token_authenticate_me 0.2.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6bf685e7c83d225932af75831c2adf88c38057ce
+  data.tar.gz: 153e157ba981b72d510a6bfc5c0eb6cc2bf6f2d6
+SHA512:
+  metadata.gz: 4ec02dc8c34693f6330f4f987d4dcbeaa6b4535e3e0f9917c0b729094ef3b85d6a6111ca5c0f4e3421dec673759cdd7b7e642a71a75e257c725fd79d3be88d5f
+  data.tar.gz: 1e1c50ffd2dc2cc1c1be0e9e90e71b09b64b3dbdd522035e2bbd5acc5aa1606f02e92a468f83c91a5083ff2c3af80b2ce762186e8c2ce1adc18fe6f4ee1777b7

data/.gitignore

@@ -0,0 +1,4 @@
+Gemfile.lock
+spec/internal/db/*sqlite
+pkg/
+spec/internal/log/*

data/.rubocop.yml

@@ -0,0 +1,8 @@
+AllCops:
+  Exclude:
+    - '**/templates/*'
+    - '*.gemspec'
+LineLength:
+  Max: 100
+Documentation:
+  Enabled: false

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :test do
+  gem 'active_model_serializers', '~> 0.8.0'
+end

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2014 Sam Clopton
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,47 @@
+TokenAuthenticateMe
+=====================
+
+This gem adds simple API based token authentication. We at [inigo](http://inigo.io) wanted to be able to handle our entire authentication process -- including account creation and logging in -- through a RESTful API over JSON using token authentication, and found that solutions like Devise required too much hand holding due to its complexity to ultimately get the functionality that we wanted. Unfortunately we were unable to find a satisfactory existing solution -- though I'm sure one does exist, this isn't a new problem -- so we set out to create our own. After using internally on one project, we decided to roll it out into a gem to use on another.
+
+## Getting started
+
+Add the gem to your Gemfile:
+`gem token_authenticate_me`
+
+Run `bundle install` to install it.
+
+To add or create a user with token authentication run:
+`rails generate token_authenticate_me:install <model>`
+
+Replace `<model>` with the class name used for users. This will create the necessary migration files, and optionally create the model file if it does not exist.
+
+**Right now this gem only supports creating the authentication model `User`, so it is recommended to call `rails generate token_authenticate_me:install user`**
+
+Include TokenAuthenticateMe::TokenAuthentication into the application controller or any controllers that require authorization:
+````rb
+require 'token_authenticate_me/token_authentication'
+
+class ApplicationController < ActionController::Base
+  force_ssl if Rails.env.production?
+
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+
+  include TokenAuthenticateMe::TokenAuthentication
+
+  #...
+end
+````
+
+To skip authentication in a controller, just skip the authenticate before action:
+````rb
+class Api::V1::UsersController < Api::BaseController
+
+  # Allow new users to create an account
+  skip_before_action :authenticate, only: [:create]
+end
+````
+
+### TODO:
+[ ] - Make it so any resource name can be used for authentication (initial thought is either specify the default or pass resource name in token string?).

data/Rakefile

@@ -0,0 +1,17 @@
+require 'bundler'
+
+Bundler::GemHelper.install_tasks
+
+task :console do
+  require 'irb'
+  require 'irb/completion'
+  require 'token_authenticate_me' # You know what to do.
+  ARGV.clear
+  IRB.start
+end
+
+task default: [:rubocop]
+
+task :rubocop do
+  system 'bundle exec rubocop -RD'
+end

data/app/mailers/token_authenticate_me_mailer.rb

@@ -0,0 +1,28 @@
+class TokenAuthenticateMeMailer < ActionMailer::Base
+  SIGNUP_PATH = 'sign-up'
+  RESET_PATH = 'reset-password/:token/'
+
+  def valid_user_reset_password_email(root_url, user)
+    @root_url = root_url
+    @user = user
+    @reset_path = RESET_PATH
+
+    @token_reset_path = token_reset_path
+
+    mail(to: user.email, subject: 'Password Reset')
+  end
+
+  def invalid_user_reset_password_email(root_url, email)
+    @root_url = root_url
+    @email = email
+    @signup_path = SIGNUP_PATH
+
+    mail(to: email, subject: 'Password Reset Error')
+  end
+
+  private
+
+  def token_reset_path
+    @reset_path.sub(/:token/, @user.reset_password_token)
+  end
+end

data/app/views/token_authenticate_me_mailer/invalid_user_reset_password_email.html.erb

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type' />
+  </head>
+  <body>
+    <h1>Hi <%= @email %></h1>
+
+    <p>
+      Someone has requested a link to change your password, but we
+      do not have account associated with this email.
+    </p>
+
+    <p>To create a new account, please click the link below.</p>
+
+    <p><a href="<%= "#{@root_url}#{@signup_path}" %>">Create new account.</a></p>
+
+    <p>If you didn't request this password reset, please ignore this email.</p>
+  </body>
+</html>

data/app/views/token_authenticate_me_mailer/invalid_user_reset_password_email.text.erb

@@ -0,0 +1,13 @@
+Hi <%= @email %>
+=================================
+
+<p>
+Someone has requested a link to change your password, but we
+do not have account associated with this email.
+</p>
+
+To create a new account, please go to the url below to create a new account.
+
+<%= "#{@root_url}#{@signup_path}" %>
+
+If you didn't request this password reset, please ignore this email.

data/app/views/token_authenticate_me_mailer/valid_user_reset_password_email.html.erb

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type' />
+  </head>
+  <body>
+    <h1>Hi <%= @user.username %></h1>
+
+    <p>Someone has requested a link to change your password. You can do this through the link below.</p>
+
+    <p><a href="<%= "#{@root_url}#{@token_reset_path}" %>">Change my password</a></p>
+
+    <p>If you didn't request this, please ignore this email.</p>
+    <p>Your password won't change until you access the link above and create a new one.</p>
+  </body>
+</html>

data/app/views/token_authenticate_me_mailer/valid_user_reset_password_email.text.erb

@@ -0,0 +1,9 @@
+Hi <%= @user.username %>
+==================================
+
+Someone has requested to change your password. You can do this through the link below.
+
+Please go to <%= "#{@root_url}#{@token_reset_path}" %> to change your password.
+
+If you didn't request this, please ignore this email.
+Your password won't change until you access the link above and create a new one.

data/config.ru

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'bundler'
+
+Bundler.require :default, :development
+
+Combustion.initialize!
+run Combustion::Application

data/lib/generators/token_authenticate_me/controllers/controllers_generator.rb

@@ -0,0 +1,37 @@
+# TODO: Update so path (/api) isn't fixed
+module TokenAuthenticateMe
+  module Generators
+    class ControllersGenerator < ::Rails::Generators::NamedBase
+      source_root File.expand_path('../templates', __FILE__)
+      check_class_collision suffix: 'Controller'
+
+      def create_sessions_controller
+        template 'sessions.rb', 'app/controllers/api/sessions_controller.rb'
+
+        # Inject /api/sesssion route into routes file
+        route <<-ROUTE
+namespace :api do
+    resource :session, only: [:create, :show, :destroy]
+  end
+        ROUTE
+      end
+
+      def create_password_reset_controller # rubocop:disable Metrics/MethodLength
+        template 'password_reset.rb', 'app/controllers/api/password_resets_controller.rb'
+
+        # Inject /api/password_resets route into routes file
+        route <<-ROUTE
+namespace :api do
+    resources(
+      :password_resets,
+      only: [:create, :update],
+      constraints: {
+        id: TokenAuthenticateMe::UUID_REGEX
+      }
+    )
+  end
+        ROUTE
+      end
+    end
+  end
+end

data/lib/generators/token_authenticate_me/controllers/templates/password_reset.rb

@@ -0,0 +1,6 @@
+require 'token_authenticate_me/controllers/password_resetable'
+
+class PasswordResetsController < ApplicationController
+  include TokenAuthenticateMe::Controllers::PasswordResetable
+
+end

data/lib/generators/token_authenticate_me/controllers/templates/sessions.rb

@@ -0,0 +1,6 @@
+require 'token_authenticate_me/controllers/sessionable'
+
+class SessionsController < ApplicationController
+  include TokenAuthenticateMe::Controllers::Sessionable
+
+end

data/lib/generators/token_authenticate_me/install/install_generator.rb

@@ -0,0 +1,12 @@
+module TokenAuthenticateMe
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      def run_generators
+        params = @_initializer[0]
+
+        invoke 'token_authenticate_me:models', params
+        invoke 'token_authenticate_me:controllers', params
+      end
+    end
+  end
+end

data/lib/generators/token_authenticate_me/models/models_generator.rb

@@ -0,0 +1,55 @@
+module TokenAuthenticateMe
+  module Generators
+    class ModelsGenerator < ::Rails::Generators::NamedBase
+      include Rails::Generators::Migration
+
+      source_root File.expand_path('../templates', __FILE__)
+      check_class_collision suffix: ''
+
+      def self.next_migration_number(dirname)
+        next_migration_number = current_migration_number(dirname) + 1
+        ActiveRecord::Migration.next_migration_number(next_migration_number)
+      end
+
+      def create_authentication_model_file
+        template 'authentication_model.rb', File.join('app/models', 'user.rb')
+      end
+
+      def create_authentication_migration_file
+        # When the switch is made to allow resource names to be specified, could use something like:
+        #    migration_file_name = "#{next_migration_number}_#{plural_name}.rb"
+        #    migration_template(
+        #      'authentication_migration.rb',
+        #      File.join('db/migrations', migration_file_name)
+        #    )
+        migration_template(
+          'authentication_migration.rb',
+          File.join('db/migrations', "create_users.rb")
+        )
+      end
+
+      def create_session_model_file
+        template 'session_model.rb', File.join('app/models', 'session.rb')
+      end
+
+      def create_session_migration_file
+        # When the switch is made to allow resource names to be specified, could use something like:
+        #    migration_file_name = "#{next_migration_number}_#{singular_name}_sessions.rb"
+        #    migration_template(
+        #      'authentication_migration.rb',
+        #      File.join('db/migrations', migration_file_name)
+        #    )
+        migration_template(
+          'session_migration.rb',
+          File.join('db/migrations', "create_sessions.rb")
+        )
+      end
+
+      private
+
+      def next_migration_number
+        self.class.next_migration_number('db/migrations')
+      end
+    end
+  end
+end

data/lib/generators/token_authenticate_me/models/templates/authentication_migration.rb

@@ -0,0 +1,20 @@
+class UserMigration < ActiveRecord::Migration
+  def up
+    create_table :users do |t|
+      t.string :username,  null: false
+      t.string :email, null: false
+      t.string :password_digest, null: false
+      t.string :reset_password_token
+      t.datetime :reset_password_token_exp
+      t.timestamps
+    end
+
+    add_index :users, :email,                unique: true
+    add_index :users, :username,             unique: true
+    add_index :users, :reset_password_token, unique: true
+  end
+
+  def down
+    drop_table :users
+  end
+end

data/lib/generators/token_authenticate_me/models/templates/authentication_model.rb

@@ -0,0 +1,6 @@
+require 'token_authenticate_me/models/authenticatable'
+
+class User < ActiveRecord::Base
+  include TokenAuthenticateMe::Models::Authenticatable
+
+end

data/lib/generators/token_authenticate_me/models/templates/session_migration.rb

@@ -0,0 +1,17 @@
+class SessionMigration < ActiveRecord::Migration
+  def up
+    create_table :sessions do |t|
+      t.string   :key,        null: false
+      t.datetime :expiration
+      t.integer  :user_id
+
+      t.timestamps
+    end
+
+    add_index :key, unique: true
+  end
+
+  def down
+    drop_table :sessions
+  end
+end

data/lib/generators/token_authenticate_me/models/templates/session_model.rb

@@ -0,0 +1,6 @@
+require 'token_authenticate_me/models/sessionable'
+
+class Session < ActiveRecord::Base
+  include TokenAuthenticateMe::Models::Sessionable
+
+end

data/lib/token_authenticate_me.rb

@@ -0,0 +1,6 @@
+require 'token_authenticate_me/engine'
+require 'token_authenticate_me/version'
+
+module TokenAuthenticateMe
+  UUID_REGEX = /([a-f0-9]){32}/
+end

data/lib/token_authenticate_me/controllers/password_resetable.rb

@@ -0,0 +1,90 @@
+require 'active_support/concern'
+
+require 'token_authenticate_me/controllers/token_authenticateable'
+
+module TokenAuthenticateMe
+  module Controllers
+    module PasswordResetable
+      extend ActiveSupport::Concern
+
+      included do
+        include TokenAuthenticateMe::Controllers::TokenAuthenticateable
+
+        skip_before_action :authenticate, only: [:create, :update]
+        before_action :validate_reset_token, only: [:update]
+
+        # Send reset token to user with e-mail address
+        def create
+          @user = User.find_by_email(params[:email])
+
+          if @user
+            send_valid_reset_email(@user)
+          else
+            send_invalid_reset_email(params[:email])
+          end
+
+          render status: 204, nothing: true
+        end
+
+        # Allow user to reset password when the token is valid
+        # and not expired
+        def update
+          @user.update!(
+            password: params[:password],
+            password_confirmation: params[:password_confirmation],
+            reset_password_token: nil,
+            reset_password_token_exp: nil
+          )
+
+          render status: 204, nothing: true
+        rescue ActiveRecord::RecordInvalid => e
+          handle_errors(e)
+        end
+
+        private
+
+        def send_valid_reset_email(user)
+          user.create_reset_token!
+
+          TokenAuthenticateMeMailer.valid_user_reset_password_email(
+            request.base_url,
+            user
+          ).deliver
+        end
+
+        def send_invalid_reset_email(email)
+          TokenAuthenticateMeMailer.invalid_user_reset_password_email(
+            request.base_url,
+            email
+          ).deliver
+        end
+
+        def session_params
+          params.permit(:password, :password_confirmation)
+        end
+
+        def render_errors(errors, status = 422)
+          render(json: { errors: errors }, status: status)
+        end
+
+        def handle_errors(e)
+          render_errors(e.record.errors.messages)
+        end
+
+        def validate_reset_token
+          valid_reset_token? || render_not_found
+        end
+
+        def render_not_found
+          render status: 404, nothing: true
+        end
+
+        def valid_reset_token?
+          @user = User.find_by_reset_password_token(params[:id])
+
+          @user && @user.reset_password_token_exp > DateTime.now
+        end
+      end
+    end
+  end
+end