authlogic 1.4.3 → 2.0.0

data/lib/authlogic/session/http_auth.rb

@@ -0,0 +1,23 @@
+module Authlogic
+  module Session
+    # Handles all authentication that deals with basic HTTP auth.
+    module HttpAuth
+      def self.included(klass)
+        klass.persist :persist_by_http_auth
+      end
+      
+      private
+        def persist_by_http_auth
+          controller.authenticate_with_http_basic do |login, password|
+            if !login.blank? && !password.blank?
+              send("#{login_field}=", login)
+              send("#{password_field}=", password)
+              return valid?
+            end
+          end
+        
+          false
+        end
+    end
+  end
+end

data/lib/authlogic/session/id.rb

@@ -0,0 +1,41 @@
+module Authlogic
+  module Session
+    # Allows you to separate sessions with an id, ultimately letting you create multiple sessions for the same user.
+    module Id
+      def self.included(klass)
+        klass.class_eval do
+          attr_writer :id
+        end
+      end
+      
+      # Setting the id if it is passed in the credentials.
+      def credentials=(value)
+        super
+        values = value.is_a?(Array) ? value : [value]
+        self.id = values.last if values.last.is_a?(Symbol)
+      end
+      
+      # Allows you to set a unique identifier for your session, so that you can have more than 1 session at a time.
+      # A good example when this might be needed is when you want to have a normal user session and a "secure" user session.
+      # The secure user session would be created only when they want to modify their billing information, or other sensitive
+      # information. Similar to me.com. This requires 2 user sessions. Just use an id for the "secure" session and you should be good.
+      #
+      # You can set the id during initialization (see initialize for more information), or as an attribute:
+      #
+      #   session.id = :my_id
+      #
+      # Just be sure and set your id before you save your session.
+      #
+      # Lastly, to retrieve your session with the id check out the find class method.
+      def id
+        @id
+      end
+      
+      private
+        # Used for things like cookie_key, session_key, etc.
+        def build_key(last_part)
+          [id, super].compact.join("_")
+        end
+    end
+  end
+end

data/lib/authlogic/session/klass.rb

@@ -0,0 +1,75 @@
+module Authlogic
+  module Session
+    # Handles authenticating via a traditional username and password.
+    module Klass
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          
+          class << self
+            attr_accessor :configured_klass_methods
+          end
+        end
+      end
+      
+      module Config
+        # Lets you change which model to use for authentication.
+        #
+        # * <tt>Default:</tt> inferred from the class name. UserSession would automatically try User
+        # * <tt>Accepts:</tt> an ActiveRecord class
+        def authenticate_with(klass)
+          @klass_name = klass.name
+          @klass = klass
+        end
+        alias_method :authenticate_with=, :authenticate_with
+        
+        # The name of the class that this session is authenticating with. For example, the UserSession class will
+        # authenticate with the User class unless you specify otherwise in your configuration. See authenticate_with
+        # for information on how to change this value.
+        def klass
+          @klass ||=
+            if klass_name
+              klass_name.constantize
+            else
+              nil
+            end
+        end
+        
+        # Same as klass, just returns a string instead of the actual constant.
+        def klass_name
+          @klass_name ||= 
+            if guessed_name = name.scan(/(.*)Session/)[0]
+              @klass_name = guessed_name[0]
+            end
+        end
+      end
+      
+      module InstanceMethods
+        # Creating an alias method for the "record" method based on the klass name, so that we can do:
+        #
+        #   session.user
+        #
+        # instead of:
+        #
+        #   session.record
+        def initialize(*args)
+          if !self.class.configured_klass_methods
+            self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
+            self.class.configured_klass_methods = true
+          end
+          super
+        end
+        
+        private
+          def klass
+            self.class.klass
+          end
+
+          def klass_name
+            self.class.klass_name
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/magic_columns.rb

@@ -0,0 +1,75 @@
+module Authlogic
+  module Session
+    # Just like ActiveRecord has "magic" columns, such as: created_at and updated_at. Authlogic has its own "magic" columns too:
+    #
+    #   Column name           Description
+    #   login_count           Increased every time an explicit login is made. This will *NOT* increase if logging in by a session, cookie, or basic http auth
+    #   failed_login_count    This increases for each consecutive failed login. See Authlogic::Session::BruteForceProtection and the consecutive_failed_logins_limit config option for more details.
+    #   last_request_at       Updates every time the user logs in, either by explicitly logging in, or logging in by cookie, session, or http auth
+    #   current_login_at      Updates with the current time when an explicit login is made.
+    #   last_login_at         Updates with the value of current_login_at before it is reset.
+    #   current_login_ip      Updates with the request remote_ip when an explicit login is made.
+    #   last_login_ip         Updates with the value of current_login_ip before it is reset.
+    module MagicColumns
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          after_persisting :set_last_request_at
+          validate :increase_failed_login_count
+          before_save :update_info
+        end
+      end
+      
+      # Configuration for the magic columns feature.
+      module Config
+        # Every time a session is found the last_request_at field for that record is updatd with the current time, if that field exists. If you want to limit how frequent that field is updated specify the threshold
+        # here. For example, if your user is making a request every 5 seconds, and you feel this is too frequent, and feel a minute is a good threashold. Set this to 1.minute. Once a minute has passed in between
+        # requests the field will be updated.
+        #
+        # * <tt>Default:</tt> 0
+        # * <tt>Accepts:</tt> integer representing time in seconds
+        def last_request_at_threshold(value = nil)
+          config(:last_request_at_threshold, value, 0)
+        end
+        alias_method :last_request_at_threshold=, :last_request_at_threshold
+      end
+      
+      # The methods available for an Authlogic::Session::Base object that make up the magic columns feature.
+      module InstanceMethods
+        private
+          def increase_failed_login_count
+            if errors.on(password_field) && attempted_record.respond_to?(:failed_login_count)
+              attempted_record.failed_login_count ||= 0
+              attempted_record.failed_login_count += 1
+            end
+          end
+        
+          def update_info
+            record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1) if record.respond_to?(:login_count)
+            record.failed_login_count = 0 if record.respond_to?(:failed_login_count)
+          
+            if record.respond_to?(:current_login_at)
+              record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+              record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+            end
+          
+            if record.respond_to?(:current_login_ip)
+              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+              record.current_login_ip = controller.request.remote_ip
+            end
+          end
+        
+          def set_last_request_at
+            if record && record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
+              record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+            end
+          end
+          
+          def last_request_at_threshold
+            self.class.last_request_at_threshold
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/magic_states.rb

@@ -0,0 +1,58 @@
+module Authlogic
+  module Session
+    # Authlogic tries to check the state of the record before creating the session. If your record responds to the following methods and any of them return false, validation will fail:
+    #
+    #   Method name           Description
+    #   active?               Is the record marked as active?
+    #   approved?             Has the record been approved?
+    #   confirmed?            Has the record been conirmed?
+    #
+    # Authlogic does nothing to define these methods for you, its up to you to define what they mean. If your object responds to these methods Authlogic will use them, otherwise they are ignored.
+    #
+    # What's neat about this is that these are checked upon any type of login. When logging in explicitly, by cookie, session, or basic http auth. So if you mark a user inactive in the middle of their session they wont be logged back in next time they refresh the page. Giving you complete control.
+    #
+    # Need Authlogic to check your own "state"? No problem, check out the hooks section below. Add in a before_validation to do your own checking. The sky is the limit.
+    module MagicStates
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          validate :validate_magic_states
+        end
+      end
+      
+      # Configuration for the magic states feature.
+      module Config
+        # Set this to true if you want to disable the checking of active?, approved?, and confirmed? on your record. This is more or less of a
+        # convenience feature, since 99% of the time if those methods exist and return false you will not want the user logging in. You could
+        # easily accomplish this same thing with a before_validation method or other callbacks.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def disable_magic_states(value = nil)
+          config(:disable_magic_states, value, false)
+        end
+        alias_method :disable_magic_states=, :disable_magic_states
+      end
+      
+      # The methods available for an Authlogic::Session::Base object that make up the magic states feature.
+      module InstanceMethods
+        private
+          def disable_magic_states?
+            self.class.disable_magic_states == true
+          end
+        
+          def validate_magic_states
+            return true if disable_magic_states? || attempted_record.nil?
+            [:active, :approved, :confirmed].each do |required_status|
+              if attempted_record.respond_to?("#{required_status}?") && !attempted_record.send("#{required_status}?")
+                errors.add_to_base(I18n.t("error_messages.not_#{required_status}", :default => "Your account is not #{required_status}"))
+                return false
+              end
+            end
+            true
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/params.rb

@@ -1,32 +1,95 @@
 module Authlogic
   module Session
-    # = Params
+    # This module is responsible for authenticating the user via params, which ultimately allows the user to log in using a URL like the following:
     #
-    # Tries to log the user in via params. Think about cookies and sessions. They are just hashes in your controller, so are params. People never
-    # look at params as an authentication option, but it can be useful for logging into private feeds, etc. Logging in a user is as simple as:
+    #   https://www.domain.com?user_credentials=4LiXF7FiGUppIPubBPey
     #
-    #   https://www.domain.com?user_credentials=[insert single access token here]
+    # Notice the token in the URL, this is a single access token. A single access token is used for single access only, it is not persisted. Meaning the user
+    # provides it, Authlogic grants them access, and that's it. If they want access again they need to provide the token again. Authlogic will
+    # *NEVER* try to persist the session after authenticating through this method.
     #
-    # Wait, what is a single access token? It is all explained in the README. Checkout the "Tokens" section in the README, there is section about
-    # single access tokens. For security reasons, this type of authentication is ONLY available via single access tokens, you can NOT pass your persistence token.
-    # Which means you must have a single_access_token field in your database.
+    # For added security, this token is *ONLY* allowed for RSS and ATOM requests. You can change this with the configuration. You can also define if
+    # it is allowed dynamically by defining a single_access_allowed? method in your controller. For example:
+    #
+    #   class UsersController < ApplicationController
+    #     private
+    #       def single_access_allowed?
+    #         action_name == "index"
+    #       end
+    #
+    # Also, by default, this token is permanent. Meaning if the user changes their password, this token will remain the same. It will only change
+    # when it is explicitly reset.
+    #
+    # You can modify all of this behavior with the Config sub module.
     module Params
-      # Tries to validate the session from information in the params token
-      def valid_params?
-        if params_credentials && single_access_token_field && (single_access_allowed_request_types.include?(controller.request_content_type) || single_access_allowed_request_types.include?(:all) || controller.single_access_allowed?)
-          self.unauthorized_record = search_for_record("find_by_#{single_access_token_field}", params_credentials)
-          self.persisting = false
-          return true if valid?
-          self.persisting = true
-        else
-          false
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          attr_accessor :single_access
+          persist :persist_by_params
         end
       end
       
-      private
-        def params_credentials
-          controller.params[params_key]
+      # Configuration for the params / single access feature.
+      module Config
+        # Works exactly like cookie_key, but for params. So a user can login via params just like a cookie or a session. Your URL would look like:
+        #
+        #   http://www.domain.com?user_credentials=my_single_access_key
+        #
+        # You can change the "user_credentials" key above with this configuration option. Keep in mind, just like cookie_key, if you supply an id
+        # the id will be appended to the front. Check out cookie_key for more details. Also checkout the "Single Access / Private Feeds Access" section in the README.
+        #
+        # * <tt>Default:</tt> cookie_key
+        # * <tt>Accepts:</tt> String
+        def params_key(value = nil)
+          config(:params_key, value, cookie_key)
+        end
+        alias_method :params_key=, :params_key
+        
+        # Authentication is allowed via a single access token, but maybe this is something you don't want for your application as a whole. Maybe this is something you only want for specific request types.
+        # Specify a list of allowed request types and single access authentication will only be allowed for the ones you specify. Checkout the "Single Access / Private Feeds Access" section in the README.
+        #
+        # * <tt>Default:</tt> "application/rss+xml", "application/atom+xml"
+        # * <tt>Accepts:</tt> String of request type, or :all to allow single access authentication for any and all request types
+        def single_access_allowed_request_types(value = nil)
+          config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
         end
+        alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
+      end
+      
+      # The methods available for an Authlogic::Session::Base object that make up the params / single access feature.
+      module InstanceMethods
+        private
+          def persist_by_params
+            return false if !params_enabled?
+            self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
+            self.single_access = valid?
+          end
+          
+          def params_enabled?
+            params_credentials && klass.column_names.include?("single_access_token") &&
+              (single_access_allowed_request_types.include?(controller.request_content_type) ||
+                single_access_allowed_request_types.include?(:all) ||
+                  controller.single_access_allowed?)
+          end
+          
+          def params_key
+            build_key(self.class.params_key)
+          end
+          
+          def single_access?
+            single_access == true
+          end
+          
+          def single_access_allowed_request_types
+            self.class.single_access_allowed_request_types
+          end
+          
+          def params_credentials
+            controller.params[params_key]
+          end
+      end
     end
   end
 end

data/lib/authlogic/session/password.rb

@@ -0,0 +1,156 @@
+module Authlogic
+  module Session
+    # Handles authenticating via a traditional username and password.
+    module Password
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          validate :validate_by_password, :if => :authenticating_with_password?
+          
+          class << self
+            attr_accessor :configured_password_methods
+          end
+        end
+      end
+      
+      # Password configuration
+      module Config
+        # Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and making sure it exists. What method it uses the do this is up to you.
+        #
+        # Let's say you have a UserSession that is authenticating a User. By default UserSession will call User.find_by_login(login). You can change what method UserSession calls by specifying it here. Then
+        # in your User model you can make that method do anything you want, giving you complete control of how users are found by the UserSession.
+        #
+        # Let's take an example: You want to allow users to login by username or email. Set this to the name of the class method that does this in the User model. Let's call it "find_by_username_or_email"
+        #
+        #   class User < ActiveRecord::Base
+        #     def self.find_by_username_or_email(login)
+        #       find_by_username(login) || find_by_email(login)
+        #     end
+        #   end
+        #
+        # * <tt>Default:</tt> "find_by_#{login_field}"
+        # * <tt>Accepts:</tt> Symbol or String
+        def find_by_login_method(value = nil)
+          config(:find_by_login_method, value, "find_by_#{login_field}")
+        end
+        alias_method :find_by_login_method=, :find_by_login_method
+        
+        # The name of the method you want Authlogic to create for storing the login / username. Keep in mind this is just for your
+        # Authlogic::Session, if you want it can be something completely different than the field in your model. So if you wanted people to
+        # login with a field called "login" and then find users by email this is compeltely doable. See the find_by_login_method configuration
+        # option for more details.
+        #
+        # * <tt>Default:</tt> Uses the configuration option in your model: User.login_field
+        # * <tt>Accepts:</tt> Symbol or String
+        def login_field(value = nil)
+          config(:login_field, value, klass.login_field || klass.email_field)
+        end
+        alias_method :login_field=, :login_field
+        
+        # Works exactly like login_field, but for the password instead.
+        #
+        # * <tt>Default:</tt> :password
+        # * <tt>Accepts:</tt> Symbol or String
+        def password_field(value = nil)
+          config(:password_field, value, :password)
+        end
+        alias_method :password_field=, :password_field
+        
+        # The name of the method in your model used to verify the password. This should be an instance method. It should also be prepared to accept a raw password and a crytped password.
+        #
+        # * <tt>Default:</tt> "valid_#{password_field}?"
+        # * <tt>Accepts:</tt> Symbol or String
+        def verify_password_method(value = nil)
+          config(:verify_password_method, value, "valid_#{password_field}?")
+        end
+        alias_method :verify_password_method=, :verify_password_method
+      end
+      
+      # Password related instance methods
+      module InstanceMethods
+        def initialize(*args)
+          if !self.class.configured_password_methods
+            self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
+            self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
+            self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
+            self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
+
+            self.class.class_eval <<-"end_eval", __FILE__, __LINE__
+              private
+                # The password should not be accessible publicly. This way forms using form_for don't fill the password with the attempted password. The prevent this we just create this method that is private.
+                def protected_#{password_field}
+                  @#{password_field}
+                end
+            end_eval
+
+            self.class.configured_password_methods = true
+          end
+          
+          super
+        end
+        
+        def credentials
+          if authenticating_with_password?
+            details = {}
+            details[login_field.to_sym] = send(login_field)
+            details[password_field.to_sym] = "<protected>"
+            details
+          else
+            super
+          end
+        end
+        
+        def credentials=(value)
+          super
+          values = value.is_a?(Array) ? value : [value]
+          if values.first.is_a?(Hash)
+            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
+              next if value.blank?
+              send("#{field}=", value)
+            end
+          end
+        end
+        
+        private
+          def authenticating_with_password?
+            !send(login_field).nil? || !send("protected_#{password_field}").nil?
+          end
+          
+          def validate_by_password
+            errors.add(login_field, I18n.t('error_messages.login_blank', :default => "can not be blank")) if send(login_field).blank?
+            errors.add(password_field, I18n.t('error_messages.password_blank', :default => "can not be blank")) if send("protected_#{password_field}").blank?
+            return if errors.count > 0
+
+            self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+
+            if attempted_record.blank?
+              errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "does not exist"))
+              return
+            end
+
+            if !attempted_record.send(verify_password_method, send("protected_#{password_field}"))
+              errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
+              return
+            end
+          end
+          
+          def find_by_login_method
+            self.class.find_by_login_method
+          end
+          
+          def login_field
+            self.class.login_field
+          end
+          
+          def password_field
+            self.class.password_field
+          end
+          
+          def verify_password_method
+            self.class.verify_password_method
+          end
+      end
+    end
+  end
+end