Fastboot Feature Branch (#1032)
* ignore store events while the session is busy (#965)

* 1.1.0-beta.5

* 1.1.0

* Check for resourceName in response in Devise Authenticator

* change cookie default key names to be rfc2616 compliant (#978)

fixes #977

* Test for session service data being set with Ember.set (#972)

* code/docs cleanup

* Add tokenRefreshOffset property to OAuth2PasswordGrantAuthenticator (#840)

tokenRefreshOffset determines the offset seconds before the token
expiration to refresh the token. This is randomized so as to reduce
race conditions between multiple tabs from refreshing at the same time.

This is configurable because in some cases, the offset randomization
needs to be increased to decrease the probability of the above mentioned
race conditions.

One more case would be in slow internet connections, you make a call to
refresh the token but the server doesn't process it in time (or receive
it in time), the server will check and the token that you sent up is now
expired so the refresh will fail.

* cleanup transition usage in authenticated and unauthenticated route mixins (#992)

no issue
- fixes potential test timing issue
- removes unnecessary abort call

* [BUGFIX] Remove Ember.Logger (#993)

Ember.Logger is not substituted by noops in production.

More info in emberjs/guides#1467

* [WIP] Validate server responses in authenticators (#957)

* Validate response data in devise authenticator

* Validate response data in OAuth2 authenticator

* Add tests for oauth2 data validations

* Add tests for devise data validations

* Remove unnecessary validations

* Refactor 'restore' in devise authenticator

* Fix test timeout errors

* Minor cleanup

* Consider resource name when validating response

* Refactor devise authenticator _validate method

* update dependencies (#1004)

This updates Ember, Ember Data, Ember CLI etc. to the latest
versions. This also fixes a lot of JSCS warnings that were introduced
by the latest version of ember-suave.

* Use the term "squash" when referring to collapsing commits into one (#1011)

That's consistent with the term used in git-rebase and with the general public.

* Add rejectWithXhr to optionally reject with XHR vs response body (#1012)

Allows ember apps using ember-simple-auth to receive the whole XHR object if the backend fails, instead of the response body, if they so choose.

In the case of OAuth 2.0 backends, it's been a pattern in the wild to use X- headers to send context as to why a grant has failed. Examples include API throttling, brute force lockouts, and OTP/two-factor authentication information.

Selfishly, I require this change so my application can be notified when the API has locked out an account due to suspicious activity via an X- header.

The decision to expose it as an option was chosen so backwards compatibility is maintained and keeps the addon simple for those who need not be concerned with complex backends.

* Add fastboot-dist to npmignore (#1015)

* Optionally send custom headers in authentication call (#1018)

Complex systems that offer Two Factor Authentication with their OAuth 2.0 implementation need to send additional context via the HTTP headers. This pattern has been observed in the wild by systems such as GitHub. Because of the restrictions of OAuth 2.0 RFC, only headers can be used for additional context, not request/response bodies.

This could be seen as a counterpart to #1012, where using both features allows bi-directional context enabling 2FA, brute force lockouts, etc.

* [fastboot-compatibility] initial work

* [fastboot-compatibility] improve support

* [fastboot-compatibility] Use ember-cookies@0.0.7

ember-cookies 0.0.6

ember-cookies@0.0.7

* [fastboot-compatibility] fix ember-build-cli.js

* [fastboot-compatibility] fix route mixin transitions

* [fastboot-compatibility] Update `session-stores/cookie` with `typeof` guard (#1)

* [fastboot-compatibility] fix tests

* Use apiHost config for dummy app.

better name for api host conf setting

fix dummy app API endpoints

* Helpful instructions for `npm run fastboot`

* Restore cookie session renewal

* Fix various rebase issues

* ember-cli-fasboot@1.0.0-beta.7
Arjan Singh authored and marcoow committed Jul 28, 2016
1 parent 9124f55 commit 1acbecf
Showing 55 changed files with 765 additions and 527 deletions.
4 changes: 3 additions & 1 deletion .npmignore
Expand Up @@ -2,7 +2,9 @@
/config/ember-try.js
/dist
/tests
/node-tests
/tmp
/fastboot-dist
**/.gitkeep
.bowerrc
.editorconfig
Expand All @@ -14,4 +16,4 @@
bower.json
ember-cli-build.js
testem.json
node-tests/
testem.js
14 changes: 6 additions & 8 deletions .travis.yml
@@ -1,7 +1,7 @@
---
language: node_js
node_js:
- "0.12"
- "4"

sudo: false

Expand All @@ -10,8 +10,8 @@ cache:
- node_modules

env:
- EMBER_TRY_SCENARIO=ember-release
- EMBER_TRY_SCENARIO=ember-earliest
- EMBER_TRY_SCENARIO=ember-release
- EMBER_TRY_SCENARIO=ember-beta
- EMBER_TRY_SCENARIO=ember-canary

Expand All @@ -21,21 +21,19 @@ matrix:
- env: EMBER_TRY_SCENARIO=ember-canary

before_install:
- export PATH=/usr/local/phantomjs-2.0.0/bin:$PATH
- "npm config set spin false"
- "npm install -g npm@^2"
- npm config set spin false
- npm install -g bower
- npm install phantomjs-prebuilt

install:
- npm install -g bower
- npm install
- bower install

script:
- ember try $EMBER_TRY_SCENARIO test && npm run nodetest
- ember try $EMBER_TRY_SCENARIO test --skip-cleanup

notifications:
email: false
slack:
rooms:
secure: OOKD4ZksqzEBW/A3WRuOToODIxnDITqx+Esu7tdmmYPuQlMYgx4SUHv8j9OM9/ScFJiseeVGSkl45vJrHLLIITX9XSjO1RgiGZgw2heVujmGpF6CZNqvT6GsQuKIvMzmwF7IxuHdfV45Csr9Ou/Fg74TszR/4S2h4SOI4zhLg7A=
on_success: never
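Review bot: the new `script` entry, `ember try $EMBER_TRY_SCENARIO test --skip-cleanup`, no longer chains `&& npm run nodetest`, so the node test run drops out of CI with this change. If that is intentional while the FastBoot work lands, say so in the commit message; otherwise keep the `npm run nodetest` step. Separately, `npm install -g bower` and `npm install phantomjs-prebuilt` in `before_install` pull whatever version is current at build time; pinning versions there would keep CI builds reproducible.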
9 changes: 9 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,12 @@
# 1.1.0

There were no changes since 1.1.0-beta.5.

# 1.1.0-beta.5

* The session will now ignore session store events when it is currently
authenticating or restoring, see #965.

# 1.1.0-beta.4

* A critical bug in the cookie store causing an immediate logout after logging
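Review bot: the entries added at the top of CHANGELOG.md cover only 1.1.0 and 1.1.0-beta.5, while the commit message lists user-visible changes that are not recorded in the visible part of this file: the new cookie default key names (#978), `tokenRefreshOffset` (#840), server response validation in the authenticators (#957), `rejectWithXhr` (#1012) and custom headers in the authentication call (#1018). Please add an entry for these, and call out the cookie key rename and the response validation explicitly, since both change default behaviour for existing apps.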
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
Expand Up @@ -33,7 +33,7 @@ Here's a few steps to follow to make sure your pull request gets accepted:
3. Adhere to Ember Simple Auth's coding style; while there's no official style
guide it should be clear by looking at the existing code what the agreed upon
rules are.
4. Stash all your commits into one before submitting the pull request so it's
4. Squash all of your commits into one before submitting the pull request so it's
easier to review them.
5. Provide a good description for your pull request - what does it add, why is
that needed etc.?
4 changes: 2 additions & 2 deletions addon/authenticators/base.js
@@ -1,6 +1,6 @@
import Ember from 'ember';

const { RSVP } = Ember;
const { RSVP, Evented, Object: EmberObject } = Ember;

/**
The base class for all authenticators. __This serves as a starting point for
Expand Down Expand Up @@ -57,7 +57,7 @@ const { RSVP } = Ember;
@uses Ember.Evented
@public
*/
export default Ember.Object.extend(Ember.Evented, {
export default EmberObject.extend(Evented, {
/**
__Triggered when the authentication data is updated by the authenticator
due to an external or scheduled event__. This might happen e.g. if the
59 changes: 43 additions & 16 deletions addon/authenticators/devise.js
@@ -1,7 +1,8 @@
import Ember from 'ember';
import BaseAuthenticator from './base';

const { RSVP: { Promise }, isEmpty, run, get, $ } = Ember;
const { RSVP: { Promise }, isEmpty, run, $: jQuery, assign: emberAssign, merge } = Ember;
const assign = emberAssign || merge;

/**
Authenticator that works with the Ruby gem
Expand Down Expand Up @@ -60,6 +61,20 @@ export default BaseAuthenticator.extend({
*/
identificationAttributeName: 'email',

/**
When authentication fails, the rejection callback is provided with the whole
XHR object instead of it's response JSON or text.
This is useful for cases when the backend provides additional context not
available in the response body.
@property rejectWithXhr
@type Boolean
@default false
@public
*/
rejectWithXhr: false,

/**
Restores the session from a session data object; __returns a resolving
promise when there are non-empty
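Review bot: in the `rejectWithXhr` doc comment, "instead of it's response JSON or text" should read "its". The comment should also say that with the flag enabled the rejection handler receives the raw XHR (status, headers and body), so handlers written against the previous `xhr.responseJSON || xhr.responseText` value have to change when an app turns it on, and that the flag only applies to the request failure path of `authenticate`.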
Expand All @@ -74,15 +89,7 @@ export default BaseAuthenticator.extend({
@public
*/
restore(data) {
const { tokenAttributeName, identificationAttributeName } = this.getProperties('tokenAttributeName', 'identificationAttributeName');
const tokenAttribute = get(data, tokenAttributeName);
const identificationAttribute = get(data, identificationAttributeName);

if (!isEmpty(tokenAttribute) && !isEmpty(identificationAttribute)) {
return Promise.resolve(data);
} else {
return Promise.reject();
}
return this._validate(data) ? Promise.resolve(data) : Promise.reject();
},

/**
Expand All @@ -105,14 +112,23 @@ export default BaseAuthenticator.extend({
*/
authenticate(identification, password) {
return new Promise((resolve, reject) => {
const { resourceName, identificationAttributeName } = this.getProperties('resourceName', 'identificationAttributeName');
const useXhr = this.get('rejectWithXhr');
const { resourceName, identificationAttributeName, tokenAttributeName } = this.getProperties('resourceName', 'identificationAttributeName', 'tokenAttributeName');
const data = {};
data[resourceName] = { password };
data[resourceName][identificationAttributeName] = identification;

return this.makeRequest(data).then(
(response) => run(null, resolve, response),
(xhr) => run(null, reject, xhr.responseJSON || xhr.responseText)
(response) => {
if (this._validate(response)) {
const resourceName = this.get('resourceName');
const _response = response[resourceName] ? response[resourceName] : response;
run(null, resolve, _response);
} else {
run(null, reject, `Check that server response includes ${tokenAttributeName} and ${identificationAttributeName}`);
}
},
(xhr) => run(null, reject, useXhr ? xhr : (xhr.responseJSON || xhr.responseText))
);
});
},
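Review bot: inside the success callback, `const resourceName = this.get('resourceName');` shadows the `resourceName` already destructured from `getProperties` a few lines above, and the unwrap `response[resourceName] ? response[resourceName] : response` repeats what `_validate` does internally. Drop the inner declaration and move the unwrap into one helper that both `_validate` and `authenticate` use, so the two cannot drift apart. Note also that `authenticate` can now reject with three different shapes (the validation string, the XHR, or `xhr.responseJSON || xhr.responseText`); the doc block for `authenticate` should list them so callers can tell a malformed server response from a failed login.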
Expand All @@ -139,16 +155,27 @@ export default BaseAuthenticator.extend({
*/
makeRequest(data, options) {
const serverTokenEndpoint = this.get('serverTokenEndpoint');
const requestOptions = $.extend({}, {
let requestOptions = {};
assign(requestOptions, {
url: serverTokenEndpoint,
type: 'POST',
dataType: 'json',
data,
beforeSend(xhr, settings) {
xhr.setRequestHeader('Accept', settings.accepts.json);
}
}, options || {});
});
assign(requestOptions, options || {});

return jQuery.ajax(requestOptions);
},

_validate(data) {
const tokenAttributeName = this.get('tokenAttributeName');
const identificationAttributeName = this.get('identificationAttributeName');
const resourceName = this.get('resourceName');
const _data = data[resourceName] ? data[resourceName] : data;

return $.ajax(requestOptions);
return !isEmpty(_data[tokenAttributeName]) && !isEmpty(_data[identificationAttributeName]);
}
});
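Review bot: `_validate` reads `data[resourceName]` without checking that `data` is an object, so an empty or `null` response body, or `restore` called with no stored data, throws a TypeError instead of returning false. In `authenticate` that throw happens inside the `makeRequest(data).then` success callback before either `run(null, resolve, ...)` or `run(null, reject, ...)` is reached, so the returned promise never settles; in `restore` the error is thrown synchronously rather than returned as a rejected promise. Add a guard such as `if (!data) { return false; }` at the top of `_validate`, and give the method a doc block marked `@private` like the other members of this class.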