authlogic 3.4.6 → 4.2.0

data/lib/authlogic/session/cookies.rb

@@ -1,7 +1,10 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with cookies, such as persisting, saving, and destroying.
+    # Handles all authentication that deals with cookies, such as persisting,
+    # saving, and destroying.
     module Cookies
+      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict"].freeze
+
       def self.included(klass)
         klass.class_eval do
           extend Config
@@ -14,8 +17,10 @@ module Authlogic
 
       # Configuration for the cookie feature set.
       module Config
-        # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
-        # Also, if a id is set it will be inserted into the beginning of the string. Exmaple:
+        # The name of the cookie or the key in the cookies hash. Be sure and use
+        # a unique name. If you have multiple sessions and they use the same
+        # cookie it will cause problems. Also, if a id is set it will be
+        # inserted into the beginning of the string. Example:
         #
         #   session = UserSession.new
         #   session.cookie_key => "user_credentials"
@@ -48,25 +53,42 @@ module Authlogic
         end
         alias_method :remember_me_for=, :remember_me_for
 
-        # Should the cookie be set as secure?  If true, the cookie will only be sent over SSL connections
+        # Should the cookie be set as secure?  If true, the cookie will only be sent over
+        # SSL connections
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def secure(value = nil)
-          rw_config(:secure, value, false)
+          rw_config(:secure, value, true)
         end
         alias_method :secure=, :secure
 
-        # Should the cookie be set as httponly?  If true, the cookie will not be accessable from javascript
+        # Should the cookie be set as httponly?  If true, the cookie will not be
+        # accessible from javascript
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def httponly(value = nil)
-          rw_config(:httponly, value, false)
+          rw_config(:httponly, value, true)
         end
         alias_method :httponly=, :httponly
 
-        # Should the cookie be signed? If the controller adapter supports it, this is a measure against cookie tampering.
+        # Should the cookie be prevented from being send along with cross-site
+        # requests?
+        #
+        # * <tt>Default:</tt> nil
+        # * <tt>Accepts:</tt> String, one of nil, 'Lax' or 'Strict'
+        def same_site(value = nil)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          rw_config(:same_site, value)
+        end
+        alias_method :same_site=, :same_site
+
+        # Should the cookie be signed? If the controller adapter supports it, this is a
+        # measure against cookie tampering.
         def sign_cookie(value = nil)
           if value && !controller.cookies.respond_to?(:signed)
             raise "Signed cookies not supported with #{controller.class}!"
@@ -76,7 +98,8 @@ module Authlogic
         alias_method :sign_cookie=, :sign_cookie
       end
 
-      # The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
+      # The methods available for an Authlogic::Session::Base object that make up the
+      # cookie feature set.
       module InstanceMethods
         # Allows you to set the remember_me option when passing credentials.
         def credentials=(value)
@@ -84,10 +107,12 @@ module Authlogic
           values = value.is_a?(Array) ? value : [value]
           case values.first
           when Hash
-            self.remember_me = values.first.with_indifferent_access[:remember_me] if values.first.with_indifferent_access.key?(:remember_me)
+            if values.first.with_indifferent_access.key?(:remember_me)
+              self.remember_me = values.first.with_indifferent_access[:remember_me]
+            end
           else
-            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
-            self.remember_me = r if !r.nil?
+            r = values.find { |val| val.is_a?(TrueClass) || val.is_a?(FalseClass) }
+            self.remember_me = r unless r.nil?
           end
         end
 
@@ -97,7 +122,9 @@ module Authlogic
           @remember_me = self.class.remember_me
         end
 
-        # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
+        # Accepts a boolean as a flag to remember the session or not. Basically
+        # to expire the cookie at the end of the session or keep it for
+        # "remember_me_until".
         def remember_me=(value)
           @remember_me = value
         end
@@ -107,13 +134,15 @@ module Authlogic
           remember_me == true || remember_me == "true" || remember_me == "1"
         end
 
-        # How long to remember the user if remember_me is true. This is based on the class level configuration: remember_me_for
+        # How long to remember the user if remember_me is true. This is based on the class
+        # level configuration: remember_me_for
         def remember_me_for
           return unless remember_me?
           self.class.remember_me_for
         end
 
-        # When to expire the cookie. See remember_me_for configuration option to change this.
+        # When to expire the cookie. See remember_me_for configuration option to change
+        # this.
         def remember_me_until
           return unless remember_me?
           remember_me_for.from_now
@@ -131,7 +160,8 @@ module Authlogic
           @secure = self.class.secure
         end
 
-        # Accepts a boolean as to whether the cookie should be marked as secure.  If true the cookie will only ever be sent over an SSL connection.
+        # Accepts a boolean as to whether the cookie should be marked as secure.  If true
+        # the cookie will only ever be sent over an SSL connection.
         def secure=(value)
           @secure = value
         end
@@ -141,13 +171,14 @@ module Authlogic
           secure == true || secure == "true" || secure == "1"
         end
 
-        # If the cookie should be marked as httponly (not accessable via javascript)
+        # If the cookie should be marked as httponly (not accessible via javascript)
         def httponly
           return @httponly if defined?(@httponly)
           @httponly = self.class.httponly
         end
 
-        # Accepts a boolean as to whether the cookie should be marked as httponly.  If true, the cookie will not be accessable from javascript
+        # Accepts a boolean as to whether the cookie should be marked as
+        # httponly.  If true, the cookie will not be accessible from javascript
         def httponly=(value)
           @httponly = value
         end
@@ -157,13 +188,29 @@ module Authlogic
           httponly == true || httponly == "true" || httponly == "1"
         end
 
+        # If the cookie should be marked as SameSite with 'Lax' or 'Strict' flag.
+        def same_site
+          return @same_site if defined?(@same_site)
+          @same_site = self.class.same_site(nil)
+        end
+
+        # Accepts nil, 'Lax' or 'Strict' as possible flags.
+        def same_site=(value)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          @same_site = value
+        end
+
         # If the cookie should be signed
         def sign_cookie
           return @sign_cookie if defined?(@sign_cookie)
           @sign_cookie = self.class.sign_cookie
         end
 
-        # Accepts a boolean as to whether the cookie should be signed.  If true the cookie will be saved and verified using a signature.
+        # Accepts a boolean as to whether the cookie should be signed.  If true
+        # the cookie will be saved and verified using a signature.
         def sign_cookie=(value)
           @sign_cookie = value
         end
@@ -174,53 +221,75 @@ module Authlogic
         end
 
         private
-          def cookie_key
-            build_key(self.class.cookie_key)
-          end
 
-          def cookie_credentials
-            if self.class.sign_cookie
-              cookie = controller.cookies.signed[cookie_key]
-            else
-              cookie = controller.cookies[cookie_key]
-            end
-            cookie && cookie.split("::")
-          end
+        def cookie_key
+          build_key(self.class.cookie_key)
+        end
 
-          # Tries to validate the session from information in the cookie
-          def persist_by_cookie
-            persistence_token, record_id = cookie_credentials
-            if persistence_token.present?
-              record = search_for_record("find_by_#{klass.primary_key}", record_id)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
-              valid?
-            else
-              false
-            end
+        # Returns an array of cookie elements. See cookie format in
+        # `generate_cookie_for_saving`. If no cookie is found, returns nil.
+        def cookie_credentials
+          cookie = cookie_jar[cookie_key]
+          cookie && cookie.split("::")
+        end
+
+        # The third element of the cookie indicates whether the user wanted
+        # to be remembered (Actually, it's a timestamp, `remember_me_until`)
+        # See cookie format in `generate_cookie_for_saving`.
+        def cookie_credentials_remember_me?
+          !cookie_credentials.nil? && !cookie_credentials[2].nil?
+        end
+
+        def cookie_jar
+          if self.class.sign_cookie
+            controller.cookies.signed
+          else
+            controller.cookies
           end
+        end
 
-          def save_cookie
-            if sign_cookie?
-              controller.cookies.signed[cookie_key] = generate_cookie_for_saving
-            else
-              controller.cookies[cookie_key] = generate_cookie_for_saving
+        # Tries to validate the session from information in the cookie
+        def persist_by_cookie
+          persistence_token, record_id = cookie_credentials
+          if persistence_token.present?
+            record = search_for_record("find_by_#{klass.primary_key}", record_id)
+            if record && record.persistence_token == persistence_token
+              self.unauthorized_record = record
             end
+            valid?
+          else
+            false
           end
+        end
 
-          def generate_cookie_for_saving
-            remember_me_until_value = "::#{remember_me_until.iso8601}" if remember_me?
-            {
-              :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}#{remember_me_until_value}",
-              :expires => remember_me_until,
-              :secure => secure,
-              :httponly => httponly,
-              :domain => controller.cookie_domain
-            }
+        def save_cookie
+          if sign_cookie?
+            controller.cookies.signed[cookie_key] = generate_cookie_for_saving
+          else
+            controller.cookies[cookie_key] = generate_cookie_for_saving
           end
+        end
 
-          def destroy_cookie
-            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
-          end
+        def generate_cookie_for_saving
+          value = format(
+            "%s::%s%s",
+            record.persistence_token,
+            record.send(record.class.primary_key),
+            remember_me? ? "::#{remember_me_until.iso8601}" : ""
+          )
+          {
+            value: value,
+            expires: remember_me_until,
+            secure: secure,
+            httponly: httponly,
+            same_site: same_site,
+            domain: controller.cookie_domain
+          }
+        end
+
+        def destroy_cookie
+          controller.cookies.delete cookie_key, domain: controller.cookie_domain
+        end
       end
     end
   end

data/lib/authlogic/session/existence.rb

@@ -1,13 +1,19 @@
 module Authlogic
   module Session
-    # Provides methods to create and destroy objects. Basically controls their "existence".
+    # Provides methods to create and destroy objects. Basically controls their
+    # "existence".
     module Existence
       class SessionInvalidError < ::StandardError # :nodoc:
         def initialize(session)
-          super("Your session is invalid and has the following errors: #{session.errors.full_messages.to_sentence}")
+          message = I18n.t(
+            "error_messages.session_invalid",
+            default: "Your session is invalid and has the following errors:"
+          )
+          message += " #{session.errors.full_messages.to_sentence}"
+          super message
         end
       end
-      
+
       def self.included(klass)
         klass.class_eval do
           extend ClassMethods
@@ -15,9 +21,9 @@ module Authlogic
           attr_accessor :new_session, :record
         end
       end
-      
+
       module ClassMethods
-        # A convenince method. The same as:
+        # A convenience method. The same as:
         #
         #   session = UserSession.new(*args)
         #   session.save
@@ -30,7 +36,7 @@ module Authlogic
           session.save(&block)
           session
         end
-        
+
         # Same as create but calls create!, which raises an exception when validation fails.
         def create!(*args)
           session = new(*args)
@@ -38,10 +44,11 @@ module Authlogic
           session
         end
       end
-      
+
       module InstanceMethods
-        # Clears all errors and the associated record, you should call this terminate a session, thus requring
-        # the user to authenticate again if it is needed.
+        # Clears all errors and the associated record, you should call this
+        # terminate a session, thus requiring the user to authenticate again if
+        # it is needed.
         def destroy
           before_destroy
           save_record
@@ -50,17 +57,19 @@ module Authlogic
           after_destroy
           true
         end
-        
-        # Returns true if the session is new, meaning no action has been taken on it and a successful save
-        # has not taken place.
+
+        # Returns true if the session is new, meaning no action has been taken
+        # on it and a successful save has not taken place.
         def new_session?
           new_session != false
         end
-        
-        # After you have specified all of the details for your session you can try to save it. This will
-        # run validation checks and find the associated record, if all validation passes. If validation
-        # does not pass, the save will fail and the erorrs will be stored in the errors object.
-        def save(&block)
+
+        # After you have specified all of the details for your session you can
+        # try to save it. This will run validation checks and find the
+        # associated record, if all validation passes. If validation does not
+        # pass, the save will fail and the errors will be stored in the errors
+        # object.
+        def save
           result = nil
           if valid?
             self.record = attempted_record
@@ -81,7 +90,8 @@ module Authlogic
           result
         end
 
-        # Same as save but raises an exception of validation errors when validation fails
+        # Same as save but raises an exception of validation errors when
+        # validation fails
         def save!
           result = save
           raise SessionInvalidError.new(self) unless result
@@ -90,4 +100,4 @@ module Authlogic
       end
     end
   end
-end
+end

data/lib/authlogic/session/foundation.rb

@@ -1,8 +1,8 @@
 module Authlogic
   module Session
-    # Sort of like an interface, it sets the foundation for the class, such as the required methods. This also allows
-    # other modules to overwrite methods and call super on them. It's also a place to put "utility" methods used
-    # throughout Authlogic.
+    # Sort of like an interface, it sets the foundation for the class, such as the
+    # required methods. This also allows other modules to overwrite methods and call super
+    # on them. It's also a place to put "utility" methods used throughout Authlogic.
     module Foundation
       def self.included(klass)
         klass.class_eval do
@@ -12,39 +12,93 @@ module Authlogic
       end
 
       module InstanceMethods
+        E_AC_PARAMETERS = <<-EOS.strip_heredoc.freeze
+          Passing an ActionController::Parameters to Authlogic is not allowed.
+
+          In Authlogic 3, especially during the transition of rails to Strong
+          Parameters, it was common for Authlogic users to forget to `permit`
+          their params. They would pass their params into Authlogic, we'd call
+          `to_h`, and they'd be surprised when authentication failed.
+
+          In 2018, people are still making this mistake. We'd like to help them
+          and make authlogic a little simpler at the same time, so in Authlogic
+          3.7.0, we deprecated the use of ActionController::Parameters. Instead,
+          pass a plain Hash. Please replace:
+
+              UserSession.new(user_session_params)
+              UserSession.create(user_session_params)
+
+          with
+
+              UserSession.new(user_session_params.to_h)
+              UserSession.create(user_session_params.to_h)
+
+          And don't forget to `permit`!
+
+          We discussed this issue thoroughly between late 2016 and early
+          2018. Notable discussions include:
+
+          - https://github.com/binarylogic/authlogic/issues/512
+          - https://github.com/binarylogic/authlogic/pull/558
+          - https://github.com/binarylogic/authlogic/pull/577
+        EOS
+
         def initialize(*args)
           self.credentials = args
         end
 
-        # The credentials you passed to create your session. See credentials= for more info.
+        # The credentials you passed to create your session. See credentials= for more
+        # info.
         def credentials
           []
         end
 
-        # Set your credentials before you save your session. You can pass a hash of credentials:
+        # Set your credentials before you save your session. There are many
+        # method signatures.
         #
-        #   session.credentials = {:login => "my login", :password => "my password", :remember_me => true}
+        # ```
+        # # A hash of credentials is most common
+        # session.credentials = { login: "foo", password: "bar", remember_me: true }
         #
-        # or you can pass an array of objects:
+        # # You must pass an actual Hash, `ActionController::Parameters` is
+        # # specifically not allowed.
         #
-        #   session.credentials = [my_user_object, true]
+        # # You can pass an array of objects:
+        # session.credentials = [my_user_object, true]
         #
-        # and if you need to set an id, just pass it last. This value need be the last item in the array you pass, since the id is something that
-        # you control yourself, it should never be set from a hash or a form. Examples:
+        # # If you need to set an id (see `Authlogic::Session::Id`) pass it
+        # # last. It needs be the last item in the array you pass, since the id
+        # # is something that you control yourself, it should never be set from
+        # # a hash or a form. Examples:
+        # session.credentials = [
+        #   {:login => "foo", :password => "bar", :remember_me => true},
+        #   :my_id
+        # ]
+        # session.credentials = [my_user_object, true, :my_id]
         #
-        #   session.credentials = [{:login => "my login", :password => "my password", :remember_me => true}, :my_id]
-        #   session.credentials = [my_user_object, true, :my_id]
+        # # Finally, there's priority_record
+        # [{ priority_record: my_object }, :my_id]
+        # ```
         def credentials=(values)
+          normalized = Array.wrap(values)
+          if normalized.first.class.name == "ActionController::Parameters"
+            raise TypeError.new(E_AC_PARAMETERS)
+          end
         end
 
         def inspect
-          "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
+          format(
+            "#<%s: %s>",
+            self.class.name,
+            credentials.blank? ? "no credentials provided" : credentials.inspect
+          )
         end
 
         private
-          def build_key(last_part)
-            last_part
-          end
+
+        def build_key(last_part)
+          last_part
+        end
       end
     end
   end