sorcery 0.1.3 → 0.1.4

data/Gemfile

@@ -6,13 +6,12 @@ source "http://rubygems.org"
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "rails", "3.0.3"
+  gem "rails", ">= 3.0.0"
   gem "rspec", "~> 2.3.0"
   gem 'rspec-rails'
   gem 'ruby-debug19'
   gem 'sqlite3-ruby', :require => 'sqlite3'
   gem "yard", "~> 0.6.0"
-  gem "cucumber", ">= 0"
   gem "bundler", "~> 1.0.0"
   gem "jeweler", "~> 1.5.2"
   gem 'simplecov', '>= 0.3.8', :require => false # Will install simplecov-html as a dependency

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2010 Noam Ben-Ari
+Copyright (c) 2010 Noam Ben-Ari <mailto:nbenari@gmail.com>
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -19,11 +19,13 @@ User Activation (see lib/sorcery/model/submodules/user_activation.rb):
 * User activation by email with optional success email.
 * configurable attribute names.
 * configurable mailer.
-* Optionally prevent active users to login.
+* Optionally prevent non-active users to login.
 
-Password Reset (see lib/sorcery/model/submodules/password_reset.rb):
+Reset Password (see lib/sorcery/model/submodules/reset_password.rb):
 * Reset password with email verification.
 * configurable mailer, method name, and attribute name.
+* configurable expiration.
+* configurable time between emails (hammering protection).
 
 Remember Me (see lib/sorcery/model/submodules/remember_me.rb):
 * Remember me with configurable expiration.
@@ -33,15 +35,20 @@ Session Timeout (see lib/sorcery/controller/submodules/session_timeout.rb):
 * Configurable session timeout.
 * Optionally session timeout will be calculated from last user action.
 
-Brute Force Protection (see lib/sorcery/controller/submodules/brute_force_protection.rb):
+Brute Force Protection (see lib/sorcery/model/submodules/brute_force_protection.rb):
 * Brute force login hammering protection.
-* configurable logins before ban, logins within time period before ban, ban time and ban action.
+* configurable logins before lock and lock duration.
 
 Basic HTTP Authentication (see lib/sorcery/controller/submodules/http_basic_auth.rb):
 * A before filter for requesting authentication with HTTP Basic.
 * automatic login from HTTP Basic.
 * automatic login is disabled if session key changed.
 
+Activity Logging (see lib/sorcery/model/submodules/activity_logging.rb):
+* automatic logging of last login, last logout and last activity time.
+* an easy method of collecting the list of currently logged in users.
+* configurable timeout by which to decide whether to include a user in the list of logged in users.
+
 Other:
 * Modular design, load only the modules you need.
 * 100% TDD'd code, 100% test coverage.
@@ -49,13 +56,12 @@ Other:
 == Next Planned Features:
 
 I've got many plans which include:
-* Hammering reset password protection
 * Configurable Auto login on registration/activation
 * Other reset password strategies (security questions?)
+* Other brute force protection strategies (captcha)
 * Sinatra support
 * Mongoid support
-* OmniAuth integration
-* Activity logging
+* OAuth1 and OAuth2 support
 * Have an idea? Let me know, and it might get into the gem!
 
 == Project Goals:
@@ -75,9 +81,9 @@ Hopefully, I've achieved this. If not, let me know.
 
 == Installation:
 
-You can either git clone and then 'rake install',
+You can either git clone and then 'rake install' to live on the edge (unstable),
 
-In the future will be available:
+Or simply (stable):
 
 	gem install sorcery
 
@@ -122,11 +128,21 @@ The configuration options vary with the modules you've chosen to use.
 
 == Contributing to sorcery
 
-I can use help of any kind, be it comments on code, suggestions, features, bug reports, bug fixes, documentation and if you like, a donation.
+Your feedback is very welcome and will make this gem much much better for you, me and everyone else.
+Besides feedback on code, features, suggestions and bug reports, you may want to actually make an impact on the code.
+For this:
+
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add tests for it. This is important so I don’t break it in a future version unintentionally.
+* Commit, do not mess with Rakefiles, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+If you feel my work has made your life easier, and you would like to thank me through a donation, my paypal email is in the contact details.
 
 == Contact
 
-	email: nbenari@gmail.com
+	email: nbenari@gmail.com ( also for paypal )
 	twitter: @nbenari
 	
 == Copyright

data/Rakefile

@@ -22,31 +22,20 @@ Jeweler::Tasks.new do |gem|
   # and development dependencies are only needed for development (ie running rake tasks, tests, etc)
   #  gem.add_runtime_dependency 'jabber4r', '> 0.1'
   #  gem.add_development_dependency 'rspec', '> 1.2.3'
-  #  gem.add_runtime_dependency 'bcrypt-ruby', '~> 2.1.4'
+  gem.add_runtime_dependency 'bcrypt-ruby', '~> 2.1.4'
 end
 Jeweler::RubygemsDotOrgTasks.new
 
 require 'rspec/core'
 require 'rspec/core/rake_task'
+
 RSpec::Core::RakeTask.new(:spec) do |spec|
   spec.pattern = FileList['spec/**/*_spec.rb']
 end
 
-RSpec::Core::RakeTask.new(:rcov) do |spec|
-  spec.pattern = 'spec/**/*_spec.rb'
-  spec.rcov = true
-end
-
-require 'cucumber/rake/task'
-Cucumber::Rake::Task.new(:features)
-
-
-
 require 'yard'
 YARD::Rake::YardocTask.new
 
-
-#task :default => :spec
 desc 'Default: Run all specs.'
 task :default => :all_specs
 

data/VERSION

@@ -1 +1 @@
-0.1.3
+0.1.4

data/lib/sorcery.rb

@@ -3,8 +3,10 @@ module Sorcery
   module Model
     module Submodules
       autoload :UserActivation, 'sorcery/model/submodules/user_activation'
-      autoload :PasswordReset, 'sorcery/model/submodules/password_reset'
+      autoload :ResetPassword, 'sorcery/model/submodules/reset_password'
       autoload :RememberMe, 'sorcery/model/submodules/remember_me'
+      autoload :ActivityLogging, 'sorcery/model/submodules/activity_logging'
+      autoload :BruteForceProtection, 'sorcery/model/submodules/brute_force_protection'
     end
   end
   autoload :Controller, 'sorcery/controller'
@@ -14,6 +16,7 @@ module Sorcery
       autoload :SessionTimeout, 'sorcery/controller/submodules/session_timeout'
       autoload :BruteForceProtection, 'sorcery/controller/submodules/brute_force_protection'
       autoload :HttpBasicAuth, 'sorcery/controller/submodules/http_basic_auth'
+      autoload :ActivityLogging, 'sorcery/controller/submodules/activity_logging'
     end
   end
   module CryptoProviders

data/lib/sorcery/controller.rb

@@ -12,7 +12,6 @@ module Sorcery
           end
         end
         Config.update!
-        Config.user_class = User
       end
     end
     
@@ -31,7 +30,7 @@ module Sorcery
       # To be used as before_filter.
       # Will trigger auto-login attempts via the call to logged_in?
       # If all attempts to auto-login fail, the failure callback will be called.
-      def require_user_login
+      def require_login
         if !logged_in?
           session[:user_wanted_url] = request.url if Config.save_user_wanted_url
           self.send(Config.not_authenticated_action) 
@@ -46,13 +45,14 @@ module Sorcery
           after_login!(user, credentials)
           logged_in_user
         else
-          after_failed_login!(user, credentials)
+          after_failed_login!(credentials)
           nil
         end
       end
       
       def logout
         if logged_in?
+          before_logout!(logged_in_user)
           reset_session
           after_logout!
         end
@@ -63,9 +63,9 @@ module Sorcery
       end
       
       # attempts to auto-login from the sources defined (session, basic_auth, cookie, etc.)
-      # returns the logged in user if found, false if not (using old restful-authentication trick).
+      # returns the logged in user if found, false if not (using old restful-authentication trick, nil != false).
       def logged_in_user
-        @logged_in_user ||= login_from_session || login_from_other_sources unless @logged_in_user == false # || login_from_basic_auth || )
+        @logged_in_user ||= login_from_session || login_from_other_sources unless @logged_in_user == false
       end
       
       def login_from_other_sources
@@ -94,8 +94,12 @@ module Sorcery
         Config.after_login.each {|c| self.send(c, user, credentials)}
       end
       
-      def after_failed_login!(user, credentials)
-        Config.after_failed_login.each {|c| self.send(c, user, credentials)}
+      def after_failed_login!(credentials)
+        Config.after_failed_login.each {|c| self.send(c, credentials)}
+      end
+      
+      def before_logout!(user)
+        Config.before_logout.each {|c| self.send(c, user)}
       end
       
       def after_logout!
@@ -118,6 +122,7 @@ module Sorcery
                       :login_sources,
                       :after_login,
                       :after_failed_login,
+                      :before_logout,
                       :after_logout,
                       :after_config
                       
@@ -130,6 +135,7 @@ module Sorcery
             :@login_sources                        => [],
             :@after_login                          => [],
             :@after_failed_login                   => [],
+            :@before_logout                        => [],
             :@after_logout                         => [],
             :@after_config                         => [],
             :@save_user_wanted_url                 => true

data/lib/sorcery/controller/submodules/activity_logging.rb

@@ -0,0 +1,45 @@
+module Sorcery
+  module Controller
+    module Submodules
+      module ActivityLogging
+        def self.included(base)
+          base.send(:include, InstanceMethods)
+          Config.after_login << :register_login_time_to_db
+          Config.before_logout << :register_logout_time_to_db
+          base.after_filter :register_last_activity_time_to_db
+        end
+        
+        module InstanceMethods
+          def logged_in_users
+            Config.user_class.logged_in_users
+            # A possible patch here:
+            # we'll add the logged_in_user to the users list if he's not in it (can happen when he was inactive for more than activity timeout):
+            #
+            #   users.unshift!(logged_in_user) if logged_in? && users.find {|u| u.id == logged_in_user.id}.nil?
+            #
+            # disadvantages: can hurt performance.
+          end
+          
+          protected
+          
+          def register_login_time_to_db(user, credentials)
+            user.send(:"#{user.sorcery_config.last_login_at_attribute_name}=", Time.now.utc.to_s(:db))
+            user.save!(:validate => false)
+          end
+          
+          def register_logout_time_to_db(user)
+            user.send(:"#{user.sorcery_config.last_logout_at_attribute_name}=", Time.now.utc.to_s(:db))
+            user.save!(:validate => false)
+          end
+          
+          # we do not update activity on logout
+          def register_last_activity_time_to_db
+            return if !logged_in?
+            logged_in_user.send(:"#{logged_in_user.sorcery_config.last_activity_at_attribute_name}=", Time.now.utc.to_s(:db))
+            logged_in_user.save!(:validate => false)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sorcery/controller/submodules/brute_force_protection.rb

@@ -4,83 +4,22 @@ module Sorcery
       module BruteForceProtection
         def self.included(base)
           base.send(:include, InstanceMethods)
-          Config.module_eval do
-            class << self
-              attr_accessor :login_retries_amount_allowed,      # how many failed logins allowed.
-                            :login_retries_time_period,         # the time after which the failed logins counter is reset.
-                            :login_ban_time_period,             # how long the user should be banned. in seconds.
-                            :banned_action                      # what controller action should be called when a banned user tries.
-                            
-              def merge_brute_force_protection_defaults!
-                @defaults.merge!(:@login_retries_amount_allowed  => 50,
-                                 :@login_retries_time_period     => 30,
-                                 :@login_ban_time_period         => 3600,
-                                 :@banned_action                 => :default_banned_action)
-              end
-            end
-            merge_brute_force_protection_defaults!
-          end
-          Config.after_failed_login << :check_failed_logins_limit_reached
-          base.prepend_before_filter :deny_banned_user
+
+          Config.after_login << :reset_failed_logins_count!
+          Config.after_failed_login << :update_failed_logins_count!
         end
         
         module InstanceMethods
-          def check_failed_logins_limit_reached(user, credentials)
-            now = Time.now.utc
-              
-            # not banned
-            if session[:first_failed_login_time]
-              reset_failed_logins_if_time_passed(now)
-            else
-              session[:first_failed_login_time] = now
-            end
-            increment_failed_logins
-            # ban
-            ban_if_above_limit(now)
-          end
           
           protected
           
-          def release_ban_if_time_passed(now)
-            if now - session[:ban_start_time] > Config.login_ban_time_period
-              session[:banned] = nil
-              session[:failed_logins] = 0
-              return true
-            end
-            false
-          end
-          
-          def increment_failed_logins
-            session[:failed_logins] ||= 0
-            session[:failed_logins] += 1
-          end
-          
-          def reset_failed_logins_if_time_passed(now)
-            if now - session[:first_failed_login_time] > Config.login_retries_time_period
-              session[:failed_logins] = 0 
-              session[:first_failed_login_time] = now
-            end
-          end
-          
-          def ban_if_above_limit(now)
-            if session[:failed_logins] > Config.login_retries_amount_allowed
-              session[:banned] = true
-              session[:ban_start_time] = now
-            end
-          end
-          
-          def deny_banned_user
-            if session[:banned]
-              now = Time.now.utc
-              release_ban_if_time_passed(now)
-            end
-            
-            # if still banned
-            send(Config.banned_action) if session[:banned]
+          def update_failed_logins_count!(credentials)
+            user = User.where("#{User.sorcery_config.username_attribute_name} = ?", credentials[0]).first
+            user.register_failed_login! if user
           end
           
-          def default_banned_action
-            render :nothing => true
+          def reset_failed_logins_count!(user, credentials)
+            user.update_attributes!(User.sorcery_config.failed_logins_count_attribute_name => 0)
           end
         end
       end

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -23,19 +23,22 @@ module Sorcery
           
           # to be used as a before_filter.
           # The method sets a session when requesting the user's credentials.
-          # This is a trick to overcome the way HTTP authentication work (explained below):
+          # This is a trick to overcome the way HTTP authentication works (explained below):
           #
           # Once the user fills the credentials once, the browser will always send it to the server when visiting the website, until the browser is closed.
           # This causes wierd behaviour if the user logs out. The session is reset, yet the user is re-logged in by the before_filter calling 'login_from_basic_auth'.
           # To overcome this, we set a session when requesting the password, which logout will reset, and that's how we know if we need to request for HTTP auth again.
-          def require_user_login_from_http
-            request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return if request.authorization.nil? || session[:http_authentication_used].nil?
-            require_user_login
+          def require_login_from_http_basic
+            (request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return) if (request.authorization.nil? || session[:http_authentication_used].nil?)
+            require_login
           end
           
+          # given to main controller module as a login source callback
           def login_from_basic_auth
             authenticate_with_http_basic do |username, password|
               @logged_in_user = (Config.user_class.authenticate(username, password) if session[:http_authentication_used]) || false
+              login_user(@logged_in_user) if @logged_in_user
+              @logged_in_user
             end
           end
           

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -21,11 +21,13 @@ module Sorcery
         end
         
         module InstanceMethods
+          protected
+          
           def register_login_time(user, credentials)
             session[:login_time] = session[:last_action_time] = Time.now.utc
           end
           
-          # To be used as a before_filter, before require_user_login
+          # To be used as a before_filter, before require_login
           def validate_session
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
             if session_to_use && (Time.now.utc - session_to_use > Config.session_timeout)
@@ -35,6 +37,7 @@ module Sorcery
               session[:last_action_time] = Time.now.utc
             end
           end
+
         end
       end
     end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -1,8 +1,4 @@
-begin
-  require "bcrypt"
-rescue LoadError
-  "sudo gem install bcrypt-ruby"
-end
+require 'bcrypt'
 
 module Sorcery
   module CryptoProviders