<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -17,7 +17,7 @@ class SessionController &lt; ApplicationController
       # button. Uncomment if you understand the tradeoffs.
       # reset_session
       self.current_user = user
-      if params[:remember_me] == '1'
+      if params[:remember_me] == &quot;1&quot;
         make_or_refresh_remember_cookie!
       else
         refresh_remember_cookie_if_set!
@@ -39,6 +39,7 @@ class SessionController &lt; ApplicationController
   end
 
 protected
+  # Track failed login attempts
   def note_failed_signin
     flash[:error] = &quot;Couldn't log you in as '#{params[:login]}'&quot;
     logger.warn &quot;Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}&quot;</diff>
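Review bot: `params[:login]` is written into the log line unmodified in `note_failed_signin`, so a login value containing newlines can split or forge log entries; log it escaped, e.g. `logger.warn "Failed login for #{params[:login].to_s.inspect} from #{request.remote_ip} at #{Time.now.utc}"`. The same value is interpolated into `flash[:error]`, which is safe only if the view that renders the flash HTML-escapes it (the view is not in this diff). The added comment says "Track failed login attempts", but the visible lines only set a flash message and write a log line; unless a counter or throttle follows, `# Report and log a failed login (no rate limiting here)` would be more accurate. The method body continues outside the hunk.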
      <filename>app/controllers/session_controller.rb</filename>
    </modified>
    <modified>
      <diff>@@ -12,6 +12,12 @@ module AuthenticatedSystem
       @current_user ||= (login_from_session || login_from_basic_auth || login_from_cookie) unless @current_user == false
     end
 
+    # Store the given user id in the session.
+    def current_user=(new_user)
+      session[:user_id] = new_user ? new_user.id : nil
+      @current_user = new_user || false
+    end
+
     # Check if the user is authorized
     #
     # Override this method in your controllers if you want to restrict access
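Review bot: `current_user=` writes `session[:user_id]` into whatever session already exists and nothing in this hunk rotates the session id, so a session id fixed before login stays valid after it. The setter is also called from `login_from_session` on ordinary requests, so the rotation belongs in the login action rather than here; the session_controller.rb hunk in this commit still shows `# reset_session` commented out just before `self.current_user = user`. I would make the contract explicit in the comment: `# Store the given user id in the session. Does not rotate the session id; call reset_session before assigning on a fresh login.`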
@@ -24,31 +30,11 @@ module AuthenticatedSystem
     #  def authorized?
     #    current_user.login != &quot;bob&quot;
     #  end
-    def authorized?(action=nil, resource=nil)
+    #
+    def authorized?(action=nil, resource=nil, *args)
       logged_in?
     end
 
-    # Store the given user id in the session.
-    def current_user=(new_user)
-      session[:user_id] = new_user ? new_user.id : nil
-      @current_user = new_user || false
-    end
-
-    def logout_keeping_session!
-      # Kill server-side auth cookie
-      @current_user.forget_me if @current_user.is_a? User
-      @current_user = false     # not logged in, and don't do it for me
-      kill_remember_cookie!     # Kill client-side auth cookie
-      session[:user_id] = nil   # keeps the session but kill our variable
-    end
-
-    # The session should only be reset at the tail end of a form POST -- otherwise the
-    # request forgery protection fails.
-    def logout_killing_session!
-      logout_keeping_session!
-      reset_session
-    end
-
     # Filter method to enforce a login requirement.
     #
     # To require logins for all actions, use this in your controllers:
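Review bot: The widened signature `authorized?(action=nil, resource=nil, *args)` still discards every argument and returns `logged_in?`, so a call such as `authorized?(:destroy, record)` passes for any signed-in user unless the controller overrides the method. The doc comment above it (which starts outside the hunk) only shows a zero-argument override, and the new bare `#` line adds nothing. I would replace that line with `# The default ignores action, resource and args and only checks logged_in?; override to enforce per-action or per-resource rules.`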
@@ -104,13 +90,17 @@ module AuthenticatedSystem
       redirect_to(session[:return_to] || default)
       session[:return_to] = nil
     end
-
+    
     # Inclusion hook to make #current_user and #logged_in?
     # available as ActionView helper methods.
     def self.included(base)
       base.send :helper_method, :current_user, :logged_in?, :authorized? if base.respond_to? :helper_method
     end
 
+    #
+    # Login
+    #
+
     # Called from #current_user.  First attempt to login by the user id stored in the session.
     def login_from_session
       self.current_user = User.find_by_id(session[:user_id]) if session[:user_id]
@@ -123,11 +113,43 @@ module AuthenticatedSystem
       end
     end
 
+    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
+    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
+    def login_from_cookie
+      user = cookies[:auth_token] &amp;&amp; User.find_by_remember_token(cookies[:auth_token])
+      if user &amp;&amp; user.remember_token?
+        self.current_user = user
+        refresh_remember_cookie_if_set! # freshen cookie token (keeping date)
+      end
+    end
+    
+    #
+    # Logout
+    #
+
+    def logout_keeping_session!
+      # Kill server-side auth cookie
+      @current_user.forget_me if @current_user.is_a? User
+      @current_user = false     # not logged in, and don't do it for me
+      kill_remember_cookie!     # Kill client-side auth cookie
+      session[:user_id] = nil   # keeps the session but kill our variable
+    end
+
+    # The session should only be reset at the tail end of a form POST -- otherwise the
+    # request forgery protection fails.
+    def logout_killing_session!
+      logout_keeping_session!
+      reset_session
+    end
+    
+    #
+    # Remember_me Tokens
+    #
     # Cookies shouldn't be allowed to persist past their freshness date,
     # and they should be changed at each login
 
     # Refresh the cookie auth token if it exists, create it otherwise
-    def make_remember_cookie!
+    def make_or_refresh_remember_cookie!
       return unless @current_user
       if @current_user.remember_token? then @current_user.refresh_token else @current_user.remember_me end
       send_remember_cookie!
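Review bot: `login_from_cookie` looks the user up with `User.find_by_remember_token(cookies[:auth_token])`, which means the database column holds the same value the browser presents, so anyone who can read the users table can replay every live remember-me cookie. Storing only a digest of the token and looking up by the digest of the cookie value would close that gap; the change would be in the User model, which is not part of this diff. The comment's own remark about binding the token to the request IP is a separate hardening step and is still not implemented in the moved code. While the comment is being moved, "Finaly" should read "Finally".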
@@ -144,17 +166,6 @@ module AuthenticatedSystem
       cookies.delete :auth_token
     end
 
-    # Called from #current_user.  Finaly, attempt to login by an expiring token in the cookie.
-    # for the paranoid: we _should_ be storing user_token = hash(cookie_token, request IP)
-    def login_from_cookie
-      user = cookies[:auth_token] &amp;&amp; User.find_by_remember_token(cookies[:auth_token])
-      if user &amp;&amp; user.remember_token?
-        self.current_user = user
-        refresh_remember_cookie_if_set! # freshen cookie token (keeping date)
-      end
-    end
-
-  private
     def send_remember_cookie!
       cookies[:auth_token] = {
         :value   =&gt; @current_user.remember_token,</diff>
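Review bot: Removing the `private` line changes the visibility of `send_remember_cookie!`, which now takes whatever modifier is in effect earlier in the module (not visible in this hunk). If that is not `protected` or `private`, the method becomes public on every controller that includes AuthenticatedSystem, and Rails treats public controller methods as routable actions. Either keep `private` above `send_remember_cookie!` or confirm that the module opens with `protected` and say so in a comment. The cookie hash continues outside the hunk.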
      <filename>lib/authenticated_system.rb</filename>
    </modified>
    <modified>
      <diff>@@ -10,4 +10,22 @@ module AuthenticatedTestHelper
     @request.env[&quot;HTTP_AUTHORIZATION&quot;] = user ? ActionController::HttpAuthentication::Basic.encode_credentials(users(user).login, 'test') : nil
   end
   
+
+  # For tests that include a mailer
+  def set_mailer_in_test
+    ActionMailer::Base.delivery_method = :test
+    ActionMailer::Base.perform_deliveries = true
+    ActionMailer::Base.deliveries = []
+  end
+
+  # rspec
+  def mock_user
+    user = mock_model(User, :id =&gt; 1,
+      :login  =&gt; 'user_name',
+      :name   =&gt; 'U. Surname',
+      :to_xml =&gt; &quot;XML&quot;, :to_json =&gt; &quot;JSON&quot;,
+      :errors =&gt; [])
+    user
+  end
+
 end</diff>
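Review bot: `mock_user` calls `mock_model`, which comes from rspec-rails, but it now lives in AuthenticatedTestHelper, which is presumably also included in Test::Unit functional tests, where `mock_model` would be undefined. The `# rspec` comment does not make that dependency clear; `# RSpec only: requires mock_model from rspec-rails.` would. The local `user` is also redundant, since the `mock_model(...)` call can simply be the method's last expression.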
      <filename>lib/authenticated_test_helper.rb</filename>
    </modified>
    <modified>
      <diff>@@ -52,26 +52,5 @@ Spec::Runner.configure do |config|
   # == Notes
   # 
   # For more information take a look at Spec::Example::Configuration and Spec::Runner
-
-
-  #
-  # For tests that include a mailer
-  #
-  def set_mailer_in_test
-    ActionMailer::Base.delivery_method = :test
-    ActionMailer::Base.perform_deliveries = true
-    ActionMailer::Base.deliveries = []
-  end
-
-  def mock_user
-    user = mock_model(User, :id =&gt; 1,
-      :login  =&gt; 'user_name',
-      :name   =&gt; 'U. Surname',
-      :to_xml =&gt; &quot;XML&quot;, :to_json =&gt; &quot;JSON&quot;, 
-      :errors =&gt; [])
-    #User.stub!(:find).with('1').and_return(user)
-    #stub!(:users).and_return(user) # to play nice with authenticated_test_helper
-    user
-  end
     
 end</diff>
      <filename>spec/spec_helper.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>ca734764a9b1046184fb8ffe874f4f27717d3659</id>
    </parent>
  </parents>
  <author>
    <name>Philip (flip) Kromer</name>
    <email>flip@infochimps.org</email>
  </author>
  <url>http://github.com/mrflip/restful_authentication_example/commit/8eee21c8147f2ddb7780a19a0843e1c7b83e577c</url>
  <id>8eee21c8147f2ddb7780a19a0843e1c7b83e577c</id>
  <committed-date>2008-05-16T11:41:55-07:00</committed-date>
  <authored-date>2008-05-16T11:41:55-07:00</authored-date>
  <message>forward (sigh) porting some things I noticed fixin' up the restful_authentication</message>
  <tree>b8c4055018db2a437269135969b25ced120f724f</tree>
  <committer>
    <name>Philip (flip) Kromer</name>
    <email>flip@infochimps.org</email>
  </committer>
</commit>
