clearance 0.16.3 → 1.0.0.rc1

data/lib/clearance.rb

@@ -5,3 +5,4 @@ require 'clearance/authentication'
 require 'clearance/user'
 require 'clearance/engine'
 require 'clearance/password_strategies'
+require 'clearance/constraints'

data/lib/clearance/authentication.rb

@@ -4,90 +4,58 @@ module Clearance
 
     included do
       helper_method :current_user, :signed_in?, :signed_out?
-      hide_action   :current_user, :current_user=,
-                    :signed_in?,   :signed_out?,
-                    :sign_in,      :sign_out,
-                    :authorize,    :deny_access
+      hide_action :authorize, :current_user, :current_user=, :deny_access,
+        :sign_in, :sign_out, :signed_in?, :signed_out?
+    end
+
+    def authenticate(params)
+      Clearance.configuration.user_model.authenticate(
+        params[:session][:email], params[:session][:password]
+      )
+    end
+
+    def authorize
+      unless signed_in?
+        deny_access
+      end
     end
 
-    # Finds the user from the rack clearance session
-    #
-    # @return [User, nil]
     def current_user
       clearance_session.current_user
     end
 
-    # Set the current user
-    #
-    # @param [User]
     def current_user=(user)
       clearance_session.sign_in user
     end
 
-    # Is the current user signed in?
-    #
-    # @return [true, false]
-    def signed_in?
-      clearance_session.signed_in?
-    end
+    def deny_access(flash_message = nil)
+      store_location
 
-    # Is the current user signed out?
-    #
-    # @return [true, false]
-    def signed_out?
-      !signed_in?
+      if flash_message
+        flash[:notice] = flash_message
+      end
+
+      if signed_in?
+        redirect_to url_after_denied_access_when_signed_in
+      else
+        redirect_to url_after_denied_access_when_signed_out
+      end
     end
 
-    # Sign user in to cookie.
-    #
-    # @param [User]
-    #
-    # @example
-    #   sign_in(@user)
     def sign_in(user)
       clearance_session.sign_in user
     end
 
-    # Sign user out of cookie.
-    #
-    # @example
-    #   sign_out
     def sign_out
       clearance_session.sign_out
     end
 
-    # Find the user by the given params or return nil.
-    # By default, uses email and password.
-    # Redefine this method and User.authenticate for other mechanisms
-    # such as username and password.
-    #
-    # @example
-    #   @user = authenticate(params)
-    def authenticate(params)
-      Clearance.configuration.user_model.authenticate(params[:session][:email],
-                                                      params[:session][:password])
-    end
-
-    # Deny the user access if they are signed out.
-    #
-    # @example
-    #   before_filter :authorize
-    def authorize
-      deny_access unless signed_in?
+    def signed_in?
+      clearance_session.signed_in?
     end
 
-    # Store the current location and redirect to sign in.
-    # Display a failure flash message if included.
-    #
-    # @param [String] optional flash message to display to denied user
-    def deny_access(flash_message = nil)
-      store_location
-      flash[:notice] = flash_message if flash_message
-      if signed_in?
-        redirect_to(url_after_denied_access_when_signed_in)
-      else
-        redirect_to(url_after_denied_access_when_signed_out)
-      end
+    def signed_out?
+      !signed_in?
     end
 
     # CSRF protection in Rails >= 3.0.4
@@ -99,6 +67,10 @@ module Clearance
 
     protected
 
+    def clear_return_to
+      session[:return_to] = nil
+    end
+
     def clearance_session
       request.env[:clearance]
     end
@@ -114,18 +86,14 @@ module Clearance
       clear_return_to
     end
 
-    def return_to
-      session[:return_to] || params[:return_to]
-    end
-
-    def clear_return_to
-      session[:return_to] = nil
-    end
-
     def redirect_to_root
       redirect_to('/')
     end
 
+    def return_to
+      session[:return_to] || params[:return_to]
+    end
+
     def url_after_denied_access_when_signed_in
       '/'
     end

data/lib/clearance/configuration.rb

@@ -1,10 +1,10 @@
 module Clearance
   class Configuration
-    attr_accessor :mailer_sender, :cookie_expiration, :password_strategy, :user_model
+    attr_accessor :cookie_expiration, :mailer_sender, :password_strategy, :user_model
 
     def initialize
-      @mailer_sender = 'reply@example.com'
       @cookie_expiration = lambda { 1.year.from_now.utc }
+      @mailer_sender = 'reply@example.com'
     end
 
     def user_model
@@ -16,23 +16,8 @@ module Clearance
     attr_accessor :configuration
   end
 
-  # Configure Clearance someplace sensible,
-  # like config/initializers/clearance.rb
-  #
-  # If you want users to only be signed in during the current session
-  # instead of being remembered, do this:
-  #
-  #   config.cookie_expiration = lambda { }
-  #
-  # @example
-  #   Clearance.configure do |config|
-  #     config.mailer_sender     = 'me@example.com'
-  #     config.cookie_expiration = lambda { 2.weeks.from_now.utc }
-  #     config.password_strategy = MyPasswordStrategy
-  #     config.user_model        = MyNamespace::MyUser
-  #   end
   def self.configure
     self.configuration ||= Configuration.new
-    yield(configuration)
+    yield configuration
   end
 end

data/lib/clearance/constraints.rb

@@ -0,0 +1,2 @@
+require 'clearance/constraints/signed_in'
+require 'clearance/constraints/signed_out'

data/lib/clearance/constraints/signed_in.rb

@@ -0,0 +1,28 @@
+module Clearance
+  module Constraints
+    class SignedIn
+      def initialize(&block)
+        @block = block || lambda { |user| true }
+      end
+
+      def matches?(request)
+        @request = request
+        signed_in? && current_user_fulfills_additional_requirements?
+      end
+
+      private
+
+      def current_user
+        @request.env[:clearance].current_user
+      end
+
+      def current_user_fulfills_additional_requirements?
+        @block.call current_user
+      end
+
+      def signed_in?
+        @request.env[:clearance].signed_in?
+      end
+    end
+  end
+end

data/lib/clearance/constraints/signed_out.rb

@@ -0,0 +1,9 @@
+module Clearance
+  module Constraints
+    class SignedOut
+      def matches?(request)
+        request.env[:clearance].signed_out?
+      end
+    end
+  end
+end

data/lib/clearance/engine.rb

@@ -1,10 +1,10 @@
-require "clearance"
-require "rails"
+require 'clearance'
+require 'rails'
 
 module Clearance
   class Engine < Rails::Engine
-    initializer "clearance.filter" do |app|
-      app.config.filter_parameters += [:token, :password]
+    initializer 'clearance.filter' do |app|
+      app.config.filter_parameters += [:password, :token]
     end
 
     config.app_middleware.insert_after ActionDispatch::Cookies, Clearance::RackSession

data/lib/clearance/password_strategies.rb

@@ -1,6 +1,10 @@
 module Clearance
   module PasswordStrategies
-    autoload :SHA1, 'clearance/password_strategies/sha1'
+    autoload :BCrypt, 'clearance/password_strategies/bcrypt'
+    autoload :BCryptMigrationFromSHA1,
+      'clearance/password_strategies/bcrypt_migration_from_sha1'
     autoload :Blowfish, 'clearance/password_strategies/blowfish'
+    autoload :Fake, 'clearance/password_strategies/fake'
+    autoload :SHA1, 'clearance/password_strategies/sha1'
   end
 end

data/lib/clearance/password_strategies/bcrypt.rb

@@ -0,0 +1,27 @@
+module Clearance
+  module PasswordStrategies
+    module BCrypt
+      require 'bcrypt'
+
+      extend ActiveSupport::Concern
+
+      def authenticated?(password)
+        ::BCrypt::Password.new(encrypted_password) == password
+      end
+
+      def password=(new_password)
+        @password = new_password
+
+        if new_password.present?
+          self.encrypted_password = encrypt(new_password)
+        end
+      end
+
+      private
+
+      def encrypt(password)
+        ::BCrypt::Password.create(password)
+      end
+    end
+  end
+end

data/lib/clearance/password_strategies/bcrypt_migration_from_sha1.rb

@@ -0,0 +1,52 @@
+module Clearance
+  module PasswordStrategies
+    module BCryptMigrationFromSHA1
+      class BCryptUser
+        include Clearance::PasswordStrategies::BCrypt
+
+        def initialize(user)
+          @user = user
+        end
+
+        delegate :encrypted_password, :encrypted_password=, to: :@user
+      end
+
+      class SHA1User
+        include Clearance::PasswordStrategies::SHA1
+
+        def initialize(user)
+          @user = user
+        end
+
+        delegate :salt, :salt=, :encrypted_password, :encrypted_password=, to: :@user
+      end
+
+      def authenticated?(password)
+        authenticated_with_sha1?(password) || authenticated_with_bcrypt?(password)
+      end
+
+      def password=(new_password)
+        BCryptUser.new(self).password = new_password
+      end
+
+      private
+
+      def authenticated_with_bcrypt?(password)
+        BCryptUser.new(self).authenticated? password
+      end
+
+      def authenticated_with_sha1?(password)
+        if sha1_password?
+          if SHA1User.new(self).authenticated? password
+            self.password = password
+            true
+          end
+        end
+      end
+
+      def sha1_password?
+        self.encrypted_password =~ /^[a-f0-9]{40}$/
+      end
+    end
+  end
+end

data/lib/clearance/password_strategies/blowfish.rb

@@ -3,35 +3,31 @@ require 'openssl'
 module Clearance
   module PasswordStrategies
     module Blowfish
-      # Am I authenticated with given password?
-      #
-      # @param [String] plain-text password
-      # @return [true, false]
-      # @example
-      #   user.authenticated?('password')
       def authenticated?(password)
         encrypted_password == encrypt(password)
       end
 
-      protected
-
-      def encrypt_password
+      def password=(new_password)
+        @password = new_password
         initialize_salt_if_necessary
-        if password.present?
-          self.encrypted_password = encrypt(password)
+
+        if new_password.present?
+          self.encrypted_password = encrypt(new_password)
         end
       end
 
+      protected
+
+      def encrypt(string)
+        generate_hash("--#{salt}--#{string}--")
+      end
+
       def generate_hash(string)
         cipher = OpenSSL::Cipher::Cipher.new('bf-cbc').encrypt
         cipher.key = Digest::SHA256.digest(salt)
         cipher.update(string) << cipher.final
       end
 
-      def encrypt(string)
-        generate_hash("--#{salt}--#{string}--")
-      end
-
       def initialize_salt_if_necessary
         if salt.blank?
           self.salt = generate_random_code

data/lib/clearance/password_strategies/fake.rb

@@ -0,0 +1,23 @@
+module Clearance
+  module PasswordStrategies
+    module Fake
+      extend ActiveSupport::Concern
+
+      def authenticated?(password)
+        encrypted_password == password
+      end
+
+      def encrypt(password)
+        password
+      end
+
+      def password=(new_password)
+        @password = new_password
+
+        if new_password.present?
+          self.encrypted_password = encrypt(password)
+        end
+      end
+    end
+  end
+end

data/lib/clearance/password_strategies/sha1.rb

@@ -1,37 +1,31 @@
-require 'digest/sha1'
-
 module Clearance
   module PasswordStrategies
     module SHA1
-      # Am I authenticated with given password?
-      #
-      # @param [String] plain-text password
-      # @return [true, false]
-      # @example
-      #   user.authenticated?('password')
+      require 'digest/sha1'
+
+      extend ActiveSupport::Concern
+
       def authenticated?(password)
         encrypted_password == encrypt(password)
       end
 
-      protected
-
-      def encrypt_password
+      def password=(new_password)
+        @password = new_password
         initialize_salt_if_necessary
-        if password.present?
-          self.encrypted_password = encrypt(password)
-        end
-      end
 
-      def generate_hash(string)
-        if RUBY_VERSION >= '1.9'
-          Digest::SHA1.hexdigest(string).encode('UTF-8')
-        else
-          Digest::SHA1.hexdigest(string)
+        if new_password.present?
+          self.encrypted_password = encrypt(new_password)
         end
       end
 
+      private
+
       def encrypt(string)
-        generate_hash("--#{salt}--#{string}--")
+        generate_hash "--#{salt}--#{string}--"
+      end
+
+      def generate_hash(string)
+        Digest::SHA1.hexdigest(string).encode 'UTF-8'
       end
 
       def initialize_salt_if_necessary