sorcery 0.9.1 → 0.16.3

data/lib/sorcery/engine.rb

@@ -6,16 +6,24 @@ module Sorcery
   # With the plugin logic.
   class Engine < Rails::Engine
     config.sorcery = ::Sorcery::Controller::Config
-    
-    initializer "extend Controller with sorcery" do |app|
-      ActionController::Base.send(:include, Sorcery::Controller)
-      ActionController::Base.helper_method :current_user
-      ActionController::Base.helper_method :logged_in?
-    end
-    
-    rake_tasks do
-      load "sorcery/railties/tasks.rake"
+
+    # TODO: Should this include a modified version of the helper methods?
+    initializer 'extend Controller with sorcery' do
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_api) do
+      if defined?(ActionController::API)
+        ActionController::API.send(:include, Sorcery::Controller)
+      end
+
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_base) do
+      if defined?(ActionController::Base)
+        ActionController::Base.send(:include, Sorcery::Controller)
+        ActionController::Base.helper_method :current_user
+        ActionController::Base.helper_method :logged_in?
+      end
     end
-    
   end
-end
+end

data/lib/sorcery/model/config.rb

@@ -4,43 +4,55 @@
 module Sorcery
   module Model
     class Config
-
-      attr_accessor :username_attribute_names,           # change default username attribute, for example, to use :email
-                                                        # as the login.
-
-                    :password_attribute_name,           # change *virtual* password attribute, the one which is used
-                                                        # until an encrypted one is generated.
-
-                    :email_attribute_name,              # change default email attribute.
-
-                    :downcase_username_before_authenticating, # downcase the username before trying to authenticate, default is false
-
-                    :crypted_password_attribute_name,   # change default crypted_password attribute.
-                    :salt_join_token,                   # what pattern to use to join the password with the salt
-                    :salt_attribute_name,               # change default salt attribute.
-                    :stretches,                         # how many times to apply encryption to the password.
-                    :encryption_key,                    # encryption key used to encrypt reversible encryptions such as
-                                                        # AES256.
-
-                    :subclasses_inherit_config,         # make this configuration inheritable for subclasses. Useful for
-                                                        # ActiveRecord's STI.
-
-                    :submodules,                        # configured in config/application.rb
-                    :before_authenticate,               # an array of method names to call before authentication
-                                                        # completes. used internally.
-
-                    :after_config                       # an array of method names to call after configuration by user.
-                                                        # used internally.
-
-      attr_reader   :encryption_provider,               # change default encryption_provider.
-                    :custom_encryption_provider,        # use an external encryption class.
-                    :encryption_algorithm               # encryption algorithm name. See 'encryption_algorithm=' below
-                                                        # for available options.
+      # change *virtual* password attribute, the one which is used until an encrypted one is generated.
+      attr_accessor :password_attribute_name
+      # change default email attribute.
+      attr_accessor :email_attribute_name
+      # downcase the username before trying to authenticate, default is false
+      attr_accessor :downcase_username_before_authenticating
+      # change default crypted_password attribute.
+      attr_accessor :crypted_password_attribute_name
+      # application-specific secret token that is joined with the password and its salt.
+      # Currently available with BCrypt (default crypt provider) only.
+      attr_accessor :pepper
+      # what pattern to use to join the password with the salt
+      # APPLICABLE TO MD5, SHA1, SHA256, SHA512. Other crypt providers (incl. BCrypt) ignore this parameter.
+      attr_accessor :salt_join_token
+      # change default salt attribute.
+      attr_accessor :salt_attribute_name
+      # how many times to apply encryption to the password.
+      attr_accessor :stretches
+      # encryption key used to encrypt reversible encryptions such as AES256.
+      attr_accessor :encryption_key
+      # make this configuration inheritable for subclasses. Useful for ActiveRecord's STI.
+      attr_accessor :subclasses_inherit_config
+      # configured in config/application.rb
+      attr_accessor :submodules
+      # an array of method names to call before authentication completes. used internally.
+      attr_accessor :before_authenticate
+      # method to send email related
+      # options: `:deliver_later`, `:deliver_now`, `:deliver`
+      # Default: :deliver (Rails version < 4.2) or :deliver_now (Rails version 4.2+)
+      # method to send email related
+      attr_accessor :email_delivery_method
+      # an array of method names to call after configuration by user. used internally.
+      attr_accessor :after_config
+      # Set token randomness
+      attr_accessor :token_randomness
+
+      # change default username attribute, for example, to use :email as the login. See 'username_attribute_names=' below.
+      attr_reader :username_attribute_names
+      # change default encryption_provider.
+      attr_reader :encryption_provider
+      # use an external encryption class.
+      attr_reader :custom_encryption_provider
+      # encryption algorithm name. See 'encryption_algorithm=' below for available options.
+      attr_reader :encryption_algorithm
 
       def initialize
         @defaults = {
           :@submodules                           => [],
-          :@username_attribute_names              => [:email],
+          :@username_attribute_names             => [:email],
           :@password_attribute_name              => :password,
           :@downcase_username_before_authenticating => false,
           :@email_attribute_name                 => :email,
@@ -49,25 +61,28 @@ module Sorcery
           :@encryption_provider                  => CryptoProviders::BCrypt,
           :@custom_encryption_provider           => nil,
           :@encryption_key                       => nil,
-          :@salt_join_token                      => "",
+          :@pepper                               => '',
+          :@salt_join_token                      => '',
           :@salt_attribute_name                  => :salt,
           :@stretches                            => nil,
           :@subclasses_inherit_config            => false,
           :@before_authenticate                  => [],
-          :@after_config                         => []
+          :@after_config                         => [],
+          :@email_delivery_method                => default_email_delivery_method,
+          :@token_randomness                     => 15
         }
         reset!
       end
 
       # Resets all configuration options to their default values.
       def reset!
-        @defaults.each do |k,v|
-          instance_variable_set(k,v)
+        @defaults.each do |k, v|
+          instance_variable_set(k, v)
         end
       end
 
       def username_attribute_names=(fields)
-        @username_attribute_names = fields.kind_of?(Array) ? fields : [fields]
+        @username_attribute_names = fields.is_a?(Array) ? fields : [fields]
       end
 
       def custom_encryption_provider=(provider)
@@ -77,20 +92,28 @@ module Sorcery
       def encryption_algorithm=(algo)
         @encryption_algorithm = algo
         @encryption_provider = case @encryption_algorithm.to_sym
-        when :none   then nil
-        when :md5    then CryptoProviders::MD5
-        when :sha1   then CryptoProviders::SHA1
-        when :sha256 then CryptoProviders::SHA256
-        when :sha512 then CryptoProviders::SHA512
-        when :aes256 then CryptoProviders::AES256
-        when :bcrypt then CryptoProviders::BCrypt
-        when :custom then @custom_encryption_provider
-        else raise ArgumentError.new("Encryption algorithm supplied, #{algo}, is invalid")
-        end
+                               when :none   then nil
+                               when :md5    then CryptoProviders::MD5
+                               when :sha1   then CryptoProviders::SHA1
+                               when :sha256 then CryptoProviders::SHA256
+                               when :sha512 then CryptoProviders::SHA512
+                               when :aes256 then CryptoProviders::AES256
+                               when :bcrypt then CryptoProviders::BCrypt
+                               when :custom then @custom_encryption_provider
+                               else raise ArgumentError, "Encryption algorithm supplied, #{algo}, is invalid"
+                               end
       end
 
-    end
+      private
+
+      def default_email_delivery_method
+        # Rails 4.2 deprecates #deliver
+        rails_version_bigger_than_or_equal?('4.2.0') ? :deliver_now : :deliver
+      end
 
+      def rails_version_bigger_than_or_equal?(version)
+        Gem::Version.new(version) <= Gem::Version.new(Rails.version)
+      end
+    end
   end
 end
-

data/lib/sorcery/model/submodules/activity_logging.rb

@@ -12,12 +12,16 @@ module Sorcery
           base.send(:include, InstanceMethods)
 
           base.sorcery_config.class_eval do
-            attr_accessor :last_login_at_attribute_name,                  # last login attribute name.
-                          :last_logout_at_attribute_name,                 # last logout attribute name.
-                          :last_activity_at_attribute_name,               # last activity attribute name.
-                          :last_login_from_ip_address_name,               # last activity login source
-                          :activity_timeout                               # how long since last activity is
-                                                                          #the user defined logged out?
+            # last login attribute name.
+            attr_accessor :last_login_at_attribute_name
+            # last logout attribute name.
+            attr_accessor :last_logout_at_attribute_name
+            # last activity attribute name.
+            attr_accessor :last_activity_at_attribute_name
+            # last activity login source
+            attr_accessor :last_login_from_ip_address_name
+            # how long since last activity is the user defined offline
+            attr_accessor :activity_timeout
           end
 
           base.sorcery_config.instance_eval do
@@ -45,18 +49,33 @@ module Sorcery
             sorcery_adapter.update_attribute(sorcery_config.last_activity_at_attribute_name, time)
           end
 
-          def set_last_ip_addess(ip_address)
+          def set_last_ip_address(ip_address)
             sorcery_adapter.update_attribute(sorcery_config.last_login_from_ip_address_name, ip_address)
           end
-        end
 
-        module ClassMethods
-          # get all users with last_activity within timeout
-          def current_users
-            sorcery_adapter.get_current_users
+          # online method shows if user is active (logout action makes user inactive too)
+          def online?
+            return false if send(sorcery_config.last_activity_at_attribute_name).nil?
+
+            logged_in? && send(sorcery_config.last_activity_at_attribute_name) > sorcery_config.activity_timeout.seconds.ago
+          end
+
+          #  shows if user is logged in, but it not show if user is online - see online?
+          def logged_in?
+            return false if send(sorcery_config.last_login_at_attribute_name).nil?
+            return true if send(sorcery_config.last_login_at_attribute_name).present? && send(sorcery_config.last_logout_at_attribute_name).nil?
+
+            send(sorcery_config.last_login_at_attribute_name) > send(sorcery_config.last_logout_at_attribute_name)
           end
 
+          def logged_out?
+            !logged_in?
+          end
+        end
+
+        module ClassMethods
           protected
+
           def define_activity_logging_fields
             sorcery_adapter.define_field sorcery_config.last_login_at_attribute_name,    Time
             sorcery_adapter.define_field sorcery_config.last_logout_at_attribute_name,   Time

data/lib/sorcery/model/submodules/brute_force_protection.rb

@@ -10,15 +10,14 @@ module Sorcery
           base.sorcery_config.class_eval do
             attr_accessor :failed_logins_count_attribute_name,        # failed logins attribute name.
                           :lock_expires_at_attribute_name,            # this field indicates whether user
-                                                                      # is banned and when it will be active again.
+                          # is banned and when it will be active again.
                           :consecutive_login_retries_amount_limit,    # how many failed logins allowed.
                           :login_lock_time_period,                    # how long the user should be banned.
-                                                                      # in seconds. 0 for permanent.
-
+                          # in seconds. 0 for permanent.
                           :unlock_token_attribute_name,               # Unlock token attribute name
                           :unlock_token_email_method_name,            # Mailer method name
                           :unlock_token_mailer_disabled,              # When true, dont send unlock token via email
-                          :unlock_token_mailer                        # Mailer class
+                          :unlock_token_mailer                        # Mailer class
           end
 
           base.sorcery_config.instance_eval do
@@ -41,16 +40,21 @@ module Sorcery
         end
 
         module ClassMethods
-          def load_from_unlock_token(token)
-            return nil if token.blank?
-            user = sorcery_adapter.find_by_token(sorcery_config.unlock_token_attribute_name,token)
-            user
+          # This doesn't check to see if the account is still locked
+          def load_from_unlock_token(token, &block)
+            return if token.blank?
+
+            load_from_token(
+              token,
+              sorcery_config.unlock_token_attribute_name,
+              &block
+            )
           end
 
           protected
 
           def define_brute_force_protection_fields
-            sorcery_adapter.define_field sorcery_config.failed_logins_count_attribute_name, Integer, :default => 0
+            sorcery_adapter.define_field sorcery_config.failed_logins_count_attribute_name, Integer, default: 0
             sorcery_adapter.define_field sorcery_config.lock_expires_at_attribute_name, Time
             sorcery_adapter.define_field sorcery_config.unlock_token_attribute_name, String
           end
@@ -58,49 +62,49 @@ module Sorcery
 
         module InstanceMethods
           # Called by the controller to increment the failed logins counter.
-          # Calls 'lock!' if login retries limit was reached.
+          # Calls 'login_lock!' if login retries limit was reached.
           def register_failed_login!
             config = sorcery_config
-            return if !unlocked?
+            return unless login_unlocked?
 
             sorcery_adapter.increment(config.failed_logins_count_attribute_name)
 
-            if self.send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
-              lock!
-            end
+            return unless send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
+
+            login_lock!
           end
 
           # /!\
           # Moved out of protected for use like activate! in controller
           # /!\
-          def unlock!
+          def login_unlock!
             config = sorcery_config
-            attributes = {config.lock_expires_at_attribute_name => nil,
-                          config.failed_logins_count_attribute_name => 0,
-                          config.unlock_token_attribute_name => nil}
+            attributes = { config.lock_expires_at_attribute_name => nil,
+                           config.failed_logins_count_attribute_name => 0,
+                           config.unlock_token_attribute_name => nil }
             sorcery_adapter.update_attributes(attributes)
           end
 
-          def locked?
-            !unlocked?
+          def login_locked?
+            !login_unlocked?
           end
 
           protected
 
-          def lock!
+          def login_lock!
             config = sorcery_config
-            attributes = {config.lock_expires_at_attribute_name => Time.now.in_time_zone + config.login_lock_time_period,
-                          config.unlock_token_attribute_name => TemporaryToken.generate_random_token}
+            attributes = { config.lock_expires_at_attribute_name => Time.now.in_time_zone + config.login_lock_time_period,
+                           config.unlock_token_attribute_name => TemporaryToken.generate_random_token }
             sorcery_adapter.update_attributes(attributes)
 
-            unless config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
-              send_unlock_token_email!
-            end
+            return if config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
+
+            send_unlock_token_email!
           end
 
-          def unlocked?
+          def login_unlocked?
             config = sorcery_config
-            self.send(config.lock_expires_at_attribute_name).nil?
+            send(config.lock_expires_at_attribute_name).nil?
           end
 
           def send_unlock_token_email!
@@ -113,10 +117,13 @@ module Sorcery
           # Runs as a hook before authenticate.
           def prevent_locked_user_login
             config = sorcery_config
-            if !self.unlocked? && config.login_lock_time_period != 0
-              self.unlock! if self.send(config.lock_expires_at_attribute_name) <= Time.now.in_time_zone
+            if !login_unlocked? && config.login_lock_time_period != 0
+              login_unlock! if send(config.lock_expires_at_attribute_name) <= Time.now.in_time_zone
             end
-            unlocked?
+
+            return false, :locked unless login_unlocked?
+
+            true
           end
         end
       end

data/lib/sorcery/model/submodules/external.rb

@@ -20,7 +20,6 @@ module Sorcery
                           :authentications_user_id_attribute_name,
                           :provider_attribute_name,
                           :provider_uid_attribute_name
-
           end
 
           base.sorcery_config.instance_eval do
@@ -34,20 +33,20 @@ module Sorcery
 
           base.send(:include, InstanceMethods)
           base.extend(ClassMethods)
-
         end
 
         module ClassMethods
           # takes a provider and uid and finds a user by them.
-          def load_from_provider(provider,uid)
+          def load_from_provider(provider, uid)
             config = sorcery_config
             authentication = config.authentications_class.sorcery_adapter.find_by_oauth_credentials(provider, uid)
-            user = sorcery_adapter.find_by_id(authentication.send(config.authentications_user_id_attribute_name)) if authentication
+            # Return user if matching authentication found
+            sorcery_adapter.find_by_id(authentication.send(config.authentications_user_id_attribute_name)) if authentication
           end
 
           def create_and_validate_from_provider(provider, uid, attrs)
             user = new(attrs)
-            user.send(sorcery_config.authentications_class.to_s.downcase.pluralize).build(
+            user.send(sorcery_config.authentications_class.name.demodulize.underscore.pluralize).build(
               sorcery_config.provider_uid_attribute_name => uid,
               sorcery_config.provider_attribute_name => provider
             )
@@ -57,7 +56,7 @@ module Sorcery
 
           def create_from_provider(provider, uid, attrs)
             user = new
-            attrs.each do |k,v|
+            attrs.each do |k, v|
               user.send(:"#{k}=", v)
             end
 
@@ -66,7 +65,7 @@ module Sorcery
             end
 
             sorcery_adapter.transaction do
-              user.sorcery_adapter.save(:validate => false)
+              user.sorcery_adapter.save(validate: false)
               sorcery_config.authentications_class.create!(
                 sorcery_config.authentications_user_id_attribute_name => user.id,
                 sorcery_config.provider_attribute_name => provider,
@@ -75,11 +74,26 @@ module Sorcery
             end
             user
           end
+
+          # NOTE: Should this build the authentication as well and return [user, auth]?
+          # Currently, users call this function for the user and call add_provider_to_user after saving
+          def build_from_provider(attrs)
+            user = new
+            attrs.each do |k, v|
+              user.send(:"#{k}=", v)
+            end
+
+            if block_given?
+              return false unless yield user
+            end
+
+            user
+          end
         end
 
         module InstanceMethods
           def add_provider_to_user(provider, uid)
-            authentications = sorcery_config.authentications_class.name.underscore.pluralize
+            authentications = sorcery_config.authentications_class.name.demodulize.underscore.pluralize
             # first check to see if user has a particular authentication already
             if sorcery_adapter.find_authentication_by_oauth_credentials(authentications, provider, uid).nil?
               user = send(authentications).build(sorcery_config.provider_uid_attribute_name => uid,
@@ -91,9 +105,7 @@ module Sorcery
 
             user
           end
-
         end
-
       end
     end
   end

data/lib/sorcery/model/submodules/magic_login.rb

@@ -0,0 +1,130 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This submodule adds the ability to login via email without password.
+      # When the user requests an email is sent to him with a url.
+      # The url includes a token, which is also saved with the user's record in the db.
+      # The token has configurable expiration.
+      # When the user clicks the url in the email, providing the token has not yet expired,
+      # he will be able to login.
+      #
+      # When using this submodule, supplying a mailer is mandatory.
+      module MagicLogin
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :magic_login_token_attribute_name, # magic login code attribute name.
+                          :magic_login_token_expires_at_attribute_name, # expires at attribute name.
+                          :magic_login_email_sent_at_attribute_name, # when was email sent, used for hammering
+                          # protection.
+                          :magic_login_mailer_class, # mailer class. Needed.
+                          :magic_login_mailer_disabled, # when true sorcery will not automatically
+                          # email magic login details and allow you to
+                          # manually handle how and when email is sent
+                          :magic_login_email_method_name, # magic login email method on your
+                          # mailer class.
+                          :magic_login_expiration_period, # how many seconds before the request
+                          # expires. nil for never expires.
+                          :magic_login_time_between_emails # hammering protection, how long to wait
+            # before allowing another email to be sent.
+          end
+
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@magic_login_token_attribute_name => :magic_login_token,
+                             :@magic_login_token_expires_at_attribute_name => :magic_login_token_expires_at,
+                             :@magic_login_email_sent_at_attribute_name => :magic_login_email_sent_at,
+                             :@magic_login_mailer_class => nil,
+                             :@magic_login_mailer_disabled => true,
+                             :@magic_login_email_method_name => :magic_login_email,
+                             :@magic_login_expiration_period => 15 * 60,
+                             :@magic_login_time_between_emails => 5 * 60)
+
+            reset!
+          end
+
+          base.extend(ClassMethods)
+
+          base.sorcery_config.after_config << :validate_mailer_defined
+          base.sorcery_config.after_config << :define_magic_login_fields
+
+          base.send(:include, InstanceMethods)
+        end
+
+        module ClassMethods
+          # Find user by token, also checks for expiration.
+          # Returns the user if token found and is valid.
+          def load_from_magic_login_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.magic_login_token_attribute_name,
+              @sorcery_config.magic_login_token_expires_at_attribute_name,
+              &block
+            )
+          end
+
+          protected
+
+          # This submodule requires the developer to define his own mailer class to be used by it
+          # when magic_login_mailer_disabled is false
+          def validate_mailer_defined
+            msg = 'To use magic_login submodule, you must define a mailer (config.magic_login_mailer_class = YourMailerClass).'
+            raise ArgumentError, msg if @sorcery_config.magic_login_mailer_class.nil? && @sorcery_config.magic_login_mailer_disabled == false
+          end
+
+          def define_magic_login_fields
+            sorcery_adapter.define_field sorcery_config.magic_login_token_attribute_name, String
+            sorcery_adapter.define_field sorcery_config.magic_login_token_expires_at_attribute_name, Time
+            sorcery_adapter.define_field sorcery_config.magic_login_email_sent_at_attribute_name, Time
+          end
+        end
+
+        module InstanceMethods
+          # generates a reset code with expiration
+          def generate_magic_login_token!
+            config = sorcery_config
+            attributes = {
+              config.magic_login_token_attribute_name => TemporaryToken.generate_random_token,
+              config.magic_login_email_sent_at_attribute_name => Time.now.in_time_zone
+            }
+            attributes[config.magic_login_token_expires_at_attribute_name] = Time.now.in_time_zone + config.magic_login_expiration_period if config.magic_login_expiration_period
+
+            sorcery_adapter.update_attributes(attributes)
+          end
+
+          # generates a magic login code with expiration and sends an email to the user.
+          def deliver_magic_login_instructions!
+            mail = false
+            config = sorcery_config
+            # hammering protection
+            return false if !config.magic_login_time_between_emails.nil? &&
+                            send(config.magic_login_email_sent_at_attribute_name) &&
+                            send(config.magic_login_email_sent_at_attribute_name) > config.magic_login_time_between_emails.seconds.ago
+
+            self.class.sorcery_adapter.transaction do
+              generate_magic_login_token!
+              unless config.magic_login_mailer_disabled
+                send_magic_login_email!
+                mail = true
+              end
+            end
+            mail
+          end
+
+          # Clears the token.
+          def clear_magic_login_token!
+            config = sorcery_config
+            sorcery_adapter.update_attributes(
+              config.magic_login_token_attribute_name => nil,
+              config.magic_login_token_expires_at_attribute_name => nil
+            )
+          end
+
+          protected
+
+          def send_magic_login_email!
+            generic_send_email(:magic_login_email_method_name, :magic_login_mailer_class)
+          end
+        end
+      end
+    end
+  end
+end