authlogic 3.4.6 → 4.2.0

data/lib/authlogic/session/activation.rb

@@ -1,59 +1,72 @@
-require 'request_store'
+require "request_store"
 
 module Authlogic
   module Session
-    # Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
-    # This is sort of like a database connection for an ORM library, Authlogic can't do anything until it is "connected" to a controller.
-    # If you are using a supported framework, Authlogic takes care of this for you.
+    # Activating Authlogic requires that you pass it an
+    # Authlogic::ControllerAdapters::AbstractAdapter object, or a class that
+    # extends it. This is sort of like a database connection for an ORM library,
+    # Authlogic can't do anything until it is "connected" to a controller. If
+    # you are using a supported framework, Authlogic takes care of this for you.
     module Activation
       class NotActivatedError < ::StandardError # :nodoc:
-        def initialize(session)
-          super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
+        def initialize
+          super(
+            "You must activate the Authlogic::Session::Base.controller with " \
+              "a controller object before creating objects"
+          )
         end
       end
-      
+
       def self.included(klass)
         klass.class_eval do
           extend ClassMethods
           include InstanceMethods
         end
       end
-      
+
       module ClassMethods
-        # Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
-        # Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
-        # environment this is done for you, but if you are using Authlogic outside of your framework, you need to assign a controller
-        # object to Authlogic via Authlogic::Session::Base.controller = obj. See the controller= method for more information.
+        # Returns true if a controller has been set and can be used properly.
+        # This MUST be set before anything can be done. Similar to how
+        # ActiveRecord won't allow you to do anything without establishing a DB
+        # connection. In your framework environment this is done for you, but if
+        # you are using Authlogic outside of your framework, you need to assign
+        # a controller object to Authlogic via
+        # Authlogic::Session::Base.controller = obj. See the controller= method
+        # for more information.
         def activated?
           !controller.nil?
         end
-        
-        # This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
-        # between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
-        # extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
+
+        # This accepts a controller object wrapped with the Authlogic controller
+        # adapter. The controller adapters close the gap between the different
+        # controllers in each framework. That being said, Authlogic is expecting
+        # your object's class to extend
+        # Authlogic::ControllerAdapters::AbstractAdapter. See
+        # Authlogic::ControllerAdapters for more info.
         #
         # Lastly, this is thread safe.
         def controller=(value)
           RequestStore.store[:authlogic_controller] = value
         end
-        
+
         # The current controller object
         def controller
           RequestStore.store[:authlogic_controller]
         end
       end
-      
+
       module InstanceMethods
         # Making sure we are activated before we start creating objects
         def initialize(*args)
-          raise NotActivatedError.new(self) unless self.class.activated?
+          raise NotActivatedError unless self.class.activated?
           super
         end
-        
+
         private
-          def controller
-            self.class.controller
-          end
+
+        def controller
+          self.class.controller
+        end
       end
     end
   end

data/lib/authlogic/session/active_record_trickery.rb

@@ -1,16 +1,18 @@
 module Authlogic
   module Session
-    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
-    # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
-    # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
-    # advantage of the many ActiveRecord tools.
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not
+    # ActiveRecord. That's the goal here. This is useful for the various rails
+    # helper methods such as form_for, error_messages_for, or any method that
+    # expects an ActiveRecord object. The point is to disguise the object as an
+    # ActiveRecord object so we can take advantage of the many ActiveRecord
+    # tools.
     module ActiveRecordTrickery
       def self.included(klass)
         klass.extend ActiveModel::Naming
         klass.extend ActiveModel::Translation
 
         # Support ActiveModel::Name#name for Rails versions before 4.0.
-        if !klass.model_name.respond_to?(:name)
+        unless klass.model_name.respond_to?(:name)
           ActiveModel::Name.module_eval do
             alias_method :name, :to_s
           end
@@ -21,21 +23,22 @@ module Authlogic
       end
 
       module ClassMethods
-        # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
+        # How to name the class, works JUST LIKE ActiveRecord, except it uses
+        # the following namespace:
         #
         #   authlogic.models.user_session
-        def human_name(*args)
-          I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
+        def human_name(*)
+          I18n.t("models.#{name.underscore}", count: 1, default: name.humanize)
         end
 
         def i18n_scope
           I18n.scope
         end
-
       end
 
       module InstanceMethods
-        # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
+        # Don't use this yourself, this is to just trick some of the helpers
+        # since this is the method it calls.
         def new_record?
           new_session?
         end

data/lib/authlogic/session/base.rb

@@ -1,25 +1,37 @@
 module Authlogic
   module Session # :nodoc:
-    # This is the base class Authlogic, where all modules are included. For information on functiionality see the various
-    # sub modules.
+    # This is the most important class in Authlogic. You will inherit this class
+    # for your own eg. `UserSession`.
+    #
+    # Code is organized topically. Each topic is represented by a module. So, to
+    # learn about password-based authentication, read the `Password` module.
+    #
+    # It is common for methods (.initialize and #credentials=, for example) to
+    # be implemented in multiple mixins. Those methods will call `super`, so the
+    # order of `include`s here is important.
+    #
+    # Also, to fully understand such a method (like #credentials=) you will need
+    # to mentally combine all of its definitions. This is perhaps the primary
+    # disadvantage of topical organization using modules.
     class Base
       include Foundation
       include Callbacks
-      
+
       # Included first so that the session resets itself to nil
       include Timeout
-      
+
       # Included in a specific order so they are tried in this order when persisting
       include Params
       include Cookies
       include Session
       include HttpAuth
-      
-      # Included in a specific order so magic states gets ran after a record is found
+
+      # Included in a specific order so magic states gets run after a record is found
+      # TODO: What does "magic states gets run" mean? Be specific.
       include Password
       include UnauthorizedRecord
       include MagicStates
-      
+
       include Activation
       include ActiveRecordTrickery
       include BruteForceProtection
@@ -34,4 +46,4 @@ module Authlogic
       include PriorityRecord
     end
   end
-end
+end

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,15 +1,21 @@
 module Authlogic
   module Session
-    # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
-    # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
-    # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
-    # and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
-    # and it would take MUCH longer.
+    # A brute force attacks is executed by hammering a login with as many password
+    # combinations as possible, until one works. A brute force attacked is generally
+    # combated with a slow hashing algorithm such as BCrypt. You can increase the cost,
+    # which makes the hash generation slower, and ultimately increases the time it takes
+    # to execute a brute force attack. Just to put this into perspective, if a hacker was
+    # to gain access to your server and execute a brute force attack locally, meaning
+    # there is no network lag, it would probably take decades to complete. Now throw in
+    # network lag and it would take MUCH longer.
     #
-    # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
-    # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
-    # after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
-    # If you wish to lower this number just set the configuration to a lower number:
+    # But for those that are extra paranoid and can't get enough protection, why not stop
+    # them as soon as you realize something isn't right? That's what this module is all
+    # about. By default the consecutive_failed_logins_limit configuration option is set to
+    # 50, if someone consecutively fails to login after 50 attempts their account will be
+    # suspended. This is a very liberal number and at this point it should be obvious that
+    # something is not right. If you wish to lower this number just set the configuration
+    # to a lower number:
     #
     #   class UserSession < Authlogic::Session::Base
     #     consecutive_failed_logins_limit 10
@@ -19,20 +25,26 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :reset_failed_login_count, :if => :reset_failed_login_count?
-          validate :validate_failed_logins, :if => :being_brute_force_protected?
+          validate :reset_failed_login_count, if: :reset_failed_login_count?
+          validate :validate_failed_logins, if: :being_brute_force_protected?
         end
       end
-      
+
       # Configuration for the brute force protection feature.
       module Config
-        # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
-        # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
+        # To help protect from brute force attacks you can set a limit on the
+        # allowed number of consecutive failed logins. By default this is 50,
+        # this is a very liberal number, and if someone fails to login after 50
+        # tries it should be pretty obvious that it's a machine trying to login
+        # in and very likely a brute force attack.
         #
-        # In order to enable this field your model MUST have a failed_login_count (integer) field.
+        # In order to enable this field your model MUST have a
+        # failed_login_count (integer) field.
         #
-        # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
-        # in possibly millions of attempts to log into an account.
+        # If you don't know what a brute force attack is, it's when a machine
+        # tries to login into a system using every combination of character
+        # possible. Thus resulting in possibly millions of attempts to log into
+        # an account.
         #
         # * <tt>Default:</tt> 50
         # * <tt>Accepts:</tt> Integer, set to 0 to disable
@@ -40,8 +52,9 @@ module Authlogic
           rw_config(:consecutive_failed_logins_limit, value, 50)
         end
         alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
-        
-        # Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
+
+        # Once the failed logins limit has been exceed, how long do you want to
+        # ban the user? This can be a temporary or permanent ban.
         #
         # * <tt>Default:</tt> 2.hours
         # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
@@ -50,47 +63,65 @@ module Authlogic
         end
         alias_method :failed_login_ban_for=, :failed_login_ban_for
       end
-      
-      # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
+
+      # The methods available for an Authlogic::Session::Base object that make
+      # up the brute force protection feature.
       module InstanceMethods
-        # Returns true when the consecutive_failed_logins_limit has been exceeded and is being temporarily banned.
-        # Notice the word temporary, the user will not be permanently banned unless you choose to do so with configuration.
-        # By default they will be banned for 2 hours. During that 2 hour period this method will return true.
+        # Returns true when the consecutive_failed_logins_limit has been
+        # exceeded and is being temporarily banned. Notice the word temporary,
+        # the user will not be permanently banned unless you choose to do so
+        # with configuration. By default they will be banned for 2 hours. During
+        # that 2 hour period this method will return true.
         def being_brute_force_protected?
-          exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
-            (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+          exceeded_failed_logins_limit? &&
+            (
+              failed_login_ban_for <= 0 ||
+              attempted_record.respond_to?(:updated_at) &&
+              attempted_record.updated_at >= failed_login_ban_for.seconds.ago
+            )
         end
-        
+
         private
-          def exceeded_failed_logins_limit?
-            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
-              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
-          end
-          
-          def reset_failed_login_count?
-            exceeded_failed_logins_limit? && !being_brute_force_protected?
-          end
-          
-          def reset_failed_login_count
-            attempted_record.failed_login_count = 0
-          end
-        
-          def validate_failed_logins
-            errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
-            errors.add(:base, I18n.t(
-              'error_messages.consecutive_failed_logins_limit_exceeded', 
-              :default => "Consecutive failed logins limit exceeded, account has been" + (failed_login_ban_for == 0 ? "" : " temporarily") + " disabled."
-            ))
-          end
-          
-          def consecutive_failed_logins_limit
-            self.class.consecutive_failed_logins_limit
-          end
-          
-          def failed_login_ban_for
-            self.class.failed_login_ban_for
-          end
+
+        def exceeded_failed_logins_limit?
+          !attempted_record.nil? &&
+            attempted_record.respond_to?(:failed_login_count) &&
+            consecutive_failed_logins_limit > 0 &&
+            attempted_record.failed_login_count &&
+            attempted_record.failed_login_count >= consecutive_failed_logins_limit
+        end
+
+        def reset_failed_login_count?
+          exceeded_failed_logins_limit? && !being_brute_force_protected?
+        end
+
+        def reset_failed_login_count
+          attempted_record.failed_login_count = 0
+        end
+
+        def validate_failed_logins
+          # Clear all other error messages, as they are irrelevant at this point and can
+          # only provide additional information that is not needed
+          errors.clear
+          errors.add(
+            :base,
+            I18n.t(
+              "error_messages.consecutive_failed_logins_limit_exceeded",
+              default: "Consecutive failed logins limit exceeded, account has been" +
+                (failed_login_ban_for.zero? ? "" : " temporarily") +
+                " disabled."
+            )
+          )
+        end
+
+        def consecutive_failed_logins_limit
+          self.class.consecutive_failed_logins_limit
+        end
+
+        def failed_login_ban_for
+          self.class.failed_login_ban_for
+        end
       end
     end
   end
-end
+end

data/lib/authlogic/session/callbacks.rb

@@ -1,21 +1,24 @@
 module Authlogic
   module Session
-    # Between these callsbacks and the configuration, this is the contract between me and you to safely
-    # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
+    # Between these callbacks and the configuration, this is the contract between me and
+    # you to safely modify Authlogic's behavior. I will do everything I can to make sure
+    # these do not change.
     #
-    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
-    # importantly they use the same API that you would use to extend Authlogic. That being said, they are great
-    # examples of how to extend Authlogic and add / modify behavior to Authlogic. These modules could easily be pulled out
-    # into their own plugin and become an "add on" without any change.
+    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and
+    # to the point. More importantly they use the same API that you would use to extend
+    # Authlogic. That being said, they are great examples of how to extend Authlogic and
+    # add / modify behavior to Authlogic. These modules could easily be pulled out into
+    # their own plugin and become an "add on" without any change.
     #
-    # Now to the point of this module. Just like in ActiveRecord you have before_save, before_validation, etc.
-    # You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
+    # Now to the point of this module. Just like in ActiveRecord you have before_save,
+    # before_validation, etc. You have similar callbacks with Authlogic, see the METHODS
+    # constant below. The order of execution is as follows:
     #
     #   before_persisting
     #   persist
     #   after_persisting
     #   [save record if record.changed?]
-    #   
+    #
     #   before_validation
     #   before_validation_on_create
     #   before_validation_on_update
@@ -24,7 +27,7 @@ module Authlogic
     #   after_validation_on_create
     #   after_validation
     #   [save record if record.changed?]
-    #   
+    #
     #   before_save
     #   before_create
     #   before_update
@@ -32,15 +35,16 @@ module Authlogic
     #   after_create
     #   after_save
     #   [save record if record.changed?]
-    #   
+    #
     #   before_destroy
     #   [save record if record.changed?]
     #   destroy
     #   after_destroy
     #
-    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make
-    # changes to the associated record, there is no need to save the record, Authlogic will do it for you.
-    # This allows multiple modules to modify the record and execute as few queries as possible.
+    # Notice the "save record if changed?" lines above. This helps with performance. If
+    # you need to make changes to the associated record, there is no need to save the
+    # record, Authlogic will do it for you. This allows multiple modules to modify the
+    # record and execute as few queries as possible.
     #
     # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
     #
@@ -50,52 +54,98 @@ module Authlogic
     #     # ..etc
     #   end
     #
-    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic
-    # to extend properly with multiple extensions. Please ONLY use the method above.
+    # You can NOT define a "before_validation" method, this is bad practice and does not
+    # allow Authlogic to extend properly with multiple extensions. Please ONLY use the
+    # method above.
     module Callbacks
-      METHODS = [
-        "before_persisting", "persist", "after_persisting",
-        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate",
-        "after_validation_on_update", "after_validation_on_create", "after_validation",
-        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
-        "before_destroy", "after_destroy"
-      ]
-      
-      def self.included(base) #:nodoc:
-        base.send :include, ActiveSupport::Callbacks
-        if ActiveSupport::VERSION::STRING >= '4.1'
-          base.define_callbacks *METHODS + [{:terminator => ->(target, result){ result == false } }]
-          base.define_callbacks *['persist', {:terminator => ->(target, result){ result == true } }]
-        else
-          base.define_callbacks *METHODS + [{:terminator => 'result == false'}]
-          base.define_callbacks *['persist', {:terminator => 'result == true'}]
+      METHODS = %w[
+        before_persisting
+        persist
+        after_persisting
+        before_validation
+        before_validation_on_create
+        before_validation_on_update
+        validate
+        after_validation_on_update
+        after_validation_on_create
+        after_validation
+        before_save
+        before_create
+        before_update
+        after_update
+        after_create
+        after_save
+        before_destroy
+        after_destroy
+      ].freeze
+
+      class << self
+        def included(base) #:nodoc:
+          base.send :include, ActiveSupport::Callbacks
+          define_session_callbacks(base)
+          define_session_callback_installation_methods(base)
         end
 
-        # If Rails 3, support the new callback syntax
-        if base.singleton_class.method_defined?(:set_callback)
+        private
+
+        # Defines the "callback installation methods". Other modules will use
+        # these class methods to install their callbacks. Examples:
+        #
+        # ```
+        # # session/timeout.rb, in `included`
+        # before_persisting :reset_stale_state
+        #
+        # # session/password.rb, in `included`
+        # validate :validate_by_password, if: :authenticating_with_password?
+        # ```
+        def define_session_callback_installation_methods(base)
           METHODS.each do |method|
-            base.class_eval <<-"end_eval", __FILE__, __LINE__
-              def self.#{method}(*methods, &block)
-                set_callback :#{method}, *methods, &block
+            base.class_eval <<-EOS, __FILE__, __LINE__ + 1
+              def self.#{method}(*filter_list, &block)
+                set_callback(:#{method}, *filter_list, &block)
               end
-            end_eval
+            EOS
+          end
+        end
+
+        # Defines session life cycle events that support callbacks.
+        def define_session_callbacks(base)
+          if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new("5")
+            base.define_callbacks(
+              *METHODS,
+              terminator: ->(_target, result_lambda) { result_lambda.call == false }
+            )
+            base.define_callbacks(
+              "persist",
+              terminator: ->(_target, result_lambda) { result_lambda.call == true }
+            )
+          else
+            base.define_callbacks(
+              *METHODS,
+              terminator: ->(_target, result) { result == false }
+            )
+            base.define_callbacks(
+              "persist",
+              terminator: ->(_target, result) { result == true }
+            )
           end
         end
       end
-      
-      private
-        METHODS.each do |method|
-          class_eval <<-"end_eval", __FILE__, __LINE__
+
+      METHODS.each do |method|
+        class_eval(
+          <<-EOS, __FILE__, __LINE__ + 1
             def #{method}
               run_callbacks(:#{method})
             end
-          end_eval
-        end
-        
-        def save_record(alternate_record = nil)
-          r = alternate_record || record
-          r.save_without_session_maintenance(:validate => false) if r && r.changed? && !r.readonly?
-        end
+          EOS
+        )
+      end
+
+      def save_record(alternate_record = nil)
+        r = alternate_record || record
+        r.save_without_session_maintenance(validate: false) if r && r.changed? && !r.readonly?
+      end
     end
   end
 end