mbleigh-twitter-auth 0.0.1

data/README.markdown

@@ -0,0 +1,52 @@
+TwitterAuth
+===========
+
+TwitterAuth is a plugin to provide a standard authentication stack using Twitter 
+as an SSO provider. This is obviously most useful and therefore targeted at
+apps that intend to heavily use the Twitter API.
+
+**Note:** TwitterAuth uses Rails Engines functionality from Rails 2.3 and is
+therefore incompatible with earlier versions of Rails.
+
+Getting Started
+---------------
+
+First, install either by gem or by plugin:
+
+    config.gem 'mbleigh-twitter-auth', :source => 'http://gems.github.com/'
+    
+OR
+    
+    script/plugin install git://github.com/mbleigh/twitter-auth.git
+
+Next, to get started, you will need to generate the migration for the User 
+model that TwitterAuth uses. It's simple:
+
+    script/generate migration twitter_auth_migration
+    
+If you look in the migration you will see that there are some information
+fields pre-populated (name, location, etc). These will automatically be
+retrieved from Twitter at each login and therefor kept both accessible
+and fresh for your usage.
+
+Believe it or not, that's it! You now have access to the standard suite
+of restful-auth controller helpers such as:
+
+* login_required
+* current_user
+* logged_in?
+
+And you also have the ability to login through the built-in SessionController.
+Just run the app and point your browser to '/login' to get started! You don't
+need to sign up because it will automatically create new users if the logging
+in user has never logged in before.
+
+Caveats
+-------
+
+This is **extremely alpha** code and has not been thoroughly spec'ed or even
+inspected. Use at your own risk as the functionality is likely to change
+drastically even in the near future.
+
+
+Copyright (c) 2009 [Michael Bleigh](http://www.mbleigh.com) and [Intridea, Inc.](http://www.intridea.com/), released under the MIT license

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+:major: 0
+:minor: 0
+:patch: 1

data/generators/twitter_auth_migration/templates/migration.rb

@@ -0,0 +1,24 @@
+class TwitterAuthMigration < ActiveRecord::Migration
+  def self.up
+    create_table :users do |t|
+      t.string   :login
+      t.string   :crypted_password
+      t.string   :salt
+      
+      # Basic info pulled automatically from Twitter. 
+      # Feel free to remove any of these columns you don't want.
+      t.string  :name
+      t.string  :location
+      t.text    :description
+      t.string  :profile_image_url
+      t.string  :url
+      t.boolean :protected
+      
+      t.timestamps
+    end
+  end
+  
+  def self.down
+    drop_table :users
+  end
+end

data/generators/twitter_auth_migration/twitter_auth_migration_generator.rb

@@ -0,0 +1,7 @@
+class TwitterAuthMigrationGenerator < Rails::Generator::Base 
+  def manifest 
+    record do |m| 
+      m.migration_template 'migration.rb', 'db/migrate', :migration_file_name => "twitter_auth_migration"
+    end
+  end
+end

data/lib/twitter_auth.rb

@@ -0,0 +1,5 @@
+module TwitterAuth
+  class Error < StandardError; end
+end
+
+require 'twitter_auth/controller_extensions'

data/lib/twitter_auth/controller_extensions.rb

@@ -0,0 +1,200 @@
+module TwitterAuth
+  # The extensions to ActionController to enable our
+  # usage of Twitter-based authentication. This is
+  # taken directly from restful-authentication, so
+  # no credit is due here.
+  module ControllerExtensions
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      !!current_user
+    end
+
+    # Accesses the current user from the session.
+    # Future calls avoid the database because nil is not equal to false.
+    def current_user
+      @current_user ||= (login_from_session || login_from_basic_auth) unless @current_user == false
+    end
+
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = new_user ? new_user.id : nil
+      @current_user = new_user || false
+    end
+
+    # Check if the user is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_user.login != "bob"
+    #  end
+    #
+    def authorized?(action=nil, resource=nil, *args)
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to new_session_path
+        end
+        # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+        # you may want to change format.any to e.g. format.any(:js, :xml)
+        format.any(:xml, :json) do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.  Set an appropriately modified
+    #   after_filter :store_location, :only => [:index, :new, :show, :edit]
+    # for any controller you want to be bounce-backable.
+    def redirect_back_or_default(default=nil)
+      redirect_to(session[:return_to] || default || default_location)
+      session[:return_to] = nil
+    end
+    
+    # Override this method with what you want your 'default default'
+    # to be (where it will redirect if there's no back and no explicit
+    # default).
+    def default_location
+      '/'
+    end
+
+    # Inclusion hook to make #current_user and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
+    end
+
+    #
+    # Login
+    #
+
+    # Called from #current_user.  First attempt to login by the user id stored in the session.
+    def login_from_session
+      self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
+    end
+
+    # Called from #current_user.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |login, password|
+        self.current_user = User.authenticate(login, password)
+      end
+    end
+    
+    #
+    # Logout
+    #
+
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+    # def login_from_cookie
+    #   user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+    #   if user && user.remember_token?
+    #     self.current_user = user
+    #     handle_remember_cookie! false # freshen cookie token (keeping date)
+    #     self.current_user
+    #   end
+    # end
+
+    # This is ususally what you want; resetting the session willy-nilly wreaks
+    # havoc with forgery protection, and is only strictly necessary on login.
+    # However, **all session state variables should be unset here**.
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_user.forget_me if @current_user.is_a? User
+      @current_user = false     # not logged in, and don't do it for me
+      # kill_remember_cookie!     # Kill client-side auth cookie
+      session[:user_id] = nil   # keeps the session but kill our variable
+      # explicitly kill any other session variables you set
+    end
+
+    # The session should only be reset at the tail end of a form POST --
+    # otherwise the request forgery protection fails. It's only really necessary
+    # when you cross quarantine (logged-out to logged-in).
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+    
+    #
+    # Remember_me Tokens
+    #
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # def valid_remember_cookie?
+    #   return nil unless @current_user
+    #   (@current_user.remember_token?) && 
+    #     (cookies[:auth_token] == @current_user.remember_token)
+    # end
+    
+    # Refresh the cookie auth token if it exists, create it otherwise
+    # def handle_remember_cookie! new_cookie_flag
+    #       return unless @current_user
+    #       case
+    #       when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
+    #       when new_cookie_flag        then @current_user.remember_me 
+    #       else                             @current_user.forget_me
+    #       end
+    #       send_remember_cookie!
+    #     end
+    #   
+    #     def kill_remember_cookie!
+    #       cookies.delete :auth_token
+    #     end
+    #     
+    #     def send_remember_cookie!
+    #       cookies[:auth_token] = {
+    #         :value   => @current_user.remember_token,
+    #         :expires => @current_user.remember_token_expires_at }
+    #     end
+  end
+end
+
+ActionController::Base.send :include, TwitterAuth::ControllerExtensions

data/lib/twitter_auth/cryptify.rb

@@ -0,0 +1,28 @@
+require 'openssl'
+module TwitterAuth
+  module Cryptify
+    class Error < StandardError; end
+    mattr_accessor :crypt_password
+    @@crypt_password = '--TwitterAuth-!##@--2ef'
+    
+    def self.encrypt(data, salt)
+      cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+      cipher.encrypt
+      cipher.pkcs5_keyivgen(crypt_password, salt)
+      encrypted_data = cipher.update(data)
+      encrypted_data << cipher.final
+    end
+
+    def self.decrypt(encrypted_data, salt)
+      cipher = OpenSSL::Cipher::Cipher.new('aes-256-cbc')
+      cipher.decrypt
+      cipher.pkcs5_keyivgen(crypt_password, salt)
+      data = cipher.update(encrypted_data)
+      data << cipher.final
+    end
+  
+    def self.generate_salt
+      [rand(2**64 - 1)].pack("Q")
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+begin
+  require File.dirname(__FILE__) + '/../../../../spec/spec_helper'
+rescue LoadError
+  puts "You need to install rspec in your base app"
+  exit
+end
+
+plugin_spec_dir = File.dirname(__FILE__)
+ActiveRecord::Base.logger = Logger.new(plugin_spec_dir + "/debug.log")
+

data/spec/twitter_auth_spec.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + '/spec_helper'

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+require 'test/unit'
+require 'shoulda'
+require 'mocha'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'twitter_auth'
+
+class Test::Unit::TestCase
+end

data/test/twitter_auth_test.rb

@@ -0,0 +1,7 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class TwitterAuthTest < Test::Unit::TestCase
+  should "probably rename this file and start testing for real" do
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification 
+name: mbleigh-twitter-auth
+version: !ruby/object:Gem::Version 
+  version: 0.0.1
+platform: ruby
+authors: 
+- Michael Bleigh
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-02-06 00:00:00 -08:00
+default_executable: 
+dependencies: []
+
+description: TODO
+email: michael@intridea.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.markdown
+- VERSION.yml
+- generators/twitter_auth_migration
+- generators/twitter_auth_migration/templates
+- generators/twitter_auth_migration/templates/migration.rb
+- generators/twitter_auth_migration/twitter_auth_migration_generator.rb
+- lib/twitter_auth
+- lib/twitter_auth/controller_extensions.rb
+- lib/twitter_auth/cryptify.rb
+- lib/twitter_auth.rb
+- test/test_helper.rb
+- test/twitter_auth_test.rb
+- spec/spec_helper.rb
+- spec/twitter_auth_spec.rb
+has_rdoc: true
+homepage: http://github.com/mbleigh/twitter-auth
+post_install_message: 
+rdoc_options: 
+- --inline-source
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Standard authentication stack for Rails using Twitter to log in.
+test_files: []
+