registration": "true", -<% end %> -"config": "<%= @config %>" \ No newline at end of file diff --git a/app/views/layouts/omniauth_response.html.erb b/app/views/layouts/omniauth_response.html.erb deleted file mode 100644 index 2b3d6d3a2..000000000 --- a/app/views/layouts/omniauth_response.html.erb +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - -
-      Redirecting...
-    
- - diff --git a/config/routes.rb b/config/routes.rb index d50f7e6b0..a0aee7715 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -1,5 +1,6 @@ Rails.application.routes.draw do if defined?(::OmniAuth) get "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks" + get "#{DeviseTokenAuth.omniauth_prefix}/failure", to: "devise_token_auth/omniauth_callbacks#omniauth_failure" end end diff --git a/lib/devise_token_auth.rb b/lib/devise_token_auth.rb index 3a7865ab3..7ba990e61 100644 --- a/lib/devise_token_auth.rb +++ b/lib/devise_token_auth.rb @@ -2,6 +2,7 @@ require "devise_token_auth/engine" require "devise_token_auth/controllers/helpers" require "devise_token_auth/controllers/url_helpers" +require "devise_token_auth/url" module DeviseTokenAuth end diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index baf126332..b40a4d66b 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb 
@@ -33,6 +33,41 @@ def self.setup(&block) Rails.application.config.after_initialize do if defined?(::OmniAuth) ::OmniAuth::config.path_prefix = Devise.omniauth_path_prefix = self.omniauth_prefix + + + # Omniauth currently does not pass along omniauth.params upon failure redirect + # see also: https://github.com/intridea/omniauth/issues/626 + OmniAuth::FailureEndpoint.class_eval do + def redirect_to_failure + message_key = env['omniauth.error.type'] + origin_query_param = env['omniauth.origin'] ? "&origin=#{CGI.escape(env['omniauth.origin'])}" : "" + strategy_name_query_param = env['omniauth.error.strategy'] ? "&strategy=#{env['omniauth.error.strategy'].name}" : "" + extra_params = env['omniauth.params'] ? "&#{env['omniauth.params'].to_query}" : "" + new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}#{extra_params}" + Rack::Response.new(["302 Moved"], 302, 'Location' => new_path).finish + end + end + + + # Omniauth currently removes omniauth.params during mocked requests + # see also: https://github.com/intridea/omniauth/pull/812 + OmniAuth::Strategy.class_eval do + def mock_callback_call + setup_phase + @env['omniauth.origin'] = session.delete('omniauth.origin') + @env['omniauth.origin'] = nil if env['omniauth.origin'] == '' + @env['omniauth.params'] = session.delete('omniauth.params') || {} + mocked_auth = OmniAuth.mock_auth_for(name.to_s) + if mocked_auth.is_a?(Symbol) + fail!(mocked_auth) + else + @env['omniauth.auth'] = mocked_auth + OmniAuth.config.before_callback_phase.call(@env) if OmniAuth.config.before_callback_phase + call_app! + end + end + end + end end end diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb new file mode 100644 index 000000000..172a22fd6 --- /dev/null +++ b/lib/devise_token_auth/url.rb 
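Review bot: In the `redirect_to_failure` override, `message_key` and the strategy name are interpolated into the `Location` path unescaped while `omniauth.origin` is `CGI.escape`d and `omniauth.params` goes through `to_query`, so the query is encoded by three different rules and a message or strategy value containing reserved characters would break the resulting URL; building the whole query from one hash keeps every value encoded the same way. Both `class_eval` patches replace upstream methods unconditionally; since each is justified by a linked upstream issue, guard them on the OmniAuth version (or `instance_method` presence) and note in the comment which release makes the patch unnecessary, otherwise the override silently masks the upstream fix once it lands. The enclosing `after_initialize` block starts outside the hunk.
```ruby
def redirect_to_failure
  query = { 'message' => env['omniauth.error.type'] }
  query['origin'] = env['omniauth.origin'] if env['omniauth.origin']
  query['strategy'] = env['omniauth.error.strategy'].name if env['omniauth.error.strategy']
  query.merge!(env['omniauth.params']) if env['omniauth.params']
  # one encoding rule for every value, instead of CGI.escape for some and none for others
  new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?#{query.to_query}"
  Rack::Response.new(["302 Moved"], 302, 'Location' => new_path).finish
end
# … unchanged: mock_callback_call override …
```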
@@ -0,0 +1,15 @@ +module DeviseTokenAuth::Url + + def self.generate(url, params = {}) + uri = URI(url) + + res = "#{uri.scheme}://#{uri.host}" + res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443) + res += "#{uri.path}" if uri.path + res += "?#{params.to_query}" + res += "##{uri.fragment}" if uri.fragment + + return res + end + +end \ No newline at end of file diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 1725586a4..aa2634345 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.32" + VERSION = "0.1.33" end diff --git a/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb index edf785cb1..950bc7820 100644 --- a/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +++ b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb @@ -19,7 +19,8 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest test "yield resource to block on omniauth_sucess success" do @redirect_url = "http://ng-token-auth.dev/" get_via_redirect '/nice_user_auth/facebook', { - auth_origin_url: @redirect_url + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' } assert @controller.omniauth_success_block_called?, "omniauth_success failed to yield resource to provided block" end diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index c85e543c1..e11bee030 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -1,4 +1,5 @@ require 'test_helper' +require 'mocha/test_unit' # was the web request successful? # was the user redirected to the right page? 
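Review bot: `DeviseTokenAuth::Url.generate` drops any query string the incoming url already carries — `uri.query` is never read, so a target like `http://app/?foo=1` comes back without `foo` — and because it rebuilds the string from `uri.scheme` and `uri.host` it turns a relative url, such as the `'/auth_origin'` the new sameWindow test passes, into a `://`-prefixed string. Letting `URI` reassemble the url fixes both, still omits default ports (`URI#to_s` does that itself), and keeps the fragment-at-the-end expectation of the new url_test; the only visible difference is that an empty `params` no longer produces a trailing `?`. A YARD header, `# @param url [String] absolute or relative url; its own query string is preserved` / `# @return [String] url with params appended before the fragment`, would document the contract.
```ruby
def self.generate(url, params = {})
  uri = URI(url)
  # keep the caller's existing query; URI#to_s handles default ports and relative urls
  query = [uri.query, params.to_query].reject { |q| q.nil? || q.empty? }.join('&')
  uri.query = query.empty? ? nil : query
  uri.to_s
end
```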
@@ -9,148 +10,91 @@ class OmniauthTest < ActionDispatch::IntegrationTest setup do OmniAuth.config.test_mode = true - OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({ - :provider => 'facebook', - :uid => '123545', - :info => { - name: 'chong', - email: 'chongbong@aol.com' - } - }) end before do @redirect_url = "http://ng-token-auth.dev/" end - describe 'default user model' do - describe 'from api to provider' do - before do - get_via_redirect '/auth/facebook', { - auth_origin_url: @redirect_url - } + describe 'success callback' do - @resource = assigns(:resource) - end - - test 'status should be success' do - assert_equal 200, response.status - end + setup do + OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({ + :provider => 'facebook', + :uid => '123545', + :info => { + name: 'chong', + email: 'chongbong@aol.com' + } + }) + end - test 'request should determine the correct resource_class' do - assert_equal 'User', controller.omniauth_params['resource_class'] - end + test 'request should pass correct redirect_url' do + get_success + assert_equal @redirect_url, controller.omniauth_params['auth_origin_url'] + end - test 'request should pass correct redirect_url' do - assert_equal @redirect_url, controller.omniauth_params['auth_origin_url'] - end + test 'user should have been created' do + get_success + assert @resource + end - test 'user should have been created' do - assert @resource - end + test 'user should be assigned info from provider' do + get_success + assert_equal 'chongbong@aol.com', @resource.email + end - test 'user should be assigned info from provider' do - assert_equal 'chongbong@aol.com', @resource.email - end + test 'user should be assigned token' do + get_success + client_id = controller.auth_params[:client_id] + token = controller.auth_params[:auth_token] + expiry = controller.auth_params[:expiry] - test 'user should be of the correct class' do - assert_equal User, @resource.class - end + # the expiry should have been set 
+ assert_equal expiry, @resource.tokens[client_id][:expiry] + # the token sent down to the client should now be valid + assert @resource.valid_token?(token, client_id) + end - test 'response contains all serializable attributes for user' do - post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) + test 'session vars have been cleared' do + get_success + refute request.session['dta.omniauth.auth'] + refute request.session['dta.omniauth.params'] + end + test 'sign_in was called' do + User.any_instance.expects(:sign_in) + get_success + end - ['id', 'email', 'uid', 'name', - 'favorite_color', 'tokens', 'password' - ].each do |key| - assert_equal post_message[key], @resource.as_json[key], "Unexpected value for #{key.inspect}" - end - - assert_equal "deliverCredentials", post_message["message"] - assert post_message["auth_token"] - assert post_message["client_id"] - assert post_message["expiry"] - assert post_message["config"] + describe 'with default user model' do + before do + get_success end - - test 'session vars have been cleared' do - refute request.session['dta.omniauth.auth'] - refute request.session['dta.omniauth.params'] + test 'request should determine the correct resource_class' do + assert_equal 'User', controller.omniauth_params['resource_class'] end - describe 'trackable' do - test 'sign_in_count incrementns' do - assert @resource.sign_in_count > 0 - end - - test 'current_sign_in_at is updated' do - assert @resource.current_sign_in_at - end - - test 'last_sign_in_at is updated' do - assert @resource.last_sign_in_at - end - - test 'sign_in_ip is updated' do - assert @resource.current_sign_in_ip - end - - test 'last_sign_in_ip is updated' do - assert @resource.last_sign_in_ip - end + test 'user should be of the correct class' do + assert_equal User, @resource.class end - end - describe "oauth_registration attr" do - - def stub_resource - relation = {} - def relation.first_or_initialize - @resource ||= User.new - def 
@resource.save!; end # prevent validation error - @resource - end - User.stub(:where, relation) do - yield(relation.first_or_initialize) - end + describe 'with alternate user model' do + before do + get_via_redirect '/mangs/facebook', { + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' + } + assert_equal 200, response.status + @resource = assigns(:resource) end - - test 'response contains oauth_registration attr with new user' do - - stub_resource do |resource| - def resource.new_record? - true - end - get_via_redirect '/auth/facebook', { - auth_origin_url: @redirect_url - } - - post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) - assert post_message['oauth_registration'] - assert_match 'oauth_registration', @controller.instance_variable_get(:@auth_origin_url) - end + test 'request should determine the correct resource_class' do + assert_equal 'Mang', controller.omniauth_params['resource_class'] end - - test 'response does not contain oauth_registration attr with existing user' do - - stub_resource do |resource| - def resource.new_record? - false - end - get_via_redirect '/auth/facebook', { - auth_origin_url: @redirect_url - } - - post_message = JSON.parse(/postMessage\((?.*), '\*'\);/m.match(response.body)[:data]) - refute post_message['oauth_registration'] - assert_no_match 'oauth_registration', @controller.instance_variable_get(:@auth_origin_url) - end + test 'user should be of the correct class' do + assert_equal Mang, @resource.class end - - - end describe 'pass additional params' do @@ -160,7 +104,8 @@ def resource.new_record? get_via_redirect '/auth/facebook', { auth_origin_url: @redirect_url, favorite_color: @fav_color, - name: @unpermitted_param + name: @unpermitted_param, + omniauth_window_type: 'newWindow' } @resource = assigns(:resource) 
@@ -179,11 +124,54 @@ def resource.new_record? end end + describe "oauth registration attr" do + + after do + User.any_instance.unstub(:new_record?) + end + + describe 'with new user' do + + before do + User.any_instance.expects(:new_record?).returns(true).at_least_once + end + + test 'response contains oauth_registration attr' do + + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' + } + + assert_equal true, controller.auth_params[:oauth_registration] + end + end + + describe 'with existing user' do + + before do + User.any_instance.expects(:new_record?).returns(false).at_least_once + end + + test 'response does not contain oauth_registration attr' do + + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' + } + + assert_equal false, controller.auth_params.key?(:oauth_registration) + end + + end + + end describe 'using namespaces' do before do get_via_redirect '/api/v1/auth/facebook', { - auth_origin_url: @redirect_url + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' } @resource = assigns(:resource) 
@@ -201,43 +189,98 @@ def resource.new_record? assert_equal User, @resource.class end end - end + describe 'with omniauth_window_type=inAppBrowser' do - describe 'alternate user model' do - describe 'from api to provider' do - before do - get_via_redirect '/mangs/facebook', { - auth_origin_url: @redirect_url - } + test 'response contains all expected data' do + get_success(omniauth_window_type: 'inAppBrowser') + assert_expected_data_in_new_window + end - @resource = assigns(:resource) + end + + describe 'with omniauth_window_type=newWindow' do + + test 'response contains all expected data' do + get_success(omniauth_window_type: 'newWindow') + assert_expected_data_in_new_window end + end + + def assert_expected_data_in_new_window + data_json = @response.body.match(/var data \= (.+)\;/)[1] + data = ActiveSupport::JSON.decode(data_json) + expected_data = @resource.as_json.merge(controller.auth_params.as_json) + expected_data = ActiveSupport::JSON.decode(expected_data.to_json) + assert_equal(expected_data.merge("message" => "deliverCredentials"), data) + end - test 'status should be success' do + describe 'with omniauth_window_type=sameWindow' do + + test 'redirects to auth_origin_url with all expected query params' do + get_via_redirect '/auth/facebook', { + auth_origin_url: '/auth_origin', + omniauth_window_type: 'sameWindow' + } assert_equal 200, response.status - end - test 'request should determine the correct resource_class' do - assert_equal 'Mang', controller.omniauth_params['resource_class'] - end + # We have been forwarded to a url with all the expected + # data in the query params. - test 'request should pass correct redirect_url' do - assert_equal @redirect_url, controller.omniauth_params['auth_origin_url'] - end + # Assert that a uid was passed along. 
We have to assume + # that the rest of the values were as well, as we don't + # have access to @resource in this test anymore + assert(uid = controller.params['uid'], "No uid found") - test 'user should have been created' do - assert @resource + # check that all the auth stuff is there + [:auth_token, :client_id, :uid, :expiry, :config].each do |key| + assert(controller.params.key?(key), "No value for #{key.inspect}") + end end + end - test 'user should be assigned info from provider' do - assert_equal 'chongbong@aol.com', @resource.email - end + def get_success(params = {}) + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' + }.merge(params) + assert_equal 200, response.status + @resource = assigns(:resource) + end - test 'user should be of the correct class' do - assert_equal Mang, @resource.class - end + + + end + + describe 'failure callback' do + + + setup do + OmniAuth.config.mock_auth[:facebook] = :invalid_credentials + OmniAuth.config.on_failure = Proc.new { |env| + OmniAuth::FailureEndpoint.new(env).redirect_to_failure + } end + + test 'renders expected data' do + get_via_redirect '/auth/facebook', { + auth_origin_url: @redirect_url, + omniauth_window_type: 'newWindow' + } + assert_equal 200, response.status + + data_json = @response.body.match(/var data \= (.+)\;/)[1] + data = ActiveSupport::JSON.decode(data_json) + + assert_equal({"error"=>"invalid_credentials", "message"=>"authFailure"}, data) + end + + test 'renders somethign with no auth_origin_url' do + get_via_redirect '/auth/facebook' + assert_equal 200, response.status + assert_select "body", "invalid_credentials" + end + end describe 'User with only :database_authenticatable and :registerable included' do @@ -249,4 +292,4 @@ def resource.new_record? } end end -end +end \ No newline at end of file 
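Review bot: The test name `'renders somethign with no auth_origin_url'` has a typo; `'renders something with no auth_origin_url'`. That test is the only coverage of the `fallback_render` path and it asserts just the body text for a fixed `invalid_credentials` message; adding a case where the `message` query value contains characters that are significant in HTML or ERB, and asserting they come back escaped, would pin the rendering contract of that branch. The `describe 'failure callback'` block's `setup` replaces `OmniAuth.config.on_failure` globally and nothing restores it, so an `after` hook that resets it would keep later test files independent of ordering.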
diff --git a/test/controllers/overrides/omniauth_callbacks_controller_test.rb b/test/controllers/overrides/omniauth_callbacks_controller_test.rb index 65265f0ef..640446202 100644 --- a/test/controllers/overrides/omniauth_callbacks_controller_test.rb +++ b/test/controllers/overrides/omniauth_callbacks_controller_test.rb @@ -23,7 +23,8 @@ class Overrides::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTe get_via_redirect '/evil_user_auth/facebook', { auth_origin_url: Faker::Internet.url, - favorite_color: @favorite_color + favorite_color: @favorite_color, + omniauth_window_type: 'newWindow' } @resource = assigns(:resource) diff --git a/test/dummy/app/controllers/auth_origin_controller.rb b/test/dummy/app/controllers/auth_origin_controller.rb new file mode 100644 index 000000000..6df99d122 --- /dev/null +++ b/test/dummy/app/controllers/auth_origin_controller.rb @@ -0,0 +1,5 @@ +class AuthOriginController < ApplicationController + def redirected + render :nothing => true + end +end \ No newline at end of file diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 24c3c984f..c189223bb 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -49,4 +49,7 @@ # routes within this block will authorize visitors using the Mang or User class get 'demo/members_only_group', to: 'demo_group#members_only' + + # we need a route for omniauth_callback_controller to redirect to in sameWindow case + get 'auth_origin', to: 'auth_origin#redirected' end diff --git a/test/lib/devise_token_auth/url_test.rb b/test/lib/devise_token_auth/url_test.rb new file mode 100644 index 000000000..012dbf076 --- /dev/null +++ b/test/lib/devise_token_auth/url_test.rb 
@@ -0,0 +1,11 @@
+require 'test_helper'
+
+class DeviseTokenAuth::UrlTest < ActiveSupport::TestCase
+ describe "DeviseTokenAuth::Url#generate" do
+ test 'URI fragment should appear at the end of URL' do
+ params = {client_id: 123}
+ url = 'http://example.com#fragment'
+ assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?client_id=123#fragment"
+ end
+ end
+end
\ No newline at end of file
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index 93a127c9e..0e745ce91 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -99,13 +99,5 @@ class UserTest < ActiveSupport::TestCase
 assert @resource.save
 end
 end
-
- describe "#generate_url" do
- test 'URI fragment should appear at the end of URL' do
- params = {client_id: 123}
- url = 'http://example.com#fragment'
- assert_equal @resource.send(:generate_url, url, params), "http://example.com?client_id=123#fragment"
- end
- end
 end
 end
From cc4a9baa1613be0764ce402e9ac040b80dd6f88e Mon Sep 17 00:00:00 2001
From: Josias Schneider
Date: Mon, 10 Aug 2015 17:33:21 -0300
Subject: [PATCH 129/328] add Brazilian Portuguese translation (pt-BR)
---
 config/locales/pt-BR.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 config/locales/pt-BR.yml
diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
new file mode 100644
index 000000000..33e6e0b28
--- /dev/null
+++ b/config/locales/pt-BR.yml
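Review bot: The new url_test calls `DeviseTokenAuth::Url.send(:generate, url, params)`, but `generate` is a public module method, so `send` only hides the call from the reader; it also passes the actual value first and the expected value second, which inverts minitest's failure message. Write it as `assert_equal "http://example.com?client_id=123#fragment", DeviseTokenAuth::Url.generate(url, params)`. A second case with a url that already has a query string would document whether `generate` is expected to preserve it, which the current implementation does not.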
@@ -0,0 +1,30 @@
+pt-BR:
+ devise_token_auth:
+ sessions:
+ not_confirmed: "Uma mensagem com um link de confirmação foi enviado para seu endereço de e-mail. Você precisa confirmar sua conta antes de continuar."
+ bad_credentials: "E-mail ou senha inválidos."
+ not_supported: "Use POST /sign_in para efetuar o login. GET não é suportado."
+ user_not_found: "Usuário não existe ou não está logado."
+ token_validations:
+ invalid: "Dados de login inválidos."
+ registrations:
+ missing_confirm_success_url: "Parâmetro `confirm_success_url` não informado."
+ redirect_url_not_allowed: "Redirecionamento para %{redirect_url} não permitido."
+ email_already_exists: "Já existe uma conta com o email %{email}."
+ account_with_uid_destroyed: "A conta com uid %{uid} foi excluída."
+ account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão."
+ user_not_found: "Usuário não encontrado."
+ passwords:
+ missing_email: "Informe o endereço de e-mail."
+ missing_redirect_url: "URL para redirecionamento não informada."
+ not_allowed_redirect_url: "Redirecionamento para %{redirect_url} não permitido."
+ sended: "Você receberá um e-mail com instruções sobre como redefinir sua senha."
+ user_not_found: "Não existe um usuário com o e-mail '%{email}'."
+ password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}."
+ missing_passwords: 'Preencha a senha e a confirmação de senha.'
+ successfully_updated: "Senha atualizada com sucesso."
+
+ errors:
+ validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos."
+ validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos."
+ not_email: "não é um e-mail"
From 71d8bbe5978ef442d05230f675c04aaa954db011 Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Mon, 10 Aug 2015 17:09:10 -0600
Subject: [PATCH 130/328] chore(deps): lock devise to last known working v3.5.1
---
 Gemfile.lock | 2 +-
 devise_token_auth.gemspec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 4fdbc7b0b..959386546 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -34,7 +34,7 @@ PATH
 remote: .
 specs:
 devise_token_auth (0.1.33)
- devise (~> 3.3)
+ devise (= 3.5.1)
 rails (~> 4.2)
 GEM
diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec
index 99088c684..79c7e7c8b 100644
--- a/devise_token_auth.gemspec
+++ b/devise_token_auth.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
 s.test_files = Dir["test/**/*"]
 s.add_dependency "rails", "~> 4.2"
- s.add_dependency "devise", "~> 3.3"
+ s.add_dependency "devise", "3.5.1"
 s.add_development_dependency "sqlite3", "~> 1.3"
 s.add_development_dependency 'pg'
From 3b897a80d9543ed377f47dea7fce34986ed18111 Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Mon, 10 Aug 2015 17:13:50 -0600
Subject: [PATCH 131/328] v0.1.34
---
 Gemfile.lock | 2 +-
 lib/devise_token_auth/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 959386546..5c3ddc058 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -33,7 +33,7 @@ GIT
 PATH
 remote: .
 specs:
- devise_token_auth (0.1.33)
+ devise_token_auth (0.1.34)
 devise (= 3.5.1)
 rails (~> 4.2)
diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb
index aa2634345..9d889d1a5 100644
--- a/lib/devise_token_auth/version.rb
+++ b/lib/devise_token_auth/version.rb
@@ -1,3 +1,3 @@
 module DeviseTokenAuth
- VERSION = "0.1.33"
+ VERSION = "0.1.34"
 end
From 870dcdbdf8263e3c594bb64b4b494e111330e019 Mon Sep 17 00:00:00 2001
From: Nate Brustein Date: Thu, 13 Aug 2015 09:44:29 -0400 Subject: [PATCH 132/328] fix(omniauth): fix error in setting text on redirect page --- app/views/devise_token_auth/omniauth_external_window.html.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/devise_token_auth/omniauth_external_window.html.erb b/app/views/devise_token_auth/omniauth_external_window.html.erb index c81af76ba..3992decb2 100644 --- a/app/views/devise_token_auth/omniauth_external_window.html.erb +++ b/app/views/devise_token_auth/omniauth_external_window.html.erb @@ -27,7 +27,7 @@ return data; } setTimeout(function() { - window.getElementById('text').innerHTML = 'Redirecting...'; + document.getElementById('text').innerHTML = (data && data.error) || 'Redirecting...'; }, 1000); From 29a77eb2a1cfc154d13058cdce44a9900dce6cc4 Mon Sep 17 00:00:00 2001 From: Kopylov German Date: Mon, 17 Aug 2015 20:17:56 +0300 Subject: [PATCH 133/328] #340 Restrict access to controllers methods --- .../application_controller.rb | 1 + .../concerns/set_user_by_token.rb | 2 + .../omniauth_callbacks_controller.rb | 267 +++++++++--------- .../devise_token_auth/passwords_controller.rb | 10 +- .../devise_token_auth/sessions_controller.rb | 13 +- 5 files changed, 152 insertions(+), 141 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 30de620c7..0edc95010 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -2,6 +2,7 @@ module DeviseTokenAuth class ApplicationController < DeviseController include DeviseTokenAuth::Concerns::SetUserByToken + protected def resource_class(m=nil) if m diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 93923cd8f..d2289a34e 100644 
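Review bot: The new line writes `data.error` into `innerHTML`, and on the failure path that value originates in `omniauth_failure` as `params[:message]` before `render_data_or_redirect` hands it to this view (see the controller hunks in the next commit on this page), so request-controlled text is interpreted as markup by the browser, subject to how the view serializes `data`, which is outside the hunk. The message is only displayed, so `document.getElementById('text').textContent = (data && data.error) || 'Redirecting...';` gives the same result without an HTML sink. The `setTimeout` callback is complete in the hunk; the surrounding script is not.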
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -7,6 +7,8 @@ module DeviseTokenAuth::Concerns::SetUserByToken after_action :update_auth_header end + protected + # keep track of request duration def set_request_start @request_started_at = Time.now diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 4c355c8ae..7ed01e095 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -22,108 +22,6 @@ def redirect_callbacks redirect_to redirect_route end - def get_resource_from_auth_hash - # find or create user by provider and provider uid - @resource = resource_class.where({ - uid: auth_hash['uid'], - provider: auth_hash['provider'] - }).first_or_initialize - - if @resource.new_record? - @oauth_registration = true - set_random_password - end - - # sync user info with provider, update/generate auth token - assign_provider_attrs(@resource, auth_hash) - - # assign any additional (whitelisted) attributes - extra_params = whitelisted_params - @resource.assign_attributes(extra_params) if extra_params - - @resource - end - - def set_random_password - # set crazy password for new oauth users. this is only used to prevent - # access via email sign-in. - p = SecureRandom.urlsafe_base64(nil, false) - @resource.password = p - @resource.password_confirmation = p - end - - def create_token_info - # create token info - @client_id = SecureRandom.urlsafe_base64(nil, false) - @token = SecureRandom.urlsafe_base64(nil, false) - @expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i - @config = omniauth_params['config_name'] - end - - def create_auth_params - @auth_params = { - auth_token: @token, - client_id: @client_id, - uid: @resource.uid, - expiry: @expiry, - config: @config - } - @auth_params.merge!(oauth_registration: true) if @oauth_registration - @auth_params - end - - def set_token_on_resource - @resource.tokens[@client_id] = { - token: BCrypt::Password.create(@token), - expiry: @expiry - } - end - - def render_data(message, data) - @data = data.merge({ - message: message - }) - render :layout => nil, :template => "devise_token_auth/omniauth_external_window" - end - - def render_data_or_redirect(message, data) - - # We handle inAppBrowser and newWindow the same, but it is nice - # to support values in case people need custom implementations for each case - # (For example, nbrustein does not allow new users to be created if logging in with - # an 
inAppBrowser) - # - # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand - # why we can handle these both the same. The view is setup to handle both cases - # at the same time. - if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type) - render_data(message, data) - - elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url - - # build and redirect to destination url - redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data) - else - - # there SHOULD always be an auth_origin_url, but if someone does something silly - # like coming straight to this url or refreshing the page at the wrong time, there may not be one. - # In that case, just render in plain text the error message if there is one or otherwise - # a generic message. - fallback_render data[:error] || 'An error occurred' - end - end - - def fallback_render(text) - render inline: %Q| - - - - - #{text} - - | - end - def omniauth_success get_resource_from_auth_hash create_token_info 
@@ -144,6 +42,37 @@ def omniauth_success render_data_or_redirect('deliverCredentials', @resource.as_json.merge(@auth_params.as_json)) end + def omniauth_failure + @error = params[:message] + render_data_or_redirect('authFailure', {error: @error}) + end + + # this will be determined differently depending on the action that calls + # it. redirect_callbacks is called upon returning from successful omniauth + # authentication, and the target params live in an omniauth-specific + # request.env variable. this variable is then persisted thru the redirect + # using our own dta.omniauth.params session var. the omniauth_success + # method will access that session var and then destroy it immediately + # after use. In the failure case, finally, the omniauth params + # are added as query params in our monkey patch to OmniAuth in engine.rb + def omniauth_params + if !defined?(@_omniauth_params) + if request.env['omniauth.params'] && request.env['omniauth.params'].any? + @_omniauth_params = request.env['omniauth.params'] + elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any? + @_omniauth_params ||= session.delete('dta.omniauth.params') + @_omniauth_params + elsif params['omniauth_window_type'] + @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin') + else + @_omniauth_params = {} + end + end + @_omniauth_params + + end + + protected # break out provider attribute assignment for easy method extension def assign_provider_attrs(user, auth_hash) @@ -155,13 +84,6 @@ def assign_provider_attrs(user, auth_hash) }) end - - def omniauth_failure - @error = params[:message] - render_data_or_redirect('authFailure', {error: @error}) - end - - # derive allowed params from the standard devise parameter sanitizer def whitelisted_params whitelist = devise_parameter_sanitizer.for(:sign_up) 
@@ -189,31 +111,6 @@ def resource_name resource_class end - # this will be determined differently depending on the action that calls - # it. redirect_callbacks is called upon returning from successful omniauth - # authentication, and the target params live in an omniauth-specific - # request.env variable. this variable is then persisted thru the redirect - # using our own dta.omniauth.params session var. the omniauth_success - # method will access that session var and then destroy it immediately - # after use. In the failure case, finally, the omniauth params - # are added as query params in our monkey patch to OmniAuth in engine.rb - def omniauth_params - if !defined?(@_omniauth_params) - if request.env['omniauth.params'] && request.env['omniauth.params'].any? - @_omniauth_params = request.env['omniauth.params'] - elsif session['dta.omniauth.params'] && session['dta.omniauth.params'].any? - @_omniauth_params ||= session.delete('dta.omniauth.params') - @_omniauth_params - elsif params['omniauth_window_type'] - @_omniauth_params = params.slice('omniauth_window_type', 'auth_origin_url', 'resource_class', 'origin') - else - @_omniauth_params = {} - end - end - @_omniauth_params - - end - def omniauth_window_type omniauth_params['omniauth_window_type'] end 
@@ -251,5 +148,107 @@ def devise_mapping end end + def set_random_password + # set crazy password for new oauth users. this is only used to prevent + # access via email sign-in. + p = SecureRandom.urlsafe_base64(nil, false) + @resource.password = p + @resource.password_confirmation = p + end + + def create_token_info + # create token info + @client_id = SecureRandom.urlsafe_base64(nil, false) + @token = SecureRandom.urlsafe_base64(nil, false) + @expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i + @config = omniauth_params['config_name'] + end + + def create_auth_params + @auth_params = { + auth_token: @token, + client_id: @client_id, + uid: @resource.uid, + expiry: @expiry, + config: @config + } + @auth_params.merge!(oauth_registration: true) if @oauth_registration + @auth_params + end + + def set_token_on_resource + @resource.tokens[@client_id] = { + token: BCrypt::Password.create(@token), + expiry: @expiry + } + end + + def render_data(message, data) + @data = data.merge({ + message: message + }) + render :layout => nil, :template => "devise_token_auth/omniauth_external_window" + end + + def render_data_or_redirect(message, data) + + # We handle inAppBrowser and newWindow the same, but it is nice + # to support values in case people need custom implementations for each case + # (For example, nbrustein does not allow new users to be created if logging in with + # an inAppBrowser) + # + # See app/views/devise_token_auth/omniauth_external_window.html.erb to understand + # why we can handle these both the same. The view is setup to handle both cases + # at the same time. 
+ if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type) + render_data(message, data) + + elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url + + # build and redirect to destination url + redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data) + else + + # there SHOULD always be an auth_origin_url, but if someone does something silly + # like coming straight to this url or refreshing the page at the wrong time, there may not be one. + # In that case, just render in plain text the error message if there is one or otherwise + # a generic message. + fallback_render data[:error] || 'An error occurred' + end + end + + def fallback_render(text) + render inline: %Q| + + + + + #{text} + + | + end + + def get_resource_from_auth_hash + # find or create user by provider and provider uid + @resource = resource_class.where({ + uid: auth_hash['uid'], + provider: auth_hash['provider'] + }).first_or_initialize + + if @resource.new_record? + @oauth_registration = true + set_random_password + end + + # sync user info with provider, update/generate auth token + assign_provider_attrs(@resource, auth_hash) + + # assign any additional (whitelisted) attributes + extra_params = whitelisted_params + @resource.assign_attributes(extra_params) if extra_params + + @resource + end + end end diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 1e4c25fb4..96452821a 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -165,6 +165,8 @@ def update end end + protected + def resource_update_method if DeviseTokenAuth.check_current_password_before_update != false "update_with_password" 
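Review bot: In the moved `fallback_render`, `text` is interpolated directly into the string given to `render inline:`, which Rails compiles as an ERB template, and its only caller passes `data[:error]`, which `omniauth_failure` in this same file takes from `params[:message]`; a request-supplied message therefore becomes template source rather than escaped output. Escaping at the interpolation point, `#{ERB::Util.html_escape(text)}`, keeps the minimal page and renders the message as plain text. The commit only relocates these methods under `protected`, so the defect predates it, but this hunk is where the code now lives; `get_resource_from_auth_hash` and the other moved bodies are unchanged.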
@@ -173,13 +175,15 @@ def resource_update_method end end - def password_resource_params - params.permit(devise_parameter_sanitizer.for(:account_update)) - end + private def resource_params params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token) end + def password_resource_params + params.permit(devise_parameter_sanitizer.for(:account_update)) + end + end end diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index afaa45365..22bca7582 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -86,14 +86,12 @@ def destroy end end + protected + def valid_params?(key, val) resource_params[:password] && key && val end - def resource_params - params.permit(devise_parameter_sanitizer.for(:sign_in)) - end - def get_auth_params auth_key = nil auth_val = nil @@ -117,5 +115,12 @@ def get_auth_params val: auth_val } end + + private + + def resource_params + params.permit(devise_parameter_sanitizer.for(:sign_in)) + end + end end From 2cac1ef9a8ce5f1f998bc273339a77ea48e7f128 Mon Sep 17 00:00:00 2001 From: Travis Loncar Date: Wed, 19 Aug 2015 19:44:07 -0400 Subject: [PATCH 134/328] Fully support OmniauthCallbacksController action overrides. Fixes #186. Remove config/routes.rb and define all routes in lib/devise_token_auth/rails/routes.rb; this ensures that all OmniauthCallbacksController actions can be overridden. --- config/routes.rb | 6 ------ lib/devise_token_auth/rails/routes.rb | 3 +++ 2 files changed, 3 insertions(+), 6 deletions(-) delete mode 100644 config/routes.rb diff --git a/config/routes.rb b/config/routes.rb deleted file mode 100644 index a0aee7715..000000000 --- a/config/routes.rb +++ /dev/null 
@@ -1,6 +0,0 @@
-Rails.application.routes.draw do
- if defined?(::OmniAuth)
- get "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", to: "devise_token_auth/omniauth_callbacks#redirect_callbacks"
- get "#{DeviseTokenAuth.omniauth_prefix}/failure", to: "devise_token_auth/omniauth_callbacks#omniauth_failure"
- end
-end
diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb
index 544cb67f9..937d60292 100644
--- a/lib/devise_token_auth/rails/routes.rb
+++ b/lib/devise_token_auth/rails/routes.rb
@@ -52,6 +52,9 @@ def mount_devise_token_auth_for(resource, opts)
 match "#{full_path}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get]
 match "#{full_path}/:provider/callback", controller: omniauth_ctrl, action: "omniauth_success", via: [:get]
+ match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: "redirect_callbacks", via: [:get]
+ match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get]
+
 # preserve the resource class thru oauth authentication by setting name of
 # resource as "resource_class" param
 match "#{full_path}/:provider", to: redirect{|params, request|
From 8afe4d349a8564eb36e7be3c5faed62f08f539e9 Mon Sep 17 00:00:00 2001
From: aarongray
Date: Thu, 20 Aug 2015 19:22:42 -0700
Subject: [PATCH 135/328] Add documentation to explain gotcha with rails-api.
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index a5a6e8aec..22467f3ac 100644
--- a/README.md
+++ b/README.md
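Review bot: The two `match "#{DeviseTokenAuth.omniauth_prefix}/..."` routes are added inside `mount_devise_token_auth_for`, yet neither depends on `full_path` or `resource`, so each additional mount (the dummy app on this page mounts both `User` and `Mang`) presumably registers the same two paths again with that mount's `omniauth_ctrl`, and only the first registration can ever match. If the first mount is meant to own the global callback, a comment stating that would save the next reader the question; otherwise a one-time guard around the pair, or defining them once outside the per-resource method as the deleted `config/routes.rb` did, avoids the shadowed duplicates. The method starts before the hunk.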
@@ -109,7 +109,7 @@ The following events will take place when using the install generator: * Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). -* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). +* A concern will be included by your application controller at `app/controllers/application_controller.rb`. *If you are using `rails-api` instead of vanilla rails, you will need to add this concern manually.* [Read more](#controller-methods). * A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: From 0db531efa19d4f37f4d11781160f8220791f5727 Mon Sep 17 00:00:00 2001 From: aarongray Date: Thu, 20 Aug 2015 23:39:56 -0700 Subject: [PATCH 136/328] Fix concern not being inserted for rails-api apps. --- README.md | 2 +- lib/generators/devise_token_auth/install_generator.rb | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 22467f3ac..a5a6e8aec 100644 --- a/README.md +++ b/README.md @@ -109,7 +109,7 @@ The following events will take place when using the install generator: * Routes will be appended to file at `config/routes.rb`. [Read more](#mounting-routes). -* A concern will be included by your application controller at `app/controllers/application_controller.rb`. *If you are using `rails-api` instead of vanilla rails, you will need to add this concern manually.* [Read more](#controller-methods). +* A concern will be included by your application controller at `app/controllers/application_controller.rb`. [Read more](#controller-methods). * A migration file will be created in the `db/migrate` directory. Inspect the migrations file, add additional columns if necessary, and then run the migration: 
diff --git a/lib/generators/devise_token_auth/install_generator.rb b/lib/generators/devise_token_auth/install_generator.rb
index 5a7521ba7..b459529ce 100644
--- a/lib/generators/devise_token_auth/install_generator.rb
+++ b/lib/generators/devise_token_auth/install_generator.rb
@@ -48,6 +48,11 @@ def include_controller_concerns
 if File.exist?(File.join(destination_root, fname))
 if parse_file_for_line(fname, line)
 say_status("skipped", "Concern is already included in the application controller.")
+ elsif is_rails_api?
+ inject_into_file fname, after: "class ApplicationController < ActionController::API\n" do <<-'RUBY'
+ include DeviseTokenAuth::Concerns::SetUserByToken
+ RUBY
+ end
 else
 inject_into_file fname, after: "class ApplicationController < ActionController::Base\n" do <<-'RUBY'
 include DeviseTokenAuth::Concerns::SetUserByToken
@@ -116,6 +121,12 @@ def parse_file_for_line(filename, str)
 match
 end
+ def is_rails_api?
+ fname = "app/controllers/application_controller.rb"
+ line = "class ApplicationController < ActionController::API"
+ parse_file_for_line(fname, line)
+ end
+
 def json_supported_database?
 (postgres? && postgres_correct_version?) || (mysql? && mysql_correct_version?)
 end
From b310544993f2a03dde60c2a1999a32ac326f97de Mon Sep 17 00:00:00 2001
From: Yaroslav Konoplov
Date: Tue, 25 Aug 2015 16:18:10 +0300
Subject: [PATCH 137/328] Correct handling namespaced resources
---
 lib/devise_token_auth/rails/routes.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb
index 937d60292..a147eea47 100644
--- a/lib/devise_token_auth/rails/routes.rb
+++ b/lib/devise_token_auth/rails/routes.rb
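Review bot: The `elsif is_rails_api?` branch repeats the whole `inject_into_file ... <<-'RUBY'` block that follows in the `else`, differing only in the base class named in `after:`; picking the class once, `base = is_rails_api? ? "ActionController::API" : "ActionController::Base"`, and injecting with `after: "class ApplicationController < #{base}\n"` leaves a single insertion site to maintain. The predicate added in the second hunk carries an `is_` prefix that Ruby naming convention avoids; `def rails_api?` reads as a predicate on its own and matches `json_supported_database?` right below it. `include_controller_concerns` begins before the first hunk.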
@@ -22,7 +22,7 @@ def mount_devise_token_auth_for(resource, opts) # remove any unwanted devise modules opts[:skip].each{|item| controllers.delete(item)} - devise_for resource.pluralize.underscore.to_sym, + devise_for resource.pluralize.underscore.gsub('/', '_').to_sym, :class_name => resource, :module => :devise, :path => "#{opts[:at]}", @@ -43,7 +43,7 @@ def mount_devise_token_auth_for(resource, opts) parent: nil ) - devise_scope resource.underscore.to_sym do + devise_scope resource.underscore.gsub('/', '_').to_sym do # path to verify token validity get "#{full_path}/validate_token", controller: "#{token_validations_ctrl}", action: "validate_token" From b61aa2cba681918b9bb5d6486cbb59803d1cab99 Mon Sep 17 00:00:00 2001 From: aarongray Date: Tue, 25 Aug 2015 12:35:37 -0700 Subject: [PATCH 138/328] Add description to readme about the devise.rb initializer. Right now the readme doesn't contain any info about this file, although it is an important part of configuring this library, and our example app uses it. Adding this section here should make it a little easier on newcomers to learn that this part of configuring devise. --- README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/README.md b/README.md index a5a6e8aec..704a91e26 100644 --- a/README.md +++ b/README.md 
@@ -162,6 +162,20 @@ The following settings are available for configuration in `config/initializers/d | **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the cilent. | | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | +Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: + +~~~ruby +Devise.setup do |config| + # The e-mail address that mail will appear to be sent from + # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com" + config.mailer_sender = "support@myapp.com" + + # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash + # middleware b/c rails-api does not include it. + # See: http://stackoverflow.com/q/19600905/806956 + config.navigational_formats = [:json] +end +~~~ ## OmniAuth authentication From d904522f8e7e365f4d06ccbc6746fbd91f0f7112 Mon Sep 17 00:00:00 2001 
From: aarongray Date: Wed, 26 Aug 2015 21:36:38 -0700 Subject: [PATCH 139/328] Improvements to the docs. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Add link in e-mail auth section pointing to e-mail template overrides. • Add section explaining that devise_token_auth uses the devise verbiage by default (so its not necessary to create a yml file), but if you wish to customize it, you can create an overrides file in config/locales/devise.en.yml. • Add link pointing to default devise verbiage file. • Add link to e-mail template overrides demoing custom e-mail subjects. --- README.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 704a91e26..5b6e26be1 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,7 @@ Please read the [issue reporting guidelines](#issue-reporting) before posting is * [OmniAuth Authentication](#omniauth-authentication) * [OmniAuth Provider Settings](#omniauth-provider-settings) * [Email Authentication](#email-authentication) + * [Customizing Devise Verbiage](#customizing-devise-verbiage) * [Cross Origin Requests (CORS)](#cors) * [Usage Continued](#usage-cont) * [Mounting Routes](#mounting-routes) 
@@ -285,6 +286,21 @@ Rails.application.configure do end ~~~ +If you wish to send custom e-mails instead of using the default devise templates, you can [do that too](#email-template-overrides). + +## Customizing Devise Verbiage +Devise Token Auth ships with intelligent default wording for everything you need. But that doesn't mean you can't make it more awesome. You can override the [devise defaults](https://github.com/plataformatec/devise/blob/master/config/locales/en.yml) by creating a YAML file at `config/locales/devise.en.yml` and assigning whatever custom values you want. For example, to customize the subject line of your devise e-mails, you could do this: + +~~~yaml +en: + devise: + mailer: + confirmation_instructions: + subject: "Please confirm your e-mail address" + reset_password_instructions: + subject: "Reset password request" +~~~ + ## CORS If your API and client live on different domains, you will need to configure your Rails API to allow [cross origin requests](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). The [rack-cors](https://github.com/cyu/rack-cors) gem can be used to accomplish this. @@ -695,7 +711,7 @@ This will create two new files: * `app/views/devise/mailer/reset_password_instructions.html.erb` * `app/views/devise/mailer/confirmation_instructions.html.erb` -These files may be edited to suit your taste. +These files may be edited to suit your taste. You can customize the e-mail subjects like [this](#customizing-devise-verbiage). **Note:** if you choose to modify these templates, do not modify the `link_to` blocks unless you absolutely know what you are doing. From d59866bd5c37df01657480f7d23f4a49c7a8dae4 Mon Sep 17 00:00:00 2001 From: The Gitter Badger Date: Thu, 27 Aug 2015 22:27:28 +0000 Subject: [PATCH 140/328] Added Gitter badge --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 5b6e26be1..3e0c0de3c 100644 --- a/README.md +++ b/README.md 
@@ -8,6 +8,8 @@ ## Simple, secure token based authentication for Rails. +[![Join the chat at https://gitter.im/lynndylanhurley/devise_token_auth](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/lynndylanhurley/devise_token_auth?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) + This gem provides the following features: * Seamless integration with both the the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js) and the outstanding [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). From bf2cc1b69a1456e53b40de87ec98245102d235a8 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Fri, 28 Aug 2015 21:05:03 -0600 Subject: [PATCH 141/328] chore(deps): update to devise 3.5.2 --- Gemfile.lock | 10 +++++----- devise_token_auth.gemspec | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 5c3ddc058..754ef9a7c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ PATH remote: . specs: devise_token_auth (0.1.34) - devise (= 3.5.1) + devise (~> 3.5.2) rails (~> 4.2) GEM @@ -76,7 +76,7 @@ GEM thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) ansi (1.5.0) - arel (6.0.2) + arel (6.0.3) attr_encrypted (1.3.4) encryptor (>= 1.3.0) bcrypt (3.1.10) @@ -84,7 +84,7 @@ GEM codeclimate-test-reporter (0.4.7) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) - devise (3.5.1) + devise (3.5.2) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) @@ -101,7 +101,7 @@ GEM ffi (1.9.10) formatador (0.2.5) fuzz_ball (0.9.1) - globalid (0.3.5) + globalid (0.3.6) activesupport (>= 4.1.0) guard (2.13.0) formatador (>= 0.2.4) @@ -218,7 +218,7 @@ GEM simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) - sprockets (3.2.0) + sprockets (3.3.3) rack (~> 1.0) sprockets-rails (2.3.2) actionpack (>= 3.0) 
diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 79c7e7c8b..4a8044e25 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -18,7 +18,7 @@ Gem::Specification.new do |s| s.test_files = Dir["test/**/*"] s.add_dependency "rails", "~> 4.2" - s.add_dependency "devise", "3.5.1" + s.add_dependency "devise", "~> 3.5.2" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From bf0d19b96f65327b28a8cd1f0f07741ebce1a3a6 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Sat, 29 Aug 2015 11:41:41 -0600 Subject: [PATCH 142/328] fix(concern): fix BCrypt namespacing after Devise 3.5.2 update. Fixes #333 --- app/models/devise_token_auth/concerns/user.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 8ca4c7ae9..91f4c7599 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -1,3 +1,5 @@ +require 'bcrypt' + module DeviseTokenAuth::Concerns::User extend ActiveSupport::Concern @@ -5,7 +7,7 @@ def self.tokens_match?(token_hash, token) @token_equality_cache ||= {} key = "#{token_hash}/#{token}" - result = @token_equality_cache[key] ||= (BCrypt::Password.new(token_hash) == token) + result = @token_equality_cache[key] ||= (::BCrypt::Password.new(token_hash) == token) if @token_equality_cache.size > 10000 @token_equality_cache = {} end @@ -147,7 +149,7 @@ def token_can_be_reused?(token, client_id) Time.parse(updated_at) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and # ensure that the token is valid - BCrypt::Password.new(last_token) == token + ::BCrypt::Password.new(last_token) == token ) end 
@@ -157,7 +159,7 @@ def create_new_auth_token(client_id=nil) client_id ||= SecureRandom.urlsafe_base64(nil, false) last_token ||= nil token = SecureRandom.urlsafe_base64(nil, false) - token_hash = BCrypt::Password.create(token) + token_hash = ::BCrypt::Password.create(token) expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i if self.tokens[client_id] and self.tokens[client_id]['token'] From 77e89f1bea6c57e7e54b3fab41ca9a4a6bd2c5c7 Mon Sep 17 00:00:00 2001 From: Kopylov German Date: Mon, 31 Aug 2015 23:26:11 +0300 Subject: [PATCH 143/328] Move omniauth_params to protected methods --- .../devise_token_auth/omniauth_callbacks_controller.rb | 4 ++-- .../omniauth_callbacks_controller_test.rb | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 7ed01e095..59063c6be 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -47,6 +47,8 @@ def omniauth_failure render_data_or_redirect('authFailure', {error: @error}) end + protected + # this will be determined differently depending on the action that calls # it. redirect_callbacks is called upon returning from successful omniauth # authentication, and the target params live in an omniauth-specific @@ -72,8 +74,6 @@ def omniauth_params end - protected - # break out provider attribute assignment for easy method extension def assign_provider_attrs(user, auth_hash) user.assign_attributes({ diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index e11bee030..d82fda8eb 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb 
@@ -31,7 +31,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest test 'request should pass correct redirect_url' do get_success - assert_equal @redirect_url, controller.omniauth_params['auth_origin_url'] + assert_equal @redirect_url, controller.send(:omniauth_params)['auth_origin_url'] end test 'user should have been created' do @@ -72,7 +72,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest get_success end test 'request should determine the correct resource_class' do - assert_equal 'User', controller.omniauth_params['resource_class'] + assert_equal 'User', controller.send(:omniauth_params)['resource_class'] end test 'user should be of the correct class' do @@ -90,7 +90,7 @@ class OmniauthTest < ActionDispatch::IntegrationTest @resource = assigns(:resource) end test 'request should determine the correct resource_class' do - assert_equal 'Mang', controller.omniauth_params['resource_class'] + assert_equal 'Mang', controller.send(:omniauth_params)['resource_class'] end test 'user should be of the correct class' do assert_equal Mang, @resource.class @@ -292,4 +292,4 @@ def get_success(params = {}) } end end -end \ No newline at end of file +end From bccb7ef3b71c32ecb1d5f8f258353fa498e54e58 Mon Sep 17 00:00:00 2001 From: Yaroslav Konoplov Date: Tue, 1 Sep 2015 23:53:57 +0300 Subject: [PATCH 144/328] Fallback to ActiveModel translations in EmailValidator --- app/validators/email_validator.rb | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb index 7aa1eeb0e..edba79957 100644 --- a/app/validators/email_validator.rb +++ b/app/validators/email_validator.rb 
@@ -1,7 +1,25 @@ class EmailValidator < ActiveModel::EachValidator def validate_each(record, attribute, value) unless value =~ /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i - record.errors[attribute] << (options[:message] || I18n.t("errors.not_email")) + record.errors[attribute] << email_invalid_message end end -end + + private + + def email_invalid_message + # Try strictly set message: + message = options[:message] + + if message.nil? + + # Try DeviceTokenAuth translations: + message = I18n.t('errors.not_email', default: '') + + # Fallback to ActiveModel translations: + message = I18n.t('errors.messages.invalid') if message.blank? + end + + message + end +end \ No newline at end of file From 3dbebb21cd24e90fe18403d267a5c8259184324e Mon Sep 17 00:00:00 2001 From: Nate Brustein Date: Wed, 2 Sep 2015 13:32:01 -0400 Subject: [PATCH 145/328] fix(oauth): do not serialize the entire user object in the url when redirecting from oauth --- .../devise_token_auth/omniauth_callbacks_controller.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 59063c6be..9061c0d25 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -39,7 +39,7 @@ def omniauth_success yield if block_given? - render_data_or_redirect('deliverCredentials', @resource.as_json.merge(@auth_params.as_json)) + render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json) end def omniauth_failure 
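Review bot: The nested `if message.nil?` in email_invalid_message can be one expression that reads like its own comments, `options[:message] || I18n.t('errors.not_email', default: '').presence || I18n.t('errors.messages.invalid')` (`presence` is ActiveSupport, which the hunk already relies on via `blank?`). The hunk also drops the file's trailing newline (`\ No newline at end of file`); restore it. A one-line comment above validate_each noting that the pattern is anchored with `\A`/`\z`, so a value containing a newline cannot slip past the check, would help the next reader.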
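Review bot: The redirect path no longer carries the serialized user, but `@resource.as_json` is still passed as user_data and, in the render_data_or_redirect hunk in the next line, merged into the payload rendered for the inAppBrowser/newWindow window types, so everything the model's as_json exposes still reaches the client page in those modes. Unless as_json is whitelisted on the model (not visible here), pass an explicit subset instead, e.g. `@resource.as_json(only: %i[<public attrs>])`, and add a comment on the call site saying which fields are intended for the client. omniauth_success begins outside the hunk.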
@@ -190,7 +190,7 @@ def render_data(message, data) render :layout => nil, :template => "devise_token_auth/omniauth_external_window" end - def render_data_or_redirect(message, data) + def render_data_or_redirect(message, data, user_data = {}) # We handle inAppBrowser and newWindow the same, but it is nice # to support values in case people need custom implementations for each case @@ -201,7 +201,7 @@ def render_data_or_redirect(message, data) # why we can handle these both the same. The view is setup to handle both cases # at the same time. if ['inAppBrowser', 'newWindow'].include?(omniauth_window_type) - render_data(message, data) + render_data(message, user_data.merge(data)) elsif auth_origin_url # default to same-window implementation, which forwards back to auth_origin_url From d33bcdb5bae993bd4ba8134b52486c8b6cce2908 Mon Sep 17 00:00:00 2001 From: Jakub Rohleder Date: Tue, 18 Aug 2015 19:28:31 +0200 Subject: [PATCH 146/328] Fixed bug where user couldn't update his password after reset --- .../devise_token_auth/passwords_controller.rb | 11 ++++++++--- app/models/devise_token_auth/concerns/user.rb | 8 +++++++- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 96452821a..5e322d91e 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -107,6 +107,9 @@ def edit # ensure that user is confirmed @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at + # allow user to change password without current_password + @resource.allow_password_change = true; + @resource.save! yield if block_given? @@ -149,6 +152,8 @@ def update end if @resource.send(resource_update_method, password_resource_params) + @resource.allow_password_change = false + yield if block_given? return render json: { success: true, 
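Review bot: `@resource.allow_password_change = true; @resource.save!` in edit cannot carry the flag to the later update request: the user.rb hunk in the next line defines allow_password_change as a plain attr_writer backed by an instance variable, so save! persists nothing of it, and update loads a fresh @resource whose reader returns `false`. If the intent is a one-time bypass of current_password after a reset, the flag needs a persisted column (and the `= false` in update then needs a save), or a comment explaining why an in-memory flag suffices; as written the feature only appears to work when check_current_password_before_update is disabled. Also drop the trailing `;` on the assignment. edit and update both begin outside the hunks.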
@@ -168,10 +173,10 @@ def update protected def resource_update_method - if DeviseTokenAuth.check_current_password_before_update != false - "update_with_password" - else + if DeviseTokenAuth.check_current_password_before_update == false or @resource.allow_password_change == true "update_attributes" + else + "update_with_password" end end diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 91f4c7599..379e225ba 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -44,6 +44,12 @@ def self.tokens_match?(token_hash, token) # get rid of dead tokens before_save :destroy_expired_tokens + # allows user to change password without current_password + attr_writer :allow_password_change + def allow_password_change + @allow_password_change || false + end + # don't use default devise email validation def email_required? false @@ -88,7 +94,7 @@ def send_reset_password_instructions(opts=nil) module ClassMethods protected - + def tokens_has_json_column_type? table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb]) From cee20d9299403c6f31726bc0019885917a3adcef Mon Sep 17 00:00:00 2001 From: Jakub Rohleder Date: Thu, 10 Sep 2015 10:47:42 +0200 Subject: [PATCH 147/328] Tests --- .../devise_token_auth/passwords_controller.rb | 2 +- .../passwords_controller_test.rb | 40 +++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 5e322d91e..78a899678 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb 
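Review bot: The new condition in resource_update_method mixes `or` with `==`; `or` binds more loosely than `=` and `!`, which is a standing Ruby trap, and `== true` is redundant. Write it as `if DeviseTokenAuth.check_current_password_before_update == false || @resource.allow_password_change`, keeping the explicit `== false` because the original `!= false` also treated an unset (nil) option as "check the password", and `!option` would silently flip that.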
@@ -107,7 +107,7 @@ def edit # ensure that user is confirmed @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at - # allow user to change password without current_password + # allow user to change password once without current_password @resource.allow_password_change = true; @resource.save! diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index a2962143c..4dbe9ffce 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -33,6 +33,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase assert_equal @data["errors"], [I18n.t("devise_token_auth.passwords.missing_email")] end end + describe 'not redirect_url should return 401' do before do @auth_headers = @resource.create_new_auth_token 
@@ -300,6 +301,45 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end end + describe 'success with after password reset' do + before do + xhr :post, :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @mail = ActionMailer::Base.deliveries.last + @mail_redirect_url = CGI.unescape(@mail.body.match(/redirect_url=([^&]*)&/)[1]) + @mail_reset_token = @mail.body.match(/reset_password_token=(.*)\"/)[1] + + xhr :get, :edit, { + reset_password_token: @mail_reset_token, + redirect_url: @mail_redirect_url + } + + @auth_headers = @resource.create_new_auth_token + request.headers.merge!(@auth_headers) + @new_password = Faker::Internet.password + + xhr :put, :update, { + password: @new_password, + password_confirmation: @new_password + } + + @data = JSON.parse(response.body) + @allow_password_change = @resource.allow_password_change + @resource.reload + end + + test "request should be successful" do + assert_equal 200, response.status + end + + test "sets allow_password_change false" do + assert_equal false, @allow_password_change + end + end + describe 'current password mismatch error' do before do @auth_headers = @resource.create_new_auth_token From 53cfe4b04fae0e4e0eb7f51796d8e6582cbc69b5 Mon Sep 17 00:00:00 2001 
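Review bot: The assertion in "sets allow_password_change false" is vacuous: `@allow_password_change = @resource.allow_password_change` reads the test's own @resource object, which never had the flag set, so the reader's `|| false` default makes it false whether or not update reset anything. Read the flag from the controller's resource instead (`assigns(:resource)`, as the omniauth tests in this series already do) after the update request. The 200 assertion likewise passes whenever current-password checking is disabled in the dummy app, so it does not show the flag was honoured; a variant that enables the check and still expects 200 would.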
From: John Negron Date: Mon, 21 Sep 2015 17:55:57 -0400 Subject: [PATCH 148/328] Implement hook methods for customized json rendering --- README.md | 41 ++++- .../devise_token_auth/passwords_controller.rb | 169 +++++++++++------- .../registrations_controller.rb | 141 +++++++++------ .../devise_token_auth/sessions_controller.rb | 66 ++++--- .../token_validations_controller.rb | 26 ++- .../custom_passwords_controller_test.rb | 15 ++ .../custom_registrations_controller_test.rb | 9 + .../custom/custom_sessions_controller_test.rb | 9 + ...ustom_token_validations_controller_test.rb | 9 + .../custom/passwords_controller.rb | 5 + .../custom/registrations_controller.rb | 6 + .../controllers/custom/sessions_controller.rb | 6 + .../custom/token_validations_controller.rb | 6 + 13 files changed, 364 insertions(+), 144 deletions(-) diff --git a/README.md b/README.md index 3e0c0de3c..976044346 100644 --- a/README.md +++ b/README.md 
@@ -667,6 +667,45 @@ module Overrides end ~~~ +## Overriding rendering methods +To customize json rendering, implement the following protected controller methods, for success methods, assume that the @resource object is available: + +### Registrations Controller +* render_create_error_missing_confirm_success_url +* render_create_error_redirect_url_not_allowed +* render_create_success +* render_create_error +* render_create_error_email_already_exists +* render_update_success +* render_update_error +* render_update_error_user_not_found + + +### Sessions Controller +* render_new_error +* render_create_success +* render_create_error_not_confirmed +* render_create_error_bad_credentials +* render_destroy_success +* render_destroy_error + + +### Passwords Controller +* render_create_error_missing_email +* render_create_error_missing_redirect_url +* render_create_error_not_allowed_redirect_url +* render_create_success +* render_create_error +* render_update_error_unauthorized +* render_update_error_password_not_required +* render_update_error_missing_password +* render_update_success +* render_update_error + +### Token Validations Controller +* render_validate_token_success +* render_validate_token_error + ##### Example: all :controller options with default settings: ~~~ruby @@ -883,7 +922,7 @@ To run just one test: 2. Run `bundle install` 3. Run `rake db:migrate` 4. Run `RAILS_ENV=test rake db:migrate` -5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/ +5. See this link for various ways to run a single file or a single test: http://flavio.castelli.name/2010/05/28/rails_execute_single_test/ # License This project uses the WTFPL diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 96452821a..d917dbb8d 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb 
+++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -7,41 +7,31 @@ class PasswordsController < DeviseTokenAuth::ApplicationController # sending emails def create unless resource_params[:email] - return render json: { - success: false, - errors: [I18n.t("devise_token_auth.passwords.missing_email")] - }, status: 401 + return render_create_error_missing_email end # give redirect value from params priority - redirect_url = params[:redirect_url] + @redirect_url = params[:redirect_url] # fall back to default value if provided - redirect_url ||= DeviseTokenAuth.default_password_reset_url + @redirect_url ||= DeviseTokenAuth.default_password_reset_url - unless redirect_url - return render json: { - success: false, - errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")] - }, status: 401 + unless @redirect_url + return render_create_error_missing_redirect_url end # if whitelist is set, validate redirect_url against whitelist if DeviseTokenAuth.redirect_whitelist - unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) - return render json: { - status: 'error', - data: @resource.as_json, - errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: redirect_url)] - }, status: 403 + unless DeviseTokenAuth.redirect_whitelist.include?(@redirect_url) + return render_create_error_not_allowed_redirect_url end end # honor devise configuration for case_insensitive_keys if resource_class.case_insensitive_keys.include?(:email) - email = resource_params[:email].downcase + @email = resource_params[:email].downcase else - email = resource_params[:email] + @email = resource_params[:email] end q = "uid = ? AND provider='email'" 
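Review bot: Promoting `redirect_url`, `email`, `errors` and `error_status` to instance variables creates an undocumented contract between create and the new render_* hooks, which read `@redirect_url`, `@email`, `@errors` and `@error_status` without declaring it. Since the README advertises these hooks for overriding, add a comment above create such as `# create sets @email, @redirect_url, @errors and @error_status before calling the render_create_* hooks; overrides may rely on them`, and mirror that in the README section. create begins outside the hunk.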
@@ -51,42 +41,35 @@ def create q = "BINARY uid = ? AND provider='email'" end - @resource = resource_class.where(q, email).first + @resource = resource_class.where(q, @email).first - errors = nil - error_status = 400 + @errors = nil + @error_status = 400 if @resource yield if block_given? @resource.send_reset_password_instructions({ - email: email, + email: @email, provider: 'email', - redirect_url: redirect_url, + redirect_url: @redirect_url, client_config: params[:config_name] }) if @resource.errors.empty? - render json: { - success: true, - message: I18n.t("devise_token_auth.passwords.sended", email: email) - } + return render_create_success else - errors = @resource.errors + @errors = @resource.errors end else - errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: email)] - error_status = 404 + @errors = [I18n.t("devise_token_auth.passwords.user_not_found", email: @email)] + @error_status = 404 end - if errors - render json: { - success: false, - errors: errors, - }, status: error_status + if @errors + return render_create_error end end - # this is where users arrive after visiting the password reset confirmation link def edit @resource = resource_class.reset_password_by_token({ 
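Review bot: The new `@errors = [user_not_found ...]` with `@error_status = 404` preserves a response that differs between known and unknown email addresses, so a caller can tell registered from unregistered accounts by the status alone; the commit moves this into hook state without noting it. If that disclosure is accepted, say so in a comment on the branch; otherwise consider returning the same render_create_success response for both cases and logging the miss server-side. create begins outside the hunk.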
@@ -117,51 +100,31 @@ def edit config: params[:config] })) else - render json: { - success: false - }, status: 404 + render_edit_error end end def update # make sure user is authorized unless @resource - return render json: { - success: false, - errors: ['Unauthorized'] - }, status: 401 + return render_update_error_unauthorized end # make sure account doesn't use oauth2 provider unless @resource.provider == 'email' - return render json: { - success: false, - errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)] - }, status: 422 + return render_update_error_password_not_required end # ensure that password params were sent unless password_resource_params[:password] and password_resource_params[:password_confirmation] - return render json: { - success: false, - errors: [I18n.t("devise_token_auth.passwords.missing_passwords")] - }, status: 422 + return render_update_error_missing_password end if @resource.send(resource_update_method, password_resource_params) yield if block_given? - return render json: { - success: true, - data: { - user: @resource, - message: I18n.t("devise_token_auth.passwords.successfully_updated") - } - } + return render_update_success else - return render json: { - success: false, - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) - }, status: 422 + return render_update_error end end 
@@ -175,6 +138,86 @@ def resource_update_method end end + def render_create_error_missing_email + render json: { + success: false, + errors: [I18n.t("devise_token_auth.passwords.missing_email")] + }, status: 401 + end + + def render_create_error_missing_redirect_url + render json: { + success: false, + errors: [I18n.t("devise_token_auth.passwords.missing_redirect_url")] + }, status: 401 + end + + def render_create_error_not_allowed_redirect_url + render json: { + status: 'error', + data: @resource.as_json, + errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)] + }, status: 403 + end + + def render_create_success + render json: { + success: true, + message: I18n.t("devise_token_auth.passwords.sended", email: @email) + } + end + + def render_create_error + render json: { + success: false, + errors: @errors, + }, status: @error_status + end + + def render_edit_error + render json: { + success: false + }, status: 404 + end + + def render_update_error_unauthorized + render json: { + success: false, + errors: ['Unauthorized'] + }, status: 401 + end + + def render_update_error_password_not_required + render json: { + success: false, + errors: [I18n.t("devise_token_auth.passwords.password_not_required", provider: @resource.provider.humanize)] + }, status: 422 + end + + def render_update_error_missing_password + render json: { + success: false, + errors: [I18n.t("devise_token_auth.passwords.missing_passwords")] + }, status: 422 + end + + def render_update_success + render json: { + success: true, + data: { + user: @resource, + message: I18n.t("devise_token_auth.passwords.successfully_updated") + } + } + end + + def render_update_error + return render json: { + success: false, + errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + }, status: 422 + end + private def resource_params 
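Review bot: `render_update_error` is the only new hook written as `return render json:`; drop the `return` so all hooks read alike. `render_create_error_not_allowed_redirect_url` emits `data: @resource.as_json`, but at the point create calls it (previous hunks) `@resource` has not been assigned yet, so the field is always null; either remove it or comment that it is a placeholder. The README list in this commit also omits `render_edit_error` here and `render_destroy_success`/`render_destroy_error` in the registrations hunk three lines below, so overriders will not find them; add them to the list.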
diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 2df300f6e..039525258 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -17,28 +17,20 @@ def create end # give redirect value from params priority - redirect_url = params[:confirm_success_url] + @redirect_url = params[:confirm_success_url] # fall back to default value if provided - redirect_url ||= DeviseTokenAuth.default_confirm_success_url + @redirect_url ||= DeviseTokenAuth.default_confirm_success_url # success redirect url is required - if resource_class.devise_modules.include?(:confirmable) && !redirect_url - return render json: { - status: 'error', - data: @resource.as_json, - errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] - }, status: 403 + if resource_class.devise_modules.include?(:confirmable) && !@redirect_url + return render_create_error_missing_confirm_success_url end # if whitelist is set, validate redirect_url against whitelist if DeviseTokenAuth.redirect_whitelist - unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) - return render json: { - status: 'error', - data: @resource.as_json, - errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: redirect_url)] - }, status: 403 + unless DeviseTokenAuth.redirect_whitelist.include?(@redirect_url) + return render_create_error_redirect_url_not_allowed end end @@ -52,7 +44,7 @@ def create # user will require email authentication @resource.send_confirmation_instructions({ client_config: params[:config_name], - redirect_url: redirect_url + redirect_url: @redirect_url }) else 
@@ -69,26 +61,14 @@ def create update_auth_header end - - render json: { - status: 'success', - data: @resource.as_json - } + render_create_success else clean_up_passwords @resource - render json: { - status: 'error', - data: @resource.as_json, - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) - }, status: 403 + render_create_error end rescue ActiveRecord::RecordNotUnique clean_up_passwords @resource - render json: { - status: 'error', - data: @resource.as_json, - errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)] - }, status: 403 + render_create_error_email_already_exists end end @@ -96,21 +76,12 @@ def update if @resource if @resource.send(resource_update_method, account_update_params) yield @resource if block_given? - render json: { - status: 'success', - data: @resource.as_json - } + render_update_success else - render json: { - status: 'error', - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) - }, status: 403 + render_update_error end else - render json: { - status: 'error', - errors: [I18n.t("devise_token_auth.registrations.user_not_found")] - }, status: 404 + render_update_error_user_not_found end end @@ -119,15 +90,9 @@ def destroy @resource.destroy yield @resource if block_given? - render json: { - status: 'success', - message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid) - } + render_destroy_success else - render json: { - status: 'error', - errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")] - }, status: 404 + render_destroy_error end end 
@@ -139,6 +104,82 @@ def account_update_params params.permit(devise_parameter_sanitizer.for(:account_update)) end + protected + + def render_create_error_missing_confirm_success_url + render json: { + status: 'error', + data: @resource.as_json, + errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] + }, status: 403 + end + + def render_create_error_redirect_url_not_allowed + render json: { + status: 'error', + data: @resource.as_json, + errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @redirect_url)] + }, status: 403 + end + + def render_create_success + render json: { + status: 'success', + data: @resource.as_json + } + end + + def render_create_error + render json: { + status: 'error', + data: @resource.as_json, + errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + }, status: 403 + end + + def render_create_error_email_already_exists + render json: { + status: 'error', + data: @resource.as_json, + errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)] + }, status: 403 + end + + def render_update_success + render json: { + status: 'success', + data: @resource.as_json + } + end + + def render_update_error + render json: { + status: 'error', + errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + }, status: 403 + end + + def render_update_error_user_not_found + render json: { + status: 'error', + errors: [I18n.t("devise_token_auth.registrations.user_not_found")] + }, status: 404 + end + + def render_destroy_success + render json: { + status: 'success', + message: I18n.t("devise_token_auth.registrations.account_with_uid_destroyed", uid: @resource.uid) + } + end + + def render_destroy_error + render json: { + status: 'error', + errors: [I18n.t("devise_token_auth.registrations.account_to_destroy_not_found")] + }, status: 404 + end + private def resource_update_method 
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 22bca7582..893aecfb9 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -5,9 +5,7 @@ class SessionsController < DeviseTokenAuth::ApplicationController after_action :reset_session, :only => [:destroy] def new - render json: { - errors: [ I18n.t("devise_token_auth.sessions.not_supported")] - }, status: 405 + render_new_error end def create @@ -46,20 +44,11 @@ def create yield if block_given? - render json: { - data: @resource.token_validation_response - } - + render_create_success elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) - render json: { - success: false, - errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ] - }, status: 401 - + render_create_error_not_confirmed else - render json: { - errors: [I18n.t("devise_token_auth.sessions.bad_credentials")] - }, status: 401 + render_create_error_bad_credentials end end @@ -75,14 +64,9 @@ def destroy yield if block_given? - render json: { - success:true - }, status: 200 - + render_destroy_success else - render json: { - errors: [I18n.t("devise_token_auth.sessions.user_not_found")] - }, status: 404 + render_destroy_error end end 
@@ -116,6 +100,44 @@ def get_auth_params } end + def render_new_error + render json: { + errors: [ I18n.t("devise_token_auth.sessions.not_supported")] + }, status: 405 + end + + def render_create_success + render json: { + data: @resource.token_validation_response + } + end + + def render_create_error_not_confirmed + render json: { + success: false, + errors: [ I18n.t("devise_token_auth.sessions.not_confirmed", email: @resource.email) ] + }, status: 401 + end + + def render_create_error_bad_credentials + render json: { + errors: [I18n.t("devise_token_auth.sessions.bad_credentials")] + }, status: 401 + end + + def render_destroy_success + render json: { + success:true + }, status: 200 + end + + def render_destroy_error + render json: { + errors: [I18n.t("devise_token_auth.sessions.user_not_found")] + }, status: 404 + end + + private def resource_params diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index ee825c234..99cd273a5 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -7,16 +7,26 @@ def validate_token # @resource will have been set by set_user_token concern if @resource yield if block_given? - render json: { - success: true, - data: @resource.token_validation_response - } + render_validate_token_success else - render json: { - success: false, - errors: [I18n.t("devise_token_auth.token_validations.invalid")] - }, status: 401 + render_validate_token_error end end + + protected + + def render_validate_token_success + render json: { + success: true, + data: @resource.token_validation_response + } + end + + def render_validate_token_error + render json: { + success: false, + errors: [I18n.t("devise_token_auth.token_validations.invalid")] + }, status: 401 + end end end 
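Review bot: The six sessions render_* hooks are inserted after get_auth_params and before `private`, and the hunk does not show whether that region is under `protected`. Rails treats every public instance method of a controller as an action candidate, so if these are public they become reachable through any catch-all route; add an explicit `protected` above `render_new_error`, as the registrations and token_validations hunks in this commit do, and the README already describes them as protected.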
diff --git a/test/controllers/custom/custom_passwords_controller_test.rb b/test/controllers/custom/custom_passwords_controller_test.rb index 5ca4862d4..4da315769 100644 --- a/test/controllers/custom/custom_passwords_controller_test.rb +++ b/test/controllers/custom/custom_passwords_controller_test.rb @@ -61,6 +61,21 @@ class Custom::PasswordsControllerTest < ActionController::TestCase assert @controller.update_block_called?, "update failed to yield resource to provided block" end + test "yield resource to block on update success with custom json" do + @auth_headers = @resource.create_new_auth_token + request.headers.merge!(@auth_headers) + @new_password = Faker::Internet.password + put :update, { + password: @new_password, + password_confirmation: @new_password + } + + @data = JSON.parse(response.body) + + assert @controller.update_block_called?, "update failed to yield resource to provided block" + assert_equal @data["custom"], "foo" + end + end end diff --git a/test/controllers/custom/custom_registrations_controller_test.rb b/test/controllers/custom/custom_registrations_controller_test.rb index 61c97a1e9..0a1d411c8 100644 --- a/test/controllers/custom/custom_registrations_controller_test.rb +++ b/test/controllers/custom/custom_registrations_controller_test.rb @@ -26,6 +26,15 @@ class Custom::RegistrationsControllerTest < ActionDispatch::IntegrationTest assert @controller.create_block_called?, "create failed to yield resource to provided block" end + test "yield resource to block on create success with custom json" do + post '/nice_user_auth', @create_params + + @data = JSON.parse(response.body) + + assert @controller.create_block_called?, "create failed to yield resource to provided block" + assert_equal @data["custom"], "foo" + end + test "yield resource to block on update success" do put '/nice_user_auth', { nickname: "Ol' Sunshine-face", 
diff --git a/test/controllers/custom/custom_sessions_controller_test.rb b/test/controllers/custom/custom_sessions_controller_test.rb index 6df14c8d9..2f9431e1b 100644 --- a/test/controllers/custom/custom_sessions_controller_test.rb +++ b/test/controllers/custom/custom_sessions_controller_test.rb @@ -25,6 +25,15 @@ class Custom::SessionsControllerTest < ActionController::TestCase assert @controller.destroy_block_called?, "destroy failed to yield resource to provided block" end + test "render method override" do + post :create, { + email: @existing_user.email, + password: 'secret123' + } + @data = JSON.parse(response.body) + assert_equal @data["custom"], "foo" + end + end end diff --git a/test/controllers/custom/custom_token_validations_controller_test.rb b/test/controllers/custom/custom_token_validations_controller_test.rb index 29c40aef3..a515d561f 100644 --- a/test/controllers/custom/custom_token_validations_controller_test.rb +++ b/test/controllers/custom/custom_token_validations_controller_test.rb @@ -24,6 +24,15 @@ class Custom::TokenValidationsControllerTest < ActionDispatch::IntegrationTest assert @controller.validate_token_block_called?, "validate_token failed to yield resource to provided block" end + test "yield resource to block on validate_token success with custom json" do + get '/nice_user_auth/validate_token', {}, @auth_headers + + @data = JSON.parse(response.body) + + assert @controller.validate_token_block_called?, "validate_token failed to yield resource to provided block" + assert_equal @data["custom"], "foo" + end + end end diff --git a/test/dummy/app/controllers/custom/passwords_controller.rb b/test/dummy/app/controllers/custom/passwords_controller.rb index 88ae25a00..628937529 100644 --- a/test/dummy/app/controllers/custom/passwords_controller.rb +++ b/test/dummy/app/controllers/custom/passwords_controller.rb 
@@ -30,6 +30,11 @@ def update_block_called? @update_block_called == true end + protected + + def render_update_success + render json: {custom: "foo"} + end end diff --git a/test/dummy/app/controllers/custom/registrations_controller.rb b/test/dummy/app/controllers/custom/registrations_controller.rb index 47c62e7f6..f3cd6f0d8 100644 --- a/test/dummy/app/controllers/custom/registrations_controller.rb +++ b/test/dummy/app/controllers/custom/registrations_controller.rb @@ -30,4 +30,10 @@ def destroy_block_called? @destroy_block_called == true end + protected + + def render_create_success + render json: {custom: "foo"} + end + end diff --git a/test/dummy/app/controllers/custom/sessions_controller.rb b/test/dummy/app/controllers/custom/sessions_controller.rb index 74113d0b5..915f4a0e9 100644 --- a/test/dummy/app/controllers/custom/sessions_controller.rb +++ b/test/dummy/app/controllers/custom/sessions_controller.rb @@ -20,4 +20,10 @@ def destroy_block_called? @destroy_block_called == true end + protected + + def render_create_success + render json: {custom: "foo"} + end + end diff --git a/test/dummy/app/controllers/custom/token_validations_controller.rb b/test/dummy/app/controllers/custom/token_validations_controller.rb index ad496e722..2978e4a74 100644 --- a/test/dummy/app/controllers/custom/token_validations_controller.rb +++ b/test/dummy/app/controllers/custom/token_validations_controller.rb @@ -10,4 +10,10 @@ def validate_token_block_called? @validate_token_block_called == true end + protected + + def render_validate_token_success + render json: {custom: "foo"} + end + end From 47ea5002907111b58755ef8bf5f7c89dabf74e7d Mon Sep 17 00:00:00 2001 From: Adrian Mugnolo Date: Mon, 12 Oct 2015 03:01:53 -0300 Subject: [PATCH 149/328] Drop .ruby-version file If needed, add a sample file or `required_ruby_version` entry. --- .ruby-version | 1 - 1 file changed, 1 deletion(-) delete mode 100644 .ruby-version 
diff --git a/.ruby-version b/.ruby-version deleted file mode 100644 index ac2cdeba0..000000000 --- a/.ruby-version +++ /dev/null @@ -1 +0,0 @@ -2.1.3 From 93e4539c846e60a0d33d7097d323109f4be38d0d Mon Sep 17 00:00:00 2001 From: H3xed Date: Mon, 12 Oct 2015 09:48:55 +0200 Subject: [PATCH 150/328] Added polish translation. --- config/locales/pl.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 config/locales/pl.yml diff --git a/config/locales/pl.yml b/config/locales/pl.yml new file mode 100644 index 000000000..1f1e62d6a --- /dev/null +++ b/config/locales/pl.yml 
@@ -0,0 +1,30 @@ +pl: + devise_token_auth: + sessions: + not_confirmed: "Wiadomość z potwierdzeniem Twojego konta została wysłana na %{email}. Proszę postępować zgodnie z wskazówkami znajdującymi się w wiadomości celem aktywacji konta." + bad_credentials: "Nieprawidłowe dane logowania. Proszę spróbować ponownie." + not_supported: "Proszę użyć POST /sign_in do zalogowania. GET nie jest obsługiwany." + user_not_found: "Użytkownik nie został odnaleziony lub nie jest zalogowany." + token_validations: + invalid: "Nieprawidłowe dane logowania." + registrations: + missing_confirm_success_url: "Brak parametru `confirm_success_url`." + redirect_url_not_allowed: "Przekierowanie na adres %{redirect_url} nie jest dozwolone." + email_already_exists: "Konto z adresem %{email} już istnieje." + account_with_uid_destroyed: "Konto z uid %{uid} zostało usunięte." + account_to_destroy_not_found: "Nie odnaleziono konta do usunięcia." + user_not_found: "Użytkownik nie został odnaleziony." + passwords: + missing_email: "Musisz wprowadzić adres e-mail." + missing_redirect_url: "Brak adresu zwrotnego." + not_allowed_redirect_url: "Przekierowanie na adres %{redirect_url} nie jest dozwolone." + sended: "Wiadomość wysłana na adres %{email} zawiera instrukcje dotyczące zmiany hasła." + user_not_found: "Nie odnaleziono użytkownika o adresie '%{email}'." + password_not_required: "To konto nie wymaga podania hasła. Zaloguj się używając konta %{provider}." + missing_passwords: 'Musisz wypełnić wszystkie pola z etykietą "hasło" oraz "potwierdzenie hasła".' + successfully_updated: "Twoje hasło zostało zaktualizowane." + + errors: + validate_sign_up_params: "Proszę dostarczyć odpowiednie dane logowania w ciele zapytania." + validate_account_update_params: "Proszę dostarczyć odpowiednie dane aktualizacji konta w ciele zapytania." + not_email: "nie jest prawidłowym adresem e-mail" From 020bc66f918039cfa352589d236d66aa945693ec Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Mon, 12 Oct 2015 20:40:20 -0600 Subject: [PATCH 151/328] chore(deps): update dependencies --- Gemfile.lock | 100 ++++++++++++++++++++++++++------------------------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 754ef9a7c..e4a2f8311 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -22,9 +22,10 @@ GIT GIT remote: git://github.com/zquestz/omniauth-google-oauth2.git - revision: 814732cb0761f2b4a26375049ccd42da5655eccb + revision: ad0b8ae200a94c86566975dc4d1c2fc28eeb2e24 specs: - omniauth-google-oauth2 (0.2.6) + omniauth-google-oauth2 (0.2.8) + addressable (~> 2.3) jwt (~> 1.0) multi_json (~> 1.3) omniauth (>= 1.1.1) 
@@ -33,55 +34,56 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.34) + devise_token_auth (0.1.35) devise (~> 3.5.2) rails (~> 4.2) GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.3) - actionpack (= 4.2.3) - actionview (= 4.2.3) - activejob (= 4.2.3) + actionmailer (4.2.4) + actionpack (= 4.2.4) + actionview (= 4.2.4) + activejob (= 4.2.4) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.3) - actionview (= 4.2.3) - activesupport (= 4.2.3) + actionpack (4.2.4) + actionview (= 4.2.4) + activesupport (= 4.2.4) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.3) - activesupport (= 4.2.3) + actionview (4.2.4) + activesupport (= 4.2.4) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.3) - activesupport (= 4.2.3) + activejob (4.2.4) + activesupport (= 4.2.4) globalid (>= 0.3.0) - activemodel (4.2.3) - activesupport (= 4.2.3) + activemodel (4.2.4) + activesupport (= 4.2.4) builder (~> 3.1) - activerecord (4.2.3) - activemodel (= 4.2.3) - activesupport (= 4.2.3) + activerecord (4.2.4) + activemodel (= 4.2.4) + activesupport (= 4.2.4) arel (~> 6.0) - activesupport (4.2.3) + activesupport (4.2.4) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) + addressable (2.3.8) ansi (1.5.0) arel (6.0.3) attr_encrypted (1.3.4) encryptor (>= 1.3.0) bcrypt (3.1.10) builder (3.2.2) - codeclimate-test-reporter (0.4.7) + codeclimate-test-reporter (0.4.8) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) devise (3.5.2) @@ -94,9 +96,9 @@ GEM docile (1.1.5) encryptor (1.3.0) erubis (2.7.0) - faker (1.4.3) + faker (1.5.0) i18n (~> 0.5) - faraday (0.9.1) + faraday (0.9.2) multipart-post (>= 1.2, < 3) ffi (1.9.10) formatador (0.2.5) 
@@ -123,22 +125,22 @@ GEM listen (3.0.3) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) - loofah (2.0.2) + loofah (2.0.3) nokogiri (>= 1.5.9) lumberjack (1.0.9) mail (2.6.3) mime-types (>= 1.16, < 3) metaclass (0.0.4) method_source (0.8.2) - mime-types (2.6.1) + mime-types (2.6.2) mini_portile (0.6.2) - minitest (5.7.0) + minitest (5.8.1) minitest-focus (1.1.2) minitest (>= 4, < 6) minitest-rails (2.2.0) minitest (~> 5.7) railties (~> 4.1) - minitest-reporters (1.0.19) + minitest-reporters (1.1.3) ansi builder minitest (>= 5.0) @@ -148,11 +150,11 @@ GEM multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.3.19) + mysql2 (0.4.1) nenv (0.2.0) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) - notiffany (0.0.7) + notiffany (0.0.8) nenv (~> 0.1) shellany (~> 0.0) oauth2 (1.0.0) @@ -168,8 +170,8 @@ GEM oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) - pg (0.18.2) - pry (0.10.1) + pg (0.18.3) + pry (0.10.2) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) 
@@ -180,32 +182,32 @@ GEM rack-cors (0.4.0) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.3) - actionmailer (= 4.2.3) - actionpack (= 4.2.3) - actionview (= 4.2.3) - activejob (= 4.2.3) - activemodel (= 4.2.3) - activerecord (= 4.2.3) - activesupport (= 4.2.3) + rails (4.2.4) + actionmailer (= 4.2.4) + actionpack (= 4.2.4) + actionview (= 4.2.4) + activejob (= 4.2.4) + activemodel (= 4.2.4) + activerecord (= 4.2.4) + activesupport (= 4.2.4) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.3) + railties (= 4.2.4) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) - rails-dom-testing (1.0.6) + rails-dom-testing (1.0.7) activesupport (>= 4.2.0.beta, < 5.0) nokogiri (~> 1.6.0) rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.2) loofah (~> 2.0) - railties (4.2.3) - actionpack (= 4.2.3) - activesupport (= 4.2.3) + railties (4.2.4) + actionpack (= 4.2.4) + activesupport (= 4.2.4) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rake (10.4.2) - rb-fsevent (0.9.5) + rb-fsevent (0.9.6) rb-inotify (0.9.5) ffi (>= 0.5.0) responders (2.1.0) @@ -218,13 +220,13 @@ GEM simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) - sprockets (3.3.3) - rack (~> 1.0) - sprockets-rails (2.3.2) + sprockets (3.4.0) + rack (> 1, < 3) + sprockets-rails (2.3.3) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) - sqlite3 (1.3.10) + sqlite3 (1.3.11) thor (0.19.1) thread_safe (0.3.5) tzinfo (1.2.2) From a3968adb6e96003d3d8ffe19baa3c628eb991ebc Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 12 Oct 2015 20:41:18 -0600 Subject: [PATCH 152/328] v0.1.35 --- CHANGELOG.md | 33 ++++++++++++++++++++++++++++++++ lib/devise_token_auth/version.rb | 2 +- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9c4380f9..dca21866e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,36 @@ + +# 0.1.35 (2015-10-13) + +## Features + +- **Localization**: Add Polish translation (pl) + +## Fixes + +- **OAuth**: Fix error in setting text on redirect page +- **OAuth**: Fully support OmniauthCallbacksController action overrides +- **OAuth**: Don't serialize the entire user object in redirect URLs +- **Rails-API**: Fix Rails-API integration hang-ups +- **Namespaces**: Correct handling namespaced resources + +## Misc + +- **Code Quality**: Restrict access to controller methods and other cleanup +- **Deps**: Update to Devise v3.5.2 + + + +# 0.1.34 (2015-08-10) + +## Features + +- **Localization**: Add Brazilian Portuguese translation (pt-BR) + +## Fixes + +- **Deps**: Lock Devise to last known working version (v3.5.1) + + # 0.1.33 (2015-08-09) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 9d889d1a5..7a469ab41 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.34" + VERSION = "0.1.35" end From b6d8787b706c8cddee6a4a34eb6710d9c7e4aad8 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 12 Oct 2015 21:08:54 -0600 Subject: [PATCH 153/328] fix(ci): revert to last known working mysql2 gem for Travis --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index e4a2f8311..4b7ce22d5 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -150,7 +150,7 @@ GEM multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.4.1) + mysql2 (0.3.19) nenv (0.2.0) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) From 18cc2d664437bc29b79298937239fd191e7a01de Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 12 Oct 2015 21:19:07 -0600 Subject: [PATCH 154/328] v0.1.36 --- CHANGELOG.md | 8 ++++++++ Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index dca21866e..1c401bec4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ + +# 0.1.36 (2015-10-13) + +## Fixes + +- **Deps**: Revert to last known working mysql2 gem for Travis + + # 0.1.35 (2015-10-13) diff --git a/Gemfile.lock b/Gemfile.lock index 4b7ce22d5..74797a609 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.35) + devise_token_auth (0.1.36) devise (~> 3.5.2) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 7a469ab41..1eceefd31 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.35" + VERSION = "0.1.36" end From 3055ee97be697df41d16474d1e095a1dfa0fe50a Mon Sep 17 00:00:00 2001 From: Adrian Mugnolo Date: Fri, 16 Oct 2015 13:24:45 -0300 Subject: [PATCH 155/328] Add .ruby-version entry to .gitignore --- .gitignore | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index f83d7a10c..b4390ac67 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,5 @@ test/dummy/tmp/ test/dummy/.sass-cache test/dummy/config/application.yml coverage -.idea \ No newline at end of file +.idea +.ruby-version From bed394f0f382f3ff1a6a8bb1f4a3944da8cabbfa Mon Sep 17 00:00:00 2001 From: Rui Venancio Date: Fri, 16 Oct 2015 18:09:31 +0100 Subject: [PATCH 156/328] Portuguese (portugal) translation --- config/locales/pt-PT.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 config/locales/pt-PT.yml diff --git a/config/locales/pt-PT.yml b/config/locales/pt-PT.yml new file mode 100644 index 000000000..d9859a798 --- /dev/null +++ b/config/locales/pt-PT.yml 
@@ -0,0 +1,30 @@ +pt-PT: + devise_token_auth: + sessions: + not_confirmed: "Uma mensagem com um link de confirmação foi enviado para seu endereço de e-mail. Você precisa confirmar sua conta antes de continuar." + bad_credentials: "E-mail ou senha inválidos." + not_supported: "Use POST /sign_in para efetuar o login. GET não é suportado." + user_not_found: "Utilizador não existe ou não está logado." + token_validations: + invalid: "Dados de login inválidos." + registrations: + missing_confirm_success_url: "Parâmetro `confirm_success_url` não informado." + redirect_url_not_allowed: "Redirecionamento para %{redirect_url} não permitido." + email_already_exists: "Já existe uma conta com o email %{email}." + account_with_uid_destroyed: "A conta com uid %{uid} foi excluída." + account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão." + user_not_found: "Utilizador não encontrado." + passwords: + missing_email: "Informe o endereço de e-mail." + missing_redirect_url: "URL para redirecionamento não informada." + not_allowed_redirect_url: "Redirecionamento para %{redirect_url} não permitido." + sended: "Você receberá um e-mail com instruções sobre como redefinir sua senha." + user_not_found: "Não existe um utilizador com o e-mail '%{email}'." + password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}." + missing_passwords: 'Preencha a senha e a confirmação de senha.' + successfully_updated: "Senha atualizada com sucesso." + + errors: + validate_sign_up_params: "Os dados submetidos na requisição de registo são inválidos." + validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." + not_email: "não é um e-mail" \ No newline at end of file From 986922133327c8ca983570e2c3a45259adf22bd7 Mon Sep 17 00:00:00 2001 
From: Rui Venancio Date: Fri, 16 Oct 2015 18:18:06 +0100 Subject: [PATCH 157/328] When you visit the change password link for the second time (sent by email), you should be redirected to a 404 page instead of get a window with a json message. This behaviour is also required when you have a wrong password confirmtion link. --- .../devise_token_auth/passwords_controller.rb | 8 +------- .../devise_token_auth/passwords_controller_test.rb | 10 +++++----- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index d917dbb8d..2f74c3d05 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -100,7 +100,7 @@ def edit config: params[:config] })) else - render_edit_error + raise ActionController::RoutingError.new('Not Found') end end @@ -174,12 +174,6 @@ def render_create_error }, status: @error_status end - def render_edit_error - render json: { - success: false - }, status: 404 - end - def render_update_error_unauthorized render json: { success: false, diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index a2962143c..726bd7875 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -122,13 +122,13 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end describe 'password reset link failure' do - test 'respone should return 404' do - xhr :get, :edit, { - reset_password_token: 'bogus', + test 'response should return 404' do + assert_raises(ActionController::RoutingError) { + xhr :get, :edit, { + reset_password_token: "bogus", redirect_url: @mail_redirect_url + } } - - assert_equal 404, response.status end end 
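Review bot: Replacing the `render_edit_error` call in `edit` with a bare `raise` removes what presumably was an overridable rendering hook (this repo's dummy app overrides sibling `render_*_success` methods in exactly that pattern), so an application subclass that customised `render_edit_error` would silently lose its behaviour; keeping the hook with the raise as its default body, `def render_edit_error; raise ActionController::RoutingError, 'Not Found'; end`, gives the 404 without dropping the extension point. The conventional spelling is also `raise ActionController::RoutingError, 'Not Found'` rather than `.new(...)`. A RoutingError raised from an action only becomes a 404 page through the exceptions middleware in production; in development it renders the debug page, and in `ActionController::TestCase` it propagates, which is what the updated test hunk's `assert_raises` relies on. `edit` begins outside the hunk.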
From 9062b5e886034457128e38cc486aee4c16dc65ef Mon Sep 17 00:00:00 2001 From: Brian Carrigan Date: Fri, 16 Oct 2015 15:38:51 -0400 Subject: [PATCH 158/328] Updated the usage information in the documentation. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 976044346..787554ed5 100644 --- a/README.md +++ b/README.md 
@@ -135,16 +135,16 @@ The following routes are available for use by your client. These routes live rel | path | method | purpose | |:-----|:-------|:--------| -| / | POST | Email registration. Accepts **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | +| / | POST | Email registration. Requires **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. | | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. | | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. | -| /sign_in | POST | Email authentication. Accepts **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login. | +| /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. | | /sign_out | DELETE | Use this route to end the user's current session. 
This route will invalidate the user's authentication token. | | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | -| /validate_token | GET | Use this route to validate tokens on return visits to the client. Accepts **`uid`** and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | +| /validate_token | GET | Use this route to validate tokens on return visits to the client. Requires **`uid`**, **`client`**, and **`access-token`** as params. These values should correspond to the columns in your `User` table of the same names. | | /password | POST | Use this route to send a password reset confirmation email to users that registered by email. Accepts **`email`** and **`redirect_url`** as params. The user matching the `email` param will be sent instructions on how to reset their password. `redirect_url` is the url to which the user will be redirected after visiting the link contained in the email. | -| /password | PUT | Use this route to change users' passwords. Accepts **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | +| /password | PUT | Use this route to change users' passwords. Requires **`password`** and **`password_confirmation`** as params. This route is only valid for users that registered by email (OAuth2 users will receive an error). 
It also checks **`current_password`** if **`config.check_current_password_before_update`** is not set `false` (disabled by default). | | /password/edit | GET | Verify user by password reset token. This route is the destination URL for password reset confirmation. This route must contain **`reset_password_token`** and **`redirect_url`** params. These values will be set automatically by the confirmation email that is generated by the password reset request. | [Jump here](#usage-cont) for more usage information. From 087df7e68cface084ab1263c9c5122039e4bd4cc Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 20 Oct 2015 22:00:41 -0600 Subject: [PATCH 159/328] fix(gemspec): ensure log files from tests aren't bundled as part of gem --- devise_token_auth.gemspec | 1 + 1 file changed, 1 insertion(+) diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 4a8044e25..1f4c99fe4 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -16,6 +16,7 @@ Gem::Specification.new do |s| s.files = Dir["{app,config,db,lib}/**/*", "LICENSE", "Rakefile", "README.md"] s.test_files = Dir["test/**/*"] + s.test_files.reject! { |file| file.ends_with?(".log") } s.add_dependency "rails", "~> 4.2" s.add_dependency "devise", "~> 3.5.2" From a3c886a303088409183410962f42e62fe707f3e3 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 20 Oct 2015 22:08:56 -0600 Subject: [PATCH 160/328] fix(gemspec): add .sqlite3 to exclude pattern --- devise_token_auth.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 1f4c99fe4..a4a9d2801 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec 
@@ -16,7 +16,7 @@ Gem::Specification.new do |s| s.files = Dir["{app,config,db,lib}/**/*", "LICENSE", "Rakefile", "README.md"] s.test_files = Dir["test/**/*"] - s.test_files.reject! { |file| file.ends_with?(".log") } + s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "~> 4.2" s.add_dependency "devise", "~> 3.5.2" From 31a1618ea70d65c8ce1b669c6c8051a68bcad647 Mon Sep 17 00:00:00 2001 From: Yaroslav Konoplov Date: Wed, 21 Oct 2015 12:25:32 +0300 Subject: [PATCH 161/328] Make translation keys symbols and add better fallback --- app/validators/email_validator.rb | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb index edba79957..d036c58a0 100644 --- a/app/validators/email_validator.rb +++ b/app/validators/email_validator.rb @@ -12,12 +12,8 @@ def email_invalid_message message = options[:message] if message.nil? - - # Try DeviceTokenAuth translations: - message = I18n.t('errors.not_email', default: '') - - # Fallback to ActiveModel translations: - message = I18n.t('errors.messages.invalid') if message.blank? + # Try DeviceTokenAuth translations or fallback to ActiveModel translations + message = I18n.t(:'errors.not_email', default: :'errors.messages.invalid') end message From 0252300ebd9a1a68e7725be1687626daecfa9196 Mon Sep 17 00:00:00 2001 From: ponyesteves Date: Sat, 24 Oct 2015 14:29:08 -0300 Subject: [PATCH 162/328] change default message for already in use error and added to english and spanish translation files (en.yml and es.yml) --- app/models/devise_token_auth/concerns/user.rb | 2 +- config/locales/en.yml | 4 +++- config/locales/es.yml | 4 +++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 379e225ba..4ec8053be 100644 --- a/app/models/devise_token_auth/concerns/user.rb 
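Review bot: `/[.log|.sqlite3]$/` is a character class, not an alternation: it rejects any path whose last character is one of `. l o g | s q i t e 3`, so besides `.log` and `.sqlite3` it also drops every test file ending in `.yml`, `.js`, `.css` or `.rake` from `test_files`. Core Ruby's `end_with?` takes several suffixes, so `s.test_files.reject! { |file| file.end_with?(".log", ".sqlite3") }` does what the commit intends without a regex (if a regex is preferred, `/\.(log|sqlite3)\z/`, with `\z` rather than `$`). The previous commit's `ends_with?` presumably failed because that alias comes from ActiveSupport, which is not loaded when RubyGems evaluates the gemspec.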
+++ b/app/models/devise_token_auth/concerns/user.rb @@ -233,7 +233,7 @@ def token_validation_response # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, :already_in_use, default: "address is already in use") + errors.add(:email, :already_in_use) end end diff --git a/config/locales/en.yml b/config/locales/en.yml index 93434a352..ca035b555 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -27,4 +27,6 @@ en: errors: validate_sign_up_params: "Please submit proper sign up data in request body." validate_account_update_params: "Please submit proper account update data in request body." - not_email: "is not an email" \ No newline at end of file + not_email: "is not an email" + message: + already_in_use: already in use \ No newline at end of file diff --git a/config/locales/es.yml b/config/locales/es.yml index 9c81f9fd2..018fb6143 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -27,4 +27,6 @@ es: errors: validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos." validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos." - not_email: "no es un correo electrónico" \ No newline at end of file + not_email: "no es un correo electrónico" + messages: + already_in_use: ya ha sido ocupado \ No newline at end of file From c80cfce88c4fbfce163dde4a7527d0c13f30d77f Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 24 Oct 2015 20:23:41 -0500 Subject: [PATCH 163/328] ensure session is cleared after each request. references #375 --- .../concerns/set_user_by_token.rb | 2 + test/dummy/db/schema.rb | 144 +++++++++--------- 2 files changed, 74 insertions(+), 72 deletions(-) 
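Review bot: With the `default:` option removed, the text for `errors.add(:email, :already_in_use)` has to come from the locale files, and ActiveModel resolves it under `errors.messages.already_in_use`; the en.yml hunk in this commit nests the key under `message:` (singular) while the es.yml hunk uses `messages:`, so English users would get an I18n "translation missing" placeholder instead of "already in use". The en.yml key should be `messages:` to match. In the same method, though pre-existing, `provider == 'email' and ...` should use `&&`, and `.count > 0` can be `.exists?`. `unique_email_user`'s enclosing module starts outside the hunk.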
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index d2289a34e..546c76213 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -106,6 +106,8 @@ def update_auth_header end + sign_out(@resource) + end def resource_class(m=nil) diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index b2fc48cdf..b54f5cc68 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
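Review bot: `sign_out(@resource)` at the end of `update_auth_header` keeps the token-authenticated user out of the cookie session, which is the right property for a stateless token API, but it only runs when control reaches the end of the method; any early `return` above the hunk (the method starts outside it) would leave the session populated for that request. If the sign-in performed by this concern does not already pass `store: false` (Warden's `set_user(..., store: false)`), doing so at sign-in time guarantees the user is never written to the session and makes the sign-out unnecessary. When `@resource` is nil Devise's `sign_out` signs out every scope, which is harmless but deserves a comment such as `# never let token auth persist in the cookie session`. The schema.rb hunks that follow (dropping every `limit:` option) look unrelated to the fix and are presumably a dump regenerated against a different adapter; they would be easier to review as a separate commit.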
@@ -14,27 +14,27 @@ ActiveRecord::Schema.define(version: 20150708104536) do create_table "evil_users", force: :cascade do |t| - t.string "email", limit: 255 - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 - t.string "favorite_color", limit: 255 + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" + t.string "favorite_color" t.datetime "created_at" t.datetime "updated_at" end 
@@ -45,31 +45,31 @@ add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true create_table "mangs", force: :cascade do |t| - t.string "email", limit: 255 - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url", limit: 255 + t.string "reset_password_redirect_url" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url", limit: 255 - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 + t.string "confirm_success_url" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" - t.string "favorite_color", limit: 255 + t.string "favorite_color" end add_index "mangs", ["confirmation_token"], name: "index_mangs_on_confirmation_token", unique: true 
@@ -107,14 +107,14 @@ add_index "nice_users", ["uid", "provider"], name: "index_nice_users_on_uid_and_provider", unique: true create_table "only_email_users", force: :cascade do |t| - t.string "provider", limit: 255, null: false - t.string "uid", limit: 255, default: "", null: false - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "email", limit: 255 - t.text "tokens", limit: 65535 + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" end 
@@ -148,26 +148,26 @@ add_index "unconfirmable_users", ["uid", "provider"], name: "index_unconfirmable_users_on_uid_and_provider", unique: true create_table "unregisterable_users", force: :cascade do |t| - t.string "provider", limit: 255, null: false - t.string "uid", limit: 255, default: "", null: false - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "email", limit: 255 - t.text "tokens", limit: 65535 + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" end 
@@ -177,32 +177,32 @@ add_index "unregisterable_users", ["uid", "provider"], name: "index_unregisterable_users_on_uid_and_provider", unique: true create_table "users", force: :cascade do |t| - t.string "email", limit: 255 - t.string "encrypted_password", limit: 255, default: "", null: false - t.string "reset_password_token", limit: 255 + t.string "email" + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" t.datetime "reset_password_sent_at" - t.string "reset_password_redirect_url", limit: 255 + t.string "reset_password_redirect_url" t.datetime "remember_created_at" - t.integer "sign_in_count", limit: 4, default: 0, null: false + t.integer "sign_in_count", default: 0, null: false t.datetime "current_sign_in_at" t.datetime "last_sign_in_at" - t.string "current_sign_in_ip", limit: 255 - t.string "last_sign_in_ip", limit: 255 - t.string "confirmation_token", limit: 255 + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" t.datetime "confirmed_at" t.datetime "confirmation_sent_at" - t.string "confirm_success_url", limit: 255 - t.string "unconfirmed_email", limit: 255 - t.string "name", limit: 255 - t.string "nickname", limit: 255 - t.string "image", limit: 255 - t.string "provider", limit: 255 - t.string "uid", limit: 255, default: "", null: false - t.text "tokens", limit: 65535 + t.string "confirm_success_url" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "provider" + t.string "uid", default: "", null: false + t.text "tokens" t.datetime "created_at" t.datetime "updated_at" - t.integer "operating_thetan", limit: 4 - t.string "favorite_color", limit: 255 + t.integer "operating_thetan" + t.string "favorite_color" end add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true From 1084ec2f2d87548c34840dbc4afd804660764f18 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Sat, 24 Oct 2015 20:24:41 -0500 Subject: [PATCH 164/328] v0.1.37.beta1 --- lib/devise_token_auth/version.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 1eceefd31..bcd7bd88c 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.36" + VERSION = "0.1.37.beta1" end From 4922d90f8a76a9b74cc85b1b187b3e64299e9b30 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 24 Oct 2015 20:32:48 -0500 Subject: [PATCH 165/328] oops. commit gemfile.lock after version change --- Gemfile.lock | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 74797a609..6f1e400a6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.36) + devise_token_auth (0.1.37.beta1) devise (~> 3.5.2) rails (~> 4.2) @@ -261,3 +261,6 @@ DEPENDENCIES rack-cors sqlite3 (~> 1.3) thor + +BUNDLED WITH + 1.10.5 From 2b8f2af2dd8ef594c69bcbee80366ff80c902173 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 24 Oct 2015 21:04:04 -0500 Subject: [PATCH 166/328] prevent batching of requests by appending "unbatch=true" param to request url --- .../concerns/set_user_by_token.rb | 1 + test/controllers/demo_user_controller_test.rb | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 546c76213..6dff274a4 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -125,6 +125,7 @@ def resource_class(m=nil)
 def is_batch_request?(user, client_id)
+ not params[:unbatch] and
 user.tokens[client_id] and
 user.tokens[client_id]['updated_at'] and
 Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb
index df0ad7c9a..df3dde9af 100644
--- a/test/controllers/demo_user_controller_test.rb
+++ b/test/controllers/demo_user_controller_test.rb
@@ -201,6 +201,31 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
 end
 end
+ describe 'unbatch' do
+ before do
+ @resource.reload
+ age_token(@resource, @client_id)
+
+ get '/demo/members_only', {}, @auth_headers
+
+ @first_is_batch_request = assigns(:is_batch_request)
+ @first_user = assigns(:resource).dup
+ @first_access_token = response.headers['access-token']
+ @first_response_status = response.status
+
+ get '/demo/members_only?unbatch=true', {}, @auth_headers
+
+ @second_is_batch_request = assigns(:is_batch_request)
+ @second_user = assigns(:resource)
+ @second_access_token = response.headers['access-token']
+ @second_response_status = response.status
+ end
+
+ it 'should NOT treat the second request as a batch request when "unbatch" param is set' do
+ refute @second_is_batch_request
+ end
+ end
+
 describe 'time out' do
 before do
 @resource.reload
From 52347c4adb927e8693ca484e10ddec9f39f2411d Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Sat, 24 Oct 2015 21:07:26 -0500 Subject: [PATCH 167/328] v0.1.37.beta2 --- CHANGELOG.md | 9 ++++++++- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1c401bec4..d7ab6c0b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
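Review bot: `params[:unbatch]` is only tested for presence on the added line, so `?unbatch=false` (or any non-empty value) disables batching just like `unbatch=true`; if an explicit opt-out is intended, compare the value, e.g. `params[:unbatch] != 'true' and`, and document the accepted value in the same comment. Forcing a request out of the batch window only makes the server rotate the token sooner, so as far as this hunk shows a caller gains nothing by setting it, but the accepted spelling should still be pinned. The `not … and … and` chain works here because the whole expression is the method's return value, yet the low-precedence keyword forms are a precedence trap the moment someone wraps it; the idiomatic form is `!params[:unbatch] && …`. The closing lines of `is_batch_request?` fall outside the visible hunk.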
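Review bot: The new `before` block in `describe 'unbatch'` captures `@first_access_token`, `@first_response_status`, `@second_access_token` and friends, but the only example asserts `@second_is_batch_request`, so the observable effect of unbatching — a rotated token — is never checked. An assertion such as `refute_equal @first_access_token, @second_access_token` would pin that, and the unused `@first_user`/`@second_user` captures can then go. If the extra captures are placeholders for later examples, a short comment saying so would stop the next reader from deleting them.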
@@ -1,3 +1,10 @@ + +# 0.1.37 (beta) + +## Features + +- **Batch Requests**: Prevent batching of requests by appending `unbatch=true` param to request URL + # 0.1.36 (2015-10-13) @@ -48,4 +55,4 @@ ## Breaking Changes -- The new OmniAuth callback behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. \ No newline at end of file +- The new OmniAuth callback behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. diff --git a/Gemfile.lock b/Gemfile.lock index 6f1e400a6..e144d5044 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.37.beta1) + devise_token_auth (0.1.37.beta2) devise (~> 3.5.2) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index bcd7bd88c..e5de0c3ab 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.37.beta1" + VERSION = "0.1.37.beta2" end From 9927d3c669d1ba666a41a3fbc24ea7e444d5dd37 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 27 Oct 2015 02:29:14 -0500 Subject: [PATCH 168/328] add "blank=true" param to sameWindow redirect url. This will notify the client not to render the page --- .../devise_token_auth/omniauth_callbacks_controller.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 9061c0d25..2cb044cf5 100644 
--- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
@@ -71,7 +71,7 @@ def omniauth_params
 end
 end
 @_omniauth_params
- 
+
 end
 # break out provider attribute assignment for easy method extension
@@ -206,12 +206,12 @@ def render_data_or_redirect(message, data, user_data = {})
 elsif auth_origin_url
 # default to same-window implementation, which forwards back to auth_origin_url
 # build and redirect to destination url
- redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data)
+ redirect_to DeviseTokenAuth::Url.generate(auth_origin_url, data.merge(blank: true))
 else
- 
+
 # there SHOULD always be an auth_origin_url, but if someone does something silly
 # like coming straight to this url or refreshing the page at the wrong time, there may not be one.
- # In that case, just render in plain text the error message if there is one or otherwise 
+ # In that case, just render in plain text the error message if there is one or otherwise
 # a generic message.
 fallback_render data[:error] || 'An error occurred'
 end
@@ -225,7 +225,7 @@ def fallback_render(text) #{text} - | + | end def get_resource_from_auth_hash
From 0620c9b8efab894da8b969354e7d60e1e6d34640 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 27 Oct 2015 02:30:34 -0500 Subject: [PATCH 169/328] references #200 --- .../devise_token_auth/concerns/set_user_by_token.rb | 6 ++---- .../devise_token_auth/omniauth_external_window.html.erb | 2 +- lib/devise_token_auth/url.rb | 2 +- 3 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
index 6dff274a4..c3264a0ab 100644
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
+++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
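Review bot: `data.merge(blank: true)` in the same-window branch introduces a `blank` query flag that nothing in the code explains; the commit message says it tells the client not to render the page, and that belongs next to the call, e.g. `# blank=true tells the client not to render this intermediate redirect page`. Whether `auth_origin_url` has been checked against `redirect_whitelist` (the README in this series describes that setting for post-validation redirects) before it is used as a redirect target is not visible in the hunk; since the value originates from the request, it is worth confirming that check exists upstream rather than assuming it. `render_data_or_redirect` begins and ends outside the hunk.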
@@ -32,7 +32,7 @@ def set_user_by_token(mapping=nil)
 @client_id ||= 'default'
 # check for an existing user, authenticated via warden/devise
- devise_warden_user = warden.user(rc.to_s.underscore.to_sym) 
+ devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
 if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
 @used_auth_by_token = false
 @resource = devise_warden_user
@@ -54,7 +54,7 @@ def set_user_by_token(mapping=nil)
 user = uid && rc.find_by_uid(uid)
 if user && user.valid_token?(@token, @client_id)
- sign_in(:user, user, store: false, bypass: true)
+ sign_in(:user, user, store: false, bypass: false)
 return @resource = user
 else
 # zero all values previously set values
@@ -106,8 +106,6 @@ def update_auth_header
 end
- sign_out(@resource)
-
 end
 def resource_class(m=nil)
diff --git a/app/views/devise_token_auth/omniauth_external_window.html.erb b/app/views/devise_token_auth/omniauth_external_window.html.erb
index 3992decb2..0739e4c6d 100644
--- a/app/views/devise_token_auth/omniauth_external_window.html.erb
+++ b/app/views/devise_token_auth/omniauth_external_window.html.erb
@@ -35,4 +35,4 @@
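Review bot: The changed `sign_in(:user, user, store: false, bypass: false)` still hard-codes the `:user` Warden scope, while the lookup in the first hunk derives the scope from the resource class (`warden.user(rc.to_s.underscore.to_sym)`); for any mapping other than User (the test suite later in this series exercises a `Mang` resource) the authenticated resource is placed in the wrong scope. `sign_in(rc.to_s.underscore.to_sym, user, store: false, bypass: false)` would keep the two consistent. Flipping `bypass: true` to `false` changes whether Devise stores the user through Warden's `set_user` path — and so which sign-in callbacks fire, as I recall Devise 3.x — and the commit message (`references #200`) gives no reason; a one-line comment stating the intent would help, especially since the third hunk also drops the `sign_out(@resource)` that previously undid the sign-in. `set_user_by_token` begins and ends outside the hunk.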
     
- \ No newline at end of file + diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb index 172a22fd6..7614a86af 100644 --- a/lib/devise_token_auth/url.rb +++ b/lib/devise_token_auth/url.rb @@ -12,4 +12,4 @@ def self.generate(url, params = {}) return res end -end \ No newline at end of file +end From bfb9ddce220e1ac74088398fa576f6f11a1334c0 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 27 Oct 2015 02:31:21 -0500 Subject: [PATCH 170/328] v0.1.37.beta3 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index e144d5044..8f1c95547 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.37.beta2) + devise_token_auth (0.1.37.beta3) devise (~> 3.5.2) rails (~> 4.2) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index e5de0c3ab..bc00e5fe0 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.37.beta2" + VERSION = "0.1.37.beta3" end From 728df21e56e54b253c269e7c8fa349a80ef43d61 Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Tue, 27 Oct 2015 03:05:57 -0500 Subject: [PATCH 171/328] fix broken test --- .../devise_token_auth/registrations_controller_test.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index 574e437ff..abc7a1c31 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
@@ -763,13 +763,15 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration
 end
 test "Mang should be destroyed" do
+ @resource.skip_confirmation!
+ @resource.save!
 @auth_headers = @resource.create_new_auth_token
 @client_id = @auth_headers['client']
 # ensure request is not treated as batch request
 age_token(@resource, @client_id)
- delete "/mangs", {}, @auth_headers
+ xhr :delete, "/mangs", {}, @auth_headers
 assert_equal 200, response.status
 refute Mang.where(id: @resource.id).first
From 408aa244a2dbcc6aef029ff029df468346412ebb Mon Sep 17 00:00:00 2001 From: Nate Brustein Date: Tue, 27 Oct 2015 09:27:38 -0400 Subject: [PATCH 172/328] fix(url): preserve query parameters when building urls --- lib/devise_token_auth/url.rb | 5 +++-- test/lib/devise_token_auth/url_test.rb | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb
index 172a22fd6..fa948149b 100644
--- a/lib/devise_token_auth/url.rb
+++ b/lib/devise_token_auth/url.rb
@@ -5,8 +5,9 @@ def self.generate(url, params = {})
 res = "#{uri.scheme}://#{uri.host}"
 res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443)
- res += "#{uri.path}" if uri.path
- res += "?#{params.to_query}"
+ res += "#{uri.path}" if uri.path
+ query = [uri.query, params.to_query].reject(&:blank?).join('&')
+ res += "?#{query}"
 res += "##{uri.fragment}" if uri.fragment
 return res
diff --git a/test/lib/devise_token_auth/url_test.rb b/test/lib/devise_token_auth/url_test.rb
index 012dbf076..e668140bf 100644
--- a/test/lib/devise_token_auth/url_test.rb
+++ b/test/lib/devise_token_auth/url_test.rb
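Review bot: In the `url.rb` hunk, `res += "?#{query}"` appends the `?` unconditionally, so when the input URL has no query and `params` is empty the result ends in a dangling `?` (`generate('http://example.com')` would give `http://example.com?`); guarding it with `res += "?#{query}" unless query.empty?` fixes that and still keeps the merged-query behaviour the commit adds. Assuming `uri` is a `URI` object, `uri.path` is `""` rather than `nil` for a host-only URL, so the `if uri.path` on the re-added line never filters anything — harmless, but it suggests a nil check that isn't happening. `self.generate` begins and ends outside the hunk.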
@@ -7,5 +7,22 @@ class DeviseTokenAuth::UrlTest < ActiveSupport::TestCase url = 'http://example.com#fragment' assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?client_id=123#fragment" end + + describe 'with existing query params' do + test 'should preserve existing query params' do + url = 'http://example.com?a=1' + assert_equal DeviseTokenAuth::Url.send(:generate, url), "http://example.com?a=1" + end + + test 'should marge existing query params with new ones' do + params = {client_id: 123} + url = 'http://example.com?a=1' + assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?a=1&client_id=123" + end + + + end + + end end \ No newline at end of file From 9ef4d6abbc7a73ef35c4ef6b15a64e74981a95d3 Mon Sep 17 00:00:00 2001 From: Stefan Haslinger Date: Thu, 29 Oct 2015 09:13:34 +0100 Subject: [PATCH 173/328] I18n to German (in file de.yml) --- config/locales/de.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 config/locales/de.yml diff --git a/config/locales/de.yml b/config/locales/de.yml new file mode 100644 index 000000000..8860998dc --- /dev/null +++ b/config/locales/de.yml 
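Review bot: The second new example's name has a typo: `test 'should marge existing query params with new ones'` should read `'should merge existing query params with new ones'`. The new `describe` covers merging but not the case where neither the URL nor `params` carries a query, which is exactly where the generator's unconditional `?` shows up; an example such as `assert_equal DeviseTokenAuth::Url.send(:generate, 'http://example.com'), 'http://example.com'` would document the intended output. The block also leaves two stray blank lines before its closing `end`, and the file still ends without a newline.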
@@ -0,0 +1,32 @@ +en: + devise_token_auth: + sessions: + not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse %{email} gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" + bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut." + not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt." + user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden." + token_validations: + invalid: "Ungültige Anmeldeinformationen" + registrations: + missing_confirm_success_url: "Fehlender Paramter `confirm_success_url`." + redirect_url_not_allowed: "Weiterleitung zu %{redirect_url} ist nicht gestattet." + email_already_exists: "Es gibt bereits einen Account für %{email}." + account_with_uid_destroyed: "Account mit der uid %{uid} wurde gelöscht." + account_to_destroy_not_found: "Der Account, der gelöscht werden soll, kann nicht gefunden werden." + user_not_found: "Benutzer kann nicht gefunden werden." + passwords: + missing_email: "Sie müssen eine E-Mail Adresse angeben." + missing_redirect_url: "Es fehlt der URL zu Weiterleitung." + not_allowed_redirect_url: "Weiterleitung zu %{redirect_url} ist nicht gestattet." + sended: "Ein E-Mail mit Anleitung zum Rücksetzen Ihres Passwortes wurde an %{email} gesendet." + user_not_found: "Der Benutzer mit E-Mail-Adresse '%{email}' kann nicht gefunden werden." + password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie Sich stattdessen über Ihren Account bei %{provider} an." + missing_passwords: 'Sie müssen die Felder "Passwort" and "Passwortbestätigung" ausfüllen.' + successfully_updated: "Ihr Passwort wurde erfolgreich aktualisiert." + + errors: + validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." + validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." 
+ not_email: "ist keine E-Mail Adresse" + message: + already_in_use: "bereits in Verwendung" \ No newline at end of file From c1ee530858d31898566b9af363d16fb4b0d0b2a0 Mon Sep 17 00:00:00 2001 From: Stefan Haslinger Date: Thu, 29 Oct 2015 09:14:34 +0100 Subject: [PATCH 174/328] I18n to German (in file de.yml) --- config/locales/de.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/locales/de.yml b/config/locales/de.yml index 8860998dc..c63da1ee4 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -1,4 +1,4 @@ -en: +de: devise_token_auth: sessions: not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse %{email} gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" @@ -29,4 +29,4 @@ en: validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." not_email: "ist keine E-Mail Adresse" message: - already_in_use: "bereits in Verwendung" \ No newline at end of file + already_in_use: "bereits in Verwendung" From d10f0552c6a49ba4ed5ec0804d75851369ca7364 Mon Sep 17 00:00:00 2001 From: Carlos Palhares Date: Thu, 29 Oct 2015 20:26:08 -0200 Subject: [PATCH 175/328] Fix omniauthredirection when under scopes --- .../omniauth_callbacks_controller.rb | 2 +- .../omniauth_callbacks_controller_test.rb | 13 ------------- 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 2cb044cf5..48bfdc4df 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -12,7 +12,7 @@ def redirect_callbacks
 # derive target redirect route from 'resource_class' param, which was set
 # before authentication.
 devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym
- redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].as_json["path"]}/#{params[:provider]}/callback"
+ redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].fullpath}/#{params[:provider]}/callback"
 # preserve omniauth info for success route. ignore 'extra' in twitter
 # auth response to avoid CookieOverflow.
diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
index d82fda8eb..ea8f9988d 100644
--- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
+++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb
@@ -17,7 +17,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 end
 describe 'success callback' do
-
 setup do
 OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new({
 :provider => 'facebook',
@@ -125,13 +124,11 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 end
 describe "oauth registration attr" do
-
 after do
 User.any_instance.unstub(:new_record?)
 end
 describe 'with new user' do
-
 before do
 User.any_instance.expects(:new_record?).returns(true).at_least_once
 end
@@ -148,7 +145,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 end
 describe 'with existing user' do
-
 before do
 User.any_instance.expects(:new_record?).returns(false).at_least_once
 end
@@ -191,7 +187,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest
 end
 describe 'with omniauth_window_type=inAppBrowser' do
-
 test 'response contains all expected data' do
 get_success(omniauth_window_type: 'inAppBrowser')
 assert_expected_data_in_new_window
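Review bot: The changed line dereferences `Devise.mappings[devise_mapping].fullpath` with no nil check, and `devise_mapping` is built on the line above from the request-supplied `resource_class` value, so an unknown class name raises `NoMethodError` (a 500) instead of a controlled rejection; `Devise.mappings.fetch(devise_mapping)` at least fails with a message naming the missing mapping, and checking `resource_class` against the configured mappings before the `.underscore.to_sym` would be cleaner still. Separately, if `Devise::Mapping#fullpath` returns a path with a leading slash (it does in the Devise 3.x I recall), the literal `/` before the interpolation produces `host//auth/...`; the test file touched by this commit only removes blank lines, so the generated callback URL is worth asserting explicitly. `redirect_callbacks` continues past the hunk.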
@@ -200,7 +195,6 @@ class OmniauthTest < ActionDispatch::IntegrationTest end describe 'with omniauth_window_type=newWindow' do - test 'response contains all expected data' do get_success(omniauth_window_type: 'newWindow') assert_expected_data_in_new_window @@ -216,7 +210,6 @@ def assert_expected_data_in_new_window end describe 'with omniauth_window_type=sameWindow' do - test 'redirects to auth_origin_url with all expected query params' do get_via_redirect '/auth/facebook', { auth_origin_url: '/auth_origin', @@ -247,14 +240,9 @@ def get_success(params = {}) assert_equal 200, response.status @resource = assigns(:resource) end - - - end describe 'failure callback' do - - setup do OmniAuth.config.mock_auth[:facebook] = :invalid_credentials OmniAuth.config.on_failure = Proc.new { |env| @@ -280,7 +268,6 @@ def get_success(params = {}) assert_equal 200, response.status assert_select "body", "invalid_credentials" end - end describe 'User with only :database_authenticatable and :registerable included' do From 073f711a6101636498452655f4ab80eef64b923f Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Fri, 30 Oct 2015 12:38:03 -0600 Subject: [PATCH 176/328] chore(doc): remove stale / duplicated changelog --- app/controllers/devise_token_auth/CHANGELOG.md | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 app/controllers/devise_token_auth/CHANGELOG.md diff --git a/app/controllers/devise_token_auth/CHANGELOG.md b/app/controllers/devise_token_auth/CHANGELOG.md deleted file mode 100644 index a7c7ff0d3..000000000 --- a/app/controllers/devise_token_auth/CHANGELOG.md +++ /dev/null 
@@ -1,10 +0,0 @@ -+ -+# 0.1.33 (2015-??-??) -+ -+## Features -+ -+- **Improved OAuth Flow**: Supports new OAuth window flows, allowing options for `sameWindow`, `newWindow`, and `inAppBrowser` -+ -+## Breaking Changes -+ -+- The new OAuth redirect behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. \ No newline at end of file From ee7e3f6600a1139232da28858efa002661a11319 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Fri, 30 Oct 2015 14:21:57 -0600 Subject: [PATCH 177/328] feat(enable-standard-devise): allow configurable support of legacy Devise authentication. update default to disabled. --- CHANGELOG.md | 11 ++ Gemfile.lock | 3 - README.md | 12 ++- .../concerns/set_user_by_token.rb | 14 +-- lib/devise_token_auth/engine.rb | 6 +- .../templates/devise_token_auth.rb | 15 ++- test/controllers/demo_user_controller_test.rb | 101 ++++++++++-------- 7 files changed, 100 insertions(+), 62 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d7ab6c0b5..00478055d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,19 @@ ## Features +- **Standard Devise**: Allow conditional support of legacy Devise. Now defaults to disabled. +- **Localization**: Add German translation(de) - **Batch Requests**: Prevent batching of requests by appending `unbatch=true` param to request URL +## Fixes + +- **URL Helper**: Preserve query parameters when building urls + +## Breaking Changes + +- This version updates legacy Devise support to default to disabled rather than enabled. This support causing all sorts of random issues for people who may not have needed the integration. This feature is considered experimental. + + # 0.1.36 (2015-10-13) diff --git a/Gemfile.lock b/Gemfile.lock index 8f1c95547..9dcba307c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -261,6 +261,3 @@ DEPENDENCIES rack-cors sqlite3 (~> 1.3) thor - -BUNDLED WITH - 1.10.5 diff --git a/README.md b/README.md index 787554ed5..ddcf52014 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,8 @@ The following settings are available for configuration in `config/initializers/d | **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the cilent. | | **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the cilent. | | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | +| **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! | + Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: 
@@ -773,8 +775,16 @@ When posting issues, please include the following information to speed up the tr
 ### Can I use this gem alongside standard Devise?
-Yes! But you will need to use separate routes for standard Devise. So do something like this:
+Yes! But you will need to enable the support use separate routes for standard Devise. So do something like this:
+
+#### config/initializers/devise_token_auth.rb
+~~~ruby
+DeviseTokenAuth.setup do |config|
+ # enable_standard_devise_support = false
+end
+~~~
+#### config/routes.rb
 ~~~ruby
 Rails.application.routes.draw do
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
index c3264a0ab..35101b586 100644
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
+++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
@@ -31,12 +31,14 @@ def set_user_by_token(mapping=nil)
 # client_id isn't required, set to 'default' if absent
 @client_id ||= 'default'
- # check for an existing user, authenticated via warden/devise
- devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
- if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
- @used_auth_by_token = false
- @resource = devise_warden_user
- @resource.create_new_auth_token
+ # check for an existing user, authenticated via warden/devise, if enabled
+ if DeviseTokenAuth.enable_standard_devise_support
+ devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
+ if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
+ @used_auth_by_token = false
+ @resource = devise_warden_user
+ @resource.create_new_auth_token
+ end
 end
 # user has already been found and authenticated
diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb
index b40a4d66b..aa0441c11 100644
--- a/lib/devise_token_auth/engine.rb
+++ b/lib/devise_token_auth/engine.rb
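Review bot: In the `set_user_by_token` hunk the new comment says when the branch runs but not what it does: a Warden-authenticated user with no token for `@client_id` has a fresh bearer token minted by `create_new_auth_token` on that request, which is the behaviour the README in this same patch labels experimental. Spelling that out, e.g. `# a warden session without a token for this client is promoted to token auth: mint one here`, would save the next reader from reconstructing it. `DeviseTokenAuth.enable_standard_devise_support` is read on every request from mutable global configuration, so toggling it at runtime (the test hunk later in this patch does so in a `before`) changes behaviour for all in-flight requests — fine for a boot-time setting, but worth stating in the initializer template. `set_user_by_token` begins and ends outside the hunk.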
@@ -16,7 +16,8 @@ class Engine < ::Rails::Engine :default_confirm_success_url, :default_password_reset_url, :redirect_whitelist, - :check_current_password_before_update + :check_current_password_before_update, + :enable_standard_devise_support self.change_headers_on_each_request = true self.token_lifespan = 2.weeks @@ -26,6 +27,7 @@ class Engine < ::Rails::Engine self.default_password_reset_url = nil self.redirect_whitelist = nil self.check_current_password_before_update = false + self.enable_standard_devise_support = false def self.setup(&block) yield self @@ -33,7 +35,7 @@ def self.setup(&block) Rails.application.config.after_initialize do if defined?(::OmniAuth) ::OmniAuth::config.path_prefix = Devise.omniauth_path_prefix = self.omniauth_prefix - + # Omniauth currently does not pass along omniauth.params upon failure redirect # see also: https://github.com/intridea/omniauth/issues/626 diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index e158e784f..6169a8bf7 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb 
@@ -3,26 +3,31 @@
 # client is responsible for keeping track of the changing tokens. Change
 # this to false to prevent the Authorization header from changing after
 # each request.
- #config.change_headers_on_each_request = true
+ # config.change_headers_on_each_request = true
 # By default, users will need to re-authenticate after 2 weeks. This setting
 # determines how long tokens will remain valid after they are issued.
- #config.token_lifespan = 2.weeks
+ # config.token_lifespan = 2.weeks
 # Sometimes it's necessary to make several requests to the API at the same
 # time. In this case, each request in the batch will need to share the same
 # auth token. This setting determines how far apart the requests can be while
 # still using the same auth token.
- #config.batch_request_buffer_throttle = 5.seconds
+ # config.batch_request_buffer_throttle = 5.seconds
 # This route will be the prefix for all oauth2 redirect callbacks. For
 # example, using the default '/omniauth', the github oauth2 provider will
 # redirect successful authentications to '/omniauth/github/callback'
- #config.omniauth_prefix = "/omniauth"
+ # config.omniauth_prefix = "/omniauth"
 # By defult sending current password is not needed for the password update.
 # Uncomment to enforce current_password param to be checked before all
 # attribute updates. Set it to :password if you want it to be checked only if
 # password is updated.
 # config.check_current_password_before_update = :attributes
-end
+
+ # By default, only Bearer Token authentication is implemented out of the box.
+ # If, however, you wish to integrate with legacy Devise authentication, you can
+ # do so by enabling this flag. NOTE: This feature is highly experimental!
+ # enable_standard_devise_support = false
+end
\ No newline at end of file
diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb
index df3dde9af..899d11a84 100644
--- a/test/controllers/demo_user_controller_test.rb
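Review bot: The new commented example reads `# enable_standard_devise_support = false`, while every other setting in this template uses the block receiver, e.g. `# config.check_current_password_before_update = :attributes`; a user who uncomments it as written gets a throwaway local assignment and the feature stays disabled. Change it to `# config.enable_standard_devise_support = true` — `true`, because the engine default added in the same patch is already `false`, so the example should show the value that actually changes something. The README snippet earlier in this patch repeats the same receiver-less form and needs the same fix. The template also loses its trailing newline (`\ No newline at end of file`).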
+++ b/test/controllers/demo_user_controller_test.rb
@@ -284,14 +284,25 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
 end
 end
- describe 'existing Warden authentication with ignored token data' do
+ end
+
+ describe 'enable_standard_devise_support' do
+
+ before do
+ @resource = users(:confirmed_email_user)
+ @auth_headers = @resource.create_new_auth_token
+ DeviseTokenAuth.enable_standard_devise_support = true
+ end
+
+ describe 'Existing Warden authentication' do
 before do
 @resource = users(:second_confirmed_email_user)
 @resource.skip_confirmation!
 @resource.save!
 login_as( @resource, :scope => :user)
- get '/demo/members_only', {}, @auth_headers
+ # no auth headers sent, testing that warden authenticates correctly.
+ get '/demo/members_only', {}, nil
 @resp_token = response.headers['access-token']
 @resp_client_id = response.headers['client']
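Review bot: The `before` in the new `describe 'enable_standard_devise_support'` sets `DeviseTokenAuth.enable_standard_devise_support = true` and no `after` restoring it is visible in the hunk, so the flag stays on for whichever examples run next and the default-disabled path is never exercised in that order. Pair it with `after do` / `DeviseTokenAuth.enable_standard_devise_support = false` / `end`, or capture the previous value in the `before` and restore that. The describe block continues beyond the hunk, so the reset may live there — if it does, ignore this.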
@@ -329,69 +340,69 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest assert @resp_client_id end - it "should not use the existing token's client" do - refute_equal @auth_headers['client'], @resp_client_id - end - it "should return the user's uid in the auth header" do assert @resp_uid end + end - it "should not return the token user's uid in the auth header" do - refute_equal @resp_uid, @auth_headers['uid'] + describe 'existing Warden authentication with ignored token data' do + before do + @resource = users(:second_confirmed_email_user) + @resource.skip_confirmation! + @resource.save! + login_as( @resource, :scope => :user) + + get '/demo/members_only', {}, @auth_headers + + @resp_token = response.headers['access-token'] + @resp_client_id = response.headers['client'] + @resp_expiry = response.headers['expiry'] + @resp_uid = response.headers['uid'] end - end - end - describe 'Existing Warden authentication' do - before do - @resource = users(:second_confirmed_email_user) - @resource.skip_confirmation! - @resource.save! - login_as( @resource, :scope => :user) + describe 'devise mappings' do + it 'should define current_user' do + assert_equal @resource, @controller.current_user + end - # no auth headers sent, testing that warden authenticates correctly. - get '/demo/members_only', {}, nil + it 'should define user_signed_in?' do + assert @controller.user_signed_in? + end - @resp_token = response.headers['access-token'] - @resp_client_id = response.headers['client'] - @resp_expiry = response.headers['expiry'] - @resp_uid = response.headers['uid'] - end + it 'should not define current_mang' do + refute_equal @resource, @controller.current_mang + end + end - describe 'devise mappings' do - it 'should define current_user' do - assert_equal @resource, @controller.current_user + it 'should return success status' do + assert_equal 200, response.status end - it 'should define user_signed_in?' do - assert @controller.user_signed_in? 
+ it 'should receive new token after successful request' do + assert @resp_token end - it 'should not define current_mang' do - refute_equal @resource, @controller.current_mang + it 'should set the token expiry in the auth header' do + assert @resp_expiry end - end - it 'should return success status' do - assert_equal 200, response.status - end + it 'should return the client id in the auth header' do + assert @resp_client_id + end - it 'should receive new token after successful request' do - assert @resp_token - end + it "should not use the existing token's client" do + refute_equal @auth_headers['client'], @resp_client_id + end - it 'should set the token expiry in the auth header' do - assert @resp_expiry - end + it "should return the user's uid in the auth header" do + assert @resp_uid + end - it 'should return the client id in the auth header' do - assert @resp_client_id + it "should not return the token user's uid in the auth header" do + refute_equal @resp_uid, @auth_headers['uid'] + end end - it "should return the user's uid in the auth header" do - assert @resp_uid - end end end From e0b4dff6bc76ad7f3021e579cfa23477752140ff Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Fri, 30 Oct 2015 15:33:49 -0600 Subject: [PATCH 178/328] fix(before_filter): revert change to sign_in bypass to last stable --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 35101b586..ebed505e8 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -56,7 +56,7 @@ def set_user_by_token(mapping=nil) user = uid && rc.find_by_uid(uid) if user && user.valid_token?(@token, @client_id) - sign_in(:user, user, store: false, bypass: false) + sign_in(:user, user, store: false, bypass: true) return @resource = user else # zero all values previously set values From 84ee3509a60585eabb0736e79007a1a5a45aae38 Mon Sep 17 00:00:00 2001 From: Arne Zeising Date: Mon, 2 Nov 2015 22:16:40 +0100 Subject: [PATCH 179/328] Raise error in controller method --- app/controllers/devise_token_auth/passwords_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 242a0032f..cb3291baa 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -103,7 +103,7 @@ def edit config: params[:config] })) else - raise ActionController::RoutingError.new('Not Found') + render_edit_error end end @@ -179,6 +179,10 @@ def render_create_error }, status: @error_status end + def render_edit_error + raise ActionController::RoutingError.new('Not Found') + end + def render_update_error_unauthorized render json: { success: false, From d851eee065785e3798aff1967ea85e69ec020e2d Mon Sep 17 00:00:00 2001 From: Paulo Soares Date: Thu, 5 Nov 2015 08:24:43 -0200 Subject: [PATCH 180/328] limiting the number of concurrent devices --- app/models/devise_token_auth/concerns/user.rb | 6 ++++++ lib/devise_token_auth/engine.rb | 2 ++ .../templates/devise_token_auth.rb | 4 ++++ test/controllers/demo_user_controller_test.rb | 13 +++++++++++++ test/test_helper.rb | 12 ++++++++---- 5 files changed, 33 insertions(+), 4 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 4ec8053be..e8416d41e 100644 --- a/app/models/devise_token_auth/concerns/user.rb 
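Review bot: Returning to `sign_in(:user, user, store: false, bypass: true)` deserves a comment, because in Devise `bypass: true` skips the Warden `after_set_user` callbacks and, as I understand Devise's hooks, with them the `active_for_authentication?` check that rejects a locked or otherwise deactivated account; `valid_token?` on its own only proves the token is current. If that is the intended trade-off, record it, e.g. `# bypass: true skips Warden callbacks; account state is not re-checked by Devise hooks here`, and consider adding `&& user.active_for_authentication?` to the `if` condition — confirm against the Devise version in use. `set_user_by_token` starts and ends outside the hunk.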
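Review bot: `render_edit_error` raises `ActionController::RoutingError` rather than rendering anything, which its `render_*` name does not convey; since the extraction looks intended to give applications a single override point for an invalid or expired reset token, say so above the definition, e.g. `# Override to customize the response to an invalid/expired reset_password_token (404 by default).` The hunk shows no visibility modifier, so check that the new method lands in the same `protected`/`private` section as the neighbouring `render_create_error` and `render_update_error_unauthorized` helpers. The body of `edit` starts outside the first hunk.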
+++ b/app/models/devise_token_auth/concerns/user.rb @@ -178,6 +178,12 @@ def create_new_auth_token(client_id=nil) last_token: last_token, updated_at: Time.now } + + max_clients = DeviseTokenAuth.max_number_of_devices + while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length + oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] } + self.tokens.delete(oldest_token.first) + end self.save! diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index aa0441c11..a88bbaa54 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -10,6 +10,7 @@ class Engine < ::Rails::Engine end mattr_accessor :change_headers_on_each_request, + :max_number_of_devices, :token_lifespan, :batch_request_buffer_throttle, :omniauth_prefix, @@ -20,6 +21,7 @@ class Engine < ::Rails::Engine :enable_standard_devise_support self.change_headers_on_each_request = true + self.max_number_of_devices = 10 self.token_lifespan = 2.weeks self.batch_request_buffer_throttle = 5.seconds self.omniauth_prefix = '/omniauth' diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index 6169a8bf7..5c2018df9 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb @@ -9,6 +9,10 @@ # determines how long tokens will remain valid after they are issued. # config.token_lifespan = 2.weeks + # Sets the max number of concurrent devices per user, which is 10 by default. + # After this limit is reached, the oldest tokens will be removed. + # config.max_number_of_devices = 10 + # Sometimes it's necessary to make several requests to the API at the same # time. In this case, each request in the batch will need to share the same # auth token. This setting determines how far apart the requests can be while 
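Review bot: The eviction loop `while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length` uses `and` where `&&` is meant (the low-precedence keyword is a precedence trap in Ruby), the `length > 0` test is redundant once the count is compared with `max_clients`, and the loop has no defined behaviour for `max_clients` being `nil` or `0`: `nil` raises `NoMethodError` on `<`, and `0` evicts the token this very call just created. Simplify to `while max_clients && self.tokens.length > max_clients` and document that the setting must be a positive integer (the template hunk below shows only the `10` default). `min_by { |cid, v| v[:expiry] || v["expiry"] }` apparently copes with mixed symbol/string keys in stored tokens; a short comment saying the client with the earliest expiry is evicted first would help the next reader. `create_new_auth_token` starts outside the hunk.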
diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index 899d11a84..d10b12a25 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb @@ -322,6 +322,19 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest it 'should not define current_mang' do refute_equal @resource, @controller.current_mang end + + + it 'should increase the number of tokens by a factor of 2 up to 11' do + @first_token = @resource.tokens.keys.first + + DeviseTokenAuth.max_number_of_devices = 11 + (1..10).each do |n| + assert_equal [11, 2*n].min, @resource.reload.tokens.keys.length + get '/demo/members_only', {}, nil + end + + assert_not_includes @resource.reload.tokens.keys, @first_token + end end it 'should return success status' do diff --git a/test/test_helper.rb b/test/test_helper.rb index da3a528b5..3b9f88871 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -40,13 +40,17 @@ class ActiveSupport::TestCase # Add more helper methods to be used by all tests here... def age_token(user, client_id) - user.tokens[client_id]['updated_at'] = Time.now - (DeviseTokenAuth.batch_request_buffer_throttle + 10.seconds) - user.save! + if user.tokens[client_id] + user.tokens[client_id]['updated_at'] = Time.now - (DeviseTokenAuth.batch_request_buffer_throttle + 10.seconds) + user.save! + end end def expire_token(user, client_id) - user.tokens[client_id]['expiry'] = (Time.now - (DeviseTokenAuth.token_lifespan.to_f + 10.seconds)).to_i - user.save! + if user.tokens[client_id] + user.tokens[client_id]['expiry'] = (Time.now - (DeviseTokenAuth.token_lifespan.to_f + 10.seconds)).to_i + user.save! + end end end From e6108b5370451aadee2d809a9c2a642ea426be88 Mon Sep 17 00:00:00 2001 
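Review bot: Guarding `age_token` and `expire_token` with `if user.tokens[client_id]` turns them into silent no-ops when the client id is absent, so a test that calls them on an already-evicted token (now possible with `max_number_of_devices`) runs its request against an unchanged token and may pass or fail for the wrong reason. Prefer making the outcome checkable, e.g. end each helper with `user.tokens.key?(client_id)` and `assert` that at call sites that rely on the token having been aged or expired. A one-line comment on each helper stating that it rewrites the stored `updated_at`/`expiry` and persists the user would also document the intent.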
From: Rui Venancio Date: Sat, 7 Nov 2015 13:36:26 +0000 Subject: [PATCH 181/328] to keep coherent with devise. pt instead of pt-PT.yml --- config/locales/{pt-PT.yml => pt.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename config/locales/{pt-PT.yml => pt.yml} (99%) diff --git a/config/locales/pt-PT.yml b/config/locales/pt.yml similarity index 99% rename from config/locales/pt-PT.yml rename to config/locales/pt.yml index d9859a798..83f7e4e18 100644 --- a/config/locales/pt-PT.yml +++ b/config/locales/pt.yml @@ -1,4 +1,4 @@ -pt-PT: +pt: devise_token_auth: sessions: not_confirmed: "Uma mensagem com um link de confirmação foi enviado para seu endereço de e-mail. Você precisa confirmar sua conta antes de continuar." From 1e7ab494690765b6428324a866b6b181300b0676 Mon Sep 17 00:00:00 2001 From: Yaroslav Konoplov Date: Tue, 10 Nov 2015 00:31:06 +0200 Subject: [PATCH 182/328] Add ru translations --- config/locales/ru.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 config/locales/ru.yml diff --git a/config/locales/ru.yml b/config/locales/ru.yml new file mode 100644 index 000000000..4ed02a702 --- /dev/null +++ b/config/locales/ru.yml 
@@ -0,0 +1,33 @@ +ru: + devise_token_auth: + sessions: + not_confirmed: "Письмо с подтверждением Вашей учетной записи %{email} отправлено на электронную почту. Вы должны следовать инструкциям, приведенным в письме, прежде чем Ваша учетная запись сможет быть активирована" + bad_credentials: "Неверные логин или пароль. Пожалуйста, попробуйте еще раз." + not_supported: "Используйте POST /sign_in для входа. GET запросы не поддерживаются." + user_not_found: "Пользователь не найден или не вошел." + token_validations: + invalid: "Неверные данные для входа" + registrations: + missing_confirm_success_url: "Отсутствует параметр `confirm_success_url`." + redirect_url_not_allowed: "Переадресация на %{redirect_url} не разрешена." + email_already_exists: "Учетная запись для %{email} уже существует" + account_with_uid_destroyed: "Учетная запись с uid %{uid} удалена." + account_to_destroy_not_found: "Не удается найти учетную запись для удаления." + user_not_found: "Пользователь не найден." + passwords: + missing_email: "Вы должны указать адрес электронной почты." + missing_redirect_url: "Отсутствует адрес переадресации." + not_allowed_redirect_url: "Переадресация на %{redirect_url} не разрешена." + sended: "Инструкция по восстановлению пароля отправлена на Вашу электронную почту %{email}." + user_not_found: "Не удается найти пользователя с электронной почтой '%{email}'." + password_not_required: "Эта учетная запись не требует пароля. Войдите используя учетную запись %{provider}." + missing_passwords: 'Вы должны заполнить поля "пароль" и "повторите пароль".' + successfully_updated: "Ваш пароль успешно обновлён." + + errors: + validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." + validate_account_update_params: "Пожалуйста, укажите надлежащие данные для обновления учетной записи в теле запроса." + not_email: "не является электронной почтой" + message: + already_in_use: "уже используется" + 
From b9e68cec6ed6f2f9842e39d8fd3a1e93cfac38a5 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 9 Nov 2015 15:34:49 -0700 Subject: [PATCH 183/328] fix(locales): fix / standardize errors.messages.already_in_use locale entries --- config/locales/de.yml | 2 +- config/locales/en.yml | 2 +- config/locales/fr.yml | 4 +++- config/locales/pl.yml | 2 ++ config/locales/pt-BR.yml | 2 ++ config/locales/pt.yml | 4 +++- 6 files changed, 12 insertions(+), 4 deletions(-) diff --git a/config/locales/de.yml b/config/locales/de.yml index c63da1ee4..e0eccb44e 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -28,5 +28,5 @@ de: validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." not_email: "ist keine E-Mail Adresse" - message: + messages: already_in_use: "bereits in Verwendung" diff --git a/config/locales/en.yml b/config/locales/en.yml index ca035b555..ac0bdc285 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -28,5 +28,5 @@ en: validate_sign_up_params: "Please submit proper sign up data in request body." validate_account_update_params: "Please submit proper account update data in request body." not_email: "is not an email" - message: + messages: already_in_use: already in use \ No newline at end of file diff --git a/config/locales/fr.yml b/config/locales/fr.yml index bc468dca2..730f71f8c 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml @@ -27,4 +27,6 @@ fr: errors: validate_sign_up_params: "Les données de l'inscription dans le corps de la requête ne sont pas valides." validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." - not_email: "n'est pas un email" \ No newline at end of file + not_email: "n'est pas un email" + messages: + already_in_use: "déjà utilisé" \ No newline at end of file 
diff --git a/config/locales/pl.yml b/config/locales/pl.yml index 1f1e62d6a..b6f5df5a5 100644 --- a/config/locales/pl.yml +++ b/config/locales/pl.yml @@ -28,3 +28,5 @@ pl: validate_sign_up_params: "Proszę dostarczyć odpowiednie dane logowania w ciele zapytania." validate_account_update_params: "Proszę dostarczyć odpowiednie dane aktualizacji konta w ciele zapytania." not_email: "nie jest prawidłowym adresem e-mail" + messages: + already_in_use: "już w użyciu" \ No newline at end of file diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 33e6e0b28..ac9e026f1 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml @@ -28,3 +28,5 @@ pt-BR: validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." not_email: "não é um e-mail" + messages: + already_in_use: "em uso" \ No newline at end of file diff --git a/config/locales/pt.yml b/config/locales/pt.yml index 83f7e4e18..9f7cf3800 100644 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml @@ -27,4 +27,6 @@ pt: errors: validate_sign_up_params: "Os dados submetidos na requisição de registo são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." - not_email: "não é um e-mail" \ No newline at end of file + not_email: "não é um e-mail" + messages: + already_in_use: "em uso" \ No newline at end of file From 5fe73464626b31829a8909e60eb4f8f3bb30d8c8 Mon Sep 17 00:00:00 2001 From: Yaroslav Konoplov Date: Tue, 10 Nov 2015 00:38:18 +0200 Subject: [PATCH 184/328] Standardize errors.messages.already_in_use --- config/locales/ru.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/locales/ru.yml b/config/locales/ru.yml index 4ed02a702..683177f79 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml 
@@ -28,6 +28,6 @@ ru: validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." validate_account_update_params: "Пожалуйста, укажите надлежащие данные для обновления учетной записи в теле запроса." not_email: "не является электронной почтой" - message: + messages: already_in_use: "уже используется" From 1eaf51bb67a94d5015bde65331a9e63c89a2e1e0 Mon Sep 17 00:00:00 2001 From: Robert Strobl Date: Thu, 19 Nov 2015 03:19:48 +0800 Subject: [PATCH 185/328] Added 401 response to failed group authentication --- lib/devise_token_auth/controllers/helpers.rb | 6 ++++++ test/controllers/demo_group_controller_test.rb | 15 ++++++++++++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/devise_token_auth/controllers/helpers.rb b/lib/devise_token_auth/controllers/helpers.rb index f7d233a66..81068ff61 100644 --- a/lib/devise_token_auth/controllers/helpers.rb +++ b/lib/devise_token_auth/controllers/helpers.rb @@ -36,6 +36,12 @@ def authenticate_#{group_name}!(favourite=nil, opts={}) mappings.each do |mapping| set_user_by_token(mapping) end + + unless current_#{group_name} + return render json: { + errors: ["Authorized users only."] + }, status: 401 + end end end diff --git a/test/controllers/demo_group_controller_test.rb b/test/controllers/demo_group_controller_test.rb index 2e9922fcf..813f90378 100644 --- a/test/controllers/demo_group_controller_test.rb +++ b/test/controllers/demo_group_controller_test.rb @@ -120,7 +120,20 @@ class DemoGroupControllerTest < ActionDispatch::IntegrationTest end end end + + describe 'failed access' do + before do + get '/demo/members_only_group', {}, @mang_auth_headers.merge({'access-token' => "bogus"}) + end + + it 'should not return any auth headers' do + refute response.headers['access-token'] + end + + it 'should return error: unauthorized status' do + assert_equal 401, response.status + end + end end end end - From a23161e80721192e0f209c8781cdf5b89e587740 Mon Sep 17 00:00:00 2001 
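Review bot: The new 401 response hard-codes the English message `"Authorized users only."`, while the gem's other user-facing errors go through I18n (the `devise_token_auth.*` locale keys touched elsewhere in this series); move the text to a new locale key, e.g. `errors: [I18n.t('devise_token_auth.errors.authorized_users_only')]` with a matching entry added to each `config/locales/*.yml`. A comment such as `# 401 when none of the group's mappings yielded an authenticated user` above the `unless` would make the intent explicit. The generated `authenticate_#{group_name}!` method starts outside the hunk.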
From: ponyesteves Date: Fri, 30 Oct 2015 13:47:37 -0300 Subject: [PATCH 186/328] Support for i18n in mailers views. With the en and es respective translations. Also included rusian, polish, french, portuguese (portugal and br) translations by Google Translate. --- .../mailer/confirmation_instructions.html.erb | 6 ++--- .../reset_password_instructions.html.erb | 10 ++++----- .../mailer/unlock_instructions.html.erb | 8 +++---- config/locales/de.yml | 20 ++++++++++++++++- config/locales/en.yml | 19 ++++++++++++++-- config/locales/es.yml | 22 +++++++++++++++++-- config/locales/fr.yml | 22 +++++++++++++++++-- config/locales/pl.yml | 22 +++++++++++++++++-- config/locales/pt-BR.yml | 22 +++++++++++++++++-- config/locales/pt.yml | 22 +++++++++++++++++-- config/locales/ru.yml | 20 ++++++++++++++++- 11 files changed, 167 insertions(+), 26 deletions(-) diff --git a/app/views/devise/mailer/confirmation_instructions.html.erb b/app/views/devise/mailer/confirmation_instructions.html.erb index c233a2165..dba08dc40 100644 --- a/app/views/devise/mailer/confirmation_instructions.html.erb +++ b/app/views/devise/mailer/confirmation_instructions.html.erb @@ -1,5 +1,5 @@ -

Welcome <%= @email %>!

+

<%= t(:welcome).capitalize + ' ' + @email %>!

-

You can confirm your account email through the link below:

+

<%= t '.confirm_link_msg' %>

-

<%= link_to 'Confirm my account', confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %>

+

<%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %>

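Review bot: `confirmation_url(...).html_safe` marks the whole URL — including `message['redirect-url']`, which appears to carry a client-supplied redirect target — as safe, which stops `link_to` from escaping it inside the `href` attribute; `link_to` escapes attribute values itself, so the `.html_safe` is unnecessary and only removes a layer of protection. This commit already drops it in `unlock_instructions.html.erb` (`link_to t('.unlock_link'), unlock_url(@resource, unlock_token: @token)`), so do the same here, `<%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}) %>`, and in `reset_password_instructions.html.erb`. `t(:welcome).capitalize + ' ' + @email` would read more idiomatically as `"#{t(:welcome).capitalize} #{@email}"`.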
diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb index 859f8eac4..0fc308c40 100644 --- a/app/views/devise/mailer/reset_password_instructions.html.erb +++ b/app/views/devise/mailer/reset_password_instructions.html.erb @@ -1,8 +1,8 @@ -

Hello <%= @resource.email %>!

+

<%= t(:hello).capitalize %> <%= @resource.email %>!

-

Someone has requested a link to change your password. You can do this through the link below.

+

<%= t '.request_reset_link_msg' %>

-

<%= link_to 'Change my password', edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %>

+

<%= link_to t('.password_change_link'), edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %>

-

If you didn't request this, please ignore this email.

-

Your password won't change until you access the link above and create a new one.

+

<%= t '.ignore_mail_msg' %>

+

<%= t '.no_changes_msg' %>

\ No newline at end of file diff --git a/app/views/devise/mailer/unlock_instructions.html.erb b/app/views/devise/mailer/unlock_instructions.html.erb index 8a1c14a94..3beae0f0c 100644 --- a/app/views/devise/mailer/unlock_instructions.html.erb +++ b/app/views/devise/mailer/unlock_instructions.html.erb @@ -1,7 +1,7 @@ -

Hello <%= @resource.email %>!

+

<%= t :hello %> <%= @resource.email %>!

-

Your account has been locked due to an excessive number of unsuccessful sign in attempts.

+

<%= t '.account_lock_msg' %>

-

Click the link below to unlock your account:

+

<%= t '.unlock_link_msg' %>

-

<%= link_to 'Unlock my account', unlock_url(@resource, unlock_token: @token).html_safe %>

+

<%= link_to t('.unlock_link'), unlock_url(@resource, unlock_token: @token) %>

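Review bot: `<%= t :hello %> <%= @resource.email %>!` prints the greeting as stored in the locale (lower case in several of the files added in this commit, e.g. `hello: hello`), whereas the reset-password view in the same commit uses `t(:hello).capitalize`; use the same form here for consistency. Keeping `unlock_url(@resource, unlock_token: @token)` without `.html_safe` is the right call, since `link_to` escapes the attribute itself.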
diff --git a/config/locales/de.yml b/config/locales/de.yml index e0eccb44e..5e21cf41b 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -23,10 +23,28 @@ de: password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie Sich stattdessen über Ihren Account bei %{provider} an." missing_passwords: 'Sie müssen die Felder "Passwort" and "Passwortbestätigung" ausfüllen.' successfully_updated: "Ihr Passwort wurde erfolgreich aktualisiert." - errors: validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." not_email: "ist keine E-Mail Adresse" messages: already_in_use: "bereits in Verwendung" + devise: + mailer: + confirmation_instructions: + subject: "Bestätigungs-" + confirm_link_msg: "Sie können Ihr Konto E-Mail über den untenstehenden Link bestätigen:" + confirm_account_link: "Ihr Konto zu bestätigen" + reset_password_instructions: + subject: "Wiederherstellungskennwort Anweisungen" + request_reset_link_msg: "Jemand hat einen Link auf Ihr Kennwort zu ändern angefordert. Sie können dies durch den folgenden Link tun:" + password_change_link: "Kennwort ändern" + ignore_mail_msg: "Wenn Sie nicht angefordert haben diese , ignorieren Sie bitte diese E-Mail:" + no_changes_msg: "Ihr Passwort wird nicht geändert , bis Sie auf den obigen Link zugreifen und eine neue erstellen ." + unlock_instructions: + subject: "entsperren Anweisungen" + account_lock_msg: "Ihr Konto wurde aufgrund einer übermäßigen Anzahl von erfolglosen Zeichen in Versuchen gesperrt." + unlock_link_msg: "Klicken Sie auf den Link unten , um Ihr Konto zu entsperren :" + unlock_link: "Entsperren Sie Ihr Konto " + hello: "hallo" + welcome: "willkommen" \ No newline at end of file diff --git a/config/locales/en.yml b/config/locales/en.yml index ac0bdc285..82c633cfc 100644 --- a/config/locales/en.yml 
+++ b/config/locales/en.yml @@ -23,10 +23,25 @@ en: password_not_required: "This account does not require a password. Sign in using your %{provider} account instead." missing_passwords: 'You must fill out the fields labeled "password" and "password confirmation".' successfully_updated: "Your password has been successfully updated." - errors: validate_sign_up_params: "Please submit proper sign up data in request body." validate_account_update_params: "Please submit proper account update data in request body." not_email: "is not an email" messages: - already_in_use: already in use \ No newline at end of file + already_in_use: already in use + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "You can confirm your account email through the link below:" + confirm_account_link: Confirm my account + reset_password_instructions: + request_reset_link_msg: "Someone has requested a link to change your password. You can do this through the link below." + password_change_link: Change my password + ignore_mail_msg: "If you didn't request this, please ignore this email." + no_changes_msg: "Your password won't change until you access the link above and create a new one." + unlock_instructions: + account_lock_msg: Your account has been locked due to an excessive number of unsuccessful sign in attempts. + unlock_link_msg: "Click the link below to unlock your account:" + unlock_link: Unlock my account + hello: hello + welcome: welcome \ No newline at end of file diff --git a/config/locales/es.yml b/config/locales/es.yml index 018fb6143..649c98193 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml 
@@ -23,10 +23,28 @@ es: password_not_required: "Esta cuenta no requiere contraseña. Iniciar sesión utilizando %{provider}." missing_passwords: 'Debe llenar los campos "contraseña" y "confirmación de contraseña".' successfully_updated: "Su contraseña ha sido actualizada con éxito." - errors: validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos." validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos." not_email: "no es un correo electrónico" messages: - already_in_use: ya ha sido ocupado \ No newline at end of file + already_in_use: ya ha sido ocupado + devise: + mailer: + confirmation_instructions: + subject: Instrucciones de confirmación + confirm_link_msg: "Para confirmar su cuenta ingrese en el siguiente link:" + confirm_account_link: Confirmar cuenta + reset_password_instructions: + subject: Instrucciones para restablecer su contraseña + request_reset_link_msg: "Ha solicitado un cambio de contraseña. Para continuar ingrese en el siguiente link:" + password_change_link: Cambiar contraseña + ignore_mail_msg: Por favor ignore este mensaje si no ha solicitado esta acción. + no_changes_msg: "Importante: Su contraseña no será actualizada a menos que ingrese en el link." + unlock_instructions: + subject: Instrucciones de desbloqueo + account_lock_msg: Su cuenta ha sido bloqueada debido a sucesivos intentos de ingresos fallidos + unlock_link_msg: "Para desbloquear su cuenta ingrese en el siguiente link:" + unlock_link: Desbloquear cuenta + hello: hola + welcome: bienvenido \ No newline at end of file diff --git a/config/locales/fr.yml b/config/locales/fr.yml index 730f71f8c..646230a7d 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml 
@@ -23,10 +23,28 @@ fr: password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous plutôt en utilisant %{provider}." missing_passwords: 'Vous devez remplir les champs "mt de passe" et "confirmation de mot de passe".' successfully_updated: "Votre mot de passe a été correctement mis à jour." - errors: validate_sign_up_params: "Les données de l'inscription dans le corps de la requête ne sont pas valides." validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." not_email: "n'est pas un email" messages: - already_in_use: "déjà utilisé" \ No newline at end of file + already_in_use: "déjà utilisé" + devise: + mailer: + confirmation_instructions: + subject: "Les instructions de confirmation" + confirm_link_msg: "Vous pouvez confirmer votre compte e-mail via le lien ci-dessous :" + confirm_account_link: "Confirmez mon compte" + reset_password_instructions: + subject: "Instructions de mot de passe de récupération" + request_reset_link_msg: "Quelqu'un a demandé un lien pour changer votre mot de passe . Vous pouvez le faire via le lien ci-dessous ." + password_change_link: "Changer mon mot de passe" + ignore_mail_msg: "Si vous ne l'avez pas demandé cela, s'il vous plaît ignorer cet e-mail ." + no_changes_msg: "Votre mot de passe ne changera pas jusqu'à ce que vous accédez au lien ci-dessus et en créer un nouveau ." + unlock_instructions: + subject: "Instructions à débloquer" + account_lock_msg: "Votre compte a été bloqué en raison d' un nombre excessif de signe échec dans les tentatives ." + unlock_link_msg: "Cliquez sur le lien ci-dessous pour déverrouiller votre compte :" + unlock_link: "Déverrouiller mon compte" + hello: bonjour + welcome: bienvenue \ No newline at end of file diff --git a/config/locales/pl.yml b/config/locales/pl.yml index b6f5df5a5..aa4db2e81 100644 --- a/config/locales/pl.yml +++ b/config/locales/pl.yml 
@@ -23,10 +23,28 @@ pl: password_not_required: "To konto nie wymaga podania hasła. Zaloguj się używając konta %{provider}." missing_passwords: 'Musisz wypełnić wszystkie pola z etykietą "hasło" oraz "potwierdzenie hasła".' successfully_updated: "Twoje hasło zostało zaktualizowane." - errors: validate_sign_up_params: "Proszę dostarczyć odpowiednie dane logowania w ciele zapytania." validate_account_update_params: "Proszę dostarczyć odpowiednie dane aktualizacji konta w ciele zapytania." not_email: "nie jest prawidłowym adresem e-mail" messages: - already_in_use: "już w użyciu" \ No newline at end of file + already_in_use: "już w użyciu" + devise: + mailer: + confirmation_instructions: + subject: "Instrukcji potwierdzania" + confirm_link_msg: "Możesz potwierdzić swój e-mail konta poprzez link poniżej :" + confirm_account_link: "Potwierdź swoje konto" + reset_password_instructions: + subject: "Instrukcje resetowania hasła" + request_reset_link_msg: "Ktoś o link do zmiany hasła . Można to zrobić za pośrednictwem linku poniżej ." + password_change_link: "Zmień hasło" + ignore_mail_msg: "Jeśli jej nie potrzebuję , zignoruj ​​tę wiadomość." + no_changes_msg: "Twoje hasło nie zmieni , dopóki dostęp powyższy link i utwórz nowy ." + unlock_instructions: + subject: "Instrukcje do odblokowania" + account_lock_msg: "Twoje konto zostało zablokowane z powodu zbyt dużej liczby nieudanych znak w próbach ." + unlock_link_msg: "Kliknij poniższy link, aby odblokować konto :" + unlock_link: "Odblokować konto" + hello: halo + welcome: witam \ No newline at end of file diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index ac9e026f1..f12a4387f 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml 
@@ -23,10 +23,28 @@ pt-BR: password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}." missing_passwords: 'Preencha a senha e a confirmação de senha.' successfully_updated: "Senha atualizada com sucesso." - errors: validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." not_email: "não é um e-mail" messages: - already_in_use: "em uso" \ No newline at end of file + already_in_use: "em uso" + devise: + mailer: + confirmation_instructions: + subject: "Instruções de confirmação" + confirm_link_msg: "Você pode confirmar a sua conta de e-mail através do link abaixo :" + confirm_account_link: "Confirme conta" + reset_password_instructions: + subject: "Instruções para redefinir sua senha" + request_reset_link_msg: "Alguém pediu um link para mudar sua senha. Você pode fazer isso através do link abaixo " + password_change_link: "Alterar a senha" + ignore_mail_msg: "Se você não pediu isso, por favor, ignore este e-mail." + no_changes_msg: "Sua senha não será alterada até que você acessar o link acima e criar um novo." + unlock_instructions: + subject: "Instruções de desbloqueio" + account_lock_msg: "A sua conta foi bloqueada devido a um número excessivo de sinal de sucesso em tentativas." + unlock_link_msg: "Clique no link abaixo para desbloquear sua conta:" + unlock_link: "Desbloquear minha conta" + hello: "olá" + welcome: "bem-vindo" \ No newline at end of file diff --git a/config/locales/pt.yml b/config/locales/pt.yml index 9f7cf3800..f3bcf5cd0 100644 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml 
@@ -23,10 +23,28 @@ pt: password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}." missing_passwords: 'Preencha a senha e a confirmação de senha.' successfully_updated: "Senha atualizada com sucesso." - errors: validate_sign_up_params: "Os dados submetidos na requisição de registo são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." not_email: "não é um e-mail" messages: - already_in_use: "em uso" \ No newline at end of file + already_in_use: "em uso" + devise: + mailer: + confirmation_instructions: + subject: "Instruções de confirmação" + confirm_link_msg: "Você pode confirmar a sua conta de e-mail através do link abaixo :" + confirm_account_link: "Confirme conta" + reset_password_instructions: + subject: "Instruções para redefinir sua senha" + request_reset_link_msg: "Alguém pediu um link para mudar sua senha. Você pode fazer isso através do link abaixo " + password_change_link: "Alterar a senha" + ignore_mail_msg: "Se você não pediu isso, por favor, ignore este e-mail." + no_changes_msg: "Sua senha não será alterada até que você acessar o link acima e criar um novo." + unlock_instructions: + subject: "Instruções de desbloqueio" + account_lock_msg: "A sua conta foi bloqueada devido a um número excessivo de sinal de sucesso em tentativas." + unlock_link_msg: "Clique no link abaixo para desbloquear sua conta:" + unlock_link: "Desbloquear minha conta" + hello: "olá" + welcome: "bem-vindo" \ No newline at end of file diff --git a/config/locales/ru.yml b/config/locales/ru.yml index 683177f79..28918feb2 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml 
@@ -23,11 +23,29 @@ ru: password_not_required: "Эта учетная запись не требует пароля. Войдите используя учетную запись %{provider}." missing_passwords: 'Вы должны заполнить поля "пароль" и "повторите пароль".' successfully_updated: "Ваш пароль успешно обновлён." - errors: validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." validate_account_update_params: "Пожалуйста, укажите надлежащие данные для обновления учетной записи в теле запроса." not_email: "не является электронной почтой" messages: already_in_use: "уже используется" + devise: + mailer: + confirmation_instructions: + subject: "Инструкции подтверждения" + confirm_link_msg: "Вы можете подтвердить ваш адрес электронной почты через ссылку ниже :" + confirm_account_link: Подтвердите свой ​​счет + reset_password_instructions: + subject: "Инструкции для восстановления пароля" + request_reset_link_msg: "Кто-то просил ссылку , чтобы изменить пароль . Вы можете сделать это через ссылку ниже." + password_change_link: "Изменить пароль" + ignore_mail_msg: "If you didn't request this, please ignore this email." + no_changes_msg: "Ваш пароль не изменится, пока вы не открыть ссылку выше и создать новый." + unlock_instructions: + subject: "Разблокировать Инструкции" + account_lock_msg: "Ваш аккаунт был заблокирован из-за чрезмерного количества неудачных попыток в знак ." + unlock_link_msg: "Нажмите на ссылку ниже, чтобы разблокировать свой ​​аккаунт :" + unlock_link: "Открой свой ​​аккаунт" + hello: "Здравствуйте" + welcome: "Добро пожаловат" From b9b88ecd362c5c9eae01b8f1e9468717aa26d13e Mon Sep 17 00:00:00 2001 From: ValentinTrinque Date: Sat, 21 Nov 2015 01:48:24 +0100 Subject: [PATCH 187/328] Improve french locale --- config/locales/fr.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/config/locales/fr.yml b/config/locales/fr.yml index 646230a7d..940775106 100644 --- a/config/locales/fr.yml 
+++ b/config/locales/fr.yml @@ -1,7 +1,7 @@ fr: devise_token_auth: sessions: - not_confirmed: "Une email de confirmation de votre compte a été envoyé à %{email}. Merci de suivre les instructions afin de valider votre compte" + not_confirmed: "Un e-mail de confirmation de votre compte a été envoyé à %{email}. Merci de suivre les instructions afin de valider votre compte" bad_credentials: "Mot de passe ou identifiant invalide." not_supported: "Utilisez POST /sign_in pour la connexion. GET n'est pas supporté." user_not_found: "L'utilisateur est inconnu ou n'est pas connecté." 
@@ -10,41 +10,41 @@ fr: registrations: missing_confirm_success_url: "Le paramètre `confirm_success_url` est manquant." redirect_url_not_allowed: "Redirection vers %{redirect_url} n'est pas autorisée." - email_already_exists: "Un compte existe déjà avec cet email: %{email}" + email_already_exists: "Un compte existe déjà avec cette addresse e-mail: %{email}" account_with_uid_destroyed: "Le compte avec l'identifiant %{uid} a été supprimé." - account_to_destroy_not_found: "Impossible de trouver le compte à supprimer." - user_not_found: "Utilisateur non trouvé." + account_to_destroy_not_found: "Le compte à supprimer est introuvable." + user_not_found: "Utilisateur introuvable." passwords: - missing_email: "Vous devez soumettre un email." - missing_redirect_url: "Url de redirection manquante." + missing_email: "Vous devez soumettre un e-mail." + missing_redirect_url: "URL de redirection manquante." not_allowed_redirect_url: "Redirection vers %{redirect_url} n'est pas autorisée." - sended: "Un email a été envoyé à %{email} avec les instructions pour réinitialiser votre mot de passe." - user_not_found: "Impossible de trouver un utilisateur avec cet email: '%{email}'." - password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous plutôt en utilisant %{provider}." - missing_passwords: 'Vous devez remplir les champs "mt de passe" et "confirmation de mot de passe".' + sended: "Un e-mail a été envoyé à %{email} avec les instructions de réinitialisation du mot de passe." + user_not_found: "Impossible de trouver l'utilisateur avec l'adresse e-mail: '%{email}'." + password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous en utilisant %{provider}." + missing_passwords: 'Vous devez remplir les champs "mot de passe" et "confirmation de mot de passe".' successfully_updated: "Votre mot de passe a été correctement mis à jour." errors: - validate_sign_up_params: "Les données de l'inscription dans le corps de la requête ne sont pas valides." 
+ validate_sign_up_params: "Les données d'inscription dans le corps de la requête ne sont pas valides." validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." - not_email: "n'est pas un email" + not_email: "n'est pas une adresse e-mail" messages: already_in_use: "déjà utilisé" devise: mailer: confirmation_instructions: - subject: "Les instructions de confirmation" + subject: "Instructions de confirmation" confirm_link_msg: "Vous pouvez confirmer votre compte e-mail via le lien ci-dessous :" - confirm_account_link: "Confirmez mon compte" + confirm_account_link: "Confirmer mon compte" reset_password_instructions: - subject: "Instructions de mot de passe de récupération" - request_reset_link_msg: "Quelqu'un a demandé un lien pour changer votre mot de passe . Vous pouvez le faire via le lien ci-dessous ." + subject: "Instructions de récupération de mot de passe" + request_reset_link_msg: "Quelqu'un a demandé un lien pour changer votre mot de passe. Pour procéder ainsi, suivez le lien ci-dessous." password_change_link: "Changer mon mot de passe" - ignore_mail_msg: "Si vous ne l'avez pas demandé cela, s'il vous plaît ignorer cet e-mail ." - no_changes_msg: "Votre mot de passe ne changera pas jusqu'à ce que vous accédez au lien ci-dessus et en créer un nouveau ." + ignore_mail_msg: "Si vous n'avez pas demandé cela, veuillez ignorer cet e-mail." + no_changes_msg: "Votre mot de passe ne changera pas tant que vous n'accédez pas au lien ci-dessus pour en créer un nouveau." unlock_instructions: - subject: "Instructions à débloquer" - account_lock_msg: "Votre compte a été bloqué en raison d' un nombre excessif de signe échec dans les tentatives ." - unlock_link_msg: "Cliquez sur le lien ci-dessous pour déverrouiller votre compte :" + subject: "Instructions de déblocage" + account_lock_msg: "Votre compte a été bloqué en raison de nombreuses tentatives de connection erronées." 
+ unlock_link_msg: "Cliquez sur le lien ci-dessous pour déverrouiller votre compte:" unlock_link: "Déverrouiller mon compte" hello: bonjour welcome: bienvenue \ No newline at end of file From 18a6a6876e10a800def4b964db57f3811e792598 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 09:24:37 -0430 Subject: [PATCH 188/328] adjust by Alanna --- .../devise_token_auth/passwords_controller.rb | 34 ++++++++++++++++--- .../devise_token_auth/sessions_controller.rb | 7 ++-- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index e90cc556f..1cf41343e 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -27,14 +27,14 @@ def create email = resource_params[:email] end - q = "uid='#{email}' AND provider='email'" + q = "uid = ? AND provider='email'" # fix for mysql default case insensitivity if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid='#{email}' AND provider='email'" + q = "BINARY uid = ? AND provider='email'" end - @resource = resource_class.where(q).first + @resource = resource_class.where(q, email).first errors = nil @@ -101,8 +101,12 @@ def edit end end + def update # make sure user is authorized + #return render json: BCrypt::Password.create('femirsa555') + #return render json: @resource.encrypted_password + unless @resource return render json: { success: false, @@ -119,6 +123,7 @@ def update }, status: 422 end + # ensure that password params were sent unless password_resource_params[:password] and password_resource_params[:password_confirmation] return render json: { 
@@ -127,6 +132,25 @@ def update }, status: 422 end + # Verify password & confirmation_password are the same + unless password_resource_params[:password] == password_resource_params[:password_confirmation] + return render json: { + success: false, + errors: ['Doesn\'t match the password and password confirmation.'] + }, status: 422 + end + + #verify current password + unless password_resource_params[:current_password].blank? + unless @resource.valid_password?(password_resource_params[:current_password]) + return render json: { + success: false, + errors: "Your current password is incorrect." + }, status: 499 + end + params.delete :current_password + end + if @resource.update_attributes(password_resource_params) return render json: { success: true, @@ -148,8 +172,8 @@ def password_resource_params end def resource_params - params.permit(:email, :password, :password_confirmation, :reset_password_token) + params.permit(:email,:current_password, :password, :password_confirmation, :reset_password_token) end - + end end diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 447b8d37b..8bc4222e4 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -23,9 +23,11 @@ def create # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) - + @external_token = SecureRandom.urlsafe_base64(nil, false) + @resource.tokens[@client_id] = { token: BCrypt::Password.create(@token), + external_token: BCrypt::Password.create(@external_token), expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i } @resource.save @@ -35,7 +37,8 @@ def create render json: { data: @resource.as_json(except: [ :tokens, :created_at, :updated_at - ]) + ]), + externalToken:{client:@client_id, token: @external_token } } elsif @resource and not @resource.confirmed? 
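Review bot: The new current-password check is skipped whenever `current_password` is blank (`unless password_resource_params[:current_password].blank?`), so a caller bypasses it simply by omitting the field; if it is meant to guard password changes it must be mandatory on that path, e.g. `if password_resource_params[:current_password].blank? || !@resource.valid_password?(password_resource_params[:current_password])`. `status: 499` is not a standard HTTP status (nginx uses it for client-closed requests); use 401 or 422 like the surrounding branches, and return `errors: ["Your current password is incorrect."]` as an array so it matches the other error responses in this method. `params.delete :current_password` only keeps the field out of `update_attributes` if `password_resource_params` re-reads `params` on each call and permits `:current_password`; that method is defined outside this hunk, so confirm which it is. `update` begins before this hunk.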
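Review bot: `@external_token` introduces a second bearer credential for the same client entry with no comment on what consumes it or why it cannot be the primary token; please document that at the point of creation. It shares `expiry` with the primary token but nothing in this hunk rotates or revokes it, and the following hunk returns it in the JSON body (`externalToken:{client:@client_id, token: @external_token }`) instead of the response headers the primary token travels in, so any logging or caching of response bodies now captures a usable credential. If a long-lived, separately handed-out token is the intended contract, say so in a comment and give it its own expiry and revocation path — confirm. `create` begins before and continues after this hunk.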
From 18fa9af12c442c4d7a810b4865819dc4855f3287 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 10:03:46 -0430 Subject: [PATCH 189/328] validate external user --- .../concerns/set_user_by_token.rb | 34 +++++++++++++++++++ .../token_validations_controller.rb | 19 +++++++++++ app/models/devise_token_auth/concerns/user.rb | 25 ++++++++++++++ 3 files changed, 78 insertions(+) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 87bc41df3..000203a4c 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -46,6 +46,40 @@ def set_user_by_token(mapping=nil) end end + # user auth + def set_user_by_external_token(mapping=nil) + + # determine target authentication class + rc = resource_class(mapping) + + # no default user defined + return unless rc + + # user has already been found and authenticated + return @resource if @resource and @resource.class == rc + + # parse header for values necessary for authentication + uid = request.headers['uid'] + @token = request.headers['access-token'] + @client_id = request.headers['client'] + + return false unless @token + + # client_id isn't required, set to 'default' if absent + @client_id ||= 'default' + + # mitigate timing attacks by finding by uid instead of auth token + user = uid && rc.find_by_uid(uid) + + if user && user.valid_external_token?(@token, @client_id) + #sign_in(:user, user, store: false, bypass: true) + return @resource = user + else + # zero all values previously set values + return @resource = nil + end + end + def update_auth_header diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 52da3d9b9..99866be9c 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb 
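Review bot: `set_user_by_external_token` reads the external token from the same `access-token` header as the primary token and assigns it to `@token`/`@client_id`, the same instance variables the primary path uses; if `update_auth_header` (whose `def` is the last context line here) uses those to rotate the primary token, an external-token request would feed the external secret into that rotation — confirm the two filters never run on one request, or keep the external values in separate variables. `sign_in` is commented out on this path, so Warden callbacks do not run for external-token requests; state that as intentional in a comment or restore the call. The comment `# zero all values previously set values` is garbled; `# clear any previously set resource` says what the line does. `set_user_by_token` is visible here only by its closing `end`s.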
+++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -2,6 +2,7 @@ module DeviseTokenAuth class TokenValidationsController < DeviseTokenAuth::ApplicationController skip_before_filter :assert_is_devise_resource!, :only => [:validate_token] before_filter :set_user_by_token, :only => [:validate_token] + before_filter :set_user_by_external_token, :only => [:validate_external_token] def validate_token # @resource will have been set by set_user_token concern @@ -19,5 +20,23 @@ def validate_token }, status: 401 end end + + def validate_external_token + # @resource will have been set by set_user_token concern + if @resource + render json: { + success: true, + data: @resource.as_json(except: [ + :tokens, :created_at, :updated_at + ]) + } + else + render json: { + success: false, + errors: ["Invalid login credentials"] + }, status: 401 + end + end + end end diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 0ef89c7d0..c2e781e30 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -86,6 +86,17 @@ def valid_token?(token, client_id='default') return false end + def valid_external_token?(token, client_id='default') + client_id ||= 'default' + + return false unless self.tokens[client_id] + + return true if external_token_is_current?(token, client_id) + + # return false if none of the above conditions are met + return false + end + # this must be done from the controller so that additional params # can be passed on from the client 
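Review bot: The comment `# @resource will have been set by set_user_token concern` in `validate_external_token` was copied from `validate_token` and names the wrong filter; `# @resource is set by the set_user_by_external_token before_filter` matches the line added in the previous hunk. Beyond that comment the two actions appear identical, so a shared private helper (`render_resource_or_unauthorized`) would keep their error shape from drifting. None of the commits in this series adds a test for the external-token flow (the diffstats list only app/ and lib/ files); the existing `validate_token` tests would be the template.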
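Review bot: `valid_external_token?` ends with `return true if external_token_is_current?(...)` followed by `return false`, which is just the predicate's own value; it reads more directly as `return false unless self.tokens[client_id]` followed by `external_token_is_current?(token, client_id)`. With the default parameter `client_id='default'`, the `client_id ||= 'default'` line only matters for an explicit nil — that mirrors `valid_token?` above, but a one-line comment saying so would save the next reader a double-take. The enclosing module continues past this hunk.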
@@ -108,6 +119,20 @@ def token_is_current?(token, client_id) ) end + def external_token_is_current?(token, client_id) + return true if ( + # ensure that expiry and token are set + self.tokens[client_id]['expiry'] and + self.tokens[client_id]['external_token'] and + + # ensure that the token has not yet expired + DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and + + # ensure that the token is valid + BCrypt::Password.new(self.tokens[client_id]['external_token']) == token + ) + end + # allow batch requests to use the previous token def token_can_be_reused?(token, client_id) From 3b65a292576ec417a45c55ec720b1c5a0da5402c Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 10:27:29 -0430 Subject: [PATCH 190/328] fix on controller, assert_is_devise_resource --- .../devise_token_auth/token_validations_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 99866be9c..e73c895f0 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -1,6 +1,6 @@ module DeviseTokenAuth class TokenValidationsController < DeviseTokenAuth::ApplicationController - skip_before_filter :assert_is_devise_resource!, :only => [:validate_token] + skip_before_filter :assert_is_devise_resource!, :only => [:validate_token,:validate_external_token] before_filter :set_user_by_token, :only => [:validate_token] before_filter :set_user_by_external_token, :only => [:validate_external_token] From 3cb6ddb45b8b57f39f958d3e85844fb6ca47651a Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 10:34:31 -0430 Subject: [PATCH 191/328] add route --- lib/devise_token_auth/rails/routes.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
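Review bot: `external_token_is_current?` duplicates `token_is_current?` line for line with only the hash key changed; extract the shared expiry check into a helper such as `token_entry_unexpired?(client_id)` and pass the key (`'token'` or `'external_token'`) so the two cannot drift. A token entry created before this change, or by any path that stores only `token`/`expiry`, has no `external_token` key and the `and` chain yields nil — that is the safe outcome, but a comment like `# entries without an external_token never validate` would document it. `DateTime.strptime(..., '%s')` is the legacy API and `Time.at(expiry.to_i)` the modern equivalent, though keeping parity with `token_is_current?` is reasonable until both are refactored together.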
diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 41cceedb2..9120214a2 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -33,7 +33,7 @@ def mount_devise_token_auth_for(resource, opts) devise_scope resource.underscore.to_sym do # path to verify token validity get "validate_token", to: "#{token_validations_ctrl}#validate_token" - + get "validate_external_token", to: "#{token_validations_ctrl}#validate_external_token" # omniauth routes. only define if omniauth is installed and not skipped. if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks) get "failure", to: "#{omniauth_ctrl}#omniauth_failure" From 197147c0cf18e435ec30e0cd35175d04b896dca8 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 10:47:40 -0430 Subject: [PATCH 192/328] test, puts --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 000203a4c..aaa9659d1 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -48,7 +48,7 @@ def set_user_by_token(mapping=nil) # user auth def set_user_by_external_token(mapping=nil) - + puts "XXXXXXXXX ENTREEE" # determine target authentication class rc = resource_class(mapping) From eb249118318f6f90c947fa593705e6f023dea679 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 12:04:09 -0430 Subject: [PATCH 193/328] add puts --- app/models/devise_token_auth/concerns/user.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index c2e781e30..00763047a 100644 --- a/app/models/devise_token_auth/concerns/user.rb 
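Review bot: `puts "XXXXXXXXX ENTREEE"` writes to stdout on every request that passes through `set_user_by_external_token` and is debugging output that should not be committed; if tracing is needed use `Rails.logger.debug` so it is level-controlled, and drop it before merge. Later commits in this series appear to remove it, but it still lands in history on the credential-validation path. The body of `set_user_by_external_token` continues past this hunk.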
+++ b/app/models/devise_token_auth/concerns/user.rb @@ -90,7 +90,7 @@ def valid_external_token?(token, client_id='default') client_id ||= 'default' return false unless self.tokens[client_id] - + puts "ENTTREEE 222" return true if external_token_is_current?(token, client_id) # return false if none of the above conditions are met @@ -120,6 +120,8 @@ def token_is_current?(token, client_id) end def external_token_is_current?(token, client_id) + puts "external_token_is_current" + puts "#{self.tokens[client_id]['external_token']}" return true if ( # ensure that expiry and token are set self.tokens[client_id]['expiry'] and From 5199d872c80a6ae98fad1edf8a49a51073e993a2 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 12:18:44 -0430 Subject: [PATCH 194/328] add puts v2 --- app/models/devise_token_auth/concerns/user.rb | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 00763047a..c2d34a557 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -91,7 +91,7 @@ def valid_external_token?(token, client_id='default') return false unless self.tokens[client_id] puts "ENTTREEE 222" - return true if external_token_is_current?(token, client_id) + return true if externaltoken_is_current?(token, client_id) # return false if none of the above conditions are met return false 
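Review bot: `puts "#{self.tokens[client_id]['external_token']}"` prints the stored bcrypt hash of the external token to stdout on every validation, which puts credential material into whatever captures process output; remove it rather than leaving it for a later cleanup commit. If a trace is genuinely needed, log only that the entry exists (`Rails.logger.debug { "external token present for client #{client_id}" }`), never the hash. `external_token_is_current?` continues past the end of this hunk.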
@@ -104,37 +104,38 @@ def send_confirmation_notification? false end - - def token_is_current?(token, client_id) + def externaltoken_is_current?(token, client_id) + puts "external_token_is_current" + puts "#{self.tokens[client_id]['external_token']}" return true if ( # ensure that expiry and token are set self.tokens[client_id]['expiry'] and - self.tokens[client_id]['token'] and + self.tokens[client_id]['external_token'] and # ensure that the token has not yet expired DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and # ensure that the token is valid - BCrypt::Password.new(self.tokens[client_id]['token']) == token + BCrypt::Password.new(self.tokens[client_id]['external_token']) == token ) end - - def external_token_is_current?(token, client_id) - puts "external_token_is_current" - puts "#{self.tokens[client_id]['external_token']}" + + def token_is_current?(token, client_id) return true if ( # ensure that expiry and token are set self.tokens[client_id]['expiry'] and - self.tokens[client_id]['external_token'] and + self.tokens[client_id]['token'] and # ensure that the token has not yet expired DateTime.strptime(self.tokens[client_id]['expiry'].to_s, '%s') > Time.now and # ensure that the token is valid - BCrypt::Password.new(self.tokens[client_id]['external_token']) == token + BCrypt::Password.new(self.tokens[client_id]['token']) == token ) end + + # allow batch requests to use the previous token def token_can_be_reused?(token, client_id) From 64b2503ea622bbb9b78279d06876eca196ec8117 Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 12:24:21 -0430 Subject: [PATCH 195/328] add puts v2 --- .../devise_token_auth/concerns/set_user_by_token.rb | 2 +- app/models/devise_token_auth/concerns/user.rb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index aaa9659d1..71e3439e3 100644 
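Review bot: The method is renamed to `externaltoken_is_current?` while the stored key, the controller variable and the predicate `valid_external_token?` all spell it `external_token`; keep `external_token_is_current?` so grep and the naming convention stay consistent. The rest of this hunk only reorders the two methods and reintroduces the `puts` lines, which makes the diff far larger than the rename warrants; a reorder and a rename are best kept in separate commits so the review can see what actually changed.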
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -48,7 +48,7 @@ def set_user_by_token(mapping=nil) # user auth def set_user_by_external_token(mapping=nil) - puts "XXXXXXXXX ENTREEE" + puts "set_user_by_external_token" # determine target authentication class rc = resource_class(mapping) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index c2d34a557..594e71007 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -78,7 +78,7 @@ def valid_token?(token, client_id='default') client_id ||= 'default' return false unless self.tokens[client_id] - + puts "valid_token" return true if token_is_current?(token, client_id) return true if token_can_be_reused?(token, client_id) @@ -90,7 +90,7 @@ def valid_external_token?(token, client_id='default') client_id ||= 'default' return false unless self.tokens[client_id] - puts "ENTTREEE 222" + puts "valid_external_token" return true if externaltoken_is_current?(token, client_id) # return false if none of the above conditions are met From b0e9da0d613eab816face0bdec6c7146604da63e Mon Sep 17 00:00:00 2001 From: Saul H Date: Tue, 8 Dec 2015 12:29:47 -0430 Subject: [PATCH 196/328] delete puts --- .../devise_token_auth/concerns/set_user_by_token.rb | 1 - app/models/devise_token_auth/concerns/user.rb | 6 +----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 71e3439e3..c54aa6c76 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb 
@@ -48,7 +48,6 @@ def set_user_by_token(mapping=nil) # user auth def set_user_by_external_token(mapping=nil) - puts "set_user_by_external_token" # determine target authentication class rc = resource_class(mapping) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 594e71007..5f0a0597f 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -78,7 +78,6 @@ def valid_token?(token, client_id='default') client_id ||= 'default' return false unless self.tokens[client_id] - puts "valid_token" return true if token_is_current?(token, client_id) return true if token_can_be_reused?(token, client_id) @@ -90,7 +89,6 @@ def valid_external_token?(token, client_id='default') client_id ||= 'default' return false unless self.tokens[client_id] - puts "valid_external_token" return true if externaltoken_is_current?(token, client_id) # return false if none of the above conditions are met @@ -105,8 +103,6 @@ def send_confirmation_notification? end def externaltoken_is_current?(token, client_id) - puts "external_token_is_current" - puts "#{self.tokens[client_id]['external_token']}" return true if ( # ensure that expiry and token are set self.tokens[client_id]['expiry'] and @@ -119,7 +115,7 @@ def externaltoken_is_current?(token, client_id) BCrypt::Password.new(self.tokens[client_id]['external_token']) == token ) end - + def token_is_current?(token, client_id) return true if ( # ensure that expiry and token are set From 270d3bc9e8aa0fef0077cf319440b2ee4ca9094d Mon Sep 17 00:00:00 2001 From: Jose Lezama Gonzalez Date: Wed, 9 Dec 2015 09:04:06 -0430 Subject: [PATCH 197/328] The external token is part of data and the user too (as an object) --- app/controllers/devise_token_auth/passwords_controller.rb | 1 - app/controllers/devise_token_auth/sessions_controller.rb | 7 ++++--- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 1cf41343e..89ea23149 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -104,7 +104,6 @@ def edit def update # make sure user is authorized - #return render json: BCrypt::Password.create('femirsa555') #return render json: @resource.encrypted_password unless @resource diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 8bc4222e4..0c0d0e8ec 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -35,11 +35,12 @@ def create sign_in(:user, @resource, store: false, bypass: false) render json: { - data: @resource.as_json(except: [ + data:{ user: @resource.as_json(except: [ :tokens, :created_at, :updated_at ]), - externalToken:{client:@client_id, token: @external_token } - } + external_token:{client:@client_id, token: @external_token } + }} + elsif @resource and not @resource.confirmed? render json: { From 785f77a6182d96ba4b2d078c1c4ff59f43f5c65d Mon Sep 17 00:00:00 2001 From: Lynn Hurley Date: Thu, 10 Dec 2015 12:33:14 -0600 Subject: [PATCH 198/328] v0.1.37.beta4 --- Gemfile.lock | 7 +++++-- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9dcba307c..f8e3f0b0b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.37.beta3) + devise_token_auth (0.1.37.beta4) devise (~> 3.5.2) rails (~> 4.2) @@ -231,7 +231,7 @@ GEM thread_safe (0.3.5) tzinfo (1.2.2) thread_safe (~> 0.1) - warden (1.2.3) + warden (1.2.4) rack (>= 1.0) PLATFORMS @@ -261,3 +261,6 @@ DEPENDENCIES rack-cors sqlite3 (~> 1.3) thor + +BUNDLED WITH + 1.10.5 
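Review bot: This hunk removes one debug comment from `update` but leaves `#return render json: @resource.encrypted_password` in place; delete that line too, since uncommenting it would send the user's password hash in the response. `update` continues beyond the hunk.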
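Review bot: Moving the user attributes from `data` to `data.user` changes the sign-in response shape that existing clients read, and the key is renamed from `externalToken` to `external_token` at the same time; this is a breaking API change with no version note. Either keep `data` as the user object and add `external_token` beside it, or document the new shape wherever the response format is described and note it in the changelog. `create` begins before and continues after this hunk.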
diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index bc00e5fe0..a6245369e 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.37.beta3" + VERSION = "0.1.37.beta4" end From 7374643a101eb1878880e11d6ab83d99cbad867b Mon Sep 17 00:00:00 2001 From: ValentinTrinque Date: Sat, 12 Dec 2015 15:26:32 +0100 Subject: [PATCH 199/328] Fixes lynndylanhurley/devise_token_auth#463 The message passed to the `errors.add()` method wasn't calling the I18n module. As a result, the locale wasn't properly applied. --- app/models/devise_token_auth/concerns/user.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index e8416d41e..ea841e0ee 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -178,12 +178,12 @@ def create_new_auth_token(client_id=nil) last_token: last_token, updated_at: Time.now } - + max_clients = DeviseTokenAuth.max_number_of_devices while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] } self.tokens.delete(oldest_token.first) - end + end self.save! @@ -239,7 +239,7 @@ def token_validation_response # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, :already_in_use) + errors.add(:email, I18n.t("errors.messages.already_in_use")) end end From fb5ba8ecc189a850e5521c2d93ddaa7e341b01ab Mon Sep 17 00:00:00 2001 
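Review bot: `errors.add(:email, I18n.t("errors.messages.already_in_use"))` makes the message translate, but it hardcodes the lookup path and drops the symbolic key, so `errors.details` and any `activerecord.errors.models.<model>.attributes.email.already_in_use` override no longer apply. The symbol form presumably failed because the key was not at a top-level `errors.messages`; once the locale files are restructured that way (the following commit's message describes exactly that), `errors.add(:email, :already_in_use)` resolves through ActiveModel's own lookup chain and is the form to return to, with a comment noting the dependency on the locale layout. `unique_email_user` is shown in full here; the enclosing module continues past the hunk.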
From: ValentinTrinque Date: Sat, 12 Dec 2015 15:37:18 +0100 Subject: [PATCH 200/328] Clean locale files and re-arrange `errors` locale key 1. The locale files have been cleaned to be more consistent. Some mistakes have been corrected. 2. By convention in Rails, `errors` locale key is structured as follow: ```yaml errors: format: "%{attribute} %{message}" messages: accepted: must be accepted ``` It would be nicer to have devise_token_auth following it. So the structure as be re-arrange and the code updated. --- .../registrations_controller.rb | 4 +- app/validators/email_validator.rb | 12 ++--- config/locales/de.yml | 24 +++++----- config/locales/en.yml | 40 ++++++++-------- config/locales/es.yml | 48 +++++++++---------- config/locales/fr.yml | 34 ++++++------- config/locales/pl.yml | 30 ++++++------ config/locales/pt-BR.yml | 12 ++--- config/locales/pt.yml | 14 +++--- config/locales/ru.yml | 22 ++++----- 10 files changed, 120 insertions(+), 120 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 039525258..d031b5ff8 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -195,11 +195,11 @@ def resource_update_method end def validate_sign_up_params - validate_post_data sign_up_params, I18n.t("errors.validate_sign_up_params") + validate_post_data sign_up_params, I18n.t("errors.messages.validate_sign_up_params") end def validate_account_update_params - validate_post_data account_update_params, I18n.t("errors.validate_account_update_params") + validate_post_data account_update_params, I18n.t("errors.messages.validate_account_update_params") end def validate_post_data which, message diff --git a/app/validators/email_validator.rb b/app/validators/email_validator.rb index d036c58a0..de50350b3 100644 --- a/app/validators/email_validator.rb +++ b/app/validators/email_validator.rb 
@@ -4,18 +4,18 @@ def validate_each(record, attribute, value)
 record.errors[attribute] << email_invalid_message
 end
 end
- 
+
 private
- 
+
 def email_invalid_message
 # Try strictly set message:
 message = options[:message]
- 
+
 if message.nil?
 # Try DeviceTokenAuth translations or fallback to ActiveModel translations
- message = I18n.t(:'errors.not_email', default: :'errors.messages.invalid')
+ message = I18n.t(:'errors.messages.not_email', default: :'errors.messages.invalid')
 end
- 
+
 message
- end 
+ end
 end
\ No newline at end of file
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 5e21cf41b..b3e9017c2 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
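Review bot: `email_invalid_message` in this hunk still goes through a mutable local and an `if message.nil?` block to choose between the explicit option and the translation; `options[:message] || I18n.t(:'errors.messages.not_email', default: :'errors.messages.invalid')` says the same in one expression and matches the tidying the rest of this commit is doing. The new side also still ends with `\ No newline at end of file`, and a whitespace-cleanup pass like this one is the natural place to fix that. `validate_each` begins outside the hunk.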
@@ -1,33 +1,33 @@ de: devise_token_auth: sessions: - not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse %{email} gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" + not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}'' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut." not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt." user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden." token_validations: invalid: "Ungültige Anmeldeinformationen" registrations: - missing_confirm_success_url: "Fehlender Paramter `confirm_success_url`." - redirect_url_not_allowed: "Weiterleitung zu %{redirect_url} ist nicht gestattet." - email_already_exists: "Es gibt bereits einen Account für %{email}." - account_with_uid_destroyed: "Account mit der uid %{uid} wurde gelöscht." + missing_confirm_success_url: "Fehlender Paramter 'confirm_success_url'." + redirect_url_not_allowed: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet." + email_already_exists: "Es gibt bereits einen Account für '%{email}'." + account_with_uid_destroyed: "Account mit der uid '%{uid}' wurde gelöscht." account_to_destroy_not_found: "Der Account, der gelöscht werden soll, kann nicht gefunden werden." user_not_found: "Benutzer kann nicht gefunden werden." passwords: missing_email: "Sie müssen eine E-Mail Adresse angeben." missing_redirect_url: "Es fehlt der URL zu Weiterleitung." - not_allowed_redirect_url: "Weiterleitung zu %{redirect_url} ist nicht gestattet." - sended: "Ein E-Mail mit Anleitung zum Rücksetzen Ihres Passwortes wurde an %{email} gesendet." + not_allowed_redirect_url: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet." + sended: "Ein E-Mail mit Anleitung zum Rücksetzen Ihres Passwortes wurde an '%{email}' gesendet." 
user_not_found: "Der Benutzer mit E-Mail-Adresse '%{email}' kann nicht gefunden werden." - password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie Sich stattdessen über Ihren Account bei %{provider} an." - missing_passwords: 'Sie müssen die Felder "Passwort" and "Passwortbestätigung" ausfüllen.' + password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie Sich stattdessen über Ihren Account bei '%{provider}' an." + missing_passwords: "Sie müssen die Felder 'Passwort' and 'Passwortbestätigung' ausfüllen." successfully_updated: "Ihr Passwort wurde erfolgreich aktualisiert." errors: - validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." - validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." - not_email: "ist keine E-Mail Adresse" messages: + validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." + validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." + not_email: "ist keine E-Mail Adresse" already_in_use: "bereits in Verwendung" devise: mailer: diff --git a/config/locales/en.yml b/config/locales/en.yml index 82c633cfc..26ac9930a 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml 
@@ -1,47 +1,47 @@ en: devise_token_auth: sessions: - not_confirmed: "A confirmation email was sent to your account at %{email}. You must follow the instructions in the email before your account can be activated" + not_confirmed: "A confirmation email was sent to your account at '%{email}'. You must follow the instructions in the email before your account can be activated" bad_credentials: "Invalid login credentials. Please try again." not_supported: "Use POST /sign_in to sign in. GET is not supported." user_not_found: "User was not found or was not logged in." token_validations: invalid: "Invalid login credentials" registrations: - missing_confirm_success_url: "Missing `confirm_success_url` param." - redirect_url_not_allowed: "Redirect to %{redirect_url} not allowed." - email_already_exists: "An account already exists for %{email}" - account_with_uid_destroyed: "Account with uid %{uid} has been destroyed." + missing_confirm_success_url: "Missing 'confirm_success_url' parameter." + redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed." + email_already_exists: "An account already exists for '%{email}'" + account_with_uid_destroyed: "Account with UID '%{uid}' has been destroyed." account_to_destroy_not_found: "Unable to locate account for destruction." user_not_found: "User not found." passwords: missing_email: "You must provide an email address." - missing_redirect_url: "Missing redirect url." - not_allowed_redirect_url: "Redirect to %{redirect_url} not allowed." - sended: "An email has been sent to %{email} containing instructions for resetting your password." + missing_redirect_url: "Missing redirect URL." + not_allowed_redirect_url: "Redirect to '%{redirect_url}' not allowed." + sended: "An email has been sent to '%{email}' containing instructions for resetting your password." user_not_found: "Unable to find user with email '%{email}'." - password_not_required: "This account does not require a password. 
Sign in using your %{provider} account instead." - missing_passwords: 'You must fill out the fields labeled "password" and "password confirmation".' + password_not_required: "This account does not require a password. Sign in using your '%{provider}' account instead." + missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'." successfully_updated: "Your password has been successfully updated." errors: - validate_sign_up_params: "Please submit proper sign up data in request body." - validate_account_update_params: "Please submit proper account update data in request body." - not_email: "is not an email" messages: - already_in_use: already in use + already_in_use: "already in use" + validate_sign_up_params: "Please submit proper sign up data in request body." + validate_account_update_params: "Please submit proper account update data in request body." + not_email: "is not an email" devise: mailer: confirmation_instructions: confirm_link_msg: "You can confirm your account email through the link below:" - confirm_account_link: Confirm my account + confirm_account_link: "Confirm my account" reset_password_instructions: request_reset_link_msg: "Someone has requested a link to change your password. You can do this through the link below." - password_change_link: Change my password + password_change_link: "Change my password" ignore_mail_msg: "If you didn't request this, please ignore this email." no_changes_msg: "Your password won't change until you access the link above and create a new one." unlock_instructions: - account_lock_msg: Your account has been locked due to an excessive number of unsuccessful sign in attempts. + account_lock_msg: "Your account has been locked due to an excessive number of unsuccessful sign in attempts." 
unlock_link_msg: "Click the link below to unlock your account:" - unlock_link: Unlock my account - hello: hello - welcome: welcome \ No newline at end of file + unlock_link: "Unlock my account" + hello: "hello" + welcome: "welcome" \ No newline at end of file diff --git a/config/locales/es.yml b/config/locales/es.yml index 649c98193..66b864b38 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml 
@@ -1,50 +1,50 @@ es: devise_token_auth: sessions: - not_confirmed: "Un correo electrónico de confirmación de su cuenta ha sido enviado a %{email}. Por favor, siga las instrucciones para validar su cuenta" + not_confirmed: "Un correo electrónico de confirmación de su cuenta ha sido enviado a '%{email}'. Por favor, siga las instrucciones para validar su cuenta" bad_credentials: "Identidad o contraseña no válida." not_supported: "Use POST /sign_in para la conexión. GET no esta disponible." user_not_found: "Usuario desconocido o no está conectado." token_validations: invalid: "Identidad o contraseña no válida." registrations: - missing_confirm_success_url: "El parámetro `confirm_success_url` no esta presente." - redirect_url_not_allowed: "Redirección hacia %{redirect_url} no esta permitida." - email_already_exists: "Una cuenta ya existe con este correo electrónico: %{email}" - account_with_uid_destroyed: "La cuenta con el identificador %{uid} se ha eliminado." + missing_confirm_success_url: "El parámetro 'confirm_success_url' no esta presente." + redirect_url_not_allowed: "Redirección hacia '%{redirect_url}' no esta permitida." + email_already_exists: "Una cuenta ya existe con este correo electrónico '%{email}'" + account_with_uid_destroyed: "La cuenta con el identificador '%{uid}' se ha eliminado." account_to_destroy_not_found: "No se puede encontrar la cuenta a borrar." user_not_found: "Usuario no encontrado." passwords: missing_email: "Debe incluir un correo electrónico." missing_redirect_url: "Falta el Url de redirección." - not_allowed_redirect_url: "Redirección hacia %{redirect_url} no esta permitida." - sended: "Un correo electrónico ha sido enviado a %{email} con las instrucciones para restablecer su contraseña." - user_not_found: "No se pudo encontrar un usuario con este correo electrónico: '%{email}'." - password_not_required: "Esta cuenta no requiere contraseña. Iniciar sesión utilizando %{provider}." 
- missing_passwords: 'Debe llenar los campos "contraseña" y "confirmación de contraseña".' + not_allowed_redirect_url: "Redirección hacia '%{redirect_url}' no esta permitida." + sended: "Un correo electrónico ha sido enviado a '%{email}' con las instrucciones para restablecer su contraseña." + user_not_found: "No se pudo encontrar un usuario con este correo electrónico '%{email}'." + password_not_required: "Esta cuenta no requiere contraseña. Iniciar sesión utilizando '%{provider}'." + missing_passwords: "Debe llenar los campos 'Contraseña' y 'Confirmación de contraseña'." successfully_updated: "Su contraseña ha sido actualizada con éxito." errors: - validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos." - validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos." - not_email: "no es un correo electrónico" messages: - already_in_use: ya ha sido ocupado + validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos." + validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos." + not_email: "no es un correo electrónico" + already_in_use: "ya ha sido ocupado" devise: mailer: confirmation_instructions: - subject: Instrucciones de confirmación + subject: "Instrucciones de confirmación" confirm_link_msg: "Para confirmar su cuenta ingrese en el siguiente link:" - confirm_account_link: Confirmar cuenta + confirm_account_link: "Confirmar cuenta" reset_password_instructions: - subject: Instrucciones para restablecer su contraseña + subject: "Instrucciones para restablecer su contraseña" request_reset_link_msg: "Ha solicitado un cambio de contraseña. Para continuar ingrese en el siguiente link:" - password_change_link: Cambiar contraseña - ignore_mail_msg: Por favor ignore este mensaje si no ha solicitado esta acción. 
+ password_change_link: "Cambiar contraseña" + ignore_mail_msg: "Por favor ignore este mensaje si no ha solicitado esta acción." no_changes_msg: "Importante: Su contraseña no será actualizada a menos que ingrese en el link." unlock_instructions: - subject: Instrucciones de desbloqueo - account_lock_msg: Su cuenta ha sido bloqueada debido a sucesivos intentos de ingresos fallidos + subject: "Instrucciones de desbloqueo" + account_lock_msg: "Su cuenta ha sido bloqueada debido a sucesivos intentos de ingresos fallidos" unlock_link_msg: "Para desbloquear su cuenta ingrese en el siguiente link:" - unlock_link: Desbloquear cuenta - hello: hola - welcome: bienvenido \ No newline at end of file + unlock_link: "Desbloquear cuenta" + hello: "hola" + welcome: "bienvenido" \ No newline at end of file diff --git a/config/locales/fr.yml b/config/locales/fr.yml index 940775106..4ac9480c0 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml 
@@ -1,34 +1,34 @@ fr: devise_token_auth: sessions: - not_confirmed: "Un e-mail de confirmation de votre compte a été envoyé à %{email}. Merci de suivre les instructions afin de valider votre compte" + not_confirmed: "Un e-mail de confirmation de votre compte a été envoyé à '%{email}'. Merci de suivre les instructions afin de valider votre compte" bad_credentials: "Mot de passe ou identifiant invalide." not_supported: "Utilisez POST /sign_in pour la connexion. GET n'est pas supporté." user_not_found: "L'utilisateur est inconnu ou n'est pas connecté." token_validations: invalid: "Mot de passe ou identifiant invalide." registrations: - missing_confirm_success_url: "Le paramètre `confirm_success_url` est manquant." - redirect_url_not_allowed: "Redirection vers %{redirect_url} n'est pas autorisée." - email_already_exists: "Un compte existe déjà avec cette addresse e-mail: %{email}" - account_with_uid_destroyed: "Le compte avec l'identifiant %{uid} a été supprimé." + missing_confirm_success_url: "Le paramètre 'confirm_success_url' est manquant." + redirect_url_not_allowed: "Redirection vers '%{redirect_url}' n'est pas autorisée." + email_already_exists: "Un compte existe déjà avec l'adresse e-mail suivante '%{email}'" + account_with_uid_destroyed: "Le compte avec l'identifiant '%{uid}' a été supprimé." account_to_destroy_not_found: "Le compte à supprimer est introuvable." user_not_found: "Utilisateur introuvable." passwords: missing_email: "Vous devez soumettre un e-mail." missing_redirect_url: "URL de redirection manquante." - not_allowed_redirect_url: "Redirection vers %{redirect_url} n'est pas autorisée." - sended: "Un e-mail a été envoyé à %{email} avec les instructions de réinitialisation du mot de passe." - user_not_found: "Impossible de trouver l'utilisateur avec l'adresse e-mail: '%{email}'." - password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous en utilisant %{provider}." 
- missing_passwords: 'Vous devez remplir les champs "mot de passe" et "confirmation de mot de passe".' + not_allowed_redirect_url: "Redirection vers '%{redirect_url}' n'est pas autorisée." + sended: "Un e-mail a été envoyé à '%{email}' avec les instructions de réinitialisation du mot de passe." + user_not_found: "Impossible de trouver l'utilisateur avec l'adresse e-mail suivante '%{email}'." + password_not_required: "Ce compte ne demande pas de mot de passe. Connectez vous en utilisant '%{provider}'." + missing_passwords: "Vous devez remplir les champs 'Mot de passe' et 'Confirmation de mot de passe'." successfully_updated: "Votre mot de passe a été correctement mis à jour." errors: - validate_sign_up_params: "Les données d'inscription dans le corps de la requête ne sont pas valides." - validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." - not_email: "n'est pas une adresse e-mail" messages: - already_in_use: "déjà utilisé" + already_in_use: "déjà utilisé(e)" + validate_sign_up_params: "Les données d'inscription dans le corps de la requête ne sont pas valides." + validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." + not_email: "n'est pas une adresse e-mail" devise: mailer: confirmation_instructions: 
@@ -43,8 +43,8 @@ fr: no_changes_msg: "Votre mot de passe ne changera pas tant que vous n'accédez pas au lien ci-dessus pour en créer un nouveau." unlock_instructions: subject: "Instructions de déblocage" - account_lock_msg: "Votre compte a été bloqué en raison de nombreuses tentatives de connection erronées." + account_lock_msg: "Votre compte a été bloqué en raison de nombreuses tentatives de connexion erronées." unlock_link_msg: "Cliquez sur le lien ci-dessous pour déverrouiller votre compte:" unlock_link: "Déverrouiller mon compte" - hello: bonjour - welcome: bienvenue \ No newline at end of file + hello: "bonjour" + welcome: "bienvenue" \ No newline at end of file diff --git a/config/locales/pl.yml b/config/locales/pl.yml index aa4db2e81..2a56308e8 100644 --- a/config/locales/pl.yml +++ b/config/locales/pl.yml 
@@ -1,27 +1,27 @@ pl: devise_token_auth: sessions: - not_confirmed: "Wiadomość z potwierdzeniem Twojego konta została wysłana na %{email}. Proszę postępować zgodnie z wskazówkami znajdującymi się w wiadomości celem aktywacji konta." + not_confirmed: "Wiadomość z potwierdzeniem Twojego konta została wysłana na '%{email}'. Proszę postępować zgodnie z wskazówkami znajdującymi się w wiadomości celem aktywacji konta." bad_credentials: "Nieprawidłowe dane logowania. Proszę spróbować ponownie." not_supported: "Proszę użyć POST /sign_in do zalogowania. GET nie jest obsługiwany." user_not_found: "Użytkownik nie został odnaleziony lub nie jest zalogowany." token_validations: invalid: "Nieprawidłowe dane logowania." registrations: - missing_confirm_success_url: "Brak parametru `confirm_success_url`." - redirect_url_not_allowed: "Przekierowanie na adres %{redirect_url} nie jest dozwolone." - email_already_exists: "Konto z adresem %{email} już istnieje." - account_with_uid_destroyed: "Konto z uid %{uid} zostało usunięte." + missing_confirm_success_url: "Brak parametru 'confirm_success_url'." + redirect_url_not_allowed: "Przekierowanie na adres '%{redirect_url}' nie jest dozwolone." + email_already_exists: "Konto z adresem '%{email}' już istnieje." + account_with_uid_destroyed: "Konto z uid '%{uid}' zostało usunięte." account_to_destroy_not_found: "Nie odnaleziono konta do usunięcia." user_not_found: "Użytkownik nie został odnaleziony." passwords: missing_email: "Musisz wprowadzić adres e-mail." missing_redirect_url: "Brak adresu zwrotnego." - not_allowed_redirect_url: "Przekierowanie na adres %{redirect_url} nie jest dozwolone." - sended: "Wiadomość wysłana na adres %{email} zawiera instrukcje dotyczące zmiany hasła." + not_allowed_redirect_url: "Przekierowanie na adres '%{redirect_url}' nie jest dozwolone." + sended: "Wiadomość wysłana na adres '%{email}' zawiera instrukcje dotyczące zmiany hasła." user_not_found: "Nie odnaleziono użytkownika o adresie '%{email}'." 
- password_not_required: "To konto nie wymaga podania hasła. Zaloguj się używając konta %{provider}." - missing_passwords: 'Musisz wypełnić wszystkie pola z etykietą "hasło" oraz "potwierdzenie hasła".' + password_not_required: "To konto nie wymaga podania hasła. Zaloguj się używając konta '%{provider}'." + missing_passwords: "Musisz wypełnić wszystkie pola z etykietą 'Hasło' oraz 'Potwierdzenie hasła'." successfully_updated: "Twoje hasło zostało zaktualizowane." errors: validate_sign_up_params: "Proszę dostarczyć odpowiednie dane logowania w ciele zapytania." @@ -37,14 +37,14 @@ pl: confirm_account_link: "Potwierdź swoje konto" reset_password_instructions: subject: "Instrukcje resetowania hasła" - request_reset_link_msg: "Ktoś o link do zmiany hasła . Można to zrobić za pośrednictwem linku poniżej ." + request_reset_link_msg: "Ktoś o link do zmiany hasła. Można to zrobić za pośrednictwem linku poniżej." password_change_link: "Zmień hasło" - ignore_mail_msg: "Jeśli jej nie potrzebuję , zignoruj ​​tę wiadomość." - no_changes_msg: "Twoje hasło nie zmieni , dopóki dostęp powyższy link i utwórz nowy ." + ignore_mail_msg: "Jeśli jej nie potrzebuję, zignoruj ​​tę wiadomość." + no_changes_msg: "Twoje hasło nie zmieni, dopóki dostęp powyższy link i utwórz nowy." unlock_instructions: subject: "Instrukcje do odblokowania" - account_lock_msg: "Twoje konto zostało zablokowane z powodu zbyt dużej liczby nieudanych znak w próbach ." + account_lock_msg: "Twoje konto zostało zablokowane z powodu zbyt dużej liczby nieudanych znak w próbach." unlock_link_msg: "Kliknij poniższy link, aby odblokować konto :" unlock_link: "Odblokować konto" - hello: halo - welcome: witam \ No newline at end of file + hello: "halo" + welcome: "witam" \ No newline at end of file diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index f12a4387f..8426a6f0e 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml 
@@ -8,19 +8,19 @@ pt-BR: token_validations: invalid: "Dados de login inválidos." registrations: - missing_confirm_success_url: "Parâmetro `confirm_success_url` não informado." - redirect_url_not_allowed: "Redirecionamento para %{redirect_url} não permitido." - email_already_exists: "Já existe uma conta com o email %{email}." - account_with_uid_destroyed: "A conta com uid %{uid} foi excluída." + missing_confirm_success_url: "Parâmetro 'confirm_success_url' não informado." + redirect_url_not_allowed: "Redirecionamento para '%{redirect_url}' não permitido." + email_already_exists: "Já existe uma conta com o email '%{email}'." + account_with_uid_destroyed: "A conta com uid '%{uid}' foi excluída." account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão." user_not_found: "Usuário não encontrado." passwords: missing_email: "Informe o endereço de e-mail." missing_redirect_url: "URL para redirecionamento não informada." - not_allowed_redirect_url: "Redirecionamento para %{redirect_url} não permitido." + not_allowed_redirect_url: "Redirecionamento para '%{redirect_url}' não permitido." sended: "Você receberá um e-mail com instruções sobre como redefinir sua senha." user_not_found: "Não existe um usuário com o e-mail '%{email}'." - password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}." + password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando '%{provider}'." missing_passwords: 'Preencha a senha e a confirmação de senha.' successfully_updated: "Senha atualizada com sucesso." errors: diff --git a/config/locales/pt.yml b/config/locales/pt.yml index f3bcf5cd0..6dc9f3817 100644 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml 
@@ -8,20 +8,20 @@ pt: token_validations: invalid: "Dados de login inválidos." registrations: - missing_confirm_success_url: "Parâmetro `confirm_success_url` não informado." - redirect_url_not_allowed: "Redirecionamento para %{redirect_url} não permitido." - email_already_exists: "Já existe uma conta com o email %{email}." - account_with_uid_destroyed: "A conta com uid %{uid} foi excluída." + missing_confirm_success_url: "Parâmetro 'confirm_success_url' não informado." + redirect_url_not_allowed: "Redirecionamento para '%{redirect_url}' não permitido." + email_already_exists: "Já existe uma conta com o email '%{email}'." + account_with_uid_destroyed: "A conta com uid '%{uid}' foi excluída." account_to_destroy_not_found: "Não foi possível encontrar a conta para exclusão." user_not_found: "Utilizador não encontrado." passwords: missing_email: "Informe o endereço de e-mail." missing_redirect_url: "URL para redirecionamento não informada." - not_allowed_redirect_url: "Redirecionamento para %{redirect_url} não permitido." + not_allowed_redirect_url: "Redirecionamento para '%{redirect_url}' não permitido." sended: "Você receberá um e-mail com instruções sobre como redefinir sua senha." user_not_found: "Não existe um utilizador com o e-mail '%{email}'." - password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando %{provider}." - missing_passwords: 'Preencha a senha e a confirmação de senha.' + password_not_required: "Esta conta não necessita de uma senha. Faça login utilizando '%{provider}'." + missing_passwords: "Preencha a senha e a confirmação de senha." successfully_updated: "Senha atualizada com sucesso." errors: validate_sign_up_params: "Os dados submetidos na requisição de registo são inválidos." diff --git a/config/locales/ru.yml b/config/locales/ru.yml index 28918feb2..f075547d2 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml 
@@ -1,27 +1,27 @@ ru: devise_token_auth: sessions: - not_confirmed: "Письмо с подтверждением Вашей учетной записи %{email} отправлено на электронную почту. Вы должны следовать инструкциям, приведенным в письме, прежде чем Ваша учетная запись сможет быть активирована" + not_confirmed: "Письмо с подтверждением Вашей учетной записи '%{email}' отправлено на электронную почту. Вы должны следовать инструкциям, приведенным в письме, прежде чем Ваша учетная запись сможет быть активирована" bad_credentials: "Неверные логин или пароль. Пожалуйста, попробуйте еще раз." not_supported: "Используйте POST /sign_in для входа. GET запросы не поддерживаются." user_not_found: "Пользователь не найден или не вошел." token_validations: invalid: "Неверные данные для входа" registrations: - missing_confirm_success_url: "Отсутствует параметр `confirm_success_url`." - redirect_url_not_allowed: "Переадресация на %{redirect_url} не разрешена." - email_already_exists: "Учетная запись для %{email} уже существует" - account_with_uid_destroyed: "Учетная запись с uid %{uid} удалена." + missing_confirm_success_url: "Отсутствует параметр 'confirm_success_url'." + redirect_url_not_allowed: "Переадресация на '%{redirect_url}' не разрешена." + email_already_exists: "Учетная запись для '%{email}' уже существует" + account_with_uid_destroyed: "Учетная запись с uid '%{uid}' удалена." account_to_destroy_not_found: "Не удается найти учетную запись для удаления." user_not_found: "Пользователь не найден." passwords: missing_email: "Вы должны указать адрес электронной почты." missing_redirect_url: "Отсутствует адрес переадресации." - not_allowed_redirect_url: "Переадресация на %{redirect_url} не разрешена." - sended: "Инструкция по восстановлению пароля отправлена на Вашу электронную почту %{email}." + not_allowed_redirect_url: "Переадресация на '%{redirect_url}' не разрешена." + sended: "Инструкция по восстановлению пароля отправлена на Вашу электронную почту '%{email}'." 
user_not_found: "Не удается найти пользователя с электронной почтой '%{email}'." - password_not_required: "Эта учетная запись не требует пароля. Войдите используя учетную запись %{provider}." - missing_passwords: 'Вы должны заполнить поля "пароль" и "повторите пароль".' + password_not_required: "Эта учетная запись не требует пароля. Войдите используя учетную запись '%{provider}'." + missing_passwords: "Вы должны заполнить поля 'пароль' и 'повторите пароль'." successfully_updated: "Ваш пароль успешно обновлён." errors: validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." @@ -43,9 +43,9 @@ ru: no_changes_msg: "Ваш пароль не изменится, пока вы не открыть ссылку выше и создать новый." unlock_instructions: subject: "Разблокировать Инструкции" - account_lock_msg: "Ваш аккаунт был заблокирован из-за чрезмерного количества неудачных попыток в знак ." + account_lock_msg: "Ваш аккаунт был заблокирован из-за чрезмерного количества неудачных попыток в знак." unlock_link_msg: "Нажмите на ссылку ниже, чтобы разблокировать свой ​​аккаунт :" - unlock_link: "Открой свой ​​аккаунт" + unlock_link: "Открой свой ​​аккаунт" hello: "Здравствуйте" welcome: "Добро пожаловат" From 8c152451861a311395d56f1009abbf0c32e1bad1 Mon Sep 17 00:00:00 2001 From: djsegal Date: Fri, 11 Dec 2015 16:27:13 -0500 Subject: [PATCH 201/328] Reduce dependencies to allow Rails 5.0: #458 --- Gemfile.lock | 12 +++++++----- devise_token_auth.gemspec | 2 +- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index f8e3f0b0b..95a688414 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -36,7 +36,7 @@ PATH specs: devise_token_auth (0.1.37.beta4) devise (~> 3.5.2) - rails (~> 4.2) + rails (< 6) GEM remote: https://rubygems.org/ 
@@ -86,7 +86,8 @@ GEM
 codeclimate-test-reporter (0.4.8)
 simplecov (>= 0.7.1, < 1.0.0)
 coderay (1.1.0)
- devise (3.5.2)
+ concurrent-ruby (1.0.0)
+ devise (3.5.3)
 bcrypt (~> 3.0)
 orm_adapter (~> 0.1)
 railties (>= 3.2.6, < 5)
@@ -132,7 +133,7 @@ GEM
 mime-types (>= 1.16, < 3)
 metaclass (0.0.4)
 method_source (0.8.2)
- mime-types (2.6.2)
+ mime-types (2.99)
 mini_portile (0.6.2)
 minitest (5.8.1)
 minitest-focus (1.1.2)
@@ -220,7 +221,8 @@ GEM
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.0)
 slop (3.6.0)
- sprockets (3.4.0)
+ sprockets (3.5.2)
+ concurrent-ruby (~> 1.0)
 rack (> 1, < 3)
 sprockets-rails (2.3.3)
 actionpack (>= 3.0)
@@ -263,4 +265,4 @@ DEPENDENCIES
 thor
 
 BUNDLED WITH
- 1.10.5
+ 1.10.6
diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec
index a4a9d2801..fb0ae933f 100644
--- a/devise_token_auth.gemspec
+++ b/devise_token_auth.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
 s.test_files = Dir["test/**/*"]
 s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) }
 
- s.add_dependency "rails", "~> 4.2"
+ s.add_dependency "rails", "< 6"
 s.add_dependency "devise", "~> 3.5.2"
 
 s.add_development_dependency "sqlite3", "~> 1.3"
From e38805968371cf1d302c199fa361d33b5b7b0df2 Mon Sep 17 00:00:00 2001
From: djsegal
Date: Sat, 12 Dec 2015 17:04:19 -0500
Subject: [PATCH 202/328] =?UTF-8?q?Prevent=20helpers=20being=20loaded=20fo?= =?UTF-8?q?r=20Rails=20API=E2=80=99s:=20#468?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/devise_token_auth/controllers/helpers.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/devise_token_auth/controllers/helpers.rb b/lib/devise_token_auth/controllers/helpers.rb
index f7d233a66..b5872d75a 100644
--- a/lib/devise_token_auth/controllers/helpers.rb
+++ b/lib/devise_token_auth/controllers/helpers.rb
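Review bot: `s.add_dependency "rails", "< 6"` in the gemspec hunk drops the floor that `"~> 4.2"` carried, so the gem now declares itself installable on any Rails release below 6, including 3.x and 4.0/4.1 that this code was never run against; `s.add_dependency "rails", ">= 4.2", "< 6"` keeps the floor while opening Rails 5. The Rails 5 opening is also not resolvable as committed: the `devise (3.5.3)` entry in the Gemfile.lock hunk above still lists `railties (>= 3.2.6, < 5)`, so Bundler cannot select a Rails 5 release while `devise ~> 3.5.2` stays. A widened runtime constraint is picked up silently by downstream apps on their next `bundle update`, so it deserves a changelog line naming the Rails versions actually tested.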
@@ -61,7 +61,9 @@ def current_#{group_name.to_s.pluralize}
 end.compact
 end
 
- helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+ if respond_to?(:helper_method)
+ helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+ end
 
 METHODS
 end
@@ -121,7 +123,9 @@ def #{mapping}_session
 METHODS
 
 ActiveSupport.on_load(:action_controller) do
- helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+ if respond_to?(:helper_method)
+ helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+ end
 end
 end
 end
From e7fb01efb7e6fae16665254fef9adb94306a5a69 Mon Sep 17 00:00:00 2001
From: ValentinTrinque
Date: Sun, 13 Dec 2015 23:25:58 +0100
Subject: [PATCH 203/328] Move travis to container based configuration
---
 .travis.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.travis.yml b/.travis.yml
index 928d64ece..92aca9ba1 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,5 +1,6 @@
 language: ruby
 cache: bundler
+sudo: false
 
 rvm:
 - 1.9.3
From 6bff99b4c6af09947922e71940d66c7e99de1e4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CPaulo?= <“phsoares.ita@gmail.com”>
Date: Thu, 17 Dec 2015 09:21:58 -0200
Subject: [PATCH 204/328] removing old tokens when user changes passwords
---
 README.md | 5 ++-
 app/models/devise_token_auth/concerns/user.rb | 14 +++++++
 lib/devise_token_auth/engine.rb | 4 +-
 test/controllers/demo_user_controller_test.rb | 42 +++++++++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ddcf52014..0f64e710c 100644
--- a/README.md
+++ b/README.md
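Review bot: The `if respond_to?(:helper_method)` guards added in both helpers.rb hunks are silent about why a controller class might lack `helper_method`; a one-line comment above each, `# API-only controllers (presumably ActionController::API) do not load view helpers, so helper_method is undefined there`, ties the guard to the case the commit title describes. The first guard sits inside the `METHODS` heredoc that is evaluated later, so its comment has to live inside the heredoc too to stay adjacent to it. The method enclosing the first hunk starts outside it.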
@@ -161,10 +161,11 @@ The following settings are available for configuration in `config/initializers/d | **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. | | **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). | | **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | -| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the cilent. | -| **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the cilent. | +| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the client. | +| **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. 
If this param is set, the API will redirect to this value when no value is provided by the client. | | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | | **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! | +| **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. | Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index ea841e0ee..3dcc5a02b 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -44,6 +44,9 @@ def self.tokens_match?(token_hash, token) # get rid of dead tokens before_save :destroy_expired_tokens + # remove old tokens if password has changed + before_save :remove_tokens_after_password_reset + # allows user to change password without current_password attr_writer :allow_password_change def allow_password_change 
@@ -260,4 +263,15 @@ def destroy_expired_tokens
 end
 end
+ def remove_tokens_after_password_reset
+ there_is_more_than_one_token = self.tokens && self.tokens.keys.length > 1
+ should_remove_old_tokens = DeviseTokenAuth.remove_tokens_after_password_reset &&
+ encrypted_password_changed? && there_is_more_than_one_token
+
+ if should_remove_old_tokens
+ latest_token = self.tokens.max_by { |cid, v| v[:expiry] || v["expiry"] }
+ self.tokens = {latest_token.first => latest_token.last}
+ end
+ end
+
 end
diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb
index a88bbaa54..fc1cbd855 100644
--- a/lib/devise_token_auth/engine.rb
+++ b/lib/devise_token_auth/engine.rb
@@ -18,7 +18,8 @@ class Engine < ::Rails::Engine
 :default_password_reset_url,
 :redirect_whitelist,
 :check_current_password_before_update,
- :enable_standard_devise_support
+ :enable_standard_devise_support,
+ :remove_tokens_after_password_reset
 self.change_headers_on_each_request = true
 self.max_number_of_devices = 10
@@ -30,6 +31,7 @@ class Engine < ::Rails::Engine
 self.redirect_whitelist = nil
 self.check_current_password_before_update = false
 self.enable_standard_devise_support = false
+ self.remove_tokens_after_password_reset = false
 def self.setup(&block)
 yield self
diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb
index d10b12a25..cfa6c206f 100644
--- a/test/controllers/demo_user_controller_test.rb
+++ b/test/controllers/demo_user_controller_test.rb
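Review bot: `remove_tokens_after_password_reset` keeps the token with the greatest expiry, which is not necessarily the token of the client that changed the password, so a user who changes their password from an older session logs out that session and keeps a newer one, and after a forgot-password flow the most recently issued token — plausibly the one the user wanted gone — is the survivor. The model cannot tell from this hunk which client initiated the change; the controllers that save the new password should hand it over (an `attr_accessor :current_client_id` set before save) and the callback should prefer that key, falling back to the max-expiry heuristic only when it is unset. The `encrypted_password_changed?` condition also fires on ordinary account updates, not only resets, so the flag name and the README row should say "password change" rather than "reset". The `v[:expiry] || v["expiry"]` lookup hints that `tokens` mixes symbol and string keys; say so in a short comment, and give the method a header such as `# Drop all but one token when the password changes; the survivor is chosen by latest expiry (a heuristic, not the caller's session)`. The module ends inside the hunk, but the `before_save` registration sits in the earlier hunk on the same file.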
@@ -284,6 +284,48 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
 end
 end
+ describe 'successful password change' do
+ before do
+ DeviseTokenAuth.remove_tokens_after_password_reset = true
+
+ # adding one more token to simulate another logged in device
+ @old_auth_headers = @auth_headers
+ @auth_headers = @resource.create_new_auth_token
+ age_token(@resource, @client_id)
+ assert @resource.tokens.count > 1
+
+ # password changed from new device
+ @resource.update_attributes({
+ password: 'newsecret123',
+ password_confirmation: 'newsecret123'
+ })
+
+ get '/demo/members_only', {}, @auth_headers
+ end
+
+ after do
+ DeviseTokenAuth.remove_tokens_after_password_reset = false
+ end
+
+ it 'should have only one token' do
+ assert_equal 1, @resource.tokens.count
+ end
+
+ it 'new request should be successful' do
+ assert 200, response.status
+ end
+
+ describe 'another device should not be abble to login' do
+
+ it 'should return forbidden status' do
+ get '/demo/members_only', {}, @old_auth_headers
+ assert 401, response.status
+ end
+
+ end
+
+ end
+
 end
 describe 'enable_standard_devise_support' do
From 974e722a09fc2bf5315316ad1cee2e6734c876e6 Mon Sep 17 00:00:00 2001
From: Ankur Agarwal
Date: Fri, 18 Dec 2015 11:32:11 +0530
Subject: [PATCH 205/328] Fixes Issue #362: Fixes for the omniauth redirection issue for namespaced model
---
 .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
index 48bfdc4df..2813453e0 100644
--- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
+++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
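Review bot: `assert 200, response.status` and `assert 401, response.status` only check that the first argument is truthy, so the 'new request should be successful' and 'should return forbidden status' tests pass no matter what the server returns, and the revocation behaviour this commit introduces is never actually exercised. Use `assert_equal 200, response.status` and `assert_equal 401, response.status`, and fix the describe-name typo `abble`. The setup also reads `@client_id` from the outer `before` (outside the hunk) while `@auth_headers` is replaced with a fresh token, so it is the old device's token that gets aged; a one-line comment stating that would make the intent clear to the next reader.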
@@ -11,7 +11,7 @@ def redirect_callbacks # derive target redirect route from 'resource_class' param, which was set # before authentication. - devise_mapping = request.env['omniauth.params']['resource_class'].underscore.to_sym + devise_mapping = request.env['omniauth.params']['resource_class'].underscore.gsub("/", "_").to_sym redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].fullpath}/#{params[:provider]}/callback" # preserve omniauth info for success route. ignore 'extra' in twitter From 75efddd1ae39e01894d92f95ef22e5894eee9f23 Mon Sep 17 00:00:00 2001 From: fertingoff Date: Fri, 18 Dec 2015 14:51:51 +0200 Subject: [PATCH 206/328] Fixed typos and inconsistencies in ru.yml --- config/locales/ru.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/locales/ru.yml b/config/locales/ru.yml index f075547d2..8e37afcd8 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml @@ -6,7 +6,7 @@ ru: not_supported: "Используйте POST /sign_in для входа. GET запросы не поддерживаются." user_not_found: "Пользователь не найден или не вошел." token_validations: - invalid: "Неверные данные для входа" + invalid: "Неверные логин или пароль." registrations: missing_confirm_success_url: "Отсутствует параметр 'confirm_success_url'." redirect_url_not_allowed: "Переадресация на '%{redirect_url}' не разрешена." 
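Review bot: `Devise.mappings[devise_mapping]` on the following line returns nil whenever the `resource_class` omniauth param does not name a mounted mapping, so the `.fullpath` call raises NoMethodError and the request ends in a 500 instead of a clean rejection; since that value originates from the client at the start of the omniauth flow, check `Devise.mappings.key?(devise_mapping)` and render an error before building `redirect_route`. Interning the raw request string with `to_sym` is also worth avoiding while 1.9.3 remains in the Travis matrix, where symbols are never garbage collected; comparing the string against `Devise.mappings.keys.map(&:to_s)` before converting it covers both points. The rest of redirect_callbacks lies outside the hunk.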
@@ -34,18 +34,18 @@ ru: confirmation_instructions: subject: "Инструкции подтверждения" confirm_link_msg: "Вы можете подтвердить ваш адрес электронной почты через ссылку ниже :" - confirm_account_link: Подтвердите свой ​​счет + confirm_account_link: "Подтвердить свою учетную запись" reset_password_instructions: subject: "Инструкции для восстановления пароля" - request_reset_link_msg: "Кто-то просил ссылку , чтобы изменить пароль . Вы можете сделать это через ссылку ниже." + request_reset_link_msg: "Кто-то запросил ссылку на изменение пароля. Вы можете сделать это через ссылку ниже." password_change_link: "Изменить пароль" - ignore_mail_msg: "If you didn't request this, please ignore this email." - no_changes_msg: "Ваш пароль не изменится, пока вы не открыть ссылку выше и создать новый." + ignore_mail_msg: "Если Вы не запрашивали это, Вы можете проигнорировать это письмо." + no_changes_msg: "Ваш пароль не изменится, пока вы не откроете ссылку выше и не создадите новый пароль." unlock_instructions: subject: "Разблокировать Инструкции" - account_lock_msg: "Ваш аккаунт был заблокирован из-за чрезмерного количества неудачных попыток в знак." - unlock_link_msg: "Нажмите на ссылку ниже, чтобы разблокировать свой ​​аккаунт :" - unlock_link: "Открой свой ​​аккаунт" + account_lock_msg: "Ваш аккаунт был заблокирован из-за чрезмерного количества неудачных попыток входа." + unlock_link_msg: "Нажмите на ссылку ниже, чтобы разблокировать свой аккаунт:" + unlock_link: "Разблокировать мою учетную запись" hello: "Здравствуйте" - welcome: "Добро пожаловат" + welcome: "Добро пожаловать" From bfb2d43f4856b235773735c5bf45de01b99c9a19 Mon Sep 17 00:00:00 2001 From: Travis Date: Tue, 22 Dec 2015 12:29:31 +0800 Subject: [PATCH 207/328] create zh-TW.yml This file is to translate zh-TW for devise token auth. --- config/locales/zh-TW.yml | 49 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 config/locales/zh-TW.yml 
diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml new file mode 100644 index 000000000..c9544372c --- /dev/null +++ b/config/locales/zh-TW.yml @@ -0,0 +1,49 @@ +# Additional translations at https://github.com/plataformatec/devise/wiki/I18n + +zh-TW: + devise_token_auth: + sessions: + not_confirmed: "您將在幾分鐘後收到一封電子郵件'%{email}',內有驗證帳號的步驟說明。" + bad_credentials: "不正確的登入資料。請重試。" + not_supported: "請使用 POST /sign_in 進行登入. GET 是不支援的." + user_not_found: "未能找到帳號或未能成功登入。" + token_validations: + invalid: "不正確的登入資料。" + registrations: + missing_confirm_success_url: "欠缺數值 'confirm_success_url'" + redirect_url_not_allowed: "不支援轉向到'%{redirect_url}'" + email_already_exists: "電郵'%{email}'已被使用" + account_with_uid_destroyed: "帳號 '%{uid}' 已被移除。" + account_to_destroy_not_found: "無法找到目標帳號。" + user_not_found: "找不到帳號。" + passwords: + missing_email: "必需提供電郵。" + missing_redirect_url: "欠缺 redirect URL." + not_allowed_redirect_url: "不支援轉向到 '%{redirect_url}'" + sended: "您將在幾分鐘後收到一封電子郵件'%{email},內含可重新設定密碼連結的電子郵件。" + user_not_found: "找不到帳號 '%{email}'。" + password_not_required: "這不是一個需要密碼的帳號. 請使用 '%{provider}' 進行登入" + missing_passwords: "必需填寫'密碼'與'確認密碼'。" + successfully_updated: "您的密碼已被修改。" + errors: + messages: + already_in_use: "已被使用。" + validate_sign_up_params: "請在request body中填入有效的註冊內容" + validate_account_update_params: "請在request body中填入有效的更新帳號資料" + not_email: "這不是一個合適的電郵。" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "可以使用下面連結確定你的電郵" + confirm_account_link: "確定你的帳號" + reset_password_instructions: + request_reset_link_msg: "已申請修改您的密碼,你可以用下面連結進入" + password_change_link: "修改我的密碼" + ignore_mail_msg: "如你沒有申請,請忽略" + no_changes_msg: "在你點擊上面連結前,你的密碼都沒有改變" + unlock_instructions: + account_lock_msg: "由於多失敗登入,我們已鎖定你的帳號" + unlock_link_msg: "可以使用下面連結解鎖你的帳號" + unlock_link: "解鎖帳號" + hello: "你好" + welcome: "歡迎" From 3e4201b3e81dedc5abc97fa8cd6a327f8a5fb790 Mon Sep 17 00:00:00 2001 
From: Travis Date: Tue, 22 Dec 2015 12:30:48 +0800 Subject: [PATCH 208/328] create zh-HK.yml This is zh-HK locale file for devise token auth. --- config/locales/zh-HK | 49 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 config/locales/zh-HK diff --git a/config/locales/zh-HK b/config/locales/zh-HK new file mode 100644 index 000000000..c9544372c --- /dev/null +++ b/config/locales/zh-HK 
@@ -0,0 +1,49 @@ +# Additional translations at https://github.com/plataformatec/devise/wiki/I18n + +zh-TW: + devise_token_auth: + sessions: + not_confirmed: "您將在幾分鐘後收到一封電子郵件'%{email}',內有驗證帳號的步驟說明。" + bad_credentials: "不正確的登入資料。請重試。" + not_supported: "請使用 POST /sign_in 進行登入. GET 是不支援的." + user_not_found: "未能找到帳號或未能成功登入。" + token_validations: + invalid: "不正確的登入資料。" + registrations: + missing_confirm_success_url: "欠缺數值 'confirm_success_url'" + redirect_url_not_allowed: "不支援轉向到'%{redirect_url}'" + email_already_exists: "電郵'%{email}'已被使用" + account_with_uid_destroyed: "帳號 '%{uid}' 已被移除。" + account_to_destroy_not_found: "無法找到目標帳號。" + user_not_found: "找不到帳號。" + passwords: + missing_email: "必需提供電郵。" + missing_redirect_url: "欠缺 redirect URL." + not_allowed_redirect_url: "不支援轉向到 '%{redirect_url}'" + sended: "您將在幾分鐘後收到一封電子郵件'%{email},內含可重新設定密碼連結的電子郵件。" + user_not_found: "找不到帳號 '%{email}'。" + password_not_required: "這不是一個需要密碼的帳號. 請使用 '%{provider}' 進行登入" + missing_passwords: "必需填寫'密碼'與'確認密碼'。" + successfully_updated: "您的密碼已被修改。" + errors: + messages: + already_in_use: "已被使用。" + validate_sign_up_params: "請在request body中填入有效的註冊內容" + validate_account_update_params: "請在request body中填入有效的更新帳號資料" + not_email: "這不是一個合適的電郵。" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "可以使用下面連結確定你的電郵" + confirm_account_link: "確定你的帳號" + reset_password_instructions: + request_reset_link_msg: "已申請修改您的密碼,你可以用下面連結進入" + password_change_link: "修改我的密碼" + ignore_mail_msg: "如你沒有申請,請忽略" + no_changes_msg: "在你點擊上面連結前,你的密碼都沒有改變" + unlock_instructions: + account_lock_msg: "由於多失敗登入,我們已鎖定你的帳號" + unlock_link_msg: "可以使用下面連結解鎖你的帳號" + unlock_link: "解鎖帳號" + hello: "你好" + welcome: "歡迎" From fa2e25a591483e09268b412a5b7ab6012dc0d3bb Mon Sep 17 00:00:00 2001 
From: Travis Date: Tue, 22 Dec 2015 12:31:26 +0800 Subject: [PATCH 209/328] change zh-HK file name to zh-HK.yml --- config/locales/{zh-HK => zh-HK.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename config/locales/{zh-HK => zh-HK.yml} (100%) diff --git a/config/locales/zh-HK b/config/locales/zh-HK.yml similarity index 100% rename from config/locales/zh-HK rename to config/locales/zh-HK.yml From 70308bd6ead666d623c6fa91444ebbedf6ab20e2 Mon Sep 17 00:00:00 2001 From: Paulo Date: Tue, 22 Dec 2015 00:07:21 -0200 Subject: [PATCH 210/328] fix namespaced mapping name --- lib/devise_token_auth/rails/routes.rb | 8 ++- .../token_validations_controller_test.rb | 25 ++++++++ test/dummy/app/models/scoped_user.rb | 7 +++ test/dummy/config/routes.rb | 13 ++++ ...1_devise_token_auth_create_scoped_users.rb | 60 +++++++++++++++++++ test/dummy/db/schema.rb | 31 +++++++++- test/fixtures/scoped_users.yml | 10 ++++ 7 files changed, 152 insertions(+), 2 deletions(-) create mode 100644 test/dummy/app/models/scoped_user.rb create mode 100644 test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb create mode 100644 test/fixtures/scoped_users.yml diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index a147eea47..9884fa5dc 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -33,6 +33,9 @@ def mount_devise_token_auth_for(resource, opts) # get full url path as if it were namespaced full_path = "#{@scope[:path]}/#{opts[:at]}" + # get namespace name + namespace_name = @scope[:as] + # clear scope so controller routes aren't namespaced @scope = ActionDispatch::Routing::Mapper::Scope.new( path: "", 
@@ -43,7 +46,10 @@ def mount_devise_token_auth_for(resource, opts)
 parent: nil
 )
- devise_scope resource.underscore.gsub('/', '_').to_sym do
+ mapping_name = resource.underscore.gsub('/', '_')
+ mapping_name = "#{namespace_name}_#{mapping_name}" if namespace_name
+
+ devise_scope mapping_name.to_sym do
 # path to verify token validity
 get "#{full_path}/validate_token", controller: "#{token_validations_ctrl}", action: "validate_token"
diff --git a/test/controllers/devise_token_auth/token_validations_controller_test.rb b/test/controllers/devise_token_auth/token_validations_controller_test.rb
index 8a9b7fced..8a03c4c9e 100644
--- a/test/controllers/devise_token_auth/token_validations_controller_test.rb
+++ b/test/controllers/devise_token_auth/token_validations_controller_test.rb
@@ -63,4 +63,29 @@ class DeviseTokenAuth::TokenValidationsControllerTest < ActionDispatch::Integrat
 end
 end
+
+ describe 'using namespaces with unused resource' do
+
+ before do
+ @resource = scoped_users(:confirmed_email_user)
+ @resource.skip_confirmation!
+ @resource.save!
+
+ @auth_headers = @resource.create_new_auth_token
+
+ @token = @auth_headers['access-token']
+ @client_id = @auth_headers['client']
+ @expiry = @auth_headers['expiry']
+
+ # ensure that request is not treated as batch request
+ age_token(@resource, @client_id)
+ end
+
+ test "should be successful" do
+ get '/api_v2/auth/validate_token', {}, @auth_headers
+ assert_equal 200, response.status
+ end
+
+ end
+
 end
diff --git a/test/dummy/app/models/scoped_user.rb b/test/dummy/app/models/scoped_user.rb
new file mode 100644
index 000000000..5dca1286f
--- /dev/null
+++ b/test/dummy/app/models/scoped_user.rb
@@ -0,0 +1,7 @@
+class ScopedUser < ActiveRecord::Base
+ # Include default devise modules.
+ devise :database_authenticatable, :registerable,
+ :recoverable, :rememberable, :trackable, :validatable,
+ :confirmable, :omniauthable
+ include DeviseTokenAuth::Concerns::User
+end
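Review bot: The mapping name is now prefixed with the namespace (`"#{namespace_name}_#{mapping_name}"`), but `OmniauthCallbacksController#redirect_callbacks` (changed earlier in this series) still derives its mapping from `resource_class.underscore.gsub("/", "_")` alone, so for a namespaced mount such as the new `api_v2` route it would presumably look up a key that no longer exists in `Devise.mappings`; a single shared helper that both sites call would keep them in step. `namespace_name = @scope[:as]` in the previous hunk also deserves a comment that it must be read before `@scope` is replaced a few lines below. `mount_devise_token_auth_for` starts outside the hunk.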
diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index c189223bb..2c1c7371a 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -41,6 +41,19 @@ end end + # test namespacing with not created devise mapping + namespace :api_v2, defaults: { format: :json } do + mount_devise_token_auth_for "ScopedUser", + at: "auth", + controllers: { + omniauth_callbacks: "api_v2/omniauth_callbacks", + sessions: "api_v2/sessions", + registrations: "api_v2/registrations", + confirmations: "api_v2/confirmations", + passwords: "api_v2/passwords" + } + end + # this route will authorize visitors using the User class get 'demo/members_only', to: 'demo_user#members_only' diff --git a/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb b/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb new file mode 100644 index 000000000..0b2a9320f --- /dev/null +++ b/test/dummy/db/migrate/20160103235141_devise_token_auth_create_scoped_users.rb 
@@ -0,0 +1,60 @@
+include MigrationDatabaseHelper
+
+class DeviseTokenAuthCreateScopedUsers < ActiveRecord::Migration
+ def change
+ create_table(:scoped_users) do |t|
+ ## Required
+ t.string :provider, :null => false
+ t.string :uid, :null => false, :default => ""
+
+ ## Database authenticatable
+ t.string :encrypted_password, :null => false, :default => ""
+
+ ## Recoverable
+ t.string :reset_password_token
+ t.datetime :reset_password_sent_at
+
+ ## Rememberable
+ t.datetime :remember_created_at
+
+ ## Trackable
+ t.integer :sign_in_count, :default => 0, :null => false
+ t.datetime :current_sign_in_at
+ t.datetime :last_sign_in_at
+ t.string :current_sign_in_ip
+ t.string :last_sign_in_ip
+
+ ## Confirmable
+ t.string :confirmation_token
+ t.datetime :confirmed_at
+ t.datetime :confirmation_sent_at
+ t.string :unconfirmed_email # Only if using reconfirmable
+
+ ## Lockable
+ # t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+ # t.string :unlock_token # Only if unlock strategy is :email or :both
+ # t.datetime :locked_at
+
+ ## User Info
+ t.string :name
+ t.string :nickname
+ t.string :image
+ t.string :email
+
+ ## Tokens
+ if json_supported_database?
+ t.json :tokens
+ else
+ t.text :tokens
+ end
+
+ t.timestamps
+ end
+
+ add_index :scoped_users, :email
+ add_index :scoped_users, [:uid, :provider], :unique => true
+ add_index :scoped_users, :reset_password_token, :unique => true
+ # add_index :scoped_users, :confirmation_token, :unique => true
+ # add_index :scoped_users, :unlock_token, :unique => true
+ end
+end
diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb
index b54f5cc68..c5e24774c 100644
--- a/test/dummy/db/schema.rb
+++ b/test/dummy/db/schema.rb
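Review bot: `include MigrationDatabaseHelper` at the top of the file mixes the helper into Object for the whole process rather than into the migration; move it inside `class DeviseTokenAuthCreateScopedUsers` so `json_supported_database?` is scoped to the migration that calls it. If the sibling migrations (outside this chunk) follow the same pattern, they are worth fixing together.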
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20150708104536) do +ActiveRecord::Schema.define(version: 20160103235141) do create_table "evil_users", force: :cascade do |t| t.string "email" @@ -122,6 +122,35 @@ add_index "only_email_users", ["email"], name: "index_only_email_users_on_email" add_index "only_email_users", ["uid", "provider"], name: "index_only_email_users_on_uid_and_provider", unique: true + create_table "scoped_users", force: :cascade do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.string "reset_password_token" + t.datetime "reset_password_sent_at" + t.datetime "remember_created_at" + t.integer "sign_in_count", default: 0, null: false + t.datetime "current_sign_in_at" + t.datetime "last_sign_in_at" + t.string "current_sign_in_ip" + t.string "last_sign_in_ip" + t.string "confirmation_token" + t.datetime "confirmed_at" + t.datetime "confirmation_sent_at" + t.string "unconfirmed_email" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "scoped_users", ["email"], name: "index_scoped_users_on_email" + add_index "scoped_users", ["reset_password_token"], name: "index_scoped_users_on_reset_password_token", unique: true + add_index "scoped_users", ["uid", "provider"], name: "index_scoped_users_on_uid_and_provider", unique: true + create_table "unconfirmable_users", force: :cascade do |t| t.string "provider", null: false t.string "uid", default: "", null: false diff --git a/test/fixtures/scoped_users.yml b/test/fixtures/scoped_users.yml new file mode 100644 index 000000000..cfb26e762 --- /dev/null +++ b/test/fixtures/scoped_users.yml 
@@ -0,0 +1,10 @@ +<% timestamp = DateTime.parse(2.weeks.ago.to_s).to_time.strftime("%F %T") %> +<% @email = Faker::Internet.email %> +confirmed_email_user: + uid: "<%= @email %>" + email: "<%= @email %>" + provider: 'email' + confirmed_at: '<%= timestamp %>' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> From a92166752424e449331e4a4b924e953e7eed261b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9rgio=20Souza?= Date: Wed, 6 Jan 2016 18:55:58 -0300 Subject: [PATCH 211/328] Improve Brazilian Portuguese locale --- config/locales/pt-BR.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 8426a6f0e..12058ed98 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml 
@@ -24,25 +24,22 @@ pt-BR: missing_passwords: 'Preencha a senha e a confirmação de senha.' successfully_updated: "Senha atualizada com sucesso." errors: - validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos." - validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." - not_email: "não é um e-mail" messages: already_in_use: "em uso" + validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos." + validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." + not_email: "não é um e-mail" devise: mailer: confirmation_instructions: - subject: "Instruções de confirmação" confirm_link_msg: "Você pode confirmar a sua conta de e-mail através do link abaixo :" confirm_account_link: "Confirme conta" reset_password_instructions: - subject: "Instruções para redefinir sua senha" request_reset_link_msg: "Alguém pediu um link para mudar sua senha. Você pode fazer isso através do link abaixo " password_change_link: "Alterar a senha" ignore_mail_msg: "Se você não pediu isso, por favor, ignore este e-mail." no_changes_msg: "Sua senha não será alterada até que você acessar o link acima e criar um novo." unlock_instructions: - subject: "Instruções de desbloqueio" account_lock_msg: "A sua conta foi bloqueada devido a um número excessivo de sinal de sucesso em tentativas." unlock_link_msg: "Clique no link abaixo para desbloquear sua conta:" unlock_link: "Desbloquear minha conta" From d5d86264a17e544e3818fdaac3b853db59b0b1af Mon Sep 17 00:00:00 2001 From: Tom FORLINI Date: Fri, 8 Jan 2016 14:28:13 +0100 Subject: [PATCH 212/328] Spelling mistake --- .../devise_token_auth/templates/devise_token_auth.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index 5c2018df9..ba76d510a 100644 
--- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb @@ -24,7 +24,7 @@ # redirect successful authentications to '/omniauth/github/callback' # config.omniauth_prefix = "/omniauth" - # By defult sending current password is not needed for the password update. + # By default sending current password is not needed for the password update. # Uncomment to enforce current_password param to be checked before all # attribute updates. Set it to :password if you want it to be checked only if # password is updated. @@ -34,4 +34,4 @@ # If, however, you wish to integrate with legacy Devise authentication, you can # do so by enabling this flag. NOTE: This feature is highly experimental! # enable_standard_devise_support = false -end \ No newline at end of file +end From b20826de8987338a14634ebe0e4bcc1e71388902 Mon Sep 17 00:00:00 2001 From: djsegal Date: Mon, 18 Jan 2016 15:47:32 -0500 Subject: [PATCH 213/328] Allow new devise version for rails 5 compatibility --- Gemfile.lock | 14 +++++++------- devise_token_auth.gemspec | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 95a688414..6671a2370 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,7 +35,7 @@ PATH remote: . specs: devise_token_auth (0.1.37.beta4) - devise (~> 3.5.2) + devise (> 3.5.2, < 4.1) rails (< 6) GEM @@ -211,8 +211,8 @@ GEM rb-fsevent (0.9.6) rb-inotify (0.9.5) ffi (>= 0.5.0) - responders (2.1.0) - railties (>= 4.2.0, < 5) + responders (2.1.1) + railties (>= 4.2.0, < 5.1) ruby-progressbar (1.7.5) shellany (0.0.1) simplecov (0.10.0) @@ -224,10 +224,10 @@ GEM sprockets (3.5.2) concurrent-ruby (~> 1.0) rack (> 1, < 3) - sprockets-rails (2.3.3) - actionpack (>= 3.0) - activesupport (>= 3.0) - sprockets (>= 2.8, < 4.0) + sprockets-rails (3.0.0) + actionpack (>= 4.0) + activesupport (>= 4.0) + sprockets (>= 3.0.0) sqlite3 (1.3.11) thor (0.19.1) thread_safe (0.3.5) 
diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index fb0ae933f..3432858dd 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "~> 3.5.2" + s.add_dependency "devise", "> 3.5.2", "< 4.1" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From 1cbaab8ef6812ba5d0a158462e8c88449a2760ef Mon Sep 17 00:00:00 2001 From: Patrick Ma Date: Sat, 23 Jan 2016 09:49:49 +0800 Subject: [PATCH 214/328] remove deprecations from RegistrationsController --- .../devise_token_auth/registrations_controller.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index d031b5ff8..2710120b1 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -1,9 +1,9 @@ module DeviseTokenAuth class RegistrationsController < DeviseTokenAuth::ApplicationController - before_filter :set_user_by_token, :only => [:destroy, :update] - before_filter :validate_sign_up_params, :only => :create - before_filter :validate_account_update_params, :only => :update - skip_after_filter :update_auth_header, :only => [:create, :destroy] + before_action :set_user_by_token, :only => [:destroy, :update] + before_action :validate_sign_up_params, :only => :create + before_action :validate_account_update_params, :only => :update + skip_after_action :update_auth_header, :only => [:create, :destroy] def create @resource = resource_class.new(sign_up_params) From 50c6d919ee9b980cbd0ac6cca6f23a3cecd0d2a6 Mon Sep 17 00:00:00 2001 
From: djsegal Date: Fri, 22 Jan 2016 18:56:38 -0500 Subject: [PATCH 215/328] Change before_filter to before_action for rails5 --- .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +- .../devise_token_auth/passwords_controller.rb | 2 +- .../devise_token_auth/sessions_controller.rb | 2 +- .../devise_token_auth/token_validations_controller.rb | 4 ++-- lib/devise_token_auth/controllers/helpers.rb | 10 +++++----- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 2813453e0..7fdaaec7a 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -2,7 +2,7 @@ module DeviseTokenAuth class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController attr_reader :auth_params - skip_before_filter :set_user_by_token + skip_before_action :set_user_by_token skip_after_filter :update_auth_header # intermediary route for successful omniauth authentication. omniauth does diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index cb3291baa..58867ddb7 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -1,6 +1,6 @@ module DeviseTokenAuth class PasswordsController < DeviseTokenAuth::ApplicationController - before_filter :set_user_by_token, :only => [:update] + before_action :set_user_by_token, :only => [:update] skip_after_filter :update_auth_header, :only => [:create, :edit] # this action is responsible for generating password reset tokens and diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 893aecfb9..9658e09fc 100644 
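Review bot: `skip_after_filter :update_auth_header` on the context line directly below the change is left under the old name while `skip_before_filter` is renamed, and the same `skip_after_filter` remains in the passwords_controller.rb hunk of this commit; the `*_filter` callbacks were deprecated in Rails 5.0 and removed in 5.1, so a Rails 5 compatibility commit should rename these to `skip_after_action` as well. The class bodies continue outside the hunks.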
--- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -1,7 +1,7 @@ # see http://www.emilsoman.com/blog/2013/05/18/building-a-tested/ module DeviseTokenAuth class SessionsController < DeviseTokenAuth::ApplicationController - before_filter :set_user_by_token, :only => [:destroy] + before_action :set_user_by_token, :only => [:destroy] after_action :reset_session, :only => [:destroy] def new diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 99cd273a5..7d24bcd25 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -1,7 +1,7 @@ module DeviseTokenAuth class TokenValidationsController < DeviseTokenAuth::ApplicationController - skip_before_filter :assert_is_devise_resource!, :only => [:validate_token] - before_filter :set_user_by_token, :only => [:validate_token] + skip_before_action :assert_is_devise_resource!, :only => [:validate_token] + before_action :set_user_by_token, :only => [:validate_token] def validate_token # @resource will have been set by set_user_token concern diff --git a/lib/devise_token_auth/controllers/helpers.rb b/lib/devise_token_auth/controllers/helpers.rb index b5872d75a..cc4bee393 100644 --- a/lib/devise_token_auth/controllers/helpers.rb +++ b/lib/devise_token_auth/controllers/helpers.rb 
@@ -21,8 +21,8 @@ module ClassMethods # current_bloggers # Currently signed in user and admin # # Use: - # before_filter :authenticate_blogger! # Redirects unless either a user or an admin are authenticated - # before_filter ->{ authenticate_blogger! :admin } # Redirects to the admin login page + # before_action :authenticate_blogger! # Redirects unless either a user or an admin are authenticated + # before_action ->{ authenticate_blogger! :admin } # Redirects to the admin login page # current_blogger :user # Preferably returns a User if one is signed in # def devise_token_auth_group(group_name, opts={}) @@ -74,7 +74,7 @@ def log_process_action(payload) end # Define authentication filters and accessor helpers based on mappings. - # These filters should be used inside the controllers as before_filters, + # These filters should be used inside the controllers as before_actions, # so you can control the scope of the user who should be signed in to # access that specific controller/action. # Example: @@ -94,8 +94,8 @@ def log_process_action(payload) # admin_session # Session data available only to the admin scope # # Use: - # before_filter :authenticate_user! # Tell devise to use :user map - # before_filter :authenticate_admin! # Tell devise to use :admin map + # before_action :authenticate_user! # Tell devise to use :user map + # before_action :authenticate_admin! # Tell devise to use :admin map # def self.define_helpers(mapping) #:nodoc: mapping = mapping.name From 467336e3233b898ce90a4f84e98b281715a0dc1f Mon Sep 17 00:00:00 2001 
From: djsegal Date: Fri, 22 Jan 2016 18:59:35 -0500 Subject: [PATCH 216/328] Alter devise_parameter_sanitizer for devise update --- .../devise_token_auth/application_controller.rb | 4 ++++ .../omniauth_callbacks_controller.rb | 2 +- .../devise_token_auth/passwords_controller.rb | 2 +- .../devise_token_auth/registrations_controller.rb | 4 ++-- .../devise_token_auth/sessions_controller.rb | 2 +- test/dummy/app/controllers/application_controller.rb | 11 ++++++----- 6 files changed, 15 insertions(+), 10 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 0edc95010..08ef096bb 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -4,6 +4,10 @@ class ApplicationController < DeviseController protected + def params_for_resource(resource) + devise_parameter_sanitizer.instance_values['permitted'][resource] + end + def resource_class(m=nil) if m mapping = Devise.mappings[m] diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 7fdaaec7a..3a39b232c 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -86,7 +86,7 @@ def assign_provider_attrs(user, auth_hash) # derive allowed params from the standard devise parameter sanitizer def whitelisted_params - whitelist = devise_parameter_sanitizer.for(:sign_up) + whitelist = params_for_resource(:sign_up) whitelist.inject({}){|coll, key| param = omniauth_params[key.to_s] diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 58867ddb7..bf9d25c44 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb 
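Review bot: `params_for_resource` reads `devise_parameter_sanitizer.instance_values['permitted']`, i.e. Devise's private `@permitted` ivar rather than a public sanitizer API, so the attribute list that gates mass assignment in `sign_up_params`, `account_update_params` and `resource_params` (next hunks) now depends on an implementation detail a Devise upgrade can change without any error at this call site. If the key is absent the method returns nil: the `params.permit(*params_for_resource(...))` callers then permit nothing, which fails closed, but `whitelisted_params` calls `inject` on the result and would raise a NoMethodError. I would document the coupling and normalise the return value: `# NOTE: relies on Devise::ParameterSanitizer's private @permitted hash; re-verify on Devise upgrades` above the method and `Array(devise_parameter_sanitizer.instance_values['permitted'][resource])` as its body, so callers always get an array. The same private-state access is repeated in the dummy app's `configure_permitted_parameters` hunk, which additionally mutates those arrays in place; a single comment there pointing at this helper would keep the two in step.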
+++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -228,7 +228,7 @@ def resource_params end def password_resource_params - params.permit(devise_parameter_sanitizer.for(:account_update)) + params.permit(*params_for_resource(:account_update)) end end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 2710120b1..fcae10be3 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -97,11 +97,11 @@ def destroy end def sign_up_params - params.permit(devise_parameter_sanitizer.for(:sign_up)) + params.permit(*params_for_resource(:sign_up)) end def account_update_params - params.permit(devise_parameter_sanitizer.for(:account_update)) + params.permit(*params_for_resource(:account_update)) end protected diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 9658e09fc..d458faac9 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -141,7 +141,7 @@ def render_destroy_error private def resource_params - params.permit(devise_parameter_sanitizer.for(:sign_in)) + params.permit(*params_for_resource(:sign_in)) end end diff --git a/test/dummy/app/controllers/application_controller.rb b/test/dummy/app/controllers/application_controller.rb index 44d131dde..bf0f6fb13 100644 --- a/test/dummy/app/controllers/application_controller.rb +++ b/test/dummy/app/controllers/application_controller.rb 
@@ -6,10 +6,11 @@ class ApplicationController < ActionController::Base protected def configure_permitted_parameters - devise_parameter_sanitizer.for(:sign_up) << :operating_thetan - devise_parameter_sanitizer.for(:sign_up) << :favorite_color - devise_parameter_sanitizer.for(:account_update) << :operating_thetan - devise_parameter_sanitizer.for(:account_update) << :favorite_color - devise_parameter_sanitizer.for(:account_update) << :current_password + permitted_parameters = devise_parameter_sanitizer.instance_values['permitted'] + permitted_parameters[:sign_up] << :operating_thetan + permitted_parameters[:sign_up] << :favorite_color + permitted_parameters[:account_update] << :operating_thetan + permitted_parameters[:account_update] << :favorite_color + permitted_parameters[:account_update] << :current_password end end From cf66a0190abb6942837ef2113dfa4df614d43549 Mon Sep 17 00:00:00 2001 From: Patrick Ma Date: Sat, 23 Jan 2016 13:02:17 +0800 Subject: [PATCH 217/328] filter -> action --- .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +- app/controllers/devise_token_auth/passwords_controller.rb | 2 +- app/controllers/devise_token_auth/sessions_controller.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 3a39b232c..07813d871 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -3,7 +3,7 @@ class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController attr_reader :auth_params skip_before_action :set_user_by_token - skip_after_filter :update_auth_header + skip_after_action :update_auth_header # intermediary route for successful omniauth authentication. omniauth does # not support multiple models, so we must resort to this terrible hack. 
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index bf9d25c44..8851d0862 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -1,7 +1,7 @@ module DeviseTokenAuth class PasswordsController < DeviseTokenAuth::ApplicationController before_action :set_user_by_token, :only => [:update] - skip_after_filter :update_auth_header, :only => [:create, :edit] + skip_after_action :update_auth_header, :only => [:create, :edit] # this action is responsible for generating password reset tokens and # sending emails diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index d458faac9..c3a33e093 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -53,7 +53,7 @@ def create end def destroy - # remove auth instance variables so that after_filter does not run + # remove auth instance variables so that after_action does not run user = remove_instance_variable(:@resource) if @resource client_id = remove_instance_variable(:@client_id) if @client_id remove_instance_variable(:@token) if @token From 94b01a77de938e24192e4214abc50475ad304ac2 Mon Sep 17 00:00:00 2001 From: Patrick Ma Date: Sat, 23 Jan 2016 13:33:55 +0800 Subject: [PATCH 218/328] solve #496 fixes an issue where send_on_create_confirmation_instructions callback is not defined --- app/controllers/devise_token_auth/registrations_controller.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 2710120b1..86cf0fd66 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb 
@@ -36,6 +36,7 @@ def create begin # override email confirmation, must be sent manually from ctrl + resource_class.set_callback("create", :after, :send_on_create_confirmation_instructions) resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions) if @resource.save yield @resource if block_given? From b23d929d04f05a78c968f99b50aeb3ca62b539d6 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 26 Jan 2016 11:35:18 -0700 Subject: [PATCH 219/328] chore(deps): update gems - rails-4.2.5.1, addressable-2.4.0, attr_encrypted-1.3.5, devise-3.5.5, faker-1.6.1, hashie-3.4.3, jwt-1.5.2, listen-3.0.5, lumberjack-1.0.10, mini_portile2-2.0.0, minitest-reporters-1.1.7, pg-0.18.4, pry-0.10.3, rake-10.5.0, rb-fsevent-0.9.7, simplecov-0.11.1 --- Gemfile.lock | 102 +++++++++++++++++++++++++-------------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 6671a2370..74b3a6a78 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
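Review bot: The added `set_callback` followed by the existing `skip_callback` mutates the callback chain of `resource_class`, which is class-level state shared by every request in the process, on each call to `create`; under a threaded server another request saving a record of the same class between the two calls would presumably run `send_on_create_confirmation_instructions` and send a confirmation the controller intends to send manually, and the skip stays in effect process-wide afterwards. The stated goal (avoid an ArgumentError when the callback is not defined) is met without defining it by `resource_class.skip_callback("create", :after, :send_on_create_confirmation_instructions, raise: false)`, which Rails 5 accepts. A per-instance alternative that touches no class state is `@resource.skip_confirmation_notification!` before `@resource.save`, if the model includes Devise's Confirmable; either way the intent deserves a comment, e.g. `# suppress Devise's automatic confirmation mail; the controller sends it itself`. `create` begins and ends outside this hunk.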
@@ -41,53 +41,53 @@ PATH GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.4) - actionpack (= 4.2.4) - actionview (= 4.2.4) - activejob (= 4.2.4) + actionmailer (4.2.5.1) + actionpack (= 4.2.5.1) + actionview (= 4.2.5.1) + activejob (= 4.2.5.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.4) - actionview (= 4.2.4) - activesupport (= 4.2.4) + actionpack (4.2.5.1) + actionview (= 4.2.5.1) + activesupport (= 4.2.5.1) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.4) - activesupport (= 4.2.4) + actionview (4.2.5.1) + activesupport (= 4.2.5.1) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.4) - activesupport (= 4.2.4) + activejob (4.2.5.1) + activesupport (= 4.2.5.1) globalid (>= 0.3.0) - activemodel (4.2.4) - activesupport (= 4.2.4) + activemodel (4.2.5.1) + activesupport (= 4.2.5.1) builder (~> 3.1) - activerecord (4.2.4) - activemodel (= 4.2.4) - activesupport (= 4.2.4) + activerecord (4.2.5.1) + activemodel (= 4.2.5.1) + activesupport (= 4.2.5.1) arel (~> 6.0) - activesupport (4.2.4) + activesupport (4.2.5.1) i18n (~> 0.7) json (~> 1.7, >= 1.7.7) minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.3.8) + addressable (2.4.0) ansi (1.5.0) arel (6.0.3) - attr_encrypted (1.3.4) - encryptor (>= 1.3.0) + attr_encrypted (1.3.5) + encryptor (~> 1.3.0) bcrypt (3.1.10) builder (3.2.2) codeclimate-test-reporter (0.4.8) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) concurrent-ruby (1.0.0) - devise (3.5.3) + devise (3.5.5) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) @@ -97,7 +97,7 @@ GEM docile (1.1.5) encryptor (1.3.0) erubis (2.7.0) - faker (1.5.0) + faker (1.6.1) i18n (~> 0.5) faraday (0.9.2) multipart-post (>= 1.2, < 3) 
@@ -119,29 +119,29 @@ GEM guard-minitest (2.4.4) guard-compat (~> 1.2) minitest (>= 3.0) - hashie (3.4.2) + hashie (3.4.3) i18n (0.7.0) json (1.8.3) - jwt (1.5.1) - listen (3.0.3) + jwt (1.5.2) + listen (3.0.5) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) loofah (2.0.3) nokogiri (>= 1.5.9) - lumberjack (1.0.9) + lumberjack (1.0.10) mail (2.6.3) mime-types (>= 1.16, < 3) metaclass (0.0.4) method_source (0.8.2) mime-types (2.99) - mini_portile (0.6.2) - minitest (5.8.1) + mini_portile2 (2.0.0) + minitest (5.8.4) minitest-focus (1.1.2) minitest (>= 4, < 6) minitest-rails (2.2.0) minitest (~> 5.7) railties (~> 4.1) - minitest-reporters (1.1.3) + minitest-reporters (1.1.7) ansi builder minitest (>= 5.0) @@ -151,10 +151,10 @@ GEM multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.3.19) + mysql2 (0.4.2) nenv (0.2.0) - nokogiri (1.6.6.2) - mini_portile (~> 0.6.0) + nokogiri (1.6.7.2) + mini_portile2 (~> 2.0.0.rc2) notiffany (0.0.8) nenv (~> 0.1) shellany (~> 0.0) @@ -171,8 +171,8 @@ GEM oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) - pg (0.18.3) - pry (0.10.2) + pg (0.18.4) + pry (0.10.3) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) @@ -183,16 +183,16 @@ GEM rack-cors (0.4.0) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.4) - actionmailer (= 4.2.4) - actionpack (= 4.2.4) - actionview (= 4.2.4) - activejob (= 4.2.4) - activemodel (= 4.2.4) - activerecord (= 4.2.4) - activesupport (= 4.2.4) + rails (4.2.5.1) + actionmailer (= 4.2.5.1) + actionpack (= 4.2.5.1) + actionview (= 4.2.5.1) + activejob (= 4.2.5.1) + activemodel (= 4.2.5.1) + activerecord (= 4.2.5.1) + activesupport (= 4.2.5.1) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.4) + railties (= 4.2.5.1) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) 
@@ -200,22 +200,22 @@ GEM activesupport (>= 4.2.0.beta, < 5.0) nokogiri (~> 1.6.0) rails-deprecated_sanitizer (>= 1.0.1) - rails-html-sanitizer (1.0.2) + rails-html-sanitizer (1.0.3) loofah (~> 2.0) - railties (4.2.4) - actionpack (= 4.2.4) - activesupport (= 4.2.4) + railties (4.2.5.1) + actionpack (= 4.2.5.1) + activesupport (= 4.2.5.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (10.4.2) - rb-fsevent (0.9.6) + rake (10.5.0) + rb-fsevent (0.9.7) rb-inotify (0.9.5) ffi (>= 0.5.0) responders (2.1.1) railties (>= 4.2.0, < 5.1) ruby-progressbar (1.7.5) shellany (0.0.1) - simplecov (0.10.0) + simplecov (0.11.1) docile (~> 1.1.0) json (~> 1.8) simplecov-html (~> 0.10.0) @@ -265,4 +265,4 @@ DEPENDENCIES thor BUNDLED WITH - 1.10.6 + 1.11.2 From 18d7d67947be2e9c038910246e0018460cac6d41 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Tue, 26 Jan 2016 11:59:18 -0700 Subject: [PATCH 220/328] v0.1.37 --- .github_changelog_generator | 4 + CHANGELOG.md | 398 ++++++++++++++++++++++++++++--- Gemfile | 4 + Gemfile.lock | 16 +- lib/devise_token_auth/version.rb | 2 +- 5 files changed, 383 insertions(+), 41 deletions(-) create mode 100644 .github_changelog_generator diff --git a/.github_changelog_generator b/.github_changelog_generator new file mode 100644 index 000000000..bff97b3df --- /dev/null +++ b/.github_changelog_generator @@ -0,0 +1,4 @@ +bug-labels=bug,Bug,fix,Fix +enhancement-labels=enhancement,Enhancement,feat,Feat +unreleased-label=0.1.38 +base=CHANGELOG.md \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 00478055d..757530137 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,69 +1,389 @@ - -# 0.1.37 (beta) +# Change Log -## Features +## [0.1.37](https://github.com/lynndylanhurley/devise_token_auth/tree/0.1.37) (2016-01-26) -- **Standard Devise**: Allow conditional support of legacy Devise. Now defaults to disabled. -- **Localization**: Add German translation(de) -- **Batch Requests**: Prevent batching of requests by appending `unbatch=true` param to request URL +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37.beta4...0.1.37) -## Fixes +**Closed issues:** -- **URL Helper**: Preserve query parameters when building urls +- Not working with rails 5 and devise master [\#504](https://github.com/lynndylanhurley/devise_token_auth/issues/504) +- Unpermitted parameters: confirm\_success\_url, config\_name, registration [\#501](https://github.com/lynndylanhurley/devise_token_auth/issues/501) +- Master branch no longer working with devise master branch \(version error\) [\#498](https://github.com/lynndylanhurley/devise_token_auth/issues/498) +- uid is not getting set in git revision 996b9cf23a18 [\#497](https://github.com/lynndylanhurley/devise_token_auth/issues/497) +- ve\_model\_serializer namespace [\#492](https://github.com/lynndylanhurley/devise_token_auth/issues/492) +- User remains logged in when using devise and devise\_token\_auth in the same app [\#486](https://github.com/lynndylanhurley/devise_token_auth/issues/486) +- DEPRECATION WARNING: alias\_method\_chain is deprecated. 
Rails 5 [\#482](https://github.com/lynndylanhurley/devise_token_auth/issues/482) +- validate\_token - resource\_name - undefined method `name' for nil:NilClass [\#480](https://github.com/lynndylanhurley/devise_token_auth/issues/480) +- Helpers being loaded for Rails API's [\#468](https://github.com/lynndylanhurley/devise_token_auth/issues/468) +- locales `errors.messages.already\_in\_use` seems broken [\#463](https://github.com/lynndylanhurley/devise_token_auth/issues/463) +- omniauth callback redirect not working properly when using namespace/scope [\#362](https://github.com/lynndylanhurley/devise_token_auth/issues/362) +- delete tokens after password change [\#318](https://github.com/lynndylanhurley/devise_token_auth/issues/318) -## Breaking Changes +**Merged pull requests:** -- This version updates legacy Devise support to default to disabled rather than enabled. This support causing all sorts of random issues for people who may not have needed the integration. This feature is considered experimental. 
+- send\_on\_create\_confirmation\_instructions callback isn't defined \(rails 5\) [\#508](https://github.com/lynndylanhurley/devise_token_auth/pull/508) ([fivetwentysix](https://github.com/fivetwentysix)) +- \[REBASE\] Fix rails 5 deprecation and devise parameter sanitization [\#507](https://github.com/lynndylanhurley/devise_token_auth/pull/507) ([fivetwentysix](https://github.com/fivetwentysix)) +- remove deprecations from RegistrationsController [\#506](https://github.com/lynndylanhurley/devise_token_auth/pull/506) ([fivetwentysix](https://github.com/fivetwentysix)) +- Allow new devise version for rails 5 compatibility [\#499](https://github.com/lynndylanhurley/devise_token_auth/pull/499) ([djsegal](https://github.com/djsegal)) +- Spelling mistake [\#493](https://github.com/lynndylanhurley/devise_token_auth/pull/493) ([Tom-Tom](https://github.com/Tom-Tom)) +- Improve Brazilian Portuguese locale [\#491](https://github.com/lynndylanhurley/devise_token_auth/pull/491) ([ssouza](https://github.com/ssouza)) +- fix namespaced mapping name [\#484](https://github.com/lynndylanhurley/devise_token_auth/pull/484) ([paulosoares86](https://github.com/paulosoares86)) +- Locale file for both zh-TW and zh-HK [\#483](https://github.com/lynndylanhurley/devise_token_auth/pull/483) ([TravisTam](https://github.com/TravisTam)) +- Fixed typos and inconsistencies in ru.yml [\#478](https://github.com/lynndylanhurley/devise_token_auth/pull/478) ([fertingoff](https://github.com/fertingoff)) +- Fixes Issue \#362: Fixes for the omniauth redirection issue for namesp… [\#476](https://github.com/lynndylanhurley/devise_token_auth/pull/476) ([devilankur18](https://github.com/devilankur18)) +- removing old tokens when user changes passwords [\#474](https://github.com/lynndylanhurley/devise_token_auth/pull/474) ([paulosoares86](https://github.com/paulosoares86)) +- Move travis to container based configuration [\#470](https://github.com/lynndylanhurley/devise_token_auth/pull/470) 
([ValentinTrinque](https://github.com/ValentinTrinque)) +- Prevent helpers being loaded for Rails API’s [\#469](https://github.com/lynndylanhurley/devise_token_auth/pull/469) ([djsegal](https://github.com/djsegal)) +- Reduce dependencies to allow Rails 5.0 [\#467](https://github.com/lynndylanhurley/devise_token_auth/pull/467) ([djsegal](https://github.com/djsegal)) +- Fix locales `errors.messages.already\_in\_use` + clean up [\#466](https://github.com/lynndylanhurley/devise_token_auth/pull/466) ([ValentinTrinque](https://github.com/ValentinTrinque)) +- Fix omniauthredirection when under scopes [\#425](https://github.com/lynndylanhurley/devise_token_auth/pull/425) ([xjunior](https://github.com/xjunior)) +## [v0.1.37.beta4](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.37.beta4) (2015-12-10) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37.beta3...v0.1.37.beta4) - -# 0.1.36 (2015-10-13) +**Closed issues:** -## Fixes +- It shows "An error occurred" after omniauth callback [\#445](https://github.com/lynndylanhurley/devise_token_auth/issues/445) +- - [\#444](https://github.com/lynndylanhurley/devise_token_auth/issues/444) +- Put Access Token in body [\#442](https://github.com/lynndylanhurley/devise_token_auth/issues/442) +- Unable to add a new param for sign up [\#440](https://github.com/lynndylanhurley/devise_token_auth/issues/440) +- Undefined method provider from devise\_toke\_auth concerns/user.rb [\#438](https://github.com/lynndylanhurley/devise_token_auth/issues/438) +- Scoped DeviseToken but it still affects the original Omniauth redirects. 
[\#429](https://github.com/lynndylanhurley/devise_token_auth/issues/429) +- Can't create user via api [\#422](https://github.com/lynndylanhurley/devise_token_auth/issues/422) +- change\_headers\_on\_each\_request and batch requests [\#403](https://github.com/lynndylanhurley/devise_token_auth/issues/403) +- password length [\#380](https://github.com/lynndylanhurley/devise_token_auth/issues/380) +- The action 'twitter' could not be found for DeviseTokenAuth::OmniauthCallbacksController [\#309](https://github.com/lynndylanhurley/devise_token_auth/issues/309) +- undefined method `tokens' for \#\ [\#297](https://github.com/lynndylanhurley/devise_token_auth/issues/297) +- Generating many client tokens [\#210](https://github.com/lynndylanhurley/devise_token_auth/issues/210) -- **Deps**: Revert to last known working mysql2 gem for Travis +**Merged pull requests:** +- RU translations [\#441](https://github.com/lynndylanhurley/devise_token_auth/pull/441) ([yivo](https://github.com/yivo)) +- to keep coherent with devise. 
pt instead of pt-PT.yml [\#436](https://github.com/lynndylanhurley/devise_token_auth/pull/436) ([rmvenancio](https://github.com/rmvenancio)) +- limiting the number of concurrent devices [\#434](https://github.com/lynndylanhurley/devise_token_auth/pull/434) ([paulosoares86](https://github.com/paulosoares86)) +- Raise error in controller method [\#430](https://github.com/lynndylanhurley/devise_token_auth/pull/430) ([ArneZsng](https://github.com/ArneZsng)) +- feat\(enable-standard-devise\): allow configurable support of legacy Devise authentication [\#428](https://github.com/lynndylanhurley/devise_token_auth/pull/428) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Support for i18n in mailers views [\#427](https://github.com/lynndylanhurley/devise_token_auth/pull/427) ([ponyesteves](https://github.com/ponyesteves)) +- Translation to German [\#423](https://github.com/lynndylanhurley/devise_token_auth/pull/423) ([haslinger](https://github.com/haslinger)) +- fix\(url\): preserve query parameters when building urls [\#421](https://github.com/lynndylanhurley/devise_token_auth/pull/421) ([nbrustein](https://github.com/nbrustein)) +- Fallback to ActiveModel translations in EmailValidator [\#369](https://github.com/lynndylanhurley/devise_token_auth/pull/369) ([yivo](https://github.com/yivo)) - -# 0.1.35 (2015-10-13) +## [v0.1.37.beta3](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.37.beta3) (2015-10-27) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37.beta2...v0.1.37.beta3) -## Features +**Closed issues:** -- **Localization**: Add Polish translation (pl) +- Password Reset question, do I need my own form? 
[\#418](https://github.com/lynndylanhurley/devise_token_auth/issues/418) +- seeing other users data after login/out with different users on ionic [\#375](https://github.com/lynndylanhurley/devise_token_auth/issues/375) -## Fixes +## [v0.1.37.beta2](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.37.beta2) (2015-10-25) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37.beta1...v0.1.37.beta2) -- **OAuth**: Fix error in setting text on redirect page -- **OAuth**: Fully support OmniauthCallbacksController action overrides -- **OAuth**: Don't serialize the entire user object in redirect URLs -- **Rails-API**: Fix Rails-API integration hang-ups -- **Namespaces**: Correct handling namespaced resources +**Closed issues:** -## Misc +- The validate\_token function in the readme is missing a parameter [\#413](https://github.com/lynndylanhurley/devise_token_auth/issues/413) -- **Code Quality**: Restrict access to controller methods and other cleanup -- **Deps**: Update to Devise v3.5.2 +**Merged pull requests:** +- Change default message for already in use error and added to english … [\#417](https://github.com/lynndylanhurley/devise_token_auth/pull/417) ([ponyesteves](https://github.com/ponyesteves)) +- Issue \#413 [\#414](https://github.com/lynndylanhurley/devise_token_auth/pull/414) ([Carrigan](https://github.com/Carrigan)) +- 404 for invalid link with password reset token [\#411](https://github.com/lynndylanhurley/devise_token_auth/pull/411) ([rmvenancio](https://github.com/rmvenancio)) - -# 0.1.34 (2015-08-10) +## [v0.1.37.beta1](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.37.beta1) (2015-10-25) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.36...v0.1.37.beta1) -## Features +**Closed issues:** -- **Localization**: Add Brazilian Portuguese translation (pt-BR) +- Large Size on Disk [\#415](https://github.com/lynndylanhurley/devise_token_auth/issues/415) +- Cannot 
migrate database: NoMethodError: undefined method `new' for DeviseTokenAuth:Module [\#406](https://github.com/lynndylanhurley/devise_token_auth/issues/406) +- uninitialized constant DeviseTokenAuth::OmniauthCallbacksController::BCrypt [\#393](https://github.com/lynndylanhurley/devise_token_auth/issues/393) +- Devise token auth not found routing error [\#379](https://github.com/lynndylanhurley/devise_token_auth/issues/379) +- undefined method `match' for nil:NilClass [\#201](https://github.com/lynndylanhurley/devise_token_auth/issues/201) -## Fixes +**Merged pull requests:** -- **Deps**: Lock Devise to last known working version (v3.5.1) +- Add .ruby-version entry to .gitignore [\#412](https://github.com/lynndylanhurley/devise_token_auth/pull/412) ([xymbol](https://github.com/xymbol)) +- Portuguese Translation [\#409](https://github.com/lynndylanhurley/devise_token_auth/pull/409) ([rmvenancio](https://github.com/rmvenancio)) +- Drop .ruby-version file [\#404](https://github.com/lynndylanhurley/devise_token_auth/pull/404) ([xymbol](https://github.com/xymbol)) +- Feature/password reset with check fix [\#374](https://github.com/lynndylanhurley/devise_token_auth/pull/374) ([jakubrohleder](https://github.com/jakubrohleder)) +## [v0.1.36](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.36) (2015-10-13) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.35...v0.1.36) - -# 0.1.33 (2015-08-09) +## [v0.1.35](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.35) (2015-10-13) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.34...v0.1.35) -## Features +**Fixed bugs:** -- **Improved OAuth Flow**: Supports new OAuth window flows, allowing options for `sameWindow`, `newWindow`, and `inAppBrowser` +- Generator doesn't work correctly with mongoid and/or rails-api [\#14](https://github.com/lynndylanhurley/devise_token_auth/issues/14) -## Breaking Changes +**Closed issues:** -- The new 
OmniAuth callback behavior now defaults to `sameWindow` mode, whereas the previous implementation mimicked the functionality of `newWindow`. This was changed due to limitations with the `postMessage` API support in popular browsers, as well as feedback from user-experience testing. +- Multiple users, returning\(and creating\) wrong model's auth token [\#399](https://github.com/lynndylanhurley/devise_token_auth/issues/399) +- Sign in not success. [\#388](https://github.com/lynndylanhurley/devise_token_auth/issues/388) +- Defining a custom primary key [\#378](https://github.com/lynndylanhurley/devise_token_auth/issues/378) +- omniauth: when redirecting, user object should not be serialized into url [\#368](https://github.com/lynndylanhurley/devise_token_auth/issues/368) +- getting ng-token-auth and devise\_token\_auth to work with OAuth in ionic InAppBrowser [\#367](https://github.com/lynndylanhurley/devise_token_auth/issues/367) +- invalid token in method set\_user\_by\_token on RegistrationsController\#update [\#357](https://github.com/lynndylanhurley/devise_token_auth/issues/357) +- Allow devise patch version updates [\#351](https://github.com/lynndylanhurley/devise_token_auth/issues/351) +- Error validating token [\#348](https://github.com/lynndylanhurley/devise_token_auth/issues/348) +- Allow for HTTP Basic Auth ? 
[\#337](https://github.com/lynndylanhurley/devise_token_auth/issues/337) +- Allow Omniauth user reset password [\#335](https://github.com/lynndylanhurley/devise_token_auth/issues/335) +- NameError \(uninitialized constant DeviseTokenAuth::Concerns::User::BCrypt\) [\#333](https://github.com/lynndylanhurley/devise_token_auth/issues/333) +- Unpermitted parameters: format, session [\#328](https://github.com/lynndylanhurley/devise_token_auth/issues/328) +- devise token auth + Save Facebook auth\_hash info in database [\#326](https://github.com/lynndylanhurley/devise_token_auth/issues/326) +- Error sending password reset email when not using confirmable \(reopened \#124\) [\#321](https://github.com/lynndylanhurley/devise_token_auth/issues/321) +- Facebook omniauth redirection is missing url when testing on localhost [\#285](https://github.com/lynndylanhurley/devise_token_auth/issues/285) +- Failure route not handled [\#262](https://github.com/lynndylanhurley/devise_token_auth/issues/262) +- Unable to override OmniauthCallbacksController\#redirect\_callbacks [\#186](https://github.com/lynndylanhurley/devise_token_auth/issues/186) + +**Merged pull requests:** + +- Added polish translation. [\#405](https://github.com/lynndylanhurley/devise_token_auth/pull/405) ([h3xed](https://github.com/h3xed)) +- Implement hook methods for customized json rendering [\#384](https://github.com/lynndylanhurley/devise_token_auth/pull/384) ([neutronz](https://github.com/neutronz)) +- fix\(oauth\): fixes \#368: do not serialize the entire user object in the url when redirecting from oauth [\#371](https://github.com/lynndylanhurley/devise_token_auth/pull/371) ([nbrustein](https://github.com/nbrustein)) +- Add a Gitter chat badge to README.md [\#360](https://github.com/lynndylanhurley/devise_token_auth/pull/360) ([gitter-badger](https://github.com/gitter-badger)) +- Improvements to the docs. 
[\#358](https://github.com/lynndylanhurley/devise_token_auth/pull/358) ([aarongray](https://github.com/aarongray)) +- Add description to readme about the devise.rb initializer. [\#356](https://github.com/lynndylanhurley/devise_token_auth/pull/356) ([aarongray](https://github.com/aarongray)) +- Correct handling namespaced resources [\#355](https://github.com/lynndylanhurley/devise_token_auth/pull/355) ([yivo](https://github.com/yivo)) +- Fix concern not being inserted for rails-api apps. [\#350](https://github.com/lynndylanhurley/devise_token_auth/pull/350) ([aarongray](https://github.com/aarongray)) +- Add documentation to explain gotcha with rails-api. [\#349](https://github.com/lynndylanhurley/devise_token_auth/pull/349) ([aarongray](https://github.com/aarongray)) +- Fully support OmniauthCallbacksController action overrides. Fixes \#186. [\#347](https://github.com/lynndylanhurley/devise_token_auth/pull/347) ([tbloncar](https://github.com/tbloncar)) +- \#340 Restrict access to controllers methods [\#341](https://github.com/lynndylanhurley/devise_token_auth/pull/341) ([gkopylov](https://github.com/gkopylov)) +- fix\(omniauth\): fix error in setting text on redirect page [\#336](https://github.com/lynndylanhurley/devise_token_auth/pull/336) ([nbrustein](https://github.com/nbrustein)) +- Fix invalid omniauth redirect [\#322](https://github.com/lynndylanhurley/devise_token_auth/pull/322) ([troggy](https://github.com/troggy)) + +## [v0.1.34](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.34) (2015-08-10) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.33...v0.1.34) + +**Implemented enhancements:** + +- Rails generator to update views [\#33](https://github.com/lynndylanhurley/devise_token_auth/issues/33) +- Extract Omniauth attributes assignation into a method [\#31](https://github.com/lynndylanhurley/devise_token_auth/issues/31) + +**Fixed bugs:** + +- Generator issues 
[\#13](https://github.com/lynndylanhurley/devise_token_auth/issues/13) + +**Closed issues:** + +- Routing error / Preflight request / OPTIONS [\#320](https://github.com/lynndylanhurley/devise_token_auth/issues/320) +- Can't authorize \(user\_signed\_in? always show false\) [\#315](https://github.com/lynndylanhurley/devise_token_auth/issues/315) +- Warden::SessionSerializer - wrong number of arguments \(2 for 1\) [\#312](https://github.com/lynndylanhurley/devise_token_auth/issues/312) +- Having 401 Unauthorized only with mobile [\#305](https://github.com/lynndylanhurley/devise_token_auth/issues/305) +- remove unused nickname, image from user object [\#304](https://github.com/lynndylanhurley/devise_token_auth/issues/304) +- HI, This is more of a doubt since I could not finding anything related to this in your documentation. [\#300](https://github.com/lynndylanhurley/devise_token_auth/issues/300) +- Getting 401's when making requests using iOS/Android clients [\#299](https://github.com/lynndylanhurley/devise_token_auth/issues/299) +- Confirmation URL giving bad arguments [\#293](https://github.com/lynndylanhurley/devise_token_auth/issues/293) +- set\_user\_by\_token not called in overriden controller [\#291](https://github.com/lynndylanhurley/devise_token_auth/issues/291) +- Question: Should we send password reset instructions to unconfirmed emails? [\#287](https://github.com/lynndylanhurley/devise_token_auth/issues/287) +- No route matches \[GET\] "/users/facebook/callback" [\#280](https://github.com/lynndylanhurley/devise_token_auth/issues/280) +- No route matches \[GET\] "/omniauth/:provider" [\#278](https://github.com/lynndylanhurley/devise_token_auth/issues/278) +- How to refresh token/expiry? 
[\#275](https://github.com/lynndylanhurley/devise_token_auth/issues/275) +- wrong number of arguments \(1 for 0\): in DeviseTokenAuth::RegistrationsController\#create [\#274](https://github.com/lynndylanhurley/devise_token_auth/issues/274) +- Can not save a user with nil tokens attribute [\#271](https://github.com/lynndylanhurley/devise_token_auth/issues/271) +- Shouldn't validate\_token param be access-token, not auth\_token? [\#270](https://github.com/lynndylanhurley/devise_token_auth/issues/270) +- include associations on login [\#269](https://github.com/lynndylanhurley/devise_token_auth/issues/269) +- Getting Unauthorized error even after sending the correct token, uid and client [\#261](https://github.com/lynndylanhurley/devise_token_auth/issues/261) +- Weird error message [\#259](https://github.com/lynndylanhurley/devise_token_auth/issues/259) +- undefined method `provider' for \#\ [\#257](https://github.com/lynndylanhurley/devise_token_auth/issues/257) +- File download with query params [\#246](https://github.com/lynndylanhurley/devise_token_auth/issues/246) +- Info: is devise\_token\_auth compatible with rails 3.2.19? 
[\#245](https://github.com/lynndylanhurley/devise_token_auth/issues/245) +- Headers required for different methods [\#243](https://github.com/lynndylanhurley/devise_token_auth/issues/243) +- Unpermitted parameters: format, session, lang [\#239](https://github.com/lynndylanhurley/devise_token_auth/issues/239) +- On sign\_in, devise\_token\_auth expects the uid to be the same as the email [\#237](https://github.com/lynndylanhurley/devise_token_auth/issues/237) +- Name conflict with inherited\_resources [\#236](https://github.com/lynndylanhurley/devise_token_auth/issues/236) +- sign\_in will not fetch the token [\#234](https://github.com/lynndylanhurley/devise_token_auth/issues/234) +- Log in request 401 error [\#231](https://github.com/lynndylanhurley/devise_token_auth/issues/231) +- User Registration - "email address already in use" when it is unique [\#230](https://github.com/lynndylanhurley/devise_token_auth/issues/230) +- Devise email validation disabled...why? [\#229](https://github.com/lynndylanhurley/devise_token_auth/issues/229) +- confirm\_success\_url error not working [\#226](https://github.com/lynndylanhurley/devise_token_auth/issues/226) +- pending\_reconfirmation called when confirmable isn't used [\#224](https://github.com/lynndylanhurley/devise_token_auth/issues/224) +- omniauth\_success.html.erb JSON bug [\#221](https://github.com/lynndylanhurley/devise_token_auth/issues/221) +- Using devise\_token\_auth and ng\_token\_auth with angularJS in an Ionic Hybrid application [\#218](https://github.com/lynndylanhurley/devise_token_auth/issues/218) +- Where can I got token? [\#217](https://github.com/lynndylanhurley/devise_token_auth/issues/217) +- URI fragment prevent to send params in Confirmation URL [\#213](https://github.com/lynndylanhurley/devise_token_auth/issues/213) +- Limit tokens hash? 
[\#208](https://github.com/lynndylanhurley/devise_token_auth/issues/208) +- 500 error returned when no data is POSTed to registration controller [\#203](https://github.com/lynndylanhurley/devise_token_auth/issues/203) +- DELETE method becoming OPTIONS @ Heroku [\#197](https://github.com/lynndylanhurley/devise_token_auth/issues/197) +- 40 Mb log file and 1 minute to have token with curl [\#195](https://github.com/lynndylanhurley/devise_token_auth/issues/195) +- 401 unauthorized [\#193](https://github.com/lynndylanhurley/devise_token_auth/issues/193) +- GET requests to sign\_in shouldn't raise an exception [\#190](https://github.com/lynndylanhurley/devise_token_auth/issues/190) +- Api not locked by default [\#189](https://github.com/lynndylanhurley/devise_token_auth/issues/189) +- Rails 4.1 [\#187](https://github.com/lynndylanhurley/devise_token_auth/issues/187) +- Token based authentication with no sessions [\#183](https://github.com/lynndylanhurley/devise_token_auth/issues/183) +- undefined method `authenticate\_user!' [\#182](https://github.com/lynndylanhurley/devise_token_auth/issues/182) +- confirm\_success\_url shouldn't be a required param [\#176](https://github.com/lynndylanhurley/devise_token_auth/issues/176) +- Provide an OAuth implementation for native apps [\#175](https://github.com/lynndylanhurley/devise_token_auth/issues/175) +- getting an argument error when trying to use omniauth [\#174](https://github.com/lynndylanhurley/devise_token_auth/issues/174) +- Sign in via username doesn't seem to work correctly. [\#173](https://github.com/lynndylanhurley/devise_token_auth/issues/173) +- Cannot use + sign in email address. [\#171](https://github.com/lynndylanhurley/devise_token_auth/issues/171) +- How can i authenticate using curl and get private entries ! 
[\#167](https://github.com/lynndylanhurley/devise_token_auth/issues/167) +- Pessimistic Locking produces ArgumentError [\#165](https://github.com/lynndylanhurley/devise_token_auth/issues/165) +- POTENTIAL SECURITY RISK: Setting confirm\_success\_url and redirect\_url via API [\#162](https://github.com/lynndylanhurley/devise_token_auth/issues/162) +- Sign out just on client side ? [\#161](https://github.com/lynndylanhurley/devise_token_auth/issues/161) +- Unpermitted parameter: redirect\_url [\#160](https://github.com/lynndylanhurley/devise_token_auth/issues/160) +- Issues using devise and devise\_token\_auth [\#159](https://github.com/lynndylanhurley/devise_token_auth/issues/159) +- Add role based authorization [\#158](https://github.com/lynndylanhurley/devise_token_auth/issues/158) +- Not compatible with ActiveAdmin [\#156](https://github.com/lynndylanhurley/devise_token_auth/issues/156) +- \[Duplicate\] is devise\_invitable supported? [\#154](https://github.com/lynndylanhurley/devise_token_auth/issues/154) +- User can register with a "false" email [\#149](https://github.com/lynndylanhurley/devise_token_auth/issues/149) +- /validate\_token [\#148](https://github.com/lynndylanhurley/devise_token_auth/issues/148) +- Email confirmation link [\#147](https://github.com/lynndylanhurley/devise_token_auth/issues/147) +- Tokens field on database [\#146](https://github.com/lynndylanhurley/devise_token_auth/issues/146) +- Twitter OAuth always throughs CookieOverflow [\#145](https://github.com/lynndylanhurley/devise_token_auth/issues/145) +- Is there a way to configure apiUrl for both dev and prod? 
[\#144](https://github.com/lynndylanhurley/devise_token_auth/issues/144) +- Getting 401 unauthorized on login attempt [\#142](https://github.com/lynndylanhurley/devise_token_auth/issues/142) +- Comparing with jwt [\#140](https://github.com/lynndylanhurley/devise_token_auth/issues/140) +- Can't get omniauth to work \(error in redirect\_callbacks\) [\#139](https://github.com/lynndylanhurley/devise_token_auth/issues/139) +- Change controller inheritance [\#138](https://github.com/lynndylanhurley/devise_token_auth/issues/138) +- Reset Password call returns 400 for Not Found user [\#137](https://github.com/lynndylanhurley/devise_token_auth/issues/137) +- The gem is too big. Please take care of it. [\#136](https://github.com/lynndylanhurley/devise_token_auth/issues/136) +- Error when loging with facebook the second time without logout [\#135](https://github.com/lynndylanhurley/devise_token_auth/issues/135) +- OmniAuth redirect doesn't work if using the generated mount\_devise\_token route [\#133](https://github.com/lynndylanhurley/devise_token_auth/issues/133) +- Missing template /omniauth\_response [\#132](https://github.com/lynndylanhurley/devise_token_auth/issues/132) +- Unpermitted parameter: session [\#130](https://github.com/lynndylanhurley/devise_token_auth/issues/130) +- OAuth error: We're sorry, but something went wrong [\#129](https://github.com/lynndylanhurley/devise_token_auth/issues/129) +- Would it be useful to integrate login with username ? 
[\#127](https://github.com/lynndylanhurley/devise_token_auth/issues/127) +- Sign in with login instead of email [\#126](https://github.com/lynndylanhurley/devise_token_auth/issues/126) +- Error sending password reset email when not using confirmable [\#124](https://github.com/lynndylanhurley/devise_token_auth/issues/124) +- Using expired token for parallel calls [\#123](https://github.com/lynndylanhurley/devise_token_auth/issues/123) +- User tokens don't properly deserialize [\#121](https://github.com/lynndylanhurley/devise_token_auth/issues/121) +- Could not load 'omniauth' [\#118](https://github.com/lynndylanhurley/devise_token_auth/issues/118) +- bad argument \(expected URI object or URI string\) [\#116](https://github.com/lynndylanhurley/devise_token_auth/issues/116) +- devise\_token\_auth for public API, but devise for rest of app? [\#114](https://github.com/lynndylanhurley/devise_token_auth/issues/114) +- Omniauthable deleted on UsersConcern : Why ? [\#111](https://github.com/lynndylanhurley/devise_token_auth/issues/111) +- Unrequired route [\#110](https://github.com/lynndylanhurley/devise_token_auth/issues/110) +- raises NoMethodError instead of displaying error when email is missing [\#108](https://github.com/lynndylanhurley/devise_token_auth/issues/108) +- Error with RailsAdmin. 
"The action 'new' could not be found for DeviseTokenAuth::SessionsController" [\#107](https://github.com/lynndylanhurley/devise_token_auth/issues/107) +- Circular dependency detected while autoloading constant Api [\#106](https://github.com/lynndylanhurley/devise_token_auth/issues/106) +- Can't Authenticate via cURL [\#105](https://github.com/lynndylanhurley/devise_token_auth/issues/105) +- Unpermitted parameters: user, registration [\#104](https://github.com/lynndylanhurley/devise_token_auth/issues/104) +- BCrypt::Errors::InvalidSalt errors [\#103](https://github.com/lynndylanhurley/devise_token_auth/issues/103) +- Active job token expiring integration [\#102](https://github.com/lynndylanhurley/devise_token_auth/issues/102) +- The action 'new' could not be found for DeviseTokenAuth::RegistrationsController [\#100](https://github.com/lynndylanhurley/devise_token_auth/issues/100) +- Disable confirmable [\#99](https://github.com/lynndylanhurley/devise_token_auth/issues/99) +- responders - rails 4.2 [\#98](https://github.com/lynndylanhurley/devise_token_auth/issues/98) +- forward skip to devise [\#97](https://github.com/lynndylanhurley/devise_token_auth/issues/97) +- API versioning the devise scope of token validation and ominiauth controller path will wrap up [\#96](https://github.com/lynndylanhurley/devise_token_auth/issues/96) +- Overwriting default "from" email address [\#94](https://github.com/lynndylanhurley/devise_token_auth/issues/94) +- uninitialized constant DeviseTokenAuth [\#92](https://github.com/lynndylanhurley/devise_token_auth/issues/92) +- change\_headers\_on\_each\_request not working expiry header empty [\#90](https://github.com/lynndylanhurley/devise_token_auth/issues/90) +- Gem render consistency [\#87](https://github.com/lynndylanhurley/devise_token_auth/issues/87) +- Sample Sessions Controller for logging in via Rails View. 
[\#86](https://github.com/lynndylanhurley/devise_token_auth/issues/86) +- Change authorization key: Use phone\_number instead of email [\#84](https://github.com/lynndylanhurley/devise_token_auth/issues/84) +- Conflict with active\_admin gem [\#83](https://github.com/lynndylanhurley/devise_token_auth/issues/83) +- NoMethodError in DeviseTokenAuth::OmniauthCallbacksController\#redirect\_callbacks [\#82](https://github.com/lynndylanhurley/devise_token_auth/issues/82) +- All the APIs are getting 'Authorized users only' [\#81](https://github.com/lynndylanhurley/devise_token_auth/issues/81) +- Is Devise option Rememberable required ? [\#80](https://github.com/lynndylanhurley/devise_token_auth/issues/80) +- Problem with skip\_confirmation! [\#78](https://github.com/lynndylanhurley/devise_token_auth/issues/78) +- Cannot reset password if registered by omniauth [\#77](https://github.com/lynndylanhurley/devise_token_auth/issues/77) +- NoMethodError at /omniauth/facebook/callback - undefined method `\[\]' for nil:NilClass [\#76](https://github.com/lynndylanhurley/devise_token_auth/issues/76) +- Skipping Registrations Controller Altogether [\#70](https://github.com/lynndylanhurley/devise_token_auth/issues/70) +- Problem in validate\_token if the model is in a namespace [\#69](https://github.com/lynndylanhurley/devise_token_auth/issues/69) +- Cannot send confirmation email if there is no 'User' model [\#68](https://github.com/lynndylanhurley/devise_token_auth/issues/68) +- Better guidelines for contributors [\#65](https://github.com/lynndylanhurley/devise_token_auth/issues/65) +- admin namespace [\#63](https://github.com/lynndylanhurley/devise_token_auth/issues/63) +- Devise trackable module not working [\#62](https://github.com/lynndylanhurley/devise_token_auth/issues/62) +- Devise\_token\_auth without OmniAuth authentication [\#60](https://github.com/lynndylanhurley/devise_token_auth/issues/60) +- Reset Password error 
[\#59](https://github.com/lynndylanhurley/devise_token_auth/issues/59) +- Confirmable - unconfirmed email [\#58](https://github.com/lynndylanhurley/devise_token_auth/issues/58) +- Email Column Isn't Used for Database Authentication [\#56](https://github.com/lynndylanhurley/devise_token_auth/issues/56) +- Unique Key for Provider and UID Combination [\#55](https://github.com/lynndylanhurley/devise_token_auth/issues/55) +- User Info in separate table or removed [\#53](https://github.com/lynndylanhurley/devise_token_auth/issues/53) +- rename @user to @resource [\#48](https://github.com/lynndylanhurley/devise_token_auth/issues/48) +- Active\_admin issue [\#47](https://github.com/lynndylanhurley/devise_token_auth/issues/47) +- Possible Logout Issue [\#46](https://github.com/lynndylanhurley/devise_token_auth/issues/46) +- Routes not appended to routes.rb [\#45](https://github.com/lynndylanhurley/devise_token_auth/issues/45) +- Return resource.errors.full\_messages in addition to resource.errors [\#44](https://github.com/lynndylanhurley/devise_token_auth/issues/44) +- Devise and Devise\_Token\_Auth in api namespace [\#43](https://github.com/lynndylanhurley/devise_token_auth/issues/43) +- Trackable attributes are not being updated. 
[\#42](https://github.com/lynndylanhurley/devise_token_auth/issues/42) +- Avoid using respond\_to in application controller [\#41](https://github.com/lynndylanhurley/devise_token_auth/issues/41) +- devise\_token\_auth assumes you want the :confirmable functionality [\#40](https://github.com/lynndylanhurley/devise_token_auth/issues/40) +- undefined method `match' for nil:NilClass [\#39](https://github.com/lynndylanhurley/devise_token_auth/issues/39) +- Expired token aren't removed when session expires [\#38](https://github.com/lynndylanhurley/devise_token_auth/issues/38) +- sign\_up helper [\#37](https://github.com/lynndylanhurley/devise_token_auth/issues/37) +- self.tokens\[client\_id\]\['token'\] != token [\#30](https://github.com/lynndylanhurley/devise_token_auth/issues/30) +- How is the uid generated for non-omniauth users? [\#29](https://github.com/lynndylanhurley/devise_token_auth/issues/29) +- Access to current\_user variable? [\#28](https://github.com/lynndylanhurley/devise_token_auth/issues/28) +- Filter chain halted as :require\_no\_authentication [\#27](https://github.com/lynndylanhurley/devise_token_auth/issues/27) +- Allow additional parameters for registration [\#25](https://github.com/lynndylanhurley/devise_token_auth/issues/25) +- Cannot add more parameters at sign\_up [\#22](https://github.com/lynndylanhurley/devise_token_auth/issues/22) +- Error on Registration [\#21](https://github.com/lynndylanhurley/devise_token_auth/issues/21) +- Error with authentication [\#20](https://github.com/lynndylanhurley/devise_token_auth/issues/20) +- Cascade of Issues with Omniauth\(?\) [\#18](https://github.com/lynndylanhurley/devise_token_auth/issues/18) +- Batch Requests Respond with Original Auth Token [\#17](https://github.com/lynndylanhurley/devise_token_auth/issues/17) +- Sign out with email provider error [\#16](https://github.com/lynndylanhurley/devise_token_auth/issues/16) +- sessions\_controller.rb 
[\#12](https://github.com/lynndylanhurley/devise_token_auth/issues/12) +- Github login in example is broken [\#10](https://github.com/lynndylanhurley/devise_token_auth/issues/10) +- Facebook auth is broken [\#9](https://github.com/lynndylanhurley/devise_token_auth/issues/9) +- Generator is not working [\#8](https://github.com/lynndylanhurley/devise_token_auth/issues/8) +- Test ticket from Code Climate [\#6](https://github.com/lynndylanhurley/devise_token_auth/issues/6) +- Test ticket from Code Climate [\#5](https://github.com/lynndylanhurley/devise_token_auth/issues/5) +- extending the devise\_token\_auth user model [\#4](https://github.com/lynndylanhurley/devise_token_auth/issues/4) +- A few ideas [\#3](https://github.com/lynndylanhurley/devise_token_auth/issues/3) +- Google Oauth2 does not set cookies in production. [\#1](https://github.com/lynndylanhurley/devise_token_auth/issues/1) + +**Merged pull requests:** + +- add Brazilian Portuguese translation \(pt-BR\) [\#331](https://github.com/lynndylanhurley/devise_token_auth/pull/331) ([josiasds](https://github.com/josiasds)) +- Tests to ensure standard devise has greater priority than tokens [\#330](https://github.com/lynndylanhurley/devise_token_auth/pull/330) ([colavitam](https://github.com/colavitam)) +- Fixed error when using standard devise authentication [\#329](https://github.com/lynndylanhurley/devise_token_auth/pull/329) ([colavitam](https://github.com/colavitam)) +- feat\(improved-omniauth\): omniauth sameWindow and inAppBrowser flows [\#323](https://github.com/lynndylanhurley/devise_token_auth/pull/323) ([nbrustein](https://github.com/nbrustein)) +- Old password check before password update [\#317](https://github.com/lynndylanhurley/devise_token_auth/pull/317) ([jakubrohleder](https://github.com/jakubrohleder)) +- Remove erroneous colon from before\_action callback [\#310](https://github.com/lynndylanhurley/devise_token_auth/pull/310) ([jmliu](https://github.com/jmliu)) +- Disabled serialization for 
JSON type columns [\#306](https://github.com/lynndylanhurley/devise_token_auth/pull/306) ([colavitam](https://github.com/colavitam)) +- Set default provider to "email" in migration [\#302](https://github.com/lynndylanhurley/devise_token_auth/pull/302) ([colavitam](https://github.com/colavitam)) +- Fix an issue for not :confirmable users [\#296](https://github.com/lynndylanhurley/devise_token_auth/pull/296) ([sebfie](https://github.com/sebfie)) +- Update README.md [\#295](https://github.com/lynndylanhurley/devise_token_auth/pull/295) ([adisos](https://github.com/adisos)) +- Fix MOUNT\_PATH 'Read More' link [\#294](https://github.com/lynndylanhurley/devise_token_auth/pull/294) ([jmliu](https://github.com/jmliu)) +- Don't send password reset instructions to unconfirmed email [\#288](https://github.com/lynndylanhurley/devise_token_auth/pull/288) ([coryschires](https://github.com/coryschires)) +- Feature/i18n support [\#283](https://github.com/lynndylanhurley/devise_token_auth/pull/283) ([sebfie](https://github.com/sebfie)) +- Update documentation for validate\_token [\#277](https://github.com/lynndylanhurley/devise_token_auth/pull/277) ([adamgall](https://github.com/adamgall)) +- Added json support for tokens [\#276](https://github.com/lynndylanhurley/devise_token_auth/pull/276) ([shicholas](https://github.com/shicholas)) +- perf\(token\_is\_current?\): add simplistic cache to reduce overhead of redundant token checks during validation calls [\#272](https://github.com/lynndylanhurley/devise_token_auth/pull/272) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- perf\(update\_auth\_header\): only lock the resource if we are rotating tokens [\#267](https://github.com/lynndylanhurley/devise_token_auth/pull/267) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(email-validation\): Update in-use email validation message during registration to allow full\_message use [\#255](https://github.com/lynndylanhurley/devise_token_auth/pull/255) 
([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(session\#new\): fix unhandled 500 when logging in with valid user and bad password [\#254](https://github.com/lynndylanhurley/devise_token_auth/pull/254) ([mathemagica](https://github.com/mathemagica)) +- feat\(ominauth\): support json-formatted values in omniauth callback. [\#252](https://github.com/lynndylanhurley/devise_token_auth/pull/252) ([nbrustein](https://github.com/nbrustein)) +- fix\(sessions controller\): call reset\_session on destroy [\#251](https://github.com/lynndylanhurley/devise_token_auth/pull/251) ([nbrustein](https://github.com/nbrustein)) +- fix\(resource\_class\): support optional mapping property from set\_user\_by\_token [\#250](https://github.com/lynndylanhurley/devise_token_auth/pull/250) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Allow current\_password to be supplied when updating profile. [\#240](https://github.com/lynndylanhurley/devise_token_auth/pull/240) ([jasonswett](https://github.com/jasonswett)) +- fixes password reset when not using confirmable [\#225](https://github.com/lynndylanhurley/devise_token_auth/pull/225) ([aesnyder](https://github.com/aesnyder)) +- Fix error when email missing from registration params [\#220](https://github.com/lynndylanhurley/devise_token_auth/pull/220) ([iangreenleaf](https://github.com/iangreenleaf)) +- URI fragment should appear at the end of URL [\#214](https://github.com/lynndylanhurley/devise_token_auth/pull/214) ([edymerchk](https://github.com/edymerchk)) +- Super block yield \(all controllers\) [\#209](https://github.com/lynndylanhurley/devise_token_auth/pull/209) ([sgwilym](https://github.com/sgwilym)) +- Super block yield [\#207](https://github.com/lynndylanhurley/devise_token_auth/pull/207) ([sgwilym](https://github.com/sgwilym)) +- Ability to localize error message [\#206](https://github.com/lynndylanhurley/devise_token_auth/pull/206) ([lda](https://github.com/lda)) +- remove fragment sign \("\#"\) from URLs 
without fragment [\#205](https://github.com/lynndylanhurley/devise_token_auth/pull/205) ([tomdov](https://github.com/tomdov)) +- Return 422 \(was 500\) when empty body for sign up and account update [\#204](https://github.com/lynndylanhurley/devise_token_auth/pull/204) ([mchavarriagam](https://github.com/mchavarriagam)) +- Users with allowed unconfirmed access can now log in successfully. [\#202](https://github.com/lynndylanhurley/devise_token_auth/pull/202) ([colavitam](https://github.com/colavitam)) +- Authenticating an existing Warden/Devise User [\#200](https://github.com/lynndylanhurley/devise_token_auth/pull/200) ([nickL](https://github.com/nickL)) +- GET sign\_in should direct people to use POST sign\_in rather than raising exception [\#191](https://github.com/lynndylanhurley/devise_token_auth/pull/191) ([milesmatthias](https://github.com/milesmatthias)) +- Ignore 'extra' in Twitter auth response to avoid CookieOverflow. Fixes \#145. [\#179](https://github.com/lynndylanhurley/devise_token_auth/pull/179) ([tbloncar](https://github.com/tbloncar)) +- Some missing as\_json ? [\#152](https://github.com/lynndylanhurley/devise_token_auth/pull/152) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check email format on registration [\#150](https://github.com/lynndylanhurley/devise_token_auth/pull/150) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Actual header key uses dashes, not underscores. [\#143](https://github.com/lynndylanhurley/devise_token_auth/pull/143) ([ragaskar](https://github.com/ragaskar)) +- Username register login [\#128](https://github.com/lynndylanhurley/devise_token_auth/pull/128) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check if confirmable is active before skipping confirmation [\#125](https://github.com/lynndylanhurley/devise_token_auth/pull/125) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Fix links to section about controller integration. 
[\#117](https://github.com/lynndylanhurley/devise_token_auth/pull/117) ([Le6ow5k1](https://github.com/Le6ow5k1)) +- document GET for /validate\_token [\#113](https://github.com/lynndylanhurley/devise_token_auth/pull/113) ([lukaselmer](https://github.com/lukaselmer)) +- Fix small error in documentation. [\#91](https://github.com/lynndylanhurley/devise_token_auth/pull/91) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Exclude devise modules [\#85](https://github.com/lynndylanhurley/devise_token_auth/pull/85) ([jartek](https://github.com/jartek)) +- fix\(registration and update\): Ensure UID is updated alongside Email, and case-sensitivity is honored [\#71](https://github.com/lynndylanhurley/devise_token_auth/pull/71) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Add better guidelines for contributors. [\#67](https://github.com/lynndylanhurley/devise_token_auth/pull/67) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Use resource\_class to override email confirmation. [\#64](https://github.com/lynndylanhurley/devise_token_auth/pull/64) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- fix\(case-sensitivity\): support devise case\_insensitive\_keys for session ... [\#57](https://github.com/lynndylanhurley/devise_token_auth/pull/57) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(contention\): fix write contention in update\_auth\_headers and always ... [\#52](https://github.com/lynndylanhurley/devise_token_auth/pull/52) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Include resource.errors.full\_messages in error response. 
[\#50](https://github.com/lynndylanhurley/devise_token_auth/pull/50) ([jasonswett](https://github.com/jasonswett)) +- fix\(expiry\): fix an issue where token expiration checks were too permissive [\#49](https://github.com/lynndylanhurley/devise_token_auth/pull/49) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Update README with Example Generator Command [\#35](https://github.com/lynndylanhurley/devise_token_auth/pull/35) ([wwilkins](https://github.com/wwilkins)) +- Remove OmniAuth dependency [\#26](https://github.com/lynndylanhurley/devise_token_auth/pull/26) ([hannahhoward](https://github.com/hannahhoward)) +- Update README.md [\#24](https://github.com/lynndylanhurley/devise_token_auth/pull/24) ([davidsavoya](https://github.com/davidsavoya)) +- guard against MissingAttributeError during common ActiveRecord operations [\#19](https://github.com/lynndylanhurley/devise_token_auth/pull/19) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Fix expiry data type [\#11](https://github.com/lynndylanhurley/devise_token_auth/pull/11) ([lonre](https://github.com/lonre)) +- README and travis config tweaks [\#7](https://github.com/lynndylanhurley/devise_token_auth/pull/7) ([guilhermesimoes](https://github.com/guilhermesimoes)) + + + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file diff --git a/Gemfile b/Gemfile index f826f53ff..904b40945 100644 --- a/Gemfile +++ b/Gemfile @@ -41,3 +41,7 @@ end group :test do gem "codeclimate-test-reporter", require: nil end + +group :development do + gem "github_changelog_generator" +end \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index 74b3a6a78..804d58785 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.37.beta4) + devise_token_auth (0.1.37) devise (> 3.5.2, < 4.1) rails (< 6) 
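Review bot: `gem "github_changelog_generator"` in the new `group :development` block carries no version constraint, so a `bundle install` done without the lockfile can resolve to any future release of that gem and of the transitive tree it drags in (the lock in this same commit resolves it to 1.10.1 on top of github_api, faraday, hashie, multi_json and oauth2). Pinning to the resolved series, `gem "github_changelog_generator", "~> 1.10"`, keeps the Gemfile and the lock in agreement about what is acceptable. The hunk also leaves the file with `\ No newline at end of file`; adding the trailing newline keeps the next edit to this file from touching the `end` line again.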
@@ -86,7 +86,10 @@ GEM codeclimate-test-reporter (0.4.8) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) + colorize (0.7.7) concurrent-ruby (1.0.0) + descendants_tracker (0.0.4) + thread_safe (~> 0.3, >= 0.3.1) devise (3.5.5) bcrypt (~> 3.0) orm_adapter (~> 0.1) @@ -104,6 +107,16 @@ GEM ffi (1.9.10) formatador (0.2.5) fuzz_ball (0.9.1) + github_api (0.13.1) + addressable (~> 2.4.0) + descendants_tracker (~> 0.0.4) + faraday (~> 0.8, < 0.10) + hashie (>= 3.4) + multi_json (>= 1.7.5, < 2.0) + oauth2 + github_changelog_generator (1.10.1) + colorize (~> 0.7) + github_api (~> 0.12) globalid (0.3.6) activesupport (>= 4.1.0) guard (2.13.0) @@ -246,6 +259,7 @@ DEPENDENCIES faker figaro! fuzz_ball + github_changelog_generator guard guard-minitest minitest diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index a6245369e..fcfd69e8b 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.37.beta4" + VERSION = "0.1.37" end From 9278dc1002df04c9fb58d36bef918939f5b7406b Mon Sep 17 00:00:00 2001 From: jeryRazakarison Date: Tue, 26 Jan 2016 21:25:44 +0100 Subject: [PATCH 221/328] Prevent raise of exception if set_user_by_token not defined Rails 4 like --- .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 07813d871..6368cf596 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -2,7 +2,7 @@ module DeviseTokenAuth class OmniauthCallbacksController < DeviseTokenAuth::ApplicationController attr_reader :auth_params - skip_before_action :set_user_by_token + skip_before_action :set_user_by_token, raise: false skip_after_action :update_auth_header # intermediary route for successful omniauth authentication. omniauth does From b975a1f64f9ea05afe9a3a7ed053ac5ea0bd4e3a Mon Sep 17 00:00:00 2001 From: djsegal Date: Wed, 27 Jan 2016 02:53:08 -0500 Subject: [PATCH 222/328] Make render_create_success render valid json_api --- .../devise_token_auth/registrations_controller.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index c5283ee53..184fde0dd 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -124,9 +124,14 @@ def render_create_error_redirect_url_not_allowed end def render_create_success + response_data = @resource.as_json + if defined?(ActiveModel::Serializer) && + ActiveModel::Serializer.config.adapter == :json_api + response_data['type'] = @resource.class.name.parameterize + end render json: { status: 'success', - data: @resource.as_json + data: response_data } end From ffeefadee3a226ac1b5983375758627849536d88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Halil=20=C3=96zg=C3=BCr?= Date: Fri, 29 Jan 2016 22:23:43 +0200 Subject: [PATCH 223/328] Fix enable_standard_devise_support in initializer --- lib/generators/devise_token_auth/templates/devise_token_auth.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index ba76d510a..768f13990 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb 
+++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb @@ -33,5 +33,5 @@ # By default, only Bearer Token authentication is implemented out of the box. # If, however, you wish to integrate with legacy Devise authentication, you can # do so by enabling this flag. NOTE: This feature is highly experimental! - # enable_standard_devise_support = false + # config.enable_standard_devise_support = false end From 2cda0122a8e1d72b2e82c74e584138967f83c03a Mon Sep 17 00:00:00 2001 From: Charles De Groote Date: Thu, 4 Feb 2016 18:12:47 +0100 Subject: [PATCH 224/328] create token when no client_id token fix #286. Case of no change headers on each request. --- app/models/devise_token_auth/concerns/user.rb | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 3dcc5a02b..36fb3257d 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -196,18 +196,23 @@ def create_new_auth_token(client_id=nil) def build_auth_header(token, client_id='default') client_id ||= 'default' + + if !DeviseTokenAuth.change_headers_on_each_request && self.tokens[client_id].nil? + create_new_auth_token(client_id) + else - # client may use expiry to prevent validation request if expired - # must be cast as string or headers will break - expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] - - return { - "access-token" => token, - "token-type" => "Bearer", - "client" => client_id, - "expiry" => expiry.to_s, - "uid" => self.uid - } + # client may use expiry to prevent validation request if expired + # must be cast as string or headers will break + expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] + + return { + "access-token" => token, + "token-type" => "Bearer", + "client" => client_id, + "expiry" => expiry.to_s, + "uid" => self.uid + } + end end 
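Review bot: The new fallback in `build_auth_header` discards the `token` argument and mints a fresh token whenever `self.tokens[client_id]` is nil, but a nil entry is also what sign-out and `destroy_expired_tokens` leave behind, so with `change_headers_on_each_request` disabled any caller of this method can silently re-issue credentials to a revoked client. Make the minting an explicit opt-in that only the path the fix targets uses, e.g. `def build_auth_header(token, client_id='default', create_if_missing: false)` and `return nil if self.tokens[client_id].nil? && !create_if_missing`, or at least add `# NOTE: a nil entry may mean the token was revoked; callers must check before relying on this branch` above the `if`. The `else` body is also indented one level deeper than the `if`/`else` keywords, which reads as if it were nested. The method ends inside the hunk.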
From afc9f6bc2f30c3ac738298af765f8f3bb604a591 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Virginia=20Rodr=C3=ADguez?= Date: Thu, 4 Feb 2016 17:13:04 -0300 Subject: [PATCH 225/328] Avoid sending auth headers if while processing used token is cleared --- .../concerns/set_user_by_token.rb | 7 ++++ test/controllers/demo_user_controller_test.rb | 36 ++++++++++++++++--- .../app/controllers/demo_user_controller.rb | 13 +++++++ test/dummy/config/routes.rb | 2 ++ 4 files changed, 54 insertions(+), 4 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index ebed505e8..de24b8497 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -74,6 +74,10 @@ def update_auth_header @client_id = nil unless @used_auth_by_token if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request + # should not append auth header if @resource related token was + # cleared by sign out in the meantime + return if @resource.reload.tokens[@client_id].nil? + auth_header = @resource.build_auth_header(@token, @client_id) # update the response header @@ -84,6 +88,9 @@ def update_auth_header # Lock the user record during any auth_header updates to ensure # we don't have write contention from multiple threads @resource.with_lock do + # should not append auth header if @resource related token was + # cleared by sign out in the meantime + return if @used_auth_by_token && @resource.tokens[@client_id].nil? # determine batch request status after request processing, in case # another processes has updated it during that processing diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index cfa6c206f..794b01b56 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb 
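Review bot: `@resource.reload` in the first hunk raises `ActiveRecord::RecordNotFound` if the action deleted the user row (an account-destroy action would do that, unless something upstream already skips this after_action for destroyed resources), turning a successful delete into a 404 whenever `change_headers_on_each_request` is false; guard it with `return if @resource.destroyed? || @resource.reload.tokens[@client_id].nil?`. In the second hunk the `return` leaves the `with_lock` block before anything has been written, so commit-versus-rollback does not matter here, but a one-line comment saying so would save the next reader the check. `update_auth_header` begins before the first hunk and continues past the second.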
@@ -321,11 +321,40 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest get '/demo/members_only', {}, @old_auth_headers assert 401, response.status end - + end end + describe 'request including destroy of token' do + describe 'when change_headers_on_each_request is set to false' do + before do + DeviseTokenAuth.change_headers_on_each_request = false + age_token(@resource, @client_id) + + get '/demo/members_only_remove_token', {}, @auth_headers + end + + after do + DeviseTokenAuth.change_headers_on_each_request = true + end + + it 'should not return auth-headers' do + refute response.headers['access-token'] + end + end + + describe 'when change_headers_on_each_request is set to true' do + before do + age_token(@resource, @client_id) + get '/demo/members_only_remove_token', {}, @auth_headers + end + + it 'should not return auth-headers' do + refute response.headers['access-token'] + end + end + end end describe 'enable_standard_devise_support' do @@ -364,8 +393,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest it 'should not define current_mang' do refute_equal @resource, @controller.current_mang end - - + + it 'should increase the number of tokens by a factor of 2 up to 11' do @first_token = @resource.tokens.keys.first @@ -459,6 +488,5 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest end end - end end diff --git a/test/dummy/app/controllers/demo_user_controller.rb b/test/dummy/app/controllers/demo_user_controller.rb index 9bf3191b0..a17789fbd 100644 --- a/test/dummy/app/controllers/demo_user_controller.rb +++ b/test/dummy/app/controllers/demo_user_controller.rb @@ -9,4 +9,17 @@ def members_only } }, status: 200 end + + def members_only_remove_token + u = User.find(current_user.id) + u.tokens = {} + u.save! + + render json: { + data: { + message: "Welcome #{current_user.name}", + user: current_user + } + }, status: 200 + end end 
diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index 2c1c7371a..b2f45c838 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -56,6 +56,8 @@ # this route will authorize visitors using the User class get 'demo/members_only', to: 'demo_user#members_only' + get 'demo/members_only_remove_token', to: 'demo_user#members_only_remove_token' + # routes within this block will authorize visitors using the Mang class get 'demo/members_only_mang', to: 'demo_mang#members_only' From 4a9df4f5b6451adefbffd3baeef54c757e3daad5 Mon Sep 17 00:00:00 2001 From: Alexander Merkulov Date: Sat, 6 Feb 2016 00:26:01 +0300 Subject: [PATCH 226/328] Extract callbacks. Add setting for exctracted callbacks. Load it by default. Fix generator template. Add line to readme. --- .gitignore | 1 + README.md | 1 + app/models/devise_token_auth/concerns/user.rb | 23 ++------------- .../concerns/user_omniauth_callbacks.rb | 28 +++++++++++++++++++ lib/devise_token_auth/engine.rb | 4 ++- .../templates/devise_token_auth.rb | 4 +++ 6 files changed, 40 insertions(+), 21 deletions(-) create mode 100644 app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb diff --git a/.gitignore b/.gitignore index b4390ac67..a6f6298cf 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,5 @@ test/dummy/.sass-cache test/dummy/config/application.yml coverage .idea +.irb_history .ruby-version diff --git a/README.md b/README.md index 0f64e710c..d5e87b62a 100644 --- a/README.md +++ b/README.md 
@@ -166,6 +166,7 @@ The following settings are available for configuration in `config/initializers/d | **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | | **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! | | **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. | +| **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. | Additionally, you can configure other aspects of devise by manually creating the traditional devise.rb file at `config/initializers/devise.rb`. Here are some examples of what you can do in this file: diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 3dcc5a02b..216a9e5e0 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
@@ -27,20 +27,14 @@ def self.tokens_match?(token_hash, token) serialize :tokens, JSON end - validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' } - validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } - - # only validate unique emails among email registration users - validate :unique_email_user, on: :create + if DeviseTokenAuth.default_callbacks + include DeviseTokenAuth::Concerns::UserOmniauthCallbacks + end # can't set default on text fields in mysql, simulate here instead. after_save :set_empty_token_hash after_initialize :set_empty_token_hash - # keep uid in sync with email - before_save :sync_uid - before_create :sync_uid - # get rid of dead tokens before_save :destroy_expired_tokens @@ -239,21 +233,10 @@ def token_validation_response protected - # only validate unique email among users that registered by email - def unique_email_user - if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, I18n.t("errors.messages.already_in_use")) - end - end - def set_empty_token_hash self.tokens ||= {} if has_attribute?(:tokens) end - def sync_uid - self.uid = email if provider == 'email' - end - def destroy_expired_tokens if self.tokens self.tokens.delete_if do |cid, v| diff --git a/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb new file mode 100644 index 000000000..ac500861d --- /dev/null +++ b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb 
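Review bot: `if DeviseTokenAuth.default_callbacks` is evaluated when the model's class body runs, so the flag is read once at load time: an app that sets `config.default_callbacks = false` after the model has been autoloaded, or toggles it in tests, still gets the concern included. Add `# evaluated at class load; set config.default_callbacks in an initializer` above the `if`, and say the same in the README entry. Disabling it also drops the email presence/uniqueness validations and the uid sync, not only OmniAuth-related behaviour as the concern's name suggests, which is worth stating next to the setting. The class body continues outside the hunk.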
@@ -0,0 +1,28 @@ +module DeviseTokenAuth::Concerns::UserOmniauthCallbacks + extend ActiveSupport::Concern + + included do + validates :email, presence: true, email: true, if: Proc.new { |u| u.provider == 'email' } + validates_presence_of :uid, if: Proc.new { |u| u.provider != 'email' } + + # only validate unique emails among email registration users + validate :unique_email_user, on: :create + + # keep uid in sync with email + before_save :sync_uid + before_create :sync_uid + end + + protected + + # only validate unique email among users that registered by email + def unique_email_user + if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 + errors.add(:email, I18n.t("errors.messages.already_in_use")) + end + end + + def sync_uid + self.uid = email if provider == 'email' + end +end diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index fc1cbd855..c75240dfa 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -19,7 +19,8 @@ class Engine < ::Rails::Engine :redirect_whitelist, :check_current_password_before_update, :enable_standard_devise_support, - :remove_tokens_after_password_reset + :remove_tokens_after_password_reset, + :default_callbacks self.change_headers_on_each_request = true self.max_number_of_devices = 10 @@ -32,6 +33,7 @@ class Engine < ::Rails::Engine self.check_current_password_before_update = false self.enable_standard_devise_support = false self.remove_tokens_after_password_reset = false + self.default_callbacks = true def self.setup(&block) yield self diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index 768f13990..5ae1a23ad 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb 
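Review bot: `unique_email_user` is an application-level check (`where(...).count > 0`) that two concurrent sign-ups with the same email both pass, so it only narrows the window unless a unique database index on `[provider, email]` (or on `uid`) backs it; the migration generator is outside this diff, so please confirm such an index exists. `self.class.where(provider: 'email', email: email).exists?` is cheaper than `count > 0`, and `&&` should replace `and` in that condition. `before_save :sync_uid` already fires on create, so `before_create :sync_uid` is redundant.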
@@ -30,6 +30,10 @@ # password is updated. # config.check_current_password_before_update = :attributes + # By default we will use callbacks for single omniauth. + # It depends on fields like email, provider and uid. + # config.default_callbacks = true + # By default, only Bearer Token authentication is implemented out of the box. # If, however, you wish to integrate with legacy Devise authentication, you can # do so by enabling this flag. NOTE: This feature is highly experimental! From 62820614833b66615f714100c7d6e6ff3e68f4c5 Mon Sep 17 00:00:00 2001 From: gro_0ve Date: Mon, 8 Feb 2016 03:08:25 +0300 Subject: [PATCH 227/328] Added omniauth post route --- lib/devise_token_auth/rails/routes.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 9884fa5dc..3280e25b7 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -58,8 +58,8 @@ def mount_devise_token_auth_for(resource, opts) match "#{full_path}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get] match "#{full_path}/:provider/callback", controller: omniauth_ctrl, action: "omniauth_success", via: [:get] - match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: "redirect_callbacks", via: [:get] - match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get] + match "#{DeviseTokenAuth.omniauth_prefix}/:provider/callback", controller: omniauth_ctrl, action: "redirect_callbacks", via: [:get, :post] + match "#{DeviseTokenAuth.omniauth_prefix}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get, :post] # preserve the resource class thru oauth authentication by setting name of # resource as "resource_class" param From 89630dc2c9c0ad26246323bd0529c5476c8b52d5 Mon Sep 17 00:00:00 2001 
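Review bot: Accepting POST on `#{DeviseTokenAuth.omniauth_prefix}/:provider/callback` puts the callback through Rails' request-forgery protection: if the host app's `ApplicationController` uses `protect_from_forgery with: :exception`, a provider that POSTs back (presumably the motivation here) will be rejected with `InvalidAuthenticityToken` unless `redirect_callbacks` skips verification, and once it is skipped, login-CSRF protection rests entirely on OmniAuth's `state` check. Please confirm the callbacks controller handles this, e.g. `skip_before_action :verify_authenticity_token, only: [:redirect_callbacks, :omniauth_failure], raise: false`, and note the reasoning in a comment above the two `match` lines.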
From: metalunk Date: Tue, 9 Feb 2016 15:01:24 +0900 Subject: [PATCH 228/328] Add ja locale --- config/locales/ja.yml | 47 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 config/locales/ja.yml diff --git a/config/locales/ja.yml b/config/locales/ja.yml new file mode 100644 index 000000000..941ceac29 --- /dev/null +++ b/config/locales/ja.yml 
@@ -0,0 +1,47 @@ +ja: + devise_token_auth: + sessions: + not_confirmed: "'%{email}' に確認用のメールを送信しました。メール内の説明を読み、アカウントの有効化をしてください。" + bad_credentials: "ログイン用の認証情報が正しくありません。再度お試しください。" + not_supported: "/sign_in に GET はサポートされていません。POST をお使いください。" + user_not_found: "ユーザーが見つからないか、ログインしていません。" + token_validations: + invalid: "ログイン用の認証情報が正しくありません。" + registrations: + missing_confirm_success_url: "'confirm_success_url' パラメータが与えられていません。" + redirect_url_not_allowed: "'%{redirect_url}' へのリダイレクトは許可されていません。" + email_already_exists: "'%{email}' のアカウントはすでに存在しています。" + account_with_uid_destroyed: "'%{uid}' のアカウントは削除されました。" + account_to_destroy_not_found: "削除するアカウントが見つかりません。" + user_not_found: "ユーザーが見つかりません。" + passwords: + missing_email: "メールアドレスが与えられていません。" + missing_redirect_url: "リダイレクト URL が与えられていません。" + not_allowed_redirect_url: "'%{redirect_url}' へのリダイレクトは許可されていません。" + sended: "'%{email}' にパスワードリセットの案内が送信されました。" + user_not_found: "メールアドレス '%{email}' のユーザーが見つかりません。" + password_not_required: "このアカウントはパスワードを要求していません。'%{provider}' を利用してログインしてください。" + missing_passwords: "'Password', 'Password confirmation' パラメータが与えられていません。" + successfully_updated: "パスワードの更新に成功しました。" + errors: + messages: + already_in_use: "すでに利用されています。" + validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。" + validate_account_update_params: "リクエストボディに適切なアカウント更新のデータを送信してください。" + not_email: "はメールアドレスではありません" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "下記のリンクからアカウントを有効化できます:" + confirm_account_link: "アカウントを有効化する" + reset_password_instructions: + request_reset_link_msg: "パスワード変更のリクエストが送信されました。下記のリンクからパスワードの変更をできます。" + password_change_link: "パスワードを変更する" + ignore_mail_msg: "もしこの内容に覚えがない場合は、このメールを無視してください。" + no_changes_msg: "上記のリンクにアクセスして新しいパスワードを作成するまで、現在のパスワードは変更されません。" + unlock_instructions: + account_lock_msg: "連続してログインに失敗したため、あなたのアカウントはロックされました。" + unlock_link_msg: "下記のリンクをクリックしてアカウントを有効化してください:" + unlock_link: "アカウントを有効化する" + hello: "こんにちは" + welcome: "ようこそ" 
From a6448c792d40f4745e22b270169de5b3b720febd Mon Sep 17 00:00:00 2001 From: metalunk Date: Tue, 9 Feb 2016 15:22:38 +0900 Subject: [PATCH 229/328] Fix typos --- README.md | 2 +- lib/generators/devise_token_auth/USAGE | 2 +- .../custom/custom_omniauth_callbacks_controller_test.rb | 2 +- test/controllers/demo_user_controller_test.rb | 2 +- .../devise_token_auth/omniauth_callbacks_controller_test.rb | 2 +- test/controllers/overrides/passwords_controller_test.rb | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0f64e710c..3a44db779 100644 --- a/README.md +++ b/README.md @@ -844,7 +844,7 @@ These measures are taken by default when using this gem. ## About batch requests -By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's neccessary to make several concurrent requests to the API, for example: +By default, the API should update the auth token for each request ([read more](#about-token-management)). But sometimes it's necessary to make several concurrent requests to the API, for example: #####Batch request example ~~~javascript diff --git a/lib/generators/devise_token_auth/USAGE b/lib/generators/devise_token_auth/USAGE index 453620202..eb59d728f 100644 --- a/lib/generators/devise_token_auth/USAGE +++ b/lib/generators/devise_token_auth/USAGE @@ -1,6 +1,6 @@ Description: This generator will install all the necessary configuration and migration - files for the devies_token_auth gem. See + files for the devise_token_auth gem. See https://github.com/lynndylanhurley/devise_token_auth for more information. Arguments: diff --git a/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb index 950bc7820..a5b8fea95 100644 --- a/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb +++ b/test/controllers/custom/custom_omniauth_callbacks_controller_test.rb 
@@ -16,7 +16,7 @@ class Custom::OmniauthCallbacksControllerTest < ActionDispatch::IntegrationTest }) end - test "yield resource to block on omniauth_sucess success" do + test "yield resource to block on omniauth_success success" do @redirect_url = "http://ng-token-auth.dev/" get_via_redirect '/nice_user_auth/facebook', { auth_origin_url: @redirect_url, diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index cfa6c206f..b18b7eabd 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb @@ -315,7 +315,7 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest assert 200, response.status end - describe 'another device should not be abble to login' do + describe 'another device should not be able to login' do it 'should return forbidden status' do get '/demo/members_only', {}, @old_auth_headers diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index ea8f9988d..f81acb6f1 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -263,7 +263,7 @@ def get_success(params = {}) assert_equal({"error"=>"invalid_credentials", "message"=>"authFailure"}, data) end - test 'renders somethign with no auth_origin_url' do + test 'renders something with no auth_origin_url' do get_via_redirect '/auth/facebook' assert_equal 200, response.status assert_select "body", "invalid_credentials" diff --git a/test/controllers/overrides/passwords_controller_test.rb b/test/controllers/overrides/passwords_controller_test.rb index 6a32c8f0e..e2dce5034 100644 --- a/test/controllers/overrides/passwords_controller_test.rb +++ b/test/controllers/overrides/passwords_controller_test.rb 
@@ -42,7 +42,7 @@ class Overrides::PasswordsControllerTest < ActionDispatch::IntegrationTest @override_proof = @qs["override_proof"] end - test 'respones should have success redirect status' do + test 'response should have success redirect status' do assert_equal 302, response.status end From 4210ee68144e906b881468480ac929d71fda778c Mon Sep 17 00:00:00 2001 From: djsegal Date: Fri, 12 Feb 2016 15:21:58 -0500 Subject: [PATCH 230/328] Change Unprocessable Entity errors from 403 to 422 --- .../devise_token_auth/passwords_controller.rb | 2 +- .../registrations_controller.rb | 10 +++++----- .../passwords_controller_test.rb | 2 +- .../registrations_controller_test.rb | 18 +++++++++--------- .../overrides/registrations_controller.rb | 2 +- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 8851d0862..52278d3bc 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -162,7 +162,7 @@ def render_create_error_not_allowed_redirect_url status: 'error', data: @resource.as_json, errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)] - }, status: 403 + }, status: 422 end def render_create_success diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 184fde0dd..e80ac2406 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -112,7 +112,7 @@ def render_create_error_missing_confirm_success_url status: 'error', data: @resource.as_json, errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] - }, status: 403 + }, status: 422 end def render_create_error_redirect_url_not_allowed 
@@ -120,7 +120,7 @@ def render_create_error_redirect_url_not_allowed status: 'error', data: @resource.as_json, errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @redirect_url)] - }, status: 403 + }, status: 422 end def render_create_success @@ -140,7 +140,7 @@ def render_create_error status: 'error', data: @resource.as_json, errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) - }, status: 403 + }, status: 422 end def render_create_error_email_already_exists @@ -148,7 +148,7 @@ def render_create_error_email_already_exists status: 'error', data: @resource.as_json, errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)] - }, status: 403 + }, status: 422 end def render_update_success @@ -162,7 +162,7 @@ def render_update_error render json: { status: 'error', errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) - }, status: 403 + }, status: 422 end def render_update_error_user_not_found diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 461879c1c..74377035c 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -256,7 +256,7 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase redirect_url: @bad_redirect_url } - assert_equal 403, response.status + assert_equal 422, response.status end test "request to non-whitelisted redirect should return error message" do xhr :post, :create, { diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb index abc7a1c31..e0df8bc9a 100644 --- a/test/controllers/devise_token_auth/registrations_controller_test.rb +++ b/test/controllers/devise_token_auth/registrations_controller_test.rb 
@@ -131,7 +131,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration } @data = JSON.parse(response.body) - assert_equal 403, response.status + assert_equal 422, response.status assert @data["errors"] assert_equal @data["errors"], [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @bad_redirect_url)] end @@ -147,7 +147,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration unpermitted_param: '(x_x)' } - assert_equal 403, response.status + assert_equal 422, response.status end test "request to non-whitelisted redirect should fail" do @@ -311,7 +311,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end test "request should not be successful" do - assert_equal 403, response.status + assert_equal 422, response.status end test "user should not have been created" do @@ -340,7 +340,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end test "request should not be successful" do - assert_equal 403, response.status + assert_equal 422, response.status end test "user should not have been created" do @@ -370,7 +370,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end test "request should not be successful" do - assert_equal 403, response.status + assert_equal 422, response.status end test "user should have been created" do @@ -402,7 +402,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end test "request should not be successful" do - assert_equal 403, response.status + assert_equal 422, response.status end test "user should have been created" do @@ -563,7 +563,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration end test "Request was NOT successful" do - assert_equal 403, response.status + assert_equal 422, response.status end test "Errors were provided with response" do 
@@ -627,7 +627,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration test "Request was NOT successful" do put "/auth", @request_params, @auth_headers - assert_equal 403, response.status + assert_equal 422, response.status end end end @@ -671,7 +671,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::Integration test "Request was NOT successful" do put "/auth", @request_params, @auth_headers - assert_equal 403, response.status + assert_equal 422, response.status end end end diff --git a/test/dummy/app/controllers/overrides/registrations_controller.rb b/test/dummy/app/controllers/overrides/registrations_controller.rb index 2d8274992..5c6be0ce4 100644 --- a/test/dummy/app/controllers/overrides/registrations_controller.rb +++ b/test/dummy/app/controllers/overrides/registrations_controller.rb @@ -14,7 +14,7 @@ def update render json: { status: 'error', errors: @resource.errors - }, status: 403 + }, status: 422 end else render json: { From 66dc3bae0c14294ae54f9a0f774d8f22476016bd Mon Sep 17 00:00:00 2001 From: djsegal Date: Fri, 12 Feb 2016 15:26:04 -0500 Subject: [PATCH 231/328] Refactor resource_errors out into app controller --- app/controllers/devise_token_auth/application_controller.rb | 4 ++++ app/controllers/devise_token_auth/passwords_controller.rb | 2 +- app/controllers/devise_token_auth/registrations_controller.rb | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 08ef096bb..3bdc74d23 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb 
@@ -2,6 +2,10 @@ module DeviseTokenAuth class ApplicationController < DeviseController include DeviseTokenAuth::Concerns::SetUserByToken + def resource_errors + return @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + end + protected def params_for_resource(resource) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 52278d3bc..49b48f79b 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -217,7 +217,7 @@ def render_update_success def render_update_error return render json: { success: false, - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + errors: resource_errors }, status: 422 end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index e80ac2406..8b7a333dd 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -139,7 +139,7 @@ def render_create_error render json: { status: 'error', data: @resource.as_json, - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + errors: resource_errors }, status: 422 end @@ -161,7 +161,7 @@ def render_update_success def render_update_error render json: { status: 'error', - errors: @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) + errors: resource_errors }, status: 422 end From 4f7fdf789f51c9499582d264811e211fe5ad170b Mon Sep 17 00:00:00 2001 
From: djsegal Date: Fri, 12 Feb 2016 15:30:29 -0500 Subject: [PATCH 232/328] Refactor resource_data out into app controller --- .../devise_token_auth/application_controller.rb | 14 ++++++++++++++ .../devise_token_auth/passwords_controller.rb | 9 ++++----- .../registrations_controller.rb | 17 ++++++----------- .../passwords_controller_test.rb | 4 ++-- 4 files changed, 26 insertions(+), 18 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 3bdc74d23..18e930cb9 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -2,6 +2,14 @@ module DeviseTokenAuth class ApplicationController < DeviseController include DeviseTokenAuth::Concerns::SetUserByToken + def resource_data + response_data = @resource.as_json + if is_json_api + response_data['type'] = @resource.class.name.parameterize + end + response_data + end + def resource_errors return @resource.errors.to_hash.merge(full_messages: @resource.errors.full_messages) end @@ -21,5 +29,11 @@ def resource_class(m=nil) mapping.to end + + def is_json_api + return false unless defined?(ActiveModel::Serializer) + return ActiveModel::Serializer.config.adapter == :json_api + end + end end diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 49b48f79b..dce44a8cb 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -160,7 +160,7 @@ def render_create_error_missing_redirect_url def render_create_error_not_allowed_redirect_url render json: { status: 'error', - data: @resource.as_json, + data: resource_data, errors: [I18n.t("devise_token_auth.passwords.not_allowed_redirect_url", redirect_url: @redirect_url)] }, status: 422 end 
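Review bot: `resource_data` and `resource_errors` sit above `protected`, so they are public controller methods and therefore candidate actions for any catch-all `:controller/:action` route in the host app; only subclasses call them, so move both below `protected`. `resource_data` now feeds every success and error body in the passwords and registrations controllers, so it is worth confirming that the model's `as_json` strips `tokens` and other sensitive columns, since that override is not in this diff. `ActiveModel::Serializer.config.adapter` may hold a class or string rather than the symbol `:json_api` depending on how the app configures it, so `is_json_api` may return false for a JSON:API app; consider `adapter.to_s.underscore.end_with?('json_api')` or document the symbol requirement. The class continues outside the hunk.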
@@ -168,6 +168,7 @@ def render_create_error_not_allowed_redirect_url def render_create_success render json: { success: true, + data: resource_data, message: I18n.t("devise_token_auth.passwords.sended", email: @email) } end @@ -207,10 +208,8 @@ def render_update_error_missing_password def render_update_success render json: { success: true, - data: { - user: @resource, - message: I18n.t("devise_token_auth.passwords.successfully_updated") - } + data: resource_data, + message: I18n.t("devise_token_auth.passwords.successfully_updated") } end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index 8b7a333dd..cf337c51f 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -110,7 +110,7 @@ def account_update_params def render_create_error_missing_confirm_success_url render json: { status: 'error', - data: @resource.as_json, + data: resource_data, errors: [I18n.t("devise_token_auth.registrations.missing_confirm_success_url")] }, status: 422 end @@ -118,27 +118,22 @@ def render_create_error_missing_confirm_success_url def render_create_error_redirect_url_not_allowed render json: { status: 'error', - data: @resource.as_json, + data: resource_data, errors: [I18n.t("devise_token_auth.registrations.redirect_url_not_allowed", redirect_url: @redirect_url)] }, status: 422 end def render_create_success - response_data = @resource.as_json - if defined?(ActiveModel::Serializer) && - ActiveModel::Serializer.config.adapter == :json_api - response_data['type'] = @resource.class.name.parameterize - end render json: { status: 'success', - data: response_data + data: resource_data } end def render_create_error render json: { status: 'error', - data: @resource.as_json, + data: resource_data, errors: resource_errors }, status: 422 end 
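Review bot: Adding `data: resource_data` to passwords_controller's `render_create_success` puts the looked-up user's serialized attributes into the response of what appears to be the unauthenticated password-reset request (the `passwords.sended` message is rendered beside it), so anyone who knows an email address receives that account's record without authenticating. The message alone is sufficient there; keep `success: true` and `message:` and drop the `data:` key, or, if a client genuinely needs it, restrict it to an explicit `only:` list. `render_create_success`'s enclosing class and the `create` action that calls it are outside the hunk.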
@@ -146,7 +141,7 @@ def render_create_error def render_create_error_email_already_exists render json: { status: 'error', - data: @resource.as_json, + data: resource_data, errors: [I18n.t("devise_token_auth.registrations.email_already_exists", email: @resource.email)] }, status: 422 end @@ -154,7 +149,7 @@ def render_create_error_email_already_exists def render_update_success render json: { status: 'success', - data: @resource.as_json + data: resource_data } end diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 74377035c..00cb1f6eb 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -380,8 +380,8 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end test "request should return success message" do - assert @data["data"]["message"] - assert_equal @data["data"]["message"], I18n.t("devise_token_auth.passwords.successfully_updated") + assert @data["message"] + assert_equal @data["message"], I18n.t("devise_token_auth.passwords.successfully_updated") end test "new password should authenticate user" do From 857c70f27c050a7901017e662e7dccf48b809c5f Mon Sep 17 00:00:00 2001 From: Alexander Merkulov Date: Tue, 16 Feb 2016 02:18:15 +0300 Subject: [PATCH 233/328] Add namespace prefix for oauth --- .../devise_token_auth/omniauth_callbacks_controller.rb | 8 +++++--- lib/devise_token_auth/rails/routes.rb | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 6368cf596..27e1ba82f 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -11,8 +11,9 @@ def redirect_callbacks # derive target redirect route from 'resource_class' param, which was set # before authentication. - devise_mapping = request.env['omniauth.params']['resource_class'].underscore.gsub("/", "_").to_sym - redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping].fullpath}/#{params[:provider]}/callback" + devise_mapping = [request.env['omniauth.params']['namespace_name'], + request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_') + redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback" # preserve omniauth info for success route. ignore 'extra' in twitter # auth response to avoid CookieOverflow. @@ -142,7 +143,8 @@ def assert_is_devise_resource! # necessary for access to devise_parameter_sanitizers def devise_mapping if omniauth_params - Devise.mappings[omniauth_params['resource_class'].underscore.to_sym] + Devise.mappings[[omniauth_params['namespace_name'], + omniauth_params['resource_class'].underscore].compact.join('_').to_sym] else request.env['devise.mapping'] end diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 9884fa5dc..739358770 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -69,6 +69,7 @@ def mount_devise_token_auth_for(resource, opts) # append name of current resource qs["resource_class"] = [resource] + qs["namespace_name"] = [namespace_name] if namespace_name set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix) From 6a6b37b232cea375dab6d375d27bc15b25af9cce Mon Sep 17 00:00:00 2001 
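Review bot: `devise_mapping` is assembled from `request.env['omniauth.params']['namespace_name']` and `['resource_class']`, which are the query parameters the client supplied when the OAuth flow started, and `Devise.mappings[devise_mapping.to_sym]` returns nil for a key that does not exist, so a tampered or mismatched value raises NoMethodError on `.fullpath` instead of failing in a controlled way; `Devise.mappings.fetch(devise_mapping.to_sym)` gives a clear error. The same join is repeated in the `devise_mapping` method in the second hunk, but only the first applies `.gsub('/', '_')`, so the two will not agree for a nested resource class; a single helper that builds the mapping name from `omniauth_params` should be used at both sites. `redirect_callbacks` continues outside the hunk.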
From: Rui Miguel Santos Date: Sun, 6 Mar 2016 14:51:38 +0000 Subject: [PATCH 234/328] Return resource with top-level 'type' member. Render resource with top-level 'type' member on responses from SessionsController and TokenValidationsController for json:api compliance. --- app/controllers/devise_token_auth/application_controller.rb | 4 ++-- app/controllers/devise_token_auth/sessions_controller.rb | 2 +- .../devise_token_auth/token_validations_controller.rb | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 18e930cb9..6f06ea344 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -2,8 +2,8 @@ module DeviseTokenAuth class ApplicationController < DeviseController include DeviseTokenAuth::Concerns::SetUserByToken - def resource_data - response_data = @resource.as_json + def resource_data(opts={}) + response_data = opts[:resource_json] || @resource.as_json if is_json_api response_data['type'] = @resource.class.name.parameterize end diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index c3a33e093..882a9f645 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -108,7 +108,7 @@ def render_new_error def render_create_success render json: { - data: @resource.token_validation_response + data: resource_data(resource_json: @resource.token_validation_response) } end diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 7d24bcd25..690e995bd 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb 
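Review bot: `resource_data(opts={})` writes `response_data['type']` straight onto `opts[:resource_json]` when one is passed, so the hash the caller hands in (`@resource.token_validation_response` in sessions_controller) is mutated in place; `response_data = (opts[:resource_json] || @resource.as_json).dup` avoids the side effect. A keyword argument reads better than an options hash here: `def resource_data(resource_json: nil)`. If `token_validation_response` uses symbol keys, the string key `'type'` will sit beside them; the model is outside this hunk, so that is worth checking.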
@@ -13,12 +13,12 @@ def validate_token end end - protected + protected def render_validate_token_success render json: { success: true, - data: @resource.token_validation_response + data: resource_data(resource_json: @resource.token_validation_response) } end From b16b4650e2ca6935813608abb67c728fcfce5705 Mon Sep 17 00:00:00 2001 From: Ingolfur Edvardsson Date: Fri, 11 Mar 2016 12:29:35 +0000 Subject: [PATCH 235/328] now possible to change headers names in the config file --- .../concerns/set_user_by_token.rb | 11 +++++++--- app/models/devise_token_auth/concerns/user.rb | 10 ++++----- lib/devise_token_auth/engine.rb | 8 ++++++- .../templates/devise_token_auth.rb | 7 +++++++ test/controllers/demo_user_controller_test.rb | 21 +++++++++++++++++++ 5 files changed, 48 insertions(+), 9 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index de24b8497..375bde2e3 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -23,10 +23,15 @@ def set_user_by_token(mapping=nil) # no default user defined return unless rc + #gets the headers names, which was set in the initilize file + uid_name = DeviseTokenAuth.headers_names[:'uid'] + access_token_name = DeviseTokenAuth.headers_names[:'access-token'] + client_name = DeviseTokenAuth.headers_names[:'client'] + # parse header for values necessary for authentication - uid = request.headers['uid'] || params['uid'] - @token = request.headers['access-token'] || params['access-token'] - @client_id = request.headers['client'] || params['client'] + uid = request.headers[uid_name] || params[uid_name] + @token = request.headers[access_token_name] || params[access_token_name] + @client_id = request.headers[client_name] || params[client_name] # client_id isn't required, set to 'default' if absent @client_id ||= 'default' 
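Review bot: In the set_user_by_token hunk the header names are read with `DeviseTokenAuth.headers_names[:'uid']` and friends, which yield nil when an application's initializer overrides `headers_names` with a partial hash, after which `request.headers[nil] || params[nil]` silently authenticates nothing; `DeviseTokenAuth.headers_names.fetch(:uid)` surfaces the misconfiguration on the first request instead. The quoted symbols can be plain `:uid` and `:client` (only `:'access-token'` needs quoting), and the comment has a typo: `# get the header names configured in the initializer`. Reading `@token` from `params[access_token_name]` predates this change, but now that the name is configurable the initializer is a good place to note that tokens sent as query parameters end up in server and proxy logs. `set_user_by_token` continues outside the hunk.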
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 810e56fc1..a8e9dce2d 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -200,11 +200,11 @@ def build_auth_header(token, client_id='default') expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] return { - "access-token" => token, - "token-type" => "Bearer", - "client" => client_id, - "expiry" => expiry.to_s, - "uid" => self.uid + DeviseTokenAuth.headers_names[:"access-token"] => token, + DeviseTokenAuth.headers_names[:"token-type"] => "Bearer", + DeviseTokenAuth.headers_names[:"client"] => client_id, + DeviseTokenAuth.headers_names[:"expiry"] => expiry.to_s, + DeviseTokenAuth.headers_names[:"uid"] => self.uid } end end diff --git a/lib/devise_token_auth/engine.rb b/lib/devise_token_auth/engine.rb index c75240dfa..558e6dbf0 100644 --- a/lib/devise_token_auth/engine.rb +++ b/lib/devise_token_auth/engine.rb @@ -20,7 +20,8 @@ class Engine < ::Rails::Engine :check_current_password_before_update, :enable_standard_devise_support, :remove_tokens_after_password_reset, - :default_callbacks + :default_callbacks, + :headers_names self.change_headers_on_each_request = true self.max_number_of_devices = 10 @@ -34,6 +35,11 @@ class Engine < ::Rails::Engine self.enable_standard_devise_support = false self.remove_tokens_after_password_reset = false self.default_callbacks = true + self.headers_names = {:'access-token' => 'access-token', + :'client' => 'client', + :'expiry' => 'expiry', + :'uid' => 'uid', + :'token-type' => 'token-type' } def self.setup(&block) yield self diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth.rb b/lib/generators/devise_token_auth/templates/devise_token_auth.rb index 5ae1a23ad..af7acd737 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth.rb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth.rb 
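Review bot: In the engine.rb hunk `self.headers_names` is a plain mutable hash and nothing merges a user-supplied `config.headers_names` over these defaults, so an initializer that sets only the one key it wants to rename leaves the remaining names nil for `set_user_by_token` and `build_auth_header`. Keeping the defaults in a frozen constant and merging in `setup`, e.g. `self.headers_names = DEFAULT_HEADERS_NAMES.merge(headers_names)`, keeps partial overrides safe. The demo_user_controller test in the next patch mutates the shared hash in place, which only works because these defaults are not frozen, so it would need to reassign instead.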
@@ -34,6 +34,13 @@ # It depends on fields like email, provider and uid. # config.default_callbacks = true + # Makes it possible to change the headers names + # config.headers_names = {:'access-token' => 'access-token', + # :'client' => 'client', + # :'expiry' => 'expiry', + # :'uid' => 'uid', + # :'token-type' => 'token-type' } + # By default, only Bearer Token authentication is implemented out of the box. # If, however, you wish to integrate with legacy Devise authentication, you can # do so by enabling this flag. NOTE: This feature is highly experimental! diff --git a/test/controllers/demo_user_controller_test.rb b/test/controllers/demo_user_controller_test.rb index 37a00f8ed..226bd972f 100644 --- a/test/controllers/demo_user_controller_test.rb +++ b/test/controllers/demo_user_controller_test.rb @@ -355,6 +355,27 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest end end end + + describe 'when access-token name has been changed' do + before do + # ensure that request is not treated as batch request + DeviseTokenAuth.headers_names[:'access-token'] = 'new-access-token' + auth_headers_modified = @resource.create_new_auth_token + client_id = auth_headers_modified['client'] + age_token(@resource, client_id) + + get '/demo/members_only', {}, auth_headers_modified + @resp_token = response.headers['new-access-token'] + end + + it 'should have "new-access-token" header' do + assert @resp_token.present? + end + + after do + DeviseTokenAuth.headers_names[:'access-token'] = 'access-token' + end + end end describe 'enable_standard_devise_support' do From 832e3e5841d89a26351fa7febcfd5d0980d350d7 Mon Sep 17 00:00:00 2001 From: Niek Schmoller Date: Fri, 11 Mar 2016 13:52:48 +0100 Subject: [PATCH 236/328] Added dutch translations --- config/locales/nl.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 config/locales/nl.yml 
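Review bot: In the demo_user_controller_test hunk the comment `# ensure that request is not treated as batch request` does not describe the lines beneath it, which rename the access-token header; replace it with `# rename the access-token header for this request`. The `after` hook restores the hard-coded `'access-token'` rather than the value in force before the change, so a suite that configures a different name would have it clobbered: capture `@original_name = DeviseTokenAuth.headers_names[:'access-token']` in `before` and restore from it in `after`.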
diff --git a/config/locales/nl.yml b/config/locales/nl.yml
new file mode 100644
index 000000000..83dcc195d
--- /dev/null
+++ b/config/locales/nl.yml
@@ -0,0 +1,31 @@
+nl:
+ devise_token_auth:
+ sessions:
+ not_confirmed: "Een bevestingsmail is verzonden naar het adres '%{email}'. Volg de instructies in de mail om uw account te activeren."
+ bad_credentials: 'Ongeldige logingegevens.'
+ not_supported: "Gebruik POST /sign_in om in te loggen. GET wordt niet ondersteund."
+ user_not_found: "Gebruiker is niet gevonden of niet ingelogd."
+ token_validations:
+ invalid: "Ongeldige logingegevens."
+ registrations:
+ missing_confirm_success_url: "Parameter 'confirm_success_url' ontbreekt."
+ redirect_url_not_allowed: "Redirect naar '%{redirect_url}' niet toegestaan."
+ email_already_exists: "Er bestaat al een account voor het adres '%{email}'"
+ account_with_uid_destroyed: "Account met id '%{uid}' is verwijderd."
+ account_to_destroy_not_found: "Te verwijderen account niet gevonden."
+ user_not_found: "Gebruiker niet gevonden."
+ passwords:
+ missing_email: "Je moet een e-mailadres opgeven."
+ missing_redirect_url: "Redirect URL ontbreekt."
+ not_allowed_redirect_url: "Redirect naar '%{redirect_url}' niet toegestaan."
+ sended: "Er is een e-mail naar '%{email}' verstuurd met instructies om uw wachtwoord te resetten."
+ user_not_found: "Kan gebruiker met e-mail '%{email}' niet vinden."
+ password_not_required: "Voor dit account is geen wachtwoord nodig. Log in met uw '%{provider}' account."
+ missing_passwords: "De velden 'Wachtwoord' en 'Wachtwoord bevestiging' zijn verplicht."
+ successfully_updated: "Uw wachtwoord is aangepast."
+ errors:
+ messages:
+ already_in_use: "al in gebruik"
+ validate_sign_up_params: "Gegevens voor aanmaken van het account zijn niet geldig."
+ validate_account_update_params: "Gegevens voor updaten van het account zijn niet geldig."
+ not_email: "is geen geldig e-emailadres"
From bb92ecf3ff5a87e74cc0f969b45c94813eb955f1 Mon Sep 17 00:00:00 2001
From: Saul H Date: Fri, 11 Mar 2016 12:23:17 -0430 Subject: [PATCH 237/328] fix login serializer --- .../devise_token_auth/sessions_controller.rb | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 0c0d0e8ec..69834070c 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -33,13 +33,15 @@ def create @resource.save sign_in(:user, @resource, store: false, bypass: false) + # puts "#{@resource.class}" + # puts "OKOKOKO11111 #{@resource.sign_in_count}" + # puts "OKOKOKO #{@resource.as_json(only: [:sign_in_count])}" + # puts "OKOKOKO-TODO #{@resource.as_json}" + # serializer_options = {} + # serializer = UserAgentSerializer.new(@resource, serializer_options) + # puts "#{serializer.as_json}" - render json: { - data:{ user: @resource.as_json(except: [ - :tokens, :created_at, :updated_at - ]), - external_token:{client:@client_id, token: @external_token } - }} + render json: @resource elsif @resource and not @resource.confirmed? From f69ab2f64713d8412b02406054d0baeaa5dcb8c4 Mon Sep 17 00:00:00 2001 From: Saul H Date: Fri, 11 Mar 2016 17:01:06 -0430 Subject: [PATCH 238/328] fix render json --- .../devise_token_auth/sessions_controller.rb | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 69834070c..cacfad854 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
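Review bot: `render json: @resource` replaces a response that explicitly excluded `:tokens, :created_at, :updated_at` with the model's default serialization, so unless the model's `as_json` strips them (not visible here) the per-client token hash is now returned in the sign-in body. Keep the `except:` list, or serialize through one dedicated model method. The block of commented-out `puts` lines (including `serializer = UserAgentSerializer.new(@resource, serializer_options)`) is debugging residue and should be removed rather than committed. The `create` action continues on both sides of the hunk.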
@@ -33,16 +33,36 @@ def create @resource.save sign_in(:user, @resource, store: false, bypass: false) - # puts "#{@resource.class}" + # puts "SAAAAAAA #{@resource.class}" # puts "OKOKOKO11111 #{@resource.sign_in_count}" # puts "OKOKOKO #{@resource.as_json(only: [:sign_in_count])}" # puts "OKOKOKO-TODO #{@resource.as_json}" # serializer_options = {} # serializer = UserAgentSerializer.new(@resource, serializer_options) # puts "#{serializer.as_json}" - - render json: @resource - + if @resource.class.to_s == 'Agent' + render json: { + data: @resource.as_json(only: [ + :id, + :email, + :provider, + :uid, + :agency_id, + :name, + :last_name, + :is_owner, + :avatar_file_name, + :avatar_content_type, + :telephone, + :sign_in_count],include: [:agency]) + } + else + render json: { + data: @resource.as_json(except: [ + :tokens, :created_at, :updated_at + ]) + } + end elsif @resource and not @resource.confirmed? render json: { From 95f24425c56815554d6be5691e99952e22f86025 Mon Sep 17 00:00:00 2001 From: Saul H Date: Fri, 11 Mar 2016 17:07:00 -0430 Subject: [PATCH 239/328] fix --- app/controllers/devise_token_auth/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index cacfad854..d43097058 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -54,7 +54,7 @@ def create :avatar_file_name, :avatar_content_type, :telephone, - :sign_in_count],include: [:agency]) + :sign_in_count],include: {agency: { except:[:sabre_ipcc,:sabre_password,:sabre_username]}}) } else render json: { From 0b7e3f160ef363474d0028704f286b1bf74d8441 Mon Sep 17 00:00:00 2001 
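Review bot: `include: [:agency]` serializes the entire `agency` record into the sign-in response, and the follow-up hunk on this same line (`@@ -54,7 +54,7 @@`) patches it with `except: [:sabre_ipcc, :sabre_password, :sabre_username]`, which shows the association carries credentials; a deny-list will leak the next sensitive column added to that table, so give the agency an `only:` allow-list just as the agent attributes have. `@resource.class.to_s == 'Agent'` should be `@resource.is_a?(Agent)`, or better a model-side response method so the controller does not branch on type. The edited debug comment (`# puts "SAAAAAAA #{@resource.class}"`) and its siblings are still present and should go. The `create` action continues outside the hunk.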
From: Saul H Date: Sat, 12 Mar 2016 19:05:57 -0430 Subject: [PATCH 240/328] add profile a la gema --- app/controllers/devise_token_auth/sessions_controller.rb | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index d43097058..63b205ac9 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -54,7 +54,13 @@ def create :avatar_file_name, :avatar_content_type, :telephone, - :sign_in_count],include: {agency: { except:[:sabre_ipcc,:sabre_password,:sabre_username]}}) + :sign_in_count],include: {agency: { + except:[:sabre_ipcc,:sabre_password,:sabre_username]}, + profile:{ + include: { functionalities:{} + } + } + }) } else render json: { From 0660391754a7e3aba37e608c0602f945266aab3e Mon Sep 17 00:00:00 2001 From: Saul H Date: Sun, 13 Mar 2016 16:26:06 -0430 Subject: [PATCH 241/328] add registro en bitacora, al login Agent --- .../devise_token_auth/sessions_controller.rb | 62 +++++++++++-------- 1 file changed, 35 insertions(+), 27 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 63b205ac9..98bfcaec1 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
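Review bot: The `as_json` options for the Agent branch now run to a dozen nested lines inside the controller action, mixing attribute selection, the agency filter and the new `profile`/`functionalities` include; this belongs in an `Agent#as_json` override or a serializer so the action reduces to `data: @resource.as_json`. The `functionalities: {}` include carries no `only:`/`except:` filter, so every column of that association is returned; confirm it holds nothing sensitive. The `create` action continues on both sides of the hunk.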
@@ -41,34 +41,42 @@ def create # serializer = UserAgentSerializer.new(@resource, serializer_options) # puts "#{serializer.as_json}" if @resource.class.to_s == 'Agent' - render json: { - data: @resource.as_json(only: [ - :id, - :email, - :provider, - :uid, - :agency_id, - :name, - :last_name, - :is_owner, - :avatar_file_name, - :avatar_content_type, - :telephone, - :sign_in_count],include: {agency: { - except:[:sabre_ipcc,:sabre_password,:sabre_username]}, - profile:{ - include: { functionalities:{} - } - } - }) - } - else - render json: { - data: @resource.as_json(except: [ - :tokens, :created_at, :updated_at + LoginBitacoraAgent.create( + :agency_id => @resource.agency_id, + :profile_id => @resource.profile_id, + :agent_id =>@resource.id, + :email =>@resource.email, + :is_owner =>@resource.is_owner, + :sign_in_ip =>@resource.current_sign_in_ip + ) + render json: { + data: @resource.as_json(only: [ + :id, + :email, + :provider, + :uid, + :agency_id, + :name, + :last_name, + :is_owner, + :avatar_file_name, + :avatar_content_type, + :telephone, + :sign_in_count],include: {agency: { + except:[:sabre_ipcc,:sabre_password,:sabre_username]}, + profile:{ + include: { functionalities:{} + } + } + }) + } + else + render json: { + data: @resource.as_json(except: [ + :tokens, :created_at, :updated_at ]) - } - end + } + end elsif @resource and not @resource.confirmed? render json: { From 9bdd582d7318fca8cc1d554f6935f628bedd1956 Mon Sep 17 00:00:00 2001 From: Saul H Date: Sun, 13 Mar 2016 17:22:14 -0430 Subject: [PATCH 242/328] improvement on bitacora --- .../devise_token_auth/sessions_controller.rb | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 98bfcaec1..2d5506284 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
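Review bot: `LoginBitacoraAgent.create(...)` returns an unsaved record on validation failure and the result is discarded, so a failed audit entry goes unnoticed while the sign-in still succeeds; for an audit trail use `create!` or at least log the failure. The hash-rocket keys with uneven spacing (`:agent_id =>@resource.id`) should be written `agent_id: @resource.id`. The `create` action starts and ends outside the hunk.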
@@ -47,7 +47,8 @@ def create :agent_id =>@resource.id, :email =>@resource.email, :is_owner =>@resource.is_owner, - :sign_in_ip =>@resource.current_sign_in_ip + :sign_in_ip =>@resource.current_sign_in_ip, + :action_type =>LoginBitacoraAgent.action_types[:sign_in] ) render json: { data: @resource.as_json(only: [ @@ -102,6 +103,15 @@ def destroy remove_instance_variable(:@token) if @token if user and client_id and user.tokens[client_id] + LoginBitacoraAgent.create( + :agency_id => user.agency_id, + :profile_id => user.profile_id, + :agent_id =>user.id, + :email =>user.email, + :is_owner =>user.is_owner, + :sign_in_ip =>user.current_sign_in_ip, + :action_type =>LoginBitacoraAgent.action_types[:sign_out] + ) user.tokens.delete(client_id) user.save! From 6d781e46a33214c1226c70b18652a06a03663cec Mon Sep 17 00:00:00 2001 From: Saul H Date: Sun, 13 Mar 2016 17:24:03 -0430 Subject: [PATCH 243/328] improvement on bitacora --- .../devise_token_auth/sessions_controller.rb | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 2d5506284..1da523e0b 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
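Review bot: The `LoginBitacoraAgent.create` block added to `destroy` is a copy of the one in `create` with only `action_type` differing, so the two will drift; extract `def record_agent_action(agent, action_type)` that builds the seven attributes once and call it from both actions. In `destroy` the audit row is written before `user.tokens.delete(client_id)` and `user.save!`, so a failed save still leaves a sign-out recorded; write it after the save succeeds. Both actions continue outside their hunks.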
@@ -103,15 +103,18 @@ def destroy remove_instance_variable(:@token) if @token if user and client_id and user.tokens[client_id] - LoginBitacoraAgent.create( - :agency_id => user.agency_id, - :profile_id => user.profile_id, - :agent_id =>user.id, - :email =>user.email, - :is_owner =>user.is_owner, - :sign_in_ip =>user.current_sign_in_ip, - :action_type =>LoginBitacoraAgent.action_types[:sign_out] - ) + + if user.class.to_s == 'Agent' + LoginBitacoraAgent.create( + :agency_id => user.agency_id, + :profile_id => user.profile_id, + :agent_id =>user.id, + :email =>user.email, + :is_owner =>user.is_owner, + :sign_in_ip =>user.current_sign_in_ip, + :action_type =>LoginBitacoraAgent.action_types[:sign_out] + ) + end user.tokens.delete(client_id) user.save! From 1d436f2cd2d8ebfdef82b97fbfdac5a7af59f515 Mon Sep 17 00:00:00 2001 From: Olle Jonsson Date: Tue, 15 Mar 2016 17:20:08 +0100 Subject: [PATCH 244/328] =?UTF-8?q?User=20concern:=20Ensure=20fallback=20i?= =?UTF-8?q?s=20in=20place=20=20=E2=80=A6=20=20=20=20=20Without=20this=20ch?= =?UTF-8?q?ange=20redirect=5Furl=20may=20be=20blank,=20leading=20to=20an?= =?UTF-8?q?=20internal=20bad=20URI=20error=20unless=20set=20when=20confirm?= =?UTF-8?q?ing.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Occurs when creating a user from the Rails console, for instance. --- app/models/devise_token_auth/concerns/user.rb | 1 + .../confirmations_controller_test.rb | 16 ++++++++++------ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index a8e9dce2d..18f027d59 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb 
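Review bot: `user.class.to_s == 'Agent'` compares class names as strings; `user.is_a?(Agent)` states the intent and survives namespacing, and the same string check exists in `create` (`@resource.class.to_s == 'Agent'`). Since the audit block is otherwise identical to the one in `create`, a model-side hook on `Agent` would remove the type branch from the controller entirely. `destroy` continues outside the hunk.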
@@ -70,6 +70,7 @@ def send_confirmation_instructions(opts=nil) if pending_reconfirmation? opts[:to] = unconfirmed_email end + opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url send_devise_notification(:confirmation_instructions, @raw_confirmation_token, opts) end diff --git a/test/controllers/devise_token_auth/confirmations_controller_test.rb b/test/controllers/devise_token_auth/confirmations_controller_test.rb index 6268408f4..19069b082 100644 --- a/test/controllers/devise_token_auth/confirmations_controller_test.rb +++ b/test/controllers/devise_token_auth/confirmations_controller_test.rb @@ -8,6 +8,12 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase describe DeviseTokenAuth::ConfirmationsController do + def token_and_client_config_from(body) + token = body.match(/confirmation_token=([^&]*)&/)[1] + client_config = body.match(/config=([^&]*)&/)[1] + [token, client_config] + end + describe "Confirmation" do before do @redirect_url = Faker::Internet.url @@ -15,9 +21,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase @new_user.send_confirmation_instructions({ redirect_url: @redirect_url }) - @mail = ActionMailer::Base.deliveries.last - @token = @mail.body.match(/confirmation_token=([^&]*)&/)[1] - @client_config = @mail.body.match(/config=([^&]*)&/)[1] + mail = ActionMailer::Base.deliveries.last + @token, @client_config = token_and_client_config_from(mail.body) end test 'should generate raw token' do @@ -74,9 +79,8 @@ class DeviseTokenAuth::ConfirmationsControllerTest < ActionController::TestCase @new_user.send_confirmation_instructions(client_config: @config_name) - @mail = ActionMailer::Base.deliveries.last - @token = @mail.body.match(/confirmation_token=(.*)\"/)[1] - @client_config = @mail.body.match(/config=(.*)\&/)[1] + mail = ActionMailer::Base.deliveries.last + @token, @client_config = token_and_client_config_from(mail.body) end test 'should generate raw token' do 
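Review bot: `opts[:redirect_url] ||= DeviseTokenAuth.default_confirm_success_url` only helps when `default_confirm_success_url` is itself configured; if it is nil the confirmation mail is still built with a blank redirect and the bad-URI error described in the commit message merely moves later. Consider failing clearly instead: `raise ArgumentError, 'redirect_url missing and DeviseTokenAuth.default_confirm_success_url not set' if opts[:redirect_url].blank?`. The method's `opts=nil` default is outside the hunk, so the `||=` relies on `opts` having been coerced to a hash earlier in the body.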
From ce9fa5ecb9118c7d82b00b5f5f89d92606445605 Mon Sep 17 00:00:00 2001 From: Olle Jonsson Date: Tue, 15 Mar 2016 18:00:15 +0100 Subject: [PATCH 245/328] Whitespace: tabs removed --- test/lib/devise_token_auth/url_test.rb | 42 ++++++++++++-------------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/test/lib/devise_token_auth/url_test.rb b/test/lib/devise_token_auth/url_test.rb index e668140bf..6f75a4526 100644 --- a/test/lib/devise_token_auth/url_test.rb +++ b/test/lib/devise_token_auth/url_test.rb 
@@ -1,28 +1,24 @@ require 'test_helper' class DeviseTokenAuth::UrlTest < ActiveSupport::TestCase - describe "DeviseTokenAuth::Url#generate" do - test 'URI fragment should appear at the end of URL' do - params = {client_id: 123} - url = 'http://example.com#fragment' - assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?client_id=123#fragment" - end + describe "DeviseTokenAuth::Url#generate" do + test 'URI fragment should appear at the end of URL' do + params = {client_id: 123} + url = 'http://example.com#fragment' + assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?client_id=123#fragment" + end - describe 'with existing query params' do - test 'should preserve existing query params' do - url = 'http://example.com?a=1' - assert_equal DeviseTokenAuth::Url.send(:generate, url), "http://example.com?a=1" - end + describe 'with existing query params' do + test 'should preserve existing query params' do + url = 'http://example.com?a=1' + assert_equal DeviseTokenAuth::Url.send(:generate, url), "http://example.com?a=1" + end - test 'should marge existing query params with new ones' do - params = {client_id: 123} - url = 'http://example.com?a=1' - assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?a=1&client_id=123" - end - - - end - - - end -end \ No newline at end of file + test 'should marge existing query params with new ones' do + params = {client_id: 123} + url = 'http://example.com?a=1' + assert_equal DeviseTokenAuth::Url.send(:generate, url, params), "http://example.com?a=1&client_id=123" + end + end + end +end From 5243f1a840389fc3fb13490d98194f62a0d92564 Mon Sep 17 00:00:00 2001 
From: Ingolfur Edvardsson Date: Wed, 16 Mar 2016 10:58:38 +0000 Subject: [PATCH 246/328] allowing authenticating using headers as well as a post request --- .../devise_token_auth/application_controller.rb | 3 +++ .../devise_token_auth/sessions_controller_test.rb | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 6f06ea344..1310121ef 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -17,6 +17,9 @@ def resource_errors protected def params_for_resource(resource) + devise_parameter_sanitizer.instance_values['permitted'][resource].each do |type| + params[type.to_s] ||= request.headers[type.to_s] unless request.headers[type.to_s].nil? + end devise_parameter_sanitizer.instance_values['permitted'][resource] end diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index cc7f66d96..9875f650c 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb @@ -91,6 +91,21 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase end end + describe 'header sign_in is supported' do + before do + request.headers.merge!( + 'email' => @existing_user.email, + 'password' => 'secret123') + + xhr :head, :create + @data = JSON.parse(response.body) + end + + test 'user can sign in using header request' do + assert_equal 200, response.status + end + end + describe 'alt auth keys' do before do xhr :post, :create, { From 8ad135d040eda22ed5eb69f89df6dac7b9fcfad3 Mon Sep 17 00:00:00 2001 From: y4ashida Date: Thu, 17 Mar 2016 20:53:13 +0900 Subject: [PATCH 247/328] Fix typo --- config/locales/de.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
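Review bot: `params_for_resource` becomes a side-effecting accessor — every call copies request headers named after the permitted parameters into `params` — and because it applies to every permitted key, credentials such as `password` can now be submitted as HTTP headers, which reverse proxies and access logs often record while they seldom record bodies. If header sign-in is wanted, do it in one explicit place (the sessions controller) and document which headers are accepted, or at minimum keep this method pure and move the promotion into a clearly named `merge_headers_into_params!`. The double lookup can be written `value = request.headers[type.to_s]` / `params[type.to_s] ||= value unless value.nil?`. The test sends `xhr :head, :create`; a HEAD request for sign-in is surprising and probably meant `:post`.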
diff --git a/config/locales/de.yml b/config/locales/de.yml index b3e9017c2..23510da08 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -1,7 +1,7 @@ de: devise_token_auth: sessions: - not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}'' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" + not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut." not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt." user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden." From 2af5acf62e1afc67ffa012083e2e7e78b08268c2 Mon Sep 17 00:00:00 2001 From: y4ashida Date: Thu, 17 Mar 2016 21:01:00 +0900 Subject: [PATCH 248/328] Remove trailing whitespace --- app/models/devise_token_auth/concerns/user.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index a8e9dce2d..7baac0866 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -190,7 +190,7 @@ def create_new_auth_token(client_id=nil) def build_auth_header(token, client_id='default') client_id ||= 'default' - + if !DeviseTokenAuth.change_headers_on_each_request && self.tokens[client_id].nil? create_new_auth_token(client_id) else @@ -198,7 +198,7 @@ def build_auth_header(token, client_id='default') # client may use expiry to prevent validation request if expired # must be cast as string or headers will break expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] - + return { DeviseTokenAuth.headers_names[:"access-token"] => token, DeviseTokenAuth.headers_names[:"token-type"] => "Bearer", 
From 85c558a200bf3e9cdff531a94ed787cd6582d8e4 Mon Sep 17 00:00:00 2001 From: y4ashida Date: Thu, 17 Mar 2016 21:03:37 +0900 Subject: [PATCH 249/328] Put spaces inside {} --- app/models/devise_token_auth/concerns/user.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index 7baac0866..2976cce32 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -258,7 +258,7 @@ def remove_tokens_after_password_reset if should_remove_old_tokens latest_token = self.tokens.max_by { |cid, v| v[:expiry] || v["expiry"] } - self.tokens = {latest_token.first => latest_token.last} + self.tokens = { latest_token.first => latest_token.last } end end From 889f7533d93278c0497487374e64428ee8483a48 Mon Sep 17 00:00:00 2001 From: Jacob Andersen Date: Fri, 25 Mar 2016 16:13:26 -0700 Subject: [PATCH 250/328] Add info to README\n Regards adding info to request headers for signout route. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c901bc141..5f57fcbcd 100644 --- a/README.md +++ b/README.md 
@@ -139,7 +139,7 @@ The following routes are available for use by your client. These routes live rel | / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. | | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. | | /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. | -| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. | +| /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. | | /:provider | GET | Set this route as the destination for client authentication. Ideally this will happen in an external window or popup. [Read more](#omniauth-authentication). | | /:provider/callback | GET/POST | Destination for the oauth2 provider's callback uri. `postMessage` events containing the authenticated user's data will be sent back to the main client window from this page. [Read more](#omniauth-authentication). | | /validate_token | GET | Use this route to validate tokens on return visits to the client. Requires **`uid`**, **`client`**, and **`access-token`** as params. 
These values should correspond to the columns in your `User` table of the same names. | From af3434ab36d3c4a74710a715a6081eee8e165e27 Mon Sep 17 00:00:00 2001 From: y4ashida Date: Tue, 29 Mar 2016 16:46:40 +0900 Subject: [PATCH 251/328] Update readme for headers names --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5f57fcbcd..23233ee0d 100644 --- a/README.md +++ b/README.md @@ -325,9 +325,15 @@ module YourApp allow do origins '*' resource '*', - :headers => :any, - :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'], - :methods => [:get, :post, :options, :delete, :put] + headers: :any, + expose: [ + DeviseTokenAuth.headers_names[:'access-token'], + DeviseTokenAuth.headers_names[:'client'], + DeviseTokenAuth.headers_names[:'expiry'], + DeviseTokenAuth.headers_names[:'uid'], + DeviseTokenAuth.headers_names[:'token-type'] + ], + methods: [:get, :post, :options, :delete, :put] end end end From 44fe68e9582b2d31fabfcd9acb6410413416f51f Mon Sep 17 00:00:00 2001 From: y4ashida Date: Thu, 31 Mar 2016 15:20:56 +0900 Subject: [PATCH 252/328] Revert "Update readme for headers names" This reverts commit af3434ab36d3c4a74710a715a6081eee8e165e27. --- README.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 23233ee0d..5f57fcbcd 100644 --- a/README.md +++ b/README.md @@ -325,15 +325,9 @@ module YourApp allow do origins '*' resource '*', - headers: :any, - expose: [ - DeviseTokenAuth.headers_names[:'access-token'], - DeviseTokenAuth.headers_names[:'client'], - DeviseTokenAuth.headers_names[:'expiry'], - DeviseTokenAuth.headers_names[:'uid'], - DeviseTokenAuth.headers_names[:'token-type'] - ], - methods: [:get, :post, :options, :delete, :put] + :headers => :any, + :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'], + :methods => [:get, :post, :options, :delete, :put] end end end 
From 5d3a4eda0b219e9229867b3bfa1565eac695f1f4 Mon Sep 17 00:00:00 2001 From: Jose Lezama Gonzalez Date: Thu, 7 Apr 2016 07:55:36 -0430 Subject: [PATCH 253/328] Added external token to can access Exteranl APIs --- app/controllers/devise_token_auth/sessions_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 1da523e0b..2f1cb99e6 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -68,8 +68,8 @@ def create profile:{ include: { functionalities:{} } - } - }) + } + }).merge("external_token" => {client:@client_id, token: @external_token }) } else render json: { From 0b43493dfdf52f768908dbcdcdf14d2cb8125bb8 Mon Sep 17 00:00:00 2001 From: Lemuel Barango Date: Thu, 21 Apr 2016 09:41:46 -0400 Subject: [PATCH 254/328] fixed devise deprecation warning for config.email_regexp --- config/initializers/devise.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index eb7adf184..58149ce5c 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -142,7 +142,7 @@ # Email regex used to validate email formats. It simply asserts that # one (and only one) @ exists in the given string. This is mainly # to give user feedback and not to assert the e-mail validity. - # config.email_regexp = /\A[^@]+@[^@]+\z/ + config.email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/ # ==> Configuration for :timeoutable # The time you want to timeout the user session without activity. After this From 4d746cf1a29c9f1f1989a83a4563dda442847629 Mon Sep 17 00:00:00 2001 
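Review bot: `@external_token`, merged into the sign-in JSON on the new `}).merge("external_token" => {client:@client_id, token: @external_token })` line, is not assigned anywhere in this hunk, so where it is issued and whether it shares the primary token's expiry and revocation cannot be verified here. Returning a credential in the response body, in addition to whatever the headers carry, also means it reaches body logging and caches more easily, which is worth a deliberate decision rather than a silent addition. If it stays, document its origin next to the merge, e.g. `# external_token: issued by <ISSUER PLACEHOLDER> for third-party API calls; expires with the session`, and write the hash as `{ client: @client_id, token: @external_token }`. `create` starts and ends outside the hunk.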
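Review bot: The new `config.email_regexp` repeats a group whose inner class also matches `.` (`([^@\s]+\.)+`), so a domain with many dots can be split between iterations in exponentially many ways and an address that fails at the final `[^@\W]+\z` can make the engine backtrack super-linearly — a denial-of-service exposure on a validator that runs on untrusted sign-up input, at least on Ruby engines without the 3.2 regex memoisation. Excluding the dot from the label class makes each iteration unambiguous: `config.email_regexp = /\A[^@\s]+@([^@\s.]+\.)+[^@\W]+\z/` (this also rejects consecutive dots, which the committed pattern accepted). The commit subject mentions only a deprecation warning, but the line replaces the commented-out default with a stricter pattern that changes which addresses validate; a comment above it should say so.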
From: Jose Lezama Gonzalez Date: Sat, 23 Apr 2016 14:08:29 -0430 Subject: [PATCH 255/328] Added custom control to check the compound uid, based on provider+email. Lets use multiple times same email with different providers --- .../devise_token_auth/sessions_controller.rb | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 2f1cb99e6..50bfc5ce3 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -10,15 +10,16 @@ def create else email = resource_params[:email] end + provider=resource_params[:provider] - q = "uid='#{email}' AND provider='email'" + q = provider == "email" ? "uid='#{email}' AND provider='#{provider}'" : "uid='#{provider}@#{email}' AND provider='#{provider}'" if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql' - q = "BINARY uid='#{email}' AND provider='email'" + q = provider == "email" ? "BINARY uid='#{email}' AND provider='#{provider}'" : "BINARY uid='#{provider}@#{email}' AND provider='#{provider}'" end - + @resource = resource_class.where(q).first - + if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @@ -33,13 +34,6 @@ def create @resource.save sign_in(:user, @resource, store: false, bypass: false) - # puts "SAAAAAAA #{@resource.class}" - # puts "OKOKOKO11111 #{@resource.sign_in_count}" - # puts "OKOKOKO #{@resource.as_json(only: [:sign_in_count])}" - # puts "OKOKOKO-TODO #{@resource.as_json}" - # serializer_options = {} - # serializer = UserAgentSerializer.new(@resource, serializer_options) - # puts "#{serializer.as_json}" if @resource.class.to_s == 'Agent' LoginBitacoraAgent.create( :agency_id => @resource.agency_id, 
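Review bot: Both new `q = provider == "email" ? … : …` lines interpolate `email` and the new `provider` request parameter straight into the SQL string that looks up the account, on the generic and the `BINARY` MySQL branch alike, so the commit widens an existing string-built query into an authentication path that takes two attacker-controlled values; hash conditions or bind parameters remove the problem on both branches. Separately, when the request carries no `provider` the ternary takes its second arm and the query becomes `uid='@<email>' AND provider=''`, so the pre-existing email sign-in without a `provider` param would stop matching; defaulting the provider to `"email"` keeps that behaviour. `create` starts and ends outside the hunk.
```ruby
provider = resource_params[:provider] || "email"
uid = provider == "email" ? email : "#{provider}@#{email}"

if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
  @resource = resource_class.where("BINARY uid = ? AND provider = ?", uid, provider).first
else
  @resource = resource_class.where(uid: uid, provider: provider).first
end
# … unchanged: password/confirmation check and client id creation …
```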
From fd602efd82ca366574af5b2c5e1f910d834ab5e4 Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 10 May 2016 22:14:17 -0700 Subject: [PATCH 256/328] fix spelling in comment on token auth concern --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 375bde2e3..2f0f6bd1e 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -23,7 +23,7 @@ def set_user_by_token(mapping=nil) # no default user defined return unless rc - #gets the headers names, which was set in the initilize file + #gets the headers names, which was set in the initialize file uid_name = DeviseTokenAuth.headers_names[:'uid'] access_token_name = DeviseTokenAuth.headers_names[:'access-token'] client_name = DeviseTokenAuth.headers_names[:'client'] From e72a591cd45758f3bab06aeda81ad2ff6bc8b8c1 Mon Sep 17 00:00:00 2001 From: Ethan Katzenberg Date: Mon, 16 May 2016 21:01:52 -0700 Subject: [PATCH 257/328] Added check for rails 5 --- lib/generators/devise_token_auth/install_generator.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/install_generator.rb b/lib/generators/devise_token_auth/install_generator.rb index b459529ce..0518857f0 100644 --- a/lib/generators/devise_token_auth/install_generator.rb +++ b/lib/generators/devise_token_auth/install_generator.rb 
@@ -29,7 +29,9 @@ def create_user_model else inclusion = "include DeviseTokenAuth::Concerns::User" unless parse_file_for_line(fname, inclusion) - inject_into_file fname, after: "class #{user_class} < ActiveRecord::Base\n" do <<-'RUBY' + + active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base' + inject_into_file fname, after: "class #{user_class} < #{active_record_needle}\n" do <<-'RUBY' # Include default devise modules. devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, From 95d6b53a77833fe69f23d81551e59c1906406b9b Mon Sep 17 00:00:00 2001 From: Tiago Garcia Date: Tue, 17 May 2016 14:17:20 +0200 Subject: [PATCH 258/328] Assert yields in actions return non-nil resources --- .../app/controllers/custom/confirmations_controller.rb | 2 +- .../app/controllers/custom/omniauth_callbacks_controller.rb | 2 +- test/dummy/app/controllers/custom/passwords_controller.rb | 6 +++--- .../app/controllers/custom/registrations_controller.rb | 4 ++-- test/dummy/app/controllers/custom/sessions_controller.rb | 4 ++-- .../app/controllers/custom/token_validations_controller.rb | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/test/dummy/app/controllers/custom/confirmations_controller.rb b/test/dummy/app/controllers/custom/confirmations_controller.rb index 6bebe342b..8e29e8976 100644 --- a/test/dummy/app/controllers/custom/confirmations_controller.rb +++ b/test/dummy/app/controllers/custom/confirmations_controller.rb @@ -2,7 +2,7 @@ class Custom::ConfirmationsController < DeviseTokenAuth::ConfirmationsController def show super do |resource| - @show_block_called = true + @show_block_called = true unless resource.nil? end end diff --git a/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb b/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb index d733277e2..6680f48dc 100644 --- a/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb 
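Review bot: `active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base'` decides the `after:` needle from the Rails version rather than from the model file, so a Rails 5 app whose user model still inherits from `ActiveRecord::Base` (upgraded without adding `ApplicationRecord`) gets a needle that does not occur in the file, and any later major falls back to the Rails 4 form; what `inject_into_file` does when the needle is absent is not visible here, so confirm it does not quietly inject nothing. Detecting the actual superclass from the file contents would be robust to both cases; at minimum the comparison should be `Rails::VERSION::MAJOR >= 5`, and a comment such as `# Rails 5 generates models under ApplicationRecord; older apps subclass ActiveRecord::Base directly` should state the assumption. `create_user_model` starts and ends outside the hunk.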
+++ b/test/dummy/app/controllers/custom/omniauth_callbacks_controller.rb @@ -2,7 +2,7 @@ class Custom::OmniauthCallbacksController < DeviseTokenAuth::OmniauthCallbacksCo def omniauth_success super do |resource| - @omniauth_success_block_called = true + @omniauth_success_block_called = true unless resource.nil? end end diff --git a/test/dummy/app/controllers/custom/passwords_controller.rb b/test/dummy/app/controllers/custom/passwords_controller.rb index 628937529..3f7b6a828 100644 --- a/test/dummy/app/controllers/custom/passwords_controller.rb +++ b/test/dummy/app/controllers/custom/passwords_controller.rb @@ -2,19 +2,19 @@ class Custom::PasswordsController < DeviseTokenAuth::PasswordsController def create super do |resource| - @create_block_called = true + @create_block_called = true unless resource.nil? end end def edit super do |resource| - @edit_block_called = true + @edit_block_called = true unless resource.nil? end end def update super do |resource| - @update_block_called = true + @update_block_called = true unless resource.nil? end end diff --git a/test/dummy/app/controllers/custom/registrations_controller.rb b/test/dummy/app/controllers/custom/registrations_controller.rb index f3cd6f0d8..86d98b1d6 100644 --- a/test/dummy/app/controllers/custom/registrations_controller.rb +++ b/test/dummy/app/controllers/custom/registrations_controller.rb @@ -8,13 +8,13 @@ def create def update super do |resource| - @update_block_called = true + @update_block_called = true unless resource.nil? end end def destroy super do |resource| - @destroy_block_called = true + @destroy_block_called = true unless resource.nil? end end diff --git a/test/dummy/app/controllers/custom/sessions_controller.rb b/test/dummy/app/controllers/custom/sessions_controller.rb index 915f4a0e9..57809020e 100644 --- a/test/dummy/app/controllers/custom/sessions_controller.rb +++ b/test/dummy/app/controllers/custom/sessions_controller.rb 
@@ -2,13 +2,13 @@ class Custom::SessionsController < DeviseTokenAuth::SessionsController def create super do |resource| - @create_block_called = true + @create_block_called = true unless resource.nil? end end def destroy super do |resource| - @destroy_block_called = true + @destroy_block_called = true unless resource.nil? end end diff --git a/test/dummy/app/controllers/custom/token_validations_controller.rb b/test/dummy/app/controllers/custom/token_validations_controller.rb index 2978e4a74..4bfca82bb 100644 --- a/test/dummy/app/controllers/custom/token_validations_controller.rb +++ b/test/dummy/app/controllers/custom/token_validations_controller.rb @@ -2,7 +2,7 @@ class Custom::TokenValidationsController < DeviseTokenAuth::TokenValidationsCont def validate_token super do |resource| - @validate_token_block_called = true + @validate_token_block_called = true unless resource.nil? end end From 2d9e02b604dd4294bb368486d8bc0612b88bb3af Mon Sep 17 00:00:00 2001 From: Tiago Garcia Date: Tue, 17 May 2016 14:19:29 +0200 Subject: [PATCH 259/328] Add missing values in controller action yields --- .../devise_token_auth/confirmations_controller.rb | 2 +- .../devise_token_auth/omniauth_callbacks_controller.rb | 2 +- app/controllers/devise_token_auth/passwords_controller.rb | 6 +++--- app/controllers/devise_token_auth/sessions_controller.rb | 4 ++-- .../devise_token_auth/token_validations_controller.rb | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/controllers/devise_token_auth/confirmations_controller.rb b/app/controllers/devise_token_auth/confirmations_controller.rb index bf336e4d3..becf755f2 100644 --- a/app/controllers/devise_token_auth/confirmations_controller.rb +++ b/app/controllers/devise_token_auth/confirmations_controller.rb @@ -17,7 +17,7 @@ def show @resource.save! - yield if block_given? + yield @resource if block_given? redirect_to(@resource.build_auth_url(params[:redirect_url], { token: token, 
diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 27e1ba82f..3aa6678a0 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb @@ -38,7 +38,7 @@ def omniauth_success @resource.save! - yield if block_given? + yield @resource if block_given? render_data_or_redirect('deliverCredentials', @auth_params.as_json, @resource.as_json) end diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index dce44a8cb..089e564e0 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -47,7 +47,7 @@ def create @error_status = 400 if @resource - yield if block_given? + yield @resource if block_given? @resource.send_reset_password_instructions({ email: @email, provider: 'email', @@ -94,7 +94,7 @@ def edit @resource.allow_password_change = true; @resource.save! - yield if block_given? + yield @resource if block_given? redirect_to(@resource.build_auth_url(params[:redirect_url], { token: token, @@ -126,7 +126,7 @@ def update if @resource.send(resource_update_method, password_resource_params) @resource.allow_password_change = false - yield if block_given? + yield @resource if block_given? return render_update_success else return render_update_error diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 882a9f645..c85af0c77 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb 
@@ -42,7 +42,7 @@ def create sign_in(:user, @resource, store: false, bypass: false) - yield if block_given? + yield @resource if block_given? render_create_success elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) @@ -62,7 +62,7 @@ def destroy user.tokens.delete(client_id) user.save! - yield if block_given? + yield user if block_given? render_destroy_success else diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb index 690e995bd..42415cd1d 100644 --- a/app/controllers/devise_token_auth/token_validations_controller.rb +++ b/app/controllers/devise_token_auth/token_validations_controller.rb @@ -6,7 +6,7 @@ class TokenValidationsController < DeviseTokenAuth::ApplicationController def validate_token # @resource will have been set by set_user_token concern if @resource - yield if block_given? + yield @resource if block_given? render_validate_token_success else render_validate_token_error From 5cf01125f930e56bd5b491c987ca5c93f220d676 Mon Sep 17 00:00:00 2001 From: Fergus Cooney Date: Tue, 17 May 2016 16:59:57 +0100 Subject: [PATCH 260/328] Updating Devise dependency to max 4.1.1 Updating devise dependency to 4.1.1 from 4.1 mk2 --- devise_token_auth.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 3432858dd..4e0ccab06 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "> 3.5.2", "< 4.1" + s.add_dependency "devise", "> 3.5.2", "< 4.1.1" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From a2e1b3b74fd8cfd7a587ca696cdf8b8c53afa8c1 Mon Sep 17 00:00:00 2001 
From: Iain McGrath Date: Wed, 18 May 2016 12:34:45 +0100 Subject: [PATCH 261/328] Adding support for devise 4.1.1 upgrading devise gem to 4.1.1 --- devise_token_auth.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 4e0ccab06..e16d95640 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "> 3.5.2", "< 4.1.1" + s.add_dependency "devise", "> 3.5.2", "<= 4.1.1" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From 7b9727995e1eb42385a2a4102516fcd3a372ad81 Mon Sep 17 00:00:00 2001 From: bvandgrift Date: Thu, 26 May 2016 16:35:11 -0400 Subject: [PATCH 262/328] updates config wrapper --- app/controllers/devise_token_auth/application_controller.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 1310121ef..6b197c98a 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -35,7 +35,9 @@ def resource_class(m=nil) def is_json_api return false unless defined?(ActiveModel::Serializer) - return ActiveModel::Serializer.config.adapter == :json_api + return ActiveModel::Serializer.setup do |config| + config.adapter == :json_api + end end end From 3943071db76f7fdfb7b948e7fa852fde3e4a4455 Mon Sep 17 00:00:00 2001 From: Alexander Epifanov Date: Thu, 2 Jun 2016 20:17:43 +0500 Subject: [PATCH 263/328] tokens count overmuch fixed --- app/models/devise_token_auth/concerns/user.rb | 40 ++++++++----------- 1 file changed, 17 insertions(+), 23 deletions(-) 
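Review bot: `return ActiveModel::Serializer.setup do |config| config.adapter == :json_api end` makes `is_json_api` return whatever `setup` returns, which is the block's boolean only if `setup` returns the value of its `yield`; that is not visible here, and because this predicate gates serializer behaviour a truthy non-boolean would silently select the JSON API path for every adapter. Capturing the value explicitly avoids the dependency: `adapter = nil` / `ActiveModel::Serializer.setup { |config| adapter = config.adapter }` / `return adapter == :json_api`. The same construct is reintroduced behind `respond_to?(:setup)` in the later `application_controller.rb` hunk of PATCH 265 and the remark applies there too.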
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb index fa5ffdff7..df097b846 100644 --- a/app/models/devise_token_auth/concerns/user.rb +++ b/app/models/devise_token_auth/concerns/user.rb @@ -177,14 +177,6 @@ def create_new_auth_token(client_id=nil) updated_at: Time.now } - max_clients = DeviseTokenAuth.max_number_of_devices - while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length - oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] } - self.tokens.delete(oldest_token.first) - end - - self.save! - return build_auth_header(token, client_id) end 
@@ -192,22 +184,25 @@ def create_new_auth_token(client_id=nil) def build_auth_header(token, client_id='default') client_id ||= 'default' - if !DeviseTokenAuth.change_headers_on_each_request && self.tokens[client_id].nil? - create_new_auth_token(client_id) - else + # client may use expiry to prevent validation request if expired + # must be cast as string or headers will break + expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] - # client may use expiry to prevent validation request if expired - # must be cast as string or headers will break - expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry] - - return { - DeviseTokenAuth.headers_names[:"access-token"] => token, - DeviseTokenAuth.headers_names[:"token-type"] => "Bearer", - DeviseTokenAuth.headers_names[:"client"] => client_id, - DeviseTokenAuth.headers_names[:"expiry"] => expiry.to_s, - DeviseTokenAuth.headers_names[:"uid"] => self.uid - } + max_clients = DeviseTokenAuth.max_number_of_devices + while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length + oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] } + self.tokens.delete(oldest_token.first) end + + self.save! + + return { + DeviseTokenAuth.headers_names[:"access-token"] => token, + DeviseTokenAuth.headers_names[:"token-type"] => "Bearer", + DeviseTokenAuth.headers_names[:"client"] => client_id, + DeviseTokenAuth.headers_names[:"expiry"] => expiry.to_s, + DeviseTokenAuth.headers_names[:"uid"] => self.uid + } end @@ -221,7 +216,6 @@ def build_auth_url(base_url, args) def extend_batch_buffer(token, client_id) self.tokens[client_id]['updated_at'] = Time.now - self.save! return build_auth_header(token, client_id) end From 48fb700e3e99093dd8771b84dfaadc36c36968f5 Mon Sep 17 00:00:00 2001 
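Review bot: Removing the `if !DeviseTokenAuth.change_headers_on_each_request && self.tokens[client_id].nil?` branch leaves the new `expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]` line unguarded, so `build_auth_header` called with a `client_id` that has no stored token now raises `NoMethodError` on `nil` where it previously provisioned a token; whether any caller still reaches it with an unknown client is not visible here, though `extend_batch_buffer` in the next hunk indexes `self.tokens[client_id]` before calling it. Either restore the guard ahead of the expiry lookup or use `self.tokens.fetch(client_id)` so a missing client fails with a clear `KeyError` rather than a nil dereference. The pruning loop moved into this method keeps `while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length`; now that it is new-side code, `&&` is the idiomatic operator. The hunk on L645 removing the same loop from `create_new_auth_token` is the other half of this move.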
From: woodcrust Date: Thu, 2 Jun 2016 18:22:31 +0300 Subject: [PATCH 264/328] fix method 'is_json_api' with active_model_serialier v 0.10.0 --- app/controllers/devise_token_auth/application_controller.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 6b197c98a..419f0e700 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -35,9 +35,7 @@ def resource_class(m=nil) def is_json_api return false unless defined?(ActiveModel::Serializer) - return ActiveModel::Serializer.setup do |config| - config.adapter == :json_api - end + return ActiveModelSerializers.config.adapter == :json_api end end From 316cece4f4fd37cfa596ef30e221c7c45fcdbb7a Mon Sep 17 00:00:00 2001 From: woodcrust Date: Thu, 2 Jun 2016 19:46:42 +0300 Subject: [PATCH 265/328] update for older version active_model_serializers then 0.10.0 --- app/controllers/devise_token_auth/application_controller.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/controllers/devise_token_auth/application_controller.rb b/app/controllers/devise_token_auth/application_controller.rb index 419f0e700..bd1dea58b 100644 --- a/app/controllers/devise_token_auth/application_controller.rb +++ b/app/controllers/devise_token_auth/application_controller.rb @@ -35,6 +35,9 @@ def resource_class(m=nil) def is_json_api return false unless defined?(ActiveModel::Serializer) + return ActiveModel::Serializer.setup do |config| + config.adapter == :json_api + end if ActiveModel::Serializer.respond_to?(:setup) return ActiveModelSerializers.config.adapter == :json_api end From a5472fa66fe91ddc3bd0a16729a325db2fd8b9f5 Mon Sep 17 00:00:00 2001 
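Review bot: Guarding a multi-line `return … do |config| … end` with a trailing modifier `if ActiveModel::Serializer.respond_to?(:setup)` hides the condition at the end of the statement, after the `end` of the block. A regular conditional with a brace block reads as intended: `if ActiveModel::Serializer.respond_to?(:setup)` / `  return ActiveModel::Serializer.setup { |config| config.adapter == :json_api }` / `end`. A one-line comment such as `# AMS < 0.10 exposes setup; 0.10+ exposes ActiveModelSerializers.config` would also explain why two lookups coexist, since the version split is otherwise only recoverable from the commit subject.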
From: Saul H Date: Wed, 15 Jun 2016 20:01:31 -0400 Subject: [PATCH 266/328] add, parameter - admin_license on login post --- app/controllers/devise_token_auth/sessions_controller.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index 50bfc5ce3..eaa8b0a3d 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -57,6 +57,7 @@ def create :avatar_file_name, :avatar_content_type, :telephone, + :admin_license, :sign_in_count],include: {agency: { except:[:sabre_ipcc,:sabre_password,:sabre_username]}, profile:{ From a9294f801170385c12981e95268590c303ec63e1 Mon Sep 17 00:00:00 2001 From: Kendall Park Date: Fri, 17 Jun 2016 11:02:25 -0500 Subject: [PATCH 267/328] added bypass_sign_in for next version of Devise --- .../devise_token_auth/concerns/set_user_by_token.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 2f0f6bd1e..e025c7802 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -61,7 +61,12 @@ def set_user_by_token(mapping=nil) user = uid && rc.find_by_uid(uid) if user && user.valid_token?(@token, @client_id) - sign_in(:user, user, store: false, bypass: true) + # sign_in with bypass: true will be deprecated in the next version of Devise + if self.respond_to? :bypass_sign_in + bypass_sign_in(user, scope: :user) + else + sign_in(:user, user, store: false, bypass: true) + end return @resource = user else # zero all values previously set values From 52baf04cc6cb5b032aba3e18b338fee5136d983e Mon Sep 17 00:00:00 2001 
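Review bot: `bypass_sign_in(user, scope: :user)` drops the `store: false` option that the replaced `sign_in(:user, user, store: false, bypass: true)` carried; whether `bypass_sign_in` writes the user into the session is not visible here, and since this concern authenticates every request by token, confirm it does not start persisting a server-side session for token-authenticated clients, which would change the stateless assumptions the CSRF posture of a token API rests on. If it does, the behaviour difference belongs in the comment, e.g. `# bypass_sign_in stores the user in the session; sign_in(..., store: false) did not — verify before relying on it`. Style: `self.respond_to? :bypass_sign_in` is `respond_to?(:bypass_sign_in)`. `set_user_by_token` starts outside the hunk.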
From: Guillaume Dufloux Date: Wed, 22 Jun 2016 15:43:03 +0200 Subject: [PATCH 268/328] Update README.md fix setup config example --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5f57fcbcd..4481194bb 100644 --- a/README.md +++ b/README.md @@ -782,7 +782,7 @@ Yes! But you will need to enable the support use separate routes for standard De #### config/initializers/devise_token_auth.rb ~~~ruby DeviseTokenAuth.setup do |config| - # enable_standard_devise_support = false + # config.enable_standard_devise_support = false end ~~~ From 668dbaa8884da791550715963a708e52166b8dfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miika=20Lepp=C3=A4nen?= Date: Fri, 8 Jul 2016 13:59:57 +0300 Subject: [PATCH 269/328] Fix for issue #600 Method set_user_by_token is called(from current_user) after SessionController create action and @client_id was set to nil. --- .../devise_token_auth/concerns/set_user_by_token.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index e025c7802..17f28c202 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -30,8 +30,8 @@ def set_user_by_token(mapping=nil) # parse header for values necessary for authentication uid = request.headers[uid_name] || params[uid_name] - @token = request.headers[access_token_name] || params[access_token_name] - @client_id = request.headers[client_name] || params[client_name] + @token ||= request.headers[access_token_name] || params[access_token_name] + @client_id ||= request.headers[client_name] || params[client_name] # client_id isn't required, set to 'default' if absent @client_id ||= 'default' From 21f601d60c06a6ed33b51725164861a4a9f2a078 Mon Sep 17 00:00:00 2001 
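Review bot: Memoising only `@token` and `@client_id` with `||=` while `uid` on the line above is still read from the request alone makes the three inputs asymmetric: a call where the token pair survives from an earlier action but the request carries no uid header still reaches `user = uid && rc.find_by_uid(uid)` (visible in the PATCH 267 context of this file) with `uid` nil, unless an earlier `return @resource` short-circuit outside this hunk handles that case. Either carry `@uid` over the same way or add a comment stating why only the token pair is kept, e.g. `# keep a token already issued during this request (sessions#create) instead of re-reading headers — issue #600`. The `||=` also means any `@token` set earlier in the request now takes precedence over the header, which is the intended fix but is not stated anywhere in the code. `set_user_by_token` starts and ends outside the hunk.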
From: Brent Dearth Date: Mon, 11 Jul 2016 14:17:28 -0600 Subject: [PATCH 270/328] chore(deps): update dependencies + silence deprecation warnings in specs --- Gemfile.lock | 27 ++++++++++++++------------- devise_token_auth.gemspec | 2 +- test/dummy/config/application.rb | 2 ++ test/test_helper.rb | 2 +- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 804d58785..570c595b3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,7 +35,7 @@ PATH remote: . specs: devise_token_auth (0.1.37) - devise (> 3.5.2, < 4.1) + devise (> 3.5.2, <= 4.2) rails (< 6) GEM @@ -81,21 +81,20 @@ GEM arel (6.0.3) attr_encrypted (1.3.5) encryptor (~> 1.3.0) - bcrypt (3.1.10) + bcrypt (3.1.11) builder (3.2.2) codeclimate-test-reporter (0.4.8) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.0) colorize (0.7.7) - concurrent-ruby (1.0.0) + concurrent-ruby (1.0.2) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) - devise (3.5.5) + devise (4.2.0) bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (>= 3.2.6, < 5) + railties (>= 4.1.0, < 5.1) responders - thread_safe (~> 0.1) warden (~> 1.2.3) docile (1.1.5) encryptor (1.3.0) @@ -142,11 +141,13 @@ GEM loofah (2.0.3) nokogiri (>= 1.5.9) lumberjack (1.0.10) - mail (2.6.3) - mime-types (>= 1.16, < 3) + mail (2.6.4) + mime-types (>= 1.16, < 4) metaclass (0.0.4) method_source (0.8.2) - mime-types (2.99) + mime-types (3.1) + mime-types-data (~> 3.2015) + mime-types-data (3.2016.0521) mini_portile2 (2.0.0) minitest (5.8.4) minitest-focus (1.1.2) @@ -224,7 +225,7 @@ GEM rb-fsevent (0.9.7) rb-inotify (0.9.5) ffi (>= 0.5.0) - responders (2.1.1) + responders (2.2.0) railties (>= 4.2.0, < 5.1) ruby-progressbar (1.7.5) shellany (0.0.1) 
@@ -234,10 +235,10 @@ GEM simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) - sprockets (3.5.2) + sprockets (3.6.3) concurrent-ruby (~> 1.0) rack (> 1, < 3) - sprockets-rails (3.0.0) + sprockets-rails (3.1.1) actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) @@ -246,7 +247,7 @@ GEM thread_safe (0.3.5) tzinfo (1.2.2) thread_safe (~> 0.1) - warden (1.2.4) + warden (1.2.6) rack (>= 1.0) PLATFORMS diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index e16d95640..a77c00c76 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "> 3.5.2", "<= 4.1.1" + s.add_dependency "devise", "> 3.5.2", "<= 4.2" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' diff --git a/test/dummy/config/application.rb b/test/dummy/config/application.rb index ff7cd58d8..f265029f6 100644 --- a/test/dummy/config/application.rb +++ b/test/dummy/config/application.rb @@ -20,5 +20,7 @@ class Application < Rails::Application # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s] # config.i18n.default_locale = :de config.autoload_paths << Rails.root.join('lib') + + config.active_record.raise_in_transactional_callbacks = true end end diff --git a/test/test_helper.rb b/test/test_helper.rb index 3b9f88871..a37e30d30 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -55,7 +55,7 @@ def expire_token(user, client_id) end class ActionController::TestCase - include Devise::TestHelpers + include Devise::Test::ControllerHelpers setup do @routes = Dummy::Application.routes From 5f9f16c7f8b20e80441060ebaecef53eee08baf4 Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Mon, 11 Jul 2016 14:29:24 -0600 Subject: [PATCH 271/328] v0.1.38 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 570c595b3..3c8e60a09 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.37) + devise_token_auth (0.1.38) devise (> 3.5.2, <= 4.2) rails (< 6) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index fcfd69e8b..1c431a656 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.37" + VERSION = "0.1.38" end From fde6f98f489c0e9179b1395364dc0de06e2bec25 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 11 Jul 2016 14:34:18 -0600 Subject: [PATCH 272/328] chore(changelog): update changelog v0.1.37 -> v0.1.38 --- CHANGELOG.md | 407 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 407 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 757530137..6f9219fcd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,410 @@ # Change Log +## [0.1.38](https://github.com/lynndylanhurley/devise_token_auth/tree/HEAD) + +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37...HEAD) + +**Implemented enhancements:** + +- Rails generator to update views [\#33](https://github.com/lynndylanhurley/devise_token_auth/issues/33) +- Extract Omniauth attributes assignation into a method [\#31](https://github.com/lynndylanhurley/devise_token_auth/issues/31) + +**Fixed bugs:** + +- Generator doesn't work correctly with mongoid and/or rails-api [\#14](https://github.com/lynndylanhurley/devise_token_auth/issues/14) +- Generator issues [\#13](https://github.com/lynndylanhurley/devise_token_auth/issues/13) + +**Closed issues:** + +- rails g devise\_token\_auth:install User auth hangs and does nothing [\#671](https://github.com/lynndylanhurley/devise_token_auth/issues/671) +- callback :set\_user\_by\_token has not been defined [\#649](https://github.com/lynndylanhurley/devise_token_auth/issues/649) +- Issues with active\_model\_serializers [\#644](https://github.com/lynndylanhurley/devise_token_auth/issues/644) +- Error with devise [\#643](https://github.com/lynndylanhurley/devise_token_auth/issues/643) +- undefined method `token\_validation\_response' [\#635](https://github.com/lynndylanhurley/devise_token_auth/issues/635) +- when password is reset from UI, all tokens must be removed if remove\_tokens\_after\_password\_reset is true [\#634](https://github.com/lynndylanhurley/devise_token_auth/issues/634) +- Relax devise dependency to allow 4.1 [\#631](https://github.com/lynndylanhurley/devise_token_auth/issues/631) +- Rails 5 generator doesn't insert concern [\#627](https://github.com/lynndylanhurley/devise_token_auth/issues/627) +- NoMethodError \(undefined method `find\_by\_uid'\) in production. 
[\#625](https://github.com/lynndylanhurley/devise_token_auth/issues/625) +- Curl not working for sign\_in but works on ng-token-angular [\#620](https://github.com/lynndylanhurley/devise_token_auth/issues/620) +- After Sign-in success, The following requests on Angular side are unauthorized. [\#619](https://github.com/lynndylanhurley/devise_token_auth/issues/619) +- Omniauth - Facebook app doesn't run callback url after successful Facebook authentication [\#615](https://github.com/lynndylanhurley/devise_token_auth/issues/615) +- :authenticate\_user! wired behaviour [\#614](https://github.com/lynndylanhurley/devise_token_auth/issues/614) +- current\_user is nil, request headers are all upcased and prefixed with HTML\_ [\#611](https://github.com/lynndylanhurley/devise_token_auth/issues/611) +- Problem in generated routes [\#607](https://github.com/lynndylanhurley/devise_token_auth/issues/607) +- Rails 5 API Mode - no headers in response [\#606](https://github.com/lynndylanhurley/devise_token_auth/issues/606) +- Filter chain halted as :authenticate\_user! 
rendered or redirected [\#603](https://github.com/lynndylanhurley/devise_token_auth/issues/603) +- 422 Unprocessable Entity when using local IP address [\#601](https://github.com/lynndylanhurley/devise_token_auth/issues/601) +- overriding rendering methods in devise\_token\_auth [\#597](https://github.com/lynndylanhurley/devise_token_auth/issues/597) +- redirect\_url is missing in email instructions sent to the user for password reset [\#588](https://github.com/lynndylanhurley/devise_token_auth/issues/588) +- Unpermitted parameter: {"email":"mail@gmail.com","password":"abcdefgh","password\_confirmation":"abcdefgh"} [\#587](https://github.com/lynndylanhurley/devise_token_auth/issues/587) +- can't authenticate user when opening a new download tab [\#582](https://github.com/lynndylanhurley/devise_token_auth/issues/582) +- Mails are not being sent [\#581](https://github.com/lynndylanhurley/devise_token_auth/issues/581) +- current\_user seems to be nil after doing requests from different tabs [\#579](https://github.com/lynndylanhurley/devise_token_auth/issues/579) +- Do we have any rspec helpers to sign\_in an user? [\#577](https://github.com/lynndylanhurley/devise_token_auth/issues/577) +- Cannot override json response of authenticate\_user! [\#575](https://github.com/lynndylanhurley/devise_token_auth/issues/575) +- return custom json data after sign\_in [\#567](https://github.com/lynndylanhurley/devise_token_auth/issues/567) +- /auth/validate\_token works but getting 401 unauthorized when sending request with auth headers [\#550](https://github.com/lynndylanhurley/devise_token_auth/issues/550) +- Where is the access key of omniauth provider? [\#549](https://github.com/lynndylanhurley/devise_token_auth/issues/549) +- How this gem is different from a JWT system? 
[\#543](https://github.com/lynndylanhurley/devise_token_auth/issues/543) +- Improper formatting for JSON API error/success responses [\#536](https://github.com/lynndylanhurley/devise_token_auth/issues/536) +- Is it a hybrid authentication system? [\#527](https://github.com/lynndylanhurley/devise_token_auth/issues/527) +- check\_current\_password\_before\_update still requires password when resetting password [\#526](https://github.com/lynndylanhurley/devise_token_auth/issues/526) +- Manually authenticate for testing [\#521](https://github.com/lynndylanhurley/devise_token_auth/issues/521) +- Support for STI [\#517](https://github.com/lynndylanhurley/devise_token_auth/issues/517) +- JSON responses don't fit JSON\_API requirements [\#512](https://github.com/lynndylanhurley/devise_token_auth/issues/512) +- Not working with rails 5 and devise master [\#504](https://github.com/lynndylanhurley/devise_token_auth/issues/504) +- Unpermitted parameters: confirm\_success\_url, config\_name, registration [\#501](https://github.com/lynndylanhurley/devise_token_auth/issues/501) +- set\_user\_by\_token not defined in production for rails 5 [\#500](https://github.com/lynndylanhurley/devise_token_auth/issues/500) +- Master branch no longer working with devise master branch \(version error\) [\#498](https://github.com/lynndylanhurley/devise_token_auth/issues/498) +- uid is not getting set in git revision 996b9cf23a18 [\#497](https://github.com/lynndylanhurley/devise_token_auth/issues/497) +- ve\_model\_serializer namespace [\#492](https://github.com/lynndylanhurley/devise_token_auth/issues/492) +- User remains logged in when using devise and devise\_token\_auth in the same app [\#486](https://github.com/lynndylanhurley/devise_token_auth/issues/486) +- DEPRECATION WARNING: alias\_method\_chain is deprecated. 
Rails 5 [\#482](https://github.com/lynndylanhurley/devise_token_auth/issues/482) +- validate\_token - resource\_name - undefined method `name' for nil:NilClass [\#480](https://github.com/lynndylanhurley/devise_token_auth/issues/480) +- Helpers being loaded for Rails API's [\#468](https://github.com/lynndylanhurley/devise_token_auth/issues/468) +- Unable to call `rails g devise\_token\_auth:install` within rails engine [\#465](https://github.com/lynndylanhurley/devise_token_auth/issues/465) +- locales `errors.messages.already\_in\_use` seems broken [\#463](https://github.com/lynndylanhurley/devise_token_auth/issues/463) +- It shows "An error occurred" after omniauth callback [\#445](https://github.com/lynndylanhurley/devise_token_auth/issues/445) +- - [\#444](https://github.com/lynndylanhurley/devise_token_auth/issues/444) +- Put Access Token in body [\#442](https://github.com/lynndylanhurley/devise_token_auth/issues/442) +- Unable to add a new param for sign up [\#440](https://github.com/lynndylanhurley/devise_token_auth/issues/440) +- Undefined method provider from devise\_toke\_auth concerns/user.rb [\#438](https://github.com/lynndylanhurley/devise_token_auth/issues/438) +- Scoped DeviseToken but it still affects the original Omniauth redirects. [\#429](https://github.com/lynndylanhurley/devise_token_auth/issues/429) +- Can't create user via api [\#422](https://github.com/lynndylanhurley/devise_token_auth/issues/422) +- Password Reset question, do I need my own form? 
[\#418](https://github.com/lynndylanhurley/devise_token_auth/issues/418) +- Large Size on Disk [\#415](https://github.com/lynndylanhurley/devise_token_auth/issues/415) +- The validate\_token function in the readme is missing a parameter [\#413](https://github.com/lynndylanhurley/devise_token_auth/issues/413) +- Cannot migrate database: NoMethodError: undefined method `new' for DeviseTokenAuth:Module [\#406](https://github.com/lynndylanhurley/devise_token_auth/issues/406) +- change\_headers\_on\_each\_request and batch requests [\#403](https://github.com/lynndylanhurley/devise_token_auth/issues/403) +- Multiple users, returning\(and creating\) wrong model's auth token [\#399](https://github.com/lynndylanhurley/devise_token_auth/issues/399) +- Can't verify CSRF token authenticity [\#398](https://github.com/lynndylanhurley/devise_token_auth/issues/398) +- uninitialized constant DeviseTokenAuth::OmniauthCallbacksController::BCrypt [\#393](https://github.com/lynndylanhurley/devise_token_auth/issues/393) +- Sign in not success. 
[\#388](https://github.com/lynndylanhurley/devise_token_auth/issues/388) +- password length [\#380](https://github.com/lynndylanhurley/devise_token_auth/issues/380) +- Devise token auth not found routing error [\#379](https://github.com/lynndylanhurley/devise_token_auth/issues/379) +- Defining a custom primary key [\#378](https://github.com/lynndylanhurley/devise_token_auth/issues/378) +- seeing other users data after login/out with different users on ionic [\#375](https://github.com/lynndylanhurley/devise_token_auth/issues/375) +- omniauth: when redirecting, user object should not be serialized into url [\#368](https://github.com/lynndylanhurley/devise_token_auth/issues/368) +- getting ng-token-auth and devise\_token\_auth to work with OAuth in ionic InAppBrowser [\#367](https://github.com/lynndylanhurley/devise_token_auth/issues/367) +- omniauth callback redirect not working properly when using namespace/scope [\#362](https://github.com/lynndylanhurley/devise_token_auth/issues/362) +- invalid token in method set\_user\_by\_token on RegistrationsController\#update [\#357](https://github.com/lynndylanhurley/devise_token_auth/issues/357) +- Allow devise patch version updates [\#351](https://github.com/lynndylanhurley/devise_token_auth/issues/351) +- Error validating token [\#348](https://github.com/lynndylanhurley/devise_token_auth/issues/348) +- Allow for HTTP Basic Auth ? 
[\#337](https://github.com/lynndylanhurley/devise_token_auth/issues/337) +- Allow Omniauth user reset password [\#335](https://github.com/lynndylanhurley/devise_token_auth/issues/335) +- NameError \(uninitialized constant DeviseTokenAuth::Concerns::User::BCrypt\) [\#333](https://github.com/lynndylanhurley/devise_token_auth/issues/333) +- Unpermitted parameters: format, session [\#328](https://github.com/lynndylanhurley/devise_token_auth/issues/328) +- devise token auth + Save Facebook auth\_hash info in database [\#326](https://github.com/lynndylanhurley/devise_token_auth/issues/326) +- Error sending password reset email when not using confirmable \(reopened \#124\) [\#321](https://github.com/lynndylanhurley/devise_token_auth/issues/321) +- Routing error / Preflight request / OPTIONS [\#320](https://github.com/lynndylanhurley/devise_token_auth/issues/320) +- delete tokens after password change [\#318](https://github.com/lynndylanhurley/devise_token_auth/issues/318) +- Can't authorize \(user\_signed\_in? always show false\) [\#315](https://github.com/lynndylanhurley/devise_token_auth/issues/315) +- Warden::SessionSerializer - wrong number of arguments \(2 for 1\) [\#312](https://github.com/lynndylanhurley/devise_token_auth/issues/312) +- The action 'twitter' could not be found for DeviseTokenAuth::OmniauthCallbacksController [\#309](https://github.com/lynndylanhurley/devise_token_auth/issues/309) +- Having 401 Unauthorized only with mobile [\#305](https://github.com/lynndylanhurley/devise_token_auth/issues/305) +- remove unused nickname, image from user object [\#304](https://github.com/lynndylanhurley/devise_token_auth/issues/304) +- HI, This is more of a doubt since I could not finding anything related to this in your documentation. 
[\#300](https://github.com/lynndylanhurley/devise_token_auth/issues/300) +- Getting 401's when making requests using iOS/Android clients [\#299](https://github.com/lynndylanhurley/devise_token_auth/issues/299) +- undefined method `tokens' for \#\ [\#297](https://github.com/lynndylanhurley/devise_token_auth/issues/297) +- Confirmation URL giving bad arguments [\#293](https://github.com/lynndylanhurley/devise_token_auth/issues/293) +- set\_user\_by\_token not called in overriden controller [\#291](https://github.com/lynndylanhurley/devise_token_auth/issues/291) +- Question: Should we send password reset instructions to unconfirmed emails? [\#287](https://github.com/lynndylanhurley/devise_token_auth/issues/287) +- NoMethodError \(undefined method `\[\]' for nil:NilClass\): [\#286](https://github.com/lynndylanhurley/devise_token_auth/issues/286) +- Facebook omniauth redirection is missing url when testing on localhost [\#285](https://github.com/lynndylanhurley/devise_token_auth/issues/285) +- No route matches \[GET\] "/users/facebook/callback" [\#280](https://github.com/lynndylanhurley/devise_token_auth/issues/280) +- No route matches \[GET\] "/omniauth/:provider" [\#278](https://github.com/lynndylanhurley/devise_token_auth/issues/278) +- How to refresh token/expiry? [\#275](https://github.com/lynndylanhurley/devise_token_auth/issues/275) +- wrong number of arguments \(1 for 0\): in DeviseTokenAuth::RegistrationsController\#create [\#274](https://github.com/lynndylanhurley/devise_token_auth/issues/274) +- Can not save a user with nil tokens attribute [\#271](https://github.com/lynndylanhurley/devise_token_auth/issues/271) +- Shouldn't validate\_token param be access-token, not auth\_token? 
[\#270](https://github.com/lynndylanhurley/devise_token_auth/issues/270) +- include associations on login [\#269](https://github.com/lynndylanhurley/devise_token_auth/issues/269) +- Failure route not handled [\#262](https://github.com/lynndylanhurley/devise_token_auth/issues/262) +- Getting Unauthorized error even after sending the correct token, uid and client [\#261](https://github.com/lynndylanhurley/devise_token_auth/issues/261) +- Weird error message [\#259](https://github.com/lynndylanhurley/devise_token_auth/issues/259) +- undefined method `provider' for \#\ [\#257](https://github.com/lynndylanhurley/devise_token_auth/issues/257) +- Custom Serializer like ActiveModel Serializer [\#249](https://github.com/lynndylanhurley/devise_token_auth/issues/249) +- File download with query params [\#246](https://github.com/lynndylanhurley/devise_token_auth/issues/246) +- Info: is devise\_token\_auth compatible with rails 3.2.19? [\#245](https://github.com/lynndylanhurley/devise_token_auth/issues/245) +- Headers required for different methods [\#243](https://github.com/lynndylanhurley/devise_token_auth/issues/243) +- Unpermitted parameters: format, session, lang [\#239](https://github.com/lynndylanhurley/devise_token_auth/issues/239) +- On sign\_in, devise\_token\_auth expects the uid to be the same as the email [\#237](https://github.com/lynndylanhurley/devise_token_auth/issues/237) +- Name conflict with inherited\_resources [\#236](https://github.com/lynndylanhurley/devise_token_auth/issues/236) +- sign\_in will not fetch the token [\#234](https://github.com/lynndylanhurley/devise_token_auth/issues/234) +- Remove \('\#'\) symbol when using html5mode in locationProvider [\#232](https://github.com/lynndylanhurley/devise_token_auth/issues/232) +- Log in request 401 error [\#231](https://github.com/lynndylanhurley/devise_token_auth/issues/231) +- User Registration - "email address already in use" when it is unique 
[\#230](https://github.com/lynndylanhurley/devise_token_auth/issues/230) +- Devise email validation disabled...why? [\#229](https://github.com/lynndylanhurley/devise_token_auth/issues/229) +- confirm\_success\_url error not working [\#226](https://github.com/lynndylanhurley/devise_token_auth/issues/226) +- pending\_reconfirmation called when confirmable isn't used [\#224](https://github.com/lynndylanhurley/devise_token_auth/issues/224) +- omniauth\_success.html.erb JSON bug [\#221](https://github.com/lynndylanhurley/devise_token_auth/issues/221) +- Using devise\_token\_auth and ng\_token\_auth with angularJS in an Ionic Hybrid application [\#218](https://github.com/lynndylanhurley/devise_token_auth/issues/218) +- Where can I got token? [\#217](https://github.com/lynndylanhurley/devise_token_auth/issues/217) +- URI fragment prevent to send params in Confirmation URL [\#213](https://github.com/lynndylanhurley/devise_token_auth/issues/213) +- Generating many client tokens [\#210](https://github.com/lynndylanhurley/devise_token_auth/issues/210) +- Limit tokens hash? 
[\#208](https://github.com/lynndylanhurley/devise_token_auth/issues/208) +- 500 error returned when no data is POSTed to registration controller [\#203](https://github.com/lynndylanhurley/devise_token_auth/issues/203) +- undefined method `match' for nil:NilClass [\#201](https://github.com/lynndylanhurley/devise_token_auth/issues/201) +- DELETE method becoming OPTIONS @ Heroku [\#197](https://github.com/lynndylanhurley/devise_token_auth/issues/197) +- 40 Mb log file and 1 minute to have token with curl [\#195](https://github.com/lynndylanhurley/devise_token_auth/issues/195) +- 401 unauthorized [\#193](https://github.com/lynndylanhurley/devise_token_auth/issues/193) +- GET requests to sign\_in shouldn't raise an exception [\#190](https://github.com/lynndylanhurley/devise_token_auth/issues/190) +- Api not locked by default [\#189](https://github.com/lynndylanhurley/devise_token_auth/issues/189) +- Rails 4.1 [\#187](https://github.com/lynndylanhurley/devise_token_auth/issues/187) +- Unable to override OmniauthCallbacksController\#redirect\_callbacks [\#186](https://github.com/lynndylanhurley/devise_token_auth/issues/186) +- Token based authentication with no sessions [\#183](https://github.com/lynndylanhurley/devise_token_auth/issues/183) +- undefined method `authenticate\_user!' [\#182](https://github.com/lynndylanhurley/devise_token_auth/issues/182) +- confirm\_success\_url shouldn't be a required param [\#176](https://github.com/lynndylanhurley/devise_token_auth/issues/176) +- Provide an OAuth implementation for native apps [\#175](https://github.com/lynndylanhurley/devise_token_auth/issues/175) +- getting an argument error when trying to use omniauth [\#174](https://github.com/lynndylanhurley/devise_token_auth/issues/174) +- Sign in via username doesn't seem to work correctly. [\#173](https://github.com/lynndylanhurley/devise_token_auth/issues/173) +- Cannot use + sign in email address. 
[\#171](https://github.com/lynndylanhurley/devise_token_auth/issues/171) +- How can i authenticate using curl and get private entries ! [\#167](https://github.com/lynndylanhurley/devise_token_auth/issues/167) +- Pessimistic Locking produces ArgumentError [\#165](https://github.com/lynndylanhurley/devise_token_auth/issues/165) +- POTENTIAL SECURITY RISK: Setting confirm\_success\_url and redirect\_url via API [\#162](https://github.com/lynndylanhurley/devise_token_auth/issues/162) +- Sign out just on client side ? [\#161](https://github.com/lynndylanhurley/devise_token_auth/issues/161) +- Unpermitted parameter: redirect\_url [\#160](https://github.com/lynndylanhurley/devise_token_auth/issues/160) +- Issues using devise and devise\_token\_auth [\#159](https://github.com/lynndylanhurley/devise_token_auth/issues/159) +- Add role based authorization [\#158](https://github.com/lynndylanhurley/devise_token_auth/issues/158) +- Not compatible with ActiveAdmin [\#156](https://github.com/lynndylanhurley/devise_token_auth/issues/156) +- \[Duplicate\] is devise\_invitable supported? [\#154](https://github.com/lynndylanhurley/devise_token_auth/issues/154) +- User can register with a "false" email [\#149](https://github.com/lynndylanhurley/devise_token_auth/issues/149) +- /validate\_token [\#148](https://github.com/lynndylanhurley/devise_token_auth/issues/148) +- Email confirmation link [\#147](https://github.com/lynndylanhurley/devise_token_auth/issues/147) +- Tokens field on database [\#146](https://github.com/lynndylanhurley/devise_token_auth/issues/146) +- Twitter OAuth always throughs CookieOverflow [\#145](https://github.com/lynndylanhurley/devise_token_auth/issues/145) +- Is there a way to configure apiUrl for both dev and prod? 
[\#144](https://github.com/lynndylanhurley/devise_token_auth/issues/144) +- Getting 401 unauthorized on login attempt [\#142](https://github.com/lynndylanhurley/devise_token_auth/issues/142) +- Comparing with jwt [\#140](https://github.com/lynndylanhurley/devise_token_auth/issues/140) +- Can't get omniauth to work \(error in redirect\_callbacks\) [\#139](https://github.com/lynndylanhurley/devise_token_auth/issues/139) +- Change controller inheritance [\#138](https://github.com/lynndylanhurley/devise_token_auth/issues/138) +- Reset Password call returns 400 for Not Found user [\#137](https://github.com/lynndylanhurley/devise_token_auth/issues/137) +- The gem is too big. Please take care of it. [\#136](https://github.com/lynndylanhurley/devise_token_auth/issues/136) +- Error when loging with facebook the second time without logout [\#135](https://github.com/lynndylanhurley/devise_token_auth/issues/135) +- OmniAuth redirect doesn't work if using the generated mount\_devise\_token route [\#133](https://github.com/lynndylanhurley/devise_token_auth/issues/133) +- Missing template /omniauth\_response [\#132](https://github.com/lynndylanhurley/devise_token_auth/issues/132) +- Unpermitted parameter: session [\#130](https://github.com/lynndylanhurley/devise_token_auth/issues/130) +- OAuth error: We're sorry, but something went wrong [\#129](https://github.com/lynndylanhurley/devise_token_auth/issues/129) +- Would it be useful to integrate login with username ? 
[\#127](https://github.com/lynndylanhurley/devise_token_auth/issues/127) +- Sign in with login instead of email [\#126](https://github.com/lynndylanhurley/devise_token_auth/issues/126) +- Error sending password reset email when not using confirmable [\#124](https://github.com/lynndylanhurley/devise_token_auth/issues/124) +- Using expired token for parallel calls [\#123](https://github.com/lynndylanhurley/devise_token_auth/issues/123) +- User tokens don't properly deserialize [\#121](https://github.com/lynndylanhurley/devise_token_auth/issues/121) +- Could not load 'omniauth' [\#118](https://github.com/lynndylanhurley/devise_token_auth/issues/118) +- bad argument \(expected URI object or URI string\) [\#116](https://github.com/lynndylanhurley/devise_token_auth/issues/116) +- devise\_token\_auth for public API, but devise for rest of app? [\#114](https://github.com/lynndylanhurley/devise_token_auth/issues/114) +- Omniauthable deleted on UsersConcern : Why ? [\#111](https://github.com/lynndylanhurley/devise_token_auth/issues/111) +- Unrequired route [\#110](https://github.com/lynndylanhurley/devise_token_auth/issues/110) +- raises NoMethodError instead of displaying error when email is missing [\#108](https://github.com/lynndylanhurley/devise_token_auth/issues/108) +- Error with RailsAdmin. 
"The action 'new' could not be found for DeviseTokenAuth::SessionsController" [\#107](https://github.com/lynndylanhurley/devise_token_auth/issues/107) +- Circular dependency detected while autoloading constant Api [\#106](https://github.com/lynndylanhurley/devise_token_auth/issues/106) +- Can't Authenticate via cURL [\#105](https://github.com/lynndylanhurley/devise_token_auth/issues/105) +- Unpermitted parameters: user, registration [\#104](https://github.com/lynndylanhurley/devise_token_auth/issues/104) +- BCrypt::Errors::InvalidSalt errors [\#103](https://github.com/lynndylanhurley/devise_token_auth/issues/103) +- Active job token expiring integration [\#102](https://github.com/lynndylanhurley/devise_token_auth/issues/102) +- The action 'new' could not be found for DeviseTokenAuth::RegistrationsController [\#100](https://github.com/lynndylanhurley/devise_token_auth/issues/100) +- Disable confirmable [\#99](https://github.com/lynndylanhurley/devise_token_auth/issues/99) +- responders - rails 4.2 [\#98](https://github.com/lynndylanhurley/devise_token_auth/issues/98) +- forward skip to devise [\#97](https://github.com/lynndylanhurley/devise_token_auth/issues/97) +- API versioning the devise scope of token validation and ominiauth controller path will wrap up [\#96](https://github.com/lynndylanhurley/devise_token_auth/issues/96) +- Overwriting default "from" email address [\#94](https://github.com/lynndylanhurley/devise_token_auth/issues/94) +- uninitialized constant DeviseTokenAuth [\#92](https://github.com/lynndylanhurley/devise_token_auth/issues/92) +- change\_headers\_on\_each\_request not working expiry header empty [\#90](https://github.com/lynndylanhurley/devise_token_auth/issues/90) +- Gem render consistency [\#87](https://github.com/lynndylanhurley/devise_token_auth/issues/87) +- Sample Sessions Controller for logging in via Rails View. 
[\#86](https://github.com/lynndylanhurley/devise_token_auth/issues/86) +- Change authorization key: Use phone\_number instead of email [\#84](https://github.com/lynndylanhurley/devise_token_auth/issues/84) +- Conflict with active\_admin gem [\#83](https://github.com/lynndylanhurley/devise_token_auth/issues/83) +- NoMethodError in DeviseTokenAuth::OmniauthCallbacksController\#redirect\_callbacks [\#82](https://github.com/lynndylanhurley/devise_token_auth/issues/82) +- All the APIs are getting 'Authorized users only' [\#81](https://github.com/lynndylanhurley/devise_token_auth/issues/81) +- Is Devise option Rememberable required ? [\#80](https://github.com/lynndylanhurley/devise_token_auth/issues/80) +- Problem with skip\_confirmation! [\#78](https://github.com/lynndylanhurley/devise_token_auth/issues/78) +- Cannot reset password if registered by omniauth [\#77](https://github.com/lynndylanhurley/devise_token_auth/issues/77) +- NoMethodError at /omniauth/facebook/callback - undefined method `\[\]' for nil:NilClass [\#76](https://github.com/lynndylanhurley/devise_token_auth/issues/76) +- Remove dependency on ActiveRecord [\#72](https://github.com/lynndylanhurley/devise_token_auth/issues/72) +- Skipping Registrations Controller Altogether [\#70](https://github.com/lynndylanhurley/devise_token_auth/issues/70) +- Problem in validate\_token if the model is in a namespace [\#69](https://github.com/lynndylanhurley/devise_token_auth/issues/69) +- Cannot send confirmation email if there is no 'User' model [\#68](https://github.com/lynndylanhurley/devise_token_auth/issues/68) +- Better guidelines for contributors [\#65](https://github.com/lynndylanhurley/devise_token_auth/issues/65) +- admin namespace [\#63](https://github.com/lynndylanhurley/devise_token_auth/issues/63) +- Devise trackable module not working [\#62](https://github.com/lynndylanhurley/devise_token_auth/issues/62) +- Devise\_token\_auth without OmniAuth authentication 
[\#60](https://github.com/lynndylanhurley/devise_token_auth/issues/60) +- Reset Password error [\#59](https://github.com/lynndylanhurley/devise_token_auth/issues/59) +- Confirmable - unconfirmed email [\#58](https://github.com/lynndylanhurley/devise_token_auth/issues/58) +- Email Column Isn't Used for Database Authentication [\#56](https://github.com/lynndylanhurley/devise_token_auth/issues/56) +- Unique Key for Provider and UID Combination [\#55](https://github.com/lynndylanhurley/devise_token_auth/issues/55) +- User Info in separate table or removed [\#53](https://github.com/lynndylanhurley/devise_token_auth/issues/53) +- rename @user to @resource [\#48](https://github.com/lynndylanhurley/devise_token_auth/issues/48) +- Active\_admin issue [\#47](https://github.com/lynndylanhurley/devise_token_auth/issues/47) +- Possible Logout Issue [\#46](https://github.com/lynndylanhurley/devise_token_auth/issues/46) +- Routes not appended to routes.rb [\#45](https://github.com/lynndylanhurley/devise_token_auth/issues/45) +- Return resource.errors.full\_messages in addition to resource.errors [\#44](https://github.com/lynndylanhurley/devise_token_auth/issues/44) +- Devise and Devise\_Token\_Auth in api namespace [\#43](https://github.com/lynndylanhurley/devise_token_auth/issues/43) +- Trackable attributes are not being updated. 
[\#42](https://github.com/lynndylanhurley/devise_token_auth/issues/42) +- Avoid using respond\_to in application controller [\#41](https://github.com/lynndylanhurley/devise_token_auth/issues/41) +- devise\_token\_auth assumes you want the :confirmable functionality [\#40](https://github.com/lynndylanhurley/devise_token_auth/issues/40) +- undefined method `match' for nil:NilClass [\#39](https://github.com/lynndylanhurley/devise_token_auth/issues/39) +- Expired token aren't removed when session expires [\#38](https://github.com/lynndylanhurley/devise_token_auth/issues/38) +- sign\_up helper [\#37](https://github.com/lynndylanhurley/devise_token_auth/issues/37) +- self.tokens\[client\_id\]\['token'\] != token [\#30](https://github.com/lynndylanhurley/devise_token_auth/issues/30) +- How is the uid generated for non-omniauth users? [\#29](https://github.com/lynndylanhurley/devise_token_auth/issues/29) +- Access to current\_user variable? [\#28](https://github.com/lynndylanhurley/devise_token_auth/issues/28) +- Filter chain halted as :require\_no\_authentication [\#27](https://github.com/lynndylanhurley/devise_token_auth/issues/27) +- Allow additional parameters for registration [\#25](https://github.com/lynndylanhurley/devise_token_auth/issues/25) +- Cannot add more parameters at sign\_up [\#22](https://github.com/lynndylanhurley/devise_token_auth/issues/22) +- Error on Registration [\#21](https://github.com/lynndylanhurley/devise_token_auth/issues/21) +- Error with authentication [\#20](https://github.com/lynndylanhurley/devise_token_auth/issues/20) +- Cascade of Issues with Omniauth\(?\) [\#18](https://github.com/lynndylanhurley/devise_token_auth/issues/18) +- Batch Requests Respond with Original Auth Token [\#17](https://github.com/lynndylanhurley/devise_token_auth/issues/17) +- Sign out with email provider error [\#16](https://github.com/lynndylanhurley/devise_token_auth/issues/16) +- sessions\_controller.rb 
[\#12](https://github.com/lynndylanhurley/devise_token_auth/issues/12) +- Github login in example is broken [\#10](https://github.com/lynndylanhurley/devise_token_auth/issues/10) +- Facebook auth is broken [\#9](https://github.com/lynndylanhurley/devise_token_auth/issues/9) +- Generator is not working [\#8](https://github.com/lynndylanhurley/devise_token_auth/issues/8) +- Test ticket from Code Climate [\#6](https://github.com/lynndylanhurley/devise_token_auth/issues/6) +- Test ticket from Code Climate [\#5](https://github.com/lynndylanhurley/devise_token_auth/issues/5) +- extending the devise\_token\_auth user model [\#4](https://github.com/lynndylanhurley/devise_token_auth/issues/4) +- A few ideas [\#3](https://github.com/lynndylanhurley/devise_token_auth/issues/3) +- Google Oauth2 does not set cookies in production. [\#1](https://github.com/lynndylanhurley/devise_token_auth/issues/1) + +**Merged pull requests:** + +- Fix for issue \#600 [\#674](https://github.com/lynndylanhurley/devise_token_auth/pull/674) ([milep](https://github.com/milep)) +- Fix setup config example in README [\#665](https://github.com/lynndylanhurley/devise_token_auth/pull/665) ([guich-wo](https://github.com/guich-wo)) +- added bypass\_sign\_in for next version of Devise [\#663](https://github.com/lynndylanhurley/devise_token_auth/pull/663) ([KendallPark](https://github.com/KendallPark)) +- fix method 'is\_json\_api' with active\_model\_serialier v 0.10.0 [\#651](https://github.com/lynndylanhurley/devise_token_auth/pull/651) ([woodcrust](https://github.com/woodcrust)) +- Tokens count overmuch fixed [\#650](https://github.com/lynndylanhurley/devise_token_auth/pull/650) ([JerryGreen](https://github.com/JerryGreen)) +- updates config wrapper to conform with newer idiom [\#648](https://github.com/lynndylanhurley/devise_token_auth/pull/648) ([bvandgrift](https://github.com/bvandgrift)) +- Adding support for devise 4.1.1 [\#642](https://github.com/lynndylanhurley/devise_token_auth/pull/642) 
([iainmcg](https://github.com/iainmcg)) +- Updating Devise dependency to max 4.1.1 [\#641](https://github.com/lynndylanhurley/devise_token_auth/pull/641) ([TGRGIT](https://github.com/TGRGIT)) +- Fix yields from controller actions [\#638](https://github.com/lynndylanhurley/devise_token_auth/pull/638) ([tiagojsag](https://github.com/tiagojsag)) +- Fix generator to correctly inject content into the user model in rails 5 [\#636](https://github.com/lynndylanhurley/devise_token_auth/pull/636) ([ethangk](https://github.com/ethangk)) +- fix spelling in comment on token auth concern [\#632](https://github.com/lynndylanhurley/devise_token_auth/pull/632) ([dandlezzz](https://github.com/dandlezzz)) +- fixed devise deprecation warning for config.email\_regexp [\#618](https://github.com/lynndylanhurley/devise_token_auth/pull/618) ([lemuelbarango](https://github.com/lemuelbarango)) +- Revert "Update readme for headers names" [\#592](https://github.com/lynndylanhurley/devise_token_auth/pull/592) ([y4ashida](https://github.com/y4ashida)) +- Update readme for headers names [\#589](https://github.com/lynndylanhurley/devise_token_auth/pull/589) ([y4ashida](https://github.com/y4ashida)) +- Add info to README [\#585](https://github.com/lynndylanhurley/devise_token_auth/pull/585) ([ghost](https://github.com/ghost)) +- Fix typo and remove trailing spaces [\#578](https://github.com/lynndylanhurley/devise_token_auth/pull/578) ([y4ashida](https://github.com/y4ashida)) +- allowing authenticating using headers as well as a post request [\#576](https://github.com/lynndylanhurley/devise_token_auth/pull/576) ([ingolfured](https://github.com/ingolfured)) +- Whitespace: tabs removed [\#574](https://github.com/lynndylanhurley/devise_token_auth/pull/574) ([olleolleolle](https://github.com/olleolleolle)) +- Added dutch translations [\#571](https://github.com/lynndylanhurley/devise_token_auth/pull/571) ([nschmoller](https://github.com/nschmoller)) +- now possible to change headers names in the config 
file [\#569](https://github.com/lynndylanhurley/devise_token_auth/pull/569) ([ingolfured](https://github.com/ingolfured)) +- User concern: Ensure fallback is in place [\#564](https://github.com/lynndylanhurley/devise_token_auth/pull/564) ([olleolleolle](https://github.com/olleolleolle)) +- Return resource with top-level 'type' member. [\#562](https://github.com/lynndylanhurley/devise_token_auth/pull/562) ([ruimiguelsantos](https://github.com/ruimiguelsantos)) +- Fix devise mapping [\#540](https://github.com/lynndylanhurley/devise_token_auth/pull/540) ([merqlove](https://github.com/merqlove)) +- Make all json responses to be json\_api compliant [\#537](https://github.com/lynndylanhurley/devise_token_auth/pull/537) ([djsegal](https://github.com/djsegal)) +- Avoid sending auth headers if while processing used token is cleared [\#531](https://github.com/lynndylanhurley/devise_token_auth/pull/531) ([virginia-rodriguez](https://github.com/virginia-rodriguez)) +- Add Japanese locale and fix typo [\#530](https://github.com/lynndylanhurley/devise_token_auth/pull/530) ([metalunk](https://github.com/metalunk)) +- Added omniauth post route [\#528](https://github.com/lynndylanhurley/devise_token_auth/pull/528) ([v3rtx](https://github.com/v3rtx)) +- Extract model callbacks [\#525](https://github.com/lynndylanhurley/devise_token_auth/pull/525) ([merqlove](https://github.com/merqlove)) +- create token when no client\_id token [\#523](https://github.com/lynndylanhurley/devise_token_auth/pull/523) ([charlesdg](https://github.com/charlesdg)) +- Fix enable\_standard\_devise\_support in initializer [\#518](https://github.com/lynndylanhurley/devise_token_auth/pull/518) ([halilim](https://github.com/halilim)) +- Make render\_create\_success render valid json\_api [\#513](https://github.com/lynndylanhurley/devise_token_auth/pull/513) ([djsegal](https://github.com/djsegal)) +- Prevent raise of exception if set\_user\_by\_token not defined 
[\#511](https://github.com/lynndylanhurley/devise_token_auth/pull/511) ([jeryRazakarison](https://github.com/jeryRazakarison)) +- send\_on\_create\_confirmation\_instructions callback isn't defined \(rails 5\) [\#508](https://github.com/lynndylanhurley/devise_token_auth/pull/508) ([fivetwentysix](https://github.com/fivetwentysix)) +- \[REBASE\] Fix rails 5 deprecation and devise parameter sanitization [\#507](https://github.com/lynndylanhurley/devise_token_auth/pull/507) ([fivetwentysix](https://github.com/fivetwentysix)) +- remove deprecations from RegistrationsController [\#506](https://github.com/lynndylanhurley/devise_token_auth/pull/506) ([fivetwentysix](https://github.com/fivetwentysix)) +- Allow new devise version for rails 5 compatibility [\#499](https://github.com/lynndylanhurley/devise_token_auth/pull/499) ([djsegal](https://github.com/djsegal)) +- Spelling mistake [\#493](https://github.com/lynndylanhurley/devise_token_auth/pull/493) ([Tom-Tom](https://github.com/Tom-Tom)) +- Improve Brazilian Portuguese locale [\#491](https://github.com/lynndylanhurley/devise_token_auth/pull/491) ([ssouza](https://github.com/ssouza)) +- fix namespaced mapping name [\#484](https://github.com/lynndylanhurley/devise_token_auth/pull/484) ([paulosoares86](https://github.com/paulosoares86)) +- Locale file for both zh-TW and zh-HK [\#483](https://github.com/lynndylanhurley/devise_token_auth/pull/483) ([TravisTam](https://github.com/TravisTam)) +- Fixed typos and inconsistencies in ru.yml [\#478](https://github.com/lynndylanhurley/devise_token_auth/pull/478) ([fertingoff](https://github.com/fertingoff)) +- Fixes Issue \#362: Fixes for the omniauth redirection issue for namesp… [\#476](https://github.com/lynndylanhurley/devise_token_auth/pull/476) ([devilankur18](https://github.com/devilankur18)) +- removing old tokens when user changes passwords [\#474](https://github.com/lynndylanhurley/devise_token_auth/pull/474) ([paulosoares86](https://github.com/paulosoares86)) +- Move 
travis to container based configuration [\#470](https://github.com/lynndylanhurley/devise_token_auth/pull/470) ([ValentinTrinque](https://github.com/ValentinTrinque)) +- Prevent helpers being loaded for Rails API’s [\#469](https://github.com/lynndylanhurley/devise_token_auth/pull/469) ([djsegal](https://github.com/djsegal)) +- Reduce dependencies to allow Rails 5.0 [\#467](https://github.com/lynndylanhurley/devise_token_auth/pull/467) ([djsegal](https://github.com/djsegal)) +- Fix locales `errors.messages.already\_in\_use` + clean up [\#466](https://github.com/lynndylanhurley/devise_token_auth/pull/466) ([ValentinTrinque](https://github.com/ValentinTrinque)) +- Added 401 response to failed group authentication [\#446](https://github.com/lynndylanhurley/devise_token_auth/pull/446) ([rstrobl](https://github.com/rstrobl)) +- RU translations [\#441](https://github.com/lynndylanhurley/devise_token_auth/pull/441) ([yivo](https://github.com/yivo)) +- to keep coherent with devise. pt instead of pt-PT.yml [\#436](https://github.com/lynndylanhurley/devise_token_auth/pull/436) ([rmvenancio](https://github.com/rmvenancio)) +- limiting the number of concurrent devices [\#434](https://github.com/lynndylanhurley/devise_token_auth/pull/434) ([paulosoares86](https://github.com/paulosoares86)) +- Raise error in controller method [\#430](https://github.com/lynndylanhurley/devise_token_auth/pull/430) ([ArneZsng](https://github.com/ArneZsng)) +- feat\(enable-standard-devise\): allow configurable support of legacy Devise authentication [\#428](https://github.com/lynndylanhurley/devise_token_auth/pull/428) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Support for i18n in mailers views [\#427](https://github.com/lynndylanhurley/devise_token_auth/pull/427) ([ponyesteves](https://github.com/ponyesteves)) +- Fix omniauthredirection when under scopes [\#425](https://github.com/lynndylanhurley/devise_token_auth/pull/425) ([xjunior](https://github.com/xjunior)) +- Translation to 
German [\#423](https://github.com/lynndylanhurley/devise_token_auth/pull/423) ([haslinger](https://github.com/haslinger)) +- fix\(url\): preserve query parameters when building urls [\#421](https://github.com/lynndylanhurley/devise_token_auth/pull/421) ([nbrustein](https://github.com/nbrustein)) +- Change default message for already in use error and added to english … [\#417](https://github.com/lynndylanhurley/devise_token_auth/pull/417) ([ponyesteves](https://github.com/ponyesteves)) +- Issue \#413 [\#414](https://github.com/lynndylanhurley/devise_token_auth/pull/414) ([Carrigan](https://github.com/Carrigan)) +- Add .ruby-version entry to .gitignore [\#412](https://github.com/lynndylanhurley/devise_token_auth/pull/412) ([xymbol](https://github.com/xymbol)) +- 404 for invalid link with password reset token [\#411](https://github.com/lynndylanhurley/devise_token_auth/pull/411) ([rmvenancio](https://github.com/rmvenancio)) +- Portuguese Translation [\#409](https://github.com/lynndylanhurley/devise_token_auth/pull/409) ([rmvenancio](https://github.com/rmvenancio)) +- Added polish translation. 
[\#405](https://github.com/lynndylanhurley/devise_token_auth/pull/405) ([h3xed](https://github.com/h3xed)) +- Drop .ruby-version file [\#404](https://github.com/lynndylanhurley/devise_token_auth/pull/404) ([xymbol](https://github.com/xymbol)) +- Implement hook methods for customized json rendering [\#384](https://github.com/lynndylanhurley/devise_token_auth/pull/384) ([neutronz](https://github.com/neutronz)) +- Feature/password reset with check fix [\#374](https://github.com/lynndylanhurley/devise_token_auth/pull/374) ([jakubrohleder](https://github.com/jakubrohleder)) +- fix\(oauth\): fixes \#368: do not serialize the entire user object in the url when redirecting from oauth [\#371](https://github.com/lynndylanhurley/devise_token_auth/pull/371) ([nbrustein](https://github.com/nbrustein)) +- Fallback to ActiveModel translations in EmailValidator [\#369](https://github.com/lynndylanhurley/devise_token_auth/pull/369) ([yivo](https://github.com/yivo)) +- Add a Gitter chat badge to README.md [\#360](https://github.com/lynndylanhurley/devise_token_auth/pull/360) ([gitter-badger](https://github.com/gitter-badger)) +- Improvements to the docs. [\#358](https://github.com/lynndylanhurley/devise_token_auth/pull/358) ([aarongray](https://github.com/aarongray)) +- Add description to readme about the devise.rb initializer. [\#356](https://github.com/lynndylanhurley/devise_token_auth/pull/356) ([aarongray](https://github.com/aarongray)) +- Correct handling namespaced resources [\#355](https://github.com/lynndylanhurley/devise_token_auth/pull/355) ([yivo](https://github.com/yivo)) +- Fix concern not being inserted for rails-api apps. [\#350](https://github.com/lynndylanhurley/devise_token_auth/pull/350) ([aarongray](https://github.com/aarongray)) +- Add documentation to explain gotcha with rails-api. [\#349](https://github.com/lynndylanhurley/devise_token_auth/pull/349) ([aarongray](https://github.com/aarongray)) +- Fully support OmniauthCallbacksController action overrides. 
Fixes \#186. [\#347](https://github.com/lynndylanhurley/devise_token_auth/pull/347) ([tbloncar](https://github.com/tbloncar)) +- \#340 Restrict access to controllers methods [\#341](https://github.com/lynndylanhurley/devise_token_auth/pull/341) ([gkopylov](https://github.com/gkopylov)) +- fix\(omniauth\): fix error in setting text on redirect page [\#336](https://github.com/lynndylanhurley/devise_token_auth/pull/336) ([nbrustein](https://github.com/nbrustein)) +- add Brazilian Portuguese translation \(pt-BR\) [\#331](https://github.com/lynndylanhurley/devise_token_auth/pull/331) ([josiasds](https://github.com/josiasds)) +- Tests to ensure standard devise has greater priority than tokens [\#330](https://github.com/lynndylanhurley/devise_token_auth/pull/330) ([colavitam](https://github.com/colavitam)) +- Fixed error when using standard devise authentication [\#329](https://github.com/lynndylanhurley/devise_token_auth/pull/329) ([colavitam](https://github.com/colavitam)) +- feat\(improved-omniauth\): omniauth sameWindow and inAppBrowser flows [\#323](https://github.com/lynndylanhurley/devise_token_auth/pull/323) ([nbrustein](https://github.com/nbrustein)) +- Fix invalid omniauth redirect [\#322](https://github.com/lynndylanhurley/devise_token_auth/pull/322) ([troggy](https://github.com/troggy)) +- Old password check before password update [\#317](https://github.com/lynndylanhurley/devise_token_auth/pull/317) ([jakubrohleder](https://github.com/jakubrohleder)) +- Remove erroneous colon from before\_action callback [\#310](https://github.com/lynndylanhurley/devise_token_auth/pull/310) ([jmliu](https://github.com/jmliu)) +- Disabled serialization for JSON type columns [\#306](https://github.com/lynndylanhurley/devise_token_auth/pull/306) ([colavitam](https://github.com/colavitam)) +- Set default provider to "email" in migration [\#302](https://github.com/lynndylanhurley/devise_token_auth/pull/302) ([colavitam](https://github.com/colavitam)) +- Fix an issue for not 
:confirmable users [\#296](https://github.com/lynndylanhurley/devise_token_auth/pull/296) ([sebfie](https://github.com/sebfie)) +- Update README.md [\#295](https://github.com/lynndylanhurley/devise_token_auth/pull/295) ([adisos](https://github.com/adisos)) +- Fix MOUNT\_PATH 'Read More' link [\#294](https://github.com/lynndylanhurley/devise_token_auth/pull/294) ([jmliu](https://github.com/jmliu)) +- Don't send password reset instructions to unconfirmed email [\#288](https://github.com/lynndylanhurley/devise_token_auth/pull/288) ([coryschires](https://github.com/coryschires)) +- Feature/i18n support [\#283](https://github.com/lynndylanhurley/devise_token_auth/pull/283) ([sebfie](https://github.com/sebfie)) +- Update documentation for validate\_token [\#277](https://github.com/lynndylanhurley/devise_token_auth/pull/277) ([adamgall](https://github.com/adamgall)) +- Added json support for tokens [\#276](https://github.com/lynndylanhurley/devise_token_auth/pull/276) ([shicholas](https://github.com/shicholas)) +- perf\(token\_is\_current?\): add simplistic cache to reduce overhead of redundant token checks during validation calls [\#272](https://github.com/lynndylanhurley/devise_token_auth/pull/272) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- perf\(update\_auth\_header\): only lock the resource if we are rotating tokens [\#267](https://github.com/lynndylanhurley/devise_token_auth/pull/267) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(email-validation\): Update in-use email validation message during registration to allow full\_message use [\#255](https://github.com/lynndylanhurley/devise_token_auth/pull/255) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(session\#new\): fix unhandled 500 when logging in with valid user and bad password [\#254](https://github.com/lynndylanhurley/devise_token_auth/pull/254) ([mathemagica](https://github.com/mathemagica)) +- feat\(ominauth\): support json-formatted values in omniauth 
callback. [\#252](https://github.com/lynndylanhurley/devise_token_auth/pull/252) ([nbrustein](https://github.com/nbrustein)) +- fix\(sessions controller\): call reset\_session on destroy [\#251](https://github.com/lynndylanhurley/devise_token_auth/pull/251) ([nbrustein](https://github.com/nbrustein)) +- fix\(resource\_class\): support optional mapping property from set\_user\_by\_token [\#250](https://github.com/lynndylanhurley/devise_token_auth/pull/250) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Allow current\_password to be supplied when updating profile. [\#240](https://github.com/lynndylanhurley/devise_token_auth/pull/240) ([jasonswett](https://github.com/jasonswett)) +- fixes password reset when not using confirmable [\#225](https://github.com/lynndylanhurley/devise_token_auth/pull/225) ([aesnyder](https://github.com/aesnyder)) +- Fix error when email missing from registration params [\#220](https://github.com/lynndylanhurley/devise_token_auth/pull/220) ([iangreenleaf](https://github.com/iangreenleaf)) +- URI fragment should appear at the end of URL [\#214](https://github.com/lynndylanhurley/devise_token_auth/pull/214) ([edymerchk](https://github.com/edymerchk)) +- Super block yield \(all controllers\) [\#209](https://github.com/lynndylanhurley/devise_token_auth/pull/209) ([sgwilym](https://github.com/sgwilym)) +- Super block yield [\#207](https://github.com/lynndylanhurley/devise_token_auth/pull/207) ([sgwilym](https://github.com/sgwilym)) +- Ability to localize error message [\#206](https://github.com/lynndylanhurley/devise_token_auth/pull/206) ([lda](https://github.com/lda)) +- remove fragment sign \("\#"\) from URLs without fragment [\#205](https://github.com/lynndylanhurley/devise_token_auth/pull/205) ([tomdov](https://github.com/tomdov)) +- Return 422 \(was 500\) when empty body for sign up and account update [\#204](https://github.com/lynndylanhurley/devise_token_auth/pull/204) ([mchavarriagam](https://github.com/mchavarriagam)) +- 
Users with allowed unconfirmed access can now log in successfully. [\#202](https://github.com/lynndylanhurley/devise_token_auth/pull/202) ([colavitam](https://github.com/colavitam)) +- Authenticating an existing Warden/Devise User [\#200](https://github.com/lynndylanhurley/devise_token_auth/pull/200) ([nickL](https://github.com/nickL)) +- GET sign\_in should direct people to use POST sign\_in rather than raising exception [\#191](https://github.com/lynndylanhurley/devise_token_auth/pull/191) ([milesmatthias](https://github.com/milesmatthias)) +- Ignore 'extra' in Twitter auth response to avoid CookieOverflow. Fixes \#145. [\#179](https://github.com/lynndylanhurley/devise_token_auth/pull/179) ([tbloncar](https://github.com/tbloncar)) +- Some missing as\_json ? [\#152](https://github.com/lynndylanhurley/devise_token_auth/pull/152) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check email format on registration [\#150](https://github.com/lynndylanhurley/devise_token_auth/pull/150) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Actual header key uses dashes, not underscores. [\#143](https://github.com/lynndylanhurley/devise_token_auth/pull/143) ([ragaskar](https://github.com/ragaskar)) +- Username register login [\#128](https://github.com/lynndylanhurley/devise_token_auth/pull/128) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check if confirmable is active before skipping confirmation [\#125](https://github.com/lynndylanhurley/devise_token_auth/pull/125) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Fix links to section about controller integration. [\#117](https://github.com/lynndylanhurley/devise_token_auth/pull/117) ([Le6ow5k1](https://github.com/Le6ow5k1)) +- document GET for /validate\_token [\#113](https://github.com/lynndylanhurley/devise_token_auth/pull/113) ([lukaselmer](https://github.com/lukaselmer)) +- Fix small error in documentation. 
[\#91](https://github.com/lynndylanhurley/devise_token_auth/pull/91) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Exclude devise modules [\#85](https://github.com/lynndylanhurley/devise_token_auth/pull/85) ([jartek](https://github.com/jartek)) +- fix\(registration and update\): Ensure UID is updated alongside Email, and case-sensitivity is honored [\#71](https://github.com/lynndylanhurley/devise_token_auth/pull/71) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Add better guidelines for contributors. [\#67](https://github.com/lynndylanhurley/devise_token_auth/pull/67) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Use resource\_class to override email confirmation. [\#64](https://github.com/lynndylanhurley/devise_token_auth/pull/64) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- fix\(case-sensitivity\): support devise case\_insensitive\_keys for session ... [\#57](https://github.com/lynndylanhurley/devise_token_auth/pull/57) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(contention\): fix write contention in update\_auth\_headers and always ... [\#52](https://github.com/lynndylanhurley/devise_token_auth/pull/52) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Include resource.errors.full\_messages in error response. 
[\#50](https://github.com/lynndylanhurley/devise_token_auth/pull/50) ([jasonswett](https://github.com/jasonswett)) +- fix\(expiry\): fix an issue where token expiration checks were too permissive [\#49](https://github.com/lynndylanhurley/devise_token_auth/pull/49) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Update README with Example Generator Command [\#35](https://github.com/lynndylanhurley/devise_token_auth/pull/35) ([wwilkins](https://github.com/wwilkins)) +- Remove OmniAuth dependency [\#26](https://github.com/lynndylanhurley/devise_token_auth/pull/26) ([hannahhoward](https://github.com/hannahhoward)) +- Update README.md [\#24](https://github.com/lynndylanhurley/devise_token_auth/pull/24) ([davidsavoya](https://github.com/davidsavoya)) +- guard against MissingAttributeError during common ActiveRecord operations [\#19](https://github.com/lynndylanhurley/devise_token_auth/pull/19) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Fix expiry data type [\#11](https://github.com/lynndylanhurley/devise_token_auth/pull/11) ([lonre](https://github.com/lonre)) +- README and travis config tweaks [\#7](https://github.com/lynndylanhurley/devise_token_auth/pull/7) ([guilhermesimoes](https://github.com/guilhermesimoes)) + +# Change Log + ## [0.1.37](https://github.com/lynndylanhurley/devise_token_auth/tree/0.1.37) (2016-01-26) [Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37.beta4...0.1.37) @@ -386,4 +791,6 @@ +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* + \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file From 851f4d194c3585d5200489787099a00942b16794 Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Mon, 11 Jul 2016 14:55:36 -0600 Subject: [PATCH 273/328] chore(deps): more dependency updates + travis tweaks --- .travis.yml | 3 +- Gemfile.lock | 95 +++++++++++++++++++++++++++------------------------- 2 files changed, 50 insertions(+), 48 deletions(-) diff --git a/.travis.yml b/.travis.yml index 92aca9ba1..ab61968de 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,6 @@ cache: bundler sudo: false rvm: - - 1.9.3 - 2.1 env: @@ -20,4 +19,4 @@ before_script: - psql -c 'create database devise_token_auth_test' -U postgres addons: - postgresql: "9.3" \ No newline at end of file + postgresql: "9.4" \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index 3c8e60a09..6a507577f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -15,21 +15,20 @@ GIT GIT remote: git://github.com/mkdynamic/omniauth-facebook.git - revision: f20e906b52b0a8849569f1391f01771fb628f6d7 + revision: 8afbe04ae8a2f1b2db0f382efeecbb91575d1ba5 specs: - omniauth-facebook (2.1.0) + omniauth-facebook (4.0.0.rc1) omniauth-oauth2 (~> 1.2) GIT remote: git://github.com/zquestz/omniauth-google-oauth2.git - revision: ad0b8ae200a94c86566975dc4d1c2fc28eeb2e24 + revision: 1cd603bb29499f56379aefcd6b34663ef105e165 specs: - omniauth-google-oauth2 (0.2.8) - addressable (~> 2.3) - jwt (~> 1.0) + omniauth-google-oauth2 (0.4.1) + jwt (~> 1.5.2) multi_json (~> 1.3) omniauth (>= 1.1.1) - omniauth-oauth2 (>= 1.1.1) + omniauth-oauth2 (>= 1.3.1) PATH remote: . @@ -79,14 +78,14 @@ GEM addressable (2.4.0) ansi (1.5.0) arel (6.0.3) - attr_encrypted (1.3.5) - encryptor (~> 1.3.0) + attr_encrypted (3.0.1) + encryptor (~> 3.0.0) bcrypt (3.1.11) builder (3.2.2) - codeclimate-test-reporter (0.4.8) + codeclimate-test-reporter (0.6.0) simplecov (>= 0.7.1, < 1.0.0) - coderay (1.1.0) - colorize (0.7.7) + coderay (1.1.1) + colorize (0.8.1) concurrent-ruby (1.0.2) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) 
@@ -97,30 +96,30 @@ GEM responders warden (~> 1.2.3) docile (1.1.5) - encryptor (1.3.0) + encryptor (3.0.0) erubis (2.7.0) - faker (1.6.1) + faker (1.6.5) i18n (~> 0.5) faraday (0.9.2) multipart-post (>= 1.2, < 3) - ffi (1.9.10) + ffi (1.9.13) formatador (0.2.5) fuzz_ball (0.9.1) - github_api (0.13.1) + github_api (0.14.3) addressable (~> 2.4.0) descendants_tracker (~> 0.0.4) faraday (~> 0.8, < 0.10) hashie (>= 3.4) - multi_json (>= 1.7.5, < 2.0) - oauth2 - github_changelog_generator (1.10.1) + oauth2 (~> 1.0.0) + github_changelog_generator (1.13.0) colorize (~> 0.7) github_api (~> 0.12) + rake (>= 10.0) globalid (0.3.6) activesupport (>= 4.1.0) - guard (2.13.0) + guard (2.14.0) formatador (>= 0.2.4) - listen (>= 2.7, <= 4.0) + listen (>= 2.7, < 4.0) lumberjack (~> 1.0) nenv (~> 0.1) notiffany (~> 0.0) @@ -128,16 +127,17 @@ GEM shellany (~> 0.0) thor (>= 0.18.1) guard-compat (1.2.1) - guard-minitest (2.4.4) + guard-minitest (2.4.5) guard-compat (~> 1.2) minitest (>= 3.0) - hashie (3.4.3) + hashie (3.4.4) i18n (0.7.0) json (1.8.3) - jwt (1.5.2) - listen (3.0.5) - rb-fsevent (>= 0.9.3) - rb-inotify (>= 0.9) + jwt (1.5.4) + listen (3.1.5) + rb-fsevent (~> 0.9, >= 0.9.4) + rb-inotify (~> 0.9, >= 0.9.7) + ruby_dep (~> 1.2) loofah (2.0.3) nokogiri (>= 1.5.9) lumberjack (1.0.10) 
@@ -148,28 +148,29 @@ GEM mime-types (3.1) mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) - mini_portile2 (2.0.0) - minitest (5.8.4) + mini_portile2 (2.1.0) + minitest (5.9.0) minitest-focus (1.1.2) minitest (>= 4, < 6) - minitest-rails (2.2.0) + minitest-rails (2.2.1) minitest (~> 5.7) railties (~> 4.1) - minitest-reporters (1.1.7) + minitest-reporters (1.1.10) ansi builder minitest (>= 5.0) ruby-progressbar mocha (1.1.0) metaclass (~> 0.0.1) - multi_json (1.11.2) + multi_json (1.12.1) multi_xml (0.5.5) multipart-post (2.0.0) - mysql2 (0.4.2) - nenv (0.2.0) - nokogiri (1.6.7.2) - mini_portile2 (~> 2.0.0.rc2) - notiffany (0.0.8) + mysql2 (0.4.4) + nenv (0.3.0) + nokogiri (1.6.8) + mini_portile2 (~> 2.1.0) + pkg-config (~> 1.1.7) + notiffany (0.1.0) nenv (~> 0.1) shellany (~> 0.0) oauth2 (1.0.0) @@ -178,15 +179,16 @@ GEM multi_json (~> 1.3) multi_xml (~> 0.5) rack (~> 1.2) - omniauth (1.2.2) + omniauth (1.3.1) hashie (>= 1.2, < 4) - rack (~> 1.0) - omniauth-oauth2 (1.3.1) + rack (>= 1.0, < 3) + omniauth-oauth2 (1.4.0) oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) pg (0.18.4) - pry (0.10.3) + pkg-config (1.1.7) + pry (0.10.4) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) @@ -221,17 +223,18 @@ GEM activesupport (= 4.2.5.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (10.5.0) + rake (11.2.2) rb-fsevent (0.9.7) - rb-inotify (0.9.5) + rb-inotify (0.9.7) ffi (>= 0.5.0) responders (2.2.0) railties (>= 4.2.0, < 5.1) - ruby-progressbar (1.7.5) + ruby-progressbar (1.8.1) + ruby_dep (1.3.1) shellany (0.0.1) - simplecov (0.11.1) + simplecov (0.12.0) docile (~> 1.1.0) - json (~> 1.8) + json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) From 162967970c9534af7d2d3ba152fcf7fe5194be70 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 11 Jul 2016 15:07:55 -0600 Subject: [PATCH 274/328] chore(travis): upgrading Ruby to v2.3.1 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.travis.yml b/.travis.yml index ab61968de..4e1c60e4b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,7 +3,7 @@ cache: bundler sudo: false rvm: - - 2.1 + - 2.3.1 env: - DB=sqlite From bbe8dcedb0aa39fc9f9d07c149dbe9951ce22bb4 Mon Sep 17 00:00:00 2001 From: Tan Date: Fri, 5 Aug 2016 23:25:55 +0700 Subject: [PATCH 275/328] update README.md Update the request headers of Account deletion --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4481194bb..48566dec0 100644 --- a/README.md +++ b/README.md 
@@ -136,7 +136,7 @@ The following routes are available for use by your client. These routes live rel
 | path | method | purpose |
 |:-----|:-------|:--------|
 | / | POST | Email registration. Requires **`email`**, **`password`**, and **`password_confirmation`** params. A verification email will be sent to the email address provided. Accepted params can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. |
-| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`** and **`auth_token`** headers. |
+| / | DELETE | Account deletion. This route will destroy users identified by their **`uid`**, **`access_token`** and **`client`** headers. |
 | / | PUT | Account updates. This route will update an existing user's account settings. The default accepted params are **`password`** and **`password_confirmation`**, but this can be customized using the [`devise_parameter_sanitizer`](https://github.com/plataformatec/devise#strong-parameters) system. If **`config.check_current_password_before_update`** is set to `:attributes` the **`current_password`** param is checked before any update, if it is set to `:password` the **`current_password`** param is checked only if the request updates user password. |
 | /sign_in | POST | Email authentication. Requires **`email`** and **`password`** as params. This route will return a JSON representation of the `User` model on successful login along with the `access-token` and `client` in the header of the response. |
 | /sign_out | DELETE | Use this route to end the user's current session. This route will invalidate the user's authentication token. You must pass in **`uid`**, **`client`**, and **`access-token`** in the request headers. |
From 3986245f7b4d95f1dbccccf82fb1611eff4a93cb Mon Sep 17 00:00:00 2001
From: hui_ease Date: Sat, 13 Aug 2016 21:48:50 +0800 Subject: [PATCH 276/328] add zh-CN.yml --- config/locales/zh-CN.yml | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 config/locales/zh-CN.yml diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml new file mode 100644 index 000000000..94b4942e2 --- /dev/null +++ b/config/locales/zh-CN.yml 
@@ -0,0 +1,54 @@ +zh-CN: + devise_token_auth: + sessions: + not_confirmed: "您将在几分钟后收到一封电子邮件'%{email}',内有验证账号的步骤说明" + bad_credentials: "不正确的登录信息,请重试" + not_supported: "请使用 POST /sign_in 进行登录. GET 是不支持的." + user_not_found: "没有找到账号或没有成功登录" + token_validations: + invalid: "不正确的登录资料" + registrations: + missing_confirm_success_url: "缺少数据 'confirm_success_url'" + redirect_url_not_allowed: "不支持转向到 '%{redirect_url}'" + email_already_exists: "邮箱'%{email}'已被使用" + account_with_uid_destroyed: "账号 '%{uid}' 已被移除。" + account_to_destroy_not_found: "无法找到目标帐号。" + user_not_found: "找不到帐号。" + passwords: + missing_email: "必需提供邮箱。" + missing_redirect_url: "欠缺 redirect URL." + not_allowed_redirect_url: "不支持转向到 '%{redirect_url}'" + sended: "您将在几分钟后收到一封电子邮件'%{email},内含可重新设定密码的链接。" + user_not_found: "找不到帐号 '%{email}'。" + password_not_required: "这不是一个需要密码的帐号. 请使用 '%{provider}' 进行登入" + missing_passwords: "必需填写'密码'与'确认密码'。" + successfully_updated: "您的密码已被修改。" + errors: + messages: + already_in_use: "已被使用。" + validate_sign_up_params: "请在request body中填入有效的注册内容" + validate_account_update_params: "请在request body中填入有效的更新帐号资料" + not_email: "这不是一个合适的邮箱。" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "可以使用下面的链接确定你的邮箱" + confirm_account_link: "确定你的帐号" + reset_password_instructions: + request_reset_link_msg: "已申请修改您的密码,你可以用下面的链接进入" + password_change_link: "修改我的密码" + ignore_mail_msg: "如你没有申请,请忽略" + no_changes_msg: "在你点击上面链接前,你的密码都没有改变" + unlock_instructions: + account_lock_msg: "由于多次登入失败,我们已锁定你的帐号" + unlock_link_msg: "可以使用下面的链接解锁你的帐号" + unlock_link: "解锁帐号" + activerecord: + errors: + models: + user: + attributes: + email: + already_in_use: "邮箱已被使用" + hello: "你好" + welcome: "欢迎" \ No newline at end of file From 2f37b6e86a6a619dd4cc941b7706119462cc5764 Mon Sep 17 00:00:00 2001 
From: Lynn Hurley Date: Sun, 14 Aug 2016 13:56:26 -0500 Subject: [PATCH 277/328] fix #696 --- lib/devise_token_auth/rails/routes.rb | 16 ++++++- .../omniauth_callbacks_controller_test.rb | 42 +++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 06818cf53..c5db0d887 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb @@ -73,8 +73,22 @@ def mount_devise_token_auth_for(resource, opts) set_omniauth_path_prefix!(DeviseTokenAuth.omniauth_prefix) + redirect_params = {}.tap {|hash| qs.each{|k, v| hash[k] = v.first}} + + if DeviseTokenAuth.redirect_whitelist + redirect_url = request.params['auth_origin_url'] + unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) + message = I18n.t( + 'devise_token_auth.registrations.redirect_url_not_allowed', + redirect_url: redirect_url + ) + redirect_params['message'] = message + next "#{::OmniAuth.config.path_prefix}/failure?#{redirect_params.to_param}" + end + end + # re-construct the path for omniauth - "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{{}.tap {|hash| qs.each{|k, v| hash[k] = v.first}}.to_param}" + "#{::OmniAuth.config.path_prefix}/#{params[:provider]}?#{redirect_params.to_param}" }, via: [:get] end end diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index f81acb6f1..91c85835e 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb 
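Review bot: When `redirect_whitelist` is set and the request carries no `auth_origin_url`, `redirect_url` is nil, `include?(nil)` is false, and the client is sent to the failure path with a message interpolated from an empty value (`Redirect to '' not allowed.`); if a missing origin is meant to be rejected, give it a dedicated message, and if it is meant to be tolerated the guard needs `if DeviseTokenAuth.redirect_whitelist && redirect_url`. The comparison is an exact string match, so any normalization a client applies to its origin (trailing slash, scheme case) fails the check, which is worth stating in a comment such as `# auth_origin_url must equal a redirect_whitelist entry; validated here, before OmniAuth runs, so the callback never receives an unvetted origin` (the callback behaviour is inferred from the commit title, not from this hunk). The redirect block containing these lines begins outside the hunk.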
@@ -279,4 +279,46 @@ def get_success(params = {}) } end end + + describe 'Using redirect_whitelist' do + before do + @user_email = 'slemp.diggler@sillybandz.gov' + OmniAuth.config.mock_auth[:facebook] = OmniAuth::AuthHash.new( + provider: 'facebook', + uid: '123545', + info: { + name: 'chong', + email: @user_email + } + ) + @good_redirect_url = Faker::Internet.url + @bad_redirect_url = Faker::Internet.url + DeviseTokenAuth.redirect_whitelist = [@good_redirect_url] + end + + teardown do + DeviseTokenAuth.redirect_whitelist = nil + end + + test 'request using non-whitelisted redirect fail' do + get_via_redirect '/auth/facebook', + auth_origin_url: @bad_redirect_url, + omniauth_window_type: 'newWindow' + + data_json = @response.body.match(/var data \= (.+)\;/)[1] + data = ActiveSupport::JSON.decode(data_json) + assert_equal "Redirect to '#{@bad_redirect_url}' not allowed.", + data['error'] + end + + test 'request to whitelisted redirect should succeed' do + get_via_redirect '/auth/facebook', + auth_origin_url: @good_redirect_url, + omniauth_window_type: 'newWindow' + + data_json = @response.body.match(/var data \= (.+)\;/)[1] + data = ActiveSupport::JSON.decode(data_json) + assert_equal @user_email, data['email'] + end + end end From e9385d441d35982bdce62d427c8e97b3eec4c5cf Mon Sep 17 00:00:00 2001 From: Justin Date: Mon, 15 Aug 2016 11:01:56 +1200 Subject: [PATCH 278/328] Fix for issue #698 Update migration template to include version of Rails to silence a deprecation warning. --- .../templates/devise_token_auth_create_users.rb.erb | 2 +- .../generators/devise_token_auth/install_generator_test.rb | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb index 7179726aa..a6651dbfe 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb 
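Review bot: `@response.body.match(/var data \= (.+)\;/)[1]` raises NoMethodError on nil when the response does not contain the expected script, so a failed redirect surfaces as an obscure error instead of an assertion failure; capture the match first, `data_match = @response.body.match(/var data \= (.+)\;/)`, then `refute_nil data_match` before reading `data_match[1]`. The expected error text is hard-coded in English, so the test breaks under any other default locale; compare against `I18n.t('devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: @bad_redirect_url)` instead. The same `match(...)[1]` pattern is repeated in the later wildcard test of PATCH 281.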
+++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb @@ -1,4 +1,4 @@ -class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration +class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration<%= '[' << Rails::VERSION::STRING[0..2] << ']'%> def change create_table(:<%= user_class.pluralize.underscore %>) do |t| ## Required diff --git a/test/lib/generators/devise_token_auth/install_generator_test.rb b/test/lib/generators/devise_token_auth/install_generator_test.rb index 2cd2e1f48..67e3193d1 100644 --- a/test/lib/generators/devise_token_auth/install_generator_test.rb +++ b/test/lib/generators/devise_token_auth/install_generator_test.rb @@ -28,6 +28,10 @@ class InstallGeneratorTest < Rails::Generators::TestCase assert_migration 'db/migrate/devise_token_auth_create_users.rb' end + test 'migration file contains rails version' do + assert_migration 'db/migrate/devise_token_auth_create_users.rb', /4.2/ + end + test 'subsequent runs raise no errors' do run_generator end From 43a0239244f48f250a24057dd6dbfe33c8a7ea0f Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 15 Aug 2016 21:06:27 -0600 Subject: [PATCH 279/328] v0.1.39 --- .github_changelog_generator | 3 ++- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github_changelog_generator b/.github_changelog_generator index bff97b3df..3b7f2f2f8 100644 --- a/.github_changelog_generator +++ b/.github_changelog_generator @@ -1,4 +1,5 @@ bug-labels=bug,Bug,fix,Fix enhancement-labels=enhancement,Enhancement,feat,Feat -unreleased-label=0.1.38 +between-tags=0.1.38,0.1.39 +unreleased-label=0.1.40 base=CHANGELOG.md \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index 6a507577f..e1ac9ba64 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
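Review bot: `ActiveRecord::Migration<%= '[' << Rails::VERSION::STRING[0..2] << ']'%>` generates `ActiveRecord::Migration[4.2]` on Rails 4.2, but as far as I recall the versioned `Migration.[]` API only exists from Rails 5.0, so the generated migration would raise NoMethodError on the 4.x releases the lockfile's `rails (< 6)` constraint still admits; either emit the suffix only when `Rails::VERSION::MAJOR >= 5` or confirm that 4.x is no longer supported. Slicing `STRING[0..2]` is also fragile for any two-digit major or minor (`"10.0"` becomes `10.`); `"#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}"` states the intent directly. The generator test added alongside only asserts that the text `4.2` appears, not that the migration loads.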
@@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.38) + devise_token_auth (0.1.39) devise (> 3.5.2, <= 4.2) rails (< 6) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 1c431a656..8432c1a53 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.38" + VERSION = "0.1.39" end From 13d019fc06b02e6559caba66cb551869e04ae384 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 15 Aug 2016 21:12:47 -0600 Subject: [PATCH 280/328] chore(changelog): update changelog v0.1.38 -> v0.1.39 --- .github_changelog_generator | 5 +++-- CHANGELOG.md | 24 ++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github_changelog_generator b/.github_changelog_generator index 3b7f2f2f8..e5f9016b5 100644 --- a/.github_changelog_generator +++ b/.github_changelog_generator @@ -1,5 +1,6 @@ bug-labels=bug,Bug,fix,Fix enhancement-labels=enhancement,Enhancement,feat,Feat -between-tags=0.1.38,0.1.39 -unreleased-label=0.1.40 +since-tags=v0.1.38 +between-tags=v0.1.38,v0.1.39 +unreleased-label=v0.1.40 base=CHANGELOG.md \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f9219fcd..f2ce60f55 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,29 @@ # Change Log +## [v0.1.39](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.39) (2016-08-16) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.38...v0.1.39) + +**Closed issues:** + +- "Covert Redirect" Vulnerability [\#696](https://github.com/lynndylanhurley/devise_token_auth/issues/696) +- No route matches \[POST\] "/api/v1/auth" [\#694](https://github.com/lynndylanhurley/devise_token_auth/issues/694) +- Got this error with ActiveAdmin "wrong number of arguments \(1 for 0\)" [\#692](https://github.com/lynndylanhurley/devise_token_auth/issues/692) +- using devise\_token\_auth for API alongside standard devise gem for HTML view [\#689](https://github.com/lynndylanhurley/devise_token_auth/issues/689) +- No Headers after sign\_in for new Users created by Admin [\#685](https://github.com/lynndylanhurley/devise_token_auth/issues/685) +- NoMethodError \(undefined method `headers\_names' for DeviseTokenAuth:Module\) [\#684](https://github.com/lynndylanhurley/devise_token_auth/issues/684) +- Fast page refresh problem [\#683](https://github.com/lynndylanhurley/devise_token_auth/issues/683) +- IndexError: string not matched on User sign\_in [\#681](https://github.com/lynndylanhurley/devise_token_auth/issues/681) +- skip\_confirmation\_notification! not working [\#679](https://github.com/lynndylanhurley/devise_token_auth/issues/679) +- Bump version to support devise 4.1.1 [\#659](https://github.com/lynndylanhurley/devise_token_auth/issues/659) +- not working with latest version of active\_model\_serializers [\#600](https://github.com/lynndylanhurley/devise_token_auth/issues/600) + +**Merged pull requests:** + +- Fix Migration Deprecation Warning [\#700](https://github.com/lynndylanhurley/devise_token_auth/pull/700) ([juddey](https://github.com/juddey)) +- Apply `redirect\_whitelist` to OAuth redirect URI. 
[\#699](https://github.com/lynndylanhurley/devise_token_auth/pull/699) ([lynndylanhurley](https://github.com/lynndylanhurley)) +- add zh-CN.yml [\#697](https://github.com/lynndylanhurley/devise_token_auth/pull/697) ([halfray](https://github.com/halfray)) +- update README.md [\#693](https://github.com/lynndylanhurley/devise_token_auth/pull/693) ([nhattan](https://github.com/nhattan)) + ## [0.1.38](https://github.com/lynndylanhurley/devise_token_auth/tree/HEAD) [Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.37...HEAD) From 9fac2fdc25097c7223daed1f2a3fa44d5b78664f Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Thu, 25 Aug 2016 10:53:30 -0600 Subject: [PATCH 281/328] feat(whitelist): add wildcard support for redirect_whitelist patterns --- README.md | 2 +- .../devise_token_auth/passwords_controller.rb | 2 +- .../registrations_controller.rb | 2 +- lib/devise_token_auth/rails/routes.rb | 2 +- lib/devise_token_auth/url.rb | 23 ++++++++++++++++++- .../omniauth_callbacks_controller_test.rb | 12 ++++++++++ 6 files changed, 38 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 48566dec0..d71f20ef3 100644 --- a/README.md +++ b/README.md 
@@ -163,7 +163,7 @@ The following settings are available for configuration in `config/initializers/d | **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). | | **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the client. | | **`default_password_reset_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful password resets. If this param is set, the API will redirect to this value when no value is provided by the client. | -| **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing exact matches to the client URLs to be visited after validation. | +| **`redirect_whitelist`** | `nil` | As an added security measure, you can limit the URLs to which the API will redirect after email token validation (password reset, email confirmation, etc.). This value should be an array containing matches to the client URLs to be visited after validation. Wildcards are supported. | | **`enable_standard_devise_support`** | `false` | By default, only Bearer Token authentication is implemented out of the box. If, however, you wish to integrate with legacy Devise authentication, you can do so by enabling this flag. NOTE: This feature is highly experimental! 
| | **`remove_tokens_after_password_reset`** | `false` | By default, old tokens are not invalidated when password is changed. Enable this option if you want to make passwords updates to logout other devices. | | **`default_callbacks`** | `true` | By default User model will include the `DeviseTokenAuth::Concerns::UserOmniauthCallbacks` concern, which has `email`, `uid` validations & `uid` synchronization callbacks. | diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 089e564e0..a5b44bd0b 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -22,7 +22,7 @@ def create # if whitelist is set, validate redirect_url against whitelist if DeviseTokenAuth.redirect_whitelist - unless DeviseTokenAuth.redirect_whitelist.include?(@redirect_url) + unless DeviseTokenAuth::Url.whitelisted?(@redirect_url) return render_create_error_not_allowed_redirect_url end end diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb index cf337c51f..1d1ee0296 100644 --- a/app/controllers/devise_token_auth/registrations_controller.rb +++ b/app/controllers/devise_token_auth/registrations_controller.rb @@ -29,7 +29,7 @@ def create # if whitelist is set, validate redirect_url against whitelist if DeviseTokenAuth.redirect_whitelist - unless DeviseTokenAuth.redirect_whitelist.include?(@redirect_url) + unless DeviseTokenAuth::Url.whitelisted?(@redirect_url) return render_create_error_redirect_url_not_allowed end end diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index c5db0d887..880331f82 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb 
@@ -77,7 +77,7 @@ def mount_devise_token_auth_for(resource, opts) if DeviseTokenAuth.redirect_whitelist redirect_url = request.params['auth_origin_url'] - unless DeviseTokenAuth.redirect_whitelist.include?(redirect_url) + unless DeviseTokenAuth::Url.whitelisted?(redirect_url) message = I18n.t( 'devise_token_auth.registrations.redirect_url_not_allowed', redirect_url: redirect_url diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb index 0616397a8..3cc21671f 100644 --- a/lib/devise_token_auth/url.rb +++ b/lib/devise_token_auth/url.rb @@ -5,7 +5,7 @@ def self.generate(url, params = {}) res = "#{uri.scheme}://#{uri.host}" res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443) - res += "#{uri.path}" if uri.path + res += "#{uri.path}" if uri.path query = [uri.query, params.to_query].reject(&:blank?).join('&') res += "?#{query}" res += "##{uri.fragment}" if uri.fragment @@ -13,4 +13,25 @@ def self.generate(url, params = {}) return res end + def self.whitelisted?(url) + DeviseTokenAuth.redirect_whitelist.find { |pattern| !!Wildcat.new(pattern).match(url) } + end + + + # wildcard convenience class + class Wildcat + def self.parse_to_regex(str) + escaped = Regexp.escape(str).gsub('\*','.*?') + Regexp.new("^#{escaped}$", Regexp::IGNORECASE) + end + + def initialize(str) + @regex = self.class.parse_to_regex(str) + end + + def match(str) + !!@regex.match(str) + end + end + end diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 91c85835e..9a52ef33a 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb 
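Review bot: `Wildcat.parse_to_regex` anchors with `^` and `$`, which in Ruby match at line boundaries, so a redirect URL containing a newline passes as long as one of its lines matches a whitelist pattern; use `Regexp.new("\\A#{escaped}\\z", Regexp::IGNORECASE)` to anchor the whole string. A `*` becomes `.*?`, which crosses `/`, `.` and `?`, so a host-only pattern such as `https://app.example.com*` also accepts `https://app.example.com.other.tld/...` (constructed example); `whitelisted?` deserves a comment telling users to terminate host patterns with `/` or a path. The `!!` inside the `find` block is redundant because `Wildcat#match` already returns a boolean. `self.whitelisted?` reads `DeviseTokenAuth.redirect_whitelist` without a nil guard, which is only safe while every caller checks the setting first, as the three controller and route hunks in this commit do.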
@@ -320,5 +320,17 @@ def get_success(params = {}) data = ActiveSupport::JSON.decode(data_json) assert_equal @user_email, data['email'] end + + test 'should support wildcards' do + DeviseTokenAuth.redirect_whitelist = ["#{@good_redirect_url[0..8]}*"] + get_via_redirect '/auth/facebook', + auth_origin_url: @good_redirect_url, + omniauth_window_type: 'newWindow' + + data_json = @response.body.match(/var data \= (.+)\;/)[1] + data = ActiveSupport::JSON.decode(data_json) + assert_equal @user_email, data['email'] + end + end end From b8ce90319e5d6b4bc3b7830e6aabae60900ba330 Mon Sep 17 00:00:00 2001 From: Brent Date: Thu, 25 Aug 2016 12:34:32 -0600 Subject: [PATCH 282/328] fix(whitelist): ensure we always return boolean in DeviseTokenAuth::Url.whitelisted? --- lib/devise_token_auth/url.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb index 3cc21671f..b705837b8 100644 --- a/lib/devise_token_auth/url.rb +++ b/lib/devise_token_auth/url.rb @@ -14,7 +14,7 @@ def self.generate(url, params = {}) end def self.whitelisted?(url) - DeviseTokenAuth.redirect_whitelist.find { |pattern| !!Wildcat.new(pattern).match(url) } + !!DeviseTokenAuth.redirect_whitelist.find { |pattern| !!Wildcat.new(pattern).match(url) } end From c3c43a135ea0b3a6e9b41fd2a237a7e313817bdf Mon Sep 17 00:00:00 2001 From: Jan-Philipp Riethmacher Date: Fri, 26 Aug 2016 09:43:22 +0200 Subject: [PATCH 283/328] Added reference to Angular2-Token to README --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d71f20ef3..46a98ed20 100644 --- a/README.md +++ b/README.md 
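Review bot: The wildcard test only shows that a very loose pattern (`@good_redirect_url[0..8]` plus `*`, i.e. the scheme and a character or two of the host) accepts the good URL; nothing shows that a wildcard whitelist still rejects `@bad_redirect_url`, so a regression that matches everything would pass. Add a companion test that sets `DeviseTokenAuth.redirect_whitelist` to a wildcard derived from the good URL and asserts the `redirect_url_not_allowed` message for `@bad_redirect_url`, and prefer a pattern that keeps the whole host, e.g. `"#{@good_redirect_url}*"`, so the test reflects how the option is meant to be used.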
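Review bot: The `!!` around `find` coerces the matched pattern string to a boolean, but the same result reads more directly as `DeviseTokenAuth.redirect_whitelist.any? { |pattern| Wildcat.new(pattern).match(url) }`, which also drops the inner `!!` that `Wildcat#match` already applies. A one-line doc comment above the method would help, such as `# true when url matches at least one redirect_whitelist entry (exact or wildcard)`.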
@@ -12,7 +12,10 @@ This gem provides the following features: -* Seamless integration with both the the venerable [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module for [angular.js](https://github.com/angular/angular.js) and the outstanding [jToker](https://github.com/lynndylanhurley/j-toker) plugin for [jQuery](https://jquery.com/). +* Seamless integration with: + * [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) for [AngularJS](https://github.com/angular/angular.js) + * [Angular2-Token](https://github.com/neroniaky/angular2-token) for [Angular2](https://github.com/angular/angular) + * [jToker](https://github.com/lynndylanhurley/j-toker) for [jQuery](https://jquery.com/) * Oauth2 authentication using [OmniAuth](https://github.com/intridea/omniauth). * Email authentication using [Devise](https://github.com/plataformatec/devise), including: * User registration @@ -24,7 +27,9 @@ This gem provides the following features: # Live Demos -[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://angularjs.org/). +[Here is a demo](http://ng-token-auth-demo.herokuapp.com/) of this app running with the [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) module and [AngularJS](https://github.com/angular/angular.js). + +[Here is a demo](https://angular2-token.herokuapp.com) of this app running with the [Angular2-Token](https://github.com/neroniaky/angular2-token) service and [Angular2](https://github.com/angular/angular). [Here is a demo](https://j-toker-demo.herokuapp.com/) of this app using the [jToker](https://github.com/lynndylanhurley/j-toker) plugin and [React](http://facebook.github.io/react/). 
@@ -499,6 +504,7 @@ Models that include the `DeviseTokenAuth::Concerns::User` concern will have acce ### View Live Multi-User Demos * [AngularJS](http://ng-token-auth-demo.herokuapp.com/multi-user) +* [Angular2](https://angular2-token.herokuapp.com) * [React + jToker](http://j-toker-demo.herokuapp.com/#/alt-user) This gem supports the use of multiple user models. One possible use case is to authenticate visitors using a model called `User`, and to authenticate administrators with a model called `Admin`. Take the following steps to add another authentication model to your app: 
@@ -764,14 +770,14 @@ These files may be edited to suit your taste. You can customize the e-mail subje When posting issues, please include the following information to speed up the troubleshooting process: -* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) / [jToker](https://github.com/lynndylanhurley/j-toker) if applicable) are you using? +* **Version**: which version of this gem (and [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker) or [Angular2-Token](https://github.com/neroniaky/angular2-token) if applicable) are you using? * **Request and response headers**: these can be found in the "Network" tab of your browser's web inspector. * **Rails Stacktrace**: this can be found in the `log/development.log` of your API. * **Environmental Info**: How is your application different from the [reference implementation](https://github.com/lynndylanhurley/devise_token_auth_demo)? This may include (but is not limited to) the following details: * **Routes**: are you using some crazy namespace, scope, or constraint? * **Gems**: are you using MongoDB, Grape, RailsApi, ActiveAdmin, etc.? * **Custom Overrides**: what have you done in terms of [custom controller overrides](#custom-controller-overrides)? - * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker), or something else? + * **Custom Frontend**: are you using [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth), [jToker](https://github.com/lynndylanhurley/j-toker), [Angular2-Token](https://github.com/neroniaky/angular2-token), or something else? # FAQ From 5105e4669c88dbfd5de0e72f3ef3099052e876b5 Mon Sep 17 00:00:00 2001 From: Jonathan Chen Date: Fri, 26 Aug 2016 15:58:49 -0400 Subject: [PATCH 284/328] Fix grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index d71f20ef3..0907cf039 100644 --- a/README.md +++ b/README.md @@ -777,7 +777,7 @@ When posting issues, please include the following information to speed up the tr ### Can I use this gem alongside standard Devise? -Yes! But you will need to enable the support use separate routes for standard Devise. So do something like this: +Yes! But you will need to enable the support of separate routes for standard Devise. So do something like this: #### config/initializers/devise_token_auth.rb ~~~ruby From 6fac61fc2e5bb118403b49f41f34dd20ebafd54e Mon Sep 17 00:00:00 2001 From: Jordan Hammond Date: Tue, 30 Aug 2016 19:23:16 -0400 Subject: [PATCH 285/328] added an extra line to create an ordered list via markdown --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 11bdf62c9..2961bc362 100644 --- a/README.md +++ b/README.md @@ -936,6 +936,7 @@ To run the test suite do the following: The last command will open the [guard](https://github.com/guard/guard) test-runner. Guard will re-run each test suite when changes are made to its corresponding files. To run just one test: + 1. Clone this repo 2. Run `bundle install` 3. Run `rake db:migrate` From 5b18f3641edf953d4c8069a31c7e130fc7e850b7 Mon Sep 17 00:00:00 2001 From: Jonathan Chen Date: Wed, 31 Aug 2016 15:52:59 -0400 Subject: [PATCH 286/328] Add unique index to email Why: Keep data consistent with multiple processes and match devise gem implementation References: https://robots.thoughtbot.com/the-perils-of-uniqueness-validations https://github.com/plataformatec/devise/blob/master/lib/generators/active_record/templates/migration.rb#L13 --- .../templates/devise_token_auth_create_users.rb.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb index a6651dbfe..6a380a467 100644 
--- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb @@ -45,7 +45,7 @@ class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration t.timestamps end - add_index :<%= user_class.pluralize.underscore %>, :email + add_index :<%= user_class.pluralize.underscore %>, :email, :unique => true add_index :<%= user_class.pluralize.underscore %>, [:uid, :provider], :unique => true add_index :<%= user_class.pluralize.underscore %>, :reset_password_token, :unique => true # add_index :<%= user_class.pluralize.underscore %>, :confirmation_token, :unique => true From 06db9ad0adc6e10fb4bfb83677bc3c499e4e6d60 Mon Sep 17 00:00:00 2001 From: Jonathan Chen Date: Wed, 31 Aug 2016 15:57:06 -0400 Subject: [PATCH 287/328] Update Ruby hash syntax --- .../templates/devise_token_auth_create_users.rb.erb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb index 6a380a467..c773a2ce7 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb +++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb 
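Review bot: A unique index on `email` alone is stricter than the model-level rule this gem enforces: `unique_email_user` (visible in the PATCH 290 hunk further down) only rejects duplicates among `provider == 'email'` records, so an account registered by email and the same person's OAuth record (different `provider`, same `email`) would now raise `ActiveRecord::RecordNotUnique` at insert time instead of being allowed. If that cross-provider case is still supported, scope the index, `add_index :<%= user_class.pluralize.underscore %>, [:email, :provider], :unique => true`; if it is not, the model validation should be tightened to match. The index is also case-sensitive on most databases, so it only backs the validation while emails are consistently downcased before save. The migration class around this hunk begins outside it.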
@@ -45,10 +45,10 @@ class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration t.timestamps end - add_index :<%= user_class.pluralize.underscore %>, :email, :unique => true - add_index :<%= user_class.pluralize.underscore %>, [:uid, :provider], :unique => true - add_index :<%= user_class.pluralize.underscore %>, :reset_password_token, :unique => true - # add_index :<%= user_class.pluralize.underscore %>, :confirmation_token, :unique => true - # add_index :<%= user_class.pluralize.underscore %>, :unlock_token, :unique => true + add_index :<%= user_class.pluralize.underscore %>, :email, unique: true + add_index :<%= user_class.pluralize.underscore %>, [:uid, :provider], unique: true + add_index :<%= user_class.pluralize.underscore %>, :reset_password_token, unique: true + # add_index :<%= user_class.pluralize.underscore %>, :confirmation_token, unique: true + # add_index :<%= user_class.pluralize.underscore %>, :unlock_token, unique: true end end From 421347b9910e187f6f2271e348c75407d03192ab Mon Sep 17 00:00:00 2001 From: razvanmitre Date: Wed, 28 Sep 2016 16:55:17 +0300 Subject: [PATCH 288/328] Add Romanian locale. --- config/locales/ro.yml | 47 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 config/locales/ro.yml diff --git a/config/locales/ro.yml b/config/locales/ro.yml new file mode 100644 index 000000000..e8457f612 --- /dev/null +++ b/config/locales/ro.yml 
@@ -0,0 +1,47 @@ +en: + devise_token_auth: + sessions: + not_confirmed: "Un email de confirmare a fost trimis către contul tău la '%{email}'. Pentru a-ți activa contul este necesar să urmezi instrucțiunile din acesta." + bad_credentials: "Datele introduse sunt incorecte. Te rugăm să incerci din nou." + not_supported: "Folosește functionalitatea POST /sign_in pentru a te autentifica. GET nu este suportat." + user_not_found: "Utilizatorul nu a fost găsit sau nu este logat în cont." + token_validations: + invalid: "Datele introduse pentru autentificare sunt invalide." + registrations: + missing_confirm_success_url: "Parametrul 'confirm_success_url' lipsește." + redirect_url_not_allowed: "Redirecționarea către '%{redirect_url}' nu este permisă." + email_already_exists: "Un cont cu email '%{email} deja există.'" + account_with_uid_destroyed: "Contul cu UID '%{uid}' a fost șters." + account_to_destroy_not_found: "Nu se poate localiza contul pentru ștergere." + user_not_found: "Utilizatorul nu a fost găsit." + passwords: + missing_email: "Trebuie să introduci o adresă de e-mail." + missing_redirect_url: "URL-ul pentru redirecționare lipsește." + not_allowed_redirect_url: "Redirecționarea către '%{redirect_url}' nu este permisă." + sended: "Un e-mail cu instrucțiuni pentru resetare a parolei a fost trimis către '%{email}'." + user_not_found: "Utilizatorul cu email-ul '%{email}' nu a fost găsit." + password_not_required: "Acest cont nu necesită parolă. Autentifică-te in schimb cu '%{provider}'." + missing_passwords: "Cămpurile 'Parolă' și 'Confirmare parolă' trebuiesc completate." + successfully_updated: "Parola contului a fost schimbată cu succes." + errors: + messages: + already_in_use: "este deja folosit" + validate_sign_up_params: "Trimite credențiale valide în body-ul request-ului." + validate_account_update_params: "Trimite credențiale valide în body-ul request-ului." 
+ not_email: "nu este un email" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "Poți confirma contul accesănd link-ul de mai jos:" + confirm_account_link: "Confirmă cont" + reset_password_instructions: + request_reset_link_msg: "Cineva a solicitat un link pentru schimbarea parolei contului tău. Poți face această schimbare accesând link-ul de mai jos." + password_change_link: "Schimbă parola" + ignore_mail_msg: "Dacă nu ai solicitat această schimbare ignoră acest e-mail." + no_changes_msg: "Parola ta nu se va schimba până când nu vei accesa link-ul de mai sus și vei crea o nouă parolă." + unlock_instructions: + account_lock_msg: "Contul tău a fost blocat din cauză că cineva a încercat accesarea lui de mai mult ori într-un timp foarte scurt." + unlock_link_msg: "Click pe acest link pentru a debloca contul:" + unlock_link: "Deblochează contul." + hello: "salut" + welcome: "bun venit" From 024b167e5330c6dee0452ce141065ecf3d8db1e5 Mon Sep 17 00:00:00 2001 From: razvanmitre Date: Wed, 28 Sep 2016 17:02:20 +0300 Subject: [PATCH 289/328] fix wrong locale code --- config/locales/ro.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/locales/ro.yml b/config/locales/ro.yml index e8457f612..4230496a4 100644 --- a/config/locales/ro.yml +++ b/config/locales/ro.yml @@ -1,4 +1,4 @@ -en: +ro: devise_token_auth: sessions: not_confirmed: "Un email de confirmare a fost trimis către contul tău la '%{email}'. Pentru a-ți activa contul este necesar să urmezi instrucțiunile din acesta." From b7d73590ce1a46d03615457f369c22bf27fc3bb3 Mon Sep 17 00:00:00 2001 
From: Maksym Pugach Date: Wed, 5 Oct 2016 07:43:49 +0300 Subject: [PATCH 290/328] Use standart ActiveRecord error message for email uniqueness validation --- .../concerns/user_omniauth_callbacks.rb | 2 +- config/locales/de.yml | 3 +-- config/locales/en.yml | 3 +-- config/locales/es.yml | 3 +-- config/locales/fr.yml | 3 +-- config/locales/ja.yml | 1 - config/locales/nl.yml | 1 - config/locales/pl.yml | 4 +--- config/locales/pt-BR.yml | 3 +-- config/locales/pt.yml | 4 +--- config/locales/ro.yml | 1 - config/locales/ru.yml | 7 +++--- config/locales/zh-CN.yml | 10 +-------- config/locales/zh-HK.yml | 1 - config/locales/zh-TW.yml | 1 - test/models/user_test.rb | 22 +++++++++++++++++++ 16 files changed, 34 insertions(+), 35 deletions(-) diff --git a/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb index ac500861d..576639b67 100644 --- a/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb +++ b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb @@ -18,7 +18,7 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks # only validate unique email among users that registered by email def unique_email_user if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0 - errors.add(:email, I18n.t("errors.messages.already_in_use")) + errors.add(:email, :taken) end end diff --git a/config/locales/de.yml b/config/locales/de.yml index 23510da08..28b30e9ec 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -28,7 +28,6 @@ de: validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." not_email: "ist keine E-Mail Adresse" - already_in_use: "bereits in Verwendung" devise: mailer: confirmation_instructions: 
@@ -47,4 +46,4 @@ de: unlock_link_msg: "Klicken Sie auf den Link unten , um Ihr Konto zu entsperren :" unlock_link: "Entsperren Sie Ihr Konto " hello: "hallo" - welcome: "willkommen" \ No newline at end of file + welcome: "willkommen" diff --git a/config/locales/en.yml b/config/locales/en.yml index 26ac9930a..80d6f8ae9 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -25,7 +25,6 @@ en: successfully_updated: "Your password has been successfully updated." errors: messages: - already_in_use: "already in use" validate_sign_up_params: "Please submit proper sign up data in request body." validate_account_update_params: "Please submit proper account update data in request body." not_email: "is not an email" @@ -44,4 +43,4 @@ en: unlock_link_msg: "Click the link below to unlock your account:" unlock_link: "Unlock my account" hello: "hello" - welcome: "welcome" \ No newline at end of file + welcome: "welcome" diff --git a/config/locales/es.yml b/config/locales/es.yml index 66b864b38..93360f32c 100644 --- a/config/locales/es.yml +++ b/config/locales/es.yml @@ -28,7 +28,6 @@ es: validate_sign_up_params: "Los datos introducidos en la solicitud de acceso no son válidos." validate_account_update_params: "Los datos introducidos en la solicitud de actualización no son válidos." not_email: "no es un correo electrónico" - already_in_use: "ya ha sido ocupado" devise: mailer: confirmation_instructions: @@ -47,4 +46,4 @@ es: unlock_link_msg: "Para desbloquear su cuenta ingrese en el siguiente link:" unlock_link: "Desbloquear cuenta" hello: "hola" - welcome: "bienvenido" \ No newline at end of file + welcome: "bienvenido" diff --git a/config/locales/fr.yml b/config/locales/fr.yml index 4ac9480c0..c3f6d5e18 100644 --- a/config/locales/fr.yml +++ b/config/locales/fr.yml 
@@ -25,7 +25,6 @@ fr: successfully_updated: "Votre mot de passe a été correctement mis à jour." errors: messages: - already_in_use: "déjà utilisé(e)" validate_sign_up_params: "Les données d'inscription dans le corps de la requête ne sont pas valides." validate_account_update_params: "Les données de mise à jour dans le corps de la requête ne sont pas valides." not_email: "n'est pas une adresse e-mail" @@ -47,4 +46,4 @@ fr: unlock_link_msg: "Cliquez sur le lien ci-dessous pour déverrouiller votre compte:" unlock_link: "Déverrouiller mon compte" hello: "bonjour" - welcome: "bienvenue" \ No newline at end of file + welcome: "bienvenue" diff --git a/config/locales/ja.yml b/config/locales/ja.yml index 941ceac29..1b2343127 100644 --- a/config/locales/ja.yml +++ b/config/locales/ja.yml @@ -25,7 +25,6 @@ ja: successfully_updated: "パスワードの更新に成功しました。" errors: messages: - already_in_use: "すでに利用されています。" validate_sign_up_params: "リクエストボディに適切なアカウント新規登録データを送信してください。" validate_account_update_params: "リクエストボディに適切なアカウント更新のデータを送信してください。" not_email: "はメールアドレスではありません" diff --git a/config/locales/nl.yml b/config/locales/nl.yml index 83dcc195d..7b39022d6 100644 --- a/config/locales/nl.yml +++ b/config/locales/nl.yml @@ -25,7 +25,6 @@ nl: successfully_updated: "Uw wachtwoord is aangepast." errors: messages: - already_in_use: "al in gebruik" validate_sign_up_params: "Gegevens voor aanmaken van het account zijn niet geldig." validate_account_update_params: "Gegevens voor updaten van het account zijn niet geldig." not_email: "is geen geldig e-emailadres" diff --git a/config/locales/pl.yml b/config/locales/pl.yml index 2a56308e8..5d365567c 100644 --- a/config/locales/pl.yml +++ b/config/locales/pl.yml 
@@ -27,8 +27,6 @@ pl: validate_sign_up_params: "Proszę dostarczyć odpowiednie dane logowania w ciele zapytania." validate_account_update_params: "Proszę dostarczyć odpowiednie dane aktualizacji konta w ciele zapytania." not_email: "nie jest prawidłowym adresem e-mail" - messages: - already_in_use: "już w użyciu" devise: mailer: confirmation_instructions: @@ -47,4 +45,4 @@ pl: unlock_link_msg: "Kliknij poniższy link, aby odblokować konto :" unlock_link: "Odblokować konto" hello: "halo" - welcome: "witam" \ No newline at end of file + welcome: "witam" diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml index 12058ed98..c87cfb48a 100644 --- a/config/locales/pt-BR.yml +++ b/config/locales/pt-BR.yml @@ -25,7 +25,6 @@ pt-BR: successfully_updated: "Senha atualizada com sucesso." errors: messages: - already_in_use: "em uso" validate_sign_up_params: "Os dados submetidos na requisição de cadastro são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." not_email: "não é um e-mail" @@ -44,4 +43,4 @@ pt-BR: unlock_link_msg: "Clique no link abaixo para desbloquear sua conta:" unlock_link: "Desbloquear minha conta" hello: "olá" - welcome: "bem-vindo" \ No newline at end of file + welcome: "bem-vindo" diff --git a/config/locales/pt.yml b/config/locales/pt.yml index 6dc9f3817..9b6152af5 100644 --- a/config/locales/pt.yml +++ b/config/locales/pt.yml @@ -27,8 +27,6 @@ pt: validate_sign_up_params: "Os dados submetidos na requisição de registo são inválidos." validate_account_update_params: "Os dados submetidos para atualização de conta são inválidos." not_email: "não é um e-mail" - messages: - already_in_use: "em uso" devise: mailer: confirmation_instructions: @@ -47,4 +45,4 @@ pt: unlock_link_msg: "Clique no link abaixo para desbloquear sua conta:" unlock_link: "Desbloquear minha conta" hello: "olá" - welcome: "bem-vindo" \ No newline at end of file + welcome: "bem-vindo" 
diff --git a/config/locales/ro.yml b/config/locales/ro.yml index 4230496a4..516b5c13b 100644 --- a/config/locales/ro.yml +++ b/config/locales/ro.yml @@ -25,7 +25,6 @@ ro: successfully_updated: "Parola contului a fost schimbată cu succes." errors: messages: - already_in_use: "este deja folosit" validate_sign_up_params: "Trimite credențiale valide în body-ul request-ului." validate_account_update_params: "Trimite credențiale valide în body-ul request-ului." not_email: "nu este un email" diff --git a/config/locales/ru.yml b/config/locales/ru.yml index 8e37afcd8..13dba216b 100644 --- a/config/locales/ru.yml +++ b/config/locales/ru.yml @@ -24,11 +24,10 @@ ru: missing_passwords: "Вы должны заполнить поля 'пароль' и 'повторите пароль'." successfully_updated: "Ваш пароль успешно обновлён." errors: - validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." - validate_account_update_params: "Пожалуйста, укажите надлежащие данные для обновления учетной записи в теле запроса." - not_email: "не является электронной почтой" messages: - already_in_use: "уже используется" + validate_sign_up_params: "Пожалуйста, укажите надлежащие данные для регистрации в теле запроса." + validate_account_update_params: "Пожалуйста, укажите надлежащие данные для обновления учетной записи в теле запроса." + not_email: "не является электронной почтой" devise: mailer: confirmation_instructions: diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml index 94b4942e2..8a34f5f00 100644 --- a/config/locales/zh-CN.yml +++ b/config/locales/zh-CN.yml @@ -25,7 +25,6 @@ zh-CN: successfully_updated: "您的密码已被修改。" errors: messages: - already_in_use: "已被使用。" validate_sign_up_params: "请在request body中填入有效的注册内容" validate_account_update_params: "请在request body中填入有效的更新帐号资料" not_email: "这不是一个合适的邮箱。" 
@@ -43,12 +42,5 @@ zh-CN: account_lock_msg: "由于多次登入失败,我们已锁定你的帐号" unlock_link_msg: "可以使用下面的链接解锁你的帐号" unlock_link: "解锁帐号" - activerecord: - errors: - models: - user: - attributes: - email: - already_in_use: "邮箱已被使用" hello: "你好" - welcome: "欢迎" \ No newline at end of file + welcome: "欢迎" diff --git a/config/locales/zh-HK.yml b/config/locales/zh-HK.yml index c9544372c..b541f8459 100644 --- a/config/locales/zh-HK.yml +++ b/config/locales/zh-HK.yml @@ -27,7 +27,6 @@ zh-TW: successfully_updated: "您的密碼已被修改。" errors: messages: - already_in_use: "已被使用。" validate_sign_up_params: "請在request body中填入有效的註冊內容" validate_account_update_params: "請在request body中填入有效的更新帳號資料" not_email: "這不是一個合適的電郵。" diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml index c9544372c..b541f8459 100644 --- a/config/locales/zh-TW.yml +++ b/config/locales/zh-TW.yml @@ -27,7 +27,6 @@ zh-TW: successfully_updated: "您的密碼已被修改。" errors: messages: - already_in_use: "已被使用。" validate_sign_up_params: "請在request body中填入有效的註冊內容" validate_account_update_params: "請在request body中填入有效的更新帳號資料" not_email: "這不是一個合適的電郵。" diff --git a/test/models/user_test.rb b/test/models/user_test.rb index 0e745ce91..c06a6efbc 100644 --- a/test/models/user_test.rb +++ b/test/models/user_test.rb 
@@ -35,6 +35,28 @@ class UserTest < ActiveSupport::TestCase end end + describe 'email uniqueness' do + test 'model should not save if email is taken' do + provider = 'email' + + User.create( + email: @email, + provider: provider, + password: @password, + password_confirmation: @password + ) + + @resource.email = @email + @resource.provider = provider + @resource.password = @password + @resource.password_confirmation = @password + + refute @resource.save + assert @resource.errors.messages[:email] == [I18n.t('errors.messages.taken')] + assert @resource.errors.messages[:email].none? { |e| e =~ /translation missing/ } + end + end + describe 'oauth2 authentication' do test 'model should save even if email is blank' do @resource.provider = 'facebook' From abe993bda23cdd16c634ff01c02eba0e79d728fe Mon Sep 17 00:00:00 2001 From: Piotr Kaczmarek Date: Wed, 9 Nov 2016 00:30:50 +0100 Subject: [PATCH 291/328] Fixes constructing redirect_route --- .../devise_token_auth/omniauth_callbacks_controller.rb | 3 ++- .../devise_token_auth/omniauth_callbacks_controller_test.rb | 5 +++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 3aa6678a0..0e1c16d25 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
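Review bot: `assert @resource.errors.messages[:email] == [...]` reports only that a false value was seen when it fails; `assert_equal [I18n.t('errors.messages.taken')], @resource.errors.messages[:email]` shows both sides. `User.create(...)` discards its result, so if the fixture record fails validation the test fails later at `refute @resource.save` for an unrelated reason; `User.create!` surfaces that directly. The `none? { |e| e =~ /translation missing/ }` assertion is a useful regression guard for the removed `already_in_use` key and can use `match?` since no capture is needed.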
@@ -13,7 +13,8 @@ def redirect_callbacks # before authentication. devise_mapping = [request.env['omniauth.params']['namespace_name'], request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_') - redirect_route = "#{request.protocol}#{request.host_with_port}/#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback" + path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback" + redirect_route = URI::HTTP.build(scheme: request.scheme, host: request.host, port: request.port, path: path).to_s # preserve omniauth info for success route. ignore 'extra' in twitter # auth response to avoid CookieOverflow. diff --git a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb index 9a52ef33a..34d02a9f3 100644 --- a/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb +++ b/test/controllers/devise_token_auth/omniauth_callbacks_controller_test.rb @@ -66,6 +66,11 @@ class OmniauthTest < ActionDispatch::IntegrationTest get_success end + test 'should be redirected via valid url' do + get_success + assert_equal 'http://www.example.com/auth/facebook/callback', request.original_url + end + describe 'with default user model' do before do get_success From 4b07ade2e381a9381140dbe984dab7a079f62962 Mon Sep 17 00:00:00 2001 From: Jonathan Chen Date: Sat, 12 Nov 2016 02:43:37 -0500 Subject: [PATCH 292/328] Add index for confirmation_token Since it's enabled by default on line 26. --- .../templates/devise_token_auth_create_users.rb.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb index c773a2ce7..b1aec3236 100644 --- a/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb 
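Review bot: `URI::HTTP.build` takes its scheme from the class and ignores the `scheme:` key, so `redirect_route` comes out as `http://…` even when `request.scheme` is `https`, whereas the removed `request.protocol` form preserved it; behind TLS this sends the provider callback to a cleartext URL with an explicit `:443`. Pick the class from the request instead: `uri_class = request.ssl? ? URI::HTTPS : URI::HTTP` and `redirect_route = uri_class.build(host: request.host, port: request.port, path: path).to_s`. The accompanying test only exercises `http://www.example.com`, so an `https` case would pin this. `redirect_callbacks` starts and ends outside the hunk.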
+++ b/lib/generators/devise_token_auth/templates/devise_token_auth_create_users.rb.erb @@ -48,7 +48,7 @@ class DeviseTokenAuthCreate<%= user_class.pluralize %> < ActiveRecord::Migration add_index :<%= user_class.pluralize.underscore %>, :email, unique: true add_index :<%= user_class.pluralize.underscore %>, [:uid, :provider], unique: true add_index :<%= user_class.pluralize.underscore %>, :reset_password_token, unique: true - # add_index :<%= user_class.pluralize.underscore %>, :confirmation_token, unique: true + add_index :<%= user_class.pluralize.underscore %>, :confirmation_token, unique: true # add_index :<%= user_class.pluralize.underscore %>, :unlock_token, unique: true end end From d3c74371b847dbb92e7ecb6d670c2f7bc605be30 Mon Sep 17 00:00:00 2001 From: Jonathan Chen Date: Fri, 2 Dec 2016 14:44:31 -0500 Subject: [PATCH 293/328] Update link --- lib/generators/devise_token_auth/USAGE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/generators/devise_token_auth/USAGE b/lib/generators/devise_token_auth/USAGE index eb59d728f..bc9c1da1a 100644 --- a/lib/generators/devise_token_auth/USAGE +++ b/lib/generators/devise_token_auth/USAGE @@ -8,7 +8,7 @@ Arguments: # 'User' MOUNT_PATH # The path at which to mount the authentication routes. Default is # 'auth'. More detail documentation is here: - # https://github.com/lynndylanhurley/devise_token_auth#usage + # https://github.com/lynndylanhurley/devise_token_auth#usage-tldr Example: rails generate devise_token_auth:install User auth From b023307a0be0d78d7990202079221c866d2a7b8b Mon Sep 17 00:00:00 2001 From: Genaro Madrid Date: Wed, 29 Jun 2016 15:12:16 -0500 Subject: [PATCH 294/328] validate authentication for lockable option --- app/controllers/devise_token_auth/sessions_controller.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
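Review bot: The now-active `add_index … :confirmation_token, unique: true` depends on the `t.string :confirmation_token` column in the Confirmable section above (outside this hunk) staying uncommented; an app that disables confirmable by commenting out the column will fail on this line, so the coupling deserves a comment, e.g. `# keep in step with the Confirmable column above`. A unique index is the right guard for a token that is looked up by value, since it rejects duplicate tokens at the database rather than relying on the lookup returning a single row.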
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb index c85af0c77..86db56310 100644 --- a/app/controllers/devise_token_auth/sessions_controller.rb +++ b/app/controllers/devise_token_auth/sessions_controller.rb @@ -29,7 +29,12 @@ def create @resource = resource_class.where(q, q_value).first end - if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) + if @resource and valid_params?(field, q_value) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?) + valid_password = @resource.valid_password?(resource_params[:password]) + if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password + render_create_error_bad_credentials + return + end # create client id @client_id = SecureRandom.urlsafe_base64(nil, false) @token = SecureRandom.urlsafe_base64(nil, false) From 8e972a78d8d03a313aaf9c46eaa14adea558902c Mon Sep 17 00:00:00 2001 From: Genaro Madrid Date: Wed, 29 Jun 2016 15:12:34 -0500 Subject: [PATCH 295/328] allow to overwrite unlocks controller --- lib/devise_token_auth/rails/routes.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb index 880331f82..af1f5195d 100644 --- a/lib/devise_token_auth/rails/routes.rb +++ b/lib/devise_token_auth/rails/routes.rb 
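Review bot: The new early return renders `render_create_error_bad_credentials` both for a wrong password and for the attempt on which Lockable's `valid_for_authentication?` locks the account, so a user whose account was just locked (and, with an e-mail unlock strategy, just mailed an unlock link) is told only that the credentials were bad; Devise distinguishes this case through `unauthenticated_message`, and whether to expose it is a deliberate choice that should be recorded in a comment on the added `if`. Computing `valid_password` before the `valid_for_authentication?` call is correct because Lockable counts a failed attempt from the block's value, and a one-line comment would stop a later refactor from inlining it: `# evaluated first: Lockable counts the attempt from the block's result`. The condition above still uses `and`/`or` while the added lines use `&&`/`||`; one style within the method is preferable. `create` starts and ends outside the hunk.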
@@ -12,6 +12,7 @@ def mount_devise_token_auth_for(resource, opts) confirmations_ctrl = opts[:controllers][:confirmations] || "devise_token_auth/confirmations" token_validations_ctrl = opts[:controllers][:token_validations] || "devise_token_auth/token_validations" omniauth_ctrl = opts[:controllers][:omniauth_callbacks] || "devise_token_auth/omniauth_callbacks" + unlocks_ctrl = opts[:controllers][:unlocks] # define devise controller mappings controllers = {:sessions => sessions_ctrl, @@ -19,6 +20,8 @@ def mount_devise_token_auth_for(resource, opts) :passwords => passwords_ctrl, :confirmations => confirmations_ctrl} + controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl + # remove any unwanted devise modules opts[:skip].each{|item| controllers.delete(item)} From 4f243cd19ed8a97eb145e94634bb122b1a936929 Mon Sep 17 00:00:00 2001 From: Genaro Madrid Date: Wed, 29 Jun 2016 20:48:03 -0500 Subject: [PATCH 296/328] test lockable users --- .../sessions_controller_test.rb | 89 +++++++++++++++++++ test/dummy/app/models/lockable_user.rb | 5 ++ test/dummy/config/routes.rb | 2 + ...devise_token_auth_create_lockable_users.rb | 60 +++++++++++++ test/dummy/db/schema.rb | 22 ++++- test/fixtures/lockable_users.yml | 22 +++++ 6 files changed, 199 insertions(+), 1 deletion(-) create mode 100644 test/dummy/app/models/lockable_user.rb create mode 100644 test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb create mode 100644 test/fixtures/lockable_users.yml diff --git a/test/controllers/devise_token_auth/sessions_controller_test.rb b/test/controllers/devise_token_auth/sessions_controller_test.rb index 9875f650c..7dc9458b2 100644 --- a/test/controllers/devise_token_auth/sessions_controller_test.rb +++ b/test/controllers/devise_token_auth/sessions_controller_test.rb 
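Review bot: `unlocks_ctrl = opts[:controllers][:unlocks]` has no default, unlike the neighbouring `sessions_ctrl`/`passwords_ctrl` lines, so the unlocks routes appear only when an app passes a controller explicitly; the reason (presumably that the gem ships no unlocks controller of its own) belongs in a comment next to it, e.g. `# no default: mounted only when the app supplies its own unlocks controller`. The second hunk's `controllers[:unlocks] = unlocks_ctrl if unlocks_ctrl` is placed before the `opts[:skip]` loop, so `skip: [:unlocks]` still removes it, which is worth stating in that comment too. `mount_devise_token_auth_for` starts and ends outside the hunks.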
@@ -389,5 +389,94 @@ def @controller.reset_session; @reset_session_called = true; end refute OnlyEmailUser.method_defined?(:confirmed_at) end end + + describe "Lockable User" do + setup do + @request.env['devise.mapping'] = Devise.mappings[:lockable_user] + end + + teardown do + @request.env['devise.mapping'] = Devise.mappings[:user] + end + + before do + @original_lock_strategy = Devise.lock_strategy + @original_unlock_strategy = Devise.unlock_strategy + @original_maximum_attempts = Devise.maximum_attempts + Devise.lock_strategy = :failed_attempts + Devise.unlock_strategy = :email + Devise.maximum_attempts = 5 + end + + after do + Devise.lock_strategy = @original_lock_strategy + Devise.maximum_attempts = @original_maximum_attempts + Devise.unlock_strategy = @original_unlock_strategy + end + + describe "locked user" do + before do + @locked_user = lockable_users(:locked_user) + xhr :post, :create, { + email: @locked_user.email, + password: 'secret123' + } + @data = JSON.parse(response.body) + end + + test "request should fail" do + assert_equal 401, response.status + end + + test "response should contain errors" do + assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.not_confirmed", email: @locked_user.email)] + end + end + + describe "unlocked user with bad password" do + before do + @unlocked_user = lockable_users(:unlocked_user) + xhr :post, :create, { + email: @unlocked_user.email, + password: 'bad-password' + } + @data = JSON.parse(response.body) + end + + test "request should fail" do + assert_equal 401, response.status + end + + test "should increase failed_attempts" do + assert_equal 1, @unlocked_user.reload.failed_attempts + end + + test "response should contain errors" do + assert @data['errors'] + assert_equal @data['errors'], [I18n.t("devise_token_auth.sessions.bad_credentials")] + end + + describe 'after maximum_attempts should block the user' do + before do + 4.times do + xhr :post, :create, { + email: 
@unlocked_user.email, + password: 'bad-password' + } + end + @data = JSON.parse(response.body) + end + + test "should increase failed_attempts" do + assert_equal 5, @unlocked_user.reload.failed_attempts + end + + test "should block the user" do + assert_equal true, @unlocked_user.reload.access_locked? + end + end + end + end end end diff --git a/test/dummy/app/models/lockable_user.rb b/test/dummy/app/models/lockable_user.rb new file mode 100644 index 000000000..79e34a6b2 --- /dev/null +++ b/test/dummy/app/models/lockable_user.rb @@ -0,0 +1,5 @@ +class LockableUser < ActiveRecord::Base + # Include default devise modules. + devise :database_authenticatable, :registerable, :lockable + include DeviseTokenAuth::Concerns::User +end diff --git a/test/dummy/config/routes.rb b/test/dummy/config/routes.rb index b2f45c838..c0b6472ea 100644 --- a/test/dummy/config/routes.rb +++ b/test/dummy/config/routes.rb @@ -34,6 +34,8 @@ mount_devise_token_auth_for 'UnconfirmableUser', at: 'unconfirmable_user_auth' + mount_devise_token_auth_for 'LockableUser', at: 'lockable_user_auth' + # test namespacing namespace :api do scope :v1 do diff --git a/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb b/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb new file mode 100644 index 000000000..460c0a22d --- /dev/null +++ b/test/dummy/db/migrate/20160629184441_devise_token_auth_create_lockable_users.rb 
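Review bot: The "locked user" test pins the locked account's response to `devise_token_auth.sessions.not_confirmed`, which tells the caller to look for a confirmation e-mail when the account is in fact locked; that message presumably comes from the controller's fall-through branch for inactive accounts (outside this series' hunks), where Devise's own `inactive_message` would yield a lockable-specific reason, so the assertion codifies a misleading response rather than checking for a correct one. `assert_equal true, @unlocked_user.reload.access_locked?` is simply `assert @unlocked_user.reload.access_locked?`. The `before`/`after` pair restores the three `Devise` settings it mutates, which is good; a short comment saying why `maximum_attempts` is pinned to 5 (the `4.times` loop relies on it) would keep the two in step.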
@@ -0,0 +1,60 @@ +include MigrationDatabaseHelper + +class DeviseTokenAuthCreateLockableUsers < ActiveRecord::Migration + def change + create_table(:lockable_users) do |t| + ## Required + t.string :provider, :null => false + t.string :uid, :null => false, :default => "" + + ## Database authenticatable + t.string :encrypted_password, :null => false, :default => "" + + ## Recoverable + # t.string :reset_password_token + # t.datetime :reset_password_sent_at + + ## Rememberable + # t.datetime :remember_created_at + + ## Trackable + # t.integer :sign_in_count, :default => 0, :null => false + # t.datetime :current_sign_in_at + # t.datetime :last_sign_in_at + # t.string :current_sign_in_ip + # t.string :last_sign_in_ip + + ## Confirmable + # t.string :confirmation_token + # t.datetime :confirmed_at + # t.datetime :confirmation_sent_at + # t.string :unconfirmed_email # Only if using reconfirmable + + ## Lockable + t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts + t.string :unlock_token # Only if unlock strategy is :email or :both + t.datetime :locked_at + + ## User Info + t.string :name + t.string :nickname + t.string :image + t.string :email + + ## Tokens + if json_supported_database? + t.json :tokens + else + t.text :tokens + end + + t.timestamps + end + + add_index :lockable_users, :email + add_index :lockable_users, [:uid, :provider], :unique => true + # add_index :lockable_users, :reset_password_token, :unique => true + # add_index :lockable_users, :confirmation_token, :unique => true + add_index :lockable_users, :unlock_token, :unique => true + end +end diff --git a/test/dummy/db/schema.rb b/test/dummy/db/schema.rb index c5e24774c..6e5b299b1 100644 --- a/test/dummy/db/schema.rb +++ b/test/dummy/db/schema.rb 
@@ -11,7 +11,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20160103235141) do +ActiveRecord::Schema.define(version: 20160629184441) do create_table "evil_users", force: :cascade do |t| t.string "email" @@ -44,6 +44,26 @@ add_index "evil_users", ["reset_password_token"], name: "index_evil_users_on_reset_password_token", unique: true add_index "evil_users", ["uid", "provider"], name: "index_evil_users_on_uid_and_provider", unique: true + create_table "lockable_users", force: :cascade do |t| + t.string "provider", null: false + t.string "uid", default: "", null: false + t.string "encrypted_password", default: "", null: false + t.integer "failed_attempts", default: 0, null: false + t.string "unlock_token" + t.datetime "locked_at" + t.string "name" + t.string "nickname" + t.string "image" + t.string "email" + t.text "tokens" + t.datetime "created_at" + t.datetime "updated_at" + end + + add_index "lockable_users", ["email"], name: "index_lockable_users_on_email" + add_index "lockable_users", ["uid", "provider"], name: "index_lockable_users_on_uid_and_provider", unique: true + add_index "lockable_users", ["unlock_token"], name: "index_lockable_users_on_unlock_token", unique: true + create_table "mangs", force: :cascade do |t| t.string "email" t.string "encrypted_password", default: "", null: false diff --git a/test/fixtures/lockable_users.yml b/test/fixtures/lockable_users.yml new file mode 100644 index 000000000..7a299b32f --- /dev/null +++ b/test/fixtures/lockable_users.yml 
@@ -0,0 +1,22 @@ +<% @locked_user = Faker::Internet.email %> +<% timestamp = DateTime.parse(1.day.ago.to_s).to_time.strftime("%F %T") %> +unlocked_user: + uid: "<%= @locked_user %>" + email: "<%= @locked_user %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + +<% @locked_user = Faker::Internet.email %> +<% timestamp = DateTime.parse(1.day.ago.to_s).to_time.strftime("%F %T") %> +locked_user: + uid: "<%= @locked_user %>" + email: "<%= @locked_user %>" + provider: 'email' + created_at: '<%= timestamp %>' + updated_at: '<%= timestamp %>' + encrypted_password: <%= User.new.send(:password_digest, 'secret123') %> + locked_at: '<%= timestamp %>' + failed_attempts: 5 + From e3debcda99f87dcf6b52b68d021dcd19dfabf8ed Mon Sep 17 00:00:00 2001 From: Olle Jonsson Date: Tue, 6 Dec 2016 16:45:45 +0100 Subject: [PATCH 297/328] Travis: use code_climate addon config --- .travis.yml | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/.travis.yml b/.travis.yml index 4e1c60e4b..572f03674 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,17 +6,25 @@ rvm: - 2.3.1 env: - - DB=sqlite - - DB=mysql - - DB=postgresql + global: + - RAILS_ENV=test + matrix: + - DB=sqlite + - DB=mysql + - DB=postgresql script: - - RAILS_ENV=test bundle exec rake --trace db:migrate - - RAILS_ENV=test CODECLIMATE_REPO_TOKEN=44d7688de8e1b567b4af25ec5083c2cc0a355ab911192a7cbefd1ea25b2ffd3d bundle exec rake + - bundle exec rake --trace db:migrate + - bundle exec rake before_script: - mysql -e 'create database devise_token_auth_test' - psql -c 'create database devise_token_auth_test' -U postgres addons: - postgresql: "9.4" \ No newline at end of file + postgresql: "9.4" + code_climate: + - repo_token: 44d7688de8e1b567b4af25ec5083c2cc0a355ab911192a7cbefd1ea25b2ffd3d + +after_success: + - bundle exec codeclimate-test-reporter 
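Review bot: The `repo_token` under `code_climate:` is still committed in plaintext; this hunk moves it from the `script` line into the addon config but does not take it out of the repository, which lets anyone with read access report coverage as this project. Travis accepts `secure:` values produced by `travis encrypt` for addon tokens, or the token can be supplied as an encrypted environment variable and omitted from the file; a token that has been committed should also be rotated.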
From 45825deccaca5e7b213df1bf5c76a917aa72bc50 Mon Sep 17 00:00:00 2001 From: Jacob Date: Thu, 22 Dec 2016 17:09:22 -0500 Subject: [PATCH 298/328] Don't send extra data on request password reset Why: * So we don't leak any user data This change addresses the need by: * Not returning extra data after request * Spec --- .../devise_token_auth/passwords_controller.rb | 1 - .../passwords_controller_test.rb | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index a5b44bd0b..f329fab32 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -168,7 +168,6 @@ def render_create_error_not_allowed_redirect_url def render_create_success render json: { success: true, - data: resource_data, message: I18n.t("devise_token_auth.passwords.sended", email: @email) } end diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 00cb1f6eb..75fa8c518 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb +++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -73,6 +73,21 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase end end + describe 'successfully requested password reset' do + before do + xhr :post, :create, { + email: @resource.email, + redirect_url: @redirect_url + } + + @data = JSON.parse(response.body) + end + + test 'response should not contain extra data' do + assert_equal @data['data'], nil + end + end + describe 'case-sensitive email' do before do From 115effc45585d24c70f43d29b793c31cd9c430e4 Mon Sep 17 00:00:00 2001 
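Review bot: Dropping `data: resource_data` removes the user record from the reply, but the success message still interpolates the submitted `@email`, and the not-found path renders a distinct `passwords.user_not_found` message (visible in this series' locale files), so whether an address is registered remains observable from the response; if the aim is not leaking user data, the create action could answer with the same `sended` message regardless of lookup result, as Devise's `paranoid` setting does. The not-found branch is outside this hunk. The same controller hunk reappears verbatim as PATCH 302 later in this series, so one of the two is redundant. In the test, `assert_equal @data['data'], nil` reads better as `assert_nil @data['data']`.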
From: Matthias Orgler Date: Tue, 3 Jan 2017 15:09:59 +0100 Subject: [PATCH 299/328] Fix language errors in German locale --- config/locales/de.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/config/locales/de.yml b/config/locales/de.yml index 28b30e9ec..52e724551 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml @@ -1,7 +1,7 @@ de: devise_token_auth: sessions: - not_confirmed: "Ein E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}' gesendet. Sie müssen den Anleitungsschritten im E-Mail folgen, um Ihren Account zu aktivieren" + not_confirmed: "Eine E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}' gesendet. Sie müssen der Anleitung in der E-Mail folgen, um Ihren Account zu aktivieren." bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut." not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt." user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden." 
@@ -15,35 +15,35 @@ de: account_to_destroy_not_found: "Der Account, der gelöscht werden soll, kann nicht gefunden werden." user_not_found: "Benutzer kann nicht gefunden werden." passwords: - missing_email: "Sie müssen eine E-Mail Adresse angeben." - missing_redirect_url: "Es fehlt der URL zu Weiterleitung." + missing_email: "Sie müssen eine E-Mail-Adresse angeben." + missing_redirect_url: "Es fehlt die URL zu Weiterleitung." not_allowed_redirect_url: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet." - sended: "Ein E-Mail mit Anleitung zum Rücksetzen Ihres Passwortes wurde an '%{email}' gesendet." - user_not_found: "Der Benutzer mit E-Mail-Adresse '%{email}' kann nicht gefunden werden." - password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie Sich stattdessen über Ihren Account bei '%{provider}' an." + sended: "Ein E-Mail mit der Anleitung zum Zurücksetzen Ihres Passwortes wurde an '%{email}' gesendet." + user_not_found: "Der Benutzer mit der E-Mail-Adresse '%{email}' kann nicht gefunden werden." + password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie sich stattdessen über Ihren Account bei '%{provider}' an." missing_passwords: "Sie müssen die Felder 'Passwort' and 'Passwortbestätigung' ausfüllen." successfully_updated: "Ihr Passwort wurde erfolgreich aktualisiert." errors: messages: validate_sign_up_params: "Bitte übermitteln sie vollständige Anmeldeinformationen im Body des Requests." validate_account_update_params: "Bitte übermitteln sie vollständige Informationen zur Aktualisierung im Body des Requests." 
- not_email: "ist keine E-Mail Adresse" + not_email: "ist keine E-Mail-Adresse" devise: mailer: confirmation_instructions: - subject: "Bestätigungs-" - confirm_link_msg: "Sie können Ihr Konto E-Mail über den untenstehenden Link bestätigen:" - confirm_account_link: "Ihr Konto zu bestätigen" + subject: "Bestätigung Ihres Kontos" + confirm_link_msg: "Sie können Ihr Konto über den untenstehenden Link bestätigen:" + confirm_account_link: "Konto bestätigen" reset_password_instructions: - subject: "Wiederherstellungskennwort Anweisungen" - request_reset_link_msg: "Jemand hat einen Link auf Ihr Kennwort zu ändern angefordert. Sie können dies durch den folgenden Link tun:" - password_change_link: "Kennwort ändern" - ignore_mail_msg: "Wenn Sie nicht angefordert haben diese , ignorieren Sie bitte diese E-Mail:" - no_changes_msg: "Ihr Passwort wird nicht geändert , bis Sie auf den obigen Link zugreifen und eine neue erstellen ." + subject: "Passwort zurücksetzen" + request_reset_link_msg: "Jemand hat einen Link zur Änderungen Ihres Passwortes angefordert. Sie können dies durch den folgenden Link tun:" + password_change_link: "Passwort ändern" + ignore_mail_msg: "Wenn Sie keine Änderung Ihres Passwortes angefordert haben, ignorieren Sie bitte diese E-Mail:" + no_changes_msg: "Ihr Passwort wird nicht geändert, bis Sie auf den obigen Link zugreifen und eine neues Passwort erstellen." unlock_instructions: - subject: "entsperren Anweisungen" - account_lock_msg: "Ihr Konto wurde aufgrund einer übermäßigen Anzahl von erfolglosen Zeichen in Versuchen gesperrt." - unlock_link_msg: "Klicken Sie auf den Link unten , um Ihr Konto zu entsperren :" - unlock_link: "Entsperren Sie Ihr Konto " + subject: "Anweisungen zum Entsperren Ihres Kontos" + account_lock_msg: "Ihr Konto wurde aufgrund einer übermäßigen Anzahl von erfolglosen Anmeldeversuchen gesperrt." 
+ unlock_link_msg: "Klicken Sie auf den Link unten, um Ihr Konto zu entsperren:" + unlock_link: "Entsperren Sie Ihr Konto" hello: "hallo" welcome: "willkommen" From ab9511ae284ded8bba1f0e29a0d556ccbf4c9819 Mon Sep 17 00:00:00 2001 From: Damian Kaczmarek Date: Wed, 11 Jan 2017 10:46:00 +0000 Subject: [PATCH 300/328] Add missing parameter :redirect_url, fixes lynndylanhurley/devise_token_auth#805 --- app/controllers/devise_token_auth/passwords_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index a5b44bd0b..44969a8c7 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb @@ -223,7 +223,7 @@ def render_update_error private def resource_params - params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token) + params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token, :redirect_url) end def password_resource_params From 14c69c19b3fbf3faa35a2aa0fba38555ce7c2c7e Mon Sep 17 00:00:00 2001 From: Damian Kaczmarek Date: Thu, 12 Jan 2017 12:26:53 +0000 Subject: [PATCH 301/328] Whitelist :config as part of resource params as required by ng-token-auth --- app/controllers/devise_token_auth/passwords_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb index 44969a8c7..5b2f04fe1 100644 --- a/app/controllers/devise_token_auth/passwords_controller.rb +++ b/app/controllers/devise_token_auth/passwords_controller.rb 
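Review bot: `resource_params` now permits `:redirect_url` (and `:config` in PATCH 301 on the following hunk), keys that steer the request rather than describe the resource; permitting them here only silences the unpermitted-parameter handling, so the open-redirect guard rests entirely on `redirect_url` being checked against the configured allow-list before use, which the `not_allowed_redirect_url` locale message suggests exists but is outside this hunk and worth confirming. A comment separating the two kinds of keys keeps this list from being handed to mass assignment later, e.g. `# :redirect_url and :config are request controls, not model attributes`.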
@@ -223,7 +223,7 @@ def render_update_error
 private
 def resource_params
- params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token, :redirect_url)
+ params.permit(:email, :password, :password_confirmation, :current_password, :reset_password_token, :redirect_url, :config)
 end
 def password_resource_params
From 371d206ea55745ee844b3f817b0273db1fae79a0 Mon Sep 17 00:00:00 2001
From: biomancer
Date: Sat, 14 Jan 2017 02:21:26 +0300
Subject: [PATCH 302/328] Do not return resource data on password reset request
---
 app/controllers/devise_token_auth/passwords_controller.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
index a5b44bd0b..f329fab32 100644
--- a/app/controllers/devise_token_auth/passwords_controller.rb
+++ b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -168,7 +168,6 @@ def render_create_error_not_allowed_redirect_url
 def render_create_success
 render json: {
 success: true,
- data: resource_data,
 message: I18n.t("devise_token_auth.passwords.sended", email: @email)
 }
 end
From cef76f5eeaf7e22f3c82e40d7c2fe3e93d7d5dbe Mon Sep 17 00:00:00 2001
From: Chosko
Date: Tue, 17 Jan 2017 12:24:37 +0100
Subject: [PATCH 303/328] added italian locale
---
 config/locales/it.yml | 46 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 config/locales/it.yml
diff --git a/config/locales/it.yml b/config/locales/it.yml
new file mode 100644
index 000000000..dfd0eb506
--- /dev/null
+++ b/config/locales/it.yml
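Review bot: Dropping `data: resource_data` from `render_create_success` keeps the account payload out of the reset-request response, but the not-found branch of the same action still appears to answer differently for unknown addresses (the `passwords.user_not_found` message keyed by `%{email}` in the locale files on this page), so the endpoint still reveals whether an address is registered. If enumeration resistance is a goal, the not-found path should return the same `success: true` body and `sended` message that this hunk keeps; that branch is outside the hunk, so this is inferred from the locale strings. The remaining `message` interpolates only the caller-supplied `@email`, which is fine.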
@@ -0,0 +1,46 @@ +it: + devise_token_auth: + sessions: + not_confirmed: "Un'email di conferma è stata mandata al tuo account '%{email}'. Segui le istruzioni nell'email per attivare il tuo account." + bad_credentials: "Credenziali di login non valide. Riprova." + not_supported: "Usa POST /sign_in per eseguire il login. GET non è supportato." + user_not_found: "Utente non trovato o non autenticato." + token_validations: + invalid: "Credenziali di login non valide" + registrations: + missing_confirm_success_url: "Parametro 'confirm_success_url' mancante." + redirect_url_not_allowed: "Redirezione a '%{redirect_url}' non consentita." + email_already_exists: "Esiste già un account per '%{email}'" + account_with_uid_destroyed: "L'account con UID '%{uid}' è stato eliminato." + account_to_destroy_not_found: "Impossibile trovare l'account da eliminare." + user_not_found: "Utente non trovato." + passwords: + missing_email: "Devi fornire un indirizzo email." + missing_redirect_url: "Redirect URL mancante." + not_allowed_redirect_url: "Redirezione a '%{redirect_url}' non consentita." + sended: "E' stata inviata un'email a '%{email}' contenente le istruzioni per reimpostare la password." + user_not_found: "Impossibile trovare un utente con email '%{email}'." + password_not_required: "Questo account non richiede una password. Accedi utilizzando l'account di '%{provider}'." + missing_passwords: "Devi riempire i campi 'Password' e 'Password confirmation'." + successfully_updated: "La tua password è stata aggiornata correttamente." + errors: + messages: + validate_sign_up_params: "Dati di registrazione non validi." + validate_account_update_params: "Dati di aggiornamento dell'account non validi." 
+ not_email: "non è un'email" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "Puoi confermare il tuo account email cliccando sul seguente link:" + confirm_account_link: "Conferma il mio account" + reset_password_instructions: + request_reset_link_msg: "Qualcuno ha richiesto un link per cambiare la tua password. Puoi farlo cliccando sul seguente link." + password_change_link: "Cambia la mia password" + ignore_mail_msg: "Se non hai richiesto questa operazione, puoi ignorare l'email." + no_changes_msg: "La tua password non cambierà finchè non cliccherai sul link sopra per crearne una nuova." + unlock_instructions: + account_lock_msg: "Il tuo account è stato bloccato a causa di un numero eccessivo di tentativi di accesso non validi." + unlock_link_msg: "Clicca sul seguente link per sbloccare il tuo account:" + unlock_link: "Sblocca il mio account" + hello: "ciao" + welcome: "benvenuto" From fe71cc1c507410692455d056352521e3fc553b81 Mon Sep 17 00:00:00 2001 From: Bijan Rahnema Date: Thu, 19 Jan 2017 14:13:48 +0100 Subject: [PATCH 304/328] Update german translation. Improve the wording and fix not translated parts. --- config/locales/de.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/locales/de.yml b/config/locales/de.yml index 52e724551..ff03e354f 100644 --- a/config/locales/de.yml +++ b/config/locales/de.yml 
@@ -1,7 +1,7 @@ de: devise_token_auth: sessions: - not_confirmed: "Eine E-Mail zu Bestätigung wurde an Ihre Adresse '%{email}' gesendet. Sie müssen der Anleitung in der E-Mail folgen, um Ihren Account zu aktivieren." + not_confirmed: "Eine Bestätigungs-E-Mail wurde an Ihre Adresse '%{email}' gesendet. Sie müssen der Anleitung in der E-Mail folgen, um Ihren Account zu aktivieren." bad_credentials: "Ungültige Anmeldeinformationen. Bitte versuchen Sie es erneut." not_supported: "Verwenden Sie POST /sign_in zur Anmeldung. GET wird nicht unterstützt." user_not_found: "Benutzer wurde nicht gefunden oder konnte nicht angemeldet werden." @@ -12,7 +12,7 @@ de: redirect_url_not_allowed: "Weiterleitung zu '%{redirect_url}' ist nicht gestattet." email_already_exists: "Es gibt bereits einen Account für '%{email}'." account_with_uid_destroyed: "Account mit der uid '%{uid}' wurde gelöscht." - account_to_destroy_not_found: "Der Account, der gelöscht werden soll, kann nicht gefunden werden." + account_to_destroy_not_found: "Der zu löschende Account kann nicht gefunden werden." user_not_found: "Benutzer kann nicht gefunden werden." passwords: missing_email: "Sie müssen eine E-Mail-Adresse angeben." @@ -21,7 +21,7 @@ de: sended: "Ein E-Mail mit der Anleitung zum Zurücksetzen Ihres Passwortes wurde an '%{email}' gesendet." user_not_found: "Der Benutzer mit der E-Mail-Adresse '%{email}' kann nicht gefunden werden." password_not_required: "Dieser Account benötigt kein Passwort. Melden Sie sich stattdessen über Ihren Account bei '%{provider}' an." - missing_passwords: "Sie müssen die Felder 'Passwort' and 'Passwortbestätigung' ausfüllen." + missing_passwords: "Sie müssen die Felder 'Passwort' und 'Passwortbestätigung' ausfüllen." successfully_updated: "Ihr Passwort wurde erfolgreich aktualisiert." errors: messages: From 5f96f487730a7a359ecac337de65bf851bf363f3 Mon Sep 17 00:00:00 2001 
From: Brent Dearth
Date: Thu, 19 Jan 2017 17:33:28 -0700
Subject: [PATCH 305/328] bump v0.1.40
---
 .github_changelog_generator | 2 +-
 lib/devise_token_auth/version.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github_changelog_generator b/.github_changelog_generator
index e5f9016b5..8eacfdf99 100644
--- a/.github_changelog_generator
+++ b/.github_changelog_generator
@@ -1,6 +1,6 @@
 bug-labels=bug,Bug,fix,Fix
 enhancement-labels=enhancement,Enhancement,feat,Feat
 since-tags=v0.1.38
-between-tags=v0.1.38,v0.1.39
+between-tags=v0.1.39,v0.1.40
 unreleased-label=v0.1.40
 base=CHANGELOG.md
\ No newline at end of file
diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb
index 8432c1a53..6d0189c83 100644
--- a/lib/devise_token_auth/version.rb
+++ b/lib/devise_token_auth/version.rb
@@ -1,3 +1,3 @@
 module DeviseTokenAuth
- VERSION = "0.1.39"
+ VERSION = "0.1.40"
 end
From 083829046f311734a2283ca57dafed17b62687eb Mon Sep 17 00:00:00 2001
From: Brent Dearth
Date: Thu, 19 Jan 2017 23:11:06 -0700
Subject: [PATCH 306/328] chore(docs): update CHANGELOG.md
---
 .github_changelog_generator | 5 ++--
 CHANGELOG.md | 53 +++++++++++++++++++++++++++++++++++++
 Gemfile.lock | 10 +++----
 3 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/.github_changelog_generator b/.github_changelog_generator
index 8eacfdf99..4b970df16 100644
--- a/.github_changelog_generator
+++ b/.github_changelog_generator
@@ -1,6 +1,5 @@
 bug-labels=bug,Bug,fix,Fix
 enhancement-labels=enhancement,Enhancement,feat,Feat
-since-tags=v0.1.38
-between-tags=v0.1.39,v0.1.40
-unreleased-label=v0.1.40
+between-tags=v0.1.38,v0.1.40
+unreleased-label=v0.1.41
 base=CHANGELOG.md
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2ce60f55..06cd01315 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,56 @@ # Change Log +## [v0.1.40](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.40) (2017-01-20) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.39...v0.1.40) + + +**Closed issues:** + +- Support for multiple providers during same session [\#815](https://github.com/lynndylanhurley/devise_token_auth/issues/815) +- not supporting for angular1.6 [\#810](https://github.com/lynndylanhurley/devise_token_auth/issues/810) +- Add has one/belongs to assotiation [\#807](https://github.com/lynndylanhurley/devise_token_auth/issues/807) +- redirect\_url required but not permitted in strong parameters [\#805](https://github.com/lynndylanhurley/devise_token_auth/issues/805) +- Rails 5 API Mode Not Authorizing [\#796](https://github.com/lynndylanhurley/devise_token_auth/issues/796) +- wrong constant name user [\#784](https://github.com/lynndylanhurley/devise_token_auth/issues/784) +- current\_user returns nill [\#779](https://github.com/lynndylanhurley/devise_token_auth/issues/779) +- ActionController::RoutingError - undefined method `helper\_method' [\#776](https://github.com/lynndylanhurley/devise_token_auth/issues/776) +- Minimum Limits on a token? 
[\#764](https://github.com/lynndylanhurley/devise_token_auth/issues/764) +- Octopus throwing error when deleting expired tokens [\#761](https://github.com/lynndylanhurley/devise_token_auth/issues/761) +- Only one User model return the correct headers [\#757](https://github.com/lynndylanhurley/devise_token_auth/issues/757) +- ArgumentError in Devise::RegistrationsController\#new [\#750](https://github.com/lynndylanhurley/devise_token_auth/issues/750) +- Rails 5 API deployed as microservices [\#741](https://github.com/lynndylanhurley/devise_token_auth/issues/741) +- Query params left in url after facebook login cause authentication to fail on refresh [\#734](https://github.com/lynndylanhurley/devise_token_auth/issues/734) +- Can't permit parameters in rails engine [\#731](https://github.com/lynndylanhurley/devise_token_auth/issues/731) +- Cannot integrate with omniauth-facebook [\#729](https://github.com/lynndylanhurley/devise_token_auth/issues/729) +- Two models, one not working [\#726](https://github.com/lynndylanhurley/devise_token_auth/issues/726) +- API response bodies are empty when using active\_model\_serializers [\#715](https://github.com/lynndylanhurley/devise_token_auth/issues/715) +- /sign\_out route is returning 404 not found [\#713](https://github.com/lynndylanhurley/devise_token_auth/issues/713) +- Why is `tokens` field a json type and how to create a query based on inside values? [\#707](https://github.com/lynndylanhurley/devise_token_auth/issues/707) +- Deprecation Error Message on 5.0 [\#698](https://github.com/lynndylanhurley/devise_token_auth/issues/698) + + +**Merged pull requests:** + +- Update german translation. 
[\#816](https://github.com/lynndylanhurley/devise_token_auth/pull/816) ([gobijan](https://github.com/gobijan)) +- Add support for italian locale [\#811](https://github.com/lynndylanhurley/devise_token_auth/pull/811) ([Chosko](https://github.com/Chosko)) +- Fix privacy issue with password reset request [\#808](https://github.com/lynndylanhurley/devise_token_auth/pull/808) ([biomancer](https://github.com/biomancer)) +- Add missing parameter :redirect\_url, fixes \#805 [\#806](https://github.com/lynndylanhurley/devise_token_auth/pull/806) ([Rush](https://github.com/Rush)) +- Fix language errors in German locale [\#800](https://github.com/lynndylanhurley/devise_token_auth/pull/800) ([morgler](https://github.com/morgler)) +- Don't send extra data on request password reset [\#798](https://github.com/lynndylanhurley/devise_token_auth/pull/798) ([Mrjaco12](https://github.com/Mrjaco12)) +- Travis: use the code\_climate addon config [\#786](https://github.com/lynndylanhurley/devise_token_auth/pull/786) ([olleolleolle](https://github.com/olleolleolle)) +- Update link [\#782](https://github.com/lynndylanhurley/devise_token_auth/pull/782) ([dijonkitchen](https://github.com/dijonkitchen)) +- Add index for confirmation\_token [\#767](https://github.com/lynndylanhurley/devise_token_auth/pull/767) ([dijonkitchen](https://github.com/dijonkitchen)) +- Fixes constructing redirect\_route [\#765](https://github.com/lynndylanhurley/devise_token_auth/pull/765) ([piotrkaczmarek](https://github.com/piotrkaczmarek)) +- Use standart ActiveRecord error message for email uniqueness validation [\#746](https://github.com/lynndylanhurley/devise_token_auth/pull/746) ([mpugach](https://github.com/mpugach)) +- Add Romanian locale. 
[\#743](https://github.com/lynndylanhurley/devise_token_auth/pull/743) ([razvanmitre](https://github.com/razvanmitre)) +- Update indexes on template [\#724](https://github.com/lynndylanhurley/devise_token_auth/pull/724) ([dijonkitchen](https://github.com/dijonkitchen)) +- Add an extra line to the "contributing" list [\#720](https://github.com/lynndylanhurley/devise_token_auth/pull/720) ([jahammo2](https://github.com/jahammo2)) +- Fix grammar [\#712](https://github.com/lynndylanhurley/devise_token_auth/pull/712) ([dijonkitchen](https://github.com/dijonkitchen)) +- Added reference to Angular2-Token to README [\#710](https://github.com/lynndylanhurley/devise_token_auth/pull/710) ([neroniaky](https://github.com/neroniaky)) +- feat\(whitelist\): add wildcard support for redirect\_whitelist patterns [\#709](https://github.com/lynndylanhurley/devise_token_auth/pull/709) ([booleanbetrayal](https://github.com/booleanbetrayal)) + +# Change Log + ## [v0.1.39](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.39) (2016-08-16) [Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.38...v0.1.39) @@ -815,6 +866,8 @@ +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* + \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index e1ac9ba64..38dc0df8c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.39) + devise_token_auth (0.1.40) devise (> 3.5.2, <= 4.2) rails (< 6) 
@@ -115,7 +115,7 @@ GEM
 colorize (~> 0.7)
 github_api (~> 0.12)
 rake (>= 10.0)
- globalid (0.3.6)
+ globalid (0.3.7)
 activesupport (>= 4.1.0)
 guard (2.14.0)
 formatador (>= 0.2.4)
@@ -227,7 +227,7 @@ GEM
 rb-fsevent (0.9.7)
 rb-inotify (0.9.7)
 ffi (>= 0.5.0)
- responders (2.2.0)
+ responders (2.3.0)
 railties (>= 4.2.0, < 5.1)
 ruby-progressbar (1.8.1)
 ruby_dep (1.3.1)
@@ -238,10 +238,10 @@ GEM
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.0)
 slop (3.6.0)
- sprockets (3.6.3)
+ sprockets (3.7.0)
 concurrent-ruby (~> 1.0)
 rack (> 1, < 3)
- sprockets-rails (3.1.1)
+ sprockets-rails (3.2.0)
 actionpack (>= 4.0)
 activesupport (>= 4.0)
 sprockets (>= 3.0.0)
From d44fd90071be8f0b78658fd090d6635229370341 Mon Sep 17 00:00:00 2001
From: Olle Jonsson
Date: Mon, 12 Sep 2016 17:11:36 +0200
Subject: [PATCH 307/328] Ruby syntax: replace and/not with &&/!
---
 .../devise_token_auth/concerns/set_user_by_token.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
index 17f28c202..c37d510d1 100644
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
+++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
@@ -142,9 +142,9 @@ def resource_class(m=nil)
 def is_batch_request?(user, client_id)
- not params[:unbatch] and
- user.tokens[client_id] and
- user.tokens[client_id]['updated_at'] and
+ !params[:unbatch] &&
+ user.tokens[client_id] &&
+ user.tokens[client_id]['updated_at'] &&
 Time.parse(user.tokens[client_id]['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle
 end
 end
From a24f8c0e444b673a136ec32116b33f7b9b5828a4 Mon Sep 17 00:00:00 2001
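Review bot: The rewritten `is_batch_request?` body still reads `user.tokens[client_id]` three times, once per operand; binding it once is cheaper and easier to read, e.g. `token = user.tokens[client_id]` followed by `!params[:unbatch] && token && token['updated_at'] && Time.parse(token['updated_at']) > @request_started_at - DeviseTokenAuth.batch_request_buffer_throttle`. The `is_` prefix on a predicate is also non-idiomatic Ruby (`batch_request?` would do), though renaming touches callers outside this hunk. The operator swap itself preserves the old evaluation order, since `not`/`and` and `!`/`&&` group the same way in this expression.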
From: Olle Jonsson
Date: Mon, 12 Sep 2016 23:30:51 +0200
Subject: [PATCH 308/328] Ruby syntax: avoid English operators
---
 .../devise_token_auth/concerns/set_user_by_token.rb | 6 +++---
 .../devise_token_auth/confirmations_controller.rb | 2 +-
 .../devise_token_auth/passwords_controller.rb | 4 ++--
 .../devise_token_auth/registrations_controller.rb | 2 +-
 .../devise_token_auth/sessions_controller.rb | 6 +++---
 app/models/devise_token_auth/concerns/user.rb | 12 ++++++------
 .../concerns/user_omniauth_callbacks.rb | 2 +-
 lib/devise_token_auth/rails/routes.rb | 2 +-
 lib/devise_token_auth/url.rb | 2 +-
 9 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
index c37d510d1..3af49e082 100644
--- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
+++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb
@@ -47,7 +47,7 @@ def set_user_by_token(mapping=nil)
 end
 # user has already been found and authenticated
- return @resource if @resource and @resource.class == rc
+ return @resource if @resource && @resource.class == rc
 # ensure we clear the client_id
 if !@token
@@ -78,12 +78,12 @@ def set_user_by_token(mapping=nil)
 def update_auth_header
 # cannot save object if model has invalid params
- return unless @resource and @resource.valid? and @client_id
+ return unless @resource && @resource.valid? && @client_id
 # Generate new client_id with existing authentication
 @client_id = nil unless @used_auth_by_token
- if @used_auth_by_token and not DeviseTokenAuth.change_headers_on_each_request
+ if @used_auth_by_token && !DeviseTokenAuth.change_headers_on_each_request
 # should not append auth header if @resource related token was
 # cleared by sign out in the meantime
 return if @resource.reload.tokens[@client_id].nil?
diff --git a/app/controllers/devise_token_auth/confirmations_controller.rb b/app/controllers/devise_token_auth/confirmations_controller.rb
index becf755f2..16f85ac78 100644
--- a/app/controllers/devise_token_auth/confirmations_controller.rb
+++ b/app/controllers/devise_token_auth/confirmations_controller.rb
@@ -3,7 +3,7 @@ class ConfirmationsController < DeviseTokenAuth::ApplicationController
 def show
 @resource = resource_class.confirm_by_token(params[:confirmation_token])
- if @resource and @resource.id
+ if @resource && @resource.id
 # create client id
 client_id = SecureRandom.urlsafe_base64(nil, false)
 token = SecureRandom.urlsafe_base64(nil, false)
diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
index dbddf75e2..80ab946d4 100644
--- a/app/controllers/devise_token_auth/passwords_controller.rb
+++ b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -76,7 +76,7 @@ def edit
 reset_password_token: resource_params[:reset_password_token] })
- if @resource and @resource.id
+ if @resource && @resource.id
 client_id = SecureRandom.urlsafe_base64(nil, false)
 token = SecureRandom.urlsafe_base64(nil, false)
 token_hash = BCrypt::Password.create(token)
@@ -119,7 +119,7 @@ def update
 end
 # ensure that password params were sent
- unless password_resource_params[:password] and password_resource_params[:password_confirmation]
+ unless password_resource_params[:password] && password_resource_params[:password_confirmation]
 return render_update_error_missing_password
 end
diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb
index 1d1ee0296..79cdd5c9f 100644
--- a/app/controllers/devise_token_auth/registrations_controller.rb
+++ b/app/controllers/devise_token_auth/registrations_controller.rb
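Review bot: The `unless password_resource_params[:password] && password_resource_params[:password_confirmation]` guard in `update` only catches absent keys: an empty string is truthy in Ruby, so `password: ""` passes it and falls through to the update call below the hunk, where it presumably fails as a generic validation error instead of the explicit missing-password response. `.present?` on both operands would make the guard match its comment, e.g. `unless password_resource_params[:password].present? && password_resource_params[:password_confirmation].present?`. The rest of `update` is outside this hunk, so what the downstream validation reports is inferred.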
@@ -186,7 +186,7 @@ def render_destroy_error
 def resource_update_method
 if DeviseTokenAuth.check_current_password_before_update == :attributes
 "update_with_password"
- elsif DeviseTokenAuth.check_current_password_before_update == :password and account_update_params.has_key?(:password)
+ elsif DeviseTokenAuth.check_current_password_before_update == :password && account_update_params.has_key?(:password)
 "update_with_password"
 elsif account_update_params.has_key?(:current_password)
 "update_with_password"
diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb
index 86db56310..f190dca69 100644
--- a/app/controllers/devise_token_auth/sessions_controller.rb
+++ b/app/controllers/devise_token_auth/sessions_controller.rb
@@ -29,7 +29,7 @@ def create
 @resource = resource_class.where(q, q_value).first
 end
- if @resource and valid_params?(field, q_value) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
+ if @resource && valid_params?(field, q_value) && (!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
 valid_password = @resource.valid_password?(resource_params[:password])
 if (@resource.respond_to?(:valid_for_authentication?) && !@resource.valid_for_authentication? { valid_password }) || !valid_password
 render_create_error_bad_credentials
@@ -50,7 +50,7 @@ def create
 yield @resource if block_given?
 render_create_success
- elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
+ elsif @resource && !(!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?)
 render_create_error_not_confirmed
 else
 render_create_error_bad_credentials
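Review bot: The expression `!@resource.respond_to?(:active_for_authentication?) || @resource.active_for_authentication?` is now written twice in `create`, once positively at `@@ -29` and once negated at `@@ -50`, which is exactly the kind of duplication that drifts when one copy is edited. A small private predicate removes it: `def resource_active?(resource)` / `!resource.respond_to?(:active_for_authentication?) || resource.active_for_authentication?` / `end`, after which the two conditions read `@resource && valid_params?(field, q_value) && resource_active?(@resource)` and `@resource && !resource_active?(@resource)`. The two branches already answer differently (not-confirmed vs bad-credentials) for an existing account, so that distinction is deliberate and the helper changes only the spelling.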
@@ -63,7 +63,7 @@ def destroy
 client_id = remove_instance_variable(:@client_id) if @client_id
 remove_instance_variable(:@token) if @token
- if user and client_id and user.tokens[client_id]
+ if user && client_id && user.tokens[client_id]
 user.tokens.delete(client_id)
 user.save!
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index df097b846..9d595a4a0 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
@@ -127,10 +127,10 @@ def token_is_current?(token, client_id)
 return true if (
 # ensure that expiry and token are set
- expiry and token and
+ expiry && token &&
 # ensure that the token has not yet expired
- DateTime.strptime(expiry.to_s, '%s') > Time.now and
+ DateTime.strptime(expiry.to_s, '%s') > Time.now &&
 # ensure that the token is valid
 DeviseTokenAuth::Concerns::User.tokens_match?(token_hash, token)
@@ -147,10 +147,10 @@ def token_can_be_reused?(token, client_id)
 return true if (
 # ensure that the last token and its creation time exist
- updated_at and last_token and
+ updated_at && last_token &&
 # ensure that previous token falls within the batch buffer throttle time of the last request
- Time.parse(updated_at) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle and
+ Time.parse(updated_at) > Time.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 # ensure that the token is valid
 ::BCrypt::Password.new(last_token) == token
@@ -166,7 +166,7 @@ def create_new_auth_token(client_id=nil)
 token_hash = ::BCrypt::Password.create(token)
 expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i
- if self.tokens[client_id] and self.tokens[client_id]['token']
+ if self.tokens[client_id] && self.tokens[client_id]['token']
 last_token = self.tokens[client_id]['token']
 end
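Review bot: `DateTime.strptime(expiry.to_s, '%s') > Time.now` in `token_is_current?` compares a `DateTime` with a `Time`; plain Ruby's `Date#<=>` does not accept a `Time`, so this line works only because ActiveSupport's core extension coerces the right-hand side, which a reader of this concern has no way to see. Since `expiry` is written as an epoch integer (`(Time.now + DeviseTokenAuth.token_lifespan).to_i` at `@@ -166`), `Time.at(expiry.to_i) > Time.now` says the same thing with a single type and no string parsing. The type of the value on read is not visible here, so keep the `to_i` in case string values also occur.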
@@ -189,7 +189,7 @@ def build_auth_header(token, client_id='default')
 expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]
 max_clients = DeviseTokenAuth.max_number_of_devices
- while self.tokens.keys.length > 0 and max_clients < self.tokens.keys.length
+ while self.tokens.keys.length > 0 && max_clients < self.tokens.keys.length
 oldest_token = self.tokens.min_by { |cid, v| v[:expiry] || v["expiry"] }
 self.tokens.delete(oldest_token.first)
 end
diff --git a/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb
index 576639b67..42aa1c849 100644
--- a/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb
+++ b/app/models/devise_token_auth/concerns/user_omniauth_callbacks.rb
@@ -17,7 +17,7 @@ module DeviseTokenAuth::Concerns::UserOmniauthCallbacks
 # only validate unique email among users that registered by email
 def unique_email_user
- if provider == 'email' and self.class.where(provider: 'email', email: email).count > 0
+ if provider == 'email' && self.class.where(provider: 'email', email: email).count > 0
 errors.add(:email, :taken)
 end
 end
diff --git a/lib/devise_token_auth/rails/routes.rb b/lib/devise_token_auth/rails/routes.rb
index af1f5195d..eed9d9e0a 100644
--- a/lib/devise_token_auth/rails/routes.rb
+++ b/lib/devise_token_auth/rails/routes.rb
@@ -57,7 +57,7 @@ def mount_devise_token_auth_for(resource, opts)
 get "#{full_path}/validate_token", controller: "#{token_validations_ctrl}", action: "validate_token"
 # omniauth routes. only define if omniauth is installed and not skipped.
- if defined?(::OmniAuth) and not opts[:skip].include?(:omniauth_callbacks)
+ if defined?(::OmniAuth) && !opts[:skip].include?(:omniauth_callbacks)
 match "#{full_path}/failure", controller: omniauth_ctrl, action: "omniauth_failure", via: [:get]
 match "#{full_path}/:provider/callback", controller: omniauth_ctrl, action: "omniauth_success", via: [:get]
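Review bot: `self.class.where(provider: 'email', email: email).count > 0` in `unique_email_user` runs a `COUNT(*)` only to ask whether any row exists; `self.class.where(provider: 'email', email: email).exists?` issues a cheaper `LIMIT 1` query and reads as the boolean it is. Separately, an application-level uniqueness check like this races between two concurrent sign-ups with the same address, so it is worth confirming that a unique index on `(provider, email)` or on `uid` backs it at the database level; the migration is not on this page. The condition also does not exclude the record itself, so a persisted record being re-saved would count its own row unless the validation only runs on create or a `where.not(id: id)` sits elsewhere — confirm against the model.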
diff --git a/lib/devise_token_auth/url.rb b/lib/devise_token_auth/url.rb
index b705837b8..ad4699e3c 100644
--- a/lib/devise_token_auth/url.rb
+++ b/lib/devise_token_auth/url.rb
@@ -4,7 +4,7 @@ def self.generate(url, params = {})
 uri = URI(url)
 res = "#{uri.scheme}://#{uri.host}"
- res += ":#{uri.port}" if (uri.port and uri.port != 80 and uri.port != 443)
+ res += ":#{uri.port}" if (uri.port && uri.port != 80 && uri.port != 443)
 res += "#{uri.path}" if uri.path
 query = [uri.query, params.to_query].reject(&:blank?).join('&')
 res += "?#{query}"
From 6d764da48dccec44f707d62dcc6aa4fbd2562c02 Mon Sep 17 00:00:00 2001
From: Christophe Bliard
Date: Thu, 19 Jan 2017 10:53:59 +0100
Subject: [PATCH 309/328] Prevent getting table info if not connected to db Fixes #327 When precompiling assets while building a docker image, the database is not available and the DeviseTokenAuth::Concerns::User concern tries to load user table information from database and fails. It now checks if the database connection is available before gathering information about user table.
---
 app/models/devise_token_auth/concerns/user.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index df097b846..3c0097477 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
@@ -95,7 +95,15 @@ module ClassMethods
 def tokens_has_json_column_type?
- table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb])
+ database_exists? && table_exists? && self.columns_hash['tokens'] && self.columns_hash['tokens'].type.in?([:json, :jsonb])
+ end
+
+ def database_exists?
+ ActiveRecord::Base.connection
+ rescue ActiveRecord::NoDatabaseError
+ false
+ else
+ true
 end
 end
From 87a12a9fc2665e143144d411830ee07e8b852f94 Mon Sep 17 00:00:00 2001
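Review bot: `if (uri.port && uri.port != 80 && uri.port != 443)` in `generate` decides whether to keep the port by number alone, so `http://host:443` and `https://host:80` both lose their explicit port and the rebuilt URL points at a different endpoint than the one given. `URI` already knows each scheme's default, so `res += ":#{uri.port}" if uri.port && uri.port != uri.default_port` keeps the port exactly when the input had a non-default one; the parentheses around a modifier-`if` condition are also unnecessary. On the next line `uri.path` is a String (possibly empty) and therefore always truthy, so `if uri.path` never skips. Both are pre-existing edge cases that the operator swap preserves rather than introduces.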
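Review bot: `database_exists?` rescues only `ActiveRecord::NoDatabaseError`, which adapters raise when the server is reachable but the named database is absent; the build-time case in the commit message (no database server at all during asset precompilation) typically surfaces as `ActiveRecord::ConnectionNotEstablished` or an adapter-specific connection error instead, which this method would let propagate. Widening the rescue to `rescue ActiveRecord::NoDatabaseError, ActiveRecord::ConnectionNotEstablished` covers the documented scenario; which exact class each adapter raises is not visible here, so verify against the adapters the gem supports. The method also probes `ActiveRecord::Base.connection` rather than the including model's `connection`, which only matters for models on a separate connection pool.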
From: Fatos Morina Date: Wed, 1 Mar 2017 10:52:22 +0100 Subject: [PATCH 310/328] Add Albanian locale --- config/locales/sq.yml | 46 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 config/locales/sq.yml diff --git a/config/locales/sq.yml b/config/locales/sq.yml new file mode 100644 index 000000000..313f46347 --- /dev/null +++ b/config/locales/sq.yml 
@@ -0,0 +1,46 @@ +en: + devise_token_auth: + sessions: + not_confirmed: "Një email konfirmues është dërguar tek llogaria juaj '%{email}'. Ju duhet të ndiqni udhëzimet në email përpara se të bëhet aktivizimi i llogarisë tuaj." + bad_credentials: "Kredencialet e qasjes nuk janë në rregull. Ju lutemi, provoni përsëri." + not_supported: "Përdorni POST/sign_in për t'u kyçur. GET nuk lejohet në këtë rast." + user_not_found: "Përdoruesi nuk u gjet ose nuk është i kyçur." + token_validations: + invalid: "Kredencialet për kyçje nuk janë në rregull." + registrations: + missing_confirm_success_url: "Mungon parametri 'confirm_success_url'." + redirect_url_not_allowed: "Nuk lejohet shkuarja tek adresa '%{redirect_url}'." + email_already_exists: "Një llogari është regjistruar më parë me adresën '%{email}'" + account_with_uid_destroyed: "Llogaria me UID-në '%{uid}' është fshirë." + account_to_destroy_not_found: "Nuk u gjet llogaria për fshirje." + user_not_found: "Përdoruesi nuk u gjet." + passwords: + missing_email: "Ju duhet të jepni një email adresë." + missing_redirect_url: "Mungon URL-ja për ridërgim." + not_allowed_redirect_url: "Nuk lejohet shkuarja tek URL-ja '%{redirect_url}'." + sended: "Një email është dërguar tek email adresa '%{email}' që përmban udhëzime për rikthim të fjalëkalimit tuaj." + user_not_found: "Nuk u gjet përdoruesi me email adresën '%{email}'." + password_not_required: "Kjo llogari nuk kërkon fjalëkalim. Në vend të fjalëkalimit, përdorni llogarinë '%{provider}'." + missing_passwords: "Ju duhet t'i mbushni fushat e etiketuara si 'Fjalëkalimi' dhe 'Konfirmo fjalëkalimin'." + successfully_updated: "Fjalëkalimi juaj është ndryshuar me sukses." + errors: + messages: + validate_sign_up_params: "Ju lutemi, dërgoni të dhëna të duhura në trupin e kërkesës." + validate_account_update_params: "Ju lutemi, dërgoni të dhëna të duhura për ndryshim në trupin e kërkesës." 
+ not_email: "nuk është email" + devise: + mailer: + confirmation_instructions: + confirm_link_msg: "Ju mund ta konfirmoni email adresën e llogarisë tuaj përmes lidhjes më poshtë:" + confirm_account_link: "Konfirmo llogarinë time" + reset_password_instructions: + request_reset_link_msg: "Dikush ka kërkuar një lidhje për të ndryshuar fjalëkalimin tuaj. Ju mund ta bëni këtë përmes lidhjes më poshtë." + password_change_link: "Ndrysho fjalëkalimin tim" + ignore_mail_msg: "Nëse nuk e keni kërkuar këtë, ju lutemi injorojeni këtë email." + no_changes_msg: "Fjalëkalimi juaj nuk do të ndryshohet derisa t'i qaseni lidhjes më sipër dhe ta krijoni një fjalëkalim të ri." + unlock_instructions: + account_lock_msg: "Llogaria juaj është bllokuar për shkak të numrit të tepërt të përpjekjeve të pa suksesshme për t'u kyçur." + unlock_link_msg: "Klikoni lidhjen më poshtë për të zhbllokuar llogarinë tuaj:" + unlock_link: "Zhblloko llogarinë time" + hello: "tungjatjeta" + welcome: "mirësevini" From 93f9c94814a195c74325b6283390b37665dff2cf Mon Sep 17 00:00:00 2001 From: Fatos Morina Date: Wed, 1 Mar 2017 11:03:17 +0100 Subject: [PATCH 311/328] Replace en with sq --- config/locales/sq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/locales/sq.yml b/config/locales/sq.yml index 313f46347..cf1f0b278 100644 --- a/config/locales/sq.yml +++ b/config/locales/sq.yml @@ -1,4 +1,4 @@ -en: +sq: devise_token_auth: sessions: not_confirmed: "Një email konfirmues është dërguar tek llogaria juaj '%{email}'. Ju duhet të ndiqni udhëzimet në email përpara se të bëhet aktivizimi i llogarisë tuaj." From 31a8ffcd66e6b399b1a3aaec9003a196092314a2 Mon Sep 17 00:00:00 2001 From: Dicky Ho Date: Mon, 20 Mar 2017 23:31:05 +0800 Subject: [PATCH 312/328] Support for Devise 4.2.1 --- devise_token_auth.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index a77c00c76..387b64f25 100644 --- a/devise_token_auth.gemspec 
+++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "> 3.5.2", "<= 4.2" + s.add_dependency "devise", "> 3.5.2", "<= 4.2.1" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From 2656f54e302670b6483ead62a1eab519a32e44ef Mon Sep 17 00:00:00 2001 From: Dicky Ho Date: Mon, 20 Mar 2017 23:40:15 +0800 Subject: [PATCH 313/328] Update Gemfile.lock --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 38dc0df8c..3cd5d67e7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ PATH remote: . specs: devise_token_auth (0.1.40) - devise (> 3.5.2, <= 4.2) + devise (> 3.5.2, <= 4.2.1) rails (< 6) GEM From 76378828d40e07404d2adccf574674cdccd44695 Mon Sep 17 00:00:00 2001 From: alex-lairan Date: Mon, 3 Apr 2017 17:47:51 +0200 Subject: [PATCH 314/328] Rename find_by methods --- app/controllers/devise_token_auth/concerns/set_user_by_token.rb | 2 +- test/dummy/app/controllers/overrides/sessions_controller.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb index 3af49e082..cf13eefdf 100644 --- a/app/controllers/devise_token_auth/concerns/set_user_by_token.rb +++ b/app/controllers/devise_token_auth/concerns/set_user_by_token.rb @@ -58,7 +58,7 @@ def set_user_by_token(mapping=nil) return false unless @token # mitigate timing attacks by finding by uid instead of auth token - user = uid && rc.find_by_uid(uid) + user = uid && rc.find_by(uid: uid) if user && user.valid_token?(@token, @client_id) # sign_in with bypass: true will be deprecated in the next version of Devise 
diff --git a/test/dummy/app/controllers/overrides/sessions_controller.rb b/test/dummy/app/controllers/overrides/sessions_controller.rb index 3be969c34..4526dfd5c 100644 --- a/test/dummy/app/controllers/overrides/sessions_controller.rb +++ b/test/dummy/app/controllers/overrides/sessions_controller.rb @@ -3,7 +3,7 @@ class SessionsController < DeviseTokenAuth::SessionsController OVERRIDE_PROOF = "(^^,)" def create - @resource = resource_class.find_by_email(resource_params[:email]) + @resource = resource_class.find_by(email: resource_params[:email]) if @resource and valid_params?(:email, resource_params[:email]) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed? # create client id From 5300ea7cc9e06346e42f31864f85f776c2379e4d Mon Sep 17 00:00:00 2001 From: Carlos Correa Date: Sat, 8 Apr 2017 12:38:46 -0700 Subject: [PATCH 315/328] use URI::HTTPS to generate HTTPS redirects --- .../devise_token_auth/omniauth_callbacks_controller.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb index 0e1c16d25..ea06b59dc 100644 --- a/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb +++ b/app/controllers/devise_token_auth/omniauth_callbacks_controller.rb 
@@ -14,7 +14,8 @@ def redirect_callbacks devise_mapping = [request.env['omniauth.params']['namespace_name'], request.env['omniauth.params']['resource_class'].underscore.gsub('/', '_')].compact.join('_') path = "#{Devise.mappings[devise_mapping.to_sym].fullpath}/#{params[:provider]}/callback" - redirect_route = URI::HTTP.build(scheme: request.scheme, host: request.host, port: request.port, path: path).to_s + klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP + redirect_route = klass.build(host: request.host, port: request.port, path: path).to_s # preserve omniauth info for success route. ignore 'extra' in twitter # auth response to avoid CookieOverflow. From 873136a4e5df57c60deada631674dd2727d75b6e Mon Sep 17 00:00:00 2001 From: guins_j Date: Sat, 15 Apr 2017 14:08:12 +0900 Subject: [PATCH 316/328] Updated generator test code to work with rails 5 --- test/dummy/config/application.rb | 2 -- test/dummy/config/environments/test.rb | 9 ++++-- .../install_generator_test.rb | 31 ++++++++++--------- test/test_helper.rb | 6 ++-- 4 files changed, 26 insertions(+), 22 deletions(-) diff --git a/test/dummy/config/application.rb b/test/dummy/config/application.rb index f265029f6..ff7cd58d8 100644 --- a/test/dummy/config/application.rb +++ b/test/dummy/config/application.rb @@ -20,7 +20,5 @@ class Application < Rails::Application # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s] # config.i18n.default_locale = :de config.autoload_paths << Rails.root.join('lib') - - config.active_record.raise_in_transactional_callbacks = true end end diff --git a/test/dummy/config/environments/test.rb b/test/dummy/config/environments/test.rb index e8df48bd3..4fd5b040b 100644 --- a/test/dummy/config/environments/test.rb +++ b/test/dummy/config/environments/test.rb 
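Review bot: The new `klass = request.scheme == 'https' ? URI::HTTPS : URI::HTTP` line re-implements `request.ssl?`, which Rack derives from the same scheme (including forwarded-proto handling); `klass = request.ssl? ? URI::HTTPS : URI::HTTP` states the intent directly. Passing `port: request.port` to `build` is fine because `URI#to_s` omits a port equal to the class default, so `https://host:443` will not appear in the redirect. The rebuilt route still takes its host from `request.host`, i.e. the inbound Host header, so deployments should keep pinning the canonical host at the proxy or app level; that behaviour is carried over from the removed line rather than introduced here. `redirect_callbacks` continues outside the hunk.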
@@ -13,8 +13,13 @@ config.eager_load = false # Configure static asset server for tests with Cache-Control for performance. - config.serve_static_files = true - config.static_cache_control = 'public, max-age=3600' + Rails::VERSION::MAJOR == 5 ? + (config.public_file_server.enabled = true) : + (config.serve_static_files = true) + + Rails::VERSION::MAJOR == 5 ? + (config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }) : + (config.static_cache_control = 'public, max-age=3600') # Show full error reports and disable caching. config.consider_all_requests_local = true diff --git a/test/lib/generators/devise_token_auth/install_generator_test.rb b/test/lib/generators/devise_token_auth/install_generator_test.rb index 67e3193d1..06059b4de 100644 --- a/test/lib/generators/devise_token_auth/install_generator_test.rb +++ b/test/lib/generators/devise_token_auth/install_generator_test.rb @@ -29,7 +29,7 @@ class InstallGeneratorTest < Rails::Generators::TestCase end test 'migration file contains rails version' do - assert_migration 'db/migrate/devise_token_auth_create_users.rb', /4.2/ + assert_migration 'db/migrate/devise_token_auth_create_users.rb', /#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}/ end test 'subsequent runs raise no errors' do @@ -48,14 +48,17 @@ class InstallGeneratorTest < Rails::Generators::TestCase # make dir if not exists FileUtils.mkdir_p(@dir) + # account for rails version 5 + active_record_needle = (Rails::VERSION::MAJOR == 5) ? 'ApplicationRecord' : 'ActiveRecord::Base' + @f = File.open(@fname, 'w') {|f| f.write <<-RUBY -class User < ActiveRecord::Base + class User < #{active_record_needle} - def whatever - puts 'whatever' - end -end + def whatever + puts 'whatever' + end + end RUBY } @@ -91,9 +94,9 @@ def whatever @f = File.open(@fname, 'w') {|f| f.write <<-RUBY -Rails.application.routes.draw do - patch '/chong', to: 'bong#index' -end + Rails.application.routes.draw do + patch '/chong', to: 'bong#index' + end RUBY } 
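Review bot: The two `Rails::VERSION::MAJOR == 5 ? (...) : (...)` statements in the `@@ -13,8 +13,13 @@` hunk use the ternary operator purely for side effects, which is hard to read and repeats the version test; an `if`/`else` keeps each branch's two settings together. The test should also be `>= 5`, since `serve_static_files` and `static_cache_control` are the pre-5 names and a later major would otherwise fall back to setters that no longer exist (the gemspec caps Rails below 6 today, so this is defensive). The same `== 5` test appears on the `active_record_needle` line of the `@@ -48,14 +48,17 @@` hunk in install_generator_test.rb and deserves the same treatment. The enclosing `configure` block starts and ends outside the hunk.
```ruby
# Configure static asset server for tests with Cache-Control for performance.
if Rails::VERSION::MAJOR >= 5
  config.public_file_server.enabled = true
  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
else
  config.serve_static_files = true
  config.static_cache_control = 'public, max-age=3600'
end
# … unchanged: consider_all_requests_local and the rest of the file …
```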
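Review bot: The new regex in the `@@ -29,7 +29,7 @@` hunk of install_generator_test.rb, `/#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}/`, leaves the dot unescaped, so it matches any character between the two numbers (e.g. `50` as well as `5.0`) and the assertion is weaker than the removed `/4.2/` intended. Escape it: `assert_migration 'db/migrate/devise_token_auth_create_users.rb', /#{Rails::VERSION::MAJOR}\.#{Rails::VERSION::MINOR}/`.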
@@ -151,11 +154,11 @@ def whatever @f = File.open(@fname, 'w') {|f| f.write <<-RUBY -class ApplicationController < ActionController::Base - def whatever - 'whatever' - end -end + class ApplicationController < ActionController::Base + def whatever + 'whatever' + end + end RUBY } diff --git a/test/test_helper.rb b/test/test_helper.rb index a37e30d30..48e1b1435 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb @@ -1,13 +1,11 @@ -require "codeclimate-test-reporter" -#require 'simplecov' +require 'simplecov' #SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[ #SimpleCov::Formatter::HTMLFormatter, #CodeClimate::TestReporter::Formatter #] -#SimpleCov.start 'rails' -CodeClimate::TestReporter.start +SimpleCov.start 'rails' ENV["RAILS_ENV"] = "test" From 9d179418226bc355183258bd20098fc26d672905 Mon Sep 17 00:00:00 2001 From: Vincenzo Farruggia Date: Fri, 5 May 2017 12:44:23 +0200 Subject: [PATCH 317/328] Translate message: Authorized users only through devise --- lib/devise_token_auth/controllers/helpers.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/devise_token_auth/controllers/helpers.rb b/lib/devise_token_auth/controllers/helpers.rb index c10332e91..368b78aa8 100644 --- a/lib/devise_token_auth/controllers/helpers.rb +++ b/lib/devise_token_auth/controllers/helpers.rb @@ -39,7 +39,7 @@ def authenticate_#{group_name}!(favourite=nil, opts={}) unless current_#{group_name} return render json: { - errors: ["Authorized users only."] + errors: [I18n.t('devise.failure.unauthenticated')] }, status: 401 end end @@ -110,7 +110,7 @@ def self.define_helpers(mapping) #:nodoc: def authenticate_#{mapping}! unless current_#{mapping} return render json: { - errors: ["Authorized users only."] + errors: [I18n.t('devise.failure.unauthenticated')] }, status: 401 end end From 391dec24f75622a4c4303cb1639767bf9204dbd6 Mon Sep 17 00:00:00 2001 
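Review bot: The test_helper.rb hunk drops `require "codeclimate-test-reporter"` and `CodeClimate::TestReporter.start`, but the commented-out `SimpleCov.formatter` block it keeps still lists `CodeClimate::TestReporter::Formatter`, so anyone uncommenting it will hit a NameError. Either remove that block or reduce it to the HTML formatter line, e.g. `#SimpleCov.formatter = SimpleCov::Formatter::HTMLFormatter`. Placing `SimpleCov.start 'rails'` before `ENV["RAILS_ENV"]` and the application load is correct, since coverage must start before the tracked files are required.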
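Review bot: The `errors: [I18n.t('devise.failure.unauthenticated')]` line is introduced identically in the `@@ -39,7 +39,7 @@` and `@@ -110,7 +110,7 @@` hunks of helpers.rb; both sit inside interpolated templates (the `#{group_name}` and `#{mapping}` placeholders), so a single plain helper such as `render_authenticate_error` that renders `{ errors: [I18n.t('devise.failure.unauthenticated')] }` with status 401 and is called from both generated methods would remove the duplication. Reusing Devise's `devise.failure.unauthenticated` key is a reasonable default, though a key under the `devise_token_auth` namespace used by the locale files on this page would let applications override the API message independently of Devise's own failure text. PATCH 318 below carries the same subject and the identical `index c10332e91..368b78aa8` lines, so it appears to be a duplicate of this commit rather than a follow-up and will not apply cleanly after it. Both generated methods begin and end outside their hunks.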
From: Vincenzo Farruggia Date: Fri, 5 May 2017 12:44:23 +0200 Subject: [PATCH 318/328] Translate message: Authorized users only through devise --- lib/devise_token_auth/controllers/helpers.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/devise_token_auth/controllers/helpers.rb b/lib/devise_token_auth/controllers/helpers.rb index c10332e91..368b78aa8 100644 --- a/lib/devise_token_auth/controllers/helpers.rb +++ b/lib/devise_token_auth/controllers/helpers.rb @@ -39,7 +39,7 @@ def authenticate_#{group_name}!(favourite=nil, opts={}) unless current_#{group_name} return render json: { - errors: ["Authorized users only."] + errors: [I18n.t('devise.failure.unauthenticated')] }, status: 401 end end @@ -110,7 +110,7 @@ def self.define_helpers(mapping) #:nodoc: def authenticate_#{mapping}! unless current_#{mapping} return render json: { - errors: ["Authorized users only."] + errors: [I18n.t('devise.failure.unauthenticated')] }, status: 401 end end From e21cb89f78036b65464137634f494c8628988f43 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Fri, 12 May 2017 10:02:35 -0600 Subject: [PATCH 319/328] v0.1.41 --- .github_changelog_generator | 2 +- CHANGELOG.md | 486 +++++++++++++++++++++++++++++++ Gemfile.lock | 4 +- lib/devise_token_auth/version.rb | 2 +- 4 files changed, 490 insertions(+), 4 deletions(-) diff --git a/.github_changelog_generator b/.github_changelog_generator index 4b970df16..388e44f05 100644 --- a/.github_changelog_generator +++ b/.github_changelog_generator @@ -1,5 +1,5 @@ bug-labels=bug,Bug,fix,Fix enhancement-labels=enhancement,Enhancement,feat,Feat -between-tags=v0.1.38,v0.1.40 +somce=tag=v0.1.40 unreleased-label=v0.1.41 base=CHANGELOG.md \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 06cd01315..bbb98dc72 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
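Review bot: The replacement line `somce=tag=v0.1.40` in the .github_changelog_generator hunk looks like a typo for the generator's `since-tag` option; as written the key is `somce` with the value `tag=v0.1.40`, which the tool will ignore, so the generated section will not be scoped from v0.1.40 as the removed `between-tags` line was. It should read `since-tag=v0.1.40`. The `\ No newline at end of file` marker is pre-existing and unrelated.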
@@ -1,5 +1,489 @@ # Change Log +## [v0.1.41](https://github.com/lynndylanhurley/devise_token_auth/tree/HEAD) + +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.40...HEAD) + +**Implemented enhancements:** + +- Rails generator to update views [\#33](https://github.com/lynndylanhurley/devise_token_auth/issues/33) +- Extract Omniauth attributes assignation into a method [\#31](https://github.com/lynndylanhurley/devise_token_auth/issues/31) + +**Fixed bugs:** + +- Generator doesn't work correctly with mongoid and/or rails-api [\#14](https://github.com/lynndylanhurley/devise_token_auth/issues/14) +- Generator issues [\#13](https://github.com/lynndylanhurley/devise_token_auth/issues/13) + +**Closed issues:** + +- Can´t retrieve access token in login response headers [\#877](https://github.com/lynndylanhurley/devise_token_auth/issues/877) +- how do I login a user after account signup? [\#866](https://github.com/lynndylanhurley/devise_token_auth/issues/866) +- Can only register one account. [\#858](https://github.com/lynndylanhurley/devise_token_auth/issues/858) +- No access-token in the header [\#855](https://github.com/lynndylanhurley/devise_token_auth/issues/855) +- Headers not present in all requests [\#851](https://github.com/lynndylanhurley/devise_token_auth/issues/851) +- uninitialized constant SECRET\_KEY\_BASE [\#845](https://github.com/lynndylanhurley/devise_token_auth/issues/845) +- devise\_token\_auth: can't work with Rails subdomain. 
[\#831](https://github.com/lynndylanhurley/devise_token_auth/issues/831) +- Question: email confirmation token URI with Rails API [\#824](https://github.com/lynndylanhurley/devise_token_auth/issues/824) +- readme code for controller override needs a slight change [\#819](https://github.com/lynndylanhurley/devise_token_auth/issues/819) +- Support for multiple providers during same session [\#815](https://github.com/lynndylanhurley/devise_token_auth/issues/815) +- not supporting for angular1.6 [\#810](https://github.com/lynndylanhurley/devise_token_auth/issues/810) +- Add has one/belongs to assotiation [\#807](https://github.com/lynndylanhurley/devise_token_auth/issues/807) +- redirect\_url required but not permitted in strong parameters [\#805](https://github.com/lynndylanhurley/devise_token_auth/issues/805) +- Data leak on create password reset [\#797](https://github.com/lynndylanhurley/devise_token_auth/issues/797) +- Rails 5 API Mode Not Authorizing [\#796](https://github.com/lynndylanhurley/devise_token_auth/issues/796) +- wrong constant name user [\#784](https://github.com/lynndylanhurley/devise_token_auth/issues/784) +- current\_user returns nill [\#779](https://github.com/lynndylanhurley/devise_token_auth/issues/779) +- ActionController::RoutingError - undefined method `helper\_method' [\#776](https://github.com/lynndylanhurley/devise_token_auth/issues/776) +- Minimum Limits on a token? 
[\#764](https://github.com/lynndylanhurley/devise_token_auth/issues/764) +- Octopus throwing error when deleting expired tokens [\#761](https://github.com/lynndylanhurley/devise_token_auth/issues/761) +- Only one User model return the correct headers [\#757](https://github.com/lynndylanhurley/devise_token_auth/issues/757) +- ArgumentError in Devise::RegistrationsController\#new [\#750](https://github.com/lynndylanhurley/devise_token_auth/issues/750) +- OAuth \(GitHub\) redirects to callback url twice [\#749](https://github.com/lynndylanhurley/devise_token_auth/issues/749) +- Rails 5 API deployed as microservices [\#741](https://github.com/lynndylanhurley/devise_token_auth/issues/741) +- Query params left in url after facebook login cause authentication to fail on refresh [\#734](https://github.com/lynndylanhurley/devise_token_auth/issues/734) +- Can't permit parameters in rails engine [\#731](https://github.com/lynndylanhurley/devise_token_auth/issues/731) +- Cannot integrate with omniauth-facebook [\#729](https://github.com/lynndylanhurley/devise_token_auth/issues/729) +- Two models, one not working [\#726](https://github.com/lynndylanhurley/devise_token_auth/issues/726) +- API response bodies are empty when using active\_model\_serializers [\#715](https://github.com/lynndylanhurley/devise_token_auth/issues/715) +- /sign\_out route is returning 404 not found [\#713](https://github.com/lynndylanhurley/devise_token_auth/issues/713) +- Why is `tokens` field a json type and how to create a query based on inside values? 
[\#707](https://github.com/lynndylanhurley/devise_token_auth/issues/707) +- Deprecation Error Message on 5.0 [\#698](https://github.com/lynndylanhurley/devise_token_auth/issues/698) +- "Covert Redirect" Vulnerability [\#696](https://github.com/lynndylanhurley/devise_token_auth/issues/696) +- No route matches \[POST\] "/api/v1/auth" [\#694](https://github.com/lynndylanhurley/devise_token_auth/issues/694) +- Got this error with ActiveAdmin "wrong number of arguments \(1 for 0\)" [\#692](https://github.com/lynndylanhurley/devise_token_auth/issues/692) +- using devise\_token\_auth for API alongside standard devise gem for HTML view [\#689](https://github.com/lynndylanhurley/devise_token_auth/issues/689) +- No Headers after sign\_in for new Users created by Admin [\#685](https://github.com/lynndylanhurley/devise_token_auth/issues/685) +- NoMethodError \(undefined method `headers\_names' for DeviseTokenAuth:Module\) [\#684](https://github.com/lynndylanhurley/devise_token_auth/issues/684) +- Fast page refresh problem [\#683](https://github.com/lynndylanhurley/devise_token_auth/issues/683) +- IndexError: string not matched on User sign\_in [\#681](https://github.com/lynndylanhurley/devise_token_auth/issues/681) +- skip\_confirmation\_notification! 
not working [\#679](https://github.com/lynndylanhurley/devise_token_auth/issues/679) +- rails g devise\_token\_auth:install User auth hangs and does nothing [\#671](https://github.com/lynndylanhurley/devise_token_auth/issues/671) +- Bump version to support devise 4.1.1 [\#659](https://github.com/lynndylanhurley/devise_token_auth/issues/659) +- callback :set\_user\_by\_token has not been defined [\#649](https://github.com/lynndylanhurley/devise_token_auth/issues/649) +- Issues with active\_model\_serializers [\#644](https://github.com/lynndylanhurley/devise_token_auth/issues/644) +- Error with devise [\#643](https://github.com/lynndylanhurley/devise_token_auth/issues/643) +- undefined method `token\_validation\_response' [\#635](https://github.com/lynndylanhurley/devise_token_auth/issues/635) +- when password is reset from UI, all tokens must be removed if remove\_tokens\_after\_password\_reset is true [\#634](https://github.com/lynndylanhurley/devise_token_auth/issues/634) +- Relax devise dependency to allow 4.1 [\#631](https://github.com/lynndylanhurley/devise_token_auth/issues/631) +- Rails 5 generator doesn't insert concern [\#627](https://github.com/lynndylanhurley/devise_token_auth/issues/627) +- NoMethodError \(undefined method `find\_by\_uid'\) in production. [\#625](https://github.com/lynndylanhurley/devise_token_auth/issues/625) +- Why is password confirmation required ? [\#624](https://github.com/lynndylanhurley/devise_token_auth/issues/624) +- Curl not working for sign\_in but works on ng-token-angular [\#620](https://github.com/lynndylanhurley/devise_token_auth/issues/620) +- After Sign-in success, The following requests on Angular side are unauthorized. [\#619](https://github.com/lynndylanhurley/devise_token_auth/issues/619) +- Omniauth - Facebook app doesn't run callback url after successful Facebook authentication [\#615](https://github.com/lynndylanhurley/devise_token_auth/issues/615) +- :authenticate\_user! 
wired behaviour [\#614](https://github.com/lynndylanhurley/devise_token_auth/issues/614) +- current\_user is nil, request headers are all upcased and prefixed with HTML\_ [\#611](https://github.com/lynndylanhurley/devise_token_auth/issues/611) +- Problem in generated routes [\#607](https://github.com/lynndylanhurley/devise_token_auth/issues/607) +- Rails 5 API Mode - no headers in response [\#606](https://github.com/lynndylanhurley/devise_token_auth/issues/606) +- Filter chain halted as :authenticate\_user! rendered or redirected [\#603](https://github.com/lynndylanhurley/devise_token_auth/issues/603) +- 422 Unprocessable Entity when using local IP address [\#601](https://github.com/lynndylanhurley/devise_token_auth/issues/601) +- not working with latest version of active\_model\_serializers [\#600](https://github.com/lynndylanhurley/devise_token_auth/issues/600) +- overriding rendering methods in devise\_token\_auth [\#597](https://github.com/lynndylanhurley/devise_token_auth/issues/597) +- redirect\_url is missing in email instructions sent to the user for password reset [\#588](https://github.com/lynndylanhurley/devise_token_auth/issues/588) +- Unpermitted parameter: {"email":"mail@gmail.com","password":"abcdefgh","password\_confirmation":"abcdefgh"} [\#587](https://github.com/lynndylanhurley/devise_token_auth/issues/587) +- can't authenticate user when opening a new download tab [\#582](https://github.com/lynndylanhurley/devise_token_auth/issues/582) +- Mails are not being sent [\#581](https://github.com/lynndylanhurley/devise_token_auth/issues/581) +- current\_user seems to be nil after doing requests from different tabs [\#579](https://github.com/lynndylanhurley/devise_token_auth/issues/579) +- Do we have any rspec helpers to sign\_in an user? [\#577](https://github.com/lynndylanhurley/devise_token_auth/issues/577) +- Cannot override json response of authenticate\_user! 
[\#575](https://github.com/lynndylanhurley/devise_token_auth/issues/575) +- return custom json data after sign\_in [\#567](https://github.com/lynndylanhurley/devise_token_auth/issues/567) +- /auth/validate\_token works but getting 401 unauthorized when sending request with auth headers [\#550](https://github.com/lynndylanhurley/devise_token_auth/issues/550) +- Where is the access key of omniauth provider? [\#549](https://github.com/lynndylanhurley/devise_token_auth/issues/549) +- How this gem is different from a JWT system? [\#543](https://github.com/lynndylanhurley/devise_token_auth/issues/543) +- Improper formatting for JSON API error/success responses [\#536](https://github.com/lynndylanhurley/devise_token_auth/issues/536) +- Is it a hybrid authentication system? [\#527](https://github.com/lynndylanhurley/devise_token_auth/issues/527) +- check\_current\_password\_before\_update still requires password when resetting password [\#526](https://github.com/lynndylanhurley/devise_token_auth/issues/526) +- Manually authenticate for testing [\#521](https://github.com/lynndylanhurley/devise_token_auth/issues/521) +- Support for STI [\#517](https://github.com/lynndylanhurley/devise_token_auth/issues/517) +- DEPRECATION WARNING: alias\_method\_chain is deprecated [\#514](https://github.com/lynndylanhurley/devise_token_auth/issues/514) +- JSON responses don't fit JSON\_API requirements [\#512](https://github.com/lynndylanhurley/devise_token_auth/issues/512) +- Not working with rails 5 and devise master [\#504](https://github.com/lynndylanhurley/devise_token_auth/issues/504) +- Unpermitted parameters: confirm\_success\_url, config\_name, registration [\#501](https://github.com/lynndylanhurley/devise_token_auth/issues/501) +- set\_user\_by\_token not defined in production for rails 5 [\#500](https://github.com/lynndylanhurley/devise_token_auth/issues/500) +- Master branch no longer working with devise master branch \(version error\) 
[\#498](https://github.com/lynndylanhurley/devise_token_auth/issues/498) +- uid is not getting set in git revision 996b9cf23a18 [\#497](https://github.com/lynndylanhurley/devise_token_auth/issues/497) +- ve\_model\_serializer namespace [\#492](https://github.com/lynndylanhurley/devise_token_auth/issues/492) +- User remains logged in when using devise and devise\_token\_auth in the same app [\#486](https://github.com/lynndylanhurley/devise_token_auth/issues/486) +- DEPRECATION WARNING: alias\_method\_chain is deprecated. Rails 5 [\#482](https://github.com/lynndylanhurley/devise_token_auth/issues/482) +- validate\_token - resource\_name - undefined method `name' for nil:NilClass [\#480](https://github.com/lynndylanhurley/devise_token_auth/issues/480) +- Helpers being loaded for Rails API's [\#468](https://github.com/lynndylanhurley/devise_token_auth/issues/468) +- Unable to call `rails g devise\_token\_auth:install` within rails engine [\#465](https://github.com/lynndylanhurley/devise_token_auth/issues/465) +- locales `errors.messages.already\_in\_use` seems broken [\#463](https://github.com/lynndylanhurley/devise_token_auth/issues/463) +- It shows "An error occurred" after omniauth callback [\#445](https://github.com/lynndylanhurley/devise_token_auth/issues/445) +- - [\#444](https://github.com/lynndylanhurley/devise_token_auth/issues/444) +- Put Access Token in body [\#442](https://github.com/lynndylanhurley/devise_token_auth/issues/442) +- Unable to add a new param for sign up [\#440](https://github.com/lynndylanhurley/devise_token_auth/issues/440) +- Undefined method provider from devise\_toke\_auth concerns/user.rb [\#438](https://github.com/lynndylanhurley/devise_token_auth/issues/438) +- Scoped DeviseToken but it still affects the original Omniauth redirects. 
[\#429](https://github.com/lynndylanhurley/devise_token_auth/issues/429) +- Can't create user via api [\#422](https://github.com/lynndylanhurley/devise_token_auth/issues/422) +- Password Reset question, do I need my own form? [\#418](https://github.com/lynndylanhurley/devise_token_auth/issues/418) +- Large Size on Disk [\#415](https://github.com/lynndylanhurley/devise_token_auth/issues/415) +- The validate\_token function in the readme is missing a parameter [\#413](https://github.com/lynndylanhurley/devise_token_auth/issues/413) +- Cannot migrate database: NoMethodError: undefined method `new' for DeviseTokenAuth:Module [\#406](https://github.com/lynndylanhurley/devise_token_auth/issues/406) +- change\_headers\_on\_each\_request and batch requests [\#403](https://github.com/lynndylanhurley/devise_token_auth/issues/403) +- Multiple users, returning\(and creating\) wrong model's auth token [\#399](https://github.com/lynndylanhurley/devise_token_auth/issues/399) +- Can't verify CSRF token authenticity [\#398](https://github.com/lynndylanhurley/devise_token_auth/issues/398) +- uninitialized constant DeviseTokenAuth::OmniauthCallbacksController::BCrypt [\#393](https://github.com/lynndylanhurley/devise_token_auth/issues/393) +- Sign in not success. 
[\#388](https://github.com/lynndylanhurley/devise_token_auth/issues/388) +- password length [\#380](https://github.com/lynndylanhurley/devise_token_auth/issues/380) +- Devise token auth not found routing error [\#379](https://github.com/lynndylanhurley/devise_token_auth/issues/379) +- Defining a custom primary key [\#378](https://github.com/lynndylanhurley/devise_token_auth/issues/378) +- seeing other users data after login/out with different users on ionic [\#375](https://github.com/lynndylanhurley/devise_token_auth/issues/375) +- omniauth: when redirecting, user object should not be serialized into url [\#368](https://github.com/lynndylanhurley/devise_token_auth/issues/368) +- getting ng-token-auth and devise\_token\_auth to work with OAuth in ionic InAppBrowser [\#367](https://github.com/lynndylanhurley/devise_token_auth/issues/367) +- omniauth callback redirect not working properly when using namespace/scope [\#362](https://github.com/lynndylanhurley/devise_token_auth/issues/362) +- invalid token in method set\_user\_by\_token on RegistrationsController\#update [\#357](https://github.com/lynndylanhurley/devise_token_auth/issues/357) +- Allow devise patch version updates [\#351](https://github.com/lynndylanhurley/devise_token_auth/issues/351) +- Error validating token [\#348](https://github.com/lynndylanhurley/devise_token_auth/issues/348) +- Restricting access to controllers methods [\#340](https://github.com/lynndylanhurley/devise_token_auth/issues/340) +- Allow for HTTP Basic Auth ? 
[\#337](https://github.com/lynndylanhurley/devise_token_auth/issues/337) +- Allow Omniauth user reset password [\#335](https://github.com/lynndylanhurley/devise_token_auth/issues/335) +- NameError \(uninitialized constant DeviseTokenAuth::Concerns::User::BCrypt\) [\#333](https://github.com/lynndylanhurley/devise_token_auth/issues/333) +- Unpermitted parameters: format, session [\#328](https://github.com/lynndylanhurley/devise_token_auth/issues/328) +- Concern causes app to connect to database when precompiling assets. [\#327](https://github.com/lynndylanhurley/devise_token_auth/issues/327) +- devise token auth + Save Facebook auth\_hash info in database [\#326](https://github.com/lynndylanhurley/devise_token_auth/issues/326) +- Error sending password reset email when not using confirmable \(reopened \#124\) [\#321](https://github.com/lynndylanhurley/devise_token_auth/issues/321) +- Routing error / Preflight request / OPTIONS [\#320](https://github.com/lynndylanhurley/devise_token_auth/issues/320) +- delete tokens after password change [\#318](https://github.com/lynndylanhurley/devise_token_auth/issues/318) +- Can't authorize \(user\_signed\_in? always show false\) [\#315](https://github.com/lynndylanhurley/devise_token_auth/issues/315) +- Warden::SessionSerializer - wrong number of arguments \(2 for 1\) [\#312](https://github.com/lynndylanhurley/devise_token_auth/issues/312) +- The action 'twitter' could not be found for DeviseTokenAuth::OmniauthCallbacksController [\#309](https://github.com/lynndylanhurley/devise_token_auth/issues/309) +- Having 401 Unauthorized only with mobile [\#305](https://github.com/lynndylanhurley/devise_token_auth/issues/305) +- remove unused nickname, image from user object [\#304](https://github.com/lynndylanhurley/devise_token_auth/issues/304) +- HI, This is more of a doubt since I could not finding anything related to this in your documentation. 
[\#300](https://github.com/lynndylanhurley/devise_token_auth/issues/300) +- Getting 401's when making requests using iOS/Android clients [\#299](https://github.com/lynndylanhurley/devise_token_auth/issues/299) +- undefined method `tokens' for \#\ [\#297](https://github.com/lynndylanhurley/devise_token_auth/issues/297) +- Confirmation URL giving bad arguments [\#293](https://github.com/lynndylanhurley/devise_token_auth/issues/293) +- set\_user\_by\_token not called in overriden controller [\#291](https://github.com/lynndylanhurley/devise_token_auth/issues/291) +- Question: Should we send password reset instructions to unconfirmed emails? [\#287](https://github.com/lynndylanhurley/devise_token_auth/issues/287) +- NoMethodError \(undefined method `\[\]' for nil:NilClass\): [\#286](https://github.com/lynndylanhurley/devise_token_auth/issues/286) +- Facebook omniauth redirection is missing url when testing on localhost [\#285](https://github.com/lynndylanhurley/devise_token_auth/issues/285) +- No route matches \[GET\] "/users/facebook/callback" [\#280](https://github.com/lynndylanhurley/devise_token_auth/issues/280) +- No route matches \[GET\] "/omniauth/:provider" [\#278](https://github.com/lynndylanhurley/devise_token_auth/issues/278) +- How to refresh token/expiry? [\#275](https://github.com/lynndylanhurley/devise_token_auth/issues/275) +- wrong number of arguments \(1 for 0\): in DeviseTokenAuth::RegistrationsController\#create [\#274](https://github.com/lynndylanhurley/devise_token_auth/issues/274) +- Can not save a user with nil tokens attribute [\#271](https://github.com/lynndylanhurley/devise_token_auth/issues/271) +- Shouldn't validate\_token param be access-token, not auth\_token? 
[\#270](https://github.com/lynndylanhurley/devise_token_auth/issues/270) +- include associations on login [\#269](https://github.com/lynndylanhurley/devise_token_auth/issues/269) +- Failure route not handled [\#262](https://github.com/lynndylanhurley/devise_token_auth/issues/262) +- Getting Unauthorized error even after sending the correct token, uid and client [\#261](https://github.com/lynndylanhurley/devise_token_auth/issues/261) +- Weird error message [\#259](https://github.com/lynndylanhurley/devise_token_auth/issues/259) +- undefined method `provider' for \#\ [\#257](https://github.com/lynndylanhurley/devise_token_auth/issues/257) +- Custom Serializer like ActiveModel Serializer [\#249](https://github.com/lynndylanhurley/devise_token_auth/issues/249) +- File download with query params [\#246](https://github.com/lynndylanhurley/devise_token_auth/issues/246) +- Info: is devise\_token\_auth compatible with rails 3.2.19? [\#245](https://github.com/lynndylanhurley/devise_token_auth/issues/245) +- Headers required for different methods [\#243](https://github.com/lynndylanhurley/devise_token_auth/issues/243) +- Unpermitted parameters: format, session, lang [\#239](https://github.com/lynndylanhurley/devise_token_auth/issues/239) +- On sign\_in, devise\_token\_auth expects the uid to be the same as the email [\#237](https://github.com/lynndylanhurley/devise_token_auth/issues/237) +- Name conflict with inherited\_resources [\#236](https://github.com/lynndylanhurley/devise_token_auth/issues/236) +- sign\_in will not fetch the token [\#234](https://github.com/lynndylanhurley/devise_token_auth/issues/234) +- Remove \('\#'\) symbol when using html5mode in locationProvider [\#232](https://github.com/lynndylanhurley/devise_token_auth/issues/232) +- Log in request 401 error [\#231](https://github.com/lynndylanhurley/devise_token_auth/issues/231) +- User Registration - "email address already in use" when it is unique 
[\#230](https://github.com/lynndylanhurley/devise_token_auth/issues/230) +- Devise email validation disabled...why? [\#229](https://github.com/lynndylanhurley/devise_token_auth/issues/229) +- confirm\_success\_url error not working [\#226](https://github.com/lynndylanhurley/devise_token_auth/issues/226) +- pending\_reconfirmation called when confirmable isn't used [\#224](https://github.com/lynndylanhurley/devise_token_auth/issues/224) +- omniauth\_success.html.erb JSON bug [\#221](https://github.com/lynndylanhurley/devise_token_auth/issues/221) +- Using devise\_token\_auth and ng\_token\_auth with angularJS in an Ionic Hybrid application [\#218](https://github.com/lynndylanhurley/devise_token_auth/issues/218) +- Where can I got token? [\#217](https://github.com/lynndylanhurley/devise_token_auth/issues/217) +- URI fragment prevent to send params in Confirmation URL [\#213](https://github.com/lynndylanhurley/devise_token_auth/issues/213) +- Generating many client tokens [\#210](https://github.com/lynndylanhurley/devise_token_auth/issues/210) +- Limit tokens hash? 
[\#208](https://github.com/lynndylanhurley/devise_token_auth/issues/208) +- 500 error returned when no data is POSTed to registration controller [\#203](https://github.com/lynndylanhurley/devise_token_auth/issues/203) +- undefined method `match' for nil:NilClass [\#201](https://github.com/lynndylanhurley/devise_token_auth/issues/201) +- DELETE method becoming OPTIONS @ Heroku [\#197](https://github.com/lynndylanhurley/devise_token_auth/issues/197) +- 40 Mb log file and 1 minute to have token with curl [\#195](https://github.com/lynndylanhurley/devise_token_auth/issues/195) +- 401 unauthorized [\#193](https://github.com/lynndylanhurley/devise_token_auth/issues/193) +- GET requests to sign\_in shouldn't raise an exception [\#190](https://github.com/lynndylanhurley/devise_token_auth/issues/190) +- Api not locked by default [\#189](https://github.com/lynndylanhurley/devise_token_auth/issues/189) +- Rails 4.1 [\#187](https://github.com/lynndylanhurley/devise_token_auth/issues/187) +- Unable to override OmniauthCallbacksController\#redirect\_callbacks [\#186](https://github.com/lynndylanhurley/devise_token_auth/issues/186) +- Devise and devise\_token\_auth omniauth callbacks [\#184](https://github.com/lynndylanhurley/devise_token_auth/issues/184) +- Token based authentication with no sessions [\#183](https://github.com/lynndylanhurley/devise_token_auth/issues/183) +- undefined method `authenticate\_user!' [\#182](https://github.com/lynndylanhurley/devise_token_auth/issues/182) +- confirm\_success\_url shouldn't be a required param [\#176](https://github.com/lynndylanhurley/devise_token_auth/issues/176) +- Provide an OAuth implementation for native apps [\#175](https://github.com/lynndylanhurley/devise_token_auth/issues/175) +- getting an argument error when trying to use omniauth [\#174](https://github.com/lynndylanhurley/devise_token_auth/issues/174) +- Sign in via username doesn't seem to work correctly. 
[\#173](https://github.com/lynndylanhurley/devise_token_auth/issues/173) +- Cannot use + sign in email address. [\#171](https://github.com/lynndylanhurley/devise_token_auth/issues/171) +- How can i authenticate using curl and get private entries ! [\#167](https://github.com/lynndylanhurley/devise_token_auth/issues/167) +- Pessimistic Locking produces ArgumentError [\#165](https://github.com/lynndylanhurley/devise_token_auth/issues/165) +- POTENTIAL SECURITY RISK: Setting confirm\_success\_url and redirect\_url via API [\#162](https://github.com/lynndylanhurley/devise_token_auth/issues/162) +- Sign out just on client side ? [\#161](https://github.com/lynndylanhurley/devise_token_auth/issues/161) +- Unpermitted parameter: redirect\_url [\#160](https://github.com/lynndylanhurley/devise_token_auth/issues/160) +- Issues using devise and devise\_token\_auth [\#159](https://github.com/lynndylanhurley/devise_token_auth/issues/159) +- Add role based authorization [\#158](https://github.com/lynndylanhurley/devise_token_auth/issues/158) +- Not compatible with ActiveAdmin [\#156](https://github.com/lynndylanhurley/devise_token_auth/issues/156) +- \[Duplicate\] is devise\_invitable supported? [\#154](https://github.com/lynndylanhurley/devise_token_auth/issues/154) +- User can register with a "false" email [\#149](https://github.com/lynndylanhurley/devise_token_auth/issues/149) +- /validate\_token [\#148](https://github.com/lynndylanhurley/devise_token_auth/issues/148) +- Email confirmation link [\#147](https://github.com/lynndylanhurley/devise_token_auth/issues/147) +- Tokens field on database [\#146](https://github.com/lynndylanhurley/devise_token_auth/issues/146) +- Twitter OAuth always throughs CookieOverflow [\#145](https://github.com/lynndylanhurley/devise_token_auth/issues/145) +- Is there a way to configure apiUrl for both dev and prod? 
[\#144](https://github.com/lynndylanhurley/devise_token_auth/issues/144) +- Getting 401 unauthorized on login attempt [\#142](https://github.com/lynndylanhurley/devise_token_auth/issues/142) +- Comparing with jwt [\#140](https://github.com/lynndylanhurley/devise_token_auth/issues/140) +- Can't get omniauth to work \(error in redirect\_callbacks\) [\#139](https://github.com/lynndylanhurley/devise_token_auth/issues/139) +- Change controller inheritance [\#138](https://github.com/lynndylanhurley/devise_token_auth/issues/138) +- Reset Password call returns 400 for Not Found user [\#137](https://github.com/lynndylanhurley/devise_token_auth/issues/137) +- The gem is too big. Please take care of it. [\#136](https://github.com/lynndylanhurley/devise_token_auth/issues/136) +- Error when loging with facebook the second time without logout [\#135](https://github.com/lynndylanhurley/devise_token_auth/issues/135) +- OmniAuth redirect doesn't work if using the generated mount\_devise\_token route [\#133](https://github.com/lynndylanhurley/devise_token_auth/issues/133) +- Missing template /omniauth\_response [\#132](https://github.com/lynndylanhurley/devise_token_auth/issues/132) +- Unpermitted parameter: session [\#130](https://github.com/lynndylanhurley/devise_token_auth/issues/130) +- OAuth error: We're sorry, but something went wrong [\#129](https://github.com/lynndylanhurley/devise_token_auth/issues/129) +- Would it be useful to integrate login with username ? 
[\#127](https://github.com/lynndylanhurley/devise_token_auth/issues/127) +- Sign in with login instead of email [\#126](https://github.com/lynndylanhurley/devise_token_auth/issues/126) +- Error sending password reset email when not using confirmable [\#124](https://github.com/lynndylanhurley/devise_token_auth/issues/124) +- Using expired token for parallel calls [\#123](https://github.com/lynndylanhurley/devise_token_auth/issues/123) +- User tokens don't properly deserialize [\#121](https://github.com/lynndylanhurley/devise_token_auth/issues/121) +- OmniauthCallbacksController\#omniauth\_success wrong number of arguments \(1 for 0\) [\#119](https://github.com/lynndylanhurley/devise_token_auth/issues/119) +- Could not load 'omniauth' [\#118](https://github.com/lynndylanhurley/devise_token_auth/issues/118) +- bad argument \(expected URI object or URI string\) [\#116](https://github.com/lynndylanhurley/devise_token_auth/issues/116) +- devise\_token\_auth for public API, but devise for rest of app? [\#114](https://github.com/lynndylanhurley/devise_token_auth/issues/114) +- Omniauthable deleted on UsersConcern : Why ? [\#111](https://github.com/lynndylanhurley/devise_token_auth/issues/111) +- Unrequired route [\#110](https://github.com/lynndylanhurley/devise_token_auth/issues/110) +- raises NoMethodError instead of displaying error when email is missing [\#108](https://github.com/lynndylanhurley/devise_token_auth/issues/108) +- Error with RailsAdmin. 
"The action 'new' could not be found for DeviseTokenAuth::SessionsController" [\#107](https://github.com/lynndylanhurley/devise_token_auth/issues/107) +- Circular dependency detected while autoloading constant Api [\#106](https://github.com/lynndylanhurley/devise_token_auth/issues/106) +- Can't Authenticate via cURL [\#105](https://github.com/lynndylanhurley/devise_token_auth/issues/105) +- Unpermitted parameters: user, registration [\#104](https://github.com/lynndylanhurley/devise_token_auth/issues/104) +- BCrypt::Errors::InvalidSalt errors [\#103](https://github.com/lynndylanhurley/devise_token_auth/issues/103) +- Active job token expiring integration [\#102](https://github.com/lynndylanhurley/devise_token_auth/issues/102) +- The action 'new' could not be found for DeviseTokenAuth::RegistrationsController [\#100](https://github.com/lynndylanhurley/devise_token_auth/issues/100) +- Disable confirmable [\#99](https://github.com/lynndylanhurley/devise_token_auth/issues/99) +- responders - rails 4.2 [\#98](https://github.com/lynndylanhurley/devise_token_auth/issues/98) +- forward skip to devise [\#97](https://github.com/lynndylanhurley/devise_token_auth/issues/97) +- API versioning the devise scope of token validation and ominiauth controller path will wrap up [\#96](https://github.com/lynndylanhurley/devise_token_auth/issues/96) +- Overwriting default "from" email address [\#94](https://github.com/lynndylanhurley/devise_token_auth/issues/94) +- uninitialized constant DeviseTokenAuth [\#92](https://github.com/lynndylanhurley/devise_token_auth/issues/92) +- change\_headers\_on\_each\_request not working expiry header empty [\#90](https://github.com/lynndylanhurley/devise_token_auth/issues/90) +- Gem render consistency [\#87](https://github.com/lynndylanhurley/devise_token_auth/issues/87) +- Sample Sessions Controller for logging in via Rails View. 
[\#86](https://github.com/lynndylanhurley/devise_token_auth/issues/86) +- Change authorization key: Use phone\_number instead of email [\#84](https://github.com/lynndylanhurley/devise_token_auth/issues/84) +- Conflict with active\_admin gem [\#83](https://github.com/lynndylanhurley/devise_token_auth/issues/83) +- NoMethodError in DeviseTokenAuth::OmniauthCallbacksController\#redirect\_callbacks [\#82](https://github.com/lynndylanhurley/devise_token_auth/issues/82) +- All the APIs are getting 'Authorized users only' [\#81](https://github.com/lynndylanhurley/devise_token_auth/issues/81) +- Is Devise option Rememberable required ? [\#80](https://github.com/lynndylanhurley/devise_token_auth/issues/80) +- Problem with skip\_confirmation! [\#78](https://github.com/lynndylanhurley/devise_token_auth/issues/78) +- Cannot reset password if registered by omniauth [\#77](https://github.com/lynndylanhurley/devise_token_auth/issues/77) +- NoMethodError at /omniauth/facebook/callback - undefined method `\[\]' for nil:NilClass [\#76](https://github.com/lynndylanhurley/devise_token_auth/issues/76) +- Remove dependency on ActiveRecord [\#72](https://github.com/lynndylanhurley/devise_token_auth/issues/72) +- Skipping Registrations Controller Altogether [\#70](https://github.com/lynndylanhurley/devise_token_auth/issues/70) +- Problem in validate\_token if the model is in a namespace [\#69](https://github.com/lynndylanhurley/devise_token_auth/issues/69) +- Cannot send confirmation email if there is no 'User' model [\#68](https://github.com/lynndylanhurley/devise_token_auth/issues/68) +- Better guidelines for contributors [\#65](https://github.com/lynndylanhurley/devise_token_auth/issues/65) +- admin namespace [\#63](https://github.com/lynndylanhurley/devise_token_auth/issues/63) +- Devise trackable module not working [\#62](https://github.com/lynndylanhurley/devise_token_auth/issues/62) +- Devise\_token\_auth without OmniAuth authentication 
[\#60](https://github.com/lynndylanhurley/devise_token_auth/issues/60) +- Reset Password error [\#59](https://github.com/lynndylanhurley/devise_token_auth/issues/59) +- Confirmable - unconfirmed email [\#58](https://github.com/lynndylanhurley/devise_token_auth/issues/58) +- Email Column Isn't Used for Database Authentication [\#56](https://github.com/lynndylanhurley/devise_token_auth/issues/56) +- Unique Key for Provider and UID Combination [\#55](https://github.com/lynndylanhurley/devise_token_auth/issues/55) +- User Info in separate table or removed [\#53](https://github.com/lynndylanhurley/devise_token_auth/issues/53) +- rename @user to @resource [\#48](https://github.com/lynndylanhurley/devise_token_auth/issues/48) +- Active\_admin issue [\#47](https://github.com/lynndylanhurley/devise_token_auth/issues/47) +- Possible Logout Issue [\#46](https://github.com/lynndylanhurley/devise_token_auth/issues/46) +- Routes not appended to routes.rb [\#45](https://github.com/lynndylanhurley/devise_token_auth/issues/45) +- Return resource.errors.full\_messages in addition to resource.errors [\#44](https://github.com/lynndylanhurley/devise_token_auth/issues/44) +- Devise and Devise\_Token\_Auth in api namespace [\#43](https://github.com/lynndylanhurley/devise_token_auth/issues/43) +- Trackable attributes are not being updated. 
[\#42](https://github.com/lynndylanhurley/devise_token_auth/issues/42) +- Avoid using respond\_to in application controller [\#41](https://github.com/lynndylanhurley/devise_token_auth/issues/41) +- devise\_token\_auth assumes you want the :confirmable functionality [\#40](https://github.com/lynndylanhurley/devise_token_auth/issues/40) +- undefined method `match' for nil:NilClass [\#39](https://github.com/lynndylanhurley/devise_token_auth/issues/39) +- Expired token aren't removed when session expires [\#38](https://github.com/lynndylanhurley/devise_token_auth/issues/38) +- sign\_up helper [\#37](https://github.com/lynndylanhurley/devise_token_auth/issues/37) +- self.tokens\[client\_id\]\['token'\] != token [\#30](https://github.com/lynndylanhurley/devise_token_auth/issues/30) +- How is the uid generated for non-omniauth users? [\#29](https://github.com/lynndylanhurley/devise_token_auth/issues/29) +- Access to current\_user variable? [\#28](https://github.com/lynndylanhurley/devise_token_auth/issues/28) +- Filter chain halted as :require\_no\_authentication [\#27](https://github.com/lynndylanhurley/devise_token_auth/issues/27) +- Allow additional parameters for registration [\#25](https://github.com/lynndylanhurley/devise_token_auth/issues/25) +- Cannot add more parameters at sign\_up [\#22](https://github.com/lynndylanhurley/devise_token_auth/issues/22) +- Error on Registration [\#21](https://github.com/lynndylanhurley/devise_token_auth/issues/21) +- Error with authentication [\#20](https://github.com/lynndylanhurley/devise_token_auth/issues/20) +- Cascade of Issues with Omniauth\(?\) [\#18](https://github.com/lynndylanhurley/devise_token_auth/issues/18) +- Batch Requests Respond with Original Auth Token [\#17](https://github.com/lynndylanhurley/devise_token_auth/issues/17) +- Sign out with email provider error [\#16](https://github.com/lynndylanhurley/devise_token_auth/issues/16) +- sessions\_controller.rb 
[\#12](https://github.com/lynndylanhurley/devise_token_auth/issues/12) +- Github login in example is broken [\#10](https://github.com/lynndylanhurley/devise_token_auth/issues/10) +- Facebook auth is broken [\#9](https://github.com/lynndylanhurley/devise_token_auth/issues/9) +- Generator is not working [\#8](https://github.com/lynndylanhurley/devise_token_auth/issues/8) +- Test ticket from Code Climate [\#6](https://github.com/lynndylanhurley/devise_token_auth/issues/6) +- Test ticket from Code Climate [\#5](https://github.com/lynndylanhurley/devise_token_auth/issues/5) +- extending the devise\_token\_auth user model [\#4](https://github.com/lynndylanhurley/devise_token_auth/issues/4) +- A few ideas [\#3](https://github.com/lynndylanhurley/devise_token_auth/issues/3) +- Google Oauth2 does not set cookies in production. [\#1](https://github.com/lynndylanhurley/devise_token_auth/issues/1) + +**Merged pull requests:** + +- Translate message: Authorized users only through devise [\#883](https://github.com/lynndylanhurley/devise_token_auth/pull/883) ([vincenzodev](https://github.com/vincenzodev)) +- Updated generator test code to work with rails 5 [\#872](https://github.com/lynndylanhurley/devise_token_auth/pull/872) ([jrhee17](https://github.com/jrhee17)) +- use URI::HTTPS to generate HTTPS redirects [\#864](https://github.com/lynndylanhurley/devise_token_auth/pull/864) ([cgc](https://github.com/cgc)) +- Rename find\_by methods [\#860](https://github.com/lynndylanhurley/devise_token_auth/pull/860) ([alex-lairan](https://github.com/alex-lairan)) +- Support for Devise 4.2.1 [\#852](https://github.com/lynndylanhurley/devise_token_auth/pull/852) ([ckho](https://github.com/ckho)) +- Add Albanian locale [\#842](https://github.com/lynndylanhurley/devise_token_auth/pull/842) ([fatosmorina](https://github.com/fatosmorina)) +- Update german translation. 
[\#816](https://github.com/lynndylanhurley/devise_token_auth/pull/816) ([gobijan](https://github.com/gobijan)) +- Prevent getting table info if not connected to db [\#814](https://github.com/lynndylanhurley/devise_token_auth/pull/814) ([cbliard](https://github.com/cbliard)) +- Add support for italian locale [\#811](https://github.com/lynndylanhurley/devise_token_auth/pull/811) ([Chosko](https://github.com/Chosko)) +- Fix privacy issue with password reset request [\#808](https://github.com/lynndylanhurley/devise_token_auth/pull/808) ([biomancer](https://github.com/biomancer)) +- Add missing parameter :redirect\_url, fixes \#805 [\#806](https://github.com/lynndylanhurley/devise_token_auth/pull/806) ([Rush](https://github.com/Rush)) +- Fix language errors in German locale [\#800](https://github.com/lynndylanhurley/devise_token_auth/pull/800) ([morgler](https://github.com/morgler)) +- Don't send extra data on request password reset [\#798](https://github.com/lynndylanhurley/devise_token_auth/pull/798) ([Mrjaco12](https://github.com/Mrjaco12)) +- Travis: use the code\_climate addon config [\#786](https://github.com/lynndylanhurley/devise_token_auth/pull/786) ([olleolleolle](https://github.com/olleolleolle)) +- Update link [\#782](https://github.com/lynndylanhurley/devise_token_auth/pull/782) ([dijonkitchen](https://github.com/dijonkitchen)) +- Add index for confirmation\_token [\#767](https://github.com/lynndylanhurley/devise_token_auth/pull/767) ([dijonkitchen](https://github.com/dijonkitchen)) +- Fixes constructing redirect\_route [\#765](https://github.com/lynndylanhurley/devise_token_auth/pull/765) ([piotrkaczmarek](https://github.com/piotrkaczmarek)) +- Use standart ActiveRecord error message for email uniqueness validation [\#746](https://github.com/lynndylanhurley/devise_token_auth/pull/746) ([mpugach](https://github.com/mpugach)) +- Add Romanian locale. 
[\#743](https://github.com/lynndylanhurley/devise_token_auth/pull/743) ([razvanmitre](https://github.com/razvanmitre)) +- Ruby syntax: replace and/not with &&/! [\#733](https://github.com/lynndylanhurley/devise_token_auth/pull/733) ([olleolleolle](https://github.com/olleolleolle)) +- Update indexes on template [\#724](https://github.com/lynndylanhurley/devise_token_auth/pull/724) ([dijonkitchen](https://github.com/dijonkitchen)) +- Add an extra line to the "contributing" list [\#720](https://github.com/lynndylanhurley/devise_token_auth/pull/720) ([jahammo2](https://github.com/jahammo2)) +- Fix grammar [\#712](https://github.com/lynndylanhurley/devise_token_auth/pull/712) ([dijonkitchen](https://github.com/dijonkitchen)) +- Added reference to Angular2-Token to README [\#710](https://github.com/lynndylanhurley/devise_token_auth/pull/710) ([neroniaky](https://github.com/neroniaky)) +- feat\(whitelist\): add wildcard support for redirect\_whitelist patterns [\#709](https://github.com/lynndylanhurley/devise_token_auth/pull/709) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Fix Migration Deprecation Warning [\#700](https://github.com/lynndylanhurley/devise_token_auth/pull/700) ([juddey](https://github.com/juddey)) +- Apply `redirect\_whitelist` to OAuth redirect URI. 
[\#699](https://github.com/lynndylanhurley/devise_token_auth/pull/699) ([lynndylanhurley](https://github.com/lynndylanhurley)) +- add zh-CN.yml [\#697](https://github.com/lynndylanhurley/devise_token_auth/pull/697) ([halfray](https://github.com/halfray)) +- update README.md [\#693](https://github.com/lynndylanhurley/devise_token_auth/pull/693) ([nhattan](https://github.com/nhattan)) +- Fix for issue \#600 [\#674](https://github.com/lynndylanhurley/devise_token_auth/pull/674) ([milep](https://github.com/milep)) +- Use lockable devise option and unlock controller overwrite [\#669](https://github.com/lynndylanhurley/devise_token_auth/pull/669) ([genaromadrid](https://github.com/genaromadrid)) +- Fix setup config example in README [\#665](https://github.com/lynndylanhurley/devise_token_auth/pull/665) ([guich-wo](https://github.com/guich-wo)) +- added bypass\_sign\_in for next version of Devise [\#663](https://github.com/lynndylanhurley/devise_token_auth/pull/663) ([KendallPark](https://github.com/KendallPark)) +- fix method 'is\_json\_api' with active\_model\_serialier v 0.10.0 [\#651](https://github.com/lynndylanhurley/devise_token_auth/pull/651) ([woodcrust](https://github.com/woodcrust)) +- Tokens count overmuch fixed [\#650](https://github.com/lynndylanhurley/devise_token_auth/pull/650) ([JerryGreen](https://github.com/JerryGreen)) +- updates config wrapper to conform with newer idiom [\#648](https://github.com/lynndylanhurley/devise_token_auth/pull/648) ([bvandgrift](https://github.com/bvandgrift)) +- Adding support for devise 4.1.1 [\#642](https://github.com/lynndylanhurley/devise_token_auth/pull/642) ([iainmcg](https://github.com/iainmcg)) +- Updating Devise dependency to max 4.1.1 [\#641](https://github.com/lynndylanhurley/devise_token_auth/pull/641) ([TGRGIT](https://github.com/TGRGIT)) +- Fix yields from controller actions [\#638](https://github.com/lynndylanhurley/devise_token_auth/pull/638) ([tiagojsag](https://github.com/tiagojsag)) +- Fix generator to 
correctly inject content into the user model in rails 5 [\#636](https://github.com/lynndylanhurley/devise_token_auth/pull/636) ([ethangk](https://github.com/ethangk)) +- fix spelling in comment on token auth concern [\#632](https://github.com/lynndylanhurley/devise_token_auth/pull/632) ([dandlezzz](https://github.com/dandlezzz)) +- fixed devise deprecation warning for config.email\_regexp [\#618](https://github.com/lynndylanhurley/devise_token_auth/pull/618) ([lemuelbarango](https://github.com/lemuelbarango)) +- Revert "Update readme for headers names" [\#592](https://github.com/lynndylanhurley/devise_token_auth/pull/592) ([ash1day](https://github.com/ash1day)) +- Update readme for headers names [\#589](https://github.com/lynndylanhurley/devise_token_auth/pull/589) ([ash1day](https://github.com/ash1day)) +- Add info to README [\#585](https://github.com/lynndylanhurley/devise_token_auth/pull/585) ([ghost](https://github.com/ghost)) +- Fix typo and remove trailing spaces [\#578](https://github.com/lynndylanhurley/devise_token_auth/pull/578) ([ash1day](https://github.com/ash1day)) +- allowing authenticating using headers as well as a post request [\#576](https://github.com/lynndylanhurley/devise_token_auth/pull/576) ([ingolfured](https://github.com/ingolfured)) +- Whitespace: tabs removed [\#574](https://github.com/lynndylanhurley/devise_token_auth/pull/574) ([olleolleolle](https://github.com/olleolleolle)) +- Added dutch translations [\#571](https://github.com/lynndylanhurley/devise_token_auth/pull/571) ([nschmoller](https://github.com/nschmoller)) +- now possible to change headers names in the config file [\#569](https://github.com/lynndylanhurley/devise_token_auth/pull/569) ([ingolfured](https://github.com/ingolfured)) +- User concern: Ensure fallback is in place [\#564](https://github.com/lynndylanhurley/devise_token_auth/pull/564) ([olleolleolle](https://github.com/olleolleolle)) +- Return resource with top-level 'type' member. 
[\#562](https://github.com/lynndylanhurley/devise_token_auth/pull/562) ([ruimiguelsantos](https://github.com/ruimiguelsantos)) +- Fix devise mapping [\#540](https://github.com/lynndylanhurley/devise_token_auth/pull/540) ([merqlove](https://github.com/merqlove)) +- Make all json responses to be json\_api compliant [\#537](https://github.com/lynndylanhurley/devise_token_auth/pull/537) ([djsegal](https://github.com/djsegal)) +- Avoid sending auth headers if while processing used token is cleared [\#531](https://github.com/lynndylanhurley/devise_token_auth/pull/531) ([virginia-rodriguez](https://github.com/virginia-rodriguez)) +- Add Japanese locale and fix typo [\#530](https://github.com/lynndylanhurley/devise_token_auth/pull/530) ([metalunk](https://github.com/metalunk)) +- Added omniauth post route [\#528](https://github.com/lynndylanhurley/devise_token_auth/pull/528) ([v3rtx](https://github.com/v3rtx)) +- Extract model callbacks [\#525](https://github.com/lynndylanhurley/devise_token_auth/pull/525) ([merqlove](https://github.com/merqlove)) +- create token when no client\_id token [\#523](https://github.com/lynndylanhurley/devise_token_auth/pull/523) ([charlesdg](https://github.com/charlesdg)) +- Fix enable\_standard\_devise\_support in initializer [\#518](https://github.com/lynndylanhurley/devise_token_auth/pull/518) ([halilim](https://github.com/halilim)) +- Make render\_create\_success render valid json\_api [\#513](https://github.com/lynndylanhurley/devise_token_auth/pull/513) ([djsegal](https://github.com/djsegal)) +- Prevent raise of exception if set\_user\_by\_token not defined [\#511](https://github.com/lynndylanhurley/devise_token_auth/pull/511) ([jeryRazakarison](https://github.com/jeryRazakarison)) +- send\_on\_create\_confirmation\_instructions callback isn't defined \(rails 5\) [\#508](https://github.com/lynndylanhurley/devise_token_auth/pull/508) ([fivetwentysix](https://github.com/fivetwentysix)) +- \[REBASE\] Fix rails 5 deprecation and devise 
parameter sanitization [\#507](https://github.com/lynndylanhurley/devise_token_auth/pull/507) ([fivetwentysix](https://github.com/fivetwentysix)) +- remove deprecations from RegistrationsController [\#506](https://github.com/lynndylanhurley/devise_token_auth/pull/506) ([fivetwentysix](https://github.com/fivetwentysix)) +- Allow new devise version for rails 5 compatibility [\#499](https://github.com/lynndylanhurley/devise_token_auth/pull/499) ([djsegal](https://github.com/djsegal)) +- Spelling mistake [\#493](https://github.com/lynndylanhurley/devise_token_auth/pull/493) ([Tom-Tom](https://github.com/Tom-Tom)) +- Improve Brazilian Portuguese locale [\#491](https://github.com/lynndylanhurley/devise_token_auth/pull/491) ([ssouza](https://github.com/ssouza)) +- fix namespaced mapping name [\#484](https://github.com/lynndylanhurley/devise_token_auth/pull/484) ([paulosoares86](https://github.com/paulosoares86)) +- Locale file for both zh-TW and zh-HK [\#483](https://github.com/lynndylanhurley/devise_token_auth/pull/483) ([SunnyTam](https://github.com/SunnyTam)) +- Fixed typos and inconsistencies in ru.yml [\#478](https://github.com/lynndylanhurley/devise_token_auth/pull/478) ([fertingoff](https://github.com/fertingoff)) +- Fixes Issue \#362: Fixes for the omniauth redirection issue for namesp… [\#476](https://github.com/lynndylanhurley/devise_token_auth/pull/476) ([devilankur18](https://github.com/devilankur18)) +- removing old tokens when user changes passwords [\#474](https://github.com/lynndylanhurley/devise_token_auth/pull/474) ([paulosoares86](https://github.com/paulosoares86)) +- Move travis to container based configuration [\#470](https://github.com/lynndylanhurley/devise_token_auth/pull/470) ([ValentinTrinque](https://github.com/ValentinTrinque)) +- Prevent helpers being loaded for Rails API’s [\#469](https://github.com/lynndylanhurley/devise_token_auth/pull/469) ([djsegal](https://github.com/djsegal)) +- Reduce dependencies to allow Rails 5.0 
[\#467](https://github.com/lynndylanhurley/devise_token_auth/pull/467) ([djsegal](https://github.com/djsegal)) +- Fix locales `errors.messages.already\_in\_use` + clean up [\#466](https://github.com/lynndylanhurley/devise_token_auth/pull/466) ([ValentinTrinque](https://github.com/ValentinTrinque)) +- Added 401 response to failed group authentication [\#446](https://github.com/lynndylanhurley/devise_token_auth/pull/446) ([rstrobl](https://github.com/rstrobl)) +- RU translations [\#441](https://github.com/lynndylanhurley/devise_token_auth/pull/441) ([yivo](https://github.com/yivo)) +- to keep coherent with devise. pt instead of pt-PT.yml [\#436](https://github.com/lynndylanhurley/devise_token_auth/pull/436) ([rmvenancio](https://github.com/rmvenancio)) +- limiting the number of concurrent devices [\#434](https://github.com/lynndylanhurley/devise_token_auth/pull/434) ([paulosoares86](https://github.com/paulosoares86)) +- Raise error in controller method [\#430](https://github.com/lynndylanhurley/devise_token_auth/pull/430) ([ArneZsng](https://github.com/ArneZsng)) +- feat\(enable-standard-devise\): allow configurable support of legacy Devise authentication [\#428](https://github.com/lynndylanhurley/devise_token_auth/pull/428) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Support for i18n in mailers views [\#427](https://github.com/lynndylanhurley/devise_token_auth/pull/427) ([ponyesteves](https://github.com/ponyesteves)) +- Fix omniauthredirection when under scopes [\#425](https://github.com/lynndylanhurley/devise_token_auth/pull/425) ([xjunior](https://github.com/xjunior)) +- Translation to German [\#423](https://github.com/lynndylanhurley/devise_token_auth/pull/423) ([haslinger](https://github.com/haslinger)) +- fix\(url\): preserve query parameters when building urls [\#421](https://github.com/lynndylanhurley/devise_token_auth/pull/421) ([nbrustein](https://github.com/nbrustein)) +- Change default message for already in use error and added to english … 
[\#417](https://github.com/lynndylanhurley/devise_token_auth/pull/417) ([ponyesteves](https://github.com/ponyesteves)) +- Issue \#413 [\#414](https://github.com/lynndylanhurley/devise_token_auth/pull/414) ([Carrigan](https://github.com/Carrigan)) +- Add .ruby-version entry to .gitignore [\#412](https://github.com/lynndylanhurley/devise_token_auth/pull/412) ([xymbol](https://github.com/xymbol)) +- 404 for invalid link with password reset token [\#411](https://github.com/lynndylanhurley/devise_token_auth/pull/411) ([rmvenancio](https://github.com/rmvenancio)) +- Portuguese Translation [\#409](https://github.com/lynndylanhurley/devise_token_auth/pull/409) ([rmvenancio](https://github.com/rmvenancio)) +- Added polish translation. [\#405](https://github.com/lynndylanhurley/devise_token_auth/pull/405) ([h3xed](https://github.com/h3xed)) +- Drop .ruby-version file [\#404](https://github.com/lynndylanhurley/devise_token_auth/pull/404) ([xymbol](https://github.com/xymbol)) +- Implement hook methods for customized json rendering [\#384](https://github.com/lynndylanhurley/devise_token_auth/pull/384) ([neutronz](https://github.com/neutronz)) +- Feature/password reset with check fix [\#374](https://github.com/lynndylanhurley/devise_token_auth/pull/374) ([jakubrohleder](https://github.com/jakubrohleder)) +- fix\(oauth\): fixes \#368: do not serialize the entire user object in the url when redirecting from oauth [\#371](https://github.com/lynndylanhurley/devise_token_auth/pull/371) ([nbrustein](https://github.com/nbrustein)) +- Fallback to ActiveModel translations in EmailValidator [\#369](https://github.com/lynndylanhurley/devise_token_auth/pull/369) ([yivo](https://github.com/yivo)) +- Add a Gitter chat badge to README.md [\#360](https://github.com/lynndylanhurley/devise_token_auth/pull/360) ([gitter-badger](https://github.com/gitter-badger)) +- Improvements to the docs. 
[\#358](https://github.com/lynndylanhurley/devise_token_auth/pull/358) ([aarongray](https://github.com/aarongray)) +- Add description to readme about the devise.rb initializer. [\#356](https://github.com/lynndylanhurley/devise_token_auth/pull/356) ([aarongray](https://github.com/aarongray)) +- Correct handling namespaced resources [\#355](https://github.com/lynndylanhurley/devise_token_auth/pull/355) ([yivo](https://github.com/yivo)) +- Fix concern not being inserted for rails-api apps. [\#350](https://github.com/lynndylanhurley/devise_token_auth/pull/350) ([aarongray](https://github.com/aarongray)) +- Add documentation to explain gotcha with rails-api. [\#349](https://github.com/lynndylanhurley/devise_token_auth/pull/349) ([aarongray](https://github.com/aarongray)) +- Fully support OmniauthCallbacksController action overrides. Fixes \#186. [\#347](https://github.com/lynndylanhurley/devise_token_auth/pull/347) ([tbloncar](https://github.com/tbloncar)) +- \#340 Restrict access to controllers methods [\#341](https://github.com/lynndylanhurley/devise_token_auth/pull/341) ([gkopylov](https://github.com/gkopylov)) +- fix\(omniauth\): fix error in setting text on redirect page [\#336](https://github.com/lynndylanhurley/devise_token_auth/pull/336) ([nbrustein](https://github.com/nbrustein)) +- add Brazilian Portuguese translation \(pt-BR\) [\#331](https://github.com/lynndylanhurley/devise_token_auth/pull/331) ([josiasds](https://github.com/josiasds)) +- Tests to ensure standard devise has greater priority than tokens [\#330](https://github.com/lynndylanhurley/devise_token_auth/pull/330) ([colavitam](https://github.com/colavitam)) +- Fixed error when using standard devise authentication [\#329](https://github.com/lynndylanhurley/devise_token_auth/pull/329) ([colavitam](https://github.com/colavitam)) +- feat\(improved-omniauth\): omniauth sameWindow and inAppBrowser flows [\#323](https://github.com/lynndylanhurley/devise_token_auth/pull/323) 
([nbrustein](https://github.com/nbrustein)) +- Fix invalid omniauth redirect [\#322](https://github.com/lynndylanhurley/devise_token_auth/pull/322) ([troggy](https://github.com/troggy)) +- Old password check before password update [\#317](https://github.com/lynndylanhurley/devise_token_auth/pull/317) ([jakubrohleder](https://github.com/jakubrohleder)) +- Remove erroneous colon from before\_action callback [\#310](https://github.com/lynndylanhurley/devise_token_auth/pull/310) ([jmliu](https://github.com/jmliu)) +- Disabled serialization for JSON type columns [\#306](https://github.com/lynndylanhurley/devise_token_auth/pull/306) ([colavitam](https://github.com/colavitam)) +- Set default provider to "email" in migration [\#302](https://github.com/lynndylanhurley/devise_token_auth/pull/302) ([colavitam](https://github.com/colavitam)) +- Fix an issue for not :confirmable users [\#296](https://github.com/lynndylanhurley/devise_token_auth/pull/296) ([sebfie](https://github.com/sebfie)) +- Update README.md [\#295](https://github.com/lynndylanhurley/devise_token_auth/pull/295) ([adisos](https://github.com/adisos)) +- Fix MOUNT\_PATH 'Read More' link [\#294](https://github.com/lynndylanhurley/devise_token_auth/pull/294) ([jmliu](https://github.com/jmliu)) +- Don't send password reset instructions to unconfirmed email [\#288](https://github.com/lynndylanhurley/devise_token_auth/pull/288) ([coryschires](https://github.com/coryschires)) +- Feature/i18n support [\#283](https://github.com/lynndylanhurley/devise_token_auth/pull/283) ([sebfie](https://github.com/sebfie)) +- Update documentation for validate\_token [\#277](https://github.com/lynndylanhurley/devise_token_auth/pull/277) ([adamgall](https://github.com/adamgall)) +- Added json support for tokens [\#276](https://github.com/lynndylanhurley/devise_token_auth/pull/276) ([shicholas](https://github.com/shicholas)) +- perf\(token\_is\_current?\): add simplistic cache to reduce overhead of redundant token checks during 
validation calls [\#272](https://github.com/lynndylanhurley/devise_token_auth/pull/272) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- perf\(update\_auth\_header\): only lock the resource if we are rotating tokens [\#267](https://github.com/lynndylanhurley/devise_token_auth/pull/267) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(email-validation\): Update in-use email validation message during registration to allow full\_message use [\#255](https://github.com/lynndylanhurley/devise_token_auth/pull/255) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(session\#new\): fix unhandled 500 when logging in with valid user and bad password [\#254](https://github.com/lynndylanhurley/devise_token_auth/pull/254) ([mathemagica](https://github.com/mathemagica)) +- feat\(ominauth\): support json-formatted values in omniauth callback. [\#252](https://github.com/lynndylanhurley/devise_token_auth/pull/252) ([nbrustein](https://github.com/nbrustein)) +- fix\(sessions controller\): call reset\_session on destroy [\#251](https://github.com/lynndylanhurley/devise_token_auth/pull/251) ([nbrustein](https://github.com/nbrustein)) +- fix\(resource\_class\): support optional mapping property from set\_user\_by\_token [\#250](https://github.com/lynndylanhurley/devise_token_auth/pull/250) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Allow current\_password to be supplied when updating profile. 
[\#240](https://github.com/lynndylanhurley/devise_token_auth/pull/240) ([jasonswett](https://github.com/jasonswett)) +- fixes password reset when not using confirmable [\#225](https://github.com/lynndylanhurley/devise_token_auth/pull/225) ([aesnyder](https://github.com/aesnyder)) +- Fix error when email missing from registration params [\#220](https://github.com/lynndylanhurley/devise_token_auth/pull/220) ([iangreenleaf](https://github.com/iangreenleaf)) +- URI fragment should appear at the end of URL [\#214](https://github.com/lynndylanhurley/devise_token_auth/pull/214) ([edymerchk](https://github.com/edymerchk)) +- Super block yield \(all controllers\) [\#209](https://github.com/lynndylanhurley/devise_token_auth/pull/209) ([sgwilym](https://github.com/sgwilym)) +- Super block yield [\#207](https://github.com/lynndylanhurley/devise_token_auth/pull/207) ([sgwilym](https://github.com/sgwilym)) +- Ability to localize error message [\#206](https://github.com/lynndylanhurley/devise_token_auth/pull/206) ([lda](https://github.com/lda)) +- remove fragment sign \("\#"\) from URLs without fragment [\#205](https://github.com/lynndylanhurley/devise_token_auth/pull/205) ([tomdov](https://github.com/tomdov)) +- Return 422 \(was 500\) when empty body for sign up and account update [\#204](https://github.com/lynndylanhurley/devise_token_auth/pull/204) ([mchavarriagam](https://github.com/mchavarriagam)) +- Users with allowed unconfirmed access can now log in successfully. 
[\#202](https://github.com/lynndylanhurley/devise_token_auth/pull/202) ([colavitam](https://github.com/colavitam)) +- Authenticating an existing Warden/Devise User [\#200](https://github.com/lynndylanhurley/devise_token_auth/pull/200) ([nickL](https://github.com/nickL)) +- GET sign\_in should direct people to use POST sign\_in rather than raising exception [\#191](https://github.com/lynndylanhurley/devise_token_auth/pull/191) ([milesmatthias](https://github.com/milesmatthias)) +- Ignore 'extra' in Twitter auth response to avoid CookieOverflow. Fixes \#145. [\#179](https://github.com/lynndylanhurley/devise_token_auth/pull/179) ([tbloncar](https://github.com/tbloncar)) +- Some missing as\_json ? [\#152](https://github.com/lynndylanhurley/devise_token_auth/pull/152) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check email format on registration [\#150](https://github.com/lynndylanhurley/devise_token_auth/pull/150) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Actual header key uses dashes, not underscores. [\#143](https://github.com/lynndylanhurley/devise_token_auth/pull/143) ([ragaskar](https://github.com/ragaskar)) +- Username register login [\#128](https://github.com/lynndylanhurley/devise_token_auth/pull/128) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Check if confirmable is active before skipping confirmation [\#125](https://github.com/lynndylanhurley/devise_token_auth/pull/125) ([nicolas-besnard](https://github.com/nicolas-besnard)) +- Fix links to section about controller integration. [\#117](https://github.com/lynndylanhurley/devise_token_auth/pull/117) ([Le6ow5k1](https://github.com/Le6ow5k1)) +- document GET for /validate\_token [\#113](https://github.com/lynndylanhurley/devise_token_auth/pull/113) ([lukaselmer](https://github.com/lukaselmer)) +- Fix small error in documentation. 
[\#91](https://github.com/lynndylanhurley/devise_token_auth/pull/91) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Exclude devise modules [\#85](https://github.com/lynndylanhurley/devise_token_auth/pull/85) ([jartek](https://github.com/jartek)) +- fix\(registration and update\): Ensure UID is updated alongside Email, and case-sensitivity is honored [\#71](https://github.com/lynndylanhurley/devise_token_auth/pull/71) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Add better guidelines for contributors. [\#67](https://github.com/lynndylanhurley/devise_token_auth/pull/67) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- Use resource\_class to override email confirmation. [\#64](https://github.com/lynndylanhurley/devise_token_auth/pull/64) ([edgarhenriquez](https://github.com/edgarhenriquez)) +- fix\(case-sensitivity\): support devise case\_insensitive\_keys for session ... [\#57](https://github.com/lynndylanhurley/devise_token_auth/pull/57) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- fix\(contention\): fix write contention in update\_auth\_headers and always ... [\#52](https://github.com/lynndylanhurley/devise_token_auth/pull/52) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Include resource.errors.full\_messages in error response. 
[\#50](https://github.com/lynndylanhurley/devise_token_auth/pull/50) ([jasonswett](https://github.com/jasonswett)) +- fix\(expiry\): fix an issue where token expiration checks were too permissive [\#49](https://github.com/lynndylanhurley/devise_token_auth/pull/49) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Update README with Example Generator Command [\#35](https://github.com/lynndylanhurley/devise_token_auth/pull/35) ([wwilkins](https://github.com/wwilkins)) +- Remove OmniAuth dependency [\#26](https://github.com/lynndylanhurley/devise_token_auth/pull/26) ([hannahhoward](https://github.com/hannahhoward)) +- Update README.md [\#24](https://github.com/lynndylanhurley/devise_token_auth/pull/24) ([davidsavoya](https://github.com/davidsavoya)) +- guard against MissingAttributeError during common ActiveRecord operations [\#19](https://github.com/lynndylanhurley/devise_token_auth/pull/19) ([booleanbetrayal](https://github.com/booleanbetrayal)) +- Fix expiry data type [\#11](https://github.com/lynndylanhurley/devise_token_auth/pull/11) ([lonre](https://github.com/lonre)) +- README and travis config tweaks [\#7](https://github.com/lynndylanhurley/devise_token_auth/pull/7) ([guilhermesimoes](https://github.com/guilhermesimoes)) + +# Change Log + ## [v0.1.40](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.40) (2017-01-20) [Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.39...v0.1.40) @@ -870,4 +1354,6 @@ \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* + \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file 
diff --git a/Gemfile.lock b/Gemfile.lock index 3cd5d67e7..172be9c5e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.40) + devise_token_auth (0.1.41) devise (> 3.5.2, <= 4.2.1) rails (< 6) @@ -86,7 +86,7 @@ GEM simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.1) colorize (0.8.1) - concurrent-ruby (1.0.2) + concurrent-ruby (1.0.5) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) devise (4.2.0) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 6d0189c83..452a74f83 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.40" + VERSION = "0.1.41" end From 9217150fefc95cacec4909045e1ce19f01648fc8 Mon Sep 17 00:00:00 2001 From: silviu-simeria Date: Wed, 17 May 2017 11:03:01 +0100 Subject: [PATCH 320/328] Added '.ruby-gemset' to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a6f6298cf..4e2728039 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ coverage .idea .irb_history .ruby-version +.ruby-gemset From c52543ae594897ce94f84205dbbfd8ebf65a3c48 Mon Sep 17 00:00:00 2001 From: silviu-simeria Date: Wed, 17 May 2017 11:05:13 +0100 Subject: [PATCH 321/328] Support for devise 4.3 --- Gemfile.lock | 49 +++++++++++++++++++-------------------- devise_token_auth.gemspec | 2 +- 2 files changed, 25 insertions(+), 26 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 172be9c5e..662422e7b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,7 +34,7 @@ PATH remote: . specs: devise_token_auth (0.1.41) - devise (> 3.5.2, <= 4.2.1) + devise (> 3.5.2, <= 4.3) rails (< 6) GEM @@ -81,7 +81,7 @@ GEM attr_encrypted (3.0.1) encryptor (~> 3.0.0) bcrypt (3.1.11) - builder (3.2.2) + builder (3.2.3) codeclimate-test-reporter (0.6.0) simplecov (>= 0.7.1, < 1.0.0) coderay (1.1.1) 
@@ -89,10 +89,10 @@ GEM concurrent-ruby (1.0.5) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) - devise (4.2.0) + devise (4.3.0) bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (>= 4.1.0, < 5.1) + railties (>= 4.1.0, < 5.2) responders warden (~> 1.2.3) docile (1.1.5) @@ -115,8 +115,8 @@ GEM colorize (~> 0.7) github_api (~> 0.12) rake (>= 10.0) - globalid (0.3.7) - activesupport (>= 4.1.0) + globalid (0.4.0) + activesupport (>= 4.2.0) guard (2.14.0) formatador (>= 0.2.4) listen (>= 2.7, < 4.0) @@ -131,8 +131,8 @@ GEM guard-compat (~> 1.2) minitest (>= 3.0) hashie (3.4.4) - i18n (0.7.0) - json (1.8.3) + i18n (0.8.1) + json (1.8.6) jwt (1.5.4) listen (3.1.5) rb-fsevent (~> 0.9, >= 0.9.4) @@ -141,7 +141,7 @@ GEM loofah (2.0.3) nokogiri (>= 1.5.9) lumberjack (1.0.10) - mail (2.6.4) + mail (2.6.5) mime-types (>= 1.16, < 4) metaclass (0.0.4) method_source (0.8.2) @@ -149,7 +149,7 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) mini_portile2 (2.1.0) - minitest (5.9.0) + minitest (5.10.2) minitest-focus (1.1.2) minitest (>= 4, < 6) minitest-rails (2.2.1) @@ -167,9 +167,8 @@ GEM multipart-post (2.0.0) mysql2 (0.4.4) nenv (0.3.0) - nokogiri (1.6.8) + nokogiri (1.7.2) mini_portile2 (~> 2.1.0) - pkg-config (~> 1.1.7) notiffany (0.1.0) nenv (~> 0.1) shellany (~> 0.0) @@ -187,7 +186,6 @@ GEM omniauth (~> 1.2) orm_adapter (0.5.0) pg (0.18.4) - pkg-config (1.1.7) pry (0.10.4) coderay (~> 1.1.0) method_source (~> 0.8.1) @@ -195,7 +193,7 @@ GEM pry-remote (0.1.8) pry (~> 0.9) slop (~> 3.0) - rack (1.6.4) + rack (1.6.8) rack-cors (0.4.0) rack-test (0.6.3) rack (>= 1.0) @@ -212,9 +210,9 @@ GEM sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) - rails-dom-testing (1.0.7) + rails-dom-testing (1.0.8) activesupport (>= 4.2.0.beta, < 5.0) - nokogiri (~> 1.6.0) + nokogiri (~> 1.6) rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.3) loofah (~> 2.0) 
@@ -223,12 +221,13 @@ GEM activesupport (= 4.2.5.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (11.2.2) + rake (12.0.0) rb-fsevent (0.9.7) rb-inotify (0.9.7) ffi (>= 0.5.0) - responders (2.3.0) - railties (>= 4.2.0, < 5.1) + responders (2.4.0) + actionpack (>= 4.2.0, < 5.3) + railties (>= 4.2.0, < 5.3) ruby-progressbar (1.8.1) ruby_dep (1.3.1) shellany (0.0.1) @@ -238,7 +237,7 @@ GEM simplecov-html (~> 0.10.0) simplecov-html (0.10.0) slop (3.6.0) - sprockets (3.7.0) + sprockets (3.7.1) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.2.0) @@ -246,11 +245,11 @@ GEM activesupport (>= 4.0) sprockets (>= 3.0.0) sqlite3 (1.3.11) - thor (0.19.1) - thread_safe (0.3.5) - tzinfo (1.2.2) + thor (0.19.4) + thread_safe (0.3.6) + tzinfo (1.2.3) thread_safe (~> 0.1) - warden (1.2.6) + warden (1.2.7) rack (>= 1.0) PLATFORMS @@ -283,4 +282,4 @@ DEPENDENCIES thor BUNDLED WITH - 1.11.2 + 1.14.6 diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec index 387b64f25..8fe33142b 100644 --- a/devise_token_auth.gemspec +++ b/devise_token_auth.gemspec @@ -19,7 +19,7 @@ Gem::Specification.new do |s| s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) } s.add_dependency "rails", "< 6" - s.add_dependency "devise", "> 3.5.2", "<= 4.2.1" + s.add_dependency "devise", "> 3.5.2", "<= 4.3" s.add_development_dependency "sqlite3", "~> 1.3" s.add_development_dependency 'pg' From c99af19d859d22c1fa66cfeae631454e1356a470 Mon Sep 17 00:00:00 2001 From: silviu-simeria Date: Wed, 17 May 2017 11:05:47 +0100 Subject: [PATCH 322/328] Fixed a test throwing undefined `split` for nil class --- .../devise_token_auth/passwords_controller_test.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/controllers/devise_token_auth/passwords_controller_test.rb b/test/controllers/devise_token_auth/passwords_controller_test.rb index 75fa8c518..f3dc394d8 100644 --- a/test/controllers/devise_token_auth/passwords_controller_test.rb 
+++ b/test/controllers/devise_token_auth/passwords_controller_test.rb @@ -83,9 +83,9 @@ class DeviseTokenAuth::PasswordsControllerTest < ActionController::TestCase @data = JSON.parse(response.body) end - test 'response should not contain extra data' do - assert_equal @data['data'], nil - end + test 'response should not contain extra data' do + assert_nil @data["data"] + end end From 2738202b32c5d984a23f93ad5042404edc1a93b5 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 17 May 2017 11:19:07 -0600 Subject: [PATCH 323/328] chore(deps): update gems --- Gemfile.lock | 113 +++++++++++++++++++++++++++------------------------ 1 file changed, 60 insertions(+), 53 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 662422e7b..9ebe0b879 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,30 +1,30 @@ GIT remote: git://github.com/intridea/omniauth-github.git - revision: 45f2fc73d6d06f30863adac0e6aa112bcaaadf67 + revision: a893c2bc45d3c869ada960fddca97d6cba28082d specs: - omniauth-github (1.1.2) - omniauth (~> 1.0) - omniauth-oauth2 (>= 1.1.1, < 2.0) + omniauth-github (1.2.3) + omniauth (~> 1.5) + omniauth-oauth2 (>= 1.4.0, < 2.0) GIT remote: git://github.com/laserlemon/figaro.git - revision: 5191084e16cf5cd5c2cc8a98df9071dbac9b4cba + revision: 8dd678f5075272138acf4b56682b8b1cbcd6ce10 specs: figaro (1.1.1) thor (~> 0.14) GIT remote: git://github.com/mkdynamic/omniauth-facebook.git - revision: 8afbe04ae8a2f1b2db0f382efeecbb91575d1ba5 + revision: 19634473820d0190a5112f6b42266ef98c8ee276 specs: - omniauth-facebook (4.0.0.rc1) + omniauth-facebook (4.0.0) omniauth-oauth2 (~> 1.2) GIT remote: git://github.com/zquestz/omniauth-google-oauth2.git - revision: 1cd603bb29499f56379aefcd6b34663ef105e165 + revision: 9a9ef392fdf93d2e711823b88bf821a3f54b97a4 specs: - omniauth-google-oauth2 (0.4.1) + omniauth-google-oauth2 (0.5.0) jwt (~> 1.5.2) multi_json (~> 1.3) omniauth (>= 1.1.1) 
@@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.41) + devise_token_auth (0.1.42) devise (> 3.5.2, <= 4.3) rails (< 6) @@ -75,20 +75,18 @@ GEM minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) - addressable (2.4.0) + addressable (2.5.1) + public_suffix (~> 2.0, >= 2.0.2) ansi (1.5.0) - arel (6.0.3) - attr_encrypted (3.0.1) + arel (6.0.4) + attr_encrypted (3.0.3) encryptor (~> 3.0.0) bcrypt (3.1.11) builder (3.2.3) - codeclimate-test-reporter (0.6.0) - simplecov (>= 0.7.1, < 1.0.0) + codeclimate-test-reporter (1.0.8) + simplecov (<= 0.13) coderay (1.1.1) - colorize (0.8.1) concurrent-ruby (1.0.5) - descendants_tracker (0.0.4) - thread_safe (~> 0.3, >= 0.3.1) devise (4.3.0) bcrypt (~> 3.0) orm_adapter (~> 0.1) @@ -98,26 +96,26 @@ GEM docile (1.1.5) encryptor (3.0.0) erubis (2.7.0) - faker (1.6.5) + faker (1.7.3) i18n (~> 0.5) - faraday (0.9.2) + faraday (0.11.0) multipart-post (>= 1.2, < 3) - ffi (1.9.13) + faraday-http-cache (2.0.0) + faraday (~> 0.8) + ffi (1.9.18) formatador (0.2.5) fuzz_ball (0.9.1) - github_api (0.14.3) - addressable (~> 2.4.0) - descendants_tracker (~> 0.0.4) - faraday (~> 0.8, < 0.10) - hashie (>= 3.4) - oauth2 (~> 1.0.0) - github_changelog_generator (1.13.0) - colorize (~> 0.7) - github_api (~> 0.12) + github_changelog_generator (1.14.3) + activesupport + faraday-http-cache + multi_json + octokit (~> 4.6) + rainbow (>= 2.1) rake (>= 10.0) + retriable (~> 2.1) globalid (0.4.0) activesupport (>= 4.2.0) - guard (2.14.0) + guard (2.14.1) formatador (>= 0.2.4) listen (>= 2.7, < 4.0) lumberjack (~> 1.0) 
@@ -127,20 +125,20 @@ GEM shellany (~> 0.0) thor (>= 0.18.1) guard-compat (1.2.1) - guard-minitest (2.4.5) + guard-minitest (2.4.6) guard-compat (~> 1.2) minitest (>= 3.0) - hashie (3.4.4) + hashie (3.5.5) i18n (0.8.1) json (1.8.6) - jwt (1.5.4) + jwt (1.5.6) listen (3.1.5) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) ruby_dep (~> 1.2) loofah (2.0.3) nokogiri (>= 1.5.9) - lumberjack (1.0.10) + lumberjack (1.0.12) mail (2.6.5) mime-types (>= 1.16, < 4) metaclass (0.0.4) @@ -155,37 +153,39 @@ GEM minitest-rails (2.2.1) minitest (~> 5.7) railties (~> 4.1) - minitest-reporters (1.1.10) + minitest-reporters (1.1.14) ansi builder minitest (>= 5.0) ruby-progressbar - mocha (1.1.0) + mocha (1.2.1) metaclass (~> 0.0.1) multi_json (1.12.1) - multi_xml (0.5.5) + multi_xml (0.6.0) multipart-post (2.0.0) - mysql2 (0.4.4) + mysql2 (0.4.6) nenv (0.3.0) nokogiri (1.7.2) mini_portile2 (~> 2.1.0) - notiffany (0.1.0) + notiffany (0.1.1) nenv (~> 0.1) shellany (~> 0.0) - oauth2 (1.0.0) - faraday (>= 0.8, < 0.10) + oauth2 (1.3.1) + faraday (>= 0.8, < 0.12) jwt (~> 1.0) multi_json (~> 1.3) multi_xml (~> 0.5) - rack (~> 1.2) - omniauth (1.3.1) - hashie (>= 1.2, < 4) - rack (>= 1.0, < 3) + rack (>= 1.2, < 3) + octokit (4.7.0) + sawyer (~> 0.8.0, >= 0.5.3) + omniauth (1.6.1) + hashie (>= 3.4.6, < 3.6.0) + rack (>= 1.6.2, < 3) omniauth-oauth2 (1.4.0) oauth2 (~> 1.0) omniauth (~> 1.2) orm_adapter (0.5.0) - pg (0.18.4) + pg (0.20.0) pry (0.10.4) coderay (~> 1.1.0) method_source (~> 0.8.1) @@ -193,8 +193,9 @@ GEM pry-remote (0.1.8) pry (~> 0.9) slop (~> 3.0) + public_suffix (2.0.5) rack (1.6.8) - rack-cors (0.4.0) + rack-cors (0.4.1) rack-test (0.6.3) rack (>= 1.0) rails (4.2.5.1) 
@@ -221,17 +222,23 @@ GEM activesupport (= 4.2.5.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) + rainbow (2.2.2) + rake rake (12.0.0) - rb-fsevent (0.9.7) - rb-inotify (0.9.7) + rb-fsevent (0.9.8) + rb-inotify (0.9.8) ffi (>= 0.5.0) responders (2.4.0) actionpack (>= 4.2.0, < 5.3) railties (>= 4.2.0, < 5.3) + retriable (2.1.0) ruby-progressbar (1.8.1) - ruby_dep (1.3.1) + ruby_dep (1.5.0) + sawyer (0.8.1) + addressable (>= 2.3.5, < 2.6) + faraday (~> 0.8, < 1.0) shellany (0.0.1) - simplecov (0.12.0) + simplecov (0.13.0) docile (~> 1.1.0) json (>= 1.8, < 3) simplecov-html (~> 0.10.0) @@ -244,7 +251,7 @@ GEM actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) - sqlite3 (1.3.11) + sqlite3 (1.3.13) thor (0.19.4) thread_safe (0.3.6) tzinfo (1.2.3) From aca205d20e4aad679f765b2e62310833f7aa97cd Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 17 May 2017 12:35:48 -0600 Subject: [PATCH 324/328] chore(deps): remove deprecation warnings --- Gemfile | 8 ++++---- Gemfile.lock | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Gemfile b/Gemfile index 904b40945..21a0c30e6 100644 --- a/Gemfile +++ b/Gemfile @@ -15,10 +15,10 @@ gemspec group :development, :test do gem 'thor' - gem "figaro", :github => 'laserlemon/figaro' - gem 'omniauth-github', :git => 'git://github.com/intridea/omniauth-github.git' - gem 'omniauth-facebook', :git => 'git://github.com/mkdynamic/omniauth-facebook.git' - gem 'omniauth-google-oauth2', :git => 'git://github.com/zquestz/omniauth-google-oauth2.git' + gem "figaro", :git => 'https://github.com/laserlemon/figaro' + gem 'omniauth-github', :git => 'https://github.com/intridea/omniauth-github' + gem 'omniauth-facebook', :git => 'https://github.com/mkdynamic/omniauth-facebook' + gem 'omniauth-google-oauth2', :git => 'https://github.com/zquestz/omniauth-google-oauth2' gem 'rack-cors', :require => 'rack/cors' gem 'attr_encrypted' diff --git a/Gemfile.lock b/Gemfile.lock index 9ebe0b879..b9a04d04e 100644 
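Review bot: The four git sources switched to https in the Gemfile hunk still carry no `:ref`, `:tag` or `:branch`, so only Gemfile.lock pins which commit of each fork gets installed and a `bundle update` of those gems will move to the default-branch tip without any change visible in the Gemfile. Since the lockfile in the same commit already records each revision, I would restate it in the Gemfile, e.g. `gem 'omniauth-github', :git => 'https://github.com/intridea/omniauth-github', :ref => 'a893c2bc45d3c869ada960fddca97d6cba28082d'`, and likewise for figaro, omniauth-facebook and omniauth-google-oauth2 with the revisions the lockfile hunk shows. Dropping the unauthenticated git:// transport is the right call; pinning the ref closes the remaining gap. The `group :development, :test do` block continues past the end of the hunk.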
--- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,5 +1,5 @@ GIT - remote: git://github.com/intridea/omniauth-github.git + remote: https://github.com/intridea/omniauth-github revision: a893c2bc45d3c869ada960fddca97d6cba28082d specs: omniauth-github (1.2.3) @@ -7,21 +7,21 @@ GIT omniauth-oauth2 (>= 1.4.0, < 2.0) GIT - remote: git://github.com/laserlemon/figaro.git + remote: https://github.com/laserlemon/figaro revision: 8dd678f5075272138acf4b56682b8b1cbcd6ce10 specs: figaro (1.1.1) thor (~> 0.14) GIT - remote: git://github.com/mkdynamic/omniauth-facebook.git + remote: https://github.com/mkdynamic/omniauth-facebook revision: 19634473820d0190a5112f6b42266ef98c8ee276 specs: omniauth-facebook (4.0.0) omniauth-oauth2 (~> 1.2) GIT - remote: git://github.com/zquestz/omniauth-google-oauth2.git + remote: https://github.com/zquestz/omniauth-google-oauth2 revision: 9a9ef392fdf93d2e711823b88bf821a3f54b97a4 specs: omniauth-google-oauth2 (0.5.0) @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.42) + devise_token_auth (0.1.41) devise (> 3.5.2, <= 4.3) rails (< 6) From 0ef7988c0bad6e1667b3eea32e3c504862c2ed9c Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Wed, 17 May 2017 12:43:25 -0600 Subject: [PATCH 325/328] v0.1.42 --- Gemfile.lock | 2 +- lib/devise_token_auth/version.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b9a04d04e..eb034e61e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -33,7 +33,7 @@ GIT PATH remote: . specs: - devise_token_auth (0.1.41) + devise_token_auth (0.1.42) devise (> 3.5.2, <= 4.3) rails (< 6) diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb index 452a74f83..c504dcf71 100644 --- a/lib/devise_token_auth/version.rb +++ b/lib/devise_token_auth/version.rb @@ -1,3 +1,3 @@ module DeviseTokenAuth - VERSION = "0.1.41" + VERSION = "0.1.42" end From 5be8770e1e43eeeedc2d94e89d24f6e8d902d0b5 Mon Sep 17 00:00:00 2001 
From: Brent Dearth Date: Wed, 17 May 2017 12:46:17 -0600 Subject: [PATCH 326/328] chore(docs): update CHANGELOG.md --- .github_changelog_generator | 4 ++-- CHANGELOG.md | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github_changelog_generator b/.github_changelog_generator index 388e44f05..c57c00448 100644 --- a/.github_changelog_generator +++ b/.github_changelog_generator @@ -1,5 +1,5 @@ bug-labels=bug,Bug,fix,Fix enhancement-labels=enhancement,Enhancement,feat,Feat -somce=tag=v0.1.40 -unreleased-label=v0.1.41 +since-tag=v0.1.42 +unreleased-label=v0.1.43 base=CHANGELOG.md \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index bbb98dc72..687f76220 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,18 @@ # Change Log +## [v0.1.42](https://github.com/lynndylanhurley/devise_token_auth/tree/v0.1.42) (2017-05-17) +[Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.41...v0.1.42) + +**Closed issues:** + +- devise\_token\_auth blocks upgrade to Rails 5.1.0 [\#875](https://github.com/lynndylanhurley/devise_token_auth/issues/875) + +**Merged pull requests:** + +- Support for devise 4.3 that is now supporting rails 5.1 [\#891](https://github.com/lynndylanhurley/devise_token_auth/pull/891) ([silviusimeria](https://github.com/silviusimeria)) + +# Change Log + ## [v0.1.41](https://github.com/lynndylanhurley/devise_token_auth/tree/HEAD) [Full Changelog](https://github.com/lynndylanhurley/devise_token_auth/compare/v0.1.40...HEAD) @@ -1356,4 +1369,6 @@ \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* + \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file 
From 7e079dc38dc79bfa404d0a085e811382ae711ff9 Mon Sep 17 00:00:00 2001 From: Brent Dearth Date: Mon, 22 May 2017 11:39:04 -0600 Subject: [PATCH 327/328] chore(deps): expand devise to allow < 4.4 --- Gemfile.lock | 65 +++++++++++++++++++-------------------- devise_token_auth.gemspec | 2 +- 2 files changed, 33 insertions(+), 34 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index eb034e61e..d66b604a8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -34,44 +34,43 @@ PATH remote: . specs: devise_token_auth (0.1.42) - devise (> 3.5.2, <= 4.3) + devise (> 3.5.2, < 4.4) rails (< 6) GEM remote: https://rubygems.org/ specs: - actionmailer (4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) + actionmailer (4.2.8) + actionpack (= 4.2.8) + actionview (= 4.2.8) + activejob (= 4.2.8) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 1.0, >= 1.0.5) - actionpack (4.2.5.1) - actionview (= 4.2.5.1) - activesupport (= 4.2.5.1) + actionpack (4.2.8) + actionview (= 4.2.8) + activesupport (= 4.2.8) rack (~> 1.6) rack-test (~> 0.6.2) rails-dom-testing (~> 1.0, >= 1.0.5) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (4.2.5.1) - activesupport (= 4.2.5.1) + actionview (4.2.8) + activesupport (= 4.2.8) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) - rails-html-sanitizer (~> 1.0, >= 1.0.2) - activejob (4.2.5.1) - activesupport (= 4.2.5.1) + rails-html-sanitizer (~> 1.0, >= 1.0.3) + activejob (4.2.8) + activesupport (= 4.2.8) globalid (>= 0.3.0) - activemodel (4.2.5.1) - activesupport (= 4.2.5.1) + activemodel (4.2.8) + activesupport (= 4.2.8) builder (~> 3.1) - activerecord (4.2.5.1) - activemodel (= 4.2.5.1) - activesupport (= 4.2.5.1) + activerecord (4.2.8) + activemodel (= 4.2.8) + activesupport (= 4.2.8) arel (~> 6.0) - activesupport (4.2.5.1) + activesupport (4.2.8) i18n (~> 0.7) - json (~> 1.7, >= 1.7.7) minitest (~> 5.1) thread_safe (~> 0.3, >= 0.3.4) tzinfo (~> 1.1) 
@@ -130,7 +129,7 @@ GEM minitest (>= 3.0) hashie (3.5.5) i18n (0.8.1) - json (1.8.6) + json (2.1.0) jwt (1.5.6) listen (3.1.5) rb-fsevent (~> 0.9, >= 0.9.4)
@@ -198,16 +197,16 @@ GEM rack-cors (0.4.1) rack-test (0.6.3) rack (>= 1.0) - rails (4.2.5.1) - actionmailer (= 4.2.5.1) - actionpack (= 4.2.5.1) - actionview (= 4.2.5.1) - activejob (= 4.2.5.1) - activemodel (= 4.2.5.1) - activerecord (= 4.2.5.1) - activesupport (= 4.2.5.1) + rails (4.2.8) + actionmailer (= 4.2.8) + actionpack (= 4.2.8) + actionview (= 4.2.8) + activejob (= 4.2.8) + activemodel (= 4.2.8) + activerecord (= 4.2.8) + activesupport (= 4.2.8) bundler (>= 1.3.0, < 2.0) - railties (= 4.2.5.1) + railties (= 4.2.8) sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha)
@@ -217,9 +216,9 @@ GEM rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.3) loofah (~> 2.0) - railties (4.2.5.1) - actionpack (= 4.2.5.1) - activesupport (= 4.2.5.1) + railties (4.2.8) + actionpack (= 4.2.8) + activesupport (= 4.2.8) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) rainbow (2.2.2)
diff --git a/devise_token_auth.gemspec b/devise_token_auth.gemspec
index 8fe33142b..c49c1296b 100644
--- a/devise_token_auth.gemspec
+++ b/devise_token_auth.gemspec
@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
 s.test_files.reject! { |file| file.match(/[.log|.sqlite3]$/) }
 s.add_dependency "rails", "< 6"
-s.add_dependency "devise", "> 3.5.2", "<= 4.3"
+s.add_dependency "devise", "> 3.5.2", "< 4.4"
 s.add_development_dependency "sqlite3", "~> 1.3"
 s.add_development_dependency 'pg'
From 00f5bc7286a0391c086c46a93912d5ead55076da Mon Sep 17 00:00:00 2001
From: Carlos Dominguez
Date: Mon, 29 May 2017 14:48:07 -0400
Subject: [PATCH 328/328] Adding missed methods in token_validations_controller.rb
---
 .../token_validations_controller.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/app/controllers/devise_token_auth/token_validations_controller.rb b/app/controllers/devise_token_auth/token_validations_controller.rb
index 7d81a7855..11edcf1e6 100644
--- a/app/controllers/devise_token_auth/token_validations_controller.rb
+++ b/app/controllers/devise_token_auth/token_validations_controller.rb
@@ -31,5 +31,20 @@ def validate_external_token
 end
 end
+ protected
+
+ def render_validate_token_success
+ render json: {
+ success: true,
+ data: resource_data(resource_json: @resource.token_validation_response)
+ }
+ end
+
+ def render_validate_token_error
+ render json: {
+ success: false,
+ errors: [I18n.t("devise_token_auth.token_validations.invalid")]
+ }, status: 401
+ end
 end
 end
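Review bot: `render_validate_token_error` hard-codes the HTTP status as the integer `401`; Rails' symbolic form is clearer and self-documenting — `}, status: :unauthorized`. The error text comes from `I18n.t("devise_token_auth.token_validations.invalid")`, yet the commit touches only the controller (the diffstat lists one file), so if that key is absent from the gem's locale data the client receives I18n's "translation missing" placeholder instead of a real message; confirm the key exists. `render_validate_token_success` places whatever `@resource.token_validation_response` returns straight into the JSON body; that method lives outside this hunk, so confirm it excludes credential-bearing attributes before they are serialized. Both helpers also assume `@resource` was already set by the calling action, and those callers, like the enclosing class, start outside this hunk. Neither method is documented; a one-line comment above each, such as `# Renders the authenticated resource for a successful token check` and `# Renders the 401 body for a failed token check`, would make the contract clear to the next maintainer.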
