devise-edge 1.2.rc

data/lib/devise/encryptors/base.rb

@@ -0,0 +1,20 @@
+module Devise
+  # Implements a way of adding different encryptions.
+  # The class should implement a self.digest method that taks the following params:
+  #   - password
+  #   - stretches: the number of times the encryption will be applied
+  #   - salt: the password salt as defined by devise
+  #   - pepper: Devise config option
+  #
+  module Encryptors
+    class Base
+      def self.digest
+        raise NotImplemented
+      end
+
+      def self.salt(stretches)
+        Devise.friendly_token[0,20]
+      end
+    end
+  end
+end

data/lib/devise/encryptors/clearance_sha1.rb

@@ -0,0 +1,17 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = ClearanceSha1
+    # Simulates Clearance's default encryption mechanism.
+    # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+    # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES
+    class ClearanceSha1 < Base
+      # Gererates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+      end
+    end
+  end
+end

data/lib/devise/encryptors/restful_authentication_sha1.rb

@@ -0,0 +1,22 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = RestfulAuthenticationSha1
+    # Simulates Restful Authentication's default encryption mechanism.
+    # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+    # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES. Should be set to 10 in 
+    # the initializer to silumate the default behavior.
+    class RestfulAuthenticationSha1 < Base
+      
+      # Gererates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = Digest::SHA1.hexdigest([digest, salt, password, pepper].flatten.join('--')) }
+        digest
+      end
+
+    end
+  end
+end

data/lib/devise/encryptors/sha1.rb

@@ -0,0 +1,25 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = Sha1
+    # Uses the Sha1 hash algorithm to encrypt passwords.
+    class Sha1 < Base
+      # Gererates a default password digest based on stretches, salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+        digest
+      end
+
+    private
+
+      # Generate a SHA1 digest joining args. Generated token is something like
+      #   --arg1--arg2--arg3--argN--
+      def self.secure_digest(*tokens)
+        ::Digest::SHA1.hexdigest('--' << tokens.flatten.join('--') << '--')
+      end
+    end
+  end
+end

data/lib/devise/encryptors/sha512.rb

@@ -0,0 +1,25 @@
+require "digest/sha2"
+
+module Devise
+  module Encryptors
+    # = Sha512
+    # Uses the Sha512 hash algorithm to encrypt passwords.
+    class Sha512 < Base
+      # Gererates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+        digest
+      end
+
+    private
+
+      # Generate a Sha512 digest joining args. Generated token is something like
+      #   --arg1--arg2--arg3--argN--
+      def self.secure_digest(*tokens)
+        ::Digest::SHA512.hexdigest('--' << tokens.flatten.join('--') << '--')
+      end
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -0,0 +1,126 @@
+require "action_controller/metal"
+
+module Devise
+  # Failure application that will be called every time :warden is thrown from
+  # any strategy or hook. Responsible for redirect the user to the sign in
+  # page based on current scope and mapping. If no scope is given, redirect
+  # to the default_url.
+  class FailureApp < ActionController::Metal
+    include ActionController::RackDelegation
+    include ActionController::UrlFor
+    include ActionController::Redirecting
+    include Rails.application.routes.url_helpers
+
+    delegate :flash, :to => :request
+
+    def self.call(env)
+      action(:respond).call(env)
+    end
+
+    def self.default_url_options(*args)
+      ApplicationController.default_url_options(*args)
+    end
+
+    def respond
+      if http_auth?
+        http_auth
+      elsif warden_options[:recall]
+        recall
+      else
+        redirect
+      end
+    end
+
+    def http_auth
+      self.status = 401
+      self.headers["WWW-Authenticate"] = %(Basic realm=#{Devise.http_authentication_realm.inspect}) if http_auth_header?
+      self.content_type = request.format.to_s
+      self.response_body = http_auth_body
+    end
+
+    def recall
+      env["PATH_INFO"]  = attempted_path
+      flash.now[:alert] = i18n_message(:invalid)
+      self.response = recall_app(warden_options[:recall]).call(env)
+    end
+
+    def redirect
+      store_location!
+      flash[:alert] = i18n_message unless flash[:notice]
+      redirect_to redirect_url
+    end
+
+  protected
+
+    def i18n_message(default = nil)
+      message = warden.message || warden_options[:message] || default || :unauthenticated
+
+      if message.is_a?(Symbol)
+        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
+               :scope => "devise.failure", :default => [message, message.to_s])
+      else
+        message.to_s
+      end
+    end
+
+    def redirect_url
+      send(:"new_#{scope}_session_path")
+    end
+
+    # Choose whether we should respond in a http authentication fashion,
+    # including 401 and optional headers.
+    #
+    # This method allows the user to explicitly disable http authentication
+    # on ajax requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your ajax API
+    # is the same as your public API and uses a format like JSON (so you
+    # cannot mark JSON as a navigational format).
+    def http_auth?
+      if request.xhr?
+        Devise.http_authenticatable_on_xhr
+      else
+        !Devise.navigational_formats.include?(request.format.to_sym)
+      end
+    end
+
+    # It does not make sense to send authenticate headers in ajax requests
+    # or if the user disabled them.
+    def http_auth_header?
+      Devise.mappings[scope].to.http_authenticatable && !request.xhr?
+    end
+
+    def http_auth_body
+      method = :"to_#{request.format.to_sym}"
+      {}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
+    end
+
+    def recall_app(app)
+      controller, action = app.split("#")
+      "#{controller.camelize}Controller".constantize.action(action)
+    end
+
+    def warden
+      env['warden']
+    end
+
+    def warden_options
+      env['warden.options']
+    end
+
+    def scope
+      @scope ||= warden_options[:scope] || Devise.default_scope
+    end
+
+    def attempted_path
+      warden_options[:attempted_path]
+    end
+
+    # Stores requested uri to redirect the user after signing in. We cannot use
+    # scoped session provided by warden here, since the user is not authenticated
+    # yet, but we still need to store the uri based on scope, so different scopes
+    # would never use the same uri to redirect.
+    def store_location!
+      session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
+    end
+  end
+end

data/lib/devise/hooks/activatable.rb

@@ -0,0 +1,11 @@
+# Deny user access whenever his account is not active yet. All strategies that inherits from
+# Devise::Strategies::Authenticatable and uses the validate already check if the user is active?
+# before actively signing him in. However, we need this as hook to validate the user activity
+# in each request and in case the user is using other strategies beside Devise ones.
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active?) && !record.active?
+    scope = options[:scope]
+    warden.logout(scope)
+    throw :warden, :scope => scope, :message => record.inactive_message
+  end
+end

data/lib/devise/hooks/forgetable.rb

@@ -0,0 +1,12 @@
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is frozen.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, options|
+  if record.respond_to?(:forget_me!)
+    record.forget_me! unless record.frozen?
+    cookie_options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+    cookie_options.merge!(record.cookie_options)
+    warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -0,0 +1,45 @@
+module Devise
+  module Hooks
+    # Overwrite success! in authentication strategies allowing users to be remembered.
+    # We choose to implement this as an strategy hook instead of a warden hook to allow a specific
+    # strategy (like token authenticatable or facebook authenticatable) to turn off remember_me?
+    # cookies.
+    module Rememberable #:nodoc:
+      def success!(resource)
+        super
+
+        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
+          resource.remember_me!(extend_remember_period?)
+          cookies.signed["remember_#{scope}_token"] = cookie_values(resource)
+        end
+      end
+
+    protected
+
+      def cookie_values(resource)
+        options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+        options.merge!(resource.cookie_options)
+        options.merge!(
+          :value => resource.class.serialize_into_cookie(resource),
+          :expires => resource.remember_expires_at
+        )
+        options
+      end
+
+      def succeeded?
+        @result == :success
+      end
+
+      def extend_remember_period?
+        false
+      end
+
+      def remember_me?
+        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+    end
+  end
+end
+
+Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable
+

data/lib/devise/hooks/timeoutable.rb

@@ -0,0 +1,22 @@
+# Each time a record is set we check whether its session has already timed out
+# or not, based on last request time. If so, the record is logged out and
+# redirected to the sign in page. Also, each time the request comes and the
+# record is set, we set the last request time inside it's scoped session to
+# verify timeout in the following request.
+Warden::Manager.after_set_user do |record, warden, options|
+  scope = options[:scope]
+
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
+    last_request_at = warden.session(scope)['last_request_at']
+
+    if record.timedout?(last_request_at)
+      path_checker = Devise::PathChecker.new(warden.env, scope)
+      unless path_checker.signing_out?
+        warden.logout(scope)
+        throw :warden, :scope => scope, :message => :timeout
+      end
+    end
+
+    warden.session(scope)['last_request_at'] = Time.now.utc
+  end
+end

data/lib/devise/hooks/trackable.rb

@@ -0,0 +1,9 @@
+# After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope])
+    record.update_tracked_fields!(warden.request)
+  end
+end

data/lib/devise/mapping.rb

@@ -0,0 +1,105 @@
+module Devise
+  # Responsible for handling devise mappings and routes configuration. Each
+  # resource configured by devise_for in routes is actually creating a mapping
+  # object. You can refer to devise_for in routes for usage options.
+  #
+  # The required value in devise_for is actually not used internally, but it's
+  # inflected to find all other values.
+  #
+  #   map.devise_for :users
+  #   mapping = Devise.mappings[:user]
+  #
+  #   mapping.name #=> :user
+  #   # is the scope used in controllers and warden, given in the route as :singular.
+  #
+  #   mapping.as   #=> "users"
+  #   # how the mapping should be search in the path, given in the route as :as.
+  #
+  #   mapping.to   #=> User
+  #   # is the class to be loaded from routes, given in the route as :class_name.
+  #
+  #   mapping.modules  #=> [:authenticatable]
+  #   # is the modules included in the class
+  #
+  class Mapping #:nodoc:
+    attr_reader :singular, :plural, :path, :controllers, :path_names, :class_name, :sign_out_via
+    alias :name :singular
+
+    # Receives an object and find a scope for it. If a scope cannot be found,
+    # raises an error. If a symbol is given, it's considered to be the scope.
+    def self.find_scope!(duck)
+      case duck
+      when String, Symbol
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
+      else
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
+      end
+
+      raise "Could not find a valid mapping for #{duck}"
+    end
+
+    def initialize(name, options) #:nodoc:
+      @plural   = (options[:as] ? "#{options[:as]}_#{name}" : name).to_sym
+      @singular = (options[:singular] || @plural.to_s.singularize).to_sym
+
+      @class_name = (options[:class_name] || name.to_s.classify).to_s
+      @ref = ActiveSupport::Dependencies.ref(@class_name)
+
+      @path = (options[:path] || name).to_s
+      @path_prefix = options[:path_prefix]
+
+      mod = options[:module] || "devise"
+      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
+      @controllers.merge!(options[:controllers] || {})
+
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names.merge!(:registration => "")
+      @path_names.merge!(options[:path_names] || {})
+
+      @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
+    end
+
+    # Return modules for the mapping.
+    def modules
+      @modules ||= to.respond_to?(:devise_modules) ? to.devise_modules : []
+    end
+
+    # Gives the class the mapping points to.
+    def to
+      @ref.get
+    end
+
+    def strategies
+      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
+    end
+
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
+    end
+
+    def authenticatable?
+      @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
+    def fullpath
+      "#{@path_prefix}/#{@path}".squeeze("/")
+    end
+
+    # Create magic predicates for verifying what module is activated by this map.
+    # Example:
+    #
+    #   def confirmable?
+    #     self.modules.include?(:confirmable)
+    #   end
+    #
+    def self.add_module(m)
+      class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        def #{m}?
+          self.modules.include?(:#{m})
+        end
+      METHOD
+    end
+  end
+end