Users with allowed unconfirmed access can now log in successfully.

app/controllers/devise_token_auth/sessions_controller.rb

@@ -24,7 +24,7 @@ def create
         @resource = resource_class.where(q, q_value).first
       end
 
-      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and @resource.confirmed?
+      if @resource and valid_params?(field, q_value) and @resource.valid_password?(resource_params[:password]) and (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         # create client id
         @client_id = SecureRandom.urlsafe_base64(nil, false)
         @token     = SecureRandom.urlsafe_base64(nil, false)
@@ -41,7 +41,7 @@ def create
           data: @resource.token_validation_response
         }
 
-      elsif @resource and not @resource.confirmed?
+      elsif @resource and not (!@resource.respond_to?(:active_for_authentication?) or @resource.active_for_authentication?)
         render json: {
           success: false,
           errors: [

test/controllers/devise_token_auth/sessions_controller_test.rb

@@ -181,6 +181,58 @@ class DeviseTokenAuth::SessionsControllerTest < ActionController::TestCase
       end
     end
 
+    describe "Unconfirmed user with allowed unconfirmed access" do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = 3.days
+        @recent_unconfirmed_user = users(:recent_unconfirmed_email_user)
+        xhr :post, :create, {
+          email: @recent_unconfirmed_user.email,
+          password: 'secret123'
+        }
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+
+      test "request should succeed" do
+        assert_equal 200, response.status
+      end
+
+      test "request should return user data" do
+        assert_equal @recent_unconfirmed_user.email, @data['data']['email']
+      end
+    end
+
+    describe "Unconfirmed user with expired unconfirmed access" do
+      before do
+        @original_duration = Devise.allow_unconfirmed_access_for
+        Devise.allow_unconfirmed_access_for = 3.days
+        @unconfirmed_user = users(:unconfirmed_email_user)
+        xhr :post, :create, {
+          email: @unconfirmed_user.email,
+          password: 'secret123'
+        }
+        @resource = assigns(:resource)
+        @data = JSON.parse(response.body)
+      end
+
+      after do
+        Devise.allow_unconfirmed_access_for = @original_duration
+      end
+
+      test "request should fail" do
+        assert_equal 401, response.status
+      end
+
+      test "response should contain errors" do
+        assert @data['errors']
+      end
+    end
+
     describe "Non-existing user" do
       before do
         xhr :post, :create, {

test/fixtures/users.yml

@@ -28,3 +28,15 @@ unconfirmed_email_user:
   created_at:         '<%= timestamp %>'
   updated_at:         '<%= timestamp %>'
   encrypted_password: <%= User.new.send(:password_digest, 'secret123') %>
+  confirmation_sent_at: '<%= timestamp %>'
+
+<% @recent_unconfirmed_email = Faker::Internet.email %>
+<% recent_timestamp = DateTime.parse(1.day.ago.to_s).to_time.strftime("%F %T") %>
+recent_unconfirmed_email_user:
+  uid:                "<%= @recent_unconfirmed_email %>"
+  email:              "<%= @recent_unconfirmed_email %>"
+  provider:           'email'
+  created_at:         '<%= timestamp %>'
+  updated_at:         '<%= timestamp %>'
+  encrypted_password: <%= User.new.send(:password_digest, 'secret123') %>
+  confirmation_sent_at: '<%= recent_timestamp %>'