adding a cucumber db to database.yml. unpacking clearance as a plugin. convertin…

…g webrat steps to use test::unit assertions instead of rspec matchers.

adding a cucumber db to database.yml. unpacking clearance as a plugin. convertin…
…g webrat steps to use test::unit assertions instead of rspec matchers.
Dan Croak
1 parent 384ed39e
Showing 48 changed files with 1817 additions and 25 deletions Show diff stats
config/database.yml
config/environments/cucumber.rb
features/step_definitions/webrat_steps.rb
features/support/env.rb
vendor/plugins/thoughtbot-clearance-0.6.8/CHANGELOG.textile
vendor/plugins/thoughtbot-clearance-0.6.8/LICENSE
vendor/plugins/thoughtbot-clearance-0.6.8/README.textile
vendor/plugins/thoughtbot-clearance-0.6.8/Rakefile
vendor/plugins/thoughtbot-clearance-0.6.8/TODO.textile
vendor/plugins/thoughtbot-clearance-0.6.8/app/controllers/clearance/confirmations_controller.rb
vendor/plugins/thoughtbot-clearance-0.6.8/app/controllers/clearance/passwords_controller.rb
vendor/plugins/thoughtbot-clearance-0.6.8/app/controllers/clearance/sessions_controller.rb
vendor/plugins/thoughtbot-clearance-0.6.8/app/controllers/clearance/users_controller.rb
vendor/plugins/thoughtbot-clearance-0.6.8/app/models/clearance_mailer.rb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/clearance_mailer/change_password.html.erb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/clearance_mailer/confirmation.html.erb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/passwords/edit.html.erb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/passwords/new.html.erb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/sessions/new.html.erb
vendor/plugins/thoughtbot-clearance-0.6.8/app/views/users/_form.html.erb
 # SQLite version 3.x
 #   gem install sqlite3-ruby (not necessary on OS X Leopard)
-development:
+development: &default
   adapter: sqlite3
   database: db/development.sqlite3
   pool: 5
   timeout: 5000
  
-# Warning: The database defined as "test" will be erased and
-# re-generated from your development database when you run "rake".
-# Do not set this db to the same as development or production.
 test:
-  adapter: sqlite3
+  <<: *default
   database: db/test.sqlite3
-  pool: 5
-  timeout: 5000
  
-production:
-  adapter: sqlite3
-  database: db/production.sqlite3
-  pool: 5
-  timeout: 5000
+cucumber:
+  <<: *default
+  database: db/cucumber.sqlite3
  
@@ -15,7 +15,13 @@ config.action_controller.allow_forgery_protection    = false
 # ActionMailer::Base.deliveries array.
 config.action_mailer.delivery_method = :test
  
-config.gem "cucumber",    :lib => false,        :version => ">=0.3.11" unless File.directory?(File.join(Rails.root, 'vendor/plugins/cucumber'))
-config.gem "webrat",      :lib => false,        :version => ">=0.4.4" unless File.directory?(File.join(Rails.root, 'vendor/plugins/webrat'))
-config.gem "rspec",       :lib => false,        :version => ">=1.2.6" unless File.directory?(File.join(Rails.root, 'vendor/plugins/rspec'))
-config.gem "rspec-rails", :lib => 'spec/rails', :version => ">=1.2.6" unless File.directory?(File.join(Rails.root, 'vendor/plugins/rspec-rails'))
+config.gem "cucumber", :lib => false, :version => ">=0.3.11"
+config.gem "webrat",   :lib => false, :version => ">=0.4.4"
+
+# config.gem "rspec",       :lib => false,        :version => ">=1.2.6"
+# config.gem "rspec-rails", :lib => 'spec/rails', :version => ">=1.2.6"
+
+require 'rubygems'
+require 'factory_girl'
+require 'shoulda'
+
@@ -91,29 +91,37 @@ When /^I attach the file at &quot;([^\&quot;]*)&quot; to &quot;([^\&quot;]*)&quot;$/ do |path, field|
 end
  
 Then /^I should see "([^\"]*)"$/ do |text|
-  response.should contain(text)
+  # response.should contain(text)
+  assert_match /#{text}/m, @response.body  
 end
  
 Then /^I should not see "([^\"]*)"$/ do |text|
-  response.should_not contain(text)
+  # response.should_not contain(text)
+  assert_no_match /#{text}/m, @response.body
 end
  
 Then /^the "([^\"]*)" field should contain "([^\"]*)"$/ do |field, value|
-  field_labeled(field).value.should =~ /#{value}/
+  # field_labeled(field).value.should =~ /#{value}/
+  assert_match /#{value}/, field_labeled(field).value
 end
  
 Then /^the "([^\"]*)" field should not contain "([^\"]*)"$/ do |field, value|
-  field_labeled(field).value.should_not =~ /#{value}/
+  # field_labeled(field).value.should_not =~ /#{value}/
+  assert_no_match /#{value}/, field_labeled(field).value
 end
-    
+
 Then /^the "([^\"]*)" checkbox should be checked$/ do |label|
-  field_labeled(label).should be_checked
+  # field_labeled(label).should be_checked
+  assert field_labeled(label).checked?
 end
  
 Then /^the "([^\"]*)" checkbox should not be checked$/ do |label|
-  field_labeled(label).should_not be_checked
+  # field_labeled(label).should_not be_checked
+  assert !field_labeled(label).checked?
 end
  
 Then /^I should be on (.+)$/ do |page_name|
-  URI.parse(current_url).path.should == path_to(page_name)
+  # URI.parse(current_url).path.should == path_to(page_name)
+  assert_equal path_to(page_name), URI.parse(current_url).path
 end
+
@@ -20,5 +20,5 @@ Webrat.configure do |config|
   config.mode = :rails
 end
  
-require 'cucumber/rails/rspec'
+# require 'cucumber/rails/rspec'
 require 'webrat/core/matchers'
@@ -0,0 +1,162 @@
+h2. 0.6.8 (06/24/2009)
+
+* Added defined? checks for various Rails constants such as ActionController
+for easier unit testing of Clearance extensions... particularly ActiveRecord
+extensions... particularly strong_password. (Dan Croak)
+
+h2. 0.6.7 (06/13/2009)
+
+* [#30] Added sign_up, sign_in, sign_out named routes. (Dan Croak)
+* [#22] Minimizing Reek smell: Duplication in redirect_back_or. (Dan Croak)
+* Deprecated sign_user_in. Told developers to use sign_in instead. (Dan
+Croak)
+* [#16] flash_success_after_create, flash_notice_after_create, flash_failure_after_create, flash_sucess_after_update, flash_success_after_destroy, etc. (Dan Croak)
+* [#17] bug. added #create to forbidden before_filters on confirmations controller. (Dan Croak)
+* [#24] should_be_signed_in_as shouldn't look in the session. (Dan Croak)
+* README improvements. (Dan Croak)
+* Move routes loading to separate file. (Joshua Clayton)
+
+h2. 0.6.6 (05/18/2009)
+
+* [#14] replaced class_eval in Clearance::User with modules. This was needed
+in a thoughtbot client app so we could write our own validations. (Dan Croak)
+
+h2. 0.6.5 (05/17/2009)
+
+* [#6] Make Clearance i18n aware. (Timur Vafin, Marcel Goerner, Eugene Bolshakov, Dan Croak)
+
+h2. 0.6.4 (05/12/2009)
+
+* Moved issue tracking to Github from Lighthouse. (Dan Croak)
+* [#7] asking higher-level questions of controllers in webrat steps, such as signed_in? instead of what's in the session. same for accessors. (Dan Croak)
+* [#11] replacing sign_in_as & sign_out shoulda macros with a stubbing (requires no dependency) approach. this will avoid dealing with the internals of current_user, such as session & cookies. added sign_in macro which signs in an email confirmed user from clearance's factories. (Dan Croak)
+* [#13] move private methods on sessions controller into Clearance::Authentication module (Dan Croak)
+* [#9] audited flash keys. (Dan Croak)
+
+h2. 0.6.3 (04/23/2009)
+
+* Scoping ClearanceMailer properly within controllers so it works in production environments. (Nick Quaranto)
+
+h2. 0.6.2 (04/22/2009)
+
+* Insert Clearance::User into User model if it exists. (Nick Quaranto)
+* World(NavigationHelpers) Cucumber 3.0 style. (Shay Arnett & Mark Cornick)
+
+h2. 0.6.1 (04/21/2009)
+* Scope operators are necessary to keep Rails happy. Reverting the original
+revert so they're back in the library now for constants referenced inside of
+the gem. (Nick Quaranto)
+
+h2. 0.6.0 (04/21/2009)
+
+* Converted Clearance to a Rails engine. (Dan Croak & Joe Ferris)
+* Include Clearance::User in User model in app. (Dan Croak & Joe Ferris)
+* Include Clearance::Authentication in ApplicationController. (Dan Croak & Joe Ferris)
+* Namespace controllers under Clearance. (Dan Croak & Joe Ferris)
+* Routes move to engine, use namespaced controllers but publicly the same. (Dan Croak & Joe Ferris)
+* If you want to override a controller, subclass it like SessionsController <
+Clearance::SessionsController. This gives you access to usual hooks such as
+url_after_create. (Dan Croak & Joe Ferris)
+* Controllers, mailer, model, routes all unit tested inside engine. Use
+script/generate clearance_features to test integration of Clearance with your
+Rails app. No longer including modules in your app's test files. (Dan Croak & Joe Ferris)
+* Moved views to engine. (Joe Ferris)
+* Converted generated test/factories/clearance.rb to use inheritence for
+email_confirmed_user. (Dan Croak)
+* Corrected some spelling errors with methods (Nick Quaranto)
+* Converted "I should see error messages" to use a regex in the features (Nick
+Quaranto)
+* Loading clearance routes after rails routes via some monkeypatching (Nick
+Quaranto)
+* Made the clearance controllers unloadable to stop constant loading errors in
+development mode (Nick Quaranto)
+
+h2. 0.5.6 (4/11/2009)
+
+* [#57] Step definition changed for "User should see error messages" so
+features won't fail for certain validations. (Nick Quaranto)
+
+h2. 0.5.5 (3/23/2009)
+
+* Removing duplicate test to get rid of warning. (Nick Quaranto)
+
+h2. 0.5.4 (3/21/2009)
+
+* When users fail logging in, redirect them instead of rendering. (Matt
+Jankowski)
+
+h2. 0.5.3 (3/5/2009)
+
+* Clearance now works with (and requires) Shoulda 2.10.0. (Mark Cornick, Joe
+Ferris, Dan Croak)
+* Prefer flat over nested contexts in sessions_controller_test. (Joe Ferris,
+Dan Croak)
+
+h2. 0.5.2 (3/2/2009)
+
+* Fixed last remaining errors in Rails 2.3 tests. Now fully compatible. (Joe
+Ferris, Dan Croak)
+
+h2. 0.5.1 (2/27/2009)
+
+* [#46] A user with unconfirmed email who resets password now confirms email.
+(Marcel Görner)
+* Refactored user_from_cookie, user_from_session, User#authenticate to use
+more direct return code instead of ugly, harder to read ternary. (Dan Croak)
+* Switch order of cookies and sessions to take advantage of Rails 2.3's "Rack-based lazy-loaded sessions":http://is.gd/i23E. (Dan Croak)
+* Altered generator to interact with application_controller.rb instead of
+application.rb in Rails 2.3 apps. (Dan Croak)
+* [#42] Bug fix. Rack-based session change altered how to test remember me
+cookie. (Mihai Anca)
+
+h2. 0.5.0 (2/27/2009)
+
+* Fixed problem with Cucumber features. (Dan Croak)
+* Fixed mising HTTP fluency use case. (Dan Croak)
+* Refactored User#update_password to take just parameters it needs. (Dan
+Croak)
+* Refactored User unit tests to be more readable. (Dan Croak)
+
+h2. 0.4.9 (2/20/2009)
+
+* Protect passwords & confirmations actions with forbidden filters. (Dan Croak)
+* Return 403 Forbidden status code in those cases. (Tim Pope)
+* Test 403 Forbidden status code in Cucumber feature. (Dan Croak, Joe Ferris)
+* Raise custom ActionController::Forbidden error internally. (Joe Ferris, Mike Burns, Jason Morrison)
+* Test ActionController::Forbidden error is raised in functional test. (Joe Ferris, Mike Burns, Dan Croak)
+* [#45] Fixed bug that allowed anyone to edit another user's password (Marcel Görner)
+* Required Factory Girl >= 1.2.0. (Dan Croak)
+
+h2. 0.4.8 (2/16/2009)
+
+* Added support paths for Cucumber. (Ben Mabey)
+* Added documentation for the flash. (Ben Mabey)
+* Generators require "test_helper" instead of File.join. for rr compatibility. (Joe Ferris)
+* Removed interpolated email address from flash message to make i18n easier. (Bence Nagy)
+* Standardized flash messages that refer to email delivery. (Dan Croak)
+
+h2. 0.4.7 (2/12/2009)
+
+* Removed Clearance::Test::TestHelper so there is one less setup step. (Dan Croak)
+* All test helpers now in shoulda_macros. (Dan Croak)
+
+h2. 0.4.6 (2/11/2009)
+
+* Made the modules behave like mixins again. (hat-tip Eloy Duran)
+* Created Actions and PrivateMethods modules on controllers for future RDoc reasons. (Dan Croak, Joe Ferris)
+
+h2. 0.4.5 (2/9/2009)
+
+* [#43] Removed email downcasing because local-part is case sensitive per RFC5321. (Dan Croak)
+* [#42] Removed dependency on Mocha. (Dan Croak)
+* Required Shoulda >= 2.9.1. (Dan Croak)
+* Added password reset feature to clearance_features generator. (Eugene Bolshakov, Dan Croak)
+* Removed unnecessary session[:salt]. (Dan Croak)
+* [#41] Only store location for session[:return_to] for GET requests. (Dan Croak)
+* Audited "sign up" naming convention. "Register" had slipped in a few places. (Dan Croak)
+* Switched to SHA1 encryption. Cypher doesn't matter much for email confirmation, password reset. Better to have shorter hashes in the emails for clients who line break on 72 chars. (Dan Croak)
+
+h2. 0.4.4 (2/2/2009)
+
+* Added a generator for Cucumber features. (Joe Ferris, Dan Croak)
+* Standarized naming for "Sign up," "Sign in," and "Sign out". (Dan Croak) 
@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2008 thoughtbot, inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
@@ -0,0 +1,123 @@
+h1. Clearance
+
+Rails authentication with email & password.
+
+"We have clearance, Clarence.":http://www.youtube.com/v/mNRXJEE3Nz8
+
+h2. Wiki
+
+Most information regarding Clearance is on the "Github Wiki":http://wiki.github.com/thoughtbot/clearance.
+
+h2. Installation
+
+Clearance is a Rails engine. It works with versions of Rails greater than 2.3.
+
+In config/environment.rb:
+
+<pre>
+config.gem "thoughtbot-clearance", 
+  :lib     => 'clearance', 
+  :source  => 'http://gems.github.com', 
+  :version => '0.6.6'
+</pre>
+
+Vendor the gem:
+
+<pre>
+rake gems:install
+rake gems:unpack
+</pre>
+
+Make sure the development database exists and run the generator:
+
+@script/generate clearance@
+
+A number of files will be created and instructions will be printed.
+
+You may already have some of these files. Don't worry. You'll be asked if you want to overwrite them.
+
+Run the migration:
+
+@rake db:migrate@
+
+Define a HOST constant in your environment files.
+In config/environments/test.rb and config/environments/development.rb it can be:
+
+@HOST = "localhost"@
+
+In production.rb it must be the actual host your application is deployed to.
+The constant is used by mailers to generate URLs in emails.
+
+In config/environment.rb:
+
+@DO_NOT_REPLY = "donotreply@example.com"@
+
+Define root_url to *something* in your config/routes.rb:
+
+@map.root :controller => 'home'@
+
+h2. Cucumber Features
+
+As your app evolves, you want to know that authentication still works. Clearance's opinion is that you should test its integration with your app using "Cucumber":http://cukes.info/.
+
+In config/environments/test.rb:
+
+<pre>
+config.gem 'webrat',
+  :version => '= 0.4.4'
+config.gem 'cucumber',
+  :version => '= 0.3.0'
+config.gem 'thoughtbot-factory_girl',
+  :lib     => 'factory_girl',
+  :source  => "http://gems.github.com", 
+  :version => '1.2.1'
+</pre>
+
+Vendor the gems:
+
+<pre>
+rake gems:install RAILS_ENV=test
+rake gems:unpack  RAILS_ENV=test
+</pre>
+
+We don't vendor nokogiri due to its native extensions, so install it normally on your machine:
+
+@sudo gem install nokogiri@
+
+Run the Cucumber generator (if you haven't already) and Clearance's feature generator:
+
+<pre>
+script/generate cucumber
+script/generate clearance_features
+</pre>
+
+All of the files generated should be new with the exception of the features/support/paths.rb file. If you have not modified your paths.rb then you will be okay to replace it with this one. If you need to keep your paths.rb file then add these locations in your paths.rb manually:
+
+<pre>
+def path_to(page_name)
+  case page_name
+   ...
+  when /the sign up page/i
+   new_user_path
+  when /the sign in page/i
+   new_session_path
+  when /the password reset request page/i
+   new_password_path
+  ...
+end
+</pre>
+
+h2. Authors
+
+Clearance was extracted out of "Hoptoad":http://hoptoadapp.com. We merged the authentication code from two of thoughtbot's clients' Rails apps and have since used it each time we need authentication. The following people have improved the library. Thank you!
+
+Dan Croak, Mike Burns, Jason Morrison, Joe Ferris, Eugene Bolshakov, Nick Quaranto, Josh Nichols, Mike Breen, Marcel Görner, Bence Nagy, Ben Mabey, Eloy Duran, Tim Pope, Mihai Anca, Mark Cornick, Shay Arnett, Joshua Clayton & Mustafa Ekim.
+
+h2. Questions?
+
+Ask the "mailing list":http://groups.google.com/group/thoughtbot-clearance
+
+h2. Suggestions, Bugs, Refactoring?
+
+Fork away and create a "Github Issue":http://github.com/thoughtbot/clearance/issues. Please don't send pull requests.
+
@@ -0,0 +1,76 @@
+# encoding: utf-8
+
+require 'rake'
+require 'rake/testtask'
+require 'cucumber/rake/task'
+
+namespace :test do
+  Rake::TestTask.new(:all => ["generator:cleanup",
+                              "generator:generate"]) do |task|
+    task.libs << "lib"
+    task.libs << "test"
+    task.pattern = "test/**/*_test.rb"
+    task.verbose = false
+  end
+
+  Cucumber::Rake::Task.new(:features) do |t|
+    t.cucumber_opts   = "--format progress"
+    t.feature_pattern = "test/rails_root/features/*.feature"
+  end
+end
+
+generators = %w(clearance clearance_features)
+
+namespace :generator do
+  desc "Cleans up the test app before running the generator"
+  task :cleanup do
+    generators.each do |generator|
+      FileList["generators/#{generator}/templates/**/*.*"].each do |each|
+        file = "test/rails_root/#{each.gsub("generators/#{generator}/templates/",'')}"
+        File.delete(file) if File.exists?(file)
+      end
+    end
+
+    FileList["test/rails_root/db/**/*"].each do |each| 
+      FileUtils.rm_rf(each)
+    end
+    FileUtils.rm_rf("test/rails_root/vendor/plugins/clearance")
+    FileUtils.mkdir_p("test/rails_root/vendor/plugins")
+    clearance_root = File.expand_path(File.dirname(__FILE__))
+    system("ln -s #{clearance_root} test/rails_root/vendor/plugins/clearance")
+  end
+
+  desc "Run the generator on the tests"
+  task :generate do
+    generators.each do |generator|
+      system "cd test/rails_root && ./script/generate #{generator} && rake db:migrate db:test:prepare"
+    end
+  end
+end
+
+desc "Run the test suite"
+task :default => ['test:all', 'test:features']
+
+gem_spec = Gem::Specification.new do |gem_spec|
+  gem_spec.name        = "clearance"
+  gem_spec.version     = "0.6.8"
+  gem_spec.summary     = "Rails authentication with email & password."
+  gem_spec.email       = "support@thoughtbot.com"
+  gem_spec.homepage    = "http://github.com/thoughtbot/clearance"
+  gem_spec.description = "Rails authentication with email & password."
+  gem_spec.authors     = ["Dan Croak", "Mike Burns", "Jason Morrison",
+                          "Joe Ferris", "Eugene Bolshakov", "Nick Quaranto",
+                          "Josh Nichols", "Mike Breen", "Marcel Görner",
+                          "Bence Nagy", "Ben Mabey", "Eloy Duran",
+                          "Tim Pope", "Mihai Anca", "Mark Cornick",
+                          "Shay Arnett"]
+  gem_spec.files       = FileList["[A-Z]*", "{app,config,generators,lib,shoulda_macros,rails}/**/*"]
+end
+
+desc "Generate a gemspec file"
+task :gemspec do
+  File.open("#{gem_spec.name}.gemspec", 'w') do |f|
+    f.write gem_spec.to_yaml
+  end
+end
+
@@ -0,0 +1,6 @@
+h1. To-do
+
+* Make insertion of Clearance::User into User model automatic from the generator.
+* Change generated README to include instruction about running the migration.
+* DO_NOT_REPLY, HOST refactoring.
+
@@ -0,0 +1,52 @@
+class Clearance::ConfirmationsController < ApplicationController
+  unloadable
+
+  before_filter :forbid_confirmed_user,    :only => [:new, :create]
+  before_filter :forbid_missing_token,     :only => [:new, :create]
+  before_filter :forbid_non_existent_user, :only => [:new, :create]
+  filter_parameter_logging :token
+
+  def new
+    create
+  end
+
+  def create
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+    @user.confirm_email!
+
+    sign_in(@user)
+    flash_success_after_create
+    redirect_to(url_after_create)
+  end
+
+  private
+
+  def forbid_confirmed_user
+    user = ::User.find_by_id(params[:user_id])
+    if user && user.email_confirmed?
+      raise ActionController::Forbidden, "confirmed user"
+    end
+  end
+
+  def forbid_missing_token
+    if params[:token].blank?
+      raise ActionController::Forbidden, "missing token"
+    end
+  end
+
+  def forbid_non_existent_user
+    unless ::User.find_by_id_and_token(params[:user_id], params[:token])
+      raise ActionController::Forbidden, "non-existent user"
+    end
+  end
+
+  def flash_success_after_create
+    flash[:success] = translate(:confirmed_email,
+      :scope   => [:clearance, :controllers, :confirmations],
+      :default => "Confirmed email and signed in.")
+  end
+
+  def url_after_create
+    root_url
+  end
+end
@@ -0,0 +1,81 @@
+class Clearance::PasswordsController < ApplicationController
+  unloadable
+
+  before_filter :forbid_missing_token,     :only => [:edit, :update]
+  before_filter :forbid_non_existent_user, :only => [:edit, :update]
+  filter_parameter_logging :password, :password_confirmation
+
+  def new
+    render :template => 'passwords/new'
+  end
+
+  def create
+    if user = ::User.find_by_email(params[:password][:email])
+      user.forgot_password!
+      ::ClearanceMailer.deliver_change_password user
+      flash_notice_after_create
+      redirect_to(url_after_create)
+    else
+      flash_failure_after_create
+      render :template => 'passwords/new'
+    end
+  end
+
+  def edit
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+    render :template => 'passwords/edit'
+  end
+
+  def update
+    @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
+
+    if @user.update_password(params[:user][:password],
+                             params[:user][:password_confirmation])
+      @user.confirm_email!
+      sign_in(@user)
+      flash_success_after_update
+      redirect_to(url_after_update)
+    else
+      render :template => 'passwords/edit'
+    end
+  end
+
+  private
+
+  def forbid_missing_token
+    if params[:token].blank?
+      raise ActionController::Forbidden, "missing token"
+    end
+  end
+
+  def forbid_non_existent_user
+    unless ::User.find_by_id_and_token(params[:user_id], params[:token])
+      raise ActionController::Forbidden, "non-existent user"
+    end
+  end
+
+  def flash_notice_after_create
+    flash[:notice] = translate(:deliver_change_password,
+      :scope   => [:clearance, :controllers, :passwords],
+      :default => "You will receive an email within the next few minutes. " <<
+                  "It contains instructions for changing your password.")
+  end
+
+  def flash_failure_after_create
+    flash.now[:failure] = translate(:unknown_email,
+      :scope   => [:clearance, :controllers, :passwords],
+      :default => "Unknown email.")
+  end
+
+  def url_after_create
+    new_session_url
+  end
+
+  def flash_success_after_update
+    flash[:success] = translate(:signed_in, :default => "Signed in.")
+  end
+
+  def url_after_update
+    root_url
+  end
+end
@@ -0,0 +1,67 @@
+class Clearance::SessionsController < ApplicationController
+  unloadable
+
+  protect_from_forgery :except => :create
+  filter_parameter_logging :password
+
+  def new
+    render :template => 'sessions/new'
+  end
+
+  def create
+    @user = ::User.authenticate(params[:session][:email],
+                                params[:session][:password])
+    if @user.nil?
+      flash_failure_after_create
+      render :template => 'sessions/new', :status => :unauthorized
+    else
+      if @user.email_confirmed?
+        sign_in(@user)
+        remember(@user) if remember?
+        flash_success_after_create
+        redirect_back_or(url_after_create)
+      else
+        ::ClearanceMailer.deliver_confirmation(@user)
+        flash_notice_after_create
+        redirect_to(new_session_url)
+      end
+    end
+  end
+
+  def destroy
+    forget(current_user)
+    flash_success_after_destroy
+    redirect_to(url_after_destroy)
+  end
+
+  private
+
+  def flash_failure_after_create
+    flash.now[:failure] = translate(:bad_email_or_password,
+      :scope   => [:clearance, :controllers, :sessions],
+      :default => "Bad email or password.")
+  end
+
+  def flash_success_after_create
+    flash[:success] = translate(:signed_in, :default =>  "Signed in.")
+  end
+
+  def flash_notice_after_create
+    flash[:notice] = translate(:unconfirmed_email,
+      :scope   => [:clearance, :controllers, :sessions],
+      :default => "User has not confirmed email. " <<
+                  "Confirmation email will be resent.")
+  end
+
+  def url_after_create
+    root_url
+  end
+
+  def flash_success_after_destroy
+    flash[:success] = translate(:signed_out, :default =>  "Signed out.")
+  end
+
+  def url_after_destroy
+    new_session_url
+  end
+end
@@ -0,0 +1,35 @@
+class Clearance::UsersController < ApplicationController
+  unloadable
+
+  before_filter :redirect_to_root, :only => [:new, :create], :if => :signed_in?
+  filter_parameter_logging :password
+
+  def new
+    @user = ::User.new(params[:user])
+    render :template => 'users/new'
+  end
+
+  def create
+    @user = ::User.new params[:user]
+    if @user.save
+      ::ClearanceMailer.deliver_confirmation @user
+      flash_notice_after_create
+      redirect_to(url_after_create)
+    else
+      render :template => 'users/new'
+    end
+  end
+
+  private
+
+  def flash_notice_after_create
+    flash[:notice] = translate(:deliver_confirmation,
+      :scope   => [:clearance, :controllers, :users],
+      :default => "You will receive an email within the next few minutes. " <<
+                  "It contains instructions for confirming your account.")
+  end
+
+  def url_after_create
+    new_session_url
+  end
+end
@@ -0,0 +1,23 @@
+class ClearanceMailer < ActionMailer::Base
+
+  default_url_options[:host] = HOST
+
+  def change_password(user)
+    from       DO_NOT_REPLY
+    recipients user.email
+    subject    I18n.t(:change_password,
+                      :scope   => [:clearance, :models, :clearance_mailer],
+                      :default => "Change your password")
+    body       :user => user
+  end
+
+  def confirmation(user)
+    from       DO_NOT_REPLY
+    recipients user.email
+    subject    I18n.t(:confirmation,
+                      :scope   => [:clearance, :models, :clearance_mailer],
+                      :default => "Account confirmation")
+    body      :user => user
+  end
+
+end
@@ -0,0 +1,7 @@
+Someone, hopefully you, has requested that we send you a link to change your password.
+
+Here's the link:
+
+<%= edit_user_password_url(@user, :token => @user.token, :escape => false) %>
+
+If you didn't request this, ignore this email. Don't worry. Your password hasn't been changed.
@@ -0,0 +1,2 @@
+
+<%= new_user_confirmation_url :user_id => @user, :token => @user.token, :encode => false %>
@@ -0,0 +1,23 @@
+<h2>Change your password</h2>
+
+<p>
+  Your password has been reset. Choose a new password below.
+</p>
+
+<%= error_messages_for :user %>
+
+<% form_for(:user,
+            :url => user_password_path(@user, :token    => @user.token),
+            :html => { :method => :put }) do |form| %>
+  <div class="password_field">
+    <%= form.label :password, "Choose password" %>
+    <%= form.password_field :password %>
+  </div>
+  <div class="password_field">
+    <%= form.label :password_confirmation, "Confirm password" %>
+    <%= form.password_field :password_confirmation %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Save this password", :disable_with => "Please wait..." %>
+  </div>
+<% end %>
@@ -0,0 +1,15 @@
+<h2>Change your password</h2>
+
+<p>
+  We will email you a link to change your password.
+</p>
+
+<% form_for :password, :url => passwords_path do |form| %>
+  <div class="text_field">
+    <%= form.label :email, "Email address" %>
+    <%= form.text_field :email %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Reset password", :disable_with => "Please wait..." %>
+  </div>
+<% end %>
 \ No newline at end of file
@@ -0,0 +1,28 @@
+<h2>Sign in</h2>
+
+<% form_for :session, :url => session_path do |form| %>
+  <div class="text_field">
+    <%= form.label :email %>
+    <%= form.text_field :email %>  
+  </div>
+  <div class="text_field">
+    <%= form.label :password %>
+    <%= form.password_field :password %>
+  </div>
+  <div class="text_field">
+    <%= form.check_box :remember_me %>
+    <%= form.label :remember_me %>
+  </div>
+  <div class="submit_field">
+    <%= form.submit "Sign in", :disable_with => "Please wait..." %>
+  </div>
+<% end %>
+
+<ul>
+  <li>
+    <%= link_to "Sign up", new_user_path %>
+  </li>
+  <li>
+    <%= link_to "Forgot password?", new_password_path %>
+  </li>
+</ul>
 \ No newline at end of file
@@ -0,0 +1,13 @@
+<%= form.error_messages %>
+<div class="text_field">
+  <%= form.label :email %>
+  <%= form.text_field :email %>
+</div>
+<div class="password_field">
+  <%= form.label :password %>
+  <%= form.password_field :password %>
+</div>
+<div class="password_field">
+  <%= form.label :password_confirmation, "Confirm password" %>
+  <%= form.password_field :password_confirmation %>
+</div>
 \ No newline at end of file
@@ -0,0 +1,6 @@
+<h2>Sign up</h2>
+
+<% form_for @user do |form| %>
+  <%= render :partial => '/users/form', :object => form %>
+  <%= form.submit 'Sign up', :disable_with => 'Please wait...' %>
+<% end %>
@@ -0,0 +1,30 @@
+ActionController::Routing::Routes.draw do |map|
+  map.resources :passwords,
+    :controller => 'clearance/passwords',
+    :only       => [:new, :create]
+
+  map.resource  :session,
+    :controller => 'clearance/sessions',
+    :only       => [:new, :create, :destroy]
+
+  map.resources :users, :controller => 'clearance/users' do |users|
+    users.resource :password,
+      :controller => 'clearance/passwords',
+      :only       => [:create, :edit, :update]
+
+    users.resource :confirmation,
+      :controller => 'clearance/confirmations',
+      :only       => [:new, :create]
+  end
+
+  map.sign_up  'sign_up',
+    :controller => 'clearance/users',
+    :action     => 'new'
+  map.sign_in  'sign_in',
+    :controller => 'clearance/sessions',
+    :action     => 'new'
+  map.sign_out 'sign_out',
+    :controller => 'clearance/sessions',
+    :action     => 'destroy',
+    :method     => :delete
+end
@@ -0,0 +1 @@
+script/generate clearance
 \ No newline at end of file
@@ -0,0 +1,41 @@
+require File.expand_path(File.dirname(__FILE__) + "/lib/insert_commands.rb")
+require File.expand_path(File.dirname(__FILE__) + "/lib/rake_commands.rb")
+require 'factory_girl'
+
+class ClearanceGenerator < Rails::Generator::Base
+
+  def manifest
+    record do |m|
+      m.insert_into "app/controllers/application_controller.rb",
+                    "include Clearance::Authentication"
+
+      user_model = "app/models/user.rb"
+      if File.exists?(user_model)
+        m.insert_into user_model, "include Clearance::User"
+      else
+        m.directory File.join("app", "models")
+        m.file "user.rb", user_model
+      end
+
+      m.directory File.join("test", "factories")
+      m.file "factories.rb", "test/factories/clearance.rb"
+
+      m.migration_template "migrations/#{migration_name}.rb",
+                           'db/migrate',
+                           :migration_file_name => "clearance_#{migration_name}"
+
+      m.readme "README"
+    end
+  end
+
+  private
+
+  def migration_name
+    if ActiveRecord::Base.connection.table_exists?(:users)
+      'update_users'
+    else
+      'create_users'
+    end
+  end
+
+end
@@ -0,0 +1,33 @@
+# Mostly pinched from http://github.com/ryanb/nifty-generators/tree/master
+
+Rails::Generator::Commands::Base.class_eval do
+  def file_contains?(relative_destination, line)
+    File.read(destination_path(relative_destination)).include?(line)
+  end
+end
+
+Rails::Generator::Commands::Create.class_eval do
+  def insert_into(file, line)
+    logger.insert "#{line} into #{file}"
+    unless options[:pretend] || file_contains?(file, line)
+      gsub_file file, /^(class|module) .+$/ do |match|
+        "#{match}\n  #{line}"
+      end
+    end
+  end
+end
+
+Rails::Generator::Commands::Destroy.class_eval do
+  def insert_into(file, line)
+    logger.remove "#{line} from #{file}"
+    unless options[:pretend]
+      gsub_file file, "\n  #{line}", ''
+    end
+  end
+end
+
+Rails::Generator::Commands::List.class_eval do
+  def insert_into(file, line)
+    logger.insert "#{line} into #{file}"
+  end
+end
@@ -0,0 +1,22 @@
+Rails::Generator::Commands::Create.class_eval do
+  def rake_db_migrate
+    logger.rake "db:migrate"
+    unless system("rake db:migrate")
+      logger.rake "db:migrate failed. Rolling back"      
+      command(:destroy).invoke!
+    end
+  end
+end
+
+Rails::Generator::Commands::Destroy.class_eval do
+  def rake_db_migrate
+    logger.rake "db:rollback"  
+    system "rake db:rollback"  
+  end
+end
+
+Rails::Generator::Commands::List.class_eval do
+  def rake_db_migrate
+    logger.rake "db:migrate"    
+  end
+end
@@ -0,0 +1,22 @@
+
+*******************************************************************************
+
+Ok, enough fancy automatic stuff. Time for some old school monkey copy-pasting.
+
+1. Define a HOST constant in your environments files.
+In config/environments/test.rb and config/environments/development.rb it can be:
+
+    HOST = "localhost"
+
+In production.rb it must be the actual host your application is deployed to.
+The constant is used by mailers to generate URLs in emails.
+
+2. In config/environment.rb:
+
+    DO_NOT_REPLY = "donotreply@example.com"
+
+3. Define root_url to *something* in your config/routes.rb:
+
+    map.root :controller => 'home'
+
+*******************************************************************************
@@ -0,0 +1,13 @@
+Factory.sequence :email do |n|
+  "user#{n}@example.com"
+end
+
+Factory.define :user do |user|
+  user.email                 { Factory.next :email }
+  user.password              { "password" }
+  user.password_confirmation { "password" }
+end
+
+Factory.define :email_confirmed_user, :parent => :user do |user|
+  user.email_confirmed { true }
+end
@@ -0,0 +1,20 @@
+class ClearanceCreateUsers < ActiveRecord::Migration
+  def self.up
+    create_table(:users) do |t|
+      t.string   :email
+      t.string   :encrypted_password, :limit => 128
+      t.string   :salt,               :limit => 128
+      t.string   :token,              :limit => 128
+      t.datetime :token_expires_at
+      t.boolean  :email_confirmed, :default => false, :null => false
+    end
+
+    add_index :users, [:id, :token]
+    add_index :users, :email
+    add_index :users, :token    
+  end
+  
+  def self.down
+    drop_table :users  
+  end
+end
@@ -0,0 +1,41 @@
+class ClearanceUpdateUsers < ActiveRecord::Migration
+  def self.up
+<% 
+      existing_columns = ActiveRecord::Base.connection.columns(:users).collect { |each| each.name }
+      columns = [
+        [:email,              't.string :email'],
+        [:encrypted_password, 't.string :encrypted_password, :limit => 128'],
+        [:salt,               't.string :salt, :limit => 128'],
+        [:token,              't.string :token, :limit => 128'],
+        [:token_expires_at,   't.datetime :token_expires_at'],
+        [:email_confirmed,    't.boolean :email_confirmed, :default => false, :null => false']
+      ].delete_if {|c| existing_columns.include?(c.first.to_s)} 
+-%>
+    change_table(:users) do |t|
+<% columns.each do |c| -%>
+      <%= c.last %>
+<% end -%>
+    end
+    
+<%
+    existing_indexes = ActiveRecord::Base.connection.indexes(:users)
+    index_names = existing_indexes.collect { |each| each.name }
+    new_indexes = [
+      [:index_users_on_id_and_token, 'add_index :users, [:id, :token]'],
+      [:index_users_on_email,        'add_index :users, :email'],
+      [:index_users_on_token,        'add_index :users, :token']
+    ].delete_if { |each| index_names.include?(each.first.to_s) }
+-%>
+<% new_indexes.each do |each| -%>
+    <%= each.last %>
+<% end -%>
+  end
+  
+  def self.down
+    change_table(:users) do |t|
+<% unless columns.empty? -%>
+      t.remove <%= columns.collect { |each| ":#{each.first}" }.join(',') %>
+<% end -%>
+    end
+  end
+end
@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+  include Clearance::User
+end
@@ -0,0 +1 @@
+script/generate clearance_features
@@ -0,0 +1,20 @@
+class ClearanceFeaturesGenerator < Rails::Generator::Base
+  
+  def manifest
+    record do |m|
+      m.directory File.join("features", "step_definitions")
+      m.directory File.join("features", "support")
+      
+      ["features/step_definitions/clearance_steps.rb",
+       "features/step_definitions/factory_girl_steps.rb",
+       "features/support/paths.rb",
+       "features/sign_in.feature",
+       "features/sign_out.feature",       
+       "features/sign_up.feature",
+       "features/password_reset.feature"].each do |file|
+        m.file file, file
+       end
+    end
+  end
+  
+end
@@ -0,0 +1,33 @@
+Feature: Password reset
+  In order to sign in even if user forgot their password
+  A user
+  Should be able to reset it
+
+    Scenario: User is not signed up
+      Given no user exists with an email of "email@person.com"
+      When I request password reset link to be sent to "email@person.com"
+      Then I should see "Unknown email"
+
+    Scenario: User is signed up and requests password reset
+      Given I signed up with "email@person.com/password"
+      When I request password reset link to be sent to "email@person.com"
+      Then I should see "instructions for changing your password"
+      And a password reset message should be sent to "email@person.com"
+
+    Scenario: User is signed up updated his password and types wrong confirmation
+      Given I signed up with "email@person.com/password"
+      When I follow the password reset link sent to "email@person.com"
+      And I update my password with "newpassword/wrongconfirmation"
+      Then I should see error messages
+      And I should be signed out
+
+    Scenario: User is signed up and updates his password
+      Given I signed up with "email@person.com/password"
+      When I follow the password reset link sent to "email@person.com"
+      And I update my password with "newpassword/newpassword"
+      Then I should be signed in
+      When I sign out
+      Then I should be signed out
+      And I sign in as "email@person.com/newpassword"
+      Then I should be signed in
+
@@ -0,0 +1,42 @@
+Feature: Sign in
+  In order to get access to protected sections of the site
+  A user
+  Should be able to sign in
+
+    Scenario: User is not signed up
+      Given no user exists with an email of "email@person.com"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "Bad email or password"
+      And I should be signed out
+
+    Scenario: User is not confirmed
+      Given I signed up with "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "User has not confirmed email"
+      And I should be signed out
+
+   Scenario: User enters wrong password
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/wrongpassword"
+      Then I should see "Bad email or password"
+      And I should be signed out
+
+   Scenario: User signs in successfully
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in as "email@person.com/password"
+      Then I should see "Signed in"
+      And I should be signed in
+
+   Scenario: User signs in and checks "remember me"
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I go to the sign in page
+      And I sign in with "remember me" as "email@person.com/password"
+      Then I should see "Signed in"
+      And I should be signed in
+      When I return next time
+      Then I should be signed in
+
@@ -0,0 +1,23 @@
+Feature: Sign out
+  To protect my account from unauthorized access
+  A signed in user
+  Should be able to sign out
+
+    Scenario: User signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "Signed out"
+      And I should be signed out
+
+    Scenario: User who was remembered signs out
+      Given I am signed up and confirmed as "email@person.com/password"
+      When I sign in with "remember me" as "email@person.com/password"
+      Then I should be signed in
+      And I sign out
+      Then I should see "Signed out"
+      And I should be signed out
+      When I return next time
+      Then I should be signed out
+
@@ -0,0 +1,28 @@
+Feature: Sign up
+  In order to get access to protected sections of the site
+  A user
+  Should be able to sign up
+
+    Scenario: User signs up with invalid data
+      When I go to the sign up page
+      And I fill in "Email" with "invalidemail"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with ""
+      And I press "Sign Up"
+      Then I should see error messages
+
+    Scenario: User signs up with valid data
+      When I go to the sign up page
+      And I fill in "Email" with "email@person.com"
+      And I fill in "Password" with "password"
+      And I fill in "Confirm password" with "password"
+      And I press "Sign Up"
+      Then I should see "instructions for confirming"
+      And a confirmation message should be sent to "email@person.com"
+
+    Scenario: User confirms his account
+      Given I signed up with "email@person.com/password"
+      When I follow the confirmation link sent to "email@person.com"
+      Then I should see "Confirmed email and signed in"
+      And I should be signed in
+
@@ -0,0 +1,110 @@
+# General
+
+Then /^I should see error messages$/ do
+  assert_match /error(s)? prohibited/m, response.body
+end
+
+# Database
+
+Given /^no user exists with an email of "(.*)"$/ do |email|
+  assert_nil User.find_by_email(email)
+end
+
+Given /^I signed up with "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :user,
+    :email                 => email,
+    :password              => password,
+    :password_confirmation => password
+end 
+
+Given /^I am signed up and confirmed as "(.*)\/(.*)"$/ do |email, password|
+  user = Factory :email_confirmed_user,
+    :email                 => email,
+    :password              => password,
+    :password_confirmation => password
+end
+
+# Session
+
+Then /^I should be signed in$/ do
+  assert controller.signed_in?
+end
+
+Then /^I should be signed out$/ do
+  assert ! controller.signed_in?
+end
+
+When /^session is cleared$/ do
+  request.reset_session
+  controller.instance_variable_set(:@_current_user, nil)
+end
+
+# Emails
+
+Then /^a confirmation message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /confirm/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the confirmation link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit new_user_confirmation_path(:user_id => user, :token => user.token)
+end
+
+Then /^a password reset message should be sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  sent = ActionMailer::Base.deliveries.first
+  assert_equal [user.email], sent.to
+  assert_match /password/i, sent.subject
+  assert !user.token.blank?
+  assert_match /#{user.token}/, sent.body
+end
+
+When /^I follow the password reset link sent to "(.*)"$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user, :token => user.token)
+end
+
+When /^I try to change the password of "(.*)" without token$/ do |email|
+  user = User.find_by_email(email)
+  visit edit_user_password_path(:user_id => user)
+end
+
+Then /^I should be forbidden$/ do
+  assert_response :forbidden
+end
+
+# Actions
+
+When /^I sign in( with "remember me")? as "(.*)\/(.*)"$/ do |remember, email, password|
+  When %{I go to the sign in page}
+  And %{I fill in "Email" with "#{email}"}
+  And %{I fill in "Password" with "#{password}"}
+  And %{I check "Remember me"} if remember
+  And %{I press "Sign In"}
+end
+
+When /^I sign out$/ do
+  visit '/session', :delete
+end
+
+When /^I request password reset link to be sent to "(.*)"$/ do |email|
+  When %{I go to the password reset request page}
+  And %{I fill in "Email address" with "#{email}"}
+  And %{I press "Reset password"}
+end
+
+When /^I update my password with "(.*)\/(.*)"$/ do |password, confirmation|
+  And %{I fill in "Choose password" with "#{password}"}
+  And %{I fill in "Confirm password" with "#{confirmation}"}
+  And %{I press "Save this password"}
+end
+
+When /^I return next time$/ do
+  When %{session is cleared}
+  And %{I go to the homepage}
+end
@@ -0,0 +1,5 @@
+Factory.factories.each do |name, factory|
+  Given /^an? #{name} exists with an? (.*) of "([^"]*)"$/ do |attr, value|
+    Factory(name, attr.gsub(' ', '_') => value)
+  end
+end
@@ -0,0 +1,22 @@
+module NavigationHelpers
+  def path_to(page_name)
+    case page_name
+    
+    when /the homepage/i
+      root_path
+    when /the sign up page/i
+      new_user_path
+    when /the sign in page/i
+      new_session_path
+    when /the password reset request page/i
+      new_password_path
+    
+    # Add more page name => path mappings here
+    
+    else
+      raise "Can't find mapping from \"#{page_name}\" to a path."
+    end
+  end
+end
+ 
+World(NavigationHelpers)
@@ -0,0 +1,6 @@
+require 'clearance/extensions/errors'
+require 'clearance/extensions/rescue'
+require 'clearance/extensions/routes'
+
+require 'clearance/authentication'
+require 'clearance/user'
@@ -0,0 +1,100 @@
+module Clearance
+  module Authentication
+
+    def self.included(controller)
+      controller.send(:include, InstanceMethods)
+
+      controller.class_eval do
+        helper_method :current_user
+        helper_method :signed_in?
+
+        hide_action :current_user, :signed_in?
+      end
+    end
+
+    module InstanceMethods
+      def current_user
+        @_current_user ||= (user_from_cookie || user_from_session)
+      end
+
+      def signed_in?
+        ! current_user.nil?
+      end
+
+      protected
+
+      def authenticate
+        deny_access unless signed_in?
+      end
+
+      def user_from_session
+        if session[:user_id]
+          return nil  unless user = ::User.find_by_id(session[:user_id])
+          return user if     user.email_confirmed?
+        end
+      end
+
+      def user_from_cookie
+        if token = cookies[:remember_token]
+          return nil  unless user = ::User.find_by_token(token)
+          return user if     user.remember?
+        end
+      end
+
+      def sign_user_in(user)
+        warn "[DEPRECATION] sign_user_in: unnecessary. use sign_in(user) instead."
+        sign_in(user)
+      end
+
+      def sign_in(user)
+        if user
+          session[:user_id] = user.id
+        end
+      end
+
+      def remember?
+        params[:session] && params[:session][:remember_me] == "1"
+      end
+
+      def remember(user)
+        user.remember_me!
+        cookies[:remember_token] = { :value   => user.token,
+                                     :expires => user.token_expires_at }
+      end
+
+      def forget(user)
+        user.forget_me! if user
+        cookies.delete(:remember_token)
+        reset_session
+      end
+
+      def redirect_back_or(default)
+        redirect_to(return_to || default)
+        clear_return_to
+      end
+
+      def return_to
+        session[:return_to] || params[:return_to]
+      end
+
+      def clear_return_to
+        session[:return_to] = nil
+      end
+
+      def redirect_to_root
+        redirect_to(root_url)
+      end
+
+      def store_location
+        session[:return_to] = request.request_uri if request.get?
+      end
+
+      def deny_access(flash_message = nil, opts = {})
+        store_location
+        flash[:failure] = flash_message if flash_message
+        redirect_to(new_session_url)
+      end
+    end
+
+  end
+end
@@ -0,0 +1,6 @@
+if defined?(ActionController)
+  module ActionController
+    class Forbidden < StandardError
+    end
+  end
+end
@@ -0,0 +1,3 @@
+if defined?(ActionController::Base)
+  ActionController::Base.rescue_responses.update('ActionController::Forbidden' => :forbidden)
+end
@@ -0,0 +1,14 @@
+if defined?(ActionController::Routing::RouteSet)
+  class ActionController::Routing::RouteSet
+    def load_routes_with_clearance!
+      lib_path = File.dirname(__FILE__)
+      clearance_routes = File.join(lib_path, *%w[.. .. .. config clearance_routes.rb])
+      unless configuration_files.include?(clearance_routes)
+        add_configuration_file(clearance_routes)
+      end
+      load_routes_without_clearance!
+    end
+
+    alias_method_chain :load_routes!, :clearance
+  end
+end
@@ -0,0 +1,143 @@
+require 'digest/sha1'
+
+module Clearance
+  module User
+
+    def self.included(model)
+      model.extend(ClassMethods)
+
+      model.send(:include, InstanceMethods)
+      model.send(:include, AttrAccessible)
+      model.send(:include, AttrAccessor)
+      model.send(:include, Validations)
+      model.send(:include, Callbacks)
+    end
+
+    module AttrAccessible
+      def self.included(model)
+        model.class_eval do
+          attr_accessible :email, :password, :password_confirmation
+        end
+      end
+    end
+
+    module AttrAccessor
+      def self.included(model)
+        model.class_eval do
+          attr_accessor :password, :password_confirmation
+        end
+      end
+    end
+
+    module Validations
+      def self.included(model)
+        model.class_eval do
+          validates_presence_of     :email
+          validates_uniqueness_of   :email, :case_sensitive => false
+          validates_format_of       :email, :with => %r{.+@.+\..+}
+
+          validates_presence_of     :password, :if => :password_required?
+          validates_confirmation_of :password, :if => :password_required?
+        end
+      end
+    end
+
+    module Callbacks
+      def self.included(model)
+        model.class_eval do
+          before_save :initialize_salt, :encrypt_password, :initialize_token
+        end
+      end
+    end
+
+    module InstanceMethods
+      def authenticated?(password)
+        encrypted_password == encrypt(password)
+      end
+
+      def encrypt(string)
+        generate_hash("--#{salt}--#{string}--")
+      end
+
+      def remember?
+        token_expires_at && Time.now.utc < token_expires_at
+      end
+
+      def remember_me!
+        remember_me_until! 2.weeks.from_now.utc
+      end
+
+      def forget_me!
+        clear_token
+        save(false)
+      end
+
+      def confirm_email!
+        self.email_confirmed  = true
+        self.token            = nil
+        save(false)
+      end
+
+      def forgot_password!
+        generate_token
+        save(false)
+      end
+
+      def update_password(new_password, new_password_confirmation)
+        self.password              = new_password
+        self.password_confirmation = new_password_confirmation
+        clear_token if valid?
+        save
+      end
+
+      protected
+
+      def generate_hash(string)
+        Digest::SHA1.hexdigest(string)
+      end
+
+      def initialize_salt
+        if new_record?
+          self.salt = generate_hash("--#{Time.now.utc.to_s}--#{password}--")
+        end
+      end
+
+      def encrypt_password
+        return if password.blank?
+        self.encrypted_password = encrypt(password)
+      end
+
+      def generate_token
+        self.token = encrypt("--#{Time.now.utc.to_s}--#{password}--")
+        self.token_expires_at = nil
+      end
+
+      def clear_token
+        self.token            = nil
+        self.token_expires_at = nil
+      end
+
+      def initialize_token
+        generate_token if new_record?
+      end
+
+      def password_required?
+        encrypted_password.blank? || !password.blank?
+      end
+
+      def remember_me_until!(time)
+        self.token_expires_at = time
+        self.token = encrypt("--#{token_expires_at}--#{password}--")
+        save(false)
+      end
+    end
+
+    module ClassMethods
+      def authenticate(email, password)
+        return nil  unless user = find_by_email(email)
+        return user if     user.authenticated?(password)
+      end
+    end
+
+  end
+end
@@ -0,0 +1 @@
+require 'clearance'
 \ No newline at end of file
@@ -0,0 +1,262 @@
+module Clearance
+  module Shoulda
+
+    # STATE OF AUTHENTICATION
+
+    def should_be_signed_in_as(&block)
+      should "be signed in as #{block.bind(self).call}" do
+        user = block.bind(self).call
+        assert_not_nil user,
+          "please pass a User. try: should_be_signed_in_as { @user }"
+        assert_equal user, @controller.send(:current_user),
+          "#{user.inspect} is not the current_user, " <<
+          "which is #{@controller.send(:current_user).inspect}"
+      end
+    end
+
+    def should_be_signed_in_and_email_confirmed_as(&block)
+      warn "[DEPRECATION] should_be_signed_in_and_email_confirmed_as: questionable usefulness"
+      should_be_signed_in_as &block
+
+      should "have confirmed email" do
+        user = block.bind(self).call
+
+        assert_not_nil user
+        assert_equal user, assigns(:user)
+        assert assigns(:user).email_confirmed?
+      end
+    end
+
+    def should_not_be_signed_in
+      should "not be signed in" do
+        assert_nil session[:user_id]
+      end
+    end
+
+    def should_deny_access_on(http_method, action, opts = {})
+      warn "[DEPRECATION] should_deny_access_on: use a setup & should_deny_access(:flash => ?)"
+      flash_message = opts.delete(:flash)
+      context "on #{http_method} to #{action}" do
+        setup do
+          send(http_method, action, opts)
+        end
+
+        should_deny_access(:flash => flash_message)
+      end
+    end
+
+    def should_deny_access(opts = {})
+      if opts[:flash]
+        should_set_the_flash_to opts[:flash]
+      else
+        should_not_set_the_flash
+      end
+
+      should_redirect_to('new_session_url') { new_session_url }
+    end
+
+    # HTTP FLUENCY
+
+    def should_forbid(description, &block)
+      should "forbid #{description}" do
+        assert_raises ActionController::Forbidden do
+          instance_eval(&block)
+        end
+      end
+    end
+
+    # CONTEXTS
+
+    def signed_in_user_context(&blk)
+      warn "[DEPRECATION] signed_in_user_context: creates a Mystery Guest, causes Obscure Test"
+      context "A signed in user" do
+        setup do
+          @user = Factory(:user)
+          @user.confirm_email!
+          sign_in_as @user
+        end
+        merge_block(&blk)
+      end
+    end
+
+    def public_context(&blk)
+      warn "[DEPRECATION] public_context: common case is no-op. call sign_out otherwise"
+      context "The public" do
+        setup { sign_out }
+        merge_block(&blk)
+      end
+    end
+
+    # CREATING USERS
+
+    def should_create_user_successfully
+      warn "[DEPRECATION] should_create_user_successfully: not meant to be public, no longer used internally"
+      should_assign_to :user
+      should_change 'User.count', :by => 1
+
+      should "send the confirmation email" do
+        assert_sent_email do |email|
+          email.subject =~ /account confirmation/i
+        end
+      end
+
+      should_set_the_flash_to /confirm/i
+      should_redirect_to_url_after_create
+    end
+
+    # RENDERING
+
+    def should_render_nothing
+      should "render nothing" do
+        assert @response.body.blank?
+      end
+    end
+
+    # REDIRECTS
+
+    def should_redirect_to_url_after_create
+      should_redirect_to("the post-create url") do
+        @controller.send(:url_after_create)
+      end
+    end
+
+    def should_redirect_to_url_after_update
+      should_redirect_to("the post-update url") do
+        @controller.send(:url_after_update)
+      end
+    end
+
+    def should_redirect_to_url_after_destroy
+      should_redirect_to("the post-destroy url") do
+        @controller.send(:url_after_destroy)
+      end
+    end
+
+    # VALIDATIONS
+
+    def should_validate_confirmation_of(attribute, opts = {})
+      warn "[DEPRECATION] should_validate_confirmation_of: not meant to be public, no longer used internally"
+      raise ArgumentError if opts[:factory].nil?
+
+      context "on save" do
+        should_validate_confirmation_is_not_blank opts[:factory], attribute
+        should_validate_confirmation_is_not_bad   opts[:factory], attribute
+      end
+    end
+
+    def should_validate_confirmation_is_not_blank(factory, attribute, opts = {})
+      warn "[DEPRECATION] should_validate_confirmation_is_not_blank: not meant to be public, no longer used internally"
+      should "validate #{attribute}_confirmation is not blank" do
+        model = Factory.build(factory, blank_confirmation_options(attribute))
+        model.save
+        assert_confirmation_error(model, attribute,
+          "#{attribute}_confirmation cannot be blank")
+      end
+    end
+
+    def should_validate_confirmation_is_not_bad(factory, attribute, opts = {})
+      warn "[DEPRECATION] should_validate_confirmation_is_not_bad: not meant to be public, no longer used internally"
+      should "validate #{attribute}_confirmation is different than #{attribute}" do
+        model = Factory.build(factory, bad_confirmation_options(attribute))
+        model.save
+        assert_confirmation_error(model, attribute, 
+          "#{attribute}_confirmation cannot be different than #{attribute}")
+      end
+    end
+
+    # FORMS
+
+    def should_display_a_password_update_form
+      warn "[DEPRECATION] should_display_a_password_update_form: not meant to be public, no longer used internally"
+      should "have a form for the user's token, password, and password confirm" do
+        update_path = ERB::Util.h(
+          user_password_path(@user, :token => @user.token)
+        )
+
+        assert_select 'form[action=?]', update_path do
+          assert_select 'input[name=_method][value=?]', 'put'
+          assert_select 'input[name=?]', 'user[password]'
+          assert_select 'input[name=?]', 'user[password_confirmation]'
+        end
+      end
+    end
+
+    def should_display_a_sign_up_form
+      warn "[DEPRECATION] should_display_a_sign_up_form: not meant to be public, no longer used internally"
+      should "display a form to sign up" do
+        assert_select "form[action=#{users_path}][method=post]",
+        true, "There must be a form to sign up" do
+          assert_select "input[type=text][name=?]",
+            "user[email]", true, "There must be an email field"
+          assert_select "input[type=password][name=?]",
+            "user[password]", true, "There must be a password field"
+          assert_select "input[type=password][name=?]",
+            "user[password_confirmation]", true, "There must be a password confirmation field"
+          assert_select "input[type=submit]", true,
+            "There must be a submit button"
+        end
+      end
+    end
+
+    def should_display_a_sign_in_form
+      warn "[DEPRECATION] should_display_a_sign_in_form: not meant to be public, no longer used internally"
+      should 'display a "sign in" form' do
+        assert_select "form[action=#{session_path}][method=post]",
+          true, "There must be a form to sign in" do
+            assert_select "input[type=text][name=?]",
+              "session[email]", true, "There must be an email field"
+            assert_select "input[type=password][name=?]",
+              "session[password]", true, "There must be a password field"
+            assert_select "input[type=checkbox][name=?]",
+              "session[remember_me]", true, "There must be a 'remember me' check box"
+            assert_select "input[type=submit]", true,
+              "There must be a submit button"
+        end
+      end
+    end
+  end
+end
+
+module Clearance
+  module Shoulda
+    module Helpers
+      def sign_in_as(user)
+        @controller.class_eval { attr_accessor :current_user }
+        @controller.current_user = user
+        return user
+      end
+
+      def sign_in
+        sign_in_as Factory(:email_confirmed_user)
+      end
+
+      def sign_out
+        @controller.class_eval { attr_accessor :current_user }
+        @controller.current_user = nil
+      end
+
+      def blank_confirmation_options(attribute)
+        warn "[DEPRECATION] blank_confirmation_options: not meant to be public, no longer used internally"
+        opts = { attribute => attribute.to_s }
+        opts.merge("#{attribute}_confirmation".to_sym => "")
+      end
+
+      def bad_confirmation_options(attribute)
+        warn "[DEPRECATION] bad_confirmation_options: not meant to be public, no longer used internally"
+        opts = { attribute => attribute.to_s }
+        opts.merge("#{attribute}_confirmation".to_sym => "not_#{attribute}")
+      end
+
+      def assert_confirmation_error(model, attribute, message = "confirmation error")
+        warn "[DEPRECATION] assert_confirmation_error: not meant to be public, no longer used internally"
+        assert model.errors.on(attribute).include?("doesn't match confirmation"),
+          message
+      end
+    end
+  end
+end
+
+class Test::Unit::TestCase
+  include Clearance::Shoulda::Helpers
+end
+Test::Unit::TestCase.extend(Clearance::Shoulda)
1	1	# SQLite version 3.x
2	2	# gem install sqlite3-ruby (not necessary on OS X Leopard)
3		-development:
	3	+development: &default
4	4	adapter: sqlite3
5	5	database: db/development.sqlite3
6	6	pool: 5
7	7	timeout: 5000
8	8
9		-# Warning: The database defined as "test" will be erased and
10		-# re-generated from your development database when you run "rake".
11		-# Do not set this db to the same as development or production.
12	9	test:
13		- adapter: sqlite3
	10	+ <<: *default
14	11	database: db/test.sqlite3
15		- pool: 5
16		- timeout: 5000
17	12
18		-production:
19		- adapter: sqlite3
20		- database: db/production.sqlite3
21		- pool: 5
22		- timeout: 5000
	13	+cucumber:
	14	+ <<: *default
	15	+ database: db/cucumber.sqlite3
23	16
...	...
...	...	@@ -15,7 +15,13 @@ config.action_controller.allow_forgery_protection = false
15	15	# ActionMailer::Base.deliveries array.
16	16	config.action_mailer.delivery_method = :test
17	17
18		-config.gem "cucumber", :lib => false, :version => ">=0.3.11" unless File.directory?(File.join(Rails.root, 'vendor/plugins/cucumber'))
19		-config.gem "webrat", :lib => false, :version => ">=0.4.4" unless File.directory?(File.join(Rails.root, 'vendor/plugins/webrat'))
20		-config.gem "rspec", :lib => false, :version => ">=1.2.6" unless File.directory?(File.join(Rails.root, 'vendor/plugins/rspec'))
21		-config.gem "rspec-rails", :lib => 'spec/rails', :version => ">=1.2.6" unless File.directory?(File.join(Rails.root, 'vendor/plugins/rspec-rails'))
	18	+config.gem "cucumber", :lib => false, :version => ">=0.3.11"
	19	+config.gem "webrat", :lib => false, :version => ">=0.4.4"
	20	+
	21	+# config.gem "rspec", :lib => false, :version => ">=1.2.6"
	22	+# config.gem "rspec-rails", :lib => 'spec/rails', :version => ">=1.2.6"
	23	+
	24	+require 'rubygems'
	25	+require 'factory_girl'
	26	+require 'shoulda'
	27	+
...	...
...	...	@@ -91,29 +91,37 @@ When /^I attach the file at "([^\"])" to "([^\"])"$/ do \|path, field\|
91	91	end
92	92
93	93	Then /^I should see "([^\"]*)"$/ do \|text\|
94		- response.should contain(text)
	94	+ # response.should contain(text)
	95	+ assert_match /#{text}/m, @response.body
95	96	end
96	97
97	98	Then /^I should not see "([^\"]*)"$/ do \|text\|
98		- response.should_not contain(text)
	99	+ # response.should_not contain(text)
	100	+ assert_no_match /#{text}/m, @response.body
99	101	end
100	102
101	103	Then /^the "([^\"])" field should contain "([^\"])"$/ do \|field, value\|
102		- field_labeled(field).value.should =~ /#{value}/
	104	+ # field_labeled(field).value.should =~ /#{value}/
	105	+ assert_match /#{value}/, field_labeled(field).value
103	106	end
104	107
105	108	Then /^the "([^\"])" field should not contain "([^\"])"$/ do \|field, value\|
106		- field_labeled(field).value.should_not =~ /#{value}/
	109	+ # field_labeled(field).value.should_not =~ /#{value}/
	110	+ assert_no_match /#{value}/, field_labeled(field).value
107	111	end
108		-
	112	+
109	113	Then /^the "([^\"]*)" checkbox should be checked$/ do \|label\|
110		- field_labeled(label).should be_checked
	114	+ # field_labeled(label).should be_checked
	115	+ assert field_labeled(label).checked?
111	116	end
112	117
113	118	Then /^the "([^\"]*)" checkbox should not be checked$/ do \|label\|
114		- field_labeled(label).should_not be_checked
	119	+ # field_labeled(label).should_not be_checked
	120	+ assert !field_labeled(label).checked?
115	121	end
116	122
117	123	Then /^I should be on (.+)$/ do \|page_name\|
118		- URI.parse(current_url).path.should == path_to(page_name)
	124	+ # URI.parse(current_url).path.should == path_to(page_name)
	125	+ assert_equal path_to(page_name), URI.parse(current_url).path
119	126	end
	127	+
...	...
...	...	@@ -20,5 +20,5 @@ Webrat.configure do \|config\|
20	20	config.mode = :rails
21	21	end
22	22
23		-require 'cucumber/rails/rspec'
	23	+# require 'cucumber/rails/rspec'
24	24	require 'webrat/core/matchers'
...	...
...	...	@@ -0,0 +1,162 @@
	1	+h2. 0.6.8 (06/24/2009)
	2	+
	3	+* Added defined? checks for various Rails constants such as ActionController
	4	+for easier unit testing of Clearance extensions... particularly ActiveRecord
	5	+extensions... particularly strong_password. (Dan Croak)
	6	+
	7	+h2. 0.6.7 (06/13/2009)
	8	+
	9	+* [#30] Added sign_up, sign_in, sign_out named routes. (Dan Croak)
	10	+* [#22] Minimizing Reek smell: Duplication in redirect_back_or. (Dan Croak)
	11	+* Deprecated sign_user_in. Told developers to use sign_in instead. (Dan
	12	+Croak)
	13	+* [#16] flash_success_after_create, flash_notice_after_create, flash_failure_after_create, flash_sucess_after_update, flash_success_after_destroy, etc. (Dan Croak)
	14	+* [#17] bug. added #create to forbidden before_filters on confirmations controller. (Dan Croak)
	15	+* [#24] should_be_signed_in_as shouldn't look in the session. (Dan Croak)
	16	+* README improvements. (Dan Croak)
	17	+* Move routes loading to separate file. (Joshua Clayton)
	18	+
	19	+h2. 0.6.6 (05/18/2009)
	20	+
	21	+* [#14] replaced class_eval in Clearance::User with modules. This was needed
	22	+in a thoughtbot client app so we could write our own validations. (Dan Croak)
	23	+
	24	+h2. 0.6.5 (05/17/2009)
	25	+
	26	+* [#6] Make Clearance i18n aware. (Timur Vafin, Marcel Goerner, Eugene Bolshakov, Dan Croak)
	27	+
	28	+h2. 0.6.4 (05/12/2009)
	29	+
	30	+* Moved issue tracking to Github from Lighthouse. (Dan Croak)
	31	+* [#7] asking higher-level questions of controllers in webrat steps, such as signed_in? instead of what's in the session. same for accessors. (Dan Croak)
	32	+* [#11] replacing sign_in_as & sign_out shoulda macros with a stubbing (requires no dependency) approach. this will avoid dealing with the internals of current_user, such as session & cookies. added sign_in macro which signs in an email confirmed user from clearance's factories. (Dan Croak)
	33	+* [#13] move private methods on sessions controller into Clearance::Authentication module (Dan Croak)
	34	+* [#9] audited flash keys. (Dan Croak)
	35	+
	36	+h2. 0.6.3 (04/23/2009)
	37	+
	38	+* Scoping ClearanceMailer properly within controllers so it works in production environments. (Nick Quaranto)
	39	+
	40	+h2. 0.6.2 (04/22/2009)
	41	+
	42	+* Insert Clearance::User into User model if it exists. (Nick Quaranto)
	43	+* World(NavigationHelpers) Cucumber 3.0 style. (Shay Arnett & Mark Cornick)
	44	+
	45	+h2. 0.6.1 (04/21/2009)
	46	+* Scope operators are necessary to keep Rails happy. Reverting the original
	47	+revert so they're back in the library now for constants referenced inside of
	48	+the gem. (Nick Quaranto)
	49	+
	50	+h2. 0.6.0 (04/21/2009)
	51	+
	52	+* Converted Clearance to a Rails engine. (Dan Croak & Joe Ferris)
	53	+* Include Clearance::User in User model in app. (Dan Croak & Joe Ferris)
	54	+* Include Clearance::Authentication in ApplicationController. (Dan Croak & Joe Ferris)
	55	+* Namespace controllers under Clearance. (Dan Croak & Joe Ferris)
	56	+* Routes move to engine, use namespaced controllers but publicly the same. (Dan Croak & Joe Ferris)
	57	+* If you want to override a controller, subclass it like SessionsController <
	58	+Clearance::SessionsController. This gives you access to usual hooks such as
	59	+url_after_create. (Dan Croak & Joe Ferris)
	60	+* Controllers, mailer, model, routes all unit tested inside engine. Use
	61	+script/generate clearance_features to test integration of Clearance with your
	62	+Rails app. No longer including modules in your app's test files. (Dan Croak & Joe Ferris)
	63	+* Moved views to engine. (Joe Ferris)
	64	+* Converted generated test/factories/clearance.rb to use inheritence for
	65	+email_confirmed_user. (Dan Croak)
	66	+* Corrected some spelling errors with methods (Nick Quaranto)
	67	+* Converted "I should see error messages" to use a regex in the features (Nick
	68	+Quaranto)
	69	+* Loading clearance routes after rails routes via some monkeypatching (Nick
	70	+Quaranto)
	71	+* Made the clearance controllers unloadable to stop constant loading errors in
	72	+development mode (Nick Quaranto)
	73	+
	74	+h2. 0.5.6 (4/11/2009)
	75	+
	76	+* [#57] Step definition changed for "User should see error messages" so
	77	+features won't fail for certain validations. (Nick Quaranto)
	78	+
	79	+h2. 0.5.5 (3/23/2009)
	80	+
	81	+* Removing duplicate test to get rid of warning. (Nick Quaranto)
	82	+
	83	+h2. 0.5.4 (3/21/2009)
	84	+
	85	+* When users fail logging in, redirect them instead of rendering. (Matt
	86	+Jankowski)
	87	+
	88	+h2. 0.5.3 (3/5/2009)
	89	+
	90	+* Clearance now works with (and requires) Shoulda 2.10.0. (Mark Cornick, Joe
	91	+Ferris, Dan Croak)
	92	+* Prefer flat over nested contexts in sessions_controller_test. (Joe Ferris,
	93	+Dan Croak)
	94	+
	95	+h2. 0.5.2 (3/2/2009)
	96	+
	97	+* Fixed last remaining errors in Rails 2.3 tests. Now fully compatible. (Joe
	98	+Ferris, Dan Croak)
	99	+
	100	+h2. 0.5.1 (2/27/2009)
	101	+
	102	+* [#46] A user with unconfirmed email who resets password now confirms email.
	103	+(Marcel Görner)
	104	+* Refactored user_from_cookie, user_from_session, User#authenticate to use
	105	+more direct return code instead of ugly, harder to read ternary. (Dan Croak)
	106	+* Switch order of cookies and sessions to take advantage of Rails 2.3's "Rack-based lazy-loaded sessions":http://is.gd/i23E. (Dan Croak)
	107	+* Altered generator to interact with application_controller.rb instead of
	108	+application.rb in Rails 2.3 apps. (Dan Croak)
	109	+* [#42] Bug fix. Rack-based session change altered how to test remember me
	110	+cookie. (Mihai Anca)
	111	+
	112	+h2. 0.5.0 (2/27/2009)
	113	+
	114	+* Fixed problem with Cucumber features. (Dan Croak)
	115	+* Fixed mising HTTP fluency use case. (Dan Croak)
	116	+* Refactored User#update_password to take just parameters it needs. (Dan
	117	+Croak)
	118	+* Refactored User unit tests to be more readable. (Dan Croak)
	119	+
	120	+h2. 0.4.9 (2/20/2009)
	121	+
	122	+* Protect passwords & confirmations actions with forbidden filters. (Dan Croak)
	123	+* Return 403 Forbidden status code in those cases. (Tim Pope)
	124	+* Test 403 Forbidden status code in Cucumber feature. (Dan Croak, Joe Ferris)
	125	+* Raise custom ActionController::Forbidden error internally. (Joe Ferris, Mike Burns, Jason Morrison)
	126	+* Test ActionController::Forbidden error is raised in functional test. (Joe Ferris, Mike Burns, Dan Croak)
	127	+* [#45] Fixed bug that allowed anyone to edit another user's password (Marcel Görner)
	128	+* Required Factory Girl >= 1.2.0. (Dan Croak)
	129	+
	130	+h2. 0.4.8 (2/16/2009)
	131	+
	132	+* Added support paths for Cucumber. (Ben Mabey)
	133	+* Added documentation for the flash. (Ben Mabey)
	134	+* Generators require "test_helper" instead of File.join. for rr compatibility. (Joe Ferris)
	135	+* Removed interpolated email address from flash message to make i18n easier. (Bence Nagy)
	136	+* Standardized flash messages that refer to email delivery. (Dan Croak)
	137	+
	138	+h2. 0.4.7 (2/12/2009)
	139	+
	140	+* Removed Clearance::Test::TestHelper so there is one less setup step. (Dan Croak)
	141	+* All test helpers now in shoulda_macros. (Dan Croak)
	142	+
	143	+h2. 0.4.6 (2/11/2009)
	144	+
	145	+* Made the modules behave like mixins again. (hat-tip Eloy Duran)
	146	+* Created Actions and PrivateMethods modules on controllers for future RDoc reasons. (Dan Croak, Joe Ferris)
	147	+
	148	+h2. 0.4.5 (2/9/2009)
	149	+
	150	+* [#43] Removed email downcasing because local-part is case sensitive per RFC5321. (Dan Croak)
	151	+* [#42] Removed dependency on Mocha. (Dan Croak)
	152	+* Required Shoulda >= 2.9.1. (Dan Croak)
	153	+* Added password reset feature to clearance_features generator. (Eugene Bolshakov, Dan Croak)
	154	+* Removed unnecessary session[:salt]. (Dan Croak)
	155	+* [#41] Only store location for session[:return_to] for GET requests. (Dan Croak)
	156	+* Audited "sign up" naming convention. "Register" had slipped in a few places. (Dan Croak)
	157	+* Switched to SHA1 encryption. Cypher doesn't matter much for email confirmation, password reset. Better to have shorter hashes in the emails for clients who line break on 72 chars. (Dan Croak)
	158	+
	159	+h2. 0.4.4 (2/2/2009)
	160	+
	161	+* Added a generator for Cucumber features. (Joe Ferris, Dan Croak)
	162	+* Standarized naming for "Sign up," "Sign in," and "Sign out". (Dan Croak)
...	...
...	...	@@ -0,0 +1,21 @@
	1	+The MIT License
	2	+
	3	+Copyright (c) 2008 thoughtbot, inc.
	4	+
	5	+Permission is hereby granted, free of charge, to any person obtaining a copy
	6	+of this software and associated documentation files (the "Software"), to deal
	7	+in the Software without restriction, including without limitation the rights
	8	+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	9	+copies of the Software, and to permit persons to whom the Software is
	10	+furnished to do so, subject to the following conditions:
	11	+
	12	+The above copyright notice and this permission notice shall be included in
	13	+all copies or substantial portions of the Software.
	14	+
	15	+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	16	+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	17	+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	18	+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	19	+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	20	+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
	21	+THE SOFTWARE.
...	...
...	...	@@ -0,0 +1,123 @@
	1	+h1. Clearance
	2	+
	3	+Rails authentication with email & password.
	4	+
	5	+"We have clearance, Clarence.":http://www.youtube.com/v/mNRXJEE3Nz8
	6	+
	7	+h2. Wiki
	8	+
	9	+Most information regarding Clearance is on the "Github Wiki":http://wiki.github.com/thoughtbot/clearance.
	10	+
	11	+h2. Installation
	12	+
	13	+Clearance is a Rails engine. It works with versions of Rails greater than 2.3.
	14	+
	15	+In config/environment.rb:
	16	+
	17	+<pre>
	18	+config.gem "thoughtbot-clearance",
	19	+ :lib => 'clearance',
	20	+ :source => 'http://gems.github.com',
	21	+ :version => '0.6.6'
	22	+</pre>
	23	+
	24	+Vendor the gem:
	25	+
	26	+<pre>
	27	+rake gems:install
	28	+rake gems:unpack
	29	+</pre>
	30	+
	31	+Make sure the development database exists and run the generator:
	32	+
	33	+@script/generate clearance@
	34	+
	35	+A number of files will be created and instructions will be printed.
	36	+
	37	+You may already have some of these files. Don't worry. You'll be asked if you want to overwrite them.
	38	+
	39	+Run the migration:
	40	+
	41	+@rake db:migrate@
	42	+
	43	+Define a HOST constant in your environment files.
	44	+In config/environments/test.rb and config/environments/development.rb it can be:
	45	+
	46	+@HOST = "localhost"@
	47	+
	48	+In production.rb it must be the actual host your application is deployed to.
	49	+The constant is used by mailers to generate URLs in emails.
	50	+
	51	+In config/environment.rb:
	52	+
	53	+@DO_NOT_REPLY = "donotreply@example.com"@
	54	+
	55	+Define root_url to something in your config/routes.rb:
	56	+
	57	+@map.root :controller => 'home'@
	58	+
	59	+h2. Cucumber Features
	60	+
	61	+As your app evolves, you want to know that authentication still works. Clearance's opinion is that you should test its integration with your app using "Cucumber":http://cukes.info/.
	62	+
	63	+In config/environments/test.rb:
	64	+
	65	+<pre>
	66	+config.gem 'webrat',
	67	+ :version => '= 0.4.4'
	68	+config.gem 'cucumber',
	69	+ :version => '= 0.3.0'
	70	+config.gem 'thoughtbot-factory_girl',
	71	+ :lib => 'factory_girl',
	72	+ :source => "http://gems.github.com",
	73	+ :version => '1.2.1'
	74	+</pre>
	75	+
	76	+Vendor the gems:
	77	+
	78	+<pre>
	79	+rake gems:install RAILS_ENV=test
	80	+rake gems:unpack RAILS_ENV=test
	81	+</pre>
	82	+
	83	+We don't vendor nokogiri due to its native extensions, so install it normally on your machine:
	84	+
	85	+@sudo gem install nokogiri@
	86	+
	87	+Run the Cucumber generator (if you haven't already) and Clearance's feature generator:
	88	+
	89	+<pre>
	90	+script/generate cucumber
	91	+script/generate clearance_features
	92	+</pre>
	93	+
	94	+All of the files generated should be new with the exception of the features/support/paths.rb file. If you have not modified your paths.rb then you will be okay to replace it with this one. If you need to keep your paths.rb file then add these locations in your paths.rb manually:
	95	+
	96	+<pre>
	97	+def path_to(page_name)
	98	+ case page_name
	99	+ ...
	100	+ when /the sign up page/i
	101	+ new_user_path
	102	+ when /the sign in page/i
	103	+ new_session_path
	104	+ when /the password reset request page/i
	105	+ new_password_path
	106	+ ...
	107	+end
	108	+</pre>
	109	+
	110	+h2. Authors
	111	+
	112	+Clearance was extracted out of "Hoptoad":http://hoptoadapp.com. We merged the authentication code from two of thoughtbot's clients' Rails apps and have since used it each time we need authentication. The following people have improved the library. Thank you!
	113	+
	114	+Dan Croak, Mike Burns, Jason Morrison, Joe Ferris, Eugene Bolshakov, Nick Quaranto, Josh Nichols, Mike Breen, Marcel Görner, Bence Nagy, Ben Mabey, Eloy Duran, Tim Pope, Mihai Anca, Mark Cornick, Shay Arnett, Joshua Clayton & Mustafa Ekim.
	115	+
	116	+h2. Questions?
	117	+
	118	+Ask the "mailing list":http://groups.google.com/group/thoughtbot-clearance
	119	+
	120	+h2. Suggestions, Bugs, Refactoring?
	121	+
	122	+Fork away and create a "Github Issue":http://github.com/thoughtbot/clearance/issues. Please don't send pull requests.
	123	+
...	...
...	...	@@ -0,0 +1,76 @@
	1	+# encoding: utf-8
	2	+
	3	+require 'rake'
	4	+require 'rake/testtask'
	5	+require 'cucumber/rake/task'
	6	+
	7	+namespace :test do
	8	+ Rake::TestTask.new(:all => ["generator:cleanup",
	9	+ "generator:generate"]) do \|task\|
	10	+ task.libs << "lib"
	11	+ task.libs << "test"
	12	+ task.pattern = "test/*/_test.rb"
	13	+ task.verbose = false
	14	+ end
	15	+
	16	+ Cucumber::Rake::Task.new(:features) do \|t\|
	17	+ t.cucumber_opts = "--format progress"
	18	+ t.feature_pattern = "test/rails_root/features/*.feature"
	19	+ end
	20	+end
	21	+
	22	+generators = %w(clearance clearance_features)
	23	+
	24	+namespace :generator do
	25	+ desc "Cleans up the test app before running the generator"
	26	+ task :cleanup do
	27	+ generators.each do \|generator\|
	28	+ FileList["generators/#{generator}/templates/*/.*"].each do \|each\|
	29	+ file = "test/rails_root/#{each.gsub("generators/#{generator}/templates/",'')}"
	30	+ File.delete(file) if File.exists?(file)
	31	+ end
	32	+ end
	33	+
	34	+ FileList["test/rails_root/db/*/"].each do \|each\|
	35	+ FileUtils.rm_rf(each)
	36	+ end
	37	+ FileUtils.rm_rf("test/rails_root/vendor/plugins/clearance")
	38	+ FileUtils.mkdir_p("test/rails_root/vendor/plugins")
	39	+ clearance_root = File.expand_path(File.dirname(__FILE__))
	40	+ system("ln -s #{clearance_root} test/rails_root/vendor/plugins/clearance")
	41	+ end
	42	+
	43	+ desc "Run the generator on the tests"
	44	+ task :generate do
	45	+ generators.each do \|generator\|
	46	+ system "cd test/rails_root && ./script/generate #{generator} && rake db:migrate db:test:prepare"
	47	+ end
	48	+ end
	49	+end
	50	+
	51	+desc "Run the test suite"
	52	+task :default => ['test:all', 'test:features']
	53	+
	54	+gem_spec = Gem::Specification.new do \|gem_spec\|
	55	+ gem_spec.name = "clearance"
	56	+ gem_spec.version = "0.6.8"
	57	+ gem_spec.summary = "Rails authentication with email & password."
	58	+ gem_spec.email = "support@thoughtbot.com"
	59	+ gem_spec.homepage = "http://github.com/thoughtbot/clearance"
	60	+ gem_spec.description = "Rails authentication with email & password."
	61	+ gem_spec.authors = ["Dan Croak", "Mike Burns", "Jason Morrison",
	62	+ "Joe Ferris", "Eugene Bolshakov", "Nick Quaranto",
	63	+ "Josh Nichols", "Mike Breen", "Marcel Görner",
	64	+ "Bence Nagy", "Ben Mabey", "Eloy Duran",
	65	+ "Tim Pope", "Mihai Anca", "Mark Cornick",
	66	+ "Shay Arnett"]
	67	+ gem_spec.files = FileList["[A-Z]", "{app,config,generators,lib,shoulda_macros,rails}//"]
	68	+end
	69	+
	70	+desc "Generate a gemspec file"
	71	+task :gemspec do
	72	+ File.open("#{gem_spec.name}.gemspec", 'w') do \|f\|
	73	+ f.write gem_spec.to_yaml
	74	+ end
	75	+end
	76	+
...	...
...	...	@@ -0,0 +1,6 @@
	1	+h1. To-do
	2	+
	3	+* Make insertion of Clearance::User into User model automatic from the generator.
	4	+* Change generated README to include instruction about running the migration.
	5	+* DO_NOT_REPLY, HOST refactoring.
	6	+
...	...
...	...	@@ -0,0 +1,52 @@
	1	+class Clearance::ConfirmationsController < ApplicationController
	2	+ unloadable
	3	+
	4	+ before_filter :forbid_confirmed_user, :only => [:new, :create]
	5	+ before_filter :forbid_missing_token, :only => [:new, :create]
	6	+ before_filter :forbid_non_existent_user, :only => [:new, :create]
	7	+ filter_parameter_logging :token
	8	+
	9	+ def new
	10	+ create
	11	+ end
	12	+
	13	+ def create
	14	+ @user = ::User.find_by_id_and_token(params[:user_id], params[:token])
	15	+ @user.confirm_email!
	16	+
	17	+ sign_in(@user)
	18	+ flash_success_after_create
	19	+ redirect_to(url_after_create)
	20	+ end
	21	+
	22	+ private
	23	+
	24	+ def forbid_confirmed_user
	25	+ user = ::User.find_by_id(params[:user_id])
	26	+ if user && user.email_confirmed?
	27	+ raise ActionController::Forbidden, "confirmed user"
	28	+ end
	29	+ end
	30	+
	31	+ def forbid_missing_token
	32	+ if params[:token].blank?
	33	+ raise ActionController::Forbidden, "missing token"
	34	+ end
	35	+ end
	36	+
	37	+ def forbid_non_existent_user
	38	+ unless ::User.find_by_id_and_token(params[:user_id], params[:token])
	39	+ raise ActionController::Forbidden, "non-existent user"
	40	+ end
	41	+ end
	42	+
	43	+ def flash_success_after_create
	44	+ flash[:success] = translate(:confirmed_email,
	45	+ :scope => [:clearance, :controllers, :confirmations],
	46	+ :default => "Confirmed email and signed in.")
	47	+ end
	48	+
	49	+ def url_after_create
	50	+ root_url
	51	+ end
	52	+end
...	...