RubyGems - devise-login-cookie - Versions diffs - 0.0.5 → 0.1.0 - Mend

devise-login-cookie 0.0.5 → 0.1.0

Files changed (13) hide show

data/.gitignore +2 -0
data/README.md +96 -25
data/Rakefile +8 -0
data/devise-login-cookie.gemspec +7 -3
data/lib/devise-login-cookie.rb +1 -54
data/lib/devise_login_cookie.rb +12 -0
data/lib/devise_login_cookie/cookie.rb +81 -0
data/lib/devise_login_cookie/strategy.rb +45 -0
data/lib/{devise-login-cookie → devise_login_cookie}/version.rb +1 -1
data/spec/cookie_spec.rb +109 -0
data/spec/spec_helper.rb +52 -0
data/spec/strategy_spec.rb +30 -0
metadata +54 -6

data/.gitignore CHANGED Viewed

@@ -1,3 +1,5 @@
 pkg/*
 *.gem
 .bundle
+Gemfile.lock

data/README.md CHANGED Viewed

@@ -1,39 +1,110 @@
 devise-login-cookie
 ===================
-An extension for Devise which sets a signed login cookie upon authentication, making shared logins between same-domain applications possible.
+A simple [Devise][1] extension for Single Sign On across same-domain web applications, using an [HMAC][2] signed login cookie.  The cookie expiry is session-bound, and also contains a tamper-proof creation timestamp for server-enforced expiry.
+[`OpenSSL::HMAC`][3] signing is performed by [`signed_json`][4] which also has implementations in PHP and Python, and can easily be implemented in other languages with OpenSSL and JSON. Note that standard Rails signed cookies are not appropriate for cross-platform use, as they use `Marshal.dump` internally.
+  [1]: https://github.com/plataformatec/devise
+  [2]: http://en.wikipedia.org/wiki/HMAC
+  [3]: http://ruby-doc.org/ruby-1.9/classes/OpenSSL/HMAC.html
+  [4]: https://github.com/pda/signed_json
 Installation
 ------------
+Simple:
     gem install devise-login-cookie
+Bundler-style:
     echo 'gem "devise-login-cookie"' >> Gemfile
     bundle install
-    # load in config/initializers/devise
-    require 'devise-login-cookie'
-Information
------------
-While Devise sets a cookie for Remember Me logins, standard logins are only tracked in the session.
-This extension sets a separate cookie upon authentication.
+Rails:
-For the `:user` scope, the cookie is named `login_user_token`, consistent with `remember_user_token` from rememberable.
-The cookie is deleted via the before_logout Warden hook.
-TODO
-----
-* Cookie is write-only; create a Warden strategy to consume cookie for login.
-Meh
----
-(c) 2010 Paul Annesley, MIT license.
+    # in config/initializers/devise.rb inside Devise.setup block
+    require 'devise-login-cookie'
+    config.warden do |manager|
+      manager.default_strategies(:scope => :user) << :devise_login_cookie
+    end
+Background
+----------
+The `devise-login-cookie` extension was born from a web application composed of Rails, PHP and Django.  Because the components were on the same domain, Single Sign On could be implemented with a simple shared cookie.
+While Devise can set a cookie for Remember Me logins, standard logins are only tracked in the session.  Also, Devise cookies and Rails session cookies are tied to Ruby due to their reliance on `Marshal.dump`.
+This extension sets a separate cookie upon authentication, signed in a cross-platform manner, and deletes it via the `before_logout` Warden hook.  For the `:user` scope, the cookie is named `login_user_token`, consistent with `remember_user_token` from Devise's `rememberable`.  The same cookie, if valid, triggers authentication.
+Development and Tests
+---------------------
+Patches are welcome; fork and send a pull request.  Make sure the tests still work, and where possible, add to them.  Let me know if you can't get the tests green to begin with.
+RSpec 2 specifications cover the entire `Cookie` and part of the `Strategy`, but do not reach resource loading and authentication, nor cookie setting being triggered by login.  These aspects need tobe tested in the host Rails application.
+    $ rake
+    DeviseLoginCookie::Cookie
+      #unset
+        deletes cookie
+      without any cookies
+        Cookie instance
+          should not be present
+          should not be valid
+          should not be set since 1970-01-01 10:00:00 +1000
+        #id
+          should be nil
+        #created_at
+          should be nil
+        #set
+          accepts resource
+      with an invalid cookie
+        Cookie instance
+          should be present
+          should not be valid
+          should not be set since 1970-01-01 10:00:00 +1000
+        #id
+          should be nil
+        #created_at
+          should be nil
+        #set
+          accepts resource
+      with a valid cookie
+        Cookie instance
+          should be present
+          should be valid
+          should not be set since 2010-12-08 23:46:30 +1100
+          should be set since 2010-12-08 23:46:29 +1100
+          should be set since 2010-12-08 23:46:28 +1100
+        #id
+          should == 5
+        #created_at
+          should == 2010-12-08 23:46:29 +1100
+        #set
+          accepts resource
+    DeviseLoginCookie::Strategy
+      #valid?
+        with no cookies
+          should not be valid
+        with invalid cookie
+          should not be valid
+        with valid cookie
+          should be valid
+    Finished in 0.06065 seconds
+    24 examples, 0 failures
+Credits
+-------
+(c) 2010 Paul Annesley; MIT Licence.

data/Rakefile CHANGED Viewed

@@ -1,2 +1,10 @@
 require 'bundler'
 Bundler::GemHelper.install_tasks
+desc "Run all tests"
+task :default => :spec
+desc "Run specs"
+task :spec do
+  system 'bundle exec rspec --color --format documentation spec/*_spec.rb'
+end

data/devise-login-cookie.gemspec CHANGED Viewed

@@ -1,6 +1,6 @@
 # -*- encoding: utf-8 -*-
 $:.push File.expand_path("../lib", __FILE__)
-require "devise-login-cookie/version"
+require "devise_login_cookie/version"
 Gem::Specification.new do |s|
   s.name        = "devise-login-cookie"
@@ -19,7 +19,11 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
-  s.add_dependency("signed_json")
-  s.add_runtime_dependency("devise", ["~> 1.1"])
+  s.add_dependency("signed_json", ["~> 0.0.3"])
+  s.add_dependency("devise", ["~> 1.1"])
+  s.add_development_dependency("rspec", ["~> 2.2"])
+  s.add_development_dependency("rails") # devise requires this
+  s.add_development_dependency("rake")
 end

data/lib/devise-login-cookie.rb CHANGED Viewed

@@ -1,54 +1 @@
-module DeviseLoginCookie
-  class Cookie
-    def initialize(warden, scope)
-      @scope = scope
-      @warden = warden
-    end
-    def set(user)
-      cookies[cookie_name] = cookie_options.merge(:value => cookie_value(user))
-    end
-    def unset
-      cookies.delete cookie_name, cookie_options
-    end
-    private
-    def cookies
-      # .cookies provided by Devise in warden_compat.rb
-      # Roughly equivalent to: ActionDispatch::Request.new(env).cookie_jar
-      @warden.cookies
-    end
-    def cookie_name
-      "login_#{@scope}_token"
-    end
-    def cookie_value(user)
-      sign [ user.id, Time.now.to_i ]
-    end
-    def cookie_options
-      Rails.configuration.session_options.slice(:path, :domain, :secure, :httponly)
-    end
-    def sign(input)
-      require 'signed_json'
-      signer = SignedJson::Signer.new(Rails.configuration.secret_token)
-      signer.encode input
-    end
-  end
-  Warden::Manager.after_set_user do |user, warden, options|
-    Cookie.new(warden, options[:scope]).set(user)
-  end
-  Warden::Manager.before_logout do |user, warden, options|
-    Cookie.new(warden, options[:scope]).unset
-  end
-end
+require "devise_login_cookie"

data/lib/devise_login_cookie.rb ADDED Viewed

@@ -0,0 +1,12 @@
+require "devise_login_cookie/cookie"
+require "devise_login_cookie/strategy"
+Warden::Strategies.add(:devise_login_cookie, DeviseLoginCookie::Strategy)
+Warden::Manager.after_set_user do |user, warden, options|
+  DeviseLoginCookie::Cookie.new(warden.cookies, options[:scope]).set(user)
+end
+Warden::Manager.before_logout do |user, warden, options|
+  DeviseLoginCookie::Cookie.new(warden.cookies, options[:scope]).unset
+end

data/lib/devise_login_cookie/cookie.rb ADDED Viewed

@@ -0,0 +1,81 @@
+require "active_support/core_ext/hash/slice"
+module DeviseLoginCookie
+  class Cookie
+    # for non-Rails test environment.
+    attr_writer :session_options
+    attr_accessor :secret_token
+    def initialize(cookies, scope)
+      @cookies = cookies
+      @scope = scope
+    end
+    # Sets the cookie, referencing the given resource.id (e.g. User)
+    def set(resource)
+      @cookies[cookie_name] = cookie_options.merge(:value => encoded_value(resource))
+    end
+    # Unsets the cookie via the HTTP response.
+    def unset
+      @cookies.delete cookie_name, cookie_options
+    end
+    # The id of the resource (e.g. User) referenced in the cookie.
+    def id
+      value[0]
+    end
+    # The Time at which the cookie was created.
+    def created_at
+      valid? ? Time.at(value[1]) : nil
+    end
+    # Whether the cookie appears valid.
+    def valid?
+      present? && value.all?
+    end
+    def present?
+      @cookies[cookie_name].present?
+    end
+    # Whether the cookie was set since the given Time
+    def set_since?(time)
+      created_at && created_at >= time
+    end
+    private
+    def value
+      begin
+        @value = signer.decode @cookies[cookie_name]
+      rescue SignedJson::Error
+        [nil, nil]
+      end
+    end
+    def cookie_name
+      :"login_#{@scope}_token"
+    end
+    def encoded_value(resource)
+      signer.encode [ resource.id, Time.now.to_i ]
+    end
+    def cookie_options
+      @session_options ||= Rails.configuration.session_options
+      @session_options.slice(:path, :domain, :secure, :httponly)
+    end
+    def signer
+      require 'signed_json'
+      secret = secret_token || Rails.configuration.secret_token
+      @signer ||= SignedJson::Signer.new(secret)
+    end
+  end
+end

data/lib/devise_login_cookie/strategy.rb ADDED Viewed

@@ -0,0 +1,45 @@
+module DeviseLoginCookie
+  class Strategy < ::Devise::Strategies::Authenticatable
+    # TODO: configurable TTL
+    COOKIE_TTL = 86400 # one day
+    # for non-Rails test environment.
+    attr_accessor :secret_token
+    def valid?
+      cookie.valid?
+    end
+    def authenticate!
+      if fresh?(cookie) && validate(resource)
+        success!(resource)
+      else
+        pass
+      end
+    end
+    private
+    def cookie
+      @cookie ||= Cookie.new(cookies, scope).tap do |cookie|
+        cookie.secret_token = secret_token if secret_token
+      end
+    end
+    def fresh?(cookie)
+      cookie.set_since?(Time.now - COOKIE_TTL)
+    end
+    def resource
+      @resource ||= mapping.to.find(cookie.id)
+    end
+    def pass
+      cookie.unset
+      super
+    end
+  end
+end

data/lib/{devise-login-cookie → devise_login_cookie}/version.rb RENAMED Viewed

@@ -1,3 +1,3 @@
 module DeviseLoginCookie
-  VERSION = "0.0.5"
+  VERSION = "0.1.0"
 end

data/spec/cookie_spec.rb ADDED Viewed

@@ -0,0 +1,109 @@
+require "spec_helper"
+module DeviseLoginCookie
+  describe Cookie do
+    include DeviseLoginCookie::SpecHelpers
+    describe "#unset" do
+      it "deletes cookie" do
+        options = { :path => "/a", :domain => "a.bc", :secure => true, :httponly => true }
+        jar = double().tap do |jar|
+          jar.should_receive(:delete).with(:login_test_token, options)
+        end
+        Cookie.new(jar, :test).tap{ |c| c.session_options = options }.unset
+      end
+    end
+    describe "without any cookies" do
+      let(:cookie) { create_cookie }
+      subject { cookie }
+      describe "Cookie instance" do
+        it { should_not be_present }
+        it { should_not be_valid }
+        it { should_not be_set_since(Time.at(0)) }
+      end
+      describe "#id" do
+        subject { cookie.id }
+        it { should be_nil }
+      end
+      describe "#created_at" do
+        subject { cookie.created_at }
+        it { should be_nil }
+      end
+      describe "#set" do
+        it "accepts resource" do
+          cookie.set(resource(10))
+          cookie.id.should == 10
+        end
+      end
+    end
+    describe "with an invalid cookie" do
+      let(:cookie) { create_cookie :login_test_token => "blarg" }
+      subject { cookie }
+      describe "Cookie instance" do
+        it { should be_present }
+        it { should_not be_valid }
+        it { should_not be_set_since(Time.at(0)) }
+      end
+      describe "#id" do
+        subject { cookie.id }
+        it { should be_nil }
+      end
+      describe "#created_at" do
+        subject { cookie.created_at }
+        it { should be_nil }
+      end
+      describe "#set" do
+        it "accepts resource" do
+          cookie.set(resource(10))
+          cookie.id.should == 10
+        end
+      end
+    end
+    describe "with a valid cookie" do
+      # force integer precision, rather than float.
+      let(:now) { Time.at(Time.now.to_i) }
+      let(:cookie) { create_valid_cookie(5, now) }
+      subject { cookie }
+      describe "Cookie instance" do
+        it { should be_present }
+        it { should be_valid }
+        it { should_not be_set_since(now + 1) }
+        it { should be_set_since(now) }
+        it { should be_set_since(now - 1) }
+      end
+      describe "#id" do
+        subject { cookie.id }
+        it { should == 5 }
+      end
+      describe "#created_at" do
+        subject { cookie.created_at }
+        it { should == now }
+      end
+      describe "#set" do
+        it "accepts resource" do
+          cookie.set(resource(10))
+          cookie.id.should == 10
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb ADDED Viewed

@@ -0,0 +1,52 @@
+require "rails"
+require "devise"
+require "devise_login_cookie"
+require "action_dispatch/middleware/cookies"
+module DeviseLoginCookie
+  module SpecHelpers
+    def resource(id)
+      require "ostruct"
+      OpenStruct.new(:id => id)
+    end
+    def cookie_jar(cookies = {})
+      ActionDispatch::Cookies::CookieJar.new.tap do |jar|
+        cookies.each { |key, value| jar[key] = value }
+      end
+    end
+    def create_cookie(cookies = {})
+      Cookie.new(cookie_jar(cookies), :test).tap do |cookie|
+        cookie.session_options = {}
+        cookie.secret_token = "secret"
+      end
+    end
+    def create_valid_cookie(id, created_at)
+      create_cookie :login_test_token => signed_cookie_value(id, created_at.to_i)
+    end
+    def signed_cookie_value(id, created_at)
+      # hacky shortcut better than re-implementing?
+      Cookie.new(nil, nil).tap do |cookie|
+        cookie.secret_token = "secret"
+      end.send(:signer).encode [id, created_at]
+    end
+    def create_strategy(cookies = {})
+      env = { "action_dispatch.cookies" => cookie_jar(cookies) }
+      Strategy.new(env, :test).tap do |strategy|
+        strategy.secret_token = "secret"
+      end
+    end
+    def create_valid_strategy
+      create_strategy :login_test_token => signed_cookie_value(1, Time.now.to_i)
+    end
+  end
+end

data/spec/strategy_spec.rb ADDED Viewed

@@ -0,0 +1,30 @@
+require "spec_helper"
+module DeviseLoginCookie
+  describe Strategy do
+    include DeviseLoginCookie::SpecHelpers
+    describe "#valid?" do
+      describe "with no cookies" do
+        subject { create_strategy }
+        it { should_not be_valid }
+      end
+      describe "with invalid cookie" do
+        subject { create_strategy(:login_test_token => "blarg") }
+        it { should_not be_valid }
+      end
+      describe "with valid cookie" do
+        subject { create_valid_strategy }
+        it { should be_valid }
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments:
   - 0
+  - 1
   - 0
-  - 5
-  version: 0.0.5
+  version: 0.1.0
 platform: ruby
 authors:
 - Paul Annesley
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-11-18 00:00:00 +11:00
+date: 2010-12-09 00:00:00 +11:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -23,11 +23,13 @@ dependencies:
   requirement: &id001 !ruby/object:Gem::Requirement
     none: false
     requirements:
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version
         segments:
         - 0
-        version: "0"
+        - 0
+        - 3
+        version: 0.0.3
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency
@@ -44,6 +46,46 @@ dependencies:
         version: "1.1"
   type: :runtime
   version_requirements: *id002
+- !ruby/object:Gem::Dependency
+  name: rspec
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        segments:
+        - 2
+        - 2
+        version: "2.2"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency
+  name: rails
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency
+  name: rake
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        segments:
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id005
 description: Devise sets a "remember_token" cookie for Remember Me logins, but not for standard logins.  This extension sets a separate cookie on login, which makes sharing login state between same-domain web applications easier.
 email:
 - paul@annesley.cc
@@ -60,7 +102,13 @@ files:
 - Rakefile
 - devise-login-cookie.gemspec
 - lib/devise-login-cookie.rb
-- lib/devise-login-cookie/version.rb
+- lib/devise_login_cookie.rb
+- lib/devise_login_cookie/cookie.rb
+- lib/devise_login_cookie/strategy.rb
+- lib/devise_login_cookie/version.rb
+- spec/cookie_spec.rb
+- spec/spec_helper.rb
+- spec/strategy_spec.rb
 has_rdoc: true
 homepage: http://rubygems.org/gems/devise-login-cookie
 licenses: []