authlogic 3.8.0 → 4.0.0

data/lib/authlogic/session/http_auth.rb

@@ -1,17 +1,19 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol:
+    # Handles all authentication that deals with basic HTTP auth. Which is
+    # authentication built into the HTTP protocol:
     #
     #   http://username:password@whatever.com
     #
-    # Also, if you are not comfortable letting users pass their raw username and password you can always use the single
-    # access token. See Authlogic::Session::Params for more info.
+    # Also, if you are not comfortable letting users pass their raw username and
+    # password you can always use the single access token. See
+    # Authlogic::Session::Params for more info.
     module HttpAuth
       def self.included(klass)
         klass.class_eval do
           extend Config
           include InstanceMethods
-          persist :persist_by_http_auth, :if => :persist_by_http_auth?
+          persist :persist_by_http_auth, if: :persist_by_http_auth?
         end
       end
 
@@ -19,13 +21,15 @@ module Authlogic
       module Config
         # Do you want to allow your users to log in via HTTP basic auth?
         #
-        # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable
-        # having your users provide their raw username and password. Whatever the reason, you can disable it here.
+        # I recommend keeping this enabled. The only time I feel this should be
+        # disabled is if you are not comfortable having your users provide their
+        # raw username and password. Whatever the reason, you can disable it
+        # here.
         #
         # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def allow_http_basic_auth(value = nil)
-          rw_config(:allow_http_basic_auth, value, true)
+          rw_config(:allow_http_basic_auth, value, false)
         end
         alias_method :allow_http_basic_auth=, :allow_http_basic_auth
 
@@ -83,7 +87,10 @@ module Authlogic
             end
 
             if self.class.request_http_basic_auth
-              controller.authenticate_or_request_with_http_basic(self.class.http_basic_auth_realm, &login_proc)
+              controller.authenticate_or_request_with_http_basic(
+                self.class.http_basic_auth_realm,
+                &login_proc
+              )
             else
               controller.authenticate_with_http_basic(&login_proc)
             end

data/lib/authlogic/session/klass.rb

@@ -16,7 +16,8 @@ module Authlogic
       module Config
         # Lets you change which model to use for authentication.
         #
-        # * <tt>Default:</tt> inferred from the class name. UserSession would automatically try User
+        # * <tt>Default:</tt> inferred from the class name. UserSession would
+        #   automatically try User
         # * <tt>Accepts:</tt> an ActiveRecord class
         def authenticate_with(klass)
           @klass_name = klass.name
@@ -24,9 +25,10 @@ module Authlogic
         end
         alias_method :authenticate_with=, :authenticate_with
 
-        # The name of the class that this session is authenticating with. For example, the UserSession class will
-        # authenticate with the User class unless you specify otherwise in your configuration. See authenticate_with
-        # for information on how to change this value.
+        # The name of the class that this session is authenticating with. For
+        # example, the UserSession class will authenticate with the User class
+        # unless you specify otherwise in your configuration. See
+        # authenticate_with for information on how to change this value.
         def klass
           @klass ||= klass_name ? klass_name.constantize : nil
         end
@@ -48,7 +50,7 @@ module Authlogic
         #
         #   session.record
         def initialize(*args)
-          if !self.class.configured_klass_methods
+          unless self.class.configured_klass_methods
             self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
             self.class.configured_klass_methods = true
           end

data/lib/authlogic/session/magic_columns.rb

@@ -19,10 +19,10 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          after_persisting :set_last_request_at, :if => :set_last_request_at?
+          after_persisting :set_last_request_at, if: :set_last_request_at?
           validate :increase_failed_login_count
           before_save :update_info
-          before_save :set_last_request_at, :if => :set_last_request_at?
+          before_save :set_last_request_at, if: :set_last_request_at?
         end
       end
 
@@ -47,6 +47,12 @@ module Authlogic
       module InstanceMethods
         private
 
+          def clear_failed_login_count
+            if record.respond_to?(:failed_login_count)
+              record.failed_login_count = 0
+            end
+          end
+
           def increase_failed_login_count
             if invalid_password? && attempted_record.respond_to?(:failed_login_count)
               attempted_record.failed_login_count ||= 0
@@ -54,24 +60,31 @@ module Authlogic
             end
           end
 
-          def update_info
+          def increment_login_cout
             if record.respond_to?(:login_count)
               record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
             end
+          end
 
-            if record.respond_to?(:failed_login_count)
-              record.failed_login_count = 0
+          def update_info
+            increment_login_cout
+            clear_failed_login_count
+            update_login_timestamps
+            update_login_ip_addresses
+          end
+
+          def update_login_ip_addresses
+            if record.respond_to?(:current_login_ip)
+              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+              record.current_login_ip = controller.request.ip
             end
+          end
 
+          def update_login_timestamps
             if record.respond_to?(:current_login_at)
               record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
               record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
             end
-
-            if record.respond_to?(:current_login_ip)
-              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-              record.current_login_ip = controller.request.ip
-            end
           end
 
           # This method lets authlogic know whether it should allow the
@@ -92,7 +105,7 @@ module Authlogic
           #   end
           #
           # You can do whatever you want with that method.
-          def set_last_request_at? # :doc:
+          def set_last_request_at?
             if !record || !klass.column_names.include?("last_request_at")
               return false
             end

data/lib/authlogic/session/magic_states.rb

@@ -25,7 +25,7 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_magic_states, :unless => :disable_magic_states?
+          validate :validate_magic_states, unless: :disable_magic_states?
         end
       end
 
@@ -54,15 +54,22 @@ module Authlogic
             self.class.disable_magic_states == true
           end
 
+          # @api private
+          def required_magic_states_for(record)
+            [:active, :approved, :confirmed].select { |state|
+              record.respond_to?("#{state}?")
+            }
+          end
+
           def validate_magic_states
             return true if attempted_record.nil?
-            [:active, :approved, :confirmed].each do |required_status|
-              if attempted_record.respond_to?("#{required_status}?") && !attempted_record.send("#{required_status}?")
+            required_magic_states_for(attempted_record).each do |required_status|
+              unless attempted_record.send("#{required_status}?")
                 errors.add(
                   :base,
                   I18n.t(
                     "error_messages.not_#{required_status}",
-                    :default => "Your account is not #{required_status}"
+                    default: "Your account is not #{required_status}"
                   )
                 )
                 return false

data/lib/authlogic/session/params.rb

@@ -66,7 +66,11 @@ module Authlogic
         # * <tt>Accepts:</tt> String of a request type, or :all or :any to
         #   allow single access authentication for any and all request types
         def single_access_allowed_request_types(value = nil)
-          rw_config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
+          rw_config(
+            :single_access_allowed_request_types,
+            value,
+            ["application/rss+xml", "application/atom+xml"]
+          )
         end
         alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
       end
@@ -77,7 +81,7 @@ module Authlogic
         private
 
           def persist_by_params
-            return false if !params_enabled?
+            return false unless params_enabled?
             self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
             self.single_access = valid?
           end

data/lib/authlogic/session/password.rb

@@ -6,7 +6,7 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_by_password, :if => :authenticating_with_password?
+          validate :validate_by_password, if: :authenticating_with_password?
 
           class << self
             attr_accessor :configured_password_methods
@@ -127,42 +127,10 @@ module Authlogic
         alias_method :verify_password_method=, :verify_password_method
       end
 
-      # Password-related instance methods
+      # Password related instance methods
       module InstanceMethods
-        E_AC_PARAMETERS = <<-STR.strip_heredoc.freeze
-          You have passed an ActionController::Parameters to Authlogic 3. That's
-          OK for now, but in Authlogic 4, it will raise an error. Please
-          replace:
-
-              UserSession.new(user_session_params)
-              UserSession.create(user_session_params)
-
-          with
-
-              UserSession.new(user_session_params.to_h)
-              UserSession.create(user_session_params.to_h)
-
-          And don't forget to `permit`!
-
-          During the transition of rails to Strong Parameters, it has been
-          common for Authlogic users to forget to `permit` their params. They
-          would pass their params into Authlogic, we'd call `to_h`, and they'd
-          be surprised when authentication failed.
-
-          In 2018, people are still making this mistake. We'd like to help them
-          and make authlogic a little simpler at the same time, so in Authlogic
-          3.7.0, we deprecated the use of ActionController::Parameters.
-
-          We discussed this issue thoroughly between late 2016 and early
-          2018. Notable discussions include:
-
-          - https://github.com/binarylogic/authlogic/issues/512
-          - https://github.com/binarylogic/authlogic/pull/558
-          - https://github.com/binarylogic/authlogic/pull/577
-        STR
-
         def initialize(*args)
-          if !self.class.configured_password_methods
+          unless self.class.configured_password_methods
             configure_password_methods
             self.class.configured_password_methods = true
           end
@@ -184,14 +152,19 @@ module Authlogic
 
         # Accepts the login_field / password_field credentials combination in
         # hash form.
+        #
+        # You must pass an actual Hash, `ActionController::Parameters` is
+        # specifically not allowed.
+        #
+        # See `Authlogic::Session::Foundation#credentials=` for an overview of
+        # all method signatures.
         def credentials=(value)
           super
-          values = parse_param_val(value) # add strong parameters check
-
+          values = Array.wrap(value)
           if values.first.is_a?(Hash)
-            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-              next if value.blank?
-              send("#{field}=", value)
+            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, val|
+              next if val.blank?
+              send("#{field}=", val)
             end
           end
         end
@@ -202,26 +175,42 @@ module Authlogic
 
         private
 
+          def add_invalid_password_error
+            if generalize_credentials_error_messages?
+              add_general_credentials_error
+            else
+              errors.add(password_field, I18n.t('error_messages.password_invalid', default: "is not valid"))
+            end
+          end
+
+          def add_login_not_found_error
+            if generalize_credentials_error_messages?
+              add_general_credentials_error
+            else
+              errors.add(login_field, I18n.t('error_messages.login_not_found', default: "is not valid"))
+            end
+          end
+
           def configure_password_methods
             if login_field
-              self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
-              self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
+              self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
+              self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
             end
 
             if password_field
-              self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
-              self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
+              self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
+              self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
 
               # The password should not be accessible publicly. This way forms
               # using form_for don't fill the password with the attempted
               # password. To prevent this we just create this method that is
               # private.
-              self.class.class_eval <<-"end_eval", __FILE__, __LINE__
+              self.class.class_eval <<-EOS, __FILE__, __LINE__
                 private
                   def protected_#{password_field}
                     @#{password_field}
                   end
-              end_eval
+              EOS
             end
           end
 
@@ -234,27 +223,23 @@ module Authlogic
 
             # check for blank fields
             if send(login_field).blank?
-              errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank"))
+              errors.add(login_field, I18n.t('error_messages.login_blank', default: "cannot be blank"))
             end
             if send("protected_#{password_field}").blank?
-              errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank"))
+              errors.add(password_field, I18n.t('error_messages.password_blank', default: "cannot be blank"))
             end
             return if errors.count > 0
 
             self.attempted_record = search_for_record(find_by_login_method, send(login_field))
             if attempted_record.blank?
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
+              add_login_not_found_error
               return
             end
 
             # check for invalid password
-            if !attempted_record.send(verify_password_method, send("protected_#{password_field}"))
+            unless attempted_record.send(verify_password_method, send("protected_#{password_field}"))
               self.invalid_password = true
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
+              add_invalid_password_error
               return
             end
           end
@@ -271,12 +256,12 @@ module Authlogic
 
           def add_general_credentials_error
             error_message =
-            if self.class.generalize_credentials_error_messages.is_a? String
-              self.class.generalize_credentials_error_messages
-            else
-              "#{login_field.to_s.humanize}/Password combination is not valid"
-            end
-            errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
+              if self.class.generalize_credentials_error_messages.is_a? String
+                self.class.generalize_credentials_error_messages
+              else
+                "#{login_field.to_s.humanize}/Password combination is not valid"
+              end
+            errors.add(:base, I18n.t('error_messages.general_credentials_error', default: error_message))
           end
 
           def generalize_credentials_error_messages?
@@ -290,18 +275,6 @@ module Authlogic
           def verify_password_method
             self.class.verify_password_method
           end
-
-          # In Rails 5 the ActionController::Parameters no longer inherits from HashWithIndifferentAccess.
-          # See: http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#actioncontroller-parameters-no-longer-inherits-from-hashwithindifferentaccess
-          # This method converts the ActionController::Parameters to a Hash
-          def parse_param_val(value)
-            if value.first.class.name == "ActionController::Parameters"
-              ActiveSupport::Deprecation.warn(E_AC_PARAMETERS)
-              [value.first.to_h]
-            else
-              value.is_a?(Array) ? value : [value]
-            end
-          end
       end
     end
   end

data/lib/authlogic/session/persistence.rb

@@ -34,22 +34,26 @@ module Authlogic
         #
         # See the id method for more information on ids.
         def find(id = nil, priority_record = nil)
-          session = new({ :priority_record => priority_record }, id)
+          session = new({ priority_record: priority_record }, id)
           session.priority_record = priority_record
           if session.persisting?
             session
-          else
-            nil
           end
         end
       end
 
       module InstanceMethods
-        # Let's you know if the session is being persisted or not, meaning the user does not have to explicitly log in
-        # in order to be logged in. If the session has no associated record, it will try to find a record and persist
-        # the session. This is the method that the class level method find uses to ultimately persist the session.
+        # Returns boolean indicating if the session is being persisted or not,
+        # meaning the user does not have to explicitly log in in order to be
+        # logged in.
+        #
+        # If the session has no associated record, it will try to find a record
+        # and persist the session.
+        #
+        # This is the method that the class level method find uses to ultimately
+        # persist the session.
         def persisting?
-          return true if !record.nil?
+          return true unless record.nil?
           self.attempted_record = nil
           self.remember_me = !cookie_credentials.nil? && !cookie_credentials[2].nil?
           before_persisting

data/lib/authlogic/session/priority_record.rb

@@ -1,8 +1,10 @@
 module Authlogic
   module Session
-    # The point of this module is to avoid the StaleObjectError raised when lock_version is implemented in ActiveRecord.
-    # We accomplish this by using a "priority record". Meaning this record is used if possible, it gets priority.
-    # This way we don't save a record behind the scenes thus making an object being used stale.
+    # The point of this module is to avoid the StaleObjectError raised when
+    # lock_version is implemented in ActiveRecord. We accomplish this by using a
+    # "priority record". Meaning this record is used if possible, it gets
+    # priority. This way we don't save a record behind the scenes thus making an
+    # object being used stale.
     module PriorityRecord
       def self.included(klass)
         klass.class_eval do
@@ -10,7 +12,8 @@ module Authlogic
         end
       end
 
-      # Setting priority record if it is passed. The only way it can be passed is through an array:
+      # Setting priority record if it is passed. The only way it can be passed
+      # is through an array:
       #
       #   session.credentials = [real_user_object, priority_user_object]
       def credentials=(value)