Browse files

Released v1.1.1

  • Loading branch information...
binarylogic committed Nov 14, 2008
1 parent 4bdf3fd commit ebdebfa942a0b5faf1d26dd1bb5d02fc05accf80
Showing with 1,006 additions and 774 deletions.
  1. +11 −2 CHANGELOG.rdoc
  2. +9 −3 Manifest
  3. +32 −7 README.rdoc
  4. +1 −1 Rakefile
  5. +2 −4 lib/authlogic.rb
  6. +4 −0 lib/authlogic/controller_adapters/abstract_adapter.rb
  7. +4 −0 lib/authlogic/controller_adapters/rails_adapter.rb
  8. +2 −76 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb
  9. +132 −0 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb
  10. +77 −116 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb
  11. +35 −24 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb
  12. +51 −44 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb
  13. +64 −54 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb
  14. +61 −0 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb
  15. +20 −9 lib/authlogic/session/base.rb
  16. +54 −63 lib/authlogic/session/config.rb
  17. +2 −2 lib/authlogic/session/cookies.rb
  18. +0 −106 lib/authlogic/session/openid.rb
  19. +9 −6 lib/authlogic/session/params.rb
  20. +3 −3 lib/authlogic/session/session.rb
  21. +0 −17 lib/authlogic/testing/shoulda_macros.rb
  22. +1 −1 lib/authlogic/version.rb
  23. +13 −0 shoulda_macros/authlogic.rb
  24. +2 −2 test/fixtures/employees.yml
  25. +2 −0 test/fixtures/users.yml
  26. +5 −0 test/libs/mock_controller.rb
  27. +0 −217 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_test.rb
  28. +36 −0 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb
  29. +129 −0 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb
  30. +24 −0 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb
  31. +45 −0 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb
  32. +62 −0 ...rm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb
  33. +41 −0 test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb
  34. +15 −0 test/session_tests/base_test.rb
  35. +31 −14 test/session_tests/config_test.rb
  36. +17 −1 test/session_tests/params_test.rb
  37. +10 −2 test/test_helper.rb
@@ -1,4 +1,13 @@
-== 1.1.0 released 2008-11-05
+== 1.1.1 released 2008-11-13
+* Removed ActiveRecord dependency.
+* Removed loading shoulda macros by default, moved to shoulda_macros dir.
+* Modified how params access works. Added in single_access_token_field which params now uses. See the single access section in the README. Various configuration options added as well.
+* Cleaned up acts_as_authentic configuration, added new config module to do this.
+* Cleaned up acts_as_authentic tests
+* Moved acts_as_authentic sub modules into the proper name spaces
+== 1.1.0 released 2008-11-13
* Moved Rack standards into abstract_adapter for the controllers.
* Added authenticating_with_credentials?, authenticating_with_unauthorized_record?
@@ -7,7 +16,7 @@
* Moved ActiveRecord additions to ORM Adapters name space to make way for Data Mapper.
* Reorganized and modified acts_as_authentic to be free standing and not get info from the related session.
* The session now gets its configuration from the model, since determining which fields are present is ORM specific.
-* Extracted session and cookie logic into their own modules.
+* Extracted session and cookie logic into their own modules for Session.
* Moved crypto providers into their own module and added a Sha1 provider to help with the restful_authentication transition.
* Allow the unique_token method to use the alternate crypto_provider if it is a hash algorithm, otherwise default to Sha512.
* Added last_request_at_threshold configuration option.
@@ -5,10 +5,12 @@ lib/authlogic/controller_adapters/merb_adapter.rb
@@ -18,17 +20,16 @@ lib/authlogic/session/callbacks.rb
@@ -38,7 +39,12 @@ test/libs/mock_controller.rb
@@ -31,7 +31,7 @@ What if your user sessions controller could look just like your other controller
def destroy
- @user_session.destroy
+ current_user_session.destroy
@@ -51,12 +51,17 @@ Look familiar? If you didn't know any better, you would think UserSession was an
Or how about persisting the session...
class ApplicationController
- before_filter :load_user
+ helper_method :current_user_session, :current_user
- def load_user
- @user_session = UserSession.find
- @current_user = @user_session && @user_session.user
+ def current_user_session
+ return @current_user_session if defined?(@current_user_session)
+ @current_user_session = UserSession.find
+ end
+ end current_user
+ return @current_user if defined?(@current_user)
+ @current_user = current_user_session && current_user_session.user
@@ -78,7 +83,7 @@ Install the gem / plugin (recommended)
Now add the gem dependency in your config:
# config/environment.rb
- config.gem :authlogic
+ config.gem "authlogic"
Or you install this as a plugin (for older versions of rails)
@@ -111,7 +116,7 @@ The user model needs to have the following columns. The names of these columns c
Make sure you have a model that you will be authenticating with. For this example let's say you have a User model:
class User < ActiveRecord::Base
- acts_as_authentic # for options see documentation: Authlogic::ActsAsAuthentic::ClassMethods
+ acts_as_authentic # for options see documentation: Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::Config
Done! Now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this readme or check out the tutorial (see above in "helpful links") for a more detailed walk through.
@@ -179,6 +184,26 @@ This will keep everything separate. The :secure session will store its info in a
For more information on ids checkout Authlogic::Session::Base#initialize
+== Single Access / Private Feeds Access
+Need to provide a single / one time access to an account where the session does NOT get persisted? Take a private feed for example, if everyone followed standards basic http auth should work just fine, but since we live in a world where following standards is a hard concept (*cough* Microsoft *cough*), the feed url needs to have some sort of "credentials" to log the user in and get their user specific feed items. This is easy, Authlogic has a nifty little feature for doing just this. All that you need to do is add the following field in your table:
+ t.string :single_access_token, :null => false # or call it feeds_token or feed_token
+Authlogic will notice you have this and adjust accordingly. You have the follow configuration options for your session (Authlogic::Session::Config) to customize how this works:
+1. <tt>params_key:</tt> params_key is the key Authlogic will look for when trying to find your session. It works just like your cookie and session key, except this is for params. Take a UserSession:
+2. <tt>single_access_allowed_request_types:</tt> Single access needs to be handled with care, after all, it gives the user access to their account. But maybe you don't want to allow this for your entire application. Maybe you only want to allow this for certain request types, such as application/rss+xml or application/atom+xml. By default single access is only allowed for these requests types.
+3. <tt>single_access_token_field:</tt> This works just like remember_token_field. It basically allows you to name the column that the single_access_token is stored in.
+4. change_single_access_token_with_password
+You also have the following options when calling acts_as_authentic (Authlogic::ORMAdapters::ActiveRecordAdapter::Config):
+1. <tt>single_access_token_field:</tt> Works the same as remember_token field.
+2. <tt>change_single_access_token_with_password:</tt> If the user changes their password do you want to change the single access token as well? This will require that they re-add the feed with the new token, as their old URL will not longer work. It's really up to you if you want to do this. The other alternative is to provide an option when they are changing their password to change their "feed token" as well. You can call user.reset_single_access_token to do this yourself.
+Please use this with care and make sure you warn your users that the URL you provide them is to remain private. Even if Billy 13 year old gets this URL and tries to log in, the only way he can login is through a GET or POST parameter with an rss or atom request. Billy can't create a cookie with this token and Billy wont have access to anything else on the site, unless you change the above configuration.
== Scoping
Scoping with authentication is a little tricky because it can come in many different flavors:
@@ -10,6 +10,6 @@ 'authlogic' do |p|
p.project = 'authlogic'
p.summary = "A clean, simple, and unobtrusive ruby authentication solution."
p.url = ""
- p.dependencies = %w(activesupport activerecord)
+ p.dependencies = %w(activesupport)
p.include_rakefile = true
@@ -15,6 +15,8 @@
require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in"
require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence"
require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance"
+ require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access"
+ require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config" # call this last so the configuration options are passed down the chain
require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/authenticates_many"
@@ -24,21 +26,17 @@
require File.dirname(__FILE__) + "/authlogic/session/config"
require File.dirname(__FILE__) + "/authlogic/session/cookies"
require File.dirname(__FILE__) + "/authlogic/session/errors"
-#require File.dirname(__FILE__) + "/authlogic/session/openid"
require File.dirname(__FILE__) + "/authlogic/session/params"
require File.dirname(__FILE__) + "/authlogic/session/session"
require File.dirname(__FILE__) + "/authlogic/session/scopes"
require File.dirname(__FILE__) + "/authlogic/session/base"
-require File.dirname(__FILE__) + "/authlogic/testing/shoulda_macros"
module Authlogic
module Session
class Base
include ActiveRecordTrickery
include Callbacks
include Cookies
- #include OpenID
include Params
include Session
include Scopes
@@ -30,6 +30,10 @@ def request
+ def request_content_type
+ request.content_type
+ end
def session
@@ -12,6 +12,10 @@ def cookies
+ def request_content_type
+ request.format.to_s
+ end
# = Rails Implementation
# Lets Authlogic know about the controller object, AKA "activates" authlogic.
module RailsImplementation
@@ -2,84 +2,10 @@ module Authlogic
module ORMAdapters # :nodoc:
module ActiveRecordAdapter # :nodoc:
# = Acts As Authentic
- # Provides the acts_as_authentic method to include in your models to help with authentication. See method below.
+ # Provides the acts_as_authentic method to include in your models to help with authentication. See sub modules for more information.
module ActsAsAuthentic
- # Call this method in your model to add in basic authentication madness that your authlogic session expects.
- #
- # === Methods
- # For example purposes lets assume you have a User model.
- #
- # Class method name Description
- # User.crypto_provider The class that you set in your :crypto_provider option
- # User.forget_all! Finds all records, loops through them, and calls forget! on each record. This is paginated to save on memory.
- # User.unique_token returns unique token generated by your :crypto_provider
- #
- # Named Scopes
- # User.logged_in Find all users who are logged in, based on your :logged_in_timeout option.
- # User.logged_out Same as above, but logged out.
- #
- # Isntace method name
- # user.password= Method name based on the :password_field option. This is used to set the password. Pass the *raw* password to this.
- # user.confirm_password= Confirms the password, needed to change the password.
- # user.valid_password?(pass) Determines if the password passed is valid. The password could be encrypted or raw.
- # user.reset_password Resets the password to a random password using only letters and numbers.
- # user.reset_password! The same as reset_password but saves the record.
- # user.logged_in? Based on the :logged_in_timeout option. Tells you if the user is logged in or not.
- # user.forget! Changes their remember token, making their cookie and session invalid. A way to log the user out withouth changing their password.
- #
- # === Options
- #
- # * <tt>session_class:</tt> default: "#{name}Session",
- # This is the related session class. A lot of the configuration will be based off of the configuration values of this class.
- #
- # * <tt>crypto_provider:</tt> default: Authlogic::CryptoProviders::Sha512,
- # This is the class that provides your encryption. By default Authlogic provides its own crypto provider that uses Sha512 encrypton.
- #
- # * <tt>login_field:</tt> default: options[:session_class].login_field,
- # The name of the field used for logging in, this is guess based on what columns are in your db. Only specify if you aren't using:
- # login, username, or email
- #
- # * <tt>login_field_type:</tt> default: options[:login_field] == :email ? :email : :login,
- # Tells authlogic how to validation the field, what regex to use, etc. If the field name is email it will automatically use email,
- # otherwise it uses login.
- #
- # * <tt>login_field_regex:</tt> default: if email then typical email regex, otherwise typical login regex.
- # This is used in validates_format_of for the login_field.
- #
- # * <tt>login_field_regex_message:</tt> the message to use when the validates_format_of for the login field fails.
- #
- # * <tt>password_field:</tt> default: options[:session_class].password_field,
- # This is the name of the field to set the password, *NOT* the field the encrypted password is stored.
- #
- # * <tt>crypted_password_field:</tt> default: depends on which columns are present,
- # The name of the database field where your encrypted password is stored. If the name of the field is different from any of the following
- # you need to specify it with this option: crypted_password, encrypted_password, password_hash, pw_hash
- #
- # * <tt>password_salt_field:</tt> default: depends on which columns are present,
- # This is the name of the field in your database that stores your password salt. If the name of the field is different from any of the
- # following then you need to specify it with this option: password_salt, pw_salt, salt
- #
- # * <tt>remember_token_field:</tt> default: options[:session_class].remember_token_field,
- # This is the name of the field your remember_token is stored. The remember token is a unique token that is stored in the users cookie and
- # session. This way you have complete control of when session expire and you don't have to change passwords to expire sessions. This also
- # ensures that stale sessions can not be persisted. By stale, I mean sessions that are logged in using an outdated password. If the name
- # of the field is anything other than the following you need to specify it with this option: remember_token, remember_key, cookie_token,
- # cookie_key
- #
- # * <tt>scope:</tt> default: nil,
- # This scopes validations. If all of your users belong to an account you might want to scope everything to the account. Just pass :account_id
- #
- # * <tt>logged_in_timeout:</tt> default: 10.minutes,
- # This is really just a nifty feature to tell if a user is logged in or not. It's based on activity. So if the user in inactive longer than
- # the value you pass here they are assumed "logged out".
- #
- # * <tt>session_ids:</tt> default: [nil],
- # The sessions that we want to automatically reset when a user is created or updated so you don't have to worry about this. Set to [] to disable.
- # Should be an array of ids. See the Authlogic::Session documentation for information on ids. The order is important.
- # The first id should be your main session, the session they need to log into first. This is generally nil. When you don't specify an id
- # in your session you are really just inexplicitly saying you want to use the id of nil.
+ # All logic for this method is split up into sub modules. This a stub to create a method chain off of and provide documentation. See sub modules for more details.
def acts_as_authentic(options = {})
- # All logic for this method is split up into sub modules. This a stub to create a method chain off of and provide documentation.
Oops, something went wrong.

0 comments on commit ebdebfa

Please sign in to comment.