Merge pull request #2271 from robhurring/master

Allowing http token auth to set the token_authentication_key if missing from params

lib/devise.rb

@@ -182,6 +182,10 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
+  # Allow HTTP token authorization to set token_authentication_key
+  mattr_accessor :allow_token_authenticatable_via_headers
+  @@allow_token_authenticatable_via_headers = true
+
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
   @@skip_session_storage = []

lib/devise/models/token_authenticatable.rb

@@ -82,7 +82,7 @@ module Devise
           generate_token(:authentication_token)
         end
 
-        Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)
+        Devise::Models.config(self, :token_authentication_key, :allow_token_authenticatable_via_headers, :expire_auth_token_on_timeout)
       end
     end
   end

lib/devise/strategies/token_authenticatable.rb

@@ -14,6 +14,10 @@ module Devise
         super && !mapping.to.skip_session_storage.include?(:token_auth)
       end
 
+      def valid?
+        super || valid_for_token_auth?
+      end
+
       def authenticate!
         resource = mapping.to.find_for_token_authentication(authentication_hash)
         return fail(:invalid_token) unless resource
@@ -36,6 +40,33 @@ module Devise
         false
       end
 
+      # Check if the model accepts this strategy as token authenticatable.
+      def token_authenticatable?
+        mapping.to.allow_token_authenticatable_via_headers
+      end
+
+      # Check if this is strategy is valid for token authentication by:
+      #
+      #   * Validating if the model allows http token authentication;
+      #   * If the http auth token exists;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_token_auth?
+        token_authenticatable? && auth_token.present? && with_authentication_hash(:token_auth, token_auth_hash)
+      end
+
+      # Extract the auth token from the request
+      def auth_token
+        @auth_token ||= ActionController::HttpAuthentication::Token.
+          token_and_options(request)
+      end
+
+      # Extract a hash with attributes:values from the auth_token.
+      def token_auth_hash
+        request.env['devise.token_options'] = auth_token.last
+        {authentication_keys.first => auth_token.first}
+      end
+
       # Try both scoped and non scoped keys.
       def params_auth_hash
         if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)

lib/generators/templates/devise.rb

@@ -184,6 +184,11 @@ Devise.setup do |config|
   # Defines name of the authentication token params key
   # config.token_authentication_key = :auth_token
 
+  # Tell if authentication through HTTP Token Auth is enabled. True by default.
+  # Any extra options passed along with the options will be available in the
+  # env['devise.token_options'] hash
+  # config.allow_token_authenticatable_via_headers = false
+
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you

test/integration/token_authenticatable_test.rb

@@ -129,6 +129,46 @@ class TokenAuthenticationTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'authenticate with valid authentication token key and value through http header' do
+    swap Devise, :token_authentication_key => :secret_token do
+      sign_in_as_new_user_with_token(:token_auth => true)
+
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert_equal request.env['devise.token_options'], {}
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'authenticate with valid authentication token key and value through http header, with options' do
+    swap Devise, :token_authentication_key => :secret_token do
+      signature = "**TESTSIGNATURE**"
+      sign_in_as_new_user_with_token(:token_auth => true, :token_options => {:signature => signature, :nonce => 'def'})
+
+      assert_response :success
+      assert_match '<email>user@test.com</email>', response.body
+      assert_equal request.env['devise.token_options'][:signature], signature
+      assert_equal request.env['devise.token_options'][:nonce], 'def'
+      assert warden.authenticated?(:user)
+    end
+  end
+
+  test 'authenticate with valid authentication token key and value through http header without allowing token authorization setting is denied' do
+    swap Devise, :token_authentication_key => :secret_token, :allow_token_authenticatable_via_headers => false do
+      sign_in_as_new_user_with_token(:token_auth => true)
+
+      assert_response :unauthorized
+      assert_nil warden.user(:user)
+    end
+  end
+
+  test 'does not authenticate with improper authentication token value in header' do
+    sign_in_as_new_user_with_token(:token_auth => true, :auth_token => '*** INVALID TOKEN ***')
+
+    assert_response :unauthorized
+    assert_nil warden.user(:user)
+  end
+
   private
 
     def sign_in_as_new_user_with_token(options = {})
@@ -140,6 +180,10 @@ class TokenAuthenticationTest < ActionDispatch::IntegrationTest
       if options[:http_auth]
         header = "Basic #{Base64.encode64("#{VALID_AUTHENTICATION_TOKEN}:X")}"
         get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
+      elsif options[:token_auth]
+        token_options = options[:token_options] || {}
+        header = ActionController::HttpAuthentication::Token.encode_credentials(options[:auth_token], token_options)
+        get users_path(:format => :xml), {}, "HTTP_AUTHORIZATION" => header
       else
         visit users_path(options[:auth_token_key].to_sym => options[:auth_token])
       end