authkit 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 628f696a515e94589ec7097aa85063e3c040b835
-  data.tar.gz: 0ac0ee2390c87494d4ebff3405379832d3f6c33a
+  metadata.gz: 2c20d323000029539b3db935d5f81a0b315feff5
+  data.tar.gz: 31f3cb08d1e680b4000ba21c227ad7277d24a4cb
 SHA512:
-  metadata.gz: fa7b50d0f155153eca2da938d59a6e5c1765f7394406c577cfde13d2f161b413590dcfe9fdfd95f3f9ff3e9be9fd259c7691324b453a0fe23878ec4d30c68ba0
-  data.tar.gz: 2deaf4c89a911b6dc7c037c511530370823fab69d2306e07c304b30e88f14bbe42d80d42a944e66a873c257e14bdb1776d27ccd271a7939fa3479672cc16ccfe
+  metadata.gz: 0aac938938939b71b495b3e5c261bead4f72a126f623f6be637658b0960e506725f89262050dd9a2b30c72bbd7db253e9e98de71d8893e26812fd861ddac83c0
+  data.tar.gz: 62b3808da27f4c5c90c9047743e730a7669c2fb77a24a2e6e1fcd00a636c2eac02405e8f72905d4bc486e33f021a246d240e76e7370d8c23f031133159c96a8b

data/.gitignore

@@ -15,3 +15,4 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+.ruby-version

data/CHANGELOG.md

@@ -0,0 +1,12 @@
+## 0.6.0
+
+* Rails 4.2 compatibility
+* Removed unneeded development dependencies
+* Updated sample application to invoke out of process
+* `UserSession` all session based code has moved into the user session so that all sessions are maintained separately for each device.
+    - This fixes a problem where multiple logins would override the remember token
+    - This provides the groundwork to allow users to revoke sessions
+* Remember tokens no longer expire
+* Every access is recorded per session
+    - This means a significant number of writes to the database but this behavior also facilitates updating the remember token for each access
+* Factory Girl syntax methods moved to support per RSpec recommendation

data/README.md

@@ -4,11 +4,11 @@ A gem for installing auth into you app.
 
 ## Why?
 
-There are lots of great authentication gems out there; devise? clearance? restful_auth? All of these seek to solve the problem of adding authentication to your application but they all share one philosophy: you shouldn't need to think about authentication to build your app. For me, I find I spend way more time trying to figure out how to customize the tools for the few cases when my application needs to do something different.
+There are lots of great authentication gems out there; devise? clearance? restful_auth? All of these seek to solve the problem of adding authentication to your application but they all share one philosophy: you shouldn't need to think about authentication to build your app. Because of this, the developer may spend more time trying to customize the tools for the few cases when the application needs to do something different.
 
 Authkit takes the opposite stance: auth belongs in your app. It is important and it is specific to your app. It only includes generators and installs itself with some specs. You customize it. Everything is right where you would expect it to be.
 
-Of course, this stance can be very dangerous a it relies on the application developer to not interfere with the authentication mechanisms, and it makes introducing security patches difficult. This is the trade-off. Generally speaking the approaches taken within authkit are designed for the early life-cycle of a small to medium application. It can support much larger platforms, but it is likely that larger platforms will need centralized authentication mechanisms that go beyond the scope of this project.
+Of course, this stance can be very dangerous as it relies on the application developer to not interfere with the authentication mechanisms, and it makes introducing security patches difficult. This is the trade-off. Generally speaking the approaches taken within authkit are designed for the early life-cycle of a small to medium application. It can support much larger platforms, but it is likely that larger platforms will need centralized authentication mechanisms that go beyond the scope of this project.
 
 ## Features
 
@@ -22,6 +22,7 @@ Authkit supports Ruby down to version 1.9 but targets 2.0. It is built for Rails
   * One time password / Two factor authentication
   * Token support
   * Remember me
+  * User sessions per device
   * Account page
   * Time zones
   * Do not track (DNT) support
@@ -248,6 +249,13 @@ In the case of API access, storing a digest of the token is not practical. Bcryp
 
 Additionally, storing only the digest means that a user cannot login to see their API tokens. They would need to be regenerated. This might be considered a feature.
 
+## User session expiry
+
+Users sessions and the remember tokens attached to them do not expire by default. For most sites this type of behavior is fine. If the user chooses to remember their session on the current device then that shouldn't change based on an arbitrary timeout, but only if the user revokes the session or logs out. However on some sensitive sites you may want to change this behavior. You can do this by making the cookie expire after a specific amount of time or by making the token or session expire based on a rolling time window:
+
+      scope :active, -> { where('(accessed_at IS NULL OR accessed_at >= ?)', 2.weeks.ago).where(revoked_at: nil, logged_out_at: nil) }
+
+
 ## What's missing
 
 There is a significant amount of functionality that is currently unimplemented:
@@ -262,10 +270,10 @@ There is a significant amount of functionality that is currently unimplemented:
 * One time password support completed
 * Add Authy or Google Authenticator support
 * Avatars (possibly this should be within uploadkit)
-* User session tracking and revoking
 * Audit logs
 * No internationalization (i18n)
 * JavaScript validation for username and email availability and password complexity
+* Reset all sessions on password change
 
 ## Testing
 

data/Rakefile

@@ -5,13 +5,14 @@ gem_name = :authkit
 
 RSpec::Core::RakeTask.new(spec: ["generator:cleanup", "generator:prepare", "generator:#{gem_name}"]) do |task|
   task.pattern = "spec/**/*_spec.rb"
-  task.rspec_opts = "--color --drb"
+  task.rspec_opts = "--color"
   task.verbose = true
 end
 
 namespace :spec do
   RSpec::Core::RakeTask.new(database: ["generator:cleanup", "generator:prepare", "generator:database", "generator:#{gem_name}"]) do |task|
     task.pattern = "spec/**/*_spec.rb"
+    task.rspec_opts = "--color"
     task.verbose = true
   end
 end
@@ -34,19 +35,25 @@ namespace :generator do
     FileUtils.mkdir_p("spec/tmp")
 
     system "cd spec/tmp && rails new sample --skip-spring"
+    system "cp .ruby-version spec/tmp/sample"
 
     # bundle
     gem_root = File.expand_path(File.dirname(__FILE__))
     system "echo \"gem 'rspec-rails'\" >> spec/tmp/sample/Gemfile"
     system "echo \"gem '#{gem_name}', :path => '#{gem_root}'\" >> spec/tmp/sample/Gemfile"
-    system "cd spec/tmp/sample && bundle install"
-    system "cd spec/tmp/sample && rails g rspec:install"
+
+    system "cd spec/tmp/sample; bundle install"
+    system "cd spec/tmp/sample; bin/rails g rspec:install"
+
+    # Make sure rails helper loads the factory girl support file
+    sed("s/# Dir/Dir/", "spec/tmp/sample/spec/rails_helper.rb")
 
     # Open up the root route for specs
-    sed("s/# root/root/", "spec/tmp/sample/config/routes.rb")
+    sed("s/#/root to: \"sessions#new\" #/", "spec/tmp/sample/config/routes.rb")
 
     # Make a thing
-    system "cd spec/tmp/sample && rails g scaffold thing name:string mood:string"
+    # system "cd spec/tmp/sample; bin/rails g scaffold thing name:string mood:string --no-controller-specs --no-view-specs --no-helper-specs --no-routing-specs"
+    # system "rm spec/tmp/sample/spec/models/thing_spec.rb"
   end
 
   # This task is not used unless you need to test the generator with an alternate database
@@ -55,13 +62,13 @@ namespace :generator do
   task :database do
     puts "==  Configuring the database =================================================="
     system "cp config/database.yml.example spec/tmp/sample/config/database.yml"
-    system "cd spec/tmp/sample && rake db:migrate:reset"
+    system "cd spec/tmp/sample && bundle exec rake db:migrate:reset"
   end
 
   desc "Run the #{gem_name} generator"
   task gem_name do
-    system "cd spec/tmp/sample && rails g #{gem_name}:install --force #{'--oauth --google' if ENV['SKIP_OAUTH'].nil?}  #{'--skip-username' unless ENV['SKIP_USERNAME'].nil?} && rake db:migrate"
-    system "cd spec/tmp/sample && rake db:migrate RAILS_ENV=test"
+    system "cd spec/tmp/sample && rails g #{gem_name}:install --force #{'--oauth --google' if ENV['SKIP_OAUTH'].nil?}  #{'--skip-username' unless ENV['SKIP_USERNAME'].nil?} && bundle exec rake db:migrate"
+    system "cd spec/tmp/sample && bundle exec rake db:migrate RAILS_ENV=test"
   end
 
 end

data/authkit.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
   spec.add_development_dependency "rspec-rails"
-  spec.add_development_dependency "factory_girl_rails"
-  spec.add_development_dependency "active_model_otp"
+  spec.add_development_dependency "rails"
 end

data/lib/authkit/version.rb

@@ -1,3 +1,3 @@
 module Authkit
-  VERSION = "0.5.0"
+  VERSION = "0.7.0"
 end

data/lib/generators/authkit/install_generator.rb

@@ -45,6 +45,7 @@ module Authkit
     def generate_migrations
       generate_migration("create_users")
       generate_migration("add_authkit_fields_to_users")
+      generate_migration("create_user_sessions")
       generate_migration("create_auths") if oauth?
     end
 
@@ -61,6 +62,7 @@ module Authkit
        "app/views/password_reset",
        "app/views/password_change",
        "spec",
+       "spec/support",
        "spec/factories",
        "spec/models",
        "spec/controllers",
@@ -74,6 +76,7 @@ module Authkit
 
       # Fill out some templates (for now, this is just straight copy)
       template "app/models/user.rb", "app/models/user.rb"
+      template "app/models/user_session.rb", "app/models/user_session.rb"
       template "app/controllers/users_controller.rb", "app/controllers/users_controller.rb"
       template "app/controllers/signup_controller.rb", "app/controllers/signup_controller.rb"
       template "app/controllers/sessions_controller.rb", "app/controllers/sessions_controller.rb"
@@ -89,8 +92,12 @@ module Authkit
 
       template "app/forms/signup.rb", "app/forms/signup.rb"
 
+      template "spec/support/shoulda_matchers.rb", "spec/support/shoulda_matchers.rb"
+      template "spec/support/factory_girl.rb", "spec/support/factory_girl.rb"
       template "spec/factories/user.rb", "spec/factories/user.rb"
+      template "spec/factories/user_session.rb", "spec/factories/user_session.rb"
       template "spec/models/user_spec.rb", "spec/models/user_spec.rb"
+      template "spec/models/user_session_spec.rb", "spec/models/user_session_spec.rb"
       template "spec/forms/signup_spec.rb", "spec/forms/signup_spec.rb"
       template "spec/controllers/application_controller_spec.rb", "spec/controllers/application_controller_spec.rb"
       template "spec/controllers/users_controller_spec.rb", "spec/controllers/users_controller_spec.rb"
@@ -171,7 +178,7 @@ module Authkit
 
         # Support for google client apis
         if provider?(:google)
-          gem 'google-api-client', :require => 'google/api_client'
+          gem 'google-api-client'
           gem 'faraday', '~> 0.9.0'
           gem 'faraday_middleware'
         end

data/lib/generators/authkit/templates/app/controllers/application_controller.rb

@@ -1,5 +1,5 @@
 
-  before_filter :set_time_zone
+  before_action :set_time_zone
 
   helper_method :logged_in?, :current_user
 
@@ -16,15 +16,20 @@
   # The user is fetched using id or remember token but these come from a
   # verified cookie (verified using secure compare) so these database calls do
   # not need to protect against timing attacks.
-  def current_user
-    return @current_user if defined?(@current_user)
-    @current_user ||= User.where(id: session[:user_id]).first if session[:user_id]
-    set_current_user_from_remember_token unless @current_user
-    session[:user_id] = @current_user.id if @current_user
-    session[:time_zone] = @current_user.time_zone if @current_user
+  def current_user_session
+    return @current_user_session if defined?(@current_user_session)
+    @current_user_session ||= UserSession.active.where(id: session[:user_session_id]).first if session[:user_session_id]
+    set_current_user_session_from_remember_token unless @current_user_session
+    @current_user_session.access(request, allow_tracking?) if @current_user_session
+    session[:user_session_id] = @current_user_session.id if @current_user_session
+    session[:time_zone] = @current_user_session.user.time_zone if @current_user_session
     set_time_zone
 
-    @current_user
+    @current_user_session
+  end
+
+  def current_user
+    current_user_session && current_user_session.user
   end
 
   def allow_tracking?
@@ -46,38 +51,36 @@
 
   def login(user, remember=false)
     reset_session
-    @current_user = user
+    @current_user_session = UserSession.create(user: user)
     current_user.track_sign_in(request.remote_ip) if allow_tracking?
-    current_user.set_remember_token if remember
     set_remember_cookie if remember
-    session[:user_id] = current_user.id
+    session[:user_session_id] = current_user_session.id
     session[:time_zone] = current_user.time_zone
     set_time_zone
-    current_user
+    current_user_session
   end
 
   def logout
-    current_user.clear_remember_token if current_user
+    current_user_session.logout if current_user_session
     cookies.delete(:remember)
     reset_session
-    @current_user = nil
+    @current_user_session = nil
   end
 
   def set_time_zone
     Time.zone = session[:time_zone] if session[:time_zone].present?
   end
 
-  def set_current_user_from_remember_token
+  def set_current_user_session_from_remember_token
     token = cookies.signed[:remember]
     return if token.blank?
-    @current_user = User.where(remember_token: token).first
-    @current_user = nil if @current_user && @current_user.remember_token_expired?
-    @current_user
+    @current_user_session = UserSession.active.where(remember_token: "#{token}").first
+    @current_user_session
   end
 
   def set_remember_cookie
     cookies.permanent.signed[:remember] = {
-      value: current_user.remember_token,
+      value: current_user_session.remember_token,
       secure: Rails.env.production?
     }
   end
@@ -91,7 +94,7 @@
 
     session[:return_url] = request.fullpath
     respond_to do |format|
-      format.json { render(status: 403, nothing: true) }
+      format.json { head :forbidden }
       format.text { redirect_to(location) }
       format.html do
         flash[:error] = message || "Sorry, you must be logged in to do that"

data/lib/generators/authkit/templates/app/controllers/auths_controller.rb

@@ -2,10 +2,10 @@
 # in for the connection to work. This controller is not used for creating a new
 # session.
 class AuthsController < ApplicationController
-  before_filter :require_login, only: [:connect]
-  before_filter :require_login_when_connecting, only: [:callback]
-  before_filter :require_completed_login, only: [:disconnect]
-  before_filter :require_auth_hash, only: [:callback]
+  before_action :require_login, only: [:connect]
+  before_action :require_login_when_connecting, only: [:callback]
+  before_action :require_completed_login, only: [:disconnect]
+  before_action :require_auth_hash, only: [:callback]
 
   # Adjust scope here for particular sets of user using the session
   #

data/lib/generators/authkit/templates/app/controllers/email_confirmation_controller.rb

@@ -1,8 +1,6 @@
 class EmailConfirmationController < ApplicationController
-  before_filter :require_login
-  before_filter :require_token
-
-  respond_to :html
+  before_action :require_login
+  before_action :require_token
 
   def show
     if current_user.email_confirmed
@@ -33,9 +31,8 @@ class EmailConfirmationController < ApplicationController
   # It is possible to consider failed confirmation tokens failed attempts and
   # lock the account.
   def require_token
-    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
     valid = params[:token].present? && current_user.confirmation_token.present?
-    valid = valid && verifier.send(:secure_compare, params[:token], current_user.confirmation_token)
+    valid = valid && ActiveSupport::SecurityUtils.secure_compare(params[:token], current_user.confirmation_token)
     valid = valid && !current_user.confirmation_token_expired?
     deny_user("Invalid token", root_path) unless valid
   end

data/lib/generators/authkit/templates/app/controllers/password_change_controller.rb

@@ -1,7 +1,7 @@
 class PasswordChangeController < ApplicationController
-  before_filter :require_no_user
-  before_filter :require_email_user
-  before_filter :require_token
+  before_action :require_no_user
+  before_action :require_email_user
+  before_action :require_token
 
   def show
     respond_to do |format|
@@ -51,9 +51,8 @@ class PasswordChangeController < ApplicationController
 
   # Reset password tokens expire after 1 day
   def require_token
-    verifier = ActiveSupport::MessageVerifier.new(Rails.application.config.secret_key_base)
     valid = params[:token].present?
-    valid = valid && verifier.send(:secure_compare, params[:token], email_user.reset_password_token)
+    valid = valid && ActiveSupport::SecurityUtils.secure_compare(params[:token], email_user.reset_password_token)
     valid = valid && !email_user.reset_password_token_expired?
     deny_user("Invalid token", root_path) unless valid
   end

data/lib/generators/authkit/templates/app/controllers/signup_controller.rb

@@ -1,7 +1,6 @@
 class SignupController < ApplicationController
   <% if oauth? %>include AuthsHelper
   <% end %>
-  respond_to :html, :json
 
   # Create a new Signup form model (found in app/forms/signup.rb)
   def new
@@ -31,6 +30,10 @@ class SignupController < ApplicationController
 
   protected
 
+  def signup
+    @signup
+  end
+
   def signup_params
     params.require(:signup).permit(
       :email,

data/lib/generators/authkit/templates/app/controllers/upload_controller.rb

@@ -1,7 +1,7 @@
 class UploadController < ApplicationController
-  before_filter :require_login
-  before_filter :require_advertiser, only: [:audio, :cover]
-  before_filter :aws_key_to_remote_url, only: [:avatar]
+  before_action :require_login
+  before_action :require_advertiser, only: [:audio, :cover]
+  before_action :aws_key_to_remote_url, only: [:avatar]
 
   respond_to :json
 

data/lib/generators/authkit/templates/app/controllers/users_controller.rb

@@ -1,7 +1,5 @@
 class UsersController < ApplicationController
-  before_filter :require_login, only: [:edit, :update]
-
-  respond_to :html, :json
+  before_action :require_login, only: [:edit, :update]
 
   def edit
     @user = current_user

data/lib/generators/authkit/templates/app/forms/signup.rb

@@ -45,6 +45,10 @@ class Signup
     false
   end
 
+  def save!
+    raise ActiveRecord::RecordNotSaved unless save
+  end
+
   def save
     if valid?
       persist!
@@ -56,6 +60,10 @@ class Signup
     end
   end
 
+  def save!
+    raise ActiveRecord::RecordNotSaved.new(nil, self.user) unless save
+  end
+
   def user
     return @user if @user
     @user = User.new(user_params)
@@ -91,11 +99,11 @@ class Signup
   private
 
   def validate_models
-    self.user.errors.each { |k, v| errors[k] = v } unless self.user.valid?
+    self.user.errors.each { |k, v| errors.add(k, v) } unless self.user.valid?
 
     <% if oauth? %>
     if self.auth.present?
-      self.auth.errors.each { |k, v| errors[k] = v } unless self.auth.valid?
+      self.auth.errors.each { |k, v| errors.add(k, v) } unless self.auth.valid?
     end
     <% end %>
   end

data/lib/generators/authkit/templates/app/models/user.rb

@@ -2,7 +2,8 @@ require 'email_format_validator'
 require 'full_name_splitter'
 <% if username? %>require 'username_format_validator'
 <% end %>
-class User < ActiveRecord::Base
+class User < ApplicationRecord
+  has_many :sessions, class_name: 'UserSession'
   <% if oauth? %>
   has_many :auths
   <% end %>
@@ -56,22 +57,6 @@ class User < ActiveRecord::Base
     self.save
   end
 
-  # The tokens created by this method have unique indexes but collisions are very
-  # unlikely (1/64^32). Because of this there shouldn't be a conflict. If one occurs
-  # the ActiveRecord::StatementInvalid or ActiveRecord::RecordNotUnique exeception
-  # should bubble up.
-  def set_remember_token
-    self.remember_token = SecureRandom.urlsafe_base64(32)
-    self.remember_token_created_at = Time.now
-    self.save!
-  end
-
-  def clear_remember_token
-    self.remember_token = nil
-    self.remember_token_created_at = nil
-    self.save!
-  end
-
   def reset_password_token_expired?
     # TODO reset password tokens expire in 1 day by default
     self.reset_password_token_created_at.blank? || self.reset_password_token_created_at <= 1.day.ago
@@ -82,11 +67,6 @@ class User < ActiveRecord::Base
     self.confirmation_token_created_at.blank? || self.confirmation_token_created_at <= 3.days.ago
   end
 
-  def remember_token_expired?
-    # TODO remember tokens expire in 1 year by default
-    self.remember_token_created_at.blank? || self.remember_token_created_at <= 1.year.ago
-  end
-
   def send_welcome
     # TODO insert your mailer logic here
     true