sparkly-auth 1.0.0

data/lib/auth/behavior/core.rb

@@ -0,0 +1,87 @@
+module Auth
+  module Behavior
+    # Adds the most basic authentication behavior to registered models. Passwords have the following
+    # validations added:
+    #   - uniqueness of :secret, :scope => [ :authenticatable_type, :authenticatable_id ]
+    #   - presence of :secret
+    #   - format of :secret ("must be at least 7 characters with at least 1 uppercase, 1 lowercase and 1 number")
+    #   - confirmation of :secret, if secret has changed
+    #   - presence of :secret_confirmation, if secret has changed
+    #
+    # Additionally, the following methods are added:
+    #   #expired?
+    # 
+    # The authenticated model(s) will have the following methods added to them:
+    #   #password_expired?
+    #
+    class Core < Auth::Behavior::Base
+      migration "create_sparkly_passwords"
+      
+      def apply_to_passwords(password_model)
+        password_model.instance_eval do
+          belongs_to :authenticatable, :polymorphic => true
+          
+          validates_length_of :unencrypted_secret, :minimum => Auth.minimum_password_length,
+                              :message => "must be at least #{Auth.minimum_password_length} characters",
+                              :if => :secret_changed?
+          validates_format_of :unencrypted_secret, :with => Auth.password_format, :allow_blank => true,
+                       :message => Auth.password_format_message,
+                       :if => :secret_changed?
+                                          
+          validates_presence_of :secret
+          validates_confirmation_of :secret, :if => :secret_changed?
+          validates_presence_of :secret_confirmation, :if => :secret_changed?
+          validates_presence_of :persistence_token
+          validates_uniqueness_of :persistence_token, :if => :persistence_token_changed?
+          attr_protected :secret, :secret_confirmation
+          
+          include Auth::Behavior::Core::PasswordMethods
+          
+          validate do |password|
+            password.errors.rename_attribute("unencrypted_secret", "secret")
+          end
+        end
+      end
+      
+      def apply_to_accounts(model_config)
+        model_config.target.instance_eval do
+          has_many :passwords, :dependent => :destroy, :as => :authenticatable, :autosave => true
+          
+          attr_protected :password, :password_confirmation
+          validates_presence_of sparkly_config.key
+          validates_uniqueness_of sparkly_config.key
+          validates_presence_of :password
+  
+          include Auth::Behavior::Core::AuthenticatedModelMethods
+  
+          after_save do |record|
+            # clear out old passwords so we're conforming to Auth.password_history_length
+            while record.passwords.length > Auth.password_history_length
+              record.passwords.shift.destroy
+            end
+          end
+
+          validate do |account|
+            account.errors.rename_attribute("passwords.secret", "password")
+            account.errors.rename_attribute("passwords.secret_confirmation", "password_confirmation")
+
+            # the various salts make it impossible to do this:
+            #   validates_uniqueness_of :secret, :scope => [ :authenticatable_type, :authenticatable_id ],
+            #                           :message => Auth.password_uniqueness_message
+            # so we have to do it programmatically.
+            if account.password_changed?
+              secret = account.password_model.unencrypted_secret
+              account.passwords.each do |password|
+                unless password.new_record? # unless it's the one we're creating
+                  if password.matches?(secret)
+                    account.errors.add(:password, Auth.password_uniqueness_message)
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/behavior/core/authenticated_model_methods.rb

@@ -0,0 +1,52 @@
+module Auth::Behavior::Core::AuthenticatedModelMethods
+  def self.included(base)
+    base.instance_eval do
+      delegate :persistence_token, :single_access_token, :perishable_token, :to => :password_model
+    end
+  end
+  
+  def password_expired?
+    passwords.empty? || passwords.last.created_at < sparkly_config.password_update_frequency.ago
+  end
+      
+  def password_model
+    passwords.empty? || @new_password ? new_password : passwords.last
+  end
+  
+  def password_required?
+    new_record? || passwords.empty? || passwords.last.secret.blank?
+  end
+  
+  def password_matches?(phrase)
+    password_model.matches?(phrase)
+  end
+  
+  def password
+    password_model.secret
+  end
+  
+  def password=(value)
+    new_password.secret = value
+  end
+  
+  def password_confirmation=(value)
+    new_password.secret_confirmation = value
+  end
+  
+  def password_confirmation
+    password_model.secret_confirmation
+  end
+  
+  def password_changed?
+    password_model.new_record? || password_model.secret_changed?
+  end
+  
+  def after_save
+    @new_password = nil
+  end
+  
+  private
+  def new_password
+    @new_password ||= returning(Password.new) { |p| passwords << p }
+  end
+end

data/lib/auth/behavior/core/controller_extensions.rb

@@ -0,0 +1,52 @@
+module Auth::Behavior::Core::ControllerExtensions
+  def self.included(base)
+    base.instance_eval do
+      include Auth::Behavior::Core::ControllerExtensions::CurrentUser
+      extend Auth::Behavior::Core::ControllerExtensions::ClassMethods
+      helper_method :new_session_path, :current_user
+      hide_action :current_user, :find_current_session, :require_login, :require_logout, :login!, :logout!,
+                  :redirect_back_or_default, :new_session_path, :store_location
+    end
+  end
+  
+  def require_login                                    
+    unless current_user
+      store_location
+      flash[:notice] = @session_timeout_message || Auth.login_required_message
+      login_path = Auth.default_login_path ? send(Auth.default_login_path) : Auth.default_destination
+      redirect_to login_path
+    end
+  end
+  
+  def store_location(url = request.request_uri)
+    session[:destination] = url
+  end
+  
+  def require_logout
+    redirect_back_or_default Auth.default_destination, Auth.logout_required_message if current_user
+  end
+  
+  # Forcibly logs in the current client as the specified user.
+  #
+  # The options hash is unused, and is reserved for other behaviors to make use of.
+  # For instance, the "remember me" behavior checks for a :remember option and, if true, sets a remembrance token
+  # cookie.
+  def login!(user, options = {})
+    session[:session_token] = user.persistence_token
+    session[:active_at] = Time.now
+    @current_user = user
+  end
+  
+  # Forcibly logs out the current client.
+  #
+  # The options hash is unused, and is reserved for other behaviors to make use of.
+  #
+  def logout!(options = {})
+    session[:session_token] = session[:active_at] = nil
+  end
+  
+  def redirect_back_or_default(path, notice = nil)
+    flash[:notice] = notice if notice
+    redirect_to session.delete(:destination) || path
+  end
+end

data/lib/auth/behavior/core/controller_extensions/class_methods.rb

@@ -0,0 +1,24 @@
+module Auth::Behavior::Core::ControllerExtensions::ClassMethods
+  def require_login_for(*actions)
+    before_filter :require_login, actions.extract_options!.merge(:only => actions)
+  end
+  
+  def require_logout_for(*actions)
+    before_filter :require_logout, actions.extract_options!.merge(:only => actions)
+  end
+
+  def require_login(*args)
+    before_filter :require_login, *args
+  end
+
+  def require_logout(*args)
+    before_filter :require_logout, *args
+  end
+
+  alias_method :requires_login,   :require_login
+  alias_method :require_user,     :require_login
+  alias_method :requires_user,    :require_login
+  alias_method :requires_logout,  :require_logout
+  alias_method :require_no_user,  :require_logout
+  alias_method :requires_no_user, :require_logout
+end

data/lib/auth/behavior/core/controller_extensions/current_user.rb

@@ -0,0 +1,54 @@
+module Auth::Behavior::Core::ControllerExtensions::CurrentUser
+  def self.included(base)
+    base.send(:hide_action, :current_user_from_session, :timeout_current_session, :authenticate_with_persistence_token,
+              :authenticate_with_single_access_token, :authenticate_with_session_cookie, :authenticate_current_user)
+  end
+  
+  def current_user
+    return @current_user unless @current_user.nil?
+    @current_user = false
+    authenticate_current_user
+    @current_user
+  end
+  
+  def authenticate_current_user
+    if session && session[:session_token]
+      authenticate_with_session_cookie
+    elsif params && params[:single_access_token] # single access token, useful for WS APIs
+      authenticate_with_single_access_token
+    end
+  end
+  
+  def authenticate_with_session_cookie
+    if Auth.session_duration.nil? || session[:active_at] > Auth.session_duration.ago
+      authenticate_with_persistence_token
+    else
+      timeout_current_session
+    end
+  end
+  
+  def authenticate_with_single_access_token
+    # There is no session duration because this works per-request.
+    password = Password.find_by_single_access_token(params[:single_access_token], :include => :authenticatable)
+    @current_user = password.authenticatable if password
+  end
+  
+  def authenticate_with_persistence_token
+    password =  Password.find_by_persistence_token(session[:session_token], :include => :authenticatable)
+    if password
+      @current_user = password.authenticatable
+      login! @current_user # to refresh session timeout
+    else
+      # Something weird happened and the user's password data can no longer be found. Log him out to prevent
+      # anything else from going wrong.
+      logout!
+    end
+  end
+  
+  def timeout_current_session
+    logout!
+    # We'll put the message in the notice, but if the current page requires a login, the flash will be over
+    # written. That's where @session_timeout_message comes in.
+    flash[:notice] = @session_timeout_message = Auth.session_timeout_message
+  end
+end

data/lib/auth/behavior/core/password_methods.rb

@@ -0,0 +1,65 @@
+module Auth::Behavior::Core::PasswordMethods
+  def self.included(base)
+    # so apparently dynamic methods haven't been generated by AR yet, so this stuff's been moved to
+    # #after_initialize. Less than ideal but whatever.
+#    base.send(:alias_method_chain, :secret=, :encryption)
+#    base.send(:alias_method_chain, :secret_confirmation=, :encryption)
+  end
+  
+  def after_initialize
+    # FIXME: HACK - see self.included(base)
+    
+    if attributes.keys.include?('secret')
+      self.secret # uh, makes AR define the method, I guess? This feels clunky...
+    end
+    
+    class << self
+      alias_method_chain :secret=, :encryption
+      alias_method_chain :secret_confirmation=, :encryption
+    end
+  end
+  
+  def expired?
+    authenticatable.password_expired?
+  end
+  
+  def encrypt(p)
+    self.salt ||= Auth::Token.new.to_s
+    Auth.encryptor.encrypt(p, salt)
+  end
+  
+  def matches?(phrase)
+    Auth.encryptor.matches?(secret, phrase, salt)
+  end
+  
+  def reset_persistence_token
+    self.persistence_token = Auth::Token.new.to_s
+  end
+
+  def reset_single_access_token
+    self.single_access_token = Auth::Token.new.to_s
+  end
+
+  def reset_perishable_token
+    self.perishable_token = Auth::Token.new.to_s
+  end
+  
+  def secret_with_encryption=(phrase)
+    @unencrypted_secret = phrase
+    encrypted_phrase = phrase.blank? ? phrase : encrypt(phrase)
+    returning self.secret_without_encryption = encrypted_phrase do
+      reset_persistence_token
+      reset_single_access_token unless single_access_token # don't reset after it has a value
+      reset_perishable_token
+    end
+  end
+  
+  def secret_confirmation_with_encryption=(phrase)
+    encrypted_phrase = phrase.blank? ? phrase : encrypt(phrase)
+    self.secret_confirmation_without_encryption = encrypted_phrase
+  end
+  
+  def unencrypted_secret
+    @unencrypted_secret
+  end
+end

data/lib/auth/behavior/remember_me.rb

@@ -0,0 +1,17 @@
+module Auth
+  module Behavior
+    class RememberMe < Auth::Behavior::Base
+      migration "create_sparkly_remembered_tokens"
+      
+      def apply_to_passwords(password)
+        # no effect
+      end
+      
+      def apply_to_accounts(model_config)
+        model_config.target.instance_eval do
+          has_many :remembrance_tokens, :dependent => :destroy, :as => :authenticatable
+        end
+      end
+    end
+  end
+end

data/lib/auth/behavior/remember_me/configuration.rb

@@ -0,0 +1,21 @@
+class Auth::Behavior::RememberMe::Configuration
+  # Message to be displayed in flash[:error] when a likely theft of the remember token has been detected.
+  attr_accessor :token_theft_message
+  
+  # How long can a user stay logged in?
+  attr_accessor :duration
+  
+  # Provides a handle back to the root configuration object.
+  attr_reader :configuration
+  
+  # Returns true if the root configuration object's behaviors include :remember_me.
+  def enabled?
+    configuration.behaviors.include? :remember_me
+  end
+  
+  def initialize(configuration)
+    @configuration = configuration
+    @token_theft_message = "Your account may have been hijacked recently! Verify that all settings are correct."
+    @duration = 6.months
+  end
+end

data/lib/auth/behavior/remember_me/controller_extensions.rb

@@ -0,0 +1,66 @@
+module Auth::Behavior::RememberMe::ControllerExtensions
+  # If a :remember option is given, a remembrance cookie will be set. If omitted, the cookie will be, too.
+  def login_with_remembrance!(user, options = {})
+    login_without_remembrance!(user)
+    
+    if options[:remember]
+      token = RemembranceToken.create!(:authenticatable => user)
+      set_remembrance_token_cookie(token)
+    end
+  end
+  
+  # If a :forget option is given, the remembrance cookie will also be deleted.
+  def logout_with_remembrance!(options = {})
+    logout_without_remembrance!
+    if options[:forget]
+      cookies.delete(:remembrance_token)
+    end
+  end
+
+  def authenticate_current_user_with_remembrance
+    authenticate_current_user_without_remembrance
+    if @current_user == false
+      authenticate_with_remembrance_token
+    end
+  end
+  
+  def authenticate_with_remembrance_token
+    if token_value = cookies[:remembrance_token]
+      token = RemembranceToken.find_by_value(token_value)
+      if token
+        @current_user = token.authenticatable
+        handle_remembrance_token_theft(token) if token.theft?
+        token.regenerate
+        token.save
+        set_remembrance_token_cookie(token)
+      end
+    end
+  end
+  
+  def handle_remembrance_token_theft(token)
+    flash[:error] = Auth.remember_me.token_theft_message
+    token.authenticatable.remembrance_tokens.destroy_all
+  end
+  
+  def set_remembrance_token_cookie(token)
+    cookies[:remembrance_token] = {
+      :value => token.value,
+      :expires => Auth.remember_me.duration.from_now
+    }
+  end
+
+  def self.included(base)
+    base.class_eval do
+      hide_action :login_with_remembrance!, :login_without_remembrance!, :authenticate_current_user_without_remembrance,
+                  :authenticate_current_user_with_remembrance, :authenticate_with_remembrance_token,
+                  :set_remembrance_token_cookie, :handle_remembrance_token_theft, :logout_with_remembrance!,
+                  :logout_without_remembrance!
+      
+      unless method_defined?(:login_without_remembrance!)
+        alias_method_chain :login!, :remembrance
+        alias_method_chain :logout!, :remembrance
+        alias_method_chain :authenticate_current_user, :remembrance
+      end
+    end
+  end
+end