authentication-logic 0.1.0

data/lib/auth/logic/acts_as_authentic/password.rb

@@ -0,0 +1,362 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      # This module has a lot of neat functionality. It is responsible for encrypting your
+      # password, salting it, and verifying it. It can also help you transition to a new
+      # encryption algorithm. See the Config sub module for configuration options.
+      module Password
+        def self.included(klass)
+          klass.class_eval do
+            extend Config
+            add_acts_as_authentic_module(Callbacks)
+            add_acts_as_authentic_module(Methods)
+          end
+        end
+
+        # All configuration for the password aspect of acts_as_authentic.
+        module Config
+          # The name of the crypted_password field in the database.
+          #
+          # * <tt>Default:</tt> :crypted_password, :encrypted_password, :password_hash, or :pw_hash
+          # * <tt>Accepts:</tt> Symbol
+          def crypted_password_field(value = nil)
+            rw_config(
+              :crypted_password_field,
+              value,
+              first_column_to_exist(
+                nil,
+                :crypted_password,
+                :encrypted_password,
+                :password_hash,
+                :pw_hash
+              )
+            )
+          end
+          alias crypted_password_field= crypted_password_field
+
+          # The name of the password_salt field in the database.
+          #
+          # * <tt>Default:</tt> :password_salt, :pw_salt, :salt, nil if none exist
+          # * <tt>Accepts:</tt> Symbol
+          def password_salt_field(value = nil)
+            rw_config(
+              :password_salt_field,
+              value,
+              first_column_to_exist(nil, :password_salt, :pw_salt, :salt)
+            )
+          end
+          alias password_salt_field= password_salt_field
+
+          # Whether or not to require a password confirmation. If you don't want your users
+          # to confirm their password just set this to false.
+          #
+          # * <tt>Default:</tt> true
+          # * <tt>Accepts:</tt> Boolean
+          def require_password_confirmation(value = nil)
+            rw_config(:require_password_confirmation, value, true)
+          end
+          alias require_password_confirmation= require_password_confirmation
+
+          # By default passwords are required when a record is new or the crypted_password
+          # is blank, but if both of these things are met a password is not required. In
+          # this case, blank passwords are ignored.
+          #
+          # Think about a profile page, where the user can edit all of their information,
+          # including changing their password. If they do not want to change their password
+          # they just leave the fields blank. This will try to set the password to a blank
+          # value, in which case is incorrect behavior. As such, Authentication::Logic ignores this. But
+          # let's say you have a completely separate page for resetting passwords, you might
+          # not want to ignore blank passwords. If this is the case for you, then just set
+          # this value to false.
+          #
+          # * <tt>Default:</tt> true
+          # * <tt>Accepts:</tt> Boolean
+          def ignore_blank_passwords(value = nil)
+            rw_config(:ignore_blank_passwords, value, true)
+          end
+          alias ignore_blank_passwords= ignore_blank_passwords
+
+          # When calling valid_password?("some pass") do you want to check that password
+          # against what's in that object or whats in the database. Take this example:
+          #
+          #   u = User.first
+          #   u.password = "new pass"
+          #   u.valid_password?("old pass")
+          #
+          # Should the last line above return true or false? The record hasn't been saved
+          # yet, so most would assume true. Other would assume false. So I let you decide by
+          # giving you this option.
+          #
+          # * <tt>Default:</tt> true
+          # * <tt>Accepts:</tt> Boolean
+          def check_passwords_against_database(value = nil)
+            rw_config(:check_passwords_against_database, value, true)
+          end
+          alias check_passwords_against_database= check_passwords_against_database
+
+          # The class you want to use to encrypt and verify your encrypted
+          # passwords. See the Authentication::Logic::CryptoProviders module for more info on
+          # the available methods and how to create your own.
+          #
+          # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
+          # best choice for password storage today. We recommend SCrypt. Other
+          # one-way functions like SHA512 are inferior, but widely used.
+          # Reversible functions like AES256 are the worst choice, and we no
+          # longer support them.
+          #
+          # You can use the `transition_from_crypto_providers` option to gradually
+          # transition to a better crypto provider without causing your users any
+          # pain.
+          #
+          # * <tt>Default:</tt> There is no longer a default value. Prior to
+          #   Authentication::Logic 6, the default was `CryptoProviders::SCrypt`. If you try
+          #   to read this config option before setting it, it will raise a
+          #   `NilCryptoProvider` error. See that error's message for further
+          #   details, and rationale for this change.
+          # * <tt>Accepts:</tt> Class
+          def crypto_provider
+            acts_as_authentic_config[:crypto_provider].tap do |provider|
+              raise NilCryptoProvider if provider.nil?
+            end
+          end
+
+          def crypto_provider=(value)
+            raise NilCryptoProvider if value.nil?
+
+            CryptoProviders::Guidance.new(value).impart_wisdom
+            rw_config(:crypto_provider, value)
+          end
+
+          # Let's say you originally encrypted your passwords with Sha1. Sha1 is
+          # starting to join the party with MD5 and you want to switch to
+          # something stronger. No problem, just specify your new and improved
+          # algorithm with the crypt_provider option and then let Authentication::Logic know
+          # you are transitioning from Sha1 using this option. Authentication::Logic will take
+          # care of everything, including transitioning your users to the new
+          # algorithm. The next time a user logs in, they will be granted access
+          # using the old algorithm and their password will be resaved with the
+          # new algorithm. All new users will obviously use the new algorithm as
+          # well.
+          #
+          # Lastly, if you want to transition again, you can pass an array of
+          # crypto providers. So you can transition from as many algorithms as you
+          # want.
+          #
+          # * <tt>Default:</tt> nil
+          # * <tt>Accepts:</tt> Class or Array
+          def transition_from_crypto_providers(value = nil)
+            rw_config(
+              :transition_from_crypto_providers,
+              (!value.nil? && [value].flatten.compact) || value,
+              []
+            )
+          end
+          alias transition_from_crypto_providers= transition_from_crypto_providers
+        end
+
+        # Callbacks / hooks to allow other modules to modify the behavior of this module.
+        module Callbacks
+          # Does the order of this array matter?
+          METHODS = %w[
+            password_set
+            password_verification
+          ].freeze
+
+          def self.included(klass)
+            return if klass.crypted_password_field.nil?
+
+            klass.send :extend, ActiveModel::Callbacks
+            METHODS.each do |method|
+              klass.define_model_callbacks method, only: %i[before after]
+            end
+          end
+        end
+
+        # The methods related to the password field.
+        module Methods
+          def self.included(klass)
+            return if klass.crypted_password_field.nil?
+
+            klass.class_eval do
+              include InstanceMethods
+              after_save :reset_password_changed
+            end
+          end
+
+          # :nodoc:
+          module InstanceMethods
+            # The password
+            def password
+              return nil unless defined?(@password)
+
+              @password
+            end
+
+            # This is a virtual method. Once a password is passed to it, it will
+            # create new password salt as well as encrypt the password.
+            def password=(pass)
+              return if ignore_blank_passwords? && pass.blank?
+
+              run_callbacks :password_set do
+                @password = pass
+                send("#{password_salt_field}=", Authentication::Logic::Random.friendly_token) if password_salt_field
+                send(
+                  "#{crypted_password_field}=",
+                  crypto_provider.encrypt(*encrypt_arguments(@password, false))
+                )
+                @password_changed = true
+              end
+            end
+
+            # Accepts a raw password to determine if it is the correct password.
+            #
+            # - attempted_password [String] - password entered by user
+            # - check_against_database [boolean] - Should we check the password
+            #   against the value in the database or the value in the object?
+            #   Default taken from config option check_passwords_against_database.
+            #   See config method for more information.
+            def valid_password?(
+              attempted_password,
+              check_against_database = check_passwords_against_database?
+            )
+              crypted = crypted_password_to_validate_against(check_against_database)
+              return false if attempted_password.blank? || crypted.blank?
+
+              run_callbacks :password_verification do
+                crypto_providers.each_with_index.any? do |encryptor, index|
+                  if encryptor_matches?(
+                    crypted,
+                    encryptor,
+                    attempted_password,
+                    check_against_database
+                  )
+                    if transition_password?(index, encryptor, check_against_database)
+                      transition_password(attempted_password)
+                    end
+                    true
+                  else
+                    false
+                  end
+                end
+              end
+            end
+
+            # Resets the password to a random friendly token.
+            def reset_password
+              friendly_token = Authentication::Logic::Random.friendly_token
+              self.password = friendly_token
+              self.password_confirmation = friendly_token if self.class.require_password_confirmation
+            end
+            alias randomize_password reset_password
+
+            # Resets the password to a random friendly token and then saves the record.
+            def reset_password!
+              reset_password
+              save_without_session_maintenance(validate: false)
+            end
+            alias randomize_password! reset_password!
+
+            private
+
+            def crypted_password_to_validate_against(check_against_database)
+              if check_against_database && send("will_save_change_to_#{crypted_password_field}?")
+                send("#{crypted_password_field}_in_database")
+              else
+                send(crypted_password_field)
+              end
+            end
+
+            def check_passwords_against_database?
+              self.class.check_passwords_against_database == true
+            end
+
+            def crypto_providers
+              [crypto_provider] + transition_from_crypto_providers
+            end
+
+            # Returns an array of arguments to be passed to a crypto provider, either its
+            # `matches?` or its `encrypt` method.
+            def encrypt_arguments(raw_password, check_against_database)
+              salt = nil
+              if password_salt_field
+                salt =
+                  if check_against_database && send("will_save_change_to_#{password_salt_field}?")
+                    send("#{password_salt_field}_in_database")
+                  else
+                    send(password_salt_field)
+                  end
+              end
+              [raw_password, salt].compact
+            end
+
+            # Given `encryptor`, does `attempted_password` match the `crypted` password?
+            def encryptor_matches?(crypted, encryptor, attempted_password, check_against_database)
+              encryptor_args = encrypt_arguments(attempted_password, check_against_database)
+              encryptor.matches?(crypted, *encryptor_args)
+            end
+
+            # Determines if we need to transition the password.
+            #
+            # - If the index > 0 then we are using a "transition from" crypto
+            #   provider.
+            # - If the encryptor has a cost and the cost it outdated.
+            # - If we aren't using database values
+            # - If we are using database values, only if the password hasn't
+            #   changed so we don't overwrite any changes
+            def transition_password?(index, encryptor, check_against_database)
+              (
+                index.positive? ||
+                (encryptor.respond_to?(:cost_matches?) &&
+                !encryptor.cost_matches?(send(crypted_password_field)))
+              ) &&
+                (
+                  !check_against_database ||
+                  !send("will_save_change_to_#{crypted_password_field}?")
+                )
+            end
+
+            def transition_password(attempted_password)
+              self.password = attempted_password
+              save(validate: false)
+            end
+
+            def require_password?
+              # this is _not_ the activemodel changed? method, see below
+              new_record? || password_changed? || send(crypted_password_field).blank?
+            end
+
+            def ignore_blank_passwords?
+              self.class.ignore_blank_passwords == true
+            end
+
+            def password_changed?
+              defined?(@password_changed) && @password_changed == true
+            end
+
+            def reset_password_changed
+              @password_changed = nil
+            end
+
+            def crypted_password_field
+              self.class.crypted_password_field
+            end
+
+            def password_salt_field
+              self.class.password_salt_field
+            end
+
+            def crypto_provider
+              self.class.crypto_provider
+            end
+
+            def transition_from_crypto_providers
+              self.class.transition_from_crypto_providers
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/acts_as_authentic/perishable_token.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      # This provides a handy token that is "perishable", meaning the token is
+      # only good for a certain amount of time.
+      #
+      # This is useful for resetting password, confirming accounts, etc. Typically
+      # during these actions you send them this token in an email. Once they use
+      # the token and do what they need to do, that token should expire.
+      #
+      # Don't worry about maintaining the token, changing it, or expiring it
+      # yourself. Authentication::Logic does all of this for you. See the sub modules for all
+      # of the tools Authentication::Logic provides to you.
+      module PerishableToken
+        def self.included(klass)
+          klass.class_eval do
+            extend Config
+            add_acts_as_authentic_module(Methods)
+          end
+        end
+
+        # Configure the perishable token.
+        module Config
+          # When using the find_using_perishable_token method the token can
+          # expire. If the token is expired, no record will be returned. Use this
+          # option to specify how long the token is valid for.
+          #
+          # * <tt>Default:</tt> 10.minutes
+          # * <tt>Accepts:</tt> Fixnum
+          def perishable_token_valid_for(value = nil)
+            rw_config(
+              :perishable_token_valid_for,
+              (!value.nil? && value.to_i) || value,
+              10.minutes.to_i
+            )
+          end
+          alias perishable_token_valid_for= perishable_token_valid_for
+
+          # Authentication::Logic tries to expire and change the perishable token as much as
+          # possible, without compromising its purpose. If you want to manage it
+          # yourself, set this to true.
+          #
+          # * <tt>Default:</tt> false
+          # * <tt>Accepts:</tt> Boolean
+          def disable_perishable_token_maintenance(value = nil)
+            rw_config(:disable_perishable_token_maintenance, value, false)
+          end
+          alias disable_perishable_token_maintenance= disable_perishable_token_maintenance
+        end
+
+        # All methods relating to the perishable token.
+        module Methods
+          def self.included(klass)
+            return unless klass.column_names.include?("perishable_token")
+
+            klass.class_eval do
+              extend ClassMethods
+              include InstanceMethods
+
+              validates_uniqueness_of :perishable_token, case_sensitive: true,
+                                                         if: :will_save_change_to_perishable_token?
+              before_save :reset_perishable_token, unless: :disable_perishable_token_maintenance?
+            end
+          end
+
+          # :nodoc:
+          module ClassMethods
+            # Use this method to find a record with a perishable token. This
+            # method does 2 things for you:
+            #
+            # 1. It ignores blank tokens
+            # 2. It enforces the perishable_token_valid_for configuration option.
+            #
+            # If you want to use a different timeout value, just pass it as the
+            # second parameter:
+            #
+            #   User.find_using_perishable_token(token, 1.hour)
+            def find_using_perishable_token(token, age = perishable_token_valid_for)
+              return if token.blank?
+
+              age = age.to_i
+
+              conditions_sql = "perishable_token = ?"
+              conditions_subs = [token.to_s]
+
+              if column_names.include?("updated_at") && age.positive?
+                conditions_sql += " and updated_at > ?"
+                conditions_subs << age.seconds.ago
+              end
+
+              where(conditions_sql, *conditions_subs).first
+            end
+
+            # This method will raise ActiveRecord::NotFound if no record is found.
+            def find_using_perishable_token!(token, age = perishable_token_valid_for)
+              find_using_perishable_token(token, age) || raise(ActiveRecord::RecordNotFound)
+            end
+          end
+
+          # :nodoc:
+          module InstanceMethods
+            # Resets the perishable token to a random friendly token.
+            def reset_perishable_token
+              self.perishable_token = Random.friendly_token
+            end
+
+            # Same as reset_perishable_token, but then saves the record afterwards.
+            def reset_perishable_token!
+              reset_perishable_token
+              save_without_session_maintenance(validate: false)
+            end
+
+            # A convenience method based on the
+            # disable_perishable_token_maintenance configuration option.
+            def disable_perishable_token_maintenance?
+              self.class.disable_perishable_token_maintenance == true
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/acts_as_authentic/persistence_token.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      # Maintains the persistence token, the token responsible for persisting sessions. This token
+      # gets stored in the session and the cookie.
+      module PersistenceToken
+        def self.included(klass)
+          klass.class_eval do
+            add_acts_as_authentic_module(Methods)
+          end
+        end
+
+        # Methods for the persistence token.
+        module Methods
+          def self.included(klass)
+            klass.class_eval do
+              extend ClassMethods
+              include InstanceMethods
+
+              # If the table does not have a password column, then
+              # `after_password_set` etc. will not be defined. See
+              # `Authentication::Logic::ActsAsAuthentic::Password::Callbacks.included`
+              if respond_to?(:after_password_set) && respond_to?(:after_password_verification)
+                after_password_set :reset_persistence_token
+                after_password_verification :reset_persistence_token!, if: :reset_persistence_token?
+              end
+
+              validates_presence_of :persistence_token
+              validates_uniqueness_of :persistence_token, case_sensitive: true,
+                                                          if: :will_save_change_to_persistence_token?
+
+              before_validation :reset_persistence_token, if: :reset_persistence_token?
+            end
+          end
+
+          # :nodoc:
+          module ClassMethods
+            # Resets ALL persistence tokens in the database, which will require
+            # all users to re-authenticate.
+            def forget_all
+              # Paginate these to save on memory
+              find_each(batch_size: 50, &:forget!)
+            end
+          end
+
+          # :nodoc:
+          module InstanceMethods
+            # Resets the persistence_token field to a random hex value.
+            def reset_persistence_token
+              self.persistence_token = Authentication::Logic::Random.hex_token
+            end
+
+            # Same as reset_persistence_token, but then saves the record.
+            def reset_persistence_token!
+              reset_persistence_token
+              save_without_session_maintenance(validate: false)
+            end
+            alias forget! reset_persistence_token!
+
+            private
+
+            def reset_persistence_token?
+              persistence_token.blank?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/acts_as_authentic/queries/case_sensitivity.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      module Queries
+        # @api private
+        class CaseSensitivity
+          E_UNABLE_TO_DETERMINE_SENSITIVITY = <<~EOS
+            Authentication::Logic was unable to determine what case-sensitivity to use when
+            searching for email/login. To specify a sensitivity, validate the
+            uniqueness of the email/login and use the `case_sensitive` option,
+            like this:
+
+                validates :email, uniqueness: { case_sensitive: false }
+
+            Authentication::Logic will now perform a case-insensitive query.
+          EOS
+
+          # @api private
+          def initialize(model_class, attribute)
+            @model_class = model_class
+            @attribute = attribute.to_sym
+          end
+
+          # @api private
+          def sensitive?
+            sensitive = uniqueness_validator_options[:case_sensitive]
+            if sensitive.nil?
+              ::Kernel.warn(E_UNABLE_TO_DETERMINE_SENSITIVITY)
+              false
+            else
+              sensitive
+            end
+          end
+
+          private
+
+          # @api private
+          def uniqueness_validator
+            @model_class.validators.select do |v|
+              v.is_a?(::ActiveRecord::Validations::UniquenessValidator) &&
+                v.attributes == [@attribute]
+            end.first
+          end
+
+          # @api private
+          def uniqueness_validator_options
+            uniqueness_validator&.options || {}
+          end
+        end
+      end
+    end
+  end
+end

data/lib/auth/logic/acts_as_authentic/queries/find_with_case.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Authentication
+  module Logic
+    module ActsAsAuthentic
+      module Queries
+        # The query used by public-API method `find_by_smart_case_login_field`.
+        #
+        # We use the rails methods `case_insensitive_comparison` and
+        # `case_sensitive_comparison`. These methods nicely take into account
+        # MySQL collations. (Consider the case where a user *says* they want a
+        # case-sensitive uniqueness validation, but then they configure their
+        # database to have an insensitive collation. Rails will handle this for
+        # us, by downcasing, see
+        # `active_record/connection_adapters/abstract_mysql_adapter.rb`) So that's
+        # great! But, these methods are not part of rails' public API, so there
+        # are no docs. So, everything we know about how to use the methods
+        # correctly comes from mimicing what we find in
+        # `active_record/validations/uniqueness.rb`.
+        #
+        # @api private
+        class FindWithCase
+          # Dup ActiveRecord.gem_version before freezing, in case someone
+          # else wants to modify it. Freezing modifies an object in place.
+          # https://github.com/binarylogic/authlogic/pull/590
+          AR_GEM_VERSION = ::ActiveRecord.gem_version.dup.freeze
+
+          # @api private
+          def initialize(model_class, field, value, sensitive)
+            @model_class = model_class
+            @field = field.to_s
+            @value = value
+            @sensitive = sensitive
+          end
+
+          # @api private
+          def execute
+            @model_class.where(comparison).first
+          end
+
+          private
+
+          # @api private
+          # @return Arel::Nodes::Equality
+          def comparison
+            @sensitive ? sensitive_comparison : insensitive_comparison
+          end
+
+          # @api private
+          def insensitive_comparison
+            if Gem::Version.new("5.3") < AR_GEM_VERSION
+              @model_class.connection.case_insensitive_comparison(
+                @model_class.arel_table[@field], @value
+              )
+            else
+              @model_class.connection.case_insensitive_comparison(
+                @model_class.arel_table,
+                @field,
+                @model_class.columns_hash[@field],
+                @value
+              )
+            end
+          end
+
+          # @api private
+          def sensitive_comparison
+            bound_value = @model_class.predicate_builder.build_bind_attribute(@field, @value)
+            if Gem::Version.new("5.3") < AR_GEM_VERSION
+              @model_class.connection.case_sensitive_comparison(
+                @model_class.arel_table[@field], bound_value
+              )
+            else
+              @model_class.connection.case_sensitive_comparison(
+                @model_class.arel_table,
+                @field,
+                @model_class.columns_hash[@field],
+                bound_value
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end