authlogic 0.10.4 → 1.0.0

data/CHANGELOG.rdoc

@@ -1,3 +1,14 @@
+== 1.0.0 released 2008-11-05
+
+* Checked for blank login counts, if a default wasnt set in the migrations.
+* Added check for database table in acts_as_authentic to avoid errors in initial setup.
+* Completely rewrote tests to be more conventional and thorough tests, removed test_app.
+* Modified how validations work so that a validate method was added as well as callbacks for that method.
+* Extracted scope support into its own module to help organize code better.
+* Added in salt for encryption, just like hashes and removed :crypto_provider_type option for acts_as_authentic.
+* Added merb adapters.
+* Improved documentation throughout.
+
 == 0.10.4 released 2008-10-31
 
 * Changed configuration to use inheritable attributes

data/Manifest

@@ -4,12 +4,14 @@ lib/authlogic/active_record/acts_as_authentic.rb
 lib/authlogic/active_record/authenticates_many.rb
 lib/authlogic/active_record/scoped_session.rb
 lib/authlogic/controller_adapters/abstract_adapter.rb
+lib/authlogic/controller_adapters/merb_adapter.rb
 lib/authlogic/controller_adapters/rails_adapter.rb
 lib/authlogic/session/active_record_trickery.rb
 lib/authlogic/session/base.rb
 lib/authlogic/session/callbacks.rb
 lib/authlogic/session/config.rb
 lib/authlogic/session/errors.rb
+lib/authlogic/session/scopes.rb
 lib/authlogic/sha512_crypto_provider.rb
 lib/authlogic/version.rb
 lib/authlogic.rb
@@ -17,84 +19,19 @@ Manifest
 MIT-LICENSE
 Rakefile
 README.rdoc
-test_app/app/controllers/application.rb
-test_app/app/controllers/companies_controller.rb
-test_app/app/controllers/user_sessions_controller.rb
-test_app/app/controllers/users_controller.rb
-test_app/app/helpers/application_helper.rb
-test_app/app/helpers/companies_helper.rb
-test_app/app/helpers/user_sessions_helper.rb
-test_app/app/helpers/users_helper.rb
-test_app/app/models/company.rb
-test_app/app/models/project.rb
-test_app/app/models/user.rb
-test_app/app/models/user_session.rb
-test_app/app/views/layouts/application.html.erb
-test_app/app/views/user_sessions/new.html.erb
-test_app/app/views/users/_form.erb
-test_app/app/views/users/edit.html.erb
-test_app/app/views/users/new.html.erb
-test_app/app/views/users/show.html.erb
-test_app/config/boot.rb
-test_app/config/database.yml
-test_app/config/environment.rb
-test_app/config/environments/development.rb
-test_app/config/environments/production.rb
-test_app/config/environments/test.rb
-test_app/config/initializers/inflections.rb
-test_app/config/initializers/mime_types.rb
-test_app/config/initializers/new_rails_defaults.rb
-test_app/config/routes.rb
-test_app/db/development.sqlite3
-test_app/db/migrate/20081023040052_create_users.rb
-test_app/db/migrate/20081103003828_create_companies.rb
-test_app/db/migrate/20081103003834_create_projects.rb
-test_app/db/schema.rb
-test_app/db/test.sqlite3
-test_app/doc/README_FOR_APP
-test_app/public/404.html
-test_app/public/422.html
-test_app/public/500.html
-test_app/public/dispatch.cgi
-test_app/public/dispatch.fcgi
-test_app/public/dispatch.rb
-test_app/public/favicon.ico
-test_app/public/images/rails.png
-test_app/public/javascripts/application.js
-test_app/public/javascripts/controls.js
-test_app/public/javascripts/dragdrop.js
-test_app/public/javascripts/effects.js
-test_app/public/javascripts/prototype.js
-test_app/public/robots.txt
-test_app/public/stylesheets/scaffold.css
-test_app/Rakefile
-test_app/README
-test_app/script/about
-test_app/script/console
-test_app/script/dbconsole
-test_app/script/destroy
-test_app/script/generate
-test_app/script/performance/benchmarker
-test_app/script/performance/profiler
-test_app/script/performance/request
-test_app/script/plugin
-test_app/script/process/inspector
-test_app/script/process/reaper
-test_app/script/process/spawner
-test_app/script/runner
-test_app/script/server
-test_app/test/fixtures/companies.yml
-test_app/test/fixtures/projects.yml
-test_app/test/fixtures/users.yml
-test_app/test/functional/companies_controller_test.rb
-test_app/test/functional/user_sessions_controller_test.rb
-test_app/test/functional/users_controller_test.rb
-test_app/test/integration/company_user_session_stories_test.rb
-test_app/test/integration/user_sesion_stories_test.rb
-test_app/test/integration/user_session_config_test.rb
-test_app/test/integration/user_session_test.rb
-test_app/test/test_helper.rb
-test_app/test/unit/account_test.rb
-test_app/test/unit/company_test.rb
-test_app/test/unit/project_test.rb
-test_app/test/unit/user_test.rb
+test/active_record_acts_as_authentic_test.rb
+test/active_record_authenticates_many_test.rb
+test/fixtures/companies.yml
+test/fixtures/employees.yml
+test/fixtures/projects.yml
+test/fixtures/users.yml
+test/test_helper.rb
+test/user_session_active_record_trickery_test.rb
+test/user_session_base_test.rb
+test/user_session_config_test.rb
+test/user_session_scopes_test.rb
+test_libs/aes128_crypto_provider.rb
+test_libs/mock_controller.rb
+test_libs/mock_cookie_jar.rb
+test_libs/mock_request.rb
+test_libs/ordered_hash.rb

data/README.rdoc

@@ -1,12 +1,12 @@
 = Authlogic
 
-Authlogic is "rails authentication done right". Put simply, its the Chuck Norris of authentication solutions.
+Authlogic is a framework agnostic object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database. Put simply, its the Chuck Norris of authentication solutions for rails, merb, etc.
 
-The last thing we need is another authentication solution for rails, right? That's what I thought until I tried out some of the current solutions. None of them felt right. They were either too complicated, bloated, littered my application with tons of code, or were just confusing. This is not the simple / elegant rails we all fell in love with. We need a "rails like" authentication solution. Authlogic is my attempt to satisfy that need...
+The last thing we need is another authentication solution, right? That's what I thought until I tried out some of the current solutions in both rails and merb. None of them felt right. They were either too complicated, bloated, littered my application with tons of code, or were just confusing. This is not the simple / elegant ruby we all fell in love with. We need a "ruby like" authentication solution. Authlogic is my attempt to satisfy that need...
 
-Wouldn't it be nice to keep your app up to date with the latest and greatest security techniques with a simple update of a plugin?
+Let's take a rails application, wouldn't it be nice to keep your app up to date with the latest and greatest security techniques with a simple update of a plugin?
 
-What if you could have authentication up and running in minutes without having to run a generator? All because it's simple, like everything else in rails.
+What if you could have authentication up and running in minutes without having to run a generator? All because it's simple, like everything else.
 
 What if creating a user session could be as simple as...
 
@@ -35,8 +35,8 @@ What if your user sessions controller could look just like your other controller
 
 Look familiar? If you didn't know any better, you would think UserSession was an ActiveRecord model. I think that's pretty cool, because it fits nicely into the RESTful development pattern, a style we all know and love. What about the view...
 
-  <%= error_messages_for "user_session" %>
   <% form_for @user_session do |f| %>
+    <%= f.error_messages %>
     <%= f.label :login %><br />
     <%= f.text_field :login %><br />
     <br />
@@ -63,8 +63,8 @@ Authlogic makes this a reality. This is just the tip of the ice berg. Keep readi
 == Helpful links
 
 *	<b>Documentation:</b> http://authlogic.rubyforge.org
-*	<b>Authlogic setup tutorial:</b> coming soon...
-*	<b>Live example of the setup tutorial above (with source):</b> coming soon....
+*	<b>Authlogic setup tutorial:</b> http://www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup
+*	<b>Live example of the setup tutorial above (with source):</b> http://authlogic_example.binarylogic.com
 * <b>Bugs / feature suggestions:</b> http://binarylogic.lighthouseapp.com/projects/18752-authlogic
 
 == Install and use
@@ -79,7 +79,39 @@ Or as a plugin
 
   script/plugin install git://github.com/binarylogic/authlogic.git
 
-In an effort to keep this readme a reference instead of a step by step guide, I moved the setup tutorial to my blog. See "helpful links" above. If this is your first time using Authlogic checkout the tutorial.
+=== Create your session
+
+Lets assume you are setting up a session for your User model.
+
+Create your user_session.rb file:
+
+  # app/models/user_session.rb
+  class UserSession < Authgasm::Session::Base
+    # configuration here, just like ActiveRecord, or in an initializer
+    # See Authgasm::Session::Config::ClassMethods for more details
+  end
+
+=== Ensure proper database fields
+
+The user model needs to have the following columns. The names of these columns can be changed with configuration. Better yet, Authgasm tries to guess these names by checking for the existence of common names. See Authgasm::Session::Config::ClassMethods for more details, but chances are you won't have to specify any configuration for your field names, even if they aren't the same names as below.
+
+    t.string    :login, :null => false
+    t.string    :crypted_password, :null => false
+    t.string    :password_salt, :null => false # not needed if you are encrypting your pw instead of using a hash algorithm
+    t.string    :remember_token, :null => false
+    t.integer   :login_count # This is optional, it is a "magic" column, just like "created_at". See below for a list of all magic columns.
+
+=== Set up your model
+
+Make sure you have a model that you will be authenticating with. For this example let's say you have a User model:
+
+  class User < ActiveRecord::Base
+    acts_as_authentic # for options see documentation: Authgasm::ActsAsAuthentic::ClassMethods
+  end
+
+The options for acts_as_authentic are based on the UserSession configuration. So if you specified configuration for your UserSession model you should not have to specify any options for acts_as_authentic, unless you want them to be different.
+
+Done! Now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this readme or check out the tutorial (see above in "helpful links") for a more detailed walk through.
 
 == Magic Columns
 
@@ -104,7 +136,7 @@ Authlogic tries to check the state of the record before creating the session. If
   
 What's neat about this is that these are checked upon any type of login. When logging in explicitly, by cookie, session, or basic http auth. So if you mark a user inactive in the middle of their session they wont be logged back in next time they refresh the page. Giving you complete control.
 
-Need Authlogic to check your own "state"? No problem, check out the hooks section below. Add in a before_validation or after_validation to do your own checking.
+Need Authlogic to check your own "state"? No problem, check out the hooks section below. Add in a before_validation to do your own checking. The sky is the limit.
 
 == Hooks / Callbacks
 
@@ -172,7 +204,7 @@ This scopes your login field validation, so that users are allowed to have the s
 
 === Scoping your session
 
-When you session tries to validate it searches for a record. You want to scope that search. No problem...
+When the session tries to validate it searches for a record. You want to scope that search. No problem...
 
 The goal of Authlogic was to not try and introduce anything new. As a result I came up with:
 
@@ -189,9 +221,9 @@ This works just like ActiveRecord, so it should come natural. Here is how you ge
 
 === Scoping cookies
 
-What's neat about cookies is that if you use sub domains they automatically scope their self. Meaning if you create a cookie in whatever.yourdomain.com it will not exist in another.yourdomain.com. So if you have the example used above, where you can access accounts via a sub domain, you don't have to do anything.
+What's neat about cookies is that if you use sub domains they automatically scope their self. Meaning if you create a cookie in whatever.yourdomain.com it will not exist in another.yourdomain.com. So if you are using subdomains to scope your users, you don't have to do anything.
 
-But what if you don't want to separate your cookies by subdomains? You can accomplish this by doing:
+But what if you *don't* want to separate your cookies by subdomains? You can accomplish this by doing:
 
   ActionController::Base.session_options[:session_domain] = ‘.mydomain.com’
 
@@ -205,7 +237,7 @@ Now let's look at this from the other angle. What if you are *NOT* using subdoma
 
 Done, Authlogic will give each cookie a unique name depending on the account.
 
-With the above information you should be able to scope your sessions any way you want. Just mix and match the tools above to accomplish what you want. Also check out the documentation on Authlogic::ActiveRecord::AuthenticatesMany.
+With the above information you should be able to scope your sessions any way you want. Just mix and match the tools above to accomplish this. Also check out the documentation on Authlogic::ActiveRecord::AuthenticatesMany.
 
 == Errors
 
@@ -250,13 +282,17 @@ Obviously there is a little more to it than this, but hopefully this clarifies a
 
 When things come together like this I think its a sign that you are doing something right. Put that in your pipe and smoke it!
 
-== What about [insert framework here]?
+== Framework agnostic (Rails, Merb, etc.)
+
+I designed Authlogic to be framework agnostic, meaning it doesn't care what framework you use it in. Right out of the box it supports rails and merb. I have not had the opportunity to use other frameworks, but the only thing stopping Authlogic from being used in other frameworks is a simple adapter. Check out controller_adapters/rails_adapter, or controller_adapters/merb_adapter.
+
+Since pretty much all of the frameworks in ruby follow the Rack conventions, the code should be very similar across adapters. You're saying "but Ben, why not just hook into Rack and avoid the need for controller adapters all together?". It's not that simple, because rails doesn't inherit from the Rack::Request class, plus there are small differences between how rack is implemented in each framework. Authlogic has to hook into your controller with a before_filter anyways, so it can "activate" itself. Why not just use the controller object?
 
-As of now, authlogic supports rails right out of the box. But I designed authlogic to be framework agnostic. The only thing stopping Authlogic from being implemented in merb, or any other framework, is a simple adapter. I have not had the opportunity to use Authlogic in anything other than rails. If you want to use this in merb or any other framework take a look at authlogic/controller/rails_adapter.rb. 
+The point in all of this rambling is that implementing Authlogic is as simple as creating an adapter. I created both the rails and merb adapters in under 10 minutes. If you have an adapter you created and would like to add please let me know and I will add it into the source.
 
 == How it works
 
-Interested in how all of this all works? Basically a before_filter is automatically set in your controller which lets Authlogic know about the current controller object. This "activates" Authlogic and allows Authlogic to set sessions, cookies, login via basic http auth, etc. If you are using rails in a multiple thread environment, don't worry. I kept that in mind and made this thread safe.
+Interested in how all of this all works? Basically a before_filter is automatically set in your controller which lets Authlogic know about the current controller object. This "activates" Authlogic and allows Authlogic to set sessions, cookies, login via basic http auth, etc. If you are using your framework in a multiple thread environment, don't worry. I kept that in mind and made this thread safe.
 
 From there it is pretty simple. When you try to create a new session the record is authenticated and then all of the session / cookie magic is done for you. The sky is the limit.
 
@@ -268,7 +304,7 @@ I don't necessarily think the current solutions are "wrong", nor am I saying Aut
 
 === Generators are messy
 
-Generators have their place, and it is not to add authentication to a rails app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
+Generators have their place, and it is not to add authentication to an app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
 
 Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators add code to your application, once code crosses that line, you are responsible for maintaining it. You get to make sure it stays up with the latest and greatest security techniques. And when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed. You don't really have a choice either, because you can't ignore security updates.
 

data/Rakefile

@@ -8,7 +8,7 @@ Echoe.new 'authlogic' do |p|
   p.author = "Ben Johnson of Binary Logic"
   p.email  = 'bjohnson@binarylogic.com'
   p.project = 'authlogic'
-  p.summary = "Rails authentication done right"
+  p.summary = "Framework agnostic object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database."
   p.url = "http://github.com/binarylogic/authlogic"
   p.dependencies = %w(activesupport activerecord)
   p.include_rakefile = true

data/authlogic.gemspec

@@ -1,21 +1,22 @@
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "0.10.4"
+  s.version = "1.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2008-11-03}
-  s.description = %q{Rails authentication done right}
+  s.date = %q{2008-11-05}
+  s.description = %q{Framework agnostic object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database.}
   s.email = %q{bjohnson@binarylogic.com}
-  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/active_record/acts_as_authentic.rb", "lib/authlogic/active_record/authenticates_many.rb", "lib/authlogic/active_record/scoped_session.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/sha512_crypto_provider.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
-  s.files = ["CHANGELOG.rdoc", "init.rb", "lib/authlogic/active_record/acts_as_authentic.rb", "lib/authlogic/active_record/authenticates_many.rb", "lib/authlogic/active_record/scoped_session.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/sha512_crypto_provider.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "test_app/app/controllers/application.rb", "test_app/app/controllers/companies_controller.rb", "test_app/app/controllers/user_sessions_controller.rb", "test_app/app/controllers/users_controller.rb", "test_app/app/helpers/application_helper.rb", "test_app/app/helpers/companies_helper.rb", "test_app/app/helpers/user_sessions_helper.rb", "test_app/app/helpers/users_helper.rb", "test_app/app/models/company.rb", "test_app/app/models/project.rb", "test_app/app/models/user.rb", "test_app/app/models/user_session.rb", "test_app/app/views/layouts/application.html.erb", "test_app/app/views/user_sessions/new.html.erb", "test_app/app/views/users/_form.erb", "test_app/app/views/users/edit.html.erb", "test_app/app/views/users/new.html.erb", "test_app/app/views/users/show.html.erb", "test_app/config/boot.rb", "test_app/config/database.yml", "test_app/config/environment.rb", "test_app/config/environments/development.rb", "test_app/config/environments/production.rb", "test_app/config/environments/test.rb", "test_app/config/initializers/inflections.rb", "test_app/config/initializers/mime_types.rb", "test_app/config/initializers/new_rails_defaults.rb", "test_app/config/routes.rb", "test_app/db/development.sqlite3", "test_app/db/migrate/20081023040052_create_users.rb", "test_app/db/migrate/20081103003828_create_companies.rb", "test_app/db/migrate/20081103003834_create_projects.rb", "test_app/db/schema.rb", "test_app/db/test.sqlite3", "test_app/doc/README_FOR_APP", "test_app/public/404.html", "test_app/public/422.html", "test_app/public/500.html", "test_app/public/dispatch.cgi", "test_app/public/dispatch.fcgi", "test_app/public/dispatch.rb", "test_app/public/favicon.ico", "test_app/public/images/rails.png", "test_app/public/javascripts/application.js", "test_app/public/javascripts/controls.js", "test_app/public/javascripts/dragdrop.js", "test_app/public/javascripts/effects.js", "test_app/public/javascripts/prototype.js", "test_app/public/robots.txt", "test_app/public/stylesheets/scaffold.css", "test_app/Rakefile", "test_app/README", "test_app/script/about", "test_app/script/console", "test_app/script/dbconsole", "test_app/script/destroy", "test_app/script/generate", "test_app/script/performance/benchmarker", "test_app/script/performance/profiler", "test_app/script/performance/request", "test_app/script/plugin", "test_app/script/process/inspector", "test_app/script/process/reaper", "test_app/script/process/spawner", "test_app/script/runner", "test_app/script/server", "test_app/test/fixtures/companies.yml", "test_app/test/fixtures/projects.yml", "test_app/test/fixtures/users.yml", "test_app/test/functional/companies_controller_test.rb", "test_app/test/functional/user_sessions_controller_test.rb", "test_app/test/functional/users_controller_test.rb", "test_app/test/integration/company_user_session_stories_test.rb", "test_app/test/integration/user_sesion_stories_test.rb", "test_app/test/integration/user_session_config_test.rb", "test_app/test/integration/user_session_test.rb", "test_app/test/test_helper.rb", "test_app/test/unit/account_test.rb", "test_app/test/unit/company_test.rb", "test_app/test/unit/project_test.rb", "test_app/test/unit/user_test.rb", "authlogic.gemspec"]
+  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/active_record/acts_as_authentic.rb", "lib/authlogic/active_record/authenticates_many.rb", "lib/authlogic/active_record/scoped_session.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/sha512_crypto_provider.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
+  s.files = ["CHANGELOG.rdoc", "init.rb", "lib/authlogic/active_record/acts_as_authentic.rb", "lib/authlogic/active_record/authenticates_many.rb", "lib/authlogic/active_record/scoped_session.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/sha512_crypto_provider.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "test/active_record_acts_as_authentic_test.rb", "test/active_record_authenticates_many_test.rb", "test/fixtures/companies.yml", "test/fixtures/employees.yml", "test/fixtures/projects.yml", "test/fixtures/users.yml", "test/test_helper.rb", "test/user_session_active_record_trickery_test.rb", "test/user_session_base_test.rb", "test/user_session_config_test.rb", "test/user_session_scopes_test.rb", "test_libs/aes128_crypto_provider.rb", "test_libs/mock_controller.rb", "test_libs/mock_cookie_jar.rb", "test_libs/mock_request.rb", "test_libs/ordered_hash.rb", "authlogic.gemspec"]
   s.has_rdoc = true
   s.homepage = %q{http://github.com/binarylogic/authlogic}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Authlogic", "--main", "README.rdoc"]
   s.require_paths = ["lib"]
   s.rubyforge_project = %q{authlogic}
   s.rubygems_version = %q{1.2.0}
-  s.summary = %q{Rails authentication done right}
+  s.summary = %q{Framework agnostic object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database.}
+  s.test_files = ["test/active_record_acts_as_authentic_test.rb", "test/active_record_authenticates_many_test.rb", "test/test_helper.rb", "test/user_session_active_record_trickery_test.rb", "test/user_session_base_test.rb", "test/user_session_config_test.rb", "test/user_session_scopes_test.rb"]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION

data/lib/authlogic.rb

@@ -1,7 +1,10 @@
+require "active_support"
+
 require File.dirname(__FILE__) + "/authlogic/version"
 
 require File.dirname(__FILE__) + "/authlogic/controller_adapters/abstract_adapter"
 require File.dirname(__FILE__) + "/authlogic/controller_adapters/rails_adapter" if defined?(Rails)
+require File.dirname(__FILE__) + "/authlogic/controller_adapters/merb_adapter" if defined?(Merb)
 
 require File.dirname(__FILE__) + "/authlogic/sha512_crypto_provider"
 
@@ -13,6 +16,7 @@ require File.dirname(__FILE__) + "/authlogic/session/active_record_trickery"
 require File.dirname(__FILE__) + "/authlogic/session/callbacks"
 require File.dirname(__FILE__) + "/authlogic/session/config"
 require File.dirname(__FILE__) + "/authlogic/session/errors"
+require File.dirname(__FILE__) + "/authlogic/session/scopes"
 require File.dirname(__FILE__) + "/authlogic/session/base"
 
 module Authlogic
@@ -20,6 +24,7 @@ module Authlogic
     class Base
       include ActiveRecordTrickery
       include Callbacks
+      include Scopes
     end
   end
 end

data/lib/authlogic/active_record/acts_as_authentic.rb

@@ -1,15 +1,9 @@
 module Authlogic
   module ActiveRecord # :nodoc:
     # = Acts As Authentic
-    # Provides and "acts_as" method to include in your models to help with authentication. See method below.
+    # Provides the acts_as_authentic method to include in your models to help with authentication. See method below.
     module ActsAsAuthentic
-        # Call this method in your model to add in basic authentication madness that your authlogic session expects.
-      #
-      # <b>Please keep in mind</b> that based on your configuration the method names could change. For example, if you pass the option:
-      #
-      #   :password_field => :pass
-      #
-      # The method will not be password=, it will be pass=. Same with valid_password?, it will be valid_pass?, etc.
+      # Call this method in your model to add in basic authentication madness that your authlogic session expects.
       #
       # === Methods
       # For example purposes lets assume you have a User model.
@@ -32,21 +26,71 @@ module Authlogic
       #   user.forget!                Changes their remember token, making their cookie and session invalid. A way to log the user out withouth changing their password.
       #
       # === Options
-      # * <tt>session_class:</tt> default: "#{name}Session", the related session class. Used so that you don't have to repeat yourself here. A lot of the configuration will be based off of the configuration values of this class.
-      # * <tt>crypto_provider:</tt> default: Authlogic::Sha512CryptoProvider, class that provides Sha512 encryption. What ultimately encrypts your password.
-      # * <tt>crypto_provider_type:</tt> default: options[:crypto_provider].respond_to?(:decrypt) ? :encryption : :hash. You can explicitly set this if you wish. Since encryptions and hashes are handled different this is the flag Authlogic uses.
-      # * <tt>login_field:</tt> default: options[:session_class].login_field, the name of the field used for logging in
-      # * <tt>login_field_type:</tt> default: options[:login_field] == :email ? :email : :login, tells authlogic how to validation the field, what regex to use, etc.
-      # * <tt>password_field:</tt> default: options[:session_class].password_field, the name of the field to set the password, *NOT* the field the encrypted password is stored
-      # * <tt>crypted_password_field:</tt> default: depends on which columns are present, checks: crypted_password, encrypted_password, password_hash, pw_hash, if none are present defaults to crypted_password. This is the name of column that your encrypted password is stored.
-      # * <tt>password_salt_field:</tt> default: depends on which columns are present, checks: password_salt, pw_salt, salt, if none are present defaults to password_salt. This is the name of the field your salt is stored, only relevant for a hash crypto provider.
-      # * <tt>remember_token_field:</tt> default: options[:session_class].remember_token_field, the name of the field your remember token is stored. What the cookie stores so the session can be "remembered"
-      # * <tt>scope:</tt> default: nil, if all of your users belong to an account you might want to scope everything to the account. Just pass :account_id
-      # * <tt>logged_in_timeout:</tt> default: 10.minutes, this allows you to specify a time the determines if a user is logged in or out. Useful if you want to count how many users are currently logged in.
-      # * <tt>session_ids:</tt> default: [nil], the sessions that we want to automatically reset when a user is created or updated so you don't have to worry about this. Set to [] to disable. Should be an array of ids. See Authlogic::Session::Base#initialize for information on ids. The order is important. The first id should be your main session, the session they need to log into first. This is generally nil, meaning so explicitly set id.
+      #
+      # * <tt>session_class:</tt> default: "#{name}Session",
+      #   This is the related session class. A lot of the configuration will be based off of the configuration values of this class.
+      #   
+      # * <tt>crypto_provider:</tt> default: Authlogic::Sha512CryptoProvider,
+      #   This is the class that provides your encryption. By default Authlogic provides its own crypto provider that uses Sha512 encrypton.
+      #   
+      # * <tt>login_field:</tt> default: options[:session_class].login_field,
+      #   The name of the field used for logging in, this is guess based on what columns are in your db. Only specify if you aren't using:
+      #   login, username, or email
+      #   
+      # * <tt>login_field_type:</tt> default: options[:login_field] == :email ? :email : :login,
+      #   Tells authlogic how to validation the field, what regex to use, etc. If the field name is email it will automatically use email,
+      #   otherwise it uses login.
+      #   
+      # * <tt>login_field_regex:</tt> default: if email then typical email regex, otherwise typical login regex.
+      #   This is used in validates_format_of for the login_field.
+      #   
+      # * <tt>login_field_regex_message:</tt> the message to use when the validates_format_of for the login field fails.
+      #   
+      # * <tt>password_field:</tt> default: options[:session_class].password_field,
+      #   This is the name of the field to set the password, *NOT* the field the encrypted password is stored.
+      #   
+      # * <tt>crypted_password_field:</tt> default: depends on which columns are present,
+      #   The name of the database field where your encrypted password is stored. If the name of the field is different from any of the following
+      #   you need to specify it with this option: crypted_password, encrypted_password, password_hash, pw_hash
+      #   
+      # * <tt>password_salt_field:</tt> default: depends on which columns are present,
+      #   This is the name of the field in your database that stores your password salt. If the name of the field is different from any of the
+      #   following then you need to specify it with this option: password_salt, pw_salt, salt
+      #   
+      # * <tt>remember_token_field:</tt> default: options[:session_class].remember_token_field,
+      #   This is the name of the field your remember_token is stored. The remember token is a unique token that is stored in the users cookie and
+      #   session. This way you have complete control of when session expire and you don't have to change passwords to expire sessions. This also
+      #   ensures that stale sessions can not be persisted. By stale, I mean sessions that are logged in using an outdated password. If the name
+      #   of the field is anything other than the following you need to specify it with this option: remember_token, remember_key, cookie_token,
+      #   cookie_key
+      #   
+      # * <tt>scope:</tt> default: nil,
+      #   This scopes validations. If all of your users belong to an account you might want to scope everything to the account. Just pass :account_id
+      #   
+      # * <tt>logged_in_timeout:</tt> default: 10.minutes,
+      #   This is really just a nifty feature to tell if a user is logged in or not. It's based on activity. So if the user in inactive longer than
+      #   the value you pass here they are assumed "logged out".
+      #
+      # * <tt>session_ids:</tt> default: [nil],
+      #   The sessions that we want to automatically reset when a user is created or updated so you don't have to worry about this. Set to [] to disable.
+      #   Should be an array of ids. See the Authlogic::Session documentation for information on ids. The order is important.
+      #   The first id should be your main session, the session they need to log into first. This is generally nil. When you don't specify an id
+      #   in your session you are really just inexplicitly saying you want to use the id of nil.
       def acts_as_authentic(options = {})
+        # If we don't have a database, skip all of this, solves initial setup errors
+        begin
+          column_names
+        rescue Exception
+          return
+        end
+        
         # Setup default options
-        options[:session_class] ||= "#{name}Session".constantize
+        begin
+          options[:session_class] ||= "#{name}Session".constantize
+        rescue NameError
+          raise NameError.new("You must create a #{name}Session class before a model can act_as_authentic. If that is not the name of the class pass the class constant via the :session_class option.")
+        end
+        
         options[:crypto_provider] ||= Sha512CryptoProvider
         options[:crypto_provider_type] ||= options[:crypto_provider].respond_to?(:decrypt) ? :encryption : :hash
         options[:login_field] ||= options[:session_class].login_field
@@ -74,11 +118,14 @@ module Authlogic
           email_name_regex  = '[\w\.%\+\-]+'
           domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
           domain_tld_regex  = '(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|jobs|museum)'
-          email_regex       = /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-          validates_format_of options[:login_field], :with => email_regex, :message => "should look like an email address."
+          options[:login_field_regex] ||= /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
+          options[:login_field_regex_message] ||= "should look like an email address."
+          validates_format_of options[:login_field], :with => options[:login_field_regex], :message => options[:login_field_regex_message]
         else
           validates_length_of options[:login_field], :within => 2..100
-          validates_format_of options[:login_field], :with => /\A\w[\w\.\-_@]+\z/, :message => "use only letters, numbers, and .-_@ please."
+          options[:login_field_regex] ||= /\A\w[\w\.\-_@ ]+\z/
+          options[:login_field_regex_message] ||= "use only letters, numbers, spaces, and .-_@ please."
+          validates_format_of options[:login_field], :with => options[:login_field_regex], :message => options[:login_field_regex_message]
         end
       
         validates_uniqueness_of options[:login_field], :scope => options[:scope]
@@ -88,7 +135,7 @@ module Authlogic
       
         if column_names.include?("last_request_at")
           named_scope :logged_in, lambda { {:conditions => ["last_request_at > ?", options[:logged_in_timeout].ago]} }
-          named_scope :logged_out, lambda { {:conditions => ["last_request_at <= ?", options[:logged_in_timeout].ago]} }
+          named_scope :logged_out, lambda { {:conditions => ["last_request_at is NULL or last_request_at <= ?", options[:logged_in_timeout].ago]} }
         end
       
         before_save :get_session_information, :if => :update_sessions?
@@ -101,7 +148,8 @@ module Authlogic
         # Class methods
         class_eval <<-"end_eval", __FILE__, __LINE__
           def self.unique_token
-            crypto_provider.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+            # Force using the Sha512 because all that we are doing is creating a unique token, a hash is perfect for this
+            Authlogic::Sha512CryptoProvider.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
           end
         
           def self.crypto_provider
@@ -129,39 +177,23 @@ module Authlogic
           end_eval
         end
       
-        case options[:crypto_provider_type]
-        when :hash
-          class_eval <<-"end_eval", __FILE__, __LINE__
-            def #{options[:password_field]}=(pass)
-              return if pass.blank?
-              self.tried_to_set_#{options[:password_field]} = true
-              @#{options[:password_field]} = pass
-              self.#{options[:remember_token_field]} = self.class.unique_token
-              self.#{options[:password_salt_field]} = self.class.unique_token
-              self.#{options[:crypted_password_field]} = crypto_provider.encrypt(@#{options[:password_field]} + #{options[:password_salt_field]})
-            end
-          
-            def valid_#{options[:password_field]}?(attempted_password)
-              return false if attempted_password.blank?
-              attempted_password == #{options[:crypted_password_field]} || #{options[:crypted_password_field]} == crypto_provider.encrypt(attempted_password + #{options[:password_salt_field]})
-            end
-          end_eval
-        when :encryption
-          class_eval <<-"end_eval", __FILE__, __LINE__
-            def #{options[:password_field]}=(pass)
-              return if pass.blank?
-              self.tried_to_set_#{options[:password_field]} = true
-              @#{options[:password_field]} = pass
-              self.#{options[:remember_token_field]} = self.class.unique_token
-              self.#{options[:crypted_password_field]} = crypto_provider.encrypt(@#{options[:password_field]})
-            end
+        class_eval <<-"end_eval", __FILE__, __LINE__
+          def #{options[:password_field]}=(pass)
+            return if pass.blank?
+            self.tried_to_set_#{options[:password_field]} = true
+            @#{options[:password_field]} = pass
+            self.#{options[:remember_token_field]} = self.class.unique_token
+            self.#{options[:password_salt_field]} = self.class.unique_token
+            self.#{options[:crypted_password_field]} = crypto_provider.encrypt(@#{options[:password_field]} + #{options[:password_salt_field]})
+          end
         
-            def valid_#{options[:password_field]}?(attemtped_password)
-              return false if attempted_password.blank?
-              attempted_password == #{options[:crypted_password_field]} || #{options[:crypted_password_field]} = crypto_provider.decrypt(attempted_password)
-            end
-          end_eval
-        end
+          def valid_#{options[:password_field]}?(attempted_password)
+            return false if attempted_password.blank? || #{options[:crypted_password_field]}.blank? || #{options[:password_salt_field]}.blank?
+            attempted_password == #{options[:crypted_password_field]} ||
+              (crypto_provider.respond_to?(:decrypt) && crypto_provider.decrypt(#{options[:crypted_password_field]}) == attempted_password + #{options[:password_salt_field]}) ||
+              (!crypto_provider.respond_to?(:decrypt) && crypto_provider.encrypt(attempted_password + #{options[:password_salt_field]}) == #{options[:crypted_password_field]})
+          end
+        end_eval
       
         class_eval <<-"end_eval", __FILE__, __LINE__
           def #{options[:password_field]}; end