uber_login 0.2.0 → 1.0.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MWU0YWFkMDg3NjA3MzFiM2QxN2Y3NmQzODBlOTFjMDIxZGY1YzliYg==
+    NjcyNWVjZmViMmQ3ZTY4MDljODFjYjAxZDc2YmY5YmE4ZDEyNjhiZA==
   data.tar.gz: !binary |-
-    ZGYxZmFmZjA0ZGEzOGIzY2RmODVmODczOWQ5OTc0MzlmYTM5NGQ4NQ==
+    ZDg0ZTA4MzZkODQ4ZThjN2FkOTYyNjllMTk5MDY1ZmUxZDdlN2NmYg==
 SHA512:
   metadata.gz: !binary |-
-    Mzc4YWVjYzM0ZmQ5N2YyMDdlOWYxOTMzMjAwMDVlNmIwNzdiODk4YjRmNjQ4
-    ZDhhY2FmZjg1ZmIwZDA4MDQyNGVjMjExMTE1MGQxMDE3Zjg2ZTQ3NjllMzE4
-    OGJjMWEwMjhlZjM5ZjUzYWFhNDM1Y2NhOTM3ZDY5NjE4NzQ0ZGY=
+    NWFjODkyYjYwN2FlNDFkY2I0NTUwZDZlMmIyMGJhMzRiNTg5MGM1YmY0YzVj
+    M2Y0YTBhY2U0NjNkNThiMDg4MDJlYjM4NjAwNWUxNzcxYTc0N2E1MjdmZDZh
+    NmQzYWNkN2Q0YzhhODNlYmQ2ZmNmYTNmMzZjZGRlMzdhNmNkMTE=
   data.tar.gz: !binary |-
-    Mjc0NGNiMGM4ZmU3ZTEzNjExOWQ2NGU4M2QyODExYTNhNGJkYzEwNWU2N2Yz
-    ZGZiMWY2ZWVjZTU0MDY5MTRiNzk2YWM0NzEzNTZlMWJiNTdhOWI2YjQ0ZWYx
-    YTA5YTc2NTFmYmJkZTAyMDJhNDU5ZTc5MDc3NGVlM2UzNTU4MTI=
+    MTJmMWI1MDhjODQzMWZlNWEzYjk2YzQxMTYxYzc3MGEzNWMyNDM5ZWU2MTc1
+    NDM0ZjQ2OGVhMjgxMzlkN2QyZGJlNThhODNiMDNmOWFjYTI1ZWU5MjVmMWVk
+    ZjlmOWI5N2JjMGJmYmY0MjdmNGNiODkzZjc0YWZkMzg2OGZiZTU=

data/lib/uber_login/configuration.rb

@@ -2,14 +2,37 @@
 # Use this class in app/config/initializers to change configuration parameters.
 module UberLogin
   class Configuration
+    # Allow the same user to login on many different devices.
+    # This is only effective if strong_sessions is +true+. Otherwise it only affects persistent logins.
+    # Defaults to +true+
     attr_accessor :allow_multiple_login
+
+    # The validity of a login token (be it a cookie or session token). Tokens whose age is larger than that are
+    # considered expired and not valid.
+    # Defaults to +nil+ (no expiration)
     attr_accessor :token_expiration
+
+    # A token is considered valid only if brought by the same IP address to which it was assigned.
+    # This would provide a very effective solution against Cookie sniffing, unless it would affect legitimate users a
+    # lot. 99% of ISPs will change user IP on each connecition. Also mobile devices might change IP many times in a
+    # hour. Setting this to true may disconnect many mobile users each minute.
+    # Only decently usable in a private network where all IPs are static (or if you're really paranoid).
+    # Defaults to +false+
     attr_accessor :tie_tokens_to_ip
 
+    # Non persistent sessions are saved to the database too. On each request the session token is checked against the
+    # database just like the cookies one. It won't refresh it, however.
+    # This allows you to do nice things, like logging out users, just by removing the token from the database. Or having
+    # a full list of open sessions of any kind on any device.
+    # Even though this is strongly suggested to be +true+, it might impact performance, issuing a query on almost
+    # each page load. Be sure to index :uid and :sequence together on the +login_tokens+ table.
+    attr_accessor :strong_sessions
+
     def initialize
       self.allow_multiple_login = true
       self.token_expiration = nil
       self.tie_tokens_to_ip = false
+      self.strong_sessions = true
     end
   end
 

data/lib/uber_login/cookie_manager.rb

@@ -1,66 +1,44 @@
+require 'uber_login/storage'
+require 'uber_login/token_encoder'
+require 'uber_login/token_validator'
+
 ##
 # This class handles the +:uid+ and +:ulogin+ cookies
 # It builds and sets the cookies, clears them, checks for their validity.
-class CookieManager
-  def initialize(cookies, request)
-    @cookies = cookies
-    @request = request
-    @validity_checks = [ :token_match ]
-
-    @validity_checks << :ip_equality if UberLogin.configuration.tie_tokens_to_ip
-    @validity_checks << :expiration if UberLogin.configuration.token_expiration
-  end
-
-  ##
-  # Clears +:uid+ and +:ulogin+ cookies
-  def clear
-    @cookies.delete :uid
-    @cookies.delete :ulogin
-  end
-
-  def valid?
-    token_row = LoginToken.find_by(uid: @cookies[:uid], sequence: sequence)
-    @validity_checks.all? { |check| send(check, token_row) }
-  rescue
-    false
-  end
-
-  def hashed_token
-    BCrypt::Password.create(token).to_s
-  end
-
-  def persistent_login(uid, sequence, token)
-    @cookies.permanent[:uid] = uid
-    @cookies.permanent[:ulogin] = ulogin_cookie(sequence, token)
-  end
-
-  def ulogin_cookie(sequence, token)
-    sequence + ':' + token
-  end
-
-  def sequence_and_token
-    @cookies[:ulogin].split(':')
-  end
-
-  def sequence
-    sequence_and_token[0]
-  end
-
-  def token
-    sequence_and_token[1]
-  end
-
-  # Validity checks
-
-  def token_match(row)
-    BCrypt::Password.new(row.token) == token
-  end
-
-  def ip_equality(row)
-    row.ip_address == @request.remote_ip
-  end
-
-  def expiration(row)
-    row.updated_at >= Time.now - UberLogin.configuration.token_expiration
+module UberLogin
+  class CookieManager
+    def initialize(cookies, request)
+      @cookies = cookies
+      @request = request
+    end
+
+    ##
+    # Sets the +:uid+ and +:ulogin+ cookies for next login
+    def persistent_login(uid, composite)
+      @cookies.permanent[:uid] = uid
+      @cookies.permanent[:ulogin] = TokenEncoder.encode_array composite
+    end
+
+    ##
+    # Clears +:uid+ and +:ulogin+ cookies
+    def clear
+      @cookies.delete :uid
+      @cookies.delete :ulogin
+    end
+
+    ##
+    # Returns true if cookies are considered valid from TokenEncoder validation rules
+    def valid?
+      token_row = Storage.find_composite(@cookies[:uid], @cookies[:ulogin])
+      TokenValidator.new(TokenEncoder.token(@cookies[:ulogin]), @request).valid?(token_row)
+    rescue
+      false
+    end
+
+    ##
+    # Returns true if the +:uid+ and +:ulogin+ cookies are set
+    def login_cookies?
+      @cookies[:uid] and @cookies[:ulogin]
+    end
   end
 end

data/lib/uber_login/session_manager.rb

@@ -0,0 +1,38 @@
+require 'uber_login/storage'
+require 'uber_login/token_encoder'
+require 'uber_login/token_validator'
+
+##
+# This class handles the +:uid+ and +:ulogin+ session variables
+# It builds and sets the session variables, clears them, checks for their validity.
+module UberLogin
+  class SessionManager
+    def initialize(session, request)
+      @session = session
+      @request = request
+    end
+
+    ##
+    # Sets the +:uid+ and +:ulogin+ session variables
+    def login(uid, composite)
+      @session[:uid] = uid
+      @session[:ulogin] = TokenEncoder.encode_array(composite) if UberLogin.configuration.strong_sessions
+    end
+
+    ##
+    # Clears +:uid+ and +:ulogin+ session variables
+    def clear
+      @session.delete :uid
+      @session.delete :ulogin
+    end
+
+    ##
+    # Returns true if the session is considered valid from TokenEncoder validation rules
+    def valid?
+      token_row = Storage.find_composite(@session[:uid], @session[:ulogin])
+      TokenValidator.new(TokenEncoder.token(@session[:ulogin]), @request).valid?(token_row)
+    rescue
+      false
+    end
+  end
+end

data/lib/uber_login/storage.rb

@@ -0,0 +1,31 @@
+module UberLogin
+  class Storage
+    class << self
+      def find(uid, sequence)
+        LoginToken.find_by(uid: uid, sequence: sequence)
+      end
+
+      def find_composite(uid, composite)
+        find(uid, TokenEncoder.sequence(composite))
+      rescue  # composite might invalid if cookies are tampered
+        nil
+      end
+
+      def build(uid, composite)
+        LoginToken.new(
+          uid: uid,
+          sequence: TokenEncoder.sequence(composite),
+          token: TokenEncoder.token_hash(composite)
+        )
+      end
+
+      def delete_all(uid)
+        LoginToken.destroy_all(uid: uid)
+      end
+
+      def delete_all_but(uid, composite)
+        # TODO: How to make this ORM agnostic?
+      end
+    end
+  end
+end

data/lib/uber_login/token_encoder.rb

@@ -0,0 +1,36 @@
+require 'bcrypt'
+
+module UberLogin
+  class TokenEncoder
+    class << self
+      def generate
+        # 9 and 21 are both multiple of 3, so we do not get base64 padding (==)
+        [ SecureRandom.urlsafe_base64(9), SecureRandom.base64(21) ]
+      end
+
+      def encode(sequence, token)
+        encode_array [ sequence, token ]
+      end
+
+      def encode_array(composite_array)
+        composite_array.join(':')
+      end
+
+      def decode(composite)
+        composite.split(':')
+      end
+
+      def sequence(composite)
+        decode(composite)[0]
+      end
+
+      def token(composite)
+        decode(composite)[1]
+      end
+
+      def token_hash(composite)
+        BCrypt::Password.create(token(composite)).to_s
+      end
+    end
+  end
+end

data/lib/uber_login/token_validator.rb

@@ -0,0 +1,28 @@
+module UberLogin
+  class TokenValidator
+    def initialize(token, request)
+      @token = token
+      @request = request
+      @validity_checks = [ :token_match ]
+      @validity_checks << :ip_equality if UberLogin.configuration.tie_tokens_to_ip
+      @validity_checks << :expiration if UberLogin.configuration.token_expiration
+    end
+
+    def valid?(row)
+      @validity_checks.all? { |check| send(check, row) }
+    end
+
+    private
+    def token_match(row)
+      BCrypt::Password.new(row.token) == @token
+    end
+
+    def ip_equality(row)
+      row.ip_address == @request.remote_ip
+    end
+
+    def expiration(row)
+      row.updated_at >= Time.now - UberLogin.configuration.token_expiration
+    end
+  end
+end

data/lib/uber_login/version.rb

@@ -1,3 +1,3 @@
 module UberLogin
-  VERSION = '0.2.0'
+  VERSION = '1.0.0'
 end

data/lib/uber_login.rb

@@ -1,6 +1,7 @@
 require 'uber_login/version'
 require 'uber_login/cookie_manager'
 require 'uber_login/configuration'
+require 'uber_login/session_manager'
 require 'securerandom'
 require 'bcrypt'
 require 'user_agent'
@@ -8,7 +9,10 @@ require 'user_agent'
 module UberLogin
   ##
   # Returns the logged in user.
-  # If session[+:uid+] is set it returns that user.
+  # If session[+:uid+] is set:
+  #  * if strong sessions are enabled, it checks for session[+:ulogin+] and tests its value against the database
+  #  * if strong sessions are not enabled, it only returns the corresponding +User+
+  #
   # If session[+:uid+] is NOT set but cookies[+:uid+] and cookies[+:ulogin+] ARE:
   #  * It dissects +:ulogin+ into Sequence and Token
   #  * Looks for a LoginToken from UID and Sequence
@@ -26,24 +30,31 @@ module UberLogin
   # Logs in the given +user+
   # If +remember+ is true all the needed cookies are set.
   # session[+:uid+] is set to user.id
+  # If strong sessions are enabled session[+:ulogin+] is set to the same value that cookies[+:ulogin+] would have
   def login(user, remember = false)
     logout_all unless UberLogin.configuration.allow_multiple_login
 
-    session[:uid] = user.id
-    generate_and_set_cookies(user.id) if remember
+    if strong_sessions or remember
+      composite = generate_and_save_token(user.id)
+      cookie_manager.persistent_login(user.id, composite) if remember
+    else
+      composite = nil
+    end
+
+    session_manager.login(user.id, composite)
   end
 
   ##
-  # Clears session[:uid]
-  # If remember cookies were set they're cleared and the token is
-  # removed from the database.
+  # If sequence is nil it clears the current session and if remember cookies are in place they're cleared
+  # and corresponding token removed from the database.
+  # If sequence is not nil it only removes the sequence and token from the database.
   def logout(sequence = nil)
-    if sequence
-      delete_from_database(sequence)
-    else
-      session.delete(:uid)
-      delete_from_database if cookies[:uid]
+    if sequence.nil? or sequence == current_sequence
+      delete_from_database if cookies[:uid] or strong_sessions
+      session_manager.clear
       cookie_manager.clear
+    else
+      delete_from_database(sequence)
     end
   end
 
@@ -51,8 +62,8 @@ module UberLogin
   # Deletes all "remember me" session for this user from whatever device
   # he/she has ever used to login.
   def logout_all
-    LoginToken.find_by(uid: session[:uid]).destroy
-    session.delete :uid
+    Storage.delete_all session[:uid]
+    session_manager.clear
     cookie_manager.clear
   end
 
@@ -61,11 +72,19 @@ module UberLogin
     @cookie_manager ||= CookieManager.new(cookies, request)
   end
 
+  def session_manager
+    @session_manager ||= SessionManager.new(session, request)
+  end
+
   # See +current_user+
   def current_user_uncached
-    sid = session[:uid]
-    sid = login_from_cookies if cookies[:uid] and !sid
-    User.find(sid) if sid
+    if session[:uid]
+      logout if strong_sessions and !session_manager.valid?
+    else
+      login_from_cookies if cookie_manager.login_cookies?
+    end
+
+    User.find(session[:uid]) rescue nil
   end
 
   ##
@@ -74,6 +93,7 @@ module UberLogin
     if cookie_manager.valid?
       session[:uid] = cookies[:uid]
       generate_new_token
+      session[:ulogin] = cookies[:ulogin]
       session[:uid]
     else
       cookie_manager.clear
@@ -86,7 +106,8 @@ module UberLogin
   # Sets the user cookies to match the new values
   def generate_new_token
     delete_from_database
-    generate_and_set_cookies(cookies[:uid])
+    composite = generate_and_save_token(cookies[:uid])
+    cookie_manager.persistent_login(cookies[:uid], composite)
   end
 
   ##
@@ -96,21 +117,16 @@ module UberLogin
   #
   # +:sequence+ is used to choose between all possible user login tokens
   # +:token+ is stored +bcrypt+ed in the database and then compared on login
-  def generate_and_set_cookies(uid)
-    sequence, token = generate_sequence_and_token
-    cookie_manager.persistent_login(uid, sequence, token)
-    save_to_database
+  def generate_and_save_token(uid)
+    sequence, token = TokenEncoder.generate
+    save_to_database(uid, sequence, token)
+    [ sequence, token ]
   end
 
   ##
   # Creates a LoginToken based on the +uid+, +sequence+ and hashed +token+
-  def save_to_database
-    token_row = LoginToken.new(
-        uid: cookies[:uid],
-        sequence: cookie_manager.sequence,
-        token: cookie_manager.hashed_token
-    )
-
+  def save_to_database(uid, sequence, token)
+    token_row = Storage.build(uid, TokenEncoder.encode(sequence, token))
     set_user_data token_row
 
     token_row.save!
@@ -119,15 +135,13 @@ module UberLogin
   ##
   # Removes a LoginToken with current +uid+ and given +sequence+
   # If +sequence+ is nil it is taken from the cookies.
+  #
+  # A token might have already been destroyed from another client with the intent of disconnecting
+  # the current session.
   def delete_from_database(sequence = nil)
-    sequence = sequence || cookie_manager.sequence
-    token = LoginToken.find_by(uid: cookies[:uid], sequence: sequence)
-    token.destroy
-  end
-
-  def generate_sequence_and_token
-    # 9 and 21 are both multiple of 3, so we do not get base64 padding (==)
-    [ SecureRandom.base64(9), SecureRandom.base64(21) ]
+    sequence = sequence || current_sequence
+    token = Storage.find(cookies[:uid] || session[:uid], sequence)
+    token.destroy if token
   end
 
   def set_user_data(row)
@@ -137,4 +151,12 @@ module UberLogin
     row.os = user_agent.os if row.respond_to? :os=
     row.browser = user_agent.browser + ' ' + user_agent.version if row.respond_to? :browser=
   end
+
+  def strong_sessions
+    UberLogin.configuration.strong_sessions
+  end
+
+  def current_sequence
+    TokenEncoder.sequence(cookies[:ulogin] || session[:ulogin])
+  end
 end

data/spec/cookie_manager_spec.rb

@@ -1,60 +1,54 @@
 require 'spec_helper'
 
-describe CookieManager do
-  let(:cookie_manager) { CookieManager.new({ uid: 100, ulogin: "dead:beef" }, FakeRequest.new) }
-
-  describe '#valid?' do
-    context 'User id and sequence combination is found' do
-      let(:fake_token) {
-        LoginToken.new(
-          token: BCrypt::Password.create("beef"),
-          ip_address: '192.168.1.1'
-        )
-      }
-
-      before { LoginToken.stub(:find_by).and_return fake_token }
-
-      it 'always executes token_match' do
-        expect(cookie_manager).to receive(:token_match)
-        cookie_manager.valid?
-      end
+describe UberLogin::CookieManager do
+  let(:user) { double(id: 100) }
+  let(:controller) { ApplicationController.new }
+  let(:session) { controller.session }
+  let(:cookies) { controller.cookies }
+  let(:cookie_manager) { UberLogin::CookieManager.new(cookies, FakeRequest.new) }
+
+  describe '#persistent_login' do
+    it 'sets the :uid cookie' do
+      cookie_manager.persistent_login(100, [ 'dead', 'beef' ])
+      expect(cookies[:uid]).to eq 100
+    end
 
-      it 'does not run ip_equality by default' do
-        expect(cookie_manager).to_not receive(:ip_equality)
-        cookie_manager.valid?
-      end
+    it 'sets the :ulogin cookie' do
+      cookie_manager.persistent_login(100, [ 'dead', 'beef' ])
+      expect(cookies[:ulogin]).to eq 'dead:beef'
+    end
+  end
 
-      context 'if IP are tied to Tokens' do
-        before { UberLogin.configuration.tie_tokens_to_ip = true }
+  describe '#clear' do
+    before { controller.login(user, true) }
 
-        it 'executes ip_equality' do
-          expect(cookie_manager).to receive(:ip_equality)
-          cookie_manager.valid?
-        end
-      end
+    it 'deletes the :uid cookie' do
+      cookie_manager.clear
+      expect(cookies[:uid]).to be_nil
+    end
 
-      it 'does not run expiration by default' do
-        expect(cookie_manager).to_not receive(:expiration)
-        cookie_manager.valid?
-      end
+    it 'deletes the :ulogin cookie' do
+      cookie_manager.clear
+      expect(cookies[:ulogin]).to be_nil
+    end
+  end
 
-      context 'if Tokens do expire' do
-        before { UberLogin.configuration.token_expiration = 86400 }
+  describe '#valid?' do
+    before { controller.login(user, true) }
 
-        it 'executes expiration' do
-          expect(cookie_manager).to receive(:expiration)
-          cookie_manager.valid?
-        end
-      end
+    context 'User id and sequence combination is found' do
+      before { UberLogin::Storage.stub(:find_composite).and_return user }
 
       context 'all checks return true' do
+        before { UberLogin::TokenValidator.any_instance.stub(:valid?).and_return true }
+
         it 'returns true' do
           expect(cookie_manager.valid?).to be_true
         end
       end
 
       context 'any check fails' do
-        before { Array.any_instance.stub(:all?).and_return false }
+        before { UberLogin::TokenValidator.any_instance.stub(:valid?).and_return false }
 
         it 'returns false' do
           expect(cookie_manager.valid?).to be_false
@@ -63,7 +57,7 @@ describe CookieManager do
     end
 
     context 'User id and sequence combination is not found' do
-      before { LoginToken.stub(:find_by).and_return nil }
+      before { UberLogin::Storage.stub(:find).and_return nil }
 
       it 'returns false' do
         expect(cookie_manager.valid?).to be_false
@@ -71,45 +65,23 @@ describe CookieManager do
     end
   end
 
-  describe '#token_match' do
-    before { cookie_manager.stub(:token).and_return 'secret' }
+  describe '#login_cookies?' do
+    before { controller.login(user, true) }
 
-    it 'returns true if tokens are matched' do
-      row = double(token: BCrypt::Password.create('secret', cost: 1))
-      expect(cookie_manager.token_match(row)).to be_true
-    end
-
-    it 'returns false if tokens are not matched' do
-      row = double(token: BCrypt::Password.create('s3cr3t', cost: 1))
-      expect(cookie_manager.token_match(row)).to be_false
-    end
-  end
-
-  describe '#ip_equality' do
-    before { FakeRequest.any_instance.stub(:remote_ip).and_return '10.10.10.10' }
-
-    it 'returns true if IPs are equal' do
-      row = double(ip_address: '10.10.10.10')
-      expect(cookie_manager.ip_equality(row)).to be_true
-    end
-
-    it 'returns false if IPs are different' do
-      row = double(ip_address: '192.168.1.1')
-      expect(cookie_manager.ip_equality(row)).to be_false
+    context 'both cookies are set' do
+      it 'returns true' do
+        expect(cookie_manager.login_cookies?).to be_true
+      end
     end
-  end
-
-  describe '#expiration' do
-    before { UberLogin.configuration.token_expiration = 86400 }
 
-    it 'returns true if less than token_expiration seconds are past' do
-      row = double(updated_at: Time.now - 100)
-      expect(cookie_manager.expiration(row)).to be_true
+    it 'returns false if uid is missing' do
+      cookies.delete :uid
+      expect(cookie_manager.login_cookies?).to be_false
     end
 
-    it 'returns false if more than token_expiration seconds are past' do
-      row = double(updated_at: Time.now - 86401)
-      expect(cookie_manager.expiration(row)).to be_false
+    it 'returns false if ulogin is missing' do
+      cookies.delete :ulogin
+      expect(cookie_manager.login_cookies?).to be_false
     end
   end
 end

data/spec/session_manager_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+
+describe UberLogin::SessionManager do
+  let(:user) { double(id: 100) }
+  let(:controller) { ApplicationController.new }
+  let(:session) { controller.session }
+  let(:cookies) { controller.cookies }
+  let(:session_manager) { UberLogin::SessionManager.new(session, FakeRequest.new) }
+
+  describe '#login' do
+    it 'sets the :uid variable' do
+      session_manager.login(100, [ 'dead', 'beef' ])
+      expect(session[:uid]).to eq 100
+    end
+
+    context 'strong_sessions are not enabled' do
+      before { UberLogin.configuration.strong_sessions = false }
+
+      it 'does not set the :ulogin cookie' do
+        session_manager.login(100, [ 'dead', 'beef' ])
+        expect(session[:ulogin]).to be_nil
+      end
+    end
+
+    context 'strong_sessions are enabled' do
+      before { UberLogin.configuration.strong_sessions = true }
+
+      it 'sets the :ulogin cookie' do
+        session_manager.login(100, [ 'dead', 'beef' ])
+        expect(session[:ulogin]).to_not be_nil
+      end
+    end
+  end
+
+  describe '#clear' do
+    before { controller.login(user, true) }
+
+    it 'deletes the :uid variable' do
+      session_manager.clear
+      expect(session[:uid]).to be_nil
+    end
+
+    it 'deletes the :ulogin variable' do
+      session_manager.clear
+      expect(session[:ulogin]).to be_nil
+    end
+  end
+
+  describe '#valid?' do
+    before { controller.login(user, true) }
+
+    context 'User id and sequence combination is found' do
+      before { UberLogin::Storage.stub(:find_composite).and_return user }
+
+      context 'all checks return true' do
+        before { UberLogin::TokenValidator.any_instance.stub(:valid?).and_return true }
+
+        it 'returns true' do
+          expect(session_manager.valid?).to be_true
+        end
+      end
+
+      context 'any check fails' do
+        before { UberLogin::TokenValidator.any_instance.stub(:valid?).and_return false }
+
+        it 'returns false' do
+          expect(session_manager.valid?).to be_false
+        end
+      end
+    end
+
+    context 'User id and sequence combination is not found' do
+      before { UberLogin::Storage.stub(:find).and_return nil }
+
+      it 'returns false' do
+        expect(session_manager.valid?).to be_false
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -63,6 +63,10 @@ class LoginToken
     new
   end
 
+  def self.destroy_all(hash)
+
+  end
+
   def updated_at
     Time.now - 100
   end
@@ -78,6 +82,6 @@ class User
   end
 
   def self.find(id)
-    User.new(id: id)
+    id ? User.new(id: id) : nil
   end
 end

data/spec/token_encoder_spec.rb

@@ -0,0 +1,58 @@
+describe UberLogin::TokenEncoder do
+  describe '#generate' do
+    it 'returns an array of size 2' do
+      expect(UberLogin::TokenEncoder.generate.size).to eq 2
+    end
+  end
+
+  describe '#encode' do
+    it 'retuns a string' do
+      expect(UberLogin::TokenEncoder.encode('what', 'ever').class).to eq String
+    end
+
+    it 'returns the two arguments separated by colons' do
+      expect(UberLogin::TokenEncoder.encode('what', 'ever')).to eq 'what:ever'
+    end
+  end
+
+  describe '#encode_array' do
+    it 'retuns a string' do
+      expect(UberLogin::TokenEncoder.encode_array([ 'what', 'ever' ]).class).to eq String
+    end
+
+    it 'returns the two arguments separated by colons' do
+      expect(UberLogin::TokenEncoder.encode_array([ 'what', 'ever' ])).to eq 'what:ever'
+    end
+  end
+
+  describe '#decode' do
+    it 'returns an array of size 2' do
+      expect(UberLogin::TokenEncoder.decode('dead:beef').size).to eq 2
+    end
+
+    it 'returns the two elements of the token' do
+      expect(UberLogin::TokenEncoder.decode('what:ever')).to eq [ 'what', 'ever' ]
+    end
+  end
+
+  describe '#sequence' do
+    it 'returns the first part of the token' do
+      expect(UberLogin::TokenEncoder.sequence('what:ever')).to eq 'what'
+    end
+  end
+
+  describe '#token' do
+    it 'returns the second part of the token' do
+      expect(UberLogin::TokenEncoder.token('what:ever')).to eq 'ever'
+    end
+  end
+
+  describe '#token_hash' do
+    it 'returns the second part of the token as a hash' do
+      token = UberLogin::TokenEncoder.token('what:ever')
+      hash = UberLogin::TokenEncoder.token_hash('what:ever')
+
+      expect(BCrypt::Password.new(hash)).to eq token
+    end
+  end
+end

data/spec/token_validator_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+describe UberLogin::TokenValidator do
+  let(:token_validator) { UberLogin::TokenValidator.new('secret', FakeRequest.new) }
+  let(:fake_token) {
+    LoginToken.new(
+        token: BCrypt::Password.create("beef"),
+        ip_address: '192.168.1.1'
+    )
+  }
+
+  describe '#valid?' do
+    it 'always executes token_match' do
+      expect(token_validator).to receive(:token_match)
+      token_validator.valid?(fake_token)
+    end
+
+    it 'does not run ip_equality by default' do
+      expect(token_validator).to_not receive(:ip_equality)
+      token_validator.valid?(fake_token)
+    end
+
+    context 'if IP are tied to tokens' do
+      before { UberLogin.configuration.tie_tokens_to_ip = true }
+      let(:token_validator) { UberLogin::TokenValidator.new('secret', FakeRequest.new) }
+
+      it 'executes ip_equality' do
+        token_validator.stub(:token_match).and_return true
+        expect(token_validator).to receive(:ip_equality)
+        token_validator.valid?(fake_token)
+      end
+    end
+
+    it 'does not run expiration by default' do
+      expect(token_validator).to_not receive(:expiration)
+      token_validator.valid?(fake_token)
+    end
+
+    context 'if tokens do expire' do
+      before { UberLogin.configuration.token_expiration = 86400 }
+      let(:token_validator) { UberLogin::TokenValidator.new('secret', FakeRequest.new) }
+
+      it 'executes expiration' do
+        token_validator.stub(:token_match).and_return true
+        expect(token_validator).to receive(:expiration)
+        token_validator.valid?(fake_token)
+      end
+    end
+
+    context 'all checks return true' do
+      before { Array.any_instance.stub(:all?).and_return true }
+
+      it 'returns true' do
+        expect(token_validator.valid?(fake_token)).to be_true
+      end
+    end
+
+    context 'any check fails' do
+      before { Array.any_instance.stub(:all?).and_return false }
+
+      it 'returns false' do
+        expect(token_validator.valid?(fake_token)).to be_false
+      end
+    end
+  end
+end

data/spec/uber_login_spec.rb

@@ -12,6 +12,34 @@ describe UberLogin do
         controller.login(user)
         expect(session[:uid]).to eq 100
       end
+
+      context 'sessions have stored tokens' do
+        before { UberLogin.configuration.strong_sessions = true }
+
+        it 'saves a token to database' do
+          expect_any_instance_of(LoginToken).to receive :save!
+          controller.login(user)
+        end
+
+        it 'sets session[:ulogin]' do
+          controller.login(user)
+          expect(session[:ulogin]).to_not be_nil
+        end
+      end
+
+      context 'sessions do not have stored tokens' do
+        before { UberLogin.configuration.strong_sessions = false }
+
+        it 'does not save a token to database' do
+          expect_any_instance_of(LoginToken).to_not receive :save!
+          controller.login(user)
+        end
+
+        it 'does not set session[:ulogin]' do
+          controller.login(user)
+          expect(session[:ulogin]).to be_nil
+        end
+      end
     end
 
     context 'remember is true' do
@@ -27,7 +55,7 @@ describe UberLogin do
 
       it 'sets the ulogin cookie' do
         controller.login(user, true)
-        expect(cookies[:ulogin]).to match(/[a-z0-9+\/]+:[a-z0-9+\/]+/i)
+        expect(cookies[:ulogin]).to match(/[a-z0-9_\-]+:[a-z0-9+\/]+/i)
       end
 
       it 'sets both cookies as persistent' do
@@ -37,37 +65,40 @@ describe UberLogin do
     end
 
     context 'only one session is allowed per user' do
-      before { UberLogin::Configuration.any_instance.stub(:allow_multiple_login).and_return false }
+      before { UberLogin.configuration.allow_multiple_login = false }
 
       it 'clears all the other tokens' do
-        expect_any_instance_of(LoginToken).to receive :destroy
+        expect(LoginToken).to receive :destroy_all
         controller.login(user)
       end
     end
   end
 
   describe '#logout' do
+    before { controller.login(user, true) }
+
     context 'sequence is nil' do
       it 'deletes session[:uid]' do
-        controller.login(user)
         controller.logout
         expect(session[:uid]).to be_nil
       end
 
-      context 'persistent login was made' do
-        before { controller.login(user, true) }
+      it 'deletes session[:ulogin]' do
+        controller.logout
+        expect(session[:ulogin]).to be_nil
+      end
 
-        it 'deletes session[:uid]' do
-          controller.logout
-          expect(session[:uid]).to be_nil
-        end
+      it 'deletes cookies[:uid]' do
+        controller.logout
+        expect(cookies[:uid]).to be_nil
+      end
 
-        it 'deletes login cookies' do
-          controller.logout
-          expect(cookies[:uid]).to be_nil
-          expect(cookies[:ulogin]).to be_nil
-        end
+      it 'deletes cookies[:ulogin]' do
+        controller.logout
+        expect(cookies[:ulogin]).to be_nil
+      end
 
+      context 'persistent login was made' do
         it 'deletes a LoginToken row' do
           expect {
             controller.logout
@@ -76,9 +107,37 @@ describe UberLogin do
       end
     end
 
-    context 'sequence is not nil' do
-      before { controller.login(user, true) }
+    context 'sequence is equal to current user sequence' do
+      it 'deletes session[:uid]' do
+        controller.logout(UberLogin::TokenEncoder.sequence(cookies[:ulogin]))
+        expect(session[:uid]).to be_nil
+      end
+
+      it 'deletes session[:ulogin]' do
+        controller.logout(UberLogin::TokenEncoder.sequence(cookies[:ulogin]))
+        expect(session[:ulogin]).to be_nil
+      end
+
+      it 'deletes cookies[:uid]' do
+        controller.logout(UberLogin::TokenEncoder.sequence(cookies[:ulogin]))
+        expect(cookies[:uid]).to be_nil
+      end
 
+      it 'deletes cookies[:ulogin]' do
+        controller.logout(UberLogin::TokenEncoder.sequence(cookies[:ulogin]))
+        expect(cookies[:ulogin]).to be_nil
+      end
+
+      context 'persistent login was made' do
+        it 'deletes a LoginToken row' do
+          expect {
+            controller.logout(UberLogin::TokenEncoder.sequence(cookies[:ulogin]))
+          }.to change{ LoginToken.count }.by -1
+        end
+      end
+    end
+
+    context 'sequence is not nil' do
       it 'does not clear session[:uid]' do
         controller.logout('sequence')
         expect(session[:uid]).to_not be_nil
@@ -103,72 +162,42 @@ describe UberLogin do
   end
 
   describe '#logout_all' do
+    before { controller.login(user, true) }
+
     it 'deletes session[:uid]' do
-      controller.login(user)
       controller.logout_all
       expect(session[:uid]).to be_nil
     end
 
-    it 'deletes session[:uid]' do
+    it 'deletes session[:ulogin]' do
       controller.logout_all
-      expect(session[:uid]).to be_nil
+      expect(session[:ulogin]).to be_nil
     end
 
-    it 'deletes login cookies' do
+    it 'deletes cookies[:uid]' do
       controller.logout_all
       expect(cookies[:uid]).to be_nil
-      expect(cookies[:ulogin]).to be_nil
     end
 
-    it 'deletes any token associated with the user' do
-      expect_any_instance_of(LoginToken).to receive :destroy
+    it 'deletes cookies[:ulogin]' do
       controller.logout_all
+      expect(cookies[:ulogin]).to be_nil
     end
-  end
-
-  describe '#save_to_database' do
-    before {
-      cookies[:uid] = "100"
-      cookies[:ulogin] = "dead:beef"
-    }
-
-    it 'saves the triplet to the database' do
-      expect_any_instance_of(LoginToken).to receive(:save!)
-      controller.send('save_to_database')
-    end
-  end
-
-  describe '#set_user_data' do
-    let(:row) { LoginToken.new }
-
-    context 'the token table has an "ip_address" field' do
-      it 'sets the field to the client IP' do
-        expect(row).to receive(:ip_address=).with('192.168.1.1')
-        controller.send('set_user_data', row)
-      end
-    end
-
-    context 'the token table has an "os" field' do
-      it 'sets the field to the client Operating System' do
-        expect(row).to receive(:os=).with('Linux x86_64')
-        controller.send('set_user_data', row)
-      end
-    end
-
-    context 'the token table has a "browser" field' do
-      it 'sets the field to the client Browser and version' do
-        expect(row).to receive(:browser=).with('Chrome 32.0.1667.0')
-        controller.send('set_user_data', row)
-      end
+    it 'deletes any token associated with the user' do
+      expect(LoginToken).to receive :destroy_all
+      controller.logout_all
     end
   end
 
-  describe '#current_user_uncached' do
+  describe '#current_user' do
     context 'session[:uid] is set' do
-      before { session[:uid] = 100 }
+      before {
+        session[:uid] = 100
+        session[:ulogin] = 'dead:beef'
+      }
 
       it 'returns an user object with that uid' do
-        expect(controller.send(:current_user_uncached).id).to eq 100
+        expect(controller.current_user.id).to eq 100
       end
     end
 
@@ -182,38 +211,38 @@ describe UberLogin do
         }
 
         context 'the cookies are valid' do
-          before { CookieManager.any_instance.stub(:valid?).and_return true }
+          before { UberLogin::CookieManager.any_instance.stub(:valid?).and_return true }
 
           it 'returns an user object with that uid' do
-            expect(controller.send(:current_user_uncached).id).to eq "100"
+            expect(controller.current_user.id).to eq "100"
           end
 
           it 'deletes the token from the database' do
             expect_any_instance_of(LoginToken).to receive(:destroy)
-            controller.send(:current_user_uncached)
+            controller.current_user
           end
 
           it 'creates a new token for the next login' do
             expect_any_instance_of(LoginToken).to receive(:save!)
-            controller.send(:current_user_uncached)
+            controller.current_user
           end
 
           it 'refreshes the cookie' do
-            controller.send(:current_user_uncached)
+            controller.current_user
             expect(cookies[:uid]).to eq "100"
             expect(cookies[:ulogin]).to_not eq "whatever:beef"
           end
         end
 
         context 'the cookies are not valid' do
-          before { CookieManager.any_instance.stub(:valid?).and_return false }
+          before { UberLogin::CookieManager.any_instance.stub(:valid?).and_return false }
 
           it 'returns nil' do
-            expect(controller.send(:current_user_uncached)).to be_nil
+            expect(controller.current_user).to be_nil
           end
 
           it 'clears the cookies for this user' do
-            controller.send(:current_user_uncached)
+            controller.current_user
             expect(cookies[:uid]).to be_nil
             expect(cookies[:ulogin]).to be_nil
           end
@@ -222,7 +251,7 @@ describe UberLogin do
 
       context 'cookies are not set' do
         it 'returns nil' do
-          expect(controller.send(:current_user_uncached)).to be_nil
+          expect(controller.current_user).to be_nil
         end
       end
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: uber_login
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Francesco Boffa
@@ -32,11 +32,19 @@ extra_rdoc_files: []
 files:
 - lib/uber_login.rb
 - lib/uber_login/cookie_manager.rb
+- lib/uber_login/token_validator.rb
+- lib/uber_login/token_encoder.rb
+- lib/uber_login/storage.rb
 - lib/uber_login/version.rb
+- lib/uber_login/session_manager.rb
 - lib/uber_login/configuration.rb
+- spec/token_encoder_spec.rb
+- spec/storage_spec.rb
 - spec/spec_helper.rb
 - spec/cookie_manager_spec.rb
 - spec/uber_login_spec.rb
+- spec/session_manager_spec.rb
+- spec/token_validator_spec.rb
 homepage: https://github.com/AlfaOmega08/uber_login
 licenses:
 - MIT
@@ -65,7 +73,11 @@ summary: Tired of rewriting the login, logout and current_user methods for the m
   This gem will solve all of this problems and still leave you the control over your
   application.
 test_files:
+- spec/token_encoder_spec.rb
+- spec/storage_spec.rb
 - spec/spec_helper.rb
 - spec/cookie_manager_spec.rb
 - spec/uber_login_spec.rb
+- spec/session_manager_spec.rb
+- spec/token_validator_spec.rb
 has_rdoc: