sorcery 0.1.2 → 0.1.3

data/README.rdoc

@@ -37,16 +37,20 @@ Brute Force Protection (see lib/sorcery/controller/submodules/brute_force_protec
 * Brute force login hammering protection.
 * configurable logins before ban, logins within time period before ban, ban time and ban action.
 
+Basic HTTP Authentication (see lib/sorcery/controller/submodules/http_basic_auth.rb):
+* A before filter for requesting authentication with HTTP Basic.
+* automatic login from HTTP Basic.
+* automatic login is disabled if session key changed.
+
 Other:
 * Modular design, load only the modules you need.
 * 100% TDD'd code, 100% test coverage.
 
-== Planned Features:
+== Next Planned Features:
 
 I've got many plans which include:
-* Basic HTTP Authentication
-* Auto login
 * Hammering reset password protection
+* Configurable Auto login on registration/activation
 * Other reset password strategies (security questions?)
 * Sinatra support
 * Mongoid support

data/VERSION

@@ -1 +1 @@
-0.1.2
+0.1.3

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -0,0 +1,57 @@
+module Sorcery
+  module Controller
+    module Submodules
+      module HttpBasicAuth
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.module_eval do
+            class << self
+              attr_accessor :controller_to_realm_map            # how many failed logins allowed.
+                            
+              def merge_http_basic_auth_defaults!
+                @defaults.merge!(:@controller_to_realm_map  => {"application" => "Application"})
+              end
+            end
+            merge_http_basic_auth_defaults!
+          end
+          Config.login_sources << :login_from_basic_auth
+        end
+        
+        module InstanceMethods
+          
+          protected
+          
+          # to be used as a before_filter.
+          # The method sets a session when requesting the user's credentials.
+          # This is a trick to overcome the way HTTP authentication work (explained below):
+          #
+          # Once the user fills the credentials once, the browser will always send it to the server when visiting the website, until the browser is closed.
+          # This causes wierd behaviour if the user logs out. The session is reset, yet the user is re-logged in by the before_filter calling 'login_from_basic_auth'.
+          # To overcome this, we set a session when requesting the password, which logout will reset, and that's how we know if we need to request for HTTP auth again.
+          def require_user_login_from_http
+            request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return if request.authorization.nil? || session[:http_authentication_used].nil?
+            require_user_login
+          end
+          
+          def login_from_basic_auth
+            authenticate_with_http_basic do |username, password|
+              @logged_in_user = (Config.user_class.authenticate(username, password) if session[:http_authentication_used]) || false
+            end
+          end
+          
+          def realm_name_by_controller
+            current_controller = self.class
+            while current_controller != ActionController::Base
+              result = Config.controller_to_realm_map[current_controller.controller_name]
+              return result if result
+              current_controller = self.class.superclass
+            end
+            nil
+          end
+          
+        end
+
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -25,7 +25,7 @@ module Sorcery
             session[:login_time] = session[:last_action_time] = Time.now.utc
           end
           
-          # To be used as a before_filter, before authenticate
+          # To be used as a before_filter, before require_user_login
           def validate_session
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
             if session_to_use && (Time.now.utc - session_to_use > Config.session_timeout)

data/lib/sorcery.rb

@@ -13,6 +13,7 @@ module Sorcery
       autoload :RememberMe, 'sorcery/controller/submodules/remember_me'
       autoload :SessionTimeout, 'sorcery/controller/submodules/session_timeout'
       autoload :BruteForceProtection, 'sorcery/controller/submodules/brute_force_protection'
+      autoload :HttpBasicAuth, 'sorcery/controller/submodules/http_basic_auth'
     end
   end
   module CryptoProviders

data/sorcery.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{sorcery}
-  s.version = "0.1.2"
+  s.version = "0.1.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Noam Ben Ari"]
-  s.date = %q{2011-02-04}
+  s.date = %q{2011-02-05}
   s.description = %q{Provides common authentication needs such as signing in/out, activating by email and resetting password.}
   s.email = %q{nbenari@gmail.com}
   s.extra_rdoc_files = [
@@ -29,6 +29,7 @@ Gem::Specification.new do |s|
     "lib/sorcery.rb",
     "lib/sorcery/controller.rb",
     "lib/sorcery/controller/submodules/brute_force_protection.rb",
+    "lib/sorcery/controller/submodules/http_basic_auth.rb",
     "lib/sorcery/controller/submodules/remember_me.rb",
     "lib/sorcery/controller/submodules/session_timeout.rb",
     "lib/sorcery/crypto_providers/aes256.rb",
@@ -108,6 +109,7 @@ Gem::Specification.new do |s|
     "spec/rails3/app_root/test/unit/user_test.rb",
     "spec/rails3/app_root/vendor/plugins/.gitkeep",
     "spec/rails3/controller_brute_force_protection_spec.rb",
+    "spec/rails3/controller_http_basic_auth_spec.rb",
     "spec/rails3/controller_remember_me_spec.rb",
     "spec/rails3/controller_session_timeout_spec.rb",
     "spec/rails3/controller_spec.rb",
@@ -152,6 +154,7 @@ Gem::Specification.new do |s|
     "spec/rails3/app_root/test/test_helper.rb",
     "spec/rails3/app_root/test/unit/user_test.rb",
     "spec/rails3/controller_brute_force_protection_spec.rb",
+    "spec/rails3/controller_http_basic_auth_spec.rb",
     "spec/rails3/controller_remember_me_spec.rb",
     "spec/rails3/controller_session_timeout_spec.rb",
     "spec/rails3/controller_spec.rb",

data/spec/Gemfile

@@ -2,7 +2,7 @@ source 'http://rubygems.org'
 
 gem "rails", '3.0.3'
 gem 'bcrypt-ruby', :require => 'bcrypt'
-gem "sorcery", '0.1.1', :path => '../../../'
+gem "sorcery", '0.1.3', :path => '../../../'
 
 group :development do
   gem 'rspec'

data/spec/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../../../
   specs:
-    sorcery (0.1.1)
+    sorcery (0.1.3)
 
 GEM
   remote: http://rubygems.org/
@@ -105,4 +105,4 @@ DEPENDENCIES
   rspec
   ruby-debug19
   simplecov (>= 0.3.8)
-  sorcery (= 0.1.1)!
+  sorcery (= 0.1.3)!

data/spec/rails3/Gemfile

@@ -2,7 +2,7 @@ source 'http://rubygems.org'
 
 gem 'rails', '3.0.3'
 gem 'sqlite3-ruby', :require => 'sqlite3'
-gem "sorcery", '0.1.1', :path => '../../../'
+gem "sorcery", '0.1.3', :path => '../../../'
 gem 'bcrypt-ruby', '~> 2.1.4', :require => 'bcrypt'
   
 group :development do

data/spec/rails3/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../../../
   specs:
-    sorcery (0.1.1)
+    sorcery (0.1.3)
 
 GEM
   remote: http://rubygems.org/
@@ -112,5 +112,5 @@ DEPENDENCIES
   rspec-rails
   ruby-debug19
   simplecov (>= 0.3.8)
-  sorcery (= 0.1.1)!
+  sorcery (= 0.1.3)!
   sqlite3-ruby

data/spec/rails3/app_root/app/controllers/application_controller.rb

@@ -2,6 +2,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery
   
   #before_filter :validate_session, :only => [:test_should_be_logged_in] if defined?(:validate_session)
+  before_filter :require_user_login_from_http, :only => [:test_http_basic_auth]
   before_filter :require_user_login, :only => [:test_logout, :test_should_be_logged_in, :some_action]
   
   def index
@@ -54,6 +55,10 @@ class ApplicationController < ActionController::Base
     render :text => ""
   end
   
+  def test_http_basic_auth
+    render :text => "HTTP Basic Auth"
+  end
+  
   protected
   
   

data/spec/rails3/app_root/config/routes.rb

@@ -8,6 +8,7 @@ AppRoot::Application.routes.draw do
   match '/test_login_with_remember_in_login', :to => 'application#test_login_with_remember_in_login'
   match '/test_login_from_cookie', :to => 'application#test_login_from_cookie'
   match '/test_should_be_logged_in', :to => 'application#test_should_be_logged_in'
+  match '/test_http_basic_auth', :to => 'application#test_http_basic_auth'
   # The priority is based upon order of creation:
   # first created -> highest priority.
 

data/spec/rails3/controller_http_basic_auth_spec.rb

@@ -0,0 +1,40 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+describe ApplicationController do
+  
+  # ----------------- HTTP BASIC AUTH -----------------------
+  describe ApplicationController, "with http basic auth features" do
+    before(:all) do
+      plugin_model_configure([:http_basic_auth])
+      create_new_user
+    end
+    
+    it "requests basic authentication when before_filter is used" do
+      get :test_http_basic_auth
+      response.code.should == "401"
+    end
+    
+    it "authenticates from http basic if credentials are sent" do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{@user.username}:secret")
+      get :test_http_basic_auth, nil, :http_authentication_used => true
+      response.should be_a_success
+    end
+    
+    it "fails authentication if credentials are wrong" do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64::encode64("#{@user.username}:wrong!")
+      get :test_http_basic_auth, nil, :http_authentication_used => true
+      response.code.should redirect_to root_url
+    end
+    
+    it "should allow configuration option 'controller_to_realm_map'" do
+      plugin_set_controller_config_property(:controller_to_realm_map, {"1" => "2"})
+      Sorcery::Controller::Config.controller_to_realm_map.should == {"1" => "2"}
+    end
+    
+    it "should display the correct realm name configured for the controller" do
+      plugin_set_controller_config_property(:controller_to_realm_map, {"application" => "Salad"})
+      get :test_http_basic_auth
+      response.headers["WWW-Authenticate"].should == "Basic realm=\"Salad\""
+    end
+  end
+end

metadata

@@ -2,7 +2,7 @@
 name: sorcery
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors: 
 - Noam Ben Ari
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-02-04 00:00:00 +02:00
+date: 2011-02-05 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -145,6 +145,7 @@ files:
 - lib/sorcery.rb
 - lib/sorcery/controller.rb
 - lib/sorcery/controller/submodules/brute_force_protection.rb
+- lib/sorcery/controller/submodules/http_basic_auth.rb
 - lib/sorcery/controller/submodules/remember_me.rb
 - lib/sorcery/controller/submodules/session_timeout.rb
 - lib/sorcery/crypto_providers/aes256.rb
@@ -224,6 +225,7 @@ files:
 - spec/rails3/app_root/test/unit/user_test.rb
 - spec/rails3/app_root/vendor/plugins/.gitkeep
 - spec/rails3/controller_brute_force_protection_spec.rb
+- spec/rails3/controller_http_basic_auth_spec.rb
 - spec/rails3/controller_remember_me_spec.rb
 - spec/rails3/controller_session_timeout_spec.rb
 - spec/rails3/controller_spec.rb
@@ -290,6 +292,7 @@ test_files:
 - spec/rails3/app_root/test/test_helper.rb
 - spec/rails3/app_root/test/unit/user_test.rb
 - spec/rails3/controller_brute_force_protection_spec.rb
+- spec/rails3/controller_http_basic_auth_spec.rb
 - spec/rails3/controller_remember_me_spec.rb
 - spec/rails3/controller_session_timeout_spec.rb
 - spec/rails3/controller_spec.rb