authlogic 3.8.0 → 4.5.0

data/lib/authlogic/session/timeout.rb

@@ -41,7 +41,7 @@ module Authlogic
         # they login and then leave the website, when do mark them as logged
         # out? I recommend just using this as a fun feature on your website or
         # reports, giving you a ballpark number of users logged in and active.
-        # This is not meant to be a dead accurate representation of a users
+        # This is not meant to be a dead accurate representation of a user's
         # logged in state, since there is really no real way to do this with web
         # based apps. Think about a user that logs in and doesn't log out. There
         # is no action that tells you that the user isn't technically still
@@ -52,7 +52,7 @@ module Authlogic
         # this option to true and if your record returns true for stale? then
         # they will be required to log back in.
         #
-        # Lastly, UserSession.find will still return a object is the session is
+        # Lastly, UserSession.find will still return an object if the session is
         # stale, but you will not get a record. This allows you to determine if
         # the user needs to log back in because their session went stale, or
         # because they just aren't logged in. Just call
@@ -83,20 +83,20 @@ module Authlogic
 
         private
 
-          def reset_stale_state
-            self.stale_record = nil
-          end
+        def reset_stale_state
+          self.stale_record = nil
+        end
 
-          def enforce_timeout
-            if stale?
-              self.stale_record = record
-              self.record = nil
-            end
+        def enforce_timeout
+          if stale?
+            self.stale_record = record
+            self.record = nil
           end
+        end
 
-          def logout_on_timeout?
-            self.class.logout_on_timeout == true
-          end
+        def logout_on_timeout?
+          self.class.logout_on_timeout == true
+        end
       end
     end
   end

data/lib/authlogic/session/unauthorized_record.rb

@@ -4,18 +4,23 @@ module Authlogic
     #
     #   UserSession.create(my_user_object)
     #
-    # Be careful with this, because Authlogic is assuming that you have already confirmed that the
-    # user is who he says he is.
+    # Be careful with this, because Authlogic is assuming that you have already
+    # confirmed that the user is who he says he is.
     #
-    # For example, this is the method used to persist the session internally. Authlogic finds the user with
-    # the persistence token. At this point we know the user is who he says he is, so Authlogic just creates a
-    # session with the record. This is particularly useful for 3rd party authentication methods, such as
-    # OpenID. Let that method verify the identity, once it's verified, pass the object and create a session.
+    # For example, this is the method used to persist the session internally.
+    # Authlogic finds the user with the persistence token. At this point we know
+    # the user is who he says he is, so Authlogic just creates a session with
+    # the record. This is particularly useful for 3rd party authentication
+    # methods, such as OpenID. Let that method verify the identity, once it's
+    # verified, pass the object and create a session.
     module UnauthorizedRecord
       def self.included(klass)
         klass.class_eval do
           attr_accessor :unauthorized_record
-          validate :validate_by_unauthorized_record, :if => :authenticating_with_unauthorized_record?
+          validate(
+            :validate_by_unauthorized_record,
+            if: :authenticating_with_unauthorized_record?
+          )
         end
       end
 
@@ -39,13 +44,13 @@ module Authlogic
 
       private
 
-        def authenticating_with_unauthorized_record?
-          !unauthorized_record.nil?
-        end
+      def authenticating_with_unauthorized_record?
+        !unauthorized_record.nil?
+      end
 
-        def validate_by_unauthorized_record
-          self.attempted_record = unauthorized_record
-        end
+      def validate_by_unauthorized_record
+        self.attempted_record = unauthorized_record
+      end
     end
   end
 end

data/lib/authlogic/session/validation.rb

@@ -77,17 +77,17 @@ module Authlogic
 
       private
 
-        def ensure_authentication_attempted
-          if errors.empty? && attempted_record.nil?
-            errors.add(
-              :base,
-              I18n.t(
-                'error_messages.no_authentication_details',
-                :default => "You did not provide any details for authentication."
-              )
+      def ensure_authentication_attempted
+        if errors.empty? && attempted_record.nil?
+          errors.add(
+            :base,
+            I18n.t(
+              "error_messages.no_authentication_details",
+              default: "You did not provide any details for authentication."
             )
-          end
+          )
         end
+      end
     end
   end
 end

data/lib/authlogic/test_case/mock_controller.rb

@@ -1,7 +1,8 @@
 module Authlogic
   module TestCase
-    # Basically acts like a controller but doesn't do anything. Authlogic can interact with this, do it's thing and then you
-    # can look at the controller object to see if anything changed.
+    # Basically acts like a controller but doesn't do anything. Authlogic can interact
+    # with this, do it's thing and then you can look at the controller object to see if
+    # anything changed.
     class MockController < ControllerAdapters::AbstractAdapter
       attr_accessor :http_user, :http_password, :realm
       attr_writer :request_content_type
@@ -9,11 +10,11 @@ module Authlogic
       def initialize
       end
 
-      def authenticate_with_http_basic(&block)
+      def authenticate_with_http_basic
         yield http_user, http_password
       end
 
-      def authenticate_or_request_with_http_basic(realm = 'DefaultRealm', &block)
+      def authenticate_or_request_with_http_basic(realm = "DefaultRealm")
         self.realm = realm
         @http_auth_requested = true
         yield http_user, http_password

data/lib/authlogic/test_case/mock_cookie_jar.rb

@@ -1,18 +1,30 @@
 module Authlogic
   module TestCase
+    # A mock of `ActionDispatch::Cookies::CookieJar`.
     class MockCookieJar < Hash # :nodoc:
+      attr_accessor :set_cookies
+
       def [](key)
         hash = super
         hash && hash[:value]
       end
 
-      def delete(key, options = {})
+      def []=(key, options)
+        (@set_cookies ||= {})[key.to_s] = options
+        super
+      end
+
+      def delete(key, _options = {})
         super(key)
       end
 
       def signed
         @signed ||= MockSignedCookieJar.new(self)
       end
+
+      def encrypted
+        @encrypted ||= MockEncryptedCookieJar.new(self)
+      end
     end
 
     class MockSignedCookieJar < MockCookieJar
@@ -20,11 +32,13 @@ module Authlogic
 
       def initialize(parent_jar)
         @parent_jar = parent_jar
+        parent_jar.each { |k, v| self[k] = v }
       end
 
       def [](val)
-        if signed_message = @parent_jar[val]
-          payload, signature = signed_message.split('--')
+        signed_message = @parent_jar[val]
+        if signed_message
+          payload, signature = signed_message.split("--")
           raise "Invalid signature" unless Digest::SHA1.hexdigest(payload) == signature
           payload
         end
@@ -35,5 +49,35 @@ module Authlogic
         @parent_jar[key] = options
       end
     end
+
+    class MockEncryptedCookieJar < MockCookieJar
+      attr_reader :parent_jar # helper for testing
+
+      def initialize(parent_jar)
+        @parent_jar = parent_jar
+        parent_jar.each { |k, v| self[k] = v }
+      end
+
+      def [](val)
+        encrypted_message = @parent_jar[val]
+        if encrypted_message
+          self.class.decrypt(encrypted_message)
+        end
+      end
+
+      def []=(key, options)
+        options[:value] = self.class.encrypt(options[:value])
+        @parent_jar[key] = options
+      end
+
+      # simple caesar cipher for testing
+      def self.encrypt(str)
+        str.unpack("U*").map(&:succ).pack("U*")
+      end
+
+      def self.decrypt(str)
+        str.unpack("U*").map(&:pred).pack("U*")
+      end
+    end
   end
 end

data/lib/authlogic/test_case/mock_request.rb

@@ -8,13 +8,16 @@ module Authlogic
       end
 
       def ip
-        (controller && controller.respond_to?(:env) && controller.env.is_a?(Hash) && controller.env['REMOTE_ADDR']) || "1.1.1.1"
+        controller&.respond_to?(:env) &&
+          controller.env.is_a?(Hash) &&
+          controller.env["REMOTE_ADDR"] ||
+          "1.1.1.1"
       end
 
       private
 
-        def method_missing(*args, &block)
-        end
+      def method_missing(*args, &block)
+      end
     end
   end
 end

data/lib/authlogic/test_case/rails_request_adapter.rb

@@ -1,7 +1,8 @@
 module Authlogic
   module TestCase
-    # Adapts authlogic to work with the @request object when testing. This way Authlogic can set cookies and what not before
-    # a request is made, ultimately letting you log in users in functional tests.
+    # Adapts authlogic to work with the @request object when testing. This way Authlogic
+    # can set cookies and what not before a request is made, ultimately letting you log in
+    # users in functional tests.
     class RailsRequestAdapter < ControllerAdapters::AbstractAdapter
       def authenticate_with_http_basic(&block)
       end

data/lib/authlogic/test_case.rb

@@ -50,7 +50,7 @@ module Authlogic
   #   ben:
   #     email: whatever@whatever.com
   #     password_salt: <%= salt = Authlogic::Random.hex_token %>
-  #     crypted_password: <%= Authlogic::CryptoProviders::Sha512.encrypt("benrocks" + salt) %>
+  #     crypted_password: <%= Authlogic::CryptoProviders::SCrypt.encrypt("benrocks" + salt) %>
   #     persistence_token: <%= Authlogic::Random.hex_token %>
   #     single_access_token: <%= Authlogic::Random.friendly_token %>
   #     perishable_token: <%= Authlogic::Random.friendly_token %>
@@ -113,7 +113,73 @@ module Authlogic
   #
   # See how I am checking that Authlogic is interacting with the controller
   # properly? That's the idea here.
+  #
+  # === Testing with Rails 5
+  #
+  # Rails 5 has [deprecated classic controller tests](https://goo.gl/4zmt6y).
+  # Controller tests now inherit from `ActionDispatch::IntegrationTest` making
+  # them plain old integration tests now. You have two options for testing
+  # AuthLogic in Rails 5:
+  #
+  # * Add the `rails-controller-testing` gem to bring back the original
+  #   controller testing usage
+  # * Go full steam ahead with integration testing and actually log a user in
+  #   by submitting a form in the integration test.
+  #
+  # Naturally DHH recommends the second method and this is
+  # [what he does in his own tests](https://goo.gl/Ar6p0u). This is useful
+  # for testing not only AuthLogic itself (submitting login credentials to a
+  # UserSessionsController, for example) but any controller action that is
+  # behind a login wall. Add a helper method and use that before testing your
+  # actual controller action:
+  #
+  #   # test/test_helper.rb
+  #   def login(user)
+  #     post user_sessions_url, :params => { :email => user.email, :password => 'password' }
+  #   end
+  #
+  #   # test/controllers/posts_controller_test.rb
+  #   test "#create requires a user to be logged in
+  #     post posts_url, :params => { :body => 'Lorem ipsum' }
+  #
+  #     assert_redirected_to new_user_session_url
+  #   end
+  #
+  #   test "#create lets a logged in user create a new post" do
+  #     login(users(:admin))
+  #
+  #     assert_difference 'Posts.count' do
+  #       post posts_url, :params => { :body => 'Lorem ipsum' }
+  #     end
+  #
+  #     assert_redirected_to posts_url
+  #   end
+  #
+  # You still have access to the `session` helper in an integration test and so
+  # you can still test to see if a user is logged in. A couple of helper methods
+  # might look like:
+  #
+  #   # test/test_helper.rb
+  #   def assert_logged_in
+  #     assert session[:user_credentials].present?
+  #   end
+  #
+  #   def assert_not_logged_in
+  #     assert session[:user_credentials].blank?
+  #   end
+  #
+  #   # test/user_sessions_controller_test.rb
+  #   test "#create logs in a user" do
+  #     login(users(:admin))
+  #
+  #     assert_logged_in
+  #   end
   module TestCase
+    def initialize(*args)
+      @request = nil
+      super
+    end
+
     # Activates authlogic so that you can use it in your tests. You should call
     # this method in your test's setup. Ex:
     #
@@ -125,7 +191,9 @@ module Authlogic
         end
       end
 
-      Authlogic::Session::Base.controller = (@request && Authlogic::TestCase::RailsRequestAdapter.new(@request)) || controller
+      Authlogic::Session::Base.controller = @request &&
+        Authlogic::TestCase::RailsRequestAdapter.new(@request) ||
+        controller
     end
 
     # The Authlogic::TestCase::MockController object passed to Authlogic to

data/lib/authlogic/version.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "rubygems"
+
+module Authlogic
+  # Returns a `::Gem::Version`, the version number of the authlogic gem.
+  #
+  # It is preferable for a library to provide a `gem_version` method, rather
+  # than a `VERSION` string, because `::Gem::Version` is easier to use in a
+  # comparison.
+  #
+  # We cannot return a frozen `Version`, because rubygems will try to modify it.
+  # https://github.com/binarylogic/authlogic/pull/590
+  #
+  # Added in 4.0.0
+  #
+  # @api public
+  def self.gem_version
+    ::Gem::Version.new("4.5.0")
+  end
+end

data/lib/authlogic.rb

@@ -1,7 +1,9 @@
-# Authlogic uses ActiveSupport's core extensions like `strip_heredoc`, which
-# ActiveRecord does not `require`. It's possible that we could save a few
-# milliseconds by loading only the specific core extensions we need, but
-# `all.rb` is simpler. We can revisit this decision if it becomes a problem.
+# Authlogic uses ActiveSupport's core extensions like `strip_heredoc` and
+# `squish`. ActiveRecord does not `require` these exensions, so we must.
+#
+# It's possible that we could save a few milliseconds by loading only the
+# specific core extensions we need, but `all.rb` is simpler. We can revisit this
+# decision if it becomes a problem.
 require "active_support/all"
 
 require "active_record"
@@ -9,57 +11,57 @@ require "active_record"
 path = File.dirname(__FILE__) + "/authlogic/"
 
 [
- "i18n",
- "random",
- "regex",
- "config",
+  "i18n",
+  "random",
+  "regex",
+  "config",
 
- "controller_adapters/abstract_adapter",
+  "controller_adapters/abstract_adapter",
 
- "crypto_providers",
+  "crypto_providers",
 
- "authenticates_many/base",
- "authenticates_many/association",
+  "authenticates_many/base",
+  "authenticates_many/association",
 
- "acts_as_authentic/email",
- "acts_as_authentic/logged_in_status",
- "acts_as_authentic/login",
- "acts_as_authentic/magic_columns",
- "acts_as_authentic/password",
- "acts_as_authentic/perishable_token",
- "acts_as_authentic/persistence_token",
- "acts_as_authentic/restful_authentication",
- "acts_as_authentic/session_maintenance",
- "acts_as_authentic/single_access_token",
- "acts_as_authentic/validations_scope",
- "acts_as_authentic/base",
+  "acts_as_authentic/email",
+  "acts_as_authentic/logged_in_status",
+  "acts_as_authentic/login",
+  "acts_as_authentic/magic_columns",
+  "acts_as_authentic/password",
+  "acts_as_authentic/perishable_token",
+  "acts_as_authentic/persistence_token",
+  "acts_as_authentic/restful_authentication",
+  "acts_as_authentic/session_maintenance",
+  "acts_as_authentic/single_access_token",
+  "acts_as_authentic/validations_scope",
+  "acts_as_authentic/base",
 
- "session/activation",
- "session/active_record_trickery",
- "session/brute_force_protection",
- "session/callbacks",
- "session/cookies",
- "session/existence",
- "session/foundation",
- "session/http_auth",
- "session/id",
- "session/klass",
- "session/magic_columns",
- "session/magic_states",
- "session/params",
- "session/password",
- "session/perishable_token",
- "session/persistence",
- "session/priority_record",
- "session/scopes",
- "session/session",
- "session/timeout",
- "session/unauthorized_record",
- "session/validation",
- "session/base"
+  "session/activation",
+  "session/active_record_trickery",
+  "session/brute_force_protection",
+  "session/callbacks",
+  "session/cookies",
+  "session/existence",
+  "session/foundation",
+  "session/http_auth",
+  "session/id",
+  "session/klass",
+  "session/magic_columns",
+  "session/magic_states",
+  "session/params",
+  "session/password",
+  "session/perishable_token",
+  "session/persistence",
+  "session/priority_record",
+  "session/scopes",
+  "session/session",
+  "session/timeout",
+  "session/unauthorized_record",
+  "session/validation",
+  "session/base"
 ].each do |library|
-   require path + library
- end
+  require path + library
+end
 
 require path + "controller_adapters/rails_adapter"   if defined?(Rails)
 require path + "controller_adapters/sinatra_adapter" if defined?(Sinatra)

data/test/acts_as_authentic_test/base_test.rb

@@ -1,4 +1,6 @@
-require 'test_helper'
+# frozen_string_literal: true
+
+require "test_helper"
 
 module ActsAsAuthenticTest
   class BaseTest < ActiveSupport::TestCase