devise_session_expirable 0.1.0 → 0.1.1

data/README.rdoc

@@ -25,13 +25,41 @@ does not support invalidation of authentication tokens from the
 devise +token_authenticatable+ module when a request with a valid
 authentication token is accompanied by an expired session.
 
-== Migrating to SessionExpirable
+== Configuration
 
-For a less disruptive migration from sessions without timestamps, it is
-possible to set a +default_last_request_at+ value, which will be used in
-place of the timestamp for sessions which don't have one. After the
-+timeout_in+ interval passes, these legacy sessions will expire and
-the +default_last_request_at+ value can be unset.
+Add +devise_session_expirable+ to your Gemfile:
+
+  gem 'devise_session_expirable'
+
+Include +:session_expirable+ in your devise user model declaration:
+
+  class User < ActiveRecord::Base
+    devise :database_authenticatable, :session_expirable # ...
+  end
+
+Then update the Devise initializer:
+
+  Devise.setup do |config|
+    # ...
+    config.timeout_in = 15.minutes
+    config.default_last_request_at = Time.parse('2013-02-16T00:00:00Z')
+    # ...
+  end
+
+== Migrating from non-expiring sessions
+
+The +default_last_request_at+ option is intended to enable a less
+disruptive migration if sessions without timestamps have already been
+issued. The configured value will be used in place of the timestamp
+for sessions which don't have one.
+
+If +default_last_request_at+ is configured, it should be set to a fixed
+date/time, ideally matching the time of deployment. If set to a dynamic
+time (e.g. Time.now), the lifetime of sessions without timestamps will
+be extended every time Rails is initialized.
+
+After the +timeout_in+ interval passes, any legacy sessions will have
+expired and +default_last_request_at+ can be unset.
 
 == Alternatives
 

data/VERSION

@@ -1 +1 @@
-0.1.0
+0.1.1

data/devise_session_expirable.gemspec

@@ -0,0 +1,106 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "devise_session_expirable"
+  s.version = "0.1.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Riley Lynch"]
+  s.date = "2013-02-16"
+  s.description = "devise_session_expirable is an enhanced version of devise's timeoutable module that ensures that no session is allowed to last forever."
+  s.email = "oss+expirable@teleological.net"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "devise_session_expirable.gemspec",
+    "lib/devise_session_expirable.rb",
+    "lib/devise_session_expirable/hook.rb",
+    "lib/devise_session_expirable/model.rb",
+    "test/integration/session_expirable_test.rb",
+    "test/models/session_expirable_test.rb",
+    "test/orm/active_record.rb",
+    "test/rails_app/Rakefile",
+    "test/rails_app/app/active_record/admin.rb",
+    "test/rails_app/app/active_record/shim.rb",
+    "test/rails_app/app/active_record/user.rb",
+    "test/rails_app/app/controllers/admins/sessions_controller.rb",
+    "test/rails_app/app/controllers/admins_controller.rb",
+    "test/rails_app/app/controllers/application_controller.rb",
+    "test/rails_app/app/controllers/home_controller.rb",
+    "test/rails_app/app/controllers/users_controller.rb",
+    "test/rails_app/app/helpers/application_helper.rb",
+    "test/rails_app/app/views/admins/index.html.erb",
+    "test/rails_app/app/views/admins/sessions/new.html.erb",
+    "test/rails_app/app/views/home/index.html.erb",
+    "test/rails_app/app/views/layouts/application.html.erb",
+    "test/rails_app/app/views/users/index.html.erb",
+    "test/rails_app/app/views/users/sessions/new.html.erb",
+    "test/rails_app/config.ru",
+    "test/rails_app/config/application.rb",
+    "test/rails_app/config/boot.rb",
+    "test/rails_app/config/database.yml",
+    "test/rails_app/config/environment.rb",
+    "test/rails_app/config/environments/development.rb",
+    "test/rails_app/config/environments/production.rb",
+    "test/rails_app/config/environments/test.rb",
+    "test/rails_app/config/initializers/backtrace_silencers.rb",
+    "test/rails_app/config/initializers/devise.rb",
+    "test/rails_app/config/initializers/inflections.rb",
+    "test/rails_app/config/initializers/secret_token.rb",
+    "test/rails_app/config/routes.rb",
+    "test/rails_app/db/migrate/20100401102949_create_tables.rb",
+    "test/rails_app/lib/shared_admin.rb",
+    "test/rails_app/lib/shared_user.rb",
+    "test/rails_app/public/404.html",
+    "test/rails_app/public/422.html",
+    "test/rails_app/public/500.html",
+    "test/rails_app/public/favicon.ico",
+    "test/rails_app/script/rails",
+    "test/support/assertions.rb",
+    "test/support/helpers.rb",
+    "test/support/integration.rb",
+    "test/support/webrat/integrations/rails.rb",
+    "test/test_helper.rb"
+  ]
+  s.homepage = "http://github.com/teleological/devise_session_expirable"
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = "1.8.23"
+  s.summary = "Strict timeouts for devise-authenticated sessions"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<activesupport>, ["~> 3.2.12"])
+      s.add_runtime_dependency(%q<devise>, [">= 2.2.3"])
+      s.add_development_dependency(%q<bundler>, [">= 1.2.4"])
+      s.add_development_dependency(%q<jeweler>, [">= 1.8.4"])
+      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
+    else
+      s.add_dependency(%q<activesupport>, ["~> 3.2.12"])
+      s.add_dependency(%q<devise>, [">= 2.2.3"])
+      s.add_dependency(%q<bundler>, [">= 1.2.4"])
+      s.add_dependency(%q<jeweler>, [">= 1.8.4"])
+      s.add_dependency(%q<rdoc>, ["~> 3.12"])
+    end
+  else
+    s.add_dependency(%q<activesupport>, ["~> 3.2.12"])
+    s.add_dependency(%q<devise>, [">= 2.2.3"])
+    s.add_dependency(%q<bundler>, [">= 1.2.4"])
+    s.add_dependency(%q<jeweler>, [">= 1.8.4"])
+    s.add_dependency(%q<rdoc>, ["~> 3.12"])
+  end
+end
+

data/lib/devise_session_expirable.rb

@@ -0,0 +1,18 @@
+
+require 'active_support/core_ext/module/attribute_accessors'
+require 'active_support/concern'
+require 'devise'
+
+module Devise #:nodoc:
+
+  mattr_accessor :default_last_request_at
+  @default_last_request_at = nil
+
+  add_module :session_expirable,
+    :model => 'devise_session_expirable/model'
+
+end
+
+module DeviseSessionExpirable #:nodoc:
+end
+

data/lib/devise_session_expirable/hook.rb

@@ -0,0 +1,59 @@
+
+# Each time the user record is fetched from a session, the record is
+# consulted (via +#session_expired?+) to determine if the
+# +last_request_at+ time in the session is valid, or if the session
+# should be considered as having timed out. This validation is not
+# performed if +devise.skip_timeout+ is set in the rack environment.
+#
+# If the session is deemed to have timed out, the record is logged out
+# of the session and a +:timeout+ message is thrown, invoking the
+# +FailureApp+.
+#
+# Unlike the Devise +timeoutable+ module, devise_session_expirable does
+# not support invalidation of authentication tokens from the devise
+# +token_authenticatable+ module when a request with a valid
+# authentication token is accompanied by an expired session.
+
+Warden::Manager.after_fetch do |record, warden, options|
+  scope = options[:scope]
+  env = warden.request.env
+
+  puts "after fetch"
+
+  if record                               &&
+    record.respond_to?(:session_expired?) &&
+    warden.authenticated?(scope)          &&
+    options[:store] != false              &&
+    !env['devise.skip_timeout']
+
+    last_request_at = warden.session(scope)['last_request_at']
+    if record.session_expired?(last_request_at)
+      puts "expired!"
+      warden.logout(scope)
+      throw :warden, :scope => scope, :message => :timeout
+    end
+  end
+end
+
+# Each time the user record is set, the +last_request_at+ time
+# is updated in the scoped session. This update is not performed if
+# devise.skip_trackable is set in the rack environment.
+
+Warden::Manager.after_set_user do |record, warden, options|
+  scope = options[:scope]
+  env = warden.request.env
+
+  puts "after set_user"
+
+  if record                               &&
+    record.respond_to?(:session_expired?) &&
+    warden.authenticated?(scope)          &&
+    options[:store] != false              &&
+    !env['devise.skip_trackable']
+
+    puts "reset"
+
+    warden.session(scope)['last_request_at'] = Time.now.utc
+  end
+end
+

data/lib/devise_session_expirable/model.rb

@@ -0,0 +1,77 @@
+
+require 'devise_session_expirable/hook'
+
+module Devise #:nodoc:
+  module Models #:nodoc:
+
+    # SessionExpirable verifies whether a user session has expired
+    # via the +#session_expired?+ method.
+    #
+    # == Options
+    #
+    # SessionExpirable adds the following options to devise_for:
+    #
+    # * +timeout_in+: lifetime in seconds of an inactive user session
+    # * +default_last_request_at+: age to assume for sessions with nil +last_request_at+
+    #
+    # == Examples
+    #
+    #   user.session_expired?(30.minutes.ago)
+    #
+
+    module SessionExpirable
+
+      extend ActiveSupport::Concern
+
+      # Accepts the time a session was last used and compares it
+      # to the oldest valid +last_request_at+ date for a session.
+      # If nil or any other falsy value is passed and the
+      # +default_last_request_at+ option is configured, the configured
+      # value will be used for the comparison.
+      #
+      # Supports the Devise +rememberable+ module by deferring to
+      # +#remember_expired?+ if the +remember_created_at+ attribute
+      # is set.
+
+      def session_expired?(last_access)
+        puts "last_access #{last_access}"
+        puts "timeout_in #{timeout_in}"
+        puts "deadline #{timeout_in.ago}"
+        puts !timeout_in.nil? && (!last_access || last_access <= timeout_in.ago)
+
+        last_access ||= default_last_request_at
+        return false if remember_exists_and_not_expired?
+        !timeout_in.nil? && (!last_access || last_access <= timeout_in.ago)
+      end
+
+      def timeout_in
+        self.class.timeout_in
+      end
+
+      def default_last_request_at
+        self.class.default_last_request_at
+      end
+
+      #:nodoc:
+      def self.required_fields(klass); []; end
+
+      private
+
+      def remember_exists_and_not_expired?
+        return false unless respond_to?(:remember_expired?)
+        remember_created_at && !remember_expired?
+      end
+
+      module ClassMethods #:nodoc:
+
+        Devise::Models.config self,
+          :timeout_in,
+          :default_last_request_at
+
+      end
+
+    end
+
+  end
+end
+

data/test/integration/session_expirable_test.rb

@@ -0,0 +1,152 @@
+require 'test_helper'
+
+class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
+
+  def last_request_at
+    @controller.user_session['last_request_at']
+  end
+
+  test 'set last request at in user session after each request' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    get users_path
+    assert_not_nil last_request_at
+    assert_not_equal old_last_request, last_request_at
+  end
+
+  test 'set last request at in user session after each request is skipped if tracking is disabled' do
+    sign_in_as_user
+    old_last_request = last_request_at
+    assert_not_nil last_request_at
+
+    get users_path, {}, 'devise.skip_trackable' => true
+    assert_equal old_last_request, last_request_at
+  end
+
+  test 'does not time out user session before default limit time' do
+    sign_in_as_user
+    assert_response :success
+    assert warden.authenticated?(:user)
+
+    get users_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+
+  test 'session without last_request_at is not honored' do
+    user = sign_in_as_user
+    assert_response :success
+    assert warden.authenticated?(:user)
+
+    get clear_timeout_user_path(user)
+
+    get users_path
+    assert_redirected_to users_path
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'time out user session after default limit time' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+    assert_not_nil last_request_at
+
+    get users_path
+    assert_redirected_to users_path
+    assert_not warden.authenticated?(:user)
+  end
+
+  test 'time out is not triggered on sign out' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+
+    get destroy_user_session_path
+
+    assert_response :redirect
+    assert_redirected_to root_path
+    follow_redirect!
+    assert_contain 'Signed out successfully'
+  end
+
+  test 'time out is not triggered on sign in' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+
+    post "/users/sign_in", :email => user.email, :password => "123456"
+
+    assert_response :redirect
+    follow_redirect!
+    assert_contain 'You are signed in'
+  end
+
+  test 'admin does not explode on time out' do
+    admin = sign_in_as_admin
+    get expire_admin_path(admin)
+
+    Admin.send :define_method, :reset_authentication_token! do
+      nil
+    end
+
+    begin
+      get admins_path
+      assert_redirected_to admins_path
+      assert_not warden.authenticated?(:admin)
+    ensure
+      Admin.send(:remove_method, :reset_authentication_token!)
+    end
+  end
+
+  test 'user configured timeout limit' do
+    swap Devise, :timeout_in => 8.minutes do
+      user = sign_in_as_user
+
+      get users_path
+      assert_not_nil last_request_at
+      assert_response :success
+      assert warden.authenticated?(:user)
+
+      get expire_user_path(user)
+      get users_path
+      assert_redirected_to users_path
+      assert_not warden.authenticated?(:user)
+    end
+  end
+
+  test 'error message with i18n' do
+    store_translations :en, :devise => {
+      :failure => { :user => { :timeout => 'Session expired!' } }
+    } do
+      user = sign_in_as_user
+
+      get expire_user_path(user)
+      get root_path
+      follow_redirect!
+      assert_contain 'Session expired!'
+    end
+  end
+
+  test 'error message with i18n with double redirect' do
+    store_translations :en, :devise => {
+      :failure => { :user => { :timeout => 'Session expired!' } }
+    } do
+      user = sign_in_as_user
+
+      get expire_user_path(user)
+      get users_path
+      follow_redirect!
+      follow_redirect!
+      assert_contain 'Session expired!'
+    end
+  end
+
+  test 'time out not triggered if remembered' do
+    user = sign_in_as_user :remember_me => true
+    get expire_user_path(user)
+    assert_not_nil last_request_at
+
+    get users_path
+    assert_response :success
+    assert warden.authenticated?(:user)
+  end
+end