authlogic 1.4.1 → 1.4.2

data/CHANGELOG.rdoc

@@ -1,3 +1,11 @@
+== 1.4.2 released 2009-2-20
+
+* Cleaned up callbacks system to use hooks and execute in the proper order.
+* Added brute force protection. See the consecutive_failed_logins_limit configuration option in Authlogic::Session::Config. Also see Authlogic::Session:BruteForceProtection
+* Fixed issue with calling stale? when there is no record.
+* Simon Harris fixed the issue of using lock_version with the associated record and also optimized the library for better performance.
+* Implemented saving the record during the callback chain to execute as few queries as possible. This way modules can hook into Authlogic, modify the associated record, and not have to worry about saving the record.
+
 == 1.4.1 released 2009-2-8
 
 * Fixed I18n key misspelling.

data/Manifest

@@ -10,6 +10,7 @@ lib/authlogic/crypto_providers/bcrypt.rb
 lib/authlogic/crypto_providers/sha1.rb
 lib/authlogic/crypto_providers/sha512.rb
 lib/authlogic/i18n.rb
+lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb
@@ -17,17 +18,18 @@ lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb
 lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb
-lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb
 lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb
 lib/authlogic/session/active_record_trickery.rb
 lib/authlogic/session/authenticates_many_association.rb
 lib/authlogic/session/base.rb
+lib/authlogic/session/brute_force_protection.rb
 lib/authlogic/session/callbacks.rb
 lib/authlogic/session/config.rb
 lib/authlogic/session/cookies.rb
 lib/authlogic/session/errors.rb
 lib/authlogic/session/params.rb
 lib/authlogic/session/perishability.rb
+lib/authlogic/session/record_info.rb
 lib/authlogic/session/scopes.rb
 lib/authlogic/session/session.rb
 lib/authlogic/session/timeout.rb
@@ -63,6 +65,7 @@ test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb
 test/session_tests/active_record_trickery_test.rb
 test/session_tests/authenticates_many_association_test.rb
 test/session_tests/base_test.rb
+test/session_tests/brute_force_protection_test.rb
 test/session_tests/config_test.rb
 test/session_tests/cookies_test.rb
 test/session_tests/params_test.rb

data/README.rdoc

@@ -129,6 +129,7 @@ The user model needs to have the following columns. The names of these columns c
     t.string    :single_access_token,   :null => false # optional, see the tokens section below.
     t.string    :perishable_token,      :null => false # optional, see the tokens section below.
     t.integer   :login_count,           :null => false, :default => 0 # optional, this is a "magic" column, see the magic columns section below
+    t.integer   :failed_login_count,    :null => false, :default => 0 # optional, this is a "magic" column, see the magic columns section below
 
 === Set up your model
 
@@ -178,6 +179,7 @@ Just like ActiveRecord has "magic" columns, such as: created_at and updated_at.
 
   Column name           Description
   login_count           Increased every time an explicit login is made. This will *NOT* increase if logging in by a session, cookie, or basic http auth
+  failed_login_count    This increases for each consecutive failed login. See Authlogic::Session::BruteForceProtection and the consecutive_failed_logins_limit config option for more details.
   last_request_at       Updates every time the user logs in, either by explicitly logging in, or logging in by cookie, session, or http auth
   current_login_at      Updates with the current time when an explicit login is made.
   last_login_at         Updates with the value of current_login_at before it is reset.
@@ -203,26 +205,7 @@ Need Authlogic to check your own "state"? No problem, check out the hooks sectio
 
 Just like ActiveRecord you can create your own hooks / callbacks so that you can do whatever you want when certain actions are performed. Such as before_save, after_save, etc.
 
-  before_create
-  after_create
-  
-  before_destroy
-  after_destroy
-  
-  before_find
-  after_find
-  
-  before_save
-  after_save
-  
-  before_update
-  after_update
-  
-  before_validation
-  validate
-  after_validation
-
-See Authlogic::Session::Callbacks for more information
+See Authlogic::Session::Callbacks for more information.
 
 == Multiple Sessions / Session Identifiers
 
@@ -429,7 +412,7 @@ With the above information you should be able to scope your sessions any way you
 The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses the exact same ActiveRecord errors class. Use it the same way:
 
   class UserSession
-    before_validation :check_if_awesome
+    validate :check_if_awesome
     
     private
       def check_if_awesome
@@ -438,7 +421,7 @@ The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses the exact
       end
   end
 
-== Timing Out Sessions
+== Timing Out Sessions (Logging out after inactivity)
 
 Think about financial websites, if you are inactive for a certain period of time you will be asked to log back in on your next request. You can do this with Authlogic easily, there are 2 parts to this:
 
@@ -483,7 +466,7 @@ Obviously there is a little more to it than this, but hopefully this clarifies a
 
 When things come together like this I think its a sign that you are doing something right. Put that in your pipe and smoke it!
 
-== Internationalization (I18n)
+== Internationalization (I18n) / Changing Messages
 
 Please see Authlogic::I18n for more information. Internationalization is very easy to implement, in fact if you are using the default rails I18n library then you don't need to do anything other than defining the messages in your localization configuration files. See Authlogic::I18n for a complete list of keys you need to define.
 

data/authlogic.gemspec

@@ -2,15 +2,15 @@
 
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "1.4.1"
+  s.version = "1.4.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2009-02-08}
+  s.date = %q{2009-02-20}
   s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
   s.email = %q{bjohnson@binarylogic.com}
-  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/i18n.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/session/timeout.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
-  s.files = ["CHANGELOG.rdoc", "generators/session/session_generator.rb", "generators/session/templates/session.rb", "init.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/i18n.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/session/timeout.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "shoulda_macros/authlogic.rb", "test/crypto_provider_tests/aes256_test.rb", "test/crypto_provider_tests/bcrypt_test.rb", "test/crypto_provider_tests/sha1_test.rb", "test/crypto_provider_tests/sha512_test.rb", "test/fixtures/companies.yml", "test/fixtures/employees.yml", "test/fixtures/projects.yml", "test/fixtures/users.yml", "test/libs/mock_controller.rb", "test/libs/mock_cookie_jar.rb", "test/libs/mock_request.rb", "test/libs/ordered_hash.rb", "test/libs/user.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/perishability_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/perishability_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/session_tests/timeout_test.rb", "test/test_helper.rb", "authlogic.gemspec"]
+  s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/i18n.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/brute_force_protection.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/record_info.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/session/timeout.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]
+  s.files = ["CHANGELOG.rdoc", "generators/session/session_generator.rb", "generators/session/templates/session.rb", "init.rb", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/i18n.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/brute_force_protection.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/record_info.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/session/timeout.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "Manifest", "MIT-LICENSE", "Rakefile", "README.rdoc", "shoulda_macros/authlogic.rb", "test/crypto_provider_tests/aes256_test.rb", "test/crypto_provider_tests/bcrypt_test.rb", "test/crypto_provider_tests/sha1_test.rb", "test/crypto_provider_tests/sha512_test.rb", "test/fixtures/companies.yml", "test/fixtures/employees.yml", "test/fixtures/projects.yml", "test/fixtures/users.yml", "test/libs/mock_controller.rb", "test/libs/mock_cookie_jar.rb", "test/libs/mock_request.rb", "test/libs/ordered_hash.rb", "test/libs/user.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/perishability_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/brute_force_protection_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/perishability_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/session_tests/timeout_test.rb", "test/test_helper.rb", "authlogic.gemspec"]
   s.has_rdoc = true
   s.homepage = %q{http://github.com/binarylogic/authlogic}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Authlogic", "--main", "README.rdoc"]
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
   s.rubyforge_project = %q{authlogic}
   s.rubygems_version = %q{1.3.1}
   s.summary = %q{A clean, simple, and unobtrusive ruby authentication solution.}
-  s.test_files = ["test/crypto_provider_tests/aes256_test.rb", "test/crypto_provider_tests/bcrypt_test.rb", "test/crypto_provider_tests/sha1_test.rb", "test/crypto_provider_tests/sha512_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/perishability_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/perishability_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/session_tests/timeout_test.rb", "test/test_helper.rb"]
+  s.test_files = ["test/crypto_provider_tests/aes256_test.rb", "test/crypto_provider_tests/bcrypt_test.rb", "test/crypto_provider_tests/sha1_test.rb", "test/crypto_provider_tests/sha512_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/logged_in_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/perishability_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/persistence_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/session_maintenance_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/single_access_test.rb", "test/orm_adapters_tests/active_record_adapter_tests/authenticates_many_test.rb", "test/session_tests/active_record_trickery_test.rb", "test/session_tests/authenticates_many_association_test.rb", "test/session_tests/base_test.rb", "test/session_tests/brute_force_protection_test.rb", "test/session_tests/config_test.rb", "test/session_tests/cookies_test.rb", "test/session_tests/params_test.rb", "test/session_tests/perishability_test.rb", "test/session_tests/scopes_test.rb", "test/session_tests/session_test.rb", "test/session_tests/timeout_test.rb", "test/test_helper.rb"]
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
@@ -27,15 +27,12 @@ Gem::Specification.new do |s|
     if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<activesupport>, [">= 0"])
       s.add_runtime_dependency(%q<echoe>, [">= 0"])
-      s.add_development_dependency(%q<echoe>, [">= 0"])
     else
       s.add_dependency(%q<activesupport>, [">= 0"])
       s.add_dependency(%q<echoe>, [">= 0"])
-      s.add_dependency(%q<echoe>, [">= 0"])
     end
   else
     s.add_dependency(%q<activesupport>, [">= 0"])
     s.add_dependency(%q<echoe>, [">= 0"])
-    s.add_dependency(%q<echoe>, [">= 0"])
   end
 end

data/lib/authlogic.rb

@@ -13,7 +13,7 @@ require File.dirname(__FILE__) + "/authlogic/crypto_providers/bcrypt"
 require File.dirname(__FILE__) + "/authlogic/crypto_providers/aes256"
 
 if defined?(ActiveRecord)
-  require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic"
+  require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in"
   require File.dirname(__FILE__) + "/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability"
@@ -26,12 +26,14 @@ end
 
 require File.dirname(__FILE__) + "/authlogic/session/authenticates_many_association"
 require File.dirname(__FILE__) + "/authlogic/session/active_record_trickery"
+require File.dirname(__FILE__) + "/authlogic/session/brute_force_protection"
 require File.dirname(__FILE__) + "/authlogic/session/callbacks"
 require File.dirname(__FILE__) + "/authlogic/session/config"
 require File.dirname(__FILE__) + "/authlogic/session/cookies"
 require File.dirname(__FILE__) + "/authlogic/session/errors"
 require File.dirname(__FILE__) + "/authlogic/session/params"
 require File.dirname(__FILE__) + "/authlogic/session/perishability"
+require File.dirname(__FILE__) + "/authlogic/session/record_info"
 require File.dirname(__FILE__) + "/authlogic/session/session"
 require File.dirname(__FILE__) + "/authlogic/session/scopes"
 require File.dirname(__FILE__) + "/authlogic/session/timeout"
@@ -42,9 +44,11 @@ module Authlogic
     class Base
       include ActiveRecordTrickery
       include Callbacks
+      include BruteForceProtection
       include Cookies
       include Params
       include Perishability
+      include RecordInfo
       include Session
       include Scopes
       include Timeout

data/lib/authlogic/i18n.rb

@@ -33,6 +33,7 @@ module Authlogic
   #       login_blank: can not be blank
   #       login_not_found: does not exist
   #       login_invalid: should use only letters, numbers, spaces, and .-_@ please.
+  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded.
   #       email_invalid: should look like an email address.
   #       password_blank: can not be blank
   #       password_invalid: is not valid

data/lib/authlogic/orm_adapters/active_record_adapter/{acts_as_authentic.rb → acts_as_authentic/base.rb}

@@ -2,9 +2,16 @@ module Authlogic
   module ORMAdapters # :nodoc:
     module ActiveRecordAdapter # :nodoc:
       # = Acts As Authentic
-      # Provides the acts_as_authentic method to include in your models to help with authentication. See sub modules for more information.
+      #
+      # Provides the acts_as_authentic method to include in your models to help with authentication. You can include it as follows:
+      #
+      #   class User < ActiveRecord::Base
+      #     acts_as_authentic :option => "value"
+      #   end
+      #
+      # For a list of configuration options see the ActsAsAuthentic::Config module.
       module ActsAsAuthentic
-        # All logic for this method is split up into sub modules. This a stub to create a method chain off of and provide documentation. See sub modules for more details.
+        # All logic for this method is split up into sub modules. See sub modules for more details.
         def acts_as_authentic(options = {})
         end
       end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb

@@ -150,15 +150,6 @@ module Authlogic
         # * <tt>email_field_validates_uniqueness_of_options</tt> - default: same as :login_field if :login_field_type == :email,
         #   These options are applied to the validates_uniqueness_of call for the :email_field
         module Config
-          def first_column_to_exist(*columns_to_check) # :nodoc:
-            columns_to_check.each { |column_name| return column_name.to_sym if column_names.include?(column_name.to_s) }
-            columns_to_check.first ? columns_to_check.first.to_sym : nil
-          end
-          
-          def meta_def(name, &block)
-            (class << self; self; end).instance_eval { define_method name, &block }
-          end
-        
           def acts_as_authentic_with_config(options = {})
             # Stop all configuration if the DB is not set up
             begin
@@ -224,12 +215,15 @@ module Authlogic
             
             options[:transition_from_crypto_provider] = [options[:transition_from_crypto_provider]].compact unless options[:transition_from_crypto_provider].is_a?(Array)
             
-            meta_def :acts_as_authentic_config do
-              options
-            end
-          
+            cattr_accessor :acts_as_authentic_config
+            self.acts_as_authentic_config = options
             acts_as_authentic_without_config(options)
           end
+          
+          def first_column_to_exist(*columns_to_check) # :nodoc:
+            columns_to_check.each { |column_name| return column_name.to_sym if column_names.include?(column_name.to_s) }
+            columns_to_check.first ? columns_to_check.first.to_sym : nil
+          end
         end
       end
     end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb

@@ -39,7 +39,7 @@ module Authlogic
                   @_logged_out = true
           
                   #{options[:session_ids].inspect}.each do |session_id|
-                    session = #{options[:session_class]}.find(*[session_id].compact)
+                    session = #{options[:session_class]}.find(session_id, self)
                     if session
                       if !session.record.blank?
                         @_logged_out = false
@@ -63,7 +63,7 @@ module Authlogic
                   session_id = #{options[:session_ids].inspect}.first
           
                   # If we are already logged in, ignore this completely. All that we care about is updating ourself.
-                  next if #{options[:session_class]}.find(*[session_id].compact)
+                  next if #{options[:session_class]}.find(session_id, self)
                         
                   # Log me in
                   args = [self, session_id].compact

data/lib/authlogic/session/base.rb

@@ -61,10 +61,12 @@ module Authlogic
         #   UserSession.find(:secure)
         #
         # See the id method for more information on ids.
-        def find(id = nil)
-          args = [id].compact
-          session = new(*args)
-          if session.find_record
+        def find(id = nil, priority_record = nil)
+          session = new(id)
+          session.before_find
+          if record = session.find_record
+            session.after_find
+            record.save_without_session_maintenance(false) if record.changed? && record != priority_record
             session
           else
             nil
@@ -90,7 +92,7 @@ module Authlogic
             end
         end
       end
-    
+      
       attr_accessor :new_session
       attr_reader :record, :unauthorized_record
       attr_writer :authenticating_with, :id, :persisting
@@ -165,8 +167,13 @@ module Authlogic
       
       # Resets everything, your errors, record, cookies, and session. Basically "logs out" a user.
       def destroy
+        before_destroy
+        
         errors.clear
         @record = nil
+        
+        after_destroy
+        
         true
       end
       
@@ -276,20 +283,13 @@ module Authlogic
       def save(&block)
         result = nil
         if valid?
-          record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1) if record.respond_to?(:login_count)
-          
-          if record.respond_to?(:current_login_at)
-            record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
-            record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-          end
-          
-          if record.respond_to?(:current_login_ip)
-            record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-            record.current_login_ip = controller.request.remote_ip
-          end
-          
-          record.save_without_session_maintenance(false)
+          # hooks
+          before_save
+          new_session? ? before_create : before_update
+          new_session? ? after_create : after_update
+          after_save
           
+          record.save_without_session_maintenance(false) if record.changed?
           self.new_session = false
           result = self
         else
@@ -323,8 +323,19 @@ module Authlogic
       def valid?
         errors.clear
         if valid_credentials?
+          # hooks
+          before_validation
+          new_session? ? before_validation_on_create : before_validation_on_update
           validate
+          
           valid_record?
+          
+          # hooks
+          new_session? ? after_validation_on_create : after_validation_on_update
+          after_validation
+          
+          record.save_without_session_maintenance(false) if record.changed?
+          
           return true if errors.empty?
         end
         
@@ -345,10 +356,6 @@ module Authlogic
         false
       end
       
-      # Overwite this method to add your own validation, or use callbacks: before_validation, after_validation
-      def validate
-      end
-      
       private
         def controller
           self.class.controller

data/lib/authlogic/session/brute_force_protection.rb

@@ -0,0 +1,54 @@
+module Authlogic
+  module Session
+    # = Brute Force Protection
+    #
+    # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
+    # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
+    # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
+    # and execute a brute force attack locally, meaning there is no network lag, it would take decades to complete. Now throw in network lag for hackers
+    # executing this attack over a network, and it would take centuries.
+    #
+    # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
+    # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
+    # after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
+    # If you wish to lower this number just set the configuration to a lower number:
+    #
+    #   class UserSession < Authlogic::Session::Base
+    #     consecutive_failed_logins_limit 10
+    #   end
+    module BruteForceProtection
+      def self.included(klass)
+        klass.validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
+        klass.after_validation :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
+        klass.after_save :reset_failed_login_count, :if => :protect_from_brute_force_attacks?
+      end
+      
+      # This allows you to reset the failed_login_count for the associated record, allowing that account to start at 0 and continue
+      # trying to login. So, if an account exceeds the limit the only way they will be able to log back in is if your execute this
+      # method, which merely resets the failed_login_count field to 0.
+      def reset_failed_login_count
+        record.update_attribute(:failed_login_count, 0)
+      end
+      
+      private
+        def protect_from_brute_force_attacks?
+          record && record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0
+        end
+        
+        def record_by_login
+          unchecked_record = search_for_record(find_by_login_method, send(login_field))
+        end
+        
+        def validate_failed_logins
+          errors.add_to_base(I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded.")) if record.failed_login_count && record.failed_login_count >= consecutive_failed_logins_limit
+        end
+
+        def increase_failed_login_count
+          if !errors.empty?
+            record.failed_login_count ||= 0
+            record.failed_login_count += 1
+          end
+        end
+    end
+  end
+end

data/lib/authlogic/session/callbacks.rb

@@ -2,83 +2,66 @@ module Authlogic
   module Session
     # = Callbacks
     #
-    # Just like in ActiveRecord you have before_save, before_validation, etc. You have similar callbacks with Authlogic, see all callbacks below.
+    # Just like in ActiveRecord you have before_save, before_validation, etc. You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
+    #
+    # Here is the order they execute
+    #
+    #   before_find
+    #   after_find
+    #   save record if changed?
+    #   
+    #   before_validation
+    #   before_validation_on_create
+    #   before_validation_on_update
+    #   validate
+    #   after_validation_on_update
+    #   after_validation_on_create
+    #   after_validation
+    #   save record if changed?
+    #   
+    #   before_save
+    #   before_create
+    #   before_update
+    #   after_update
+    #   after_create
+    #   after_save
+    #   save record if changed?
+    #   
+    #   before_destroy
+    #   destroy
+    #   after_destroy
+    #
+    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make changes to the associated record, there is no need to save the record, Authlogic will do it for you.
+    # This allow multiple modules to modify the record and execute as few queries as possible.
+    #
+    # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
+    #
+    #   class UserSession < Authlogic::Session::Base
+    #     before_validation :my_method
+    #     validate :another_method
+    #     # ..etc
+    #   end
+    #
+    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic to extend properly with multiple extensions. Please ONLY use the method above.
     module Callbacks
-      CALLBACKS = %w(before_create after_create before_destroy after_destroy before_find after_find before_save after_save before_update after_update before_validation validate after_validation)
-
+      METHODS = [
+        "before_find", "after_find",
+        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate", "after_validation_on_update", "after_validation_on_create", "after_validation",
+        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
+        "before_destroy", "after_destroy"
+      ]
+      
       def self.included(base) #:nodoc:
-        [:destroy, :find_record, :save, :validate].each do |method|
-          base.send :alias_method_chain, method, :callbacks
-        end
-
         base.send :include, ActiveSupport::Callbacks
-        base.define_callbacks *CALLBACKS
+        base.define_callbacks *METHODS
       end
       
-      # Runs the following callbacks:
-      #
-      #   before_destroy
-      #   destroy
-      #   after_destroy # only if destroy is successful
-      def destroy_with_callbacks
-        run_callbacks(:before_destroy)
-        result = destroy_without_callbacks
-        run_callbacks(:after_destroy) if result
-        result
-      end
-      
-      # Runs the following callbacks:
-      #
-      #   before_find
-      #   find_record
-      #   after_find # if a record was found
-      def find_record_with_callbacks
-        run_callbacks(:before_find)
-        result = find_record_without_callbacks
-        run_callbacks(:after_find) if result
-        result
-      end
-      
-      # Runs the following callbacks:
-      #
-      #   before_save
-      #   before_create # only if new_session? == true
-      #   before_update # only if new_session? == false
-      #   save
-      #   # the following are only run is save is successful
-      #   after_save
-      #   before_update # only if new_session? == false
-      #   before_create # only if new_session? == true
-      def save_with_callbacks(&block)
-        run_callbacks(:before_save)
-        if new_session?
-          run_callbacks(:before_create)
-        else
-          run_callbacks(:before_update)
-        end
-        result = save_without_callbacks(&block)
-        if result
-          run_callbacks(:after_save)
-          
-          if new_session?
-            run_callbacks(:after_create)
-          else
-            run_callbacks(:after_update)
+      METHODS.each do |method|
+        class_eval <<-"end_eval", __FILE__, __LINE__
+          def #{method}
+            run_callbacks(:#{method})
           end
-        end
-        result
-      end
-      
-      # Runs the following callbacks:
-      #
-      #   before_validation
-      #   validate
-      #   after_validation # only if errors.empty?
-      def validate_with_callbacks
-        run_callbacks(:before_validation)
-        validate_without_callbacks
-        run_callbacks(:validate)
-        run_callbacks(:after_validation) if errors.empty?
+        end_eval
       end
     end
   end

data/lib/authlogic/session/config.rb

@@ -185,6 +185,25 @@ module Authlogic
         end
         alias_method :logout_on_timeout=, :logout_on_timeout
         
+        # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
+        # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
+        #
+        # In order to enable this field your model MUST have a failed_login_count (integer) field.
+        #
+        # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
+        # in possibly millions of attempts to log into an account.
+        #
+        # * <tt>Default:</tt> 50
+        # * <tt>Accepts:</tt> Integer, set to 0 to disable
+        def consecutive_failed_logins_limit(value = nil)
+          if value.nil?
+            read_inheritable_attribute(:consecutive_failed_logins_limit) || consecutive_failed_logins_limit(50)
+          else
+            write_inheritable_attribute(:consecutive_failed_logins_limit, value)
+          end
+        end
+        alias_method :logout_on_timeout=, :logout_on_timeout
+        
         def not_active_message(value = nil) # :nodoc:
           new_i18n_error
         end
@@ -318,6 +337,10 @@ module Authlogic
           self.class.change_single_access_token_with_password == true
         end
         
+        def consecutive_failed_logins_limit
+          self.class.consecutive_failed_logins_limit
+        end
+        
         def cookie_key
           build_key(self.class.cookie_key)
         end

data/lib/authlogic/session/perishability.rb

@@ -11,7 +11,7 @@ module Authlogic
       
       private
         def reset_perishable_token!
-          record.send("reset_#{perishable_token_field}!") if record.respond_to?("reset_#{perishable_token_field}!") && !record.send("disable_#{perishable_token_field}_maintenance?")
+          record.send("reset_#{perishable_token_field}") if record.respond_to?("reset_#{perishable_token_field}") && !record.send("disable_#{perishable_token_field}_maintenance?")
         end
     end
   end

data/lib/authlogic/session/record_info.rb

@@ -0,0 +1,24 @@
+module Authlogic
+  module Session
+    module RecordInfo
+      def self.included(klass)
+        klass.before_create :update_info
+      end
+      
+      private
+        def update_info
+          record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1) if record.respond_to?(:login_count)
+          
+          if record.respond_to?(:current_login_at)
+            record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+            record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+          end
+          
+          if record.respond_to?(:current_login_ip)
+            record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+            record.current_login_ip = controller.request.remote_ip
+          end
+        end
+    end
+  end
+end

data/lib/authlogic/session/session.rb

@@ -5,9 +5,9 @@ module Authlogic
     # Handles all parts of authentication that deal with sessions. Such as persisting a session and saving / destroy a session.
     module Session
       def self.included(klass)
-        klass.after_save :update_session!, :if => :persisting?
-        klass.after_destroy :update_session!, :if => :persisting?
-        klass.after_find :update_session!, :if => :persisting?
+        klass.after_save :update_session, :if => :persisting?
+        klass.after_destroy :update_session, :if => :persisting?
+        klass.after_find :update_session, :if => :persisting? # to continue persisting the session after an http_auth request
       end
       
       # Tries to validate the session from information in the session
@@ -36,7 +36,7 @@ module Authlogic
           [controller.session[session_key], controller.session["#{session_key}_id"]].compact
         end
         
-        def update_session!
+        def update_session
           controller.session[session_key] = record && record.send(persistence_token_field)
           controller.session["#{session_key}_id"] = record && record.send(record.class.primary_key)
         end

data/lib/authlogic/session/timeout.rb

@@ -10,8 +10,9 @@ module Authlogic
       def self.included(klass)
         klass.class_eval do
           alias_method_chain :find_record, :timeout
-          after_find :update_last_request_at!
-          after_save :update_last_request_at!
+          before_find :reset_stale_state
+          after_find :set_last_request_at
+          before_save :set_last_request_at
         end
       end
       
@@ -19,21 +20,27 @@ module Authlogic
       # returned. This allows you to perform a current_user_session.stale? query in order to inform your users of why they need to log back in.
       def find_record_with_timeout
         result = find_record_without_timeout
-        self.record = nil if result && stale?
+        if result && stale?
+          self.record = nil
+          @stale = true
+        end
         result
       end
     
       # Tells you if the record is stale or not. Meaning the record has timed out. This will only return true if you set logout_on_timeout to true in your configuration.
       # Basically how a bank website works. If you aren't active over a certain period of time your session becomes stale and requires you to log back in.
       def stale?
-        logout_on_timeout? && record && record.logged_out?
+        @stale == true || (logout_on_timeout? && record && record.logged_out?)
       end
     
       private
-        def update_last_request_at!
-          if record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
+        def reset_stale_state
+          @stale = nil
+        end
+
+        def set_last_request_at
+          if record && record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
             record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-            record.save_without_session_maintenance(false)
           end
         end
     end

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 1
     MINOR = 4
-    TINY  = 1
+    TINY  = 2
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/credentials_test.rb

@@ -133,7 +133,17 @@ module ORMAdaptersTests
           assert_not_equal old_salt, ben.password_salt
           assert_not_equal old_persistence_token, ben.persistence_token
           assert UserSession.find
+        end
+        
+        def test_reset_password!
+          UserSession.create(users(:ben))
+          session = UserSession.find
+          assert session
+          ben = session.record
           
+          old_password = ben.crypted_password
+          old_salt = ben.password_salt
+          old_persistence_token = ben.persistence_token
           ben.reset_password!
           ben.reload
           assert_not_equal old_password, ben.crypted_password

data/test/session_tests/brute_force_protection_test.rb

@@ -0,0 +1,19 @@
+require File.dirname(__FILE__) + '/../test_helper.rb'
+
+module SessionTests
+  class BruteForceProtectionTest < ActiveSupport::TestCase
+    def test_under_limit
+      ben = users(:ben)
+      ben.failed_login_count = UserSession.consecutive_failed_logins_limit - 1
+      assert ben.save
+      assert UserSession.create(:login => ben.login, :password => "benrocks")
+    end
+
+    def test_exceeded_limit
+      ben = users(:ben)
+      ben.failed_login_count = UserSession.consecutive_failed_logins_limit
+      assert ben.save
+      assert !UserSession.create(:login => ben.login, :password => "benrocks")
+    end
+  end
+end

data/test/session_tests/timeout_test.rb

@@ -33,16 +33,39 @@ module SessionTests
       assert !session.stale?
     end
     
-    def test_stale
+    def test_not_stale
       UserSession.logout_on_timeout = true
       ben = users(:ben)
       ben.update_attribute(:last_request_at, Time.now)
       set_session_for(ben)
       session = UserSession.find
       assert !session.stale?
-      session.record.last_request_at = 3.years.ago
+    end
+    
+    def test_stale
+      ben = users(:ben)
+      set_session_for(ben)
+      ben.update_attribute(:last_request_at, 3.years.ago)
+      session = UserSession.find
       assert session.stale?
+      assert_nil @controller.session["user_credentials"]
+      assert_nil @controller.session["user_credentials_id"]
       UserSession.logout_on_timeout = false
     end
+    
+    def test_stale_find
+      UserSession.logout_on_timeout = true
+      ben = users(:ben)
+      
+      ben.update_attribute(:last_request_at, 3.years.ago)
+      set_session_for(ben)
+      session = UserSession.find
+      assert session.stale?
+      
+      ben.update_attribute(:last_request_at, Time.now)
+      set_session_for(ben)
+      session = UserSession.find
+      assert !session.stale?
+    end
   end
 end

data/test/test_helper.rb

@@ -34,6 +34,7 @@ ActiveRecord::Schema.define(:version => 1) do
   create_table :users do |t|
     t.datetime  :created_at      
     t.datetime  :updated_at
+    t.integer   :lock_version, :default => 0
     t.integer   :company_id
     t.string    :login
     t.string    :crypted_password
@@ -45,6 +46,7 @@ ActiveRecord::Schema.define(:version => 1) do
     t.string    :first_name
     t.string    :last_name
     t.integer   :login_count
+    t.integer   :failed_login_count
     t.datetime  :last_request_at
     t.datetime  :current_login_at
     t.datetime  :last_login_at

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authlogic
 version: !ruby/object:Gem::Version 
-  version: 1.4.1
+  version: 1.4.2
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-02-08 00:00:00 -05:00
+date: 2009-02-20 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -32,16 +32,6 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: "0"
     version: 
-- !ruby/object:Gem::Dependency 
-  name: echoe
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        version: "0"
-    version: 
 description: A clean, simple, and unobtrusive ruby authentication solution.
 email: bjohnson@binarylogic.com
 executables: []
@@ -58,6 +48,7 @@ extra_rdoc_files:
 - lib/authlogic/crypto_providers/sha1.rb
 - lib/authlogic/crypto_providers/sha512.rb
 - lib/authlogic/i18n.rb
+- lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb
@@ -65,17 +56,18 @@ extra_rdoc_files:
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb
-- lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb
 - lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb
 - lib/authlogic/session/active_record_trickery.rb
 - lib/authlogic/session/authenticates_many_association.rb
 - lib/authlogic/session/base.rb
+- lib/authlogic/session/brute_force_protection.rb
 - lib/authlogic/session/callbacks.rb
 - lib/authlogic/session/config.rb
 - lib/authlogic/session/cookies.rb
 - lib/authlogic/session/errors.rb
 - lib/authlogic/session/params.rb
 - lib/authlogic/session/perishability.rb
+- lib/authlogic/session/record_info.rb
 - lib/authlogic/session/scopes.rb
 - lib/authlogic/session/session.rb
 - lib/authlogic/session/timeout.rb
@@ -96,6 +88,7 @@ files:
 - lib/authlogic/crypto_providers/sha1.rb
 - lib/authlogic/crypto_providers/sha512.rb
 - lib/authlogic/i18n.rb
+- lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb
@@ -103,17 +96,18 @@ files:
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb
 - lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb
-- lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb
 - lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb
 - lib/authlogic/session/active_record_trickery.rb
 - lib/authlogic/session/authenticates_many_association.rb
 - lib/authlogic/session/base.rb
+- lib/authlogic/session/brute_force_protection.rb
 - lib/authlogic/session/callbacks.rb
 - lib/authlogic/session/config.rb
 - lib/authlogic/session/cookies.rb
 - lib/authlogic/session/errors.rb
 - lib/authlogic/session/params.rb
 - lib/authlogic/session/perishability.rb
+- lib/authlogic/session/record_info.rb
 - lib/authlogic/session/scopes.rb
 - lib/authlogic/session/session.rb
 - lib/authlogic/session/timeout.rb
@@ -149,6 +143,7 @@ files:
 - test/session_tests/active_record_trickery_test.rb
 - test/session_tests/authenticates_many_association_test.rb
 - test/session_tests/base_test.rb
+- test/session_tests/brute_force_protection_test.rb
 - test/session_tests/config_test.rb
 - test/session_tests/cookies_test.rb
 - test/session_tests/params_test.rb
@@ -205,6 +200,7 @@ test_files:
 - test/session_tests/active_record_trickery_test.rb
 - test/session_tests/authenticates_many_association_test.rb
 - test/session_tests/base_test.rb
+- test/session_tests/brute_force_protection_test.rb
 - test/session_tests/config_test.rb
 - test/session_tests/cookies_test.rb
 - test/session_tests/params_test.rb