Tidy up devise configuration

lib/devise.rb

@@ -52,8 +52,8 @@ module Devise
   @@stretches = 10
 
   # The default key used when authenticating over http auth.
-  mattr_accessor :http_auth_key
+  mattr_accessor :http_authentication_key
-  @@http_auth_key = nil
+  @@http_authentication_key = nil
 
   # Keys used when authenticating a user.
   mattr_accessor :authentication_keys
@@ -182,10 +182,6 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
-  # Allow HTTP token authorization to set token_authentication_key
-  mattr_accessor :allow_token_authenticatable_via_headers
-  @@allow_token_authenticatable_via_headers = true
-
   # Skip session storage for the following strategies
   mattr_accessor :skip_session_storage
   @@skip_session_storage = []

lib/devise/models/authenticatable.rb

@@ -10,7 +10,7 @@ module Devise
     #
     #   * +authentication_keys+: parameters used for authentication. By default [:email].
     #
-    #   * +http_auth_key+: map the username passed via HTTP Auth to this parameter. Defaults to
+    #   * +http_authentication_key+: map the username passed via HTTP Auth to this parameter. Defaults to
     #     the first element in +authentication_keys+.
     #
     #   * +request_keys+: parameters from the request object used for authentication.
@@ -198,7 +198,7 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
           :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage,
-          :http_auth_key)
+          :http_authentication_key)
 
         def serialize_into_session(record)
           [record.to_key, record.authenticatable_salt]

lib/devise/models/token_authenticatable.rb

@@ -82,7 +82,7 @@ module Devise
           generate_token(:authentication_token)
         end
 
-        Devise::Models.config(self, :token_authentication_key, :allow_token_authenticatable_via_headers, :expire_auth_token_on_timeout)
+        Devise::Models.config(self, :token_authentication_key, :expire_auth_token_on_timeout)
       end
     end
   end

lib/devise/strategies/authenticatable.rb

@@ -100,7 +100,7 @@ module Devise
 
       # Extract a hash with attributes:values from the http params.
       def http_auth_hash
-        keys = [http_auth_key, :password]
+        keys = [http_authentication_key, :password]
         Hash[*keys.zip(decode_credentials).flatten]
       end
 
@@ -134,32 +134,27 @@ module Devise
         parse_authentication_key_values(request_values, request_keys)
       end
 
-      # Holds the authentication keys.
       def authentication_keys
         @authentication_keys ||= mapping.to.authentication_keys
       end
 
-      def http_auth_key
+      def http_authentication_key
-        @http_auth_key ||= mapping.to.http_auth_key
+        @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
-        @http_auth_key ||= case authentication_keys
           when Array then authentication_keys.first
           when Hash then authentication_keys.keys.first
         end
       end
 
-      # Holds request keys.
       def request_keys
         @request_keys ||= mapping.to.request_keys
       end
 
-      # Returns values from the request object.
       def request_values
         keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
         values = keys.map { |k| self.request.send(k) }
         Hash[keys.zip(values)]
       end
 
-      # Parse authentication keys considering if they should be enforced or not.
       def parse_authentication_key_values(hash, keys)
         keys.each do |key, enforce|
           value = hash[key].presence

lib/devise/strategies/token_authenticatable.rb

@@ -7,8 +7,13 @@ module Devise
     #
     #   http://myapp.example.com/?user_token=SECRET
     #
-    # For HTTP, you can pass the token as username and blank password. Since some clients may require
+    # For headers, you can use basic authentication passing the token as username and
-    # a password, you can pass "X" as password and it will simply be ignored.
+    # blank password. Since some clients may require a password, you can pass "X" as
+    # password and it will simply be ignored.
+    #
+    # You may also pass the token using the Token authentication mechanism provided
+    # by Rails: http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
+    # The token options are stored in request.env['devise.token_options']
     class TokenAuthenticatable < Authenticatable
       def store?
         super && !mapping.to.skip_session_storage.include?(:token_auth)
@@ -42,7 +47,7 @@ module Devise
 
       # Check if the model accepts this strategy as token authenticatable.
       def token_authenticatable?
-        mapping.to.allow_token_authenticatable_via_headers
+        mapping.to.http_authenticatable?(:token_options)
       end
 
       # Check if this is strategy is valid for token authentication by:
@@ -57,17 +62,16 @@ module Devise
 
       # Extract the auth token from the request
       def auth_token
-        @auth_token ||= ActionController::HttpAuthentication::Token.
+        @auth_token ||= ActionController::HttpAuthentication::Token.token_and_options(request)
-          token_and_options(request)
       end
 
-      # Extract a hash with attributes:values from the auth_token.
+      # Extract a hash with attributes:values from the auth_token
       def token_auth_hash
         request.env['devise.token_options'] = auth_token.last
-        {authentication_keys.first => auth_token.first}
+        { authentication_keys.first => auth_token.first }
       end
 
-      # Try both scoped and non scoped keys.
+      # Try both scoped and non scoped keys
       def params_auth_hash
         if params[scope].kind_of?(Hash) && params[scope].has_key?(authentication_keys.first)
           params[scope]

lib/generators/templates/devise.rb

@@ -48,10 +48,14 @@ Devise.setup do |config|
   # enable it only for database (email + password) authentication.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
   # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication.
+  # enable it only for token authentication. The supported strategies are:
+  # :database      = Support basic authentication with authentication key + password
+  # :token         = Support basic authentication with token authentication key
+  # :token_options = Support token authentication with options as defined in
+  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -184,11 +188,6 @@ Devise.setup do |config|
   # Defines name of the authentication token params key
   # config.token_authentication_key = :auth_token
 
-  # Tell if authentication through HTTP Token Auth is enabled. True by default.
-  # Any extra options passed along with the options will be available in the
-  # env['devise.token_options'] hash
-  # config.allow_token_authenticatable_via_headers = false
-
   # ==> Scopes configuration
   # Turn scoped views on. Before rendering "sessions/new", it will first check for
   # "users/sessions/new". It's turned off by default because it's slower if you

test/integration/http_authenticatable_test.rb

@@ -72,7 +72,7 @@ class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   end
 
   test 'it uses the appropriate key when configured explicitly' do
-    swap Devise, :authentication_keys => { :email => false, :username => false }, :http_auth_key => :username do
+    swap Devise, :authentication_keys => { :email => false, :username => false }, :http_authentication_key => :username do
       sign_in_as_new_user_with_http("usertest")
       assert_response :success
       assert_match '<email>user@test.com</email>', response.body

test/integration/token_authenticatable_test.rb

@@ -141,7 +141,7 @@ class TokenAuthenticationTest < ActionDispatch::IntegrationTest
   end
 
   test 'authenticate with valid authentication token key and value through http header, with options' do
-    swap Devise, :token_authentication_key => :secret_token do
+    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => [:token_options] do
       signature = "**TESTSIGNATURE**"
       sign_in_as_new_user_with_token(:token_auth => true, :token_options => {:signature => signature, :nonce => 'def'})
 
@@ -154,7 +154,7 @@ class TokenAuthenticationTest < ActionDispatch::IntegrationTest
   end
 
   test 'authenticate with valid authentication token key and value through http header without allowing token authorization setting is denied' do
-    swap Devise, :token_authentication_key => :secret_token, :allow_token_authenticatable_via_headers => false do
+    swap Devise, :token_authentication_key => :secret_token, :http_authenticatable => false do
       sign_in_as_new_user_with_token(:token_auth => true)
 
       assert_response :unauthorized