Empact-authlogic 2.1.4

data/lib/authlogic/crypto_providers/aes256.rb

@@ -0,0 +1,43 @@
+require "openssl"
+
+module Authlogic
+  module CryptoProviders
+    # This encryption method is reversible if you have the supplied key. So in order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do the following:
+    #
+    #   Authlogic::CryptoProviders::AES256.key = "my really long and unique key, preferrably a bunch of random characters"
+    #
+    # My final comment is that this is a strong encryption method, but its main weakness is that its reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
+    #
+    # Keep your key in a safe place, some even say the key should be stored on a separate server.
+    # This won't hurt performance because the only time it will try and access the key on the separate server is during initialization, which only
+    # happens once. The reasoning behind this is if someone does compromise your server they won't have the key also. Basically, you don't want to
+    # store the key with the lock.
+    class AES256
+      class << self
+        attr_writer :key
+    
+        def encrypt(*tokens)
+          aes.encrypt
+          aes.key = @key
+          [aes.update(tokens.join) + aes.final].pack("m").chomp
+        end
+    
+        def matches?(crypted, *tokens)
+          aes.decrypt
+          aes.key = @key
+          (aes.update(crypted.unpack("m").first) + aes.final) == tokens.join
+        rescue OpenSSL::CipherError
+          false
+        end
+    
+        private
+          def aes
+            raise ArgumentError.new("You must provide a key like #{name}.key = my_key before using the #{name}") if @key.blank?
+            @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -0,0 +1,90 @@
+begin
+  require "bcrypt"
+rescue LoadError
+  "sudo gem install bcrypt-ruby"
+end
+
+module Authlogic
+  module CryptoProviders
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
+    # secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
+    # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
+    # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
+    #
+    #   require "bcrypt"
+    #   require "digest"
+    #   require "benchmark"
+    #
+    #   Benchmark.bm(18) do |x|
+    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
+    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
+    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #   end
+    #
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
+    #
+    # You can play around with the cost to get that perfect balance between performance and security.
+    #
+    # Decided BCrypt is for you? Just insall the bcrypt gem:
+    #
+    #   gem install bcrypt-ruby
+    #
+    # Tell acts_as_authentic to use it:
+    #
+    #   acts_as_authentic do |c|
+    #     c.crypto_provider = Authlogic::CryptoProviders::BCrypt
+    #   end
+    #
+    # You are good to go!
+    class BCrypt
+      class << self
+        # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
+        # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
+        def cost
+          @cost ||= 10
+        end
+        attr_writer :cost
+        
+        # Creates a BCrypt hash for the password passed.
+        def encrypt(*tokens)
+          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+        end
+        
+        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(hash, *tokens)
+          hash = new_from_hash(hash)
+          return false if hash.blank?
+          hash == join_tokens(tokens)
+        end
+        
+        # This method is used as a flag to tell Authlogic to "resave" the password upon a successful login, using the new cost
+        def cost_matches?(hash)
+          hash = new_from_hash(hash)
+          if hash.blank?
+            false
+          else
+            hash.cost == cost
+          end
+        end
+        
+        private
+          def join_tokens(tokens)
+            tokens.flatten.join
+          end
+          
+          def new_from_hash(hash)
+            begin
+              ::BCrypt::Password.new(hash)
+            rescue ::BCrypt::Errors::InvalidHash
+              return nil
+            end
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/md5.rb

@@ -0,0 +1,34 @@
+require "digest/md5"
+ 
+module Authlogic
+  module CryptoProviders
+    # This class was made for the users transitioning from md5 based systems. 
+    # I highly discourage using this crypto provider as it superbly inferior 
+    # to your other options.
+    #
+    # Please use any other provider offered by Authlogic.
+    class MD5
+      class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption.
+        def stretches
+          @stretches ||= 1
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a MD5 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::MD5.hexdigest(digest) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -0,0 +1,35 @@
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
+    # crypto provider as it inferior to your other options. Please use any other provider offered by Authlogic.
+    class Sha1
+      class << self
+        def join_token
+          @join_token ||= "--"
+        end
+        attr_writer :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        def stretches
+          @stretches ||= 10
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a Sha1 hash.
+        def encrypt(*tokens)
+          tokens = tokens.flatten
+          digest = tokens.shift
+          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token)) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -0,0 +1,50 @@
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
+  # Just create a class with a class level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
+  module CryptoProviders
+    # = Sha256
+    #
+    # Uses the Sha256 hash algorithm to encrypt passwords.
+    class Sha256
+      class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        def stretches
+          @stretches ||= 20
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a Sha256 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::SHA256.hexdigest(digest) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -0,0 +1,50 @@
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
+  # Just create a class with a class level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
+  module CryptoProviders
+    # = Sha512
+    #
+    # Uses the Sha512 hash algorithm to encrypt passwords.
+    class Sha512
+      class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        def stretches
+          @stretches ||= 20
+        end
+        attr_writer :stretches
+        
+        # Turns your raw password into a Sha512 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
+          stretches.times { digest = Digest::SHA512.hexdigest(digest) }
+          digest
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/wordpress.rb

@@ -0,0 +1,43 @@
+require 'digest/md5'
+module Authlogic
+  module CryptoProviders
+    class Wordpress
+      class << self
+        ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+
+        def matches?(crypted, *tokens)
+          stretches = 1 << ITOA64.index(crypted[3,1])
+          plain, salt = *tokens 
+          hashed = Digest::MD5.digest(salt+plain)
+          stretches.times do |i|
+            hashed = Digest::MD5.digest(hashed+plain)
+          end
+          crypted[0,12]+encode_64(hashed, 16) == crypted
+        end
+
+        def encode_64(input, length)
+          output = "" 
+          i = 0
+          while i < length
+            value = input[i] 
+            i+=1
+            break if value.nil?
+            output += ITOA64[value & 0x3f, 1]
+            value |= input[i] << 8 if i < length
+            output += ITOA64[(value >> 6) & 0x3f, 1]
+
+            i+=1
+            break if i >= length
+            value |= input[i] << 16 if i < length
+            output += ITOA64[(value >> 12) & 0x3f,1]
+
+            i+=1
+            break if i >= length
+            output += ITOA64[(value >> 18) & 0x3f,1]
+          end
+          output
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -0,0 +1,15 @@
+module Authlogic
+  module I18n
+    class Translator
+      # If the I18n gem is present, calls +I18n.translate+ passing all 
+      # arguments, else returns +options[:default]+.
+      def translate(key, options = {})
+        if defined?(::I18n)
+          ::I18n.translate key, options
+        else
+          options[:default]
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/i18n.rb

@@ -0,0 +1,83 @@
+require "authlogic/i18n/translator"
+
+module Authlogic
+  # This class allows any message in Authlogic to use internationalization. In earlier versions of Authlogic each message was translated via configuration.
+  # This cluttered up the configuration and cluttered up Authlogic. So all translation has been extracted out into this class. Now all messages pass through
+  # this class, making it much easier to implement in I18n library / plugin you want. Use this as a layer that sits between Authlogic and whatever I18n
+  # library you want to use.
+  #
+  # By default this uses the rails I18n library, if it exists. If it doesnt exist it just returns the default english message. The Authlogic I18n class
+  # works EXACTLY like the rails I18n class. This is because the arguments are delegated to this class.
+  #
+  # Here is how all messages are translated internally with Authlogic:
+  #
+  #   Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
+  #
+  # If you use a different I18n library just replace the build-in I18n::Translator class with your own. For example:
+  #
+  #   class MyAuthlogicI18nTranslator
+  #     def translate(key, options = {})
+  #       # you will have key which will be something like: "error_messages.password_invalid"
+  #       # you will also have options[:default], which will be the default english version of the message
+  #       # do whatever you want here with the arguments passed to you.
+  #     end
+  #   end
+  #   
+  #   Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
+  #
+  # That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
+  #
+  #   authlogic:
+  #     error_messages:
+  #       login_blank: can not be blank
+  #       login_not_found: is not valid
+  #       login_invalid: should use only letters, numbers, spaces, and .-_@ please.
+  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
+  #       email_invalid: should look like an email address.
+  #       password_blank: can not be blank
+  #       password_invalid: is not valid
+  #       not_active: Your account is not active
+  #       not_confirmed: Your account is not confirmed
+  #       not_approved: Your account is not approved
+  #       no_authentication_details: You did not provide any details for authentication.
+  #     models:
+  #       user_session: UserSession (or whatever name you are using)
+  #     attributes:
+  #       user_session: (or whatever name you are using)
+  #         login: login
+  #         email: email
+  #         password: password
+  #         remember_me: remember me
+  module I18n
+    @@scope = :authlogic
+    @@translator = nil
+    
+    class << self
+      # Returns the current scope. Defaults to :authlogic
+      def scope
+        @@scope
+      end
+   
+      # Sets the current scope. Used to set a custom scope.
+      def scope=(scope)
+        @@scope = scope
+      end
+      
+      # Returns the current translator. Defaults to +Translator+.
+      def translator
+        @@translator ||= Translator.new
+      end
+      
+      # Sets the current translator. Used to set a custom translator.
+      def translator=(translator)
+        @@translator = translator
+      end
+    
+      # All message translation is passed to this method. The first argument is the key for the message. The second is options, see the rails I18n library for a list of options used.
+      def translate(key, options = {})
+        translator.translate key, { :scope => I18n.scope }.merge(options)
+      end
+      alias :t :translate
+    end
+  end
+end

data/lib/authlogic/random.rb

@@ -0,0 +1,33 @@
+module Authlogic
+  # Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
+  # So if you are using this in a rails app you should have this library.
+  module Random
+    extend self
+    
+    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
+    
+    if SecureRandom
+      def hex_token
+        SecureRandom.hex(64)
+      end
+      
+      def friendly_token
+        # use base64url as defined by RFC4648
+        SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+      end
+    else
+      def hex_token
+        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+      end
+      
+      FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      
+      def friendly_token
+        newpass = ""
+        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
+        newpass
+      end
+    end
+    
+  end
+end

data/lib/authlogic/regex.rb

@@ -0,0 +1,25 @@
+module Authlogic
+  # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
+  # them out into their own module is to make them easily available to you for other uses. Ex:
+  #
+  #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
+  module Regex
+    # A general email regular expression. It allows top level domains (TLD) to be from 2 - 4 in length, any
+    # TLD longer than that must be manually specified. The decisions behind this regular expression were made
+    # by reading this website: http://www.regular-expressions.info/email.html, which is an excellent resource
+    # for regular expressions.
+    def self.email
+      return @email_regex if @email_regex
+      email_name_regex  = %{[A-Z0-9!#$\%&'*+/=?^_`{|}~\\-.]+}
+      domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
+      domain_tld_regex  = '(?:[A-Z]{2,4}|museum|travel)'
+      @email_regex = /^#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}$/i
+    end
+    
+    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
+    # regular expression.
+    def self.login
+      /\A\w[\w\.+\-_@ ]+$/
+    end
+  end
+end

data/lib/authlogic/session/activation.rb

@@ -0,0 +1,58 @@
+module Authlogic
+  module Session
+    # Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
+    # This is sort of like a database connection for an ORM library, Authlogic can't do anything until it is "connected" to a controller.
+    # If you are using a supported framework, Authlogic takes care of this for you.
+    module Activation
+      class NotActivatedError < ::StandardError # :nodoc:
+        def initialize(session)
+          super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
+        end
+      end
+      
+      def self.included(klass)
+        klass.class_eval do
+          extend ClassMethods
+          include InstanceMethods
+        end
+      end
+      
+      module ClassMethods
+        # Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
+        # Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
+        # environment this is done for you, but if you are using Authlogic outside of your framework, you need to assign a controller
+        # object to Authlogic via Authlogic::Session::Base.controller = obj. See the controller= method for more information.
+        def activated?
+          !controller.nil?
+        end
+        
+        # This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
+        # between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
+        # extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
+        #
+        # Lastly, this is thread safe.
+        def controller=(value)
+          Thread.current[:authlogic_controller] = value
+        end
+        
+        # The current controller object
+        def controller
+          Thread.current[:authlogic_controller]
+        end
+      end
+      
+      module InstanceMethods
+        # Making sure we are activated before we start creating objects
+        def initialize(*args)
+          raise NotActivatedError.new(self) unless self.class.activated?
+          super
+        end
+        
+        private
+          def controller
+            self.class.controller
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/active_record_trickery.rb

@@ -0,0 +1,64 @@
+module Authlogic
+  module Session
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
+    # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
+    # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
+    # advantage of the many ActiveRecord tools.
+    module ActiveRecordTrickery
+      def self.included(klass)
+        klass.extend ClassMethods
+        klass.send(:include, InstanceMethods)
+      end
+      
+      module ClassMethods
+        # How to name the attributes of Authlogic, works JUST LIKE ActiveRecord, but instead it uses the following
+        # namespace:
+        #
+        #   authlogic.attributes.user_session.login
+        def human_attribute_name(attribute_key_name, options = {})
+          options[:count] ||= 1
+          options[:default] ||= attribute_key_name.to_s.humanize
+          I18n.t("attributes.#{name.underscore}.#{attribute_key_name}", options)
+        end
+        
+        # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
+        #
+        #   authlogic.models.user_session
+        def human_name(*args)
+          I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
+        end
+        
+        # For rails < 2.3, mispelled
+        def self_and_descendents_from_active_record
+          [self]
+        end
+        
+        # For rails >= 2.3, mispelling fixed
+        def self_and_descendants_from_active_record
+          [self]
+        end
+        
+        # For rails >= 3.0
+        def model_name
+          if defined?(::ActiveModel)
+            ::ActiveModel::Name.new(self)
+          else
+            ::ActiveSupport::ModelName.new(self.to_s)
+          end
+        end
+      end
+      
+      module InstanceMethods
+        # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
+        def new_record?
+          new_session?
+        end
+        
+        # For rails >= 3.0
+        def to_model
+          self
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/session/base.rb

@@ -0,0 +1,37 @@
+module Authlogic
+  module Session # :nodoc:
+    # This is the base class Authlogic, where all modules are included. For information on functiionality see the various
+    # sub modules.
+    class Base
+      include Foundation
+      include Callbacks
+      
+      # Included first so that the session resets itself to nil
+      include Timeout
+      
+      # Included in a specific order so they are tried in this order when persisting
+      include Params
+      include Cookies
+      include Session
+      include HttpAuth
+      
+      # Included in a specific order so magic states gets ran after a record is found
+      include Password
+      include UnauthorizedRecord
+      include MagicStates
+      
+      include Activation
+      include ActiveRecordTrickery
+      include BruteForceProtection
+      include Existence
+      include Klass
+      include MagicColumns
+      include PerishableToken
+      include Persistence
+      include Scopes
+      include Id
+      include Validation
+      include PriorityRecord
+    end
+  end
+end