minimalist_authentication 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 16ed1dfe1bdc98a54c7eb28354a075b3d0d2f750
-  data.tar.gz: e765bfe8fff4491147ba167239dc731ea632110d
+  metadata.gz: 06e297700ba62d9fef159d0cb8250f7740d020a9
+  data.tar.gz: c0d08dd52efbfa264a3e12b8be898baf81dacf4a
 SHA512:
-  metadata.gz: 672dc8cb16782c78e71b420e5496ef3ecb88eba36bbe7ff18fe3f526d5787d0ea1f70a66b982616048f8b6ff2327fa305aa4559ea1aa245525c1a0f1c5f776d7
-  data.tar.gz: 2773fe5d5534866f6e981b79002d13222ce2aa0a35d7fa9ebeb3908444e08bd62aadbb1a1271267ee4fa31530aade23321fb91a683d8140ccf877b3620b758ab
+  metadata.gz: d01e275ff312ba91f03abff19e221bc3bdcdb188fce8dce2b74d1f37df4bac82e61ef90740e101a808bde45be9b4004cf30c11fbdca4f61313ffc720cc1b3a8d
+  data.tar.gz: a6a28b7e973111b32620029d02a3f04927f743a42e1bd45fe608412cc231a5396a3232f104dcc3d1c5498b2ddab973fd4ed412870e9b2e656c7008f37c944be9

data/README.md

@@ -14,9 +14,14 @@ And then execute:
 $ bundle
 ```
 
-Create a user model:
+Create a user model for with **email** for an identifier:
 ```bash
-bin/rails generate model user active:boolean email:string crypted_password:string salt:string using_digest_version:integer last_logged_in_at:datetime
+bin/rails generate model user active:boolean email:string crypted_password:string salt:string last_logged_in_at:datetime
+```
+
+OR create a user model with **username** for an identifier:
+```bash
+bin/rails generate model user active:boolean username:string crypted_password:string salt:string last_logged_in_at:datetime
 ```
 
 
@@ -32,10 +37,6 @@ Include Minimalist::Authorization in your ApplicationController (app/controllers
 ```ruby
 class ApplicationController < ActionController::Base
   include Minimalist::Authorization
-
-  # Lock down everything by default
-  # use skip_before_action to open up specific actions
-  before_action :authorization_required
 end
 ```
 

data/lib/minimalist/authentication.rb

@@ -1,4 +1,3 @@
-require 'digest/sha1'
 require 'bcrypt'
 
 module Minimalist
@@ -6,24 +5,27 @@ module Minimalist
     extend ActiveSupport::Concern
 
     GUEST_USER_EMAIL = 'guest'
-    PREFERRED_DIGEST_VERSION = 3
+    EMAIL_REGEX = /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i
 
     # Recalibrates cost when class is loaded so that new user passwords
     # can automatically take advantage of faster server hardware in the
     # future for better encryption.
     # sets cost to BCrypt::Engine::MIN_COST in the test environment
-    CALIBRATED_BCRYPT_COST = (::Rails.env.test? ? BCrypt::Engine::MIN_COST : BCrypt::Engine.calibrate(750))
+    CALIBRATED_BCRYPT_COST = (::Rails.env.test? ? ::BCrypt::Engine::MIN_COST : ::BCrypt::Engine.calibrate(750))
 
     included do
       attr_accessor :password
       before_save :encrypt_password
 
-      validates_presence_of     :email, if: :validate_email_presence?
-      validates_uniqueness_of   :email, allow_blank: true, if: :validate_email_uniqueness?
-      validates_format_of       :email, allow_blank: true, with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\Z/i, if: :validate_email_format?
-      validates_presence_of     :password,                 if: :password_required?
-      validates_confirmation_of :password,                 if: :password_required?
-      validates_length_of       :password, within: 6..40,  if: :password_required?
+      # email validations
+      validates_presence_of     :email,                                       if: :validate_email_presence?
+      validates_uniqueness_of   :email, allow_blank: true,                    if: :validate_email?
+      validates_format_of       :email, allow_blank: true, with: EMAIL_REGEX, if: :validate_email?
+
+      # password validations
+      validates_presence_of     :password,                  if: :password_required?
+      validates_confirmation_of :password,                  if: :password_required?
+      validates_length_of       :password, within: 6..40,   if: :password_required?
 
       scope :active, ->(active = true) { where active: active }
     end
@@ -37,17 +39,12 @@ module Minimalist
         return user
       end
 
-      def secure_digest(string, salt, version = PREFERRED_DIGEST_VERSION)
-        case version
-          when 0 then Digest::MD5.hexdigest(string.to_s)
-          when 1 then Digest::SHA1.hexdigest("#{string}--#{salt}")
-          when 2 then Digest::SHA2.hexdigest("#{string}#{salt}", 512)
-          when 3 then BCrypt::Password.new(BCrypt::Engine.hash_secret(string, salt)).checksum
-        end
+      def password_hash(password)
+        ::BCrypt::Password.create(password, cost: calibrated_bcrypt_cost)
       end
 
-      def make_token
-        BCrypt::Engine.generate_salt(CALIBRATED_BCRYPT_COST)
+      def calibrated_bcrypt_cost
+        CALIBRATED_BCRYPT_COST
       end
 
       def guest
@@ -60,69 +57,69 @@ module Minimalist
     end
 
     def authenticated?(password)
-      if crypted_password == encrypt(password)
-        if self.respond_to?(:using_digest_version) && (using_digest_version != PREFERRED_DIGEST_VERSION || salt_cost < CALIBRATED_BCRYPT_COST)
-          new_salt = self.class.make_token
-          self.update_attribute(:crypted_password, self.class.secure_digest(password, new_salt))
-          self.update_attribute(:salt, new_salt)
-          self.update_attribute(:using_digest_version, PREFERRED_DIGEST_VERSION)
-        end
+      if bcrypt_password == password
+        update_encryption(password) if bcrypt_password.cost < self.class.calibrated_bcrypt_cost
         return true
-      else
-        return false
       end
+
+      return false
     end
 
     def logged_in
-      update_column(:last_logged_in_at, Time.current) # use update_column to avoid updated_on trigger
+      # use update_column to avoid updated_on trigger
+      update_column(:last_logged_in_at, Time.current)
     end
 
     def is_guest?
       email == GUEST_USER_EMAIL
     end
 
-
     private
 
     def password_required?
       active? && (crypted_password.blank? || !password.blank?)
     end
 
-    def encrypt(password)
-      self.class.secure_digest(password, salt, digest_version)
+    def update_encryption(password)
+      self.password = password
+      encrypt_password
+      save
     end
 
     def encrypt_password
       return if password.blank?
-      self.salt = self.class.make_token
-      self.crypted_password = self.class.secure_digest(password, salt)
-      self.using_digest_version = PREFERRED_DIGEST_VERSION if self.respond_to?(:using_digest_version)
+      # self.salt = self.class.make_token
+      # self.crypted_password = encrypt(password)
+      password_hash         = self.class.password_hash(password)
+      self.salt             = password_hash.salt
+      self.crypted_password = password_hash.checksum
     end
 
-    def digest_version
-      self.respond_to?(:using_digest_version) ? (using_digest_version || 1) : 1
+    def bcrypt_password
+      valid_hash? ? ::BCrypt::Password.new(password_hash) : null_password
     end
 
-    def salt_cost
-      BCrypt::Engine.valid_salt?(salt) ? salt.match(/\$[^\$]+\$([0-9]+)\$/)[1].to_i : 0
+    def valid_hash?
+      ::BCrypt::Password.valid_hash?(password_hash)
     end
 
-    # email validation
-    def validate_email?
-      # allows applications to turn off email validation
-      true
+    def password_hash
+      "#{salt}#{crypted_password}"
     end
 
-    def validate_email_presence?
-      validate_email? && active?
+    def null_password
+      MinimalistAuthentication::NullPassword.new
     end
 
-    def validate_email_format?
-      validate_email? && active?
+    # email validation
+    def validate_email?
+      # allows applications to turn off all email validation
+      active?
     end
 
-    def validate_email_uniqueness?
-      validate_email? && active?
+    def validate_email_presence?
+      # allows applications to turn off email presence validation
+      validate_email?
     end
   end
 end

data/lib/minimalist/authorization.rb

@@ -1,8 +1,12 @@
 module Minimalist
   module Authorization
     extend ActiveSupport::Concern
-    
+
     included do
+      # Lock down everything by default
+      # use skip_before_action to open up specific actions
+      before_action :authorization_required
+
       helper_method :current_user, :logged_in?, :authorized?
     end
 

data/lib/minimalist_authentication.rb

@@ -1,4 +1,5 @@
-require "minimalist_authentication/engine"
+require 'minimalist_authentication/engine'
+require 'minimalist_authentication/null_password'
 
 # MinimalistAuthentication
 require 'minimalist/authentication'

data/lib/minimalist_authentication/null_password.rb

@@ -0,0 +1,8 @@
+module MinimalistAuthentication
+  class NullPassword
+    # does not match any object
+    def ==(object)
+      false
+    end
+  end
+end

data/lib/minimalist_authentication/version.rb

@@ -1,3 +1,3 @@
 module MinimalistAuthentication
-  VERSION = '1.1.0'
+  VERSION = '1.1.1'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: minimalist_authentication
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Aaron Baldwin
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-13 00:00:00.000000000 Z
+date: 2017-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -80,6 +80,7 @@ files:
 - lib/minimalist/test_helper.rb
 - lib/minimalist_authentication.rb
 - lib/minimalist_authentication/engine.rb
+- lib/minimalist_authentication/null_password.rb
 - lib/minimalist_authentication/version.rb
 - lib/tasks/minimalist_authentication_tasks.rake
 homepage: https://github.com/wwidea/minimalist_authentication