restful-authentication 1.2.1

data/lib/generators/authenticated/templates/features/step_definitions/user_steps.rb

@@ -0,0 +1,131 @@
+RE_User      = %r{(?:(?:the )? *(\w+) *)}
+RE_User_TYPE = %r{(?: *(\w+)? *)}
+
+#
+# Setting
+#
+
+Given "an anonymous user" do
+  log_out!
+end
+
+Given "$an $user_type user with $attributes" do |_, user_type, attributes|
+  create_user! user_type, attributes.to_hash_from_story
+end
+
+Given "$an $user_type user named '$login'" do |_, user_type, login|
+  create_user! user_type, named_user(login)
+end
+
+Given "$an $user_type user logged in as '$login'" do |_, user_type, login|
+  create_user! user_type, named_user(login)
+  log_in_user!
+end
+
+Given "$actor is logged in" do |_, login|
+  log_in_user! @user_params || named_user(login)
+end
+
+Given "there is no $user_type user named '$login'" do |_, login|
+  @user = User.find_by_login(login)
+  @user.destroy! if @user
+  @user.should be_nil
+end
+
+#
+# Actions
+#
+When "$actor logs out" do
+  log_out
+end
+
+When "$actor registers an account as the preloaded '$login'" do |_, login|
+  user = named_user(login)
+  user['password_confirmation'] = user['password']
+  create_user user
+end
+
+When "$actor registers an account with $attributes" do |_, attributes|
+  create_user attributes.to_hash_from_story
+end
+
+
+When "$actor logs in with $attributes" do |_, attributes|
+  log_in_user attributes.to_hash_from_story
+end
+
+#
+# Result
+#
+Then "$actor should be invited to sign in" do |_|
+  response.should render_template('/sessions/new')
+end
+
+Then "$actor should not be logged in" do |_|
+  controller.logged_in?.should_not be_true
+end
+
+Then "$login should be logged in" do |login|
+  controller.logged_in?.should be_true
+  controller.current_user.should === @user
+  controller.current_user.login.should == login
+end
+
+def named_user login
+  user_params = {
+    'admin'   => {'id' => 1, 'login' => 'addie', 'password' => '1234addie', 'email' => 'admin@example.com',       },
+    'oona'    => {          'login' => 'oona',   'password' => '1234oona',  'email' => 'unactivated@example.com'},
+    'reggie'  => {          'login' => 'reggie', 'password' => 'monkey',    'email' => 'registered@example.com' },
+    }
+  user_params[login.downcase]
+end
+
+#
+# User account actions.
+#
+# The ! methods are 'just get the job done'.  It's true, they do some testing of
+# their own -- thus un-DRY'ing tests that do and should live in the user account
+# stories -- but the repetition is ultimately important so that a faulty test setup
+# fails early.
+#
+
+def log_out
+  get '/sessions/destroy'
+end
+
+def log_out!
+  log_out
+  response.should redirect_to('/')
+  follow_redirect!
+end
+
+def create_user(user_params={})
+  @user_params       ||= user_params
+  post "/users", :user => user_params
+  @user = User.find_by_login(user_params['login'])
+end
+
+def create_user!(user_type, user_params)
+  user_params['password_confirmation'] ||= user_params['password'] ||= user_params['password']
+  create_user user_params
+  response.should redirect_to('/')
+  follow_redirect!
+
+end
+
+
+
+def log_in_user user_params=nil
+  @user_params ||= user_params
+  user_params  ||= @user_params
+  post "/session", user_params
+  @user = User.find_by_login(user_params['login'])
+  controller.current_user
+end
+
+def log_in_user! *args
+  log_in_user *args
+  response.should redirect_to('/')
+  follow_redirect!
+  response.should have_flash("notice", /Logged in successfully/)
+end

data/lib/generators/authenticated/templates/helper.rb

@@ -0,0 +1,2 @@
+module <%= controller_class_name %>Helper
+end

data/lib/generators/authenticated/templates/login.html.erb

@@ -0,0 +1,16 @@
+<h1>Log In</h1>
+
+<%%= form_tag <%= controller_routing_name %>_path do -%>
+<p><%%= label_tag 'login' %><br />
+<%%= text_field_tag 'login', @login %></p>
+
+<p><%%= label_tag 'password' %><br/>
+<%%= password_field_tag 'password', nil %></p>
+
+<!-- Uncomment this if you want this functionality
+<p><%%= label_tag 'remember_me', 'Remember me' %>
+<%%= check_box_tag 'remember_me', '1', @remember_me %></p>
+-->
+
+<p><%%= submit_tag 'Log in' %></p>
+<%% end -%>

data/lib/generators/authenticated/templates/mailer.rb

@@ -0,0 +1,26 @@
+class <%= class_name %>Mailer < ActionMailer::Base
+
+  def signup_notification(<%= file_name %>)
+    setup_email(<%= file_name %>)
+    @subject    += 'Please activate your new account'
+       @url  = <% if options.include_activation? %>"http://YOURSITE/activate/#{<%= file_name %>.activation_code}"<%
+     else %>"http://YOURSITE/login/" <% end %>
+  end
+  
+  def activation(<%= file_name %>)
+    setup_email(<%= file_name %>)
+    @subject    += 'Your account has been activated!'
+    @url  = "http://YOURSITE/"
+  end
+  
+  protected
+
+  def setup_email(<%= file_name %>)
+    @recipients  = "#{<%= file_name %>.email}"
+    @from        = "ADMINEMAIL"
+    @subject     = "[YOURSITE] "
+    @sent_on     = Time.now
+    @<%= file_name %> = <%= file_name %>
+  end
+
+end

data/lib/generators/authenticated/templates/migration.rb

@@ -0,0 +1,26 @@
+class <%= migration_name %> < ActiveRecord::Migration
+  def self.up
+    create_table "<%= table_name %>" do |t|
+      t.column :login,                     :string, :limit => 40
+      t.column :name,                      :string, :limit => 100, :default => '', :null => true
+      t.column :email,                     :string, :limit => 100
+      t.column :crypted_password,          :string, :limit => 40
+      t.column :salt,                      :string, :limit => 40
+      t.column :created_at,                :datetime
+      t.column :updated_at,                :datetime
+      t.column :remember_token,            :string, :limit => 40
+      t.column :remember_token_expires_at, :datetime
+<% if options.include_activation? -%>
+      t.column :activation_code,           :string, :limit => 40
+      t.column :activated_at,              :datetime<% end %>
+<% if options.stateful? -%>
+      t.column :state,                     :string, :null => :no, :default => 'passive'
+      t.column :deleted_at,                :datetime<% end %>
+    end
+    add_index :<%= table_name %>, :login, :unique => true
+  end
+
+  def self.down
+    drop_table "<%= table_name %>"
+  end
+end

data/lib/generators/authenticated/templates/model.rb

@@ -0,0 +1,87 @@
+require 'digest/sha1'
+
+class <%= class_name %> < ActiveRecord::Base
+  include Authentication
+  include Authentication::ByPassword
+  include Authentication::ByCookieToken
+<% if options.aasm? -%>
+  include Authorization::AasmRoles
+<% elsif options.stateful? -%>
+  include Authorization::StatefulRoles<% end %>
+<% unless options.skip_migration? -%>
+  set_table_name '<%= table_name %>'<% end %>
+
+  validates :login, :presence   => true,
+                    :uniqueness => true,
+                    :length     => { :within => 3..40 },
+                    :format     => { :with => Authentication.login_regex, :message => Authentication.bad_login_message }
+
+  validates :name,  :format     => { :with => Authentication.name_regex, :message => Authentication.bad_name_message },
+                    :length     => { :maximum => 100 },
+                    :allow_nil  => true
+
+  validates :email, :presence   => true,
+                    :uniqueness => true,
+                    :format     => { :with => Authentication.email_regex, :message => Authentication.bad_email_message },
+                    :length     => { :within => 6..100 }
+
+  <% if options.include_activation? && !options.stateful? %>before_create :make_activation_code <% end %>
+
+  # HACK HACK HACK -- how to do attr_accessible from here?
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  attr_accessible :login, :email, :name, :password, :password_confirmation
+
+<% if options.include_activation? && !options.stateful? %>
+  # Activates the user in the database.
+  def activate!
+    @activated = true
+    self.activated_at = Time.now.utc
+    self.activation_code = nil
+    save(:validate => false)
+  end
+
+  # Returns true if the user has just been activated.
+  def recently_activated?
+    @activated
+  end
+
+  def active?
+    # the existence of an activation code means they have not activated yet
+    activation_code.nil?
+  end<% end %>
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  #
+  # uff.  this is really an authorization, not authentication routine.  
+  # We really need a Dispatch Chain here or something.
+  # This will also let us return a human error message.
+  #
+  def self.authenticate(login, password)
+    return nil if login.blank? || password.blank?
+    u = <% if options.stateful? %>find_in_state :first, :active, :conditions => {:login => login.downcase}<%
+           elsif options.include_activation? %>where(['login = ? and activated_at IS NOT NULL', login]).first<%
+           else %>find_by_login(login.downcase)<% end %> # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  def login=(value)
+    write_attribute :login, (value ? value.downcase : nil)
+  end
+
+  def email=(value)
+    write_attribute :email, (value ? value.downcase : nil)
+  end
+
+  protected
+    
+<% if options.include_activation? -%>
+  def make_activation_code
+  <% if options.stateful? -%>
+      self.deleted_at = nil
+    <% end -%>
+    self.activation_code = self.class.make_token
+  end
+<% end %>
+
+end

data/lib/generators/authenticated/templates/model_controller.rb

@@ -0,0 +1,83 @@
+class <%= model_controller_class_name %>Controller < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+  <% if options.stateful? %>
+  # Protect these actions behind an admin login
+  # before_filter :admin_required, :only => [:suspend, :unsuspend, :destroy, :purge]
+  before_filter :find_<%= file_name %>, :only => [:suspend, :unsuspend, :destroy, :purge]
+  <% end %>
+
+  # render new.rhtml
+  def new
+    @<%= file_name %> = <%= class_name %>.new
+  end
+ 
+  def create
+    logout_keeping_session!
+    @<%= file_name %> = <%= class_name %>.new(params[:<%= file_name %>])
+<% if options.stateful? -%>
+    @<%= file_name %>.register! if @<%= file_name %> && @<%= file_name %>.valid?
+    success = @<%= file_name %> && @<%= file_name %>.valid?
+<% else -%>
+    success = @<%= file_name %> && @<%= file_name %>.save
+<% end -%>
+    if success && @<%= file_name %>.errors.empty?
+      <% if !options.include_activation? -%>
+      # Protects against session fixation attacks, causes request forgery
+      # protection if visitor resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset session
+      self.current_<%= file_name %> = @<%= file_name %> # !! now logged in
+      <% end -%>redirect_back_or_default('/', :notice => "Thanks for signing up!  We're sending you an email with your activation code.")
+    else
+      flash.now[:error]  = "We couldn't set up that account, sorry.  Please try again, or contact an admin (link is above)."
+      render :action => 'new'
+    end
+  end
+<% if options.include_activation? %>
+  def activate
+    logout_keeping_session!
+    <%= file_name %> = <%= class_name %>.find_by_activation_code(params[:activation_code]) unless params[:activation_code].blank?
+    case
+    when (!params[:activation_code].blank?) && <%= file_name %> && !<%= file_name %>.active?
+      <%= file_name %>.activate!
+      redirect_to '/login', :notice => "Signup complete! Please sign in to continue."
+    when params[:activation_code].blank?
+      redirect_back_or_default('/', :flash => { :error => "The activation code was missing.  Please follow the URL from your email." })
+    else 
+      redirect_back_or_default('/', :flash => { :error  => "We couldn't find a <%= file_name %> with that activation code -- check your email? Or maybe you've already activated -- try signing in." })
+    end
+  end
+<% end %><% if options.stateful? %>
+  def suspend
+    @<%= file_name %>.suspend! 
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def unsuspend
+    @<%= file_name %>.unsuspend! 
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def destroy
+    @<%= file_name %>.delete!
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+
+  def purge
+    @<%= file_name %>.destroy
+    redirect_to <%= model_controller_routing_name %>_path
+  end
+  
+  # There's no page here to update or destroy a <%= file_name %>.  If you add those, be
+  # smart -- make sure you check that the visitor is authorized to do so, that they
+  # supply their old password along with a new one to update it, etc.
+
+  protected
+
+  def find_<%= file_name %>
+    @<%= file_name %> = <%= class_name %>.find(params[:id])
+  end
+<% end -%>
+
+end

data/lib/generators/authenticated/templates/model_helper.rb

@@ -0,0 +1,93 @@
+module <%= model_controller_class_name %>Helper
+  
+  #
+  # Use this to wrap view elements that the user can't access.
+  # !! Note: this is an *interface*, not *security* feature !!
+  # You need to do all access control at the controller level.
+  #
+  # Example:
+  # <%%= if_authorized?(:index,   User)  do link_to('List all users', users_path) end %> |
+  # <%%= if_authorized?(:edit,    @user) do link_to('Edit this user', edit_user_path) end %> |
+  # <%%= if_authorized?(:destroy, @user) do link_to 'Destroy', @user, :confirm => 'Are you sure?', :method => :delete end %> 
+  #
+  #
+  def if_authorized?(action, resource, &block)
+    if authorized?(action, resource)
+      yield action, resource
+    end
+  end
+
+  #
+  # Link to user's page ('<%= table_name %>/1')
+  #
+  # By default, their login is used as link text and link title (tooltip)
+  #
+  # Takes options
+  # * :content_text => 'Content text in place of <%= file_name %>.login', escaped with
+  #   the standard h() function.
+  # * :content_method => :<%= file_name %>_instance_method_to_call_for_content_text
+  # * :title_method => :<%= file_name %>_instance_method_to_call_for_title_attribute
+  # * as well as link_to()'s standard options
+  #
+  # Examples:
+  #   link_to_<%= file_name %> @<%= file_name %>
+  #   # => <a href="/<%= table_name %>/3" title="barmy">barmy</a>
+  #
+  #   # if you've added a .name attribute:
+  #  content_tag :span, :class => :vcard do
+  #    (link_to_<%= file_name %> <%= file_name %>, :class => 'fn n', :title_method => :login, :content_method => :name) +
+  #          ': ' + (content_tag :span, <%= file_name %>.email, :class => 'email')
+  #   end
+  #   # => <span class="vcard"><a href="/<%= table_name %>/3" title="barmy" class="fn n">Cyril Fotheringay-Phipps</a>: <span class="email">barmy@blandings.com</span></span>
+  #
+  #   link_to_<%= file_name %> @<%= file_name %>, :content_text => 'Your user page'
+  #   # => <a href="/<%= table_name %>/3" title="barmy" class="nickname">Your user page</a>
+  #
+  def link_to_<%= file_name %>(<%= file_name %>, options={})
+    raise "Invalid <%= file_name %>" unless <%= file_name %>
+    options.reverse_merge! :content_method => :login, :title_method => :login, :class => :nickname
+    content_text      = options.delete(:content_text)
+    content_text    ||= <%= file_name %>.send(options.delete(:content_method))
+    options[:title] ||= <%= file_name %>.send(options.delete(:title_method))
+    link_to h(content_text), <%= model_controller_routing_name.singularize %>_path(<%= file_name %>), options
+  end
+
+  #
+  # Link to login page using remote ip address as link content
+  #
+  # The :title (and thus, tooltip) is set to the IP address 
+  #
+  # Examples:
+  #   link_to_login_with_IP
+  #   # => <a href="/login" title="169.69.69.69">169.69.69.69</a>
+  #
+  #   link_to_login_with_IP :content_text => 'not signed in'
+  #   # => <a href="/login" title="169.69.69.69">not signed in</a>
+  #
+  def link_to_login_with_IP content_text=nil, options={}
+    ip_addr           = request.remote_ip
+    content_text    ||= ip_addr
+    options.reverse_merge! :title => ip_addr
+    if tag = options.delete(:tag)
+      content_tag tag, h(content_text), options
+    else
+      link_to h(content_text), login_path, options
+    end
+  end
+
+  #
+  # Link to the current user's page (using link_to_<%= file_name %>) or to the login page
+  # (using link_to_login_with_IP).
+  #
+  def link_to_current_<%= file_name %>(options={})
+    if current_<%= file_name %>
+      link_to_<%= file_name %> current_<%= file_name %>, options
+    else
+      content_text = options.delete(:content_text) || 'not signed in'
+      # kill ignored options from link_to_<%= file_name %>
+      [:content_method, :title_method].each{|opt| options.delete(opt)} 
+      link_to_login_with_IP content_text, options
+    end
+  end
+
+end