resolves #48
lynndylanhurley committed Oct 29, 2014
1 parent ba4266c commit d56af20
Showing 28 changed files with 265 additions and 266 deletions.
18 changes: 9 additions & 9 deletions app/controllers/devise_token_auth/concerns/set_user_by_token.rb
Expand Up @@ -22,7 +22,7 @@ def set_user_by_token(mapping=nil)
return unless rc

# user has already been found and authenticated
return @user if @user and @user.class == rc
return @resource if @resource and @resource.class == rc

# parse header for values necessary for authentication
uid = request.headers['uid']
Expand All @@ -39,43 +39,43 @@ def set_user_by_token(mapping=nil)

if user && user.valid_token?(@token, @client_id)
sign_in(:user, user, store: false, bypass: true)
return @user = user
return @resource = user
else
# zero all values previously set values
return @user = nil
return @resource = nil
end
end


def update_auth_header

# cannot save object if model has invalid params
return unless @user and @user.valid? and @client_id
return unless @resource and @resource.valid? and @client_id

# Lock the user record during any auth_header updates to ensure
# we don't have write contention from multiple threads
@user.with_lock do
@resource.with_lock do

# determine batch request status after request processing, in case
# another processes has updated it during that processing
@is_batch_request = is_batch_request?(@user, @client_id)
@is_batch_request = is_batch_request?(@resource, @client_id)

auth_header = {}

if not DeviseTokenAuth.change_headers_on_each_request
auth_header = @user.build_auth_header(@token, @client_id)
auth_header = @resource.build_auth_header(@token, @client_id)

# update the response header
response.headers.merge!(auth_header)

# extend expiration of batch buffer to account for the duration of
# this request
elsif @is_batch_request
auth_header = @user.extend_batch_buffer(@token, @client_id)
auth_header = @resource.extend_batch_buffer(@token, @client_id)

# update Authorization response header with new token
else
auth_header = @user.create_new_auth_token(@client_id)
auth_header = @resource.create_new_auth_token(@client_id)

# update the response header
response.headers.merge!(auth_header)
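Review bot: `sign_in(:user, user, store: false, bypass: true)` in the second hunk still hardcodes the `:user` Devise scope even though the class being authenticated (`rc`) comes from the `mapping` argument of `set_user_by_token(mapping=nil)`, so with this commit's move from `@user` to a generic `@resource` a non-default mapping would be authenticated as one class but signed in under another warden scope. Passing the resolved mapping instead, e.g. `sign_in(mapping, user, store: false, bypass: true)`, is the likely fix, but the exact value depends on how `rc` is derived from `mapping` above the hunk, so this needs confirming there. The body of set_user_by_token begins before the first hunk and `update_auth_header` continues past the last one.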
10 changes: 5 additions & 5 deletions app/controllers/devise_token_auth/confirmations_controller.rb
@@ -1,23 +1,23 @@
module DeviseTokenAuth
class ConfirmationsController < DeviseTokenAuth::ApplicationController
def show
@user = resource_class.confirm_by_token(params[:confirmation_token])
@resource = resource_class.confirm_by_token(params[:confirmation_token])

if @user and @user.id
if @resource and @resource.id
# create client id
client_id = SecureRandom.urlsafe_base64(nil, false)
token = SecureRandom.urlsafe_base64(nil, false)
token_hash = BCrypt::Password.create(token)
expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i

@user.tokens[client_id] = {
@resource.tokens[client_id] = {
token: token_hash,
expiry: expiry
}

@user.save!
@resource.save!

redirect_to(@user.build_auth_url(params[:redirect_url], {
redirect_to(@resource.build_auth_url(params[:redirect_url], {
token: token,
client_id: client_id,
account_confirmation_success: true,
20 changes: 10 additions & 10 deletions app/controllers/devise_token_auth/omniauth_callbacks_controller.rb
Expand Up @@ -20,7 +20,7 @@ def redirect_callbacks

def omniauth_success
# find or create user by provider and provider uid
@user = resource_class.where({
@resource = resource_class.where({
uid: auth_hash['uid'],
provider: auth_hash['provider']
}).first_or_initialize
Expand All @@ -33,34 +33,34 @@ def omniauth_success
@auth_origin_url = generate_url(omniauth_params['auth_origin_url'], {
token: @token,
client_id: @client_id,
uid: @user.uid,
uid: @resource.uid,
expiry: @expiry
})

# set crazy password for new oauth users. this is only used to prevent
# access via email sign-in.
unless @user.id
unless @resource.id
p = SecureRandom.urlsafe_base64(nil, false)
@user.password = p
@user.password_confirmation = p
@resource.password = p
@resource.password_confirmation = p
end

@user.tokens[@client_id] = {
@resource.tokens[@client_id] = {
token: BCrypt::Password.create(@token),
expiry: @expiry
}

# sync user info with provider, update/generate auth token
assign_provider_attrs(@user, auth_hash)
assign_provider_attrs(@resource, auth_hash)

# assign any additional (whitelisted) attributes
extra_params = whitelisted_params
@user.assign_attributes(extra_params) if extra_params
@resource.assign_attributes(extra_params) if extra_params

# don't send confirmation email!!!
@user.skip_confirmation!
@resource.skip_confirmation!

@user.save!
@resource.save!

# render user info to javascript postMessage communication window
respond_to do |format|
36 changes: 18 additions & 18 deletions app/controllers/devise_token_auth/passwords_controller.rb
Expand Up @@ -20,29 +20,29 @@ def create
}, status: 401
end

@user = resource_class.where({
@resource = resource_class.where({
email: resource_params[:email],
provider: 'email'
}).first

errors = nil

if @user
@user.send_reset_password_instructions({
if @resource
@resource.send_reset_password_instructions({
email: resource_params[:email],
provider: 'email',
redirect_url: params[:redirect_url],
client_config: params[:config_name]
})

if @user.errors.empty?
if @resource.errors.empty?
render json: {
success: true,
message: "An email has been sent to #{@user.email} containing "+
message: "An email has been sent to #{@resource.email} containing "+
"instructions for resetting your password."
}
else
errors = @user.errors
errors = @resource.errors
end
else
errors = ["Unable to find user with email '#{resource_params[:email]}'."]
Expand All @@ -59,27 +59,27 @@ def create

# this is where users arrive after visiting the email confirmation link
def edit
@user = resource_class.reset_password_by_token({
@resource = resource_class.reset_password_by_token({
reset_password_token: resource_params[:reset_password_token]
})

if @user and @user.id
if @resource and @resource.id
client_id = SecureRandom.urlsafe_base64(nil, false)
token = SecureRandom.urlsafe_base64(nil, false)
token_hash = BCrypt::Password.create(token)
expiry = (Time.now + DeviseTokenAuth.token_lifespan).to_i

@user.tokens[client_id] = {
@resource.tokens[client_id] = {
token: token_hash,
expiry: expiry
}

# ensure that user is confirmed
@user.skip_confirmation! unless @user.confirmed_at
@resource.skip_confirmation! unless @resource.confirmed_at

@user.save!
@resource.save!

redirect_to(@user.build_auth_url(params[:redirect_url], {
redirect_to(@resource.build_auth_url(params[:redirect_url], {
token: token,
client_id: client_id,
reset_password: true,
Expand All @@ -92,19 +92,19 @@ def edit

def update
# make sure user is authorized
unless @user
unless @resource
return render json: {
success: false,
errors: ['Unauthorized']
}, status: 401
end

# make sure account doesn't use oauth2 provider
unless @user.provider == 'email'
unless @resource.provider == 'email'
return render json: {
success: false,
errors: ["This account does not require a password. Sign in using "+
"your #{@user.provider.humanize} account instead."]
"your #{@resource.provider.humanize} account instead."]
}, status: 422
end

Expand All @@ -116,18 +116,18 @@ def update
}, status: 422
end

if @user.update_attributes(password_resource_params)
if @resource.update_attributes(password_resource_params)
return render json: {
success: true,
data: {
user: @user,
user: @resource,
message: "Your password has been successfully updated."
}
}
else
return render json: {
success: false,
errors: @user.errors
errors: @resource.errors
}, status: 422
end
end
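Review bot: `user: @resource,` in the success response of `update` (last hunk) renders the record with its default serialization, whereas sessions_controller#create and token_validations_controller#validate_token in this same commit pass `as_json(except: [:tokens, :created_at, :updated_at])`; unless the model overrides `as_json` (not visible here), that response carries the `tokens` hash of bcrypt token digests and every other column of the record back to the client. The same default serialization appears as `data: @resource.as_json` in registrations_controller#update in this commit. Suggest `user: @resource.as_json(except: [:tokens, :created_at, :updated_at]),` here and the same `except:` list there. The `update` method begins in the preceding hunk.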
19 changes: 9 additions & 10 deletions app/controllers/devise_token_auth/registrations_controller.rb
Expand Up @@ -33,16 +33,15 @@ def create

else
# email auth has been bypassed, authenticate user
@user = @resource
@client_id = SecureRandom.urlsafe_base64(nil, false)
@token = SecureRandom.urlsafe_base64(nil, false)

@user.tokens[@client_id] = {
@resource.tokens[@client_id] = {
token: BCrypt::Password.create(@token),
expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
}

@user.save!
@resource.save!

update_auth_header
end
Expand Down Expand Up @@ -70,16 +69,16 @@ def create
end

def update
if @user
if @user.update_attributes(account_update_params)
if @resource
if @resource.update_attributes(account_update_params)
render json: {
status: 'success',
data: @user.as_json
data: @resource.as_json
}
else
render json: {
status: 'error',
errors: @user.errors
errors: @resource.errors
}, status: 403
end
else
Expand All @@ -91,12 +90,12 @@ def update
end

def destroy
if @user
@user.destroy
if @resource
@resource.destroy

render json: {
status: 'success',
message: "Account with uid #{@user.uid} has been destroyed."
message: "Account with uid #{@resource.uid} has been destroyed."
}
else
render json: {
16 changes: 8 additions & 8 deletions app/controllers/devise_token_auth/sessions_controller.rb
Expand Up @@ -4,30 +4,30 @@ class SessionsController < DeviseTokenAuth::ApplicationController
before_filter :set_user_by_token, :only => [:destroy]

def create
@user = resource_class.find_by_email(resource_params[:email])
@resource = resource_class.find_by_email(resource_params[:email])

if @user and valid_params? and @user.valid_password?(resource_params[:password]) and @user.confirmed?
if @resource and valid_params? and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
# create client id
@client_id = SecureRandom.urlsafe_base64(nil, false)
@token = SecureRandom.urlsafe_base64(nil, false)

@user.tokens[@client_id] = {
@resource.tokens[@client_id] = {
token: BCrypt::Password.create(@token),
expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
}
@user.save
@resource.save

render json: {
data: @user.as_json(except: [
data: @resource.as_json(except: [
:tokens, :created_at, :updated_at
])
}

elsif @user and not @user.confirmed?
elsif @resource and not @resource.confirmed?
render json: {
success: false,
errors: [
"A confirmation email was sent to your account at #{@user.email}. "+
"A confirmation email was sent to your account at #{@resource.email}. "+
"You must follow the instructions in the email before your account "+
"can be activated"
]
Expand All @@ -42,7 +42,7 @@ def create

def destroy
# remove auth instance variables so that after_filter does not run
user = remove_instance_variable(:@user) if @user
user = remove_instance_variable(:@resource) if @resource
client_id = remove_instance_variable(:@client_id) if @client_id
remove_instance_variable(:@token) if @token

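Review bot: The result of `@resource.save` in `create` is discarded, so if the record fails validation the token just added to `@resource.tokens` is never persisted while the success branch still renders the account data as though a session had been established; every other controller in this commit uses `save!` for the same step. Either `@resource.save!` or branching on the boolean result (rendering an error when it is false) would make a failed persist visible. Separately, the local in `destroy` keeps its old name after the rename, `user = remove_instance_variable(:@resource) if @resource`; `resource = remove_instance_variable(:@resource) if @resource` would match the new instance variable, and the rest of `destroy` lies outside the hunk.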
Expand Up @@ -4,11 +4,11 @@ class TokenValidationsController < DeviseTokenAuth::ApplicationController
before_filter :set_user_by_token, :only => [:validate_token]

def validate_token
# @user will have been set by set_user_token concern
if @user
# @resource will have been set by set_user_token concern
if @resource
render json: {
success: true,
data: @user.as_json(except: [
data: @resource.as_json(except: [
:tokens, :created_at, :updated_at
])
}
2 changes: 1 addition & 1 deletion app/views/devise_token_auth/omniauth_success.html.erb
@@ -1,4 +1,4 @@
<% @user.as_json.each do |attr, val| %>
<% @resource.as_json.each do |attr, val| %>
"<%= attr %>": "<%= val %>",
<% end %>

0 comments on commit d56af20