authenticate 0.1.0 → 0.2.0

data/app/controllers/authenticate/sessions_controller.rb

@@ -0,0 +1,46 @@
+class Authenticate::SessionsController < ApplicationController
+  before_action :redirect_signed_in_users, only: [:new]
+  skip_before_action :require_authentication, only: [:create, :new, :destroy], raise: false
+
+
+  def new
+    render template: 'sessions/new'
+  end
+
+  def create
+    @user = authenticate(params)
+    login(@user) do |status|
+      if status.success?
+        redirect_back_or url_after_create
+      else
+        flash.now.notice = status.message
+        render template: 'sessions/new', status: :unauthorized
+      end
+    end
+  end
+
+  def destroy
+    logout
+    redirect_to url_after_destroy
+  end
+
+  private
+
+  def redirect_signed_in_users
+    if authenticated?
+      redirect_to url_for_signed_in_users
+    end
+  end
+
+  def url_after_create
+    Authenticate.configuration.redirect_url
+  end
+
+  def url_after_destroy
+    sign_in_url
+  end
+
+  def url_for_signed_in_users
+    url_after_create
+  end
+end

data/app/controllers/authenticate/users_controller.rb

@@ -0,0 +1,46 @@
+class Authenticate::UsersController < ApplicationController
+  before_action :redirect_signed_in_users, only: [:create, :new]
+  skip_before_action :require_authentication, only: [:create, :new], raise: false
+
+  def new
+    @user = user_from_params
+    render template: 'users/new'
+  end
+
+  def create
+    @user = user_from_params
+
+    if @user.save
+      login @user
+      redirect_back_or url_after_create
+    else
+      render template: 'users/new'
+    end
+  end
+
+  private
+
+  def redirect_signed_in_users
+    if authenticated?
+      redirect_to Authenticate.configuration.redirect_url
+    end
+  end
+
+  def url_after_create
+    Authenticate.configuration.redirect_url
+  end
+
+  def user_from_params
+    email = user_params.delete(:email)
+    password = user_params.delete(:password)
+
+    Authenticate.configuration.user_model_class.new(user_params).tap do |user|
+      user.email = email
+      user.password = password
+    end
+  end
+
+  def user_params
+    params[:user] || Hash.new
+  end
+end

data/app/mailers/authenticate_mailer.rb

@@ -0,0 +1,13 @@
+class AuthenticateMailer < ActionMailer::Base
+  def change_password(user)
+    @user = user
+    mail(
+      from: Authenticate.configuration.mailer_sender,
+      to: @user.email,
+      subject: I18n.t(
+        :change_password,
+        scope: [:authenticate, :models, :authenticate_mailer]
+      ),
+    )
+  end
+end

data/app/views/authenticate_mailer/change_password.html.erb

@@ -0,0 +1,8 @@
+<p><%= t(".opening") %></p>
+
+<p>
+  <%= link_to t(".link_text", default: "Change my password"),
+    edit_users_password_url(@user, token: @user.password_reset_token.html_safe) %>
+</p>
+
+<p><%= raw t(".closing") %></p>

data/app/views/authenticate_mailer/change_password.text.erb

@@ -0,0 +1,5 @@
+<%= t(".opening") %></p>
+
+<%= edit_users_password_url(@user, token: @user.password_reset_token.html_safe) %>
+
+<%= raw t(".closing") %>

data/app/views/layouts/application.html.erb

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <%= javascript_include_tag 'application' %>
+  <%= csrf_meta_tag %>
+</head>
+<body>
+  <div id="header">
+    <% if authenticated? -%>
+      <%= link_to t(".sign_out"), sign_out_path %>
+    <% else -%>
+      <%= link_to t(".sign_in"), sign_in_path %>
+    <% end -%>
+  </div>
+
+  <div id="flash">
+    <% flash.each do |key, value| -%>
+      <div id="flash_<%= key %>"><%=h value %></div>
+    <% end %>
+  </div>
+
+  <%= yield %>
+
+</body>
+</html>

data/app/views/passwords/edit.html.erb

@@ -0,0 +1,20 @@
+<div id="authenticate" class="password-reset">
+  <h2><%= t(".title") %></h2>
+
+  <p><%= t(".description") %></p>
+
+  <%= form_for :password_reset,
+               url: users_password_path(@user, token: @user.password_reset_token),
+               html: { method: :put } do |form| %>
+
+      <div class="field">
+        <%= form.label :password %>
+        <%= form.password_field :password %>
+      </div>
+
+      <div class="actions">
+        <%= form.submit %>
+      </div>
+
+  <% end %>
+</div>

data/app/views/passwords/new.html.erb

@@ -0,0 +1,19 @@
+<div id="authenticate" class="password-reset">
+  <h2><%= t(".title") %></h2>
+
+  <p><%= t(".description") %></p>
+
+  <%= form_for :password, url: passwords_path do |form| %>
+
+    <div class="field">
+      <%= form.label :email %>
+      <%= form.text_field :email, type: 'email' %>
+    </div>
+
+    <div class="actions">
+      <%= form.submit %>
+    </div>
+
+  <% end %>
+
+</div>

data/app/views/sessions/new.html.erb

@@ -0,0 +1,28 @@
+<div id="authenticate" class="sign-in">
+  <h2><%= t(".title") %></h2>
+
+  <%= form_for :session, url: session_path do |form| %>
+
+      <div class="field">
+        <%= form.label :email %>
+        <%= form.text_field :email, type: 'email' %>
+      </div>
+
+      <div class="field">
+        <%= form.label :password %>
+        <%= form.password_field :password %>
+      </div>
+
+      <div class="actions">
+        <%= form.submit %>
+      </div>
+
+      <div class="links">
+        <% if Authenticate.configuration.allow_sign_up? %>
+            <%= link_to t(".sign_up"), sign_up_path %>
+        <% end %>
+        <%= link_to t(".forgot_password"), new_password_path %>
+      </div>
+  <% end %>
+
+</div>

data/app/views/users/new.html.erb

@@ -0,0 +1,24 @@
+<div id="authenticate" class="sign-up">
+  <h2><%= t(".title") %></h2>
+
+  <%= form_for @user do |form| %>
+
+      <div class="field">
+        <%= form.label :email %>
+        <%= form.text_field :email, type: 'email' %>
+      </div>
+
+      <div class="field">
+        <%= form.label :password %>
+        <%= form.password_field :password %>
+      </div>
+
+    <div class="actions">
+      <%= form.submit %>
+    </div>
+
+    <div class="links">
+      <%= link_to t(".sign_in"), sign_in_path %>
+    </div>
+  <% end %>
+</div>

data/authenticate.gemspec

@@ -1,5 +1,4 @@
 $LOAD_PATH.push File.expand_path('../lib', __FILE__)
-# $:.push File.expand_path("../lib", __FILE__)
 
 require 'authenticate/version'
 require 'date'
@@ -29,10 +28,10 @@ Gem::Specification.new do |s|
   s.add_dependency 'email_validator', '~> 1.6'
   s.add_dependency 'rails', '>= 4.0', '< 5.1'
   s.add_development_dependency 'sqlite3'
-  s.add_development_dependency 'rspec'
   s.add_development_dependency 'rspec-rails'
   # s.add_development_dependency 'capybara'
   s.add_development_dependency 'factory_girl_rails'
+  s.add_development_dependency 'pry'
 
   s.required_ruby_version = Gem::Requirement.new('>= 2.0')
 end

data/config/locales/authenticate.en.yml

@@ -0,0 +1,57 @@
+---
+en:
+  authenticate:
+    models:
+      authenticate_mailer:
+        change_password: Change your password
+  authenticate_mailer:
+    change_password:
+      closing: If you didn't request this, ignore this email. Your password has not been changed.
+      link_text: Change my password
+      opening: Someone has requested a link to change your password. You can do this through the link below.
+  flashes:
+    failure_after_create: Bad email or password.
+    failure_after_update: Password can't be blank.
+    failure_when_forbidden: Please double check the URL or try submitting the form again.
+    failure_when_not_signed_in: Please sign in to continue.
+    failure_token_expired: Your password change request has expired. Please click 'Forgot Password' and try again.
+    success_password_changed: Your password has been updated.
+  helpers:
+    label:
+      password:
+        email: Email address
+      password_reset:
+        password: Choose password
+    submit:
+      password:
+        submit: Reset password
+      password_reset:
+        submit: Save this password
+      session:
+        submit: Sign in
+      user:
+        create: Sign up
+  layouts:
+    application:
+      sign_in: Sign in
+      sign_out: Sign out
+  passwords:
+    create:
+      description: You will receive an email within the next few minutes. It
+        contains instructions for changing your password.
+    edit:
+      description: Your password can be reset. Choose a new password below.
+      title: Change your password
+    new:
+      description: To be emailed a link to reset your password, please enter your email address.
+      title: Reset your password?
+  sessions:
+    form:
+      forgot_password: Forgot password?
+      sign_up: Sign up
+    new:
+      title: Sign in
+  users:
+    new:
+      sign_in: Sign in
+      title: Sign up

data/config/routes.rb

@@ -1,2 +1,15 @@
-Rails.application.routes.draw do
+if Authenticate.configuration.routes_enabled?
+  Rails.application.routes.draw do
+    resource :session, controller: 'authenticate/sessions', only: [:create, :new, :destroy]
+    resources :passwords, controller: 'authenticate/passwords', only: [:new, :create]
+
+    user_actions = Authenticate.configuration.allow_sign_up? ? [:new, :create] : []
+    resource :users, controller: 'authenticate/users', only: user_actions do
+      resources :passwords, controller: 'authenticate/passwords', only: [:edit, :update]
+    end
+
+    get '/sign_up', to: 'authenticate/users#new', as: 'sign_up'
+    get '/sign_in', to: 'authenticate/sessions#new', as: 'sign_in'
+    get '/sign_out', to: 'authenticate/sessions#destroy', as: 'sign_out'
+  end
 end

data/lib/authenticate/callbacks/brute_force.rb

@@ -3,26 +3,22 @@
 Authenticate.lifecycle.prepend_after_authentication name: 'brute force protection' do |user, session, options|
   include ActionView::Helpers::DateHelper
 
-  # puts 'bf: about to check authentication'
-  unless session.authenticated?
-    # puts 'bf: session not authenticated'
-
+  unless session.authenticated? || Authenticate.configuration.max_consecutive_bad_logins_allowed.nil?
     user_credentials = User.credentials(session.request.params)
-    # puts "brute force protection user_credentials: #{user_credentials}"
     user ||= User.find_by_credentials(user_credentials)
-
-    # puts 'bf: looked up user by credentials, found:' + user.inspect
     if user
-      # puts 'found user, about to register failed attempt'
       user.register_failed_login!
       user.save!
     end
   end
 
-  if user && user.locked? && Authenticate.configuration.bad_login_lockout_period != nil
+  # if user is locked, and we allow a lockout period, then unlock the user if they've waited
+  # longer than the lockout period.
+  if user && !Authenticate.configuration.bad_login_lockout_period.nil? && user.locked?
     user.unlock! if user.lock_expires_at <= Time.now.utc
   end
 
+  # if the user is still locked, let them know how long they are locked for.
   if user && user.locked?
     remaining = time_ago_in_words(user.lock_expires_at)
     throw(:failure, "Your account is locked, will unlock in #{remaining.to_s}")

data/lib/authenticate/callbacks/lifetimed.rb

@@ -1,3 +1,4 @@
+# Catch sessions that have been live for too long and kill them, forcing the user to reauthenticate.
 Authenticate.lifecycle.after_set_user name: 'lifetimed after set_user', except: :authentication do |user, session, options|
   if user && user.respond_to?(:max_session_timedout?)
     throw(:failure, "Your session has reached it's maximum allowed lifetime, you must log in again") if user.max_session_timedout?

data/lib/authenticate/callbacks/timeoutable.rb

@@ -1,3 +1,4 @@
+# Update last_access_at on every authentication
 Authenticate.lifecycle.after_authentication name: 'timeoutable after authentication' do |user, session, options|
   if user && user.respond_to?(:last_access_at)
     user.last_access_at = Time.now.utc
@@ -5,8 +6,8 @@ Authenticate.lifecycle.after_authentication name: 'timeoutable after authenticat
   end
 end
 
+# Fail users that have timed out. Otherwise update last_access_at.
 Authenticate.lifecycle.after_set_user name: 'timeoutable after set_user', except: :authentication do |user, session, options|
-  puts "user.respond_to?(:timedout?) #{user.respond_to?(:timedout?).inspect}" if user
   if user && user.respond_to?(:timedout?)
     throw(:failure, 'Your session has expired') if user.timedout?
     user.last_access_at = Time.now.utc

data/lib/authenticate/callbacks/trackable.rb

@@ -1,6 +1,4 @@
-# After each sign in: ”update sign in time, sign in count and sign in IP.
-# This is only triggered when the user is explicitly set (with set_user)
-# and on authentication.
+# Update all standard tracked stats at each authentication.
 Authenticate.lifecycle.after_authentication name: 'trackable' do |user, session, options|
   if user.respond_to?(:update_tracked_fields!)
     user.update_tracked_fields!(session.request)

data/lib/authenticate/configuration.rb

@@ -34,8 +34,38 @@ module Authenticate
     # @return [String]
     attr_accessor :cookie_domain
 
-    # Crypto used when authenticating and setting passwords.
-    # Defaults to {Authenticate::Model::BCrypt}.
+    # Controls which paths the session token cookie is valid for.
+    # Defaults to `"/"` for the entire domain.
+    # For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.1.4).
+    # @return [String]
+    attr_accessor :cookie_path
+
+    # Controls the secure setting on the session cookie. Defaults to `false`.
+    # When set, the browser will only send the cookie to the server over HTTPS.
+    # If set to true over an insecure http (not https) connection, the cookie will not
+    # be usable and the user will not be successfully authenticated.
+    #
+    # You should set this value to true in live environments to prevent session hijacking.
+    #
+    # For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.5).
+    # @return [Boolean]
+    attr_accessor :secure_cookie
+
+    # Controls whether the  HttpOnly flag should be set on the session cookie.
+    # Defaults to `false`. If `true`, the cookie will not be made available to JavaScript.
+    # For more see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.6).
+    # @return [Boolean]
+    attr_accessor :cookie_http_only
+
+    # Controls the 'from' address for Authenticate emails.
+    # Defaults to reply@example.com.
+    # @return [String]
+    attr_accessor :mailer_sender
+
+    # Determines what crypto is used when authenticating and setting passwords.
+    # Defaults to {Authenticate::Model::BCrypt}. At the moment Bcrypt is the only
+    # option offered.
+    #
     # Crypto implementations must provide:
     #   * match?(secret, encrypted)
     #   * encrypt(secret)
@@ -74,35 +104,75 @@ module Authenticate
     # Available strategies:
     #   :email - requires user have attribute :email
     #   :username - requires user have attribute :username
+    #
     # Defaults to :email. To set to :username:
+    #
     #   Configuration.configure do |config|
     #     config.authentication_strategy = :username
     #   end
     #
     # Or, you can plug in your own authentication class, eg:
+    #
     #   Configuration.configure do |config|
     #     config.authentication_strategy = MyFunkyAuthClass
     #   end
+    #
     # @return [Symbol or Class]
     attr_accessor :authentication_strategy
 
+    # The default path Authenticate will redirect signed in users to.
+    # Defaults to `"/"`. This can often be overridden for specific scenarios by
+    # overriding controller methods that rely on it.
+    # @return [String]
+    attr_accessor :redirect_url
 
-    # Enable debugging messages.
-    # @private
+    # Controls whether the "sign up" route, allowing creation of users, is enabled.
+    # Defaults to `true`. Set to `false` to disable user creation routes.
+    # The setting is ignored if routes are disabled.
+    # @param [Boolean] value
     # @return [Boolean]
-    attr_accessor :debug
+    attr_accessor :allow_sign_up
+
+
+    # Enable or disable Authenticate's built-in routes. Defaults to 'true',
+    # enabling Authenticate's built-in routes. Disable by setting to 'false'.
+    # If you disable the routes, your application is responsible for all routes.
+    # You can deploy a copy of Authenticate's routes with `rails generate authenticate:routes`,
+    # which will also set `config.routes = false`.
+    # @return [Boolean]
+    attr_accessor :routes
+
+    # The time period within which the password must be reset or the token expires.
+    # If set to nil, the password reset token does not expire.
+    # Defaults to `2.days`.
+    # @return [ActiveSupport::CoreExtensions::Numeric::Time]
+    attr_accessor :reset_password_within
 
     # An array of additional modules to load into the User module.
     # Defaults to an empty array.
     # @return [Array]
     attr_accessor :modules
 
+    # Enable debugging messages.
+    # @private
+    # @return [Boolean]
+    attr_accessor :debug
+
 
     def initialize
       # Defaults
       @debug = false
       @cookie_name = 'authenticate_session_token'
       @cookie_expiration =  -> { 1.year.from_now.utc }
+      @cookie_domain = nil
+      @cookie_path = '/'
+      @secure_cookie = false
+      @cookie_http_only = false
+      @mailer_sender = 'reply@example.com'
+      @redirect_url = '/'
+      @allow_sign_up = true
+      @routes = true
+      @reset_password_within = 2.days
       @modules = []
       @user_model = '::User'
       @authentication_strategy = :email
@@ -112,12 +182,31 @@ module Authenticate
       @user_model_class ||= user_model.constantize
     end
 
+    # The name of foreign key parameter for the configured user model.
+    # This is derived from the `model_name` of the `user_model` setting.
+    # In the default configuration, this is `user_id`.
+    # @return [Symbol]
+    def user_id_parameter
+      "#{user_model_class.model_name.singular}_id".to_sym
+    end
+
+    # Is the user sign up route enabled?
+    # @return [Boolean]
+    def allow_sign_up?
+      @allow_sign_up
+    end
+
+    # @return [Boolean] are Authenticate's built-in routes enabled?
+    def routes_enabled?
+      @routes
+    end
 
     # List of symbols naming modules to load.
     def modules
       modules = @modules.dup # in case the user pushes any on
       modules << @authentication_strategy
       modules << :db_password
+      modules << :password_reset
       modules << :trackable  # needs configuration
       modules << :timeoutable if @timeout_in
       modules << :lifetimed if @max_session_lifetime