db/migrate/20090115014420_create_users.rb @@ -18,7 +18,7 @@ class UsersController < ApplicationController # button. Uncomment if you understand the tradeoffs. # reset session self.current_user = @user # !! now logged in - redirect_to('/?add=true') + redirect_back_or_default('/?add=true') flash[:notice] = "Thanks for signing up! We're sending you an email with your activation code." else flash[:error] = "We couldn't set up that account, sorry. Please try again, or contact an admin (link is above)." app/controllers/users_controller.rb @@ -7,16 +7,16 @@ class User < ActiveRecord::Base validates_presence_of :login validates_length_of :login, :within => 3..40 - validates_uniqueness_of :login, :case_sensitive => false - validates_format_of :login, :with => RE_LOGIN_OK, :message => MSG_LOGIN_BAD + validates_uniqueness_of :login + validates_format_of :login, :with => Authentication.login_regex, :message => Authentication.bad_login_message - validates_format_of :name, :with => RE_NAME_OK, :message => MSG_NAME_BAD, :allow_nil => true + validates_format_of :name, :with => Authentication.name_regex, :message => Authentication.bad_name_message, :allow_nil => true validates_length_of :name, :maximum => 100 validates_presence_of :email validates_length_of :email, :within => 6..100 #r@a.wk - validates_uniqueness_of :email, :case_sensitive => false - validates_format_of :email, :with => RE_EMAIL_OK, :message => MSG_EMAIL_BAD + validates_uniqueness_of :email + validates_format_of :email, :with => Authentication.email_regex, :message => Authentication.bad_email_message @@ -34,12 +34,17 @@ class User < ActiveRecord::Base # This will also let us return a human error message. # def self.authenticate(login, password) + return nil if login.blank? || password.blank? u = find_by_login(login) # need to get the salt u && u.authenticated?(password) ? u : nil end - def name - return login + def login=(value) + write_attribute :login, (value ? value.downcase : nil) + end + + def email=(value) + write_attribute :email, (value ? value.downcase : nil) end protected app/models/user.rb @@ -1,14 +1,14 @@ <h1>Log In</h1> <% form_tag session_path do -%> -<p><label for="login">Login</label><br/> +<p><%= label_tag 'login' %><br /> <%= text_field_tag 'login', @login %></p> -<p><label for="password">Password</label><br/> +<p><%= label_tag 'password' %><br/> <%= password_field_tag 'password', nil %></p> <!-- Uncomment this if you want this functionality -<p><label for="remember_me">Remember me:</label> +<p><%= label_tag 'remember_me', 'Remember me' %> <%= check_box_tag 'remember_me', '1', @remember_me %></p> --> app/views/sessions/new.html.erb @@ -1,8 +1,8 @@ <% if logged_in? -%> <div id="user-bar-greeting">Logged in as <%= link_to_current_user :content_method => :login %></div> - <div id="user-bar-action" >(<%= link_to "log out", logout_path, { :title => "Log out" } %>)</div> + <div id="user-bar-action" >(<%= link_to "Log out", logout_path, { :title => "Log out" } %>)</div> <% else -%> - <div id="user-bar-greeting"><%= abbr_tag_with_IP 'Not logged in', :style => 'border: none;' %></div> + <div id="user-bar-greeting"><%= link_to_login_with_IP 'Not logged in', :style => 'border: none;' %></div> <div id="user-bar-action" ><%= link_to "Log in", login_path, { :title => "Log in" } %> / <%= link_to "Sign up", signup_path, { :title => "Create an account" } %></div> <% end -%> app/views/users/_user_bar.html.erb @@ -3,16 +3,16 @@ <%= error_messages_for :user %> <% form_for :user, :url => users_path do |f| -%> -<p><label for="login">Login</label><br/> +<p><%= label_tag 'login' %><br/> <%= f.text_field :login %></p> -<p><label for="email">Email</label><br/> +<p><%= label_tag 'email' %><br/> <%= f.text_field :email %></p> -<p><label for="password">Password</label><br/> +<p><%= label_tag 'password' %><br/> <%= f.password_field :password %></p> -<p><label for="password_confirmation">Confirm Password</label><br/> +<p><%= label_tag 'password_confirmation', 'Confirm Password' %><br/> <%= f.password_field :password_confirmation %></p> <p><%= submit_tag 'Sign up' %></p> app/views/users/new.html.erb @@ -1,23 +1,23 @@ # A Site key gives additional protection against a dictionary attack if your # DB is ever compromised. With no site key, we store -# DB_password = hash(password, DB_salt) +# DB_password = hash(user_password, DB_user_salt) # If your database were to be compromised you'd be vulnerable to a dictionary -# attack on all your stupid clients' passwords. With a site key, we store -# DB_password = hash(password, DB_salt, Code_site_key) +# attack on all your stupid users' passwords. With a site key, we store +# DB_password = hash(user_password, DB_user_salt, Code_site_key) # That means an attacker needs access to both your site's code *and* its # database to mount an "offline dictionary attack.":http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/web-authentication.html -# +# # It's probably of minor importance, but recommended by best practices: 'defense # in depth'. Needless to say, if you upload this to github or the youtubes or -# otherwise place it in public view you'll kinda defeat the point. Your visitors' +# otherwise place it in public view you'll kinda defeat the point. Your users' # passwords are still secure, and the world won't end, but defense_in_depth -= 1. -# +# # Please note: if you change this, all the passwords will be invalidated, so DO # keep it someplace secure. Use the random value given or type in the lyrics to # your favorite Jay-Z song or something; any moderately long, unpredictable text. REST_AUTH_SITE_KEY = '0aba9bade1647edd7bd3a0a2d72451978a2e06f3' - + # Repeated applications of the hash make brute force (even with a compromised # database and site key) harder, and scale with Moore's law. # @@ -26,13 +26,13 @@ REST_AUTH_SITE_KEY = '0aba9bade1647edd7bd3a0a2d72451978a2e06f3' # so simple and obvious that they should be used in every password system. # There is really no excuse not to use them." http://tinyurl.com/37lb73 # Practical Security (Ferguson & Scheier) p350 -# +# # A modest 10 foldings (the default here) adds 3ms. This makes brute forcing 10 # times harder, while reducing an app that otherwise serves 100 reqs/s to 78 signin # reqs/s, an app that does 10reqs/s to 9.7 reqs/s -# +# # More: # * http://www.owasp.org/index.php/Hashing_Java # * "An Illustrated Guide to Cryptographic Hashes":http://www.unixwiz.net/techtips/iguide-crypto-hashes.html -REST_AUTH_DIGEST_STRETCHES = 10 \ No newline at end of file +REST_AUTH_DIGEST_STRETCHES = 10 config/initializers/site_keys.rb @@ -31,7 +31,7 @@ module AuthenticatedSystem # current_user.login != "bob" # end # - def authorized?(action=nil, resource=nil, *args) + def authorized?(action = action_name, resource = nil) logged_in? end @@ -68,8 +68,10 @@ module AuthenticatedSystem redirect_to new_session_path end # format.any doesn't work in rails version < http://dev.rubyonrails.org/changeset/8987 - # you may want to change format.any to e.g. format.any(:js, :xml) - format.any do + # Add any other API formats here. (Some browsers, notably IE6, send Accept: */* and trigger + # the 'format.any' block incorrectly. See http://bit.ly/ie6_borken or http://bit.ly/ie6_borken2 + # for a workaround.) + format.any(:json, :xml) do request_http_basic_authentication 'Web Password' end end @@ -164,7 +166,7 @@ module AuthenticatedSystem end # Refresh the cookie auth token if it exists, create it otherwise - def handle_remember_cookie! new_cookie_flag + def handle_remember_cookie!(new_cookie_flag) return unless @current_user case when valid_remember_cookie? then @current_user.refresh_token # keeping same expiry date lib/authenticated_system.rb @@ -4,19 +4,13 @@ require 'sessions_controller' # Re-raise errors caught by the controller. class SessionsController; def rescue_action(e) raise e end; end -class SessionsControllerTest < Test::Unit::TestCase +class SessionsControllerTest < ActionController::TestCase # Be sure to include AuthenticatedTestHelper in test/test_helper.rb instead # Then, you can remove it from this and the units test. include AuthenticatedTestHelper fixtures :users - def setup - @controller = SessionsController.new - @request = ActionController::TestRequest.new - @response = ActionController::TestResponse.new - end - def test_should_login_and_redirect post :create, :login => 'quentin', :password => 'monkey' assert session[:user_id] test/functional/sessions_controller_test.rb @@ -4,19 +4,13 @@ require 'users_controller' # Re-raise errors caught by the controller. class UsersController; def rescue_action(e) raise e end; end -class UsersControllerTest < Test::Unit::TestCase +class UsersControllerTest < ActionController::TestCase # Be sure to include AuthenticatedTestHelper in test/test_helper.rb instead # Then, you can remove it from this and the units test. include AuthenticatedTestHelper fixtures :users - def setup - @controller = UsersController.new - @request = ActionController::TestRequest.new - @response = ActionController::TestResponse.new - end - def test_should_allow_signup assert_difference 'User.count' do create_user test/functional/users_controller_test.rb @@ -1,6 +1,6 @@ require File.dirname(__FILE__) + '/../test_helper' -class UserTest < Test::Unit::TestCase +class UserTest < ActiveSupport::TestCase # Be sure to include AuthenticatedTestHelper in test/test_helper.rb instead. # Then, you can remove it from this and the functional test. include AuthenticatedTestHelper test/unit/user_test.rb db/migrate/005_create_users.rb cfd7d26f7e106f26f475ecccf057d11017d2c231 rodrigo franco (caffo) caffeine@gmail.com http://github.com/caffo/colorplan/commit/84a53b449d35009ccdef3dd0ad9f1a5d47b9be8b 84a53b449d35009ccdef3dd0ad9f1a5d47b9be8b 2009-01-14T17:47:16-08:00 2009-01-14T17:47:16-08:00 User system refactored e382291745db2638ef16f59a1b8d624fa8057175 rodrigo franco (caffo) caffeine@gmail.com