quo_vadis 1.0.1 → 1.0.2

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    quo_vadis (1.0.1)
+    quo_vadis (1.0.2)
       bcrypt-ruby (~> 2.1.4)
       rails (~> 3.0)
 

data/README.md

@@ -8,11 +8,11 @@ Features:
 * No surprises: it does what you expect.
 * Easy to customise.
 * Uses BCrypt to encrypt passwords.
-* Sign in, sign out, authenticate actions.
+* Sign in, sign out, forgotten password, authenticate actions.
 
 Forthcoming features:
 
-* Handle forgotten-details.
+* Generate the views for you.
 * Let you choose which model(s) to authenticate (currently `User`).
 * Let you choose the identification field (currently `username`).
 * Remember authenticated user across browser sessions.
@@ -35,9 +35,9 @@ What it doesn't and won't do:
 
 If this takes you more than 5 minutes, you can have your money back ;)
 
-Install and run the generator: add `gem 'quo_vadis'` to your Gemfile and run `rails generate quo_vadis:install`.
+Install and run the generator: add `gem 'quo_vadis'` to your Gemfile, run `bundle install`, then `rails generate quo_vadis:install`.
 
-Edit and run the generated migration to add authentication columns: `rake db:migrate`.  Note the migration (currently) assumes you already have a `User` model.
+Edit and run the generated migration to add the authentication columns: `rake db:migrate`.  Note the migration (currently) assumes you already have a `User` model.
 
 In your `User` model, add `authenticates`:
 
@@ -45,7 +45,7 @@ In your `User` model, add `authenticates`:
       authenticates
     end
 
-Note Quo Vadis validates the presence of the password, but it's up to you to add any other validations you want.
+Note Quo Vadis validates the presence and uniqueness of the username, and the presence of the password, but it's up to you to add any other validations you want.
 
 Use `:authenticate` in a `before_filter` to protect your controllers' actions.  For example:
 
@@ -56,11 +56,52 @@ Use `:authenticate` in a `before_filter` to protect your controllers' actions.
 Write the sign-in view.  Your sign-in form must:
 
 * be in `app/views/sessions/new.html.:format`
-* post the parameters `:username` and `:password` to `sign_in_url`
+* POST the parameters `:username` and `:password` to `sign_in_url`
 
 You have to write the view yourself because you'd inevitably want to change whatever markup I generated for you.
 
-In your layout, use `current_user` to retrieve the signed-in user, and `sign_in_path` and `sign_out_path` as appropriate.
+Remember to serve your sign in form over HTTPS -- to avoid [the credentials being stolen](http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html).
+
+In your layout, use `current_user` to retrieve the signed-in user; and `sign_in_path`, `sign_out_path`, and `forgotten_sign_in_path` as appropriate.
+
+
+## Forgotten Password
+
+Here's the workflow:
+
+1. [Sign in page] The user clicks the "I've forgotten my password" link.
+2. [Forgotten password page] The user enters their username in the form and submits it.
+3. Quo Vadis emails the user a message with a change-password link.  The link is valid for 3 hours.
+4. [The email] The user clicks the link.
+5. [Change password page] The user types in a new password and saves it.
+6. Quo Vadis changes the user's password and signs the user in.
+
+It'll take you about 5 minutes to implement this.
+
+On your sign-in page, link to the forgotten-password view at `forgotten_sign_in_url`.
+
+Write the forgotten-password view.  The form must:
+
+* be in `app/views/sessions/forgotten.html.:format`
+* POST the parameter `:username` to `forgotten_sign_in_url`
+
+Now write the mailer view, i.e. the email which will be sent to your forgetful users.  The view must:
+
+* be at `app/views/quo_vadis/notifier/change_password.text.erb`
+* render `@url` somewhere (this is the link the user clicks to go to the change-password page)
+
+You can also refer to `@username` in the email view.
+
+Configure the email's from address in `config/initializers/quo_vadis.rb`.
+
+Configure the default host so ActionMailer can generate the URL.  In `config/environments/<env>.rb`:
+
+    config.action_mailer.default_url_options = {:host => 'yourdomain.com'}
+
+Finally, write the change-password page.  The form must:
+
+* be in `app/views/sessions/edit.html.:format`
+* PUT the parameter `:password` to `change_password_url(params[:token])`
 
 
 ## Customisation

data/app/controllers/controller_mixin.rb

@@ -3,7 +3,7 @@ module ControllerMixin
     base.helper_method :current_user
   end
 
-  private  # TODO: does this mark them as private once mixed in?
+  private
 
   def current_user=(user)
     session[:current_user_id] = user ? user.id : nil
@@ -16,7 +16,7 @@ module ControllerMixin
   def authenticate
     unless current_user
       session[:quo_vadis_original_url] = request.fullpath
-      flash[:notice] = t('quo_vadis.flash.before_sign_in') unless t('quo_vadis.flash.before_sign_in').blank?
+      flash[:notice] = t('quo_vadis.flash.sign_in.before') unless t('quo_vadis.flash.sign_in.before').blank?
       redirect_to sign_in_url
     end
   end

data/app/controllers/quo_vadis/sessions_controller.rb

@@ -1,26 +1,24 @@
 class QuoVadis::SessionsController < ApplicationController
   layout :quo_vadis_layout
 
-  # sign in
+  # GET sign_in_path
   def new
     render 'sessions/new'
   end
 
-  # sign in
+  # POST sign_in_path
   def create
     if user = User.authenticate(params[:username], params[:password])
-      self.current_user = user
-      QuoVadis.signed_in_hook user, self
-      flash[:notice] = t('quo_vadis.flash.after_sign_in') unless t('quo_vadis.flash.after_sign_in').blank?
-      redirect_to QuoVadis.signed_in_url(user, original_url)
+      flash[:notice] = t('quo_vadis.flash.sign_in.after') unless t('quo_vadis.flash.sign_in.after').blank?
+      sign_in user
     else
       QuoVadis.failed_sign_in_hook self
-      flash.now[:alert] = t('quo_vadis.flash.failed_sign_in') unless t('quo_vadis.flash.failed_sign_in').blank?
+      flash.now[:alert] = t('quo_vadis.flash.sign_in.failed') unless t('quo_vadis.flash.sign_in.failed').blank?
       render 'sessions/new'
     end
   end
 
-  # sign out
+  # GET sign_out_path
   def destroy
     QuoVadis.signed_out_hook current_user, self
     self.current_user = nil
@@ -28,14 +26,73 @@ class QuoVadis::SessionsController < ApplicationController
     redirect_to QuoVadis.signed_out_url
   end
 
+  # GET forgotten_sign_in_path
+  # POST forgotten_sign_in_path
+  def forgotten
+    if request.get?
+      render 'sessions/forgotten'
+    elsif request.post?
+      if (user = User.where(:username => params[:username]).first)
+        if user.email.present?
+          user.generate_token
+          QuoVadis::Notifier.change_password(user).deliver
+          flash[:notice] = t('quo_vadis.flash.forgotten.sent_email') unless t('quo_vadis.flash.forgotten.sent_email').blank?
+          redirect_to :root
+        else
+          flash.now[:alert] = t('quo_vadis.flash.forgotten.no_email') unless t('quo_vadis.flash.forgotten.no_email').blank?
+          render 'sessions/forgotten'
+        end
+      else
+        flash.now[:alert] = t('quo_vadis.flash.forgotten.unknown') unless t('quo_vadis.flash.forgotten.unknown').blank?
+        render 'sessions/forgotten'
+      end
+    end
+  end
+
+  # GET change_password_path /sign-in/change-password/:token
+  def edit
+    if User.valid_token(params[:token]).first
+      render 'sessions/edit'
+    else
+      invalid_token
+    end
+  end
+
+  # PUT change_password_path /sign-in/change-password/:token
+  def update
+    if (user = User.valid_token(params[:token]).first)
+      user.password = params[:password]
+      if user.save
+        user.clear_token
+        flash[:notice] = t('quo_vadis.flash.forgotten.password_changed') unless t('quo_vadis.flash.forgotten.password_changed').blank?
+        sign_in user
+      else
+        render 'sessions/edit'
+      end
+    else
+      invalid_token
+    end
+  end
+
   private
 
+  def sign_in(user)
+    self.current_user = user
+    QuoVadis.signed_in_hook user, self
+    redirect_to QuoVadis.signed_in_url(user, original_url)
+  end
+
   def original_url
     url = session[:quo_vadis_original_url]
     session[:quo_vadis_original_url] = nil
     url
   end
 
+  def invalid_token
+    flash[:alert] = t('quo_vadis.flash.forgotten.invalid_token') unless t('quo_vadis.flash.forgotten.invalid_token').blank?
+    redirect_to forgotten_sign_in_url
+  end
+
   def quo_vadis_layout
     QuoVadis.layout
   end

data/app/mailers/quo_vadis/notifier.rb

@@ -0,0 +1,11 @@
+module QuoVadis
+  class Notifier < ActionMailer::Base
+
+    def change_password(user)
+      @username = user.username
+      @url = change_password_url user.token
+      mail :to => user.email, :from => QuoVadis.from, :subject => QuoVadis.subject
+    end
+
+  end
+end

data/app/models/model_mixin.rb

@@ -13,9 +13,11 @@ module ModelMixin
       attr_reader    :password
       attr_protected :password_digest
 
-      validates      :username,        :presence => true, :uniqueness => true
-      validates      :password,        :on => :create, :presence => true
-      validates      :password_digest, :presence => true
+      validates :username,        :presence => true, :uniqueness => true
+      validates :password,        :presence => true, :if => Proc.new { |u| u.changed.include?('password_digest') }
+      validates :password_digest, :presence => true
+
+      scope :valid_token, lambda { |token| where("token = ? AND token_created_at > ?", token, 3.hours.ago) }
 
       instance_eval <<-END
         def authenticate(username, plain_text_password)
@@ -36,9 +38,27 @@ module ModelMixin
       self.password_digest = BCrypt::Password.create plain_text_password
     end
 
+    def generate_token
+      begin
+        self.token = url_friendly_token
+      end while self.class.exists?(:token => token)
+      self.token_created_at = Time.now.utc
+      save
+    end
+
+    def clear_token
+      update_attributes :token => nil, :token_created_at => nil
+    end
+
     def has_matching_password?(plain_text_password)
       BCrypt::Password.new(password_digest) == plain_text_password
     end
+
+    private
+
+    def url_friendly_token
+      ActiveSupport::SecureRandom.base64(10).tr('+/=', 'xyz')
+    end
   end
 
 end

data/config/initializers/quo_vadis.rb

@@ -48,6 +48,17 @@ QuoVadis.configure do |config|
   config.signed_out_hook = nil
 
 
+  #
+  # Forgotten-password Mailer
+  #
+
+  # From whom the forgotten-password email should be sent.
+  config.from = 'noreply@example.com'
+
+  # Subject of the forgotten-password email.
+  config.subject = 'Change your password'
+
+
   #
   # Miscellaneous
   #

data/config/locales/quo_vadis.en.yml

@@ -1,7 +1,16 @@
 en:
   quo_vadis:
     flash:
-      before_sign_in: 'Please sign in first.'
-      after_sign_in: 'You have successfully signed in.'
-      failed_sign_in: 'Sorry, we did not recognise you.'
+      sign_in:
+        before: 'Please sign in first.'
+        after: 'You have successfully signed in.'
+        failed: 'Sorry, we did not recognise you.'
+
       sign_out: 'You have successfully signed out.'
+
+      forgotten:
+        unknown: "Sorry, we did not recognise you."
+        no_email: "Sorry, we don't have an email address for you."
+        sent_email: "We've emailed you a link where you can change your password."
+        invalid_token: "Sorry, this link isn't valid anymore."
+        password_changed: "You have successfully changed your password and you're now signed in."

data/config/routes.rb

@@ -1,7 +1,13 @@
-Rails.application.routes.draw do |map|
+Rails.application.routes.draw do
   scope :module => 'quo_vadis' do
-    get  'sign-in'  => 'sessions#new',     :as => 'sign_in'
-    post 'sign-in'  => 'sessions#create',  :as => 'sign_in'
-    get  'sign-out' => 'sessions#destroy', :as => 'sign_out'
+    get  'sign-in'                 => 'sessions#new',       :as => 'sign_in'
+    post 'sign-in'                 => 'sessions#create',    :as => 'sign_in'
+    get  'sign-out'                => 'sessions#destroy',   :as => 'sign_out'
+    get  'sign-in/forgotten'       => 'sessions#forgotten', :as => 'forgotten_sign_in'
+    post 'sign-in/forgotten'       => 'sessions#forgotten', :as => 'forgotten_sign_in'
+    constraints :token => /.+/ do
+      get 'sign-in/change-password/:token' => 'sessions#edit',   :as => 'change_password'
+      put 'sign-in/change-password/:token' => 'sessions#update', :as => 'change_password'
+    end
   end
 end

data/lib/generators/quo_vadis/templates/migration.rb

@@ -1,11 +1,18 @@
 class AddAuthenticationToUsers < ActiveRecord::Migration
   def self.up
-    add_column :users, :username,        :string  # for user identification
-    add_column :users, :password_digest, :string
+    add_column :users, :username,         :string  # for user identification
+    add_column :users, :password_digest,  :string
+
+    add_column :users, :email,            :string  # for forgotten-credentials
+    add_column :users, :token,            :string  # for forgotten-credentials
+    add_column :users, :token_created_at, :string  # for forgotten-credentials
   end
 
   def self.down
     remove_column :users, :username
     remove_column :users, :password_digest
+    remove_column :users, :email
+    remove_column :users, :token
+    remove_column :users, :token_created_at
   end
 end

data/lib/quo_vadis/version.rb

@@ -1,3 +1,3 @@
 module QuoVadis
-  VERSION = '1.0.1'
+  VERSION = '1.0.2'
 end

data/lib/quo_vadis.rb

@@ -57,6 +57,19 @@ module QuoVadis
   end
 
 
+  #
+  # Forgotten-password Mailer
+  #
+
+  # From whom the forgotten-password email should be sent.
+  mattr_accessor :from
+  @@from = 'noreply@example.com'
+
+  # Subject of the forgotten-password email.
+  mattr_accessor :subject
+  @@subject = 'Change your password.'
+
+
   #
   # Miscellaneous
   #

data/test/dummy/Rakefile

@@ -0,0 +1,7 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+require 'rake'
+
+Dummy::Application.load_tasks

data/test/dummy/app/views/quo_vadis/notifier/change_password.text.erb

@@ -0,0 +1,9 @@
+Hello <%= @username %>,
+
+We've received a request to change your password.  If this wasn't you,
+please ignore this email and your password will be left alone.
+
+If you do want to change your password, just click this link (valid for 3 hours):
+<%= @url %>
+
+Thanks!

data/test/dummy/app/views/sessions/edit.html.erb

@@ -0,0 +1,11 @@
+<h1>Change your password</h1>
+
+<%= form_tag change_password_path(params[:token]), :method => :put do %>
+  <p>
+    <%= label_tag :password %>
+    <%= password_field_tag :password %>
+  </p>
+  <p>
+    <%= submit_tag 'Change my password' %>
+  </p>
+<% end %>

data/test/dummy/app/views/sessions/forgotten.html.erb

@@ -0,0 +1,13 @@
+<h1>Forgotten your password?</h1>
+
+<p>Don't worry, it happens to the best of us.  Just tell us who you are, and we'll send you an email explaining how to change your password.</p>
+
+<%= form_tag forgotten_sign_in_path do %>
+  <p>
+    <%= label_tag :username %>
+    <%= text_field_tag :username %>
+  </p>
+  <p>
+    <%= submit_tag 'Send me that email' %>
+  </p>
+<% end %>

data/test/dummy/config/environments/test.rb

@@ -25,6 +25,8 @@ Dummy::Application.configure do
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
+  config.action_mailer.default_url_options = {:host => 'www.example.com'}
+
   # Use SQL instead of Active Record's schema dumper when creating the test database.
   # This is necessary if your schema can't be completely dumped by the schema dumper,
   # like if you have constraints or database-specific column types

data/test/dummy/config/initializers/quo_vadis.rb

@@ -0,0 +1,58 @@
+QuoVadis.configure do |config|
+
+  #
+  # Redirection URLs
+  #
+
+  # The URL to redirect the user to after s/he signs in.
+  # Use a proc if the URL depends on the user.  E.g.:
+  #
+  # config.signed_in_url = Proc.new do |user|
+  #   user.admin? ? :admin : :root
+  # end
+  #
+  # See also `:override_original_url`.
+  config.signed_in_url = :root
+
+  # Whether the `:signed_in_url` should override the URL the user was trying
+  # to reach when they were made to authenticate.
+  config.override_original_url = false
+
+  # The URL to redirect the user to after s/he signs out.
+  config.signed_out_url = :root
+
+
+  #
+  # Hooks
+  #
+
+  # Code to run when the user has signed in.  E.g.:
+  #
+  # config.signed_in_hook = Proc.new do |user, controller|
+  #   user.increment! :sign_in_count  # assuming this attribute exists
+  # end
+  config.signed_in_hook = nil
+
+  # Code to run when someone has tried but failed to sign in.  E.g.:
+  #
+  # config.failed_sign_in_hook = Proc.new do |controller|
+  #   logger.info "Failed sign in from #{controller.request.remote_ip}"
+  # end
+  config.failed_sign_in_hook = nil
+
+  # Code to run just before the user has signed out.  E.g.:
+  #
+  # config.signed_out_hook = Proc.new do |user, controller|
+  #   controller.session.reset
+  # end
+  config.signed_out_hook = nil
+
+
+  #
+  # Miscellaneous
+  #
+
+  # Layout for the sign-in view.  Pass a string or a symbol.
+  config.layout = 'application'
+
+end

data/test/dummy/config/locales/quo_vadis.en.yml

@@ -0,0 +1,7 @@
+en:
+  quo_vadis:
+    flash:
+      before_sign_in: 'Please sign in first.'
+      after_sign_in: 'You have successfully signed in.'
+      failed_sign_in: 'Sorry, we did not recognise you.'
+      sign_out: 'You have successfully signed out.'

data/test/dummy/db/migrate/20110127094709_add_authentication_to_users.rb

@@ -0,0 +1,18 @@
+class AddAuthenticationToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :username,         :string  # for user identification
+    add_column :users, :password_digest,  :string
+
+    add_column :users, :email,            :string  # for forgotten-credentials
+    add_column :users, :token,            :string  # for forgotten-credentials
+    add_column :users, :token_created_at, :string  # for forgotten-credentials
+  end
+
+  def self.down
+    remove_column :users, :username
+    remove_column :users, :password_digest
+    remove_column :users, :email
+    remove_column :users, :token
+    remove_column :users, :token_created_at
+  end
+end

data/test/dummy/db/schema.rb

@@ -0,0 +1,33 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended to check this file into your version control system.
+
+ActiveRecord::Schema.define(:version => 20110127094709) do
+
+  create_table "articles", :force => true do |t|
+    t.string   "title"
+    t.text     "content"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  create_table "users", :force => true do |t|
+    t.string   "name"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+    t.string   "username"
+    t.string   "password_digest"
+    t.string   "email"
+    t.string   "token"
+    t.string   "token_created_at"
+  end
+
+end

data/test/integration/config_test.rb

@@ -99,4 +99,18 @@ class ConfigTest < ActiveSupport::IntegrationCase
     assert page.has_content?('Sessions layout')
   end
 
+  test 'mailer from config' do
+    QuoVadis.from = 'jim@example.com'
+    (user = User.last).generate_token
+    email = QuoVadis::Notifier.change_password(user)
+    assert_equal ['jim@example.com'], email.from
+  end
+
+  test 'mailer subject config' do
+    QuoVadis.subject = 'You idiot!'
+    (user = User.last).generate_token
+    email = QuoVadis::Notifier.change_password(user)
+    assert_equal 'You idiot!', email.subject
+  end
+
 end

data/test/integration/forgotten_test.rb

@@ -0,0 +1,83 @@
+require 'test_helper'
+
+class ForgottenTest < ActiveSupport::IntegrationCase
+
+  teardown do
+    Capybara.reset_sessions!
+  end
+
+  test 'user fills in forgotten-password form with invalid username' do
+    submit_forgotten_details 'bob'
+    assert_equal forgotten_sign_in_path, current_path
+    within '.flash.alert' do
+      assert page.has_content?("Sorry, we did not recognise you.")
+    end
+  end
+
+  test 'user without email requests password-change email' do
+    user_factory 'Bob', 'bob', 'secret'
+    submit_forgotten_details 'bob'
+    assert_equal forgotten_sign_in_path, current_path
+    within '.flash.alert' do
+      assert page.has_content?("Sorry, we don't have an email address for you.")
+    end
+  end
+
+  test 'user can request password-change email' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    submit_forgotten_details 'bob'
+
+    assert_equal root_path, current_path
+    within '.flash.notice' do
+      assert page.has_content?("We've emailed you a link where you can change your password.")
+    end
+    assert !ActionMailer::Base.deliveries.empty?
+    email = ActionMailer::Base.deliveries.last
+    assert_equal ['bob@example.com'],     email.to
+    assert_equal ['noreply@example.com'], email.from
+    assert_equal 'Change your password',  email.subject
+    # Why doesn't this use the default url option set up in test/test_helper.rb#9?
+    assert_match Regexp.new(Regexp.escape(change_password_url User.last.token, :host => 'www.example.com')), email.encoded
+  end
+
+  test 'user can follow emailed link while valid to change password' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    submit_forgotten_details 'bob'
+    
+    link_in_email = ActionMailer::Base.deliveries.last.encoded[%r{http://.*}].strip
+    visit link_in_email
+    fill_in :password, :with => 'topsecret'
+    click_button 'Change my password'
+    assert_equal root_path, current_path
+    within '.flash.notice' do
+      assert page.has_content?("You have successfully changed your password and you're now signed in.")
+    end
+    assert_nil User.last.token
+    assert_nil User.last.token_created_at
+  end
+
+  test 'user cannot change password to an invalid one' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    submit_forgotten_details 'bob'
+    
+    link_in_email = ActionMailer::Base.deliveries.last.encoded[%r{http://.*}].strip
+    visit link_in_email
+    fill_in :password, :with => ''
+    click_button 'Change my password'
+    assert_equal change_password_path(User.last.token), current_path
+  end
+
+  test 'user cannot change password once emailed link is invalid' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    submit_forgotten_details 'bob'
+    User.last.update_attributes :token_created_at => 1.day.ago
+    
+    link_in_email = ActionMailer::Base.deliveries.last.encoded[%r{http://.*}].strip
+    visit link_in_email
+    assert_equal forgotten_sign_in_path, current_path
+    within '.flash.alert' do
+      assert page.has_content?("Sorry, this link isn't valid anymore.")
+    end
+  end
+
+end

data/test/integration/locale_test.rb

@@ -6,14 +6,14 @@ class LocaleTest < ActiveSupport::IntegrationCase
     Capybara.reset_sessions!
   end
 
-  test 'before_sign_in flash' do
+  test 'sign_in.before flash' do
     visit new_article_path
     within '.flash' do
       assert page.has_content?('Please sign in first.')
     end
   end
 
-  test 'after_sign_in flash' do
+  test 'sign_in.after flash' do
     user_factory 'Bob', 'bob', 'secret'
     sign_in_as 'bob', 'secret'
     within '.flash' do
@@ -21,7 +21,7 @@ class LocaleTest < ActiveSupport::IntegrationCase
     end
   end
 
-  test 'failed_sign_in flash' do
+  test 'sign_in.failed flash' do
     sign_in_as 'bob', 'secret'
     within '.flash' do
       assert page.has_content?('Sorry, we did not recognise you.')
@@ -35,9 +35,9 @@ class LocaleTest < ActiveSupport::IntegrationCase
     end
   end
 
-  test 'before_sign_in flash is optional' do
+  test 'sign_in.before flash is optional' do
     begin
-      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:before_sign_in => ''}}}
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:sign_in => {:before => ''}}}}
       visit new_article_path
       assert page.has_no_css?('div.flash')
     ensure
@@ -45,10 +45,10 @@ class LocaleTest < ActiveSupport::IntegrationCase
     end
   end
 
-  test 'after_sign_in flash is optional' do
+  test 'sign_in.after flash is optional' do
     user_factory 'Bob', 'bob', 'secret'
     begin
-      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:after_sign_in => ''}}}
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:sign_in => {:after => ''}}}}
       sign_in_as 'bob', 'secret'
       assert page.has_no_css?('div.flash')
     ensure
@@ -56,9 +56,9 @@ class LocaleTest < ActiveSupport::IntegrationCase
     end
   end
 
-  test 'failed_sign_in flash is optional' do
+  test 'sign_in.failed flash is optional' do
     begin
-      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:failed_sign_in => ''}}}
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:sign_in => {:failed => ''}}}}
       sign_in_as 'bob', 'secret'
       assert page.has_no_css?('div.flash')
     ensure
@@ -75,4 +75,102 @@ class LocaleTest < ActiveSupport::IntegrationCase
       I18n.reload!
     end
   end
+
+  test 'forgotten.unknown flash' do
+    submit_forgotten_details 'bob'
+    within '.flash.alert' do
+      assert page.has_content?('Sorry, we did not recognise you.')
+    end
+  end
+
+  test 'forgotten.unknown flash is optional' do
+    begin
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:forgotten => {:unknown => ''}}}}
+      submit_forgotten_details 'bob'
+      assert page.has_no_css?('div.flash')
+    ensure
+      I18n.reload!
+    end
+  end
+
+  test 'forgotten.no_email flash' do
+    user_factory 'Bob', 'bob', 'secret'
+    submit_forgotten_details 'bob'
+    within '.flash.alert' do
+      assert page.has_content?("Sorry, we don't have an email address for you.")
+    end
+  end
+
+  test 'forgotten.no_email flash is optional' do
+    begin
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:forgotten => {:no_email => ''}}}}
+      user_factory 'Bob', 'bob', 'secret'
+      submit_forgotten_details 'bob'
+      assert page.has_no_css?('div.flash')
+    ensure
+      I18n.reload!
+    end
+  end
+
+  test 'forgotten.sent_email flash' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    submit_forgotten_details 'bob'
+    within '.flash.notice' do
+      assert page.has_content?("We've emailed you a link where you can change your password.")
+    end
+  end
+
+  test 'forgotten.sent_email flash is optional' do
+    begin
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:forgotten => {:sent_email => ''}}}}
+      user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+      submit_forgotten_details 'bob'
+      assert page.has_no_css?('div.flash')
+    ensure
+      I18n.reload!
+    end
+  end
+
+  test 'forgotten.invalid_token flash' do
+    visit change_password_path('123')
+    within '.flash.alert' do
+      assert page.has_content?("Sorry, this link isn't valid anymore.")
+    end
+  end
+
+  test 'forgotten.invalid_token flash is optional' do
+    begin
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:forgotten => {:invalid_token => ''}}}}
+      visit change_password_path('123')
+      assert page.has_no_css?('div.flash')
+    ensure
+      I18n.reload!
+    end
+  end
+
+  test 'forgotten.password_changed flash' do
+    user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+    User.last.generate_token
+    visit change_password_path(User.last.token)
+    fill_in :password, :with => 'topsecret'
+    click_button 'Change my password'
+    within '.flash.notice' do
+      assert page.has_content?("You have successfully changed your password and you're now signed in.")
+    end
+  end
+
+  test 'forgotten.password_changed flash is optional' do
+    begin
+      I18n.backend.store_translations :en, {:quo_vadis => {:flash => {:forgotten => {:password_changed => ''}}}}
+      user_factory 'Bob', 'bob', 'secret', 'bob@example.com'
+      User.last.generate_token
+      visit change_password_path(User.last.token)
+      fill_in :password, :with => 'topsecret'
+      click_button 'Change my password'
+      assert page.has_no_css?('div.flash')
+    ensure
+      I18n.reload!
+    end
+  end
+
 end

data/test/test_helper.rb

@@ -6,7 +6,7 @@ require "rails/test_help"
 
 ActionMailer::Base.delivery_method = :test
 ActionMailer::Base.perform_deliveries = true
-ActionMailer::Base.default_url_options[:host] = "test.com"
+ActionMailer::Base.default_url_options[:host] = "www.example.com"
 
 Rails.backtrace_cleaner.remove_silencers!
 
@@ -32,8 +32,14 @@ def sign_in_as(username, password)
   click_button 'Sign in'
 end
 
-def user_factory(name, username, password)
-  User.create! :name => name, :username => username, :password => password
+def submit_forgotten_details(username)
+  visit forgotten_sign_in_path
+  fill_in 'username', :with => username
+  click_button 'Send me that email'
+end
+
+def user_factory(name, username, password, email = nil)
+  User.create! :name => name, :username => username, :password => password, :email => email
 end
 
 def reset_quo_vadis_configuration
@@ -44,4 +50,6 @@ def reset_quo_vadis_configuration
   QuoVadis.failed_sign_in_hook   = nil
   QuoVadis.signed_out_hook       = nil
   QuoVadis.layout                = 'application'
+  QuoVadis.from                  = 'noreply@example.com'
+  QuoVadis.subject               = 'Change your password'
 end

data/test/unit/user_test.rb

@@ -0,0 +1,31 @@
+require 'test_helper'
+
+class UserTest < ActiveSupport::TestCase
+
+  test 'user must have a valid password on create' do
+    assert !User.create(:username => 'bob', :password => nil).valid?
+    assert !User.create(:username => 'bob', :password => '').valid?
+    assert  User.create(:username => 'bob', :password => 'secret').valid?
+  end
+
+  test 'user need not supply password when updating other attributes' do
+    User.create :username => 'bob', :password => 'secret'
+    user = User.last  # reload from database so password is nil
+    assert_nil user.password
+    assert user.update_attributes(:username => 'Robert')
+  end
+
+  test 'user must have a valid password when updating password' do
+    user = User.create :username => 'bob', :password => 'secret'
+    assert !user.update_attributes(:password => '')
+    assert !user.update_attributes(:password => nil)
+    assert  user.update_attributes(:password => 'topsecret')
+  end
+
+  test 'has_matching_password?' do
+    User.create :username => 'bob', :password => 'secret'
+    user = User.last
+    assert user.has_matching_password?('secret')
+  end
+
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: quo_vadis
 version: !ruby/object:Gem::Version 
-  hash: 21
+  hash: 19
   prerelease: false
   segments: 
   - 1
   - 0
-  - 1
-  version: 1.0.1
+  - 2
+  version: 1.0.2
 platform: ruby
 authors: 
 - Andy Stewart
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-01-26 00:00:00 +00:00
+date: 2011-01-27 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -110,6 +110,7 @@ files:
 - Rakefile
 - app/controllers/controller_mixin.rb
 - app/controllers/quo_vadis/sessions_controller.rb
+- app/mailers/quo_vadis/notifier.rb
 - app/models/model_mixin.rb
 - config/initializers/quo_vadis.rb
 - config/locales/quo_vadis.en.yml
@@ -121,6 +122,7 @@ files:
 - lib/quo_vadis/version.rb
 - quo_vadis.gemspec
 - test/dummy/.gitignore
+- test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/controllers/articles_controller.rb
 - test/dummy/app/helpers/application_helper.rb
@@ -131,6 +133,9 @@ files:
 - test/dummy/app/views/articles/new.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/sessions.html.erb
+- test/dummy/app/views/quo_vadis/notifier/change_password.text.erb
+- test/dummy/app/views/sessions/edit.html.erb
+- test/dummy/app/views/sessions/forgotten.html.erb
 - test/dummy/app/views/sessions/new.html.erb
 - test/dummy/config.ru
 - test/dummy/config/application.rb
@@ -143,13 +148,16 @@ files:
 - test/dummy/config/initializers/backtrace_silencers.rb
 - test/dummy/config/initializers/inflections.rb
 - test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/quo_vadis.rb
 - test/dummy/config/initializers/secret_token.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/locales/en.yml
+- test/dummy/config/locales/quo_vadis.en.yml
 - test/dummy/config/routes.rb
 - test/dummy/db/migrate/20110124125037_create_users.rb
-- test/dummy/db/migrate/20110124125216_add_authentication_to_users.rb
 - test/dummy/db/migrate/20110124131535_create_articles.rb
+- test/dummy/db/migrate/20110127094709_add_authentication_to_users.rb
+- test/dummy/db/schema.rb
 - test/dummy/public/404.html
 - test/dummy/public/422.html
 - test/dummy/public/500.html
@@ -169,6 +177,7 @@ files:
 - test/dummy/tmp/capybara/capybara-20110124135435.html
 - test/integration/authenticate_test.rb
 - test/integration/config_test.rb
+- test/integration/forgotten_test.rb
 - test/integration/helper_test.rb
 - test/integration/locale_test.rb
 - test/integration/navigation_test.rb
@@ -177,6 +186,7 @@ files:
 - test/quo_vadis_test.rb
 - test/support/integration_case.rb
 - test/test_helper.rb
+- test/unit/user_test.rb
 has_rdoc: true
 homepage: https://github.com/airblade/quo_vadis
 licenses: []
@@ -213,6 +223,7 @@ specification_version: 3
 summary: Simple username/password authentication for Rails 3.
 test_files: 
 - test/dummy/.gitignore
+- test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/controllers/articles_controller.rb
 - test/dummy/app/helpers/application_helper.rb
@@ -223,6 +234,9 @@ test_files:
 - test/dummy/app/views/articles/new.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/sessions.html.erb
+- test/dummy/app/views/quo_vadis/notifier/change_password.text.erb
+- test/dummy/app/views/sessions/edit.html.erb
+- test/dummy/app/views/sessions/forgotten.html.erb
 - test/dummy/app/views/sessions/new.html.erb
 - test/dummy/config.ru
 - test/dummy/config/application.rb
@@ -235,13 +249,16 @@ test_files:
 - test/dummy/config/initializers/backtrace_silencers.rb
 - test/dummy/config/initializers/inflections.rb
 - test/dummy/config/initializers/mime_types.rb
+- test/dummy/config/initializers/quo_vadis.rb
 - test/dummy/config/initializers/secret_token.rb
 - test/dummy/config/initializers/session_store.rb
 - test/dummy/config/locales/en.yml
+- test/dummy/config/locales/quo_vadis.en.yml
 - test/dummy/config/routes.rb
 - test/dummy/db/migrate/20110124125037_create_users.rb
-- test/dummy/db/migrate/20110124125216_add_authentication_to_users.rb
 - test/dummy/db/migrate/20110124131535_create_articles.rb
+- test/dummy/db/migrate/20110127094709_add_authentication_to_users.rb
+- test/dummy/db/schema.rb
 - test/dummy/public/404.html
 - test/dummy/public/422.html
 - test/dummy/public/500.html
@@ -261,6 +278,7 @@ test_files:
 - test/dummy/tmp/capybara/capybara-20110124135435.html
 - test/integration/authenticate_test.rb
 - test/integration/config_test.rb
+- test/integration/forgotten_test.rb
 - test/integration/helper_test.rb
 - test/integration/locale_test.rb
 - test/integration/navigation_test.rb
@@ -269,3 +287,4 @@ test_files:
 - test/quo_vadis_test.rb
 - test/support/integration_case.rb
 - test/test_helper.rb
+- test/unit/user_test.rb

data/test/dummy/db/migrate/20110124125216_add_authentication_to_users.rb

@@ -1,11 +0,0 @@
-class AddAuthenticationToUsers < ActiveRecord::Migration
-  def self.up
-    add_column :users, :username,        :string  # for user identification
-    add_column :users, :password_digest, :string
-  end
-
-  def self.down
-    remove_column :users, :username
-    remove_column :users, :password_digest
-  end
-end