authlogic 3.8.0 → 6.0.0

data/lib/authlogic/session/existence.rb

@@ -1,93 +0,0 @@
-module Authlogic
-  module Session
-    # Provides methods to create and destroy objects. Basically controls their "existence".
-    module Existence
-      class SessionInvalidError < ::StandardError # :nodoc:
-        def initialize(session)
-          super("Your session is invalid and has the following errors: #{session.errors.full_messages.to_sentence}")
-        end
-      end
-
-      def self.included(klass)
-        klass.class_eval do
-          extend ClassMethods
-          include InstanceMethods
-          attr_accessor :new_session, :record
-        end
-      end
-
-      module ClassMethods
-        # A convenience method. The same as:
-        #
-        #   session = UserSession.new(*args)
-        #   session.save
-        #
-        # Instead you can do:
-        #
-        #   UserSession.create(*args)
-        def create(*args, &block)
-          session = new(*args)
-          session.save(&block)
-          session
-        end
-
-        # Same as create but calls create!, which raises an exception when validation fails.
-        def create!(*args)
-          session = new(*args)
-          session.save!
-          session
-        end
-      end
-
-      module InstanceMethods
-        # Clears all errors and the associated record, you should call this terminate a session, thus requiring
-        # the user to authenticate again if it is needed.
-        def destroy
-          before_destroy
-          save_record
-          errors.clear
-          @record = nil
-          after_destroy
-          true
-        end
-
-        # Returns true if the session is new, meaning no action has been taken on it and a successful save
-        # has not taken place.
-        def new_session?
-          new_session != false
-        end
-
-        # After you have specified all of the details for your session you can try to save it. This will
-        # run validation checks and find the associated record, if all validation passes. If validation
-        # does not pass, the save will fail and the errors will be stored in the errors object.
-        def save(&block)
-          result = nil
-          if valid?
-            self.record = attempted_record
-
-            before_save
-            new_session? ? before_create : before_update
-            new_session? ? after_create : after_update
-            after_save
-
-            save_record
-            self.new_session = false
-            result = true
-          else
-            result = false
-          end
-
-          yield result if block_given?
-          result
-        end
-
-        # Same as save but raises an exception of validation errors when validation fails
-        def save!
-          result = save
-          raise SessionInvalidError.new(self) unless result
-          result
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/foundation.rb

@@ -1,55 +0,0 @@
-module Authlogic
-  module Session
-    # Sort of like an interface, it sets the foundation for the class, such as the
-    # required methods. This also allows other modules to overwrite methods and call super
-    # on them. It's also a place to put "utility" methods used throughout Authlogic.
-    module Foundation
-      def self.included(klass)
-        klass.class_eval do
-          extend Authlogic::Config
-          include InstanceMethods
-        end
-      end
-
-      module InstanceMethods
-        def initialize(*args)
-          self.credentials = args
-        end
-
-        # The credentials you passed to create your session. See credentials= for more
-        # info.
-        def credentials
-          []
-        end
-
-        # Set your credentials before you save your session. You can pass a hash of
-        # credentials:
-        #
-        #   session.credentials = {:login => "my login", :password => "my password", :remember_me => true}
-        #
-        # or you can pass an array of objects:
-        #
-        #   session.credentials = [my_user_object, true]
-        #
-        # and if you need to set an id, just pass it last. This value need be the last
-        # item in the array you pass, since the id is something that you control yourself,
-        # it should never be set from a hash or a form. Examples:
-        #
-        #   session.credentials = [{:login => "my login", :password => "my password", :remember_me => true}, :my_id]
-        #   session.credentials = [my_user_object, true, :my_id]
-        def credentials=(values)
-        end
-
-        def inspect
-          "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
-        end
-
-        private
-
-          def build_key(last_part)
-            last_part
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/http_auth.rb

@@ -1,100 +0,0 @@
-module Authlogic
-  module Session
-    # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol:
-    #
-    #   http://username:password@whatever.com
-    #
-    # Also, if you are not comfortable letting users pass their raw username and password you can always use the single
-    # access token. See Authlogic::Session::Params for more info.
-    module HttpAuth
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          persist :persist_by_http_auth, :if => :persist_by_http_auth?
-        end
-      end
-
-      # Configuration for the HTTP basic auth feature of Authlogic.
-      module Config
-        # Do you want to allow your users to log in via HTTP basic auth?
-        #
-        # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable
-        # having your users provide their raw username and password. Whatever the reason, you can disable it here.
-        #
-        # * <tt>Default:</tt> true
-        # * <tt>Accepts:</tt> Boolean
-        def allow_http_basic_auth(value = nil)
-          rw_config(:allow_http_basic_auth, value, true)
-        end
-        alias_method :allow_http_basic_auth=, :allow_http_basic_auth
-
-        # Whether or not to request HTTP authentication
-        #
-        # If set to true and no HTTP authentication credentials are sent with
-        # the request, the Rails controller method
-        # authenticate_or_request_with_http_basic will be used and a '401
-        # Authorization Required' header will be sent with the response.  In
-        # most cases, this will cause the classic HTTP authentication popup to
-        # appear in the users browser.
-        #
-        # If set to false, the Rails controller method
-        # authenticate_with_http_basic is used and no 401 header is sent.
-        #
-        # Note: This parameter has no effect unless allow_http_basic_auth is
-        # true
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def request_http_basic_auth(value = nil)
-          rw_config(:request_http_basic_auth, value, false)
-        end
-        alias_method :request_http_basic_auth=, :request_http_basic_auth
-
-        # HTTP authentication realm
-        #
-        # Sets the HTTP authentication realm.
-        #
-        # Note: This option has no effect unless request_http_basic_auth is true
-        #
-        # * <tt>Default:</tt> 'Application'
-        # * <tt>Accepts:</tt> String
-        def http_basic_auth_realm(value = nil)
-          rw_config(:http_basic_auth_realm, value, 'Application')
-        end
-        alias_method :http_basic_auth_realm=, :http_basic_auth_realm
-      end
-
-      # Instance methods for the HTTP basic auth feature of authlogic.
-      module InstanceMethods
-        private
-
-          def persist_by_http_auth?
-            allow_http_basic_auth? && login_field && password_field
-          end
-
-          def persist_by_http_auth
-            login_proc = Proc.new do |login, password|
-              if !login.blank? && !password.blank?
-                send("#{login_field}=", login)
-                send("#{password_field}=", password)
-                valid?
-              end
-            end
-
-            if self.class.request_http_basic_auth
-              controller.authenticate_or_request_with_http_basic(self.class.http_basic_auth_realm, &login_proc)
-            else
-              controller.authenticate_with_http_basic(&login_proc)
-            end
-
-            false
-          end
-
-          def allow_http_basic_auth?
-            self.class.allow_http_basic_auth == true
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/id.rb

@@ -1,48 +0,0 @@
-module Authlogic
-  module Session
-    # Allows you to separate sessions with an id, ultimately letting you create
-    # multiple sessions for the same user.
-    module Id
-      def self.included(klass)
-        klass.class_eval do
-          attr_writer :id
-        end
-      end
-
-      # Setting the id if it is passed in the credentials.
-      def credentials=(value)
-        super
-        values = value.is_a?(Array) ? value : [value]
-        self.id = values.last if values.last.is_a?(Symbol)
-      end
-
-      # Allows you to set a unique identifier for your session, so that you can
-      # have more than 1 session at a time. A good example when this might be
-      # needed is when you want to have a normal user session and a "secure"
-      # user session. The secure user session would be created only when they
-      # want to modify their billing information, or other sensitive
-      # information. Similar to me.com. This requires 2 user sessions. Just use
-      # an id for the "secure" session and you should be good.
-      #
-      # You can set the id during initialization (see initialize for more
-      # information), or as an attribute:
-      #
-      #   session.id = :my_id
-      #
-      # Just be sure and set your id before you save your session.
-      #
-      # Lastly, to retrieve your session with the id check out the find class
-      # method.
-      def id
-        @id
-      end
-
-      private
-
-        # Used for things like cookie_key, session_key, etc.
-        def build_key(last_part)
-          [id, super].compact.join("_")
-        end
-    end
-  end
-end

data/lib/authlogic/session/klass.rb

@@ -1,70 +0,0 @@
-module Authlogic
-  module Session
-    # Handles authenticating via a traditional username and password.
-    module Klass
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-
-          class << self
-            attr_accessor :configured_klass_methods
-          end
-        end
-      end
-
-      module Config
-        # Lets you change which model to use for authentication.
-        #
-        # * <tt>Default:</tt> inferred from the class name. UserSession would automatically try User
-        # * <tt>Accepts:</tt> an ActiveRecord class
-        def authenticate_with(klass)
-          @klass_name = klass.name
-          @klass = klass
-        end
-        alias_method :authenticate_with=, :authenticate_with
-
-        # The name of the class that this session is authenticating with. For example, the UserSession class will
-        # authenticate with the User class unless you specify otherwise in your configuration. See authenticate_with
-        # for information on how to change this value.
-        def klass
-          @klass ||= klass_name ? klass_name.constantize : nil
-        end
-
-        # The string of the model name class guessed from the actual session class name.
-        def klass_name
-          return @klass_name if defined?(@klass_name)
-          @klass_name = name.scan(/(.*)Session/)[0]
-          @klass_name = klass_name ? klass_name[0] : nil
-        end
-      end
-
-      module InstanceMethods
-        # Creating an alias method for the "record" method based on the klass name, so that we can do:
-        #
-        #   session.user
-        #
-        # instead of:
-        #
-        #   session.record
-        def initialize(*args)
-          if !self.class.configured_klass_methods
-            self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
-            self.class.configured_klass_methods = true
-          end
-          super
-        end
-
-        private
-
-          def klass
-            self.class.klass
-          end
-
-          def klass_name
-            self.class.klass_name
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/magic_columns.rb

@@ -1,116 +0,0 @@
-module Authlogic
-  module Session
-    # Just like ActiveRecord has "magic" columns, such as: created_at and updated_at.
-    # Authlogic has its own "magic" columns too:
-    #
-    # * login_count - Increased every time an explicit login is made. This will *NOT*
-    #   increase if logging in by a session, cookie, or basic http auth
-    # * failed_login_count - This increases for each consecutive failed login. See
-    #   Authlogic::Session::BruteForceProtection and the consecutive_failed_logins_limit
-    #   config option for more details.
-    # * last_request_at - Updates every time the user logs in, either by explicitly
-    #   logging in, or logging in by cookie, session, or http auth
-    # * current_login_at - Updates with the current time when an explicit login is made.
-    # * last_login_at - Updates with the value of current_login_at before it is reset.
-    # * current_login_ip - Updates with the request ip when an explicit login is made.
-    # * last_login_ip - Updates with the value of current_login_ip before it is reset.
-    module MagicColumns
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          after_persisting :set_last_request_at, :if => :set_last_request_at?
-          validate :increase_failed_login_count
-          before_save :update_info
-          before_save :set_last_request_at, :if => :set_last_request_at?
-        end
-      end
-
-      # Configuration for the magic columns feature.
-      module Config
-        # Every time a session is found the last_request_at field for that record is
-        # updated with the current time, if that field exists. If you want to limit how
-        # frequent that field is updated specify the threshold here. For example, if your
-        # user is making a request every 5 seconds, and you feel this is too frequent, and
-        # feel a minute is a good threshold. Set this to 1.minute. Once a minute has
-        # passed in between requests the field will be updated.
-        #
-        # * <tt>Default:</tt> 0
-        # * <tt>Accepts:</tt> integer representing time in seconds
-        def last_request_at_threshold(value = nil)
-          rw_config(:last_request_at_threshold, value, 0)
-        end
-        alias_method :last_request_at_threshold=, :last_request_at_threshold
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make up the magic columns feature.
-      module InstanceMethods
-        private
-
-          def increase_failed_login_count
-            if invalid_password? && attempted_record.respond_to?(:failed_login_count)
-              attempted_record.failed_login_count ||= 0
-              attempted_record.failed_login_count += 1
-            end
-          end
-
-          def update_info
-            if record.respond_to?(:login_count)
-              record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
-            end
-
-            if record.respond_to?(:failed_login_count)
-              record.failed_login_count = 0
-            end
-
-            if record.respond_to?(:current_login_at)
-              record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
-              record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-            end
-
-            if record.respond_to?(:current_login_ip)
-              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-              record.current_login_ip = controller.request.ip
-            end
-          end
-
-          # This method lets authlogic know whether it should allow the
-          # last_request_at field to be updated with the current time
-          # (Time.now). One thing to note here is that it also checks for the
-          # existence of a last_request_update_allowed? method in your
-          # controller. This allows you to control this method pragmatically in
-          # your controller.
-          #
-          # For example, what if you had a javascript function that polled the
-          # server updating how much time is left in their session before it
-          # times out. Obviously you would want to ignore this request, because
-          # then the user would never time out. So you can do something like
-          # this in your controller:
-          #
-          #   def last_request_update_allowed?
-          #     action_name != "update_session_time_left"
-          #   end
-          #
-          # You can do whatever you want with that method.
-          def set_last_request_at? # :doc:
-            if !record || !klass.column_names.include?("last_request_at")
-              return false
-            end
-            if controller.responds_to_last_request_update_allowed? && !controller.last_request_update_allowed?
-              return false
-            end
-            record.last_request_at.blank? ||
-              last_request_at_threshold.to_i.seconds.ago >= record.last_request_at
-          end
-
-          def set_last_request_at
-            record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-          end
-
-          def last_request_at_threshold
-            self.class.last_request_at_threshold
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/magic_states.rb

@@ -1,76 +0,0 @@
-module Authlogic
-  module Session
-    # Authlogic tries to check the state of the record before creating the session. If
-    # your record responds to the following methods and any of them return false,
-    # validation will fail:
-    #
-    #   Method name           Description
-    #   active?               Is the record marked as active?
-    #   approved?             Has the record been approved?
-    #   confirmed?            Has the record been confirmed?
-    #
-    # Authlogic does nothing to define these methods for you, its up to you to define what
-    # they mean. If your object responds to these methods Authlogic will use them,
-    # otherwise they are ignored.
-    #
-    # What's neat about this is that these are checked upon any type of login. When
-    # logging in explicitly, by cookie, session, or basic http auth. So if you mark a user
-    # inactive in the middle of their session they wont be logged back in next time they
-    # refresh the page. Giving you complete control.
-    #
-    # Need Authlogic to check your own "state"? No problem, check out the hooks section
-    # below. Add in a before_validation to do your own checking. The sky is the limit.
-    module MagicStates
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          validate :validate_magic_states, :unless => :disable_magic_states?
-        end
-      end
-
-      # Configuration for the magic states feature.
-      module Config
-        # Set this to true if you want to disable the checking of active?, approved?, and
-        # confirmed? on your record. This is more or less of a convenience feature, since
-        # 99% of the time if those methods exist and return false you will not want the
-        # user logging in. You could easily accomplish this same thing with a
-        # before_validation method or other callbacks.
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def disable_magic_states(value = nil)
-          rw_config(:disable_magic_states, value, false)
-        end
-        alias_method :disable_magic_states=, :disable_magic_states
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make up the
-      # magic states feature.
-      module InstanceMethods
-        private
-
-          def disable_magic_states?
-            self.class.disable_magic_states == true
-          end
-
-          def validate_magic_states
-            return true if attempted_record.nil?
-            [:active, :approved, :confirmed].each do |required_status|
-              if attempted_record.respond_to?("#{required_status}?") && !attempted_record.send("#{required_status}?")
-                errors.add(
-                  :base,
-                  I18n.t(
-                    "error_messages.not_#{required_status}",
-                    :default => "Your account is not #{required_status}"
-                  )
-                )
-                return false
-              end
-            end
-            true
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/params.rb

@@ -1,116 +0,0 @@
-module Authlogic
-  module Session
-    # This module is responsible for authenticating the user via params, which ultimately
-    # allows the user to log in using a URL like the following:
-    #
-    #   https://www.domain.com?user_credentials=4LiXF7FiGUppIPubBPey
-    #
-    # Notice the token in the URL, this is a single access token. A single access token is
-    # used for single access only, it is not persisted. Meaning the user provides it,
-    # Authlogic grants them access, and that's it. If they want access again they need to
-    # provide the token again. Authlogic will *NEVER* try to persist the session after
-    # authenticating through this method.
-    #
-    # For added security, this token is *ONLY* allowed for RSS and ATOM requests. You can
-    # change this with the configuration. You can also define if it is allowed dynamically
-    # by defining a single_access_allowed? method in your controller. For example:
-    #
-    #   class UsersController < ApplicationController
-    #     private
-    #       def single_access_allowed?
-    #         action_name == "index"
-    #       end
-    #
-    # Also, by default, this token is permanent. Meaning if the user changes their
-    # password, this token will remain the same. It will only change when it is explicitly
-    # reset.
-    #
-    # You can modify all of this behavior with the Config sub module.
-    module Params
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          attr_accessor :single_access
-          persist :persist_by_params
-        end
-      end
-
-      # Configuration for the params / single access feature.
-      module Config
-        # Works exactly like cookie_key, but for params. So a user can login via
-        # params just like a cookie or a session. Your URL would look like:
-        #
-        #   http://www.domain.com?user_credentials=my_single_access_key
-        #
-        # You can change the "user_credentials" key above with this
-        # configuration option. Keep in mind, just like cookie_key, if you
-        # supply an id the id will be appended to the front. Check out
-        # cookie_key for more details. Also checkout the "Single Access /
-        # Private Feeds Access" section in the README.
-        #
-        # * <tt>Default:</tt> cookie_key
-        # * <tt>Accepts:</tt> String
-        def params_key(value = nil)
-          rw_config(:params_key, value, cookie_key)
-        end
-        alias_method :params_key=, :params_key
-
-        # Authentication is allowed via a single access token, but maybe this is
-        # something you don't want for your application as a whole. Maybe this
-        # is something you only want for specific request types. Specify a list
-        # of allowed request types and single access authentication will only be
-        # allowed for the ones you specify.
-        #
-        # * <tt>Default:</tt> ["application/rss+xml", "application/atom+xml"]
-        # * <tt>Accepts:</tt> String of a request type, or :all or :any to
-        #   allow single access authentication for any and all request types
-        def single_access_allowed_request_types(value = nil)
-          rw_config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
-        end
-        alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make
-      # up the params / single access feature.
-      module InstanceMethods
-        private
-
-          def persist_by_params
-            return false if !params_enabled?
-            self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
-            self.single_access = valid?
-          end
-
-          def params_enabled?
-            return false if !params_credentials || !klass.column_names.include?("single_access_token")
-            return controller.single_access_allowed? if controller.responds_to_single_access_allowed?
-
-            case single_access_allowed_request_types
-            when Array
-              single_access_allowed_request_types.include?(controller.request_content_type) ||
-                single_access_allowed_request_types.include?(:all)
-            else
-              [:all, :any].include?(single_access_allowed_request_types)
-            end
-          end
-
-          def params_key
-            build_key(self.class.params_key)
-          end
-
-          def single_access?
-            single_access == true
-          end
-
-          def single_access_allowed_request_types
-            self.class.single_access_allowed_request_types
-          end
-
-          def params_credentials
-            controller.params[params_key]
-          end
-      end
-    end
-  end
-end