authenticate 0.2.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ca8c03070d7634ba64d25f575271f6bebe6920fc
-  data.tar.gz: bc353110b848819716f864a7ca66f7df46afae1b
+  metadata.gz: 314ba694f7183f9f3a7ed5c239c1ec1dc7e45298
+  data.tar.gz: dabffa423ced67c1f8bf767befdee51979ef3989
 SHA512:
-  metadata.gz: 9c0d18c59f7373dbb3c817a92b7b02ff901d5f56c8c7ac5ab72c7c2dac611b044c15b25ebb0b93873986663825b00de386bc1ba25eccae537724d27171c767a1
-  data.tar.gz: 0122cd40a252a9db8c946368529220bdc41f6750220fd1ad3f6c61df3744392eac0f8969d13365e26f3c124fe333a1451f95e15bfad83574b2386db45d7a4ccc
+  metadata.gz: 9e3cc55ad8b83ab460966a9bfd9000c7799ed5792cc0402c8ce90eb22d3f055b0b3dadf146038c46c844f5278e4a233c6237992febf2679ddc95838c0ad0d4b8
+  data.tar.gz: 24f500d3c8917867c2a16c7b3ba2f0bcf44c47dfe5ea83ffb949c9bb03c864f880a30ccab3f7e7f755cb4fa7039f12926b42cd01d30fbab9482a7c0851c8ff1a

data/.gitignore

@@ -2,9 +2,9 @@
 authenticate-*.gem
 log/*.log
 pkg/
-test/dummy/db/*.sqlite3
-test/dummy/db/*.sqlite3-journal
-test/dummy/log/*.log
-test/dummy/tmp/
+spec/dummy/db/*.sqlite3
+spec/dummy/db/*.sqlite3-journal
+spec/dummy/log/*.log
+spec/dummy/tmp/
 spec/dummy/log/test.log
 spec/dummy/log/development.log

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Authenticate Changelog
 
+## [0.3.0] - February 24, 2016
+
+Moved normalize_email and find_normalized_email methods to base User module.
+Added full suite of controller and feature tests.
+Bug fixes: 
+* failed login count fix was off by one.
+* password validation now done only in correct circumstances
+
+[0.3.0]: https://github.com/tomichj/authenticate/compare/v0.2.2...v0.3.0
+
+
+
 ## [0.2.3] - February 13, 2016
 
 Small bugfix for :username authentication.

data/Gemfile

@@ -2,6 +2,7 @@ source 'https://rubygems.org'
 
 gemspec
 
+# gem 'capybara'
 
 # Declare your gem's dependencies in authenticate.gemspec.
 # Bundler will treat runtime dependencies like base dependencies, and

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authenticate (0.2.2)
+    authenticate (0.3.0)
       bcrypt
       email_validator (~> 1.6)
       rails (>= 4.0, < 5.1)
@@ -44,20 +44,26 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
+    addressable (2.4.0)
     arel (6.0.3)
     bcrypt (3.1.10)
     builder (3.2.2)
+    capybara (2.6.2)
+      addressable
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
     coderay (1.1.0)
     concurrent-ruby (1.0.0)
+    database_cleaner (1.5.1)
     diff-lcs (1.2.5)
     email_validator (1.6.0)
       activemodel
     erubis (2.7.0)
     factory_girl (4.4.0)
       activesupport (>= 3.0.0)
-    factory_girl_rails (4.4.1)
-      factory_girl (~> 4.4.0)
-      railties (>= 3.0.0)
     globalid (0.3.6)
       activesupport (>= 4.1.0)
     i18n (0.7.0)
@@ -120,6 +126,8 @@ GEM
       rspec-mocks (~> 3.1.0)
       rspec-support (~> 3.1.0)
     rspec-support (3.1.2)
+    shoulda-matchers (2.8.0)
+      activesupport (>= 3.0.0)
     slop (3.6.0)
     sprockets (3.5.2)
       concurrent-ruby (~> 1.0)
@@ -131,18 +139,25 @@ GEM
     sqlite3 (1.3.11)
     thor (0.19.1)
     thread_safe (0.3.5)
+    timecop (0.8.0)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
+    xpath (2.0.0)
+      nokogiri (~> 1.3)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   authenticate!
-  factory_girl_rails
+  capybara (~> 2.6.2)
+  database_cleaner (~> 1.5.1)
+  factory_girl
   pry
-  rspec-rails
+  rspec-rails (~> 3.1.0)
+  shoulda-matchers (~> 2.8)
   sqlite3
+  timecop (~> 0.8.0)
 
 BUNDLED WITH
    1.11.2

data/app/controllers/authenticate/passwords_controller.rb

@@ -68,7 +68,7 @@ class Authenticate::PasswordsController < Authenticate::AuthenticateController
   end
 
   def find_user_for_create
-    Authenticate.configuration.user_model_class.find_by_email params[:password][:email]
+    Authenticate.configuration.user_model_class.find_by_normalized_email params[:password][:email]
   end
 
   def find_user_for_edit

data/authenticate.gemspec

@@ -25,11 +25,15 @@ Gem::Specification.new do |s|
   s.add_dependency 'email_validator', '~> 1.6'
   s.add_dependency 'rails', '>= 4.0', '< 5.1'
 
-  # s.add_development_dependency 'capybara'
-  s.add_development_dependency 'factory_girl_rails'
-  s.add_development_dependency 'rspec-rails'
+  # s.add_development_dependency 'factory_girl_rails', '~> 4.4.1'
+  s.add_development_dependency 'factory_girl'
+  s.add_development_dependency 'rspec-rails', '~> 3.1.0'
   s.add_development_dependency 'pry'
   s.add_development_dependency 'sqlite3'
+  s.add_development_dependency 'shoulda-matchers', '~> 2.8'
+  s.add_development_dependency 'capybara', '~> 2.6.2'
+  s.add_development_dependency 'database_cleaner', '~> 1.5.1'
+  s.add_development_dependency 'timecop', '~> 0.8.0'
 
   s.required_ruby_version = Gem::Requirement.new('>= 2.0')
 end

data/config/locales/authenticate.en.yml

@@ -56,7 +56,7 @@ en:
       title: Sign up
   callbacks:
     authenticatable:
-      failure:  Bad id or password
+      failure:  Invalid id or password
     brute_force:
       failure: "Your account is locked, will unlock in %{time_remaining}"
     lifetimed:

data/gemfiles/rails42.gemfile

@@ -2,8 +2,13 @@
 
 source "https://rubygems.org"
 
+gem 'shoulda-matchers', '~> 2.8'
+gem 'capybara', '~> 2.6.2'
+gem 'database_cleaner', '~> 1.5.1'
+gem 'timecop', '~> 0.8.0'
+
 gem "bundler", "~> 1.3"
-gem "factory_girl_rails", "~> 4.2"
+gem "factory_girl", "~> 4.4"
 gem "rspec-rails", "~> 3.1"
 gem "sqlite3", "~> 1.3"
 gem "pry", :require => false

data/lib/authenticate/callbacks/brute_force.rb

@@ -6,7 +6,7 @@ Authenticate.lifecycle.prepend_after_authentication name: 'brute force protectio
   unless session.authenticated? || Authenticate.configuration.max_consecutive_bad_logins_allowed.nil?
     user_credentials = User.credentials(session.request.params)
     user ||= User.find_by_credentials(user_credentials)
-    if user
+    if user && user.respond_to?(:register_failed_login!)
       user.register_failed_login!
       user.save!
     end
@@ -14,14 +14,13 @@ Authenticate.lifecycle.prepend_after_authentication name: 'brute force protectio
 
   # if user is locked, and we allow a lockout period, then unlock the user if they've waited
   # longer than the lockout period.
-  if user && !Authenticate.configuration.bad_login_lockout_period.nil? && user.locked?
+  if user && user.respond_to?(:locked?) && user.locked? && !Authenticate.configuration.bad_login_lockout_period.nil?
     user.unlock! if user.lock_expires_at <= Time.now.utc
   end
 
   # if the user is still locked, let them know how long they are locked for.
-  if user && user.locked?
+  if user && user.respond_to?(:locked?) && user.locked?
     remaining = time_ago_in_words(user.lock_expires_at)
-    # throw(:failure, "Your account is locked, will unlock in #{remaining.to_s}")
     throw(:failure, I18n.t('callbacks.brute_force.failure', time_remaining: remaining.to_s))
   end
 

data/lib/authenticate/configuration.rb

@@ -206,12 +206,12 @@ module Authenticate
 
     def user_model_route_key
       return :users if @user_model == '::User' # avoid nil in generator
-      Authenticate.configuration.user_model_class.model_name.route_key
+      user_model_class.model_name.route_key
     end
 
     def user_model_param_key
       return :user if @user_model == '::User' # avoid nil in generator
-      Authenticate.configuration.user_model_class.model_name.param_key
+      user_model_class.model_name.param_key
     end
 
     # The name of foreign key parameter for the configured user model.

data/lib/authenticate/controller.rb

@@ -12,9 +12,7 @@ module Authenticate
     # Validate a user's identity with (typically) email/ID & password, and return the User if valid, or nil.
     # After calling this, call login(user) to complete the process.
     def authenticate(params)
-      # todo: get params from User model
       credentials = Authenticate.configuration.user_model_class.credentials(params)
-      debug "Controller::credentials: #{credentials.inspect}"
       Authenticate.configuration.user_model_class.authenticate(credentials)
     end
 
@@ -102,6 +100,7 @@ module Authenticate
 
     # User is not authorized, bounce 'em to sign in
     def unauthorized(msg = t('flashes.failure_when_not_signed_in'))
+      authenticate_session.deauthenticate
       respond_to do |format|
         format.any(:js, :json, :xml) { head :unauthorized }
         format.any {

data/lib/authenticate/model/brute_force.rb

@@ -33,7 +33,7 @@ module Authenticate
     module BruteForce
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:failed_logins_count, :lock_expires_at]
       end
 
@@ -41,7 +41,7 @@ module Authenticate
       def register_failed_login!
         self.failed_logins_count ||= 0
         self.failed_logins_count += 1
-        lock! if self.failed_logins_count >= max_bad_logins
+        lock! if self.failed_logins_count > max_bad_logins
       end
 
       def lock!

data/lib/authenticate/model/db_password.rb

@@ -26,7 +26,7 @@ module Authenticate
     module DbPassword
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:encrypted_password]
       end
 
@@ -72,8 +72,7 @@ module Authenticate
 
       # If we already have an encrypted password and it's not changing, skip the validation.
       def skip_password_validation?
-        # encrypted_password.present? && !password_changing
-        false
+        encrypted_password.present? && !password_changing
       end
 
     end

data/lib/authenticate/model/email.rb

@@ -25,7 +25,7 @@ module Authenticate
     module Email
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:email]
       end
 
@@ -41,6 +41,7 @@ module Authenticate
       module ClassMethods
 
         def credentials(params)
+          return [] if params.nil? || params[:session].nil?
           [params[:session][:email], params[:session][:password]]
         end
 
@@ -51,11 +52,7 @@ module Authenticate
 
         def find_by_credentials(credentials)
           email = credentials[0]
-          find_by_email normalize_email(email)
-        end
-
-        def normalize_email(email)
-          email.to_s.downcase.gsub(/\s+/, '')
+          find_by_normalized_email(email)
         end
 
       end

data/lib/authenticate/model/lifetimed.rb

@@ -25,7 +25,7 @@ module Authenticate
     module Lifetimed
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:current_sign_in_at]
       end
 

data/lib/authenticate/model/password_reset.rb

@@ -16,7 +16,7 @@ module Authenticate
     module PasswordReset
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:password_reset_token, :password_reset_sent_at, :email]
       end
 

data/lib/authenticate/model/timeoutable.rb

@@ -29,7 +29,7 @@ module Authenticate
     module Timeoutable
         extend ActiveSupport::Concern
 
-        def self.required_fields(klass)
+        def self.required_fields(_klass)
           [:last_access_at]
         end
 
@@ -45,6 +45,6 @@ module Authenticate
         def timeout_in
           Authenticate.configuration.timeout_in
         end
-      end
+    end
   end
 end

data/lib/authenticate/model/trackable.rb

@@ -19,7 +19,7 @@ module Authenticate
     module Trackable
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:current_sign_in_at, :current_sign_in_ip, :last_sign_in_at, :last_sign_in_ip, :sign_in_count]
       end
 

data/lib/authenticate/model/username.rb

@@ -17,7 +17,7 @@ module Authenticate
     module Username
       extend ActiveSupport::Concern
 
-      def self.required_fields(klass)
+      def self.required_fields(_klass)
         [:username, :email]
       end
 

data/lib/authenticate/session.rb

@@ -21,8 +21,6 @@ module Authenticate
     def login(user, &block)
       debug 'session.login()'
       @current_user = user
-      debug "session.login @current_user: #{@current_user.inspect}"
-      # todo extract token gen to two different strategies
       @current_user.generate_session_token if user.present?
 
       message = catch(:failure) do
@@ -44,7 +42,6 @@ module Authenticate
       end
     end
 
-
     # Get the user represented by this session.
     #
     # @return [User]
@@ -64,7 +61,6 @@ module Authenticate
       current_user.present?
     end
 
-
     # Invalidate the session token, unset the current user and remove the cookie.
     #
     # @return [void]

data/lib/authenticate/user.rb

@@ -49,6 +49,18 @@ module Authenticate
       save validate: false
     end
 
+    module ClassMethods
+
+      def normalize_email(email)
+        email.to_s.downcase.gsub(/\s+/, '')
+      end
+
+      # We need to find users by email even if they don't use email to log in
+      def find_by_normalized_email(email)
+        find_by_email normalize_email(email)
+      end
+
+      end
 
   end
 end

data/lib/authenticate/version.rb

@@ -1,3 +1,3 @@
 module Authenticate
-  VERSION = '0.2.3'
+  VERSION = '0.3.0'
 end

data/spec/controllers/passwords_controller_spec.rb

@@ -0,0 +1,119 @@
+require 'spec_helper'
+require 'support/controllers/controller_helpers'
+
+describe Authenticate::PasswordsController, type: :controller do
+  it { is_expected.to be_a Authenticate::Controller }
+
+  describe 'get to #new' do
+    it 'renders the new form' do
+      get :new
+      expect(response).to be_success
+      expect(response).to render_template(:new)
+    end
+  end
+
+  describe 'post to #create' do
+    context 'with email for an existing user' do
+      it 'generates a password_reset_token' do
+        user = create(:user)
+        post :create, password: { email: user.email.upcase }
+        expect(user.reload.password_reset_token).not_to be_nil
+      end
+      it 'sends a password reset email' do
+        ActionMailer::Base.deliveries.clear
+        user = create(:user)
+        post :create, password: { email: user.email }
+        email = ActionMailer::Base.deliveries.last
+        expect(email.subject).to match(/change your password/i)
+      end
+    end
+    context 'with email that does not belong to an existing user' do
+      bad_email = 'bunk_email_address@non_existent_domain.com'
+      it 'does not send an email' do
+        ActionMailer::Base.deliveries.clear
+        post :create, password: { email: bad_email}
+        expect(ActionMailer::Base.deliveries).to be_empty
+      end
+      it 'always responds with redirect to avoid leaking user information' do
+        post :create, password: { email: bad_email }
+        expect(response).to be_redirect
+      end
+    end
+  end
+
+  describe 'get to #edit' do
+    context 'with a valid password_reset_token and timestamp' do
+      it 'renders password update form' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        get :edit, id: user.id, token: user.password_reset_token
+        expect(response).to be_success
+        expect(response).to render_template(:edit)
+        expect(assigns(:user)).to eq user
+      end
+    end
+    context 'with a valid timestamp but invalid password_reset_token' do
+      it 'renders #new password form with notice' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        get :edit, id: user.id, token: 'bad token'
+        expect(response).to be_success
+        expect(response).to render_template(:new)
+      end
+    end
+    context 'with a valid password_reset_token but invalid timestamp' do
+      it 'renders #new password form with notice' do
+        user = create(:user, :with_password_reset_token_and_timestamp, password_reset_sent_at: 2.years.ago)
+        get :edit, id: user.id, token: user.password_reset_token
+        expect(response).to be_redirect
+        expect(flash[:notice]).to match /password change request has expired/
+      end
+    end
+    context 'with a blank password_reset_token' do
+      it 'renders #new password form with notice' do
+        user = create(:user)
+        get :edit, id: user.id, token: nil
+        expect(response).to be_success
+        expect(response).to render_template(:new)
+      end
+    end
+  end
+
+  describe 'put to #update' do
+    context 'with valid password_reset_token and new password' do
+      it 'updates the user password' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        old_encrypted_password = user.encrypted_password
+        put :update, update_params(user, new_password: 'new_password')
+        expect(user.reload.encrypted_password).not_to eq old_encrypted_password
+      end
+      it 'signs in the user' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        put :update, update_params(user, new_password: 'new_password')
+        expect(cookies[:authenticate_session_token]).to be_present
+        expect(cookies[:authenticate_session_token]).to eq user.reload.session_token
+      end
+      it 'redirects user' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        put :update, update_params(user, new_password: 'new_password')
+        expect(response).to redirect_to(Authenticate.configuration.redirect_url)
+      end
+    end
+    context 'with invalid new password' do
+      it 're-renders password edit form' do
+        user = create(:user, :with_password_reset_token_and_timestamp)
+        put :update, update_params(user, new_password: 'short')
+        expect(response).to render_template(:edit)
+      end
+    end
+
+  end
+
+  def update_params(user, options = {})
+    new_password = options.fetch(:new_password)
+    {
+        id: user,
+        token: user.password_reset_token,
+        password_reset: { password: new_password }
+    }
+  end
+
+end