sorcery 0.9.1 → 0.16.3

data/lib/sorcery/model/submodules/remember_me.rb

@@ -9,13 +9,14 @@ module Sorcery
           base.sorcery_config.class_eval do
             attr_accessor :remember_me_token_attribute_name,              # the attribute in the model class.
                           :remember_me_token_expires_at_attribute_name,   # the expires attribute in the model class.
+                          :remember_me_token_persist_globally,            # persist a single token globally for all logins/logouts (supporting multiple simultaneous browsers)
                           :remember_me_for                                # how long in seconds to remember.
-
           end
 
           base.sorcery_config.instance_eval do
             @defaults.merge!(:@remember_me_token_attribute_name            => :remember_me_token,
                              :@remember_me_token_expires_at_attribute_name => :remember_me_token_expires_at,
+                             :@remember_me_token_persist_globally          => false,
                              :@remember_me_for                             => 7 * 60 * 60 * 24)
 
             reset!
@@ -34,26 +35,37 @@ module Sorcery
             sorcery_adapter.define_field sorcery_config.remember_me_token_attribute_name, String
             sorcery_adapter.define_field sorcery_config.remember_me_token_expires_at_attribute_name, Time
           end
-
         end
 
         module InstanceMethods
           # You shouldn't really use this one yourself - it's called by the controller's 'remember_me!' method.
           def remember_me!
             config = sorcery_config
-            self.sorcery_adapter.update_attributes(config.remember_me_token_attribute_name => TemporaryToken.generate_random_token,
-                                        config.remember_me_token_expires_at_attribute_name => Time.now.in_time_zone + config.remember_me_for)
+
+            update_options = { config.remember_me_token_expires_at_attribute_name => Time.now.in_time_zone + config.remember_me_for }
+
+            unless config.remember_me_token_persist_globally && has_remember_me_token?
+              update_options[config.remember_me_token_attribute_name] = TemporaryToken.generate_random_token
+            end
+
+            sorcery_adapter.update_attributes(update_options)
           end
 
           def has_remember_me_token?
-            self.send(sorcery_config.remember_me_token_attribute_name).present?
+            send(sorcery_config.remember_me_token_attribute_name).present?
           end
 
           # You shouldn't really use this one yourself - it's called by the controller's 'forget_me!' method.
+          # We only clear the token value if remember_me_token_persist_globally = true.
           def forget_me!
+            sorcery_config.remember_me_token_persist_globally || force_forget_me!
+          end
+
+          # You shouldn't really use this one yourself - it's called by the controller's 'force_forget_me!' method.
+          def force_forget_me!
             config = sorcery_config
-            self.sorcery_adapter.update_attributes(config.remember_me_token_attribute_name => nil,
-                                        config.remember_me_token_expires_at_attribute_name => nil)
+            sorcery_adapter.update_attributes(config.remember_me_token_attribute_name => nil,
+                                              config.remember_me_token_expires_at_attribute_name => nil)
           end
         end
       end

data/lib/sorcery/model/submodules/reset_password.rb

@@ -12,37 +12,38 @@ module Sorcery
       module ResetPassword
         def self.included(base)
           base.sorcery_config.class_eval do
-            attr_accessor :reset_password_token_attribute_name,              # reset password code attribute name.
-                          :reset_password_token_expires_at_attribute_name,   # expires at attribute name.
-                          :reset_password_email_sent_at_attribute_name,      # when was email sent, used for hammering
-                                                                             # protection.
-
-                          :reset_password_mailer,                            # mailer class. Needed.
-
-                          :reset_password_mailer_disabled,                   # when true sorcery will not automatically
-                                                                             # email password reset details and allow you to
-                                                                             # manually handle how and when email is sent
-
-                          :reset_password_email_method_name,                 # reset password email method on your
-                                                                             # mailer class.
-
-                          :reset_password_expiration_period,                 # how many seconds before the reset request
-                                                                             # expires. nil for never expires.
-
-                          :reset_password_time_between_emails                # hammering protection, how long to wait
-                                                                             # before allowing another email to be sent.
-
+            # Reset password code attribute name.
+            attr_accessor :reset_password_token_attribute_name
+            # Expires at attribute name.
+            attr_accessor :reset_password_token_expires_at_attribute_name
+            # Counter access to reset password page
+            attr_accessor :reset_password_page_access_count_attribute_name
+            # When was email sent, used for hammering protection.
+            attr_accessor :reset_password_email_sent_at_attribute_name
+            # Mailer class (needed)
+            attr_accessor :reset_password_mailer
+            # When true sorcery will not automatically email password reset details and allow you to
+            # manually handle how and when email is sent
+            attr_accessor :reset_password_mailer_disabled
+            # Reset password email method on your mailer class.
+            attr_accessor :reset_password_email_method_name
+            # How many seconds before the reset request expires. nil for never expires.
+            attr_accessor :reset_password_expiration_period
+            # Hammering protection, how long to wait before allowing another email to be sent.
+            attr_accessor :reset_password_time_between_emails
           end
 
           base.sorcery_config.instance_eval do
             @defaults.merge!(:@reset_password_token_attribute_name            => :reset_password_token,
                              :@reset_password_token_expires_at_attribute_name => :reset_password_token_expires_at,
+                             :@reset_password_page_access_count_attribute_name =>
+                                 :access_count_to_reset_password_page,
                              :@reset_password_email_sent_at_attribute_name    => :reset_password_email_sent_at,
                              :@reset_password_mailer                          => nil,
                              :@reset_password_mailer_disabled                 => false,
                              :@reset_password_email_method_name               => :reset_password_email,
                              :@reset_password_expiration_period               => nil,
-                             :@reset_password_time_between_emails             => 5 * 60 )
+                             :@reset_password_time_between_emails             => 5 * 60)
 
             reset!
           end
@@ -53,16 +54,18 @@ module Sorcery
           base.sorcery_config.after_config << :define_reset_password_fields
 
           base.send(:include, InstanceMethods)
-
         end
 
         module ClassMethods
           # Find user by token, also checks for expiration.
           # Returns the user if token found and is valid.
-          def load_from_reset_password_token(token)
-            token_attr_name = @sorcery_config.reset_password_token_attribute_name
-            token_expiration_date_attr = @sorcery_config.reset_password_token_expires_at_attribute_name
-            load_from_token(token, token_attr_name, token_expiration_date_attr)
+          def load_from_reset_password_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.reset_password_token_attribute_name,
+              @sorcery_config.reset_password_token_expires_at_attribute_name,
+              &block
+            )
           end
 
           protected
@@ -70,8 +73,8 @@ module Sorcery
           # This submodule requires the developer to define his own mailer class to be used by it
           # when reset_password_mailer_disabled is false
           def validate_mailer_defined
-            msg = "To use reset_password submodule, you must define a mailer (config.reset_password_mailer = YourMailerClass)."
-            raise ArgumentError, msg if @sorcery_config.reset_password_mailer == nil and @sorcery_config.reset_password_mailer_disabled == false
+            message = 'To use reset_password submodule, you must define a mailer (config.reset_password_mailer = YourMailerClass).'
+            raise ArgumentError, message if @sorcery_config.reset_password_mailer.nil? && @sorcery_config.reset_password_mailer_disabled == false
           end
 
           def define_reset_password_fields
@@ -79,36 +82,56 @@ module Sorcery
             sorcery_adapter.define_field sorcery_config.reset_password_token_expires_at_attribute_name, Time
             sorcery_adapter.define_field sorcery_config.reset_password_email_sent_at_attribute_name, Time
           end
-
         end
 
         module InstanceMethods
-          # generates a reset code with expiration
+          # Generates a reset code with expiration
           def generate_reset_password_token!
             config = sorcery_config
-            attributes = {config.reset_password_token_attribute_name => TemporaryToken.generate_random_token,
-                          config.reset_password_email_sent_at_attribute_name => Time.now.in_time_zone}
+            attributes = { config.reset_password_token_attribute_name => TemporaryToken.generate_random_token,
+                           config.reset_password_email_sent_at_attribute_name => Time.now.in_time_zone }
             attributes[config.reset_password_token_expires_at_attribute_name] = Time.now.in_time_zone + config.reset_password_expiration_period if config.reset_password_expiration_period
 
-            self.sorcery_adapter.update_attributes(attributes)
+            sorcery_adapter.update_attributes(attributes)
           end
 
-          # generates a reset code with expiration and sends an email to the user.
+          # Generates a reset code with expiration and sends an email to the user.
           def deliver_reset_password_instructions!
+            mail = false
             config = sorcery_config
             # hammering protection
-            return false if config.reset_password_time_between_emails.present? && self.send(config.reset_password_email_sent_at_attribute_name) && self.send(config.reset_password_email_sent_at_attribute_name) > config.reset_password_time_between_emails.seconds.ago.utc
+            return false if config.reset_password_time_between_emails.present? && send(config.reset_password_email_sent_at_attribute_name) && send(config.reset_password_email_sent_at_attribute_name) > config.reset_password_time_between_emails.seconds.ago.utc
+
             self.class.sorcery_adapter.transaction do
               generate_reset_password_token!
-              send_reset_password_email! unless config.reset_password_mailer_disabled
+              mail = send_reset_password_email! unless config.reset_password_mailer_disabled
             end
+            mail
+          end
+
+          # Increment access_count_to_reset_password_page attribute.
+          # For example, access_count_to_reset_password_page attribute is over 1, which
+          # means the user doesn't have a right to access.
+          def increment_password_reset_page_access_counter
+            sorcery_adapter.increment(sorcery_config.reset_password_page_access_count_attribute_name)
+          end
+
+          # Reset access_count_to_reset_password_page attribute into 0.
+          # This is expected to be used after sending an instruction email.
+          def reset_password_reset_page_access_counter
+            send(:"#{sorcery_config.reset_password_page_access_count_attribute_name}=", 0)
+            sorcery_adapter.save
           end
 
           # Clears token and tries to update the new password for the user.
-          def change_password!(new_password)
+          def change_password(new_password, raise_on_failure: false)
             clear_reset_password_token
-            self.send(:"#{sorcery_config.password_attribute_name}=", new_password)
-            sorcery_adapter.save
+            send(:"#{sorcery_config.password_attribute_name}=", new_password)
+            sorcery_adapter.save raise_on_failure: raise_on_failure
+          end
+
+          def change_password!(new_password)
+            change_password(new_password, raise_on_failure: true)
           end
 
           protected
@@ -120,11 +143,10 @@ module Sorcery
           # Clears the token.
           def clear_reset_password_token
             config = sorcery_config
-            self.send(:"#{config.reset_password_token_attribute_name}=", nil)
-            self.send(:"#{config.reset_password_token_expires_at_attribute_name}=", nil) if config.reset_password_expiration_period
+            send(:"#{config.reset_password_token_attribute_name}=", nil)
+            send(:"#{config.reset_password_token_expires_at_attribute_name}=", nil) if config.reset_password_expiration_period
           end
         end
-
       end
     end
   end

data/lib/sorcery/model/submodules/user_activation.rb

@@ -8,33 +8,24 @@ module Sorcery
       module UserActivation
         def self.included(base)
           base.sorcery_config.class_eval do
-            attr_accessor :activation_state_attribute_name,               # the attribute name to hold activation state
-                                                                          # (active/pending).
-
-                          :activation_token_attribute_name,               # the attribute name to hold activation code
-                                                                          # (sent by email).
-
-                          :activation_token_expires_at_attribute_name,    # the attribute name to hold activation code
-                                                                          # expiration date.
-
-                          :activation_token_expiration_period,            # how many seconds before the activation code
-                                                                          # expires. nil for never expires.
-
-                          :user_activation_mailer,                        # your mailer class. Required when
-                                                                          # activation_mailer_disabled == false.
-
-                          :activation_mailer_disabled,                    # when true sorcery will not automatically
-                                                                          # email activation details and allow you to
-                                                                          # manually handle how and when email is sent
-
-                          :activation_needed_email_method_name,           # activation needed email method on your
-                                                                          # mailer class.
-
-                          :activation_success_email_method_name,          # activation success email method on your
-                                                                          # mailer class.
-
-                          :prevent_non_active_users_to_login              # do you want to prevent or allow users that
-                                                                          # did not activate by email to login?
+            # The attribute name to hold activation state (active/pending).
+            attr_accessor :activation_state_attribute_name
+            # The attribute name to hold activation code (sent by email).
+            attr_accessor :activation_token_attribute_name
+            # The attribute name to hold activation code expiration date.
+            attr_accessor :activation_token_expires_at_attribute_name
+            # How many seconds before the activation code expires. nil for never expires.
+            attr_accessor :activation_token_expiration_period
+            # Your mailer class. Required when activation_mailer_disabled == false.
+            attr_accessor :user_activation_mailer
+            # When true sorcery will not automatically email activation details and allow you to manually handle how and when email is sent
+            attr_accessor :activation_mailer_disabled
+            # Activation needed email method on your mailer class.
+            attr_accessor :activation_needed_email_method_name
+            # Activation success email method on your mailer class.
+            attr_accessor :activation_success_email_method_name
+            # Do you want to prevent or allow users that did not activate by email to login?
+            attr_accessor :prevent_non_active_users_to_login
           end
 
           base.sorcery_config.instance_eval do
@@ -52,9 +43,9 @@ module Sorcery
 
           base.class_eval do
             # don't setup activation if no password supplied - this user is created automatically
-            sorcery_adapter.define_callback :before, :create, :setup_activation, :if => Proc.new { |user| user.send(sorcery_config.password_attribute_name).present? }
+            sorcery_adapter.define_callback :before, :create, :setup_activation, if: proc { |user| user.send(sorcery_config.password_attribute_name).present? }
             # don't send activation needed email if no crypted password created - this user is external (OAuth etc.)
-            sorcery_adapter.define_callback :after, :create, :send_activation_needed_email!, :if => :send_activation_needed_email?
+            sorcery_adapter.define_callback :after, :commit, :send_activation_needed_email!, on: :create, if: :send_activation_needed_email?
           end
 
           base.sorcery_config.after_config << :validate_mailer_defined
@@ -63,17 +54,18 @@ module Sorcery
 
           base.extend(ClassMethods)
           base.send(:include, InstanceMethods)
-
-
         end
 
         module ClassMethods
           # Find user by token, also checks for expiration.
           # Returns the user if token found and is valid.
-          def load_from_activation_token(token)
-            token_attr_name = @sorcery_config.activation_token_attribute_name
-            token_expiration_date_attr = @sorcery_config.activation_token_expires_at_attribute_name
-            load_from_token(token, token_attr_name, token_expiration_date_attr)
+          def load_from_activation_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.activation_token_attribute_name,
+              @sorcery_config.activation_token_expires_at_attribute_name,
+              &block
+            )
           end
 
           protected
@@ -81,12 +73,12 @@ module Sorcery
           # This submodule requires the developer to define his own mailer class to be used by it
           # when activation_mailer_disabled is false
           def validate_mailer_defined
-            msg = "To use user_activation submodule, you must define a mailer (config.user_activation_mailer = YourMailerClass)."
-            raise ArgumentError, msg if @sorcery_config.user_activation_mailer == nil and @sorcery_config.activation_mailer_disabled == false
+            message = 'To use user_activation submodule, you must define a mailer (config.user_activation_mailer = YourMailerClass).'
+            raise ArgumentError, message if @sorcery_config.user_activation_mailer.nil? && @sorcery_config.activation_mailer_disabled == false
           end
 
           def define_user_activation_fields
-            self.class_eval do
+            class_eval do
               sorcery_adapter.define_field sorcery_config.activation_state_attribute_name, String
               sorcery_adapter.define_field sorcery_config.activation_token_attribute_name, String
               sorcery_adapter.define_field sorcery_config.activation_token_expires_at_attribute_name, Time
@@ -98,20 +90,22 @@ module Sorcery
           def setup_activation
             config = sorcery_config
             generated_activation_token = TemporaryToken.generate_random_token
-            self.send(:"#{config.activation_token_attribute_name}=", generated_activation_token)
-            self.send(:"#{config.activation_state_attribute_name}=", "pending")
-            self.send(:"#{config.activation_token_expires_at_attribute_name}=", Time.now.in_time_zone + config.activation_token_expiration_period) if config.activation_token_expiration_period
+            send(:"#{config.activation_token_attribute_name}=", generated_activation_token)
+            send(:"#{config.activation_state_attribute_name}=", 'pending')
+            send(:"#{config.activation_token_expires_at_attribute_name}=", Time.now.in_time_zone + config.activation_token_expiration_period) if config.activation_token_expiration_period
           end
 
           # clears activation code, sets the user as 'active' and optionaly sends a success email.
           def activate!
             config = sorcery_config
-            self.send(:"#{config.activation_token_attribute_name}=", nil)
-            self.send(:"#{config.activation_state_attribute_name}=", "active")
+            send(:"#{config.activation_token_attribute_name}=", nil)
+            send(:"#{config.activation_state_attribute_name}=", 'active')
             send_activation_success_email! if send_activation_success_email?
-            sorcery_adapter.save(:validate => false, :raise_on_failure => true)
+            sorcery_adapter.save(validate: false, raise_on_failure: true)
           end
 
+          attr_accessor :skip_activation_needed_email, :skip_activation_success_email
+
           protected
 
           # called automatically after user initial creation.
@@ -124,24 +118,28 @@ module Sorcery
           end
 
           def send_activation_success_email?
-            !external? && (
-              !(sorcery_config.activation_success_email_method_name.nil? ||
-                sorcery_config.activation_mailer_disabled == true)
-            )
+            !external? &&
+              !(sorcery_config.activation_success_email_method_name.nil? || sorcery_config.activation_mailer_disabled == true) &&
+              !skip_activation_success_email
           end
 
           def send_activation_needed_email?
-            !external? && (
-              !(sorcery_config.activation_needed_email_method_name.nil? ||
-                sorcery_config.activation_mailer_disabled == true)
-            )
+            !external? &&
+              !(sorcery_config.activation_needed_email_method_name.nil? || sorcery_config.activation_mailer_disabled == true) &&
+              !skip_activation_needed_email
           end
 
           def prevent_non_active_login
             config = sorcery_config
-            config.prevent_non_active_users_to_login ? self.send(config.activation_state_attribute_name) == "active" : true
-          end
 
+            if config.prevent_non_active_users_to_login
+              unless send(config.activation_state_attribute_name) == 'active'
+                return false, :inactive
+              end
+            end
+
+            true
+          end
         end
       end
     end

data/lib/sorcery/model/temporary_token.rb

@@ -7,22 +7,45 @@ module Sorcery
     # such as reseting password and activating the user by email.
     module TemporaryToken
       def self.included(base)
+        # FIXME: This may not be the ideal way of passing sorcery_config to generate_random_token.
+        @sorcery_config = base.sorcery_config
         base.extend(ClassMethods)
       end
 
       # Random code, used for salt and temporary tokens.
       def self.generate_random_token
-        SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
+        SecureRandom.urlsafe_base64(@sorcery_config.token_randomness).tr('lIO0', 'sxyz')
       end
 
       module ClassMethods
-        def load_from_token(token, token_attr_name, token_expiration_date_attr)
-          return nil if token.blank?
-          user = sorcery_adapter.find_by_token(token_attr_name,token)
-          if !user.blank? && !user.send(token_expiration_date_attr).nil?
-            return Time.now.in_time_zone < user.send(token_expiration_date_attr) ? user : nil
+        def load_from_token(token, token_attr_name, token_expiration_date_attr = nil, &block)
+          return token_response(failure: :invalid_token, &block) if token.blank?
+
+          user = sorcery_adapter.find_by_token(token_attr_name, token)
+
+          return token_response(failure: :user_not_found, &block) unless user
+
+          unless check_expiration_date(user, token_expiration_date_attr)
+            return token_response(user: user, failure: :token_expired, &block)
           end
-          user
+
+          token_response(user: user, return_value: user, &block)
+        end
+
+        protected
+
+        def check_expiration_date(user, token_expiration_date_attr)
+          return true unless token_expiration_date_attr
+
+          expires_at = user.send(token_expiration_date_attr)
+
+          !expires_at || (Time.now.in_time_zone < expires_at)
+        end
+
+        def token_response(options = {})
+          yield(options[:user], options[:failure]) if block_given?
+
+          options[:return_value]
         end
       end
     end