expertiza-authlogic 2.1.6.1

data/lib/authlogic/acts_as_authentic/perishable_token.rb

@@ -0,0 +1,105 @@
+module Authlogic
+  module ActsAsAuthentic
+    # This provides a handy token that is "perishable". Meaning the token is only good for a certain amount of time. This is perfect for
+    # resetting password, confirming accounts, etc. Typically during these actions you send them this token in via their email. Once they
+    # use the token and do what they need to do, that token should expire. Don't worry about maintaining this, changing it, or expiring it
+    # yourself. Authlogic does all of this for you. See the sub modules for all of the tools Authlogic provides to you.
+    module PerishableToken
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+      
+      # Change how the perishable token works.
+      module Config
+        # When using the find_using_perishable_token method the token can expire. If the token is expired, no
+        # record will be returned. Use this option to specify how long the token is valid for.
+        #
+        # * <tt>Default:</tt> 10.minutes
+        # * <tt>Accepts:</tt> Fixnum
+        def perishable_token_valid_for(value = nil)
+          rw_config(:perishable_token_valid_for, (!value.nil? && value.to_i) || value, 10.minutes.to_i)
+        end
+        alias_method :perishable_token_valid_for=, :perishable_token_valid_for
+        
+        # Authlogic tries to expire and change the perishable token as much as possible, without comprising
+        # it's purpose. This is for security reasons. If you want to manage it yourself, you can stop
+        # Authlogic from getting your in way by setting this to true.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def disable_perishable_token_maintenance(value = nil)
+          rw_config(:disable_perishable_token_maintenance, value, false)
+        end
+        alias_method :disable_perishable_token_maintenance=, :disable_perishable_token_maintenance
+      end
+      
+      # All methods relating to the perishable token.
+      module Methods
+        def self.included(klass)
+          return if !klass.column_names.include?("perishable_token")
+          
+          klass.class_eval do
+            extend ClassMethods
+            include InstanceMethods
+            
+            validates_uniqueness_of :perishable_token, :if => :perishable_token_changed?
+            before_save :reset_perishable_token, :unless => :disable_perishable_token_maintenance?
+          end
+        end
+        
+        # Class level methods for the perishable token
+        module ClassMethods
+          # Use this methdo to find a record with a perishable token. This method does 2 things for you:
+          #
+          # 1. It ignores blank tokens
+          # 2. It enforces the perishable_token_valid_for configuration option.
+          #
+          # If you want to use a different timeout value, just pass it as the second parameter:
+          #
+          #   User.find_using_perishable_token(token, 1.hour)
+          def find_using_perishable_token(token, age = self.perishable_token_valid_for)
+            return if token.blank?
+            age = age.to_i
+            
+            conditions_sql = "perishable_token = ?"
+            conditions_subs = [token]
+            
+            if column_names.include?("updated_at") && age > 0
+              conditions_sql += " and updated_at > ?"
+              conditions_subs << age.seconds.ago
+            end
+            
+            find(:first, :conditions => [conditions_sql, *conditions_subs])
+          end
+          
+          # This method will raise ActiveRecord::NotFound if no record is found.
+          def find_using_perishable_token!(token, age = perishable_token_valid_for)
+            find_using_perishable_token(token, age) || raise(ActiveRecord::RecordNotFound)
+          end
+        end
+        
+        # Instance level methods for the perishable token.
+        module InstanceMethods
+          # Resets the perishable token to a random friendly token.
+          def reset_perishable_token
+            self.perishable_token = Random.friendly_token
+          end
+          
+          # Same as reset_perishable_token, but then saves the record afterwards.
+          def reset_perishable_token!
+            reset_perishable_token
+            save_without_session_maintenance(false)
+          end
+          
+          # A convenience method based on the disable_perishable_token_maintenance configuration option.
+          def disable_perishable_token_maintenance?
+            self.class.disable_perishable_token_maintenance == true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/persistence_token.rb

@@ -0,0 +1,68 @@
+module Authlogic
+  module ActsAsAuthentic
+    # Maintains the persistence token, the token responsible for persisting sessions. This token
+    # gets stores in the session and the cookie.
+    module PersistenceToken
+      def self.included(klass)
+        klass.class_eval do
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+      
+      # Methods for the persistence token.
+      module Methods
+        def self.included(klass)
+          klass.class_eval do
+            extend ClassMethods
+            include InstanceMethods
+            
+            if respond_to?(:after_password_set) && respond_to?(:after_password_verification)
+              after_password_set :reset_persistence_token
+              after_password_verification :reset_persistence_token!, :if => :reset_persistence_token?
+            end
+            
+            validates_presence_of :persistence_token
+            validates_uniqueness_of :persistence_token, :if => :persistence_token_changed?
+            
+            before_validation :reset_persistence_token, :if => :reset_persistence_token?
+          end
+        end
+        
+        # Class level methods for the persistence token.
+        module ClassMethods
+          # Resets ALL persistence tokens in the database, which will require all users to reauthenticate.
+          def forget_all
+            # Paginate these to save on memory
+            records = nil
+            i = 0
+            begin
+              records = find(:all, :limit => 50, :offset => i)
+              records.each { |record| record.forget! }
+              i += 50
+            end while !records.blank?
+          end
+        end
+        
+        # Instance level methods for the persistence token.
+        module InstanceMethods
+          # Resets the persistence_token field to a random hex value.
+          def reset_persistence_token
+            self.persistence_token = Authlogic::Random.hex_token
+          end
+          
+          # Same as reset_persistence_token, but then saves the record.
+          def reset_persistence_token!
+            reset_persistence_token
+            save_without_session_maintenance(false)
+          end
+          alias_method :forget!, :reset_persistence_token!
+          
+          private
+            def reset_persistence_token?
+              persistence_token.blank?
+            end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/restful_authentication.rb

@@ -0,0 +1,76 @@
+module Authlogic
+  module ActsAsAuthentic
+    # This module is responsible for transitioning existing applications from the restful_authentication plugin.
+    module RestfulAuthentication
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+        end
+      end
+      
+      module Config
+        # Switching an existing app to Authlogic from restful_authentication? No problem, just set this true and your users won't know
+        # anything changed. From your database perspective nothing will change at all. Authlogic will continue to encrypt passwords
+        # just like restful_authentication, so your app won't skip a beat. Although, might consider transitioning your users to a newer
+        # and stronger algorithm. Checkout the transition_from_restful_authentication option.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def act_like_restful_authentication(value = nil)
+          r = rw_config(:act_like_restful_authentication, value, false)
+          set_restful_authentication_config if value
+          r
+        end
+        alias_method :act_like_restful_authentication=, :act_like_restful_authentication
+        
+        # If migrating from an password encryption system that prepends the salt to the raw password before hashing, set this to true.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def salt_first(value = nil)
+          r = rw_config(:salt_first, value, false)
+          set_restful_authentication_config if value
+          r
+        end
+        alias_method :salt_first=, :salt_first
+        
+        # This works just like act_like_restful_authentication except that it will start transitioning your users to the algorithm you
+        # specify with the crypto provider option. The next time they log in it will resave their password with the new algorithm
+        # and any new record will use the new algorithm as well. Make sure to update your users table if you are using the default
+        # migration since it will set crypted_password and salt columns to a maximum width of 40 characters which is not enough. 
+        def transition_from_restful_authentication(value = nil)
+          r = rw_config(:transition_from_restful_authentication, value, false)
+          set_restful_authentication_config if value
+          r
+        end
+        alias_method :transition_from_restful_authentication=, :transition_from_restful_authentication
+        
+        private
+          def set_restful_authentication_config
+            crypto_provider_key = act_like_restful_authentication ? :crypto_provider : :transition_from_crypto_providers
+            self.send("#{crypto_provider_key}=", CryptoProviders::Sha1)
+            if !defined?(::REST_AUTH_SITE_KEY) || ::REST_AUTH_SITE_KEY.nil?
+              class_eval("::REST_AUTH_SITE_KEY = ''") if !defined?(::REST_AUTH_SITE_KEY)
+              CryptoProviders::Sha1.stretches = 1
+            end
+          end
+      end
+      
+      module InstanceMethods
+        private
+          def act_like_restful_authentication?
+            self.class.act_like_restful_authentication == true
+          end
+          
+          def transition_from_restful_authentication?
+            self.class.transition_from_restful_authentication == true
+          end
+
+          def salt_first?
+            self.class.salt_first == true
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -0,0 +1,139 @@
+module Authlogic
+  module ActsAsAuthentic
+    # This is one of my favorite features that I think is pretty cool. It's things like this that make a library great
+    # and let you know you are on the right track.
+    #
+    # Just to clear up any confusion, Authlogic stores both the record id and the persistence token in the session.
+    # Why? So stale sessions can not be persisted. It stores the id so it can quickly find the record, and the
+    # persistence token to ensure no sessions are stale. So if the persistence token changes, the user must log
+    # back in.
+    #
+    # Well, the persistence token changes with the password. What happens if the user changes his own password?
+    # He shouldn't have to log back in, he's the one that made the change.
+    #
+    # That being said, wouldn't it be nice if their session and cookie information was automatically updated?
+    # Instead of cluttering up your controller with redundant session code. The same thing goes for new
+    # registrations.
+    #
+    # That's what this module is all about. This will automatically maintain the cookie and session values as
+    # records are saved.
+    module SessionMaintenance
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+      
+      module Config
+        # This is more of a convenience method. In order to turn off automatic maintenance of sessions just
+        # set this to false, or you can also set the session_ids method to a blank array. Both accomplish
+        # the same thing. This method is a little clearer in it's intentions though.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def maintain_sessions(value = nil)
+          rw_config(:maintain_sessions, value, true)
+        end
+        alias_method :maintain_sessions=, :maintain_sessions
+        
+        # As you may know, authlogic sessions can be separate by id (See Authlogic::Session::Base#id). You can
+        # specify here what session ids you want auto maintained. By default it is the main session, which has
+        # an id of nil.
+        #
+        # * <tt>Default:</tt> [nil]
+        # * <tt>Accepts:</tt> Array
+        def session_ids(value = nil)
+          rw_config(:session_ids, value, [nil])
+        end
+        alias_method :session_ids=, :session_ids
+        
+        # The name of the associated session class. This is inferred by the name of the model.
+        #
+        # * <tt>Default:</tt> "#{klass.name}Session".constantize
+        # * <tt>Accepts:</tt> Class
+        def session_class(value = nil)
+          const = "#{base_class.name}Session".constantize rescue nil
+          rw_config(:session_class, value, const)
+        end
+        alias_method :session_class=, :session_class
+      end
+      
+      module Methods
+        def self.included(klass)
+          klass.class_eval do
+            before_save :get_session_information, :if => :update_sessions?
+            before_save :maintain_sessions, :if => :update_sessions?
+          end
+        end
+        
+        # Save the record and skip session maintenance all together.
+        def save_without_session_maintenance(*args)
+          self.skip_session_maintenance = true
+          result = save(*args)
+          self.skip_session_maintenance = false
+          result
+        end
+        
+        private
+          def skip_session_maintenance=(value)
+            @skip_session_maintenance = value
+          end
+          
+          def skip_session_maintenance
+            @skip_session_maintenance ||= false
+          end
+          
+          def update_sessions?
+            !skip_session_maintenance && session_class && session_class.activated? && self.class.maintain_sessions == true && !session_ids.blank? && persistence_token_changed?
+          end
+          
+          def get_session_information
+            # Need to determine if we are completely logged out, or logged in as another user
+            @_sessions = []
+            
+            session_ids.each do |session_id|
+              session = session_class.find(session_id, self)
+              @_sessions << session if session && session.record
+            end
+          end
+          
+          def maintain_sessions
+            if @_sessions.empty?
+              create_session
+            else
+              update_sessions
+            end
+          end
+          
+          def create_session
+            # We only want to automatically login into the first session, since this is the main session. The other sessions are sessions
+            # that need to be created after logging into the main session.
+            session_id = session_ids.first
+            session_class.create(*[self, self, session_id].compact)
+
+            return true
+          end
+          
+          def update_sessions
+            # We found sessions above, let's update them with the new info
+            @_sessions.each do |stale_session|
+              next if stale_session.record != self
+              stale_session.unauthorized_record = self
+              stale_session.save
+            end
+
+            return true
+          end
+          
+          def session_ids
+            self.class.session_ids
+          end
+          
+          def session_class
+            self.class.session_class
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -0,0 +1,65 @@
+module Authlogic
+  module ActsAsAuthentic
+    # This module is responsible for maintaining the single_access token. For more information the single access token and how to use it,
+    # see the Authlogic::Session::Params module.
+    module SingleAccessToken
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+      
+      # All configuration for the single_access token aspect of acts_as_authentic.
+      module Config
+        # The single access token is used for authentication via URLs, such as a private feed. That being said,
+        # if the user changes their password, that token probably shouldn't change. If it did, the user would have
+        # to update all of their URLs. So be default this is option is disabled, if you need it, feel free to turn
+        # it on.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def change_single_access_token_with_password(value = nil)
+          rw_config(:change_single_access_token_with_password, value, false)
+        end
+        alias_method :change_single_access_token_with_password=, :change_single_access_token_with_password
+      end
+      
+      # All method, for the single_access token aspect of acts_as_authentic.
+      module Methods
+        def self.included(klass)
+          return if !klass.column_names.include?("single_access_token")
+          
+          klass.class_eval do
+            include InstanceMethods
+            validates_uniqueness_of :single_access_token, :if => :single_access_token_changed?
+            before_validation :reset_single_access_token, :if => :reset_single_access_token?
+            after_password_set(:reset_single_access_token, :if => :change_single_access_token_with_password?) if respond_to?(:after_password_set)
+          end
+        end
+        
+        module InstanceMethods
+          # Resets the single_access_token to a random friendly token.
+          def reset_single_access_token
+            self.single_access_token = Authlogic::Random.friendly_token
+          end
+        
+          # same as reset_single_access_token, but then saves the record.
+          def reset_single_access_token!
+            reset_single_access_token
+            save_without_session_maintenance
+          end
+      
+          protected
+            def reset_single_access_token?
+              single_access_token.blank?
+            end
+          
+            def change_single_access_token_with_password?
+              self.class.change_single_access_token_with_password == true
+            end
+        end
+      end
+    end
+  end
+end