authpwn_rails 0.9.6 → 0.10.0

data/lib/authpwn_rails/test_extensions.rb

@@ -1,24 +1,24 @@
 # :nodoc: namespace
-module AuthpwnRails
+module Authpwn
 
 # Included in test cases.
 module TestExtensions
   # Sets the authenticated user in the test session.
   def set_session_current_user(user)
-    request.session[:current_user_pid] = user ? user.to_param : nil
+    request.session[:user_exuid] = user ? user.to_param : nil
   end
   
   # The authenticated user in the test session.
   def session_current_user
-    return nil unless user_param = request.session[:current_user_pid]
+    return nil unless user_param = request.session[:user_exuid]
     User.find_by_param user_param
   end
-end  # module AuthpwnRails::TestExtensions
+end  # module Authpwn::TestExtensions
 
-end  # namespace AuthpwnRails
+end  # namespace Authpwn
 
 
 # :nodoc: extend Test::Unit
 class ActionController::TestCase
-  include AuthpwnRails::TestExtensions
+  include Authpwn::TestExtensions
 end

data/lib/authpwn_rails/user_model.rb

@@ -2,119 +2,50 @@ require 'active_model'
 require 'active_support'
 
 # :nodoc: namespace
-module AuthpwnRails
+module Authpwn
 
 # Included by the model class that represents users.
 #
-# Right now, some parts of the codebase assume the model will be named User.
+# Parts of the codebase assume the model will be named User.
 module UserModel
   extend ActiveSupport::Concern
-  
+
   included do
-    # E-mail address identifying the user account.
-    validates :email, :format => /^[A-Za-z0-9.+_]+@[^@]*\.(\w+)$/,
-                      :presence => true, :length => 1..128, :uniqueness => true
-    
-    # Hash of e-mail address of the user account.
-    validates :email_hash, :length => 64..64, :allow_nil => false
-    
-    # Random string preventing dictionary attacks on the password database.
-    validates :password_salt, :length => { :in => 1..16, :allow_nil => true }
+    # Externally-visible user ID.
+    #
+    # This is decoupled from "id" column to avoid leaking information about
+    # the application's usage.
+    validates :exuid, :presence => true, :length => 1..32, :uniqueness => true
     
-    # SHA-256 of (salt + password).
-    validates :password_hash, :length => { :in => 64..64, :allow_nil => true }
-      
-    # Virtual attribute: the user's password.
-    attr_reader :password
-    validates :password, :confirmation => true
-
-    # Virtual attribute: confirmation for the user's password.
-    attr_accessor :password_confirmation
-    validates_confirmation_of :password
+    # Credentials used to authenticate the user.
+    has_many :credentials, :dependent => :destroy, :inverse_of => :user
     
-    # Facebook token.
-    has_one :facebook_token, :dependent => :destroy, :inverse_of => :user    
+    before_validation :set_default_exuid, :on => :create
   end
 
-  # Class methods on models that include AuthpwnRails::UserModel.
+  # Class methods on models that include Authpwn::UserModel.
   module ClassMethods
     # Queries the database using the value returned by User#to_param.
     #
     # Returns nil if no matching User exists.
     def find_by_param(param)
-      where(:email_hash => param).first
-    end
-    
-    # The authenticated user or nil.
-    def find_by_email_and_password(email, password)
-      user = where(:email => email).first
-      (user && user.password_matches?(password)) ? user : nil
-    end
-    
-    # Computes a password hash from a raw password and a salt.
-    def hash_password(password, salt)
-      Digest::SHA2.hexdigest(password + salt)
-    end
-    
-    # Generates a random salt value.
-    def random_salt
-      [(0...12).map { |i| 1 + rand(255) }.pack('C*')].pack('m').strip
-    end  
-    
-    # Fills out a new user's information based on a Facebook access token.
-    def create_with_facebook_token(token)
-      self.create! :email => "#{token.external_uid}@graph.facebook.com"
+      where(:exuid => param).first
     end
-    
-    # The user that owns a given Facebook OAuth2 token.
-    #
-    # A new user will be created if the token doesn't belong to any user. This
-    # is the case for a new visitor.
-    def for_facebook_token(access_token)
-      FacebookToken.for(access_token).user
-    end
-  end  # module AuthpwnRails::UserModel::ClassMethods
+  end  # module Authpwn::UserModel::ClassMethods
   
-  # Included in models that include AuthpwnRails::UserModel.
+  # Included in models that include Authpwn::UserModel.
   module InstanceMethods
-    # Resets the virtual password attributes.
-    def reset_password
-      @password = @password_confirmation = nil
-    end
-      
-    # Compares the given password against the user's stored password.
-    #
-    # Returns +true+ for a match, +false+ otherwise.
-    def password_matches?(passwd)
-      password_hash == self.class.hash_password(passwd, password_salt)
-    end  
-  
-    # Password virtual attribute.
-    def password=(new_password)
-      @password = new_password
-      self.password_salt = self.class.random_salt
-      self.password_hash = new_password &&
-                           self.class.hash_password(new_password, password_salt)
-    end
-    
     # Use e-mails instead of exposing ActiveRecord IDs.
     def to_param
-      email_hash
-    end
-    
-    # :nodoc: overwrites
-    def email=(new_email)
-      super
-      self.email_hash = new_email && Digest::SHA2.hexdigest(new_email)
+      exuid
     end
     
-    # Do not expose password and ActiveRecord IDs in JSON representation.
-    def as_json(options = {})
-      options ||= {}
-      super(options.merge(:except => [:password_salt, :password_hash, :id]))
+    # :nodoc: sets exuid to a (hopefully) unique value before validations occur. 
+    def set_default_exuid
+      self.exuid ||= (Time.now.to_f * 1_000_000).to_i
     end
-  end  # module AuthpwnRails::UserModel::InstanceMethods
-
-end  # namespace AuthpwnRails::UserModel
+  end  # module Authpwn::UserModel::InstanceMethods
+  
+end  # namespace Authpwn::UserModel
 
-end  # namespace AuthpwnRails
+end  # namespace Authpwn

data/test/email_credential_test.rb

@@ -0,0 +1,50 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class EmailCredentialTest < ActiveSupport::TestCase  
+  def setup
+    @credential = Credentials::Email.new :email => 'dvdjohn@mit.edu',
+        :user => users(:bill)
+  end
+  
+  test 'setup' do
+    assert @credential.valid?
+  end
+  
+  test 'verified required' do
+    @credential.verified = ''
+    assert !@credential.valid?
+  end
+  
+  test 'user presence' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+
+  test 'email presence' do
+    @credential.email = nil
+    assert !@credential.valid?
+  end
+  
+  test 'email length' do
+    @credential.email = 'abcde' * 25 + '@mit.edu'
+    assert !@credential.valid?, 'Overly long email'
+  end
+  
+  test 'email format' do
+    ['cos tan@gmail.com', 'costan@x@mit.edu'].each do |email|
+      @credential.email = email
+      assert !@credential.valid?, "Bad email format - #{email}"
+    end    
+  end
+  
+  test 'email uniqueness' do
+    @credential.email = credentials(:john_email).email
+    assert !@credential.valid?
+  end
+  
+  test 'User#email_credential' do
+    assert_equal credentials(:john_email), users(:john).email_credential
+    assert_equal credentials(:jane_email), users(:jane).email_credential
+    assert_nil users(:bill).email_credential
+  end
+end

data/test/facebook_controller_test.rb

@@ -28,7 +28,10 @@ class FacebookControllerTest < ActionController::TestCase
   end
   
   test "facebook token for existing user" do
-    set_session_current_facebook_token facebook_tokens(:john).access_token
+    flexmock(Credentials::Facebook).should_receive(:uid_from_token).
+        with(credentials(:john_facebook).key).
+        and_return(credentials(:john_facebook).facebook_uid)
+    set_session_current_facebook_token credentials(:john_facebook).key
     get :show, {}
     assert_response :success
     assert_equal @user, assigns(:current_user)
@@ -36,8 +39,10 @@ class FacebookControllerTest < ActionController::TestCase
   
   test "new facebook token" do    
     set_session_current_facebook_token @new_token
+    flexmock(Credentials::Facebook).should_receive(:uid_from_token).
+        with(@new_token).and_return('12345678')
     get :show, {}
     assert_response :success
-    assert !(@user == assigns(:current_user))
+    assert_not_equal @user, assigns(:current_user)
   end
 end

data/test/facebook_credential_test.rb

@@ -0,0 +1,74 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class FacebookCredentialTest < ActiveSupport::TestCase  
+  def setup
+    @code = 'AAAEj8jKX2a8BAA4kNheRhOs6SlECVcZCE9o5pPKMytOjjoiNAoZBGZAwuL4KrrxXWesfJRhzDZCJiqrcQG3UdjRRNtyMJQMZD'
+    @credential = Credentials::Facebook.new :facebook_uid => '1181310542',
+        :key => 'AAAEj8jKX2a8BAOBMZCjxBe4dw7cRoD1JVxUgZAtB6ozJlR4Viazh6OAYcHB5kZAtUwgjpDy7a54ZA1DObLmBT9X99CLWYOj5Stqx8bHwnE7EzyBS1WxY',
+        :user => users(:bill)
+  end
+  
+  test 'setup' do
+    assert @credential.valid?
+  end
+  
+  test 'key required' do
+    @credential.key = nil
+    assert !@credential.valid?
+  end
+  
+  test 'user presence' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+  
+  test 'user uniqueness' do
+    @credential.user = users(:john)
+    assert !@credential.valid?
+  end
+  
+  test 'facebook_uid uniqueness' do
+    @credential.facebook_uid = credentials(:jane_facebook).facebook_uid
+    assert !@credential.valid?
+  end
+  
+  test "uid_from_token" do
+    assert_equal '1011950666', Credentials::Facebook.uid_from_token(@code)
+  end
+
+  test "for with existing access token" do
+    flexmock(Credentials::Facebook).should_receive(:uid_from_token).with(@code).
+        and_return(credentials(:jane_facebook).facebook_uid)
+        
+    assert_equal credentials(:jane_facebook), Credentials::Facebook.for(@code),
+                 'Wrong token'
+    assert_equal @code, credentials(:jane_facebook).reload.key,
+                 'Token not refreshed'
+  end
+  
+  test "for with new access token" do
+    credential = nil
+    flexmock(Credentials::Facebook).should_receive(:uid_from_token).
+        with(@credential.key).and_return('123456789')
+    assert_difference 'Credentials::Facebook.count', 1 do      
+      credential = Credentials::Facebook.for @credential.key
+    end
+    assert_equal '123456789', credential.facebook_uid 
+    assert_equal @credential.key, credential.key
+    assert !credential.new_record?, 'New credential not saved'
+    assert !credential.user.new_record?, "New credential's user not saved"    
+  end  
+
+  test 'User#facebook_credential' do
+    user = users(:john)
+    assert_equal credentials(:john_facebook), user.facebook_credential
+  end
+  
+  test 'User#for_facebook_token' do
+    flexmock(Credentials::Facebook).should_receive(:uid_from_token).
+        with(credentials(:john_facebook).key).
+        and_return(credentials(:john_facebook).facebook_uid)
+    assert_equal users(:john),
+        User.for_facebook_token(credentials(:john_facebook).key)
+  end
+end

data/test/helpers/db_setup.rb

@@ -4,12 +4,12 @@ ActiveRecord::Base.configurations = true
 
 ActiveRecord::Migration.verbose = false
 require 'authpwn_rails/generators/templates/001_create_users.rb'
-CreateUsers.up
-require 'authpwn_rails/generators/templates/002_create_facebook_tokens.rb'
-CreateFacebookTokens.up
+CreateUsers.migrate :up
+require 'authpwn_rails/generators/templates/002_create_credentials.rb'
+CreateCredentials.migrate :up
 
-require 'authpwn_rails/generators/templates/facebook_token.rb'
 require 'authpwn_rails/generators/templates/user.rb'
+require 'authpwn_rails/generators/templates/credential.rb'
 
 # :nodoc: open TestCase to setup fixtures
 class ActiveSupport::TestCase

data/test/helpers/fbgraph.rb

@@ -1,6 +1,10 @@
 # :nodoc: stub FBGraphRails.config because it depends on Rails.root
 module FBGraphRails
   def self.config
-    { 'id' => '12345', 'secret' => 'awesome', 'scope' => []}
+    {
+      'id' => '320998114580911',
+      'secret' => '7ded389d3c226e1f5d363b2df695be2f',
+      'scope' => []
+    }
   end
-end
+end

data/test/password_credential_test.rb

@@ -0,0 +1,67 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class PasswordCredentialTest < ActiveSupport::TestCase  
+  def setup
+    @credential = Credentials::Password.new :password => 'awesome',
+        :password_confirmation => 'awesome', :user => users(:bill)
+  end
+  
+  test 'setup' do
+    assert @credential.valid?
+  end
+    
+  test 'key not required' do
+    @credential.key = nil
+    assert @credential.valid?
+  end
+  
+  test 'user presence' do
+    @credential.user = nil
+    assert !@credential.valid?
+  end
+  
+  test 'user uniqueness' do
+    @credential.user = users(:john)
+    assert !@credential.valid?
+  end
+  
+  test 'password confirmation' do
+    @credential.password_confirmation = 'not awesome'
+    assert !@credential.valid?
+  end
+  
+  test 'password required' do
+    @credential.password = @credential.password_confirmation = nil
+    assert !@credential.valid?
+  end
+  
+  test 'authenticate' do
+    assert_equal true, @credential.authenticate('awesome')
+    assert_equal false, @credential.authenticate('not awesome'),
+                 'Bogus password'
+    assert_equal false, @credential.authenticate('password'),
+                 "Another user's password" 
+  end
+    
+  test 'authenticate_email' do
+    assert_equal users(:john),
+        Credentials::Password.authenticate_email('john@gmail.com', 'password')
+    assert_equal nil,
+        Credentials::Password.authenticate_email('john@gmail.com', 'pa55w0rd'),
+        "Jane's password on John's account"
+    assert_equal users(:jane),
+        Credentials::Password.authenticate_email('jane@gmail.com', 'pa55w0rd')
+    assert_equal nil,
+        Credentials::Password.authenticate_email('jane@gmail.com', 'password'),
+        "John's password on Jane's account"
+    assert_equal nil,
+        Credentials::Password.authenticate_email('john@gmail.com', 'awesome'),
+        'Bogus password'
+  end
+  
+  test 'User#password_credential' do
+    assert_equal credentials(:john_password), users(:john).password_credential
+    assert_equal credentials(:jane_password), users(:jane).password_credential
+    assert_nil users(:bill).password_credential
+  end
+end

data/test/session_controller_api_test.rb

@@ -11,6 +11,7 @@ class SessionControllerApiTest < ActionController::TestCase
   
   setup do
     @user = users(:john)
+    @email_credential = credentials(:john_email)
   end
   
   test "show renders welcome without a user" do
@@ -42,7 +43,7 @@ class SessionControllerApiTest < ActionController::TestCase
     get :show, :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
-    assert_equal @user.email, data['user']['email']
+    assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:user), 'home controller method not called'
   end
@@ -57,11 +58,10 @@ class SessionControllerApiTest < ActionController::TestCase
     get :new
     assert_template :new
     assert_nil assigns(:current_user), 'current_user should not be set'
-    assert assigns(:user).new_record?, 'user instance variable should be fresh'
   
     assert_select 'form' do
-      assert_select 'input#user_email'
-      assert_select 'input#user_password'
+      assert_select 'input#email'
+      assert_select 'input#password'
       assert_select 'input[type=submit]'
     end
   end
@@ -77,18 +77,18 @@ class SessionControllerApiTest < ActionController::TestCase
   end
   
   test "create logs in with good account details" do
-    post :create, :user => { :email => @user.email, :password => 'password' }
+    post :create, :email => @email_credential.email, :password => 'password'
     assert_redirected_to session_url
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
   end
 
   test "create by json logs in with good account details" do
-    post :create, :user => { :email => @user.email, :password => 'password' },
+    post :create, :email => @email_credential.email, :password => 'password',
                   :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
-    assert_equal @user.email, data['user']['email']
+    assert_equal @user.exuid, data['user']['exuid']
     assert_equal session[:_csrf_token], data['csrf']
     assert_equal @user, assigns(:current_user), 'instance variable'
     assert_equal @user, session_current_user, 'session'
@@ -96,13 +96,13 @@ class SessionControllerApiTest < ActionController::TestCase
   
   test "create redirects properly with good account details" do
     url = 'http://authpwn.redirect.url'
-    post :create, :user => { :email => @user.email, :password => 'password' },
+    post :create, :email => @email_credential.email, :password => 'password',
                   :redirect_url => url
     assert_redirected_to url
   end
   
   test "create does not log in with bad password" do
-    post :create, :user => { :email => @user.email, :password => 'fail' }
+    post :create, :email => @email_credential.email, :password => 'fail'
     assert_redirected_to new_session_url
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
@@ -110,7 +110,7 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "create by json does not log in with bad password" do
-    post :create, :user => { :email => @user.email, :password => 'fail' },
+    post :create, :email => @email_credential.email, :password => 'fail',
                   :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
@@ -121,7 +121,7 @@ class SessionControllerApiTest < ActionController::TestCase
   
   test "create maintains redirect_url for bad logins" do
     url = 'http://authpwn.redirect.url'
-    post :create, :user => { :email => @user.email, :password => 'fail' },
+    post :create, :email => @email_credential.email, :password => 'fail',
                   :redirect_url => url
     assert_redirected_to new_session_url
     assert_not_nil flash[:notice]
@@ -129,7 +129,7 @@ class SessionControllerApiTest < ActionController::TestCase
   end
 
   test "create does not log in with bad e-mail" do
-    post :create, :user => { :email => 'nobody@gmail.com', :password => 'no' }
+    post :create, :email => 'nobody@gmail.com', :password => 'no'
     assert_redirected_to new_session_url
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'