rails-identity 0.0.1

data/app/models/rails_identity/session.rb

@@ -0,0 +1,44 @@
+module RailsIdentity
+  class Session < ActiveRecord::Base
+    include UUIDModel
+    # does not act as paranoid!
+
+    belongs_to :user, foreign_key: "user_uuid", primary_key: "uuid"
+    validates :user, presence: true
+
+    ##
+    # Creates a session object. The attributes must include user. The secret
+    # to the JWT is generated here and is unique to the session being
+    # created. Since the JWT includes the session id, the secret can be
+    # retrieved.
+    #
+    def initialize(attributes = {})
+      seconds = attributes.delete(:seconds) || (24 * 3600 * 14)
+      super
+      self.uuid = UUIDTools::UUID.timestamp_create().to_s
+      iat = Time.now.to_i
+      payload = {
+        user_uuid: self.user_uuid,
+        session_uuid: self.uuid,
+        role: self.user.role,
+        iat: iat,
+        exp: iat + seconds
+      }
+      self.secret = UUIDTools::UUID.random_create
+      self.token = JWT.encode(payload, self.secret, 'HS256')
+    end
+
+    ##
+    # Determines if the session has expired or not.
+    #
+    def expired?
+      begin
+        JWT.decode self.token, nil, false
+      rescue JWT::ExpiredSignature
+        return true
+      end
+      return false
+    end
+
+  end
+end

data/app/models/rails_identity/user.rb

@@ -0,0 +1,48 @@
+module RailsIdentity
+  class User < ActiveRecord::Base
+    include UUIDModel
+    acts_as_paranoid
+    has_secure_password
+
+    validates :username, presence: true, uniqueness: true,
+              format: { with: /\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/i,
+                        on: [:create, :update] }
+    validates :password, confirmation: true
+    before_save :default_role
+
+    alias_attribute :email, :username
+
+    ##
+    # Initializes the user. User is not verified initially. The user has one
+    # hour to get verified. After that, a PATCH request must be made to
+    # re-issue the verification token.
+    #
+    def initialize(attributes = {})
+      super
+      session = Session.new(user: self, seconds: 3600)
+      self.verification_token = session.token
+      self.verified = false
+    end
+
+    ##
+    # Sets the default the role for the user if not set.
+    #
+    def default_role
+      self.role ||= Roles::USER
+    end
+
+    ##
+    # This method will generate a reset token that lasts for an hour.
+    #
+    def issue_token(kind)
+      session = Session.new(user: self, seconds: 3600)
+      session.save
+      if kind == :reset_token
+        self.reset_token = session.token
+      elsif kind == :verification_token
+        self.verification_token = session.token
+      end
+    end
+
+  end
+end

data/app/views/layouts/mailer.html.erb

@@ -0,0 +1,5 @@
+<html>
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/app/views/layouts/mailer.text.erb

@@ -0,0 +1 @@
+<%= yield %>

data/app/views/layouts/rails_identity/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>RailsIdentity</title>
+  <%= stylesheet_link_tag    "rails_identity/application", media: "all" %>
+  <%= javascript_include_tag "rails_identity/application" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/rails_identity/user_mailer/email_verification.html.erb

@@ -0,0 +1,12 @@
+<p>Dear <%= @user.username %>,</p>
+
+<p>Please confirm your account with rails-identity by making a PATCH request
+on the current user with a provided verification token. For example,
+<pre>http PATCH /users/current token=<%= @user.verification_token %>
+verified=true</pre> will confirm the account. Here is the verification
+token:</p>
+
+<pre><%= @user.verification_token %></pre>
+
+<p>Thank you for using rails-identity</p>
+<p><b>rails-identity</b></p>

data/app/views/rails_identity/user_mailer/email_verification.text.erb

@@ -0,0 +1,13 @@
+Dear <%= @user.username %>,
+
+Please confirm your account with rails-identity by making a PATCH request
+on the current user with a provided verification token. For example,
+
+http PATCH /users/current token=<%= @user.verification_token %> verified=true
+
+will confirm the account. Here is the verification token:
+
+<%= @user.verification_token %>
+
+Thank you for using rails-identity,
+rails-identity

data/app/views/rails_identity/user_mailer/password_reset.html.erb

@@ -0,0 +1,14 @@
+<p>Dear <%= @user.username %>,</p>
+
+<p>You have requested to reset your password. Here are the user UUID and
+reset token. Make a PATCH request on the UUID with the reset token to set a
+new password. For instance, <pre>http PATCH /users/current token=<%=
+@user.reset_token %> password=reallysecret
+password_confirmation=reallysecret</pre> will set the password to
+<pre>reallysecret</pre> for the user to whom the reset token was issued.
+Here is the reset token:</p>
+
+<pre><%= @user.reset_token %></pre>
+
+<p>Good luck! :)</p>
+<p><b>rails-identity</b></p>

data/app/views/rails_identity/user_mailer/password_reset.text.erb

@@ -0,0 +1,15 @@
+Dear <%= @user.username %>,
+
+You have requested to reset your password. Here are the user UUID and reset
+token. Make a PATCH request on the UUID with the reset token to set a new
+password. For instance, 
+
+http PATCH /users/current token=...  password=reallysecret password_confirmation=reallysecret
+
+will set the password to "reallysecret" (without quotes) for the user to
+whom the reset token was issued.
+
+Here is the reset token: @user.reset_token
+
+Good luck! :)
+rails-identity

data/config/routes.rb

@@ -0,0 +1,7 @@
+RailsIdentity::Engine.routes.draw do
+  resources :sessions
+  match 'sessions(/:id)' => 'sessions#options', via: [:options]
+
+  resources :users
+  match 'users(/:id)' => 'users#options', via: [:options]
+end

data/db/migrate/20160323210013_create_rails_identity_users.rb

@@ -0,0 +1,13 @@
+class CreateRailsIdentityUsers < ActiveRecord::Migration
+  def change
+    create_table :rails_identity_users do |t|
+      t.string :uuid, primary_key: true, null: false
+      t.string :username
+      t.string :password_digest
+      t.integer :role
+      t.string :metadata
+      t.datetime :deleted_at, index: true
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20160323210017_create_rails_identity_sessions.rb

@@ -0,0 +1,12 @@
+class CreateRailsIdentitySessions < ActiveRecord::Migration
+  def change
+    create_table :rails_identity_sessions do |t|
+      t.string :uuid, primary_key: true, null: false
+      t.string :user_uuid, null: false
+      t.string :token, null: false
+      t.string :secret, null: false
+      t.string :metadata
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20160401223433_add_reset_token_to_users.rb

@@ -0,0 +1,5 @@
+class AddResetTokenToUsers < ActiveRecord::Migration
+  def change
+    add_column :rails_identity_users, :reset_token, :string
+  end
+end

data/db/migrate/20160411215917_add_verification_token_to_users.rb

@@ -0,0 +1,10 @@
+class AddVerificationTokenToUsers < ActiveRecord::Migration
+  def change
+    add_column :rails_identity_users, :verification_token, :string
+    add_column :rails_identity_users, :verified, :boolean, default: false
+
+    # Assign true for existing accounts since they existed without
+    # a verification token.
+    users = RailsIdentity::User.update_all(verified: true)
+  end
+end

data/db/migrate/20160414145851_add_api_key_to_users.rb

@@ -0,0 +1,5 @@
+class AddApiKeyToUsers < ActiveRecord::Migration
+  def change
+    add_column :rails_identity_users, :api_key, :string
+  end
+end

data/lib/rails_identity/engine.rb

@@ -0,0 +1,9 @@
+Gem.loaded_specs['rails-identity'].dependencies.each do |d|
+ require d.name
+end
+
+module RailsIdentity
+  class Engine < ::Rails::Engine
+    isolate_namespace RailsIdentity
+  end
+end

data/lib/rails_identity/version.rb

@@ -0,0 +1,3 @@
+module RailsIdentity
+  VERSION = "0.0.1"
+end

data/lib/rails_identity.rb

@@ -0,0 +1,52 @@
+require "rails_identity/engine"
+
+module RailsIdentity
+
+  # App MUST monkey patch this constant
+  MAILER_EMAIL = "no-reply@rails-identity.com"
+
+  # To be able to break cache when backwards compatibility breaks
+  CACHE_PREFIX = "rails-identity-#{RailsIdentity::VERSION}"
+
+  # Fixed set of roles.
+  module Roles
+    PUBLIC = 0
+    USER = 10
+    ADMIN = 100
+    OWNER = 1000
+  end
+
+  # Errors defined by RailsIdentity
+  module Errors
+    class InvalidTokenError < StandardError; end
+    class ObjectNotFoundError < StandardError; end
+    class UnauthorizedError < StandardError; end
+    class InvalidOldPasswordError < StandardError; end
+    class InvalidResetTokenError < StandardError; end
+  end
+
+  # This module is a mixin that allows the model to use UUIDs instead of
+  # normal IDs. By including this module, the model class declares that the
+  # primary key is called "uuid" and an UUID is generated right before
+  # save(). You may assign an UUID prior to save, in which case, no new UUID
+  # will be generated.
+  module UUIDModel
+
+    def self.included(klass)
+      # Triggered when this module is included.
+
+      klass.primary_key = "uuid"
+      klass.before_create :generate_uuid
+    end
+
+    def generate_uuid()
+      # Generates an UUID for the model object only if it hasn't been assigned
+      # one yet.
+
+      if self.uuid.nil?
+        self.uuid = UUIDTools::UUID.timestamp_create().to_s
+      end
+    end
+  end
+
+end

data/lib/tasks/rails_identity_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :rails_identity do
+#   # Task goes here
+# end

data/test/controllers/rails_identity/sessions_controller_test.rb

@@ -0,0 +1,192 @@
+require 'test_helper'
+
+module RailsIdentity
+  class SessionsControllerTest < ActionController::TestCase
+    setup do
+      Rails.cache.clear
+      @routes = Engine.routes
+      @session = rails_identity_sessions(:one)
+      @token = @session.token
+    end
+
+    test "public can see options" do
+      get :options
+      assert_response :success
+    end
+
+    test "user can list all his sessions" do 
+      get :index, token: @token
+      assert_response :success
+      sessions = assigns(:sessions)
+      assert_not_nil sessions
+      all_his_sessions = Session.where(user: @session.user)
+      assert_equal sessions.length, all_his_sessions.length
+      sessions.each do |session|
+        assert session.user == @session.user
+      end
+    end
+
+    test "user can list all his sessions using user id in routing" do
+      get :index, user_id: @session.user.uuid, token: @token
+      assert_response :success
+      sessions = assigns(:sessions)
+      assert_not_nil sessions
+      all_his_sessions = Session.where(user: @session.user)
+      assert_equal sessions.length, all_his_sessions.length
+      sessions.each do |session|
+        assert session.user == @session.user
+      end
+    end
+
+    test "user cannot list expired session" do
+      session = Session.new(user: @session.user, seconds: -1)
+      session.save()
+      get :index, user_id: session.user.uuid, token: @token
+      assert_response :success
+      json = JSON.parse(@response.body)
+      assert_equal 1, json.length
+    end
+
+    test "user cannot list other's sessions" do
+      get :index, user_id: rails_identity_users(:two), token: @token
+      assert_response 401
+    end
+
+    test "public cannot list sessions" do
+      get :index
+      assert_response 401
+    end
+
+    test "create a session" do
+      user = rails_identity_users(:one)
+      post :create, username: user.username, password: "password"
+      assert_response :success
+      session = assigns(:session)
+      assert_not_nil session
+      json = JSON.parse(@response.body)
+      assert json.has_key?("token")
+      assert !json.has_key?("secret")
+    end 
+
+    test "cannot create a session if not verified" do
+      user = rails_identity_users(:one)
+      user.verified = false
+      user.save()
+      post :create, username: user.username, password: "password"
+      assert_response 401
+    end 
+
+    test "cannot create a session with non-existent username" do
+      post :create, username: 'idontexist', password: "secret"
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end 
+
+    test "cannot create a session without username" do
+      post :create, password: "secret"
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end 
+
+    test "cannot create a session without a password" do
+      post :create, username: rails_identity_users(:one).username
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end 
+
+    test "cannot create a session with a wrong password" do
+      post :create, username: rails_identity_users(:one).username, password: "notsecret"
+      assert_response 401
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end 
+
+    test "public cannot create sessions" do
+      get :index
+      assert_response 401
+    end
+
+    test "show a session" do
+      get :show, id: 1, token: @token
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal @token, json["token"]
+      # Do a quick cache check
+      session = Rails.cache.fetch("#{CACHE_PREFIX}-session-#{json["uuid"]}")
+      assert_not_nil session
+      assert_equal @token, session.token
+    end
+
+    test "show a current session" do
+      get :show, id: "current", token: @token
+      assert_response 200
+      json = JSON.parse(@response.body)
+      assert_equal @token, json["token"]
+    end
+
+    test "cannot show other's session" do
+      get :show, id: 2, token: @token
+      assert_response 401
+    end
+
+    test "cannot show expired session" do
+      session = Session.new(user: @session.user, seconds: -1)
+      session.save()
+      get :show, id: session.uuid, token: @token
+      assert_response 404
+    end
+
+    test "public cannot show session" do
+      get :show, id:1
+      assert_response 401
+    end
+
+    test "admin can show other's session" do
+      @session = rails_identity_sessions(:admin_one)
+      @token = @session.token
+      get :show, id: 1, token: @token
+      assert_response :success
+      json = JSON.parse(@response.body)
+      session = rails_identity_sessions(:one)
+      assert_equal session.token, json["token"]
+    end
+
+    test "cannot show a nonexisting session" do
+      get :show, id: 999, token: @token
+      assert_response 404
+      json = JSON.parse(@response.body)
+      assert json["errors"].length == 1
+    end
+
+    test "delete a session" do
+      delete :destroy, id: 1, token: @token
+      assert_response 204
+    end
+
+    test "delete a current session" do
+      delete :destroy, id: "current", token: @token
+      assert_response 204
+    end
+
+    test "cannot delete a non-existent session" do
+      delete :destroy, id: 999, token: @token
+      assert_response 404
+    end
+
+    test "cannot delete other's session" do
+      delete :destroy, id: 2, token: @token
+      assert_response 401
+    end
+
+    test "admin can delete other's session" do
+      @session = rails_identity_sessions(:admin_one)
+      @token = @session.token
+      delete :destroy, id: 1, token: @token
+      assert_response :success
+    end
+
+  end
+end