authpwn_rails 0.10.11 → 0.10.12

data/Gemfile

@@ -1,15 +1,15 @@
 source :rubygems
 
 gem 'fbgraph_rails', '>= 0.2.2'
-gem 'rails', '>= 3.2.3'
+gem 'rails', '>= 3.2.6'
 
 group :development do
-  gem 'bundler', '>= 1.1.0'
+  gem 'bundler', '>= 1.1.4'
   gem 'flexmock', '>= 0.9.0'
-  gem 'jeweler', '>= 1.8.0'
+  gem 'jeweler', '>= 1.8.4'
   gem 'rcov', '>= 0', :platform => :mri_18
   gem 'simplecov', '>= 0', :platform => :mri_19
   gem 'mysql2', '>= 0.3.11'
-  gem 'pg', '>= 0.13.2'
+  gem 'pg', '>= 0.14.0'
   gem 'sqlite3', '>= 1.3.6'
 end

data/Gemfile.lock

@@ -1,37 +1,37 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.3)
-      actionpack (= 3.2.3)
+    actionmailer (3.2.6)
+      actionpack (= 3.2.6)
       mail (~> 2.4.4)
-    actionpack (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
+    actionpack (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.1)
       rack (~> 1.4.0)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.1.2)
-    activemodel (3.2.3)
-      activesupport (= 3.2.3)
+      sprockets (~> 2.1.3)
+    activemodel (3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
-    activerecord (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
+    activerecord (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.3)
-      activemodel (= 3.2.3)
-      activesupport (= 3.2.3)
-    activesupport (3.2.3)
+    activeresource (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+    activesupport (3.2.6)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     arel (3.0.2)
     builder (3.0.0)
     erubis (2.7.0)
-    faraday (0.8.0)
+    faraday (0.8.1)
       multipart-post (~> 1.1)
     fbgraph (1.10.0)
       activesupport
@@ -53,27 +53,30 @@ GEM
     hike (1.2.1)
     httpauth (0.1)
     i18n (0.6.0)
-    jeweler (1.8.3)
+    jeweler (1.8.4)
       bundler (~> 1.0)
       git (>= 1.2.5)
       rake
       rdoc
-    journey (1.0.3)
-    json (1.7.1)
+    journey (1.0.4)
+    json (1.7.3)
+    jwt (0.1.4)
+      json (>= 1.2.4)
     mail (2.4.4)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    mime-types (1.18)
-    multi_json (1.3.4)
+    mime-types (1.19)
+    multi_json (1.3.6)
     multipart-post (1.1.5)
     mysql2 (0.3.11)
-    oauth2 (0.7.1)
+    oauth2 (0.8.0)
       faraday (~> 0.8)
       httpauth (~> 0.1)
+      jwt (~> 0.1.4)
       multi_json (~> 1.0)
-      rack (~> 1.4)
-    pg (0.13.2)
+      rack (~> 1.2)
+    pg (0.14.0)
     polyglot (0.3.3)
     rack (1.4.1)
     rack-cache (1.2)
@@ -82,29 +85,29 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.2.3)
-      actionmailer (= 3.2.3)
-      actionpack (= 3.2.3)
-      activerecord (= 3.2.3)
-      activeresource (= 3.2.3)
-      activesupport (= 3.2.3)
+    rails (3.2.6)
+      actionmailer (= 3.2.6)
+      actionpack (= 3.2.6)
+      activerecord (= 3.2.6)
+      activeresource (= 3.2.6)
+      activesupport (= 3.2.6)
       bundler (~> 1.0)
-      railties (= 3.2.3)
-    railties (3.2.3)
-      actionpack (= 3.2.3)
-      activesupport (= 3.2.3)
+      railties (= 3.2.6)
+    railties (3.2.6)
+      actionpack (= 3.2.6)
+      activesupport (= 3.2.6)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6, < 2.0)
     rake (0.9.2.2)
     rcov (1.0.0)
     rdoc (3.12)
       json (~> 1.4)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    simplecov (0.6.2)
-      multi_json (~> 1.3)
+    simplecov (0.6.4)
+      multi_json (~> 1.0)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
     sprockets (2.1.3)
@@ -112,7 +115,7 @@ GEM
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.6)
-    thor (0.14.6)
+    thor (0.15.4)
     tilt (1.3.3)
     treetop (1.4.10)
       polyglot
@@ -123,13 +126,13 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (>= 1.1.0)
+  bundler (>= 1.1.4)
   fbgraph_rails (>= 0.2.2)
   flexmock (>= 0.9.0)
-  jeweler (>= 1.8.0)
+  jeweler (>= 1.8.4)
   mysql2 (>= 0.3.11)
-  pg (>= 0.13.2)
-  rails (>= 3.2.3)
+  pg (>= 0.14.0)
+  rails (>= 3.2.6)
   rcov
   simplecov
   sqlite3 (>= 1.3.6)

data/VERSION

@@ -1 +1 @@
-0.10.11
+0.10.12

data/authpwn_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.10.11"
+  s.version = "0.10.12"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = "2012-05-12"
+  s.date = "2012-07-08"
   s.description = "Works with Facebook."
   s.email = "victor@costan.us"
   s.extra_rdoc_files = [
@@ -38,6 +38,7 @@ Gem::Specification.new do |s|
     "legacy/migrate_09_to_010.rb",
     "lib/authpwn_rails.rb",
     "lib/authpwn_rails/credential_model.rb",
+    "lib/authpwn_rails/current_user.rb",
     "lib/authpwn_rails/engine.rb",
     "lib/authpwn_rails/facebook_session.rb",
     "lib/authpwn_rails/generators/all_generator.rb",
@@ -60,6 +61,7 @@ Gem::Specification.new do |s|
     "lib/authpwn_rails/generators/templates/session_mailer_test.rb",
     "lib/authpwn_rails/generators/templates/user.rb",
     "lib/authpwn_rails/generators/templates/users.yml",
+    "lib/authpwn_rails/http_basic.rb",
     "lib/authpwn_rails/routes.rb",
     "lib/authpwn_rails/session.rb",
     "lib/authpwn_rails/session_controller.rb",
@@ -90,6 +92,7 @@ Gem::Specification.new do |s|
     "test/helpers/fbgraph.rb",
     "test/helpers/routes.rb",
     "test/helpers/view_helpers.rb",
+    "test/http_basic_controller_test.rb",
     "test/routes_test.rb",
     "test/session_controller_api_test.rb",
     "test/session_mailer_api_test.rb",
@@ -110,37 +113,37 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<fbgraph_rails>, [">= 0.2.2"])
-      s.add_runtime_dependency(%q<rails>, [">= 3.2.3"])
-      s.add_development_dependency(%q<bundler>, [">= 1.1.0"])
+      s.add_runtime_dependency(%q<rails>, [">= 3.2.6"])
+      s.add_development_dependency(%q<bundler>, [">= 1.1.4"])
       s.add_development_dependency(%q<flexmock>, [">= 0.9.0"])
-      s.add_development_dependency(%q<jeweler>, [">= 1.8.0"])
+      s.add_development_dependency(%q<jeweler>, [">= 1.8.4"])
       s.add_development_dependency(%q<rcov>, [">= 0"])
       s.add_development_dependency(%q<simplecov>, [">= 0"])
       s.add_development_dependency(%q<mysql2>, [">= 0.3.11"])
-      s.add_development_dependency(%q<pg>, [">= 0.13.2"])
+      s.add_development_dependency(%q<pg>, [">= 0.14.0"])
       s.add_development_dependency(%q<sqlite3>, [">= 1.3.6"])
     else
       s.add_dependency(%q<fbgraph_rails>, [">= 0.2.2"])
-      s.add_dependency(%q<rails>, [">= 3.2.3"])
-      s.add_dependency(%q<bundler>, [">= 1.1.0"])
+      s.add_dependency(%q<rails>, [">= 3.2.6"])
+      s.add_dependency(%q<bundler>, [">= 1.1.4"])
       s.add_dependency(%q<flexmock>, [">= 0.9.0"])
-      s.add_dependency(%q<jeweler>, [">= 1.8.0"])
+      s.add_dependency(%q<jeweler>, [">= 1.8.4"])
       s.add_dependency(%q<rcov>, [">= 0"])
       s.add_dependency(%q<simplecov>, [">= 0"])
       s.add_dependency(%q<mysql2>, [">= 0.3.11"])
-      s.add_dependency(%q<pg>, [">= 0.13.2"])
+      s.add_dependency(%q<pg>, [">= 0.14.0"])
       s.add_dependency(%q<sqlite3>, [">= 1.3.6"])
     end
   else
     s.add_dependency(%q<fbgraph_rails>, [">= 0.2.2"])
-    s.add_dependency(%q<rails>, [">= 3.2.3"])
-    s.add_dependency(%q<bundler>, [">= 1.1.0"])
+    s.add_dependency(%q<rails>, [">= 3.2.6"])
+    s.add_dependency(%q<bundler>, [">= 1.1.4"])
     s.add_dependency(%q<flexmock>, [">= 0.9.0"])
-    s.add_dependency(%q<jeweler>, [">= 1.8.0"])
+    s.add_dependency(%q<jeweler>, [">= 1.8.4"])
     s.add_dependency(%q<rcov>, [">= 0"])
     s.add_dependency(%q<simplecov>, [">= 0"])
     s.add_dependency(%q<mysql2>, [">= 0.3.11"])
-    s.add_dependency(%q<pg>, [">= 0.13.2"])
+    s.add_dependency(%q<pg>, [">= 0.14.0"])
     s.add_dependency(%q<sqlite3>, [">= 1.3.6"])
   end
 end

data/lib/authpwn_rails/current_user.rb

@@ -0,0 +1,19 @@
+# :nodoc: namespace
+module Authpwn
+
+# The unofficial Rails convention for tracking the authenticated user.
+module CurrentUser
+  attr_reader :current_user
+  
+  def current_user=(user)
+    @current_user = user
+    if user
+      session[:user_exuid] = user.to_param
+    else
+      session.delete :user_exuid
+    end
+  end  
+end  # module Authpwn::CurrentUser
+
+end  # namespace Authpwn
+

data/lib/authpwn_rails/http_basic.rb

@@ -0,0 +1,63 @@
+require 'action_controller'
+
+# :nodoc: adds authenticates_using_http_basic
+class ActionController::Base
+  # Keeps track of the currently authenticated user via the session. 
+  #
+  # Assumes the existence of a User model. A bare ActiveModel model will do the
+  # trick. Model instances must implement id, and the model class must implement
+  # find_by_id.
+  def self.authenticates_using_http_basic(options = {})
+    include Authpwn::HttpBasicControllerInstanceMethods
+    before_filter :authenticate_using_http_basic, options   
+  end
+end
+
+# :nodoc: namespace
+module Authpwn
+
+# Included in controllers that call authenticates_using_http_basic.
+module HttpBasicControllerInstanceMethods
+  include Authpwn::CurrentUser
+
+  # Filter that implements authenticates_using_http_basic.
+  #
+  # If your ApplicationController contains authenticates_using_http_basic, you
+  # can opt out in individual controllers using skip_before_filter.
+  #
+  #     skip_before_filter :authenticate_using_http_filter
+  def authenticate_using_http_basic
+    return if current_user
+    authenticate_with_http_basic do |email, password|
+      auth = Credentials::Password.authenticate_email email, password
+      self.current_user = auth unless auth.kind_of? Symbol
+    end
+  end
+  private :authenticate_using_http_basic
+  
+  # Inform the user that their request is forbidden.
+  #
+  # If a user is logged on, this renders the session/forbidden view with a HTTP
+  # 403 code.
+  # 
+  # If no user is logged in, a HTTP 403 code is returned, together with an
+  # HTTP Authentication header causing the user-agent (browser) to initiate
+  # http basic authentication.
+  def bounce_to_http_basic()
+    unless current_user
+      request_http_basic_authentication
+      return
+    end
+
+    respond_to do |format|
+      format.html do
+        render 'session/forbidden', :status => :forbidden
+      end
+      format.json do
+        render :json => { :error => "You're not allowed to access that" }
+      end
+    end
+  end
+end  # module Authpwn::HttpBasicControllerInstanceMethods
+
+end  # namespace Authpwn

data/lib/authpwn_rails/session.rb

@@ -26,17 +26,14 @@ module Authpwn
 
 # Included in controllers that call authenticates_using_session.
 module ControllerInstanceMethods
-  attr_reader :current_user
-  
-  def current_user=(user)
-    @current_user = user
-    if user
-      session[:user_exuid] = user.to_param
-    else
-      session.delete :user_exuid
-    end
-  end  
+  include Authpwn::CurrentUser
 
+  # Filter that implements authenticates_using_session.
+  #
+  # If your ApplicationController contains authenticates_using_session, you
+  # can opt out in individual controllers using skip_before_filter.
+  #
+  #     skip_before_filter :authenticate_using_session
   def authenticate_using_session
     return if current_user
     user_param = session[:user_exuid]

data/lib/authpwn_rails/test_extensions.rb

@@ -48,6 +48,38 @@ module ControllerTestExtensions
     return nil unless user_param = request.session[:user_exuid]
     User.find_by_param user_param
   end
+
+  # Sets the HTTP Authentication header.
+  #
+  # If no password is provided, the user's password is set to "password". This
+  # change is normally reverted at the end of the test, as long as
+  # transactional fixtures are not disabled.
+  #
+  # Tests that need to disable transactional fixures should specify the user's
+  # password.
+  def set_http_basic_user(user, password = nil)
+    unless password
+      password = 'password'
+      credential = Credentials::Password.where(:user_id => user.id).first
+      if credential
+        credential.update_attributes! :password => password
+      else
+        credential = Credentials::Password.new :password => password
+        credential.user_id = user.id
+        credential.save!
+      end
+    end
+
+    credential = Credentials::Email.where(:user_id => user.id).first
+    unless credential
+      raise RuntimeError, "Can't specify an user without an e-mail"
+    end
+    email = credential.email
+
+    request.env['HTTP_AUTHORIZATION'] =
+        "Basic #{::Base64.strict_encode64("#{email}:#{password}")}"
+    user
+  end
 end  # module Authpwn::ControllerTestExtensions
 
 end  # namespace Authpwn

data/lib/authpwn_rails.rb

@@ -17,7 +17,9 @@ module Authpwn
   end
 end
 
+require 'authpwn_rails/current_user.rb'
 require 'authpwn_rails/facebook_session.rb'
+require 'authpwn_rails/http_basic.rb'
 require 'authpwn_rails/routes.rb'
 require 'authpwn_rails/session.rb'
 require 'authpwn_rails/test_extensions.rb'

data/test/helpers/routes.rb

@@ -6,6 +6,9 @@ class ActionController::TestCase
       resource :cookie, :controller => 'cookie' do
         collection { get :bouncer }
       end
+      resource :http_basic, :controller => 'http_basic' do
+        collection { get :bouncer }
+      end
       resource :facebook, :controller => 'facebook'
       authpwn_session :controller => 'bare_session',
                       :method_names => 'bare_session'

data/test/http_basic_controller_test.rb

@@ -0,0 +1,99 @@
+require File.expand_path('../test_helper', __FILE__)
+
+# Mock controller used for testing session handling.
+class HttpBasicController < ApplicationController
+  authenticates_using_http_basic
+    
+  def show
+    if current_user
+      render :text => "User: #{current_user.id}"
+    else
+      render :text => "No user"
+    end
+  end
+  
+  def bouncer
+    bounce_to_http_basic
+  end
+end
+
+class HttpBasicControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:jane)
+  end
+
+  test "no user_id in session cookie or header" do
+    get :show
+    assert_response :success
+    assert_nil assigns(:current_user)
+    assert_equal 'No user', response.body
+  end
+  
+  test "valid user_id in session cookie" do
+    set_session_current_user @user
+    get :show
+    assert_response :success
+    assert_nil assigns(:current_user)
+    assert_equal 'No user', response.body
+  end
+
+  test "valid user credentials in header" do
+    set_http_basic_user @user, 'pa55w0rd'
+    get :show
+    assert_equal @user, assigns(:current_user)
+    assert_equal "User: #{ActiveRecord::Fixtures.identify(:jane)}",
+                 response.body
+  end
+
+  test "invalid user credentials in header" do
+    set_http_basic_user @user, 'password'
+    get :show
+    assert_nil assigns(:current_user)
+    assert_equal 'No user', response.body
+  end
+
+  test "mocked user credentials in header" do
+    set_http_basic_user @user
+    get :show
+    assert_equal @user, assigns(:current_user)
+    assert_equal "User: #{ActiveRecord::Fixtures.identify(:jane)}",
+                 response.body
+  end
+  
+  test "invalid user_pid in session" do
+    get :show, {}, :current_user_pid => 'random@user.com'
+    assert_response :success
+    assert_nil assigns(:current_user)
+  end
+  
+  test "valid user bounced to http authentication" do
+    set_http_basic_user @user
+    get :bouncer
+    assert_response :forbidden
+    assert_template 'session/forbidden'
+    assert_select 'a[href="/session"][data-method="delete"]', 'Log out'
+  end
+
+  test "valid user bounced in json" do
+    set_http_basic_user @user
+    get :bouncer, :format => 'json'
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_match(/not allowed/i, data['error'])
+  end
+  
+  test "no user_id bounced to http authentication" do
+    get :bouncer
+    assert_response :unauthorized
+    assert_equal 'Basic realm="Application"',
+                 response.headers['WWW-Authenticate']
+  end
+
+  test "no user_id bounced in json" do
+    get :bouncer, :format => 'json'
+    assert_response :unauthorized
+    assert_equal 'Basic realm="Application"',
+                 response.headers['WWW-Authenticate']
+  end
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-  version: 0.10.11
+  version: 0.10.12
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-05-12 00:00:00.000000000 Z
+date: 2012-07-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fbgraph_rails
@@ -34,7 +34,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 3.2.3
+        version: 3.2.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -42,7 +42,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 3.2.3
+        version: 3.2.6
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -50,7 +50,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -58,7 +58,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.1.0
+        version: 1.1.4
 - !ruby/object:Gem::Dependency
   name: flexmock
   requirement: !ruby/object:Gem::Requirement
@@ -82,7 +82,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -90,7 +90,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 1.8.0
+        version: 1.8.4
 - !ruby/object:Gem::Dependency
   name: rcov
   requirement: !ruby/object:Gem::Requirement
@@ -146,7 +146,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.13.2
+        version: 0.14.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -154,7 +154,7 @@ dependencies:
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 0.13.2
+        version: 0.14.0
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
@@ -200,6 +200,7 @@ files:
 - legacy/migrate_09_to_010.rb
 - lib/authpwn_rails.rb
 - lib/authpwn_rails/credential_model.rb
+- lib/authpwn_rails/current_user.rb
 - lib/authpwn_rails/engine.rb
 - lib/authpwn_rails/facebook_session.rb
 - lib/authpwn_rails/generators/all_generator.rb
@@ -222,6 +223,7 @@ files:
 - lib/authpwn_rails/generators/templates/session_mailer_test.rb
 - lib/authpwn_rails/generators/templates/user.rb
 - lib/authpwn_rails/generators/templates/users.yml
+- lib/authpwn_rails/http_basic.rb
 - lib/authpwn_rails/routes.rb
 - lib/authpwn_rails/session.rb
 - lib/authpwn_rails/session_controller.rb
@@ -252,6 +254,7 @@ files:
 - test/helpers/fbgraph.rb
 - test/helpers/routes.rb
 - test/helpers/view_helpers.rb
+- test/http_basic_controller_test.rb
 - test/routes_test.rb
 - test/session_controller_api_test.rb
 - test/session_mailer_api_test.rb
@@ -275,7 +278,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -1868875221807376290
+      hash: 546732945991405653
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: