authpwn_rails 0.5.6 → 0.6.0
- data/VERSION +1 -1
- data/authpwn_rails.gemspec +3 -2
- data/lib/authpwn_rails/generators/session_generator.rb +2 -0
- data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb +20 -0
- data/lib/authpwn_rails/generators/templates/session/new.html.erb +11 -0
- data/lib/authpwn_rails/session.rb +24 -3
- data/test/cookie_controller_test.rb +20 -0
- data/test/helpers/routes.rb +3 -1
- data/test/session_controller_api_test.rb +27 -1
- metadata +4 -3
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
0.
|
1
|
+
0.6.0
|
data/authpwn_rails.gemspec
CHANGED
@@ -5,11 +5,11 @@
|
|
5
5
|
|
6
6
|
Gem::Specification.new do |s|
|
7
7
|
s.name = %q{authpwn_rails}
|
8
|
-
s.version = "0.
|
8
|
+
s.version = "0.6.0"
|
9
9
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
11
11
|
s.authors = ["Victor Costan"]
|
12
|
-
s.date = %q{2010-11-
|
12
|
+
s.date = %q{2010-11-25}
|
13
13
|
s.description = %q{Works with Facebook.}
|
14
14
|
s.email = %q{victor@costan.us}
|
15
15
|
s.extra_rdoc_files = [
|
@@ -34,6 +34,7 @@ Gem::Specification.new do |s|
|
|
34
34
|
"lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb",
|
35
35
|
"lib/authpwn_rails/generators/templates/facebook_token.rb",
|
36
36
|
"lib/authpwn_rails/generators/templates/facebook_tokens.yml",
|
37
|
+
"lib/authpwn_rails/generators/templates/session/forbidden.html.erb",
|
37
38
|
"lib/authpwn_rails/generators/templates/session/home.html.erb",
|
38
39
|
"lib/authpwn_rails/generators/templates/session/new.html.erb",
|
39
40
|
"lib/authpwn_rails/generators/templates/session/welcome.html.erb",
|
@@ -8,6 +8,8 @@ class SessionGenerator < Rails::Generators::Base
|
|
8
8
|
def create_session
|
9
9
|
copy_file 'session_controller.rb',
|
10
10
|
File.join('app', 'controllers', 'session_controller.rb')
|
11
|
+
copy_file File.join('session', 'forbidden.html.erb'),
|
12
|
+
File.join('app', 'views', 'session', 'forbidden.html.erb')
|
11
13
|
copy_file File.join('session', 'home.html.erb'),
|
12
14
|
File.join('app', 'views', 'session', 'home.html.erb')
|
13
15
|
copy_file File.join('session', 'new.html.erb'),
|
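--- /dev/null
+++ b/data/lib/authpwn_rails/generators/templates/session/forbidden.html.erb
@@ -0,0 +1,20 @@
+<p>
+This view gets displayed when the user tries to access something forbidden.
+</p>
+
+<% if current_user %>
+<p>
+You should inform the user that they are logged in as
+<%= current_user.email %> and suggest them to
+<%= link_to 'Log out', session_path, :method => :destroy %> and log in as a
+different user.
+</p>
+<% else %>
+<p>
+The user will only see this if JavaScript is disabled. Ask them to
+<%= link_to 'Log in', new_session_path %>.
+</p>
+<script type="text/javascript">
+window.location = "<%= new_session_path %>";
+</script>
+<% end %>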
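--- a/data/lib/authpwn_rails/generators/templates/session/new.html.erb
+++ b/data/lib/authpwn_rails/generators/templates/session/new.html.erb
@@ -4,6 +4,13 @@
 <p class="notice"><%= flash[:notice] %></p>
 <% end %>
 
+<% if @redirect_url %>
+<p>
+We need you to log in before we can show you the page that you are trying to
+view.
+</p>
+<% end %>
+
 <%= form_for User.new, :url => session_path do |f| %>
 <div class="field">
 <%= f.label :email, 'Email Address' %><br />
@@ -17,5 +24,9 @@
 
 <div class="actions">
 <%= f.submit 'Log in' %>
+
+<% if @redirect_url %>
+<%= hidden_field_tag :redirect_url, @redirect_url %>
+<% end %>
 </div>
 <% end %>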
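--- a/data/lib/authpwn_rails/session.rb
+++ b/data/lib/authpwn_rails/session.rb
@@ -54,7 +54,24 @@ module ControllerInstanceMethods
 user = user_param && User.find_by_param(user_param)
 self.current_user = user if user
 end
-private :authenticate_using_session
+private :authenticate_using_session
+
+# Inform the user that their request is forbidden.
+#
+# If a user is logged on, this renders the session/forbidden view with a HTTP
+# 403 code.
+#
+# If no user is logged in, the user is redirected to session/new, and the
+# current request's URL is saved in flash[:auth_redirect_url].
+def bounce_user(redirect_url = request.url)
+@redirect_url = redirect_url
+if current_user
+render 'session/forbidden', :status => :forbidden
+else
+flash[:auth_redirect_url] = redirect_url
+render 'session/forbidden', :status => :forbidden
+end
+end
 end
 
 # Included in controllers that call authenticates_using_session.
@@ -62,6 +79,7 @@ module SessionControllerInstanceMethods
 # GET /session/new
 def new
 @user = User.new
+@redirect_url = flash[:auth_redirect_url]
 redirect_to session_url if current_user
 end
 
@@ -80,15 +98,18 @@ module SessionControllerInstanceMethods
 # POST /session
 def create
 @user = User.new params[:user]
+@redirect_url = params[:redirect_url] || session_url
 self.current_user =
 User.find_by_email_and_password @user.email, @user.password
 
 respond_to do |format|
 if current_user
-format.html { redirect_to
+format.html { redirect_to @redirect_url }
 else
 format.html do
-redirect_to new_session_url, :
+redirect_to new_session_url, :flash => {
+:notice => 'Invalid e-mail or password',
+:auth_redirect_url => @redirect_url }
 end
 end
 end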
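Review bot: In `create`, `@redirect_url = params[:redirect_url] || session_url` followed by `format.html { redirect_to @redirect_url }` follows whatever URL the client placed in the form, so a login link carrying `redirect_url=http://attacker.example/` sends the user off-site the moment they authenticate, and the failed-login branch round-trips the same value through `flash[:auth_redirect_url]` and the hidden field so it survives retries. Accept only targets on this host — a bare path, or an absolute URL whose host equals `request.host` (which is what `bounce_user`'s default `request.url` produces) — and fall back to `session_url` otherwise; the helper below does this and slots in as `safe_redirect_url(params[:redirect_url]) || session_url`. Separately, the comment on `bounce_user` in the first hunk says an anonymous user "is redirected to session/new", but both branches render `session/forbidden` with 403 and rely on the view's script to navigate, so either reword the comment to say that or `redirect_to new_session_url` in the else branch. The existing test that expects `http://authpwn.redirect.url` to be followed would need an on-host target after this change.
```ruby
    @user = User.new params[:user]
    @redirect_url = safe_redirect_url(params[:redirect_url]) || session_url
    # … unchanged: lookup of current_user and the respond_to block …

    # Returns url only when it stays on this host: a bare path, or an http(s)
    # URL whose host is request.host. Anything else (other hosts, "//host",
    # non-http schemes, unparseable input) yields nil so the caller falls back
    # to session_url. Keeps request.url from bounce_user valid as a target.
    def safe_redirect_url(url)
      return nil if url.blank?
      uri = URI.parse(url)
      return url if uri.scheme.nil? && uri.host.nil? && url.start_with?('/')
      return url if %w(http https).include?(uri.scheme) && uri.host == request.host
      nil
    rescue URI::InvalidURIError
      nil
    end
    private :safe_redirect_url
```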
|
@@ -11,6 +11,10 @@ class CookieController < ApplicationController
|
|
11
11
|
render :text => "No user"
|
12
12
|
end
|
13
13
|
end
|
14
|
+
|
15
|
+
def bouncer
|
16
|
+
bounce_user
|
17
|
+
end
|
14
18
|
end
|
15
19
|
|
16
20
|
class CookieControllerTest < ActionController::TestCase
|
@@ -38,4 +42,20 @@ class CookieControllerTest < ActionController::TestCase
|
|
38
42
|
assert_response :success
|
39
43
|
assert_nil assigns(:current_user)
|
40
44
|
end
|
45
|
+
|
46
|
+
test "valid user_id bounced" do
|
47
|
+
set_session_current_user @user
|
48
|
+
get :bouncer
|
49
|
+
assert_response :forbidden
|
50
|
+
assert_template 'session/forbidden'
|
51
|
+
end
|
52
|
+
|
53
|
+
test "no user_id bounced" do
|
54
|
+
get :bouncer
|
55
|
+
assert_response :forbidden
|
56
|
+
assert_template 'session/forbidden'
|
57
|
+
assert_equal bouncer_cookie_url, flash[:auth_redirect_url]
|
58
|
+
|
59
|
+
assert_select 'script', %r/.*window.location.*#{new_session_path}.*/
|
60
|
+
end
|
41
61
|
end
|
data/test/helpers/routes.rb
CHANGED
@@ -3,7 +3,9 @@ class ActionController::TestCase
|
|
3
3
|
def setup_routes
|
4
4
|
@routes = ActionController::Routing::RouteSet.new
|
5
5
|
@routes.draw do
|
6
|
-
resource :cookie, :controller => 'cookie'
|
6
|
+
resource :cookie, :controller => 'cookie' do
|
7
|
+
collection { get :bouncer }
|
8
|
+
end
|
7
9
|
resource :facebook, :controller => 'facebook'
|
8
10
|
# NOTE: this route should be kept in sync with the session template.
|
9
11
|
resource :session, :controller => 'session'
|
@@ -46,7 +46,17 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
46
46
|
assert_select 'input#user_password'
|
47
47
|
assert_select 'input[type=submit]'
|
48
48
|
end
|
49
|
-
end
|
49
|
+
end
|
50
|
+
|
51
|
+
test "new renders redirect_url when present in flash" do
|
52
|
+
url = 'http://authpwn.redirect.url'
|
53
|
+
get :new, {}, {}, { :auth_redirect_url => url }
|
54
|
+
assert_template :new
|
55
|
+
assert_equal url, assigns(:redirect_url), 'redirect_url should be set'
|
56
|
+
assert_select 'form' do
|
57
|
+
assert_select "input[name=redirect_url][value=#{url}]"
|
58
|
+
end
|
59
|
+
end
|
50
60
|
|
51
61
|
test "create logs in with good account details" do
|
52
62
|
post :create, :user => { :email => @user.email, :password => 'password' }
|
@@ -55,6 +65,13 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
55
65
|
assert_equal @user, session_current_user, 'session'
|
56
66
|
end
|
57
67
|
|
68
|
+
test "create redirects properly with good account details" do
|
69
|
+
url = 'http://authpwn.redirect.url'
|
70
|
+
post :create, :user => { :email => @user.email, :password => 'password' },
|
71
|
+
:redirect_url => url
|
72
|
+
assert_redirected_to url
|
73
|
+
end
|
74
|
+
|
58
75
|
test "create does not log in with bad password" do
|
59
76
|
post :create, :user => { :email => @user.email, :password => 'fail' }
|
60
77
|
assert_redirected_to new_session_url
|
@@ -63,6 +80,15 @@ class SessionControllerApiTest < ActionController::TestCase
|
|
63
80
|
assert_not_nil flash[:notice]
|
64
81
|
end
|
65
82
|
|
83
|
+
test "create maintains redirect_url for bad logins" do
|
84
|
+
url = 'http://authpwn.redirect.url'
|
85
|
+
post :create, :user => { :email => @user.email, :password => 'fail' },
|
86
|
+
:redirect_url => url
|
87
|
+
assert_redirected_to new_session_url
|
88
|
+
assert_not_nil flash[:notice]
|
89
|
+
assert_equal url, flash[:auth_redirect_url]
|
90
|
+
end
|
91
|
+
|
66
92
|
test "create does not log in with bad e-mail" do
|
67
93
|
post :create, :user => { :email => 'nobody@gmail.com', :password => 'no' }
|
68
94
|
assert_redirected_to new_session_url
|
metadata
CHANGED
@@ -5,9 +5,9 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
prerelease: false
|
6
6
|
segments:
|
7
7
|
- 0
|
8
|
-
- 5
|
9
8
|
- 6
|
10
|
-
|
9
|
+
- 0
|
10
|
+
version: 0.6.0
|
11
11
|
platform: ruby
|
12
12
|
authors:
|
13
13
|
- Victor Costan
|
@@ -15,7 +15,7 @@ autorequire:
|
|
15
15
|
bindir: bin
|
16
16
|
cert_chain: []
|
17
17
|
|
18
|
-
date: 2010-11-
|
18
|
+
date: 2010-11-25 00:00:00 -05:00
|
19
19
|
default_executable:
|
20
20
|
dependencies:
|
21
21
|
- !ruby/object:Gem::Dependency
|
@@ -93,6 +93,7 @@ files:
|
|
93
93
|
- lib/authpwn_rails/generators/templates/002_create_facebook_tokens.rb
|
94
94
|
- lib/authpwn_rails/generators/templates/facebook_token.rb
|
95
95
|
- lib/authpwn_rails/generators/templates/facebook_tokens.yml
|
96
|
+
- lib/authpwn_rails/generators/templates/session/forbidden.html.erb
|
96
97
|
- lib/authpwn_rails/generators/templates/session/home.html.erb
|
97
98
|
- lib/authpwn_rails/generators/templates/session/new.html.erb
|
98
99
|
- lib/authpwn_rails/generators/templates/session/welcome.html.erb
|