authlogic 3.8.0 → 4.5.0

data/README.md

@@ -1,14 +1,61 @@
 # Authlogic
 
-**Authlogic supports rails 3, 4 and 5. For rails 2, see the [rails2 branch](https://github.com/binarylogic/authlogic/tree/rails2).**
+A clean, simple, and unobtrusive ruby authentication solution.
 
-[![Gem Version](https://badge.fury.io/rb/authlogic.png)](http://badge.fury.io/rb/authlogic)
-[![Build Status](https://travis-ci.org/binarylogic/authlogic.png?branch=master)](https://travis-ci.org/binarylogic/authlogic)
-[![Code Climate](https://codeclimate.com/github/binarylogic/authlogic.png)](https://codeclimate.com/github/binarylogic/authlogic)
+[![Gem Version][5]][6] [![Build Status][1]][2] [![Code Climate][7]][8] [![Dependency Status][3]][4]
 
-Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
+## Sponsors
 
-It introduces a new type of model. You can have as many as you want, and name them whatever you want, just like your other models. In this example, we want to authenticate with the User model, which is inferred by the name:
+[![Timber Logging](http://res.cloudinary.com/timber/image/upload/v1490556810/pricing/sponsorship.png)](https://timber.io?utm_source=github&utm_medium=authlogic)
+
+[Tail Authlogic users](https://timber.io/docs/app/console/tail-a-user) in your logs!
+
+## Documentation
+
+| Version     | Documentation |
+| ----------- | ------------- |
+| Unreleased  | https://github.com/binarylogic/authlogic/blob/master/README.md |
+| 4.5.0       | https://github.com/binarylogic/authlogic/blob/v4.5.0/README.md |
+| 3.7.0       | https://github.com/binarylogic/authlogic/blob/v3.7.0/README.md |
+| 2.1.11      | https://github.com/binarylogic/authlogic/blob/v2.1.11/README.rdoc |
+| 1.4.3       | https://github.com/binarylogic/authlogic/blob/v1.4.3/README.rdoc |
+
+## Table of Contents
+
+- [1. Introduction](#1-introduction)
+  - [1.a. Compatibility](#1a-compatibility)
+  - [1.b. Overview](#1b-overview)
+  - [1.c. Reference Documentation](#1c-reference-documentation)
+- [2. Rails](#2-rails)
+  - [2.a. The users table](#2a-the-users-table)
+  - [2.b. Controller](#2b-controller)
+  - [2.c. View](#2c-view)
+  - [2.d. CSRF Protection](#2d-csrf-protection)
+- [3. Testing](#3-testing)
+- [4. Helpful links](#4-helpful-links)
+- [5. Add-ons](#5-add-ons)
+- [6. Internals](#6-internals)
+
+## 1. Introduction
+
+### 1.a. Compatibility
+
+| Version | branch       | ruby     | activerecord  |
+| ------- | ------------ | -------- | ------------- |
+| 4.4     | 4-4-stable   | >= 2.3.0 | >= 4.2, < 5.3 |
+| 4.3     | 4-3-stable   | >= 2.3.0 | >= 4.2, < 5.3 |
+| 4.2     | 4-2-stable   | >= 2.2.0 | >= 4.2, < 5.3 |
+| 3       | 3-stable     | >= 1.9.3 | >= 3.2, < 5.2 |
+| 2       | rails2       | >= 1.9.3 | ~> 2.3.0      |
+| 1       | ?            | ?        | ?             |
+
+Under SemVer, [changes to dependencies][10] do not require a major release.
+
+### 1.b. Overview
+
+Authlogic introduces a new type of model. You can have as many as you want, and
+name them whatever you want, just like your other models. In this example, we
+want to authenticate with our `User` model, which is inferred from the name:
 
 ```ruby
 class UserSession < Authlogic::Session::Base
@@ -44,7 +91,8 @@ You can also log out (i.e. **destroying** the session):
 session.destroy
 ```
 
-After a session has been created, you can persist it (i.e. **finding** the record) across requests. Thus keeping the user logged in:
+After a session has been created, you can persist it (i.e. **finding** the
+record) across requests. Thus keeping the user logged in:
 
 ``` ruby
 session = UserSession.find
@@ -53,16 +101,20 @@ session = UserSession.find
 To get all of the nice authentication functionality in your model just do this:
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   acts_as_authentic do |c|
     c.my_config_option = my_value
   end # the configuration block is optional
 end
 ```
 
-This handles validations, etc. It is also "smart" in the sense that it if a login field is present it will use that to authenticate, if not it will look for an email field, etc. This is all configurable, but for 99% of cases that above is all you will need to do.
+This handles validations, etc. It is also "smart" in the sense that it if a
+login field is present it will use that to authenticate, if not it will look for
+an email field, etc. This is all configurable, but for 99% of cases that above
+is all you will need to do.
 
-You may specify how passwords are cryptographically hashed (or encrypted) by setting the Authlogic::CryptoProvider option:
+You may specify how passwords are cryptographically hashed (or encrypted) by
+setting the Authlogic::CryptoProvider option:
 
 ``` ruby
 c.crypto_provider = Authlogic::CryptoProviders::BCrypt
@@ -74,74 +126,64 @@ You may validate international email addresses by enabling the provided alternat
 c.validates_format_of_email_field_options = {:with => Authlogic::Regex.email_nonascii}
 ```
 
-Also, sessions are automatically maintained. You can switch this on and off with configuration, but the following will automatically log a user in after a successful registration:
+Also, sessions are automatically maintained. You can switch this on and off with
+configuration, but the following will automatically log a user in after a
+successful registration:
 
 ``` ruby
 User.create(params[:user])
 ```
 
-This also updates the session when the user changes his/her password.
-
-Authlogic is very flexible, it has a strong public API and a plethora of hooks to allow you to modify behavior and extend it. Check out the helpful links below to dig deeper.
-
-## Upgrading to Authlogic 3.4.0
-
-In version 3.4.0, the default crypto_provider was changed from *Sha512* to *SCrypt*.
-
-If you never set a crypto_provider and are upgrading, your passwords will break unless you set the original:
+You can switch this on and off with the following configuration:
 
-``` ruby
-c.crypto_provider = Authlogic::CryptoProviders::Sha512
+```ruby
+class User < ApplicationRecord
+  acts_as_authentic do |c|
+    c.log_in_after_create = false
+  end # the configuration block is optional
+end
 ```
 
-And if you want to automatically upgrade from *Sha512* to *SCrypt* as users login:
+Authlogic also updates the session when the user changes his/her password. You can also switch this on and off with the following configuration:
 
 ```ruby
-c.transition_from_crypto_providers = [Authlogic::CryptoProviders::Sha512]
-c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+class User < ApplicationRecord
+  acts_as_authentic do |c|
+    c.log_in_after_password_change = false
+  end # the configuration block is optional
+end
 ```
 
-## Helpful links
-
-* <b>Documentation:</b> http://rdoc.info/projects/binarylogic/authlogic
-* <b>Repository:</b> http://github.com/binarylogic/authlogic/tree/master
-* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
-* <b>Example repository with tutorial in README:</b> http://github.com/binarylogic/authlogic_example/tree/master
-* <b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
-* <b>Tutorial</b>: Rails Authentication with Authlogic http://www.sitepoint.com/rails-authentication-with-authlogic
-* <b>Issues:</b> http://github.com/binarylogic/authlogic/issues
-
-## Authlogic "add ons"
-
-* <b>Authlogic OpenID addon:</b> http://github.com/binarylogic/authlogic_openid
-* <b>Authlogic LDAP addon:</b> http://github.com/binarylogic/authlogic_ldap
-* <b>Authlogic Facebook Connect:</b> http://github.com/kalasjocke/authlogic_facebook_connect
-* <b>Authlogic Facebook Connect (New JS API):</b> http://github.com/studybyte/authlogic_facebook_connect
-* <b>Authlogic Facebook Shim</b> http://github.com/james2m/authlogic_facebook_shim
-* <b>Authlogic OAuth (Twitter):</b> http://github.com/jrallison/authlogic_oauth
-* <b>Authlogic Oauth and OpenID:</b> http://github.com/viatropos/authlogic-connect
-* <b>Authlogic PAM:</b> http://github.com/nbudin/authlogic_pam
-* <b>Authlogic x509:</b> http://github.com/auth-scc/authlogic_x509
+Authlogic is very flexible, it has a strong public API and a plethora of hooks
+to allow you to modify behavior and extend it. Check out the helpful links below
+to dig deeper.
 
-If you create one of your own, please let me know about it so I can add it to this list. Or just fork the project, add your link, and send me a pull request.
+### 1.c. Reference Documentation
 
-## Documentation explanation
+This README is just an introduction, but we also have [reference
+documentation](http://www.rubydoc.info/github/binarylogic/authlogic).
 
-You can find anything you want about Authlogic in the [documentation](http://rdoc.info/projects/binarylogic/authlogic), all that you need to do is understand the basic design behind it.
+**To use the reference documentation, you must understand how Authlogic's
+code is organized.** There are 2 models, your Authlogic model and your
+ActiveRecord model:
 
-That being said, there are 2 models involved during authentication. Your Authlogic model and your ActiveRecord model:
+1. **Authlogic::Session**, your session models that
+  extend `Authlogic::Session::Base`.
+2. **Authlogic::ActsAsAuthentic**, which adds in functionality to your
+  ActiveRecord model when you call `acts_as_authentic`.
 
-1. <b>Authlogic::Session</b>, your session models that extend Authlogic::Session::Base.
-2. <b>Authlogic::ActsAsAuthentic</b>, which adds in functionality to your ActiveRecord model when you call acts_as_authentic.
+Each of the above has various modules that are organized by topic: passwords,
+cookies, etc. For example, if you want to timeout users after a certain period
+of inactivity, you would look in `Authlogic::Session::Timeout`.
 
-Each of the above has its various sub modules that contain common logic. The sub modules are responsible for including *everything* related to it: configuration, class methods, instance methods, etc.
+## 2. Rails
 
-For example, if you want to timeout users after a certain period of inactivity, you would look in <b>Authlogic::Session::Timeout</b>. To help you out, I listed the following publicly relevant modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the [documentation](http://rdoc.info/projects/binarylogic/authlogic).
+Let's walk through a typical rails setup.
 
-## Example migration
+### 2.a. The users table
 
 If you want to enable all the features of Authlogic, a migration to create a
-+User+ model, for example, might look like this:
+`User` model might look like this:
 
 ``` ruby
 class CreateUser < ActiveRecord::Migration
@@ -156,12 +198,15 @@ class CreateUser < ActiveRecord::Migration
 
       # Authlogic::ActsAsAuthentic::PersistenceToken
       t.string    :persistence_token
+      t.index     :persistence_token, unique: true
 
       # Authlogic::ActsAsAuthentic::SingleAccessToken
       t.string    :single_access_token
+      t.index     :single_access_token, unique: true
 
       # Authlogic::ActsAsAuthentic::PerishableToken
       t.string    :perishable_token
+      t.index     :perishable_token, unique: true
 
       # Authlogic::Session::MagicColumns
       t.integer   :login_count, default: 0, null: false
@@ -183,15 +228,56 @@ class CreateUser < ActiveRecord::Migration
 end
 ```
 
-## Quick Rails example
-
-What if creating sessions worked like an ORM library on the surface...
+In the `User` model,
 
-``` ruby
-UserSession.create(params[:user_session])
+```ruby
+class User < ApplicationRecord
+  acts_as_authentic
+
+  # Validate email, login, and password as you see fit.
+  #
+  # Authlogic < 5 added these validation for you, making them a little awkward
+  # to change. In 4.4.0, those automatic validations were deprecated. See
+  # https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
+  validates :email,
+    format: {
+      with: ::Authlogic::Regex::EMAIL,
+      message: "should look like an email address."
+    },
+    length: { maximum: 100 },
+    uniqueness: {
+      case_sensitive: false,
+      if: :email_changed?
+    }
+
+  validates :login,
+    format: {
+      with: ::Authlogic::Regex::LOGIN,
+      message: "should use only letters, numbers, spaces, and .-_@+ please."
+    },
+    length: { within: 3..100 },
+    uniqueness: {
+      case_sensitive: false,
+      if: :login_changed?
+    }
+
+  validates :password,
+    confirmation: { if: :require_password? },
+    length: {
+      minimum: 8,
+      if: :require_password?
+    }
+  validates :password_confirmation,
+    length: {
+      minimum: 8,
+      if: :require_password?
+  }
+end
 ```
 
-What if your user sessions controller could look just like your other controllers...
+### 2.b. Controller
+
+Your sessions controller will look just like your other controllers.
 
 ```ruby
 class UserSessionsController < ApplicationController
@@ -200,7 +286,7 @@ class UserSessionsController < ApplicationController
   end
 
   def create
-    @user_session = UserSession.new(params[:user_session])
+    @user_session = UserSession.new(user_session_params)
     if @user_session.save
       redirect_to account_url
     else
@@ -212,10 +298,37 @@ class UserSessionsController < ApplicationController
     current_user_session.destroy
     redirect_to new_user_session_url
   end
+
+  private
+
+  def user_session_params
+    params.require(:user_session).permit(:email, :password, :remember_me)
+  end
 end
 ```
 
-As you can see, this fits nicely into the RESTful development pattern. What about the view...
+As you can see, this fits nicely into the [conventional controller methods][9].
+
+#### 2.b.1. Helper Methods
+
+```ruby
+class ApplicationController
+  helper_method :current_user_session, :current_user
+
+  private
+    def current_user_session
+      return @current_user_session if defined?(@current_user_session)
+      @current_user_session = UserSession.find
+    end
+
+    def current_user
+      return @current_user if defined?(@current_user)
+      @current_user = current_user_session && current_user_session.user
+    end
+end
+```
+
+### 2.c. View
 
 ```erb
 <%= form_for @user_session do |f| %>
@@ -239,32 +352,18 @@ As you can see, this fits nicely into the RESTful development pattern. What abou
 <% end %>
 ```
 
-Or how about persisting the session...
+### 2.d. CSRF Protection
 
-```ruby
-class ApplicationController
-  helper_method :current_user_session, :current_user
+Because Authlogic introduces its own methods for storing user sessions, the CSRF
+(Cross Site Request Forgery) protection that is built into Rails will not work
+out of the box.
 
-  private
-    def current_user_session
-      return @current_user_session if defined?(@current_user_session)
-      @current_user_session = UserSession.find
-    end
-
-    def current_user
-      return @current_user if defined?(@current_user)
-      @current_user = current_user_session && current_user_session.user
-    end
-end
-```
+No generally applicable mitigation by the authlogic library is possible, because
+the instance variable you use to store a reference to the user session in `def
+current_user_session` will not be known to authlogic.
 
-## CSRF Protection
-
-Because Authlogic introduces its own methods for storing user sessions, the CSRF (Cross Site Request Forgery) protection that is built into Rails will not work out of the box.
-
-No generally applicable mitigation by the authlogic library is possible, because the instance variable you use to store a reference to the user session in `def current_user_session` will not be known to authlogic.
-
-You will need to override `ActionController::Base#handle_unverified_request` to do something appropriate to how your app handles user sessions, e.g.:
+You will need to override `ActionController::Base#handle_unverified_request` to
+do something appropriate to how your app handles user sessions, e.g.:
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -283,12 +382,67 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-## Testing
+### 2.e SameSite Cookie Attribute
+The SameSite attribute tells browsers when and how to fire cookies in first- or third-party situations. SameSite is used by a variety of browsers to identify whether or not to allow a cookie to be accessed.
+
+Up until recently, the standard default value when SameSite was not explicitly defined was to allow cookies in both first- and third-party contexts. However, starting with Chrome 80+, the SameSite attribute will not default to Lax behavior meaning cookies will only be permitted in first-party contexts. 
+
+Authlogic can allow you to explicitly set the value of SameSite to one of: Lax, Strict, or None. Note that when setting SameSite to None, the `secure` flag must also be set (secure is the default in Authlogic). 
+
+Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#SameSite
+
+## 3. Testing
 
 See [Authlogic::TestCase](https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/test_case.rb)
 
-## Tell me quickly how Authlogic works
+## 4. Helpful links
 
-Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.
+* <b>API Reference:</b> http://www.rubydoc.info/github/binarylogic/authlogic
+* <b>Repository:</b> https://github.com/binarylogic/authlogic/tree/master
+* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
+* <b>Example repository with tutorial in README:</b> https://github.com/binarylogic/authlogic_example/tree/master
+* <b>Tutorial</b>: Rails Authentication with Authlogic https://www.sitepoint.com/rails-authentication-with-authlogic
+* <b>Issues:</b> https://github.com/binarylogic/authlogic/issues
+* <b>Chrome is not logging out on browser close</b> https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion
+
+## 5. Add-ons
+
+* <b>Authlogic OpenID addon:</b> https://github.com/binarylogic/authlogic_openid
+* <b>Authlogic LDAP addon:</b> https://github.com/binarylogic/authlogic_ldap
+* <b>Authlogic Facebook Connect:</b> https://github.com/kalasjocke/authlogic-facebook-connect
+* <b>Authlogic Facebook Connect (New JS API):</b> https://github.com/studybyte/authlogic_facebook_connect
+* <b>Authlogic Facebook Shim</b> https://github.com/james2m/authlogic_facebook_shim
+* <b>Authlogic OAuth (Twitter):</b> https://github.com/jrallison/authlogic_oauth
+* <b>Authlogic Oauth and OpenID:</b> https://github.com/lancejpollard/authlogic-connect
+* <b>Authlogic PAM:</b> https://github.com/nbudin/authlogic_pam
+* <b>Authlogic x509:</b> https://github.com/auth-scc/authlogic_x509
+
+If you create one of your own, please let us know about it so we can add it to
+this list. Or just fork the project, add your link, and send us a pull request.
+
+## 6. Internals
+
+Interested in how all of this all works? Think about an ActiveRecord model. A
+database connection must be established before you can use it. In the case of
+Authlogic, a controller connection must be established before you can use it. It
+uses that controller connection to modify cookies, the current session, login
+with HTTP basic, etc. It connects to the controller through a before filter that
+is automatically set in your controller which lets Authlogic know about the
+current controller object. Then Authlogic leverages that to do everything, it's
+a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the
+tools your framework provides in the controller object.
+
+## Intellectual Property
 
 Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license
+
+[1]: https://api.travis-ci.org/binarylogic/authlogic.svg?branch=master
+[2]: https://travis-ci.org/binarylogic/authlogic
+[3]: https://gemnasium.com/badges/github.com/binarylogic/authlogic.svg
+[4]: https://gemnasium.com/binarylogic/authlogic
+[5]: https://badge.fury.io/rb/authlogic.png
+[6]: http://badge.fury.io/rb/authlogic
+[7]: https://codeclimate.com/github/binarylogic/authlogic.png
+[8]: https://codeclimate.com/github/binarylogic/authlogic
+[9]: http://guides.rubyonrails.org/routing.html#resource-routing-the-rails-default
+[10]: https://semver.org/spec/v2.0.0.html#what-should-i-do-if-i-update-my-own-dependencies-without-changing-the-public-api

data/Rakefile

@@ -1,21 +1,21 @@
-require 'rubygems'
-require 'bundler'
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler"
 
 Bundler.setup
 
-require 'rake/testtask'
+require "rake/testtask"
 Rake::TestTask.new(:test) do |test|
-  test.libs << 'test'
-  test.pattern = 'test/**/*_test.rb'
+  test.libs << "test"
+  test.pattern = "test/**/*_test.rb"
   test.verbose = false
 
-  # Set interpreter warning level to 1 (medium). Level 2 produces hundreds of warnings
-  # about uninitialized instance variables.
-  # TODO: Find a good way to deal with the level 2 warnings.
-  test.ruby_opts += ["-W1"]
+  # Set interpreter warning level to 2 (verbose)
+  test.ruby_opts += ["-W2"]
 end
 
 require "rubocop/rake_task"
 RuboCop::RakeTask.new
 
-task :default => [:rubocop, :test]
+task default: %i[rubocop test]

data/UPGRADING.md

@@ -0,0 +1,22 @@
+# Upgrading Authlogic
+
+Supplemental instructions to complement CHANGELOG.md.
+
+## 3.4.0
+
+In version 3.4.0, released 2014-03-03, the default crypto_provider was changed
+from *Sha512* to *SCrypt*.
+
+If you never set a crypto_provider and are upgrading, your passwords will break
+unless you specify `Sha512`.
+
+``` ruby
+c.crypto_provider = Authlogic::CryptoProviders::Sha512
+```
+
+And if you want to automatically upgrade from *Sha512* to *SCrypt* as users login:
+
+```ruby
+c.transition_from_crypto_providers = [Authlogic::CryptoProviders::Sha512]
+c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+```

data/authlogic.gemspec

@@ -1,27 +1,40 @@
-# -*- encoding: utf-8 -*-
-$:.push File.expand_path("../lib", __FILE__)
+# frozen_string_literal: true
 
-Gem::Specification.new do |s|
-  s.name        = "authlogic"
-  s.version     = "3.8.0"
-  s.platform    = Gem::Platform::RUBY
-  s.authors     = ["Ben Johnson"]
-  s.email       = ["bjohnson@binarylogic.com"]
-  s.homepage    = "http://github.com/binarylogic/authlogic"
-  s.summary     = 'A clean, simple, and unobtrusive ruby authentication solution.'
+require "English"
+$LOAD_PATH.push File.expand_path("lib", __dir__)
+require "authlogic/version"
 
-  s.license = 'MIT'
+::Gem::Specification.new do |s|
+  s.name = "authlogic"
+  s.version = ::Authlogic.gem_version.to_s
+  s.platform = ::Gem::Platform::RUBY
+  s.authors = [
+    "Ben Johnson",
+    "Tieg Zaharia",
+    "Jared Beck"
+  ]
+  s.email = [
+    "bjohnson@binarylogic.com",
+    "tieg.zaharia@gmail.com",
+    "jared@jaredbeck.com"
+  ]
+  s.homepage = "http://github.com/binarylogic/authlogic"
+  s.summary = "A clean, simple, and unobtrusive ruby authentication solution."
+  s.license = "MIT"
 
-  s.add_dependency 'activerecord', ['>= 3.2', '< 5.3']
-  s.add_dependency 'activesupport', ['>= 3.2', '< 5.3']
-  s.add_dependency 'request_store', '~> 1.0'
-  s.add_dependency 'scrypt', '>= 1.2', '< 4.0'
-  s.add_development_dependency 'bcrypt', '~> 3.1'
-  s.add_development_dependency 'timecop', '~> 0.7'
-  s.add_development_dependency 'rubocop', '~> 0.41.2'
+  s.required_ruby_version = ">= 2.3.0"
+  s.add_dependency "activerecord", [">= 4.2", "< 5.3"]
+  s.add_dependency "activesupport", [">= 4.2", "< 5.3"]
+  s.add_dependency "request_store", "~> 1.0"
+  s.add_dependency "scrypt", ">= 1.2", "< 4.0"
+  s.add_development_dependency "bcrypt", "~> 3.1"
+  s.add_development_dependency "byebug", "~> 10.0"
+  s.add_development_dependency "minitest-reporters", "~> 1.3"
+  s.add_development_dependency "rubocop", "~> 0.58.1"
+  s.add_development_dependency "timecop", "~> 0.7"
 
-  s.files         = `git ls-files`.split("\n")
-  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.files = `git ls-files`.split("\n")
+  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   s.require_paths = ["lib"]
 end

data/doc/use_normal_rails_validation.md

@@ -0,0 +1,82 @@
+# Use Normal ActiveRecord Validation
+
+In Authlogic 4.4.0, [we deprecated][1] the features of Authlogic related to
+validating email, login, and password. In 5.0.0 these features will be dropped.
+Use normal ActiveRecord validations instead.
+
+## Instructions
+
+First, disable the deprecated Authlogic validations:
+
+    acts_as_authentic do |c|
+      c.validate_email_field = false
+      c.validate_login_field = false
+      c.validate_password_field = false
+    end
+
+Then, use normal ActiveRecord validations instead. For example, instead of
+the Authlogic method validates_length_of_email_field_options, use
+
+    validates :email, length: { ... }
+
+It might be a good idea to replace these one field at a time, ie. email,
+then login, then password; one field per commit.
+
+## Default Values
+
+The following validations represent the Authlogic < 5 defaults. Merge these
+defaults with any settings you may have overwritten.
+
+```
+validates :email,
+  format: {
+    with: ::Authlogic::Regex::EMAIL,
+    message: proc {
+      ::Authlogic::I18n.t(
+        "error_messages.email_invalid",
+        default: "should look like an email address."
+      )
+    }
+  },
+  length: { maximum: 100 },
+  uniqueness: {
+    case_sensitive: false,
+    if: :email_changed?
+  }
+
+validates :login,
+  format: {
+    with: ::Authlogic::Regex::LOGIN,
+    message: proc {
+      ::Authlogic::I18n.t(
+        "error_messages.login_invalid",
+        default: "should use only letters, numbers, spaces, and .-_@+ please."
+      )
+    }
+  },
+  length: { within: 3..100 },
+  uniqueness: {
+    case_sensitive: false,
+    if: :login_changed?
+  }
+
+validates :password,
+  confirmation: { if: :require_password? },
+  length: {
+    minimum: 8,
+    if: :require_password?
+  }
+validates :password_confirmation,
+  length: {
+    minimum: 8,
+    if: :require_password?
+}
+```
+
+## Motivation
+
+The deprecated features save people some time in the begginning, when setting up
+Authlogic. But, later in the life of a project, when these settings need to
+change, it is obscure compared to normal ActiveRecord validations.
+
+[1]: https://github.com/binarylogic/authlogic/pull/623

data/gemfiles/Gemfile.rails-4.2.x

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+gemspec :path => ".."
+
+gem "activerecord", "~> 4.2.8.rc1"
+gem "activesupport", "~> 4.2.8.rc1"
+gem "sqlite3", "~> 1.3.6", platforms: :ruby