jeffrafter-clearance 0.5.4

data/generators/clearance_features/templates/features/sign_out.feature

@@ -0,0 +1,22 @@
+Feature: Sign out
+  To protect my account from unauthorized access
+  A signed in user
+  Should be able to sign out
+  
+    Scenario: User signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "You have been signed out"     
+      And I should not be signed in
+      
+    Scenario: User who was remembered signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in with "remember me" as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "You have been signed out"     
+      And I should not be signed in
+      When I return next time
+      Then I should not be signed in  

data/generators/clearance_features/templates/features/sign_up.feature

@@ -0,0 +1,30 @@
+Feature: Sign up
+  In order to get access to protected sections of the site
+  A user
+  Should be able to sign up
+  
+    Scenario: User signs up with invalid data
+      When I go to the sign up page
+      And I fill in "Email" with "invalidemail"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with ""
+      And I press "Sign Up"
+      Then I should see error messages
+      
+    Scenario: User signs up with valid data
+      When I go to the sign up page
+      And I fill in "Email" with "email@person.com"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with "password"
+      And I press "Sign Up"
+      Then I should see "instructions for confirming"
+      And a confirmation message should be sent to "email@person.com"
+      
+    Scenario: User confirms his account
+      Given I signed up with "email@person.com/password"
+      When I follow the confirmation link sent to "email@person.com"
+      Then I should see "Confirmed email and signed in"
+      And I should be signed in      
+      
+      
+      

data/generators/clearance_features/templates/features/step_definitions/clearance_steps.rb

@@ -0,0 +1,110 @@
+# General
+
+Then /^I should see error messages$/ do
+  Then %{I should see "error(s)? prohibited"}
+end
+
+# Database
+
+Given /^no user exists with an email of "(.*)"$/ do |email|
+  assert_nil User.find_by_email(email)
+end
+
+Given /^I signed up with "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :user, 
+    :email                 => email, 
+    :password              => password,
+    :password_confirmation => password
+end 
+
+Given /^I am signed up and confirmed as "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :email_confirmed_user,
+    :email                 => email, 
+    :password              => password,
+    :password_confirmation => password
+end
+
+# Session
+
+Then /^I should be signed in$/ do
+  assert_not_nil request.session[:user_id]
+end
+
+Then /^I should not be signed in$/ do
+  assert_nil request.session[:user_id]
+end
+
+When /^session is cleared$/ do
+  request.session[:user_id] = nil
+end
+
+# Emails
+
+Then /^a confirmation message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /confirm/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the confirmation link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit new_user_confirmation_path(:user_id => user, :token => user.token)
+end
+
+Then /^a password reset message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /password/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the password reset link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user, :token => user.token)
+end
+
+When /^I try to change the password of "(.*)" without token$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user)
+end
+
+Then /^I should be forbidden$/ do
+  assert_response :forbidden
+end
+
+
+# Actions
+
+When /^I sign in( with "remember me")? as "(.*)\/(.*)"$/ do |remember, email, password|
+  When %{I go to the sign in page}
+  And %{I fill in "Email" with "#{email}"}
+  And %{I fill in "Password" with "#{password}"}
+  And %{I check "Remember me"} if remember
+  And %{I press "Sign In"}
+end
+
+When /^I sign out$/ do
+  visit '/session', :delete
+end
+
+When /^I request password reset link to be sent to "(.*)"$/ do |email|
+  When %{I go to the password reset request page}
+  And %{I fill in "Email address" with "#{email}"}
+  And %{I press "Reset password"}
+end
+
+When /^I update my password with "(.*)\/(.*)"$/ do |password, confirmation|
+  And %{I fill in "Choose password" with "#{password}"}
+  And %{I fill in "Confirm password" with "#{confirmation}"}
+  And %{I press "Save this password"}
+end
+
+When /^I return next time$/ do
+  When %{session is cleared}
+  And %{I go to the homepage}
+end

data/generators/clearance_features/templates/features/step_definitions/factory_girl_steps.rb

@@ -0,0 +1,5 @@
+Factory.factories.each do |name, factory|
+  Given /^an? #{name} exists with an? (.*) of "([^"]*)"$/ do |attr, value|
+    Factory(name, attr.gsub(' ', '_') => value)
+  end
+end

data/generators/clearance_features/templates/features/support/paths.rb

@@ -0,0 +1,25 @@
+module NavigationHelpers
+  def path_to(page_name)
+    case page_name
+    
+    when /the homepage/i
+      root_path
+    when /the sign up page/i
+      new_user_path
+    when /the sign in page/i
+      new_session_path
+    when /the password reset request page/i
+      new_password_path
+    
+    # Add more page name => path mappings here
+    
+    else
+      raise "Can't find mapping from \"#{page_name}\" to a path."
+    end
+  end
+end
+ 
+World do |world|
+  world.extend NavigationHelpers
+  world
+end

data/lib/clearance.rb

@@ -0,0 +1,15 @@
+require 'clearance/lib/extensions/errors'
+require 'clearance/lib/extensions/rescue'
+require 'clearance/app/controllers/application_controller'
+require 'clearance/app/controllers/confirmations_controller'
+require 'clearance/app/controllers/passwords_controller'
+require 'clearance/app/controllers/sessions_controller'
+require 'clearance/app/controllers/users_controller'
+require 'clearance/app/models/clearance_mailer'
+require 'clearance/app/models/user'
+require 'clearance/test/functional/confirmations_controller_test'
+require 'clearance/test/functional/passwords_controller_test'
+require 'clearance/test/functional/sessions_controller_test'
+require 'clearance/test/functional/users_controller_test'
+require 'clearance/test/unit/clearance_mailer_test'
+require 'clearance/test/unit/user_test'

data/lib/clearance/app/controllers/application_controller.rb

@@ -0,0 +1,84 @@
+module Clearance
+  module App
+    module Controllers
+      module ApplicationController
+
+        def self.included(controller)
+          controller.send(:include, InstanceMethods)
+
+          controller.class_eval do
+            helper_method :current_user
+            helper_method :signed_in?
+
+            hide_action :current_user, :signed_in?
+          end
+        end
+
+        module InstanceMethods
+          def current_user
+            @_current_user ||= (user_from_cookie || user_from_session)
+          end
+
+          def signed_in?
+            ! current_user.nil?
+          end
+
+          protected
+
+          def authenticate
+            deny_access unless signed_in?
+          end
+
+          def user_from_session
+            if session[:user_id]
+              return nil  unless user = User.find_by_id(session[:user_id])
+              return user if     user.email_confirmed?
+            end
+          end
+
+          def user_from_cookie
+            if token = cookies[:remember_token]
+              return nil  unless user = User.find_by_token(token)
+              return user if     user.remember?
+            end
+          end
+
+          def sign_user_in(user)
+            sign_in(user)
+          end
+
+          def sign_in(user)
+            if user
+              session[:user_id] = user.id
+            end
+          end
+
+          def redirect_back_or(default)
+            session[:return_to] ||= params[:return_to]
+            if session[:return_to]
+              redirect_to(session[:return_to])
+            else
+              redirect_to(default)
+            end
+            session[:return_to] = nil
+          end
+
+          def redirect_to_root
+            redirect_to root_url
+          end
+
+          def store_location
+            session[:return_to] = request.request_uri if request.get?
+          end
+
+          def deny_access(flash_message = nil, opts = {})
+            store_location
+            flash[:failure] = flash_message if flash_message
+            render :template => "/sessions/new", :status => :unauthorized
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/app/controllers/confirmations_controller.rb

@@ -0,0 +1,63 @@
+module Clearance
+  module App
+    module Controllers
+      module ConfirmationsController
+
+        def self.included(controller)
+          controller.send(:include, Actions)
+          controller.send(:include, PrivateMethods)
+
+          controller.class_eval do
+            before_filter :forbid_confirmed_user,    :only => :new
+            before_filter :forbid_missing_token,     :only => :new
+            before_filter :forbid_non_existant_user, :only => :new
+            filter_parameter_logging :token
+          end
+        end
+
+        module Actions
+          def new
+            create
+          end
+
+          def create
+            @user = User.find_by_id_and_token(params[:user_id], params[:token])
+            @user.confirm_email!
+
+            sign_user_in(@user)
+            flash[:success] = "Confirmed email and signed in."
+            redirect_to url_after_create
+          end
+        end
+
+        module PrivateMethods
+          private
+
+          def forbid_confirmed_user
+            user = User.find_by_id(params[:user_id])
+            if user && user.email_confirmed?
+              raise ActionController::Forbidden, "confirmed user"
+            end
+          end
+
+          def forbid_missing_token
+            if params[:token].blank?
+              raise ActionController::Forbidden, "missing token"
+            end
+          end
+
+          def forbid_non_existant_user
+            unless User.find_by_id_and_token(params[:user_id], params[:token])
+              raise ActionController::Forbidden, "non-existant user"
+            end
+          end
+
+          def url_after_create
+            root_url
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/app/controllers/passwords_controller.rb

@@ -0,0 +1,79 @@
+module Clearance
+  module App
+    module Controllers
+      module PasswordsController
+
+        def self.included(controller)
+          controller.send(:include, Actions)
+          controller.send(:include, PrivateMethods)
+
+          controller.class_eval do
+            before_filter :forbid_missing_token,     :only => [:edit, :update]
+            before_filter :forbid_non_existant_user, :only => [:edit, :update]
+            filter_parameter_logging :password, :password_confirmation
+          end
+        end
+
+        module Actions
+          def new
+          end
+
+          def create
+            if user = User.find_by_email(params[:password][:email])
+              user.forgot_password!
+              ClearanceMailer.deliver_change_password user
+              flash[:notice] = "You will receive an email within the next few minutes. " <<
+                               "It contains instructions for changing your password."
+              redirect_to url_after_create
+            else
+              flash.now[:notice] = "Unknown email"
+              render :action => :new
+            end
+          end
+
+          def edit
+            @user = User.find_by_id_and_token(params[:user_id], params[:token])
+          end
+
+          def update
+            @user = User.find_by_id_and_token(params[:user_id], params[:token])
+
+            if @user.update_password(params[:user][:password], 
+                                     params[:user][:password_confirmation])
+              @user.confirm_email! unless @user.email_confirmed?
+              sign_user_in(@user)
+              redirect_to url_after_update
+            else
+              render :action => :edit
+            end
+          end
+        end
+
+        module PrivateMethods
+          private
+
+          def forbid_missing_token
+            if params[:token].blank?
+              raise ActionController::Forbidden, "missing token"
+            end
+          end
+
+          def forbid_non_existant_user
+            unless User.find_by_id_and_token(params[:user_id], params[:token])
+              raise ActionController::Forbidden, "non-existant user"
+            end
+          end
+
+          def url_after_create
+            new_session_url
+          end
+
+          def url_after_update
+            root_url
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/clearance/app/controllers/sessions_controller.rb

@@ -0,0 +1,74 @@
+module Clearance
+  module App
+    module Controllers
+      module SessionsController
+
+        def self.included(controller)
+          controller.send(:include, Actions)
+          controller.send(:include, PrivateMethods)
+
+          controller.class_eval do
+            protect_from_forgery :except => :create
+            filter_parameter_logging :password
+          end
+        end
+
+        module Actions
+          def create
+            @user = User.authenticate(params[:session][:email],
+                                      params[:session][:password])
+            if @user.nil?
+              flash.now[:notice] = "Bad email or password."
+              render :action => :new, :status => :unauthorized
+            else
+              if @user.email_confirmed?
+                remember(@user) if remember?
+                sign_user_in(@user)
+                flash[:notice] = "Signed in successfully."
+                redirect_back_or url_after_create
+              else
+                ClearanceMailer.deliver_confirmation(@user)
+                deny_access("User has not confirmed email. Confirmation email will be resent.")
+              end
+            end
+          end
+
+          def destroy
+            forget(current_user)
+            reset_session
+            flash[:notice] = "You have been signed out."
+            redirect_to url_after_destroy
+          end
+        end
+
+        module PrivateMethods
+          private
+
+          def remember?
+            params[:session] && params[:session][:remember_me] == "1"
+          end
+
+          def remember(user)
+            user.remember_me!
+            cookies[:remember_token] = { :value   => user.token,
+                                         :expires => user.token_expires_at }
+          end
+
+          def forget(user)
+            user.forget_me! if user
+            cookies.delete :remember_token
+          end
+
+          def url_after_create
+            root_url
+          end
+
+          def url_after_destroy
+            new_session_url
+          end
+        end
+
+      end
+    end
+  end
+end