authpwn_rails 0.10.3 → 0.10.4

data/Gemfile.lock

@@ -60,13 +60,13 @@ GEM
       bundler (~> 1.0)
       git (>= 1.2.5)
       rake
-    json (1.6.1)
+    json (1.6.2)
     mail (2.3.0)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.17.2)
-    multi_json (1.0.3)
+    multi_json (1.0.4)
     multipart-post (1.1.4)
     oauth2 (0.5.1)
       faraday (~> 0.7.4)

data/VERSION

@@ -1 +1 @@
-0.10.3
+0.10.4

data/app/models/credentials/email.rb

@@ -10,13 +10,41 @@ class Email < ::Credential
        :message => 'This e-mail address is already claimed by an account' }
 
   # '1' if the user proved ownership of the e-mail address.
-  alias_attribute :verified, :key
-  validates :verified, :presence => true
+  validates :key, :presence => true, :inclusion => { :in => ['0', '1'] }
 
   before_validation :set_verified_to_false, :on => :create
   # :nodoc: by default, e-mail addresses are not verified
   def set_verified_to_false
-    self.verified ||= '0' if self.key.nil?
+    self.key ||= '0' if self.key.nil?
+  end
+  
+  # True if the e-mail has been verified via a token URL.
+  def verified?
+    key == '1'
+  end
+
+  # True if the e-mail has been verified via a token URL.
+  def verified=(new_verified_value)
+    self.key = new_verified_value ? '1' : '0'
+    new_verified_value ? true : false
+  end
+
+  # Locates the user that owns an e-mail address, for authentication purposes.
+  #
+  # Presenting the correct e-mail is almost never sufficient for authentication
+  # purposes. This method will most likely used to kick off an authentication
+  # process, such as in Password#authenticate_email.
+  #
+  # Returns the authenticated User instance, or a symbol indicating the reason
+  # why the (potentially valid) password was rejected.
+  def self.authenticate(email)
+    # This method is likely to be used to kick off a complex authentication
+    # process, so it makes sense to pre-fetch the user's other credentials.
+    credential = Credentials::Email.where(:name => email).
+                                    includes(:user => :credentials).first
+    return :invalid unless credential
+    user = credential.user
+    user.auth_bounce_reason(credential) || user
   end
 
   # Forms can only change the e-mail in the credential.

data/app/models/credentials/password.rb

@@ -14,14 +14,23 @@ class Password < ::Credential
   # A user can have a single password
   validates :user_id, :uniqueness => true
 
-  # Compares the given password against the user's stored password.
+  # Compares a plain-text password against the password hash in this credential.
   #
   # Returns +true+ for a match, +false+ otherwise.
-  def authenticate(password)
+  def check_password(password)
     return false unless key
     key == self.class.hash_password(password, key.split('|', 2).first)
   end
   
+  # Compares a plain-text password against the password hash in this credential.
+  #
+  # Returns the authenticated User instance, or a symbol indicating the reason
+  # why the (potentially valid) password was rejected.
+  def authenticate(password)
+    return :invalid unless check_password(password)
+    user.auth_bounce_reason(self) || user
+  end
+  
   # Password virtual attribute.
   def password=(new_password)
     @password = new_password
@@ -34,14 +43,16 @@ class Password < ::Credential
     @password = @password_confirmation = nil
   end
 
-  # The authenticated user or nil.
+  # Authenticates a user given an e-mail / password pair.
+  #
+  # Returns the authenticated User instance, or a symbol indicating the reason
+  # why the (potentially valid) credential was rejected.
   def self.authenticate_email(email, password)
-    email_cred = Credentials::Email.where(:name => email).
-                                    includes(:user => :credentials).first
-    return nil unless email_cred    
-    credential = email_cred.user.credentials.
-                            find { |c| c.kind_of? Credentials::Password }
-    credential.authenticate(password) ? email_cred.user : nil
+    user = Credentials::Email.authenticate email
+    return user if user.is_a? Symbol
+    
+    credential = user.credentials.find { |c| c.kind_of? Credentials::Password }
+    credential ? credential.authenticate(password) : :invalid
   end
 
   # Computes a password hash from a raw password and a salt.

data/authpwn_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.10.3"
+  s.version = "0.10.4"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = "2011-11-25"
+  s.date = "2011-11-30"
   s.description = "Works with Facebook."
   s.email = "victor@costan.us"
   s.extra_rdoc_files = [

data/legacy/migrate_09_to_010.rb

@@ -79,4 +79,5 @@ class DropFacebookTokens < ActiveRecord::Migration
     drop_table :facebook_tokens
   end
 end
+DropFacebookTokens.migrate :up
 reload!

data/lib/authpwn_rails/engine.rb

@@ -15,6 +15,7 @@ class Engine < Rails::Engine
       
       RSpec.configure do |c|
         c.include Authpwn::TestExtensions
+        c.include Authpwn::ControllerTestExtensions
       end
     rescue LoadError
       # No RSpec, no extensions.

data/lib/authpwn_rails/generators/templates/session_controller.rb

@@ -16,6 +16,16 @@ class SessionController < ApplicationController
   end
   private :home
   
+  # The notification text displayed when a session authentication fails.
+  def bounce_notice_text(reason)
+    case reason
+    when :invalid
+      'Invalid e-mail or password'
+    when :blocked
+      'Account blocked. Please verify your e-mail address'
+    end
+  end
+  
   # You shouldn't extend the session controller, so you can benefit from future
   # features, like Facebook / Twitter / OpenID integration. But, if you must,
   # you can do it here.

data/lib/authpwn_rails/session_controller.rb

@@ -54,8 +54,8 @@ module SessionController
     def create
       @redirect_url = params[:redirect_url] || session_url
       @email = params[:email]
-      self.current_user = Credentials::Password.authenticate_email(@email,
-          params[:password])
+      auth = Credentials::Password.authenticate_email @email, params[:password]
+      self.current_user = auth unless auth.kind_of? Symbol
           
       respond_to do |format|
         if current_user
@@ -69,12 +69,12 @@ module SessionController
                               :csrf => form_authenticity_token }
           end
         else
-          notice = 'Invalid e-mail or password'
+          notice = bounce_notice_text auth
           format.html do
             redirect_to new_session_url, :flash => { :notice => notice,
                 :auth_redirect_url => @redirect_url }
           end
-          format.json { render :json => { :error => notice} }
+          format.json { render :json => { :error => auth, :text => notice } }
         end
       end
     end
@@ -97,6 +97,16 @@ module SessionController
     def welcome
     end
     private :welcome
+
+    # Hook for customizing the bounce notification text.    
+    def bounce_notice_text(reason)
+      case reason
+      when :invalid
+        'Invalid e-mail or password'
+      when :blocked
+        'Account blocked. Please verify your e-mail address'
+      end
+    end
   end  # module Authpwn::SessionController::InstanceMethods
 
 end  # module Authpwn::SessionController

data/lib/authpwn_rails/test_extensions.rb

@@ -1,8 +1,39 @@
 # :nodoc: namespace
 module Authpwn
 
-# Included in test cases.
+# Included in all test cases.
 module TestExtensions
+  # Stubs User#auth_bounce_reason to block a given credential.
+  #
+  # The default implementation of User#auth_bounce_reason always returns nil.
+  # Your application's implementation might differ. Either way, the method is 
+  # replaced for the duration of the block, such that it returns :block if
+  # the credential matches the given argument, and nil otherwise.
+  def with_blocked_credential(blocked_credential, reason = :blocked, &block)
+    # Stub a method in all User instances for this test only.
+    # flexmock.new_instances doesn't work because ActiveRecord doesn't use new
+    # to instantiate records.
+    ::User.class_eval do
+      alias_method :_auth_bounce_reason_wbc_stub, :auth_bounce_reason
+      define_method :auth_bounce_reason do |credential|
+        credential == blocked_credential ? reason : nil
+      end
+    end
+    
+    begin
+      yield
+    ensure
+      ::User.class_eval do
+        undef_method :auth_bounce_reason
+        alias_method :auth_bounce_reason, :_auth_bounce_reason_wbc_stub
+        undef_method :_auth_bounce_reason_wbc_stub
+      end
+    end
+  end
+end  # module Authpwn::TestExtensions
+
+# Included in controller test cases.
+module ControllerTestExtensions
   # Sets the authenticated user in the test session.
   def set_session_current_user(user)
     request.session[:user_exuid] = user ? user.to_param : nil
@@ -13,12 +44,16 @@ module TestExtensions
     return nil unless user_param = request.session[:user_exuid]
     User.find_by_param user_param
   end
-end  # module Authpwn::TestExtensions
+end  # module Authpwn::ControllerTestExtensions
 
 end  # namespace Authpwn
 
+# :nodoc: extend Test::Unit
+class ActiveSupport::TestCase
+  include Authpwn::TestExtensions
+end
 
 # :nodoc: extend Test::Unit
 class ActionController::TestCase
-  include Authpwn::TestExtensions
+  include Authpwn::ControllerTestExtensions
 end

data/lib/authpwn_rails/user_model.rb

@@ -42,6 +42,14 @@ module UserModel
   
   # Included in models that include Authpwn::UserModel.
   module InstanceMethods
+    # Checks if a credential is acceptable for authenticating a user.
+    #
+    # Returns nil if the credential is acceptable, or a String containing a
+    # user-visible reason why the credential is not acceptable. 
+    def auth_bounce_reason(crdential)
+      nil
+    end
+    
     # Use e-mails instead of exposing ActiveRecord IDs.
     def to_param
       exuid

data/test/email_credential_test.rb

@@ -10,11 +10,28 @@ class EmailCredentialTest < ActiveSupport::TestCase
     assert @credential.valid?
   end
   
-  test 'verified required' do
-    @credential.verified = ''
+  test 'key required' do
+    @credential.key = ''
+    assert !@credential.valid?
+  end
+
+  test 'key cannot be some random string' do
+    @credential.key = 'xoxo'
     assert !@credential.valid?
   end
   
+  test 'verified set to true' do
+    @credential.verified = true
+    assert_equal '1', @credential.key, 'key'
+    assert_equal true, @credential.verified?, 'verified?'
+  end
+  
+  test 'verified set to false' do
+    @credential.verified = false
+    assert_equal '0', @credential.key, 'key'
+    assert_equal false, @credential.verified?, 'verified?'
+  end
+  
   test 'user presence' do
     @credential.user = nil
     assert !@credential.valid?
@@ -41,4 +58,19 @@ class EmailCredentialTest < ActiveSupport::TestCase
     @credential.email = credentials(:john_email).email
     assert !@credential.valid?
   end
+  
+  test 'authenticate' do
+    assert_equal users(:john), Credentials::Email.authenticate('john@gmail.com')
+    assert_equal users(:jane), Credentials::Email.authenticate('jane@gmail.com')
+    assert_equal :invalid, Credentials::Email.authenticate('bill@gmail.com')
+  end
+  
+  test 'authenticate calls User#auth_bounce_reason' do
+    with_blocked_credential credentials(:john_email), :reason do
+      assert_equal :reason, Credentials::Email.authenticate('john@gmail.com')
+      assert_equal users(:jane),
+                   Credentials::Email.authenticate('jane@gmail.com')
+      assert_equal :invalid, Credentials::Email.authenticate('bill@gmail.com')
+    end
+  end
 end

data/test/password_credential_test.rb

@@ -36,27 +36,45 @@ class PasswordCredentialTest < ActiveSupport::TestCase
     assert !@credential.valid?
   end
   
-  test 'authenticate' do
-    assert_equal true, @credential.authenticate('awesome')
-    assert_equal false, @credential.authenticate('not awesome'),
+  test 'check_password' do
+    assert_equal true, @credential.check_password('awesome')
+    assert_equal false, @credential.check_password('not awesome'),
                  'Bogus password'
-    assert_equal false, @credential.authenticate('password'),
+    assert_equal false, @credential.check_password('password'),
                  "Another user's password" 
   end
+  
+  test 'authenticate' do
+    assert_equal users(:bill), @credential.authenticate('awesome')
+    assert_equal :invalid, @credential.authenticate('not awesome')
+  end
+  
+  test 'authenticate calls User#auth_bounce_reason' do
+    user = @credential.user
+    flexmock(user).should_receive(:auth_bounce_reason).and_return(:reason)
+    assert_equal :reason, @credential.authenticate('awesome')
+    assert_equal :invalid, @credential.authenticate('not awesome')
+  end
     
   test 'authenticate_email' do
     assert_equal users(:john),
         Credentials::Password.authenticate_email('john@gmail.com', 'password')
-    assert_equal nil,
+    assert_equal :invalid,
         Credentials::Password.authenticate_email('john@gmail.com', 'pa55w0rd'),
         "Jane's password on John's account"
     assert_equal users(:jane),
         Credentials::Password.authenticate_email('jane@gmail.com', 'pa55w0rd')
-    assert_equal nil,
+    assert_equal :invalid,
         Credentials::Password.authenticate_email('jane@gmail.com', 'password'),
         "John's password on Jane's account"
-    assert_equal nil,
+    assert_equal :invalid,
         Credentials::Password.authenticate_email('john@gmail.com', 'awesome'),
         'Bogus password'
+    assert_equal :invalid,
+        Credentials::Password.authenticate_email('bill@gmail.com', 'pa55w0rd'),
+        'Password authentication on account without password credential'
+    assert_equal :invalid,
+        Credentials::Password.authenticate_email('none@gmail.com', 'pa55w0rd'),
+        'Bogus e-mail'
   end
 end

data/test/session_controller_api_test.rb

@@ -106,7 +106,17 @@ class SessionControllerApiTest < ActionController::TestCase
     assert_redirected_to new_session_url
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
-    assert_not_nil flash[:notice]
+    assert_match(/Invalid/, flash[:notice])
+  end
+  
+  test "create does not log in blocked accounts" do
+    with_blocked_credential @email_credential do
+      post :create, :email => @email_credential.email, :password => 'password'
+    end
+    assert_redirected_to new_session_url
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+    assert_match(/ blocked/, flash[:notice])
   end
 
   test "create by json does not log in with bad password" do
@@ -114,11 +124,25 @@ class SessionControllerApiTest < ActionController::TestCase
                   :format => 'json'
     assert_response :ok
     data = ActiveSupport::JSON.decode response.body
-    assert_match(/invalid/i , data['error'])
+    assert_equal 'invalid', data['error']
+    assert_match(/invalid/i , data['text'])
     assert_nil assigns(:current_user), 'instance variable'
     assert_nil session_current_user, 'session'
   end
   
+  test "create by json does not log in blocked accounts" do
+    with_blocked_credential @email_credential do
+      post :create, :email => @email_credential.email, :password => 'password',
+                    :format => 'json'
+    end
+    assert_response :ok
+    data = ActiveSupport::JSON.decode response.body
+    assert_equal 'blocked', data['error']
+    assert_match(/blocked/i , data['text'])
+    assert_nil assigns(:current_user), 'instance variable'
+    assert_nil session_current_user, 'session'
+  end  
+
   test "create maintains redirect_url for bad logins" do
     url = 'http://authpwn.redirect.url'
     post :create, :email => @email_credential.email, :password => 'fail',

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-  version: 0.10.3
+  version: 0.10.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-25 00:00:00.000000000Z
+date: 2011-11-30 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fbgraph_rails
-  requirement: &24789920 !ruby/object:Gem::Requirement
+  requirement: &14255560 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 0.2.2
   type: :runtime
   prerelease: false
-  version_requirements: *24789920
+  version_requirements: *14255560
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &24770680 !ruby/object:Gem::Requirement
+  requirement: &14254720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 3.1.3
   type: :runtime
   prerelease: false
-  version_requirements: *24770680
+  version_requirements: *14254720
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &24769460 !ruby/object:Gem::Requirement
+  requirement: &14253940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *24769460
+  version_requirements: *14253940
 - !ruby/object:Gem::Dependency
   name: flexmock
-  requirement: &24767220 !ruby/object:Gem::Requirement
+  requirement: &14252840 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 0.9.0
   type: :development
   prerelease: false
-  version_requirements: *24767220
+  version_requirements: *14252840
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &24766540 !ruby/object:Gem::Requirement
+  requirement: &14251980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: 1.6.0
   type: :development
   prerelease: false
-  version_requirements: *24766540
+  version_requirements: *14251980
 - !ruby/object:Gem::Dependency
   name: rcov
-  requirement: &24765740 !ruby/object:Gem::Requirement
+  requirement: &14248280 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *24765740
+  version_requirements: *14248280
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &24765080 !ruby/object:Gem::Requirement
+  requirement: &14247460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -87,7 +87,7 @@ dependencies:
         version: 1.3.3
   type: :development
   prerelease: false
-  version_requirements: *24765080
+  version_requirements: *14247460
 description: Works with Facebook.
 email: victor@costan.us
 executables: []
@@ -167,7 +167,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -300984823103934206
+      hash: -3462448452980002093
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: