login_generator 1.1.0

data/USAGE

@@ -0,0 +1,24 @@
+NAME
+     login - creates a functional login system
+
+SYNOPSIS
+     login [Controller name]
+     
+     Good names are Account Myaccount Security
+
+DESCRIPTION
+     This generator creates a general purpose login system.
+
+     Included:
+      - a User model which uses sha1 encryption for passwords
+      - a Controller with signup, login, welcome and logoff actions
+      - a mixin which lets you easily add advanced authentication 
+        features to your abstract base controller
+      - a user_model.sql with the minimal sql required to get the model to work. 
+      - extensive unit and functional test cases to make sure nothing breaks.
+            
+EXAMPLE
+      ./script/generate login Account
+
+     This will generate an Account controller with login and logout methods. 
+     The model is always called User 

data/login_generator.rb

@@ -0,0 +1,36 @@
+class LoginGenerator < Rails::Generator::NamedBase
+  def manifest
+    record do |m|
+      
+      # Login module, controller class, functional test, and helper.
+      m.template "login_system.rb", "lib/login_system.rb"
+      m.template "controller.rb", File.join("app/controllers", class_path, "#{file_name}_controller.rb")
+      m.template "controller_test.rb", File.join("test/functional", class_path, "#{file_name}_controller_test.rb")
+      m.template "helper.rb", File.join("app/helpers", class_path, "#{file_name}_helper.rb")
+
+      # Model class, unit test, fixtures, and example schema.
+      m.template "user.rb", "app/models/user.rb"
+      m.template "user_test.rb", "test/unit/user_test.rb"
+      m.template "users.yml", "test/fixtures/users.yml"
+
+      # Layout and stylesheet.
+      m.template "scaffold:layout.rhtml", "app/views/layouts/scaffold.rhtml"
+      m.template "scaffold:style.css", "public/stylesheets/scaffold.css"
+
+      # Views. 
+      m.directory File.join("app/views", class_path, file_name)
+      login_views.each do |action|
+        m.template "view_#{action}.rhtml",
+          File.join("app/views", class_path, file_name, "#{action}.rhtml")
+      end
+
+      m.template "README", "README_LOGIN"
+    end
+  end
+
+  attr_accessor :controller_class_name
+  
+  def login_views
+    %w(welcome login logout signup)
+  end
+end

data/templates/README

@@ -0,0 +1,119 @@
+== Installation
+
+Done generating the login system. but there are still a few things you have to
+do manually. First open your application.rb and add
+
+  require_dependency "login_system"
+
+to the top of the file and include the login system with
+
+  include LoginSystem 
+
+The beginning of your ApplicationController.
+It should look something like this : 
+
+  require_dependency "login_system"
+
+  class ApplicationController < ActionController::Base
+    include LoginSystem
+    model :user
+
+After you have done the modifications the the AbstractController you can import
+the user model into the database. This model is meant as an example and you
+should extend it. If you just want to get things up and running you can find
+some create table syntax in db/user_model.sql.
+
+The model :user is required when you are hitting problems to the degree of
+"Session could not be restored becuase not all items in it are known"
+
+== Requirements
+
+You need a database table corresponding to the User model. 
+
+  mysql syntax:
+  CREATE TABLE users (
+    id int(11) NOT NULL auto_increment,
+    login varchar(80) default NULL,
+    password varchar(40) default NULL,
+    PRIMARY KEY  (id)
+  );
+ 
+  postgres :
+  CREATE TABLE "users" (
+   "id" SERIAL NOT NULL UNIQUE,
+   "login" VARCHAR(80),
+   "password" VARCHAR,
+   PRIMARY KEY("id")
+  ) WITH OIDS;
+
+
+  sqlite:
+  CREATE TABLE 'users' (
+    'id' INTEGER PRIMARY KEY NOT NULL,
+    'user' VARCHAR(80) DEFAULT NULL,
+    'password' VARCHAR(40) DEFAULT NULL
+  );
+
+Of course your user model can have any amount of extra fields. This is just a
+starting point
+
+== How to use it 
+
+Now you can go around and happily add "before_filter :login_required" to the
+controllers which you would like to protect. 
+
+After integrating the login system with your rails application navigate to your
+new controller's signup method. There you can create a new account. After you
+are done you should have a look at your DB. Your freshly created user will be
+there but the password will be a sha1 hashed 40 digit mess. I find this should
+be the minimum of security which every page offering login&password should give
+its customers. Now you can move to one of those controllers which you protected
+with the before_filter :login_required snippet. You will automatically be re-
+directed to your freshly created login controller and you are asked for a
+password. After entering valid account data you will be taken back to the
+controller which you requested earlier. Simple huh?
+
+== Tips & Tricks
+
+How do I...
+
+  ... access the user who is currently logged in
+
+  A: You can get the user object from the session using @session['user']
+     Example: 
+       Welcome <%%= @session[:user].name %> 
+
+  ... restrict access to only a few methods? 
+  
+  A: Use before_filters build in scoping. 
+     Example: 
+       before_filter :login_required, :only => [:myaccount, :changepassword]
+       before_filter :login_required, :except => [:index]
+     
+  ... check if a user is logged-in in my views?
+  
+  A: @session[:user] will tell you. Here is an example helper which you can use to make this more pretty:
+     Example: 
+       def user?
+         !@session[:user].nil?
+       end
+
+  ... return a user to the page they came from before logging in?
+
+  A: The user will be send back to the last url which called the method "store_location"
+     Example:
+       User was at /articles/show/1, wants to log in.
+       in articles_controller.rb, add store_location to the show function and send the user
+       to the login form. 
+       After he logs in he will be send back to /articles/show/1
+
+
+You can find more help at http://wiki.rubyonrails.com/rails/show/LoginGenerator
+
+== Changelog
+
+1.1.0 Major security bugfix and modernisation
+1.0.5 Bugfix in generator code
+1.0.2 Updated the readme with more tips&tricks
+1.0.1 Fixed problem in the readme
+1.0.0 First gem release

data/templates/controller.rb

@@ -0,0 +1,36 @@
+class <%= class_name %>Controller < ApplicationController
+  layout  'scaffold'
+
+  def login
+    case @request.method
+      when :post
+      if @session[:user] = User.authenticate(@params[:user_login], @params[:user_password])
+
+        flash['notice']  = "Login successful"
+        redirect_back_or_default :action => "welcome"
+      else
+        flash.now['notice']  = "Login unsuccessful"
+
+        @login = @params[:user_login]
+      end
+    end
+  end
+  
+  def signup
+    @user = User.new(@params[:user])
+
+    if @request.post? and @user.save
+      @session[:user] = User.authenticate(@user.login, @params[:user][:password])
+      flash['notice']  = "Signup successful"
+      redirect_back_or_default :action => "welcome"
+    end      
+  end  
+  
+  def logout
+    @session[:user] = nil
+  end
+    
+  def welcome
+  end
+  
+end

data/templates/controller_test.rb

@@ -0,0 +1,74 @@
+require File.dirname(__FILE__) + '/../test_helper'
+require '<%= file_name  %>_controller'
+
+# Set salt to 'change-me' because thats what the fixtures assume. 
+User.salt = 'change-me'
+
+# Raise errors beyond the default web-based presentation
+class <%= class_name %>Controller; def rescue_action(e) raise e end; end
+
+class <%= class_name %>ControllerTest < Test::Unit::TestCase
+  
+  fixtures :users
+  
+  def setup
+    @controller = <%= class_name %>Controller.new
+    @request, @response = ActionController::TestRequest.new, ActionController::TestResponse.new
+    @request.host = "localhost"
+  end
+  
+  def test_auth_bob
+    @request.session[:return_to] = "/bogus/location"
+
+    post :login, :user_login => "bob", :user_password => "test"
+    assert_session_has :user
+
+    assert_equal @bob, @response.session[:user]
+    
+    assert_redirect_url "/bogus/location"
+  end
+  
+  def test_signup
+    @request.session[:return_to] = "/bogus/location"
+
+    post :signup, :user => { :login => "newbob", :password => "newpassword", :password_confirmation => "newpassword" }
+    assert_session_has :user
+    
+    assert_redirect_url "/bogus/location"
+  end
+
+  def test_bad_signup
+    @request.session[:return_to] = "/bogus/location"
+
+    post :signup, :user => { :login => "newbob", :password => "newpassword", :password_confirmation => "wrong" }
+    assert_invalid_column_on_record "user", :password
+    assert_success
+    
+    post :signup, :user => { :login => "yo", :password => "newpassword", :password_confirmation => "newpassword" }
+    assert_invalid_column_on_record "user", :login
+    assert_success
+
+    post :signup, :user => { :login => "yo", :password => "newpassword", :password_confirmation => "wrong" }
+    assert_invalid_column_on_record "user", [:login, :password]
+    assert_success
+  end
+
+  def test_invalid_login
+    post :login, :user_login => "bob", :user_password => "not_correct"
+     
+    assert_session_has_no :user
+    
+    assert_template_has "login"
+  end
+  
+  def test_login_logoff
+
+    post :login, :user_login => "bob", :user_password => "test"
+    assert_session_has :user
+
+    get :logout
+    assert_session_has_no :user
+
+  end
+  
+end

data/templates/helper.rb

@@ -0,0 +1,2 @@
+module <%= class_name %>Helper
+end

data/templates/login_system.rb

@@ -0,0 +1,87 @@
+require_dependency "user"
+
+module LoginSystem 
+  
+  protected
+  
+  # overwrite this if you want to restrict access to only a few actions
+  # or if you want to check if the user has the correct rights  
+  # example:
+  #
+  #  # only allow nonbobs
+  #  def authorize?(user)
+  #    user.login != "bob"
+  #  end
+  def authorize?(user)
+     true
+  end
+  
+  # overwrite this method if you only want to protect certain actions of the controller
+  # example:
+  # 
+  #  # don't protect the login and the about method
+  #  def protect?(action)
+  #    if ['action', 'about'].include?(action)
+  #       return false
+  #    else
+  #       return true
+  #    end
+  #  end
+  def protect?(action)
+    true
+  end
+   
+  # login_required filter. add 
+  #
+  #   before_filter :login_required
+  #
+  # if the controller should be under any rights management. 
+  # for finer access control you can overwrite
+  #   
+  #   def authorize?(user)
+  # 
+  def login_required
+    
+    if not protect?(action_name)
+      return true  
+    end
+
+    if @session[:user] and authorize?(@session[:user])
+      return true
+    end
+
+    # store current location so that we can 
+    # come back after the user logged in
+    store_location
+  
+    # call overwriteable reaction to unauthorized access
+    access_denied
+    return false 
+  end
+
+  # overwrite if you want to have special behavior in case the user is not authorized
+  # to access the current operation. 
+  # the default action is to redirect to the login screen
+  # example use :
+  # a popup window might just close itself for instance
+  def access_denied
+    redirect_to :controller=>"/<%= file_name %>", :action =>"login"
+  end  
+  
+  # store current uri in  the session.
+  # we can return to this location by calling return_location
+  def store_location
+    @session[:return_to] = @request.request_uri
+  end
+
+  # move to the last store_location call or to the passed default one
+  def redirect_back_or_default(default)
+    if @session[:return_to].nil?
+      redirect_to default
+    else
+      redirect_to_url @session[:return_to]
+      @session[:return_to] = nil
+    end
+  end
+
+end

data/templates/user.rb

@@ -0,0 +1,59 @@
+require 'digest/sha1'
+
+# this model expects a certain database layout and its based on the name/login pattern. 
+class User < ActiveRecord::Base
+
+  # Please change the salt to something else, 
+  # Every application should use a different one 
+  @@salt = 'change-me'
+  cattr_accessor :salt
+
+  # Authenticate a user. 
+  #
+  # Example:
+  #   @user = User.authenticate('bob', 'bobpass')
+  #
+  def self.authenticate(login, pass)
+    find_first(["login = ? AND password = ?", login, sha1(pass)])
+  end  
+  
+
+  protected
+
+  # Apply SHA1 encryption to the supplied password. 
+  # We will additionally surround the password with a salt 
+  # for additional security. 
+  def self.sha1(pass)
+    Digest::SHA1.hexdigest("#{salt}--#{pass}--")
+  end
+    
+  before_create :crypt_password
+  
+  # Before saving the record to database we will crypt the password 
+  # using SHA1. 
+  # We never store the actual password in the DB.
+  def crypt_password
+    write_attribute "password", self.class.sha1(password)
+  end
+  
+  before_update :crypt_unless_empty
+  
+  # If the record is updated we will check if the password is empty.
+  # If its empty we assume that the user didn't want to change his
+  # password and just reset it to the old value.
+  def crypt_unless_empty
+    if password.empty?      
+      user = self.class.find(self.id)
+      self.password = user.password
+    else
+      write_attribute "password", self.class.sha1(password)
+    end        
+  end  
+  
+  validates_uniqueness_of :login, :on => :create
+
+  validates_confirmation_of :password
+  validates_length_of :login, :within => 3..40
+  validates_length_of :password, :within => 5..40
+  validates_presence_of :login, :password, :password_confirmation
+end

data/templates/user_test.rb

@@ -0,0 +1,91 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+# Set salt to 'change-me' because thats what the fixtures assume. 
+User.salt = 'change-me'
+
+class UserTest < Test::Unit::TestCase
+  
+  fixtures :users
+    
+  def test_auth
+    
+    assert_equal  @bob, User.authenticate("bob", "test")    
+    assert_nil    User.authenticate("nonbob", "test")
+    
+  end
+
+  def test_disallowed_passwords
+    
+    u = User.new    
+    u.login = "nonbob"
+
+    u.password = u.password_confirmation = "tiny"
+    assert !u.save     
+    assert u.errors.invalid?('password')
+
+    u.password = u.password_confirmation = "hugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehugehuge"
+    assert !u.save     
+    assert u.errors.invalid?('password')
+        
+    u.password = u.password_confirmation = ""
+    assert !u.save    
+    assert u.errors.invalid?('password')
+        
+    u.password = u.password_confirmation = "bobs_secure_password"
+    assert u.save     
+    assert u.errors.empty?
+        
+  end
+  
+  def test_bad_logins
+
+    u = User.new  
+    u.password = u.password_confirmation = "bobs_secure_password"
+
+    u.login = "x"
+    assert !u.save     
+    assert u.errors.invalid?('login')
+    
+    u.login = "hugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhugebobhug"
+    assert !u.save     
+    assert u.errors.invalid?('login')
+
+    u.login = ""
+    assert !u.save
+    assert u.errors.invalid?('login')
+
+    u.login = "okbob"
+    assert u.save  
+    assert u.errors.empty?
+      
+  end
+
+
+  def test_collision
+    u = User.new
+    u.login      = "existingbob"
+    u.password = u.password_confirmation = "bobs_secure_password"
+    assert !u.save
+  end
+
+
+  def test_create
+    u = User.new
+    u.login      = "nonexistingbob"
+    u.password = u.password_confirmation = "bobs_secure_password"
+      
+    assert u.save  
+    
+  end
+  
+  def test_sha1
+    u = User.new
+    u.login      = "nonexistingbob"
+    u.password = u.password_confirmation = "bobs_secure_password"
+    assert u.save
+        
+    assert_equal '98740ff87bade6d895010bceebbd9f718e7856bb', u.password    
+  end
+
+  
+end

data/templates/users.yml

@@ -0,0 +1,16 @@
+# Read about fixtures at http://ar.rubyonrails.org/classes/Fixtures.html
+
+bob:
+  id: 1000001
+  login: bob
+  password: 9a91e1d8d95b6315991a88121bb0aa9f03ba0dfc # test
+  
+existingbob:
+  id: 1000002
+  login: existingbob
+  password: 9a91e1d8d95b6315991a88121bb0aa9f03ba0dfc # test
+  
+longbob:
+  id: 1000003
+  login: longbob
+  password: 8e9b1a9a38e66ca572a5e8fdac8e256848842dfa # longtest

data/templates/view_login.rhtml

@@ -0,0 +1,22 @@
+<%%= start_form_tag :action=> "login" %>
+
+<div title="Account login" id="loginform" class="form">
+    <h3>Please login</h3>
+    
+    <%% if @flash['notice'] %>
+      <div id="message"><%%= @flash['notice'] %></div>
+    <%% end %>
+
+    <label for="user_login">Login:</label><br/>
+    <input type="text" name="user_login" id="user_login" size="30" value="<%= @login %>"/><br/>
+
+    <label for="user_password">Password:</label><br/>
+    <input type="password" name="user_password" id="user_password" size="30"/>
+
+    <br/>
+    <input type="submit" name="login" value="Login &#187;" class="primary" />
+
+</div>
+
+<%%= end_form_tag %>
+

data/templates/view_logout.rhtml

@@ -0,0 +1,10 @@
+
+<div class="memo">
+    <h3>Logoff</h3>
+
+    <p>You are now logged out of the system...</p>
+      
+    <%%= link_to "&#171; login", :action=>"login"%>  
+      
+</div>
+

data/templates/view_signup.rhtml

@@ -0,0 +1,17 @@
+<%%= start_form_tag :action=> "signup" %>
+
+<div title="Account signup" id="signupform" class="form">
+  <h3>Signup</h3>
+  <%%= error_messages_for 'user' %><br/>
+  
+  <label for="user_login">Desired login:</label><br/>
+  <%%= text_field "user", "login", :size => 30 %><br/>
+  <label for="user_password">Choose password:</label><br/>
+  <%%= password_field "user", "password", :size => 30 %><br/>
+  <label for="user_password_confirmation">Confirm password:</label><br/>
+  <%%= password_field "user", "password_confirmation", :size => 30 %><br/>
+
+<input type="submit" value="Signup &#187;" class="primary" />
+
+<%%= end_form_tag %>
+

data/templates/view_welcome.rhtml

@@ -0,0 +1,13 @@
+
+<div class="memo">
+    <h3>Welcome</h3>
+
+    <p>You are now logged into the system...</p>
+    <p>
+    Since you are here it's safe to assume the application never called store_location, otherwise
+    you would have been redirected somewhere else after a successful login.
+    </p>
+      
+    <%%= link_to "&#171; logout", :action=>"logout"%>  
+      
+</div>

metadata

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification 
+rubygems_version: 0.8.10.1
+specification_version: 1
+name: login_generator
+version: !ruby/object:Gem::Version 
+  version: 1.1.0
+date: 2005-04-09
+summary: "[Rails] Login generator."
+require_paths: 
+  - "."
+email: tobi@leetsoft.com
+homepage: http://www.rubyonrails.org/show/Generators
+rubyforge_project: 
+description: Generates Rails code implementing a login system for your Rails app.
+autorequire: 
+default_executable: 
+bindir: bin
+has_rdoc: false
+required_ruby_version: !ruby/object:Gem::Version::Requirement 
+  requirements: 
+    - 
+      - ">"
+      - !ruby/object:Gem::Version 
+        version: 0.0.0
+  version: 
+platform: ruby
+authors: 
+  - Tobias Luetke
+files: 
+  - USAGE
+  - login_generator.rb
+  - templates/controller.rb
+  - templates/controller_test.rb
+  - templates/helper.rb
+  - templates/login_system.rb
+  - templates/README
+  - templates/user.rb
+  - templates/user_test.rb
+  - templates/users.yml
+  - templates/view_login.rhtml
+  - templates/view_logout.rhtml
+  - templates/view_signup.rhtml
+  - templates/view_welcome.rhtml
+test_files: []
+rdoc_options: []
+extra_rdoc_files: []
+executables: []
+extensions: []
+requirements: []
+dependencies: 
+  - !ruby/object:Gem::Dependency 
+    name: rails
+    version_requirement: 
+    version_requirements: !ruby/object:Gem::Version::Requirement 
+      requirements: 
+        - 
+          - ">="
+          - !ruby/object:Gem::Version 
+            version: 0.10.0
+      version: