authpwn_rails 0.12.0 → 0.12.1

data/lib/authpwn_rails/generators/templates/session/new.html.erb

@@ -20,19 +20,19 @@
             :placeholder => 'your@email.com' %>
     </span>
   </div>
-  
+
   <div class="field">
     <%= label_tag :password %><br />
     <span class="value">
       <%= password_field_tag :password %>
     </span>
   </div>
-  
+
   <div class="actions">
     <%= button_tag 'Log in', :name => 'login', :value => 'requested' %>
     <%= button_tag 'Reset Password', :name => 'reset_password',
           :value => 'requested', :formaction => reset_password_session_path %>
-    
+
     <% if @redirect_url %>
     <%= hidden_field_tag :redirect_url, @redirect_url %>
     <% end %>

data/lib/authpwn_rails/generators/templates/session/welcome.html.erb

@@ -1,5 +1,5 @@
 <p>
   This view gets displayed when the user is not logged in. Entice the user to
   sign up for your application, and allow them to
-  <%= link_to 'Log in', new_session_path %>. 
+  <%= link_to 'Log in', new_session_path %>.
 </p>

data/lib/authpwn_rails/generators/templates/session_controller.rb

@@ -1,7 +1,7 @@
 # Manages logging in and out of the application.
 class SessionController < ApplicationController
   include Authpwn::SessionController
-  
+
   # Sets up the 'session/welcome' view. No user is logged in.
   def welcome
     # You can brag about some statistics.
@@ -15,17 +15,19 @@ class SessionController < ApplicationController
     @user = current_user
   end
   private :home
-  
+
   # The notification text displayed when a session authentication fails.
   def bounce_notice_text(reason)
     case reason
     when :invalid
       'Invalid e-mail or password'
+    when :expired
+      'Password expired. Please click "Forget password"'
     when :blocked
       'Account blocked. Please verify your e-mail address'
     end
   end
-  
+
   # A user is logged in, based on a token.
   def home_with_token(token)
     respond_to do |format|
@@ -44,7 +46,14 @@ class SessionController < ApplicationController
     end
   end
   private :home_with_token
-  
+
+  # If true, every successful login results in a SQL query that removes expired
+  # session tokens from the database, to keep its size down.
+  #
+  # For better performance, set this to false and periodically call
+  # Tokens::SessionUid.remove_expired in background thread.
+  self.auto_purge_sessions = true
+
   # You shouldn't extend the session controller, so you can benefit from future
   # features. But, if you must, you can do it here.
 end

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -16,6 +16,17 @@ class SessionControllerTest < ActionController::TestCase
     assert_select 'a[href="/session"][data-method="delete"]', 'Log out'
   end
 
+  test "user login works and purges old sessions" do
+    old_token = credentials(:jane_session_token)
+    old_token.updated_at = Time.now - 1.year
+    old_token.save!
+    post :create, :email => @email_credential.email, :password => 'password'
+    assert_equal @user, session_current_user, 'session'
+    assert_redirected_to session_url
+    assert_nil Credentials::Token.with_code(old_token.code),
+               'old session not purged'
+  end
+
   test "user logged in JSON request" do
     set_session_current_user @user
     get :show, :format => 'json'
@@ -37,7 +48,7 @@ class SessionControllerTest < ActionController::TestCase
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
   end
 
-  test "user signup page" do
+  test "user login page" do
     get :new
     assert_template :new
 
@@ -63,7 +74,6 @@ class SessionControllerTest < ActionController::TestCase
                'Password not cleared'
   end
 
-
   test "password change form" do
     set_session_current_user @user
     get :password_change

data/lib/authpwn_rails/generators/templates/session_mailer.rb

@@ -5,17 +5,17 @@ class SessionMailer < ActionMailer::Base
     # Consider replacing the hostname with a user-friendly application name.
     "#{server_hostname} e-mail verification"
   end
-  
+
   def email_verification_from(token, server_hostname, protocol)
     # You most likely need to replace the e-mail address below.
     %Q|"#{server_hostname} staff" <admin@#{server_hostname}>|
-  end  
+  end
 
   def reset_password_subject(token, server_hostname, protocol)
     # Consider replacing the hostname with a user-friendly application name.
     "#{server_hostname} password reset"
   end
-  
+
   def reset_password_from(token, server_hostname, protocol)
     # You most likely need to replace the e-mail address below.
     %Q|"#{server_hostname} staff" <admin@#{server_hostname}>|

data/lib/authpwn_rails/generators/templates/session_mailer/email_verification_email.html.erb

@@ -2,21 +2,21 @@
 <html>
   <body>
     <h3>Dear <%= @token.email %>,</h3>
-    
+
     <p>
       You are receiving this e-mail because someone (hopefully you) registered
       an account at
       <%= link_to @host, root_url(:host => @host, :protocol => @protocol) %>
       using your e-mail address.
     </p>
-    
+
     <p>
       Please go
       <%= link_to 'here', token_session_url(@token, :host => @host,
                                             :protocol => @protocol) %>
       to confirm your e-mail address.
     </p>
-    
+
     <p>
       If you haven't registered an account, please ignore this e-mail. Someone
       most likely mistyped their e-mail.

data/lib/authpwn_rails/generators/templates/session_mailer/reset_password_email.html.erb

@@ -2,21 +2,21 @@
 <html>
   <body>
     <h3>Dear <%= @email %>,</h3>
-    
+
     <p>
       You are receiving this e-mail because someone (hopefully you) requested a
       password reset for your
       <%= link_to @host, root_url(:host => @host, :protocol => @protocol) %>
       account.
     </p>
-    
+
     <p>
       Please go
       <%= link_to 'here', token_session_url(@token, :host => @host,
                                             :protocol => @protocol) %>
       to reset your password.
     </p>
-    
+
     <p>
       If you haven't requested a password reset, please ignore this e-mail.
       Someone most likely mistyped their e-mail.

data/lib/authpwn_rails/generators/templates/session_mailer_test.rb

@@ -13,25 +13,25 @@ class SessionMailerTest < ActionMailer::TestCase
     email = SessionMailer.email_verification_email(@verification_token,
                                                    @root_url).deliver
     assert !ActionMailer::Base.deliveries.empty?
-    
+
     assert_equal 'test.host e-mail verification', email.subject
     assert_equal ['admin@test.host'], email.from
     assert_equal '"test.host staff" <admin@test.host>', email['from'].to_s
     assert_equal [@verification_email], email.to
     assert_match @verification_token.code, email.encoded
     assert_match @root_url, email.encoded
-  end  
+  end
 
   test 'password reset email' do
     email = SessionMailer.reset_password_email(@reset_email, @reset_token,
                                                @root_url).deliver
     assert !ActionMailer::Base.deliveries.empty?
-    
+
     assert_equal 'test.host password reset', email.subject
     assert_equal ['admin@test.host'], email.from
     assert_equal '"test.host staff" <admin@test.host>', email['from'].to_s
     assert_equal [@reset_email], email.to
     assert_match @reset_token.code, email.encoded
     assert_match @root_url, email.encoded
-  end  
+  end
 end

data/lib/authpwn_rails/routes.rb

@@ -21,24 +21,24 @@ module MapperMixin
     controller = options[:controller] || 'session'
     paths = options[:paths] || controller
     methods = options[:method_names] || 'session'
-    
+
     get "/#{paths}/token/:code", :controller => controller, :action => 'token',
                                  :as => :"token_#{methods}"
-    
+
     get "/#{paths}", :controller => controller, :action => 'show',
                      :as => :"#{methods}"
     get "/#{paths}/new", :controller => controller, :action => 'new',
                          :as => :"new_#{methods}"
     post "/#{paths}", :controller => controller, :action => 'create'
     delete "/#{paths}", :controller => controller, :action => 'destroy'
-    
+
     get "/#{paths}/change_password", :controller => controller,
                                     :action => 'password_change',
                                     :as => "change_password_#{methods}"
     post "/#{paths}/change_password", :controller => controller,
                                      :action => 'change_password'
     post "/#{paths}/reset_password", :controller => controller,
-                                     :action => 'reset_password', 
+                                     :action => 'reset_password',
                                      :as => "reset_password_#{methods}"
   end
 end

data/lib/authpwn_rails/session.rb

@@ -2,16 +2,16 @@ require 'action_controller'
 
 # :nodoc: adds authenticates_using_session
 class ActionController::Base
-  # Keeps track of the currently authenticated user via the session. 
+  # Keeps track of the currently authenticated user via the session.
   #
   # Assumes the existence of a User model. A bare ActiveModel model will do the
   # trick. Model instances must implement id, and the model class must implement
   # find_by_id.
   def self.authenticates_using_session(options = {})
     include Authpwn::ControllerInstanceMethods
-    before_filter :authenticate_using_session, options   
+    before_filter :authenticate_using_session, options
   end
-  
+
   # True for controllers belonging to the authentication implementation.
   #
   # Controllers that return true here are responsible for performing their own
@@ -28,6 +28,29 @@ module Authpwn
 module ControllerInstanceMethods
   include Authpwn::CurrentUser
 
+  # Sets up the session so that it will authenticate the given user.
+  def set_session_current_user(user)
+    # Try to reuse existing sessions.
+    if session[:authpwn_suid]
+      token = Tokens::SessionUid.with_code session[:authpwn_suid]
+      if token
+        if token.user == user
+          token.touch
+          return user
+        else
+          token.destroy
+        end
+      end
+    end
+    if user
+      session[:authpwn_suid] = Tokens::SessionUid.random_for(user,
+          request.remote_ip, request.user_agent).suid
+    else
+      session.delete :authpwn_suid
+    end
+    self.current_user = user
+  end
+
   # Filter that implements authenticates_using_session.
   #
   # If your ApplicationController contains authenticates_using_session, you
@@ -36,17 +59,17 @@ module ControllerInstanceMethods
   #     skip_before_filter :authenticate_using_session
   def authenticate_using_session
     return if current_user
-    user_param = session[:user_exuid]
-    user = user_param && User.find_by_param(user_param)
-    self.current_user = user if user
+    session_uid = session[:authpwn_suid]
+    user = session_uid && Tokens::SessionUid.authenticate(session_uid)
+    self.current_user = user if user && !user.instance_of?(Symbol)
   end
   private :authenticate_using_session
-  
+
   # Inform the user that their request is forbidden.
   #
   # If a user is logged on, this renders the session/forbidden view with a HTTP
   # 403 code.
-  # 
+  #
   # If no user is logged in, the user is redirected to session/new, and the
   # current request's URL is saved in flash[:auth_redirect_url].
   def bounce_user(redirect_url = request.url)

data/lib/authpwn_rails/session_controller.rb

@@ -9,10 +9,14 @@ module Authpwn
 # Session.
 module SessionController
   extend ActiveSupport::Concern
-  
+
   included do
     skip_filter :authenticate_using_session
     authenticates_using_session :except => [:create, :reset_password, :token]
+
+    # If set, every successful login will cause a database purge.
+    class_attribute :auto_purge_sessions
+    self.auto_purge_sessions = true
   end
 
   # GET /session/new
@@ -33,7 +37,7 @@ module SessionController
           format.json { render :json => {} }
         end
       end
-    else      
+    else
       home
       unless performed?
         respond_to do |format|
@@ -48,17 +52,20 @@ module SessionController
       end
     end
   end
-  
+
   # POST /session
   def create
     # Workaround for lack of browser support for the formaction attribute.
     return reset_password if params[:reset_password]
-    
+
     @redirect_url = params[:redirect_url] || session_url
     @email = params[:email]
     auth = User.authenticate_signin @email, params[:password]
-    self.current_user = auth unless auth.kind_of? Symbol
-        
+    unless auth.kind_of? Symbol
+      self.set_session_current_user auth
+      Tokens::SessionUid.remove_expired if auto_purge_sessions
+    end
+
     respond_to do |format|
       if current_user
         format.html { redirect_to @redirect_url }
@@ -80,17 +87,17 @@ module SessionController
       end
     end
   end
-  
+
   # POST /session/reset_password
   def reset_password
     @email = params[:email]
     credential = Credentials::Email.with @email
-    
+
     if user = (credential && credential.user)
       token = Tokens::PasswordReset.random_for user
       ::SessionMailer.reset_password_email(@email, token, root_url).deliver
     end
-     
+
     respond_to do |format|
       if user
         format.html do
@@ -109,7 +116,7 @@ module SessionController
       end
     end
   end
-  
+
   # GET /session/token/token-code
   def token
     if token = Credentials::Token.with_code(params[:code])
@@ -117,7 +124,7 @@ module SessionController
     else
       auth = :invalid
     end
-        
+
     if auth.is_a? Symbol
       error_text = bounce_notice_text auth
       respond_to do |format|
@@ -128,7 +135,7 @@ module SessionController
         format.json { render :json => { :error => auth, :text => error_text } }
       end
     else
-      self.current_user = auth
+      self.set_session_current_user auth
       home_with_token token
       unless performed?
         respond_to do |format|
@@ -148,7 +155,7 @@ module SessionController
 
   # DELETE /session
   def destroy
-    self.current_user = nil
+    self.set_session_current_user nil
     respond_to do |format|
       format.html { redirect_to session_url }
       format.json { head :ok }
@@ -174,14 +181,14 @@ module SessionController
       end
     end
   end
-  
+
   # POST /session/change_password
   def change_password
     unless current_user
       bounce_user
       return
     end
-    
+
     @credential = current_user.credentials.
                                find { |c| c.is_a? Credentials::Password }
     if @credential
@@ -222,22 +229,24 @@ module SessionController
   def home
   end
   private :home
-  
+
   # Hook for setting up the welcome view.
   def welcome
   end
   private :welcome
-  
+
   # Hook for setting up the home view after token-based authentication.
   def home_with_token(token)
   end
   private :home_with_token
 
-  # Hook for customizing the bounce notification text.    
+  # Hook for customizing the bounce notification text.
   def bounce_notice_text(reason)
     case reason
     when :invalid
       'Invalid e-mail or password'
+    when :expired
+      'Password expired. Please click "Forget password"'
     when :blocked
       'Account blocked. Please verify your e-mail address'
     end