devise_invalidatable 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f92232200260dbb1d0e4052ad0e17a6d7e6fdc6c
+  data.tar.gz: 925c9619e77588dddb81a9e94dfd5834c0c5277a
+SHA512:
+  metadata.gz: 0ce8619f19ff1f1a5e5c9988273f318b4902920f7f473e09feb9b20bbc1187c38ed57bdfe9ca74a0b2181a74d2b6db95602a1a5c2aa5654515d6e9fcd98d9ea3
+  data.tar.gz: c336ff382bc2a9cf22e2d71c43476967f3f778d365453757d78044c4b4ccd6dccf65c5cbe3be1675ed00a1b000c58a405ce151d68207b625ec4bce2af9ee6e3a

data/lib/devise_invalidatable.rb

@@ -0,0 +1,16 @@
+unless defined?(Devise)
+  require 'devise'
+end
+require 'devise_invalidatable'
+
+Devise.add_module(:invalidatable,
+                  model: 'devise_invalidatable/model')
+
+module DeviseInvalidatable
+end
+
+class UserSession < ActiveRecord::Base
+  def self.deactivate(session_id)
+    where(session_id: session_id).delete_all
+  end
+end

data/lib/devise_invalidatable/hooks/invalidatable.rb

@@ -0,0 +1,25 @@
+# After authenticating, we’re removing any session activation that may already
+# exist, and creating a new session# activation. We generate our own random id
+# (in User#activate_session) and store it in the auth_id key. There is already
+# a session_id key, but the session gets renewed (and the session id changes)
+# after authentication in order to avoid session fixation attacks. So it’s
+# easier to just use our own id.
+Warden::Manager.after_set_user except: :fetch do |user, warden, _|
+  UserSession.deactivate(warden.raw_session['auth_id'])
+  warden.raw_session['auth_id'] = user.activate_session
+end
+
+# After fetching a user from the session, we check that the session is marked
+# as active for that user. If it’s not we log the user out.
+Warden::Manager.after_fetch do |user, warden, _|
+  unless user.session_active?(warden.raw_session['auth_id'])
+    warden.logout
+    throw :warden, message: :unauthenticated
+  end
+end
+
+# When logging out, we deactivate the current session. This ensures that the
+# session cookie can’t be reused afterwards.
+Warden::Manager.before_logout do |_, warden, _|
+  UserSession.deactivate(warden.raw_session['auth_id'])
+end

data/lib/devise_invalidatable/model.rb

@@ -0,0 +1,37 @@
+require 'devise_invalidatable/hooks/invalidatable'
+
+module Devise
+  module Models
+    module Invalidatable
+      extend ActiveSupport::Concern
+
+      included do
+        has_many :user_sessions,
+                 class_name: 'UserSession',
+                 foreign_key: :user_id,
+                 dependent: :destroy
+      end
+
+      def activate_session
+        new_session = user_sessions.new
+        new_session.session_id = SecureRandom.hex(127)
+        new_session.save
+        purge_old_sessions
+        new_session.session_id
+      end
+
+      def exclusive_session(session_id)
+        user_sessions.where('session_id != ?', session_id).delete_all
+      end
+
+      def session_active?(session_id)
+        user_sessions.where(session_id: session_id).exists?
+      end
+
+      def purge_old_sessions
+        user_sessions.order('created_at desc').offset(10).destroy_all
+      end
+
+    end
+  end
+end

data/lib/devise_invalidatable/version.rb

@@ -0,0 +1,3 @@
+module DeviseInvalidatable
+  VERSION = '0.0.1'.freeze
+end

data/lib/generators/devise_invalidatable/devise_invalidatable_generator.rb

@@ -0,0 +1,36 @@
+require 'rails/generators'
+
+class DeviseInvalidatableGenerator < Rails::Generators::NamedBase
+  include Rails::Generators::Migration
+
+  desc 'Creates a migration to add the required attributes to NAME, and adds' \
+       'the necessary Devise directives to the model'
+
+  def self.source_root
+    @_devise_source_root ||= File.expand_path('../templates', __FILE__)
+  end
+
+  def self.next_migration_number(dirname)
+    if ActiveRecord::Base.timestamped_migrations
+      Time.now.utc.strftime('%Y%m%d%H%M%S')
+    else
+      '%.3d' % (current_migration_number(dirname) + 1)
+    end
+  end
+
+  def create_migration_file
+    migration_template 'migration.rb', 'db/migrate/devise_create_user_sessions.rb'
+  end
+
+  def inject_devise_directives_into_model
+    model_path = File.join('app', 'models', "#{file_path}.rb")
+    class_path = namespaced? ? class_name.to_s.split('::') : [class_name]
+    indent_depth = class_path.size
+
+    content = ['devise :invalidatable']
+    content = content.map { |line| '  ' * indent_depth + line }.join("\n") << "\n"
+
+    inject_into_class(model_path, class_path.last, content)
+  end
+
+end

data/lib/generators/devise_invalidatable/templates/migration.rb

@@ -0,0 +1,18 @@
+class DeviseCreateUserSessions < ActiveRecord::Migration
+  @@table_name = :user_sessions
+  @@column_name = :user_id
+
+  def up
+    create_table @@table_name do |t|
+      t.integer @@column_name
+      t.string :session_id
+      t.timestamps
+    end
+    add_index(@@table_name, @@column_name)
+    add_index(@@table_name, :session_id, unique: true)
+  end
+
+  def down
+    drop_table(@@table_name)
+  end
+end

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: devise_invalidatable
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Michael Adkins
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-09-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Adds the ability to invalidate a session with Devise
+email: mdadki@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/devise_invalidatable.rb
+- lib/devise_invalidatable/hooks/invalidatable.rb
+- lib/devise_invalidatable/model.rb
+- lib/devise_invalidatable/version.rb
+- lib/generators/devise_invalidatable/devise_invalidatable_generator.rb
+- lib/generators/devise_invalidatable/templates/migration.rb
+homepage: https://github.com/madkins/devise_invalidatable
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Adds the ability to invalidate a session with Devise
+test_files: []