mongoid-devise 1.0.1

data/lib/devise/models/activatable.rb

@@ -0,0 +1,16 @@
+require 'devise/hooks/activatable'
+
+module Devise
+  module Models
+    # This module implements the default API required in activatable hook. 
+    module Activatable
+      def active?
+        true
+      end
+
+      def inactive_message
+        :inactive
+      end
+    end
+  end
+end

data/lib/devise/models/authenticatable.rb

@@ -0,0 +1,146 @@
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Models
+    # Authenticable Module, responsible for encrypting password and validating
+    # authenticity of a user while signing in.
+    #
+    # Configuration:
+    #
+    # You can overwrite configuration values by setting in globally in Devise,
+    # using devise method or overwriting the respective instance method.
+    #
+    #   pepper: encryption key used for creating encrypted password. Each time
+    #           password changes, it's gonna be encrypted again, and this key
+    #           is added to the password and salt to create a secure hash.
+    #           Always use `rake secret' to generate a new key.
+    #
+    #   stretches: defines how many times the password will be encrypted.
+    #
+    #   encryptor: the encryptor going to be used. By default :sha1.
+    #
+    #   authentication_keys: parameters used for authentication. By default [:email]
+    #
+    # Examples:
+    #
+    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
+    #    User.find(1).valid_password?('password123')         # returns true/false
+    #
+    module Authenticatable
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+
+          attr_reader :password, :current_password
+          attr_accessor :password_confirmation
+        end
+      end
+
+      # TODO Remove me in next release
+      def old_password
+        ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
+        @old_password
+      end
+
+      # Regenerates password salt and encrypted password each time password is set,
+      # and then trigger any "after_changed_password"-callbacks.
+      def password=(new_password)
+        @password = new_password
+
+        if @password.present?
+          self.password_salt = self.class.encryptor_class.salt
+          self.encrypted_password = password_digest(@password)
+        end
+      end
+
+      # Verifies whether an incoming_password (ie from sign in) is the user password.
+      def valid_password?(incoming_password)
+        password_digest(incoming_password) == self.encrypted_password
+      end
+
+      # Verifies whether an +incoming_authentication_token+ (i.e. from single access URL)
+      # is the user authentication token.
+      def valid_authentication_token?(incoming_auth_token)
+        incoming_auth_token == self.authentication_token
+      end
+
+      # Checks if a resource is valid upon authentication.
+      def valid_for_authentication?(attributes)
+        valid_password?(attributes[:password])
+      end
+
+      # Set password and password confirmation to nil
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # Update record attributes when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects :password and
+      # :password_confirmation if they are blank.
+      def update_with_password(params={})
+        # TODO Remove me in next release
+        if params[:old_password].present?
+          params[:current_password] ||= params[:old_password]
+          ActiveSupport::Deprecation.warn "old_password is deprecated, please use current_password instead", caller
+        end
+
+        params.delete(:password) if params[:password].blank?
+        params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        current_password = params.delete(:current_password)
+
+        result = if valid_password?(current_password)
+          update_attributes(params)
+        else
+          message = current_password.blank? ? :blank : :invalid
+          self.class.add_error_on(self, :current_password, message, false)
+          self.attributes = params
+          false
+        end
+
+        clean_up_passwords unless result
+        result
+      end
+
+      protected
+
+        # Digests the password using the configured encryptor.
+        def password_digest(password)
+          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
+        end
+
+      module ClassMethods
+        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)
+
+        # Authenticate a user based on configured attribute keys. Returns the
+        # authenticated user if it's valid or nil.
+        def authenticate(attributes={})
+          return unless authentication_keys.all? { |k| attributes[k].present? }
+          conditions = attributes.slice(*authentication_keys)
+          resource = find_for_authentication(conditions)
+          resource if resource.try(:valid_for_authentication?, attributes)
+        end
+
+        # Returns the class for the configured encryptor.
+        def encryptor_class
+          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
+        end
+
+      protected
+
+        # Find first record based on conditions given (ie by the sign in form).
+        # Overwrite to add customized conditions, create a join, or maybe use a
+        # namedscope to filter records while authenticating.
+        # Example:
+        #
+        #   def self.find_for_authentication(conditions={})
+        #     conditions[:active] = true
+        #     find(:first, :conditions => conditions)
+        #   end
+        #
+        def find_for_authentication(conditions)
+          find(:first, :conditions => conditions)
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/confirmable.rb

@@ -0,0 +1,172 @@
+require 'devise/models/activatable'
+
+module Devise
+  module Models
+
+    # Confirmable is responsible to verify if an account is already confirmed to
+    # sign in, and to send emails with confirmation instructions.
+    # Confirmation instructions are sent to the user email after creating a
+    # record, after updating it's email and also when manually requested by
+    # a new confirmation instruction request.
+    # Whenever the user update it's email, his account is automatically unconfirmed,
+    # it means it won't be able to sign in again without confirming the account
+    # again through the email that was sent.
+    #
+    # Configuration:
+    #
+    #   confirm_within: the time you want the user will have to confirm it's account
+    #                   without blocking his access. When confirm_within is zero, the
+    #                   user won't be able to sign in without confirming. You can
+    #                   use this to let your user access some features of your
+    #                   application without confirming the account, but blocking it
+    #                   after a certain period (ie 7 days). By default confirm_within is
+    #                   zero, it means users always have to confirm to sign in.
+    #
+    # Examples:
+    #
+    #   User.find(1).confirm!      # returns true unless it's already confirmed
+    #   User.find(1).confirmed?    # true/false
+    #   User.find(1).send_confirmation_instructions # manually send instructions
+    #   User.find(1).resend_confirmation! # generates a new token and resent it
+    module Confirmable
+      include Devise::Models::Activatable
+
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+
+          before_create :generate_confirmation_token, :if => :confirmation_required?
+          after_create  :send_confirmation_instructions, :if => :confirmation_required?
+        end
+      end
+
+      # Confirm a user by setting it's confirmed_at to actual time. If the user
+      # is already confirmed, add en error to email field
+      def confirm!
+        unless_confirmed do
+          self.confirmation_token = nil
+          self.confirmed_at = Time.now
+          save(false)
+        end
+      end
+
+      # Verifies whether a user is confirmed or not
+      def confirmed?
+        !new_record? && !confirmed_at.nil?
+      end
+
+      # Send confirmation instructions by email
+      def send_confirmation_instructions
+        ::DeviseMailer.deliver_confirmation_instructions(self)
+      end
+
+      # Remove confirmation date and send confirmation instructions, to ensure
+      # after sending these instructions the user won't be able to sign in without
+      # confirming it's account
+      def resend_confirmation!
+        unless_confirmed do
+          generate_confirmation_token
+          save(false)
+          send_confirmation_instructions
+        end
+      end
+
+      # Overwrites active? from Devise::Models::Activatable for confirmation
+      # by verifying whether an user is active to sign in or not. If the user
+      # is already confirmed, it should never be blocked. Otherwise we need to
+      # calculate if the confirm time has not expired for this user.
+      def active?
+        super && (confirmed? || confirmation_period_valid?)
+      end
+
+      # The message to be shown if the account is inactive.
+      def inactive_message
+        if !confirmed?
+          :unconfirmed
+        else
+          super
+        end
+      end
+
+      # If you don't want confirmation to be sent on create, neither a code
+      # to be generated, call skip_confirmation!
+      def skip_confirmation!
+        self.confirmed_at  = Time.now
+        @skip_confirmation = true
+      end
+
+      protected
+
+        # Callback to overwrite if confirmation is required or not.
+        def confirmation_required?
+          !@skip_confirmation
+        end
+
+        # Checks if the confirmation for the user is within the limit time.
+        # We do this by calculating if the difference between today and the
+        # confirmation sent date does not exceed the confirm in time configured.
+        # Confirm_in is a model configuration, must always be an integer value.
+        #
+        # Example:
+        #
+        #   # confirm_within = 1.day and confirmation_sent_at = today
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_within = 5.days and confirmation_sent_at = 4.days.ago
+        #   confirmation_period_valid?   # returns true
+        #
+        #   # confirm_within = 5.days and confirmation_sent_at = 5.days.ago
+        #   confirmation_period_valid?   # returns false
+        #
+        #   # confirm_within = 0.days
+        #   confirmation_period_valid?   # will always return false
+        #
+        def confirmation_period_valid?
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.confirm_within.ago
+        end
+
+        # Checks whether the record is confirmed or not, yielding to the block
+        # if it's already confirmed, otherwise adds an error to email.
+        def unless_confirmed
+          unless confirmed?
+            yield
+          else
+            self.class.add_error_on(self, :email, :already_confirmed)
+            false
+          end
+        end
+
+        # Generates a new random token for confirmation, and stores the time
+        # this token is being generated
+        def generate_confirmation_token
+          self.confirmed_at = nil
+          self.confirmation_token = Devise.friendly_token
+          self.confirmation_sent_at = Time.now.utc
+        end
+
+      module ClassMethods
+        # Attempt to find a user by it's email. If a record is found, send new
+        # confirmation instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_confirmation_instructions(attributes={})
+          confirmable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+          confirmable.resend_confirmation! unless confirmable.new_record?
+          confirmable
+        end
+
+        # Find a user by it's confirmation token and try to confirm it.
+        # If no user is found, returns a new user with an error.
+        # If the user is already confirmed, create an error for the user
+        # Options must have the confirmation_token
+        def confirm!(attributes={})
+          confirmable = find_or_initialize_with_error_by(:confirmation_token, attributes[:confirmation_token])
+          confirmable.confirm! unless confirmable.new_record?
+          confirmable
+        end
+
+        Devise::Models.config(self, :confirm_within)
+      end
+    end
+  end
+end

data/lib/devise/models/http_authenticatable.rb

@@ -0,0 +1,21 @@
+require 'devise/strategies/http_authenticatable'
+
+module Devise
+  module Models
+    # Adds HttpAuthenticatable behavior to your model. It expects that your
+    # model class responds to authenticate and authentication_keys methods
+    # (which for example are defined in authenticatable).
+    module HttpAuthenticatable
+      def self.included(base)
+        base.extend ClassMethods
+      end
+
+      module ClassMethods
+        # Authenticate an user using http.
+        def authenticate_with_http(username, password)
+          authenticate(authentication_keys.first => username, :password => password)
+        end
+      end
+    end
+  end
+end

data/lib/devise/models/lockable.rb

@@ -0,0 +1,160 @@
+require 'devise/models/activatable'
+
+module Devise
+  module Models
+
+    # Handles blocking a user access after a certain number of attempts.
+    # Lockable accepts two different strategies to unlock a user after it's
+    # blocked: email and time. The former will send an email to the user when
+    # the lock happens, containing a link to unlock it's account. The second
+    # will unlock the user automatically after some configured time (ie 2.hours).
+    # It's also possible to setup lockable to use both email and time strategies.
+    #
+    # Configuration:
+    #
+    #   maximum_attempts: how many attempts should be accepted before blocking the user.
+    #   unlock_strategy: unlock the user account by :time, :email or :both.
+    #   unlock_in: the time you want to lock the user after to lock happens. Only
+    #              available when unlock_strategy is :time or :both.
+    #
+    module Lockable
+      include Devise::Models::Activatable
+
+      def self.included(base)
+        base.class_eval do
+          extend ClassMethods
+        end
+      end
+
+      # Lock an user setting it's locked_at to actual time.
+      def lock
+        self.locked_at = Time.now
+        if unlock_strategy_enabled?(:email)
+          generate_unlock_token
+          send_unlock_instructions
+        end
+      end
+
+      # Lock an user also saving the record.
+      def lock!
+        lock
+        save(false)
+      end
+
+      # Unlock an user by cleaning locket_at and failed_attempts.
+      def unlock!
+        if_locked do
+          self.locked_at = nil
+          self.failed_attempts = 0
+          self.unlock_token = nil
+          save(false)
+        end
+      end
+
+      # Verifies whether a user is locked or not.
+      def locked?
+        locked_at && !lock_expired?
+      end
+
+      # Send unlock instructions by email
+      def send_unlock_instructions
+        ::DeviseMailer.deliver_unlock_instructions(self)
+      end
+
+      # Resend the unlock instructions if the user is locked.
+      def resend_unlock!
+        if_locked do
+          generate_unlock_token unless unlock_token.present?
+          save(false)
+          send_unlock_instructions
+        end
+      end
+
+      # Overwrites active? from Devise::Models::Activatable for locking purposes
+      # by verifying whether an user is active to sign in or not based on locked?
+      def active?
+        super && !locked?
+      end
+
+      # Overwrites invalid_message from Devise::Models::Authenticatable to define
+      # the correct reason for blocking the sign in.
+      def inactive_message
+        if locked?
+          :locked
+        else
+          super
+        end
+      end
+
+      # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
+      # for verifying whether an user is allowed to sign in or not. If the user
+      # is locked, it should never be allowed.
+      def valid_for_authentication?(attributes)
+        if result = super
+          self.failed_attempts = 0
+        else
+          self.failed_attempts += 1
+          lock if failed_attempts > self.class.maximum_attempts
+        end
+        save(false)
+        result
+      end
+
+      protected
+
+        # Generates unlock token
+        def generate_unlock_token
+          self.unlock_token = Devise.friendly_token
+        end
+
+        # Tells if the lock is expired if :time unlock strategy is active
+        def lock_expired?
+          if unlock_strategy_enabled?(:time)
+            locked_at && locked_at < self.class.unlock_in.ago
+          else
+            false
+          end
+        end
+
+        # Checks whether the record is locked or not, yielding to the block
+        # if it's locked, otherwise adds an error to email.
+        def if_locked
+          if locked?
+            yield
+          else
+            self.class.add_error_on(self, :email, :not_locked)
+            false
+          end
+        end
+
+        # Is the unlock enabled for the given unlock strategy?
+        def unlock_strategy_enabled?(strategy)
+          [:both, strategy].include?(self.class.unlock_strategy)
+        end
+
+      module ClassMethods
+        # Attempt to find a user by it's email. If a record is found, send new
+        # unlock instructions to it. If not user is found, returns a new user
+        # with an email not found error.
+        # Options must contain the user email
+        def send_unlock_instructions(attributes={})
+         lockable = find_or_initialize_with_error_by(:email, attributes[:email], :not_found)
+         lockable.resend_unlock! unless lockable.new_record?
+         lockable
+        end
+
+        # Find a user by it's unlock token and try to unlock it.
+        # If no user is found, returns a new user with an error.
+        # If the user is not locked, creates an error for the user
+        # Options must have the unlock_token
+        def unlock!(attributes={})
+          lockable = find_or_initialize_with_error_by(:unlock_token, attributes[:unlock_token])
+          lockable.unlock! unless lockable.new_record?
+          lockable
+        end
+
+        Devise::Models.config(self, :maximum_attempts, :unlock_strategy, :unlock_in)
+      end
+    end
+  end
+end