Fix test for maximum concurrent devices.
Evan-M committed Feb 13, 2018
1 parent d7aaa80 commit 3e46396
Showing 3 changed files with 31 additions and 15 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -176,6 +176,7 @@ The following settings are available for configuration in `config/initializers/d
|---|---|---|
| **`change_headers_on_each_request`** | `true` | By default the access-token header will change after each request. The client is responsible for keeping track of the changing tokens. Both [ng-token-auth](https://github.com/lynndylanhurley/ng-token-auth) and [jToker](https://github.com/lynndylanhurley/j-toker) do this out of the box. While this implementation is more secure, it can be difficult to manage. Set this to false to prevent the `access-token` header from changing after each request. [Read more](#about-token-management). |
| **`token_lifespan`** | `2.weeks` | Set the length of your tokens' lifespans. Users will need to re-authenticate after this duration of time has passed since their last login. |
| **`max_number_of_devices`** | `10` | Set the max number of concurrent devices per user. After this limit is reached, the oldest tokens will be removed. |
| **`batch_request_buffer_throttle`** | `5.seconds` | Sometimes it's necessary to make several requests to the API at the same time. In this case, each request in the batch will need to share the same auth token. This setting determines how far apart the requests can be while still using the same auth token. [Read more](#about-batch-requests). |
| **`omniauth_prefix`** | `"/omniauth"` | This route will be the prefix for all oauth2 redirect callbacks. For example, using the default '/omniauth' setting, the github oauth2 provider will redirect successful authentications to '/omniauth/github/callback'. [Read more](#omniauth-provider-settings). |
| **`default_confirm_success_url`** | `nil` | By default this value is expected to be sent by the client so that the API knows where to redirect users after successful email confirmation. If this param is set, the API will redirect to this value when no value is provided by the client. |
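Review bot: The new `max_number_of_devices` row says "the oldest tokens will be removed" without saying how age is determined; the test added in this commit picks the oldest token with `min_by { |cid, v| v[:expiry] || v["expiry"] }`, so "oldest" means earliest `expiry`, i.e. the device whose token was least recently issued. Spell that out and name the user-visible effect, for example: "After this limit is reached, the token with the earliest expiry is removed and that device must sign in again." It is also worth stating whether the per-request rotation enabled by `change_headers_on_each_request` pushes a device's expiry forward, since that decides which device gets evicted.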
Expand Up @@ -62,9 +62,6 @@ def set_user_by_token(mapping=nil)
if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
@used_auth_by_token = false
@resource = devise_warden_user
# REVIEW: Why are we bothering to create an auth token here? It won't
# get used anywhere by the looks of it...?
@resource.create_new_auth_token
end
end
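Review bot: Deleting `@resource.create_new_auth_token` from the `devise_warden_user` branch is more than a test fix: a warden-authenticated request whose client id has no token entry previously minted a new token on every request (the test removed from demo_user_controller_test.rb in this same commit relied on that, expecting the token count to double per `get`), and now mints none. The commit message only says "Fix test for maximum concurrent devices", so the behaviour change should be recorded in the message or the CHANGELOG. Also confirm that the header-writing path copes with `@used_auth_by_token = false` while `tokens[@client_id]` stays nil, since nothing in this branch populates it any more.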

42 changes: 30 additions & 12 deletions test/controllers/demo_user_controller_test.rb
Expand Up @@ -412,6 +412,34 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
DeviseTokenAuth.headers_names[:'access-token'] = 'access-token'
end
end

describe 'maximum concurrent devices per user' do
before do
@max_devices = DeviseTokenAuth.max_number_of_devices
end

it 'should limit the maximum number of concurrent devices' do
# increment the number of devices until the maximum is exceeded
1.upto(@max_devices + 1).each do |n|
assert_equal [n, @max_devices].min, @resource.reload.tokens.keys.length
@resource.create_new_auth_token
end
end

it 'should drop the oldest token when the maximum number of devices is exceeded' do
# create the maximum number of tokens
1.upto(@max_devices).each { @resource.create_new_auth_token }

# get the oldest token
oldest_token, _ = @resource.reload.tokens \
.min_by { |cid, v| v[:expiry] || v["expiry"] }

# create another token, thereby dropping the oldest token
@resource.create_new_auth_token

assert_not_includes @resource.reload.tokens.keys, oldest_token
end
end
end

describe 'bypass_sign_in' do
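Review bot: In 'should drop the oldest token when the maximum number of devices is exceeded', `min_by { |cid, v| v[:expiry] || v["expiry"] }` can tie: the tokens are created back-to-back in one loop, and if `expiry` is stored at second granularity several entries share the same value, so `min_by` returns whichever tied entry comes first in hash order, which need not be the entry the pruning code drops. Either advance time between the `create_new_auth_token` calls (e.g. with `travel_to`) so expiries are strictly increasing, or assert on the set of surviving client ids rather than on one entry picked by `min_by`. Two smaller points: the first test's expectation `[n, @max_devices].min` assumes `@resource` already holds exactly one token from the outer `before` block, which is not visible in this hunk, so assert the starting count explicitly before the loop; and `1.upto(@max_devices).each { ... }` can simply be `1.upto(@max_devices) { ... }`, as `upto` already takes the block.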
Expand Down Expand Up @@ -508,18 +536,6 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
it 'should not define current_mang' do
refute_equal @resource, @controller.current_mang
end

it 'should increase the number of tokens by a factor of 2 up to 11' do
@first_token = @resource.tokens.keys.first

DeviseTokenAuth.max_number_of_devices = 11
(1..10).each do |n|
assert_equal [11, 2 * n].min, @resource.reload.tokens.keys.length
get '/demo/members_only', params: {}, headers: nil
end

assert_not_includes @resource.reload.tokens.keys, @first_token
end
end

it 'should return success status' do
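Review bot: Removing this test is right: it set `DeviseTokenAuth.max_number_of_devices = 11` and never restored it, so the value leaked into every test that ran afterwards, and its expectation that each `get '/demo/members_only'` adds a token encoded the per-request token creation that this commit removes from `set_user_by_token`. One thing is lost, though: it was the only test that drove eviction through an HTTP request (`@first_token` gone after repeated requests), whereas the replacement tests call `@resource.create_new_auth_token` directly. A request-level test that signs in `@max_devices + 1` clients and checks that the first client's headers are then rejected would restore that coverage.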
Expand Down Expand Up @@ -554,6 +570,8 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
@resource.save!
login_as(@resource, scope: :user)

# send the auth_headers anyway, but they *should* be ignored and
# warden *should* still authenticate correctly.
get '/demo/members_only',
params: {},
headers: @auth_headers
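Review bot: The new comment states that `@auth_headers` should be ignored when a warden session is present, but the hunk asserts nothing about it; with token creation removed from the warden branch of `set_user_by_token`, this is the place to pin the behaviour down. Record `@resource.tokens.size` before the `get` and assert it is unchanged afterwards, and assert that the response carries no fresh `access-token` header, so a regression that reintroduces per-request token minting fails here rather than in the device-limit tests. Minor: drop the `*should*` emphasis in the comment; plain text reads the same.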
