authlogic 3.5.0 → 3.8.0
Sign up to get free protection for your applications and to get access to all the features.
- data/.github/ISSUE_TEMPLATE.md +13 -0
- data/.rubocop_todo.yml +1 -37
- data/.travis.yml +15 -6
- data/CHANGELOG.md +2 -130
- data/CONTRIBUTING.md +13 -2
- data/README.md +2 -3
- data/authlogic.gemspec +4 -5
- data/lib/authlogic/acts_as_authentic/base.rb +4 -2
- data/lib/authlogic/acts_as_authentic/email.rb +8 -3
- data/lib/authlogic/acts_as_authentic/logged_in_status.rb +21 -3
- data/lib/authlogic/acts_as_authentic/login.rb +44 -25
- data/lib/authlogic/acts_as_authentic/password.rb +28 -12
- data/lib/authlogic/acts_as_authentic/perishable_token.rb +21 -12
- data/lib/authlogic/acts_as_authentic/restful_authentication.rb +16 -9
- data/lib/authlogic/acts_as_authentic/session_maintenance.rb +5 -3
- data/lib/authlogic/authenticates_many/association.rb +11 -4
- data/lib/authlogic/authenticates_many/base.rb +5 -4
- data/lib/authlogic/controller_adapters/rack_adapter.rb +6 -2
- data/lib/authlogic/controller_adapters/rails_adapter.rb +11 -8
- data/lib/authlogic/crypto_providers/aes256.rb +21 -2
- data/lib/authlogic/crypto_providers/bcrypt.rb +4 -1
- data/lib/authlogic/crypto_providers/sha512.rb +15 -10
- data/lib/authlogic/regex.rb +7 -6
- data/lib/authlogic/session/activation.rb +19 -10
- data/lib/authlogic/session/cookies.rb +3 -1
- data/lib/authlogic/session/id.rb +13 -7
- data/lib/authlogic/session/magic_columns.rb +19 -10
- data/lib/authlogic/session/magic_states.rb +7 -1
- data/lib/authlogic/session/password.rb +82 -35
- data/lib/authlogic/session/perishable_token.rb +7 -3
- data/lib/authlogic/session/validation.rb +13 -11
- data/lib/authlogic/test_case.rb +52 -32
- data/lib/authlogic.rb +6 -0
- data/test/acts_as_authentic_test/email_test.rb +33 -27
- data/test/acts_as_authentic_test/logged_in_status_test.rb +2 -2
- data/test/acts_as_authentic_test/login_test.rb +50 -37
- data/test/acts_as_authentic_test/magic_columns_test.rb +8 -8
- data/test/acts_as_authentic_test/password_test.rb +14 -14
- data/test/acts_as_authentic_test/perishable_token_test.rb +5 -5
- data/test/acts_as_authentic_test/persistence_token_test.rb +4 -4
- data/test/acts_as_authentic_test/restful_authentication_test.rb +6 -6
- data/test/acts_as_authentic_test/session_maintenance_test.rb +15 -10
- data/test/acts_as_authentic_test/single_access_test.rb +6 -6
- data/test/authenticates_many_test.rb +21 -6
- data/test/gemfiles/Gemfile.rails-5.1.x +6 -0
- data/test/gemfiles/Gemfile.rails-5.2.x +6 -0
- data/test/libs/company.rb +1 -1
- data/test/session_test/activation_test.rb +1 -1
- data/test/session_test/active_record_trickery_test.rb +3 -3
- data/test/session_test/brute_force_protection_test.rb +19 -14
- data/test/session_test/cookies_test.rb +21 -12
- data/test/session_test/existence_test.rb +15 -10
- data/test/session_test/http_auth_test.rb +2 -2
- data/test/session_test/magic_columns_test.rb +7 -4
- data/test/session_test/magic_states_test.rb +7 -9
- data/test/session_test/params_test.rb +6 -6
- data/test/session_test/password_test.rb +2 -2
- data/test/session_test/perishability_test.rb +1 -1
- data/test/session_test/persistence_test.rb +2 -2
- data/test/session_test/timeout_test.rb +7 -5
- data/test/session_test/validation_test.rb +1 -1
- data/test/test_helper.rb +37 -6
- metadata +57 -36
- checksums.yaml +0 -7
@@ -89,11 +89,11 @@ module SessionTest
|
|
89
89
|
def test_remember_me
|
90
90
|
session = UserSession.new
|
91
91
|
assert_equal false, session.remember_me
|
92
|
-
|
92
|
+
refute session.remember_me?
|
93
93
|
|
94
94
|
session.remember_me = false
|
95
95
|
assert_equal false, session.remember_me
|
96
|
-
|
96
|
+
refute session.remember_me?
|
97
97
|
|
98
98
|
session.remember_me = true
|
99
99
|
assert_equal true, session.remember_me
|
@@ -101,7 +101,7 @@ module SessionTest
|
|
101
101
|
|
102
102
|
session.remember_me = nil
|
103
103
|
assert_nil session.remember_me
|
104
|
-
|
104
|
+
refute session.remember_me?
|
105
105
|
|
106
106
|
session.remember_me = "1"
|
107
107
|
assert_equal "1", session.remember_me
|
@@ -122,7 +122,7 @@ module SessionTest
|
|
122
122
|
|
123
123
|
def test_persist_persist_by_cookie
|
124
124
|
ben = users(:ben)
|
125
|
-
|
125
|
+
refute UserSession.find
|
126
126
|
set_cookie_for(ben)
|
127
127
|
assert session = UserSession.find
|
128
128
|
assert_equal ben, session.record
|
@@ -131,9 +131,9 @@ module SessionTest
|
|
131
131
|
def test_persist_persist_by_cookie_with_blank_persistence_token
|
132
132
|
ben = users(:ben)
|
133
133
|
ben.update_column(:persistence_token, "")
|
134
|
-
|
134
|
+
refute UserSession.find
|
135
135
|
set_cookie_for(ben)
|
136
|
-
|
136
|
+
refute UserSession.find
|
137
137
|
end
|
138
138
|
|
139
139
|
def test_remember_me_expired
|
@@ -141,19 +141,22 @@ module SessionTest
|
|
141
141
|
session = UserSession.new(ben)
|
142
142
|
session.remember_me = true
|
143
143
|
assert session.save
|
144
|
-
|
144
|
+
refute session.remember_me_expired?
|
145
145
|
|
146
146
|
session = UserSession.new(ben)
|
147
147
|
session.remember_me = false
|
148
148
|
assert session.save
|
149
|
-
|
149
|
+
refute session.remember_me_expired?
|
150
150
|
end
|
151
151
|
|
152
152
|
def test_after_save_save_cookie
|
153
153
|
ben = users(:ben)
|
154
154
|
session = UserSession.new(ben)
|
155
155
|
assert session.save
|
156
|
-
assert_equal
|
156
|
+
assert_equal(
|
157
|
+
"#{ben.persistence_token}::#{ben.id}",
|
158
|
+
controller.cookies["user_credentials"]
|
159
|
+
)
|
157
160
|
end
|
158
161
|
|
159
162
|
def test_after_save_save_cookie_signed
|
@@ -166,7 +169,10 @@ module SessionTest
|
|
166
169
|
session.sign_cookie = true
|
167
170
|
assert session.save
|
168
171
|
assert_equal payload, controller.cookies.signed["user_credentials"]
|
169
|
-
assert_equal
|
172
|
+
assert_equal(
|
173
|
+
"#{payload}--#{Digest::SHA1.hexdigest payload}",
|
174
|
+
controller.cookies.signed.parent_jar["user_credentials"]
|
175
|
+
)
|
170
176
|
end
|
171
177
|
|
172
178
|
def test_after_save_save_cookie_with_remember_me
|
@@ -175,7 +181,10 @@ module SessionTest
|
|
175
181
|
session = UserSession.new(ben)
|
176
182
|
session.remember_me = true
|
177
183
|
assert session.save
|
178
|
-
assert_equal
|
184
|
+
assert_equal(
|
185
|
+
"#{ben.persistence_token}::#{ben.id}::#{session.remember_me_until.iso8601}",
|
186
|
+
controller.cookies["user_credentials"]
|
187
|
+
)
|
179
188
|
end
|
180
189
|
end
|
181
190
|
|
@@ -185,7 +194,7 @@ module SessionTest
|
|
185
194
|
session = UserSession.find
|
186
195
|
assert controller.cookies["user_credentials"]
|
187
196
|
assert session.destroy
|
188
|
-
|
197
|
+
refute controller.cookies["user_credentials"]
|
189
198
|
end
|
190
199
|
end
|
191
200
|
end
|
@@ -3,10 +3,15 @@ require 'test_helper'
|
|
3
3
|
module SessionTest
|
4
4
|
module ExistenceTest
|
5
5
|
class ClassMethodsTest < ActiveSupport::TestCase
|
6
|
-
def
|
6
|
+
def test_create_with_good_credentials
|
7
7
|
ben = users(:ben)
|
8
|
-
|
9
|
-
refute
|
8
|
+
session = UserSession.create(:login => ben.login, :password => "benrocks")
|
9
|
+
refute session.new_session?
|
10
|
+
end
|
11
|
+
|
12
|
+
def test_create_with_bad_credentials
|
13
|
+
session = UserSession.create(:login => "somelogin", :password => "badpw2")
|
14
|
+
assert session.new_session?
|
10
15
|
end
|
11
16
|
|
12
17
|
def test_create_bang
|
@@ -26,21 +31,21 @@ module SessionTest
|
|
26
31
|
|
27
32
|
set_session_for(users(:ben))
|
28
33
|
session = UserSession.find
|
29
|
-
|
34
|
+
refute session.new_session?
|
30
35
|
end
|
31
36
|
|
32
37
|
def test_save_with_nothing
|
33
38
|
session = UserSession.new
|
34
|
-
|
39
|
+
refute session.save
|
35
40
|
assert session.new_session?
|
36
41
|
end
|
37
42
|
|
38
43
|
def test_save_with_block
|
39
44
|
session = UserSession.new
|
40
45
|
block_result = session.save do |result|
|
41
|
-
|
46
|
+
refute result
|
42
47
|
end
|
43
|
-
|
48
|
+
refute block_result
|
44
49
|
assert session.new_session?
|
45
50
|
end
|
46
51
|
|
@@ -55,15 +60,15 @@ module SessionTest
|
|
55
60
|
def test_destroy
|
56
61
|
ben = users(:ben)
|
57
62
|
session = UserSession.new
|
58
|
-
|
59
|
-
|
63
|
+
refute session.valid?
|
64
|
+
refute session.errors.empty?
|
60
65
|
assert session.destroy
|
61
66
|
assert session.errors.empty?
|
62
67
|
session.unauthorized_record = ben
|
63
68
|
assert session.save
|
64
69
|
assert session.record
|
65
70
|
assert session.destroy
|
66
|
-
|
71
|
+
refute session.record
|
67
72
|
end
|
68
73
|
end
|
69
74
|
end
|
@@ -30,14 +30,14 @@ module SessionTest
|
|
30
30
|
def test_persist_persist_by_http_auth
|
31
31
|
aaron = users(:aaron)
|
32
32
|
http_basic_auth_for do
|
33
|
-
|
33
|
+
refute UserSession.find
|
34
34
|
end
|
35
35
|
http_basic_auth_for(aaron) do
|
36
36
|
assert session = UserSession.find
|
37
37
|
assert_equal aaron, session.record
|
38
38
|
assert_equal aaron.login, session.login
|
39
39
|
assert_equal "aaronrocks", session.send(:protected_password)
|
40
|
-
|
40
|
+
refute controller.http_auth_requested?
|
41
41
|
end
|
42
42
|
unset_session
|
43
43
|
UserSession.request_http_basic_auth = true
|
@@ -15,7 +15,7 @@ module SessionTest
|
|
15
15
|
class InstanceMethodsTest < ActiveSupport::TestCase
|
16
16
|
def test_after_persisting_set_last_request_at
|
17
17
|
ben = users(:ben)
|
18
|
-
|
18
|
+
refute UserSession.create(ben).new_session?
|
19
19
|
|
20
20
|
set_cookie_for(ben)
|
21
21
|
old_last_request_at = ben.last_request_at
|
@@ -27,7 +27,8 @@ module SessionTest
|
|
27
27
|
def test_valid_increase_failed_login_count
|
28
28
|
ben = users(:ben)
|
29
29
|
old_failed_login_count = ben.failed_login_count
|
30
|
-
|
30
|
+
session = UserSession.create(:login => ben.login, :password => "wrong")
|
31
|
+
assert session.new_session?
|
31
32
|
ben.reload
|
32
33
|
assert_equal old_failed_login_count + 1, ben.failed_login_count
|
33
34
|
end
|
@@ -36,7 +37,8 @@ module SessionTest
|
|
36
37
|
aaron = users(:aaron)
|
37
38
|
|
38
39
|
# increase failed login count
|
39
|
-
|
40
|
+
session = UserSession.create(:login => aaron.login, :password => "wrong")
|
41
|
+
assert session.new_session?
|
40
42
|
aaron.reload
|
41
43
|
|
42
44
|
# grab old values
|
@@ -44,7 +46,8 @@ module SessionTest
|
|
44
46
|
old_current_login_at = aaron.current_login_at
|
45
47
|
old_current_login_ip = aaron.current_login_ip
|
46
48
|
|
47
|
-
|
49
|
+
session = UserSession.create(:login => aaron.login, :password => "aaronrocks")
|
50
|
+
assert session.valid?
|
48
51
|
|
49
52
|
aaron.reload
|
50
53
|
assert_equal old_login_count + 1, aaron.login_count
|
@@ -15,11 +15,9 @@ module SessionTest
|
|
15
15
|
class InstanceMethodsTest < ActiveSupport::TestCase
|
16
16
|
def test_disabling_magic_states
|
17
17
|
UserSession.disable_magic_states = true
|
18
|
-
|
19
18
|
ben = users(:ben)
|
20
19
|
ben.update_attribute(:active, false)
|
21
|
-
|
22
|
-
|
20
|
+
refute UserSession.create(ben).new_session?
|
23
21
|
UserSession.disable_magic_states = false
|
24
22
|
end
|
25
23
|
|
@@ -30,8 +28,8 @@ module SessionTest
|
|
30
28
|
assert session.valid?
|
31
29
|
|
32
30
|
ben.update_attribute(:active, false)
|
33
|
-
|
34
|
-
|
31
|
+
refute session.valid?
|
32
|
+
refute session.errors[:base].empty?
|
35
33
|
end
|
36
34
|
|
37
35
|
def test_validate_validate_magic_states_approved
|
@@ -41,8 +39,8 @@ module SessionTest
|
|
41
39
|
assert session.valid?
|
42
40
|
|
43
41
|
ben.update_attribute(:approved, false)
|
44
|
-
|
45
|
-
|
42
|
+
refute session.valid?
|
43
|
+
refute session.errors[:base].empty?
|
46
44
|
end
|
47
45
|
|
48
46
|
def test_validate_validate_magic_states_confirmed
|
@@ -52,8 +50,8 @@ module SessionTest
|
|
52
50
|
assert session.valid?
|
53
51
|
|
54
52
|
ben.update_attribute(:confirmed, false)
|
55
|
-
|
56
|
-
|
53
|
+
refute session.valid?
|
54
|
+
refute session.errors[:base].empty?
|
57
55
|
end
|
58
56
|
end
|
59
57
|
end
|
@@ -25,17 +25,17 @@ module SessionTest
|
|
25
25
|
ben = users(:ben)
|
26
26
|
session = UserSession.new
|
27
27
|
|
28
|
-
|
28
|
+
refute session.persisting?
|
29
29
|
set_params_for(ben)
|
30
30
|
|
31
|
-
|
32
|
-
|
33
|
-
|
31
|
+
refute session.persisting?
|
32
|
+
refute session.unauthorized_record
|
33
|
+
refute session.record
|
34
34
|
assert_nil controller.session["user_credentials"]
|
35
35
|
|
36
36
|
set_request_content_type("text/plain")
|
37
|
-
|
38
|
-
|
37
|
+
refute session.persisting?
|
38
|
+
refute session.unauthorized_record
|
39
39
|
assert_nil controller.session["user_credentials"]
|
40
40
|
|
41
41
|
set_request_content_type("application/atom+xml")
|
@@ -21,7 +21,7 @@ module SessionTest
|
|
21
21
|
|
22
22
|
def test_generalize_credentials_error_mesages_set_to_false
|
23
23
|
UserSession.generalize_credentials_error_messages false
|
24
|
-
|
24
|
+
refute UserSession.generalize_credentials_error_messages
|
25
25
|
session = UserSession.create(:login => users(:ben).login, :password => "invalud-password")
|
26
26
|
assert_equal ["Password is not valid"], session.errors.full_messages
|
27
27
|
end
|
@@ -95,7 +95,7 @@ module SessionTest
|
|
95
95
|
aaron = users(:aaron)
|
96
96
|
session = UserSession.new(:login => aaron.login, :password => "aaronrocks")
|
97
97
|
assert session.save
|
98
|
-
|
98
|
+
refute session.new_session?
|
99
99
|
assert_equal 1, session.record.login_count
|
100
100
|
assert Time.now >= session.record.current_login_at
|
101
101
|
assert_equal "1.1.1.1", session.record.current_login_ip
|
@@ -4,7 +4,7 @@ module SessionTest
|
|
4
4
|
class PersistenceTest < ActiveSupport::TestCase
|
5
5
|
def test_find
|
6
6
|
aaron = users(:aaron)
|
7
|
-
|
7
|
+
refute UserSession.find
|
8
8
|
http_basic_auth_for(aaron) { assert UserSession.find }
|
9
9
|
set_cookie_for(aaron)
|
10
10
|
assert UserSession.find
|
@@ -22,7 +22,7 @@ module SessionTest
|
|
22
22
|
aaron = users(:aaron)
|
23
23
|
session = UserSession.new(aaron)
|
24
24
|
session.remember_me = true
|
25
|
-
|
25
|
+
refute UserSession.remember_me
|
26
26
|
assert session.save
|
27
27
|
assert session.remember_me?
|
28
28
|
session = UserSession.find(aaron)
|
@@ -8,7 +8,7 @@ module SessionTest
|
|
8
8
|
assert UserSession.logout_on_timeout
|
9
9
|
|
10
10
|
UserSession.logout_on_timeout false
|
11
|
-
|
11
|
+
refute UserSession.logout_on_timeout
|
12
12
|
end
|
13
13
|
end
|
14
14
|
|
@@ -33,7 +33,7 @@ module SessionTest
|
|
33
33
|
ben.save
|
34
34
|
|
35
35
|
assert session.persisting?
|
36
|
-
|
36
|
+
refute session.stale?
|
37
37
|
assert_nil session.stale_record
|
38
38
|
|
39
39
|
UserSession.logout_on_timeout = false
|
@@ -63,15 +63,17 @@ module SessionTest
|
|
63
63
|
assert session.save
|
64
64
|
Timecop.freeze(Time.now + 2.months)
|
65
65
|
assert session.persisting?
|
66
|
-
|
66
|
+
refute session.stale?
|
67
67
|
UserSession.remember_me = false
|
68
68
|
end
|
69
69
|
|
70
70
|
def test_successful_login
|
71
71
|
UserSession.logout_on_timeout = true
|
72
72
|
ben = users(:ben)
|
73
|
-
|
74
|
-
|
73
|
+
session = UserSession.create(:login => ben.login, :password => "benrocks")
|
74
|
+
refute session.new_session?
|
75
|
+
session = UserSession.find
|
76
|
+
assert session
|
75
77
|
assert_equal ben, session.record
|
76
78
|
UserSession.logout_on_timeout = false
|
77
79
|
end
|
data/test/test_helper.rb
CHANGED
@@ -114,13 +114,25 @@ require_relative 'libs/user'
|
|
114
114
|
require_relative 'libs/user_session'
|
115
115
|
require_relative 'libs/company'
|
116
116
|
|
117
|
-
|
117
|
+
# Recent change, 2017-10-23: We had used a 54-letter string here. In the default
|
118
|
+
# encoding, UTF-8, that's 54 bytes, which is clearly incorrect for an algorithm
|
119
|
+
# with a 256-bit key, but I guess it worked. With the release of ruby 2.4 (and
|
120
|
+
# thus openssl gem 2.0), it is more strict, and must be exactly 32 bytes.
|
121
|
+
Authlogic::CryptoProviders::AES256.key = ::OpenSSL::Random.random_bytes(32)
|
118
122
|
|
119
123
|
class ActiveSupport::TestCase
|
120
124
|
include ActiveRecord::TestFixtures
|
121
125
|
self.fixture_path = File.dirname(__FILE__) + "/fixtures"
|
122
|
-
|
123
|
-
|
126
|
+
|
127
|
+
# use_transactional_fixtures= is deprecated and will be removed from Rails 5.1
|
128
|
+
# (use use_transactional_tests= instead)
|
129
|
+
if respond_to?(:use_transactional_tests=)
|
130
|
+
self.use_transactional_tests = false
|
131
|
+
else
|
132
|
+
self.use_transactional_fixtures = false
|
133
|
+
end
|
134
|
+
|
135
|
+
self.use_instantiated_fixtures = false
|
124
136
|
self.pre_loaded_fixtures = false
|
125
137
|
fixtures :all
|
126
138
|
setup :activate_authlogic
|
@@ -191,9 +203,28 @@ class ActiveSupport::TestCase
|
|
191
203
|
controller.request_content_type = nil
|
192
204
|
end
|
193
205
|
|
194
|
-
def
|
195
|
-
|
196
|
-
|
206
|
+
def session_credentials_prefix(scope_record)
|
207
|
+
if scope_record.nil?
|
208
|
+
""
|
209
|
+
else
|
210
|
+
format(
|
211
|
+
"%s_%d_",
|
212
|
+
scope_record.class.model_name.name.underscore,
|
213
|
+
scope_record.id
|
214
|
+
)
|
215
|
+
end
|
216
|
+
end
|
217
|
+
|
218
|
+
# Sets the session variables that `record` (eg. a `User`) would have after
|
219
|
+
# logging in.
|
220
|
+
#
|
221
|
+
# If `record` belongs to an `authenticates_many` association that uses the
|
222
|
+
# `scope_cookies` option, then a `scope_record` can be provided.
|
223
|
+
def set_session_for(record, scope_record = nil)
|
224
|
+
prefix = session_credentials_prefix(scope_record)
|
225
|
+
record_class_name = record.class.model_name.name.underscore
|
226
|
+
controller.session["#{prefix}#{record_class_name}_credentials"] = record.persistence_token
|
227
|
+
controller.session["#{prefix}#{record_class_name}_credentials_id"] = record.id
|
197
228
|
end
|
198
229
|
|
199
230
|
def unset_session
|