omniauth-identity 3.0.3 → 3.0.8

data/lib/omniauth/identity/models/mongoid.rb

@@ -5,6 +5,7 @@ require 'mongoid'
 module OmniAuth
   module Identity
     module Models
+      # NOTE: Mongoid is based on ActiveModel.
       module Mongoid
         def self.included(base)
           base.class_eval do

data/lib/omniauth/identity/models/{no_brainer.rb → nobrainer.rb}

@@ -6,6 +6,7 @@ module OmniAuth
   module Identity
     module Models
       # http://nobrainer.io/ an ORM for RethinkDB
+      # NOTE: NoBrainer is based on ActiveModel.
       module NoBrainer
         def self.included(base)
           base.class_eval do

data/lib/omniauth/identity/models/sequel.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'nobrainer'
+
+module OmniAuth
+  module Identity
+    module Models
+      # http://sequel.jeremyevans.net/ an SQL ORM
+      # NOTE: Sequel is *not* based on ActiveModel, but supports the API we need, except for `persisted?`:
+      # * create
+      # * save
+      module Sequel
+        def self.included(base)
+          base.class_eval do
+            # NOTE: Using the deprecated :validations_class_methods because it defines
+            #       validates_confirmation_of, while current :validation_helpers does not.
+            # plugin :validation_helpers
+            plugin :validation_class_methods
+
+            include ::OmniAuth::Identity::Model
+            include ::OmniAuth::Identity::SecurePassword
+
+            has_secure_password
+
+            alias_method :persisted?, :valid?
+
+            def self.auth_key=(key)
+              super
+              validates_uniqueness_of :key, case_sensitive: false
+            end
+
+            def self.locate(search_hash)
+              where(search_hash).first
+            end
+
+            def persisted?
+              exists?
+            end
+
+            def save
+              super
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/omniauth/identity/secure_password.rb

@@ -4,7 +4,7 @@ require 'bcrypt'
 
 module OmniAuth
   module Identity
-    # This is taken directly from Rails 3.1 code and is used if
+    # This is lightly edited from Rails 6.1 code and is used if
     # the version of ActiveModel that's being used does not
     # include SecurePassword. The only difference is that instead of
     # using ActiveSupport::Concern, it checks to see if there is already
@@ -14,63 +14,124 @@ module OmniAuth
         base.extend ClassMethods unless base.respond_to?(:has_secure_password)
       end
 
+      # BCrypt hash function can handle maximum 72 bytes, and if we pass
+      # password of length more than 72 bytes it ignores extra characters.
+      # Hence need to put a restriction on password length.
+      MAX_PASSWORD_LENGTH_ALLOWED = 72
+
+      class << self
+        attr_accessor :min_cost # :nodoc:
+      end
+      self.min_cost = false
+
       module ClassMethods
         # Adds methods to set and authenticate against a BCrypt password.
-        # This mechanism requires you to have a password_digest attribute.
+        # This mechanism requires you to have a +XXX_digest+ attribute.
+        # Where +XXX+ is the attribute name of your desired password.
+        #
+        # The following validations are added automatically:
+        # * Password must be present on creation
+        # * Password length should be less than or equal to 72 bytes
+        # * Confirmation of password (using a +XXX_confirmation+ attribute)
         #
-        # Validations for presence of password, confirmation of password (using
-        # a "password_confirmation" attribute) are automatically added.
-        # You can add more validations by hand if need be.
+        # If confirmation validation is not needed, simply leave out the
+        # value for +XXX_confirmation+ (i.e. don't provide a form field for
+        # it). When this attribute has a +nil+ value, the validation will not be
+        # triggered.
+        #
+        # For further customizability, it is possible to suppress the default
+        # validations by passing <tt>validations: false</tt> as an argument.
+        #
+        # Add bcrypt (~> 3.1.7) to Gemfile to use #has_secure_password:
+        #
+        #   gem 'bcrypt', '~> 3.1.7'
         #
         # Example using Active Record (which automatically includes ActiveModel::SecurePassword):
         #
-        #   # Schema: User(name:string, password_digest:string)
+        #   # Schema: User(name:string, password_digest:string, recovery_password_digest:string)
         #   class User < ActiveRecord::Base
         #     has_secure_password
+        #     has_secure_password :recovery_password, validations: false
         #   end
         #
-        #   user = User.new(:name => "david", :password => "", :password_confirmation => "nomatch")
-        #   user.save                                                      # => false, password required
-        #   user.password = "mUc3m00RsqyRe"
-        #   user.save                                                      # => false, confirmation doesn't match
-        #   user.password_confirmation = "mUc3m00RsqyRe"
-        #   user.save                                                      # => true
-        #   user.authenticate("notright")                                  # => false
-        #   user.authenticate("mUc3m00RsqyRe")                             # => user
-        #   User.find_by_name("david").try(:authenticate, "notright")      # => nil
-        #   User.find_by_name("david").try(:authenticate, "mUc3m00RsqyRe") # => user
-        def has_secure_password
-          attr_reader :password
+        #   user = User.new(name: 'david', password: '', password_confirmation: 'nomatch')
+        #   user.save                                                  # => false, password required
+        #   user.password = 'mUc3m00RsqyRe'
+        #   user.save                                                  # => false, confirmation doesn't match
+        #   user.password_confirmation = 'mUc3m00RsqyRe'
+        #   user.save                                                  # => true
+        #   user.recovery_password = "42password"
+        #   user.recovery_password_digest                              # => "$2a$04$iOfhwahFymCs5weB3BNH/uXkTG65HR.qpW.bNhEjFP3ftli3o5DQC"
+        #   user.save                                                  # => true
+        #   user.authenticate('notright')                              # => false
+        #   user.authenticate('mUc3m00RsqyRe')                         # => user
+        #   user.authenticate_recovery_password('42password')          # => user
+        #   User.find_by(name: 'david')&.authenticate('notright')      # => false
+        #   User.find_by(name: 'david')&.authenticate('mUc3m00RsqyRe') # => user
+        def has_secure_password(attribute = :password, validations: true)
+          # Load bcrypt gem only when has_secure_password is used.
+          # This is to avoid ActiveModel (and by extension the entire framework)
+          # being dependent on a binary library.
+          begin
+            require 'bcrypt'
+          rescue LoadError
+            warn "You don't have bcrypt installed in your application. Please add it to your Gemfile and run bundle install"
+            raise
+          end
 
-          validates_confirmation_of :password
-          validates_presence_of     :password_digest
+          include InstanceMethodsOnActivation.new(attribute)
 
-          include InstanceMethodsOnActivation
+          if validations
+            include ActiveModel::Validations
 
-          if respond_to?(:attributes_protected_by_default)
-            def self.attributes_protected_by_default
-              super + ['password_digest']
+            # This ensures the model has a password by checking whether the password_digest
+            # is present, so that this works with both new and existing records. However,
+            # when there is an error, the message is added to the password attribute instead
+            # so that the error message will make sense to the end-user.
+            validate do |record|
+              record.errors.add(attribute, :blank) unless record.public_send("#{attribute}_digest").present?
             end
+
+            validates_length_of attribute, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
+            validates_confirmation_of attribute, allow_blank: true
           end
         end
       end
 
-      module InstanceMethodsOnActivation
-        # Returns self if the password is correct, otherwise false.
-        def authenticate(unencrypted_password)
-          if BCrypt::Password.new(password_digest) == unencrypted_password
-            self
-          else
-            false
+      class InstanceMethodsOnActivation < Module
+        def initialize(attribute)
+          attr_reader attribute
+
+          define_method("#{attribute}=") do |unencrypted_password|
+            if unencrypted_password.nil?
+              public_send("#{attribute}_digest=", nil)
+            elsif !unencrypted_password.empty?
+              instance_variable_set("@#{attribute}", unencrypted_password)
+              cost = ActiveModel::SecurePassword.min_cost ? BCrypt::Engine::MIN_COST : BCrypt::Engine.cost
+              public_send("#{attribute}_digest=", BCrypt::Password.create(unencrypted_password, cost: cost))
+            end
           end
-        end
 
-        # Encrypts the password into the password_digest attribute.
-        def password=(unencrypted_password)
-          @password = unencrypted_password
-          if unencrypted_password && !unencrypted_password.empty?
-            self.password_digest = BCrypt::Password.create(unencrypted_password)
+          define_method("#{attribute}_confirmation=") do |unencrypted_password|
+            instance_variable_set("@#{attribute}_confirmation", unencrypted_password)
           end
+
+          # Returns +self+ if the password is correct, otherwise +false+.
+          #
+          #   class User < ActiveRecord::Base
+          #     has_secure_password validations: false
+          #   end
+          #
+          #   user = User.new(name: 'david', password: 'mUc3m00RsqyRe')
+          #   user.save
+          #   user.authenticate_password('notright')      # => false
+          #   user.authenticate_password('mUc3m00RsqyRe') # => user
+          define_method("authenticate_#{attribute}") do |unencrypted_password|
+            attribute_digest = public_send("#{attribute}_digest")
+            BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
+          end
+
+          alias_method :authenticate, :authenticate_password if attribute == :password
         end
       end
     end

data/lib/omniauth/strategies/identity.rb

@@ -6,8 +6,8 @@ module OmniAuth
     # user authentication using the same process flow that you
     # use for external OmniAuth providers.
     class Identity
+      DEFAULT_REGISTRATION_FIELDS = %i[password password_confirmation].freeze
       include OmniAuth::Strategy
-
       option :fields, %i[name email]
 
       # Primary Feature Switches:
@@ -20,6 +20,11 @@ module OmniAuth
       option :on_registration, nil        # See #registration_phase
       option :on_failed_registration, nil # See #registration_phase
       option :locate_conditions, ->(req) { { model.auth_key => req['auth_key'] } }
+      option :create_identity_link_text, 'Create an Identity'
+      option :registration_failure_message, 'One or more fields were invalid'
+      option :validation_failure_message, 'Validation failed'
+      option :title, 'Identity Verification' # Title for Login Form
+      option :registration_form_title, 'Register Identity' # Title for Registration Form
 
       def request_phase
         if options[:on_login]
@@ -65,29 +70,25 @@ module OmniAuth
       end
 
       def registration_phase
-        attributes = (options[:fields] + %i[password password_confirmation]).each_with_object({}) do |k, h|
+        attributes = (options[:fields] + DEFAULT_REGISTRATION_FIELDS).each_with_object({}) do |k, h|
           h[k] = request[k.to_s]
         end
         if model.respond_to?(:column_names) && model.column_names.include?('provider')
           attributes.reverse_merge!(provider: 'identity')
         end
-        @identity = model.new(attributes)
-
-        # on_validation may run a Captcha or other validation mechanism
-        # Must return true when validation passes, false otherwise
-        if options[:on_validation] && !options[:on_validation].call(env: env)
-          if options[:on_failed_registration]
-            env['omniauth.identity'] = @identity
-            options[:on_failed_registration].call(env)
+        if validating?
+          @identity = model.new(attributes)
+          env['omniauth.identity'] = @identity
+          if valid?
+            @identity.save
+            registration_result
           else
-            validation_message = 'Validation failed'
-            registration_form(validation_message)
+            registration_failure(options[:validation_failure_message])
           end
-        elsif @identity.save && @identity.persisted?
-          env['PATH_INFO'] = callback_path
-          callback_phase
         else
-          show_custom_options_or_default
+          @identity = model.create(attributes)
+          env['omniauth.identity'] = @identity
+          registration_result
         end
       end
 
@@ -120,19 +121,19 @@ module OmniAuth
 
       def build_omniauth_login_form
         OmniAuth::Form.build(
-          title: (options[:title] || 'Identity Verification'),
+          title: options[:title],
           url: callback_path
         ) do |f|
           f.text_field 'Login', 'auth_key'
           f.password_field 'Password', 'password'
           if options[:enable_registration]
-            f.html "<p align='center'><a href='#{registration_path}'>Create an Identity</a></p>"
+            f.html "<p align='center'><a href='#{registration_path}'>#{options[:create_identity_link_text]}</a></p>"
           end
         end
       end
 
       def build_omniauth_registration_form(validation_message)
-        OmniAuth::Form.build(title: 'Register Identity') do |f|
+        OmniAuth::Form.build(title: options[:registration_form_title]) do |f|
           f.html "<p style='color:red'>#{validation_message}</p>" if validation_message
           options[:fields].each do |field|
             f.text_field field.to_s.capitalize, field.to_s
@@ -142,13 +143,36 @@ module OmniAuth
         end
       end
 
-      def show_custom_options_or_default
+      # Validates the model before it is persisted
+      #
+      # @return [truthy or falsey] :on_validation option is truthy or falsey
+      def validating?
+        !!options[:on_validation]
+      end
+
+      # Validates the model before it is persisted
+      #
+      # @return [true or false] result of :on_validation call
+      def valid?
+        # on_validation may run a Captcha or other validation mechanism
+        # Must return true when validation passes, false otherwise
+        !!options[:on_validation].call(env: env)
+      end
+
+      def registration_failure(message)
         if options[:on_failed_registration]
-          env['omniauth.identity'] = @identity
           options[:on_failed_registration].call(env)
         else
-          validation_message = 'One or more fields were invalid'
-          registration_form(validation_message)
+          registration_form(message)
+        end
+      end
+
+      def registration_result
+        if @identity.persisted?
+          env['PATH_INFO'] = callback_path
+          callback_phase
+        else
+          registration_failure(options[:registration_failure_message])
         end
       end
     end

data/spec/omniauth/identity/model_spec.rb

@@ -1,123 +1,43 @@
 # frozen_string_literal: true
 
-class ExampleModel
-  include OmniAuth::Identity::Model
-end
-
 RSpec.describe OmniAuth::Identity::Model do
-  context 'Class Methods' do
-    subject { ExampleModel }
-
-    describe '.locate' do
-      it('is abstract') { expect { subject.locate('abc') }.to raise_error(NotImplementedError) }
+  before do
+    identity_test_klass = Class.new do
+      include OmniAuth::Identity::Model
     end
+    stub_const('IdentityTestClass', identity_test_klass)
+  end
 
-    describe '.authenticate' do
-      it 'calls locate and then authenticate' do
-        mocked_instance = double('ExampleModel', authenticate: 'abbadoo')
-        allow(subject).to receive(:locate).with('email' => 'example').and_return(mocked_instance)
-        expect(subject.authenticate({ 'email' => 'example' }, 'pass')).to eq('abbadoo')
-      end
+  describe 'Class Methods' do
+    subject(:model_klass) { IdentityTestClass }
 
-      it 'calls locate with additional scopes when provided' do
-        mocked_instance = double('ExampleModel', authenticate: 'abbadoo')
-        allow(subject).to receive(:locate).with('email' => 'example',
-                                                'user_type' => 'admin').and_return(mocked_instance)
-        expect(subject.authenticate({ 'email' => 'example', 'user_type' => 'admin' }, 'pass')).to eq('abbadoo')
-      end
+    include_context 'model with class methods'
 
-      it 'recovers gracefully if locate is nil' do
-        allow(subject).to receive(:locate).and_return(nil)
-        expect(subject.authenticate('blah', 'foo')).to be false
+    describe '::locate' do
+      it('is abstract') do
+        expect { model_klass.locate('email' => 'example') }.to raise_error(NotImplementedError)
       end
     end
   end
 
-  context 'Instance Methods' do
-    subject { ExampleModel.new }
+  describe 'Instance Methods' do
+    subject(:instance) { IdentityTestClass.new }
 
-    describe '#authenticate' do
-      it('is abstract') { expect { subject.authenticate('abc') }.to raise_error(NotImplementedError) }
-    end
+    include_context 'instance with instance methods'
 
-    describe '#uid' do
-      it 'defaults to #id' do
-        allow(subject).to receive(:respond_to?).with(:id).and_return(true)
-        allow(subject).to receive(:id).and_return 'wakka-do'
-        expect(subject.uid).to eq('wakka-do')
-      end
-
-      it 'stringifies it' do
-        allow(subject).to receive(:id).and_return 123
-        expect(subject.uid).to eq('123')
-      end
-
-      it 'raises NotImplementedError if #id is not defined' do
-        allow(subject).to receive(:respond_to?).with(:id).and_return(false)
-        expect { subject.uid }.to raise_error(NotImplementedError)
-      end
+    describe '#authenticate' do
+      it('is abstract') { expect { instance.authenticate('my-password') }.to raise_error(NotImplementedError) }
     end
 
     describe '#auth_key' do
-      it 'defaults to #email' do
-        allow(subject).to receive(:respond_to?).with(:email).and_return(true)
-        allow(subject).to receive(:email).and_return('bob@bob.com')
-        expect(subject.auth_key).to eq('bob@bob.com')
-      end
-
-      it 'uses the class .auth_key' do
-        subject.class.auth_key 'login'
-        allow(subject).to receive(:login).and_return 'bob'
-        expect(subject.auth_key).to eq('bob')
-        subject.class.auth_key nil
-      end
-
       it 'raises a NotImplementedError if the auth_key method is not defined' do
-        expect { subject.auth_key }.to raise_error(NotImplementedError)
+        expect { instance.auth_key }.to raise_error(NotImplementedError)
       end
     end
 
     describe '#auth_key=' do
-      it 'defaults to setting email' do
-        allow(subject).to receive(:respond_to?).with(:email=).and_return(true)
-        expect(subject).to receive(:email=).with 'abc'
-
-        subject.auth_key = 'abc'
-      end
-
-      it 'uses a custom .auth_key if one is provided' do
-        subject.class.auth_key 'login'
-        allow(subject).to receive(:respond_to?).with(:login=).and_return(true)
-        expect(subject).to receive(:login=).with('abc')
-
-        subject.auth_key = 'abc'
-      end
-
-      it 'raises a NotImplementedError if the autH_key method is not defined' do
-        expect { subject.auth_key = 'broken' }.to raise_error(NotImplementedError)
-      end
-    end
-
-    describe '#info' do
-      it 'includes attributes that are set' do
-        allow(subject).to receive(:name).and_return('Bob Bobson')
-        allow(subject).to receive(:nickname).and_return('bob')
-
-        expect(subject.info).to eq({
-                                     'name' => 'Bob Bobson',
-                                     'nickname' => 'bob'
-                                   })
-      end
-
-      it 'automaticallies set name off of nickname' do
-        allow(subject).to receive(:nickname).and_return('bob')
-        subject.info['name'] == 'bob'
-      end
-
-      it 'does not overwrite a provided name' do
-        allow(subject).to receive(:name).and_return('Awesome Dude')
-        allow(subject).to receive(:first_name).and_return('Frank')
-        expect(subject.info['name']).to eq('Awesome Dude')
+      it 'raises a NotImplementedError if the auth_key method is not defined' do
+        expect { instance.auth_key = 'broken' }.to raise_error(NotImplementedError)
       end
     end
   end