authlogic 2.0.1 → 2.0.2

data/CHANGELOG.rdoc

@@ -1,4 +1,10 @@
-== 2.0.1
+== 2.0.2
+
+* Reset failed_login_count if consecutive_failed_logins_limit has been exceed and the failed_login_ban_for has passed.
+* Update test helpers to use the new configuration scheme.
+* Fixed issue when logging doesn't update last_request_at, so the next persistence try would fail.
+
+== 2.0.1 released 2009-3-23
 
 * Validate length of password.
 * Dont save sessions with a ! during session maintenance.

data/lib/authlogic/session/brute_force_protection.rb

@@ -19,7 +19,8 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_failed_logins, :if => :protect_from_brute_force_attacks?
+          validate :reset_failed_login_count, :if => :reset_failed_login_count?
+          validate :validate_failed_logins, :if => :being_brute_force_protected?
         end
       end
       
@@ -53,24 +54,35 @@ module Authlogic
       # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
       module InstanceMethods
         private
-          def protect_from_brute_force_attacks?
+          def exceeded_failed_logins_limit?
             !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
-              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit &&
-              (failed_login_ban_for <= 0 || (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
           end
           
-          def consecutive_failed_logins_limit
-            self.class.consecutive_failed_logins_limit
+          def being_brute_force_protected?
+            exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 || (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
           end
           
-          def failed_login_ban_for
-            self.class.failed_login_ban_for
+          def reset_failed_login_count?
+            exceeded_failed_logins_limit? && !being_brute_force_protected?
+          end
+          
+          def reset_failed_login_count
+            attempted_record.failed_login_count = 0
           end
         
           def validate_failed_logins
             errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
             errors.add_to_base(I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded, account is disabled."))
           end
+          
+          def consecutive_failed_logins_limit
+            self.class.consecutive_failed_logins_limit
+          end
+          
+          def failed_login_ban_for
+            self.class.failed_login_ban_for
+          end
       end
     end
   end

data/lib/authlogic/session/magic_columns.rb

@@ -15,9 +15,10 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          after_persisting :set_last_request_at
+          after_persisting :set_last_request_at, :if => :set_last_request_at?
           validate :increase_failed_login_count
           before_save :update_info
+          before_save :set_last_request_at, :if => :set_last_request_at?
         end
       end
       
@@ -59,11 +60,13 @@ module Authlogic
               record.current_login_ip = controller.request.remote_ip
             end
           end
+          
+          def set_last_request_at?
+            record && record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
+          end
         
           def set_last_request_at
-            if record && record.class.column_names.include?("last_request_at") && (record.last_request_at.blank? || last_request_at_threshold.to_i.seconds.ago >= record.last_request_at)
-              record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-            end
+            record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
           end
           
           def last_request_at_threshold

data/lib/authlogic/testing/test_unit_helpers.rb

@@ -9,21 +9,21 @@ module Authlogic
     # Then you will have the methods below to use in your tests.
     module TestUnitHelpers
       private
-        def session_class(record) # :nodoc:
-          record.class.acts_as_authentic_config[:session_class].constantize
+        def session_class(record)
+          record.class.session_class
         end
         
         # Sets the session for a record. This way when you execute a request in your test, session values will be present.
         def set_session_for(record)
           session_class = session_class(record)
-          @request.session[session_class.session_key] = record.send(record.class.acts_as_authentic_config[:persistence_token_field])
-          @request.session["#{session_class.session_key}_id"] = record.id
+          @request.session[session_class.session_key] = record.persistence_token
+          @request.session["#{session_class.session_key}_#{record.class.primary_key}"] = record.id
         end
         
         # Sets the cookie for a record. This way when you execute a request in your test, cookie values will be present.
         def set_cookie_for(record)
           session_class = session_class(record)
-          @request.cookies[session_class.cookie_key] = record.send(record.class.acts_as_authentic_config[:persistence_token_field])
+          @request.cookies[session_class.cookie_key] = record.persistence_token
         end
         
         # Sets the HTTP_AUTHORIZATION header for basic HTTP auth. This way when you execute a request in your test that is trying to authenticate

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 2
     MINOR = 0
-    TINY  = 1
+    TINY  = 2
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test/session_test/brute_force_protection_test.rb

@@ -56,20 +56,43 @@ module SessionTest
       
         UserSession.consecutive_failed_logins_limit = 50
       end
-    
-      def test_resetting_failed_logins_count
+      
+      def test_exceeded_ban_for
+        UserSession.consecutive_failed_logins_limit = 2
         ben = users(:ben)
       
         2.times do |i|
-          session = UserSession.new(:login => ben.login, :password => "badpassword")
+          session = UserSession.new(:login => ben.login, :password => "badpassword1")
           assert !session.save
           assert session.errors.on(:password)
           assert_equal i + 1, ben.reload.failed_login_count
         end
-      
+        
+        ActiveRecord::Base.connection.execute("update users set updated_at = '#{1.day.ago.to_s(:db)}' where login = '#{ben.login}'")
         session = UserSession.new(:login => ben.login, :password => "benrocks")
         assert session.save
         assert_equal 0, ben.reload.failed_login_count
+      
+        UserSession.consecutive_failed_logins_limit = 50
+      end
+
+      def test_exceeded_ban_and_failed_doesnt_ban_again
+        UserSession.consecutive_failed_logins_limit = 2
+        ben = users(:ben)
+      
+        2.times do |i|
+          session = UserSession.new(:login => ben.login, :password => "badpassword1")
+          assert !session.save
+          assert session.errors.on(:password)
+          assert_equal i + 1, ben.reload.failed_login_count
+        end
+        
+        ActiveRecord::Base.connection.execute("update users set updated_at = '#{1.day.ago.to_s(:db)}' where login = '#{ben.login}'")
+        session = UserSession.new(:login => ben.login, :password => "badpassword1")
+        assert !session.save
+        assert_equal 1, ben.reload.failed_login_count
+      
+        UserSession.consecutive_failed_logins_limit = 50
       end
     end
   end

data/test/session_test/magic_columns_test.rb

@@ -15,6 +15,8 @@ module SessionTest
     class InstanceMethodsTest < ActiveSupport::TestCase
       def test_after_persisting_set_last_request_at
         ben = users(:ben)
+        assert UserSession.create(ben)
+        
         set_cookie_for(ben)
         old_last_request_at = ben.last_request_at
         assert UserSession.find
@@ -22,7 +24,7 @@ module SessionTest
         assert ben.last_request_at != old_last_request_at
       end
     
-      def test_valide_increase_failed_login_count
+      def test_valid_increase_failed_login_count
         ben = users(:ben)
         old_failed_login_count = ben.failed_login_count
         assert !UserSession.create(:login => ben.login, :password => "wrong")
@@ -45,10 +47,11 @@ module SessionTest
         old_last_login_ip = ben.last_login_ip
         old_current_login_ip = ben.current_login_ip
       
-        assert UserSession.create(ben)
-      
+        assert UserSession.create(:login => ben.login, :password => "benrocks")
+        
+        ben.reload
         assert_equal old_login_count + 1, ben.login_count
-        assert_equal old_failed_login_count - 1, ben.failed_login_count
+        assert_equal 0, ben.failed_login_count
         assert_equal old_current_login_at, ben.last_login_at
         assert ben.current_login_at != old_current_login_at
         assert_equal old_current_login_ip, ben.last_login_ip

data/test/session_test/timeout_test.rb

@@ -38,6 +38,15 @@ module SessionTest
       
         UserSession.logout_on_timeout = false
       end
+      
+      def test_successful_login
+        UserSession.logout_on_timeout = true
+        ben = users(:ben)
+        assert UserSession.create(:login => ben.login, :password => "benrocks")
+        assert session = UserSession.find
+        assert_equal ben, session.record
+        UserSession.logout_on_timeout = false
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authlogic
 version: !ruby/object:Gem::Version 
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-03-23 00:00:00 -04:00
+date: 2009-03-24 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency