heartcombo--devise/lib/devise/models/database_authenticatable.rb

require 'devise/strategies/database_authenticatable'
require 'bcrypt'

module Devise
  module Models
    # Authenticatable Module, responsible for encrypting password and validating
    # authenticity of a user while signing in.
    #
    # == Options
    #
    # DatabaseAuthenticable adds the following options to devise_for:
    #
    #   * +stretches+: the cost given to bcrypt.
    #
    # == Examples
    #
    #    User.find(1).valid_password?('password123')         # returns true/false
    #
    module DatabaseAuthenticatable
      extend ActiveSupport::Concern

      included do
        attr_reader :password, :current_password
        attr_accessor :password_confirmation
        before_validation :downcase_keys
        before_validation :strip_whitespace
      end

      # Generates password encryption based on the given value.
      def password=(new_password)
        @password = new_password
        self.encrypted_password = password_digest(@password) if @password.present?
      end

      # Verifies whether an password (ie from sign in) is the user password.
      def valid_password?(password)
        return false if encrypted_password.blank?
        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
        Devise.secure_compare(password, self.encrypted_password)
      end

      # Set password and password confirmation to nil
      def clean_up_passwords
        self.password = self.password_confirmation = ""
      end

      # Update record attributes when :current_password matches, otherwise returns
      # error on :current_password. It also automatically rejects :password and
      # :password_confirmation if they are blank.
      def update_with_password(params={})
        current_password = params.delete(:current_password)

        if params[:password].blank?
          params.delete(:password)
          params.delete(:password_confirmation) if params[:password_confirmation].blank?
        end

        result = if valid_password?(current_password)
          update_attributes(params)
        else
          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
          self.attributes = params
          false
        end

        clean_up_passwords
        result
      end

      # Update record attributes without asking for the current password. Never allow to
      # change the current password
      def update_without_password(params={})
        params.delete(:password)
        params.delete(:password_confirmation)

        result = update_attributes(params)
        clean_up_passwords
        result
      end
      
      def after_database_authentication
      end

      # A reliable way to expose the salt regardless of the implementation.
      def authenticatable_salt
        self.encrypted_password[0,29] if self.encrypted_password
      end

    protected

      # Downcase case-insensitive keys
      def downcase_keys
        (self.class.case_insensitive_keys || []).each { |k| self[k].try(:downcase!) }
      end
      
      def strip_whitespace
        (self.class.strip_whitespace_keys || []).each { |k| self[k].try(:strip!) }
      end

      # Digests the password using bcrypt.
      def password_digest(password)
        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
      end

      module ClassMethods
        Devise::Models.config(self, :pepper, :stretches)

        # We assume this method already gets the sanitized values from the
        # DatabaseAuthenticatable strategy. If you are using this method on
        # your own, be sure to sanitize the conditions hash to only include
        # the proper fields.
        def find_for_database_authentication(conditions)
          find_for_authentication(conditions)
        end
      end
    end
  end
end
Initial work on making the authentication stack more flexible. 2010-03-29 16:13:19 +02:00			`require 'devise/strategies/database_authenticatable'`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`require 'bcrypt'`
Kick tests back to life. 2009-10-12 08:37:28 -03:00
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`module Devise`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00			`module Models`
typos (remaining instances of authenticable -> authenticatable) 2011-01-12 02:53:17 +08:00			`# Authenticatable Module, responsible for encrypting password and validating`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`# authenticity of a user while signing in.`
			`#`
Add OAuth2 documentation. 2010-07-15 13:01:31 +02:00			`# == Options`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			`#`
Add OAuth2 documentation. 2010-07-15 13:01:31 +02:00			`# DatabaseAuthenticable adds the following options to devise_for:`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			`#`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`# * +stretches+: the cost given to bcrypt.`
Add authentication_keys. 2009-11-15 03:31:13 -02:00			`#`
Add OAuth2 documentation. 2010-07-15 13:01:31 +02:00			`# == Examples`
Adding some documentation. 2009-10-09 09:27:44 -03:00			`#`
			`# User.find(1).valid_password?('password123') # returns true/false`
Define Devise.model_config. 2009-10-20 11:55:57 -02:00			`#`
Initial work on making the authentication stack more flexible. 2010-03-29 16:13:19 +02:00			`module DatabaseAuthenticatable`
:activatable is included by default in your models. If you are building a strategy for devise, you now need to call validate(resource), since Devise has now a default API to validate resources before and after signing them in. You can still use other Warden::Strategies with Devise, but they won't work with a few modules like unlockable (they never did, but now we have a single point to make it work). 2010-04-06 16:34:22 +02:00			`extend ActiveSupport::Concern`
Adding confirmable module, generating confirmation code and confirming a user account. 2009-09-17 11:06:46 -03:00
Use ActiveSupport::Concern. 2010-02-17 12:35:38 +01:00			`included do`
			`attr_reader :password, :current_password`
			`attr_accessor :password_confirmation`
Downcase keys before validation. 2011-04-16 12:52:59 +02:00			`before_validation :downcase_keys`
Add strip_whitespace_keys which works like case_insensitive_keys but strips whitespace from emails 2011-06-10 01:37:43 -07:00			`before_validation :strip_whitespace`
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`end`

Don't need to extend ActiveSupport::Concern anymore in oauth helpers 2010-09-26 11:47:56 -03:00			`# Generates password encryption based on the given value.`
Change how salt and encrypt works. 2009-10-15 15:52:25 -03:00			`def password=(new_password)`
			`@password = new_password`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`self.encrypted_password = password_digest(@password) if @password.present?`
Change how salt and encrypt works. 2009-10-15 15:52:25 -03:00			`end`

Use secure compare as well. 2011-02-15 11:33:54 +01:00			`# Verifies whether an password (ie from sign in) is the user password.`
Ensure bcrypt also uses pepper for backward compatibility. 2010-09-28 17:45:06 +02:00			`def valid_password?(password)`
Simply check instead or rescueing. 2011-04-16 12:43:43 +02:00			`return false if encrypted_password.blank?`
			`bcrypt = ::BCrypt::Password.new(self.encrypted_password)`
			`password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)`
			`Devise.secure_compare(password, self.encrypted_password)`
Initial support for authorization using "authentication token" (a.k.a. "single access token") - new module. Corresponding changes to Devise core to hook events like "after_changed_password" (only one added now - only one that makes much sense for latest module) easily. Unit and integration tests included. NOTE: One failing test for hooking Warden::Manager.after_authentication - gets ignored for some reason. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-24 03:38:52 +01:00			`end`

More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`# Set password and password confirmation to nil`
			`def clean_up_passwords`
sessions/new also responds to xml and json now 2011-04-18 09:56:24 +02:00			`self.password = self.password_confirmation = ""`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`end`

			`# Update record attributes when :current_password matches, otherwise returns`
			`# error on :current_password. It also automatically rejects :password and`
			`# :password_confirmation if they are blank.`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`def update_with_password(params={})`
Got tests running on Rails 3: 369 tests, 486 assertions, 45 failures, 124 errors. 2010-02-16 14:31:49 +01:00			`current_password = params.delete(:current_password)`
More work on edit. 2010-02-08 20:38:47 +01:00
Ensure password confirmation is always required, closes #228 2010-04-25 09:38:56 +02:00			`if params[:password].blank?`
			`params.delete(:password)`
			`params.delete(:password_confirmation) if params[:password_confirmation].blank?`
			`end`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00
Avoid mass assignment error messages with current password. 2010-02-15 14:15:24 +01:00			`result = if valid_password?(current_password)`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`update_attributes(params)`
			`else`
Got all tests in test/models and failure app ones passing. 369 tests, 805 assertions, 13 failures, 2 errors. 2010-02-16 17:00:36 +01:00			`self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)`
Ensure customs pass through sessions_controller. 2010-04-01 14:00:21 +02:00			`self.attributes = params`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`false`
			`end`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00
Ensure customs pass through sessions_controller. 2010-04-01 14:00:21 +02:00			`clean_up_passwords`
More changes in update_with_password. 2010-02-08 23:14:03 +01:00			`result`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-14 22:55:55 -02:00			`end`

added update_without_password method 2011-05-05 09:24:21 +02:00			`# Update record attributes without asking for the current password. Never allow to`
			`# change the current password`
			`def update_without_password(params={})`
			`params.delete(:password)`
			`params.delete(:password_confirmation)`

			`result = update_attributes(params)`
			`clean_up_passwords`
			`result`
			`end`

Small changes to token_authenticatable. 2010-04-06 13:26:56 +02:00			`def after_database_authentication`
			`end`

Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`# A reliable way to expose the salt regardless of the implementation.`
			`def authenticatable_salt`
Ensure authenticatable_salt can be nil. 2010-11-11 22:51:19 +01:00			`self.encrypted_password[0,29] if self.encrypted_password`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`end`

Allow several authentications to share a common path. 2010-03-29 23:44:47 +02:00			`protected`
Added Devise.all to freeze your app strategies and moved friendly_token to Devise module. 2009-11-18 09:26:47 -02:00
changed case_insensitive_keys config setting to an array and added downcasing of keys as a before filter on database authentication module 2010-11-18 23:29:53 +01:00			`# Downcase case-insensitive keys`
			`def downcase_keys`
Faster uniqueness queries, closes #917 2011-03-15 12:52:53 +01:00			`(self.class.case_insensitive_keys \|\| []).each { \|k\| self[k].try(:downcase!) }`
changed case_insensitive_keys config setting to an array and added downcasing of keys as a before filter on database authentication module 2010-11-18 23:29:53 +01:00			`end`
Add strip_whitespace_keys which works like case_insensitive_keys but strips whitespace from emails 2011-06-10 01:37:43 -07:00
			`def strip_whitespace`
			`(self.class.strip_whitespace_keys \|\| []).each { \|k\| self[k].try(:strip!) }`
			`end`
changed case_insensitive_keys config setting to an array and added downcasing of keys as a before filter on database authentication module 2010-11-18 23:29:53 +01:00
Extract encryptors into their own module for better bcrypt support. 2010-09-25 16:08:46 +02:00			`# Digests the password using bcrypt.`
Allow several authentications to share a common path. 2010-03-29 23:44:47 +02:00			`def password_digest(password)`
Ensure bcrypt also uses pepper for backward compatibility. 2010-09-28 17:45:06 +02:00			`::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s`
Allow several authentications to share a common path. 2010-03-29 23:44:47 +02:00			`end`
Moving modules inside respective Models module. 2009-10-09 08:30:25 -03:00
			`module ClassMethods`
Tidy up and update CHANGELOG. 2010-11-20 21:19:12 +01:00			`Devise::Models.config(self, :pepper, :stretches)`
Also pass stretches to salt generation. 2010-07-12 06:59:49 +02:00
Improve docs on finders after taking a look at the wiki. 2010-07-05 19:11:37 +02:00			`# We assume this method already gets the sanitized values from the`
			`# DatabaseAuthenticatable strategy. If you are using this method on`
			`# your own, be sure to sanitize the conditions hash to only include`
			`# the proper fields.`
Small changes to token_authenticatable. 2010-04-06 13:26:56 +02:00			`def find_for_database_authentication(conditions)`
			`find_for_authentication(conditions)`
Allow overwriting find for authentication method. 2009-11-19 13:53:57 -02:00			`end`
Ensure all encryptor returns a symbol. Get the class using encryptor_class. 2009-11-22 22:32:54 -02:00			`end`
Creating authenticate method for user. 2009-09-17 09:46:40 -03:00			`end`
Authenticable module: generating salt and encrypting password 2009-09-17 09:24:33 -03:00			`end`
			`end`