RubyGems - authlogic - Versions diffs - 1.1.2 → 1.2.0 - Mend

authlogic 1.1.2 → 1.2.0

Potentially problematic release.

This version of authlogic might be problematic. Click here for more details.

Files changed (26) hide show

data/CHANGELOG.rdoc CHANGED

@@ -1,6 +1,13 @@
-== 1.1.2 released 2008-11-13
+== 1.2.0 released 2008-11-16
 * Added check for database set up in acts_as_authentic to prevent errors during migrations.
+* Forced logged_in and logged_out named scopes to use seconds.
+* Hardened valid_password? method to only allow raw passwords.
+* controllers and scopes are no longer stored in class variables but in the Thread.current hash so their instances die out with the thread, which frees up memory.
+* Removed single_access_token_field and remember_token_field from Sesson::Config, they are not needed there.
+* Added password_reset_token to assist in resetting passwords.
+* Added email_field, email_field_regex, email_field_regex_failed_message configuration options to acts_as_authentic. So that you can validate emails as well as a login, instead of the either-or approach.
+* Added configuration for all validation messages for the session so that you can modify them and provide I18n support.
 == 1.1.1 released 2008-11-13

data/Manifest CHANGED

@@ -8,6 +8,7 @@ lib/authlogic/crypto_providers/sha512.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb
+lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/password_reset.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb
@@ -21,6 +22,7 @@ lib/authlogic/session/config.rb
 lib/authlogic/session/cookies.rb
 lib/authlogic/session/errors.rb
 lib/authlogic/session/params.rb
+lib/authlogic/session/password_reset.rb
 lib/authlogic/session/scopes.rb
 lib/authlogic/session/session.rb
 lib/authlogic/version.rb
@@ -42,6 +44,7 @@ test/libs/ordered_hash.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb
+test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/password_reset_test.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb
 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb
@@ -52,6 +55,7 @@ test/session_tests/base_test.rb
 test/session_tests/config_test.rb
 test/session_tests/cookies_test.rb
 test/session_tests/params_test.rb
+test/session_tests/password_reset_test.rb
 test/session_tests/scopes_test.rb
 test/session_tests/session_test.rb
 test/test_helper.rb

data/README.rdoc CHANGED

@@ -53,7 +53,7 @@ Or how about persisting the session...
   class ApplicationController
     helper_method :current_user_session, :current_user
-    protected
+    private
       def current_user_session
         return @current_user_session if defined?(@current_user_session)
         @current_user_session = UserSession.find
@@ -71,6 +71,7 @@ Authlogic makes this a reality. This is just the tip of the ice berg. Keep readi
 *	<b>Documentation:</b> http://authlogic.rubyforge.org
 *	<b>Authlogic setup tutorial:</b> http://www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup
+*	<b>Authlogic reset passwords tutorial:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
 *	<b>Live example of the setup tutorial above (with source):</b> http://authlogic_example.binarylogic.com
 * <b>Bugs / feature suggestions:</b> http://binarylogic.lighthouseapp.com/projects/18752-authlogic
@@ -105,11 +106,13 @@ Create your user_session.rb file:
 The user model needs to have the following columns. The names of these columns can be changed with configuration. Better yet, Authlogic tries to guess these names by checking for the existence of common names. See Authlogic::Session::Config::ClassMethods for more details, but chances are you won't have to specify any configuration for your field names, even if they aren't the same names as below.
-    t.string    :login, :null => false
-    t.string    :crypted_password, :null => false
-    t.string    :password_salt, :null => false # not needed if you are encrypting your pw instead of using a hash algorithm
-    t.string    :remember_token, :null => false
-    t.integer   :login_count # This is optional, it is a "magic" column, just like "created_at". See below for a list of all magic columns.
+    t.string    :login,                 :null => false
+    t.string    :crypted_password,      :null => false
+    t.string    :password_salt,         :null => false # not needed if you are encrypting your pw instead of using a hash algorithm.
+    t.string    :remember_token,        :null => false
+    t.string    :single_access_token,   :null => false # optional, see the single access section below.
+    t.string    :password_reset_token,  :null => false # optional, see the password reset section below.
+    t.integer   :login_count                           # optional, this is a "magic" column, see the magic columns section below
 === Set up your model
@@ -119,7 +122,7 @@ Make sure you have a model that you will be authenticating with. For this exampl
     acts_as_authentic # for options see documentation: Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::Config
   end
-Done! Now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this readme or check out the tutorial (see above in "helpful links") for a more detailed walk through.
+Done! Now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this README or check out the tutorials (see above in "helpful links") for a more detailed walk through.
 == Magic Columns
@@ -148,19 +151,23 @@ Need Authlogic to check your own "state"? No problem, check out the hooks sectio
 == Hooks / Callbacks
-Just like ActiveRecord you can create your own hooks / callbacks so that you can do whatever you want when certain actions are performed. Here they are:
+Just like ActiveRecord you can create your own hooks / callbacks so that you can do whatever you want when certain actions are performed. Such as before_save, after_save, etc.
   before_create
   after_create
   before_destroy
   after_destroy
+  before_find
+  after_find
   before_save
   after_save
   before_update
   after_update
   before_validation
   after_validation
+See Authlogic::Session::Callbacks for more information
 == Multiple Sessions / Session Identifiers
 You're asking: "why would I want multiple sessions?". Take this example:
@@ -171,7 +178,7 @@ You have an app where users login and then need to re-login to view / change the
   @user_session = UserSession.new
   @user_session.id
   # => nil
   # secure user session
   @secure_user_session = UserSession.new(:secure)
   @secure_user_session.id
@@ -182,25 +189,39 @@ This will keep everything separate. The :secure session will store its info in a
   @user_session = UserSession.find
   @secure_user_session = UserSession.find(:secure)
-For more information on ids checkout Authlogic::Session::Base#initialize
+For more information on ids checkout Authlogic::Session::Base#id
+== Resetting passwords
+You may have noticed in the helpful links section is a tutorial on resetting password with Authlogic. I'm not going to repeat myself here, but I will touch on the basics, if you want more information please see the tutorial.
+Just add the following field to your database:
+t.string :password_reset_token, :null => false
+Authlogic will notice this field and take care of maintaining it for you. You should use the value of this field to verify your user before they reset their password. There is a finder method you can use to find users with this token, I highly recommend using this method, as it adds in extra security checks to verify the user. See Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::PasswordReset for more information.
 == Single Access / Private Feeds Access
-Need to provide a single / one time access to an account where the session does NOT get persisted? Take a private feed for example, if everyone followed standards basic http auth should work just fine, but since we live in a world where following standards is a hard concept (*cough* Microsoft *cough*), the feed url needs to have some sort of "credentials" to log the user in and get their user specific feed items. This is easy, Authlogic has a nifty little feature for doing just this. All that you need to do is add the following field in your table:
+Need to provide a single / one time access to an account where the session does NOT get persisted? Take a private feed for example, if everyone followed standards, basic http auth should work just fine, but since we live in a world where following standards is not a standard (\*cough\* Microsoft \*cough\*), the feed url needs to have some sort of "credentials" to log the user in and get their user specific feed items. This is easy, Authlogic has a nifty little feature for doing just this. All that you need to do is add the following field in your table:
+  t.string :single_access_token, :null => false
+  # or call it feeds_token, feed_token, or whatever you want with configuration
-  t.string :single_access_token, :null => false # or call it feeds_token or feed_token
+Authlogic will notice you have this and adjust accordingly. By default single_access_tokens can only be used to login for rss and atom request types.
-Authlogic will notice you have this and adjust accordingly. You have the follow configuration options for your session (Authlogic::Session::Config) to customize how this works:
+To tailor how this works, you have the following configuration options:
-1. <tt>params_key:</tt> params_key is the key Authlogic will look for when trying to find your session. It works just like your cookie and session key, except this is for params. Take a UserSession: http://www.mydomin.com?user_credentials=single_access_token
-2. <tt>single_access_allowed_request_types:</tt> Single access needs to be handled with care, after all, it gives the user access to their account. But maybe you don't want to allow this for your entire application. Maybe you only want to allow this for certain request types, such as application/rss+xml or application/atom+xml. By default single access is only allowed for these requests types.
-3. <tt>single_access_token_field:</tt> This works just like remember_token_field. It basically allows you to name the column that the single_access_token is stored in.
-4. change_single_access_token_with_password
+Session configuration (Authlogic::Session::Config)
-You also have the following options when calling acts_as_authentic (Authlogic::ORMAdapters::ActiveRecordAdapter::Config):
+1. params_key
+2. single_access_allowed_request_types
+3. single_access_token_field
-1. <tt>single_access_token_field:</tt> Works the same as remember_token field.
-2. <tt>change_single_access_token_with_password:</tt> If the user changes their password do you want to change the single access token as well? This will require that they re-add the feed with the new token, as their old URL will not longer work. It's really up to you if you want to do this. The other alternative is to provide an option when they are changing their password to change their "feed token" as well. You can call user.reset_single_access_token to do this yourself.
+Model configuration (Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::Config)
+1. single_access_token_field:
+2. change_single_access_token_with_password
 Please use this with care and make sure you warn your users that the URL you provide them is to remain private. Even if Billy 13 year old gets this URL and tries to log in, the only way he can login is through a GET or POST parameter with an rss or atom request. Billy can't create a cookie with this token and Billy wont have access to anything else on the site, unless you change the above configuration.
@@ -253,7 +274,7 @@ What's neat about cookies is that if you use sub domains they automatically scop
 But what if you *don't* want to separate your cookies by subdomains? You can accomplish this by doing:
-  ActionController::Base.session_options[:session_domain] = ‘.mydomain.com’
+  ActionController::Base.session_options[:session_domain] = '.mydomain.com'
 If for some reason the above doesn't work for you, do some simple Google searches. There are a million blog posts on this.
@@ -300,8 +321,9 @@ Here is basically how this is done....
     private
       def maintain_sessions!
-        # If we aren't logged in at all and the password was changed, go ahead and log the user in
-        # If we are logged in and the password has change, update the sessions
+        # If we aren't logged in and a user is create log them in as that user
+        # If we aren't logged in and a user's password changes, log them in as that user
+        # If we are logged in and they change their password, update the session so they remain logged in
       end
   end
@@ -339,6 +361,10 @@ Using a library that hundreds of other people use has it advantages. Probably on
 Lastly, there is a pattern here, why clutter up all of your applications with the same code over and over?
+=== Why test the same code over and over?
+I've noticed my apps get cluttered with authentication tests, and they are the same exact tests! This irritates me. When you have identical tests across your apps thats a red flag that code can be extracted into a library. What's great about Authlogic is that I tested it for you. You don't write tests that test the internals of ActiveRecord do you? The same applies for Authlogic. Only test code that you've written. Essentially testing authentication is similar to testing any another RESTful controller. This makes your tests focused and easier to understand.
 === Limited to a single authentication
 I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it made the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authlogic. Authlogic can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.

data/authlogic.gemspec CHANGED

@@ -1,14 +1,14 @@
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "1.1.2"
+  s.version = "1.2.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2008-11-13}
+  s.date = %q{2008-11-16}
   s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
   s.email = %q{bjohnson@binarylogic.com}
-  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
-  s.files = ["CHANGELOG.rdoc", "init.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "shoulda_macros/authlogic.rb", "test/fixtures/companies.yml", "test/fixtures/employees.yml", "test/fixtures/projects.yml", "test/fixtures/users.yml", "test/libs/aes128_crypto_provider.rb", "test/libs/mock_controller.rb", "test/libs/mock_cookie_jar.rb", "test/libs/mock_request.rb", "test/libs/ordered_hash.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/test_helper.rb", "authlogic.gemspec"]
+  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/password_reset.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/password_reset.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
+  s.files = ["CHANGELOG.rdoc", "init.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/password_reset.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/password_reset.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "shoulda_macros/authlogic.rb", "test/fixtures/companies.yml", "test/fixtures/employees.yml", "test/fixtures/projects.yml", "test/fixtures/users.yml", "test/libs/aes128_crypto_provider.rb", "test/libs/mock_controller.rb", "test/libs/mock_cookie_jar.rb", "test/libs/mock_request.rb", "test/libs/ordered_hash.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/password_reset_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/password_reset_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/test_helper.rb", "authlogic.gemspec"]
   s.has_rdoc = true
   s.homepage = %q{http://github.com/binarylogic/authlogic}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Authlogic", "--main", "README.rdoc"]
@@ -16,7 +16,7 @@ Gem::Specification.new do |s|
   s.rubyforge_project = %q{authlogic}
   s.rubygems_version = %q{1.2.0}
   s.summary = %q{A clean, simple, and unobtrusive ruby authentication solution.}
-  s.test_files = ["test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/test_helper.rb"]
+  s.test_files = ["test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/password_reset_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/password_reset_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/test_helper.rb"]
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION

data/lib/authlogic.rb CHANGED

@@ -13,6 +13,7 @@ if defined?(ActiveRecord)
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in"
+  require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/password_reset"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access"
@@ -27,6 +28,7 @@ require File.dirname(__FILE__) + "/authlogic/session/config"
 require File.dirname(__FILE__) + "/authlogic/session/cookies"
 require File.dirname(__FILE__) + "/authlogic/session/errors"
 require File.dirname(__FILE__) + "/authlogic/session/params"
+require File.dirname(__FILE__) + "/authlogic/session/password_reset"
 require File.dirname(__FILE__) + "/authlogic/session/session"
 require File.dirname(__FILE__) + "/authlogic/session/scopes"
 require File.dirname(__FILE__) + "/authlogic/session/base"
@@ -38,6 +40,7 @@ module Authlogic
       include Callbacks
       include Cookies
       include Params
+      include PasswordReset
       include Session
       include Scopes
     end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb CHANGED

@@ -34,20 +34,27 @@ module Authlogic
         #
         # * <tt>login_field_regex_failed_message</tt> - the message to use when the validates_format_of for the login field fails. This depends on if you are
         #   performing :email or :login regex.
+        #
+        # * <tt>email_field</tt> - default: :email, depending on if it is present, if :email is not present defaults to nil
+        #   The name of the field used to store the email address. Only specify this if you arent using this as your :login_field.
+        #
+        # * <tt>email_field_regex</tt> - default: type email regex
+        #   This is used in validates_format_of for the :email_field.
+        #
+        # * <tt>email_field_regex_failed_message</tt> - the message to use when the validates_format_of for the email field fails.
         #
         # * <tt>change_single_access_token_with_password</tt> - default: false,
         #   When a user changes their password do you want the single access token to change as well? That's what this configuration option is all about.
         #
-        # * <tt>single_access_token_field</tt> - default: :single_access_token, :feed_token, or :feeds_token, depending on which column is present,
+        # * <tt>single_access_token_field</tt> - default: :single_access_token, :feed_token, or :feeds_token, depending on which column is present, if none are present defaults to nil
         #   This is the name of the field to login with single access, mainly used for private feed access. Only specify if the name of the field is different
         #   then the defaults. See the "Single Access" section in the README for more details on how single access works.
         #
         # * <tt>password_field</tt> - default: :password,
         #   This is the name of the field to set the password, *NOT* the field the encrypted password is stored. Defaults the what the configuration
         #
-        # * <tt>crypted_password_field</tt> - default: depends on which columns are present,
-        #   The name of the database field where your encrypted password is stored. If the name of the field is different from any of the following
-        #   you need to specify it with this option: crypted_password, encrypted_password, password_hash, pw_hash
+        # * <tt>crypted_password_field</tt> - default: :crypted_password, :encrypted_password, :password_hash, :pw_hash, depends on which columns are present, if none are present defaults to nil
+        #   The name of the database field where your encrypted password is stored.
         #
         # * <tt>password_blank_message</tt> - default: "can not be blank",
         #   The error message used when the password is left blank.
@@ -57,6 +64,15 @@ module Authlogic
         #
         # * <tt>password_salt_field</tt> - default: :password_salt, :pw_salt, or :salt, depending on which column is present, defaults to :password_salt if none are present,
         #   This is the name of the field in your database that stores your password salt.
+        #
+        # * <tt>password_reset_token_field</tt> - default: :password_reset_token, :pw_reset_token, :reset_password_token, or :reset_pw_token, depending on which column is present, if none are present defaults to nil
+        #   This is the name of the field in your database that stores your password reset token. The token you should use to verify your users before you allow a password reset. Authlogic takes care
+        #   of maintaining this for you and making sure it changes when needed.
+        #
+        # * <tt>password_reset_token_valid_for</tt> - default: 10.minutes,
+        #   Authlogic gives you a sepcial method for finding records by the password reset token (see Authlogic::ORMAdapters::ActiveRecordAdapter::ActcsAsAuthentic::PasswordReset). In this method
+        #   it checks for the age of the token. If the token is old than whatever you specify here, a user will NOT be returned. This way the tokens are perishable, thus making this system much
+        #   more secure.
         #
         # * <tt>remember_token_field</tt> - default: :remember_token, :remember_key, :cookie_tokien, or :cookie_key, depending on which column is present, defaults to :remember_token if none are present,
         #   This is the name of the field your remember_token is stored. The remember token is a unique token that is stored in the users cookie and
@@ -93,14 +109,19 @@ module Authlogic
             options[:crypto_provider] ||= CryptoProviders::Sha512
             options[:login_field] ||= first_column_to_exist(:login, :username, :email)
             options[:login_field_type] ||= options[:login_field] == :email ? :email : :login
+            options[:email_field] = first_column_to_exist(nil, :email) unless options.key?(:email_field)
+            options[:email_field] = nil if options[:email_field] == options[:login_field]
+            email_name_regex  = '[\w\.%\+\-]+'
+            domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
+            domain_tld_regex  = '(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|jobs|museum)'
+            options[:email_field_regex] ||= /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
+            options[:email_field_regex_failed_message] ||= "should look like an email address."
             case options[:login_field_type]
             when :email
-              email_name_regex  = '[\w\.%\+\-]+'
-              domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-              domain_tld_regex  = '(?:[A-Z]{2}|com|org|net|edu|gov|mil|biz|info|mobi|name|aero|jobs|museum)'
-              options[:login_field_regex] ||= /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-              options[:login_field_regex_failed_message] ||= "should look like an email address."
+              options[:login_field_regex] ||= options[:email_field_regex]
+              options[:login_field_regex_failed_message] ||= options[:email_field_regex_failed_message]
             else
               options[:login_field_regex] ||= /\A\w[\w\.\-_@ ]+\z/
               options[:login_field_regex_failed_message] ||= "use only letters, numbers, spaces, and .-_@ please."
@@ -113,6 +134,9 @@ module Authlogic
             options[:password_salt_field] ||= first_column_to_exist(:password_salt, :pw_salt, :salt)
             options[:remember_token_field] ||= first_column_to_exist(:remember_token, :remember_key, :cookie_token, :cookiey_key)
             options[:single_access_token_field] ||= first_column_to_exist(nil, :single_access_token, :feed_token, :feeds_token)
+            options[:password_reset_token_field] ||= first_column_to_exist(nil, :password_reset_token, :pw_reset_token, :reset_password_token, :reset_pw_token)
+            options[:password_reset_token_valid_for] ||= 10.minutes
+            options[:password_reset_token_valid_for] = options[:password_reset_token_valid_for].to_i
             options[:logged_in_timeout] ||= 10.minutes
             options[:logged_in_timeout] = options[:logged_in_timeout].to_i
             options[:session_ids] ||= [nil]

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb CHANGED

@@ -13,7 +13,7 @@ module Authlogic
         # === Instance Methods
         #
         # * <tt>{options[:password_field]}=(value)</tt> - encrypts a raw password and sets it to your crypted_password_field. Also sets the password_salt to a random token.
-        # * <tt>valid_{options[:password_field]}?(password_to_check)</tt> - checks is the password is valid. The password passed can be the raw password or the encrypted password.
+        # * <tt>valid_{options[:password_field]}?(password_to_check)</tt> - checks is the password is valid. The password passed must be the raw password, not encrypted.
         # * <tt>reset_{options[:password_field]}</tt> - resets the password using the friendly_unique_token class method
         # * <tt>reset_{options[:password_field]}!</tt> - calls reset_password and then saves the record
         module Credentials
@@ -29,6 +29,12 @@ module Authlogic
               validates_length_of options[:login_field], :within => 2..100, :allow_blank => true
               validates_format_of options[:login_field], :with => options[:login_field_regex], :message => options[:login_field_regex_failed_message]
             end
+            if options[:email_field]
+              validates_length_of options[:email_field], :within => 6..100
+              validates_format_of options[:email_field], :with => options[:email_field_regex], :message => options[:email_field_regex_failed_message]
+              validates_uniqueness_of options[:email_field], :scope => options[:scope]
+            end
             validates_uniqueness_of options[:login_field], :scope => options[:scope]
             validate :validate_password
@@ -54,8 +60,7 @@ module Authlogic
               def valid_#{options[:password_field]}?(attempted_password)
                 return false if attempted_password.blank? || #{options[:crypted_password_field]}.blank? || #{options[:password_salt_field]}.blank?
-                attempted_password == #{options[:crypted_password_field]} ||
-                  (#{options[:crypto_provider]}.respond_to?(:decrypt) && #{options[:crypto_provider]}.decrypt(#{options[:crypted_password_field]}) == attempted_password + #{options[:password_salt_field]}) ||
+                (#{options[:crypto_provider]}.respond_to?(:decrypt) && #{options[:crypto_provider]}.decrypt(#{options[:crypted_password_field]}) == attempted_password + #{options[:password_salt_field]}) ||
                   (!#{options[:crypto_provider]}.respond_to?(:decrypt) && #{options[:crypto_provider]}.encrypt(attempted_password + #{options[:password_salt_field]}) == #{options[:crypted_password_field]})
               end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb CHANGED

@@ -22,8 +22,8 @@ module Authlogic
             validates_numericality_of :login_count, :only_integer => :true, :greater_than_or_equal_to => 0, :allow_nil => true if column_names.include?("login_count")
             if column_names.include?("last_request_at")
-              named_scope :logged_in, lambda { {:conditions => ["last_request_at > ?", options[:logged_in_timeout].ago]} }
-              named_scope :logged_out, lambda { {:conditions => ["last_request_at is NULL or last_request_at <= ?", options[:logged_in_timeout].ago]} }
+              named_scope :logged_in, lambda { {:conditions => ["last_request_at > ?", options[:logged_in_timeout].seconds.ago]} }
+              named_scope :logged_out, lambda { {:conditions => ["last_request_at is NULL or last_request_at <= ?", options[:logged_in_timeout].seconds.ago]} }
             end
             if column_names.include?("last_request_at")

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/password_reset.rb ADDED

@@ -0,0 +1,73 @@
+module Authlogic
+  module ORMAdapters
+    module ActiveRecordAdapter
+      module ActsAsAuthentic
+        # = Password Reset
+        #
+        # Handles all logic the deals with maintaining the password reset token. This token should be used to authenticate a user that is not logged in so that they
+        # can change their password.
+        #
+        # === Class Methods
+        #
+        # * <tt>find_using_{options[:password_reset_token_field]}(token)</tt> - returns the record that matches the pased token. The record's updated at column must not be older than
+        #   {options[:password_reset_token_valid_for]} ago. Lastly, if a blank token is passed no record will be returned.
+        #
+        # === Instance Methods
+        #
+        # * <tt>reset_#{options[:password_reset_token_field]}</tt> - resets the password reset token field to a friendly unique token.
+        # * <tt>reset_#{options[:password_reset_token_field]}!</tt> - same as above but saves the record afterwards.
+        module PasswordReset
+          def acts_as_authentic_with_password_reset(options = {})
+            acts_as_authentic_without_password_reset(options)
+            return if options[:password_reset_token_field].blank?
+            class_eval <<-"end_eval", __FILE__, __LINE__
+              validates_uniqueness_of :#{options[:password_reset_token_field]}
+              before_validation :reset_#{options[:password_reset_token_field]}, :unless => :resetting_#{options[:password_reset_token_field]}?
+              def self.find_using_#{options[:password_reset_token_field]}(token)
+                return if token.blank?
+                conditions_sql = "#{options[:password_reset_token_field]} = ?"
+                conditions_subs = [token]
+                if column_names.include?("updated_at") && #{options[:password_reset_token_valid_for]} > 0
+                  conditions_sql += " and updated_at > ?"
+                  conditions_subs << #{options[:password_reset_token_valid_for]}.seconds.ago
+                end
+                find(:first, :conditions => [conditions_sql, *conditions_subs])
+              end
+              def reset_#{options[:password_reset_token_field]}
+                self.#{options[:password_reset_token_field]} = self.class.friendly_unique_token
+              end
+              def reset_#{options[:password_reset_token_field]}!
+                reset_#{options[:password_reset_token_field]}
+                @resetting_#{options[:password_reset_token_field]} = true
+                result = save_without_session_maintenance
+                @resetting_#{options[:password_reset_token_field]} = false
+                result
+              end
+              private
+                def resetting_#{options[:password_reset_token_field]}?
+                  @resetting_#{options[:password_reset_token_field]} == true
+                end
+            end_eval
+          end
+        end
+      end
+    end
+  end
+end
+ActiveRecord::Base.class_eval do
+  class << self
+    include Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::PasswordReset
+    alias_method_chain :acts_as_authentic, :password_reset
+  end
+end