authlogic 3.8.0 → 4.5.0

data/lib/authlogic/session/callbacks.rb

@@ -1,15 +1,18 @@
 module Authlogic
   module Session
-    # Between these callbacks and the configuration, this is the contract between me and you to safely
-    # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
+    # Between these callbacks and the configuration, this is the contract between me and
+    # you to safely modify Authlogic's behavior. I will do everything I can to make sure
+    # these do not change.
     #
-    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
-    # importantly they use the same API that you would use to extend Authlogic. That being said, they are great
-    # examples of how to extend Authlogic and add / modify behavior to Authlogic. These modules could easily be pulled out
-    # into their own plugin and become an "add on" without any change.
+    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and
+    # to the point. More importantly they use the same API that you would use to extend
+    # Authlogic. That being said, they are great examples of how to extend Authlogic and
+    # add / modify behavior to Authlogic. These modules could easily be pulled out into
+    # their own plugin and become an "add on" without any change.
     #
-    # Now to the point of this module. Just like in ActiveRecord you have before_save, before_validation, etc.
-    # You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
+    # Now to the point of this module. Just like in ActiveRecord you have before_save,
+    # before_validation, etc. You have similar callbacks with Authlogic, see the METHODS
+    # constant below. The order of execution is as follows:
     #
     #   before_persisting
     #   persist
@@ -38,9 +41,10 @@ module Authlogic
     #   destroy
     #   after_destroy
     #
-    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make
-    # changes to the associated record, there is no need to save the record, Authlogic will do it for you.
-    # This allows multiple modules to modify the record and execute as few queries as possible.
+    # Notice the "save record if changed?" lines above. This helps with performance. If
+    # you need to make changes to the associated record, there is no need to save the
+    # record, Authlogic will do it for you. This allows multiple modules to modify the
+    # record and execute as few queries as possible.
     #
     # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
     #
@@ -50,56 +54,100 @@ module Authlogic
     #     # ..etc
     #   end
     #
-    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic
-    # to extend properly with multiple extensions. Please ONLY use the method above.
+    # You can NOT define a "before_validation" method, this is bad practice and does not
+    # allow Authlogic to extend properly with multiple extensions. Please ONLY use the
+    # method above.
     module Callbacks
-      METHODS = [
-        "before_persisting", "persist", "after_persisting",
-        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate",
-        "after_validation_on_update", "after_validation_on_create", "after_validation",
-        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
-        "before_destroy", "after_destroy"
-      ]
+      METHODS = %w[
+        before_persisting
+        persist
+        after_persisting
+        before_validation
+        before_validation_on_create
+        before_validation_on_update
+        validate
+        after_validation_on_update
+        after_validation_on_create
+        after_validation
+        before_save
+        before_create
+        before_update
+        after_update
+        after_create
+        after_save
+        before_destroy
+        after_destroy
+      ].freeze
 
-      def self.included(base) #:nodoc:
-        base.send :include, ActiveSupport::Callbacks
-        if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('5')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result_lambda) { result_lambda.call == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result_lambda) { result_lambda.call == true } }]
-        elsif Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('4.1')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result) { result == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result) { result == true } }]
-        else
-          base.define_callbacks *METHODS + [{ :terminator => 'result == false' }]
-          base.define_callbacks *['persist', { :terminator => 'result == true' }]
+      class << self
+        def included(base) #:nodoc:
+          base.send :include, ActiveSupport::Callbacks
+          define_session_callbacks(base)
+          define_session_callback_installation_methods(base)
         end
 
-        # If Rails 3, support the new callback syntax
-        if base.singleton_class.method_defined?(:set_callback)
+        private
+
+        # Defines the "callback installation methods". Other modules will use
+        # these class methods to install their callbacks. Examples:
+        #
+        # ```
+        # # session/timeout.rb, in `included`
+        # before_persisting :reset_stale_state
+        #
+        # # session/password.rb, in `included`
+        # validate :validate_by_password, if: :authenticating_with_password?
+        # ```
+        def define_session_callback_installation_methods(base)
           METHODS.each do |method|
-            base.class_eval <<-"end_eval", __FILE__, __LINE__
-              def self.#{method}(*methods, &block)
-                set_callback :#{method}, *methods, &block
+            base.class_eval <<-EOS, __FILE__, __LINE__ + 1
+              def self.#{method}(*filter_list, &block)
+                set_callback(:#{method}, *filter_list, &block)
               end
-            end_eval
+            EOS
           end
         end
-      end
 
-      private
+        # Defines session life cycle events that support callbacks.
+        def define_session_callbacks(base)
+          if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new("5")
+            base.define_callbacks(
+              *METHODS,
+              terminator: ->(_target, result_lambda) { result_lambda.call == false }
+            )
+            base.define_callbacks(
+              "persist",
+              terminator: ->(_target, result_lambda) { result_lambda.call == true }
+            )
+          else
+            base.define_callbacks(
+              *METHODS,
+              terminator: ->(_target, result) { result == false }
+            )
+            base.define_callbacks(
+              "persist",
+              terminator: ->(_target, result) { result == true }
+            )
+          end
+        end
+      end
 
-        METHODS.each do |method|
-          class_eval <<-"end_eval", __FILE__, __LINE__
+      METHODS.each do |method|
+        class_eval(
+          <<-EOS, __FILE__, __LINE__ + 1
             def #{method}
               run_callbacks(:#{method})
             end
-          end_eval
-        end
+          EOS
+        )
+      end
 
-        def save_record(alternate_record = nil)
-          r = alternate_record || record
-          r.save_without_session_maintenance(:validate => false) if r && r.changed? && !r.readonly?
+      def save_record(alternate_record = nil)
+        r = alternate_record || record
+        if r&.changed? && !r.readonly?
+          r.save_without_session_maintenance(validate: false)
         end
+      end
     end
   end
 end

data/lib/authlogic/session/cookies.rb

@@ -3,6 +3,8 @@ module Authlogic
     # Handles all authentication that deals with cookies, such as persisting,
     # saving, and destroying.
     module Cookies
+      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict", "None"].freeze
+
       def self.included(klass)
         klass.class_eval do
           extend Config
@@ -54,23 +56,37 @@ module Authlogic
         # Should the cookie be set as secure?  If true, the cookie will only be sent over
         # SSL connections
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def secure(value = nil)
-          rw_config(:secure, value, false)
+          rw_config(:secure, value, true)
         end
         alias_method :secure=, :secure
 
         # Should the cookie be set as httponly?  If true, the cookie will not be
         # accessible from javascript
         #
-        # * <tt>Default:</tt> false
+        # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def httponly(value = nil)
-          rw_config(:httponly, value, false)
+          rw_config(:httponly, value, true)
         end
         alias_method :httponly=, :httponly
 
+        # Should the cookie be prevented from being send along with cross-site
+        # requests?
+        #
+        # * <tt>Default:</tt> nil
+        # * <tt>Accepts:</tt> String, one of nil, 'Lax' or 'Strict'
+        def same_site(value = nil)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          rw_config(:same_site, value)
+        end
+        alias_method :same_site=, :same_site
+
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
@@ -80,6 +96,20 @@ module Authlogic
           rw_config(:sign_cookie, value, false)
         end
         alias_method :sign_cookie=, :sign_cookie
+
+        # Should the cookie be encrypted? If the controller adapter supports it, this is a
+        # measure to hide the contents of the cookie (e.g. persistence_token)"
+        def encrypt_cookie(value = nil)
+          if value && !controller.cookies.respond_to?(:encrypted)
+            raise "Encrypted cookies not supported with #{controller.class}!"
+          end
+          if value && sign_cookie
+            raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
+                  "You may not enable both options."
+          end
+          rw_config(:encrypt_cookie, value, false)
+        end
+        alias_method :encrypt_cookie=, :encrypt_cookie
       end
 
       # The methods available for an Authlogic::Session::Base object that make up the
@@ -95,8 +125,8 @@ module Authlogic
               self.remember_me = values.first.with_indifferent_access[:remember_me]
             end
           else
-            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
-            self.remember_me = r if !r.nil?
+            r = values.find { |val| val.is_a?(TrueClass) || val.is_a?(FalseClass) }
+            self.remember_me = r unless r.nil?
           end
         end
 
@@ -172,6 +202,21 @@ module Authlogic
           httponly == true || httponly == "true" || httponly == "1"
         end
 
+        # If the cookie should be marked as SameSite with 'Lax' or 'Strict' flag.
+        def same_site
+          return @same_site if defined?(@same_site)
+          @same_site = self.class.same_site(nil)
+        end
+
+        # Accepts nil, 'Lax' or 'Strict' as possible flags.
+        def same_site=(value)
+          unless VALID_SAME_SITE_VALUES.include?(value)
+            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
+            raise ArgumentError.new(msg)
+          end
+          @same_site = value
+        end
+
         # If the cookie should be signed
         def sign_cookie
           return @sign_cookie if defined?(@sign_cookie)
@@ -189,55 +234,95 @@ module Authlogic
           sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
         end
 
+        # If the cookie should be encrypted
+        def encrypt_cookie
+          return @encrypt_cookie if defined?(@encrypt_cookie)
+          @encrypt_cookie = self.class.encrypt_cookie
+        end
+
+        # Accepts a boolean as to whether the cookie should be encrypted.  If true
+        # the cookie will be saved in an encrypted state.
+        def encrypt_cookie=(value)
+          @encrypt_cookie = value
+        end
+
+        # See encrypt_cookie
+        def encrypt_cookie?
+          encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
+        end
+
         private
 
-          def cookie_key
-            build_key(self.class.cookie_key)
-          end
+        def cookie_key
+          build_key(self.class.cookie_key)
+        end
 
-          def cookie_credentials
-            if self.class.sign_cookie
-              cookie = controller.cookies.signed[cookie_key]
-            else
-              cookie = controller.cookies[cookie_key]
-            end
-            cookie && cookie.split("::")
-          end
+        # Returns an array of cookie elements. See cookie format in
+        # `generate_cookie_for_saving`. If no cookie is found, returns nil.
+        def cookie_credentials
+          cookie = cookie_jar[cookie_key]
+          cookie&.split("::")
+        end
 
-          # Tries to validate the session from information in the cookie
-          def persist_by_cookie
-            persistence_token, record_id = cookie_credentials
-            if persistence_token.present?
-              record = search_for_record("find_by_#{klass.primary_key}", record_id)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
-              valid?
-            else
-              false
-            end
+        # The third element of the cookie indicates whether the user wanted
+        # to be remembered (Actually, it's a timestamp, `remember_me_until`)
+        # See cookie format in `generate_cookie_for_saving`.
+        def cookie_credentials_remember_me?
+          !cookie_credentials.nil? && !cookie_credentials[2].nil?
+        end
+
+        def cookie_jar
+          if self.class.encrypt_cookie
+            controller.cookies.encrypted
+          elsif self.class.sign_cookie
+            controller.cookies.signed
+          else
+            controller.cookies
           end
+        end
 
-          def save_cookie
-            if sign_cookie?
-              controller.cookies.signed[cookie_key] = generate_cookie_for_saving
-            else
-              controller.cookies[cookie_key] = generate_cookie_for_saving
+        # Tries to validate the session from information in the cookie
+        def persist_by_cookie
+          persistence_token, record_id = cookie_credentials
+          if persistence_token.present?
+            record = search_for_record("find_by_#{klass.primary_key}", record_id)
+            if record && record.persistence_token == persistence_token
+              self.unauthorized_record = record
             end
+            valid?
+          else
+            false
           end
+        end
 
-          def generate_cookie_for_saving
-            remember_me_until_value = "::#{remember_me_until.iso8601}" if remember_me?
-            {
-              :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}#{remember_me_until_value}",
-              :expires => remember_me_until,
-              :secure => secure,
-              :httponly => httponly,
-              :domain => controller.cookie_domain
-            }
-          end
+        def save_cookie
+          cookie_jar[cookie_key] = generate_cookie_for_saving
+          true
+        end
 
-          def destroy_cookie
-            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
-          end
+        def generate_cookie_for_saving
+          {
+            value: generate_cookie_value,
+            expires: remember_me_until,
+            secure: secure,
+            httponly: httponly,
+            same_site: same_site,
+            domain: controller.cookie_domain
+          }
+        end
+
+        def generate_cookie_value
+          format(
+            "%s::%s%s",
+            record.persistence_token.to_s,
+            record.send(record.class.primary_key).to_s,
+            remember_me? ? "::#{remember_me_until.iso8601}" : ""
+          )
+        end
+
+        def destroy_cookie
+          controller.cookies.delete cookie_key, domain: controller.cookie_domain
+        end
       end
     end
   end

data/lib/authlogic/session/existence.rb

@@ -1,10 +1,16 @@
 module Authlogic
   module Session
-    # Provides methods to create and destroy objects. Basically controls their "existence".
+    # Provides methods to create and destroy objects. Basically controls their
+    # "existence".
     module Existence
       class SessionInvalidError < ::StandardError # :nodoc:
         def initialize(session)
-          super("Your session is invalid and has the following errors: #{session.errors.full_messages.to_sentence}")
+          message = I18n.t(
+            "error_messages.session_invalid",
+            default: "Your session is invalid and has the following errors:"
+          )
+          message += " #{session.errors.full_messages.to_sentence}"
+          super message
         end
       end
 
@@ -40,8 +46,9 @@ module Authlogic
       end
 
       module InstanceMethods
-        # Clears all errors and the associated record, you should call this terminate a session, thus requiring
-        # the user to authenticate again if it is needed.
+        # Clears all errors and the associated record, you should call this
+        # terminate a session, thus requiring the user to authenticate again if
+        # it is needed.
         def destroy
           before_destroy
           save_record
@@ -51,16 +58,18 @@ module Authlogic
           true
         end
 
-        # Returns true if the session is new, meaning no action has been taken on it and a successful save
-        # has not taken place.
+        # Returns true if the session is new, meaning no action has been taken
+        # on it and a successful save has not taken place.
         def new_session?
           new_session != false
         end
 
-        # After you have specified all of the details for your session you can try to save it. This will
-        # run validation checks and find the associated record, if all validation passes. If validation
-        # does not pass, the save will fail and the errors will be stored in the errors object.
-        def save(&block)
+        # After you have specified all of the details for your session you can
+        # try to save it. This will run validation checks and find the
+        # associated record, if all validation passes. If validation does not
+        # pass, the save will fail and the errors will be stored in the errors
+        # object.
+        def save
           result = nil
           if valid?
             self.record = attempted_record
@@ -81,7 +90,8 @@ module Authlogic
           result
         end
 
-        # Same as save but raises an exception of validation errors when validation fails
+        # Same as save but raises an exception of validation errors when
+        # validation fails
         def save!
           result = save
           raise SessionInvalidError.new(self) unless result

data/lib/authlogic/session/foundation.rb

@@ -12,6 +12,37 @@ module Authlogic
       end
 
       module InstanceMethods
+        E_AC_PARAMETERS = <<~EOS.freeze
+          Passing an ActionController::Parameters to Authlogic is not allowed.
+
+          In Authlogic 3, especially during the transition of rails to Strong
+          Parameters, it was common for Authlogic users to forget to `permit`
+          their params. They would pass their params into Authlogic, we'd call
+          `to_h`, and they'd be surprised when authentication failed.
+
+          In 2018, people are still making this mistake. We'd like to help them
+          and make authlogic a little simpler at the same time, so in Authlogic
+          3.7.0, we deprecated the use of ActionController::Parameters. Instead,
+          pass a plain Hash. Please replace:
+
+              UserSession.new(user_session_params)
+              UserSession.create(user_session_params)
+
+          with
+
+              UserSession.new(user_session_params.to_h)
+              UserSession.create(user_session_params.to_h)
+
+          And don't forget to `permit`!
+
+          We discussed this issue thoroughly between late 2016 and early
+          2018. Notable discussions include:
+
+          - https://github.com/binarylogic/authlogic/issues/512
+          - https://github.com/binarylogic/authlogic/pull/558
+          - https://github.com/binarylogic/authlogic/pull/577
+        EOS
+
         def initialize(*args)
           self.credentials = args
         end
@@ -22,33 +53,52 @@ module Authlogic
           []
         end
 
-        # Set your credentials before you save your session. You can pass a hash of
-        # credentials:
+        # Set your credentials before you save your session. There are many
+        # method signatures.
         #
-        #   session.credentials = {:login => "my login", :password => "my password", :remember_me => true}
+        # ```
+        # # A hash of credentials is most common
+        # session.credentials = { login: "foo", password: "bar", remember_me: true }
         #
-        # or you can pass an array of objects:
+        # # You must pass an actual Hash, `ActionController::Parameters` is
+        # # specifically not allowed.
         #
-        #   session.credentials = [my_user_object, true]
+        # # You can pass an array of objects:
+        # session.credentials = [my_user_object, true]
         #
-        # and if you need to set an id, just pass it last. This value need be the last
-        # item in the array you pass, since the id is something that you control yourself,
-        # it should never be set from a hash or a form. Examples:
+        # # If you need to set an id (see `Authlogic::Session::Id`) pass it
+        # # last. It needs be the last item in the array you pass, since the id
+        # # is something that you control yourself, it should never be set from
+        # # a hash or a form. Examples:
+        # session.credentials = [
+        #   {:login => "foo", :password => "bar", :remember_me => true},
+        #   :my_id
+        # ]
+        # session.credentials = [my_user_object, true, :my_id]
         #
-        #   session.credentials = [{:login => "my login", :password => "my password", :remember_me => true}, :my_id]
-        #   session.credentials = [my_user_object, true, :my_id]
+        # # Finally, there's priority_record
+        # [{ priority_record: my_object }, :my_id]
+        # ```
         def credentials=(values)
+          normalized = Array.wrap(values)
+          if normalized.first.class.name == "ActionController::Parameters"
+            raise TypeError.new(E_AC_PARAMETERS)
+          end
         end
 
         def inspect
-          "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
+          format(
+            "#<%s: %s>",
+            self.class.name,
+            credentials.blank? ? "no credentials provided" : credentials.inspect
+          )
         end
 
         private
 
-          def build_key(last_part)
-            last_part
-          end
+        def build_key(last_part)
+          last_part
+        end
       end
     end
   end