devise 0.6.1 → 0.6.2

data/CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+== 0.6.2
+
+* enhancements
+  * More DataMapper compatibility
+  * Devise::Trackable - track sign in count, timestamps and ips
+
 == 0.6.1
 
 * enhancements

data/README.rdoc

@@ -7,13 +7,14 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-Right now it's composed of five mainly modules:
+Right now it's composed of seven mainly modules:
 
 * Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
 * Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
 * Recoverable: takes care of reseting the user password and send reset instructions.
 * Rememberable: manages generating and clearing token for remember the user from a saved cookie.
 * Timeoutable: expires sessions without activity in a certain period of time.
+* Trackable: tracks sign in count, timestamps and ip.
 * Validatable: creates all needed validations for email and password. It's totally optional, so you're able to to customize validations by yourself.
 
 There's an example application using Devise at http://github.com/plataformatec/devise_example .

data/TODO

@@ -1,5 +1,2 @@
 * Create update_with_password
 * Make test run with different ORMs
-* Use request_ip in session cookies
-* Devise::BruteForceProtection
-* Devise::Trackeable

data/generators/devise_install/templates/devise.rb

@@ -36,7 +36,7 @@ Devise.setup do |config|
 
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again.
-  # config.timeout = 10.minutes
+  # config.timeout_in = 10.minutes
 
   # Configure the e-mail address which will be shown in DeviseMailer.
   # config.mailer_sender = "foo.bar@yourapp.com"

data/lib/devise.rb

@@ -1,5 +1,6 @@
 module Devise
-  ALL = [:authenticatable, :confirmable, :recoverable, :rememberable, :timeoutable, :validatable].freeze
+  ALL = [:authenticatable, :confirmable, :recoverable, :rememberable,
+         :timeoutable, :trackable, :validatable].freeze
 
   # Maps controller names to devise modules
   CONTROLLERS = {
@@ -46,8 +47,8 @@ module Devise
   @@confirm_within = 0.days
 
   # Time interval to timeout the user session without activity.
-  mattr_accessor :timeout
-  @@timeout = 30.minutes
+  mattr_accessor :timeout_in
+  @@timeout_in = 30.minutes
 
   # Used to define the password encryption algorithm.
   mattr_accessor :encryptor

data/lib/devise/hooks/timeoutable.rb

@@ -4,16 +4,13 @@
 # record is set, we set the last request time inside it's scoped session to
 # verify timeout in the following request.
 Warden::Manager.after_set_user do |record, warden, options|
-  if record && record.respond_to?(:timeout?)
-    scope = options[:scope]
-    # Record may have already been logged out by another hook (ie confirmable).
-    if warden.authenticated?(scope)
-      last_request_at = warden.session(scope)['last_request_at']
-      if record.timeout?(last_request_at)
-        warden.logout(scope)
-        throw :warden, :scope => scope, :message => :timeout
-      end
-      warden.session(scope)['last_request_at'] = Time.now.utc
+  scope = options[:scope]
+  if record && record.respond_to?(:timeout?) && warden.authenticated?(scope)
+    last_request_at = warden.session(scope)['last_request_at']
+    if record.timeout?(last_request_at)
+      warden.logout(scope)
+      throw :warden, :scope => scope, :message => :timeout
     end
+    warden.session(scope)['last_request_at'] = Time.now.utc
   end
 end

data/lib/devise/hooks/trackable.rb

@@ -0,0 +1,18 @@
+# After each sign in, update sign in time, sign in count and sign in IP.
+Warden::Manager.after_authentication do |record, warden, options|
+  scope = options[:scope]
+  if Devise.mappings[scope].try(:trackable?) && warden.authenticated?(scope)
+    old_current, new_current  = record.current_sign_in_at, Time.now
+    record.last_sign_in_at    = old_current || new_current
+    record.current_sign_in_at = new_current
+
+    old_current, new_current  = record.current_sign_in_ip, warden.request.remote_ip
+    record.last_sign_in_ip    = old_current || new_current
+    record.current_sign_in_ip = new_current
+
+    record.sign_in_count ||= 0
+    record.sign_in_count += 1
+
+    record.save(false)
+  end
+end

data/lib/devise/models.rb

@@ -75,6 +75,7 @@ module Devise
       options  = modules.extract_options!
       modules  = Devise.all if modules.include?(:all)
       modules -= Array(options.delete(:except))
+      modules  = Devise::ALL & modules
 
       if !modules.include?(:authenticatable)
         modules  = [:authenticatable] | modules
@@ -96,5 +97,26 @@ module Devise
     def devise_modules
       @devise_modules ||= []
     end
+
+    # Find an initialize a record setting an error if it can't be found
+    def find_or_initialize_with_error_by(attribute, value, error=:invalid)
+      if value.present?
+        conditions = { attribute => value }
+        record = find(:first, :conditions => conditions)
+      end
+
+      unless record
+        record = new
+
+        if value.present?
+          record.send(:"#{attribute}=", value)
+          record.errors.add(attribute, error, :default => error.to_s.gsub("_", " "))
+        else
+          record.errors.add(attribute, :blank)
+        end
+      end
+
+      record
+    end
   end
 end

data/lib/devise/models/authenticatable.rb

@@ -38,16 +38,17 @@ module Devise
         end
       end
 
-      # Regenerates password salt and encrypted password each time password is
-      # setted.
+      # Regenerates password salt and encrypted password each time password is set.
       def password=(new_password)
         @password = new_password
-        self.password_salt = Devise.friendly_token
-        self.encrypted_password = password_digest(@password)
+
+        if @password.present?
+          self.password_salt = Devise.friendly_token
+          self.encrypted_password = password_digest(@password)
+        end
       end
 
-      # Verifies whether an incoming_password (ie from login) is the user
-      # password.
+      # Verifies whether an incoming_password (ie from login) is the user password.
       def valid_password?(incoming_password)
         password_digest(incoming_password) == encrypted_password
       end
@@ -66,31 +67,8 @@ module Devise
         def authenticate(attributes={})
           return unless authentication_keys.all? { |k| attributes[k].present? }
           conditions = attributes.slice(*authentication_keys)
-          authenticatable = find_for_authentication(conditions)
-          authenticatable if authenticatable.try(:valid_password?, attributes[:password])
-        end
-
-        # Find first record based on conditions given (ie by the sign in form).
-        # Overwrite to add customized conditions, create a join, or maybe use a
-        # namedscope to filter records while authenticating.
-        # Example:
-        #
-        #   def self.find_for_authentication(conditions={})
-        #     conditions[:active] = true
-        #     find(:first, :conditions => conditions)
-        #   end
-        #
-        def find_for_authentication(conditions)
-          find(:first, :conditions => conditions)
-        end
-
-        # Attempt to find a user by it's email. If not user is found, returns a
-        # new user with an email not found error.
-        def find_or_initialize_with_error_by_email(email)
-          attributes = { :email => email }
-          record = find(:first, :conditions => attributes) || new(attributes)
-          record.errors.add(:email, :not_found, :default => 'not found') if record.new_record?
-          record
+          resource = find_for_authentication(conditions)
+          valid_for_authentication(resource, attributes) if resource
         end
 
         # Hook to serialize user into session. Overwrite if you want.
@@ -110,6 +88,27 @@ module Devise
           @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
         end
 
+      protected
+
+        # Find first record based on conditions given (ie by the sign in form).
+        # Overwrite to add customized conditions, create a join, or maybe use a
+        # namedscope to filter records while authenticating.
+        # Example:
+        #
+        #   def self.find_for_authentication(conditions={})
+        #     conditions[:active] = true
+        #     find(:first, :conditions => conditions)
+        #   end
+        #
+        def find_for_authentication(conditions)
+          find(:first, :conditions => conditions)
+        end
+
+        # Contains the logic used in authentication. Overwritten by other devise modules.
+        def valid_for_authentication(resource, attributes)
+          resource if resource.valid_password?(attributes[:password])
+        end
+
         Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
       end
     end

data/lib/devise/models/confirmable.rb

@@ -100,8 +100,7 @@ module Devise
         #   confirmation_period_valid?   # will always return false
         #
         def confirmation_period_valid?
-          confirmation_sent_at &&
-            ((Time.now.utc - confirmation_sent_at.utc) < self.class.confirm_within)
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.confirm_within.ago
         end
 
         # Checks whether the record is confirmed or not, yielding to the block
@@ -129,7 +128,7 @@ module Devise
         # with an email not found error.
         # Options must contain the user email
         def send_confirmation_instructions(attributes={})
-          confirmable = find_or_initialize_with_error_by_email(attributes[:email])
+          confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
           confirmable.reset_confirmation! unless confirmable.new_record?
           confirmable
         end
@@ -139,12 +138,8 @@ module Devise
         # If the user is already confirmed, create an error for the user
         # Options must have the confirmation_token
         def confirm!(attributes={})
-          confirmable = find_or_initialize_by_confirmation_token(attributes[:confirmation_token])
-          if confirmable.new_record?
-            confirmable.errors.add(:confirmation_token, :invalid)
-          else
-            confirmable.confirm!
-          end
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])        
+          confirmable.confirm! unless confirmable.new_record?
           confirmable
         end
 

data/lib/devise/models/recoverable.rb

@@ -6,9 +6,11 @@ module Devise
     #
     #   # resets the user password and save the record, true if valid passwords are given, otherwise false
     #   User.find(1).reset_password!('password123', 'password123')
+    #
     #   # only resets the user password, without saving the record
     #   user = User.find(1)
     #   user.reset_password('password123', 'password123')
+    #
     #   # creates a new token and send it with instructions about how to reset the password
     #   User.find(1).send_reset_password_instructions
     module Recoverable
@@ -62,7 +64,7 @@ module Devise
         # with an email not found error.
         # Attributes must contain the user email
         def send_reset_password_instructions(attributes={})
-          recoverable = find_or_initialize_with_error_by_email(attributes[:email])
+          recoverable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
           recoverable.send_reset_password_instructions unless recoverable.new_record?
           recoverable
         end
@@ -73,12 +75,8 @@ module Devise
         # containing an error in reset_password_token attribute.
         # Attributes must contain reset_password_token, password and confirmation
         def reset_password!(attributes={})
-          recoverable = find_or_initialize_by_reset_password_token(attributes[:reset_password_token])
-          if recoverable.new_record?
-            recoverable.errors.add(:reset_password_token, :invalid)
-          else
-            recoverable.reset_password!(attributes[:password], attributes[:password_confirmation])
-          end
+          recoverable = find_or_initialize_with_error_by(:reset_password_token, attributes[:reset_password_token])
+          recoverable.reset_password!(attributes[:password], attributes[:password_confirmation]) unless recoverable.new_record?
           recoverable
         end
       end

data/lib/devise/models/rememberable.rb

@@ -82,7 +82,7 @@ module Devise
         # Recreate the user based on the stored cookie
         def serialize_from_cookie(cookie)
           rememberable_id, remember_token = cookie.split('::')
-          rememberable = find_by_id(rememberable_id) if rememberable_id
+          rememberable = find(:first, :conditions => { :id => rememberable_id }) if rememberable_id
           rememberable if rememberable.try(:valid_remember_token?, remember_token)
         end
 

data/lib/devise/models/timeoutable.rb

@@ -19,11 +19,11 @@ module Devise
 
       # Checks whether the user session has expired based on configured time.
       def timeout?(last_access)
-        last_access && last_access <= self.class.timeout.ago.utc
+        last_access && last_access <= self.class.timeout_in.ago
       end
 
       module ClassMethods
-        Devise::Models.config(self, :timeout)
+        Devise::Models.config(self, :timeout_in)
       end
     end
   end

data/lib/devise/models/trackable.rb

@@ -0,0 +1,16 @@
+require 'devise/hooks/trackable'
+
+module Devise
+  module Models
+    # Track information about your user sign in. It tracks the following columns:
+    #
+    # * sign_in_count      - Increased every time a sign in is made (by form, openid, oauth)
+    # * current_sign_in_at - A tiemstamp updated when the user signs in
+    # * last_sign_in_at    - Holds the timestamp of the previous sign in
+    # * current_sign_in_ip - The remote ip updated when the user sign in
+    # * last_sign_in_at    - Holds the remote ip of the previous sign in
+    #
+    module Trackable
+    end
+  end
+end

data/lib/devise/models/validatable.rb

@@ -10,7 +10,13 @@ module Devise
       # Email regex used to validate email formats. Retrieved from authlogic.
       EMAIL_REGEX = /\A[\w\.%\+\-]+@(?:[A-Z0-9\-]+\.)+(?:[A-Z]{2,4}|museum|travel)\z/i
 
+      # All validations used by this module.
+      VALIDATIONS = [ :validates_presence_of, :validates_uniqueness_of, :validates_format_of,
+                      :validates_confirmation_of, :validates_length_of ].freeze
+
       def self.included(base)
+        assert_validations_api!(base)
+
         base.class_eval do
           attribute = authentication_keys.first
 
@@ -27,6 +33,15 @@ module Devise
         end
       end
 
+      def self.assert_validations_api!(base) #:nodoc:
+        unavailable_validations = VALIDATIONS.select { |v| !base.respond_to?(v) }
+
+        unless unavailable_validations.empty?
+          raise "Could not use :validatable module since #{base} does not respond " <<
+                "to the following methods: #{unavailable_validations.to_sentence}."
+        end
+      end
+
       protected
 
         # Checks whether a password is needed or not. For validations only.

data/lib/devise/orm/data_mapper.rb

@@ -5,11 +5,6 @@ module Devise
         klass.send :extend, self
         yield
 
-        # DataMapper validations have a completely different API
-        if modules.include?(:validatable) && !klass.respond_to?(:validates_presence_of)
-          raise ":validatable is not supported in DataMapper, please craft your validations by hand"
-        end
-
         modules.each do |mod|
           klass.send(mod) if klass.respond_to?(mod)
         end
@@ -44,6 +39,15 @@ module Devise
         end
       end
 
+      # In Datamapper, we need to call save! if we don't want to execute callbacks.
+      def save(flag=nil)
+        if flag == false
+          save!
+        else
+          super()
+        end
+      end
+
       # Tell how to apply schema methods. This automatically maps :limit to
       # :length and :null to :nullable.
       def apply_schema(name, type, options={})

data/lib/devise/schema.rb

@@ -41,6 +41,16 @@ module Devise
       apply_schema :remember_created_at, DateTime
     end
 
+    # Creates sign_in_count, current_sign_in_at, last_sign_in_at,
+    # current_sign_in_ip, last_sign_in_ip.
+    def trackable
+      apply_schema :sign_in_count,      Integer
+      apply_schema :current_sign_in_at, DateTime
+      apply_schema :last_sign_in_at,    DateTime
+      apply_schema :current_sign_in_ip, String
+      apply_schema :last_sign_in_ip,    String
+    end
+
     # Overwrite with specific modification to create your own schema.
     def apply_schema(name, type, options={})
       raise NotImplementedError

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "0.6.1".freeze
+  VERSION = "0.6.2".freeze
 end

data/test/integration/confirmable_test.rb

@@ -43,7 +43,8 @@ class ConfirmationTest < ActionController::IntegrationTest
   end
 
   test 'user already confirmed user should not be able to confirm the account again' do
-    user = create_user
+    user = create_user(:confirm => false)
+    user.update_attribute(:confirmed_at, Time.now)
     visit_user_confirmation_with_token(user.confirmation_token)
 
     assert_template 'confirmations/new'

data/test/integration/timeoutable_test.rb

@@ -10,17 +10,16 @@ class SessionTimeoutTest < ActionController::IntegrationTest
     sign_in_as_user
     old_last_request = last_request_at
     assert_not_nil last_request_at
+
     get users_path
     assert_not_nil last_request_at
     assert_not_equal old_last_request, last_request_at
   end
 
   test 'not time out user session before default limit time' do
-    user = sign_in_as_user
-
-    # Setup last_request_at to timeout
-    get edit_user_path(user)
-    assert_not_nil last_request_at
+    sign_in_as_user
+    assert_response :success
+    assert warden.authenticated?(:user)
 
     get users_path
     assert_response :success
@@ -28,12 +27,8 @@ class SessionTimeoutTest < ActionController::IntegrationTest
   end
 
   test 'time out user session after default limit time' do
-    sign_in_as_user
-    assert_response :success
-    assert warden.authenticated?(:user)
-
-    # Setup last_request_at to timeout
-    get new_user_path
+    user = sign_in_as_user
+    get expire_user_path(user)
     assert_not_nil last_request_at
 
     get users_path
@@ -42,15 +37,15 @@ class SessionTimeoutTest < ActionController::IntegrationTest
   end
 
   test 'user configured timeout limit' do
-    swap Devise, :timeout => 8.minutes do
+    swap Devise, :timeout_in => 8.minutes do
       user = sign_in_as_user
 
-      # Setup last_request_at to timeout
-      get edit_user_path(user)
+      get users_path
       assert_not_nil last_request_at
       assert_response :success
       assert warden.authenticated?(:user)
 
+      get expire_user_path(user)
       get users_path
       assert_redirected_to new_user_session_path(:timeout => true)
       assert_not warden.authenticated?(:user)
@@ -61,9 +56,9 @@ class SessionTimeoutTest < ActionController::IntegrationTest
     store_translations :en, :devise => {
       :sessions => { :user => { :timeout => 'Session expired!' } }
     } do
-      sign_in_as_user
-      # Setup last_request_at to timeout
-      get new_user_path
+      user = sign_in_as_user
+
+      get expire_user_path(user)
       get users_path
       follow_redirect!
       assert_contain 'Session expired!'