authlogic 3.4.6 → 4.2.0

data/lib/authlogic/session/params.rb

@@ -1,15 +1,19 @@
 module Authlogic
   module Session
-    # This module is responsible for authenticating the user via params, which ultimately allows the user to log in using a URL like the following:
+    # This module is responsible for authenticating the user via params, which ultimately
+    # allows the user to log in using a URL like the following:
     #
     #   https://www.domain.com?user_credentials=4LiXF7FiGUppIPubBPey
     #
-    # Notice the token in the URL, this is a single access token. A single access token is used for single access only, it is not persisted. Meaning the user
-    # provides it, Authlogic grants them access, and that's it. If they want access again they need to provide the token again. Authlogic will
-    # *NEVER* try to persist the session after authenticating through this method.
+    # Notice the token in the URL, this is a single access token. A single access token is
+    # used for single access only, it is not persisted. Meaning the user provides it,
+    # Authlogic grants them access, and that's it. If they want access again they need to
+    # provide the token again. Authlogic will *NEVER* try to persist the session after
+    # authenticating through this method.
     #
-    # For added security, this token is *ONLY* allowed for RSS and ATOM requests. You can change this with the configuration. You can also define if
-    # it is allowed dynamically by defining a single_access_allowed? method in your controller. For example:
+    # For added security, this token is *ONLY* allowed for RSS and ATOM requests. You can
+    # change this with the configuration. You can also define if it is allowed dynamically
+    # by defining a single_access_allowed? method in your controller. For example:
     #
     #   class UsersController < ApplicationController
     #     private
@@ -17,8 +21,9 @@ module Authlogic
     #         action_name == "index"
     #       end
     #
-    # Also, by default, this token is permanent. Meaning if the user changes their password, this token will remain the same. It will only change
-    # when it is explicitly reset.
+    # Also, by default, this token is permanent. Meaning if the user changes their
+    # password, this token will remain the same. It will only change when it is explicitly
+    # reset.
     #
     # You can modify all of this behavior with the Config sub module.
     module Params
@@ -30,15 +35,19 @@ module Authlogic
           persist :persist_by_params
         end
       end
-      
+
       # Configuration for the params / single access feature.
       module Config
-        # Works exactly like cookie_key, but for params. So a user can login via params just like a cookie or a session. Your URL would look like:
+        # Works exactly like cookie_key, but for params. So a user can login via
+        # params just like a cookie or a session. Your URL would look like:
         #
         #   http://www.domain.com?user_credentials=my_single_access_key
         #
-        # You can change the "user_credentials" key above with this configuration option. Keep in mind, just like cookie_key, if you supply an id
-        # the id will be appended to the front. Check out cookie_key for more details. Also checkout the "Single Access / Private Feeds Access" section in the README.
+        # You can change the "user_credentials" key above with this
+        # configuration option. Keep in mind, just like cookie_key, if you
+        # supply an id the id will be appended to the front. Check out
+        # cookie_key for more details. Also checkout the "Single Access /
+        # Private Feeds Access" section in the README.
         #
         # * <tt>Default:</tt> cookie_key
         # * <tt>Accepts:</tt> String
@@ -46,56 +55,76 @@ module Authlogic
           rw_config(:params_key, value, cookie_key)
         end
         alias_method :params_key=, :params_key
-        
-        # Authentication is allowed via a single access token, but maybe this is something you don't want for your application as a whole. Maybe this is
-        # something you only want for specific request types. Specify a list of allowed request types and single access authentication will only be
+
+        # Authentication is allowed via a single access token, but maybe this is
+        # something you don't want for your application as a whole. Maybe this
+        # is something you only want for specific request types. Specify a list
+        # of allowed request types and single access authentication will only be
         # allowed for the ones you specify.
         #
         # * <tt>Default:</tt> ["application/rss+xml", "application/atom+xml"]
-        # * <tt>Accepts:</tt> String of a request type, or :all or :any to allow single access authentication for any and all request types
+        # * <tt>Accepts:</tt> String of a request type, or :all or :any to
+        #   allow single access authentication for any and all request types
         def single_access_allowed_request_types(value = nil)
-          rw_config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
+          rw_config(
+            :single_access_allowed_request_types,
+            value,
+            ["application/rss+xml", "application/atom+xml"]
+          )
         end
         alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
       end
-      
-      # The methods available for an Authlogic::Session::Base object that make up the params / single access feature.
+
+      # The methods available for an Authlogic::Session::Base object that make
+      # up the params / single access feature.
       module InstanceMethods
         private
-          def persist_by_params
-            return false if !params_enabled?
-            self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
-            self.single_access = valid?
-          end
-          
-          def params_enabled?
-            return false if !params_credentials || !klass.column_names.include?("single_access_token")
-            return controller.single_access_allowed? if controller.responds_to_single_access_allowed?
-            
-            case single_access_allowed_request_types
-            when Array
-              single_access_allowed_request_types.include?(controller.request_content_type) || single_access_allowed_request_types.include?(:all)
-            else
-              [:all, :any].include?(single_access_allowed_request_types)
-            end
-          end
-          
-          def params_key
-            build_key(self.class.params_key)
-          end
-          
-          def single_access?
-            single_access == true
+
+        def persist_by_params
+          return false unless params_enabled?
+          self.unauthorized_record = search_for_record(
+            "find_by_single_access_token",
+            params_credentials
+          )
+          self.single_access = valid?
+        end
+
+        def params_enabled?
+          if !params_credentials || !klass.column_names.include?("single_access_token")
+            return false
           end
-          
-          def single_access_allowed_request_types
-            self.class.single_access_allowed_request_types
+          if controller.responds_to_single_access_allowed?
+            return controller.single_access_allowed?
           end
-          
-          def params_credentials
-            controller.params[params_key]
+          params_enabled_by_allowed_request_types?
+        end
+
+        def params_enabled_by_allowed_request_types?
+          case single_access_allowed_request_types
+          when Array
+            single_access_allowed_request_types.include?(controller.request_content_type) ||
+              single_access_allowed_request_types.include?(:all)
+          else
+            %i[all any].include?(single_access_allowed_request_types)
           end
+        end
+
+        def params_key
+          build_key(self.class.params_key)
+        end
+
+        def single_access?
+          single_access == true
+        end
+
+        def single_access_allowed_request_types
+          self.class.single_access_allowed_request_types
+        end
+
+        def params_credentials
+          controller.params[params_key]
+        end
       end
     end
   end
-end
+end

data/lib/authlogic/session/password.rb

@@ -6,25 +6,29 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_by_password, :if => :authenticating_with_password?
-          
+          validate :validate_by_password, if: :authenticating_with_password?
+
           class << self
             attr_accessor :configured_password_methods
           end
         end
       end
-      
+
       # Password configuration
       module Config
-        # Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and
-        # making sure it exists. What method it uses the do this is up to you.
+        # Authlogic tries to validate the credentials passed to it. One part of
+        # validation is actually finding the user and making sure it exists.
+        # What method it uses the do this is up to you.
         #
-        # Let's say you have a UserSession that is authenticating a User. By default UserSession will call User.find_by_login(login).
-        # You can change what method UserSession calls by specifying it here. Then in your User model you can make that method do
-        # anything you want, giving you complete control of how users are found by the UserSession.
+        # Let's say you have a UserSession that is authenticating a User. By
+        # default UserSession will call User.find_by_login(login). You can
+        # change what method UserSession calls by specifying it here. Then in
+        # your User model you can make that method do anything you want, giving
+        # you complete control of how users are found by the UserSession.
         #
-        # Let's take an example: You want to allow users to login by username or email. Set this to the name of the class method
-        # that does this in the User model. Let's call it "find_by_username_or_email"
+        # Let's take an example: You want to allow users to login by username or
+        # email. Set this to the name of the class method that does this in the
+        # User model. Let's call it "find_by_username_or_email"
         #
         #   class User < ActiveRecord::Base
         #     def self.find_by_username_or_email(login)
@@ -32,8 +36,10 @@ module Authlogic
         #     end
         #   end
         #
-        # Now just specify the name of this method for this configuration option and you are all set. You can do anything you
-        # want here. Maybe you allow users to have multiple logins and you want to search a has_many relationship, etc. The sky is the limit.
+        # Now just specify the name of this method for this configuration option
+        # and you are all set. You can do anything you want here. Maybe you
+        # allow users to have multiple logins and you want to search a has_many
+        # relationship, etc. The sky is the limit.
         #
         # * <tt>Default:</tt> "find_by_smart_case_login_field"
         # * <tt>Accepts:</tt> Symbol or String
@@ -41,10 +47,12 @@ module Authlogic
           rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
         end
         alias_method :find_by_login_method=, :find_by_login_method
-        
-        # The text used to identify credentials (username/password) combination when a bad login attempt occurs.
-        # When you show error messages for a bad login, it's considered good security practice to hide which field
-        # the user has entered incorrectly (the login field or the password field). For a full explanation, see
+
+        # The text used to identify credentials (username/password) combination
+        # when a bad login attempt occurs. When you show error messages for a
+        # bad login, it's considered good security practice to hide which field
+        # the user has entered incorrectly (the login field or the password
+        # field). For a full explanation, see
         # http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
         #
         # Example of use:
@@ -53,36 +61,42 @@ module Authlogic
         #     generalize_credentials_error_messages true
         #   end
         #
-        #   This would make the error message for bad logins and bad passwords look identical:
+        #   This would make the error message for bad logins and bad passwords
+        #   look identical:
         #
         #   Login/Password combination is not valid
-        #  
+        #
         #   Alternatively you may use a custom message:
-        # 
+        #
         #   class UserSession < AuthLogic::Session::Base
         #     generalize_credentials_error_messages "Your login information is invalid"
         #   end
         #
         #   This will instead show your custom error message when the UserSession is invalid.
         #
-        # The downside to enabling this is that is can be too vague for a user that has a hard time remembering
-        # their username and password combinations. It also disables the ability to to highlight the field
+        # The downside to enabling this is that is can be too vague for a user
+        # that has a hard time remembering their username and password
+        # combinations. It also disables the ability to to highlight the field
         # with the error when you use form_for.
         #
-        # If you are developing an app where security is an extreme priority (such as a financial application),
-        # then you should enable this. Otherwise, leaving this off is fine.
-        # 
+        # If you are developing an app where security is an extreme priority
+        # (such as a financial application), then you should enable this.
+        # Otherwise, leaving this off is fine.
+        #
         # * <tt>Default</tt> false
         # * <tt>Accepts:</tt> Boolean
         def generalize_credentials_error_messages(value = nil)
           rw_config(:generalize_credentials_error_messages, value, false)
         end
         alias_method :generalize_credentials_error_messages=, :generalize_credentials_error_messages
-        
-        # The name of the method you want Authlogic to create for storing the login / username. Keep in mind this is just for your
-        # Authlogic::Session, if you want it can be something completely different than the field in your model. So if you wanted people to
-        # login with a field called "login" and then find users by email this is compeltely doable. See the find_by_login_method configuration
-        # option for more details.
+
+        # The name of the method you want Authlogic to create for storing the
+        # login / username. Keep in mind this is just for your
+        # Authlogic::Session, if you want it can be something completely
+        # different than the field in your model. So if you wanted people to
+        # login with a field called "login" and then find users by email this is
+        # completely doable. See the find_by_login_method configuration option
+        # for more details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -90,8 +104,9 @@ module Authlogic
           rw_config(:login_field, value, klass.login_field || klass.email_field)
         end
         alias_method :login_field=, :login_field
-        
-        # Works exactly like login_field, but for the password instead. Returns :password if a login_field exists.
+
+        # Works exactly like login_field, but for the password instead. Returns
+        # :password if a login_field exists.
         #
         # * <tt>Default:</tt> :password
         # * <tt>Accepts:</tt> Symbol or String
@@ -99,29 +114,32 @@ module Authlogic
           rw_config(:password_field, value, login_field && :password)
         end
         alias_method :password_field=, :password_field
-        
-        # The name of the method in your model used to verify the password. This should be an instance method. It should also
-        # be prepared to accept a raw password and a crytped password.
+
+        # The name of the method in your model used to verify the password. This
+        # should be an instance method. It should also be prepared to accept a
+        # raw password and a crytped password.
         #
-        # * <tt>Default:</tt> "valid_password?"
+        # * <tt>Default:</tt> "valid_password?" defined in acts_as_authentic/password.rb
         # * <tt>Accepts:</tt> Symbol or String
         def verify_password_method(value = nil)
           rw_config(:verify_password_method, value, "valid_password?")
         end
         alias_method :verify_password_method=, :verify_password_method
       end
-      
+
       # Password related instance methods
       module InstanceMethods
         def initialize(*args)
-          if !self.class.configured_password_methods
+          unless self.class.configured_password_methods
             configure_password_methods
             self.class.configured_password_methods = true
           end
+          instance_variable_set("@#{password_field}", nil)
           super
         end
-        
-        # Returns the login_field / password_field credentials combination in hash form.
+
+        # Returns the login_field / password_field credentials combination in
+        # hash form.
         def credentials
           if authenticating_with_password?
             details = {}
@@ -132,107 +150,168 @@ module Authlogic
             super
           end
         end
-        
-        # Accepts the login_field / password_field credentials combination in hash form.
+
+        # Accepts the login_field / password_field credentials combination in
+        # hash form.
+        #
+        # You must pass an actual Hash, `ActionController::Parameters` is
+        # specifically not allowed.
+        #
+        # See `Authlogic::Session::Foundation#credentials=` for an overview of
+        # all method signatures.
         def credentials=(value)
           super
-          values = value.is_a?(Array) ? value : [value]
+          values = Array.wrap(value)
           if values.first.is_a?(Hash)
-            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-              next if value.blank?
-              send("#{field}=", value)
+            sliced = values
+              .first
+              .with_indifferent_access
+              .slice(login_field, password_field)
+            sliced.each do |field, val|
+              next if val.blank?
+              send("#{field}=", val)
             end
           end
         end
-        
+
         def invalid_password?
           invalid_password == true
         end
-        
+
         private
-          def configure_password_methods
-            if login_field
-              self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
-              self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
-            end
-            
-            if password_field
-              self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
-              self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
-
-              self.class.class_eval <<-"end_eval", __FILE__, __LINE__
-                private
-                  # The password should not be accessible publicly. This way forms using form_for don't fill the password with the
-                  # attempted password. To prevent this we just create this method that is private.
-                  def protected_#{password_field}
-                    @#{password_field}
-                  end
-              end_eval
-            end
+
+        def add_invalid_password_error
+          if generalize_credentials_error_messages?
+            add_general_credentials_error
+          else
+            errors.add(
+              password_field,
+              I18n.t("error_messages.password_invalid", default: "is not valid")
+            )
           end
+        end
 
-          def authenticating_with_password?
-            login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+        def add_login_not_found_error
+          if generalize_credentials_error_messages?
+            add_general_credentials_error
+          else
+            errors.add(
+              login_field,
+              I18n.t("error_messages.login_not_found", default: "is not valid")
+            )
           end
-          
-          def validate_by_password
-            self.invalid_password = false
-            
-            # check for blank fields
-            errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank")) if send(login_field).blank?
-            errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank")) if send("protected_#{password_field}").blank?
-            return if errors.count > 0
-
-            # check for unknown login
-            self.attempted_record = search_for_record(find_by_login_method, send(login_field))
-            if attempted_record.blank?
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
-              return
-            end
+        end
 
-            # check for invalid password
-            if !attempted_record.send(verify_password_method, send("protected_#{password_field}"))
-              self.invalid_password = true
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
-              return
-            end
+        def authenticating_with_password?
+          login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+        end
+
+        def configure_password_methods
+          define_login_field_methods
+          define_password_field_methods
+        end
+
+        def define_login_field_methods
+          return unless login_field
+          self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
+          self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
+        end
+
+        def define_password_field_methods
+          return unless password_field
+          self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
+          self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+
+          # The password should not be accessible publicly. This way forms
+          # using form_for don't fill the password with the attempted
+          # password. To prevent this we just create this method that is
+          # private.
+          self.class.class_eval(
+            <<-EOS, __FILE__, __LINE__ + 1
+              private
+                def protected_#{password_field}
+                  @#{password_field}
+                end
+            EOS
+          )
+        end
+
+        # In keeping with the metaphor of ActiveRecord, verification of the
+        # password is referred to as a "validation".
+        def validate_by_password
+          self.invalid_password = false
+          validate_by_password__blank_fields
+          return if errors.count > 0
+          self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+          if attempted_record.blank?
+            add_login_not_found_error
+            return
+          end
+          validate_by_password__invalid_password
+        end
+
+        def validate_by_password__blank_fields
+          if send(login_field).blank?
+            errors.add(
+              login_field,
+              I18n.t("error_messages.login_blank", default: "cannot be blank")
+            )
           end
-          
-          attr_accessor :invalid_password
-          
-          def find_by_login_method
-            self.class.find_by_login_method
+          if send("protected_#{password_field}").blank?
+            errors.add(
+              password_field,
+              I18n.t("error_messages.password_blank", default: "cannot be blank")
+            )
           end
-          
-          def login_field
-            self.class.login_field
+        end
+
+        # Verify the password, usually using `valid_password?` in
+        # `acts_as_authentic/password.rb`. If it cannot be verified, we
+        # refer to it as "invalid".
+        def validate_by_password__invalid_password
+          unless attempted_record.send(
+            verify_password_method,
+            send("protected_#{password_field}")
+          )
+            self.invalid_password = true
+            add_invalid_password_error
           end
-          
-          def add_general_credentials_error
-            error_message = 
+        end
+
+        attr_accessor :invalid_password
+
+        def find_by_login_method
+          self.class.find_by_login_method
+        end
+
+        def login_field
+          self.class.login_field
+        end
+
+        def add_general_credentials_error
+          error_message =
             if self.class.generalize_credentials_error_messages.is_a? String
               self.class.generalize_credentials_error_messages
             else
               "#{login_field.to_s.humanize}/Password combination is not valid"
             end
-            errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
-          end
-          
-          def generalize_credentials_error_messages?
-            self.class.generalize_credentials_error_messages
-          end
-          
-          def password_field
-            self.class.password_field
-          end
-          
-          def verify_password_method
-            self.class.verify_password_method
-          end
+          errors.add(
+            :base,
+            I18n.t("error_messages.general_credentials_error", default: error_message)
+          )
+        end
+
+        def generalize_credentials_error_messages?
+          self.class.generalize_credentials_error_messages
+        end
+
+        def password_field
+          self.class.password_field
+        end
+
+        def verify_password_method
+          self.class.verify_password_method
+        end
       end
     end
   end