RubyGems - authie - Versions diffs - 3.4.0 → 4.0.0.rc2 - Mend

authie 3.4.0 → 4.0.0.rc2

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/authie/config.rb +18 -31
data/lib/authie/controller_delegate.rb +56 -26
data/lib/authie/controller_extension.rb +13 -36
data/lib/authie/event_manager.rb +2 -0
data/lib/authie/session.rb +231 -279
data/lib/authie/session_model.rb +141 -0
data/lib/authie/user.rb +1 -1
data/lib/authie/version.rb +6 -1
metadata +214 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a3bbd79539a591d214d378e2f70f91ffb144fd6c0dfb31c36a4c0ea3d86bf1a5
-  data.tar.gz: 2ba2f38bc671db30ccbde3a6eda511aa642d7d9191dbb2d4311c890ff720249c
+  metadata.gz: d5347676808e3554dde1670a91c8402ed166be59767298dfea961a9020659843
+  data.tar.gz: 03ee0e9cc60e7ae24a9e83c7a6ead5d72ebec109ef558898395d476014843a65
 SHA512:
-  metadata.gz: 9b325154016b3844263b77a71c484158ee256ab1ff4a67b77f670d167beff464805ab4b8a654931205124389c612a22723133f46f5b0123b9ad7102343c96b50
-  data.tar.gz: 9925f9aec3113b474b2a857676c163f570531fa5a5958d272a715fd448b7b5d2de8a1698ca23547023d8d01614009ca04035c11fc9d98ced2f83a1a228b2eaf9
+  metadata.gz: 219676dee96408c5cb85432ab4d919967415b9e575cb9681c4b4a9d210f041213af2a841a63ebdd4c88d9a8d3856f4ab306ddfd5e4947dee6e3d3654de8538b0
+  data.tar.gz: 7dd321dd2d407fd73b89ea6e1894d60362ac7e4fd792d0d74ea9e2cc5178b30eebd8d42ab3bf7baa356bc3d6f161d6809e0c545d9430d6db3267e8dfbda87190

data/lib/authie/config.rb CHANGED Viewed

@@ -4,42 +4,29 @@ require 'authie/event_manager'
 module Authie
   class Config
-    def initialize
-      @callbacks = {}
-    end
-    def session_inactivity_timeout
-      @session_inactivity_timeout || 12.hours
-    end
-    attr_writer :session_inactivity_timeout, :persistent_session_length, :sudo_session_timeout, :browser_id_cookie_name
-    def persistent_session_length
-      @persistent_session_length || 2.months
-    end
-    def sudo_session_timeout
-      @sudo_session_timeout || 10.minutes
-    end
+    attr_accessor :session_inactivity_timeout
+    attr_accessor :persistent_session_length
+    attr_accessor :sudo_session_timeout
+    attr_accessor :browser_id_cookie_name
+    attr_accessor :events
-    def user_relationship_options
-      @user_relationship_options ||= {}
+    def initialize
+      @session_inactivity_timeout = 12.hours
+      @persistent_session_length = 2.months
+      @sudo_session_timeout = 10.minutes
+      @browser_id_cookie_name = :browser_id
+      @events = EventManager.new
     end
+  end
-    def browser_id_cookie_name
-      @browser_id_cookie_name || :browser_id
+  class << self
+    def config
+      @config ||= Config.new
     end
-    def events
-      @events ||= EventManager.new
+    def configure(&block)
+      block.call(config)
+      config
     end
   end
-  def self.config
-    @config ||= Config.new
-  end
-  def self.configure(&block)
-    block.call(config)
-    config
-  end
 end

data/lib/authie/controller_delegate.rb CHANGED Viewed

@@ -2,18 +2,28 @@
 require 'securerandom'
 require 'authie/session'
+require 'authie/config'
+require 'authie/session_model'
 module Authie
+  # The controller delegate implements methods that can be used by a controller. These are then
+  # extended into controllers as needed (see ControllerExtension).
   class ControllerDelegate
+    # @param controller [ActionController::Base]
+    # @return [Authie::ControllerDelegate]
     def initialize(controller)
       @controller = controller
     end
-    # Set a random browser ID for this browser.
+    # Sets a browser ID. This must be performed on any page request where AUthie will be used.
+    # It should be triggered before any other Authie provided methods. This will ensure that
+    # the given browser ID is unique.
+    #
+    # @return [String] the generated browser ID
     def set_browser_id
       until cookies[Authie.config.browser_id_cookie_name]
         proposed_browser_id = SecureRandom.uuid
-        next if Authie::Session.where(browser_id: proposed_browser_id).exists?
+        next if Authie::SessionModel.where(browser_id: proposed_browser_id).exists?
         cookies[Authie.config.browser_id_cookie_name] = {
           value: proposed_browser_id,
@@ -21,61 +31,81 @@ module Authie
           httponly: true,
           secure: @controller.request.ssl?
         }
-        # Dispatch an event when the browser ID is set.
         Authie.config.events.dispatch(:set_browser_id, proposed_browser_id)
       end
+      proposed_browser_id
     end
-    # Touch the auth session on each request if logged in
+    # Touch the session on each request to ensure that it is validated and all last activity
+    # information is updated. This will return the session if one has been touched otherwise
+    # it will reteurn false if there is no session/not logged in. It is safe to run this on
+    # all requests even if there is no session.
+    #
+    # @return [Authie::Session, false]
     def touch_auth_session
-      auth_session.touch! if logged_in?
+      return auth_session.touch if logged_in?
+      false
     end
-    # Return the currently logged in user object
+    # Return the user for the currently logged in user or nil if no user is logged in
+    #
+    # @return [ActiveRecord::Base, nil]
     def current_user
-      logged_in? ? auth_session.user : nil
-    end
+      return nil unless logged_in?
-    # Set the currently logged in user
-    def current_user=(user)
-      create_auth_session(user)
+      auth_session.session.user
     end
-    # Create a new session for the given user
+    # Create a new session for the given user. If nil is provided as a user, the existing session
+    # will be invalidated.
+    #
+    # @return [Authie::Session, nil]
     def create_auth_session(user)
       if user
         @auth_session = Authie::Session.start(@controller, user: user)
-      else
-        auth_session.invalidate! if logged_in?
-        @auth_session = :none
+        return @auth_session
       end
+      invalidate_auth_session
+      nil
     end
-    # Invalidate an existing auth session
+    # Invalidate the existing auth session if one exists. Return true if a sesion has been invalidated
+    # otherwise return false.
+    #
+    # @return [Boolean]
     def invalidate_auth_session
       if logged_in?
-        auth_session.invalidate!
-        @auth_session = :none
-        true
-      else
-        false
+        auth_session.invalidate
+        @auth_session = nil
+        return true
       end
+      false
     end
-    # Is anyone currently logged in?
+    # Is anyone currently logged in? Return true if there is an auth session present.
+    #
+    # Note: this does not check the validatity of the session. You must always ensure that the `validate`
+    # or `touch` method is invoked to ensure that the session that has been found is active.
+    #
+    # @return [Boolean]
     def logged_in?
       auth_session.is_a?(Session)
     end
-    # Return the currently logged in user session
+    # Return an auth session that has been found in the current cookies.
+    #
+    # @return [Authie::Session]
     def auth_session
-      @auth_session ||= Authie::Session.get_session(@controller)
-      @auth_session == :none ? nil : @auth_session
+      return @auth_session if instance_variable_defined?('@auth_session')
+      @auth_session = Authie::Session.get_session(@controller)
     end
     private
-    # Return cookies for the controller
     def cookies
       @controller.send(:cookies)
     end

data/lib/authie/controller_extension.rb CHANGED Viewed

@@ -4,10 +4,19 @@ require 'authie/controller_delegate'
 module Authie
   module ControllerExtension
-    def self.included(base)
-      base.helper_method :logged_in?, :current_user, :auth_session
-      before_action_method = base.respond_to?(:before_action) ? :before_action : :before_filter
-      base.public_send(before_action_method, :set_browser_id, :touch_auth_session)
+    class << self
+      def included(base)
+        base.helper_method :logged_in?, :current_user, :auth_session
+        base.before_action :set_browser_id, :touch_auth_session
+        base.delegate :set_browser_id, to: :auth_session_delegate
+        base.delegate :touch_auth_session, to: :auth_session_delegate
+        base.delegate :current_user, to: :auth_session_delegate
+        base.delegate :create_auth_session, to: :auth_session_delegate
+        base.delegate :invalidate_auth_session, to: :auth_session_delegate
+        base.delegate :logged_in?, to: :auth_session_delegate
+        base.delegate :auth_session, to: :auth_session_delegate
+      end
     end
     private
@@ -15,37 +24,5 @@ module Authie
     def auth_session_delegate
       @auth_session_delegate ||= Authie::ControllerDelegate.new(self)
     end
-    def set_browser_id
-      auth_session_delegate.set_browser_id
-    end
-    def touch_auth_session
-      auth_session_delegate.touch_auth_session
-    end
-    def current_user
-      auth_session_delegate.current_user
-    end
-    def current_user=(user)
-      auth_session_delegate.current_user = user
-    end
-    def create_auth_session(user)
-      auth_session_delegate.create_auth_session(user)
-    end
-    def invalidate_auth_session
-      auth_session_delegate.invalidate_auth_session
-    end
-    def logged_in?
-      auth_session_delegate.logged_in?
-    end
-    def auth_session
-      auth_session_delegate.auth_session
-    end
   end
 end

data/lib/authie/event_manager.rb CHANGED Viewed

@@ -2,6 +2,8 @@
 module Authie
   class EventManager
+    attr_reader :callbacks
     def initialize
       @callbacks = {}
     end

data/lib/authie/session.rb CHANGED Viewed

@@ -1,338 +1,290 @@
 # frozen_string_literal: true
-require 'secure_random_string'
+require 'authie/session_model'
+require 'authie/error'
+require 'authie/config'
+require 'active_support/core_ext/module/delegation'
 module Authie
-  class Session < ActiveRecord::Base
-    # Errors which will be raised when there's an issue with a session's
-    # validity in the request.
+  class Session
+    # The underlying session model instance
+    #
+    # @return [Authie::SessionModel]
+    attr_reader :session
+    # A parent class that encapsulates all session validity errors.
     class ValidityError < Error; end
+    # Raised when a session is used but it is no longer active
     class InactiveSession < ValidityError; end
+    # Raised when a session is used but it has expired
     class ExpiredSession < ValidityError; end
+    # Raised when a session is used but the browser ID does not match
     class BrowserMismatch < ValidityError; end
+    # Raised when a session is used but the hostname does not match
+    # the session hostname
     class HostMismatch < ValidityError; end
-    class NoParentSessionForRevert < Error; end
-    # Set table name
-    self.table_name = 'authie_sessions'
-    # Relationships
-    parent_options = { class_name: 'Authie::Session' }
-    parent_options[:optional] = true if ActiveRecord::VERSION::MAJOR >= 5
-    belongs_to :parent, **parent_options
-    # Scopes
-    scope :active, -> { where(active: true) }
-    scope :asc, -> { order(last_activity_at: :desc) }
-    scope :for_user, ->(user) { where(user_type: user.class.name, user_id: user.id) }
-    # Attributes
-    serialize :data, Hash
-    attr_accessor :controller, :temporary_token
-    before_validation do
-      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
-      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
-    end
-    before_create do
-      self.temporary_token = SecureRandomString.new(44)
-      self.token_hash = self.class.hash_token(temporary_token)
-      if controller
-        self.user_agent = controller.request.user_agent
-        set_cookie!
-      end
-    end
-    before_destroy do
-      cookies.delete(:user_session) if controller
-    end
-    # Return the user that
-    def user
-      return unless user_id && user_type
-      @user ||= user_type.constantize.find_by(id: user_id) || :none
-      @user == :none ? nil : @user
+    # Initialize a new session object
+    #
+    # @param controller [ActionController::Base] any controller
+    # @param session [Authie::SessionModel] an Authie session model instance
+    # @return [Authie::Session]
+    def initialize(controller, session)
+      @controller = controller
+      @session = session
+    end
+    # Validate that the session is valid and raise and error if not
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @return [Authie::Session]
+    def validate
+      validate_browser_id
+      validate_active
+      validate_expiry
+      validate_inactivity
+      validate_host
+      self
+    end
+    # Mark the current session as persistent. Will set the expiry time of the underlying
+    # session and update the cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def persist
+      @session.expires_at = Authie.config.persistent_session_length.from_now
+      @session.save!
+      set_cookie
+      self
+    end
+    # Invalidates the current session by marking it inactive and removing the current cookie.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def invalidate
+      @session.invalidate!
+      cookies.delete(:user_session)
+      self
+    end
+    # Touches the current session to ensure it is currently valid and to update attributes
+    # which should be updatd on each request. This will raise the same errors as the #validate
+    # method. It will set the last activity time, IP and path as well as incrementing
+    # the request counter.
+    #
+    # @raises [Authie::Session::BrowserMismatch]
+    # @raises [Authie::Session::InactiveSession]
+    # @raises [Authie::Session::ExpiredSession]
+    # @raises [Authie::Session::HostMismatch]
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def touch
+      validate
+      @session.last_activity_at = Time.now
+      @session.last_activity_ip = @controller.request.ip
+      @session.last_activity_path = @controller.request.path
+      @session.requests += 1
+      @session.save!
+      Authie.config.events.dispatch(:session_touched, self)
+      self
     end
-    # Set the user
-    def user=(user)
-      if user
-        self.user_type = user.class.name
-        self.user_id = user.id
-      else
-        self.user_type = nil
-        self.user_id = nil
-      end
+    # Mark the session's password as seen at the current time
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def see_password
+      @session.password_seen_at = Time.now
+      @session.save!
+      Authie.config.events.dispatch(:seen_password, self)
+      self
+    end
+    # Mark this request as two factored by setting the time and the current
+    # IP address.
+    #
+    # @raises [ActiveRecord::RecordInvalid]
+    # @return [Authie::Session]
+    def mark_as_two_factored
+      @session.two_factored_at = Time.now
+      @session.two_factored_ip = @controller.request.ip
+      @session.save!
+      Authie.config.events.dispatch(:marked_as_two_factor, self)
+      self
+    end
+    # Starts a new session by setting the cookie. This should be invoked whenever
+    # a new session begins. It usually does not need to be called directly as it
+    # will be taken care of by the class-level start method.
+    #
+    # @return [Authie::Session]
+    def start
+      set_cookie
+      Authie.config.events.dispatch(:start_session, session)
+      self
     end
-    # This method should be called each time a user performs an
-    # action while authenticated with this session.
-    def touch!
-      check_security!
-      self.last_activity_at = Time.now
-      self.last_activity_ip = controller.request.ip
-      self.last_activity_path = controller.request.path
-      self.requests += 1
-      save!
-      Authie.config.events.dispatch(:session_touched, self)
-      true
-    end
+    private
-    # Sets the cookie on the associated controller.
     # rubocop:disable Naming/AccessorMethodName
-    def set_cookie!(value = temporary_token)
+    def set_cookie(value = @session.temporary_token)
       cookies[:user_session] = {
         value: value,
-        secure: controller.request.ssl?,
+        secure: @controller.request.ssl?,
         httponly: true,
-        expires: expires_at
+        expires: @session.expires_at
       }
       Authie.config.events.dispatch(:session_cookie_updated, self)
       true
     end
     # rubocop:enable Naming/AccessorMethodName
-    # Sets the cookie for the parent session on the associated controller.
-    def set_parent_cookie!
-      cookies[:parent_user_session] = {
-        value: cookies[:user_session],
-        secure: controller.request.ssl?,
-        httponly: true,
-        expires: expires_at
-      }
-      Authie.config.events.dispatch(:parent_session_cookie_updated, self)
-      true
+    def cookies
+      @controller.send(:cookies)
     end
-    # Check the security of the session to ensure it can be used.
-    def check_security!
-      raise Authie::Error, 'Cannot check security without a controller' unless controller
-      if cookies[:browser_id] != browser_id
-        invalidate!
+    def validate_browser_id
+      if cookies[:browser_id] != @session.browser_id
+        invalidate
         Authie.config.events.dispatch(:browser_id_mismatch_error, self)
         raise BrowserMismatch, 'Browser ID mismatch'
       end
-      unless active?
-        invalidate!
+      self
+    end
+    def validate_active
+      unless @session.active?
+        invalidate
         Authie.config.events.dispatch(:invalid_session_error, self)
         raise InactiveSession, 'Session is no longer active'
       end
-      if expired?
-        invalidate!
+      self
+    end
+    def validate_expiry
+      if @session.expired?
+        invalidate
         Authie.config.events.dispatch(:expired_session_error, self)
         raise ExpiredSession, 'Persistent session has expired'
       end
-      if inactive?
-        invalidate!
+      self
+    end
+    def validate_inactivity
+      if @session.inactive?
+        invalidate
         Authie.config.events.dispatch(:inactive_session_error, self)
         raise InactiveSession, 'Non-persistent session has expired'
       end
-      if host && host != controller.request.host
-        invalidate!
-        Authie.config.events.dispatch(:host_mismatch_error, self)
-        raise HostMismatch, "Session was created on #{host} but accessed using #{controller.request.host}"
-      end
-      true
-    end
-    # Has this persistent session expired?
-    def expired?
-      expires_at &&
-        expires_at < Time.now
-    end
-    # Has a non-persistent session become inactive?
-    def inactive?
-      expires_at.nil? &&
-        last_activity_at &&
-        last_activity_at < Authie.config.session_inactivity_timeout.ago
-    end
-    # Allow this session to persist rather than expiring at the end of the
-    # current browser session
-    def persist!
-      self.expires_at = Authie.config.persistent_session_length.from_now
-      save!
-      set_cookie!
-    end
-    # Is this a persistent session?
-    def persistent?
-      !!expires_at
-    end
-    # Activate an old session
-    def activate!
-      self.active = true
-      save!
-    end
-    # Mark this session as invalid
-    def invalidate!
-      self.active = false
-      save!
-      cookies.delete(:user_session) if controller
-      Authie.config.events.dispatch(:session_invalidated, self)
-      true
-    end
-    # Set some additional data in this session
-    def set(key, value)
-      self.data ||= {}
-      self.data[key.to_s] = value
-      save!
-    end
-    # Get some additional data from this session
-    def get(key)
-      (self.data ||= {})[key.to_s]
-    end
-    # Invalidate all sessions but this one for this user
-    def invalidate_others!
-      self.class.where('id != ?', id).for_user(user).each(&:invalidate!)
-    end
-    # Note that we have just seen the user enter their password.
-    def see_password!
-      self.password_seen_at = Time.now
-      save!
-      Authie.config.events.dispatch(:seen_password, self)
-      true
-    end
-    # Have we seen the user's password recently in this sesion?
-    def recently_seen_password?
-      !!(password_seen_at && password_seen_at >= Authie.config.sudo_session_timeout.ago)
-    end
-    # Is two factor authentication required for this request?
-    def two_factored?
-      !!(two_factored_at || parent_id)
+      self
     end
-    # Mark this request as two factor authoritsed
-    def mark_as_two_factored!
-      self.two_factored_at = Time.now
-      self.two_factored_ip = controller.request.ip
-      save!
-      Authie.config.events.dispatch(:marked_as_two_factored, self)
-      true
-    end
-    # Create a new session for impersonating for the given user
-    def impersonate!(user)
-      set_parent_cookie!
-      self.class.start(controller, user: user, parent: self)
-    end
-    # Revert back to the parent session
-    def revert_to_parent!
-      unless parent && cookies[:parent_user_session]
-        raise NoParentSessionForRevert, 'Session does not have a parent therefore cannot be reverted.'
+    def validate_host
+      if @session.host && @session.host != @controller.request.host
+        invalidate
+        Authie.config.events.dispatch(:host_mismatch_error, self)
+        raise HostMismatch, "Session was created on #{@session.host} but accessed using #{@controller.request.host}"
       end
-      invalidate!
-      parent.activate!
-      parent.controller = controller
-      parent.set_cookie!(cookies[:parent_user_session])
-      cookies.delete(:parent_user_session)
-      parent
-    end
-    # Is this the first session for this session's browser?
-    def first_session_for_browser?
-      self.class.where('id < ?', id).for_user(user).where(browser_id: browser_id).empty?
-    end
-    # Is this the first session for the IP?
-    def first_session_for_ip?
-      self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
-    end
-    # Find a session from the database for the given controller instance.
-    # Returns a session object or :none if no session is found.
-    def self.get_session(controller)
-      cookies = controller.send(:cookies)
-      if cookies[:user_session] && (session = find_session_by_token(cookies[:user_session]))
-        session.temporary_token = cookies[:user_session]
-        session.controller = controller
-        session
-      else
-        :none
+      self
+    end
+    class << self
+      # Create a new session within the given controller for the
+      #
+      # @param controller [ActionController::Base]
+      # @option params [ActiveRecord::Base] user
+      # @return [Authie::Session]
+      def start(controller, params = {})
+        cookies = controller.send(:cookies)
+        SessionModel.active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
+        user_object = params.delete(:user)
+        session = SessionModel.new(params)
+        session.user = user_object
+        session.browser_id = cookies[:browser_id]
+        session.login_at = Time.now
+        session.login_ip = controller.request.ip
+        session.host = controller.request.host
+        session.user_agent = controller.request.user_agent
+        session.save!
+        new(controller, session).start
       end
-    end
-    # Find a session by a token (either from a hash or from the raw token)
-    def self.find_session_by_token(token)
-      return nil if token.blank?
-      active.where('token = ? OR token_hash = ?', token, hash_token(token)).first
-    end
+      # Lookup a session for a given controller and return the session
+      # object.
+      #
+      # @param controller [ActionController::Base]
+      # @return [Authie::Session]
+      def get_session(controller)
+        cookies = controller.send(:cookies)
+        return nil if cookies[:user_session].blank?
-    # Create a new session and return the newly created session object.
-    # Any other sessions for the browser will be invalidated.
-    def self.start(controller, params = {})
-      cookies = controller.send(:cookies)
-      active.where(browser_id: cookies[:browser_id]).each(&:invalidate!)
-      user_object = params.delete(:user)
-      session = new(params)
-      session.user = user_object
-      session.controller = controller
-      session.browser_id = cookies[:browser_id]
-      session.login_at = Time.now
-      session.login_ip = controller.request.ip
-      session.host = controller.request.host
-      session.save!
-      Authie.config.events.dispatch(:start_session, session)
-      session
-    end
+        session = SessionModel.find_session_by_token(cookies[:user_session])
+        return nil if session.blank?
-    # Cleanup any old sessions.
-    def self.cleanup
-      Authie.config.events.dispatch(:before_cleanup)
-      # Invalidate transient sessions that haven't been used
-      active.where('expires_at IS NULL AND last_activity_at < ?',
-                   Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
-      # Invalidate persistent sessions that have expired
-      active.where('expires_at IS NOT NULL AND expires_at < ?', Time.now).each(&:invalidate!)
-      Authie.config.events.dispatch(:after_cleanup)
-      true
-    end
-    # Return a hash of a given token
-    def self.hash_token(token)
-      Digest::SHA256.hexdigest(token)
-    end
-    # Convert all existing active sessions to store their tokens in the database
-    def self.convert_tokens_to_hashes
-      active.where(token_hash: nil).where('token is not null').each do |s|
-        hash = hash_token(s.token)
-        where(id: s.id).update_all(token_hash: hash, token: nil)
+        session.temporary_token = cookies[:user_session]
+        new(controller, session)
       end
-    end
-    private
-    # Return all cookies on the associated controller
-    def cookies
-      controller.send(:cookies)
-    end
+      delegate :hash_token, to: SessionModel
+    end
+    # Backwards compatibility with Authie < 4.0. These methods were all available on sessions
+    # in previous versions of Authie. They have been maintained for backwards-compatibility but
+    # will be removed entirely in Authie 5.0.
+    alias check_security! validate
+    alias persist! persist
+    alias invalidate! invalidate
+    alias touch! touch
+    alias set_cookie! set_cookie
+    alias see_password! see_password
+    alias mark_as_two_factored! mark_as_two_factored
+    # Delegate key methods back to the underlying session model. Previous behaviour in Authie
+    # exposed all methods on the session model. It is useful that these methods can be accessed
+    # easily from this session proxy model so these are maintained as delegated methods.
+    delegate :active?, to: :session
+    delegate :browser_id, to: :session
+    delegate :expired?, to: :session
+    delegate :first_session_for_browser?, to: :session
+    delegate :first_session_for_ip?, to: :session
+    delegate :get, to: :session
+    delegate :inactive?, to: :session
+    delegate :invalidate_others!, to: :session
+    delegate :last_activity_at, to: :session
+    delegate :last_activity_ip, to: :session
+    delegate :last_activity_path, to: :session
+    delegate :login_at, to: :session
+    delegate :login_ip, to: :session
+    delegate :password_seen_at, to: :session
+    delegate :persisted?, to: :session
+    delegate :persistent?, to: :session
+    delegate :recently_seen_password?, to: :session
+    delegate :requests, to: :session
+    delegate :set, to: :session
+    delegate :temporary_token, to: :session
+    delegate :token_hash, to: :session
+    delegate :two_factored_at, to: :session
+    delegate :two_factored_ip, to: :session
+    delegate :two_factored?, to: :session
+    delegate :update, to: :session
+    delegate :update!, to: :session
+    delegate :user_agent, to: :session
+    delegate :user, to: :session
   end
 end

data/lib/authie/session_model.rb ADDED Viewed

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+require 'active_record/base'
+require 'secure_random_string'
+require 'authie/config'
+module Authie
+  class SessionModel < ActiveRecord::Base
+    attr_accessor :temporary_token
+    self.table_name = 'authie_sessions'
+    belongs_to :parent, class_name: 'Authie::SessionModel', optional: true
+    scope :active, -> { where(active: true) }
+    scope :asc, -> { order(last_activity_at: :desc) }
+    scope :for_user, ->(user) { where(user_type: user.class.name, user_id: user.id) }
+    # Attributes
+    serialize :data, Hash
+    before_validation do
+      self.user_agent = user_agent[0, 255] if user_agent.is_a?(String)
+      self.last_activity_path = last_activity_path[0, 255] if last_activity_path.is_a?(String)
+    end
+    before_create do
+      self.temporary_token = SecureRandomString.new(44)
+      self.token_hash = self.class.hash_token(temporary_token)
+    end
+    # Return the user that
+    def user
+      return unless user_id && user_type
+      return @user if instance_variable_defined?('@user')
+      @user = user_type.constantize.find_by(id: user_id)
+    end
+    # Set the user
+    def user=(user)
+      @user = user
+      if user
+        self.user_type = user.class.name
+        self.user_id = user.id
+      else
+        self.user_type = nil
+        self.user_id = nil
+      end
+    end
+    def expired?
+      expires_at.present? &&
+        expires_at < Time.now
+    end
+    def inactive?
+      expires_at.nil? &&
+        last_activity_at.present? &&
+        last_activity_at < Authie.config.session_inactivity_timeout.ago
+    end
+    def persistent?
+      !!expires_at
+    end
+    def activate!
+      self.active = true
+      save!
+    end
+    def invalidate!
+      self.active = false
+      save!
+      true
+    end
+    def set(key, value)
+      self.data ||= {}
+      self.data[key.to_s] = value
+      save!
+    end
+    def get(key)
+      (self.data ||= {})[key.to_s]
+    end
+    def invalidate_others!
+      self.class.where('id != ?', id).for_user(user).each(&:invalidate!).inspect
+    end
+    # Have we seen the user's password recently in this sesion?
+    def recently_seen_password?
+      !!(password_seen_at && password_seen_at >= Authie.config.sudo_session_timeout.ago)
+    end
+    # Is two factor authentication required for this request?
+    def two_factored?
+      !!(two_factored_at || parent_id)
+    end
+    # Is this the first session for this session's browser?
+    def first_session_for_browser?
+      self.class.where('id < ?', id).for_user(user).where(browser_id: browser_id).empty?
+    end
+    # Is this the first session for the IP?
+    def first_session_for_ip?
+      self.class.where('id < ?', id).for_user(user).where(login_ip: login_ip).empty?
+    end
+    class << self
+      # Find a session from the database for the given controller instance.
+      # Returns a session object or :none if no session is found.
+      # Find a session by a token (either from a hash or from the raw token)
+      def find_session_by_token(token)
+        return nil if token.blank?
+        active.where(token_hash: hash_token(token)).first
+      end
+      # Cleanup any old sessions.
+      def cleanup
+        Authie.config.events.dispatch(:before_cleanup)
+        # Invalidate transient sessions that haven't been used
+        active.where('expires_at IS NULL AND last_activity_at < ?',
+                     Authie.config.session_inactivity_timeout.ago).each(&:invalidate!)
+        # Invalidate persistent sessions that have expired
+        active.where('expires_at IS NOT NULL AND expires_at < ?', Time.now).each(&:invalidate!)
+        Authie.config.events.dispatch(:after_cleanup)
+        true
+      end
+      # Return a hash of a given token
+      def hash_token(token)
+        Digest::SHA256.hexdigest(token)
+      end
+    end
+  end
+end

data/lib/authie/user.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Authie
   module User
     def self.included(base)
-      base.has_many :user_sessions, class_name: 'Authie::Session', as: :user, dependent: :delete_all
+      base.has_many :user_sessions, class_name: 'Authie::SessionModel', as: :user, dependent: :delete_all
     end
   end
 end

data/lib/authie/version.rb CHANGED Viewed

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 module Authie
-  VERSION = '3.4.0'
+  VERSION_FILE_ROOT = File.expand_path('../../VERSION', __dir__)
+  VERSION = if File.file?(VERSION_FILE_ROOT)
+              File.read(VERSION_FILE_ROOT).strip.sub(/\Av/, '')
+            else
+              '0.0.0.dev'
+            end
 end

metadata CHANGED Viewed

@@ -1,15 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: authie
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 4.0.0.rc2
 platform: ruby
 authors:
 - Adam Cooke
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-01 00:00:00.000000000 Z
+date: 2022-04-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: secure_random_string
   requirement: !ruby/object:Gem::Requirement
@@ -24,6 +44,194 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.4.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.4.1
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.17.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: solargraph
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: A Rails library for storing user sessions in a backend database
 email:
 - me@adamcooke.io
@@ -47,6 +255,7 @@ files:
 - lib/authie/event_manager.rb
 - lib/authie/rack_controller.rb
 - lib/authie/session.rb
+- lib/authie/session_model.rb
 - lib/authie/user.rb
 - lib/authie/version.rb
 homepage: https://github.com/adamcooke/authie
@@ -64,11 +273,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: A Rails library for storing user sessions in a backend database