authenticate 0.1.0

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/authenticate.gemspec

@@ -0,0 +1,38 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+# $:.push File.expand_path("../lib", __FILE__)
+
+require 'authenticate/version'
+require 'date'
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+  s.name        = 'authenticate'
+  s.version     = Authenticate::VERSION
+  s.authors     = ['Justin Tomich']
+  s.email       = ['justin@tomich.org']
+  s.homepage    = 'http://github.com/tomichj/authenticate'
+  s.summary     = 'Rails authentication with email & password'
+  s.description = 'Rails authentication with email & password'
+  s.license     = 'MIT'
+
+  # s.files = Dir["{app,config,db,lib}/**/*", "MIT-LICENSE", "Rakefile", "README.md"]
+  s.files = `git ls-files`.split("\n")
+  # s.test_files = `git ls-files -- {spec}/*`.split("\n")
+  s.test_files = Dir['spec/**/*_spec.rb']
+
+  s.extra_rdoc_files = %w(LICENSE README.md)
+  s.rdoc_options = ['--charset=UTF-8']
+
+  s.require_paths = ['lib']
+
+  s.add_dependency 'bcrypt'
+  s.add_dependency 'email_validator', '~> 1.6'
+  s.add_dependency 'rails', '>= 4.0', '< 5.1'
+  s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rspec-rails'
+  # s.add_development_dependency 'capybara'
+  s.add_development_dependency 'factory_girl_rails'
+
+  s.required_ruby_version = Gem::Requirement.new('>= 2.0')
+end

data/bin/rails

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 4 gems installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('../..', __FILE__)
+ENGINE_PATH = File.expand_path('../../lib/authenticate/engine', __FILE__)
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])
+
+require 'rails/all'
+require 'rails/engine/commands'

data/config/routes.rb

@@ -0,0 +1,2 @@
+Rails.application.routes.draw do
+end

data/lib/authenticate.rb

@@ -0,0 +1,12 @@
+require 'authenticate/debug'
+require 'authenticate/configuration'
+require 'authenticate/lifecycle'
+require 'authenticate/controller'
+require 'authenticate/session'
+require 'authenticate/user'
+require 'authenticate/engine'
+require 'authenticate/modules'
+
+module Authenticate
+  # Your code goes here...
+end

data/lib/authenticate/callbacks/authenticatable.rb

@@ -0,0 +1,4 @@
+# If user failed to authenticate, toss them out.
+Authenticate.lifecycle.after_authentication name: 'authenticatable' do |user, session, opts|
+  throw(:failure, 'Wrong email or password.') unless session.authenticated?
+end

data/lib/authenticate/callbacks/brute_force.rb

@@ -0,0 +1,31 @@
+# Prevents a locked user from logging in, and unlocks users that expired their lock time.
+# Runs as a hook after authentication.
+Authenticate.lifecycle.prepend_after_authentication name: 'brute force protection' do |user, session, options|
+  include ActionView::Helpers::DateHelper
+
+  # puts 'bf: about to check authentication'
+  unless session.authenticated?
+    # puts 'bf: session not authenticated'
+
+    user_credentials = User.credentials(session.request.params)
+    # puts "brute force protection user_credentials: #{user_credentials}"
+    user ||= User.find_by_credentials(user_credentials)
+
+    # puts 'bf: looked up user by credentials, found:' + user.inspect
+    if user
+      # puts 'found user, about to register failed attempt'
+      user.register_failed_login!
+      user.save!
+    end
+  end
+
+  if user && user.locked? && Authenticate.configuration.bad_login_lockout_period != nil
+    user.unlock! if user.lock_expires_at <= Time.now.utc
+  end
+
+  if user && user.locked?
+    remaining = time_ago_in_words(user.lock_expires_at)
+    throw(:failure, "Your account is locked, will unlock in #{remaining.to_s}")
+  end
+
+end

data/lib/authenticate/callbacks/lifetimed.rb

@@ -0,0 +1,5 @@
+Authenticate.lifecycle.after_set_user name: 'lifetimed after set_user', except: :authentication do |user, session, options|
+  if user && user.respond_to?(:max_session_timedout?)
+    throw(:failure, "Your session has reached it's maximum allowed lifetime, you must log in again") if user.max_session_timedout?
+  end
+end

data/lib/authenticate/callbacks/timeoutable.rb

@@ -0,0 +1,15 @@
+Authenticate.lifecycle.after_authentication name: 'timeoutable after authentication' do |user, session, options|
+  if user && user.respond_to?(:last_access_at)
+    user.last_access_at = Time.now.utc
+    user.save!
+  end
+end
+
+Authenticate.lifecycle.after_set_user name: 'timeoutable after set_user', except: :authentication do |user, session, options|
+  puts "user.respond_to?(:timedout?) #{user.respond_to?(:timedout?).inspect}" if user
+  if user && user.respond_to?(:timedout?)
+    throw(:failure, 'Your session has expired') if user.timedout?
+    user.last_access_at = Time.now.utc
+    user.save!
+  end
+end

data/lib/authenticate/callbacks/trackable.rb

@@ -0,0 +1,8 @@
+# After each sign in: ”update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication.
+Authenticate.lifecycle.after_authentication name: 'trackable' do |user, session, options|
+  if user.respond_to?(:update_tracked_fields!)
+    user.update_tracked_fields!(session.request)
+  end
+end

data/lib/authenticate/configuration.rb

@@ -0,0 +1,144 @@
+module Authenticate
+  class Configuration
+
+    # ActiveRecord model class name that represents your user.
+    # Specify as a String. Defaults to '::User'.
+    # To set to a different class:
+    #
+    #   Authenticate.configure do |config|
+    #     config.user_model = 'BlogUser'
+    #   end
+    #
+    # @return [String]
+    attr_accessor :user_model
+
+    # Name of the session cookie Authenticate will send to client browser.
+    # Defaults to 'authenticate_session_token'.
+    # @return [String]
+    attr_accessor :cookie_name
+
+    # A lambda called to set the remember token cookie expires attribute. Defaults to 1 year expiration.
+    # Note this is NOT the session's max lifetime, see #max_session_lifetime.
+    # To set cookie expiration yourself:
+    #
+    #   Authenticate.configure do |config|
+    #     config.cookie_expiration = { 1.month.from_now.utc }
+    #   end
+    #
+    # @return [Lambda]
+    attr_accessor :cookie_expiration
+
+    # The domain to set for the Authenticate session cookie.
+    # Defaults to nil, which will cause the cookie domain to set
+    # to the domain of the request.
+    # @return [String]
+    attr_accessor :cookie_domain
+
+    # Crypto used when authenticating and setting passwords.
+    # Defaults to {Authenticate::Model::BCrypt}.
+    # Crypto implementations must provide:
+    #   * match?(secret, encrypted)
+    #   * encrypt(secret)
+    #
+    # @return [Module #match? #encrypt]
+    attr_accessor :crypto_provider
+
+    # Invalidate the session after the specified period of idle time.
+    # Defaults to nil, which is no idle timeout.
+    #
+    #   Authenticate.configure do |config|
+    #     config.timeout_in = 45.minutes
+    #   end
+    #
+    # @return [ActiveSupport::CoreExtensions::Numeric::Time]
+    attr_accessor :timeout_in
+
+    # Allow a session to 'live' for no more than the given elapsed time, e.g. 8.hours.
+    # Defaults to nil, or no max session time.
+    # @return [ActiveSupport::CoreExtensions::Numeric::Time]
+    attr_accessor :max_session_lifetime
+
+    # Number of consecutive bad login attempts allowed.
+    # Default is nil, which disables this feature.
+    # @return [Integer]
+    attr_accessor :max_consecutive_bad_logins_allowed
+
+    # Time period to lock an account for if the user exceeds
+    # max_consecutive_bad_logins_allowed (and it's set to nonzero).
+    # If set to nil, account is locked out indefinitely.
+    # @return [ActiveSupport::CoreExtensions::Numeric::Time]
+    attr_accessor :bad_login_lockout_period
+
+    # Strategy for authentication.
+    #
+    # Available strategies:
+    #   :email - requires user have attribute :email
+    #   :username - requires user have attribute :username
+    # Defaults to :email. To set to :username:
+    #   Configuration.configure do |config|
+    #     config.authentication_strategy = :username
+    #   end
+    #
+    # Or, you can plug in your own authentication class, eg:
+    #   Configuration.configure do |config|
+    #     config.authentication_strategy = MyFunkyAuthClass
+    #   end
+    # @return [Symbol or Class]
+    attr_accessor :authentication_strategy
+
+
+    # Enable debugging messages.
+    # @private
+    # @return [Boolean]
+    attr_accessor :debug
+
+    # An array of additional modules to load into the User module.
+    # Defaults to an empty array.
+    # @return [Array]
+    attr_accessor :modules
+
+
+    def initialize
+      # Defaults
+      @debug = false
+      @cookie_name = 'authenticate_session_token'
+      @cookie_expiration =  -> { 1.year.from_now.utc }
+      @modules = []
+      @user_model = '::User'
+      @authentication_strategy = :email
+    end
+
+    def user_model_class
+      @user_model_class ||= user_model.constantize
+    end
+
+
+    # List of symbols naming modules to load.
+    def modules
+      modules = @modules.dup # in case the user pushes any on
+      modules << @authentication_strategy
+      modules << :db_password
+      modules << :trackable  # needs configuration
+      modules << :timeoutable if @timeout_in
+      modules << :lifetimed if @max_session_lifetime
+      modules << :brute_force if @max_consecutive_bad_logins_allowed
+      modules
+    end
+
+
+  end # end of Configuration class
+
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  def self.configure
+    yield configuration
+  end
+
+end

data/lib/authenticate/controller.rb

@@ -0,0 +1,110 @@
+module Authenticate
+  module Controller
+    extend ActiveSupport::Concern
+    include Debug
+
+    included do
+      helper_method :current_user, :authenticated?
+      attr_writer :authenticate_session
+    end
+
+
+    # Validate a user's identity with (typically) email/ID & password, and return the User if valid, or nil.
+    # After calling this, call login(user) to complete the process.
+    def authenticate(params)
+      # todo: get params from User model
+      user_credentials = Authenticate.configuration.user_model_class.credentials(params)
+      puts "Controller::user_credentials: #{user_credentials.inspect}"
+      Authenticate.configuration.user_model_class.authenticate(user_credentials)
+    end
+
+
+    # Complete the user's sign in process: after calling authenticate, or after user creates account.
+    # Runs all valid callbacks and sends the user a session token.
+    def login(user, &block)
+      authenticate_session.login user, &block
+    end
+
+
+    # Log the user out. Typically used in session controller.
+    #
+    # class SessionsController < ActionController::Base
+    #   include Authenticate::Controller
+    #
+    #   def destroy
+    #     logout
+    #     redirect_to '/', notice: 'You logged out successfully'
+    #   end
+    def logout
+      authenticate_session.deauthenticate
+    end
+
+
+    # Use this as a before_action to restrict controller actions to authenticated users.
+    # Consider using in application_controller to restrict access to all controllers.
+    #
+    # Example:
+    #
+    #   class ApplicationController < ActionController::Base
+    #     before_action :require_authentication
+    #
+    #     def index
+    #       # ...
+    #     end
+    #   end
+    #
+    def require_authentication
+      d 'Controller::require_authentication'
+      unless authenticated?
+        unauthorized
+      end
+
+      message = catch(:failure) do
+        current_user = authenticate_session.current_user
+        Authenticate.lifecycle.run_callbacks(:after_set_user, current_user, authenticate_session, {event: :set_user })
+      end
+      unauthorized(message) if message
+    end
+
+
+    # Has the user been logged in? Exposed as a helper, can be called from views.
+    #
+    #   <% if authenticated? %>
+    #     <%= link_to logout_path, "Sign out" %>
+    #   <% else %>
+    #     <%= link_to login_path, "Sign in" %>
+    #   <% end %>
+    #
+    def authenticated?
+      authenticate_session.authenticated?
+    end
+
+
+    # Get the current user from the current Authenticate session.
+    # Exposed as a helper , can be called from controllers, views, and other helpers.
+    #
+    #   <p>Your email address: <%= current_user.email %></p>
+    #
+    def current_user
+      authenticate_session.current_user
+    end
+
+    private
+
+    def authenticate_session
+      @authenticate_session ||= Authenticate::Session.new(request, cookies)
+    end
+
+    def unauthorized(msg = 'You must sign in')
+      respond_to do |format|
+        format.any(:js, :json, :xml) { head :unauthorized }
+        format.any {
+          flash[:notice] = msg  # TODO use locales
+          redirect_to '/authenticate' #TODO something better baby
+        }
+      end
+    end
+
+
+  end
+end

data/lib/authenticate/crypto/bcrypt.rb

@@ -0,0 +1,30 @@
+module Authenticate
+  module Crypto
+
+    # All crypto providers must implement encrypt(secret) and match?(secret, encrypted)
+    module BCrypt
+      require 'bcrypt'
+
+      def encrypt(secret)
+        ::BCrypt::Password.create secret, cost: cost
+      end
+
+      def match?(secret, encrypted)
+        return false unless encrypted.present?
+        ::BCrypt::Password.new(encrypted) == secret
+      end
+
+      def cost
+        @cost ||= ::BCrypt::Engine::DEFAULT_COST
+      end
+
+      def cost=(val)
+        if val < ::BCrypt::Engine::MIN_COST
+          raise ArgumentError.new("bcrypt cost cannot be set below the engine's min cost (#{::BCrypt::Engine::MIN_COST})")
+        end
+        @cost = val
+      end
+
+    end
+  end
+end