forked from tomichj/authenticate
/
configuration.rb
330 lines (298 loc) · 10 KB
/
configuration.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
# Authenticate
module Authenticate
#
# Configuration for Authenticate.
#
class Configuration
#
# ActiveRecord model class name that represents your user. Specify as a String.
#
# Defaults to '::User'.
#
# To set to a different class:
#
# Authenticate.configure do |config|
# config.user_model = 'BlogUser'
# end
#
# @return [String]
attr_accessor :user_model
# Name of the session cookie Authenticate will send to client browser.
#
# Defaults to 'authenticate_session_token'.
#
# @return [String]
attr_accessor :cookie_name
# A lambda called to set the remember token cookie expires attribute.
#
# Defaults to 1 year expiration.
#
# Note this is NOT the authenticate session's max lifetime, but only the cookie's lifetime.
#
# See #max_session_lifetime for more on the session lifetime.
#
# To set cookie expiration yourself:
#
# Authenticate.configure do |config|
# config.cookie_expiration = { 1.month.from_now.utc }
# end
#
# @return [Lambda]
attr_accessor :cookie_expiration
# The domain to set for the Authenticate session cookie.
#
# Defaults to nil, which will cause the cookie domain to set to the domain of the request.
#
# @return [String]
attr_accessor :cookie_domain
# Controls which paths the session token cookie is valid for.
#
# Defaults to `"/"` for the entire domain.
#
# For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.1.4).
# @return [String]
attr_accessor :cookie_path
# Controls the secure setting on the session cookie.
#
# Defaults to `false`.
#
# When set to 'true', the browser will only send the cookie to the server over HTTPS.
# If set to true over an insecure http (not https) connection, the cookie will not
# be usable and the user will not be successfully authenticated.
#
# You should set this value to true in live environments to prevent session hijacking.
#
# Set to false in development environments.
#
# For more, see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.5).
# @return [Boolean]
attr_accessor :secure_cookie
# Controls whether the HttpOnly flag should be set on the session cookie.
# If `true`, the cookie will not be made available to JavaScript.
#
# Defaults to `true`.
#
# For more see [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.6).
# @return [Boolean]
attr_accessor :cookie_http_only
# Controls the 'from' address for Authenticate emails. Set this to a value appropriate to your application.
#
# Defaults to reply@example.com.
#
# @return [String]
attr_accessor :mailer_sender
# Determines what crypto is used when authenticating and setting passwords.
#
# Defaults to {Authenticate::Model::BCrypt}.
#
# At the moment Bcrypt is the only option offered.
#
# Crypto implementations must implement:
# * match?(secret, encrypted)
# * encrypt(secret)
#
# @return [Module #match? #encrypt]
attr_accessor :crypto_provider
# Invalidate the session after the specified period of idle time.
# If the interval between the current access time and the last access time is greater than timeout_in,
# the session is invalidated. The user will be prompted for authentication again.
#
# Defaults to nil, which is no idle timeout.
#
# Authenticate.configure do |config|
# config.timeout_in = 45.minutes
# end
#
# @return [ActiveSupport::CoreExtensions::Numeric::Time]
attr_accessor :timeout_in
# Allow a session to 'live' for no more than the given elapsed time, e.g. 8.hours.
#
# Defaults to nil, or no max session time.
#
# If set, a user session will expire once it has been active for max_session_lifetime.
# The user session is invalidated and the next access will will prompt the user for authentication.
#
# Authenticate.configure do |config|
# config.max_session_lifetime = 8.hours
# end
#
# @return [ActiveSupport::CoreExtensions::Numeric::Time]
attr_accessor :max_session_lifetime
# Number of consecutive bad login attempts allowed. Commonly called "brute force protection".
# The user's consecutive bad logins will be tracked, and if they exceed the allowed maximum,
# the user's account will be locked. The length of the lockout is determined by [#bad_login_lockout_period].
#
# Default is nil, which disables this feature.
#
# Authenticate.configure do |config|
# config.max_consecutive_bad_logins_allowed = 4
# config.bad_login_lockout_period = 10.minutes
# end
#
# @return [Integer]
attr_accessor :max_consecutive_bad_logins_allowed
# Time period to lock an account for if the user exceeds max_consecutive_bad_logins_allowed.
#
# If set to nil, account is locked out indefinitely.
#
# @return [ActiveSupport::CoreExtensions::Numeric::Time]
attr_accessor :bad_login_lockout_period
# Range requirement for password length.
#
# Defaults to `8..128`.
#
# @return [Range]
attr_accessor :password_length
# Strategy for authentication.
#
# Available strategies:
# * :email - requires user have attribute :email
# * :username - requires user have attribute :username
#
# Defaults to :email. To set to :username:
#
# Configuration.configure do |config|
# config.authentication_strategy = :username
# end
#
# Authenticate is designed to authenticate via :email. Some support for username is included.
# Username still requires an :email attribute on your User model.
#
# Alternatively, you can plug in your own authentication class:
#
# Configuration.configure do |config|
# config.authentication_strategy = MyFunkyAuthClass
# end
#
# @return [Symbol or Class]
attr_accessor :authentication_strategy
# The default path Authenticate will redirect signed in users to.
#
# Defaults to `"/"`.
#
# This can also be overridden for specific scenarios by overriding controller methods that rely on it.
# @return [String]
attr_accessor :redirect_url
# Rotate CSRF token on sign in if true.
#
# Defaults to false, but will default to true in 1.0.
#
# @return [Boolean]
attr_accessor :rotate_csrf_on_sign_in
# Controls whether the "sign up" route, allowing creation of users, is enabled.
#
# Defaults to `true`.
#
# Set to `false` to disable user creation routes. The setting is ignored if routes are disabled.
#
# @return [Boolean]
attr_writer :allow_sign_up
# Enable or disable Authenticate's built-in routes.
#
# Defaults to 'true'.
#
# If you disable the routes, your application is responsible for all routes.
#
# You can deploy a copy of Authenticate's routes with `rails generate authenticate:routes`,
# which will also set `config.routes = false`.
#
# @return [Boolean]
attr_accessor :routes
# The time period within which the password must be reset or the token expires.
# If set to nil, the password reset token does not expire.
#
# Defaults to `2.days`.
#
# @return [ActiveSupport::CoreExtensions::Numeric::Time]
attr_accessor :reset_password_within
# An array of additional modules to load into the User module.
#
# Defaults to an empty array.
#
# @return [Array]
attr_accessor :modules
# Enable debugging messages.
# @private
# @return [Boolean]
attr_accessor :debug
def initialize
# Defaults
@debug = false
@cookie_name = 'authenticate_session_token'
@cookie_expiration = -> { 1.year.from_now.utc }
@cookie_domain = nil
@cookie_path = '/'
@secure_cookie = false
@cookie_http_only = true
@mailer_sender = 'reply@example.com'
@redirect_url = '/'
@rotate_csrf_on_sign_in = false
@allow_sign_up = true
@routes = true
@reset_password_within = 2.days
@modules = []
@user_model = '::User'
@authentication_strategy = :email
@password_length = 8..128
end
def user_model_class
@user_model_class ||= user_model.constantize
end
# The routing key for user routes. See `routes.rb`.
# @return [Symbol]
def user_model_route_key
return :users if @user_model == '::User' # avoid nil in generator
user_model_class.model_name.route_key
end
# The key for accessing user parameters.
# @return [Symbol]
def user_model_param_key
return :user if @user_model == '::User' # avoid nil in generator
user_model_class.model_name.param_key.to_sym
end
# Actions allowed for :user resources (in routes.rb).
# If sign up is allowed, the [:create] action is allowed, otherwise [].
# @return [Array<Symbol>]
def user_actions
allow_sign_up? ? [:create] : []
end
# Is the user sign up route enabled?
# @return [Boolean]
def allow_sign_up?
@allow_sign_up
end
# @return [Boolean] are Authenticate's built-in routes enabled?
def routes_enabled?
@routes
end
def rotate_csrf_on_sign_in?
rotate_csrf_on_sign_in
end
# List of symbols naming modules to load.
def modules
modules = @modules.dup # in case the user pushes any on
modules << @authentication_strategy
modules << :db_password
modules << :password_reset
modules << :trackable # needs configuration
modules << :timeoutable if @timeout_in
modules << :lifetimed if @max_session_lifetime
modules << :brute_force if @max_consecutive_bad_logins_allowed
modules
end
end # end of Configuration class
#
# Access to Authenticate's configuration, e.g.:
#
# puts Authenticate.configuration.redirect_url
#
def self.configuration
@configuration ||= Configuration.new
end
def self.configuration=(config)
@configuration = config
end
def self.configure
yield configuration
end
end