devise-edge 1.2.rc

data/lib/devise/models/timeoutable.rb

@@ -0,0 +1,33 @@
+require 'devise/hooks/timeoutable'
+
+module Devise
+  module Models
+    # Timeoutable takes care of veryfing whether a user session has already
+    # expired or not. When a session expires after the configured time, the user
+    # will be asked for credentials again, it means, he/she will be redirected
+    # to the sign in page.
+    #
+    # == Options
+    #
+    # Timeoutable adds the following options to devise_for:
+    #
+    #   * +timeout_in+: the interval to timeout the user session without activity.
+    #
+    # == Examples
+    #
+    #   user.timedout?(30.minutes.ago)
+    #
+    module Timeoutable
+      extend ActiveSupport::Concern
+
+      # Checks whether the user session has expired based on configured time.
+      def timedout?(last_access)
+        last_access && last_access <= self.class.timeout_in.ago
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :timeout_in)
+      end
+    end
+  end
+end

data/lib/devise/models/token_authenticatable.rb

@@ -0,0 +1,72 @@
+require 'devise/strategies/token_authenticatable'
+
+module Devise
+  module Models
+    # The TokenAuthenticatable module is responsible for generating an authentication token and
+    # validating the authenticity of the same while signing in.
+    #
+    # This module only provides a few helpers to help you manage the token, but it is up to you
+    # to choose how to use it. For example, if you want to have a new token every time the user
+    # saves his account, you can do the following:
+    #
+    #   before_save :reset_authentication_token
+    #
+    # On the other hand, if you want to generate token unless one exists, you should use instead:
+    #
+    #   before_save :ensure_authentication_token
+    #
+    # If you want to delete the token after it is used, you can do so in the
+    # after_token_authentication callback.
+    #
+    # == Options
+    #
+    # TokenAuthenticable adds the following options to devise_for:
+    #
+    #   * +token_authentication_key+: Defines name of the authentication token params key. E.g. /users/sign_in?some_key=...
+    #
+    #   * +stateless_token+: By default, when you sign up with a token, Devise will store the user in session
+    #     as any other authentication strategy. You can set stateless_token to true to avoid this.
+    #
+    module TokenAuthenticatable
+      extend ActiveSupport::Concern
+
+      # Generate new authentication token (a.k.a. "single access token").
+      def reset_authentication_token
+        self.authentication_token = self.class.authentication_token
+      end
+
+      # Generate new authentication token and save the record.
+      def reset_authentication_token!
+        reset_authentication_token
+        self.save(:validate => false)
+      end
+
+      # Generate authentication token unless already exists.
+      def ensure_authentication_token
+        self.reset_authentication_token if self.authentication_token.blank?
+      end
+
+      # Generate authentication token unless already exists and save the record.
+      def ensure_authentication_token!
+        self.reset_authentication_token! if self.authentication_token.blank?
+      end
+
+      # Hook called after token authentication.
+      def after_token_authentication
+      end
+
+      module ClassMethods
+        def find_for_token_authentication(conditions)
+          find_for_authentication(:authentication_token => conditions[token_authentication_key])
+        end
+
+        # Generate a token checking if one does not already exist in the database.
+        def authentication_token
+          generate_token(:authentication_token)
+        end
+
+        ::Devise::Models.config(self, :token_authentication_key, :stateless_token)
+      end
+    end
+  end
+end

data/lib/devise/models/trackable.rb

@@ -0,0 +1,30 @@
+require 'devise/hooks/trackable'
+
+module Devise
+  module Models
+    # Track information about your user sign in. It tracks the following columns:
+    #
+    # * sign_in_count      - Increased every time a sign in is made (by form, openid, oauth)
+    # * current_sign_in_at - A tiemstamp updated when the user signs in
+    # * last_sign_in_at    - Holds the timestamp of the previous sign in
+    # * current_sign_in_ip - The remote ip updated when the user sign in
+    # * last_sign_in_at    - Holds the remote ip of the previous sign in
+    #
+    module Trackable
+      def update_tracked_fields!(request)
+        old_current, new_current = self.current_sign_in_at, Time.now
+        self.last_sign_in_at     = old_current || new_current
+        self.current_sign_in_at  = new_current
+
+        old_current, new_current = self.current_sign_in_ip, request.remote_ip
+        self.last_sign_in_ip     = old_current || new_current
+        self.current_sign_in_ip  = new_current
+
+        self.sign_in_count ||= 0
+        self.sign_in_count += 1
+
+        save(:validate => false)
+      end
+    end
+  end
+end

data/lib/devise/models/validatable.rb

@@ -0,0 +1,60 @@
+module Devise
+  module Models
+    # Validatable creates all needed validations for a user email and password.
+    # It's optional, given you may want to create the validations by yourself.
+    # Automatically validate if the email is present, unique and it's format is
+    # valid. Also tests presence of password, confirmation and length.
+    #
+    # == Options
+    #
+    # Validatable adds the following options to devise_for:
+    #
+    #   * +email_regexp+: the regular expression used to validate e-mails;
+    #   * +password_length+: a range expressing password length. Defaults to 6..20.
+    #
+    module Validatable
+      # All validations used by this module.
+      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                      :validates_confirmation_of, :validates_length_of ].freeze
+
+      def self.included(base)
+        base.extend ClassMethods
+        assert_validations_api!(base)
+
+        base.class_eval do
+          validates_presence_of   :email
+          validates_uniqueness_of :email, :scope => authentication_keys[1..-1], :case_sensitive => false, :allow_blank => true
+          validates_format_of     :email, :with  => email_regexp, :allow_blank => true
+
+          with_options :if => :password_required? do |v|
+            v.validates_presence_of     :password
+            v.validates_confirmation_of :password
+            v.validates_length_of       :password, :within => password_length, :allow_blank => true
+          end
+        end
+      end
+
+      def self.assert_validations_api!(base) #:nodoc:
+        unavailable_validations = VALIDATIONS.select { |v| !base.respond_to?(v) }
+
+        unless unavailable_validations.empty?
+          raise "Could not use :validatable module since #{base} does not respond " <<
+                "to the following methods: #{unavailable_validations.to_sentence}."
+        end
+      end
+
+    protected
+
+      # Checks whether a password is needed or not. For validations only.
+      # Passwords are always required if it's a new record, or if the password
+      # or confirmation are being set somewhere.
+      def password_required?
+        !persisted? || !password.nil? || !password_confirmation.nil?
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :email_regexp, :password_length)
+      end
+    end
+  end
+end

data/lib/devise/modules.rb

@@ -0,0 +1,30 @@
+require 'active_support/core_ext/object/with_options'
+
+Devise.with_options :model => true do |d|
+  # Strategies first
+  d.with_options :strategy => true do |s|
+    routes = [nil, :new, :destroy]
+    s.add_module :database_authenticatable, :controller => :sessions, :route => { :session => routes }
+    s.add_module :token_authenticatable,    :controller => :sessions, :route => { :session => routes }
+    s.add_module :rememberable
+  end
+
+  # Other authentications
+  d.add_module :encryptable
+  d.add_module :oauthable, :controller => :oauth_callbacks,  :route => :oauth_callback
+
+  # Misc after
+  routes = [nil, :new, :edit]
+  d.add_module :recoverable,  :controller => :passwords,     :route => { :password => routes }
+  d.add_module :registerable, :controller => :registrations, :route => { :registration => (routes << :cancel) }
+  d.add_module :validatable
+
+  # The ones which can sign out after
+  routes = [nil, :new]
+  d.add_module :confirmable,  :controller => :confirmations, :route => { :confirmation => routes }
+  d.add_module :lockable,     :controller => :unlocks,       :route => { :unlock => routes }
+  d.add_module :timeoutable
+
+  # Stats for last, so we make sure the user is really signed in
+  d.add_module :trackable
+end

data/lib/devise/oauth.rb

@@ -0,0 +1,41 @@
+begin
+  require "oauth2"
+rescue LoadError => e
+  warn "Could not load 'oauth2'. Please ensure you have the gem installed and listed in your Gemfile."
+  raise
+end
+
+module Devise
+  module Oauth
+    autoload :Config,          "devise/oauth/config"
+    autoload :Helpers,         "devise/oauth/helpers"
+    autoload :InternalHelpers, "devise/oauth/internal_helpers"
+    autoload :UrlHelpers,      "devise/oauth/url_helpers"
+    autoload :TestHelpers,     "devise/oauth/test_helpers"
+
+    class << self
+      delegate :short_circuit_authorizers!, :unshort_circuit_authorizers!, :to => "Devise::Oauth::TestHelpers"
+
+      def test_mode!
+        Faraday.default_adapter = :test
+        ActiveSupport.on_load(:action_controller) { include Devise::Oauth::TestHelpers }
+        ActiveSupport.on_load(:action_view) { include Devise::Oauth::TestHelpers }
+      end
+
+      def stub!(provider, stubs=nil, &block)
+        raise "You either need to pass stubs as a block or as a parameter" unless block_given? || stubs
+        stubs ||= Faraday::Adapter::Test::Stubs.new(&block)
+        Devise.oauth_configs[provider].build_connection do |b|
+          b.adapter :test, stubs
+        end
+      end
+
+      def reset_stubs!(*providers)
+        target = providers.any? ? Devise.oauth_configs.slice(*providers) : Devise.oauth_configs
+        target.each_value do |v|
+          v.build_connection { |b| b.adapter Faraday.default_adapter }
+        end
+      end
+    end
+  end
+end

data/lib/devise/oauth/config.rb

@@ -0,0 +1,33 @@
+require 'active_support/core_ext/array/wrap'
+
+module Devise
+  module Oauth
+    # A configuration object that holds the OAuth2::Client object
+    # and all configuration values given config.oauth.
+    class Config
+      attr_reader :scope, :client
+
+      def initialize(app_id, app_secret, options)
+        @scope  = Array.wrap(options.delete(:scope))
+        @client = OAuth2::Client.new(app_id, app_secret, options)
+      end
+
+      def authorize_url(options)
+        options[:scope] ||= @scope.join(',')
+        client.web_server.authorize_url(options)
+      end
+
+      def access_token_by_code(code, redirect_uri=nil)
+        client.web_server.get_access_token(code, :redirect_uri => redirect_uri)
+      end
+
+      def access_token_by_token(token)
+        OAuth2::AccessToken.new(client, token)
+      end
+
+      def build_connection(&block)
+        client.connection.build(&block)
+      end
+    end
+  end
+end

data/lib/devise/oauth/helpers.rb

@@ -0,0 +1,18 @@
+module Devise
+  module Oauth
+    # Provides a few helpers that are included in ActionController::Base
+    # for convenience.
+    module Helpers
+
+    protected
+
+      # Overwrite expire_session_data_after_sign_in! so it removes all
+      # oauth tokens from session ensuring registrations done in a row
+      # do not try to store the same token in the database.
+      def expire_session_data_after_sign_in!
+        super
+        session.keys.grep(/_oauth_token$/).each { |k| session.delete(k) }
+      end
+    end
+  end
+end

data/lib/devise/oauth/internal_helpers.rb

@@ -0,0 +1,182 @@
+module Devise
+  module Oauth
+    module InternalHelpers
+      extend ActiveSupport::Concern
+
+      def self.define_oauth_helpers(name) #:nodoc:
+        alias_method(name, :callback_action)
+        public name
+      end
+
+      included do
+        helpers = %w(oauth_callback oauth_provider oauth_config)
+        hide_action *helpers
+        helper_method *helpers
+        before_filter :valid_oauth_callback?, :oauth_error_happened?
+      end
+
+      # Returns the oauth_callback (also aliased as oauth_provider) as a symbol.
+      # For example: :github.
+      def oauth_callback
+        @oauth_callback ||= action_name.to_sym
+      end
+      alias :oauth_provider :oauth_callback
+
+      # Returns the configuration object for this oauth callback.
+      def oauth_config
+        @oauth_client ||= resource_class.oauth_configs[oauth_callback]
+      end
+
+    protected
+
+      # This method checks three things:
+      #
+      #   * If the URL being accessed is a valid provider for the given scope;
+      #   * If code or error was streamed back from the server;
+      #   * If the resource class implements the required hook;
+      #
+      def valid_oauth_callback?
+        unless oauth_config
+          unknown_action! "Skipping #{oauth_callback} OAuth because configuration " <<
+            "could not be found for model #{resource_name}."
+        end
+
+        unless params[:code] || params[:error] || params[:error_reason]
+          unknown_action! "Skipping #{oauth_callback} OAuth because code nor error were sent."
+        end
+
+        unless resource_class.respond_to?(oauth_model_callback)
+          raise "#{resource_class.name} does not respond to #{oauth_model_callback}. " <<
+            "Check the OAuth section in the README for more information."
+        end
+      end
+
+      # Check if an error was sent by the authorizer. If it happened, we redirect
+      # to url specified by after_oauth_failure_path_for, which defaults to new_session_path.
+      #
+      # By default, Devise shows a custom message from I18n saying the user could
+      # not be authenticated and the reason:
+      #
+      #   en:
+      #     devise:
+      #       oauth_callbacks:
+      #         failure: 'Could not authorize you from %{kind} because "%{reason}".'
+      #
+      # Let's suppose the reason returned by a Github was "access_denied". It will show:
+      #
+      #   Could not authorize you from Github because "Access denied"
+      #
+      # And it will also be logged on console:
+      #
+      #   github oauth failed: "access_denied".
+      #
+      # However, each specific error message can be customized using I18n:
+      #
+      #   en:
+      #     devise:
+      #       oauth_callbacks:
+      #         access_denied: 'You did not give access to our application on %{kind}.'
+      #
+      # Note "access_denied" follows the same lookup rule described in set_oauth_flash_message
+      # method. Besides, is important to remember most errors are specified by OAuth 2
+      # specification. But a few providers do not use them yet.
+      #
+      # TODO: Currently, Facebook is returning error_reason=user_denied when
+      # the user denies, but the specification defines error=access_denied instead.
+      def oauth_error_happened?
+        if error = params[:error] || params[:error_reason]
+          # Some providers returns access-denied instead of access_denied.
+          error = error.to_s.gsub("-", "_")
+          logger.warn "[Devise] #{oauth_callback} oauth failed: #{error.inspect}."
+
+          set_oauth_flash_message :alert, error[0,25], :default => :failure, :reason => error.humanize
+          redirect_to after_oauth_failure_path_for(resource_name)
+        end
+      end
+
+      # The model method used as hook.
+      def oauth_model_callback #:nodoc:
+        "find_for_#{oauth_callback}_oauth"
+      end
+
+      # The session key to store the token.
+      def oauth_session_key #:nodoc:
+        "#{resource_name}_#{oauth_callback}_oauth_token"
+      end
+
+      # The callback redirect uri. Used to request the access token.
+      def oauth_redirect_uri #:nodoc:
+        oauth_callback_url(resource_name, oauth_callback)
+      end
+
+      # This is the implementation for all OAuth actions.
+      def callback_action
+        access_token  = oauth_config.access_token_by_code(params[:code], oauth_redirect_uri)
+        self.resource = resource_class.send(oauth_model_callback, access_token, signed_in_resource)
+
+        if resource.persisted? && resource.errors.empty?
+          set_oauth_flash_message :notice, :success
+          sign_in_and_redirect resource_name, resource, :event => :authentication
+        else
+          session[oauth_session_key] = access_token.token
+          clean_up_passwords(resource)
+          render_for_oauth
+        end
+      end
+
+      # Handles oauth flash messages by adding a cascade. The default messages
+      # are always in the controller namespace:
+      #
+      #   en:
+      #     devise:
+      #       oauth_callbacks:
+      #         success: 'Successfully authorized from %{kind} account.'
+      #         failure: 'Could not authorize you from %{kind} because "%{reason}".'
+      #         skipped: 'Skipped Oauth authorization for %{kind}.'
+      #
+      # But they can also be nested according to the oauth provider:
+      #
+      #   en:
+      #     devise:
+      #       oauth_callbacks:
+      #         github:
+      #           success: 'Hello coder! Welcome to our app!'
+      #
+      # And finally by Devise scope:
+      #
+      #   en:
+      #     devise:
+      #       oauth_callbacks:
+      #         admin:
+      #           github:
+      #             success: 'Hello coder with high permissions! Can I get a raise?'
+      #
+      def set_oauth_flash_message(key, type, options={})
+        options[:kind]    = oauth_callback.to_s.titleize
+        options[:default] = Array(options[:default]).unshift(type.to_sym)
+        set_flash_message(key, "#{oauth_callback}.#{type}", options)
+      end
+
+      # Choose which template to render when a not persisted resource is
+      # returned in the find_for_x_oauth. By default, it renders registrations/new.
+      def render_for_oauth
+        render_with_scope :new, devise_mapping.controllers[:registrations]
+      end
+
+      # The default hook used by oauth to specify the redirect url for success.
+      def after_oauth_success_path_for(resource_or_scope)
+        after_sign_in_path_for(resource_or_scope)
+      end
+
+      # The default hook used by oauth to specify the redirect url for failure.
+      def after_oauth_failure_path_for(scope)
+        new_session_path(scope)
+      end
+
+      # Overwrite redirect_for_sign_in so it takes uses after_oauth_success_path_for.
+      def redirect_for_sign_in(scope, resource) #:nodoc:
+        redirect_to stored_location_for(scope) || after_oauth_success_path_for(resource)
+      end
+    end
+  end
+end