Merge branch 'next-minor' into develop

Gemfile

@@ -25,7 +25,6 @@ gem "json-schema", "2.7.0"
 
 gem "devise", "4.2.0"
 gem "devise_lastseenable", "0.0.6"
-gem "devise-token_authenticatable", "0.5.2"
 
 # Captcha
 

Gemfile.lock

@@ -171,8 +171,6 @@ GEM
       railties (>= 4.1.0, < 5.1)
       responders
       warden (~> 1.2.3)
-    devise-token_authenticatable (0.5.2)
-      devise (>= 4.0.0, < 4.3.0)
     devise_lastseenable (0.0.6)
       devise
       rails (>= 3.0.4)
@@ -931,7 +929,6 @@ DEPENDENCIES
   cucumber-rails (= 1.4.5)
   database_cleaner (= 1.5.3)
   devise (= 4.2.0)
-  devise-token_authenticatable (= 0.5.2)
   devise_lastseenable (= 0.0.6)
   diaspora-prosody-config (= 0.0.7)
   diaspora_federation-rails (= 0.1.5)

app/assets/javascripts/jsxc.js

@@ -12,7 +12,7 @@
 // initialize jsxc xmpp client
 $(document).ready(function() {
   if (app.currentUser.authenticated()) {
-    $.post('api/v1/tokens', null, function(data) {
+    $.post("/user/auth_token", null, function(data) {
       if (jsxc && data['token']) {
         var jid = app.currentUser.get('diaspora_id');
         jsxc.init({

app/controllers/api/v1/tokens_controller.rb

@@ -1,16 +0,0 @@
-class Api::V1::TokensController < ApplicationController
-  skip_before_filter :verify_authenticity_token
-  before_filter :authenticate_user!
-
-  respond_to :json
-
-  def create
-    current_user.ensure_authentication_token!
-    render :status => 200, :json => { :token => current_user.authentication_token }
-  end
-  
-  def destroy
-    current_user.reset_authentication_token!
-    render :json => true, :status => 200
-  end
-end

app/controllers/users_controller.rb

@@ -128,6 +128,11 @@ class UsersController < ApplicationController
     redirect_to edit_user_path
   end
 
+  def auth_token
+    current_user.ensure_authentication_token!
+    render status: 200, json: {token: current_user.authentication_token}
+  end
+
   private
 
   # rubocop:disable Metrics/MethodLength

app/models/user.rb

@@ -3,6 +3,7 @@
 #   the COPYRIGHT file.
 
 class User < ActiveRecord::Base
+  include AuthenticationToken
   include Connecting
   include Querying
   include SocialActions
@@ -16,7 +17,7 @@ class User < ActiveRecord::Base
   scope :halfyear_actives, ->(time = Time.now) { logged_in_since(time - 6.month) }
   scope :active, -> { joins(:person).where(people: {closed_account: false}) }
 
-  devise :token_authenticatable, :database_authenticatable, :registerable,
+  devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable,
          :lockable, :lastseenable, :lock_strategy => :none, :unlock_strategy => :none
 

app/models/user/authentication_token.rb

@@ -0,0 +1,26 @@
+class User
+  module AuthenticationToken
+    extend ActiveSupport::Concern
+
+    # Generate new authentication token and save the record.
+    def reset_authentication_token!
+      self.authentication_token = self.class.authentication_token
+      save(validate: false)
+    end
+
+    # Generate authentication token unless already exists and save the record.
+    def ensure_authentication_token!
+      reset_authentication_token! if authentication_token.blank?
+    end
+
+    module ClassMethods
+      # Generate a token checking if one does not already exist in the database.
+      def authentication_token
+        loop do
+          token = Devise.friendly_token(30)
+          break token unless User.exists?(authentication_token: token)
+        end
+      end
+    end
+  end
+end

config/routes.rb

@@ -106,6 +106,7 @@ Diaspora::Application.routes.draw do
     get :download_profile
     post :export_photos
     get :download_photos
+    post :auth_token
   end
 
   controller :users do
@@ -184,12 +185,6 @@ Diaspora::Application.routes.draw do
     end
   end
 
-  namespace :api do
-    namespace :v1 do
-      resources :tokens, :only => [:create, :destroy]
-    end
-  end
-
   get 'community_spotlight' => "contacts#spotlight", :as => 'community_spotlight'
   # Mobile site
 

spec/controllers/users_controller_spec.rb

@@ -242,11 +242,11 @@ describe UsersController, :type => :controller do
       expect(assigns[:email_prefs]['mentioned']).to be false
     end
 
-    it 'does allow token auth' do
+    it "does not allow token auth" do
       sign_out :user
       bob.reset_authentication_token!
       get :edit, :auth_token => bob.authentication_token
-      expect(response.status).to eq(200)
+      expect(response).to redirect_to new_user_session_path
     end
   end
 

spec/models/user/authentication_token_spec.rb

@@ -0,0 +1,42 @@
+require "spec_helper"
+
+describe User::AuthenticationToken, type: :model do
+  describe "#reset_authentication_token!" do
+    it "sets the authentication token" do
+      expect(alice.authentication_token).to be_nil
+      alice.reset_authentication_token!
+      expect(alice.authentication_token).not_to be_nil
+    end
+
+    it "resets the authentication token" do
+      alice.reset_authentication_token!
+      expect { alice.reset_authentication_token! }.to change { alice.authentication_token }
+    end
+  end
+
+  describe "#ensure_authentication_token!" do
+    it "doesn't change the authentication token" do
+      alice.reset_authentication_token!
+      expect { alice.ensure_authentication_token! }.to_not change { alice.authentication_token }
+    end
+
+    it "sets the authentication token if not yet set" do
+      expect(alice.authentication_token).to be_nil
+      alice.ensure_authentication_token!
+      expect(alice.authentication_token).not_to be_nil
+    end
+  end
+
+  describe ".authentication_token" do
+    it "generates an authentication token" do
+      expect(User.authentication_token.length).to eq(30)
+    end
+
+    it "checks that the authentication token is not yet in use by another user" do
+      alice.reset_authentication_token!
+      expect(Devise).to receive(:friendly_token).with(30).and_return(alice.authentication_token, "some_unused_token")
+
+      expect(User.authentication_token).to eq("some_unused_token")
+    end
+  end
+end