af-devise 2.1.2

data/lib/devise.rb

@@ -0,0 +1,444 @@
+require 'rails'
+require 'active_support/core_ext/numeric/time'
+require 'active_support/dependencies'
+require 'orm_adapter'
+require 'set'
+require 'securerandom'
+
+module Devise
+  autoload :Delegator,     'devise/delegator'
+  autoload :FailureApp,    'devise/failure_app'
+  autoload :OmniAuth,      'devise/omniauth'
+  autoload :ParamFilter,   'devise/param_filter'
+  autoload :TestHelpers,   'devise/test_helpers'
+  autoload :TimeInflector, 'devise/time_inflector'
+
+  module Controllers
+    autoload :Helpers, 'devise/controllers/helpers'
+    autoload :Rememberable, 'devise/controllers/rememberable'
+    autoload :ScopedViews, 'devise/controllers/scoped_views'
+    autoload :UrlHelpers, 'devise/controllers/url_helpers'
+  end
+
+  module Mailers
+    autoload :Helpers, 'devise/mailers/helpers'
+  end
+
+  module Strategies
+    autoload :Base, 'devise/strategies/base'
+    autoload :Authenticatable, 'devise/strategies/authenticatable'
+  end
+
+  # Constants which holds devise configuration for extensions. Those should
+  # not be modified by the "end user" (this is why they are constants).
+  ALL         = []
+  CONTROLLERS = ActiveSupport::OrderedHash.new
+  ROUTES      = ActiveSupport::OrderedHash.new
+  STRATEGIES  = ActiveSupport::OrderedHash.new
+  URL_HELPERS = ActiveSupport::OrderedHash.new
+
+  # Strategies that do not require user input.
+  NO_INPUT = []
+
+  # True values used to check params
+  TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
+
+  # Custom domain for cookies. Not set by default
+  mattr_accessor :rememberable_options
+  @@rememberable_options = {}
+
+  # The number of times to encrypt password.
+  mattr_accessor :stretches
+  @@stretches = 10
+
+  # Keys used when authenticating a user.
+  mattr_accessor :authentication_keys
+  @@authentication_keys = [ :email ]
+
+  # Request keys used when authenticating a user.
+  mattr_accessor :request_keys
+  @@request_keys = []
+
+  # Keys that should be case-insensitive.
+  mattr_accessor :case_insensitive_keys
+  @@case_insensitive_keys = [ :email ]
+
+  # Keys that should have whitespace stripped.
+  mattr_accessor :strip_whitespace_keys
+  @@strip_whitespace_keys = []
+
+  # If http authentication is enabled by default.
+  mattr_accessor :http_authenticatable
+  @@http_authenticatable = false
+
+  # If http headers should be returned for ajax requests. True by default.
+  mattr_accessor :http_authenticatable_on_xhr
+  @@http_authenticatable_on_xhr = true
+
+  # If params authenticatable is enabled by default.
+  mattr_accessor :params_authenticatable
+  @@params_authenticatable = true
+
+  # The realm used in Http Basic Authentication.
+  mattr_accessor :http_authentication_realm
+  @@http_authentication_realm = "Application"
+
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  mattr_accessor :email_regexp
+  @@email_regexp = /\A[^@]+@([^@\.]+\.)+[^@\.]+\z/
+
+  # Range validation for password length
+  mattr_accessor :password_length
+  @@password_length = 6..128
+
+  # The time the user will be remembered without asking for credentials again.
+  mattr_accessor :remember_for
+  @@remember_for = 2.weeks
+
+  # If true, extends the user's remember period when remembered via cookie.
+  mattr_accessor :extend_remember_period
+  @@extend_remember_period = false
+
+  # Time interval you can access your account before confirming your account.
+  mattr_accessor :allow_unconfirmed_access_for
+  @@allow_unconfirmed_access_for = 0.days
+
+  # Time interval the confirmation token is valid. nil = unlimited
+  mattr_accessor :confirm_within
+  @@confirm_within = nil
+
+  # Defines which key will be used when confirming an account.
+  mattr_accessor :confirmation_keys
+  @@confirmation_keys = [ :email ]
+
+  # Defines if email should be reconfirmable.
+  # False by default for backwards compatibility.
+  mattr_accessor :reconfirmable
+  @@reconfirmable = false
+
+  # Time interval to timeout the user session without activity.
+  mattr_accessor :timeout_in
+  @@timeout_in = 30.minutes
+
+  # Authentication token expiration on timeout
+  mattr_accessor :expire_auth_token_on_timeout
+  @@expire_auth_token_on_timeout = false
+
+  # Used to encrypt password. Please generate one with rake secret.
+  mattr_accessor :pepper
+  @@pepper = nil
+
+  # Scoped views. Since it relies on fallbacks to render default views, it's
+  # turned off by default.
+  mattr_accessor :scoped_views
+  @@scoped_views = false
+
+  # Defines which strategy can be used to lock an account.
+  # Values: :failed_attempts, :none
+  mattr_accessor :lock_strategy
+  @@lock_strategy = :failed_attempts
+
+  # Defines which key will be used when locking and unlocking an account
+  mattr_accessor :unlock_keys
+  @@unlock_keys = [ :email ]
+
+  # Defines which strategy can be used to unlock an account.
+  # Values: :email, :time, :both
+  mattr_accessor :unlock_strategy
+  @@unlock_strategy = :both
+
+  # Number of authentication tries before locking an account
+  mattr_accessor :maximum_attempts
+  @@maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is defined as unlock_strategy.
+  mattr_accessor :unlock_in
+  @@unlock_in = 1.hour
+
+  # Defines which key will be used when recovering the password for an account
+  mattr_accessor :reset_password_keys
+  @@reset_password_keys = [ :email ]
+
+  # Time interval you can reset your password with a reset password key
+  mattr_accessor :reset_password_within
+  @@reset_password_within = 6.hours
+
+  # The default scope which is used by warden.
+  mattr_accessor :default_scope
+  @@default_scope = nil
+
+  # Address which sends Devise e-mails.
+  mattr_accessor :mailer_sender
+  @@mailer_sender = nil
+
+  # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
+  mattr_accessor :token_authentication_key
+  @@token_authentication_key = :auth_token
+
+  # Skip session storage for the following strategies
+  mattr_accessor :skip_session_storage
+  @@skip_session_storage = []
+
+  # Which formats should be treated as navigational.
+  mattr_accessor :navigational_formats
+  @@navigational_formats = ["*/*", :html]
+
+  # When set to true, signing out a user signs out all other scopes.
+  mattr_accessor :sign_out_all_scopes
+  @@sign_out_all_scopes = true
+
+  # The default method used while signing out
+  mattr_accessor :sign_out_via
+  @@sign_out_via = :get
+
+  # The parent controller all Devise controllers inherits from.
+  # Defaults to ApplicationController. This should be set early
+  # in the initialization process and should be set to a string.
+  mattr_accessor :parent_controller
+  @@parent_controller = "ApplicationController"
+
+  # The router Devise should use to generate routes. Defaults
+  # to :main_app. Should be overriden by engines in order
+  # to provide custom routes.
+  mattr_accessor :router_name
+  @@router_name = nil
+
+  # Set the omniauth path prefix so it can be overriden when
+  # Devise is used in a mountable engine
+  mattr_accessor :omniauth_path_prefix
+  @@omniauth_path_prefix = nil
+
+  def self.encryptor=(value)
+    warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
+  end
+
+  def self.use_salt_as_remember_token=(value)
+    warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
+  end
+
+  def self.apply_schema=(value)
+    warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
+  end
+
+  # PRIVATE CONFIGURATION
+
+  # Store scopes mappings.
+  mattr_reader :mappings
+  @@mappings = ActiveSupport::OrderedHash.new
+
+  # Omniauth configurations.
+  mattr_reader :omniauth_configs
+  @@omniauth_configs = ActiveSupport::OrderedHash.new
+
+  # Define a set of modules that are called when a mapping is added.
+  mattr_reader :helpers
+  @@helpers = Set.new
+  @@helpers << Devise::Controllers::Helpers
+
+  # Private methods to interface with Warden.
+  mattr_accessor :warden_config
+  @@warden_config = nil
+  @@warden_config_block = nil
+
+  # When true, enter in paranoid mode to avoid user enumeration.
+  mattr_accessor :paranoid
+  @@paranoid = false
+
+  # Default way to setup Devise. Run rails generate devise_install to create
+  # a fresh initializer with all configuration values.
+  def self.setup
+    yield self
+  end
+
+  class Getter
+    def initialize name
+      @name = name
+    end
+
+    def get
+      ActiveSupport::Dependencies.constantize(@name)
+    end
+  end
+
+  def self.ref(arg)
+    if defined?(ActiveSupport::Dependencies::ClassCache)
+      ActiveSupport::Dependencies::reference(arg)
+      Getter.new(arg)
+    else
+      ActiveSupport::Dependencies.ref(arg)
+    end
+  end
+
+  def self.available_router_name
+    router_name || :main_app
+  end
+
+  def self.omniauth_providers
+    omniauth_configs.keys
+  end
+
+  # Get the mailer class from the mailer reference object.
+  def self.mailer
+    @@mailer_ref.get
+  end
+
+  # Set the mailer reference object to access the mailer.
+  def self.mailer=(class_name)
+    @@mailer_ref = ref(class_name)
+  end
+  self.mailer = "Devise::Mailer"
+
+  # Small method that adds a mapping to Devise.
+  def self.add_mapping(resource, options)
+    mapping = Devise::Mapping.new(resource, options)
+    @@mappings[mapping.name] = mapping
+    @@default_scope ||= mapping.name
+    @@helpers.each { |h| h.define_helpers(mapping) }
+    mapping
+  end
+
+  # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
+  #
+  # == Options:
+  #
+  #   +model+      - String representing the load path to a custom *model* for this module (to autoload.)
+  #   +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
+  #   +route+      - Symbol representing the named *route* helper for this module.
+  #   +strategy+   - Symbol representing if this module got a custom *strategy*.
+  #
+  # All values, except :model, accept also a boolean and will have the same name as the given module
+  # name.
+  #
+  # == Examples:
+  #
+  #   Devise.add_module(:party_module)
+  #   Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
+  #   Devise.add_module(:party_module, :model => 'party_module/model')
+  #
+  def self.add_module(module_name, options = {})
+    ALL << module_name
+    options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
+
+    if strategy = options[:strategy]
+      strategy = (strategy == true ? module_name : strategy)
+      STRATEGIES[module_name] = strategy
+    end
+
+    if controller = options[:controller]
+      controller = (controller == true ? module_name : controller)
+      CONTROLLERS[module_name] = controller
+    end
+
+    NO_INPUT << strategy if options[:no_input]
+
+    if route = options[:route]
+      case route
+      when TrueClass
+        key, value = module_name, []
+      when Symbol
+        key, value = route, []
+      when Hash
+        key, value = route.keys.first, route.values.flatten
+      else
+        raise ArgumentError, ":route should be true, a Symbol or a Hash"
+      end
+
+      URL_HELPERS[key] ||= []
+      URL_HELPERS[key].concat(value)
+      URL_HELPERS[key].uniq!
+
+      ROUTES[module_name] = key
+    end
+
+    if options[:model]
+      path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
+      camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
+      Devise::Models.send(:autoload, camelized.to_sym, path)
+    end
+
+    Devise::Mapping.add_module module_name
+  end
+
+  # Sets warden configuration using a block that will be invoked on warden
+  # initialization.
+  #
+  #  Devise.initialize do |config|
+  #    config.allow_unconfirmed_access_for = 2.days
+  #
+  #    config.warden do |manager|
+  #      # Configure warden to use other strategies, like oauth.
+  #      manager.oauth(:twitter)
+  #    end
+  #  end
+  def self.warden(&block)
+    @@warden_config_block = block
+  end
+
+  # Specify an omniauth provider.
+  #
+  #   config.omniauth :github, APP_ID, APP_SECRET
+  #
+  def self.omniauth(provider, *args)
+    @@helpers << Devise::OmniAuth::UrlHelpers
+    config = Devise::OmniAuth::Config.new(provider, args)
+    @@omniauth_configs[config.strategy_name.to_sym] = config
+  end
+
+  # Include helpers in the given scope to AC and AV.
+  def self.include_helpers(scope)
+    ActiveSupport.on_load(:action_controller) do
+      include scope::Helpers if defined?(scope::Helpers)
+      include scope::UrlHelpers
+    end
+
+    ActiveSupport.on_load(:action_view) do
+      include scope::UrlHelpers
+    end
+  end
+
+  # Regenerates url helpers considering Devise.mapping
+  def self.regenerate_helpers!
+    Devise::Controllers::UrlHelpers.remove_helpers!
+    Devise::Controllers::UrlHelpers.generate_helpers!
+  end
+
+  # A method used internally to setup warden manager from the Rails initialize
+  # block.
+  def self.configure_warden! #:nodoc:
+    @@warden_configured ||= begin
+      warden_config.failure_app   = Devise::Delegator.new
+      warden_config.default_scope = Devise.default_scope
+      warden_config.intercept_401 = false
+
+      Devise.mappings.each_value do |mapping|
+        warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
+      end
+
+      @@warden_config_block.try :call, Devise.warden_config
+      true
+    end
+  end
+
+  # Generate a friendly string randomically to be used as token.
+  def self.friendly_token
+    SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
+  end
+
+  # constant-time comparison algorithm to prevent timing attacks
+  def self.secure_compare(a, b)
+    return false if a.blank? || b.blank? || a.bytesize != b.bytesize
+    l = a.unpack "C#{a.bytesize}"
+
+    res = 0
+    b.each_byte { |byte| res |= byte ^ l.shift }
+    res == 0
+  end
+end
+
+require 'warden'
+require 'devise/mapping'
+require 'devise/models'
+require 'devise/modules'
+require 'devise/rails'

data/lib/devise/controllers/helpers.rb

@@ -0,0 +1,285 @@
+module Devise
+  module Controllers
+    # Those helpers are convenience methods added to ApplicationController.
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        helper_method :warden, :signed_in?, :devise_controller?
+      end
+
+      module ClassMethods
+        def log_process_action(payload)
+          payload[:status] ||= 401 unless payload[:exception]
+          super
+        end
+      end
+
+      # Define authentication filters and accessor helpers based on mappings.
+      # These filters should be used inside the controllers as before_filters,
+      # so you can control the scope of the user who should be signed in to
+      # access that specific controller/action.
+      # Example:
+      #
+      #   Roles:
+      #     User
+      #     Admin
+      #
+      #   Generated methods:
+      #     authenticate_user!  # Signs user in or redirect
+      #     authenticate_admin! # Signs admin in or redirect
+      #     user_signed_in?     # Checks whether there is a user signed in or not
+      #     admin_signed_in?    # Checks whether there is an admin signed in or not
+      #     current_user        # Current signed in user
+      #     current_admin       # Current signed in admin
+      #     user_session        # Session data available only to the user scope
+      #     admin_session       # Session data available only to the admin scope
+      #
+      #   Use:
+      #     before_filter :authenticate_user!  # Tell devise to use :user map
+      #     before_filter :authenticate_admin! # Tell devise to use :admin map
+      #
+      def self.define_helpers(mapping) #:nodoc:
+        mapping = mapping.name
+
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def authenticate_#{mapping}!(opts={})
+            opts[:scope] = :#{mapping}
+            warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
+          end
+
+          def #{mapping}_signed_in?
+            !!current_#{mapping}
+          end
+
+          def current_#{mapping}
+            @current_#{mapping} ||= warden.authenticate(:scope => :#{mapping})
+          end
+
+          def #{mapping}_session
+            current_#{mapping} && warden.session(:#{mapping})
+          end
+        METHODS
+
+        ActiveSupport.on_load(:action_controller) do
+          helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+        end
+      end
+
+      # The main accessor for the warden proxy instance
+      def warden
+        request.env['warden']
+      end
+
+      # Return true if it's a devise_controller. false to all controllers unless
+      # the controllers defined inside devise. Useful if you want to apply a before
+      # filter to all controllers, except the ones in devise:
+      #
+      #   before_filter :my_filter, :unless => :devise_controller?
+      def devise_controller?
+        is_a?(DeviseController)
+      end
+
+      # Tell warden that params authentication is allowed for that specific page.
+      def allow_params_authentication!
+        request.env["devise.allow_params_authentication"] = true
+      end
+
+      # Return true if the given scope is signed in session. If no scope given, return
+      # true if any scope is signed in. Does not run authentication hooks.
+      def signed_in?(scope=nil)
+        [ scope || Devise.mappings.keys ].flatten.any? do |_scope|
+          warden.authenticate?(:scope => _scope)
+        end
+      end
+
+      # Sign in a user that already was authenticated. This helper is useful for logging
+      # users in after sign up.
+      #
+      # All options given to sign_in is passed forward to the set_user method in warden.
+      # The only exception is the :bypass option, which bypass warden callbacks and stores
+      # the user straight in session. This option is useful in cases the user is already
+      # signed in, but we want to refresh the credentials in session.
+      #
+      # Examples:
+      #
+      #   sign_in :user, @user                      # sign_in(scope, resource)
+      #   sign_in @user                             # sign_in(resource)
+      #   sign_in @user, :event => :authentication  # sign_in(resource, options)
+      #   sign_in @user, :bypass => true            # sign_in(resource, options)
+      #
+      def sign_in(resource_or_scope, *args)
+        options  = args.extract_options!
+        scope    = Devise::Mapping.find_scope!(resource_or_scope)
+        resource = args.last || resource_or_scope
+
+        expire_session_data_after_sign_in!
+
+        if options[:bypass]
+          warden.session_serializer.store(resource, scope)
+        elsif warden.user(scope) == resource && !options.delete(:force)
+          # Do nothing. User already signed in and we are not forcing it.
+          true
+        else
+          warden.set_user(resource, options.merge!(:scope => scope))
+        end
+      end
+
+      # Sign out a given user or scope. This helper is useful for signing out a user
+      # after deleting accounts. Returns true if there was a logout and false if there
+      # is no user logged in on the referred scope
+      #
+      # Examples:
+      #
+      #   sign_out :user     # sign_out(scope)
+      #   sign_out @user     # sign_out(resource)
+      #
+      def sign_out(resource_or_scope=nil)
+        return sign_out_all_scopes unless resource_or_scope
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
+
+        warden.raw_session.inspect # Without this inspect here. The session does not clear.
+        warden.logout(scope)
+        warden.clear_strategies_cache!(:scope => scope)
+        instance_variable_set(:"@current_#{scope}", nil)
+
+        !!user
+      end
+
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
+      # and false if there was no user logged in on all scopes.
+      def sign_out_all_scopes(lock=true)
+        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
+
+        warden.raw_session.inspect
+        warden.logout
+        expire_devise_cached_variables!
+        warden.clear_strategies_cache!
+        warden.lock! if lock
+
+        users.any?
+      end
+
+      # Returns and delete (if it's navigational format) the url stored in the session for
+      # the given scope. Useful for giving redirect backs after sign up:
+      #
+      # Example:
+      #
+      #   redirect_to stored_location_for(:user) || root_path
+      #
+      def stored_location_for(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+
+        if is_navigational_format?
+          session.delete("#{scope}_return_to")
+        else
+          session["#{scope}_return_to"]
+        end
+      end
+
+      # The scope root url to be used when he's signed in. By default, it first
+      # tries to find a resource_root_path, otherwise it uses the root_path.
+      def signed_in_root_path(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        home_path = "#{scope}_root_path"
+        if respond_to?(home_path, true)
+          send(home_path)
+        elsif respond_to?(:root_path)
+          root_path
+        else
+          "/"
+        end
+      end
+
+      # The default url to be used after signing in. This is used by all Devise
+      # controllers and you can overwrite it in your ApplicationController to
+      # provide a custom hook for a custom resource.
+      #
+      # By default, it first tries to find a valid resource_return_to key in the
+      # session, then it fallbacks to resource_root_path, otherwise it uses the
+      # root path. For a user scope, you can define the default url in
+      # the following way:
+      #
+      #   map.user_root '/users', :controller => 'users' # creates user_root_path
+      #
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
+      #   end
+      #
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
+      #
+      #   def after_sign_in_path_for(resource)
+      #     stored_location_for(resource) ||
+      #       if resource.is_a?(User) && resource.can_publish?
+      #         publisher_url
+      #       else
+      #         super
+      #       end
+      #   end
+      #
+      def after_sign_in_path_for(resource_or_scope)
+        stored_location_for(resource_or_scope) || signed_in_root_path(resource_or_scope)
+      end
+
+      # Method used by sessions controller to sign out a user. You can overwrite
+      # it in your ApplicationController to provide a custom hook for a custom
+      # scope. Notice that differently from +after_sign_in_path_for+ this method
+      # receives a symbol with the scope, and not the resource.
+      #
+      # By default it is the root_path.
+      def after_sign_out_path_for(resource_or_scope)
+        respond_to?(:root_path) ? root_path : "/"
+      end
+
+      # Sign in a user and tries to redirect first to the stored location and
+      # then to the url specified by after_sign_in_path_for. It accepts the same
+      # parameters as the sign_in method.
+      def sign_in_and_redirect(resource_or_scope, *args)
+        options  = args.extract_options!
+        scope    = Devise::Mapping.find_scope!(resource_or_scope)
+        resource = args.last || resource_or_scope
+        sign_in(scope, resource, options)
+        redirect_to after_sign_in_path_for(resource)
+      end
+
+      def expire_session_data_after_sign_in!
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
+      end
+
+      # Sign out a user and tries to redirect to the url specified by
+      # after_sign_out_path_for.
+      def sign_out_and_redirect(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        redirect_path = after_sign_out_path_for(scope)
+        Devise.sign_out_all_scopes ? sign_out : sign_out(scope)
+        redirect_to redirect_path
+      end
+
+      # Overwrite Rails' handle unverified request to sign out all scopes,
+      # clear run strategies and remove cached variables.
+      def handle_unverified_request
+        sign_out_all_scopes(false)
+        request.env["devise.skip_storage"] = true
+        expire_devise_cached_variables!
+        super # call the default behaviour which resets the session
+      end
+
+      def request_format
+        @request_format ||= request.format.try(:ref)
+      end
+
+      def is_navigational_format?
+        Devise.navigational_formats.include?(request_format)
+      end
+
+      private
+
+      def expire_devise_cached_variables!
+        Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
+      end
+    end
+  end
+end