dacz-authuser 0.1.2

data/generators/authuser_features/templates/features/password_reset.feature

@@ -0,0 +1,33 @@
+Feature: Password reset
+  In order to sign in even if user forgot their password
+  A user
+  Should be able to reset it
+
+    Scenario: User is not signed up
+      Given no user exists with an email of "email@person.com"
+      When I request password reset link to be sent to "email@person.com"
+      Then I should see "Unknown email"
+
+    Scenario: User is signed up and requests password reset
+      Given I signed up with "email@person.com/password"
+      When I request password reset link to be sent to "email@person.com"
+      Then I should see "instructions for changing your password"
+      And a password reset message should be sent to "email@person.com"
+
+    Scenario: User is signed up updated his password and types wrong confirmation
+      Given I signed up with "email@person.com/password"
+      When I follow the password reset link sent to "email@person.com"
+      And I update my password with "newpassword/wrongconfirmation"
+      Then I should see error messages
+      And I should be signed out
+
+    Scenario: User is signed up and updates his password
+      Given I signed up with "email@person.com/password"
+      When I follow the password reset link sent to "email@person.com"
+      And I update my password with "newpassword/newpassword"
+      Then I should be signed in
+      When I sign out
+      Then I should be signed out
+      And I sign in as "email@person.com/newpassword"
+      Then I should be signed in
+

data/generators/authuser_features/templates/features/step_definitions/authuser_steps.rb

@@ -0,0 +1,110 @@
+# General
+
+Then /^I should see error messages$/ do
+  assert_match /error(s)? prohibited/m, response.body
+end
+
+# Database
+
+Given /^no user exists with an email of "(.*)"$/ do |email|
+  assert_nil User.find_by_email(email)
+end
+
+Given /^I signed up with "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :user,
+    :email                 => email,
+    :password              => password,
+    :password_confirmation => password
+end 
+
+Given /^I am signed up and confirmed as "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :email_confirmed_user,
+    :email                 => email,
+    :password              => password,
+    :password_confirmation => password
+end
+
+# Session
+
+Then /^I should be signed in$/ do
+  assert controller.signed_in?
+end
+
+Then /^I should be signed out$/ do
+  assert ! controller.signed_in?
+end
+
+When /^session is cleared$/ do
+  request.reset_session
+  controller.instance_variable_set(:@_current_user, nil)
+end
+
+# Emails
+
+Then /^a confirmation message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /confirm/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the confirmation link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit new_user_confirmation_path(:user_id => user, :token => user.token)
+end
+
+Then /^a password reset message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /password/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the password reset link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user, :token => user.token)
+end
+
+When /^I try to change the password of "(.*)" without token$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user)
+end
+
+Then /^I should be forbidden$/ do
+  assert_response :forbidden
+end
+
+# Actions
+
+When /^I sign in( with "remember me")? as "(.*)\/(.*)"$/ do |remember, email, password|
+  When %{I go to the sign in page}
+  And %{I fill in "Email" with "#{email}"}
+  And %{I fill in "Password" with "#{password}"}
+  And %{I check "Remember me"} if remember
+  And %{I press "Sign In"}
+end
+
+When /^I sign out$/ do
+  visit '/session', :delete
+end
+
+When /^I request password reset link to be sent to "(.*)"$/ do |email|
+  When %{I go to the password reset request page}
+  And %{I fill in "Email address" with "#{email}"}
+  And %{I press "Reset password"}
+end
+
+When /^I update my password with "(.*)\/(.*)"$/ do |password, confirmation|
+  And %{I fill in "Choose password" with "#{password}"}
+  And %{I fill in "Confirm password" with "#{confirmation}"}
+  And %{I press "Save this password"}
+end
+
+When /^I return next time$/ do
+  When %{session is cleared}
+  And %{I go to the homepage}
+end

data/generators/authuser_features/templates/features/step_definitions/factory_girl_steps.rb

@@ -0,0 +1,5 @@
+Factory.factories.each do |name, factory|
+  Given /^an? #{name} exists with an? (.*) of "([^"]*)"$/ do |attr, value|
+    Factory(name, attr.gsub(' ', '_') => value)
+  end
+end

data/generators/authuser_features/templates/features/support/paths.rb

@@ -0,0 +1,22 @@
+module NavigationHelpers
+  def path_to(page_name)
+    case page_name
+    
+    when /the homepage/i
+      root_path
+    when /the sign up page/i
+      new_user_path
+    when /the sign in page/i
+      new_session_path
+    when /the password reset request page/i
+      new_password_path
+    
+    # Add more page name => path mappings here
+    
+    else
+      raise "Can't find mapping from \"#{page_name}\" to a path."
+    end
+  end
+end
+ 
+World(NavigationHelpers)

data/generators/authuser_features/templates/features/user_login.feature

@@ -0,0 +1,42 @@
+Feature: Sign in
+  In order to get access to protected sections of the site
+  A user
+  Should be able to sign in
+
+    Scenario: User is not signed up
+      Given no user exists with an email of "email@person.com"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "Bad email or password"
+      And I should be signed out
+
+    Scenario: User is not confirmed
+      Given I signed up with "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "User has not confirmed email"
+      And I should be signed out
+
+   Scenario: User enters wrong password
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/wrongpassword"
+      Then I should see "Bad email or password"
+      And I should be signed out
+
+   Scenario: User signs in successfully
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "Signed in"
+      And I should be signed in
+
+   Scenario: User signs in and checks "remember me"
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in with "remember me" as "email@person.com/password"
+      Then I should see "Signed in"
+      And I should be signed in
+      When I return next time
+      Then I should be signed in
+

data/generators/authuser_features/templates/features/user_logout.feature

@@ -0,0 +1,23 @@
+Feature: Sign out
+  To protect my account from unauthorized access
+  A signed in user
+  Should be able to sign out
+
+    Scenario: User signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "Signed out"
+      And I should be signed out
+
+    Scenario: User who was remembered signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in with "remember me" as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "Signed out"
+      And I should be signed out
+      When I return next time
+      Then I should be signed out
+

data/generators/authuser_features/templates/features/user_register.feature

@@ -0,0 +1,28 @@
+Feature: Sign up
+  In order to get access to protected sections of the site
+  A user
+  Should be able to sign up
+
+    Scenario: User signs up with invalid data
+      When I go to the sign up page
+      And I fill in "Email" with "invalidemail"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with ""
+      And I press "Sign Up"
+      Then I should see error messages
+
+    Scenario: User signs up with valid data
+      When I go to the sign up page
+      And I fill in "Email" with "email@person.com"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with "password"
+      And I press "Sign Up"
+      Then I should see "instructions for confirming"
+      And a confirmation message should be sent to "email@person.com"
+
+    Scenario: User confirms his account
+      Given I signed up with "email@person.com/password"
+      When I follow the confirmation link sent to "email@person.com"
+      Then I should see "Confirmed email and signed in"
+      And I should be signed in
+

data/lib/authuser.rb

@@ -0,0 +1,20 @@
+require 'authuser/extensions/errors'
+require 'authuser/extensions/rescue'
+
+require 'authuser/authentication'
+require 'authuser/user'
+require 'authuser/version'
+
+class ActionController::Routing::RouteSet
+  def load_routes_with_authuser!
+    lib_path = File.dirname(__FILE__)
+    authuser_routes = File.join(lib_path, *%w[.. config authuser_routes.rb])
+    unless configuration_files.include?(authuser_routes)
+      add_configuration_file(authuser_routes)
+    end
+    load_routes_without_authuser!
+  end
+
+  alias_method_chain :load_routes!, :authuser
+end
+

data/lib/authuser/authentication.rb

@@ -0,0 +1,96 @@
+module Authuser
+  module Authentication
+
+    def self.included(controller)
+      controller.send(:include, InstanceMethods)
+
+      controller.class_eval do
+        helper_method :current_user
+        helper_method :signed_in?
+
+        hide_action :current_user, :signed_in?
+      end
+    end
+
+    module InstanceMethods
+      def current_user
+        @_current_user ||= (user_from_cookie || user_from_session)
+      end
+
+      def signed_in?
+        ! current_user.nil?
+      end
+
+      protected
+
+      def authenticate
+        deny_access unless signed_in?
+      end
+
+      def user_from_session
+        if session[:user_id]
+          return nil  unless user = ::User.find_by_id(session[:user_id])
+          return user if     user.email_confirmed?
+        end
+      end
+
+      def user_from_cookie
+        if token = cookies[:remember_token]
+          return nil  unless user = ::User.find_by_token(token)
+          return user if     user.remember?
+        end
+      end
+
+      def sign_user_in(user)
+        sign_in(user)
+      end
+
+      def sign_in(user)
+        if user
+          session[:user_id] = user.id
+        end
+      end
+
+      def remember?
+        params[:session] && params[:session][:remember_me] == "1"
+      end
+
+      def remember(user)
+        user.remember_me!
+        cookies[:remember_token] = { :value   => user.token,
+                                     :expires => user.token_expires_at }
+      end
+
+      def forget(user)
+        user.forget_me! if user
+        cookies.delete :remember_token
+        reset_session
+      end
+
+      def redirect_back_or(default)
+        session[:return_to] ||= params[:return_to]
+        if session[:return_to]
+          redirect_to(session[:return_to])
+        else
+          redirect_to(default)
+        end
+        session[:return_to] = nil
+      end
+
+      def redirect_to_root
+        redirect_to root_url
+      end
+
+      def store_location
+        session[:return_to] = request.request_uri if request.get?
+      end
+
+      def deny_access(flash_message = nil, opts = {})
+        store_location
+        flash[:failure] = flash_message if flash_message
+        redirect_to new_session_url
+      end
+    end
+
+  end
+end

data/lib/authuser/extensions/errors.rb

@@ -0,0 +1,4 @@
+module ActionController
+  class Forbidden < StandardError
+  end
+end

data/lib/authuser/extensions/rescue.rb

@@ -0,0 +1 @@
+ActionController::Base.rescue_responses.update('ActionController::Forbidden' => :forbidden)

data/lib/authuser/user.rb

@@ -0,0 +1,143 @@
+require 'digest/sha1'
+
+module Authuser
+  module User
+
+    def self.included(model)
+      model.extend(ClassMethods)
+
+      model.send(:include, InstanceMethods)
+      model.send(:include, AttrAccessible)
+      model.send(:include, AttrAccessor)
+      model.send(:include, Validations)
+      model.send(:include, Callbacks)
+    end
+
+    module AttrAccessible
+      def self.included(model)
+        model.class_eval do
+          attr_accessible :email, :password, :password_confirmation
+        end
+      end
+    end
+
+    module AttrAccessor
+      def self.included(model)
+        model.class_eval do
+          attr_accessor :password, :password_confirmation
+        end
+      end
+    end
+
+    module Validations
+      def self.included(model)
+        model.class_eval do
+          validates_presence_of     :email
+          validates_uniqueness_of   :email, :case_sensitive => false
+          validates_format_of       :email, :with => %r{.+@.+\..+}
+
+          validates_presence_of     :password, :if => :password_required?
+          validates_confirmation_of :password, :if => :password_required?
+        end
+      end
+    end
+
+    module Callbacks
+      def self.included(model)
+        model.class_eval do
+          before_save :initialize_salt, :encrypt_password, :initialize_token
+        end
+      end
+    end
+
+    module InstanceMethods
+      def authenticated?(password)
+        encrypted_password == encrypt(password)
+      end
+
+      def encrypt(string)
+        generate_hash("--#{salt}--#{string}--")
+      end
+
+      def remember?
+        token_expires_at && Time.now.utc < token_expires_at
+      end
+
+      def remember_me!
+        remember_me_until! 2.weeks.from_now.utc
+      end
+
+      def forget_me!
+        clear_token
+        save(false)
+      end
+
+      def confirm_email!
+        self.email_confirmed  = true
+        self.token            = nil
+        save(false)
+      end
+
+      def forgot_password!
+        generate_token
+        save(false)
+      end
+
+      def update_password(new_password, new_password_confirmation)
+        self.password              = new_password
+        self.password_confirmation = new_password_confirmation
+        clear_token if valid?
+        save
+      end
+
+      protected
+
+      def generate_hash(string)
+        Digest::SHA1.hexdigest(string)
+      end
+
+      def initialize_salt
+        if new_record?
+          self.salt = generate_hash("--#{Time.now.utc.to_s}--#{password}--")
+        end
+      end
+
+      def encrypt_password
+        return if password.blank?
+        self.encrypted_password = encrypt(password)
+      end
+
+      def generate_token
+        self.token = encrypt("--#{Time.now.utc.to_s}--#{password}--")
+        self.token_expires_at = nil
+      end
+
+      def clear_token
+        self.token            = nil
+        self.token_expires_at = nil
+      end
+
+      def initialize_token
+        generate_token if new_record?
+      end
+
+      def password_required?
+        encrypted_password.blank? || !password.blank?
+      end
+
+      def remember_me_until!(time)
+        self.token_expires_at = time
+        self.token = encrypt("--#{token_expires_at}--#{password}--")
+        save(false)
+      end
+    end
+
+    module ClassMethods
+      def authenticate(email, password)
+        return nil  unless user = find_by_email(email)
+        return user if     user.authenticated?(password)
+      end
+    end
+
+  end
+end