aerogel-users 1.4.3

data/assets/README.md

@@ -0,0 +1 @@
+All subfolders of this one will be served by Sprockets pipeline. Exact names, i.e. ```css/``` and ```scripts/```, are irrelevant and serve only for better organization of assets.

data/config/auth.conf

@@ -0,0 +1,43 @@
+auth {
+  providers {
+    #
+    # Known providers
+    #
+    password {
+      name "Email & Password"
+      gem_name nil
+      icon "fa-user"
+    }
+
+    github {
+      name "GitHub"
+      gem_name "omniauth-github"
+      icon "fa-github-square"
+    }
+
+    facebook {
+      name "Facebook"
+      gem_name "omniauth-facebook"
+      icon "fa-facebook-square"
+    }
+
+    twitter {
+      name "Twitter"
+      gem_name "omniauth-twitter"
+      icon "fa-twitter-square"
+    }
+
+    linkedin {
+      name "LinkedIn"
+      gem_name "omniauth-linkedin-oauth2"
+      icon "fa-linkedin-square"
+    }
+
+    vkontakte {
+      name "Vkontakte"
+      gem_name "omniauth-vkontakte"
+      icon "fa-vk"
+    }
+
+  }
+}

data/db/model/access.rb

@@ -0,0 +1,67 @@
+class Access
+
+  include Model
+
+  READ = :R
+  WRITE = :RW
+  ACCESS_TYPES = [READ, WRITE]
+
+  field :path, type: String
+  field :access, type: Symbol
+  field :role, type: Symbol
+  field :path_matcher, type: Regexp
+
+  validates_presence_of :path, :access, :role
+  validates :access, inclusion: { in: ACCESS_TYPES }
+
+  validate do |record|
+    # validate roles
+    if record.role_changed?
+      unless Role.slugs.include? record.role
+        record.errors.add :role, :invalid
+      end
+    end
+  end
+
+  # Sets path pattern for the rule and compiles it to path matcher Regexp.
+  #
+  def path=( value )
+    self.path_matcher = self.class.compile_matcher value
+    super( value )
+  end
+
+  # Returns true if the rule matches path.
+  #
+  def match?( path )
+    path_matcher =~ path
+  end
+
+  # Returns true if the rule permits requested access.
+  # +path+ should match this rule's path
+  # +access+ should be granted by this rule
+  # +roles+ should include rule's role
+  #
+  def grants?( path, access, roles )
+    roles = [*roles]
+    self.match?( path ) && ( self.access == WRITE || self.access == access ) && roles.include?( role )
+  end
+
+  # Returns list of rules that restrict access to the given +path+.
+  #
+  def self.rules_for_path( path )
+    self.all.select{|r| r.match? path }
+  end
+
+
+private
+
+  # Returns Regexp matcher for given +path+ pattern.
+  #
+  def self.compile_matcher( path )
+    re = path.gsub(/\*{1,2}/) do |match|
+      match == "**" ? ".*" : "[^\/]*"
+    end
+    Regexp.new "^#{re}$"
+  end
+
+end # class Access

data/db/model/authentication.rb

@@ -0,0 +1,54 @@
+class Authentication
+
+  include Model
+  include Aerogel::Db::SecurePassword
+
+  VALID_PROVIDERS = Aerogel::Auth.providers.keys
+
+  embedded_in :user
+
+  field :provider, type: Symbol
+  field :uid, type: String
+  field :info, type: Hash
+
+  # has one :email (through embedded user.emails), optional
+  field :email_id, type: String
+
+  field :password_reset_token, type: String
+
+  use_secure_password
+
+
+  # validations:
+  validates_presence_of :provider, :uid
+  validates :provider, inclusion: { in: VALID_PROVIDERS }
+  # validates :password, length: { minimum: 8 }, allow_nil: true
+
+  # validates uniqueness of provider & uid among all users
+  validate do |record|
+    if User.elem_match( :authentications => { :provider => record.provider, :uid => record.uid, :_id.ne => record.id } ).count > 0
+      record.errors.add :uid, :unique
+    end
+  end
+
+  # Only validate password if provider is :password
+  #
+  def validate_password?
+    provider == :password
+  end
+
+  # virtual attributes:
+
+  # Returns email associated with this Authentication
+  #
+  def email
+    user.emails.where( email: self.email_id ).first
+  end
+
+
+  # methods:
+
+
+end # class Authentication
+
+

data/db/model/role.rb

@@ -0,0 +1,17 @@
+class Role
+
+  include Model
+
+  field :name, type: String
+  field :slug, type: Symbol
+
+  validates_presence_of :name, :slug
+  validates_uniqueness_of :slug
+
+  # Returns lisf of registered slugs
+  #
+  def self.slugs
+    self.only(:slug).map(&:slug)
+  end
+
+end # class Role

data/db/model/user.rb

@@ -0,0 +1,223 @@
+require 'securerandom'
+
+class User
+
+  include Model
+  include Model::Timestamps
+
+  field :full_name, type: String
+  field :roles, type: Array
+  field :authenticated_at, type: Time
+
+  validates_presence_of :full_name
+
+  embeds_many :authentications
+  accepts_nested_attributes_for :authentications
+
+  embeds_many :emails, class_name: "UserEmail"
+  accepts_nested_attributes_for :emails
+
+
+
+  # validations:
+  validate do |record|
+    # validate roles
+    if record.roles_changed?
+      unless Role.slugs.contains? record.roles
+        record.errors.add :roles, :invalid_roles
+      end
+    end
+  end
+
+  # accessors:
+  def roles=( value )
+    if value.is_a? Array
+      self[:roles] = value.map(&:to_sym)
+    elsif value.is_a? String
+      self[:roles] = value.split(",").map{|v| v.strip.to_sym}
+    else
+      raise ArgumentError.new "Invalid value of class #{value.class} passed to roles= setter"
+    end
+  end
+
+  # methods:
+
+  # Find user authenticated by provider and params.
+  #
+  # For Password strategy, corresponding Authentication is found
+  # by params[:uid] and params[:password].
+  #
+  # For other strategies (github, facebook, twitter etc) only params[:uid] is used
+  #
+  def self.authenticate( provider, params )
+    logger.warn( "User.authenticate: #{provider} #{params}")
+    user = find_by_authentication( provider, params['uid'] )
+    return nil unless user
+    if provider == :password
+      a = user.authentications.where( provider: provider, uid: params['uid'] ).first
+      if a.password_is? params['password']
+        user
+      else
+        nil
+      end
+    else
+      user
+      # self.elem_match( :authentications => { provider: provider, uid: params['uid'] } ).first
+    end
+  end
+
+  # Finds user by authentication (provider & uid).
+  #
+  def self.find_by_authentication( provider, uid )
+    self.elem_match( :authentications => { provider: provider, uid: uid } ).first
+  end
+
+
+  # Creates a User from another +object+.
+  # +object+ may be a UserRegistrationForm.
+  #
+  def self.create_from( object )
+    raise "Cannot create User from #{object.class}" unless object.is_a? UserRegistrationForm
+
+    self.new(
+      full_name: object.full_name,
+      roles: [:user],
+      emails: [{
+        email: object.email,
+        confirmed: false
+      }],
+      authentications: [{
+        provider: :password,
+        uid: object.email,
+        email_id: object.email,
+        password: object.password,
+        password_confirmation: object.password_confirmation
+      }]
+    )
+  end
+
+  # Creates a User from omniauth AuthHash
+  #
+  def self.create_from_omniauth( omniauth_hash )
+    raise "Cannot create User from #{omniauth_hash.class}" unless omniauth_hash.is_a? OmniAuth::AuthHash
+
+    info = omniauth_hash['info'].to_hash
+    emails = []
+    emails << { email: info['email'], confirmed: false } if info['email']
+    self.new(
+      full_name: info['name'],
+      roles: [:user],
+      emails: emails,
+      authentications: [{
+        provider: omniauth_hash.provider.to_sym,
+        uid: omniauth_hash.uid,
+        info: info
+      }]
+    )
+  end
+
+  # Generates secure confirmation token using +seed+ for random
+  #
+  def self.generate_confirmation_token()
+    SecureRandom::hex
+  end
+
+  # Requests activation of newly registered user:
+  # requests confirmation of email used in password authentication.
+  #
+  def request_activation!
+    object = emails.first
+    request_email_confirmation!( object.email )
+  end
+
+  # Activates account: confirms user email used in password authentication.
+  # Returns corresponding User object on success.
+  # Raises error if confirmation fails.
+  #
+  def self.activate!( email, token )
+    confirm_email! email, token
+  end
+
+  # Returns +true+ if user is activated and password authentication uses +email+.
+  #
+  def activated?( email )
+    a = authentications.where( uid: email ).first
+    return false unless a
+    a.email.email == email && a.email.confirmed
+  end
+
+
+  # Requests confirmation of given email address.
+  # Returns corresponding UserEmail object with newly generated confirmation_token
+  #
+  def request_email_confirmation!( email )
+    object = emails.where( email: email ).first
+    raise "Email '#{email}' does not belong to user" unless object
+    object.confirmation_token = User.generate_confirmation_token
+    object.save!
+    object
+  end
+
+  # Confirms user email using previously issued token.
+  # Returns corresponding User object on success.
+  # Raises error if confirmation fails.
+  #
+  def self.confirm_email!( email, token )
+    user = self.where( 'emails.email' => email ).first
+    raise NotFoundError.new :user_not_found unless user
+    user_email = user.emails.where( email: email ).first
+    raise NotFoundError.new :user_email_not_found unless user_email
+    raise InvalidOperationError.new :email_already_confirmed if user_email.confirmed?
+    raise InvalidOperationError.new :invalid_confirmation_token if !token.nil? && user_email.confirmation_token != token
+    user_email.confirmed = true
+    user_email.save!
+    user
+  end
+
+  # Requests password reset of authentication with given email address.
+  # Returns corresponding Authentication object with newly generated password_reset_token
+  #
+  def request_password_reset!( email )
+    object = authentications.where( provider: :password, uid: email ).first
+    raise NotFoundError.new "Failed to find password authentication for user with email:'#{email}'" unless object
+    object.password_reset_token = User.generate_confirmation_token
+    object.save!
+    object
+  end
+
+  # Resets user password using previously issued token.
+  # Returns corresponding User object on success.
+  # Raises error if password reset fails.
+  #
+  def self.reset_password!( email, token, password, password_confirmation )
+    user = self.where( 'emails.email' => email ).first
+    raise NotFoundError.new "Failed to find user by email" unless user
+    authentication = user.authentications.where( provider: :password, uid: email ).first
+    raise NotFoundError.new "Failed to find password authentication for user with email:'#{email}'" unless authentication
+    raise "Password reset is not requested" if authentication.password_reset_token.nil?
+    raise "Password reset token is invalid" if authentication.password_reset_token != token
+    authentication.password = password
+    authentication.password_confirmation = password_confirmation
+    authentication.password_reset_token = nil
+    authentication.save!
+    user
+  end
+
+
+  # Updates authenticated_at, does not change other timestamps.
+  # Resets password_reset_token if :provider is 'password'
+  # Returns self.
+  #
+  def authenticated!( opts = {} )
+    self.timeless.update_attributes authenticated_at: Time.now
+    if opts[:provider] == 'password'
+      authentication = self.authentications.where( provider: :password, uid: opts[:uid] ).first
+      unless authentication.password_reset_token.nil?
+        authentication.update_attributes password_reset_token: nil
+      end
+    end
+    self
+  end
+
+end # class User
+

data/db/model/user_email.rb

@@ -0,0 +1,24 @@
+class UserEmail
+
+  include Model
+
+  field :email, type: String
+  field :confirmed, type: Boolean
+  field :confirmation_token, type: String
+
+  embedded_in :user
+
+  # validates uniqueness of email among all users
+  validate do |record|
+    if User.elem_match( :emails => { :email => record.email, :_id.ne => record.id } ).count > 0
+      record.errors.add :email, :unique
+    end
+  end
+
+  # Returns Authentication associated with email, if any
+  #
+  # def authentication
+  #  user.authentications.where( email_id: self.id )
+  # end
+
+end # class UserEmail

data/db/model/user_registration_form.rb

@@ -0,0 +1,23 @@
+class UserRegistrationForm
+
+  include Model::NonPersistent
+
+  field :full_name, type: String
+  field :email, type: String
+  field :password, type: String
+
+  validates_presence_of :full_name, :email, :password, :password_confirmation
+  validates_confirmation_of :password
+  validates_format_of :email, with: /@/, message: :invalid_format
+
+  # validates uniqueness of provider & uid (email) among all users
+  validate do |record|
+    if User.elem_match( :authentications => { :provider => :password, :uid => record.email } ).count > 0
+      record.errors.add :email, :taken
+    elsif User.elem_match( :emails => { :email => record.email } ).count > 0
+      record.errors.add :email, :taken
+    end
+  end
+
+
+end # class UserRegistrationForm