authlogic 3.4.6 → 4.2.0

data/lib/authlogic/crypto_providers/sha256.rb

@@ -1,22 +1,25 @@
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
-  # Just create a class with a class level encrypt and matches? method. See example below.
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
   #
   # === Example
   #
   #   class MyAwesomeEncryptionMethod
   #     def self.encrypt(*tokens)
-  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
-  #       # just do what you need to do with them and return a single encrypted string.
-  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
   #     end
   #
   #     def self.matches?(crypted, *tokens)
-  #       # return true if the crypted string matches the tokens.
-  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
-  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
   #     end
   #   end
   module CryptoProviders
@@ -26,21 +29,22 @@ module Authlogic
     class Sha256
       class << self
         attr_accessor :join_token
-        
+
         # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 20
         end
         attr_writer :stretches
-        
+
         # Turns your raw password into a Sha256 hash.
         def encrypt(*tokens)
           digest = tokens.flatten.join(join_token)
           stretches.times { digest = Digest::SHA256.hexdigest(digest) }
           digest
         end
-        
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,24 +1,6 @@
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
-  # Just create a class with a class level encrypt and matches? method. See example below.
-  #
-  # === Example
-  #
-  #   class MyAwesomeEncryptionMethod
-  #     def self.encrypt(*tokens)
-  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
-  #       # just do what you need to do with them and return a single encrypted string.
-  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
-  #     end
-  #
-  #     def self.matches?(crypted, *tokens)
-  #       # return true if the crypted string matches the tokens.
-  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
-  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
-  #     end
-  #   end
   module CryptoProviders
     # = Sha512
     #
@@ -26,25 +8,27 @@ module Authlogic
     class Sha512
       class << self
         attr_accessor :join_token
-        
-        # The number of times to loop through the encryption. This is twenty because that is what restful_authentication defaults to.
+
+        # The number of times to loop through the encryption. This is twenty
+        # because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 20
         end
         attr_writer :stretches
-        
+
         # Turns your raw password into a Sha512 hash.
         def encrypt(*tokens)
           digest = tokens.flatten.join(join_token)
           stretches.times { digest = Digest::SHA512.hexdigest(digest) }
           digest
         end
-        
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end
       end
     end
   end
-end
+end

data/lib/authlogic/crypto_providers/wordpress.rb

@@ -1,39 +1,68 @@
-require 'digest/md5'
+require "digest/md5"
+
+::ActiveSupport::Deprecation.warn(
+  <<-EOS,
+    authlogic/crypto_providers/wordpress.rb is deprecated without replacement.
+    Yes, the entire file. Don't `require` it. Let us know ASAP if you are still
+    using it.
+
+    Reasons for deprecation: This file is not autoloaded by
+    `authlogic/crypto_providers.rb`. It's not documented. There are no tests.
+    So, it's likely used by a *very* small number of people, if any. It's never
+    had any contributions except by its original author, Jeffry Degrande, in
+    2009. It is unclear why it should live in the main authlogic codebase. It
+    could be in a separate gem, authlogic-wordpress, or it could just live in
+    Jeffry's codebase, if he still even needs it, in 2018, nine years later.
+  EOS
+  caller(1)
+)
+
 module Authlogic
   module CryptoProviders
+    # Crypto provider to transition from wordpress user accounts. Written by
+    # Jeffry Degrande in 2009. First released in 2.1.3.
+    #
+    # Problems:
+    #
+    # - There are no tests.
+    # - We can't even figure out how to run this without it crashing.
+    # - Presumably it implements some spec, but it doesn't mention which.
+    # - It is not documented anywhere.
+    # - There is no PR associated with this, and no discussion about it could be found.
+    #
     class Wordpress
       class << self
-        ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
+        ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".freeze
 
         def matches?(crypted, *tokens)
-          stretches = 1 << ITOA64.index(crypted[3,1])
-          plain, salt = *tokens 
-          hashed = Digest::MD5.digest(salt+plain)
-          stretches.times do |i|
-            hashed = Digest::MD5.digest(hashed+plain)
+          stretches = 1 << ITOA64.index(crypted[3, 1])
+          plain, salt = *tokens
+          hashed = Digest::MD5.digest(salt + plain)
+          stretches.times do
+            hashed = Digest::MD5.digest(hashed + plain)
           end
-          crypted[0,12]+encode_64(hashed, 16) == crypted
+          crypted[0, 12] + encode_64(hashed, 16) == crypted
         end
 
         def encode_64(input, length)
-          output = "" 
+          output = ""
           i = 0
           while i < length
-            value = input[i] 
-            i+=1
+            value = input[i]
+            i += 1
             break if value.nil?
             output += ITOA64[value & 0x3f, 1]
             value |= input[i] << 8 if i < length
             output += ITOA64[(value >> 6) & 0x3f, 1]
 
-            i+=1
+            i += 1
             break if i >= length
             value |= input[i] << 16 if i < length
-            output += ITOA64[(value >> 12) & 0x3f,1]
+            output += ITOA64[(value >> 12) & 0x3f, 1]
 
-            i+=1
+            i += 1
             break if i >= length
-            output += ITOA64[(value >> 18) & 0x3f,1]
+            output += ITOA64[(value >> 18) & 0x3f, 1]
           end
           output
         end

data/lib/authlogic/i18n.rb

@@ -1,38 +1,48 @@
 require "authlogic/i18n/translator"
 
 module Authlogic
-  # This class allows any message in Authlogic to use internationalization. In earlier versions of Authlogic each message was translated via configuration.
-  # This cluttered up the configuration and cluttered up Authlogic. So all translation has been extracted out into this class. Now all messages pass through
-  # this class, making it much easier to implement in I18n library / plugin you want. Use this as a layer that sits between Authlogic and whatever I18n
-  # library you want to use.
+  # This class allows any message in Authlogic to use internationalization. In
+  # earlier versions of Authlogic each message was translated via configuration.
+  # This cluttered up the configuration and cluttered up Authlogic. So all
+  # translation has been extracted out into this class. Now all messages pass
+  # through this class, making it much easier to implement in I18n library /
+  # plugin you want. Use this as a layer that sits between Authlogic and
+  # whatever I18n library you want to use.
   #
-  # By default this uses the rails I18n library, if it exists. If it doesnt exist it just returns the default english message. The Authlogic I18n class
-  # works EXACTLY like the rails I18n class. This is because the arguments are delegated to this class.
+  # By default this uses the rails I18n library, if it exists. If it doesn't
+  # exist it just returns the default English message. The Authlogic I18n class
+  # works EXACTLY like the rails I18n class. This is because the arguments are
+  # delegated to this class.
   #
   # Here is how all messages are translated internally with Authlogic:
   #
   #   Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
   #
-  # If you use a different I18n library just replace the build-in I18n::Translator class with your own. For example:
+  # If you use a different I18n library just replace the build-in
+  # I18n::Translator class with your own. For example:
   #
   #   class MyAuthlogicI18nTranslator
   #     def translate(key, options = {})
-  #       # you will have key which will be something like: "error_messages.password_invalid"
-  #       # you will also have options[:default], which will be the default english version of the message
+  #       # you will have key which will be something like:
+  #       # "error_messages.password_invalid"
+  #       # you will also have options[:default], which will be the default
+  #       # English version of the message
   #       # do whatever you want here with the arguments passed to you.
   #     end
   #   end
-  #   
+  #
   #   Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
   #
-  # That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
+  # That it's! Here is a complete list of the keys that are passed. Just define
+  # these however you wish:
   #
   #   authlogic:
   #     error_messages:
   #       login_blank: can not be blank
   #       login_not_found: is not valid
-  #       login_invalid: should use only letters, numbers, spaces, and .-_@ please.
-  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
+  #       login_invalid: should use only letters, numbers, spaces, and .-_@+ please.
+  #       consecutive_failed_logins_limit_exceeded: >
+  #         Consecutive failed logins limit exceeded, account is disabled.
   #       email_invalid: should look like an email address.
   #       email_invalid_international: should look like an international email address.
   #       password_blank: can not be blank
@@ -42,6 +52,7 @@ module Authlogic
   #       not_approved: Your account is not approved
   #       no_authentication_details: You did not provide any details for authentication.
   #       general_credentials_error: Login/Password combination is not valid
+  #       session_invalid: Your session is invalid and has the following errors:
   #     models:
   #       user_session: UserSession (or whatever name you are using)
   #     attributes:
@@ -53,31 +64,33 @@ module Authlogic
   module I18n
     @@scope = :authlogic
     @@translator = nil
-    
+
     class << self
       # Returns the current scope. Defaults to :authlogic
       def scope
         @@scope
       end
-   
+
       # Sets the current scope. Used to set a custom scope.
       def scope=(scope)
         @@scope = scope
       end
-      
+
       # Returns the current translator. Defaults to +Translator+.
       def translator
         @@translator ||= Translator.new
       end
-      
+
       # Sets the current translator. Used to set a custom translator.
       def translator=(translator)
         @@translator = translator
       end
-    
-      # All message translation is passed to this method. The first argument is the key for the message. The second is options, see the rails I18n library for a list of options used.
+
+      # All message translation is passed to this method. The first argument is
+      # the key for the message. The second is options, see the rails I18n
+      # library for a list of options used.
       def translate(key, options = {})
-        translator.translate key, { :scope => I18n.scope }.merge(options)
+        translator.translate key, { scope: I18n.scope }.merge(options)
       end
       alias :t :translate
     end

data/lib/authlogic/i18n/translator.rb

@@ -1,7 +1,7 @@
 module Authlogic
   module I18n
     class Translator
-      # If the I18n gem is present, calls +I18n.translate+ passing all 
+      # If the I18n gem is present, calls +I18n.translate+ passing all
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)

data/lib/authlogic/random.rb

@@ -1,33 +1,16 @@
+require "securerandom"
+
 module Authlogic
-  # Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
-  # So if you are using this in a rails app you should have this library.
+  # Generates random strings using ruby's SecureRandom library.
   module Random
-    extend self
-    
-    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
-    
-    if SecureRandom
-      def hex_token
-        SecureRandom.hex(64)
-      end
-      
-      def friendly_token
-        # use base64url as defined by RFC4648
-        SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
-      end
-    else
-      def hex_token
-        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
-      end
-      
-      FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
-      
-      def friendly_token
-        newpass = ""
-        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
-        newpass
-      end
+    def self.hex_token
+      SecureRandom.hex(64)
+    end
+
+    # Returns a string in base64url format as defined by RFC-3548 and RFC-4648.
+    # We call this a "friendly" token because it is short and safe for URLs.
+    def self.friendly_token
+      SecureRandom.urlsafe_base64(15)
     end
-    
   end
-end
+end

data/lib/authlogic/regex.rb

@@ -1,47 +1,79 @@
-#encoding: utf-8
 module Authlogic
-  # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
-  # them out into their own module is to make them easily available to you for other uses. Ex:
+  # This is a module the contains regular expressions used throughout Authlogic.
+  # The point of extracting them out into their own module is to make them
+  # easily available to you for other uses. Ex:
   #
   #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
   module Regex
-    # A general email regular expression. It allows top level domains (TLD) to be from 2 - 13 in length.
-    # The decisions behind this regular expression were made by analyzing the list of top-level domains
-    # maintained by IANA and by reading this website: http://www.regular-expressions.info/email.html,
-    # which is an excellent resource for regular expressions.
-    def self.email
-      @email_regex ||= begin
-        email_name_regex  = '[A-Z0-9_\.&%\+\-\']+'
-        domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-        domain_tld_regex  = '(?:[A-Z]{2,13})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-      end
-    end
+    # A general email regular expression. It allows top level domains (TLD) to
+    # be from 2 - 24 in length. The decisions behind this regular expression
+    # were made by analyzing the list of top-level domains maintained by IANA
+    # and by reading this website:
+    # http://www.regular-expressions.info/email.html, which is an excellent
+    # resource for regular expressions.
+    EMAIL = /
+      \A
+      [A-Z0-9_.&%+\-']+   # mailbox
+      @
+      (?:[A-Z0-9\-]+\.)+  # subdomains
+      (?:[A-Z]{2,25})     # TLD
+      \z
+    /ix
 
-    # A draft regular expression for internationalized email addresses.
-    # Given that the standard may be in flux, this simply emulates @email_regex but rather than
-    # allowing specific characters for each part, it instead disallows the complement set of characters:
+    # A draft regular expression for internationalized email addresses. Given
+    # that the standard may be in flux, this simply emulates @email_regex but
+    # rather than allowing specific characters for each part, it instead
+    # disallows the complement set of characters:
+    #
     # - email_name_regex disallows: @[]^ !"#$()*,/:;<=>?`{|}~\ and control characters
     # - domain_head_regex disallows: _%+ and all characters in email_name_regex
     # - domain_tld_regex disallows: 0123456789- and all characters in domain_head_regex
+    #
     # http://en.wikipedia.org/wiki/Email_address#Internationalization
     # http://tools.ietf.org/html/rfc6530
     # http://www.unicode.org/faq/idn.html
     # http://ruby-doc.org/core-2.1.5/Regexp.html#class-Regexp-label-Character+Classes
     # http://en.wikipedia.org/wiki/Unicode_character_property#General_Category
+    EMAIL_NONASCII = /
+      \A
+      [^[:cntrl:][@\[\]\^ \!"\#$\(\)*,\/:;<=>?`{|}~\\]]+                        # mailbox
+      @
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+']]+\.)+         # subdomains
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+\-'0-9]]{2,25})  # TLD
+      \z
+    /x
+
+    # A simple regular expression that only allows for letters, numbers, spaces, and
+    # .-_@+. Just a standard login / username regular expression.
+    LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
+
+    # Accessing the above constants using the following methods is deprecated.
+
+    # @deprecated
+    def self.email
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email is deprecated, use Authlogic::Regex::EMAIL",
+        caller(1)
+      )
+      EMAIL
+    end
+
+    # @deprecated
     def self.email_nonascii
-      @email_nonascii_regex ||= begin
-        email_name_regex  = '[^[:cntrl:][@\[\]\^ \!\"#$\(\)*,/:;<=>\?`{|}~\\\]]+'
-        domain_head_regex = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\']]+\.)+'
-        domain_tld_regex  = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\-\'0-9]]{2,13})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/
-      end
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email_nonascii is deprecated, use Authlogic::Regex::EMAIL_NONASCII",
+        caller(1)
+      )
+      EMAIL_NONASCII
     end
 
-    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
-    # regular expression.
+    # @deprecated
     def self.login
-      /\A\w[\w\.+\-_@ ]+\z/
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.login is deprecated, use Authlogic::Regex::LOGIN",
+        caller(1)
+      )
+      LOGIN
     end
   end
 end