authlogic 3.4.6 → 4.2.0

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -32,7 +32,7 @@ module Authlogic
         end
 
         def session
-          env['rack.session']
+          env["rack.session"]
         end
 
         def method_missing(meth, *args, &block)
@@ -42,7 +42,7 @@ module Authlogic
 
       class Adapter < AbstractAdapter
         def cookie_domain
-          env['SERVER_NAME']
+          env["SERVER_NAME"]
         end
 
         module Implementation
@@ -58,4 +58,4 @@ module Authlogic
   end
 end
 
-Sinatra::Base.send(:include, Authlogic::ControllerAdapters::SinatraAdapter::Adapter::Implementation)
+Sinatra::Base.send(:include, Authlogic::ControllerAdapters::SinatraAdapter::Adapter::Implementation)

data/lib/authlogic/crypto_providers.rb

@@ -1,4 +1,25 @@
 module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # The tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. For example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string.
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # Return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
   module CryptoProviders
     autoload :MD5,    "authlogic/crypto_providers/md5"
     autoload :Sha1,   "authlogic/crypto_providers/sha1"
@@ -7,5 +28,75 @@ module Authlogic
     autoload :BCrypt, "authlogic/crypto_providers/bcrypt"
     autoload :AES256, "authlogic/crypto_providers/aes256"
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
+    # crypto_providers/wordpress.rb has never been autoloaded, and now it is
+    # deprecated.
+
+    # Guide users to choose a better crypto provider.
+    class Guidance
+      AES256_DEPRECATED = <<-EOS.strip_heredoc.freeze
+        You have selected AES256 as your authlogic crypto provider. This
+        choice is not suitable for password storage.
+
+        Authlogic will drop its AES256 crypto provider in the next major
+        version. If you're unable to transition away from AES256 please let us
+        know immediately.
+
+        We recommend using a one-way algorithm instead. There are many choices;
+        we recommend scrypt. Use the transition_from_crypto_providers option
+        to make this painless for your users.
+      EOS
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::".freeze
+      NONADAPTIVE_ALGORITHM = <<-EOS.strip_heredoc.freeze
+        You have selected %s as your authlogic crypto provider. This algorithm
+        does not have any practical known attacks against it. However, there are
+        better choices.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a more secure, adaptive hashing algorithm,
+        like scrypt. Adaptive algorithms are designed to slow down brute force
+        attacks, and over time the iteration count can be increased to make it
+        slower, so it remains resistant to brute-force search attacks even in
+        the face of increasing computation power.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+      VULNERABLE_ALGORITHM = <<-EOS.strip_heredoc.freeze
+        You have selected %s as your authlogic crypto provider. It is a poor
+        choice because there are known attacks against this algorithm.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a secure hashing algorithm. We recommend
+        an adaptive algorithm, like scrypt.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+
+      def initialize(provider)
+        @provider = provider
+      end
+
+      def impart_wisdom
+        return unless @provider.is_a?(Class)
+
+        # We can only impart wisdom about our own built-in providers.
+        absolute_name = @provider.name
+        return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)
+
+        # Inspect the string name of the provider, rather than using the
+        # constants in our `when` clauses. If we used the constants, we'd
+        # negate the benefits of the `autoload` above.
+        name = absolute_name.demodulize
+        case name
+        when "AES256"
+          ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
+        when "MD5", "Sha1"
+          warn(format(VULNERABLE_ALGORITHM, name))
+        when "Sha256", "Sha512"
+          warn(format(NONADAPTIVE_ALGORITHM, name))
+        end
+      end
+    end
   end
 end

data/lib/authlogic/crypto_providers/aes256.rb

@@ -2,28 +2,33 @@ require "openssl"
 
 module Authlogic
   module CryptoProviders
-    # This encryption method is reversible if you have the supplied key. So in order to use this encryption method you must supply it with a key first.
-    # In an initializer, or before your application initializes, you should do the following:
+    # This encryption method is reversible if you have the supplied key. So in
+    # order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do
+    # the following:
     #
-    #   Authlogic::CryptoProviders::AES256.key = "my really long and unique key, preferrably a bunch of random characters"
+    #   Authlogic::CryptoProviders::AES256.key = "long, unique, and random key"
     #
-    # My final comment is that this is a strong encryption method, but its main weakness is that it's reversible. If you do not need to reverse the hash
+    # My final comment is that this is a strong encryption method, but its main
+    # weakness is that it's reversible. If you do not need to reverse the hash
     # then you should consider Sha512 or BCrypt instead.
     #
-    # Keep your key in a safe place, some even say the key should be stored on a separate server.
-    # This won't hurt performance because the only time it will try and access the key on the separate server is during initialization, which only
-    # happens once. The reasoning behind this is if someone does compromise your server they won't have the key also. Basically, you don't want to
-    # store the key with the lock.
+    # Keep your key in a safe place, some even say the key should be stored on a
+    # separate server. This won't hurt performance because the only time it will
+    # try and access the key on the separate server is during initialization,
+    # which only happens once. The reasoning behind this is if someone does
+    # compromise your server they won't have the key also. Basically, you don't
+    # want to store the key with the lock.
     class AES256
       class << self
         attr_writer :key
-    
+
         def encrypt(*tokens)
           aes.encrypt
           aes.key = @key
           [aes.update(tokens.join) + aes.final].pack("m").chomp
         end
-    
+
         def matches?(crypted, *tokens)
           aes.decrypt
           aes.key = @key
@@ -31,12 +36,35 @@ module Authlogic
         rescue OpenSSL::CipherError
           false
         end
-    
+
         private
-          def aes
-            raise ArgumentError.new("You must provide a key like #{name}.key = my_key before using the #{name}") if @key.blank?
-            @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+
+        def aes
+          if @key.blank?
+            raise ArgumentError.new(
+              "You must provide a key like #{name}.key = my_key before using the #{name}"
+            )
           end
+
+          @aes ||= openssl_cipher_class.new("AES-256-ECB")
+        end
+
+        # `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
+        # in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
+        # printed until 2016
+        # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
+        # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
+        # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
+        #
+        # When we eventually drop support for ruby < 2.4, we can probably also
+        # drop support for openssl gem < 2.
+        def openssl_cipher_class
+          if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
+            ::OpenSSL::Cipher::Cipher
+          else
+            ::OpenSSL::Cipher
+          end
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -16,10 +16,18 @@ module Authlogic
     #   require "benchmark"
     #
     #   Benchmark.bm(18) do |x|
-    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
-    #     x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
-    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
-    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #     x.report("BCrypt (cost = 10:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 10) }
+    #     }
+    #     x.report("BCrypt (cost = 4:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 4) }
+    #     }
+    #     x.report("Sha512:") {
+    #       100.times { Digest::SHA512.hexdigest("mypass") }
+    #     }
+    #     x.report("Sha1:") {
+    #       100.times { Digest::SHA1.hexdigest("mypass") }
+    #     }
     #   end
     #
     #                            user     system      total        real
@@ -45,32 +53,40 @@ module Authlogic
     # You are good to go!
     class BCrypt
       class << self
-        # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
-        # Set this to any value >= the engine's minimum (currently 4), play around with it to get that perfect balance between security and performance.
+        # This is the :cost option for the BCrpyt library. The higher the cost
+        # the more secure it is and the longer is take the generate a hash. By
+        # default this is 10. Set this to any value >= the engine's minimum
+        # (currently 4), play around with it to get that perfect balance between
+        # security and performance.
         def cost
           @cost ||= 10
         end
 
         def cost=(val)
           if val < ::BCrypt::Engine::MIN_COST
-            raise ArgumentError.new("Authlogic's bcrypt cost cannot be set below the engine's min cost (#{::BCrypt::Engine::MIN_COST})")
+            raise ArgumentError.new(
+              "Authlogic's bcrypt cost cannot be set below the engine's " \
+                "min cost (#{::BCrypt::Engine::MIN_COST})"
+            )
           end
           @cost = val
         end
 
         # Creates a BCrypt hash for the password passed.
         def encrypt(*tokens)
-          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+          ::BCrypt::Password.create(join_tokens(tokens), cost: cost)
         end
 
-        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the hash match the tokens? Uses the same tokens that were used to
+        # encrypt.
         def matches?(hash, *tokens)
           hash = new_from_hash(hash)
           return false if hash.blank?
           hash == join_tokens(tokens)
         end
 
-        # This method is used as a flag to tell Authlogic to "resave" the password upon a successful login, using the new cost
+        # This method is used as a flag to tell Authlogic to "resave" the
+        # password upon a successful login, using the new cost
         def cost_matches?(hash)
           hash = new_from_hash(hash)
           if hash.blank?
@@ -81,17 +97,16 @@ module Authlogic
         end
 
         private
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
 
-          def new_from_hash(hash)
-            begin
-              ::BCrypt::Password.new(hash)
-            rescue ::BCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
+
+        def new_from_hash(hash)
+          ::BCrypt::Password.new(hash)
+        rescue ::BCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/md5.rb

@@ -1,34 +1,36 @@
 require "digest/md5"
- 
+
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from md5 based systems. 
-    # I highly discourage using this crypto provider as it superbly inferior 
+    # This class was made for the users transitioning from md5 based systems.
+    # I highly discourage using this crypto provider as it superbly inferior
     # to your other options.
     #
-    # Please use any other provider offered by Authlogic.
+    # Please use any other provider offered by Authlogic (except AES256, that
+    # would be even worse).
     class MD5
       class << self
         attr_accessor :join_token
-        
+
         # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 1
         end
         attr_writer :stretches
-        
+
         # Turns your raw password into a MD5 hash.
         def encrypt(*tokens)
           digest = tokens.flatten.join(join_token)
           stretches.times { digest = Digest::MD5.hexdigest(digest) }
           digest
         end
-        
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end
       end
     end
   end
-end
+end

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -19,7 +19,13 @@ module Authlogic
     #   end
     class SCrypt
       class << self
-        DEFAULTS = {:key_len => 32, :salt_size => 8, :max_time => 0.2, :max_mem => 1024 * 1024, :max_memfrac => 0.5}
+        DEFAULTS = {
+          key_len: 32,
+          salt_size: 8,
+          max_time: 0.2,
+          max_mem: 1024 * 1024,
+          max_memfrac: 0.5
+        }.freeze
 
         attr_writer :key_len, :salt_size, :max_time, :max_mem, :max_memfrac
         # Key length - length in bytes of generated key, from 16 to 512.
@@ -42,14 +48,22 @@ module Authlogic
           @max_mem ||= DEFAULTS[:max_mem]
         end
 
-        # Max memory fraction - maximum memory out of all available. Always greater than zero and <= 0.5.
+        # Max memory fraction - maximum memory out of all available. Always
+        # greater than zero and <= 0.5.
         def max_memfrac
           @max_memfrac ||= DEFAULTS[:max_memfrac]
         end
 
         # Creates an SCrypt hash for the password passed.
         def encrypt(*tokens)
-          ::SCrypt::Password.create(join_tokens(tokens), :key_len => key_len, :salt_size => salt_size, :max_mem => max_mem, :max_memfrac => max_memfrac, :max_time => max_time)
+          ::SCrypt::Password.create(
+            join_tokens(tokens),
+            key_len: key_len,
+            salt_size: salt_size,
+            max_mem: max_mem,
+            max_memfrac: max_memfrac,
+            max_time: max_time
+          )
         end
 
         # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
@@ -60,17 +74,16 @@ module Authlogic
         end
 
         private
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
 
-          def new_from_hash(hash)
-            begin
-              ::SCrypt::Password.new(hash)
-            rescue ::SCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
+
+        def new_from_hash(hash)
+          ::SCrypt::Password.new(hash)
+        rescue ::SCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -2,30 +2,36 @@ require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
-    # crypto provider as it is far inferior to your other options. Please use any other provider offered by Authlogic.
+    # This class was made for the users transitioning from
+    # restful_authentication. Use of this crypto provider is highly discouraged.
+    # It is far inferior to your other options. Please use any other provider
+    # offered by Authlogic.
     class Sha1
       class << self
         def join_token
           @join_token ||= "--"
         end
         attr_writer :join_token
-        
-        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+
+        # The number of times to loop through the encryption. This is ten
+        # because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 10
         end
         attr_writer :stretches
-        
+
         # Turns your raw password into a Sha1 hash.
         def encrypt(*tokens)
           tokens = tokens.flatten
           digest = tokens.shift
-          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token)) }
+          stretches.times do
+            digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token))
+          end
           digest
         end
-        
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end