negroni 0.1.0

data/lib/negroni/models.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+module Negroni
+  # Namespace for Model-specific configuration.
+  module Models
+    extend ActiveSupport::Autoload
+
+    # Raised if a required attribute is missing.
+    class MissingAttribute < StandardError
+      # Create a MissingAttribute error with a list of attributes
+      def initialize(attributes)
+        @attributes = attributes
+        super(message)
+      end
+
+      # The error message
+      def message
+        verb, s = @attributes.count > 1 ? %w(are s) : ['is']
+        list = @attributes.join(', ')
+
+        "The following attribute#{s} #{verb} missing on your model: #{list}"
+      end
+    end
+
+    # Creates configuration values for Negroni and for the given module.
+    #
+    #   Negroni::Models.config(Negroni::Authenticatable, :authentication_keys)
+    #
+    # The line above creates:
+    #
+    #   1) An accessor called Negroni.authentication_keys, which value is used
+    #      by default;
+    #
+    #   2) Some class methods for your model Model.authentication_keys and
+    #      Model.authentication_keys= which have higher priority than
+    #      Negroni.authentication_keys;
+    #
+    #   3) And an instance method authentication_keys.
+    #
+    # To add the class methods you need to have a module ClassMethods defined
+    # inside the given class.
+    #
+    # @api private
+    def self.config(mod, *accessors) # rubocop:disable Metrics/MethodLength
+      class << mod; attr_accessor :available_configs; end
+      mod.available_configs = accessors
+
+      accessors.each do |accessor|
+        mod.class_eval <<-METHOD, __FILE__, __LINE__ + 1
+          def #{accessor}
+            if defined?(@#{accessor})
+              @#{accessor}
+            elsif superclass.respond_to?(:#{accessor})
+              superclass.#{accessor}
+            else
+              Negroni.#{accessor}
+            end
+          end
+
+          def #{accessor}=(value)
+            @#{accessor} = value
+          end
+        METHOD
+      end
+    end
+
+    # Checks that the including class has the appropriate required fields.
+    #
+    # @param klass [Class] the including class
+    # @raise [Negroni::Models::MissingAttribute] if the check fails.
+    # @return [Void]
+    def self.check_fields!(klass)
+      failed_attributes = []
+      instance = klass.new
+
+      klass.negroni_modules.each do |mod|
+        constant = const_get(mod.to_s.classify)
+
+        constant.required_fields(klass).each do |field|
+          failed_attributes << field unless instance.respond_to?(field)
+        end
+      end
+
+      return unless failed_attributes.any?
+      raise Negroni::Models::MissingAttribute, failed_attributes
+    end
+
+    # rubocop:disable Metrics/AbcSize,MethodLength
+
+    # Include the given Negroni modules in your model.  Authenticate is always
+    # included.
+    #
+    # @param modules [Symbol, Array<Symbol>] the modules to include.
+    # @return [Void]
+    def negroni(*modules)
+      options = modules.extract_options!.dup
+
+      selected_modules = modules.map(&:to_sym).uniq.sort_by do |sym|
+        Negroni::ALL.index(sym) != -1
+      end
+
+      aa_module_hook! do
+        include Negroni::Models::Base
+
+        selected_modules.each do |m|
+          mod = Negroni::Models.const_get m.to_s.classify
+
+          if mod.const_defined? 'ClassMethods'
+            class_mod = mod.const_get('ClassMethods')
+            extend class_mod
+
+            if class_mod.respond_to? :available_configs
+              available_configs = class_mod.available_configs
+
+              available_configs.each do |config|
+                next unless options.key? config
+                send(:"#{config}=", options.delete(config))
+              end
+            end
+          end
+
+          include mod
+        end
+
+        self.negroni_modules |= selected_modules
+        options.each { |key, value| send(:"#{key}=", value) }
+      end
+    end
+    # rubocop:enable all
+
+    # a hook
+    def aa_module_hook!
+      yield
+    end
+  end
+end
+
+require 'negroni/models/base'

data/lib/negroni/models/authenticable.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+require 'active_support/concern'
+
+module Negroni
+  module Models
+    # The `Authenticable` module should be included in any application classes
+    # that should be authenticable via a JSON web token.
+    #
+    # This module makes a few assumptions about your class:
+    #   * It has an `email` attribute
+    #
+    module Authenticable
+      extend ActiveSupport::Concern
+
+      included do
+        after_update :send_password_change_notification,
+                     if: :send_password_change_notification?
+
+        attr_reader :password, :current_password
+
+        attr_accessor :password_confirmation
+      end
+
+      # Required fields for this module
+      def self.required_fields(klass)
+        [:password_digest] + klass.authentication_keys
+      end
+
+      # Generates a hashed password based on the given value.
+      def password=(new_password)
+        @password = new_password
+        self.password_digest = digest_password(@password) if @password.present?
+      end
+
+      # Checks if a password is valid for the given instance
+      def valid_password?(password)
+        Negroni::Encryptor.compare(self.class, password_digest, password)
+      end
+
+      # @!group Updating a Record
+
+      # Update record attributes when :current_password matches, otherwise
+      # returns error on :current_password.
+      #
+      # This method also rejects the password field if it is blank (allowing
+      # users to change relevant information like the e-mail without changing
+      # their password). In case the password field is rejected, the confirmation
+      # is also rejected as long as it is also blank.
+      #
+      # @param params [Hash] params from the controller
+      # @param options [Hash] a hash of options
+      def update_with_password(params, *options)
+        current_password = params.delete :current_password
+
+        params = _sanitize_password_params(params)
+
+        result = if valid_password?(current_password)
+                   update_attributes(params, *options)
+                 else
+                   _invalid_update(current_password, params, *options)
+                 end
+
+        clean_up_passwords
+        result
+      end
+
+      # Updates record attributes without asking for the current password.
+      # Never allows a change to the current password. If you are using this
+      # method, you should probably override this method to protect other
+      # attributes you would not like to be updated without a password.
+      #
+      # @example
+      #
+      #   def update_without_password(params, *options)
+      #     params.delete(:email)
+      #     super(params)
+      #   end
+      #
+      def update_without_password(params, *options)
+        params.delete(:password)
+        params.delete(:password_confirmation)
+
+        result = update_attributes(params, *options)
+        clean_up_passwords
+        result
+      end
+
+      # Destroy record when :current_password matches, otherwise returns
+      # error on :current_password. It also automatically rejects
+      # :current_password if it is blank.
+      #
+      # @param current_password [String] the current password for the record
+      #
+      def destroy_with_password(current_password)
+        result = if valid_password?(current_password)
+                   destroy # rubocop:disable Rails/SaveBang
+                 else
+                   valid?
+                   message = current_password.blank? ? :blank : :invalid
+                   errors.add(:current_password, message)
+                   false
+                 end
+
+        result
+      end
+
+      # @!group Authentication Methods
+
+      # Authenticates the including class with `unencrypted_password`.
+      #
+      # @param unencrypted_password [String] the password to auth against
+      #
+      # @return [Boolean] if the user is successfully authenticated
+      def authenticate(unencrypted_password)
+        valid_password?(unencrypted_password) && self
+      end
+
+      # Authenticates the including class with `unencrypted_password`.
+      #
+      # @param unencrypted_password [String] the password to auth against
+      #
+      # @raise [ActiveRecord::RecordNotFound] if the user is not successfully
+      #       authenticated
+      #
+      # @return [Boolean] if the user is successfully authenticated
+      def authenticate!(unencrypted_password)
+        authenticate(unencrypted_password) || raise('Bad password!')
+      end
+
+      # @!endgroup
+
+      # Reliably returns the salt, regardless of implementation
+      #
+      # @return [String]
+      def authenticable_salt
+        password_digest[0, 29] if password_digest
+      end
+
+      protected
+
+      def digest_password(password)
+        Negroni::Encryptor.digest(self.class, password)
+      end
+
+      def send_password_change_notification?
+        self.class.send_password_change_notification && password_digest_changed?
+      end
+
+      # @!group Callbacks
+
+      def send_password_change_notification
+        send_auth_notification(:password_change)
+      end
+
+      # Cleans up the @password and @password_confirmation ivars
+      def clean_up_passwords
+        self.password = self.password_confirmation = nil
+      end
+
+      # @!endgroup Callbacks
+
+      private
+
+      # remove :password and :password_confirmation if they are present
+      #
+      # @param params [Hash] the params hash to sanitize
+      # @return [Hash] the sanitized params
+      def _sanitize_password_params(params, remove_all: false)
+        params.delete(:password) if params[:password].blank? || remove_all
+
+        if params[:password_confirmation].blank? || remove_all
+          params.delete(:password_confirmation)
+        end
+
+        params
+      end
+
+      def _invalid_update(current_password, params, *options)
+        _sanitize_password_params(params, remove_all: true)
+        assign_attributes(params, *options)
+        valid?
+
+        message = current_password.blank? ? :blank : :invalid
+        errors.add(:current_password, message)
+        false
+      end
+
+      # Class methods for the Authenticate module.
+      module ClassMethods
+        Negroni::Models.config(
+          self, :pepper, :stretches, :send_password_change_notification
+        )
+      end
+    end
+  end
+end

data/lib/negroni/models/base.rb

@@ -0,0 +1,318 @@
+# frozen_string_literal: true
+
+module Negroni
+  module Models
+    # The `Base` module contains methods that should be included in all Negroni
+    # models.  It holds common settings for all authentication, as well as some
+    # shared behavior across all modules.
+    #
+    # ## Options
+    #
+    # Base adds the following options:
+    #
+    #   * `authentication_keys`: parameters used for authentication.
+    #      Default [:email].
+    #
+    #   * `strip_whitespace_keys`: keys from which whitespace should be
+    #      stripped prior to validation.  Default [:email].
+    #
+    module Base
+      extend ActiveSupport::Concern
+
+      # Blacklisted attributes for serialization.
+      SERIALIZATION_BLACKLIST = [
+        :password_digest, :reset_password_token, :reset_password_sent_at,
+        :password_salt, :confirmation_token, :confirmed_at,
+        :confirmation_sent_at, :failed_attempts, :unlock_token, :locked_at
+      ].freeze
+
+      included do
+        class_attribute :negroni_modules, instance_writer: false
+        self.negroni_modules ||= []
+
+        before_validation :downcase_keys
+        before_validation :strip_whitespace
+      end
+
+      # Required fields for this module (_none_).
+      def self.required_fields(_klass)
+        []
+      end
+
+      # Returns whether or not the including class is active for
+      # authentication.  This method is primarily intended to be overriden by
+      # other modules, including `Lockable`.
+      #
+      # Yields and returns the return value of the given block, if a block is
+      # given.  Otherwise returns true.
+      #
+      # @return [Boolean]
+      def valid_for_auth?
+        block_given? ? yield : true
+      end
+
+      # The message that will be populated if an invalid record attempts to
+      # authenticate.
+      #
+      # @return [Symbol] the key of the translation to look up
+      def unauthenticated_message
+        :invalid
+      end
+
+      # Returns whether or not the including class is active for
+      # authentication.  This method is primarily intended to be overriden by
+      # other modules, including `Lockable`.
+      #
+      # @return [Boolean]
+      def active_for_auth?
+        true
+      end
+
+      # The message that will be populated if an inactive record attempts to
+      # authenticate.
+      #
+      # @return [Symbol] the key of the translation to look up
+      def inactive_message
+        :inactive
+      end
+
+      # Redefine serializable_hash in models for more secure defaults.  By
+      # default, it removes from the serializable model all attributes that are
+      # __not__ accessible. You can remove this default by using :force_except
+      # and passing a new list of attributes you want to exempt. All attributes
+      # given to :except will simply add names to exempt to Negroni internal
+      # list.
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
+
+        if options[:force_except]
+          options[:except].concat Array(options[:force_except])
+        else
+          options[:except].concat SERIALIZATION_BLACKLIST
+        end
+
+        super(options)
+      end
+
+      # Redefine inspect using serializable_hash, to ensure we don't accidentally
+      # leak passwords into exceptions.
+      def inspect
+        inspection = serializable_hash.collect do |k, v|
+          value = if respond_to?(:attribute_for_inspect)
+                    attribute_for_inspect(k)
+                  else
+                    v.inspect
+                  end
+
+          "#{k}: #{value}"
+        end
+
+        "#<#{self.class} #{inspection.join(', ')}>"
+      end
+
+      protected
+
+      def auth_mailer
+        Negroni.mailer
+      end
+
+      # This is an internal method called every time Negroni needs to send a
+      # notification/mail. This can be overridden if you need to customize the
+      # e-mail delivery logic. For instance, if you are using a queue to deliver
+      # e-mails (delayed job, sidekiq, resque, etc), you must add the delivery
+      # to the queue just after the transaction was committed. To achieve this,
+      # you can override send_auth_notification to store the deliveries
+      # until the after_commit callback is triggered:
+      #
+      # @example
+      #     class User
+      #       negroni :authenticable, :confirmable
+      #
+      #       after_commit :send_pending_notifications
+      #
+      #       protected
+      #
+      #       def send_auth_notification(notification, *args)
+      #         # If the record is new or changed then delay the
+      #         # delivery until the after_commit callback otherwise
+      #         # send now because after_commit will not be called.
+      #         if new_record? || changed?
+      #           pending_notifications << [notification, args]
+      #         else
+      #           message = auth_mailer.send(notification, self, *args)
+      #           Remove once we move to Rails 4.2+ only.
+      #           if message.respond_to?(:deliver_now)
+      #             message.deliver_now
+      #           else
+      #             message.deliver
+      #           end
+      #         end
+      #       end
+      #
+      #       def send_pending_notifications
+      #         pending_notifications.each do |notification, args|
+      #           message = auth_mailer.send(notification, self, *args)
+      #           Remove once we move to Rails 4.2+ only.
+      #           if message.respond_to?(:deliver_now)
+      #             message.deliver_now
+      #           else
+      #             message.deliver
+      #           end
+      #         end
+      #
+      #         # Empty the pending notifications array because the
+      #         # after_commit hook can be called multiple times which
+      #         # could cause multiple emails to be sent.
+      #         pending_notifications.clear
+      #       end
+      #
+      #       def pending_notifications
+      #         \@pending_notifications ||= []
+      #       end
+      #     end
+      #
+      def send_auth_notification(notification, *args)
+        message = auth_mailer.send(notification, self, *args)
+        message.deliver_now
+      end
+
+      # @!group Callbacks
+
+      # Downcase keys before validation
+      def downcase_keys
+        self.class.case_insensitive_keys.each { |k| _apply(k, :downcase) }
+      end
+
+      # Strip whitespace from requested keys before validation
+      def strip_whitespace
+        self.class.strip_whitespace_keys.each { |k| _apply(k, :strip) }
+      end
+
+      # @!endgroup Callbacks
+
+      private
+
+      # Apply `method` to `attr`
+      def _apply(attr, method)
+        if self[attr]
+          self[attr] = self[attr].try(method)
+        elsif respond_to?(attr) && respond_to?("#{attr}=")
+          new_value = send(attr).try(method)
+          send("#{attr}=", new_value)
+        end
+      end
+
+      # Class Methods for the `Base` module.
+      module ClassMethods
+        Negroni::Models.config(self,
+                               :authentication_keys,
+                               :strip_whitespace_keys,
+                               :case_insensitive_keys)
+
+        # Find first record based on conditions given (ie by the sign in form).
+        # This method is always called during an authentication process but
+        # it may be wrapped as well. For instance, database authenticable
+        # provides a `find_for_database_authentication` that wraps a call to
+        # this method. This allows you to customize both database authenticable
+        # or the whole authenticate stack by customize `find_for_authentication.`
+        #
+        # Overwrite to add customized conditions, create a join, or maybe use a
+        # namedscope to filter records while authenticating.
+        #
+        # @example
+        #   def self.find_for_authentication(tainted_conditions)
+        #     find_first_by_auth_conditions(tainted_conditions, active: true)
+        #   end
+        #
+        # Finally, notice that Negroni also queries for users in other scenarios
+        # besides authentication, for example when retrieving an user to send
+        # an e-mail for password reset. In such cases, find_for_authentication
+        # is not called.
+        def find_for_authentication(tainted_conditions)
+          find_first_by_auth_conditions(tainted_conditions)
+        end
+
+        # Find the first record, given a set of `tainted_conditions`, and
+        # options.
+        #
+        # @param tainted_conditions [Hash, ActionDispatch::Parameters]
+        #        the conditions used to find the record
+        # @param options [Hash] additional conditions and options for the find
+        #        operation
+        #
+        # @return [Object] the first record returned from the database
+        def find_first_by_auth_conditions(tainted_conditions, options = {})
+          to_adapter.find_first(
+            _param_filter.filter(tainted_conditions).merge(options)
+          )
+        end
+
+        # Find or initialize a record setting an error if it can't be found.
+        def find_or_initialize_with_error_by(attr, value, error = :invalid)
+          find_or_initialize_with_errors([attr], { attr => value }, error)
+        end
+
+        # Find or initialize a record with a group of attributes, based on a
+        # list of required attributes
+        def find_or_initialize_with_errors(required, attrs, error = :invalid)
+          attrs = _indifferently(required, attrs).delete_if { |_, v| v.blank? }
+
+          if attrs.size == required.size
+            record = find_first_by_auth_conditions(attrs)
+          end
+
+          unless record
+            record = new
+
+            required.each do |key|
+              value = attrs[key]
+              record.send("#{key}=", value)
+              record.errors.add(key, value.present? ? error : :blank)
+            end
+          end
+
+          record
+        end
+
+        # Finds an entity of the including class by a token auth request.
+        # This allows users to sign in with either an email address or
+        # thier username.
+        #
+        # @param request [Request] The request which contains the sign in params.
+        #
+        # @return [Object, nil] The found entity, or `nil` if one was not found.
+        def from_token_request(request)
+          # Bail if there is no `auth` param
+          return nil unless (auth_params = request.params['auth'])
+
+          # find_first_by_auth_conditions(auth_params)
+
+          authentication_keys.each do |key|
+            if (found_key = auth_params[key.to_s])
+              return to_adapter.find_first(key => found_key)
+            end
+          end
+        end
+
+        protected
+
+        def _param_filter
+          @_param_filter ||= Negroni::ParamFilter.new(
+            case_insensitive_keys, strip_whitespace_keys
+          )
+        end
+
+        private
+
+        def _indifferently(required, attributes)
+          if attributes.respond_to?(:permit!)
+            attributes.slice(*required).permit!.to_h.with_indifferent_access
+          else
+            attributes.with_indifferent_access.slice(*required)
+          end
+        end
+      end
+    end
+  end
+end