cb-sorcery 0.8.6

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -0,0 +1,81 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # The Remember Me submodule takes care of setting the user's cookie so that he will
+      # be automatically logged in to the site on every visit,
+      # until the cookie expires.
+      # See Sorcery::Model::Submodules::RememberMe for configuration options.
+      module RememberMe
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :remember_me_httponly
+              def merge_remember_me_defaults!
+                @defaults.merge!(:@remember_me_httponly => true)
+              end
+            end
+            merge_remember_me_defaults!
+          end
+          Config.login_sources << :login_from_cookie
+          Config.after_login << :remember_me_if_asked_to
+          Config.after_logout << :forget_me!
+        end
+
+        module InstanceMethods
+          # This method sets the cookie and calls the user to save the token and the expiration to db.
+          def remember_me!
+            current_user.remember_me!
+            set_remember_me_cookie!(current_user)
+          end
+
+          # Clears the cookie and clears the token from the db.
+          def forget_me!
+            current_user.forget_me!
+            cookies.delete(:remember_me_token, :domain => Config.cookie_domain)
+          end
+
+          # Override.
+          # logins a user instance, and optionally remembers him.
+          def auto_login(user, should_remember = false)
+            session[:user_id] = user.id.to_s
+            @current_user = user
+            remember_me! if should_remember
+          end
+
+          protected
+
+          # calls remember_me! if a third credential was passed to the login method.
+          # Runs as a hook after login.
+          def remember_me_if_asked_to(user, credentials)
+            remember_me! if ( credentials.size == 3 && credentials[2] && credentials[2] != "0" )
+          end
+
+          # Checks the cookie for a remember me token, tried to find a user with that token
+          # and logs the user in if found.
+          # Runs as a login source. See 'current_user' method for how it is used.
+          def login_from_cookie
+            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token])
+            if user && user.has_remember_me_token?
+              set_remember_me_cookie!(user)
+              session[:user_id] = user.id.to_s
+              @current_user = user
+            else
+              @current_user = false
+            end
+          end
+
+          def set_remember_me_cookie!(user)
+            cookies.signed[:remember_me_token] = {
+              :value => user.send(user.sorcery_config.remember_me_token_attribute_name),
+              :expires => user.send(user.sorcery_config.remember_me_token_expires_at_attribute_name),
+              :httponly => Config.remember_me_httponly,
+              :domain => Config.cookie_domain
+            }
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -0,0 +1,56 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # This submodule helps you set a timeout to all user sessions.
+      # The timeout can be configured and also you can choose to reset it on every user action.
+      module SessionTimeout
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :session_timeout,                     # how long in seconds to keep the session alive.
+
+                            :session_timeout_from_last_action     # use the last action as the beginning of session
+                                                                  # timeout.
+
+              def merge_session_timeout_defaults!
+                @defaults.merge!(:@session_timeout                      => 3600, # 1.hour
+                                 :@session_timeout_from_last_action     => false)
+              end
+            end
+            merge_session_timeout_defaults!
+          end
+          Config.after_login << :register_login_time
+          base.prepend_before_filter :validate_session
+        end
+
+        module InstanceMethods
+          protected
+
+          # Registers last login to be used as the timeout starting point.
+          # Runs as a hook after a successful login.
+          def register_login_time(user, credentials)
+            session[:login_time] = session[:last_action_time] = Time.now.in_time_zone
+          end
+
+          # Checks if session timeout was reached and expires the current session if so.
+          # To be used as a before_filter, before require_login
+          def validate_session
+            session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
+            if session_to_use && sorcery_session_expired?(session_to_use.to_time)
+              reset_sorcery_session
+              @current_user = nil
+            else
+              session[:last_action_time] = Time.now.in_time_zone
+            end
+          end
+
+          def sorcery_session_expired?(time)
+            Time.now.in_time_zone - time > Config.session_timeout
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/aes256.rb

@@ -0,0 +1,51 @@
+require "openssl"
+
+module Sorcery
+  module CryptoProviders
+    # This encryption method is reversible if you have the supplied key. 
+    # So in order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do the following:
+    #
+    #   Sorcery::Model::ConfigAES256.key = "my 32 bytes long key"
+    #
+    # My final comment is that this is a strong encryption method, 
+    # but its main weakness is that its reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
+    #
+    # Keep your key in a safe place, some even say the key should be stored on a separate server.
+    # This won't hurt performance because the only time it will try and access the key on the 
+    # separate server is during initialization, which only
+    # happens once. The reasoning behind this is if someone does compromise your server they 
+    # won't have the key also. Basically, you don't want to store the key with the lock.
+    class AES256
+      class << self
+        attr_writer :key
+    
+        def encrypt(*tokens)
+          aes.encrypt
+          aes.key = @key
+          [aes.update(tokens.join) + aes.final].pack("m").chomp
+        end
+    
+        def matches?(crypted, *tokens)
+          decrypt(crypted) == tokens.join
+        rescue OpenSSL::CipherError
+          false
+        end
+        
+        def decrypt(crypted)
+          aes.decrypt
+          aes.key = @key
+          (aes.update(crypted.unpack("m").first) + aes.final)
+        end
+    
+        private
+        
+        def aes
+          raise ArgumentError.new("#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it.") if ( @key.nil? || @key == "" )
+          @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -0,0 +1,97 @@
+require 'bcrypt'
+
+module Sorcery
+  module CryptoProviders
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear 
+    # launch codes you might want to consier BCrypt. This is an extremely
+    # secure hashing algorithm, mainly because it is slow. 
+    # A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
+    # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this,
+    # generating a password takes exponentially longer than any
+    # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
+    #
+    #   require "bcrypt"
+    #   require "digest"
+    #   require "benchmark"
+    #
+    #   Benchmark.bm(18) do |x|
+    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
+    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
+    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #   end
+    #
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
+    #
+    # You can play around with the cost to get that perfect balance between performance and security.
+    #
+    # Decided BCrypt is for you? Just insall the bcrypt gem:
+    #
+    #   gem install bcrypt-ruby
+    #
+    # Update your initializer to use it:
+    #
+    #   config.encryption_algorithm = :bcrypt
+    #
+    # You are good to go!
+    class BCrypt
+      class << self
+        # This is the :cost option for the BCrpyt library. 
+        # The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
+        # Set this to whatever you want, play around with it to get that perfect balance between 
+        # security and performance.
+        def cost
+          @cost ||= 10
+        end
+        attr_writer :cost
+        alias :stretches :cost
+        alias :stretches= :cost=
+        
+        # Creates a BCrypt hash for the password passed.
+        def encrypt(*tokens)
+          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+        end
+        
+        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(hash, *tokens)
+          hash = new_from_hash(hash)
+          return false if hash.nil? || hash == {}
+          hash == join_tokens(tokens)
+        end
+        
+        # This method is used as a flag to tell Sorcery to "resave" the password 
+        # upon a successful login, using the new cost
+        def cost_matches?(hash)
+          hash = new_from_hash(hash)
+          if hash.nil? || hash == {}
+            false
+          else
+            hash.cost == cost
+          end
+        end
+        
+        def reset!
+          @cost = 10
+        end
+        
+        private
+        
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
+        
+        def new_from_hash(hash)
+          begin
+            ::BCrypt::Password.new(hash)
+          rescue ::BCrypt::Errors::InvalidHash
+            return nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/common.rb

@@ -0,0 +1,35 @@
+module Sorcery
+  module CryptoProviders
+    module Common
+      def self.included(base)
+        base.class_eval do
+          class << self
+            attr_accessor :join_token
+
+            # The number of times to loop through the encryption.
+            def stretches
+              @stretches ||= 1
+            end
+            attr_writer :stretches
+
+            def encrypt(*tokens)
+              digest = tokens.flatten.compact.join(join_token)
+              stretches.times { digest = secure_digest(digest) }
+              digest
+            end
+
+            # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+            def matches?(crypted, *tokens)
+              encrypt(*tokens.compact) == crypted
+            end
+
+            def reset!
+              @stretches = 1
+              @join_token = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/md5.rb

@@ -0,0 +1,19 @@
+require "digest/md5"
+ 
+module Sorcery
+  module CryptoProviders
+    # This class was made for the users transitioning from md5 based systems. 
+    # I highly discourage using this crypto provider as it superbly inferior 
+    # to your other options.
+    #
+    # Please use any other provider offered by Sorcery.
+    class MD5
+      include Common
+      class << self
+        def secure_digest(digest)
+          Digest::MD5.hexdigest(digest)
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/sha1.rb

@@ -0,0 +1,28 @@
+require "digest/sha1"
+
+module Sorcery
+  module CryptoProviders
+    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
+    # crypto provider as it inferior to your other options. Please use any other provider offered by Sorcery.
+    class SHA1
+      include Common
+      class << self
+        def join_token
+          @join_token ||= "--"
+        end
+        
+        # Turns your raw password into a Sha1 hash.
+        def encrypt(*tokens)
+          tokens = tokens.flatten
+          digest = tokens.shift
+          stretches.times { digest = secure_digest([digest, *tokens].join(join_token)) }
+          digest
+        end
+        
+        def secure_digest(digest)
+          Digest::SHA1.hexdigest(digest)
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/sha256.rb

@@ -0,0 +1,36 @@
+require "digest/sha2"
+
+module Sorcery
+  # The activate_sorcery method has a custom_crypto_provider configuration option. 
+  # This allows you to use any type of encryption you like.
+  # Just create a class with a class level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
+  module CryptoProviders
+    # = Sha256
+    #
+    # Uses the Sha256 hash algorithm to encrypt passwords.
+    class SHA256
+      include Common
+      class << self
+        def secure_digest(digest)
+          Digest::SHA256.hexdigest(digest)
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/sha512.rb

@@ -0,0 +1,36 @@
+require "digest/sha2"
+
+module Sorcery
+  # The activate_sorcery method has a custom_crypto_provider configuration option. 
+  # This allows you to use any type of encryption you like.
+  # Just create a class with a class level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
+  module CryptoProviders
+    # = Sha512
+    #
+    # Uses the Sha512 hash algorithm to encrypt passwords.
+    class SHA512
+      include Common
+      class << self
+        def secure_digest(digest)
+          Digest::SHA512.hexdigest(digest)
+        end
+      end
+    end
+  end
+end