pillowfort 0.1.2 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 79ad110faff2311bfa921692616527606ab26a6b
-  data.tar.gz: 664c0965f9784ec4b2bb234b0069693a7e300b6d
+  metadata.gz: 090ed10762f83742768099773d63068509626187
+  data.tar.gz: ff8ca919af0d107937dad72486dfcfb90b825892
 SHA512:
-  metadata.gz: 986537184b9046344eaa78e13fd4dd4e1918ef720eac61eee0ee8fa9873d322d2e0402ee0fb38474c5f20ffa29c112948cf5f4621a1b1fbe806b068d9045ddcf
-  data.tar.gz: 22077770faa03688705f150e055fd1e3f112a2a9a9bd29a4349eeb519fe88cfc867c0cce62a01fc26305706546e609bf7f1d7431c466ef0a36ce0ed8905899c9
+  metadata.gz: 5fe28a307620e700011e9a3c99768a9f20380e116ac5dd5ed2c77c5ece56824f9d3ca849273c2ea5701b1587fc0350f2707d49c01c846963cd6e4845151bd1bd
+  data.tar.gz: c203cfc9f830a6c63dc00a05a40d15074d20f61f3002bada09d4346ef6b315086a35d6f14086526c284a7cc6f24f4f354eec94aa925524f11e2197786d113021

data/Rakefile

@@ -19,5 +19,15 @@ end
 load 'rails/tasks/statistics.rake'
 
 
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
 
 Bundler::GemHelper.install_tasks
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+desc "Run all the specs in the dummy app"
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task :default => :spec

data/app/controllers/pillowfort/concerns/controller_activation.rb

@@ -0,0 +1,27 @@
+require 'pillowfort/model_context'
+require 'pillowfort/controller_methods'
+
+module Pillowfort
+  module Concerns::ControllerActivation
+    extend ActiveSupport::Concern
+    include Pillowfort::ControllerMethods
+
+    included do
+      before_filter :enforce_activation!
+    end
+
+    private
+
+    def enforce_activation!
+      context = Pillowfort::ModelContext
+      if resource = self.send(context.resource_reader_name)
+        unless resource.activated?
+          head :forbidden
+        end
+      else
+        return false
+      end
+    end
+
+  end
+end

data/app/controllers/pillowfort/concerns/controller_authentication.rb

@@ -1,9 +1,11 @@
 require 'pillowfort/model_context'
+require 'pillowfort/controller_methods'
 
 module Pillowfort
   module Concerns::ControllerAuthentication
     extend ActiveSupport::Concern
     include ActionController::HttpAuthentication::Basic::ControllerMethods
+    include Pillowfort::ControllerMethods
 
     included do
       before_filter :authenticate_from_account_token!
@@ -26,15 +28,6 @@ module Pillowfort
       allow_client_to_handle_unauthorized_status
     end
 
-    def ensure_resource_reader(context)
-      reader_name = context.resource_reader_name
-      return if respond_to? reader_name
-
-      self.class.send :define_method, reader_name do
-        @authentication_resource
-      end
-    end
-
     # This is necessary, as it allows Cordova to properly delegate 401 response
     # handling to our application.  If we keep this header, Cordova will defer
     # handling to iOS, and we'll never see the 401 status in the app... it'll just

data/app/models/pillowfort/concerns/model_activation.rb

@@ -0,0 +1,84 @@
+require 'pillowfort/model_context'
+require 'pillowfort/token_generator'
+require 'pillowfort/model_finder'
+
+module Pillowfort
+  module Concerns::ModelActivation
+    extend ActiveSupport::Concern
+
+    included do
+      Pillowfort::ModelContext.model_class = self
+
+      # non-activated resource
+      validates :activation_token, presence: true, uniqueness: true, unless: :activated_at
+      validates :activation_token_expires_at, presence: true, unless: :activated_at
+      validates :activated_at, absence: true, if: :activation_token_expires_at
+
+      # Activated resource
+      validates :activation_token, presence: true, uniqueness: true, allow_nil: true, if: :activated_at
+      validates :activated_at, presence: true, unless: :activation_token_expires_at
+      validates :activation_token_expires_at, absence: true, if: :activated?
+
+      def create_activation_token(expiry: nil)
+        expiry ||= 1.hour.from_now
+        self.activation_token = generate_activation_token
+        self.activation_token_expires_at = expiry
+      end
+
+      def create_activation_token!(expiry: nil)
+        create_activation_token(expiry)
+        save validate: false
+      end
+
+      def activation_token_expired?
+        if activation_token_expires_at
+          activation_token_expires_at <= Time.now
+        else
+          true
+        end
+      end
+
+      def activated?
+        !!activated_at
+      end
+
+      def activate!
+        update_columns \
+          activated_at: Time.now,
+          activation_token_expires_at: nil
+      end
+
+      private
+
+      def generate_activation_token
+        resource_class = self.class
+        loop do
+          token = resource_class.friendly_token
+          break token unless resource_class.where(activation_token: token).first
+        end
+      end
+    end
+
+    module ClassMethods
+      include Pillowfort::TokenGenerator
+      include Pillowfort::ModelFinder
+
+      def find_and_activate(email, token)
+        return false if email.blank? || token.blank?
+
+        transaction do
+          if resource = find_by_email_case_insensitive(email)
+            if resource.activation_token_expired?
+              return false
+            else
+              if secure_compare(resource.activation_token, token)
+                resource.activate!
+                yield resource if block_given?
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/models/pillowfort/concerns/model_authentication.rb

@@ -1,5 +1,7 @@
 require 'bcrypt'
 require 'pillowfort/model_context'
+require 'pillowfort/token_generator'
+require 'pillowfort/model_finder'
 
 module Pillowfort
   module Concerns::ModelAuthentication
@@ -15,7 +17,7 @@ module Pillowfort
       has_secure_password
 
       validates :email, presence: true, uniqueness: true
-      validates :password, length: { minimum: MIN_PASSWORD_LENGTH }
+      validates :password, length: { minimum: MIN_PASSWORD_LENGTH }, allow_nil: true
 
       before_save :ensure_auth_token
 
@@ -33,14 +35,14 @@ module Pillowfort
         save validate: false
       end
 
-      def token_expired?
+      def auth_token_expired?
         auth_token_expires_at <= Time.now
       end
 
       private
 
       def touch_token_expiry!
-        update_column :auth_token_expires_at, 1.day.from_now
+        update_column :auth_token_expires_at, Time.now + auth_token_ttl
       end
 
       def generate_auth_token
@@ -53,6 +55,9 @@ module Pillowfort
     end
 
     module ClassMethods
+      include Pillowfort::TokenGenerator
+      include Pillowfort::ModelFinder
+
       def authenticate_securely(email, token)
         return false if email.blank? || token.blank?
 
@@ -63,7 +68,7 @@ module Pillowfort
 
             # if the resource token is expired, reset it and
             # return false, triggering a 401
-            if resource.token_expired?
+            if resource.auth_token_expired?
               resource.reset_auth_token!
               return false
             else
@@ -81,7 +86,7 @@ module Pillowfort
 
       def find_and_authenticate(email, password)
         resource = find_by_email_case_insensitive(email)
-  
+
         if resource && resource.authenticate(password)
           resource.tap do |u|
             u.reset_auth_token!
@@ -90,26 +95,6 @@ module Pillowfort
           return false
         end
       end
-
-      def find_by_email_case_insensitive(email)
-        find_by("lower(email) = ?", email.downcase)
-      end
-
-      # constant-time comparison algorithm to prevent timing attacks.  Lifted
-      # from Devise.
-      def secure_compare(a, b)
-        return false if a.blank? || b.blank? || a.bytesize != b.bytesize
-        l = a.unpack "C#{a.bytesize}"
-
-        res = 0
-        b.each_byte { |byte| res |= byte ^ l.shift }
-        res == 0
-      end
-
-      # Generates a value for our auth token.  Lifted from Devise.
-      def friendly_token
-        SecureRandom.base64(32).tr('+/=lIO0', 'pqrsxyz')
-      end
     end
   end
 end

data/app/models/pillowfort/concerns/model_password_reset.rb

@@ -0,0 +1,62 @@
+require 'pillowfort/model_context'
+require 'pillowfort/token_generator'
+require 'pillowfort/model_finder'
+
+module Pillowfort
+  module Concerns::ModelPasswordReset
+    extend ActiveSupport::Concern
+
+    included do
+      def create_password_reset_token(expiry: nil)
+        expiry ||= 1.hour.from_now
+        self.password_reset_token = generate_password_reset_token
+        self.password_reset_token_expires_at = expiry
+      end
+
+      def password_token_expired?
+        if password_reset_token_expires_at
+          password_reset_token_expires_at <= Time.now
+        else
+          true
+        end
+      end
+
+      def clear_password_reset_token
+        update_columns \
+          password_reset_token: nil,
+          password_reset_token_expires_at: nil
+      end
+
+      private
+
+      def generate_password_reset_token
+        resource_class = self.class
+        loop do
+          token = resource_class.friendly_token
+          break token unless resource_class.where(password_reset_token: token).first
+        end
+      end
+    end
+
+    module ClassMethods
+      include Pillowfort::TokenGenerator
+      include Pillowfort::ModelFinder
+
+      def find_and_validate_password_reset_token(email, token)
+        return false if email.blank? || token.blank?
+
+        transaction do
+          if resource = find_by_email_case_insensitive(email)
+            if resource.password_token_expired?
+              return false
+            else
+              if secure_compare(resource.password_reset_token, token)
+                yield resource if block_given?
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pillowfort/controller_methods.rb

@@ -0,0 +1,12 @@
+module Pillowfort
+  module ControllerMethods
+    def ensure_resource_reader(context)
+      reader_name = context.resource_reader_name
+      return if respond_to? reader_name
+
+      self.class.send :define_method, reader_name do
+        @authentication_resource
+      end
+    end
+  end
+end

data/lib/pillowfort/model_finder.rb

@@ -0,0 +1,7 @@
+module Pillowfort
+  module ModelFinder
+    def find_by_email_case_insensitive(email)
+      find_by("lower(email) = ?", email.downcase)
+    end
+  end
+end

data/lib/pillowfort/token_generator.rb

@@ -0,0 +1,19 @@
+module Pillowfort
+  module TokenGenerator
+    # constant-time comparison algorithm to prevent timing attacks.  Lifted
+    # from Devise.
+    def secure_compare(a, b)
+      return false if a.blank? || b.blank? || a.bytesize != b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    # Generates a value for our auth token.  Lifted from Devise.
+    def friendly_token
+      SecureRandom.base64(32).tr('+/=lIO0', 'pqrsxyz')
+    end
+  end
+end

data/lib/pillowfort/version.rb

@@ -1,3 +1,3 @@
 module Pillowfort
-  VERSION = "0.1.2"
+  VERSION = "0.2.1"
 end

data/spec/{dummy/spec/controllers → controllers}/accounts_controller_spec.rb

@@ -6,7 +6,10 @@ describe AccountsController, :type => :controller do
 
     context 'when authenticated' do
       let(:account) { FactoryGirl.create :account }
-      before { authenticate_with account }
+      before {
+        account.activate!
+        authenticate_with account
+      }
 
       describe 'unprotected #index' do
         before { get :index }
@@ -30,6 +33,21 @@ describe AccountsController, :type => :controller do
         it { should have_http_status :unauthorized }
       end
     end
+
+    context 'when not activated' do
+      let(:account) { FactoryGirl.create :account }
+      before { authenticate_with account }
+
+      describe 'unprotected #index' do
+        before { get :index }
+        it { should have_http_status :success }
+      end
+
+      describe 'protected #show' do
+        before { get :show, id: 1 }
+        it { should have_http_status :forbidden }
+      end
+    end
   end
 
   describe 'its methods' do

data/spec/dummy/app/controllers/accounts_controller.rb

@@ -1,7 +1,9 @@
 class AccountsController < ApplicationController
   include Pillowfort::Concerns::ControllerAuthentication
+  include Pillowfort::Concerns::ControllerActivation
 
   skip_filter :authenticate_from_account_token!, only: [:index]
+  skip_filter :enforce_activation!, only: [:index]
 
   def index
     head :ok

data/spec/dummy/app/models/account.rb

@@ -1,3 +1,5 @@
 class Account < ActiveRecord::Base
   include Pillowfort::Concerns::ModelAuthentication
+  include Pillowfort::Concerns::ModelPasswordReset
+  include Pillowfort::Concerns::ModelActivation
 end

data/spec/dummy/config/database.yml

@@ -8,10 +8,14 @@ default: &default
   adapter: sqlite3
   pool: 5
   timeout: 5000
-  
+
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
 # Do not set this db to the same as development or production.
 test:
   <<: *default
   database: db/test.sqlite3
+
+development:
+  <<: *default
+  database: db/development.sqlite3

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,42 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = true
+
+  # Configure static file server for tests with Cache-Control for performance.
+  config.serve_static_files   = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Randomize the order test cases are executed.
+  config.active_support.test_order = :random
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end