sorcery 0.12.0 → 0.13.0

data/lib/sorcery/controller/config.rb

@@ -18,6 +18,7 @@ module Sorcery
         attr_accessor :after_failed_login
         attr_accessor :before_logout
         attr_accessor :after_logout
+        attr_accessor :after_remember_me
 
         def init!
           @defaults = {
@@ -29,6 +30,7 @@ module Sorcery
             :@after_failed_login                   => [],
             :@before_logout                        => [],
             :@after_logout                         => [],
+            :@after_remember_me                    => [],
             :@save_return_to_url                   => true,
             :@cookie_domain                        => nil
           }

data/lib/sorcery/controller/submodules/activity_logging.rb

@@ -43,6 +43,7 @@ module Sorcery
           # This runs as a hook just after a successful login.
           def register_login_time_to_db(user, _credentials)
             return unless Config.register_login_time
+
             user.set_last_login_at(Time.now.in_time_zone)
           end
 
@@ -50,6 +51,7 @@ module Sorcery
           # This runs as a hook just before a logout.
           def register_logout_time_to_db
             return unless Config.register_logout_time
+
             current_user.set_last_logout_at(Time.now.in_time_zone)
           end
 
@@ -58,6 +60,7 @@ module Sorcery
           def register_last_activity_time_to_db
             return unless Config.register_last_activity_time
             return unless logged_in?
+
             current_user.set_last_activity_at(Time.now.in_time_zone)
           end
 
@@ -65,6 +68,7 @@ module Sorcery
           # This runs as a hook just after a successful login.
           def register_last_ip_address(_user, _credentials)
             return unless Config.register_last_ip_address
+
             current_user.set_last_ip_address(request.remote_ip)
           end
         end

data/lib/sorcery/controller/submodules/external.rb

@@ -23,6 +23,8 @@ module Sorcery
           require 'sorcery/providers/slack'
           require 'sorcery/providers/wechat'
           require 'sorcery/providers/microsoft'
+          require 'sorcery/providers/instagram'
+          require 'sorcery/providers/auth0'
 
           Config.module_eval do
             class << self
@@ -33,17 +35,17 @@ module Sorcery
                 @external_providers = providers
 
                 providers.each do |name|
-                  class_eval <<-E
+                  class_eval <<-RUBY, __FILE__, __LINE__ + 1
                     def self.#{name}
                       @#{name} ||= Sorcery::Providers.const_get('#{name}'.to_s.capitalize).new
                     end
-                  E
+                  RUBY
                 end
               end
 
               def merge_external_defaults!
                 @defaults.merge!(:@external_providers => [],
-                                 :@ca_file => File.join(File.expand_path(File.dirname(__FILE__)), '../../protocols/certs/ca-bundle.crt'))
+                                 :@ca_file => File.join(__dir__, '../../protocols/certs/ca-bundle.crt'))
               end
             end
             merge_external_defaults!
@@ -56,6 +58,7 @@ module Sorcery
           # save the singleton ProviderClient instance into @provider
           def sorcery_get_provider(provider_name)
             return unless Config.external_providers.include?(provider_name.to_sym)
+
             Config.send(provider_name.to_sym)
           end
 
@@ -64,12 +67,11 @@ module Sorcery
           def sorcery_login_url(provider_name, args = {})
             @provider = sorcery_get_provider provider_name
             sorcery_fixup_callback_url @provider
-            if @provider.respond_to?(:login_url) && @provider.has_callback?
-              @provider.state = args[:state]
-              return @provider.login_url(params, session)
-            else
-              return nil
-            end
+
+            return nil unless @provider.respond_to?(:login_url) && @provider.has_callback?
+
+            @provider.state = args[:state]
+            @provider.login_url(params, session)
           end
 
           # get the user hash from a provider using information from the params and session.
@@ -88,6 +90,7 @@ module Sorcery
             # cache them in instance variables.
             @access_token ||= @provider.process_callback(params, session) # sends request to oauth agent to get the token
             @user_hash ||= @provider.get_user_hash(@access_token) # uses the token to send another request to the oauth agent requesting user info
+            nil
           end
 
           # for backwards compatibility
@@ -98,14 +101,15 @@ module Sorcery
           # this method should be somewhere else.  It only does something once per application per provider.
           def sorcery_fixup_callback_url(provider)
             provider.original_callback_url ||= provider.callback_url
-            if provider.original_callback_url.present? && provider.original_callback_url[0] == '/'
-              uri = URI.parse(request.url.gsub(/\?.*$/, ''))
-              uri.path = ''
-              uri.query = nil
-              uri.scheme = 'https' if request.env['HTTP_X_FORWARDED_PROTO'] == 'https'
-              host = uri.to_s
-              provider.callback_url = "#{host}#{@provider.original_callback_url}"
-            end
+
+            return unless provider.original_callback_url.present? && provider.original_callback_url[0] == '/'
+
+            uri = URI.parse(request.url.gsub(/\?.*$/, ''))
+            uri.path = ''
+            uri.query = nil
+            uri.scheme = 'https' if request.env['HTTP_X_FORWARDED_PROTO'] == 'https'
+            host = uri.to_s
+            provider.callback_url = "#{host}#{@provider.original_callback_url}"
           end
 
           # sends user to authenticate at the provider's website.
@@ -118,26 +122,26 @@ module Sorcery
           def login_from(provider_name, should_remember = false)
             sorcery_fetch_user_hash provider_name
 
-            if user = user_class.load_from_provider(provider_name, @user_hash[:uid].to_s)
-              # we found the user.
-              # clear the session
-              return_to_url = session[:return_to_url]
-              reset_sorcery_session
-              session[:return_to_url] = return_to_url
+            return unless (user = user_class.load_from_provider(provider_name, @user_hash[:uid].to_s))
 
-              # sign in the user
-              auto_login(user, should_remember)
-              after_login!(user)
+            # we found the user.
+            # clear the session
+            return_to_url = session[:return_to_url]
+            reset_sorcery_session
+            session[:return_to_url] = return_to_url
 
-              # return the user
-              user
-            end
+            # sign in the user
+            auto_login(user, should_remember)
+            after_login!(user)
+
+            # return the user
+            user
           end
 
           # If user is logged, he can add all available providers into his account
           def add_provider_to_user(provider_name)
             sorcery_fetch_user_hash provider_name
-            config = user_class.sorcery_config
+            # config = user_class.sorcery_config # TODO: Unused, remove?
 
             current_user.add_provider_to_user(provider_name.to_s, @user_hash[:uid].to_s)
           end
@@ -181,7 +185,7 @@ module Sorcery
           #
           def create_from(provider_name, &block)
             sorcery_fetch_user_hash provider_name
-            config = user_class.sorcery_config
+            # config = user_class.sorcery_config # TODO: Unused, remove?
 
             attrs = user_attrs(@provider.user_info_mapping, @user_hash)
             @user = user_class.create_from_provider(provider_name, @user_hash[:uid], attrs, &block)
@@ -190,7 +194,7 @@ module Sorcery
           # follows the same patterns as create_from, but builds the user instead of creating
           def build_from(provider_name, &block)
             sorcery_fetch_user_hash provider_name
-            config = user_class.sorcery_config
+            # config = user_class.sorcery_config # TODO: Unused, remove?
 
             attrs = user_attrs(@provider.user_info_mapping, @user_hash)
             @user = user_class.build_from_provider(attrs, &block)
@@ -202,7 +206,7 @@ module Sorcery
               if (varr = v.split('/')).size > 1
                 attribute_value = begin
                                     varr.inject(user_hash[:user_info]) { |hash, value| hash[value] }
-                                  rescue
+                                  rescue StandardError
                                     nil
                                   end
                 attribute_value.nil? ? attrs : attrs.merge!(k => attribute_value)

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -57,6 +57,7 @@ module Sorcery
               while current_controller != ActionController::Base
                 result = Config.controller_to_realm_map[current_controller.controller_name]
                 return result if result
+
                 current_controller = current_controller.superclass
               end
               nil

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -18,7 +18,6 @@ module Sorcery
             merge_remember_me_defaults!
           end
           Config.login_sources << :login_from_cookie
-          Config.after_login << :remember_me_if_asked_to
           Config.before_logout << :forget_me!
         end
 
@@ -51,12 +50,6 @@ module Sorcery
 
           protected
 
-          # calls remember_me! if a third credential was passed to the login method.
-          # Runs as a hook after login.
-          def remember_me_if_asked_to(_user, credentials)
-            remember_me! if credentials.size == 3 && credentials[2] && credentials[2] != '0'
-          end
-
           # Checks the cookie for a remember me token, tried to find a user with that token
           # and logs the user in if found.
           # Runs as a login source. See 'current_user' method for how it is used.
@@ -65,6 +58,7 @@ module Sorcery
             if user && user.has_remember_me_token?
               set_remember_me_cookie!(user)
               session[:user_id] = user.id.to_s
+              after_remember_me!(user)
               @current_user = user
             else
               @current_user = false

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -12,24 +12,36 @@ module Sorcery
               attr_accessor :session_timeout
               # use the last action as the beginning of session timeout.
               attr_accessor :session_timeout_from_last_action
+              # allow users to invalidate active sessions
+              attr_accessor :session_timeout_invalidate_active_sessions_enabled
 
               def merge_session_timeout_defaults!
-                @defaults.merge!(:@session_timeout                      => 3600, # 1.hour
-                                 :@session_timeout_from_last_action     => false)
+                @defaults.merge!(:@session_timeout                                    => 3600, # 1.hour
+                                 :@session_timeout_from_last_action                   => false,
+                                 :@session_timeout_invalidate_active_sessions_enabled => false)
               end
             end
             merge_session_timeout_defaults!
           end
           Config.after_login << :register_login_time
+          Config.after_remember_me << :register_login_time
           base.prepend_before_action :validate_session
         end
 
         module InstanceMethods
+          def invalidate_active_sessions!
+            return unless Config.session_timeout_invalidate_active_sessions_enabled
+            return unless current_user.present?
+
+            current_user.send(:invalidate_sessions_before=, Time.now.in_time_zone)
+            current_user.save
+          end
+
           protected
 
           # Registers last login to be used as the timeout starting point.
           # Runs as a hook after a successful login.
-          def register_login_time(_user, _credentials)
+          def register_login_time(_user, _credentials = nil)
             session[:login_time] = session[:last_action_time] = Time.now.in_time_zone
           end
 
@@ -37,7 +49,7 @@ module Sorcery
           # To be used as a before_action, before require_login
           def validate_session
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
-            if session_to_use && sorcery_session_expired?(session_to_use.to_time)
+            if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
               reset_sorcery_session
               remove_instance_variable :@current_user if defined? @current_user
             else
@@ -48,6 +60,15 @@ module Sorcery
           def sorcery_session_expired?(time)
             Time.now.in_time_zone - time > Config.session_timeout
           end
+
+          # Use login time if present, otherwise use last action time.
+          def sorcery_session_invalidated?
+            return false unless Config.session_timeout_invalidate_active_sessions_enabled
+            return false unless current_user.present? && current_user.try(:invalidate_sessions_before).present?
+
+            time = session[:login_time] || session[:last_action_time] || Time.now.in_time_zone
+            time < current_user.invalidate_sessions_before
+          end
         end
       end
     end

data/lib/sorcery/crypto_providers/aes256.rb

@@ -43,6 +43,7 @@ module Sorcery
 
         def aes
           raise ArgumentError, "#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it." if @key.nil? || @key == ''
+
           @aes ||= OpenSSL::Cipher.new('AES-256-ECB')
         end
       end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -60,6 +60,7 @@ module Sorcery
         def matches?(hash, *tokens)
           hash = new_from_hash(hash)
           return false if hash.nil? || hash == {}
+
           hash == join_tokens(tokens)
         end
 
@@ -87,7 +88,7 @@ module Sorcery
         def new_from_hash(hash)
           ::BCrypt::Password.new(hash)
         rescue ::BCrypt::Errors::InvalidHash
-          return nil
+          nil
         end
       end
     end

data/lib/sorcery/engine.rb

@@ -8,9 +8,16 @@ module Sorcery
     config.sorcery = ::Sorcery::Controller::Config
 
     initializer 'extend Controller with sorcery' do
-      ActionController::Base.send(:include, Sorcery::Controller)
-      ActionController::Base.helper_method :current_user
-      ActionController::Base.helper_method :logged_in?
+      # TODO: Should this include a modified version of the helper methods?
+      if defined?(ActionController::API)
+        ActionController::API.send(:include, Sorcery::Controller)
+      end
+
+      if defined?(ActionController::Base)
+        ActionController::Base.send(:include, Sorcery::Controller)
+        ActionController::Base.helper_method :current_user
+        ActionController::Base.helper_method :logged_in?
+      end
     end
   end
 end

data/lib/sorcery/model.rb

@@ -47,12 +47,15 @@ module Sorcery
       class_eval do
         @sorcery_config.submodules = ::Sorcery::Controller::Config.submodules
         @sorcery_config.submodules.each do |mod|
+          # TODO: Is there a cleaner way to handle missing submodules?
+          # rubocop:disable Lint/HandleExceptions
           begin
             include Submodules.const_get(mod.to_s.split('_').map(&:capitalize).join)
           rescue NameError
             # don't stop on a missing submodule. Needed because some submodules are only defined
             # in the controller side.
           end
+          # rubocop:enable Lint/HandleExceptions
         end
       end
     end
@@ -192,9 +195,9 @@ module Sorcery
         config = sorcery_config
         send(:"#{config.password_attribute_name}=", nil)
 
-        if respond_to?(:"#{config.password_attribute_name}_confirmation=")
-          send(:"#{config.password_attribute_name}_confirmation=", nil)
-        end
+        return unless respond_to?(:"#{config.password_attribute_name}_confirmation=")
+
+        send(:"#{config.password_attribute_name}_confirmation=", nil)
       end
 
       # calls the requested email method on the configured mailer
@@ -202,9 +205,9 @@ module Sorcery
       def generic_send_email(method, mailer)
         config = sorcery_config
         mail = config.send(mailer).send(config.send(method), self)
-        if defined?(ActionMailer) && config.send(mailer).is_a?(Class) && config.send(mailer) < ActionMailer::Base
-          mail.send(config.email_delivery_method)
-        end
+        return unless defined?(ActionMailer) && config.send(mailer).is_a?(Class) && config.send(mailer) < ActionMailer::Base
+
+        mail.send(config.email_delivery_method)
       end
     end
   end

data/lib/sorcery/model/config.rb

@@ -4,8 +4,6 @@
 module Sorcery
   module Model
     class Config
-      # change default username attribute, for example, to use :email as the login.
-      attr_accessor :username_attribute_names
       # change *virtual* password attribute, the one which is used until an encrypted one is generated.
       attr_accessor :password_attribute_name
       # change default email attribute.
@@ -38,6 +36,8 @@ module Sorcery
       # Set token randomness
       attr_accessor :token_randomness
 
+      # change default username attribute, for example, to use :email as the login. See 'username_attribute_names=' below.
+      attr_reader :username_attribute_names
       # change default encryption_provider.
       attr_reader :encryption_provider
       # use an external encryption class.
@@ -96,7 +96,7 @@ module Sorcery
                                when :bcrypt then CryptoProviders::BCrypt
                                when :custom then @custom_encryption_provider
                                else raise ArgumentError, "Encryption algorithm supplied, #{algo}, is invalid"
-        end
+                               end
       end
 
       private

data/lib/sorcery/model/submodules/brute_force_protection.rb

@@ -14,7 +14,6 @@ module Sorcery
                           :consecutive_login_retries_amount_limit,    # how many failed logins allowed.
                           :login_lock_time_period,                    # how long the user should be banned.
                           # in seconds. 0 for permanent.
-
                           :unlock_token_attribute_name,               # Unlock token attribute name
                           :unlock_token_email_method_name,            # Mailer method name
                           :unlock_token_mailer_disabled,              # When true, dont send unlock token via email
@@ -70,9 +69,9 @@ module Sorcery
 
             sorcery_adapter.increment(config.failed_logins_count_attribute_name)
 
-            if send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
-              login_lock!
-            end
+            return unless send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
+
+            login_lock!
           end
 
           # /!\
@@ -98,9 +97,9 @@ module Sorcery
                            config.unlock_token_attribute_name => TemporaryToken.generate_random_token }
             sorcery_adapter.update_attributes(attributes)
 
-            unless config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
-              send_unlock_token_email!
-            end
+            return if config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
+
+            send_unlock_token_email!
           end
 
           def login_unlocked?