sorcery 0.11.0 → 0.12.0

data/.travis.yml

@@ -1,11 +1,10 @@
 language: ruby
 rvm:
   - jruby
-  - 2.0.0
-  - 2.1.10
-  - 2.2.6
-  - 2.3.3
-  - 2.4.0
+  - 2.2.9
+  - 2.3.6
+  - 2.4.3
+  - 2.5.0
 
 env:
   global:
@@ -29,29 +28,21 @@ matrix:
     - rvm: jruby
 
   exclude:
-    - rvm: 2.0.0
-      gemfile: gemfiles/active_record-rails42.gemfile
-
-    - rvm: 2.0.0
-      gemfile: Gemfile
-
-    - rvm: 2.1.10
-      gemfile: Gemfile
-
-    - rvm: 2.2.6
+    - rvm: 2.2.9
       gemfile: gemfiles/active_record-rails40.gemfile
-
-    - rvm: 2.3.3
+    - rvm: 2.3.6
       gemfile: gemfiles/active_record-rails40.gemfile
-
-    - rvm: 2.4.0
+    - rvm: 2.4.3
       gemfile: gemfiles/active_record-rails40.gemfile
-
-    - rvm: 2.4.0
+    - rvm: 2.4.3
       gemfile: gemfiles/active_record-rails41.gemfile
-
-    - rvm: 2.4.0
+    - rvm: 2.4.3
+      gemfile: gemfiles/active_record-rails42.gemfile
+    - rvm: 2.5.0
+      gemfile: gemfiles/active_record-rails40.gemfile
+    - rvm: 2.5.0
+      gemfile: gemfiles/active_record-rails41.gemfile
+    - rvm: 2.5.0
       gemfile: gemfiles/active_record-rails42.gemfile
-
     - rvm: jruby
       gemfile: Gemfile

data/CHANGELOG.md

@@ -1,11 +1,30 @@
 # Changelog
 ## HEAD
 
+## 0.12.0
+
+* Fix magic_login not inheriting from migration_class_name [#99](https://github.com/Sorcery/sorcery/pull/99)
+* Update YARD dependency [#100](https://github.com/Sorcery/sorcery/pull/100)
+* Make `#update_attributes` behave like `#update` [#98](https://github.com/Sorcery/sorcery/pull/98)
+* Add tests to the magic login submodule [#95](https://github.com/Sorcery/sorcery/pull/95)
+* Set user.stretches to 1 in test env by default [#81](https://github.com/Sorcery/sorcery/pull/81)
+* Allow user to be loaded from other source when session expires. fix #89 [#94](https://github.com/Sorcery/sorcery/pull/94)
+* Added a new ArgumentError for not defined user_class in config [#82](https://github.com/Sorcery/sorcery/pull/82)
+* Updated Required Ruby version to 2.2 [#85](https://github.com/Sorcery/sorcery/pull/85)
+* Add configuration for token randomness [#67](https://github.com/Sorcery/sorcery/pull/67)
+* Add facebook user_info_path option to initializer.rb [#63](https://github.com/Sorcery/sorcery/pull/63)
+* Add new function: `build_from` (allows building a user instance from OAuth without saving) [#54](https://github.com/Sorcery/sorcery/pull/54)
+* Add rubocop configuration and TODO list [#107](https://github.com/Sorcery/sorcery/pull/107)
+* Add support for VK OAuth (thanks to @Hirurg103) [#109](https://github.com/Sorcery/sorcery/pull/109)
+* Fix token leak via referrer header [#56](https://github.com/Sorcery/sorcery/pull/56)
+* Add `login_user` helper for request specs [#57](https://github.com/Sorcery/sorcery/pull/57)
+
 ## 0.11.0
 
 * Refer to User before calling remove_const to avoid NameError [#58](https://github.com/Sorcery/sorcery/pull/58)
 * Resurrect block authentication, showing auth failure reason. [#41](https://github.com/Sorcery/sorcery/pull/41)
 * Add github scope option to initializer.rb [#50](https://github.com/Sorcery/sorcery/pull/50)
+* Fix Facebook being broken due to API deprecation [#53](https://github.com/Sorcery/sorcery/pull/53)
 
 ## 0.10.3
 

data/Gemfile

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '~> 5.0.0'
+gem 'rails', '~> 5.1.0'
 gem 'rails-controller-testing'
 gem 'sqlite3'
 gem 'pry'

data/README.md

@@ -22,6 +22,18 @@ Sorcery is a stripped-down, bare-bones authentication library, with which you ca
 - Configuration over Confusion - Centralized (1 file), Simple & short configuration as possible, not drowning in syntactic sugar.
 - Keep MVC cleanly separated - DB is for models, sessions are for controllers. Models stay unaware of sessions.
 
+## Table of Contents
+
+1. [Useful Links](#useful-links)
+2. [API Summary](#api-summary)
+3. [Installation](#installation)
+4. [Configuration](#configuration)
+5. [Full Features List by Module](#full-features-list-by-module)
+6. [Planned Features](#planned-features)
+7. [Contributing](#contributing)
+8. [Contact](#contact)
+9. [License](#license)
+
 ## Useful Links
 
 - [Documentation](http://rubydoc.info/gems/sorcery)
@@ -70,6 +82,7 @@ require_login_from_http_basic # This is a before action
 login_at(provider) # Sends the user to an external service (Facebook, Twitter, etc.) to authenticate
 login_from(provider) # Tries to login from the external provider's callback
 create_from(provider) # Create the user in the local app database
+build_from(provider) # Build user instance using user_info_mappings
 ```
 
 ### Remember Me
@@ -209,16 +222,23 @@ Have an idea? Let us know, and it might get into the gem!
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/Sorcery/sorcery.
 
-If you feel sorcery has made your life easier, and you would like to express
-your thanks via a donation, my PayPal email is in the contact details.
+- [Git Workflow](https://github.com/Sorcery/sorcery/wiki/Git-Workflow)
+- [Running the specs](https://github.com/Sorcery/sorcery/wiki/Running-the-specs)
 
 ## Contact
 
 Feel free to ask questions using these contact details:
 
-- Noam Ben-Ari: [nbenari@gmail.com](mailto:nbenari@gmail.com) (also PayPal), [Twitter](https://twitter.com/nbenari)
-- Kir Shatrov: [shatrov@me.com](mailto:shatrov@me.com), [Twitter](https://twitter.com/Kiiiir)
-- Grzegorz Witek: [arnvald.to@gmail.com](mailto:arnvald.to@gmail.com), [Twitter](https://twitter.com/arnvald)
+**Current Maintainers:**
+
+- Chase Gilliam ([@Ch4s3](https://github.com/Ch4s3)) | [Email](mailto:chase.gilliam@gmail.com)
+- Josh Buker ([@athix](https://github.com/athix)) | [Email](mailto:jbuker@aeonsplice.com)
+
+**Past Maintainers:**
+
+- Noam Ben-Ari ([@NoamB](https://github.com/NoamB)) | [Email](mailto:nbenari@gmail.com) | [Twitter](https://twitter.com/nbenari)
+- Kir Shatrov ([@kirs](https://github.com/kirs)) | [Email](mailto:shatrov@me.com) | [Twitter](https://twitter.com/Kiiiir)
+- Grzegorz Witek ([@arnvald](https://github.com/arnvald)) | [Email](mailto:arnvald.to@gmail.com) | [Twitter](https://twitter.com/arnvald)
 
 ## License
 

data/lib/generators/sorcery/templates/initializer.rb

@@ -29,6 +29,12 @@ Rails.application.config.sorcery.configure do |config|
   #
   # config.remember_me_httponly =
 
+  # Set token randomness. (e.g. user activation tokens)
+  # The length of the result string is about 4/3 of `token_randomness`.
+  # Default: `15`
+  #
+  # config.token_randomness =
+
   # -- session timeout --
   # How long in seconds to keep the session alive.
   # Default: `3600`
@@ -106,7 +112,8 @@ Rails.application.config.sorcery.configure do |config|
   # config.facebook.key = ""
   # config.facebook.secret = ""
   # config.facebook.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=facebook"
-  # config.facebook.user_info_mapping = {:email => "name"}
+  # config.facebook.user_info_path = "me?fields=email"
+  # config.facebook.user_info_mapping = {:email => "email"}
   # config.facebook.access_permissions = ["email", "publish_actions"]
   # config.facebook.display = "page"
   # config.facebook.api_version = "v2.3"
@@ -147,6 +154,7 @@ Rails.application.config.sorcery.configure do |config|
   # config.vk.secret = ""
   # config.vk.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=vk"
   # config.vk.user_info_mapping = {:login => "domain", :name => "full_name"}
+  # config.vk.api_version = "5.71"
   #
   # config.slack.callback_url = "http://0.0.0.0:3000/oauth/callback?provider=slack"
   # config.slack.key = ''
@@ -225,9 +233,9 @@ Rails.application.config.sorcery.configure do |config|
     # user.salt_attribute_name =
 
     # how many times to apply encryption to the password.
-    # Default: `nil`
+    # Default: 1 in test env, `nil` otherwise
     #
-    # user.stretches =
+    user.stretches = 1 if Rails.env.test?
 
     # encryption key used to encrypt reversible encryptions such as AES256.
     # WARNING: If used for users' passwords, changing this key will leave passwords undecryptable!
@@ -358,6 +366,61 @@ Rails.application.config.sorcery.configure do |config|
     # Default: `5 * 60`
     #
     # user.reset_password_time_between_emails =
+    
+    # access counter to a reset password page attribute name
+    # Default: `:access_count_to_reset_password_page`
+    #
+    # user.reset_password_page_access_count_attribute_name =
+
+    # -- magic_login --
+    # magic login code attribute name.
+    # Default: `:magic_login_token`
+    #
+    # user.magic_login_token_attribute_name =
+
+
+    # expires at attribute name.
+    # Default: `:magic_login_token_expires_at`
+    #
+    # user.magic_login_token_expires_at_attribute_name =
+
+
+    # when was email sent, used for hammering protection.
+    # Default: `:magic_login_email_sent_at`
+    #
+    # user.magic_login_email_sent_at_attribute_name =
+
+
+    # mailer class. Needed.
+    # Default: `nil`
+    #
+    # user.magic_login_mailer_class =
+
+
+    # magic login email method on your mailer class.
+    # Default: `:magic_login_email`
+    #
+    # user.magic_login_email_method_name =
+
+
+    # when true sorcery will not automatically
+    # email magic login details and allow you to
+    # manually handle how and when email is sent
+    # Default: `true`
+    #
+    # user.magic_login_mailer_disabled =
+
+
+    # how many seconds before the request expires. nil for never expires.
+    # Default: `nil`
+    #
+    # user.magic_login_expiration_period =
+
+
+    # hammering protection, how long in seconds to wait before allowing another email to be sent.
+    # Default: `5 * 60`
+    #
+    # user.magic_login_time_between_emails =
 
     # -- brute_force_protection --
     # Failed logins attribute name.

data/lib/generators/sorcery/templates/migration/magic_login.rb

@@ -0,0 +1,9 @@
+class SorceryMagicLogin < <%= migration_class_name %>
+  def change
+    add_column :<%= model_class_name.tableize %>, :magic_login_token, :string, :default => nil
+    add_column :<%= model_class_name.tableize %>, :magic_login_token_expires_at, :datetime, :default => nil
+    add_column :<%= model_class_name.tableize %>, :magic_login_email_sent_at, :datetime, :default => nil
+
+    add_index :<%= model_class_name.tableize %>, :magic_login_token
+  end
+end

data/lib/generators/sorcery/templates/migration/reset_password.rb

@@ -3,6 +3,7 @@ class SorceryResetPassword < <%= migration_class_name %>
     add_column :<%= model_class_name.tableize %>, :reset_password_token, :string, :default => nil
     add_column :<%= model_class_name.tableize %>, :reset_password_token_expires_at, :datetime, :default => nil
     add_column :<%= model_class_name.tableize %>, :reset_password_email_sent_at, :datetime, :default => nil
+    add_column :<%= model_class_name.tableize %>, :access_count_to_reset_password_page, :integer, :default => 0
 
     add_index :<%= model_class_name.tableize %>, :reset_password_token
   end

data/lib/sorcery.rb

@@ -18,6 +18,7 @@ module Sorcery
       require 'sorcery/model/submodules/activity_logging'
       require 'sorcery/model/submodules/brute_force_protection'
       require 'sorcery/model/submodules/external'
+      require 'sorcery/model/submodules/magic_login'
     end
   end
 
@@ -56,6 +57,7 @@ module Sorcery
     module Rails
       require 'sorcery/test_helpers/rails/controller'
       require 'sorcery/test_helpers/rails/integration'
+      require 'sorcery/test_helpers/rails/request'
     end
 
     module Internal

data/lib/sorcery/adapters/active_record_adapter.rb

@@ -6,7 +6,8 @@ module Sorcery
           @model.send(:"#{name}=", value)
         end
         primary_key = @model.class.primary_key
-        @model.class.where(:"#{primary_key}" => @model.send(:"#{primary_key}")).update_all(attrs)
+        updated_count = @model.class.where(:"#{primary_key}" => @model.send(:"#{primary_key}")).update_all(attrs)
+        updated_count == 1
       end
 
       def save(options = {})

data/lib/sorcery/controller.rb

@@ -155,6 +155,8 @@ module Sorcery
 
       def user_class
         @user_class ||= Config.user_class.to_s.constantize
+      rescue NameError
+        raise ArgumentError, 'You have incorrectly defined user_class or have forgotten to define it in intitializer file (config.user_class = \'User\').'
       end
     end
   end

data/lib/sorcery/controller/submodules/external.rb

@@ -187,6 +187,15 @@ module Sorcery
             @user = user_class.create_from_provider(provider_name, @user_hash[:uid], attrs, &block)
           end
 
+          # follows the same patterns as create_from, but builds the user instead of creating
+          def build_from(provider_name, &block)
+            sorcery_fetch_user_hash provider_name
+            config = user_class.sorcery_config
+
+            attrs = user_attrs(@provider.user_info_mapping, @user_hash)
+            @user = user_class.build_from_provider(attrs, &block)
+          end
+
           def user_attrs(user_info_mapping, user_hash)
             attrs = {}
             user_info_mapping.each do |k, v|

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -39,7 +39,7 @@ module Sorcery
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
             if session_to_use && sorcery_session_expired?(session_to_use.to_time)
               reset_sorcery_session
-              @current_user = nil
+              remove_instance_variable :@current_user if defined? @current_user
             else
               session[:last_action_time] = Time.now.in_time_zone
             end

data/lib/sorcery/model/config.rb

@@ -35,6 +35,8 @@ module Sorcery
       attr_accessor :email_delivery_method
       # an array of method names to call after configuration by user. used internally.
       attr_accessor :after_config
+      # Set token randomness
+      attr_accessor :token_randomness
 
       # change default encryption_provider.
       attr_reader :encryption_provider
@@ -61,7 +63,8 @@ module Sorcery
           :@subclasses_inherit_config            => false,
           :@before_authenticate                  => [],
           :@after_config                         => [],
-          :@email_delivery_method                => default_email_delivery_method
+          :@email_delivery_method                => default_email_delivery_method,
+          :@token_randomness                     => 15
         }
         reset!
       end

data/lib/sorcery/model/submodules/external.rb

@@ -73,6 +73,21 @@ module Sorcery
             end
             user
           end
+
+          # NOTE: Should this build the authentication as well and return [user, auth]?
+          # Currently, users call this function for the user and call add_provider_to_user after saving
+          def build_from_provider(attrs)
+            user = new
+            attrs.each do |k, v|
+              user.send(:"#{k}=", v)
+            end
+
+            if block_given?
+              return false unless yield user
+            end
+
+            user
+          end
         end
 
         module InstanceMethods

data/lib/sorcery/model/submodules/magic_login.rb

@@ -0,0 +1,134 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This submodule adds the ability to login via email without password.
+      # When the user requests an email is sent to him with a url.
+      # The url includes a token, which is also saved with the user's record in the db.
+      # The token has configurable expiration.
+      # When the user clicks the url in the email, providing the token has not yet expired,
+      # he will be able to login.
+      #
+      # When using this submodule, supplying a mailer is mandatory.
+      module MagicLogin
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :magic_login_token_attribute_name, # magic login code attribute name.
+                          :magic_login_token_expires_at_attribute_name, # expires at attribute name.
+                          :magic_login_email_sent_at_attribute_name, # when was email sent, used for hammering
+                          # protection.
+            
+                          :magic_login_mailer_class, # mailer class. Needed.
+            
+                          :magic_login_mailer_disabled, # when true sorcery will not automatically
+                          # email magic login details and allow you to
+                          # manually handle how and when email is sent
+            
+                          :magic_login_email_method_name, # magic login email method on your
+                          # mailer class.
+            
+                          :magic_login_expiration_period, # how many seconds before the request
+                          # expires. nil for never expires.
+            
+                          :magic_login_time_between_emails # hammering protection, how long to wait
+            # before allowing another email to be sent.
+          
+          end
+          
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@magic_login_token_attribute_name => :magic_login_token,
+                             :@magic_login_token_expires_at_attribute_name => :magic_login_token_expires_at,
+                             :@magic_login_email_sent_at_attribute_name => :magic_login_email_sent_at,
+                             :@magic_login_mailer_class => nil,
+                             :@magic_login_mailer_disabled => true,
+                             :@magic_login_email_method_name => :magic_login_email,
+                             :@magic_login_expiration_period => 15 * 60,
+                             :@magic_login_time_between_emails => 5 * 60)
+            
+            reset!
+          end
+          
+          base.extend(ClassMethods)
+          
+          base.sorcery_config.after_config << :validate_mailer_defined
+          base.sorcery_config.after_config << :define_magic_login_fields
+          
+          base.send(:include, InstanceMethods)
+        
+        end
+        
+        module ClassMethods
+          # Find user by token, also checks for expiration.
+          # Returns the user if token found and is valid.
+          def load_from_magic_login_token(token)
+            token_attr_name = @sorcery_config.magic_login_token_attribute_name
+            token_expiration_date_attr = @sorcery_config.magic_login_token_expires_at_attribute_name
+            load_from_token(token, token_attr_name, token_expiration_date_attr)
+          end
+          
+          protected
+          
+          # This submodule requires the developer to define his own mailer class to be used by it
+          # when magic_login_mailer_disabled is false
+          def validate_mailer_defined
+            msg = "To use magic_login submodule, you must define a mailer (config.magic_login_mailer_class = YourMailerClass)."
+            raise ArgumentError, msg if @sorcery_config.magic_login_mailer_class.nil? and @sorcery_config.magic_login_mailer_disabled == false
+          end
+          
+          def define_magic_login_fields
+            sorcery_adapter.define_field sorcery_config.magic_login_token_attribute_name, String
+            sorcery_adapter.define_field sorcery_config.magic_login_token_expires_at_attribute_name, Time
+            sorcery_adapter.define_field sorcery_config.magic_login_email_sent_at_attribute_name, Time
+          end
+        
+        end
+        
+        module InstanceMethods
+          # generates a reset code with expiration
+          def generate_magic_login_token!
+            config = sorcery_config
+            attributes = {config.magic_login_token_attribute_name => TemporaryToken.generate_random_token,
+                          config.magic_login_email_sent_at_attribute_name => Time.now.in_time_zone}
+            attributes[config.magic_login_token_expires_at_attribute_name] = Time.now.in_time_zone + config.magic_login_expiration_period if config.magic_login_expiration_period
+            
+            self.sorcery_adapter.update_attributes(attributes)
+          end
+          
+          # generates a magic login code with expiration and sends an email to the user.
+          def deliver_magic_login_instructions!
+            mail = false
+            config = sorcery_config
+            # hammering protection
+            return false if !config.magic_login_time_between_emails.nil? &&
+                self.send(config.magic_login_email_sent_at_attribute_name) &&
+                self.send(config.magic_login_email_sent_at_attribute_name) > config.magic_login_time_between_emails.seconds.ago
+            
+            self.class.sorcery_adapter.transaction do
+              generate_magic_login_token!
+              unless config.magic_login_mailer_disabled
+                send_magic_login_email!
+                mail = true
+              end
+            end
+            mail
+          end
+          
+          # Clears the token.
+          def clear_magic_login_token!
+            config = sorcery_config
+            self.sorcery_adapter.update_attributes({
+                                                       config.magic_login_token_attribute_name => nil,
+                                                       config.magic_login_token_expires_at_attribute_name => nil
+                                                   })
+          end
+          
+          protected
+          
+          def send_magic_login_email!
+            generic_send_email(:magic_login_email_method_name, :magic_login_mailer_class)
+          end
+        end
+      
+      end
+    end
+  end
+end