vita-clearance 0.6.2

data/CHANGELOG.textile

@@ -0,0 +1,123 @@
+h2. 0.6.2 (04/22/2009)
+
+* Insert Clearance::User into User model if it exists. (Nick Quaranto)
+* World(NavigationHelpers) Cucumber 3.0 style. (Shay Arnett & Mark Cornick)
+
+h2. 0.6.1 (04/21/2009)
+* Scope operators are necessary to keep Rails happy. Reverting the original
+revert so they're back in the library now for constants referenced inside of
+the gem. (Nick Quaranto)
+
+h2. 0.6.0 (04/21/2009)
+
+* Converted Clearance to a Rails engine. (Dan Croak & Joe Ferris)
+* Include Clearance::User in User model in app. (Dan Croak & Joe Ferris)
+* Include Clearance::Authentication in ApplicationController. (Dan Croak & Joe Ferris)
+* Namespace controllers under Clearance. (Dan Croak & Joe Ferris)
+* Routes move to engine, use namespaced controllers but publicly the same. (Dan Croak & Joe Ferris)
+* If you want to override a controller, subclass it like SessionsController <
+Clearance::SessionsController. This gives you access to usual hooks such as
+url_after_create. (Dan Croak & Joe Ferris)
+* Controllers, mailer, model, routes all unit tested inside engine. Use
+script/generate clearance_features to test integration of Clearance with your
+Rails app. No longer including modules in your app's test files. (Dan Croak & Joe Ferris)
+* Moved views to engine. (Joe Ferris)
+* Converted generated test/factories/clearance.rb to use inheritence for
+email_confirmed_user. (Dan Croak)
+* Corrected some spelling errors with methods (Nick Quaranto)
+* Converted "I should see error messages" to use a regex in the features (Nick
+Quaranto)
+* Loading clearance routes after rails routes via some monkeypatching (Nick
+Quaranto)
+* Made the clearance controllers unloadable to stop constant loading errors in
+development mode (Nick Quaranto)
+
+h2. 0.5.6 (4/11/2009)
+
+* [#57] Step definition changed for "User should see error messages" so
+features won't fail for certain validations. (Nick Quaranto)
+
+h2. 0.5.5 (3/23/2009)
+
+* Removing duplicate test to get rid of warning. (Nick Quaranto)
+
+h2. 0.5.4 (3/21/2009)
+
+* When users fail logging in, redirect them instead of rendering. (Matt
+Jankowski)
+
+h2. 0.5.3 (3/5/2009)
+
+* Clearance now works with (and requires) Shoulda 2.10.0. (Mark Cornick, Joe
+Ferris, Dan Croak)
+* Prefer flat over nested contexts in sessions_controller_test. (Joe Ferris,
+Dan Croak)
+
+h2. 0.5.2 (3/2/2009)
+
+* Fixed last remaining errors in Rails 2.3 tests. Now fully compatible. (Joe
+Ferris, Dan Croak)
+
+h2. 0.5.1 (2/27/2009)
+
+* [#46] A user with unconfirmed email who resets password now confirms email.
+(Marcel Görner)
+* Refactored user_from_cookie, user_from_session, User#authenticate to use
+more direct return code instead of ugly, harder to read ternary. (Dan Croak)
+* Switch order of cookies and sessions to take advantage of Rails 2.3's "Rack-based lazy-loaded sessions":http://is.gd/i23E. (Dan Croak)
+* Altered generator to interact with application_controller.rb instead of
+application.rb in Rails 2.3 apps. (Dan Croak)
+* [#42] Bug fix. Rack-based session change altered how to test remember me
+cookie. (Mihai Anca)
+
+h2. 0.5.0 (2/27/2009)
+
+* Fixed problem with Cucumber features. (Dan Croak)
+* Fixed mising HTTP fluency use case. (Dan Croak)
+* Refactored User#update_password to take just parameters it needs. (Dan
+Croak)
+* Refactored User unit tests to be more readable. (Dan Croak)
+
+h2. 0.4.9 (2/20/2009)
+
+* Protect passwords & confirmations actions with forbidden filters. (Dan Croak)
+* Return 403 Forbidden status code in those cases. (Tim Pope)
+* Test 403 Forbidden status code in Cucumber feature. (Dan Croak, Joe Ferris)
+* Raise custom ActionController::Forbidden error internally. (Joe Ferris, Mike Burns, Jason Morrison)
+* Test ActionController::Forbidden error is raised in functional test. (Joe Ferris, Mike Burns, Dan Croak)
+* [#45] Fixed bug that allowed anyone to edit another user's password (Marcel Görner)
+* Required Factory Girl >= 1.2.0. (Dan Croak)
+
+h2. 0.4.8 (2/16/2009)
+
+* Added support paths for Cucumber. (Ben Mabey)
+* Added documentation for the flash. (Ben Mabey)
+* Generators require "test_helper" instead of File.join. for rr compatibility. (Joe Ferris)
+* Removed interpolated email address from flash message to make i18n easier. (Bence Nagy)
+* Standardized flash messages that refer to email delivery. (Dan Croak)
+
+h2. 0.4.7 (2/12/2009)
+
+* Removed Clearance::Test::TestHelper so there is one less setup step. (Dan Croak)
+* All test helpers now in shoulda_macros. (Dan Croak)
+
+h2. 0.4.6 (2/11/2009)
+
+* Made the modules behave like mixins again. (hat-tip Eloy Duran)
+* Created Actions and PrivateMethods modules on controllers for future RDoc reasons. (Dan Croak, Joe Ferris)
+
+h2. 0.4.5 (2/9/2009)
+
+* [#43] Removed email downcasing because local-part is case sensitive per RFC5321. (Dan Croak)
+* [#42] Removed dependency on Mocha. (Dan Croak)
+* Required Shoulda >= 2.9.1. (Dan Croak)
+* Added password reset feature to clearance_features generator. (Eugene Bolshakov, Dan Croak)
+* Removed unnecessary session[:salt]. (Dan Croak)
+* [#41] Only store location for session[:return_to] for GET requests. (Dan Croak)
+* Audited "sign up" naming convention. "Register" had slipped in a few places. (Dan Croak)
+* Switched to SHA1 encryption. Cypher doesn't matter much for email confirmation, password reset. Better to have shorter hashes in the emails for clients who line break on 72 chars. (Dan Croak)
+
+h2. 0.4.4 (2/2/2009)
+
+* Added a generator for Cucumber features. (Joe Ferris, Dan Croak)
+* Standarized naming for "Sign up," "Sign in," and "Sign out". (Dan Croak) 

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2008 thoughtbot, inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.textile

@@ -0,0 +1,109 @@
+h1. Clearance
+
+Rails authentication with email & password.
+
+"We have clearance, Clarence.":http://www.youtube.com/v/mNRXJEE3Nz8
+
+h2. Wiki
+
+Most information regarding Clearance is on the "Github Wiki":http://wiki.github.com/thoughtbot/clearance.
+
+h2. Engine
+
+Clearance is a Rails engine. It works with versions of Rails greater than 2.3.
+
+In config/environment.rb:
+
+    config.gem "thoughtbot-clearance", 
+      :lib     => 'clearance', 
+      :source  => 'http://gems.github.com', 
+      :version => '0.6.2'
+
+Vendor the gem:
+
+    rake gems:install
+    rake gems:unpack
+
+Make sure the development database exists and run the generator:
+
+    script/generate clearance
+
+A number of files will be created and instructions will be printed.
+
+You may already have some of these files. Don't worry. You'll be asked if you want to overwrite them.
+
+h2. Environment
+
+Define a HOST constant in your environment files.
+In config/environments/test.rb and config/environments/development.rb it can be:
+
+    HOST = "localhost"
+
+In production.rb it must be the actual host your application is deployed to.
+The constant is used by mailers to generate URLs in emails.
+
+In config/environment.rb:
+
+    DO_NOT_REPLY = "donotreply@example.com"
+
+Define root_url to *something* in your config/routes.rb:
+
+    map.root :controller => 'home'
+
+h2. Cucumber Features
+
+As your app evolves, you want to know that authentication still works. Clearance's opinion is that you should test its integration with your app using "Cucumber":http://cukes.info/.
+
+In config/environments/test.rb:
+
+    config.gem 'webrat',
+      :version => '= 0.4.4'
+    config.gem 'cucumber',
+      :version => '= 0.3.0'
+    config.gem 'thoughtbot-factory_girl',
+      :lib     => 'factory_girl',
+      :source  => "http://gems.github.com", 
+      :version => '1.2.1'
+
+Install nokogiri but don't vendor it (due to its native extensions):
+
+   sudo gem install nokogiri
+
+Vendor the gems:
+
+    rake gems:install RAILS_ENV=test
+    rake gems:unpack  RAILS_ENV=test
+
+Run the Cucumber generator (if you haven't already) and Clearance's feature generator:
+
+    script/generate cucumber
+    script/generate clearance_features
+
+All of the files generated should be new with the exception of the features/support/paths.rb file. If you have not modified your paths.rb then you will be okay to replace it with this one. If you need to keep your paths.rb file then add these locations in your paths.rb manually:
+
+    def path_to(page_name)
+      case page_name
+       ...
+      when /the sign up page/i
+       new_user_path
+      when /the sign in page/i
+       new_session_path 
+      when /the password reset request page/i
+       new_password_path
+      ...
+    end
+
+h2. Authors
+
+Clearance was extracted out of "Hoptoad":http://hoptoadapp.com. We merged the authentication code from two of thoughtbot's client's Rails apps. The following people have made significant contributions, suggestions, and generally improved the library. Thank you!
+
+Dan Croak, Mike Burns, Jason Morrison, Joe Ferris, Eugene Bolshakov, Nick Quaranto, Josh Nichols, Mike Breen, Marcel Görner, Bence Nagy, Ben Mabey, Eloy Duran, Tim Pope, Mihai Anca, Mark Cornick, & Shay Arnett.
+
+h2. Questions?
+
+* Ask the "mailing list":http://groups.google.com/group/thoughtbot-clearance
+
+h2. Bugs?
+
+* Open up a "Lighthouse ticket":https://thoughtbot.lighthouseapp.com/projects/18503-clearance
+

data/Rakefile

@@ -0,0 +1,73 @@
+require 'rake'
+require 'rake/testtask'
+require 'cucumber/rake/task'
+
+namespace :test do
+  Rake::TestTask.new(:all => ['generator:cleanup', 
+                              'generator:generate']) do |task|
+    task.libs << 'lib'
+    task.libs << "test"
+    task.pattern = 'test/**/*_test.rb'
+    task.verbose = false
+  end
+
+  Cucumber::Rake::Task.new(:features) do |t|
+    t.cucumber_opts = "--format progress"
+    t.feature_pattern = 'test/rails_root/features/*.feature'
+  end
+end
+
+generators = %w(clearance clearance_features)
+
+namespace :generator do
+  desc "Cleans up the test app before running the generator"
+  task :cleanup do
+    generators.each do |generator|
+      FileList["generators/#{generator}/templates/**/*.*"].each do |each|
+        file = "test/rails_root/#{each.gsub("generators/#{generator}/templates/",'')}"
+        File.delete(file) if File.exists?(file)
+      end
+    end
+
+    FileList["test/rails_root/db/**/*"].each do |each| 
+      FileUtils.rm_rf(each)
+    end
+    FileUtils.rm_rf("test/rails_root/vendor/plugins/clearance")
+    FileUtils.mkdir_p("test/rails_root/vendor/plugins")
+    clearance_root = File.expand_path(File.dirname(__FILE__))
+    system("ln -s #{clearance_root} test/rails_root/vendor/plugins/clearance")
+  end
+
+  desc "Run the generator on the tests"
+  task :generate do
+    generators.each do |generator|
+      system "cd test/rails_root && ./script/generate #{generator} && rake db:migrate db:test:prepare"
+    end
+  end
+end
+
+desc "Run the test suite"
+task :default => ['test:all', 'test:features']
+
+gem_spec = Gem::Specification.new do |gem_spec|
+  gem_spec.name        = "clearance"
+  gem_spec.version     = "0.6.2"
+  gem_spec.summary     = "Rails authentication with email & password."
+  gem_spec.email       = "support@thoughtbot.com"
+  gem_spec.homepage    = "http://github.com/thoughtbot/clearance"
+  gem_spec.description = "Rails authentication with email & password."
+  gem_spec.authors     = ["Dan Croak", "Mike Burns", "Jason Morrison",
+                          "Joe Ferris", "Eugene Bolshakov", "Nick Quaranto",
+                          "Josh Nichols", "Mike Breen", "Marcel Görner",
+                          "Bence Nagy", "Ben Mabey", "Eloy Duran",
+                          "Tim Pope", "Mihai Anca", "Mark Cornick",
+                          "Shay Arnett"]
+  gem_spec.files       = FileList["[A-Z]*", "{app,config,generators,lib,shoulda_macros,rails}/**/*"]
+end
+
+desc "Generate a gemspec file"
+task :gemspec do
+  File.open("#{gem_spec.name}.gemspec", 'w') do |f|
+    f.write gem_spec.to_yaml
+  end
+end

data/TODO.textile

@@ -0,0 +1,6 @@
+h1. To-do
+
+* Make insertion of Clearance::User into User model automatic from the generator.
+* Change generated README to include instruction about running the migration.
+* DO_NOT_REPLY, HOST refactoring.
+

data/app/controllers/clearance/confirmations_controller.rb

@@ -0,0 +1,47 @@
+class Clearance::ConfirmationsController < ApplicationController
+  unloadable
+
+  before_filter :forbid_confirmed_user,    :only => :new
+  before_filter :forbid_missing_token,     :only => :new
+  before_filter :forbid_non_existent_user, :only => :new
+  filter_parameter_logging :token
+
+  def new
+    create
+  end
+
+  def create
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+    @user.confirm_email!
+
+    sign_user_in(@user)
+    flash[:success] = "Confirmed email and signed in."
+    redirect_to url_after_create
+  end
+
+  private
+
+  def forbid_confirmed_user
+    user = ::User.find_by_id(params[:user_id])
+    if user && user.email_confirmed?
+      raise ActionController::Forbidden, "confirmed user"
+    end
+  end
+
+  def forbid_missing_token
+    if params[:token].blank?
+      raise ActionController::Forbidden, "missing token"
+    end
+  end
+
+  def forbid_non_existent_user
+    unless ::User.find_by_id_and_token(params[:user_id], params[:token])
+      raise ActionController::Forbidden, "non-existent user"
+    end
+  end
+
+  def url_after_create
+    root_url
+  end
+
+end

data/app/controllers/clearance/passwords_controller.rb

@@ -0,0 +1,65 @@
+class Clearance::PasswordsController < ApplicationController
+  unloadable
+
+  before_filter :forbid_missing_token,     :only => [:edit, :update]
+  before_filter :forbid_non_existent_user, :only => [:edit, :update]
+  filter_parameter_logging :password, :password_confirmation
+
+  def new
+    render :template => 'passwords/new'
+  end
+
+  def create
+    if user = ::User.find_by_email(params[:password][:email])
+      user.forgot_password!
+      ClearanceMailer.deliver_change_password user
+      flash[:notice] = "You will receive an email within the next few minutes. " <<
+                       "It contains instructions for changing your password."
+      redirect_to url_after_create
+    else
+      flash.now[:notice] = "Unknown email"
+      render :template => 'passwords/new'
+    end
+  end
+
+  def edit
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+    render :template => 'passwords/edit'
+  end
+
+  def update
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+
+    if @user.update_password(params[:user][:password], 
+                             params[:user][:password_confirmation])
+      @user.confirm_email! unless @user.email_confirmed?
+      sign_user_in(@user)
+      redirect_to url_after_update
+    else
+      render :template => 'passwords/edit'
+    end
+  end
+
+  private
+
+  def forbid_missing_token
+    if params[:token].blank?
+      raise ActionController::Forbidden, "missing token"
+    end
+  end
+
+  def forbid_non_existent_user
+    unless ::User.find_by_id_and_token(params[:user_id], params[:token])
+      raise ActionController::Forbidden, "non-existent user"
+    end
+  end
+
+  def url_after_create
+    new_session_url
+  end
+
+  def url_after_update
+    root_url
+  end
+
+end

data/app/controllers/clearance/sessions_controller.rb

@@ -0,0 +1,62 @@
+class Clearance::SessionsController < ApplicationController
+  unloadable
+
+  protect_from_forgery :except => :create
+  filter_parameter_logging :password
+
+  def new
+    render :template => 'sessions/new'
+  end
+
+  def create
+    @user = ::User.authenticate(params[:session][:email],
+                              params[:session][:password])
+    if @user.nil?
+      flash.now[:notice] = "Bad email or password."
+      render :template => 'sessions/new', :status => :unauthorized
+    else
+      if @user.email_confirmed?
+        remember(@user) if remember?
+        sign_user_in(@user)
+        flash[:notice] = "Signed in successfully."
+        redirect_back_or url_after_create
+      else
+        ClearanceMailer.deliver_confirmation(@user)
+        deny_access("User has not confirmed email. Confirmation email will be resent.")
+      end
+    end
+  end
+
+  def destroy
+    forget(current_user)
+    reset_session
+    flash[:notice] = "You have been signed out."
+    redirect_to url_after_destroy
+  end
+
+  private
+
+  def remember?
+    params[:session] && params[:session][:remember_me] == "1"
+  end
+
+  def remember(user)
+    user.remember_me!
+    cookies[:remember_token] = { :value   => user.token,
+                                 :expires => user.token_expires_at }
+  end
+
+  def forget(user)
+    user.forget_me! if user
+    cookies.delete :remember_token
+  end
+
+  def url_after_create
+    root_url
+  end
+
+  def url_after_destroy
+    new_session_url
+  end
+
+end

data/app/controllers/clearance/users_controller.rb

@@ -0,0 +1,30 @@
+class Clearance::UsersController < ApplicationController
+  unloadable
+
+  before_filter :redirect_to_root, :only => [:new, :create], :if => :signed_in?
+  filter_parameter_logging :password
+
+  def new
+    @user = ::User.new(params[:user])
+    render :template => 'users/new'
+  end
+
+  def create
+    @user = ::User.new params[:user]
+    if @user.save
+      ClearanceMailer.deliver_confirmation @user
+      flash[:notice] = "You will receive an email within the next few minutes. " <<
+                       "It contains instructions for confirming your account."
+      redirect_to url_after_create
+    else
+      render :template => 'users/new'
+    end
+  end
+
+  private
+
+  def url_after_create
+    new_session_url
+  end
+
+end

data/app/models/clearance_mailer.rb

@@ -0,0 +1,19 @@
+class ClearanceMailer < ActionMailer::Base
+
+  default_url_options[:host] = HOST
+
+  def change_password(user)
+    from       DO_NOT_REPLY
+    recipients user.email
+    subject    "Change your password"
+    body       :user => user
+  end
+
+  def confirmation(user)
+    from       DO_NOT_REPLY
+    recipients user.email
+    subject   "Account confirmation"
+    body      :user => user
+  end
+
+end

data/app/views/clearance_mailer/change_password.html.erb

@@ -0,0 +1,7 @@
+Someone, hopefully you, has requested that we send you a link to change your password.
+
+Here's the link:
+
+<%= edit_user_password_url(@user, :token => @user.token, :escape => false) %>
+
+If you didn't request this, ignore this email. Don't worry. Your password hasn't been changed.

data/app/views/clearance_mailer/confirmation.html.erb

@@ -0,0 +1,2 @@
+
+<%= new_user_confirmation_url :user_id => @user, :token => @user.token, :encode => false %>

data/app/views/passwords/edit.html.erb

@@ -0,0 +1,23 @@
+<h2>Change your password</h2>
+
+<p>
+  Your password has been reset. Choose a new password below.
+</p>
+
+<%= error_messages_for :user %>
+
+<% form_for(:user,
+            :url => user_password_path(@user, :token    => @user.token),
+            :html => { :method => :put }) do |form| %>
+  <div class="password_field">
+    <%= form.label :password, "Choose password" %>
+    <%= form.password_field :password %>
+  </div>
+  <div class="password_field">
+    <%= form.label :password_confirmation, "Confirm password" %>
+    <%= form.password_field :password_confirmation %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Save this password", :disable_with => "Please wait..." %>
+  </div>
+<% end %>

data/app/views/passwords/new.html.erb

@@ -0,0 +1,15 @@
+<h2>Change your password</h2>
+
+<p>
+  We will email you a link to change your password.
+</p>
+
+<% form_for :password, :url => passwords_path do |form| %>
+  <div class="text_field">
+    <%= form.label :email, "Email address" %>
+    <%= form.text_field :email %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Reset password", :disable_with => "Please wait..." %>
+  </div>
+<% end %>

data/app/views/sessions/new.html.erb

@@ -0,0 +1,28 @@
+<h2>Sign in</h2>
+
+<% form_for :session, :url => session_path do |form| %>
+  <div class="text_field">
+    <%= form.label :email %>
+    <%= form.text_field :email %>  
+  </div>
+  <div class="text_field">
+    <%= form.label :password %>
+    <%= form.password_field :password %>
+  </div>
+  <div class="text_field">
+    <%= form.check_box :remember_me %>
+    <%= form.label :remember_me %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Sign in", :disable_with => "Please wait..." %>
+  </div>
+<% end %>
+
+<ul>
+  <li>
+    <%= link_to "Sign up", new_user_path %>
+  </li>
+  <li>
+    <%= link_to "Forgot password?", new_password_path %>
+  </li>
+</ul>

data/app/views/users/_form.html.erb

@@ -0,0 +1,13 @@
+<%= form.error_messages %>
+<div class="text_field">
+  <%= form.label :email %>
+  <%= form.text_field :email %>
+</div>
+<div class="password_field">
+  <%= form.label :password %>
+  <%= form.password_field :password %>
+</div>
+<div class="password_field">
+  <%= form.label :password_confirmation, "Confirm password" %>
+  <%= form.password_field :password_confirmation %>
+</div>

data/app/views/users/new.html.erb

@@ -0,0 +1,6 @@
+<h2>Sign up</h2>
+
+<% form_for @user do |form| %>
+  <%= render :partial => '/users/form', :object => form %>
+  <%= form.submit 'Sign up', :disable_with => 'Please wait...' %>
+<% end %>