heartcombo--devise/lib/devise/models/database_authenticatable.rb

require 'devise/strategies/database_authenticatable'
require 'bcrypt'

module Devise
  module Models
    # Authenticatable Module, responsible for encrypting password and validating
    # authenticity of a user while signing in.
    #
    # == Options
    #
    # DatabaseAuthenticable adds the following options to devise_for:
    #
    #   * +pepper+: a random string used to provide a more secure hash. Use
    #     `rake secret` to generate new keys.
    #
    #   * +stretches+: the cost given to bcrypt.
    #
    # == Examples
    #
    #    User.find(1).valid_password?('password123')         # returns true/false
    #
    module DatabaseAuthenticatable
      extend ActiveSupport::Concern

      included do
        attr_reader :password, :current_password
        attr_accessor :password_confirmation
      end

      module ModuleMethods
        extend self

        def required_fields
          [:encrypted_password] + Devise.authentication_keys
        end
      end

      # Generates password encryption based on the given value.
      def password=(new_password)
        @password = new_password
        self.encrypted_password = password_digest(@password) if @password.present?
      end

      # Verifies whether an password (ie from sign in) is the user password.
      def valid_password?(password)
        return false if encrypted_password.blank?
        bcrypt   = ::BCrypt::Password.new(self.encrypted_password)
        password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)
        Devise.secure_compare(password, self.encrypted_password)
      end

      # Set password and password confirmation to nil
      def clean_up_passwords
        self.password = self.password_confirmation = nil
      end

      # Update record attributes when :current_password matches, otherwise returns
      # error on :current_password. It also automatically rejects :password and
      # :password_confirmation if they are blank.
      def update_with_password(params, *options)
        current_password = params.delete(:current_password)

        if params[:password].blank?
          params.delete(:password)
          params.delete(:password_confirmation) if params[:password_confirmation].blank?
        end

        result = if valid_password?(current_password)
          update_attributes(params, *options)
        else
          self.attributes = params
          self.valid?
          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
          false
        end

        clean_up_passwords
        result
      end

      # Updates record attributes without asking for the current password.
      # Never allows to change the current password. If you are using this
      # method, you should probably override this method to protect other
      # attributes you would not like to be updated without a password.
      #
      # Example:
      #
      #   def update_without_password(params={})
      #     params.delete(:email)
      #     super(params)
      #   end
      #
      def update_without_password(params, *options)
        params.delete(:password)
        params.delete(:password_confirmation)

        result = update_attributes(params, *options)
        clean_up_passwords
        result
      end

      def after_database_authentication
      end

      # A reliable way to expose the salt regardless of the implementation.
      def authenticatable_salt
        self.encrypted_password[0,29] if self.encrypted_password
      end

    protected

      # Digests the password using bcrypt.
      def password_digest(password)
        ::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s
      end

      module ClassMethods
        Devise::Models.config(self, :pepper, :stretches)

        # We assume this method already gets the sanitized values from the
        # DatabaseAuthenticatable strategy. If you are using this method on
        # your own, be sure to sanitize the conditions hash to only include
        # the proper fields.
        def find_for_database_authentication(conditions)
          find_for_authentication(conditions)
        end
      end
    end
  end
end
Initial work on making the authentication stack more flexible. 2010-03-29 14:13:19 +00:00			`require 'devise/strategies/database_authenticatable'`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`require 'bcrypt'`
Kick tests back to life. 2009-10-12 11:37:28 +00:00
Authenticable module: generating salt and encrypting password 2009-09-17 12:24:33 +00:00			`module Devise`
Moving modules inside respective Models module. 2009-10-09 11:30:25 +00:00			`module Models`
typos (remaining instances of authenticable -> authenticatable) 2011-01-11 18:53:17 +00:00			`# Authenticatable Module, responsible for encrypting password and validating`
Adding some documentation. 2009-10-09 12:27:44 +00:00			`# authenticity of a user while signing in.`
			`#`
Add OAuth2 documentation. 2010-07-15 11:01:31 +00:00			`# == Options`
Define Devise.model_config. 2009-10-20 13:55:57 +00:00			`#`
Add OAuth2 documentation. 2010-07-15 11:01:31 +00:00			`# DatabaseAuthenticable adds the following options to devise_for:`
Define Devise.model_config. 2009-10-20 13:55:57 +00:00			`#`
Doc: DatabaseAuthenticatable still uses pepper option 2011-08-05 10:07:54 +00:00			`# * +pepper+: a random string used to provide a more secure hash. Use`
			# `rake secret` to generate new keys.
			`#`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`# * +stretches+: the cost given to bcrypt.`
Add authentication_keys. 2009-11-15 05:31:13 +00:00			`#`
Add OAuth2 documentation. 2010-07-15 11:01:31 +00:00			`# == Examples`
Adding some documentation. 2009-10-09 12:27:44 +00:00			`#`
			`# User.find(1).valid_password?('password123') # returns true/false`
Define Devise.model_config. 2009-10-20 13:55:57 +00:00			`#`
Initial work on making the authentication stack more flexible. 2010-03-29 14:13:19 +00:00			`module DatabaseAuthenticatable`
:activatable is included by default in your models. If you are building a strategy for devise, you now need to call validate(resource), since Devise has now a default API to validate resources before and after signing them in. You can still use other Warden::Strategies with Devise, but they won't work with a few modules like unlockable (they never did, but now we have a single point to make it work). 2010-04-06 14:34:22 +00:00			`extend ActiveSupport::Concern`
Adding confirmable module, generating confirmation code and confirming a user account. 2009-09-17 14:06:46 +00:00
Use ActiveSupport::Concern. 2010-02-17 11:35:38 +00:00			`included do`
			`attr_reader :password, :current_password`
			`attr_accessor :password_confirmation`
Authenticable module: generating salt and encrypting password 2009-09-17 12:24:33 +00:00			`end`

Added check_model! method 2012-02-17 16:37:44 +00:00			`module ModuleMethods`
			`extend self`

			`def required_fields`
Added required_fields to database_authenticatable 2012-02-17 16:52:42 +00:00			`[:encrypted_password] + Devise.authentication_keys`
Added check_model! method 2012-02-17 16:37:44 +00:00			`end`
			`end`

Don't need to extend ActiveSupport::Concern anymore in oauth helpers 2010-09-26 14:47:56 +00:00			`# Generates password encryption based on the given value.`
Change how salt and encrypt works. 2009-10-15 18:52:25 +00:00			`def password=(new_password)`
			`@password = new_password`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`self.encrypted_password = password_digest(@password) if @password.present?`
Change how salt and encrypt works. 2009-10-15 18:52:25 +00:00			`end`

Use secure compare as well. 2011-02-15 10:33:54 +00:00			`# Verifies whether an password (ie from sign in) is the user password.`
Ensure bcrypt also uses pepper for backward compatibility. 2010-09-28 15:45:06 +00:00			`def valid_password?(password)`
Simply check instead or rescueing. 2011-04-16 10:43:43 +00:00			`return false if encrypted_password.blank?`
			`bcrypt = ::BCrypt::Password.new(self.encrypted_password)`
			`password = ::BCrypt::Engine.hash_secret("#{password}#{self.class.pepper}", bcrypt.salt)`
			`Devise.secure_compare(password, self.encrypted_password)`
Initial support for authorization using "authentication token" (a.k.a. "single access token") - new module. Corresponding changes to Devise core to hook events like "after_changed_password" (only one added now - only one that makes much sense for latest module) easily. Unit and integration tests included. NOTE: One failing test for hooking Warden::Manager.after_authentication - gets ignored for some reason. Signed-off-by: José Valim <jose.valim@gmail.com> 2010-01-24 02:38:52 +00:00			`end`

More changes in update_with_password. 2010-02-08 22:14:03 +00:00			`# Set password and password confirmation to nil`
			`def clean_up_passwords`
DatabaseAuthenticatable#clean_up_passwords should set accessors to nil, not empty string. 2011-09-02 17:14:15 +00:00			`self.password = self.password_confirmation = nil`
More changes in update_with_password. 2010-02-08 22:14:03 +00:00			`end`

			`# Update record attributes when :current_password matches, otherwise returns`
			`# error on :current_password. It also automatically rejects :password and`
			`# :password_confirmation if they are blank.`
Added support for rails 3.1 new mass assignment conventions 2011-11-24 08:51:03 +00:00			`def update_with_password(params, *options)`
Got tests running on Rails 3: 369 tests, 486 assertions, 45 failures, 124 errors. 2010-02-16 13:31:49 +00:00			`current_password = params.delete(:current_password)`
More work on edit. 2010-02-08 19:38:47 +00:00
Ensure password confirmation is always required, closes #228 2010-04-25 07:38:56 +00:00			`if params[:password].blank?`
			`params.delete(:password)`
			`params.delete(:password_confirmation) if params[:password_confirmation].blank?`
			`end`
More changes in update_with_password. 2010-02-08 22:14:03 +00:00
Avoid mass assignment error messages with current password. 2010-02-15 13:15:24 +00:00			`result = if valid_password?(current_password)`
Fix up previous commit and update CHANGELOG. 2011-11-24 09:24:06 +00:00			`update_attributes(params, *options)`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-15 00:55:55 +00:00			`else`
Ensure customs pass through sessions_controller. 2010-04-01 12:00:21 +00:00			`self.attributes = params`
Run validations even when password change will fail, to show a complete list of errors 2011-06-21 21:23:07 +00:00			`self.valid?`
			`self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-15 00:55:55 +00:00			`false`
			`end`
More changes in update_with_password. 2010-02-08 22:14:03 +00:00
Ensure customs pass through sessions_controller. 2010-04-01 12:00:21 +00:00			`clean_up_passwords`
More changes in update_with_password. 2010-02-08 22:14:03 +00:00			`result`
Adding update_with_password to authenticable. Updates the record only when the :old_password is valid. 2009-12-15 00:55:55 +00:00			`end`

Update CHANGELOG. 2011-06-22 16:01:49 +00:00			`# Updates record attributes without asking for the current password.`
Improve docs for update_without_password. 2011-10-25 16:37:53 +00:00			`# Never allows to change the current password. If you are using this`
			`# method, you should probably override this method to protect other`
			`# attributes you would not like to be updated without a password.`
			`#`
			`# Example:`
			`#`
			`# def update_without_password(params={})`
			`# params.delete(:email)`
			`# super(params)`
			`# end`
			`#`
Added support for rails 3.1 new mass assignment conventions 2011-11-24 08:51:03 +00:00			`def update_without_password(params, *options)`
added update_without_password method 2011-05-05 07:24:21 +00:00			`params.delete(:password)`
			`params.delete(:password_confirmation)`

Fix up previous commit and update CHANGELOG. 2011-11-24 09:24:06 +00:00			`result = update_attributes(params, *options)`
added update_without_password method 2011-05-05 07:24:21 +00:00			`clean_up_passwords`
			`result`
			`end`
Fix up previous commit and update CHANGELOG. 2011-11-24 09:24:06 +00:00
Small changes to token_authenticatable. 2010-04-06 11:26:56 +00:00			`def after_database_authentication`
			`end`

Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`# A reliable way to expose the salt regardless of the implementation.`
			`def authenticatable_salt`
Ensure authenticatable_salt can be nil. 2010-11-11 21:51:19 +00:00			`self.encrypted_password[0,29] if self.encrypted_password`
Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`end`

Allow several authentications to share a common path. 2010-03-29 21:44:47 +00:00			`protected`
Added Devise.all to freeze your app strategies and moved friendly_token to Devise module. 2009-11-18 11:26:47 +00:00
Extract encryptors into their own module for better bcrypt support. 2010-09-25 14:08:46 +00:00			`# Digests the password using bcrypt.`
Allow several authentications to share a common path. 2010-03-29 21:44:47 +00:00			`def password_digest(password)`
Ensure bcrypt also uses pepper for backward compatibility. 2010-09-28 15:45:06 +00:00			`::BCrypt::Password.create("#{password}#{self.class.pepper}", :cost => self.class.stretches).to_s`
Allow several authentications to share a common path. 2010-03-29 21:44:47 +00:00			`end`
Moving modules inside respective Models module. 2009-10-09 11:30:25 +00:00
			`module ClassMethods`
Tidy up and update CHANGELOG. 2010-11-20 20:19:12 +00:00			`Devise::Models.config(self, :pepper, :stretches)`
Also pass stretches to salt generation. 2010-07-12 04:59:49 +00:00
Improve docs on finders after taking a look at the wiki. 2010-07-05 17:11:37 +00:00			`# We assume this method already gets the sanitized values from the`
			`# DatabaseAuthenticatable strategy. If you are using this method on`
			`# your own, be sure to sanitize the conditions hash to only include`
			`# the proper fields.`
Small changes to token_authenticatable. 2010-04-06 11:26:56 +00:00			`def find_for_database_authentication(conditions)`
			`find_for_authentication(conditions)`
Allow overwriting find for authentication method. 2009-11-19 15:53:57 +00:00			`end`
Ensure all encryptor returns a symbol. Get the class using encryptor_class. 2009-11-23 00:32:54 +00:00			`end`
Creating authenticate method for user. 2009-09-17 12:46:40 +00:00			`end`
Authenticable module: generating salt and encrypting password 2009-09-17 12:24:33 +00:00			`end`
			`end`