authlogic 0.10.4

data/lib/authlogic/session/active_record_trickery.rb

@@ -0,0 +1,26 @@
+module Authlogic
+  module Session
+    # = ActiveRecord Trickery
+    #
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here. This is useful for the various rails helper methods such as form_for, error_messages_for, etc.
+    # These helpers exptect various methods to be present. This adds in those methods into Authlogic.
+    module ActiveRecordTrickery
+      def self.included(klass) # :nodoc:
+        klass.extend ClassMethods
+        klass.send(:include, InstanceMethods)
+      end
+      
+      module ClassMethods # :nodoc:
+        def human_attribute_name(attribute_key_name, options = {})
+          attribute_key_name.humanize
+        end
+      end
+      
+      module InstanceMethods # :nodoc:
+        def new_record?
+          new_session?
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/session/base.rb

@@ -0,0 +1,510 @@
+module Authlogic
+  module Session # :nodoc:
+    # = Base
+    #
+    # This is the muscle behind Authlogic. For detailed information on how to use this please refer to the README. For detailed method explanations see below.
+    class Base
+      include Config
+      
+      class << self
+        # Returns true if a controller have been set and can be used properly. This MUST be set before anything can be done. Similar to how ActiveRecord won't allow you to do anything
+        # without establishing a DB connection. By default this is done for you automatically, but if you are using Authlogic in a unique way outside of rails, you need to assign a controller
+        # object to Authlogic via Authlogic::Session::Base.controller = obj.
+        def activated?
+          !controller.blank?
+        end
+        
+        def controller=(value) # :nodoc:
+          controllers[Thread.current] = value
+        end
+        
+        def controller # :nodoc:
+          controllers[Thread.current]
+        end
+        
+        # A convenince method. The same as:
+        #
+        #   session = UserSession.new
+        #   session.create
+        def create(*args)
+          session = new(*args)
+          session.save
+        end
+        
+        # Same as create but calls create!, which raises an exception when authentication fails
+        def create!(*args)
+          session = new(*args)
+          session.save!
+        end
+        
+        # A convenience method for session.find_record. Finds your session by session, then cookie, and finally basic http auth. Perfect for that global before_filter to find your logged in user:
+        #
+        #   before_filter :load_user
+        #
+        #   def load_user
+        #     @user_session = UserSession.find
+        #     @current_user = @user_session && @user_session.record
+        #   end
+        #
+        # Accepts a single parameter as the id. See initialize for more information on ids. Lastly, how it finds the session can be modified via configuration.
+        def find(id = nil)
+          args = [id].compact
+          session = new(*args)
+          return session if session.find_record
+          nil
+        end
+        
+        def klass # :nodoc:
+          @klass ||=
+            if klass_name
+              klass_name.constantize
+            else
+              nil
+            end
+        end
+        
+        def klass_name # :nodoc:
+          @klass_name ||= 
+            if guessed_name = name.scan(/(.*)Session/)[0]
+              @klass_name = guessed_name[0]
+            end
+        end
+        
+        # The current scope set, should be used in the block passed to with_scope.
+        def scope
+          scopes[Thread.current]
+        end
+        
+        # Authentication can be scoped, but scoping authentication can get a little tricky. Checkout the section "Scoping" in the readme for more details.
+        #
+        # What with_scopes focuses on is scoping the query when finding the object and the name of the cookies.
+        #
+        # with_scope accepts a hash with any of the following options:
+        #
+        # * <tt>find_options:</tt> any options you can pass into ActiveRecord::Base.find. This is used when trying to find the record.
+        # * <tt>id:</tt> see the id method above
+        #
+        # So you use it just like an ActiveRecord scope, essentially:
+        #
+        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
+        #     UserSession.find
+        #   end
+        #
+        # Eseentially what the above does is scope the searching of the object with the sql you provided. So instead of:
+        #
+        #   User.find(:first, :conditions => "login = 'ben'")
+        #
+        # it would be:
+        #
+        #   User.find(:first, :conditions => "login = 'ben' and account_id = 2")
+        #
+        # You will also notice the :id option. This works just like the id method. It scopes your cookies. So the name of your cookie will be:
+        #
+        #   account_2_user_credentials
+        #
+        # instead of:
+        #
+        #   user_credentials
+        #
+        # What is also nifty about scoping with an :id is that it merges your id's. So if you do:
+        #
+        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
+        #     session = UserSession.new
+        #     session.id = :secure
+        #   end
+        #
+        # The name of your cookies will be:
+        #
+        #   secure_account_2_user_credentials
+        def with_scope(options = {}, &block)
+          raise ArgumentError.new("You must provide a block") unless block_given?
+          self.scope = options
+          result = yield
+          self.scope = nil
+          result
+        end
+        
+        private
+          def controllers
+            @@controllers ||= {}
+          end
+          
+          def scope=(value)
+            scopes[Thread.current] = value
+          end
+          
+          def scopes
+            @scopes ||= {}
+          end
+      end
+    
+      attr_accessor :login_with, :new_session
+      attr_reader :record, :unauthorized_record
+      attr_writer :id, :scope
+    
+      # You can initialize a session by doing any of the following:
+      #
+      #   UserSession.new
+      #   UserSession.new(login, password)
+      #   UserSession.new(:login => login, :password => password)
+      #   UserSession.new(User.first)
+      #
+      # If a user has more than one session you need to pass an id so that Authlogic knows how to differentiate the sessions. The id MUST be a Symbol.
+      #
+      #   UserSession.new(:my_id)
+      #   UserSession.new(login, password, :my_id)
+      #   UserSession.new({:login => loing, :password => password}, :my_id)
+      #   UserSession.new(User.first, :my_id)
+      #
+      # Ids are rarely used, but they can be useful. For example, what if users allow other users to login into their account via proxy? Now that user can "technically" be logged into 2 accounts at once.
+      # To solve this just pass a id called :proxy, or whatever you want. Authlogic will separate everything out.
+      def initialize(*args)
+        raise NotActivated.new(self) unless self.class.activated?
+        
+        create_configurable_methods!
+        
+        self.scope = self.class.scope
+        self.id = args.pop if args.last.is_a?(Symbol)
+        
+        case args.size
+        when 1
+          credentials_or_record = args.first
+          case credentials_or_record
+          when Hash
+            self.credentials = credentials_or_record
+          else
+            self.unauthorized_record = credentials_or_record
+          end
+        else
+          send("#{login_field}=", args[0]) if args.size > 0
+          send("#{password_field}=", args[1]) if args.size > 1
+          self.remember_me = args[2] if args.size > 2
+        end
+      end
+      
+      # Your login credentials in hash format. Usually {:login => "my login", :password => "<protected>"} depending on your configuration.
+      # Password is protected as a security measure. The raw password should never be publicly accessible.
+      def credentials
+        {login_field => send(login_field), password_field => "<Protected>"}
+      end
+      
+      # Lets you set your loging and password via a hash format. This is "params" safe. It only allows for 3 keys: your login field name, password field name, and remember me.
+      def credentials=(values)
+        return if values.blank? || !values.is_a?(Hash)
+        values.symbolize_keys!
+        [login_field.to_sym, password_field.to_sym, :remember_me].each do |field|
+          next if !values.key?(field)
+          send("#{field}=", values[field])
+        end
+      end
+      
+      # Resets everything, your errors, record, cookies, and session. Basically "logs out" a user.
+      def destroy
+        errors.clear
+        @record = nil
+        controller.cookies.delete cookie_key
+        controller.session[session_key] = nil
+        true
+      end
+      
+      # The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses the exact same ActiveRecord errors class. Use it the same way:
+      #
+      # === Example
+      #
+      #  class UserSession
+      #    before_validation :check_if_awesome
+      #
+      #    private
+      #      def check_if_awesome
+      #        errors.add(:login, "must contain awesome") if login && !login.include?("awesome")
+      #        errors.add_to_base("You must be awesome to log in") unless record.awesome?
+      #      end
+      #  end
+      def errors
+        @errors ||= Errors.new(self)
+      end
+      
+      # Attempts to find the record by session, then cookie, and finally basic http auth. See the class level find method if you are wanting to use this in a before_filter to persist your session.
+      def find_record
+        return record if record
+        find_with.each do |find_method|
+          if send("valid_#{find_method}?")
+            if record.class.column_names.include?("last_request_at")
+              record.last_request_at = Time.now
+              record.save_without_session_maintenance(false)
+            end
+            return record
+          end
+        end
+        nil
+      end
+      
+      # Allows you to set a unique identifier for your session, so that you can have more than 1 session at a time. A good example when this might be needed is when you want to have a normal user session
+      # and a "secure" user session. The secure user session would be created only when they want to modify their billing information, or other sensative information. Similar to me.com. This requires 2
+      # user sessions. Just use an id for the "secure" session and you should be good.
+      #
+      # You can set the id a number of ways:
+      #
+      #   session = Session.new(:secure)
+      #   session = Session.new("username", "password", :secure)
+      #   session = Session.new({:username => "username", :password => "password"}, :secure)
+      #   session.id = :secure
+      #
+      # Just be sure and set your id before you validate / create / update your session.
+      def id
+        @id
+      end
+      
+      def inspect # :nodoc:
+        details = {}
+        case login_with
+        when :unauthorized_record
+          details[:unauthorized_record] = "<protected>"
+        else
+          details[login_field.to_sym] = send(login_field)
+          details[password_field.to_sym] = "<protected>"
+        end
+        "#<#{self.class.name} #{details.inspect}>"
+      end
+      
+      # Similar to ActiveRecord's new_record? Returns true if the session has not been saved yet.
+      def new_session?
+        new_session != false
+      end
+      
+      def remember_me # :nodoc:
+        return @remember_me if @set_remember_me
+        @remember_me ||= self.class.remember_me
+      end
+      
+      # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
+      def remember_me=(value)
+        @set_remember_me = true
+        @remember_me = value
+      end
+      
+      # Allows users to be remembered via a cookie.
+      def remember_me?
+        remember_me == true || remember_me == "true" || remember_me == "1"
+      end
+      
+      # When to expire the cookie. See remember_me_for configuration option to change this.
+      def remember_me_until
+        return unless remember_me?
+        remember_me_for.from_now
+      end
+      
+      # See the class level with_scope method on information on scopes. with_scope essentialls sets this scope with the options passed and unsets it after the block executes.
+      def scope
+        @scope ||= {}
+      end
+      
+      # Creates / updates a new user session for you. It does all of the magic:
+      #
+      # 1. validates
+      # 2. sets session
+      # 3. sets cookie
+      # 4. updates magic fields
+      def save
+        if valid?
+          update_session!
+          controller.cookies[cookie_key] = {
+            :value => record.send(remember_token_field),
+            :expires => remember_me_until
+          }
+          
+          record.login_count = record.login_count + 1 if record.respond_to?(:login_count)
+          
+          if record.respond_to?(:current_login_at)
+            record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+            record.current_login_at = Time.now
+          end
+          
+          if record.respond_to?(:current_login_ip)
+            record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+            record.current_login_ip = controller.request.remote_ip
+          end
+          
+          record.save_without_session_maintenance(false)
+          
+          self.new_session = false
+          self
+        end
+      end
+      
+      # Same as save but raises an exception when authentication fails
+      def save!
+        result = save
+        raise SessionInvalid.new(self) unless result
+        result
+      end
+      
+      # Sometimes you don't want to create a session via credentials (login and password). Maybe you already have the record. Just set this record to this and it will be authenticated when you try to validate
+      # the session. Basically this is another form of credentials, you are just skipping username and password validation.
+      def unauthorized_record=(value)
+        self.login_with = :unauthorized_record
+        @unauthorized_record = value
+      end
+      
+      # Returns if the session is valid or not. Basically it means that a record could or could not be found. If the session is valid you will have a result when calling the "record" method. If it was unsuccessful
+      # you will not have a record.
+      def valid?
+        errors.clear
+        temp_record = validate_credentials
+        if errors.empty?
+          @record = temp_record
+          return true
+        end
+        false
+      end
+      
+      # Tries to validate the session from information from a basic http auth, if it was provided.
+      def valid_http_auth?
+        controller.authenticate_with_http_basic do |login, password|
+          if !login.blank? && !password.blank?
+            send("#{login_method}=", login)
+            send("#{password_method}=", password)
+            result = valid?
+            if result
+              update_session!
+              return result
+            end
+          end
+        end
+        
+        false
+      end
+      
+      # Tries to validate the session from information in the cookie
+      def valid_cookie?
+        if cookie_credentials
+          self.unauthorized_record = search_for_record("find_by_#{remember_token_field}", cookie_credentials)
+          result = valid?
+          if result
+            update_session!
+            self.new_session = false
+            return result
+          end
+        end
+        
+        false
+      end
+      
+      # Tries to validate the session from information in the session
+      def valid_session?
+        if session_credentials
+          self.unauthorized_record = search_for_record("find_by_#{remember_token_field}", session_credentials)
+          result = valid?
+          if result
+            self.new_session = false
+            return result
+          end
+        end
+        
+        false
+      end
+      
+      private
+        def controller
+          self.class.controller
+        end
+        
+        def cookie_credentials
+          controller.cookies[cookie_key]
+        end
+        
+        def create_configurable_methods!
+          return if respond_to?(login_field) # already created these methods
+          
+          self.class.class_eval <<-"end_eval", __FILE__, __LINE__
+            attr_reader :#{login_field}
+            
+            def #{login_field}=(value)
+              self.login_with = :credentials
+              @#{login_field} = value
+            end
+            
+            def #{password_field}=(value)
+              self.login_with = :credentials
+              @#{password_field} = value
+            end
+
+            def #{password_field}; end
+            
+            private
+              # The password should not be accessible publicly. This way forms using form_for don't fill the password with the attempted password. The prevent this we just create this method that is private.
+              def protected_#{password_field}
+                @#{password_field}
+              end
+          end_eval
+        end
+        
+        def search_for_record(method, value)
+          klass.send(:with_scope, :find => (scope[:find_options] || {})) do
+            klass.send(method, value)
+          end
+        end
+        
+        def klass
+          self.class.klass
+        end
+      
+        def klass_name
+          self.class.klass_name
+        end
+        
+        def session_credentials
+          controller.session[session_key]
+        end
+        
+        def update_session!
+          controller.session[session_key] = record && record.send(remember_token_field)
+        end
+        
+        def validate_credentials
+          temp_record = unauthorized_record
+
+          case login_with
+          when :credentials
+            errors.add(login_field, "can not be blank") if send(login_field).blank?
+            errors.add(password_field, "can not be blank") if send("protected_#{password_field}").blank?
+            return if errors.count > 0
+
+            temp_record = search_for_record(find_by_login_method, send(login_field))
+
+            if temp_record.blank?
+              errors.add(login_field, "was not found")
+              return
+            end
+
+            unless temp_record.send(verify_password_method, send("protected_#{password_field}"))
+              errors.add(password_field, "is invalid")
+              return
+            end
+          when :unauthorized_record
+            if temp_record.blank?
+              errors.add_to_base("You can not log in with a blank record.")
+              return
+            end
+
+            if temp_record.new_record?
+              errors.add_to_base("You can not login with a new record.") if temp_record.new_record?
+              return
+            end
+          else
+            errors.add_to_base("You must provide some form of credentials before logging in.")
+            return
+          end
+
+          [:active, :approved, :confirmed].each do |required_status|
+            if temp_record.respond_to?("#{required_status}?") && !temp_record.send("#{required_status}?") 
+              errors.add_to_base("Your account has not been marked as #{required_status}")       
+              return
+            end
+          end
+          
+          temp_record
+        end
+    end
+  end
+end