authlogic 3.8.0 → 4.0.0

data/lib/authlogic/session/base.rb

@@ -1,7 +1,18 @@
 module Authlogic
   module Session # :nodoc:
-    # This is the base class Authlogic, where all modules are included. For information on functionality see the various
-    # sub modules.
+    # This is the most important class in Authlogic. You will inherit this class
+    # for your own eg. `UserSession`.
+    #
+    # Code is organized topically. Each topic is represented by a module. So, to
+    # learn about password-based authentication, read the `Password` module.
+    #
+    # It is common for methods (.initialize and #credentials=, for example) to
+    # be implemented in multiple mixins. Those methods will call `super`, so the
+    # order of `include`s here is important.
+    #
+    # Also, to fully understand such a method (like #credentials=) you will need
+    # to mentally combine all of its definitions. This is perhaps the primary
+    # disadvantage of topical organization using modules.
     class Base
       include Foundation
       include Callbacks
@@ -15,8 +26,8 @@ module Authlogic
       include Session
       include HttpAuth
 
-      # Included in a specific order so magic states gets ran after a record is found
-      # TODO: What does "magic states gets ran" mean? Be specific.
+      # Included in a specific order so magic states gets run after a record is found
+      # TODO: What does "magic states gets run" mean? Be specific.
       include Password
       include UnauthorizedRecord
       include MagicStates

data/lib/authlogic/session/brute_force_protection.rb

@@ -25,8 +25,8 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :reset_failed_login_count, :if => :reset_failed_login_count?
-          validate :validate_failed_logins, :if => :being_brute_force_protected?
+          validate :reset_failed_login_count, if: :reset_failed_login_count?
+          validate :validate_failed_logins, if: :being_brute_force_protected?
         end
       end
 
@@ -73,15 +73,22 @@ module Authlogic
         # with configuration. By default they will be banned for 2 hours. During
         # that 2 hour period this method will return true.
         def being_brute_force_protected?
-          exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
-            (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+          exceeded_failed_logins_limit? &&
+            (
+              failed_login_ban_for <= 0 ||
+              attempted_record.respond_to?(:updated_at) &&
+              attempted_record.updated_at >= failed_login_ban_for.seconds.ago
+            )
         end
 
         private
 
           def exceeded_failed_logins_limit?
-            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
-              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
+            !attempted_record.nil? &&
+              attempted_record.respond_to?(:failed_login_count) &&
+              consecutive_failed_logins_limit > 0 &&
+              attempted_record.failed_login_count &&
+              attempted_record.failed_login_count >= consecutive_failed_logins_limit
           end
 
           def reset_failed_login_count?
@@ -100,7 +107,7 @@ module Authlogic
               :base,
               I18n.t(
                 'error_messages.consecutive_failed_logins_limit_exceeded',
-                :default => "Consecutive failed logins limit exceeded, account has been" +
+                default: "Consecutive failed logins limit exceeded, account has been" +
                   (failed_login_ban_for == 0 ? "" : " temporarily") +
                   " disabled."
               )

data/lib/authlogic/session/callbacks.rb

@@ -1,15 +1,18 @@
 module Authlogic
   module Session
-    # Between these callbacks and the configuration, this is the contract between me and you to safely
-    # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
+    # Between these callbacks and the configuration, this is the contract between me and
+    # you to safely modify Authlogic's behavior. I will do everything I can to make sure
+    # these do not change.
     #
-    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
-    # importantly they use the same API that you would use to extend Authlogic. That being said, they are great
-    # examples of how to extend Authlogic and add / modify behavior to Authlogic. These modules could easily be pulled out
-    # into their own plugin and become an "add on" without any change.
+    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and
+    # to the point. More importantly they use the same API that you would use to extend
+    # Authlogic. That being said, they are great examples of how to extend Authlogic and
+    # add / modify behavior to Authlogic. These modules could easily be pulled out into
+    # their own plugin and become an "add on" without any change.
     #
-    # Now to the point of this module. Just like in ActiveRecord you have before_save, before_validation, etc.
-    # You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
+    # Now to the point of this module. Just like in ActiveRecord you have before_save,
+    # before_validation, etc. You have similar callbacks with Authlogic, see the METHODS
+    # constant below. The order of execution is as follows:
     #
     #   before_persisting
     #   persist
@@ -38,9 +41,10 @@ module Authlogic
     #   destroy
     #   after_destroy
     #
-    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make
-    # changes to the associated record, there is no need to save the record, Authlogic will do it for you.
-    # This allows multiple modules to modify the record and execute as few queries as possible.
+    # Notice the "save record if changed?" lines above. This helps with performance. If
+    # you need to make changes to the associated record, there is no need to save the
+    # record, Authlogic will do it for you. This allows multiple modules to modify the
+    # record and execute as few queries as possible.
     #
     # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
     #
@@ -50,38 +54,57 @@ module Authlogic
     #     # ..etc
     #   end
     #
-    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic
-    # to extend properly with multiple extensions. Please ONLY use the method above.
+    # You can NOT define a "before_validation" method, this is bad practice and does not
+    # allow Authlogic to extend properly with multiple extensions. Please ONLY use the
+    # method above.
     module Callbacks
       METHODS = [
-        "before_persisting", "persist", "after_persisting",
-        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate",
-        "after_validation_on_update", "after_validation_on_create", "after_validation",
-        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
-        "before_destroy", "after_destroy"
-      ]
+        "before_persisting",
+        "persist",
+        "after_persisting",
+        "before_validation",
+        "before_validation_on_create",
+        "before_validation_on_update",
+        "validate",
+        "after_validation_on_update",
+        "after_validation_on_create",
+        "after_validation",
+        "before_save",
+        "before_create",
+        "before_update",
+        "after_update",
+        "after_create",
+        "after_save",
+        "before_destroy",
+        "after_destroy"
+      ].freeze
 
       def self.included(base) #:nodoc:
         base.send :include, ActiveSupport::Callbacks
         if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('5')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result_lambda) { result_lambda.call == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result_lambda) { result_lambda.call == true } }]
+          base.define_callbacks(
+            *METHODS + [{ terminator: ->(_target, result_lambda) { result_lambda.call == false } }]
+          )
+          base.define_callbacks(
+            'persist',
+            terminator: ->(_target, result_lambda) { result_lambda.call == true }
+          )
         elsif Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('4.1')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result) { result == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result) { result == true } }]
+          base.define_callbacks(*METHODS + [{ terminator: ->(_target, result) { result == false } }])
+          base.define_callbacks('persist', terminator: ->(_target, result) { result == true })
         else
-          base.define_callbacks *METHODS + [{ :terminator => 'result == false' }]
-          base.define_callbacks *['persist', { :terminator => 'result == true' }]
+          base.define_callbacks(*METHODS + [{ terminator: 'result == false' }])
+          base.define_callbacks('persist', terminator: 'result == true')
         end
 
         # If Rails 3, support the new callback syntax
         if base.singleton_class.method_defined?(:set_callback)
           METHODS.each do |method|
-            base.class_eval <<-"end_eval", __FILE__, __LINE__
+            base.class_eval <<-EOS, __FILE__, __LINE__
               def self.#{method}(*methods, &block)
                 set_callback :#{method}, *methods, &block
               end
-            end_eval
+            EOS
           end
         end
       end
@@ -89,16 +112,16 @@ module Authlogic
       private
 
         METHODS.each do |method|
-          class_eval <<-"end_eval", __FILE__, __LINE__
+          class_eval <<-EOS, __FILE__, __LINE__
             def #{method}
               run_callbacks(:#{method})
             end
-          end_eval
+          EOS
         end
 
         def save_record(alternate_record = nil)
           r = alternate_record || record
-          r.save_without_session_maintenance(:validate => false) if r && r.changed? && !r.readonly?
+          r.save_without_session_maintenance(validate: false) if r && r.changed? && !r.readonly?
         end
     end
   end

data/lib/authlogic/session/cookies.rb

@@ -3,6 +3,8 @@ module Authlogic
     # Handles all authentication that deals with cookies, such as persisting,
     # saving, and destroying.
     module Cookies
+      VALID_SAME_SITE_VALUES = [nil, 'Lax', 'Strict'].freeze
+
       def self.included(klass)
         klass.class_eval do
           extend Config
@@ -54,23 +56,37 @@ module Authlogic
         # Should the cookie be set as secure?  If true, the cookie will only be sent over
         # SSL connections
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def secure(value = nil)
-          rw_config(:secure, value, false)
+          rw_config(:secure, value, true)
         end
         alias_method :secure=, :secure
 
         # Should the cookie be set as httponly?  If true, the cookie will not be
         # accessible from javascript
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def httponly(value = nil)
-          rw_config(:httponly, value, false)
+          rw_config(:httponly, value, true)
         end
         alias_method :httponly=, :httponly
 
+        # Should the cookie be prevented from being send along with cross-site
+        # requests?
+        #
+        # * <tt>Default:</tt> nil
+        # * <tt>Accepts:</tt> String, one of nil, 'Lax' or 'Strict'
+        def same_site(value = nil)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          rw_config(:same_site, value)
+        end
+        alias_method :same_site=, :same_site
+
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
@@ -95,8 +111,8 @@ module Authlogic
               self.remember_me = values.first.with_indifferent_access[:remember_me]
             end
           else
-            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
-            self.remember_me = r if !r.nil?
+            r = values.find { |val| val.is_a?(TrueClass) || val.is_a?(FalseClass) }
+            self.remember_me = r unless r.nil?
           end
         end
 
@@ -172,6 +188,21 @@ module Authlogic
           httponly == true || httponly == "true" || httponly == "1"
         end
 
+        # If the cookie should be marked as SameSite with 'Lax' or 'Strict' flag.
+        def same_site
+          return @same_site if defined?(@same_site)
+          @same_site = self.class.same_site(nil)
+        end
+
+        # Accepts nil, 'Lax' or 'Strict' as possible flags.
+        def same_site=(value)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          @same_site = value
+        end
+
         # If the cookie should be signed
         def sign_cookie
           return @sign_cookie if defined?(@sign_cookie)
@@ -196,12 +227,16 @@ module Authlogic
           end
 
           def cookie_credentials
+            cookie = cookie_jar[cookie_key]
+            cookie && cookie.split("::")
+          end
+
+          def cookie_jar
             if self.class.sign_cookie
-              cookie = controller.cookies.signed[cookie_key]
+              controller.cookies.signed
             else
-              cookie = controller.cookies[cookie_key]
+              controller.cookies
             end
-            cookie && cookie.split("::")
           end
 
           # Tries to validate the session from information in the cookie
@@ -225,18 +260,24 @@ module Authlogic
           end
 
           def generate_cookie_for_saving
-            remember_me_until_value = "::#{remember_me_until.iso8601}" if remember_me?
+            value = format(
+              "%s::%s%s",
+              record.persistence_token,
+              record.send(record.class.primary_key),
+              remember_me? ? "::#{remember_me_until.iso8601}" : ""
+            )
             {
-              :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}#{remember_me_until_value}",
-              :expires => remember_me_until,
-              :secure => secure,
-              :httponly => httponly,
-              :domain => controller.cookie_domain
+              value: value,
+              expires: remember_me_until,
+              secure: secure,
+              httponly: httponly,
+              same_site: same_site,
+              domain: controller.cookie_domain
             }
           end
 
           def destroy_cookie
-            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
+            controller.cookies.delete cookie_key, domain: controller.cookie_domain
           end
       end
     end

data/lib/authlogic/session/existence.rb

@@ -1,10 +1,16 @@
 module Authlogic
   module Session
-    # Provides methods to create and destroy objects. Basically controls their "existence".
+    # Provides methods to create and destroy objects. Basically controls their
+    # "existence".
     module Existence
       class SessionInvalidError < ::StandardError # :nodoc:
         def initialize(session)
-          super("Your session is invalid and has the following errors: #{session.errors.full_messages.to_sentence}")
+          message = I18n.t(
+            'error_messages.session_invalid',
+            default: "Your session is invalid and has the following errors:"
+          )
+          message += " #{session.errors.full_messages.to_sentence}"
+          super message
         end
       end
 
@@ -40,8 +46,9 @@ module Authlogic
       end
 
       module InstanceMethods
-        # Clears all errors and the associated record, you should call this terminate a session, thus requiring
-        # the user to authenticate again if it is needed.
+        # Clears all errors and the associated record, you should call this
+        # terminate a session, thus requiring the user to authenticate again if
+        # it is needed.
         def destroy
           before_destroy
           save_record
@@ -51,16 +58,18 @@ module Authlogic
           true
         end
 
-        # Returns true if the session is new, meaning no action has been taken on it and a successful save
-        # has not taken place.
+        # Returns true if the session is new, meaning no action has been taken
+        # on it and a successful save has not taken place.
         def new_session?
           new_session != false
         end
 
-        # After you have specified all of the details for your session you can try to save it. This will
-        # run validation checks and find the associated record, if all validation passes. If validation
-        # does not pass, the save will fail and the errors will be stored in the errors object.
-        def save(&block)
+        # After you have specified all of the details for your session you can
+        # try to save it. This will run validation checks and find the
+        # associated record, if all validation passes. If validation does not
+        # pass, the save will fail and the errors will be stored in the errors
+        # object.
+        def save
           result = nil
           if valid?
             self.record = attempted_record
@@ -81,7 +90,8 @@ module Authlogic
           result
         end
 
-        # Same as save but raises an exception of validation errors when validation fails
+        # Same as save but raises an exception of validation errors when
+        # validation fails
         def save!
           result = save
           raise SessionInvalidError.new(self) unless result

data/lib/authlogic/session/foundation.rb

@@ -12,6 +12,37 @@ module Authlogic
       end
 
       module InstanceMethods
+        E_AC_PARAMETERS = <<-EOS.strip_heredoc.freeze
+          Passing an ActionController::Parameters to Authlogic is not allowed.
+
+          In Authlogic 3, especially during the transition of rails to Strong
+          Parameters, it was common for Authlogic users to forget to `permit`
+          their params. They would pass their params into Authlogic, we'd call
+          `to_h`, and they'd be surprised when authentication failed.
+
+          In 2018, people are still making this mistake. We'd like to help them
+          and make authlogic a little simpler at the same time, so in Authlogic
+          3.7.0, we deprecated the use of ActionController::Parameters. Instead,
+          pass a plain Hash. Please replace:
+
+              UserSession.new(user_session_params)
+              UserSession.create(user_session_params)
+
+          with
+
+              UserSession.new(user_session_params.to_h)
+              UserSession.create(user_session_params.to_h)
+
+          And don't forget to `permit`!
+
+          We discussed this issue thoroughly between late 2016 and early
+          2018. Notable discussions include:
+
+          - https://github.com/binarylogic/authlogic/issues/512
+          - https://github.com/binarylogic/authlogic/pull/558
+          - https://github.com/binarylogic/authlogic/pull/577
+        EOS
+
         def initialize(*args)
           self.credentials = args
         end
@@ -22,22 +53,37 @@ module Authlogic
           []
         end
 
-        # Set your credentials before you save your session. You can pass a hash of
-        # credentials:
+        # Set your credentials before you save your session. There are many
+        # method signatures.
         #
-        #   session.credentials = {:login => "my login", :password => "my password", :remember_me => true}
+        # ```
+        # # A hash of credentials is most common
+        # session.credentials = { login: "foo", password: "bar", remember_me: true }
         #
-        # or you can pass an array of objects:
+        # # You must pass an actual Hash, `ActionController::Parameters` is
+        # # specifically not allowed.
         #
-        #   session.credentials = [my_user_object, true]
+        # # You can pass an array of objects:
+        # session.credentials = [my_user_object, true]
         #
-        # and if you need to set an id, just pass it last. This value need be the last
-        # item in the array you pass, since the id is something that you control yourself,
-        # it should never be set from a hash or a form. Examples:
+        # # If you need to set an id (see `Authlogic::Session::Id`) pass it
+        # # last. It needs be the last item in the array you pass, since the id
+        # # is something that you control yourself, it should never be set from
+        # # a hash or a form. Examples:
+        # session.credentials = [
+        #   {:login => "foo", :password => "bar", :remember_me => true},
+        #   :my_id
+        # ]
+        # session.credentials = [my_user_object, true, :my_id]
         #
-        #   session.credentials = [{:login => "my login", :password => "my password", :remember_me => true}, :my_id]
-        #   session.credentials = [my_user_object, true, :my_id]
+        # # Finally, there's priority_record
+        # [{ priority_record: my_object }, :my_id]
+        # ```
         def credentials=(values)
+          normalized = Array.wrap(values)
+          if normalized.first.class.name == "ActionController::Parameters"
+            raise TypeError.new(E_AC_PARAMETERS)
+          end
         end
 
         def inspect