devise 0.1.1 → 0.2.0

data/lib/devise/active_record.rb

@@ -17,8 +17,18 @@ module Devise
     #
     #    devise :all, :stretches => 20
     #
-    # You can refer to Authenticable for more information about writing your own
-    # method to setup pepper and stretches.
+    # * confirm_in: the time you want your user to confirm it's account. During
+    #   this time he will be able to access your application without confirming.
+    #
+    #    devise :all, :confirm_in => 7.days
+    #
+    # * remember_for: the time the user will be remembered without asking for
+    #   credentials again.
+    #
+    #    devise :all, :remember_for => 2.weeks
+    #
+    # You can refer to Authenticable, Confirmable and Rememberable for more
+    # information about writing your own method to setup each model apart.
     #
     # Examples:
     #
@@ -48,10 +58,9 @@ module Devise
     #
     def devise(*modules)
       options  = modules.extract_options!
-      options.assert_valid_keys(:except, *Devise::MODEL_CONFIG)
 
-      modules  = Devise::ALL                    if modules.include?(:all)
-      modules -= Array(options.delete(:except)) if options.key?(:except)
+      modules  = Devise::ALL if modules.include?(:all)
+      modules -= Array(options.delete(:except))
       modules |= [:authenticable]
 
       modules.each do |m|
@@ -60,21 +69,7 @@ module Devise
       end
 
       # Convert new keys to methods which overwrites Devise defaults
-      options.each do |key, value|
-        case value
-          when Proc
-            define_method key, &value
-            next
-          when ActiveSupport::Duration
-            value = value.to_i
-        end
-
-        class_eval <<-END_EVAL, __FILE__, __LINE__
-          def #{key}
-            #{value.inspect}
-          end
-        END_EVAL
-      end
+      options.each { |key, value| send(:"#{key}=", value) }
     end
 
     # Stores all modules included inside the model, so we are able to verify

data/lib/devise/controllers/helpers.rb

@@ -81,11 +81,17 @@ module Devise
       #
       # Please refer to README or en.yml locale file to check what messages are
       # available.
-      def set_flash_message(key, kind)
-        flash[key] = I18n.t(:"#{resource_name}.#{kind}",
+      def set_flash_message(key, kind, now=false)
+        flash_hash = now ? flash.now : flash
+        flash_hash[key] = I18n.t(:"#{resource_name}.#{kind}",
                             :scope => [:devise, controller_name.to_sym], :default => kind)
       end
 
+      # Shortcut to set flash.now message. Same rules applied from set_flash_message
+      def set_now_flash_message(key, kind)
+        set_flash_message(key, kind, true)
+      end
+
     end
   end
 end

data/lib/devise/failure.rb

@@ -0,0 +1,29 @@
+module Devise
+  module Failure
+    mattr_accessor :default_url
+
+    # Failure application that will be called every time :warden is thrown from
+    # any strategy or hook. Responsible for redirect the user to the sign in
+    # page based on current scope and mapping. If no scope is given, redirect
+    # to the default_url.
+    def self.call(env)
+      options = env['warden.options']
+      params  = options[:params] || {}
+      scope   = options[:scope]
+
+      redirect_path = if mapping = Devise.mappings[scope]
+        "/#{mapping.as}/#{mapping.path_names[:sign_in]}"
+      else
+        "/#{default_url}"
+      end
+
+      headers = {}
+      headers["Location"] = redirect_path
+      headers["Location"] << "?" << Rack::Utils.build_query(params) unless params.empty?
+      headers["Content-Type"] = 'text/plain'
+
+      message = options[:message] || "You are being redirected to #{redirect_path}"
+      [302, headers, message]
+    end
+  end
+end

data/lib/devise/hooks/confirmable.rb

@@ -0,0 +1,11 @@
+# Each time the user is set we verify if it is still able to really sign in.
+# This is done by checking the time frame the user is able to sign in without
+# confirming it's account. If the user has not confirmed it's account during
+# this time frame, he/she will not able to sign in anymore.
+Warden::Manager.after_set_user do |record, auth, options|
+  if record && record.respond_to?(:active?) && !record.active?
+    scope = options[:scope]
+    auth.logout(scope)
+    throw :warden, :scope => scope, :params => { :unconfirmed => true }
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -9,7 +9,10 @@ Warden::Manager.after_authentication do |record, auth, options|
 
   if Devise::TRUE_VALUES.include?(remember_me) && record.respond_to?(:remember_me!)
     record.remember_me!
-    auth.cookies['remember_token'] = record.class.serialize_into_cookie(record)
+    auth.cookies['remember_token'] = {
+      :value => record.class.serialize_into_cookie(record),
+      :expires => record.remember_expires_at
+    }
   end
 end
 
@@ -19,6 +22,6 @@ end
 Warden::Manager.before_logout do |record, auth, scope|
   if record.respond_to?(:forget_me!)
     record.forget_me!
-    auth.cookies['remember_token'] = nil
+    auth.cookies.delete('remember_token')
   end
 end

data/lib/devise/migrations.rb

@@ -19,10 +19,11 @@ module Devise
 
     # Creates email, encrypted_password and password_salt.
     #
-    def authenticable
-      string :email,              :limit => 100, :null => false
-      string :encrypted_password, :limit =>  40, :null => false
-      string :password_salt,      :limit =>  20, :null => false
+    def authenticable(options={})
+      null = options[:null] || false
+      string :email,              :limit => 100, :null => null
+      string :encrypted_password, :limit =>  40, :null => null
+      string :password_salt,      :limit =>  20, :null => null
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
@@ -39,11 +40,11 @@ module Devise
       string :reset_password_token, :limit => 20
     end
 
-    # Creates remember_token and remember_expires_at.
+    # Creates remember_token and remember_created_at.
     #
     def rememberable
       string   :remember_token, :limit => 20
-      datetime :remember_expires_at
+      datetime :remember_created_at
     end
 
   end

data/lib/devise/models/authenticable.rb

@@ -1,4 +1,5 @@
 require 'digest/sha1'
+require 'devise/strategies/authenticable'
 
 module Devise
   module Models
@@ -24,16 +25,12 @@ module Devise
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
     module Authenticable
-      Devise.model_config(self, :pepper)
-      Devise.model_config(self, :stretches, 10)
-
       def self.included(base)
         base.class_eval do
           extend ClassMethods
 
           attr_reader :password
           attr_accessor :password_confirmation
-          attr_accessible :email, :password, :password_confirmation
         end
       end
 
@@ -74,7 +71,6 @@ module Devise
         end
 
       module ClassMethods
-
         # Authenticate a user based on email and password. Returns the
         # authenticated user if it's valid or nil.
         # Attributes are :email and :password
@@ -93,6 +89,9 @@ module Devise
           perishable
         end
       end
+
+      Devise.model_config(self, :pepper)
+      Devise.model_config(self, :stretches, 10)
     end
   end
 end

data/lib/devise/models/confirmable.rb

@@ -1,3 +1,5 @@
+require 'devise/hooks/confirmable'
+
 module Devise
   module Models
 
@@ -9,6 +11,17 @@ module Devise
     # Whenever the user update it's email, his account is automatically unconfirmed,
     # it means it won't be able to sign in again without confirming the account
     # again through the email that was sent.
+    #
+    # Configuration:
+    #
+    #   confirm_in: the time you want the user will have to confirm it's account
+    #               without blocking his access. When confirm_in is zero, the
+    #               user won't be able to sign in without confirming. You can
+    #               use this to let your user access some features of your
+    #               application without confirming the account, but blocking it
+    #               after a certain period (ie 7 days). By default confirm_in is
+    #               zero, it means users always have to confirm to sign in.
+    #
     # Examples:
     #
     #   User.find(1).confirm!      # returns true unless it's already confirmed
@@ -30,8 +43,9 @@ module Devise
       # is already confirmed, add en error to email field
       def confirm!
         unless_confirmed do
-          clear_confirmation_token
-          update_attribute(:confirmed_at, Time.now)
+          self.confirmation_token = nil
+          self.confirmed_at = Time.now
+          save(false)
         end
       end
 
@@ -56,13 +70,38 @@ module Devise
         end
       end
 
+      # Verify whether a user is active to sign in or not. If the user is
+      # already confirmed, it should never be blocked. Otherwise we need to
+      # calculate if the confirm time has not expired for this user, in other
+      # words, if the confirmation is still valid.
+      def active?
+        confirmed? || confirmation_period_valid?
+      end
+
       protected
 
-        # Remove confirmation date from the user, ensuring after a user update
-        # it's email, it won't be able to sign in without confirming it.
-        def reset_confirmation
-          generate_confirmation_token
-          self.confirmed_at = nil
+        # Checks if the confirmation for the user is within the limit time.
+        # We do this by calculating if the difference between today and the
+        # confirmation sent date does not exceed the confirm in time configured.
+        # Confirm_in is a model configuration, must always be an integer value.
+        #
+        # Example:
+        #
+        #   # confirm_in = 1.day and confirmation_sent_at = today
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_in = 5.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_in = 5.days and confirmation_sent_at = 5.days.ago
+        #   confirmation_period_valid?   # returns false
+        #
+        #   # confirm_in = 0.days
+        #   confirmation_period_valid?   # will always return false
+        #
+        def confirmation_period_valid?
+          confirmation_sent_at? &&
+            (Date.today - confirmation_sent_at.to_date).days < confirm_in
         end
 
         # Checks whether the record is confirmed or not, yielding to the block
@@ -76,6 +115,13 @@ module Devise
           end
         end
 
+        # Remove confirmation date from the user, ensuring after a user update
+        # it's email, it won't be able to sign in without confirming it.
+        def reset_confirmation
+          generate_confirmation_token
+          self.confirmed_at = nil
+        end
+
         # Generates a new random token for confirmation, and stores the time
         # this token is being generated
         def generate_confirmation_token
@@ -89,11 +135,6 @@ module Devise
           generate_confirmation_token && save(false)
         end
 
-        # Removes confirmation token
-        def clear_confirmation_token
-          self.confirmation_token = nil
-        end
-
       module ClassMethods
 
         # Attempt to find a user by it's email. If a record is found, send new
@@ -120,6 +161,8 @@ module Devise
           confirmable
         end
       end
+
+      Devise.model_config(self, :confirm_in, 0.days)
     end
   end
 end

data/lib/devise/models/rememberable.rb

@@ -1,4 +1,6 @@
 require 'digest/sha1'
+require 'devise/hooks/rememberable'
+require 'devise/strategies/rememberable'
 
 module Devise
   module Models
@@ -9,6 +11,16 @@ module Devise
     # to lookup the record based on the saved information.
     # You probably wouldn't use rememberable methods directly, they are used
     # mostly internally for handling the remember token.
+    #
+    # Configuration:
+    #
+    #   remember_for: the time you want the user will be remembered without
+    #                 asking for credentials. After this time the user will be
+    #                 blocked and will have to enter his credentials again.
+    #                 This configuration is also used to calculate the expires
+    #                 time for the cookie created to remember the user.
+    #                 By default remember_for is 2.weeks.
+    #
     # Examples:
     #
     #   User.find(1).remember_me!  # regenerating the token
@@ -27,13 +39,13 @@ module Devise
 
           # Remember me option available in after_authentication hook.
           attr_accessor :remember_me
-          attr_accessible :remember_me
         end
       end
 
       # Generate a new remember token and save the record without validations.
       def remember_me!
         self.remember_token = friendly_token
+        self.remember_created_at = Time.now
         save(false)
       end
 
@@ -42,30 +54,42 @@ module Devise
       def forget_me!
         if remember_token?
           self.remember_token = nil
+          self.remember_created_at = nil
           save(false)
         end
       end
 
       # Checks whether the incoming token matches or not with the record token.
       def valid_remember_token?(token)
-        remember_token.present? && remember_token == token
+        remember_token? && !remember_expired? && remember_token == token
+      end
+
+      # Remember token should be expired if expiration time not overpass now.
+      def remember_expired?
+        remember_expires_at <= Time.now
+      end
+
+      # Remember token expires at created time + remember_for configuration
+      def remember_expires_at
+        remember_created_at + remember_for
       end
 
       module ClassMethods
 
         # Create the cookie key using the record id and remember_token
-        def serialize_into_cookie(record)
-          "#{record.id}::#{record.remember_token}"
+        def serialize_into_cookie(rememberable)
+          "#{rememberable.id}::#{rememberable.remember_token}"
         end
 
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(cookie)
-          record_id, remember_token = cookie.split('::')
-          record = find_by_id(record_id)
-          record if record.try(:valid_remember_token?, remember_token)
+          rememberable_id, remember_token = cookie.split('::')
+          rememberable = find_by_id(rememberable_id) if rememberable_id
+          rememberable if rememberable.try(:valid_remember_token?, remember_token)
         end
-
       end
+
+      Devise.model_config(self, :remember_for, 2.weeks)
     end
   end
 end

data/lib/devise/strategies/authenticable.rb

@@ -12,7 +12,7 @@ module Devise
           success!(resource)
         else
           store_location
-          redirect!(sign_in_path, :unauthenticated => true)
+          throw :warden, :scope => scope, :params => { :unauthenticated => true }
         end
       end
 
@@ -35,11 +35,8 @@ module Devise
         def store_location
           session[:"#{mapping.name}.return_to"] = request.request_uri if request.get?
         end
-
-        # Create path to sign in the resource
-        def sign_in_path
-          "/#{mapping.as}/#{mapping.path_names[:sign_in]}"
-        end
     end
   end
 end
+
+Warden::Strategies.add(:authenticable, Devise::Strategies::Authenticable)

data/lib/devise/strategies/rememberable.rb

@@ -31,3 +31,5 @@ module Devise
     end
   end
 end
+
+Warden::Strategies.add(:rememberable, Devise::Strategies::Rememberable)

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "0.1.1".freeze
+  VERSION = "0.2.0".freeze
 end

data/lib/devise/warden.rb

@@ -49,16 +49,13 @@ Warden::Manager.before_failure do |env, opts|
   env['warden'].request.params['action'] = 'new'
 end
 
+# Setup devise strategies for Warden
+require 'devise/strategies/base'
+
 # Adds Warden Manager to Rails middleware stack, configuring default devise
 # strategy and also the controller who will manage not authenticated users.
 Rails.configuration.middleware.use Warden::Manager do |manager|
   manager.default_strategies :rememberable, :authenticable
-  manager.failure_app = SessionsController
+  manager.failure_app = Devise::Failure
+  manager.silence_missing_strategies!
 end
-
-# Setup devise strategies for Warden
-Warden::Strategies.add(:rememberable, Devise::Strategies::Rememberable)
-Warden::Strategies.add(:authenticable, Devise::Strategies::Authenticable)
-
-# Require rememberable hooks
-require 'devise/hooks/rememberable'