Skip to content

Commit 8a4688f

Browse files
committed
max_number_of_devices should be used in a new session as well
1 parent 7a83ada commit 8a4688f

2 files changed

Lines changed: 27 additions & 7 deletions

File tree

app/models/devise_token_auth/concerns/user.rb

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,8 @@ def create_token(client_id: nil, token: nil, expiry: nil, **token_extras)
9898
expiry: expiry
9999
}.merge!(token_extras)
100100

101+
clean_old_tokens
102+
101103
[client_id, token, expiry]
102104
end
103105

@@ -196,25 +198,19 @@ def build_auth_header(token, client_id='default')
196198

197199
def update_auth_header(token, client_id='default')
198200
headers = build_auth_header(token, client_id)
199-
while tokens.length > 0 && DeviseTokenAuth.max_number_of_devices < tokens.length
200-
oldest_client_id, _tk = tokens.min_by { |_cid, v| v[:expiry] || v["expiry"] }
201-
tokens.delete(oldest_client_id)
202-
end
203-
201+
clean_old_tokens
204202
save!
205203

206204
headers
207205
end
208206

209-
210207
def build_auth_url(base_url, args)
211208
args[:uid] = uid
212209
args[:expiry] = tokens[args[:client_id]]['expiry']
213210

214211
DeviseTokenAuth::Url.generate(base_url, args)
215212
end
216213

217-
218214
def extend_batch_buffer(token, client_id)
219215
self.tokens[client_id]['updated_at'] = Time.now
220216
update_auth_header(token, client_id)
@@ -257,4 +253,10 @@ def remove_tokens_after_password_reset
257253
end
258254
end
259255

256+
def clean_old_tokens
257+
while tokens.length > 0 && DeviseTokenAuth.max_number_of_devices < tokens.length
258+
oldest_client_id, _tk = tokens.min_by { |_cid, v| v[:expiry] || v["expiry"] }
259+
tokens.delete(oldest_client_id)
260+
end
261+
end
260262
end

test/controllers/devise_token_auth/sessions_controller_test.rb

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -72,6 +72,24 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
7272
assert_equal '0.0.0.0', @new_last_sign_in_ip
7373
end
7474
end
75+
76+
describe "with multiple clients and headers don't change in each request" do
77+
before do
78+
DeviseTokenAuth.max_number_of_devices = 1
79+
DeviseTokenAuth.change_headers_on_each_request = false
80+
(1..5).each do |n|
81+
post :create,
82+
params: {
83+
email: @existing_user.email,
84+
password: 'secret123'
85+
}
86+
end
87+
end
88+
89+
test 'should delete old tokens' do
90+
assert_equal 1, @existing_user.reload.tokens.count
91+
end
92+
end
7593
end
7694

7795
describe 'get sign_in is not supported' do

0 commit comments

Comments
 (0)