authkit 0.0.1

data/lib/generators/authkit/install_generator.rb

@@ -0,0 +1,113 @@
+require 'rails/generators'
+require 'rails/generators/active_record'
+
+module Authkit
+  class InstallGenerator < Rails::Generators::Base
+    include Rails::Generators::Migration
+
+    desc "An auth system for your Rails app"
+
+    def self.source_root
+      @source_root ||= File.join(File.dirname(__FILE__), 'templates')
+    end
+
+    def generate_authkit
+      generate_migration("create_users")
+      generate_migration("add_authkit_fields_to_users")
+
+      # Ensure the destination structure
+      empty_directory "app"
+      empty_directory "app/models"
+      empty_directory "app/controllers"
+      empty_directory "app/views"
+      empty_directory "app/views/users"
+      empty_directory "app/views/sessions"
+      empty_directory "app/views/password_reset"
+      empty_directory "app/views/password_change"
+      empty_directory "spec"
+      empty_directory "spec/models"
+      empty_directory "spec/controllers"
+      empty_directory "lib"
+
+      # Fill out some templates (for now, this is just straight copy)
+      template "app/models/user.rb", "app/models/user.rb"
+      template "app/controllers/users_controller.rb", "app/controllers/users_controller.rb"
+      template "app/controllers/sessions_controller.rb", "app/controllers/sessions_controller.rb"
+      template "app/controllers/password_reset_controller.rb", "app/controllers/password_reset_controller.rb"
+      template "app/controllers/password_change_controller.rb", "app/controllers/password_change_controller.rb"
+      template "app/controllers/email_confirmation_controller.rb", "app/controllers/email_confirmation_controller.rb"
+
+      template "spec/models/user_spec.rb", "spec/models/user_spec.rb"
+      template "spec/controllers/application_controller_spec.rb", "spec/controllers/application_controller_spec.rb"
+      template "spec/controllers/users_controller_spec.rb", "spec/controllers/users_controller_spec.rb"
+      template "spec/controllers/sessions_controller_spec.rb", "spec/controllers/sessions_controller_spec.rb"
+      template "spec/controllers/password_reset_controller_spec.rb", "spec/controllers/password_reset_controller_spec.rb"
+      template "spec/controllers/password_change_controller_spec.rb", "spec/controllers/password_change_controller_spec.rb"
+      template "spec/controllers/email_confirmation_controller_spec.rb", "spec/controllers/email_confirmation_controller_spec.rb"
+
+      template "lib/email_format_validator.rb", "lib/email_format_validator.rb"
+
+      # Don't treat these like templates
+      copy_file "app/views/users/new.html.erb", "app/views/users/new.html.erb"
+      copy_file "app/views/users/edit.html.erb", "app/views/users/edit.html.erb"
+      copy_file "app/views/sessions/new.html.erb", "app/views/sessions/new.html.erb"
+      copy_file "app/views/password_reset/show.html.erb", "app/views/password_reset/show.html.erb"
+      copy_file "app/views/password_change/show.html.erb", "app/views/password_change/show.html.erb"
+
+      # We don't want to override this file and may have a protected section
+      insert_at_end_of_class "app/controllers/application_controller.rb", "app/controllers/application_controller.rb"
+
+      # Need a temp root
+      route "root 'welcome#index'"
+
+      # Setup the routes
+      route "get  '/email/confirm/:token', to: 'email_confirmation#show', as: :confirm"
+
+      route "post '/password/reset', to: 'password_reset#create'"
+      route "get  '/password/reset', to: 'password_reset#show', as: :password_reset"
+      route "post '/password/change/:token', to: 'password_change#create'"
+      route "get  '/password/change/:token', to: 'password_change#show', as: :password_change"
+
+      route "get  '/signup', to: 'users#new', as: :signup"
+      route "get  '/logout', to: 'sessions#destroy', as: :logout"
+      route "get  '/login', to: 'sessions#new', as: :login"
+
+      route "put  '/account', to: 'users#update'"
+      route "get  '/account', to: 'users#edit', as: :user"
+
+      route "resources :sessions, only: [:new, :create, :destroy]"
+      route "resources :users, only: [:new, :create]"
+
+      # Support for has_secure_password and has_one_time_password
+      gem "active_model_otp"
+      gem "bcrypt-ruby", '~> 3.0.0'
+
+      # RSpec needs to be in the development group to be used in generators
+      gem_group :test, :development do
+        gem "rspec-rails"
+        gem "shoulda-matchers"
+      end
+    end
+
+    def self.next_migration_number(dirname)
+      ActiveRecord::Generators::Base.next_migration_number(dirname)
+    end
+
+    protected
+
+    def insert_at_end_of_class(filename, source)
+      source = File.expand_path(find_in_source_paths(source.to_s))
+      context = instance_eval('binding')
+      content = ERB.new(::File.binread(source), nil, '-', '@output_buffer').result(context)
+      insert_into_file "app/controllers/application_controller.rb", "#{content}\n", before: /end\n*\z/
+    end
+
+    def generate_migration(filename)
+      if self.class.migration_exists?("db/migrate", "#{filename}")
+        say_status "skipped", "Migration #{filename}.rb already exists"
+      else
+        migration_template "db/migrate/#{filename}.rb", "db/migrate/#{filename}.rb"
+      end
+    end
+  end
+end

data/lib/generators/authkit/templates/app/controllers/application_controller.rb

@@ -0,0 +1,94 @@
+
+  before_filter :set_time_zone
+
+  helper_method :logged_in?, :current_user
+
+  # It is very unlikely that this exception will be created under normal
+  # circumstances. Unique validations are handled in Rails, but they are
+  # also enforced at the database level to guarantee data integrity. In
+  # certain cases (double-clicking a save link, multiple distributed servers)
+  # it is possible to get past the Rails validation in which case the
+  # database throws an exception.
+  rescue_from ActiveRecord::RecordNotUnique, with: :record_not_unique
+
+  protected
+
+  def current_user
+    return @current_user if defined?(@current_user)
+    @current_user ||= User.find_by(session[:user_id]) if session[:user_id]
+    @current_user ||= User.user_from_remember_token(cookies.signed[:remember]) unless cookies.signed[:remember].blank?
+    session[:user_id] = @current_user.id if @current_user
+    session[:time_zone] = @current_user.time_zone if @current_user
+    set_time_zone
+
+    @current_user
+  end
+
+  def allow_tracking?
+    "#{request.headers['X-Do-Not-Track']}" != '1' && "#{request.headers['DNT']}" != '1'
+  end
+
+  def logged_in?
+    !!current_user
+  end
+
+  def require_login
+    deny_user(nil, login_path) unless logged_in?
+  end
+
+  def require_token
+    deny_user("Invalid token", root_path) unless @user = User.user_from_token(params[:token])
+  end
+
+  def login(user)
+    @current_user = user
+    current_user.track_sign_in(request.remote_ip) if allow_tracking?
+    current_user.set_token(:remember_token)
+    set_remember_cookie
+    reset_session
+    session[:user_id] = current_user.id
+    session[:time_zone] = current_user.time_zone
+    set_time_zone
+    current_user
+  end
+
+  def logout
+    current_user.clear_remember_token if current_user
+    cookies.delete(:remember)
+    reset_session
+    @current_user = nil
+  end
+
+  def set_time_zone
+    Time.zone = session[:time_zone] if session[:time_zone].present?
+  end
+
+  def set_remember_cookie
+    cookies.permanent.signed[:remember] = {
+      value: current_user.remember_token,
+      secure: Rails.env.production?
+    }
+  end
+
+  def redirect_back_or_default
+    redirect_to(session.delete(:return_url) || root_path)
+  end
+
+  def deny_user(message=nil, location=nil)
+    location ||= (logged_in? ? root_path : login_path)
+
+    session[:return_url] = request.fullpath
+    respond_to do |format|
+      format.json { render(status: 403, nothing: true) }
+      format.html do
+        flash[:error] = message || "Sorry, you must be logged in to do that"
+        redirect_to(location)
+      end
+    end
+
+    false
+  end
+
+  def record_not_unique
+    respond_with(nil, location: root_path, status: 422)
+  end

data/lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb

@@ -0,0 +1,25 @@
+class EmailConfirmationController < ApplicationController
+  before_filter :require_token
+
+  respond_to :html
+
+  def show
+    if @user.email_confirmed
+      login(@user)
+      flash[:notice] = "Thanks for confirming your email address"
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html { redirect_to root_path }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { status: 'error', errors: @user.errors }.to_json, status: 422 }
+        format.html {
+          flash[:error] = "Could not confirm email address because it is already in use"
+          redirect_to root_path
+        }
+      end
+    end
+  end
+end
+

data/lib/generators/authkit/templates/app/controllers/password_change_controller.rb

@@ -0,0 +1,29 @@
+class PasswordChangeController < ApplicationController
+  before_filter :require_token
+
+  def show
+    respond_to do |format|
+      format.json { head :no_content }
+      format.html
+    end
+  end
+
+  def create
+    if @user.change_password(params[:password], params[:password_confirmation])
+      login(@user)
+
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html {
+          flash.now[:notice] = "Password updated successfully"
+          redirect_to(root_path)
+        }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { status: 'error', errors: @user.errors }.to_json, status: 422 }
+        format.html { render :show }
+      end
+    end
+  end
+end

data/lib/generators/authkit/templates/app/controllers/password_reset_controller.rb

@@ -0,0 +1,29 @@
+class PasswordResetController < ApplicationController
+  def show
+  end
+
+  def create
+    username_or_email = "#{params[:email]}".downcase
+    user = User.find_by_username_or_email(username_or_email) if username_or_email.present?
+
+    if user && user.send_reset_password
+      logout
+
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html {
+          flash[:notice] = "We've sent an email which can be used to change your password"
+          redirect_to login_path
+        }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { errors: ["Invalid user name or email"], status: "error" }, status: 422 }
+        format.html {
+          flash.now[:error] = "Invalid user name or email"
+          render :show
+        }
+      end
+    end
+  end
+end

data/lib/generators/authkit/templates/app/controllers/sessions_controller.rb

@@ -0,0 +1,35 @@
+class SessionsController < ApplicationController
+  # Login
+  def new
+  end
+
+  def create
+    username_or_email = "#{params[:email]}".downcase
+    user = User.find_by_username_or_email(username_or_email) if username_or_email.present?
+
+    if user && user.authenticate(params[:password])
+      login(user)
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html { redirect_back_or_default }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { errors: ["Invalid user name or password"], status: "error" }, status: 422 }
+        format.html {
+          flash.now[:error] = "Invalid user name or password"
+          render :new
+        }
+      end
+    end
+  end
+
+  # Logout
+  def destroy
+    logout
+    respond_to do |format|
+      format.json { head :no_content }
+      format.html { redirect_to root_path }
+    end
+  end
+end

data/lib/generators/authkit/templates/app/controllers/users_controller.rb

@@ -0,0 +1,89 @@
+class UsersController < ApplicationController
+  before_filter :require_login, only: [:edit, :update]
+
+  respond_to :html, :json
+
+  # Signup
+  def new
+    @user = User.new
+  end
+
+  def create
+    @user = User.new(user_create_params)
+    if @user.save
+      @user.send_confirmation
+      login(@user)
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html { redirect_to root_path }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { status: 'error', errors: @user.errors }.to_json, status: 422 }
+        format.html { render :new }
+      end
+    end
+  end
+
+  def edit
+    @user = current_user
+  end
+
+  def update
+    @user = current_user
+
+    orig_confirmation_email = @user.confirmation_email
+
+    if @user.update_attributes(user_update_params)
+      # Send a new email confirmation if the user updated their email address
+      if @user.confirmation_email.present? &&
+         @user.confirmation_email != @user.email &&
+         @user.confirmation_email != orig_confirmation_email
+         @user.send_confirmation
+      end
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html { redirect_to @user }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { status: 'error', errors: @user.errors }.to_json, status: 422 }
+        format.html { render :edit }
+      end
+    end
+  end
+
+  protected
+
+  # It would be nice to find a strategy to merge these. The only difference is that
+  # when signing up you are setting the email, and when changing your settings you
+  # are setting the confirmation email.
+
+  def user_create_params
+    params.require(:user).permit(
+      :email,
+      :username,
+      :password,
+      :password_confirmation,
+      :first_name,
+      :last_name,
+      :bio,
+      :website,
+      :phone_number,
+      :time_zone)
+  end
+
+  def user_update_params
+    params.require(:user).permit(
+      :confirmation_email,
+      :username,
+      :password,
+      :password_confirmation,
+      :first_name,
+      :last_name,
+      :bio,
+      :website,
+      :phone_number,
+      :time_zone)
+  end
+end

data/lib/generators/authkit/templates/app/models/user.rb

@@ -0,0 +1,170 @@
+require 'email_format_validator'
+
+class User < ActiveRecord::Base
+  has_secure_password
+  has_one_time_password
+
+  # Uncomment if you are not using strong params (note, that email is only permitted on
+  # signup and confirmation_email is only permitted on update):
+  #
+  # attr_accessible :username,
+  #  :email,
+  #  :confirmation_email,
+  #  :password,
+  #  :password_confirmation,
+  #  :time_zone,
+  #  :first_name,
+  #  :last_name,
+  #  :bio,
+  #  :website,
+  #  :phone_number
+
+  before_validation :downcase_email
+  before_validation :set_confirmation_email
+
+  # Whenever the password is set, validate (not only on create)
+  validates :password, presence: true, confirmation: true, length: {minimum: 6}, if: :password_set?
+  validates :username, presence: true, uniqueness: {case_sensitive: false}
+  validates :email, email_format: true, presence: true, uniqueness: true
+  validates :confirmation_email, email_format: true, presence: true
+
+  # Confirm emails check for existing emails for uniqueness as a convenience
+  validate  :confirmation_email_uniqueness, if: :confirmation_email_set?
+
+  def self.user_from_token(token)
+    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_token)
+    id = verifier.verify(token)
+    User.find_by_id(id)
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    nil
+  end
+
+  # The tokens created by this method have unique indexes but they are digests of the
+  # id which is unique. Because of this we shouldn't see a conflict. If we do, however
+  # we want the ActiveRecord::StatementInvalid or ActiveRecord::RecordNotUnique exeception
+  # to bubble up.
+  def set_token(field)
+    return unless self.persisted?
+    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_token)
+    self.send("#{field}_created_at=", Time.now)
+    self.send("#{field}=", verifier.generate(self.id))
+    self.save
+  end
+
+  # These methods are a little redundant, but give you the opportunity to
+  # insert expiry for any of these token based authentication strategies.
+  # For example:
+  #
+  #    def self.user_from_remember_token(token)
+  #      user = user_from_token(token)
+  #      user = nil if user && user.remember_token_created_at < 30.days.ago
+  #      user
+  #    end
+  #
+  def self.user_from_remember_token(token)
+    user_from_token(token)
+  end
+
+  def self.user_from_reset_password_token(token)
+    user_from_token(token)
+  end
+
+  def self.user_from_confirmation_token(token)
+    user_from_token(token)
+  end
+
+  def self.user_from_unlock_token(token)
+    user_from_token(token)
+  end
+
+  def display_name
+    [first_name, last_name].compact.join(" ")
+  end
+
+  def track_sign_in(ip)
+    self.sign_in_count += 1
+    self.last_sign_in_at = self.current_sign_in_at
+    self.last_sign_in_ip = self.current_sign_in_ip
+    self.current_sign_in_at = Time.now
+    self.current_sign_in_ip = ip
+    self.save
+  end
+
+  def clear_remember_token
+    self.remember_token = nil
+    self.remember_token_created_at = nil
+    self.save
+  end
+
+  def send_reset_password
+    return false unless set_token(:reset_password_token)
+
+    # TODO: insert your mailer logic here
+    true
+  end
+
+  def send_confirmation
+    return false unless set_token(:confirmation_token)
+
+    # TODO: insert your mailer logic here
+    true
+  end
+
+  def email_confirmed
+    return false if self.confirmation_token.blank? || self.confirmation_email.blank?
+
+    self.email = self.confirmation_email
+
+    # Don't nil out the token unless the changes are valid as it may be
+    # needed again (when re-rendering the form, for instance)
+    if valid?
+      self.confirmation_token = nil
+      self.confirmation_token_created_at = nil
+    end
+
+    self.save
+  end
+
+  def change_password(password, password_confirmation)
+    self.password = password
+    self.password_confirmation = password_confirmation
+
+    # Don't nil out the token unless the changes are valid as it may be
+    # needed again (when re-rendering the form, for instance)
+    if valid?
+      self.reset_password_token = nil
+      self.reset_password_token_created_at = nil
+    end
+
+    self.save
+  end
+
+  protected
+
+  def password_set?
+    self.password.present?
+  end
+
+  def downcase_email
+    self.email = self.email.downcase if self.email
+  end
+
+  def set_confirmation_email
+    self.confirmation_email = self.email if self.confirmation_email.blank?
+  end
+
+  def confirmation_email_set?
+    confirmation_email.present? && confirmation_email_changed? && confirmation_email != email
+  end
+
+  # It is possible that a user will change their email, not confirm, and then
+  # sign up for the service again using the same email. If they later go to confirm
+  # the email change on the first account it will fail because the email will be
+  # used by the new signup. Though this is problematic it avoids the larger problem of
+  # users blocking new user signups by changing their email address to something they
+  # don't control. This check is just for convenience and does not need to
+  # guarantee uniqueness.
+  def confirmation_email_uniqueness
+    errors.add(:confirmation_email, :taken, value: email) if User.where('email = ?', confirmation_email).count > 0
+  end
+end