authlogic 3.8.0 → 4.0.0

data/.travis.yml

@@ -7,42 +7,20 @@ language: ruby
 # TODO: There's probably a way to configure the bundle path
 
 before_install:
+  - gem update --system
   - gem update bundler
 
 rvm:
-  - 1.9.3
-  - 2.1.10
-  - 2.2.6
-  - 2.3.3
+  - 2.2.9
+  - 2.5.0
 
 gemfile:
-  - test/gemfiles/Gemfile.rails-3.2.x
-  - test/gemfiles/Gemfile.rails-4.0.x
-  - test/gemfiles/Gemfile.rails-4.1.x
   - test/gemfiles/Gemfile.rails-4.2.x
   - test/gemfiles/Gemfile.rails-5.0.x
   - test/gemfiles/Gemfile.rails-5.1.x
+  - test/gemfiles/Gemfile.rails-5.2.x
 
 matrix:
-  exclude:
-    - rvm: 1.9.3
-      gemfile: test/gemfiles/Gemfile.rails-4.1.x
-    - rvm: 1.9.3
-      gemfile: test/gemfiles/Gemfile.rails-5.0.x
-    - rvm: 1.9.3
-      gemfile: test/gemfiles/Gemfile.rails-5.1.x
-    - rvm: 1.9.3
-      gemfile: test/gemfiles/Gemfile.rails-5.2.x
-    - rvm: 2.1.10
-      gemfile: test/gemfiles/Gemfile.rails-5.0.x
-    - rvm: 2.1.10
-      gemfile: test/gemfiles/Gemfile.rails-5.1.x
-    - rvm: 2.1.10
-      gemfile: test/gemfiles/Gemfile.rails-5.2.x
-    - rvm: 2.2.6
-      gemfile: test/gemfiles/Gemfile.rails-3.2.x
-    - rvm: 2.3.3
-      gemfile: test/gemfiles/Gemfile.rails-3.2.x
   fast_finish: true
 
 sudo: false

data/CHANGELOG.md

@@ -1,5 +1,229 @@
 # Changelog
 
-The authlogic changelog is maintained on the master branch only.
+## Unreleased
 
-https://github.com/binarylogic/authlogic/blob/master/CHANGELOG.md
+* Breaking Changes
+  * None
+* Added
+  * None
+* Fixed
+  * None
+
+## 4.0.0 (2018-03-18)
+
+* Breaking Changes, Major
+  * Drop support for ruby < 2.2
+  * Drop support for rails < 4.2
+  * HTTP Basic Auth is now disabled by default (use allow_http_basic_auth to enable)
+  * 'httponly' and 'secure' cookie options are enabled by default now
+  * maintain_sessions config has been removed. It has been split into 2 new options:
+    log_in_after_create & log_in_after_password_change (@lucasminissale)
+  * [#558](https://github.com/binarylogic/authlogic/pull/558) Passing an
+    ActionController::Parameters into authlogic will now raise an error
+
+* Breaking Changes, Minor
+  * Methods in Authlogic::Random are now module methods, and are no longer
+    instance methods. Previously, there were both. Do not use Authlogic::Random
+    as a mixin.
+  * Our mutable constants (e.g. arrays, hashes) are now frozen.
+
+* Added
+  * `Authlogic.gem_version`
+  * [#586](https://github.com/binarylogic/authlogic/pull/586) Support for SameSite cookies
+  * [#581](https://github.com/binarylogic/authlogic/pull/581) Support for rails 5.2
+  * Support for ruby 2.4, specifically openssl gem 2.0
+  * [#98](https://github.com/binarylogic/authlogic/issues/98)
+    I18n for invalid session error message. (@eugenebolshakov)
+
+* Fixed
+  * Random.friendly_token (used for e.g. perishable token) now returns strings
+    of consistent length, and conforms better to RFC-4648
+  * ensure that login field validation uses correct locale (@sskirby)
+  * add a respond_to_missing? in AbstractAdapter that also checks controller respond_to?
+  * [#561](https://github.com/binarylogic/authlogic/issues/561) authenticates_many now works with scope_cookies:true
+  * Allow tld up to 24 characters per https://data.iana.org/TLD/tlds-alpha-by-domain.txt
+
+## 3.8.0 2018-02-07
+
+* Breaking Changes
+  * None
+
+* Added
+  * [#582](https://github.com/binarylogic/authlogic/pull/582) Support rails 5.2
+  * [#583](https://github.com/binarylogic/authlogic/pull/583) Support openssl gem 2.0
+
+* Fixed
+  * None
+
+## 3.7.0 2018-02-07
+
+* Breaking Changes
+  * None
+
+* Added
+  * [#580](https://github.com/binarylogic/authlogic/pull/580) Deprecated
+    `ActionController::Parameters`, will be removed in 4.0.0
+
+* Fixed
+  * None
+
+## 3.6.1 2017-09-30
+
+* Breaking Changes
+  * None
+
+* Added
+  * None
+
+* Fixed
+  * Allow TLD up to 24 characters per
+    https://data.iana.org/TLD/tlds-alpha-by-domain.txt
+  * [#561](https://github.com/binarylogic/authlogic/issues/561)
+    authenticates_many now works with scope_cookies:true
+
+## 3.6.0 2017-04-28
+
+* Breaking Changes
+  * None
+
+* Added
+  * Support rails 5.1
+
+* Fixed
+  * ensure that login field validation uses correct locale (@sskirby)
+
+## 3.5.0 2016-08-29
+
+* new
+  * Rails 5.0 support! Thanks to all reporters and contributors.
+
+* changes
+  * increased default minimum password length to 8 (@iainbeeston)
+  * bind parameters in where statement for rails 5 support
+  * change callback for rails 5 support
+  * converts the ActionController::Parameters to a Hash for rails 5 support
+  * check last_request_at_threshold even if last_request_at_update_allowed returns true (@rofreg)
+
+## 3.4.6 2015
+
+* changes
+  * add Regex.email_nonascii for validation of emails w/unicode (@rchekaluk)
+  * allow scrypt 2.x (@jaredbeck)
+
+## 3.4.5 2015-03-01
+
+* changes
+  * security-hardening fix and cleanup in persistence_token lookup
+  * security-hardening fix in perishable_token lookup (thx @tomekr)
+
+## 3.4.4 2014-12-23
+
+* changes
+  * extract rw_config into an Authlogic::Config module
+  * improved the way config changes are made in tests
+  * fix for Rails 4.2 by extending ActiveModel
+
+## 3.4.3 2014-10-08
+
+* changes
+  * backfill CHANGELOG
+  * better compatibility with jruby (thx @petergoldstein)
+  * added scrypt as a dependency
+  * cleanup some code (thx @roryokane)
+  * reference 'bcrypt' gem instead of 'bcrypt-ruby' (thx @roryokane)
+  * fixed typo (thx @chamini2)
+  * fixed magic column validations for Rails 4.2 (thx @tom-kuca)
+
+## 3.4.2 2014-04-28
+
+* changes
+  * fixed the missing scrypt/bcrypt gem errors introduced in 3.4.1
+  * implemented autoloading for providers
+  * added longer subdomain support in email regex
+
+## 3.4.1 2014-04-04
+
+* changes
+  * undid an accidental revert of some code
+
+## 3.4.0 2014-03-03
+
+* Breaking Changes
+  * made scrypt the default crypto provider from SHA512
+    (https://github.com/binarylogic/authlogic#upgrading-to-authlogic-340)
+    See UPGRADING.md.
+
+* Added
+  * officially support rails 4 (still supporting rails 3)
+  * added cookie signing
+  * added request store for better concurency for threaded environments
+  * added a rack adapter for Rack middleware support
+
+* Fixed
+  * ditched appraisal
+  * improved find_with_case default performance
+  * added travis ci support
+
+## 3.3.0 2014-04-04
+
+* changes
+  * added safeguard against a sqli that was also fixed in rails 3.2.10/3.1.9/3.0.18
+  * imposed the bcrypt gem's mincost
+  * removed shoulda macros
+
+## 3.2.0 2012-12-07
+
+* new
+  * scrypt support
+
+* changes
+  * moved back to LOWER for find_with_case ci lookups
+
+## 3.1.3 2012-06-13
+
+* changes
+  * removed jeweler
+
+## 3.1.2 2012-06-01
+
+* changes
+  * mostly test fixes
+
+## 3.1.1 2012-06-01
+
+* changes
+  * mostly doc fixes
+
+## 3.1.0 2011-10-19
+
+* changes
+  * mostly small bug fixes
+
+## 3.0.3 2011-05-17
+
+* changes
+  * rails 3.1 support
+
+* new
+  * http auth support
+
+## 3.0.2 2011-04-30
+
+* changes
+  * doc fixes
+
+## 3.0.1 2011-04-30
+
+* changes
+  * switch from LOWER to LIKE for find_with_case ci lookups
+
+## 3.0.0 2011-04-30
+
+* new
+  * ssl cookie support
+  * httponly cookie support
+  * added a session generator
+
+* changes
+  * rails 3 support
+  * ruby 1.9.2 support

data/CONTRIBUTING.md

@@ -25,13 +25,23 @@ Please ask usage questions on
 
 ## Development
 
+Most local development should be done using the oldest supported version of
+ruby. See `required_ruby_version` in the gemspec.
+
 ### Testing
 
-Tests can be ran against different versions of Rails like so:
+Tests can be run against different versions of Rails like so:
+
+```
+BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle install
+BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x bundle exec rake
+```
+
+To run a single test:
 
 ```
-BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-3.2.x bundle install
-BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-3.2.x bundle exec rake
+BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-4.2.x \
+  bundle exec ruby –I test path/to/test.rb
 ```
 
 ### Linting
@@ -53,8 +63,8 @@ BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-3.2.x bundle exec rake test
 
 1. Update version number in gemspec
 1. Add release date to changelog entry
-1. Commit
-1. git tag -a -m "v3.6.0" "v3.6.0"
+1. Commit with message like "Release 3.6.0"
+1. git tag -a -m "v3.6.0" "v3.6.0" # or whatever number
 1. git push --tags origin 3-stable # or whatever branch
 1. gem build authlogic.gemspec
 1. gem push authlogic-3.6.0

data/Gemfile

@@ -1,5 +1,5 @@
 source "https://rubygems.org"
 gemspec
 
-gem 'activerecord-jdbcsqlite3-adapter', :platforms => :jruby
-gem 'sqlite3', :platforms => :ruby
+gem 'activerecord-jdbcsqlite3-adapter', platforms: :jruby
+gem 'sqlite3', platforms: :ruby

data/README.md

@@ -1,14 +1,56 @@
 # Authlogic
 
-**Authlogic supports rails 3, 4 and 5. For rails 2, see the [rails2 branch](https://github.com/binarylogic/authlogic/tree/rails2).**
+A clean, simple, and unobtrusive ruby authentication solution.
 
-[![Gem Version](https://badge.fury.io/rb/authlogic.png)](http://badge.fury.io/rb/authlogic)
-[![Build Status](https://travis-ci.org/binarylogic/authlogic.png?branch=master)](https://travis-ci.org/binarylogic/authlogic)
-[![Code Climate](https://codeclimate.com/github/binarylogic/authlogic.png)](https://codeclimate.com/github/binarylogic/authlogic)
+[![Gem Version][5]][6] [![Build Status][1]][2] [![Code Climate][7]][8] [![Dependency Status][3]][4]
 
-Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
+## Sponsors
 
-It introduces a new type of model. You can have as many as you want, and name them whatever you want, just like your other models. In this example, we want to authenticate with the User model, which is inferred by the name:
+[![Timber Logging](http://res.cloudinary.com/timber/image/upload/v1490556810/pricing/sponsorship.png)](https://timber.io?utm_source=github&utm_medium=authlogic)
+
+[Tail Authlogic users](https://timber.io/docs/app/console/tail-a-user) in your logs!
+
+## Documentation
+
+| Version     | Documentation |
+| ----------- | ------------- |
+| Unreleased  | https://github.com/binarylogic/authlogic/blob/master/README.md |
+| 3.7.0       | https://github.com/binarylogic/authlogic/blob/v3.7.0/README.md |
+| 2.1.11      | https://github.com/binarylogic/authlogic/blob/v2.1.11/README.rdoc |
+| 1.4.3       | https://github.com/binarylogic/authlogic/blob/v1.4.3/README.rdoc |
+
+## Table of Contents
+
+- [1. Introduction](#1-introduction)
+  - [1.a. Compatibility](#1a-compatibility)
+  - [1.b. Overview](#1b-overview)
+  - [1.c. Reference Documentation](#1c-reference-documentation)
+- [2. Rails](#2-rails)
+  - [2.a. The users table](#2a-the-users-table)
+  - [2.b. Controller](#2b-controller)
+  - [2.c. View](#2c-view)
+  - [2.d. CSRF Protection](#2d-csrf-protection)
+- [3. Testing](#3-testing)
+- [4. Helpful links](#4-helpful-links)
+- [5. Add-ons](#5-add-ons)
+- [6. Internals](#6-internals)
+
+## 1. Introduction
+
+### 1.a. Compatibility
+
+| Version    | branches         | tag     | ruby     | activerecord  |
+| ---------- | ---------------- | ------- | -------- | ------------- |
+| Unreleased | master, 4-stable |         | >= 2.2.0 | >= 4.2, < 5.3 |
+| 3          | 3-stable         | v3.6.0  | >= 1.9.3 | >= 3.2, < 5.2 |
+| 2          | rails2           | v2.1.11 | >= 1.9.3 | ~> 2.3.0      |
+| 1          | ?                | v1.4.3  | ?        | ?             |
+
+### 1.b. Overview
+
+Authlogic introduces a new type of model. You can have as many as you want, and
+name them whatever you want, just like your other models. In this example, we
+want to authenticate with our `User` model, which is inferred from the name:
 
 ```ruby
 class UserSession < Authlogic::Session::Base
@@ -44,7 +86,8 @@ You can also log out (i.e. **destroying** the session):
 session.destroy
 ```
 
-After a session has been created, you can persist it (i.e. **finding** the record) across requests. Thus keeping the user logged in:
+After a session has been created, you can persist it (i.e. **finding** the
+record) across requests. Thus keeping the user logged in:
 
 ``` ruby
 session = UserSession.find
@@ -60,9 +103,13 @@ class User < ActiveRecord::Base
 end
 ```
 
-This handles validations, etc. It is also "smart" in the sense that it if a login field is present it will use that to authenticate, if not it will look for an email field, etc. This is all configurable, but for 99% of cases that above is all you will need to do.
+This handles validations, etc. It is also "smart" in the sense that it if a
+login field is present it will use that to authenticate, if not it will look for
+an email field, etc. This is all configurable, but for 99% of cases that above
+is all you will need to do.
 
-You may specify how passwords are cryptographically hashed (or encrypted) by setting the Authlogic::CryptoProvider option:
+You may specify how passwords are cryptographically hashed (or encrypted) by
+setting the Authlogic::CryptoProvider option:
 
 ``` ruby
 c.crypto_provider = Authlogic::CryptoProviders::BCrypt
@@ -74,74 +121,64 @@ You may validate international email addresses by enabling the provided alternat
 c.validates_format_of_email_field_options = {:with => Authlogic::Regex.email_nonascii}
 ```
 
-Also, sessions are automatically maintained. You can switch this on and off with configuration, but the following will automatically log a user in after a successful registration:
+Also, sessions are automatically maintained. You can switch this on and off with
+configuration, but the following will automatically log a user in after a
+successful registration:
 
 ``` ruby
 User.create(params[:user])
 ```
 
-This also updates the session when the user changes his/her password.
+You can switch this on and off with the following configuration:
 
-Authlogic is very flexible, it has a strong public API and a plethora of hooks to allow you to modify behavior and extend it. Check out the helpful links below to dig deeper.
-
-## Upgrading to Authlogic 3.4.0
-
-In version 3.4.0, the default crypto_provider was changed from *Sha512* to *SCrypt*.
-
-If you never set a crypto_provider and are upgrading, your passwords will break unless you set the original:
-
-``` ruby
-c.crypto_provider = Authlogic::CryptoProviders::Sha512
+```ruby
+class User < ActiveRecord::Base
+  acts_as_authentic do |c|
+    c.log_in_after_create = false
+  end # the configuration block is optional
+end
 ```
 
-And if you want to automatically upgrade from *Sha512* to *SCrypt* as users login:
+Authlogic also updates the session when the user changes his/her password. You can also switch this on and off with the following configuration:
 
 ```ruby
-c.transition_from_crypto_providers = [Authlogic::CryptoProviders::Sha512]
-c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+class User < ActiveRecord::Base
+  acts_as_authentic do |c|
+    c.log_in_after_password_change = false
+  end # the configuration block is optional
+end
 ```
 
-## Helpful links
+Authlogic is very flexible, it has a strong public API and a plethora of hooks
+to allow you to modify behavior and extend it. Check out the helpful links below
+to dig deeper.
 
-* <b>Documentation:</b> http://rdoc.info/projects/binarylogic/authlogic
-* <b>Repository:</b> http://github.com/binarylogic/authlogic/tree/master
-* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
-* <b>Example repository with tutorial in README:</b> http://github.com/binarylogic/authlogic_example/tree/master
-* <b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
-* <b>Tutorial</b>: Rails Authentication with Authlogic http://www.sitepoint.com/rails-authentication-with-authlogic
-* <b>Issues:</b> http://github.com/binarylogic/authlogic/issues
-
-## Authlogic "add ons"
-
-* <b>Authlogic OpenID addon:</b> http://github.com/binarylogic/authlogic_openid
-* <b>Authlogic LDAP addon:</b> http://github.com/binarylogic/authlogic_ldap
-* <b>Authlogic Facebook Connect:</b> http://github.com/kalasjocke/authlogic_facebook_connect
-* <b>Authlogic Facebook Connect (New JS API):</b> http://github.com/studybyte/authlogic_facebook_connect
-* <b>Authlogic Facebook Shim</b> http://github.com/james2m/authlogic_facebook_shim
-* <b>Authlogic OAuth (Twitter):</b> http://github.com/jrallison/authlogic_oauth
-* <b>Authlogic Oauth and OpenID:</b> http://github.com/viatropos/authlogic-connect
-* <b>Authlogic PAM:</b> http://github.com/nbudin/authlogic_pam
-* <b>Authlogic x509:</b> http://github.com/auth-scc/authlogic_x509
+### 1.c. Reference Documentation
 
-If you create one of your own, please let me know about it so I can add it to this list. Or just fork the project, add your link, and send me a pull request.
+This README is just an introduction, but we also have [reference
+documentation](http://www.rubydoc.info/github/binarylogic/authlogic).
 
-## Documentation explanation
+**To use the reference documentation, you must understand how Authlogic's
+code is organized.** There are 2 models, your Authlogic model and your
+ActiveRecord model:
 
-You can find anything you want about Authlogic in the [documentation](http://rdoc.info/projects/binarylogic/authlogic), all that you need to do is understand the basic design behind it.
+1. **Authlogic::Session**, your session models that
+  extend `Authlogic::Session::Base`.
+2. **Authlogic::ActsAsAuthentic**, which adds in functionality to your
+  ActiveRecord model when you call `acts_as_authentic`.
 
-That being said, there are 2 models involved during authentication. Your Authlogic model and your ActiveRecord model:
+Each of the above has various modules that are organized by topic: passwords,
+cookies, etc. For example, if you want to timeout users after a certain period
+of inactivity, you would look in `Authlogic::Session::Timeout`.
 
-1. <b>Authlogic::Session</b>, your session models that extend Authlogic::Session::Base.
-2. <b>Authlogic::ActsAsAuthentic</b>, which adds in functionality to your ActiveRecord model when you call acts_as_authentic.
+## 2. Rails
 
-Each of the above has its various sub modules that contain common logic. The sub modules are responsible for including *everything* related to it: configuration, class methods, instance methods, etc.
+Let's walk through a typical rails setup.
 
-For example, if you want to timeout users after a certain period of inactivity, you would look in <b>Authlogic::Session::Timeout</b>. To help you out, I listed the following publicly relevant modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the [documentation](http://rdoc.info/projects/binarylogic/authlogic).
-
-## Example migration
+### 2.a. The users table
 
 If you want to enable all the features of Authlogic, a migration to create a
-+User+ model, for example, might look like this:
+`User` model might look like this:
 
 ``` ruby
 class CreateUser < ActiveRecord::Migration
@@ -156,12 +193,15 @@ class CreateUser < ActiveRecord::Migration
 
       # Authlogic::ActsAsAuthentic::PersistenceToken
       t.string    :persistence_token
+      t.index     :persistence_token, unique: true
 
       # Authlogic::ActsAsAuthentic::SingleAccessToken
       t.string    :single_access_token
+      t.index     :single_access_token, unique: true
 
       # Authlogic::ActsAsAuthentic::PerishableToken
       t.string    :perishable_token
+      t.index     :perishable_token, unique: true
 
       # Authlogic::Session::MagicColumns
       t.integer   :login_count, default: 0, null: false
@@ -183,15 +223,9 @@ class CreateUser < ActiveRecord::Migration
 end
 ```
 
-## Quick Rails example
+### 2.b. Controller
 
-What if creating sessions worked like an ORM library on the surface...
-
-``` ruby
-UserSession.create(params[:user_session])
-```
-
-What if your user sessions controller could look just like your other controllers...
+Your sessions controller will look just like your other controllers.
 
 ```ruby
 class UserSessionsController < ApplicationController
@@ -200,7 +234,7 @@ class UserSessionsController < ApplicationController
   end
 
   def create
-    @user_session = UserSession.new(params[:user_session])
+    @user_session = UserSession.new(user_session_params)
     if @user_session.save
       redirect_to account_url
     else
@@ -212,10 +246,37 @@ class UserSessionsController < ApplicationController
     current_user_session.destroy
     redirect_to new_user_session_url
   end
+
+  private
+
+  def user_session_params
+    params.require(:user_session).permit(:email, :password, :remember_me)
+  end
 end
 ```
 
-As you can see, this fits nicely into the RESTful development pattern. What about the view...
+As you can see, this fits nicely into the [conventional controller methods][9].
+
+#### 2.b.1. Helper Methods
+
+```ruby
+class ApplicationController
+  helper_method :current_user_session, :current_user
+
+  private
+    def current_user_session
+      return @current_user_session if defined?(@current_user_session)
+      @current_user_session = UserSession.find
+    end
+
+    def current_user
+      return @current_user if defined?(@current_user)
+      @current_user = current_user_session && current_user_session.user
+    end
+end
+```
+
+### 2.c. View
 
 ```erb
 <%= form_for @user_session do |f| %>
@@ -239,32 +300,18 @@ As you can see, this fits nicely into the RESTful development pattern. What abou
 <% end %>
 ```
 
-Or how about persisting the session...
+### 2.d. CSRF Protection
 
-```ruby
-class ApplicationController
-  helper_method :current_user_session, :current_user
-
-  private
-    def current_user_session
-      return @current_user_session if defined?(@current_user_session)
-      @current_user_session = UserSession.find
-    end
-
-    def current_user
-      return @current_user if defined?(@current_user)
-      @current_user = current_user_session && current_user_session.user
-    end
-end
-```
+Because Authlogic introduces its own methods for storing user sessions, the CSRF
+(Cross Site Request Forgery) protection that is built into Rails will not work
+out of the box.
 
-## CSRF Protection
+No generally applicable mitigation by the authlogic library is possible, because
+the instance variable you use to store a reference to the user session in `def
+current_user_session` will not be known to authlogic.
 
-Because Authlogic introduces its own methods for storing user sessions, the CSRF (Cross Site Request Forgery) protection that is built into Rails will not work out of the box.
-
-No generally applicable mitigation by the authlogic library is possible, because the instance variable you use to store a reference to the user session in `def current_user_session` will not be known to authlogic.
-
-You will need to override `ActionController::Base#handle_unverified_request` to do something appropriate to how your app handles user sessions, e.g.:
+You will need to override `ActionController::Base#handle_unverified_request` to
+do something appropriate to how your app handles user sessions, e.g.:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -283,12 +330,57 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-## Testing
+## 3. Testing
 
 See [Authlogic::TestCase](https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/test_case.rb)
 
-## Tell me quickly how Authlogic works
+## 4. Helpful links
 
-Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.
+* <b>API Reference:</b> http://www.rubydoc.info/github/binarylogic/authlogic
+* <b>Repository:</b> https://github.com/binarylogic/authlogic/tree/master
+* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
+* <b>Example repository with tutorial in README:</b> https://github.com/binarylogic/authlogic_example/tree/master
+* <b>Tutorial</b>: Rails Authentication with Authlogic https://www.sitepoint.com/rails-authentication-with-authlogic
+* <b>Issues:</b> https://github.com/binarylogic/authlogic/issues
+* <b>Chrome is not logging out on browser close</b> https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion
+
+## 5. Add-ons
+
+* <b>Authlogic OpenID addon:</b> https://github.com/binarylogic/authlogic_openid
+* <b>Authlogic LDAP addon:</b> https://github.com/binarylogic/authlogic_ldap
+* <b>Authlogic Facebook Connect:</b> https://github.com/kalasjocke/authlogic-facebook-connect
+* <b>Authlogic Facebook Connect (New JS API):</b> https://github.com/studybyte/authlogic_facebook_connect
+* <b>Authlogic Facebook Shim</b> https://github.com/james2m/authlogic_facebook_shim
+* <b>Authlogic OAuth (Twitter):</b> https://github.com/jrallison/authlogic_oauth
+* <b>Authlogic Oauth and OpenID:</b> https://github.com/lancejpollard/authlogic-connect
+* <b>Authlogic PAM:</b> https://github.com/nbudin/authlogic_pam
+* <b>Authlogic x509:</b> https://github.com/auth-scc/authlogic_x509
+
+If you create one of your own, please let us know about it so we can add it to
+this list. Or just fork the project, add your link, and send us a pull request.
+
+## 6. Internals
+
+Interested in how all of this all works? Think about an ActiveRecord model. A
+database connection must be established before you can use it. In the case of
+Authlogic, a controller connection must be established before you can use it. It
+uses that controller connection to modify cookies, the current session, login
+with HTTP basic, etc. It connects to the controller through a before filter that
+is automatically set in your controller which lets Authlogic know about the
+current controller object. Then Authlogic leverages that to do everything, it's
+a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the
+tools your framework provides in the controller object.
+
+## Intellectual Property
 
 Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license
+
+[1]: https://api.travis-ci.org/binarylogic/authlogic.svg?branch=master
+[2]: https://travis-ci.org/binarylogic/authlogic
+[3]: https://gemnasium.com/badges/github.com/binarylogic/authlogic.svg
+[4]: https://gemnasium.com/binarylogic/authlogic
+[5]: https://badge.fury.io/rb/authlogic.png
+[6]: http://badge.fury.io/rb/authlogic
+[7]: https://codeclimate.com/github/binarylogic/authlogic.png
+[8]: https://codeclimate.com/github/binarylogic/authlogic
+[9]: http://guides.rubyonrails.org/routing.html#resource-routing-the-rails-default