devise_session_expirable 0.1.1 → 0.2.0

data/README.rdoc

@@ -2,7 +2,7 @@
 
 All good things come to an end: At least that's how it's supposed to work.
 
-SessionExpirable is an enhanced version of Devise's +timeoutable+ module
+SessionExpirable is an enhanced version of Devise[https://github.com/plataformatec/devise]'s +timeoutable+ module
 that ensures that no session is allowed to last forever.
 
 Like Devise +timeoutable+, SessionExpirable adds a timestamp to sessions
@@ -20,10 +20,19 @@ never be considered as having timed out.
 In order to prevent the abuse of non-expiring sessions, SessionExpirable
 treats sessions without timestamps as having already expired.
 
-One other difference with +timeoutable+ is that SessionExpirable
-does not support invalidation of authentication tokens from the
-devise +token_authenticatable+ module when a request with a valid
-authentication token is accompanied by an expired session.
+Another difference is that in the case of a timeout, +timeoutable+
+prevents other authentication strategies from being tried, although
+it has custom logic to allow Devise +rememberable+ to work in spite of a
+timed-out session.
+
+SessionExpirable does not allow a timed-out session to interfere with any
+authentication strategies that are configured. One consequence is that
+SessionExpirable does not support invalidation of authentication tokens
+from the Devise +token_authenticatable+ module when a request with a
+valid authentication token is accompanied by an expired session.
+
+One final difference is that SessionExpirable does not invoke the Devise
+FailureApp for requests that do not require authentication.
 
 == Configuration
 

data/VERSION

@@ -1 +1 @@
-0.1.1
+0.2.0

data/devise_session_expirable.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "devise_session_expirable"
-  s.version = "0.1.1"
+  s.version = "0.2.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Riley Lynch"]
-  s.date = "2013-02-16"
+  s.date = "2013-03-11"
   s.description = "devise_session_expirable is an enhanced version of devise's timeoutable module that ensures that no session is allowed to last forever."
   s.email = "oss+expirable@teleological.net"
   s.extra_rdoc_files = [

data/lib/devise_session_expirable.rb

@@ -3,16 +3,11 @@ require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/concern'
 require 'devise'
 
-module Devise #:nodoc:
-
-  mattr_accessor :default_last_request_at
-  @default_last_request_at = nil
-
-  add_module :session_expirable,
-    :model => 'devise_session_expirable/model'
-
-end
+require 'devise_session_expirable/warden_extensions'
+require 'devise_session_expirable/devise_extensions'
 
 module DeviseSessionExpirable #:nodoc:
+  autoload :Delegator,  'devise_session_expirable/delegator'
+  autoload :FailureApp, 'devise_session_expirable/failure_app'
 end
 

data/lib/devise_session_expirable/delegator.rb

@@ -0,0 +1,13 @@
+
+class DeviseSessionExpirable::Delegator < Devise::Delegator
+
+  def failure_app(env)
+    app = env["warden.options"] &&
+      (scope = env["warden.options"][:scope]) &&
+      Devise.mappings[scope.to_sym].failure_app
+
+    app || DeviseSessionExpirable::FailureApp
+  end
+
+end
+

data/lib/devise_session_expirable/devise_extensions.rb

@@ -0,0 +1,38 @@
+
+module Devise #:nodoc:
+
+  mattr_accessor :default_last_request_at
+  @default_last_request_at = nil
+
+  add_module :session_expirable,
+    :model => 'devise_session_expirable/model'
+
+  def self.configure_warden! #:nodoc:
+    warden_config.failure_app   = DeviseSessionExpirable::Delegator.new
+    warden_config.default_scope = Devise.default_scope
+    warden_config.intercept_401 = false
+
+    Devise.mappings.each_value do |mapping|
+      warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
+    end
+
+    @@warden_config_block.try :call, Devise.warden_config
+    true
+  end
+
+  class Mapping #:nodoc:
+
+    private
+
+    def default_failure_app(options)
+      @failure_app = options[:failure_app] || DeviseSessionExpirable::FailureApp
+      if @failure_app.is_a?(String)
+        ref = Devise.ref(@failure_app)
+        @failure_app = lambda { |env| ref.get.call(env) }
+      end
+    end
+
+  end
+
+end
+

data/lib/devise_session_expirable/failure_app.rb

@@ -0,0 +1,21 @@
+
+class DeviseSessionExpirable::FailureApp < Devise::FailureApp
+
+  def redirect_url
+    flash[:timedout] = true if timeout?
+    scope_path
+  end
+
+protected
+
+  def warden_message
+    @message ||=
+      warden.message || warden_options[:message] || (timeout? ? :timeout : nil)
+  end
+
+  def timeout?
+    !! env['devise.timeout']
+  end
+
+end
+

data/lib/devise_session_expirable/hook.rb

@@ -1,40 +1,3 @@
-
-# Each time the user record is fetched from a session, the record is
-# consulted (via +#session_expired?+) to determine if the
-# +last_request_at+ time in the session is valid, or if the session
-# should be considered as having timed out. This validation is not
-# performed if +devise.skip_timeout+ is set in the rack environment.
-#
-# If the session is deemed to have timed out, the record is logged out
-# of the session and a +:timeout+ message is thrown, invoking the
-# +FailureApp+.
-#
-# Unlike the Devise +timeoutable+ module, devise_session_expirable does
-# not support invalidation of authentication tokens from the devise
-# +token_authenticatable+ module when a request with a valid
-# authentication token is accompanied by an expired session.
-
-Warden::Manager.after_fetch do |record, warden, options|
-  scope = options[:scope]
-  env = warden.request.env
-
-  puts "after fetch"
-
-  if record                               &&
-    record.respond_to?(:session_expired?) &&
-    warden.authenticated?(scope)          &&
-    options[:store] != false              &&
-    !env['devise.skip_timeout']
-
-    last_request_at = warden.session(scope)['last_request_at']
-    if record.session_expired?(last_request_at)
-      puts "expired!"
-      warden.logout(scope)
-      throw :warden, :scope => scope, :message => :timeout
-    end
-  end
-end
-
 # Each time the user record is set, the +last_request_at+ time
 # is updated in the scoped session. This update is not performed if
 # devise.skip_trackable is set in the rack environment.
@@ -43,16 +6,12 @@ Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
   env = warden.request.env
 
-  puts "after set_user"
-
   if record                               &&
     record.respond_to?(:session_expired?) &&
     warden.authenticated?(scope)          &&
     options[:store] != false              &&
     !env['devise.skip_trackable']
 
-    puts "reset"
-
     warden.session(scope)['last_request_at'] = Time.now.utc
   end
 end

data/lib/devise_session_expirable/model.rb

@@ -34,11 +34,6 @@ module Devise #:nodoc:
       # is set.
 
       def session_expired?(last_access)
-        puts "last_access #{last_access}"
-        puts "timeout_in #{timeout_in}"
-        puts "deadline #{timeout_in.ago}"
-        puts !timeout_in.nil? && (!last_access || last_access <= timeout_in.ago)
-
         last_access ||= default_last_request_at
         return false if remember_exists_and_not_expired?
         !timeout_in.nil? && (!last_access || last_access <= timeout_in.ago)

data/lib/devise_session_expirable/warden_extensions.rb

@@ -0,0 +1,46 @@
+
+# Each time the user record is fetched from a session, the record is
+# consulted (via +#session_expired?+) to determine if the
+# +last_request_at+ time in the session is valid, or if the session
+# should be considered as having timed out. If the session is deemed
+# to have timed out, the record is disregarded.
+#
+# Unlike the Devise +timeoutable+ module, devise_session_expirable does
+# not support invalidation of authentication tokens from the devise
+# +token_authenticatable+ module when a request with a valid
+# authentication token is accompanied by an expired session.
+
+class Warden::SessionSerializer
+
+  def fetch(scope)
+    key = session[key_for(scope)]
+    return nil unless key
+
+    method_name = "#{scope}_deserialize"
+    user = respond_to?(method_name) ? send(method_name, key) : deserialize(key)
+    user = nil unless valid_for_deserialization?(scope, user)
+    delete(scope) unless user
+    user
+  end
+
+  private
+
+  def valid_for_deserialization?(scope, user)
+    ! validate_session_expiration(scope, user)
+  end
+
+  def validate_session_expiration(scope, user)
+    is_expired = false
+    if user && user.respond_to?(:session_expired?)
+      last_request_at = session_for_scope(scope)['last_request_at']
+      is_expired = user.session_expired?(last_request_at)
+    end
+    env['devise.timeout'] = is_expired
+  end
+
+  def session_for_scope(scope)
+    session["warden.user.#{scope}.session"] ||= {}
+  end
+
+end
+

data/test/integration/session_expirable_test.rb

@@ -43,7 +43,7 @@ class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
     get clear_timeout_user_path(user)
 
     get users_path
-    assert_redirected_to users_path
+    assert_redirected_to new_user_session_path
     assert_not warden.authenticated?(:user)
   end
 
@@ -53,27 +53,39 @@ class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
     assert_not_nil last_request_at
 
     get users_path
-    assert_redirected_to users_path
+    assert_redirected_to new_user_session_path
     assert_not warden.authenticated?(:user)
   end
 
-  test 'time out is not triggered on sign out' do
+  test 'sign out when timed out is ignored' do
     user = sign_in_as_user
     get expire_user_path(user)
 
     get destroy_user_session_path
-
     assert_response :redirect
     assert_redirected_to root_path
+    assert_not warden.authenticated?(:user)
     follow_redirect!
-    assert_contain 'Signed out successfully'
+    assert_not_contain 'Signed out successfully'
+  end
+
+  test 'expired session is not extended by sign in page' do
+    user = sign_in_as_user
+    get expire_user_path(user)
+    assert warden.authenticated?(:user)
+
+    get "/users/sign_in"
+    assert_response :success
+    assert_contain 'Sign in'
+    assert_not warden.authenticated?(:user)
   end
 
   test 'time out is not triggered on sign in' do
     user = sign_in_as_user
     get expire_user_path(user)
 
-    post "/users/sign_in", :email => user.email, :password => "123456"
+    post "/users/sign_in",
+      :user => { :email => user.email, :password => "12345678" }
 
     assert_response :redirect
     follow_redirect!
@@ -90,7 +102,7 @@ class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
 
     begin
       get admins_path
-      assert_redirected_to admins_path
+      assert_redirected_to new_admin_session_path
       assert_not warden.authenticated?(:admin)
     ensure
       Admin.send(:remove_method, :reset_authentication_token!)
@@ -108,25 +120,12 @@ class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
 
       get expire_user_path(user)
       get users_path
-      assert_redirected_to users_path
+      assert_redirected_to new_user_session_path
       assert_not warden.authenticated?(:user)
     end
   end
 
   test 'error message with i18n' do
-    store_translations :en, :devise => {
-      :failure => { :user => { :timeout => 'Session expired!' } }
-    } do
-      user = sign_in_as_user
-
-      get expire_user_path(user)
-      get root_path
-      follow_redirect!
-      assert_contain 'Session expired!'
-    end
-  end
-
-  test 'error message with i18n with double redirect' do
     store_translations :en, :devise => {
       :failure => { :user => { :timeout => 'Session expired!' } }
     } do
@@ -135,7 +134,6 @@ class SessionExpirableIntegrationTest < ActionDispatch::IntegrationTest
       get expire_user_path(user)
       get users_path
       follow_redirect!
-      follow_redirect!
       assert_contain 'Session expired!'
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_session_expirable
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-16 00:00:00.000000000 Z
+date: 2013-03-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -108,8 +108,12 @@ files:
 - VERSION
 - devise_session_expirable.gemspec
 - lib/devise_session_expirable.rb
+- lib/devise_session_expirable/delegator.rb
+- lib/devise_session_expirable/devise_extensions.rb
+- lib/devise_session_expirable/failure_app.rb
 - lib/devise_session_expirable/hook.rb
 - lib/devise_session_expirable/model.rb
+- lib/devise_session_expirable/warden_extensions.rb
 - test/integration/session_expirable_test.rb
 - test/models/session_expirable_test.rb
 - test/orm/active_record.rb
@@ -168,6 +172,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: 1721273659600446097
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: