first attempt

Author: beno

.gitignore

@@ -0,0 +1,2 @@
+.bundle
+vendor

Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

Gemfile.lock

@@ -0,0 +1,28 @@
+PATH
+  remote: .
+  specs:
+    roda-auth (0.0.1)
+      roda (~> 1.2)
+      warden (~> 1.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    minitest (5.5.0)
+    rack (1.6.0)
+    rack-test (0.6.2)
+      rack (>= 1.0)
+    rake (10.4.2)
+    roda (1.2.0)
+      rack
+    warden (1.2.3)
+      rack (>= 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  minitest (~> 5.5)
+  rack-test (~> 0.6)
+  rake (~> 10)
+  roda-auth!

README.md

@@ -0,0 +1,62 @@
+Roda plugin for Authentication
+=============
+
+### Quick start
+
+Install gem with
+
+    gem 'roda-auth'          #Gemfile
+
+
+Create rack app 
+
+```ruby
+#api.ru
+
+require 'roda/auth'
+
+class App < Roda
+  
+  # :user_class defaults to ::User
+  
+  plugin :auth, :form, user_class: MyUser, redirect: '/login'
+  
+  route do |r|
+    r.post 'login' do
+      sign_in
+    end
+    r.get 'login' do
+      #render login form
+    end
+    r.on 'public' do
+      #public content
+    end
+    authenticate!
+    r.on 'private' do
+      #private content
+    end
+  end
+
+end
+
+class MyUser
+
+  #required - should return either a valid user or nil
+  
+  def self.authentic?(credentials)
+    #credentials is either {'username' => 'foo', 'password' => 'bar'} or {'token' => '123'}
+    if token = credentials['token']
+      self.find_by_token(token) #make sure to use a safe (constant time) method of looking up tokens
+    else
+      self.check_password(credentials['username'], credentials['password'])
+    end
+  end
+  
+  #optional - used for  generating/updating auth tokens or tracking logins
+  
+  def authentic!
+    #call for each successful authentication request
+  end
+  
+end
+  

Rakefile

@@ -0,0 +1,6 @@
+require 'rake/testtask'
+
+Rake::TestTask.new do |t|
+	t.libs << "test"
+	t.pattern = "test/*_test.rb"
+end

lib/roda/auth.rb

@@ -0,0 +1 @@
+require 'roda/plugins/auth'

lib/roda/plugins/auth.rb

@@ -0,0 +1,197 @@
+require 'base64'
+require 'warden'
+require 'roda'
+
+class Roda
+	
+	module RodaPlugins
+
+		module Auth
+			
+			def self.load_dependencies(app, *args, &block)
+				Warden::Strategies.add(:token, Strategies::Token)
+				Warden::Strategies.add(:password, Strategies::Password)
+				Warden::Strategies.add(:basic, Strategies::Basic)
+			end
+			
+			def self.configure(app, *args)
+				options = args.last.is_a?(Hash) ? args.pop : {}
+				user_class = options.delete(:user_class) || ::User
+				type = args[0] || :basic
+				redirect = options.delete(:redirect) || '/unautenticated'
+				case type
+				when :basic
+					strategies = [:basic]
+				when :form
+					strategies = [:password]
+					app.use Rack::Session::Cookie, secret:'foo'
+				when :token
+					strategies = [:token, :password]
+				end
+				app.use Warden::Manager do |config|
+					config.default_scope = :user
+					config.failure_app = self.fail(type)
+					config[:user_class] = user_class
+					config.scope_defaults(
+						:user,
+						:strategies => strategies,
+						:action       => redirect
+					)
+ 				end
+			end
+			
+			def self.fail(type)
+				auth_fail  = case type
+				when :basic
+					->(env) {[401, {"WWW-AUTHENTICATE" => "Basic: Realm=\"#{env['warden.options'][:attempted_path]}\""}, []] }
+				when :form
+					->(env) {[302, {"HTTP-LOCATION" => env['warden.options'][:action]} , []] }
+				when :token
+					->(env) {[401, {"WWW-AUTHENTICATE" => "\"Token\""}, []] }
+				end
+				->(env) { auth_fail.call(env) }
+			end
+						
+			module InstanceMethods
+				
+				def authenticate!
+					user = warden.authenticate!
+					warden.set_user(user)
+				end
+				
+				def current_user
+					warden.user
+				end
+				
+				def sign_in &block
+					raise RodaError 'sign_in with POST only' unless request.env['REQUEST_METHOD'] == "POST"
+					user = warden.authenticate!
+					warden.set_user(user)
+					request.is(&block) if block
+					request.response.status = 201
+					user
+				end
+				
+				def sign_out &block
+					warden.set_user(nil)
+					request.is(&block) if block
+					request.response.status = 204
+				end
+				
+				private
+				
+				def warden
+					request.env['warden']
+				end
+				
+				def session_path
+					roda_class.opts[:session_path].to_s
+				end
+				
+			end
+			
+		end
+		
+		module Strategies
+		
+			class Base < Warden::Strategies::Base
+						
+				def success!(u)
+					u.authentic! if u.respond_to?(:authentic!)
+					super
+				end
+				
+				def authenticate!
+					u = warden.config[:user_class].authentic?(credentials)
+					u.nil? ? fail!("Could not log in") : success!(u)
+				end
+		
+				private
+		
+				def warden
+					@env['warden']
+				end
+		
+				def credentials_from_basic
+					header = authorization_header
+					return unless header && header =~ /\ABasic (.*)/m
+					username, password = Base64.decode64($1).split(/:/, 2)
+					return unless username and password
+					{ 'username' => username, 'password' => password }
+				end
+		
+				def credentials_from_form
+					request.media_type == "application/x-www-form-urlencoded" && params
+				end
+		
+				def credentials_from_body
+					request.body && JSON.parse(request.body.string)
+				end
+		
+				def token_from_auth_header
+					return unless header = authorization_header
+					match = header =~ /\AAuth (.*)/m
+					match && { 'token' => $1 }
+				end
+		
+				def authorization_header
+					@env['HTTP_AUTHORIZATION'] || @env['X-HTTP_AUTHORIZATION'] || @env['X_HTTP_AUTHORIZATION'] || @env['REDIRECT_X_HTTP_AUTHORIZATION']
+				end
+		
+			end
+
+		
+			class Password < Base
+		
+				def valid?
+					credentials['username'] && credentials['password']
+				end
+				
+				private
+		
+				def credentials
+					@credentials if @credentials
+					@credentials = credentials_from_form || credentials_from_body || {}
+				end
+		
+			end
+			
+			class Basic < Password
+							
+				def valid?
+					credentials['username'] && credentials['password']
+				end
+				
+				private
+			
+				def credentials
+					@credentials if @credentials
+					@credentials = credentials_from_basic || {}
+				end
+			
+			end
+
+		
+			class Token < Base
+		
+				def valid?
+					credentials['token']
+				end
+				
+				private
+		
+				def credentials
+					@credentials if @credentials
+					@credentials = token_from_auth_header || {}
+				end
+		
+			end
+		
+		end
+		
+		register_plugin(:auth, Auth)
+		
+	end
+	
+
+end

roda-auth.gemspec

@@ -0,0 +1,20 @@
+Gem::Specification.new do |s|
+	s.name        = 'roda-auth'
+	s.version     = '0.0.1'
+	s.date        = '2014-12-21'
+	s.summary     = "Roda authentication"
+	s.description = "A Roda plugin for authentication with Warden"
+	s.authors     = ["Michel Benevento"]
+	s.email       = '[email protected]'
+	s.files       = ["lib/roda/auth.rb", "lib/roda/plugins/auth.rb"]
+	s.homepage    = 'http://github.com/beno/roda-auth'
+	s.license     = 'MIT'
+	
+	s.add_runtime_dependency 'roda', '~> 1.2'
+	s.add_runtime_dependency 'warden', '~> 1.2'
+
+	s.add_development_dependency 'rake', '~> 10'
+	s.add_development_dependency 'minitest', '~> 5.5'
+	s.add_development_dependency 'rack-test', '~> 0.6'
+
+end

test/auth_basic_test.rb

@@ -0,0 +1,47 @@
+require "test_helpers"
+require 'json'
+require 'roda/auth'
+
+class AuthBasicTest < Minitest::Test
+	include Rack::Test::Methods
+	include TestHelpers
+
+	
+	def setup
+		u = User.new(valid_credentials)
+		User.db[:users][u.username] = u
+
+		app :bare do |app|
+			
+			app.plugin :auth
+			
+			app.route do |r|
+				r.on 'public' do
+					'public'
+				end
+				authenticate!
+				r.on 'private' do
+					'private'
+				end
+			end
+		end
+	end
+	
+	def test_public
+		assert_equal 200, status('/public')
+	end
+
+	def test_private_refused
+		assert_equal 401, status('/private')
+		assert_equal "Basic: Realm=\"/private\"", header('WWW-AUTHENTICATE', '/private')
+	end
+	
+	def test_private_accepted
+		assert_equal 200, status('/private', {"HTTP_AUTHORIZATION" => "Basic #{http_auth(valid_credentials)}"})
+	end
+		
+end
+
+
+class User < TestHelpers::User ; end
+