authlogic 3.5.0 → 3.8.0

data/lib/authlogic/session/password.rb

@@ -16,16 +16,19 @@ module Authlogic
 
       # Password configuration
       module Config
-        # Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and
-        # making sure it exists. What method it uses the do this is up to you.
+        # Authlogic tries to validate the credentials passed to it. One part of
+        # validation is actually finding the user and making sure it exists.
+        # What method it uses the do this is up to you.
         #
-        # Let's say you have a UserSession that is authenticating a User. By default UserSession will call User.find_by_login(login).
-        # You can change what method UserSession calls by specifying it here. Then in your User model you can make that method do
-        # anything you want, giving you complete control of how users are found by the UserSession.
+        # Let's say you have a UserSession that is authenticating a User. By
+        # default UserSession will call User.find_by_login(login). You can
+        # change what method UserSession calls by specifying it here. Then in
+        # your User model you can make that method do anything you want, giving
+        # you complete control of how users are found by the UserSession.
         #
-        # Let's take an example: You want to allow users to login by username or email.
-        # Set this to the name of the class method that does this in the User model. Let's
-        # call it "find_by_username_or_email"
+        # Let's take an example: You want to allow users to login by username or
+        # email. Set this to the name of the class method that does this in the
+        # User model. Let's call it "find_by_username_or_email"
         #
         #   class User < ActiveRecord::Base
         #     def self.find_by_username_or_email(login)
@@ -33,10 +36,10 @@ module Authlogic
         #     end
         #   end
         #
-        # Now just specify the name of this method for this configuration option and you
-        # are all set. You can do anything you want here. Maybe you allow users to have
-        # multiple logins and you want to search a has_many relationship, etc. The sky is
-        # the limit.
+        # Now just specify the name of this method for this configuration option
+        # and you are all set. You can do anything you want here. Maybe you
+        # allow users to have multiple logins and you want to search a has_many
+        # relationship, etc. The sky is the limit.
         #
         # * <tt>Default:</tt> "find_by_smart_case_login_field"
         # * <tt>Accepts:</tt> Symbol or String
@@ -45,10 +48,11 @@ module Authlogic
         end
         alias_method :find_by_login_method=, :find_by_login_method
 
-        # The text used to identify credentials (username/password) combination when a bad
-        # login attempt occurs. When you show error messages for a bad login, it's
-        # considered good security practice to hide which field the user has entered
-        # incorrectly (the login field or the password field). For a full explanation, see
+        # The text used to identify credentials (username/password) combination
+        # when a bad login attempt occurs. When you show error messages for a
+        # bad login, it's considered good security practice to hide which field
+        # the user has entered incorrectly (the login field or the password
+        # field). For a full explanation, see
         # http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
         #
         # Example of use:
@@ -57,7 +61,8 @@ module Authlogic
         #     generalize_credentials_error_messages true
         #   end
         #
-        #   This would make the error message for bad logins and bad passwords look identical:
+        #   This would make the error message for bad logins and bad passwords
+        #   look identical:
         #
         #   Login/Password combination is not valid
         #
@@ -69,12 +74,14 @@ module Authlogic
         #
         #   This will instead show your custom error message when the UserSession is invalid.
         #
-        # The downside to enabling this is that is can be too vague for a user that has a hard time remembering
-        # their username and password combinations. It also disables the ability to to highlight the field
+        # The downside to enabling this is that is can be too vague for a user
+        # that has a hard time remembering their username and password
+        # combinations. It also disables the ability to to highlight the field
         # with the error when you use form_for.
         #
-        # If you are developing an app where security is an extreme priority (such as a financial application),
-        # then you should enable this. Otherwise, leaving this off is fine.
+        # If you are developing an app where security is an extreme priority
+        # (such as a financial application), then you should enable this.
+        # Otherwise, leaving this off is fine.
         #
         # * <tt>Default</tt> false
         # * <tt>Accepts:</tt> Boolean
@@ -83,12 +90,13 @@ module Authlogic
         end
         alias_method :generalize_credentials_error_messages=, :generalize_credentials_error_messages
 
-        # The name of the method you want Authlogic to create for storing the login /
-        # username. Keep in mind this is just for your Authlogic::Session, if you want it
-        # can be something completely different than the field in your model. So if you
-        # wanted people to login with a field called "login" and then find users by email
-        # this is completely doable. See the find_by_login_method configuration option for
-        # more details.
+        # The name of the method you want Authlogic to create for storing the
+        # login / username. Keep in mind this is just for your
+        # Authlogic::Session, if you want it can be something completely
+        # different than the field in your model. So if you wanted people to
+        # login with a field called "login" and then find users by email this is
+        # completely doable. See the find_by_login_method configuration option
+        # for more details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -97,7 +105,8 @@ module Authlogic
         end
         alias_method :login_field=, :login_field
 
-        # Works exactly like login_field, but for the password instead. Returns :password if a login_field exists.
+        # Works exactly like login_field, but for the password instead. Returns
+        # :password if a login_field exists.
         #
         # * <tt>Default:</tt> :password
         # * <tt>Accepts:</tt> Symbol or String
@@ -106,8 +115,9 @@ module Authlogic
         end
         alias_method :password_field=, :password_field
 
-        # The name of the method in your model used to verify the password. This should be an instance method. It should also
-        # be prepared to accept a raw password and a crytped password.
+        # The name of the method in your model used to verify the password. This
+        # should be an instance method. It should also be prepared to accept a
+        # raw password and a crytped password.
         #
         # * <tt>Default:</tt> "valid_password?"
         # * <tt>Accepts:</tt> Symbol or String
@@ -117,8 +127,40 @@ module Authlogic
         alias_method :verify_password_method=, :verify_password_method
       end
 
-      # Password related instance methods
+      # Password-related instance methods
       module InstanceMethods
+        E_AC_PARAMETERS = <<-STR.strip_heredoc.freeze
+          You have passed an ActionController::Parameters to Authlogic 3. That's
+          OK for now, but in Authlogic 4, it will raise an error. Please
+          replace:
+
+              UserSession.new(user_session_params)
+              UserSession.create(user_session_params)
+
+          with
+
+              UserSession.new(user_session_params.to_h)
+              UserSession.create(user_session_params.to_h)
+
+          And don't forget to `permit`!
+
+          During the transition of rails to Strong Parameters, it has been
+          common for Authlogic users to forget to `permit` their params. They
+          would pass their params into Authlogic, we'd call `to_h`, and they'd
+          be surprised when authentication failed.
+
+          In 2018, people are still making this mistake. We'd like to help them
+          and make authlogic a little simpler at the same time, so in Authlogic
+          3.7.0, we deprecated the use of ActionController::Parameters.
+
+          We discussed this issue thoroughly between late 2016 and early
+          2018. Notable discussions include:
+
+          - https://github.com/binarylogic/authlogic/issues/512
+          - https://github.com/binarylogic/authlogic/pull/558
+          - https://github.com/binarylogic/authlogic/pull/577
+        STR
+
         def initialize(*args)
           if !self.class.configured_password_methods
             configure_password_methods
@@ -127,7 +169,8 @@ module Authlogic
           super
         end
 
-        # Returns the login_field / password_field credentials combination in hash form.
+        # Returns the login_field / password_field credentials combination in
+        # hash form.
         def credentials
           if authenticating_with_password?
             details = {}
@@ -139,7 +182,8 @@ module Authlogic
           end
         end
 
-        # Accepts the login_field / password_field credentials combination in hash form.
+        # Accepts the login_field / password_field credentials combination in
+        # hash form.
         def credentials=(value)
           super
           values = parse_param_val(value) # add strong parameters check
@@ -168,10 +212,12 @@ module Authlogic
               self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
               self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
 
+              # The password should not be accessible publicly. This way forms
+              # using form_for don't fill the password with the attempted
+              # password. To prevent this we just create this method that is
+              # private.
               self.class.class_eval <<-"end_eval", __FILE__, __LINE__
                 private
-                  # The password should not be accessible publicly. This way forms using form_for don't fill the password with the
-                  # attempted password. To prevent this we just create this method that is private.
                   def protected_#{password_field}
                     @#{password_field}
                   end
@@ -250,6 +296,7 @@ module Authlogic
           # This method converts the ActionController::Parameters to a Hash
           def parse_param_val(value)
             if value.first.class.name == "ActionController::Parameters"
+              ActiveSupport::Deprecation.warn(E_AC_PARAMETERS)
               [value.first.to_h]
             else
               value.is_a?(Array) ? value : [value]

data/lib/authlogic/session/perishable_token.rb

@@ -1,7 +1,9 @@
 module Authlogic
   module Session
-    # Maintains the perishable token, which is helpful for confirming records or authorizing records to reset their password. All that this
-    # module does is reset it after a session have been saved, just keep it changing. The more it changes, the tighter the security.
+    # Maintains the perishable token, which is helpful for confirming records or
+    # authorizing records to reset their password. All that this module does is
+    # reset it after a session have been saved, just keep it changing. The more
+    # it changes, the tighter the security.
     #
     # See Authlogic::ActsAsAuthentic::PerishableToken for more information.
     module PerishableToken
@@ -12,7 +14,9 @@ module Authlogic
       private
 
         def reset_perishable_token!
-          record.reset_perishable_token if record.respond_to?(:reset_perishable_token) && !record.disable_perishable_token_maintenance?
+          if record.respond_to?(:reset_perishable_token) && !record.disable_perishable_token_maintenance?
+            record.reset_perishable_token
+          end
         end
     end
   end

data/lib/authlogic/session/validation.rb

@@ -2,7 +2,8 @@ module Authlogic
   module Session
     # Responsible for session validation
     module Validation
-      # The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses the exact same ActiveRecord errors class. Use it the same way:
+      # The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses
+      # the exact same ActiveRecord errors class. Use it the same way:
       #
       #   class UserSession
       #     validate :check_if_awesome
@@ -22,9 +23,10 @@ module Authlogic
         end
       end
 
-      # You should use this as a place holder for any records that you find during validation. The main reason for this is to
-      # allow other modules to use it if needed. Take the failed_login_count feature, it needs this in order to increase
-      # the failed login count.
+      # You should use this as a place holder for any records that you find
+      # during validation. The main reason for this is to allow other modules to
+      # use it if needed. Take the failed_login_count feature, it needs this in
+      # order to increase the failed login count.
       def attempted_record
         @attempted_record
       end
@@ -34,8 +36,8 @@ module Authlogic
         @attempted_record = value
       end
 
-      # The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses the exact same ActiveRecord errors class.
-      # Use it the same way:
+      # The errors in Authlogic work JUST LIKE ActiveRecord. In fact, it uses
+      # the exact same ActiveRecord errors class. Use it the same way:
       #
       # === Example
       #
@@ -52,9 +54,9 @@ module Authlogic
         @errors ||= Errors.new(self)
       end
 
-      # Determines if the information you provided for authentication is valid or not. If there is
-      # a problem with the information provided errors will be added to the errors object and this
-      # method will return false.
+      # Determines if the information you provided for authentication is valid
+      # or not. If there is a problem with the information provided errors will
+      # be added to the errors object and this method will return false.
       def valid?
         errors.clear
         self.attempted_record = nil
@@ -64,13 +66,13 @@ module Authlogic
         validate
         ensure_authentication_attempted
 
-        if errors.size == 0
+        if errors.empty?
           new_session? ? after_validation_on_create : after_validation_on_update
           after_validation
         end
 
         save_record(attempted_record)
-        errors.size == 0
+        errors.empty?
       end
 
       private

data/lib/authlogic/test_case.rb

@@ -5,8 +5,9 @@ require File.dirname(__FILE__) + "/test_case/mock_logger"
 require File.dirname(__FILE__) + "/test_case/mock_request"
 
 module Authlogic
-  # This module is a collection of methods and classes that help you easily test Authlogic. In fact,
-  # I use these same tools to test the internals of Authlogic.
+  # This module is a collection of methods and classes that help you easily test
+  # Authlogic. In fact, I use these same tools to test the internals of
+  # Authlogic.
   #
   # === The quick and dirty
   #
@@ -18,26 +19,33 @@ module Authlogic
   #
   # === Setting up
   #
-  # Authlogic comes with some simple testing tools. To get these, you need to first require Authlogic's TestCase. If
-  # you are doing this in a rails app, you would require this file at the top of your test_helper.rb file:
+  # Authlogic comes with some simple testing tools. To get these, you need to
+  # first require Authlogic's TestCase. If you are doing this in a rails app,
+  # you would require this file at the top of your test_helper.rb file:
   #
   #   require "authlogic/test_case"
   #
-  # If you are using Test::Unit::TestCase, the standard testing library that comes with ruby, then you can skip this next part.
-  # If you are not, you need to include the Authlogic::TestCase into your testing suite as follows:
+  # If you are using Test::Unit::TestCase, the standard testing library that
+  # comes with ruby, then you can skip this next part. If you are not, you need
+  # to include the Authlogic::TestCase into your testing suite as follows:
   #
   #   include Authlogic::TestCase
   #
-  # Now that everything is ready to go, let's move onto actually testing. Here is the basic idea behind testing:
+  # Now that everything is ready to go, let's move onto actually testing. Here
+  # is the basic idea behind testing:
   #
-  # Authlogic requires a "connection" to your controller to activate it. In the same manner that ActiveRecord requires a connection to
-  # your database. It can't do anything until it gets connected. That being said, Authlogic will raise an
-  # Authlogic::Session::Activation::NotActivatedError any time you try to instantiate an object without a "connection".
-  # So before you do anything with Authlogic, you need to activate / connect Authlogic. Let's walk through how to do this in tests:
+  # Authlogic requires a "connection" to your controller to activate it. In the
+  # same manner that ActiveRecord requires a connection to your database. It
+  # can't do anything until it gets connected. That being said, Authlogic will
+  # raise an Authlogic::Session::Activation::NotActivatedError any time you try
+  # to instantiate an object without a "connection". So before you do anything
+  # with Authlogic, you need to activate / connect Authlogic. Let's walk through
+  # how to do this in tests:
   #
   # === Fixtures / Factories
   #
-  # Creating users via fixtures / factories is easy. Here's an example of a fixture:
+  # Creating users via fixtures / factories is easy. Here's an example of a
+  # fixture:
   #
   #   ben:
   #     email: whatever@whatever.com
@@ -47,43 +55,52 @@ module Authlogic
   #     single_access_token: <%= Authlogic::Random.friendly_token %>
   #     perishable_token: <%= Authlogic::Random.friendly_token %>
   #
-  # Notice the crypted_password value. Just supplement that with whatever crypto provider you are using, if you are not using the default.
+  # Notice the crypted_password value. Just supplement that with whatever crypto
+  # provider you are using, if you are not using the default.
   #
   # === Functional tests
   #
-  # Activating Authlogic isn't a problem here, because making a request will activate Authlogic for you. The problem is
-  # logging users in so they can access restricted areas. Solving this is simple, just do this:
+  # Activating Authlogic isn't a problem here, because making a request will
+  # activate Authlogic for you. The problem is logging users in so they can
+  # access restricted areas. Solving this is simple, just do this:
   #
   #   setup :activate_authlogic
   #
-  # For those of you unfamiliar with TestUnit, the setup method basically just executes a method before any test is ran.
-  # It is essentially "setting up" your tests.
+  # For those of you unfamiliar with TestUnit, the setup method basically just
+  # executes a method before any test is ran. It is essentially "setting up"
+  # your tests.
   #
   # Once you have done this, just log users in like usual:
   #
   #   UserSession.create(users(:whomever))
   #   # access my restricted area here
   #
-  # Do this before you make your request and it will act as if that user is logged in.
+  # Do this before you make your request and it will act as if that user is
+  # logged in.
   #
   # === Integration tests
   #
-  # Again, just like functional tests, you don't have to do anything. As soon as you make a request, Authlogic will be
-  # connected. If you want to activate Authlogic before making a request follow the same steps described in the
+  # Again, just like functional tests, you don't have to do anything. As soon as
+  # you make a request, Authlogic will be connected. If you want to activate
+  # Authlogic before making a request follow the same steps described in the
   # "functional tests" section above. It works in the same manner.
   #
   # === Unit tests
   #
-  # The only time you need to do any trickiness here is if you want to test Authlogic models. Maybe you added some custom
-  # code or methods in your Authlogic models. Maybe you are writing a plugin or a library that extends Authlogic.
+  # The only time you need to do any trickiness here is if you want to test
+  # Authlogic models. Maybe you added some custom code or methods in your
+  # Authlogic models. Maybe you are writing a plugin or a library that extends
+  # Authlogic.
   #
-  # That being said, in this environment there is no controller. So you need to use a "mock" controller. Something
-  # that looks like a controller, acts like a controller, but isn't a "real" controller. You are essentially connecting
-  # Authlogic to your "mock" controller, then you can test off of the mock controller to make sure everything is functioning
-  # properly.
+  # That being said, in this environment there is no controller. So you need to
+  # use a "mock" controller. Something that looks like a controller, acts like a
+  # controller, but isn't a "real" controller. You are essentially connecting
+  # Authlogic to your "mock" controller, then you can test off of the mock
+  # controller to make sure everything is functioning properly.
   #
-  # I use a mock controller to test Authlogic myself. It's part of the Authlogic library that you can easily use. It's as simple
-  # as functional and integration tests. Just do the following:
+  # I use a mock controller to test Authlogic myself. It's part of the Authlogic
+  # library that you can easily use. It's as simple as functional and
+  # integration tests. Just do the following:
   #
   #   setup :activate_authlogic
   #
@@ -94,9 +111,11 @@ module Authlogic
   #   assert UserSession.create(ben)
   #   assert_equal controller.session["user_credentials"], ben.persistence_token
   #
-  # See how I am checking that Authlogic is interacting with the controller properly? That's the idea here.
+  # See how I am checking that Authlogic is interacting with the controller
+  # properly? That's the idea here.
   module TestCase
-    # Activates authlogic so that you can use it in your tests. You should call this method in your test's setup. Ex:
+    # Activates authlogic so that you can use it in your tests. You should call
+    # this method in your test's setup. Ex:
     #
     #   setup :activate_authlogic
     def activate_authlogic
@@ -109,8 +128,9 @@ module Authlogic
       Authlogic::Session::Base.controller = (@request && Authlogic::TestCase::RailsRequestAdapter.new(@request)) || controller
     end
 
-    # The Authlogic::TestCase::MockController object passed to Authlogic to activate it. You can access this in your test.
-    # See the module description for an example.
+    # The Authlogic::TestCase::MockController object passed to Authlogic to
+    # activate it. You can access this in your test. See the module description
+    # for an example.
     def controller
       @controller ||= Authlogic::TestCase::MockController.new
     end

data/lib/authlogic.rb

@@ -1,3 +1,9 @@
+# Authlogic uses ActiveSupport's core extensions like `strip_heredoc`, which
+# ActiveRecord does not `require`. It's possible that we could save a few
+# milliseconds by loading only the specific core extensions we need, but
+# `all.rb` is simpler. We can revisit this decision if it becomes a problem.
+require "active_support/all"
+
 require "active_record"
 
 path = File.dirname(__FILE__) + "/authlogic/"

data/test/acts_as_authentic_test/email_test.rb

@@ -9,6 +9,7 @@ module ActsAsAuthenticTest
       "dakota.dux+1@gmail.com",
       "dakota.d'ux@gmail.com",
       "a&b@c.com",
+      "someuser@somedomain.travelersinsurance"
     ]
 
     BAD_ASCII_EMAILS = [
@@ -17,6 +18,7 @@ module ActsAsAuthenticTest
       "question?mark@gmail.com",
       "backslash@g\\mail.com",
       "<script>alert(123);</script>\nnobody@example.com",
+      "someuser@somedomain.isreallytoolongandimeanreallytoolong"
     ]
 
     # http://en.wikipedia.org/wiki/ISO/IEC_8859-1#Codepage_layout
@@ -58,7 +60,7 @@ module ActsAsAuthenticTest
       "我>.香港",                    # greater than
       "我?本@屋企.香港",              # question mark
       "чебурша@ьн\\ами.рф",         # backslash
-      "user@domain.com%0A<script>alert('hello')</script>",
+      "user@domain.com%0A<script>alert('hello')</script>"
     ]
 
     def test_email_field_config
@@ -76,7 +78,7 @@ module ActsAsAuthenticTest
       assert Employee.validate_email_field
 
       User.validate_email_field = false
-      assert !User.validate_email_field
+      refute User.validate_email_field
       User.validate_email_field true
       assert User.validate_email_field
     end
@@ -94,25 +96,25 @@ module ActsAsAuthenticTest
     def test_validates_format_of_email_field_options_config
       default = {
         :with => Authlogic::Regex.email,
-        :message => Proc.new do
+        :message => proc do
           I18n.t(
             'error_messages.email_invalid',
             :default => "should look like an email address."
           )
         end
       }
-      dmessage = default.delete(:message).call
+      default_message = default.delete(:message).call
 
       options = User.validates_format_of_email_field_options
       message = options.delete(:message)
-      assert message.kind_of?(Proc)
-      assert_equal dmessage, message.call
+      assert message.is_a?(Proc)
+      assert_equal default_message, message.call
       assert_equal default, options
 
       options = Employee.validates_format_of_email_field_options
       message = options.delete(:message)
-      assert message.kind_of?(Proc)
-      assert_equal dmessage, message.call
+      assert message.is_a?(Proc)
+      assert_equal default_message, message.call
       assert_equal default, options
 
       User.validates_format_of_email_field_options = { :yes => "no" }
@@ -155,7 +157,11 @@ module ActsAsAuthenticTest
     end
 
     def test_validates_uniqueness_of_email_field_options_config
-      default = { :case_sensitive => false, :scope => Employee.validations_scope, :if => "#{Employee.email_field}_changed?".to_sym }
+      default = {
+        :case_sensitive => false,
+        :scope => Employee.validations_scope,
+        :if => "#{Employee.email_field}_changed?".to_sym
+      }
       assert_equal default, Employee.validates_uniqueness_of_email_field_options
 
       Employee.validates_uniqueness_of_email_field_options = { :yes => "no" }
@@ -167,43 +173,43 @@ module ActsAsAuthenticTest
     def test_validates_length_of_email_field
       u = User.new
       u.email = "a@a.a"
-      assert !u.valid?
-      assert u.errors[:email].size > 0
+      refute u.valid?
+      refute u.errors[:email].empty?
 
       u.email = "a@a.com"
-      assert !u.valid?
-      assert u.errors[:email].size == 0
+      refute u.valid?
+      assert u.errors[:email].empty?
     end
 
     def test_validates_format_of_email_field
       u = User.new
       u.email = "aaaaaaaaaaaaa"
       u.valid?
-      assert u.errors[:email].size > 0
+      refute u.errors[:email].empty?
 
       u.email = "a@a.com"
       u.valid?
-      assert u.errors[:email].size == 0
+      assert u.errors[:email].empty?
 
       u.email = "damien+test1...etc..@mydomain.com"
       u.valid?
-      assert u.errors[:email].size == 0
+      assert u.errors[:email].empty?
 
       u.email = "dakota.dux+1@gmail.com"
       u.valid?
-      assert u.errors[:email].size == 0
+      assert u.errors[:email].empty?
 
       u.email = "dakota.d'ux@gmail.com"
       u.valid?
-      assert u.errors[:email].size == 0
+      assert u.errors[:email].empty?
 
       u.email = "<script>alert(123);</script>\nnobody@example.com"
-      assert !u.valid?
-      assert u.errors[:email].size > 0
+      refute u.valid?
+      refute u.errors[:email].empty?
 
       u.email = "a&b@c.com"
       u.valid?
-      assert u.errors[:email].size == 0
+      assert u.errors[:email].empty?
     end
 
     def test_validates_format_of_nonascii_email_field
@@ -219,16 +225,16 @@ module ActsAsAuthenticTest
     def test_validates_uniqueness_of_email_field
       u = User.new
       u.email = "bjohnson@binarylogic.com"
-      assert !u.valid?
-      assert u.errors[:email].size > 0
+      refute u.valid?
+      refute u.errors[:email].empty?
 
       u.email = "BJOHNSON@binarylogic.com"
-      assert !u.valid?
-      assert u.errors[:email].size > 0
+      refute u.valid?
+      refute u.errors[:email].empty?
 
       u.email = "a@a.com"
-      assert !u.valid?
-      assert u.errors[:email].size == 0
+      refute u.valid?
+      assert u.errors[:email].empty?
     end
   end
 end

data/test/acts_as_authentic_test/logged_in_status_test.rb

@@ -52,11 +52,11 @@ module ActsAsAuthenticTest
 
     def test_logged_in_logged_out
       u = User.first
-      assert !u.logged_in?
+      refute u.logged_in?
       assert u.logged_out?
       u.last_request_at = Time.now
       assert u.logged_in?
-      assert !u.logged_out?
+      refute u.logged_out?
     end
   end
 end