authlogic 3.8.0 → 4.5.0

data/lib/authlogic/session/http_auth.rb

@@ -1,17 +1,19 @@
 module Authlogic
   module Session
-    # Handles all authentication that deals with basic HTTP auth. Which is authentication built into the HTTP protocol:
+    # Handles all authentication that deals with basic HTTP auth. Which is
+    # authentication built into the HTTP protocol:
     #
     #   http://username:password@whatever.com
     #
-    # Also, if you are not comfortable letting users pass their raw username and password you can always use the single
-    # access token. See Authlogic::Session::Params for more info.
+    # Also, if you are not comfortable letting users pass their raw username and
+    # password you can always use the single access token. See
+    # Authlogic::Session::Params for more info.
     module HttpAuth
       def self.included(klass)
         klass.class_eval do
           extend Config
           include InstanceMethods
-          persist :persist_by_http_auth, :if => :persist_by_http_auth?
+          persist :persist_by_http_auth, if: :persist_by_http_auth?
         end
       end
 
@@ -19,13 +21,15 @@ module Authlogic
       module Config
         # Do you want to allow your users to log in via HTTP basic auth?
         #
-        # I recommend keeping this enabled. The only time I feel this should be disabled is if you are not comfortable
-        # having your users provide their raw username and password. Whatever the reason, you can disable it here.
+        # I recommend keeping this enabled. The only time I feel this should be
+        # disabled is if you are not comfortable having your users provide their
+        # raw username and password. Whatever the reason, you can disable it
+        # here.
         #
         # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
         def allow_http_basic_auth(value = nil)
-          rw_config(:allow_http_basic_auth, value, true)
+          rw_config(:allow_http_basic_auth, value, false)
         end
         alias_method :allow_http_basic_auth=, :allow_http_basic_auth
 
@@ -60,7 +64,7 @@ module Authlogic
         # * <tt>Default:</tt> 'Application'
         # * <tt>Accepts:</tt> String
         def http_basic_auth_realm(value = nil)
-          rw_config(:http_basic_auth_realm, value, 'Application')
+          rw_config(:http_basic_auth_realm, value, "Application")
         end
         alias_method :http_basic_auth_realm=, :http_basic_auth_realm
       end
@@ -69,31 +73,34 @@ module Authlogic
       module InstanceMethods
         private
 
-          def persist_by_http_auth?
-            allow_http_basic_auth? && login_field && password_field
-          end
-
-          def persist_by_http_auth
-            login_proc = Proc.new do |login, password|
-              if !login.blank? && !password.blank?
-                send("#{login_field}=", login)
-                send("#{password_field}=", password)
-                valid?
-              end
-            end
+        def persist_by_http_auth?
+          allow_http_basic_auth? && login_field && password_field
+        end
 
-            if self.class.request_http_basic_auth
-              controller.authenticate_or_request_with_http_basic(self.class.http_basic_auth_realm, &login_proc)
-            else
-              controller.authenticate_with_http_basic(&login_proc)
+        def persist_by_http_auth
+          login_proc = proc do |login, password|
+            if !login.blank? && !password.blank?
+              send("#{login_field}=", login)
+              send("#{password_field}=", password)
+              valid?
             end
-
-            false
           end
 
-          def allow_http_basic_auth?
-            self.class.allow_http_basic_auth == true
+          if self.class.request_http_basic_auth
+            controller.authenticate_or_request_with_http_basic(
+              self.class.http_basic_auth_realm,
+              &login_proc
+            )
+          else
+            controller.authenticate_with_http_basic(&login_proc)
           end
+
+          false
+        end
+
+        def allow_http_basic_auth?
+          self.class.allow_http_basic_auth == true
+        end
       end
     end
   end

data/lib/authlogic/session/id.rb

@@ -3,6 +3,11 @@ module Authlogic
     # Allows you to separate sessions with an id, ultimately letting you create
     # multiple sessions for the same user.
     module Id
+      def initialize(*args)
+        @id = nil
+        super
+      end
+
       def self.included(klass)
         klass.class_eval do
           attr_writer :id
@@ -39,10 +44,10 @@ module Authlogic
 
       private
 
-        # Used for things like cookie_key, session_key, etc.
-        def build_key(last_part)
-          [id, super].compact.join("_")
-        end
+      # Used for things like cookie_key, session_key, etc.
+      def build_key(last_part)
+        [id, super].compact.join("_")
+      end
     end
   end
 end

data/lib/authlogic/session/klass.rb

@@ -16,7 +16,8 @@ module Authlogic
       module Config
         # Lets you change which model to use for authentication.
         #
-        # * <tt>Default:</tt> inferred from the class name. UserSession would automatically try User
+        # * <tt>Default:</tt> inferred from the class name. UserSession would
+        #   automatically try User
         # * <tt>Accepts:</tt> an ActiveRecord class
         def authenticate_with(klass)
           @klass_name = klass.name
@@ -24,9 +25,10 @@ module Authlogic
         end
         alias_method :authenticate_with=, :authenticate_with
 
-        # The name of the class that this session is authenticating with. For example, the UserSession class will
-        # authenticate with the User class unless you specify otherwise in your configuration. See authenticate_with
-        # for information on how to change this value.
+        # The name of the class that this session is authenticating with. For
+        # example, the UserSession class will authenticate with the User class
+        # unless you specify otherwise in your configuration. See
+        # authenticate_with for information on how to change this value.
         def klass
           @klass ||= klass_name ? klass_name.constantize : nil
         end
@@ -40,7 +42,8 @@ module Authlogic
       end
 
       module InstanceMethods
-        # Creating an alias method for the "record" method based on the klass name, so that we can do:
+        # Creating an alias method for the "record" method based on the klass
+        # name, so that we can do:
         #
         #   session.user
         #
@@ -48,7 +51,7 @@ module Authlogic
         #
         #   session.record
         def initialize(*args)
-          if !self.class.configured_klass_methods
+          unless self.class.configured_klass_methods
             self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
             self.class.configured_klass_methods = true
           end
@@ -57,13 +60,13 @@ module Authlogic
 
         private
 
-          def klass
-            self.class.klass
-          end
+        def klass
+          self.class.klass
+        end
 
-          def klass_name
-            self.class.klass_name
-          end
+        def klass_name
+          self.class.klass_name
+        end
       end
     end
   end

data/lib/authlogic/session/magic_columns.rb

@@ -19,10 +19,10 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          after_persisting :set_last_request_at, :if => :set_last_request_at?
+          after_persisting :set_last_request_at, if: :set_last_request_at?
           validate :increase_failed_login_count
           before_save :update_info
-          before_save :set_last_request_at, :if => :set_last_request_at?
+          before_save :set_last_request_at, if: :set_last_request_at?
         end
       end
 
@@ -43,73 +43,76 @@ module Authlogic
         alias_method :last_request_at_threshold=, :last_request_at_threshold
       end
 
-      # The methods available for an Authlogic::Session::Base object that make up the magic columns feature.
+      # The methods available for an Authlogic::Session::Base object that make
+      # up the magic columns feature.
       module InstanceMethods
         private
 
-          def increase_failed_login_count
-            if invalid_password? && attempted_record.respond_to?(:failed_login_count)
-              attempted_record.failed_login_count ||= 0
-              attempted_record.failed_login_count += 1
-            end
+        def clear_failed_login_count
+          if record.respond_to?(:failed_login_count)
+            record.failed_login_count = 0
           end
+        end
 
-          def update_info
-            if record.respond_to?(:login_count)
-              record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
-            end
+        def increase_failed_login_count
+          if invalid_password? && attempted_record.respond_to?(:failed_login_count)
+            attempted_record.failed_login_count ||= 0
+            attempted_record.failed_login_count += 1
+          end
+        end
 
-            if record.respond_to?(:failed_login_count)
-              record.failed_login_count = 0
-            end
+        def increment_login_cout
+          if record.respond_to?(:login_count)
+            record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
+          end
+        end
 
-            if record.respond_to?(:current_login_at)
-              record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
-              record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-            end
+        def update_info
+          increment_login_cout
+          clear_failed_login_count
+          update_login_timestamps
+          update_login_ip_addresses
+        end
 
-            if record.respond_to?(:current_login_ip)
-              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-              record.current_login_ip = controller.request.ip
-            end
+        def update_login_ip_addresses
+          if record.respond_to?(:current_login_ip)
+            record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+            record.current_login_ip = controller.request.ip
           end
+        end
 
-          # This method lets authlogic know whether it should allow the
-          # last_request_at field to be updated with the current time
-          # (Time.now). One thing to note here is that it also checks for the
-          # existence of a last_request_update_allowed? method in your
-          # controller. This allows you to control this method pragmatically in
-          # your controller.
-          #
-          # For example, what if you had a javascript function that polled the
-          # server updating how much time is left in their session before it
-          # times out. Obviously you would want to ignore this request, because
-          # then the user would never time out. So you can do something like
-          # this in your controller:
-          #
-          #   def last_request_update_allowed?
-          #     action_name != "update_session_time_left"
-          #   end
-          #
-          # You can do whatever you want with that method.
-          def set_last_request_at? # :doc:
-            if !record || !klass.column_names.include?("last_request_at")
-              return false
-            end
-            if controller.responds_to_last_request_update_allowed? && !controller.last_request_update_allowed?
-              return false
-            end
-            record.last_request_at.blank? ||
-              last_request_at_threshold.to_i.seconds.ago >= record.last_request_at
+        def update_login_timestamps
+          if record.respond_to?(:current_login_at)
+            record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+            record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
           end
+        end
 
-          def set_last_request_at
-            record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+        # This method lets authlogic know whether it should allow the
+        # last_request_at field to be updated with the current time.
+        #
+        # See also `last_request_update_allowed?` in
+        # `Authlogic::ControllerAdapters::AbstractAdapter`
+        #
+        # @api private
+        def set_last_request_at?
+          if !record || !klass.column_names.include?("last_request_at")
+            return false
           end
-
-          def last_request_at_threshold
-            self.class.last_request_at_threshold
+          unless controller.last_request_update_allowed?
+            return false
           end
+          record.last_request_at.blank? ||
+            last_request_at_threshold.to_i.seconds.ago >= record.last_request_at
+        end
+
+        def set_last_request_at
+          record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+        end
+
+        def last_request_at_threshold
+          self.class.last_request_at_threshold
+        end
       end
     end
   end

data/lib/authlogic/session/magic_states.rb

@@ -25,7 +25,7 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :validate_magic_states, :unless => :disable_magic_states?
+          validate :validate_magic_states, unless: :disable_magic_states?
         end
       end
 
@@ -50,26 +50,32 @@ module Authlogic
       module InstanceMethods
         private
 
-          def disable_magic_states?
-            self.class.disable_magic_states == true
-          end
+        def disable_magic_states?
+          self.class.disable_magic_states == true
+        end
 
-          def validate_magic_states
-            return true if attempted_record.nil?
-            [:active, :approved, :confirmed].each do |required_status|
-              if attempted_record.respond_to?("#{required_status}?") && !attempted_record.send("#{required_status}?")
-                errors.add(
-                  :base,
-                  I18n.t(
-                    "error_messages.not_#{required_status}",
-                    :default => "Your account is not #{required_status}"
-                  )
-                )
-                return false
-              end
-            end
-            true
+        # @api private
+        def required_magic_states_for(record)
+          %i[active approved confirmed].select { |state|
+            record.respond_to?("#{state}?")
+          }
+        end
+
+        def validate_magic_states
+          return true if attempted_record.nil?
+          required_magic_states_for(attempted_record).each do |required_status|
+            next if attempted_record.send("#{required_status}?")
+            errors.add(
+              :base,
+              I18n.t(
+                "error_messages.not_#{required_status}",
+                default: "Your account is not #{required_status}"
+              )
+            )
+            return false
           end
+          true
+        end
       end
     end
   end

data/lib/authlogic/session/params.rb

@@ -66,7 +66,11 @@ module Authlogic
         # * <tt>Accepts:</tt> String of a request type, or :all or :any to
         #   allow single access authentication for any and all request types
         def single_access_allowed_request_types(value = nil)
-          rw_config(:single_access_allowed_request_types, value, ["application/rss+xml", "application/atom+xml"])
+          rw_config(
+            :single_access_allowed_request_types,
+            value,
+            ["application/rss+xml", "application/atom+xml"]
+          )
         end
         alias_method :single_access_allowed_request_types=, :single_access_allowed_request_types
       end
@@ -76,40 +80,50 @@ module Authlogic
       module InstanceMethods
         private
 
-          def persist_by_params
-            return false if !params_enabled?
-            self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
-            self.single_access = valid?
-          end
-
-          def params_enabled?
-            return false if !params_credentials || !klass.column_names.include?("single_access_token")
-            return controller.single_access_allowed? if controller.responds_to_single_access_allowed?
+        def persist_by_params
+          return false unless params_enabled?
+          self.unauthorized_record = search_for_record(
+            "find_by_single_access_token",
+            params_credentials
+          )
+          self.single_access = valid?
+        end
 
-            case single_access_allowed_request_types
-            when Array
-              single_access_allowed_request_types.include?(controller.request_content_type) ||
-                single_access_allowed_request_types.include?(:all)
-            else
-              [:all, :any].include?(single_access_allowed_request_types)
-            end
+        def params_enabled?
+          if !params_credentials || !klass.column_names.include?("single_access_token")
+            return false
           end
-
-          def params_key
-            build_key(self.class.params_key)
+          if controller.responds_to_single_access_allowed?
+            return controller.single_access_allowed?
           end
+          params_enabled_by_allowed_request_types?
+        end
 
-          def single_access?
-            single_access == true
+        def params_enabled_by_allowed_request_types?
+          case single_access_allowed_request_types
+          when Array
+            single_access_allowed_request_types.include?(controller.request_content_type) ||
+              single_access_allowed_request_types.include?(:all)
+          else
+            %i[all any].include?(single_access_allowed_request_types)
           end
+        end
 
-          def single_access_allowed_request_types
-            self.class.single_access_allowed_request_types
-          end
+        def params_key
+          build_key(self.class.params_key)
+        end
 
-          def params_credentials
-            controller.params[params_key]
-          end
+        def single_access?
+          single_access == true
+        end
+
+        def single_access_allowed_request_types
+          self.class.single_access_allowed_request_types
+        end
+
+        def params_credentials
+          controller.params[params_key]
+        end
       end
     end
   end