app/controllers/password_resets_controller.rb app/models/auth_session.rb app/views/mailer/password_reset.erb app/views/password_resets/index.html.erb app/views/password_resets/show.html.erb config/locales/session.en.yml spec/controllers/password_reset_controller_spec.rb spec/views/password_resets/index_spec.rb spec/views/password_resets/show_spec.rb @@ -18,13 +18,9 @@ class ApplicationController < ActionController::Base #:nodoc: helper :all # include all helpers, all the time - helper_method :current_session, :authenticated - - class UserSession < Authlogic::Session::Base - authenticate_with Person - params_key :access_key - single_access_allowed_request_types [Mime::ATOM, Mime::ICS] - end + # Returns currently authenticated person. + attr_reader :authenticated + helper_method :authenticated private @@ -38,25 +34,14 @@ private # See ActionController::RequestForgeryProtection for details protect_from_forgery - def current_session - return @current_session if defined?(@current_session) - @current_session = UserSession.find - end - - # Returns currently authenticated user. - def authenticated - return @authenticated if defined?(@authenticated) - @authenticated = current_session && current_session.person - end - before_filter :authenticate # Authentication filter enabled by default since most resources are guarded. def authenticate - # TODO: HTTP Basic might need this - # params[request_forgery_protection_token] = form_authenticity_token - if authenticated - I18n.locale = authenticated.locale.to_sym if authenticated.locale - Time.zone = authenticated.timezone + auth_session = AuthSession.find + @authenticated = auth_session && auth_session.person + if @authenticated + I18n.locale = @authenticated.locale.to_sym if @authenticated.locale + Time.zone = @authenticated.timezone elsif request.format.html? session[:return_url] = request.url redirect_to session_url app/controllers/application_controller.rb @@ -19,23 +19,21 @@ class SessionsController < ApplicationController #:nodoc: skip_before_filter :authenticate def show + @auth_session = AuthSession.new end def create - user_session = UserSession.new(params) - if user_session.save - redirect = session.delete(:return_url) || root_url - redirect_to redirect, :status=>:see_other + @auth_session = AuthSession.new(params) + if @auth_session.save + redirect_to session.delete(:return_url) || root_url else - flash[:error] = t('sessions.errors.nomatch') unless params[:login].blank? - redirect_to session_url, :status=>:see_other + render :action=>:show end end def destroy - @authenticated = nil - current_session.destroy - redirect_to root_url, :status=>:see_other + AuthSession.find.destroy + redirect_to root_url end end app/controllers/sessions_controller.rb @@ -19,6 +19,15 @@ class Mailer < ActionMailer::Base helper :application layout 'mailer' + def password_reset(person) + subject "Instructions for resetting your password" + from "Notifications <notifications@#{default_url_options[:host]}>" + reply_to "Do not reply <noreply@#{default_url_options[:host]}>" + recipients person.email + body :link=>password_reset_url(person.perishable_token) + + end + def notification(notification, recipient) subject notification.subject from "Notifications <notifications@#{default_url_options[:host]}>" app/models/mailer.rb @@ -109,7 +109,7 @@ class Person < ActiveRecord::Base end acts_as_authentic do |config| - # Configuration comes here. + perishable_token_valid_for 1.hour end app/models/person.rb @@ -28,6 +28,7 @@ </ol> </li> </ol> + <%= [:error, :notice, :success].select { |k| flash[k] }.map { |k| content_tag('div', h(flash[k]), :class=>k) }.join %> </div> <div id='container'> <%= yield(:content) or yield %> app/views/layouts/application.html.erb @@ -1,12 +1,14 @@ -<% form_for :session, :url=>session_url, :html=>{ :class=>'login' } do %> +<% form_for @auth_session, :url=>session_url, :html=>{ :class=>'login' } do |f| %> <fieldset> - <%= content_tag 'p', flash[:error], :class=>'error' if flash[:error] %> + <%= f.error_messages :header_message=>false, :message=>false, :class=>'error' %> <dl> <dt><%= label_tag 'login', t('.login.label') %></dt> <dd><%= text_field_tag 'login', nil, :size=>40, :title=>t('.login.hint'), :class=>'auto_focus' %></dd> <dt><%= label_tag 'password', t('.password.label') %></dt> <dd><%= password_field_tag 'password', nil, :size=>40, :title=>t('.password.hint') %></dd> + <dt></dt><dd><label><%= check_box_tag 'remember_me', 1, true %> <%= t('.remember_me.label') %></label></dd> <dt></dt><dd><%= submit_tag t('.submit.button'), :title=>t('.submit.hint') %></dd> + <dt></dt><dd><%= link_to t('.recover'), password_resets_path %></dd> </dl> </fieldset> <% end %> app/views/sessions/show.html.erb @@ -25,19 +25,6 @@ en: header: "Time to complete each task (dd:hh)" hover: "{{count}} tasks completed in under {{hours}} hours" format: "%0d:%02d" - sessions: - errors: - nomatch: "No account with this user name and password." - show: - submit: - button: "Login" - hint: "" - login: - label: "Username:" - hint: "Your username" - password: - label: "Password:" - hint: "Your password is case sensitive" # Layouts layouts: application: config/locales/en.yml @@ -16,7 +16,6 @@ ActionController::Routing::Routes.draw do |map| - map.resource 'session' map.resources 'tasks', :collection=>{ 'completed'=>:get, 'following'=>:get, 'complete_redirect'=>:get }, :member=>['activities'] do |tasks| tasks.with_options :controller=>'task_for' do |opts| @@ -34,6 +33,8 @@ ActionController::Routing::Routes.draw do |map| map.resources 'notifications' map.resources 'activities' map.resource 'graphs' + map.resource 'session' + map.resources 'password_resets' map.root :controller=>'tasks', :action=>'index' @@ -42,64 +43,66 @@ ActionController::Routing::Routes.draw do |map| map.connect ':controller/:action/:id.:format' end #== Route Map -# Generated on 20 May 2009 16:20 +# Generated on 11 Jun 2009 22:44 # -# new_session GET /session/new(.:format) {:action=>"new", :controller=>"sessions"} -# edit_session GET /session/edit(.:format) {:action=>"edit", :controller=>"sessions"} -# session GET /session(.:format) {:action=>"show", :controller=>"sessions"} -# PUT /session(.:format) {:action=>"update", :controller=>"sessions"} -# DELETE /session(.:format) {:action=>"destroy", :controller=>"sessions"} -# POST /session(.:format) {:action=>"create", :controller=>"sessions"} -# completed_tasks GET /tasks/completed(.:format) {:action=>"completed", :controller=>"tasks"} -# complete_redirect_tasks GET /tasks/complete_redirect(.:format) {:action=>"complete_redirect", :controller=>"tasks"} -# following_tasks GET /tasks/following(.:format) {:action=>"following", :controller=>"tasks"} -# tasks GET /tasks(.:format) {:action=>"index", :controller=>"tasks"} -# POST /tasks(.:format) {:action=>"create", :controller=>"tasks"} -# new_task GET /tasks/new(.:format) {:action=>"new", :controller=>"tasks"} -# activities_task /tasks/:id/activities(.:format) {:action=>"activities", :controller=>"tasks"} -# edit_task GET /tasks/:id/edit(.:format) {:action=>"edit", :controller=>"tasks"} -# task GET /tasks/:id(.:format) {:action=>"show", :controller=>"tasks"} -# PUT /tasks/:id(.:format) {:action=>"update", :controller=>"tasks"} -# DELETE /tasks/:id(.:format) {:action=>"destroy", :controller=>"tasks"} -# PUT /tasks/:task_id/for/:person_id {:action=>"update", :controller=>"task_for"} -# task_for_person /tasks/:task_id/for/:person_id {:action=>"show", :controller=>"task_for"} -# POST /tasks/:id {:action=>"update", :controller=>"tasks"} -# search /search {:action=>"search", :controller=>"tasks"} -# open_search /search/osd {:action=>"opensearch", :controller=>"tasks"} -# forms GET /forms(.:format) {:action=>"index", :controller=>"forms"} -# POST /forms(.:format) {:action=>"create", :controller=>"forms"} -# new_form GET /forms/new(.:format) {:action=>"new", :controller=>"forms"} -# edit_form GET /forms/:id/edit(.:format) {:action=>"edit", :controller=>"forms"} -# form GET /forms/:id(.:format) {:action=>"show", :controller=>"forms"} -# PUT /forms/:id(.:format) {:action=>"update", :controller=>"forms"} -# DELETE /forms/:id(.:format) {:action=>"destroy", :controller=>"forms"} -# templates GET /templates(.:format) {:action=>"index", :controller=>"templates"} -# POST /templates(.:format) {:action=>"create", :controller=>"templates"} -# new_template GET /templates/new(.:format) {:action=>"new", :controller=>"templates"} -# edit_template GET /templates/:id/edit(.:format) {:action=>"edit", :controller=>"templates"} -# template GET /templates/:id(.:format) {:action=>"show", :controller=>"templates"} -# PUT /templates/:id(.:format) {:action=>"update", :controller=>"templates"} -# DELETE /templates/:id(.:format) {:action=>"destroy", :controller=>"templates"} -# notifications GET /notifications(.:format) {:action=>"index", :controller=>"notifications"} -# POST /notifications(.:format) {:action=>"create", :controller=>"notifications"} -# new_notification GET /notifications/new(.:format) {:action=>"new", :controller=>"notifications"} -# edit_notification GET /notifications/:id/edit(.:format) {:action=>"edit", :controller=>"notifications"} -# notification GET /notifications/:id(.:format) {:action=>"show", :controller=>"notifications"} -# PUT /notifications/:id(.:format) {:action=>"update", :controller=>"notifications"} -# DELETE /notifications/:id(.:format) {:action=>"destroy", :controller=>"notifications"} -# activities GET /activities(.:format) {:action=>"index", :controller=>"activities"} -# POST /activities(.:format) {:action=>"create", :controller=>"activities"} -# new_activity GET /activities/new(.:format) {:action=>"new", :controller=>"activities"} -# edit_activity GET /activities/:id/edit(.:format) {:action=>"edit", :controller=>"activities"} -# activity GET /activities/:id(.:format) {:action=>"show", :controller=>"activities"} -# PUT /activities/:id(.:format) {:action=>"update", :controller=>"activities"} -# DELETE /activities/:id(.:format) {:action=>"destroy", :controller=>"activities"} -# new_graphs GET /graphs/new(.:format) {:action=>"new", :controller=>"graphs"} -# edit_graphs GET /graphs/edit(.:format) {:action=>"edit", :controller=>"graphs"} -# graphs GET /graphs(.:format) {:action=>"show", :controller=>"graphs"} -# PUT /graphs(.:format) {:action=>"update", :controller=>"graphs"} -# DELETE /graphs(.:format) {:action=>"destroy", :controller=>"graphs"} -# POST /graphs(.:format) {:action=>"create", :controller=>"graphs"} -# root / {:action=>"index", :controller=>"tasks"} +# completed_tasks GET /tasks/completed(.:format) {:controller=>"tasks", :action=>"completed"} +# complete_redirect_tasks GET /tasks/complete_redirect(.:format) {:controller=>"tasks", :action=>"complete_redirect"} +# following_tasks GET /tasks/following(.:format) {:controller=>"tasks", :action=>"following"} +# tasks GET /tasks(.:format) {:controller=>"tasks", :action=>"index"} +# POST /tasks(.:format) {:controller=>"tasks", :action=>"create"} +# new_task GET /tasks/new(.:format) {:controller=>"tasks", :action=>"new"} +# activities_task /tasks/:id/activities(.:format) {:controller=>"tasks", :action=>"activities"} +# edit_task GET /tasks/:id/edit(.:format) {:controller=>"tasks", :action=>"edit"} +# task GET /tasks/:id(.:format) {:controller=>"tasks", :action=>"show"} +# PUT /tasks/:id(.:format) {:controller=>"tasks", :action=>"update"} +# DELETE /tasks/:id(.:format) {:controller=>"tasks", :action=>"destroy"} +# PUT /tasks/:task_id/for/:person_id {:controller=>"task_for", :action=>"update"} +# task_for_person /tasks/:task_id/for/:person_id {:controller=>"task_for", :action=>"show"} +# POST /tasks/:id {:controller=>"tasks", :action=>"update"} +# search /search {:controller=>"tasks", :action=>"search"} +# open_search /search/osd {:controller=>"tasks", :action=>"opensearch"} +# forms GET /forms(.:format) {:controller=>"forms", :action=>"index"} +# POST /forms(.:format) {:controller=>"forms", :action=>"create"} +# new_form GET /forms/new(.:format) {:controller=>"forms", :action=>"new"} +# edit_form GET /forms/:id/edit(.:format) {:controller=>"forms", :action=>"edit"} +# form GET /forms/:id(.:format) {:controller=>"forms", :action=>"show"} +# PUT /forms/:id(.:format) {:controller=>"forms", :action=>"update"} +# DELETE /forms/:id(.:format) {:controller=>"forms", :action=>"destroy"} +# templates GET /templates(.:format) {:controller=>"templates", :action=>"index"} +# POST /templates(.:format) {:controller=>"templates", :action=>"create"} +# new_template GET /templates/new(.:format) {:controller=>"templates", :action=>"new"} +# edit_template GET /templates/:id/edit(.:format) {:controller=>"templates", :action=>"edit"} +# template GET /templates/:id(.:format) {:controller=>"templates", :action=>"show"} +# PUT /templates/:id(.:format) {:controller=>"templates", :action=>"update"} +# DELETE /templates/:id(.:format) {:controller=>"templates", :action=>"destroy"} +# notifications GET /notifications(.:format) {:controller=>"notifications", :action=>"index"} +# POST /notifications(.:format) {:controller=>"notifications", :action=>"create"} +# new_notification GET /notifications/new(.:format) {:controller=>"notifications", :action=>"new"} +# edit_notification GET /notifications/:id/edit(.:format) {:controller=>"notifications", :action=>"edit"} +# notification GET /notifications/:id(.:format) {:controller=>"notifications", :action=>"show"} +# PUT /notifications/:id(.:format) {:controller=>"notifications", :action=>"update"} +# DELETE /notifications/:id(.:format) {:controller=>"notifications", :action=>"destroy"} +# activities GET /activities(.:format) {:controller=>"activities", :action=>"index"} +# POST /activities(.:format) {:controller=>"activities", :action=>"create"} +# new_activity GET /activities/new(.:format) {:controller=>"activities", :action=>"new"} +# edit_activity GET /activities/:id/edit(.:format) {:controller=>"activities", :action=>"edit"} +# activity GET /activities/:id(.:format) {:controller=>"activities", :action=>"show"} +# PUT /activities/:id(.:format) {:controller=>"activities", :action=>"update"} +# DELETE /activities/:id(.:format) {:controller=>"activities", :action=>"destroy"} +# new_graphs GET /graphs/new(.:format) {:controller=>"graphs", :action=>"new"} +# edit_graphs GET /graphs/edit(.:format) {:controller=>"graphs", :action=>"edit"} +# graphs GET /graphs(.:format) {:controller=>"graphs", :action=>"show"} +# PUT /graphs(.:format) {:controller=>"graphs", :action=>"update"} +# DELETE /graphs(.:format) {:controller=>"graphs", :action=>"destroy"} +# POST /graphs(.:format) {:controller=>"graphs", :action=>"create"} +# recover_session GET /session/recover(.:format) {:controller=>"sessions", :action=>"recover"} +# POST /session/recover(.:format) {:controller=>"sessions", :action=>"recover"} +# new_session GET /session/new(.:format) {:controller=>"sessions", :action=>"new"} +# edit_session GET /session/edit(.:format) {:controller=>"sessions", :action=>"edit"} +# session GET /session(.:format) {:controller=>"sessions", :action=>"show"} +# PUT /session(.:format) {:controller=>"sessions", :action=>"update"} +# DELETE /session(.:format) {:controller=>"sessions", :action=>"destroy"} +# POST /session(.:format) {:controller=>"sessions", :action=>"create"} +# root / {:controller=>"tasks", :action=>"index"} # /:controller/:action/:id # /:controller/:action/:id(.:format) config/routes.rb @@ -81,6 +81,9 @@ $(function() { return false; }); + + setTimeout(function() { $('#header div.error, #header div.success, #header div.notice').slideUp(500) }, 5000); + }) public/javascripts/singleshot.js @@ -45,6 +45,17 @@ form dl dd { margin: 0 0 0.9em 0; } form dl dd input[type=radio] { margin: 0.3em 0 0.6em 0.3em; } .hidden { display: none; } +.error ul { list-style: none; padding: 0; margin: 0 } + + +/** Message **/ +.error, .notice, .success {padding:.8em;margin-bottom:1em;border:2px solid #ddd;} +.error {background:#FBE3E4;color:#8a1f11;border-color:#FBC2C4;} +.notice {background:#FFF6BF;color:#514721;border-color:#FFD324;} +.success {background:#E6EFC2;color:#264409;border-color:#C6D880;} +.error a {color:#8a1f11;} +.notice a {color:#514721;} +.success a {color:#264409;} /** Pagination **/ public/stylesheets/common.css @@ -41,7 +41,7 @@ class Person #:nodoc: end def me - named(ENV['USER']) + named('john') end end end spec/blueprints.rb @@ -32,6 +32,8 @@ end describe AuthenticationTestController do before { @person = Person.make(:email=>'john@example.com', :locale=>'tlh', :timezone=>-11) } + should_filter_params :password, :password_confirmation + describe 'unauthenticated request' do describe '(HTML)' do before { get :index } spec/controllers/authentication_spec.rb @@ -30,16 +30,7 @@ module Spec::Helpers #:nodoc: # # Without arguments, authenticates as 'person'. def authenticate(person = Person.named('john')) - @controller.instance_eval do - previous, @authenticated = @authenticated, person - if block_given? - begin - yield - ensure - @authenticated = previous - end - end - end + session[:person_credentials] = person && person.persistence_token self end spec/controllers/helpers.rb @@ -21,66 +21,75 @@ describe SessionsController do controller_name :sessions should_route :get, '/session', :controller =>'sessions', :action=>'show' - should_route :post, '/session', :controller =>'sessions', :action=>'create' - should_route :delete, '/session', :controller =>'sessions', :action=>'destroy' - should_filter_params :password - describe 'GET /session' do before { get :show } should_render_template 'sessions/show' end + + should_route :post, '/session', :controller =>'sessions', :action=>'create' describe 'POST /session' do before { Person.me } describe '(no credentials)' do before { post :create } - it('should have no authenticated user in session') { authenticated.should be_nil } - it('should have no error message in flash') { flash.should be_empty } - should_redirect_to { session_path } + should_not_login + should_render_template 'sessions/show' end describe '(wrong credentials)' do before { post :create, :login=>Person.me.login, :password=>'wrong' } - it('should have no authenticated user in session') { authenticated.should be_nil } - it('should have error message in flash') { flash[:error].should match(/no account/i) } - should_redirect_to { session_path } + should_not_login + should_render_template 'sessions/show' end describe '(valid credentials)' do before { post :create, :login=>Person.me.login, :password=>'secret' } - it('should store authenticated user in session') { authenticated.should == Person.me } - it('should clear flash') { flash.should be_empty } + should_login { Person.me } should_redirect_to { root_path } end describe '(valid credentials and return url)' do before { post :create, { :login=>Person.me.login, :password=>'secret' }, { :return_url=>'http://return_url' } } - it('should store authenticated user in session') { authenticated.should == Person.me } - it('should clear return url from session') { session[:return_url].should be_nil } + should_login { Person.me } should_redirect_to { 'http://return_url' } end end + should_route :delete, '/session', :controller =>'sessions', :action=>'destroy' describe 'DELETE /session' do before do - @controller.instance_eval do - @current_session = ApplicationController::UserSession.new - @current_session.should_receive(:destroy) - @authenticated = Person.me + AuthSession.should_receive(:find).and_return do + AuthSession.new(Person.me).tap(&:save) end delete :destroy end - it('should have no authenticated user in session') { authenticated.should be_nil } + should_not_login should_redirect_to { root_path } end + + def login(&block) + simple_matcher "login" do |given, matcher| + run_action! + if block + expected = block.call + actual = controller.session[:person_credentials_id] && Person.find_by_id(controller.session[:person_credentials_id]) + matcher.failure_message = "expected #{expected.inspect} but got #{actual.inspect}" + actual == expected + else + matcher.failure_message = "expected authenticated person" + controller.session[:person_credentials_id] + end + end + end + end spec/controllers/sessions_controller_spec.rb @@ -26,9 +26,4 @@ end Spec::Runner.configure do |config| config.include Spec::Helpers::Models, :type=>:model - config.before :each do - ActionMailer::Base.delivery_method = :test - ActionMailer::Base.perform_deliveries = true - ActionMailer::Base.deliveries = [] - end end spec/models/helpers.rb @@ -8,6 +8,7 @@ require File.expand_path(File.dirname(__FILE__) + '/blueprints') require 'remarkable' require 'remarkable_activerecord' require 'remarkable_rails' +require 'email_spec' trap("SIGINT"){ exit! 0 } @@ -50,4 +51,9 @@ Spec::Runner.configure do |config| # == Notes # # For more information take a look at Spec::Runner::Configuration and Spec::Runner + + config.before :each do + ActionMailer::Base.deliveries = [] + end + config.include EmailSpec::Matchers end spec/spec_helper.rb @@ -15,6 +15,7 @@ require File.dirname(__FILE__) + '/../spec_helper' +require 'authlogic/test_case' module Spec::Helpers #:nodoc: spec/views/helpers.rb @@ -18,7 +18,9 @@ require File.dirname(__FILE__) + '/../helpers' describe '/sessions/show' do before do - @controller.allow_forgery_protection = true + controller.allow_forgery_protection = true + Authlogic::Session::Base.controller = Authlogic::TestCase::MockController.new + assigns[:auth_session] = AuthSession.new render '/sessions/show' end @@ -30,7 +32,10 @@ describe '/sessions/show' do with_tag 'input[name=login][type=text][title=Your username]' with_tag 'label[for=password]', "Password:" with_tag 'input[name=password][type=password][title=Your password is case sensitive]' + with_tag 'label', "Remember me on this computer" + with_tag 'input[name=remember_me][type=checkbox][value=1][checked]' with_tag 'input[type=submit][value=Login]' + with_tag 'a[href=?]', password_resets_path, "Help, I lost my password!" end end end @@ -43,10 +48,12 @@ end describe '/sessions/show with error message' do before do - @controller.allow_forgery_protection = true - flash[:error] = 'Error message' + controller.allow_forgery_protection = true + Authlogic::Session::Base.controller = Authlogic::TestCase::MockController.new + assigns[:auth_session] = AuthSession.new + assigns[:auth_session].errors.add_to_base "Error message" render '/sessions/show' end - should_have_tag 'form.login fieldset p.error', "Error message" + should_have_tag 'form.login fieldset div.error', "Error message" end spec/views/sessions/show_spec.rb 7040bd5f1ee115806485cb7e183de744239dfdb8 Assaf Arkin assaf@labnotes.org http://github.com/intalio/singleshot/commit/181296932e308e279c72675d36abb336eb8c5703 181296932e308e279c72675d36abb336eb8c5703 2009-06-12T12:50:55-07:00 2009-06-11T21:02:21-07:00 Cleanup for authentication logic. Added remember me option to login. Cleanup of authentication UI. Added password recovery. Flash[:success/:notice/:error] now shown as part of layout and automatically removed after 5 seconds. Password recovery token good for 1 hour. dd12cdde6f4a77dde9c41a3ade41dc0a06145d8f Assaf Arkin assaf@labnotes.org