sorcery 0.1.3 → 0.1.4

data/lib/sorcery/model/submodules/activity_logging.rb

@@ -0,0 +1,35 @@
+module Sorcery
+  module Model
+    module Submodules
+      module ActivityLogging
+        def self.included(base)
+          base.extend(ClassMethods)
+          base.sorcery_config.class_eval do
+            attr_accessor :last_login_at_attribute_name,                     # last login attribute name.
+                          :last_logout_at_attribute_name,                    # last logout attribute name.
+                          :last_activity_at_attribute_name,                  # last activity attribute name.
+                          :activity_timeout                               # how long since last activity is the user defined logged out?
+          end
+          
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@last_login_at_attribute_name                   => :last_login_at,
+                             :@last_logout_at_attribute_name                  => :last_logout_at,
+                             :@last_activity_at_attribute_name                => :last_activity_at,
+                             :@activity_timeout                            => 10.minutes)
+            reset!
+          end
+        end
+        
+        module ClassMethods
+          # get all users with last_activity within timeout
+          def logged_in_users
+            config = sorcery_config
+            where("#{config.last_activity_at_attribute_name} IS NOT NULL") \
+            .where("#{config.last_logout_at_attribute_name} IS NULL OR #{config.last_activity_at_attribute_name} > #{config.last_logout_at_attribute_name}") \
+            .where("#{config.last_activity_at_attribute_name} > ? ", config.activity_timeout.seconds.ago)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/model/submodules/brute_force_protection.rb

@@ -0,0 +1,72 @@
+module Sorcery
+  module Model
+    module Submodules
+      module BruteForceProtection
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :failed_logins_count_attribute_name,        # failed logins attribute name.
+                          :lock_expires_at_attribute_name,            # this field indicates whether user is banned and when it will be active again.
+                          :consecutive_login_retries_amount_allowed,  # how many failed logins allowed.
+                          :login_lock_time_period                     # how long the user should be banned. in seconds. 0 for permanent.
+          end
+          
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@failed_logins_count_attribute_name              => :failed_logins_count,
+                             :@lock_expires_at_attribute_name                  => :lock_expires_at,
+                             :@consecutive_login_retries_amount_allowed        => 50,
+                             :@login_lock_time_period                          => 3600)
+            reset!
+          end
+          
+          base.class_eval do
+
+          end
+          
+          base.sorcery_config.before_authenticate << :prevent_locked_user_login
+          base.extend(ClassMethods)
+          base.send(:include, InstanceMethods)
+        end
+        
+        module ClassMethods
+          protected
+          
+        end
+        
+        module InstanceMethods
+          def register_failed_login!
+            config = sorcery_config
+            self.increment(config.failed_logins_count_attribute_name)
+            save!
+            self.lock! if self.send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_allowed
+          end
+          
+          protected
+
+          def lock!
+            config = sorcery_config
+            self.update_attributes!(config.lock_expires_at_attribute_name => Time.now.utc + config.login_lock_time_period)
+          end
+
+          def unlock!
+            config = sorcery_config
+            self.update_attributes!(config.lock_expires_at_attribute_name => nil, 
+                                    config.failed_logins_count_attribute_name => 0)
+          end
+          
+          def unlocked?
+            config = sorcery_config
+            self.send(config.lock_expires_at_attribute_name).nil?
+          end
+          
+          def prevent_locked_user_login
+            config = sorcery_config
+            if !self.unlocked?
+              self.unlock! if self.send(config.lock_expires_at_attribute_name) <= Time.now.utc
+            end
+            unlocked?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/model/submodules/remember_me.rb

@@ -22,13 +22,15 @@ module Sorcery
         end
         
         module InstanceMethods
+          # You shouldn't really use this one - it's called by the controller's 'remember_me!' method.
           def remember_me!
             config = sorcery_config
             self.send(:"#{config.remember_me_token_attribute_name}=", generate_random_code)
             self.send(:"#{config.remember_me_token_expires_at_attribute_name}=", Time.now + config.remember_me_for)
             self.save!(:validate => false)
           end
-
+          
+          # You shouldn't really use this one - it's called by the controller's 'forget_me!' method.
           def forget_me!
             config = sorcery_config
             self.send(:"#{config.remember_me_token_attribute_name}=", nil)

data/lib/sorcery/model/submodules/reset_password.rb

@@ -0,0 +1,93 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This submodule adds the ability to reset password via email confirmation.
+      module ResetPassword       
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :reset_password_token_attribute_name,              # reset password code attribute name.
+                          :reset_password_token_expires_at_attribute_name,   # expires at attribute name.
+                          :reset_password_email_sent_at_attribute_name,      # when was email sent, used for hammering protection.
+                          :reset_password_mailer,                            # mailer class. Needed.
+                          :reset_password_email_method_name,                 # reset password email method on your mailer class.
+                          :reset_password_expiration_period,                 # how many seconds before the reset request expires. nil for never expires.
+                          :reset_password_time_between_emails                # hammering protection, how long to wait before allowing another email to be sent.
+
+          end
+          
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@reset_password_token_attribute_name            => :reset_password_token,
+                             :@reset_password_token_expires_at_attribute_name => :reset_password_token_expires_at,
+                             :@reset_password_email_sent_at_attribute_name    => :reset_password_email_sent_at,
+                             :@reset_password_mailer                          => nil,
+                             :@reset_password_email_method_name               => :reset_password_email,
+                             :@reset_password_expiration_period               => nil,
+                             :@reset_password_time_between_emails             => 5.minutes )
+
+            reset!
+          end
+          
+          base.sorcery_config.after_config << :validate_mailer_defined
+          
+          base.extend(ClassMethods)
+          base.send(:include, InstanceMethods)
+        end
+        
+        module ClassMethods
+          
+          def load_from_reset_password_token(token)
+            return nil if token.blank?
+            user = where("#{@sorcery_config.reset_password_token_attribute_name} = ?", token).first
+            if !user.blank? && !@sorcery_config.reset_password_expiration_period.nil?
+              return user.reset_password_token_valid? ? user : nil
+            end
+            user
+          end
+          
+          protected
+          
+          def validate_mailer_defined
+            msg = "To use reset_password submodule, you must define a mailer (config.reset_password_mailer = YourMailerClass)."
+            raise ArgumentError, msg if @sorcery_config.reset_password_mailer == nil
+          end
+
+        end
+        
+        module InstanceMethods
+          # generates a reset code with expiration and sends an email to the user.
+          def deliver_reset_password_instructions!
+            config = sorcery_config
+            # hammering protection
+            return if config.reset_password_time_between_emails && self.send(config.reset_password_email_sent_at_attribute_name) && self.send(config.reset_password_email_sent_at_attribute_name) > config.reset_password_time_between_emails.ago.utc
+            self.send(:"#{config.reset_password_token_attribute_name}=", generate_random_code)
+            self.send(:"#{config.reset_password_token_expires_at_attribute_name}=", Time.now.utc + config.reset_password_expiration_period) if config.reset_password_expiration_period
+            self.send(:"#{config.reset_password_email_sent_at_attribute_name}=", Time.now.utc)
+            self.class.transaction do
+              self.save!(:validate => false)
+              generic_send_email(:reset_password_email_method_name, :reset_password_mailer)
+            end
+          end
+          
+          def reset_password!(params)
+            clear_reset_password_token
+            update_attributes(params)
+          end
+          
+          def reset_password_token_valid?
+            config = sorcery_config
+            config.reset_password_expiration_period ? Time.now.utc < self.send(config.reset_password_token_expires_at_attribute_name) : true
+          end
+
+          protected
+
+          def clear_reset_password_token
+            config = sorcery_config
+            self.send(:"#{config.reset_password_token_attribute_name}=", nil)
+            self.send(:"#{config.reset_password_token_expires_at_attribute_name}=", nil) if config.reset_password_expiration_period
+          end
+        end
+        
+      end
+    end
+  end
+end

data/lib/sorcery/model/submodules/user_activation.rb

@@ -40,6 +40,8 @@ module Sorcery
         end
         
         module ClassMethods
+          protected
+          
           def validate_mailer_defined
             msg = "To use user_activation submodule, you must define a mailer (config.user_activation_mailer = YourMailerClass)."
             raise ArgumentError, msg if @sorcery_config.user_activation_mailer == nil

data/sorcery.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{sorcery}
-  s.version = "0.1.3"
+  s.version = "0.1.4"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Noam Ben Ari"]
-  s.date = %q{2011-02-05}
+  s.date = %q{2011-02-19}
   s.description = %q{Provides common authentication needs such as signing in/out, activating by email and resetting password.}
   s.email = %q{nbenari@gmail.com}
   s.extra_rdoc_files = [
@@ -25,9 +25,9 @@ Gem::Specification.new do |s|
     "README.rdoc",
     "Rakefile",
     "VERSION",
-    "features/support/env.rb",
     "lib/sorcery.rb",
     "lib/sorcery/controller.rb",
+    "lib/sorcery/controller/submodules/activity_logging.rb",
     "lib/sorcery/controller/submodules/brute_force_protection.rb",
     "lib/sorcery/controller/submodules/http_basic_auth.rb",
     "lib/sorcery/controller/submodules/remember_me.rb",
@@ -40,8 +40,10 @@ Gem::Specification.new do |s|
     "lib/sorcery/crypto_providers/sha512.rb",
     "lib/sorcery/engine.rb",
     "lib/sorcery/model.rb",
-    "lib/sorcery/model/submodules/password_reset.rb",
+    "lib/sorcery/model/submodules/activity_logging.rb",
+    "lib/sorcery/model/submodules/brute_force_protection.rb",
     "lib/sorcery/model/submodules/remember_me.rb",
+    "lib/sorcery/model/submodules/reset_password.rb",
     "lib/sorcery/model/submodules/user_activation.rb",
     "sorcery.gemspec",
     "spec/Gemfile",
@@ -82,9 +84,11 @@ Gem::Specification.new do |s|
     "spec/rails3/app_root/config/locales/en.yml",
     "spec/rails3/app_root/config/routes.rb",
     "spec/rails3/app_root/db/migrate/activation/20101224223622_add_activation_to_users.rb",
+    "spec/rails3/app_root/db/migrate/activity_logging/20101224223624_add_activity_logging_to_users.rb",
+    "spec/rails3/app_root/db/migrate/brute_force_protection/20101224223626_add_brute_force_protection_to_users.rb",
     "spec/rails3/app_root/db/migrate/core/20101224223620_create_users.rb",
-    "spec/rails3/app_root/db/migrate/password_reset/20101224223622_add_password_reset_to_users.rb",
     "spec/rails3/app_root/db/migrate/remember_me/20101224223623_add_remember_me_token_to_users.rb",
+    "spec/rails3/app_root/db/migrate/reset_password/20101224223622_add_reset_password_to_users.rb",
     "spec/rails3/app_root/db/schema.rb",
     "spec/rails3/app_root/db/seeds.rb",
     "spec/rails3/app_root/lib/tasks/.gitkeep",
@@ -108,6 +112,7 @@ Gem::Specification.new do |s|
     "spec/rails3/app_root/test/test_helper.rb",
     "spec/rails3/app_root/test/unit/user_test.rb",
     "spec/rails3/app_root/vendor/plugins/.gitkeep",
+    "spec/rails3/controller_activity_logging_spec.rb",
     "spec/rails3/controller_brute_force_protection_spec.rb",
     "spec/rails3/controller_http_basic_auth_spec.rb",
     "spec/rails3/controller_remember_me_spec.rb",
@@ -115,8 +120,10 @@ Gem::Specification.new do |s|
     "spec/rails3/controller_spec.rb",
     "spec/rails3/spec_helper.rb",
     "spec/rails3/user_activation_spec.rb",
-    "spec/rails3/user_password_reset_spec.rb",
+    "spec/rails3/user_activity_logging_spec.rb",
+    "spec/rails3/user_brute_force_protection_spec.rb",
     "spec/rails3/user_remember_me_spec.rb",
+    "spec/rails3/user_reset_password_spec.rb",
     "spec/rails3/user_spec.rb",
     "spec/sorcery_crypto_providers_spec.rb",
     "spec/spec_helper.rb"
@@ -145,14 +152,17 @@ Gem::Specification.new do |s|
     "spec/rails3/app_root/config/initializers/session_store.rb",
     "spec/rails3/app_root/config/routes.rb",
     "spec/rails3/app_root/db/migrate/activation/20101224223622_add_activation_to_users.rb",
+    "spec/rails3/app_root/db/migrate/activity_logging/20101224223624_add_activity_logging_to_users.rb",
+    "spec/rails3/app_root/db/migrate/brute_force_protection/20101224223626_add_brute_force_protection_to_users.rb",
     "spec/rails3/app_root/db/migrate/core/20101224223620_create_users.rb",
-    "spec/rails3/app_root/db/migrate/password_reset/20101224223622_add_password_reset_to_users.rb",
     "spec/rails3/app_root/db/migrate/remember_me/20101224223623_add_remember_me_token_to_users.rb",
+    "spec/rails3/app_root/db/migrate/reset_password/20101224223622_add_reset_password_to_users.rb",
     "spec/rails3/app_root/db/schema.rb",
     "spec/rails3/app_root/db/seeds.rb",
     "spec/rails3/app_root/test/performance/browsing_test.rb",
     "spec/rails3/app_root/test/test_helper.rb",
     "spec/rails3/app_root/test/unit/user_test.rb",
+    "spec/rails3/controller_activity_logging_spec.rb",
     "spec/rails3/controller_brute_force_protection_spec.rb",
     "spec/rails3/controller_http_basic_auth_spec.rb",
     "spec/rails3/controller_remember_me_spec.rb",
@@ -160,8 +170,10 @@ Gem::Specification.new do |s|
     "spec/rails3/controller_spec.rb",
     "spec/rails3/spec_helper.rb",
     "spec/rails3/user_activation_spec.rb",
-    "spec/rails3/user_password_reset_spec.rb",
+    "spec/rails3/user_activity_logging_spec.rb",
+    "spec/rails3/user_brute_force_protection_spec.rb",
     "spec/rails3/user_remember_me_spec.rb",
+    "spec/rails3/user_reset_password_spec.rb",
     "spec/rails3/user_spec.rb",
     "spec/sorcery_crypto_providers_spec.rb",
     "spec/spec_helper.rb"
@@ -171,39 +183,39 @@ Gem::Specification.new do |s|
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_development_dependency(%q<rails>, ["= 3.0.3"])
+      s.add_development_dependency(%q<rails>, [">= 3.0.0"])
       s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
       s.add_development_dependency(%q<rspec-rails>, [">= 0"])
       s.add_development_dependency(%q<ruby-debug19>, [">= 0"])
       s.add_development_dependency(%q<sqlite3-ruby>, [">= 0"])
       s.add_development_dependency(%q<yard>, ["~> 0.6.0"])
-      s.add_development_dependency(%q<cucumber>, [">= 0"])
       s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
       s.add_development_dependency(%q<simplecov>, [">= 0.3.8"])
+      s.add_runtime_dependency(%q<bcrypt-ruby>, ["~> 2.1.4"])
     else
-      s.add_dependency(%q<rails>, ["= 3.0.3"])
+      s.add_dependency(%q<rails>, [">= 3.0.0"])
       s.add_dependency(%q<rspec>, ["~> 2.3.0"])
       s.add_dependency(%q<rspec-rails>, [">= 0"])
       s.add_dependency(%q<ruby-debug19>, [">= 0"])
       s.add_dependency(%q<sqlite3-ruby>, [">= 0"])
       s.add_dependency(%q<yard>, ["~> 0.6.0"])
-      s.add_dependency(%q<cucumber>, [">= 0"])
       s.add_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
       s.add_dependency(%q<simplecov>, [">= 0.3.8"])
+      s.add_dependency(%q<bcrypt-ruby>, ["~> 2.1.4"])
     end
   else
-    s.add_dependency(%q<rails>, ["= 3.0.3"])
+    s.add_dependency(%q<rails>, [">= 3.0.0"])
     s.add_dependency(%q<rspec>, ["~> 2.3.0"])
     s.add_dependency(%q<rspec-rails>, [">= 0"])
     s.add_dependency(%q<ruby-debug19>, [">= 0"])
     s.add_dependency(%q<sqlite3-ruby>, [">= 0"])
     s.add_dependency(%q<yard>, ["~> 0.6.0"])
-    s.add_dependency(%q<cucumber>, [">= 0"])
     s.add_dependency(%q<bundler>, ["~> 1.0.0"])
     s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
     s.add_dependency(%q<simplecov>, [">= 0.3.8"])
+    s.add_dependency(%q<bcrypt-ruby>, ["~> 2.1.4"])
   end
 end
 

data/spec/rails3/app_root/app/controllers/application_controller.rb

@@ -2,8 +2,8 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
   
   #before_filter :validate_session, :only => [:test_should_be_logged_in] if defined?(:validate_session)
-  before_filter :require_user_login_from_http, :only => [:test_http_basic_auth]
-  before_filter :require_user_login, :only => [:test_logout, :test_should_be_logged_in, :some_action]
+  before_filter :require_login_from_http_basic, :only => [:test_http_basic_auth]
+  before_filter :require_login, :only => [:test_logout, :test_should_be_logged_in, :some_action]
   
   def index
     render :text => ""

data/spec/rails3/app_root/db/migrate/activity_logging/20101224223624_add_activity_logging_to_users.rb

@@ -0,0 +1,17 @@
+class AddActivityLoggingToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :last_login_at,     :datetime, :default => nil
+    add_column :users, :last_logout_at,    :datetime, :default => nil
+    add_column :users, :last_activity_at,  :datetime, :default => nil
+    
+    add_index :users, [:last_logout_at, :last_activity_at]
+  end
+
+  def self.down
+    remove_index :users, [:last_logout_at, :last_activity_at]
+    
+    remove_column :users, :last_activity_at
+    remove_column :users, :last_logout_at
+    remove_column :users, :last_login_at
+  end
+end

data/spec/rails3/app_root/db/migrate/brute_force_protection/20101224223626_add_brute_force_protection_to_users.rb

@@ -0,0 +1,11 @@
+class AddBruteForceProtectionToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :failed_logins_count, :integer, :default => 0
+    add_column :users, :lock_expires_at, :datetime, :default => nil
+  end
+
+  def self.down
+    remove_column :users, :lock_expires_at
+    remove_column :users, :failed_logins_count
+  end
+end

data/spec/rails3/app_root/db/migrate/reset_password/20101224223622_add_reset_password_to_users.rb

@@ -0,0 +1,13 @@
+class AddResetPasswordToUsers < ActiveRecord::Migration
+  def self.up
+    add_column :users, :reset_password_token, :string, :default => nil
+    add_column :users, :reset_password_token_expires_at, :datetime, :default => nil
+    add_column :users, :reset_password_email_sent_at, :datetime, :default => nil
+  end
+
+  def self.down
+    remove_column :users, :reset_password_email_sent_at
+    remove_column :users, :reset_password_token_expires_at
+    remove_column :users, :reset_password_token
+  end
+end

data/spec/rails3/controller_activity_logging_spec.rb

@@ -0,0 +1,84 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe ApplicationController do
+  before(:all) do
+    ActiveRecord::Migrator.migrate("#{Rails.root}/db/migrate/activity_logging")
+  end
+  
+  after(:all) do
+    ActiveRecord::Migrator.rollback("#{Rails.root}/db/migrate/activity_logging")
+  end
+  
+  # ----------------- ACTIVITY LOGGING -----------------------
+  describe ApplicationController, "with activity logging features" do
+    before(:all) do
+      plugin_model_configure([:activity_logging])
+    end
+
+    before(:each) do
+      create_new_user
+    end
+
+    after(:each) do
+      User.delete_all
+    end
+
+    it "should respond to 'logged_in_users'" do
+      subject.should respond_to(:logged_in_users)
+    end
+
+    it "'logged_in_users' should be empty when no users are logged in" do
+      subject.logged_in_users.size.should == 0
+    end
+
+    it "should log login time on login" do
+      now = Time.now.utc
+      login_user
+      @user.last_login_at.should_not be_nil
+      @user.last_login_at.to_s(:db).should >= now.to_s(:db)
+      @user.last_login_at.to_s(:db).should <= (now+2).to_s(:db)
+    end
+
+    it "should log logout time on logout" do
+      login_user
+      now = Time.now.utc
+      logout_user
+      User.first.last_logout_at.should_not be_nil
+      User.first.last_logout_at.to_s(:db).should >= now.to_s(:db)
+      User.first.last_logout_at.to_s(:db).should <= (now+2).to_s(:db)
+    end
+
+    it "should log last activity time when logged in" do
+      login_user
+      now = Time.now.utc
+      get :some_action
+      User.first.last_activity_at.to_s(:db).should >= now.to_s(:db)
+      User.first.last_activity_at.to_s(:db).should <= (now+2).to_s(:db)
+    end
+
+    it "'logged_in_users' should hold the user object when 1 user is logged in" do
+      login_user
+      get :some_action
+      subject.logged_in_users.size.should == 1
+      subject.logged_in_users[0].should == @user
+    end
+
+    it "'logged_in_users' should show all logged_in_users, whether they have logged out before or not." do
+      user1 = create_new_user({:username => 'gizmo1', :email => "bla1@bla.com", :password => 'secret1'})
+      login_user(user1)
+      get :some_action
+      clear_user_without_logout
+      user2 = create_new_user({:username => 'gizmo2', :email => "bla2@bla.com", :password => 'secret2'})
+      login_user(user2)
+      get :some_action
+      clear_user_without_logout
+      user3 = create_new_user({:username => 'gizmo3', :email => "bla3@bla.com", :password => 'secret3'})
+      login_user(user3)
+      get :some_action
+      subject.logged_in_users.size.should == 3
+      subject.logged_in_users[0].should == user1
+      subject.logged_in_users[1].should == user2
+      subject.logged_in_users[2].should == user3
+    end
+  end
+end