challah 0.3.5 → 0.4.0

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## Challah 0.4.0 (Unreleased)
+
+* Enabled api key access. Passing ?key=xxxx into any URL will authenticate a user for a single page load. This option is turned off by default in new apps and can be enabled using `Challah.options[:api_key_enabled]`.
+* Updated tests for API key access
+* Authenticate users on page load
+* Changed default api key length to 50 instead of 25
+
 ## Challah 0.3.5
 
 * Now using [Highline](https://github.com/JEG2/highline) for rake tasks instead of sloppy custom methods.

data/README.md

@@ -77,9 +77,10 @@ Roles should only be used within your app to consolidate various permissions int
 
 The default Challah installation creates two roles by default: 'Administrator' and 'Default'. Administrators have all permissions, now and in the future. Default users have no permissions other than being able to log in.
 
-To add a permission to a role, add it to the `permission_keys` array:
+Once you've added a few other permissions, you can easily add them to a role. In this case, the `moderator` permission key is added to the default role:
 
-    role.permission_keys << "new_role"
+    role = Role[:default]
+    role.permission_keys = %w( moderator )
     role.save
 
 ## Restricted access

data/lib/challah/authable/user.rb

@@ -211,7 +211,7 @@ module Challah
           end
 
           self.persistence_token = ::Challah::Random.token(125) if self.persistence_token.to_s.blank?
-          self.api_key = ::Challah::Random.token(25) if self.api_key.to_s.blank?
+          self.api_key = ::Challah::Random.token(50) if self.api_key.to_s.blank?
         end
       
         # Saves any updated permission keys to the database for this user.  

data/lib/challah/controller.rb

@@ -124,7 +124,7 @@ module Challah
         #
         # @return [Session] The current browser session.
         def current_user_session
-          @current_user_session ||= Challah::Session.find(request)
+          @current_user_session ||= Challah::Session.find(request, params)
         end
         
         # Checks the current user to see if they have the given permission key. If there is

data/lib/challah/session.rb

@@ -3,8 +3,8 @@ module Challah
     extend ActiveModel::Naming
     include ActiveModel::Conversion
     
-    attr_accessor :return_to, :ip, :user, :store
-    attr_reader :params, :request, :persist
+    attr_accessor :return_to, :ip, :user, :store, :persist
+    attr_reader :params, :request
     
     def initialize(request = nil, params = {})
       @request = request
@@ -24,6 +24,17 @@ module Challah
       @user = nil
     end
     
+    def find
+      self.read
+      
+      # If no session was found, try and authenticate
+      unless valid?
+        self.authenticate!
+      end
+        
+      self
+    end
+    
     def inspect
       "#<Session:0x#{object_id.to_s(16)} valid=#{valid?} store=#{self.store.inspect} user=#{user_id || 'nil'}>"
     end
@@ -49,11 +60,14 @@ module Challah
     end
     
     def save
-      return false unless self.valid?
+      return false unless valid?
       
-      if self.user
+      if self.user and persist?
         self.store.save(self.user.persistence_token, user_id)
+        return true
       end
+      
+      false
     end
     
     # Id of the current user.
@@ -95,6 +109,7 @@ module Challah
         
         if user_record and user_record.active?
           session.user = user_record
+          session.persist = true
         end
         
         session
@@ -117,7 +132,7 @@ module Challah
       # Load any existing session from the session store
       def find(*args)
         session = Session.new(*args)
-        session.read
+        session.find        
         session
       end
     end
@@ -125,13 +140,13 @@ module Challah
     protected
       # Try and authenticate against the various auth techniques. If one
       # technique works, then just exist and make the session active.
-      def authenticate!
-        Challah.techniques.values.each do |klass|
+      def authenticate!        
+        Challah.techniques.values.each do |klass|            
           technique = klass.new(self)
           @user = technique.authenticate
 
           if @user
-            @persist = technique.persist?
+            @persist = technique.respond_to?(:persist?) ? technique.persist? : false
             break
           end
         end

data/lib/challah/techniques/api_key_technique.rb

@@ -1,10 +1,14 @@
 module Challah
   class ApiKeyTechnique
     def initialize(session)
-      @key = session.api_key? ? session.api_key : nil   
+      @key = session.key? ? session.key : nil   
     end
     
     def authenticate
+      # Api key functionality is only enabled with the :api_key_enabled option. This is turned
+      # off by default and must be manually enabled for security reasons.
+      return nil unless Challah.options[:api_key_enabled]
+      
       unless @key.to_s.blank?
         user = ::User.find_by_api_key(@key)
         

data/lib/challah/version.rb

@@ -1,3 +1,3 @@
 module Challah
-  VERSION = "0.3.5" unless defined?(::Challah::VERSION)
+  VERSION = "0.4.0" unless defined?(::Challah::VERSION)
 end

data/lib/challah.rb

@@ -53,6 +53,7 @@ module Challah
     # @option options [Class] :storage_class (CookieStore) The class to use for persistence of sessions.
     def options
       @options ||= {
+        :api_key_enabled => false,
         :cookie_prefix => 'challah',
         :access_denied_view => 'sessions/access_denied',
         :storage_class => CookieStore,

data/test/cookie_store_test.rb

@@ -14,6 +14,7 @@ class CookieStoreTest < ActiveSupport::TestCase
       
       session = Session.new(@request)
       session.store = CookieStore.new(session)
+      session.persist = true
       session.user = @user
       session.save
             
@@ -28,6 +29,7 @@ class CookieStoreTest < ActiveSupport::TestCase
     should "be able to inspect the store" do
       session = Session.new(@request)
       session.store = CookieStore.new(session)
+      session.persist = true
       session.user = @user
       session.save
       
@@ -39,6 +41,7 @@ class CookieStoreTest < ActiveSupport::TestCase
       
       session = Session.new(@request)
       session.store = CookieStore.new(session)
+      session.persist = true
       session.user = @user
       session.save
       
@@ -54,6 +57,7 @@ class CookieStoreTest < ActiveSupport::TestCase
       session.store.stubs(:session_cookie).returns(session_cookie_val)
       
       session2 = Session.new(@request)
+      session2.persist = true
       session2.store = session.store      
       session2.read
       
@@ -75,6 +79,7 @@ class CookieStoreTest < ActiveSupport::TestCase
       session = Session.new(@request)
       session.store = CookieStore.new(session)
       session.user = @user
+      session.persist = true
       
       session.save
       

data/test/helper.rb

@@ -41,11 +41,12 @@ end
 class MockController
   include Challah::Controller
   
-  attr_accessor :request, :session
+  attr_accessor :request, :session, :params
   
   def initialize()
     @request = MockRequest.new
     @session ||= {}
+    @params ||= {}
   end
   
   def redirect_to(*args)

data/test/restrictions_controller_test.rb

@@ -86,5 +86,67 @@ class RestrictionsControllerTest < ActionController::TestCase
         assert_response :success
       end
     end
+    
+    context "With an api key" do
+      setup do
+        @user = Factory(:user)
+      end
+      
+      context "and api_key functionality enabled" do
+        setup do
+          Challah.options[:api_key_enabled] = true
+        end
+        
+        should "get to the index page" do
+          get :index, :key => @user.api_key
+          assert_response :success
+          assert_equal @user, assigns(:current_user)
+        end
+
+        should "get to the edit page" do
+          get :edit, :key => @user.api_key
+          assert_response :success
+        end
+
+        should "get to the show page" do
+          get :show, :key => @user.api_key
+          assert_response :success
+        end
+
+        should "not get to the new page" do
+          get :new, :key => @user.api_key
+
+          assert_template 'sessions/access_denied'
+          assert_response :unauthorized
+        end
+      end
+      
+      context "and api_key functionality disabled" do
+        setup do
+          Challah.options[:api_key_enabled] = false
+        end
+        
+        should "get to the index page" do
+          get :index, :key => @user.api_key
+          assert_response :success
+          assert_equal nil, assigns(:current_user)
+        end
+
+        should "get to the edit page" do
+          get :edit, :key => @user.api_key
+          assert_redirected_to '/login'
+        end
+
+        should "get to the show page" do
+          get :show, :key => @user.api_key
+          assert_redirected_to '/login'
+        end
+
+        should "not get to the new page" do
+          get :new, :key => @user.api_key
+          assert_redirected_to '/login'
+        end
+      end
+    end
   end
 end

data/test/session_test.rb

@@ -113,27 +113,33 @@ class SessionTest < ActiveSupport::TestCase
       assert_equal user, session.user
       assert_equal user.id, session.user_id
       assert_equal true, session.persist?
+      assert_equal true, session.save
       
       User.unstub(:find_for_session)
     end
     
     should "validate with an api key" do
+      Challah.options[:api_key_enabled] = true
+      
       user = Factory(:user, :api_key => '123456abcdefg')
       
       User.stubs(:find_for_session).returns(user)
       
       session = Session.new
       session.ip = '127.0.0.1'
-      session.api_key = '123456abcdefg'
+      session.key = '123456abcdefg'
       
       assert_equal true, session.valid?
       assert_equal user, session.user
       assert_equal user.id, session.user_id      
       assert_equal false, session.persist?
+      assert_equal false, session.save
       
       user.expects(:successful_authentication!).with('127.0.0.1').once
       
       User.unstub(:find_for_session)
+      
+      Challah.options[:api_key_enabled] = false
     end 
     
     should "reject if password is incorrect" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: challah
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.4.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-02-07 00:00:00.000000000Z
+date: 2012-02-08 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: highline
-  requirement: &70280590105920 !ruby/object:Gem::Requirement
+  requirement: &70244762031040 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70280590105920
+  version_requirements: *70244762031040
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &70280590199100 !ruby/object:Gem::Requirement
+  requirement: &70244762124220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: '3.1'
   type: :runtime
   prerelease: false
-  version_requirements: *70280590199100
+  version_requirements: *70244762124220
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &70280590198600 !ruby/object:Gem::Requirement
+  requirement: &70244762123720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: 0.9.2
   type: :runtime
   prerelease: false
-  version_requirements: *70280590198600
+  version_requirements: *70244762123720
 - !ruby/object:Gem::Dependency
   name: bcrypt-ruby
-  requirement: &70280590198140 !ruby/object:Gem::Requirement
+  requirement: &70244762123260 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +54,7 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *70280590198140
+  version_requirements: *70244762123260
 description: A simple ruby gem for authentication, users, roles and permissions.
 email:
 - john@johntornow.com