kingsman 0.0.0.beta → 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +5 -4
- data/app/controllers/kingsman/confirmations_controller.rb +54 -0
- data/app/controllers/kingsman/omniauth_callbacks_controller.rb +36 -0
- data/app/controllers/kingsman/passwords_controller.rb +83 -0
- data/app/controllers/kingsman/registrations_controller.rb +168 -0
- data/app/controllers/kingsman/sessions_controller.rb +83 -0
- data/app/controllers/kingsman/unlocks_controller.rb +52 -0
- data/app/controllers/kingsman_controller.rb +252 -0
- data/app/jobs/application_job.rb +2 -0
- data/app/mailers/kingsman/mailer.rb +30 -0
- data/app/views/kingsman/confirmations/new.html.erb +16 -0
- data/app/views/kingsman/home/index.html.erb +1 -0
- data/app/views/kingsman/mailer/confirmation_instructions.html.erb +5 -0
- data/app/views/kingsman/mailer/email_changed.html.erb +7 -0
- data/app/views/kingsman/mailer/password_change.html.erb +3 -0
- data/app/views/kingsman/mailer/reset_password_instructions.html.erb +8 -0
- data/app/views/kingsman/mailer/unlock_instructions.html.erb +7 -0
- data/app/views/kingsman/passwords/edit.html.erb +25 -0
- data/app/views/kingsman/passwords/new.html.erb +16 -0
- data/app/views/kingsman/registrations/edit.html.erb +42 -0
- data/app/views/kingsman/registrations/new.html.erb +29 -0
- data/app/views/kingsman/sessions/new.html.erb +26 -0
- data/app/views/kingsman/shared/_error_messages.html.erb +15 -0
- data/app/views/kingsman/shared/_links.html.erb +25 -0
- data/app/views/kingsman/unlocks/new.html.erb +16 -0
- data/app/views/kingsman/up/index.html.erb +11 -0
- data/config/application.rb +0 -0
- data/config/locales/en.yml +63 -0
- data/config.ru +6 -0
- data/lib/generators/active_record/kingsman_generator.rb +127 -0
- data/lib/generators/active_record/templates/migration.rb +20 -0
- data/lib/generators/active_record/templates/migration_existing.rb +27 -0
- data/lib/generators/kingsman/controllers_generator.rb +46 -0
- data/lib/generators/kingsman/install_generator.rb +42 -0
- data/lib/generators/kingsman/kingsman_generator.rb +28 -0
- data/lib/generators/kingsman/orm_helpers.rb +40 -0
- data/lib/generators/kingsman/views_generator.rb +145 -0
- data/lib/generators/mongoid/kingsman_generator.rb +57 -0
- data/lib/generators/templates/README +36 -0
- data/lib/generators/templates/controllers/README +14 -0
- data/lib/generators/templates/controllers/confirmations_controller.rb +30 -0
- data/lib/generators/templates/controllers/omniauth_callbacks_controller.rb +30 -0
- data/lib/generators/templates/controllers/passwords_controller.rb +34 -0
- data/lib/generators/templates/controllers/registrations_controller.rb +62 -0
- data/lib/generators/templates/controllers/sessions_controller.rb +27 -0
- data/lib/generators/templates/controllers/unlocks_controller.rb +30 -0
- data/lib/generators/templates/kingsman.rb +313 -0
- data/lib/generators/templates/markerb/confirmation_instructions.markerb +5 -0
- data/lib/generators/templates/markerb/email_changed.markerb +7 -0
- data/lib/generators/templates/markerb/password_change.markerb +3 -0
- data/lib/generators/templates/markerb/reset_password_instructions.markerb +8 -0
- data/lib/generators/templates/markerb/unlock_instructions.markerb +7 -0
- data/lib/generators/templates/simple_form_for/confirmations/new.html.erb +20 -0
- data/lib/generators/templates/simple_form_for/passwords/edit.html.erb +27 -0
- data/lib/generators/templates/simple_form_for/passwords/new.html.erb +18 -0
- data/lib/generators/templates/simple_form_for/registrations/edit.html.erb +35 -0
- data/lib/generators/templates/simple_form_for/registrations/new.html.erb +25 -0
- data/lib/generators/templates/simple_form_for/sessions/new.html.erb +20 -0
- data/lib/generators/templates/simple_form_for/unlocks/new.html.erb +19 -0
- data/lib/kingsman/autoloader.rb +31 -0
- data/lib/kingsman/controllers/helpers.rb +221 -0
- data/lib/kingsman/controllers/rememberable.rb +57 -0
- data/lib/kingsman/controllers/responder.rb +35 -0
- data/lib/kingsman/controllers/scoped_views.rb +19 -0
- data/lib/kingsman/controllers/sign_in_out.rb +112 -0
- data/lib/kingsman/controllers/store_location.rb +76 -0
- data/lib/kingsman/controllers/url_helpers.rb +72 -0
- data/lib/kingsman/delegator.rb +18 -0
- data/lib/kingsman/encryptor.rb +19 -0
- data/lib/kingsman/failure_app.rb +280 -0
- data/lib/kingsman/hooks/activatable.rb +12 -0
- data/lib/kingsman/hooks/csrf_cleaner.rb +14 -0
- data/lib/kingsman/hooks/forgetable.rb +11 -0
- data/lib/kingsman/hooks/lockable.rb +9 -0
- data/lib/kingsman/hooks/proxy.rb +23 -0
- data/lib/kingsman/hooks/rememberable.rb +9 -0
- data/lib/kingsman/hooks/timeoutable.rb +35 -0
- data/lib/kingsman/hooks/trackable.rb +11 -0
- data/lib/kingsman/hooks.rb +6 -0
- data/lib/kingsman/jets/routes.rb +195 -0
- data/lib/kingsman/jets/warden_compat.rb +15 -0
- data/lib/kingsman/jets.rb +39 -0
- data/lib/kingsman/mailers/helpers.rb +93 -0
- data/lib/kingsman/mapping.rb +148 -0
- data/lib/kingsman/models/authenticatable.rb +310 -0
- data/lib/kingsman/models/confirmable.rb +369 -0
- data/lib/kingsman/models/database_authenticatable.rb +206 -0
- data/lib/kingsman/models/lockable.rb +214 -0
- data/lib/kingsman/models/omniauthable.rb +29 -0
- data/lib/kingsman/models/recoverable.rb +156 -0
- data/lib/kingsman/models/registerable.rb +29 -0
- data/lib/kingsman/models/rememberable.rb +158 -0
- data/lib/kingsman/models/timeoutable.rb +45 -0
- data/lib/kingsman/models/trackable.rb +51 -0
- data/lib/kingsman/models/validatable.rb +68 -0
- data/lib/kingsman/models.rb +122 -0
- data/lib/kingsman/modules.rb +33 -0
- data/lib/kingsman/omniauth/config.rb +47 -0
- data/lib/kingsman/omniauth/url_helpers.rb +28 -0
- data/lib/kingsman/omniauth.rb +20 -0
- data/lib/kingsman/orm/active_record.rb +13 -0
- data/lib/kingsman/orm/mongoid.rb +8 -0
- data/lib/kingsman/orm.rb +37 -0
- data/lib/kingsman/parameter_filter.rb +44 -0
- data/lib/kingsman/parameter_sanitizer.rb +173 -0
- data/lib/kingsman/secret_key_finder.rb +27 -0
- data/lib/kingsman/strategies/authenticatable.rb +178 -0
- data/lib/kingsman/strategies/base.rb +22 -0
- data/lib/kingsman/strategies/database_authenticatable.rb +31 -0
- data/lib/kingsman/strategies/rememberable.rb +67 -0
- data/lib/kingsman/token_generator.rb +32 -0
- data/lib/kingsman/version.rb +1 -1
- data/lib/kingsman.rb +427 -3
- metadata +289 -11
@@ -0,0 +1,178 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'kingsman/strategies/base'
|
4
|
+
|
5
|
+
module Kingsman
|
6
|
+
module Strategies
|
7
|
+
# This strategy should be used as basis for authentication strategies. It retrieves
|
8
|
+
# parameters both from params or from http authorization headers. See database_authenticatable
|
9
|
+
# for an example.
|
10
|
+
class Authenticatable < Base
|
11
|
+
attr_accessor :authentication_hash, :authentication_type, :password
|
12
|
+
|
13
|
+
def store?
|
14
|
+
super && !mapping.to.skip_session_storage.include?(authentication_type)
|
15
|
+
end
|
16
|
+
|
17
|
+
def valid?
|
18
|
+
valid_for_params_auth? || valid_for_http_auth?
|
19
|
+
end
|
20
|
+
|
21
|
+
# Override and set to false for things like OmniAuth that technically
|
22
|
+
# run through Authentication (user_set) very often, which would normally
|
23
|
+
# reset CSRF data in the session
|
24
|
+
def clean_up_csrf?
|
25
|
+
true
|
26
|
+
end
|
27
|
+
|
28
|
+
private
|
29
|
+
|
30
|
+
# Receives a resource and check if it is valid by calling valid_for_authentication?
|
31
|
+
# A block that will be triggered while validating can be optionally
|
32
|
+
# given as parameter. Check Kingsman::Models::Authenticatable.valid_for_authentication?
|
33
|
+
# for more information.
|
34
|
+
#
|
35
|
+
# In case the resource can't be validated, it will fail with the given
|
36
|
+
# unauthenticated_message.
|
37
|
+
def validate(resource, &block)
|
38
|
+
result = resource && resource.valid_for_authentication?(&block)
|
39
|
+
|
40
|
+
if result
|
41
|
+
true
|
42
|
+
else
|
43
|
+
if resource
|
44
|
+
fail!(resource.unauthenticated_message)
|
45
|
+
end
|
46
|
+
false
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
# Get values from params and set in the resource.
|
51
|
+
def remember_me(resource)
|
52
|
+
resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
|
53
|
+
end
|
54
|
+
|
55
|
+
# Should this resource be marked to be remembered?
|
56
|
+
def remember_me?
|
57
|
+
valid_params? && Kingsman::TRUE_VALUES.include?(params_auth_hash[:remember_me])
|
58
|
+
end
|
59
|
+
|
60
|
+
# Check if this is a valid strategy for http authentication by:
|
61
|
+
#
|
62
|
+
# * Validating if the model allows http authentication;
|
63
|
+
# * If any of the authorization headers were sent;
|
64
|
+
# * If all authentication keys are present;
|
65
|
+
#
|
66
|
+
def valid_for_http_auth?
|
67
|
+
http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
|
68
|
+
end
|
69
|
+
|
70
|
+
# Check if this is a valid strategy for params authentication by:
|
71
|
+
#
|
72
|
+
# * Validating if the model allows params authentication;
|
73
|
+
# * If the request hits the sessions controller through POST;
|
74
|
+
# * If the params[scope] returns a hash with credentials;
|
75
|
+
# * If all authentication keys are present;
|
76
|
+
#
|
77
|
+
def valid_for_params_auth?
|
78
|
+
params_authenticatable? && valid_params_request? &&
|
79
|
+
valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
|
80
|
+
end
|
81
|
+
|
82
|
+
# Check if the model accepts this strategy as http authenticatable.
|
83
|
+
def http_authenticatable?
|
84
|
+
mapping.to.http_authenticatable?(authenticatable_name)
|
85
|
+
end
|
86
|
+
|
87
|
+
# Check if the model accepts this strategy as params authenticatable.
|
88
|
+
def params_authenticatable?
|
89
|
+
mapping.to.params_authenticatable?(authenticatable_name)
|
90
|
+
end
|
91
|
+
|
92
|
+
# Extract the appropriate subhash for authentication from params.
|
93
|
+
def params_auth_hash
|
94
|
+
params[scope]
|
95
|
+
end
|
96
|
+
|
97
|
+
# Extract a hash with attributes:values from the http params.
|
98
|
+
def http_auth_hash
|
99
|
+
keys = [http_authentication_key, :password]
|
100
|
+
Hash[*keys.zip(decode_credentials).flatten]
|
101
|
+
end
|
102
|
+
|
103
|
+
# By default, a request is valid if the controller set the proper env variable.
|
104
|
+
def valid_params_request?
|
105
|
+
!!env["kingsman.allow_params_authentication"]
|
106
|
+
end
|
107
|
+
|
108
|
+
# If the request is valid, finally check if params_auth_hash returns a hash.
|
109
|
+
def valid_params?
|
110
|
+
params_auth_hash.is_a?(Hash)
|
111
|
+
end
|
112
|
+
|
113
|
+
# Note: unlike `Model.valid_password?`, this method does not actually
|
114
|
+
# ensure that the password in the params matches the password stored in
|
115
|
+
# the database. It only checks if the password is *present*. Do not rely
|
116
|
+
# on this method for validating that a given password is correct.
|
117
|
+
def valid_password?
|
118
|
+
password.present?
|
119
|
+
end
|
120
|
+
|
121
|
+
# Helper to decode credentials from HTTP.
|
122
|
+
def decode_credentials
|
123
|
+
return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
|
124
|
+
Base64.decode64($1).split(/:/, 2)
|
125
|
+
end
|
126
|
+
|
127
|
+
# Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
|
128
|
+
def with_authentication_hash(auth_type, auth_values)
|
129
|
+
self.authentication_hash, self.authentication_type = {}, auth_type
|
130
|
+
self.password = auth_values[:password]
|
131
|
+
|
132
|
+
parse_authentication_key_values(auth_values, authentication_keys) &&
|
133
|
+
parse_authentication_key_values(request_values, request_keys)
|
134
|
+
end
|
135
|
+
|
136
|
+
def authentication_keys
|
137
|
+
@authentication_keys ||= mapping.to.authentication_keys
|
138
|
+
end
|
139
|
+
|
140
|
+
def http_authentication_key
|
141
|
+
@http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
|
142
|
+
when Array then authentication_keys.first
|
143
|
+
when Hash then authentication_keys.keys.first
|
144
|
+
end
|
145
|
+
end
|
146
|
+
|
147
|
+
def request_keys
|
148
|
+
@request_keys ||= mapping.to.request_keys
|
149
|
+
end
|
150
|
+
|
151
|
+
def request_values
|
152
|
+
keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
|
153
|
+
values = keys.map { |k| self.request.send(k) }
|
154
|
+
Hash[keys.zip(values)]
|
155
|
+
end
|
156
|
+
|
157
|
+
def parse_authentication_key_values(hash, keys)
|
158
|
+
keys.each do |key, enforce|
|
159
|
+
value = hash[key].presence
|
160
|
+
if value
|
161
|
+
self.authentication_hash[key] = value
|
162
|
+
else
|
163
|
+
return false unless enforce == false
|
164
|
+
end
|
165
|
+
end
|
166
|
+
true
|
167
|
+
end
|
168
|
+
|
169
|
+
# Holds the authenticatable name for this class. Kingsman::Strategies::DatabaseAuthenticatable
|
170
|
+
# becomes simply :database.
|
171
|
+
def authenticatable_name
|
172
|
+
@authenticatable_name ||=
|
173
|
+
ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
|
174
|
+
sub("_authenticatable", "").to_sym
|
175
|
+
end
|
176
|
+
end
|
177
|
+
end
|
178
|
+
end
|
@@ -0,0 +1,22 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Kingsman
|
4
|
+
module Strategies
|
5
|
+
# Base strategy for Kingsman. Responsible for verifying correct scope and mapping.
|
6
|
+
class Base < ::Warden::Strategies::Base
|
7
|
+
# Whenever CSRF cannot be verified, we turn off any kind of storage
|
8
|
+
def store?
|
9
|
+
!env["kingsman.skip_storage"]
|
10
|
+
end
|
11
|
+
|
12
|
+
# Checks if a valid scope was given for kingsman and find mapping based on this scope.
|
13
|
+
def mapping
|
14
|
+
@mapping ||= begin
|
15
|
+
mapping = Kingsman.mappings[scope]
|
16
|
+
raise "Could not find mapping for #{scope}" unless mapping
|
17
|
+
mapping
|
18
|
+
end
|
19
|
+
end
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
@@ -0,0 +1,31 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'kingsman/strategies/authenticatable'
|
4
|
+
|
5
|
+
module Kingsman
|
6
|
+
module Strategies
|
7
|
+
# Default strategy for signing in a user, based on their email and password in the database.
|
8
|
+
class DatabaseAuthenticatable < Authenticatable
|
9
|
+
def authenticate!
|
10
|
+
resource = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
|
11
|
+
hashed = false
|
12
|
+
|
13
|
+
if validate(resource){ hashed = true; resource.valid_password?(password) }
|
14
|
+
remember_me(resource)
|
15
|
+
resource.after_database_authentication
|
16
|
+
success!(resource)
|
17
|
+
end
|
18
|
+
|
19
|
+
# In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
|
20
|
+
# This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
|
21
|
+
# exist in the database if the password hashing algorithm is not called.
|
22
|
+
mapping.to.new.password = password if !hashed && Kingsman.paranoid
|
23
|
+
unless resource
|
24
|
+
Kingsman.paranoid ? fail(:invalid) : fail(:not_found_in_database)
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
Warden::Strategies.add(:database_authenticatable, Kingsman::Strategies::DatabaseAuthenticatable)
|
@@ -0,0 +1,67 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'kingsman/strategies/authenticatable'
|
4
|
+
|
5
|
+
module Kingsman
|
6
|
+
module Strategies
|
7
|
+
# Remember the user through the remember token. This strategy is responsible
|
8
|
+
# to verify whether there is a cookie with the remember token, and to
|
9
|
+
# recreate the user from this cookie if it exists. Must be called *before*
|
10
|
+
# authenticatable.
|
11
|
+
class Rememberable < Authenticatable
|
12
|
+
# A valid strategy for rememberable needs a remember token in the cookies.
|
13
|
+
def valid?
|
14
|
+
@remember_cookie = nil
|
15
|
+
remember_cookie.present?
|
16
|
+
end
|
17
|
+
|
18
|
+
# To authenticate a user we deserialize the cookie and attempt finding
|
19
|
+
# the record in the database. If the attempt fails, we pass to another
|
20
|
+
# strategy handle the authentication.
|
21
|
+
def authenticate!
|
22
|
+
resource = mapping.to.serialize_from_cookie(*remember_cookie)
|
23
|
+
|
24
|
+
unless resource
|
25
|
+
cookies.delete(remember_key)
|
26
|
+
return pass
|
27
|
+
end
|
28
|
+
|
29
|
+
if validate(resource)
|
30
|
+
remember_me(resource) if extend_remember_me?(resource)
|
31
|
+
resource.after_remembered
|
32
|
+
success!(resource)
|
33
|
+
end
|
34
|
+
end
|
35
|
+
|
36
|
+
# No need to clean up the CSRF when using rememberable.
|
37
|
+
# In fact, cleaning it up here would be a bug because
|
38
|
+
# rememberable is triggered on GET requests which means
|
39
|
+
# we would render a page on first access with all csrf
|
40
|
+
# tokens expired.
|
41
|
+
def clean_up_csrf?
|
42
|
+
false
|
43
|
+
end
|
44
|
+
|
45
|
+
private
|
46
|
+
|
47
|
+
def extend_remember_me?(resource)
|
48
|
+
resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
|
49
|
+
end
|
50
|
+
|
51
|
+
def remember_me?
|
52
|
+
true
|
53
|
+
end
|
54
|
+
|
55
|
+
def remember_key
|
56
|
+
mapping.to.rememberable_options.fetch(:key, "remember_#{scope}_token")
|
57
|
+
end
|
58
|
+
|
59
|
+
def remember_cookie
|
60
|
+
@remember_cookie ||= cookies.signed[remember_key]
|
61
|
+
end
|
62
|
+
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
Warden::Strategies.add(:rememberable, Kingsman::Strategies::Rememberable)
|
@@ -0,0 +1,32 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'openssl'
|
4
|
+
|
5
|
+
module Kingsman
|
6
|
+
class TokenGenerator
|
7
|
+
def initialize(key_generator, digest = "SHA256")
|
8
|
+
@key_generator = key_generator
|
9
|
+
@digest = digest
|
10
|
+
end
|
11
|
+
|
12
|
+
def digest(klass, column, value)
|
13
|
+
value.present? && OpenSSL::HMAC.hexdigest(@digest, key_for(column), value.to_s)
|
14
|
+
end
|
15
|
+
|
16
|
+
def generate(klass, column)
|
17
|
+
key = key_for(column)
|
18
|
+
|
19
|
+
loop do
|
20
|
+
raw = Kingsman.friendly_token
|
21
|
+
enc = OpenSSL::HMAC.hexdigest(@digest, key, raw)
|
22
|
+
break [raw, enc] unless klass.to_adapter.find_first({ column => enc })
|
23
|
+
end
|
24
|
+
end
|
25
|
+
|
26
|
+
private
|
27
|
+
|
28
|
+
def key_for(column)
|
29
|
+
@key_generator.generate_key("Kingsman #{column}")
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
data/lib/kingsman/version.rb
CHANGED