authentication-logic 0.1.0

data/lib/auth/logic/acts_as_authentic/session_maintenance.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      # This is one of my favorite features that I think is pretty cool. It's
+      # things like this that make a library great and let you know you are on the
+      # right track.
+      #
+      # Just to clear up any confusion, Authentication::Logic stores both the record id and
+      # the persistence token in the session. Why? So stale sessions can not be
+      # persisted. It stores the id so it can quickly find the record, and the
+      # persistence token to ensure no sessions are stale. So if the persistence
+      # token changes, the user must log back in.
+      #
+      # Well, the persistence token changes with the password. What happens if the
+      # user changes his own password? He shouldn't have to log back in, he's the
+      # one that made the change.
+      #
+      # That being said, wouldn't it be nice if their session and cookie
+      # information was automatically updated? Instead of cluttering up your
+      # controller with redundant session code. The same thing goes for new
+      # registrations.
+      #
+      # That's what this module is all about. This will automatically maintain the
+      # cookie and session values as records are saved.
+      module SessionMaintenance
+        def self.included(klass)
+          klass.class_eval do
+            extend Config
+            add_acts_as_authentic_module(Methods)
+          end
+        end
+
+        # Configuration for the session maintenance aspect of acts_as_authentic.
+        # These methods become class methods of ::ActiveRecord::Base.
+        module Config
+          # In order to turn off automatic maintenance of sessions
+          # after create, just set this to false.
+          #
+          # * <tt>Default:</tt> true
+          # * <tt>Accepts:</tt> Boolean
+          def log_in_after_create(value = nil)
+            rw_config(:log_in_after_create, value, true)
+          end
+          alias log_in_after_create= log_in_after_create
+
+          # In order to turn off automatic maintenance of sessions when updating
+          # the password, just set this to false.
+          #
+          # * <tt>Default:</tt> true
+          # * <tt>Accepts:</tt> Boolean
+          def log_in_after_password_change(value = nil)
+            rw_config(:log_in_after_password_change, value, true)
+          end
+          alias log_in_after_password_change= log_in_after_password_change
+
+          # As you may know, auth-logic sessions can be separate by id (See
+          # Authentication::Logic::Session::Base#id). You can specify here what session ids
+          # you want auto maintained. By default it is the main session, which has
+          # an id of nil.
+          #
+          # * <tt>Default:</tt> [nil]
+          # * <tt>Accepts:</tt> Array
+          def session_ids(value = nil)
+            rw_config(:session_ids, value, [nil])
+          end
+          alias session_ids= session_ids
+
+          # The name of the associated session class. This is inferred by the name
+          # of the model.
+          #
+          # * <tt>Default:</tt> "#{klass.name}Session".constantize
+          # * <tt>Accepts:</tt> Class
+          def session_class(value = nil)
+            const = begin
+              "#{base_class.name}Session".constantize
+            rescue NameError
+              nil
+            end
+            rw_config(:session_class, value, const)
+          end
+          alias session_class= session_class
+        end
+
+        # This module, as one of the `acts_as_authentic_modules`, is only included
+        # into an ActiveRecord model if that model calls `acts_as_authentic`.
+        module Methods
+          def self.included(klass)
+            klass.class_eval do
+              before_save :get_session_information, if: :update_sessions?
+              before_save :maintain_sessions, if: :update_sessions?
+            end
+          end
+
+          # Save the record and skip session maintenance all together.
+          def save_without_session_maintenance(**options)
+            self.skip_session_maintenance = true
+            result = save(**options)
+            self.skip_session_maintenance = false
+            result
+          end
+
+          private
+
+          def skip_session_maintenance=(value)
+            @skip_session_maintenance = value
+          end
+
+          def skip_session_maintenance
+            @skip_session_maintenance ||= false
+          end
+
+          def update_sessions?
+            !skip_session_maintenance &&
+              session_class &&
+              session_class.activated? &&
+              maintain_session? &&
+              !session_ids.blank? &&
+              will_save_change_to_persistence_token?
+          end
+
+          def maintain_session?
+            log_in_after_create? || log_in_after_password_change?
+          end
+
+          def get_session_information
+            # Need to determine if we are completely logged out, or logged in as
+            # another user.
+            @_sessions = []
+
+            session_ids.each do |session_id|
+              session = session_class.find(session_id, self)
+              @_sessions << session if session&.record
+            end
+          end
+
+          def maintain_sessions
+            if @_sessions.empty?
+              create_session
+            else
+              update_sessions
+            end
+          end
+
+          def create_session
+            # We only want to automatically login into the first session, since
+            # this is the main session. The other sessions are sessions that
+            # need to be created after logging into the main session.
+            session_id = session_ids.first
+            session_class.create(*[self, self, session_id].compact)
+
+            true
+          end
+
+          def update_sessions
+            # We found sessions above, let's update them with the new info
+            @_sessions.each do |stale_session|
+              next if stale_session.record != self
+
+              stale_session.unauthorized_record = self
+              stale_session.save
+            end
+
+            true
+          end
+
+          def session_ids
+            self.class.session_ids
+          end
+
+          def session_class
+            self.class.session_class
+          end
+
+          def log_in_after_create?
+            new_record? && self.class.log_in_after_create
+          end
+
+          def log_in_after_password_change?
+            persisted? &&
+              will_save_change_to_persistence_token? &&
+              self.class.log_in_after_password_change
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/acts_as_authentic/single_access_token.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      # This module is responsible for maintaining the single_access token. For
+      # more information the single access token and how to use it, see "Params"
+      # in `Session::Base`.
+      module SingleAccessToken
+        def self.included(klass)
+          klass.class_eval do
+            extend Config
+            add_acts_as_authentic_module(Methods)
+          end
+        end
+
+        # All configuration for the single_access token aspect of acts_as_authentic.
+        #
+        # These methods become class methods of ::ActiveRecord::Base.
+        module Config
+          # The single access token is used for authentication via URLs, such as a private
+          # feed. That being said, if the user changes their password, that token probably
+          # shouldn't change. If it did, the user would have to update all of their URLs. So
+          # be default this is option is disabled, if you need it, feel free to turn it on.
+          #
+          # * <tt>Default:</tt> false
+          # * <tt>Accepts:</tt> Boolean
+          def change_single_access_token_with_password(value = nil)
+            rw_config(:change_single_access_token_with_password, value, false)
+          end
+          alias change_single_access_token_with_password= change_single_access_token_with_password
+        end
+
+        # All method, for the single_access token aspect of acts_as_authentic.
+        #
+        # This module, as one of the `acts_as_authentic_modules`, is only included
+        # into an ActiveRecord model if that model calls `acts_as_authentic`.
+        module Methods
+          def self.included(klass)
+            return unless klass.column_names.include?("single_access_token")
+
+            klass.class_eval do
+              include InstanceMethods
+              validates_uniqueness_of :single_access_token,
+                                      case_sensitive: true,
+                                      if: :will_save_change_to_single_access_token?
+
+              before_validation :reset_single_access_token, if: :reset_single_access_token?
+              if respond_to?(:after_password_set)
+                after_password_set(
+                  :reset_single_access_token,
+                  if: :change_single_access_token_with_password?
+                )
+              end
+            end
+          end
+
+          # :nodoc:
+          module InstanceMethods
+            # Resets the single_access_token to a random friendly token.
+            def reset_single_access_token
+              self.single_access_token = Authentication::Logic::Random.friendly_token
+            end
+
+            # same as reset_single_access_token, but then saves the record.
+            def reset_single_access_token!
+              reset_single_access_token
+              save_without_session_maintenance
+            end
+
+            protected
+
+            def reset_single_access_token?
+              single_access_token.blank?
+            end
+
+            def change_single_access_token_with_password?
+              self.class.change_single_access_token_with_password == true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/config.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    # Mixed into `Authentication::Logic::ActsAsAuthentic::Base` and
+    # `Authentication::Logic::Session::Base`.
+    module Config
+      E_USE_NORMAL_RAILS_VALIDATION = <<~EOS
+        This Authentication::Logic configuration option (%s) is deprecated. Use normal
+        ActiveRecord validation instead. Detailed instructions:
+        https://github.com/vinccool96/auth-logic/blob/master/doc/use_normal_rails_validation.md
+      EOS
+
+      def self.extended(klass)
+        klass.class_eval do
+          class_attribute :acts_as_authentic_config
+          self.acts_as_authentic_config ||= {}
+        end
+      end
+
+      private
+
+      def deprecate_auth_logic_config(method_name)
+        ::ActiveSupport::Deprecation.warn(
+          format(E_USE_NORMAL_RAILS_VALIDATION, method_name)
+        )
+      end
+
+      # This is a one-liner method to write a config setting, read the config
+      # setting, and also set a default value for the setting.
+      def rw_config(key, value, default_value = nil)
+        if value.nil?
+          acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
+        else
+          self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
+          value
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/controller_adapters/abstract_adapter.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ControllerAdapters # :nodoc:
+      # Allows you to use Authentication::Logic in any framework you want, not just rails. See
+      # the RailsAdapter for an example of how to adapt Authentication::Logic to work with
+      # your framework.
+      class AbstractAdapter
+        E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
+          "implemented by the controller adapter"
+        ENV_SESSION_OPTIONS = "rack.session.options"
+
+        attr_accessor :controller
+
+        def initialize(controller)
+          self.controller = controller
+        end
+
+        def authenticate_with_http_basic
+          @auth = Rack::Auth::Basic::Request.new(controller.request.env)
+          if @auth.provided? && @auth.basic?
+            yield(*@auth.credentials)
+          else
+            false
+          end
+        end
+
+        def cookies
+          controller.cookies
+        end
+
+        def cookie_domain
+          raise NotImplementedError, E_COOKIE_DOMAIN_ADAPTER
+        end
+
+        def params
+          controller.params
+        end
+
+        def request
+          controller.request
+        end
+
+        def request_content_type
+          request.content_type
+        end
+
+        # Inform Rack that we would like a new session ID to be assigned. Changes
+        # the ID, but not the contents of the session.
+        #
+        # The `:renew` option is read by `rack/session/abstract/id.rb`.
+        #
+        # This is how Devise (via warden) implements defense against Session
+        # Fixation. Our implementation is copied directly from the warden gem
+        # (set_user in warden/proxy.rb)
+        def renew_session_id
+          env = request.env
+          options = env[ENV_SESSION_OPTIONS]
+          return unless options
+
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+
+        def session
+          controller.session
+        end
+
+        def responds_to_single_access_allowed?
+          controller.respond_to?(:single_access_allowed?, true)
+        end
+
+        def single_access_allowed?
+          controller.send(:single_access_allowed?)
+        end
+
+        # You can disable the updating of `last_request_at`
+        # on a per-controller basis.
+        #
+        #   # in your controller
+        #   def last_request_update_allowed?
+        #     false
+        #   end
+        #
+        # For example, what if you had a javascript function that polled the
+        # server updating how much time is left in their session before it
+        # times out. Obviously you would want to ignore this request, because
+        # then the user would never time out. So you can do something like
+        # this in your controller:
+        #
+        #   def last_request_update_allowed?
+        #     action_name != "update_session_time_left"
+        #   end
+        #
+        # See `auth/logic/session/magic_columns.rb` to learn more about the
+        # `last_request_at` column itself.
+        def last_request_update_allowed?
+          if controller.respond_to?(:last_request_update_allowed?, true)
+            controller.send(:last_request_update_allowed?)
+          else
+            true
+          end
+        end
+
+        def respond_to_missing?(*args)
+          super(*args) || controller.respond_to?(*args)
+        end
+
+        private
+
+        def method_missing(id, *args, &block)
+          controller.send(id, *args, &block)
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/controller_adapters/rack_adapter.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ControllerAdapters
+      # Adapter for auth-logic to make it function as a Rack middleware.
+      # First you'll have write your own Rack adapter where you have to set your cookie domain.
+      #
+      #     class YourRackAdapter < Authentication::Logic::ControllerAdapters::RackAdapter
+      #       def cookie_domain
+      #         'your_cookie_domain_here.com'
+      #       end
+      #     end
+      #
+      # Next you need to set up a rack middleware like this:
+      #
+      #     class Authentication::LogicMiddleware
+      #       def initialize(app)
+      #         @app = app
+      #       end
+      #
+      #       def call(env)
+      #         YourRackAdapter.new(env)
+      #         @app.call(env)
+      #       end
+      #     end
+      #
+      # And that is all! Now just load this middleware into rack:
+      #
+      #     use Authentication::LogicMiddleware
+      #
+      # Authentication::Logic will expect a User and a UserSession object to be present:
+      #
+      #     class UserSession < Authentication::Logic::Session::Base
+      #       # Authentication::Logic options go here
+      #     end
+      #
+      #     class User < ApplicationRecord
+      #       acts_as_authentic
+      #     end
+      #
+      class RackAdapter < AbstractAdapter
+        def initialize(env)
+          # We use the Rack::Request object as the controller object.
+          # For this to work, we have to add some glue.
+          request = Rack::Request.new(env)
+
+          request.instance_eval do
+            def request
+              self
+            end
+
+            def remote_ip
+              ip
+            end
+          end
+
+          super(request)
+          Authentication::Logic::Session::Base.controller = self
+        end
+
+        # Rack Requests stores cookies with not just the value, but also with
+        # flags and expire information in the hash. Authentication::Logic does not like this,
+        # so we drop everything except the cookie value.
+        def cookies
+          controller
+            .cookies
+            .map { |key, value_hash| { key => value_hash[:value] } }
+            .inject(:merge) || {}
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/controller_adapters/rails_adapter.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ControllerAdapters
+      # Adapts auth-logic to work with rails. The point is to close the gap between
+      # what auth-logic expects and what the rails controller object provides.
+      # Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite,
+      # etc.
+      class RailsAdapter < AbstractAdapter
+        def authenticate_with_http_basic(&block)
+          controller.authenticate_with_http_basic(&block)
+        end
+
+        # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
+        # http://guides.rubyonrails.org/action_controller_overview.html#cookies
+        def cookies
+          controller.respond_to?(:cookies, true) ? controller.send(:cookies) : nil
+        end
+
+        def cookie_domain
+          controller.request.session_options[:domain]
+        end
+
+        def request_content_type
+          request.format.to_s
+        end
+
+        # Lets Authentication::Logic know about the controller object via a before filter, AKA
+        # "activates" auth-logic.
+        module RailsImplementation
+          def self.included(klass) # :nodoc:
+            klass.prepend_before_action :activate_auth_logic
+          end
+
+          private
+
+          def activate_auth_logic
+            Authentication::Logic::Session::Base.controller = RailsAdapter.new(self)
+          end
+        end
+      end
+    end
+  end
+end
+
+ActiveSupport.on_load(:action_controller) do
+  include Authentication::Logic::ControllerAdapters::RailsAdapter::RailsImplementation
+end

data/lib/auth/logic/controller_adapters/sinatra_adapter.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# Authentication::Logic bridge for Sinatra
+module Authentication
+  module Logic
+    module ControllerAdapters
+      module SinatraAdapter
+        # Cookie management functions
+        class Cookies
+          attr_reader :request, :response
+
+          def initialize(request, response)
+            @request = request
+            @response = response
+          end
+
+          def delete(key, options = {})
+            @response.delete_cookie(key, options)
+          end
+
+          def []=(key, options)
+            @response.set_cookie(key, options)
+          end
+
+          def method_missing(meth, *args, &block)
+            @request.cookies.send(meth, *args, &block)
+          end
+        end
+
+        # Thin wrapper around request and response.
+        class Controller
+          attr_reader :request, :response, :cookies
+
+          def initialize(request, response)
+            @request = request
+            @cookies = Cookies.new(request, response)
+          end
+
+          def session
+            env["rack.session"]
+          end
+
+          def method_missing(meth, *args, &block)
+            @request.send meth, *args, &block
+          end
+        end
+
+        # Sinatra controller adapter
+        class Adapter < AbstractAdapter
+          def cookie_domain
+            env["SERVER_NAME"]
+          end
+
+          # Mixed into `Sinatra::Base`
+          module Implementation
+            def self.included(klass)
+              klass.send :before do
+                controller = Controller.new(request, response)
+                Authentication::Logic::Session::Base.controller = Adapter.new(controller)
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Sinatra::Base.include Authentication::Logic::ControllerAdapters::SinatraAdapter::Adapter::Implementation

data/lib/auth/logic/cookie_credentials.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    # Represents the credentials *in* the cookie. The value of the cookie.
+    # This is primarily a data object. It doesn't interact with controllers.
+    # It doesn't know about eg. cookie expiration.
+    #
+    # @api private
+    class CookieCredentials
+      # @api private
+      class ParseError < RuntimeError
+      end
+
+      DELIMITER = "::"
+
+      attr_reader :persistence_token, :record_id, :remember_me_until
+
+      # @api private
+      # @param persistence_token [String]
+      # @param record_id [String, Numeric]
+      # @param remember_me_until [ActiveSupport::TimeWithZone]
+      def initialize(persistence_token, record_id, remember_me_until)
+        @persistence_token = persistence_token
+        @record_id = record_id
+        @remember_me_until = remember_me_until
+      end
+
+      class << self
+        # @api private
+        def parse(string)
+          parts = string.split(DELIMITER)
+          raise ParseError, format("Expected 1..3 parts, got %d", parts.length) unless (1..3).cover?(parts.length)
+
+          new(parts[0], parts[1], parse_time(parts[2]))
+        end
+
+        private
+
+        # @api private
+        def parse_time(string)
+          return if string.nil?
+
+          ::Time.parse(string)
+        rescue ::ArgumentError => e
+          raise ParseError, format("Found cookie, cannot parse remember_me_until: #{e}")
+        end
+      end
+
+      # @api private
+      def remember_me?
+        !@remember_me_until.nil?
+      end
+
+      # @api private
+      def to_s
+        [
+          @persistence_token,
+          @record_id.to_s,
+          @remember_me_until&.iso8601
+        ].compact.join(DELIMITER)
+      end
+    end
+  end
+end