b891b8f2f7553bfb3e464a033cdedcb298368fdd Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/4885bf2b27a89cbdd254ddac117040ae9ca9743c 4885bf2b27a89cbdd254ddac117040ae9ca9743c 2008-06-02T07:54:27-07:00 2008-06-02T07:54:27-07:00 Added email verification -- still needs tests, less-crappy integration tho fc5ff2d86469aebabb3f0b9ed1886ae3c7aac85f Philip (flip) Kromer flip@infochimps.org 673fcf889fe420a1dd20ec7e9306af9287286d62 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/b891b8f2f7553bfb3e464a033cdedcb298368fdd b891b8f2f7553bfb3e464a033cdedcb298368fdd 2008-06-02T01:19:26-07:00 2008-06-02T01:19:26-07:00 Added email verification -- still needs tests, less-crappy integration tho f2d0b9f267fcebaa4b05582a28bbe014f74c6831 Philip (flip) Kromer flip@infochimps.org 682c8f9193d9d4f38e34cdcb0fb772c5594b052f Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/673fcf889fe420a1dd20ec7e9306af9287286d62 673fcf889fe420a1dd20ec7e9306af9287286d62 2008-06-01T23:11:29-07:00 2008-06-01T23:11:29-07:00 Added simple roles, simple automatic role assignment hook; minor fixes: * handle_login_error lives in sessions_controller, as it should * get_authorization takes :context => /anything extra/ (was spelled :extra) * security_components uses .camelize, not .classify (so that pluralization remains intact) * some notes on existing rails plugins, and on rule resolution / policy / authz f4c5ef381bde1ae88d84ce9928ac2d9751c926d1 Philip (flip) Kromer flip@infochimps.org b755f4011b3d47cdfe8a317bb81d2070ba39dd65 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/682c8f9193d9d4f38e34cdcb0fb772c5594b052f 682c8f9193d9d4f38e34cdcb0fb772c5594b052f 2008-06-01T22:58:16-07:00 2008-06-01T22:58:16-07:00 fixed a bug in logout -- it needs to retrieve the session login (if any) before calling logout_chain, or cookie is never cleared c29f809ea4dd3b229742d63452b3203c75b556c3 Philip (flip) Kromer flip@infochimps.org dfa9f375e43970ca6e1d47a70d7f1304cc31a422 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/b755f4011b3d47cdfe8a317bb81d2070ba39dd65 b755f4011b3d47cdfe8a317bb81d2070ba39dd65 2008-05-31T00:21:54-07:00 2008-05-31T00:21:54-07:00 Improvements to access_control. * added a new method become_logged_in_as, which logs in if it can but doesn't raise an error on failure (like save vs. save!). * Authentication.authorization_filter for use in a :before_filter -- constructs a demand_authorization! :for => current_user, :to => action, :on => self.class, :extras => params. * Beefed up access_control specs * Signup now calls become_logged_in_as (the non-failing login) instead of the awful conditional logic of before 02e512d89113c7b219558feb1420c31a4f0de3db Philip (flip) Kromer flip@infochimps.org e8552f367bf3e9a983f6a05703634a89c4bad5f3 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/dfa9f375e43970ca6e1d47a70d7f1304cc31a422 dfa9f375e43970ca6e1d47a70d7f1304cc31a422 2008-05-31T00:14:34-07:00 2008-05-31T00:14:34-07:00 moving generator lib up one level so all generators can share it. Also stripped a couple puts'es 9efcb2fdb2352c1be7b57fd8b07f5f9873e2c3db Philip (flip) Kromer flip@infochimps.org 64372dafeae77097e86fdba29752ba6c32ab6acb Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/e8552f367bf3e9a983f6a05703634a89c4bad5f3 e8552f367bf3e9a983f6a05703634a89c4bad5f3 2008-05-30T12:34:33-07:00 2008-05-30T12:34:33-07:00 Updated README for newer version dceece465dc03a51416ab339f2f28d5213766e85 Philip (flip) Kromer flip@infochimps.org a95a7421b82b10473ba9638631120ae883df42d1 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/64372dafeae77097e86fdba29752ba6c32ab6acb 64372dafeae77097e86fdba29752ba6c32ab6acb 2008-05-30T12:08:21-07:00 2008-05-30T12:08:21-07:00 Fixed oopsie in stories runner. Now all specs tests and stories run out of the box for fresh rails install a84a5dd774afb4e329a860eac61e0b01566963af Philip (flip) Kromer flip@infochimps.org 737ea670c405fc9b58ecf63d64d3423130209a80 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/a95a7421b82b10473ba9638631120ae883df42d1 a95a7421b82b10473ba9638631120ae883df42d1 2008-05-30T11:13:48-07:00 2008-05-30T11:13:48-07:00 Large reorganization (v2.0b0) - User model and friends. * User model now mostly lives in Identity:: sub modules. Cookie handling (controller & model) is all in authentication/by_cookie_token. Password handling (controller & model) is all in authentication/by_password. I know the MVC-pattern violation will make some squirm, but this code *should* be opaque to the model at large, and security code should be compartmentalized -- this is all properly controller code, even the parts within the model. * password and password_confirmation now have filter_parameter_logging by default. * User#authenticate is now spelled User#authenticate_by_password and now **only** checks the password. User activation & other authorization is handled by the demand_authorization! chain -- specifically, by demand_authorization :for => user, :to => :login * Stateful Roles and Email Validation are no longer in this plugin, will get their own generator * Much stricter validation by default (from svn version): logins can only be /[\w\.\+@\-]+/, email has to look liken an email, password between 6, 40 long. * salt and remember_token now a tad more entropic (from svn version) 306a58d80aeb1a6242090733ccea2d1ceb625cba Philip (flip) Kromer flip@infochimps.org 592316c55444ceeeeb3a7cb40680ef761d0a5fde Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/737ea670c405fc9b58ecf63d64d3423130209a80 737ea670c405fc9b58ecf63d64d3423130209a80 2008-05-30T11:13:48-07:00 2008-05-30T11:13:48-07:00 Large reorganization (v2.0b0) - users controller and friends. * controller much skinnier, by handing almost everything off to library code * Cookie handling (controller & model) is all in authentication/by_cookie_token. Password handling (controller & model) is all in authentication/by_password. I know the MVC-pattern violation will make some squirm, but this code *should* be opaque to the model at large, and security code should be compartmentalized -- this is all properly controller code, even the parts within the model. * Logic done with exception handling and not conditional branching. routines 'Fail-closed' (aka Positive Authentication; see http://owasp.org/index.php/Guide_to_Authentication#Positive_Authentication) -- use exception handling to route authentication/access control violations, and commit no resources until all conditions pass (or rollback on failure). handle_signin_error shows one reasonable response chain. * password and password_confirmation now have filter_parameter_logging by default. * User#authenticate is now spelled User#authenticate_by_password and now **only** checks the password. User activation & other authorization is handled by the demand_authorization! chain -- specifically, by demand_authorization :for => user, :to => :login * Stateful Roles and Email Validation are no longer in this plugin, will get their own generator * On a failed signup, strip out the password & confirmation before kick you back to the signin screen cfee966eecd003b41fded13f4b6519dd7cc31958 Philip (flip) Kromer flip@infochimps.org 787b63bb18306a9c8f91f8d228473df9b2f7a558 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/592316c55444ceeeeb3a7cb40680ef761d0a5fde 592316c55444ceeeeb3a7cb40680ef761d0a5fde 2008-05-30T11:13:48-07:00 2008-05-30T11:13:48-07:00 Large reorganization (v2.0b0) - sessions controller and friends. * controller much skinnier, by handing almost everything off to library code. * Logic done with exception handling and not conditional branching. routines 'Fail-closed' (aka Positive Authentication; see http://owasp.org/index.php/Guide_to_Authentication#Positive_Authentication) -- use exception handling to route authentication/access control violations, and commit no resources until all conditions pass (or rollback on failure). handle_signin_error shows one reasonable response chain. * Cookie handling (controller & model) is all in authentication/by_cookie_token. Password handling (controller & model) is all in authentication/by_password. I know the MVC-pattern violation will make some squirm, but this code *should* be opaque to the model at large, and security code should be compartmentalized -- this is all properly controller code, even the parts within the model. * The logout routine calls a logout_chain for any resources that need to be destroyed on logout. (Clearing the server&client cookie token, for example). * User#authenticate is now spelled User#authenticate_by_password and now **only** checks the password. User activation & other authorization is handled by the demand_authorization! chain -- specifically, by demand_authorization :for => user, :to => :login 9492790b0d266a1d3e059aa1716605d6da7d9078 Philip (flip) Kromer flip@infochimps.org 14bb68ca76bab985ec46b78ee0443c48afa80df0 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/787b63bb18306a9c8f91f8d228473df9b2f7a558 787b63bb18306a9c8f91f8d228473df9b2f7a558 2008-05-30T11:13:47-07:00 2008-05-30T11:13:47-07:00 Large reorganization (v2.0b0) - authenticated_system => lib/authentication, lib/access_control, lib/security_policy * abstract implementation is divided among lib/authentication.rb and lib/access_control.rb, with concrete code (Authentication::ByPassword, AccessControl::LoginRequired, &c) in subdirectories. * logged_in?, current_user, current_user= are basically the same. current_user's passive login behaviour now happens through the try_login_chain. Cookie_token & basic_auth hook in automagically when included, restoring the old behaviour. * A session login is 'passive' -- it's meant to mimic the presence of state, and implies no change in logged-in status. All other login methods should call become_logged_in_as!, and should not set current_user= directly. (The old version of restful_authentication will let a non-activated user log in by HTTP basic). * authorize? now has a bossy friend, demand_authorization! -- where authorize returns false, demand_authorization! raises an exception. Both now take a params hash of the form :for => subject, :to => action, :on => resource, :extra => whatever and hand it off to the #get_authorization stub. get_authorization returns something that is_denial? (false or a SecurityError exception) to say 'deny', and any other true value to say 'allow'. * handle_signin_error shows one reasonable response chain for 'fail-closed' behavior. * access_denied is now named handle_access_denied as is automatically installed as a rescue_from handler. * Cookie handling (controller & model) is all in authentication/by_cookie_token. Password handling (controller & model) is all in authentication/by_password. I know the MVC-pattern violation will make some squirm, but this code *should* be opaque to the model at large, and security code should be compartmentalized -- this is all properly controller code, even the parts within the model. * The logout routine calls a logout_chain for any resources that need to be destroyed on logout. (Clearing the server&client cookie token, for example). 29a74f4b3996ddcefc39bd97742aef8976220150 Philip (flip) Kromer flip@infochimps.org 95fdc5b65f99933e5033a25138a4e0c3411ab5bd Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/14bb68ca76bab985ec46b78ee0443c48afa80df0 14bb68ca76bab985ec46b78ee0443c48afa80df0 2008-05-30T11:13:47-07:00 2008-05-30T11:13:47-07:00 Large reorganization (v2.0b0) - stories: story steps now live in plugin space, not user space. Moved story_helpers into their own deal. 8f4f63374f60458b05e62107c0e536fb55336436 Philip (flip) Kromer flip@infochimps.org 94f629a2479deedcefbed74125456b058a03773e Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/95fdc5b65f99933e5033a25138a4e0c3411ab5bd 95fdc5b65f99933e5033a25138a4e0c3411ab5bd 2008-05-30T11:13:47-07:00 2008-05-30T11:13:47-07:00 Large reorganization (v2.0b0) - tests: tests still work, but there's no reason to keep using them. 5c0dc5cce156e7057c60eabc5fac247fbef9e432 Philip (flip) Kromer flip@infochimps.org 65e882297289875b582d6edabc4043d296066e02 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/94f629a2479deedcefbed74125456b058a03773e 94f629a2479deedcefbed74125456b058a03773e 2008-05-30T11:13:46-07:00 2008-05-30T11:13:46-07:00 Large reorganization (v2.0b0) - views: views get their own directory in templates, new generator variables; otherwise not much changed. cef47f33ebec9eed4140ed84f20b3fe1f42b74a6 Philip (flip) Kromer flip@infochimps.org fb844a3e6d86658ced2085a2507f95290f01e1b5 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/65e882297289875b582d6edabc4043d296066e02 65e882297289875b582d6edabc4043d296066e02 2008-05-30T11:13:46-07:00 2008-05-30T11:13:46-07:00 Large reorganization (v2.0b0) - users helper and friends: helper methods for authorization, and for giving a 'hello,bob -or- login' bar fd6d25590deecfcdfb33f599bbc999ca98761f41 Philip (flip) Kromer flip@infochimps.org 14e3079023c27154aa3e43c89d4dfc2d317ba7ea Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/fb844a3e6d86658ced2085a2507f95290f01e1b5 fb844a3e6d86658ced2085a2507f95290f01e1b5 2008-05-30T11:13:46-07:00 2008-05-30T11:13:46-07:00 Large reorganization (v2.0b0) - stateful-roles and email-validation are stripped out, will get their own plugin. a9eee9671c8185e1dd62483d1d1aaaa47afc8fdb Philip (flip) Kromer flip@infochimps.org cff7cbca33d3d1c10f219a7628539712e62bda93 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/14e3079023c27154aa3e43c89d4dfc2d317ba7ea 14e3079023c27154aa3e43c89d4dfc2d317ba7ea 2008-05-30T11:13:45-07:00 2008-05-30T11:13:45-07:00 Large reorganization (v2.0b0) - code more modular, clean hooks for external components and ~100% spec coverage. The system has been split up to give a clear distinction between authentication (who are you?), authorization (is he allowed to just take the plutonium like that?), policy (note to staff: no one is allowed to take plutonium) and access control (step away from the reactor, bubba). The plugin now generates *much* less app-space code: the controllers are super skinny now, and if any security flaws are discovered it should be less painful to stay current. Out of the box, the plugin will stay the heck out of your way, implementing the popular "users can do stuff and no-one else can" security model. But if your security needs extend beyond that, there are clear hooks for you to add security components that play nice with restful-authentication. It should also be easy to *decouple* components such as login-by-password or remember-me-tokens if you don't want that. There is a robust rspec test suite with near-100% coverage, along with a framework for building RSpec stories. Finally, there have been several minor security fixes, largely centered around implementing best practices recommended in the "Open Web Application Security Project":http://www.owasp.org/index.php/Guide_Table_of_Contents and other references (see notes/ for more). bc65ef00948f424e2593d3e0a1a4253942586da2 Philip (flip) Kromer flip@infochimps.org 18fc4d66359f8b681c0bbefb23465ebca9c8be72 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/cff7cbca33d3d1c10f219a7628539712e62bda93 cff7cbca33d3d1c10f219a7628539712e62bda93 2008-05-29T14:29:07-07:00 2008-05-29T14:29:07-07:00 fixed the routing issues maybe? * model_controller_routing_path means nest/users * controller_routing_path means nest/session * model_controller_routing_name = users, (used for users_path etc and must be singularized for things like new_user_path) * controller_routing_name = session (used for session_path, new_session_path, etc.) * controller_controller_name = sessions, the name of the controller If any of this is wrong, at least is should hopefully be easier to resolve with the nice overly-prolix semantic generator names. I tried to make the names correct for nested resources. However, the app explodes into horrible flames with anything like "generate Admin::User Session", and in fact with "generate users session". I don\'t know when this broke, but I can't justify taking the time to fix it unless someone complains. Other than that, the specs and stories all pass for the three activation versions AFAICT. dc6807dd5c79c6f7c0c82fad856c6f8de83ac5c0 Philip (flip) Kromer flip@infochimps.org 26f4cbfd75f6bfaf6edc44ed9d7d6666ff7bafe5 d6528c02d6a53850ca3232b61c8b5236c564fe7f Sean O'Brien sean@slacklabs.com http://github.com/danielharan/restful-authentication/commit/18fc4d66359f8b681c0bbefb23465ebca9c8be72 18fc4d66359f8b681c0bbefb23465ebca9c8be72 2008-05-28T15:53:47-07:00 2008-05-28T15:53:47-07:00 Merge branch 'master' of git://github.com/technoweenie/restful-authentication Conflicts: generators/authenticated/authenticated_generator.rb 46a64d9cd45ff6a1edde58607c159050ee214884 Sean O'Brien sean@slacklabs.com 5e292e7ac802bf0373d355bdfab29c98b3c2a2e1 Sean O'Brien sean@slacklabs.com http://github.com/danielharan/restful-authentication/commit/26f4cbfd75f6bfaf6edc44ed9d7d6666ff7bafe5 26f4cbfd75f6bfaf6edc44ed9d7d6666ff7bafe5 2008-05-28T15:35:08-07:00 2008-05-28T15:35:08-07:00 looks like it's plural routes 83b26d8e8ff6dc08cd827b76b4831d77bbbc6205 Sean O'Brien sean@slacklabs.com d36c27a388dec9a0a35de6f745efb8a5ca8114d8 Sean O'Brien sean@slacklabs.com http://github.com/danielharan/restful-authentication/commit/5e292e7ac802bf0373d355bdfab29c98b3c2a2e1 5e292e7ac802bf0373d355bdfab29c98b3c2a2e1 2008-05-28T15:32:05-07:00 2008-05-28T15:32:05-07:00 fixed hardcoding of controller names (my bad) a83e57b63b6fbf8866728bdd3acc0e718f707979 Sean O'Brien sean@slacklabs.com cbe902da71566eb04396cadf0aac9759dd0ab50e Sean O'Brien sean@slacklabs.com http://github.com/danielharan/restful-authentication/commit/d36c27a388dec9a0a35de6f745efb8a5ca8114d8 d36c27a388dec9a0a35de6f745efb8a5ca8114d8 2008-05-28T15:28:58-07:00 2008-05-28T15:28:58-07:00 added support for creating named routes, added named routes to generator 8a168d6543113a438cf9475316222547fccfb79d Sean O'Brien sean@slacklabs.com d300c6956afe6c24663dc1476351f7dd8c1f92b7 5c3bc5052e93725c1e4a0f06870c5fd0bde3fe80 rick technoweenie@gmail.com http://github.com/danielharan/restful-authentication/commit/d6528c02d6a53850ca3232b61c8b5236c564fe7f d6528c02d6a53850ca3232b61c8b5236c564fe7f 2008-05-26T19:05:25-07:00 2008-05-26T19:05:25-07:00 Merge commit 'postpostmodern/master' 89702fbbe4b2f6d8a45159b82f0267a52b8c37ef rick technoweenie@gmail.com 189ce881985d96ad74aba88c87271ca1997c437c e29cf33c6560e2135e88b69993b456e7c8c29ccd rick technoweenie@gmail.com http://github.com/danielharan/restful-authentication/commit/d300c6956afe6c24663dc1476351f7dd8c1f92b7 d300c6956afe6c24663dc1476351f7dd8c1f92b7 2008-05-26T19:04:14-07:00 2008-05-26T19:04:14-07:00 Merge branch 'master' of git@github.com:technoweenie/restful-authentication 7865e207eb6ffb2f8b0a170511f399e69c956fb7 rick technoweenie@gmail.com 00bd10c581a7e7c26a6dec800446b05554c33015 Jason T Johnson git@postpostmodern.com http://github.com/danielharan/restful-authentication/commit/5c3bc5052e93725c1e4a0f06870c5fd0bde3fe80 5c3bc5052e93725c1e4a0f06870c5fd0bde3fe80 2008-05-26T16:13:46-07:00 2008-05-26T16:13:46-07:00 Changed singular session resource to plural to satisfy specs aafba99640b784147d248393252e0e56c5fb0fe5 Jason T Johnson git@postpostmodern.com 008e6ee3611e5bb54a232719f87d540491d3af36 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/e29cf33c6560e2135e88b69993b456e7c8c29ccd e29cf33c6560e2135e88b69993b456e7c8c29ccd 2008-05-26T14:55:41-07:00 2008-05-26T14:55:41-07:00 Merge branches 'master' and 'mainline' 7865e207eb6ffb2f8b0a170511f399e69c956fb7 Philip (flip) Kromer flip@infochimps.org 036dbec5a257c3dd337ef304f44cb0348ac7b248 815b11e3ba141d878f5390f4b5135a7d3b6be497 Philip (flip) Kromer flip@infochimps.org http://github.com/danielharan/restful-authentication/commit/008e6ee3611e5bb54a232719f87d540491d3af36 008e6ee3611e5bb54a232719f87d540491d3af36 2008-05-26T14:53:52-07:00 2008-05-26T14:53:52-07:00 Merge git://github.com/redmar/restful-authentication into mainline 7865e207eb6ffb2f8b0a170511f399e69c956fb7 Philip (flip) Kromer flip@infochimps.org 95a0e3381b82c30b4ba84c98b9d2878edcdeb113 a0a09e1e4b757d734368d5e976d33fec320e3cd4 Jason T Johnson git@postpostmodern.com http://github.com/danielharan/restful-authentication/commit/00bd10c581a7e7c26a6dec800446b05554c33015 00bd10c581a7e7c26a6dec800446b05554c33015 2008-05-26T14:49:41-07:00 2008-05-26T14:49:41-07:00 Merge branch 'generatorfixes' 2b6ec5231245c7034fc1b9cd956ae9311e7f89ff Jason T Johnson git@postpostmodern.com 036dbec5a257c3dd337ef304f44cb0348ac7b248 282e4ad339edbfa1a241d218816cf3ae67363340 Jason T Johnson git@postpostmodern.com http://github.com/danielharan/restful-authentication/commit/95a0e3381b82c30b4ba84c98b9d2878edcdeb113 95a0e3381b82c30b4ba84c98b9d2878edcdeb113 2008-05-26T14:49:34-07:00 2008-05-26T14:49:34-07:00 Merge branch 'readmefixes' bd5f1dd5cb6c4760186d8abd72ddeda633d05f8d Jason T Johnson git@postpostmodern.com