authlogic 1.3.7 → 1.3.8

data/CHANGELOG.rdoc

@@ -1,3 +1,10 @@
+== 1.3.8 released 2008-11-30
+
+* Only change persistence token if the password is not blank
+* Normalize the last_request_at_threshold so that you can pass an integer or a date/time range.
+* Fixed bug where password length validations were not being run because the password value was not blank. It should be run if it is a new record, the password has changed, or the password is blank.
+* Added disable_magic_states option for sessions, to turn off the automatic checking of "magic states" such as active?, confirmed?, and approved?.
+
 == 1.3.7 released 2008-11-30
 
 * Added session generator: script/generate session UserSession

data/README.rdoc

@@ -6,7 +6,7 @@ So what is Authlogic, and why would I create a solution to a problem that alread
 
 Let's take a rails application...
 
-Wouldn't it be nice to keep your app up to date with the latest and greatest security techniques with a simple update of a plugin?
+Wouldn't it be nice to keep your app up to date with the latest and greatest security techniques with a simple update of a gem?
 
 What if you could have authentication up and running in minutes without having to run a generator? All because it's simple, like everything else.
 
@@ -100,6 +100,10 @@ Lets assume you are setting up a session for your User model.
 
 Create your user_session.rb file:
 
+  $ script/generate session user_session
+
+This will create a file that looks similar to:
+
   # app/models/user_session.rb
   class UserSession < Authlogic::Session::Base
     # configuration here, just like ActiveRecord, or in an initializer
@@ -416,9 +420,9 @@ This is one of my favorite features that I think is pretty cool. It's things lik
 
 Just to clear up any confusion, Authlogic stores both the record id and the persistence token in the session. Why? So stale sessions can not be persisted. It stores the id so it can quickly find the record, and the persistence token to ensure no sessions are stale. The persistence token changes with the password, if someone is logged in and their password is changed, they should be logged out, unless they made the change. That being said, the person making the change needs their session to be updated with the new persistence token, so they stay logged in, which is what this section is all about.
 
-That being said...What if a user changes their password? You have to re-log them in with the new password, recreate the session, etc, pain in the ass. Or what if a user creates a new user account? You have to do the same thing. Here's an even better one: what if a user is in the admin area and changes his own password? There might even be another place passwords can change. It shouldn't matter, your code should be written in a way where you don't have to remember to do this.
+So what if a user changes their password? You have to re-log them in with the new password, recreate the session, etc. This is messy and leads to redundant code. Or what if a user creates a new user account? You have to do the same thing. Here's an even better one: what if a user is in the admin area and changes their own password? There might even be another place passwords can change. It shouldn't matter, your code should be written in a way where you don't have to remember to do this.
 
-Instead of updating sessions all over the place, doesn't it make sense to do this at a lower level? Like the User model? You're saying "but Ben, models can't mess around with sessions and cookies". True...but Authlogic can, and you can access Authlogic just like a model. I know in most situations it's not good practice to do this but I view this in the same class as sweepers, and feel like it actually is good practice here. User sessions are directly tied to users, they should be connected on the model level.
+Instead of updating sessions all over the place, doesn't it make sense to do this at a lower level? Like the User model? You're saying "but Ben, models can't mess around with sessions and cookies". True...but Authlogic can, and you can access Authlogic just like a model. I know in most situations it's not good practice to do this, but I view this in the same class as sweepers, and feel like it actually is good practice here. User sessions are directly tied to users, they should be connected on the model level.
 
 Fear not, because the acts_as_authentic method you call in your model takes care of this for you, by adding an after_save callback to automatically keep the session up to date. You don't have to worry about it anymore. Don't even think about it. Let your UsersController deal with users, not users *AND* sessions. *ANYTIME* the user changes his password in *ANY* way, his session will be updated.
 
@@ -452,7 +456,7 @@ You get the following methods:
   set_cookie_for(record_object)
   set_http_auth_for(username, password)
 
-In your test, before you execute a request, just call one of those methods and it will set the proper values so that it will seems as if that record is logged in.
+In your test, before you execute a request, just call one of those methods and it will set the proper values so that it will seem as if that record is logged in.
 
 You can also checkout the authlogic_example application (see helpful links above), the tests there use this.
 

data/Rakefile

@@ -11,7 +11,7 @@ begin
     p.project = 'authlogic'
     p.summary = "A clean, simple, and unobtrusive ruby authentication solution."
     p.url = "http://github.com/binarylogic/authlogic"
-    p.dependencies = %w(activesupport)
+    p.dependencies = %w(activesupport echoe)
   end
 rescue LoadError => boom
   puts "You are missing a dependency required for meta-operations on this gem."

data/authlogic.gemspec

@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "1.3.7"
+  s.version = "1.3.8"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2008-12-01}
+  s.date = %q{2008-12-24}
   s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
   s.email = %q{bjohnson@binarylogic.com}
   s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
@@ -26,13 +26,16 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<activesupport>, [">= 0"])
+      s.add_runtime_dependency(%q<echoe>, [">= 0"])
       s.add_development_dependency(%q<echoe>, [">= 0"])
     else
       s.add_dependency(%q<activesupport>, [">= 0"])
       s.add_dependency(%q<echoe>, [">= 0"])
+      s.add_dependency(%q<echoe>, [">= 0"])
     end
   else
     s.add_dependency(%q<activesupport>, [">= 0"])
     s.add_dependency(%q<echoe>, [">= 0"])
+    s.add_dependency(%q<echoe>, [">= 0"])
   end
 end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -2,7 +2,7 @@ module Authlogic
   module ControllerAdapters # :nodoc:
     # = Abstract Adapter
     #
-    # Allows you to use Authlogic in any framework you want, not just rails. See tha RailsAdapter for an example of how to adapter Authlogic to work with your framework.
+    # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter or MerbAdapter for an example of how to adapt Authlogic to work with your framework.
     class AbstractAdapter
       attr_accessor :controller
 

data/lib/authlogic/controller_adapters/merb_adapter.rb

@@ -7,7 +7,7 @@ module Authlogic
     class MerbAdapter < AbstractAdapter
       # = Merb Implementation
       #
-      # Lets Authlogic know about the controller object, AKA "activates" authlogic.
+      # Lets Authlogic know about the controller object via a before filter, AKA "activates" authlogic.
       module MerbImplementation
         def self.included(klass) # :nodoc:
           klass.before :activate_authlogic

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -19,7 +19,7 @@ module Authlogic
       
       # = Rails Implementation
       #
-      # Lets Authlogic know about the controller object, AKA "activates" authlogic.
+      # Lets Authlogic know about the controller object via a before filter, AKA "activates" authlogic.
       module RailsImplementation
         def self.included(klass) # :nodoc:
           klass.prepend_before_filter :activate_authlogic

data/lib/authlogic/crypto_providers/sha1.rb

@@ -5,7 +5,7 @@ module Authlogic
     # = Sha1
     #
     # This class was made for the users transitioning from restful_authentication. I highly discourage using this crypto provider as it inferior to your other options.
-    # Please use the Sha512 crypto provider or the BCrypt provider.
+    # Please use any other provider offered by Authlogic.
     class Sha1
       class << self
         def join_token

data/lib/authlogic/crypto_providers/sha512.rb

@@ -10,7 +10,7 @@ module Authlogic
   #
   #   class MyAwesomeEncryptionMethod
   #     def self.encrypt(*tokens)
-  #       # the tokens passed wil be an array of objects, what type of object is irrelevant
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
   #       # just do what you need to do with them and return a single encrypted string.
   #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
   #     end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb

@@ -127,9 +127,12 @@ module Authlogic
         # * <tt>password_field_validates_length_of_options</tt> - default: {:minimum => 4},
         #   These options are applied to the validates_length_of call for the :password_field
         #
-        # * <tt>login_field_validates_confirmation_of_options</tt> - default: {},
+        # * <tt>password_field_validates_confirmation_of_options</tt> - default: {},
         #   These options are applied to the validates_confirmation_of call for the :password_field
         #
+        # * <tt>password_confirmation_field_validates_presence_of_options</tt> - default: {},
+        #   These options are applied to the validates_presence_of call for the :password_confirmation_field.
+        #
         # * <tt>email_field_validation_options</tt> - default: {},
         #   The same as :validation_options but these are only applied to validations that pertain to the :email_field
         #
@@ -198,6 +201,8 @@ module Authlogic
               end
             end
             
+            options[:password_confirmation_field_validates_presence_of_options] ||= {}
+            
             if options[:scope]
               options[:login_field_validates_uniqueness_of_options][:scope] ||= options[:scope]
               options[:email_field_validates_uniqueness_of_options][:scope] ||= options[:scope]

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb

@@ -42,7 +42,7 @@ module Authlogic
               if options[:validate_password_field]
                 validates_length_of options[:password_field], {:minimum => 4}.merge(options[:password_field_validates_length_of_options].merge(:if => "validate_#{options[:password_field]}?".to_sym))
                 validates_confirmation_of options[:password_field], options[:password_field_validates_confirmation_of_options].merge(:if => "#{options[:password_salt_field]}_changed?".to_sym)
-                validates_presence_of "#{options[:password_field]}_confirmation", :if => "#{options[:password_salt_field]}_changed?".to_sym
+                validates_presence_of "#{options[:password_field]}_confirmation", options[:password_confirmation_field_validates_presence_of_options].merge(:if => "#{options[:password_salt_field]}_changed?".to_sym)
               end
               
               if options[:validate_email_field] && options[:email_field]
@@ -116,12 +116,12 @@ module Authlogic
               def validate_#{options[:password_field]}?
                 case #{options[:password_field_validates_length_of_options][:if].inspect}
                 when String
-                  return false unless eval('#{options[:password_field_validates_length_of_options][:if]}')
+                  return false if !eval('#{options[:password_field_validates_length_of_options][:if]}')
                 when Symbol
-                  return false unless send(#{options[:password_field_validates_length_of_options][:if].inspect})
+                  return false if !send(#{options[:password_field_validates_length_of_options][:if].inspect})
                 end
                 
-                #{options[:crypted_password_field]}.blank?
+                new_record? || #{options[:password_salt_field]}_changed? || #{options[:crypted_password_field]}.blank?
               end
               
               private

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb

@@ -49,7 +49,7 @@ module Authlogic
               end
             
               def #{options[:password_field]}_with_persistence=(value)
-                reset_#{options[:persistence_token_field]}
+                reset_#{options[:persistence_token_field]} unless value.blank?
                 self.#{options[:password_field]}_without_persistence = value
               end
               alias_method_chain :#{options[:password_field]}=, :persistence

data/lib/authlogic/session/active_record_trickery.rb

@@ -2,8 +2,8 @@ module Authlogic
   module Session
     # = ActiveRecord Trickery
     #
-    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here. This is useful for the various rails helper methods such as form_for, error_messages_for, etc.
-    # These helpers exptect various methods to be present. This adds in those methods into Authlogic.
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here. This is useful for the various rails helper methods such as form_for, error_messages_for, or any
+    # method that expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we have no problems.
     module ActiveRecordTrickery
       def self.included(klass) # :nodoc:
         klass.extend ClassMethods

data/lib/authlogic/session/base.rb

@@ -191,7 +191,7 @@ module Authlogic
           if send("valid_#{find_method}?")
             self.new_session = false
             
-            if record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.ago >= record.last_request_at)
+            if record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
               record.last_request_at = Time.now
               record.save_without_session_maintenance(false)
             end
@@ -357,7 +357,7 @@ module Authlogic
           return if respond_to?(login_field) # already created these methods
           
           self.class.class_eval <<-"end_eval", __FILE__, __LINE__
-            alias_method :#{klass_name.underscore.split("/").last}, :record
+            alias_method :#{klass_name.demodulize.underscore}, :record
             
             attr_reader :#{login_field}
             
@@ -439,12 +439,14 @@ module Authlogic
         end
         
         def valid_record?
+          return true if disable_magic_states?
           [:active, :approved, :confirmed].each do |required_status|
             if record.respond_to?("#{required_status}?") && !record.send("#{required_status}?")
               errors.add_to_base(send("not_#{required_status}_message"))
               return false
             end
           end
+          true
         end
     end
   end

data/lib/authlogic/session/config.rb

@@ -65,6 +65,21 @@ module Authlogic
         end
         alias_method :cookie_key=, :cookie_key
         
+        # Set this to true if you want to disable the checking of active?, approved?, and confirmed? on your record. This is more or less of a
+        # convenience feature, since 99% of the time if those methods exist and return false you will not want the user logging in. You could
+        # easily accomplish this same thing with a before_validation method or other callbacks.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def disable_magic_states(value = nil)
+          if value.nil?
+            read_inheritable_attribute(:disable_magic_states)
+          else
+            write_inheritable_attribute(:disable_magic_states, value)
+          end
+        end
+        alias_method :disable_magic_states=, :disable_magic_states
+        
         # Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and making sure it exists. What method it uses the do this is up to you.
         #
         # Let's say you have a UserSession that is authenticating a User. By default UserSession will call User.find_by_login(login). You can change what method UserSession calls by specifying it here. Then
@@ -333,6 +348,10 @@ module Authlogic
           build_key(self.class.cookie_key)
         end
         
+        def disable_magic_states?
+          self.class.disable_magic_states == true
+        end
+        
         def find_by_login_method
           self.class.find_by_login_method
         end

data/lib/authlogic/testing/test_unit_helpers.rb

@@ -1,8 +1,12 @@
 module Authlogic
-  module Testing
+  module Testing # :nodoc:
     # = Test Unit Helpers
     #
-    # Provides useful methods for testing in Test::Unit, lets you log records in, etc.
+    # Provides useful methods for testing in Test::Unit, lets you log records in, etc. Just include this in your test_helper filter:
+    #
+    #   require "authlogic/testing/test_unit_helpers"
+    #
+    # Then you will have the methods below to use in your tests.
     module TestUnitHelpers
       private
         def session_class(record) # :nodoc:

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 1
     MINOR = 3
-    TINY  = 7
+    TINY  = 8
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb

@@ -45,7 +45,8 @@ module ORMAdaptersTests
             :validate_email_field => true,
             :validation_options => {},
             :login_field_validation_options => {},
-            :transition_from_crypto_provider => []
+            :transition_from_crypto_provider => [],
+            :password_confirmation_field_validates_presence_of_options => {}
            }
           assert_equal default_config, User.acts_as_authentic_config
         end

data/test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb

@@ -39,6 +39,15 @@ module ORMAdaptersTests
           assert !UserSession.find
           assert UserSession.find(:ziggity_zack)
         end
+        
+        def test_password
+          ben = users(:ben)
+          old_persistence_token = ben.persistence_token
+          ben.password = ""
+          assert_equal old_persistence_token, ben.persistence_token
+          ben.password = "newpass"
+          assert_not_equal old_persistence_token, ben.persistence_token
+        end
       end
     end
   end

data/test/session_tests/base_test.rb

@@ -274,6 +274,39 @@ module SessionTests
       assert session.errors.empty?
     end
     
+    def test_valid_record
+      session = UserSession.new      
+      ben = users(:ben)
+      session.send(:record=, ben)
+      assert session.send :valid_record?
+      assert session.errors.empty?
+
+      ben.update_attribute(:active, false)
+      assert !session.send(:valid_record?) 
+      assert session.errors.on_base.size > 0
+
+      ben.active = true
+      ben.approved = false
+      ben.save
+      assert !session.send(:valid_record?) 
+      assert session.errors.on_base.size > 0
+
+      ben.approved = true
+      ben.confirmed = false
+      ben.save
+      assert !session.send(:valid_record?) 
+      assert session.errors.on_base.size > 0
+
+      ben.approved = false
+      ben.confirmed = false
+      ben.active = false
+
+      UserSession.disable_magic_states = true
+      session = UserSession.new
+      session.send(:record=, ben)   
+      assert session.send :valid_record?
+    end
+    
     def test_valid_http_auth
       ben = users(:ben)
       session = UserSession.new

data/test/session_tests/config_test.rb

@@ -23,6 +23,18 @@ module SessionTests
       session = UserSession.new
       assert_equal "user_credentials", session.cookie_key
     end
+    
+    def test_disable_magic_states
+      UserSession.disable_magic_states = true
+      assert_equal true, UserSession.disable_magic_states
+      session = UserSession.new
+      assert_equal true, session.disable_magic_states?
+    
+      UserSession.disable_magic_states false
+      assert_equal false, UserSession.disable_magic_states
+      session = UserSession.new
+      assert_equal false, session.disable_magic_states?
+    end
   
     def test_find_by_login_method
       UserSession.find_by_login_method = "my_login_method"

data/test/test_helper.rb

@@ -50,6 +50,9 @@ ActiveRecord::Schema.define(:version => 1) do
     t.datetime  :last_login_at
     t.string    :current_login_ip
     t.string    :last_login_ip
+    t.boolean   :active, :default => true
+    t.boolean   :approved, :default => true
+    t.boolean   :confirmed, :default => true
   end
   
   create_table :employees do |t|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authlogic
 version: !ruby/object:Gem::Version 
-  version: 1.3.7
+  version: 1.3.8
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-12-01 00:00:00 -05:00
+date: 2008-12-24 00:00:00 -06:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -22,6 +22,16 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: "0"
     version: 
+- !ruby/object:Gem::Dependency 
+  name: echoe
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
 - !ruby/object:Gem::Dependency 
   name: echoe
   type: :development