github/devise
1
1
Fork 0
mirror of https://github.com/heartcombo/devise.git synced 2026-04-28 03:00:29 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
77203e3d97346378806e35fc96a541403323deda
devise/lib/devise.rb
Drew Ulmer 78f137368c Add support for Rails 4 strong_parameters 
This brings support for Rails 4 StrongParameters changes.

- Parameter sanitizing is setup for Devise controllers via
  resource_params except Omniauth Callbacks which doesn't use
  resource_params.

- Change #build_resource to not call resource_params for get requests.
  Parameter sanitizing is only needed when params are posted to the
  server so there's no need to try to construct resource params on get
  requests (new, edit).
2013-03-31 21:31:48 -05:00

468 lines
14 KiB
Ruby
Raw Blame History

require 'rails'
require 'active_support/core_ext/numeric/time'
require 'active_support/dependencies'
require 'orm_adapter'
require 'set'
require 'securerandom'
module Devise
autoload :Delegator, 'devise/delegator'
autoload :FailureApp, 'devise/failure_app'
autoload :OmniAuth, 'devise/omniauth'
autoload :ParamFilter, 'devise/param_filter'
autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
autoload :TestHelpers, 'devise/test_helpers'
autoload :TimeInflector, 'devise/time_inflector'
module Controllers
autoload :Helpers, 'devise/controllers/helpers'
autoload :Rememberable, 'devise/controllers/rememberable'
autoload :ScopedViews, 'devise/controllers/scoped_views'
autoload :UrlHelpers, 'devise/controllers/url_helpers'
end
module Mailers
autoload :Helpers, 'devise/mailers/helpers'
end
module Strategies
autoload :Base, 'devise/strategies/base'
autoload :Authenticatable, 'devise/strategies/authenticatable'
end
# Constants which holds devise configuration for extensions. Those should
# not be modified by the "end user" (this is why they are constants).
ALL = []
CONTROLLERS = ActiveSupport::OrderedHash.new
ROUTES = ActiveSupport::OrderedHash.new
STRATEGIES = ActiveSupport::OrderedHash.new
URL_HELPERS = ActiveSupport::OrderedHash.new
# Strategies that do not require user input.
NO_INPUT = []
# True values used to check params
TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
# Custom domain or key for cookies. Not set by default
mattr_accessor :rememberable_options
@@rememberable_options = {}
# The number of times to encrypt password.
mattr_accessor :stretches
@@stretches = 10
# The default key used when authenticating over http auth.
mattr_accessor :http_auth_key
@@http_auth_key = nil
# Keys used when authenticating a user.
mattr_accessor :authentication_keys
@@authentication_keys = [ :email ]
# Request keys used when authenticating a user.
mattr_accessor :request_keys
@@request_keys = []
# Keys that should be case-insensitive.
mattr_accessor :case_insensitive_keys
@@case_insensitive_keys = [ :email ]
# Keys that should have whitespace stripped.
mattr_accessor :strip_whitespace_keys
@@strip_whitespace_keys = []
# If http authentication is enabled by default.
mattr_accessor :http_authenticatable
@@http_authenticatable = false
# If http headers should be returned for ajax requests. True by default.
mattr_accessor :http_authenticatable_on_xhr
@@http_authenticatable_on_xhr = true
# If params authenticatable is enabled by default.
mattr_accessor :params_authenticatable
@@params_authenticatable = true
# The realm used in Http Basic Authentication.
mattr_accessor :http_authentication_realm
@@http_authentication_realm = "Application"
# Email regex used to validate email formats. It simply asserts that
# an one (and only one) @ exists in the given string. This is mainly
# to give user feedback and not to assert the e-mail validity.
mattr_accessor :email_regexp
@@email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\s]+\z/
# Range validation for password length
mattr_accessor :password_length
@@password_length = 6..128
# The time the user will be remembered without asking for credentials again.
mattr_accessor :remember_for
@@remember_for = 2.weeks
# If true, extends the user's remember period when remembered via cookie.
mattr_accessor :extend_remember_period
@@extend_remember_period = false
# Time interval you can access your account before confirming your account.
# nil - allows unconfirmed access for unlimited time
mattr_accessor :allow_unconfirmed_access_for
@@allow_unconfirmed_access_for = 0.days
# Time interval the confirmation token is valid. nil = unlimited
mattr_accessor :confirm_within
@@confirm_within = nil
# Defines which key will be used when confirming an account.
mattr_accessor :confirmation_keys
@@confirmation_keys = [ :email ]
# Defines if email should be reconfirmable.
# False by default for backwards compatibility.
mattr_accessor :reconfirmable
@@reconfirmable = false
# Time interval to timeout the user session without activity.
mattr_accessor :timeout_in
@@timeout_in = 30.minutes
# Authentication token expiration on timeout
mattr_accessor :expire_auth_token_on_timeout
@@expire_auth_token_on_timeout = false
# Used to encrypt password. Please generate one with rake secret.
mattr_accessor :pepper
@@pepper = nil
# Scoped views. Since it relies on fallbacks to render default views, it's
# turned off by default.
mattr_accessor :scoped_views
@@scoped_views = false
# Defines which strategy can be used to lock an account.
# Values: :failed_attempts, :none
mattr_accessor :lock_strategy
@@lock_strategy = :failed_attempts
# Defines which key will be used when locking and unlocking an account
mattr_accessor :unlock_keys
@@unlock_keys = [ :email ]
# Defines which strategy can be used to unlock an account.
# Values: :email, :time, :both
mattr_accessor :unlock_strategy
@@unlock_strategy = :both
# Number of authentication tries before locking an account
mattr_accessor :maximum_attempts
@@maximum_attempts = 20
# Time interval to unlock the account if :time is defined as unlock_strategy.
mattr_accessor :unlock_in
@@unlock_in = 1.hour
# Defines which key will be used when recovering the password for an account
mattr_accessor :reset_password_keys
@@reset_password_keys = [ :email ]
# Time interval you can reset your password with a reset password key
mattr_accessor :reset_password_within
@@reset_password_within = 6.hours
# The default scope which is used by warden.
mattr_accessor :default_scope
@@default_scope = nil
# Address which sends Devise e-mails.
mattr_accessor :mailer_sender
@@mailer_sender = nil
# Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
mattr_accessor :token_authentication_key
@@token_authentication_key = :auth_token
# Skip session storage for the following strategies
mattr_accessor :skip_session_storage
@@skip_session_storage = []
# Which formats should be treated as navigational.
mattr_accessor :navigational_formats
@@navigational_formats = ["*/*", :html]
# When set to true, signing out a user signs out all other scopes.
mattr_accessor :sign_out_all_scopes
@@sign_out_all_scopes = true
# The default method used while signing out
mattr_accessor :sign_out_via
@@sign_out_via = :get
# The parent controller all Devise controllers inherits from.
# Defaults to ApplicationController. This should be set early
# in the initialization process and should be set to a string.
mattr_accessor :parent_controller
@@parent_controller = "ApplicationController"
# The parent mailer all Devise mailers inherit from.
# Defaults to ActionMailer::Base. This should be set early
# in the initialization process and should be set to a string.
mattr_accessor :parent_mailer
@@parent_mailer = "ActionMailer::Base"
# The router Devise should use to generate routes. Defaults
# to :main_app. Should be overriden by engines in order
# to provide custom routes.
mattr_accessor :router_name
@@router_name = nil
# Set the omniauth path prefix so it can be overriden when
# Devise is used in a mountable engine
mattr_accessor :omniauth_path_prefix
@@omniauth_path_prefix = nil
def self.encryptor=(value)
warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
end
def self.use_salt_as_remember_token=(value)
warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
end
def self.apply_schema=(value)
warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
end
# PRIVATE CONFIGURATION
# Store scopes mappings.
mattr_reader :mappings
@@mappings = ActiveSupport::OrderedHash.new
# Omniauth configurations.
mattr_reader :omniauth_configs
@@omniauth_configs = ActiveSupport::OrderedHash.new
# Define a set of modules that are called when a mapping is added.
mattr_reader :helpers
@@helpers = Set.new
@@helpers << Devise::Controllers::Helpers
# Private methods to interface with Warden.
mattr_accessor :warden_config
@@warden_config = nil
@@warden_config_block = nil
# When true, enter in paranoid mode to avoid user enumeration.
mattr_accessor :paranoid
@@paranoid = false
# Default way to setup Devise. Run rails generate devise_install to create
# a fresh initializer with all configuration values.
def self.setup
yield self
end
class Getter
def initialize name
@name = name
end
def get
ActiveSupport::Dependencies.constantize(@name)
end
end
def self.ref(arg)
if defined?(ActiveSupport::Dependencies::ClassCache)
ActiveSupport::Dependencies::reference(arg)
Getter.new(arg)
else
ActiveSupport::Dependencies.ref(arg)
end
end
def self.available_router_name
router_name || :main_app
end
def self.omniauth_providers
omniauth_configs.keys
end
# Get the mailer class from the mailer reference object.
def self.mailer
@@mailer_ref.get
end
# Set the mailer reference object to access the mailer.
def self.mailer=(class_name)
@@mailer_ref = ref(class_name)
end
self.mailer = "Devise::Mailer"
# Small method that adds a mapping to Devise.
def self.add_mapping(resource, options)
mapping = Devise::Mapping.new(resource, options)
@@mappings[mapping.name] = mapping
@@default_scope ||= mapping.name
@@helpers.each { |h| h.define_helpers(mapping) }
mapping
end
# Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
#
# == Options:
#
# +model+ - String representing the load path to a custom *model* for this module (to autoload.)
# +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
# +route+ - Symbol representing the named *route* helper for this module.
# +strategy+ - Symbol representing if this module got a custom *strategy*.
#
# All values, except :model, accept also a boolean and will have the same name as the given module
# name.
#
# == Examples:
#
# Devise.add_module(:party_module)
# Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
# Devise.add_module(:party_module, :model => 'party_module/model')
#
def self.add_module(module_name, options = {})
ALL << module_name
options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
if strategy = options[:strategy]
strategy = (strategy == true ? module_name : strategy)
STRATEGIES[module_name] = strategy
end
if controller = options[:controller]
controller = (controller == true ? module_name : controller)
CONTROLLERS[module_name] = controller
end
NO_INPUT << strategy if options[:no_input]
if route = options[:route]
case route
when TrueClass
key, value = module_name, []
when Symbol
key, value = route, []
when Hash
key, value = route.keys.first, route.values.flatten
else
raise ArgumentError, ":route should be true, a Symbol or a Hash"
end
URL_HELPERS[key] ||= []
URL_HELPERS[key].concat(value)
URL_HELPERS[key].uniq!
ROUTES[module_name] = key
end
if options[:model]
path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
Devise::Models.send(:autoload, camelized.to_sym, path)
end
Devise::Mapping.add_module module_name
end
# Sets warden configuration using a block that will be invoked on warden
# initialization.
#
# Devise.initialize do |config|
# config.allow_unconfirmed_access_for = 2.days
#
# config.warden do |manager|
# # Configure warden to use other strategies, like oauth.
# manager.oauth(:twitter)
# end
# end
def self.warden(&block)
@@warden_config_block = block
end
# Specify an omniauth provider.
#
# config.omniauth :github, APP_ID, APP_SECRET
#
def self.omniauth(provider, *args)
@@helpers << Devise::OmniAuth::UrlHelpers
config = Devise::OmniAuth::Config.new(provider, args)
@@omniauth_configs[config.strategy_name.to_sym] = config
end
# Include helpers in the given scope to AC and AV.
def self.include_helpers(scope)
ActiveSupport.on_load(:action_controller) do
include scope::Helpers if defined?(scope::Helpers)
include scope::UrlHelpers
end
ActiveSupport.on_load(:action_view) do
include scope::UrlHelpers
end
end
# Regenerates url helpers considering Devise.mapping
def self.regenerate_helpers!
Devise::Controllers::UrlHelpers.remove_helpers!
Devise::Controllers::UrlHelpers.generate_helpers!
end
# A method used internally to setup warden manager from the Rails initialize
# block.
def self.configure_warden! #:nodoc:
@@warden_configured ||= begin
warden_config.failure_app = Devise::Delegator.new
warden_config.default_scope = Devise.default_scope
warden_config.intercept_401 = false
Devise.mappings.each_value do |mapping|
warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
warden_config.serialize_into_session(mapping.name) do |record|
mapping.to.serialize_into_session(record)
end
warden_config.serialize_from_session(mapping.name) do |key|
# Previous versions contained an additional entry at the beginning of
# key with the record's class name.
args = key[-2, 2]
mapping.to.serialize_from_session(*args)
end
end
@@warden_config_block.try :call, Devise.warden_config
true
end
end
# Generate a friendly string randomically to be used as token.
def self.friendly_token
SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
end
# constant-time comparison algorithm to prevent timing attacks
def self.secure_compare(a, b)
return false if a.blank? || b.blank? || a.bytesize != b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
end
require 'warden'
require 'devise/mapping'
require 'devise/models'
require 'devise/modules'
require 'devise/rails'
Reference in New Issue View Git Blame Copy Permalink