nitro-auth 0.2.0

data/examples/basic/public/register.xhtml

@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Register a new account.</title>
+    <meta http-equiv="Content-Script-Type" content="text/javascript"/>
+    #{include_script "/js/behaviour.js"}
+  </head>
+  <body>
+    <h1>Register a new account.</h1>
+    <form id="new_user_form" action="#{new_user_url}" method="POST">
+      <table>
+        <tr>
+          <td><label for="login">Login:</label></td>
+          <td>
+            <input id="login" name="login" type="text"
+              value="#{@new_user.login}"/>
+          </td>
+        </tr>
+        <tr>
+          <td><label for="name">Name:</label></td>
+          <td>
+            <input id="name" name="name" type="text"
+              value="#{@new_user.name}"/>
+          </td>
+        </tr>
+        <tr>
+          <td><label for="email">Email Address:</label></td>
+          <td>
+            <input id="email" name="email" type="text"
+              value="#{@new_user.email}"/>
+          </td>
+        </tr>
+        <tr>
+          <td><label for="password">Password:</label></td>
+          <td><input id="password" name="password" type="password"/></td>
+        </tr>
+        <tr>
+          <td><label for="confirm_password">Confirm Password:</label></td>
+          <td>
+            <input id="confirm_password" name="confirm_password"
+              type="password"/>
+          </td>
+        </tr>
+        <tr>
+          <td colspan="2">
+            <button id="register_new_user" type="button">Register!</button>
+          </td>
+        </tr>
+        <tr>
+          <td id="error" colspan="2">#{@error}</td>
+        </tr>
+      </table>
+    </form>
+    <p class="login_link">
+      <a href="#{login_url}">Go back to the login page</a>.
+    </p>
+    <p class="back_link">
+      <a href="#{@backlink}">Go back to where I started</a>.
+    </p>
+    #{helper_script}
+  </body>
+</html>

data/examples/basic/run.rb

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+require 'nitro'
+
+require 'basic'
+
+include Nitro
+
+# Because it's not synced by default on Windows
+STDERR.sync = true if not STDERR.sync
+
+# Assuming you set up a database with these values...
+db_config = {
+    :store => 'mysql',
+    :name => 'basic',
+    :user => 'basic',
+    :password => 'basic'
+}
+Og.setup(db_config)
+
+# Tell the AuthController which User class to create
+# on new-user registration.
+Auth::AuthController.user_class = Basic::User
+
+# Set up the dispatcher, including an AuthController
+# at /auth.
+Server.map = {
+    '/' => Basic::BasicController,
+    '/auth' => Basic::AuthController
+}
+
+# Run the example.
+Nitro.run()

data/examples/basic/src/basic.rb

@@ -0,0 +1,4 @@
+require 'basic/user'
+require 'basic/site'
+require 'basic/controller'
+require 'basic/auth_controller'

data/examples/basic/src/basic/auth_controller.rb

@@ -0,0 +1,9 @@
+require 'nitro/auth'
+
+module Basic
+    # We want to provide some custom templates, so we need to tell
+    # Nitro where to look for them.
+    class AuthController < Auth::AuthController
+        @template_root = "public"
+    end
+end

data/examples/basic/src/basic/controller.rb

@@ -0,0 +1,29 @@
+require 'nitro'
+require 'nitro/auth'
+
+module Basic
+    class BasicController < Nitro::Controller
+        include Auth::Controller
+
+        @template_root = File.dirname(__FILE__) + "/view"
+
+        scaffold Site, :index => true
+
+        def list_site
+            if user.has_role? Auth.admin_role
+                @sites = Site.all()
+            else
+                @sites = Site.find(:where => "owner_oid = #{user.oid}")
+            end
+        end
+        protect :index
+        protect :list_site
+        protect :edit_site
+        protect :view_site
+        protect :save_site
+        protect :del_site
+        protect :delete_site
+
+        administrative :new_site
+    end
+end

data/examples/basic/src/basic/site.rb

@@ -0,0 +1,13 @@
+require 'og'
+
+module Basic
+    # A sample application object, just to illustrate.
+    class Site
+        property :url, String, :sql => "varchar(255) not null unique",
+            :unique => true
+        property :title, String, :sql => "varchar(255) not null unique",
+            :unique => true
+
+        belongs_to :owner, User
+    end
+end

data/examples/basic/src/basic/user.rb

@@ -0,0 +1,22 @@
+require 'nitro/auth'
+
+module Basic
+    # An extended user object.
+    class User < Auth::User
+        # Add name and email fields.
+        property :name, String, :sql => "varchar(255) not null"
+        property :email, String, :sql => "varchar(255) not null unique",
+            :unique => true
+
+        # Add a relationship with an application object.
+        has_many Site
+
+        def initialize(login = nil, password = nil, parameters = {})
+            super(login, password, parameters)
+            # Should probably sanity check these, since they're coming
+            # in over the web, but this'll do for now.
+            @name = parameters["name"]
+            @email = parameters["email"]
+        end
+    end
+end

data/examples/basic/src/basic/view/index.xhtml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Basic Nitro-Auth Example</title>
+  </head>
+  <body>
+    <h1>Basic Nitro-Auth Example</h1>
+    <table>
+      <tr>
+        <td class="sidebar">
+          <a href="/">List sites</a>
+          <?r if user.has_role? Auth.admin_role ?>
+          <br/><a href="/new_site">Add a new site</a>
+          <?r end ?>
+        </td>
+        <td>
+          <table>
+            <?r for site in @sites ?>
+            <tr>
+              <td><a href="#{site.url}">#{site.title}</a></td>
+              <td>Located at #{site.url}</td>
+              <td if="user.has_role? Auth.admin_role">
+                Owned by #{site.owner.name}
+              </td>
+            </tr>
+            <?r end ?>
+          </table>
+        </td>
+      </tr>
+    </table>
+  </body>
+</html>

data/lib/nitro/auth.rb

@@ -0,0 +1,41 @@
+require 'glue'
+
+# Auth provides authentication and authorization for Nitro.
+module Auth
+    Version = '0.2.0'
+
+    #--
+    # Things I wish were settings, but setting doesn't appear to do
+    # what I'm needing...
+    # FIXME:  Figure out some sane way to put these in config.
+    #
+    # setting :admin_role, :default => 'admin',
+    #     :doc => 'The administrative/superuser role name.'
+    # setting :user_role, :default => 'user',
+    #     :doc => 'The default role name (all users get this by default).'
+    # setting :session_key_expiration, :default => 60 * 60 * 24 * 30,
+    #     :doc => 'Number of seconds session keys last before expiring.'
+    #++
+
+    # The administrative/superuser role name.
+    def self.admin_role
+        'admin'
+    end
+
+    # The default role name (all users get this by default).
+    def self.user_role
+        'user'
+    end
+
+    # Number of seconds session keys last before expiring.
+    def self.session_key_expiration
+        60*60*24*30
+    end
+end
+
+require 'nitro/auth/util/crypt'
+
+require 'nitro/auth/model/user'
+
+require 'nitro/auth/controller'
+require 'nitro/auth/auth_controller'

data/lib/nitro/auth/auth_controller.rb

@@ -0,0 +1,199 @@
+require 'uri'
+
+require 'glue/uri'
+
+require 'nitro'
+require 'nitro/mixin/javascript'
+
+module Auth
+    # Provides basic login actions.
+    #
+    # In theory, +AuthController+ can be easily integrated into your
+    # application.  Or, at least, that's the goal -- we're early enough
+    # that it hasn't been tested much yet.
+    class AuthController < Nitro::Controller
+        include Nitro::JavascriptMixin
+
+        # Override the template_root for this controller.
+        @template_root = File.dirname(__FILE__) + "/view"
+
+        # Spits out the url to the register-a-new-user page.
+        def register_url
+            "#{controller_name}/register"
+        end
+
+        # Spits out the url to the login page.
+        def login_url
+            "#{controller_name}/login"
+        end
+
+        # Spits out the url to the try-to-login action.
+        def try_login_url
+            "#{controller_name}/try_login"
+        end
+
+        # Spits out the url to the create-a-new-user action.
+        def new_user_url
+            "#{controller_name}/new_user"
+        end
+
+        # The action run when the current user doesn't have sufficient
+        # permissions to run the requested action.
+        def access_denied
+            @backlink = session["prelogin_referer"]
+            session.delete "prelogin_uri"
+            session.delete "prelogin_referer"
+        end
+
+        # The main login action.
+        def login
+            @login_name = request.params["login"].to_s
+            @login_name = nil if @login_name.empty?
+            @error = "Login or password incorrect." if "false" == request.params["allowed"]
+            @error = request.params["error"] if request.params["error"]
+        end
+
+        # Log the current user out.
+        def logout
+            Logger.debug "Logging out."
+            session_cookie = Cookie.new "login_session_key", ""
+            response.add_cookie session_cookie
+        end
+
+        # Attempt to log the user in.  This is the action at which
+        # login forms should point (preferably using try_login_url).
+        #
+        # Redirects back wherever they originally came from if login
+        # is successful, or the login page again if not.
+        def try_login
+            Logger.debug("Trying to log in.")
+            user = nil
+            login = request.params['login']
+            password = request.params['password']
+            user = User.find_one(:where => "login = '#{login}'") if login
+            Logger.debug("Found user #{user.oid} with login #{login}.") if user
+
+            if user and authenticate(user, password)
+                session_key = user.session_key
+                if session_key
+                    session_cookie = Cookie.new "login_session_key", session_key
+                    session_cookie.expires = user.session_key_expires
+                    response.add_cookie session_cookie
+                end
+                Logger.debug("Sending them back from whence they came.")
+                return_to_original_location
+            end
+
+            Logger.debug("Login incorrect, sending them back to login page.")
+            redirect login_url + "?allowed=false"
+        end
+
+        # Returns the user back to their original location.
+        def return_to_original_location
+            prelogin_uri = session["prelogin_uri"]
+            session.delete "prelogin_uri"
+            session.delete "prelogin_referer"
+            Logger.debug("Redirecting back to #{prelogin_uri}.")
+            redirect prelogin_uri if prelogin_uri
+
+            Logger.debug("No prelogin URI, redirecting back to / instead.")
+            redirect "/"
+        end
+
+
+        # Register a new user.
+        #
+        # Expects a few things of its template:
+        # * Form action should point to new_user (using new_user_url).
+        # * Needs, at least:
+        #   * Text input named login.
+        #   * Password input named password.
+        #   * Password input named confirm_password.
+        #   * error (a text element for displaying errors,
+        #     should generally be rendered with #{@error} or the like).
+        #   * Form submit button named register_new_user.
+        # * Template should use the Nitro javascript mixin appropriately.
+        def register
+            @backlink = session["prelogin_referer"]
+            @error = request.params["error"] || ""
+            @new_user = @@user_class.new(nil, nil, request.params)
+            behaviour "#register_new_user", %{
+                el.onclick = function() {
+                    var form = this.form;
+                    var error = document.getElementById("error");
+                    if (0 == form.login.value.length) {
+                        error.innerHTML = "You must provide a login."
+                    } else if (0 == form.password.value.length) {
+                        error.innerHTML = "You must provide a password."
+                    } else if (form.password.value != form.confirm_password.value) {
+                        error.innerHTML = "Passwords do not match."
+                    } else {
+                        form.submit();
+                    }
+                }
+            }
+        end
+
+        # Try to create a new user.  This is the action at which
+        # "register a new user" forms should point.
+        #
+        # TODO:  Allow some sort of password quality check?  A plugin, perhaps?
+        # Or just assume that the user object's validation is sufficient?
+        #
+        # TODO:  Use Nitro form validation once it's all there.
+        #
+        # TODO:  Get rid of these hardcoded error messages.
+        def new_user
+            Logger.debug("Setting up new user.")
+            login = request.params['login']
+            password = request.params['password']
+            confirm = request.params['confirm_password']
+            # Doublecheck.  The Javascript should have checked this, but
+            # just in case...
+            registration_error "You must provide a login." if login.empty?
+            registration_error "You must provide a password." if password.empty?
+            registration_error "Passwords do not match." if password != confirm
+            # Further validation is delegated to the user object.
+
+            # See if the login is duplicate
+            existing_user = User.find_one(:where => "login = '#{login}'")
+            registration_error "Login #{login} already exists." if existing_user
+
+            # Okay, try to create it.
+            new_user = @@user_class.create(login, password, request.params)
+            user_role = Role.find_one(:where => "name = '#{Auth.user_role}'")
+            new_user.add_role user_role if user_role
+            Logger.debug("Finished new user setup, trying to log in.")
+            try_login
+        end
+
+        #--
+        # FIXME: This is sort of a hack for now.  Ugh.
+        #++
+
+        # Sets the default class all authentication controllers will use
+        # when creating new users.
+        #
+        # Uses Auth::User by default, but generally applications will
+        # extend that class rather than use it bare.
+        def self.user_class=(klass)
+            if klass.is_a? Class
+                @@user_class = klass
+            else
+                raise "Invalid default user_class set in Auth::AuthController."
+            end
+        end
+        @@user_class = Auth::User
+
+        protected
+            # Subclasses can override this to use some other authentication
+            # mechanism (LDAP or what have you).
+            def authenticate(user, password) # :doc:
+                user.hashed_password == Crypt.salt_password(user.salt, password)
+            end
+        private
+            def registration_error(error)
+                redirect URI.escape("#{register_url}?error=#{error}")
+            end
+    end
+end