simonmenke-mr_authentication 0.0.1

data/License.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2008 FIX_ME:author
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,9 @@
+
+Install
+
+environment.rb:
+  config.gem "simonmenke-mr_authentication", :lib => 'mr_authentication', :source => "http://gems.github.com"
+
+bash:
+  diamonds setup # only the first time
+  rake auth:gen:site_key

data/about.yml

@@ -0,0 +1,9 @@
+name: mr_authentication
+github: simonmenke
+description: a restfull_authentication diamond for mr_henry
+author: Simon Menke
+email: simon.menke@gmail.com
+dependencies:
+  - simonmenke-diamonds >= 0.0.1
+  - simonmenke-mr_henry >= 0.0.1
+  - simonmenke-mr_seed >= 0.0.1

data/app/controllers/lalala/base_controller.rb

@@ -0,0 +1,4 @@
+class Lalala::BaseController
+  include AuthenticatedSystem
+  before_filter :login_required
+end

data/app/controllers/lalala/sessions_controller.rb

@@ -0,0 +1,42 @@
+class Lalala::SessionsController < Lalala::BaseController
+
+  skip_before_filter :login_required
+
+  # render new.rhtml
+  def new
+  end
+
+  def create
+    logout_keeping_session!
+    user = User.authenticate(params[:login], params[:password])
+    if user
+      # Protects against session fixation attacks, causes request forgery
+      # protection if user resubmits an earlier form using back
+      # button. Uncomment if you understand the tradeoffs.
+      # reset_session
+      self.current_user = user
+      new_cookie_flag = (params[:remember_me] == "1")
+      handle_remember_cookie! new_cookie_flag
+      redirect_back_or_default('/')
+      flash[:notice] = "Logged in successfully"
+    else
+      note_failed_signin
+      @login       = params[:login]
+      @remember_me = params[:remember_me]
+      render :action => 'new'
+    end
+  end
+
+  def destroy
+    logout_killing_session!
+    flash[:notice] = "You have been logged out."
+    redirect_back_or_default('/')
+  end
+
+protected
+  # Track failed login attempts
+  def note_failed_signin
+    flash[:error] = "Couldn't log you in as '#{params[:login]}'"
+    logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}"
+  end
+end

data/app/controllers/lalala/users_controller.rb

@@ -0,0 +1,24 @@
+class Lalala::UsersController < Lalala::BaseController
+
+  resources :users, :order => "name", :paginate => true
+
+  def create
+    user.save!
+    redirect_to [:lalala, user]
+  rescue ActiveRecord::RecordInvalid => e
+    render :action => "new"
+  end
+
+  def update
+    user.update_attributes!(params[:user])
+    redirect_to [:lalala, user]
+  rescue ActiveRecord::RecordInvalid => e
+    render :action => "edit"
+  end
+
+  def destroy
+    user.destroy
+    redirect_to lalala_users_path
+  end
+
+end

data/app/models/user.rb

@@ -0,0 +1,56 @@
+require 'digest/sha1'
+
+class User < ActiveRecord::Base
+  include ::Authentication
+  include ::Authentication::ByPassword
+  include ::Authentication::ByCookieToken
+
+  validates_presence_of     :login
+  validates_length_of       :login,    :within => 3..40
+  validates_uniqueness_of   :login
+  validates_format_of       :login,    :with => Authentication.login_regex, :message => Authentication.bad_login_message
+
+  validates_format_of       :name,     :with => Authentication.name_regex,  :message => Authentication.bad_name_message, :allow_nil => true
+  validates_length_of       :name,     :maximum => 100
+
+  validates_presence_of     :email
+  validates_length_of       :email,    :within => 6..100 #r@a.wk
+  validates_uniqueness_of   :email
+  validates_format_of       :email,    :with => Authentication.email_regex, :message => Authentication.bad_email_message
+
+  
+
+  # HACK HACK HACK -- how to do attr_accessible from here?
+  # prevents a user from submitting a crafted form that bypasses activation
+  # anything else you want your user to change should be added here.
+  attr_accessible :login, :email, :name, :password, :password_confirmation
+
+
+
+  # Authenticates a user by their login name and unencrypted password.  Returns the user or nil.
+  #
+  # uff.  this is really an authorization, not authentication routine.  
+  # We really need a Dispatch Chain here or something.
+  # This will also let us return a human error message.
+  #
+  def self.authenticate(login, password)
+    return nil if login.blank? || password.blank?
+    u = find_by_login(login) # need to get the salt
+    u && u.authenticated?(password) ? u : nil
+  end
+
+  def login=(value)
+    write_attribute :login, (value ? value.downcase : nil)
+  end
+
+  def email=(value)
+    write_attribute :email, (value ? value.downcase : nil)
+  end
+
+  protected
+    
+
+
+end
+
+Diamonds.extendable

data/app/views/lalala/sessions/new.html.erb

@@ -0,0 +1,24 @@
+<h1>Log In</h1>
+
+<% form_tag lalala_session_path do %>
+
+<div>
+  <%= label_tag 'login' %>
+  <%= text_field_tag 'login', @login %>
+</div>
+
+<div>
+  <%= label_tag 'password' %>
+  <%= password_field_tag 'password', nil %>
+</div>
+
+<div>
+  <%= label_tag 'remember_me', 'Remember me' %>
+  <%= check_box_tag 'remember_me', '1', @remember_me %>
+</div>
+
+<div class="button">
+  <%= submit_tag 'Log in' %>
+</div>
+
+<% end -%>

data/app/views/lalala/users/_form.html.erb

@@ -0,0 +1,33 @@
+<% form_for([:lalala, user]) do |f| %>
+  
+  <div>
+    <%= f.label :name %>
+    <%= f.text_field :name %>
+  </div>
+  
+  <div>
+    <%= f.label :email %>
+    <%= f.text_field :email %>
+  </div>
+  
+  <div>
+    <%= f.label :login %>
+    <%= f.text_field :login %>
+  </div>
+  
+  <div>
+    <%= f.label :password %>
+    <%= f.password_field :password %>
+  </div>
+  
+  <div>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation %>
+  </div>
+  
+  <div class="button">
+    <%= f.submit (user.new_record? ? "Create" : "Update") %>
+    <%= link_to "Cancel", lalala_users_path %>
+  </div>
+  
+<% end %>

data/app/views/lalala/users/_user.html.erb

@@ -0,0 +1,3 @@
+<% div_for user, :class => "record" do %>
+  <%= link_to user.name, [:lalala, user] %>
+<% end %>

data/app/views/lalala/users/edit.html.erb

@@ -0,0 +1,2 @@
+<h1>Edit user</h1>
+<%= render :partial => 'form' %>

data/app/views/lalala/users/index.html.erb

@@ -0,0 +1,9 @@
+<h1>Users</h1>
+<div id="actions">
+  <%= link_to "New user", new_lalala_user_path %>
+</div>
+<% paginated_section users do %>
+  <div id="users" class="records">
+    <%= render :partial => users %>
+  </div>
+<% end %>

data/app/views/lalala/users/new.html.erb

@@ -0,0 +1,2 @@
+<h1>New subject</h1>
+<%= render :partial => 'form' %>

data/app/views/lalala/users/show.html.erb

@@ -0,0 +1,17 @@
+<h1 id="title"><%= user.name %></h1>
+
+<div class="actions">
+  <%= link_to "Edit", [:edit, :lalala, user] %>
+  <%= link_to_if (User.count > 1), "Delete", [:lalala, user], :method => :delete, :confirm => "Are you sure?" %>
+</div>
+
+<dl>
+  <dt>name:</dt>
+  <dd><%= user.name %></dd>
+  
+  <dt>login:</dt>
+  <dd><%= user.login %></dd>
+  
+  <dt>email:</dt>
+  <dd><%= link_to user.email, "mailto:"+user.email %></dd>
+</dl>

data/config/routes.rb

@@ -0,0 +1,7 @@
+
+map.namespace :lalala do |lalala|
+  lalala.logout '/logout', :controller => 'sessions', :action => 'destroy'
+  lalala.login '/login', :controller => 'sessions', :action => 'new'
+  lalala.resources :users
+  lalala.resource :session
+end

data/db/fixtures/users.rb

@@ -0,0 +1,8 @@
+
+User.seed :login do |s|
+  s.name  = "Mr. Henry"
+  s.login = "mrhenry"
+  s.email = "hello@mrhenry.be"
+  s.password = "sayhello"
+  s.password_confirmation = "sayhello"
+end

data/db/migrations/20081022101325_create_users.rb

@@ -0,0 +1,22 @@
+class CreateUsers < ActiveRecord::Migration
+  def self.up
+    create_table "users", :force => true do |t|
+      t.column :login,                     :string, :limit => 40
+      t.column :name,                      :string, :limit => 100, :default => '', :null => true
+      t.column :email,                     :string, :limit => 100
+      t.column :crypted_password,          :string, :limit => 40
+      t.column :salt,                      :string, :limit => 40
+      t.column :created_at,                :datetime
+      t.column :updated_at,                :datetime
+      t.column :remember_token,            :string, :limit => 40
+      t.column :remember_token_expires_at, :datetime
+
+
+    end
+    add_index :users, :login, :unique => true
+  end
+
+  def self.down
+    drop_table "users"
+  end
+end

data/lib/authenticated_system.rb

@@ -0,0 +1,189 @@
+module AuthenticatedSystem
+  protected
+    # Returns true or false if the user is logged in.
+    # Preloads @current_user with the user model if they're logged in.
+    def logged_in?
+      !!current_user
+    end
+
+    # Accesses the current user from the session.
+    # Future calls avoid the database because nil is not equal to false.
+    def current_user
+      @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
+    end
+
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = new_user ? new_user.id : nil
+      @current_user = new_user || false
+    end
+
+    # Check if the user is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the user
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_user.login != "bob"
+    #  end
+    #
+    def authorized?(action = action_name, resource = nil)
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_filter :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_filter :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_filter :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the user is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to new_lalala_session_path
+        end
+        # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987
+        # Add any other API formats here.  (Some browsers, notably IE6, send Accept: */* and trigger 
+        # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2
+        # for a workaround.)
+        format.any(:json, :xml) do
+          request_http_basic_authentication 'Web Password'
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location
+      session[:return_to] = request.request_uri
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.  Set an appropriately modified
+    #   after_filter :store_location, :only => [:index, :new, :show, :edit]
+    # for any controller you want to be bounce-backable.
+    def redirect_back_or_default(default)
+      redirect_to(session[:return_to] || default)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_user and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
+    end
+
+    #
+    # Login
+    #
+
+    # Called from #current_user.  First attempt to login by the user id stored in the session.
+    def login_from_session
+      self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
+    end
+
+    # Called from #current_user.  Now, attempt to login by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |login, password|
+        self.current_user = User.authenticate(login, password)
+      end
+    end
+    
+    #
+    # Logout
+    #
+
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+    def login_from_cookie
+      user = cookies[:auth_token] && User.find_by_remember_token(cookies[:auth_token])
+      if user && user.remember_token?
+        self.current_user = user
+        handle_remember_cookie! false # freshen cookie token (keeping date)
+        self.current_user
+      end
+    end
+
+    # This is ususally what you want; resetting the session willy-nilly wreaks
+    # havoc with forgery protection, and is only strictly necessary on login.
+    # However, **all session state variables should be unset here**.
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_user.forget_me if @current_user.is_a? User
+      @current_user = false     # not logged in, and don't do it for me
+      kill_remember_cookie!     # Kill client-side auth cookie
+      session[:user_id] = nil   # keeps the session but kill our variable
+      # explicitly kill any other session variables you set
+    end
+
+    # The session should only be reset at the tail end of a form POST --
+    # otherwise the request forgery protection fails. It's only really necessary
+    # when you cross quarantine (logged-out to logged-in).
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+    
+    #
+    # Remember_me Tokens
+    #
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    # Cookies shouldn't be allowed to persist past their freshness date,
+    # and they should be changed at each login
+
+    def valid_remember_cookie?
+      return nil unless @current_user
+      (@current_user.remember_token?) && 
+        (cookies[:auth_token] == @current_user.remember_token)
+    end
+    
+    # Refresh the cookie auth token if it exists, create it otherwise
+    def handle_remember_cookie!(new_cookie_flag)
+      return unless @current_user
+      case
+      when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date
+      when new_cookie_flag        then @current_user.remember_me 
+      else                             @current_user.forget_me
+      end
+      send_remember_cookie!
+    end
+  
+    def kill_remember_cookie!
+      cookies.delete :auth_token
+    end
+    
+    def send_remember_cookie!
+      cookies[:auth_token] = {
+        :value   => @current_user.remember_token,
+        :expires => @current_user.remember_token_expires_at }
+    end
+
+end