Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
This commit is contained in:
parent
930b324c15
commit
5a11c6597c
|
@ -6,11 +6,12 @@
|
|||
|
||||
* deprecation
|
||||
* Devise.apply_schema is deprecated
|
||||
* Usage of remember_across_browsers was deprecated
|
||||
* Usage of confirm_within was deprecated in favor allow_unconfirmed_access_for
|
||||
* Usage of Devise.remember_across_browsers was deprecated
|
||||
* Usage of Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
|
||||
* Usage of rememberable with remember_token was removed
|
||||
* Usage of recoverable without reset_password_sent_at was removed
|
||||
* Usage of case_insensitive_keys equals to false was removed
|
||||
* Usage of Devise.case_insensitive_keys equals to false was removed
|
||||
* Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
|
||||
|
||||
== 1.5.2
|
||||
|
||||
|
|
|
@ -197,9 +197,9 @@ module Devise
|
|||
mattr_accessor :token_authentication_key
|
||||
@@token_authentication_key = :auth_token
|
||||
|
||||
# If true, authentication through token does not store user in session
|
||||
mattr_accessor :stateless_token
|
||||
@@stateless_token = false
|
||||
# Skip session storage for the following strategies
|
||||
mattr_accessor :skip_session_storage
|
||||
@@skip_session_storage = []
|
||||
|
||||
# Which formats should be treated as navigational.
|
||||
# We need both :"*/*" and "*/*" to work on different Rails versions.
|
||||
|
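Review bot: `@@skip_session_storage = []` makes the library default "store every strategy's user in session", while the model documentation added in this same commit (`by default is set to :skip_session_storage => [:http_auth]`) and the generated initializer (`config.skip_session_storage = [:http_auth]`) both present `[:http_auth]` as the default. An application that upgrades without regenerating its initializer presumably keeps issuing a session cookie from HTTP Basic credentials, which the new template is written to avoid. Either change the default to `@@skip_session_storage = [:http_auth]` or fix the model comment to say the library default is empty and the generator adds `:http_auth`. The accessor would also benefit from a comment naming the recognised values, e.g. `# Array of strategy symbols (:http_auth, :token_auth) whose authenticated user is not persisted in session; unknown symbols have no effect.`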
@ -232,6 +232,13 @@ module Devise
|
|||
|
||||
def self.confirm_within=(value)
|
||||
puts "\n[DEVISE] Devise.confirm_within= is deprecated. Please set Devise.allow_unconfirmed_access_for= instead."
|
||||
Devise.allow_unconfirmed_access_for = value
|
||||
end
|
||||
|
||||
def self.stateless_token=(value)
|
||||
puts "\n[DEVISE] Devise.stateless_token= is deprecated. Please append :token_auth to Devise.skip_session_storage " \
|
||||
"instead, for example: Devise.skip_session_storage << :token_auth"
|
||||
Devise.skip_session_storage << :token_auth
|
||||
end
|
||||
|
||||
# PRIVATE CONFIGURATION
|
||||
|
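Review bot: `Devise.stateless_token=` ignores `value`: assigning `false` (the default shown in the removed initializer template) appends `:token_auth` exactly as `true` does, and every further assignment appends a duplicate entry. Guard on the value and merge instead of appending, e.g. `Devise.skip_session_storage |= [:token_auth] if value`. A comment such as `# Deprecated shim: maps the old boolean onto skip_session_storage` above the method would also make the compatibility intent explicit.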
|
|
@ -25,6 +25,11 @@ module Devise
|
|||
# * +params_authenticatable+: if this model allows authentication through request params. By default true.
|
||||
# It also accepts an array specifying the strategies that should allow params authentication.
|
||||
#
|
||||
# * +skip_session_storage+: By default Devise will store the user in session.
|
||||
# You can skip storage for http and token auth by appending values to array:
|
||||
# :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],
|
||||
# by default is set to :skip_session_storage => [:http_auth].
|
||||
#
|
||||
# == active_for_authentication?
|
||||
#
|
||||
# After authenticating a user and in each request, Devise checks if your model is active by
|
||||
|
@ -96,7 +101,7 @@ module Devise
|
|||
|
||||
module ClassMethods
|
||||
Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
|
||||
:case_insensitive_keys, :http_authenticatable, :params_authenticatable)
|
||||
:case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
|
||||
|
||||
def serialize_into_session(record)
|
||||
[record.to_key, record.authenticatable_salt]
|
||||
|
|
|
@ -24,9 +24,6 @@ module Devise
|
|||
#
|
||||
# * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
|
||||
#
|
||||
# * +stateless_token+: By default, when you sign up with a token, Devise will store the user in session
|
||||
# as any other authentication strategy. You can set stateless_token to true to avoid this.
|
||||
#
|
||||
module TokenAuthenticatable
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
|
@ -65,7 +62,7 @@ module Devise
|
|||
generate_token(:authentication_token)
|
||||
end
|
||||
|
||||
::Devise::Models.config(self, :token_authentication_key, :stateless_token)
|
||||
::Devise::Models.config(self, :token_authentication_key)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -6,7 +6,11 @@ module Devise
|
|||
# parameters both from params or from http authorization headers. See database_authenticatable
|
||||
# for an example.
|
||||
class Authenticatable < Base
|
||||
attr_accessor :authentication_hash, :password
|
||||
attr_accessor :authentication_hash, :authentication_type, :password
|
||||
|
||||
def store?
|
||||
!mapping.to.skip_session_storage.include?(authentication_type)
|
||||
end
|
||||
|
||||
def valid?
|
||||
valid_for_params_auth? || valid_for_http_auth?
|
||||
|
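Review bot: `store?` and the new `authentication_type` accessor have no documentation, and `authentication_type` is assigned only inside `with_authentication_hash` (a later hunk), so until one of the `valid_for_*_auth?` checks runs it is nil and `store?` returns true. Suggest `# Symbol describing how the request authenticated (:http_auth or :params_auth); set by with_authentication_hash.` above the accessor and `# Skip persisting the record in session when the model lists this authentication type in skip_session_storage.` above `store?`. The class body continues outside the hunk.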
@ -47,7 +51,7 @@ module Devise
|
|||
# * If all authentication keys are present;
|
||||
#
|
||||
def valid_for_http_auth?
|
||||
http_authenticatable? && request.authorization && with_authentication_hash(http_auth_hash)
|
||||
http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
|
||||
end
|
||||
|
||||
# Check if this is strategy is valid for params authentication by:
|
||||
|
@ -58,8 +62,8 @@ module Devise
|
|||
# * If all authentication keys are present;
|
||||
#
|
||||
def valid_for_params_auth?
|
||||
params_authenticatable? && valid_request? &&
|
||||
valid_params? && with_authentication_hash(params_auth_hash)
|
||||
params_authenticatable? && valid_params_request? &&
|
||||
valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
|
||||
end
|
||||
|
||||
# Check if the model accepts this strategy as http authenticatable.
|
||||
|
@ -83,8 +87,8 @@ module Devise
|
|||
Hash[*keys.zip(decode_credentials).flatten]
|
||||
end
|
||||
|
||||
# By default, a request is valid if the controller is allowed and the VERB is POST.
|
||||
def valid_request?
|
||||
# By default, a request is valid if the controller set the proper env variable.
|
||||
def valid_params_request?
|
||||
!!env["devise.allow_params_authentication"]
|
||||
end
|
||||
|
||||
|
@ -105,8 +109,8 @@ module Devise
|
|||
end
|
||||
|
||||
# Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
|
||||
def with_authentication_hash(auth_values)
|
||||
self.authentication_hash = {}
|
||||
def with_authentication_hash(auth_type, auth_values)
|
||||
self.authentication_hash, self.authentication_type = {}, auth_type
|
||||
self.password = auth_values[:password]
|
||||
|
||||
parse_authentication_key_values(auth_values, authentication_keys) &&
|
||||
|
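Review bot: `self.authentication_hash, self.authentication_type = {}, auth_type` folds two unrelated assignments into one parallel assignment, which reads as though the pair formed a single value; two plain lines, `self.authentication_hash = {}` and `self.authentication_type = auth_type`, are clearer. The comment above still describes the old contract; extend it to `# Sets the authentication hash, the authentication type and the password from params_auth_hash or http_auth_hash.` The method body continues outside the hunk.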
|
|
@ -11,7 +11,7 @@ module Devise
|
|||
# a password, you can pass "X" as password and it will simply be ignored.
|
||||
class TokenAuthenticatable < Authenticatable
|
||||
def store?
|
||||
!mapping.to.stateless_token
|
||||
super && !mapping.to.skip_session_storage.include?(:token_auth)
|
||||
end
|
||||
|
||||
def authenticate!
|
||||
|
@ -27,8 +27,8 @@ module Devise
|
|||
|
||||
private
|
||||
|
||||
# TokenAuthenticatable request is valid for any controller and any verb.
|
||||
def valid_request?
|
||||
# Token Authenticatable can be authenticated with params in any controller and any verb.
|
||||
def valid_params_request?
|
||||
true
|
||||
end
|
||||
|
||||
|
|
|
@ -62,6 +62,10 @@ Devise.setup do |config|
|
|||
# Does not affect registerable.
|
||||
# config.paranoid = true
|
||||
|
||||
# By default Devise will store the user in session. You can skip storage for
|
||||
# :http_auth and :token_auth by adding those symbols to the array below.
|
||||
config.skip_session_storage = [:http_auth]
|
||||
|
||||
# ==> Configuration for :database_authenticatable
|
||||
# For bcrypt, this is the cost for hashing the password and defaults to 10. If
|
||||
# using other encryptors, it sets how many times you want the password re-encrypted.
|
||||
|
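Review bot: The new initializer comment states what `skip_session_storage` does but not why `:http_auth` is the generated default, which is what an operator needs when deciding whether to add `:token_auth`. A short rationale would help, e.g. `# Clients using HTTP Basic or token auth send their credentials on every request, so no session cookie needs to be issued for them.`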
@ -165,10 +169,6 @@ Devise.setup do |config|
|
|||
# Defines name of the authentication token params key
|
||||
# config.token_authentication_key = :auth_token
|
||||
|
||||
# If true, authentication through token does not store user in session and needs
|
||||
# to be supplied on each request. Useful if you are using the token as API token.
|
||||
# config.stateless_token = false
|
||||
|
||||
# ==> Scopes configuration
|
||||
# Turn scoped views on. Before rendering "sessions/new", it will first check for
|
||||
# "users/sessions/new". It's turned off by default because it's slower if you
|
||||
|
|
|
@ -12,9 +12,24 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
|
|||
|
||||
test 'sign in should authenticate with http' do
|
||||
sign_in_as_new_user_with_http
|
||||
assert_response :success
|
||||
assert_response 200
|
||||
assert_match '<email>user@test.com</email>', response.body
|
||||
assert warden.authenticated?(:user)
|
||||
|
||||
get users_path(:format => :xml)
|
||||
assert_response 200
|
||||
end
|
||||
|
||||
test 'sign in should authenticate with http but not emit a cookie if skipping session storage' do
|
||||
swap Devise, :skip_session_storage => [:http_auth] do
|
||||
sign_in_as_new_user_with_http
|
||||
assert_response 200
|
||||
assert_match '<email>user@test.com</email>', response.body
|
||||
assert warden.authenticated?(:user)
|
||||
|
||||
get users_path(:format => :xml)
|
||||
assert_response 401
|
||||
end
|
||||
end
|
||||
|
||||
test 'returns a custom response with www-authenticate header on failures' do
|
||||
|
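Review bot: The test titled "not emit a cookie if skipping session storage" never asserts on the cookie; the `assert_response 401` on the follow-up request only shows indirectly that no session was stored. A direct assertion after `sign_in_as_new_user_with_http`, along the lines of `assert_nil response.headers["Set-Cookie"]` (the exact accessor depends on the Rails version this test app runs, so confirm), would pin the property the title claims. Consider a one-line comment explaining that the second `get` is expected to fail precisely because no session was established.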
|
|
@ -25,7 +25,7 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
|
|||
end
|
||||
|
||||
test 'authenticate with valid authentication token key but does not store if stateless' do
|
||||
swap Devise, :token_authentication_key => :secret_token, :stateless_token => true do
|
||||
swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth] do
|
||||
sign_in_as_new_user_with_token
|
||||
assert warden.authenticated?(:user)
|
||||
|
||||
|
@ -88,7 +88,7 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
|
|||
end
|
||||
|
||||
test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
|
||||
swap Devise, :token_authentication_key => :secret_token, :stateless_token => true, :timeout_in => (0.1).second do
|
||||
swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth], :timeout_in => (0.1).second do
|
||||
user = sign_in_as_new_user_with_token
|
||||
assert warden.authenticated?(:user)
|
||||
|
||||
|
|
|
@ -151,10 +151,6 @@ Devise.setup do |config|
|
|||
# Defines name of the authentication token params key
|
||||
# config.token_authentication_key = :auth_token
|
||||
|
||||
# If true, authentication through token does not store user in session and needs
|
||||
# to be supplied on each request. Useful if you are using the token as API token.
|
||||
# config.stateless_token = false
|
||||
|
||||
# ==> Scopes configuration
|
||||
# Turn scoped views on. Before rendering "sessions/new", it will first check for
|
||||
# "users/sessions/new". It's turned off by default because it's slower if you
|
||||
|
|