token_authenticate_me 0.2.0

data/lib/token_authenticate_me/controllers/sessionable.rb

@@ -0,0 +1,63 @@
+require 'active_support/concern'
+
+require 'token_authenticate_me/controllers/token_authenticateable'
+
+module TokenAuthenticateMe
+  module Controllers
+    module Sessionable
+      extend ActiveSupport::Concern
+
+      include TokenAuthenticateMe::Controllers::TokenAuthenticateable
+
+      included do
+        skip_before_action :authenticate, only: [:create]
+        after_action :cleanup_sessions, only: [:destroy]
+
+        def create
+          resource = User.where('username=? OR email=?', params[:username], params[:username]).first
+          if resource && resource.authenticate(params[:password])
+            @session = Session.create(user_id: resource.id)
+            render json: serialize_session(@session), status: 201
+          else
+            render json: { message: 'Bad credentials' }, status: 401
+          end
+        end
+
+        def show
+          @session = authenticate_token
+          render json: serialize_session(@session)
+        end
+
+        def destroy
+          authenticate_token.destroy
+
+          render status: 204, nothing: true
+        rescue
+          render_unauthorized
+        end
+
+        private
+
+        def serialize_session(session)
+          {
+            session: {
+              key: session.key,
+              user_id: session.user_id,
+              expiration: session.expiration
+            }
+          }
+        end
+
+        def session_params
+          params.permit(:username, :email, :password)
+        end
+
+        def cleanup_sessions
+          ApiSession.where('expiration < ?', DateTime.now).delete_all
+        rescue
+          Rails.logger.warn 'Error cleaning up old authentication sessions'
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/controllers/token_authenticateable.rb

@@ -0,0 +1,43 @@
+require 'active_support/concern'
+
+module TokenAuthenticateMe
+  module Controllers
+    module TokenAuthenticateable
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :authenticate
+      end
+
+      protected
+
+      def authenticate
+        authenticate_token || render_unauthorized
+      end
+
+      def current_user
+        if authenticate_token
+          @current_user ||= User.find_by_id(authenticate_token.user_id)
+        else
+          nil
+        end
+      end
+
+      def authenticate_token
+        @session ||= authenticate_with_http_token do |token, _options|
+          session = Session.find_by_key(token)
+          if session && session.expiration > DateTime.now
+            session
+          else
+            false
+          end
+        end
+      end
+
+      def render_unauthorized
+        headers['WWW-Authenticate'] = 'Token realm="Application"'
+        render json: 'Bad credentials', status: 401
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/engine.rb

@@ -0,0 +1,5 @@
+module TokenAuthenticateMe
+  class Engine < Rails::Engine
+    # engine_name :token_authenticate_me
+  end
+end

data/lib/token_authenticate_me/models/authenticatable.rb

@@ -0,0 +1,40 @@
+require 'active_support/concern'
+
+module TokenAuthenticateMe
+  module Models
+    module Authenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        has_secure_password
+
+        validates(
+          :email,
+          presence: true,
+          uniqueness: { case_sensitive: false }
+        )
+
+        validates(
+          :username,
+          format: { with: /\A[a-zA-Z0-9]+\Z/ },
+          presence: true,
+          uniqueness: { case_sensitive: false }
+        )
+
+        def create_reset_token!
+          # rubocop:disable Lint/Loop
+          begin
+            self.reset_password_token = SecureRandom.hex
+          end while self.class.exists?(reset_password_token: reset_password_token)
+
+          self.reset_password_token_exp = password_expiration_hours.hours.from_now
+          self.save!
+        end
+
+        def password_expiration_hours
+          8
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/models/sessionable.rb

@@ -0,0 +1,27 @@
+require 'active_support/concern'
+
+module TokenAuthenticateMe
+  module Models
+    module Sessionable
+      extend ActiveSupport::Concern
+
+      included do
+        before_create :generate_unique_key
+
+        private
+
+        def generate_unique_key
+          begin
+            self.key = SecureRandom.hex
+          end while self.class.exists?(key: key) # rubocop:disable Lint/Loop
+
+          self.expiration = expiration_hours.hours.from_now
+        end
+
+        def expiration_hours
+          24
+        end
+      end
+    end
+  end
+end

data/lib/token_authenticate_me/version.rb

@@ -0,0 +1,3 @@
+module TokenAuthenticateMe
+  VERSION = '0.2.0'
+end

data/spec/acceptance/password_reset_api_spec.rb

@@ -0,0 +1,111 @@
+require 'spec_helper'
+
+describe 'Password Reset API' do
+  it 'resets the users password when called with the correct token' do
+    user = create_user
+
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+
+    expect(last_response.status).to eq(204)
+    expect(User.find(user.id).password_digest).not_to eq(encrypted_pw)
+  end
+
+  it 'does not allow replay attacks' do
+    user = create_user
+
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+
+    expect(last_response.status).to eq(204)
+    expect(User.find(user.id).password_digest).not_to eq(encrypted_pw)
+
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test'
+    expect(last_response.status).to eq(404)
+  end
+
+  it 'fails to reset the users password when the confirmation does not match' do
+    user = create_user
+
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+    reset_token = user.reset_password_token.to_s
+
+    put '/password_resets/' + reset_token + '/',
+        password: 'test', password_confirmation: 'test_ops'
+
+    expect(last_response.status).to eq(422)
+    expect(User.find(user.id).password_digest).to eq(encrypted_pw)
+  end
+
+  it 'raises a routing error when called with an empty token' do
+    user = create_user
+
+    user.create_reset_token!
+    encrypted_pw = user.password_digest
+
+    expect do
+      put '/password_resets//',  password: 'test', password_confirmation: 'test'
+    end.to raise_error(ActionController::RoutingError)
+    expect(User.find(user.id).password_digest).to eq(encrypted_pw)
+  end
+
+  it 'returns a 404 when reset is requested with a bad token' do
+    user = create_user
+
+    user.create_reset_token!
+
+    put '/password_resets/' + SecureRandom.hex.to_s + '/',
+        password: 'test', password_confirmation: 'test'
+
+    expect(last_response.status).to eq(404)
+  end
+
+  it 'returns a 204 when a password reset is requested with a valid e-mail' do
+    user = create_user
+
+    post '/password_resets/',  email: user.email
+
+    expect(last_response.status).to eq(204)
+  end
+
+  it 'returns a 204 when a password reset is requested with a invalid e-mail' do
+    user = create_user # rubocop:disable Lint/UselessAssignment
+
+    post '/password_resets/',  email: 'foo@bar.com'
+
+    expect(last_response.status).to eq(204)
+  end
+
+  it 'sends a valid e-mail when a password reset is requested with a valid e-mail' do
+    user = create_user
+
+    post '/password_resets/',  email: user.email
+
+    mail = ActionMailer::Base.deliveries.last
+
+    expect(mail['to'].to_s).to eq(user.email)
+    expect(mail['subject'].to_s).to eq('Password Reset')
+  end
+
+  it 'sends a invalid e-mail when a password reset is requested with a invalid e-mail' do
+    user = create_user # rubocop:disable Lint/UselessAssignment
+    email = 'foo@bar.com'
+
+    post '/password_resets/',  email: email
+
+    mail = ActionMailer::Base.deliveries.last
+
+    expect(mail['to'].to_s).to eq(email)
+    expect(mail['subject'].to_s).to eq('Password Reset Error')
+  end
+end

data/spec/acceptance/session_api_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+describe 'Session API' do
+  it 'creates a new session when authenticating with a username and password' do
+    password = 'text'
+    user = create_user(password: password)
+
+    post '/session/',
+         username: user.username, password: password
+
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+
+  it 'creates a new session when authenticating with a email and password' do
+    password = 'text'
+    user = create_user(password: password)
+
+    post '/session/',
+         username: user.email, password: password
+
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+
+  it 'fails to create a new session when authenticating with an invalid password' do
+    password = 'text'
+    user = create_user(password: password)
+
+    post '/session/',
+         username: user.email, password: 'not_test'
+
+    expect(last_response.status).to eq(401)
+  end
+
+  it 'fetches an existing session when authenticated' do
+    password = 'text'
+    user = create_user(password: password)
+
+    post '/session/',
+         username: user.email, password: password
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+
+    header 'Authorization', 'Token token=' + json['session']['key']
+    get '/session/'
+    expect(last_response.status).to eq(200)
+
+    json = JSON.parse(last_response.body)
+
+    expect(json['session']).not_to be_nil
+    expect(json['session']['key']).not_to be_nil
+    expect(json['session']['expiration']).not_to be_nil
+    expect(user.id).to eq(json['session']['user_id'])
+  end
+
+  it 'fetching an expired session fails' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    session.update!(expiration: 5.minutes.ago)
+
+    header 'Authorization', 'Token token=' + session.key
+    get '/session/'
+    expect(last_response.status).to eq(401)
+  end
+
+  it 'destroying an existing session succeeds' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+
+    header 'Authorization', 'Token token=' + session.key
+    delete '/session/'
+    expect(last_response.status).to eq(204)
+  end
+
+  it 'destroying an expired session fails' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+    session.update!(expiration: 5.minutes.ago)
+
+    header 'Authorization', 'Token token=' + session.key
+    delete '/session/'
+    expect(last_response.status).to eq(401)
+  end
+end

data/spec/acceptance/users_api_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe 'Users API' do
+  it 'creates a new user when unauthenticated' do
+    username = 'test'
+    password = 'test'
+    email = 'test'
+
+    post '/users/',
+         user: {
+           username: username,
+           password: password,
+           password_confirmation: password,
+           email: email
+         }
+
+    expect(last_response.status).to eq(201)
+    json = JSON.parse(last_response.body)
+
+    expect(json['user']).not_to be_nil
+    expect(json['user']['username']).to eq(username)
+    expect(json['user']['email']).to eq(email)
+  end
+
+  it 'fails to create a new user when the password confirmation does not match' do
+    username = 'test'
+    password = 'test'
+    email = 'test'
+
+    post '/users/',
+         user: {
+           username: username,
+           password: password,
+           password_confirmation: 'invalid',
+           email: email
+         }
+
+    expect(last_response.status).to eq(422)
+  end
+
+  it 'succeeds to list users when authenticated' do
+    user = create_user
+    session = Session.create!(user_id: user.id)
+
+    header 'Authorization', 'Token token=' + session.key
+    get '/users/'
+
+    expect(last_response.status).to eq(200)
+  end
+
+  it 'fails to list users without being authenticated' do
+    get '/users/'
+
+    expect(last_response.status).to eq(401)
+  end
+end