kotovalexarian-likes-github
/
heartcombo--devise
mirror of https://github.com/heartcombo/devise.git
1
0
Fork 0
Code Releases Activity

Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage

This commit is contained in:
José Valim 2011-12-11 20:39:41 +01:00
parent 930b324c15
commit 5a11c6597c
10 changed files with 58 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGELOG.rdoc
View File

@ -6,11 +6,12 @@
* deprecation
* Devise.apply_schema is deprecated
* Usage of remember_across_browsers was deprecated
* Usage of confirm_within was deprecated in favor allow_unconfirmed_access_for
* Usage of Devise.remember_across_browsers was deprecated
* Usage of Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for
* Usage of rememberable with remember_token was removed
* Usage of recoverable without reset_password_sent_at was removed
* Usage of case_insensitive_keys equals to false was removed
* Usage of Devise.case_insensitive_keys equals to false was removed
* Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage
== 1.5.2

13
lib/devise.rb
View File

@ -197,9 +197,9 @@ module Devise
mattr_accessor :token_authentication_key
@@token_authentication_key = :auth_token
# If true, authentication through token does not store user in session
mattr_accessor :stateless_token
@@stateless_token = false
# Skip session storage for the following strategies
mattr_accessor :skip_session_storage
@@skip_session_storage = []
# Which formats should be treated as navigational.
# We need both :"*/*" and "*/*" to work on different Rails versions.
@ -232,6 +232,13 @@ module Devise
def self.confirm_within=(value)
puts "\n[DEVISE] Devise.confirm_within= is deprecated. Please set Devise.allow_unconfirmed_access_for= instead."
Devise.allow_unconfirmed_access_for = value
end
def self.stateless_token=(value)
puts "\n[DEVISE] Devise.stateless_token= is deprecated. Please append :token_auth to Devise.skip_session_storage " \
"instead, for example: Devise.skip_session_storage << :token_auth"
Devise.skip_session_storage << :token_auth
end
# PRIVATE CONFIGURATION

7
lib/devise/models/authenticatable.rb
View File

@ -25,6 +25,11 @@ module Devise
# * +params_authenticatable+: if this model allows authentication through request params. By default true.
# It also accepts an array specifying the strategies that should allow params authentication.
#
# * +skip_session_storage+: By default Devise will store the user in session.
# You can skip storage for http and token auth by appending values to array:
# :skip_session_storage => [:token_auth] or :skip_session_storage => [:http_auth, :token_auth],
# by default is set to :skip_session_storage => [:http_auth].
#
# == active_for_authentication?
#
# After authenticating a user and in each request, Devise checks if your model is active by
@ -96,7 +101,7 @@ module Devise
module ClassMethods
Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
:case_insensitive_keys, :http_authenticatable, :params_authenticatable)
:case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
def serialize_into_session(record)
[record.to_key, record.authenticatable_salt]

5
lib/devise/models/token_authenticatable.rb
View File

@ -24,9 +24,6 @@ module Devise
#
# * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
#
# * +stateless_token+: By default, when you sign up with a token, Devise will store the user in session
# as any other authentication strategy. You can set stateless_token to true to avoid this.
#
module TokenAuthenticatable
extend ActiveSupport::Concern
@ -65,7 +62,7 @@ module Devise
generate_token(:authentication_token)
end
::Devise::Models.config(self, :token_authentication_key, :stateless_token)
::Devise::Models.config(self, :token_authentication_key)
end
end
end

20
lib/devise/strategies/authenticatable.rb
View File

@ -6,7 +6,11 @@ module Devise
# parameters both from params or from http authorization headers. See database_authenticatable
# for an example.
class Authenticatable < Base
attr_accessor :authentication_hash, :password
attr_accessor :authentication_hash, :authentication_type, :password
def store?
!mapping.to.skip_session_storage.include?(authentication_type)
end
def valid?
valid_for_params_auth? || valid_for_http_auth?
@ -47,7 +51,7 @@ module Devise
# * If all authentication keys are present;
#
def valid_for_http_auth?
http_authenticatable? && request.authorization && with_authentication_hash(http_auth_hash)
http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
end
# Check if this is strategy is valid for params authentication by:
@ -58,8 +62,8 @@ module Devise
# * If all authentication keys are present;
#
def valid_for_params_auth?
params_authenticatable? && valid_request? &&
valid_params? && with_authentication_hash(params_auth_hash)
params_authenticatable? && valid_params_request? &&
valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
end
# Check if the model accepts this strategy as http authenticatable.
@ -83,8 +87,8 @@ module Devise
Hash[*keys.zip(decode_credentials).flatten]
end
# By default, a request is valid if the controller is allowed and the VERB is POST.
def valid_request?
# By default, a request is valid if the controller set the proper env variable.
def valid_params_request?
!!env["devise.allow_params_authentication"]
end
@ -105,8 +109,8 @@ module Devise
end
# Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
def with_authentication_hash(auth_values)
self.authentication_hash = {}
def with_authentication_hash(auth_type, auth_values)
self.authentication_hash, self.authentication_type = {}, auth_type
self.password = auth_values[:password]
parse_authentication_key_values(auth_values, authentication_keys) &&

6
lib/devise/strategies/token_authenticatable.rb
View File

@ -11,7 +11,7 @@ module Devise
# a password, you can pass "X" as password and it will simply be ignored.
class TokenAuthenticatable < Authenticatable
def store?
!mapping.to.stateless_token
super && !mapping.to.skip_session_storage.include?(:token_auth)
end
def authenticate!
@ -27,8 +27,8 @@ module Devise
private
# TokenAuthenticatable request is valid for any controller and any verb.
def valid_request?
# Token Authenticatable can be authenticated with params in any controller and any verb.
def valid_params_request?
true
end

8
lib/generators/templates/devise.rb
View File

@ -62,6 +62,10 @@ Devise.setup do |config|
# Does not affect registerable.
# config.paranoid = true
# By default Devise will store the user in session. You can skip storage for
# :http_auth and :token_auth by adding those symbols to the array below.
config.skip_session_storage = [:http_auth]
# ==> Configuration for :database_authenticatable
# For bcrypt, this is the cost for hashing the password and defaults to 10. If
# using other encryptors, it sets how many times you want the password re-encrypted.
@ -165,10 +169,6 @@ Devise.setup do |config|
# Defines name of the authentication token params key
# config.token_authentication_key = :auth_token
# If true, authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token.
# config.stateless_token = false
# ==> Scopes configuration
# Turn scoped views on. Before rendering "sessions/new", it will first check for
# "users/sessions/new". It's turned off by default because it's slower if you

17
test/integration/http_authenticatable_test.rb
View File

@ -12,9 +12,24 @@ class HttpAuthenticationTest < ActionController::IntegrationTest
test 'sign in should authenticate with http' do
sign_in_as_new_user_with_http
assert_response :success
assert_response 200
assert_match '<email>user@test.com</email>', response.body
assert warden.authenticated?(:user)
get users_path(:format => :xml)
assert_response 200
end
test 'sign in should authenticate with http but not emit a cookie if skipping session storage' do
swap Devise, :skip_session_storage => [:http_auth] do
sign_in_as_new_user_with_http
assert_response 200
assert_match '<email>user@test.com</email>', response.body
assert warden.authenticated?(:user)
get users_path(:format => :xml)
assert_response 401
end
end
test 'returns a custom response with www-authenticate header on failures' do

4
test/integration/token_authenticatable_test.rb
View File

@ -25,7 +25,7 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
end
test 'authenticate with valid authentication token key but does not store if stateless' do
swap Devise, :token_authentication_key => :secret_token, :stateless_token => true do
swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth] do
sign_in_as_new_user_with_token
assert warden.authenticated?(:user)
@ -88,7 +88,7 @@ class TokenAuthenticationTest < ActionController::IntegrationTest
end
test 'authenticate with valid authentication token key and do not store if stateless and timeoutable are enabled' do
swap Devise, :token_authentication_key => :secret_token, :stateless_token => true, :timeout_in => (0.1).second do
swap Devise, :token_authentication_key => :secret_token, :skip_session_storage => [:token_auth], :timeout_in => (0.1).second do
user = sign_in_as_new_user_with_token
assert warden.authenticated?(:user)

4
test/rails_app/config/initializers/devise.rb
View File

@ -151,10 +151,6 @@ Devise.setup do |config|
# Defines name of the authentication token params key
# config.token_authentication_key = :auth_token
# If true, authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token.
# config.stateless_token = false
# ==> Scopes configuration
# Turn scoped views on. Before rendering "sessions/new", it will first check for
# "users/sessions/new". It's turned off by default because it's slower if you