authkit 0.0.1 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 90322223474f0c5031812ebb9b08656f13667ad0
-  data.tar.gz: dbf307ddf9d5269d69742427777b6e7f72373428
+  metadata.gz: e32d463ccc3d5bbb3291b087ddb3c51a4341a2c0
+  data.tar.gz: 16ce8e2e4b53acf18863c454c9def5d1e7a26818
 SHA512:
-  metadata.gz: ba3bd5d2352745b4f9ff270ac323715359c95ecdde097ca4e60ca4b6f708275724e113d441f9b4c75f200f57a766ed55d0ce409dfefeaf3454f556e9d5e6bea3
-  data.tar.gz: cef78bd47d5249fdde5bb51276ef05b68400c9d251265deb0500fe7a7450142bc3db3b550c09bce606c22051c941c8ca5dab84f32d0dd4ff6f2f7c5e991e04f8
+  metadata.gz: 144e524bb9384e402ef0d0c942e46ce23469858226a354f327cd9ffeaa52b0749a29850a8eb1dac6a4d7d60eb0c7d1e952d958a67e42bb170171961080fe56c3
+  data.tar.gz: 9f9f94acc22505797557a18fd69ef532aefae1b57cc38f47bf8287f58e6b26a2f08595eaed136296fba001f798cf1f4972b6c921aa89a3adb44b4c0278139a0d

data/README.md

@@ -17,7 +17,8 @@ is right where you would expect it to be.
 ## Features
 
 Authkit supports Ruby down to version 1.9 but targets 2.0. It is built for Rails 4. It is possible
-that it could support Rails 3.x (it would need strong parameters). Some of the features include:
+that it could support Rails 3.x (currently it relies on strong parameters and the Rails 4
+message verifier and `secret_key_base`). Some of the features include:
 
   * Signup (username or email)
   * Login/Logout
@@ -75,17 +76,19 @@ This will add some basic migrations for the user:
 
 It will also create general authentication models and controllers:
 
-    create  app/models/user.rb
-    create  app/controllers/users_controller.rb
-    create  app/controllers/sessions_controller.rb
-    create  app/controllers/password_reset_controller.rb
-    create  app/controllers/password_change_controller.rb
-    create  app/controllers/email_confirmation_controller.rb
-    create  app/views/users/new.html.erb
-    create  app/views/users/edit.html.erb
-    create  app/views/sessions/new.html.erb
-    create  app/views/password_reset/show.html.erb
-    create  app/views/password_change/show.html.erb
+    app/models/user.rb
+    app/controllers/users_controller.rb
+    app/controllers/signup_controller.rb
+    app/controllers/sessions_controller.rb
+    app/controllers/password_reset_controller.rb
+    app/controllers/password_change_controller.rb
+    app/controllers/email_confirmation_controller.rb
+    app/forms/signup.rb
+    app/views/signup/new.html.erb
+    app/views/users/edit.html.erb
+    app/views/sessions/new.html.erb
+    app/views/password_reset/show.html.erb
+    app/views/password_change/show.html.erb
 
 And will insert a series of helpers into your application controller:
 
@@ -93,13 +96,16 @@ And will insert a series of helpers into your application controller:
 
 And create corresponding specs:
 
-    create  spec/models/user_spec.rb
-    create  spec/controllers/application_controller_spec.rb
-    create  spec/controllers/users_controller_spec.rb
-    create  spec/controllers/sessions_controller_spec.rb
-    create  spec/controllers/password_reset_controller_spec.rb
-    create  spec/controllers/password_change_controller_spec.rb
-    create  spec/controllers/email_confirmation_controller_spec.rb
+    spec/factories/user.rb
+    spec/models/user_spec.rb
+    spec/forms/signup_spec.rb
+    spec/controllers/application_controller_spec.rb
+    spec/controllers/users_controller_spec.rb
+    spec/controllers/signup_controller_spec.rb
+    spec/controllers/sessions_controller_spec.rb
+    spec/controllers/password_reset_controller_spec.rb
+    spec/controllers/password_change_controller_spec.rb
+    spec/controllers/email_confirmation_controller_spec.rb
 
 And a nice helpful email format validator:
 
@@ -107,26 +113,28 @@ And a nice helpful email format validator:
 
 It will also generate a set of routes:
 
-    route  get  '/email/confirm/:token', to: 'email_confirmation#show', as: :confirm
-    route  post '/password/reset', to: 'password_reset#create'
-    route  get  '/password/reset', to: 'password_reset#show', as: :password_reset
-    route  post '/password/change/:token', to: 'password_change#create'
-    route  get  '/password/change/:token', to: 'password_change#show', as: :password_change
-    route  get  '/signup', to: 'users#new', as: :signup
-    route  get  '/logout', to: 'sessions#destroy', as: :logout
-    route  get  '/login', to: 'sessions#new', as: :login
-    route  put  '/account', to: 'users#update'
-    route  get  '/account', to: 'users#edit', as: :user
+    route  get   '/email/confirm/:token', to: 'email_confirmation#show', as: :confirm
+    route  post  '/password/reset', to: 'password_reset#create'
+    route  get   '/password/reset', to: 'password_reset#show', as: :password_reset
+    route  post  '/password/change/:token', to: 'password_change#create'
+    route  get   '/password/change/:token', to: 'password_change#show', as: :password_change
+    route  post  '/signup', to: 'signup#create'
+    route  get   '/signup', to: 'signup#new', as: :signup
+    route  get   '/logout', to: 'sessions#destroy', as: :logout
+    route  get   '/login', to: 'sessions#new', as: :login
+    route  patch '/account', to: 'users#update'
+    route  get   '/account', to: 'users#edit', as: :user
 
     route  resources :sessions, only: [:new, :create, :destroy]
-    route  resources :users, only: [:new, :create]
+    route  resources :users, only: [:create]
 
 And will add some gems to your Gemfile:
 
     gemfile  active_model_otp
-    gemfile  bcrypt-ruby (~> 3.0.0)
+    gemfile  bcrypt-ruby (~> 3.1.2)
     gemfile  rspec-rails, :test, :development
     gemfile  shoulda-matchers, :test, :development
+    gemfile  factor_girl_rails, :test, :development
 
 Once you have this installed you can remove the gem, however you may want to
 keep the gem installed in development as you will be able to update it
@@ -156,8 +164,15 @@ application.
 
 The specs that are generated utilize a generous amount of mocking and stubbing in
 an attempt to keep them fast. However, they use vanilla `rspec-rails`, meaning
-they are not using FactoryGirl, or mocha. The one caveat is shoulda-matchers
-which are required.
+they are not using mocha. The two caveats are shoulda-matchers and FactoryGirl which
+are required. It is pretty easy to remove these dependencies, it just turned out
+that more people were using them than not.
+
+## TODO
+
+* Add oauth2 support (but not logging in?) in the form of facebook support, twitter support, google support
+* Add avatar support (maybe that should be uploadkit)
+* Add full name option (instead of first name and last name)name
 
 ## Contributing
 

data/authkit.gemspec

@@ -22,6 +22,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake"
   spec.add_development_dependency "rspec-rails"
   spec.add_development_dependency "factory_girl_rails"
-  spec.add_development_dependency "mocha"
   spec.add_development_dependency "active_model_otp"
 end

data/lib/authkit/version.rb

@@ -1,3 +1,3 @@
 module Authkit
-  VERSION = "0.0.1"
+  VERSION = "0.2.1"
 end

data/lib/generators/authkit/install_generator.rb

@@ -18,6 +18,7 @@ module Authkit
       # Ensure the destination structure
       empty_directory "app"
       empty_directory "app/models"
+      empty_directory "app/forms"
       empty_directory "app/controllers"
       empty_directory "app/views"
       empty_directory "app/views/users"
@@ -25,6 +26,7 @@ module Authkit
       empty_directory "app/views/password_reset"
       empty_directory "app/views/password_change"
       empty_directory "spec"
+      empty_directory "spec/factories"
       empty_directory "spec/models"
       empty_directory "spec/controllers"
       empty_directory "lib"
@@ -32,14 +34,20 @@ module Authkit
       # Fill out some templates (for now, this is just straight copy)
       template "app/models/user.rb", "app/models/user.rb"
       template "app/controllers/users_controller.rb", "app/controllers/users_controller.rb"
+      template "app/controllers/signup_controller.rb", "app/controllers/signup_controller.rb"
       template "app/controllers/sessions_controller.rb", "app/controllers/sessions_controller.rb"
       template "app/controllers/password_reset_controller.rb", "app/controllers/password_reset_controller.rb"
       template "app/controllers/password_change_controller.rb", "app/controllers/password_change_controller.rb"
       template "app/controllers/email_confirmation_controller.rb", "app/controllers/email_confirmation_controller.rb"
 
+      template "app/forms/signup.rb", "app/forms/signup.rb"
+
+      template "spec/factories/user.rb", "spec/factories/user.rb"
       template "spec/models/user_spec.rb", "spec/models/user_spec.rb"
+      template "spec/forms/signup_spec.rb", "spec/forms/signup_spec.rb"
       template "spec/controllers/application_controller_spec.rb", "spec/controllers/application_controller_spec.rb"
       template "spec/controllers/users_controller_spec.rb", "spec/controllers/users_controller_spec.rb"
+      template "spec/controllers/signup_controller_spec.rb", "spec/controllers/signup_controller_spec.rb"
       template "spec/controllers/sessions_controller_spec.rb", "spec/controllers/sessions_controller_spec.rb"
       template "spec/controllers/password_reset_controller_spec.rb", "spec/controllers/password_reset_controller_spec.rb"
       template "spec/controllers/password_change_controller_spec.rb", "spec/controllers/password_change_controller_spec.rb"
@@ -48,44 +56,52 @@ module Authkit
       template "lib/email_format_validator.rb", "lib/email_format_validator.rb"
 
       # Don't treat these like templates
-      copy_file "app/views/users/new.html.erb", "app/views/users/new.html.erb"
+      copy_file "app/views/signup/new.html.erb", "app/views/signup/new.html.erb"
       copy_file "app/views/users/edit.html.erb", "app/views/users/edit.html.erb"
       copy_file "app/views/sessions/new.html.erb", "app/views/sessions/new.html.erb"
       copy_file "app/views/password_reset/show.html.erb", "app/views/password_reset/show.html.erb"
       copy_file "app/views/password_change/show.html.erb", "app/views/password_change/show.html.erb"
 
-      # We don't want to override this file and may have a protected section
+      # We don't want to overwrite this file and we may have a protected section so we want it at the bottom
       insert_at_end_of_class "app/controllers/application_controller.rb", "app/controllers/application_controller.rb"
 
+      # Technically, we aren't inserting this at the end of the class, but the end of the RSpec::Configure
+      insert_at_end_of_class "spec/spec_helper.rb", "spec/spec_helper.rb"
+
+      insert_at_end_of_file "config/initializers/filter_parameter_logging.rb", "config/initializers/filter_parameter_logging.rb"
+
       # Need a temp root
       route "root 'welcome#index'"
 
       # Setup the routes
-      route "get  '/email/confirm/:token', to: 'email_confirmation#show', as: :confirm"
+      route "get   '/email/confirm/:token', to: 'email_confirmation#show', as: :confirm"
 
-      route "post '/password/reset', to: 'password_reset#create'"
-      route "get  '/password/reset', to: 'password_reset#show', as: :password_reset"
-      route "post '/password/change/:token', to: 'password_change#create'"
-      route "get  '/password/change/:token', to: 'password_change#show', as: :password_change"
+      route "post  '/password/reset', to: 'password_reset#create'"
+      route "get   '/password/reset', to: 'password_reset#show', as: :password_reset"
+      route "post  '/password/change/:token', to: 'password_change#create'"
+      route "get   '/password/change/:token', to: 'password_change#show', as: :password_change"
 
-      route "get  '/signup', to: 'users#new', as: :signup"
-      route "get  '/logout', to: 'sessions#destroy', as: :logout"
-      route "get  '/login', to: 'sessions#new', as: :login"
+      route "post  '/signup', to: 'signup#create'"
+      route "get   '/signup', to: 'signup#new', as: :signup"
+      route "get   '/logout', to: 'sessions#destroy', as: :logout"
+      route "post  '/login', to: 'sessions#create'"
+      route "get   '/login', to: 'sessions#new', as: :login"
 
-      route "put  '/account', to: 'users#update'"
-      route "get  '/account', to: 'users#edit', as: :user"
+      route "patch '/account', to: 'users#update'"
+      route "get   '/account', to: 'users#edit', as: :user"
 
       route "resources :sessions, only: [:new, :create, :destroy]"
-      route "resources :users, only: [:new, :create]"
+      route "resources :users, only: [:create]"
 
       # Support for has_secure_password and has_one_time_password
       gem "active_model_otp"
-      gem "bcrypt-ruby", '~> 3.0.0'
+      gem "bcrypt-ruby", '~> 3.1.2'
 
       # RSpec needs to be in the development group to be used in generators
       gem_group :test, :development do
         gem "rspec-rails"
         gem "shoulda-matchers"
+        gem "factory_girl_rails"
       end
     end
 
@@ -95,11 +111,18 @@ module Authkit
 
     protected
 
+    def insert_at_end_of_file(filename, source)
+      source = File.expand_path(find_in_source_paths(source.to_s))
+      context = instance_eval('binding')
+      content = ERB.new(::File.binread(source), nil, '-', '@output_buffer').result(context)
+      insert_into_file filename, "#{content}\n", before: /\z/
+    end
+
     def insert_at_end_of_class(filename, source)
       source = File.expand_path(find_in_source_paths(source.to_s))
       context = instance_eval('binding')
       content = ERB.new(::File.binread(source), nil, '-', '@output_buffer').result(context)
-      insert_into_file "app/controllers/application_controller.rb", "#{content}\n", before: /end\n*\z/
+      insert_into_file filename, "#{content}\n", before: /end\n*\z/
     end
 
     def generate_migration(filename)

data/lib/generators/authkit/templates/app/controllers/application_controller.rb

@@ -15,7 +15,7 @@
 
   def current_user
     return @current_user if defined?(@current_user)
-    @current_user ||= User.find_by(session[:user_id]) if session[:user_id]
+    @current_user ||= User.where(id: session[:user_id]).first if session[:user_id]
     @current_user ||= User.user_from_remember_token(cookies.signed[:remember]) unless cookies.signed[:remember].blank?
     session[:user_id] = @current_user.id if @current_user
     session[:time_zone] = @current_user.time_zone if @current_user
@@ -41,11 +41,11 @@
   end
 
   def login(user)
+    reset_session
     @current_user = user
     current_user.track_sign_in(request.remote_ip) if allow_tracking?
     current_user.set_token(:remember_token)
     set_remember_cookie
-    reset_session
     session[:user_id] = current_user.id
     session[:time_zone] = current_user.time_zone
     set_time_zone

data/lib/generators/authkit/templates/app/controllers/password_reset_controller.rb

@@ -3,9 +3,6 @@ class PasswordResetController < ApplicationController
   end
 
   def create
-    username_or_email = "#{params[:email]}".downcase
-    user = User.find_by_username_or_email(username_or_email) if username_or_email.present?
-
     if user && user.send_reset_password
       logout
 
@@ -26,4 +23,13 @@ class PasswordResetController < ApplicationController
       end
     end
   end
+
+  protected
+
+  def user
+    return @user if defined?(@user)
+    username_or_email = "#{params[:email]}".downcase
+    return if username_or_email.blank?
+    @user = User.where('username = ? OR email = ?', username_or_email, username_or_email).first
+  end
 end

data/lib/generators/authkit/templates/app/controllers/sessions_controller.rb

@@ -4,9 +4,6 @@ class SessionsController < ApplicationController
   end
 
   def create
-    username_or_email = "#{params[:email]}".downcase
-    user = User.find_by_username_or_email(username_or_email) if username_or_email.present?
-
     if user && user.authenticate(params[:password])
       login(user)
       respond_to do |format|
@@ -32,4 +29,13 @@ class SessionsController < ApplicationController
       format.html { redirect_to root_path }
     end
   end
+
+  protected
+
+  def user
+    return @user if defined?(@user)
+    username_or_email = "#{params[:email]}".downcase
+    return if username_or_email.blank?
+    @user = User.where('username = ? OR email = ?', username_or_email, username_or_email).first
+  end
 end

data/lib/generators/authkit/templates/app/controllers/signup_controller.rb

@@ -0,0 +1,44 @@
+class SignupController < ApplicationController
+  respond_to :html, :json
+
+  # Create a new Signup form model (found in app/forms/signup.rb)
+  def new
+    @signup = Signup.new
+  end
+
+  def create
+    @signup = Signup.new(signup_params)
+
+    if @signup.save
+      login(@signup.user)
+      respond_to do |format|
+        format.json { head :no_content }
+        format.html {
+          redirect_to root_path
+        }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: { status: 'error', errors: @signup.errors }.to_json, status: 422 }
+        format.html { render :new }
+      end
+    end
+  end
+
+  protected
+
+  def signup_params
+    params.require(:signup).permit(
+      :email,
+      :username,
+      :password,
+      :password_confirmation,
+      :first_name,
+      :last_name,
+      :bio,
+      :website,
+      :phone_number,
+      :time_zone)
+  end
+end
+

data/lib/generators/authkit/templates/app/controllers/users_controller.rb

@@ -3,28 +3,6 @@ class UsersController < ApplicationController
 
   respond_to :html, :json
 
-  # Signup
-  def new
-    @user = User.new
-  end
-
-  def create
-    @user = User.new(user_create_params)
-    if @user.save
-      @user.send_confirmation
-      login(@user)
-      respond_to do |format|
-        format.json { head :no_content }
-        format.html { redirect_to root_path }
-      end
-    else
-      respond_to do |format|
-        format.json { render json: { status: 'error', errors: @user.errors }.to_json, status: 422 }
-        format.html { render :new }
-      end
-    end
-  end
-
   def edit
     @user = current_user
   end
@@ -34,7 +12,7 @@ class UsersController < ApplicationController
 
     orig_confirmation_email = @user.confirmation_email
 
-    if @user.update_attributes(user_update_params)
+    if @user.update_attributes(user_params)
       # Send a new email confirmation if the user updated their email address
       if @user.confirmation_email.present? &&
          @user.confirmation_email != @user.email &&
@@ -43,7 +21,7 @@ class UsersController < ApplicationController
       end
       respond_to do |format|
         format.json { head :no_content }
-        format.html { redirect_to @user }
+        format.html { redirect_to account_path }
       end
     else
       respond_to do |format|
@@ -55,25 +33,7 @@ class UsersController < ApplicationController
 
   protected
 
-  # It would be nice to find a strategy to merge these. The only difference is that
-  # when signing up you are setting the email, and when changing your settings you
-  # are setting the confirmation email.
-
-  def user_create_params
-    params.require(:user).permit(
-      :email,
-      :username,
-      :password,
-      :password_confirmation,
-      :first_name,
-      :last_name,
-      :bio,
-      :website,
-      :phone_number,
-      :time_zone)
-  end
-
-  def user_update_params
+  def user_params
     params.require(:user).permit(
       :confirmation_email,
       :username,

data/lib/generators/authkit/templates/app/forms/signup.rb

@@ -0,0 +1,82 @@
+# Multi-model form support object for signup and user creation
+class Signup
+  include ActiveModel::Model
+
+  attr_accessor :user
+
+  # User
+  attr_accessor(
+    :email,
+    :username,
+    :password,
+    :password_confirmation,
+    :first_name,
+    :last_name,
+    :bio,
+    :website,
+    :phone_number,
+    :time_zone)
+
+  attr_accessor(
+    :terms_of_service)
+
+  validates :terms_of_service, acceptance: true
+  validate :validate_models
+
+  def persisted?
+    false
+  end
+
+  def save
+    if valid?
+      persist!
+      send_confirmation!
+      send_welcome!
+      true
+    else
+      false
+    end
+  end
+
+  def user
+    return @user if @user
+    @user = User.new(user_params)
+    @user
+  end
+
+  private
+
+  def validate_models
+    self.user.errors.each { |k, v| errors[k] = v } unless self.user.valid?
+  end
+
+  def persist!
+    ActiveRecord::Base.transaction do
+      self.user.save!
+    end
+  end
+
+  def send_confirmation!
+    self.user.send_confirmation
+  end
+
+  def send_welcome!
+    self.user.send_welcome
+  end
+
+  def user_params
+    {
+      email: self.email,
+      username: self.username,
+      password: self.password,
+      password_confirmation: self.password_confirmation,
+      first_name: self.first_name,
+      last_name: self.last_name,
+      bio: self.bio,
+      website: self.website,
+      phone_number: self.phone_number,
+      time_zone: self.time_zone
+    }
+  end
+end
+

data/lib/generators/authkit/templates/app/models/user.rb

@@ -32,9 +32,9 @@ class User < ActiveRecord::Base
   validate  :confirmation_email_uniqueness, if: :confirmation_email_set?
 
   def self.user_from_token(token)
-    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_token)
+    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
     id = verifier.verify(token)
-    User.find_by_id(id)
+    User.where(id: id).first
   rescue ActiveSupport::MessageVerifier::InvalidSignature
     nil
   end
@@ -45,7 +45,7 @@ class User < ActiveRecord::Base
   # to bubble up.
   def set_token(field)
     return unless self.persisted?
-    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_token)
+    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
     self.send("#{field}_created_at=", Time.now)
     self.send("#{field}=", verifier.generate(self.id))
     self.save
@@ -90,6 +90,11 @@ class User < ActiveRecord::Base
     self.save
   end
 
+  def send_welcome
+    # TODO: insert your mailer logic here
+    true
+  end
+
   def clear_remember_token
     self.remember_token = nil
     self.remember_token_created_at = nil

data/lib/generators/authkit/templates/app/views/{users → signup}/new.html.erb

@@ -1,19 +1,19 @@
 <h1>Sign Up</h1>
 
-<% if @user.errors.any? %>
+<% if @signup.errors.any? %>
   <div id="error_explanation">
     <div class="alert alert-error">
-      The form contains <%= pluralize(@user.errors.count, "error") %>.
+      The form contains <%= pluralize(@signup.errors.count, "error") %>.
     </div>
     <ul>
-    <% @user.errors.full_messages.each do |msg| %>
+    <% @signup.errors.full_messages.each do |msg| %>
       <li>* <%= msg %></li>
     <% end %>
     </ul>
   </div>
 <% end %>
 
-<%= form_for @user do |f| %>
+<%= form_for @signup, url: signup_path do |f| %>
   <div class="field">
     <%= f.label "first_name" %>
     <%= f.text_field "first_name" %>
@@ -48,11 +48,11 @@
   </div>
   <div class="field">
     <%= f.label "password" %>
-    <%= f.text_field "password" %>
+    <%= f.password_field "password" %>
   </div>
   <div class="field">
     <%= f.label "password_confirmation" %>
-    <%= f.text_field "password_confirmation" %>
+    <%= f.password_field "password_confirmation" %>
   </div>
   <%= f.submit "Sign up" %>
 <% end %>

data/lib/generators/authkit/templates/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,22 @@
+
+# Authkit specific parameters should be filtered from logs and errors. This
+# prevents them from unintentionally appearing in reports or leaking when
+# doing reviews.
+Rails.application.config.filter_parameters += [
+  :password,
+  :password_confirmation,
+  :otp_secret_key,
+  :token,
+  :remember_token,
+  :confirmation_token,
+  :reset_password_token,
+  :unlock_token,
+  :first_name,
+  :last_name,
+  :phone_number,
+  :username,
+  :email,
+  :confirmation_email,
+  :current_sign_in_ip,
+  :last_sign_in_ip
+]