authpwn_rails 0.12.0 → 0.12.1

data/.travis.yml

@@ -1,5 +1,10 @@
+language: ruby
+env:
+  - DB=mysql
+  - DB=pg DB_USER=postgres
+  - DB=sqlite
 rvm:
   - 1.8.7
-  - 1.9.2
   - 1.9.3
-  - rbx-head
+  - rbx-18mode
+  - rbx-19mode

data/VERSION

@@ -1 +1 @@
-0.12.0
+0.12.1

data/app/models/credentials/password.rb

@@ -1,6 +1,6 @@
 # :namespace
 module Credentials
-  
+
 # Associates a password with the user account.
 class Password < ::Credential
   # Virtual attribute: the user's password.
@@ -11,9 +11,16 @@ class Password < ::Credential
   # Virtual attribute: confirmation for the user's password.
   attr_accessor :password_confirmation
 
-  # A user can have a single password
+  # A user can have a single password.
   validates :user_id, :uniqueness => true
 
+  # Passwords can expire, if users don't change them often enough.
+  include Authpwn::Expires
+  # Passwords don't expire by default, because it is non-trivial to get e-mail
+  # delivery working in Rails, which is necessary for recovering from expired
+  # passwords.
+  self.expires_after = nil
+
   # Compares a plain-text password against the password hash in this credential.
   #
   # Returns +true+ for a match, +false+ otherwise.
@@ -21,16 +28,17 @@ class Password < ::Credential
     return false unless key
     key == self.class.hash_password(password, key.split('|', 2).first)
   end
-  
+
   # Compares a plain-text password against the password hash in this credential.
   #
   # Returns the authenticated User instance, or a symbol indicating the reason
   # why the (potentially valid) password was rejected.
   def authenticate(password)
+    return :expired if expired?
     return :invalid unless check_password(password)
     user.auth_bounce_reason(self) || user
   end
-  
+
   # Password virtual attribute.
   def password=(new_password)
     @password = new_password
@@ -50,7 +58,7 @@ class Password < ::Credential
   def self.authenticate_email(email, password)
     user = Credentials::Email.authenticate email
     return user if user.is_a? Symbol
-    
+
     credential = user.credentials.find { |c| c.kind_of? Credentials::Password }
     credential ? credential.authenticate(password) : :invalid
   end
@@ -59,14 +67,14 @@ class Password < ::Credential
   def self.hash_password(password, salt)
     salt + '|' + Digest::SHA2.hexdigest(password + salt)
   end
-  
+
   # Generates a random salt value.
   def self.random_salt
     [(0...12).map { |i| 1 + rand(255) }.pack('C*')].pack('m').strip
   end
-  
+
   # Forms can only change the plain-text password fields.
-  attr_accessible :password, :password_confirmation  
+  attr_accessible :password, :password_confirmation
 end  # class Credentials::Password
 
 end  # namespace Credentials

data/app/models/credentials/token.rb

@@ -29,6 +29,10 @@ class Token < ::Credential
   validates :name, :format => /^[A-Za-z0-9\_\-]+$/, :presence => true,
                    :uniqueness => true
 
+  # Tokens can expire. This is a good idea most of the time, because token
+  # codes are supposed to be used quickly.
+  include Authpwn::Expires
+
   # Authenticates a user using a secret token code.
   #
   # The token will be spent on successful authentication. One-time tokens are
@@ -67,6 +71,10 @@ class Token < ::Credential
   # Returns the authenticated User instance, or a symbol indicating the reason
   # why the (potentially valid) token code was rejected.
   def authenticate
+    if expired?
+      destroy
+      return :invalid
+    end
     if bounce = user.auth_bounce_reason(self)
       return bounce
     end

data/app/models/tokens/email_verification.rb

@@ -12,6 +12,9 @@ class EmailVerification < OneTime
   alias_attribute :email, :key
   validates :email, :presence => true
 
+  # Decent compromise between convenience and security.
+  self.expires_after = 3.days
+
   # Creates a token with a random code that verifies the given e-mail address.
   def self.random_for(email_credential)
     super email_credential.user, email_credential.email, self

data/app/models/tokens/password_reset.rb

@@ -1,8 +1,11 @@
 # :namespace
 module Tokens
-  
+
 # Lets the user to change their password without knowing the old one.
 class PasswordReset < OneTime
+  # Decent compromise between convenience and security.
+  self.expires_after = 3.days
+
   # Blanks the user's old password, so the new password form won't ask for it.
   #
   # Returns the token instance.
@@ -14,7 +17,7 @@ class PasswordReset < OneTime
       super
     end
   end
-  
+
   # The credential that is removed by this token.
   #
   # This method might return nil if a user initiates password recovery multiple

data/app/models/tokens/session_uid.rb

@@ -0,0 +1,54 @@
+# :namespace
+module Tokens
+
+class SessionUid < Credentials::Token
+  # The session UID.
+  alias_attribute :suid, :name
+
+  # The IP address and User-Agent string of the browser using this session.
+  store :key, :accessors => [:browser_ip, :browser_ua]
+
+  # The User-Agent header of the browser that received this suid.
+  validates :browser_ua, :presence => true
+
+  # The IP of the computer that received this suid.
+  validates :browser_ip, :presence => true
+
+  # Decent compromise between convenience and security.
+  self.expires_after = 14.days
+
+  # Creates a new session UID token for a user.
+  #
+  # @param [User] user the user authenticated using this session
+  # @param [String] browser_ip the IP of the session
+  # @param [String] browser_ua the User-Agent of the browser used for this
+  #                            session
+  def self.random_for(user, browser_ip, browser_ua)
+    browser_ua = browser_ua[0, 1536] if browser_ua.length > 1536
+    key = { :browser_ip => browser_ip, :browser_ua => browser_ua }
+    super user, key, self
+  end
+
+  # Refresh precision for the updated_at timestamp, in seconds.
+  #
+  # When a session UID is used to authenticate a user, its updated_at time is
+  # refreshed if it differs from the current time by this much.
+  class_attribute :updates_after, :instance_writer => false
+  self.updates_after = 1.hour
+
+  # Updates the time associated with the session.
+  def spend
+    self.touch if Time.now - updated_at >= updates_after
+  end
+
+  # Garbage-collects database records of expired sessions.
+  #
+  # This method should be called periodically to keep the size of the session
+  # table under control.
+  def self.remove_expired
+    self.where('updated_at < ?', Time.now - expires_after).delete_all
+    self
+  end
+end  # class Tokens::SessionUid
+
+end  # namespace Tokens

data/authpwn_rails.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "authpwn_rails"
-  s.version = "0.12.0"
+  s.version = "0.12.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Victor Costan"]
-  s.date = "2012-09-24"
+  s.date = "2012-10-05"
   s.description = "Works with Facebook."
   s.email = "victor@costan.us"
   s.extra_rdoc_files = [
@@ -34,6 +34,7 @@ Gem::Specification.new do |s|
     "app/models/tokens/email_verification.rb",
     "app/models/tokens/one_time.rb",
     "app/models/tokens/password_reset.rb",
+    "app/models/tokens/session_uid.rb",
     "authpwn_rails.gemspec",
     "legacy/migrate_011_to_012.rb",
     "legacy/migrate_09_to_010.rb",
@@ -41,12 +42,14 @@ Gem::Specification.new do |s|
     "lib/authpwn_rails/credential_model.rb",
     "lib/authpwn_rails/current_user.rb",
     "lib/authpwn_rails/engine.rb",
+    "lib/authpwn_rails/expires.rb",
     "lib/authpwn_rails/facebook_session.rb",
     "lib/authpwn_rails/generators/all_generator.rb",
     "lib/authpwn_rails/generators/templates/001_create_users.rb",
     "lib/authpwn_rails/generators/templates/003_create_credentials.rb",
     "lib/authpwn_rails/generators/templates/credential.rb",
     "lib/authpwn_rails/generators/templates/credentials.yml",
+    "lib/authpwn_rails/generators/templates/initializer.rb",
     "lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
     "lib/authpwn_rails/generators/templates/session/home.html.erb",
     "lib/authpwn_rails/generators/templates/session/new.html.erb",
@@ -79,6 +82,7 @@ Gem::Specification.new do |s|
     "test/credentials/one_time_token_credential_test.rb",
     "test/credentials/password_credential_test.rb",
     "test/credentials/password_reset_token_test.rb",
+    "test/credentials/session_uid_token_test.rb",
     "test/credentials/token_crendential_test.rb",
     "test/facebook_controller_test.rb",
     "test/fixtures/bare_session/forbidden.html.erb",
@@ -94,9 +98,11 @@ Gem::Specification.new do |s|
     "test/helpers/routes.rb",
     "test/helpers/view_helpers.rb",
     "test/http_basic_controller_test.rb",
+    "test/initializer_test.rb",
     "test/routes_test.rb",
     "test/session_controller_api_test.rb",
     "test/session_mailer_api_test.rb",
+    "test/test_extensions_test.rb",
     "test/test_helper.rb",
     "test/user_extensions/email_field_test.rb",
     "test/user_extensions/facebook_fields_test.rb",

data/lib/authpwn_rails.rb

@@ -3,8 +3,10 @@ require 'active_support'
 # :nodoc: namespace
 module Authpwn
   extend ActiveSupport::Autoload
-  
+
   autoload :CredentialModel, 'authpwn_rails/credential_model.rb'
+  autoload :CurrentUser, 'authpwn_rails/current_user.rb'
+  autoload :Expires, 'authpwn_rails/expires.rb'
   autoload :SessionController, 'authpwn_rails/session_controller.rb'
   autoload :SessionMailer, 'authpwn_rails/session_mailer.rb'
   autoload :UserModel, 'authpwn_rails/user_model.rb'
@@ -17,7 +19,6 @@ module Authpwn
   end
 end
 
-require 'authpwn_rails/current_user.rb'
 require 'authpwn_rails/facebook_session.rb'
 require 'authpwn_rails/http_basic.rb'
 require 'authpwn_rails/routes.rb'

data/lib/authpwn_rails/current_user.rb

@@ -3,16 +3,7 @@ module Authpwn
 
 # The unofficial Rails convention for tracking the authenticated user.
 module CurrentUser
-  attr_reader :current_user
-  
-  def current_user=(user)
-    @current_user = user
-    if user
-      session[:user_exuid] = user.to_param
-    else
-      session.delete :user_exuid
-    end
-  end  
+  attr_accessor :current_user
 end  # module Authpwn::CurrentUser
 
 end  # namespace Authpwn

data/lib/authpwn_rails/engine.rb

@@ -8,11 +8,11 @@ class Engine < Rails::Engine
   generators do
     require 'authpwn_rails/generators/all_generator.rb'
   end
-  
+
   initializer 'authpwn.rspec.extensions' do
     begin
       require 'rspec'
-      
+
       RSpec.configure do |c|
         c.include Authpwn::TestExtensions
         c.include Authpwn::ControllerTestExtensions

data/lib/authpwn_rails/expires.rb

@@ -0,0 +1,23 @@
+# :nodoc: namespace
+module Authpwn
+
+# Common code for credentials that expire.
+module Expires
+  extend ActiveSupport::Concern
+
+  included do
+    # Number of seconds after which a credential becomes unusable.
+    #
+    # Users can reset this timer by updating their credentials, e.g. changing
+    # their password.
+    class_attribute :expires_after, :instance_writer => false
+  end
+
+  # True if this password is too old and should not be used for authentication.
+  def expired?
+    return false unless expires_after
+    updated_at < Time.now - expires_after
+  end
+end  # module Authpwn::Expires
+
+end  # namespace Authpwn

data/lib/authpwn_rails/generators/all_generator.rb

@@ -11,7 +11,7 @@ class AllGenerator < Rails::Generators::Base
         File.join('db', 'migrate', '20100725000001_create_users.rb')
     copy_file 'users.yml', File.join('test', 'fixtures', 'users.yml')
   end
-  
+
   def create_credential_model
     copy_file 'credential.rb', File.join('app', 'models', 'credential.rb')
     copy_file '003_create_credentials.rb',
@@ -19,17 +19,17 @@ class AllGenerator < Rails::Generators::Base
     copy_file 'credentials.yml',
         File.join('test', 'fixtures', 'credentials.yml')
   end
-  
+
   def create_session_controller
     copy_file 'session_controller.rb',
-              File.join('app', 'controllers', 'session_controller.rb')    
+              File.join('app', 'controllers', 'session_controller.rb')
     copy_file File.join('session_controller_test.rb'),
               File.join('test', 'functional', 'session_controller_test.rb')
 
     route "authpwn_session"
     route "root :to => 'session#show'"
   end
-  
+
   def create_session_views
     copy_file File.join('session', 'forbidden.html.erb'),
               File.join('app', 'views', 'session', 'forbidden.html.erb')
@@ -58,6 +58,11 @@ class AllGenerator < Rails::Generators::Base
               File.join('app', 'views', 'session_mailer',
                         'reset_password_email.text.erb')
   end
+
+  def create_initializer
+    copy_file 'initializer.rb',
+              File.join('config', 'initializers', 'authpwn.rb')
+  end
 end  # class Authpwn::AllGenerator
 
 end  # namespace Authpwn

data/lib/authpwn_rails/generators/templates/credential.rb

@@ -9,5 +9,5 @@ end
 module Credentials
 
 # Add your custom Credential types here.
-  
+
 end

data/lib/authpwn_rails/generators/templates/credentials.yml

@@ -53,3 +53,19 @@ jane_password_token:
   user: jane
   type: Tokens::PasswordReset
   name: nbMLTKN18tYy9plBAbsrwT6zdE2jZqoKPk6Ze4lHMSQ
+
+john_session_token:
+  user: john
+  type: Tokens::SessionUid
+  name: iyHvfTnYoF1f1jL9Vnb55hnXobf2Ld6HxIW-PXya6dw
+  key: <%= { :browser_ip => '18.241.1.121',
+             :browser_ua => 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1'
+           }.to_yaml.inspect %>
+
+jane_session_token:
+  user: jane
+  type: Tokens::SessionUid
+  name: sNIfh6UavUSceL0TpubJ-DnZRuxPSTAddoHBb-twEIg
+  key: <%= { :browser_ip => '18.70.0.160',
+             :browser_ua => 'Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1'
+           }.to_yaml.inspect %>

data/lib/authpwn_rails/generators/templates/initializer.rb

@@ -0,0 +1,18 @@
+# Tweak the password expiration interval, or comment out the line to disable
+# password expiration altogether.
+#
+# NOTE: when a user's password expires, he will need to use the password reset
+# flow, which relies on e-mail delivery. If your application doesn't implement
+# password reset, or doesn't have working e-mail delivery, disable password
+# expiration.
+Credentials::Password.expires_after = 1.year
+
+# These codes are sent in plaintext in e-mails, be somewhat aggressive.
+Tokens::EmailVerification.expires_after = 3.days
+Tokens::PasswordReset.expires_after = 3.days
+
+# Users are identified by cookies whose codes are looked up in the database.
+Tokens::SessionUid.expires_after = 14.days
+# This knob is a compromise between accurate session expiration and write
+# workload on the database. Keep it below 1% of expires_after.
+Tokens::SessionUid.updates_after = 1.hour

data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb

@@ -7,7 +7,7 @@
   You should inform the user that they are logged in as
   <%= current_user.exuid %> and suggest them to
   <%= link_to 'Log out', session_path, :method => :delete %> and log in as a
-  different user.  
+  different user.
 </p>
 <% else %>
 <p>

data/lib/authpwn_rails/generators/templates/session/home.html.erb

@@ -1,5 +1,5 @@
 <p>
-  This view gets displayed when the user is logged in. Right now, 
+  This view gets displayed when the user is logged in. Right now,
   user <%= current_user.exuid %> is logged in. You should allow the user to
   <%= link_to 'Log out', session_path, :method => :delete %>.
 </p>