automatically auth users upon registration when confirmation is skipp…

…ed. fixes lynndylanhurley#32
nbrustein · Sep 30, 2014 · bcb74d4 · bcb74d4
1 parent be8f8d1
commit bcb74d4
Show file tree

Hide file tree

Showing 6 changed files with 104 additions and 54 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -31,7 +31,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise_token_auth (0.1.29.beta1)
+    devise_token_auth (0.1.29.beta2)
       devise (~> 3.2)
       rails (~> 4.1)
 

diff --git a/README.md b/README.md
@@ -42,6 +42,7 @@ The fully configured api used in the demo can be found [here](https://github.com
   * [Controller Integration](#controller-concerns)
   * [Model Integration](#model-concerns)
   * [Using Multiple User Classes](#using-multiple-models)
+  * [Skip Confirmation Upon Email Registration](#skip-confirmation-upon-registration)
   * [Custom Controller Overrides](#custom-controller-overrides)
 * [Conceptual Diagrams](#conceptual)
   * [Token Management](#about-token-management)
@@ -505,6 +506,25 @@ In the above example, the following methods will be available (in addition to `c
   * `current_member`
   * `member_signed_in?`
 
+## Skip Confirmation Upon Email Registration
+
+By default, an email is sent containing a link that the user must visit to activate their account. This measure is in place to ensure that users cannot register other people for accounts.
+
+To bypass this measure, add `before_create :skip_confirmation!` to your `User` model (or equivalent).
+
+##### Example: bypass email confirmation
+
+~~~ruby
+class User < ActiveRecord::Base
+  include DeviseTokenAuth::Concerns::User
+  before_create :skip_confirmation!
+end
+~~~
+
+##### Note for ng-token-auth users:
+
+If this `before_create :skip_confirmation!` callback is in place, the `$auth.submitRegistration` method will both register and authenticate users in a single step.
+
 ## Custom Controller Overrides
 
 The built-in controllers can be overridden with your own custom controllers. 

diff --git a/app/controllers/devise_token_auth/registrations_controller.rb b/app/controllers/devise_token_auth/registrations_controller.rb
@@ -23,10 +23,29 @@ def create
         # override email confirmation, must be sent manually from ctrl
         User.skip_callback("create", :after, :send_on_create_confirmation_instructions)
         if @resource.save
-          @resource.send_confirmation_instructions({
-            client_config: params[:config_name],
-            redirect_url: params[:confirm_success_url]
-          })
+
+          unless @resource.confirmed?
+            # user will require email authentication
+            @resource.send_confirmation_instructions({
+              client_config: params[:config_name],
+              redirect_url: params[:confirm_success_url]
+            })
+
+          else
+            # email auth has been bypassed, authenticate user
+            @user      = @resource
+            @client_id = SecureRandom.urlsafe_base64(nil, false)
+            @token     = SecureRandom.urlsafe_base64(nil, false)
+
+            @user.tokens[@client_id] = {
+              token: BCrypt::Password.create(@token),
+              expiry: (Time.now + DeviseTokenAuth.token_lifespan).to_i
+            }
+
+            @user.save!
+
+            update_auth_header
+          end
 
           render json: {
             status: 'success',

diff --git a/devise_token_auth-0.1.28.gem b/devise_token_auth-0.1.28.gem
diff --git a/lib/devise_token_auth/version.rb b/lib/devise_token_auth/version.rb
@@ -1,3 +1,3 @@
 module DeviseTokenAuth
-  VERSION = "0.1.29.beta1"
+  VERSION = "0.1.29.beta2"
 end
diff --git a/test/controllers/devise_token_auth/registrations_controller_test.rb b/test/controllers/devise_token_auth/registrations_controller_test.rb
@@ -6,13 +6,14 @@
 #  was the correct object stored in the response?
 #  was the appropriate message delivered in the json payload?
 
-class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
+
+class DeviseTokenAuth::RegistrationsControllerTest < ActionDispatch::IntegrationTest
   describe DeviseTokenAuth::RegistrationsController do
     describe "Successful registration" do
       before do
         @mails_sent = ActionMailer::Base.deliveries.count
 
-        xhr :post, :create, {
+        post '/auth', {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -59,7 +60,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
         @redirect_url     = Faker::Internet.url
         @operating_thetan = 2
 
-        xhr :post, :create, {
+        post '/auth', {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -96,7 +97,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
 
     describe "Mismatched passwords" do
       before do
-        xhr :post, :create, {
+        post '/auth', {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "bogus",
@@ -124,7 +125,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
       before do
         @existing_user = users(:confirmed_email_user)
 
-        xhr :post, :create, {
+        post "/auth", {
           email: @existing_user.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -159,10 +160,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
           # ensure request is not treated as batch request
           age_token(@existing_user, @client_id)
 
-          # add auth headers for user identification
-          request.headers.merge!(@auth_headers)
-
-          xhr :delete, :destroy
+          delete "/auth", {}, @auth_headers
 
           @data = JSON.parse(response.body)
         end
@@ -178,7 +176,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
 
       describe 'failure: no auth headers' do
         before do
-          xhr :delete, :destroy
+          delete "/auth"
           @data = JSON.parse(response.body)
         end
 
@@ -196,23 +194,18 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
           @auth_headers  = @existing_user.create_new_auth_token
           @client_id     = @auth_headers['client']
 
-
           # ensure request is not treated as batch request
           age_token(@existing_user, @client_id)
-
-          # add auth headers for user identification
-          request.headers.merge!(@auth_headers)
-
         end
 
         describe "success" do
           before do
             # test valid update param
             @new_operating_thetan = 1000000
 
-            xhr :put, :update, {
+            put "/auth", {
               operating_thetan: @new_operating_thetan
-            }
+            }, @auth_headers
 
             @data = JSON.parse(response.body)
             @existing_user.reload
@@ -231,9 +224,9 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
           before do
             # test invalid update param
             @new_operating_thetan = "blegh"
-            xhr :put, :update, {
+            put "/auth", {
               operating_thetan: @new_operating_thetan
-            }
+            }, @auth_headers
 
             @data = JSON.parse(response.body)
             @existing_user.reload
@@ -258,15 +251,12 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
           # ensure request is not treated as batch request
           expire_token(@existing_user, @client_id)
 
-          # add auth headers for user identification
-          request.headers.merge!(@auth_headers)
-
           # test valid update param
           @new_operating_thetan = 3
 
-          xhr :put, :update, {
+          put "/auth", {
             operating_thetan: @new_operating_thetan
-          }
+          }, @auth_headers
 
           @data = JSON.parse(response.body)
           @existing_user.reload
@@ -286,7 +276,7 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
       before do
         @existing_user = users(:duplicate_email_facebook_user)
 
-        xhr :post, :create, {
+        post "/auth", {
           email: @existing_user.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -311,16 +301,8 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
     end
 
     describe "Alternate user class" do
-      setup do
-        @request.env['devise.mapping'] = Devise.mappings[:mang]
-      end
-
-      teardown do
-        @request.env['devise.mapping'] = Devise.mappings[:user]
-      end
-
       before do
-        xhr :post, :create, {
+        post "/mangs", {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -347,30 +329,18 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
         # ensure request is not treated as batch request
         age_token(@user, @client_id)
 
-        # add auth headers for user identification
-        request.headers.merge!(@auth_headers)
-
-        xhr :delete, :destroy
+        delete "/mangs", {}, @auth_headers
 
         assert_equal 200, response.status
         refute Mang.where(id: @user.id).first
       end
     end
 
-
     describe "Passing client config name" do
-      setup do
-        @request.env['devise.mapping'] = Devise.mappings[:mang]
-      end
-
-      teardown do
-        @request.env['devise.mapping'] = Devise.mappings[:user]
-      end
-
       before do
         @config_name = 'altUser'
 
-        xhr :post, :create, {
+        post "/mangs", {
           email: Faker::Internet.email,
           password: "secret123",
           password_confirmation: "secret123",
@@ -393,5 +363,46 @@ class DeviseTokenAuth::RegistrationsControllerTest < ActionController::TestCase
         assert_equal @config_name, @mail_config_name
       end
     end
+
+    describe "Skipped confirmation" do
+      setup do
+        User.set_callback(:create, :before, :skip_confirmation!)
+
+        post "/auth", {
+          email: Faker::Internet.email,
+          password: "secret123",
+          password_confirmation: "secret123",
+          confirm_success_url: Faker::Internet.url
+        }
+
+        @user      = assigns(:user)
+        @token     = response.headers["access-token"]
+        @client_id = response.headers["client"]
+      end
+
+      teardown do
+        User.skip_callback(:create, :before, :skip_confirmation!)
+      end
+
+      test "user was created" do
+        assert @user
+      end
+
+      test "user was confirmed" do
+        assert @user.confirmed?
+      end
+
+      test "auth headers were returned in response" do
+        assert response.headers["access-token"]
+        assert response.headers["token-type"]
+        assert response.headers["client"]
+        assert response.headers["expiry"]
+        assert response.headers["uid"]
+      end
+
+      test "response token is valid" do
+        assert @user.valid_token?(@token, @client_id)
+      end
+    end
   end
 end