RubyGems - authie - Versions diffs - 3.4.0 → 4.0.0.rc2 - Mend

authie 3.4.0 → 4.0.0.rc2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/authie/config.rb +18 -31
data/lib/authie/controller_delegate.rb +56 -26
data/lib/authie/controller_extension.rb +13 -36
data/lib/authie/event_manager.rb +2 -0
data/lib/authie/session.rb +231 -279
data/lib/authie/session_model.rb +141 -0
data/lib/authie/user.rb +1 -1
data/lib/authie/version.rb +6 -1
metadata +214 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3bbd79539a591d214d378e2f70f91ffb144fd6c0dfb31c36a4c0ea3d86bf1a5
-  data.tar.gz: 2ba2f38bc671db30ccbde3a6eda511aa642d7d9191dbb2d4311c890ff720249c
+  metadata.gz: d5347676808e3554dde1670a91c8402ed166be59767298dfea961a9020659843
+  data.tar.gz: 03ee0e9cc60e7ae24a9e83c7a6ead5d72ebec109ef558898395d476014843a65
 SHA512:
-  metadata.gz: 9b325154016b3844263b77a71c484158ee256ab1ff4a67b77f670d167beff464805ab4b8a654931205124389c612a22723133f46f5b0123b9ad7102343c96b50
-  data.tar.gz: 9925f9aec3113b474b2a857676c163f570531fa5a5958d272a715fd448b7b5d2de8a1698ca23547023d8d01614009ca04035c11fc9d98ced2f83a1a228b2eaf9
+  metadata.gz: 219676dee96408c5cb85432ab4d919967415b9e575cb9681c4b4a9d210f041213af2a841a63ebdd4c88d9a8d3856f4ab306ddfd5e4947dee6e3d3654de8538b0
+  data.tar.gz: 7dd321dd2d407fd73b89ea6e1894d60362ac7e4fd792d0d74ea9e2cc5178b30eebd8d42ab3bf7baa356bc3d6f161d6809e0c545d9430d6db3267e8dfbda87190

data/lib/authie/config.rb CHANGED Viewed

@@ -4,42 +4,29 @@ require 'authie/event_manager'
 module Authie
   class Config
-    def initialize
-      @callbacks = {}
-    end
-    def session_inactivity_timeout
-      @session_inactivity_timeout || 12.hours
-    end
-    attr_writer :session_inactivity_timeout, :persistent_session_length, :sudo_session_timeout, :browser_id_cookie_name
-    def persistent_session_length
-      @persistent_session_length || 2.months
-    end
-    def sudo_session_timeout
-      @sudo_session_timeout || 10.minutes
-    end
+    attr_accessor :session_inactivity_timeout
+    attr_accessor :persistent_session_length
+    attr_accessor :sudo_session_timeout
+    attr_accessor :browser_id_cookie_name
+    attr_accessor :events
-    def user_relationship_options
-      @user_relationship_options ||= {}
+    def initialize
+      @session_inactivity_timeout = 12.hours
+      @persistent_session_length = 2.months
+      @sudo_session_timeout = 10.minutes
+      @browser_id_cookie_name = :browser_id
+      @events = EventManager.new
     end
+  end
-    def browser_id_cookie_name
-      @browser_id_cookie_name || :browser_id
+  class << self
+    def config
+      @config ||= Config.new
     end
-    def events
-      @events ||= EventManager.new
+    def configure(&block)
+      block.call(config)
+      config
     end
   end
-  def self.config
-    @config ||= Config.new
-  end
-  def self.configure(&block)
-    block.call(config)
-    config
-  end
 end

data/lib/authie/controller_delegate.rb CHANGED Viewed

@@ -2,18 +2,28 @@
 require 'securerandom'
 require 'authie/session'
+require 'authie/config'
+require 'authie/session_model'
 module Authie
+  # The controller delegate implements methods that can be used by a controller. These are then
+  # extended into controllers as needed (see ControllerExtension).
   class ControllerDelegate
+    # @param controller [ActionController::Base]
+    # @return [Authie::ControllerDelegate]
     def initialize(controller)
       @controller = controller
     end
-    # Set a random browser ID for this browser.
+    # Sets a browser ID. This must be performed on any page request where AUthie will be used.
+    # It should be triggered before any other Authie provided methods. This will ensure that
+    # the given browser ID is unique.
+    #
+    # @return [String] the generated browser ID
     def set_browser_id
       until cookies[Authie.config.browser_id_cookie_name]
         proposed_browser_id = SecureRandom.uuid
-        next if Authie::Session.where(browser_id: proposed_browser_id).exists?
+        next if Authie::SessionModel.where(browser_id: proposed_browser_id).exists?
         cookies[Authie.config.browser_id_cookie_name] = {
           value: proposed_browser_id,
@@ -21,61 +31,81 @@ module Authie
           httponly: true,
           secure: @controller.request.ssl?
         }
-        # Dispatch an event when the browser ID is set.
         Authie.config.events.dispatch(:set_browser_id, proposed_browser_id)
       end
+      proposed_browser_id
     end
-    # Touch the auth session on each request if logged in
+    # Touch the session on each request to ensure that it is validated and all last activity
+    # information is updated. This will return the session if one has been touched otherwise
+    # it will reteurn false if there is no session/not logged in. It is safe to run this on
+    # all requests even if there is no session.
+    #
+    # @return [Authie::Session, false]
     def touch_auth_session
-      auth_session.touch! if logged_in?
+      return auth_session.touch if logged_in?
+      false
     end
-    # Return the currently logged in user object
+    # Return the user for the currently logged in user or nil if no user is logged in
+    #
+    # @return [ActiveRecord::Base, nil]
     def current_user
-      logged_in? ? auth_session.user : nil
-    end
+      return nil unless logged_in?
-    # Set the currently logged in user
-    def current_user=(user)
-      create_auth_session(user)
+      auth_session.session.user
     end
-    # Create a new session for the given user
+    # Create a new session for the given user. If nil is provided as a user, the existing session
+    # will be invalidated.
+    #
+    # @return [Authie::Session, nil]
     def create_auth_session(user)
       if user
         @auth_session = Authie::Session.start(@controller, user: user)
-      else
-        auth_session.invalidate! if logged_in?
-        @auth_session = :none
+        return @auth_session
       end
+      invalidate_auth_session
+      nil
     end
-    # Invalidate an existing auth session
+    # Invalidate the existing auth session if one exists. Return true if a sesion has been invalidated
+    # otherwise return false.
+    #
+    # @return [Boolean]
     def invalidate_auth_session
       if logged_in?
-        auth_session.invalidate!
-        @auth_session = :none
-        true
-      else
-        false
+        auth_session.invalidate
+        @auth_session = nil
+        return true
       end
+      false
     end
-    # Is anyone currently logged in?
+    # Is anyone currently logged in? Return true if there is an auth session present.
+    #
+    # Note: this does not check the validatity of the session. You must always ensure that the `validate`
+    # or `touch` method is invoked to ensure that the session that has been found is active.
+    #
+    # @return [Boolean]
     def logged_in?
       auth_session.is_a?(Session)
     end
-    # Return the currently logged in user session
+    # Return an auth session that has been found in the current cookies.
+    #
+    # @return [Authie::Session]
     def auth_session
-      @auth_session ||= Authie::Session.get_session(@controller)
-      @auth_session == :none ? nil : @auth_session
+      return @auth_session if instance_variable_defined?('@auth_session')
+      @auth_session = Authie::Session.get_session(@controller)
     end
     private
-    # Return cookies for the controller
     def cookies
       @controller.send(:cookies)
     end

data/lib/authie/controller_extension.rb CHANGED Viewed

@@ -4,10 +4,19 @@ require 'authie/controller_delegate'
 module Authie
   module ControllerExtension
-    def self.included(base)
-      base.helper_method :logged_in?, :current_user, :auth_session
-      before_action_method = base.respond_to?(:before_action) ? :before_action : :before_filter
-      base.public_send(before_action_method, :set_browser_id, :touch_auth_session)
+    class << self
+      def included(base)
+        base.helper_method :logged_in?, :current_user, :auth_session
+        base.before_action :set_browser_id, :touch_auth_session
+        base.delegate :set_browser_id, to: :auth_session_delegate
+        base.delegate :touch_auth_session, to: :auth_session_delegate
+        base.delegate :current_user, to: :auth_session_delegate
+        base.delegate :create_auth_session, to: :auth_session_delegate
+        base.delegate :invalidate_auth_session, to: :auth_session_delegate
+        base.delegate :logged_in?, to: :auth_session_delegate
+        base.delegate :auth_session, to: :auth_session_delegate
+      end
     end
     private
@@ -15,37 +24,5 @@ module Authie
     def auth_session_delegate
       @auth_session_delegate ||= Authie::ControllerDelegate.new(self)
     end
-    def set_browser_id
-      auth_session_delegate.set_browser_id
-    end
-    def touch_auth_session
-      auth_session_delegate.touch_auth_session
-    end
-    def current_user
-      auth_session_delegate.current_user
-    end
-    def current_user=(user)
-      auth_session_delegate.current_user = user
-    end
-    def create_auth_session(user)
-      auth_session_delegate.create_auth_session(user)
-    end
-    def invalidate_auth_session
-      auth_session_delegate.invalidate_auth_session
-    end
-    def logged_in?
-      auth_session_delegate.logged_in?
-    end
-    def auth_session
-      auth_session_delegate.auth_session
-    end
   end
 end

data/lib/authie/event_manager.rb CHANGED Viewed

@@ -2,6 +2,8 @@
 module Authie
   class EventManager
+    attr_reader :callbacks
     def initialize
       @callbacks = {}
     end

data/lib/authie/session.rb CHANGED Viewed

@@ -1,338 +1,290 @@
 # frozen_string_literal: true
-require 'secure_random_string'
+require 'authie/session_model'
+require 'authie/error'
+require 'authie/config'
+require 'active_support/core_ext/module/delegation'
 module Authie
-  class Session < ActiveRecord::Base
-    # Errors which will be raised when there's an issue with a session's
-    # validity in the request.
+  class Session
+    # The underlying session model instance
+    #
+    # @return [Authie::SessionModel]
+    attr_reader :session
+    # A parent class that encapsulates all session validity errors.
     class ValidityError < Error; end
+    # Raised when a session is used but it is no longer active
     class InactiveSession < ValidityError; end
+    # Raised when a session is used but it has expired
     class ExpiredSession < ValidityError; end
+    # Raised when a session is used but the browser ID does not match
     class BrowserMismatch < ValidityError; end
+    # Raised when a session is used but the hostname does not match
+    # the session hostname
     class HostMismatch < ValidityError; end
-    class NoParentSessionForRevert < Error; end
-    # Set table name
-    self.table_name = 'authie_sessions'
-    # Relationships
-    parent_options = { class_name: 'Authie::Session' }
-    parent_options[:optional] = true if ActiveRecord::VERSION::MAJOR >= 5
-    belongs_to :parent, **parent_options
-    # Scopes
-    scope :active, -> { where(active: true) }
-    scope :asc, -> { order(last_activity_at: :desc) }
-    scope :for_user, ->(user) { where(user_type: user.class.name, user_id: user.id) }
-    # Attributes
-    serialize :data, Hash
-    attr_accessor :controller, :temporary_token
-    before_validation do
-      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
-      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
-    end
-    before_create do
-      self.temporary_token = SecureRandomString.new(44)
-      self.token_hash = self.class.hash_token(temporary_token)
-      if controller
-        self.user_agent = controller.request.user_agent
-        set_cookie!
-      end
-    end
-    before_destroy do
-      cookies.delete(:user_session) if controller
-    end
-    # Return the user that
-    def user
-      return unless user_id && user_type
-      @user ||= user_type.constantize.find_by(id: user_id) || :none
-      @user == :none ? nil : @user
+    # Initialize a new session object
+    #
+    # @param controller [ActionController::Base] any controller
+    # @param session [Authie::SessionModel] an Authie session model instance
+    # @return [Authie::Session]
+    def initialize(controller, session)
+      @controller = controller
+      @session = session
+    end
+    # Validate that the session is valid and raise and error if not
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @return [Authie::Session]
+    def validate
+      validate_browser_id
+      validate_active
+      validate_expiry
+      validate_inactivity
+      validate_host
+      self
+    end
+    # Mark the current session as persistent. Will set the expiry time of the underlying
+    # session and update the cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def persist
+      @session.expires_at = Authie.config.persistent_session_length.from_now
+      @session.save!
+      set_cookie
+      self
+    end
+    # Invalidates the current session by marking it inactive and removing the current cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def invalidate
+      @session.invalidate!
+      cookies.delete(:user_session)
+      self
+    end
+    # Touches the current session to ensure it is currently valid and to update attributes
+    # which should be updatd on each request. This will raise the same errors as the #validate
+    # method. It will set the last activity time, IP and path as well as incrementing
+    # the request counter.
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def touch
+      validate
+      @session.last_activity_at = Time.now
+      @session.last_activity_ip = @controller.request.ip
+      @session.last_activity_path = @controller.request.path
+      @session.requests += 1
+      @session.save!
+      Authie.config.events.dispatch(:session_touched, self)
+      self
     end
-    # Set the user
-    def user=(user)
-      if user
-        self.user_type = user.class.name
-        self.user_id = user.id
-      else
-        self.user_type = nil
-        self.user_id = nil
-      end
+    # Mark the session's password as seen at the current time
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def see_password
+      @session.password_seen_at = Time.now
+      @session.save!
+      Authie.config.events.dispatch(:seen_password, self)
+      self
+    end
+    # Mark this request as two factored by setting the time and the current
+    # IP address.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def mark_as_two_factored
+      @session.two_factored_at = Time.now
+      @session.two_factored_ip = @controller.request.ip
+      @session.save!
+      Authie.config.events.dispatch(:marked_as_two_factor, self)
+      self
+    end
+    # Starts a new session by setting the cookie. This should be invoked whenever
+    # a new session begins. It usually does not need to be called directly as it
+    # will be taken care of by the class-level start method.
+    #
+    # @return [Authie::Session]
+    def start
+      set_cookie
+      Authie.config.events.dispatch(:start_session, session)
+      self
     end
-    # This method should be called each time a user performs an
-    # action while authenticated with this session.
-    def touch!
-      check_security!
-      self.last_activity_at = Time.now
-      self.last_activity_ip = controller.request.ip
-      self.last_activity_path = controller.request.path
-      self.requests += 1
-      save!
-      Authie.config.events.dispatch(:session_touched, self)
-      true
-    end
+    private
-    # Sets the cookie on the associated controller.
     # rubocop:disable Naming/AccessorMethodName
-    def set_cookie!(value = temporary_token)
+    def set_cookie(value = @session.temporary_token)
       cookies[:user_session] = {
         value: value,
-        secure: controller.request.ssl?,
+        secure: @controller.request.ssl?,
         httponly: true,
-        expires: expires_at
+        expires: @session.expires_at
       }
       Authie.config.events.dispatch(:session_cookie_updated, self)
       true
     end
     # rubocop:enable Naming/AccessorMethodName
-    # Sets the cookie for the parent session on the associated controller.
-    def set_parent_cookie!
-      cookies[:parent_user_session] = {
-        value: cookies[:user_session],
-        secure: controller.request.ssl?,
-        httponly: true,
-        expires: expires_at
-      }
-      Authie.config.events.dispatch(:parent_session_cookie_updated, self)
-      true
+    def cookies
+      @controller.send(:cookies)
     end
-    # Check the security of the session to ensure it can be used.
-    def check_security!
-      raise Authie::Error, 'Cannot check security without a controller' unless controller
-      if cookies[:browser_id] != browser_id
-        invalidate!
+    def validate_browser_id
+      if cookies[:browser_id] != @session.browser_id
+        invalidate
         Authie.config.events.dispatch(:browser_id_mismatch_error, self)
         raise BrowserMismatch, 'Browser ID mismatch'
       end
-      unless active?
-        invalidate!
+      self
+    end
+    def validate_active
+      unless @session.active?
+        invalidate
         Authie.config.events.dispatch(:invalid_session_error, self)
         raise InactiveSession, 'Session is no longer active'
       end
-      if expired?
-        invalidate!
+      self
+    end
+    def validate_expiry
+      if @session.expired?
+        invalidate
         Authie.config.events.dispatch(:expired_session_error, self)
         raise ExpiredSession, 'Persistent session has expired'
       end
-      if inactive?
-        invalidate!
+      self
+    end
+    def validate_inactivity
+      if @session.inactive?
+        invalidate
         Authie.config.events.dispatch(:inactive_session_error, self)
         raise InactiveSession, 'Non-persistent session has expired'
       end
-      if host && host != controller.request.host
-        invalidate!
-        Authie.config.events.dispatch(:host_mismatch_error, self)
-        raise HostMismatch, "Session was created on #{host} but accessed using #{controller.request.host}"
-      end
-      true
-    end
-    # Has this persistent session expired?
-    def expired?
-      expires_at &&
-        expires_at < Time.now
-    end
-    # Has a non-persistent session become inactive?
-    def inactive?
-      expires_at.nil? &&
-        last_activity_at &&
-        last_activity_at < Authie.config.session_inactivity_timeout.ago
-    end
-    # Allow this session to persist rather than expiring at the end of the
-    # current browser session
-    def persist!
-      self.expires_at = Authie.config.persistent_session_length.from_now
-      save!
-      set_cookie!
-    end
-    # Is this a persistent session?
-    def persistent?
-      !!expires_at
-    end
-    # Activate an old session
-    def activate!
-      self.active = true
-      save!
-    end
-    # Mark this session as invalid
-    def invalidate!
-      self.active = false
-      save!
-      cookies.delete(:user_session) if controller
-      Authie.config.events.dispatch(:session_invalidated, self)
-      true
-    end
-    # Set some additional data in this session
-    def set(key, value)
-      self.data ||= {}
-      self.data[key.to_s] = value
-      save!
-    end
-    # Get some additional data from this session
-    def get(key)
-      (self.data ||= {})[key.to_s]
-    end
-    # Invalidate all sessions but this one for this user
-    def invalidate_others!
-      self.class.where('id != ?', id).for_user(user).each(&:invalidate!)
-    end
-    # Note that we have just seen the user enter their password.
-    def see_password!
-      self.password_seen_at = Time.now
-      save!
-      Authie.config.events.dispatch(:seen_password, self)
-      true
-    end
-    # Have we seen the user's password recently in this sesion?
-    def recently_seen_password?
-      !!(password_seen_at && password_seen_at >= Authie.config.sudo_session_timeout.ago)
-    end
-    # Is two factor authentication required for this request?
-    def two_factored?
-      !!(two_factored_at || parent_id)
+      self
     end
-    # Mark this request as two factor authoritsed
-    def mark_as_two_factored!
-      self.two_factored_at = Time.now
-      self.two_factored_ip = controller.request.ip
-      save!
-      Authie.config.events.dispatch(:marked_as_two_factored, self)
-      true
-    end
-    # Create a new session for impersonating for the given user
-    def impersonate!(user)
-      set_parent_cookie!
-      self.class.start(controller, user: user, parent: self)
-    end
-    # Revert back to the parent session
-    def revert_to_parent!
-      unless parent && cookies[:parent_user_session]
-        raise NoParentSessionForRevert, 'Session does not have a parent therefore cannot be reverted.'
+    def validate_host
+      if @session.host && @session.host != @controller.request.host
+        invalidate
+        Authie.config.events.dispatch(:host_mismatch_error, self)
+        raise HostMismatch, "Session was created on #{@session.host} but accessed using #{@controller.request.host}"
       end
-      invalidate!
-      parent.activate!
-      parent.controller = controller
-      parent.set_cookie!(cookies[:parent_user_session])
-      cookies.delete(:parent_user_session)
-      parent
-    end
-    # Is this the first session for this session's browser?
-    def first_session_for_browser?
-      self.class.where('id < ?', id).for_user(user).where(browser_id: browser_id).empty?
-    end
-    # Is this the first session for the IP?
-    def first_session_for_ip?
-      self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
-    end
-    # Find a session from the database for the given controller instance.
-    # Returns a session object or :none if no session is found.
-    def self.get_session(controller)
-      cookies = controller.send(:cookies)
-      if cookies[:user_session] && (session = find_session_by_token(cookies[:user_session]))
-        session.temporary_token = cookies[:user_session]
-        session.controller = controller
-        session
-      else
-        :none
+      self
+    end
+    class << self
+      # Create a new session within the given controller for the
+      #
+      # @param controller [ActionController::Base]
+      # @option params [ActiveRecord::Base] user
+      # @return [Authie::Session]
+      def start(controller, params = {})
+        cookies = controller.send(:cookies)
+        SessionModel.active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
+        user_object = params.delete(:user)
+        session = SessionModel.new(params)
+        session.user = user_object
+        session.browser_id = cookies[:browser_id]
+        session.login_at = Time.now
+        session.login_ip = controller.request.ip
+        session.host = controller.request.host
+        session.user_agent = controller.request.user_agent
+        session.save!
+        new(controller, session).start
       end
-    end
-    # Find a session by a token (either from a hash or from the raw token)
-    def self.find_session_by_token(token)
-      return nil if token.blank?
-      active.where('token = ? OR token_hash = ?', token, hash_token(token)).first
-    end
+      # Lookup a session for a given controller and return the session
+      # object.
+      #
+      # @param controller [ActionController::Base]
+      # @return [Authie::Session]
+      def get_session(controller)
+        cookies = controller.send(:cookies)
+        return nil if cookies[:user_session].blank?
-    # Create a new session and return the newly created session object.
-    # Any other sessions for the browser will be invalidated.
-    def self.start(controller, params = {})
-      cookies = controller.send(:cookies)
-      active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
-      user_object = params.delete(:user)
-      session = new(params)
-      session.user = user_object
-      session.controller = controller
-      session.browser_id = cookies[:browser_id]
-      session.login_at = Time.now
-      session.login_ip = controller.request.ip
-      session.host = controller.request.host
-      session.save!
-      Authie.config.events.dispatch(:start_session, session)
-      session
-    end
+        session = SessionModel.find_session_by_token(cookies[:user_session])
+        return nil if session.blank?
-    # Cleanup any old sessions.
-    def self.cleanup
-      Authie.config.events.dispatch(:before_cleanup)
-      # Invalidate transient sessions that haven't been used
-      active.where('expires_at IS NULL AND last_activity_at < ?',
-                   Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
-      # Invalidate persistent sessions that have expired
-      active.where('expires_at IS NOT NULL AND expires_at < ?', Time.now).each(&:invalidate!)
-      Authie.config.events.dispatch(:after_cleanup)
-      true
-    end
-    # Return a hash of a given token
-    def self.hash_token(token)
-      Digest::SHA256.hexdigest(token)
-    end
-    # Convert all existing active sessions to store their tokens in the database
-    def self.convert_tokens_to_hashes
-      active.where(token_hash: nil).where('token is not null').each do |s|
-        hash = hash_token(s.token)
-        where(id: s.id).update_all(token_hash: hash, token: nil)
+        session.temporary_token = cookies[:user_session]
+        new(controller, session)
       end
-    end
-    private
-    # Return all cookies on the associated controller
-    def cookies
-      controller.send(:cookies)
-    end
+      delegate :hash_token, to: SessionModel
+    end
+    # Backwards compatibility with Authie < 4.0. These methods were all available on sessions
+    # in previous versions of Authie. They have been maintained for backwards-compatibility but
+    # will be removed entirely in Authie 5.0.
+    alias check_security! validate
+    alias persist! persist
+    alias invalidate! invalidate
+    alias touch! touch
+    alias set_cookie! set_cookie
+    alias see_password! see_password
+    alias mark_as_two_factored! mark_as_two_factored
+    # Delegate key methods back to the underlying session model. Previous behaviour in Authie
+    # exposed all methods on the session model. It is useful that these methods can be accessed
+    # easily from this session proxy model so these are maintained as delegated methods.
+    delegate :active?, to: :session
+    delegate :browser_id, to: :session
+    delegate :expired?, to: :session
+    delegate :first_session_for_browser?, to: :session
+    delegate :first_session_for_ip?, to: :session
+    delegate :get, to: :session
+    delegate :inactive?, to: :session
+    delegate :invalidate_others!, to: :session
+    delegate :last_activity_at, to: :session
+    delegate :last_activity_ip, to: :session
+    delegate :last_activity_path, to: :session
+    delegate :login_at, to: :session
+    delegate :login_ip, to: :session
+    delegate :password_seen_at, to: :session
+    delegate :persisted?, to: :session
+    delegate :persistent?, to: :session
+    delegate :recently_seen_password?, to: :session
+    delegate :requests, to: :session
+    delegate :set, to: :session
+    delegate :temporary_token, to: :session
+    delegate :token_hash, to: :session
+    delegate :two_factored_at, to: :session
+    delegate :two_factored_ip, to: :session
+    delegate :two_factored?, to: :session
+    delegate :update, to: :session
+    delegate :update!, to: :session
+    delegate :user_agent, to: :session
+    delegate :user, to: :session
   end
 end

data/lib/authie/session_model.rb ADDED Viewed

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+require 'active_record/base'
+require 'secure_random_string'
+require 'authie/config'
+module Authie
+  class SessionModel < ActiveRecord::Base
+    attr_accessor :temporary_token
+    self.table_name = 'authie_sessions'
+    belongs_to :parent, class_name: 'Authie::SessionModel', optional: true
+    scope :active, -> { where(active: true) }
+    scope :asc, -> { order(last_activity_at: :desc) }
+    scope :for_user, ->(user) { where(user_type: user.class.name, user_id: user.id) }
+    # Attributes
+    serialize :data, Hash
+    before_validation do
+      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
+      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
+    end
+    before_create do
+      self.temporary_token = SecureRandomString.new(44)
+      self.token_hash = self.class.hash_token(temporary_token)
+    end
+    # Return the user that
+    def user
+      return unless user_id && user_type
+      return @user if instance_variable_defined?('@user')
+      @user = user_type.constantize.find_by(id: user_id)
+    end
+    # Set the user
+    def user=(user)
+      @user = user
+      if user
+        self.user_type = user.class.name
+        self.user_id = user.id
+      else
+        self.user_type = nil
+        self.user_id = nil
+      end
+    end
+    def expired?
+      expires_at.present? &&
+        expires_at < Time.now
+    end
+    def inactive?
+      expires_at.nil? &&
+        last_activity_at.present? &&
+        last_activity_at < Authie.config.session_inactivity_timeout.ago
+    end
+    def persistent?
+      !!expires_at
+    end
+    def activate!
+      self.active = true
+      save!
+    end
+    def invalidate!
+      self.active = false
+      save!
+      true
+    end
+    def set(key, value)
+      self.data ||= {}
+      self.data[key.to_s] = value
+      save!
+    end
+    def get(key)
+      (self.data ||= {})[key.to_s]
+    end
+    def invalidate_others!
+      self.class.where('id != ?', id).for_user(user).each(&:invalidate!).inspect
+    end
+    # Have we seen the user's password recently in this sesion?
+    def recently_seen_password?
+      !!(password_seen_at && password_seen_at >= Authie.config.sudo_session_timeout.ago)
+    end
+    # Is two factor authentication required for this request?
+    def two_factored?
+      !!(two_factored_at || parent_id)
+    end
+    # Is this the first session for this session's browser?
+    def first_session_for_browser?
+      self.class.where('id < ?', id).for_user(user).where(browser_id: browser_id).empty?
+    end
+    # Is this the first session for the IP?
+    def first_session_for_ip?
+      self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
+    end
+    class << self
+      # Find a session from the database for the given controller instance.
+      # Returns a session object or :none if no session is found.
+      # Find a session by a token (either from a hash or from the raw token)
+      def find_session_by_token(token)
+        return nil if token.blank?
+        active.where(token_hash: hash_token(token)).first
+      end
+      # Cleanup any old sessions.
+      def cleanup
+        Authie.config.events.dispatch(:before_cleanup)
+        # Invalidate transient sessions that haven't been used
+        active.where('expires_at IS NULL AND last_activity_at < ?',
+                     Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
+        # Invalidate persistent sessions that have expired
+        active.where('expires_at IS NOT NULL AND expires_at < ?', Time.now).each(&:invalidate!)
+        Authie.config.events.dispatch(:after_cleanup)
+        true
+      end
+      # Return a hash of a given token
+      def hash_token(token)
+        Digest::SHA256.hexdigest(token)
+      end
+    end
+  end
+end

data/lib/authie/user.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Authie
   module User
     def self.included(base)
-      base.has_many :user_sessions, class_name: 'Authie::Session', as: :user, dependent: :delete_all
+      base.has_many :user_sessions, class_name: 'Authie::SessionModel', as: :user, dependent: :delete_all
     end
   end
 end

data/lib/authie/version.rb CHANGED Viewed

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 module Authie
-  VERSION = '3.4.0'
+  VERSION_FILE_ROOT = File.expand_path('../../VERSION', __dir__)
+  VERSION = if File.file?(VERSION_FILE_ROOT)
+              File.read(VERSION_FILE_ROOT).strip.sub(/\Av/, '')
+            else
+              '0.0.0.dev'
+            end
 end

metadata CHANGED Viewed

@@ -1,15 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: authie
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 4.0.0.rc2
 platform: ruby
 authors:
 - Adam Cooke
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-01 00:00:00.000000000 Z
+date: 2022-04-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: secure_random_string
   requirement: !ruby/object:Gem::Requirement
@@ -24,6 +44,194 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.4.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.4.1
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.17.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: solargraph
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Rails library for storing user sessions in a backend database
 email:
 - me@adamcooke.io
@@ -47,6 +255,7 @@ files:
 - lib/authie/event_manager.rb
 - lib/authie/rack_controller.rb
 - lib/authie/session.rb
+- lib/authie/session_model.rb
 - lib/authie/user.rb
 - lib/authie/version.rb
 homepage: https://github.com/adamcooke/authie
@@ -64,11 +273,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: A Rails library for storing user sessions in a backend database