graphql-devise · mcelicalderon · Oct 18, 2019 · Oct 18, 2019
diff --git a/app/graphql/graphql_devise/mutations/sign_up.rb b/app/graphql/graphql_devise/mutations/sign_up.rb
@@ -5,49 +5,45 @@ class SignUp < Base
       argument :password,              String, required: true
       argument :password_confirmation, String, required: true
       argument :confirm_success_url,   String, required: false
-      argument :config_name,           String, required: false
 
-      def resolve(confirm_success_url: nil, config_name: nil, **attrs)
+      def resolve(confirm_success_url: nil, **attrs)
         resource = resource_class.new(provider: provider, **attrs)
+        raise_user_error(I18n.t('graphql_devise.resource_build_failed')) if resource.blank?
 
-        if resource.present?
-          resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
+        redirect_url = confirm_success_url || DeviseTokenAuth.default_confirm_success_url
+        if confirmable_enabled? && redirect_url.blank?
+          raise_user_error(I18n.t('graphql_devise.registrations.missing_confirm_redirect_url'))
+        end
 
-          if resource.save
-            yield resource if block_given?
+        if blacklisted_redirect_url?(redirect_url)
+          raise_user_error(I18n.t('graphql_devise.registrations.redirect_url_not_allowed', redirect_url: redirect_url))
+        end
 
-            if requires_confirmation?(resource)
-              resource.send_confirmation_instructions(
-                client_config: config_name,
-                redirect_url:  confirm_success_url,
-                template_path: ['graphql_devise/mailer']
-              )
-            end
+        resource.skip_confirmation_notification! if resource.respond_to?(:skip_confirmation_notification!)
 
-            set_auth_headers(resource) if resource.active_for_authentication?
+        if resource.save
+          yield resource if block_given?
 
-            { authenticable: resource }
-          else
-            clean_up_passwords(resource)
-            raise_user_error_list(
-              I18n.t('graphql_devise.registration_failed'),
-              errors: resource.errors.full_messages
+          unless resource.confirmed?
+            resource.send_confirmation_instructions(
+              redirect_url:  confirm_success_url,
+              template_path: ['graphql_devise/mailer']
             )
           end
-        else
-          raise_user_error(I18n.t('graphql_devise.resource_build_failed'))
-        end
-      end
 
-      protected
+          set_auth_headers(resource) if resource.active_for_authentication?
 
-      def confirmable_enabled?(resource)
-        resource.respond_to?(:confirmed_at)
+          { authenticable: resource }
+        else
+          clean_up_passwords(resource)
+          raise_user_error_list(
+            I18n.t('graphql_devise.registration_failed'),
+            errors: resource.errors.full_messages
+          )
+        end
       end
 
-      def requires_confirmation?(resource)
-        resource.active_for_authentication? || !resource.confirmed?
-      end
+      private
 
       def provider
         :email

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -5,6 +5,9 @@ en:
     not_authenticated: "User is not logged in."
     user_not_found: "User was not found or was not logged in."
     invalid_resource: "Errors present in the resource."
+    registrations:
+      missing_confirm_redirect_url: "Missing 'confirm_success_url' parameter. Required when confirmable module is enabled."
+      redirect_url_not_allowed: "Redirect to '%{redirect_url}' not allowed."
     passwords:
       update_password_error: "Unable to update user password"
       missing_passwords: "You must fill out the fields labeled 'Password' and 'Password confirmation'."

diff --git a/lib/graphql_devise/concerns/controller_methods.rb b/lib/graphql_devise/concerns/controller_methods.rb
@@ -47,6 +47,10 @@ def confirmable_enabled?
         resource_class.devise_modules.include?(:confirmable)
       end
 
+      def blacklisted_redirect_url?(redirect_url)
+        DeviseTokenAuth.redirect_whitelist && !DeviseTokenAuth::Url.whitelisted?(redirect_url)
+      end
+
       def current_resource
         @current_resource ||= controller.send(:set_user_by_token, resource_name)
       end

diff --git a/spec/dummy/app/models/guest.rb b/spec/dummy/app/models/guest.rb
@@ -2,8 +2,7 @@ class Guest < ApplicationRecord
   devise :database_authenticatable,
          :registerable,
          :recoverable,
-         :validatable,
-         :confirmable
+         :validatable
 
   include GraphqlDevise::Concerns::Model
 end
diff --git a/spec/dummy/config/routes.rb b/spec/dummy/config/routes.rb
@@ -13,7 +13,7 @@
 
   mount_graphql_devise_for(
     'Guest',
-    only: [:login, :logout],
+    only: [:login, :logout, :sign_up],
     at:   '/api/v1/guest/graphql_auth'
   )
 

diff --git a/spec/requests/mutations/sign_up_spec.rb b/spec/requests/mutations/sign_up_spec.rb
@@ -122,12 +122,8 @@
       GRAPHQL
     end
 
-    before { post_request }
-
-    it 'skips the sign up mutation' do
-      expect(json_response[:errors]).to contain_exactly(
-        hash_including(message: "Field 'guestSignUp' doesn't exist on type 'Mutation'")
-      )
+    it 'works without the confirmable module' do
+      expect { post_request }.to change(Guest, :count).from(0).to(1)
     end
   end
 end