omniauth-identity 3.0.2 → 3.0.7

data/lib/omniauth/identity/models/active_record.rb

@@ -6,8 +6,8 @@ module OmniAuth
   module Identity
     module Models
       class ActiveRecord < ::ActiveRecord::Base
-        include OmniAuth::Identity::Model
-        include OmniAuth::Identity::SecurePassword
+        include ::OmniAuth::Identity::Model
+        include ::OmniAuth::Identity::SecurePassword
 
         self.abstract_class = true
         has_secure_password

data/lib/omniauth/identity/models/couch_potato.rb

@@ -6,6 +6,8 @@ module OmniAuth
   module Identity
     module Models
       # can not be named CouchPotato since there is a class with that name
+      # NOTE: CouchPotato is based on ActiveModel.
+      # NOTE: CouchPotato::Persistence must be included before OmniAuth::Identity::Models::CouchPotatoModule
       module CouchPotatoModule
         def self.included(base)
           base.class_eval do
@@ -22,6 +24,10 @@ module OmniAuth
             def self.locate(search_hash)
               where(search_hash).first
             end
+
+            def save
+              CouchPotato.database.save(self)
+            end
           end
         end
       end

data/lib/omniauth/identity/models/mongoid.rb

@@ -5,6 +5,7 @@ require 'mongoid'
 module OmniAuth
   module Identity
     module Models
+      # NOTE: Mongoid is based on ActiveModel.
       module Mongoid
         def self.included(base)
           base.class_eval do

data/lib/omniauth/identity/models/nobrainer.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'nobrainer'
+
+module OmniAuth
+  module Identity
+    module Models
+      # http://nobrainer.io/ an ORM for RethinkDB
+      # NOTE: NoBrainer is based on ActiveModel.
+      module NoBrainer
+        def self.included(base)
+          base.class_eval do
+            include ::OmniAuth::Identity::Model
+            include ::OmniAuth::Identity::SecurePassword
+
+            has_secure_password
+
+            def self.auth_key=(key)
+              super
+              validates_uniqueness_of key, case_sensitive: false
+            end
+
+            def self.locate(search_hash)
+              where(search_hash).first
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/identity/models/sequel.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'nobrainer'
+
+module OmniAuth
+  module Identity
+    module Models
+      # http://sequel.jeremyevans.net/ an SQL ORM
+      # NOTE: Sequel is *not* based on ActiveModel, but supports the API we need, except for `persisted?`:
+      # * create
+      # * save
+      module Sequel
+        def self.included(base)
+          base.class_eval do
+            # NOTE: Using the deprecated :validations_class_methods because it defines
+            #       validates_confirmation_of, while current :validation_helpers does not.
+            # plugin :validation_helpers
+            plugin :validation_class_methods
+
+            include ::OmniAuth::Identity::Model
+            include ::OmniAuth::Identity::SecurePassword
+
+            has_secure_password
+
+            alias_method :persisted?, :valid?
+
+            def self.auth_key=(key)
+              super
+              validates_uniqueness_of :key, case_sensitive: false
+            end
+
+            def self.locate(search_hash)
+              where(search_hash).first
+            end
+
+            def persisted?
+              exists?
+            end
+
+            def save
+              super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/identity/secure_password.rb

@@ -4,7 +4,7 @@ require 'bcrypt'
 
 module OmniAuth
   module Identity
-    # This is taken directly from Rails 3.1 code and is used if
+    # This is lightly edited from Rails 6.1 code and is used if
     # the version of ActiveModel that's being used does not
     # include SecurePassword. The only difference is that instead of
     # using ActiveSupport::Concern, it checks to see if there is already
@@ -14,63 +14,124 @@ module OmniAuth
         base.extend ClassMethods unless base.respond_to?(:has_secure_password)
       end
 
+      # BCrypt hash function can handle maximum 72 bytes, and if we pass
+      # password of length more than 72 bytes it ignores extra characters.
+      # Hence need to put a restriction on password length.
+      MAX_PASSWORD_LENGTH_ALLOWED = 72
+
+      class << self
+        attr_accessor :min_cost # :nodoc:
+      end
+      self.min_cost = false
+
       module ClassMethods
         # Adds methods to set and authenticate against a BCrypt password.
-        # This mechanism requires you to have a password_digest attribute.
+        # This mechanism requires you to have a +XXX_digest+ attribute.
+        # Where +XXX+ is the attribute name of your desired password.
+        #
+        # The following validations are added automatically:
+        # * Password must be present on creation
+        # * Password length should be less than or equal to 72 bytes
+        # * Confirmation of password (using a +XXX_confirmation+ attribute)
         #
-        # Validations for presence of password, confirmation of password (using
-        # a "password_confirmation" attribute) are automatically added.
-        # You can add more validations by hand if need be.
+        # If confirmation validation is not needed, simply leave out the
+        # value for +XXX_confirmation+ (i.e. don't provide a form field for
+        # it). When this attribute has a +nil+ value, the validation will not be
+        # triggered.
+        #
+        # For further customizability, it is possible to suppress the default
+        # validations by passing <tt>validations: false</tt> as an argument.
+        #
+        # Add bcrypt (~> 3.1.7) to Gemfile to use #has_secure_password:
+        #
+        #   gem 'bcrypt', '~> 3.1.7'
         #
         # Example using Active Record (which automatically includes ActiveModel::SecurePassword):
         #
-        #   # Schema: User(name:string, password_digest:string)
+        #   # Schema: User(name:string, password_digest:string, recovery_password_digest:string)
         #   class User < ActiveRecord::Base
         #     has_secure_password
+        #     has_secure_password :recovery_password, validations: false
         #   end
         #
-        #   user = User.new(:name => "david", :password => "", :password_confirmation => "nomatch")
-        #   user.save                                                      # => false, password required
-        #   user.password = "mUc3m00RsqyRe"
-        #   user.save                                                      # => false, confirmation doesn't match
-        #   user.password_confirmation = "mUc3m00RsqyRe"
-        #   user.save                                                      # => true
-        #   user.authenticate("notright")                                  # => false
-        #   user.authenticate("mUc3m00RsqyRe")                             # => user
-        #   User.find_by_name("david").try(:authenticate, "notright")      # => nil
-        #   User.find_by_name("david").try(:authenticate, "mUc3m00RsqyRe") # => user
-        def has_secure_password
-          attr_reader :password
+        #   user = User.new(name: 'david', password: '', password_confirmation: 'nomatch')
+        #   user.save                                                  # => false, password required
+        #   user.password = 'mUc3m00RsqyRe'
+        #   user.save                                                  # => false, confirmation doesn't match
+        #   user.password_confirmation = 'mUc3m00RsqyRe'
+        #   user.save                                                  # => true
+        #   user.recovery_password = "42password"
+        #   user.recovery_password_digest                              # => "$2a$04$iOfhwahFymCs5weB3BNH/uXkTG65HR.qpW.bNhEjFP3ftli3o5DQC"
+        #   user.save                                                  # => true
+        #   user.authenticate('notright')                              # => false
+        #   user.authenticate('mUc3m00RsqyRe')                         # => user
+        #   user.authenticate_recovery_password('42password')          # => user
+        #   User.find_by(name: 'david')&.authenticate('notright')      # => false
+        #   User.find_by(name: 'david')&.authenticate('mUc3m00RsqyRe') # => user
+        def has_secure_password(attribute = :password, validations: true)
+          # Load bcrypt gem only when has_secure_password is used.
+          # This is to avoid ActiveModel (and by extension the entire framework)
+          # being dependent on a binary library.
+          begin
+            require 'bcrypt'
+          rescue LoadError
+            warn "You don't have bcrypt installed in your application. Please add it to your Gemfile and run bundle install"
+            raise
+          end
 
-          validates_confirmation_of :password
-          validates_presence_of     :password_digest
+          include InstanceMethodsOnActivation.new(attribute)
 
-          include InstanceMethodsOnActivation
+          if validations
+            include ActiveModel::Validations
 
-          if respond_to?(:attributes_protected_by_default)
-            def self.attributes_protected_by_default
-              super + ['password_digest']
+            # This ensures the model has a password by checking whether the password_digest
+            # is present, so that this works with both new and existing records. However,
+            # when there is an error, the message is added to the password attribute instead
+            # so that the error message will make sense to the end-user.
+            validate do |record|
+              record.errors.add(attribute, :blank) unless record.public_send("#{attribute}_digest").present?
             end
+
+            validates_length_of attribute, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
+            validates_confirmation_of attribute, allow_blank: true
           end
         end
       end
 
-      module InstanceMethodsOnActivation
-        # Returns self if the password is correct, otherwise false.
-        def authenticate(unencrypted_password)
-          if BCrypt::Password.new(password_digest) == unencrypted_password
-            self
-          else
-            false
+      class InstanceMethodsOnActivation < Module
+        def initialize(attribute)
+          attr_reader attribute
+
+          define_method("#{attribute}=") do |unencrypted_password|
+            if unencrypted_password.nil?
+              public_send("#{attribute}_digest=", nil)
+            elsif !unencrypted_password.empty?
+              instance_variable_set("@#{attribute}", unencrypted_password)
+              cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
+              public_send("#{attribute}_digest=", BCrypt::Password.create(unencrypted_password, cost: cost))
+            end
           end
-        end
 
-        # Encrypts the password into the password_digest attribute.
-        def password=(unencrypted_password)
-          @password = unencrypted_password
-          if unencrypted_password && !unencrypted_password.empty?
-            self.password_digest = BCrypt::Password.create(unencrypted_password)
+          define_method("#{attribute}_confirmation=") do |unencrypted_password|
+            instance_variable_set("@#{attribute}_confirmation", unencrypted_password)
           end
+
+          # Returns +self+ if the password is correct, otherwise +false+.
+          #
+          #   class User < ActiveRecord::Base
+          #     has_secure_password validations: false
+          #   end
+          #
+          #   user = User.new(name: 'david', password: 'mUc3m00RsqyRe')
+          #   user.save
+          #   user.authenticate_password('notright')      # => false
+          #   user.authenticate_password('mUc3m00RsqyRe') # => user
+          define_method("authenticate_#{attribute}") do |unencrypted_password|
+            attribute_digest = public_send("#{attribute}_digest")
+            BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
+          end
+
+          alias_method :authenticate, :authenticate_password if attribute == :password
         end
       end
     end

data/lib/omniauth/strategies/identity.rb

@@ -6,30 +6,31 @@ module OmniAuth
     # user authentication using the same process flow that you
     # use for external OmniAuth providers.
     class Identity
+      DEFAULT_REGISTRATION_FIELDS = %i[password password_confirmation].freeze
       include OmniAuth::Strategy
-
       option :fields, %i[name email]
-      option :enable_login, true # See #other_phase documentation
-      option :on_login, nil
-      option :on_registration, nil
-      option :on_failed_registration, nil
-      option :enable_registration, true
+
+      # Primary Feature Switches:
+      option :enable_registration, true   # See #other_phase and #request_phase
+      option :enable_login, true          # See #other_phase
+
+      # Customization Options:
+      option :on_login, nil               # See #request_phase
+      option :on_validation, nil          # See #registration_phase
+      option :on_registration, nil        # See #registration_phase
+      option :on_failed_registration, nil # See #registration_phase
       option :locate_conditions, ->(req) { { model.auth_key => req['auth_key'] } }
+      option :create_identity_link_text, 'Create an Identity'
+      option :registration_failure_message, 'One or more fields were invalid'
+      option :validation_failure_message, 'Validation failed'
+      option :title, 'Identity Verification' # Title for Login Form
+      option :registration_form_title, 'Register Identity' # Title for Registration Form
 
       def request_phase
         if options[:on_login]
           options[:on_login].call(env)
         else
-          OmniAuth::Form.build(
-            title: (options[:title] || 'Identity Verification'),
-            url: callback_path
-          ) do |f|
-            f.text_field 'Login', 'auth_key'
-            f.password_field 'Password', 'password'
-            if options[:enable_registration]
-              f.html "<p align='center'><a href='#{registration_path}'>Create an Identity</a></p>"
-            end
-          end.to_response
+          build_omniauth_login_form.to_response
         end
       end
 
@@ -60,36 +61,32 @@ module OmniAuth
         end
       end
 
-      def registration_form
+      def registration_form(validation_message = nil)
         if options[:on_registration]
           options[:on_registration].call(env)
         else
-          OmniAuth::Form.build(title: 'Register Identity') do |f|
-            options[:fields].each do |field|
-              f.text_field field.to_s.capitalize, field.to_s
-            end
-            f.password_field 'Password', 'password'
-            f.password_field 'Confirm Password', 'password_confirmation'
-          end.to_response
+          build_omniauth_registration_form(validation_message).to_response
         end
       end
 
       def registration_phase
-        attributes = (options[:fields] + %i[password password_confirmation]).each_with_object({}) do |k, h|
+        attributes = (options[:fields] + DEFAULT_REGISTRATION_FIELDS).each_with_object({}) do |k, h|
           h[k] = request[k.to_s]
         end
         if model.respond_to?(:column_names) && model.column_names.include?('provider')
           attributes.reverse_merge!(provider: 'identity')
         end
-        @identity = model.create(attributes)
-        if @identity.persisted?
-          env['PATH_INFO'] = callback_path
-          callback_phase
-        elsif options[:on_failed_registration]
+        @identity = model.new(attributes)
+        if saving_instead_of_creating?
           env['omniauth.identity'] = @identity
-          options[:on_failed_registration].call(env)
+          if !validating? || valid?
+            @identity.save
+            registration_result
+          else
+            registration_failure(options[:validation_failure_message])
+          end
         else
-          registration_form
+          deprecated_registration(attributes)
         end
       end
 
@@ -117,6 +114,80 @@ module OmniAuth
       def model
         options[:model] || ::Identity
       end
+
+      private
+
+      def build_omniauth_login_form
+        OmniAuth::Form.build(
+          title: options[:title],
+          url: callback_path
+        ) do |f|
+          f.text_field 'Login', 'auth_key'
+          f.password_field 'Password', 'password'
+          if options[:enable_registration]
+            f.html "<p align='center'><a href='#{registration_path}'>#{options[:create_identity_link_text]}</a></p>"
+          end
+        end
+      end
+
+      def build_omniauth_registration_form(validation_message)
+        OmniAuth::Form.build(title: options[:registration_form_title]) do |f|
+          f.html "<p style='color:red'>#{validation_message}</p>" if validation_message
+          options[:fields].each do |field|
+            f.text_field field.to_s.capitalize, field.to_s
+          end
+          f.password_field 'Password', 'password'
+          f.password_field 'Confirm Password', 'password_confirmation'
+        end
+      end
+
+      def saving_instead_of_creating?
+        @identity.respond_to?(:save) && @identity.respond_to?(:persisted?)
+      end
+
+      # Validates the model before it is persisted
+      #
+      # @return [truthy or falsey] :on_validation option is truthy or falsey
+      def validating?
+        !!options[:on_validation]
+      end
+
+      # Validates the model before it is persisted
+      #
+      # @return [true or false] result of :on_validation call
+      def valid?
+        # on_validation may run a Captcha or other validation mechanism
+        # Must return true when validation passes, false otherwise
+        !!options[:on_validation].call(env: env)
+      end
+
+      def registration_failure(message)
+        if options[:on_failed_registration]
+          options[:on_failed_registration].call(env)
+        else
+          registration_form(message)
+        end
+      end
+
+      def registration_result
+        if @identity.persisted?
+          env['PATH_INFO'] = callback_path
+          callback_phase
+        else
+          registration_failure(options[:registration_failure_message])
+        end
+      end
+
+      def deprecated_registration(attributes)
+        warn <<~CREATEDEP
+          [DEPRECATION] Please define '#{model.class}#save'.
+                        Behavior based on '#{model.class}.create' will be removed in omniauth-identity v4.0.
+                        See lib/omniauth/identity/model.rb
+        CREATEDEP
+        @identity = model.create(attributes)
+        env['omniauth.identity'] = @identity
+        registration_result
+      end
     end
   end
 end