authlogic 3.4.6 → 4.2.0

data/lib/authlogic/acts_as_authentic/perishable_token.rb

@@ -1,9 +1,15 @@
 module Authlogic
   module ActsAsAuthentic
-    # This provides a handy token that is "perishable". Meaning the token is only good for a certain amount of time. This is perfect for
-    # resetting password, confirming accounts, etc. Typically during these actions you send them this token in via their email. Once they
-    # use the token and do what they need to do, that token should expire. Don't worry about maintaining this, changing it, or expiring it
-    # yourself. Authlogic does all of this for you. See the sub modules for all of the tools Authlogic provides to you.
+    # This provides a handy token that is "perishable", meaning the token is
+    # only good for a certain amount of time.
+    #
+    # This is useful for resetting password, confirming accounts, etc. Typically
+    # during these actions you send them this token in an email. Once they use
+    # the token and do what they need to do, that token should expire.
+    #
+    # Don't worry about maintaining the token, changing it, or expiring it
+    # yourself. Authlogic does all of this for you. See the sub modules for all
+    # of the tools Authlogic provides to you.
     module PerishableToken
       def self.included(klass)
         klass.class_eval do
@@ -12,21 +18,26 @@ module Authlogic
         end
       end
 
-      # Change how the perishable token works.
+      # Configure the perishable token.
       module Config
-        # When using the find_using_perishable_token method the token can expire. If the token is expired, no
-        # record will be returned. Use this option to specify how long the token is valid for.
+        # When using the find_using_perishable_token method the token can
+        # expire. If the token is expired, no record will be returned. Use this
+        # option to specify how long the token is valid for.
         #
         # * <tt>Default:</tt> 10.minutes
         # * <tt>Accepts:</tt> Fixnum
         def perishable_token_valid_for(value = nil)
-          rw_config(:perishable_token_valid_for, (!value.nil? && value.to_i) || value, 10.minutes.to_i)
+          rw_config(
+            :perishable_token_valid_for,
+            (!value.nil? && value.to_i) || value,
+            10.minutes.to_i
+          )
         end
         alias_method :perishable_token_valid_for=, :perishable_token_valid_for
 
-        # Authlogic tries to expire and change the perishable token as much as possible, without compromising
-        # it's purpose. This is for security reasons. If you want to manage it yourself, you can stop
-        # Authlogic from getting your in way by setting this to true.
+        # Authlogic tries to expire and change the perishable token as much as
+        # possible, without compromising its purpose. If you want to manage it
+        # yourself, set this to true.
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -39,28 +50,30 @@ module Authlogic
       # All methods relating to the perishable token.
       module Methods
         def self.included(klass)
-          return if !klass.column_names.include?("perishable_token")
+          return unless klass.column_names.include?("perishable_token")
 
           klass.class_eval do
             extend ClassMethods
             include InstanceMethods
 
-            validates_uniqueness_of :perishable_token, :if => :perishable_token_changed?
-            before_save :reset_perishable_token, :unless => :disable_perishable_token_maintenance?
+            validates_uniqueness_of :perishable_token, if: :perishable_token_changed?
+            before_save :reset_perishable_token, unless: :disable_perishable_token_maintenance?
           end
         end
 
-        # Class level methods for the perishable token
+        # Class methods for the perishable token
         module ClassMethods
-          # Use this method to find a record with a perishable token. This method does 2 things for you:
+          # Use this method to find a record with a perishable token. This
+          # method does 2 things for you:
           #
           # 1. It ignores blank tokens
           # 2. It enforces the perishable_token_valid_for configuration option.
           #
-          # If you want to use a different timeout value, just pass it as the second parameter:
+          # If you want to use a different timeout value, just pass it as the
+          # second parameter:
           #
           #   User.find_using_perishable_token(token, 1.hour)
-          def find_using_perishable_token(token, age = self.perishable_token_valid_for)
+          def find_using_perishable_token(token, age = perishable_token_valid_for)
             return if token.blank?
             age = age.to_i
 
@@ -91,10 +104,11 @@ module Authlogic
           # Same as reset_perishable_token, but then saves the record afterwards.
           def reset_perishable_token!
             reset_perishable_token
-            save_without_session_maintenance(:validate => false)
+            save_without_session_maintenance(validate: false)
           end
 
-          # A convenience method based on the disable_perishable_token_maintenance configuration option.
+          # A convenience method based on the
+          # disable_perishable_token_maintenance configuration option.
           def disable_perishable_token_maintenance?
             self.class.disable_perishable_token_maintenance == true
           end

data/lib/authlogic/acts_as_authentic/persistence_token.rb

@@ -8,61 +8,57 @@ module Authlogic
           add_acts_as_authentic_module(Methods)
         end
       end
-      
+
       # Methods for the persistence token.
       module Methods
         def self.included(klass)
           klass.class_eval do
             extend ClassMethods
             include InstanceMethods
-            
+
             if respond_to?(:after_password_set) && respond_to?(:after_password_verification)
               after_password_set :reset_persistence_token
-              after_password_verification :reset_persistence_token!, :if => :reset_persistence_token?
+              after_password_verification :reset_persistence_token!, if: :reset_persistence_token?
             end
-            
+
             validates_presence_of :persistence_token
-            validates_uniqueness_of :persistence_token, :if => :persistence_token_changed?
-            
-            before_validation :reset_persistence_token, :if => :reset_persistence_token?
+            validates_uniqueness_of :persistence_token, if: :persistence_token_changed?
+
+            before_validation :reset_persistence_token, if: :reset_persistence_token?
           end
         end
-        
+
         # Class level methods for the persistence token.
         module ClassMethods
-          # Resets ALL persistence tokens in the database, which will require all users to reauthenticate.
+          # Resets ALL persistence tokens in the database, which will require
+          # all users to re-authenticate.
           def forget_all
             # Paginate these to save on memory
-            records = nil
-            i = 0
-            begin
-              records = limit(50).offset(i)
-              records.each { |record| record.forget! }
-              i += 50
-            end while !records.blank?
+            find_each(batch_size: 50, &:forget!)
           end
         end
-        
+
         # Instance level methods for the persistence token.
         module InstanceMethods
           # Resets the persistence_token field to a random hex value.
           def reset_persistence_token
             self.persistence_token = Authlogic::Random.hex_token
           end
-          
+
           # Same as reset_persistence_token, but then saves the record.
           def reset_persistence_token!
             reset_persistence_token
-            save_without_session_maintenance(:validate => false)
+            save_without_session_maintenance(validate: false)
           end
           alias_method :forget!, :reset_persistence_token!
-          
+
           private
-            def reset_persistence_token?
-              persistence_token.blank?
-            end
+
+          def reset_persistence_token?
+            persistence_token.blank?
+          end
         end
       end
     end
   end
-end
+end

data/lib/authlogic/acts_as_authentic/queries/find_with_case.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    module Queries
+      # The query used by public-API method `find_by_smart_case_login_field`.
+      # @api private
+      class FindWithCase
+        # Dup ActiveRecord.gem_version before freezing, in case someone
+        # else wants to modify it. Freezing modifies an object in place.
+        # https://github.com/binarylogic/authlogic/pull/590
+        AR_GEM_VERSION = ActiveRecord.gem_version.dup.freeze
+
+        # @api private
+        def initialize(model_class, field, value, sensitive)
+          @model_class = model_class
+          @field = field.to_s
+          @value = value
+          @sensitive = sensitive
+        end
+
+        # @api private
+        def execute
+          bind(relation).first
+        end
+
+        private
+
+        # @api private
+        def bind(relation)
+          if AR_GEM_VERSION >= Gem::Version.new("5")
+            bind = ActiveRecord::Relation::QueryAttribute.new(
+              @field,
+              @value,
+              ActiveRecord::Type::Value.new
+            )
+            @model_class.where(relation, bind)
+          else
+            @model_class.where(relation)
+          end
+        end
+
+        # @api private
+        def relation
+          if !@sensitive
+            @model_class.connection.case_insensitive_comparison(
+              @model_class.arel_table,
+              @field,
+              @model_class.columns_hash[@field],
+              @value
+            )
+          elsif AR_GEM_VERSION >= Gem::Version.new("5.0")
+            @model_class.connection.case_sensitive_comparison(
+              @model_class.arel_table,
+              @field,
+              @model_class.columns_hash[@field],
+              @value
+            )
+          else
+            value = @model_class.connection.case_sensitive_modifier(@value, @field)
+            @model_class.arel_table[@field].eq(value)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/restful_authentication.rb

@@ -1,6 +1,7 @@
 module Authlogic
   module ActsAsAuthentic
-    # This module is responsible for transitioning existing applications from the restful_authentication plugin.
+    # This module is responsible for transitioning existing applications from
+    # the restful_authentication plugin.
     module RestfulAuthentication
       def self.included(klass)
         klass.class_eval do
@@ -9,11 +10,25 @@ module Authlogic
         end
       end
 
+      # Configures the restful_authentication aspect of acts_as_authentic.
+      # These methods become class methods of ::ActiveRecord::Base.
       module Config
-        # Switching an existing app to Authlogic from restful_authentication? No problem, just set this true and your users won't know
-        # anything changed. From your database perspective nothing will change at all. Authlogic will continue to encrypt passwords
-        # just like restful_authentication, so your app won't skip a beat. Although, might consider transitioning your users to a newer
-        # and stronger algorithm. Checkout the transition_from_restful_authentication option.
+        DPR_MSG = <<-STR.squish
+          Support for transitioning to authlogic from restful_authentication
+          (%s) is deprecated without replacement. restful_authentication is no
+          longer used in the ruby community, and the transition away from it is
+          complete. There is only one version of restful_authentication on
+          rubygems.org, it was released in 2009, and it's only compatible with
+          rails 2.3. It has been nine years since it was released.
+        STR
+
+        # Switching an existing app to Authlogic from restful_authentication? No
+        # problem, just set this true and your users won't know anything
+        # changed. From your database perspective nothing will change at all.
+        # Authlogic will continue to encrypt passwords just like
+        # restful_authentication, so your app won't skip a beat. Although, might
+        # consider transitioning your users to a newer and stronger algorithm.
+        # Checkout the transition_from_restful_authentication option.
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -22,39 +37,69 @@ module Authlogic
           set_restful_authentication_config if value
           r
         end
-        alias_method :act_like_restful_authentication=, :act_like_restful_authentication
 
-        # This works just like act_like_restful_authentication except that it will start transitioning your users to the algorithm you
-        # specify with the crypto provider option. The next time they log in it will resave their password with the new algorithm
-        # and any new record will use the new algorithm as well. Make sure to update your users table if you are using the default
-        # migration since it will set crypted_password and salt columns to a maximum width of 40 characters which is not enough.
+        def act_like_restful_authentication=(value = nil)
+          ::ActiveSupport::Deprecation.warn(
+            format(DPR_MSG, "act_like_restful_authentication="),
+            caller(1)
+          )
+          act_like_restful_authentication(value)
+        end
+
+        # This works just like act_like_restful_authentication except that it
+        # will start transitioning your users to the algorithm you specify with
+        # the crypto provider option. The next time they log in it will resave
+        # their password with the new algorithm and any new record will use the
+        # new algorithm as well. Make sure to update your users table if you are
+        # using the default migration since it will set crypted_password and
+        # salt columns to a maximum width of 40 characters which is not enough.
         def transition_from_restful_authentication(value = nil)
           r = rw_config(:transition_from_restful_authentication, value, false)
           set_restful_authentication_config if value
           r
         end
-        alias_method :transition_from_restful_authentication=, :transition_from_restful_authentication
+
+        def transition_from_restful_authentication=(value = nil)
+          ::ActiveSupport::Deprecation.warn(
+            format(DPR_MSG, "transition_from_restful_authentication="),
+            caller(1)
+          )
+          transition_from_restful_authentication(value)
+        end
 
         private
-          def set_restful_authentication_config
-            crypto_provider_key = act_like_restful_authentication ? :crypto_provider : :transition_from_crypto_providers
-            self.send("#{crypto_provider_key}=", CryptoProviders::Sha1)
-            if !defined?(::REST_AUTH_SITE_KEY) || ::REST_AUTH_SITE_KEY.nil?
-              class_eval("::REST_AUTH_SITE_KEY = ''") if !defined?(::REST_AUTH_SITE_KEY)
-              CryptoProviders::Sha1.stretches = 1
+
+        def set_restful_authentication_config
+          self.restful_auth_crypto_provider = CryptoProviders::Sha1
+          if !defined?(::REST_AUTH_SITE_KEY) || ::REST_AUTH_SITE_KEY.nil?
+            unless defined?(::REST_AUTH_SITE_KEY)
+              class_eval("::REST_AUTH_SITE_KEY = ''", __FILE__, __LINE__)
             end
+            CryptoProviders::Sha1.stretches = 1
           end
+        end
+
+        # @api private
+        def restful_auth_crypto_provider=(provider)
+          if act_like_restful_authentication
+            self.crypto_provider = provider
+          else
+            self.transition_from_crypto_providers = provider
+          end
+        end
       end
 
+      # :nodoc:
       module InstanceMethods
         private
-          def act_like_restful_authentication?
-            self.class.act_like_restful_authentication == true
-          end
 
-          def transition_from_restful_authentication?
-            self.class.transition_from_restful_authentication == true
-          end
+        def act_like_restful_authentication?
+          self.class.act_like_restful_authentication == true
+        end
+
+        def transition_from_restful_authentication?
+          self.class.transition_from_restful_authentication == true
+        end
       end
     end
   end

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -1,22 +1,26 @@
 module Authlogic
   module ActsAsAuthentic
-    # This is one of my favorite features that I think is pretty cool. It's things like this that make a library great
-    # and let you know you are on the right track.
+    # This is one of my favorite features that I think is pretty cool. It's
+    # things like this that make a library great and let you know you are on the
+    # right track.
     #
-    # Just to clear up any confusion, Authlogic stores both the record id and the persistence token in the session.
-    # Why? So stale sessions can not be persisted. It stores the id so it can quickly find the record, and the
-    # persistence token to ensure no sessions are stale. So if the persistence token changes, the user must log
-    # back in.
+    # Just to clear up any confusion, Authlogic stores both the record id and
+    # the persistence token in the session. Why? So stale sessions can not be
+    # persisted. It stores the id so it can quickly find the record, and the
+    # persistence token to ensure no sessions are stale. So if the persistence
+    # token changes, the user must log back in.
     #
-    # Well, the persistence token changes with the password. What happens if the user changes his own password?
-    # He shouldn't have to log back in, he's the one that made the change.
+    # Well, the persistence token changes with the password. What happens if the
+    # user changes his own password? He shouldn't have to log back in, he's the
+    # one that made the change.
     #
-    # That being said, wouldn't it be nice if their session and cookie information was automatically updated?
-    # Instead of cluttering up your controller with redundant session code. The same thing goes for new
+    # That being said, wouldn't it be nice if their session and cookie
+    # information was automatically updated? Instead of cluttering up your
+    # controller with redundant session code. The same thing goes for new
     # registrations.
     #
-    # That's what this module is all about. This will automatically maintain the cookie and session values as
-    # records are saved.
+    # That's what this module is all about. This will automatically maintain the
+    # cookie and session values as records are saved.
     module SessionMaintenance
       def self.included(klass)
         klass.class_eval do
@@ -24,21 +28,33 @@ module Authlogic
           add_acts_as_authentic_module(Methods)
         end
       end
-      
+
+      # Configuration for the session maintenance aspect of acts_as_authentic.
+      # These methods become class methods of ::ActiveRecord::Base.
       module Config
-        # This is more of a convenience method. In order to turn off automatic maintenance of sessions just
-        # set this to false, or you can also set the session_ids method to a blank array. Both accomplish
-        # the same thing. This method is a little clearer in it's intentions though.
+        # In order to turn off automatic maintenance of sessions
+        # after create, just set this to false.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def log_in_after_create(value = nil)
+          rw_config(:log_in_after_create, value, true)
+        end
+        alias_method :log_in_after_create=, :log_in_after_create
+
+        # In order to turn off automatic maintenance of sessions when updating
+        # the password, just set this to false.
         #
         # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
-        def maintain_sessions(value = nil)
-          rw_config(:maintain_sessions, value, true)
+        def log_in_after_password_change(value = nil)
+          rw_config(:log_in_after_password_change, value, true)
         end
-        alias_method :maintain_sessions=, :maintain_sessions
-        
-        # As you may know, authlogic sessions can be separate by id (See Authlogic::Session::Base#id). You can
-        # specify here what session ids you want auto maintained. By default it is the main session, which has
+        alias_method :log_in_after_password_change=, :log_in_after_password_change
+
+        # As you may know, authlogic sessions can be separate by id (See
+        # Authlogic::Session::Base#id). You can specify here what session ids
+        # you want auto maintained. By default it is the main session, which has
         # an id of nil.
         #
         # * <tt>Default:</tt> [nil]
@@ -47,26 +63,33 @@ module Authlogic
           rw_config(:session_ids, value, [nil])
         end
         alias_method :session_ids=, :session_ids
-        
-        # The name of the associated session class. This is inferred by the name of the model.
+
+        # The name of the associated session class. This is inferred by the name
+        # of the model.
         #
         # * <tt>Default:</tt> "#{klass.name}Session".constantize
         # * <tt>Accepts:</tt> Class
         def session_class(value = nil)
-          const = "#{base_class.name}Session".constantize rescue nil
+          const = begin
+                    "#{base_class.name}Session".constantize
+                  rescue NameError
+                    nil
+                  end
           rw_config(:session_class, value, const)
         end
         alias_method :session_class=, :session_class
       end
-      
+
+      # This module, as one of the `acts_as_authentic_modules`, is only included
+      # into an ActiveRecord model if that model calls `acts_as_authentic`.
       module Methods
         def self.included(klass)
           klass.class_eval do
-            before_save :get_session_information, :if => :update_sessions?
-            before_save :maintain_sessions, :if => :update_sessions?
+            before_save :get_session_information, if: :update_sessions?
+            before_save :maintain_sessions, if: :update_sessions?
           end
         end
-        
+
         # Save the record and skip session maintenance all together.
         def save_without_session_maintenance(*args)
           self.skip_session_maintenance = true
@@ -74,66 +97,86 @@ module Authlogic
           self.skip_session_maintenance = false
           result
         end
-        
+
         private
-          def skip_session_maintenance=(value)
-            @skip_session_maintenance = value
-          end
-          
-          def skip_session_maintenance
-            @skip_session_maintenance ||= false
-          end
-          
-          def update_sessions?
-            !skip_session_maintenance && session_class && session_class.activated? && self.class.maintain_sessions == true && !session_ids.blank? && persistence_token_changed?
-          end
-          
-          def get_session_information
-            # Need to determine if we are completely logged out, or logged in as another user
-            @_sessions = []
-            
-            session_ids.each do |session_id|
-              session = session_class.find(session_id, self)
-              @_sessions << session if session && session.record
-            end
-          end
-          
-          def maintain_sessions
-            if @_sessions.empty?
-              create_session
-            else
-              update_sessions
-            end
-          end
-          
-          def create_session
-            # We only want to automatically login into the first session, since this is the main session. The other sessions are sessions
-            # that need to be created after logging into the main session.
-            session_id = session_ids.first
-            session_class.create(*[self, self, session_id].compact)
-
-            return true
-          end
-          
-          def update_sessions
-            # We found sessions above, let's update them with the new info
-            @_sessions.each do |stale_session|
-              next if stale_session.record != self
-              stale_session.unauthorized_record = self
-              stale_session.save
-            end
-
-            return true
+
+        def skip_session_maintenance=(value)
+          @skip_session_maintenance = value
+        end
+
+        def skip_session_maintenance
+          @skip_session_maintenance ||= false
+        end
+
+        def update_sessions?
+          !skip_session_maintenance &&
+            session_class &&
+            session_class.activated? &&
+            maintain_session? &&
+            !session_ids.blank? &&
+            persistence_token_changed?
+        end
+
+        def maintain_session?
+          log_in_after_create? || log_in_after_password_change?
+        end
+
+        def get_session_information
+          # Need to determine if we are completely logged out, or logged in as
+          # another user.
+          @_sessions = []
+
+          session_ids.each do |session_id|
+            session = session_class.find(session_id, self)
+            @_sessions << session if session && session.record
           end
-          
-          def session_ids
-            self.class.session_ids
+        end
+
+        def maintain_sessions
+          if @_sessions.empty?
+            create_session
+          else
+            update_sessions
           end
-          
-          def session_class
-            self.class.session_class
+        end
+
+        def create_session
+          # We only want to automatically login into the first session, since
+          # this is the main session. The other sessions are sessions that
+          # need to be created after logging into the main session.
+          session_id = session_ids.first
+          session_class.create(*[self, self, session_id].compact)
+
+          true
+        end
+
+        def update_sessions
+          # We found sessions above, let's update them with the new info
+          @_sessions.each do |stale_session|
+            next if stale_session.record != self
+            stale_session.unauthorized_record = self
+            stale_session.save
           end
+
+          true
+        end
+
+        def session_ids
+          self.class.session_ids
+        end
+
+        def session_class
+          self.class.session_class
+        end
+
+        def log_in_after_create?
+          new_record? && self.class.log_in_after_create
+        end
+
+        def log_in_after_password_change?
+          persistence_token_changed? && self.class.log_in_after_password_change
+        end
       end
     end
   end
-end
+end