uber_login 0.1.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OGZjMzFmM2JhZGY0ZmJlZGE5MWY5ODc0ZWY4OTE1MDI4MjdkMTc0OA==
+  data.tar.gz: !binary |-
+    MWQ3YTdhYzI1MzU2YTFlZjQxMjFhYzk4NjI2NTgyZDA5Y2E4MDVkNw==
+SHA512:
+  metadata.gz: !binary |-
+    MmIyNGE2MzhkYmE3NmI1OTk5MWU0OTM2Y2RmYTI3NWYzNDI2YzUxNDNmNTQy
+    MmUxZTdhNjRiMDU0NmJjNDY5NjMxZGZlZWVkNTRmZDQwN2RjNGZmMWE5Mzcz
+    YzU2NGRkZGQ0NGI5MWVmNTUzM2RjOGFkNzFiYWQzOGFjNmExYWI=
+  data.tar.gz: !binary |-
+    MWEyNzkzODc4ZGFiMGE3MDlkYTQyMWUxMDFjNTNhNTYwZWQyNTM0ODY5YzNk
+    ZTNhNjkxZDc3YmJmNGI2NTkxZDRmYTk1MTVmNmNlYmMwNzZlNzNmM2E2MjA1
+    MmE5MTQ4OWZlZDgxNDk1Njc0NzVmMjJlZTAwN2IwZTBhZTI0OTE=

data/lib/uber_login.rb

@@ -0,0 +1,135 @@
+require 'uber_login/version'
+require 'uber_login/cookie_manager'
+require 'uber_login/configuration'
+require 'securerandom'
+require 'bcrypt'
+require 'user_agent'
+
+module UberLogin
+  ##
+  # Returns the logged in user.
+  # If session[+:uid+] is set it returns that user.
+  # If session[+:uid+] is NOT set but cookies[+:uid+] and cookies[+:ulogin+] ARE:
+  #  * It dissects +:ulogin+ into Sequence and Token
+  #  * Looks for a LoginToken from UID and Sequence
+  #  * Test Token against the stored and strong hashed one
+  #  * If they match, session[+:uid+] is set and it returns the +User+
+  # If none of the previous cases, +nil+ is returned.
+  # If the cookie did not match, they are cleared from the user browser.
+  #
+  # All the checks are runt only once and the result is cached
+  def current_user
+    @current_user ||= current_user_uncached
+  end
+
+  ##
+  # Logs in the given +user+
+  # If +remember+ is true all the needed cookies are set.
+  # session[+:uid+] is set to user.id
+  def login(user, remember = false)
+    logout_all unless UberLogin.configuration.allow_multiple_login
+
+    session[:uid] = user.id
+    generate_and_set_cookies(user.id) if remember
+  end
+
+  ##
+  # Clears session[:uid]
+  # If remember cookies were set they're cleared and the token is
+  # removed from the database.
+  def logout
+    session.delete(:uid)
+    delete_from_database if cookies[:uid]
+    cookie_manager.clear
+  end
+
+  ##
+  # Deletes all "remember me" session for this user from whatever device
+  # he/she has ever used to login.
+  def logout_all
+    LoginToken.find_by(uid: session[:uid]).destroy
+    session.delete :uid
+    cookie_manager.clear
+  end
+
+  private
+  def cookie_manager
+    @cookie_manager ||= CookieManager.new(cookies, request)
+  end
+
+  # See +current_user+
+  def current_user_uncached
+    sid = session[:uid]
+    sid = login_from_cookies if cookies[:uid] and !sid
+    User.find(sid) if sid
+  end
+
+  ##
+  # Attempts a login from the +:uid+ and +:ulogin+ cookies.
+  def login_from_cookies
+    if cookie_manager.valid?
+      session[:uid] = cookies[:uid]
+      generate_new_token
+      session[:uid]
+    else
+      cookie_manager.clear
+      nil
+    end
+  end
+
+  ##
+  # Deletes the current token from the database and creates a new one in place.
+  # Sets the user cookies to match the new values
+  def generate_new_token
+    delete_from_database
+    generate_and_set_cookies(cookies[:uid])
+  end
+
+  ##
+  # Creates a pair of cookies.
+  # +:uid+ is set to the user id
+  # +:ulogin+ is a composite field made of +:sequence+ and +:token+
+  #
+  # +:sequence+ is used to choose between all possible user login tokens
+  # +:token+ is stored +bcrypt+ed in the database and then compared on login
+  def generate_and_set_cookies(uid)
+    sequence, token = generate_sequence_and_token
+    cookie_manager.persistent_login(uid, sequence, token)
+    save_to_database
+  end
+
+  ##
+  # Creates a LoginToken based on the +uid+, +sequence+ and hashed +token+
+  def save_to_database
+    token_row = LoginToken.new(
+        uid: cookies[:uid],
+        sequence: cookie_manager.sequence,
+        token: cookie_manager.hashed_token
+    )
+
+    set_user_data token_row
+
+    token_row.save!
+  end
+
+  ##
+  # Removes a LoginToken with +uid+ and +sequence+ taken from the cookies
+  def delete_from_database
+    sequence = cookie_manager.sequence
+    token = LoginToken.find_by(uid: cookies[:uid], sequence: sequence)
+    token.destroy
+  end
+
+  def generate_sequence_and_token
+    # 9 and 21 are both multiple of 3, so we do not get base64 padding (==)
+    [ SecureRandom.base64(9), SecureRandom.base64(21) ]
+  end
+
+  def set_user_data(row)
+    user_agent = UserAgent.parse(request.user_agent)
+
+    row.ip_address = request.remote_ip if row.respond_to? :ip_address=
+    row.os = user_agent.os if row.respond_to? :os=
+    row.browser = user_agent.browser + ' ' + user_agent.version if row.respond_to? :browser=
+  end
+end

data/lib/uber_login/configuration.rb

@@ -0,0 +1,24 @@
+##
+# Use this class in app/config/initializers to change configuration parameters.
+module UberLogin
+  class Configuration
+    attr_accessor :allow_multiple_login
+    attr_accessor :token_expiration
+    attr_accessor :tie_tokens_to_ip
+
+    def initialize
+      self.allow_multiple_login = true
+      self.token_expiration = nil
+      self.tie_tokens_to_ip = false
+    end
+  end
+
+  def self.configure
+    yield(configuration) if block_given?
+  end
+
+  private
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+end

data/lib/uber_login/cookie_manager.rb

@@ -0,0 +1,66 @@
+##
+# This class handles the +:uid+ and +:ulogin+ cookies
+# It builds and sets the cookies, clears them, checks for their validity.
+class CookieManager
+  def initialize(cookies, request)
+    @cookies = cookies
+    @request = request
+    @validity_checks = [ :token_match ]
+
+    @validity_checks << :ip_equality if UberLogin.configuration.tie_tokens_to_ip
+    @validity_checks << :expiration if UberLogin.configuration.token_expiration
+  end
+
+  ##
+  # Clears +:uid+ and +:ulogin+ cookies
+  def clear
+    @cookies.delete :uid
+    @cookies.delete :ulogin
+  end
+
+  def valid?
+    token_row = LoginToken.find_by(uid: @cookies[:uid], sequence: sequence)
+    @validity_checks.all? { |check| send(check, token_row) }
+  rescue
+    false
+  end
+
+  def hashed_token
+    BCrypt::Password.create(token).to_s
+  end
+
+  def persistent_login(uid, sequence, token)
+    @cookies.permanent[:uid] = uid
+    @cookies.permanent[:ulogin] = ulogin_cookie(sequence, token)
+  end
+
+  def ulogin_cookie(sequence, token)
+    sequence + ':' + token
+  end
+
+  def sequence_and_token
+    @cookies[:ulogin].split(':')
+  end
+
+  def sequence
+    sequence_and_token[0]
+  end
+
+  def token
+    sequence_and_token[1]
+  end
+
+  # Validity checks
+
+  def token_match(row)
+    BCrypt::Password.new(row.token) == token
+  end
+
+  def ip_equality(row)
+    row.ip_address == @request.remote_ip
+  end
+
+  def expiration(row)
+    row.updated_at >= Time.now - UberLogin.configuration.token_expiration
+  end
+end

data/lib/uber_login/version.rb

@@ -0,0 +1,3 @@
+module UberLogin
+  VERSION = '0.1.1'
+end

data/spec/cookie_manager_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper'
+
+describe CookieManager do
+  let(:cookie_manager) { CookieManager.new({ uid: 100, ulogin: "dead:beef" }, FakeRequest.new) }
+
+  describe '#valid?' do
+    context 'User id and sequence combination is found' do
+      let(:fake_token) {
+        LoginToken.new(
+          token: BCrypt::Password.create("beef"),
+          ip_address: '192.168.1.1'
+        )
+      }
+
+      before { LoginToken.stub(:find_by).and_return fake_token }
+
+      it 'always executes token_match' do
+        expect(cookie_manager).to receive(:token_match)
+        cookie_manager.valid?
+      end
+
+      it 'does not run ip_equality by default' do
+        expect(cookie_manager).to_not receive(:ip_equality)
+        cookie_manager.valid?
+      end
+
+      context 'if IP are tied to Tokens' do
+        before { UberLogin.configuration.tie_tokens_to_ip = true }
+
+        it 'executes ip_equality' do
+          expect(cookie_manager).to receive(:ip_equality)
+          cookie_manager.valid?
+        end
+      end
+
+      it 'does not run expiration by default' do
+        expect(cookie_manager).to_not receive(:expiration)
+        cookie_manager.valid?
+      end
+
+      context 'if Tokens do expire' do
+        before { UberLogin.configuration.token_expiration = 86400 }
+
+        it 'executes expiration' do
+          expect(cookie_manager).to receive(:expiration)
+          cookie_manager.valid?
+        end
+      end
+
+      context 'all checks return true' do
+        it 'returns true' do
+          expect(cookie_manager.valid?).to be_true
+        end
+      end
+
+      context 'any check fails' do
+        before { Array.any_instance.stub(:all?).and_return false }
+
+        it 'returns false' do
+          expect(cookie_manager.valid?).to be_false
+        end
+      end
+    end
+
+    context 'User id and sequence combination is not found' do
+      before { LoginToken.stub(:find_by).and_return nil }
+
+      it 'returns false' do
+        expect(cookie_manager.valid?).to be_false
+      end
+    end
+  end
+
+  describe '#token_match' do
+    before { cookie_manager.stub(:token).and_return 'secret' }
+
+    it 'returns true if tokens are matched' do
+      row = double(token: BCrypt::Password.create('secret', cost: 1))
+      expect(cookie_manager.token_match(row)).to be_true
+    end
+
+    it 'returns false if tokens are not matched' do
+      row = double(token: BCrypt::Password.create('s3cr3t', cost: 1))
+      expect(cookie_manager.token_match(row)).to be_false
+    end
+  end
+
+  describe '#ip_equality' do
+    before { FakeRequest.any_instance.stub(:remote_ip).and_return '10.10.10.10' }
+
+    it 'returns true if IPs are equal' do
+      row = double(ip_address: '10.10.10.10')
+      expect(cookie_manager.ip_equality(row)).to be_true
+    end
+
+    it 'returns false if IPs are different' do
+      row = double(ip_address: '192.168.1.1')
+      expect(cookie_manager.ip_equality(row)).to be_false
+    end
+  end
+
+  describe '#expiration' do
+    before { UberLogin.configuration.token_expiration = 86400 }
+
+    it 'returns true if less than token_expiration seconds are past' do
+      row = double(updated_at: Time.now - 100)
+      expect(cookie_manager.expiration(row)).to be_true
+    end
+
+    it 'returns false if more than token_expiration seconds are past' do
+      row = double(updated_at: Time.now - 86401)
+      expect(cookie_manager.expiration(row)).to be_false
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,83 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+
+require 'uber_login'
+
+class FakeCookieJar < Hash
+  def permanent
+    self
+  end
+end
+
+class FakeRequest
+  def remote_ip
+    '192.168.1.1'
+  end
+
+  def user_agent
+    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36"
+  end
+end
+
+class ApplicationController
+  include UberLogin
+
+  attr_accessor :session
+  attr_accessor :cookies
+  attr_accessor :request
+
+  def initialize
+    @session = {}
+    @cookies = FakeCookieJar.new
+    @request = FakeRequest.new
+  end
+end
+
+# This is required to be an ActiveRecord like class
+# Mongoid and MongoMapper should be just fine and probably others too.
+class LoginToken
+  attr_accessor :uid, :sequence, :token
+  attr_accessor :ip_address, :os, :browser
+
+  @@count = 0
+
+  def initialize(attributes = {})
+    attributes.each do |k, v|
+      send("#{k}=", v)
+    end
+  end
+
+  def save!
+    true
+    @@count += 1
+  end
+
+  def self.count
+    @@count
+  end
+
+  def destroy
+    @@count -= 1
+  end
+
+  def self.find_by(hash)
+    new
+  end
+
+  def updated_at
+    Time.now - 100
+  end
+end
+
+class User
+  attr_accessor :id
+
+  def initialize(attributes = {})
+    attributes.each do |k, v|
+      send("#{k}=", v)
+    end
+  end
+
+  def self.find(id)
+    User.new(id: id)
+  end
+end

data/spec/uber_login_spec.rb

@@ -0,0 +1,203 @@
+require 'spec_helper'
+
+describe UberLogin do
+  let(:user) { double(id: 100) }
+  let(:controller) { ApplicationController.new }
+  let(:session) { controller.session }
+  let(:cookies) { controller.cookies }
+
+  describe '#login' do
+    context 'remember is false' do
+      it 'sets session[:uid]' do
+        controller.login(user)
+        expect(session[:uid]).to eq 100
+      end
+    end
+
+    context 'remember is true' do
+      it 'sets session[:uid]' do
+        controller.login(user, true)
+        expect(session[:uid]).to eq 100
+      end
+
+      it 'sets the uid cookie' do
+        controller.login(user, true)
+        expect(cookies[:uid]).to eq 100
+      end
+
+      it 'sets the ulogin cookie' do
+        controller.login(user, true)
+        expect(cookies[:ulogin]).to match(/[a-z0-9+\/]+:[a-z0-9+\/]+/i)
+      end
+
+      it 'sets both cookies as persistent' do
+        expect(cookies).to receive(:permanent).twice.and_return cookies
+        controller.login(user, true)
+      end
+    end
+
+    context 'only one session is allowed per user' do
+      before { UberLogin::Configuration.any_instance.stub(:allow_multiple_login).and_return false }
+
+      it 'clears all the other tokens' do
+        expect_any_instance_of(LoginToken).to receive :destroy
+        controller.login(user)
+      end
+    end
+  end
+
+  describe '#logout' do
+    it 'deletes session[:uid]' do
+      controller.login(user)
+      controller.logout
+      expect(session[:uid]).to be_nil
+    end
+
+    context 'persistent login was made' do
+      before { controller.login(user, true) }
+
+      it 'deletes session[:uid]' do
+        controller.logout
+        expect(session[:uid]).to be_nil
+      end
+
+      it 'deletes login cookies' do
+        controller.logout
+        expect(cookies[:uid]).to be_nil
+        expect(cookies[:ulogin]).to be_nil
+      end
+
+      it 'deletes a LoginToken row' do
+        expect {
+          controller.logout
+        }.to change{ LoginToken.count }.by -1
+      end
+    end
+  end
+
+  describe '#logout_all' do
+    it 'deletes session[:uid]' do
+      controller.login(user)
+      controller.logout_all
+      expect(session[:uid]).to be_nil
+    end
+
+    it 'deletes session[:uid]' do
+      controller.logout_all
+      expect(session[:uid]).to be_nil
+    end
+
+    it 'deletes login cookies' do
+      controller.logout_all
+      expect(cookies[:uid]).to be_nil
+      expect(cookies[:ulogin]).to be_nil
+    end
+
+    it 'deletes any token associated with the user' do
+      expect_any_instance_of(LoginToken).to receive :destroy
+      controller.logout_all
+    end
+  end
+
+  describe '#save_to_database' do
+    before {
+      cookies[:uid] = "100"
+      cookies[:ulogin] = "dead:beef"
+    }
+
+    it 'saves the triplet to the database' do
+      expect_any_instance_of(LoginToken).to receive(:save!)
+      controller.send('save_to_database')
+    end
+  end
+
+  describe '#set_user_data' do
+    let(:row) { LoginToken.new }
+
+    context 'the token table has an "ip_address" field' do
+      it 'sets the field to the client IP' do
+        expect(row).to receive(:ip_address=).with('192.168.1.1')
+        controller.send('set_user_data', row)
+      end
+    end
+
+    context 'the token table has an "os" field' do
+      it 'sets the field to the client Operating System' do
+        expect(row).to receive(:os=).with('Linux x86_64')
+        controller.send('set_user_data', row)
+      end
+    end
+
+    context 'the token table has a "browser" field' do
+      it 'sets the field to the client Browser and version' do
+        expect(row).to receive(:browser=).with('Chrome 32.0.1667.0')
+        controller.send('set_user_data', row)
+      end
+    end
+  end
+
+  describe '#current_user_uncached' do
+    context 'session[:uid] is set' do
+      before { session[:uid] = 100 }
+
+      it 'returns an user object with that uid' do
+        expect(controller.send(:current_user_uncached).id).to eq 100
+      end
+    end
+
+    context 'session[:uid] is nil' do
+      before { session[:uid] = nil }
+
+      context 'cookies[:uid] and cookies[:ulogin] are set' do
+        before {
+          cookies[:uid] = "100"
+          cookies[:ulogin] = "whatever:beef"
+        }
+
+        context 'the cookies are valid' do
+          before { CookieManager.any_instance.stub(:valid?).and_return true }
+
+          it 'returns an user object with that uid' do
+            expect(controller.send(:current_user_uncached).id).to eq "100"
+          end
+
+          it 'deletes the token from the database' do
+            expect_any_instance_of(LoginToken).to receive(:destroy)
+            controller.send(:current_user_uncached)
+          end
+
+          it 'creates a new token for the next login' do
+            expect_any_instance_of(LoginToken).to receive(:save!)
+            controller.send(:current_user_uncached)
+          end
+
+          it 'refreshes the cookie' do
+            controller.send(:current_user_uncached)
+            expect(cookies[:uid]).to eq "100"
+            expect(cookies[:ulogin]).to_not eq "whatever:beef"
+          end
+        end
+
+        context 'the cookies are not valid' do
+          before { CookieManager.any_instance.stub(:valid?).and_return false }
+
+          it 'returns nil' do
+            expect(controller.send(:current_user_uncached)).to be_nil
+          end
+
+          it 'clears the cookies for this user' do
+            controller.send(:current_user_uncached)
+            expect(cookies[:uid]).to be_nil
+            expect(cookies[:ulogin]).to be_nil
+          end
+        end
+      end
+
+      context 'cookies are not set' do
+        it 'returns nil' do
+          expect(controller.send(:current_user_uncached)).to be_nil
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification
+name: uber_login
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Francesco Boffa
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-12-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: useragent
+  type: :runtime
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.0
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 0.10.0
+description: Login and logout management with secure "remember me" capabilities
+email: fra.boffa@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/uber_login.rb
+- lib/uber_login/cookie_manager.rb
+- lib/uber_login/version.rb
+- lib/uber_login/configuration.rb
+- spec/spec_helper.rb
+- spec/cookie_manager_spec.rb
+- spec/uber_login_spec.rb
+homepage: https://github.com/AlfaOmega08/uber_login
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.1.10
+signing_key: 
+specification_version: 4
+summary: Tired of rewriting the login, logout and current_user methods for the millionth
+  time? Scared of all the security concerns of writing your own authentication methods?
+  This gem will solve all of this problems and still leave you the control over your
+  application.
+test_files:
+- spec/spec_helper.rb
+- spec/cookie_manager_spec.rb
+- spec/uber_login_spec.rb
+has_rdoc: