authlogic 3.4.6 → 3.5.0

data/lib/authlogic/i18n/translator.rb

@@ -1,7 +1,7 @@
 module Authlogic
   module I18n
     class Translator
-      # If the I18n gem is present, calls +I18n.translate+ passing all 
+      # If the I18n gem is present, calls +I18n.translate+ passing all
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)

data/lib/authlogic/random.rb

@@ -1,33 +1,34 @@
 module Authlogic
-  # Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
-  # So if you are using this in a rails app you should have this library.
+  # Handles generating random strings. If SecureRandom is installed it will default to
+  # this and use it instead. SecureRandom comes with ActiveSupport. So if you are using
+  # this in a rails app you should have this library.
   module Random
     extend self
-    
-    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
-    
+
+    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) ||
+      (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
+
     if SecureRandom
       def hex_token
         SecureRandom.hex(64)
       end
-      
+
       def friendly_token
         # use base64url as defined by RFC4648
         SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
       end
     else
       def hex_token
-        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect { rand.to_s }.join)
       end
-      
+
       FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
-      
+
       def friendly_token
         newpass = ""
-        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
+        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size - 1)] }
         newpass
       end
     end
-    
   end
-end
+end

data/lib/authlogic/regex.rb

@@ -1,4 +1,4 @@
-#encoding: utf-8
+# encoding: utf-8
 module Authlogic
   # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
   # them out into their own module is to make them easily available to you for other uses. Ex:
@@ -38,10 +38,10 @@ module Authlogic
       end
     end
 
-    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
+    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@+. Just a standard login / username
     # regular expression.
     def self.login
-      /\A\w[\w\.+\-_@ ]+\z/
+      /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
     end
   end
 end

data/lib/authlogic/session/activation.rb

@@ -11,14 +11,14 @@ module Authlogic
           super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
         end
       end
-      
+
       def self.included(klass)
         klass.class_eval do
           extend ClassMethods
           include InstanceMethods
         end
       end
-      
+
       module ClassMethods
         # Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
         # Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
@@ -27,7 +27,7 @@ module Authlogic
         def activated?
           !controller.nil?
         end
-        
+
         # This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
         # between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
         # extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
@@ -36,21 +36,22 @@ module Authlogic
         def controller=(value)
           RequestStore.store[:authlogic_controller] = value
         end
-        
+
         # The current controller object
         def controller
           RequestStore.store[:authlogic_controller]
         end
       end
-      
+
       module InstanceMethods
         # Making sure we are activated before we start creating objects
         def initialize(*args)
           raise NotActivatedError.new(self) unless self.class.activated?
           super
         end
-        
+
         private
+
           def controller
             self.class.controller
           end

data/lib/authlogic/session/active_record_trickery.rb

@@ -25,13 +25,12 @@ module Authlogic
         #
         #   authlogic.models.user_session
         def human_name(*args)
-          I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
+          I18n.t("models.#{name.underscore}", { :count => 1, :default => name.humanize })
         end
 
         def i18n_scope
           I18n.scope
         end
-
       end
 
       module InstanceMethods

data/lib/authlogic/session/base.rb

@@ -1,25 +1,26 @@
 module Authlogic
   module Session # :nodoc:
-    # This is the base class Authlogic, where all modules are included. For information on functiionality see the various
+    # This is the base class Authlogic, where all modules are included. For information on functionality see the various
     # sub modules.
     class Base
       include Foundation
       include Callbacks
-      
+
       # Included first so that the session resets itself to nil
       include Timeout
-      
+
       # Included in a specific order so they are tried in this order when persisting
       include Params
       include Cookies
       include Session
       include HttpAuth
-      
+
       # Included in a specific order so magic states gets ran after a record is found
+      # TODO: What does "magic states gets ran" mean? Be specific.
       include Password
       include UnauthorizedRecord
       include MagicStates
-      
+
       include Activation
       include ActiveRecordTrickery
       include BruteForceProtection
@@ -34,4 +35,4 @@ module Authlogic
       include PriorityRecord
     end
   end
-end
+end

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,15 +1,21 @@
 module Authlogic
   module Session
-    # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
-    # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
-    # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
-    # and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
-    # and it would take MUCH longer.
+    # A brute force attacks is executed by hammering a login with as many password
+    # combinations as possible, until one works. A brute force attacked is generally
+    # combated with a slow hashing algorithm such as BCrypt. You can increase the cost,
+    # which makes the hash generation slower, and ultimately increases the time it takes
+    # to execute a brute force attack. Just to put this into perspective, if a hacker was
+    # to gain access to your server and execute a brute force attack locally, meaning
+    # there is no network lag, it would probably take decades to complete. Now throw in
+    # network lag and it would take MUCH longer.
     #
-    # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
-    # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
-    # after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
-    # If you wish to lower this number just set the configuration to a lower number:
+    # But for those that are extra paranoid and can't get enough protection, why not stop
+    # them as soon as you realize something isn't right? That's what this module is all
+    # about. By default the consecutive_failed_logins_limit configuration option is set to
+    # 50, if someone consecutively fails to login after 50 attempts their account will be
+    # suspended. This is a very liberal number and at this point it should be obvious that
+    # something is not right. If you wish to lower this number just set the configuration
+    # to a lower number:
     #
     #   class UserSession < Authlogic::Session::Base
     #     consecutive_failed_logins_limit 10
@@ -23,16 +29,22 @@ module Authlogic
           validate :validate_failed_logins, :if => :being_brute_force_protected?
         end
       end
-      
+
       # Configuration for the brute force protection feature.
       module Config
-        # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
-        # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
+        # To help protect from brute force attacks you can set a limit on the
+        # allowed number of consecutive failed logins. By default this is 50,
+        # this is a very liberal number, and if someone fails to login after 50
+        # tries it should be pretty obvious that it's a machine trying to login
+        # in and very likely a brute force attack.
         #
-        # In order to enable this field your model MUST have a failed_login_count (integer) field.
+        # In order to enable this field your model MUST have a
+        # failed_login_count (integer) field.
         #
-        # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
-        # in possibly millions of attempts to log into an account.
+        # If you don't know what a brute force attack is, it's when a machine
+        # tries to login into a system using every combination of character
+        # possible. Thus resulting in possibly millions of attempts to log into
+        # an account.
         #
         # * <tt>Default:</tt> 50
         # * <tt>Accepts:</tt> Integer, set to 0 to disable
@@ -40,8 +52,9 @@ module Authlogic
           rw_config(:consecutive_failed_logins_limit, value, 50)
         end
         alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
-        
-        # Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
+
+        # Once the failed logins limit has been exceed, how long do you want to
+        # ban the user? This can be a temporary or permanent ban.
         #
         # * <tt>Default:</tt> 2.hours
         # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
@@ -50,47 +63,58 @@ module Authlogic
         end
         alias_method :failed_login_ban_for=, :failed_login_ban_for
       end
-      
-      # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
+
+      # The methods available for an Authlogic::Session::Base object that make
+      # up the brute force protection feature.
       module InstanceMethods
-        # Returns true when the consecutive_failed_logins_limit has been exceeded and is being temporarily banned.
-        # Notice the word temporary, the user will not be permanently banned unless you choose to do so with configuration.
-        # By default they will be banned for 2 hours. During that 2 hour period this method will return true.
+        # Returns true when the consecutive_failed_logins_limit has been
+        # exceeded and is being temporarily banned. Notice the word temporary,
+        # the user will not be permanently banned unless you choose to do so
+        # with configuration. By default they will be banned for 2 hours. During
+        # that 2 hour period this method will return true.
         def being_brute_force_protected?
           exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
             (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
         end
-        
+
         private
+
           def exceeded_failed_logins_limit?
             !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
               attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
           end
-          
+
           def reset_failed_login_count?
             exceeded_failed_logins_limit? && !being_brute_force_protected?
           end
-          
+
           def reset_failed_login_count
             attempted_record.failed_login_count = 0
           end
-        
+
           def validate_failed_logins
-            errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
-            errors.add(:base, I18n.t(
-              'error_messages.consecutive_failed_logins_limit_exceeded', 
-              :default => "Consecutive failed logins limit exceeded, account has been" + (failed_login_ban_for == 0 ? "" : " temporarily") + " disabled."
-            ))
+            # Clear all other error messages, as they are irrelevant at this point and can
+            # only provide additional information that is not needed
+            errors.clear
+            errors.add(
+              :base,
+              I18n.t(
+                'error_messages.consecutive_failed_logins_limit_exceeded',
+                :default => "Consecutive failed logins limit exceeded, account has been" +
+                  (failed_login_ban_for == 0 ? "" : " temporarily") +
+                  " disabled."
+              )
+            )
           end
-          
+
           def consecutive_failed_logins_limit
             self.class.consecutive_failed_logins_limit
           end
-          
+
           def failed_login_ban_for
             self.class.failed_login_ban_for
           end
       end
     end
   end
-end
+end

data/lib/authlogic/session/callbacks.rb

@@ -1,6 +1,6 @@
 module Authlogic
   module Session
-    # Between these callsbacks and the configuration, this is the contract between me and you to safely
+    # Between these callbacks and the configuration, this is the contract between me and you to safely
     # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
     #
     # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
@@ -15,7 +15,7 @@ module Authlogic
     #   persist
     #   after_persisting
     #   [save record if record.changed?]
-    #   
+    #
     #   before_validation
     #   before_validation_on_create
     #   before_validation_on_update
@@ -24,7 +24,7 @@ module Authlogic
     #   after_validation_on_create
     #   after_validation
     #   [save record if record.changed?]
-    #   
+    #
     #   before_save
     #   before_create
     #   before_update
@@ -32,7 +32,7 @@ module Authlogic
     #   after_create
     #   after_save
     #   [save record if record.changed?]
-    #   
+    #
     #   before_destroy
     #   [save record if record.changed?]
     #   destroy
@@ -60,15 +60,18 @@ module Authlogic
         "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
         "before_destroy", "after_destroy"
       ]
-      
+
       def self.included(base) #:nodoc:
         base.send :include, ActiveSupport::Callbacks
-        if ActiveSupport::VERSION::STRING >= '4.1'
-          base.define_callbacks *METHODS + [{:terminator => ->(target, result){ result == false } }]
-          base.define_callbacks *['persist', {:terminator => ->(target, result){ result == true } }]
+        if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('5')
+          base.define_callbacks *METHODS + [{ :terminator => ->(target, result_lambda) { result_lambda.call == false } }]
+          base.define_callbacks *['persist', { :terminator => ->(target, result_lambda) { result_lambda.call == true } }]
+        elsif Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('4.1')
+          base.define_callbacks *METHODS + [{ :terminator => ->(target, result) { result == false } }]
+          base.define_callbacks *['persist', { :terminator => ->(target, result) { result == true } }]
         else
-          base.define_callbacks *METHODS + [{:terminator => 'result == false'}]
-          base.define_callbacks *['persist', {:terminator => 'result == true'}]
+          base.define_callbacks *METHODS + [{ :terminator => 'result == false' }]
+          base.define_callbacks *['persist', { :terminator => 'result == true' }]
         end
 
         # If Rails 3, support the new callback syntax
@@ -82,8 +85,9 @@ module Authlogic
           end
         end
       end
-      
+
       private
+
         METHODS.each do |method|
           class_eval <<-"end_eval", __FILE__, __LINE__
             def #{method}
@@ -91,7 +95,7 @@ module Authlogic
             end
           end_eval
         end
-        
+
         def save_record(alternate_record = nil)
           r = alternate_record || record
           r.save_without_session_maintenance(:validate => false) if r && r.changed? && !r.readonly?

data/lib/authlogic/session/cookies.rb

@@ -1,6 +1,7 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with cookies, such as persisting, saving, and destroying.
+    # Handles all authentication that deals with cookies, such as persisting,
+    # saving, and destroying.
     module Cookies
       def self.included(klass)
         klass.class_eval do
@@ -14,8 +15,10 @@ module Authlogic
 
       # Configuration for the cookie feature set.
       module Config
-        # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
-        # Also, if a id is set it will be inserted into the beginning of the string. Exmaple:
+        # The name of the cookie or the key in the cookies hash. Be sure and use
+        # a unique name. If you have multiple sessions and they use the same
+        # cookie it will cause problems. Also, if a id is set it will be
+        # inserted into the beginning of the string. Example:
         #
         #   session = UserSession.new
         #   session.cookie_key => "user_credentials"
@@ -48,7 +51,8 @@ module Authlogic
         end
         alias_method :remember_me_for=, :remember_me_for
 
-        # Should the cookie be set as secure?  If true, the cookie will only be sent over SSL connections
+        # Should the cookie be set as secure?  If true, the cookie will only be sent over
+        # SSL connections
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -57,7 +61,8 @@ module Authlogic
         end
         alias_method :secure=, :secure
 
-        # Should the cookie be set as httponly?  If true, the cookie will not be accessable from javascript
+        # Should the cookie be set as httponly?  If true, the cookie will not be
+        # accessible from javascript
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -66,7 +71,8 @@ module Authlogic
         end
         alias_method :httponly=, :httponly
 
-        # Should the cookie be signed? If the controller adapter supports it, this is a measure against cookie tampering.
+        # Should the cookie be signed? If the controller adapter supports it, this is a
+        # measure against cookie tampering.
         def sign_cookie(value = nil)
           if value && !controller.cookies.respond_to?(:signed)
             raise "Signed cookies not supported with #{controller.class}!"
@@ -76,7 +82,8 @@ module Authlogic
         alias_method :sign_cookie=, :sign_cookie
       end
 
-      # The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
+      # The methods available for an Authlogic::Session::Base object that make up the
+      # cookie feature set.
       module InstanceMethods
         # Allows you to set the remember_me option when passing credentials.
         def credentials=(value)
@@ -97,7 +104,9 @@ module Authlogic
           @remember_me = self.class.remember_me
         end
 
-        # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
+        # Accepts a boolean as a flag to remember the session or not. Basically
+        # to expire the cookie at the end of the session or keep it for
+        # "remember_me_until".
         def remember_me=(value)
           @remember_me = value
         end
@@ -107,13 +116,15 @@ module Authlogic
           remember_me == true || remember_me == "true" || remember_me == "1"
         end
 
-        # How long to remember the user if remember_me is true. This is based on the class level configuration: remember_me_for
+        # How long to remember the user if remember_me is true. This is based on the class
+        # level configuration: remember_me_for
         def remember_me_for
           return unless remember_me?
           self.class.remember_me_for
         end
 
-        # When to expire the cookie. See remember_me_for configuration option to change this.
+        # When to expire the cookie. See remember_me_for configuration option to change
+        # this.
         def remember_me_until
           return unless remember_me?
           remember_me_for.from_now
@@ -131,7 +142,8 @@ module Authlogic
           @secure = self.class.secure
         end
 
-        # Accepts a boolean as to whether the cookie should be marked as secure.  If true the cookie will only ever be sent over an SSL connection.
+        # Accepts a boolean as to whether the cookie should be marked as secure.  If true
+        # the cookie will only ever be sent over an SSL connection.
         def secure=(value)
           @secure = value
         end
@@ -141,13 +153,14 @@ module Authlogic
           secure == true || secure == "true" || secure == "1"
         end
 
-        # If the cookie should be marked as httponly (not accessable via javascript)
+        # If the cookie should be marked as httponly (not accessible via javascript)
         def httponly
           return @httponly if defined?(@httponly)
           @httponly = self.class.httponly
         end
 
-        # Accepts a boolean as to whether the cookie should be marked as httponly.  If true, the cookie will not be accessable from javascript
+        # Accepts a boolean as to whether the cookie should be marked as
+        # httponly.  If true, the cookie will not be accessible from javascript
         def httponly=(value)
           @httponly = value
         end
@@ -163,7 +176,8 @@ module Authlogic
           @sign_cookie = self.class.sign_cookie
         end
 
-        # Accepts a boolean as to whether the cookie should be signed.  If true the cookie will be saved and verified using a signature.
+        # Accepts a boolean as to whether the cookie should be signed.  If true
+        # the cookie will be saved and verified using a signature.
         def sign_cookie=(value)
           @sign_cookie = value
         end
@@ -174,6 +188,7 @@ module Authlogic
         end
 
         private
+
           def cookie_key
             build_key(self.class.cookie_key)
           end