Configurable token randomness (#67)

* Configurable token randomness * Add changelog entry for pull #67 * Update config call in generate_random_token and move randomness config to general section
Sorcery · Aug 3, 2017 · c9b8108 · c9b8108
1 parent bd7f530
commit c9b8108
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # Changelog
 ## HEAD
 
+* Add configuration for token randomness [#67](https://github.com/Sorcery/sorcery/pull/67)
 * Add facebook user_info_path option to initializer.rb [#63](https://github.com/Sorcery/sorcery/pull/63)
 
 ## 0.11.0

diff --git a/lib/generators/sorcery/templates/initializer.rb b/lib/generators/sorcery/templates/initializer.rb
@@ -29,6 +29,12 @@
   #
   # config.remember_me_httponly =
 
+  # Set token randomness. (e.g. user activation tokens)
+  # The length of the result string is about 4/3 of `token_randomness`.
+  # Default: `15`
+  #
+  # config.token_randomness =
+
   # -- session timeout --
   # How long in seconds to keep the session alive.
   # Default: `3600`

diff --git a/lib/sorcery/model/config.rb b/lib/sorcery/model/config.rb
@@ -35,6 +35,8 @@ class Config
       attr_accessor :email_delivery_method
       # an array of method names to call after configuration by user. used internally.
       attr_accessor :after_config
+      # Set token randomness
+      attr_accessor :token_randomness
 
       # change default encryption_provider.
       attr_reader :encryption_provider
@@ -61,7 +63,8 @@ def initialize
           :@subclasses_inherit_config            => false,
           :@before_authenticate                  => [],
           :@after_config                         => [],
-          :@email_delivery_method                => default_email_delivery_method
+          :@email_delivery_method                => default_email_delivery_method,
+          :@token_randomness                     => 15
         }
         reset!
       end

diff --git a/lib/sorcery/model/temporary_token.rb b/lib/sorcery/model/temporary_token.rb
@@ -7,12 +7,14 @@ module Model
     # such as reseting password and activating the user by email.
     module TemporaryToken
       def self.included(base)
+        # FIXME: This may not be the ideal way of passing sorcery_config to generate_random_token.
+        @sorcery_config = base.sorcery_config
         base.extend(ClassMethods)
       end
 
       # Random code, used for salt and temporary tokens.
       def self.generate_random_token
-        SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz')
+        SecureRandom.urlsafe_base64(@sorcery_config.token_randomness).tr('lIO0', 'sxyz')
       end
 
       module ClassMethods

diff --git a/spec/sorcery_temporary_token_spec.rb b/spec/sorcery_temporary_token_spec.rb
@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe Sorcery::Model::TemporaryToken do
+  describe '.generate_random_token' do
+    before do
+      sorcery_reload!
+    end
+
+    subject { Sorcery::Model::TemporaryToken.generate_random_token.length }
+
+    context 'token_randomness is 3' do
+      before do
+        sorcery_model_property_set(:token_randomness, 3)
+      end
+
+      it { is_expected.to eq 4 }
+    end
+
+    context 'token_randomness is 15' do
+      before do
+        sorcery_model_property_set(:token_randomness, 15)
+      end
+
+      it { is_expected.to eq 20 }
+    end
+  end
+end