authlogic 2.0.9 → 2.0.11

data/lib/authlogic/acts_as_authentic/password.rb

@@ -31,6 +31,16 @@ module Authlogic
         end
         alias_method :password_salt_field=, :password_salt_field
         
+        # Whether or not to require a password confirmation. If you don't want your users to confirm their password
+        # just set this to false.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def require_password_confirmation(value = nil)
+          config(:require_password_confirmation, value, true)
+        end
+        alias_method :require_password_confirmation=, :require_password_confirmation
+        
         # By default passwords are required when a record is new or the crypted_password is blank, but if both of these things
         # are met a password is not required. In this case, blank passwords are ignored.
         #
@@ -47,6 +57,23 @@ module Authlogic
         end
         alias_method :ignore_blank_passwords=, :ignore_blank_passwords
         
+        # When calling valid_password?("some pass") do you want to check that password against what's in that object or whats in
+        # the datbase. Take this example:
+        #
+        #   u = User.first
+        #   u.password = "new pass"
+        #   u.valid_password?("old pass")
+        #
+        # Should the last line above return true or false? The record hasn't been saved yet, so most would assume yes.
+        # Other would assume no. So I let you decide by giving you this option.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def check_passwords_against_database(value = nil)
+          config(:check_passwords_against_database, value, true)
+        end
+        alias_method :check_passwords_against_database=, :check_passwords_against_database
+        
         # Whether or not to validate the password field.
         #
         # * <tt>Default:</tt> true
@@ -58,6 +85,10 @@ module Authlogic
         
         # A hash of options for the validates_length_of call for the password field. Allows you to change this however you want.
         #
+        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
+        # merge options into it. Checkout the convenience function merge_validates_length_of_password_field_options to merge
+        # options.</b>
+        #
         # * <tt>Default:</tt> {:minimum => 4, :if => :require_password?}
         # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
         def validates_length_of_password_field_options(value = nil)
@@ -65,8 +96,23 @@ module Authlogic
         end
         alias_method :validates_length_of_password_field_options=, :validates_length_of_password_field_options
         
+        # A convenience function to merge options into the validates_length_of_login_field_options. So intead of:
+        #
+        #   self.validates_length_of_password_field_options = validates_length_of_password_field_options.merge(:my_option => my_value)
+        #
+        # You can do this:
+        #
+        #   merge_validates_length_of_password_field_options :my_option => my_value
+        def merge_validates_length_of_password_field_options(options = {})
+          self.validates_length_of_password_field_options = validates_length_of_password_field_options.merge(options)
+        end
+        
         # A hash of options for the validates_confirmation_of call for the password field. Allows you to change this however you want.
         #
+        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
+        # merge options into it. Checkout the convenience function merge_validates_length_of_login_field_options to merge
+        # options.</b>
+        #
         # * <tt>Default:</tt> {:minimum => 4, :if => "#{password_salt_field}_changed?".to_sym}
         # * <tt>Accepts:</tt> Hash of options accepted by validates_confirmation_of
         def validates_confirmation_of_password_field_options(value = nil)
@@ -74,8 +120,17 @@ module Authlogic
         end
         alias_method :validates_confirmation_of_password_field_options=, :validates_confirmation_of_password_field_options
         
+        # See merge_validates_length_of_password_field_options. The same thing, except for validates_confirmation_of_password_field_options
+        def merge_validates_confirmation_of_password_field_options(options = {})
+          self.validates_confirmation_of_password_field_options = validates_confirmation_of_password_field_options.merge(options)
+        end
+        
         # A hash of options for the validates_length_of call for the password_confirmation field. Allows you to change this however you want.
         #
+        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
+        # merge options into it. Checkout the convenience function merge_validates_length_of_login_field_options to merge
+        # options.</b>
+        #
         # * <tt>Default:</tt> validates_length_of_password_field_options
         # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
         def validates_length_of_password_confirmation_field_options(value = nil)
@@ -83,6 +138,11 @@ module Authlogic
         end
         alias_method :validates_length_of_password_confirmation_field_options=, :validates_length_of_password_confirmation_field_options
         
+        # See merge_validates_length_of_password_field_options. The same thing, except for validates_length_of_password_confirmation_field_options
+        def merge_validates_length_of_password_confirmation_field_options(options = {})
+          self.validates_length_of_password_confirmation_field_options = validates_length_of_password_confirmation_field_options.merge(options)
+        end
+        
         # The class you want to use to encrypt and verify your encrypted passwords. See the Authlogic::CryptoProviders module for more info
         # on the available methods and how to create your own.
         #
@@ -142,8 +202,11 @@ module Authlogic
             
             if validate_password_field
               validates_length_of :password, validates_length_of_password_field_options
-              validates_confirmation_of :password, validates_confirmation_of_password_field_options
-              validates_length_of :password_confirmation, validates_length_of_password_confirmation_field_options
+              
+              if require_password_confirmation
+                validates_confirmation_of :password, validates_confirmation_of_password_field_options
+                validates_length_of :password_confirmation, validates_length_of_password_confirmation_field_options
+              end
             end
             
             after_save :reset_password_changed
@@ -168,30 +231,23 @@ module Authlogic
             after_password_set
           end
         
-          # Accepts a raw password to determine if it is the correct password or not.
-          def valid_password?(attempted_password)
-            return false if attempted_password.blank? || send(crypted_password_field).blank?
-          
+          # Accepts a raw password to determine if it is the correct password or not. Notice the second argument. That defaults to the value of
+          # check_passwords_against_database. See that method for mor information, but basically it just tells Authlogic to check the password
+          # against the value in the database or the value in the object.
+          def valid_password?(attempted_password, check_against_database = check_passwords_against_database?)
+            crypted = check_against_database && send("#{crypted_password_field}_changed?") ? send("#{crypted_password_field}_was") : send(crypted_password_field)
+            return false if attempted_password.blank? || crypted.blank?
             before_password_verification
           
-            crypto_providers = [crypto_provider] + transition_from_crypto_providers
             crypto_providers.each_with_index do |encryptor, index|
               # The arguments_type of for the transitioning from restful_authentication
               arguments_type = (act_like_restful_authentication? && index == 0) ||
                 (transition_from_restful_authentication? && index > 0 && encryptor == Authlogic::CryptoProviders::Sha1) ?
                 :restful_authentication : nil
             
-              if encryptor.matches?(send(crypted_password_field), *encrypt_arguments(attempted_password, arguments_type))
-                # If we are transitioning from an older encryption algorithm and the password is still using the old algorithm
-                # then let's reset the password using the new algorithm. If the algorithm has a cost (BCrypt) and the cost has changed, update the password with
-                # the new cost.
-                if index > 0 || (encryptor.respond_to?(:cost_matches?) && !encryptor.cost_matches?(send(crypted_password_field)))
-                  self.password = attempted_password
-                  save(false)
-                end
-              
+              if encryptor.matches?(crypted, *encrypt_arguments(attempted_password, check_against_database, arguments_type))
+                transition_password(attempted_password) if transition_password?(index, encryptor, crypted, check_against_database)
                 after_password_verification
-              
                 return true
               end
             end
@@ -215,8 +271,18 @@ module Authlogic
           alias_method :randomize_password!, :reset_password!
         
           private
-            def encrypt_arguments(raw_password, arguments_type = nil)
-              salt = password_salt_field ? send(password_salt_field) : nil
+            def check_passwords_against_database?
+              self.class.check_passwords_against_database == true
+            end
+            
+            def crypto_providers
+              [crypto_provider] + transition_from_crypto_providers
+            end
+            
+            def encrypt_arguments(raw_password, check_against_database, arguments_type = nil)
+              salt = nil
+              salt = (check_against_database && send("#{password_salt_field}_changed?") ? send("#{password_salt_field}_was") : send(password_salt_field)) if password_salt_field
+              
               case arguments_type
               when :restful_authentication
                 [REST_AUTH_SITE_KEY, salt, raw_password, REST_AUTH_SITE_KEY].compact
@@ -224,6 +290,21 @@ module Authlogic
                 [raw_password, salt].compact
               end
             end
+            
+            # Determines if we need to tranisiton the password.
+            # If the index > 0 then we are using an "transition from" crypto provider.
+            # If the encryptor has a cost and the cost it outdated.
+            # If we aren't using database values
+            # If we are using database values, only if the password hasnt change so we don't overwrite any changes
+            def transition_password?(index, encryptor, crypted, check_against_database)
+              (index > 0 || (encryptor.respond_to?(:cost_matches?) && !encryptor.cost_matches?(send(crypted_password_field)))) &&
+                (!check_against_database || !send("#{crypted_password_field}_changed?"))
+            end
+            
+            def transition_password(attempted_password)
+              self.password = attempted_password
+              save(false)
+            end
           
             def require_password?
               new_record? || password_changed? || send(crypted_password_field).blank?

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -26,6 +26,17 @@ module Authlogic
       end
       
       module Config
+        # This is more of a convenience method. In order to turn off automatic maintenance of sessions just
+        # set this to false, or you can also set the session_ids method to a blank array. Both accomplish
+        # the same thing. This method is a little clearer in it's intentions though.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def maintain_sessions(value = nil)
+          config(:maintain_sessions, value, true)
+        end
+        alias_method :maintain_sessions=, :maintain_sessions
+        
         # As you may know, authlogic sessions can be separate by id (See Authlogic::Session::Base#id). You can
         # specify here what session ids you want auto maintained. By default it is the main session, which has
         # an id of nil.
@@ -74,7 +85,7 @@ module Authlogic
           end
           
           def update_sessions?
-            !skip_session_maintenance && session_class && session_class.activated? && !session_ids.blank? && persistence_token_changed?
+            !skip_session_maintenance && session_class && session_class.activated? && self.class.maintain_sessions == true && !session_ids.blank? && persistence_token_changed?
           end
           
           def get_session_information

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -34,7 +34,7 @@ module Authlogic
             include InstanceMethods
             validates_uniqueness_of :single_access_token, :if => :single_access_token_changed?
             before_validation :reset_single_access_token, :if => :reset_single_access_token?
-            after_password_set :reset_single_access_token, :if => :change_single_access_token_with_password?
+            after_password_set(:reset_single_access_token, :if => :change_single_access_token_with_password?) if respond_to?(:after_password_set)
           end
         end
         

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -42,8 +42,12 @@ module Authlogic
         controller.session
       end
       
+      def responds_to_single_access_allowed?
+        controller.respond_to?(:single_access_allowed?, true)
+      end
+      
       def single_access_allowed?
-        controller.respond_to?(:single_access_allowed?, true) && controller.send(:single_access_allowed?)
+        controller.send(:single_access_allowed?)
       end
       
       private

data/lib/authlogic/i18n.rb

@@ -45,7 +45,7 @@ module Authlogic
   #       user_session: (or whatever name you are using)
   #         login: login
   #         email: email
-  #         passwword: password
+  #         password: password
   #         remember_me: remember me
   class I18n
     class << self

data/lib/authlogic/session/http_auth.rb

@@ -1,23 +1,58 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with basic HTTP auth.
+    # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol:
+    #
+    #   http://username:password@whatever.com
+    #
+    # Also, if you are not comfortable letting users pass their raw username and password you can always use the single
+    # access token. See Authlogic::Session::Params for more info.
     module HttpAuth
       def self.included(klass)
-        klass.persist :persist_by_http_auth
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          persist :persist_by_http_auth, :if => :persist_by_http_auth?
+        end
       end
       
-      private
-        def persist_by_http_auth
-          controller.authenticate_with_http_basic do |login, password|
-            if !login.blank? && !password.blank?
-              send("#{login_field}=", login)
-              send("#{password_field}=", password)
-              return valid?
+      # Configuration for the HTTP basic auth feature of Authlogic.
+      module Config
+        # Do you want to allow your users to log in via HTTP basic auth?
+        #
+        # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable
+        # having your users provide their raw username and password. Whatever the reason, you can disable it here.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def allow_http_basic_auth(value = nil)
+          config(:allow_http_basic_auth, value, true)
+        end
+        alias_method :allow_http_basic_auth=, :allow_http_basic_auth
+      end
+      
+      # Instance methods for the HTTP basic auth feature of authlogic.
+      module InstanceMethods
+        private
+          def persist_by_http_auth?
+            allow_http_basic_auth? && login_field && password_field
+          end
+        
+          def persist_by_http_auth
+            controller.authenticate_with_http_basic do |login, password|
+              if !login.blank? && !password.blank?
+                send("#{login_field}=", login)
+                send("#{password_field}=", password)
+                return valid?
+              end
             end
+        
+            false
           end
         
-          false
-        end
+          def allow_http_basic_auth?
+            self.class.allow_http_basic_auth == true
+          end
+      end
     end
   end
 end

data/lib/authlogic/session/params.rb

@@ -48,10 +48,10 @@ module Authlogic
         alias_method :params_key=, :params_key
         
         # Authentication is allowed via a single access token, but maybe this is something you don't want for your application as a whole. Maybe this is something you only want for specific request types.
-        # Specify a list of allowed request types and single access authentication will only be allowed for the ones you specify. Checkout the "Single Access / Private Feeds Access" section in the README.
+        # Specify a list of allowed request types and single access authentication will only be allowed for the ones you specify.
         #
-        # * <tt>Default:</tt> "application/rss+xml", "application/atom+xml"
-        # * <tt>Accepts:</tt> String of request type, or :all to allow single access authentication for any and all request types
+        # * <tt>Default:</tt> ["application/rss+xml", "application/atom+xml"]
+        # * <tt>Accepts:</tt> String of a request type, or :all or :any to allow single access authentication for any and all request types
         def single_access_allowed_request_types(value = nil)
           config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
         end
@@ -68,10 +68,15 @@ module Authlogic
           end
           
           def params_enabled?
-            params_credentials && klass.column_names.include?("single_access_token") &&
-              (single_access_allowed_request_types.include?(controller.request_content_type) ||
-                single_access_allowed_request_types.include?(:all) ||
-                  controller.single_access_allowed?)
+            return false if !params_credentials || !klass.column_names.include?("single_access_token")
+            return controller.single_access_allowed? if controller.responds_to_single_access_allowed?
+            
+            case single_access_allowed_request_types
+            when Array
+              single_access_allowed_request_types.include?(controller.request_content_type) || single_access_allowed_request_types.include?(:all)
+            else
+              [:all, :any].include?(single_access_allowed_request_types)
+            end
           end
           
           def params_key

data/lib/authlogic/test_case.rb

@@ -5,10 +5,30 @@ require File.dirname(__FILE__) + "/test_case/mock_logger"
 require File.dirname(__FILE__) + "/test_case/mock_request"
 
 module Authlogic
-  # This is a collection of methods and classes that help you easily test Authlogic. In fact, I use these same tools
-  # to test the internals of Authlogic.
+  # This module is a collection of methods and classes that help you easily test Authlogic. In fact,
+  # I use these same tools to test the internals of Authlogic.
   #
-  # Some important things to keep in mind when testing:
+  # === The quick and dirty
+  #
+  #   require "authlogic/test_case" # include at the top of test_helper.rb
+  #   setup :activate_authlogic # run before tests are executed
+  #   UserSession.create(users(:whomever)) # logs a user in
+  #
+  # For a more detailed explanation, see below.
+  #
+  # === Setting up
+  #
+  # Authlogic comes with some simple testing tools. To get these, you need to first require Authlogic's TestCase. If
+  # you are doing this in a rails app, you would require this file at the top of your test_helper.rb file:
+  #
+  #   require "authlogic/test_case"
+  #
+  # If you are using Test::Unit::TestCase, the standard testing library that comes with ruby, then you can skip this next part.
+  # If you are not, you need to include the Authlogic::TestCase into your testing suite as follows:
+  #
+  #   include Authlogic::TestCase
+  #
+  # Now that everything is ready to go, let's move onto actually testing. Here is the basic idea behind testing:
   #
   # Authlogic requires a "connection" to your controller to activate it. In the same manner that ActiveRecord requires a connection to
   # your database. It can't do anything until it gets connnected. That being said, Authlogic will raise an
@@ -18,30 +38,38 @@ module Authlogic
   # === Functional tests
   #
   # Activating Authlogic isn't a problem here, because making a request will activate Authlogic for you. The problem is
-  # logging users in so they can access restricted areas. Solvin this is simple, just do this:
+  # logging users in so they can access restricted areas. Solving this is simple, just do this:
   #
   #   setup :activate_authlogic
   #
-  # Now log users in using Authlogic:
+  # For those of you unfamiliar with TestUnit, the setup method bascially just executes a method before any test is ran.
+  # It is essentially "setting up" your tests.
+  #
+  # Once you have done this, just log users in like usual:
   #
   #   UserSession.create(users(:whomever))
+  #   # access my restricted area here
   #
   # Do this before you make your request and it will act as if that user is logged in.
   #
   # === Integration tests
   #
   # Again, just like functional tests, you don't have to do anything. As soon as you make a request, Authlogic will be
-  # conntected.
+  # conntected. If you want to activate Authlogic before making a request follow the same steps described in the
+  # "functional tests" section above. It works in the same manner.
   #
   # === Unit tests
   #
-  # The only time you need to do any trickiness here is if you want to test Authlogic yourself. Maybe you added some custom
-  # code or methods in your Session class. Maybe you are writing a plugin or a library that extends Authlogic. Whatever it is
-  # you need to make sure your code is tested and working properly.
+  # The only time you need to do any trickiness here is if you want to test Authlogic models. Maybe you added some custom
+  # code or methods in your Authlogic models. Maybe you are writing a plugin or a library that extends Authlogic.
   #
-  # That being said, in this environment there is no controller. So you need to "fake" Authlogic into
-  # thinking there is. Don't worry, because the this module takes care of this for you. Just do the following
-  # in your test's setup and you are good to go:
+  # That being said, in this environment there is no controller. So you need to use a "mock" controller. Something
+  # that looks like a controller, acts like a controller, but isn't a "real" controller. You are essentially connecting
+  # Authlogic to your "mock" controller, then you can test off of the mock controller to make sure everything is functioning
+  # properly.
+  # 
+  # I use a mock controller to test Authlogic myself. It's part of the Authlogic library that you can easily use. It's as simple
+  # as functional and integration tests. Just do the following:
   #
   #   setup :activate_authlogic
   #
@@ -52,13 +80,7 @@ module Authlogic
   #   assert UserSession.create(ben)
   #   assert_equal controller.session["user_credentials"], ben.persistence_token
   #
-  # That's it.
-  #
-  # === How to use
-  #
-  # Just require the file in your test_helper.rb file.
-  #
-  #   require "authlogic/test_case"
+  # See how I am checking that Authlogic is interacting with the controller properly? That's the idea here.
   module TestCase
     # Activates authlogic so that you can use it in your tests. You should call this method in your test's setup. Ex:
     #
@@ -74,5 +96,5 @@ module Authlogic
     end
   end
   
-  ::Test::Unit::TestCase.send(:include, TestCase)
+  ::Test::Unit::TestCase.send(:include, TestCase) if defined?(::Test::Unit::TestCase)
 end