authgasm 0.10.1 → 0.10.2

data/CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+== 0.10.2 released 2008-10-24
+
+* Added in stretches to the default Sha512 encryption algorithm.
+* Use column_names instead of columns when determining if a column is present.
+* Improved validation callbacks. after_validation should only be run if valid? = true. Also clear errors before the "before_validation" callback.
+
 == 0.10.1 released 2008-10-24
 
 * Sessions now store the "remember token" instead of the id. This is much safer and guarantees all "sessions" that are logged in are logged in with a valid password. This way stale sessions can't be persisted.

data/README.rdoc

@@ -10,7 +10,7 @@ Wouldn't it be nice to keep your app up to date with the latest and greatest sec
 
 What if creating a user session could be as simple as...
 
-  UserSession.create(params[:user])
+  UserSession.create(params[:user_session])
 
 What if your user sessions controller could look just like your other controllers...
 
@@ -33,7 +33,7 @@ What if your user sessions controller could look just like your other controller
     end
   end
 
-Look familiar? If you didn't know any better, you would think UserSession was an ActiveRecord model. I think that's pretty cool. Why is that cool? Because it fits nicely into the RESTful development pattern and its a style we all know and love. Wouldn't this be cool too...
+Look familiar? If you didn't know any better, you would think UserSession was an ActiveRecord model. I think that's pretty cool, because it fits nicely into the RESTful development pattern, a style we all know and love. What about the view...
 
   <%= error_messages_for "user_session" %>
   <% form_for @user_session do |f| %>
@@ -95,7 +95,7 @@ It is important to set your configuration for your session before you set the co
 
 === Ensure proper database fields
 
-The user model needs to have the following columns. The names of these columns can be changed with configuration.
+The user model needs to have the following columns. The names of these columns can be changed with configuration. Better yet, Authgasm tries to guess these names by checking for the existence of common names. See Authgasm::Session::Config::ClassMethods for more details, but chances are you won't have to specify any configuration for your field names.
 
     t.string    :login, :null => false
     t.string    :crypted_password, :null => false
@@ -169,7 +169,7 @@ The errors in Authgasm work JUST LIKE ActiveRecord. In fact, it uses the exact s
 
 == Automatic Session Updating
 
-This is one of my favorite features that I think its pretty cool. It's things like this that make a library great and let you know you are on the right track.
+This is one of my favorite features that I think is pretty cool. It's things like this that make a library great and let you know you are on the right track.
 
 Just to clear up any confusion, Authgasm does not store the plain id in the session. It stores a token. This token changes with the password, this way stale sessions can not be persisted.
 
@@ -244,13 +244,13 @@ I don't necessarily think the current solutions are "wrong", nor am I saying Aut
 
 Generators have their place, and it certainly is not to add authentication to a rails app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
 
-Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators litter your application with code that you get to maintain. You get to make sure it stays up with the latest and greatest security techniques. How fun! Oh, and when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed! Awesome! The cherry on top is the fact that you get to go through every app you've made and apply this update. You don't really have a choice either, because you can't ignore security updates. When ActiveRecord releases an update do you go through it line by line and manually apply it in each one of your apps? No.
+Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators litter your application with code that you get to maintain. You get to make sure it stays up with the latest and greatest security techniques. How fun! Oh, and when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed! Awesome! The cherry on top is the fact that you get to go through every app you've made and apply this update. You don't really have a choice either, because you can't ignore security updates.
 
 Security moves fast, and hackers make sure of this. As a result, it should be easy to update. Doesn't it make sense to leverage a library to handle this functionality for you? This way, when some new security technique is released, or a bug with your authentication system is found, you can fix it with a simple update. Just like everything else in ruby / rails.
 
 === Limited to a single authentication
 
-I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it make the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authgasm. Authgasm can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.
+I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it made the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authgasm. Authgasm can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.
 
 
 Copyright (c) 2008 Ben Johnson of [Binary Logic](http://www.binarylogic.com), released under the MIT license

data/authgasm.gemspec

@@ -1,18 +1,18 @@
 
-# Gem::Specification for Authgasm-0.10.1
+# Gem::Specification for Authgasm-0.10.2
 # Originally generated by Echoe
 
 --- !ruby/object:Gem::Specification 
 name: authgasm
 version: !ruby/object:Gem::Version 
-  version: 0.10.1
+  version: 0.10.2
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
 autorequire: 
 bindir: bin
 
-date: 2008-10-28 00:00:00 -04:00
+date: 2008-10-29 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 

data/lib/authgasm/acts_as_authentic.rb

@@ -7,32 +7,33 @@ module Authgasm
     # = Acts As Authentic
     # Provides and "acts_as" method to include in your models to help with authentication. See method below.
     module ClassMethods
-      # Call this method in your model to add in basic authentication madness:
+      # Call this method in your model to add in basic authentication madness that your authgasm session expects.
       #
-      # 1. Adds various validations for the login field
-      # 2. Adds various validations for the password field
-      # 3. Handles password encryption
-      # 4. Adds usefule methods to dealing with authentication
+      # <b>Please keep in mind</b> that based on your configuration the method names could change. For example, if you pass the option:
+      #
+      #   :password_field => :pass
+      #
+      # The method will not be password=, it will be pass=. Same with valid_password?, it will be valid_pass?, etc.
       #
       # === Methods
       # For example purposes lets assume you have a User model.
       #
       #   Class method name           Description
-      #   User.unique_token           returns unique token generated by your :crypto_provider
       #   User.crypto_provider        The class that you set in your :crypto_provider option
-      #   User.forget_all!            Resets all records so they will not be remembered on their next visit. Basically makes their cookies invalid
+      #   User.forget_all!            Finds all records, loops through them, and calls forget! on each record. This is paginated to save on memory.
+      #   User.unique_token           returns unique token generated by your :crypto_provider
       #
       #   Named Scopes
-      #   User.logged_in              Find all users who are logged in, based on your :logged_in_timeout option
-      #   User.logged_out             Same as above, but logged out
+      #   User.logged_in              Find all users who are logged in, based on your :logged_in_timeout option.
+      #   User.logged_out             Same as above, but logged out.
       #
       #   Isntace method name
-      #   user.password=              Method name based on the :password_field option. This is used to set the password. Pass the *raw* password to this
-      #   user.confirm_password=      Confirms the password, needed to change the password
-      #   user.valid_password?(pass)  Based on the valid of :password_field. Determines if the password passed is valid. The password could be encrypted or raw.
-      #   user.randomize_password!    Basically resets the password to a random password using only letters and numbers
-      #   user.logged_in?             Based on the :logged_in_timeout option. Tells you if the user is logged in or not
-      #   user.forget!                Changes their remember token, making their cookie invalid.
+      #   user.password=              Method name based on the :password_field option. This is used to set the password. Pass the *raw* password to this.
+      #   user.confirm_password=      Confirms the password, needed to change the password.
+      #   user.valid_password?(pass)  Determines if the password passed is valid. The password could be encrypted or raw.
+      #   user.randomize_password!    Basically resets the password to a random password using only letters and numbers.
+      #   user.logged_in?             Based on the :logged_in_timeout option. Tells you if the user is logged in or not.
+      #   user.forget!                Changes their remember token, making their cookie and session invalid. A way to log the user out withouth changing their password.
       #
       # === Options
       # * <tt>session_class:</tt> default: "#{name}Session", the related session class. Used so that you don't have to repeat yourself here. A lot of the configuration will be based off of the configuration values of this class.
@@ -55,15 +56,15 @@ module Authgasm
         options[:login_field_type] ||= options[:login_field] == :email ? :email : :login
         options[:password_field] ||= options[:session_class].password_field
         options[:crypted_password_field] ||=
-          (columns.include?("crypted_password") && :crypted_password) ||
-          (columns.include?("encrypted_password") && :encrypted_password) ||
-          (columns.include?("password_hash") && :password_hash) ||
-          (columns.include?("pw_hash") && :pw_hash) ||
+          (column_names.include?("crypted_password") && :crypted_password) ||
+          (column_names.include?("encrypted_password") && :encrypted_password) ||
+          (column_names.include?("password_hash") && :password_hash) ||
+          (column_names.include?("pw_hash") && :pw_hash) ||
           :crypted_password
         options[:password_salt_field] ||= 
-          (columns.include?("password_salt") && :password_salt) ||
-          (columns.include?("pw_salt") && :pw_salt) ||
-          (columns.include?("salt") && :salt) ||
+          (column_names.include?("password_salt") && :password_salt) ||
+          (column_names.include?("pw_salt") && :pw_salt) ||
+          (column_names.include?("salt") && :salt) ||
           :password_salt
         options[:remember_token_field] ||= options[:session_class].remember_token_field
         options[:logged_in_timeout] ||= 10.minutes
@@ -117,7 +118,7 @@ module Authgasm
             i = 0
             begin
               records = find(:all, :limit => 50, :offset => i)
-              records.each { |record| records.update_attribute(:#{options[:remember_token_field]}, unique_token) }
+              records.each { |record| record.forget! }
               i += 50
             end while !records.blank?
           end
@@ -210,7 +211,7 @@ module Authgasm
             end
             
             def find_my_sessions
-              return if @saving_from_session || !#{options[:session_class]}.activated?
+              return if @saving_from_session || !#{options[:session_class]}.activated? || #{options[:session_ids].inspect}.blank?
               
               @my_sessions = []
               #{options[:session_ids].inspect}.each do |session_id|
@@ -224,7 +225,7 @@ module Authgasm
             end
             
             def update_sessions!
-              return if @saving_from_session || !#{options[:session_class]}.activated?
+              return if @saving_from_session || @my_sessions.blank?
               
               @my_sessions.each do |stale_session|
                 stale_session.unauthorized_record = self

data/lib/authgasm/session/base.rb

@@ -257,51 +257,12 @@ module Authgasm
       
       def valid?
         errors.clear
-        temp_record = unauthorized_record
-        
-        case login_with
-        when :credentials
-          errors.add(login_field, "can not be blank") if send(login_field).blank?
-          errors.add(password_field, "can not be blank") if send("protected_#{password_field}").blank?
-          return false if errors.count > 0
-
-          temp_record = klass.send(find_by_login_method, send(login_field))
-
-          if temp_record.blank?
-            errors.add(login_field, "was not found")
-            return false
-          end
-          
-          unless temp_record.send(verify_password_method, send("protected_#{password_field}"))
-            errors.add(password_field, "is invalid")
-            return false
-          end
-        when :unauthorized_record
-          if temp_record.blank?
-            errors.add_to_base("You can not log in with a blank record.")
-            return false
-          end
-          
-          if temp_record.new_record?
-            errors.add_to_base("You can not login with a new record.") if temp_record.new_record?
-            return false
-          end
-        else
-          errors.add_to_base("You must provide some form of credentials before logging in.")
-          return false
+        temp_record = validate_credentials
+        if errors.empty?
+          @record = temp_record
+          return true
         end
-
-        [:active, :approved, :confirmed].each do |required_status|
-          if temp_record.respond_to?("#{required_status}?") && !temp_record.send("#{required_status}?") 
-            errors.add_to_base("Your account has not been marked as #{required_status}")       
-            return false
-          end
-        end
-        
-        # All is good, lets set the record
-        @record = temp_record
-        
-        true
+        false
       end
       
       def valid_http_auth?
@@ -397,6 +358,51 @@ module Authgasm
         def update_session!
           controller.session[session_key] = record && record.send(remember_token_field)
         end
+        
+        def validate_credentials
+          temp_record = unauthorized_record
+
+          case login_with
+          when :credentials
+            errors.add(login_field, "can not be blank") if send(login_field).blank?
+            errors.add(password_field, "can not be blank") if send("protected_#{password_field}").blank?
+            return if errors.count > 0
+
+            temp_record = klass.send(find_by_login_method, send(login_field))
+
+            if temp_record.blank?
+              errors.add(login_field, "was not found")
+              return
+            end
+
+            unless temp_record.send(verify_password_method, send("protected_#{password_field}"))
+              errors.add(password_field, "is invalid")
+              return
+            end
+          when :unauthorized_record
+            if temp_record.blank?
+              errors.add_to_base("You can not log in with a blank record.")
+              return
+            end
+
+            if temp_record.new_record?
+              errors.add_to_base("You can not login with a new record.") if temp_record.new_record?
+              return
+            end
+          else
+            errors.add_to_base("You must provide some form of credentials before logging in.")
+            return
+          end
+
+          [:active, :approved, :confirmed].each do |required_status|
+            if temp_record.respond_to?("#{required_status}?") && !temp_record.send("#{required_status}?") 
+              errors.add_to_base("Your account has not been marked as #{required_status}")       
+              return
+            end
+          end
+          
+          temp_record
+        end
     end
   end
 end

data/lib/authgasm/session/callbacks.rb

@@ -7,7 +7,7 @@ module Authgasm
       CALLBACKS = %w(before_create after_create before_destroy after_destroy before_save after_save before_update after_update before_validation after_validation)
 
       def self.included(base) #:nodoc:
-        [:destroy, :save, :valid?].each do |method|
+        [:destroy, :save, :valid?, :validate_credentials].each do |method|
           base.send :alias_method_chain, method, :callbacks
         end
 
@@ -41,15 +41,16 @@ module Authgasm
         result
       end
       
-      def valid_with_callbacks? # :nodoc:
-        run_callbacks(:before_validation)
+      def valid_with_callbacks?
         result = valid_without_callbacks?
-        if result
-          run_callbacks(:after_validation)
-          result = errors.empty?
-        end
+        run_callbacks(:after_validation) if result
         result
       end
+      
+      def validate_credentials_with_callbacks # :nodoc:
+        run_callbacks(:before_validation)
+        validate_credentials_without_callbacks
+      end
     end
   end
 end

data/lib/authgasm/session/config.rb

@@ -91,7 +91,7 @@ module Authgasm
         # * <tt>Default:</tt> Guesses based on the model columns, tries login, username, and email. If none are present it defaults to login
         # * <tt>Accepts:</tt> Symbol or String
         def login_field
-          @login_field ||= (klass.columns.include?("login") && :login) || (klass.columns.include?("username") && :username) || (klass.columns.include?("email") && :email) || :login
+          @login_field ||= (klass.column_names.include?("login") && :login) || (klass.column_names.include?("username") && :username) || (klass.column_names.include?("email") && :email) || :login
         end
         attr_writer :login_field
         
@@ -100,7 +100,7 @@ module Authgasm
         # * <tt>Default:</tt> Guesses based on the model columns, tries password and pass. If none are present it defaults to password
         # * <tt>Accepts:</tt> Symbol or String
         def password_field
-          @password_field ||= (klass.columns.include?("password") && :password) || (klass.columns.include?("pass") && :pass) || :password
+          @password_field ||= (klass.column_names.include?("password") && :password) || (klass.column_names.include?("pass") && :pass) || :password
         end
         attr_writer :password_field
         
@@ -126,10 +126,10 @@ module Authgasm
         # * <tt>Accepts:</tt> Symbol or String
         def remember_token_field
           @remember_token_field ||=
-            (klass.columns.include?("remember_token") && :remember_token) ||
-            (klass.columns.include?("remember_key") && :remember_key) ||
-            (klass.columns.include?("cookie_token") && :cookie_token) ||
-            (klass.columns.include?("cookie_key") && :cookie_key) ||
+            (klass.column_names.include?("remember_token") && :remember_token) ||
+            (klass.column_names.include?("remember_key") && :remember_key) ||
+            (klass.column_names.include?("cookie_token") && :cookie_token) ||
+            (klass.column_names.include?("cookie_key") && :cookie_key) ||
             :remember_token
         end
         attr_writer :remember_token_field

data/lib/authgasm/sha512_crypto_provider.rb

@@ -6,8 +6,11 @@ module Authgasm
   #
   # If you are encrypting via a hash just don't include a decrypt method, since hashes can't be decrypted. Authgasm will notice this adjust accordingly.
   class Sha512CryptoProvider
+    STRETCHES = 20
     def self.encrypt(pass)
-      Digest::SHA512.hexdigest(pass)
+      digest = pass
+      STRETCHES.times { digest = Digest::SHA512.hexdigest(digest) }
+      digest
     end
   end
 end

data/lib/authgasm/version.rb

@@ -44,7 +44,7 @@ module Authgasm # :nodoc:
 
     MAJOR = 0
     MINOR = 10
-    TINY  = 1
+    TINY  = 2
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authgasm
 version: !ruby/object:Gem::Version 
-  version: 0.10.1
+  version: 0.10.2
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-10-28 00:00:00 -04:00
+date: 2008-10-29 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency