authlogic 3.4.6 → 3.5.0

data/lib/authlogic/session/password.rb

@@ -7,13 +7,13 @@ module Authlogic
           extend Config
           include InstanceMethods
           validate :validate_by_password, :if => :authenticating_with_password?
-          
+
           class << self
             attr_accessor :configured_password_methods
           end
         end
       end
-      
+
       # Password configuration
       module Config
         # Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and
@@ -23,8 +23,9 @@ module Authlogic
         # You can change what method UserSession calls by specifying it here. Then in your User model you can make that method do
         # anything you want, giving you complete control of how users are found by the UserSession.
         #
-        # Let's take an example: You want to allow users to login by username or email. Set this to the name of the class method
-        # that does this in the User model. Let's call it "find_by_username_or_email"
+        # Let's take an example: You want to allow users to login by username or email.
+        # Set this to the name of the class method that does this in the User model. Let's
+        # call it "find_by_username_or_email"
         #
         #   class User < ActiveRecord::Base
         #     def self.find_by_username_or_email(login)
@@ -32,8 +33,10 @@ module Authlogic
         #     end
         #   end
         #
-        # Now just specify the name of this method for this configuration option and you are all set. You can do anything you
-        # want here. Maybe you allow users to have multiple logins and you want to search a has_many relationship, etc. The sky is the limit.
+        # Now just specify the name of this method for this configuration option and you
+        # are all set. You can do anything you want here. Maybe you allow users to have
+        # multiple logins and you want to search a has_many relationship, etc. The sky is
+        # the limit.
         #
         # * <tt>Default:</tt> "find_by_smart_case_login_field"
         # * <tt>Accepts:</tt> Symbol or String
@@ -41,10 +44,11 @@ module Authlogic
           rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
         end
         alias_method :find_by_login_method=, :find_by_login_method
-        
-        # The text used to identify credentials (username/password) combination when a bad login attempt occurs.
-        # When you show error messages for a bad login, it's considered good security practice to hide which field
-        # the user has entered incorrectly (the login field or the password field). For a full explanation, see
+
+        # The text used to identify credentials (username/password) combination when a bad
+        # login attempt occurs. When you show error messages for a bad login, it's
+        # considered good security practice to hide which field the user has entered
+        # incorrectly (the login field or the password field). For a full explanation, see
         # http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
         #
         # Example of use:
@@ -56,9 +60,9 @@ module Authlogic
         #   This would make the error message for bad logins and bad passwords look identical:
         #
         #   Login/Password combination is not valid
-        #  
+        #
         #   Alternatively you may use a custom message:
-        # 
+        #
         #   class UserSession < AuthLogic::Session::Base
         #     generalize_credentials_error_messages "Your login information is invalid"
         #   end
@@ -71,18 +75,20 @@ module Authlogic
         #
         # If you are developing an app where security is an extreme priority (such as a financial application),
         # then you should enable this. Otherwise, leaving this off is fine.
-        # 
+        #
         # * <tt>Default</tt> false
         # * <tt>Accepts:</tt> Boolean
         def generalize_credentials_error_messages(value = nil)
           rw_config(:generalize_credentials_error_messages, value, false)
         end
         alias_method :generalize_credentials_error_messages=, :generalize_credentials_error_messages
-        
-        # The name of the method you want Authlogic to create for storing the login / username. Keep in mind this is just for your
-        # Authlogic::Session, if you want it can be something completely different than the field in your model. So if you wanted people to
-        # login with a field called "login" and then find users by email this is compeltely doable. See the find_by_login_method configuration
-        # option for more details.
+
+        # The name of the method you want Authlogic to create for storing the login /
+        # username. Keep in mind this is just for your Authlogic::Session, if you want it
+        # can be something completely different than the field in your model. So if you
+        # wanted people to login with a field called "login" and then find users by email
+        # this is completely doable. See the find_by_login_method configuration option for
+        # more details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -90,7 +96,7 @@ module Authlogic
           rw_config(:login_field, value, klass.login_field || klass.email_field)
         end
         alias_method :login_field=, :login_field
-        
+
         # Works exactly like login_field, but for the password instead. Returns :password if a login_field exists.
         #
         # * <tt>Default:</tt> :password
@@ -99,7 +105,7 @@ module Authlogic
           rw_config(:password_field, value, login_field && :password)
         end
         alias_method :password_field=, :password_field
-        
+
         # The name of the method in your model used to verify the password. This should be an instance method. It should also
         # be prepared to accept a raw password and a crytped password.
         #
@@ -110,7 +116,7 @@ module Authlogic
         end
         alias_method :verify_password_method=, :verify_password_method
       end
-      
+
       # Password related instance methods
       module InstanceMethods
         def initialize(*args)
@@ -120,7 +126,7 @@ module Authlogic
           end
           super
         end
-        
+
         # Returns the login_field / password_field credentials combination in hash form.
         def credentials
           if authenticating_with_password?
@@ -132,11 +138,12 @@ module Authlogic
             super
           end
         end
-        
+
         # Accepts the login_field / password_field credentials combination in hash form.
         def credentials=(value)
           super
-          values = value.is_a?(Array) ? value : [value]
+          values = parse_param_val(value) # add strong parameters check
+
           if values.first.is_a?(Hash)
             values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
               next if value.blank?
@@ -144,18 +151,19 @@ module Authlogic
             end
           end
         end
-        
+
         def invalid_password?
           invalid_password == true
         end
-        
+
         private
+
           def configure_password_methods
             if login_field
               self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
               self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
             end
-            
+
             if password_field
               self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
               self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
@@ -174,16 +182,19 @@ module Authlogic
           def authenticating_with_password?
             login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
           end
-          
+
           def validate_by_password
             self.invalid_password = false
-            
+
             # check for blank fields
-            errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank")) if send(login_field).blank?
-            errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank")) if send("protected_#{password_field}").blank?
+            if send(login_field).blank?
+              errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank"))
+            end
+            if send("protected_#{password_field}").blank?
+              errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank"))
+            end
             return if errors.count > 0
 
-            # check for unknown login
             self.attempted_record = search_for_record(find_by_login_method, send(login_field))
             if attempted_record.blank?
               generalize_credentials_error_messages? ?
@@ -201,19 +212,19 @@ module Authlogic
               return
             end
           end
-          
+
           attr_accessor :invalid_password
-          
+
           def find_by_login_method
             self.class.find_by_login_method
           end
-          
+
           def login_field
             self.class.login_field
           end
-          
+
           def add_general_credentials_error
-            error_message = 
+            error_message =
             if self.class.generalize_credentials_error_messages.is_a? String
               self.class.generalize_credentials_error_messages
             else
@@ -221,18 +232,29 @@ module Authlogic
             end
             errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
           end
-          
+
           def generalize_credentials_error_messages?
             self.class.generalize_credentials_error_messages
           end
-          
+
           def password_field
             self.class.password_field
           end
-          
+
           def verify_password_method
             self.class.verify_password_method
           end
+
+          # In Rails 5 the ActionController::Parameters no longer inherits from HashWithIndifferentAccess.
+          # See: http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#actioncontroller-parameters-no-longer-inherits-from-hashwithindifferentaccess
+          # This method converts the ActionController::Parameters to a Hash
+          def parse_param_val(value)
+            if value.first.class.name == "ActionController::Parameters"
+              [value.first.to_h]
+            else
+              value.is_a?(Array) ? value : [value]
+            end
+          end
       end
     end
   end

data/lib/authlogic/session/perishable_token.rb

@@ -8,11 +8,12 @@ module Authlogic
       def self.included(klass)
         klass.after_save :reset_perishable_token!
       end
-      
+
       private
+
         def reset_perishable_token!
           record.reset_perishable_token if record.respond_to?(:reset_perishable_token) && !record.disable_perishable_token_maintenance?
         end
     end
   end
-end
+end

data/lib/authlogic/session/persistence.rb

@@ -8,7 +8,7 @@ module Authlogic
           include InstanceMethods
         end
       end
-      
+
       module ClassMethods
         # This is how you persist a session. This finds the record for the current session using
         # a variety of methods. It basically tries to "log in" the user without the user having
@@ -34,7 +34,7 @@ module Authlogic
         #
         # See the id method for more information on ids.
         def find(id = nil, priority_record = nil)
-          session = new({:priority_record => priority_record}, id)
+          session = new({ :priority_record => priority_record }, id)
           session.priority_record = priority_record
           if session.persisting?
             session
@@ -43,7 +43,7 @@ module Authlogic
           end
         end
       end
-      
+
       module InstanceMethods
         # Let's you know if the session is being persisted or not, meaning the user does not have to explicitly log in
         # in order to be logged in. If the session has no associated record, it will try to find a record and persist

data/lib/authlogic/session/priority_record.rb

@@ -9,7 +9,7 @@ module Authlogic
           attr_accessor :priority_record
         end
       end
-      
+
       # Setting priority record if it is passed. The only way it can be passed is through an array:
       #
       #   session.credentials = [real_user_object, priority_user_object]
@@ -18,17 +18,18 @@ module Authlogic
         values = value.is_a?(Array) ? value : [value]
         self.priority_record = values[1] if values[1].class < ::ActiveRecord::Base
       end
-      
+
       private
+
         def attempted_record=(value)
           value = priority_record if value == priority_record
           super
         end
-        
+
         def save_record(alternate_record = nil)
           r = alternate_record || record
           super if r != priority_record
         end
     end
   end
-end
+end

data/lib/authlogic/session/scopes.rb

@@ -2,10 +2,13 @@ require 'request_store'
 
 module Authlogic
   module Session
-    # Authentication can be scoped, and it's easy, you just need to define how you want to scope everything. This should help you:
+    # Authentication can be scoped, and it's easy, you just need to define how you want to
+    # scope everything. This should help you:
     #
-    # 1. Want to scope by a parent object? Ex: An account has many users. Checkout Authlogic::AuthenticatesMany
-    # 2. Want to scope the validations in your model? Ex: 2 users can have the same login under different accounts. See Authlogic::ActsAsAuthentic::Scope
+    # 1. Want to scope by a parent object? Ex: An account has many users.
+    #    Checkout Authlogic::AuthenticatesMany
+    # 2. Want to scope the validations in your model? Ex: 2 users can have the same login
+    #    under different accounts. See Authlogic::ActsAsAuthentic::Scope
     module Scopes # :nodoc:
       def self.included(klass)
         klass.class_eval do
@@ -22,11 +25,15 @@ module Authlogic
           RequestStore.store[:authlogic_scope]
         end
 
-        # What with_scopes focuses on is scoping the query when finding the object and the name of the cookie / session. It works very similar to
-        # ActiveRecord::Base#with_scopes. It accepts a hash with any of the following options:
+        # What with_scopes focuses on is scoping the query when finding the object and the
+        # name of the cookie / session. It works very similar to
+        # ActiveRecord::Base#with_scopes. It accepts a hash with any of the following
+        # options:
         #
-        # * <tt>find_options:</tt> any options you can pass into ActiveRecord::Base.find. This is used when trying to find the record.
-        # * <tt>id:</tt> The id of the session, this gets merged with the real id. For information ids see the id method.
+        # * <tt>find_options:</tt> any options you can pass into ActiveRecord::Base.find.
+        #   This is used when trying to find the record.
+        # * <tt>id:</tt> The id of the session, this gets merged with the real id. For
+        #   information ids see the id method.
         #
         # Here is how you use it:
         #
@@ -34,7 +41,8 @@ module Authlogic
         #     UserSession.find
         #   end
         #
-        # Eseentially what the above does is scope the searching of the object with the sql you provided. So instead of:
+        # Essentially what the above does is scope the searching of the object with the
+        # sql you provided. So instead of:
         #
         #   User.where("login = 'ben'").first
         #
@@ -42,7 +50,8 @@ module Authlogic
         #
         #   User.where("login = 'ben' and account_id = 2").first
         #
-        # You will also notice the :id option. This works just like the id method. It scopes your cookies. So the name of your cookie will be:
+        # You will also notice the :id option. This works just like the id method. It
+        # scopes your cookies. So the name of your cookie will be:
         #
         #   account_2_user_credentials
         #
@@ -69,6 +78,7 @@ module Authlogic
         end
 
         private
+
           def scope=(value)
             RequestStore.store[:authlogic_scope] = value
           end
@@ -87,6 +97,7 @@ module Authlogic
         end
 
         private
+
           # Used for things like cookie_key, session_key, etc.
           def build_key(last_part)
             [scope[:id], super].compact.join("_")

data/lib/authlogic/session/session.rb

@@ -28,12 +28,14 @@ module Authlogic
       # Instance methods for the session feature.
       module InstanceMethods
         private
+
           # Tries to validate the session from information in the session
           def persist_by_session
             persistence_token, record_id = session_credentials
             if !persistence_token.nil?
-              # Allow finding by persistence token, because when records are created the session is maintained in a before_save, when there is no id.
-              # This is done for performance reasons and to save on queries.
+              # Allow finding by persistence token, because when records are created the
+              # session is maintained in a before_save, when there is no id. This is done
+              # for performance reasons and to save on queries.
               record = record_id.nil? ?
                 search_for_record("find_by_persistence_token", persistence_token.to_s) :
                 search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
@@ -45,7 +47,10 @@ module Authlogic
           end
 
           def session_credentials
-            [controller.session[session_key], controller.session["#{session_key}_#{klass.primary_key}"]].collect { |i| i.nil? ? i : i.to_s }.compact
+            [
+              controller.session[session_key],
+              controller.session["#{session_key}_#{klass.primary_key}"]
+            ].collect { |i| i.nil? ? i : i.to_s }.compact
           end
 
           def session_key
@@ -59,4 +64,4 @@ module Authlogic
       end
     end
   end
-end
+end

data/lib/authlogic/session/timeout.rb

@@ -1,7 +1,8 @@
 module Authlogic
   module Session
-    # Think about financial websites, if you are inactive for a certain period of time you will be asked to
-    # log back in on your next request. You can do this with Authlogic easily, there are 2 parts to this:
+    # Think about financial websites, if you are inactive for a certain period
+    # of time you will be asked to log back in on your next request. You can do
+    # this with Authlogic easily, there are 2 parts to this:
     #
     # 1. Define the timeout threshold:
     #
@@ -15,9 +16,10 @@ module Authlogic
     #     logout_on_timeout true # default if false
     #   end
     #
-    # This will require a user to log back in if they are inactive for more than 10 minutes. In order for
-    # this feature to be used you must have a last_request_at datetime column in your table for whatever model
-    # you are authenticating with.
+    # This will require a user to log back in if they are inactive for more than
+    # 10 minutes. In order for this feature to be used you must have a
+    # last_request_at datetime column in your table for whatever model you are
+    # authenticating with.
     module Timeout
       def self.included(klass)
         klass.class_eval do
@@ -28,22 +30,33 @@ module Authlogic
           attr_accessor :stale_record
         end
       end
-      
+
       # Configuration for the timeout feature.
       module Config
-        # With acts_as_authentic you get a :logged_in_timeout configuration option. If this is set, after this amount of time has passed the user
-        # will be marked as logged out. Obviously, since web based apps are on a per request basis, we have to define a time limit threshold that
-        # determines when we consider a user to be "logged out". Meaning, if they login and then leave the website, when do mark them as logged out?
-        # I recommend just using this as a fun feature on your website or reports, giving you a ballpark number of users logged in and active. This is
-        # not meant to be a dead accurate representation of a users logged in state, since there is really no real way to do this with web based apps.
-        # Think about a user that logs in and doesn't log out. There is no action that tells you that the user isn't technically still logged in and
-        # active.
+        # With acts_as_authentic you get a :logged_in_timeout configuration
+        # option. If this is set, after this amount of time has passed the user
+        # will be marked as logged out. Obviously, since web based apps are on a
+        # per request basis, we have to define a time limit threshold that
+        # determines when we consider a user to be "logged out". Meaning, if
+        # they login and then leave the website, when do mark them as logged
+        # out? I recommend just using this as a fun feature on your website or
+        # reports, giving you a ballpark number of users logged in and active.
+        # This is not meant to be a dead accurate representation of a users
+        # logged in state, since there is really no real way to do this with web
+        # based apps. Think about a user that logs in and doesn't log out. There
+        # is no action that tells you that the user isn't technically still
+        # logged in and active.
         #
-        # That being said, you can use that feature to require a new login if their session timesout. Similar to how financial sites work. Just set this option to
-        # true and if your record returns true for stale? then they will be required to log back in.
+        # That being said, you can use that feature to require a new login if
+        # their session times out. Similar to how financial sites work. Just set
+        # this option to true and if your record returns true for stale? then
+        # they will be required to log back in.
         #
-        # Lastly, UserSession.find will still return a object is the session is stale, but you will not get a record. This allows you to determine if the
-        # user needs to log back in because their session went stale, or because they just aren't logged in. Just call current_user_session.stale? as your flag.
+        # Lastly, UserSession.find will still return a object is the session is
+        # stale, but you will not get a record. This allows you to determine if
+        # the user needs to log back in because their session went stale, or
+        # because they just aren't logged in. Just call
+        # current_user_session.stale? as your flag.
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -52,11 +65,14 @@ module Authlogic
         end
         alias_method :logout_on_timeout=, :logout_on_timeout
       end
-      
+
       # Instance methods for the timeout feature.
       module InstanceMethods
-        # Tells you if the record is stale or not. Meaning the record has timed out. This will only return true if you set logout_on_timeout to true in your configuration.
-        # Basically how a bank website works. If you aren't active over a certain period of time your session becomes stale and requires you to log back in.
+        # Tells you if the record is stale or not. Meaning the record has timed
+        # out. This will only return true if you set logout_on_timeout to true
+        # in your configuration. Basically how a bank website works. If you
+        # aren't active over a certain period of time your session becomes stale
+        # and requires you to log back in.
         def stale?
           if remember_me?
             remember_me_expired?
@@ -64,19 +80,20 @@ module Authlogic
             !stale_record.nil? || (logout_on_timeout? && record && record.logged_out?)
           end
         end
-    
+
         private
+
           def reset_stale_state
             self.stale_record = nil
           end
-          
+
           def enforce_timeout
             if stale?
               self.stale_record = record
               self.record = nil
             end
           end
-          
+
           def logout_on_timeout?
             self.class.logout_on_timeout == true
           end