authenticate 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 314ba694f7183f9f3a7ed5c239c1ec1dc7e45298
-  data.tar.gz: dabffa423ced67c1f8bf767befdee51979ef3989
+  metadata.gz: 0f9f51572691eba2fb35eb46618d2235898149f5
+  data.tar.gz: 69fb6dcf45f900f7433f43e11feb8b69ec966bba
 SHA512:
-  metadata.gz: 9e3cc55ad8b83ab460966a9bfd9000c7799ed5792cc0402c8ce90eb22d3f055b0b3dadf146038c46c844f5278e4a233c6237992febf2679ddc95838c0ad0d4b8
-  data.tar.gz: 24f500d3c8917867c2a16c7b3ba2f0bcf44c47dfe5ea83ffb949c9bb03c864f880a30ccab3f7e7f755cb4fa7039f12926b42cd01d30fbab9482a7c0851c8ff1a
+  metadata.gz: 195b410e9982a6a410bd53abf79ff90aba67d7ab9eca23f7fa00ab278aa28de5a592577783820d15e2bd3a2f752338c8bf2b4c695be515dd09efa2753548eac3
+  data.tar.gz: 0a06b879d4f468e62bf22037d94338a384987e5e1bc4ee72752c038700f87dfb5214d50436e5bd2a69a713fc419e3b5377ea14b7a726ec988f107a32b5d27df9

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Authenticate Changelog
 
+## [0.3.1] - March 10, 2016
+
+User controller now allows arbitrary parameters without having to explicitly declare
+them. Still requires email and password.
+Mailer now checks for mail.respond_to?(:deliver_later) rather than rails version, 
+to decide deliver vs deliver_later.
+Removed unused user_id_parameter config method.
+
+[0.3.1]: https://github.com/tomichj/authenticate/compare/v0.3.0...v0.3.1
+
+
+
 ## [0.3.0] - February 24, 2016
 
 Moved normalize_email and find_normalized_email methods to base User module.

data/README.md

@@ -28,7 +28,7 @@ Authenticate:
 * loads modules into your user model to provide authentication functionality
 * loads `callbacks` that are triggered during authentication and access events. All authentication
 decisions are performed in callbacks, e.g. do you have a valid session, has your session timed out, etc.
-* loads a module into your controllers (typically application controller) to secure controller actions
+* loads a module into your controllers (typically `ApplicationController`) to secure controller actions
 
 The callback architecture is based on the system used by devise and warden, but significantly simplified.
 

data/app/controllers/authenticate/passwords_controller.rb

@@ -56,7 +56,7 @@ class Authenticate::PasswordsController < Authenticate::AuthenticateController
   def deliver_email(user)
     mail = ::AuthenticateMailer.change_password(user)
 
-    if Gem::Version.new(Rails::VERSION::STRING) >= Gem::Version.new('4.2.0')
+    if mail.respond_to?(:deliver_later)
       mail.deliver_later
     else
       mail.deliver

data/app/controllers/authenticate/users_controller.rb

@@ -30,18 +30,20 @@ class Authenticate::UsersController < Authenticate::AuthenticateController
     Authenticate.configuration.redirect_url
   end
 
+
   def user_from_params
-    param_key = Authenticate.configuration.user_model_param_key.to_sym # :user, :user_profile, etc
-    user_params = params[param_key] ? user_params(param_key) : Hash.new
-    Authenticate.configuration.user_model_class.new(user_params)
+    email = user_params.delete(:email)
+    password = user_params.delete(:password)
+
+    Authenticate.configuration.user_model_class.new(user_params).tap do |user|
+      user.email = email
+      user.password = password
+    end
   end
 
-  # Override this method to allow additional user attributes.
-  # Default impl allows username and email to service both styles of authentication.
-  #
-  # * param_key - String used for parameter names, ActiveModel::Naming.param_key
-  #
-  def user_params(param_key)
-    params.require(param_key).permit(:username, :email, :password)
+  def user_params
+    params[Authenticate.configuration.user_model_param_key] || Hash.new
   end
+
+
 end

data/lib/authenticate/configuration.rb

@@ -1,8 +1,10 @@
 module Authenticate
   class Configuration
 
-    # ActiveRecord model class name that represents your user.
-    # Specify as a String. Defaults to '::User'.
+    # ActiveRecord model class name that represents your user. Specify as a String.
+    #
+    # Defaults to '::User'.
+    #
     # To set to a different class:
     #
     #   Authenticate.configure do |config|
@@ -13,12 +15,20 @@ module Authenticate
     attr_accessor :user_model
 
     # Name of the session cookie Authenticate will send to client browser.
+    #
     # Defaults to 'authenticate_session_token'.
+    #
     # @return [String]
     attr_accessor :cookie_name
 
-    # A lambda called to set the remember token cookie expires attribute. Defaults to 1 year expiration.
-    # Note this is NOT the session's max lifetime, see #max_session_lifetime.
+    # A lambda called to set the remember token cookie expires attribute.
+    #
+    # Defaults to 1 year expiration.
+    #
+    # Note this is NOT the authenticate session's max lifetime, but only the cookie's lifetime.
+    #
+    # See #max_session_lifetime for more on the session lifetime.
+    #
     # To set cookie expiration yourself:
     #
     #   Authenticate.configure do |config|
@@ -29,44 +39,59 @@ module Authenticate
     attr_accessor :cookie_expiration
 
     # The domain to set for the Authenticate session cookie.
-    # Defaults to nil, which will cause the cookie domain to set
-    # to the domain of the request.
+    #
+    # Defaults to nil, which will cause the cookie domain to set to the domain of the request.
+    #
     # @return [String]
     attr_accessor :cookie_domain
 
     # Controls which paths the session token cookie is valid for.
+    #
     # Defaults to `"/"` for the entire domain.
+    #
     # For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.1.4).
     # @return [String]
     attr_accessor :cookie_path
 
-    # Controls the secure setting on the session cookie. Defaults to `false`.
-    # When set, the browser will only send the cookie to the server over HTTPS.
+    # Controls the secure setting on the session cookie.
+    #
+    # Defaults to `false`.
+    #
+    # When set to 'true', the browser will only send the cookie to the server over HTTPS.
     # If set to true over an insecure http (not https) connection, the cookie will not
     # be usable and the user will not be successfully authenticated.
     #
     # You should set this value to true in live environments to prevent session hijacking.
     #
+    # Set to false in development environments.
+    #
     # For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.5).
     # @return [Boolean]
     attr_accessor :secure_cookie
 
     # Controls whether the  HttpOnly flag should be set on the session cookie.
-    # Defaults to `false`. If `true`, the cookie will not be made available to JavaScript.
+    # If `true`, the cookie will not be made available to JavaScript.
+    #
+    # Defaults to `true`.
+    #
     # For more see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.6).
     # @return [Boolean]
     attr_accessor :cookie_http_only
 
-    # Controls the 'from' address for Authenticate emails.
+    # Controls the 'from' address for Authenticate emails. Set this to a value appropriate to your application.
+    #
     # Defaults to reply@example.com.
+    #
     # @return [String]
     attr_accessor :mailer_sender
 
     # Determines what crypto is used when authenticating and setting passwords.
-    # Defaults to {Authenticate::Model::BCrypt}. At the moment Bcrypt is the only
-    # option offered.
     #
-    # Crypto implementations must provide:
+    # Defaults to {Authenticate::Model::BCrypt}.
+    #
+    # At the moment Bcrypt is the only option offered.
+    #
+    # Crypto implementations must implement:
     #   * match?(secret, encrypted)
     #   * encrypt(secret)
     #
@@ -76,6 +101,7 @@ module Authenticate
     # Invalidate the session after the specified period of idle time.
     # If the interval between the current access time and the last access time is greater than timeout_in,
     # the session is invalidated. The user will be prompted for authentication again.
+    #
     # Defaults to nil, which is no idle timeout.
     #
     #   Authenticate.configure do |config|
@@ -86,9 +112,11 @@ module Authenticate
     attr_accessor :timeout_in
 
     # Allow a session to 'live' for no more than the given elapsed time, e.g. 8.hours.
-    # Defaults to nil, or no max session time. If set, a user session will expire once it has been active for
-    # max_session_lifetime. The user session is invalidated and the next access will will prompt
-    # the user for authentication.
+    #
+    # Defaults to nil, or no max session time.
+    #
+    # If set, a user session will expire once it has been active for max_session_lifetime.
+    # The user session is invalidated and the next access will will prompt the user for authentication.
     #
     # Authenticate.configure do |config|
     #   config.max_session_lifetime = 8.hours
@@ -97,8 +125,8 @@ module Authenticate
     # @return [ActiveSupport::CoreExtensions::Numeric::Time]
     attr_accessor :max_session_lifetime
 
-    # Number of consecutive bad login attempts allowed. This is called "brute force protection".
-    # The user's consecutive bad logins will be tracked, and if they exceed the allowed maximumm
+    # Number of consecutive bad login attempts allowed. Commonly called "brute force protection".
+    # The user's consecutive bad logins will be tracked, and if they exceed the allowed maximum,
     # the user's account will be locked. The length of the lockout is determined by [#bad_login_lockout_period].
     #
     # Default is nil, which disables this feature.
@@ -112,20 +140,24 @@ module Authenticate
     attr_accessor :max_consecutive_bad_logins_allowed
 
     # Time period to lock an account for if the user exceeds max_consecutive_bad_logins_allowed.
+    #
     # If set to nil, account is locked out indefinitely.
     #
     # @return [ActiveSupport::CoreExtensions::Numeric::Time]
     attr_accessor :bad_login_lockout_period
 
-    # Range requirement for password length. Defaults to `8..128`.
+    # Range requirement for password length.
+    #
+    # Defaults to `8..128`.
+    #
     # @return [Range]
     attr_accessor :password_length
 
     # Strategy for authentication.
     #
     # Available strategies:
-    #   :email - requires user have attribute :email
-    #   :username - requires user have attribute :username
+    # * :email - requires user have attribute :email
+    # * :username - requires user have attribute :username
     #
     # Defaults to :email. To set to :username:
     #
@@ -143,34 +175,47 @@ module Authenticate
     attr_accessor :authentication_strategy
 
     # The default path Authenticate will redirect signed in users to.
-    # Defaults to `"/"`. This can often be overridden for specific scenarios by
-    # overriding controller methods that rely on it.
+    #
+    # Defaults to `"/"`.
+    #
+    # This can also be overridden for specific scenarios by overriding controller methods that rely on it.
     # @return [String]
     attr_accessor :redirect_url
 
     # Controls whether the "sign up" route, allowing creation of users, is enabled.
-    # Defaults to `true`. Set to `false` to disable user creation routes.
-    # The setting is ignored if routes are disabled.
+    #
+    # Defaults to `true`.
+    #
+    # Set to `false` to disable user creation routes. The setting is ignored if routes are disabled.
+    #
     # @param [Boolean] value
     # @return [Boolean]
     attr_accessor :allow_sign_up
 
-    # Enable or disable Authenticate's built-in routes. Defaults to 'true',
-    # enabling Authenticate's built-in routes. Disable by setting to 'false'.
+    # Enable or disable Authenticate's built-in routes.
+    #
+    # Defaults to 'true'.
+    #
     # If you disable the routes, your application is responsible for all routes.
+    #
     # You can deploy a copy of Authenticate's routes with `rails generate authenticate:routes`,
     # which will also set `config.routes = false`.
+    #
     # @return [Boolean]
     attr_accessor :routes
 
     # The time period within which the password must be reset or the token expires.
     # If set to nil, the password reset token does not expire.
+    #
     # Defaults to `2.days`.
+    #
     # @return [ActiveSupport::CoreExtensions::Numeric::Time]
     attr_accessor :reset_password_within
 
     # An array of additional modules to load into the User module.
+    #
     # Defaults to an empty array.
+    #
     # @return [Array]
     attr_accessor :modules
 
@@ -188,7 +233,7 @@ module Authenticate
       @cookie_domain = nil
       @cookie_path = '/'
       @secure_cookie = false
-      @cookie_http_only = false
+      @cookie_http_only = true
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
       @allow_sign_up = true
@@ -204,22 +249,18 @@ module Authenticate
       @user_model_class ||= user_model.constantize
     end
 
+    # The routing key for user routes. See `routes.rb`.
+    # @return [Symbol]
     def user_model_route_key
       return :users if @user_model == '::User' # avoid nil in generator
       user_model_class.model_name.route_key
     end
 
+    # The key for accessing user parameters.
+    # @return [Symbol]
     def user_model_param_key
       return :user if @user_model == '::User' # avoid nil in generator
-      user_model_class.model_name.param_key
-    end
-
-    # The name of foreign key parameter for the configured user model.
-    # This is derived from the `model_name` of the `user_model` setting.
-    # In the default configuration, this is `user_id`.
-    # @return [Symbol]
-    def user_id_parameter
-      "#{user_model_class.model_name.singular}_id".to_sym
+      user_model_class.model_name.param_key.to_sym
     end
 
     # Is the user sign up route enabled?

data/lib/authenticate/lifecycle.rb

@@ -5,8 +5,8 @@ module Authenticate
   # Heavily borrowed from warden (https://github.com/hassox/warden).
   #
   # = Events:
-  #   :set_user - called after the user object is loaded, either through id/password or via session token.
-  #   :authentication - called after the user authenticates with id & password
+  # * :set_user - called after the user object is loaded, either through id/password or via session token.
+  # * :authentication - called after the user authenticates with id & password
   #
   # Callbacks are added via after_set_user or after_authentication.
   #
@@ -16,17 +16,17 @@ module Authenticate
   # = Options
   #
   # The callback options may optionally specify when to run the callback:
-  #   only - executes the callback only if it matches the event(s) given
-  #   except - executes the callback except if it matches the event(s) given
+  # * only - executes the callback only if it matches the event(s) given
+  # * except - executes the callback except if it matches the event(s) given
   #
   # The callback may also specify a 'name' key in options. This is for debugging purposes only.
   #
   # = Callback block parameters
   #
   # Callbacks are invoked with the following block parameters: |user, session, opts|
-  #   user - the user object just loaded
-  #   session - the Authenticate::Session
-  #   opts - any options you want passed into the callback
+  # * user - the user object just loaded
+  # * session - the Authenticate::Session
+  # * opts - any options you want passed into the callback
   #
   # = Example
   #

data/lib/authenticate/user.rb

@@ -4,7 +4,7 @@ require 'authenticate/callbacks/authenticatable'
 
 module Authenticate
 
-  # Required to be included in your configued user class, which is `User` by
+  # Required to be included in your configured user class, which is `User` by
   # default, but can be changed with {Configuration#user_model=}.
   #
   #   class User
@@ -27,6 +27,9 @@ module Authenticate
   # - generate_session_token - generates and sets the Authenticate session token
   # - reset_session_token! - calls generate_session_token and save! immediately
   #
+  # Every user will have these two class methods to normalize email addresses:
+  # - normalize_email(email) - normalize the given email address by downcasing, removing spaces.
+  # - find_by_normalized_email(email) - find a user by his/her normalized email address
   module User
     extend ActiveSupport::Concern
 

data/lib/authenticate/version.rb

@@ -1,3 +1,3 @@
 module Authenticate
-  VERSION = '0.3.0'
+  VERSION = '0.3.1'
 end

data/lib/generators/authenticate/controllers/controllers_generator.rb

@@ -8,7 +8,7 @@ module Authenticate
     class ControllersGenerator < Rails::Generators::Base
       source_root File.expand_path("../../../../..", __FILE__)
 
-      def create_views
+      def create_controllers
         directory 'app/controllers'
       end
 

data/spec/features/password_reset_spec.rb

@@ -67,3 +67,57 @@ end
 def expect_mailer_to_have_no_deliveries
   expect(ActionMailer::Base.deliveries).to be_empty
 end
+
+
+
+
+
+feature 'visitor sets new password' do
+  scenario 'requests password change' do
+    user = given_user_with_password_reset_token
+    visit_password_update_page_for user
+    request_password_change_for user
+    expect_password_is_changed_for user
+    expect_redirect_to_root
+  end
+
+  scenario 'attempts password change with fake password reset token' do
+    user = given_user_with_fake_password_reset_token
+    visit_password_update_page_for user
+    expect_failure_flash
+  end
+end
+
+
+def given_user_with_fake_password_reset_token
+  user = create :user
+  user.password_reset_token = 'big_fake_token'
+  user
+end
+
+def given_user_with_password_reset_token
+  create :user, :with_password_reset_token_and_timestamp
+end
+
+def visit_password_update_page_for user
+  visit edit_users_password_path(user.id, token: user.password_reset_token)
+end
+
+def request_password_change_for user
+  fill_in 'password_reset_password', with: 'new_dumb_password'
+  click_button 'Save this password'
+end
+
+def expect_password_is_changed_for user
+  old_encrypted_password = user.encrypted_password
+  expect(user.reload.encrypted_password).to_not eq old_encrypted_password
+end
+
+def expect_redirect_to_root
+  expect(current_path).to eq Authenticate.configuration.redirect_url
+end
+
+def expect_failure_flash
+  expect(page).to have_content 'Please double check the URL or try submitting the form again.'
+end
+

data/spec/model/configuration_spec.rb

@@ -24,7 +24,7 @@ describe Authenticate::Configuration do
     end
 
     it 'get a param key for a user model' do
-      expect(@conf.user_model_param_key).to eq('gug_profile')
+      expect(@conf.user_model_param_key).to eq(:gug_profile)
     end
 
     describe '#authentication_strategy' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authenticate
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Justin Tomich
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-26 00:00:00.000000000 Z
+date: 2016-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -190,17 +190,11 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/assets/config/authenticate_manifest.js
-- app/assets/images/authenticate/.keep
-- app/assets/javascripts/authenticate/.keep
-- app/assets/stylesheets/authenticate/.keep
 - app/controllers/authenticate/authenticate_controller.rb
 - app/controllers/authenticate/passwords_controller.rb
 - app/controllers/authenticate/sessions_controller.rb
 - app/controllers/authenticate/users_controller.rb
-- app/helpers/.keep
 - app/mailers/authenticate_mailer.rb
-- app/models/.keep
 - app/views/authenticate_mailer/change_password.html.erb
 - app/views/authenticate_mailer/change_password.text.erb
 - app/views/layouts/application.html.erb