authpwn_rails 0.13.4 → 0.14.0

data/lib/authpwn_rails/generators/templates/003_create_credentials.rb

@@ -1,22 +1,20 @@
 class CreateCredentials < ActiveRecord::Migration
   def change
     create_table :credentials do |t|
-      t.references :user, :null => false
-      t.string :type, :limit => 32, :null => false
-      t.string :name, :limit => 128, :null => true
+      t.references :user, null: false
+      t.string :type, limit: 32, null: false
+      t.string :name, limit: 128, null: true
 
-      t.timestamp :updated_at, :null => false
+      t.timestamp :updated_at, null: false
 
-      t.binary :key, :limit => 2.kilobytes, :null => true
+      t.binary :key, limit: 2.kilobytes, null: true
     end
 
     # All the credentials (maybe of a specific type) belonging to a user.
-    add_index :credentials, [:user_id, :type], :unique => false,
-                                               :null => false
+    add_index :credentials, [:user_id, :type], unique: false
     # A specific credential, to find out what user it belongs to.
-    add_index :credentials, [:type, :name], :unique => true, :null => true
+    add_index :credentials, [:type, :name], unique: true
     # Expired credentials (particularly useful for tokens).
-    add_index :credentials, [:type, :updated_at], :unique => false,
-                                                  :null => false
+    add_index :credentials, [:type, :updated_at], unique: false
   end
 end

data/lib/authpwn_rails/generators/templates/session/password_change.html.erb

@@ -11,7 +11,7 @@
 <p class="password_age_notice">
   Your have been using the same password for
   <span class="password_age">
-    <%= time_ago_in_words @credential.updated_at, true %>.
+    <%= time_ago_in_words @credential.updated_at, :include_seconds => true %>.
   </span>
 </p>
 <% end %>

data/lib/authpwn_rails/generators/templates/session_controller.rb

@@ -34,7 +34,7 @@ class SessionController < ApplicationController
       format.html do
         case token
         when Tokens::EmailVerification
-          redirect_to session_url, :notice => 'E-mail address confirmed'
+          redirect_to session_url, notice: 'E-mail address confirmed'
         when Tokens::PasswordReset
           redirect_to change_password_session_url
         # Handle other token types here.

data/lib/authpwn_rails/generators/templates/session_controller_test.rb

@@ -20,7 +20,7 @@ class SessionControllerTest < ActionController::TestCase
     old_token = credentials(:jane_session_token)
     old_token.updated_at = Time.now - 1.year
     old_token.save!
-    post :create, :email => @email_credential.email, :password => 'password'
+    post :create, email: @email_credential.email, password: 'password'
     assert_equal @user, session_current_user, 'session'
     assert_redirected_to session_url
     assert_nil Tokens::Base.with_code(old_token.code).first,
@@ -29,7 +29,7 @@ class SessionControllerTest < ActionController::TestCase
 
   test "user logged in JSON request" do
     set_session_current_user @user
-    get :show, :format => 'json'
+    get :show, format: 'json'
 
     assert_equal @user.exuid,
         ActiveSupport::JSON.decode(response.body)['user']['exuid']
@@ -43,7 +43,7 @@ class SessionControllerTest < ActionController::TestCase
   end
 
   test "user not logged in with JSON request" do
-    get :show, :format => 'json'
+    get :show, format: 'json'
 
     assert_equal({}, ActiveSupport::JSON.decode(response.body))
   end
@@ -61,16 +61,16 @@ class SessionControllerTest < ActionController::TestCase
   end
 
   test "e-mail verification link" do
-    get :token, :code => @token_credential.code
+    get :token, code: @token_credential.code
     assert_redirected_to session_url
     assert @email_credential.reload.verified?, 'Email not verified'
   end
 
   test "password reset link" do
     password_credential = credentials(:jane_password)
-    get :token, :code => credentials(:jane_password_token).code
+    get :token, code: credentials(:jane_password_token).code
     assert_redirected_to change_password_session_url
-    assert_nil Credential.where(:id => password_credential.id).first,
+    assert_nil Credential.where(id: password_credential.id).first,
                'Password not cleared'
   end
 
@@ -93,10 +93,10 @@ class SessionControllerTest < ActionController::TestCase
     @password_credential.destroy
     get :password_change
 
-    assert_select 'span[class="password_age"]', :count => 0
+    assert_select 'span[class="password_age"]', count: 0
     assert_select 'form[action=?][method="post"]',
                   change_password_session_path do
-      assert_select 'input[name="old_password"]', :count => 0
+      assert_select 'input[name="old_password"]', count: 0
       assert_select 'input[name=?]', 'credential[password]'
       assert_select 'input[name=?]', 'credential[password_confirmation]'
       assert_select 'input[type=submit]'
@@ -107,7 +107,7 @@ class SessionControllerTest < ActionController::TestCase
     ActionMailer::Base.deliveries = []
 
     assert_difference 'Credential.count', 1 do
-      post :reset_password, :email => @email_credential.email
+      post :reset_password, email: @email_credential.email
     end
 
     assert !ActionMailer::Base.deliveries.empty?, 'email generated'

data/lib/authpwn_rails/http_basic.rb

@@ -51,10 +51,10 @@ module HttpBasicControllerInstanceMethods
 
     respond_to do |format|
       format.html do
-        render 'session/forbidden', :status => :forbidden
+        render 'session/forbidden', status: :forbidden
       end
       format.json do
-        render :json => { :error => "You're not allowed to access that" }
+        render json: { error: "You're not allowed to access that" }
       end
     end
   end

data/lib/authpwn_rails/routes.rb

@@ -22,24 +22,24 @@ module MapperMixin
     paths = options[:paths] || controller
     methods = options[:method_names] || 'session'
 
-    get "/#{paths}/token/:code", :controller => controller, :action => 'token',
-                                 :as => :"token_#{methods}"
-
-    get "/#{paths}", :controller => controller, :action => 'show',
-                     :as => :"#{methods}"
-    get "/#{paths}/new", :controller => controller, :action => 'new',
-                         :as => :"new_#{methods}"
-    post "/#{paths}", :controller => controller, :action => 'create'
-    delete "/#{paths}", :controller => controller, :action => 'destroy'
-
-    get "/#{paths}/change_password", :controller => controller,
-                                    :action => 'password_change',
-                                    :as => "change_password_#{methods}"
-    post "/#{paths}/change_password", :controller => controller,
-                                     :action => 'change_password'
-    post "/#{paths}/reset_password", :controller => controller,
-                                     :action => 'reset_password',
-                                     :as => "reset_password_#{methods}"
+    get "/#{paths}/token/:code", controller: controller, action: 'token',
+                                 as: :"token_#{methods}"
+
+    get "/#{paths}", controller: controller, action: 'show',
+                     as: :"#{methods}"
+    get "/#{paths}/new", controller: controller, action: 'new',
+                         as: :"new_#{methods}"
+    post "/#{paths}", controller: controller, action: 'create'
+    delete "/#{paths}", controller: controller, action: 'destroy'
+
+    get "/#{paths}/change_password", controller: controller,
+                                    action: 'password_change',
+                                    as: "change_password_#{methods}"
+    post "/#{paths}/change_password", controller: controller,
+                                     action: 'change_password'
+    post "/#{paths}/reset_password", controller: controller,
+                                     action: 'reset_password',
+                                     as: "reset_password_#{methods}"
   end
 end
 

data/lib/authpwn_rails/session.rb

@@ -78,16 +78,16 @@ module ControllerInstanceMethods
       format.html do
         @redirect_url = redirect_url
         if current_user
-          render 'session/forbidden', :status => :forbidden
+          render 'session/forbidden', status: :forbidden
         else
           flash[:auth_redirect_url] = redirect_url
-          render 'session/forbidden', :status => :forbidden
+          render 'session/forbidden', status: :forbidden
         end
       end
       format.json do
         message = current_user ? "You're not allowed to access that" :
                                  'Please sign in'
-        render :json => { :error => message }
+        render json: { error: message }
       end
     end
   end

data/lib/authpwn_rails/session_controller.rb

@@ -12,7 +12,7 @@ module SessionController
 
   included do
     skip_filter :authenticate_using_session
-    authenticates_using_session :except => [:create, :reset_password, :token]
+    authenticates_using_session except: [:create, :reset_password, :token]
 
     # If set, every successful login will cause a database purge.
     class_attribute :auto_purge_sessions
@@ -33,20 +33,19 @@ module SessionController
       welcome
       unless performed?
         respond_to do |format|
-          format.html { render :action => :welcome }
-          format.json { render :json => {} }
+          format.html { render action: :welcome }
+          format.json { render json: {} }
         end
       end
     else
       home
       unless performed?
         respond_to do |format|
-          format.html { render :action => :home }
+          format.html { render action: :home }
           format.json do
             user_data = @user.as_json
             user_data = user_data['user'] if @user.class.include_root_in_json
-            render :json => { :user => user_data,
-                              :csrf => form_authenticity_token }
+            render json: { user: user_data, csrf: form_authenticity_token }
           end
         end
       end
@@ -74,16 +73,15 @@ module SessionController
           if current_user.class.include_root_in_json
             user_data = user_data['user']
           end
-          render :json => { :user => user_data,
-                            :csrf => form_authenticity_token }
+          render json: { user: user_data, csrf: form_authenticity_token }
         end
       else
         error_text = bounce_notice_text auth
         format.html do
-          redirect_to new_session_url, :flash => { :alert => error_text,
-              :auth_redirect_url => @redirect_url }
+          redirect_to new_session_url, flash: { alert: error_text,
+              auth_redirect_url: @redirect_url }
         end
-        format.json { render :json => { :error => auth, :text => error_text } }
+        format.json { render json: { error: auth, text: error_text } }
       end
     end
   end
@@ -101,17 +99,17 @@ module SessionController
     respond_to do |format|
       if user
         format.html do
-          redirect_to new_session_url, :alert =>
+          redirect_to new_session_url, alert:
               'Please check your e-mail for instructions'
         end
-        format.json { render :json => { } }
+        format.json { render json: { } }
       else
         error_text = 'Invalid e-mail'
         format.html do
-          redirect_to new_session_url, :alert => error_text
+          redirect_to new_session_url, alert: error_text
         end
         format.json do
-          render :json => { :error => :not_found, :text => notice }
+          render json: { error: :not_found, text: notice }
         end
       end
     end
@@ -129,10 +127,10 @@ module SessionController
       error_text = bounce_notice_text auth
       respond_to do |format|
         format.html do
-          redirect_to new_session_url, :flash => { :alert => error_text,
-              :auth_redirect_url => session_url }
+          redirect_to new_session_url, flash: { alert: error_text,
+              auth_redirect_url: session_url }
         end
-        format.json { render :json => { :error => auth, :text => error_text } }
+        format.json { render json: { error: auth, text: error_text } }
       end
     else
       self.set_session_current_user auth
@@ -145,8 +143,7 @@ module SessionController
             if current_user.class.include_root_in_json
               user_data = user_data['user']
             end
-            render :json => { :user => user_data,
-                              :csrf => form_authenticity_token }
+            render json: { user: user_data, csrf: form_authenticity_token }
           end
         end
       end
@@ -194,29 +191,46 @@ module SessionController
     if @credential
       # An old password is set, must verify it.
       if @credential.check_password params[:old_password]
-        success = @credential.update_attributes params[:credential]
+        success = @credential.update_attributes(
+            change_password_params[:credential])
       else
         success = false
         flash[:alert] = 'Incorrect old password. Please try again.'
       end
     else
-      @credential = Credentials::Password.new params[:credential]
+      @credential = Credentials::Password.new(
+          change_password_params[:credential])
       @credential.user = current_user
       success = @credential.save
     end
     respond_to do |format|
       if success
         format.html do
-          redirect_to session_url, :notice => 'Password updated'
+          redirect_to session_url, notice: 'Password updated'
         end
         format.json { head :ok }
       else
-        format.html { render :action => :password_change }
-        format.json { render :json => { :error => :invalid } }
+        format.html { render action: :password_change }
+        format.json { render json: { error: :invalid } }
       end
     end
   end
 
+  if defined? ActiveModel::ForbiddenAttributesProtection
+    # Rails 4.
+
+    # Parameters used to change the user's password.
+    def change_password_params
+      params.permit :format, :old_password,
+          credential: [ :password, :password_confirmation ]
+    end
+  else
+    # Rails 3.
+    def change_password_params
+      params
+    end
+  end
+
   # True for controllers belonging to the authentication implementation.
   #
   # Controllers that return true here are responsible for performing their own

data/lib/authpwn_rails/session_mailer.rb

@@ -16,9 +16,9 @@ module SessionMailer
     @host.slice! -1 if @host[-1] == ?/
     hostname = @host.split(':', 2).first  # Strip out any port.
     
-    mail :to => @token.email,
-         :subject => email_verification_subject(token, hostname, @protocol),
-         :from => email_verification_from(token, hostname, @protocol)
+    mail to: @token.email,
+         subject: email_verification_subject(token, hostname, @protocol),
+         from: email_verification_from(token, hostname, @protocol)
   end
 
   # The subject line in an e-mail verification e-mail.
@@ -48,8 +48,8 @@ module SessionMailer
     @host.slice! -1 if @host[-1] == ?/
 
     hostname = @host.split(':', 2).first  # Strip out any port.
-    mail :to => email, :from => reset_password_from(token, hostname, @protocol),
-         :subject => reset_password_subject(token, hostname, @protocol)
+    mail to: email, from: reset_password_from(token, hostname, @protocol),
+         subject: reset_password_subject(token, hostname, @protocol)
   end
   
   # The subject line in a password reset e-mail.

data/lib/authpwn_rails/test_extensions.rb

@@ -11,7 +11,7 @@ module TestExtensions
   # the credential matches the given argument, and nil otherwise.
   def with_blocked_credential(blocked_credential, reason = :blocked, &block)
     # Stub a method in all User instances for this test only.
-    # flexmock.new_instances doesn't work because ActiveRecord doesn't use new
+    # mocha.any_instance doesn't work because ActiveRecord doesn't use new
     # to instantiate records.
     ::User.class_eval do
       alias_method :_auth_bounce_reason_wbc_stub, :auth_bounce_reason
@@ -42,7 +42,7 @@ module ControllerTestExtensions
   def set_session_current_user(user)
     if user
       # Avoid database inserts, if at all possible.
-      if token = Tokens::SessionUid.where(:user_id => user.id).first
+      if token = Tokens::SessionUid.where(user_id: user.id).first
         token.spend  # Only bump updated_at if necessary.
       else
         token = Tokens::SessionUid.random_for user, '127.0.0.1', 'UnitTests'
@@ -75,17 +75,17 @@ module ControllerTestExtensions
 
     if password.nil?
       password = 'password'
-      credential = Credentials::Password.where(:user_id => user.id).first
+      credential = Credentials::Password.where(user_id: user.id).first
       if credential
-        credential.update_attributes! :password => password
+        credential.update_attributes! password: password
       else
-        credential = Credentials::Password.new :password => password
+        credential = Credentials::Password.new password: password
         credential.user_id = user.id
         credential.save!
       end
     end
 
-    credential = Credentials::Email.where(:user_id => user.id).first
+    credential = Credentials::Email.where(user_id: user.id).first
     unless credential
       raise RuntimeError, "Can't specify an user without an e-mail"
     end

data/lib/authpwn_rails/user_extensions/email_field.rb

@@ -1,4 +1,5 @@
 require 'active_model'
+require 'active_record'
 require 'active_support'
 
 # :nodoc: namespace
@@ -6,30 +7,46 @@ module Authpwn
 
 # :nodoc: namespace
 module UserExtensions
-  
+
 # Augments the User model with an email virtual attribute.
 module EmailField
   extend ActiveSupport::Concern
-  
+
   included do
-    validates :email, :format => /^[A-Za-z0-9.+_]+@[^@]*\.(\w+)$/,
-         :presence => true
-    attr_accessible :email
+    validates :email, format: /\A[A-Za-z0-9.+_]+@[^@]*\.(\w+)\Z/,
+         presence: true
+    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
+      attr_accessible :email
+    end
   end
-  
+
   module ClassMethods
-    # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
-    def with_email(email)
-      credential = Credentials::Email.where(:name => email).includes(:user).first
-      credential && credential.user
+    begin
+      ActiveRecord::QueryMethods.instance_method :references
+      # Rails 4.
+
+      # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
+      def with_email(email)
+        credential = Credentials::Email.where(name: email).
+            includes(:user).references(:user).first
+        credential && credential.user
+      end
+    rescue NameError
+      # Rails 3.
+
+      def with_email(email)
+        credential = Credentials::Email.where(name: email).includes(:user).
+                                        first
+        credential && credential.user
+      end
     end
   end
-  
+
   # Credentials::Email instance associated with this user.
   def email_credential
     credentials.find { |c| c.instance_of?(Credentials::Email) }
   end
-  
+
   # The e-mail from the user's Email credential.
   #
   # Returns nil if this user has no Email credential.
@@ -37,7 +54,7 @@ module EmailField
     credential = self.email_credential
     credential && credential.email
   end
-  
+
   # Sets the e-mail on the user's Email credential.
   #
   # Creates a new Credentials::Email instance if necessary.
@@ -45,12 +62,12 @@ module EmailField
     if credential = self.email_credential
       credential.email = new_email
     else
-      credentials << Credentials::Email.new(:email => new_email)
+      credentials << Credentials::Email.new(email: new_email)
     end
     new_email
   end
 end  # module Authpwn::UserExtensions::EmailField
-  
+
 end  # module Authpwn::UserExtensions
-  
+
 end  # module Authpwn

data/lib/authpwn_rails/user_extensions/facebook_fields.rb

@@ -22,7 +22,7 @@ module FacebookFields
     
     # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
     def with_facebook_uid(facebook_uid)
-      credential = Credentials::Facebook.where(:name => facebook_uid).
+      credential = Credentials::Facebook.where(name: facebook_uid).
                                          includes(:user).first
       credential && credential.user
     end

data/lib/authpwn_rails/user_extensions/password_field.rb

@@ -6,30 +6,33 @@ module Authpwn
 
 # :nodoc: namespace
 module UserExtensions
-  
+
 # Augments the User model with a password virtual attribute.
 module PasswordField
   extend ActiveSupport::Concern
-  
+
   included do
-    validates :password, :presence => { :on => :create },
-                         :confirmation => { :allow_nil => true }
-    attr_accessible :password, :password_confirmation
+    validates :password, presence: { on: :create },
+                         confirmation: { allow_nil: true }
+
+    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
+      attr_accessible :password, :password_confirmation
+    end
   end
-  
+
   module ClassMethods
     # The user who has a certain e-mail, or nil if the e-mail is unclaimed.
     def with_email(email)
-      credential = Credentials::Email.where(:name => email).includes(:user).first
+      credential = Credentials::Email.where(name: email).includes(:user).first
       credential && credential.user
     end
   end
-  
+
   # Credentials::Password instance associated with this user.
   def password_credential
     credentials.find { |c| c.instance_of?(Credentials::Password) }
   end
-  
+
   # The password from the user's Password credential, or nil.
   #
   # Returns nil if this user has no Password credential.
@@ -37,7 +40,7 @@ module PasswordField
     credential = self.password_credential
     credential && credential.password
   end
-  
+
   # The password_confirmation from the user's Password credential, or nil.
   #
   # Returns nil if this user has no Password credential.
@@ -53,7 +56,7 @@ module PasswordField
     if credential = self.password_credential
       credential.password = new_password
     else
-      credentials << Credentials::Password.new(:password => new_password)
+      credentials << Credentials::Password.new(password: new_password)
     end
     new_password
   end
@@ -65,13 +68,13 @@ module PasswordField
     if credential = self.password_credential
       credential.password_confirmation = new_password_confirmation
     else
-      credentials << Credentials::Password.new(:password_confirmation =>
+      credentials << Credentials::Password.new(password_confirmation:
                                                new_password_confirmation)
     end
     new_password_confirmation
   end
 end  # module Authpwn::UserExtensions::PasswordField
-  
+
 end  # module Authpwn::UserExtensions
-  
+
 end  # module Authpwn

data/lib/authpwn_rails/user_model.rb

@@ -17,18 +17,20 @@ module UserModel
     #
     # This is decoupled from "id" column to avoid leaking information about
     # the application's usage.
-    validates :exuid, :presence => true, :length => 1..32, :uniqueness => true
+    validates :exuid, presence: true, length: 1..32, uniqueness: true
 
     # Credentials used to authenticate the user.
-    has_many :credentials, :dependent => :destroy, :inverse_of => :user,
-                           :autosave => true
+    has_many :credentials, dependent: :destroy, inverse_of: :user,
+                           autosave: true
     validates_associated :credentials
 
     # Automatically assign exuid.
-    before_validation :set_default_exuid, :on => :create
+    before_validation :set_default_exuid, on: :create
 
-    # Forms should not be able to touch any attribute.
-    attr_accessible :credentials_attributes
+    if ActiveRecord::Base.respond_to? :mass_assignment_sanitizer=
+      # Forms should not be able to touch any attribute.
+      attr_accessible :credentials_attributes
+    end
   end
 
   # Class methods on models that include Authpwn::UserModel.
@@ -38,7 +40,7 @@ module UserModel
     # @param [String] param value returned by User#to_param
     # @return [ActiveRecord::Relation]
     def with_param(param)
-      where(:exuid => param)
+      where(exuid: param)
     end
 
     # Queries the database using the value returned by User#to_param.