authpwn_rails 0.3.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,24 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## ECLIPSE
+.loadpath
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/.project

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>pwnauth_rails</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.rubypeople.rdt.core.rubybuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.rubypeople.rdt.core.rubynature</nature>
+	</natures>
+</projectDescription>

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Victor Costan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,21 @@
+= mini_auth_rails
+
+User authentication for a Ruby on Rails 3 application. Works with Facebook.
+
+== Integration
+
+TBD
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Victor Costan, released under the MIT license

data/Rakefile

@@ -0,0 +1,57 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "authpwn_rails"
+    gem.summary = %Q{User authentication for Rails 3 applications.}
+    gem.description = %Q{Works with Facebook.}
+    gem.email = "victor@costan.us"
+    gem.homepage = "http://github.com/costan/mini_auth_rails"
+    gem.authors = ["Victor Costan"]
+    gem.add_runtime_dependency "fbgraph_rails", ">= 0.1.3"
+    gem.add_development_dependency "activerecord", ">= 3.0.0.rc"
+    gem.add_development_dependency "actionpack", ">= 3.0.0.rc"
+    gem.add_development_dependency "activesupport", ">= 3.0.0.rc"
+    gem.add_development_dependency "sqlite3-ruby", ">= 1.3.0"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+task :test => :check_dependencies
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "authpwn_rails #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.3.0

data/app/controllers/session_controller.rb

@@ -0,0 +1,10 @@
+# Manages logging in and out of the application.
+class SessionController < ApplicationController
+  authenticates_using_session
+
+  # DELETE /session
+  def destroy
+    self.current_user = nil
+    redirect_to root_url
+  end
+end

data/app/helpers/session_helper.rb

@@ -0,0 +1,4 @@
+module SessionHelper
+  # The user currently logged in. Nil if no user is logged in.
+  attr_reader :current_user
+end

data/app/models/facebook_token.rb

@@ -0,0 +1,47 @@
+require 'active_record'
+
+
+# Wraps an OAuth2 access token for Facebook.
+class FacebookToken < ActiveRecord::Base
+  # The user whose token this is.
+  belongs_to :user
+  validates :user, :presence => true
+  
+  # A unique ID on the Facebook site for the user owning this token.
+  validates :external_uid, :length => 1..32, :presence => true
+
+  # The OAuth2 access token.
+  validates :access_token, :length => 1..128, :presence => true
+  
+  # FBGraph client loaded with this access token.
+  def facebook_client
+    @client ||= FBGraphRails.fbclient(access_token)    
+  end  
+  
+  # Finds or creates the model containing a token.
+  #
+  # If a model for the same user exists, the model is updated with the given
+  # token. Otherwise, a new model will be created, together with a user.
+  def self.for(access_token)
+    uid = uid_from_token access_token
+    token = self.where(:external_uid => uid).first
+    if token
+      token.access_token = access_token
+    else
+      token = FacebookToken.new :external_uid => uid,
+                                :access_token => access_token
+      token.user = User.create_with_facebook_token token
+    end
+    token.save!
+    token
+  end
+  
+  # Extracts the Facebook user ID from a OAuth2 token.
+  #
+  # This is a hack. It works based on the current format, but might break at any
+  # time. Hopefully, we'll eventually have an official way of pulling the UID
+  # out of an OAuth2 token.
+  def self.uid_from_token(access_token)
+    access_token.split('|')[1].split('-').last
+  end
+end

data/app/models/user.rb

@@ -0,0 +1,70 @@
+require 'active_record'
+
+
+# An user account.
+class User < ActiveRecord::Base
+  # E-mail address identifying the user account.
+  validates :email, :format => /^[A-Za-z0-9.+_]+@[^@]*\.(\w+)$/,
+                    :presence => true, :length => 1..64, :uniqueness => true
+  
+  # Random string preventing dictionary attacks on the password database.
+  validates :password_salt, :length => 1..16, :allow_nil => true
+  
+  # SHA-256 of (salt + password).
+  validates :password_hash, :length => 1..64, :allow_nil => true
+    
+  # Virtual attribute: the user's password.
+  attr_reader :password
+  validates :password, :confirmation => true
+  def password=(new_password)
+    @password = new_password
+    self.password_salt = self.class.random_salt
+    self.password_hash = self.class.hash_password new_password, password_salt
+  end
+  
+  # Virtual attribute: confirmation for the user's password.
+  attr_accessor :password_confirmation
+  validates_confirmation_of :password
+  
+  # The authenticated user or nil.
+  def self.find_by_email_and_password(email, password)
+    @user = User.where(:email => email).first
+    (@user && @user.password_matches?(password)) ? @user : nil
+  end
+  
+  # Compares the given password against the user's stored password.
+  #
+  # Returns +true+ for a match, +false+ otherwise.
+  def password_matches?(passwd)
+    password_hash == User.hash_password(passwd, password_salt)
+  end  
+  
+  # Computes a password hash from a raw password and a salt.
+  def self.hash_password(password, salt)
+    Digest::SHA2.hexdigest(password + salt)
+  end
+  
+  # Generates a random salt value.
+  def self.random_salt
+    (0...16).map { |i| 1 + rand(255) }.pack('C*')
+  end    
+  
+  # Resets the virtual password attributes.
+  def reset_password
+    @password = @password_confirmation = nil
+  end
+  
+  
+  # Fills out a new user's information based on a Facebook access token.
+  def self.create_with_facebook_token(token)
+    self.create :email => "#{token.external_uid}@graph.facebook.com"
+  end
+  
+  # The user that owns a given Facebook OAuth2 token.
+  #
+  # A new user will be created if the token doesn't belong to any user. This is
+  # the case for a new visitor.
+  def self.for_facebook_token(access_token)
+    FacebookToken.for(access_token).user
+  end  
+end

data/authpwn_rails.gemspec

@@ -0,0 +1,99 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{authpwn_rails}
+  s.version = "0.3.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Victor Costan"]
+  s.date = %q{2010-08-02}
+  s.description = %q{Works with Facebook.}
+  s.email = %q{victor@costan.us}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     ".project",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "app/controllers/session_controller.rb",
+     "app/helpers/session_helper.rb",
+     "app/models/facebook_token.rb",
+     "app/models/user.rb",
+     "authpwn_rails.gemspec",
+     "config/routes.rb",
+     "lib/authpwn_rails.rb",
+     "lib/authpwn_rails/engine.rb",
+     "lib/authpwn_rails/facebook_token.rb",
+     "lib/authpwn_rails/generators/facebook_migration_generator.rb",
+     "lib/authpwn_rails/generators/templates/001_create_users.rb",
+     "lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb",
+     "lib/authpwn_rails/generators/templates/facebook_token.rb",
+     "lib/authpwn_rails/generators/templates/facebook_tokens.yml",
+     "lib/authpwn_rails/generators/templates/user.rb",
+     "lib/authpwn_rails/generators/templates/users.yml",
+     "lib/authpwn_rails/generators/user_migration_generator.rb",
+     "lib/authpwn_rails/session.rb",
+     "test/cookie_controller_test.rb",
+     "test/facebook_controller_test.rb",
+     "test/facebook_token_test.rb",
+     "test/helpers/application_controller.rb",
+     "test/helpers/db_setup.rb",
+     "test/helpers/fbgraph.rb",
+     "test/helpers/routes.rb",
+     "test/session_controller_test.rb",
+     "test/test_helper.rb",
+     "test/user_test.rb"
+  ]
+  s.homepage = %q{http://github.com/costan/mini_auth_rails}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.7}
+  s.summary = %q{User authentication for Rails 3 applications.}
+  s.test_files = [
+    "test/facebook_token_test.rb",
+     "test/user_test.rb",
+     "test/cookie_controller_test.rb",
+     "test/test_helper.rb",
+     "test/facebook_controller_test.rb",
+     "test/session_controller_test.rb",
+     "test/helpers/application_controller.rb",
+     "test/helpers/routes.rb",
+     "test/helpers/fbgraph.rb",
+     "test/helpers/db_setup.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<fbgraph_rails>, [">= 0.1.3"])
+      s.add_development_dependency(%q<activerecord>, [">= 3.0.0.rc"])
+      s.add_development_dependency(%q<actionpack>, [">= 3.0.0.rc"])
+      s.add_development_dependency(%q<activesupport>, [">= 3.0.0.rc"])
+      s.add_development_dependency(%q<sqlite3-ruby>, [">= 1.3.0"])
+    else
+      s.add_dependency(%q<fbgraph_rails>, [">= 0.1.3"])
+      s.add_dependency(%q<activerecord>, [">= 3.0.0.rc"])
+      s.add_dependency(%q<actionpack>, [">= 3.0.0.rc"])
+      s.add_dependency(%q<activesupport>, [">= 3.0.0.rc"])
+      s.add_dependency(%q<sqlite3-ruby>, [">= 1.3.0"])
+    end
+  else
+    s.add_dependency(%q<fbgraph_rails>, [">= 0.1.3"])
+    s.add_dependency(%q<activerecord>, [">= 3.0.0.rc"])
+    s.add_dependency(%q<actionpack>, [">= 3.0.0.rc"])
+    s.add_dependency(%q<activesupport>, [">= 3.0.0.rc"])
+    s.add_dependency(%q<sqlite3-ruby>, [">= 1.3.0"])
+  end
+end
+

data/config/routes.rb

@@ -0,0 +1,3 @@
+Rails::Application.routes.draw do |map|
+  resource :session, :controller => 'session'
+end

data/lib/authpwn_rails/engine.rb

@@ -0,0 +1,25 @@
+require 'mini_auth_rails'
+require 'rails'
+
+# :nodoc: namespace
+module AuthpwnRails
+
+class Engine < Rails::Engine
+  paths.app                 = "app"
+  paths.app.controllers     = "app/controllers"
+  paths.app.helpers         = "app/helpers"
+  paths.app.models          = "app/models"
+  paths.app.views           = "app/views"
+  # paths.lib                 = "lib"
+  # paths.lib.tasks           = "lib/tasks"
+  # paths.config              = "config"
+  # paths.config.initializers = "config/initializers"
+  # paths.config.locales      = "config/locales"
+  paths.config.routes       = "config/routes.rb"
+  
+  def generators
+    require 'mini_auth_rails/generators/user_model_generator.rb'
+  end
+end  # class AuthpwnRails::Engine
+
+end  # namespace AuthpwnRails

data/lib/authpwn_rails/facebook_token.rb

@@ -0,0 +1,44 @@
+require 'action_controller'
+
+# :nodoc: namespace
+module AuthpwnRails
+
+# :nodoc: namespace
+module FacebookToken
+
+# Mixed into ActiveController::Base
+module ControllerMixin
+  def self.included(base)
+    base.send :extend, ControllerClassMethods
+  end
+end
+
+# Methods here become ActiveController::Base class methods.
+module ControllerClassMethods  
+  # Authenticates users via Facebook OAuth2, using fbgraph_rails.
+  #
+  # The User model class must implement for_facebook_token. The controller
+  # should obtain the Facebook token, using probes_facebook_access_token or
+  # requires_facebook_access_token.
+  def authenticates_using_facebook(options = {})
+    include ControllerInstanceMethods
+    before_filter :authenticate_using_facebook_access_token, options
+  end
+end
+
+# Included in controllers that call authenticates_using_facebook.
+module ControllerInstanceMethods
+  def authenticate_using_facebook_access_token
+    return true if current_user
+    if access_token = current_facebook_access_token
+      self.current_user = User.for_facebook_token access_token
+    end
+  end
+  private :authenticate_using_facebook_access_token
+end
+
+ActionController::Base.send :include, ControllerMixin
+
+end  # namespace AuthpwnRails::FacebookToken
+
+end  # namespace AuthpwnRails

data/lib/authpwn_rails/generators/facebook_migration_generator.rb

@@ -0,0 +1,17 @@
+# :nodoc: namespace
+module AuthpwnRails
+
+
+class FacebookMigrationGenerator < Rails::Generators::Base
+  source_root File.expand_path("../templates", __FILE__)
+
+  def create_session_model
+    template 'facebook_token.rb',
+             File.join('app/models', class_path, 'facebook_token.rb')
+    template '002_create_facebook_tokens.rb',
+        File.join('db/migrations', '20100725000002_create_facebook_tokens.rb')
+    template 'facebook_tokens.yml', File.join('test/fixtures', 'facebook_tokens.yml')
+  end
+end  # class AuthpwnRails::UserMigrationGenerator
+
+end  # namespace AuthpwnRails

data/lib/authpwn_rails/generators/templates/001_create_users.rb

@@ -0,0 +1,17 @@
+class CreateUsers < ActiveRecord::Migration
+  def self.up
+    create_table :users do |t|
+      t.string :email, :limit => 64, :null => false
+      t.string :password_salt, :limit => 16, :null => true
+      t.string :password_hash, :limit => 64, :null => true
+      
+      t.timestamps
+    end
+    
+    add_index :users, :email, :unique => true, :null => false
+  end
+
+  def self.down
+    drop_table :users
+  end
+end

data/lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb

@@ -0,0 +1,15 @@
+class CreateFacebookTokens < ActiveRecord::Migration
+  def self.up
+    create_table :facebook_tokens do |t|
+      t.integer :user_id, :null => false
+      t.string :external_uid, :limit => 32, :null => false
+      t.string :access_token, :limit => 128, :null => false
+    end
+    
+    add_index :facebook_tokens, :external_uid, :unique => true, :null => false
+  end
+
+  def self.down
+    drop_table :facebook_tokens
+  end
+end

data/lib/authpwn_rails/generators/templates/facebook_token.rb

@@ -0,0 +1,5 @@
+# :nodoc: extensions
+class FacebookToken
+  # Add your extensions to the FacebookToken class here.
+  
+end

data/lib/authpwn_rails/generators/templates/facebook_tokens.yml

@@ -0,0 +1,10 @@
+# Test account vic.tor@costan.us
+jane:
+  user: jane
+  external_uid: 100001181310542
+  access_token: 125502267478972|d2ecea6d763d2fb17cfa70fa-100001181310542|h849k0nQBq4FkAVEGVgeyoSd_RA.
+
+john:
+  user: john
+  external_uid: 702659
+  access_token: 702659|ffffffffffffffffffffffff-702659|ZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

data/lib/authpwn_rails/generators/templates/user.rb

@@ -0,0 +1,5 @@
+# :nodoc: extensions
+class User
+  # Add your extensions to the User class here.
+  
+end

data/lib/authpwn_rails/generators/templates/users.yml

@@ -0,0 +1,9 @@
+jane:
+  email: jane@gmail.com
+  password_salt: 5678
+  password_hash: <%= User.hash_password('pa55w0rd', '5678').inspect %>
+
+john:
+  email: john@gmail.com
+  password_salt: 1234
+  password_hash: <%= User.hash_password('password', '1234').inspect %>

data/lib/authpwn_rails/generators/user_migration_generator.rb

@@ -0,0 +1,17 @@
+# :nodoc: namespace
+module AuthpwnRails
+
+
+class UserMigrationGenerator < Rails::Generators::Base
+  source_root File.expand_path("../templates", __FILE__)
+
+  def create_session_model
+    template 'user_token.rb',
+             File.join('app/models', class_path, 'user.rb')
+    template '001_create_users.rb',
+        File.join('db/migrations', '20100725000001_create_users.rb')
+    template 'users.yml', File.join('test/fixtures', 'users.yml')
+  end
+end  # class AuthpwnRails::UserMigrationGenerator
+
+end  # namespace AuthpwnRails

data/lib/authpwn_rails/session.rb

@@ -0,0 +1,63 @@
+require 'action_controller'
+
+# :nodoc: namespace
+module AuthpwnRails
+
+# :nodoc: namespace
+module Session
+
+# Mixed into ActiveController::Base
+module ControllerMixin
+  def self.included(base)
+    base.send :extend, ControllerClassMethods
+  end
+end
+
+# Methods here become ActiveController::Base class methods.
+module ControllerClassMethods  
+  # Keeps track of the currently authenticated user via the session. 
+  #
+  # Assumes the existence of a User model. A bare ActiveModel model will do the
+  # trick. Model instances must implement id, and the model class must implement
+  # find_by_id.
+  def authenticates_using_session(options = {})
+    include ControllerInstanceMethods
+    before_filter :authenticate_using_session, options   
+  end
+end
+
+# Included in controllers that call authenticates_using_session.
+module ControllerInstanceMethods
+  attr_reader :current_user
+  
+  def current_user=(user)
+    @current_user = user
+    if user
+      session[:current_user_id] = user.id
+    else
+      session.delete :current_user_id
+    end
+  end  
+
+  def authenticate_using_session
+    return true if current_user
+    user_id = session[:current_user_id]
+    user = user_id && User.find_by_id(user_id)
+    self.current_user = user if user
+  end
+  private :authenticate_using_session  
+end
+
+ActionController::Base.send :include, ControllerMixin
+
+# :nodoc: add session modification
+class ActionController::TestCase
+  # Sets the authenticated user in the test session.
+  def set_session_current_user(user)
+    request.session[:current_user_id] = user ? user.id : nil
+  end
+end
+
+end  # namespace AuthpwnRails::Session
+
+end  # namespace AuthpwnRails

data/lib/authpwn_rails.rb

@@ -0,0 +1,15 @@
+# :nodoc: namespace
+module AuthpwnRails
+end
+
+require 'authpwn_rails/facebook_token.rb'
+require 'authpwn_rails/session.rb'
+
+if defined?(Rails)
+  require 'authpwn_rails/engine.rb'
+
+  # HACK(costan): this works around a known Rails bug
+  #     https://rails.lighthouseapp.com/projects/8994/tickets/1905-apphelpers-within-plugin-not-being-mixed-in
+  require File.expand_path('../../app/helpers/session_helper.rb', __FILE__)
+  ActionController::Base.helper SessionHelper
+end

data/test/cookie_controller_test.rb

@@ -0,0 +1,41 @@
+require File.expand_path('../test_helper', __FILE__)
+
+# Mock controller used for testing session handling.
+class CookieController < ApplicationController
+  authenticates_using_session
+    
+  def show
+    if current_user
+      render :text => "User: #{current_user.id}"
+    else
+      render :text => "No user"
+    end
+  end
+end
+
+class CookieControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:john)
+  end
+
+  test "no user_id in session" do
+    get :show
+    assert_response :success
+    assert_nil assigns(:current_user)
+    assert_equal 'No user', response.body
+  end
+  
+  test "valid user_id in session" do
+    set_session_current_user @user
+    get :show
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+    assert_equal "User: #{Fixtures.identify(:john)}", response.body
+  end
+  
+  test "invalid user_id in session" do
+    get :show, {}, :current_user_id => 999
+    assert_response :success
+    assert_nil assigns(:current_user)
+  end
+end

data/test/facebook_controller_test.rb

@@ -0,0 +1,43 @@
+require File.expand_path('../test_helper', __FILE__)
+
+# Mock controller used for testing session handling.
+class FacebookController < ApplicationController
+  authenticates_using_session
+  probes_facebook_access_token
+  authenticates_using_facebook
+  
+  def show
+    if current_user
+      render :text => "User: #{current_user.id}"
+    else
+      render :text => "No user"
+    end
+  end
+end
+
+class FacebookControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:john)
+    @new_token = 'facebook:new_token|boom'
+  end
+
+  test "no facebook token" do
+    get :show
+    assert_response :success
+    assert_nil assigns(:current_user)
+  end
+  
+  test "facebook token for existing user" do
+    set_session_current_facebook_token facebook_tokens(:john).access_token
+    get :show, {}
+    assert_response :success
+    assert_equal @user, assigns(:current_user)
+  end
+  
+  test "new facebook token" do    
+    set_session_current_facebook_token @new_token
+    get :show, {}
+    assert_response :success
+    assert !(@user == assigns(:current_user))
+  end
+end

data/test/facebook_token_test.rb

@@ -0,0 +1,28 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class FacebookTokenTest < ActiveSupport::TestCase
+  setup do
+    @code = '125502267478972|057806abb79e632e0f7dde62-100001181310542|y5SoPVcXoEl214vfs--F3y-Z0Xk.'
+  end
+  
+  test "uid_from_token" do
+    assert_equal '100001181310542', FacebookToken.uid_from_token(@code)
+  end
+  
+  test "for with existing access token" do
+    assert_equal facebook_tokens(:jane), FacebookToken.for(@code),
+                 'Wrong token'
+    assert_equal @code, facebook_tokens(:jane).reload.access_token,
+                 'Token not refreshed'
+  end
+  
+  test "for with new access token" do
+    token = nil
+    assert_difference 'FacebookToken.count', 1 do      
+      token = FacebookToken.for @code.gsub('100001181310542', '3141592')
+    end
+    assert_equal '3141592@graph.facebook.com', token.user.email
+    assert !token.new_record?, 'New token not saved'
+    assert !token.user.new_record?, "New token's user not saved"    
+  end
+end

data/test/helpers/application_controller.rb

@@ -0,0 +1,3 @@
+# :nodoc: stubbed, because controllers inherit from it
+class ApplicationController < ActionController::Base
+end

data/test/helpers/db_setup.rb

@@ -0,0 +1,25 @@
+ActiveRecord::Base.establish_connection :adapter => 'sqlite3',
+                                        :database => ':memory:'
+ActiveRecord::Base.configurations = true
+
+ActiveRecord::Migration.verbose = false
+require 'authpwn_rails/generators/templates/001_create_users.rb'
+CreateUsers.up
+require 'authpwn_rails/generators/templates/002_create_facebook_tokens.rb'
+CreateFacebookTokens.up
+
+require File.expand_path('../../../app/models/facebook_token.rb', __FILE__)
+require File.expand_path('../../../app/models/user.rb', __FILE__)
+
+# :nodoc: open TestCase to setup fixtures
+class ActiveSupport::TestCase
+  include ActiveRecord::TestFixtures
+  
+  self.fixture_path =
+      File.expand_path '../../../lib/authpwn_rails/generators/templates',
+                       __FILE__
+  self.use_transactional_fixtures = false
+  self.use_instantiated_fixtures  = false
+  self.pre_loaded_fixtures = false
+  fixtures :all
+end

data/test/helpers/fbgraph.rb

@@ -0,0 +1,6 @@
+# :nodoc: stub FBGraphRails.config because it depends on Rails.root
+module FBGraphRails
+  def self.config
+    { 'id' => '12345', 'secret' => 'awesome', 'scope' => []}
+  end
+end

data/test/helpers/routes.rb

@@ -0,0 +1,15 @@
+# :nodoc: the routes used in all tests
+class ActionController::TestCase
+  def setup_routes
+    @routes = ActionController::Routing::RouteSet.new
+    @routes.draw do
+      resource :cookie, :controller => 'cookie'
+      resource :facebook, :controller => 'facebook'
+      resource :session, :controller => 'session'
+      root :to => 'session#index'
+    end
+    ApplicationController.send :include, @routes.url_helpers
+  end
+  
+  setup :setup_routes
+end

data/test/session_controller_test.rb

@@ -0,0 +1,17 @@
+require File.expand_path('../test_helper', __FILE__)
+
+require File.expand_path('../../app/controllers/session_controller', __FILE__)
+
+class SessionControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:john)
+  end
+
+  test "logout" do
+    set_session_current_user @user
+    delete :destroy
+    
+    assert_redirected_to root_url
+    assert_nil assigns(:current_user)
+  end  
+end

data/test/test_helper.rb

@@ -0,0 +1,17 @@
+require 'rubygems'
+require 'test/unit'
+
+require 'action_pack'
+require 'active_record'
+require 'active_support'
+
+require 'fbgraph_rails'
+require 'fbgraph_rails/controller'
+require 'sqlite3'
+
+require 'authpwn_rails'
+
+require 'helpers/application_controller.rb'
+require 'helpers/db_setup.rb'
+require 'helpers/fbgraph.rb'
+require 'helpers/routes.rb'

data/test/user_test.rb

@@ -0,0 +1,88 @@
+require File.expand_path('../test_helper', __FILE__)
+
+class UserTest < ActiveSupport::TestCase  
+  def setup
+    @user = User.new :password => 'awesome',
+                     :password_confirmation => 'awesome',
+                     :email => 'dvdjohn@mit.edu'
+  end
+  
+  test 'password_salt not required' do
+    @user.password_salt = nil
+    assert @user.valid?
+  end
+  
+  test 'password_salt length' do
+    @user.password_salt = '12345' * 4
+    assert !@user.valid?, 'Long salt'
+    @user.password_salt = ''
+    assert !@user.valid?, 'Empty salt'
+  end
+  
+  test 'password_hash not required' do
+    @user.password_hash = nil
+    assert @user.valid?
+  end
+  
+  test 'password_hash length' do
+    @user.password_hash = '12345' * 13
+    assert !@user.valid?, 'Long hash'
+    @user.password_hash = ''
+    assert !@user.valid?, 'Empty hash'
+  end
+  
+  test 'email presence' do
+    @user.email = nil
+    assert !@user.valid?
+  end
+  
+  test 'email length' do
+    @user.email = 'abcde' * 12 + '@mit.edu'
+    assert !@user.valid?, 'Overly long user name'
+  end
+  
+  test 'email format' do
+    ['cos tan@gmail.com', 'costan@x@mit.edu'].each do |email|
+      @user.email = email
+      assert !@user.valid?, "Bad email format - #{name}"
+    end    
+  end
+  
+  test 'email uniqueness' do
+    @user.email = users(:john).email
+    assert !@user.valid?
+  end
+  
+  test 'password not required' do
+    @user.reset_password
+    assert @user.valid?
+  end
+  
+  test 'password confirmation' do
+    @user.password_confirmation = 'not awesome'
+    assert !@user.valid?
+  end
+  
+  test 'password_matches?' do
+    assert_equal true, @user.password_matches?('awesome')
+    assert_equal false, @user.password_matches?('not awesome'), 'Bogus password'
+    assert_equal false, @user.password_matches?('password'),
+                 "Another user's password" 
+  end
+  
+  test 'find_by_email_and_password' do
+    assert_equal users(:john),
+        User.find_by_email_and_password('john@gmail.com', 'password')
+    assert_equal nil,
+        User.find_by_email_and_password('john@gmail.com', 'pa55w0rd'),
+        "Jane's password on John's account"
+    assert_equal users(:jane),
+        User.find_by_email_and_password('jane@gmail.com', 'pa55w0rd')
+    assert_equal nil,
+        User.find_by_email_and_password('jane@gmail.com', 'password'),
+        "John's password on Jane's account"
+    assert_equal nil,
+        User.find_by_email_and_password('john@gmail.com', 'awesome'),
+        'Bogus password'
+  end
+end

metadata

@@ -0,0 +1,193 @@
+--- !ruby/object:Gem::Specification 
+name: authpwn_rails
+version: !ruby/object:Gem::Version 
+  hash: 19
+  prerelease: false
+  segments: 
+  - 0
+  - 3
+  - 0
+  version: 0.3.0
+platform: ruby
+authors: 
+- Victor Costan
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-08-02 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: fbgraph_rails
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 29
+        segments: 
+        - 0
+        - 1
+        - 3
+        version: 0.1.3
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activerecord
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 7712042
+        segments: 
+        - 3
+        - 0
+        - 0
+        - rc
+        version: 3.0.0.rc
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: actionpack
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 7712042
+        segments: 
+        - 3
+        - 0
+        - 0
+        - rc
+        version: 3.0.0.rc
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 7712042
+        segments: 
+        - 3
+        - 0
+        - 0
+        - rc
+        version: 3.0.0.rc
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: sqlite3-ruby
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 1
+        - 3
+        - 0
+        version: 1.3.0
+  type: :development
+  version_requirements: *id005
+description: Works with Facebook.
+email: victor@costan.us
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- .project
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- app/controllers/session_controller.rb
+- app/helpers/session_helper.rb
+- app/models/facebook_token.rb
+- app/models/user.rb
+- authpwn_rails.gemspec
+- config/routes.rb
+- lib/authpwn_rails.rb
+- lib/authpwn_rails/engine.rb
+- lib/authpwn_rails/facebook_token.rb
+- lib/authpwn_rails/generators/facebook_migration_generator.rb
+- lib/authpwn_rails/generators/templates/001_create_users.rb
+- lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb
+- lib/authpwn_rails/generators/templates/facebook_token.rb
+- lib/authpwn_rails/generators/templates/facebook_tokens.yml
+- lib/authpwn_rails/generators/templates/user.rb
+- lib/authpwn_rails/generators/templates/users.yml
+- lib/authpwn_rails/generators/user_migration_generator.rb
+- lib/authpwn_rails/session.rb
+- test/cookie_controller_test.rb
+- test/facebook_controller_test.rb
+- test/facebook_token_test.rb
+- test/helpers/application_controller.rb
+- test/helpers/db_setup.rb
+- test/helpers/fbgraph.rb
+- test/helpers/routes.rb
+- test/session_controller_test.rb
+- test/test_helper.rb
+- test/user_test.rb
+has_rdoc: true
+homepage: http://github.com/costan/mini_auth_rails
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: User authentication for Rails 3 applications.
+test_files: 
+- test/facebook_token_test.rb
+- test/user_test.rb
+- test/cookie_controller_test.rb
+- test/test_helper.rb
+- test/facebook_controller_test.rb
+- test/session_controller_test.rb
+- test/helpers/application_controller.rb
+- test/helpers/routes.rb
+- test/helpers/fbgraph.rb
+- test/helpers/db_setup.rb