Merge branch 'master' of git://github.com/bryan-ash/restful-authentication
2 parents 5799593 + aee09f8 commit 343053568449db5a9e70014561240bb9ada5525f @technoweenie committed Feb 25, 2009
@@ -8,8 +8,8 @@ authentication:
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.
-Several features were updated in May, 2008.
-* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master
+Several features were updated in May, 2008.
+* "Stable newer version":http://github.com/technoweenie/restful-authentication/tree/master
* "'Classic' (backward-compatible) version":http://github.com/technoweenie/restful-authentication/tree/classic
* "Experimental version":http://github.com/technoweenie/restful-authentication/tree/modular (Much more modular, needs testing & review)
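Review bot: the two replaced lines ("Several features were updated in May, 2008." and the "Stable newer version" link) are identical to the removed lines in visible text, so this hunk is whitespace or line-ending churn only, and the same pattern recurs in the README hunks below. Consider isolating the whitespace normalization in its own commit so that the real content change in this merge (RSpec stories replaced by Cucumber features) can be reviewed on its own.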
@@ -54,22 +54,22 @@ These best version of the release notes are in the notes/ directory in the
"source code":http://github.com/technoweenie/restful-authentication/tree/master
-- look there for the latest version. The wiki versions are taken (manually)
from there.
-
+
***************************************************************************
<a id="AWESOME"/> </a>
h2. Exciting new features
h3. Stories
-There are now RSpec stories that allow expressive, enjoyable tests for the
+There are now "Cucumber":http://wiki.github.com/aslakhellesoy/cucumber/home features that allow expressive, enjoyable tests for the
authentication code. The flexible code for resource testing in stories was
extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/
h3. Modularize to match security design patterns:
* Authentication (currently: password, browser cookie token, HTTP basic)
-* Trust metric (email validation)
+* Trust metric (email validation)
* Authorization (stateful roles)
* Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins
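Review bot: the rename from RSpec stories to Cucumber features is incomplete within this hunk: the heading "h3. Stories" two lines above and the sentence "The flexible code for resource testing in stories was extended from ..." still use the old terminology. Suggest "h3. Features" and "resource testing in features" while the paragraph is being edited. The context line "These best version of the release notes" also has a typo ("These" should be "The").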
@@ -111,8 +111,8 @@ h2. Installation
This is a basic restful authentication generator for rails, taken from
acts as authenticated. Currently it requires Rails 1.2.6 or above.
-**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name:
-* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code>
+**IMPORTANT FOR RAILS > 2.1 USERS** To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an _underscore_ and not _dash_ in its name:
+* either use <code>git clone git://github.com/technoweenie/restful-authentication.git restful_authentication</code>
* or rename the plugin's directory to be <code>restful_authentication</code> after fetching it.
To use the generator:
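Review bot: visible content is unchanged here (the "IMPORTANT FOR RAILS > 2.1 USERS" note and its `git clone` bullet read the same on both sides), so this is another whitespace-only hunk. The context line directly above it still says "Currently it requires Rails 1.2.6 or above", immediately followed by a note aimed at Rails > 2.1 users; since the section is being touched anyway, reconciling the two statements would remove a confusing contradiction for people installing the plugin.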
@@ -140,19 +140,19 @@ To use the generator:
activation code. (@--stateful@ implies @--include-activation@). Based on the
idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing
@--skip-migration@ will skip the user migration, and @--skip-routes@ will skip
- resource generation -- both useful if you've already run this generator.
+ resource generation -- both useful if you've already run this generator.
(Needs the "acts_as_state_machine plugin":http://elitists.textdriven.com/svn/plugins/acts_as_state_machine/,
but new installs should probably run with @--aasm@ instead.)
* --aasm: Works the same as stateful but uses the "updated aasm gem":http://github.com/rubyist/aasm/tree/master
-
+
* --rspec: Generate RSpec tests and Stories in place of standard rails tests.
This requires the
"RSpec and Rspec-on-rails plugins":http://rspec.info/
(make sure you "./script/generate rspec" after installing RSpec.) The rspec
and story suite are much more thorough than the rails tests, and changes are
unlikely to be backported.
-
+
* --old-passwords: Use the older password scheme (see [[#COMPATIBILITY]], above)
* --skip-migration: Don't generate a migration file for this model
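Review bot: the `--rspec` option description still reads "Generate RSpec tests and Stories in place of standard rails tests" and "The rspec and story suite are much more thorough", while this merge moves the generator from RSpec stories to Cucumber features (see the manifest hunks below); only blank lines change in this hunk. The option text should say Cucumber features so users know what the generator emits and that Cucumber is needed alongside RSpec; otherwise the `--rspec` flag will appear to promise files that are no longer generated.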
@@ -169,30 +169,30 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@
* Add these familiar login URLs to your @config/routes.rb@ if you like:
- <pre><code>
- map.signup '/signup', :controller => 'users', :action => 'new'
+ <pre><code>
+ map.signup '/signup', :controller => 'users', :action => 'new'
map.login '/login', :controller => 'session', :action => 'new'
- map.logout '/logout', :controller => 'session', :action => 'destroy'
+ map.logout '/logout', :controller => 'session', :action => 'destroy'
</code></pre>
* With @--include-activation@, also add to your @config/routes.rb@:
- <pre><code>
- map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil
- </code></pre>
+ <pre><code>
+ map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil
+ </code></pre>
and add an observer to @config/environment.rb@:
-
- <pre><code>
+
+ <pre><code>
config.active_record.observers = :user_observer
- </code></pre>
+ </code></pre>
Pay attention, may be this is not an issue for everybody, but if you should
have problems, that the sent activation_code does match with that in the
database stored, reload your user object before sending its data through email
something like:
- <pre><code>
+ <pre><code>
class UserObserver < ActiveRecord::Observer
def after_create(user)
user.reload
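Review bot: whitespace-only again (the routes and observer snippets are unchanged in content), but the explanation for `user.reload` in `UserObserver#after_create` ("may be this is not an issue for everybody, but if you should have problems, that the sent activation_code does match with that in the database stored") is too vague to act on. It should state plainly that the activation code e-mailed to the user must be the one persisted for that record, and that reloading the object before the mail is built guarantees this. A mismatched code silently prevents the account from ever being activated, so a clear sentence is warranted here rather than a "pay attention" aside.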
@@ -207,16 +207,16 @@ alter to suit. There are additional security minutae in @notes/README-Tradeoffs@
* With @--stateful@, add an observer to config/environment.rb:
-
- <pre><code>
+
+ <pre><code>
config.active_record.observers = :user_observer
</code></pre>
-
+
and modify the users resource line to read
-
+
map.resources :users, :member => { :suspend => :put,
:unsuspend => :put,
- :purge => :delete }
+ :purge => :delete }
* If you use a public repository for your code (such as github, rubyforge,
gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like
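Review bot: the routes snippet adds `:suspend`, `:unsuspend` and `:purge` member actions on the users resource (`:purge => :delete` is the only line that changes, and only in whitespace) but says nothing about restricting them. The README's feature list promises "Account approval / disabling by admin", so one sentence pointing at the authorization hook that must guard these actions would keep the install guide from yielding an unprotected admin interface. The warning in the trailing context about not publishing `site_keys.rb` is the most important security instruction in this section and would be easier to notice as its own bullet rather than a parenthetical.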
@@ -103,8 +103,8 @@ def manifest
m.directory File.join('spec/models', class_path)
m.directory File.join('spec/helpers', model_controller_class_path)
m.directory File.join('spec/fixtures', class_path)
- m.directory File.join('stories', model_controller_file_path)
- m.directory File.join('stories', 'steps')
+ m.directory 'features'
+ m.directory File.join('features', 'step_definitions')
else
m.directory File.join('test/functional', controller_class_path)
m.directory File.join('test/functional', model_controller_class_path)
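Review bot: the removed code created `File.join('stories', model_controller_file_path)`, namespacing the generated stories under the controller's path, whereas the new code hard-codes `m.directory 'features'`. Together with the fixed targets `features/accounts.feature` and `features/sessions.feature` in the next hunk, this means running the generator for a second model or controller name will overwrite the first set of features. If the flat layout is intentional, say so in the README; otherwise keep the namespace with `File.join('features', model_controller_file_path)`.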
@@ -174,23 +174,23 @@ def manifest
class_path,
"#{table_name}.yml")
- # RSpec Stories
- m.template 'stories/steps/ra_navigation_steps.rb',
- File.join('stories/steps/ra_navigation_steps.rb')
- m.template 'stories/steps/ra_response_steps.rb',
- File.join('stories/steps/ra_response_steps.rb')
- m.template 'stories/steps/ra_resource_steps.rb',
- File.join('stories/steps/ra_resource_steps.rb')
- m.template 'stories/steps/user_steps.rb',
- File.join('stories/steps/', "#{file_name}_steps.rb")
- m.template 'stories/users/accounts.story',
- File.join('stories', model_controller_file_path, 'accounts.story')
- m.template 'stories/users/sessions.story',
- File.join('stories', model_controller_file_path, 'sessions.story')
- m.template 'stories/rest_auth_stories_helper.rb',
- File.join('stories', 'rest_auth_stories_helper.rb')
- m.template 'stories/rest_auth_stories.rb',
- File.join('stories', 'rest_auth_stories.rb')
+ # Cucumber features
+ m.template 'features/step_definitions/ra_navigation_steps.rb',
+ File.join('features/step_definitions/ra_navigation_steps.rb')
+ m.template 'features/step_definitions/ra_response_steps.rb',
+ File.join('features/step_definitions/ra_response_steps.rb')
+ m.template 'features/step_definitions/ra_resource_steps.rb',
+ File.join('features/step_definitions/ra_resource_steps.rb')
+ m.template 'features/step_definitions/user_steps.rb',
+ File.join('features/step_definitions/', "#{file_name}_steps.rb")
+ m.template 'features/accounts.feature',
+ File.join('features', 'accounts.feature')
+ m.template 'features/sessions.feature',
+ File.join('features', 'sessions.feature')
+ m.template 'features/step_definitions/rest_auth_features_helper.rb',
+ File.join('features', 'step_definitions', 'rest_auth_features_helper.rb')
+ m.template 'features/step_definitions/ra_env.rb',
+ File.join('features', 'step_definitions', 'ra_env.rb')
else
m.template 'test/functional_test.rb',
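Review bot: `rest_auth_features_helper.rb` and `ra_env.rb` are installed under `features/step_definitions/`, but neither contains step definitions; Cucumber's convention for environment setup is `features/support/env.rb`, and keeping helpers there avoids surprising users who look in `step_definitions` for steps only. Minor: the trailing slash in `'features/step_definitions/'` for the `#{file_name}_steps.rb` target is harmless but inconsistent with the other `File.join` calls in this hunk.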
@@ -0,0 +1,109 @@
+Visitors should be in control of creating an account and of proving their
+essential humanity/accountability or whatever it is people think the
+id-validation does. We should be fairly skeptical about this process, as the
+identity+trust chain starts here.
+
+Story: Creating an account
+ As an anonymous user
+ I want to be able to create an account
+ So that I can be one of the cool kids
+
+ #
+ # Account Creation: Get entry form
+ #
+ Scenario: Anonymous user can start creating an account
+ Given an anonymous user
+ When she goes to /signup
+ Then she should be at the 'users/new' page
+ And the page should look AWESOME
+ And she should see a <form> containing a textfield: Login, textfield: Email, password: Password, password: 'Confirm Password', submit: 'Sign up'
+
+ #
+ # Account Creation
+ #
+ Scenario: Anonymous user can create an account
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account as the preloaded 'Oona'
+ Then she should be redirected to the home page
+ When she follows that redirect!
+ Then she should see a notice message 'Thanks for signing up!'
+ And a user with login: 'oona' should exist
+ And the user should have login: 'oona', and email: 'unactivated@example.com'
+
+ And oona should be logged in
+
+
+ #
+ # Account Creation Failure: Account exists
+ #
+
+
+ Scenario: Anonymous user can not create an account replacing an activated account
+ Given an anonymous user
+ And an activated user named 'Reggie'
+ And we try hard to remember the user's updated_at, and created_at
+ When she registers an account with login: 'reggie', password: 'monkey', and email: 'reggie@example.com'
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Login has already been taken'
+ And she should not see an errorExplanation message 'Email has already been taken'
+ And a user with login: 'reggie' should exist
+ And the user should have email: 'registered@example.com'
+
+ And the user's created_at should stay the same under to_s
+ And the user's updated_at should stay the same under to_s
+ And she should not be logged in
+
+ #
+ # Account Creation Failure: Incomplete input
+ #
+ Scenario: Anonymous user can not create an account with incomplete or incorrect input
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account with login: '', password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Login can't be blank'
+ And no user with login: 'oona' should exist
+
+ Scenario: Anonymous user can not create an account with no password
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account with login: 'oona', password: '', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Password can't be blank'
+ And no user with login: 'oona' should exist
+
+ Scenario: Anonymous user can not create an account with no password_confirmation
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account with login: 'oona', password: 'monkey', password_confirmation: '' and email: 'unactivated@example.com'
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Password confirmation can't be blank'
+ And no user with login: 'oona' should exist
+
+ Scenario: Anonymous user can not create an account with mismatched password & password_confirmation
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkeY' and email: 'unactivated@example.com'
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Password doesn't match confirmation'
+ And no user with login: 'oona' should exist
+
+ Scenario: Anonymous user can not create an account with bad email
+ Given an anonymous user
+ And no user with login: 'Oona' exists
+ When she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: ''
+ Then she should be at the 'users/new' page
+ And she should see an errorExplanation message 'Email can't be blank'
+ And no user with login: 'oona' should exist
+ When she registers an account with login: 'oona', password: 'monkey', password_confirmation: 'monkey' and email: 'unactivated@example.com'
+ Then she should be redirected to the home page
+ When she follows that redirect!
+ Then she should see a notice message 'Thanks for signing up!'
+ And a user with login: 'oona' should exist
+ And the user should have login: 'oona', and email: 'unactivated@example.com'
+
+ And oona should be logged in
+
+
+
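Review bot: every successful-registration scenario ends with "And oona should be logged in", i.e. the account is authenticated immediately after sign-up, yet the generator also supports `--include-activation` and `--stateful`, where a new account must first be activated by e-mail; no scenario asserts that an unactivated account (the fixture even uses 'unactivated@example.com') is kept out until activation, so the gate the preamble calls the start of the "identity+trust chain" is untested. Also: the file keeps the `Story:` keyword from the RSpec stories where Cucumber's vocabulary is `Feature:`; the step "the page should look AWESOME" asserts nothing and should be dropped or given a concrete check; and the preconditions use login 'Oona' while the assertions use 'oona', so state explicitly whether logins are compared case-insensitively, since the "replacing an activated account" scenario depends on that comparison.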