Restful Authentication plugin

Plugin details

The Restful Authentication generator is taken from acts as authenticated and provides a login system built on RESTful controllers.

Website: http://weblog.techno-weenie.net/2006/8/1/restful-authentication-plugin
Repository: git://github.com/technoweenie/restful-authentication.git
Author: Rick Olson
Tags: Login, UserManagement
License: MIT

Documentation

Install the plugin:
ruby script/plugin install git://github.com/technoweenie/restful-authentication.git

Restful Authentication Generator

This widely-used plugin provides a foundation for securely managing user authentication:
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.

Several features were updated in May 2008. The newest version of this plugin may be found at
http://github.com/technoweenie/restful-authentication/tree/master
while a "classic" (backward-compatible) version may be found at
http://github.com/technoweenie/restful-authentication/tree/classic

!! important: if you upgrade your site, existing user account !!
!! passwords will stop working unless you use --old-passwords !!

Installation

This is a basic RESTful authentication generator for Rails, taken from acts as authenticated. Currently it requires Rails 1.2.6 or above.

To use:

  ./script/generate authenticated user sessions \
    --include-activation \
    --stateful \
    --rspec \
    --skip-migration \
    --skip-routes \
    --old-passwords



* The first parameter specifies the model that gets created in signup (typically a user or account model). A model with migration is created, as well as a basic controller with the create method. You probably want to say "User" here.

* The second parameter specifies the session controller name. This is the controller that handles the actual login/logout function on the site. (probably: "Session").

* --include-activation: Generates the code for an ActionMailer and its respective activation code, delivered through email.

* --stateful: Builds in support for acts_as_state_machine and generates activation code. (@--stateful@ implies @--include-activation@). Based on the idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing @--skip-migration@ will skip the user migration, and @--skip-routes@ will skip resource generation -- both useful if you've already run this generator.

* --aasm: Works the same as stateful but uses the updated aasm gem

* --rspec: Generate RSpec tests and Stories in place of standard rails tests.
This requires the "RSpec and Rspec-on-rails plugins":http://rspec.info/ (make sure you "./script/generate rspec" after installing RSpec.) The rspec and story suite are much more thorough than the rails tests, and changes are unlikely to be backported.

* --old-passwords: Use the older password scheme (see [[#COMPATIBILITY]], above)

* --skip-migration: Don't generate a migration file for this model

* --skip-routes: Don't generate a resource line in @config/routes.rb@


***************************************************************************

After installing

The steps below assume a Model named 'User' and a Controller named 'Session'; please alter to suit. There are additional security minutiae in @notes/README-Tradeoffs@ -- only the paranoid or the curious need bother, though.

* Add these familiar login URLs to your @config/routes.rb@ if you like:

     map.signup '/signup', :controller => 'users', :action => 'new'
     map.login '/login', :controller => 'sessions', :action => 'new'
     map.logout '/logout', :controller => 'sessions', :action => 'destroy'



* With @--include-activation@, also add to your @config/routes.rb@:

    map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil



and add an observer to @config/environment.rb@:

    config.active_record.observers = :user_observer



* With @--stateful@, add an observer to config/environment.rb:

    config.active_record.observers = :user_observer



and modify the users resource line to read

    map.resources :users, :member => { :suspend => :put,
                                       :unsuspend => :put,
                                       :purge => :delete }



* If you use a public repository for your code (such as github, rubyforge, gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like '/config/initializers/site_keys.rb' to your .gitignore or do the svn ignore dance), but make sure you DO keep it backed up somewhere safe.
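The check below is an added example, not part of the plugin or its documentation. It audits a git working copy for the three ways the site key file named above can end up public: no ignore rule, still tracked, or already in history. The function name and the return-code bitmask are illustrative choices.

```shell
#!/bin/sh
# Added example: audit whether the site key file is kept out of a git repo.
# KEY_FILE is the path named in the note above; everything else is illustrative.
KEY_FILE="config/initializers/site_keys.rb"

# audit_site_keys REPO_DIR
# Returns 0 when the file is ignored, untracked and absent from history.
# Otherwise returns a bitmask: 1 = no ignore rule, 2 = tracked, 4 = in history.
audit_site_keys() {
    repo="$1"
    status=0

    # 1. Does an ignore rule cover the path? --no-index evaluates the rules
    #    even if the file is already tracked.
    if ! git -C "$repo" check-ignore -q --no-index "$KEY_FILE"; then
        echo "FAIL: no ignore rule covers $KEY_FILE" >&2
        status=$((status | 1))
    fi

    # 2. Is the file in the index? Adding an ignore rule later does not
    #    untrack a file that was already added.
    if git -C "$repo" ls-files --error-unmatch "$KEY_FILE" >/dev/null 2>&1; then
        echo "FAIL: $KEY_FILE is tracked (git rm --cached to untrack)" >&2
        status=$((status | 2))
    fi

    # 3. Was it ever committed on any ref? Untracking does not remove
    #    earlier commits, so anyone who can fetch the repo can read the key.
    if [ -n "$(git -C "$repo" log --all --oneline -- "$KEY_FILE" 2>/dev/null)" ]; then
        echo "FAIL: $KEY_FILE appears in commit history" >&2
        status=$((status | 4))
    fi

    return "$status"
}

# Stand-alone use: sh audit_site_keys.sh /path/to/rails/app
if [ "$#" -gt 0 ]; then
    audit_site_keys "$1"
fi
```

A return value of 4 alone means the file was untracked after being committed, so the key is still readable by anyone who can clone the repository.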

Further Documentation

Last edited by: scott, over 3 years ago