sorcery 0.1.0

data/lib/sorcery/controller/submodules/brute_force_protection.rb

@@ -0,0 +1,89 @@
+module Sorcery
+  module Controller
+    module Submodules
+      module BruteForceProtection
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :login_retries_amount_allowed,      # how many failed logins allowed.
+                            :login_retries_time_period,         # the time after which the failed logins counter is reset.
+                            :login_ban_time_period,             # how long the user should be banned. in seconds.
+                            :banned_action                      # what controller action should be called when a banned user tries.
+                            
+              def merge_brute_force_protection_defaults!
+                @defaults.merge!(:@login_retries_amount_allowed  => 50,
+                                 :@login_retries_time_period     => 30,
+                                 :@login_ban_time_period         => 3600,
+                                 :@banned_action                 => :default_banned_action)
+              end
+            end
+            merge_brute_force_protection_defaults!
+          end
+          Config.after_failed_login << :check_failed_logins_limit_reached
+          base.prepend_before_filter :deny_banned_user
+        end
+        
+        module InstanceMethods
+          def check_failed_logins_limit_reached(user, credentials)
+            now = Time.now.utc
+              
+            # not banned
+            if session[:first_failed_login_time]
+              reset_failed_logins_if_time_passed(now)
+            else
+              session[:first_failed_login_time] = now
+            end
+            increment_failed_logins
+            # ban
+            ban_if_above_limit(now)
+          end
+          
+          protected
+          
+          def release_ban_if_time_passed(now)
+            if now - session[:ban_start_time] > Config.login_ban_time_period
+              session[:banned] = nil
+              session[:failed_logins] = 0
+              return true
+            end
+            false
+          end
+          
+          def increment_failed_logins
+            session[:failed_logins] ||= 0
+            session[:failed_logins] += 1
+          end
+          
+          def reset_failed_logins_if_time_passed(now)
+            if now - session[:first_failed_login_time] > Config.login_retries_time_period
+              session[:failed_logins] = 0 
+              session[:first_failed_login_time] = now
+            end
+          end
+          
+          def ban_if_above_limit(now)
+            if session[:failed_logins] > Config.login_retries_amount_allowed
+              session[:banned] = true
+              session[:ban_start_time] = now
+            end
+          end
+          
+          def deny_banned_user
+            if session[:banned]
+              now = Time.now.utc
+              release_ban_if_time_passed(now)
+            end
+            
+            # if still banned
+            send(Config.banned_action) if session[:banned]
+          end
+          
+          def default_banned_action
+            render :nothing => true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -0,0 +1,43 @@
+module Sorcery
+  module Controller
+    module Submodules
+      module RememberMe
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.login_sources << :login_from_cookie
+          Config.after_login << :remember_me_if_asked_to
+          Config.after_logout << :forget_me!
+        end
+        
+        module InstanceMethods
+          def remember_me!
+            logged_in_user.remember_me!
+            cookies[:remember_me_token] = { :value => logged_in_user.remember_me_token, :expires => logged_in_user.remember_me_token_expires_at }        
+          end
+
+          def forget_me!
+            logged_in_user.forget_me!
+            cookies[:remember_me_token] = nil
+          end
+          
+          protected
+          
+          def remember_me_if_asked_to(user, credentials)
+            remember_me! if credentials.size == 3 && credentials[2]
+          end
+          
+          def login_from_cookie
+            user = cookies[:remember_me_token] && Config.user_class.find_by_remember_me_token(cookies[:remember_me_token])
+            if user && user.remember_me_token?
+              cookies[:remember_me_token] = { :value => user.remember_me_token, :expires => user.remember_me_token_expires_at }
+              @logged_in_user = user
+            else
+              @logged_in_user = false
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -0,0 +1,42 @@
+module Sorcery
+  module Controller
+    module Submodules
+      module SessionTimeout
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :session_timeout,                     # how long in seconds to keep the session alive.
+                            :session_timeout_from_last_action     # use the last action as the beginning of session timeout.
+                            
+              def merge_session_timeout_defaults!
+                @defaults.merge!(:@session_timeout                      => 3600, # 1.hour
+                                 :@session_timeout_from_last_action     => false)
+              end
+            end
+            merge_session_timeout_defaults!
+          end
+          Config.after_login << :register_login_time
+          base.prepend_before_filter :validate_session
+        end
+        
+        module InstanceMethods
+          def register_login_time(user, credentials)
+            session[:login_time] = session[:last_action_time] = Time.now.utc
+          end
+          
+          # To be used as a before_filter, before authenticate
+          def validate_session
+            session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
+            if session_to_use && (Time.now.utc - session_to_use > Config.session_timeout)
+              reset_session
+              @logged_in_user = false
+            else
+              session[:last_action_time] = Time.now.utc
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/aes256.rb

@@ -0,0 +1,44 @@
+require "openssl"
+
+module Sorcery
+  module CryptoProviders
+    # This encryption method is reversible if you have the supplied key. So in order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do the following:
+    #
+    #   Sorcery::Model::ConfigAES256.key = "my 32 bytes long key"
+    #
+    # My final comment is that this is a strong encryption method, but its main weakness is that its reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
+    #
+    # Keep your key in a safe place, some even say the key should be stored on a separate server.
+    # This won't hurt performance because the only time it will try and access the key on the separate server is during initialization, which only
+    # happens once. The reasoning behind this is if someone does compromise your server they won't have the key also. Basically, you don't want to
+    # store the key with the lock.
+    class AES256
+      class << self
+        attr_writer :key
+    
+        def encrypt(*tokens)
+          aes.encrypt
+          aes.key = @key
+          [aes.update(tokens.join) + aes.final].pack("m").chomp
+        end
+    
+        def matches?(crypted, *tokens)
+          aes.decrypt
+          aes.key = @key
+          (aes.update(crypted.unpack("m").first) + aes.final) == tokens.join
+        rescue OpenSSL::CipherError
+          false
+        end
+    
+        private
+        
+        def aes
+          raise ArgumentError.new("#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it.") if ( @key.nil? || @key == "" )
+          @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -0,0 +1,96 @@
+begin
+  require "bcrypt"
+rescue LoadError
+  "sudo gem install bcrypt-ruby"
+end
+
+module Sorcery
+  module CryptoProviders
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
+    # secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
+    # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
+    # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
+    #
+    #   require "bcrypt"
+    #   require "digest"
+    #   require "benchmark"
+    #
+    #   Benchmark.bm(18) do |x|
+    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
+    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
+    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #   end
+    #
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
+    #
+    # You can play around with the cost to get that perfect balance between performance and security.
+    #
+    # Decided BCrypt is for you? Just insall the bcrypt gem:
+    #
+    #   gem install bcrypt-ruby
+    #
+    # Tell activate_sorcery! to use it:
+    #
+    #   activate_sorcery! do |c|
+    #     c.encryption_algorithm = :bcrypt
+    #   end
+    #
+    # You are good to go!
+    class BCrypt
+      class << self
+        # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
+        # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
+        def cost
+          @cost ||= 10
+        end
+        attr_writer :cost
+        alias :stretches= :cost=
+        
+        # Creates a BCrypt hash for the password passed.
+        def encrypt(*tokens)
+          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+        end
+        
+        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(hash, *tokens)
+          hash = new_from_hash(hash)
+          return false if hash.nil? || hash == {}
+          hash == join_tokens(tokens)
+        end
+        
+        # This method is used as a flag to tell Sorcery to "resave" the password upon a successful login, using the new cost
+        def cost_matches?(hash)
+          hash = new_from_hash(hash)
+          if hash.nil? || hash == {}
+            false
+          else
+            hash.cost == cost
+          end
+        end
+        
+        def reset!
+          @cost = 10
+        end
+        
+        private
+        
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
+        
+        def new_from_hash(hash)
+          begin
+            ::BCrypt::Password.new(hash)
+          rescue ::BCrypt::Errors::InvalidHash
+            return nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/md5.rb

@@ -0,0 +1,39 @@
+require "digest/md5"
+ 
+module Sorcery
+  module CryptoProviders
+    # This class was made for the users transitioning from md5 based systems. 
+    # I highly discourage using this crypto provider as it superbly inferior 
+    # to your other options.
+    #
+    # Please use any other provider offered by Sorcery.
+    class MD5
+      class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption.
+        def stretches
+          @stretches ||= 1
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a MD5 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::MD5.hexdigest(digest) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+        
+        def reset!
+          @stretches = 1
+          @join_token = nil
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/sha1.rb

@@ -0,0 +1,40 @@
+require "digest/sha1"
+
+module Sorcery
+  module CryptoProviders
+    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
+    # crypto provider as it inferior to your other options. Please use any other provider offered by Sorcery.
+    class SHA1
+      class << self
+        def join_token
+          @join_token ||= "--"
+        end
+        attr_writer :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        def stretches
+          @stretches ||= 10
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a Sha1 hash.
+        def encrypt(*tokens)
+          tokens = tokens.flatten
+          digest = tokens.shift
+          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token)) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+        
+        def reset!
+          @stretches = 10
+          @join_token = nil
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/crypto_providers/sha256.rb

@@ -0,0 +1,55 @@
+require "digest/sha2"
+
+module Sorcery
+  # The activate_sorcery method has a custom_crypto_provider configuration option. This allows you to use any type of encryption you like.
+  # Just create a class with a class level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
+  module CryptoProviders
+    # = Sha256
+    #
+    # Uses the Sha256 hash algorithm to encrypt passwords.
+    class SHA256
+      class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption.
+        def stretches
+          @stretches ||= 20
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a Sha256 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::SHA256.hexdigest(digest) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+        
+        def reset!
+          @stretches = 20
+          @join_token = nil
+        end
+      end
+    end
+  end
+end