restful-authentication 1.2.1

data/lib/generators/authenticated/templates/_model_partial.html.erb

@@ -0,0 +1,8 @@
+<%% if logged_in? -%>
+  <div id="<%= file_name %>-bar-greeting">Logged in as <%%= link_to_current_<%= file_name %> :content_method => :login %></div>
+  <div id="<%= file_name %>-bar-action"  >(<%%= link_to "Log out", logout_path, { :title => "Log out" }    %>)</div>
+<%% else -%>
+  <div id="<%= file_name %>-bar-greeting"><%%= link_to_login_with_IP 'Not logged in', :style => 'border: none;' %></div>
+  <div id="<%= file_name %>-bar-action"  ><%%= link_to "Log in",  login_path,  { :title => "Log in" } %> /
+                               <%%= link_to "Sign up", signup_path, { :title => "Create an account" } %></div>
+<%% end -%>

data/lib/generators/authenticated/templates/activation.erb

@@ -0,0 +1,3 @@
+<%%=h @<%= file_name %>.login %>, your account has been activated.  Welcome aboard!
+
+<%%=h @url %>

data/lib/generators/authenticated/templates/authenticated_system.rb

@@ -0,0 +1,189 @@
+module AuthenticatedSystem
+  protected
+    # Returns true or false if the <%= file_name %> is logged in.
+    # Preloads @current_<%= file_name %> with the <%= file_name %> model if they're logged in.
+    def logged_in?
+      !!current_<%= file_name %>
+    end
+
+    # Accesses the current <%= file_name %> from the session.
+    # Future calls avoid the database because nil is not equal to false.
+    def current_<%= file_name %>
+      @current_<%= file_name %> ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_<%= file_name %> == false
+    end
+
+    # Store the given <%= file_name %> id in the session.
+    def current_<%= file_name %>=(new_<%= file_name %>)
+      session[:<%= file_name %>_id] = new_<%= file_name %> ? new_<%= file_name %>.id : nil
+      @current_<%= file_name %> = new_<%= file_name %> || false
+    end
+
+    # Check if the <%= file_name %> is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the <%= file_name %>
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_<%= file_name %>.login != "bob"
+    #  end
+    #
+    def authorized?(action = action_name, resource = nil)
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the <%= file_name %> is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to new_<%= controller_routing_name %>_path
+        end
+        # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+        # Add any other API formats here.  (Some browsers, notably IE6, send Accept: */* and trigger 
+        # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
+        # for a workaround.)
+        format.any(:json, :xml) do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.  Set an appropriately modified
+    #   after_filter :store_location, :only => [:index, :new, :show, :edit]
+    # for any controller you want to be bounce-backable.
+    def redirect_back_or_default(default, options = {})
+      redirect_to((session[:return_to] || default), options)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_<%= file_name %> and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_<%= file_name %>, :logged_in?, :authorized? if base.respond_to? :helper_method
+    end
+
+    #
+    # Login
+    #
+
+    # Called from #current_<%= file_name %>.  First attempt to login by the <%= file_name %> id stored in the session.
+    def login_from_session
+      self.current_<%= file_name %> = <%= class_name %>.find_by_id(session[:<%= file_name %>_id]) if session[:<%= file_name %>_id]
+    end
+
+    # Called from #current_<%= file_name %>.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |login, password|
+        self.current_<%= file_name %> = <%= class_name %>.authenticate(login, password)
+      end
+    end
+    
+    #
+    # Logout
+    #
+
+    # Called from #current_<%= file_name %>.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing <%= file_name %>_token = hash(cookie_token, request IP)
+    def login_from_cookie
+      <%= file_name %> = cookies[:auth_token] && <%= class_name %>.find_by_remember_token(cookies[:auth_token].value)
+      if <%= file_name %> && <%= file_name %>.remember_token?
+        self.current_<%= file_name %> = <%= file_name %>
+        handle_remember_cookie! false # freshen cookie token (keeping date)
+        self.current_<%= file_name %>
+      end
+    end
+
+    # This is ususally what you want; resetting the session willy-nilly wreaks
+    # havoc with forgery protection, and is only strictly necessary on login.
+    # However, **all session state variables should be unset here**.
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_<%= file_name %>.forget_me if @current_<%= file_name %>.is_a? <%= class_name %>
+      @current_<%= file_name %> = false     # not logged in, and don't do it for me
+      kill_remember_cookie!     # Kill client-side auth cookie
+      session[:<%= file_name %>_id] = nil   # keeps the session but kill our variable
+      # explicitly kill any other session variables you set
+    end
+
+    # The session should only be reset at the tail end of a form POST --
+    # otherwise the request forgery protection fails. It's only really necessary
+    # when you cross quarantine (logged-out to logged-in).
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+    
+    #
+    # Remember_me Tokens
+    #
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    def valid_remember_cookie?
+      return nil unless @current_<%= file_name %>
+      (@current_<%= file_name %>.remember_token?) && 
+        (cookies[:auth_token] == @current_<%= file_name %>.remember_token)
+    end
+    
+    # Refresh the cookie auth token if it exists, create it otherwise
+    def handle_remember_cookie!(new_cookie_flag)
+      return unless @current_<%= file_name %>
+      case
+      when valid_remember_cookie? then @current_<%= file_name %>.refresh_token # keeping same expiry date
+      when new_cookie_flag        then @current_<%= file_name %>.remember_me 
+      else                             @current_<%= file_name %>.forget_me
+      end
+      send_remember_cookie!
+    end
+  
+    def kill_remember_cookie!
+      cookies.delete :auth_token
+    end
+    
+    def send_remember_cookie!
+      cookies[:auth_token] = {
+        :value   => @current_<%= file_name %>.remember_token,
+        :expires => @current_<%= file_name %>.remember_token_expires_at }
+    end
+
+end

data/lib/generators/authenticated/templates/authenticated_test_helper.rb

@@ -0,0 +1,22 @@
+module AuthenticatedTestHelper
+  # Sets the current <%= file_name %> in the session from the <%= file_name %> fixtures.
+  def login_as(<%= file_name %>)
+    @request.session[:<%= file_name %>_id] = <%= file_name %> ? (<%= file_name %>.is_a?(<%= file_name.camelize %>) ? <%= file_name %>.id : <%= table_name %>(<%= file_name %>).id) : nil
+  end
+
+  def authorize_as(<%= file_name %>)
+    @request.env["HTTP_AUTHORIZATION"] = <%= file_name %> ? ActionController::HttpAuthentication::Basic.encode_credentials(<%= table_name %>(<%= file_name %>).login, 'monkey') : nil
+  end
+  
+<% if options.rspec? -%>
+  # rspec
+  def mock_<%= file_name %>
+    <%= file_name %> = mock_model(<%= class_name %>, :id => 1,
+      :login  => 'user_name',
+      :name   => 'U. Surname',
+      :to_xml => "<%= class_name %>-in-XML", :to_json => "<%= class_name %>-in-JSON", 
+      :errors => [])
+    <%= file_name %>
+  end  
+<% end -%>
+end

data/lib/generators/authenticated/templates/controller.rb

@@ -0,0 +1,41 @@
+# This controller handles the login/logout function of the site.  
+class <%= controller_class_name %>Controller < ApplicationController
+  # Be sure to include AuthenticationSystem in Application Controller instead
+  include AuthenticatedSystem
+
+  # render new.rhtml
+  def new
+  end
+
+  def create
+    logout_keeping_session!
+    <%= file_name %> = <%= class_name %>.authenticate(params[:login], params[:password])
+    if <%= file_name %>
+      # Protects against session fixation attacks, causes request forgery
+      # protection if user resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset_session
+      self.current_<%= file_name %> = <%= file_name %>
+      new_cookie_flag = (params[:remember_me] == "1")
+      handle_remember_cookie! new_cookie_flag
+      redirect_back_or_default('/', :notice => "Logged in successfully")
+    else
+      note_failed_signin
+      @login       = params[:login]
+      @remember_me = params[:remember_me]
+      render :action => 'new'
+    end
+  end
+
+  def destroy
+    logout_killing_session!
+    redirect_back_or_default('/', :notice => "You have been logged out.")
+  end
+
+protected
+  # Track failed login attempts
+  def note_failed_signin
+    flash.now[:error] = "Couldn't log you in as '#{params[:login]}'"
+    logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
+  end
+end

data/lib/generators/authenticated/templates/features/accounts.feature

@@ -0,0 +1,109 @@
+Visitors should be in control of creating an account and of proving their
+essential humanity/accountability or whatever it is people think the
+id-validation does.  We should be fairly skeptical about this process, as the
+identity+trust chain starts here.
+
+Story: Creating an account
+  As an anonymous user
+  I want to be able to create an account
+  So that I can be one of the cool kids
+
+  #
+  # Account Creation: Get entry form
+  #
+  Scenario: Anonymous user can start creating an account
+    Given an anonymous user
+    When  she goes to /signup
+    Then  she should be at the 'users/new' page
+     And  the page should look AWESOME
+     And  she should see a <form> containing a textfield: Login, textfield: Email, password: Password, password: 'Confirm Password', submit: 'Sign up'
+
+  #
+  # Account Creation
+  #
+  Scenario: Anonymous user can create an account
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account as the preloaded 'Oona'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Thanks for signing up!'
+     And  a user with login: 'oona' should exist
+     And  the user should have login: 'oona', and email: 'unactivated@example.com'
+
+     And  oona should be logged in
+
+
+  #
+  # Account Creation Failure: Account exists
+  #
+
+
+  Scenario: Anonymous user can not create an account replacing an activated account
+    Given an anonymous user
+     And  an activated user named 'Reggie'
+     And  we try hard to remember the user's updated_at, and created_at
+    When  she registers an account with login: 'reggie', password: 'monkey', and email: 'reggie@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Login has already been taken'
+     And  she should not see an errorExplanation message 'Email has already been taken'
+     And  a user with login: 'reggie' should exist
+     And  the user should have email: 'registered@example.com'
+
+     And  the user's created_at should stay the same under to_s
+     And  the user's updated_at should stay the same under to_s
+     And  she should not be logged in
+
+  #
+  # Account Creation Failure: Incomplete input
+  #
+  Scenario: Anonymous user can not create an account with incomplete or incorrect input
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: '',     password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Login can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with no password
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: '',       password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with no password_confirmation
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: ''       and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password confirmation can't be blank'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with mismatched password & password_confirmation
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkeY' and email: 'unactivated@example.com'
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Password doesn't match confirmation'
+     And  no user with login: 'oona' should exist
+
+  Scenario: Anonymous user can not create an account with bad email
+    Given an anonymous user
+     And  no user with login: 'Oona' exists
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: ''
+    Then  she should be at the 'users/new' page
+     And  she should     see an errorExplanation message 'Email can't be blank'
+     And  no user with login: 'oona' should exist
+    When  she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Thanks for signing up!'
+     And  a user with login: 'oona' should exist
+     And  the user should have login: 'oona', and email: 'unactivated@example.com'
+
+     And  oona should be logged in
+
+
+

data/lib/generators/authenticated/templates/features/sessions.feature

@@ -0,0 +1,134 @@
+Users want to know that nobody can masquerade as them.  We want to extend trust
+only to visitors who present the appropriate credentials.  Everyone wants this
+identity verification to be as secure and convenient as possible.
+
+Story: Logging in
+  As an anonymous user with an account
+  I want to log in to my account
+  So that I can be myself
+
+  #
+  # Log in: get form
+  #
+  Scenario: Anonymous user can get a login form.
+    Given an anonymous user
+    When  she goes to /login
+    Then  she should be at the new sessions page
+     And  the page should look AWESOME
+     And  she should see a <form> containing a textfield: Login, password: Password, and submit: 'Log in'
+  
+  #
+  # Log in successfully, but don't remember me
+  #
+  Scenario: Anonymous user can log in
+    Given an anonymous user
+     And  an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: ''
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Logged in successfully'
+     And  reggie should be logged in
+     And  she should not have an auth_token cookie
+   
+  Scenario: Logged-in user who logs in should be the new one
+    Given an activated user named 'reggie'
+     And  an activated user logged in as 'oona'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: ''
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Logged in successfully'
+     And  reggie should be logged in
+     And  she should not have an auth_token cookie
+  
+  #
+  # Log in successfully, remember me
+  #
+  Scenario: Anonymous user can log in and be remembered
+    Given an anonymous user
+     And  an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: '1'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Logged in successfully'
+     And  reggie should be logged in
+     And  she should have an auth_token cookie
+	      # assumes fixtures were run sometime
+     And  her session store should have user_id: 4
+   
+  #
+  # Log in unsuccessfully
+  #
+  
+  Scenario: Logged-in user who fails logs in should be logged out
+    Given an activated user named 'oona'
+    When  she creates a singular sessions with login: 'oona', password: '1234oona', remember me: '1'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Logged in successfully'
+     And  oona should be logged in
+     And  she should have an auth_token cookie
+    When  she creates a singular sessions with login: 'reggie', password: 'i_haxxor_joo'
+    Then  she should be at the new sessions page
+    Then  she should see an error message 'Couldn't log you in as 'reggie''
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+  
+  Scenario: Log-in with bogus info should fail until it doesn't
+    Given an activated user named 'reggie'
+    When  she creates a singular sessions with login: 'reggie', password: 'i_haxxor_joo'
+    Then  she should be at the new sessions page
+    Then  she should see an error message 'Couldn't log you in as 'reggie''
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'reggie', password: ''
+    Then  she should be at the new sessions page
+    Then  she should see an error message 'Couldn't log you in as 'reggie''
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: '', password: 'monkey'
+    Then  she should be at the new sessions page
+    Then  she should see an error message 'Couldn't log you in as '''
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'leonard_shelby', password: 'monkey'
+    Then  she should be at the new sessions page
+    Then  she should see an error message 'Couldn't log you in as 'leonard_shelby''
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+    When  she creates a singular sessions with login: 'reggie', password: 'monkey', remember me: '1'
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'Logged in successfully'
+     And  reggie should be logged in
+     And  she should have an auth_token cookie
+	      # assumes fixtures were run sometime
+     And  her session store should have user_id: 4
+
+
+  #
+  # Log out successfully (should always succeed)
+  #
+  Scenario: Anonymous (logged out) user can log out.
+    Given an anonymous user
+    When  she goes to /logout
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'You have been logged out'
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id
+
+  Scenario: Logged in user can log out.
+    Given an activated user logged in as 'reggie'
+    When  she goes to /logout
+    Then  she should be redirected to the home page
+    When  she follows that redirect!
+    Then  she should see a notice message 'You have been logged out'
+     And  she should not be logged in
+     And  she should not have an auth_token cookie
+     And  her session store should not have user_id