authlogic 3.4.6 → 4.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/.github/ISSUE_TEMPLATE.md +13 -0
- data/.github/triage.md +87 -0
- data/.gitignore +4 -0
- data/.rubocop.yml +127 -0
- data/.rubocop_todo.yml +65 -0
- data/.travis.yml +18 -10
- data/CHANGELOG.md +156 -6
- data/CONTRIBUTING.md +71 -3
- data/Gemfile +2 -2
- data/README.md +386 -0
- data/Rakefile +13 -7
- data/UPGRADING.md +22 -0
- data/authlogic.gemspec +33 -22
- data/lib/authlogic.rb +60 -52
- data/lib/authlogic/acts_as_authentic/base.rb +40 -26
- data/lib/authlogic/acts_as_authentic/email.rb +96 -32
- data/lib/authlogic/acts_as_authentic/logged_in_status.rb +36 -12
- data/lib/authlogic/acts_as_authentic/login.rb +114 -49
- data/lib/authlogic/acts_as_authentic/magic_columns.rb +17 -6
- data/lib/authlogic/acts_as_authentic/password.rb +296 -139
- data/lib/authlogic/acts_as_authentic/perishable_token.rb +34 -20
- data/lib/authlogic/acts_as_authentic/persistence_token.rb +20 -24
- data/lib/authlogic/acts_as_authentic/queries/find_with_case.rb +67 -0
- data/lib/authlogic/acts_as_authentic/restful_authentication.rb +68 -23
- data/lib/authlogic/acts_as_authentic/session_maintenance.rb +128 -85
- data/lib/authlogic/acts_as_authentic/single_access_token.rb +41 -25
- data/lib/authlogic/acts_as_authentic/validations_scope.rb +8 -8
- data/lib/authlogic/authenticates_many/association.rb +22 -14
- data/lib/authlogic/authenticates_many/base.rb +35 -16
- data/lib/authlogic/config.rb +10 -10
- data/lib/authlogic/controller_adapters/abstract_adapter.rb +40 -12
- data/lib/authlogic/controller_adapters/rack_adapter.rb +15 -8
- data/lib/authlogic/controller_adapters/rails_adapter.rb +42 -22
- data/lib/authlogic/controller_adapters/sinatra_adapter.rb +3 -3
- data/lib/authlogic/crypto_providers.rb +91 -0
- data/lib/authlogic/crypto_providers/aes256.rb +42 -14
- data/lib/authlogic/crypto_providers/bcrypt.rb +35 -20
- data/lib/authlogic/crypto_providers/md5.rb +11 -9
- data/lib/authlogic/crypto_providers/scrypt.rb +26 -13
- data/lib/authlogic/crypto_providers/sha1.rb +14 -8
- data/lib/authlogic/crypto_providers/sha256.rb +16 -12
- data/lib/authlogic/crypto_providers/sha512.rb +8 -24
- data/lib/authlogic/crypto_providers/wordpress.rb +44 -15
- data/lib/authlogic/i18n.rb +33 -20
- data/lib/authlogic/i18n/translator.rb +1 -1
- data/lib/authlogic/random.rb +12 -29
- data/lib/authlogic/regex.rb +59 -27
- data/lib/authlogic/session/activation.rb +36 -23
- data/lib/authlogic/session/active_record_trickery.rb +13 -10
- data/lib/authlogic/session/base.rb +20 -8
- data/lib/authlogic/session/brute_force_protection.rb +87 -56
- data/lib/authlogic/session/callbacks.rb +99 -49
- data/lib/authlogic/session/cookies.rb +128 -59
- data/lib/authlogic/session/existence.rb +29 -19
- data/lib/authlogic/session/foundation.rb +70 -16
- data/lib/authlogic/session/http_auth.rb +39 -31
- data/lib/authlogic/session/id.rb +27 -15
- data/lib/authlogic/session/klass.rb +17 -13
- data/lib/authlogic/session/magic_columns.rb +78 -59
- data/lib/authlogic/session/magic_states.rb +50 -27
- data/lib/authlogic/session/params.rb +79 -50
- data/lib/authlogic/session/password.rb +197 -118
- data/lib/authlogic/session/perishable_token.rb +12 -6
- data/lib/authlogic/session/persistence.rb +20 -14
- data/lib/authlogic/session/priority_record.rb +20 -16
- data/lib/authlogic/session/scopes.rb +63 -33
- data/lib/authlogic/session/session.rb +40 -25
- data/lib/authlogic/session/timeout.rb +51 -34
- data/lib/authlogic/session/unauthorized_record.rb +24 -18
- data/lib/authlogic/session/validation.rb +32 -21
- data/lib/authlogic/test_case.rb +123 -35
- data/lib/authlogic/test_case/mock_controller.rb +14 -13
- data/lib/authlogic/test_case/mock_cookie_jar.rb +14 -5
- data/lib/authlogic/test_case/mock_logger.rb +1 -1
- data/lib/authlogic/test_case/mock_request.rb +9 -4
- data/lib/authlogic/test_case/rails_request_adapter.rb +8 -7
- data/lib/authlogic/version.rb +21 -0
- data/test/acts_as_authentic_test/base_test.rb +1 -1
- data/test/acts_as_authentic_test/email_test.rb +80 -63
- data/test/acts_as_authentic_test/logged_in_status_test.rb +14 -8
- data/test/acts_as_authentic_test/login_test.rb +91 -49
- data/test/acts_as_authentic_test/magic_columns_test.rb +13 -13
- data/test/acts_as_authentic_test/password_test.rb +82 -60
- data/test/acts_as_authentic_test/perishable_token_test.rb +31 -25
- data/test/acts_as_authentic_test/persistence_token_test.rb +9 -5
- data/test/acts_as_authentic_test/restful_authentication_test.rb +18 -9
- data/test/acts_as_authentic_test/session_maintenance_test.rb +86 -22
- data/test/acts_as_authentic_test/single_access_test.rb +15 -15
- data/test/adapter_test.rb +21 -0
- data/test/authenticates_many_test.rb +26 -11
- data/test/config_test.rb +9 -9
- data/test/crypto_provider_test/aes256_test.rb +3 -3
- data/test/crypto_provider_test/bcrypt_test.rb +1 -1
- data/test/crypto_provider_test/scrypt_test.rb +2 -2
- data/test/crypto_provider_test/sha1_test.rb +4 -4
- data/test/crypto_provider_test/sha256_test.rb +2 -2
- data/test/crypto_provider_test/sha512_test.rb +3 -3
- data/test/crypto_provider_test/wordpress_test.rb +24 -0
- data/test/gemfiles/Gemfile.rails-4.2.x +2 -2
- data/test/gemfiles/Gemfile.rails-5.0.x +6 -0
- data/test/gemfiles/Gemfile.rails-5.1.x +6 -0
- data/test/gemfiles/Gemfile.rails-5.2.x +6 -0
- data/test/gemfiles/Gemfile.rails-master +6 -0
- data/test/i18n_test.rb +9 -9
- data/test/libs/affiliate.rb +2 -2
- data/test/libs/company.rb +4 -4
- data/test/libs/employee.rb +2 -2
- data/test/libs/employee_session.rb +1 -1
- data/test/libs/ldaper.rb +1 -1
- data/test/libs/project.rb +1 -1
- data/test/libs/user_session.rb +2 -2
- data/test/random_test.rb +9 -38
- data/test/session_test/activation_test.rb +7 -7
- data/test/session_test/active_record_trickery_test.rb +9 -6
- data/test/session_test/brute_force_protection_test.rb +26 -21
- data/test/session_test/callbacks_test.rb +10 -4
- data/test/session_test/cookies_test.rb +54 -20
- data/test/session_test/existence_test.rb +45 -23
- data/test/session_test/foundation_test.rb +17 -1
- data/test/session_test/http_auth_test.rb +11 -12
- data/test/session_test/id_test.rb +3 -3
- data/test/session_test/klass_test.rb +2 -2
- data/test/session_test/magic_columns_test.rb +15 -17
- data/test/session_test/magic_states_test.rb +17 -19
- data/test/session_test/params_test.rb +26 -20
- data/test/session_test/password_test.rb +11 -12
- data/test/session_test/perishability_test.rb +5 -5
- data/test/session_test/persistence_test.rb +4 -3
- data/test/session_test/scopes_test.rb +15 -9
- data/test/session_test/session_test.rb +7 -6
- data/test/session_test/timeout_test.rb +16 -14
- data/test/session_test/unauthorized_record_test.rb +3 -3
- data/test/session_test/validation_test.rb +5 -5
- data/test/test_helper.rb +115 -49
- metadata +107 -36
- data/README.rdoc +0 -232
- data/test/gemfiles/Gemfile.rails-3.2.x +0 -7
- data/test/gemfiles/Gemfile.rails-4.0.x +0 -7
- data/test/gemfiles/Gemfile.rails-4.1.x +0 -7
data/CONTRIBUTING.md
CHANGED
@@ -1,10 +1,78 @@
|
|
1
|
+
# Contributing to Authlogic
|
2
|
+
|
3
|
+
## Issues
|
4
|
+
|
5
|
+
### Security Issues
|
6
|
+
|
7
|
+
**Do not disclose security issues in public.** Instead, please email:
|
8
|
+
|
9
|
+
```
|
10
|
+
Ben Johnson <bjohnson@binarylogic.com>,
|
11
|
+
Tieg Zaharia <tieg.zaharia@gmail.com>
|
12
|
+
Jared Beck <jared@jaredbeck.com>
|
13
|
+
```
|
14
|
+
|
15
|
+
We will review security issues promptly.
|
16
|
+
|
17
|
+
### Non-Security Issues
|
18
|
+
|
19
|
+
Please use github issues only for bug reports and feature requests.
|
20
|
+
|
21
|
+
### Usage Questions
|
22
|
+
|
23
|
+
Please ask usage questions on
|
24
|
+
[stackoverflow](http://stackoverflow.com/questions/tagged/authlogic).
|
25
|
+
|
26
|
+
## Development
|
27
|
+
|
28
|
+
Most local development should be done using the oldest supported version of
|
29
|
+
ruby. See `required_ruby_version` in the gemspec.
|
1
30
|
|
2
31
|
### Testing
|
3
32
|
|
4
|
-
Tests can be
|
33
|
+
Tests can be run against different versions of Rails like so:
|
5
34
|
|
6
35
|
```
|
7
|
-
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-
|
8
|
-
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-
|
36
|
+
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle install
|
37
|
+
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle exec rake
|
38
|
+
```
|
39
|
+
|
40
|
+
To run a single test:
|
41
|
+
|
9
42
|
```
|
43
|
+
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x \
|
44
|
+
bundle exec ruby -I test path/to/test.rb
|
45
|
+
```
|
46
|
+
|
47
|
+
Bundler can be omitted, and the latest installed version of a gem dependency
|
48
|
+
will be used. This is only suitable for certain unit tests.
|
49
|
+
|
50
|
+
```
|
51
|
+
ruby –I test path/to/test.rb
|
52
|
+
```
|
53
|
+
|
54
|
+
### Linting
|
55
|
+
|
56
|
+
Running `rake` also runs a linter, rubocop. Contributions must pass both
|
57
|
+
the linter and the tests. The linter can be run on its own.
|
58
|
+
|
59
|
+
```
|
60
|
+
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle exec rubocop
|
61
|
+
```
|
62
|
+
|
63
|
+
To run the tests without linting, use `rake test`.
|
64
|
+
|
65
|
+
```
|
66
|
+
BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle exec rake test
|
67
|
+
```
|
68
|
+
|
69
|
+
### Release
|
10
70
|
|
71
|
+
1. Update version number in lib/authlogic/version.rb
|
72
|
+
1. Add release date to changelog entry
|
73
|
+
1. Add a new "Unreleased" section at top of changelog
|
74
|
+
1. Commit with message like "Release 3.6.0"
|
75
|
+
1. git tag -a -m "v3.6.0" "v3.6.0" # or whatever number
|
76
|
+
1. git push --tags origin 3-stable # or whatever branch
|
77
|
+
1. gem build authlogic.gemspec
|
78
|
+
1. gem push authlogic-3.6.0
|
data/Gemfile
CHANGED
data/README.md
ADDED
@@ -0,0 +1,386 @@
|
|
1
|
+
# Authlogic
|
2
|
+
|
3
|
+
A clean, simple, and unobtrusive ruby authentication solution.
|
4
|
+
|
5
|
+
[![Gem Version][5]][6] [![Build Status][1]][2] [![Code Climate][7]][8] [![Dependency Status][3]][4]
|
6
|
+
|
7
|
+
## Sponsors
|
8
|
+
|
9
|
+
[](https://timber.io?utm_source=github&utm_medium=authlogic)
|
10
|
+
|
11
|
+
[Tail Authlogic users](https://timber.io/docs/app/console/tail-a-user) in your logs!
|
12
|
+
|
13
|
+
## Documentation
|
14
|
+
|
15
|
+
| Version | Documentation |
|
16
|
+
| ----------- | ------------- |
|
17
|
+
| Unreleased | https://github.com/binarylogic/authlogic/blob/master/README.md |
|
18
|
+
| 3.7.0 | https://github.com/binarylogic/authlogic/blob/v3.7.0/README.md |
|
19
|
+
| 2.1.11 | https://github.com/binarylogic/authlogic/blob/v2.1.11/README.rdoc |
|
20
|
+
| 1.4.3 | https://github.com/binarylogic/authlogic/blob/v1.4.3/README.rdoc |
|
21
|
+
|
22
|
+
## Table of Contents
|
23
|
+
|
24
|
+
- [1. Introduction](#1-introduction)
|
25
|
+
- [1.a. Compatibility](#1a-compatibility)
|
26
|
+
- [1.b. Overview](#1b-overview)
|
27
|
+
- [1.c. Reference Documentation](#1c-reference-documentation)
|
28
|
+
- [2. Rails](#2-rails)
|
29
|
+
- [2.a. The users table](#2a-the-users-table)
|
30
|
+
- [2.b. Controller](#2b-controller)
|
31
|
+
- [2.c. View](#2c-view)
|
32
|
+
- [2.d. CSRF Protection](#2d-csrf-protection)
|
33
|
+
- [3. Testing](#3-testing)
|
34
|
+
- [4. Helpful links](#4-helpful-links)
|
35
|
+
- [5. Add-ons](#5-add-ons)
|
36
|
+
- [6. Internals](#6-internals)
|
37
|
+
|
38
|
+
## 1. Introduction
|
39
|
+
|
40
|
+
### 1.a. Compatibility
|
41
|
+
|
42
|
+
| Version | branches | tag | ruby | activerecord |
|
43
|
+
| ---------- | ---------------- | ------- | -------- | ------------- |
|
44
|
+
| Unreleased | master, 4-stable | | >= 2.2.0 | >= 4.2, < 5.3 |
|
45
|
+
| 3 | 3-stable | v3.6.0 | >= 1.9.3 | >= 3.2, < 5.2 |
|
46
|
+
| 2 | rails2 | v2.1.11 | >= 1.9.3 | ~> 2.3.0 |
|
47
|
+
| 1 | ? | v1.4.3 | ? | ? |
|
48
|
+
|
49
|
+
### 1.b. Overview
|
50
|
+
|
51
|
+
Authlogic introduces a new type of model. You can have as many as you want, and
|
52
|
+
name them whatever you want, just like your other models. In this example, we
|
53
|
+
want to authenticate with our `User` model, which is inferred from the name:
|
54
|
+
|
55
|
+
```ruby
|
56
|
+
class UserSession < Authlogic::Session::Base
|
57
|
+
# specify configuration here, such as:
|
58
|
+
# logout_on_timeout true
|
59
|
+
# ...many more options in the documentation
|
60
|
+
end
|
61
|
+
```
|
62
|
+
|
63
|
+
In a `UserSessionsController`, login the user by using it just like your other models:
|
64
|
+
|
65
|
+
```ruby
|
66
|
+
UserSession.create(:login => "bjohnson", :password => "my password", :remember_me => true)
|
67
|
+
|
68
|
+
session = UserSession.new(:login => "bjohnson", :password => "my password", :remember_me => true)
|
69
|
+
session.save
|
70
|
+
|
71
|
+
# requires the authlogic-oid "add on" gem
|
72
|
+
UserSession.create(:openid_identifier => "identifier", :remember_me => true)
|
73
|
+
|
74
|
+
# skip authentication and log the user in directly, the true means "remember me"
|
75
|
+
UserSession.create(my_user_object, true)
|
76
|
+
```
|
77
|
+
|
78
|
+
The above handles the entire authentication process for you by:
|
79
|
+
|
80
|
+
1. authenticating (i.e. **validating** the record)
|
81
|
+
2. sets up the proper session values and cookies to persist the session (i.e. **saving** the record).
|
82
|
+
|
83
|
+
You can also log out (i.e. **destroying** the session):
|
84
|
+
|
85
|
+
``` ruby
|
86
|
+
session.destroy
|
87
|
+
```
|
88
|
+
|
89
|
+
After a session has been created, you can persist it (i.e. **finding** the
|
90
|
+
record) across requests. Thus keeping the user logged in:
|
91
|
+
|
92
|
+
``` ruby
|
93
|
+
session = UserSession.find
|
94
|
+
```
|
95
|
+
|
96
|
+
To get all of the nice authentication functionality in your model just do this:
|
97
|
+
|
98
|
+
```ruby
|
99
|
+
class User < ActiveRecord::Base
|
100
|
+
acts_as_authentic do |c|
|
101
|
+
c.my_config_option = my_value
|
102
|
+
end # the configuration block is optional
|
103
|
+
end
|
104
|
+
```
|
105
|
+
|
106
|
+
This handles validations, etc. It is also "smart" in the sense that it if a
|
107
|
+
login field is present it will use that to authenticate, if not it will look for
|
108
|
+
an email field, etc. This is all configurable, but for 99% of cases that above
|
109
|
+
is all you will need to do.
|
110
|
+
|
111
|
+
You may specify how passwords are cryptographically hashed (or encrypted) by
|
112
|
+
setting the Authlogic::CryptoProvider option:
|
113
|
+
|
114
|
+
``` ruby
|
115
|
+
c.crypto_provider = Authlogic::CryptoProviders::BCrypt
|
116
|
+
```
|
117
|
+
|
118
|
+
You may validate international email addresses by enabling the provided alternate regex:
|
119
|
+
|
120
|
+
``` ruby
|
121
|
+
c.validates_format_of_email_field_options = {:with => Authlogic::Regex.email_nonascii}
|
122
|
+
```
|
123
|
+
|
124
|
+
Also, sessions are automatically maintained. You can switch this on and off with
|
125
|
+
configuration, but the following will automatically log a user in after a
|
126
|
+
successful registration:
|
127
|
+
|
128
|
+
``` ruby
|
129
|
+
User.create(params[:user])
|
130
|
+
```
|
131
|
+
|
132
|
+
You can switch this on and off with the following configuration:
|
133
|
+
|
134
|
+
```ruby
|
135
|
+
class User < ActiveRecord::Base
|
136
|
+
acts_as_authentic do |c|
|
137
|
+
c.log_in_after_create = false
|
138
|
+
end # the configuration block is optional
|
139
|
+
end
|
140
|
+
```
|
141
|
+
|
142
|
+
Authlogic also updates the session when the user changes his/her password. You can also switch this on and off with the following configuration:
|
143
|
+
|
144
|
+
```ruby
|
145
|
+
class User < ActiveRecord::Base
|
146
|
+
acts_as_authentic do |c|
|
147
|
+
c.log_in_after_password_change = false
|
148
|
+
end # the configuration block is optional
|
149
|
+
end
|
150
|
+
```
|
151
|
+
|
152
|
+
Authlogic is very flexible, it has a strong public API and a plethora of hooks
|
153
|
+
to allow you to modify behavior and extend it. Check out the helpful links below
|
154
|
+
to dig deeper.
|
155
|
+
|
156
|
+
### 1.c. Reference Documentation
|
157
|
+
|
158
|
+
This README is just an introduction, but we also have [reference
|
159
|
+
documentation](http://www.rubydoc.info/github/binarylogic/authlogic).
|
160
|
+
|
161
|
+
**To use the reference documentation, you must understand how Authlogic's
|
162
|
+
code is organized.** There are 2 models, your Authlogic model and your
|
163
|
+
ActiveRecord model:
|
164
|
+
|
165
|
+
1. **Authlogic::Session**, your session models that
|
166
|
+
extend `Authlogic::Session::Base`.
|
167
|
+
2. **Authlogic::ActsAsAuthentic**, which adds in functionality to your
|
168
|
+
ActiveRecord model when you call `acts_as_authentic`.
|
169
|
+
|
170
|
+
Each of the above has various modules that are organized by topic: passwords,
|
171
|
+
cookies, etc. For example, if you want to timeout users after a certain period
|
172
|
+
of inactivity, you would look in `Authlogic::Session::Timeout`.
|
173
|
+
|
174
|
+
## 2. Rails
|
175
|
+
|
176
|
+
Let's walk through a typical rails setup.
|
177
|
+
|
178
|
+
### 2.a. The users table
|
179
|
+
|
180
|
+
If you want to enable all the features of Authlogic, a migration to create a
|
181
|
+
`User` model might look like this:
|
182
|
+
|
183
|
+
``` ruby
|
184
|
+
class CreateUser < ActiveRecord::Migration
|
185
|
+
def change
|
186
|
+
create_table :users do |t|
|
187
|
+
# Authlogic::ActsAsAuthentic::Email
|
188
|
+
t.string :email
|
189
|
+
|
190
|
+
# Authlogic::ActsAsAuthentic::Password
|
191
|
+
t.string :crypted_password
|
192
|
+
t.string :password_salt
|
193
|
+
|
194
|
+
# Authlogic::ActsAsAuthentic::PersistenceToken
|
195
|
+
t.string :persistence_token
|
196
|
+
t.index :persistence_token, unique: true
|
197
|
+
|
198
|
+
# Authlogic::ActsAsAuthentic::SingleAccessToken
|
199
|
+
t.string :single_access_token
|
200
|
+
t.index :single_access_token, unique: true
|
201
|
+
|
202
|
+
# Authlogic::ActsAsAuthentic::PerishableToken
|
203
|
+
t.string :perishable_token
|
204
|
+
t.index :perishable_token, unique: true
|
205
|
+
|
206
|
+
# Authlogic::Session::MagicColumns
|
207
|
+
t.integer :login_count, default: 0, null: false
|
208
|
+
t.integer :failed_login_count, default: 0, null: false
|
209
|
+
t.datetime :last_request_at
|
210
|
+
t.datetime :current_login_at
|
211
|
+
t.datetime :last_login_at
|
212
|
+
t.string :current_login_ip
|
213
|
+
t.string :last_login_ip
|
214
|
+
|
215
|
+
# Authlogic::Session::MagicStates
|
216
|
+
t.boolean :active, default: false
|
217
|
+
t.boolean :approved, default: false
|
218
|
+
t.boolean :confirmed, default: false
|
219
|
+
|
220
|
+
t.timestamps
|
221
|
+
end
|
222
|
+
end
|
223
|
+
end
|
224
|
+
```
|
225
|
+
|
226
|
+
### 2.b. Controller
|
227
|
+
|
228
|
+
Your sessions controller will look just like your other controllers.
|
229
|
+
|
230
|
+
```ruby
|
231
|
+
class UserSessionsController < ApplicationController
|
232
|
+
def new
|
233
|
+
@user_session = UserSession.new
|
234
|
+
end
|
235
|
+
|
236
|
+
def create
|
237
|
+
@user_session = UserSession.new(user_session_params)
|
238
|
+
if @user_session.save
|
239
|
+
redirect_to account_url
|
240
|
+
else
|
241
|
+
render :action => :new
|
242
|
+
end
|
243
|
+
end
|
244
|
+
|
245
|
+
def destroy
|
246
|
+
current_user_session.destroy
|
247
|
+
redirect_to new_user_session_url
|
248
|
+
end
|
249
|
+
|
250
|
+
private
|
251
|
+
|
252
|
+
def user_session_params
|
253
|
+
params.require(:user_session).permit(:email, :password, :remember_me)
|
254
|
+
end
|
255
|
+
end
|
256
|
+
```
|
257
|
+
|
258
|
+
As you can see, this fits nicely into the [conventional controller methods][9].
|
259
|
+
|
260
|
+
#### 2.b.1. Helper Methods
|
261
|
+
|
262
|
+
```ruby
|
263
|
+
class ApplicationController
|
264
|
+
helper_method :current_user_session, :current_user
|
265
|
+
|
266
|
+
private
|
267
|
+
def current_user_session
|
268
|
+
return @current_user_session if defined?(@current_user_session)
|
269
|
+
@current_user_session = UserSession.find
|
270
|
+
end
|
271
|
+
|
272
|
+
def current_user
|
273
|
+
return @current_user if defined?(@current_user)
|
274
|
+
@current_user = current_user_session && current_user_session.user
|
275
|
+
end
|
276
|
+
end
|
277
|
+
```
|
278
|
+
|
279
|
+
### 2.c. View
|
280
|
+
|
281
|
+
```erb
|
282
|
+
<%= form_for @user_session do |f| %>
|
283
|
+
<% if @user_session.errors.any? %>
|
284
|
+
<div id="error_explanation">
|
285
|
+
<h2><%= pluralize(@user_session.errors.count, "error") %> prohibited:</h2>
|
286
|
+
<ul>
|
287
|
+
<% @user_session.errors.full_messages.each do |msg| %>
|
288
|
+
<li><%= msg %></li>
|
289
|
+
<% end %>
|
290
|
+
</ul>
|
291
|
+
</div>
|
292
|
+
<% end %>
|
293
|
+
<%= f.label :login %><br />
|
294
|
+
<%= f.text_field :login %><br />
|
295
|
+
<br />
|
296
|
+
<%= f.label :password %><br />
|
297
|
+
<%= f.password_field :password %><br />
|
298
|
+
<br />
|
299
|
+
<%= f.submit "Login" %>
|
300
|
+
<% end %>
|
301
|
+
```
|
302
|
+
|
303
|
+
### 2.d. CSRF Protection
|
304
|
+
|
305
|
+
Because Authlogic introduces its own methods for storing user sessions, the CSRF
|
306
|
+
(Cross Site Request Forgery) protection that is built into Rails will not work
|
307
|
+
out of the box.
|
308
|
+
|
309
|
+
No generally applicable mitigation by the authlogic library is possible, because
|
310
|
+
the instance variable you use to store a reference to the user session in `def
|
311
|
+
current_user_session` will not be known to authlogic.
|
312
|
+
|
313
|
+
You will need to override `ActionController::Base#handle_unverified_request` to
|
314
|
+
do something appropriate to how your app handles user sessions, e.g.:
|
315
|
+
|
316
|
+
```ruby
|
317
|
+
class ApplicationController < ActionController::Base
|
318
|
+
...
|
319
|
+
protected
|
320
|
+
|
321
|
+
def handle_unverified_request
|
322
|
+
# raise an exception
|
323
|
+
fail ActionController::InvalidAuthenticityToken
|
324
|
+
# or destroy session, redirect
|
325
|
+
if current_user_session
|
326
|
+
current_user_session.destroy
|
327
|
+
end
|
328
|
+
redirect_to root_url
|
329
|
+
end
|
330
|
+
end
|
331
|
+
```
|
332
|
+
|
333
|
+
## 3. Testing
|
334
|
+
|
335
|
+
See [Authlogic::TestCase](https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/test_case.rb)
|
336
|
+
|
337
|
+
## 4. Helpful links
|
338
|
+
|
339
|
+
* <b>API Reference:</b> http://www.rubydoc.info/github/binarylogic/authlogic
|
340
|
+
* <b>Repository:</b> https://github.com/binarylogic/authlogic/tree/master
|
341
|
+
* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
|
342
|
+
* <b>Example repository with tutorial in README:</b> https://github.com/binarylogic/authlogic_example/tree/master
|
343
|
+
* <b>Tutorial</b>: Rails Authentication with Authlogic https://www.sitepoint.com/rails-authentication-with-authlogic
|
344
|
+
* <b>Issues:</b> https://github.com/binarylogic/authlogic/issues
|
345
|
+
* <b>Chrome is not logging out on browser close</b> https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion
|
346
|
+
|
347
|
+
## 5. Add-ons
|
348
|
+
|
349
|
+
* <b>Authlogic OpenID addon:</b> https://github.com/binarylogic/authlogic_openid
|
350
|
+
* <b>Authlogic LDAP addon:</b> https://github.com/binarylogic/authlogic_ldap
|
351
|
+
* <b>Authlogic Facebook Connect:</b> https://github.com/kalasjocke/authlogic-facebook-connect
|
352
|
+
* <b>Authlogic Facebook Connect (New JS API):</b> https://github.com/studybyte/authlogic_facebook_connect
|
353
|
+
* <b>Authlogic Facebook Shim</b> https://github.com/james2m/authlogic_facebook_shim
|
354
|
+
* <b>Authlogic OAuth (Twitter):</b> https://github.com/jrallison/authlogic_oauth
|
355
|
+
* <b>Authlogic Oauth and OpenID:</b> https://github.com/lancejpollard/authlogic-connect
|
356
|
+
* <b>Authlogic PAM:</b> https://github.com/nbudin/authlogic_pam
|
357
|
+
* <b>Authlogic x509:</b> https://github.com/auth-scc/authlogic_x509
|
358
|
+
|
359
|
+
If you create one of your own, please let us know about it so we can add it to
|
360
|
+
this list. Or just fork the project, add your link, and send us a pull request.
|
361
|
+
|
362
|
+
## 6. Internals
|
363
|
+
|
364
|
+
Interested in how all of this all works? Think about an ActiveRecord model. A
|
365
|
+
database connection must be established before you can use it. In the case of
|
366
|
+
Authlogic, a controller connection must be established before you can use it. It
|
367
|
+
uses that controller connection to modify cookies, the current session, login
|
368
|
+
with HTTP basic, etc. It connects to the controller through a before filter that
|
369
|
+
is automatically set in your controller which lets Authlogic know about the
|
370
|
+
current controller object. Then Authlogic leverages that to do everything, it's
|
371
|
+
a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the
|
372
|
+
tools your framework provides in the controller object.
|
373
|
+
|
374
|
+
## Intellectual Property
|
375
|
+
|
376
|
+
Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license
|
377
|
+
|
378
|
+
[1]: https://api.travis-ci.org/binarylogic/authlogic.svg?branch=master
|
379
|
+
[2]: https://travis-ci.org/binarylogic/authlogic
|
380
|
+
[3]: https://gemnasium.com/badges/github.com/binarylogic/authlogic.svg
|
381
|
+
[4]: https://gemnasium.com/binarylogic/authlogic
|
382
|
+
[5]: https://badge.fury.io/rb/authlogic.png
|
383
|
+
[6]: http://badge.fury.io/rb/authlogic
|
384
|
+
[7]: https://codeclimate.com/github/binarylogic/authlogic.png
|
385
|
+
[8]: https://codeclimate.com/github/binarylogic/authlogic
|
386
|
+
[9]: http://guides.rubyonrails.org/routing.html#resource-routing-the-rails-default
|