authlogic 1.4.3 → 2.0.0

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,12 +1,10 @@
 module Authlogic
   module Session
-    # = Brute Force Protection
-    #
     # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
     # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
     # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
-    # and execute a brute force attack locally, meaning there is no network lag, it would take decades to complete. Now throw in network lag for hackers
-    # executing this attack over a network, and it would take centuries.
+    # and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
+    # and it would take MUCH longer.
     #
     # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
     # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
@@ -18,37 +16,62 @@ module Authlogic
     #   end
     module BruteForceProtection
       def self.included(klass)
-        klass.validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
-        klass.validate :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
-        klass.after_save :reset_failed_login_count, :if => :protect_from_brute_force_attacks?
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
+        end
       end
       
-      # This allows you to reset the failed_login_count for the associated record, allowing that account to start at 0 and continue
-      # trying to login. So, if an account exceeds the limit the only way they will be able to log back in is if your execute this
-      # method, which merely resets the failed_login_count field to 0.
-      def reset_failed_login_count
-        record.failed_login_count = 0
+      # Configuration for the brute force protection feature.
+      module Config
+        # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
+        # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
+        #
+        # In order to enable this field your model MUST have a failed_login_count (integer) field.
+        #
+        # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
+        # in possibly millions of attempts to log into an account.
+        #
+        # * <tt>Default:</tt> 50
+        # * <tt>Accepts:</tt> Integer, set to 0 to disable
+        def consecutive_failed_logins_limit(value = nil)
+          config(:consecutive_failed_logins_limit, value, 50)
+        end
+        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
+        
+        # Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
+        #
+        # * <tt>Default:</tt> 2.hours
+        # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
+        def failed_login_ban_for(value = nil)
+          config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
+        end
+        alias_method :failed_login_ban_for=, :failed_login_ban_for
       end
       
-      private
-        def protect_from_brute_force_attacks?
-          r = attempted_record || record
-          r && r.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0
-        end
+      # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
+      module InstanceMethods
+        private
+          def protect_from_brute_force_attacks?
+            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
+              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit &&
+              (failed_login_ban_for <= 0 || (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+          end
+          
+          def consecutive_failed_logins_limit
+            self.class.consecutive_failed_logins_limit
+          end
+          
+          def failed_login_ban_for
+            self.class.failed_login_ban_for
+          end
         
-        def validate_failed_logins
-          if attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
+          def validate_failed_logins
             errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
             errors.add_to_base(I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded, account is disabled."))
           end
-        end
-
-        def increase_failed_login_count
-          if errors.on(password_field)
-            attempted_record.failed_login_count ||= 0
-            attempted_record.failed_login_count += 1
-          end
-        end
+      end
     end
   end
 end

data/lib/authlogic/session/callbacks.rb

@@ -1,14 +1,13 @@
 module Authlogic
   module Session
-    # = Callbacks
-    #
     # Just like in ActiveRecord you have before_save, before_validation, etc. You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
     #
     # Here is the order they execute
     #
-    #   before_find
-    #   after_find
-    #   save record if changed?
+    #   before_persisting
+    #   persist
+    #   after_persisting
+    #   [save record if record.changed?]
     #   
     #   before_validation
     #   before_validation_on_create
@@ -17,7 +16,7 @@ module Authlogic
     #   after_validation_on_update
     #   after_validation_on_create
     #   after_validation
-    #   save record if changed?
+    #   [save record if record.changed?]
     #   
     #   before_save
     #   before_create
@@ -25,7 +24,7 @@ module Authlogic
     #   after_update
     #   after_create
     #   after_save
-    #   save record if changed?
+    #   [save record if record.changed?]
     #   
     #   before_destroy
     #   destroy
@@ -45,7 +44,7 @@ module Authlogic
     # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic to extend properly with multiple extensions. Please ONLY use the method above.
     module Callbacks
       METHODS = [
-        "before_find", "after_find",
+        "before_persisting", "persist", "after_persisting",
         "before_validation", "before_validation_on_create", "before_validation_on_update", "validate", "after_validation_on_update", "after_validation_on_create", "after_validation",
         "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
         "before_destroy", "after_destroy"
@@ -56,13 +55,23 @@ module Authlogic
         base.define_callbacks *METHODS
       end
       
-      METHODS.each do |method|
-        class_eval <<-"end_eval", __FILE__, __LINE__
-          def #{method}
-            run_callbacks(:#{method})
-          end
-        end_eval
-      end
+      private
+        METHODS.each do |method|
+          class_eval <<-"end_eval", __FILE__, __LINE__
+            def #{method}
+              run_callbacks(:#{method}) { |result, object| result == false }
+            end
+          end_eval
+        end
+      
+        def persist
+          run_callbacks(:persist) { |result, object| result == true }
+        end
+        
+        def save_record(alternate_record = nil)
+          r = alternate_record || record
+          r.save_without_session_maintenance(false) if r && r.changed?
+        end
     end
   end
 end

data/lib/authlogic/session/cookies.rb

@@ -1,40 +1,126 @@
 module Authlogic
   module Session
-    # = Cookies
-    #
     # Handles all authentication that deals with cookies, such as persisting a session and saving / destroying a session.
     module Cookies
       def self.included(klass)
-        klass.after_save :save_cookie, :if => :persisting?
-        klass.after_destroy :destroy_cookie, :if => :persisting?
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          persist :persist_by_cookie
+          after_save :save_cookie
+          after_destroy :destroy_cookie
+        end
       end
       
-      # Tries to validate the session from information in the cookie
-      def valid_cookie?
-        if cookie_credentials
-          self.unauthorized_record = search_for_record("find_by_#{persistence_token_field}", cookie_credentials)
-          valid?
-        else
-          false
+      # Configuration for the cookie feature set.
+      module Config
+        # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
+        # Also, if a id is set it will be inserted into the beginning of the string. Exmaple:
+        #
+        #   session = UserSession.new
+        #   session.cookie_key => "user_credentials"
+        #   
+        #   session = UserSession.new(:super_high_secret)
+        #   session.cookie_key => "super_high_secret_user_credentials"
+        #
+        # * <tt>Default:</tt> "#{klass_name.underscore}_credentials"
+        # * <tt>Accepts:</tt> String
+        def cookie_key(value = nil)
+          config(:cookie_key, value, "#{klass_name.underscore}_credentials")
+        end
+        alias_method :cookie_key=, :cookie_key
+        
+        # If sessions should be remembered by default or not.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def remember_me(value = nil)
+          config(:remember_me, value, false)
+        end
+        alias_method :remember_me=, :remember_me
+        
+        # The length of time until the cookie expires.
+        #
+        # * <tt>Default:</tt> 3.months
+        # * <tt>Accepts:</tt> Integer, length of time in seconds, such as 60 or 3.months
+        def remember_me_for(value = :_read)
+          config(:remember_me_for, value, 3.months, :_read)
         end
+        alias_method :remember_me_for=, :remember_me_for
       end
       
-      private
-        def cookie_credentials
-          controller.cookies[cookie_key]
+      # The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
+      module InstanceMethods  
+        def credentials=(value)
+          super
+          values = value.is_a?(Array) ? value : [value]
+          case values.first
+          when Hash
+            self.remember_me = values.first.with_indifferent_access[:remember_me]
+          else
+            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
+            self.remember_me = r if !r.nil?
+          end
         end
         
-        def save_cookie
-          controller.cookies[cookie_key] = {
-            :value => record.send(persistence_token_field),
-            :expires => remember_me_until,
-            :domain => controller.cookie_domain
-          }
+        def remember_me # :nodoc:
+          return @remember_me if defined?(@remember_me)
+          @remember_me = self.class.remember_me
+        end
+      
+        # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
+        def remember_me=(value)
+          @remember_me = value
+        end
+      
+        # Allows users to be remembered via a cookie.
+        def remember_me?
+          remember_me == true || remember_me == "true" || remember_me == "1"
         end
         
-        def destroy_cookie
-          controller.cookies.delete cookie_key, :domain => controller.cookie_domain
+        # How long to remember the user if remember_me is true. This is based on the class level configuration: remember_me_for
+        def remember_me_for
+          return unless remember_me?
+          self.class.remember_me_for
+        end
+      
+        # When to expire the cookie. See remember_me_for configuration option to change this.
+        def remember_me_until
+          return unless remember_me?
+          remember_me_for.from_now
         end
+        
+        private
+          def cookie_key
+            build_key(self.class.cookie_key)
+          end
+          
+          def cookie_credentials
+            controller.cookies[cookie_key]
+          end
+          
+          # Tries to validate the session from information in the cookie
+          def persist_by_cookie
+            if cookie_credentials
+              self.unauthorized_record = search_for_record("find_by_persistence_token", cookie_credentials)
+              valid?
+            else
+              false
+            end
+          end
+        
+          def save_cookie
+            controller.cookies[cookie_key] = {
+              :value => record.persistence_token,
+              :expires => remember_me_until,
+              :domain => controller.cookie_domain
+            }
+          end
+        
+          def destroy_cookie
+            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
+          end
+      end
     end
   end
 end

data/lib/authlogic/session/existence.rb

@@ -0,0 +1,89 @@
+module Authlogic
+  module Session
+    # Provides methods to create and destroy objects. Basically controls their "existence".
+    module Existence
+      class SessionInvalidError < ::StandardError # :nodoc:
+        def initialize(session)
+          super("Your session is invalid and has the following errors: #{session.errors.full_messages.to_sentence}")
+        end
+      end
+      
+      def self.included(klass)
+        klass.class_eval do
+          extend ClassMethods
+          include InstanceMethods
+          attr_accessor :new_session, :record
+        end
+      end
+      
+      module ClassMethods
+        # A convenince method. The same as:
+        #
+        #   session = UserSession.new(*args)
+        #   session.create
+        #
+        # Instead you can do:
+        #
+        #   UserSession.create(*args)
+        def create(*args, &block)
+          session = new(*args)
+          session.save(&block)
+        end
+        
+        # Same as create but calls create!, which raises an exception when validation fails.
+        def create!(*args)
+          session = new(*args)
+          session.save!
+        end
+      end
+      
+      module InstanceMethods
+        # Clears all errors and the associated record, you should call this terminate a session, thus requring
+        # the user to authenticate again if it is needed.
+        def destroy
+          before_destroy
+          errors.clear
+          @record = nil
+          after_destroy
+          true
+        end
+        
+        # Returns true if the session has not been saved yet.
+        def new_session?
+          new_session != false
+        end
+        
+        # After you have specified all of the details for your session you can try to save it. This will
+        # run validation checks and find the associated record, if all validation passes. If validation
+        # does not pass, the save will fail and the erorrs will be stored in the errors object.
+        def save(&block)
+          result = nil
+          if valid?
+            self.record = attempted_record
+
+            before_save
+            new_session? ? before_create : before_update
+            new_session? ? after_create : after_update
+            after_save
+
+            save_record
+            self.new_session = false
+            result = true
+          else
+            result = false
+          end
+
+          yield result if block_given?
+          result
+        end
+
+        # Same as save but raises an exception of validation errors when validation fails
+        def save!
+          result = save
+          raise SessionInvalidError.new(self) unless result
+          result
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/session/foundation.rb

@@ -0,0 +1,63 @@
+module Authlogic
+  module Session
+    # Sort of like an interface, it sets the foundation for the class, such as the required methods. This also allows
+    # other modules to overwrite methods and call super on them. It's also a place to put "utility" methods used
+    # throughout Authlogic.
+    module Foundation
+      def self.included(klass)
+        klass.class_eval do
+          extend ClassMethods
+          include InstanceMethods
+        end
+      end
+      
+      module ClassMethods
+        private
+          def config(key, value, default_value = nil, read_value = nil)
+            if value == read_value
+              return read_inheritable_attribute(key) if inheritable_attributes.include?(key)
+              write_inheritable_attribute(key, default_value)
+            else
+              write_inheritable_attribute(key, value)
+            end
+          end
+      end
+      
+      module InstanceMethods
+        def initialize(*args)
+          self.credentials = args
+        end
+        
+        # The credentials you passed to create your session. See credentials= for more info.
+        def credentials
+          []
+        end
+
+        # Set your credentials before you save your session. You can pass a hash of credentials:
+        #
+        #   session.credentials = {:login => "my login", :password => "my password", :remember_me => true}
+        #
+        # or you can pass an array of objects:
+        #
+        #   session.credentails = [my_user_object, true]
+        #
+        # and if you need to set an id, just pass it last. This value need be the last item in the array you pass, since the id is something that
+        # you control yourself, it should never be set from a hash or a form. Examples:
+        #
+        #   session.credentials = [{:login => "my login", :password => "my password", :remember_me => true}, :my_id]
+        #   session.credentials = [my_user_object, true, :my_id]
+        def credentials=(values)
+        end
+        
+        def inspect
+          "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
+        end
+        
+        private
+          def build_key(last_part)
+            last_part
+          end
+      end
+    end
+  end
+end