af-devise 2.1.2

data/lib/devise/models/confirmable.rb

@@ -0,0 +1,270 @@
+module Devise
+  module Models
+    # Confirmable is responsible to verify if an account is already confirmed to
+    # sign in, and to send emails with confirmation instructions.
+    # Confirmation instructions are sent to the user email after creating a
+    # record and when manually requested by a new confirmation instruction request.
+    #
+    # == Options
+    #
+    # Confirmable adds the following options to devise_for:
+    #
+    #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access his account
+    #     before confirming it. After this period, the user access is denied. You can
+    #     use this to let your user access some features of your application without
+    #     confirming the account, but blocking it after a certain period (ie 7 days).
+    #     By default allow_unconfirmed_access_for is zero, it means users always have to confirm to sign in.
+    #   * +reconfirmable+: requires any email changes to be confirmed (exactly the same way as
+    #     initial account confirmation) to be applied. Requires additional unconfirmed_email
+    #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
+    #     stored in unconfirmed email column, and copied to email column on successful
+    #     confirmation.
+    #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
+    #     You can use this to force the user to confirm within a set period of time.
+    #
+    # == Examples
+    #
+    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirmed?    # true/false
+    #   User.find(1).send_confirmation_instructions # manually send instructions
+    #
+    module Confirmable
+      extend ActiveSupport::Concern
+      include ActionView::Helpers::DateHelper
+
+      included do
+        before_create :generate_confirmation_token, :if => :confirmation_required?
+        after_create  :send_on_create_confirmation_instructions, :if => :confirmation_required?
+        before_update :postpone_email_change_until_confirmation, :if => :postpone_email_change?
+        after_update  :send_confirmation_instructions, :if => :reconfirmation_required?
+      end
+
+      def self.required_fields(klass)
+        required_methods = [:confirmation_token, :confirmed_at, :confirmation_sent_at]
+        required_methods << :unconfirmed_email if klass.reconfirmable
+        required_methods
+      end
+
+      # Confirm a user by setting it's confirmed_at to actual time. If the user
+      # is already confirmed, add an error to email field. If the user is invalid
+      # add errors
+      def confirm!
+        pending_any_confirmation do
+          if confirmation_period_expired?
+            self.errors.add(:email, :confirmation_period_expired,
+              :period => Devise::TimeInflector.time_ago_in_words(self.class.confirm_within.ago))
+            return false
+          end
+
+          self.confirmation_token = nil
+          self.confirmed_at = Time.now.utc
+
+          if self.class.reconfirmable && unconfirmed_email.present?
+            skip_reconfirmation!
+            self.email = unconfirmed_email
+            self.unconfirmed_email = nil
+
+            # We need to validate in such cases to enforce e-mail uniqueness
+            save(:validate => true)
+          else
+            save(:validate => false)
+          end
+        end
+      end
+
+      # Verifies whether a user is confirmed or not
+      def confirmed?
+        !!confirmed_at
+      end
+
+      def pending_reconfirmation?
+        self.class.reconfirmable && unconfirmed_email.present?
+      end
+
+      # Send confirmation instructions by email
+      def send_confirmation_instructions
+        self.confirmation_token = nil if reconfirmation_required?
+        @reconfirmation_required = false
+
+        generate_confirmation_token! if self.confirmation_token.blank?
+        send_devise_notification(:confirmation_instructions)
+      end
+
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        pending_any_confirmation do
+          self.confirmation_token = nil if confirmation_period_expired?
+          send_confirmation_instructions
+        end
+      end
+
+      # Overwrites active_for_authentication? for confirmation
+      # by verifying whether a user is active to sign in or not. If the user
+      # is already confirmed, it should never be blocked. Otherwise we need to
+      # calculate if the confirm time has not expired for this user.
+      def active_for_authentication?
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
+      end
+
+      # The message to be shown if the account is inactive.
+      def inactive_message
+        !confirmed? ? :unconfirmed : super
+      end
+
+      # If you don't want confirmation to be sent on create, neither a code
+      # to be generated, call skip_confirmation!
+      def skip_confirmation!
+        self.confirmed_at = Time.now.utc
+      end
+
+      # If you don't want reconfirmation to be sent, neither a code
+      # to be generated, call skip_reconfirmation!
+      def skip_reconfirmation!
+        @bypass_postpone = true
+      end
+
+      def headers_for(action)
+        headers = super
+        if action == :confirmation_instructions && pending_reconfirmation?
+          headers[:to] = unconfirmed_email
+        end
+        headers
+      end
+
+      protected
+
+        # A callback method used to deliver confirmation
+        # instructions on creation. This can be overriden
+        # in models to map to a nice sign up e-mail.
+        def send_on_create_confirmation_instructions
+          send_devise_notification(:confirmation_instructions)
+        end
+
+        # Callback to overwrite if confirmation is required or not.
+        def confirmation_required?
+          !confirmed?
+        end
+
+        # Checks if the confirmation for the user is within the limit time.
+        # We do this by calculating if the difference between today and the
+        # confirmation sent date does not exceed the confirm in time configured.
+        # Confirm_within is a model configuration, must always be an integer value.
+        #
+        # Example:
+        #
+        #   # allow_unconfirmed_access_for = 1.day and confirmation_sent_at = today
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # allow_unconfirmed_access_for = 5.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # allow_unconfirmed_access_for = 5.days and confirmation_sent_at = 5.days.ago
+        #   confirmation_period_valid?   # returns false
+        #
+        #   # allow_unconfirmed_access_for = 0.days
+        #   confirmation_period_valid?   # will always return false
+        #
+        def confirmation_period_valid?
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
+        end
+
+        # Checks if the user confirmation happens before the token becomes invalid
+        # Examples:
+        #
+        #   # confirm_within = 3.days and confirmation_sent_at = 2.days.ago
+        #   confirmation_period_expired?  # returns false
+        #
+        #   # confirm_within = 3.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_expired?  # returns true
+        #
+        #   # confirm_within = nil
+        #   confirmation_period_expired?  # will always return false
+        #
+        def confirmation_period_expired?
+          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within )
+        end
+
+        # Checks whether the record requires any confirmation.
+        def pending_any_confirmation
+          if (!confirmed? || pending_reconfirmation?)
+            yield
+          else
+            self.errors.add(:email, :already_confirmed)
+            false
+          end
+        end
+
+        # Generates a new random token for confirmation, and stores the time
+        # this token is being generated
+        def generate_confirmation_token
+          self.confirmation_token = self.class.confirmation_token
+          self.confirmation_sent_at = Time.now.utc
+        end
+
+        def generate_confirmation_token!
+          generate_confirmation_token && save(:validate => false)
+        end
+
+        def after_password_reset
+          super
+          confirm! unless confirmed?
+        end
+
+        def postpone_email_change_until_confirmation
+          @reconfirmation_required = true
+          self.unconfirmed_email = self.email
+          self.email = self.email_was
+        end
+
+        def postpone_email_change?
+          postpone = self.class.reconfirmable && email_changed? && !@bypass_postpone
+          @bypass_postpone = nil
+          postpone
+        end
+
+        def reconfirmation_required?
+          self.class.reconfirmable && @reconfirmation_required
+        end
+
+      module ClassMethods
+        # Attempt to find a user by its email. If a record is found, send new
+        # confirmation instructions to it. If not, try searching for a user by unconfirmed_email
+        # field. If no user is found, returns a new user with an email not found error.
+        # Options must contain the user email
+        def send_confirmation_instructions(attributes={})
+          confirmable = find_by_unconfirmed_email_with_errors(attributes) if reconfirmable
+          unless confirmable.try(:persisted?)
+            confirmable = find_or_initialize_with_errors(confirmation_keys, attributes, :not_found)
+          end
+          confirmable.resend_confirmation_token if confirmable.persisted?
+          confirmable
+        end
+
+        # Find a user by its confirmation token and try to confirm it.
+        # If no user is found, returns a new user with an error.
+        # If the user is already confirmed, create an error for the user
+        # Options must have the confirmation_token
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          confirmable.confirm! if confirmable.persisted?
+          confirmable
+        end
+
+        # Generate a token checking if one does not already exist in the database.
+        def confirmation_token
+          generate_token(:confirmation_token)
+        end
+
+        # Find a record for confirmation by unconfirmed email field
+        def find_by_unconfirmed_email_with_errors(attributes = {})
+          unconfirmed_required_attributes = confirmation_keys.map { |k| k == :email ? :unconfirmed_email : k }
+          unconfirmed_attributes = attributes.symbolize_keys
+          unconfirmed_attributes[:unconfirmed_email] = unconfirmed_attributes.delete(:email)
+          find_or_initialize_with_errors(unconfirmed_required_attributes, unconfirmed_attributes, :not_found)
+        end
+
+        Devise::Models.config(self, :allow_unconfirmed_access_for, :confirmation_keys, :reconfirmable, :confirm_within)
+      end
+    end
+  end
+end

data/lib/devise/models/database_authenticatable.rb

@@ -0,0 +1,127 @@
+require 'devise/strategies/database_authenticatable'
+require 'bcrypt'
+
+module Devise
+  module Models
+    # Authenticatable Module, responsible for encrypting password and validating
+    # authenticity of a user while signing in.
+    #
+    # == Options
+    #
+    # DatabaseAuthenticable adds the following options to devise_for:
+    #
+    #   * +pepper+: a random string used to provide a more secure hash. Use
+    #     `rake secret` to generate new keys.
+    #
+    #   * +stretches+: the cost given to bcrypt.
+    #
+    # == Examples
+    #
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module DatabaseAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      def self.required_fields(klass)
+        [:encrypted_password] + klass.authentication_keys
+      end
+
+      # Generates password encryption based on the given value.
+      def password=(new_password)
+        @password = new_password
+        self.encrypted_password = password_digest(@password) if @password.present?
+      end
+
+      # Verifies whether an password (ie from sign in) is the user password.
+      def valid_password?(password)
+        return false if encrypted_password.blank?
+        bcrypt   = ::BCrypt::Password.new(encrypted_password)
+        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
+        Devise.secure_compare(password, encrypted_password)
+      end
+
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
+      def update_with_password(params, *options)
+        current_password = params.delete(:current_password)
+
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        end
+
+        result = if valid_password?(current_password)
+          update_attributes(params, *options)
+        else
+          params.delete(:password)
+          self.assign_attributes(params, *options)
+          self.valid?
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          false
+        end
+
+        clean_up_passwords
+        result
+      end
+
+      # Updates record attributes without asking for the current password.
+      # Never allows to change the current password. If you are using this
+      # method, you should probably override this method to protect other
+      # attributes you would not like to be updated without a password.
+      #
+      # Example:
+      #
+      #   def update_without_password(params={})
+      #     params.delete(:email)
+      #     super(params)
+      #   end
+      #
+      def update_without_password(params, *options)
+        params.delete(:password)
+        params.delete(:password_confirmation)
+
+        result = update_attributes(params, *options)
+        clean_up_passwords
+        result
+      end
+
+      def after_database_authentication
+      end
+
+      # A reliable way to expose the salt regardless of the implementation.
+      def authenticatable_salt
+        encrypted_password[0,29] if encrypted_password
+      end
+
+    protected
+
+      # Digests the password using bcrypt.
+      def password_digest(password)
+        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches)
+
+        # We assume this method already gets the sanitized values from the
+        # DatabaseAuthenticatable strategy. If you are using this method on
+        # your own, be sure to sanitize the conditions hash to only include
+        # the proper fields.
+        def find_for_database_authentication(conditions)
+          find_for_authentication(conditions)
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/lockable.rb

@@ -0,0 +1,193 @@
+require "devise/hooks/lockable"
+
+module Devise
+  module Models
+    # Handles blocking a user access after a certain number of attempts.
+    # Lockable accepts two different strategies to unlock a user after it's
+    # blocked: email and time. The former will send an email to the user when
+    # the lock happens, containing a link to unlock its account. The second
+    # will unlock the user automatically after some configured time (ie 2.hours).
+    # It's also possible to setup lockable to use both email and time strategies.
+    #
+    # == Options
+    #
+    # Lockable adds the following options to +devise+:
+    #
+    #   * +maximum_attempts+: how many attempts should be accepted before blocking the user.
+    #   * +lock_strategy+: lock the user account by :failed_attempts or :none.
+    #   * +unlock_strategy+: unlock the user account by :time, :email, :both or :none.
+    #   * +unlock_in+: the time you want to lock the user after to lock happens. Only available when unlock_strategy is :time or :both.
+    #   * +unlock_keys+: the keys you want to use when locking and unlocking an account
+    #
+    module Lockable
+      extend  ActiveSupport::Concern
+
+      delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
+
+      def self.required_fields(klass)
+        attributes = []
+        attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
+        attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
+        attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
+
+        attributes
+      end
+
+      # Lock a user setting its locked_at to actual time.
+      def lock_access!
+        self.locked_at = Time.now.utc
+
+        if unlock_strategy_enabled?(:email)
+          generate_unlock_token!
+          send_unlock_instructions
+        else
+          save(:validate => false)
+        end
+      end
+
+      # Unlock a user by cleaning locked_at and failed_attempts.
+      def unlock_access!
+        self.locked_at = nil
+        self.failed_attempts = 0 if respond_to?(:failed_attempts=)
+        self.unlock_token = nil  if respond_to?(:unlock_token=)
+        save(:validate => false)
+      end
+
+      # Verifies whether a user is locked or not.
+      def access_locked?
+        locked_at && !lock_expired?
+      end
+
+      # Send unlock instructions by email
+      def send_unlock_instructions
+        send_devise_notification(:unlock_instructions)
+      end
+
+      # Resend the unlock instructions if the user is locked.
+      def resend_unlock_token
+        if_access_locked { send_unlock_instructions }
+      end
+
+      # Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes
+      # by verifying whether a user is active to sign in or not based on locked?
+      def active_for_authentication?
+        super && !access_locked?
+      end
+
+      # Overwrites invalid_message from Devise::Models::Authenticatable to define
+      # the correct reason for blocking the sign in.
+      def inactive_message
+        access_locked? ? :locked : super
+      end
+
+      # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
+      # for verifying whether a user is allowed to sign in or not. If the user
+      # is locked, it should never be allowed.
+      def valid_for_authentication?
+        return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
+
+        # Unlock the user if the lock is expired, no matter
+        # if the user can login or not (wrong password, etc)
+        unlock_access! if lock_expired?
+
+        if super && !access_locked?
+          true
+        else
+          self.failed_attempts ||= 0
+          self.failed_attempts += 1
+          if attempts_exceeded?
+            lock_access! unless access_locked?
+          else
+            save(:validate => false)
+          end
+          false
+        end
+      end
+
+      def unauthenticated_message
+        # If set to paranoid mode, do not show the locked message because it
+        # leaks the existence of an account.
+        if Devise.paranoid
+          super
+        elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+          :locked
+        else
+          super
+        end
+      end
+
+      protected
+
+        def attempts_exceeded?
+          self.failed_attempts > self.class.maximum_attempts
+        end
+
+        # Generates unlock token
+        def generate_unlock_token
+          self.unlock_token = self.class.unlock_token
+        end
+
+        def generate_unlock_token!
+          generate_unlock_token && save(:validate => false)
+        end
+
+        # Tells if the lock is expired if :time unlock strategy is active
+        def lock_expired?
+          if unlock_strategy_enabled?(:time)
+            locked_at && locked_at < self.class.unlock_in.ago
+          else
+            false
+          end
+        end
+
+        # Checks whether the record is locked or not, yielding to the block
+        # if it's locked, otherwise adds an error to email.
+        def if_access_locked
+          if access_locked?
+            yield
+          else
+            self.errors.add(:email, :not_locked)
+            false
+          end
+        end
+
+      module ClassMethods
+        # Attempt to find a user by its email. If a record is found, send new
+        # unlock instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_unlock_instructions(attributes={})
+          lockable = find_or_initialize_with_errors(unlock_keys, attributes, :not_found)
+          lockable.resend_unlock_token if lockable.persisted?
+          lockable
+        end
+
+        # Find a user by its unlock token and try to unlock it.
+        # If no user is found, returns a new user with an error.
+        # If the user is not locked, creates an error for the user
+        # Options must have the unlock_token
+        def unlock_access_by_token(unlock_token)
+          lockable = find_or_initialize_with_error_by(:unlock_token, unlock_token)
+          lockable.unlock_access! if lockable.persisted?
+          lockable
+        end
+
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
+        # Is the lock enabled for the given lock strategy?
+        def lock_strategy_enabled?(strategy)
+          self.lock_strategy == strategy
+        end
+
+        def unlock_token
+          Devise.friendly_token
+        end
+
+        Devise::Models.config(self, :maximum_attempts, :lock_strategy, :unlock_strategy, :unlock_in, :unlock_keys)
+      end
+    end
+  end
+end