devise-jdguyot 1.2.rc

data/lib/devise/hooks/activatable.rb

@@ -0,0 +1,11 @@
+# Deny user access whenever his account is not active yet. All strategies that inherits from
+# Devise::Strategies::Authenticatable and uses the validate already check if the user is active?
+# before actively signing him in. However, we need this as hook to validate the user activity
+# in each request and in case the user is using other strategies beside Devise ones.
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active?) && !record.active?
+    scope = options[:scope]
+    warden.logout(scope)
+    throw :warden, :scope => scope, :message => record.inactive_message
+  end
+end

data/lib/devise/hooks/forgetable.rb

@@ -0,0 +1,12 @@
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is frozen.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, options|
+  if record.respond_to?(:forget_me!)
+    record.forget_me! unless record.frozen?
+    cookie_options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+    cookie_options.merge!(record.cookie_options)
+    warden.cookies.delete("remember_#{options[:scope]}_token", cookie_options)
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -0,0 +1,48 @@
+module Devise
+  module Hooks
+    # Overwrite success! in authentication strategies allowing users to be remembered.
+    # We choose to implement this as an strategy hook instead of a warden hook to allow a specific
+    # strategy (like token authenticatable or facebook authenticatable) to turn off remember_me?
+    # cookies.
+    module Rememberable #:nodoc:
+      def success!(resource)
+        super
+
+        if succeeded? && resource.respond_to?(:remember_me!) && remember_me?
+          resource.remember_me!(extend_remember_period?)
+          cookies.signed["remember_#{scope}_token"] = cookie_values(resource)
+        end
+      end
+
+    protected
+
+      def cookie_values(resource)
+        options = Rails.configuration.session_options.slice(:path, :domain, :secure)
+        options[:httponly] = true
+
+        options.merge!(resource.cookie_options)
+        options.merge!(
+          :value => resource.class.serialize_into_cookie(resource),
+          :expires => resource.remember_expires_at
+        )
+
+        options
+      end
+
+      def succeeded?
+        @result == :success
+      end
+
+      def extend_remember_period?
+        false
+      end
+
+      def remember_me?
+        valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+    end
+  end
+end
+
+Devise::Strategies::Authenticatable.send :include, Devise::Hooks::Rememberable
+

data/lib/devise/hooks/timeoutable.rb

@@ -0,0 +1,22 @@
+# Each time a record is set we check whether its session has already timed out
+# or not, based on last request time. If so, the record is logged out and
+# redirected to the sign in page. Also, each time the request comes and the
+# record is set, we set the last request time inside it's scoped session to
+# verify timeout in the following request.
+Warden::Manager.after_set_user do |record, warden, options|
+  scope = options[:scope]
+
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope)
+    last_request_at = warden.session(scope)['last_request_at']
+
+    if record.timedout?(last_request_at)
+      path_checker = Devise::PathChecker.new(warden.env, scope)
+      unless path_checker.signing_out?
+        warden.logout(scope)
+        throw :warden, :scope => scope, :message => :timeout
+      end
+    end
+
+    warden.session(scope)['last_request_at'] = Time.now.utc
+  end
+end

data/lib/devise/hooks/trackable.rb

@@ -0,0 +1,9 @@
+# After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope])
+    record.update_tracked_fields!(warden.request)
+  end
+end

data/lib/devise/mapping.rb

@@ -0,0 +1,110 @@
+module Devise
+  # Responsible for handling devise mappings and routes configuration. Each
+  # resource configured by devise_for in routes is actually creating a mapping
+  # object. You can refer to devise_for in routes for usage options.
+  #
+  # The required value in devise_for is actually not used internally, but it's
+  # inflected to find all other values.
+  #
+  #   map.devise_for :users
+  #   mapping = Devise.mappings[:user]
+  #
+  #   mapping.name #=> :user
+  #   # is the scope used in controllers and warden, given in the route as :singular.
+  #
+  #   mapping.as   #=> "users"
+  #   # how the mapping should be search in the path, given in the route as :as.
+  #
+  #   mapping.to   #=> User
+  #   # is the class to be loaded from routes, given in the route as :class_name.
+  #
+  #   mapping.modules  #=> [:authenticatable]
+  #   # is the modules included in the class
+  #
+  class Mapping #:nodoc:
+    attr_reader :singular, :scoped_path, :path, :controllers, :path_names, :class_name, :sign_out_via
+    alias :name :singular
+
+    # Receives an object and find a scope for it. If a scope cannot be found,
+    # raises an error. If a symbol is given, it's considered to be the scope.
+    def self.find_scope!(duck)
+      case duck
+      when String, Symbol
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
+      else
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
+      end
+
+      raise "Could not find a valid mapping for #{duck.inspect}"
+    end
+
+    def self.find_by_path!(path, path_type=:fullpath)
+      Devise.mappings.each_value { |m| return m if path.include?(m.send(path_type)) }
+      raise "Could not find a valid mapping for path #{path.inspect}"
+    end
+
+    def initialize(name, options) #:nodoc:
+      @scoped_path = options[:as] ? "#{options[:as]}/#{name}" : name.to_s
+      @singular = (options[:singular] || @scoped_path.tr('/', '_').singularize).to_sym
+
+      @class_name = (options[:class_name] || name.to_s.classify).to_s
+      @ref = ActiveSupport::Dependencies.ref(@class_name)
+
+      @path = (options[:path] || name).to_s
+      @path_prefix = options[:path_prefix]
+
+      mod = options[:module] || "devise"
+      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
+      @controllers.merge!(options[:controllers] || {})
+
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names.merge!(:registration => "")
+      @path_names.merge!(options[:path_names] || {})
+
+      @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
+    end
+
+    # Return modules for the mapping.
+    def modules
+      @modules ||= to.respond_to?(:devise_modules) ? to.devise_modules : []
+    end
+
+    # Gives the class the mapping points to.
+    def to
+      @ref.get
+    end
+
+    def strategies
+      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
+    end
+
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
+    end
+
+    def authenticatable?
+      @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
+    def fullpath
+      "/#{@path_prefix}/#{@path}".squeeze("/")
+    end
+
+    # Create magic predicates for verifying what module is activated by this map.
+    # Example:
+    #
+    #   def confirmable?
+    #     self.modules.include?(:confirmable)
+    #   end
+    #
+    def self.add_module(m)
+      class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        def #{m}?
+          self.modules.include?(:#{m})
+        end
+      METHOD
+    end
+  end
+end

data/lib/devise/models/authenticatable.rb

@@ -0,0 +1,146 @@
+require 'devise/hooks/activatable'
+
+module Devise
+  module Models
+    # Authenticatable module. Holds common settings for authentication.
+    #
+    # == Options
+    #
+    # Authenticatable adds the following options to devise_for:
+    #
+    #   * +authentication_keys+: parameters used for authentication. By default [:email].
+    #
+    #   * +request_keys+: parameters from the request object used for authentication.
+    #     By specifying a symbol (which should be a request method), it will automatically be
+    #     passed to find_for_authentication method and considered in your model lookup.
+    #
+    #     For instance, if you set :request_keys to [:subdomain], :subdomain will be considered
+    #     as key on authentication. This can also be a hash where the value is a boolean expliciting
+    #     if the value is required or not.
+    #
+    #   * +http_authenticatable+: if this model allows http authentication. By default true.
+    #     It also accepts an array specifying the strategies that should allow http.
+    #
+    #   * +params_authenticatable+: if this model allows authentication through request params. By default true.
+    #     It also accepts an array specifying the strategies that should allow params authentication.
+    #
+    # == Active?
+    #
+    # Before authenticating an user and in each request, Devise checks if your model is active by
+    # calling model.active?. This method is overwriten by other devise modules. For instance,
+    # :confirmable overwrites .active? to only return true if your model was confirmed.
+    #
+    # You overwrite this method yourself, but if you do, don't forget to call super:
+    #
+    #   def active?
+    #     super && special_condition_is_valid?
+    #   end
+    #
+    # Whenever active? returns false, Devise asks the reason why your model is inactive using
+    # the inactive_message method. You can overwrite it as well:
+    #
+    #   def inactive_message
+    #     special_condition_is_valid? ? super : :special_condition_is_not_valid
+    #   end
+    #
+    module Authenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        class_attribute :devise_modules, :instance_writer => false
+        self.devise_modules ||= []
+      end
+
+      # Check if the current object is valid for authentication. This method and
+      # find_for_authentication are the methods used in a Warden::Strategy to check
+      # if a model should be signed in or not.
+      #
+      # However, you should not overwrite this method, you should overwrite active? and
+      # inactive_message instead.
+      def valid_for_authentication?
+        if active?
+          block_given? ? yield : true
+        else
+          inactive_message
+        end
+      end
+
+      def active?
+        true
+      end
+
+      def inactive_message
+        :inactive
+      end
+
+      def authenticatable_salt
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :authentication_keys, :request_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
+
+        def params_authenticatable?(strategy)
+          params_authenticatable.is_a?(Array) ?
+            params_authenticatable.include?(strategy) : params_authenticatable
+        end
+
+        def http_authenticatable?(strategy)
+          http_authenticatable.is_a?(Array) ?
+            http_authenticatable.include?(strategy) : http_authenticatable
+        end
+
+        # Find first record based on conditions given (ie by the sign in form).
+        # Overwrite to add customized conditions, create a join, or maybe use a
+        # namedscope to filter records while authenticating.
+        # Example:
+        #
+        #   def self.find_for_authentication(conditions={})
+        #     conditions[:active] = true
+        #     super
+        #   end
+        #
+        def find_for_authentication(conditions)
+          case_insensitive_keys.each { |k| conditions[k].try(:downcase!) }
+          to_adapter.find_first(conditions)
+        end
+
+        # Find an initialize a record setting an error if it can't be found.
+        def find_or_initialize_with_error_by(attribute, value, error=:invalid) #:nodoc:
+          find_or_initialize_with_errors([attribute], { attribute => value }, error)
+        end
+
+        # Find an initialize a group of attributes based on a list of required attributes.
+        def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
+          case_insensitive_keys.each { |k| attributes[k].try(:downcase!) }
+          
+          attributes = attributes.slice(*required_attributes)
+          attributes.delete_if { |key, value| value.blank? }
+
+          if attributes.size == required_attributes.size
+            record = to_adapter.find_first(attributes)
+          end
+          
+          unless record
+            record = new
+
+            required_attributes.each do |key|
+              value = attributes[key]
+              record.send("#{key}=", value)
+              record.errors.add(key, value.present? ? error : :blank)
+            end
+          end
+
+          record
+        end
+
+        # Generate a token by looping and ensuring does not already exist.
+        def generate_token(column)
+          loop do
+            token = Devise.friendly_token
+            break token unless to_adapter.find_first({ column => token })
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/confirmable.rb

@@ -0,0 +1,160 @@
+module Devise
+  module Models
+    # Confirmable is responsible to verify if an account is already confirmed to
+    # sign in, and to send emails with confirmation instructions.
+    # Confirmation instructions are sent to the user email after creating a
+    # record and when manually requested by a new confirmation instruction request.
+    #
+    # == Options
+    #
+    # Confirmable adds the following options to devise_for:
+    #
+    #   * +confirm_within+: the time you want to allow the user to access his account
+    #     before confirming it. After this period, the user access is denied. You can
+    #     use this to let your user access some features of your application without
+    #     confirming the account, but blocking it after a certain period (ie 7 days).
+    #     By default confirm_within is zero, it means users always have to confirm to sign in.
+    #
+    # == Examples
+    #
+    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirmed?    # true/false
+    #   User.find(1).send_confirmation_instructions # manually send instructions
+    #
+    module Confirmable
+      extend ActiveSupport::Concern
+
+      included do
+        before_create :generate_confirmation_token, :if => :confirmation_required?
+        after_create  :send_confirmation_instructions, :if => :confirmation_required?
+      end
+
+      # Confirm a user by setting it's confirmed_at to actual time. If the user
+      # is already confirmed, add en error to email field
+      def confirm!
+        unless_confirmed do
+          self.confirmation_token = nil
+          self.confirmed_at = Time.now
+          save(:validate => false)
+        end
+      end
+
+      # Verifies whether a user is confirmed or not
+      def confirmed?
+        !!confirmed_at
+      end
+
+      # Send confirmation instructions by email
+      def send_confirmation_instructions
+        generate_confirmation_token! if self.confirmation_token.nil?
+        ::Devise.mailer.confirmation_instructions(self).deliver
+      end
+
+      # Resend confirmation token. This method does not need to generate a new token.
+      def resend_confirmation_token
+        unless_confirmed { send_confirmation_instructions }
+      end
+
+      # Overwrites active? from Devise::Models::Activatable for confirmation
+      # by verifying whether an user is active to sign in or not. If the user
+      # is already confirmed, it should never be blocked. Otherwise we need to
+      # calculate if the confirm time has not expired for this user.
+      def active?
+        super && (!confirmation_required? || confirmed? || confirmation_period_valid?)
+      end
+
+      # The message to be shown if the account is inactive.
+      def inactive_message
+        !confirmed? ? :unconfirmed : super
+      end
+
+      # If you don't want confirmation to be sent on create, neither a code
+      # to be generated, call skip_confirmation!
+      def skip_confirmation!
+        self.confirmed_at = Time.now
+      end
+
+      protected
+
+        # Callback to overwrite if confirmation is required or not.
+        def confirmation_required?
+          !confirmed?
+        end
+
+        # Checks if the confirmation for the user is within the limit time.
+        # We do this by calculating if the difference between today and the
+        # confirmation sent date does not exceed the confirm in time configured.
+        # Confirm_within is a model configuration, must always be an integer value.
+        #
+        # Example:
+        #
+        #   # confirm_within = 1.day and confirmation_sent_at = today
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_within = 5.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_within = 5.days and confirmation_sent_at = 5.days.ago
+        #   confirmation_period_valid?   # returns false
+        #
+        #   # confirm_within = 0.days
+        #   confirmation_period_valid?   # will always return false
+        #
+        def confirmation_period_valid?
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.confirm_within.ago
+        end
+
+        # Checks whether the record is confirmed or not, yielding to the block
+        # if it's already confirmed, otherwise adds an error to email.
+        def unless_confirmed
+          unless confirmed?
+            yield
+          else
+            self.errors.add(:email, :already_confirmed)
+            false
+          end
+        end
+
+        # Generates a new random token for confirmation, and stores the time
+        # this token is being generated
+        def generate_confirmation_token
+          self.confirmed_at = nil
+          self.confirmation_token = self.class.confirmation_token
+          self.confirmation_sent_at = Time.now.utc
+        end
+
+        def generate_confirmation_token!
+          generate_confirmation_token && save(:validate => false)
+        end
+
+      module ClassMethods
+        # Attempt to find a user by it's email. If a record is found, send new
+        # confirmation instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_confirmation_instructions(attributes={})
+          confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+          confirmable.resend_confirmation_token if confirmable.persisted?
+          confirmable
+        end
+
+        # Find a user by it's confirmation token and try to confirm it.
+        # If no user is found, returns a new user with an error.
+        # If the user is already confirmed, create an error for the user
+        # Options must have the confirmation_token
+        def confirm_by_token(confirmation_token)
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, confirmation_token)
+          confirmable.confirm! if confirmable.persisted?
+          confirmable
+        end
+
+        # Generate a token checking if one does not already exist in the database.
+        def confirmation_token
+          generate_token(:confirmation_token)
+        end
+
+        Devise::Models.config(self, :confirm_within)
+      end
+    end
+  end
+end

data/lib/devise/models/database_authenticatable.rb

@@ -0,0 +1,100 @@
+require 'devise/strategies/database_authenticatable'
+require 'bcrypt'
+
+module Devise
+  module Models
+    # Authenticatable Module, responsible for encrypting password and validating
+    # authenticity of a user while signing in.
+    #
+    # == Options
+    #
+    # DatabaseAuthenticable adds the following options to devise_for:
+    #
+    #   * +stretches+: the cost given to bcrypt.
+    #
+    # == Examples
+    #
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module DatabaseAuthenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+        before_save :downcase_keys
+      end
+
+      # Generates password encryption based on the given value.
+      def password=(new_password)
+        @password = new_password
+        self.encrypted_password = password_digest(@password) if @password.present?
+      end
+
+      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      def valid_password?(password)
+        ::BCrypt::Password.new(self.encrypted_password) == "#{password}#{self.class.pepper}"
+      end
+
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
+      def update_with_password(params={})
+        current_password = params.delete(:current_password)
+
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        end
+
+        result = if valid_password?(current_password)
+          update_attributes(params)
+        else
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          self.attributes = params
+          false
+        end
+
+        clean_up_passwords
+        result
+      end
+
+      def after_database_authentication
+      end
+
+      # A reliable way to expose the salt regardless of the implementation.
+      def authenticatable_salt
+        self.encrypted_password[0,29] if self.encrypted_password
+      end
+
+    protected
+
+      # Downcase case-insensitive keys
+      def downcase_keys
+        self.class.case_insensitive_keys.each { |k| self[k].try(:downcase!) }
+      end
+
+      # Digests the password using bcrypt.
+      def password_digest(password)
+        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches)
+
+        # We assume this method already gets the sanitized values from the
+        # DatabaseAuthenticatable strategy. If you are using this method on
+        # your own, be sure to sanitize the conditions hash to only include
+        # the proper fields.
+        def find_for_database_authentication(conditions)
+          find_for_authentication(conditions)
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/encryptable.rb

@@ -0,0 +1,72 @@
+require 'devise/strategies/database_authenticatable'
+
+module Devise
+  module Models
+    # Encryptable Module adds support to several encryptors.
+    #
+    # == Options
+    #
+    # Encryptable adds the following options to devise_for:
+    #
+    #   * +pepper+: a random string used to provide a more secure hash.
+    #
+    #   * +encryptor+: the encryptor going to be used. By default is nil.
+    #
+    # == Examples
+    #
+    #    User.find(1).valid_password?('password123') # returns true/false
+    #
+    module Encryptable
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :password, :current_password
+        attr_accessor :password_confirmation
+      end
+
+      # Generates password salt.
+      def password=(new_password)
+        self.password_salt = self.class.password_salt if new_password.present?
+        super
+      end
+
+      def authenticatable_salt
+        self.password_salt
+      end
+
+      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      def valid_password?(incoming_password)
+        password_digest(incoming_password) == self.encrypted_password
+      end
+
+    protected
+
+      # Digests the password using the configured encryptor.
+      def password_digest(password)
+        if self.password_salt.present?
+          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        end
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :encryptor)
+
+        # Returns the class for the configured encryptor.
+        def encryptor_class
+          @encryptor_class ||= case encryptor
+            when :bcrypt
+              raise "In order to use bcrypt as encryptor, simply remove :encryptable from your devise model"
+            when nil
+              raise "You need to give an :encryptor as option in order to use :encryptable"
+            else
+              ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+          end
+        end
+
+        def password_salt
+          self.encryptor_class.salt(self.stretches)
+        end
+      end
+    end
+  end
+end