sorcery 0.1.0

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/.rspec

@@ -0,0 +1 @@
+--color

data/Gemfile

@@ -0,0 +1,19 @@
+source "http://rubygems.org"
+# Add dependencies required to use your gem here.
+# Example:
+#   gem "activesupport", ">= 2.3.5"
+
+# Add dependencies to develop your gem here.
+# Include everything needed to run rake, tests, features, etc.
+group :development do
+  gem "rails", "3.0.3"
+  gem "rspec", "~> 2.3.0"
+  gem 'rspec-rails'
+  gem 'ruby-debug19'
+  gem 'sqlite3-ruby', :require => 'sqlite3'
+  gem "yard", "~> 0.6.0"
+  gem "cucumber", ">= 0"
+  gem "bundler", "~> 1.0.0"
+  gem "jeweler", "~> 1.5.2"
+  gem 'simplecov', '>= 0.3.8', :require => false # Will install simplecov-html as a dependency
+end

data/Gemfile.lock

@@ -0,0 +1,129 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    actionmailer (3.0.3)
+      actionpack (= 3.0.3)
+      mail (~> 2.2.9)
+    actionpack (3.0.3)
+      activemodel (= 3.0.3)
+      activesupport (= 3.0.3)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.4)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.13)
+      rack-test (~> 0.5.6)
+      tzinfo (~> 0.3.23)
+    activemodel (3.0.3)
+      activesupport (= 3.0.3)
+      builder (~> 2.1.2)
+      i18n (~> 0.4)
+    activerecord (3.0.3)
+      activemodel (= 3.0.3)
+      activesupport (= 3.0.3)
+      arel (~> 2.0.2)
+      tzinfo (~> 0.3.23)
+    activeresource (3.0.3)
+      activemodel (= 3.0.3)
+      activesupport (= 3.0.3)
+    activesupport (3.0.3)
+    archive-tar-minitar (0.5.2)
+    arel (2.0.6)
+    builder (2.1.2)
+    columnize (0.3.2)
+    cucumber (0.10.0)
+      builder (>= 2.1.2)
+      diff-lcs (~> 1.1.2)
+      gherkin (~> 2.3.2)
+      json (~> 1.4.6)
+      term-ansicolor (~> 1.0.5)
+    diff-lcs (1.1.2)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    gherkin (2.3.2)
+      json (~> 1.4.6)
+      term-ansicolor (~> 1.0.5)
+    git (1.2.5)
+    i18n (0.5.0)
+    jeweler (1.5.2)
+      bundler (~> 1.0.0)
+      git (>= 1.2.5)
+      rake
+    json (1.4.6)
+    linecache19 (0.5.11)
+      ruby_core_source (>= 0.1.4)
+    mail (2.2.13)
+      activesupport (>= 2.3.6)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.16)
+    polyglot (0.3.1)
+    rack (1.2.1)
+    rack-mount (0.6.13)
+      rack (>= 1.0.0)
+    rack-test (0.5.6)
+      rack (>= 1.0)
+    rails (3.0.3)
+      actionmailer (= 3.0.3)
+      actionpack (= 3.0.3)
+      activerecord (= 3.0.3)
+      activeresource (= 3.0.3)
+      activesupport (= 3.0.3)
+      bundler (~> 1.0)
+      railties (= 3.0.3)
+    railties (3.0.3)
+      actionpack (= 3.0.3)
+      activesupport (= 3.0.3)
+      rake (>= 0.8.7)
+      thor (~> 0.14.4)
+    rake (0.8.7)
+    rspec (2.3.0)
+      rspec-core (~> 2.3.0)
+      rspec-expectations (~> 2.3.0)
+      rspec-mocks (~> 2.3.0)
+    rspec-core (2.3.1)
+    rspec-expectations (2.3.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.3.0)
+    rspec-rails (2.3.1)
+      actionpack (~> 3.0)
+      activesupport (~> 3.0)
+      railties (~> 3.0)
+      rspec (~> 2.3.0)
+    ruby-debug-base19 (0.11.24)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby_core_source (>= 0.1.4)
+    ruby-debug19 (0.11.6)
+      columnize (>= 0.3.1)
+      linecache19 (>= 0.5.11)
+      ruby-debug-base19 (>= 0.11.19)
+    ruby_core_source (0.1.4)
+      archive-tar-minitar (>= 0.5.2)
+    simplecov (0.3.9)
+      simplecov-html (>= 0.3.7)
+    simplecov-html (0.3.9)
+    sqlite3-ruby (1.3.2)
+    term-ansicolor (1.0.5)
+    thor (0.14.6)
+    treetop (1.4.9)
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.23)
+    yard (0.6.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.0.0)
+  cucumber
+  jeweler (~> 1.5.2)
+  rails (= 3.0.3)
+  rspec (~> 2.3.0)
+  rspec-rails
+  ruby-debug19
+  simplecov (>= 0.3.8)
+  sqlite3-ruby
+  yard (~> 0.6.0)

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Noam Ben-Ari
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,139 @@
+= sorcery
+Magical Authentication for Rails 3.
+
+Inspired by restful_authentication, Authlogic and Devise.
+Crypto code taken almost unchanged from Authlogic.
+
+== Example app using sorcery:
+
+https://github.com/NoamB/sorcery-example-app
+
+== Current Features:
+
+* Basic Login/Logout.
+* Password encryption with configurable algorithm.
+* User activation by email with optional success email.
+* Reset password with email verification.
+* Remember me with configurable expiration.
+* Configurable session timeout.
+* Brute force login hammering protection.
+* Modular design, load only the modules you need.
+* 100% TDD'd code, 100% test coverage.
+
+== Planned Features:
+
+I've got many plans which include:
+* Basic HTTP Authentication
+* Auto login
+* Hammering reset password protection
+* Other reset password strategies (security questions?)
+* Sinatra support
+* Mongoid support
+* OmniAuth integration
+* Activity logging
+* Have an idea? Let me know, and it might get into the gem!
+
+== Project Goals:
+
+This gem plugin was started out of a few personal goals which are not related to the problem solved by it at all:
+* I wanted to write something 100% TDD from start to finish.
+* I wanted to learn how to write an engine for Rails 3.
+
+In addition to the above goals, when I decided this will be an authentication plugin, and while looking at existing solutions, these goals came up:
+* Simple & short configuration as possible, not drowning in syntactic sugar.
+* Keep MVC cleanly separated - DB is for models, sessions are for controllers. Models stay unaware of sessions.
+* Magic yes, Voodoo no.
+* No generated code polluting the application's code.
+* No built-in controllers, models, mailers, migrations or templates; Real apps will need all of these custom made.
+
+Hopefully, I've achieved this. If not, let me know.
+
+== Installation:
+
+You can either git clone and then 'rake install',
+
+In the future will be available:
+
+	gem install sorcery
+
+== Configuration:
+
+First add 'sorcery' to your Gemfile:
+
+	gem "sorcery"
+
+And run 
+	
+	bundle install
+
+There are 2 required places to configure the plugin, and an optional one:
+1. config/application.rb
+
+	config.sorcery.submodules = [:user_activation, :remember_me] # add the modules you want to use
+
+You can also configure here any controller and any controller-submodule option here.
+For example:
+
+	config.sorcery.session_timeout = 10.minutes
+
+
+2. app/models/user.rb (or another model of your choice)
+
+	activate_sorcery! do |config|
+  	  config.sorcery_mailer = MyMailer
+	  config.username_attribute_name = :email
+	end
+
+3. app/controllers/application_controller.rb (OPTIONAL: this is actually needed only in some cases)
+
+	activate_sorcery! do |config|
+  	  config.session_timeout = 10.minutes
+	end
+
+Also check the migrations in the example app to see what database fields are expected.
+
+
+
+The configuration options vary with the modules you've chosen to use.
+
+== Basic Configuration (in Model):
+
+see lib/sorcery/model.rb
+
+== User Activation Configuration (in Model):
+
+see lib/sorcery/model/submodules/user_activation.rb
+
+== Remember Me Configuration (in Model):
+
+see lib/sorcery/model/submodules/remember_me.rb
+
+== Password Reset Configuration (in Model):
+
+see lib/sorcery/model/submodules/password_reset.rb
+
+
+
+== Session Timeout Configuration (in Controller or config/application.rb):
+
+see lib/sorcery/controller/submodules/session_timeout.rb
+
+== Brute Force Protection Configuration (in Controller or config/application.rb):
+
+see lib/sorcery/controller/submodules/brute_force_protection.rb
+
+
+
+== Contributing to sorcery
+
+I can use help of any kind, be it comments on code (code review), suggestions, features, bug reports, bug fixes and even a donation.
+
+== Contact
+
+	email: nbenari@gmail.com
+	
+== Copyright
+
+Copyright (c) 2010 Noam Ben Ari (nbenari@gmail.com). See LICENSE.txt for further details.
+Released with permission from Kontera (http://www.kontera.com), where I work.
+

data/Rakefile

@@ -0,0 +1,61 @@
+# require 'bundler'
+# begin
+#   Bundler.setup(:default, :development)
+# rescue Bundler::BundlerError => e
+#   $stderr.puts e.message
+#   $stderr.puts "Run `bundle install` to install missing gems"
+#   exit e.status_code
+# end
+require 'rake'
+
+require 'jeweler'
+Jeweler::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
+  gem.name = "sorcery"
+  gem.homepage = "http://github.com/NoamB/sorcery"
+  gem.license = "MIT"
+  gem.summary = "Magical authentication for Rails 3 applications"
+  gem.description = "Provides common authentication needs such as signing in/out, activating by email and resetting password."
+  gem.email = "nbenari@gmail.com"
+  gem.authors = ["Noam Ben Ari"]
+  # Include your dependencies below. Runtime dependencies are required when using your gem,
+  # and development dependencies are only needed for development (ie running rake tasks, tests, etc)
+  #  gem.add_runtime_dependency 'jabber4r', '> 0.1'
+  #  gem.add_development_dependency 'rspec', '> 1.2.3'
+end
+Jeweler::RubygemsDotOrgTasks.new
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+RSpec::Core::RakeTask.new(:rcov) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+require 'cucumber/rake/task'
+Cucumber::Rake::Task.new(:features)
+
+
+
+require 'yard'
+YARD::Rake::YardocTask.new
+
+
+#task :default => :spec
+desc 'Default: Run all specs.'
+task :default => :all_specs
+
+desc "Run all specs"
+task :all_specs do
+  Dir['spec/**/Rakefile'].each do |rakefile|
+    directory_name = File.dirname(rakefile)
+    sh <<-CMD
+      cd #{directory_name}
+      bundle exec rake
+    CMD
+  end
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/features/support/env.rb

@@ -0,0 +1,13 @@
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+
+$LOAD_PATH.unshift(File.dirname(__FILE__) + '/../../lib')
+require 'sorcery'
+
+require 'rspec/expectations'

data/lib/sorcery.rb

@@ -0,0 +1,28 @@
+module Sorcery
+  autoload :Model, 'sorcery/model'
+  module Model
+    module Submodules
+      autoload :UserActivation, 'sorcery/model/submodules/user_activation'
+      autoload :PasswordReset, 'sorcery/model/submodules/password_reset'
+      autoload :RememberMe, 'sorcery/model/submodules/remember_me'
+    end
+  end
+  autoload :Controller, 'sorcery/controller'
+  module Controller
+    module Submodules
+      autoload :RememberMe, 'sorcery/controller/submodules/remember_me'
+      autoload :SessionTimeout, 'sorcery/controller/submodules/session_timeout'
+      autoload :BruteForceProtection, 'sorcery/controller/submodules/brute_force_protection'
+    end
+  end
+  module CryptoProviders
+    autoload :AES256, 'sorcery/crypto_providers/aes256'
+    autoload :BCrypt, 'sorcery/crypto_providers/bcrypt'
+    autoload :MD5,    'sorcery/crypto_providers/md5'
+    autoload :SHA1,   'sorcery/crypto_providers/sha1'
+    autoload :SHA256, 'sorcery/crypto_providers/sha256'
+    autoload :SHA512, 'sorcery/crypto_providers/sha512'
+  end
+  
+  require 'sorcery/engine' if defined?(Rails) && Rails::VERSION::MAJOR == 3
+end

data/lib/sorcery/controller.rb

@@ -0,0 +1,156 @@
+module Sorcery
+  module Controller
+    def self.included(klass)
+      klass.class_eval do
+        extend ClassMethods
+        include InstanceMethods
+        Config.submodules.each do |mod|
+          begin
+            include Submodules.const_get(mod.to_s.split("_").map {|p| p.capitalize}.join("")) 
+          rescue NameError
+            # don't stop on a missing submodule.
+          end
+        end
+        Config.update!
+        Config.user_class = User
+      end
+    end
+    
+    module ClassMethods
+      def activate_sorcery!(&block)
+        yield Config if block_given?
+        after_config!
+      end
+      
+      def after_config!
+        Config.after_config.each {|c| send(c)}       
+      end
+    end
+    
+    module InstanceMethods
+      # To be used as before_filter.
+      # Will trigger auto-login attempts via the call to logged_in?
+      # If all attempts to auto-login fail, the failure callback will be called.
+      def require_user_login
+        if !logged_in?
+          session[:user_wanted_url] = request.url if Config.save_user_wanted_url
+          self.send(Config.not_authenticated_action) 
+        end
+      end
+      
+      def login(*credentials)
+        user = Config.user_class.authenticate(*credentials)
+        if user
+          reset_session # protect from session fixation attacks
+          login_user(user)
+          after_login!(user, credentials)
+          logged_in_user
+        else
+          after_failed_login!(user, credentials)
+          nil
+        end
+      end
+      
+      def logout
+        if logged_in?
+          reset_session
+          after_logout!
+        end
+      end
+      
+      def logged_in?
+        !!logged_in_user
+      end
+      
+      # attempts to auto-login from the sources defined (session, basic_auth, cookie, etc.)
+      # returns the logged in user if found, false if not (using old restful-authentication trick).
+      def logged_in_user
+        @logged_in_user ||= login_from_session || login_from_other_sources unless @logged_in_user == false # || login_from_basic_auth || )
+      end
+      
+      def login_from_other_sources
+        result = nil
+        Config.login_sources.find do |source|
+          result = send(source)
+        end
+        result || false
+      end
+      
+      def not_authenticated
+        redirect_to root_path
+      end
+      
+      protected
+      
+      def login_user(user)
+        session[:user_id] = user.id
+      end
+      
+      def login_from_session
+        @logged_in_user = (Config.user_class.find_by_id(session[:user_id]) if session[:user_id]) || false
+      end
+      
+      def after_login!(user, credentials)
+        Config.after_login.each {|c| self.send(c, user, credentials)}
+      end
+      
+      def after_failed_login!(user, credentials)
+        Config.after_failed_login.each {|c| self.send(c, user, credentials)}
+      end
+      
+      def after_logout!
+        Config.after_logout.each {|c| self.send(c)}
+      end
+      
+    end
+    
+    module Config
+      class << self
+        attr_accessor :submodules,
+        
+                      :user_class,                    # what class to use as the user class.
+                      
+                      :not_authenticated_action,      # what controller action to call for non-authenticated users.
+                      
+                      :save_user_wanted_url,          # when a non logged in user tries to enter a page that requires login, save the URL he wanted to reach, 
+                                                      # and send him there after login.
+                      
+                      :login_sources,
+                      :after_login,
+                      :after_failed_login,
+                      :after_logout,
+                      :after_config
+                      
+                      
+        def init!
+          @defaults = {
+            :@user_class                           => nil,
+            :@submodules                           => [],
+            :@not_authenticated_action             => :not_authenticated,
+            :@login_sources                        => [],
+            :@after_login                          => [],
+            :@after_failed_login                   => [],
+            :@after_logout                         => [],
+            :@after_config                         => [],
+            :@save_user_wanted_url                 => true
+          }
+        end
+        
+        # Resets all configuration options to their default values.
+        def reset!
+          @defaults.each do |k,v|
+            instance_variable_set(k,v)
+          end       
+        end
+        
+        def update!
+          @defaults.each do |k,v|
+            instance_variable_set(k,v) if !instance_variable_defined?(k)
+          end
+        end
+      end
+      init!
+      reset!
+    end
+  end
+end