mini_auth 0.1.0 → 0.2.0.beta

data/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.2.0 (2011-12-19)
+
+* Two attributes `changing_password` and `setting_password` are introduced.
+* When `changing_password` is set to `true`, users should enter `current_password`
+  and `new_password` to change their password. If they enter wrong `current_passwod`,
+  validation on `current_password` fails.
+* When `setting_password` is set to `true`, users should enter not-blank `password`.
+  Unlike the version 0.1.0, nil password is not accepted.
+* When neither of these two attributes is set to `true`, users can't set or change
+  their password. If the `password` parameter is passed to the object,
+  it is neglected and all validations relating password are skipped.
+* Besides, two attributes `password_confirmation` and `new_password_confirmation`
+  are added.
+
 ## 0.1.0 (2011-12-13)
 
 * The `authenticate` method returns `self` instead of `true`

data/README.md

@@ -1,7 +1,8 @@
 mini_auth
 =========
 
-A replacement for `has_secure_password` of ActiveModel
+A replacement for `has_secure_password` of ActiveModel with some enhancements
+
 
 Install
 -------
@@ -15,8 +16,15 @@ or install as a plugin
     $ cd RAILS_ROOT
     $ rails plugin install git://github.com/kuroda/mini_auth.git
 
-Usage
------
+
+Requirements
+------------
+
+* Ruby on Rails 3.1 or higher
+
+
+Synopsis
+--------
 
     class CreateUsers < ActiveRecord::Migration
       def change
@@ -34,62 +42,174 @@ Usage
     end
     
     a = User.new(:name => "alice", :password => "hotyoga")
+    a.setting_password => true
     
     a.save                              # => true
     a.password_digest                   # => "$2a$10$F5YbEd..."
     a.authenticate("hotyoga)            # => a
     a.authenticate("wrong")             # => false
+    
+    a.attributes = { :current_password => 'hotyoga', :new_password => 'almond' }
+    a.changing_password = true
+    a.save
+    a.authenticate("hotyoga)            # => false
+    a.authenticate("almond")            # => a
 
-Requirements
-------------
+Usage
+-----
 
-* Ruby on Rails 3.1 or higher
+### Migration
 
-Remarks
--------
+To use `mini_auth`, you must add the `password_digest` column to the relevant table.
+
+    class CreateUsers < ActiveRecord::Migration
+      def change
+        create_table :users do |t|
+          t.string :name, :null => false
+          t.string :password_digest, :null => true
+    
+          t.timestamps
+        end
+      end
+    end
+
+The raw (unencrypted) password will never be saved on the database. Only its hash value
+is recorded on the `password_digest` column.
+
+
+### Default behavior
+
+The module `MiniAuth` introduces two basic attributes: `setting_password` and `changing_password`
+
+When neither of them is set to `true`, you can NOT set or change the user's `password_digest`.
+
+    a = User.find_by_name("alice")
+    a.password = 'foobar'
+    a.password_digest_changed?          # => false
+    a.valid?                            # => true
+
+
+### `setting_password` attribute
+
+When the user's `setting_password` attribute is set to `true`, its password can
+be set without knowing the current password.
+
+    a = User.find_by_name("alice")
+    a.setting_password => true
+    a.update_attributes(:password => 'p@ssword')
+    a.authenticate("p@ssword")          # => a
 
 Password can't be blank.
 
+    b = User.new(:name => "bob", :password => "")
+    b.setting_password => true
+    b.valid?                            # => false
+    b.errors[:password]                 # => "can't be blank"
+
+Password can be nil.
+
+    b = User.new(:name => "bob", :password => nil)
+    b.setting_password => true
+    b.valid?                            # => false
+    b.errors[:password]                 # => "can't be blank"
+
+Password should be given.
+
     b = User.new(:name => "bob")
-    
-    b.password = ""
+    b.setting_password => true
     b.valid?                            # => false
     b.errors[:password]                 # => "can't be blank"
 
-But, password can be nil.
 
-    b.password = nil
-    b.valid?                            # => true
+### `changing_password` attribute
 
-You can save a user whose `password_digest` is nil.
+When the user's `changing_password` attribute is set to `true`, its password can
+NOT be set without knowing the current password. You should provide `current_password`
+and `new_password` attributes to change its password.
 
-    b.save!
-    b.password_digest                   # => nil
+    a = User.find_by_name("alice")
+    a.changing_password => true
+    a.update_attributes(:current_password => 'p@ssword', :new_password => 'opensesame')
+    a.authenticate("opensesame")        # => a
 
-Such a user can't get authenticated.
+If the `current_password` is wrong, the validation fails.
+
+    a = User.find_by_name("alice")
+    a.changing_password => true
+    a.attributes = { :current_password => 'pumpkin', :new_password => '0000' }
+    a.valid?                            # => false
+    a.errors[:current_password]         # => [ "is invalid" ]
 
-    b.authenticate(nil)                 # => false
+When both of the `setting_password` and the `changing_password` are set to `true`,
+only the latter is effective.
 
-The `password_digest` field is protected against mass assignment.
 
-    b.update_attributes :password_digest => 'dummy'
-    b.password_digest                   # => nil (unchanged)
+### A user whose `password_digest` is nil
 
-The `password_confirmation` field is not created automatically. If you need it, add it for yourself.
+You can save a user whose `password_digest` is nil.
+
+    c = User.new(:name => "carol")
+    c.save!
+    c.password_digest                   # => nil
+
+Such a user can't get authenticated.
+
+    c.authenticate(nil)                 # => false
+
+If you don't want such a user to be created, add a validation to your class.
 
     class User < ActiveRecord::Base
       include MiniAuth
       
-      attr_accessor :password_confirmation
-      validates :password, :confirmation => true
+      validates :password_digest, :presence => true
     end
 
+
+### Confirmation of password
+
+The `password_confirmation` and `new_password_confirmation` attributes are created automatically.
+
+    c = User.find_by_name("carol")
+    c.setting_password = true
+    c.attributes = { :password => 'snowman', :password_confirmation => 'iceman' }
+    c.valid?                            # => false
+    c.errors[:password]                 # => [ "doesn't match confirmation" ]
+    
+    a = User.find_by_name("alice")
+    a.changing_password => true
+    a.attributes = { :current_password => 'opensesame',
+      :new_password => 'snowman', :new_password_confirmation => 'iceman' }
+    a.valid?                            # => false
+    a.errors[:new_password]             # => [ "doesn't match confirmation" ]
+
+You don't have to use them, however.
+
+    c = User.find_by_name("carol")
+    c.setting_password = true
+    c.attributes = { :password => 'snowman' }
+    c.valid?                            # => true
+
+
+### Mass assignment security
+
+The `password_digest` column is protected against mass assignment.
+
+    c.update_attributes(:password_digest => 'dummy')
+    c.password_digest                   # => nil (unchanged)
+
+Similarly, the `setting_password` and `changing_password` attributes are protected.
+
+    c.attributes = { :setting_password => true, :password => '0000' }
+    c.setting_password?                 # => false
+
+
 License
 -------
 
 `mini_auth` is distributed under the MIT license. ([MIT-LICENSE](https://github.com/kuroda/mini_auth/blob/master/MIT-LICENSE))
 
+
 Copyright
 ---------
 
-Copyright (c) 2011 Tsutomu Kuroda.
+Copyright (c) 2011 Tsutomu Kuroda <t-kuroda@oiax.jp>.

data/lib/mini_auth.rb

@@ -4,34 +4,67 @@ require "bcrypt"
 module MiniAuth
   extend ActiveSupport::Concern
   
+  BASIC_ATTRIBUTES = [
+    :password, :password_confirmation,
+    :current_password,
+    :new_password, :new_password_confirmation
+  ]
+  
   included do
-    attr_accessor :password
+    attr_accessor :changing_password, :setting_password
+    attr_accessor *BASIC_ATTRIBUTES
+    attr_accessible *BASIC_ATTRIBUTES
+    
+    validates :password, :new_password, :confirmation => true
 
     if respond_to?(:attributes_protected_by_default)
       def self.attributes_protected_by_default
-        super + [ 'password_digest' ]
+        super + [ 'password_digest', 'changing_password', 'setting_password' ]
       end
     end
     
     validate do
-      if password && password.blank?
-        errors.add(:password, :blank)
+      if changing_password?
+        unless authenticate(current_password)
+          errors.add(:current_password, :invalid)
+        end
+        
+        if new_password.blank?
+          errors.add(:new_password, :blank)
+        end
+      elsif setting_password?
+        if password.blank?
+          errors.add(:password, :blank)
+        end
       end
     end
     
-    before_save do
-      if password
+    after_validation do
+      if changing_password?
+        self.password_digest = BCrypt::Password.create(new_password)
+      elsif setting_password?
         self.password_digest = BCrypt::Password.create(password)
-        self.password = nil
       end
     end
+    
+    after_save do
+      self.password = nil
+    end
   end
   
-  def authenticate(password)
-    if password_digest && BCrypt::Password.new(password_digest) == password
+  def authenticate(raw_password)
+    if password_digest && BCrypt::Password.new(password_digest) == raw_password
       self
     else
       false
     end
   end
+  
+  def changing_password?
+    !!changing_password
+  end
+  
+  def setting_password?
+    !!setting_password
+  end
 end

data/lib/mini_auth/version.rb

@@ -1,3 +1,3 @@
 module MiniAuth
-  VERSION = "0.1.0"
+  VERSION = "0.2.0.beta"
 end

data/spec/fake_app.rb

@@ -24,11 +24,3 @@ migration.change
 class User < ActiveRecord::Base
   include MiniAuth
 end
-
-class Administrator < ActiveRecord::Base
-  attr_accessible :name, :password, :password_confirmation
-  
-  include MiniAuth
-  
-  validates :password, :presence => { :on => :create }, :confirmation => true
-end

data/spec/mini_auth/authenticate_spec.rb

@@ -3,6 +3,7 @@ require 'spec_helper'
 describe "authenticate" do
   it "should authenticate with a valid password" do
     u = User.new(:name => 'alice', :password => 'hotyoga')
+    u.setting_password = true
     u.save!
     
     u.authenticate('hotyoga').should == u
@@ -10,15 +11,9 @@ describe "authenticate" do
   
   it "should not authenticate with a wrong password" do
     u = User.new(:name => 'alice', :password => 'hotyoga')
+    u.setting_password = true
     u.save!
     
     u.authenticate('wrong').should be_false
   end
-  
-  it "should not authenticate with ni; password" do
-    u = User.new(:name => 'alice', :password => nil)
-    u.save!
-    
-    u.authenticate(nil).should be_false
-  end
 end

data/spec/mini_auth/change_password_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe "change_password" do
+  let(:user) do
+    u = User.create!(:name => 'alice', :new_password => 'password')
+    u.changing_password = true
+    u
+  end
+  
+  it "should change password" do
+    user.update_attributes(:current_password => 'password', :new_password => 'banana')
+    
+    user.authenticate('banana').should be_true
+  end
+  
+  it "should reject wrong current password" do
+    user.assign_attributes(:current_password => 'lemon', :new_password => 'banana')
+    
+    user.should_not be_valid
+    user.should have(1).error_on(:current_password)
+    user.errors[:current_password].first.should == "is invalid"
+  end
+  
+  it "should reject blank string as new password" do
+    user.assign_attributes(:current_password => 'password', :new_password => '')
+    
+    user.should_not be_valid
+    user.should have(1).error_on(:new_password)
+    user.errors[:new_password].first.should == "can't be blank"
+  end
+end

data/spec/mini_auth/password_digest_spec.rb

@@ -7,11 +7,4 @@ describe "password_digest" do
     u.update_attributes :password_digest => 'dummy'
     u.password_digest.to_s.should == d
   end
-  
-  it "should be protected against mass assignment also for Administrator" do
-    a = Administrator.create!(:name => 'alice', :password => 'hotyoga', :password_confirmation => 'hotyoga')
-    d = a.password_digest.to_s
-    a.update_attributes :password_digest => 'dummy'
-    a.password_digest.to_s.should == d
-  end
 end

data/spec/mini_auth/setting_password_spec.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe "setting_password" do
+  it "should set password" do
+    u = User.new(:name => 'alice', :password => 'hotyoga')
+    u.setting_password = true
+    u.should be_valid
+    u.save!
+    u.authenticate('hotyoga').should be_true
+  end
+  
+  it "should update password" do
+    u = User.create!(:name => 'alice')
+    u.setting_password = true
+    u.update_attributes(:password => 'hotyoga')
+    u.authenticate('hotyoga').should be_true
+  end
+
+  it "should reject blank password" do
+    u = User.new(:name => 'alice', :password => '')
+    u.setting_password = true
+    u.should_not be_valid
+    u.should have(1).error_on(:password)
+    u.errors[:password].first.should == "can't be blank"
+  end
+
+  it "should reject nil password" do
+    u = User.new(:name => 'alice', :password => nil)
+    u.setting_password = true
+    u.should_not be_valid
+    u.should have(1).error_on(:password)
+    u.errors[:password].first.should == "can't be blank"
+  end
+  
+  it "should set user's password without confirmation" do
+    u = User.new(:name => 'alice', :password => 'apple')
+    u.setting_password = true
+    u.should be_valid
+    u.save!
+    u.authenticate('apple').should be_true
+  end
+  
+  it "should validate password_confirmation if it is given" do
+    u = User.new(:name => 'alice', :password => 'apple', :password_confirmation => 'almond')
+    u.setting_password = true
+    u.should_not be_valid
+    u.should have(1).error_on(:password)
+    u.errors[:password].first.should == "doesn't match confirmation"
+  end
+end

metadata

@@ -1,19 +1,19 @@
 --- !ruby/object:Gem::Specification
 name: mini_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
-  prerelease: 
+  version: 0.2.0.beta
+  prerelease: 6
 platform: ruby
 authors:
 - Tsutomu Kuroda
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-13 00:00:00.000000000 Z
+date: 2011-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &13259840 !ruby/object:Gem::Requirement
+  requirement: &19514420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 3.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *13259840
+  version_requirements: *19514420
 - !ruby/object:Gem::Dependency
   name: bcrypt-ruby
-  requirement: &13259180 !ruby/object:Gem::Requirement
+  requirement: &19513860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *13259180
+  version_requirements: *19513860
 - !ruby/object:Gem::Dependency
   name: rspec-rails
-  requirement: &13258540 !ruby/object:Gem::Requirement
+  requirement: &19512860 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 2.7.0
   type: :development
   prerelease: false
-  version_requirements: *13258540
+  version_requirements: *19512860
 - !ruby/object:Gem::Dependency
   name: sqlite3
-  requirement: &13258120 !ruby/object:Gem::Requirement
+  requirement: &19512320 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +54,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *13258120
+  version_requirements: *19512320
 description: A minimal authentication module for Rails
 email:
 - t-kuroda@oiax.jp
@@ -73,8 +73,9 @@ files:
 - mini_auth.gemspec
 - spec/fake_app.rb
 - spec/mini_auth/authenticate_spec.rb
+- spec/mini_auth/change_password_spec.rb
 - spec/mini_auth/password_digest_spec.rb
-- spec/mini_auth/password_spec.rb
+- spec/mini_auth/setting_password_spec.rb
 - spec/spec_helper.rb
 homepage: ''
 licenses: []
@@ -91,9 +92,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>='
+  - - ! '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: mini_auth
 rubygems_version: 1.8.10

data/spec/mini_auth/password_spec.rb

@@ -1,29 +0,0 @@
-require 'spec_helper'
-
-describe "password" do
-  it "should accept nil password" do
-    u = User.new(:name => 'alice', :password => nil)
-    u.should be_valid
-  end
-  
-  it "should reject blank password" do
-    u = User.new(:name => 'alice', :password => '')
-    u.should_not be_valid
-    u.should have(1).error_on(:password)
-    u.errors[:password].first.should == "can't be blank"
-  end
-  
-  it "should reject nil password for Administrator" do
-    a = Administrator.new(:name => 'alice', :password => nil)
-    a.should_not be_valid
-    a.should have(1).error_on(:password)
-    a.errors[:password].first.should == "can't be blank"
-  end
-  
-  it "should validate password_confirmation for Administrator" do
-    a = Administrator.new(:name => 'alice', :password => 'apple', :password_confirmation => 'almond')
-    a.should_not be_valid
-    a.should have(1).error_on(:password)
-    a.errors[:password].first.should == "doesn't match confirmation"
-  end
-end