heartcombo--devise/lib/devise/models/database_authenticatable.rb

require 'devise/strategies/database_authenticatable'

module Devise
  module Models
    # Authenticable Module, responsible for encrypting password and validating
    # authenticity of a user while signing in.
    #
    # Configuration:
    #
    # You can overwrite configuration values by setting in globally in Devise,
    # using devise method or overwriting the respective instance method.
    #
    #   pepper: encryption key used for creating encrypted password. Each time
    #           password changes, it's gonna be encrypted again, and this key
    #           is added to the password and salt to create a secure hash.
    #           Always use `rake secret' to generate a new key.
    #
    #   stretches: defines how many times the password will be encrypted.
    #
    #   encryptor: the encryptor going to be used. By default :sha1.
    #
    #   authentication_keys: parameters used for authentication. By default [:email]
    #
    # Examples:
    #
    #    User.authenticate('email@test.com', 'password123')  # returns authenticated user or nil
    #    User.find(1).valid_password?('password123')         # returns true/false
    #
    module DatabaseAuthenticatable
      extend ActiveSupport::Concern

      included do
        attr_reader :password, :current_password
        attr_accessor :password_confirmation
      end

      # Regenerates password salt and encrypted password each time password is set,
      # and then trigger any "after_changed_password"-callbacks.
      def password=(new_password)
        @password = new_password

        if @password.present?
          self.password_salt = self.class.encryptor_class.salt
          self.encrypted_password = password_digest(@password)
        end
      end

      # Verifies whether an incoming_password (ie from sign in) is the user password.
      def valid_password?(incoming_password)
        password_digest(incoming_password) == self.encrypted_password
      end

      # Checks if a resource is valid upon authentication.
      def valid_for_authentication?(attributes)
        valid_password?(attributes[:password])
      end

      # Set password and password confirmation to nil
      def clean_up_passwords
        self.password = self.password_confirmation = nil
      end

      # Update record attributes when :current_password matches, otherwise returns
      # error on :current_password. It also automatically rejects :password and
      # :password_confirmation if they are blank.
      def update_with_password(params={})
        current_password = params.delete(:current_password)

        params.delete(:password)              if params[:password].blank?
        params.delete(:password_confirmation) if params[:password_confirmation].blank?

        result = if valid_password?(current_password)
          update_attributes(params)
        else
          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
          self.attributes = params
          false
        end

        clean_up_passwords unless result
        result
      end

      protected

        # Digests the password using the configured encryptor.
        def password_digest(password)
          self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)
        end

      module ClassMethods
        Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)

        # Authenticate a user based on configured attribute keys. Returns the
        # authenticated user if it's valid or nil.
        def authenticate(attributes={})
          return unless authentication_keys.all? { |k| attributes[k].present? }
          conditions = attributes.slice(*authentication_keys)
          resource = find_for_authentication(conditions)
          resource if resource.try(:valid_for_authentication?, attributes)
        end

        # Returns the class for the configured encryptor.
        def encryptor_class
          @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
        end

      protected

        # Find first record based on conditions given (ie by the sign in form).
        # Overwrite to add customized conditions, create a join, or maybe use a
        # namedscope to filter records while authenticating.
        # Example:
        #
        #   def self.find_for_authentication(conditions={})
        #     conditions[:active] = true
        #     find(:first, :conditions => conditions)
        #   end
        #
        def find_for_authentication(conditions)
          find(:first, :conditions => conditions)
        end
      end
    end
  end
end
Initial work on making the authentication stack more flexible. 2010-03-29 16:13:19 +02:00			`require 'devise/strategies/database_authenticatable'`
Kick tests back to life. 2009-10-12 08:37:28 -03:00
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`module Devise`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00			`module Models`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`# Authenticable Module, responsible for encrypting password and validating`
			`# authenticity of a user while signing in.`
			`#`
			`# Configuration:`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			`#`
			`# You can overwrite configuration values by setting in globally in Devise,`
			`# using devise method or overwriting the respective instance method.`
			`#`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`# pepper: encryption key used for creating encrypted password. Each time`
			`# password changes, it's gonna be encrypted again, and this key`
			`# is added to the password and salt to create a secure hash.`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			# Always use `rake secret' to generate a new key.
Change how salt and encrypt works. 2009-10-15 15:52:25 -03:00			`#`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`# stretches: defines how many times the password will be encrypted.`
			`#`
Add authentication_keys. 2009-11-15 03:31:13 -02:00			`# encryptor: the encryptor going to be used. By default :sha1.`
			`#`
			`# authentication_keys: parameters used for authentication. By default [:email]`
			`#`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`# Examples:`
			`#`
			`# User.authenticate('email@test.com', 'password123') # returns authenticated user or nil`
			`# User.find(1).valid_password?('password123') # returns true/false`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			`#`
Initial work on making the authentication stack more flexible. 2010-03-29 16:13:19 +02:00			`module DatabaseAuthenticatable`
Use ActiveSupport::Concern. 2010-02-17 12:35:38 +01:00			`extend ActiveSupport::Concern`
Adding confirmable module, generating confirmation code and confirming a user account. 2009-09-17 11:06:46 -03:00
Use ActiveSupport::Concern. 2010-02-17 12:35:38 +01:00			`included do`
			`attr_reader :password, :current_password`
			`attr_accessor :password_confirmation`
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`end`

Initial support for authorization using "authentication token" (a.k.a. "single access token") - new module. Corresponding changes to Devise core to hook events like "after_changed_password" (only one added now - only one that makes much sense for latest module) easily. Unit and integration tests included. NOTE: One failing test for hooking Warden::Manager.after_authentication - gets ignored for some reason. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-24 03:38:52 +01:00			`# Regenerates password salt and encrypted password each time password is set,`
			`# and then trigger any "after_changed_password"-callbacks.`
Change how salt and encrypt works. 2009-10-15 15:52:25 -03:00			`def password=(new_password)`
			`@password = new_password`
Refactor tests a little bit and gain more speed (from 12s to 9s in my machine). 2009-11-24 23:19:12 -02:00
			`if @password.present?`
Ensure bcrypt works and move salt generation to encryptors (needed for bcrypt). 2010-01-08 23:19:57 +01:00			`self.password_salt = self.class.encryptor_class.salt`
Refactor tests a little bit and gain more speed (from 12s to 9s in my machine). 2009-11-24 23:19:12 -02:00			`self.encrypted_password = password_digest(@password)`
			`end`
Change how salt and encrypt works. 2009-10-15 15:52:25 -03:00			`end`

Do not care blank passwords on update 2009-12-15 01:20:59 +01:00			`# Verifies whether an incoming_password (ie from sign in) is the user password.`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00			`def valid_password?(incoming_password)`
Initial support for authorization using "authentication token" (a.k.a. "single access token") - new module. Corresponding changes to Devise core to hook events like "after_changed_password" (only one added now - only one that makes much sense for latest module) easily. Unit and integration tests included. NOTE: One failing test for hooking Warden::Manager.after_authentication - gets ignored for some reason. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-24 03:38:52 +01:00			`password_digest(incoming_password) == self.encrypted_password`
			`end`

Extract CookieSerializer from Rememberable. 2009-12-20 21:49:12 +01:00			`# Checks if a resource is valid upon authentication.`
			`def valid_for_authentication?(attributes)`
			`valid_password?(attributes[:password])`
			`end`

More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`# Set password and password confirmation to nil`
			`def clean_up_passwords`
			`self.password = self.password_confirmation = nil`
			`end`

			`# Update record attributes when :current_password matches, otherwise returns`
			`# error on :current_password. It also automatically rejects :password and`
			`# :password_confirmation if they are blank.`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`def update_with_password(params={})`
Got tests running on Rails 3: 369 tests, 486 assertions, 45 failures, 124 errors. 2010-02-16 14:31:49 +01:00			`current_password = params.delete(:current_password)`
More work on edit. 2010-02-08 20:38:47 +01:00
Got tests running on Rails 3: 369 tests, 486 assertions, 45 failures, 124 errors. 2010-02-16 14:31:49 +01:00			`params.delete(:password) if params[:password].blank?`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`params.delete(:password_confirmation) if params[:password_confirmation].blank?`

Avoid mass assignment error messages with current password. 2010-02-15 14:15:24 +01:00			`result = if valid_password?(current_password)`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`update_attributes(params)`
			`else`
Got all tests in test/models and failure app ones passing. 369 tests, 805 assertions, 13 failures, 2 errors. 2010-02-16 17:00:36 +01:00			`self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`self.attributes = params`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`false`
			`end`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00
			`clean_up_passwords unless result`
			`result`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`end`

Adding pepper and stretches configuration per model, and globaly setup through Devise.pepper and Devise.stretches 2009-10-20 11:08:40 -02:00			`protected`
Added Devise.all to freeze your app strategies and moved friendly_token to Devise module. 2009-11-18 09:26:47 -02:00
Ensure all encryptor returns a symbol. Get the class using encryptor_class. 2009-11-22 22:32:54 -02:00			`# Digests the password using the configured encryptor.`
finished implementation of encryptors and created encryptors for clearance, authlogic and restful-authentication 2009-11-10 13:27:43 -02:00			`def password_digest(password)`
Use self. just to stay in the same pattern. 2010-01-21 17:03:13 +01:00			`self.class.encryptor_class.digest(password, self.class.stretches, self.password_salt, self.class.pepper)`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00			`end`

			`module ClassMethods`
Initial support for authorization using "authentication token" (a.k.a. "single access token") - new module. Corresponding changes to Devise core to hook events like "after_changed_password" (only one added now - only one that makes much sense for latest module) easily. Unit and integration tests included. NOTE: One failing test for hooking Warden::Manager.after_authentication - gets ignored for some reason. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-24 03:38:52 +01:00			`Devise::Models.config(self, :pepper, :stretches, :encryptor, :authentication_keys)`

Allow overwriting find for authentication method. 2009-11-19 13:53:57 -02:00			`# Authenticate a user based on configured attribute keys. Returns the`
Add Http Basic Authentication support. 2010-02-06 01:33:32 +01:00			`# authenticated user if it's valid or nil.`
Updating sessions controller to use resource oriented style. Changing authenticate method to accept a hash of attributes. 2009-10-10 16:20:23 -03:00			`def authenticate(attributes={})`
Add authentication_keys. 2009-11-15 03:31:13 -02:00			`return unless authentication_keys.all? { \|k\| attributes[k].present? }`
			`conditions = attributes.slice(*authentication_keys)`
Extract valid_for_authentication to allow overwriting. 2009-11-24 12:53:03 -02:00			`resource = find_for_authentication(conditions)`
Clean up whitespace and remove deprecated stuff. 2010-01-13 18:23:04 +01:00			`resource if resource.try(:valid_for_authentication?, attributes)`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00			`end`
Separating perishable token into confirmation and reset_password tokens. Adding confirmation_sent_at attribute. 2009-10-18 09:14:52 -02:00
Extract valid_for_authentication to allow overwriting. 2009-11-24 12:53:03 -02:00			`# Returns the class for the configured encryptor.`
			`def encryptor_class`
			`@encryptor_class \|\|= ::Devise::Encryptors.const_get(encryptor.to_s.classify)`
			`end`

			`protected`

Allow overwriting find for authentication method. 2009-11-19 13:53:57 -02:00			`# Find first record based on conditions given (ie by the sign in form).`
			`# Overwrite to add customized conditions, create a join, or maybe use a`
			`# namedscope to filter records while authenticating.`
Updating changelog and adding example doc. 2009-11-19 14:00:15 -02:00			`# Example:`
			`#`
			`# def self.find_for_authentication(conditions={})`
			`# conditions[:active] = true`
			`# find(:first, :conditions => conditions)`
			`# end`
			`#`
Allow overwriting find for authentication method. 2009-11-19 13:53:57 -02:00			`def find_for_authentication(conditions)`
			`find(:first, :conditions => conditions)`
			`end`
Ensure all encryptor returns a symbol. Get the class using encryptor_class. 2009-11-22 22:32:54 -02:00			`end`
Creating authenticate method for user. 2009-09-17 09:46:40 -03:00			`end`
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`end`
			`end`