authlogic 1.4.2 → 1.4.3

data/CHANGELOG.rdoc

@@ -1,3 +1,7 @@
+== 1.4.3 released 2009-2-22
+
+* Fixed issue with brute force protection.
+
 == 1.4.2 released 2009-2-20
 
 * Cleaned up callbacks system to use hooks and execute in the proper order.

data/authlogic.gemspec

@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "1.4.2"
+  s.version = "1.4.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2009-02-20}
+  s.date = %q{2009-02-22}
   s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
   s.email = %q{bjohnson@binarylogic.com}
   s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/aes256.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/i18n.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/base.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/brute_force_protection.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/record_info.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/session/timeout.rb", "lib/authlogic/testing/test_unit_helpers.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]

data/lib/authlogic/i18n.rb

@@ -33,7 +33,7 @@ module Authlogic
   #       login_blank: can not be blank
   #       login_not_found: does not exist
   #       login_invalid: should use only letters, numbers, spaces, and .-_@ please.
-  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded.
+  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
   #       email_invalid: should look like an email address.
   #       password_blank: can not be blank
   #       password_invalid: is not valid

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb

@@ -40,11 +40,9 @@ module Authlogic
           
                   #{options[:session_ids].inspect}.each do |session_id|
                     session = #{options[:session_class]}.find(session_id, self)
-                    if session
-                      if !session.record.blank?
-                        @_logged_out = false
-                        @_sessions << session if session.record == self
-                      end
+                    if session && !session.record.blank?
+                      @_logged_out = false
+                      @_sessions << session if session.record == self
                     end
                   end
                 end
@@ -61,13 +59,9 @@ module Authlogic
                   # We only want to automatically login into the first session, since this is the main session. The other sessions are sessions
                   # that need to be created after logging into the main session.
                   session_id = #{options[:session_ids].inspect}.first
-          
-                  # If we are already logged in, ignore this completely. All that we care about is updating ourself.
-                  next if #{options[:session_class]}.find(session_id, self)
-                        
-                  # Log me in
-                  args = [self, session_id].compact
-                  #{options[:session_class]}.create(*args)
+                   
+                  # Log me in, only if we aren't already logged in
+                  #{options[:session_class]}.create(*[self, session_id].compact) if !#{options[:session_class]}.find(session_id, self)
                 end
         
                 def update_sessions!

data/lib/authlogic/session/base.rb

@@ -93,8 +93,8 @@ module Authlogic
         end
       end
       
-      attr_accessor :new_session
-      attr_reader :record, :unauthorized_record
+      attr_accessor :attempted_record, :new_session, :record
+      attr_reader :unauthorized_record
       attr_writer :authenticating_with, :id, :persisting
     
       # You can initialize a session by doing any of the following:
@@ -322,25 +322,23 @@ module Authlogic
       # you will not have a record.
       def valid?
         errors.clear
-        if valid_credentials?
-          # hooks
-          before_validation
-          new_session? ? before_validation_on_create : before_validation_on_update
-          validate
-          
-          valid_record?
-          
-          # hooks
+        self.attempted_record = nil
+        
+        before_validation
+        new_session? ? before_validation_on_create : before_validation_on_update
+        valid_credentials?
+        validate
+        
+        if errors.empty?
           new_session? ? after_validation_on_create : after_validation_on_update
           after_validation
-          
-          record.save_without_session_maintenance(false) if record.changed?
-          
-          return true if errors.empty?
+        else
+          self.record = nil
         end
         
-        self.record = nil
-        false
+        attempted_record.save_without_session_maintenance(false) if attempted_record && attempted_record.changed?
+        self.attempted_record = nil
+        errors.empty?
       end
       
       # Tries to validate the session from information from a basic http auth, if it was provided.
@@ -409,53 +407,44 @@ module Authlogic
           self.class.klass_name
         end
         
-        def record=(value)
-          @record = value
-        end
-        
         def search_for_record(method, value)
           klass.send(method, value)
         end
         
         def valid_credentials?
-          unchecked_record = nil
-          
           case authenticating_with
           when :password
             errors.add(login_field, I18n.t('error_messages.login_blank', :default => "can not be blank")) if send(login_field).blank?
             errors.add(password_field, I18n.t('error_messages.password_blank', :default => "can not be blank")) if send("protected_#{password_field}").blank?
             return false if errors.count > 0
             
-            unchecked_record = search_for_record(find_by_login_method, send(login_field))
+            self.attempted_record = search_for_record(find_by_login_method, send(login_field))
             
-            if unchecked_record.blank?
+            if attempted_record.blank?
               errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "does not exist"))
               return false
             end
             
-            unless unchecked_record.send(verify_password_method, send("protected_#{password_field}"))
+            unless attempted_record.send(verify_password_method, send("protected_#{password_field}"))
               errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
               return false
             end
-            
-            self.record = unchecked_record
           when :unauthorized_record
-            unchecked_record = unauthorized_record
+            self.attempted_record = unauthorized_record
             
-            if unchecked_record.blank?
+            if attempted_record.blank?
               errors.add_to_base(I18n.t('error_messages.blank_record', :default => "You can not login with a blank record"))
               return false
             end
             
-            if unchecked_record.new_record?
+            if attempted_record.new_record?
               errors.add_to_base(I18n.t('error_messages.new_record', :default => "You can not login with a new record"))
               return false
             end
-            
-            self.record = unchecked_record
           end
           
-          true
+          self.record = attempted_record
+          valid_record?
         end
         
         def valid_record?

data/lib/authlogic/session/brute_force_protection.rb

@@ -19,7 +19,7 @@ module Authlogic
     module BruteForceProtection
       def self.included(klass)
         klass.validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
-        klass.after_validation :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
+        klass.validate :increase_failed_login_count, :if => :protect_from_brute_force_attacks?
         klass.after_save :reset_failed_login_count, :if => :protect_from_brute_force_attacks?
       end
       
@@ -27,26 +27,26 @@ module Authlogic
       # trying to login. So, if an account exceeds the limit the only way they will be able to log back in is if your execute this
       # method, which merely resets the failed_login_count field to 0.
       def reset_failed_login_count
-        record.update_attribute(:failed_login_count, 0)
+        record.failed_login_count = 0
       end
       
       private
         def protect_from_brute_force_attacks?
-          record && record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0
-        end
-        
-        def record_by_login
-          unchecked_record = search_for_record(find_by_login_method, send(login_field))
+          r = attempted_record || record
+          r && r.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0
         end
         
         def validate_failed_logins
-          errors.add_to_base(I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded.")) if record.failed_login_count && record.failed_login_count >= consecutive_failed_logins_limit
+          if attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
+            errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
+            errors.add_to_base(I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded, account is disabled."))
+          end
         end
 
         def increase_failed_login_count
-          if !errors.empty?
-            record.failed_login_count ||= 0
-            record.failed_login_count += 1
+          if errors.on(password_field)
+            attempted_record.failed_login_count ||= 0
+            attempted_record.failed_login_count += 1
           end
         end
     end

data/lib/authlogic/session/config.rb

@@ -202,7 +202,7 @@ module Authlogic
             write_inheritable_attribute(:consecutive_failed_logins_limit, value)
           end
         end
-        alias_method :logout_on_timeout=, :logout_on_timeout
+        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
         
         def not_active_message(value = nil) # :nodoc:
           new_i18n_error

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 1
     MINOR = 4
-    TINY  = 2
+    TINY  = 3
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test/session_tests/brute_force_protection_test.rb

@@ -15,5 +15,39 @@ module SessionTests
       assert ben.save
       assert !UserSession.create(:login => ben.login, :password => "benrocks")
     end
+    
+    def test_exeeding_failed_logins_limit
+      UserSession.consecutive_failed_logins_limit = 2
+      ben = users(:ben)
+      
+      2.times do |i|
+        session = UserSession.new(:login => ben.login, :password => "badpassword")
+        assert !session.save
+        assert session.errors.on(:password)
+        assert_equal i + 1, ben.reload.failed_login_count
+      end
+      
+      session = UserSession.new(:login => ben.login, :password => "badpassword2")
+      assert !session.save
+      assert !session.errors.on(:password)
+      assert_equal 2, ben.reload.failed_login_count
+      
+      UserSession.consecutive_failed_logins_limit = 50
+    end
+    
+    def test_resetting_failed_logins_count
+      ben = users(:ben)
+      
+      2.times do |i|
+        session = UserSession.new(:login => ben.login, :password => "badpassword")
+        assert !session.save
+        assert session.errors.on(:password)
+        assert_equal i + 1, ben.reload.failed_login_count
+      end
+      
+      session = UserSession.new(:login => ben.login, :password => "benrocks")
+      assert session.save
+      assert_equal 0, ben.reload.failed_login_count
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authlogic
 version: !ruby/object:Gem::Version 
-  version: 1.4.2
+  version: 1.4.3
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-02-20 00:00:00 -05:00
+date: 2009-02-22 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency