devise-edge 1.2.rc

data/lib/devise/rails/warden_compat.rb

@@ -0,0 +1,42 @@
+module Warden::Mixins::Common
+  def request
+    @request ||= ActionDispatch::Request.new(env)
+  end
+
+  def reset_session!
+    raw_session.inspect # why do I have to inspect it to get it to clear?
+    raw_session.clear
+  end
+
+  def cookies
+    request.cookie_jar
+  end
+end
+
+class Warden::SessionSerializer
+  def serialize(record)
+    [record.class.name, record.id, record.authenticatable_salt]
+  end
+
+  def deserialize(keys)
+    if keys.size == 2
+      raise "Devise changed how it stores objects in session. If you are seeing this message, " <<
+        "you can fix it by changing one character in your cookie secret, forcing all previous " <<
+        "cookies to expire, or cleaning up your database sessions if you are using a db store."
+    end
+
+    klass, id, salt = keys
+
+    begin
+      record = klass.constantize.find(:first, :conditions => { :id => id })
+      record if record && record.authenticatable_salt == salt
+    rescue NameError => e
+      if e.message =~ /uninitialized constant/
+        Rails.logger.debug "Trying to deserialize invalid class #{klass}"
+        nil
+      else
+        raise
+      end
+    end
+  end
+end

data/lib/devise/schema.rb

@@ -0,0 +1,96 @@
+module Devise
+  # Holds devise schema information. To use it, just include its methods
+  # and overwrite the apply_schema method.
+  module Schema
+
+    # Creates email, encrypted_password and password_salt.
+    #
+    # == Options
+    # * :null - When true, allow columns to be null.
+    # * :default - Should be set to "" when :null is false.
+    #
+    # == Notes
+    # For Datamapper compatibility, we explicitly hardcode the limit for the
+    # encrypter password field in 128 characters.
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options.key?(:default) ? options[:default] : ("" if null == false)
+
+      apply_devise_schema :email,              String, :null => null, :default => default
+      apply_devise_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
+    end
+
+    # Creates password salt for encryption support.
+    def encryptable
+      apply_devise_schema :password_salt, String
+    end
+
+    # Creates authentication_token.
+    def token_authenticatable
+      apply_devise_schema :authentication_token, String
+    end
+
+    # Creates confirmation_token, confirmed_at and confirmation_sent_at.
+    def confirmable
+      apply_devise_schema :confirmation_token,   String
+      apply_devise_schema :confirmed_at,         DateTime
+      apply_devise_schema :confirmation_sent_at, DateTime
+    end
+
+    # Creates reset_password_token.
+    def recoverable
+      apply_devise_schema :reset_password_token, String
+    end
+
+    # Creates remember_token and remember_created_at.
+    #
+    # == Options
+    # * :use_salt - When true, does not create a remember_token and use password_salt instead.
+    def rememberable(options={})
+      use_salt = options.fetch(:use_salt, Devise.use_salt_as_remember_token)
+      apply_devise_schema :remember_token,      String unless use_salt
+      apply_devise_schema :remember_created_at, DateTime
+    end
+
+    # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
+    # current_sign_in_ip, last_sign_in_ip.
+    def trackable
+      apply_devise_schema :sign_in_count,      Integer, :default => 0
+      apply_devise_schema :current_sign_in_at, DateTime
+      apply_devise_schema :last_sign_in_at,    DateTime
+      apply_devise_schema :current_sign_in_ip, String
+      apply_devise_schema :last_sign_in_ip,    String
+    end
+
+    # Creates failed_attempts, unlock_token and locked_at depending on the options given.
+    #
+    # == Options
+    # * :unlock_strategy - The strategy used for unlock. Can be :time, :email, :both (default), :none.
+    #   If :email or :both, creates a unlock_token field.
+    # * :lock_strategy - The strategy used for locking. Can be :failed_attempts (default) or :none.
+    def lockable(options={})
+      unlock_strategy   = options[:unlock_strategy]
+      unlock_strategy ||= self.unlock_strategy if respond_to?(:unlock_strategy)
+      unlock_strategy ||= :both
+
+      lock_strategy   = options[:lock_strategy]
+      lock_strategy ||= self.lock_strategy if respond_to?(:lock_strategy)
+      lock_strategy ||= :failed_attempts
+
+      if lock_strategy == :failed_attempts
+        apply_devise_schema :failed_attempts, Integer, :default => 0
+      end
+
+      if [:both, :email].include?(unlock_strategy)
+        apply_devise_schema :unlock_token, String
+      end
+
+      apply_devise_schema :locked_at, DateTime
+    end
+
+    # Overwrite with specific modification to create your own schema.
+    def apply_devise_schema(name, type, options={})
+      raise NotImplementedError
+    end
+  end
+end

data/lib/devise/strategies/authenticatable.rb

@@ -0,0 +1,150 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # This strategy should be used as basis for authentication strategies. It retrieves
+    # parameters both from params or from http authorization headers. See database_authenticatable
+    # for an example.
+    class Authenticatable < Base
+      attr_accessor :authentication_hash, :password
+
+      def valid?
+        valid_for_params_auth? || valid_for_http_auth?
+      end
+
+    private
+
+      # Simply invokes valid_for_authentication? with the given block and deal with the result.
+      def validate(resource, &block)
+        result = resource && resource.valid_for_authentication?(&block)
+
+        case result
+        when Symbol, String
+          fail!(result)
+        else
+          result
+        end
+      end
+
+      # Check if this is strategy is valid for http authentication by:
+      #
+      #   * Validating if the model allows params authentication;
+      #   * If any of the authorization headers were sent;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_http_auth?
+        http_authenticatable? && request.authorization && with_authentication_hash(http_auth_hash)
+      end
+
+      # Check if this is strategy is valid for params authentication by:
+      #
+      #   * Validating if the model allows params authentication;
+      #   * If the request hits the sessions controller through POST;
+      #   * If the params[scope] returns a hash with credentials;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_params_auth?
+        params_authenticatable? && valid_request? &&
+          valid_params? && with_authentication_hash(params_auth_hash)
+      end
+
+      # Check if the model accepts this strategy as http authenticatable.
+      def http_authenticatable?
+        mapping.to.http_authenticatable?(authenticatable_name)
+      end
+
+      # Check if the model accepts this strategy as params authenticatable.
+      def params_authenticatable?
+        mapping.to.params_authenticatable?(authenticatable_name)
+      end
+
+      # Extract the appropriate subhash for authentication from params.
+      def params_auth_hash
+         params[scope]
+       end
+
+      # Extract a hash with attributes:values from the http params.
+      def http_auth_hash
+        keys = [authentication_keys.first, :password]
+        Hash[*keys.zip(decode_credentials).flatten]
+      end
+
+      # By default, a request is valid  if the controller is allowed and the VERB is POST.
+      def valid_request?
+        valid_controller? && valid_verb?
+      end
+
+      # Check if the controller is the one registered for authentication.
+      def valid_controller?
+        mapping.controllers[:sessions] == params[:controller]
+      end
+
+      # Check if it was a POST request.
+      def valid_verb?
+        request.post?
+      end
+
+      # If the request is valid, finally check if params_auth_hash returns a hash.
+      def valid_params?
+        params_auth_hash.is_a?(Hash)
+      end
+
+      # Check if password is present and is not equal to "X" (default value for token).
+      def valid_password?
+        password.present? && password != "X"
+      end
+
+      # Helper to decode credentials from HTTP.
+      def decode_credentials
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/
+        ActiveSupport::Base64.decode64($1).split(/:/, 2)
+      end
+
+      # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
+      def with_authentication_hash(auth_values)
+        self.authentication_hash = {}
+        self.password = auth_values[:password]
+
+        parse_authentication_key_values(auth_values, authentication_keys) &&
+        parse_authentication_key_values(request_values, request_keys)
+      end
+
+      # Holds the authentication keys.
+      def authentication_keys
+        @authentication_keys ||= mapping.to.authentication_keys
+      end
+
+      # Holds request keys.
+      def request_keys
+        @request_keys ||= mapping.to.request_keys
+      end
+
+      # Returns values from the request object.
+      def request_values
+        keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
+        values = keys.map { |k| self.request.send(k) }
+        Hash[keys.zip(values)]
+      end
+
+      # Parse authentication keys considering if they should be enforced or not.
+      def parse_authentication_key_values(hash, keys)
+        keys.each do |key, enforce|
+          value = hash[key].presence
+          if value
+            self.authentication_hash[key] = value
+          else
+            return false unless enforce == false
+          end
+        end
+        true
+      end
+
+      # Holds the authenticatable name for this class. Devise::Strategies::DatabaseAuthenticatable
+      # becomes simply :database.
+      def authenticatable_name
+        @authenticatable_name ||=
+          self.class.name.split("::").last.underscore.sub("_authenticatable", "").to_sym
+      end
+    end
+  end
+end

data/lib/devise/strategies/base.rb

@@ -0,0 +1,15 @@
+module Devise
+  module Strategies
+    # Base strategy for Devise. Responsible for verifying correct scope and mapping.
+    class Base < ::Warden::Strategies::Base
+      # Checks if a valid scope was given for devise and find mapping based on this scope.
+      def mapping
+        @mapping ||= begin
+          mapping = Devise.mappings[scope]
+          raise "Could not find mapping for #{scope}" unless mapping
+          mapping
+        end
+      end
+    end
+  end
+end

data/lib/devise/strategies/database_authenticatable.rb

@@ -0,0 +1,21 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Default strategy for signing in a user, based on his email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
+
+        if validate(resource){ resource.valid_password?(password) }
+          resource.after_database_authentication
+          success!(resource)
+        else
+          fail(:invalid)
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

data/lib/devise/strategies/rememberable.rb

@@ -0,0 +1,51 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # Remember the user through the remember token. This strategy is responsible
+    # to verify whether there is a cookie with the remember token, and to
+    # recreate the user from this cookie if it exists. Must be called *before*
+    # authenticatable.
+    class Rememberable < Authenticatable
+      # A valid strategy for rememberable needs a remember token in the cookies.
+      def valid?
+        remember_cookie.present?
+      end
+
+      # To authenticate a user we deserialize the cookie and attempt finding
+      # the record in the database. If the attempt fails, we pass to another
+      # strategy handle the authentication.
+      def authenticate!
+        resource = mapping.to.serialize_from_cookie(*remember_cookie)
+
+        if validate(resource)
+          success!(resource)
+        else
+          cookies.delete(remember_key)
+          pass
+        end
+      end
+
+    private
+
+      def remember_me?
+        true
+      end
+
+      def remember_key
+        "remember_#{scope}_token"
+      end
+
+      def extend_remember_period?
+        mapping.to.extend_remember_period
+      end
+
+      # Accessor for remember cookie
+      def remember_cookie
+        @remember_cookie ||= cookies.signed[remember_key]
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:rememberable, Devise::Strategies::Rememberable)

data/lib/devise/strategies/token_authenticatable.rb

@@ -0,0 +1,53 @@
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    # Strategy for signing in a user, based on a authenticatable token. This works for both params
+    # and http. For the former, all you need to do is to pass the params in the URL:
+    #
+    #   http://myapp.example.com/?user_token=SECRET
+    #
+    # For HTTP, you can pass the token as username and blank password. Since some clients may require
+    # a password, you can pass "X" as password and it will simply be ignored.
+    class TokenAuthenticatable < Authenticatable
+      def store?
+        !mapping.to.stateless_token
+      end
+
+      def authenticate!
+        resource = mapping.to.find_for_token_authentication(authentication_hash)
+
+        if validate(resource)
+          resource.after_token_authentication
+          success!(resource)
+        else
+          fail(:invalid_token)
+        end
+      end
+
+    private
+
+      # TokenAuthenticatable request is valid for any controller and any verb.
+      def valid_request?
+        true
+      end
+
+      # Do not use remember_me behavior with token.
+      def remember_me?
+        false
+      end
+
+      # Try both scoped and non scoped keys.
+      def params_auth_hash
+        params[scope] || params
+      end
+
+      # Overwrite authentication keys to use token_authentication_key.
+      def authentication_keys
+        @authentication_keys ||= [mapping.to.token_authentication_key]
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:token_authenticatable, Devise::Strategies::TokenAuthenticatable)

data/lib/devise/test_helpers.rb

@@ -0,0 +1,100 @@
+module Devise
+  # Devise::TestHelpers provides a facility to test controllers in isolation
+  # when using ActionController::TestCase allowing you to quickly sign_in or
+  # sign_out an user. Do not use Devise::TestHelpers in integration tests.
+  #
+  # Notice you should not test Warden specific behavior (like Warden callbacks)
+  # using Devise::TestHelpers since it is a stub of the actual behavior. Such
+  # callbacks should be tested in your integration suite instead.
+  module TestHelpers
+    def self.included(base)
+      base.class_eval do
+        setup :setup_controller_for_warden, :warden if respond_to?(:setup)
+      end
+    end
+
+    # This is a Warden::Proxy customized for functional tests. It's meant to
+    # some of Warden::Manager responsibilities, as retrieving configuration
+    # options and calling the FailureApp.
+    class TestWarden < Warden::Proxy #:nodoc:
+      attr_reader :controller
+
+      def initialize(controller)
+        @controller = controller
+        manager = Warden::Manager.new(nil) do |config|
+          config.merge! Devise.warden_config
+        end
+        super(controller.request.env, manager)
+      end
+
+      def authenticate!(*args)
+        catch_with_redirect { super }
+      end
+
+      def user(*args)
+        catch_with_redirect { super }
+      end
+
+      def catch_with_redirect(&block)
+        result = catch(:warden, &block)
+
+        if result.is_a?(Hash) && !custom_failure? && !@controller.send(:performed?)
+          result[:action] ||= :unauthenticated
+
+          env = @controller.request.env
+          env["PATH_INFO"] = "/#{result[:action]}"
+          env["warden.options"] = result
+          Warden::Manager._before_failure.each{ |hook| hook.call(env, result) }
+
+          status, headers, body = Devise::FailureApp.call(env).to_a
+          @controller.send :render, :status => status, :text => body,
+            :content_type => headers["Content-Type"], :location => headers["Location"]
+
+          nil
+        else
+          result
+        end
+      end
+    end
+
+    # We need to setup the environment variables and the response in the controller.
+    def setup_controller_for_warden #:nodoc:
+      @request.env['action_controller.instance'] = @controller
+    end
+
+    # Quick access to Warden::Proxy.
+    def warden #:nodoc:
+      @warden ||= (@request.env['warden'] = TestWarden.new(@controller))
+    end
+
+    # sign_in a given resource by storing its keys in the session.
+    # This method bypass any warden authentication callback.
+    #
+    # Examples:
+    #
+    #   sign_in :user, @user   # sign_in(scope, resource)
+    #   sign_in @user          # sign_in(resource)
+    #
+    def sign_in(resource_or_scope, resource=nil)
+      scope    ||= Devise::Mapping.find_scope!(resource_or_scope)
+      resource ||= resource_or_scope
+      warden.session_serializer.store(resource, scope)
+    end
+
+    # Sign out a given resource or scope by calling logout on Warden.
+    # This method bypass any warden logout callback.
+    #
+    # Examples:
+    #
+    #   sign_out :user     # sign_out(scope)
+    #   sign_out @user     # sign_out(resource)
+    #
+    def sign_out(resource_or_scope)
+      scope = Devise::Mapping.find_scope!(resource_or_scope)
+      @controller.instance_variable_set(:"@current_#{scope}", nil)
+      user = warden.instance_variable_get(:@users).delete(scope)
+      warden.session_serializer.delete(scope, user)
+    end
+
+  end
+end