challah 1.4.2 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 447489331d6bd86a5454685e67160b9299f4717c
-  data.tar.gz: dced3cd2315e8382dd9b844b32851e53b2549b8e
+  metadata.gz: 5267d7f2cfbc84cb4a6af2c0d4a863ef8790a853
+  data.tar.gz: cbf3accdb5a30c551041e0b749ce3fd7a3f84eb7
 SHA512:
-  metadata.gz: 443ee62005886d2eb46d9184239fd4bd27e8c70094ee118b0d2dabd3411e82618547c92fc21087258c176cbcbb11cc8725d7652fe565cb076b86c9a0e1af20bc
-  data.tar.gz: 1e8aca0d48ec952a7050a0a13865099764b13eda8cea1b44e17f3d4e6e32690ee46bf81ffb5c3093bddc1cd047c4585b82eac22a708547210d7bc4e736270cd8
+  metadata.gz: 8849cba25a8264c34e120aa9c875040cac7aff7dc7a0f423b844098686f56544f66c973caaf089a018b5fd4bcbf7d7011ac972bb2124fb4ef888135eeea6b06b
+  data.tar.gz: d4c31ad4cc1301412bce1f6ebbeb3b1a5b6b79cb65ecfdbbe26041db09c8ac1eedd9b3e38839ce5ccee2855c5acd98f28bdbc299bf2b84f11b35d860202dd106

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Challah 1.5.0
+
+* Extract status enum to separate concern [PR #32](https://github.com/jdtornow/challah/pull/32) @philtr
+* Add built-in support for authenticating using X-Auth-Token header for APIs
+
 ## Challah 1.4.2
 
 * Fix issue with duplicating models and audits [#28](https://github.com/jdtornow/challah/issues/28)

data/README.md

@@ -8,9 +8,9 @@ Challah doesn't provide any fancy controllers or views that clutter your app or
 
 ## Requirements
 
-* Ruby 2.1.2+
+* Ruby 2.2.2+
 * Bundler
-* Rails 5.0 (Recommended)
+* Rails 4.2+ (5.0 Recommended)
 
 ## Installation
 
@@ -143,6 +143,50 @@ If necessary, the sessions controller which handles creating new sessions and si
 rails challah:unpack:signin
 ```
 
+## API Controllers
+
+For apps that use JSON API controllers, Challah can be used to authenticate a user with a url parameter or an HTTP request header. This feature is disabled by default, so to use it you will need to change the `token_enabled` setting to `true`:
+
+```ruby
+# in config/initializers/challah.rb
+Challah.options[:token_enabled] = true
+```
+
+Once enabled, this setting will allow the `api_key` for the user to be used to authenticate them via the `token` parameter, or `X-Auth-Token` HTTP header.
+
+For example, the following request would authenticate a valid active user that has the `api_key` value of `abc123`:
+
+``` shell
+curl -H "X-Auth-Token: abc123" \
+  -H 'Content-Type: application/json' \
+  http://localhost:3000/api/test.json
+```
+
+Using the `token` param, you could write the same thing as:
+
+``` shell
+curl -H 'Content-Type: application/json' \
+  http://localhost:3000/api/test.json?token=abc123
+```
+
+If you'd like to change the HTTP header used to fetch the user's api key from, you can change it using the `token_header` setting:
+
+```ruby
+# in config/initializers/challah.rb
+Challah.options[:token_enabled] = true
+Challah.options[:token_header] = "X-App-User"
+```
+
+Then:
+
+``` shell
+curl -H "X-App-User: abc123" \
+  -H 'Content-Type: application/json' \
+  http://localhost:3000/api/test.json
+```
+
+_Note: Custom HTTP headers should always start with X-_
+
 ## ActionCable in Rails 5
 
 Challah works well with securing your ActionCable channels since Rails 5. Here is a sample `ApplicationCable::Connection` file to secure connections to a valid signed-in user:

data/VERSION

@@ -1 +1 @@
-1.4.2
+1.5.0

data/lib/challah.rb

@@ -15,7 +15,6 @@ module Challah
   autoload :Session,                          "challah/session"
   autoload :Signup,                           "challah/signup"
   autoload :Techniques,                       "challah/techniques"
-  autoload :Techniques,                       "challah/techniques"
 
   autoload :EmailValidator,                   "challah/validators/email_validator"
   autoload :PasswordValidator,                "challah/validators/password_validator"
@@ -32,6 +31,7 @@ module Challah
   autoload :UserFindable,                     "challah/concerns/user/findable"
   autoload :UserPasswordable,                 "challah/concerns/user/passwordable"
   autoload :UserProvideable,                  "challah/concerns/user/provideable"
+  autoload :UserStatusable,                   "challah/concerns/user/statusable"
   autoload :UserValidateable,                 "challah/concerns/user/validateable"
 
   # Configuration options
@@ -49,6 +49,8 @@ module Challah
     @options ||= {
       access_denied_view:     "sessions/access_denied",
       api_key_enabled:        false,
+      token_enabled:          false,
+      token_header:           "X-Auth-Token",
       cookie_prefix:          "challah",
       email_validator:        "challah/email",
       password_validator:     PasswordValidator,
@@ -70,6 +72,7 @@ module Challah
   # Default registered authentication techiques.
   register_technique :api_key,        ApiKeyTechnique
   register_technique :password,       PasswordTechnique
+  register_technique :token,          TokenTechnique
 
   # Set up plugin registering capability
   extend Plugins

data/lib/challah/concerns/user/attributeable.rb

@@ -7,40 +7,10 @@ module Challah
       attr_reader :password_confirmation
       attr_reader :password_updated
 
-      begin
-        if columns.map(&:name).include?("status")
-          enum status: %w( active inactive )
-        end
-      rescue ActiveRecord::StatementInvalid => exception
-        raise exception unless exception.message =~ /could not find table/i ||
-                               exception.message =~ /does not exist/i
-      end
-
       before_save :ensure_user_tokens
       before_validation :normalize_user_email
     end
 
-    # Fallback to pre-enum active column (pre challah 1.4)
-    def active=(enabled)
-      if self.class.columns.map(&:name).include?("status")
-        self.status = (!!enabled ? :active : :inactive)
-      else
-        write_attribute(:active, !!enabled)
-      end
-    end
-
-    def active?
-      # enum-based status
-      if self.class.columns.map(&:name).include?("status")
-        read_attribute(:status).to_s == "active"
-
-      # support for non-enum status column (pre challah 1.4)
-      else
-        !!read_attribute(:active)
-      end
-    end
-    alias_method :active, :active?
-
     # First name and last name together
     def name
       "#{ first_name } #{ last_name }".strip
@@ -55,7 +25,7 @@ module Challah
     #
     # Override this method if you need to check for a particular configuration on each page request.
     def valid_session?
-      active?
+      true
     end
 
     protected

data/lib/challah/concerns/user/statusable.rb

@@ -0,0 +1,45 @@
+module Challah
+  module UserStatusable
+    extend ActiveSupport::Concern
+
+    included do
+      begin
+        if columns.map(&:name).include?("status")
+          additional_statuses = Array(Challah.options[:additional_statuses])
+          enum status: [:active, :inactive, *additional_statuses]
+        end
+      rescue ActiveRecord::StatementInvalid => exception
+        raise exception unless exception.message =~ /could not find table/i ||
+                               exception.message =~ /does not exist/i
+      end
+    end
+
+    # Fallback to pre-enum active column (pre challah 1.4)
+    def active=(enabled)
+      if self.class.columns.map(&:name).include?("status")
+        self.status = (!!enabled ? :active : :inactive)
+      else
+        write_attribute(:active, !!enabled)
+      end
+    end
+
+    def active?
+      # enum-based status
+      if self.class.columns.map(&:name).include?("status")
+        read_attribute(:status).to_s == "active"
+
+      # support for non-enum status column (pre challah 1.4)
+      else
+        !!read_attribute(:active)
+      end
+    end
+
+    def active
+      active?
+    end
+
+    def valid_session?
+      active?
+    end
+  end
+end

data/lib/challah/concerns/userable.rb

@@ -8,6 +8,7 @@ module Challah
     include UserFindable
     include UserPasswordable
     include UserProvideable
+    include UserStatusable
 
     unless Challah.options[:skip_user_validations]
       include UserValidateable

data/lib/challah/session.rb

@@ -53,7 +53,7 @@ module Challah
         nil
       end
 
-      if store_user and store_user.active? and store_user.persistence_token == persistence_token
+      if store_user and store_user.valid_session? and store_user.persistence_token == persistence_token
         if store_user.valid_session?
           self.user = store_user
           @valid = true
@@ -90,7 +90,7 @@ module Challah
     # Returns true if this session has been authenticated and is ready to save.
     def valid?
       return @valid if @valid != nil
-      return true if self.user and self.user.active?
+      return true if self.user and self.user.valid_session?
       authenticate!
     end
 
@@ -126,7 +126,7 @@ module Challah
         end
       end
 
-      if user_record and user_record.active?
+      if user_record and user_record.valid_session?
         session.user = user_record
         session.persist = true
       end

data/lib/challah/techniques.rb

@@ -1,5 +1,6 @@
-require 'challah/techniques/api_key_technique'
-require 'challah/techniques/password_technique'
+require "challah/techniques/api_key_technique"
+require "challah/techniques/password_technique"
+require "challah/techniques/token_technique"
 
 module Challah
   # Techniques are used to allow different methods of authentication. By default, there are
@@ -23,7 +24,7 @@ module Challah
   #         # was params[:secret] provided to the request
   #         if @session.secret?
   #           # does the params[:secret] value match our shared password?
-  #           if @session.secret == 'let-me-in'
+  #           if @session.secret == "let-me-in"
   #             # if the secret was correct, grab the username from params, and load the user
   #             user = User.find_for_session(@session.username)
   #             return user

data/lib/challah/techniques/api_key_technique.rb

@@ -16,7 +16,7 @@ module Challah
       unless @key.to_s.blank?
         user = user_model.find_by_api_key(@key)
 
-        if user and user.active?
+        if user and user.valid_session?
           return user
         end
       end
@@ -33,4 +33,4 @@ module Challah
     end
 
   end
-end
+end

data/lib/challah/techniques/password_technique.rb

@@ -1,5 +1,4 @@
 module Challah
-
   # Allows authentication by username and password.
   class PasswordTechnique
 
@@ -17,7 +16,7 @@ module Challah
         user = user_model.find_for_session(username)
 
         if user
-          if user.active?
+          if user.valid_session?
             if user.authenticate(@password)
               return user
             end
@@ -51,5 +50,4 @@ module Challah
       @username
     end
   end
-
-end
+end

data/lib/challah/techniques/token_technique.rb

@@ -0,0 +1,47 @@
+module Challah
+  # Allows authentication with a token URL parameter or X-Auth-Token header.
+  # Useful for API-based authentication.
+  class TokenTechnique
+
+    attr_accessor :user_model
+
+    def initialize(session)
+      if session.request && session.request.headers[header_key]
+        @token = session.request.headers[header_key].to_s
+      else
+        @token = session.params[:token].to_s
+      end
+    end
+
+    def authenticate
+      # Token authorization functionality is only enabled with the :token_enabled option.
+      # This is turned off by default and must be manually enabled for security reasons.
+      return nil unless Challah.options[:token_enabled]
+
+      if user = user_model.where(api_key: token).first
+        if user.valid_session?
+          return user
+        end
+      end
+
+      nil
+    end
+
+    def header_key
+      Challah.options[:token_header] || "X-Auth-Token"
+    end
+
+    def persist?
+      false
+    end
+
+    def user_model
+      @user_model ||= Challah.user
+    end
+
+    private
+
+    attr_reader :token
+
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: challah
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.5.0
 platform: ruby
 authors:
 - John Tornow
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-08-08 00:00:00.000000000 Z
+date: 2017-01-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: highline
@@ -148,6 +148,7 @@ files:
 - lib/challah/concerns/user/findable.rb
 - lib/challah/concerns/user/passwordable.rb
 - lib/challah/concerns/user/provideable.rb
+- lib/challah/concerns/user/statusable.rb
 - lib/challah/concerns/user/validateable.rb
 - lib/challah/concerns/userable.rb
 - lib/challah/controller.rb
@@ -165,6 +166,7 @@ files:
 - lib/challah/techniques.rb
 - lib/challah/techniques/api_key_technique.rb
 - lib/challah/techniques/password_technique.rb
+- lib/challah/techniques/token_technique.rb
 - lib/challah/test.rb
 - lib/challah/validators/email_validator.rb
 - lib/challah/validators/password_validator.rb
@@ -192,7 +194,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.8.11
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: Rails authentication and sessions