authpwn_rails 0.10.5 → 0.10.6

data/Gemfile

@@ -1,11 +1,11 @@
-source "http://rubygems.org"
-gem "fbgraph_rails", ">= 0.2.2"
-gem "rails", ">= 3.2.0.rc2"
+source 'http://rubygems.org'
+gem 'fbgraph_rails', '>= 0.2.2'
+gem 'rails', '>= 3.2.0.rc2'
 
 group :development do
-  gem "bundler", "~> 1.0.0"
-  gem "flexmock", "~> 0.9.0"
-  gem "jeweler", "~> 1.6.0"
-  gem "rcov", ">= 0", :platform => :mri
-  gem "sqlite3", ">= 1.3.3"
+  gem 'bundler', '~> 1.0.0'
+  gem 'flexmock', '~> 0.9.0'
+  gem 'jeweler', '~> 1.6.0'
+  gem 'rcov', '>= 0', :platform => :mri
+  gem 'sqlite3', '>= 1.3.5'
 end

data/Gemfile.lock

@@ -122,4 +122,4 @@ DEPENDENCIES
   jeweler (~> 1.6.0)
   rails (>= 3.2.0.rc2)
   rcov
-  sqlite3 (>= 1.3.3)
+  sqlite3 (>= 1.3.5)

data/VERSION

@@ -1 +1 @@
-0.10.5
+0.10.6

data/app/models/credentials/email.rb

@@ -38,17 +38,25 @@ class Email < ::Credential
   # Returns the authenticated User instance, or a symbol indicating the reason
   # why the (potentially valid) password was rejected.
   def self.authenticate(email)
+    credential = with email
+    return :invalid unless credential
+    user = credential.user
+    user.auth_bounce_reason(credential) || user
+  end
+  
+  # Locates the credential holding an e-mail address.
+  #
+  # Returns the User matching the given e-mail, or nil if the e-mail is not
+  # associated with any user.
+  def self.with(email)
     # This method is likely to be used to kick off a complex authentication
     # process, so it makes sense to pre-fetch the user's other credentials.
     credential = Credentials::Email.where(:name => email).
                                     includes(:user => :credentials).first
-    return :invalid unless credential
-    user = credential.user
-    user.auth_bounce_reason(credential) || user
   end
 
   # Forms can only change the e-mail in the credential.
   attr_accessible :email
-end  # class Credentials::Email 
+end  # class Credentials::Email
 
 end  # namespace Credentials

data/app/models/credentials/token.rb

@@ -0,0 +1,106 @@
+require 'securerandom'
+
+# :namespace
+module Credentials
+  
+# Associates a secret token code with the account.
+#
+# Subclasses of this class are in the tokens namespace.
+class Token < ::Credential
+  # The secret token code.
+  alias_attribute :code, :name
+  # Token names are random, so we can expect they'll be unique across the entire
+  # namespace. We need this check to enforce name uniqueness across different
+  # token types. 
+  validates :name, :format => /^[A-Za-z0-9\_\-]+$/, :presence => true,
+                   :uniqueness => true 
+
+  # Authenticates a user using a secret token code.
+  #
+  # The token will be spent on successful authentication. One-time tokens are
+  # deleted when spent.
+  #
+  # Returns the authenticated User instance, or a symbol indicating the reason
+  # why the (potentially valid) token code was rejected.
+  def self.authenticate(code)
+    credential = self.with_code code
+    credential ? credential.authenticate : :invalid
+  end
+  
+  # The token matching a secret code.
+  def self.with_code(code)
+    # NOTE 1: The where query must be performed off the root type, otherwise
+    #         Rails will try to guess the right values for the 'type' column,
+    #         and will sometimes get them wrong.
+    # NOTE 2: After using this method, it's likely that the user's other tokens
+    #         (e.g., email or Facebook OAuth token) will be required, so we
+    #         pre-fetch them.
+    credential = Credential.where(:name => code).
+                            includes(:user => :credentials).first
+    
+    if credential.is_a? Credentials::Token
+      credential
+    else
+      nil
+    end
+  end
+  
+  # Authenticates a user using this token.
+  #
+  # The token will be spent on successful authentication. One-time tokens are
+  # deleted when spent.
+  #
+  # Returns the authenticated User instance, or a symbol indicating the reason
+  # why the (potentially valid) token code was rejected.
+  def authenticate
+    if bounce = user.auth_bounce_reason(self)
+      return bounce
+    end
+    spend
+    user
+  end
+  
+  # Updates the token's state to reflect that it was used for authentication.
+  #
+  # Tokens may become invalid after they are spent.
+  #
+  # Returns the token instance.
+  def spend
+    self
+  end
+
+  # Creates a new random token for a user.
+  #
+  # Args:
+  #   user:: the User who will be authenticated by the token
+  #   key:: optional data associated with the token
+  #   klass:: class that will be instantiated (should be a subclass of Token)
+  #
+  # Returns a newly created and saved token with a random code.
+  def self.random_for(user, key = nil, klass = nil)
+    klass ||= self
+    if key.nil?
+      token = self.new(:code => random_code)
+    else
+      token = self.new(:code => random_code, :key => key)
+    end
+    user.credentials << token
+    token.save!
+    token
+  end
+
+  # Generates a random token code.
+  def self.random_code
+    SecureRandom.urlsafe_base64(32)
+  end
+  
+  # Use codes instead of exposing ActiveRecord IDs.
+  def to_param
+    code
+  end
+  class <<self
+    alias_method :find_by_param, :with_code
+  end
+end  # class Credentials::Token
+
+end  # namespace Credentials

data/app/models/tokens/email_verification.rb

@@ -0,0 +1,42 @@
+# :namespace
+module Tokens
+  
+# A token that verifies the user's ownership of their e-mail address.
+class EmailVerification < OneTime
+  # The e-mail address verified by this token.
+  #
+  # Note that it's useful to keep track of the exact e-mail address that the
+  # token vouches for, even if an application only allows a single e-mail per
+  # user. Otherwise, a user might be able to change their e-mail address and
+  # then use the token to verify the ownership of the wrong address. 
+  alias_attribute :email, :key
+  validates :email, :presence => true
+  
+  # Creates a token with a random code that verifies the given e-mail address.
+  def self.random_for(email_credential)
+    super email_credential.user, email_credential.email, self
+  end
+  
+  # Marks the e-mail associated with the token as verified.
+  #
+  # Returns the token instance.
+  def spend
+    self.transaction do
+      if credential = email_credential
+        credential.verified = true
+        credential.save!
+      end
+      super
+    end
+  end
+  
+  # The credential whose ownership is verified by this token.
+  #
+  # This method might return nil if a user is trying to take advantage of a race
+  # condition and changes her e-mail address before using the token.
+  def email_credential
+    user.credentials.find { |c| c.name == email }
+  end
+end  # class Tokens::EmailVerification
+
+end  # namespace Tokens

data/app/models/tokens/one_time.rb

@@ -0,0 +1,16 @@
+# :namespace
+module Tokens
+  
+# One-time tokens can only be used once to authenticate an account.
+class OneTime < Credentials::Token
+  # Updates the token's state to reflect that it was used for authentication.
+  #
+  # One-time tokens become invalid after they are spent.
+  #
+  # Returns the token instance.
+  def spend
+    destroy
+  end
+end  # class Tokens::OneTime
+
+end  # namespace Tokens

data/app/models/tokens/password_reset.rb

@@ -0,0 +1,27 @@
+# :namespace
+module Tokens
+  
+# Lets the user to change their password without knowing the old one.
+class PasswordReset < OneTime
+  # Blanks the user's old password, so the new password form won't ask for it.
+  #
+  # Returns the token instance.
+  def spend
+    self.transaction do
+      if credential = password_credential
+        credential.destroy
+      end
+      super
+    end
+  end
+  
+  # The credential that is removed by this token.
+  #
+  # This method might return nil if a user initiates password recovery multiple
+  # times.
+  def password_credential
+    user.credentials.find { |c| c.is_a? Credentials::Password }
+  end
+end  # class Tokens::PasswordReset
+
+end  # namespace Tokens

data/authpwn_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.10.5"
+  s.version = "0.10.6"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = "2012-01-07"
+  s.date = "2012-01-11"
   s.description = "Works with Facebook."
   s.email = "victor@costan.us"
   s.extra_rdoc_files = [
@@ -30,6 +30,10 @@ Gem::Specification.new do |s|
     "app/models/credentials/email.rb",
     "app/models/credentials/facebook.rb",
     "app/models/credentials/password.rb",
+    "app/models/credentials/token.rb",
+    "app/models/tokens/email_verification.rb",
+    "app/models/tokens/one_time.rb",
+    "app/models/tokens/password_reset.rb",
     "authpwn_rails.gemspec",
     "legacy/migrate_09_to_010.rb",
     "lib/authpwn_rails.rb",
@@ -44,34 +48,55 @@ Gem::Specification.new do |s|
     "lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
     "lib/authpwn_rails/generators/templates/session/home.html.erb",
     "lib/authpwn_rails/generators/templates/session/new.html.erb",
+    "lib/authpwn_rails/generators/templates/session/password_change.html.erb",
     "lib/authpwn_rails/generators/templates/session/welcome.html.erb",
     "lib/authpwn_rails/generators/templates/session_controller.rb",
     "lib/authpwn_rails/generators/templates/session_controller_test.rb",
+    "lib/authpwn_rails/generators/templates/session_mailer.rb",
+    "lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.html.erb",
+    "lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.text.erb",
+    "lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.html.erb",
+    "lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.text.erb",
+    "lib/authpwn_rails/generators/templates/session_mailer_test.rb",
     "lib/authpwn_rails/generators/templates/user.rb",
     "lib/authpwn_rails/generators/templates/users.yml",
+    "lib/authpwn_rails/routes.rb",
     "lib/authpwn_rails/session.rb",
     "lib/authpwn_rails/session_controller.rb",
+    "lib/authpwn_rails/session_mailer.rb",
     "lib/authpwn_rails/test_extensions.rb",
     "lib/authpwn_rails/user_extensions/email_field.rb",
     "lib/authpwn_rails/user_extensions/facebook_fields.rb",
     "lib/authpwn_rails/user_extensions/password_field.rb",
     "lib/authpwn_rails/user_model.rb",
     "test/cookie_controller_test.rb",
-    "test/email_credential_test.rb",
-    "test/email_field_test.rb",
+    "test/credentials/email_credential_test.rb",
+    "test/credentials/email_verification_token_test.rb",
+    "test/credentials/facebook_credential_test.rb",
+    "test/credentials/one_time_token_credential_test.rb",
+    "test/credentials/password_credential_test.rb",
+    "test/credentials/password_reset_token_test.rb",
+    "test/credentials/token_crendential_test.rb",
     "test/facebook_controller_test.rb",
-    "test/facebook_credential_test.rb",
-    "test/facebook_fields_test.rb",
+    "test/fixtures/bare_session/forbidden.html.erb",
+    "test/fixtures/bare_session/home.html.erb",
+    "test/fixtures/bare_session/new.html.erb",
+    "test/fixtures/bare_session/password_change.html.erb",
+    "test/fixtures/bare_session/welcome.html.erb",
+    "test/helpers/action_mailer.rb",
     "test/helpers/application_controller.rb",
     "test/helpers/autoload_path.rb",
     "test/helpers/db_setup.rb",
     "test/helpers/fbgraph.rb",
     "test/helpers/routes.rb",
     "test/helpers/view_helpers.rb",
-    "test/password_credential_test.rb",
-    "test/password_field_test.rb",
+    "test/routes_test.rb",
     "test/session_controller_api_test.rb",
+    "test/session_mailer_api_test.rb",
     "test/test_helper.rb",
+    "test/user_extensions/email_field_test.rb",
+    "test/user_extensions/facebook_fields_test.rb",
+    "test/user_extensions/password_field_test.rb",
     "test/user_test.rb"
   ]
   s.homepage = "http://github.com/pwnall/authpwn_rails"
@@ -90,7 +115,7 @@ Gem::Specification.new do |s|
       s.add_development_dependency(%q<flexmock>, ["~> 0.9.0"])
       s.add_development_dependency(%q<jeweler>, ["~> 1.6.0"])
       s.add_development_dependency(%q<rcov>, [">= 0"])
-      s.add_development_dependency(%q<sqlite3>, [">= 1.3.3"])
+      s.add_development_dependency(%q<sqlite3>, [">= 1.3.5"])
     else
       s.add_dependency(%q<fbgraph_rails>, [">= 0.2.2"])
       s.add_dependency(%q<rails>, [">= 3.2.0.rc2"])
@@ -98,7 +123,7 @@ Gem::Specification.new do |s|
       s.add_dependency(%q<flexmock>, ["~> 0.9.0"])
       s.add_dependency(%q<jeweler>, ["~> 1.6.0"])
       s.add_dependency(%q<rcov>, [">= 0"])
-      s.add_dependency(%q<sqlite3>, [">= 1.3.3"])
+      s.add_dependency(%q<sqlite3>, [">= 1.3.5"])
     end
   else
     s.add_dependency(%q<fbgraph_rails>, [">= 0.2.2"])
@@ -107,7 +132,7 @@ Gem::Specification.new do |s|
     s.add_dependency(%q<flexmock>, ["~> 0.9.0"])
     s.add_dependency(%q<jeweler>, ["~> 1.6.0"])
     s.add_dependency(%q<rcov>, [">= 0"])
-    s.add_dependency(%q<sqlite3>, [">= 1.3.3"])
+    s.add_dependency(%q<sqlite3>, [">= 1.3.5"])
   end
 end
 

data/lib/authpwn_rails.rb

@@ -6,6 +6,7 @@ module Authpwn
   
   autoload :CredentialModel, 'authpwn_rails/credential_model.rb'
   autoload :SessionController, 'authpwn_rails/session_controller.rb'
+  autoload :SessionMailer, 'authpwn_rails/session_mailer.rb'
   autoload :UserModel, 'authpwn_rails/user_model.rb'
 
   # Contains extensions to the User model.
@@ -17,6 +18,7 @@ module Authpwn
 end
 
 require 'authpwn_rails/facebook_session.rb'
+require 'authpwn_rails/routes.rb'
 require 'authpwn_rails/session.rb'
 require 'authpwn_rails/test_extensions.rb'
 

data/lib/authpwn_rails/generators/all_generator.rb

@@ -26,7 +26,7 @@ class AllGenerator < Rails::Generators::Base
     copy_file File.join('session_controller_test.rb'),
               File.join('test', 'functional', 'session_controller_test.rb')
 
-    route "resource :session, :controller => 'session'"
+    route "authpwn_session"
     route "root :to => 'session#show'"
   end
   
@@ -37,9 +37,27 @@ class AllGenerator < Rails::Generators::Base
               File.join('app', 'views', 'session', 'home.html.erb')
     copy_file File.join('session', 'new.html.erb'),
               File.join('app', 'views', 'session', 'new.html.erb')
+    copy_file File.join('session', 'password_change.html.erb'),
+              File.join('app', 'views', 'session', 'password_change.html.erb')
     copy_file File.join('session', 'welcome.html.erb'),
               File.join('app', 'views', 'session', 'welcome.html.erb')
-  end  
+  end
+
+  def create_session_mailer
+    copy_file 'session_mailer.rb',
+              File.join('app', 'mailers', 'session_mailer.rb')
+    copy_file File.join('session_mailer_test.rb'),
+              File.join('test', 'functional', 'session_mailer_test.rb')
+  end
+
+  def create_session_mailer_views
+    copy_file File.join('session_mailer', 'reset_password_email.html.erb'),
+              File.join('app', 'views', 'session_mailer',
+                        'reset_password_email.html.erb')
+    copy_file File.join('session_mailer', 'reset_password_email.text.erb'),
+              File.join('app', 'views', 'session_mailer',
+                        'reset_password_email.text.erb')
+  end
 end  # class Authpwn::AllGenerator
 
 end  # namespace Authpwn

data/lib/authpwn_rails/generators/templates/credentials.yml

@@ -32,3 +32,24 @@ john_facebook:
   type: Credentials::Facebook
   name: 702659
   key: 702659|ffffffffffffffffffffffff-702659|ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+
+jane_token:
+  user: jane
+  type: Credentials::Token
+  name: "6TXe1vv7BgOw0BkJ1hzUKO6G08fLk4sVfJ3wPDZHS-c"
+
+john_token:
+  user: john
+  type: Tokens::OneTime
+  name: YZ-Fo8HX6_NyU6lVZXYi6cMDLV5eAgt35UTF5l8bD6A
+
+john_email_token:
+  user: john
+  type: Tokens::EmailVerification
+  name: bDSU4tzfjuob79e3R0ykLcOGTBBYvuBWWJ9V06tQrCE
+  key: john@gmail.com
+
+jane_password_token:
+  user: jane
+  type: Tokens::PasswordReset
+  name: nbMLTKN18tYy9plBAbsrwT6zdE2jZqoKPk6Ze4lHMSQ