devise 1.0.5 → 1.0.6

data/CHANGELOG.rdoc

@@ -1,3 +1,12 @@
+== 1.0.6
+
+* bug fix
+  * Do not allow unlockable strategies based on time to access a controller.
+  * Do not send unlockable email several times.
+  * Allow controller to upstram custom! failures to Warden.
+
+== 1.0.5
+
 * bug fix
   * Use prepend_before_filter in require_no_authentication.
   * require_no_authentication on unlockable.

data/Rakefile

@@ -44,10 +44,10 @@ begin
     s.description = "Flexible authentication solution for Rails with Warden"
     s.authors = ['José Valim', 'Carlos Antônio']
     s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "rails/init.rb"]
-    s.add_dependency("warden", "~> 0.10.2")
+    s.add_dependency("warden", "~> 0.10.3")
   end
 
   Jeweler::GemcutterTasks.new
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+  puts "Jeweler, or one of its dependencies, is not available. Install it with: gem install jeweler"
 end

data/app/controllers/sessions_controller.rb

@@ -19,6 +19,8 @@ class SessionsController < ApplicationController
     if resource = authenticate(resource_name)
       set_flash_message :notice, :signed_in
       sign_in_and_redirect(resource_name, resource, true)
+    elsif [:custom, :redirect].include?(warden.result)
+      throw :warden, :scope => resource_name
     else
       set_now_flash_message :alert, (warden.message || :invalid)
       clean_up_passwords(build_resource)

data/app/controllers/unlocks_controller.rb

@@ -1,4 +1,5 @@
 class UnlocksController < ApplicationController
+  prepend_before_filter :ensure_email_as_unlock_strategy
   prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
@@ -31,4 +32,10 @@ class UnlocksController < ApplicationController
       render_with_scope :new
     end
   end
+
+  protected
+
+  def ensure_email_as_unlock_strategy
+    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
+  end
 end

data/generators/devise/templates/migration.rb

@@ -1,7 +1,7 @@
 class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
   def self.up
     create_table(:<%= table_name %>) do |t|
-      t.authenticatable :encryptor => :sha1, :null => false
+      t.database_authenticatable :null => false
       t.confirmable
       t.recoverable
       t.rememberable

data/lib/devise.rb

@@ -29,7 +29,7 @@ module Devise
   ALL = []
 
   # Authentication ones first
-  ALL.push :authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
+  ALL.push :database_authenticatable, :http_authenticatable, :token_authenticatable, :rememberable
 
   # Misc after
   ALL.push :recoverable, :registerable, :validatable
@@ -42,7 +42,7 @@ module Devise
 
   # Maps controller names to devise modules.
   CONTROLLERS = {
-    :sessions => [:authenticatable, :token_authenticatable],
+    :sessions => [:database_authenticatable, :token_authenticatable],
     :passwords => [:recoverable],
     :confirmations => [:confirmable],
     :registrations => [:registerable],
@@ -52,7 +52,7 @@ module Devise
   # Routes for generating url helpers.
   ROUTES = [:session, :password, :confirmation, :registration, :unlock]
 
-  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable]
+  STRATEGIES  = [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable]
 
   TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
 

data/lib/devise/mapping.rb

@@ -103,6 +103,10 @@ module Devise
       end
     end
 
+    def authenticatable?
+      @authenticatable ||= self.for.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
     # Create magic predicates for verifying what module is activated by this map.
     # Example:
     #

data/lib/devise/models.rb

@@ -1,7 +1,7 @@
 module Devise
   module Models
     autoload :Activatable, 'devise/models/activatable'
-    autoload :Authenticatable, 'devise/models/authenticatable'
+    autoload :DatabaseAuthenticatable, 'devise/models/database_authenticatable'
     autoload :Confirmable, 'devise/models/confirmable'
     autoload :Lockable, 'devise/models/lockable'
     autoload :Recoverable, 'devise/models/recoverable'
@@ -57,7 +57,12 @@ module Devise
     #
     def devise(*modules)
       raise "You need to give at least one Devise module" if modules.empty?
-      options  = modules.extract_options!
+      options = modules.extract_options!
+
+      if modules.delete(:authenticatable)
+        ActiveSupport::Deprecation.warn ":authenticatable as module is deprecated. Please give :database_authenticatable instead.", caller
+        modules << :database_authenticatable
+      end
 
       @devise_modules = Devise::ALL & modules.map(&:to_sym).uniq
 

data/lib/devise/models/confirmable.rb

@@ -60,15 +60,9 @@ module Devise
         ::DeviseMailer.deliver_confirmation_instructions(self)
       end
 
-      # Remove confirmation date and send confirmation instructions, to ensure
-      # after sending these instructions the user won't be able to sign in without
-      # confirming it's account
+      # Resend confirmation token. This method does not need to generate a new token.
       def resend_confirmation_token
-        unless_confirmed do
-          generate_confirmation_token
-          save(false)
-          send_confirmation_instructions
-        end
+        unless_confirmed { send_confirmation_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for confirmation

data/lib/devise/models/{authenticatable.rb → database_authenticatable.rb}

@@ -1,4 +1,4 @@
-require 'devise/strategies/authenticatable'
+require 'devise/strategies/database_authenticatable'
 
 module Devise
   module Models
@@ -26,7 +26,7 @@ module Devise
     #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
     #    User.find(1).valid_password?('password123')         # returns true/false
     #
-    module Authenticatable
+    module DatabaseAuthenticatable
       def self.included(base)
         base.class_eval do
           extend ClassMethods
@@ -58,12 +58,6 @@ module Devise
         password_digest(incoming_password) == self.encrypted_password
       end
 
-      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
-      # is the user authentication token.
-      def valid_authentication_token?(incoming_auth_token)
-        incoming_auth_token == self.authentication_token
-      end
-
       # Checks if a resource is valid upon authentication.
       def valid_for_authentication?(attributes)
         valid_password?(attributes[:password])

data/lib/devise/models/lockable.rb

@@ -28,9 +28,10 @@ module Devise
 
       # Lock an user setting it's locked_at to actual time.
       def lock_access!
+        return true if access_locked?
         self.locked_at = Time.now
 
-        if unlock_strategy_enabled?(:email)
+        if self.class.unlock_strategy_enabled?(:email)
           generate_unlock_token
           send_unlock_instructions
         end
@@ -60,11 +61,7 @@ module Devise
 
       # Resend the unlock instructions if the user is locked.
       def resend_unlock_token
-        if_access_locked do
-          generate_unlock_token unless unlock_token.present?
-          save(false)
-          send_unlock_instructions
-        end
+        if_access_locked { send_unlock_instructions }
       end
 
       # Overwrites active? from Devise::Models::Activatable for locking purposes
@@ -87,10 +84,7 @@ module Devise
           self.failed_attempts = 0
         else
           self.failed_attempts += 1
-          if failed_attempts > self.class.maximum_attempts
-            lock_access! 
-            return false
-          end
+          lock_access! if failed_attempts > self.class.maximum_attempts
         end
         save(false) if changed?
         result
@@ -105,7 +99,7 @@ module Devise
 
         # Tells if the lock is expired if :time unlock strategy is active
         def lock_expired?
-          if unlock_strategy_enabled?(:time)
+          if self.class.unlock_strategy_enabled?(:time)
             locked_at && locked_at < self.class.unlock_in.ago
           else
             false
@@ -123,11 +117,6 @@ module Devise
           end
         end
 
-        # Is the unlock enabled for the given unlock strategy?
-        def unlock_strategy_enabled?(strategy)
-          [:both, strategy].include?(self.class.unlock_strategy)
-        end
-
       module ClassMethods
         # Attempt to find a user by it's email. If a record is found, send new
         # unlock instructions to it. If not user is found, returns a new user
@@ -149,6 +138,11 @@ module Devise
           lockable
         end
 
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.unlock_strategy)
+        end
+
         Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
       end
     end

data/lib/devise/rails/routes.rb

@@ -97,7 +97,7 @@ module ActionController::Routing
 
       protected
 
-        def authenticatable(routes, mapping)
+        def database_authenticatable(routes, mapping)
           routes.with_options(:controller => 'sessions', :name_prefix => nil) do |session|
             session.send(:"new_#{mapping.name}_session",     mapping.path_names[:sign_in],  :action => 'new',     :conditions => { :method => :get })
             session.send(:"#{mapping.name}_session",         mapping.path_names[:sign_in],  :action => 'create',  :conditions => { :method => :post })

data/lib/devise/schema.rb

@@ -3,41 +3,48 @@ module Devise
   # and overwrite the apply_schema method.
   module Schema
 
+    def authenticatable(*args)
+      ActiveSupport::Deprecation.warn "t.authenticatable in migrations is deprecated. Please use t.database_authenticatable instead.", caller
+      database_authenticatable(*args)
+    end
+
     # Creates email, encrypted_password and password_salt.
     #
     # == Options
     # * :null - When true, allow columns to be null.
-    # * :encryptor - The encryptor going to be used, necessary for setting the proper encrypter password length.
-    def authenticatable(options={})
-      null      = options[:null] || false
-      default   = options[:default]
-      encryptor = options[:encryptor] || (respond_to?(:encryptor) ? self.encryptor : :sha1)
+    def database_authenticatable(options={})
+      null    = options[:null] || false
+      default = options[:default] || ""
+
+      if options.delete(:encryptor)
+        ActiveSupport::Deprecation.warn ":encryptor as option is deprecated, simply remove it."
+      end
 
       apply_schema :email,              String, :null => null, :default => default
-      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => Devise::ENCRYPTORS_LENGTH[encryptor]
+      apply_schema :encrypted_password, String, :null => null, :default => default, :limit => 128
       apply_schema :password_salt,      String, :null => null, :default => default
     end
 
     # Creates authentication_token.
     def token_authenticatable
-      apply_schema :authentication_token, String, :limit => 20
+      apply_schema :authentication_token, String
     end
 
     # Creates confirmation_token, confirmed_at and confirmation_sent_at.
     def confirmable
-      apply_schema :confirmation_token,   String, :limit => 20
+      apply_schema :confirmation_token,   String
       apply_schema :confirmed_at,         DateTime
       apply_schema :confirmation_sent_at, DateTime
     end
 
     # Creates reset_password_token.
     def recoverable
-      apply_schema :reset_password_token, String, :limit => 20
+      apply_schema :reset_password_token, String
     end
 
     # Creates remember_token and remember_created_at.
     def rememberable
-      apply_schema :remember_token,      String, :limit => 20
+      apply_schema :remember_token,      String
       apply_schema :remember_created_at, DateTime
     end
 
@@ -54,7 +61,7 @@ module Devise
     # Creates failed_attempts, unlock_token and locked_at
     def lockable
       apply_schema :failed_attempts, Integer, :default => 0
-      apply_schema :unlock_token,    String,  :limit => 20
+      apply_schema :unlock_token,    String
       apply_schema :locked_at,       DateTime
     end
 

data/lib/devise/strategies/{authenticatable.rb → database_authenticatable.rb}

@@ -4,7 +4,7 @@ module Devise
   module Strategies
     # Default strategy for signing in a user, based on his email and password.
     # Redirects to sign_in page if it's not authenticated
-    class Authenticatable < Base
+    class DatabaseAuthenticatable < Base
       def valid?
         valid_controller? && valid_params? && mapping.to.respond_to?(:authenticate)
       end
@@ -16,7 +16,7 @@ module Devise
         if resource = mapping.to.authenticate(params[scope])
           success!(resource)
         else
-          fail!(:invalid)
+          fail(:invalid)
         end
       end
 
@@ -33,4 +33,4 @@ module Devise
   end
 end
 
-Warden::Strategies.add(:authenticatable, Devise::Strategies::Authenticatable)
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.0.5".freeze
+  VERSION = "1.0.6".freeze
 end

data/test/devise_test.rb

@@ -25,7 +25,7 @@ class DeviseTest < ActiveSupport::TestCase
     Devise.configure_warden(config)
 
     assert_equal Devise::FailureApp, config.failure_app
-    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :authenticatable], config.default_strategies
+    assert_equal [:rememberable, :http_authenticatable, :token_authenticatable, :database_authenticatable], config.default_strategies
     assert_equal :user, config.default_scope
     assert config.silence_missing_strategies?
   end

data/test/integration/lockable_test.rb

@@ -36,6 +36,16 @@ class LockTest < ActionController::IntegrationTest
     assert_equal 0, ActionMailer::Base.deliveries.size
   end
 
+  test 'unlocked pages should not be available if email strategy is disabled' do
+    visit new_user_unlock_path
+    assert_response :success
+
+    swap Devise, :unlock_strategy => :time do
+      visit new_user_unlock_path
+      assert_response :not_found
+    end
+  end
+
   test 'user with invalid unlock token should not be able to unlock an account' do
     visit_user_unlock_with_token('invalid_token')
 
@@ -60,7 +70,6 @@ class LockTest < ActionController::IntegrationTest
   test "sign in user automatically after unlocking it's account" do
     user = create_user(:locked => true)
     visit_user_unlock_with_token(user.unlock_token)
-
     assert warden.authenticated?(:user)
   end
 
@@ -71,6 +80,16 @@ class LockTest < ActionController::IntegrationTest
     assert_not warden.authenticated?(:user)
   end
 
+  test "user should not send a new e-mail if already locked" do
+    user = create_user(:locked => true)
+    user.update_attribute(:failed_attempts, User.maximum_attempts + 1)
+    ActionMailer::Base.deliveries.clear
+
+    sign_in_as_user(:password => "invalid")
+    assert_contain 'Invalid email or password.'
+    assert ActionMailer::Base.deliveries.empty?
+  end
+
   test 'error message is configurable by resource name' do
     store_translations :en, :devise => {
       :sessions => { :admin => { :locked => "You are locked!" } }

data/test/integration/rack_middleware_test.rb

@@ -0,0 +1,47 @@
+require "test/test_helper"
+require "rack/test"
+
+class RackMiddlewareTest < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def app
+    ActionController::Dispatcher.new
+  end
+
+  def warden
+    last_request.env['warden']
+  end
+
+  def with_custom_strategy
+    get '/'
+
+    Warden::Strategies.add(:custom_test) do
+      def valid?
+        true
+      end
+
+      def authenticate!
+        custom! [599, {
+            "X-Custom-Response" => "Custom response test",
+            "Content-type" => "text/plain"
+          }, "Custom response test"]
+      end
+    end
+
+    #ActionController::Dispatcher.middleware.use CustomStrategyInterceptor
+    default_strategies = warden.manager.config.default_strategies
+    warden.manager.config.default_strategies :custom_test
+    yield
+    warden.manager.config.default_strategies default_strategies
+  end
+
+  def test_custom_strategy_response
+    with_custom_strategy do
+      post('/users/sign_in')
+
+      assert_equal 599, last_response.status
+      assert_equal "Custom response test", last_response.body
+      assert_equal "Custom response test", last_response.headers["X-Custom-Response"]
+    end
+  end
+end

data/test/models/confirmable_test.rb

@@ -11,15 +11,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil create_user.confirmation_token
   end
 
-  test 'should regenerate confirmation token each time' do
-    user = create_user
-    3.times do
-      token = user.confirmation_token
-      user.resend_confirmation_token
-      assert_not_equal token, user.confirmation_token
-    end
-  end
-
   test 'should never generate the same confirmation token for different users' do
     confirmation_tokens = []
     3.times do
@@ -137,13 +128,6 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_equal 'not found', confirmation_user.errors[:email]
   end
 
-  test 'should generate a confirmation token before send the confirmation instructions email' do
-    user = create_user
-    token = user.confirmation_token
-    confirmation_user = User.send_confirmation_instructions(:email => user.email)
-    assert_not_equal token, user.reload.confirmation_token
-  end
-
   test 'should send email instructions for the user confirm it\'s email' do
     user = create_user
     assert_email_sent do

data/test/models/lockable_test.rb

@@ -36,7 +36,7 @@ class LockableTest < ActiveSupport::TestCase
     assert_equal 0, user.reload.failed_attempts
   end
 
-  test "should verify wheter a user is locked or not" do
+  test "should verify whether a user is locked or not" do
     user = create_user
     assert_not user.access_locked?
     user.lock_access!
@@ -63,6 +63,14 @@ class LockableTest < ActiveSupport::TestCase
     assert 0, user.reload.failed_attempts
   end
 
+  test "should not lock a locked account" do
+    user = create_user
+    user.lock_access!
+    assert_no_difference "ActionMailer::Base.deliveries.size" do
+      user.lock_access!
+    end
+  end
+
   test 'should not unlock an unlocked user' do
     user = create_user
 
@@ -101,16 +109,6 @@ class LockableTest < ActiveSupport::TestCase
     assert_not_nil user.unlock_token
   end
 
-  test 'should not regenerate unlock token if it already exists' do
-    user = create_user
-    user.lock!
-    3.times do
-      token = user.unlock_token
-      user.resend_unlock_token
-      assert_equal token, user.unlock_token
-    end
-  end
-
   test "should never generate the same unlock token for different users" do
     unlock_tokens = []
     3.times do

data/test/models_test.rb

@@ -23,12 +23,12 @@ class ActiveRecordTest < ActiveSupport::TestCase
   end
 
   test 'add modules cherry pick' do
-    assert_include_modules Admin, :authenticatable, :registerable, :timeoutable
+    assert_include_modules Admin, :database_authenticatable, :registerable, :timeoutable
   end
 
   test 'order of module inclusion' do
-    correct_module_order   = [:authenticatable, :registerable, :timeoutable]
-    incorrect_module_order = [:authenticatable, :timeoutable, :registerable]
+    correct_module_order   = [:database_authenticatable, :registerable, :timeoutable]
+    incorrect_module_order = [:database_authenticatable, :timeoutable, :registerable]
 
     assert_include_modules Admin, *incorrect_module_order
 

data/test/support/integration_tests_helper.rb

@@ -32,7 +32,7 @@ class ActionController::IntegrationTest
     user = create_user(options)
     visit new_user_session_path unless options[:visit] == false
     fill_in 'email', :with => 'user@test.com'
-    fill_in 'password', :with => '123456'
+    fill_in 'password', :with => options[:password] || '123456'
     check 'remember me' if options[:remember_me] == true
     yield if block_given?
     click_button 'Sign In'

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 1
   - 0
-  - 5
-  version: 1.0.5
+  - 6
+  version: 1.0.6
 platform: ruby
 authors: 
 - "Jos\xC3\xA9 Valim"
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-03-26 00:00:00 +01:00
+date: 2010-04-03 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -28,8 +28,8 @@ dependencies:
         segments: 
         - 0
         - 10
-        - 2
-        version: 0.10.2
+        - 3
+        version: 0.10.3
   type: :runtime
   version_requirements: *id001
 description: Flexible authentication solution for Rails with Warden
@@ -95,8 +95,8 @@ files:
 - lib/devise/mapping.rb
 - lib/devise/models.rb
 - lib/devise/models/activatable.rb
-- lib/devise/models/authenticatable.rb
 - lib/devise/models/confirmable.rb
+- lib/devise/models/database_authenticatable.rb
 - lib/devise/models/http_authenticatable.rb
 - lib/devise/models/lockable.rb
 - lib/devise/models/recoverable.rb
@@ -113,8 +113,8 @@ files:
 - lib/devise/rails/routes.rb
 - lib/devise/rails/warden_compat.rb
 - lib/devise/schema.rb
-- lib/devise/strategies/authenticatable.rb
 - lib/devise/strategies/base.rb
+- lib/devise/strategies/database_authenticatable.rb
 - lib/devise/strategies/http_authenticatable.rb
 - lib/devise/strategies/rememberable.rb
 - lib/devise/strategies/token_authenticatable.rb
@@ -162,6 +162,7 @@ test_files:
 - test/integration/confirmable_test.rb
 - test/integration/http_authenticatable_test.rb
 - test/integration/lockable_test.rb
+- test/integration/rack_middleware_test.rb
 - test/integration/recoverable_test.rb
 - test/integration/registerable_test.rb
 - test/integration/rememberable_test.rb