authpwn_rails 0.10.5 → 0.10.6

data/lib/authpwn_rails/generators/templates/session/new.html.erb

@@ -1,5 +1,3 @@
-<p>This is a sample login form. You should customize it for your users.</p>
-
 <% if flash[:notice] %>
 <p class="notice"><%= flash[:notice] %></p>
 <% end %>
@@ -14,16 +12,23 @@
 <%= form_tag session_path do %>
   <div class="field">
     <%= label_tag :email, 'Email Address' %><br />
-    <%= email_field_tag :email, @email %>
+    <span class="value">
+      <%= email_field_tag :email, @email, :autofocus => true, :required => true,
+            :placeholder => 'your@email.com' %>
+    </span>
   </div>
   
   <div class="field">
     <%= label_tag :password %><br />
-    <%= password_field_tag :password %>
+    <span class="value">
+      <%= password_field_tag :password %>
+    </span>
   </div>
   
   <div class="actions">
-    <%= submit_tag 'Log in' %>
+    <%= button_tag 'Log in', :name => 'login', :value => 'requested' %>
+    <%= button_tag 'Reset Password', :name => 'reset_password',
+          :value => 'requested', :formaction => reset_password_session_path %>
     
     <% if @redirect_url %>
     <%= hidden_field_tag :redirect_url, @redirect_url %>

data/lib/authpwn_rails/generators/templates/session/password_change.html.erb

@@ -0,0 +1,37 @@
+<h1>Password Change</h1>
+
+<% if flash[:notice] %>
+<p class="notice"><%= flash[:notice] %></p>
+<% end %>
+
+<%= form_for @credential, :url => change_password_session_path,
+                          :as => :credential, :method => :post do |f| %>
+  <section class="fields">
+  <% unless @credential.new_record? %>
+  <div class="field">
+    <%= label_tag :old_password, 'Current Password' %><br />
+    <span class="value">
+      <%= password_field_tag :old_password %>
+    </span>
+  </div>
+  <% end %>
+  
+  <div class="field">
+    <%= f.label :password, 'New Password' %><br />
+    <span class="value">
+      <%= f.password_field :password %>
+    </span>
+  </div>
+
+  <div class="field">
+    <%= f.label :password_confirmation, 'Re-enter New Password' %><br />
+    <span class="value">
+      <%= f.password_field :password_confirmation %>
+    </span>
+  </div>
+  </section>
+  
+  <div class="actions">
+    <%= f.submit 'Change Password' %>
+  </div>
+<% end %>

data/lib/authpwn_rails/generators/templates/session_controller.rb

@@ -26,7 +26,25 @@ class SessionController < ApplicationController
     end
   end
   
+  # A user is logged in, based on a token.
+  def home_with_token(token)
+    respond_to do |format|
+      format.html do
+        case token
+        when Tokens::EmailVerification
+          redirect_to session_url, :notice => 'E-mail address confirmed'
+        when Tokens::PasswordReset
+          redirect_to change_password_session_url
+        # Handle other token types here.
+        end
+      end
+      format.json do
+        # Rely on default behavior.
+      end
+    end
+  end
+  private :home_with_token
+  
   # You shouldn't extend the session controller, so you can benefit from future
-  # features, like Facebook / Twitter / OpenID integration. But, if you must,
-  # you can do it here.
+  # features. But, if you must, you can do it here.
 end

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -3,6 +3,9 @@ require 'test_helper'
 class SessionControllerTest < ActionController::TestCase
   setup do
     @user = users(:john)
+    @email_credential = credentials(:john_email)
+    @password_credential = credentials(:john_password)
+    @token_credential = credentials(:john_email_token)
   end
   
   test "user home page" do
@@ -33,4 +36,72 @@ class SessionControllerTest < ActionController::TestCase
 
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
   end
+  
+  test "user signup page" do
+    get :new
+    assert_template :new
+  
+    assert_select 'form[action=?]', session_path do
+      assert_select 'input[name="email"]'
+      assert_select 'input[name="password"]'
+      assert_select 'button[name="login"]'
+      assert_select 'button[name="reset_password"]'
+    end
+  end
+  
+  test "e-mail verification link" do
+    get :token, :code => @token_credential.code
+    assert_redirected_to session_url
+    assert @email_credential.reload.verified?, 'Email not verified'
+  end
+  
+  test "password reset link" do
+    password_credential = credentials(:jane_password)
+    get :token, :code => credentials(:jane_password_token).code
+    assert_redirected_to change_password_session_url
+    assert_nil Credential.where(:id => password_credential.id).first,
+               'Password not cleared'
+  end
+  
+
+  test "password change form" do
+    set_session_current_user @user
+    get :password_change
+    
+    assert_select 'form[action=?][method="post"]',
+                  change_password_session_path do
+      assert_select 'input[name="old_password"]'
+      assert_select 'input[name=?]', 'credential[password]'
+      assert_select 'input[name=?]', 'credential[password_confirmation]'
+      assert_select 'input[type=submit]'
+    end
+  end
+
+  test "password reset form" do
+    set_session_current_user @user
+    @password_credential.destroy
+    get :password_change
+    
+    assert_select 'form[action=?][method="post"]',
+                  change_password_session_path do
+      assert_select 'input[name="old_password"]', :count => 0
+      assert_select 'input[name=?]', 'credential[password]'
+      assert_select 'input[name=?]', 'credential[password_confirmation]'
+      assert_select 'input[type=submit]'
+    end
+  end
+  
+  test "password reset request" do
+    ActionMailer::Base.deliveries = []
+
+    assert_difference 'Credential.count', 1 do
+      post :reset_password, :email => @email_credential.email
+    end
+    
+    assert !ActionMailer::Base.deliveries.empty?, 'email generated'
+    email = ActionMailer::Base.deliveries.last
+    assert_equal [@email_credential.email], email.to
+    
+    assert_redirected_to new_session_url
+  end
 end

data/lib/authpwn_rails/generators/templates/session_mailer.rb

@@ -0,0 +1,26 @@
+class SessionMailer < ActionMailer::Base
+  include Authpwn::SessionMailer
+
+  def email_verification_subject(token, server_hostname)
+    # Consider replacing the hostname with a user-friendly application name.
+    "#{server_hostname} e-mail verification"
+  end
+  
+  def email_verification_from(token, server_hostname)
+    # You most likely need to replace the e-mail address below.
+    %Q|"#{server_hostname} staff" <admin@#{server_hostname}>|
+  end  
+
+  def reset_password_subject(token, server_hostname)
+    # Consider replacing the hostname with a user-friendly application name.
+    "#{server_hostname} password reset"
+  end
+  
+  def reset_password_from(token, server_hostname)
+    # You most likely need to replace the e-mail address below.
+    %Q|"#{server_hostname} staff" <admin@#{server_hostname}>|
+  end
+
+  # You shouldn't extend the session controller, so you can benefit from future
+  # features. But, if you must, you can do it here.
+end

data/lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.html.erb

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <h3>Dear <%= @token.email %>,</h3>
+    
+    <p>
+      You are receiving this e-mail because someone (hopefully you) registered
+      an account at <%= link_to @host, root_url(:host => @host) %>
+      using your e-mail address.
+    </p>
+    
+    <p>
+      Please go
+      <%= link_to 'here', token_session_url(@token, :host => @host) %>
+      to confirm your e-mail address.
+    </p>
+    
+    <p>
+      If you haven't registered an account, please ignore this e-mail. Someone
+      most likely mistyped their e-mail.
+    </p>
+  </body>
+</html>

data/lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.text.erb

@@ -0,0 +1,11 @@
+Dear <%= @token.email %>,
+
+
+You are receiving this e-mail because someone (hopefully you) registered an
+account at <%= @host %> using your e-mail address.
+
+Please go to the address below to confirm your e-mail address.
+<%= link_to 'here', token_session_url(@token, :host => @host) %>
+
+If you haven't registered an account, please ignore this e-mail. Someone most
+likely mistyped their e-mail.

data/lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.html.erb

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+  <body>
+    <h3>Dear <%= @email %>,</h3>
+    
+    <p>
+      You are receiving this e-mail because someone (hopefully you) requested a
+      password reset for your <%= link_to @host, root_url(:host => @host) %>
+      account.
+    </p>
+    
+    <p>
+      Please go
+      <%= link_to 'here', token_session_url(@token, :host => @host) %>
+      to reset your password.
+    </p>
+    
+    <p>
+      If you haven't requested a password reset, please ignore this e-mail.
+      Someone most likely mistyped their e-mail.
+    </p>
+  </body>
+</html>

data/lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.text.erb

@@ -0,0 +1,11 @@
+Dear <%= @email %>,
+
+
+You are receiving this e-mail because someone (hopefully you) requested a
+password reset for your <%= @host %> account.
+
+Please go to the address below to reset your password.
+<%= token_session_url(@token, :host => @host) %>
+
+If you haven't requested a password reset, please ignore this e-mail. Someone
+most likely mistyped their e-mail.

data/lib/authpwn_rails/generators/templates/session_mailer_test.rb

@@ -0,0 +1,37 @@
+require 'test_helper'
+
+class SessionMailerTest < ActionMailer::TestCase
+  setup do
+    @reset_email = credentials(:jane_email).email
+    @reset_token = credentials(:jane_password_token)
+    @verification_token = credentials(:john_email_token)
+    @verification_email = credentials(:john_email).email
+    @host = 'test.host'
+  end
+
+  test 'email verification email' do
+    email = SessionMailer.email_verification_email(@verification_token, @host).
+                          deliver
+    assert !ActionMailer::Base.deliveries.empty?
+    
+    assert_equal 'test.host e-mail verification', email.subject
+    assert_equal ['admin@test.host'], email.from
+    assert_equal '"test.host staff" <admin@test.host>', email['from'].to_s
+    assert_equal [@verification_email], email.to
+    assert_match @verification_token.code, email.encoded
+    assert_match @host, email.encoded
+  end  
+
+  test 'password reset email' do
+    email = SessionMailer.reset_password_email(@reset_email, @reset_token,
+                                               @host).deliver
+    assert !ActionMailer::Base.deliveries.empty?
+    
+    assert_equal 'test.host password reset', email.subject
+    assert_equal ['admin@test.host'], email.from
+    assert_equal '"test.host staff" <admin@test.host>', email['from'].to_s
+    assert_equal [@reset_email], email.to
+    assert_match @reset_token.code, email.encoded
+    assert_match @host, email.encoded
+  end  
+end

data/lib/authpwn_rails/routes.rb

@@ -0,0 +1,50 @@
+require 'action_pack'
+
+# :nodoc: namespace
+module Authpwn
+
+# :nodoc: namespace
+module Routes
+
+# :nodoc: mixed into ActionPack's route mapper.
+module MapperMixin
+  # Draws the routes for a session controller.
+  #
+  # The options hash accepts the following keys.
+  #   :controller:: the name of the controller; defaults to "session" for
+  #                 SessionController
+  #   :paths:: the prefix of the route paths; defaults to the controller name
+  #   :method_names:: the root of name used in the path methods; defaults to
+  #                   "session", which will generate names like session_path,
+  #                   new_session_path, and token_session_path
+  def authpwn_session(options = {})
+    controller = options[:controller] || 'session'
+    paths = options[:paths] || controller
+    methods = options[:method_names] || 'session'
+    
+    get "/#{paths}/token/:code", :controller => controller, :action => 'token',
+                                 :as => :"token_#{methods}"
+    
+    get "/#{paths}", :controller => controller, :action => 'show',
+                     :as => :"#{methods}"
+    get "/#{paths}/new", :controller => controller, :action => 'new',
+                         :as => :"new_#{methods}"
+    post "/#{paths}", :controller => controller, :action => 'create'
+    delete "/#{paths}", :controller => controller, :action => 'destroy'
+    
+    get "/#{paths}/change_password", :controller => controller,
+                                    :action => 'password_change',
+                                    :as => "change_password_#{methods}"
+    post "/#{paths}/change_password", :controller => controller,
+                                     :action => 'change_password'
+    post "/#{paths}/reset_password", :controller => controller,
+                                     :action => 'reset_password', 
+                                     :as => "reset_password_#{methods}"
+  end
+end
+
+ActionDispatch::Routing::Mapper.send :include, MapperMixin
+
+end  # namespace Authpwn::Routes
+
+end  # namespace Authpwn

data/lib/authpwn_rails/session_controller.rb

@@ -50,6 +50,9 @@ module SessionController
   
   # POST /session
   def create
+    # Workaround for lack of browser support for the formaction attribute.
+    return reset_password if params[:reset_password]
+    
     @redirect_url = params[:redirect_url] || session_url
     @email = params[:email]
     auth = Credentials::Password.authenticate_email @email, params[:password]
@@ -76,6 +79,72 @@ module SessionController
       end
     end
   end
+  
+  # POST /session/reset_password
+  def reset_password
+    @email = params[:email]
+    credential = Credentials::Email.with @email
+    
+    if user = (credential && credential.user)
+      token = Tokens::PasswordReset.random_for user
+      ::SessionMailer.reset_password_email(@email, token,
+                                           request.host_with_port).deliver
+    end
+     
+    respond_to do |format|
+      if user
+        format.html do
+          redirect_to new_session_url, :notice =>
+              'Please check your e-mail for instructions'
+        end
+        format.json { render :json => { } }
+      else
+        notice = 'Invalid e-mail'
+        format.html do
+          redirect_to new_session_url, :notice => notice
+        end
+        format.json do
+          render :json => { :error => :not_found, :text => notice }
+        end
+      end
+    end
+  end
+  
+  # GET /session/token/token-code
+  def token
+    if token = Credentials::Token.with_code(params[:code])
+      auth = token.authenticate
+    else
+      auth = :invalid
+    end
+        
+    if auth.is_a? Symbol
+      notice = bounce_notice_text auth
+      respond_to do |format|        
+        format.html do
+          redirect_to new_session_url, :flash => { :notice => notice,
+              :auth_redirect_url => session_url }
+        end
+        format.json { render :json => { :error => auth, :text => notice } }
+      end
+    else
+      self.current_user = auth
+      home_with_token token
+      unless performed?
+        respond_to do |format|
+          format.html { redirect_to session_url }
+          format.json do
+            user_data = current_user.as_json
+            if current_user.class.include_root_in_json
+              user_data = user_data['user']
+            end
+            render :json => { :user => user_data,
+                              :csrf => form_authenticity_token }
+          end
+        end
+      end
+    end
+  end
 
   # DELETE /session
   def destroy
@@ -86,6 +155,61 @@ module SessionController
     end
   end
 
+  # GET /session/change_password
+  def password_change
+    unless current_user
+      bounce_user
+      return
+    end
+
+    respond_to do |format|
+      format.html do
+        @credential = current_user.credentials.
+                                   find { |c| c.is_a? Credentials::Password }
+        unless @credential
+          @credential = Credentials::Password.new
+          @credential.user = current_user
+        end
+        # Renders session/password_change.html.erb
+      end
+    end
+  end
+  
+  # POST /session/change_password
+  def change_password
+    unless current_user
+      bounce_user
+      return
+    end
+    
+    @credential = current_user.credentials.
+                               find { |c| c.is_a? Credentials::Password }
+    if @credential
+      # An old password is set, must verify it.
+      if @credential.check_password params[:old_password]
+        success = @credential.update_attributes params[:credential]
+      else
+        success = false
+        flash[:notice] = 'Incorrect old password. Please try again.'
+      end
+    else
+      @credential = Credentials::Password.new params[:credential]
+      @credential.user = current_user
+      success = @credential.save
+    end
+    respond_to do |format|
+      if success
+        format.html do
+          redirect_to session_url, :notice => 'Password updated'
+        end
+        format.json { head :ok }
+      else
+        format.html { render :action => :password_change }
+        format.json { render :json => { :error => :invalid } }
+      end
+    end
+  end
+
   # Hook for setting up the home view.
   def home
   end
@@ -95,6 +219,11 @@ module SessionController
   def welcome
   end
   private :welcome
+  
+  # Hook for setting up the home view after token-based authentication.
+  def home_with_token(token)
+  end
+  private :home_with_token
 
   # Hook for customizing the bounce notification text.    
   def bounce_notice_text(reason)