innetra-easy_authentication 0.1.0

data/generators/easy_authentication/templates/views/users/_user.html.erb

@@ -0,0 +1,4 @@
+<div class="user_actions">
+  <%%= link_to t("users.actions.change_password_link"), edit_user_password_url(current_user) %>&nbsp;|
+  <%%= link_to t("users.actions.logout_link"), logout_url %>
+</div>

data/generators/easy_authentication/templates/views/users/edit.html.erb

@@ -0,0 +1,14 @@
+<%% content_for :header do -%>
+  <%%= stylesheet_link_tag "easy_authentication/users", :media => :all %>
+<%% end -%>
+
+<h1>
+  <div class="title_actions">
+    <%%= link_to t("users.edit.cancel"), @user %>
+  </div>
+  <%%= t("users.edit.title", :full_name => @user.full_name, :login => @user.login) %>
+</h1>
+
+<%% form_for @user do |form| %>
+  <%%= render :partial => form %>
+<%% end %>

data/generators/easy_authentication/templates/views/users/index.html.erb

@@ -0,0 +1,21 @@
+<%% content_for :header do -%>
+  <%%= stylesheet_link_tag "easy_authentication/users", :media => :all %>
+<%% end -%>
+
+<%% content_for :sidebar do -%>
+  <%% shadowbox "users_actions", :class => "sidebar_section" do %>
+    <%%= link_to t("users.index.new_link"), new_user_url %>
+  <%% end %>
+<%% end -%>
+
+<h1><%%= t "users.index.title" %></h1>
+
+<ul>
+  <%% for user in @users -%>
+    <%% content_tag_for(:li, user) do %>
+    <%%= link_to user.full_name, user, :class => "full_name important" %>
+    (<%%= user.login %>)<br />
+    <%%= auto_link user.email %>
+    <%% end %>
+  <%% end -%>
+</ul>

data/generators/easy_authentication/templates/views/users/new.html.erb

@@ -0,0 +1,14 @@
+<%% content_for :header do -%>
+  <%%= stylesheet_link_tag "easy_authentication/users", :media => :all %>
+<%% end -%>
+
+<h1>
+  <div class="title_actions">
+    <%%= link_to t("users.new.cancel"), users_url %>
+  </div>
+  <%%= t "users.new.title" %>
+</h1>
+
+<%% form_for @user do |form| %>
+  <%%= render :partial => form %>
+<%% end %>

data/generators/easy_authentication/templates/views/users/show.html.erb

@@ -0,0 +1,53 @@
+<%% content_for :header do -%>
+  <%%= stylesheet_link_tag "easy_authentication/users", :media => :all %>
+<%% end -%>
+
+<%% content_for :sidebar do -%>
+  <%% shadowbox "user_details", :class => "sidebar_section" do %>
+    <h1>
+      <div class="title_actions">
+        <%%= link_to t("users.show.user_details.edit_link"), edit_user_url(@user) %>
+      </div>
+      <%%= t("users.show.user_details.title") %>
+    </h1>
+    <table>
+      <tr>
+        <td class="label"><%%= t("users.show.user_details.login") %></td>
+        <td><%%= @user.login %></td>
+      </tr>
+      <tr>
+        <td class="label"><%%= t("users.show.user_details.email") %></td>
+        <td><%%= auto_link @user.email %></td>
+      </tr>
+    </table>
+  <%% end %>
+
+  <%% shadowbox "roles_section", :class => "sidebar_section" do %>
+    <h1>
+      <div class="title_actions">
+        <%%= link_to t("users.show.roles_section.edit_link"), edit_user_role_url(@user) %>
+      </div>
+      <%%= t("users.show.roles_section.title") %>
+    </h1>
+    <%% unless @user.roles.blank? -%>
+      <ul>
+        <%% for role in @user.roles -%>
+          <%% content_tag_for(:li, role) do -%>
+            <%%= role.name %>
+          <%% end -%>
+        <%% end -%>
+      </ul>
+    <%% end -%>
+  <%% end %>
+
+  <%% shadowbox "password_section", :class => "sidebar_section" do %>
+    <%%= link_to t("users.show.password_section.edit_link"), edit_user_url(@user) %>
+  <%% end %>
+
+<%% end -%>
+<h1>
+  <div class="title_actions">
+    <%%= link_to t("users.show.back"), users_url %>
+  </div>
+  <%%= @user.full_name %>
+</h1>

data/init.rb

@@ -0,0 +1,5 @@
+require File.dirname(__FILE__) + '/lib/cookie_authentication'
+require File.dirname(__FILE__) + '/lib/password_authentication'
+require File.dirname(__FILE__) + '/lib/user_methods'
+require File.dirname(__FILE__) + '/lib/helper_methods'
+require File.dirname(__FILE__) + '/lib/controller_methods'

data/lib/controller_methods.rb

@@ -0,0 +1,14 @@
+module EasyAuthentication
+  module ControllerMethods
+    def self.included(recipient)
+      recipient.class_eval do
+        # Requires valid user credentials on all actions and controllers
+        before_filter :login_required
+        # Filter password from log
+        filter_parameter_logging :password
+      end
+    end
+  end
+end
+
+ActionController::Base.send :include, EasyAuthentication::ControllerMethods

data/lib/cookie_authentication.rb

@@ -0,0 +1,63 @@
+module EasyAuthentication
+  module CookieAuthentication
+
+    # Mixin
+    def self.included(recipient)
+      recipient.extend(ClassMethods)
+      recipient.class_eval do
+        include InstanceMethods
+      end
+    end
+
+    module ClassMethods
+      def secure_digest(*args)
+        Digest::SHA1.hexdigest(args.flatten.join('--'))
+      end
+
+      def make_token
+        secure_digest(Time.now, (1..10).map{ rand.to_s })
+      end
+    end # ClassMethods
+
+    module InstanceMethods
+      def remember_token?
+        (!remember_token.blank?) &&
+          remember_token_expires_at && (Time.now.utc < remember_token_expires_at.utc)
+      end
+
+      def remember_me
+        remember_me_for 2.weeks
+      end
+
+      def remember_me_for(time)
+        remember_me_until time.from_now.utc
+      end
+
+      def remember_me_until(time)
+        self.remember_token_expires_at = time
+        self.remember_token            = self.class.make_token
+        save(false)
+      end
+
+      # refresh token (keeping same expires_at) if it exists
+      def refresh_token
+        if remember_token?
+          self.remember_token = self.class.make_token
+          save(false)
+        end
+      end
+
+
+      # Deletes the server-side record of the authentication token.  The
+      # client-side (browser cookie) and server-side (this remember_token) must
+      # always be deleted together.
+      def forget_me
+        self.remember_token_expires_at = nil
+        self.remember_token            = nil
+        save(false)
+      end
+
+    end # InstanceMethods
+
+  end # CookieAuthentication
+end # EasyAuthentication

data/lib/helper_methods.rb

@@ -0,0 +1,198 @@
+module EasyAuthentication
+  module HelperMethods
+    protected
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      !!current_user
+    end
+
+    # Accesses the current user from the session.
+    # Future calls avoid the database because nil is not equal to false.
+    def current_user
+      @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
+    end
+
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = new_user ? new_user.id : nil
+      @current_user = new_user || false
+    end
+
+    # Check if the user is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_user.login != "bob"
+    #  end
+    #
+    def authorized?
+      return false if !current_user
+      current_user.authorized?(controller_name, action_name)
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      (logged_in? && authorized?) || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          if current_user.blank?
+            redirect_to login_url
+          else
+            flash[:error] = t("easy_authentication.access_denied")
+            redirect_to :back
+          end
+        end
+        # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+        # Add any other API formats here.  (Some browsers, notably IE6, send Accept: */* and trigger
+        # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
+        # for a workaround.)
+        format.any(:json, :xml) do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.  Set an appropriately modified
+    #   after_filter :store_location, :only => [:index, :new, :show, :edit]
+    # for any controller you want to be bounce-backable.
+    def redirect_back_or_default(default)
+      redirect_to(session[:return_to] || default)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_user and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
+    end
+
+    #
+    # Login
+    #
+
+    # Called from #current_user.  First attempt to login by the user id stored in the session.
+    def login_from_session
+      self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
+    end
+
+    # Called from #current_user.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |login, password|
+        self.current_user = User.authenticate(login, password)
+      end
+    end
+
+    #
+    # Logout
+    #
+
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+    def login_from_cookie
+      user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+      if user && user.remember_token?
+        self.current_user = user
+        handle_remember_cookie! false # freshen cookie token (keeping date)
+        self.current_user
+      end
+    end
+
+    # This is ususally what you want; resetting the session willy-nilly wreaks
+    # havoc with forgery protection, and is only strictly necessary on login.
+    # However, **all session state variables should be unset here**.
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_user.forget_me if @current_user.is_a? User
+      @current_user = false     # not logged in, and don't do it for me
+      kill_remember_cookie!     # Kill client-side auth cookie
+      session[:user_id] = nil   # keeps the session but kill our variable
+      # explicitly kill any other session variables you set
+    end
+
+    # The session should only be reset at the tail end of a form POST --
+    # otherwise the request forgery protection fails. It's only really necessary
+    # when you cross quarantine (logged-out to logged-in).
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+
+    #
+    # Remember_me Tokens
+    #
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    def valid_remember_cookie?
+      return nil unless @current_user
+      (@current_user.remember_token?) &&
+        (cookies[:auth_token] == @current_user.remember_token)
+    end
+
+    # Refresh the cookie auth token if it exists, create it otherwise
+    def handle_remember_cookie!(new_cookie_flag)
+      return unless @current_user
+      case
+      when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
+      when new_cookie_flag        then @current_user.remember_me
+      else                             @current_user.forget_me
+      end
+      send_remember_cookie!
+    end
+
+    def kill_remember_cookie!
+      cookies.delete :auth_token
+    end
+
+    def send_remember_cookie!
+      cookies[:auth_token] = {
+        :value   => @current_user.remember_token,
+        :expires => @current_user.remember_token_expires_at }
+    end
+  end # EasyAuthentication::UserHelper
+end # EasyAuthentication
+
+ActionController::Base.send :include, EasyAuthentication::HelperMethods

data/lib/password_authentication.rb

@@ -0,0 +1,64 @@
+module EasyAuthentication
+  module PasswordAuthentication
+
+    # Mixin
+    def self.included(recipient)
+      recipient.extend(ClassMethods)
+      recipient.class_eval do
+
+        include InstanceMethods
+
+        # Virtual attribute for the unencrypted password
+        attr_accessor :password
+
+        validates_presence_of     :password,                   :if => :password_required?
+        validates_presence_of     :password_confirmation,      :if => :password_required?
+        validates_confirmation_of :password,                   :if => :password_required?
+        validates_length_of       :password, :minimum => 6,    :if => :password_required?
+
+        before_save :encrypt_password
+
+      end
+    end
+
+    module ClassMethods
+      # This provides a modest increased defense against a dictionary attack if
+      # your db were ever compromised, but will invalidate existing passwords.
+      # See the README and the file config/initializers/site_keys.rb
+      #
+      # It may not be obvious, but if you set REST_AUTH_SITE_KEY to nil and
+      # REST_AUTH_DIGEST_STRETCHES to 1 you'll have backwards compatibility with
+      # older versions of restful-authentication.
+      def password_digest(password, salt)
+        digest = AUTH_SITE_KEY
+        AUTH_DIGEST_STRETCHES.times do
+          digest = secure_digest(digest, salt, password, AUTH_SITE_KEY)
+        end
+        digest
+      end
+    end # ClassMethods
+
+    module InstanceMethods
+      # Encrypts the password with the user salt
+      def encrypt(password)
+        self.class.password_digest(password, password_salt)
+      end
+
+      def authenticated?(password)
+        password_hash == encrypt(password)
+      end
+
+      # before filter
+      def encrypt_password
+        return if password.blank?
+        self.password_salt = self.class.make_token if new_record?
+        self.password_hash = encrypt(password)
+      end
+
+      def password_required?
+        password_hash.blank? || (!password.blank? || !current_password.blank?)
+      end
+    end # InstanceMethods
+
+  end # PasswordAuthentication
+end # EasyAuthentication