authlogic 3.4.3 → 3.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/README.rdoc +13 -2
- data/authlogic.gemspec +1 -1
- data/lib/authlogic.rb +1 -0
- data/lib/authlogic/acts_as_authentic/base.rb +2 -13
- data/lib/authlogic/config.rb +23 -0
- data/lib/authlogic/session/active_record_trickery.rb +10 -22
- data/lib/authlogic/session/cookies.rb +3 -3
- data/lib/authlogic/session/foundation.rb +5 -23
- data/test/acts_as_authentic_test/base_test.rb +3 -3
- data/test/acts_as_authentic_test/email_test.rb +6 -12
- data/test/acts_as_authentic_test/logged_in_status_test.rb +4 -1
- data/test/acts_as_authentic_test/password_test.rb +53 -59
- data/test/acts_as_authentic_test/persistence_token_test.rb +14 -13
- data/test/acts_as_authentic_test/restful_authentication_test.rb +5 -8
- data/test/config_test.rb +36 -0
- data/test/fixtures/users.yml +7 -2
- data/test/gemfiles/Gemfile.rails-4.2.x +7 -0
- data/test/libs/user.rb +4 -2
- data/test/libs/user_session.rb +20 -0
- data/test/session_test/active_record_trickery_test.rb +10 -4
- data/test/session_test/brute_force_protection_test.rb +18 -16
- data/test/session_test/callbacks_test.rb +5 -25
- data/test/session_test/foundation_test.rb +6 -0
- data/test/session_test/http_auth_test.rb +13 -11
- data/test/session_test/magic_columns_test.rb +27 -27
- data/test/session_test/password_test.rb +15 -15
- data/test/session_test/persistence_test.rb +8 -8
- data/test/test_helper.rb +33 -10
- metadata +54 -49
- data/test/libs/ordered_hash.rb +0 -9
|
@@ -8,25 +8,26 @@ module ActsAsAuthenticTest
|
|
|
8
8
|
ben.password = "newpass"
|
|
9
9
|
assert_not_equal old_persistence_token, ben.persistence_token
|
|
10
10
|
end
|
|
11
|
-
|
|
11
|
+
|
|
12
12
|
def test_after_password_verification_reset_persistence_token
|
|
13
|
-
|
|
14
|
-
old_persistence_token =
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
13
|
+
aaron = users(:aaron)
|
|
14
|
+
old_persistence_token = aaron.persistence_token
|
|
15
|
+
|
|
16
|
+
assert aaron.valid_password?(password_for(aaron))
|
|
17
|
+
assert_equal old_persistence_token, aaron.reload.persistence_token
|
|
18
|
+
|
|
18
19
|
# only update it if it is nil
|
|
19
|
-
assert
|
|
20
|
-
assert
|
|
21
|
-
assert_not_equal old_persistence_token,
|
|
20
|
+
assert aaron.update_attribute(:persistence_token, nil)
|
|
21
|
+
assert aaron.valid_password?(password_for(aaron))
|
|
22
|
+
assert_not_equal old_persistence_token, aaron.persistence_token
|
|
22
23
|
end
|
|
23
|
-
|
|
24
|
+
|
|
24
25
|
def test_before_validate_reset_persistence_token
|
|
25
26
|
u = User.new
|
|
26
27
|
assert !u.valid?
|
|
27
28
|
assert_not_nil u.persistence_token
|
|
28
29
|
end
|
|
29
|
-
|
|
30
|
+
|
|
30
31
|
def test_forget_all
|
|
31
32
|
http_basic_auth_for(users(:ben)) { UserSession.find }
|
|
32
33
|
http_basic_auth_for(users(:zack)) { UserSession.find(:ziggity_zack) }
|
|
@@ -36,7 +37,7 @@ module ActsAsAuthenticTest
|
|
|
36
37
|
assert !UserSession.find
|
|
37
38
|
assert !UserSession.find(:ziggity_zack)
|
|
38
39
|
end
|
|
39
|
-
|
|
40
|
+
|
|
40
41
|
def test_forget
|
|
41
42
|
ben = users(:ben)
|
|
42
43
|
zack = users(:zack)
|
|
@@ -52,4 +53,4 @@ module ActsAsAuthenticTest
|
|
|
52
53
|
assert UserSession.find(:ziggity_zack)
|
|
53
54
|
end
|
|
54
55
|
end
|
|
55
|
-
end
|
|
56
|
+
end
|
|
@@ -5,7 +5,7 @@ module ActsAsAuthenticTest
|
|
|
5
5
|
def test_act_like_restful_authentication_config
|
|
6
6
|
assert !User.act_like_restful_authentication
|
|
7
7
|
assert !Employee.act_like_restful_authentication
|
|
8
|
-
|
|
8
|
+
|
|
9
9
|
User.act_like_restful_authentication = true
|
|
10
10
|
assert User.act_like_restful_authentication
|
|
11
11
|
assert_equal Authlogic::CryptoProviders::Sha1, User.crypto_provider
|
|
@@ -15,7 +15,7 @@ module ActsAsAuthenticTest
|
|
|
15
15
|
|
|
16
16
|
User.act_like_restful_authentication false
|
|
17
17
|
assert !User.act_like_restful_authentication
|
|
18
|
-
|
|
18
|
+
|
|
19
19
|
User.crypto_provider = Authlogic::CryptoProviders::Sha512
|
|
20
20
|
User.transition_from_crypto_providers = []
|
|
21
21
|
end
|
|
@@ -23,18 +23,15 @@ module ActsAsAuthenticTest
|
|
|
23
23
|
def test_transition_from_restful_authentication_config
|
|
24
24
|
assert !User.transition_from_restful_authentication
|
|
25
25
|
assert !Employee.transition_from_restful_authentication
|
|
26
|
-
|
|
26
|
+
|
|
27
27
|
User.transition_from_restful_authentication = true
|
|
28
28
|
assert User.transition_from_restful_authentication
|
|
29
29
|
assert defined?(::REST_AUTH_SITE_KEY)
|
|
30
30
|
assert_equal '', ::REST_AUTH_SITE_KEY
|
|
31
31
|
assert_equal 1, Authlogic::CryptoProviders::Sha1.stretches
|
|
32
|
-
|
|
32
|
+
|
|
33
33
|
User.transition_from_restful_authentication false
|
|
34
34
|
assert !User.transition_from_restful_authentication
|
|
35
|
-
|
|
36
|
-
User.crypto_provider = Authlogic::CryptoProviders::Sha512
|
|
37
|
-
User.transition_from_crypto_providers = []
|
|
38
35
|
end
|
|
39
36
|
end
|
|
40
|
-
end
|
|
37
|
+
end
|
data/test/config_test.rb
ADDED
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
require 'test_helper'
|
|
2
|
+
|
|
3
|
+
class ConfigTest < ActiveSupport::TestCase
|
|
4
|
+
def setup
|
|
5
|
+
@klass = Class.new {
|
|
6
|
+
extend Authlogic::Config
|
|
7
|
+
|
|
8
|
+
def self.foobar(value = nil)
|
|
9
|
+
rw_config(:foobar_field, value, 'default_foobar')
|
|
10
|
+
end
|
|
11
|
+
}
|
|
12
|
+
|
|
13
|
+
@subklass = Class.new(@klass)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def test_config
|
|
17
|
+
assert_equal({}, @klass.acts_as_authentic_config)
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def test_rw_config_read_with_default
|
|
21
|
+
assert 'default_foobar', @klass.foobar
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def test_rw_config_write
|
|
25
|
+
assert_equal 'my_foobar', @klass.foobar('my_foobar')
|
|
26
|
+
assert_equal 'my_foobar', @klass.foobar
|
|
27
|
+
|
|
28
|
+
assert_equal 'my_new_foobar', @klass.foobar('my_new_foobar')
|
|
29
|
+
assert_equal 'my_new_foobar', @klass.foobar
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
def test_subclass_rw_config_write
|
|
33
|
+
assert_equal 'subklass_foobar', @subklass.foobar('subklass_foobar')
|
|
34
|
+
assert_equal 'default_foobar', @klass.foobar
|
|
35
|
+
end
|
|
36
|
+
end
|
data/test/fixtures/users.yml
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
# NB :ben and :zack use the legacy crypto provider (Sha512) ... when they're
|
|
2
|
+
# tested for valid_password?() it will transition their password
|
|
3
|
+
# (re: test/libs/user.rb). This could have unintended side-effects (like auto-
|
|
4
|
+
# resetting their persistence token when checking password) -- one solution
|
|
5
|
+
# is to just switch in users(:aaron) for those tests.
|
|
1
6
|
ben:
|
|
2
7
|
company: binary_logic
|
|
3
8
|
projects: web_services
|
|
@@ -10,7 +15,7 @@ ben:
|
|
|
10
15
|
email: bjohnson@binarylogic.com
|
|
11
16
|
first_name: Ben
|
|
12
17
|
last_name: Johnson
|
|
13
|
-
|
|
18
|
+
|
|
14
19
|
zack:
|
|
15
20
|
company: logic_over_data
|
|
16
21
|
projects: web_services
|
|
@@ -28,7 +33,7 @@ aaron:
|
|
|
28
33
|
projects: web_services
|
|
29
34
|
login: abedra
|
|
30
35
|
crypted_password: <%= Authlogic::CryptoProviders::SCrypt.encrypt("aaronrocks") %>
|
|
31
|
-
persistence_token:
|
|
36
|
+
persistence_token: e3d853f5aa0dacac5c257d03c4e097a3a7f51b182a8fc4f62096d05e939b019855aff0290157ac854e4195f13284ff5223f1996d0fd073e7e360171de54db278
|
|
32
37
|
single_access_token: <%= Authlogic::Random.friendly_token %>
|
|
33
38
|
perishable_token: <%= Authlogic::Random.friendly_token %>
|
|
34
39
|
email: abedra@cigital.com
|
data/test/libs/user.rb
CHANGED
data/test/libs/user_session.rb
CHANGED
|
@@ -3,3 +3,23 @@ end
|
|
|
3
3
|
|
|
4
4
|
class BackOfficeUserSession < Authlogic::Session::Base
|
|
5
5
|
end
|
|
6
|
+
|
|
7
|
+
class WackyUserSession < Authlogic::Session::Base
|
|
8
|
+
attr_accessor :counter
|
|
9
|
+
authenticate_with User
|
|
10
|
+
|
|
11
|
+
def initialize
|
|
12
|
+
@counter = 0
|
|
13
|
+
super
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def persist_by_false
|
|
17
|
+
self.counter += 1
|
|
18
|
+
return false
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def persist_by_true
|
|
22
|
+
self.counter += 1
|
|
23
|
+
return true
|
|
24
|
+
end
|
|
25
|
+
end
|
|
@@ -7,11 +7,11 @@ module SessionTest
|
|
|
7
7
|
assert_equal "Some attribute", UserSession.human_attribute_name("some_attribute")
|
|
8
8
|
assert_equal "Some attribute", UserSession.human_attribute_name(:some_attribute)
|
|
9
9
|
end
|
|
10
|
-
|
|
10
|
+
|
|
11
11
|
def test_human_name
|
|
12
12
|
assert_equal "Usersession", UserSession.human_name
|
|
13
13
|
end
|
|
14
|
-
|
|
14
|
+
|
|
15
15
|
def test_i18n_of_human_name
|
|
16
16
|
I18n.backend.store_translations 'en', :authlogic => {:models => {:user_session => "MySession" } }
|
|
17
17
|
assert_equal "MySession", UserSession.human_name
|
|
@@ -21,8 +21,14 @@ module SessionTest
|
|
|
21
21
|
I18n.backend.store_translations 'en', :authlogic => {:models => {:user_session => "MySession" } }
|
|
22
22
|
assert_equal "MySession", UserSession.model_name.human
|
|
23
23
|
end
|
|
24
|
+
|
|
25
|
+
def test_model_name
|
|
26
|
+
assert_equal "UserSession", UserSession.model_name.name
|
|
27
|
+
assert_equal "user_session", UserSession.model_name.singular
|
|
28
|
+
assert_equal "user_sessions", UserSession.model_name.plural
|
|
29
|
+
end
|
|
24
30
|
end
|
|
25
|
-
|
|
31
|
+
|
|
26
32
|
class InstanceMethodsTest < ActiveSupport::TestCase
|
|
27
33
|
def test_new_record
|
|
28
34
|
session = UserSession.new
|
|
@@ -49,7 +55,7 @@ module SessionTest
|
|
|
49
55
|
session.destroy
|
|
50
56
|
assert ! session.persisted?
|
|
51
57
|
end
|
|
52
|
-
|
|
58
|
+
|
|
53
59
|
def test_destroyed?
|
|
54
60
|
session = UserSession.create(users(:ben))
|
|
55
61
|
assert ! session.destroyed?
|
|
@@ -6,20 +6,20 @@ module SessionTest
|
|
|
6
6
|
def test_consecutive_failed_logins_limit
|
|
7
7
|
UserSession.consecutive_failed_logins_limit = 10
|
|
8
8
|
assert_equal 10, UserSession.consecutive_failed_logins_limit
|
|
9
|
-
|
|
9
|
+
|
|
10
10
|
UserSession.consecutive_failed_logins_limit 50
|
|
11
11
|
assert_equal 50, UserSession.consecutive_failed_logins_limit
|
|
12
12
|
end
|
|
13
|
-
|
|
13
|
+
|
|
14
14
|
def test_failed_login_ban_for
|
|
15
15
|
UserSession.failed_login_ban_for = 10
|
|
16
16
|
assert_equal 10, UserSession.failed_login_ban_for
|
|
17
|
-
|
|
17
|
+
|
|
18
18
|
UserSession.failed_login_ban_for 2.hours
|
|
19
19
|
assert_equal 2.hours.to_i, UserSession.failed_login_ban_for
|
|
20
20
|
end
|
|
21
21
|
end
|
|
22
|
-
|
|
22
|
+
|
|
23
23
|
class InstanceMethodsTest < ActiveSupport::TestCase
|
|
24
24
|
def test_under_limit
|
|
25
25
|
ben = users(:ben)
|
|
@@ -34,46 +34,48 @@ module SessionTest
|
|
|
34
34
|
assert ben.save
|
|
35
35
|
assert UserSession.create(:login => ben.login, :password => "benrocks").new_session?
|
|
36
36
|
assert UserSession.create(ben).new_session?
|
|
37
|
+
|
|
38
|
+
ben.reload
|
|
37
39
|
ben.updated_at = (UserSession.failed_login_ban_for + 2.hours.to_i).seconds.ago
|
|
38
40
|
assert !UserSession.create(ben).new_session?
|
|
39
41
|
end
|
|
40
|
-
|
|
42
|
+
|
|
41
43
|
def test_exceeding_failed_logins_limit
|
|
42
44
|
UserSession.consecutive_failed_logins_limit = 2
|
|
43
45
|
ben = users(:ben)
|
|
44
|
-
|
|
46
|
+
|
|
45
47
|
2.times do |i|
|
|
46
48
|
session = UserSession.new(:login => ben.login, :password => "badpassword1")
|
|
47
49
|
assert !session.save
|
|
48
50
|
assert session.errors[:password].size > 0
|
|
49
51
|
assert_equal i + 1, ben.reload.failed_login_count
|
|
50
52
|
end
|
|
51
|
-
|
|
53
|
+
|
|
52
54
|
session = UserSession.new(:login => ben.login, :password => "badpassword2")
|
|
53
55
|
assert !session.save
|
|
54
56
|
assert session.errors[:password].size == 0
|
|
55
57
|
assert_equal 3, ben.reload.failed_login_count
|
|
56
|
-
|
|
58
|
+
|
|
57
59
|
UserSession.consecutive_failed_logins_limit = 50
|
|
58
60
|
end
|
|
59
|
-
|
|
61
|
+
|
|
60
62
|
def test_exceeded_ban_for
|
|
61
63
|
UserSession.consecutive_failed_logins_limit = 2
|
|
62
64
|
UserSession.generalize_credentials_error_messages true
|
|
63
65
|
ben = users(:ben)
|
|
64
|
-
|
|
66
|
+
|
|
65
67
|
2.times do |i|
|
|
66
68
|
session = UserSession.new(:login => ben.login, :password => "badpassword1")
|
|
67
69
|
assert !session.save
|
|
68
70
|
assert session.invalid_password?
|
|
69
71
|
assert_equal i + 1, ben.reload.failed_login_count
|
|
70
72
|
end
|
|
71
|
-
|
|
73
|
+
|
|
72
74
|
ActiveRecord::Base.connection.execute("update users set updated_at = '#{1.day.ago.to_s(:db)}' where login = '#{ben.login}'")
|
|
73
75
|
session = UserSession.new(:login => ben.login, :password => "benrocks")
|
|
74
76
|
assert session.save
|
|
75
77
|
assert_equal 0, ben.reload.failed_login_count
|
|
76
|
-
|
|
78
|
+
|
|
77
79
|
UserSession.consecutive_failed_logins_limit = 50
|
|
78
80
|
UserSession.generalize_credentials_error_messages false
|
|
79
81
|
end
|
|
@@ -81,21 +83,21 @@ module SessionTest
|
|
|
81
83
|
def test_exceeded_ban_and_failed_doesnt_ban_again
|
|
82
84
|
UserSession.consecutive_failed_logins_limit = 2
|
|
83
85
|
ben = users(:ben)
|
|
84
|
-
|
|
86
|
+
|
|
85
87
|
2.times do |i|
|
|
86
88
|
session = UserSession.new(:login => ben.login, :password => "badpassword1")
|
|
87
89
|
assert !session.save
|
|
88
90
|
assert session.errors[:password].size > 0
|
|
89
91
|
assert_equal i + 1, ben.reload.failed_login_count
|
|
90
92
|
end
|
|
91
|
-
|
|
93
|
+
|
|
92
94
|
ActiveRecord::Base.connection.execute("update users set updated_at = '#{1.day.ago.to_s(:db)}' where login = '#{ben.login}'")
|
|
93
95
|
session = UserSession.new(:login => ben.login, :password => "badpassword1")
|
|
94
96
|
assert !session.save
|
|
95
97
|
assert_equal 1, ben.reload.failed_login_count
|
|
96
|
-
|
|
98
|
+
|
|
97
99
|
UserSession.consecutive_failed_logins_limit = 50
|
|
98
100
|
end
|
|
99
101
|
end
|
|
100
102
|
end
|
|
101
|
-
end
|
|
103
|
+
end
|
|
@@ -1,31 +1,11 @@
|
|
|
1
1
|
require 'test_helper'
|
|
2
2
|
|
|
3
|
-
class WackyUserSession < Authlogic::Session::Base
|
|
4
|
-
attr_accessor :counter
|
|
5
|
-
authenticate_with User
|
|
6
|
-
|
|
7
|
-
def initialize
|
|
8
|
-
@counter = 0
|
|
9
|
-
super
|
|
10
|
-
end
|
|
11
|
-
|
|
12
|
-
def persist_by_false
|
|
13
|
-
self.counter += 1
|
|
14
|
-
return false
|
|
15
|
-
end
|
|
16
|
-
|
|
17
|
-
def persist_by_true
|
|
18
|
-
self.counter += 1
|
|
19
|
-
return true
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
|
|
23
3
|
module SessionTest
|
|
24
4
|
class CallbacksTest < ActiveSupport::TestCase
|
|
25
5
|
def setup
|
|
26
6
|
WackyUserSession.reset_callbacks(:persist)
|
|
27
7
|
end
|
|
28
|
-
|
|
8
|
+
|
|
29
9
|
def test_no_callbacks
|
|
30
10
|
assert_equal [], WackyUserSession._persist_callbacks.map(&:filter)
|
|
31
11
|
session = WackyUserSession.new
|
|
@@ -36,19 +16,19 @@ module SessionTest
|
|
|
36
16
|
def test_true_callback_cancelling_later_callbacks
|
|
37
17
|
WackyUserSession.persist :persist_by_true, :persist_by_false
|
|
38
18
|
assert_equal [:persist_by_true, :persist_by_false], WackyUserSession._persist_callbacks.map(&:filter)
|
|
39
|
-
|
|
19
|
+
|
|
40
20
|
session = WackyUserSession.new
|
|
41
21
|
session.send(:persist)
|
|
42
22
|
assert_equal 1, session.counter
|
|
43
23
|
end
|
|
44
|
-
|
|
24
|
+
|
|
45
25
|
def test_false_callback_continuing_to_later_callbacks
|
|
46
26
|
WackyUserSession.persist :persist_by_false, :persist_by_true
|
|
47
27
|
assert_equal [:persist_by_false, :persist_by_true], WackyUserSession._persist_callbacks.map(&:filter)
|
|
48
|
-
|
|
28
|
+
|
|
49
29
|
session = WackyUserSession.new
|
|
50
30
|
session.send(:persist)
|
|
51
31
|
assert_equal 2, session.counter
|
|
52
32
|
end
|
|
53
33
|
end
|
|
54
|
-
end
|
|
34
|
+
end
|
|
@@ -6,7 +6,7 @@ module SessionTest
|
|
|
6
6
|
def test_allow_http_basic_auth
|
|
7
7
|
UserSession.allow_http_basic_auth = false
|
|
8
8
|
assert_equal false, UserSession.allow_http_basic_auth
|
|
9
|
-
|
|
9
|
+
|
|
10
10
|
UserSession.allow_http_basic_auth true
|
|
11
11
|
assert_equal true, UserSession.allow_http_basic_auth
|
|
12
12
|
end
|
|
@@ -20,34 +20,36 @@ module SessionTest
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
def test_http_basic_auth_realm
|
|
23
|
+
original_http_basic_auth_realm = UserSession.http_basic_auth_realm
|
|
24
|
+
|
|
23
25
|
assert_equal 'Application', UserSession.http_basic_auth_realm
|
|
24
26
|
|
|
25
27
|
UserSession.http_basic_auth_realm = 'TestRealm'
|
|
26
28
|
assert_equal 'TestRealm', UserSession.http_basic_auth_realm
|
|
27
29
|
end
|
|
28
30
|
end
|
|
29
|
-
|
|
31
|
+
|
|
30
32
|
class InstanceMethodsTest < ActiveSupport::TestCase
|
|
31
33
|
def test_persist_persist_by_http_auth
|
|
32
|
-
|
|
34
|
+
aaron = users(:aaron)
|
|
33
35
|
http_basic_auth_for do
|
|
34
36
|
assert !UserSession.find
|
|
35
37
|
end
|
|
36
|
-
http_basic_auth_for(
|
|
38
|
+
http_basic_auth_for(aaron) do
|
|
37
39
|
assert session = UserSession.find
|
|
38
|
-
assert_equal
|
|
39
|
-
assert_equal
|
|
40
|
-
assert_equal "
|
|
40
|
+
assert_equal aaron, session.record
|
|
41
|
+
assert_equal aaron.login, session.login
|
|
42
|
+
assert_equal "aaronrocks", session.send(:protected_password)
|
|
41
43
|
assert !controller.http_auth_requested?
|
|
42
44
|
end
|
|
43
45
|
unset_session
|
|
44
46
|
UserSession.request_http_basic_auth = true
|
|
45
47
|
UserSession.http_basic_auth_realm = 'PersistTestRealm'
|
|
46
|
-
http_basic_auth_for(
|
|
48
|
+
http_basic_auth_for(aaron) do
|
|
47
49
|
assert session = UserSession.find
|
|
48
|
-
assert_equal
|
|
49
|
-
assert_equal
|
|
50
|
-
assert_equal "
|
|
50
|
+
assert_equal aaron, session.record
|
|
51
|
+
assert_equal aaron.login, session.login
|
|
52
|
+
assert_equal "aaronrocks", session.send(:protected_password)
|
|
51
53
|
assert_equal 'PersistTestRealm', controller.realm
|
|
52
54
|
assert controller.http_auth_requested?
|
|
53
55
|
end
|