authgasm 0.9.0

data/init.rb

@@ -0,0 +1,2 @@
+require "digest/sha2"
+require "authgasm"

data/lib/authgasm.rb

@@ -0,0 +1,18 @@
+require File.dirname(__FILE__) + "/authgasm/version"
+require File.dirname(__FILE__) + "/authgasm/controller"
+require File.dirname(__FILE__) + "/authgasm/sha256_crypto_provider"
+require File.dirname(__FILE__) + "/authgasm/acts_as_authentic"
+require File.dirname(__FILE__) + "/authgasm/session/active_record_trickery"
+require File.dirname(__FILE__) + "/authgasm/session/callbacks"
+require File.dirname(__FILE__) + "/authgasm/session/config"
+require File.dirname(__FILE__) + "/authgasm/session/errors"
+require File.dirname(__FILE__) + "/authgasm/session/base"
+
+module Authgasm
+  module Session
+    class Base
+      include ActiveRecordTrickery
+      include Callbacks
+    end
+  end
+end

data/lib/authgasm/acts_as_authentic.rb

@@ -0,0 +1,200 @@
+module Authgasm
+  module ActsAsAuthenticated # :nodoc:
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+    
+    # = Acts As Authentic
+    # Provides and "acts_as" method to include in your models to help with authentication. See method below.
+    module ClassMethods
+      # Call this method in your model to add in basic authentication madness:
+      #
+      # 1. Adds various validations for the login field
+      # 2. Adds various validations for the password field
+      # 3. Handles password encryption
+      # 4. Adds usefule methods to dealing with authentication
+      #
+      # === Methods
+      # For example purposes lets assume you have a User model.
+      #
+      #   Class method name           Description
+      #   User.unique_token           returns unique token generated by your :crypto_provider
+      #   User.crypto_provider        The class that you set in your :crypto_provider option
+      #
+      #   Named Scopes
+      #   User.logged_in              Find all users who are logged in, based on your :logged_in_timeout option
+      #   User.logged_out             Same as above, but logged out
+      #
+      #   Isntace method name
+      #   user.password=              Method name based on the :password_field option. This is used to set the password. Pass the *raw* password to this
+      #   user.confirm_password=      Confirms the password, needed to change the password
+      #   user.valid_password?(pass)  Based on the valid of :password_field. Determines if the password passed is valid. The password could be encrypted or raw.
+      #   user.randomize_password!    Basically resets the password to a random password using only letters and numbers
+      #   user.logged_in?             Based on the :logged_in_timeout option. Tells you if the user is logged in or not
+      #
+      # === Options
+      # * <tt>session_class:</tt> default: "#{name}Session", the related session class. Used so that you don't have to repeat yourself here. A lot of the configuration will be based off of the configuration values of this class.
+      # * <tt>crypto_provider:</tt> default: Authgasm::Sha256CryptoProvider, class that provides Sha256 encryption. What ultimately encrypts your password.
+      # * <tt>crypto_provider_type:</tt> default: options[:crypto_provider].respond_to?(:decrypt) ? :encryption : :hash. You can explicitly set this if you wish. Since encryptions and hashes are handled different this is the flag Authgasm uses.
+      # * <tt>login_field:</tt> default: options[:session_class].login_field, the name of the field used for logging in
+      # * <tt>login_field_type:</tt> default: options[:login_field] == :email ? :email : :login, tells authgasm how to validation the field, what regex to use, etc.
+      # * <tt>password_field:</tt> default: options[:session_class].password_field, the name of the field to set the password, *NOT* the field the encrypted password is stored
+      # * <tt>crypted_password_field:</tt> default: depends on which columns are present, checks: crypted_password, encrypted_password, password_hash, pw_hash, if none are present defaults to crypted_password. This is the name of column that your encrypted password is stored.
+      # * <tt>password_salt_field:</tt> default: depends on which columns are present, checks: password_salt, pw_salt, salt, if none are present defaults to password_salt. This is the name of the field your salt is stored, only relevant for a hash crypto provider.
+      # * <tt>remember_token_field:</tt> default: options[:session_class].remember_token_field, the name of the field your remember token is stored. What the cookie stores so the session can be "remembered"
+      # * <tt>logged_in_timeout:</tt> default: 10.minutes, this allows you to specify a time the determines if a user is logged in or out. Useful if you want to count how many users are currently logged in.
+      # * <tt>session_scopes:</tt> default: [nil], the sessions that we want to automatically reset when a user is created or updated so you don't have to worry about this. Set to [] to disable. Should be an array of scopes. See Authgasm::Session::Base#initialize for information on scopes.
+      def acts_as_authentic(options = {})
+        # Setup default options
+        options[:session_class] ||= "#{name}Session".constantize
+        options[:crypto_provider] ||= Sha256CryptoProvider
+        options[:crypto_provider_type] ||= options[:crypto_provider].respond_to?(:decrypt) ? :encryption : :hash
+        options[:login_field] ||= options[:session_class].login_field
+        options[:login_field_type] ||= options[:login_field] == :email ? :email : :login
+        options[:password_field] ||= options[:session_class].password_field
+        options[:crypted_password_field] ||=
+          (columns.include?("crypted_password") && :crypted_password) ||
+          (columns.include?("encrypted_password") && :encrypted_password) ||
+          (columns.include?("password_hash") && :password_hash) ||
+          (columns.include?("pw_hash") && :pw_hash) ||
+          :crypted_password
+        options[:password_salt_field] ||= 
+          (columns.include?("password_salt") && :password_salt) ||
+          (columns.include?("pw_salt") && :pw_salt) ||
+          (columns.include?("salt") && :salt) ||
+          :password_salt
+        options[:remember_token_field] ||= options[:session_class].remember_token_field
+        options[:logged_in_timeout] ||= 10.minutes
+        options[:session_scopes] ||= [nil]
+        
+        # Validations
+        case options[:login_field_type]
+        when :email
+          validates_length_of options[:login_field], :within => 6..100
+          email_name_regex  = '[\w\.%\+\-]+'
+          domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
+          domain_tld_regex  = '(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|jobs|museum)'
+          email_regex       = /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
+          validates_format_of options[:login_field], :with => email_regex, :message => "should look like an email address."
+        else
+          validates_length_of options[:login_field], :within => 2..100
+          validates_format_of options[:login_field], :with => /\A\w[\w\.\-_@]+\z/, :message => "use only letters, numbers, and .-_@ please."
+        end
+        
+        validates_uniqueness_of options[:login_field]
+        validate :validate_password
+        validates_numericality_of :login_count, :only_integer => :true, :greater_than_or_equal_to => 0, :allow_nil => true if column_names.include?("login_count")
+        
+        if column_names.include?("last_click_at")
+          named_scope :logged_in, lambda { {:conditions => ["last_click_at > ?", options[:logged_in_timeout].ago]} }
+          named_scope :logged_out, lambda { {:conditions => ["last_click_at <= ?", options[:logged_in_timeout].ago]} }
+        end
+        
+        after_create :create_sessions!
+        after_create :update_sessions!
+        
+        # Attributes
+        attr_writer "confirm_#{options[:password_field]}"
+        attr_accessor "tried_to_set_#{options[:password_field]}", :saving_from_session
+        
+        # Class methods
+        class_eval <<-"end_eval", __FILE__, __LINE__
+          def self.unique_token
+            crypto_provider.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+          end
+          
+          def self.crypto_provider
+            #{options[:crypto_provider]}
+          end
+        end_eval
+        
+        # Instance methods
+        if column_names.include?("last_click_at")
+          class_eval <<-"end_eval", __FILE__, __LINE__
+            def logged_in?
+              !last_click_at.nil? && last_click_at > #{options[:logged_in_timeout].to_i}.seconds.ago
+            end
+          end_eval
+        end
+        
+        case options[:crypto_provider_type]
+        when :hash
+          class_eval <<-"end_eval", __FILE__, __LINE__
+            def #{options[:password_field]}=(pass)
+              return if pass.blank?
+              self.tried_to_set_#{options[:password_field]} = true
+              @#{options[:password_field]} = pass
+              salt = [Array.new(6) {rand(256).chr}.join].pack("m").chomp
+              self.#{options[:remember_token_field]} = self.class.unique_token
+              self.#{options[:password_salt_field]}, self.#{options[:crypted_password_field]} = salt, crypto_provider.encrypt(@#{options[:password_field]} + salt)
+            end
+            
+            def valid_#{options[:password_field]}?(attempted_password)
+              attempted_password == #{options[:crypted_password_field]} || #{options[:crypted_password_field]} == crypto_provider.encrypt(attempted_password + #{options[:password_salt_field]})
+            end
+          end_eval
+        when :encryption
+          class_eval <<-"end_eval", __FILE__, __LINE__
+            def #{options[:password_field]}=(pass)
+              return if pass.blank?
+              self.tried_to_set_#{options[:password_field]} = true
+              @#{options[:password_field]} = pass
+              self.#{options[:remember_token_field]} = self.class.unique_token
+              self.#{options[:crypted_password_field]} = crypto_provider.encrypt(@#{options[:password_field]})
+            end
+          
+            def valid_#{options[:password_field]}?(attemtped_password)
+              attempted_password == #{options[:crypted_password_field]} || #{options[:crypted_password_field]} = crypto_provider.decrypt(attempted_password)
+            end
+          end_eval
+        end
+        
+        class_eval <<-"end_eval", __FILE__, __LINE__
+          def #{options[:password_field]}; end
+          def confirm_#{options[:password_field]}; end
+          
+          def crypto_provider
+            self.class.crypto_provider
+          end
+          
+          def randomize_#{options[:password_field]}!
+            chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+            newpass = ""
+            1.upto(10) { |i| newpass << chars[rand(chars.size-1)] }
+            self.#{options[:password_field]} = newpass
+            self.confirm_#{options[:password_field]} = newpass
+          end
+          
+          protected
+            def create_sessions!
+              #{options[:session_scopes].inspect}.each { |scope| #{options[:session_class]}.create(self) }
+            end
+            
+            def update_sessions!
+              #{options[:session_scopes].inspect}.each { |scope| #{options[:session_class]}.update(self) }
+            end
+            
+            def saving_from_session?
+              saving_from_session == true
+            end
+            
+            def tried_to_set_password?
+              tried_to_set_password == true
+            end
+            
+            def validate_password
+              if new_record? || tried_to_set_#{options[:password_field]}?
+                if @#{options[:password_field]}.blank?
+                  errors.add(:#{options[:password_field]}, "can not be blank")
+                else
+                  errors.add(:confirm_#{options[:password_field]}, "did not match") if @confirm_#{options[:password_field]} != @#{options[:password_field]}
+                end
+              end
+            end
+        end_eval
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.send(:include, Authgasm::ActsAsAuthenticated)

data/lib/authgasm/controller.rb

@@ -0,0 +1,16 @@
+module Authgasm
+  # = Controller
+  # Adds a before_filter to set the controller object so that Authgasm can do its session and cookie magic
+  module Controller
+    def self.included(klass) # :nodoc:
+      klass.prepend_before_filter :set_controller
+    end
+    
+    private
+      def set_controller
+        Authgasm::Session::Base.controller = self
+      end
+  end
+end
+
+ActionController::Base.send(:include, Authgasm::Controller)

data/lib/authgasm/session/active_record_trickery.rb

@@ -0,0 +1,30 @@
+module Authgasm
+  module Session
+    # = ActiveRecord Trickery
+    #
+    # Authgasm looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here. This is useful for the various rails helper methods such as form_for, error_messages_for, etc.
+    # These helpers exptect various methods to be present. This adds in those methods into Authgasm.
+    module ActiveRecordTrickery
+      def self.included(klass) # :nodoc:
+        klass.extend ClassMethods
+        klass.send(:include, InstanceMethods)
+      end
+      
+      module ClassMethods # :nodoc:
+        def human_attribute_name(attribute_key_name, options = {})
+          attribute_key_name.humanize
+        end
+      end
+      
+      module InstanceMethods # :nodoc:
+        def id
+          nil
+        end
+      
+        def new_record?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/authgasm/session/base.rb

@@ -0,0 +1,365 @@
+module Authgasm
+  module Session # :nodoc:
+    # = Base
+    #
+    # This is the muscle behind Authgasm. For detailed information on how to use this please refer to the README. For detailed method explanations see below.
+    class Base
+      include Config
+      
+      class << self
+        # Returns true if a controller have been set and can be used properly.
+        def activated?
+          !controller.blank?
+        end
+        
+        def controller=(value) # :nodoc:
+          controllers[Thread.current] = value
+        end
+        
+        def controller # :nodoc:
+          controllers[Thread.current]
+        end
+        
+        # A convenince method. The same as:
+        #
+        #   session = UserSession.new
+        #   session.create
+        def create(*args)
+          session = new(*args)
+          session.create
+        end
+        
+        # Same as create but calls create!, which raises an exception when authentication fails
+        def create!(*args)
+          session = new(*args)
+          session.create!
+        end
+        
+        # Finds your session by session, then cookie, and finally basic http auth. Perfect for that global before_filter to find your logged in user:
+        #
+        #   before_filter :load_user
+        #
+        #   def load_user
+        #     @user_session = UserSession.find
+        #     @current_user = @user_session && @user_session.record
+        #   end
+        #
+        # Accepts a single parameter as the scope. See initialize for more information on scopes.
+        def find(scope = nil)
+          args = [scope].compact
+          session = new(*args)
+          return session if session.valid_session? || session.valid_cookie?(true) || session.valid_http_auth?(true)
+          nil
+        end
+        
+        def klass # :nodoc:
+          @klass ||=
+            if klass_name
+              klass_name.constantize
+            else
+              nil
+            end
+        end
+        
+        def klass_name # :nodoc:
+          @klass_name ||= 
+            if guessed_name = name.scan(/(.*)Session/)[0]
+              @klass_name = guessed_name[0]
+            end
+        end
+        
+        # Convenience method. The same as:
+        #
+        #   session = UserSession.new
+        #   session.update
+        def update(*args)
+          session = new(*args)
+          session.update
+        end
+        
+        # The same as update but calls update!, which raises an exception when authentication fails
+        def update!(*args)
+          session = new(*args)
+          session.update!
+        end
+        
+        private
+          def controllers
+            @@controllers ||= {}
+          end
+      end
+    
+      attr_accessor :login_with, :remember_me, :scope
+      attr_reader :record, :unauthorized_record
+    
+      # You can initialize a session by doing any of the following:
+      #
+      #   UserSession.new
+      #   UserSession.new(login, password)
+      #   UserSession.new(:login => login, :password => password)
+      #
+      # If a user has more than one session you need to pass a scope so that Authgasm knows how to differentiate the sessions. The scope MUST be a Symbol.
+      #
+      #   UserSession.new(:my_scope)
+      #   UserSession.new(login, password, :my_scope)
+      #   UserSession.new({:login => loing, :password => password}, :my_scope)
+      #
+      # Scopes are rarely used, but they can be useful. For example, what if users allow other users to login into their account via proxy? Now that user can "technically" be logged into 2 accounts at once.
+      # To solve this just pass a scope called :proxy, or whatever you want. Authgasm will separate everything out.s
+      def initialize(*args)
+        create_configurable_methods!
+        
+        self.scope = args.pop if args.last.is_a?(Symbol)
+        
+        case args.size
+        when 1
+          credentials_or_record = args.first
+          case credentials_or_record
+          when Hash
+            self.credentials = credentials_or_record
+          else
+            self.unauthorized_record = credentials_or_record
+          end
+        else
+          send("#{login_field}=", args[0])
+          send("#{password_field}=", args[1])
+          self.remember_me = args[2]
+        end
+      end
+      
+      # Creates a new user session for you. It does all of the magic:
+      #
+      # 1. validates
+      # 2. sets session
+      # 3. sets cookie
+      # 4. updates magic fields
+      def create(updating = false)
+        if valid?(true)
+          cookies[cookie_key] = {
+            :value => record.send(remember_token_field),
+            :expires => remember_me? ? remember_me_for.from_now : nil
+          }
+          
+          if !updating
+            record.login_count = record.login_count + 1 if record.respond_to?(:login_count)
+          
+            if record.respond_to?(:current_login_at)
+              record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+              record.current_login_at = Time.now
+            end
+          
+            if record.respond_to?(:current_login_ip)
+              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+              record.current_login_ip = controller.request.remote_ip
+            end
+            
+            record.saving_from_session = true
+            record.save(false)
+          end
+          
+          self
+        end
+      end
+      
+      # Same as create but raises an exception when authentication fails
+      def create!(updating = false)
+        raise SessionInvalid.new(self) unless create(updating)
+      end
+      alias_method :start!, :create!
+      
+      # Your login credentials in hash format. Usually {:login => "my login", :password => "<protected>"} depending on your configuration.
+      # Password is protected as a security measure. The raw password should never be publicly accessible.
+      def credentials
+        {login_field => send(login_field), password_field => "<Protected>"}
+      end
+      
+      # Lets you set your loging and password via a hash format.
+      def credentials=(values)
+        values.symbolize_keys!
+        raise(ArgumentError, "Only 2 credentials are allowed: #{login_field} and #{password_field}") if !values.is_a?(Hash) || values.keys.size > 2 || !values.key?(login_field) || !values.key?(password_field)
+        values.each { |field, value| send("#{field}=", value) }
+      end
+      
+      # Resets everything, your errors, record, cookies, and session. Basically "logs out" a user.
+      def destroy
+        errors.clear
+        @record = nil
+        cookies.delete cookie_key
+        session[session_key] = nil
+      end
+      
+      # Errors when authentication fails, just like ActiveRecord errors. In fact it uses the same exact class.
+      def errors
+        @errors ||= Errors.new(self)
+      end
+      
+      def inspect # :nodoc:
+        details = {}
+        case login_with
+        when :unauthorized_record
+          details[:unauthorized_record] = unauthorized_record
+        else
+          details[login_field.to_sym] = send(login_field)
+          details[password_field.to_sym] = "<protected>"
+        end
+        "#<#{self.class.name} #{details.inspect}>"
+      end
+      
+      # Allows users to be remembered via a cookie.
+      def remember_me?
+        remember_me == true || remember_me = "true" || remember_me == "1"
+      end
+      
+      # When to expire the cookie. See remember_me_for configuration option to change this.
+      def remember_me_until
+        remember_me_for.from_now
+      end
+      
+      # Sometimes you don't want to create a session via credentials (login and password). Maybe you already have the record. Just set this record to this and it will be authenticated when you try to validate
+      # the session. Basically this is another form of credentials, you are just skipping username and password validation.
+      def unauthorized_record=(value)
+        self.login_with = :unauthorized_record
+        @unauthorized_record = value
+      end
+      
+      # Updates the session with any new information. Resets the session and cookie.
+      def update
+        create(true)
+      end
+      
+      # Same as update but raises an exception if validation is failed
+      def update!
+        create!(true)
+      end
+      
+      def valid?(set_session = false)
+        errors.clear
+        temp_record = unauthorized_record
+        
+        if login_with == :credentials
+          errors.add(login_field, "can not be blank") if login.blank?
+          errors.add(password_field, "can not be blank") if protected_password.blank?
+          return false if errors.count > 0
+
+          temp_record = klass.send(find_by_login_method, send(login_field))
+
+          if temp_record.blank?
+            errors.add(login_field, "was not found")
+            return false
+          end
+          
+          unless temp_record.send(verify_password_method, protected_password)
+            errors.add(password_field, "is invalid")
+            return false
+          end
+        end
+
+        [:approved, :confirmed, :inactive].each do |required_status|
+          if temp_record.respond_to?("#{required_status}?") && !temp_record.send("#{required_status}?") 
+            errors.add_to_base("Your account has not been #{required_status}")       
+            return false
+          end
+        end
+        
+        # All is good, lets set the record
+        @record = temp_record
+        
+        # Now lets set the session to make things easier on successive requests. This is nice when logging in from a cookie, the next requests will be right from the session, which is quicker.
+        if set_session
+          session[session_key] = record.id
+          if record.class.column_names.include?("last_click_at")
+            record.last_click_at = Time.now
+            record.saving_from_session = true
+            record.save(false)
+          end
+        end
+        
+        true
+      end
+      
+      def valid_http_auth?(set_session = false)
+        controller.authenticate_with_http_basic do |login, password|
+          if !login.blank? && !password.blank?
+            send("#{login_method}=", login)
+            send("#{password_method}=", password)
+            return valid?(set_session)
+          end
+        end
+        
+        false
+      end
+      
+      def valid_cookie?(set_session = false)
+        if cookie_credentials
+          self.unauthorized_record = klass.send("find_by_#{remember_token_field}", cookie_credentials)
+          valid?(set_session)
+        end
+        
+        false
+      end
+      
+      def valid_session?
+        if session_credentials
+          self.unauthorized_record = klass.find_by_id(session_credentials)
+          return valid?
+        end
+        
+        false
+      end
+      
+      private
+        def controller
+          self.class.controller
+        end
+        
+        def cookies
+          controller.send(:cookies)
+        end
+        
+        def cookie_credentials
+          cookies[cookie_key]
+        end
+        
+        def create_configurable_methods!
+          return if respond_to?(login_field) # already created these methods
+          
+          self.class.class_eval <<-"end_eval", __FILE__, __LINE__
+            attr_reader :#{login_field}
+            
+            def #{login_field}=(value)
+              self.login_with = :credentials
+              @#{login_field} = value
+            end
+            
+            def #{password_field}=(value)
+              self.login_with = :credentials
+              @#{password_field} = value
+            end
+
+            def #{password_field}; end
+          end_eval
+        end
+        
+        def klass
+          self.class.klass
+        end
+      
+        def klass_name
+          self.class.klass_name
+        end
+        
+        # The password should not be accessible publicly. This way forms using form_for don't fill the password with the attempted password. The prevent this we just create this method that is private.
+        def protected_password
+          @password
+        end
+        
+        def session
+          controller.session
+        end
+        
+        def session_credentials
+          session[session_key]
+        end
+    end
+  end
+end