Checking for a user in warden/devise session before passing through to token auth.
nickL committed Mar 30, 2015
1 parent 2f9488a commit 39dedf0
Showing 2 changed files with 65 additions and 5 deletions.
17 changes: 12 additions & 5 deletions app/controllers/devise_token_auth/concerns/set_user_by_token.rb
Expand Up @@ -21,19 +21,26 @@ def set_user_by_token(mapping=nil)
# no default user defined
return unless rc

# user has already been found and authenticated
return @resource if @resource and @resource.class == rc

# parse header for values necessary for authentication
uid = request.headers['uid'] || params['uid']
@token = request.headers['access-token'] || params['access-token']
@client_id = request.headers['client'] || params['client']

return false unless @token

# client_id isn't required, set to 'default' if absent
@client_id ||= 'default'

# check for an existing user, authenticated via warden/devise
devise_warden_user = warden.user(rc.to_s.underscore.to_sym)
if devise_warden_user && devise_warden_user.tokens[@client_id].nil?
@resource = devise_warden_user
@resource.create_new_auth_token
end

# user has already been found and authenticated
return @resource if @resource and @resource.class == rc

return false unless @token

# mitigate timing attacks by finding by uid instead of auth token
user = uid && rc.find_by_uid(uid)

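Review bot: The warden branch mints and persists a new bearer token on every session-authenticated request whose `client` header (or the `'default'` fallback) has no entry in `tokens`, so a browser session that never sends a `client` header gets a fresh credential written and returned on each request; unless `create_new_auth_token` prunes old entries (not visible here), those credentials accumulate. Because `create_new_auth_token` is called without `@client_id`, the key tested at `tokens[@client_id].nil?` is presumably not the key the new token is stored under, so the guard likely never suppresses minting for the default case — worth confirming against the model. Conversely, a session user who sends a `client` id that already has a token but no `access-token` skips the branch and is rejected by `return false unless @token` despite a valid session. One option is to take the warden user whenever it exists and mint only when that client has no token: `if devise_warden_user` / `@resource = devise_warden_user` / `@resource.create_new_auth_token if @resource.tokens[@client_id].nil?`. `set_user_by_token` begins on the hunk header line and continues past the end of the hunk.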
53 changes: 53 additions & 0 deletions test/controllers/demo_user_controller_test.rb
Expand Up @@ -7,6 +7,7 @@
# was the appropriate message delivered in the json payload?

class DemoUserControllerTest < ActionDispatch::IntegrationTest
include Warden::Test::Helpers
describe DemoUserController do
describe "Token access" do
before do
Expand Down Expand Up @@ -258,5 +259,57 @@ class DemoUserControllerTest < ActionDispatch::IntegrationTest
end
end
end

describe 'Existing Warden authentication' do
before do
@resource = users(:confirmed_email_user)
@resource.skip_confirmation!
@resource.save!
login_as( @resource, :scope => :user)

# no auth headers sent, testing that warden authenticates correctly.
get '/demo/members_only', {}, nil

@resp_token = response.headers['access-token']
@resp_client_id = response.headers['client']
@resp_expiry = response.headers['expiry']
@resp_uid = response.headers['uid']
end

describe 'devise mappings' do
it 'should define current_user' do
assert_equal @resource, @controller.current_user
end

it 'should define user_signed_in?' do
assert @controller.user_signed_in?
end

it 'should not define current_mang' do
refute_equal @resource, @controller.current_mang
end
end

it 'should return success status' do
assert_equal 200, response.status
end

it 'should receive new token after successful request' do
assert @resp_token
end

it 'should set the token expiry in the auth header' do
assert @resp_expiry
end

it 'should return the client id in the auth header' do
assert @resp_client_id
end

it "should return the user's uid in the auth header" do
assert @resp_uid
end
end

end
end
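Review bot: `refute_equal @resource, @controller.current_mang` passes for any value other than the user — including `nil`, which is what the test is trying to establish — so it does not actually pin scope isolation; `assert_nil @controller.current_mang` states the intent directly. The new describe block also only exercises a session with no auth headers at all; a case where the session user sends a `client` header that already has a token but no `access-token`, and a case with no warden session, would cover the other paths the controller change introduces.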

1 comment on commit 39dedf0

@adis-io
Contributor

@adis-io adis-io commented on 39dedf0 Jul 9, 2015

