authlogic-nicho 6.5

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    # This is one of my favorite features that I think is pretty cool. It's
+    # things like this that make a library great and let you know you are on the
+    # right track.
+    #
+    # Just to clear up any confusion, Authlogic stores both the record id and
+    # the persistence token in the session. Why? So stale sessions can not be
+    # persisted. It stores the id so it can quickly find the record, and the
+    # persistence token to ensure no sessions are stale. So if the persistence
+    # token changes, the user must log back in.
+    #
+    # Well, the persistence token changes with the password. What happens if the
+    # user changes his own password? He shouldn't have to log back in, he's the
+    # one that made the change.
+    #
+    # That being said, wouldn't it be nice if their session and cookie
+    # information was automatically updated? Instead of cluttering up your
+    # controller with redundant session code. The same thing goes for new
+    # registrations.
+    #
+    # That's what this module is all about. This will automatically maintain the
+    # cookie and session values as records are saved.
+    module SessionMaintenance
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+
+      # Configuration for the session maintenance aspect of acts_as_authentic.
+      # These methods become class methods of ::ActiveRecord::Base.
+      module Config
+        # In order to turn off automatic maintenance of sessions
+        # after create, just set this to false.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def log_in_after_create(value = nil)
+          rw_config(:log_in_after_create, value, true)
+        end
+        alias log_in_after_create= log_in_after_create
+
+        # In order to turn off automatic maintenance of sessions when updating
+        # the password, just set this to false.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def log_in_after_password_change(value = nil)
+          rw_config(:log_in_after_password_change, value, true)
+        end
+        alias log_in_after_password_change= log_in_after_password_change
+
+        # As you may know, authlogic sessions can be separate by id (See
+        # Authlogic::Session::Base#id). You can specify here what session ids
+        # you want auto maintained. By default it is the main session, which has
+        # an id of nil.
+        #
+        # * <tt>Default:</tt> [nil]
+        # * <tt>Accepts:</tt> Array
+        def session_ids(value = nil)
+          rw_config(:session_ids, value, [nil])
+        end
+        alias session_ids= session_ids
+
+        # The name of the associated session class. This is inferred by the name
+        # of the model.
+        #
+        # * <tt>Default:</tt> "#{klass.name}Session".constantize
+        # * <tt>Accepts:</tt> Class
+        def session_class(value = nil)
+          const = begin
+                    "#{base_class.name}Session".constantize
+                  rescue NameError
+                    nil
+                  end
+          rw_config(:session_class, value, const)
+        end
+        alias session_class= session_class
+      end
+
+      # This module, as one of the `acts_as_authentic_modules`, is only included
+      # into an ActiveRecord model if that model calls `acts_as_authentic`.
+      module Methods
+        def self.included(klass)
+          klass.class_eval do
+            before_save :get_session_information, if: :update_sessions?
+            before_save :maintain_sessions, if: :update_sessions?
+          end
+        end
+
+        # Save the record and skip session maintenance all together.
+        def save_without_session_maintenance(**options)
+          self.skip_session_maintenance = true
+          result = save(**options)
+          self.skip_session_maintenance = false
+          result
+        end
+
+        private
+
+        def skip_session_maintenance=(value)
+          @skip_session_maintenance = value
+        end
+
+        def skip_session_maintenance
+          @skip_session_maintenance ||= false
+        end
+
+        def update_sessions?
+          !skip_session_maintenance &&
+            session_class &&
+            session_class.activated? &&
+            maintain_session? &&
+            !session_ids.blank? &&
+            will_save_change_to_persistence_token?
+        end
+
+        def maintain_session?
+          log_in_after_create? || log_in_after_password_change?
+        end
+
+        def get_session_information
+          # Need to determine if we are completely logged out, or logged in as
+          # another user.
+          @_sessions = []
+
+          session_ids.each do |session_id|
+            session = session_class.find(session_id, self)
+            @_sessions << session if session&.record
+          end
+        end
+
+        def maintain_sessions
+          if @_sessions.empty?
+            create_session
+          else
+            update_sessions
+          end
+        end
+
+        def create_session
+          # We only want to automatically login into the first session, since
+          # this is the main session. The other sessions are sessions that
+          # need to be created after logging into the main session.
+          session_id = session_ids.first
+          session_class.create(*[self, self, session_id].compact)
+
+          true
+        end
+
+        def update_sessions
+          # We found sessions above, let's update them with the new info
+          @_sessions.each do |stale_session|
+            next if stale_session.record != self
+            stale_session.unauthorized_record = self
+            stale_session.save
+          end
+
+          true
+        end
+
+        def session_ids
+          self.class.session_ids
+        end
+
+        def session_class
+          self.class.session_class
+        end
+
+        def log_in_after_create?
+          new_record? && self.class.log_in_after_create
+        end
+
+        def log_in_after_password_change?
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    # This module is responsible for maintaining the single_access token. For
+    # more information the single access token and how to use it, see "Params"
+    # in `Session::Base`.
+    module SingleAccessToken
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          add_acts_as_authentic_module(Methods)
+        end
+      end
+
+      # All configuration for the single_access token aspect of acts_as_authentic.
+      #
+      # These methods become class methods of ::ActiveRecord::Base.
+      module Config
+        # The single access token is used for authentication via URLs, such as a private
+        # feed. That being said, if the user changes their password, that token probably
+        # shouldn't change. If it did, the user would have to update all of their URLs. So
+        # be default this is option is disabled, if you need it, feel free to turn it on.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def change_single_access_token_with_password(value = nil)
+          rw_config(:change_single_access_token_with_password, value, false)
+        end
+        alias change_single_access_token_with_password= change_single_access_token_with_password
+      end
+
+      # All method, for the single_access token aspect of acts_as_authentic.
+      #
+      # This module, as one of the `acts_as_authentic_modules`, is only included
+      # into an ActiveRecord model if that model calls `acts_as_authentic`.
+      module Methods
+        def self.included(klass)
+          return unless klass.column_names.include?("single_access_token")
+
+          klass.class_eval do
+            include InstanceMethods
+            validates_uniqueness_of :single_access_token,
+              case_sensitive: true,
+              if: :will_save_change_to_single_access_token?
+
+            before_validation :reset_single_access_token, if: :reset_single_access_token?
+            if respond_to?(:after_password_set)
+              after_password_set(
+                :reset_single_access_token,
+                if: :change_single_access_token_with_password?
+              )
+            end
+          end
+        end
+
+        # :nodoc:
+        module InstanceMethods
+          # Resets the single_access_token to a random friendly token.
+          def reset_single_access_token
+            self.single_access_token = Authlogic::Random.friendly_token
+          end
+
+          # same as reset_single_access_token, but then saves the record.
+          def reset_single_access_token!
+            reset_single_access_token
+            save_without_session_maintenance
+          end
+
+          protected
+
+          def reset_single_access_token?
+            single_access_token.blank?
+          end
+
+          def change_single_access_token_with_password?
+            self.class.change_single_access_token_with_password == true
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/config.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Mixed into `Authlogic::ActsAsAuthentic::Base` and
+  # `Authlogic::Session::Base`.
+  module Config
+    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS
+      This Authlogic configuration option (%s) is deprecated. Use normal
+      ActiveRecord validation instead. Detailed instructions:
+      https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
+    EOS
+
+    def self.extended(klass)
+      klass.class_eval do
+        # TODO: Is this a confusing name, given this module is mixed into
+        # both `Authlogic::ActsAsAuthentic::Base` and
+        # `Authlogic::Session::Base`? Perhaps a more generic name, like
+        # `authlogic_config` would be better?
+        class_attribute :acts_as_authentic_config
+        self.acts_as_authentic_config ||= {}
+      end
+    end
+
+    private
+
+    def deprecate_authlogic_config(method_name)
+      ::ActiveSupport::Deprecation.warn(
+        format(E_USE_NORMAL_RAILS_VALIDATION, method_name)
+      )
+    end
+
+    # This is a one-liner method to write a config setting, read the config
+    # setting, and also set a default value for the setting.
+    def rw_config(key, value, default_value = nil)
+      if value.nil?
+        acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
+      else
+        self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
+        value
+      end
+    end
+  end
+end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ControllerAdapters # :nodoc:
+    # Allows you to use Authlogic in any framework you want, not just rails. See
+    # the RailsAdapter for an example of how to adapt Authlogic to work with
+    # your framework.
+    class AbstractAdapter
+      E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
+        "implemented by the controller adapter"
+      ENV_SESSION_OPTIONS = "rack.session.options"
+
+      attr_accessor :controller
+
+      def initialize(controller)
+        self.controller = controller
+      end
+
+      def authenticate_with_http_basic
+        @auth = Rack::Auth::Basic::Request.new(controller.request.env)
+        if @auth.provided? && @auth.basic?
+          yield(*@auth.credentials)
+        else
+          false
+        end
+      end
+
+      def cookies
+        controller.cookies
+      end
+
+      def cookie_domain
+        raise NotImplementedError, E_COOKIE_DOMAIN_ADAPTER
+      end
+
+      def params
+        controller.params
+      end
+
+      def request
+        controller.request
+      end
+
+      def request_content_type
+        request.content_type
+      end
+
+      # Inform Rack that we would like a new session ID to be assigned. Changes
+      # the ID, but not the contents of the session.
+      #
+      # The `:renew` option is read by `rack/session/abstract/id.rb`.
+      #
+      # This is how Devise (via warden) implements defense against Session
+      # Fixation. Our implementation is copied directly from the warden gem
+      # (set_user in warden/proxy.rb)
+      def renew_session_id
+        env = request.env
+        options = env[ENV_SESSION_OPTIONS]
+        if options
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+      end
+
+      def session
+        controller.session
+      end
+
+      def responds_to_single_access_allowed?
+        controller.respond_to?(:single_access_allowed?, true)
+      end
+
+      def single_access_allowed?
+        controller.send(:single_access_allowed?)
+      end
+
+      # You can disable the updating of `last_request_at`
+      # on a per-controller basis.
+      #
+      #   # in your controller
+      #   def last_request_update_allowed?
+      #     false
+      #   end
+      #
+      # For example, what if you had a javascript function that polled the
+      # server updating how much time is left in their session before it
+      # times out. Obviously you would want to ignore this request, because
+      # then the user would never time out. So you can do something like
+      # this in your controller:
+      #
+      #   def last_request_update_allowed?
+      #     action_name != "update_session_time_left"
+      #   end
+      #
+      # See `authlogic/session/magic_columns.rb` to learn more about the
+      # `last_request_at` column itself.
+      def last_request_update_allowed?
+        if controller.respond_to?(:last_request_update_allowed?, true)
+          controller.send(:last_request_update_allowed?)
+        else
+          true
+        end
+      end
+
+      def respond_to_missing?(*args)
+        super(*args) || controller.respond_to?(*args)
+      end
+
+      private
+
+      def method_missing(id, *args, &block)
+        controller.send(id, *args, &block)
+      end
+    end
+  end
+end

data/lib/authlogic/controller_adapters/rack_adapter.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ControllerAdapters
+    # Adapter for authlogic to make it function as a Rack middleware.
+    # First you'll have write your own Rack adapter where you have to set your cookie domain.
+    #
+    #     class YourRackAdapter < Authlogic::ControllerAdapters::RackAdapter
+    #       def cookie_domain
+    #         'your_cookie_domain_here.com'
+    #       end
+    #     end
+    #
+    # Next you need to set up a rack middleware like this:
+    #
+    #     class AuthlogicMiddleware
+    #       def initialize(app)
+    #         @app = app
+    #       end
+    #
+    #       def call(env)
+    #         YourRackAdapter.new(env)
+    #         @app.call(env)
+    #       end
+    #     end
+    #
+    # And that is all! Now just load this middleware into rack:
+    #
+    #     use AuthlogicMiddleware
+    #
+    # Authlogic will expect a User and a UserSession object to be present:
+    #
+    #     class UserSession < Authlogic::Session::Base
+    #       # Authlogic options go here
+    #     end
+    #
+    #     class User < ApplicationRecord
+    #       acts_as_authentic
+    #     end
+    #
+    class RackAdapter < AbstractAdapter
+      def initialize(env)
+        # We use the Rack::Request object as the controller object.
+        # For this to work, we have to add some glue.
+        request = Rack::Request.new(env)
+
+        request.instance_eval do
+          def request
+            self
+          end
+
+          def remote_ip
+            ip
+          end
+        end
+
+        super(request)
+        Authlogic::Session::Base.controller = self
+      end
+
+      # Rack Requests stores cookies with not just the value, but also with
+      # flags and expire information in the hash. Authlogic does not like this,
+      # so we drop everything except the cookie value.
+      def cookies
+        controller
+          .cookies
+          .map { |key, value_hash| { key => value_hash[:value] } }
+          .inject(:merge) || {}
+      end
+    end
+  end
+end

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ControllerAdapters
+    # Adapts authlogic to work with rails. The point is to close the gap between
+    # what authlogic expects and what the rails controller object provides.
+    # Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite,
+    # etc.
+    class RailsAdapter < AbstractAdapter
+      def authenticate_with_http_basic(&block)
+        controller.authenticate_with_http_basic(&block)
+      end
+
+      # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
+      # http://guides.rubyonrails.org/action_controller_overview.html#cookies
+      def cookies
+        controller.respond_to?(:cookies, true) ? controller.send(:cookies) : nil
+      end
+
+      def cookie_domain
+        controller.request.session_options[:domain]
+      end
+
+      def request_content_type
+        request.format.to_s
+      end
+
+      # Lets Authlogic know about the controller object via a before filter, AKA
+      # "activates" authlogic.
+      module RailsImplementation
+        def self.included(klass) # :nodoc:
+          klass.prepend_before_action :activate_authlogic
+        end
+
+        private
+
+        def activate_authlogic
+          Authlogic::Session::Base.controller = RailsAdapter.new(self)
+        end
+      end
+    end
+  end
+end
+
+ActiveSupport.on_load(:action_controller) do
+  include Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation
+end

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+# Authlogic bridge for Sinatra
+module Authlogic
+  module ControllerAdapters
+    module SinatraAdapter
+      # Cookie management functions
+      class Cookies
+        attr_reader :request, :response
+
+        def initialize(request, response)
+          @request = request
+          @response = response
+        end
+
+        def delete(key, options = {})
+          @response.delete_cookie(key, options)
+        end
+
+        def []=(key, options)
+          @response.set_cookie(key, options)
+        end
+
+        def method_missing(meth, *args, &block)
+          @request.cookies.send(meth, *args, &block)
+        end
+      end
+
+      # Thin wrapper around request and response.
+      class Controller
+        attr_reader :request, :response, :cookies
+
+        def initialize(request, response)
+          @request = request
+          @cookies = Cookies.new(request, response)
+        end
+
+        def session
+          env["rack.session"]
+        end
+
+        def method_missing(meth, *args, &block)
+          @request.send meth, *args, &block
+        end
+      end
+
+      # Sinatra controller adapter
+      class Adapter < AbstractAdapter
+        def cookie_domain
+          env["SERVER_NAME"]
+        end
+
+        # Mixed into `Sinatra::Base`
+        module Implementation
+          def self.included(klass)
+            klass.send :before do
+              controller = Controller.new(request, response)
+              Authlogic::Session::Base.controller = Adapter.new(controller)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+Sinatra::Base.send(:include, Authlogic::ControllerAdapters::SinatraAdapter::Adapter::Implementation)

data/lib/authlogic/cookie_credentials.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Represents the credentials *in* the cookie. The value of the cookie.
+  # This is primarily a data object. It doesn't interact with controllers.
+  # It doesn't know about eg. cookie expiration.
+  #
+  # @api private
+  class CookieCredentials
+    # @api private
+    class ParseError < RuntimeError
+    end
+
+    DELIMITER = "::"
+
+    attr_reader :persistence_token, :record_id, :remember_me_until
+
+    # @api private
+    # @param persistence_token [String]
+    # @param record_id [String, Numeric]
+    # @param remember_me_until [ActiveSupport::TimeWithZone]
+    def initialize(persistence_token, record_id, remember_me_until)
+      @persistence_token = persistence_token
+      @record_id = record_id
+      @remember_me_until = remember_me_until
+    end
+
+    class << self
+      # @api private
+      def parse(string)
+        parts = string.split(DELIMITER)
+        unless (1..3).cover?(parts.length)
+          raise ParseError, format("Expected 1..3 parts, got %d", parts.length)
+        end
+        new(parts[0], parts[1], parse_time(parts[2]))
+      end
+
+      private
+
+      # @api private
+      def parse_time(string)
+        return if string.nil?
+        ::Time.parse(string)
+      rescue ::ArgumentError => e
+        raise ParseError, format("Found cookie, cannot parse remember_me_until: #{e}")
+      end
+    end
+
+    # @api private
+    def remember_me?
+      !@remember_me_until.nil?
+    end
+
+    # @api private
+    def to_s
+      [
+        @persistence_token,
+        @record_id.to_s,
+        @remember_me_until&.iso8601
+      ].compact.join(DELIMITER)
+    end
+  end
+end