authlogic 3.2.0 → 3.3.0

Sign up to get free protection for your applications and to get access to all the features.
data/Gemfile CHANGED
@@ -1,2 +1,2 @@
1
- source :rubygems
1
+ source "https://rubygems.org"
2
2
  gemspec
data/Gemfile.lock CHANGED
@@ -1,34 +1,34 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- authlogic (3.2.0)
5
- activerecord (>= 3.0.0)
6
- activesupport (>= 3.0.0)
4
+ authlogic (3.3.0)
5
+ activerecord (>= 3.2)
6
+ activesupport (>= 3.2)
7
7
 
8
8
  GEM
9
- remote: http://rubygems.org/
9
+ remote: https://rubygems.org/
10
10
  specs:
11
- activemodel (3.2.9)
12
- activesupport (= 3.2.9)
11
+ activemodel (3.2.13)
12
+ activesupport (= 3.2.13)
13
13
  builder (~> 3.0.0)
14
- activerecord (3.2.9)
15
- activemodel (= 3.2.9)
16
- activesupport (= 3.2.9)
14
+ activerecord (3.2.13)
15
+ activemodel (= 3.2.13)
16
+ activesupport (= 3.2.13)
17
17
  arel (~> 3.0.2)
18
18
  tzinfo (~> 0.3.29)
19
- activesupport (3.2.9)
20
- i18n (~> 0.6)
19
+ activesupport (3.2.13)
20
+ i18n (= 0.6.1)
21
21
  multi_json (~> 1.0)
22
22
  arel (3.0.2)
23
23
  bcrypt-ruby (3.0.1)
24
24
  builder (3.0.4)
25
25
  i18n (0.6.1)
26
- multi_json (1.4.0)
27
- rake (10.0.2)
26
+ multi_json (1.7.2)
27
+ rake (10.0.4)
28
28
  scrypt (1.1.0)
29
- sqlite3 (1.3.6)
30
- timecop (0.5.4)
31
- tzinfo (0.3.35)
29
+ sqlite3 (1.3.7)
30
+ timecop (0.6.1)
31
+ tzinfo (0.3.37)
32
32
 
33
33
  PLATFORMS
34
34
  ruby
@@ -36,6 +36,7 @@ PLATFORMS
36
36
  DEPENDENCIES
37
37
  authlogic!
38
38
  bcrypt-ruby
39
+ i18n
39
40
  rake
40
41
  scrypt
41
42
  sqlite3
data/README.rdoc CHANGED
@@ -1,6 +1,6 @@
1
1
  = Authlogic
2
2
 
3
- ** Please note the latest version is compatible with rails 3 only. Please see the rails2 branch for Rails 2 compatibility.
3
+ ** Please note the latest version is compatible with rails 3.2 only. Please see the rails2 branch for Rails 2 compatibility.
4
4
 
5
5
  Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
6
6
 
@@ -54,15 +54,9 @@ Authlogic is very flexible, it has a strong public API and a plethora of hooks t
54
54
  * <b>Documentation:</b> http://rdoc.info/projects/binarylogic/authlogic
55
55
  * <b>Repository:</b> http://github.com/binarylogic/authlogic/tree/master
56
56
  * <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
57
- * <b>Live example with OpenID "add on":</b> http://authlogicexample.binarylogic.com
58
- * <b>Live example repository with tutorial in README:</b> http://github.com/binarylogic/authlogic_example/tree/master
57
+ * <b>Example repository with tutorial in README:</b> http://github.com/binarylogic/authlogic_example/tree/master
59
58
  * <b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
60
59
  * <b>Issues:</b> http://github.com/binarylogic/authlogic/issues
61
- * <b>Google group:</b> http://groups.google.com/group/authlogic
62
-
63
- <b>Before contacting me directly, please read:</b>
64
-
65
- If you find a bug or a problem please post it in the issues section. If you need help with something, please use google groups. I check both regularly and get emails when anything happens, so that is the best place to get help. This also benefits other people in the future with the same questions / problems. Thank you.
66
60
 
67
61
  == Authlogic "add ons"
68
62
 
@@ -78,10 +72,6 @@ If you find a bug or a problem please post it in the issues section. If you need
78
72
 
79
73
  If you create one of your own, please let me know about it so I can add it to this list. Or just fork the project, add your link, and send me a pull request.
80
74
 
81
- == Session bugs (please read if you are having issues with logging in / out)
82
-
83
- Apparently there is a bug with apache / passenger for v2.1.X with sessions not working properly. This is most likely your problem if you are having trouble logging in / out. This is *not* an Authlogic issue. This can be solved by updating passener or using an alternative session store solution, such as active record store.
84
-
85
75
  == Documentation explanation
86
76
 
87
77
  You can find anything you want about Authlogic in the {documentation}[http://rdoc.info/projects/binarylogic/authlogic], all that you need to do is understand the basic design behind it.
@@ -95,55 +85,6 @@ Each of the above has its various sub modules that contain common logic. The sub
95
85
 
96
86
  For example, if you want to timeout users after a certain period of inactivity, you would look in <b>Authlogic::Session::Timeout</b>. To help you out, I listed the following publicly relevant modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the {documentation}[http://rdoc.info/projects/binarylogic/authlogic].
97
87
 
98
- === Authlogic::ActsAsAuthentic sub modules
99
-
100
- These modules are for the ActiveRecord side of things, the models that call acts_as_authentic.
101
-
102
- * <b>Authlogic::ActsAsAuthentic::Base</b> - Provides the acts_as_authentic class method and includes all of the submodules.
103
- * <b>Authlogic::ActsAsAuthentic::Email</b> - Handles everything related to the email field.
104
- * <b>Authlogic::ActsAsAuthentic::LoggedInStatus</b> - Provides handy named scopes and methods for determining if the user is logged in or out.
105
- * <b>Authlogic::ActsAsAuthentic::Login</b> - Handles everything related to the login field.
106
- * <b>Authlogic::ActsAsAuthentic::MagicColumns</b> - Handles everything related to the "magic" fields: login_count, failed_login_count, last_request_at, etc.
107
- * <b>Authlogic::ActsAsAuthentic::Password</b> - This one is important. It handles encrypting your password, salting it, etc. It also has support for transitioning password algorithms.
108
- * <b>Authlogic::ActsAsAuthentic::PerishableToken</b> - Handles maintaining the perishable token field, also provides a class level method for finding record using the token.
109
- * <b>Authlogic::ActsAsAuthentic::PersistenceToken</b> - Handles maintaining the persistence token. This is the token stored in cookies and sessions to persist the users session.
110
- * <b>Authlogic::ActsAsAuthentic::RestfulAuthentication</b> - Provides configuration options to easily migrate from the restful_authentication plugin.
111
- * <b>Authlogic::ActsAsAuthentic::SessionMaintenance</b> - Handles automatic session maintenance. EX: a new user registers, automatically log them in. Or a user changes their password, update their session.
112
- * <b>Authlogic::ActsAsAuthentic::SingleAccessToken</b> - Handles maintaining the single access token.
113
- * <b>Authlogic::ActsAsAuthentic::ValidationsScope</b> - Allows you to scope all validations, etc. Just like the :scope option for validates_uniqueness_of
114
-
115
- === Authlogic::Session sub modules
116
-
117
- These modules are for the models that extend Authlogic::Session::Base.
118
-
119
- * <b>Authlogic::Session::BruteForceProtection</b> - Disables accounts after a certain number of consecutive failed logins attempted.
120
- * <b>Authlogic::Session::Callbacks</b> - Your tools to extend, change, or add onto Authlogic. Lets you hook in and do just about anything you want. Start here if you want to write a plugin or add-on for Authlogic
121
- * <b>Authlogic::Session::Cookies</b> - Authentication via cookies.
122
- * <b>Authlogic::Session::Existence</b> - Creating, saving, and destroying objects.
123
- * <b>Authlogic::Session::HttpAuth</b> - Authentication via basic HTTP authentication.
124
- * <b>Authlogic::Session::Id</b> - Allows sessions to be separated by an id, letting you have multiple sessions for a single user.
125
- * <b>Authlogic::Session::MagicColumns</b> - Maintains "magic" database columns, similar to created_at and updated_at for ActiveRecord.
126
- * <b>Authlogic::Session::MagicStates</b> - Automatically validates based on the records states: active?, approved?, and confirmed?. If those methods exist for the record.
127
- * <b>Authlogic::Session::Params</b> - Authentication via params, aka single access token.
128
- * <b>Authlogic::Session::Password</b> - Authentication via a traditional username and password.
129
- * <b>Authlogic::Session::Persistence</b> - Persisting sessions / finding sessions.
130
- * <b>Authlogic::Session::Session</b> - Authentication via the session, the controller session that is.
131
- * <b>Authlogic::Session::Timeout</b> - Automatically logging out after a certain period of inactivity.
132
- * <b>Authlogic::Session::UnauthorizedRecord</b> - Handles authentication by passing an ActiveRecord object directly.
133
- * <b>Authlogic::Session::Validation</b> - Validation / errors.
134
-
135
- === Miscellaneous modules
136
-
137
- Miscellaneous modules that shared across the authentication process and are more "utility" modules and classes.
138
-
139
- * <b>Authlogic::AuthenticatesMany</b> - Responsible for allowing you to scope sessions to a parent record. Similar to a has_many and belongs_to relationship. This lets you do the same thing with sessions.
140
- * <b>Authlogic::CryptoProviders</b> - Contains various encryption algorithms that Authlogic uses, allowing you to choose your encryption method.
141
- * <b>Authlogic::I18n</b> - Acts JUST LIKE the rails I18n library, and provides internationalization to Authlogic.
142
- * <b>Authlogic::Random</b> - A simple class to generate random tokens.
143
- * <b>Authlogic::Regex</b> - Contains regular expressions used in Authlogic. Such as those to validate the format of the log or email.
144
- * <b>Authlogic::TestCase</b> - Various helper methods for testing frameworks to help you test your code.
145
- * <b>Authlogic::Version</b> - A handy class for determine the version of Authlogic in a number of ways.
146
-
147
88
  == Quick Rails example
148
89
 
149
90
  What if creating sessions worked like an ORM library on the surface...
@@ -211,39 +152,13 @@ Or how about persisting the session...
211
152
  end
212
153
  end
213
154
 
214
- == Install & Use
215
-
216
- Add to your gem file
217
-
218
- gem 'authlogic'
219
-
220
- == Detailed Setup Tutorial
221
-
222
- See the {authlogic example}[http://github.com/binarylogic/authlogic_example/tree/master] for a detailed setup tutorial. I did this because not only do you have a tutorial to go by, but you have an example app that uses the same tutorial, so you can play around with with the code. If you have problems you can compare the code to see what you are doing differently.
223
-
224
155
  == Testing
225
156
 
226
- I think one of the best aspects of Authlogic is testing. For one, it cuts out <b>a lot</b> of redundant tests in your applications because Authlogic is already thoroughly tested for you. It doesn't include a bunch of tests into your application, because it comes tested, just like any other library.
227
-
228
- For example, think about ActiveRecord. You don't test the internals of ActiveRecord, because the creators of ActiveRecord have already tested the internals for you. It wouldn't make sense for ActiveRecord to copy it's hundreds of tests into your applications. The same concept applies to Authlogic. You only need to test code you write that is specific to your application, just like everything else in your application.
229
-
230
- That being said, testing your code that uses Authlogic is easy. Since everyone uses different testing suites, I created a helpful module called Authlogic::TestCase, which is basically a set of tools for testing code using Authlogic. I explain testing Authlogic thoroughly in the {Authlogic::TestCase section of the documentation}[http://rdoc.info/rdoc/binarylogic/authlogic/blob/f2f6988d3b97e11770b00b72a7a9733df69ffa5b/Authlogic/TestCase.html]. It should answer any questions you have in regards to testing Authlogic.
157
+ See Authlogic::TestCase
231
158
 
232
159
  == Tell me quickly how Authlogic works
233
160
 
234
161
  Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.
235
162
 
236
- == What sets Authlogic apart and why I created it
237
-
238
- What inspired me to create Authlogic was the messiness of the current authentication solutions. Put simply, they just didn't feel right, because the logic was not organized properly. As you may know, a common misconception with the MVC design pattern is that the model "M" is only for data access logic, which is wrong. A model is a place for domain logic. This is why the RESTful design pattern and the current authentication solutions don't play nice. Authlogic solves this by placing the session maintenance logic into its own domain (aka "model"). Moving session maintenance into its own domain has its benefits:
239
-
240
- 1. <b>It's cleaner.</b> There are no generators in Authlogic. Authlogic provides a class that you can use, it's plain and simple ruby. More importantly, the code in your app is code you write, written the way you want, nice and clean. It's code that should be in your app and is specific to your app, not a redundant authentication pattern.
241
- 2. <b>Easier to stay up-to-date.</b> To make my point, take a look at the commits to any other authentication solution, then look at the {commits for authlogic}[http://github.com/binarylogic/authlogic/commits/master]. How many commits could you easily start using if you already had an app using that solution? With an alternate solution, very few, if any. All of those cool new features and bug fixes are going to have be manually added or wait for your next application. Which is the main reason a generator is not suitable as an authentication solution. With Authlogic you can start using the latest code with a simple update of a gem. No generators, no mess.
242
- 3. <b>It ties everything together on the domain level.</b> Take a new user registration for example, no reason to manually log the user in, authlogic handles this for you via callbacks. The same applies to a user changing their password. Authlogic handles maintaining the session for you.
243
- 4. <b>No redundant tests.</b> Because Authlogic doesn't use generators, #1 also applies to tests. Authlogic is *thoroughly* tested for you. You don't go and test the internals of ActiveRecord in each of your apps do you? So why do the same for Authlogic? Your application tests should be for application specific code. Get rid of the noise and make your tests focused and concise, no reason to copy tests from app to app.
244
- 5. <b>Framework agnostic</b>. Authlogic can be used in *any* ruby framework you want: Rails, Merb, Sinatra, Mack, your own framework, whatever. It's not tied down to Rails. It does this by abstracting itself from these framework's controllers by using a controller adapter. Thanks to {Rack}[http://rack.rubyforge.org/], there is a defined standard for controller structure, and that's what Authlogic's abstract adapter follows. So if your controller follows the rack standards, you don't need to do anything. Any place it deviates from this is solved by a simple adapter for your framework that closes these gaps. For an example, checkout the Authlogic::ControllerAdapters::MerbAdapter.
245
- 5. <b>You are not restricted to a single session.</b> Think about Apple's me.com, where they need you to authenticate a second time before changing your billing information. Why not just create a second session for this? It works just like your initial session. Then your billing controller can require an "ultra secure" session.
246
- 6. <b>Easily extendable.</b> One of the distinct advantages of using a library is the ability to use its API, assuming it has one. Authlogic has an *excellent* public API, meaning it can easily be extended and grow beyond the core library. Checkout the "add ons" list above to see what I mean.
247
-
248
163
 
249
164
  Copyright (c) 2012 {Ben Johnson of Binary Logic}[http://www.binarylogic.com], released under the MIT license
data/authlogic.gemspec CHANGED
@@ -3,7 +3,7 @@ $:.push File.expand_path("../lib", __FILE__)
3
3
 
4
4
  Gem::Specification.new do |s|
5
5
  s.name = "authlogic"
6
- s.version = "3.2.0"
6
+ s.version = "3.3.0"
7
7
  s.platform = Gem::Platform::RUBY
8
8
  s.authors = ["Ben Johnson"]
9
9
  s.email = ["bjohnson@binarylogic.com"]
@@ -11,13 +11,14 @@ Gem::Specification.new do |s|
11
11
  s.summary = %q{A clean, simple, and unobtrusive ruby authentication solution.}
12
12
  s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
13
13
 
14
- s.add_dependency 'activerecord', '>= 3.0.0'
15
- s.add_dependency 'activesupport', '>= 3.0.0'
14
+ s.add_dependency 'activerecord', '>= 3.2'
15
+ s.add_dependency 'activesupport', '>= 3.2'
16
16
  s.add_development_dependency 'rake'
17
17
  s.add_development_dependency 'bcrypt-ruby'
18
18
  s.add_development_dependency 'scrypt'
19
19
  s.add_development_dependency 'sqlite3'
20
20
  s.add_development_dependency 'timecop'
21
+ s.add_development_dependency 'i18n'
21
22
 
22
23
  s.files = `git ls-files`.split("\n")
23
24
  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
data/lib/authlogic.rb CHANGED
@@ -1,14 +1,14 @@
1
1
  require "active_record"
2
2
 
3
- AUTHLOGIC_PATH = File.dirname(__FILE__) + "/authlogic/"
3
+ path = File.dirname(__FILE__) + "/authlogic/"
4
4
 
5
5
  [
6
6
  "i18n",
7
7
  "random",
8
8
  "regex",
9
-
9
+
10
10
  "controller_adapters/abstract_adapter",
11
-
11
+
12
12
  "crypto_providers/md5",
13
13
  "crypto_providers/sha1",
14
14
  "crypto_providers/sha256",
@@ -16,10 +16,10 @@ AUTHLOGIC_PATH = File.dirname(__FILE__) + "/authlogic/"
16
16
  "crypto_providers/bcrypt",
17
17
  "crypto_providers/aes256",
18
18
  "crypto_providers/scrypt",
19
-
19
+
20
20
  "authenticates_many/base",
21
21
  "authenticates_many/association",
22
-
22
+
23
23
  "acts_as_authentic/email",
24
24
  "acts_as_authentic/logged_in_status",
25
25
  "acts_as_authentic/login",
@@ -32,7 +32,7 @@ AUTHLOGIC_PATH = File.dirname(__FILE__) + "/authlogic/"
32
32
  "acts_as_authentic/single_access_token",
33
33
  "acts_as_authentic/validations_scope",
34
34
  "acts_as_authentic/base",
35
-
35
+
36
36
  "session/activation",
37
37
  "session/active_record_trickery",
38
38
  "session/brute_force_protection",
@@ -57,9 +57,8 @@ AUTHLOGIC_PATH = File.dirname(__FILE__) + "/authlogic/"
57
57
  "session/validation",
58
58
  "session/base"
59
59
  ].each do |library|
60
- require AUTHLOGIC_PATH + library
60
+ require path + library
61
61
  end
62
62
 
63
- require AUTHLOGIC_PATH + "controller_adapters/rails_adapter" if defined?( Rails )
64
- require AUTHLOGIC_PATH + "controller_adapters/merb_adapter" if defined?( Merb )
65
- require AUTHLOGIC_PATH + "controller_adapters/sinatra_adapter" if defined?( Sinatra )
63
+ require path + "controller_adapters/rails_adapter" if defined?( Rails )
64
+ require path + "controller_adapters/sinatra_adapter" if defined?( Sinatra )
@@ -62,10 +62,10 @@ module Authlogic
62
62
  # merge options into it. Checkout the convenience function merge_validates_format_of_email_field_options to merge
63
63
  # options.</b>
64
64
  #
65
- # * <tt>Default:</tt> {:with => Authlogic::Regex.email, :message => lambda {I18n.t('error_messages.email_invalid', :default => "should look like an email address.")}}
65
+ # * <tt>Default:</tt> {:with => Authlogic::Regex.email, :message => Proc.new {I18n.t('error_messages.email_invalid', :default => "should look like an email address.")}}
66
66
  # * <tt>Accepts:</tt> Hash of options accepted by validates_format_of
67
67
  def validates_format_of_email_field_options(value = nil)
68
- rw_config(:validates_format_of_email_field_options, value, {:with => Authlogic::Regex.email, :message => I18n.t('error_messages.email_invalid', :default => "should look like an email address.")})
68
+ rw_config(:validates_format_of_email_field_options, value, {:with => Authlogic::Regex.email, :message => Proc.new{I18n.t('error_messages.email_invalid', :default => "should look like an email address.")}})
69
69
  end
70
70
  alias_method :validates_format_of_email_field_options=, :validates_format_of_email_field_options
71
71
 
@@ -90,21 +90,19 @@ module Authlogic
90
90
  end
91
91
 
92
92
  # This method allows you to find a record with the given login. If you notice, with Active Record you have the
93
- # validates_uniqueness_of validation function. They give you a :case_sensitive option. I handle this in the same
94
- # manner that they handle that. If you are using the login field and set false for the :case_sensitive option in
95
- # validates_uniqueness_of_login_field_options this method will modify the query to look something like:
93
+ # UniquenessValidator class. They give you a :case_sensitive option. I handle this in the same
94
+ # manner that they handle that. If you are using the login field, set false for the :case_sensitive option in
95
+ # validates_uniqueness_of_login_field_options and the column doesn't have a case-insensitive collation,
96
+ # this method will modify the query to look something like:
96
97
  #
97
- # where("LOWER(#{quoted_table_name}.#{login_field}) = ?", login.downcase).first
98
+ # "LOWER(#{quoted_table_name}.#{login_field}) = LOWER(#{login})"
98
99
  #
99
- # If you don't specify this it calls the good old find_by_* method:
100
+ # If you don't specify this it just uses a regular case-sensitive search (with the binary modifier if necessary):
100
101
  #
101
- # find_by_login(login)
102
+ # "BINARY #{login_field} = #{login}"
102
103
  #
103
104
  # The above also applies for using email as your login, except that you need to set the :case_sensitive in
104
105
  # validates_uniqueness_of_email_field_options to false.
105
- #
106
- # The only reason I need to do the above is for Postgres and SQLite since they perform case sensitive searches with the
107
- # find_by_* methods.
108
106
  def find_by_smart_case_login_field(login)
109
107
  if login_field
110
108
  find_with_case(login_field, login, validates_uniqueness_of_login_field_options[:case_sensitive] != false)
@@ -115,11 +113,14 @@ module Authlogic
115
113
 
116
114
  private
117
115
  def find_with_case(field, value, sensitivity = true)
118
- if sensitivity
119
- send("find_by_#{field}", value)
116
+ relation = if not sensitivity
117
+ connection.case_insensitive_comparison(arel_table, field.to_s, columns_hash[field.to_s], value)
120
118
  else
121
- where("LOWER(#{quoted_table_name}.#{field}) = ?", value.mb_chars.downcase).first
119
+ value = connection.case_sensitive_modifier(value) if value
120
+ relation = arel_table[field.to_s].eq(value)
122
121
  end
122
+
123
+ where(relation).first
123
124
  end
124
125
  end
125
126
 
@@ -52,7 +52,7 @@ module Authlogic
52
52
 
53
53
  # Class level methods for the perishable token
54
54
  module ClassMethods
55
- # Use this methdo to find a record with a perishable token. This method does 2 things for you:
55
+ # Use this method to find a record with a perishable token. This method does 2 things for you:
56
56
  #
57
57
  # 1. It ignores blank tokens
58
58
  # 2. It enforces the perishable_token_valid_for configuration option.
@@ -1,6 +1,6 @@
1
1
  module Authlogic
2
2
  module ControllerAdapters # :nodoc:
3
- # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter or MerbAdapter
3
+ # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter
4
4
  # for an example of how to adapt Authlogic to work with your framework.
5
5
  class AbstractAdapter
6
6
  attr_accessor :controller
@@ -8,7 +8,7 @@ module Authlogic
8
8
  def initialize(controller)
9
9
  self.controller = controller
10
10
  end
11
-
11
+
12
12
  def authenticate_with_http_basic(&block)
13
13
  @auth = Rack::Auth::Basic::Request.new(controller.request.env)
14
14
  if @auth.provided? and @auth.basic?
@@ -17,11 +17,11 @@ module Authlogic
17
17
  false
18
18
  end
19
19
  end
20
-
20
+
21
21
  def cookies
22
22
  controller.cookies
23
23
  end
24
-
24
+
25
25
  def cookie_domain
26
26
  raise NotImplementedError.new("The cookie_domain method has not been implemented by the controller adapter")
27
27
  end
@@ -41,23 +41,23 @@ module Authlogic
41
41
  def session
42
42
  controller.session
43
43
  end
44
-
44
+
45
45
  def responds_to_single_access_allowed?
46
46
  controller.respond_to?(:single_access_allowed?, true)
47
47
  end
48
-
48
+
49
49
  def single_access_allowed?
50
50
  controller.send(:single_access_allowed?)
51
51
  end
52
-
52
+
53
53
  def responds_to_last_request_update_allowed?
54
54
  controller.respond_to?(:last_request_update_allowed?, true)
55
55
  end
56
-
56
+
57
57
  def last_request_update_allowed?
58
58
  controller.send(:last_request_update_allowed?)
59
59
  end
60
-
60
+
61
61
  private
62
62
  def method_missing(id, *args, &block)
63
63
  controller.send(id, *args, &block)
@@ -0,0 +1,63 @@
1
+ module Authlogic
2
+ module ControllerAdapters
3
+ # Adapter for authlogic to make it function as a Rack middleware.
4
+ # First you'll have write your own Rack adapter where you have to set your cookie domain.
5
+ #
6
+ # class YourRackAdapter < Authlogic::ControllerAdapters::RackAdapter
7
+ # def cookie_domain
8
+ # 'your_cookie_domain_here.com'
9
+ # end
10
+ # end
11
+ #
12
+ # Next you need to set up a rack middleware like this:
13
+ #
14
+ # class AuthlogicMiddleware
15
+ # def initialize(app)
16
+ # @app = app
17
+ # end
18
+ #
19
+ # def call(env)
20
+ # YourRackAdapter.new(env)
21
+ # @app.call(env)
22
+ # end
23
+ # end
24
+ #
25
+ # And that is all! Now just load this middleware into rack:
26
+ #
27
+ # use AuthlogicMiddleware
28
+ #
29
+ # Authlogic will expect a User and a UserSession object to be present:
30
+ #
31
+ # class UserSession < Authlogic::Session::Base
32
+ # # Authlogic options go here
33
+ # end
34
+ #
35
+ # class User < ActiveRecord::Base
36
+ # acts_as_authentic
37
+ # end
38
+ #
39
+ class RackAdapter < AbstractAdapter
40
+
41
+ def initialize(env)
42
+ # We use the Rack::Request object as the controller object.
43
+ # For this to work, we have to add some glue.
44
+ request = Rack::Request.new(env)
45
+
46
+ request.instance_eval do
47
+ def request; self; end
48
+ def remote_ip; self.ip; end
49
+ end
50
+
51
+ super(request)
52
+ Authlogic::Session::Base.controller = self
53
+ end
54
+
55
+ # Rack Requests stores cookies with not just the value, but also with flags and expire information in the hash.
56
+ # Authlogic does not like this, so we drop everything except the cookie value
57
+ def cookies
58
+ controller.cookies.map{|key, value_hash| {key => value_hash[:value]} }.inject(:merge) || {}
59
+ end
60
+ end
61
+ end
62
+
63
+ end
@@ -17,16 +17,16 @@ module Authlogic
17
17
  #
18
18
  # Benchmark.bm(18) do |x|
19
19
  # x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
20
- # x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
20
+ # x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
21
21
  # x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
22
22
  # x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
23
23
  # end
24
24
  #
25
- # user system total real
26
- # BCrypt (cost = 10): 10.780000 0.060000 10.840000 ( 11.100289)
27
- # BCrypt (cost = 2): 0.180000 0.000000 0.180000 ( 0.181914)
28
- # Sha512: 0.000000 0.000000 0.000000 ( 0.000829)
29
- # Sha1: 0.000000 0.000000 0.000000 ( 0.000395)
25
+ # user system total real
26
+ # BCrypt (cost = 10): 37.360000 0.020000 37.380000 ( 37.558943)
27
+ # BCrypt (cost = 4): 0.680000 0.000000 0.680000 ( 0.677460)
28
+ # Sha512: 0.000000 0.000000 0.000000 ( 0.000672)
29
+ # Sha1: 0.000000 0.000000 0.000000 ( 0.000454)
30
30
  #
31
31
  # You can play around with the cost to get that perfect balance between performance and security.
32
32
  #
@@ -44,11 +44,16 @@ module Authlogic
44
44
  class BCrypt
45
45
  class << self
46
46
  # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
47
- # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
47
+ # Set this to any value >= the engine's minimum (currently 4), play around with it to get that perfect balance between security and performance.
48
48
  def cost
49
49
  @cost ||= 10
50
50
  end
51
- attr_writer :cost
51
+ def cost=(val)
52
+ if val < ::BCrypt::Engine::MIN_COST
53
+ raise ArgumentError.new("Authlogic's bcrypt cost cannot be set below the engine's min cost (#{::BCrypt::Engine::MIN_COST})")
54
+ end
55
+ @cost = val
56
+ end
52
57
 
53
58
  # Creates a BCrypt hash for the password passed.
54
59
  def encrypt(*tokens)
@@ -27,17 +27,7 @@ module Authlogic
27
27
  def human_name(*args)
28
28
  I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
29
29
  end
30
-
31
- # For rails < 2.3, mispelled
32
- def self_and_descendents_from_active_record
33
- [self]
34
- end
35
-
36
- # For rails >= 2.3, mispelling fixed
37
- def self_and_descendants_from_active_record
38
- [self]
39
- end
40
-
30
+
41
31
  # For rails >= 3.0
42
32
  def model_name
43
33
  if defined?(::ActiveModel)
@@ -8,7 +8,7 @@ module Authlogic
8
8
  # last_request_at Updates every time the user logs in, either by explicitly logging in, or logging in by cookie, session, or http auth
9
9
  # current_login_at Updates with the current time when an explicit login is made.
10
10
  # last_login_at Updates with the value of current_login_at before it is reset.
11
- # current_login_ip Updates with the request remote_ip when an explicit login is made.
11
+ # current_login_ip Updates with the request ip when an explicit login is made.
12
12
  # last_login_ip Updates with the value of current_login_ip before it is reset.
13
13
  module MagicColumns
14
14
  def self.included(klass)
@@ -58,7 +58,7 @@ module Authlogic
58
58
 
59
59
  if record.respond_to?(:current_login_ip)
60
60
  record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
61
- record.current_login_ip = controller.request.remote_ip
61
+ record.current_login_ip = controller.request.ip
62
62
  end
63
63
  end
64
64
 
@@ -92,4 +92,4 @@ module Authlogic
92
92
  end
93
93
  end
94
94
  end
95
- end
95
+ end
@@ -35,8 +35,8 @@ module Authlogic
35
35
  # Allow finding by persistence token, because when records are created the session is maintained in a before_save, when there is no id.
36
36
  # This is done for performance reasons and to save on queries.
37
37
  record = record_id.nil? ?
38
- search_for_record("find_by_persistence_token", persistence_token) :
39
- search_for_record("find_by_#{klass.primary_key}", record_id)
38
+ search_for_record("find_by_persistence_token", persistence_token.to_s) :
39
+ search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
40
40
  self.unauthorized_record = record if record && record.persistence_token == persistence_token
41
41
  valid?
42
42
  else
@@ -7,7 +7,7 @@ module Authlogic
7
7
  self.controller = controller
8
8
  end
9
9
 
10
- def remote_ip
10
+ def ip
11
11
  (controller && controller.respond_to?(:env) && controller.env.is_a?(Hash) && controller.env['REMOTE_ADDR']) || "1.1.1.1"
12
12
  end
13
13
 
@@ -16,4 +16,4 @@ module Authlogic
16
16
  end
17
17
  end
18
18
  end
19
- end
19
+ end
@@ -33,9 +33,21 @@ module ActsAsAuthenticTest
33
33
  end
34
34
 
35
35
  def test_validates_format_of_email_field_options_config
36
- default = {:with => Authlogic::Regex.email, :message => I18n.t('error_messages.email_invalid', :default => "should look like an email address.")}
37
- assert_equal default, User.validates_format_of_email_field_options
38
- assert_equal default, Employee.validates_format_of_email_field_options
36
+ default = {:with => Authlogic::Regex.email, :message => Proc.new{I18n.t('error_messages.email_invalid', :default => "should look like an email address.")}}
37
+ dmessage = default.delete(:message).call
38
+
39
+ options = User.validates_format_of_email_field_options
40
+ message = options.delete(:message)
41
+ assert message.kind_of?(Proc)
42
+ assert_equal dmessage, message.call
43
+ assert_equal default, options
44
+
45
+ options = Employee.validates_format_of_email_field_options
46
+ message = options.delete(:message)
47
+ assert message.kind_of?(Proc)
48
+ assert_equal dmessage, message.call
49
+ assert_equal default, options
50
+
39
51
 
40
52
  User.validates_format_of_email_field_options = {:yes => "no"}
41
53
  assert_equal({:yes => "no"}, User.validates_format_of_email_field_options)
@@ -43,6 +55,31 @@ module ActsAsAuthenticTest
43
55
  assert_equal default, User.validates_format_of_email_field_options
44
56
  end
45
57
 
58
+ def test_deferred_error_message_translation
59
+
60
+ # ensure we successfully loaded the test locale
61
+ assert I18n.available_locales.include?(:lol), "Test locale failed to load"
62
+
63
+ original_locale = I18n.locale
64
+ I18n.locale = 'lol'
65
+ message = I18n.t("authlogic.error_messages.email_invalid")
66
+
67
+ begin
68
+ cat = User.new
69
+ cat.email = 'meow'
70
+ cat.valid?
71
+
72
+ # filter duplicate error messages
73
+ error = cat.errors[:email]
74
+ error = error.first if error.is_a?(Array)
75
+
76
+ assert_equal message, error
77
+
78
+ ensure
79
+ I18n.locale = original_locale
80
+ end
81
+ end
82
+
46
83
  def test_validates_uniqueness_of_email_field_options_config
47
84
  default = {:case_sensitive => false, :scope => Employee.validations_scope, :if => "#{Employee.email_field}_changed?".to_sym}
48
85
  assert_equal default, Employee.validates_uniqueness_of_email_field_options
@@ -10,5 +10,13 @@ module CryptoProviderTest
10
10
  hash = Authlogic::CryptoProviders::BCrypt.encrypt("mypass")
11
11
  assert Authlogic::CryptoProviders::BCrypt.matches?(hash, "mypass")
12
12
  end
13
+
14
+ def test_minimum_cost
15
+ Authlogic::CryptoProviders::BCrypt.cost = 4
16
+ assert_equal 4, Authlogic::CryptoProviders::BCrypt.cost
17
+
18
+ assert_raises(ArgumentError) { Authlogic::CryptoProviders::BCrypt.cost = 2 }
19
+ assert_equal 4, Authlogic::CryptoProviders::BCrypt.cost
20
+ end
13
21
  end
14
22
  end
data/test/i18n/lol.yml ADDED
@@ -0,0 +1,4 @@
1
+ lol:
2
+ authlogic:
3
+ error_messages:
4
+ email_invalid: LOL email should be valid.
@@ -12,14 +12,6 @@ module SessionTest
12
12
  assert_equal "Usersession", UserSession.human_name
13
13
  end
14
14
 
15
- def test_self_and_descendents_from_active_record
16
- assert_equal [UserSession], UserSession.self_and_descendents_from_active_record
17
- end
18
-
19
- def test_self_and_descendants_from_active_record
20
- assert_equal [UserSession], UserSession.self_and_descendants_from_active_record
21
- end
22
-
23
15
  def test_i18n_of_human_name
24
16
  I18n.backend.store_translations 'en', :authlogic => {:models => {:user_session => "MySession" } }
25
17
  assert_equal "MySession", UserSession.human_name
@@ -20,6 +20,24 @@ module SessionTest
20
20
  assert_equal ben, session.record
21
21
  assert_equal ben.persistence_token, controller.session["user_credentials"]
22
22
  end
23
+
24
+ def test_persist_persist_by_session_with_session_fixation_attack
25
+ ben = users(:ben)
26
+ controller.session["user_credentials"] = 'neo'
27
+ controller.session["user_credentials_id"] = {:select => " *,'neo' AS persistence_token FROM users WHERE id = #{ben.id} limit 1 -- "}
28
+ @user_session = UserSession.find
29
+ assert @user_session.blank?
30
+ end
31
+
32
+ def test_persist_persist_by_session_with_sql_injection_attack
33
+ ben = users(:ben)
34
+ controller.session["user_credentials"] = {:select => "ABRA CADABRA"}
35
+ controller.session["user_credentials_id"] = nil
36
+ assert_nothing_raised do
37
+ @user_session = UserSession.find
38
+ end
39
+ assert @user_session.blank?
40
+ end
23
41
 
24
42
  def test_persist_persist_by_session_with_token_only
25
43
  ben = users(:ben)
data/test/test_helper.rb CHANGED
@@ -3,6 +3,9 @@ require "rubygems"
3
3
  require "active_record"
4
4
  require "active_record/fixtures"
5
5
  require "timecop"
6
+ require "i18n"
7
+
8
+ I18n.load_path << File.dirname(__FILE__) + '/i18n/lol.yml'
6
9
 
7
10
  #ActiveRecord::Schema.verbose = false
8
11
  ActiveRecord::Base.establish_connection(:adapter => "sqlite3", :database => ":memory:")
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: authlogic
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.0
4
+ version: 3.3.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-12-07 00:00:00.000000000 Z
12
+ date: 2013-04-04 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: activerecord
@@ -18,7 +18,7 @@ dependencies:
18
18
  requirements:
19
19
  - - ! '>='
20
20
  - !ruby/object:Gem::Version
21
- version: 3.0.0
21
+ version: '3.2'
22
22
  type: :runtime
23
23
  prerelease: false
24
24
  version_requirements: !ruby/object:Gem::Requirement
@@ -26,7 +26,7 @@ dependencies:
26
26
  requirements:
27
27
  - - ! '>='
28
28
  - !ruby/object:Gem::Version
29
- version: 3.0.0
29
+ version: '3.2'
30
30
  - !ruby/object:Gem::Dependency
31
31
  name: activesupport
32
32
  requirement: !ruby/object:Gem::Requirement
@@ -34,7 +34,7 @@ dependencies:
34
34
  requirements:
35
35
  - - ! '>='
36
36
  - !ruby/object:Gem::Version
37
- version: 3.0.0
37
+ version: '3.2'
38
38
  type: :runtime
39
39
  prerelease: false
40
40
  version_requirements: !ruby/object:Gem::Requirement
@@ -42,7 +42,7 @@ dependencies:
42
42
  requirements:
43
43
  - - ! '>='
44
44
  - !ruby/object:Gem::Version
45
- version: 3.0.0
45
+ version: '3.2'
46
46
  - !ruby/object:Gem::Dependency
47
47
  name: rake
48
48
  requirement: !ruby/object:Gem::Requirement
@@ -123,6 +123,22 @@ dependencies:
123
123
  - - ! '>='
124
124
  - !ruby/object:Gem::Version
125
125
  version: '0'
126
+ - !ruby/object:Gem::Dependency
127
+ name: i18n
128
+ requirement: !ruby/object:Gem::Requirement
129
+ none: false
130
+ requirements:
131
+ - - ! '>='
132
+ - !ruby/object:Gem::Version
133
+ version: '0'
134
+ type: :development
135
+ prerelease: false
136
+ version_requirements: !ruby/object:Gem::Requirement
137
+ none: false
138
+ requirements:
139
+ - - ! '>='
140
+ - !ruby/object:Gem::Version
141
+ version: '0'
126
142
  description: A clean, simple, and unobtrusive ruby authentication solution.
127
143
  email:
128
144
  - bjohnson@binarylogic.com
@@ -137,7 +153,6 @@ files:
137
153
  - README.rdoc
138
154
  - Rakefile
139
155
  - authlogic.gemspec
140
- - init.rb
141
156
  - lib/authlogic.rb
142
157
  - lib/authlogic/acts_as_authentic/base.rb
143
158
  - lib/authlogic/acts_as_authentic/email.rb
@@ -154,7 +169,7 @@ files:
154
169
  - lib/authlogic/authenticates_many/association.rb
155
170
  - lib/authlogic/authenticates_many/base.rb
156
171
  - lib/authlogic/controller_adapters/abstract_adapter.rb
157
- - lib/authlogic/controller_adapters/merb_adapter.rb
172
+ - lib/authlogic/controller_adapters/rack_adapter.rb
158
173
  - lib/authlogic/controller_adapters/rails_adapter.rb
159
174
  - lib/authlogic/controller_adapters/sinatra_adapter.rb
160
175
  - lib/authlogic/crypto_providers/aes256.rb
@@ -198,7 +213,6 @@ files:
198
213
  - lib/authlogic/test_case/mock_logger.rb
199
214
  - lib/authlogic/test_case/mock_request.rb
200
215
  - lib/authlogic/test_case/rails_request_adapter.rb
201
- - shoulda_macros/authlogic.rb
202
216
  - test/acts_as_authentic_test/base_test.rb
203
217
  - test/acts_as_authentic_test/email_test.rb
204
218
  - test/acts_as_authentic_test/logged_in_status_test.rb
@@ -221,6 +235,7 @@ files:
221
235
  - test/fixtures/employees.yml
222
236
  - test/fixtures/projects.yml
223
237
  - test/fixtures/users.yml
238
+ - test/i18n/lol.yml
224
239
  - test/i18n_test.rb
225
240
  - test/libs/affiliate.rb
226
241
  - test/libs/company.rb
@@ -274,7 +289,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
274
289
  version: '0'
275
290
  requirements: []
276
291
  rubyforge_project:
277
- rubygems_version: 1.8.24
292
+ rubygems_version: 1.8.25
278
293
  signing_key:
279
294
  specification_version: 3
280
295
  summary: A clean, simple, and unobtrusive ruby authentication solution.
@@ -301,6 +316,7 @@ test_files:
301
316
  - test/fixtures/employees.yml
302
317
  - test/fixtures/projects.yml
303
318
  - test/fixtures/users.yml
319
+ - test/i18n/lol.yml
304
320
  - test/i18n_test.rb
305
321
  - test/libs/affiliate.rb
306
322
  - test/libs/company.rb
data/init.rb DELETED
@@ -1 +0,0 @@
1
- require File.dirname(__FILE__) + "/rails/init.rb"
@@ -1,30 +0,0 @@
1
- module Authlogic
2
- module ControllerAdapters
3
- # Adapts authlogic to work with merb. The point is to close the gap between what authlogic expects and what the merb controller object
4
- # provides. Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite, etc.
5
- class MerbAdapter < AbstractAdapter
6
- # Lets Authlogic know about the controller object via a before filter, AKA "activates" authlogic.
7
- module MerbImplementation
8
- def self.included(klass) # :nodoc:
9
- klass.before :activate_authlogic
10
- end
11
-
12
- def cookie_domain
13
- Merb::Config[:session_cookie_domain]
14
- end
15
-
16
- private
17
- def activate_authlogic
18
- Authlogic::Session::Base.controller = MerbAdapter.new(self)
19
- end
20
- end
21
- end
22
- end
23
- end
24
-
25
- # make sure we're running inside Merb
26
- if defined?(Merb::Plugins)
27
- Merb::BootLoader.before_app_loads do
28
- Merb::Controller.send(:include, Authlogic::ControllerAdapters::MerbAdapter::MerbImplementation)
29
- end
30
- end
@@ -1,69 +0,0 @@
1
- # Test::Unit
2
- # Place this file into your test/shoulda_macros directory
3
- #
4
- # Example:
5
- #
6
- # class UserTest
7
- # should_have_authlogic
8
- # end
9
- #
10
- # Rspec
11
- # Place this file into your spec/support/shoulda directory
12
- #
13
- # Example:
14
- #
15
- # describe User do
16
- # it { should have_authlogic }
17
- # end
18
-
19
- module Authlogic
20
- module Shoulda
21
-
22
- module Matchers
23
- def have_authlogic
24
- HaveAuthlogic.new
25
- end
26
- alias_method :be_authentic, :have_authlogic
27
-
28
- class HaveAuthlogic
29
-
30
- def matches?(subject)
31
- subject.respond_to?(:password=) && subject.respond_to?(:valid_password?)
32
- end
33
-
34
- def failure_message
35
- "Add the line 'acts_as_authentic' to your model"
36
- end
37
-
38
- def description
39
- "have Authlogic"
40
- end
41
- end
42
-
43
- end
44
-
45
- module Macros
46
- include Matchers
47
-
48
- def should_have_authlogic
49
- klass = described_type rescue model_class
50
- matcher = HaveAuthlogic.new
51
-
52
- should matcher.description do
53
- assert matcher.matches?(klass.new), matcher.failure_message
54
- end
55
- end
56
- alias_method :should_be_authentic, :should_have_authlogic
57
-
58
- end
59
-
60
- end
61
- end
62
-
63
- if defined? Spec
64
- Spec::Runner.configure do |config|
65
- config.include(Authlogic::Shoulda::Matchers)
66
- end
67
- else
68
- Test::Unit::TestCase.class_eval { extend Authlogic::Shoulda::Macros }
69
- end