lynndylanhurley · danielneis · Jun 29, 2016 · Jun 29, 2016 · Jun 30, 2016 · Sep 4, 2017
diff --git a/app/controllers/devise_token_auth/concerns/resource_finder.rb b/app/controllers/devise_token_auth/concerns/resource_finder.rb
@@ -12,14 +12,26 @@ def get_case_insensitive_field_from_resource_params(field)
     q_value
   end
 
-  def find_resource(field, value)
-    # fix for mysql default case insensitivity
-    q = "#{field.to_s} = ? AND provider='#{provider.to_s}'"
-    if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
-      q = "BINARY " + q
+  def find_resource
+
+    fields = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys)
+
+    conditions = []
+    values = {}
+    fields.each do |field|
+      condition = " #{field.to_s} = :#{field.to_s} "
+      # fix for mysql default case insensitivity
+      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+        condition = "BINARY " + condition
+      end
+      conditions.push(condition)
+      values[field.to_sym] = get_case_insensitive_field_from_resource_params(field)
     end
 
-    @resource = resource_class.where(q, value).first
+    conditions.push(' provider = :provider')
+    values[:provider] = provider.to_s
+
+    @resource = resource_class.where([conditions.join(' AND '), values]).first
   end
 
   def resource_class(m=nil)

diff --git a/app/controllers/devise_token_auth/passwords_controller.rb b/app/controllers/devise_token_auth/passwords_controller.rb
@@ -28,7 +28,7 @@ def create
       end
 
       @email = get_case_insensitive_field_from_resource_params(:email)
-      @resource = find_resource(:uid, @email)
+      @resource = find_resource
 
       @errors = nil
       @error_status = 400

diff --git a/app/controllers/devise_token_auth/sessions_controller.rb b/app/controllers/devise_token_auth/sessions_controller.rb
@@ -10,16 +10,10 @@ def new
 
     def create
       # Check
-      field = (resource_params.keys.map(&:to_sym) & resource_class.authentication_keys).first
 
-      @resource = nil
-      if field
-        q_value = get_case_insensitive_field_from_resource_params(field)
+      @resource = find_resource
 
-        @resource = find_resource(field, q_value)
-      end
-
-      if @resource && valid_params?(field, q_value) && ([email protected]_to?(:active_for_authentication?) || @resource.active_for_authentication?)
+      if @resource && ([email protected]_to?(:active_for_authentication?) || @resource.active_for_authentication?)
         valid_password = @resource.valid_password?(resource_params[:password])
         if (@resource.respond_to?(:valid_for_authentication?) && [email protected]_for_authentication? { valid_password }) || !valid_password
           render_create_error_bad_credentials

diff --git a/app/controllers/devise_token_auth/unlocks_controller.rb b/app/controllers/devise_token_auth/unlocks_controller.rb
@@ -10,7 +10,7 @@ def create
       end
 
       @email = get_case_insensitive_field_from_resource_params(:email)
-      @resource = find_resource(:email, @email)
+      @resource = find_resource
 
       @errors = nil
       @error_status = 400