upstream-devise 2.1.0.rc

data/lib/devise/encryptors/clearance_sha1.rb

@@ -0,0 +1,17 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = ClearanceSha1
+    # Simulates Clearance's default encryption mechanism.
+    # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+    # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES
+    class ClearanceSha1 < Base
+      # Generates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+      end
+    end
+  end
+end

data/lib/devise/encryptors/restful_authentication_sha1.rb

@@ -0,0 +1,22 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = RestfulAuthenticationSha1
+    # Simulates Restful Authentication's default encryption mechanism.
+    # Warning: it uses Devise's pepper to port the concept of REST_AUTH_SITE_KEY
+    # Warning: it uses Devise's stretches configuration to port the concept of REST_AUTH_DIGEST_STRETCHES. Should be set to 10 in
+    # the initializer to simulate the default behavior.
+    class RestfulAuthenticationSha1 < Base
+
+      # Generates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = Digest::SHA1.hexdigest([digest, salt, password, pepper].flatten.join('--')) }
+        digest
+      end
+
+    end
+  end
+end

data/lib/devise/encryptors/sha1.rb

@@ -0,0 +1,25 @@
+require "digest/sha1"
+
+module Devise
+  module Encryptors
+    # = Sha1
+    # Uses the Sha1 hash algorithm to encrypt passwords.
+    class Sha1 < Base
+      # Generates a default password digest based on stretches, salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+        digest
+      end
+
+    private
+
+      # Generate a SHA1 digest joining args. Generated token is something like
+      #   --arg1--arg2--arg3--argN--
+      def self.secure_digest(*tokens)
+        ::Digest::SHA1.hexdigest('--' << tokens.flatten.join('--') << '--')
+      end
+    end
+  end
+end

data/lib/devise/encryptors/sha512.rb

@@ -0,0 +1,25 @@
+require "digest/sha2"
+
+module Devise
+  module Encryptors
+    # = Sha512
+    # Uses the Sha512 hash algorithm to encrypt passwords.
+    class Sha512 < Base
+      # Generates a default password digest based on salt, pepper and the
+      # incoming password.
+      def self.digest(password, stretches, salt, pepper)
+        digest = pepper
+        stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
+        digest
+      end
+
+    private
+
+      # Generate a Sha512 digest joining args. Generated token is something like
+      #   --arg1--arg2--arg3--argN--
+      def self.secure_digest(*tokens)
+        ::Digest::SHA512.hexdigest('--' << tokens.flatten.join('--') << '--')
+      end
+    end
+  end
+end

data/lib/devise/failure_app.rb

@@ -0,0 +1,185 @@
+require "action_controller/metal"
+
+module Devise
+  # Failure application that will be called every time :warden is thrown from
+  # any strategy or hook. Responsible for redirect the user to the sign in
+  # page based on current scope and mapping. If no scope is given, redirect
+  # to the default_url.
+  class FailureApp < ActionController::Metal
+    include ActionController::RackDelegation
+    include ActionController::UrlFor
+    include ActionController::Redirecting
+
+    include Rails.application.routes.url_helpers
+    include Rails.application.routes.mounted_helpers
+
+    delegate :flash, :to => :request
+
+    def self.call(env)
+      @respond ||= action(:respond)
+      @respond.call(env)
+    end
+
+    def self.default_url_options(*args)
+      if defined?(ApplicationController)
+        ApplicationController.default_url_options(*args)
+      else
+        {}
+      end
+    end
+
+    def respond
+      if http_auth?
+        http_auth
+      elsif warden_options[:recall]
+        recall
+      else
+        redirect
+      end
+    end
+
+    def http_auth
+      self.status = 401
+      self.headers["WWW-Authenticate"] = %(Basic realm=#{Devise.http_authentication_realm.inspect}) if http_auth_header?
+      self.content_type = request.format.to_s
+      self.response_body = http_auth_body
+    end
+
+    def recall
+      env["PATH_INFO"]  = attempted_path
+      flash.now[:alert] = i18n_message(:invalid)
+      self.response = recall_app(warden_options[:recall]).call(env)
+    end
+
+    def redirect
+      store_location!
+      if flash[:timedout] && flash[:alert]
+        flash.keep(:timedout)
+        flash.keep(:alert)
+      else
+        flash[:alert] = i18n_message
+      end
+      redirect_to redirect_url
+    end
+
+  protected
+
+    def i18n_message(default = nil)
+      message = warden_message || default || :unauthenticated
+
+      if message.is_a?(Symbol)
+        I18n.t(:"#{scope}.#{message}", :resource_name => scope,
+               :scope => "devise.failure", :default => [message])
+      else
+        message.to_s
+      end
+    end
+
+    def redirect_url
+      if warden_message == :timeout
+        flash[:timedout] = true
+        attempted_path || scope_path
+      else
+        scope_path
+      end
+    end
+
+    def scope_path
+      opts  = {}
+      route = :"new_#{scope}_session_path"
+      opts[:format] = request_format unless skip_format?
+      opts[:script_name] = nil
+
+      context = send(Devise.available_router_name)
+
+      if context.respond_to?(route)
+        context.send(route, opts)
+      elsif respond_to?(:root_path)
+        root_path(opts)
+      else
+        "/"
+      end
+    end
+
+    def skip_format?
+      %w(html */*).include? request_format.to_s
+    end
+
+    # Choose whether we should respond in a http authentication fashion,
+    # including 401 and optional headers.
+    #
+    # This method allows the user to explicitly disable http authentication
+    # on ajax requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your ajax API
+    # is the same as your public API and uses a format like JSON (so you
+    # cannot mark JSON as a navigational format).
+    def http_auth?
+      if request.xhr?
+        Devise.http_authenticatable_on_xhr
+      else
+        !(request_format && is_navigational_format?)
+      end
+    end
+
+    # It does not make sense to send authenticate headers in ajax requests
+    # or if the user disabled them.
+    def http_auth_header?
+      Devise.mappings[scope].to.http_authenticatable && !request.xhr?
+    end
+
+    def http_auth_body
+      return i18n_message unless request_format
+      method = "to_#{request_format}"
+      if method == "to_xml"
+        { :error => i18n_message }.to_xml(:root => "errors")
+      elsif {}.respond_to?(method)
+        { :error => i18n_message }.send(method)
+      else
+        i18n_message
+      end
+    end
+
+    def recall_app(app)
+      controller, action = app.split("#")
+      controller_name  = ActiveSupport::Inflector.camelize(controller)
+      controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+      controller_klass.action(action)
+    end
+
+    def warden
+      env['warden']
+    end
+
+    def warden_options
+      env['warden.options']
+    end
+
+    def warden_message
+      @message ||= warden.message || warden_options[:message]
+    end
+
+    def scope
+      @scope ||= warden_options[:scope] || Devise.default_scope
+    end
+
+    def attempted_path
+      warden_options[:attempted_path]
+    end
+
+    # Stores requested uri to redirect the user after signing in. We cannot use
+    # scoped session provided by warden here, since the user is not authenticated
+    # yet, but we still need to store the uri based on scope, so different scopes
+    # would never use the same uri to redirect.
+    def store_location!
+      session["#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
+    end
+
+    def is_navigational_format?
+      Devise.navigational_formats.include?(request_format)
+    end
+
+    def request_format
+      @request_format ||= request.format.try(:ref)
+    end
+  end
+end

data/lib/devise/hooks/activatable.rb

@@ -0,0 +1,11 @@
+# Deny user access whenever his account is not active yet. All strategies that inherits from
+# Devise::Strategies::Authenticatable and uses the validate already check if the user is active_for_authentication?
+# before actively signing him in. However, we need this as hook to validate the user activity
+# in each request and in case the user is using other strategies beside Devise ones.
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
+    scope = options[:scope]
+    warden.logout(scope)
+    throw :warden, :scope => scope, :message => record.inactive_message
+  end
+end

data/lib/devise/hooks/forgetable.rb

@@ -0,0 +1,9 @@
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is not persisted.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, options|
+  if record.respond_to?(:forget_me!)
+    Devise::Controllers::Rememberable::Proxy.new(warden).forget_me(record)
+  end
+end

data/lib/devise/hooks/lockable.rb

@@ -0,0 +1,7 @@
+# After each sign in, if resource responds to failed_attempts, sets it to 0
+# This is only triggered when the user is explicitly set (with set_user)
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
+    record.update_attribute(:failed_attempts, 0)
+  end
+end

data/lib/devise/hooks/rememberable.rb

@@ -0,0 +1,6 @@
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  scope = options[:scope]
+  if record.respond_to?(:remember_me) && record.remember_me && warden.authenticated?(scope)
+    Devise::Controllers::Rememberable::Proxy.new(warden).remember_me(record)
+  end
+end

data/lib/devise/hooks/timeoutable.rb

@@ -0,0 +1,22 @@
+# Each time a record is set we check whether its session has already timed out
+# or not, based on last request time. If so, the record is logged out and
+# redirected to the sign in page. Also, each time the request comes and the
+# record is set, we set the last request time inside its scoped session to
+# verify timeout in the following request.
+Warden::Manager.after_set_user do |record, warden, options|
+  scope = options[:scope]
+
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
+    last_request_at = warden.session(scope)['last_request_at']
+
+    if record.timedout?(last_request_at)
+      warden.logout(scope)
+      record.reset_authentication_token! if record.respond_to?(:reset_authentication_token!) && record.expire_auth_token_on_timeout
+      throw :warden, :scope => scope, :message => :timeout
+    end
+
+    unless warden.request.env['devise.skip_trackable']
+      warden.session(scope)['last_request_at'] = Time.now.utc
+    end
+  end
+end

data/lib/devise/hooks/trackable.rb

@@ -0,0 +1,9 @@
+# After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope]) && !warden.request.env['devise.skip_trackable']
+    record.update_tracked_fields!(warden.request)
+  end
+end

data/lib/devise/mailers/helpers.rb

@@ -0,0 +1,86 @@
+module Devise
+  module Mailers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        include Devise::Controllers::ScopedViews
+        attr_reader :scope_name, :resource
+      end
+
+      protected
+
+      # Configure default email options
+      def devise_mail(record, action)
+        initialize_from_record(record)
+        mail headers_for(action)
+      end
+
+      def initialize_from_record(record)
+        @scope_name = Devise::Mapping.find_scope!(record)
+        @resource   = instance_variable_set("@#{devise_mapping.name}", record)
+      end
+
+      def devise_mapping
+        @devise_mapping ||= Devise.mappings[scope_name]
+      end
+
+      def headers_for(action)
+        headers = {
+          :subject       => translate(devise_mapping, action),
+          :from          => mailer_sender(devise_mapping),
+          :to            => resource.email,
+          :template_path => template_paths
+        }
+
+        if resource.respond_to?(:headers_for)
+          headers.merge!(resource.headers_for(action))
+        end
+
+        unless headers.key?(:reply_to)
+          headers[:reply_to] = headers[:from]
+        end
+
+        headers
+      end
+
+      def mailer_sender(mapping)
+        if default_params[:from].present?
+          default_params[:from]
+        elsif Devise.mailer_sender.is_a?(Proc)
+          Devise.mailer_sender.call(mapping.name)
+        else
+          Devise.mailer_sender
+        end
+      end
+
+      def template_paths
+        template_path = [self.class.mailer_name]
+        template_path.unshift "#{@devise_mapping.scoped_path}/mailer" if self.class.scoped_views?
+        template_path
+      end
+
+      # Setup a subject doing an I18n lookup. At first, it attemps to set a subject
+      # based on the current mapping:
+      #
+      #   en:
+      #     devise:
+      #       mailer:
+      #         confirmation_instructions:
+      #           user_subject: '...'
+      #
+      # If one does not exist, it fallbacks to ActionMailer default:
+      #
+      #   en:
+      #     devise:
+      #       mailer:
+      #         confirmation_instructions:
+      #           subject: '...'
+      #
+      def translate(mapping, key)
+        I18n.t(:"#{mapping.name}_subject", :scope => [:devise, :mailer, key],
+          :default => [:subject, key.to_s.humanize])
+      end
+    end
+  end
+end

data/lib/devise/mapping.rb

@@ -0,0 +1,172 @@
+module Devise
+  # Responsible for handling devise mappings and routes configuration. Each
+  # resource configured by devise_for in routes is actually creating a mapping
+  # object. You can refer to devise_for in routes for usage options.
+  #
+  # The required value in devise_for is actually not used internally, but it's
+  # inflected to find all other values.
+  #
+  #   map.devise_for :users
+  #   mapping = Devise.mappings[:user]
+  #
+  #   mapping.name #=> :user
+  #   # is the scope used in controllers and warden, given in the route as :singular.
+  #
+  #   mapping.as   #=> "users"
+  #   # how the mapping should be search in the path, given in the route as :as.
+  #
+  #   mapping.to   #=> User
+  #   # is the class to be loaded from routes, given in the route as :class_name.
+  #
+  #   mapping.modules  #=> [:authenticatable]
+  #   # is the modules included in the class
+  #
+  class Mapping #:nodoc:
+    attr_reader :singular, :scoped_path, :path, :controllers, :path_names,
+                :class_name, :sign_out_via, :format, :used_routes, :used_helpers, :failure_app
+
+    alias :name :singular
+
+    # Receives an object and find a scope for it. If a scope cannot be found,
+    # raises an error. If a symbol is given, it's considered to be the scope.
+    def self.find_scope!(duck)
+      case duck
+      when String, Symbol
+        return duck
+      when Class
+        Devise.mappings.each_value { |m| return m.name if duck <= m.to }
+      else
+        Devise.mappings.each_value { |m| return m.name if duck.is_a?(m.to) }
+      end
+
+      raise "Could not find a valid mapping for #{duck.inspect}"
+    end
+
+    def self.find_by_path!(path, path_type=:fullpath)
+      Devise.mappings.each_value { |m| return m if path.include?(m.send(path_type)) }
+      raise "Could not find a valid mapping for path #{path.inspect}"
+    end
+
+    def initialize(name, options) #:nodoc:
+      @scoped_path = options[:as] ? "#{options[:as]}/#{name}" : name.to_s
+      @singular = (options[:singular] || @scoped_path.tr('/', '_').singularize).to_sym
+
+      @class_name = (options[:class_name] || name.to_s.classify).to_s
+      @klass = Devise.ref(@class_name)
+
+      @path = (options[:path] || name).to_s
+      @path_prefix = options[:path_prefix]
+
+      @sign_out_via = options[:sign_out_via] || Devise.sign_out_via
+      @format = options[:format]
+
+      default_failure_app(options)
+      default_controllers(options)
+      default_path_names(options)
+      default_used_route(options)
+      default_used_helpers(options)
+    end
+
+    # Return modules for the mapping.
+    def modules
+      @modules ||= to.respond_to?(:devise_modules) ? to.devise_modules : []
+    end
+
+    # Gives the class the mapping points to.
+    def to
+      @klass.get
+    end
+
+    def strategies
+      @strategies ||= STRATEGIES.values_at(*self.modules).compact.uniq.reverse
+    end
+
+    def no_input_strategies
+      self.strategies & Devise::NO_INPUT
+    end
+
+    def routes
+      @routes ||= ROUTES.values_at(*self.modules).compact.uniq
+    end
+
+    def authenticatable?
+      @authenticatable ||= self.modules.any? { |m| m.to_s =~ /authenticatable/ }
+    end
+
+    def fullpath
+      "/#{@path_prefix}/#{@path}".squeeze("/")
+    end
+
+    # Create magic predicates for verifying what module is activated by this map.
+    # Example:
+    #
+    #   def confirmable?
+    #     self.modules.include?(:confirmable)
+    #   end
+    #
+    def self.add_module(m)
+      class_eval <<-METHOD, __FILE__, __LINE__ + 1
+        def #{m}?
+          self.modules.include?(:#{m})
+        end
+      METHOD
+    end
+
+    private
+
+    def default_failure_app(options)
+      @failure_app = options[:failure_app] || Devise::FailureApp
+      if @failure_app.is_a?(String)
+        ref = Devise.ref(@failure_app)
+        @failure_app = lambda { |env| ref.get.call(env) }
+      end
+    end
+
+    def default_controllers(options)
+      mod = options[:module] || "devise"
+      @controllers = Hash.new { |h,k| h[k] = "#{mod}/#{k}" }
+      @controllers.merge!(options[:controllers]) if options[:controllers]
+      @controllers.each { |k,v| @controllers[k] = v.to_s }
+    end
+
+    def default_path_names(options)
+      @path_names = Hash.new { |h,k| h[k] = k.to_s }
+      @path_names[:registration] = ""
+      @path_names.merge!(options[:path_names]) if options[:path_names]
+    end
+
+    def default_constraints(options)
+      @constraints = Hash.new
+      @constraints.merge!(options[:constraints]) if options[:constraints]
+    end
+
+    def default_defaults(options)
+      @defaults = Hash.new
+      @defaults.merge!(options[:defaults]) if options[:defaults]
+    end
+
+    def default_used_route(options)
+      singularizer = lambda { |s| s.to_s.singularize.to_sym }
+
+      if options.has_key?(:only)
+        @used_routes = self.routes & Array(options[:only]).map(&singularizer)
+      elsif options[:skip] == :all
+        @used_routes = []
+      else
+        @used_routes = self.routes - Array(options[:skip]).map(&singularizer)
+      end
+    end
+
+    def default_used_helpers(options)
+      singularizer = lambda { |s| s.to_s.singularize.to_sym }
+
+      if options[:skip_helpers] == true
+        @used_helpers = @used_routes
+      elsif skip = options[:skip_helpers]
+        @used_helpers = self.routes - Array(skip).map(&singularizer)
+      else
+        @used_helpers = self.routes
+      end
+    end
+  end
+end