authlogic 1.1.0 → 1.1.1

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb

@@ -0,0 +1,61 @@
+module Authlogic
+  module ORMAdapters
+    module ActiveRecordAdapter
+      module ActsAsAuthentic
+        # = Single Access
+        #
+        # Instead of repeating myself here, checkout the README. There is a "Single Access" section in there that goes over this. Keep in mind none of this will be applied if there
+        # is not a single_access_token field supplied in the database.
+        #
+        # === Instance Methods
+        #
+        # * <tt>reset_{options[:single_access_token_field]}</tt> - resets the single access token with the friendly_unique_token
+        # * <tt>reset_{options[:single_access_token_field]}!</tt> - same as above, but saves the record afterwards
+        #
+        # === Alias Method Chains
+        #
+        # * <tt>{options[:password_field]}</tt> - if the :change_single_access_token_with_password is set to true, reset_{options[:single_access_token_field]} will be called when the password changes
+        module SingleAccess
+          def acts_as_authentic_with_single_access(options = {})
+            acts_as_authentic_without_single_access(options)
+          
+            if options[:single_access_token_field]
+              class_eval <<-"end_eval", __FILE__, __LINE__
+                validates_uniqueness_of :#{options[:single_access_token_field]}
+              
+                before_validation :set_#{options[:single_access_token_field]}_field
+              
+                def password_with_single_access=(value)
+                  reset_#{options[:single_access_token_field]} if #{options[:change_single_access_token_with_password].inspect}
+                  self.password_without_single_access = value
+                end
+                alias_method_chain :password=, :single_access
+              
+                def reset_#{options[:single_access_token_field]}
+                  self.#{options[:single_access_token_field]} = self.class.friendly_unique_token
+                end
+              
+                def reset_#{options[:single_access_token_field]}!
+                  reset_#{options[:single_access_token_field]}
+                  save_without_session_maintenance
+                end
+              
+                protected
+                  def set_#{options[:single_access_token_field]}_field
+                    reset_#{options[:single_access_token_field]} if #{options[:single_access_token_field]}.blank?
+                  end
+              end_eval
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+ActiveRecord::Base.class_eval do
+  class << self
+    include Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::SingleAccess
+    alias_method_chain :acts_as_authentic, :single_access
+  end
+end

data/lib/authlogic/session/base.rb

@@ -82,20 +82,18 @@ module Authlogic
     
       attr_accessor :new_session
       attr_reader :record, :unauthorized_record
-      attr_writer :authenticating_with, :id
+      attr_writer :authenticating_with, :id, :persisting
     
       # You can initialize a session by doing any of the following:
       #
       #   UserSession.new
       #   UserSession.new(:login => "login", :password => "password", :remember_me => true)
-      #   UserSession.new(:openid => "identity url", :remember_me => true)
       #   UserSession.new(User.first, true)
       #
       # If a user has more than one session you need to pass an id so that Authlogic knows how to differentiate the sessions. The id MUST be a Symbol.
       #
       #   UserSession.new(:my_id)
       #   UserSession.new({:login => "login", :password => "password", :remember_me => true}, :my_id)
-      #   UserSession.new({:openid => "identity url", :remember_me => true}, :my_id)
       #   UserSession.new(User.first, true, :my_id)
       #
       # Ids are rarely used, but they can be useful. For example, what if users allow other users to login into their account via proxy? Now that user can "technically" be logged into 2 accounts at once.
@@ -121,7 +119,6 @@ module Authlogic
       #
       # * :password - username and password
       # * :unauthorized_record - an actual ActiveRecord object
-      # * :openid - OpenID
       #
       # By default this is :password
       def authenticating_with
@@ -234,14 +231,24 @@ module Authlogic
         new_session != false
       end
       
+      def persisting # :nodoc:
+        return @persisting if defined?(@persisting)
+        @persisting = true
+      end
+      
+      # Returns true if the session is being persisted. This is set to false if the session was found by the single_access_token, since logging in via a single access token should not remember the user in the
+      # session or the cookie.
+      def persisting?
+        persisting == true
+      end
+      
       def remember_me # :nodoc:
-        return @remember_me if @set_remember_me
-        @remember_me ||= self.class.remember_me
+        return @remember_me if defined?(@remember_me)
+        @remember_me = self.class.remember_me
       end
       
       # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
       def remember_me=(value)
-        @set_remember_me = true
         @remember_me = value
       end
       
@@ -290,8 +297,12 @@ module Authlogic
         result
       end
       
-      # Sometimes you don't want to create a session via credentials (login and password). Maybe you already have the record. Just set this record to this and it will be authenticated when you try to validate
-      # the session. Basically this is another form of credentials, you are just skipping username and password validation.
+      # This lets you create a session by passing a single object of whatever you are authenticating. Let's say User. By passing a user object you are vouching for this user and saying you can guarantee
+      # this user is who he says he is, create a session for him.
+      #
+      # This is how persistence works in Authlogic. Authlogic grabs your cookie credentials, finds a user by those credentials, and then vouches for that user and creates a session. You can do this for just about
+      # anything, which comes in handy for those unique authentication methods. Do what you need to do to authenticate the user, guarantee he is who he says he is, then pass the object here. Authlogic will do its
+      # magic: create a session and cookie. Now when the user refreshes their session will be persisted by their session and cookie.
       def unauthorized_record=(value)
         self.authenticating_with = :unauthorized_record
         @unauthorized_record = value

data/lib/authlogic/session/config.rb

@@ -8,7 +8,7 @@ module Authlogic
       
       # = Session Config
       #
-      # This deals with configuration for your session. If you are wanting to configure your model please look at Authlogic::ORMAdapters::ActiveRecord::ActsAsAuthentic
+      # This deals with configuration for your session. If you are wanting to configure your model please look at Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::Config
       #
       # Configuration for your session is simple. The configuration options are just class methods. Just put this in your config/initializers directory
       #
@@ -89,20 +89,6 @@ module Authlogic
         end
         alias_method :find_by_login_method=, :find_by_login_method
         
-        # Once the user confirms their openid Authlogic tries to find the record with that openod. This is the method it called on the record's
-        # class to find the record by the openid.
-        #
-        # * <tt>Default:</tt> "find_by_#{openid_field}"
-        # * <tt>Accepts:</tt> Symbol or String
-        def find_by_openid_method(value = nil)
-          if value.nil?
-            read_inheritable_attribute(:find_by_openid_method) || find_by_openid_method("find_by_#{openid_field}")
-          else
-            write_inheritable_attribute(:find_by_openid_method, value)
-          end
-        end
-        alias_method :find_by_openid_method=, :find_by_openid_method
-        
         # Calling UserSession.find tries to find the user session by session, then cookie, then params, and finally by basic http auth.
         # This option allows you to change the order or remove any of these.
         #
@@ -110,7 +96,7 @@ module Authlogic
         # * <tt>Accepts:</tt> Array, and can only use any of the 3 options above
         def find_with(*values)
           if values.blank?
-            read_inheritable_attribute(:find_with) || find_with(:session, :cookie, :params, :http_auth)
+            read_inheritable_attribute(:find_with) || find_with(:params, :session, :cookie, :http_auth)
           else
             values.flatten!
             write_inheritable_attribute(:find_with, values)
@@ -138,55 +124,23 @@ module Authlogic
         # login with a field called "login" and then find users by email this is compeltely doable. See the find_by_login_method configuration
         # option for more details.
         #
-        # * <tt>Default:</tt> Guesses based on the model columns, tries login, username, and email. If none are present it defaults to login
+        # * <tt>Default:</tt> Uses the configuration option in your model: User.acts_as_authentic_config[:login_field]
         # * <tt>Accepts:</tt> Symbol or String
         def login_field(value = nil)
           if value.nil?
-            read_inheritable_attribute(:login_field) || login_field(klass.login_field)
+            read_inheritable_attribute(:login_field) || login_field(klass.acts_as_authentic_config[:login_field])
           else
             write_inheritable_attribute(:login_field, value)
           end
         end
         alias_method :login_field=, :login_field
         
-        # The name of the method you want Authlogic to create for storing the openid url. Keep in mind this is just for your Authlogic::Session,
-        # if you want it can be something completely different than the field in your model. So if you wanted people to login with a field called
-        # "openid_url" and then find users by openid this is compeltely doable. See the find_by_openid_method configuration option for
-        # more details.
-        #
-        # * <tt>Default:</tt> Guesses based on the model columns, tries openid, openid_url, identity_url.
-        # * <tt>Accepts:</tt> Symbol or String
-        def openid_field(value = nil)
-          if value.nil?
-            read_inheritable_attribute(:openid_field) || openid_field((klass.column_names.include?("openid") && :openid) || (klass.column_names.include?("openid_url") && :openid_url) || (klass.column_names.include?("identity_url") && :identity_url))
-          else
-            write_inheritable_attribute(:openid_field, value)
-          end
-        end
-        alias_method :openid_field=, :openid_field
-        
-        # The name of the method you want Authlogic to create for storing the openid url. Keep in mind this is just for your Authlogic::Session,
-        # if you want it can be something completely different than the field in your model. So if you wanted people to login with a field called
-        # "openid_url" and then find users by openid this is compeltely doable. See the find_by_openid_method configuration option for
-        # more details.
+        # Works exactly like cookie_key, but for params. So a user can login via params just like a cookie or a session. Your URL would look like:
         #
-        # * <tt>Default:</tt> Guesses based on the model columns, tries openid, openid_url, identity_url.
-        # * <tt>Accepts:</tt> Symbol or String
-        def openid_file_store_path(value = nil)
-          if value.nil?
-            read_inheritable_attribute(:openid_file_store_path) || openid_file_store_path((defined?(RAILS_ROOT) && RAILS_ROOT + "/tmp/openids") || (defined?(Merb) && Merb.root + "/tmp/openids"))
-          else
-            write_inheritable_attribute(:openid_file_store_path, value)
-          end
-        end
-        alias_method :openid_file_store_path=, :openid_file_store_path
-        
-        # Works exactly like cookie_key, but for params. So a user can login via params just like a cookie or a session. Your URK would look like:
-        #
-        #   http://www.domain.com?user_credentials=fdsfdfd32jfksdjfdksl
+        #   http://www.domain.com?user_credentials=my_single_access_key
         #
         # You can change the "user_credentials" key above with this configuration option. Keep in mind, just like cookie_key, if you supply an id
-        # the id will be appended to the front.
+        # the id will be appended to the front. Check out cookie_key for more details. Also checkout the "Single Access / Private Feeds Access" section in the README.
         #
         # * <tt>Default:</tt> cookie_key
         # * <tt>Accepts:</tt> String
@@ -199,13 +153,14 @@ module Authlogic
         end
         alias_method :params_key=, :params_key
         
+        
         # Works exactly like login_field, but for the password instead.
         #
-        # * <tt>Default:</tt> Guesses based on the model columns, tries password and pass. If none are present it defaults to password
+        # * <tt>Default:</tt> :password
         # * <tt>Accepts:</tt> Symbol or String
         def password_field(value = nil)
           if value.nil?
-            read_inheritable_attribute(:password_field) || password_field(klass.password_field)
+            read_inheritable_attribute(:password_field) || password_field(:password)
           else
             write_inheritable_attribute(:password_field, value)
           end
@@ -242,11 +197,11 @@ module Authlogic
         # long. Well they already have a cookie set to expire in 6 months. Without a token you would have to reset their password, which obviously isn't feasible. So instead of messing with their password
         # just reset their remember token. Next time they access the site and try to login via a cookie it will be rejected and they will have to relogin.
         #
-        # * <tt>Default:</tt> Guesses based on the model columns, tries remember_token, remember_key, cookie_token, and cookie_key. If none are present it defaults to remember_token
+        # * <tt>Default:</tt> Uses the configuration option in your model: User.acts_as_authentic_config[:remember_token_field]
         # * <tt>Accepts:</tt> Symbol or String
         def remember_token_field(value = nil)
           if value.nil?
-            read_inheritable_attribute(:remember_token_field) || remember_token_field(klass.remember_token_field)
+            read_inheritable_attribute(:remember_token_field) || remember_token_field(klass.acts_as_authentic_config[:remember_token_field])
           else
             write_inheritable_attribute(:remember_token_field, value)
           end
@@ -266,6 +221,34 @@ module Authlogic
         end
         alias_method :session_key=, :session_key
         
+        # Authentication is allowed via a single access token, but maybe this is something you don't want for your application as a whole. Maybe this is something you only want for specific request types.
+        # Specify a list of allowed request types and single access authentication will only be allowed for the ones you specify. Checkout the "Single Access / Private Feeds Access" section in the README.
+        #
+        # * <tt>Default:</tt> "application/rss+xml", "application/atom+xml"
+        # * <tt>Accepts:</tt> String, or :all to allow single access authentication for any and all request types
+        def single_access_allowed_request_types(*values)
+          if values.blank?
+            read_inheritable_attribute(:single_access_allowed_request_types) || single_access_allowed_request_types("application/rss+xml", "application/atom+xml")
+          else
+            write_inheritable_attribute(:single_access_allowed_request_types, values)
+          end
+        end
+        alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
+        
+        # This is a separate token for logging with single access. It works just the the remember_token but it does NOT persist. Meaning if a record is found with the single_access_token it will not set
+        # the session or the cookie and "remember" the user. Checkout the "Single Access / Private Feeds Access" section in the README.
+        #
+        # * <tt>Default:</tt> Uses the configuration option in your model: User.acts_as_authentic_config[:single_access_token]
+        # * <tt>Accepts:</tt> Symbol or String
+        def single_access_token_field(value = nil)
+          if value.nil?
+            read_inheritable_attribute(:single_access_token_field) || single_access_token_field(klass.acts_as_authentic_config[:single_access_token_field])
+          else
+            write_inheritable_attribute(:single_access_token_field, value)
+          end
+        end
+        alias_method :single_access_token_field=, :single_access_token_field
+        
         # The name of the method in your model used to verify the password. This should be an instance method. It should also be prepared to accept a raw password and a crytped password.
         #
         # * <tt>Default:</tt> "valid_#{password_field}?"
@@ -281,6 +264,10 @@ module Authlogic
       end
       
       module InstanceMethods # :nodoc:
+        def change_single_access_token_with_password?
+          self.class.change_single_access_token_with_password == true
+        end
+        
         def cookie_key
           build_key(self.class.cookie_key)
         end
@@ -289,10 +276,6 @@ module Authlogic
           self.class.find_by_login_method
         end
         
-        def find_by_openid_method
-          self.class.find_by_openid_method
-        end
-        
         def find_with
           self.class.find_with
         end
@@ -305,8 +288,8 @@ module Authlogic
           self.class.login_field
         end
         
-        def openid_field
-          self.class.openid_field
+        def params_allowed_request_types
+          build_key(self.class.params_allowed_request_types)
         end
         
         def params_key
@@ -329,6 +312,14 @@ module Authlogic
         def session_key
           build_key(self.class.session_key)
         end
+        
+        def single_access_token_field
+          self.class.single_access_token_field
+        end
+        
+        def single_access_allowed_request_types
+          self.class.single_access_allowed_request_types
+        end
       
         def verify_password_method
           self.class.verify_password_method

data/lib/authlogic/session/cookies.rb

@@ -5,8 +5,8 @@ module Authlogic
     # Handles all authentication that deals with cookies, such as persisting a session and saving / destroying a session.
     module Cookies
       def self.included(klass)
-        klass.after_save :save_cookie
-        klass.after_destroy :destroy_cookie
+        klass.after_save :save_cookie, :if => :persisting?
+        klass.after_destroy :destroy_cookie, :if => :persisting?
       end
       
       # Tries to validate the session from information in the cookie

data/lib/authlogic/session/params.rb

@@ -3,17 +3,20 @@ module Authlogic
     # = Params
     #
     # Tries to log the user in via params. Think about cookies and sessions. They are just hashes in your controller, so are params. People never
-    # look at params as an authentication option, but it can be useful for logging into private feeds. Logging in a user is as simple as:
+    # look at params as an authentication option, but it can be useful for logging into private feeds, etc. Logging in a user is as simple as:
     #
-    #   http://www.domain.com?user_credentials=[insert remember token here]
+    #   https://www.domain.com?user_credentials=[insert single access token here]
     #
-    # The user_credentials is based on the name of your session, the above example assumes UserSession. Also, this can be modified via configuration.
+    # Wait, what is a single access token? It is all explained in the README. Checkout the "Single Access" section in the README. For security reasons, this type of authentication
+    # is ONLY available via single access tokens, you can NOT pass your remember token.
     module Params
       # Tries to validate the session from information in the params token
       def valid_params?
-        if params_credentials
-          self.unauthorized_record = search_for_record("find_by_#{remember_token_field}", params_credentials)
-          return valid?
+        if params_credentials && single_access_token_field && single_access_allowed_request_types.include?(controller.request_content_type)
+          self.unauthorized_record = search_for_record("find_by_#{single_access_token_field}", params_credentials)
+          self.persisting = false
+          return true if valid?
+          self.persisting = true
         end
         
         false

data/lib/authlogic/session/session.rb

@@ -5,9 +5,9 @@ module Authlogic
     # Handles all parts of authentication that deal with sessions. Such as persisting a session and saving / destroy a session.
     module Session
       def self.included(klass)
-        klass.after_save :update_session!
-        klass.after_destroy :update_session!
-        klass.after_find :update_session!
+        klass.after_save :update_session!, :if => :persisting?
+        klass.after_destroy :update_session!, :if => :persisting?
+        klass.after_find :update_session!, :if => :persisting?
       end
       
       # Tries to validate the session from information in the session

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 1
     MINOR = 1
-    TINY  = 0
+    TINY  = 1
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/shoulda_macros/authlogic.rb

@@ -0,0 +1,13 @@
+require "test/unit"
+
+module Authlogic
+  module ShouldaMacros
+    def should_be_authentic(model)
+      should "acts as authentic" do
+        assert model.respond_to?(:acts_as_authentic_config)
+      end
+    end
+  end
+end
+
+Test::Unit::TestCase.extend Authlogic::ShouldaMacros

data/test/fixtures/employees.yml

@@ -2,7 +2,7 @@ drew:
   company: binary_logic
   email: dgainor@binarylogic.com
   password_salt: <%= salt = Employee.unique_token %>
-  crypted_password: "<%= Employee.crypto_provider.encrypt("drewrocks" + salt) %>"
+  crypted_password: "<%= Employee.acts_as_authentic_config[:crypto_provider].encrypt("drewrocks" + salt) %>"
   remember_token: 5273d85ed156e9dbd6a7c1438d319ef8c8d41dd24368db6c222de11346c7b11e53ee08d45ecf619b1c1dc91233d22b372482b751b066d0a6f6f9bac42eacaabf
   first_name: Drew
   last_name: Gainor
@@ -11,7 +11,7 @@ jennifer:
   company: logic_over_data
   email: jjohnson@logicoverdata.com
   password_salt: <%= salt = Employee.unique_token %>
-  crypted_password: "<%= Employee.crypto_provider.encrypt("jenniferocks" + salt) %>"
+  crypted_password: "<%= Employee.acts_as_authentic_config[:crypto_provider].encrypt("jenniferocks" + salt) %>"
   remember_token: 2be52a8f741ad00056e6f94eb6844d5316527206da7a3a5e3d0e14d19499ef9fe4c47c89b87febb59a2b41a69edfb4733b6b79302040f3de83f297c6991c75a2
   first_name: Jennifer
   last_name: Johnson

data/test/fixtures/users.yml

@@ -5,6 +5,7 @@ ben:
   password_salt: <%= salt = User.unique_token %>
   crypted_password: <%= Authlogic::CryptoProviders::Sha512.encrypt("benrocks" + salt) %>
   remember_token: 6cde0674657a8a313ce952df979de2830309aa4c11ca65805dd00bfdc65dbcc2f5e36718660a1d2e68c1a08c276d996763985d2f06fd3d076eb7bc4d97b1e317
+  single_access_token: <%= User.friendly_unique_token %>
   first_name: Ben
   last_name: Johnson
   
@@ -15,5 +16,6 @@ zack:
   password_salt: <%= salt = User.unique_token %>
   crypted_password: <%= Authlogic::CryptoProviders::Sha512.encrypt("zackrocks" + salt) %>
   remember_token: fd3c2d5ce09ab98e7547d21f1b3dcf9158a9a19b5d3022c0402f32ae197019fce3fdbc6614d7ee57d719bae53bb089e30edc9e5d6153e5bc3afca0ac1d320342
+  single_access_token: <%= User.friendly_unique_token %>
   first_name: Zack
   last_name: Ham