added token based authentication, switch to api-only mode

b777997f · John Doe · f0838c29 · b777997f · b777997f · b777997f
Commit b777997f authored Feb 03, 2017 by John Doe
Showing with 225 additions and 40 deletions
Gemfile
Gemfile.lock
app/controllers/application_controller.rb
app/controllers/db_elements_controller.rb
app/controllers/db_folders_controller.rb
app/controllers/db_streams_controller.rb
app/controllers/dbs_controller.rb
app/controllers/nilms_controller.rb
app/models/user.rb
app/views/devise/mailer/confirmation_instructions.html.erb
app/views/devise/mailer/reset_password_instructions.html.erb
app/views/layouts/application.html.erb
config/application.rb
config/environments/development.rb
config/initializers/devise.rb
config/initializers/devise_token_auth.rb
config/routes.rb
db/migrate/20170204010933_devise_token_auth_create_users.rb
db/schema.rb
--- a/Gemfile
+++ b/Gemfile
@@ -34,6 +34,8 @@ gem 'sdoc', '~> 0.4.0', group: :doc
 gem 'httparty'
 gem 'rack-cors'
+gem 'devise_token_auth'
+gem 'omniauth'
 group :development, :test do
  # Call 'byebug' anywhere in the code to stop execution and get a debugger console
@@ -48,9 +50,6 @@ group :development, :test do
  gem 'cucumber-rails', require: false
  gem 'database_cleaner'
  gem 'tzinfo-data'
-end
-group :development, :test do
  gem 'guard'
  gem 'guard-rspec'
  gem 'spring-commands-rspec'
@@ -58,18 +57,16 @@ group :development, :test do
  gem 'terminal-notifier'
 end
-group :development do
+# NOTE: install mailcatcher for development
-  gem 'guard-rubocop'
-end
-group :test do
-  gem 'simplecov', :require => false
-end
 group :development do
+  gem 'guard-rubocop'
  # Access an IRB console on exception pages or by using <%= console %> in views
  gem 'web-console', '~> 2.0'
  # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
  gem 'spring'
 end
+group :test do
+  gem 'simplecov', :require => false
+end
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -42,11 +42,13 @@ GEM
      public_suffix (~> 2.0, >= 2.0.2)
    arel (7.1.4)
    ast (2.3.0)
+    bcrypt (3.1.11)
+    bcrypt (3.1.11-x64-mingw32)
    binding_of_caller (0.7.2)
      debug_inspector (>= 0.0.1)
    builder (3.2.3)
    byebug (9.0.6)
-    capybara (2.11.0)
+    capybara (2.12.0)
      addressable
      mime-types (>= 1.16)
      nokogiri (>= 1.3.3)
@@ -83,6 +85,15 @@ GEM
    cucumber-wire (0.0.1)
    database_cleaner (1.5.3)
    debug_inspector (0.0.2)
+    devise (4.2.0)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0, < 5.1)
+      responders
+      warden (~> 1.2.3)
+    devise_token_auth (0.1.40)
+      devise (> 3.5.2, <= 4.2)
+      rails (< 6)
    diff-lcs (1.3)
    docile (1.1.5)
    erubis (2.7.0)
@@ -100,7 +111,7 @@ GEM
    gherkin (4.0.0)
    globalid (0.3.7)
      activesupport (>= 4.1.0)
-    guard (2.14.0)
+    guard (2.14.1)
      formatador (>= 0.2.4)
      listen (>= 2.7, < 4.0)
      lumberjack (~> 1.0)
@@ -118,9 +129,10 @@ GEM
      guard (~> 2.0)
      rubocop (~> 0.20)
    hashdiff (0.3.2)
+    hashie (3.5.1)
    httparty (0.14.0)
      multi_xml (>= 0.5.2)
-    i18n (0.7.0)
+    i18n (0.8.0)
    jbuilder (2.6.1)
      activesupport (>= 3.0.0, < 5.1)
      multi_json (~> 1.2)
@@ -156,6 +168,10 @@ GEM
    notiffany (0.1.1)
      nenv (~> 0.1)
      shellany (~> 0.0)
+    omniauth (1.3.2)
+      hashie (>= 1.2, < 4)
+      rack (>= 1.0, < 3)
+    orm_adapter (0.5.0)
    parser (2.3.3.1)
      ast (~> 2.2)
    powerpack (0.1.1)
@@ -165,7 +181,7 @@ GEM
      slop (~> 3.4)
    public_suffix (2.0.5)
    rack (2.0.1)
-    rack-cors (0.4.0)
+    rack-cors (0.4.1)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails (5.0.1)
@@ -194,9 +210,11 @@ GEM
    rainbow (2.2.1)
    rake (12.0.0)
    rb-fsevent (0.9.8)
-    rb-inotify (0.9.7)
+    rb-inotify (0.9.8)
      ffi (>= 0.5.0)
    rdoc (4.3.0)
+    responders (2.3.0)
+      railties (>= 4.2.0, < 5.1)
    rspec (3.5.0)
      rspec-core (~> 3.5.0)
      rspec-expectations (~> 3.5.0)
@@ -239,7 +257,7 @@ GEM
      json (~> 1.7, >= 1.7.7)
      rdoc (~> 4.0)
    shellany (0.0.1)
-    simplecov (0.12.0)
+    simplecov (0.13.0)
      docile (~> 1.1.0)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
@@ -262,7 +280,7 @@ GEM
    terminal-notifier-guard (1.7.0)
    thor (0.19.4)
    thread_safe (0.3.5)
-    tilt (2.0.5)
+    tilt (2.0.6)
    turbolinks (5.0.1)
      turbolinks-source (~> 5)
    turbolinks-source (5.0.0)
@@ -274,6 +292,8 @@ GEM
      execjs (>= 0.3.0, < 3)
    unicode-display_width (1.1.3)
    vcr (3.0.3)
+    warden (1.2.7)
+      rack (>= 1.0)
    web-console (2.3.0)
      activemodel (>= 4.0)
      binding_of_caller (>= 0.7.2)
@@ -283,7 +303,7 @@ GEM
      addressable (>= 2.3.6)
      crack (>= 0.3.2)
      hashdiff
-    websocket-driver (0.6.4)
+    websocket-driver (0.6.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.2)
    xpath (2.0.0)
@@ -298,6 +318,7 @@ DEPENDENCIES
  coffee-rails (~> 4.1.0)
  cucumber-rails
  database_cleaner
+  devise_token_auth
  factory_girl_rails
  faker
  guard
@@ -306,6 +327,7 @@ DEPENDENCIES
  httparty
  jbuilder (~> 2.0)
  jquery-rails
+  omniauth
  rack-cors
  rails (= 5.0.1)
  rspec-json_expectations

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
 # frozen_string_literal: true
 # application controller
-class ApplicationController < ActionController::Base
+class ApplicationController < ActionController::API
-  # Prevent CSRF attacks by raising an exception.
+  include DeviseTokenAuth::Concerns::SetUserByToken
-  # For APIs, you may want to use :null_session instead.
-  protect_from_forgery with: :null_session
 end
--- a/app/controllers/db_elements_controller.rb
+++ b/app/controllers/db_elements_controller.rb
@@ -2,4 +2,6 @@
 # controller for DbStreams
 class DbElementsController < ApplicationController
+  before_action :authenticate_user!
 end
--- a/app/controllers/db_folders_controller.rb
+++ b/app/controllers/db_folders_controller.rb
@@ -2,6 +2,8 @@
 # Controller for DbFolders
 class DbFoldersController < ApplicationController
+  before_action :authenticate_user!
  def show
    folder = DbFolder.find(params[:id])
    render json: folder, shallow: false

--- a/app/controllers/db_streams_controller.rb
+++ b/app/controllers/db_streams_controller.rb
@@ -2,6 +2,8 @@
 # Controller for DbStreams
 class DbStreamsController < ApplicationController
+  before_action :authenticate_user!
  def update
    stream = DbStream.find(params[:id])
    adapter = DbAdapter.new(stream.db.url)

--- a/app/controllers/dbs_controller.rb
+++ b/app/controllers/dbs_controller.rb
@@ -2,6 +2,8 @@
 # Controller for Database Objects
 class DbsController < ApplicationController
+  before_action :authenticate_user!
  def show
    db = Db.find(params[:id])
    render json: db

--- a/app/controllers/nilms_controller.rb
+++ b/app/controllers/nilms_controller.rb
@@ -2,6 +2,8 @@
 # controller for NILM objects
 class NilmsController < ApplicationController
+  before_action :authenticate_user!
  def index
    nilms = Nilm.all
    render json: nilms

--- a/app/models/user.rb
+++ b/app/models/user.rb
+class User < ActiveRecord::Base
+  # Include default devise modules.
+  devise :database_authenticatable, :registerable,
+          :recoverable, :rememberable, :trackable, :validatable,
+          :confirmable, :omniauthable
+  include DeviseTokenAuth::Concerns::User
+end
--- a/app/views/devise/mailer/confirmation_instructions.html.erb
+++ b/app/views/devise/mailer/confirmation_instructions.html.erb
+<p><%= t(:welcome).capitalize + ' ' + @email %>!</p>
+<p><%= t '.confirm_link_msg' %> </p>
+<p><%= link_to t('.confirm_account_link'), confirmation_url(@resource, {confirmation_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url']}).html_safe %></p>
--- a/app/views/devise/mailer/reset_password_instructions.html.erb
+++ b/app/views/devise/mailer/reset_password_instructions.html.erb
+<p><%= t(:hello).capitalize %> <%= @resource.email %>!</p>
+<p><%= t '.request_reset_link_msg' %></p>
+<p><%= link_to t('.password_change_link'), edit_password_url(@resource, reset_password_token: @token, config: message['client-config'].to_s, redirect_url: message['redirect-url'].to_s).html_safe %></p>
+<p><%= t '.ignore_mail_msg' %></p>
+<p><%= t '.no_changes_msg' %></p>
\ No newline at end of file
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
-<!DOCTYPE html>
-<html>
-<head>
-  <title>ControlPanel</title>
-  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
-  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
-  <%= csrf_meta_tags %>
-</head>
-<body>
-<%= yield %>
-</body>
-</html>
--- a/config/application.rb
+++ b/config/application.rb
@@ -12,6 +12,7 @@ module ControlPanel
    # Application configuration should go into files in config/initializers
    # -- all .rb files in that directory are automatically loaded.
    # Add folders under the services directory
+    config.api_only = true
    %w(nilm db db_folder db_stream).each do |service|
      config.autoload_paths << Rails.root.join("app/services/#{service}")
    end

--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -26,10 +26,16 @@ Rails.application.configure do
    config.cache_store = :null_store
  end
+  # render json on error since this is an API app
+  config.debug_exception_response_format = :api
  # Don't care if the mailer can't send.
  config.action_mailer.raise_delivery_errors = false
  config.action_mailer.perform_caching = false
+  config.action_mailer.default_url_options = { :host => 'wattsworth.dev' }
+  config.action_mailer.delivery_method = :smtp
+  config.action_mailer.smtp_settings =
+    { :address => "localhost", :port => 1025 }
  # Print deprecation notices to the Rails logger.
  config.active_support.deprecation = :log
@@ -54,7 +60,10 @@ Rails.application.configure do
  config.middleware.insert_before 0, Rack::Cors do
    allow do
      origins '*'
-      resource '*', headers: :any, methods: [:get, :post, :options, :put]
+      resource '*',
+        :headers => :any,
+        :expose => ['access-token', 'expiry', 'token-type', 'uid', 'client'],
+        :methods =>  [:get, :post, :options, :delete, :put]
    end
  end
 end
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
+Devise.setup do |config|
+  # The e-mail address that mail will appear to be sent from
+  # If absent, mail is sent from "please-change-me-at-config-initializers-devise@example.com"
+  config.mailer_sender = "support@myapp.com"
+  # If using rails-api, you may want to tell devise to not use ActionDispatch::Flash
+  # middleware b/c rails-api does not include it.
+  # See: http://stackoverflow.com/q/19600905/806956
+  config.navigational_formats = [:json]
+end
--- a/config/initializers/devise_token_auth.rb
+++ b/config/initializers/devise_token_auth.rb
+DeviseTokenAuth.setup do |config|
+  # By default the authorization headers will change after each request. The
+  # client is responsible for keeping track of the changing tokens. Change
+  # this to false to prevent the Authorization header from changing after
+  # each request.
+  # config.change_headers_on_each_request = true
+  # By default, users will need to re-authenticate after 2 weeks. This setting
+  # determines how long tokens will remain valid after they are issued.
+  # config.token_lifespan = 2.weeks
+  # Sets the max number of concurrent devices per user, which is 10 by default.
+  # After this limit is reached, the oldest tokens will be removed.
+  # config.max_number_of_devices = 10
+  # Sometimes it's necessary to make several requests to the API at the same
+  # time. In this case, each request in the batch will need to share the same
+  # auth token. This setting determines how far apart the requests can be while
+  # still using the same auth token.
+  # config.batch_request_buffer_throttle = 5.seconds
+  # This route will be the prefix for all oauth2 redirect callbacks. For
+  # example, using the default '/omniauth', the github oauth2 provider will
+  # redirect successful authentications to '/omniauth/github/callback'
+  # config.omniauth_prefix = "/omniauth"
+  # By default sending current password is not needed for the password update.
+  # Uncomment to enforce current_password param to be checked before all
+  # attribute updates. Set it to :password if you want it to be checked only if
+  # password is updated.
+  # config.check_current_password_before_update = :attributes
+  # By default we will use callbacks for single omniauth.
+  # It depends on fields like email, provider and uid.
+  # config.default_callbacks = true
+  # Makes it possible to change the headers names
+  # config.headers_names = {:'access-token' => 'access-token',
+  #                        :'client' => 'client',
+  #                        :'expiry' => 'expiry',
+  #                        :'uid' => 'uid',
+  #                        :'token-type' => 'token-type' }
+  # By default, only Bearer Token authentication is implemented out of the box.
+  # If, however, you wish to integrate with legacy Devise authentication, you can
+  # do so by enabling this flag. NOTE: This feature is highly experimental!
+  # config.enable_standard_devise_support = false
+end
--- a/config/routes.rb
+++ b/config/routes.rb
 Rails.application.routes.draw do
+  mount_devise_token_auth_for 'User', at: 'auth'
  resources :db_decimations
  resources :nilms
  resources :dbs

--- a/db/migrate/20170204010933_devise_token_auth_create_users.rb
+++ b/db/migrate/20170204010933_devise_token_auth_create_users.rb
+class DeviseTokenAuthCreateUsers < ActiveRecord::Migration[5.0]
+  def change
+    create_table(:users) do |t|
+      ## Required
+      t.string :provider, :null => false, :default => "email"
+      t.string :uid, :null => false, :default => ""
+      ## Database authenticatable
+      t.string :encrypted_password, :null => false, :default => ""
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+      ## Rememberable
+      t.datetime :remember_created_at
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0, :null => false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+      ## User Info
+      t.string :first_name
+      t.string :last_name
+      t.string :email
+      ## Tokens
+      t.text :tokens
+      t.timestamps
+    end
+    add_index :users, :email,                unique: true
+    add_index :users, [:uid, :provider],     unique: true
+    add_index :users, :reset_password_token, unique: true
+    add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,       unique: true
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
-ActiveRecord::Schema.define(version: 20170130022828) do
+ActiveRecord::Schema.define(version: 20170204010933) do
  create_table "db_decimations", force: :cascade do |t|
    t.integer  "start_time",   limit: 8
@@ -94,4 +94,32 @@ ActiveRecord::Schema.define(version: 20170130022828) do
    t.datetime "updated_at",  null: false
  end
+  create_table "users", force: :cascade do |t|
+    t.string   "provider",               default: "email", null: false
+    t.string   "uid",                    default: "",      null: false
+    t.string   "encrypted_password",     default: "",      null: false
+    t.string   "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer  "sign_in_count",          default: 0,       null: false
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string   "current_sign_in_ip"
+    t.string   "last_sign_in_ip"
+    t.string   "confirmation_token"
+    t.datetime "confirmed_at"
+    t.datetime "confirmation_sent_at"
+    t.string   "unconfirmed_email"
+    t.string   "first_name"
+    t.string   "last_name"
+    t.string   "email"
+    t.text     "tokens"
+    t.datetime "created_at",                               null: false
+    t.datetime "updated_at",                               null: false
+    t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
+    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
+    t.index ["uid", "provider"], name: "index_users_on_uid_and_provider", unique: true
+  end
 end