sorcery 0.5.3 → 0.5.21
- data/README.rdoc +1 -1
- data/VERSION +1 -1
- data/lib/sorcery/controller.rb +3 -5
- data/lib/sorcery/controller/submodules/activity_logging.rb +6 -10
- data/lib/sorcery/controller/submodules/brute_force_protection.rb +3 -6
- data/lib/sorcery/controller/submodules/http_basic_auth.rb +5 -10
- data/lib/sorcery/controller/submodules/remember_me.rb +4 -13
- data/lib/sorcery/controller/submodules/session_timeout.rb +1 -3
- data/lib/sorcery/crypto_providers/aes256.rb +5 -8
- data/lib/sorcery/crypto_providers/bcrypt.rb +6 -12
- data/lib/sorcery/crypto_providers/sha256.rb +1 -2
- data/lib/sorcery/crypto_providers/sha512.rb +1 -2
- data/lib/sorcery/initializers/initializer.rb +36 -125
- data/lib/sorcery/model.rb +15 -28
- data/lib/sorcery/model/adapters/active_record.rb +2 -2
- data/lib/sorcery/model/adapters/mongoid.rb +2 -2
- data/lib/sorcery/model/submodules/activity_logging.rb +6 -7
- data/lib/sorcery/model/submodules/brute_force_protection.rb +6 -10
- data/lib/sorcery/model/submodules/external.rb +2 -4
- data/lib/sorcery/model/submodules/remember_me.rb +3 -4
- data/lib/sorcery/model/submodules/reset_password.rb +8 -16
- data/lib/sorcery/model/submodules/user_activation.rb +10 -23
- data/lib/sorcery/model/temporary_token.rb +2 -3
- data/lib/sorcery/test_helpers/internal.rb +1 -2
- data/lib/sorcery/test_helpers/internal/rails.rb +1 -5
- data/sorcery.gemspec +2 -16
- data/spec/Gemfile.lock +1 -1
- data/spec/rails3/Gemfile.lock +1 -1
- data/spec/rails3/spec/user_activation_spec.rb +168 -2
- data/spec/rails3/spec/user_activity_logging_spec.rb +30 -2
- data/spec/rails3/spec/user_brute_force_protection_spec.rb +35 -2
- data/spec/rails3/spec/user_oauth_spec.rb +26 -2
- data/spec/rails3/spec/user_remember_me_spec.rb +45 -2
- data/spec/rails3/spec/user_reset_password_spec.rb +168 -3
- data/spec/rails3/spec/user_spec.rb +283 -3
- data/spec/rails3_mongoid/Gemfile.lock +1 -1
- data/spec/rails3_mongoid/app/models/authentication.rb +3 -3
- data/spec/rails3_mongoid/spec/user_activation_spec.rb +171 -2
- data/spec/rails3_mongoid/spec/user_activity_logging_spec.rb +25 -2
- data/spec/rails3_mongoid/spec/user_brute_force_protection_spec.rb +35 -2
- data/spec/rails3_mongoid/spec/user_oauth_spec.rb +28 -2
- data/spec/rails3_mongoid/spec/user_remember_me_spec.rb +45 -2
- data/spec/rails3_mongoid/spec/user_reset_password_spec.rb +176 -2
- data/spec/rails3_mongoid/spec/user_spec.rb +285 -3
- data/spec/sinatra/Gemfile.lock +1 -1
- data/spec/sinatra_modular/Gemfile.lock +1 -1
- metadata +2 -16
- data/spec/shared_examples/user_activation_shared_examples.rb +0 -173
- data/spec/shared_examples/user_activity_logging_shared_examples.rb +0 -27
- data/spec/shared_examples/user_brute_force_protection_shared_examples.rb +0 -37
- data/spec/shared_examples/user_oauth_shared_examples.rb +0 -30
- data/spec/shared_examples/user_remember_me_shared_examples.rb +0 -47
- data/spec/shared_examples/user_reset_password_shared_examples.rb +0 -177
- data/spec/shared_examples/user_shared_examples.rb +0 -292
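--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -29,7 +29,7 @@ Example Rails 3 app using sorcery: https://github.com/NoamB/sorcery-example-app
 
 Example Sinatra app using sorcery: https://github.com/NoamB/sorcery-example-app-sinatra
 
-Documentation: http://rubydoc.info/gems/sorcery/0.5.
+Documentation: http://rubydoc.info/gems/sorcery/0.5.21/frames
 
 Check out the tutorials in the github wiki!
 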
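--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.5.
+0.5.21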
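--- a/data/lib/sorcery/controller.rb
+++ b/data/lib/sorcery/controller.rb
@@ -62,8 +62,7 @@ module Sorcery
 @current_user ||= login_from_session || login_from_other_sources unless @current_user == false
 end
 
-# used when a user tries to access a page while logged out, is asked to login,
-# and we want to return him back to the page he originally wanted.
+# used when a user tries to access a page while logged out, is asked to login, and we want to return him back to the page he originally wanted.
 def redirect_back_or_to(url, flash_hash = {})
 redirect_to(session[:return_to_url] || url, :flash => flash_hash)
 end
@@ -116,12 +115,11 @@ module Sorcery
 class << self
 attr_accessor :submodules,
 
-:user_class, # what class to use as the user class.
+:user_class, # what class to use as the user class. Set automatically when you call authenticates_with_sorcery! in the User class.
 
 :not_authenticated_action, # what controller action to call for non-authenticated users.
 
-:save_return_to_url, # when a non logged in user tries to enter a page that requires
-# login, save the URL he wanted to reach,
+:save_return_to_url, # when a non logged in user tries to enter a page that requires login, save the URL he wanted to reach,
 # and send him there after login.
 
 :login_sources,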
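Review bot: In the first hunk, `redirect_back_or_to` redirects to `session[:return_to_url]` but never clears it, so the saved URL outlives its one intended use and a later login in the same session is sent back to a stale page instead of the `url` the caller passed; unless a caller outside this hunk clears it, add `session[:return_to_url] = nil` after the `redirect_to(session[:return_to_url] || url, :flash => flash_hash)` line. The reflowed comment above the method describes the intended one-shot behaviour, which is what makes the missing reset visible here.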
@@ -1,16 +1,13 @@
|
|
1
1
|
module Sorcery
|
2
2
|
module Controller
|
3
3
|
module Submodules
|
4
|
-
# This submodule keeps track of events such as login, logout,
|
5
|
-
# and last activity time, per user.
|
4
|
+
# This submodule keeps track of events such as login, logout, and last activity time, per user.
|
6
5
|
# It helps in estimating which users are active now in the site.
|
7
|
-
# This cannot be determined absolutely because a user might be
|
8
|
-
|
9
|
-
# This is the controller part of the submodule, which adds hooks
|
10
|
-
# to register user events,
|
6
|
+
# This cannot be determined absolutely because a user might be reading a page without clicking anything for a while.
|
7
|
+
|
8
|
+
# This is the controller part of the submodule, which adds hooks to register user events,
|
11
9
|
# and methods to collect active users data for use in the app.
|
12
|
-
# see Socery::Model::Submodules::ActivityLogging for configuration
|
13
|
-
# options.
|
10
|
+
# see Socery::Model::Submodules::ActivityLogging for configuration options.
|
14
11
|
module ActivityLogging
|
15
12
|
def self.included(base)
|
16
13
|
base.send(:include, InstanceMethods)
|
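Review bot: The reflowed final comment line still names the constant as `Socery::Model::Submodules::ActivityLogging`, which a reader searching the code base for the model-side module will not find; suggest `# see Sorcery::Model::Submodules::ActivityLogging for configuration options.`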
@@ -24,8 +21,7 @@ module Sorcery
|
|
24
21
|
def current_users
|
25
22
|
Config.user_class.current_users
|
26
23
|
# A possible patch here:
|
27
|
-
# we'll add the current_user to the users list if he's not in it
|
28
|
-
# (can happen when he was inactive for more than activity timeout):
|
24
|
+
# we'll add the current_user to the users list if he's not in it (can happen when he was inactive for more than activity timeout):
|
29
25
|
#
|
30
26
|
# users.unshift!(current_user) if logged_in? && users.find {|u| u.id == current_user.id}.nil?
|
31
27
|
#
|
@@ -1,12 +1,9 @@
|
|
1
1
|
module Sorcery
|
2
2
|
module Controller
|
3
3
|
module Submodules
|
4
|
-
# This module helps protect user accounts by locking them down after too
|
5
|
-
#
|
6
|
-
#
|
7
|
-
# updating the failed logins and resetting them.
|
8
|
-
# See Sorcery::Model::Submodules::BruteForceProtection for configuration
|
9
|
-
# options.
|
4
|
+
# This module helps protect user accounts by locking them down after too many failed attemps to login were detected.
|
5
|
+
# This is the controller part of the submodule which takes care of updating the failed logins and resetting them.
|
6
|
+
# See Sorcery::Model::Submodules::BruteForceProtection for configuration options.
|
10
7
|
module BruteForceProtection
|
11
8
|
def self.included(base)
|
12
9
|
base.send(:include, InstanceMethods)
|
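Review bot: The first new comment line carries the typo `attemps`; suggest `# This module helps protect user accounts by locking them down after too many failed attempts to login were detected.`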
@@ -2,10 +2,8 @@ module Sorcery
|
|
2
2
|
module Controller
|
3
3
|
module Submodules
|
4
4
|
# This submodule integrates HTTP Basic authentication into sorcery.
|
5
|
-
# You are provided with a before filter, require_login_from_http_basic,
|
6
|
-
#
|
7
|
-
# Then the rest of the submodule takes care of logging the user in
|
8
|
-
# into the session, so that the next requests will keep him logged in.
|
5
|
+
# You are provided with a before filter, require_login_from_http_basic, which requests the browser for authentication.
|
6
|
+
# Then the rest of the submodule takes care of logging the user in into the session, so that the next requests will keep him logged in.
|
9
7
|
module HttpBasicAuth
|
10
8
|
def self.included(base)
|
11
9
|
base.send(:include, InstanceMethods)
|
@@ -30,12 +28,9 @@ module Sorcery
|
|
30
28
|
# The method sets a session when requesting the user's credentials.
|
31
29
|
# This is a trick to overcome the way HTTP authentication works (explained below):
|
32
30
|
#
|
33
|
-
# Once the user fills the credentials once, the browser will always send it to the
|
34
|
-
#
|
35
|
-
#
|
36
|
-
# user is re-logged in by the before_filter calling 'login_from_basic_auth'.
|
37
|
-
# To overcome this, we set a session when requesting the password, which logout will
|
38
|
-
# reset, and that's how we know if we need to request for HTTP auth again.
|
31
|
+
# Once the user fills the credentials once, the browser will always send it to the server when visiting the website, until the browser is closed.
|
32
|
+
# This causes wierd behaviour if the user logs out. The session is reset, yet the user is re-logged in by the before_filter calling 'login_from_basic_auth'.
|
33
|
+
# To overcome this, we set a session when requesting the password, which logout will reset, and that's how we know if we need to request for HTTP auth again.
|
39
34
|
def require_login_from_http_basic
|
40
35
|
(request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return) if (request.authorization.nil? || session[:http_authentication_used].nil?)
|
41
36
|
require_login
|
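Review bot: The context line in `require_login_from_http_basic` chains three side effects with `and` inside a one-line modifier `if`, which relies on `request_http_basic_authentication` returning a truthy value for the session flag to be set and the early `return` to happen; a guard clause states the same control flow without that dependency and without the low-precedence `and`. The method's `end` lies outside the hunk. The reflowed comment above also keeps the typo `wierd`; suggest `# This causes weird behaviour if the user logs out.`
```ruby
def require_login_from_http_basic
  if request.authorization.nil? || session[:http_authentication_used].nil?
    request_http_basic_authentication(realm_name_by_controller)
    session[:http_authentication_used] = true
    return
  end
  require_login
  # … unchanged: rest of the method is outside the hunk …
```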
@@ -1,8 +1,7 @@
|
|
1
1
|
module Sorcery
|
2
2
|
module Controller
|
3
3
|
module Submodules
|
4
|
-
# The Remember Me submodule takes care of setting the user's cookie so that he will
|
5
|
-
# be automatically logged in to the site on every visit,
|
4
|
+
# The Remember Me submodule takes care of setting the user's cookie so that he will be automatically logged in to the site on every visit,
|
6
5
|
# until the cookie expires.
|
7
6
|
# See Sorcery::Model::Submodules::RememberMe for configuration options.
|
8
7
|
module RememberMe
|
@@ -17,7 +16,7 @@ module Sorcery
|
|
17
16
|
# This method sets the cookie and calls the user to save the token and the expiration to db.
|
18
17
|
def remember_me!
|
19
18
|
current_user.remember_me!
|
20
|
-
|
19
|
+
cookies[:remember_me_token] = { :value => current_user.remember_me_token, :expires => current_user.remember_me_token_expires_at }
|
21
20
|
end
|
22
21
|
|
23
22
|
# Clears the cookie and clears the token from the db.
|
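Review bot: The cookie written on the new `cookies[:remember_me_token] = { :value => ..., :expires => ... }` line in `remember_me!` is a long-lived login token, yet it sets neither `:httponly` nor `:secure`, so it is readable by page scripts and is sent over plain HTTP as well as HTTPS; suggest `cookies[:remember_me_token] = { :value => current_user.remember_me_token, :expires => current_user.remember_me_token_expires_at, :httponly => true, :secure => request.ssl? }`. The identical hash is added a second time in `login_from_cookie` in the next hunk, where the `set_remember_me_cookie!(user)` helper is deleted; the removed lines that presumably called it are shown empty on this page. Keeping one private helper that builds the cookie options would let both call sites pick up the flags together.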
@@ -34,25 +33,17 @@ module Sorcery
|
|
34
33
|
remember_me! if credentials.size == 3 && credentials[2]
|
35
34
|
end
|
36
35
|
|
37
|
-
# Checks the cookie for a remember me token, tried to find a user with that token
|
38
|
-
# and logs the user in if found.
|
36
|
+
# Checks the cookie for a remember me token, tried to find a user with that token and logs the user in if found.
|
39
37
|
# Runs as a login source. See 'current_user' method for how it is used.
|
40
38
|
def login_from_cookie
|
41
39
|
user = cookies[:remember_me_token] && Config.user_class.find_by_remember_me_token(cookies[:remember_me_token])
|
42
40
|
if user && user.remember_me_token?
|
43
|
-
|
41
|
+
cookies[:remember_me_token] = { :value => user.remember_me_token, :expires => user.remember_me_token_expires_at }
|
44
42
|
@current_user = user
|
45
43
|
else
|
46
44
|
@current_user = false
|
47
45
|
end
|
48
46
|
end
|
49
|
-
|
50
|
-
def set_remember_me_cookie!(user)
|
51
|
-
cookies[:remember_me_token] = {
|
52
|
-
:value => user.send(user.sorcery_config.remember_me_token_attribute_name),
|
53
|
-
:expires => user.send(user.sorcery_config.remember_me_token_expires_at_attribute_name)
|
54
|
-
}
|
55
|
-
end
|
56
47
|
end
|
57
48
|
|
58
49
|
end
|
@@ -9,9 +9,7 @@ module Sorcery
|
|
9
9
|
Config.module_eval do
|
10
10
|
class << self
|
11
11
|
attr_accessor :session_timeout, # how long in seconds to keep the session alive.
|
12
|
-
|
13
|
-
:session_timeout_from_last_action # use the last action as the beginning of session
|
14
|
-
# timeout.
|
12
|
+
:session_timeout_from_last_action # use the last action as the beginning of session timeout.
|
15
13
|
|
16
14
|
def merge_session_timeout_defaults!
|
17
15
|
@defaults.merge!(:@session_timeout => 3600, # 1.hour
|
@@ -2,21 +2,18 @@ require "openssl"
|
|
2
2
|
|
3
3
|
module Sorcery
|
4
4
|
module CryptoProviders
|
5
|
-
# This encryption method is reversible if you have the supplied key.
|
6
|
-
# So in order to use this encryption method you must supply it with a key first.
|
5
|
+
# This encryption method is reversible if you have the supplied key. So in order to use this encryption method you must supply it with a key first.
|
7
6
|
# In an initializer, or before your application initializes, you should do the following:
|
8
7
|
#
|
9
8
|
# Sorcery::Model::ConfigAES256.key = "my 32 bytes long key"
|
10
9
|
#
|
11
|
-
# My final comment is that this is a strong encryption method,
|
12
|
-
# but its main weakness is that its reversible. If you do not need to reverse the hash
|
10
|
+
# My final comment is that this is a strong encryption method, but its main weakness is that its reversible. If you do not need to reverse the hash
|
13
11
|
# then you should consider Sha512 or BCrypt instead.
|
14
12
|
#
|
15
13
|
# Keep your key in a safe place, some even say the key should be stored on a separate server.
|
16
|
-
# This won't hurt performance because the only time it will try and access the key on the
|
17
|
-
#
|
18
|
-
#
|
19
|
-
# won't have the key also. Basically, you don't want to store the key with the lock.
|
14
|
+
# This won't hurt performance because the only time it will try and access the key on the separate server is during initialization, which only
|
15
|
+
# happens once. The reasoning behind this is if someone does compromise your server they won't have the key also. Basically, you don't want to
|
16
|
+
# store the key with the lock.
|
20
17
|
class AES256
|
21
18
|
class << self
|
22
19
|
attr_writer :key
|
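Review bot: The reflowed header comment keeps the example `Sorcery::Model::ConfigAES256.key = "my 32 bytes long key"`, but the class declared below it is `Sorcery::CryptoProviders::AES256` with `attr_writer :key`; unless `ConfigAES256` is an alias defined elsewhere, the example should read `# Sorcery::CryptoProviders::AES256.key = "<32-byte key>"`. The sample literal is also only 20 characters long, so if the class hands the key straight to OpenSSL it would not be a valid AES-256 key; an obvious placeholder avoids the suggestion that the string is usable as-is. The same line has `its reversible`, which should be `it's reversible`.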
@@ -2,12 +2,9 @@ require 'bcrypt'
|
|
2
2
|
|
3
3
|
module Sorcery
|
4
4
|
module CryptoProviders
|
5
|
-
# For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear
|
6
|
-
#
|
7
|
-
#
|
8
|
-
# A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
|
9
|
-
# password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this,
|
10
|
-
# generating a password takes exponentially longer than any
|
5
|
+
# For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
|
6
|
+
# secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
|
7
|
+
# password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
|
11
8
|
# of the Sha algorithms. I did some benchmarking to save you some time with your decision:
|
12
9
|
#
|
13
10
|
# require "bcrypt"
|
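Review bot: Typos survive the comment reflow in this hunk and the next: the first new line has `consier` for `consider`, and the cost comment above `def cost` in the following hunk has `BCrpyt` and the garbled `the longer is take the generate a hash`; suggest `# This is the :cost option for the BCrypt library. The higher the cost the more secure it is and the longer it takes to generate a hash. By default this is 10.`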
@@ -40,10 +37,8 @@ module Sorcery
|
|
40
37
|
# You are good to go!
|
41
38
|
class BCrypt
|
42
39
|
class << self
|
43
|
-
# This is the :cost option for the BCrpyt library.
|
44
|
-
#
|
45
|
-
# Set this to whatever you want, play around with it to get that perfect balance between
|
46
|
-
# security and performance.
|
40
|
+
# This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
|
41
|
+
# Set this to whatever you want, play around with it to get that perfect balance between security and performance.
|
47
42
|
def cost
|
48
43
|
@cost ||= 10
|
49
44
|
end
|
@@ -62,8 +57,7 @@ module Sorcery
|
|
62
57
|
hash == join_tokens(tokens)
|
63
58
|
end
|
64
59
|
|
65
|
-
# This method is used as a flag to tell Sorcery to "resave" the password
|
66
|
-
# upon a successful login, using the new cost
|
60
|
+
# This method is used as a flag to tell Sorcery to "resave" the password upon a successful login, using the new cost
|
67
61
|
def cost_matches?(hash)
|
68
62
|
hash = new_from_hash(hash)
|
69
63
|
if hash.nil? || hash == {}
|
@@ -1,8 +1,7 @@
|
|
1
1
|
require "digest/sha2"
|
2
2
|
|
3
3
|
module Sorcery
|
4
|
-
# The activate_sorcery method has a custom_crypto_provider configuration option.
|
5
|
-
# This allows you to use any type of encryption you like.
|
4
|
+
# The activate_sorcery method has a custom_crypto_provider configuration option. This allows you to use any type of encryption you like.
|
6
5
|
# Just create a class with a class level encrypt and matches? method. See example below.
|
7
6
|
#
|
8
7
|
# === Example
|
@@ -1,8 +1,7 @@
|
|
1
1
|
require "digest/sha2"
|
2
2
|
|
3
3
|
module Sorcery
|
4
|
-
# The activate_sorcery method has a custom_crypto_provider configuration option.
|
5
|
-
# This allows you to use any type of encryption you like.
|
4
|
+
# The activate_sorcery method has a custom_crypto_provider configuration option. This allows you to use any type of encryption you like.
|
6
5
|
# Just create a class with a class level encrypt and matches? method. See example below.
|
7
6
|
#
|
8
7
|
# === Example
|
@@ -1,35 +1,25 @@
|
|
1
1
|
# The first thing you need to configure is which modules you need in your app.
|
2
2
|
# The default is nothing which will include only core features (password encryption, login/logout).
|
3
|
-
# Available submodules are: :user_activation, :http_basic_auth, :remember_me,
|
4
|
-
# :reset_password, :session_timeout, :brute_force_protection, :activity_logging, :external
|
3
|
+
# Available submodules are: :user_activation, :http_basic_auth, :remember_me, :reset_password, :session_timeout, :brute_force_protection, :activity_logging, :external
|
5
4
|
Rails.application.config.sorcery.submodules = []
|
6
5
|
|
7
6
|
# Here you can configure each submodule's features.
|
8
7
|
Rails.application.config.sorcery.configure do |config|
|
9
8
|
# -- core --
|
10
|
-
# config.not_authenticated_action = :not_authenticated # what controller action to call for
|
11
|
-
|
12
|
-
#
|
13
|
-
# instead.
|
14
|
-
|
15
|
-
# config.save_return_to_url = true # when a non logged in user tries to enter
|
16
|
-
# a page that requires login,
|
17
|
-
# save the URL he wanted to reach,
|
18
|
-
# and send him there after login, using
|
19
|
-
# 'redirect_back_or_to'.
|
9
|
+
# config.not_authenticated_action = :not_authenticated # what controller action to call for non-authenticated users. You can also override 'not_authenticated' instead.
|
10
|
+
# config.save_return_to_url = true # when a non logged in user tries to enter a page that requires login, save the URL he wanted to reach,
|
11
|
+
# and send him there after login, using 'redirect_back_or_to'.
|
20
12
|
|
21
13
|
# -- session timeout --
|
22
14
|
# config.session_timeout = 3600 # how long in seconds to keep the session alive.
|
23
|
-
# config.session_timeout_from_last_action = false # use the last action as the beginning of
|
24
|
-
# session timeout.
|
15
|
+
# config.session_timeout_from_last_action = false # use the last action as the beginning of session timeout.
|
25
16
|
|
26
17
|
# -- http_basic_auth --
|
27
18
|
# config.controller_to_realm_map = {"application" => "Application"} # What realm to display for which controller name.
|
28
19
|
# For example {"My App" => "Application"}
|
29
20
|
|
30
21
|
# -- external --
|
31
|
-
# config.external_providers = [] # What providers are supported by this app,
|
32
|
-
# i.e. [:twitter, :facebook] .
|
22
|
+
# config.external_providers = [] # What providers are supported by this app, i.e. [:twitter, :facebook] .
|
33
23
|
#
|
34
24
|
# config.twitter.key = "eYVNBjBDi33aa9GkA3w"
|
35
25
|
# config.twitter.secret = "XpbeSdCoaKSmQGSeokz5qcUATClRW5u08QWNfv71N8"
|
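Review bot: The context lines `# config.twitter.key = "eYVNBjBDi33aa9GkA3w"` and `# config.twitter.secret = "..."` ship what look like real OAuth credentials in the generated initializer template; even commented out, they invite copy-paste and, if ever live, leak with every install of the gem. Suggest obvious placeholders read from the environment, e.g. `# config.twitter.key = ENV["TWITTER_KEY"]` and `# config.twitter.secret = ENV["TWITTER_SECRET"]` (example variable names), so no secret-shaped literal is committed.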
@@ -44,135 +34,56 @@ Rails.application.config.sorcery.configure do |config|
|
|
44
34
|
# --- user config ---
|
45
35
|
config.user_config do |user|
|
46
36
|
# -- core --
|
47
|
-
# user.username_attribute_name = :username # change default username
|
48
|
-
|
49
|
-
# to use :email as the login.
|
50
|
-
|
51
|
-
# user.password_attribute_name = :password # change *virtual* password
|
52
|
-
# attribute, the one which is used
|
53
|
-
# until an encrypted one is
|
54
|
-
# generated.
|
55
|
-
|
37
|
+
# user.username_attribute_name = :username # change default username attribute, for example, to use :email as the login.
|
38
|
+
# user.password_attribute_name = :password # change *virtual* password attribute, the one which is used until an encrypted one is generated.
|
56
39
|
# user.email_attribute_name = :email # change default email attribute.
|
57
|
-
|
58
|
-
# user.
|
59
|
-
# attribute.
|
60
|
-
|
61
|
-
# user.salt_join_token = "" # what pattern to use to join the
|
62
|
-
# password with the salt
|
63
|
-
|
40
|
+
# user.crypted_password_attribute_name = :crypted_password # change default crypted_password attribute.
|
41
|
+
# user.salt_join_token = "" # what pattern to use to join the password with the salt
|
64
42
|
# user.salt_attribute_name = :salt # change default salt attribute.
|
65
|
-
|
66
|
-
# user.
|
67
|
-
|
68
|
-
|
69
|
-
# user.
|
70
|
-
# reversible encryptions such as
|
71
|
-
# AES256.
|
72
|
-
|
73
|
-
# user.custom_encryption_provider = nil # use an external encryption
|
74
|
-
# class.
|
75
|
-
|
76
|
-
# user.encryption_algorithm = :bcrypt # encryption algorithm name. See
|
77
|
-
# 'encryption_algorithm=' for
|
78
|
-
# available options.
|
79
|
-
|
80
|
-
# user.subclasses_inherit_config = false # make this configuration
|
81
|
-
# inheritable for subclasses.
|
82
|
-
# Useful for ActiveRecord's STI.
|
43
|
+
# user.stretches = nil # how many times to apply encryption to the password.
|
44
|
+
# user.encryption_key = nil # encryption key used to encrypt reversible encryptions such as AES256.
|
45
|
+
# user.custom_encryption_provider = nil # use an external encryption class.
|
46
|
+
# user.encryption_algorithm = :bcrypt # encryption algorithm name. See 'encryption_algorithm=' for available options.
|
47
|
+
# user.subclasses_inherit_config = false # make this configuration inheritable for subclasses. Useful for ActiveRecord's STI.
|
83
48
|
|
84
49
|
# -- user_activation --
|
85
|
-
# user.activation_state_attribute_name = :activation_state # the attribute name to hold
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
# user.activation_token_attribute_name = :activation_token # the attribute name to hold
|
90
|
-
# activation code (sent by email).
|
91
|
-
|
92
|
-
# user.activation_token_expires_at_attribute_name = :activation_token_expires_at # the attribute name to hold
|
93
|
-
# activation code expiration date.
|
94
|
-
|
95
|
-
# user.activation_token_expiration_period = nil # how many seconds before the
|
96
|
-
# activation code expires. nil for
|
97
|
-
# never expires.
|
98
|
-
|
50
|
+
# user.activation_state_attribute_name = :activation_state # the attribute name to hold activation state (active/pending).
|
51
|
+
# user.activation_token_attribute_name = :activation_token # the attribute name to hold activation code (sent by email).
|
52
|
+
# user.activation_token_expires_at_attribute_name = :activation_token_expires_at # the attribute name to hold activation code expiration date.
|
53
|
+
# user.activation_token_expiration_period = nil # how many seconds before the activation code expires. nil for never expires.
|
99
54
|
# user.user_activation_mailer = nil # your mailer class. Required.
|
100
|
-
|
101
|
-
# user.
|
102
|
-
|
103
|
-
|
104
|
-
# user.activation_success_email_method_name = :activation_success_email # activation success email method
|
105
|
-
# on your mailer class.
|
106
|
-
|
107
|
-
# user.prevent_non_active_users_to_login = true # do you want to prevent or allow
|
108
|
-
# users that did not activate by
|
109
|
-
# email to login?
|
55
|
+
# user.activation_needed_email_method_name = :activation_needed_email # activation needed email method on your mailer class.
|
56
|
+
# user.activation_success_email_method_name = :activation_success_email # activation success email method on your mailer class.
|
57
|
+
# user.prevent_non_active_users_to_login = true # do you want to prevent or allow users that did not activate by email to login?
|
110
58
|
|
111
59
|
# -- reset_password --
|
112
|
-
# user.reset_password_token_attribute_name = :reset_password_token # reset password code
|
113
|
-
|
114
|
-
|
115
|
-
# user.reset_password_token_expires_at_attribute_name = :reset_password_token_expires_at # expires at attribute
|
116
|
-
# name.
|
117
|
-
|
118
|
-
# user.reset_password_email_sent_at_attribute_name = :reset_password_email_sent_at # when was email sent,
|
119
|
-
# used for hammering
|
120
|
-
# protection.
|
121
|
-
|
60
|
+
# user.reset_password_token_attribute_name = :reset_password_token # reset password code attribute name.
|
61
|
+
# user.reset_password_token_expires_at_attribute_name = :reset_password_token_expires_at # expires at attribute name.
|
62
|
+
# user.reset_password_email_sent_at_attribute_name = :reset_password_email_sent_at # when was email sent, used for hammering protection.
|
122
63
|
# user.reset_password_mailer = nil # mailer class. Needed.
|
123
|
-
|
124
|
-
# user.
|
125
|
-
|
126
|
-
# class.
|
127
|
-
|
128
|
-
# user.reset_password_expiration_period = nil # how many seconds
|
129
|
-
# before the reset
|
130
|
-
# request expires. nil
|
131
|
-
# for never expires.
|
132
|
-
|
133
|
-
# user.reset_password_time_between_emails = 5 * 60 # hammering protection,
|
134
|
-
# how long to wait
|
135
|
-
# before allowing
|
136
|
-
# another email to be
|
137
|
-
# sent.
|
64
|
+
# user.reset_password_email_method_name = :reset_password_email # reset password email method on your mailer class.
|
65
|
+
# user.reset_password_expiration_period = nil # how many seconds before the reset request expires. nil for never expires.
|
66
|
+
# user.reset_password_time_between_emails = 5 * 60 # hammering protection, how long to wait before allowing another email to be sent.
|
138
67
|
|
139
68
|
# -- brute_force_protection --
|
140
69
|
# user.failed_logins_count_attribute_name = :failed_logins_count # failed logins attribute name.
|
141
|
-
|
142
|
-
# user.lock_expires_at_attribute_name = :lock_expires_at # this field indicates whether
|
143
|
-
# user is banned and when it will
|
144
|
-
# be active again.
|
145
|
-
|
70
|
+
# user.lock_expires_at_attribute_name = :lock_expires_at # this field indicates whether user is banned and when it will be active again.
|
146
71
|
# user.consecutive_login_retries_amount_limit = 50 # how many failed logins allowed.
|
147
|
-
|
148
|
-
# user.login_lock_time_period = 60 * 60 # how long the user should be
|
149
|
-
# banned. in seconds. 0 for
|
150
|
-
# permanent.
|
72
|
+
# user.login_lock_time_period = 60 * 60 # how long the user should be banned. in seconds. 0 for permanent.
|
151
73
|
|
152
74
|
# -- activity logging --
|
153
75
|
# user.last_login_at_attribute_name = :last_login_at # last login attribute name.
|
154
76
|
# user.last_logout_at_attribute_name = :last_logout_at # last logout attribute name.
|
155
77
|
# user.last_activity_at_attribute_name = :last_activity_at # last activity attribute name.
|
156
|
-
# user.activity_timeout = 10 * 60 # how long since last activity is
|
157
|
-
# the user defined logged out?
|
78
|
+
# user.activity_timeout = 10 * 60 # how long since last activity is the user defined logged out?
|
158
79
|
|
159
80
|
# -- external --
|
160
|
-
# user.authentications_class = nil # class which holds the various
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
# user.authentications_user_id_attribute_name = :user_id # user's identifier in
|
165
|
-
# authentications class.
|
166
|
-
|
167
|
-
# user.provider_attribute_name = :provider # provider's identifier in
|
168
|
-
# authentications class.
|
169
|
-
|
170
|
-
# user.provider_uid_attribute_name = :uid # user's external unique
|
171
|
-
# identifier in authentications
|
172
|
-
# class.
|
81
|
+
# user.authentications_class = nil # class which holds the various external provider data for this user.
|
82
|
+
# user.authentications_user_id_attribute_name = :user_id # user's identifier in authentications class.
|
83
|
+
# user.provider_attribute_name = :provider # provider's identifier in authentications class.
|
84
|
+
# user.provider_uid_attribute_name = :uid # user's external unique identifier in authentications class.
|
173
85
|
end
|
174
86
|
|
175
87
|
# This line must come after the 'user config' block.
|
176
|
-
config.user_class = User # define which model authenticates
|
177
|
-
# with sorcery.
|
88
|
+
config.user_class = User # define which model authenticates with sorcery.
|
178
89
|
end
|