ateam-merb-auth-old 0.0.1

data/plugins/forgotten_password/app/controllers/passwords.rb

@@ -0,0 +1,90 @@
+module MerbAuth
+  class Passwords < Application
+  
+    controller_for_slice :MerbAuth
+      
+    def _template_location(context, type = nil, controller = controller_name)
+      if controller.nil? || controller != "merb_auth/passwords"
+        "#{controller}/#{context}.#{type}"
+      else
+        "passwords/#{context}.#{type}"
+      end
+    end
+    
+    before :login_required, :only => [:edit, :update]
+  
+    # NEW shows the html form to initiate the forgotten password request
+    def new
+      render
+    end
+  
+    # Edit shows the reset password form for a currently logged in person
+    def edit
+      @ivar = current_ma_user
+      set_ivar
+      render
+    end
+  
+    # Initiates a password reset for forgoten password
+    def create
+      email = params[:email]
+      @ivar = MA[:user].find_with_conditions(:email => email)
+      raise NotFound if @ivar.nil?
+      raise Unauthorized if logged_in? && @ivar != current_ma_user
+      @ivar.forgot_password!
+      set_ivar
+      redirect_back_or_default("/", "We've sent you a link to reset your password.  Keep an eye on your inbox.")
+    end
+  
+    # Reset is the link given in the email with the reset password code attached
+    # This action at best should be a 1 hit wonder link to log in the user, reset the code and 
+    # redirect to edit.  If There's an error send them to the new action
+    def show
+      id = params[:id]
+      @ivar = MA[:user].find_with_conditions(:password_reset_key => id)
+      if @ivar.nil?
+        redirect_back_or_default "/"
+      else
+        self.current_ma_user = @ivar
+        set_ivar
+        redirect url(:merb_auth_edit_password_form)
+      end
+    end
+  
+  
+    # Performs a password change for an existing user.  This is nice and big to ensure that we're only dealing with 
+    # Changes to passwords.   Not arbitrary stuff.
+    def update  
+      @ivar = current_ma_user
+      set_ivar
+      if params[MA[:single_resource]][:password].nil?
+        message[:notice] = "You must enter a password"
+        return render(:edit)
+      end
+    
+      if !@ivar.has_forgotten_password?
+        if @ivar != MA[:user].authenticate(@ivar.email, params[:current_password])
+          message[:notice] = "Your current password is incorrect"
+          return render(:edit)
+        end
+      end
+
+      @ivar.password = params[MA[:single_resource]][:password]
+      @ivar.password_confirmation = params[MA[:single_resource]][:password_confirmation]
+    
+      if @ivar.save
+        @ivar.clear_forgot_password!
+        redirect_back_or_default("/", "Password Changed")
+      else
+        redirect url(:merb_auth_edit_password_form), "Password Not Changed"
+      end     
+    end
+  
+    private
+    # sets the instance variable for the developer to use eg. @user
+    def set_ivar
+      instance_variable_set("@#{MA[:single_resource]}", @ivar)
+    end
+  
+  end
+end

data/plugins/forgotten_password/app/models/user.rb

@@ -0,0 +1,52 @@
+module MerbAuth
+  module ForgottenPassword
+    module Model
+      
+      def self.included(base)
+        base.send(:extend,  ClassMethods)
+        base.send(:include, InstanceMethods)
+      end
+      
+      module ClassMethods
+        def make_key
+          Digest::SHA1.hexdigest( Time.now.to_s.split(//).sort_by {rand}.join )
+        end
+        
+        def authenticate(email, password)
+          super(email, password)
+          return if @u.nil?
+          return @u unless @u.has_forgotten_password?
+          @u.clear_forgot_password!
+          puts @u.inspect
+          @u
+        end
+      end
+      
+      module InstanceMethods
+        def forgot_password! # Must be a unique password key before it goes in the database
+          pwreset_key_success = false
+          until pwreset_key_success
+            self.password_reset_key = self.class.make_key
+            self.save
+            pwreset_key_success = self.errors.on(:password_reset_key).nil? ? true : false 
+          end
+          send_forgot_password
+        end
+
+        def has_forgotten_password?
+          !self.password_reset_key.nil?
+        end
+
+        def clear_forgot_password!
+          self.password_reset_key = nil
+          self.save
+        end
+        
+
+      end # InstanceMethods
+      
+    end 
+  end
+end
+
+MA[:user].send(:include, MerbAuth::ForgottenPassword::Model)

data/plugins/forgotten_password/app/views/passwords/edit.html.erb

@@ -0,0 +1,9 @@
+<%= @message %>
+<% form_for @ivar, :action => url(:merb_auth_passwords), :method => :put do %>
+  <% unless @ivar.has_forgotten_password? %>
+   <%= password_field :name => "current_password", :label => "Current Password" %>
+  <% end %>
+  <%= password_control :password, :label => "Password" %>
+  <%= password_control :password_confirmation, :label => "Password Confirmation" %>
+  <%= submit_button "Save" %>
+<% end %>

data/plugins/forgotten_password/app/views/passwords/new.html.erb

@@ -0,0 +1,4 @@
+<% form_tag :action => url(:merb_auth_passwords), :method => :post do %>
+<%= text_field :name => "email", :label => "Email" %>
+<%= submit_button "Reset Password" %>
+<% end %>

data/plugins/forgotten_password/forgotten_password.rb

@@ -0,0 +1,6 @@
+if MerbAuth[:forgotten_password] && MerbAuth[:user]
+  dir = File.expand_path(File.dirname(__FILE__))
+  Dir[File.join(dir, "app", "**/*.rb")].each{ |f| require f }  
+end
+
+#########################  Include it into the module man

data/plugins/forgotten_password/init.rb

@@ -0,0 +1,8 @@
+MerbAuth.plugins[:forgotten_password] = File.join(File.expand_path(File.dirname(__FILE__)) / "forgotten_password.rb")
+
+MA.add_routes do |r|
+  if MerbAuth[:forgotten_password] && MerbAuth[:user]
+    r.match("/passwords/edit").to(:controller => "Passwords", :action => "edit").name(:merb_auth_edit_password_form)
+    r.resources :passwords
+  end
+end

data/plugins/forgotten_password/spec/controller_spec.rb

@@ -0,0 +1,236 @@
+require File.join(File.expand_path(File.dirname(__FILE__)), "spec_helper")
+
+describe "Passwords controller" do
+  
+  before(:each) do
+    User.clear_database_table
+    @user = User.create(valid_user_hash.with(
+      :password => "test",
+      :password_confirmation => "test",
+      :login => "gary",
+      :email => "gary@example.com"
+    ))
+    @user.activate
+    @user.reload
+    @deliveries = Merb::Mailer.deliveries
+  end
+  
+  after(:each) do
+    Merb::Mailer.deliveries.clear
+  end
+  
+  describe "new" do
+    
+    it "should render a form to create a reset password" do
+      c = dispatch_to(MA::Passwords, :new)
+      c.body.should have_tag(:form, :action => url(:merb_auth_passwords), :method => "post")
+    end
+  end
+  
+  describe "edit" do
+    
+    def dispatch_edit(opts = {})
+      dispatch_to(MA::Passwords, :edit, opts = {}) do |c|
+        c.stub!(:current_ma_user).and_return(@user)
+      end
+    end
+    
+    it "should require the user to be logged in" do
+      c = dispatch_to(MA::Passwords, :edit)
+      c.should redirect_to(url(:login))
+    end
+    
+    it "should have a form that is posted to url(:passwords)" do
+      c = dispatch_edit
+      c.body.should have_tag(:form, :action => url(:merb_auth_passwords), :method => "post")
+    end
+    
+    it "the form should have password and confirmation password fields" do
+      c = dispatch_edit
+      c.body.should have_tag(:form, :action => url(:merb_auth_passwords), :method => "post") do |d|
+        d.should have_tag(:input, :type => "hidden", :name => "_method")
+        d.should have_tag(:input, :type => "password", :id => "user_password")
+        d.should have_tag(:input, :type => "password", :id => "user_password_confirmation")
+      end
+    end
+    
+    it "should show the old password confirmation box if the user does not have a forgotten password" do
+      @user.clear_forgot_password!
+      @user.reload!
+      @user.should_not have_forgotten_password
+      
+      c = dispatch_edit
+      c.body.should have_tag(:form, :action => url(:merb_auth_passwords), :method => "post") do |d|
+        d.should have_tag(:input, :type => "hidden", :name => "_method")
+        d.should have_tag(:input, :type => "password", :id => "user_password")
+        d.should have_tag(:input, :type => "password", :id => "user_password_confirmation")
+        d.should have_tag(:input, :type => "password", :name => "current_password")
+      end
+    end
+    
+    it "should not show the old password ocnfirmation box if the user does have a forgotten password" do
+      @user.forgot_password!
+      @user.reload!
+      
+      c = dispatch_edit
+      c.body.should have_tag(:form, :action => url(:merb_auth_passwords), :method => "post") do |d|
+        d.should have_tag(:input, :type => "hidden", :name => "_method")
+        d.should have_tag(:input, :type => "password", :id => "user_password")
+        d.should have_tag(:input, :type => "password", :id => "user_password_confirmation")
+        d.should_not have_tag(:input, :type => "password", :name => "current_password")
+      end
+    end
+  end
+  
+  describe "create" do
+    def dispatch_create(opts = {})
+      dispatch_to(MA::Passwords, :create, {:email => @user.email}.merge!(opts) )
+    end
+    
+    it "should set the users password to forgotten" do
+      @user.should_not have_forgotten_password
+      dispatch_create
+      @user.reload!
+      @user.should have_forgotten_password
+    end
+    
+    it "should only change the user who's email was sent" do
+      user = User.create(valid_user_hash)
+      user.should_not be_new_record
+      
+      @user.should_not have_forgotten_password
+      user.should_not have_forgotten_password
+      
+      dispatch_create(:email => user.email)
+      
+      user.reload!
+      @user.reload!
+      
+      @user.should_not have_forgotten_password
+      user.should have_forgotten_password
+    end
+    
+    it "should redirect" do
+      c = dispatch_create
+      c.should redirect
+    end
+    
+    it "should raise an unauthorized if the user is logged in, and not the owner of the email" do
+      user = User.create(valid_user_hash)
+      lambda do
+        c = dispatch_to(MA::Passwords, :create, :email => user.email) do |c|
+          c.stub!(:current_ma_user).and_return(@user)
+        end
+      end.should raise_error(Merb::Controller::Unauthorized)
+    end
+    
+    it "should raise a NotFound error if the users email does not exist" do
+      lambda do
+        c = dispatch_create(:email => "does_not_exist@blah.com")
+      end.should raise_error(Merb::Controller::NotFound)
+    end
+    
+    it "should send a notification email that the password is to be resent" do
+      c = dispatch_create
+      c.should redirect_to("/")
+      @user.reload!
+      @deliveries.last.should_not be_nil
+      @deliveries.last.text.should include(url(:merb_auth_passwords, @user.password_reset_key))
+    end
+  end
+  
+  describe "show" do
+    
+    def dispatch_show(opts = {})
+      dispatch_to(MA::Passwords, :show, opts)
+    end
+    
+    it "should redirect to edit if given a valid reset key" do
+      @user.forgot_password!
+      c = dispatch_show(:id => @user.password_reset_key)
+      c.should redirect_to(url(:merb_auth_edit_password_form))
+    end
+    
+    it "should redirect to home if given an invalid reset key" do
+      c = dispatch_show(:id => "11234")
+      c.should redirect_to("/")
+    end
+    
+    it "should log the user in" do
+      @user.forgot_password!
+      c = dispatch_show(:id => @user.password_reset_key)
+      @user.reload!
+      c.should be_logged_in
+      c.send(:current_ma_user).should == @user
+    end
+  end
+  
+  describe "update" do
+    
+    def dispatch_update(opts = {})
+      dispatch_to(MA::Passwords, :update, opts){|c| c.stub!(:current_ma_user).and_return(@user)}
+    end
+    
+    it "should require the user to be logged in" do
+      c = dispatch_to(MA::Passwords, :update)
+      c.should redirect_to(url(:login))
+    end
+    
+    it "should update the current_users password with pw and pw conf if there is a password_reset_key present" do
+      @user.forgot_password!
+      @user.password_reset_key.should_not be_nil
+      c = dispatch_update(:user => {:password => "gahh", :password_confirmation => "gahh"})
+      @user.reload! 
+      User.authenticate(@user.email, "gahh").should == @user      
+    end
+    
+    it "should change the password when given a current password if there is no password_reset_key present" do
+      @user.should_not have_forgotten_password
+      c = dispatch_update(:user => {:password => "gahh", :password_confirmation => "gahh"}, :current_password => "test")
+      @user.reload!
+      User.authenticate(@user.email, "gahh").should == @user
+    end
+    
+    it "should not change the password when not given a current password if there is no password_reset_key present" do
+      @user.should_not have_forgotten_password
+      c = dispatch_update(:user => {:password => "gahh", :password_confirmation => "gahh"})
+      @user.reload!
+      User.authenticate(@user.email, "gahh").should be_nil
+      User.authenticate(@user.email, "test").should == @user
+    end
+    
+    it "should not change the password when the current password is wrong" do
+      @user.should_not have_forgotten_password
+      c = dispatch_update(:user => {:password => "gahh", :password_confirmation => "gahh"}, :current_password => "wrong")
+      @user.reload!
+      User.authenticate(@user.email, "wrong").should be_nil
+      User.authenticate(@user.email, "test").should == @user
+    end
+    
+    it "should clear the password_reset_key" do
+      @user.forgot_password!
+      @user.should have_forgotten_password
+      dispatch_update(:user => {:password => "gahh", :password_confirmation => "gahh"})
+      @user.reload!
+      @user.should_not have_forgotten_password
+    end
+    
+    it "should redirect to edit back to edit if the passwords do not match and not delete the forgotten password" do
+      @user.forgot_password!
+      c = dispatch_update(:user => {:password => "blah", :password_confirmation => "foo"})
+      @user.reload!
+      User.authenticate(@user.email, "blah").should be_nil
+      c.should redirect_to(url(:merb_auth_edit_password_form))
+      @user.should have_forgotten_password
+    end
+    
+    it "should redirect to home if the password was changed" do
+      @user.forgot_password!
+      c = dispatch_update(:user => {:password => "blah", :password_confirmation =>"blah"})
+      @user.reload!
+      User.authenticate(@user.email, "blah").should_not be_nil
+      c.should redirect_to("/")
+    end
+  end
+  
+end

data/plugins/forgotten_password/spec/model_spec.rb

@@ -0,0 +1,52 @@
+require File.join(File.expand_path(File.dirname(__FILE__)), "spec_helper")
+
+describe "Forgotten password for models" do
+  
+  before(:each) do
+    User.clear_database_table
+    @user = User.new(valid_user_hash.with(:password => "test", :password_confirmation => "test"))    
+    @user.save
+  end
+
+  it "should not have a forgotten password" do
+    @user.should_not have_forgotten_password
+  end
+  
+  it "should have a forgotten password" do
+    @user.forgot_password!
+    @user.should have_forgotten_password
+  end
+  
+  it "should have a forgotten password key 40 chars long when the password is forgotten" do
+    @user.password_reset_key.should be_nil
+    @user.forgot_password!
+    @user.password_reset_key.should_not be_nil
+  end
+  
+  it "should not allow duplicates of the key but should regenerate until it has a good one" do
+    key1 = @user.class.make_key
+    key2 = @user.class.make_key
+    key1.should_not == key2
+    @user.forgot_password!
+    @user.send(:password_reset_key=, key1)
+    @user.save
+    @user.reload!
+    @user.password_reset_key.should == key1
+    
+    user = User.create(valid_user_hash)
+    
+    User.should_receive(:make_key).exactly(3).times.and_return(key1,key1,key2)
+    user.forgot_password!
+  end
+  
+  it "should remove the forgotten password key if present when it is authenticated with the password" do
+    # If the user remembers to log in then the password is no longer forgotten and this should be reset
+    @user.forgot_password!
+    @user.reload!
+    @user.password_reset_key.should_not be_nil
+    User.authenticate(@user.email, "test")
+    @user.reload!
+    @user.password_reset_key.should be_nil
+  end
+  
+end