kotovalexarian-likes-github/heartcombo--devise
1
0
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2022-11-09 12:18:31 -05:00
Code Releases Activity

Merge pull request #1975 from promisedlandt/email-token-expiration

Browse source 
Email token expiration
This commit is contained in:
Rodrigo Flores 2012-07-22 13:10:27 -07:00
commit 6a37945025
10 changed files with 114 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Gemfile
View file

@ -16,6 +16,9 @@ group :test do
platforms :mri_18 do
gem "ruby-debug", ">= 0.10.3"
end
platforms :mri_19 do
gem 'debugger'
end
end
platforms :jruby do

8
Gemfile.lock
View file

@ -44,6 +44,13 @@ GEM
bson_ext (1.3.1)
builder (3.0.0)
columnize (0.3.5)
debugger (1.1.4)
columnize (>= 0.3.1)
debugger-linecache (~> 1.1.1)
debugger-ruby_core_source (~> 1.1.3)
debugger-linecache (1.1.2)
debugger-ruby_core_source (>= 1.1.1)
debugger-ruby_core_source (1.1.3)
erubis (2.7.0)
faraday (0.7.5)
addressable (~> 2.2.6)
@ -149,6 +156,7 @@ DEPENDENCIES
activerecord-jdbc-adapter
activerecord-jdbcsqlite3-adapter
bson_ext (~> 1.3.0)
debugger
devise!
jruby-openssl
mocha

1
config/locales/en.yml
View file

@ -10,6 +10,7 @@ en:
not_saved:
one: "1 error prohibited this %{resource} from being saved:"
other: "%{count} errors prohibited this %{resource} from being saved:"
confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
devise:
failure:

6
lib/devise.rb
View file

@ -104,6 +104,10 @@ module Devise
mattr_accessor :allow_unconfirmed_access_for
@@allow_unconfirmed_access_for = 0.days
# Time interval the confirmation token is valid. nil = unlimited
mattr_accessor :confirm_within
@@confirm_within = nil
# Defines which key will be used when confirming an account.
mattr_accessor :confirmation_keys
@@confirmation_keys = [ :email ]
@ -199,7 +203,7 @@ module Devise
# to provide custom routes.
mattr_accessor :router_name
@@router_name = nil
# Set the omniauth path prefix so it can be overriden when
# Devise is used in a mountable engine
mattr_accessor :omniauth_path_prefix

38
lib/devise/models/confirmable.rb
View file

@ -19,6 +19,8 @@ module Devise
# db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
# stored in unconfirmed email column, and copied to email column on successful
# confirmation.
# * +confirm_within+: the time before a sent confirmation token becomes invalid.
# You can use this to force the user to confirm within a set period of time.
#
# == Examples
#
@ -28,6 +30,7 @@ module Devise
#
module Confirmable
extend ActiveSupport::Concern
include ActionView::Helpers::DateHelper
included do
before_create :generate_confirmation_token, :if => :confirmation_required?
@ -118,7 +121,6 @@ module Devise
end
headers
end
protected
# A callback method used to deliver confirmation
@ -156,12 +158,40 @@ module Devise
confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
end
# Checks if the user confirmation happens before the token becomes invalid
# Examples:
#
# # confirm_within = 3.days and confirmation_sent_at = 2.days.ago
# confirmation_period_expired? # returns false
#
# # confirm_within = 3.days and confirmation_sent_at = 4.days.ago
# confirmation_period_expired? # returns true
#
# # confirm_within = nil
# confirmation_period_expired? # will always return false
#
def confirmation_period_expired?
if @confirmation_period_expired.nil?
@confirmation_period_expired = self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
@confirmation_period_expired
else
@confirmation_period_expired
end
end
# Checks whether the record requires any confirmation.
def pending_any_confirmation
if !confirmed? || pending_reconfirmation?
@confirmation_period_expired = confirmation_period_expired?
if (!confirmed? || pending_reconfirmation?) && !@confirmation_period_expired
yield
else
self.errors.add(:email, :already_confirmed)
if @confirmation_period_expired
self.errors.add(:email, :confirmation_period_expired, :period => time_ago_in_words(self.class.confirm_within.ago))
else
self.errors.add(:email, :already_confirmed)
end
false
end
end
@ -235,7 +265,7 @@ module Devise
find_or_initialize_with_errors(unconfirmed_required_attributes, unconfirmed_attributes, :not_found)
end
Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable)
Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable, :confirm_within)
end
end
end

10
lib/generators/templates/devise.rb
View file

@ -92,6 +92,14 @@ Devise.setup do |config|
# the user cannot access the website without confirming his account.
# config.allow_unconfirmed_access_for = 2.days
# A period that the user is allowed to confirm their account before their token
# becomes invalid. For example, if set to 3.days, the user can confirm their account
# within 3 days after the mail was sent, but on the fourth day their account can't be
# confirmed with the token any more.
# Default is nil, meaning there is no restriction on how long a user can take before
# confirming their account.
# config.confirm_within = 3.days
# If true, requires any email changes to be confirmed (exactly the same way as
# initial account confirmation) to be applied. Requires additional unconfirmed_email
# db field (see migrations). Until confirmed new email is stored in
@ -125,7 +133,7 @@ Devise.setup do |config|
# The time you want to timeout the user session without activity. After this
# time the user will be asked for credentials again. Default is 30 minutes.
# config.timeout_in = 30.minutes
# If true, expires auth token on session timeout.
# config.expire_auth_token_on_timeout = false

32
test/integration/confirmable_test.rb
View file

@ -16,7 +16,7 @@ class ConfirmationTest < ActionController::IntegrationTest
fill_in 'email', :with => user.email
click_button 'Resend confirmation instructions'
end
test 'user should be able to request a new confirmation' do
resend_confirmation
@ -50,6 +50,30 @@ class ConfirmationTest < ActionController::IntegrationTest
assert user.reload.confirmed?
end
test 'user with valid confirmation token should not be able to confirm an account after the token has expired' do
swap Devise, :confirm_within => 3.days do
user = create_user(:confirm => false, :confirmation_sent_at => 4.days.ago)
assert_not user.confirmed?
visit_user_confirmation_with_token(user.confirmation_token)
assert_have_selector '#error_explanation'
assert_contain /needs to be confirmed within 3 days/
assert_not user.reload.confirmed?
end
end
test 'user with valid confirmation token should be able to confirm an account before the token has expired' do
swap Devise, :confirm_within => 3.days do
user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
assert_not user.confirmed?
visit_user_confirmation_with_token(user.confirmation_token)
assert_contain 'Your account was successfully confirmed.'
assert_current_url '/'
assert user.reload.confirmed?
end
end
test 'user should be redirected to a custom path after confirmation' do
Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
@ -239,7 +263,7 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest
assert admin.reload.confirmed?
assert_not admin.reload.pending_reconfirmation?
end
test 'admin with previously valid confirmation token should not be able to confirm email after email changed again' do
admin = create_admin
admin.update_attributes(:email => 'first_test@example.com')
@ -247,11 +271,11 @@ class ConfirmationOnChangeTest < ActionController::IntegrationTest
confirmation_token = admin.confirmation_token
admin.update_attributes(:email => 'second_test@example.com')
assert_equal 'second_test@example.com', admin.unconfirmed_email
visit_admin_confirmation_with_token(confirmation_token)
assert_have_selector '#error_explanation'
assert_contain /Confirmation token(.*)invalid/
visit_admin_confirmation_with_token(admin.confirmation_token)
assert_contain 'Your account was successfully confirmed.'
assert_current_url '/admin_area/home'

24
test/models/confirmable_test.rb
View file

@ -235,6 +235,30 @@ class ConfirmableTest < ActiveSupport::TestCase
assert_equal "can't be blank", confirm_user.errors[:username].join
end
end
def confirm_user_by_token_with_confirmation_sent_at(confirmation_sent_at)
user = create_user
user.update_attribute(:confirmation_sent_at, confirmation_sent_at)
confirmed_user = User.confirm_by_token(user.confirmation_token)
assert_equal confirmed_user, user
user.reload.confirmed?
end
test 'should accept confirmation email token even after 5 years when no expiration is set' do
assert confirm_user_by_token_with_confirmation_sent_at(5.years.ago)
end
test 'should accept confirmation email token after 2 days when expiration is set to 3 days' do
swap Devise, :confirm_within => 3.days do
assert confirm_user_by_token_with_confirmation_sent_at(2.days.ago)
end
end
test 'should not accept confirmation email token after 4 days when expiration is set to 3 days' do
swap Devise, :confirm_within => 3.days do
assert_not confirm_user_by_token_with_confirmation_sent_at(4.days.ago)
end
end
end
class ReconfirmableTest < ActiveSupport::TestCase

2
test/rails_app/lib/shared_user.rb
View file

@ -7,7 +7,7 @@ module SharedUser
:trackable, :validatable, :omniauthable
attr_accessor :other_key
attr_accessible :username, :email, :password, :password_confirmation, :remember_me
attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :confirmation_sent_at
# They need to be included after Devise is called.
extend ExtendMethods

1
test/support/integration.rb
View file

@ -14,6 +14,7 @@ class ActionDispatch::IntegrationTest
:password_confirmation => options[:password] || '12345678',
:created_at => Time.now.utc
)
user.update_attribute(:confirmation_sent_at, options[:confirmation_sent_at]) if options[:confirmation_sent_at]
user.confirm! unless options[:confirm] == false
user.lock_access! if options[:locked] == true
user