authenticate 0.1.0

data/lib/authenticate/debug.rb

@@ -0,0 +1,10 @@
+module Authenticate
+  module Debug
+    extend ActiveSupport::Concern
+
+    def d(msg)
+      Rails.logger.info msg.to_s if Authenticate.configuration.debug
+    end
+
+  end
+end

data/lib/authenticate/engine.rb

@@ -0,0 +1,21 @@
+module Authenticate
+  class Engine < ::Rails::Engine
+    # config.generators do |g|
+    #   g.test_framework :rspec
+    #   g.fixture_replacement :factory_girl, dir: 'spec/factories'
+    # end
+
+    # viget
+    config.generators do |g|
+      g.test_framework :rspec
+      g.fixture_replacement :factory_girl, dir: 'spec/factories'
+
+
+      # g.test_framework      :rspec,        fixture: false
+      # g.fixture_replacement :factory_girl, dir: 'spec/factories'
+      # g.assets false
+      # g.helper false
+    end
+
+  end
+end

data/lib/authenticate/lifecycle.rb

@@ -0,0 +1,120 @@
+module Authenticate
+
+  # Lifecycle stores and runs callbacks for authorization events.
+  #
+  # Heavily borrowed from warden (https://github.com/hassox/warden).
+  #
+  # = Events:
+  #   :set_user - called after the user object is loaded, either through id/password or via session token.
+  #   :authentication - called after the user authenticates with id & password
+  #
+  # Callbacks are added via after_set_user or after_authentication.
+  #
+  # Callbacks can throw(:failure,message) to signal an authentication/authorization failure, or perform
+  # actions on the user or session.
+  #
+  # = Options
+  #
+  # The callback options may optionally specify when to run the callback:
+  #   only - executes the callback only if it matches the event(s) given
+  #   except - executes the callback except if it matches the event(s) given
+  #
+  # The callback may also specify a 'name' key in options. This is for debugging purposes only.
+  #
+  # = Callback block parameters
+  #
+  # Callbacks are invoked with the following block parameters: |user, session, opts|
+  #   user - the user object just loaded
+  #   session - the Authenticate::Session
+  #   opts - any options you want passed into the callback
+  #
+  # = Example
+  #
+  #   # A callback to track the users successful logins:
+  #   Authenticate.lifecycle.after_set_user do |user, session, opts|
+  #     user.sign_in_count += 1
+  #   end
+  #
+  class Lifecycle
+    include Debug
+    @@conditions = [:only, :except, :event]
+
+    # This callback is triggered after the first time a user is set during per-hit authorization, or during login.
+    def after_set_user(options = {}, method = :push, &block)
+      raise BlockNotGiven unless block_given?
+      options = process_opts(options)
+      # puts "register after_set_user #{options.inspect}"
+      after_set_user_callbacks.send(method, [block, options])
+    end
+
+
+
+    # A callback to run after the user successfully authenticates, during the login process.
+    # Mechanically identical to [#after_set_user].
+    def after_authentication(options = {}, method = :push, &block)
+      raise BlockNotGiven unless block_given?
+      options = process_opts(options)
+      # puts "register after_authentication #{options}"
+      after_authentication_callbacks.send(method, [block, options])
+    end
+
+
+    def run_callbacks(kind, *args) # args - |user, session, opts|
+      # Last callback arg MUST be a Hash
+      options = args.last
+      d "@@@@@@@@@@@@ run_callbacks kind:#{kind} options:#{options.inspect}"
+
+      # each callback has 'conditions' stored with it
+      send("#{kind}_callbacks").each do |callback, conditions|
+        conditions = conditions.dup # make a copy, we mutate it
+        d "running callback -- #{conditions.inspect}"
+        conditions.delete_if {|key, val| !@@conditions.include? key}
+        # d "conditions after filter:#{conditions.inspect}"
+        invalid = conditions.find do |key, value|
+          # d "!!!!!!! conditions key:#{key} value:#{value}      options[key]:#{options[key].inspect}"
+          # d("!value.include?(options[key]):#{!value.include?(options[key])}") if value.is_a?(Array)
+          value.is_a?(Array) ? !value.include?(options[key]) : (value != options[key])
+        end
+        d "callback invalid? #{invalid.inspect}"
+        callback.call(*args) unless invalid
+      end
+      d "FINISHED run_callbacks #{kind}"
+      nil
+    end
+
+
+    def prepend_after_authentication(options = {}, &block)
+      after_authentication(options, :unshift, &block)
+    end
+
+    private
+
+    # set event: to run callback on based on options
+    def process_opts(options)
+      if options.key?(:only)
+        options[:event] = options.delete(:only)
+      elsif options.key?(:except)
+        options[:event] = [:set_user, :authentication] - Array(options.delete(:except))
+      end
+      options
+    end
+
+
+    def after_set_user_callbacks
+      @after_set_user_callbacks ||= []
+    end
+
+    def after_authentication_callbacks
+      @after_authentication_callbacks ||= []
+    end
+  end
+
+
+  def self.lifecycle
+    @lifecycle ||= Lifecycle.new
+  end
+
+  def self.lifecycle=(lifecycle)
+    @lifecycle = lifecycle
+  end
+end

data/lib/authenticate/login_status.rb

@@ -0,0 +1,27 @@
+module Authenticate
+
+  # Indicate login attempt was successful. Allows caller to supply a block to login() predicated on success?
+  class Success
+    def success?
+      true
+    end
+  end
+
+  # Indicate login attempt was a failure, with a message.
+  # Allows caller to supply a block to login() predicated on success?
+  class Failure
+    # The reason the sign in failed.
+    attr_reader :message
+
+    # @param [String] message The reason the login failed.
+    def initialize(message)
+      @message = message
+    end
+
+    def success?
+      false
+    end
+  end
+
+end
+

data/lib/authenticate/model/brute_force.rb

@@ -0,0 +1,51 @@
+require 'authenticate/callbacks/brute_force'
+
+module Authenticate
+  module Model
+
+
+    # Protect from brute force attacks.
+    # Lock accounts that have too many failed consecutive logins.
+    # Todo: email user to allow faster unlocking via token.
+    module BruteForce
+      extend ActiveSupport::Concern
+
+      def self.required_fields(klass)
+        [:failed_logins_count, :lock_expires_at]
+      end
+
+
+      def register_failed_login!
+        self.failed_logins_count ||= 0
+        self.failed_logins_count += 1
+        lock! if self.failed_logins_count >= max_bad_logins
+      end
+
+      def lock!
+        self.update_attribute(:lock_expires_at, Time.now.utc + lockout_period)
+      end
+
+      def unlock!
+        self.update_attributes({failed_logins_count: 0, lock_expires_at: nil})
+      end
+
+      def locked?
+        !unlocked?
+      end
+
+      def unlocked?
+        self.lock_expires_at.nil?
+      end
+
+      private
+
+      def max_bad_logins
+        Authenticate.configuration.max_consecutive_bad_logins_allowed
+      end
+
+      def lockout_period
+        Authenticate.configuration.bad_login_lockout_period
+      end
+    end
+  end
+end

data/lib/authenticate/model/db_password.rb

@@ -0,0 +1,71 @@
+require 'authenticate/crypto/bcrypt'
+
+
+module Authenticate
+  module Model
+
+    # Encrypts and stores a password in the database to validate the authenticity of a user while signing in.
+    #
+    # Authenticate can plug in any crypto provider, but currently only features BCrypt.
+    #
+    # = Methods
+    #
+    # The following methods are added to your user model:
+    # - password_match?(password) - checks to see if the user's password matches the given password
+    # - password=(new_password) - encrypt and set the user password
+    #
+    # = Validations
+    #
+    # - :password validation, requiring the password is set
+    #
+    module DbPassword
+      extend ActiveSupport::Concern
+
+      def self.required_fields(klass)
+        [:encrypted_password]
+      end
+
+      included do
+        include crypto_provider
+        attr_reader :password
+        attr_accessor :password_changing
+        validates :password, presence: true, unless: :skip_password_validation?
+      end
+
+
+
+      module ClassMethods
+
+        # We only have one crypto provider at the moment, but this is a pluggable point
+        # to install different crypto.
+        def crypto_provider
+          Authenticate.configuration.crypto_provider || Authenticate::Crypto::BCrypt
+        end
+
+      end
+
+
+
+      def password_match?(password)
+        match?(password, self.encrypted_password)
+      end
+
+      def password=(new_password)
+        @password = new_password
+
+        if new_password.present?
+          self.encrypted_password = encrypt(new_password)
+        end
+      end
+
+      private
+
+        # If we already have an encrypted password and it's not changing, skip the validation.
+      def skip_password_validation?
+        encrypted_password.present? && !password_changing
+      end
+
+    end
+  end
+end
+

data/lib/authenticate/model/email.rb

@@ -0,0 +1,76 @@
+require 'email_validator'
+
+module Authenticate
+  module Model
+
+    # Use :email as the identifier for the user. Must be unique to the system.
+    #
+    # = Columns
+    # - :email containing the email address of the user
+    #
+    # = Validations
+    # - :email requires email is set, validations the format, and ensure it is unique
+    #
+    # = Callbacks
+    # - :normalize_email - normalize the email, removing spaces etc, before saving
+    #
+    # = Methods
+    # - :email - require the email address is set and is a valid format
+    #
+    # = class methods
+    # - authenticate(email, password) - find user with given email, validate their password, return the user.
+    # - normalize_email(email) - clean up the given email and return it.
+    # - find_by_normalized_email(email) - normalize the given email, then look for the user with that email.
+    #
+    module Email
+      extend ActiveSupport::Concern
+
+      def self.required_fields(klass)
+        [:email]
+      end
+
+      included do
+        before_validation :normalize_email
+        validates :email,
+                  email: { strict_mode: true },
+                  presence: true,
+                  uniqueness: { allow_blank: true }
+      end
+
+
+      module ClassMethods
+
+        def credentials(params)
+          # todo closure from configuration
+          [params[:session][:email], params[:session][:password]]
+        end
+
+        def authenticate(credentials)
+          user = find_by_credentials(credentials)
+          user && user.password_match?(credentials[1]) ? user : nil
+        end
+
+        def find_by_credentials(credentials)
+          email = credentials[0]
+          puts "find_by_credentials email: #{email}"
+          find_by_email normalize_email(email)
+        end
+
+        def normalize_email(email)
+          email.to_s.downcase.gsub(/\s+/, '')
+        end
+
+      end
+
+      # Sets the email on this instance to the value returned by
+      # {.normalize_email}
+      #
+      # @return [String]
+      def normalize_email
+        self.email = self.class.normalize_email(email)
+      end
+    end
+
+  end
+end
+

data/lib/authenticate/model/lifetimed.rb

@@ -0,0 +1,48 @@
+require 'authenticate/callbacks/lifetimed'
+
+module Authenticate
+  module Model
+
+    # The user session has a maximum allowed lifespan, after which the session is expired and requires
+    # re-authentication.
+    #
+    # = configuration
+    #
+    # Set the maximum session lifetime in the initializer, giving a timestamp.
+    #
+    #   Authenticate.configure do |config|
+    #     config.max_session_lifetime = 8.hours
+    #   end
+    #
+    # If the max_session_lifetime configuration parameter is nil, the :lifetimed module is not loaded.
+    #
+    # = columns
+    # Requires the `current_sign_in_at` column. This column is managed by the :trackable plugin.
+    #
+    # = methods
+    # - max_session_timedout? - true if the user's session is too old and must be reaped
+    #
+    #
+    module Lifetimed
+      extend ActiveSupport::Concern
+
+      def self.required_fields(klass)
+        [:current_sign_in_at]
+      end
+
+      # Has the session reached its maximum allowed lifespan?
+      def max_session_timedout?
+        return false if max_session_lifetime.nil?
+        return false if current_sign_in_at.nil?
+        current_sign_in_at <= max_session_lifetime.ago
+      end
+
+      private
+
+      def max_session_lifetime
+        Authenticate.configuration.max_session_lifetime
+      end
+
+    end
+  end
+end

data/lib/authenticate/model/timeoutable.rb

@@ -0,0 +1,47 @@
+require 'authenticate/callbacks/timeoutable'
+
+module Authenticate
+  module Model
+
+    # Expire user sessions that have not been accessed within a certain period of time.
+    # Expired users will be asked for credentials again.
+    #
+    # == Columns
+    #
+    # This module expects and tracks this column on your user model:
+    # - last_access_at - timestamp of the last access by the user
+    #
+    # == Configuration
+    #
+    # Timeoutable is enabled and configured with the `timeout_in` configuration parameter.
+    # `timeout_in` expects a timestamp. Example:
+    #
+    #   Authenticate.configure do |config|
+    #     config.timeout_in = 15.minutes
+    #   end
+    #
+    # You must specify a non-nil timeout_in in your initializer to enable Timeoutable.
+    #
+    module Timeoutable
+        extend ActiveSupport::Concern
+
+        def self.required_fields(klass)
+          [:last_access_at]
+        end
+
+        # Checks whether the user session has expired based on configured time.
+        def timedout?
+          Rails.logger.info "User.timedout? timeout_in:#{timeout_in}  last_access_at:#{last_access_at}"
+          return false if timeout_in.nil?
+          return false if last_access_at.nil?
+          # result = Time.now.utc > (last_access_at + timeout_in)
+          Rails.logger.info "User.timedout? #{last_access_at >= timeout_in.ago}   timeout_in.ago:#{timeout_in.ago}  last_access_at:#{last_access_at}"
+          last_access_at <= timeout_in.ago
+        end
+
+        def timeout_in
+          Authenticate.configuration.timeout_in
+        end
+      end
+  end
+end