devise.rb 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439
  1. require 'rails'
  2. require 'active_support/core_ext/numeric/time'
  3. require 'active_support/dependencies'
  4. require 'orm_adapter'
  5. require 'set'
  6. require 'securerandom'
  7. module Devise
  8. autoload :Delegator, 'devise/delegator'
  9. autoload :FailureApp, 'devise/failure_app'
  10. autoload :OmniAuth, 'devise/omniauth'
  11. autoload :ParamFilter, 'devise/param_filter'
  12. autoload :TestHelpers, 'devise/test_helpers'
  13. module Controllers
  14. autoload :Helpers, 'devise/controllers/helpers'
  15. autoload :Rememberable, 'devise/controllers/rememberable'
  16. autoload :ScopedViews, 'devise/controllers/scoped_views'
  17. autoload :UrlHelpers, 'devise/controllers/url_helpers'
  18. end
  19. module Mailers
  20. autoload :Helpers, 'devise/mailers/helpers'
  21. end
  22. module Strategies
  23. autoload :Base, 'devise/strategies/base'
  24. autoload :Authenticatable, 'devise/strategies/authenticatable'
  25. end
  26. # Constants which holds devise configuration for extensions. Those should
  27. # not be modified by the "end user" (this is why they are constants).
  28. ALL = []
  29. CONTROLLERS = ActiveSupport::OrderedHash.new
  30. ROUTES = ActiveSupport::OrderedHash.new
  31. STRATEGIES = ActiveSupport::OrderedHash.new
  32. URL_HELPERS = ActiveSupport::OrderedHash.new
  33. # Strategies that do not require user input.
  34. NO_INPUT = []
  35. # True values used to check params
  36. TRUE_VALUES = [true, 1, '1', 't', 'T', 'true', 'TRUE']
  37. # Custom domain for cookies. Not set by default
  38. mattr_accessor :rememberable_options
  39. @@rememberable_options = {}
  40. # The number of times to encrypt password.
  41. mattr_accessor :stretches
  42. @@stretches = 10
  43. # Keys used when authenticating a user.
  44. mattr_accessor :authentication_keys
  45. @@authentication_keys = [ :email ]
  46. # Request keys used when authenticating a user.
  47. mattr_accessor :request_keys
  48. @@request_keys = []
  49. # Keys that should be case-insensitive.
  50. mattr_accessor :case_insensitive_keys
  51. @@case_insensitive_keys = [ :email ]
  52. # Keys that should have whitespace stripped.
  53. mattr_accessor :strip_whitespace_keys
  54. @@strip_whitespace_keys = []
  55. # If http authentication is enabled by default.
  56. mattr_accessor :http_authenticatable
  57. @@http_authenticatable = false
  58. # If http headers should be returned for ajax requests. True by default.
  59. mattr_accessor :http_authenticatable_on_xhr
  60. @@http_authenticatable_on_xhr = true
  61. # If params authenticatable is enabled by default.
  62. mattr_accessor :params_authenticatable
  63. @@params_authenticatable = true
  64. # The realm used in Http Basic Authentication.
  65. mattr_accessor :http_authentication_realm
  66. @@http_authentication_realm = "Application"
  67. # Email regex used to validate email formats. It simply asserts that
  68. # an one (and only one) @ exists in the given string. This is mainly
  69. # to give user feedback and not to assert the e-mail validity.
  70. mattr_accessor :email_regexp
  71. @@email_regexp = /\A[^@]+@([^@\.]+\.)+[^@\.]+\z/
  72. # Range validation for password length
  73. mattr_accessor :password_length
  74. @@password_length = 6..128
  75. # The time the user will be remembered without asking for credentials again.
  76. mattr_accessor :remember_for
  77. @@remember_for = 2.weeks
  78. # If true, extends the user's remember period when remembered via cookie.
  79. mattr_accessor :extend_remember_period
  80. @@extend_remember_period = false
  81. # Time interval you can access your account before confirming your account.
  82. mattr_accessor :allow_unconfirmed_access_for
  83. @@allow_unconfirmed_access_for = 0.days
  84. # Defines which key will be used when confirming an account.
  85. mattr_accessor :confirmation_keys
  86. @@confirmation_keys = [ :email ]
  87. # Defines if email should be reconfirmable.
  88. # False by default for backwards compatibility.
  89. mattr_accessor :reconfirmable
  90. @@reconfirmable = false
  91. # Time interval to timeout the user session without activity.
  92. mattr_accessor :timeout_in
  93. @@timeout_in = 30.minutes
  94. # Authentication token expiration on timeout
  95. mattr_accessor :expire_auth_token_on_timeout
  96. @@expire_auth_token_on_timeout = false
  97. # Used to encrypt password. Please generate one with rake secret.
  98. mattr_accessor :pepper
  99. @@pepper = nil
  100. # Scoped views. Since it relies on fallbacks to render default views, it's
  101. # turned off by default.
  102. mattr_accessor :scoped_views
  103. @@scoped_views = false
  104. # Defines which strategy can be used to lock an account.
  105. # Values: :failed_attempts, :none
  106. mattr_accessor :lock_strategy
  107. @@lock_strategy = :failed_attempts
  108. # Defines which key will be used when locking and unlocking an account
  109. mattr_accessor :unlock_keys
  110. @@unlock_keys = [ :email ]
  111. # Defines which strategy can be used to unlock an account.
  112. # Values: :email, :time, :both
  113. mattr_accessor :unlock_strategy
  114. @@unlock_strategy = :both
  115. # Number of authentication tries before locking an account
  116. mattr_accessor :maximum_attempts
  117. @@maximum_attempts = 20
  118. # Time interval to unlock the account if :time is defined as unlock_strategy.
  119. mattr_accessor :unlock_in
  120. @@unlock_in = 1.hour
  121. # Defines which key will be used when recovering the password for an account
  122. mattr_accessor :reset_password_keys
  123. @@reset_password_keys = [ :email ]
  124. # Time interval you can reset your password with a reset password key
  125. mattr_accessor :reset_password_within
  126. @@reset_password_within = 6.hours
  127. # The default scope which is used by warden.
  128. mattr_accessor :default_scope
  129. @@default_scope = nil
  130. # Address which sends Devise e-mails.
  131. mattr_accessor :mailer_sender
  132. @@mailer_sender = nil
  133. # Authentication token params key name of choice. E.g. /users/sign_in?some_key=...
  134. mattr_accessor :token_authentication_key
  135. @@token_authentication_key = :auth_token
  136. # Skip session storage for the following strategies
  137. mattr_accessor :skip_session_storage
  138. @@skip_session_storage = []
  139. # Which formats should be treated as navigational.
  140. mattr_accessor :navigational_formats
  141. @@navigational_formats = ["*/*", :html]
  142. # When set to true, signing out a user signs out all other scopes.
  143. mattr_accessor :sign_out_all_scopes
  144. @@sign_out_all_scopes = true
  145. # The default method used while signing out
  146. mattr_accessor :sign_out_via
  147. @@sign_out_via = :get
  148. # The parent controller all Devise controllers inherits from.
  149. # Defaults to ApplicationController. This should be set early
  150. # in the initialization process and should be set to a string.
  151. mattr_accessor :parent_controller
  152. @@parent_controller = "ApplicationController"
  153. # The router Devise should use to generate routes. Defaults
  154. # to :main_app. Should be overriden by engines in order
  155. # to provide custom routes.
  156. mattr_accessor :router_name
  157. @@router_name = nil
  158. # Set the omniauth path prefix so it can be overriden when
  159. # Devise is used in a mountable engine
  160. mattr_accessor :omniauth_path_prefix
  161. @@omniauth_path_prefix = nil
  162. def self.encryptor=(value)
  163. warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
  164. end
  165. def self.use_salt_as_remember_token=(value)
  166. warn "\n[DEVISE] Devise.use_salt_as_remember_token is deprecated and has no effect. Please remove it.\n"
  167. end
  168. def self.apply_schema=(value)
  169. warn "\n[DEVISE] Devise.apply_schema is deprecated and has no effect. Please remove it.\n"
  170. end
  171. # PRIVATE CONFIGURATION
  172. # Store scopes mappings.
  173. mattr_reader :mappings
  174. @@mappings = ActiveSupport::OrderedHash.new
  175. # Omniauth configurations.
  176. mattr_reader :omniauth_configs
  177. @@omniauth_configs = ActiveSupport::OrderedHash.new
  178. # Define a set of modules that are called when a mapping is added.
  179. mattr_reader :helpers
  180. @@helpers = Set.new
  181. @@helpers << Devise::Controllers::Helpers
  182. # Private methods to interface with Warden.
  183. mattr_accessor :warden_config
  184. @@warden_config = nil
  185. @@warden_config_block = nil
  186. # When true, enter in paranoid mode to avoid user enumeration.
  187. mattr_accessor :paranoid
  188. @@paranoid = false
  189. # Default way to setup Devise. Run rails generate devise_install to create
  190. # a fresh initializer with all configuration values.
  191. def self.setup
  192. yield self
  193. end
  194. class Getter
  195. def initialize name
  196. @name = name
  197. end
  198. def get
  199. ActiveSupport::Dependencies.constantize(@name)
  200. end
  201. end
  202. def self.ref(arg)
  203. if defined?(ActiveSupport::Dependencies::ClassCache)
  204. ActiveSupport::Dependencies::reference(arg)
  205. Getter.new(arg)
  206. else
  207. ActiveSupport::Dependencies.ref(arg)
  208. end
  209. end
  210. def self.available_router_name
  211. router_name || :main_app
  212. end
  213. def self.omniauth_providers
  214. omniauth_configs.keys
  215. end
  216. # Get the mailer class from the mailer reference object.
  217. def self.mailer
  218. @@mailer_ref.get
  219. end
  220. # Set the mailer reference object to access the mailer.
  221. def self.mailer=(class_name)
  222. @@mailer_ref = ref(class_name)
  223. end
  224. self.mailer = "Devise::Mailer"
  225. # Small method that adds a mapping to Devise.
  226. def self.add_mapping(resource, options)
  227. mapping = Devise::Mapping.new(resource, options)
  228. @@mappings[mapping.name] = mapping
  229. @@default_scope ||= mapping.name
  230. @@helpers.each { |h| h.define_helpers(mapping) }
  231. mapping
  232. end
  233. # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
  234. #
  235. # == Options:
  236. #
  237. # +model+ - String representing the load path to a custom *model* for this module (to autoload.)
  238. # +controller+ - Symbol representing the name of an exisiting or custom *controller* for this module.
  239. # +route+ - Symbol representing the named *route* helper for this module.
  240. # +strategy+ - Symbol representing if this module got a custom *strategy*.
  241. #
  242. # All values, except :model, accept also a boolean and will have the same name as the given module
  243. # name.
  244. #
  245. # == Examples:
  246. #
  247. # Devise.add_module(:party_module)
  248. # Devise.add_module(:party_module, :strategy => true, :controller => :sessions)
  249. # Devise.add_module(:party_module, :model => 'party_module/model')
  250. #
  251. def self.add_module(module_name, options = {})
  252. ALL << module_name
  253. options.assert_valid_keys(:strategy, :model, :controller, :route, :no_input)
  254. if strategy = options[:strategy]
  255. strategy = (strategy == true ? module_name : strategy)
  256. STRATEGIES[module_name] = strategy
  257. end
  258. if controller = options[:controller]
  259. controller = (controller == true ? module_name : controller)
  260. CONTROLLERS[module_name] = controller
  261. end
  262. NO_INPUT << strategy if options[:no_input]
  263. if route = options[:route]
  264. case route
  265. when TrueClass
  266. key, value = module_name, []
  267. when Symbol
  268. key, value = route, []
  269. when Hash
  270. key, value = route.keys.first, route.values.flatten
  271. else
  272. raise ArgumentError, ":route should be true, a Symbol or a Hash"
  273. end
  274. URL_HELPERS[key] ||= []
  275. URL_HELPERS[key].concat(value)
  276. URL_HELPERS[key].uniq!
  277. ROUTES[module_name] = key
  278. end
  279. if options[:model]
  280. path = (options[:model] == true ? "devise/models/#{module_name}" : options[:model])
  281. camelized = ActiveSupport::Inflector.camelize(module_name.to_s)
  282. Devise::Models.send(:autoload, camelized.to_sym, path)
  283. end
  284. Devise::Mapping.add_module module_name
  285. end
  286. # Sets warden configuration using a block that will be invoked on warden
  287. # initialization.
  288. #
  289. # Devise.initialize do |config|
  290. # config.allow_unconfirmed_access_for = 2.days
  291. #
  292. # config.warden do |manager|
  293. # # Configure warden to use other strategies, like oauth.
  294. # manager.oauth(:twitter)
  295. # end
  296. # end
  297. def self.warden(&block)
  298. @@warden_config_block = block
  299. end
  300. # Specify an omniauth provider.
  301. #
  302. # config.omniauth :github, APP_ID, APP_SECRET
  303. #
  304. def self.omniauth(provider, *args)
  305. @@helpers << Devise::OmniAuth::UrlHelpers
  306. config = Devise::OmniAuth::Config.new(provider, args)
  307. @@omniauth_configs[config.strategy_name.to_sym] = config
  308. end
  309. # Include helpers in the given scope to AC and AV.
  310. def self.include_helpers(scope)
  311. ActiveSupport.on_load(:action_controller) do
  312. include scope::Helpers if defined?(scope::Helpers)
  313. include scope::UrlHelpers
  314. end
  315. ActiveSupport.on_load(:action_view) do
  316. include scope::UrlHelpers
  317. end
  318. end
  319. # Regenerates url helpers considering Devise.mapping
  320. def self.regenerate_helpers!
  321. Devise::Controllers::UrlHelpers.remove_helpers!
  322. Devise::Controllers::UrlHelpers.generate_helpers!
  323. end
  324. # A method used internally to setup warden manager from the Rails initialize
  325. # block.
  326. def self.configure_warden! #:nodoc:
  327. @@warden_configured ||= begin
  328. warden_config.failure_app = Devise::Delegator.new
  329. warden_config.default_scope = Devise.default_scope
  330. warden_config.intercept_401 = false
  331. Devise.mappings.each_value do |mapping|
  332. warden_config.scope_defaults mapping.name, :strategies => mapping.strategies
  333. end
  334. @@warden_config_block.try :call, Devise.warden_config
  335. true
  336. end
  337. end
  338. # Generate a friendly string randomically to be used as token.
  339. def self.friendly_token
  340. SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz')
  341. end
  342. # constant-time comparison algorithm to prevent timing attacks
  343. def self.secure_compare(a, b)
  344. return false if a.blank? || b.blank? || a.bytesize != b.bytesize
  345. l = a.unpack "C#{a.bytesize}"
  346. res = 0
  347. b.each_byte { |byte| res |= byte ^ l.shift }
  348. res == 0
  349. end
  350. end
  351. require 'warden'
  352. require 'devise/mapping'
  353. require 'devise/models'
  354. require 'devise/modules'
  355. require 'devise/rails'