sparkly-auth 1.0.2 → 1.1.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,25 @@
+.idea
+log/*.log
+
+
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/HISTORY.txt

@@ -1,3 +1,10 @@
+* 1.1.0 - 08-13-2010
+  * Official support for Rails 3 (tested against rails-3.0.0.rc)
+  * Better internal design
+  * Minor bugfixes
+  * Better support for per-model configuration
+  * Improved API for custom behaviors
+
 * 1.0.1 - 08-09-2010
   * Added /[user]/login and /[user]/logout to routes ([user]_login_path and [user]_logout_path, respectively)
 

data/README.rdoc

@@ -1,6 +1,132 @@
 = sparkly-auth
 
-Description goes here.
+Rails authentication -- with sparkles!
+
+== about the gem
+
+After playing with a bunch of other auth gems out there, in the end I decided I had to roll my own. Unlike the
+others (and the reason I undertook this task), Sparkly Auth errs on the side of security. By default, (that is,
+unless you go changing configuration options that water down its auth mechanisms), this gem produces a PCI/DSS-
+compliant authentication scheme which I'm now putting to work at my Real Job at Ingenico (www.ingenico.com). (We
+now have two Web-based payment applications depending on Sparkly Auth.)
+
+There is an ongoing battle between security and convenience. They say you can pick one, but not both. While
+I'm not going to claim that Sparkly singlehandedly settles this dispute, I will say that Sparkly lets you choose
+between varying shades of gray, rather than choosing between black and white. Sparkly Auth provides a plethora of
+configuration options to let you apply a more user-friendly authentication solution to your site, while making
+it crystal clear what the security tradeoff will be.
+
+Sparkly supports multiple user models, multiple controllers, and all that jazz -- but doesn't force it on you.
+A default value is provided for virtually every possible option, and the options are conveniently tucked away
+in the class documentation -- there for you when you need it, but not breathing down your neck when you don't.
+
+=== what does security mean?
+
+So that's the high level overview. If you've read this far then maybe you're wondering exactly what kind of
+authentication security Sparkly Auth brings to the table. Well, here's The List. Some other solutions out there
+cover portions of it; others cover other portions. But I've yet to find one (besides Sparkly) that does it all.
+
+One last disclaimer: all of this can be modified or disabled entirely. So don't think that because it's listed
+here, dependencies HAVE to use it. I've got a number of side apps written that use Sparkly but, for example,
+completely disable the password update policy.
+
+* Enforces a strong password policy by default (7-digit uppercase, lowercase and numeric)
+* Enforces a periodic password update (once every 30 days)
+* Enforces a unique password (can't match any of the previous 4 passwords by default)
+* Automatically signs the user out after 30 minutes of inactivity
+* Provides secure single-access tokens for authentication without cookies (e.g. Web Service consumers)
+* Locks an account for 30 minutes after 5 invalid login attempts
+* Provides generators for controllers and views, so that you can add (or remove) layers quickly and painlessly
+  -- even on a per-model or per-controller basis, if your application uses more than one
+* Allows you to change which parent controller has access to the logged-in user (defaults to ApplicationController)
+* Behaviors (including even the core behavior) are plug-and-play and can be easily swapped in/out, and custom
+  behaviors can be added
+* Encryption methods can be easily replaced
+
+
+Since my own personal use cases for Sparkly Auth vary widely, so do its capabilities. Not only can the above
+be disabled, but it also sports (for example) a "Remember Me" checkbox that would otherwise circumvent some
+of the above precautions. Obviously, the checkbox is disabled by default.
+
+== installation
+
+In Rails 2, add "sparkly-auth" to your gem dependencies:
+  config.gem 'sparkly-auth'
+  
+In Rails 3, add "sparkly-auth" to your Gemfile:
+  gem 'sparkly-auth'
+  
+== setting up
+
+(In the examples below, replace 'script/generate' with 'rails generate' if you're using Rails 3.)
+
+For a step-by-step guide, run
+
+  script/generate sparkly help
+
+Basically, the you have to run
+
+  script/generate sparkly config
+  script/generate sparkly migrations
+  
+and optionally (if you plan to override the controllers and/or views),
+
+  script/generate sparkly controllers
+  script/generate sparkly views
+  
+Assuming you have a User model (or that you've edited config/initializers/sparkly_authentication.rb to taste),
+you should be ready to go!
+
+You should take a quick gander at config/initializers/sparkly_authentication.rb just to see what's in there.
+
+== routes
+
+Unless you disable them, Sparkly Auth will automatically generate a set of routes for its controllers. Run
+
+  rake routes
+
+and you should see something like this:
+
+   new_user_session GET    /user/session/new(.:format)        
+  edit_user_session GET    /user/session/edit(.:format)       
+       user_session GET    /user/session(.:format)            
+                    PUT    /user/session(.:format)            
+                    DELETE /user/session(.:format)            
+                    POST   /user/session(.:format)           
+         user_login        /user/login                   
+        user_logout        /user/logout                  
+           new_user GET    /user/new(.:format)                
+          edit_user GET    /user/edit(.:format)               
+               user GET    /user(.:format)                    
+                    PUT    /user(.:format)                    
+                    DELETE /user(.:format)                    
+                    POST   /user(.:format)                    
+                           /:controller/:action/:id           
+                           /:controller/:action/:id(.:format) 
+
+This assumes you're authenticating against a single User model. Obviously, if you're authenticating against
+a different model (or more than one), the routes will be changed to suit.
+
+== migration
+
+I'm working on rake tasks that help you migrate from other authentication solutions to Sparkly Auth, largely
+because I had to do so myself. So without further ado, here's how you can do that:
+
+=== Authlogic
+
+After running the various Sparkly migrations, simply run:
+
+  rake auth:migrate:authlogic
+  
+Done.
+
+If you've set up an Authlogic encryptor other than SHA512, you'll want to use that encryptor for Sparkly. In
+this case, don't disable Authlogic the dependency (but DO remove the various hooks from your code), and in your
+config/initializers/sparkly_authentication.rb file, add the following line:
+
+  config.encryptor = Authlogic::CryptoProviders::Wordpress # or whatever.
+
+That should be it (it was for me). If you have any troubles, drop me a line so I can update this documentation!
 
 == Note on Patches/Pull Requests
  

data/Rakefile

@@ -6,33 +6,47 @@ begin
   Jeweler::Tasks.new do |gem|
     gem.name = "sparkly-auth"
     gem.summary = %Q{User authentication with Sparkles!}
-    gem.description = %Q{As fate would have it, I found other authentication solutions unable to suit my needs. So I rolled my own.}
+    gem.description = %Q{As fate would have it, I found other authentication solutions unable to suit my needs. So I rolled my own, totally supporting Rails 2 AND 3.}
     gem.email = "sinisterchipmunk@gmail.com"
     gem.homepage = "http://www.thoughtsincomputation.com"
     gem.authors = ["Colin MacKenzie IV"]
-    gem.add_dependency "sc-core-ext", ">= 1.2.0"
+    gem.add_dependency "sc-core-ext", ">= 1.2.1"
     gem.add_development_dependency 'rspec-rails', '>= 1.3.2'
     gem.add_development_dependency 'webrat', '>= 0.7.1'
     gem.add_development_dependency 'genspec', '>= 0.1.1'
     gem.add_development_dependency 'email_spec', '>= 0.6.2'
     # WHY does jeweler insist on using test/* files? THEY DON'T EXIST!
-    gem.test_files = FileList['spec/**/*']
+    gem.test_files = FileList['spec/**/*'] + FileList['spec_env/**/*'] + FileList['features/**/*']
   end
   Jeweler::GemcutterTasks.new
 rescue LoadError
   puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
 end
 
-require 'spec/rake/spectask'
-Spec::Rake::SpecTask.new(:spec) do |spec|
-  spec.libs << 'lib' << 'spec'
-  spec.spec_files = FileList['spec/**/*_spec.rb']
-end
-
-Spec::Rake::SpecTask.new(:rcov) do |spec|
-  spec.libs << 'lib' << 'spec'
-  spec.pattern = 'spec/**/*_spec.rb'
-  spec.rcov = true
+begin
+  require 'spec/rake/spectask'
+  Spec::Rake::SpecTask.new(:spec) do |spec|
+    spec.libs << 'lib' << 'spec'
+    spec.spec_files = FileList['spec/**/*_spec.rb']
+  end
+  
+  Spec::Rake::SpecTask.new(:rcov) do |spec|
+    spec.libs << 'lib' << 'spec'
+    spec.pattern = 'spec/**/*_spec.rb'
+    spec.rcov = true
+    spec.rcov_opts = %w{--rails --exclude osx\/objc,gems\/,spec\/,features\/}
+  end
+rescue LoadError
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec) do |spec|
+    spec.pattern = "spec/**/*_spec.rb"
+  end
+  
+  RSpec::Core::RakeTask.new(:rcov) do |spec|
+    spec.pattern = "spec/**/*_spec.rb"
+    spec.rcov = true
+    spec.rcov_opts = %w{--rails --exclude osx\/objc,gems\/,spec\/,features\/}
+  end
 end
 
 task :spec => :check_dependencies
@@ -46,5 +60,23 @@ Rake::RDocTask.new do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = "sparkly-auth #{version}"
   rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('HISTORY*')
+  rdoc.rdoc_files.include('LICENSE*')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
+
+# Haven't got this working yet.
+#namespace :spec do
+#  desc "runs specs, and if they pass, runs Rails2 specs and then Rails3 specs."
+#  task :all => [:spec, :rails2, :rails3]
+#  
+#  desc "runs Rails2 specs"
+#  task :rails2 do
+#    system("cd spec/support/rails2 && spec spec -c && cucumber")
+#  end
+#  
+#  desc "runs Rails3 specs"
+#  task :rails3 do
+#    system("cd spec/support/rails3 && rspec spec -c && cucumber")
+#  end
+#end

data/TODO

@@ -0,0 +1,4 @@
+ * Rememberable behavior
+ * current_user helper delegated to Views
+ * Confirmation behavior
+ * A generic login form partial to be rendered anywhere

data/VERSION

@@ -1 +1 @@
-1.0.2
+1.1.0

data/app/controllers/sparkly_accounts_controller.rb

@@ -1,5 +1,4 @@
 class SparklyAccountsController < SparklyController
-  unloadable
   require_login_for :show, :edit, :update, :destroy
 
   # GET new_model_url
@@ -9,8 +8,8 @@ class SparklyAccountsController < SparklyController
   # POST model_url
   def create
     if model.save
-      login!(model)
-      redirect_back_or_default Auth.default_destination, Auth.account_created_message
+      login!(model) if sparkly_config.login_after_signup
+      redirect_back_or_default sparkly_config.default_destination, sparkly_config.account_created_message
     else
       render :action => 'new'
     end
@@ -32,7 +31,7 @@ class SparklyAccountsController < SparklyController
     end
     
     if model.save
-      redirect_back_or_default user_path, Auth.account_updated_message
+      redirect_back_or_default user_path, sparkly_config.account_updated_message
     else
       render :action => 'edit'
     end
@@ -43,17 +42,25 @@ class SparklyAccountsController < SparklyController
     current_user && current_user.destroy
     logout!
     @current_user = nil
-    flash[:notice] = Auth.account_deleted_message
-    redirect_back_or_default Auth.default_destination
+    flash[:notice] = sparkly_config.account_deleted_message
+    redirect_back_or_default sparkly_config.default_destination
   end
 
   protected
-    def find_user_model
-      # password fields are protected attrs, so we need to exclude them then add them explicitly.
-      self.model_instance = current_user ||
-              returning(model_class.new(model_params.without(:password, :password_confirmation))) { |model|
-                model.password = model_params[:password]
-                model.password_confirmation = model_params[:password_confirmation]
-              }
+  def find_user_model
+    # password fields are protected attrs, so we need to exclude them then add them explicitly.
+    self.model_instance = current_user || begin
+            model = model_class.new(model_params.without(:password, :password_confirmation))
+            model.password = model_params[:password]
+            model.password_confirmation = model_params[:password_confirmation]
+            model
     end
+  end
+
+  # Uncomment if you don't trust the params[:model] set up by Sparkly routing, or if you've
+  # disabled them.
+  #
+  #def model_name
+  #  "User"
+  #end
 end

data/app/controllers/sparkly_controller.rb

@@ -1,7 +1,6 @@
 class SparklyController < (Auth.base_controller)
-  unloadable
   helper_method :model_class, :model_instance, :model_name, :model, :model_path, :new_model_path, :edit_model_path,
-                :model_config, :model_session_path, :model_params
+                :model_config, :model_session_path, :model_params, :sparkly_config, :auth_config
   before_filter :find_user_model
 
   protected
@@ -36,12 +35,14 @@ class SparklyController < (Auth.base_controller)
     end
     
     def model_config
-      Auth.configuration.for_model(model_name)
+      model_class.sparkly_config
     end
   
     def model_params
       params[model_name.underscore] || {}
     end
   
-    alias_method :model, :model_instance  
+    alias_method :model, :model_instance
+    alias_method :auth_config, :model_config
+    alias_method :sparkly_config, :model_config
 end

data/app/controllers/sparkly_sessions_controller.rb

@@ -1,14 +1,14 @@
 class SparklySessionsController < SparklyController
-  unloadable
-
+  require_logout_for :new, :create
+  
   # GET new_model_session_url
   def new
   end
 
   # POST model_session_url
   def create
-    if session[:locked_out_at] && session[:locked_out_at] > Auth.account_lock_duration.ago
-      flash[:error] = Auth.account_locked_message
+    if session[:locked_out_at] && session[:locked_out_at] > sparkly_config.account_lock_duration.ago
+      flash[:error] = sparkly_config.account_locked_message
       render :action => 'new'
       return
     end
@@ -18,14 +18,14 @@ class SparklySessionsController < SparklyController
     
     if model && model.password_matches?(model_params[:password])
       login! model, :remember => remember_me?
-      redirect_back_or_default Auth.default_destination, Auth.login_successful_message
+      redirect_back_or_default sparkly_config.default_destination, sparkly_config.login_successful_message
     else
       session[:login_failures] = session[:login_failures].to_i + 1
-      if Auth.max_login_failures && session[:login_failures] >= Auth.max_login_failures
+      if sparkly_config.max_login_failures && session[:login_failures] >= sparkly_config.max_login_failures
         session[:locked_out_at] = Time.now
-        flash[:error] = Auth.account_locked_message
+        flash[:error] = sparkly_config.account_locked_message
       else
-        flash[:error] = Auth.invalid_credentials_message
+        flash[:error] = sparkly_config.invalid_credentials_message
       end
       render :action => "new"
     end
@@ -34,10 +34,17 @@ class SparklySessionsController < SparklyController
   # DELETE model_session_url
   def destroy
     logout!(:forget => true)
-    redirect_back_or_default Auth.default_destination, Auth.logout_message
+    redirect_back_or_default sparkly_config.default_destination, sparkly_config.logout_message
   end
   
   private
+  # Uncomment if you don't trust the params[:model] set up by Sparkly routing, or if you've
+  # disabled them.
+  #
+  #def model_name
+  #  "User"
+  #end
+
   def remember_me?
     remembrance = model_params[:remember_me]
     if remembrance.kind_of?(String)

data/app/helpers/sparkly_accounts_helper.rb

@@ -0,0 +1,2 @@
+module SparklyAccountsHelper
+end

data/app/helpers/sparkly_helper.rb

@@ -0,0 +1,2 @@
+module SparklyHelper
+end

data/app/helpers/sparkly_sessions_helper.rb

@@ -0,0 +1,2 @@
+module SparklySessionsHelper
+end

data/app/models/remembrance_token.rb

@@ -9,7 +9,9 @@ class RemembranceToken < ActiveRecord::Base
     "#{authenticatable_type}|#{authenticatable_id}|#{series_token}|#{remembrance_token}"
   end
   
-  def before_validation
+  before_validation :regenerate_remembrance_token
+  
+  def regenerate_remembrance_token
     regenerate if new_record?
   end
   

data/app/views/sparkly_accounts/_rails2_form.html.erb

@@ -0,0 +1,24 @@
+<%form_for model, :url => model_path do |f|%>
+  <p>
+    <%=f.error_messages%>
+  </p>
+
+  <p>
+    <%=f.label model_config.key%><br/>
+    <%=f.text_field model_config.key%>
+  </p>
+
+  <p>
+    <%=f.label :password%><br/>
+    <%=f.password_field :password, :value => ''%>
+  </p>
+
+  <p>
+    <%=f.label :password_confirmation%><br/>
+    <%=f.password_field :password_confirmation, :value => ''%>
+  </p>
+
+  <p>
+    <%=f.submit(model.new_record? ? "Sign up" : "Update Profile")%>
+  </p>
+<%end%>