RubyGems - sorcery - Versions diffs - 0.8.4 → 0.8.5 - Mend

sorcery 0.8.4 → 0.8.5

Potentially problematic release.

This version of sorcery might be problematic. Click here for more details.

Files changed (281) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 852f11fb25475891c41e9aaf09efdb40850ebdb3
-  data.tar.gz: 98c1c278ba5d6f411fff896e207d502e7a8564c5
+  metadata.gz: ece0272de9fa2ea03bbc1be9b2f9aa3b80e0f870
+  data.tar.gz: 5369015b55c79aab6aeeeae13328624a8e20b7c8
 SHA512:
-  metadata.gz: f7a9a26c4842f54afe756640f1f11aa4a5e642726f7f737aee979c6a7d28145a0fe5c5f34a270679b4dda0f81da5c4ef80e9f73a7e809f2f213e499490c61e45
-  data.tar.gz: b5a0a55191a6e7fdbdd343b5be124bc80aece5f9ce127ee8e42530894dc77d6efe83e81f511ef1ec17568d91523a901acf0d11dc912dd3e4796aede75964c957
+  metadata.gz: 1a45a1696ebbcf7e4e8e248918389a38ea4555c263f12e290b1fdfd92c4e413d9713c29bbe98aa909ab9cb8642ff3e872a15405e6db9398afdf4f940521f68d5
+  data.tar.gz: aed312b559bbdecd335535df0814989b906d4768fe56382ae18a029f534fb0d9904e8540913e2c6dccc51de9d5e8d2096212a3dbf7f6b787df647987aa72076a

data/.gitignore ADDED

@@ -0,0 +1,54 @@
+# rcov generated
+coverage
+# rdoc generated
+rdoc
+# yard generated
+doc
+.yardoc
+# bundler
+.bundle
+# jeweler generated
+pkg
+# for RVM
+.rvmrc
+# for RubyMine
+.idea
+# Have editor/IDE/OS specific files you need to ignore? Consider using a global gitignore:
+#
+# * Create a file at ~/.gitignore
+# * Include files you want ignored
+# * Run: git config --global core.excludesfile ~/.gitignore
+#
+# After doing this, these files will be ignored in all your git projects,
+# saving you from having to 'pollute' every project you touch with them
+#
+# Not sure what to needs to be ignored for particular editors/OSes? Here's some ideas to get you started. (Remember, remove the leading # of the line)
+#
+# For MacOS:
+#
+#.DS_Store
+#
+# For TextMate
+#*.tmproj
+tmtags
+#
+# For emacs:
+#*~
+#\#*
+#.\#*
+#
+# For vim:
+#*.swp
+#
+spec/rails_app/log/*
+*.log
+*.sqlite3
+Gemfile*.lock
+.ruby-version

data/.travis.yml CHANGED

@@ -1,3 +1,15 @@
 language: ruby
 rvm:
-  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+services: mongodb
+gemfile:
+  - Gemfile
+  - Gemfile.rails4
+script:
+  - "SORCERY_ORM=active_record bundle exec rake spec SPEC=spec/active_record"
+  - "SORCERY_ORM=mongoid bundle exec rake spec SPEC=spec/mongoid"
+  - "SORCERY_ORM=mongo_mapper bundle exec rake spec SPEC=spec/mongo_mapper"

data/CHANGELOG.md ADDED

@@ -0,0 +1,234 @@
+# Changelog
+## 0.8.5 (not released)
+* Fixed add_provider_to_user with CamelCased authentications_class model (#382)
+* Fixed unlock_token_mailer_disabled to only disable automatic mailing (#467)
+* Make send_email_* methods easier to overwrite (#473)
+* Don't add `:username` field for User. Config option `username_attribute_names` is now `:email` by default instead of `:username`.
+  If you're using `username` as main field for users to login, you'll need to tune your Sorcery config:
+    ```ruby
+    config.user_config do |user|
+      # ...
+      user.username_attribute_names = [:username]
+    end
+    ```
+* `rails generate sorcery:install` now works inside Rails engine
+## 0.8.4
+  * Few security fixes in `external` module
+## 0.8.3 (yanked because of bad Jeweler release)
+## 0.8.2
+* Activity logging feature has a new column called `last_login_from_ip_address` (string type). If you use ActiveRecord, you will have to add this column to DB ([#465](https://github.com/NoamB/sorcery/issues/465))
+## 0.8.1
+<!-- TO BE WRITTEN -->
+## 0.8.0
+<!-- TO BE WRITTEN -->
+## 0.7.13
+<!-- TO BE WRITTEN -->
+## 0.7.12
+<!-- TO BE WRITTEN -->
+## 0.7.11
+<!-- TO BE WRITTEN -->
+## 0.7.10
+<!-- TO BE WRITTEN -->
+## 0.7.9
+<!-- TO BE WRITTEN -->
+## 0.7.8
+<!-- TO BE WRITTEN -->
+## 0.7.7
+<!-- TO BE WRITTEN -->
+## 0.7.6
+<!-- TO BE WRITTEN -->
+## 0.7.5
+<!-- TO BE WRITTEN -->
+## 0.7.1-0.7.4
+* Fixed a bug in the new generator
+* Many bugfixes
+* MongoMapper added to supported ORMs list, thanks @kbighorse
+* Sinatra support discontinued!
+* New generator contributed by @ahazem
+* Cookie domain setting contributed by @Highcode
+## 0.7.0
+* Many bugfixes
+* Added default SSL certificate for oauth2
+* Added multi-username ability
+* Security fixes (CSRF, cookie digesting)
+* Added auto_login(user) to the API
+* Updated gem versions of oauth(1/2)
+* Added logged_in? as a view helper
+* Github provider added to external submodule
+## 0.6.1
+Gemfile versions updated due to public demand.
+(bcrypt 3.0.0 and oauth2 0.4.1)
+## 0.6.0
+Fixes issues with external user_hash not including some fields, and an issue with User model not loaded when user_class is called. Now config.user_class should be a string or a symbol.
+Improved specs.
+## 0.5.3
+Fixed #9
+Fixed hardcoded method names in remember_me submodule.
+Improved specs.
+## 0.5.21
+Fixed typo in initializer - MUST be "config.user_class = User"
+## 0.5.2
+Fixed #3 and #4 - Modular Sinatra apps work now, and User model isn't cached in development mode.
+## 0.5.1
+Fixed bug in reset_password - after reset can't login due to bad salt creation. Affected only Mongoid.
+## 0.5.0
+Added support for Mongoid! (still buggy and not recommended for serious use)
+'reset_password!(:password => new_password)' changed into 'change_password!(new_password)'
+## 0.4.2
+Added test helpers for Rails 3 & Sinatra.
+## 0.4.1
+Fixing Rails app name in initializer.
+## 0.4.0
+Changed the way Sorcery is configured.
+Now inside the model only add:
+```
+authenticates_with_sorcery!
+```
+In the controller no code is needed! All configuration is done in an initializer.
+Added a rake task to create it.
+```
+rake sorcery:bootstrap
+```
+## 0.3.1
+Renamed "oauth" module to "external" and made API prettier.
+```
+auth_at_provider(provider) => login_at(provider)
+login_from_access_token(provider) => login_from(provider)
+create_from_provider!(provider) => create_from(provider)
+```
+## 0.3.0
+Added Sinatra support!
+Added Rails 3 generator for migrations
+## 0.2.1
+Fixed bug with OAuth submodule - oauth gems were not required properly in gem.
+Fixed bug with OAuth submodule - Authentications class was not passed between model and controller in all cases resulting in Nil exception.
+## 0.2.0
+Added OAuth submodule.
+### OAuth:
+* OAuth1 and OAuth2 support (currently twitter & facebook)
+* configurable db field names and authentications table.
+Some bug fixes: 'return_to' feature, brute force permanent ban.
+## 0.1.4
+Added activity logging submodule.
+### Activity Logging:
+* automatic logging of last login, last logout and last activity time.
+* an easy method of collecting the list of currently logged in users.
+* configurable timeout by which to decide whether to include a user in the list of logged in users.
+Fixed bug in basic_auth - it didn't set the session[:user_id] on successful login and tried to relogin from basic_auth on every action.
+Added Reset Password hammering protection and updated the API.
+Totally rewritten Brute Force Protection submodule.
+## 0.1.3
+Added support for Basic HTTP Auth.
+## 0.1.2
+Separated mailers between user_activation and password_reset and updated readme.
+## 0.1.1
+Fixed bug with BCrypt not being used properly by the lib and thus not working for authentication.
+## 0.1.0
+### Core Features:
+* login/logout, optional redirect on login to where the user tried to reach before, configurable redirect for non-logged-in users.
+* password encryption, algorithms: bcrypt(default), md5, sha1, sha256, sha512, aes256, custom(yours!), none. Configurable stretches and salt.
+* configurable attribute names for username, password and email.
+### User Activation:
+* User activation by email with optional success email.
+* configurable attribute names.
+* configurable mailer.
+* Optionally prevent active users to login.
+### Password Reset:
+* Reset password with email verification.
+* configurable mailer, method name, and attribute name.
+### Remember Me:
+* Remember me with configurable expiration.
+* configurable attribute names.
+## Session Timeout:
+* Configurable session timeout.
+* Optionally session timeout will be calculated from last user action.
+### Brute Force Protection:
+* Brute force login hammering protection.
+* configurable logins before ban, logins within time period before ban, ban time and ban action.

data/Gemfile CHANGED

@@ -8,20 +8,23 @@ gem 'bcrypt-ruby', "~> 3.0.0"
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
-group :development do
-  gem 'abstract', '>= 1.0.0'
-  gem "rails", ">= 3.0.0"
-  gem 'json', ">= 1.7.7"
-  gem "rspec", "~> 2.5.0"
-  gem 'rspec-rails', "~> 2.5.0"
-  #gem 'ruby-debug19'
-  gem 'sqlite3'
-  gem "yard", "~> 0.6.0"
-  gem "bundler", ">= 1.1.0"
-  gem "jeweler", "~> 1.8.3"
-  gem 'simplecov', '>= 0.3.8', :require => false # Will install simplecov-html as a dependency
-  gem 'timecop'
-  gem 'capybara'
+gem 'abstract', '>= 1.0.0'
+gem "rails", "~> 3.2.15"
+gem 'json', ">= 1.7.7"
+gem "rspec", "~> 2.14.0"
+gem 'rspec-rails', "~> 2.14.0"
+gem 'sqlite3'
+gem "yard", "~> 0.6.0"
+gem "bundler", ">= 1.1.0"
+gem 'simplecov', '>= 0.3.8', :require => false # Will install simplecov-html as a dependency
+gem 'timecop'
+group :mongomapper do
   gem 'mongo_mapper'
+end
+group :mongoid do
   gem 'mongoid', "~> 2.4.4"
+  gem 'bson_ext'
 end

data/Gemfile.rails4 ADDED

@@ -0,0 +1,24 @@
+source 'https://rubygems.org'
+gem 'oauth', "~> 0.4.4"
+gem 'oauth2', "~> 0.8.0"
+gem 'bcrypt-ruby', "~> 3.0.0"
+gem "rspec", "~> 2.14.0"
+gem 'rspec-rails', "~> 2.14.0"
+#gem 'ruby-debug19'
+gem 'sqlite3'
+gem "yard", "~> 0.6.0"
+gem "bundler", ">= 1.1.0"
+gem 'timecop'
+group :mongomapper do
+  gem 'mongo_mapper', github: 'jnunemaker/mongomapper'
+end
+group :mongoid do
+  gem 'mongoid', github: 'mongoid/mongoid', ref: 'f91feef0a0c6b83a1b878e154f1014536aa1c298'
+  gem 'bson_ext'
+end
+gem 'rails', '~> 4.0.1'

data/README.md ADDED

@@ -0,0 +1,300 @@
+[<img src="https://secure.travis-ci.org/NoamB/sorcery.png"
+/>](http://travis-ci.org/NoamB/sorcery) [<img
+src="https://codeclimate.com/github/NoamB/sorcery.png"
+/>](https://codeclimate.com/github/NoamB/sorcery)
+# sorcery
+Magical Authentication for Rails 3 and 4. Supports ActiveRecord, Mongoid and
+MongoMapper.
+Inspired by restful_authentication, Authlogic and Devise. Crypto code taken
+almost unchanged from Authlogic. OAuth code inspired by OmniAuth and Ryan
+Bates's railscasts about it.
+**Rails 4 status:** basicly it works without issues, except
+[the issue with protect_from_forgery](https://github.com/NoamB/sorcery/issues/464).
+We will release new version soon, which will be updated for Rails 4.
+https://github.com/NoamB/sorcery/wiki/Simple-Password-Authentication
+## Philosophy
+Sorcery is a stripped-down, bare-bones authentication library, with which you
+can write your own authentication flow. It was built with a few goals in mind:
+*   Less is more - less than 20 public methods to remember for the entire
+    feature-set make the lib easy to 'get'.
+*   No built-in or generated code - use the library's methods inside *your
+    own* MVC structures, and don't fight to fix someone else's.
+*   Magic yes, Voodoo no - the lib should be easy to hack for most developers.
+*   Configuration over Confusion - Centralized (1 file), Simple & short
+    configuration as possible, not drowning in syntactic sugar.
+*   Keep MVC cleanly separated - DB is for models, sessions are for
+    controllers. Models stay unaware of sessions.
+Hopefully, I've achieved this. If not, let me know.
+## Useful Links:
+Railscast: http://railscasts.com/episodes/283-authentication-with-sorcery
+Example Rails 3 app using sorcery:
+https://github.com/NoamB/sorcery-example-app
+Documentation: http://rubydoc.info/gems/sorcery
+Check out the tutorials in the github wiki!
+## API Summary
+Below is a summary of the library methods. Most method names are self
+explaining and the rest are commented:
+    # core
+    require_login # this is a before filter
+    login(email, password, remember_me = false)
+    auto_login(user)# login without credentials
+    logout
+    logged_in?      # available to view
+    current_user    # available to view
+    redirect_back_or_to # used when a user tries to access a page while logged out, is asked to login, and we want to return him back to the page he originally wanted.
+    @user.external? # external users, such as facebook/twitter etc.
+    User.authenticates_with_sorcery!
+    # activity logging
+    current_users
+    # http basic auth
+    require_login_from_http_basic # this is a before filter
+    # external
+    login_at(provider) # sends the user to an external service (twitter etc.) to authenticate.
+    login_from(provider) # tries to login from the external provider's callback.
+    create_from(provider) # create the user in the local app db.
+    # remember me
+    auto_login(user, should_remember=false)  # login without credentials, optional remember_me
+    remember_me!
+    forget_me!
+    # reset password
+    User.load_from_reset_password_token(token)
+    @user.deliver_reset_password_instructions!
+    @user.change_password!(new_password)
+    # user activation
+    User.load_from_activation_token(token)
+    @user.activate!
+Please see the tutorials in the github wiki for detailed usage information.
+## Installation:
+If using bundler, first add 'sorcery' to your Gemfile:
+    gem "sorcery"
+And run
+    bundle install
+Otherwise simply
+    gem install sorcery
+## Rails configuration:
+    rails generate sorcery:install
+This will generate the core migration file, the initializer file and the
+'User' model class.
+    rails generate sorcery:install remember_me reset_password
+This will generate the migrations files for remember_me and reset_password
+submodules and will create the initializer file (and add submodules to it),
+and create the 'User' model class.
+    rails generate sorcery:install --model Person
+This will generate the core migration file, the initializer and change the
+model class (in the initializer and migration files) to the class 'Person'
+(and its pluralized version, 'people')
+    rails generate sorcery:install http_basic_auth external remember_me --migrations
+This will generate only the migration files for the specified submodules and
+will add them to the initializer file.
+Inside the initializer, the comments will tell you what each setting does.
+## DelayedJob Integration
+By default emails are sent synchronously. You can send them asynchronously by
+using the [delayed_job gem](https://github.com/collectiveidea/delayed_job).
+After implementing the `delayed_job` into your project add the code below at
+the end of the `config/initializers/sorcery.rb` file. After that all emails
+will be sent asynchronously.
+    module Sorcery
+      module Model
+        module InstanceMethods
+          def generic_send_email(method, mailer)
+            config = sorcery_config
+            mail = config.send(mailer).delay.send(config.send(method), self)
+          end
+        end
+      end
+    end
+Sidekiq and Resque integrations are coming soon.
+## Single Table Inheritance (STI) Support
+STI is supported via a single setting in config/initializers/sorcery.rb.
+## Full Features List by module:
+Core (see lib/sorcery/model.rb and lib/sorcery/controller.rb):
+*   login/logout, optional return user to requested url on login, configurable
+    redirect for non-logged-in users.
+*   password encryption, algorithms: bcrypt(default), md5, sha1, sha256,
+    sha512, aes256, custom(yours!), none. Configurable stretches and salt.
+*   configurable attribute names for username, password and email.
+*   allow multiple fields to serve as username.
+User Activation (see lib/sorcery/model/submodules/user_activation.rb):
+*   User activation by email with optional success email.
+*   configurable attribute names.
+*   configurable mailer, method name, and attribute name.
+*   configurable temporary token expiration.
+*   Optionally prevent non-active users to login.
+Reset Password (see lib/sorcery/model/submodules/reset_password.rb):
+*   Reset password with email verification.
+*   configurable mailer, method name, and attribute name.
+*   configurable temporary token expiration.
+*   configurable time between emails (hammering protection).
+Remember Me (see lib/sorcery/model/submodules/remember_me.rb):
+*   Remember me with configurable expiration.
+*   configurable attribute names.
+Session Timeout (see lib/sorcery/controller/submodules/session_timeout.rb):
+*   Configurable session timeout.
+*   Optionally session timeout will be calculated from last user action.
+Brute Force Protection (see
+lib/sorcery/model/submodules/brute_force_protection.rb):
+*   Brute force login hammering protection.
+*   configurable logins before lock and lock duration.
+Basic HTTP Authentication (see
+lib/sorcery/controller/submodules/http_basic_auth.rb):
+*   A before filter for requesting authentication with HTTP Basic.
+*   automatic login from HTTP Basic.
+*   automatic login is disabled if session key changed.
+Activity Logging (see lib/sorcery/model/submodules/activity_logging.rb):
+*   automatic logging of last login, last logout, last activity time and IP
+    address for last login.
+*   an easy method of collecting the list of currently logged in users.
+*   configurable timeout by which to decide whether to include a user in the
+    list of logged in users.
+External (see lib/sorcery/controller/submodules/external.rb):
+*   OAuth1 and OAuth2 support (currently twitter & facebook)
+*   configurable db field names and authentications table.
+## Next Planned Features:
+I've got some thoughts which include (unordered):
+*   Passing a block to encrypt, allowing the developer to define his own mix
+    of salting and encrypting
+*   Forgot username, maybe as part of the reset_password module
+*   Scoping logins (to a subdomain or another arbitrary field)
+*   Allowing storing the salt and crypted password in the same DB field for
+    extra security
+*   Other reset password strategies (security questions?)
+*   Other brute force protection strategies (captcha)
+Have an idea? Let me know, and it might get into the gem!
+## Backward compatibility
+While the lib is young and evolving fast I'm breaking backward compatibility
+quite often. I'm constantly finding better ways to do things and throwing away
+old ways. To let you know when things are changing in a non-compatible way,
+I'm bumping the minor version of the gem. The patch version changes are
+backward compatible.
+In short, an app that works with x.3.1 should be able to upgrade to x.3.2 with
+no code changes. The same cannot be said about upgrading to x.4.0 and above,
+however.
+## Upgrading
+Important notes while upgrading:
+*   If are upgrading to **0.8.2** and use activity_logging feature with
+    ActiveRecord, you will have to add a new column
+    `last_login_from_ip_address`
+    [#465](https://github.com/NoamB/sorcery/issues/465)
+*   Sinatra support existed until **v0.7.0** (including), but was dropped
+    later due to being a maintenance nightmare.
+*   If upgrading from <= **0.6.1 to >= <b>0.7.0** you need to change
+    'username_attribute_name' to 'username_attribute_names' in initializer.
+*   If upgrading from <= **v0.5.1** to >= **v0.5.2** you need to explicitly
+    set your user_class model in the initializer file.
+        # This line must come after the 'user config' block.
+        config.user_class = User
+## Contributing to sorcery
+Your feedback is very welcome and will make this gem much much better for you,
+me and everyone else. Besides feedback on code, features, suggestions and bug
+reports, you may want to actually make an impact on the code. For this:
+*   Fork it.
+*   Fix it.
+*   Test it.
+*   Commit it.
+*   Send me a pull request so I'll... Pull it.
+If you feel sorcery has made your life easier, and you would like to express
+your thanks via a donation, my paypal email is in the contact details.
+## Contact
+Feel free to ask questions using these contact details:
+#### Noam Ben-Ari
+email: nbenari@gmail.com ( also for paypal )
+twitter: @nbenari
+#### Kir Shatrov
+email: shatrov@me.com
+twitter: @Kiiiir
+## Copyright
+Copyright (c) 2010 Noam Ben Ari (nbenari@gmail.com). See LICENSE.txt for
+further details.