authgasm 0.10.0 → 0.10.1

data/CHANGELOG.rdoc

@@ -1,3 +1,11 @@
+== 0.10.1 released 2008-10-24
+
+* Sessions now store the "remember token" instead of the id. This is much safer and guarantees all "sessions" that are logged in are logged in with a valid password. This way stale sessions can't be persisted.
+* Bumped security to Sha512 from Sha256.
+* Remove attr_protected call in acts_as_authentic
+* protected_password should use pasword_field configuration value
+* changed magic state "inactive" to "active"
+
 == 0.10.0 released 2008-10-24
 
 * Do not allow instantiation if the session has not been activated with a controller object. Just like ActiveRecord won't let you do anything without a DB connection.

data/Manifest

@@ -8,7 +8,7 @@ lib/authgasm/session/base.rb
 lib/authgasm/session/callbacks.rb
 lib/authgasm/session/config.rb
 lib/authgasm/session/errors.rb
-lib/authgasm/sha256_crypto_provider.rb
+lib/authgasm/sha512_crypto_provider.rb
 lib/authgasm/version.rb
 lib/authgasm.rb
 Manifest

data/README.rdoc

@@ -2,10 +2,12 @@
 
 Authgasm is "rails authentication done right"
 
-The last thing we need is another authentication solution for rails, right? That's what I thought. It was disappointing to find that all of the current solutions were overly complicated, bloated, poorly written, littered my application with code, and were just plain confusing. They felt very Microsoftish. This is not the simple / elegant rails we all fell in love with. It's like some Microsoft .NET engineers decided to dabble in ruby / rails for a day and their project was to write an authentication solution. That's what went through my head when I was trying out all of the current solutions. It's time someone makes a "rails like" authentication solution. So I give you Authgasm...
+The last thing we need is another authentication solution for rails, right? That's what I thought. It was disappointing to find that all of the current solutions were overly complicated, bloated, poorly written, littered my application with code, or were just plain confusing. They felt very Microsoftish. It's like some Microsoft .NET engineers decided to dabble in ruby / rails for a day and their project was to write an authentication solution. This is not the simple / elegant rails we all fell in love with. It's time someone makes a "rails like" authentication solution. So I give you Authgasm...
 
 What if you could have authentication up and running in minutes without having to run a generator? All because it's simple, like everything else in rails.
 
+Wouldn't it be nice to keep your app up to date with the latest and greatest security techniques with a simple update of a plugin?
+
 What if creating a user session could be as simple as...
 
   UserSession.create(params[:user])
@@ -128,9 +130,9 @@ Just like ActiveRecord has "magic" columns, such as: created_at and updated_at.
 Authgasm tries to check the state of the record before creating the session. If your record responds to the following methods and any of them return false, validation will fail:
 
   Method name           Description
+  active?               Is the record marked as active?
   approved?             Has the record been approved?
   confirmed?            Has the record been conirmed?
-  inactive?             Is the record marked as inactive?
   
 What's neat about this is that these are checked upon any type of login. When logging in explicitly, by cookie, session, or basic http auth. So if you mark a user inactive in the middle of their session they wont be logged back in next time they refresh the page. Giving you complete control.
 
@@ -169,7 +171,9 @@ The errors in Authgasm work JUST LIKE ActiveRecord. In fact, it uses the exact s
 
 This is one of my favorite features that I think its pretty cool. It's things like this that make a library great and let you know you are on the right track.
 
-What if a user changes their password? You have to re-log them in with the new password, recreate the session, etc, pain in the ass. Or what if a user creates a new user account? You have to do the same thing. Here's an even better one: what if a user is in the admin area and changes his own password? There might even be another place passwords can change. It shouldn't matter, your code should be written in a way where you don't have to remember to do this.
+Just to clear up any confusion, Authgasm does not store the plain id in the session. It stores a token. This token changes with the password, this way stale sessions can not be persisted.
+
+That being said...What if a user changes their password? You have to re-log them in with the new password, recreate the session, etc, pain in the ass. Or what if a user creates a new user account? You have to do the same thing. Here's an even better one: what if a user is in the admin area and changes his own password? There might even be another place passwords can change. It shouldn't matter, your code should be written in a way where you don't have to remember to do this.
 
 Instead of updating sessions all over the place, doesn't it make sense to do this at a lower level? Like the User model? You're saying "but Ben, models can't mess around with sessions and cookies". True...but Authgasm can, and you can access Authgasm just like a model. I know in most situations it's not good practice to do this but I view this in the same class as sweepers, and feel like it actually is good practice here. User sessions are directly tied to users, they should be connected on the model level.
 
@@ -230,5 +234,23 @@ Interested in how all of this all works? Basically a before_filter is automatica
 
 From there it is pretty simple. When you try to create a new session the record is authenticated and then all of the session / cookie magic is done for you. The sky is the limit.
 
+== What's wrong with the current solutions?
+
+You probably don't care, but I think releasing the millionth authentication solution for a framework that has been around for over 4 years requires a little explanation.
+
+I don't necessarily think the current solutions are "wrong", nor am I saying Authgasm is the answer to our prayers. But the current solutions were pretty disappointing. Especially when the rails community is full of brilliant programmers, and the best we could come up with was the "restful-authentication" plugin. This was just sad, and frankly kind of irritated me. Here's why...
+
+=== Generators are not the answer
+
+Generators have their place, and it certainly is not to add authentication to a rails app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
+
+Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators litter your application with code that you get to maintain. You get to make sure it stays up with the latest and greatest security techniques. How fun! Oh, and when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed! Awesome! The cherry on top is the fact that you get to go through every app you've made and apply this update. You don't really have a choice either, because you can't ignore security updates. When ActiveRecord releases an update do you go through it line by line and manually apply it in each one of your apps? No.
+
+Security moves fast, and hackers make sure of this. As a result, it should be easy to update. Doesn't it make sense to leverage a library to handle this functionality for you? This way, when some new security technique is released, or a bug with your authentication system is found, you can fix it with a simple update. Just like everything else in ruby / rails.
+
+=== Limited to a single authentication
+
+I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it make the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authgasm. Authgasm can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.
+
 
 Copyright (c) 2008 Ben Johnson of [Binary Logic](http://www.binarylogic.com), released under the MIT license

data/authgasm.gemspec

@@ -1,18 +1,18 @@
 
-# Gem::Specification for Authgasm-0.10.0
+# Gem::Specification for Authgasm-0.10.1
 # Originally generated by Echoe
 
 --- !ruby/object:Gem::Specification 
 name: authgasm
 version: !ruby/object:Gem::Version 
-  version: 0.10.0
+  version: 0.10.1
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
 autorequire: 
 bindir: bin
 
-date: 2008-10-27 00:00:00 -04:00
+date: 2008-10-28 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -61,7 +61,7 @@ extra_rdoc_files:
 - lib/authgasm/session/callbacks.rb
 - lib/authgasm/session/config.rb
 - lib/authgasm/session/errors.rb
-- lib/authgasm/sha256_crypto_provider.rb
+- lib/authgasm/sha512_crypto_provider.rb
 - lib/authgasm/version.rb
 - lib/authgasm.rb
 - README.rdoc
@@ -76,7 +76,7 @@ files:
 - lib/authgasm/session/callbacks.rb
 - lib/authgasm/session/config.rb
 - lib/authgasm/session/errors.rb
-- lib/authgasm/sha256_crypto_provider.rb
+- lib/authgasm/sha512_crypto_provider.rb
 - lib/authgasm/version.rb
 - lib/authgasm.rb
 - Manifest

data/lib/authgasm.rb

@@ -3,7 +3,7 @@ require File.dirname(__FILE__) + "/authgasm/version"
 
 require File.dirname(__FILE__) + "/authgasm/controller_adapters/rails_adapter" if defined?(Rails)
 
-require File.dirname(__FILE__) + "/authgasm/sha256_crypto_provider"
+require File.dirname(__FILE__) + "/authgasm/sha512_crypto_provider"
 require File.dirname(__FILE__) + "/authgasm/acts_as_authentic"
 require File.dirname(__FILE__) + "/authgasm/session/active_record_trickery"
 require File.dirname(__FILE__) + "/authgasm/session/callbacks"

data/lib/authgasm/acts_as_authentic.rb

@@ -49,7 +49,7 @@ module Authgasm
       def acts_as_authentic(options = {})
         # Setup default options
         options[:session_class] ||= "#{name}Session".constantize
-        options[:crypto_provider] ||= Sha256CryptoProvider
+        options[:crypto_provider] ||= Sha512CryptoProvider
         options[:crypto_provider_type] ||= options[:crypto_provider].respond_to?(:decrypt) ? :encryption : :hash
         options[:login_field] ||= options[:session_class].login_field
         options[:login_field_type] ||= options[:login_field] == :email ? :email : :login
@@ -84,6 +84,7 @@ module Authgasm
         end
         
         validates_uniqueness_of options[:login_field]
+        validates_uniqueness_of options[:remember_token_field]
         validate :validate_password
         validates_numericality_of :login_count, :only_integer => :true, :greater_than_or_equal_to => 0, :allow_nil => true if column_names.include?("login_count")
         
@@ -93,12 +94,12 @@ module Authgasm
         end
         
         after_create :create_sessions!
+        before_update :find_my_sessions
         after_update :update_sessions!
         
         # Attributes
         attr_writer "confirm_#{options[:password_field]}"
         attr_accessor "tried_to_set_#{options[:password_field]}"
-        attr_protected "tried_to_set_#{options[:password_field]}"
         
         # Class methods
         class_eval <<-"end_eval", __FILE__, __LINE__
@@ -208,18 +209,28 @@ module Authgasm
               #{options[:session_class]}.create(*args)
             end
             
-            def update_sessions!
+            def find_my_sessions
               return if @saving_from_session || !#{options[:session_class]}.activated?
               
+              @my_sessions = []
               #{options[:session_ids].inspect}.each do |session_id|
                 session = #{options[:session_class]}.find(*[session_id].compact)
                 
                 # Ignore if we can't find the session or the session isn't this record
                 next if !session || session.record != self
                 
-                # We know we are logged in and this is our record, update the session
-                session.save
+                @my_sessions << session
+              end
+            end
+            
+            def update_sessions!
+              return if @saving_from_session || !#{options[:session_class]}.activated?
+              
+              @my_sessions.each do |stale_session|
+                stale_session.unauthorized_record = self
+                stale_session.save
               end
+              @my_sessions = nil
             end
             
             def tried_to_set_password?

data/lib/authgasm/session/base.rb

@@ -261,8 +261,8 @@ module Authgasm
         
         case login_with
         when :credentials
-          errors.add(login_field, "can not be blank") if login.blank?
-          errors.add(password_field, "can not be blank") if protected_password.blank?
+          errors.add(login_field, "can not be blank") if send(login_field).blank?
+          errors.add(password_field, "can not be blank") if send("protected_#{password_field}").blank?
           return false if errors.count > 0
 
           temp_record = klass.send(find_by_login_method, send(login_field))
@@ -272,7 +272,7 @@ module Authgasm
             return false
           end
           
-          unless temp_record.send(verify_password_method, protected_password)
+          unless temp_record.send(verify_password_method, send("protected_#{password_field}"))
             errors.add(password_field, "is invalid")
             return false
           end
@@ -291,9 +291,9 @@ module Authgasm
           return false
         end
 
-        [:approved, :confirmed, :inactive].each do |required_status|
+        [:active, :approved, :confirmed].each do |required_status|
           if temp_record.respond_to?("#{required_status}?") && !temp_record.send("#{required_status}?") 
-            errors.add_to_base("Your account has not been #{required_status}")       
+            errors.add_to_base("Your account has not been marked as #{required_status}")       
             return false
           end
         end
@@ -336,7 +336,7 @@ module Authgasm
       
       def valid_session?
         if session_credentials
-          self.unauthorized_record = klass.find_by_id(session_credentials)
+          self.unauthorized_record = klass.send("find_by_#{remember_token_field}", cookie_credentials)
           result = valid?
           if result
             self.new_session = false
@@ -373,6 +373,12 @@ module Authgasm
             end
 
             def #{password_field}; end
+            
+            private
+              # The password should not be accessible publicly. This way forms using form_for don't fill the password with the attempted password. The prevent this we just create this method that is private.
+              def protected_#{password_field}
+                @#{password_field}
+              end
           end_eval
         end
         
@@ -384,17 +390,12 @@ module Authgasm
           self.class.klass_name
         end
         
-        # The password should not be accessible publicly. This way forms using form_for don't fill the password with the attempted password. The prevent this we just create this method that is private.
-        def protected_password
-          @password
-        end
-        
         def session_credentials
           controller.session[session_key]
         end
         
         def update_session!
-          controller.session[session_key] = record && record.id
+          controller.session[session_key] = record && record.send(remember_token_field)
         end
     end
   end

data/lib/authgasm/session/config.rb

@@ -136,10 +136,10 @@ module Authgasm
         
         # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
         #
-        # * <tt>Default:</tt> :#{klass_name.underscore}_id
+        # * <tt>Default:</tt> cookie_key
         # * <tt>Accepts:</tt> Symbol or String
         def session_key
-          @session_key ||= "#{klass_name.underscore}_id".to_sym
+          @session_key ||= cookie_key
         end
         attr_writer :session_key
         

data/lib/authgasm/{sha256_crypto_provider.rb → sha512_crypto_provider.rb}

@@ -1,13 +1,13 @@
 module Authgasm
-  # = Sha256 Crypto Provider
+  # = Sha512 Crypto Provider
   #
   # The acts_as_authentic method allows you to pass a :crypto_provider option. This allows you to use any type of encryption you like. Just create a class with a class level encrypt and decrypt method.
   # The password will be passed as the single parameter to each of these methods so you can do your magic.
   #
   # If you are encrypting via a hash just don't include a decrypt method, since hashes can't be decrypted. Authgasm will notice this adjust accordingly.
-  class Sha256CryptoProvider
+  class Sha512CryptoProvider
     def self.encrypt(pass)
-      Digest::SHA256.hexdigest(pass)
+      Digest::SHA512.hexdigest(pass)
     end
   end
 end

data/lib/authgasm/version.rb

@@ -44,7 +44,7 @@ module Authgasm # :nodoc:
 
     MAJOR = 0
     MINOR = 10
-    TINY  = 0
+    TINY  = 1
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test_app/app/views/layouts/application.html.erb

@@ -10,11 +10,11 @@
 <body>
   
 <% if !@current_user %>
-  <%= link_to "Register", new_user_path %> |
+  <%= link_to "Register", new_account_path %> |
   <%= link_to "Log In", new_user_session_path %>
 <% else %>
   <%= link_to "My Account", account_path %> |
-  <%= link_to "Logout", logout_path, :confirm => "Are you sure you want to logout?" %>
+  <%= link_to "Logout", user_session_path, :method => :delete, :confirm => "Are you sure you want to logout?" %>
 <% end %>
 
 <p style="color: green"><%= flash[:notice] %></p>

data/test_app/app/views/user_sessions/new.html.erb

@@ -2,7 +2,7 @@
 
 <%= error_messages_for "user_session", :header_message => nil %>
 
-<% form_for @user_session do |f| %>
+<% form_for @user_session, :url => user_session_path do |f| %>
   <%= f.label :login %><br />
   <%= f.text_field :login %><br />
   <br />

data/test_app/app/views/users/edit.html.erb

@@ -2,7 +2,7 @@
 
 <%= error_messages_for "user" %>
 
-<% form_for @user do |f| %>
+<% form_for @user, :url => account_path do |f| %>
   <%= render :partial => "form", :object => f %>
   <%= f.submit "Update" %>
 <% end %>

data/test_app/app/views/users/new.html.erb

@@ -2,7 +2,7 @@
 
 <%= error_messages_for "user" %>
 
-<% form_for @user do |f| %>
+<% form_for @user, :url => account_path do |f| %>
   <%= render :partial => "form", :object => f %>
   <%= f.submit "Register" %>
 <% end %>

data/test_app/config/routes.rb

@@ -1,7 +1,5 @@
 ActionController::Routing::Routes.draw do |map|
-  map.resources :users
-  map.resources :user_sessions
+  map.resource :user_session
   map.resource :account, :controller => "users"
-  map.logout "/logout", :controller => "user_sessions", :action => "destroy"
   map.default "/", :controller => "user_sessions", :action => "new"
 end

data/test_app/test/fixtures/users.yml

@@ -2,7 +2,7 @@ ben:
   id: 1
   login: bjohnson
   password_salt: <%= salt = User.unique_token %>
-  crypted_password: <%= Authgasm::Sha256CryptoProvider.encrypt("benrocks" + salt) %>
-  remember_token: 23a1d7c66f456b14b45211aa656ce8ba7052fd220cd2d07a5c323792938f2a14
+  crypted_password: <%= Authgasm::Sha512CryptoProvider.encrypt("benrocks" + salt) %>
+  remember_token: 6cde0674657a8a313ce952df979de2830309aa4c11ca65805dd00bfdc65dbcc2f5e36718660a1d2e68c1a08c276d996763985d2f06fd3d076eb7bc4d97b1e317
   first_name: Ben
   last_name: Johnson

data/test_app/test/functional/user_sessions_controller_test.rb

@@ -14,21 +14,21 @@ class UserSessionsControllerTest < ActionController::TestCase
   
   def test_successful_create
     get :create, {:user_session => {:login => "bjohnson", :password => "benrocks"}}
-    assert_equal 1, session[:user_id]
-    assert_equal ["23a1d7c66f456b14b45211aa656ce8ba7052fd220cd2d07a5c323792938f2a14"], cookies["user_credentials"]
+    assert_equal "6cde0674657a8a313ce952df979de2830309aa4c11ca65805dd00bfdc65dbcc2f5e36718660a1d2e68c1a08c276d996763985d2f06fd3d076eb7bc4d97b1e317", session[:user_credentials]
+    assert_equal ["6cde0674657a8a313ce952df979de2830309aa4c11ca65805dd00bfdc65dbcc2f5e36718660a1d2e68c1a08c276d996763985d2f06fd3d076eb7bc4d97b1e317"], cookies["user_credentials"]
     assert_redirected_to account_url
   end
   
   def test_unsuccessful_create
     get :create, {:user_session => {:login => "bjohnson", :password => "badpassword"}}
-    assert_equal nil, session[:user_id]
+    assert_equal nil, session[:user_credentials]
     assert_equal nil, cookies["user_credentials"]
     assert_template "new"
   end
   
   def test_destroy
     get :destroy
-    assert_equal nil, session[:user_id]
+    assert_equal nil, session[:user_credentials]
     assert_equal nil, cookies["user_credentials"]
     assert_redirected_to new_user_session_url
     assert flash.key?(:notice)

data/test_app/test/integration/user_sesion_stories_test.rb

@@ -10,11 +10,11 @@ class UserSessionStoriesTest < ActionController::IntegrationTest
     assert_template "user_sessions/new"
     
     # Try to register with no info
-    post users_url
+    post account_url
     assert_template "users/new"
     
     # Register successfully
-    post users_url, {:user => {:login => "binarylogic", :password => "pass", :confirm_password => "pass", :first_name => "Ben", :last_name => "Johnson"}}
+    post account_url, {:user => {:login => "binarylogic", :password => "pass", :confirm_password => "pass", :first_name => "Ben", :last_name => "Johnson"}}
     assert_redirected_to account_url
     assert flash.key?(:notice)
     
@@ -41,14 +41,14 @@ class UserSessionStoriesTest < ActionController::IntegrationTest
     assert_template "users/show"
     
     # Try to register after a successful login
-    get new_user_url
+    get new_account_url
     assert_redirected_to account_url
     follow_redirect!
     assert flash.key?(:notice)
     assert_template "users/show"
     
     access_account
-    logout(new_user_url) # before I tried to register, it stored my location
+    logout(new_account_url) # before I tried to register, it stored my location
     
     # Try to access my account again
     get account_url

data/test_app/test/integration/user_session_test.rb

@@ -26,7 +26,7 @@ class UserSessionTest < ActionController::IntegrationTest
   
   def test_find
     assert_equal nil, UserSession.find
-    post user_sessions_url, {:user_session => {:login => "bjohnson", :password => "benrocks"}}
+    login_successfully("bjohnson", "benrocks")
     assert UserSession.find
   end
   

data/test_app/test/test_helper.rb

@@ -46,7 +46,7 @@ class ActionController::IntegrationTest
   
   private
     def login_successfully(login, password)
-      post user_sessions_url, :user_session => {:login => login, :password => password}
+      post user_session_url, :user_session => {:login => login, :password => password}
       assert_redirected_to account_url
       follow_redirect!
       assert_template "users/show"
@@ -54,7 +54,7 @@ class ActionController::IntegrationTest
   
     def login_unsuccessfully(login = nil, password = nil)
       params = (login || password) ? {:user_session => {:login => login, :password => password}} : nil
-      post user_sessions_url, params
+      post user_session_url, params
       assert_template "user_sessions/new"
     end
   
@@ -63,7 +63,7 @@ class ActionController::IntegrationTest
       # Perform multiple requests to make sure the session is persisting properly, just being anal here
       3.times do
         get account_url
-        assert_equal user.id, session["user_id"]
+        assert_equal user.remember_token, session["user_credentials"]
         assert_equal user.remember_token, cookies["user_credentials"]
         assert_response :success
         assert_template "users/show"
@@ -72,12 +72,12 @@ class ActionController::IntegrationTest
   
     def logout(alt_redirect = nil)
       redirecting_to = alt_redirect || new_user_session_url
-      get logout_url
+      delete user_session_url
       assert_redirected_to redirecting_to # because I tried to access registration above, and it stored it
       follow_redirect!
       assert flash.key?(:notice)
-      assert_equal nil, session["user_id"]
+      assert_equal nil, session["user_credentials"]
       assert_equal "", cookies["user_credentials"]
-      assert_template redirecting_to.gsub("http://www.example.com/", "")
+      assert_template redirecting_to.gsub("http://www.example.com/", "").gsub("user_session", "user_sessions").gsub("account", "users")
     end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authgasm
 version: !ruby/object:Gem::Version 
-  version: 0.10.0
+  version: 0.10.1
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-10-27 00:00:00 -04:00
+date: 2008-10-28 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -58,7 +58,7 @@ extra_rdoc_files:
 - lib/authgasm/session/callbacks.rb
 - lib/authgasm/session/config.rb
 - lib/authgasm/session/errors.rb
-- lib/authgasm/sha256_crypto_provider.rb
+- lib/authgasm/sha512_crypto_provider.rb
 - lib/authgasm/version.rb
 - lib/authgasm.rb
 - README.rdoc
@@ -73,7 +73,7 @@ files:
 - lib/authgasm/session/callbacks.rb
 - lib/authgasm/session/config.rb
 - lib/authgasm/session/errors.rb
-- lib/authgasm/sha256_crypto_provider.rb
+- lib/authgasm/sha512_crypto_provider.rb
 - lib/authgasm/version.rb
 - lib/authgasm.rb
 - Manifest