oath 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 68aae5082f1c535f427988290c1424f11b415313
+  data.tar.gz: 680198b631bfc9e899c17ed0618cd62d0af0d4f4
+SHA512:
+  metadata.gz: 953c7077d5abff66905acdd54eee2de098ade20a6d39edc7ca3f718d97ae26b6a52a9c3dbbc7c846f3c55ac0b79ab87cb53139e046a192b8e46ff05517180a63
+  data.tar.gz: b389a8c3bea393096bc1114f0de8aa5ece4332019ad7e4d8c7de36cff6e197e2269a3528ec6231d02cf5be3405fb21da9403e63fc59be0fc888856cfb4ba73db

data/.gitignore

@@ -0,0 +1,7 @@
+spec/rails_app/log/*
+spec/rails_app/tmp/*
+*.sqlite3
+pkg
+/.yardoc/
+/_yardoc/
+/doc/

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+ - 2.1.1

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,165 @@
+PATH
+  remote: .
+  specs:
+    oath (1.1.0)
+      bcrypt
+      rails
+      warden
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.1.4)
+      actionpack (= 5.1.4)
+      nio4r (~> 2.0)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.1.4)
+      actionpack (= 5.1.4)
+      actionview (= 5.1.4)
+      activejob (= 5.1.4)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.1.4)
+      actionview (= 5.1.4)
+      activesupport (= 5.1.4)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.1.4)
+      activesupport (= 5.1.4)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    active_hash (1.5.2)
+      activesupport (>= 2.2.2)
+    activejob (5.1.4)
+      activesupport (= 5.1.4)
+      globalid (>= 0.3.6)
+    activemodel (5.1.4)
+      activesupport (= 5.1.4)
+    activerecord (5.1.4)
+      activemodel (= 5.1.4)
+      activesupport (= 5.1.4)
+      arel (~> 8.0)
+    activesupport (5.1.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.5.2)
+      public_suffix (>= 2.0.2, < 4.0)
+    arel (8.0.0)
+    bcrypt (3.1.11)
+    builder (3.2.3)
+    capybara (2.16.1)
+      addressable
+      mini_mime (>= 0.1.3)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
+    concurrent-ruby (1.0.5)
+    crass (1.0.3)
+    diff-lcs (1.3)
+    erubi (1.7.0)
+    globalid (0.4.1)
+      activesupport (>= 4.2.0)
+    i18n (0.9.1)
+      concurrent-ruby (~> 1.0)
+    loofah (2.1.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.0)
+      mini_mime (>= 0.1.1)
+    method_source (0.9.0)
+    mini_mime (1.0.0)
+    mini_portile2 (2.3.0)
+    minitest (5.10.3)
+    nio4r (2.1.0)
+    nokogiri (1.8.1)
+      mini_portile2 (~> 2.3.0)
+    public_suffix (3.0.1)
+    rack (2.0.3)
+    rack-test (0.8.2)
+      rack (>= 1.0, < 3)
+    rails (5.1.4)
+      actioncable (= 5.1.4)
+      actionmailer (= 5.1.4)
+      actionpack (= 5.1.4)
+      actionview (= 5.1.4)
+      activejob (= 5.1.4)
+      activemodel (= 5.1.4)
+      activerecord (= 5.1.4)
+      activesupport (= 5.1.4)
+      bundler (>= 1.3.0)
+      railties (= 5.1.4)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.1.4)
+      actionpack (= 5.1.4)
+      activesupport (= 5.1.4)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.3.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.0)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-rails (3.7.2)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.0)
+    sprockets (3.7.1)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.13)
+    thor (0.20.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.4)
+      thread_safe (~> 0.1)
+    warden (1.2.7)
+      rack (>= 1.0)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.3)
+    xpath (2.1.0)
+      nokogiri (~> 1.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  active_hash
+  capybara
+  oath!
+  rake
+  rspec
+  rspec-rails
+  sqlite3
+
+BUNDLED WITH
+   1.16.0

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 halogenandtoast
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/NEWS.rdoc

@@ -0,0 +1,118 @@
+== 1.1.0
+* `Oath.config.sign_in_notice` should now be a callable object in order for I18n to work correctly
+* [DEPRECATED] you should no longer set `Oath.config.sign_in_notice` to a string value
+
+== 1.0.1
+* Wrap helper_method calls in respond_to?(:helper_method)
+* param_transformations now correctly use string keys
+
+== 1.0.0
+* Do not perform lookup if no params are passed to lookup
+* Add param transformer for sanitizing and normalizing
+
+== 0.3.1
+* Extend private interface for services
+
+== 0.3.0
+* Warden serialization is now configurable
+
+== 0.2.1
+* Updated documentation for test helpers
+* Updated documentation for using oath in console
+* Fixed bug with failure app now allowing actual http auth to occur
+
+== 0.2.0
+* `sign_in` test helper now returns the user
+* `authenticate_session` arguments are coerced to Hash
+* Oath::BackDoor can be configured with a block
+* Document validation suggestions
+* Document locale suggestions
+* Deprecate usage of Oath.user_class in favor of Oath.config.user_class
+* Make warden strategy configurable via Oath.config.authentication_strategy
+* Extract warden setup into the WardenSetup class
+* Document layout suggestions
+
+== 0.1.1
+* Link to Rubydoc in documentation
+* Fix header in documentation
+* Fix no_login_redirect to default to a properly named controller
+* Fix documentation reference to sign_up to mention user_params instead of user
+
+== 0.1.0
+* Fix PasswordStrategy to use configuration options
+* Documentation
+* Renamed encryption to hashing
+* Renamed encrypted to digested
+* Renamed unencrypted to undigested
+* A configuration for `no_login_redirect` was added. This accepts anything that
+  can be passed to `redirect_to` and is used when `require_login` is called with
+  no logged in user.
+* A configuration for `no_login_handler` was added. This allows developers to
+  completely customize the response when `require_login` is called with no
+  logged in user.
+
+== 0.0.15
+* Delegate user_class correctly so that config returns class
+* Fixed issue authenticate session not allowing for multiple fields
+* Do not hardcode User class
+* Add signed out routing constraint
+* Backfill NEWS.md
+
+== 0.0.14
+* Encryption of empty string is empty string.
+* Remove last trace of generators.
+
+== 0.0.13
+* Oath requires Rails 4+.
+* Move generators to the oath-generators gem.
+
+== 0.0.12
+* Ensure forms can't be tampered with by providing no username.
+* Prevent hashing of empty string passwords.
+* Memoize the configuration.
+
+== 0.0.11
+* Add `Oath::Backdoor` for easier tests.
+
+== 0.0.10
+* Add Oath::Test::ControllerHelpers for controller specs.
+* Depend on the bcrypt gem, not the bcrypt-ruby gem.
+
+== 0.0.9
+* Make user creation method configurable.
+* Redirect to SessionsController#new, ignoring namespace.
+* Add `Oath.config.creation_method`.
+
+== 0.0.8
+* Now configurable via `Oath.configure`:
+  * sign in service
+  * sign up service
+  * authentication service
+  * user_token_store_field
+  * user_token_field
+* Add PasswordReset service.
+* Rename controller_helpers to services.
+* Allos blocks to be passed into sign_in and sign_up.
+* Fix error on trying to respond with HTTP 401.
+* Oath does not generate a User model for you.
+* Add `Oath.test_mode!` and `Oath.test_reset!`.
+* Add a lot of tests.
+
+== 0.0.7
+* Check for Rails 4 or the strong_parameters gem, not just the strong_parameters gem
+
+== 0.0.6
+* [FIX] require_login should use controller and action for routing.
+
+== 0.0.5
+* [FIX] Scaffolded SessionsController should have respond_to.
+* [FIX] SignUp should get the value instead of slicing.
+
+== 0.0.4
+* Cleaned up generated controllers.
+* Use find_by_id instead of find so invalid sessions don't cause apps to crash.
+* Hashes passed in are no longer mutated via delete.
+
+== 0.0.3
+
+* Fixed bug where password wasn't deleted from session params which would cause lookup to fail.

data/README.md

@@ -0,0 +1,384 @@
+
+# Oath
+
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/halogenandtoast/oath?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+[![Build Status](https://travis-ci.org/halogenandtoast/oath.png?branch=master)](https://travis-ci.org/halogenandtoast/oath)
+[![Code Climate](https://codeclimate.com/github/halogenandtoast/oath.png)](https://codeclimate.com/github/halogenandtoast/oath)
+
+Oath is designed to be a very simple and extensible user authentication
+library for rails. Its goal is to give all the power to the developer instead
+of forcing them to make Oath work with their system.
+
+## Why use Oath?
+
+Oath makes authentication simple:
+
+- Easy to use in tests with dependency injection
+- Provides convenient controller helpers
+- Very customizable
+
+Oath doesn't do the following:
+
+- Doesn't automatically add routes to your application
+- Doesn't force you to use engine based controllers or views
+- Doesn't require you to make changes to your user model
+
+## Documentation
+
+You can read the full documentation at [rubydoc](http://rubydoc.info/github/halogenandtoast/oath)
+
+## Installation
+
+Oath was designed to work with Rails > 4.0. Add this line to your Gemfile:
+
+    gem 'oath'
+
+Then inside of your ApplicationController add the following:
+
+    include Oath::ControllerHelpers
+
+And you're ready to start designing your authentication system.
+
+## Generators
+
+If you'd like a good starting point for building an app using Oath, it is suggested to use the [oath generators]
+
+## Usage
+
+Oath does currently have some out-of-the-box expectations, but you can
+configure and change any of these:
+
+- By default the model should be called `User`
+- Oath expects your user model to respond to `create`, `id`, and `find_by`
+- You should have an `email` and `password_digest` column on your `User`
+- Passwords will be handled with BCrypt
+
+### Suggestions
+
+#### Console Usage
+
+If you're trying to sign up a User in a console you won't be able to call User#new or User#create because the User model does not know how to encrypt passwords.
+You should instead use the sign up service in order to create the user:
+
+```ruby
+Oath.config.sign_up_service.new(email: "foo@example.com", password: "password").perform
+```
+
+#### Validations
+
+Oath doesn't add validations to your user model unless you're using [oath generators] so it's suggested to add the following validations:
+
+```ruby
+validates :email, presence: true, uniqueness: true
+validates :password_digest, presence: true
+```
+
+In addition to that you'll want to add the following to your `config/locale/en.yml`:
+
+```yaml
+en:
+  activerecord:
+    attributes:
+      user:
+        password_digest: "Password"
+```
+
+Which will generate the error message `Password can't be blank` instead of `Password digest can't be blank`.
+
+#### Layout changes
+
+It is suggested you add something like this to your application layout:
+
+```erb
+<% if signed_in? %>
+  <%= link_to "Sign out", session_path, method: :delete %>
+<% else %>
+  <%= link_to "Sign in", new_session_path %>
+  <%= link_to "Sign up", new_user_path %>
+<% end %>
+```
+
+#### Guest user
+
+If you want to introduce a Guest object when a user is not signed in, you can override Oath's `current_user` method in your `ApplicationController`:
+
+```ruby
+def current_user
+  super || Guest.new
+end
+```
+
+In `app/models/`, define a `Guest` class:
+
+```ruby
+class Guest
+  def name
+    "Guest"
+  end
+end
+```
+
+This article on the [Null Object Pattern](http://robots.thoughtbot.com/handling-associations-on-null-objects) provides a good explanation of why you might want to do this.
+
+#### Using I18n for sign in notice
+
+If you want to use I18n for the notice instructing users to sign in when they try to access an unauthorized page you can do so with the following configuration:
+
+```ruby
+Oath.configure do |config|
+  config.sign_in_notice = -> { I18n.t("sign_in_notice") }
+end
+```
+
+It is suggested to store this file at `config/initializers/oath.rb`
+
+### Controller Additions
+
+Oath provides the following controller methods:
+
+- `sign_in(user)`
+- `sign_out`
+- `sign_up(user_params)`
+- `authenticate(user, password)`
+- `authenticate_session(session_params)`
+- `reset_password(user, password)`
+
+These helpers:
+
+- `current_user`
+- `signed_in?`
+
+And this filter:
+
+- `require_login`
+
+### Routing Constraints
+
+To authorize users in `config/routes.rb`:
+
+```ruby
+require "oath/constraints/signed_in"
+require "oath/constraints/signed_out"
+
+Blog::Application.routes.draw do
+  constraints Oath::Constraints::SignedIn.new do
+    root "dashboards#show", as: :dashboard
+  end
+
+  constraints Oath::Constraints::SignedOut.new do
+    root "landings#show"
+  end
+end
+```
+
+## Usage in Tests
+
+### Test mode
+
+Oath provides the following:
+
+```ruby
+Oath.test_mode!
+```
+
+Which will change password hashing method to provide plaintext responses instead of using BCrypt. This will allow you to write factories using the password_digest field:
+
+```ruby
+FactoryBot.define do
+  factory :user do
+    username 'wombat'
+    password_digest 'password'
+  end
+end
+```
+
+### Spec helpers
+
+A couple of convenience methods are available in your tests. In order to set this up you'll want to add the following to `rails_helper.rb` or if that doesn't exist `spec_helper.rb`
+
+```ruby
+Oath.test_mode!
+
+RSpec.configure do |config|
+  config.include Oath::Test::Helpers, type: :feature
+  config.after :each do
+    Oath.test_reset!
+  end
+end
+```
+
+Then you can use any of the [test helpers] in your scenarios
+
+```ruby
+feature "A feature spec" do
+  scenario "that requires login" do
+    user = create(:user)
+    sign_in(user)
+    # do something
+    sign_out
+    # do something else
+  end
+end
+```
+
+### Oath Backdoor
+
+Similar to clearance's backdoor you can visit a path and sign in quickly via
+
+```ruby
+user = create(:user)
+visit dashboard_path(as: user)
+```
+
+To enable this functionality you'll want to add the following to `config/environments/test.rb`:
+
+```ruby
+config.middleware.insert_after Warden::Manager, Oath::BackDoor
+```
+
+If you'd like to find your User model by a field other than `id`, insert the
+middleware with a block that accepts the `as` query parameter and returns an
+instance of your User model:
+
+```ruby
+config.middleware.insert_after Warden::Manager, Oath::BackDoor do |user_param|
+  User.find_by(username: user_param)
+end
+```
+
+### Controller Specs
+
+If you are going to write controller tests, helpers are provided for those as well:
+
+```ruby
+Oath.test_mode!
+
+RSpec.configure do |config|
+  config.include Oath::Test::ControllerHelpers, type: :controller
+  config.after :each do
+    Oath.test_reset!
+  end
+end
+```
+
+```ruby
+require 'spec_helper'
+
+describe ProtectedController do
+
+  describe "GET 'index'" do
+    it "returns http success when signed in" do
+      user = create(:user)
+      sign_in(user)
+      get 'index'
+      response.should be_success
+    end
+
+    it "redirects when not signed in" do
+      get 'index'
+      response.should be_redirect
+    end
+  end
+end
+```
+
+## Advanced Functionality
+
+### Authentication with username instead of email
+
+If you want to sign in with username instead of email just change the configuration option
+
+```ruby
+# config/initializers/oath.rb
+Oath.configure do |config|
+  config.user_lookup_field = :username
+end
+```
+
+If you used the oath:scaffold generator from [oath generators] you'll have to change the following four references to email.
+
+* In SessionsController#session_params
+* In UsersController#user_params
+* The email form field on sessions#new
+* The email form field on users#new
+
+### Using multiple lookup fields
+
+You may perform a look up on a user using multiple fields by doing something like the following:
+
+```ruby
+class SessionsController < ApplicationController
+  def create
+    user = authenticate_session(session_params, email_or_username: [:email, :username])
+
+    if sign_in(user)
+      redirect_to(root_path)
+    else
+      render :new
+    end
+  end
+
+  private
+
+  def session_params
+    params.require(:session).permit(:email_or_username, :password)
+  end
+
+end
+```
+
+This will allow the user to enter either their username or email to login
+
+## Configuration
+
+Oath::Configuration has lots of options for changing how oath works. Currently the options you can change are as follows:
+
+### User values
+
+* **user_lookup_field**: (default `:email`) Field in the database to lookup a user by.
+* **user_token_field**: (default `:password`) Field the form submits containing the undigested password.
+* **user_token_store_field**: (default: `:password_digest`) Field in the database that stores the user's digested password.
+* **user_class**: (default: `'User'`) The user class.
+
+### Services
+
+* **sign_in_notice**: (default: `You must be signed in`) Rails flash message to set when user signs in.
+* **sign_in_service**: (default: `Oath::Services::SignIn`) Service for signing a user in.
+* **sign_up_service**: (default: `Oath::Services::SignUp`) Service for signing a user up.
+* **sign_out_service**: (default: `Oath::Services::SignOut`) Service for signing a user out.
+* **authentication_service**: (default: `Oath::Services::Authentication`) Service for authenticated a user.
+* **password_reset_service**: (default: `Oath::Services::PasswordReset`) Service for resetting a user's password.
+
+### Rails values
+
+* **no_login_handler**: A before_action for rails that handles when a user is not signed in.
+* **no_login_redirect**: Used by the no_login_handler to redirect the user
+
+### Methods
+
+* **hashing_method**: Method to hash an undigested password.
+* **token_comparison**: Method to compare a digested and undigested password.
+* **creation_method**: Method for creating a user.
+* **find_method**: Method for finding a user.
+
+### Warden Settings
+
+* **failure_app**: Necessary for warden to work. A rack app that handles failures in authentication.
+
+## Limitations
+
+Here are a few of the current limitations of oath:
+
+- Oath assumes you only have one user model.
+
+## Contributing
+
+1. [Fork it](https://github.com/halogenandtoast/oath/fork)
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+[oath generators]: https://github.com/halogenandtoast/oath-generators
+[test helpers]: https://github.com/halogenandtoast/oath/blob/master/lib/oath/test/helpers.rb