initial

Author: Adam Cooke

.gitignore

@@ -0,0 +1,2 @@
+*.gem
+

MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2014 Adam Cooke.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,130 @@
+# Authie
+
+This is a Rails library which provides applications with a database-backed user
+sessions. This ensures that user sessions can be invalidated from the server and
+users activity can be easily tracked.
+
+The "traditional" way of simply setting a user ID in your session is insecure
+and unwise. If you simply do something like the example below, it means that anyone
+with access to the session cookie can login as the user whenever and wherever they wish.
+
+```ruby
+if user = User.authenticate(params[:username], params[:password])
+  # Don't do this...
+  session[:user_id] = user.id
+  redirect_to root_path, :notice => "Logged in successfully!"
+end
+```
+
+The design goals behind Authie are:
+
+* Any session can be invalidated instantly from the server without needing to make
+  changes to remote cookies.
+* We can see who is logged in to our application at any point in time.
+* Sessions should automatically expire after a certain period of inactivity.
+* Sessions can be either permanent or temporary.
+
+## Installation
+
+As usual, just pop this in your Gemfile:
+
+```ruby
+gem 'authie', '~> 1.0.0'
+```
+
+You will then need to run your `db:migrate` task to add the Authie sessions table 
+to your local database.
+
+```
+rake db:migrate
+```
+
+## Usage
+
+Authie is just a session manager and doesn't provide any functionality for your authentication or User models. Your `User` model should implement any methods needed to authenticate a username & password.
+
+### Creating a new session
+
+When a user has been authenticated, you can simply set `current_user` to the user
+you wish to login. You may have a method like this in a controller.
+
+```ruby
+class AuthenticationController < ApplicationController
+
+  skip_before_filter: login_required
+
+  def login
+    if request.post?
+      if user = User.authenticate(params[:username], params[:password])
+        self.current_user = user
+        redirect_to root_path
+      else
+        flash.now[:alert] = "Username/password was invalid"
+      end
+    end
+  end
+
+end
+```
+
+### Checking whether user's are logged in
+
+On any subsequent request, you should make sure that your user is logged in.
+You may wish to implement a `login_required` controller method which is called 
+before every action in your application.
+
+```ruby
+class ApplicationController < ActionController::Base
+  
+  before_filter :login_required
+  
+  private
+  
+  def login_required
+    unless logged_in?
+      redirect_to login_path, :alert => "You must login to view this resource"
+    end
+  end
+  
+end
+```
+
+### Accessing the current user (and session)
+
+There are a few controller methods which you can call which will return information about the current session:
+
+* `current_user` - returns the currently logged in user model
+* `auth_session` - returns the current auth session
+* `logged_in?` - returns a true if there's a session or false if no user is logged in
+
+### Logging out
+
+In order to invalidate a session you can simply invalidate it.
+
+```
+def logout
+  auth_session.invalidate!
+  redirect_to login_path, :notice => "Logged out successfully."
+end
+```
+
+### Persisting sessions
+
+In some cases, you may wish users to have a permanent sessions. In this case, you should ask users after they have logged in if they wish to "persist" their session across browser restarts. If they do wish to do this, just do something like this:
+
+```ruby
+def persist_session
+  auth_session.persist!
+  redirect_to root_path, :notice => "You will now be remembered!"
+end
+```
+
+### Accessing all user sessions
+
+If you want to provide users with a list of their sessions, you can access all active sessions for a user. The best way to do this will be to add a `has_many` association to your User model.
+
+```ruby
+class User < ActiveRecord::Base
+  has_many :sessions, :class_name => 'Authie::Session', :foriegn_key => 'user_id', :dependent => :destroy
+end
+```

authie.gemspec

@@ -0,0 +1,14 @@
+require File.expand_path('../lib/authie/version', __FILE__)
+
+Gem::Specification.new do |s|
+  s.name          = "authie"
+  s.description   = %q{A Rails library for storing user sessions in a backend database}
+  s.summary       = s.description
+  s.homepage      = "https://github.com/adamcooke/authie"
+  s.licenses      = ['MIT']
+  s.version       = Authie::VERSION
+  s.files         = Dir.glob("{lib,db}/**/*")
+  s.require_paths = ["lib"]
+  s.authors       = ["Adam Cooke"]
+  s.email         = ["[email protected]"]
+end

db/migrate/20141012174250_create_authie_sessions.rb

@@ -0,0 +1,17 @@
+class CreateAuthieSessions < ActiveRecord::Migration
+  def change
+    create_table :authie_sessions do |t|
+      t.string :token, :browser_id
+      t.integer :user_id
+      t.boolean :active, :default => true
+      t.text :data
+      t.datetime :expires_at
+      t.datetime :login_at
+      t.string :login_ip
+      t.datetime :last_activity_at
+      t.string :last_activity_ip, :last_activity_path
+      t.string :user_agent
+      t.timestamps
+    end
+  end
+end

lib/authie.rb

@@ -0,0 +1,4 @@
+require 'authie/version'
+require 'authie/engine'
+require 'authie/config'
+require 'authie/error'

lib/authie/config.rb

@@ -0,0 +1,24 @@
+module Authie
+  class Config
+    
+    def session_inactivity_timeout
+      @session_inactivity_timeout || 12.hours
+    end
+    attr_writer :session_inactivity_timeout
+    
+    def persistent_session_length
+      @persistent_session_length || 2.months
+    end
+    attr_writer :persistent_session_length
+    
+    def user_model_class_name
+      @user_model_class_name || 'User'
+    end
+    attr_writer :user_model_class_name
+    
+  end
+  
+  def self.config
+    @config ||= Config.new
+  end
+end

lib/authie/controller_extension.rb

@@ -0,0 +1,48 @@
+module Authie
+  module ControllerExtension
+    
+    def self.included(base)
+      base.helper_method :logged_in?, :current_user, :auth_session
+      base.before_filter :set_browser_id
+    end
+    
+    private
+    
+    # Set a random browser ID for this browser. 
+    # TODO: check that this is unique before setting it.
+    def set_browser_id
+      unless cookies[:browser_id]
+        cookies[:browser_id] = {:value => SecureRandom.uuid, :expires => 20.years.from_now}
+      end
+    end
+    
+    # Return the currently logged in user object
+    def current_user
+      auth_session.user
+    end
+    
+    # Set the currently logged in user
+    def current_user=(user)
+      if user.is_a?(Authie.config.user_model_class_name.constantize)
+        unless logged_in?
+          @auth_session = Session.start(self, :user => user)
+        end
+        @current_user = user
+      else
+        auth_session.destroy if logged_in?
+        @current_user = nil
+      end
+    end
+    
+    # Is anyone currently logged in?
+    def logged_in?
+      auth_session.is_a?(Session)
+    end
+    
+    # Return the currently logged in user session
+    def auth_session
+      @auth_session ||= Session.get_session(self)
+    end
+    
+  end
+end

lib/authie/engine.rb

@@ -0,0 +1,21 @@
+module Authie
+  class Engine < ::Rails::Engine
+    
+    initializer 'authie.initialize' do |app|
+      config.paths["db/migrate"].expanded.each do |expanded_path|
+        app.config.paths["db/migrate"] << expanded_path
+      end
+      
+      ActiveSupport.on_load :active_record do
+        require 'authie/session'
+      end
+      
+      ActiveSupport.on_load :action_controller do
+        require 'authie/controller_extension'
+        include Authie::ControllerExtension
+      end
+      
+    end
+    
+  end
+end

lib/authie/error.rb

@@ -0,0 +1,4 @@
+module Authie
+  class Error < StandardError
+  end
+end