authlogic 3.3.0 → 3.4.0

data/lib/authlogic/acts_as_authentic/perishable_token.rb

@@ -52,7 +52,7 @@ module Authlogic
 
         # Class level methods for the perishable token
         module ClassMethods
-          # Use this method to find a record with a perishable token. This method does 2 things for you:
+          # Use this methdo to find a record with a perishable token. This method does 2 things for you:
           #
           # 1. It ignores blank tokens
           # 2. It enforces the perishable_token_valid_for configuration option.

data/lib/authlogic/acts_as_authentic/persistence_token.rb

@@ -36,7 +36,7 @@ module Authlogic
             records = nil
             i = 0
             begin
-              records = find(:all, :limit => 50, :offset => i)
+              records = limit(50).offset(i)
               records.each { |record| record.forget! }
               i += 50
             end while !records.blank?

data/lib/authlogic/authenticates_many/base.rb

@@ -42,7 +42,7 @@ module Authlogic
         options[:relationship_name] ||= options[:session_class].klass_name.underscore.pluralize
         class_eval <<-"end_eval", __FILE__, __LINE__
           def #{name}
-            find_options = #{options[:find_options].inspect} || #{options[:relationship_name]}.scoped
+            find_options = #{options[:find_options].inspect} || #{options[:relationship_name]}.where(nil)
             @#{name} ||= Authlogic::AuthenticatesMany::Association.new(#{options[:session_class]}, find_options, #{options[:scope_cookies] ? "self.class.model_name.underscore + '_' + self.send(self.class.primary_key).to_s" : "nil"})
           end
         end_eval

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -11,7 +11,7 @@ module Authlogic
         end
 
         def delete(key, options = {})
-          @request.cookies.delete(key)
+          @response.delete_cookie(key, options)
         end
 
         def []=(key, options)

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -6,10 +6,14 @@ end
 
 module Authlogic
   module CryptoProviders
-    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
-    # secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
-    # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
-    # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
+    # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2)
+    # is the best choice for password storage today. They have the
+    # three properties of password hashing that are desirable. They
+    # are one-way, unique, and slow. While a salted SHA or MD5 hash is
+    # one-way and unique, preventing rainbow table attacks, they are
+    # still lightning fast and attacks on the stored passwords are
+    # much more effective. This benchmark demonstrates the effective
+    # slowdown that BCrypt provides:
     #
     #   require "bcrypt"
     #   require "digest"
@@ -17,18 +21,20 @@ module Authlogic
     #
     #   Benchmark.bm(18) do |x|
     #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
-    #     x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
     #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
     #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
     #   end
     #
-    #                            user     system      total        real
-    #   BCrypt (cost = 10):  37.360000   0.020000  37.380000 ( 37.558943)
-    #   BCrypt (cost = 4):    0.680000   0.000000   0.680000 (  0.677460)
-    #   Sha512:               0.000000   0.000000   0.000000 (  0.000672)
-    #   Sha1:                 0.000000   0.000000   0.000000 (  0.000454)
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
     #
-    # You can play around with the cost to get that perfect balance between performance and security.
+    # You can play around with the cost to get that perfect balance
+    # between performance and security. A default cost of 10 is the
+    # best place to start.
     #
     # Decided BCrypt is for you? Just install the bcrypt gem:
     #
@@ -44,16 +50,11 @@ module Authlogic
     class BCrypt
       class << self
         # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
-        # Set this to any value >= the engine's minimum (currently 4), play around with it to get that perfect balance between security and performance.
+        # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
         def cost
           @cost ||= 10
         end
-        def cost=(val)
-          if val < ::BCrypt::Engine::MIN_COST
-            raise ArgumentError.new("Authlogic's bcrypt cost cannot be set below the engine's min cost (#{::BCrypt::Engine::MIN_COST})")
-          end
-          @cost = val
-        end
+        attr_writer :cost
         
         # Creates a BCrypt hash for the password passed.
         def encrypt(*tokens)

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -6,12 +6,13 @@ end
 
 module Authlogic
   module CryptoProviders
-    # If you want a stronger hashing algorithm, but would prefer not to use BCrypt, SCrypt is another option.
-    # SCrypt is newer and less popular (and so less-tested), but it's designed specifically to avoid a theoretical
-    # hardware attack against BCrypt. Just as with BCrypt, you are sacrificing performance relative to SHA2 algorithms,
-    # but the increased security may well be worth it. (That performance sacrifice is the exact reason it's much, much
-    # harder for an attacker to brute-force your paswords).
-    # Decided SCrypt is for you? Just install the bcrypt gem:
+    # SCrypt is the default provider for Authlogic. It is the only
+    # choice in the adaptive hash family that accounts for hardware
+    # based attacks by compensating with memory bound as well as cpu
+    # bound computational constraints. It offers the same guarantees
+    # as BCrypt in the way of one-way, unique and slow.
+    #
+    # Decided SCrypt is for you? Just install the scrypt gem:
     #
     #   gem install scrypt
     #

data/lib/authlogic/regex.rb

@@ -1,3 +1,4 @@
+#encoding: utf-8
 module Authlogic
   # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
   # them out into their own module is to make them easily available to you for other uses. Ex:
@@ -12,11 +13,11 @@ module Authlogic
       @email_regex ||= begin
         email_name_regex  = '[A-Z0-9_\.%\+\-\']+'
         domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-        domain_tld_regex  = '(?:[A-Z]{2,4}|museum|travel)'
+        domain_tld_regex  = '(?:[A-Z]{2,4}|museum|travel|онлайн)'
         /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
       end
     end
-    
+
     # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
     # regular expression.
     def self.login

data/lib/authlogic/session/activation.rb

@@ -1,3 +1,5 @@
+require 'request_store'
+
 module Authlogic
   module Session
     # Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
@@ -32,12 +34,12 @@ module Authlogic
         #
         # Lastly, this is thread safe.
         def controller=(value)
-          Thread.current[:authlogic_controller] = value
+          RequestStore.store[:authlogic_controller] = value
         end
         
         # The current controller object
         def controller
-          Thread.current[:authlogic_controller]
+          RequestStore.store[:authlogic_controller]
         end
       end
       
@@ -55,4 +57,4 @@ module Authlogic
       end
     end
   end
-end
+end

data/lib/authlogic/session/active_record_trickery.rb

@@ -27,7 +27,17 @@ module Authlogic
         def human_name(*args)
           I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
         end
-
+        
+        # For rails < 2.3, mispelled
+        def self_and_descendents_from_active_record
+          [self]
+        end
+        
+        # For rails >= 2.3, mispelling fixed
+        def self_and_descendants_from_active_record
+          [self]
+        end
+        
         # For rails >= 3.0
         def model_name
           if defined?(::ActiveModel)
@@ -51,7 +61,19 @@ module Authlogic
         def new_record?
           new_session?
         end
+
+        def persisted?
+          !(new_record? || destroyed?)
+        end
+
+        def destroyed?
+          record.nil?
+        end
         
+        def to_key
+          new_record? ? nil : record.to_key
+        end
+
         # For rails >= 3.0
         def to_model
           self

data/lib/authlogic/session/callbacks.rb

@@ -63,8 +63,13 @@ module Authlogic
       
       def self.included(base) #:nodoc:
         base.send :include, ActiveSupport::Callbacks
-        base.define_callbacks *METHODS + [{:terminator => 'result == false'}]
-        base.define_callbacks *['persist', {:terminator => 'result == true'}]
+        if ActiveSupport::VERSION::STRING >= '4.1'
+          base.define_callbacks *METHODS + [{:terminator => ->(target, result){ result == false } }]
+          base.define_callbacks *['persist', {:terminator => ->(target, result){ result == true } }]
+        else
+          base.define_callbacks *METHODS + [{:terminator => 'result == false'}]
+          base.define_callbacks *['persist', {:terminator => 'result == true'}]
+        end
 
         # If Rails 3, support the new callback syntax
         if base.singleton_class.method_defined?(:set_callback)
@@ -93,4 +98,4 @@ module Authlogic
         end
     end
   end
-end
+end

data/lib/authlogic/session/cookies.rb

@@ -11,7 +11,7 @@ module Authlogic
           after_destroy :destroy_cookie
         end
       end
-      
+
       # Configuration for the cookie feature set.
       module Config
         # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
@@ -19,7 +19,7 @@ module Authlogic
         #
         #   session = UserSession.new
         #   session.cookie_key => "user_credentials"
-        #   
+        #
         #   session = UserSession.new(:super_high_secret)
         #   session.cookie_key => "super_high_secret_user_credentials"
         #
@@ -29,7 +29,7 @@ module Authlogic
           rw_config(:cookie_key, value, "#{klass_name.underscore}_credentials")
         end
         alias_method :cookie_key=, :cookie_key
-        
+
         # If sessions should be remembered by default or not.
         #
         # * <tt>Default:</tt> false
@@ -38,7 +38,7 @@ module Authlogic
           rw_config(:remember_me, value, false)
         end
         alias_method :remember_me=, :remember_me
-        
+
         # The length of time until the cookie expires.
         #
         # * <tt>Default:</tt> 3.months
@@ -65,8 +65,17 @@ module Authlogic
           rw_config(:httponly, value, false)
         end
         alias_method :httponly=, :httponly
+
+        # Should the cookie be signed? If the controller adapter supports it, this is a measure against cookie tampering.
+        def sign_cookie(value = nil)
+          if value && !controller.cookies.respond_to?(:signed)
+            raise "Signed cookies not supported with #{controller.class}!"
+          end
+          rw_config(:sign_cookie, value, false)
+        end
+        alias_method :sign_cookie=, :sign_cookie
       end
-      
+
       # The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
       module InstanceMethods
         # Allows you to set the remember_me option when passing credentials.
@@ -81,29 +90,29 @@ module Authlogic
             self.remember_me = r if !r.nil?
           end
         end
-        
+
         # Is the cookie going to expire after the session is over, or will it stick around?
         def remember_me
           return @remember_me if defined?(@remember_me)
           @remember_me = self.class.remember_me
         end
-        
+
         # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
         def remember_me=(value)
           @remember_me = value
         end
-        
+
         # See remember_me
         def remember_me?
           remember_me == true || remember_me == "true" || remember_me == "1"
         end
-        
+
         # How long to remember the user if remember_me is true. This is based on the class level configuration: remember_me_for
         def remember_me_for
           return unless remember_me?
           self.class.remember_me_for
         end
-        
+
         # When to expire the cookie. See remember_me_for configuration option to change this.
         def remember_me_until
           return unless remember_me?
@@ -148,15 +157,35 @@ module Authlogic
           httponly == true || httponly == "true" || httponly == "1"
         end
 
+        # If the cookie should be signed
+        def sign_cookie
+          return @sign_cookie if defined?(@sign_cookie)
+          @sign_cookie = self.class.sign_cookie
+        end
+
+        # Accepts a boolean as to whether the cookie should be signed.  If true the cookie will be saved and verified using a signature.
+        def sign_cookie=(value)
+          @sign_cookie = value
+        end
+
+        # See sign_cookie
+        def sign_cookie?
+          sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
+        end
+
         private
           def cookie_key
             build_key(self.class.cookie_key)
           end
-          
+
           def cookie_credentials
-            controller.cookies[cookie_key] && controller.cookies[cookie_key].split("::")
+            if self.class.sign_cookie
+              controller.cookies.signed[cookie_key] && controller.cookies.signed[cookie_key].split("::")
+            else
+              controller.cookies[cookie_key] && controller.cookies[cookie_key].split("::")
+            end
           end
-          
+
           # Tries to validate the session from information in the cookie
           def persist_by_cookie
             persistence_token, record_id = cookie_credentials
@@ -168,18 +197,24 @@ module Authlogic
               false
             end
           end
-          
+
           def save_cookie
-            remember_me_until_value = "::#{remember_me_until}" if remember_me?
-            controller.cookies[cookie_key] = {
+            remember_me_until_value = "::#{remember_me_until.iso8601}" if remember_me?
+            cookie = {
               :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}#{remember_me_until_value}",
               :expires => remember_me_until,
               :secure => secure,
               :httponly => httponly,
               :domain => controller.cookie_domain
             }
+
+            if sign_cookie?
+              controller.cookies.signed[cookie_key] = cookie
+            else
+              controller.cookies[cookie_key] = cookie
+            end
           end
-          
+
           def destroy_cookie
             controller.cookies.delete cookie_key, :domain => controller.cookie_domain
           end

data/lib/authlogic/session/foundation.rb

@@ -58,15 +58,7 @@ module Authlogic
         def inspect
           "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
         end
-        
-        def persisted?
-          !(new_record? || destroyed?)
-        end
-        
-        def to_key
-          new_record? ? nil : [ self.send(self.class.primary_key) ]
-        end
-        
+                
         private
           def build_key(last_part)
             last_part

data/lib/authlogic/session/magic_columns.rb

@@ -8,7 +8,7 @@ module Authlogic
     #   last_request_at       Updates every time the user logs in, either by explicitly logging in, or logging in by cookie, session, or http auth
     #   current_login_at      Updates with the current time when an explicit login is made.
     #   last_login_at         Updates with the value of current_login_at before it is reset.
-    #   current_login_ip      Updates with the request ip when an explicit login is made.
+    #   current_login_ip      Updates with the request remote_ip when an explicit login is made.
     #   last_login_ip         Updates with the value of current_login_ip before it is reset.
     module MagicColumns
       def self.included(klass)
@@ -58,7 +58,7 @@ module Authlogic
           
             if record.respond_to?(:current_login_ip)
               record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-              record.current_login_ip = controller.request.ip
+              record.current_login_ip = controller.request.remote_ip
             end
           end
           
@@ -72,7 +72,7 @@ module Authlogic
           # So you can do something like this in your controller:
           #
           #   def last_request_update_allowed?
-          #     action_name =! "update_session_time_left"
+          #     action_name != "update_session_time_left"
           #   end
           #
           # You can do whatever you want with that method.

data/lib/authlogic/session/scopes.rb

@@ -1,3 +1,5 @@
+require 'request_store'
+
 module Authlogic
   module Session
     # Authentication can be scoped, and it's easy, you just need to define how you want to scope everything. This should help you:
@@ -17,7 +19,7 @@ module Authlogic
       module ClassMethods
         # The current scope set, should be used in the block passed to with_scope.
         def scope
-          Thread.current[:authlogic_scope]
+          RequestStore.store[:authlogic_scope]
         end
 
         # What with_scopes focuses on is scoping the query when finding the object and the name of the cookie / session. It works very similar to
@@ -68,7 +70,7 @@ module Authlogic
 
         private
           def scope=(value)
-            Thread.current[:authlogic_scope] = value
+            RequestStore.store[:authlogic_scope] = value
           end
       end
 
@@ -91,11 +93,16 @@ module Authlogic
           end
 
           def search_for_record(*args)
-            klass.send(:with_scope, :find => (scope[:find_options] || {})) do
+            session_scope = if scope[:find_options].is_a?(ActiveRecord::Relation)
+              scope[:find_options]
+            else
+              klass.send(:where, scope[:find_options] && scope[:find_options][:conditions] || {})
+            end
+            session_scope.scoping do
               klass.send(*args)
             end
           end
       end
     end
   end
-end
+end