2017-12-21 17:36:29 +00:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2010-03-29 14:13:19 +00:00
|
|
|
require 'devise/strategies/database_authenticatable'
|
2009-10-12 11:37:28 +00:00
|
|
|
|
2009-09-17 12:24:33 +00:00
|
|
|
module Devise
|
2009-10-09 11:30:25 +00:00
|
|
|
module Models
|
2016-02-10 19:00:49 +00:00
|
|
|
# Authenticatable Module, responsible for hashing the password and
|
|
|
|
# validating the authenticity of a user while signing in.
|
2009-10-09 12:27:44 +00:00
|
|
|
#
|
2010-07-15 11:01:31 +00:00
|
|
|
# == Options
|
2009-10-20 13:55:57 +00:00
|
|
|
#
|
2015-09-30 22:31:55 +00:00
|
|
|
# DatabaseAuthenticatable adds the following options to devise_for:
|
2009-10-20 13:55:57 +00:00
|
|
|
#
|
2011-08-05 10:07:54 +00:00
|
|
|
# * +pepper+: a random string used to provide a more secure hash. Use
|
2017-11-02 15:37:51 +00:00
|
|
|
# `rails secret` to generate new keys.
|
2011-08-05 10:07:54 +00:00
|
|
|
#
|
2010-09-25 14:08:46 +00:00
|
|
|
# * +stretches+: the cost given to bcrypt.
|
2009-11-15 05:31:13 +00:00
|
|
|
#
|
2017-03-10 11:56:33 +00:00
|
|
|
# * +send_email_changed_notification+: notify original email when it changes.
|
2017-03-06 20:33:34 +00:00
|
|
|
#
|
|
|
|
# * +send_password_change_notification+: notify email when password changes.
|
|
|
|
#
|
2010-07-15 11:01:31 +00:00
|
|
|
# == Examples
|
2009-10-09 12:27:44 +00:00
|
|
|
#
|
|
|
|
# User.find(1).valid_password?('password123') # returns true/false
|
2009-10-20 13:55:57 +00:00
|
|
|
#
|
2010-03-29 14:13:19 +00:00
|
|
|
module DatabaseAuthenticatable
|
2010-04-06 14:34:22 +00:00
|
|
|
extend ActiveSupport::Concern
|
2009-09-17 14:06:46 +00:00
|
|
|
|
2010-02-17 11:35:38 +00:00
|
|
|
included do
|
2017-03-10 11:56:33 +00:00
|
|
|
after_update :send_email_changed_notification, if: :send_email_changed_notification?
|
2015-06-19 19:22:37 +00:00
|
|
|
after_update :send_password_change_notification, if: :send_password_change_notification?
|
|
|
|
|
2010-02-17 11:35:38 +00:00
|
|
|
attr_reader :password, :current_password
|
|
|
|
attr_accessor :password_confirmation
|
2009-09-17 12:24:33 +00:00
|
|
|
end
|
|
|
|
|
2012-02-19 00:50:59 +00:00
|
|
|
def self.required_fields(klass)
|
|
|
|
[:encrypted_password] + klass.authentication_keys
|
2012-02-17 16:37:44 +00:00
|
|
|
end
|
|
|
|
|
2016-02-10 19:00:49 +00:00
|
|
|
# Generates a hashed password based on the given value.
|
|
|
|
# For legacy reasons, we use `encrypted_password` to store
|
|
|
|
# the hashed password.
|
2009-10-15 18:52:25 +00:00
|
|
|
def password=(new_password)
|
|
|
|
@password = new_password
|
2013-11-08 18:22:31 +00:00
|
|
|
self.encrypted_password = password_digest(@password) if @password.present?
|
2009-10-15 18:52:25 +00:00
|
|
|
end
|
|
|
|
|
2014-11-05 21:51:29 +00:00
|
|
|
# Verifies whether a password (ie from sign in) is the user password.
|
2010-09-28 15:45:06 +00:00
|
|
|
def valid_password?(password)
|
2014-03-25 13:44:40 +00:00
|
|
|
Devise::Encryptor.compare(self.class, encrypted_password, password)
|
2010-01-24 02:38:52 +00:00
|
|
|
end
|
|
|
|
|
2010-02-08 22:14:03 +00:00
|
|
|
# Set password and password confirmation to nil
|
|
|
|
def clean_up_passwords
|
2011-09-02 17:14:15 +00:00
|
|
|
self.password = self.password_confirmation = nil
|
2010-02-08 22:14:03 +00:00
|
|
|
end
|
|
|
|
|
2014-03-24 20:49:48 +00:00
|
|
|
# Update record attributes when :current_password matches, otherwise
|
|
|
|
# returns error on :current_password.
|
|
|
|
#
|
|
|
|
# This method also rejects the password field if it is blank (allowing
|
|
|
|
# users to change relevant information like the e-mail without changing
|
|
|
|
# their password). In case the password field is rejected, the confirmation
|
|
|
|
# is also rejected as long as it is also blank.
|
2011-11-24 08:51:03 +00:00
|
|
|
def update_with_password(params, *options)
|
2010-02-16 13:31:49 +00:00
|
|
|
current_password = params.delete(:current_password)
|
2010-02-08 19:38:47 +00:00
|
|
|
|
2010-04-25 07:38:56 +00:00
|
|
|
if params[:password].blank?
|
|
|
|
params.delete(:password)
|
|
|
|
params.delete(:password_confirmation) if params[:password_confirmation].blank?
|
|
|
|
end
|
2010-02-08 22:14:03 +00:00
|
|
|
|
2010-02-15 13:15:24 +00:00
|
|
|
result = if valid_password?(current_password)
|
2011-11-24 09:24:06 +00:00
|
|
|
update_attributes(params, *options)
|
2009-12-15 00:55:55 +00:00
|
|
|
else
|
2012-06-08 17:15:30 +00:00
|
|
|
self.assign_attributes(params, *options)
|
2011-06-21 21:23:07 +00:00
|
|
|
self.valid?
|
|
|
|
self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
|
2009-12-15 00:55:55 +00:00
|
|
|
false
|
|
|
|
end
|
2010-02-08 22:14:03 +00:00
|
|
|
|
2010-04-01 12:00:21 +00:00
|
|
|
clean_up_passwords
|
2010-02-08 22:14:03 +00:00
|
|
|
result
|
2009-12-15 00:55:55 +00:00
|
|
|
end
|
|
|
|
|
2011-06-22 16:01:49 +00:00
|
|
|
# Updates record attributes without asking for the current password.
|
2012-11-29 11:45:15 +00:00
|
|
|
# Never allows a change to the current password. If you are using this
|
2011-10-25 16:37:53 +00:00
|
|
|
# method, you should probably override this method to protect other
|
|
|
|
# attributes you would not like to be updated without a password.
|
|
|
|
#
|
|
|
|
# Example:
|
|
|
|
#
|
2013-06-25 09:27:35 +00:00
|
|
|
# def update_without_password(params, *options)
|
2011-10-25 16:37:53 +00:00
|
|
|
# params.delete(:email)
|
|
|
|
# super(params)
|
|
|
|
# end
|
|
|
|
#
|
2011-11-24 08:51:03 +00:00
|
|
|
def update_without_password(params, *options)
|
2011-05-05 07:24:21 +00:00
|
|
|
params.delete(:password)
|
|
|
|
params.delete(:password_confirmation)
|
|
|
|
|
2011-11-24 09:24:06 +00:00
|
|
|
result = update_attributes(params, *options)
|
2011-05-05 07:24:21 +00:00
|
|
|
clean_up_passwords
|
|
|
|
result
|
|
|
|
end
|
2011-11-24 09:24:06 +00:00
|
|
|
|
2013-04-29 13:06:13 +00:00
|
|
|
# Destroy record when :current_password matches, otherwise returns
|
2013-10-23 21:15:53 +00:00
|
|
|
# error on :current_password. It also automatically rejects
|
2013-04-29 13:06:13 +00:00
|
|
|
# :current_password if it is blank.
|
|
|
|
def destroy_with_password(current_password)
|
|
|
|
result = if valid_password?(current_password)
|
|
|
|
destroy
|
|
|
|
else
|
|
|
|
self.valid?
|
|
|
|
self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
|
|
|
result
|
|
|
|
end
|
|
|
|
|
2013-10-23 21:15:53 +00:00
|
|
|
# A callback initiated after successfully authenticating. This can be
|
|
|
|
# used to insert your own logic that is only run after the user successfully
|
|
|
|
# authenticates.
|
|
|
|
#
|
|
|
|
# Example:
|
|
|
|
#
|
|
|
|
# def after_database_authentication
|
|
|
|
# self.update_attribute(:invite_code, nil)
|
|
|
|
# end
|
|
|
|
#
|
2010-04-06 11:26:56 +00:00
|
|
|
def after_database_authentication
|
|
|
|
end
|
|
|
|
|
2010-09-25 14:08:46 +00:00
|
|
|
# A reliable way to expose the salt regardless of the implementation.
|
|
|
|
def authenticatable_salt
|
2012-03-10 10:10:57 +00:00
|
|
|
encrypted_password[0,29] if encrypted_password
|
2010-09-25 14:08:46 +00:00
|
|
|
end
|
|
|
|
|
2017-05-10 20:09:38 +00:00
|
|
|
if Devise.activerecord51?
|
2017-04-28 22:33:55 +00:00
|
|
|
# Send notification to user when email changes.
|
|
|
|
def send_email_changed_notification
|
|
|
|
send_devise_notification(:email_changed, to: email_before_last_save)
|
|
|
|
end
|
|
|
|
else
|
|
|
|
# Send notification to user when email changes.
|
|
|
|
def send_email_changed_notification
|
|
|
|
send_devise_notification(:email_changed, to: email_was)
|
|
|
|
end
|
2017-03-06 19:34:38 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
# Send notification to user when password changes.
|
2015-06-19 19:22:37 +00:00
|
|
|
def send_password_change_notification
|
|
|
|
send_devise_notification(:password_change)
|
|
|
|
end
|
|
|
|
|
2010-03-29 21:44:47 +00:00
|
|
|
protected
|
2009-11-18 11:26:47 +00:00
|
|
|
|
2016-02-10 19:00:49 +00:00
|
|
|
# Hashes the password using bcrypt. Custom hash functions should override
|
2013-11-08 18:22:31 +00:00
|
|
|
# this method to apply their own algorithm.
|
|
|
|
#
|
|
|
|
# See https://github.com/plataformatec/devise-encryptable for examples
|
2016-02-10 19:00:49 +00:00
|
|
|
# of other hashing engines.
|
2013-11-08 18:22:31 +00:00
|
|
|
def password_digest(password)
|
2014-03-25 13:44:40 +00:00
|
|
|
Devise::Encryptor.digest(self.class, password)
|
2013-11-08 18:22:31 +00:00
|
|
|
end
|
|
|
|
|
2017-05-10 20:09:38 +00:00
|
|
|
if Devise.activerecord51?
|
2017-04-28 23:05:39 +00:00
|
|
|
def send_email_changed_notification?
|
|
|
|
self.class.send_email_changed_notification && saved_change_to_email?
|
|
|
|
end
|
|
|
|
else
|
|
|
|
def send_email_changed_notification?
|
|
|
|
self.class.send_email_changed_notification && email_changed?
|
|
|
|
end
|
2017-03-06 19:34:38 +00:00
|
|
|
end
|
|
|
|
|
2017-05-10 20:09:38 +00:00
|
|
|
if Devise.activerecord51?
|
2017-04-28 23:05:39 +00:00
|
|
|
def send_password_change_notification?
|
|
|
|
self.class.send_password_change_notification && saved_change_to_encrypted_password?
|
|
|
|
end
|
|
|
|
else
|
|
|
|
def send_password_change_notification?
|
|
|
|
self.class.send_password_change_notification && encrypted_password_changed?
|
|
|
|
end
|
2015-06-19 19:22:37 +00:00
|
|
|
end
|
|
|
|
|
2009-10-09 11:30:25 +00:00
|
|
|
module ClassMethods
|
2017-03-10 11:56:33 +00:00
|
|
|
Devise::Models.config(self, :pepper, :stretches, :send_email_changed_notification, :send_password_change_notification)
|
2010-07-12 04:59:49 +00:00
|
|
|
|
2010-07-05 17:11:37 +00:00
|
|
|
# We assume this method already gets the sanitized values from the
|
|
|
|
# DatabaseAuthenticatable strategy. If you are using this method on
|
|
|
|
# your own, be sure to sanitize the conditions hash to only include
|
|
|
|
# the proper fields.
|
2010-04-06 11:26:56 +00:00
|
|
|
def find_for_database_authentication(conditions)
|
|
|
|
find_for_authentication(conditions)
|
2009-11-19 15:53:57 +00:00
|
|
|
end
|
2009-11-23 00:32:54 +00:00
|
|
|
end
|
2009-09-17 12:46:40 +00:00
|
|
|
end
|
2009-09-17 12:24:33 +00:00
|
|
|
end
|
|
|
|
end
|