Description: The open source social networking platform in Ruby on Rails from the author of RailsSpace
Homepage: http://insoshi.com
Clone URL: git://github.com/insoshi/insoshi.git
Added authentication
Testing layout
Michael Hartl (author)
2 months ago
commit  bf51bc45a0dce548a9b79ef5cf6a2bbc161cb9dc
tree    2f99af93e4e8410260d4321f4f931bf1301fdc9f
parent  840f7de1d480923b852b920857fe835f46b00bc4
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
0
@@ -0,0 +1,27 @@
0
+class PeopleController < ApplicationController
0
+ # Be sure to include AuthenticationSystem in Application Controller instead
0
+ include AuthenticatedSystem
0
+
0
+
0
+ # render new.rhtml
0
+ def new
0
+ end
0
+
0
+ def create
0
+ cookies.delete :auth_token
0
+ # protects against session fixation attacks, wreaks havoc with
0
+ # request forgery protection.
0
+ # uncomment at your own risk
0
+ # reset_session
0
+ @person = Person.new(params[:person])
0
+ @person.save
0
+ if @person.errors.empty?
0
+ self.current_person = @person
0
+ redirect_back_or_default('/')
0
+ flash[:notice] = "Thanks for signing up!"
0
+ else
0
+ render :action => 'new'
0
+ end
0
+ end
0
+
0
+end
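Review bot: `create` signs the new person in with `self.current_person = @person` while `reset_session` stays commented out, so the session that existed before sign-up is carried into the authenticated state, which is the session-fixation exposure the comment itself describes. `SessionsController#create` in this commit has the same gap: it assigns `current_person` after `Person.authenticate` without rotating the session. Rotate the session once authentication succeeds while keeping the stored return location, for example `return_to = session[:return_to]; reset_session; session[:return_to] = return_to`, before assigning `current_person`. The conflict with request forgery protection that the comment mentions cannot be confirmed from this page and should be checked against the Rails version in use.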
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
0
@@ -0,0 +1,31 @@
0
+# This controller handles the login/logout function of the site.
0
+class SessionsController < ApplicationController
0
+ # Be sure to include AuthenticationSystem in Application Controller instead
0
+ include AuthenticatedSystem
0
+
0
+ # render new.rhtml
0
+ def new
0
+ end
0
+
0
+ def create
0
+ self.current_person = Person.authenticate(params[:login], params[:password])
0
+ if logged_in?
0
+ if params[:remember_me] == "1"
0
+ self.current_person.remember_me
0
+ cookies[:auth_token] = { :value => self.current_person.remember_token , :expires => self.current_person.remember_token_expires_at }
0
+ end
0
+ redirect_back_or_default('/')
0
+ flash[:notice] = "Logged in successfully"
0
+ else
0
+ render :action => 'new'
0
+ end
0
+ end
0
+
0
+ def destroy
0
+ self.current_person.forget_me if logged_in?
0
+ cookies.delete :auth_token
0
+ reset_session
0
+ flash[:notice] = "You have been logged out."
0
+ redirect_back_or_default('/')
0
+ end
0
+end
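Review bot: The remember-me cookie written in `create` carries a long-lived login credential but is set with only `:value` and `:expires`, so it is also sent over plain HTTP whenever the site is reachable that way. Add `:secure => true` when the application is served over HTTPS, and an HttpOnly flag if the Rails version in use supports one on `cookies[]=`, so the token is not exposed to network observers or page scripts. The same hash is built in `login_from_cookie` in AuthenticatedSystem and should be changed together with this one. A failed login also re-renders `new` without setting any flash message, so the user gets no indication of why the form came back.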
...
 
 
0
...
1
2
3
0
@@ -0,0 +1,2 @@
0
+module PeopleHelper
0
+end
0
\ No newline at end of file
...
 
 
0
...
1
2
3
0
@@ -0,0 +1,2 @@
0
+module SessionsHelper
0
+end
0
\ No newline at end of file
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
0
@@ -0,0 +1,78 @@
0
+require 'digest/sha1'
0
+class Person < ActiveRecord::Base
0
+ # Virtual attribute for the unencrypted password
0
+ attr_accessor :password
0
+
0
+ validates_presence_of :login, :email
0
+ validates_presence_of :password, :if => :password_required?
0
+ validates_presence_of :password_confirmation, :if => :password_required?
0
+ validates_length_of :password, :within => 4..40, :if => :password_required?
0
+ validates_confirmation_of :password, :if => :password_required?
0
+ validates_length_of :login, :within => 3..40
0
+ validates_length_of :email, :within => 3..100
0
+ validates_uniqueness_of :login, :email, :case_sensitive => false
0
+ before_save :encrypt_password
0
+
0
+ # prevents a user from submitting a crafted form that bypasses activation
0
+ # anything else you want your user to change should be added here.
0
+ attr_accessible :login, :email, :password, :password_confirmation
0
+
0
+ # Authenticates a user by their login name and unencrypted password. Returns the user or nil.
0
+ def self.authenticate(login, password)
0
+ u = find_by_login(login) # need to get the salt
0
+ u && u.authenticated?(password) ? u : nil
0
+ end
0
+
0
+ # Encrypts some data with the salt.
0
+ def self.encrypt(password, salt)
0
+ Digest::SHA1.hexdigest("--#{salt}--#{password}--")
0
+ end
0
+
0
+ # Encrypts the password with the user salt
0
+ def encrypt(password)
0
+ self.class.encrypt(password, salt)
0
+ end
0
+
0
+ def authenticated?(password)
0
+ crypted_password == encrypt(password)
0
+ end
0
+
0
+ def remember_token?
0
+ remember_token_expires_at && Time.now.utc < remember_token_expires_at
0
+ end
0
+
0
+ # These create and unset the fields required for remembering users between browser closes
0
+ def remember_me
0
+ remember_me_for 2.weeks
0
+ end
0
+
0
+ def remember_me_for(time)
0
+ remember_me_until time.from_now.utc
0
+ end
0
+
0
+ def remember_me_until(time)
0
+ self.remember_token_expires_at = time
0
+ self.remember_token = encrypt("#{email}--#{remember_token_expires_at}")
0
+ save(false)
0
+ end
0
+
0
+ def forget_me
0
+ self.remember_token_expires_at = nil
0
+ self.remember_token = nil
0
+ save(false)
0
+ end
0
+
0
+ protected
0
+ # before filter
0
+ def encrypt_password
0
+ return if password.blank?
0
+ self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
0
+ self.crypted_password = encrypt(password)
0
+ end
0
+
0
+ def password_required?
0
+ crypted_password.blank? || !password.blank?
0
+ end
0
+
0
+
0
+end
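Review bot: `Person.encrypt` stores passwords as a single salted SHA-1 digest, which is fast to compute and therefore cheap to guess offline if the `people` table is ever disclosed. A deliberately slow, adaptive password hash (bcrypt or similar) behind the same `encrypt`/`authenticated?` interface would be the safer choice, though it needs a library this commit does not include. The salt in `encrypt_password` and the token in `remember_me_until` are both derived from predictable inputs (`Time.now`, `login`, `email`, the expiry time) rather than from a random source, and the remember token additionally depends on the password salt. Generating both from a cryptographically secure random generator would remove that coupling. `validates_length_of :password, :within => 4..40` also permits four-character passwords.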
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0
@@ -0,0 +1,16 @@
0
+<%= error_messages_for :person %>
0
+<% form_for :person, :url => people_path do |f| -%>
0
+<p><label for="login">Login</label><br/>
0
+<%= f.text_field :login %></p>
0
+
0
+<p><label for="email">Email</label><br/>
0
+<%= f.text_field :email %></p>
0
+
0
+<p><label for="password">Password</label><br/>
0
+<%= f.password_field :password %></p>
0
+
0
+<p><label for="password_confirmation">Confirm Password</label><br/>
0
+<%= f.password_field :password_confirmation %></p>
0
+
0
+<p><%= submit_tag 'Sign up' %></p>
0
+<% end -%>
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
0
@@ -0,0 +1,14 @@
0
+<% form_tag session_path do -%>
0
+<p><label for="login">Login</label><br/>
0
+<%= text_field_tag 'login' %></p>
0
+
0
+<p><label for="password">Password</label><br/>
0
+<%= password_field_tag 'password' %></p>
0
+
0
+<!-- Uncomment this if you want this functionality
0
+<p><label for="remember_me">Remember me:</label>
0
+<%= check_box_tag 'remember_me' %></p>
0
+-->
0
+
0
+<p><%= submit_tag 'Log in' %></p>
0
+<% end -%>
...
1
 
 
 
 
2
3
4
...
1
2
3
4
5
6
7
8
0
@@ -1,4 +1,8 @@
0
 ActionController::Routing::Routes.draw do |map|
0
+ map.resources :people
0
+
0
+ map.resource :session
0
+
0
   # The priority is based upon order of creation: first created -> highest priority.
0
 
0
   # Sample of regular route:
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
0
@@ -0,0 +1,18 @@
0
+class CreatePeople < ActiveRecord::Migration
0
+ def self.up
0
+ create_table "people", :force => true do |t|
0
+ t.column :login, :string
0
+ t.column :email, :string
0
+ t.column :crypted_password, :string, :limit => 40
0
+ t.column :salt, :string, :limit => 40
0
+ t.column :created_at, :datetime
0
+ t.column :updated_at, :datetime
0
+ t.column :remember_token, :string
0
+ t.column :remember_token_expires_at, :datetime
0
+ end
0
+ end
0
+
0
+ def self.down
0
+ drop_table "people"
0
+ end
0
+end
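Review bot: The `people` table is created without any index, so the uniqueness of `login` and `email` rests only on `validates_uniqueness_of` in the model, a check that two concurrent sign-ups can both pass. Add `add_index :people, :login, :unique => true` and `add_index :people, :email, :unique => true` after the `create_table` block; whether the index matches the validation's case-insensitive comparison depends on the database collation. An index on `remember_token` would also help, since `login_from_cookie` looks people up by that column. `:force => true` drops an existing `people` table when the migration runs, which deserves a comment if it is intentional.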
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
0
@@ -0,0 +1,116 @@
0
+module AuthenticatedSystem
0
+ protected
0
+ # Returns true or false if the person is logged in.
0
+ # Preloads @current_person with the person model if they're logged in.
0
+ def logged_in?
0
+ current_person != :false
0
+ end
0
+
0
+ # Accesses the current person from the session. Set it to :false if login fails
0
+ # so that future calls do not hit the database.
0
+ def current_person
0
+ @current_person ||= (login_from_session || login_from_basic_auth || login_from_cookie || :false)
0
+ end
0
+
0
+ # Store the given person id in the session.
0
+ def current_person=(new_person)
0
+ session[:person_id] = (new_person.nil? || new_person.is_a?(Symbol)) ? nil : new_person.id
0
+ @current_person = new_person || :false
0
+ end
0
+
0
+ # Check if the person is authorized
0
+ #
0
+ # Override this method in your controllers if you want to restrict access
0
+ # to only a few actions or if you want to check if the person
0
+ # has the correct rights.
0
+ #
0
+ # Example:
0
+ #
0
+ # # only allow nonbobs
0
+ # def authorized?
0
+ # current_person.login != "bob"
0
+ # end
0
+ def authorized?
0
+ logged_in?
0
+ end
0
+
0
+ # Filter method to enforce a login requirement.
0
+ #
0
+ # To require logins for all actions, use this in your controllers:
0
+ #
0
+ # before_filter :login_required
0
+ #
0
+ # To require logins for specific actions, use this in your controllers:
0
+ #
0
+ # before_filter :login_required, :only => [ :edit, :update ]
0
+ #
0
+ # To skip this in a subclassed controller:
0
+ #
0
+ # skip_before_filter :login_required
0
+ #
0
+ def login_required
0
+ authorized? || access_denied
0
+ end
0
+
0
+ # Redirect as appropriate when an access request fails.
0
+ #
0
+ # The default action is to redirect to the login screen.
0
+ #
0
+ # Override this method in your controllers if you want to have special
0
+ # behavior in case the person is not authorized
0
+ # to access the requested action. For example, a popup window might
0
+ # simply close itself.
0
+ def access_denied
0
+ respond_to do |format|
0
+ format.html do
0
+ store_location
0
+ redirect_to new_session_path
0
+ end
0
+ format.any do
0
+ request_http_basic_authentication 'Web Password'
0
+ end
0
+ end
0
+ end
0
+
0
+ # Store the URI of the current request in the session.
0
+ #
0
+ # We can return to this location by calling #redirect_back_or_default.
0
+ def store_location
0
+ session[:return_to] = request.request_uri
0
+ end
0
+
0
+ # Redirect to the URI stored by the most recent store_location call or
0
+ # to the passed default.
0
+ def redirect_back_or_default(default)
0
+ redirect_to(session[:return_to] || default)
0
+ session[:return_to] = nil
0
+ end
0
+
0
+ # Inclusion hook to make #current_person and #logged_in?
0
+ # available as ActionView helper methods.
0
+ def self.included(base)
0
+ base.send :helper_method, :current_person, :logged_in?
0
+ end
0
+
0
+ # Called from #current_person. First attempt to login by the person id stored in the session.
0
+ def login_from_session
0
+ self.current_person = Person.find(session[:person_id]) if session[:person_id]
0
+ end
0
+
0
+ # Called from #current_person. Now, attempt to login by basic authentication information.
0
+ def login_from_basic_auth
0
+ authenticate_with_http_basic do |username, password|
0
+ self.current_person = Person.authenticate(username, password)
0
+ end
0
+ end
0
+
0
+ # Called from #current_person. Finaly, attempt to login by an expiring token in the cookie.
0
+ def login_from_cookie
0
+ person = cookies[:auth_token] && Person.find_by_remember_token(cookies[:auth_token])
0
+ if person && person.remember_token?
0
+ person.remember_me
0
+ cookies[:auth_token] = { :value => person.remember_token, :expires => person.remember_token_expires_at }
0
+ self.current_person = person
0
+ end
0
+ end
0
+end
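Review bot: `login_from_session` calls `Person.find(session[:person_id])`, which raises `ActiveRecord::RecordNotFound` when the id in the session no longer matches a row (for example after the account is deleted), so a stale session produces an error on every request instead of a logged-out state. Use the nil-returning finder: `self.current_person = Person.find_by_id(session[:person_id]) if session[:person_id]`. Separately, `redirect_back_or_default` redirects to whatever `store_location` saved from `request.request_uri`. A comment stating that the value is expected to be a same-site path, or a check that it begins with a single `/`, would make that assumption explicit.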
...
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
0
@@ -0,0 +1,10 @@
0
+module AuthenticatedTestHelper
0
+ # Sets the current person in the session from the person fixtures.
0
+ def login_as(person)
0
+ @request.session[:person_id] = person ? people(person).id : nil
0
+ end
0
+
0
+ def authorize_as(user)
0
+ @request.env["HTTP_AUTHORIZATION"] = user ? ActionController::HttpAuthentication::Basic.encode_credentials(users(user).login, 'test') : nil
0
+ end
0
+end
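Review bot: `authorize_as` still calls `users(user)`, while this commit's fixtures and `login_as` use `people`, so the helper will fail with an undefined-method error in any spec that invokes it unless a `users` fixture exists elsewhere. Change the lookup to `people(user).login` and rename the parameter to `person` to match `login_as`. The hard-coded password `'test'` appears to correspond to the `# test` comment on the fixture hashes, and a short comment saying so would help the next reader.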
...
 
 
 
 
...
1
2
3
4
0
@@ -0,0 +1,4 @@
0
+#!/usr/bin/env ruby
0
+$LOAD_PATH.unshift(File.expand_path(File.dirname(__FILE__) + "/../vendor/plugins/rspec/lib"))
0
+require 'spec'
0
+exit ::Spec::Runner::CommandLine.run(::Spec::Runner::OptionParser.parse(ARGV, STDERR, STDOUT))
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
0
@@ -0,0 +1,102 @@
0
+#!/usr/bin/env ruby
0
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../../rspec/lib' # For svn
0
+$LOAD_PATH.unshift File.dirname(__FILE__) + '/../vendor/plugins/rspec/lib' # For rspec installed as plugin
0
+require 'rubygems'
0
+require 'drb/drb'
0
+require 'rbconfig'
0
+require 'spec'
0
+require 'optparse'
0
+
0
+# This is based on Florian Weber's TDDMate
0
+module Spec
0
+ module Runner
0
+ class RailsSpecServer
0
+ def run(argv, stderr, stdout)
0
+ $stdout = stdout
0
+ $stderr = stderr
0
+
0
+ base = ActiveRecord::Base
0
+ def base.clear_reloadable_connections!
0
+ active_connections.each do |name, conn|
0
+ if conn.requires_reloading?
0
+ conn.disconnect!
0
+ active_connections.delete(name)
0
+ end
0
+ end
0
+ end
0
+
0
+ if ActionController.const_defined?(:Dispatcher)
0
+ dispatcher = ::ActionController::Dispatcher.new($stdout)
0
+ dispatcher.cleanup_application(true)
0
+ elsif ::Dispatcher.respond_to?(:reset_application!)
0
+ ::Dispatcher.reset_application!
0
+ else
0
+ raise "Application reloading failed"
0
+ end
0
+ ::Dependencies.mechanism = :load
0
+ require_dependency('application.rb') unless Object.const_defined?(:ApplicationController)
0
+ load File.dirname(__FILE__) + '/../spec/spec_helper.rb'
0
+
0
+ ::Spec::Runner::CommandLine.run(
0
+ ::Spec::Runner::OptionParser.parse(
0
+ argv,
0
+ $stderr,
0
+ $stdout
0
+ )
0
+ )
0
+ end
0
+ end
0
+ end
0
+end
0
+puts "Loading Rails environment"
0
+
0
+ENV["RAILS_ENV"] = "test"
0
+require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
0
+require 'dispatcher'
0
+
0
+def restart_test_server
0
+ puts "restarting"
0
+ config = ::Config::CONFIG
0
+ ruby = File::join(config['bindir'], config['ruby_install_name']) + config['EXEEXT']
0
+ command_line = [ruby, $0, ARGV].flatten.join(' ')
0
+ exec(command_line)
0
+end
0
+
0
+def daemonize(pid_file = nil)
0
+ return yield if $DEBUG
0
+ pid = Process.fork{
0
+ Process.setsid
0
+ Dir.chdir(RAILS_ROOT)
0
+ trap("SIGINT"){ exit! 0 }
0
+ trap("SIGTERM"){ exit! 0 }
0
+ trap("SIGHUP"){ restart_test_server }
0
+ File.open("/dev/null"){|f|
0
+ STDERR.reopen f
0
+ STDIN.reopen f
0
+ STDOUT.reopen f
0
+ }
0
+ yield
0
+ }
0
+ puts "spec_server launched. (PID: %d)" % pid
0
+ File.open(pid_file,"w"){|f| f.puts pid } if pid_file
0
+ exit! 0
0
+end
0
+
0
+options = Hash.new
0
+opts = OptionParser.new
0
+opts.on("-d", "--daemon"){|v| options[:daemon] = true }
0
+opts.on("-p", "--pid PIDFILE"){|v| options[:pid] = v }
0
+opts.parse!(ARGV)
0
+
0
+puts "Ready"
0
+exec_server = lambda {
0
+ trap("USR2") { restart_test_server } if Signal.list.has_key?("USR2")
0
+ DRb.start_service("druby://localhost:8989", Spec::Runner::RailsSpecServer.new)
0
+ DRb.thread.join
0
+}
0
+
0
+if options[:daemon]
0
+ daemonize(options[:pid], &exec_server)
0
+else
0
+ exec_server.call
0
+end
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
0
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
0
@@ -0,0 +1,59 @@
0
+require File.dirname(__FILE__) + '/../spec_helper'
0
+
0
+# Be sure to include AuthenticatedTestHelper in spec/spec_helper.rb instead
0
+# Then, you can remove it from this and the units test.
0
+include AuthenticatedTestHelper
0
+
0
+describe PeopleController do
0
+ fixtures :people
0
+
0
+ it 'allows signup' do
0
+ lambda do
0
+ create_person
0
+ response.should be_redirect
0
+ end.should change(Person, :count).by(1)
0
+ end
0
+
0
+
0
+
0
+
0
+
0
+ it 'requires login on signup' do
0
+ lambda do
0
+ create_person(:login => nil)
0
+ assigns[:person].errors.on(:login).should_not be_nil
0
+ response.should be_success
0
+ end.should_not change(Person, :count)
0
+ end
0
+
0
+ it 'requires password on signup' do
0
+ lambda do
0
+ create_person(:password => nil)
0
+ assigns[:person].errors.on(:password).should_not be_nil
0
+ response.should be_success
0
+ end.should_not change(Person, :count)
0
+ end
0
+
0
+ it 'requires password confirmation on signup' do
0
+ lambda do
0
+ create_person(:password_confirmation => nil)
0
+ assigns[:person].errors.on(:password_confirmation).should_not be_nil
0
+ response.should be_success
0
+ end.should_not change(Person, :count)
0
+ end
0
+
0
+ it 'requires email on signup' do
0
+ lambda do
0
+ create_person(:email => nil)
0
+ assigns[:person].errors.on(:email).should_not be_nil
0
+ response.should be_success
0
+ end.should_not change(Person, :count)
0
+ end
0
+
0
+
0
+
0
+ def create_person(options = {})
0
+ post :create, :person => { :login => 'quire', :email => 'quire@example.com',
0
+ :password => 'quire', :password_confirmation => 'quire' }.merge(options)
0
+ end
0
+end
0
\ No newline at end of file
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
0
@@ -0,0 +1,74 @@
0
+require File.dirname(__FILE__) + '/../spec_helper'
0
+
0
+# Be sure to include AuthenticatedTestHelper in spec/spec_helper.rb instead
0
+# Then, you can remove it from this and the units test.
0
+include AuthenticatedTestHelper
0
+
0
+describe SessionsController do
0
+ fixtures :people
0
+
0
+ it 'logins and redirects' do
0
+ post :create, :login => 'quentin', :password => 'test'
0
+ session[:person_id].should_not be_nil
0
+ response.should be_redirect
0
+ end
0
+
0
+ it 'fails login and does not redirect' do
0
+ post :create, :login => 'quentin', :password => 'bad password'
0
+ session[:person_id].should be_nil
0
+ response.should be_success
0
+ end
0
+
0
+ it 'logs out' do
0
+ login_as :quentin
0
+ get :destroy
0
+ session[:person_id].should be_nil
0
+ response.should be_redirect
0
+ end
0
+
0
+ it 'remembers me' do
0
+ post :create, :login => 'quentin', :password => 'test', :remember_me => "1"
0
+ response.cookies["auth_token"].should_not be_nil
0
+ end
0
+
0
+ it 'does not remember me' do
0
+ post :create, :login => 'quentin', :password => 'test', :remember_me => "0"
0
+ response.cookies["auth_token"].should be_nil
0
+ end
0
+
0
+ it 'deletes token on logout' do
0
+ login_as :quentin
0
+ get :destroy
0
+ response.cookies["auth_token"].should == []
0
+ end
0
+
0
+ it 'logs in with cookie' do
0
+ people(:quentin).remember_me
0
+ request.cookies["auth_token"] = cookie_for(:quentin)
0
+ get :new
0
+ controller.send(:logged_in?).should be_true
0
+ end
0
+
0
+ it 'fails expired cookie login' do
0
+ people(:quentin).remember_me
0
+ people(:quentin).update_attribute :remember_token_expires_at, 5.minutes.ago
0
+ request.cookies["auth_token"] = cookie_for(:quentin)
0
+ get :new
0
+ controller.send(:logged_in?).should_not be_true
0
+ end
0
+
0
+ it 'fails cookie login' do
0
+ people(:quentin).remember_me
0
+ request.cookies["auth_token"] = auth_token('invalid_auth_token')
0
+ get :new
0
+ controller.send(:logged_in?).should_not be_true
0
+ end
0
+
0
+ def auth_token(token)
0
+ CGI::Cookie.new('name' => 'auth_token', 'value' => token)
0
+ end
0
+
0
+ def cookie_for(person)
0
+ auth_token people(person).remember_token
0
+ end
0
+end
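Review bot: The 'logs out' and 'deletes token on logout' examples call `get :destroy`, so they exercise logout through GET although `map.resource :session` maps `destroy` to the DELETE verb. Use `delete :destroy` so the spec reaches the action the way the resource route does. No example checks that logging out clears `remember_token` on the person record, which is what `forget_me` is there for. An example such as `people(:quentin).reload.remember_token.should be_nil` after a remembered login and logout would cover it.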
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
0
@@ -0,0 +1,19 @@
0
+quentin:
0
+ id: 1
0
+ login: quentin
0
+ email: quentin@example.com
0
+ salt: 7e3041ebc2fc05a40c60028e2c4901a81035d3cd
0
+ crypted_password: 00742970dc9e6319f8019fd54864d3ea740f04b1 # test
0
+ created_at: <%= 5.days.ago.to_s :db %>
0
+
0
+
0
+
0
+aaron:
0
+ id: 2
0
+ login: aaron
0
+ email: aaron@example.com
0
+ salt: 7e3041ebc2fc05a40c60028e2c4901a81035d3cd
0
+ crypted_password: 00742970dc9e6319f8019fd54864d3ea740f04b1 # test
0
+ created_at: <%= 1.days.ago.to_s :db %>
0
+
0
+
...
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
...
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
0
@@ -0,0 +1,111 @@
0
+require File.dirname(__FILE__) + '/../spec_helper'
0
+
0
+# Be sure to include AuthenticatedTestHelper in spec/spec_helper.rb instead.
0
+# Then, you can remove it from this and the functional test.
0
+include AuthenticatedTestHelper
0
+
0
+describe Person do
0
+ fixtures :people
0
+
0
+ describe 'being created' do
0
+ before do
0
+ @person = nil
0
+ @creating_person = lambda do
0
+ @person = create_person
0
+ violated "#{@person.errors.full_messages.to_sentence}" if @person.new_record?
0
+ end
0
+ end
0
+
0
+ it 'increments User#count' do
0
+ @creating_person.should change(Person, :count).by(1)
0
+ end
<