authenticate 0.2.0 → 0.2.1

data/gemfiles/rails42.gemfile

@@ -0,0 +1,12 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "bundler", "~> 1.3"
+gem "factory_girl_rails", "~> 4.2"
+gem "rspec-rails", "~> 3.1"
+gem "sqlite3", "~> 1.3"
+gem "pry", :require => false
+gem "rails", "~> 4.2.0"
+
+gemspec :path => "../"

data/lib/authenticate/callbacks/authenticatable.rb

@@ -1,4 +1,7 @@
+# Callback to check that the session has been authenticated.
+#
+
 # If user failed to authenticate, toss them out.
 Authenticate.lifecycle.after_authentication name: 'authenticatable' do |user, session, opts|
-  throw(:failure, 'Wrong email or password.') unless session.authenticated?
+  throw(:failure, I18n.t('callbacks.authenticatable.failure')) unless session && session.authenticated?
 end

data/lib/authenticate/callbacks/brute_force.rb

@@ -21,7 +21,8 @@ Authenticate.lifecycle.prepend_after_authentication name: 'brute force protectio
   # if the user is still locked, let them know how long they are locked for.
   if user && user.locked?
     remaining = time_ago_in_words(user.lock_expires_at)
-    throw(:failure, "Your account is locked, will unlock in #{remaining.to_s}")
+    # throw(:failure, "Your account is locked, will unlock in #{remaining.to_s}")
+    throw(:failure, I18n.t('callbacks.brute_force.failure', time_remaining: remaining.to_s))
   end
 
 end

data/lib/authenticate/callbacks/lifetimed.rb

@@ -1,6 +1,6 @@
 # Catch sessions that have been live for too long and kill them, forcing the user to reauthenticate.
 Authenticate.lifecycle.after_set_user name: 'lifetimed after set_user', except: :authentication do |user, session, options|
-  if user && user.respond_to?(:max_session_timedout?)
-    throw(:failure, "Your session has reached it's maximum allowed lifetime, you must log in again") if user.max_session_timedout?
+  if user && user.respond_to?(:max_session_lifetime_exceeded?)
+    throw(:failure, I18n.t('callbacks.lifetimed.failure')) if user.max_session_lifetime_exceeded?
   end
 end

data/lib/authenticate/callbacks/timeoutable.rb

@@ -9,7 +9,7 @@ end
 # Fail users that have timed out. Otherwise update last_access_at.
 Authenticate.lifecycle.after_set_user name: 'timeoutable after set_user', except: :authentication do |user, session, options|
   if user && user.respond_to?(:timedout?)
-    throw(:failure, 'Your session has expired') if user.timedout?
+    throw(:failure, I18n.t('callbacks.timeoutable.failure')) if user.timedout?
     user.last_access_at = Time.now.utc
     user.save!
   end

data/lib/authenticate/callbacks/trackable.rb

@@ -1,6 +1,6 @@
 # Update all standard tracked stats at each authentication.
 Authenticate.lifecycle.after_authentication name: 'trackable' do |user, session, options|
-  if user.respond_to?(:update_tracked_fields!)
+  if user && user.respond_to?(:update_tracked_fields!)
     user.update_tracked_fields!(session.request)
   end
 end

data/lib/authenticate/controller.rb

@@ -14,7 +14,7 @@ module Authenticate
     def authenticate(params)
       # todo: get params from User model
       user_credentials = Authenticate.configuration.user_model_class.credentials(params)
-      puts "Controller::user_credentials: #{user_credentials.inspect}"
+      debug "Controller::user_credentials: #{user_credentials.inspect}"
       Authenticate.configuration.user_model_class.authenticate(user_credentials)
     end
 
@@ -54,7 +54,7 @@ module Authenticate
     #   end
     #
     def require_authentication
-      d 'Controller::require_authentication'
+      debug 'Controller::require_authentication'
       unless authenticated?
         unauthorized
       end
@@ -89,10 +89,19 @@ module Authenticate
       authenticate_session.current_user
     end
 
+    # Return true if it's an Authenticate controller. Useful if you want to apply a before
+    # filter to all controllers, except the ones in Authenticate:
+    #
+    #   before_action :my_filter, unless: :authenticate_controller?
+    #
+    def authenticate_controller?
+      is_a?(Authenticate::AuthenticateController)
+    end
+
     protected
 
     # User is not authorized, bounce 'em to sign in
-    def unauthorized(msg = 'You must sign in') # get default message from locale
+    def unauthorized(msg = t('flashes.failure_when_not_signed_in'))
       respond_to do |format|
         format.any(:js, :json, :xml) { head :unauthorized }
         format.any {

data/lib/authenticate/debug.rb

@@ -2,10 +2,15 @@ module Authenticate
   module Debug
     extend ActiveSupport::Concern
 
-    def d(msg)
-      # todo check: Rails constant loaded? Authenticate config read? do a puts otherwise
-      Rails.logger.info msg.to_s if Authenticate.configuration.debug
+
+    def debug(msg)
+      if defined?(Rails) && defined?(Rails.logger)
+        Rails.logger.info msg.to_s if Authenticate.configuration.debug
+      else
+        puts msg.to_s if Authenticate.configuration.debug
+      end
     end
 
+
   end
 end

data/lib/authenticate/engine.rb

@@ -1,3 +1,6 @@
+require 'authenticate'
+require 'rails'
+
 module Authenticate
   class Engine < ::Rails::Engine
 

data/lib/authenticate/lifecycle.rb

@@ -41,10 +41,7 @@ module Authenticate
 
     # This callback is triggered after the first time a user is set during per-hit authorization, or during login.
     def after_set_user(options = {}, method = :push, &block)
-      raise BlockNotGiven unless block_given?
-      options = process_opts(options)
-      # puts "register after_set_user #{options.inspect}"
-      after_set_user_callbacks.send(method, [block, options])
+      add_callback(after_set_user_callbacks, options, method, &block)
     end
 
 
@@ -52,33 +49,38 @@ module Authenticate
     # A callback to run after the user successfully authenticates, during the login process.
     # Mechanically identical to [#after_set_user].
     def after_authentication(options = {}, method = :push, &block)
-      raise BlockNotGiven unless block_given?
-      options = process_opts(options)
-      # puts "register after_authentication #{options}"
-      after_authentication_callbacks.send(method, [block, options])
+      add_callback(after_authentication_callbacks, options, method, &block)
     end
 
 
+    # Run callbacks of the given kind.
+    #
+    # * kind - :authenticate or :after_set_user
+    # * args - user, session, opts hash. Opts is an optional event, e.g. { event: :authentication }
+    #
+    # Example:
+    #   Authenticate.lifecycle.run_callbacks(:after_set_user, @current_user, self, { event: :authentication })
+    #
     def run_callbacks(kind, *args) # args - |user, session, opts|
       # Last callback arg MUST be a Hash
       options = args.last
-      d "@@@@@@@@@@@@ run_callbacks kind:#{kind} options:#{options.inspect}"
+      debug "START Lifecycle.run_callbacks kind:#{kind} options:#{options.inspect}"
 
       # each callback has 'conditions' stored with it
       send("#{kind}_callbacks").each do |callback, conditions|
         conditions = conditions.dup # make a copy, we mutate it
-        d "running callback -- #{conditions.inspect}"
-        conditions.delete_if {|key, val| !@@conditions.include? key}
-        # d "conditions after filter:#{conditions.inspect}"
+        debug "Lifecycle.running callback -- #{conditions.inspect}"
+        conditions.delete_if {|key, _val| !@@conditions.include? key}
+        # debug "conditions after filter:#{conditions.inspect}"
         invalid = conditions.find do |key, value|
-          # d "!!!!!!! conditions key:#{key} value:#{value}      options[key]:#{options[key].inspect}"
-          # d("!value.include?(options[key]):#{!value.include?(options[key])}") if value.is_a?(Array)
+          # debug "!!!!!!! conditions key:#{key} value:#{value}      options[key]:#{options[key].inspect}"
+          # debug("!value.include?(options[key]):#{!value.include?(options[key])}") if value.is_a?(Array)
           value.is_a?(Array) ? !value.include?(options[key]) : (value != options[key])
         end
-        d "callback invalid? #{invalid.inspect}"
+        debug "Lifecycle.callback invalid? #{invalid.inspect}"
         callback.call(*args) unless invalid
       end
-      d "FINISHED run_callbacks #{kind}"
+      debug "FINISHED Lifecycle.run_callbacks #{kind}"
       nil
     end
 
@@ -89,6 +91,13 @@ module Authenticate
 
     private
 
+    def add_callback(callbacks, options = {}, method = :push, &block)
+      raise BlockNotGiven unless block_given?
+      options = process_opts(options)
+      callbacks.send(method, [block, options])
+    end
+
+
     # set event: to run callback on based on options
     def process_opts(options)
       if options.key?(:only)

data/lib/authenticate/model/brute_force.rb

@@ -7,18 +7,22 @@ module Authenticate
     # Protect from brute force attacks. Lock accounts that have too many failed consecutive logins.
     # Todo: email user to allow unlocking via a token.
     #
-    # = Columns
+    # To enable brute force protection, set the config params shown below. Example:
+    #
+    #   Authenticate.configure do |config|
+    #     config.bad_login_lockout_period = 5.minutes
+    #     config.max_consecutive_bad_logins_allowed = 3
+    #   end
     #
+    # = Columns
     # * failed_logins_count - each consecutive failed login increments this counter. Set back to 0 on successful login.
     # * lock_expires_at - datetime a locked account will again become available.
     #
     # = Configuration
-    #
     # * max_consecutive_bad_logins_allowed - how many failed logins are allowed?
     # * bad_login_lockout_period - how long is the user locked out? nil indicates forever.
     #
     # = Methods
-    #
     # The following methods are added to your user model:
     # * register_failed_login! - increment failed_logins_count, lock account if in violation
     # * lock! - lock the account, setting the lock_expires_at attribute

data/lib/authenticate/model/db_password.rb

@@ -7,22 +7,20 @@ module Authenticate
     # Encrypts and stores a password in the database to validate the authenticity of a user while logging in.
     #
     # Authenticate can plug in any crypto provider, but currently only features BCrypt.
+    #
     # A crypto provider must provide:
     # * encrypt(secret) - encrypt the secret, @return [String]
     # * match?(secret, encrypted) - does the secret match the encrypted? @return [Boolean]
     #
     # = Columns
-    #
     # * encrypted_password - the user's password, encrypted
     #
     # = Methods
-    #
     # The following methods are added to your user model:
     # * password=(new_password) - encrypt and set the user password
     # * password_match?(password) - checks to see if the user's password matches the given password
     #
     # = Validations
-    #
     # * :password validation, requiring the password is set unless we're skipping due to a password change
     #
     module DbPassword
@@ -33,6 +31,7 @@ module Authenticate
       end
 
       included do
+        private_class_method :crypto_provider
         include crypto_provider
         attr_reader :password
         attr_accessor :password_changing
@@ -41,16 +40,6 @@ module Authenticate
 
 
 
-      module ClassMethods
-
-        # We only have one crypto provider at the moment, but look up the provider in the config.
-        def crypto_provider
-          Authenticate.configuration.crypto_provider || Authenticate::Crypto::BCrypt
-        end
-
-      end
-
-
       def password_match?(password)
         match?(password, self.encrypted_password)
       end
@@ -65,7 +54,16 @@ module Authenticate
 
       private
 
-        # If we already have an encrypted password and it's not changing, skip the validation.
+      module ClassMethods
+
+        # We only have one crypto provider at the moment, but look up the provider in the config.
+        def crypto_provider
+          Authenticate.configuration.crypto_provider || Authenticate::Crypto::BCrypt
+        end
+      end
+
+
+      # If we already have an encrypted password and it's not changing, skip the validation.
       def skip_password_validation?
         encrypted_password.present? && !password_changing
       end

data/lib/authenticate/model/email.rb

@@ -16,7 +16,7 @@ module Authenticate
     # = Methods
     # * normalize_email - normalize the email, removing spaces etc, before saving
     #
-    # = class methods
+    # = Class Methods
     # * credentials(params) - return the credentials required for authorization by email
     # * authenticate(credentials) - find user with given email, validate their password, return the user if authenticated
     # * normalize_email(email) - clean up the given email and return it.

data/lib/authenticate/model/lifetimed.rb

@@ -3,11 +3,10 @@ require 'authenticate/callbacks/lifetimed'
 module Authenticate
   module Model
 
-    # The user session has a maximum allowed lifespan, after which the session is expired and requires
+    # Imposes a maximum allowed lifespan on a user's session, after which the session is expired and requires
     # re-authentication.
     #
-    # = configuration
-    #
+    # = Configuration
     # Set the maximum session lifetime in the initializer, giving a timestamp.
     #
     #   Authenticate.configure do |config|
@@ -16,11 +15,11 @@ module Authenticate
     #
     # If the max_session_lifetime configuration parameter is nil, the :lifetimed module is not loaded.
     #
-    # = columns
-    # Requires the `current_sign_in_at` column. This column is managed by the :trackable plugin.
+    # = Columns
+    # * current_sign_in_at - requires `current_sign_in_at` column. This column is managed by the :trackable plugin.
     #
-    # = methods
-    # - max_session_timedout? - true if the user's session is too old and must be reaped
+    # = Methods
+    # * max_session_lifetime_exceeded? - true if the user's session has exceeded the max lifetime allowed
     #
     #
     module Lifetimed
@@ -31,7 +30,7 @@ module Authenticate
       end
 
       # Has the session reached its maximum allowed lifespan?
-      def max_session_timedout?
+      def max_session_lifetime_exceeded?
         return false if max_session_lifetime.nil?
         return false if current_sign_in_at.nil?
         current_sign_in_at <= max_session_lifetime.ago

data/lib/authenticate/model/password_reset.rb

@@ -2,10 +2,17 @@ module Authenticate
   module Model
 
     # Support 'forgot my password' functionality.
-    # Methods:
+    #
+    # = Columns
+    # * password_reset_token - token required to reset a password
+    # * password_reset_sent_at - datetime password reset token was emailed to user
+    # * email - email address of user
+    #
+    # = Methods
     # * update_password(new_password) - call password setter below, generate a new session token if user.valid?, & save
-    # *
-
+    # * forgot_password! - generate a new password reset token, timestamp, and save
+    # * reset_password_period_valid? - is the password reset token still usable?
+    #
     module PasswordReset
       extend ActiveSupport::Concern
 
@@ -59,9 +66,9 @@ module Authenticate
       #   reset_password_period_valid?   # returns true
       #
       def reset_password_period_valid?
-        reset_within = Authenticate.configuration.reset_password_within.ago.utc
+        reset_within = Authenticate.configuration.reset_password_within
         return true if reset_within.nil?
-        self.password_reset_sent_at &&  self.password_reset_sent_at.utc >= reset_within
+        self.password_reset_sent_at &&  self.password_reset_sent_at.utc >= reset_within.ago.utc
       end
 
       private

data/lib/authenticate/model/timeoutable.rb

@@ -6,22 +6,20 @@ module Authenticate
     # Expire user sessions that have not been accessed within a certain period of time.
     # Expired users will be asked for credentials again.
     #
-    # = Columns
+    # Timeoutable is enabled and configured with the `timeout_in` configuration parameter.
+    # Example:
+    #
+    #   Authenticate.configure do |config|
+    #     config.timeout_in = 15.minutes
+    #   end
     #
+    # = Columns
     # This module expects and tracks this column on your user model:
     # * last_access_at - datetime of the last access by the user
     #
     # = Configuration
-    #
     # * timeout_in - maximum idle time allowed before session is invalidated. nil shuts off this feature.
     #
-    # Timeoutable is enabled and configured with the `timeout_in` configuration parameter.
-    # `timeout_in` expects a timestamp. Example:
-    #
-    #   Authenticate.configure do |config|
-    #     config.timeout_in = 15.minutes
-    #   end
-    #
     # You must specify a non-nil timeout_in in your initializer to enable Timeoutable.
     #
     # = Methods
@@ -37,14 +35,13 @@ module Authenticate
 
         # Checks whether the user session has expired based on configured time.
         def timedout?
-          Rails.logger.info "User.timedout? timeout_in:#{timeout_in}  last_access_at:#{last_access_at}"
           return false if timeout_in.nil?
           return false if last_access_at.nil?
-          # result = Time.now.utc > (last_access_at + timeout_in)
-          Rails.logger.info "User.timedout? #{last_access_at >= timeout_in.ago}   timeout_in.ago:#{timeout_in.ago}  last_access_at:#{last_access_at}"
           last_access_at <= timeout_in.ago
         end
 
+        private
+
         def timeout_in
           Authenticate.configuration.timeout_in
         end

data/lib/authenticate/model/trackable.rb

@@ -5,8 +5,11 @@ module Authenticate
 
     # Track information about your user sign ins. This module is always enabled.
     #
-    # == Columns
-    # This module expects and tracks the following columns on your user model:
+    # = Methods
+    # * update_tracked_fields - update the user's tracked fields based on the request.
+    # * update_tracked_fields! - update tracked fields and save immediately, bypassing validations
+    #
+    # = Columns
     # - sign_in_count - increase every time a sign in is successful
     # - current_sign_in_at - a timestamp updated at each sign in
     # - last_sign_in_at - a timestamp of the previous sign in