cbsorcery 0.8.6

data/lib/sorcery/controller/config.rb

@@ -0,0 +1,65 @@
+module Sorcery
+  module Controller
+    module Config
+      class << self
+        attr_accessor :submodules,
+                      :user_class,                    # what class to use as the user class.
+                      :not_authenticated_action,      # what controller action to call for non-authenticated users.
+
+                      :save_return_to_url,            # when a non logged in user tries to enter a page that requires
+                                                      # login, save the URL he wanted to reach,
+                                                      # and send him there after login.
+
+                      :cookie_domain,                 # set domain option for cookies
+
+                      :login_sources,
+                      :after_login,
+                      :after_failed_login,
+                      :before_logout,
+                      :after_logout
+
+        def init!
+          @defaults = {
+            :@user_class                           => nil,
+            :@submodules                           => [],
+            :@not_authenticated_action             => :not_authenticated,
+            :@login_sources                        => [],
+            :@after_login                          => [],
+            :@after_failed_login                   => [],
+            :@before_logout                        => [],
+            :@after_logout                         => [],
+            :@save_return_to_url                   => true,
+            :@cookie_domain                        => nil
+          }
+        end
+
+        # Resets all configuration options to their default values.
+        def reset!
+          @defaults.each do |k,v|
+            instance_variable_set(k,v)
+          end
+        end
+
+        def update!
+          @defaults.each do |k,v|
+            instance_variable_set(k,v) if !instance_variable_defined?(k)
+          end
+        end
+
+        def user_config(&blk)
+          block_given? ? @user_config = blk : @user_config
+        end
+
+        def configure(&blk)
+          @configure_blk = blk
+        end
+
+        def configure!
+          @configure_blk.call(self) if @configure_blk
+        end
+      end
+      init!
+      reset!
+    end
+  end
+end

data/lib/sorcery/controller/submodules/activity_logging.rb

@@ -0,0 +1,82 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # This submodule keeps track of events such as login, logout,
+      # and last activity time, per user.
+      # It helps in estimating which users are active now in the site.
+      # This cannot be determined absolutely because a user might be
+      # reading a page without clicking anything for a while.
+      # This is the controller part of the submodule, which adds hooks
+      # to register user events,
+      # and methods to collect active users data for use in the app.
+      # see Socery::Model::Submodules::ActivityLogging for configuration
+      # options.
+      module ActivityLogging
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :register_login_time
+              attr_accessor :register_logout_time
+              attr_accessor :register_last_activity_time
+              attr_accessor :register_last_ip_address
+
+              def merge_activity_logging_defaults!
+                @defaults.merge!(:@register_login_time         => true,
+                                 :@register_logout_time        => true,
+                                 :@register_last_activity_time => true,
+                                 :@register_last_ip_address    => true
+                                 )
+              end
+            end
+            merge_activity_logging_defaults!
+          end
+          Config.after_login    << :register_login_time_to_db
+          Config.after_login    << :register_last_ip_address
+          Config.before_logout  << :register_logout_time_to_db
+          base.after_filter :register_last_activity_time_to_db
+        end
+
+        module InstanceMethods
+          # Returns an array of the active users.
+          def current_users
+            ActiveSupport::Deprecation.warn("Sorcery: `current_users` method is deprecated. Read more on Github: https://github.com/NoamB/sorcery/issues/602")
+
+            user_class.current_users
+          end
+
+          protected
+
+          # registers last login time on every login.
+          # This runs as a hook just after a successful login.
+          def register_login_time_to_db(user, credentials)
+            return unless Config.register_login_time
+            user.set_last_login_at(Time.now.in_time_zone)
+          end
+
+          # registers last logout time on every logout.
+          # This runs as a hook just before a logout.
+          def register_logout_time_to_db(user)
+            return unless Config.register_logout_time
+            user.set_last_logout_at(Time.now.in_time_zone)
+          end
+
+          # Updates last activity time on every request.
+          # The only exception is logout - we do not update activity on logout
+          def register_last_activity_time_to_db
+            return unless Config.register_last_activity_time
+            return unless logged_in?
+            current_user.set_last_activity_at(Time.now.in_time_zone)
+          end
+
+          # Updates IP address on every login.
+          # This runs as a hook just after a successful login.
+          def register_last_ip_address(user, credentials)
+            return unless Config.register_last_ip_address
+            current_user.set_last_ip_addess(request.remote_ip)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/brute_force_protection.rb

@@ -0,0 +1,38 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # This module helps protect user accounts by locking them down after too
+      # many failed attemps to login were detected.
+      # This is the controller part of the submodule which takes care of
+      # updating the failed logins and resetting them.
+      # See Sorcery::Model::Submodules::BruteForceProtection for configuration
+      # options.
+      module BruteForceProtection
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+
+          Config.after_login << :reset_failed_logins_count!
+          Config.after_failed_login << :update_failed_logins_count!
+        end
+
+        module InstanceMethods
+
+          protected
+
+          # Increments the failed logins counter on every failed login.
+          # Runs as a hook after a failed login.
+          def update_failed_logins_count!(credentials)
+            user = user_class.sorcery_adapter.find_by_credentials(credentials)
+            user.register_failed_login! if user
+          end
+
+          # Resets the failed logins counter.
+          # Runs as a hook after a successful login.
+          def reset_failed_logins_count!(user, credentials)
+            user.sorcery_adapter.update_attribute(user_class.sorcery_config.failed_logins_count_attribute_name, 0)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/external.rb

@@ -0,0 +1,199 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # This submodule helps you login users from external auth providers such as Twitter.
+      # This is the controller part which handles the http requests and tokens passed between the app and the @provider.
+      module External
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+
+          require 'sorcery/providers/base'
+          require 'sorcery/providers/facebook'
+          require 'sorcery/providers/twitter'
+          require 'sorcery/providers/vk'
+          require 'sorcery/providers/linkedin'
+          require 'sorcery/providers/liveid'
+          require 'sorcery/providers/xing'
+          require 'sorcery/providers/github'
+          require 'sorcery/providers/google'
+          require 'sorcery/providers/jira'
+
+          Config.module_eval do
+            class << self
+              attr_reader :external_providers
+              attr_accessor :ca_file
+
+              def external_providers=(providers)
+                @external_providers = providers
+
+                providers.each do |name|
+                  class_eval <<-E
+                    def self.#{name}
+                      @#{name} ||= Sorcery::Providers.const_get('#{name}'.to_s.capitalize).new
+                    end
+                  E
+                end
+              end
+
+              def merge_external_defaults!
+                @defaults.merge!(:@external_providers => [],
+                                 :@ca_file => File.join(File.expand_path(File.dirname(__FILE__)), '../../protocols/certs/ca-bundle.crt'))
+              end
+            end
+            merge_external_defaults!
+          end
+        end
+
+        module InstanceMethods
+          protected
+
+          # save the singleton ProviderClient instance into @provider
+          def sorcery_get_provider(provider_name)
+            return unless Config.external_providers.include?(provider_name.to_sym)
+            Config.send(provider_name.to_sym)
+          end
+
+          # get the login URL from the provider, if applicable.  Returns nil if the provider
+          # does not provide a login URL.  (as of v0.8.1 all providers provide a login URL)
+          def sorcery_login_url(provider_name, args = {})
+            @provider = sorcery_get_provider provider_name
+            sorcery_fixup_callback_url @provider
+            if @provider.respond_to?(:login_url) && @provider.has_callback?
+              @provider.state = args[:state] if args[:state]
+              return @provider.login_url(params, session)
+            else
+              return nil
+            end
+          end
+
+          # get the user hash from a provider using information from the params and session.
+          def sorcery_fetch_user_hash(provider_name)
+            # the application should never ask for user hashes from two different providers
+            # on the same request.  But if they do, we should be ready: on the second request,
+            # clear out the instance variables if the provider is different
+            provider = sorcery_get_provider provider_name
+            if @provider.nil? || @provider != provider
+              @provider = provider
+              @access_token = nil
+              @user_hash = nil
+            end
+
+            # delegate to the provider for the access token and the user hash.
+            # cache them in instance variables.
+            @access_token ||= @provider.process_callback(params, session) # sends request to oauth agent to get the token
+            @user_hash ||= @provider.get_user_hash(@access_token) # uses the token to send another request to the oauth agent requesting user info
+          end
+
+          # for backwards compatibility
+          def access_token(*args)
+            @access_token
+          end
+
+
+          # this method should be somewhere else.  It only does something once per application per provider.
+          def sorcery_fixup_callback_url(provider)
+            provider.original_callback_url ||= provider.callback_url
+            if provider.original_callback_url.present? && provider.original_callback_url[0] == '/'
+              uri = URI.parse(request.url.gsub(/\?.*$/,''))
+              uri.path = ''
+              uri.query = nil
+              uri.scheme = 'https' if(request.env['HTTP_X_FORWARDED_PROTO'] == 'https')
+              host = uri.to_s
+              provider.callback_url = "#{host}#{@provider.original_callback_url}"
+            end
+          end
+
+          # sends user to authenticate at the provider's website.
+          # after authentication the user is redirected to the callback defined in the provider config
+          def login_at(provider_name, args = {})
+            redirect_to sorcery_login_url(provider_name, args)
+          end
+
+          # tries to login the user from provider's callback
+          def login_from(provider_name, should_remember = false)
+            sorcery_fetch_user_hash provider_name
+
+            if user = user_class.load_from_provider(provider_name, @user_hash[:uid].to_s)
+              # we found the user.
+              # clear the session
+              return_to_url = session[:return_to_url]
+              reset_sorcery_session
+              session[:return_to_url] = return_to_url
+
+              # sign in the user
+              auto_login(user, should_remember)
+              after_login!(user)
+
+              # return the user
+              user
+            end
+          end
+
+          # If user is logged, he can add all available providers into his account
+          def add_provider_to_user(provider_name)
+            sorcery_fetch_user_hash provider_name
+            config = user_class.sorcery_config
+
+            current_user.add_provider_to_user(provider_name.to_s, @user_hash[:uid].to_s)
+          end
+
+          # Initialize new user from provider informations.
+          # If a provider doesn't give required informations or username/email is already taken,
+          # we store provider/user infos into a session and can be rendered into registration form
+          def create_and_validate_from(provider_name)
+            sorcery_fetch_user_hash provider_name
+            config = user_class.sorcery_config
+
+            attrs = user_attrs(@provider.user_info_mapping, @user_hash)
+
+            user, saved = user_class.create_and_validate_from_provider(provider_name, @user_hash[:uid], attrs)
+
+            session[:incomplete_user] = {
+              :provider => {config.provider_uid_attribute_name => @user_hash[:uid], config.provider_attribute_name => provider_name},
+              :user_hash => attrs
+            } unless saved
+
+            return user
+          end
+
+          # this method automatically creates a new user from the data in the external user hash.
+          # The mappings from user hash fields to user db fields are set at controller config.
+          # If the hash field you would like to map is nested, use slashes. For example, Given a hash like:
+          #
+          #   "user" => {"name"=>"moishe"}
+          #
+          # You will set the mapping:
+          #
+          #   {:username => "user/name"}
+          #
+          # And this will cause 'moishe' to be set as the value of :username field.
+          # Note: Be careful. This method skips validations model.
+          # Instead you can pass a block, if the block returns false the user will not be created
+          #
+          #   create_from(provider) {|user| user.some_check }
+          #
+          def create_from(provider_name, &block)
+            sorcery_fetch_user_hash provider_name
+            config = user_class.sorcery_config
+
+            attrs = user_attrs(@provider.user_info_mapping, @user_hash)
+            @user = user_class.create_from_provider(provider_name, @user_hash[:uid], attrs, &block)
+          end
+
+          def user_attrs(user_info_mapping, user_hash)
+            attrs = {}
+            user_info_mapping.each do |k,v|
+              if (varr = v.split("/")).size > 1
+                attribute_value = varr.inject(user_hash[:user_info]) {|hash, value| hash[value]} rescue nil
+                attribute_value.nil? ? attrs : attrs.merge!(k => attribute_value)
+              else
+                attrs.merge!(k => user_hash[:user_info][v])
+              end
+            end
+            return attrs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -0,0 +1,74 @@
+module Sorcery
+  module Controller
+    module Submodules
+      # This submodule integrates HTTP Basic authentication into sorcery.
+      # You are provided with a before filter, require_login_from_http_basic, 
+      # which requests the browser for authentication.
+      # Then the rest of the submodule takes care of logging the user in 
+      # into the session, so that the next requests will keep him logged in.
+      module HttpBasicAuth
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :controller_to_realm_map            # What realm to display for which controller name.
+                            
+              def merge_http_basic_auth_defaults!
+                @defaults.merge!(:@controller_to_realm_map  => {"application" => "Application"})
+              end
+            end
+            merge_http_basic_auth_defaults!
+          end
+          Config.login_sources << :login_from_basic_auth
+        end
+        
+        module InstanceMethods
+
+          protected
+          
+          # to be used as a before_filter.
+          # The method sets a session when requesting the user's credentials.
+          # This is a trick to overcome the way HTTP authentication works (explained below):
+          #
+          # Once the user fills the credentials once, the browser will always send it to the 
+          # server when visiting the website, until the browser is closed.
+          # This causes wierd behaviour if the user logs out. The session is reset, yet the 
+          # user is re-logged in by the before_filter calling 'login_from_basic_auth'.
+          # To overcome this, we set a session when requesting the password, which logout will
+          # reset, and that's how we know if we need to request for HTTP auth again.
+          def require_login_from_http_basic
+            (request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return) if (request.authorization.nil? || session[:http_authentication_used].nil?)
+            require_login
+            session[:http_authentication_used] = nil unless logged_in?
+          end
+          
+          # given to main controller module as a login source callback
+          def login_from_basic_auth
+            authenticate_with_http_basic do |username, password|
+              @current_user = (user_class.authenticate(username, password) if session[:http_authentication_used]) || false
+              auto_login(@current_user) if @current_user
+              @current_user
+            end
+          end
+          
+          # Sets the realm name by searching the controller name in the hash given at configuration time.
+          def realm_name_by_controller
+            if defined?(ActionController::Base)
+              current_controller = self.class
+              while current_controller != ActionController::Base
+                result = Config.controller_to_realm_map[current_controller.controller_name]
+                return result if result
+                current_controller = current_controller.superclass
+              end
+              nil
+            else
+              Config.controller_to_realm_map["application"]
+            end
+          end
+          
+        end
+
+      end
+    end
+  end
+end