cbsorcery 0.8.6

data/lib/sorcery/engine.rb

@@ -0,0 +1,21 @@
+require 'sorcery'
+require 'rails'
+
+module Sorcery
+  # The Sorcery engine takes care of extending ActiveRecord (if used) and ActionController,
+  # With the plugin logic.
+  class Engine < Rails::Engine
+    config.sorcery = ::Sorcery::Controller::Config
+    
+    initializer "extend Controller with sorcery" do |app|
+      ActionController::Base.send(:include, Sorcery::Controller)
+      ActionController::Base.helper_method :current_user
+      ActionController::Base.helper_method :logged_in?
+    end
+    
+    rake_tasks do
+      load "sorcery/railties/tasks.rake"
+    end
+    
+  end
+end

data/lib/sorcery/model.rb

@@ -0,0 +1,183 @@
+module Sorcery
+  # This module handles all plugin operations which are related to the Model layer in the MVC pattern.
+  # It should be included into the ORM base class.
+  # In the case of Rails this is usually ActiveRecord (actually, in that case, the plugin does this automatically).
+  #
+  # When included it defines a single method: 'authenticates_with_sorcery!'
+  # which when called adds the other capabilities to the class.
+  # This method is also the place to configure the plugin in the Model layer.
+  module Model
+    def authenticates_with_sorcery!
+      @sorcery_config = Config.new
+
+      extend ClassMethods # included here, before submodules, so they can be overriden by them.
+      include InstanceMethods
+      include TemporaryToken
+
+      include_required_submodules!
+
+      # This runs the options block set in the initializer on the model class.
+      ::Sorcery::Controller::Config.user_config.tap{|blk| blk.call(@sorcery_config) if blk}
+
+      define_base_fields
+      init_orm_hooks!
+
+      @sorcery_config.after_config << :add_config_inheritance if @sorcery_config.subclasses_inherit_config
+      @sorcery_config.after_config.each { |c| send(c) }
+    end
+
+    private
+
+    def define_base_fields
+      self.class_eval do
+        sorcery_config.username_attribute_names.each do |username|
+          sorcery_adapter.define_field username, String, length: 255
+        end
+        unless sorcery_config.username_attribute_names.include?(sorcery_config.email_attribute_name)
+          sorcery_adapter.define_field sorcery_config.email_attribute_name, String, length: 255
+        end
+        sorcery_adapter.define_field sorcery_config.crypted_password_attribute_name, String, length: 255
+        sorcery_adapter.define_field sorcery_config.salt_attribute_name, String, length: 255
+      end
+
+    end
+
+    # includes required submodules into the model class,
+    # which usually is called User.
+    def include_required_submodules!
+      self.class_eval do
+        @sorcery_config.submodules = ::Sorcery::Controller::Config.submodules
+        @sorcery_config.submodules.each do |mod|
+          begin
+            include Submodules.const_get(mod.to_s.split('_').map {|p| p.capitalize}.join)
+          rescue NameError
+            # don't stop on a missing submodule. Needed because some submodules are only defined
+            # in the controller side.
+          end
+        end
+      end
+    end
+
+    # add virtual password accessor and ORM callbacks.
+    def init_orm_hooks!
+      sorcery_adapter.define_callback :before, :validation, :encrypt_password, if: Proc.new {|record|
+        record.send(sorcery_config.password_attribute_name).present?
+      }
+
+      sorcery_adapter.define_callback :after, :save, :clear_virtual_password, if: Proc.new {|record|
+        record.send(sorcery_config.password_attribute_name).present?
+      }
+
+      attr_accessor sorcery_config.password_attribute_name
+    end
+
+    module ClassMethods
+      # Returns the class instance variable for configuration, when called by the class itself.
+      def sorcery_config
+        @sorcery_config
+      end
+
+      # The default authentication method.
+      # Takes a username and password,
+      # Finds the user by the username and compares the user's password to the one supplied to the method.
+      # returns the user if success, nil otherwise.
+      def authenticate(*credentials)
+        raise ArgumentError, "at least 2 arguments required" if credentials.size < 2
+
+        return false if credentials[0].blank?
+
+        if @sorcery_config.downcase_username_before_authenticating
+          credentials[0].downcase!
+        end
+
+        user = sorcery_adapter.find_by_credentials(credentials)
+
+        set_encryption_attributes
+
+        _salt = user.send(@sorcery_config.salt_attribute_name) if user && !@sorcery_config.salt_attribute_name.nil? && !@sorcery_config.encryption_provider.nil?
+        user if user && @sorcery_config.before_authenticate.all? {|c| user.send(c)} && credentials_match?(user.send(@sorcery_config.crypted_password_attribute_name),credentials[1],_salt)
+      end
+
+      # encrypt tokens using current encryption_provider.
+      def encrypt(*tokens)
+        return tokens.first if @sorcery_config.encryption_provider.nil?
+
+        set_encryption_attributes()
+
+        CryptoProviders::AES256.key = @sorcery_config.encryption_key
+        @sorcery_config.encryption_provider.encrypt(*tokens)
+      end
+
+      protected
+
+      def set_encryption_attributes()
+        @sorcery_config.encryption_provider.stretches = @sorcery_config.stretches if @sorcery_config.encryption_provider.respond_to?(:stretches) && @sorcery_config.stretches
+        @sorcery_config.encryption_provider.join_token = @sorcery_config.salt_join_token if @sorcery_config.encryption_provider.respond_to?(:join_token) && @sorcery_config.salt_join_token
+      end
+
+      # Calls the configured encryption provider to compare the supplied password with the encrypted one.
+      def credentials_match?(crypted, *tokens)
+        return crypted == tokens.join if @sorcery_config.encryption_provider.nil?
+        @sorcery_config.encryption_provider.matches?(crypted, *tokens)
+      end
+
+      def add_config_inheritance
+        self.class_eval do
+          def self.inherited(subclass)
+            subclass.class_eval do
+              class << self
+                attr_accessor :sorcery_config
+              end
+            end
+            subclass.sorcery_config = sorcery_config
+            super
+          end
+        end
+      end
+
+    end
+
+    module InstanceMethods
+      # Returns the class instance variable for configuration, when called by an instance.
+      def sorcery_config
+        self.class.sorcery_config
+      end
+
+      # identifies whether this user is regular, i.e. we hold his credentials in our db,
+      # or that he is external, and his credentials are saved elsewhere (twitter/facebook etc.).
+      def external?
+        send(sorcery_config.crypted_password_attribute_name).nil?
+      end
+
+      protected
+
+      # creates new salt and saves it.
+      # encrypts password with salt and saves it.
+      def encrypt_password
+        config = sorcery_config
+        self.send(:"#{config.salt_attribute_name}=", new_salt = TemporaryToken.generate_random_token) if !config.salt_attribute_name.nil?
+        self.send(:"#{config.crypted_password_attribute_name}=", self.class.encrypt(self.send(config.password_attribute_name),new_salt))
+      end
+
+      def clear_virtual_password
+        config = sorcery_config
+        self.send(:"#{config.password_attribute_name}=", nil)
+
+        if respond_to?(:"#{config.password_attribute_name}_confirmation=")
+          self.send(:"#{config.password_attribute_name}_confirmation=", nil)
+        end
+      end
+
+      # calls the requested email method on the configured mailer
+      # supports both the ActionMailer 3 way of calling, and the plain old Ruby object way.
+      def generic_send_email(method, mailer)
+        config = sorcery_config
+        mail = config.send(mailer).send(config.send(method),self)
+        if defined?(ActionMailer) and config.send(mailer).kind_of?(Class) and config.send(mailer) < ActionMailer::Base
+          mail.deliver
+        end
+      end
+    end
+
+  end
+end

data/lib/sorcery/model/config.rb

@@ -0,0 +1,96 @@
+# Each class which calls 'activate_sorcery!' receives an instance of this class.
+# Every submodule which gets loaded may add accessors to this class so that all
+# options will be configured from a single place.
+module Sorcery
+  module Model
+    class Config
+
+      attr_accessor :username_attribute_names,           # change default username attribute, for example, to use :email
+                                                        # as the login.
+
+                    :password_attribute_name,           # change *virtual* password attribute, the one which is used
+                                                        # until an encrypted one is generated.
+
+                    :email_attribute_name,              # change default email attribute.
+
+                    :downcase_username_before_authenticating, # downcase the username before trying to authenticate, default is false
+
+                    :crypted_password_attribute_name,   # change default crypted_password attribute.
+                    :salt_join_token,                   # what pattern to use to join the password with the salt
+                    :salt_attribute_name,               # change default salt attribute.
+                    :stretches,                         # how many times to apply encryption to the password.
+                    :encryption_key,                    # encryption key used to encrypt reversible encryptions such as
+                                                        # AES256.
+
+                    :subclasses_inherit_config,         # make this configuration inheritable for subclasses. Useful for
+                                                        # ActiveRecord's STI.
+
+                    :submodules,                        # configured in config/application.rb
+                    :before_authenticate,               # an array of method names to call before authentication
+                                                        # completes. used internally.
+
+                    :after_config                       # an array of method names to call after configuration by user.
+                                                        # used internally.
+
+      attr_reader   :encryption_provider,               # change default encryption_provider.
+                    :custom_encryption_provider,        # use an external encryption class.
+                    :encryption_algorithm               # encryption algorithm name. See 'encryption_algorithm=' below
+                                                        # for available options.
+
+      def initialize
+        @defaults = {
+          :@submodules                           => [],
+          :@username_attribute_names              => [:email],
+          :@password_attribute_name              => :password,
+          :@downcase_username_before_authenticating => false,
+          :@email_attribute_name                 => :email,
+          :@crypted_password_attribute_name      => :crypted_password,
+          :@encryption_algorithm                 => :bcrypt,
+          :@encryption_provider                  => CryptoProviders::BCrypt,
+          :@custom_encryption_provider           => nil,
+          :@encryption_key                       => nil,
+          :@salt_join_token                      => "",
+          :@salt_attribute_name                  => :salt,
+          :@stretches                            => nil,
+          :@subclasses_inherit_config            => false,
+          :@before_authenticate                  => [],
+          :@after_config                         => []
+        }
+        reset!
+      end
+
+      # Resets all configuration options to their default values.
+      def reset!
+        @defaults.each do |k,v|
+          instance_variable_set(k,v)
+        end
+      end
+
+      def username_attribute_names=(fields)
+        @username_attribute_names = fields.kind_of?(Array) ? fields : [fields]
+      end
+
+      def custom_encryption_provider=(provider)
+        @custom_encryption_provider = @encryption_provider = provider
+      end
+
+      def encryption_algorithm=(algo)
+        @encryption_algorithm = algo
+        @encryption_provider = case @encryption_algorithm.to_sym
+        when :none   then nil
+        when :md5    then CryptoProviders::MD5
+        when :sha1   then CryptoProviders::SHA1
+        when :sha256 then CryptoProviders::SHA256
+        when :sha512 then CryptoProviders::SHA512
+        when :aes256 then CryptoProviders::AES256
+        when :bcrypt then CryptoProviders::BCrypt
+        when :custom then @custom_encryption_provider
+        else raise ArgumentError.new("Encryption algorithm supplied, #{algo}, is invalid")
+        end
+      end
+
+    end
+
+  end
+end
+

data/lib/sorcery/model/submodules/activity_logging.rb

@@ -0,0 +1,70 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This submodule keeps track of events such as login, logout, and last activity time, per user.
+      # It helps in estimating which users are active now in the site.
+      # This cannot be determined absolutely because a user might be reading a page without clicking anything
+      # for a while.
+      # This is the model part of the submodule, which provides configuration options.
+      module ActivityLogging
+        def self.included(base)
+          base.extend(ClassMethods)
+          base.send(:include, InstanceMethods)
+
+          base.sorcery_config.class_eval do
+            attr_accessor :last_login_at_attribute_name,                  # last login attribute name.
+                          :last_logout_at_attribute_name,                 # last logout attribute name.
+                          :last_activity_at_attribute_name,               # last activity attribute name.
+                          :last_login_from_ip_address_name,               # last activity login source
+                          :activity_timeout                               # how long since last activity is
+                                                                          #the user defined logged out?
+          end
+
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@last_login_at_attribute_name                => :last_login_at,
+                             :@last_logout_at_attribute_name               => :last_logout_at,
+                             :@last_activity_at_attribute_name             => :last_activity_at,
+                             :@last_login_from_ip_address_name             => :last_login_from_ip_address,
+                             :@activity_timeout                            => 10 * 60)
+            reset!
+          end
+
+          base.sorcery_config.after_config << :define_activity_logging_fields
+        end
+
+        module InstanceMethods
+          def set_last_login_at(time)
+            sorcery_adapter.update_attribute(sorcery_config.last_login_at_attribute_name, time)
+          end
+
+          def set_last_logout_at(time)
+            sorcery_adapter.update_attribute(sorcery_config.last_logout_at_attribute_name, time)
+          end
+
+          def set_last_activity_at(time)
+            sorcery_adapter.update_attribute(sorcery_config.last_activity_at_attribute_name, time)
+          end
+
+          def set_last_ip_addess(ip_address)
+            sorcery_adapter.update_attribute(sorcery_config.last_login_from_ip_address_name, ip_address)
+          end
+        end
+
+        module ClassMethods
+          # get all users with last_activity within timeout
+          def current_users
+            sorcery_adapter.get_current_users
+          end
+
+          protected
+          def define_activity_logging_fields
+            sorcery_adapter.define_field sorcery_config.last_login_at_attribute_name,    Time
+            sorcery_adapter.define_field sorcery_config.last_logout_at_attribute_name,   Time
+            sorcery_adapter.define_field sorcery_config.last_activity_at_attribute_name, Time
+            sorcery_adapter.define_field sorcery_config.last_login_from_ip_address_name, String
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/model/submodules/brute_force_protection.rb

@@ -0,0 +1,125 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This module helps protect user accounts by locking them down after too many failed attemps
+      # to login were detected.
+      # This is the model part of the submodule which provides configuration options and methods
+      # for locking and unlocking the user.
+      module BruteForceProtection
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :failed_logins_count_attribute_name,        # failed logins attribute name.
+                          :lock_expires_at_attribute_name,            # this field indicates whether user
+                                                                      # is banned and when it will be active again.
+                          :consecutive_login_retries_amount_limit,    # how many failed logins allowed.
+                          :login_lock_time_period,                    # how long the user should be banned.
+                                                                      # in seconds. 0 for permanent.
+
+                          :unlock_token_attribute_name,               # Unlock token attribute name
+                          :unlock_token_email_method_name,            # Mailer method name
+                          :unlock_token_mailer_disabled,              # When true, dont send unlock token via email
+                          :unlock_token_mailer                        # Mailer class
+          end
+
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@failed_logins_count_attribute_name              => :failed_logins_count,
+                             :@lock_expires_at_attribute_name                  => :lock_expires_at,
+                             :@consecutive_login_retries_amount_limit          => 50,
+                             :@login_lock_time_period                          => 60 * 60,
+
+                             :@unlock_token_attribute_name                     => :unlock_token,
+                             :@unlock_token_email_method_name                  => :send_unlock_token_email,
+                             :@unlock_token_mailer_disabled                    => false,
+                             :@unlock_token_mailer                             => nil)
+            reset!
+          end
+
+          base.sorcery_config.before_authenticate << :prevent_locked_user_login
+          base.sorcery_config.after_config << :define_brute_force_protection_fields
+          base.extend(ClassMethods)
+          base.send(:include, InstanceMethods)
+        end
+
+        module ClassMethods
+          def load_from_unlock_token(token)
+            return nil if token.blank?
+            user = sorcery_adapter.find_by_token(sorcery_config.unlock_token_attribute_name,token)
+            user
+          end
+
+          protected
+
+          def define_brute_force_protection_fields
+            sorcery_adapter.define_field sorcery_config.failed_logins_count_attribute_name, Integer, :default => 0
+            sorcery_adapter.define_field sorcery_config.lock_expires_at_attribute_name, Time
+            sorcery_adapter.define_field sorcery_config.unlock_token_attribute_name, String
+          end
+        end
+
+        module InstanceMethods
+          # Called by the controller to increment the failed logins counter.
+          # Calls 'lock!' if login retries limit was reached.
+          def register_failed_login!
+            config = sorcery_config
+            return if !unlocked?
+
+            sorcery_adapter.increment(config.failed_logins_count_attribute_name)
+
+            if self.send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
+              lock!
+            end
+          end
+
+          # /!\
+          # Moved out of protected for use like activate! in controller
+          # /!\
+          def unlock!
+            config = sorcery_config
+            attributes = {config.lock_expires_at_attribute_name => nil,
+                          config.failed_logins_count_attribute_name => 0,
+                          config.unlock_token_attribute_name => nil}
+            sorcery_adapter.update_attributes(attributes)
+          end
+
+          def locked?
+            !unlocked?
+          end
+
+          protected
+
+          def lock!
+            config = sorcery_config
+            attributes = {config.lock_expires_at_attribute_name => Time.now.in_time_zone + config.login_lock_time_period,
+                          config.unlock_token_attribute_name => TemporaryToken.generate_random_token}
+            sorcery_adapter.update_attributes(attributes)
+
+            unless config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
+              send_unlock_token_email!
+            end
+          end
+
+          def unlocked?
+            config = sorcery_config
+            self.send(config.lock_expires_at_attribute_name).nil?
+          end
+
+          def send_unlock_token_email!
+            return if sorcery_config.unlock_token_email_method_name.nil?
+
+            generic_send_email(:unlock_token_email_method_name, :unlock_token_mailer)
+          end
+
+          # Prevents a locked user from logging in, and unlocks users that expired their lock time.
+          # Runs as a hook before authenticate.
+          def prevent_locked_user_login
+            config = sorcery_config
+            if !self.unlocked? && config.login_lock_time_period != 0
+              self.unlock! if self.send(config.lock_expires_at_attribute_name) <= Time.now.in_time_zone
+            end
+            unlocked?
+          end
+        end
+      end
+    end
+  end
+end