From 9f94a70c3e3d9bf766cb9663b0a904d30a190d85 Mon Sep 17 00:00:00 2001 From: simon Date: Sun, 8 Feb 2009 23:15:11 +0100 Subject: * initial commit of the stripped restful-authentication * http basic auth and login from cookie have been removed * no it does not work yet, it's so f*cking secure, it won't even let legitimate users login --- app/controllers/application_controller.rb | 4 +++- app/controllers/sessions_controller.rb | 40 +++++++++++++++++++++++++++++++ app/helpers/sessions_helper.rb | 2 ++ app/models/user.rb | 34 ++++++++++++++++++++++++++ app/views/sessions/new.html.erb | 16 +++++++++++++ 5 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 app/controllers/sessions_controller.rb create mode 100644 app/helpers/sessions_helper.rb create mode 100644 app/views/sessions/new.html.erb (limited to 'app') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 6635a3f..b481317 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -2,9 +2,11 @@ # Likewise, all the methods added will be available for all controllers. class ApplicationController < ActionController::Base + include AuthenticatedSystem + helper :all # include all helpers, all the time protect_from_forgery # See ActionController::RequestForgeryProtection for details # Scrub sensitive parameters from your log - # filter_parameter_logging :password + filter_parameter_logging :password, :password_confirmation end diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb new file mode 100644 index 0000000..7c06ac8 --- /dev/null +++ b/app/controllers/sessions_controller.rb @@ -0,0 +1,40 @@ +# This controller handles the login/logout function of the site. +class SessionsController < ApplicationController + + # render new.rhtml + def new + end + + def create + logout_keeping_session! + user = User.authenticate(params[:login], params[:password]) + if user + # Protects against session fixation attacks, causes request forgery + # protection if user resubmits an earlier form using back + # button. Uncomment if you understand the tradeoffs. + reset_session + + self.current_user = user + redirect_back_or_default('/') # TODO: insert appropriate path to cms main page + flash[:notice] = "Logged in successfully" + else + note_failed_signin + @login = params[:login] + @remember_me = params[:remember_me] + render :action => 'new' + end + end + + def destroy + logout_killing_session! + flash[:notice] = "You have been logged out." + redirect_back_or_default('/login') + end + +protected + # Track failed login attempts + def note_failed_signin + flash[:error] = "Couldn't log you in as '#{params[:login]}'" + logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}" + end +end diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb new file mode 100644 index 0000000..f54a8fc --- /dev/null +++ b/app/helpers/sessions_helper.rb @@ -0,0 +1,2 @@ +module SessionsHelper +end \ No newline at end of file diff --git a/app/models/user.rb b/app/models/user.rb index 4a57cf0..3ac0712 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -1,2 +1,36 @@ +require 'digest/sha1' + class User < ActiveRecord::Base + include Authentication + include Authentication::ByPassword + + validates_presence_of :login + validates_length_of :login, :within => 3..40 + validates_uniqueness_of :login + validates_format_of :login, :with => Authentication.login_regex, + :message => Authentication.bad_login_message + + validates_presence_of :email + validates_length_of :email, :within => 6..100 #r@a.wk + validates_uniqueness_of :email + validates_format_of :email, :with => Authentication.email_regex, + :message => Authentication.bad_email_message + + attr_accessible :login, :email, :password, :password_confirmation + + # Authenticates a user by their login name and unencrypted password. Returns the user or nil. + def self.authenticate(login, password) + return nil if login.blank? || password.blank? + u = find_by_login(login) # need to get the salt + u && u.authenticated?(password) ? u : nil + end + + # TODO: Do we really want to have downcase logins only? + def login=(value) + write_attribute :login, (value ? value.downcase : nil) + end + + def email=(value) + write_attribute :email, (value ? value.downcase : nil) + end end diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb new file mode 100644 index 0000000..84f8469 --- /dev/null +++ b/app/views/sessions/new.html.erb @@ -0,0 +1,16 @@ +

Log In

+ +<% form_tag session_path do -%> +

<%= label_tag 'login' %>
+<%= text_field_tag 'login', @login %>

+ +

<%= label_tag 'password' %>
+<%= password_field_tag 'password', nil %>

+ + + +

<%= submit_tag 'Log in' %>

+<% end -%> -- cgit v1.3