simonmenke-mr_authentication 0.0.1
- data/License.txt +20 -0
- data/README +9 -0
- data/about.yml +9 -0
- data/app/controllers/lalala/base_controller.rb +4 -0
- data/app/controllers/lalala/sessions_controller.rb +42 -0
- data/app/controllers/lalala/users_controller.rb +24 -0
- data/app/models/user.rb +56 -0
- data/app/views/lalala/sessions/new.html.erb +24 -0
- data/app/views/lalala/users/_form.html.erb +33 -0
- data/app/views/lalala/users/_user.html.erb +3 -0
- data/app/views/lalala/users/edit.html.erb +2 -0
- data/app/views/lalala/users/index.html.erb +9 -0
- data/app/views/lalala/users/new.html.erb +2 -0
- data/app/views/lalala/users/show.html.erb +17 -0
- data/config/routes.rb +7 -0
- data/db/fixtures/users.rb +8 -0
- data/db/migrations/20081022101325_create_users.rb +22 -0
- data/lib/authenticated_system.rb +189 -0
- data/lib/authenticated_test_helper.rb +11 -0
- data/lib/mr_authentication.rb +6 -0
- data/lib/mr_authentication/version.rb +10 -0
- data/rails/init.rb +4 -0
- data/setup/setup.rb +8 -0
- data/vendor/plugins/restful-authentication/CHANGELOG +68 -0
- data/vendor/plugins/restful-authentication/README.textile +224 -0
- data/vendor/plugins/restful-authentication/Rakefile +22 -0
- data/vendor/plugins/restful-authentication/TODO +15 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/USAGE +1 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/authenticated_generator.rb +478 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/lib/insert_routes.rb +54 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/_model_partial.html.erb +8 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/activation.erb +3 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/authenticated_system.rb +189 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/authenticated_test_helper.rb +22 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/controller.rb +43 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/helper.rb +2 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/login.html.erb +16 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/mailer.rb +25 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/migration.rb +26 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/model.rb +83 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/model_controller.rb +85 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/model_helper.rb +93 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/model_helper_spec.rb +158 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/observer.rb +11 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/signup.html.erb +19 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/signup_notification.erb +8 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/site_keys.rb +38 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/controllers/access_control_spec.rb +90 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/controllers/authenticated_system_spec.rb +102 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/controllers/sessions_controller_spec.rb +139 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/controllers/users_controller_spec.rb +198 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/fixtures/users.yml +60 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/helpers/users_helper_spec.rb +141 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/spec/models/user_spec.rb +290 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/rest_auth_stories.rb +22 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/rest_auth_stories_helper.rb +81 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/steps/ra_navigation_steps.rb +49 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/steps/ra_resource_steps.rb +179 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/steps/ra_response_steps.rb +171 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/steps/user_steps.rb +153 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/users/accounts.story +186 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/stories/users/sessions.story +134 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/test/functional_test.rb +82 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/test/mailer_test.rb +31 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/test/model_functional_test.rb +93 -0
- data/vendor/plugins/restful-authentication/generators/authenticated/templates/test/unit_test.rb +164 -0
- data/vendor/plugins/restful-authentication/init.rb +3 -0
- data/vendor/plugins/restful-authentication/install.rb +1 -0
- data/vendor/plugins/restful-authentication/lib/authentication.rb +40 -0
- data/vendor/plugins/restful-authentication/lib/authentication/by_cookie_token.rb +82 -0
- data/vendor/plugins/restful-authentication/lib/authentication/by_password.rb +64 -0
- data/vendor/plugins/restful-authentication/lib/authorization.rb +14 -0
- data/vendor/plugins/restful-authentication/lib/authorization/aasm_roles.rb +63 -0
- data/vendor/plugins/restful-authentication/lib/authorization/stateful_roles.rb +62 -0
- data/vendor/plugins/restful-authentication/lib/trustification.rb +14 -0
- data/vendor/plugins/restful-authentication/lib/trustification/email_validation.rb +20 -0
- data/vendor/plugins/restful-authentication/notes/AccessControl.txt +2 -0
- data/vendor/plugins/restful-authentication/notes/Authentication.txt +5 -0
- data/vendor/plugins/restful-authentication/notes/Authorization.txt +154 -0
- data/vendor/plugins/restful-authentication/notes/RailsPlugins.txt +78 -0
- data/vendor/plugins/restful-authentication/notes/SecurityFramework.graffle +0 -0
- data/vendor/plugins/restful-authentication/notes/SecurityFramework.png +0 -0
- data/vendor/plugins/restful-authentication/notes/SecurityPatterns.txt +163 -0
- data/vendor/plugins/restful-authentication/notes/Tradeoffs.txt +126 -0
- data/vendor/plugins/restful-authentication/notes/Trustification.txt +49 -0
- data/vendor/plugins/restful-authentication/tasks/auth.rake +33 -0
- metadata +220 -0
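--- a/data/License.txt
+++ b/data/License.txt
@@ -0,0 +1,20 @@
+Copyright (c) 2008 FIX_ME:author
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.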
data/README
ADDED
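--- a/data/about.yml
+++ b/data/about.yml
@@ -0,0 +1,9 @@
+name: mr_authentication
+github: simonmenke
+description: a restfull_authentication diamond for mr_henry
+author: Simon Menke
+email: simon.menke@gmail.com
+dependencies:
+- simonmenke-diamonds >= 0.0.1
+- simonmenke-mr_henry >= 0.0.1
+- simonmenke-mr_seed >= 0.0.1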
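--- a/data/app/controllers/lalala/sessions_controller.rb
+++ b/data/app/controllers/lalala/sessions_controller.rb
@@ -0,0 +1,42 @@
+class Lalala::SessionsController < Lalala::BaseController
+
+skip_before_filter :login_required
+
+# render new.rhtml
+def new
+end
+
+def create
+logout_keeping_session!
+user = User.authenticate(params[:login], params[:password])
+if user
+# Protects against session fixation attacks, causes request forgery
+# protection if user resubmits an earlier form using back
+# button. Uncomment if you understand the tradeoffs.
+# reset_session
+self.current_user = user
+new_cookie_flag = (params[:remember_me] == "1")
+handle_remember_cookie! new_cookie_flag
+redirect_back_or_default('/')
+flash[:notice] = "Logged in successfully"
+else
+note_failed_signin
+@login = params[:login]
+@remember_me = params[:remember_me]
+render :action => 'new'
+end
+end
+
+def destroy
+logout_killing_session!
+flash[:notice] = "You have been logged out."
+redirect_back_or_default('/')
+end
+
+protected
+# Track failed login attempts
+def note_failed_signin
+flash[:error] = "Couldn't log you in as '#{params[:login]}'"
+logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
+end
+end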
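Review bot: `create` leaves `# reset_session` commented out (line 16), so the session id the client already held while logged out is carried across the login boundary; the hunk's own comment names the session-fixation risk and the forgery-token tradeoff, and `logout_killing_session!` in authenticated_system.rb shows the intended pattern (logout first, then `reset_session`) that could be applied here just before `self.current_user = user`. `note_failed_signin` puts `params[:login]` verbatim into `flash[:error]`; whether that string is escaped depends on the layout that renders the flash, which is outside this hunk, so on a Rails version without automatic output escaping the rendering site should wrap it in `h`. The `logger.warn` line, recording the attempted login and `request.remote_ip`, is the only failed-login signal in this gem and is worth keeping for detection of credential-stuffing.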
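--- a/data/app/controllers/lalala/users_controller.rb
+++ b/data/app/controllers/lalala/users_controller.rb
@@ -0,0 +1,24 @@
+class Lalala::UsersController < Lalala::BaseController
+
+resources :users, :order => "name", :paginate => true
+
+def create
+user.save!
+redirect_to [:lalala, user]
+rescue ActiveRecord::RecordInvalid => e
+render :action => "new"
+end
+
+def update
+user.update_attributes!(params[:user])
+redirect_to [:lalala, user]
+rescue ActiveRecord::RecordInvalid => e
+render :action => "edit"
+end
+
+def destroy
+user.destroy
+redirect_to lalala_users_path
+end
+
+end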
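Review bot: `destroy` (lines 19–22) deletes unconditionally, while show.html.erb only hides the Delete link when `User.count > 1`; a view-level guard does not stop a direct DELETE request, so the same check belongs in the controller, e.g. `return redirect_to(lalala_users_path) if User.count <= 1` before `user.destroy`, to avoid removing the last account. Both `rescue ActiveRecord::RecordInvalid => e` clauses (lines 8 and 15) bind `e` and never read it; `rescue ActiveRecord::RecordInvalid` is enough. `user` is supplied by the `resources :users` macro on line 3, whose implementation is not in this hunk, and `update` hands `params[:user]` straight to `update_attributes!`, so the `attr_accessible` list in user.rb is the only bound on what can be mass-assigned; any rule about which logged-in user may edit or remove other accounts would have to live in `Lalala::BaseController`, also not shown.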
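--- a/data/app/models/user.rb
+++ b/data/app/models/user.rb
@@ -0,0 +1,56 @@
+require 'digest/sha1'
+
+class User < ActiveRecord::Base
+include ::Authentication
+include ::Authentication::ByPassword
+include ::Authentication::ByCookieToken
+
+validates_presence_of :login
+validates_length_of :login, :within => 3..40
+validates_uniqueness_of :login
+validates_format_of :login, :with => Authentication.login_regex, :message => Authentication.bad_login_message
+
+validates_format_of :name, :with => Authentication.name_regex, :message => Authentication.bad_name_message, :allow_nil => true
+validates_length_of :name, :maximum => 100
+
+validates_presence_of :email
+validates_length_of :email, :within => 6..100 #r@a.wk
+validates_uniqueness_of :email
+validates_format_of :email, :with => Authentication.email_regex, :message => Authentication.bad_email_message
+
+
+
+# HACK HACK HACK -- how to do attr_accessible from here?
+# prevents a user from submitting a crafted form that bypasses activation
+# anything else you want your user to change should be added here.
+attr_accessible :login, :email, :name, :password, :password_confirmation
+
+
+
+# Authenticates a user by their login name and unencrypted password. Returns the user or nil.
+#
+# uff. this is really an authorization, not authentication routine.
+# We really need a Dispatch Chain here or something.
+# This will also let us return a human error message.
+#
+def self.authenticate(login, password)
+return nil if login.blank? || password.blank?
+u = find_by_login(login) # need to get the salt
+u && u.authenticated?(password) ? u : nil
+end
+
+def login=(value)
+write_attribute :login, (value ? value.downcase : nil)
+end
+
+def email=(value)
+write_attribute :email, (value ? value.downcase : nil)
+end
+
+protected
+
+
+
+end
+
+Diamonds.extendable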
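Review bot: `User.authenticate` looks the account up with the raw value (`u = find_by_login(login)`, line 38) while `login=` on line 43 stores logins downcased, so on a case-sensitive collation a user who signed up as `Alice` (stored as `alice`) cannot sign in with the spelling they registered; `u = find_by_login(login.downcase)` keeps lookup and storage consistent, and the `blank?` guard on line 37 already rules out nil. The `protected` on line 50 guards no methods and can be dropped. `require 'digest/sha1'` at the top together with the 40-character `crypted_password` and `salt` columns in the migration suggest SHA-1 based hashing inside `Authentication::ByPassword`, which is not in this hunk; if that is the case, a slow adaptive hash (bcrypt) is the usual recommendation for stored passwords and would need wider columns.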
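--- a/data/app/views/lalala/sessions/new.html.erb
+++ b/data/app/views/lalala/sessions/new.html.erb
@@ -0,0 +1,24 @@
+<h1>Log In</h1>
+
+<% form_tag lalala_session_path do %>
+
+<div>
+<%= label_tag 'login' %>
+<%= text_field_tag 'login', @login %>
+</div>
+
+<div>
+<%= label_tag 'password' %>
+<%= password_field_tag 'password', nil %>
+</div>
+
+<div>
+<%= label_tag 'remember_me', 'Remember me' %>
+<%= check_box_tag 'remember_me', '1', @remember_me %>
+</div>
+
+<div class="button">
+<%= submit_tag 'Log in' %>
+</div>
+
+<% end -%>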
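--- a/data/app/views/lalala/users/_form.html.erb
+++ b/data/app/views/lalala/users/_form.html.erb
@@ -0,0 +1,33 @@
+<% form_for([:lalala, user]) do |f| %>
+
+<div>
+<%= f.label :name %>
+<%= f.text_field :name %>
+</div>
+
+<div>
+<%= f.label :email %>
+<%= f.text_field :email %>
+</div>
+
+<div>
+<%= f.label :login %>
+<%= f.text_field :login %>
+</div>
+
+<div>
+<%= f.label :password %>
+<%= f.password_field :password %>
+</div>
+
+<div>
+<%= f.label :password_confirmation %>
+<%= f.password_field :password_confirmation %>
+</div>
+
+<div class="button">
+<%= f.submit (user.new_record? ? "Create" : "Update") %>
+<%= link_to "Cancel", lalala_users_path %>
+</div>
+
+<% end %>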
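Review bot: `f.submit (user.new_record? ? "Create" : "Update")` on line 29 puts a space between the method name and the parenthesised argument, which Ruby parses as a parenthesised expression passed as an argument and warns about; `<%= f.submit(user.new_record? ? "Create" : "Update") %>` says the same thing without the ambiguity. The same form is reused for create and edit, so the two `password_field` inputs (lines 20 and 25) are presented on every edit; a short comment above them noting that leaving both blank on edit is the expected "keep current password" path would help, assuming `Authentication::ByPassword` (not in this hunk) treats a blank password that way.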
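--- a/data/app/views/lalala/users/show.html.erb
+++ b/data/app/views/lalala/users/show.html.erb
@@ -0,0 +1,17 @@
+<h1 id="title"><%= user.name %></h1>
+
+<div class="actions">
+<%= link_to "Edit", [:edit, :lalala, user] %>
+<%= link_to_if (User.count > 1), "Delete", [:lalala, user], :method => :delete, :confirm => "Are you sure?" %>
+</div>
+
+<dl>
+<dt>name:</dt>
+<dd><%= user.name %></dd>
+
+<dt>login:</dt>
+<dd><%= user.login %></dd>
+
+<dt>email:</dt>
+<dd><%= link_to user.email, "mailto:"+user.email %></dd>
+</dl>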
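Review bot: `<%= user.name %>` (lines 1 and 10), `<%= user.login %>` (line 13) and the `link_to user.email` text on line 16 emit model data without `h`; the block-form `<% form_tag … do %>` syntax used in the sibling views points at a Rails release without automatic ERB escaping, so these should read `<%= h user.name %>`, `<%= h user.login %>` and `<%= link_to h(user.email), "mailto:"+user.email %>`. `name` and `email` are format-validated in user.rb against `Authentication.name_regex` and `Authentication.email_regex`, but neither pattern is in this diff, so escaping at the output point is the safe default rather than relying on them. The `User.count > 1` condition on line 5 only hides the link; the matching restriction belongs in the controller's `destroy`.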
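--- a/data/db/migrations/20081022101325_create_users.rb
+++ b/data/db/migrations/20081022101325_create_users.rb
@@ -0,0 +1,22 @@
+class CreateUsers < ActiveRecord::Migration
+def self.up
+create_table "users", :force => true do |t|
+t.column :login, :string, :limit => 40
+t.column :name, :string, :limit => 100, :default => '', :null => true
+t.column :email, :string, :limit => 100
+t.column :crypted_password, :string, :limit => 40
+t.column :salt, :string, :limit => 40
+t.column :created_at, :datetime
+t.column :updated_at, :datetime
+t.column :remember_token, :string, :limit => 40
+t.column :remember_token_expires_at, :datetime
+
+
+end
+add_index :users, :login, :unique => true
+end
+
+def self.down
+drop_table "users"
+end
+end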
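Review bot: Only `login` gets a unique index (line 16) although user.rb declares `validates_uniqueness_of :email` as well; the model-level check is racy under concurrent signups, so `add_index :users, :email, :unique => true` should accompany it. `remember_token` is the lookup key in `User.find_by_remember_token` (authenticated_system.rb, cookie login) and has no index here, so each cookie-based login scans the table; `add_index :users, :remember_token` fixes that. `create_table "users", :force => true` on line 3 silently drops an existing users table, which is a data-loss footgun outside a fresh install. The page's file header above this hunk reads data/config/routes.rb, but the body and the +22 count match the CreateUsers migration listed in the file summary.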
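--- a/data/lib/authenticated_system.rb
+++ b/data/lib/authenticated_system.rb
@@ -0,0 +1,189 @@
+module AuthenticatedSystem
+protected
+# Returns true or false if the user is logged in.
+# Preloads @current_user with the user model if they're logged in.
+def logged_in?
+!!current_user
+end
+
+# Accesses the current user from the session.
+# Future calls avoid the database because nil is not equal to false.
+def current_user
+@current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
+end
+
+# Store the given user id in the session.
+def current_user=(new_user)
+session[:user_id] = new_user ? new_user.id : nil
+@current_user = new_user || false
+end
+
+# Check if the user is authorized
+#
+# Override this method in your controllers if you want to restrict access
+# to only a few actions or if you want to check if the user
+# has the correct rights.
+#
+# Example:
+#
+# # only allow nonbobs
+# def authorized?
+# current_user.login != "bob"
+# end
+#
+def authorized?(action = action_name, resource = nil)
+logged_in?
+end
+
+# Filter method to enforce a login requirement.
+#
+# To require logins for all actions, use this in your controllers:
+#
+# before_filter :login_required
+#
+# To require logins for specific actions, use this in your controllers:
+#
+# before_filter :login_required, :only => [ :edit, :update ]
+#
+# To skip this in a subclassed controller:
+#
+# skip_before_filter :login_required
+#
+def login_required
+authorized? || access_denied
+end
+
+# Redirect as appropriate when an access request fails.
+#
+# The default action is to redirect to the login screen.
+#
+# Override this method in your controllers if you want to have special
+# behavior in case the user is not authorized
+# to access the requested action. For example, a popup window might
+# simply close itself.
+def access_denied
+respond_to do |format|
+format.html do
+store_location
+redirect_to new_lalala_session_path
+end
+# format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+# Add any other API formats here. (Some browsers, notably IE6, send Accept: */* and trigger
+# the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
+# for a workaround.)
+format.any(:json, :xml) do
+request_http_basic_authentication 'Web Password'
+end
+end
+end
+
+# Store the URI of the current request in the session.
+#
+# We can return to this location by calling #redirect_back_or_default.
+def store_location
+session[:return_to] = request.request_uri
+end
+
+# Redirect to the URI stored by the most recent store_location call or
+# to the passed default. Set an appropriately modified
+# after_filter :store_location, :only => [:index, :new, :show, :edit]
+# for any controller you want to be bounce-backable.
+def redirect_back_or_default(default)
+redirect_to(session[:return_to] || default)
+session[:return_to] = nil
+end
+
+# Inclusion hook to make #current_user and #logged_in?
+# available as ActionView helper methods.
+def self.included(base)
+base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
+end
+
+#
+# Login
+#
+
+# Called from #current_user. First attempt to login by the user id stored in the session.
+def login_from_session
+self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
+end
+
+# Called from #current_user. Now, attempt to login by basic authentication information.
+def login_from_basic_auth
+authenticate_with_http_basic do |login, password|
+self.current_user = User.authenticate(login, password)
+end
+end
+
+#
+# Logout
+#
+
+# Called from #current_user. Finaly, attempt to login by an expiring token in the cookie.
+# for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+def login_from_cookie
+user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+if user && user.remember_token?
+self.current_user = user
+handle_remember_cookie! false # freshen cookie token (keeping date)
+self.current_user
+end
+end
+
+# This is ususally what you want; resetting the session willy-nilly wreaks
+# havoc with forgery protection, and is only strictly necessary on login.
+# However, **all session state variables should be unset here**.
+def logout_keeping_session!
+# Kill server-side auth cookie
+@current_user.forget_me if @current_user.is_a? User
+@current_user = false # not logged in, and don't do it for me
+kill_remember_cookie! # Kill client-side auth cookie
+session[:user_id] = nil # keeps the session but kill our variable
+# explicitly kill any other session variables you set
+end
+
+# The session should only be reset at the tail end of a form POST --
+# otherwise the request forgery protection fails. It's only really necessary
+# when you cross quarantine (logged-out to logged-in).
+def logout_killing_session!
+logout_keeping_session!
+reset_session
+end
+
+#
+# Remember_me Tokens
+#
+# Cookies shouldn't be allowed to persist past their freshness date,
+# and they should be changed at each login
+
+# Cookies shouldn't be allowed to persist past their freshness date,
+# and they should be changed at each login
+
+def valid_remember_cookie?
+return nil unless @current_user
+(@current_user.remember_token?) &&
+(cookies[:auth_token] == @current_user.remember_token)
+end
+
+# Refresh the cookie auth token if it exists, create it otherwise
+def handle_remember_cookie!(new_cookie_flag)
+return unless @current_user
+case
+when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
+when new_cookie_flag then @current_user.remember_me
+else @current_user.forget_me
+end
+send_remember_cookie!
+end
+
+def kill_remember_cookie!
+cookies.delete :auth_token
+end
+
+def send_remember_cookie!
+cookies[:auth_token] = {
+:value => @current_user.remember_token,
+:expires => @current_user.remember_token_expires_at }
+end
+
+end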
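Review bot: `send_remember_cookie!` (lines 183–187) writes the long-lived remember token with only `:value` and `:expires`, so the cookie is also sent over plain HTTP and is readable from page script; adding `:secure => true` to that hash, plus the HttpOnly flag under whichever key the target Rails cookie jar accepts (`:httponly` in later 2.x releases), narrows the exposure of what is effectively a reusable credential. `login_from_cookie` (line 125) looks the user up by the raw cookie value and `valid_remember_cookie?` (line 165) compares it to the stored token with `==`; the hunk's own comment on line 123 already records that storing a hash of the token rather than the token itself would be the safer design, and that note is worth turning into a tracked TODO rather than leaving it as prose. Whether `remember_token?` also enforces `remember_token_expires_at` is decided in `Authentication::ByCookieToken`, which is not in this diff, so expiry handling cannot be confirmed from here. The duplicated comment pair on lines 156–160 ("Cookies shouldn't be allowed to persist…") can be collapsed to one copy.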