clearance 0.10.5 → 0.11.0

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+0.11.0
+-------------------
+
+* Removing password confirmation.
+* Use ActiveSupport::Concern and ActiveSupport::SecureRandom to clean up code.
+* New controller#authenticate(params) method. Redefine username & password or other styles of authentication.
+* before_filter :authenticate API replaced with more aptly-named before_filter :authorize.
+
 0.10.5
 -------------------
 

data/README.md

@@ -1,7 +1,7 @@
 Clearance
 =========
 
-Rails authentication with email & password.
+Rails authentication & authorization with email & password.
 
 [We have clearance, Clarence.](http://www.youtube.com/watch?v=fVq4_HhBK8Y)
 
@@ -11,9 +11,8 @@ Help
 ----
 
 * [Documentation](http://rdoc.info/gems/clearance) at RDoc.info.
-* [Patches welcome](http://github.com/thoughtbot/clearance/issues) via Github Issues.
-* [#thoughtbot](irc://irc.freenode.net/thoughtbot) IRC channel on freenode.
-* [Mailing list](http://groups.google.com/group/thoughtbot-clearance) on Google Groups.
+* [Patches and bugs](http://github.com/thoughtbot/clearance/issues) at Github Issues.
+* [Mailing list](http://groups.google.com/group/thoughtbot-clearance) at Google Groups.
 
 Installation
 ------------
@@ -40,11 +39,11 @@ series of Clearance if you have a Rails 2 app.
 Usage
 -----
 
-If you want to authenticate users for a controller action, use the authenticate
+If you want to authorize users for a controller action, use the authorize
 method in a before_filter.
 
     class WidgetsController < ApplicationController
-      before_filter :authenticate
+      before_filter :authorize
       def index
         @widgets = Widget.all
       end

data/VERSION

@@ -1 +1 @@
-0.10.5
+0.11.0

data/app/controllers/clearance/passwords_controller.rb

@@ -1,7 +1,7 @@
 class Clearance::PasswordsController < ApplicationController
   unloadable
 
-  skip_before_filter :authenticate,        :only => [:new, :create, :edit, :update]
+  skip_before_filter :authorize,           :only => [:new, :create, :edit, :update]
   before_filter :forbid_missing_token,     :only => [:edit, :update]
   before_filter :forbid_non_existent_user, :only => [:edit, :update]
 
@@ -31,8 +31,7 @@ class Clearance::PasswordsController < ApplicationController
     @user = ::User.find_by_id_and_confirmation_token(
                    params[:user_id], params[:token])
 
-    if @user.update_password(params[:user][:password],
-                             params[:user][:password_confirmation])
+    if @user.update_password(params[:user][:password])
       sign_in(@user)
       flash_success_after_update
       redirect_to(url_after_update)

data/app/controllers/clearance/sessions_controller.rb

@@ -1,7 +1,7 @@
 class Clearance::SessionsController < ApplicationController
   unloadable
 
-  skip_before_filter :authenticate, :only => [:new, :create, :destroy]
+  skip_before_filter :authorize, :only => [:new, :create, :destroy]
   protect_from_forgery :except => :create
 
   def new
@@ -9,8 +9,7 @@ class Clearance::SessionsController < ApplicationController
   end
 
   def create
-    @user = ::User.authenticate(params[:session][:email],
-                                params[:session][:password])
+    @user = authenticate(params)
     if @user.nil?
       flash_failure_after_create
       render :template => 'sessions/new', :status => :unauthorized

data/app/controllers/clearance/users_controller.rb

@@ -1,7 +1,7 @@
 class Clearance::UsersController < ApplicationController
   unloadable
 
-  skip_before_filter :authenticate, :only => [:new, :create]
+  skip_before_filter :authorize,    :only => [:new, :create]
   before_filter :redirect_to_root,  :only => [:new, :create], :if => :signed_in?
 
   def new
@@ -10,7 +10,7 @@ class Clearance::UsersController < ApplicationController
   end
 
   def create
-    @user = ::User.new params[:user]
+    @user = ::User.new(params[:user])
     if @user.save
       flash_notice_after_create
       sign_in(@user)
@@ -23,7 +23,7 @@ class Clearance::UsersController < ApplicationController
   private
 
   def flash_notice_after_create
-    flash[:notice] = translate(:deliver_confirmation,
+    flash[:notice] = translate(:signed_up,
       :scope   => [:clearance, :controllers, :users],
       :default => "You are now signed up.")
   end

data/app/views/passwords/edit.html.erb

@@ -12,10 +12,6 @@
     <%= form.label :password, "Choose password" %>
     <%= form.password_field :password %>
   </div>
-  <div class="password_field">
-    <%= form.label :password_confirmation, "Confirm password" %>
-    <%= form.password_field :password_confirmation %>
-  </div>
   <div class="submit_field">
     <%= form.submit "Save this password" %>
   </div>

data/app/views/users/_form.html.erb

@@ -7,7 +7,3 @@
   <%= form.label :password %>
   <%= form.password_field :password %>
 </div>
-<div class="password_field">
-  <%= form.label :password_confirmation, "Confirm password" %>
-  <%= form.password_field :password_confirmation %>
-</div>

data/clearance.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Dan Croak", "Mike Burns", "Jason Morrison", "Joe Ferris", "Eugene Bolshakov", "Nick Quaranto", "Josh Nichols", "Mike Breen", "Marcel G\303\266rner", "Bence Nagy", "Ben Mabey", "Eloy Duran", "Tim Pope", "Mihai Anca", "Mark Cornick", "Shay Arnett", "Jon Yurek", "Chad Pytel"]
   s.date        = Date.today.to_s
-  s.summary     = %q{Rails authentication with email & password.}
-  s.description = %q{Rails authentication with email & password.}
+  s.summary     = %q{Rails authentication & authorization with email & password.}
+  s.description = %q{Rails authentication & authorization with email & password.}
   s.extra_rdoc_files = [
     "LICENSE",
     "README.md"

data/features/engine/visitor_resets_password.feature

@@ -15,24 +15,14 @@ Feature: Password reset
     Then I should see "instructions for changing your password"
     And a password reset message should be sent to "email@example.com"
 
-  Scenario: User is signed up updated his password and tries blank password and confirmation
+  Scenario: User tries to reset his password with a blank password
     Given I signed up with "email@example.com/password"
     And I go to the password reset request page
     Then I should see an email field
     And I fill in "Email address" with "email@example.com"
     And I press "Reset password"
     When I follow the password reset link sent to "email@example.com"
-    And I update my password with "/"
-    Then I should see an error message
-    And I should be signed out
-
-  Scenario: User is signed up updated his password and types wrong confirmation
-    Given I signed up with "email@example.com/password"
-    And I go to the password reset request page
-    And I fill in "Email address" with "email@example.com"
-    And I press "Reset password"
-    When I follow the password reset link sent to "email@example.com"
-    And I update my password with "newpassword/wrongconfirmation"
+    And I update my password with ""
     Then I should see an error message
     And I should be signed out
 
@@ -42,7 +32,7 @@ Feature: Password reset
     And I fill in "Email address" with "email@example.com"
     And I press "Reset password"
     When I follow the password reset link sent to "email@example.com"
-    And I update my password with "newpassword/newpassword"
+    And I update my password with "newpassword"
     Then I should be signed in
     When I sign out
     Then I should be signed out
@@ -55,6 +45,6 @@ Feature: Password reset
     And I fill in "Email address" with "email@example.com"
     And I press "Reset password"
     When I follow the password reset link sent to "email@example.com"
-    And I update my password with "newpassword/newpassword"
+    And I update my password with "newpassword"
     Then I should be signed in
 

data/features/engine/visitor_signs_up.feature

@@ -8,16 +8,20 @@ Feature: Sign up
     When I go to the sign up page
     Then I should see an email field
 
-  Scenario: Visitor signs up with invalid data
+  Scenario: Visitor signs up with invalid email
     When I fill in "Email" with "invalidemail"
     And I fill in "Password" with "password"
-    And I fill in "Confirm password" with ""
     And I press "Sign up"
-    Then I should see error messages
+    Then I should see "Email is invalid"
+
+  Scenario: Visitor signs up with blank password
+    When I fill in "Email" with "email@example.com"
+    And I fill in "Password" with ""
+    And I press "Sign up"
+    Then I should see "Password can't be blank"
 
   Scenario: Visitor signs up with valid data
-    When I fill in "Email" with "email@person.com"
+    When I fill in "Email" with "email@example.com"
     And I fill in "Password" with "password"
-    And I fill in "Confirm password" with "password"
     And I press "Sign up"
     Then I should see "signed up"

data/features/step_definitions/engine/clearance_steps.rb

@@ -24,9 +24,8 @@ end
 
 Given /^(?:I am|I have|I) signed up (?:as|with) "(.*)\/(.*)"$/ do |email, password|
   Factory(:user,
-          :email                 => email,
-          :password              => password,
-          :password_confirmation => password)
+          :email    => email,
+          :password => password)
 end
 
 Given /^a user "([^"]*)" exists without a salt, remember token, or password$/ do |email|
@@ -71,9 +70,9 @@ Then /^a password reset message should be sent to "(.*)"$/ do |email|
   assert !user.confirmation_token.blank?
   assert !ActionMailer::Base.deliveries.empty?
   result = ActionMailer::Base.deliveries.any? do |email|
-    email.to == [user.email] &&
+    email.to      == [user.email] &&
     email.subject =~ /password/i &&
-    email.body =~ /#{user.confirmation_token}/
+    email.body    =~ /#{user.confirmation_token}/
   end
   assert result
 end
@@ -111,9 +110,8 @@ When /^I request password reset link to be sent to "(.*)"$/ do |email|
   And %{I press "Reset password"}
 end
 
-When /^I update my password with "(.*)\/(.*)"$/ do |password, confirmation|
+When /^I update my password with "(.*)"$/ do |password|
   And %{I fill in "Choose password" with "#{password}"}
-  And %{I fill in "Confirm password" with "#{confirmation}"}
   And %{I press "Save this password"}
 end
 

data/lib/clearance/authentication.rb

@@ -1,138 +1,135 @@
 module Clearance
   module Authentication
-
-    def self.included(controller) # :nodoc:
-      controller.send(:include, InstanceMethods)
-      controller.extend(ClassMethods)
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :current_user, :signed_in?, :signed_out?
+      hide_action   :current_user, :current_user=,
+                    :signed_in?,   :signed_out?,
+                    :sign_in,      :sign_out,
+                    :authorize, :deny_access
     end
 
-    module ClassMethods
-      def self.extended(controller)
-        controller.helper_method :current_user, :signed_in?, :signed_out?
-        controller.hide_action   :current_user, :current_user=,
-                                 :signed_in?,   :signed_out?,
-                                 :sign_in,      :sign_out,
-                                 :authenticate, :deny_access
-
-      end
+    # User in the current cookie
+    #
+    # @return [User, nil]
+    def current_user
+      @_current_user ||= user_from_cookie
     end
 
-    module InstanceMethods
-      # User in the current cookie
-      #
-      # @return [User, nil]
-      def current_user
-        @_current_user ||= user_from_cookie
-      end
-
-      # Set the current user
-      #
-      # @param [User]
-      def current_user=(user)
-        @_current_user = user
-      end
-
-      # Is the current user signed in?
-      #
-      # @return [true, false]
-      def signed_in?
-        ! current_user.nil?
-      end
+    # Set the current user
+    #
+    # @param [User]
+    def current_user=(user)
+      @_current_user = user
+    end
 
-      # Is the current user signed out?
-      #
-      # @return [true, false]
-      def signed_out?
-        current_user.nil?
-      end
+    # Is the current user signed in?
+    #
+    # @return [true, false]
+    def signed_in?
+      ! current_user.nil?
+    end
 
-      # Deny the user access if they are signed out.
-      #
-      # @example
-      #   before_filter :authenticate
-      def authenticate
-        deny_access unless signed_in?
-      end
+    # Is the current user signed out?
+    #
+    # @return [true, false]
+    def signed_out?
+      current_user.nil?
+    end
 
-      # Sign user in to cookie.
-      #
-      # @param [User]
-      #
-      # @example
-      #   sign_in(@user)
-      def sign_in(user)
-        if user
-          cookies[:remember_token] = {
-            :value   => user.remember_token,
-            :expires => Clearance.configuration.cookie_expiration.call
-          }
-          self.current_user = user
-        end
+    # Sign user in to cookie.
+    #
+    # @param [User]
+    #
+    # @example
+    #   sign_in(@user)
+    def sign_in(user)
+      if user
+        cookies[:remember_token] = {
+          :value   => user.remember_token,
+          :expires => Clearance.configuration.cookie_expiration.call
+        }
+        self.current_user = user
       end
+    end
 
-      # Sign user out of cookie.
-      #
-      # @example
-      #   sign_out
-      def sign_out
-        current_user.reset_remember_token! if current_user
-        cookies.delete(:remember_token)
-        self.current_user = nil
-      end
+    # Sign user out of cookie.
+    #
+    # @example
+    #   sign_out
+    def sign_out
+      current_user.reset_remember_token! if current_user
+      cookies.delete(:remember_token)
+      self.current_user = nil
+    end
 
-      # Store the current location and redirect to sign in.
-      # Display a failure flash message if included.
-      #
-      # @param [String] optional flash message to display to denied user
-      def deny_access(flash_message = nil)
-        store_location
-        flash[:failure] = flash_message if flash_message
-        redirect_to(sign_in_url)
-      end
+    # Find the user by the given params or return nil.
+    # By default, uses email and password.
+    # Redefine this method and User.authenticate for other mechanisms
+    # such as username and password.
+    #
+    # @example
+    #   @user = authenticate(params)
+    def authenticate(params)
+      ::User.authenticate(params[:session][:email],
+                          params[:session][:password])
+    end
 
-      protected
+    # Deny the user access if they are signed out.
+    #
+    # @example
+    #   before_filter :authorize
+    def authorize
+      deny_access unless signed_in?
+    end
 
-      # CSRF protection in Rails >= 3.0.4
-      # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
-      def handle_unverified_request
-        super
-        sign_out
-      end
+    # Store the current location and redirect to sign in.
+    # Display a failure flash message if included.
+    #
+    # @param [String] optional flash message to display to denied user
+    def deny_access(flash_message = nil)
+      store_location
+      flash[:failure] = flash_message if flash_message
+      redirect_to(sign_in_url)
+    end
 
-      def user_from_cookie
-        if token = cookies[:remember_token]
-          ::User.find_by_remember_token(token)
-        end
-      end
+    # CSRF protection in Rails >= 3.0.4
+    # http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
+    def handle_unverified_request
+      super
+      sign_out
+    end
 
-      def sign_user_in(user)
-        warn "[DEPRECATION] sign_user_in: unnecessary. use sign_in(user) instead."
-        sign_in(user)
-      end
+    protected
 
-      def store_location
-        if request.get?
-          session[:return_to] = request.fullpath
-        end
+    def user_from_cookie
+      if token = cookies[:remember_token]
+        ::User.find_by_remember_token(token)
       end
+    end
 
-      def redirect_back_or(default)
-        redirect_to(return_to || default)
-        clear_return_to
+    def store_location
+      if request.get?
+        session[:return_to] = request.fullpath
       end
+    end
 
-      def return_to
-        session[:return_to] || params[:return_to]
-      end
+    def redirect_back_or(default)
+      redirect_to(return_to || default)
+      clear_return_to
+    end
 
-      def clear_return_to
-        session[:return_to] = nil
-      end
+    def return_to
+      session[:return_to] || params[:return_to]
+    end
 
-      def redirect_to_root
-        redirect_to('/')
-      end
+    def clear_return_to
+      session[:return_to] = nil
     end
 
+    def redirect_to_root
+      redirect_to('/')
+    end
   end
 end

data/lib/clearance/engine.rb

@@ -4,7 +4,7 @@ require "rails"
 module Clearance
   class Engine < Rails::Engine
     initializer "clearance.filter" do |app|
-      app.config.filter_parameters += [:token, :password, :password_confirmation]
+      app.config.filter_parameters += [:token, :password]
     end
   end
 end

data/lib/clearance/user.rb

@@ -2,6 +2,7 @@ require 'digest/sha1'
 
 module Clearance
   module User
+    extend ActiveSupport::Concern
 
     # Hook for all Clearance::User modules.
     #
@@ -9,192 +10,165 @@ module Clearance
     # extend and include à la carte.
     #
     # @example
-    #   extend ClassMethods
-    #   include InstanceMethods
-    #   include AttrAccessor
     #   include Callbacks
     #
-    # @see ClassMethods
-    # @see InstanceMethods
-    # @see AttrAccessor
     # @see Validations
     # @see Callbacks
-    def self.included(model)
-      model.extend(ClassMethods)
+    included do
+      attr_accessor :password, :password_changing
 
-      model.send(:include, InstanceMethods)
-      model.send(:include, AttrAccessor)
-      model.send(:include, Validations)
-      model.send(:include, Callbacks)
+      include Validations
+      include Callbacks
     end
 
-    module AttrAccessor
-      # Hook for attr_accessor virtual attributes.
+    module ClassMethods
+      # Authenticate with email and password.
       #
-      # :password, :password_confirmation
-      def self.included(model)
-        model.class_eval do
-          attr_accessor :password, :password_confirmation
-          private
-          attr_accessor :password_changing
-        end
+      # @param [String, String] email and password
+      # @return [User, nil] authenticated user or nil
+      # @example
+      #   User.authenticate("email@example.com", "password")
+      def authenticate(email, password)
+        return nil  unless user = find_by_email(email.to_s.downcase)
+        return user if     user.authenticated?(password)
       end
     end
 
     module Validations
+      extend ActiveSupport::Concern
+
       # Hook for validations.
       #
       # :email must be present, unique, formatted
       #
       # If password is required,
       # :password must be present, confirmed
-      def self.included(model)
-        model.class_eval do
-          validates_presence_of     :email, :unless => :email_optional?
-          validates_uniqueness_of   :email, :case_sensitive => false, :allow_blank => true
-          validates_format_of       :email, :with => %r{^[a-z0-9!#\$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#\$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$}i, :allow_blank => true
-
-          validates_presence_of     :password, :unless => :password_optional?
-          validates_confirmation_of :password
-        end
+      included do
+        validates_presence_of     :email, :unless => :email_optional?
+        validates_uniqueness_of   :email, :case_sensitive => false, :allow_blank => true
+        validates_format_of       :email, :with => %r{^[a-z0-9!#\$%&'*+\/=?^_`{|}~-]+(?:\.[a-z0-9!#\$%&'*+\/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$}i, :allow_blank => true
+
+        validates_presence_of     :password, :unless => :password_optional?
       end
     end
 
     module Callbacks
+      extend ActiveSupport::Concern
+
       # Hook for callbacks.
       #
       # salt, token, password encryption are handled before_save.
-      def self.included(model)
-        model.class_eval do
-          before_validation :downcase_email
-          before_save   :initialize_salt,
-                        :encrypt_password
-          before_create :generate_remember_token
-        end
+      included do
+        before_validation :downcase_email
+        before_save   :initialize_salt,
+                      :encrypt_password
+        before_create :generate_remember_token
       end
     end
 
-    module InstanceMethods
-      # Am I authenticated with given password?
-      #
-      # @param [String] plain-text password
-      # @return [true, false]
-      # @example
-      #   user.authenticated?('password')
-      def authenticated?(password)
-        encrypted_password == encrypt(password)
-      end
-
-      # Set the remember token.
-      #
-      # @deprecated Use {#reset_remember_token!} instead
-      def remember_me!
-        warn "[DEPRECATION] remember_me!: use reset_remember_token! instead"
-        reset_remember_token!
-      end
-
-      # Reset the remember token.
-      #
-      # @example
-      #   user.reset_remember_token!
-      def reset_remember_token!
-        generate_remember_token
-        save(:validate => false)
-      end
+    # Am I authenticated with given password?
+    #
+    # @param [String] plain-text password
+    # @return [true, false]
+    # @example
+    #   user.authenticated?('password')
+    def authenticated?(password)
+      encrypted_password == encrypt(password)
+    end
 
-      # Mark my account as forgotten password.
-      #
-      # @example
-      #   user.forgot_password!
-      def forgot_password!
-        generate_confirmation_token
-        save(:validate => false)
-      end
+    # Set the remember token.
+    #
+    # @deprecated Use {#reset_remember_token!} instead
+    def remember_me!
+      warn "[DEPRECATION] remember_me!: use reset_remember_token! instead"
+      reset_remember_token!
+    end
 
-      # Update my password.
-      #
-      # @param [String, String] password and password confirmation
-      # @return [true, false] password was updated or not
-      # @example
-      #   user.update_password('new-password', 'new-password')
-      def update_password(new_password, new_password_confirmation)
-        self.password_changing     = true
-        self.password              = new_password
-        self.password_confirmation = new_password_confirmation
-        if valid?
-          self.confirmation_token = nil
-          generate_remember_token
-        end
-        save
-      end
+    # Reset the remember token.
+    #
+    # @example
+    #   user.reset_remember_token!
+    def reset_remember_token!
+      generate_remember_token
+      save(:validate => false)
+    end
 
-      protected
+    # Mark my account as forgotten password.
+    #
+    # @example
+    #   user.forgot_password!
+    def forgot_password!
+      generate_confirmation_token
+      save(:validate => false)
+    end
 
-      def generate_hash(string)
-        Digest::SHA1.hexdigest(string)
+    # Update my password.
+    #
+    # @return [true, false] password was updated or not
+    # @example
+    #   user.update_password('new-password')
+    def update_password(new_password)
+      self.password_changing = true
+      self.password          = new_password
+      if valid?
+        self.confirmation_token = nil
+        generate_remember_token
       end
+      save
+    end
 
-      def encrypt(string)
-        generate_hash("--#{salt}--#{string}--")
-      end
+    protected
 
-      def initialize_salt
-        if salt.blank?
-          self.salt = generate_hash("--#{Time.now.utc}--#{password}--#{rand}--")
-        end
-      end
+    def generate_hash(string)
+      Digest::SHA1.hexdigest(string)
+    end
 
-      def encrypt_password
-        if password.present?
-          self.encrypted_password = encrypt(password)
-        end
-      end
+    def encrypt(string)
+      generate_hash("--#{salt}--#{string}--")
+    end
 
-      def generate_remember_token
-        self.remember_token = encrypt("--#{Time.now.utc}--#{encrypted_password}--#{id}--#{rand}--")
+    def initialize_salt
+      if salt.blank?
+        self.salt = ActiveSupport::SecureRandom.hex(20)
       end
+    end
 
-      def generate_confirmation_token
-        self.confirmation_token = encrypt("--#{Time.now.utc}--#{password}--#{rand}--")
+    def encrypt_password
+      if password.present?
+        self.encrypted_password = encrypt(password)
       end
+    end
 
-      # Always false. Override to allow other forms of authentication
-      # (username, facebook, etc).
-      # @return [Boolean] true if the email field be left blank for this user
-      def email_optional?
-        false
-      end
+    def generate_remember_token
+      self.remember_token = ActiveSupport::SecureRandom.hex(20)
+    end
 
-      # True if the password has been set and the password is not being
-      # updated and we are not updating the password. Override to allow
-      # other forms of authentication (username, facebook, etc).
-      # @return [Boolean] true if the password field can be left blank for this user
-      def password_optional?
-        encrypted_password.present? && password.blank? && password_changing.blank?
-      end
+    def generate_confirmation_token
+      self.confirmation_token = ActiveSupport::SecureRandom.hex(20)
+    end
 
-      def password_required?
-        # warn "[DEPRECATION] password_required?: use !password_optional? instead"
-        !password_optional?
-      end
+    # Always false. Override to allow other forms of authentication
+    # (username, facebook, etc).
+    # @return [Boolean] true if the email field be left blank for this user
+    def email_optional?
+      false
+    end
 
-      def downcase_email
-        self.email = email.to_s.downcase
-      end
+    # True if the password has been set and the password is not being
+    # updated and we are not updating the password. Override to allow
+    # other forms of authentication (username, facebook, etc).
+    # @return [Boolean] true if the password field can be left blank for this user
+    def password_optional?
+      encrypted_password.present? && password.blank? && password_changing.blank?
     end
 
-    module ClassMethods
-      # Authenticate with email and password.
-      #
-      # @param [String, String] email and password
-      # @return [User, nil] authenticated user or nil
-      # @example
-      #   User.authenticate("email@example.com", "password")
-      def authenticate(email, password)
-        return nil  unless user = find_by_email(email.to_s.downcase)
-        return user if     user.authenticated?(password)
-      end
+    def password_required?
+      # warn "[DEPRECATION] password_required?: use !password_optional? instead"
+      !password_optional?
     end
 
+    def downcase_email
+      self.email = email.to_s.downcase
+    end
   end
 end

data/spec/controllers/forgeries_controller_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 class ForgeriesController < ActionController::Base
   include Clearance::Authentication
   protect_from_forgery
-  before_filter :authenticate
+  before_filter :authorize
 
   # This is off in test by default, but we need it for this test
   self.allow_forgery_protection = true

data/spec/controllers/passwords_controller_spec.rb

@@ -1,7 +1,6 @@
 require 'spec_helper'
 
 describe Clearance::PasswordsController do
-
   include Shoulda::ActionMailer::Matchers
 
   it { should route(:get, '/users/1/password/edit').
@@ -101,18 +100,17 @@ describe Clearance::PasswordsController do
       it { should render_template(:new) }
     end
 
-    describe "on PUT to #update with matching password and password confirmation" do
+    describe "on PUT to #update with password" do
       before do
         new_password = "new_password"
         @encrypted_new_password = @user.send(:encrypt, new_password)
         @user.encrypted_password.should_not == @encrypted_new_password
 
         put(:update,
-            :user_id  => @user,
-            :token    => @user.confirmation_token,
-            :user     => {
-              :password              => new_password,
-              :password_confirmation => new_password
+            :user_id => @user,
+            :token   => @user.confirmation_token,
+            :user    => {
+              :password => new_password
             })
         @user.reload
       end
@@ -133,17 +131,13 @@ describe Clearance::PasswordsController do
       it { should redirect_to_url_after_update }
     end
 
-    describe "on PUT to #update with password but blank password confirmation" do
+    describe "on PUT to #update with blank password" do
       before do
-        new_password = "new_password"
-        @encrypted_new_password = @user.send(:encrypt, new_password)
-
         put(:update,
             :user_id => @user.to_param,
             :token   => @user.confirmation_token,
             :user    => {
-              :password => new_password,
-              :password_confirmation => ''
+              :password => ''
             })
         @user.reload
       end
@@ -173,5 +167,4 @@ describe Clearance::PasswordsController do
       sign_in_as @user_one
     end
   end
-
 end

data/spec/controllers/sessions_controller_spec.rb

@@ -156,5 +156,4 @@ describe Clearance::SessionsController do
       @controller.current_user.should be_nil
     end
   end
-
 end

data/spec/factories.rb

@@ -3,9 +3,8 @@ Factory.sequence :email do |n|
 end
 
 Factory.define :user do |user|
-  user.email                 { Factory.next :email }
-  user.password              { "password" }
-  user.password_confirmation { |instance| instance.password }
+  user.email    { Factory.next :email }
+  user.password { "password" }
 end
 
 Factory.define :email_confirmed_user, :parent => :user do |user|

data/spec/models/user_spec.rb

@@ -20,20 +20,6 @@ describe User do
     it { should_not allow_value("foo").for(:email) }
     it { should_not allow_value("example.com").for(:email) }
 
-    it "should require password confirmation on create" do
-      user = Factory.build(:user, :password              => 'blah',
-                                  :password_confirmation => 'boogidy')
-      (user.save).should_not be
-      user.errors[:password].should be_any
-    end
-
-    it "should require non blank password confirmation on create" do
-      user = Factory.build(:user, :password              => 'blah',
-                                  :password_confirmation => '')
-      (user.save).should_not be
-      user.errors[:password].should be_any
-    end
-
     it "should initialize salt" do
       Factory(:user).salt.should_not be_nil
     end
@@ -112,9 +98,9 @@ describe User do
       @old_encrypted_password = @user.encrypted_password
     end
 
-    describe "who updates password with confirmation" do
+    describe "who updates password" do
       before do
-        @user.update_password("new_password", "new_password")
+        @user.update_password("new_password")
       end
 
       it "should change encrypted password" do
@@ -126,12 +112,8 @@ describe User do
   it "should not generate the same remember token for users with the same password at the same time" do
     Time.stubs(:now => Time.now)
     password    = 'secret'
-    first_user  = Factory(:user,
-                          :password              => password,
-                          :password_confirmation => password)
-    second_user = Factory(:user,
-                          :password              => password,
-                          :password_confirmation => password)
+    first_user  = Factory(:user, :password => password)
+    second_user = Factory(:user, :password => password)
 
     second_user.remember_token.should_not == first_user.remember_token
   end
@@ -155,9 +137,9 @@ describe User do
       end
 
       describe "and then updates password" do
-        describe 'with confirmation' do
+        describe 'with password' do
           before do
-            @user.update_password("new_password", "new_password")
+            @user.update_password("new_password")
           end
 
           it "should change encrypted password" do
@@ -169,23 +151,9 @@ describe User do
           end
         end
 
-        describe 'without confirmation' do
-          before do
-            @user.update_password("new_password", "")
-          end
-
-          it "should not change encrypted password" do
-            @old_encrypted_password.should == @user.encrypted_password
-          end
-
-          it "should not clear confirmation token" do
-            @user.confirmation_token.should_not be_nil
-          end
-        end
-
-        describe 'with blank password and confirmation' do
+        describe 'with blank password' do
           before do
-            @user.update_password("", "")
+            @user.update_password("")
           end
 
           it "does not change encrypted password" do
@@ -251,7 +219,7 @@ describe User do
     end
 
     it "should initialize salt, generate remember token, and save encrypted password on update_password" do
-      @user.update_password('password', 'password')
+      @user.update_password('password')
       @user.salt.should_not be_nil
       @user.encrypted_password.should_not be_nil
       @user.remember_token.should_not be_nil

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 10
-  - 5
-  version: 0.10.5
+  - 11
+  - 0
+  version: 0.11.0
 platform: ruby
 authors: 
 - Dan Croak
@@ -31,7 +31,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-19 00:00:00 -04:00
+date: 2011-04-24 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -94,7 +94,7 @@ dependencies:
         version: 0.10.0
   type: :development
   version_requirements: *id004
-description: Rails authentication with email & password.
+description: Rails authentication & authorization with email & password.
 email: support@thoughtbot.com
 executables: []
 
@@ -124,7 +124,6 @@ files:
 - app/views/passwords/new.html.erb
 - app/views/sessions/new.html.erb
 - app/views/users/_form.html.erb
-- app/views/users/_inputs.html.erb
 - app/views/users/new.html.erb
 - clearance.gemspec
 - config/routes.rb
@@ -197,7 +196,7 @@ rubyforge_project:
 rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
-summary: Rails authentication with email & password.
+summary: Rails authentication & authorization with email & password.
 test_files: 
 - features/engine/visitor_resets_password.feature
 - features/engine/visitor_signs_in.feature

data/app/views/users/_inputs.html.erb

@@ -1,6 +0,0 @@
-<%= form.inputs do %>
-  <%= form.input :email %>
-  <%= form.input :password %>
-  <%= form.input :password_confirmation, :label => "Confirm password" %>
-<% end %>
-