authenticate 0.6.1 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2888d491c7df1e767b2bcf58c4581012bb64f56a
-  data.tar.gz: 30548171155bd56462c7326a70e4275d5dde2336
+  metadata.gz: dfcdc32766cdac8613010672395197b51dcbd54b
+  data.tar.gz: 32e9e1af1ef1cae8fd69e2aee5306f74837d51b7
 SHA512:
-  metadata.gz: bd4d8474083ff62f1f677ef8760f13bdfa9c821c8c7eefcf9461ce691d829cca4af8687fd1d8b51a637b19b752eb25ff7eef2383598ddebf69da7f493f2210c8
-  data.tar.gz: 95ef6dffaebefe2cf9e366e099812e625faa5eb0de27b6e549ccef7cd082aaaee876ae45828a4ddc9c49a0e3972e29984134f09ed095ac0c296f1357f225f2c4
+  metadata.gz: b63724b793d9f8c48d98151a1bd9e1722ccb6b1f5201de424e8998c94405835d143550f312d5778e66894e44317acae0b919d4bb2e1bb811651d22d0cc39a10e
+  data.tar.gz: 48ef63f7a896e3a00542908688b3e3dbb15056e6b7f8c3f5ecc4add8fb57abef5d4496919d1c91c36bb45452f5154b3b39b2959e454e4a071b22aa1f71ee5582

data/.travis.yml

@@ -7,16 +7,22 @@ rvm:
   - 2.1.8
   - 2.2.4
   - 2.3.3
+  - 2.4.1
 
 gemfile:
   - gemfiles/4.2.gemfile
   - gemfiles/5.0.gemfile
+  - gemfiles/5.1.gemfile
 
 
 matrix:
   exclude:
     - rvm: 2.1.8
       gemfile: gemfiles/5.0.gemfile
+    - rvm: 2.1.8
+      gemfile: gemfiles/5.1.gemfile
+    - rvm: 2.4.1
+      gemfile: gemfiles/4.2.gemfile
 
 install:
   - "bin/setup"

data/Appraisals

@@ -1,10 +1,16 @@
-appraise "4.2" do
-  gem "rails", "~> 4.2.0"
+if RUBY_VERSION < "2.4.0"
+    appraise "4.2" do
+      gem "rails", "~> 4.2.0"
+    end
 end
 
 if RUBY_VERSION >= "2.2.0"
   appraise "5.0" do
     gem "rails", "~> 5.0.0"
   end
+
+  appraise "5.1" do
+    gem "rails", "~> 5.1"
+  end
 end
 

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Authenticate Changelog
 
+
+## [0.7.0] - May 25, 2017
+
+### API Changes
+- controller#require_authentication is deprecated, use controller#require_login
+- controller#authenticated? is deprecated, use controller#logged_in? 
+- added controller#logged_out?
+ `authenticated?` and `required_authentication` will be removed in a future release.
+
+### Test support
+- Added login_as via middleware for feature/integration/system tests.
+- added rspec helpers for view and controller tests
+- added test-unit helpers for controller/view tests
+
+### Internal changes - will not affect normal apps
+- Session#initialize(request, cookies) is now Session#initialize(request)
+- Session API changes, #authenticated? renamed #logged_in?
+
+[0.7.0]: https://github.com/tomichj/authenticate/compare/v0.6.1...v0.7.0
+
+
 ## [0.6.1] - May 16, 2017
 
 ### Fixed
@@ -31,7 +52,7 @@
 
 
 
-## [0.5.0] - March 26, 2017
+## [0.5.0] - March 26, 2017oh
 
 ### Support for rails 5.1.
 

data/README.md

@@ -23,7 +23,6 @@ Please use [GitHub Issues] to report bugs. You can contact me directly on twitte
 * configuration driven - almost all configuration is performed in the initializer
 
 
-
 ## Implementation Overview
 
 Authenticate:
@@ -71,6 +70,19 @@ You'll need to run the migrations that Authenticate just generated:
 rake db:migrate
 ```
 
+Finally, you need to secure any controllers that require authentication by adding   
+`before_action :require_login`. If your entire app requires authentication, add it to 
+`ApplicationController`:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include Authenticate::Controller
+  before_action :require_login
+  protect_from_forgery with: :exception
+end
+```
+
 
 ## Configure
 
@@ -103,17 +115,16 @@ end
 Configuration parameters are described in detail here: [Configuration](lib/authenticate/configuration.rb)
 
 
-
 ## Use
 
 ### Access Control
 
-Use the `require_authentication` filter to control access to controller actions. To control access to
+Use the `require_login` filter to control access to controller actions. To control access to
 all controller actions, add the filter to your `ApplicationController`, e.g.:
 
 ```ruby
 class ApplicationController < ActionController::Base
-    before_action :require_authentication
+    before_action :require_login
 end
 ```
 
@@ -133,12 +144,12 @@ end
 
 ### Helpers
 
-Use `current_user` and `authenticated?` in controllers, views, and helpers.
+Use `current_user`, `logged_in?`, and `logged_out?` in controllers, views, and helpers.
 
 Example:
 
 ```erb
-<% if authenticated? %>
+<% if logged_in? %>
   <%= current_user.email %>
   <%= link_to "Sign out", sign_out_path %>
 <% else %>
@@ -196,6 +207,7 @@ application for modification.
 To turn off Authenticate's built-in routes:
 
 ```ruby
+# config/initializers/authenticate.rb
 Authenticate.configure do |config|
   config.routes = false
 end
@@ -222,12 +234,12 @@ For example, to customize `Authenticate::SessionController`:
 * subclass the controller:
 
 ```ruby
+# app/controllers/sessions_controller.rb
 class SessionsController < Authenticate::SessionController
   # render sign in screen
   def new
     # ...
   end
-  ...
 end
 ```
 
@@ -239,10 +251,11 @@ Start by dumping a copy of authenticate routes to your `config/routes.rb`:
 $ rails generate authenticate:routes 
 ```
 
-Now update `config/routes.rb` to point to your new controller:
+Now update your routes to point to your new controller:
+
 ```ruby
+# config/routes.rb
 resource :sessions, controller: 'sessions', only: [:create, :new, :destroy]
-  ...
 ```
 
 You can also use the Authenticate controller generator to copy the default controllers and mailer into 
@@ -290,21 +303,24 @@ All flash messages and email lines are stored in i18n translations. You can over
 See [config/locales/authenticate.en.yml](/config/locales/authenticate.en.yml) for the default messages.
 
 
-
 ## Extending Authenticate
 
-Authenticate can be further extended with two mechanisms:
+Authenticate can be extended via two mechanisms:
 
 * user modules: add behavior to the user model
-* callbacks: add behavior during various authentication events, such as login and subsequent hits
+* callbacks: add rules or behavior during various authentication events, such as login and subsequent hits
+
+Most of authenticate's behavior is implemented with a user module and a corresponding callback. User modules add 
+behavior to the user, and the callback uses the user model data to decide an authentication attempt is valid or
+invalid.
 
 
 ### User Modules
 
-Add behavior to your User model for your callbacks to use. You can, of course, incldue behavrio yourself directly
+Add behavior to your User model for your callbacks to use. You can include behavior yourself directly
 in your User class, but you can also use the Authenticate module loading system.
 
-To add a custom module to Authenticate, e.g. `MyUserModule`:
+To add a custom module for Authenticate to load into your User model, e.g. `MyUserModule`:
 
 ```ruby
 Authenticate.configuration do |config|
@@ -315,14 +331,23 @@ end
 
 ### Callbacks
 
-Callbacks can be added to Authenticate. Use `Authenticate.lifecycle.after_set_user` or
-`Authenticate.lifecycle.after_authentication`. See [Lifecycle](lib/authenticate/lifecycle.rb) for full details.
+Callbacks can be added to Authenticate. Callbacks available at these points of the authenticate lifecycle:
+
+- `Authenticate.lifecycle.after_set_user`
+Runs with every hit requiring authentication. This includes both the initial authentication process and
+subsequent to any controller secured by Authenticate. These callbacks run immediately after the User is determined. 
+ 
+- `Authenticate.lifecycle.after_authentication`
+These callbacks run only during the initial authentication process.
 
-Callbacks can `throw(:failure, message)` to signal an authentication/authorization failure. Callbacks can also perform
-actions on the user or session. Callbacks are passed a block at runtime of `|user, session, options|`.
+See [Lifecycle](lib/authenticate/lifecycle.rb) for full details.
 
-Here's an example that counts logins for users. It consists of a module for User, and a callback that is
-set in the `included` block. The callback is then added to the  User module via the Authenticate configuration.
+Callbacks must `throw(:failure, message)` to signal an authentication/authorization failure. Callbacks can also perform
+other actions on the user or session. Callbacks are invoked with `|user, session, options|`.
+
+Here's a simple example that counts logins for users. It consists of a module for User implemented as an 
+`ActiveSupport::Concern`, with a callback that is defined in an `included` block. The module and callback 
+is added to the User module via the Authenticate configuration.
 
 ```ruby
 # app/models/concerns/login_count.rb
@@ -348,15 +373,150 @@ Authenticate.configuration do |config|
 end
 ```
 
+More complex callbacks and modules can be implemented in a separate file(s); in that case, 
+the user module should `require` the callback file to inject it into Authenticate's callback lifecycle.
+
 
 ## Testing
 
-Authenticate has been tested with rails 4.2, other versions to follow.
+### Feature/Integration/System Tests
+
+Authenticate includes middleware which allows tests to directly sign a test user in,
+eliminating the need to visit and submit the sign on form. This can significantly speeds up tests.
+Used by integration, system, feature, etc tests.
+
+Configure your test environment to enable the middleware:
+```ruby
+# config/environments/test.rb
+MyRailsApp::Application.configure do
+  # ...
+  config.middleware.use Authenticate::Testing::IntegrationTestsSignOn
+  # ...
+end
+```
+
+Sign a test user in by passing as=USER_ID in a query parameter:
+```ruby
+visit root_path(as: user)
+```
+
+A feature spec using factory_girl and capybara with the integration sign on middleware might look like this: 
+```ruby
+require 'spec_helper'
+
+feature 'dashboard' do
+  scenario 'logged in user has name on dashboard' do
+    user = create(:user)
+    visit dashboard_path(as: user)
+    expect(page).to have_content user.name
+  end
+end  
+```
+
+
+### Controller Tests
+
+To test controller actions protected by authenticate with `before_action :require_login`, you can
+use Authenticate's test helpers.
+
+For `rspec`, add the following to your `spec/spec_helper.rb` or `spec/rails_helper.rb`:
+
+```ruby
+require 'authenticate/testing/rspec'
+```
+
+For `test-unit`, add the following to your `test/test_helper.rb`.
+
+```ruby
+require 'authenticate/testing/test_unit'
+```
+
+This will give you helper methods:
+
+```ruby
+login_as(user)
+logout
+```
+
+Once you `login_as(user)`, you will satisfy the `require_login` filter. The other `Authenticate::Controller`
+methods will then work: `current_user`, `logged_in?`, `logged_out?`
+
+A controller spec using `factory_girl` and authenticate's controller helpers might look like this:
+```ruby
+require 'spec_helper'
+describe DashboardsController do
+  describe '#show' do
+    it 'shows view' do
+      user = create(:user)
+      login_as(user)
+      get :show
+      expect(response).to be_success
+      expect(response).to render_template 'dashboards/show'
+    end
+  end
+end
+```
+
+Rails 5 built-in test suite's controller tests now extend `ActionDispatch::IntegrationTest`. Use the middleware 
+`IntegrationTestsSignOn` to support sign on. For example:
+```ruby
+require 'test_helper'
+class DashboardsControllerTest < ActionDispatch::IntegrationTest
+  test 'logged in user can GET a dashboard' do
+    user = create(:user)
+    get dashboards_show_path(as: user)
+    assert_response :success
+  end
+end
+```
+
+
+### View Tests
+
+For `rspec`, require `authenticate/testing/rspec` to include view helpers:
+
+```ruby
+login_as(user)
+current_user
+logged_in?
+logged_out?
+```
+
+Once you `login_as(user)`, your view can make use of the other helpers as you'd expect. 
+
+An example view spec using `factory_girl` and authenticate's view helpers:
+```ruby
+require 'spec_helper'
+describe 'dashboards/show', type: :view do
+  it 'displays user name' do
+    user = create(:user)
+    login_as(user)
+    render
+    expect(rendered).to match user.name  # view uses `current_user`
+  end
+end
+```
+
+
+## Additional Documentation
+
+Consult the [Authenticate wiki](https://github.com/tomichj/authenticate/wiki/) for additional documentation.
+
+
+## Versions of Rails Supported
+
+Authenticate is tested with rails 4.2, 5.0, and 5.1.
+
+
+## Changelog
 
+For a summary of changes by version, see the [CHANGELOG.md](/CHANGELOG.md).
 
 
 ## License
 
-This project rocks and uses MIT-LICENSE.
+Authenticate is copyright © 2015 Justin Tomich. It is free software, and may be
+redistributed under the terms specified in the [`LICENSE`] file.
 
+[`LICENSE`]: /LICENSE
 

data/app/controllers/authenticate/passwords_controller.rb

@@ -1,6 +1,7 @@
 # Request password change via an emailed link with a unique token.
 # Thanks to devise and Clearance.
 class Authenticate::PasswordsController < Authenticate::AuthenticateController
+  skip_before_action :require_login, only: [:create, :edit, :new, :update], raise: false
   skip_before_action :require_authentication, only: [:create, :edit, :new, :update], raise: false
   before_action :ensure_existing_user, only: [:edit, :update]
 

data/app/controllers/authenticate/sessions_controller.rb

@@ -3,12 +3,19 @@
 #
 class Authenticate::SessionsController < Authenticate::AuthenticateController
   before_action :redirect_signed_in_users, only: [:new]
+  skip_before_action :require_login, only: [:create, :new, :destroy], raise: false
   skip_before_action :require_authentication, only: [:create, :new, :destroy], raise: false
 
+  #
+  # Render the login screen.
+  #
   def new
     render template: 'sessions/new'
   end
 
+  #
+  # Log the user in, with the provided name and password.
+  #
   def create
     @user = authenticate(params)
     login(@user) do |status|
@@ -21,6 +28,9 @@ class Authenticate::SessionsController < Authenticate::AuthenticateController
     end
   end
 
+  #
+  # Log the user out
+  #
   def destroy
     logout
     redirect_to url_after_destroy
@@ -29,7 +39,7 @@ class Authenticate::SessionsController < Authenticate::AuthenticateController
   private
 
   def redirect_signed_in_users
-    redirect_to url_for_signed_in_users if authenticated?
+    redirect_to url_for_signed_in_users if logged_in?
   end
 
   def url_after_create

data/app/controllers/authenticate/users_controller.rb

@@ -3,6 +3,7 @@
 #
 class Authenticate::UsersController < Authenticate::AuthenticateController
   before_action :redirect_signed_in_users, only: [:create, :new]
+  skip_before_action :require_login, only: [:create, :new], raise: false
   skip_before_action :require_authentication, only: [:create, :new], raise: false
 
   def new
@@ -24,7 +25,7 @@ class Authenticate::UsersController < Authenticate::AuthenticateController
   private
 
   def redirect_signed_in_users
-    redirect_to Authenticate.configuration.redirect_url if authenticated?
+    redirect_to Authenticate.configuration.redirect_url if logged_in?
   end
 
   def url_after_create

data/app/views/layouts/application.html.erb

@@ -6,7 +6,7 @@
 </head>
 <body>
   <div id="header">
-    <% if authenticated? -%>
+    <% if logged_in? -%>
       <%= link_to t(".sign_out"), sign_out_path %>
     <% else -%>
       <%= link_to t(".sign_in"), sign_in_path %>

data/authenticate.gemspec

@@ -29,7 +29,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec-rails', '~> 3.6'
   s.add_development_dependency 'pry', '~> 0.10'
   s.add_development_dependency 'sqlite3', '~> 1.3'
-  s.add_development_dependency 'shoulda-matchers', '~> 2.8'
+  # s.add_development_dependency 'shoulda-matchers', '~> 2.8'
   s.add_development_dependency 'capybara', '~> 2.14'
   s.add_development_dependency 'database_cleaner', '~> 1.5'
   s.add_development_dependency 'timecop', '~> 0.8'

data/gemfiles/5.0.gemfile

@@ -3,6 +3,5 @@
 source "https://rubygems.org"
 
 gem "rails", "~> 5.0.0"
-gem "rails-controller-testing"
 
 gemspec path: "../"

data/gemfiles/5.1.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 5.1"
+
+gemspec path: "../"

data/lib/authenticate.rb

@@ -6,6 +6,7 @@ require 'authenticate/session'
 require 'authenticate/user'
 require 'authenticate/engine'
 require 'authenticate/modules'
+require 'authenticate/testing/integration_tests_sign_on'
 
 # Top level module of authenticate gem.
 module Authenticate

data/lib/authenticate/callbacks/authenticatable.rb

@@ -2,5 +2,5 @@
 #
 # If user failed to authenticate, toss them out.
 Authenticate.lifecycle.after_authentication name: 'authenticatable' do |_user, session, _opts|
-  throw(:failure, I18n.t('callbacks.authenticatable.failure')) unless session && session.authenticated?
+  throw(:failure, I18n.t('callbacks.authenticatable.failure')) unless session && session.logged_in?
 end

data/lib/authenticate/callbacks/brute_force.rb

@@ -2,7 +2,7 @@
 # Runs as a hook after authentication.
 Authenticate.lifecycle.prepend_after_authentication name: 'brute force protection' do |user, session, _options|
   include ActionView::Helpers::DateHelper
-  unless session.authenticated? || Authenticate.configuration.max_consecutive_bad_logins_allowed.nil?
+  unless session.logged_in? || Authenticate.configuration.max_consecutive_bad_logins_allowed.nil?
     user_credentials = User.credentials(session.request.params)
     user ||= User.find_by_credentials(user_credentials)
     if user && user.respond_to?(:register_failed_login!)

data/lib/authenticate/controller.rb

@@ -6,7 +6,7 @@ module Authenticate
   #
   #    class ApplicationController < ActionController::Base
   #       include Authenticate::Controller
-  #       before_action :require_authentication
+  #       before_action :require_login
   #       protect_from_forgery with: :exception
   #     end
   #
@@ -19,15 +19,16 @@ module Authenticate
   # * require_authentication - restrict access to authenticated users, often from ApplicationController
   #
   # Helpers, used anywhere:
-  # * current_user - get the current user from the current Authenticate session.
-  # * authenticated? - has the user been logged in?
+  # * current_user - get the currently logged in user
+  # * logged_in? - is the user logged in?
+  # * logged_out? - is the user not logged in?
   #
   module Controller
     extend ActiveSupport::Concern
     include Debug
 
     included do
-      helper_method :current_user, :authenticated?
+      helper_method :current_user, :logged_in?, :logged_out?, :authenticated?
       attr_writer :authenticate_session
     end
 
@@ -43,7 +44,7 @@ module Authenticate
     def login(user, &block)
       authenticate_session.login user, &block
 
-      if authenticated? && Authenticate.configuration.rotate_csrf_on_sign_in?
+      if logged_in? && Authenticate.configuration.rotate_csrf_on_sign_in?
         session.delete(:_csrf_token)
         form_authenticity_token
       end
@@ -59,25 +60,27 @@ module Authenticate
     #     redirect_to '/', notice: 'You logged out successfully'
     #   end
     def logout
-      authenticate_session.deauthenticate
+      authenticate_session.logout
     end
 
-    # Use this filter as a before_action to restrict controller actions to authenticated users.
-    # Consider using in application_controller to restrict access to all controllers.
+    # Use this filter as a before_action to control access to controller actions,
+    # limiting to logged in users.
+    #
+    # Placing in application_controller will control access to all controllers.
     #
     # Example:
     #
     #   class ApplicationController < ActionController::Base
-    #     before_action :require_authentication
+    #     before_action :require_login
     #
     #     def index
     #       # ...
     #     end
     #   end
     #
-    def require_authentication
-      debug 'Controller::require_authentication'
-      unauthorized unless authenticated?
+    def require_login
+      debug "!!!!!!!!!!!!!!!!!! controller#require_login " # logged_in? #{logged_in?}"
+      unauthorized unless logged_in?
       message = catch(:failure) do
         current_user = authenticate_session.current_user
         Authenticate.lifecycle.run_callbacks(:after_set_user, current_user, authenticate_session, event: :set_user)
@@ -87,14 +90,25 @@ module Authenticate
 
     # Has the user been logged in? Exposed as a helper, can be called from views.
     #
-    #   <% if authenticated? %>
-    #     <%= link_to logout_path, "Sign out" %>
+    #   <% if logged_in? %>
+    #     <%= link_to sign_out_path, "Sign out" %>
     #   <% else %>
-    #     <%= link_to login_path, "Sign in" %>
+    #     <%= link_to sign_in_path, "Sign in" %>
     #   <% end %>
     #
-    def authenticated?
-      authenticate_session.authenticated?
+    def logged_in?
+      debug "!!!!!!!!!!!!!!!!!! controller#logged_in?"
+      authenticate_session.logged_in?
+    end
+
+    # Has the user not logged in? Exposed as a helper, can be called from views.
+    #
+    #   <% if logged_out? %>
+    #     <%= link_to sign_in_path, "Sign in" %>
+    #   <% end %>
+    #
+    def logged_out?
+      !logged_in?
     end
 
     # Get the current user from the current Authenticate session.
@@ -115,11 +129,29 @@ module Authenticate
       is_a?(Authenticate::AuthenticateController)
     end
 
+    # The old API.
+    #
+    # todo: remove in a future version.
+    def require_authentication
+      warn "#{Kernel.caller.first}: [DEPRECATION] " +
+        "'require_authentication' is deprecated and will be removed in a future release. use 'require_login' instead"
+      require_login
+    end
+
+    # The old API.
+    #
+    # todo: remove in a future version.
+    def authenticated?
+      warn "#{Kernel.caller.first}: [DEPRECATION] " +
+             "'authenticated?' is deprecated and will be removed in a future release. Use 'logged_in?' instead."
+      logged_in?
+    end
+
     protected
 
     # User is not authorized, bounce 'em to sign in
     def unauthorized(msg = t('flashes.failure_when_not_signed_in'))
-      authenticate_session.deauthenticate
+      authenticate_session.logout
       respond_to do |format|
         format.any(:js, :json, :xml) { head :unauthorized }
         format.any { redirect_unauthorized(msg) }
@@ -127,13 +159,13 @@ module Authenticate
     end
 
     def redirect_unauthorized(flash_message)
-      store_location
+      store_location!
 
       if flash_message
         flash[:notice] = flash_message # TODO: use locales
       end
 
-      if authenticated?
+      if logged_in?
         redirect_to url_after_denied_access_when_signed_in
       else
         redirect_to url_after_denied_access_when_signed_out
@@ -164,7 +196,7 @@ module Authenticate
     private
 
     # Write location to return to in user's session (normally a cookie).
-    def store_location
+    def store_location!
       if request.get?
         session[:authenticate_return_to] = request.original_fullpath
       end
@@ -179,7 +211,7 @@ module Authenticate
     end
 
     def authenticate_session
-      @authenticate_session ||= Authenticate::Session.new(request, cookies)
+      @authenticate_session ||= Authenticate::Session.new(request)
     end
   end
 end

data/lib/authenticate/session.rb

@@ -8,18 +8,31 @@ module Authenticate
 
     attr_accessor :request
 
-    def initialize(request, cookies)
+    # Initialize an Authenticate session.
+    #
+    # The presence of a session does NOT mean the user is logged in; call #logged_in? to determine login status.
+    def initialize(request)
       @request = request # trackable module accesses request
-      @cookies = cookies
+      @cookies = request.cookie_jar
       @session_token = @cookies[cookie_name]
       debug 'SESSION initialize: @session_token: ' + @session_token.inspect
     end
 
     # Finish user login process, *after* the user has been authenticated.
+    #
     # Called when user creates an account or signs back into the app.
-    # Runs all callbacks checking for any login failure. If a login failure
-    # occurs, user is NOT logged in.
+    # Runs all configured callbacks, checking for login failure.
+    #
+    # If login is successful, @current_user is set and a session token is generated
+    # and returned to the client browser.
+    # If login fails, the user is NOT logged in. No session token is set,
+    # and @current_user will not be set.
+    #
+    # After callbacks are finished, a {LoginStatus} is yielded to the provided block,
+    # if one is provided.
     #
+    # @param [User] user login completed for this user
+    # @yieldparam [Success,Failure] status result of the sign in operation.
     # @return [User]
     def login(user)
       @current_user = user
@@ -45,23 +58,23 @@ module Authenticate
     #
     # @return [User]
     def current_user
-      debug 'session.current_user'
+      debug "session.current_user #{@current_user.inspect}"
       @current_user ||= load_user_from_session_token if @session_token.present?
       @current_user
     end
 
-    # Has this session successfully authenticated?
+    # Has this user successfully logged in?
     #
     # @return [Boolean]
-    def authenticated?
-      debug 'session.authenticated?'
+    def logged_in?
+      debug "session.logged_in? #{current_user.present?}"
       current_user.present?
     end
 
     # Invalidate the session token, unset the current user and remove the cookie.
     #
     # @return [void]
-    def deauthenticate
+    def logout
       # nuke session_token in db
       current_user.reset_session_token! if current_user.present?
 
@@ -72,12 +85,6 @@ module Authenticate
       @cookies.delete cookie_name
     end
 
-    protected
-
-    def user_loaded?
-      !@current_user.present?
-    end
-
     private
 
     def write_cookie

data/lib/authenticate/testing/controller_helpers.rb

@@ -0,0 +1,28 @@
+module Authenticate
+  module Testing
+
+    # Helpers for controller tests/specs.
+    #
+    # Example:
+    #
+    #   describe DashboardsController do
+    #     describe '#show' do
+    #       it 'shows view' do
+    #         user = create(:user)
+    #         login_as(user)
+    #         get :show
+    #         expect(response).to be_success
+    #       end
+    #     end
+    #   end
+    module ControllerHelpers
+      def login_as(user)
+        controller.login(user)
+      end
+
+      def logout
+        controller.logout
+      end
+    end
+  end
+end

data/lib/authenticate/testing/integration_tests_sign_on.rb

@@ -0,0 +1,72 @@
+module Authenticate
+  module Testing
+
+    # Middleware which allows tests to bypass your sign on screen.
+    # Typically used by integration and feature tests, etc.
+    # Speeds up these tests by eliminating the need to visit and
+    # submit the signon form repeatedly.
+    #
+    # Sign a test user in by passing as=USER_ID in a query parameter.
+    # If `User#to_param` is overridden you may pass a block to override
+    # the default user lookup behaviour.
+    #
+    # Configure your application's test environment as follows:
+    #
+    #   # config/environments/test.rb
+    #   MyRailsApp::Application.configure do
+    #     # ...
+    #     config.middleware.use Authenticate::IntegrationTestsSignOn
+    #     # ...
+    #   end
+    #
+    # or if `User#to_param` is overridden (to `username` for example):
+    #
+    #   # config/environments/test.rb
+    #   MyRailsApp::Application.configure do
+    #     # ...
+    #     config.middleware.use Authenticate::IntegrationTestsSignOn do |username|
+    #       User.find_by(username: username)
+    #     end
+    #     # ...
+    #   end
+    #
+    # After configuring your app, usage in an integration tests is simple:
+    #
+    #   user = ... # load user
+    #   visit dashboard_path(as: user)
+    #
+    class IntegrationTestsSignOn
+      def initialize(app, &block)
+        @app = app
+        @block = block
+      end
+
+      def call(env)
+        do_login(env)
+        @app.call(env)
+      end
+
+      private
+
+      def do_login(env)
+        params = Rack::Utils.parse_query(env['QUERY_STRING'])
+        user_param = params['as']
+
+        user = find_user(user_param) if user_param.present?
+        if user.present?
+          user.generate_session_token && user.save if user.session_token.nil?
+          request = Rack::Request.new(env)
+          request.cookies[Authenticate.configuration.cookie_name] = user.session_token
+        end
+      end
+
+      def find_user(user_param)
+        if @block
+          @block.call(user_param)
+        else
+          Authenticate.configuration.user_model_class.find(user_param)
+        end
+      end
+    end
+  end
+end

data/lib/authenticate/testing/rspec.rb

@@ -0,0 +1,10 @@
+require 'authenticate/testing/controller_helpers'
+require 'authenticate/testing/view_helpers'
+
+RSpec.configure do |config|
+  config.include Authenticate::Testing::ControllerHelpers, type: :controller
+  config.include Authenticate::Testing::ViewHelpers, type: :view
+  config.before(:each, type: :view) do
+    view.extend Authenticate::Testing::ViewHelpers::CurrentUser
+  end
+end

data/lib/authenticate/testing/test_unit.rb

@@ -0,0 +1,9 @@
+require 'authenticate/testing/controller_helpers'
+
+# Support for test unit.
+#
+# As of Rails 5, controller tests subclass `ActionDispatch::IntegrationTest` and should use
+# IntegrationTestsSignOn to bypass the sign on screen.
+class ActionController::TestCase
+  include Authenticate::Testing::ControllerHelpers
+end

data/lib/authenticate/testing/view_helpers.rb

@@ -0,0 +1,29 @@
+module Authenticate
+  module Testing
+
+    # Helpers for view tests/specs.
+    #
+    # Use login_as to log in a user for your test case, which allows
+    # `current_user`, `logged_in?` and `logged_out?` to work properly in your test.
+    module ViewHelpers
+
+      # Set the current_user on the view being tested.
+      def login_as(user)
+        view.current_user = user
+      end
+
+      module CurrentUser
+        attr_accessor :current_user
+
+        def logged_in?
+          current_user.present?
+        end
+
+        def logged_out?
+          !logged_in?
+        end
+      end
+
+    end
+  end
+end

data/lib/authenticate/version.rb

@@ -1,3 +1,3 @@
 module Authenticate
-  VERSION = '0.6.1'.freeze
+  VERSION = '0.7.0'.freeze
 end

data/spec/controllers/deprecated_controller_methods_spec.rb

@@ -0,0 +1,58 @@
+require 'spec_helper'
+require 'support/controllers/controller_helpers'
+
+# Matcher that asserts user was denied access.
+RSpec::Matchers.define :deny_access do
+  match do |controller|
+    redirects_to_sign_in?(controller) && sets_flash?(controller)
+  end
+
+  def redirects_to_sign_in?(controller)
+    expect(controller).to redirect_to(controller.sign_in_url)
+  end
+
+  def sets_flash?(controller)
+    controller.flash[:notice].match(/sign in to continue/)
+  end
+end
+
+# A dummy 'secured' controller to test
+class DeprecatedMethodsController < ActionController::Base
+  include Authenticate::Controller
+  before_action :require_authentication, only: :show
+
+  def new
+    head :ok
+  end
+
+  def show
+    head :ok
+  end
+end
+
+describe DeprecatedMethodsController, type: :controller do
+  before do
+    Rails.application.routes.draw do
+      resource :deprecated_methods, only: [:new, :show]
+      get '/sign_in' => 'authenticate/sessions#new', as: 'sign_in'
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  context 'with authenticated user' do
+    before { sign_in }
+
+    it 'warns but allows access to show' do
+      expect { do_get :show }.to output(/deprecated/i).to_stderr
+      expect(subject).to_not deny_access
+    end
+
+    it 'warns on authenticated?' do
+      expect { subject.authenticated? }.to output(/deprecated/i).to_stderr
+      expect(subject.authenticated?).to be_truthy
+    end
+  end
+end

data/spec/controllers/secured_controller_spec.rb

@@ -19,7 +19,7 @@ end
 # A dummy 'secured' controller to test
 class SecuredAppsController < ActionController::Base
   include Authenticate::Controller
-  before_action :require_authentication, only: :show
+  before_action :require_login, only: :show
 
   def new
     head :ok

data/spec/dummy/app/controllers/application_controller.rb

@@ -1,6 +1,7 @@
 class ApplicationController < ActionController::Base
   include Authenticate::Controller
-  before_action :require_authentication
+  # before_action :require_authentication
+  before_action :require_login
 
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.

data/spec/dummy/app/views/layouts/application.html.erb

@@ -9,7 +9,7 @@
 <body>
 
 <div id="header">
-  <% if authenticated? -%>
+  <% if logged_in? -%>
       <%= link_to t(".sign_out"), sign_out_path %>
   <% else -%>
       <%= link_to t(".sign_in"), sign_in_path %>

data/spec/dummy/config/initializers/authenticate.rb

@@ -5,4 +5,5 @@ Authenticate.configure do |config|
   config.bad_login_lockout_period = 10.minutes
   config.reset_password_within = 5.minutes
   config.password_length = 8..128
+  config.debug = true
 end

data/spec/model/session_spec.rb

@@ -4,21 +4,19 @@ describe Authenticate::Session do
   describe 'session token' do
     it 'finds a user from session token' do
       user = create(:user, :with_session_token)
-      request = mock_request
-      cookies = cookies_for user
-      session = Authenticate::Session.new(request, cookies)
+      request = mock_request cookies: session_cookie_for(user)
+      session = Authenticate::Session.new(request)
       expect(session.current_user).to eq user
     end
     it 'nil user without a session token' do
       request = mock_request
       cookies = {}
-      session = Authenticate::Session.new(request, cookies)
+      session = Authenticate::Session.new(request)
       expect(session.current_user).to be_nil
     end
     it 'returns nil with a bogus session token' do
-      request = mock_request
-      cookies = { Authenticate.configuration.cookie_name.freeze.to_sym => 'some made up value' }
-      session = Authenticate::Session.new(request, cookies)
+      request = mock_request cookies: { Authenticate.configuration.cookie_name.freeze.to_sym => 'some made up value' }
+      session = Authenticate::Session.new(request)
       expect(session.current_user).to be_nil
     end
   end
@@ -26,20 +24,20 @@ describe Authenticate::Session do
   describe '#login' do
     it 'sets current_user' do
       user = create(:user)
-      session = Authenticate::Session.new(mock_request, {})
+      session = Authenticate::Session.new(mock_request)
       session.login(user)
       expect(session.current_user).to eq user
     end
     context 'with a block' do
       it 'passes the success status to the block when login succeeds' do
         user = create(:user)
-        session = Authenticate::Session.new(mock_request, {})
+        session = Authenticate::Session.new(mock_request)
         session.login(user) do |status|
           expect(status.success?).to eq true
         end
       end
       it 'passes the failure status to the block when login fails' do
-        session = Authenticate::Session.new(mock_request, {})
+        session = Authenticate::Session.new(mock_request)
         session.login nil do |status|
           expect(status.success?).to eq false
         end
@@ -47,7 +45,7 @@ describe Authenticate::Session do
     end
     context 'with nil argument' do
       it 'assigned current_user to nil' do
-        session = Authenticate::Session.new(mock_request, {})
+        session = Authenticate::Session.new(mock_request)
         session.login nil
         expect(session.current_user).to be_nil
       end
@@ -55,13 +53,12 @@ describe Authenticate::Session do
     context 'modules' do
       it 'runs the callbacks' do
         user = create(:user, :with_session_token, sign_in_count: 0)
-        cookies = { authenticate_session_token: user.session_token }
-        session = Authenticate::Session.new(mock_request, cookies)
+        request = mock_request cookies: { authenticate_session_token: user.session_token }
+        session = Authenticate::Session.new(request)
         expect { session.login(user) }. to change { user.sign_in_count }.by(1)
       end
       it 'fails login if a callback fails' do
-        cookies = {}
-        session = Authenticate::Session.new(mock_request, cookies)
+        session = Authenticate::Session.new(mock_request)
         session.login nil do |status|
           expect(status.success?).to eq false
           expect(status.message).to eq I18n.t('callbacks.authenticatable.failure')
@@ -70,7 +67,3 @@ describe Authenticate::Session do
     end
   end
 end
-
-def cookies_for(user)
-  { Authenticate.configuration.cookie_name.freeze.to_sym => user.session_token }
-end

data/spec/spec_helper.rb

@@ -9,7 +9,7 @@ if ActiveRecord::VERSION::STRING >= '5.0'
 end
 
 require 'rspec/rails'
-require 'shoulda-matchers'
+# require 'shoulda-matchers'
 require 'capybara/rails'
 require 'capybara/rspec'
 require 'database_cleaner'
@@ -23,7 +23,7 @@ DatabaseCleaner.strategy = :truncation
 # Load factory girl factories.
 Dir[File.join(File.dirname(__FILE__), 'factories/**/*.rb')].each { |f| require f }
 
-# Build test database in spec/dummy/db/
+# Build test database in spec/dummy/db. There's probably a better way to do this.
 if defined?(ActiveRecord::Migration.maintain_test_schema!)
   ActiveRecord::Migration.maintain_test_schema! # rails 4.1+
 else
@@ -34,8 +34,6 @@ if ActiveRecord::VERSION::STRING >= '4.2' && ActiveRecord::VERSION::STRING < '5.
   ActiveRecord::Base.raise_in_transactional_callbacks = true
 end
 
-puts 'MAJOR:' + Rails::VERSION::MAJOR.to_s
-
 RSpec.configure do |config|
   config.include FactoryGirl::Syntax::Methods
   config.infer_spec_type_from_file_location!
@@ -57,13 +55,22 @@ RSpec.configure do |config|
   end
 end
 
-def mock_request(params = {})
+#
+# todo - enhance test helpers, put in main project
+#
+def mock_request(params: {}, cookies: {})
   req = double('request')
   allow(req).to receive(:params).and_return(params)
   allow(req).to receive(:remote_ip).and_return('111.111.111.111')
+  allow(req).to receive(:cookie_jar).and_return(cookies)
   req
 end
 
+def session_cookie_for(user)
+  { Authenticate.configuration.cookie_name.freeze.to_sym => user.session_token }
+end
+
+
 #
 # Dumb glue method, deal with rails 4 vs rails 5 get/post methods.
 #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authenticate
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.7.0
 platform: ruby
 authors:
 - Justin Tomich
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-17 00:00:00.000000000 Z
+date: 2017-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -114,20 +114,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: shoulda-matchers
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.8'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
@@ -240,6 +226,7 @@ files:
 - config/routes.rb
 - gemfiles/4.2.gemfile
 - gemfiles/5.0.gemfile
+- gemfiles/5.1.gemfile
 - lib/authenticate.rb
 - lib/authenticate/callbacks/authenticatable.rb
 - lib/authenticate/callbacks/brute_force.rb
@@ -263,6 +250,11 @@ files:
 - lib/authenticate/model/username.rb
 - lib/authenticate/modules.rb
 - lib/authenticate/session.rb
+- lib/authenticate/testing/controller_helpers.rb
+- lib/authenticate/testing/integration_tests_sign_on.rb
+- lib/authenticate/testing/rspec.rb
+- lib/authenticate/testing/test_unit.rb
+- lib/authenticate/testing/view_helpers.rb
 - lib/authenticate/token.rb
 - lib/authenticate/user.rb
 - lib/authenticate/version.rb
@@ -284,6 +276,7 @@ files:
 - lib/generators/authenticate/views/USAGE
 - lib/generators/authenticate/views/views_generator.rb
 - lib/tasks/authenticate_tasks.rake
+- spec/controllers/deprecated_controller_methods_spec.rb
 - spec/controllers/secured_controller_spec.rb
 - spec/dummy/README.rdoc
 - spec/dummy/Rakefile