authlogic 3.8.0 → 4.5.0

data/lib/authlogic/authenticates_many/base.rb

@@ -3,7 +3,7 @@ module Authlogic
   # to an account, you want to make sure only users that belong to that account can
   # actually login into that account. Simple, just do:
   #
-  #   class Account < ActiveRecord::Base
+  #   class Account < ApplicationRecord
   #     authenticates_many :user_sessions
   #   end
   #
@@ -17,8 +17,16 @@ module Authlogic
   # Checkout the authenticates_many method for a list of options.
   # You may also want to checkout Authlogic::ActsAsAuthentic::Scope to scope your model.
   module AuthenticatesMany
+    # These methods become class methods of ::ActiveRecord::Base.
     module Base
-      # Allows you set essentially set up a relationship with your sessions. See module
+      DPR_AUTH_MANY = <<~EOS.freeze
+        authenticates_many is deprecated without replacement. Let us know
+        if you would like to take over maintenance of this feature as a separate
+        gem. If no one volunteers to extract and maintain a new gem, then this
+        feature will simply be deleted.
+      EOS
+
+      # Allows you to set up a relationship with your sessions. See module
       # definition above for more details.
       #
       # === Options
@@ -26,37 +34,45 @@ module Authlogic
       # * <tt>session_class:</tt> default: "#{name}Session",
       #   This is the related session class.
       #
-      # * <tt>relationship_name:</tt> default: options[:session_class].klass_name.underscore.pluralize,
-      #   This is the name of the relationship you want to use to scope everything. For
-      #   example an Account has many Users. There should be a relationship called :users
-      #   that you defined with a has_many. The reason we use the relationship is so you
-      #   don't have to repeat yourself. The relationship could have all kinds of custom
-      #   options. So instead of repeating yourself we essentially use the scope that the
+      # * <tt>relationship_name:</tt>
+      #   default: options[:session_class].klass_name.underscore.pluralize,
+      #   This is the name of the relationship you want to use to scope
+      #   everything. For example an Account has many Users. There should be a
+      #   relationship called :users that you defined with a has_many. The
+      #   reason we use the relationship is so you don't have to repeat
+      #   yourself. The relationship could have all kinds of custom options. So
+      #   instead of repeating yourself we essentially use the scope that the
       #   relationship creates.
       #
       # * <tt>find_options:</tt> default: nil,
-      #   By default the find options are created from the relationship you specify with
-      #   :relationship_name. But if you want to override this and manually specify
-      #   find_options you can do it here. Specify options just as you would in
-      #   ActiveRecord::Base.find.
+      #   By default the find options are created from the relationship you
+      #   specify with :relationship_name. But if you want to override this and
+      #   manually specify find_options you can do it here. Specify options just
+      #   as you would in ActiveRecord::Base.find.
       #
       # * <tt>scope_cookies:</tt> default: false
-      #   By the nature of cookies they scope themselves if you are using subdomains to
-      #   access accounts. If you aren't using subdomains you need to have separate
-      #   cookies for each account, assuming a user is logging into more than one account.
-      #   Authlogic can take care of this for you by prefixing the name of the cookie and
-      #   session with the model id. Because it affects both cookies names and session keys,
-      #   the name `scope_cookies` is misleading. Perhaps simply `scope` or `scoped`
+      #   By the nature of cookies they scope themselves if you are using
+      #   subdomains to access accounts. If you aren't using subdomains you need
+      #   to have separate cookies for each account, assuming a user is logging
+      #   into more than one account. Authlogic can take care of this for you by
+      #   prefixing the name of the cookie and session with the model id.
+      #   Because it affects both cookies names and session keys, the name
+      #   `scope_cookies` is misleading. Perhaps simply `scope` or `scoped`
       #   would have been better.
       def authenticates_many(name, options = {})
+        ::ActiveSupport::Deprecation.warn(DPR_AUTH_MANY)
         options[:session_class] ||= name.to_s.classify.constantize
         options[:relationship_name] ||= options[:session_class].klass_name.underscore.pluralize
-        class_eval <<-"end_eval", __FILE__, __LINE__
+        class_eval <<-EOS, __FILE__, __LINE__ + 1
           def #{name}
             find_options = #{options[:find_options].inspect} || #{options[:relationship_name]}.where(nil)
-            @#{name} ||= Authlogic::AuthenticatesMany::Association.new(#{options[:session_class]}, find_options, #{options[:scope_cookies] ? "self.class.model_name.name.underscore + '_' + self.send(self.class.primary_key).to_s" : "nil"})
+            @#{name} ||= Authlogic::AuthenticatesMany::Association.new(
+              #{options[:session_class]},
+              find_options,
+              #{options[:scope_cookies] ? "self.class.model_name.name.underscore + '_' + self.send(self.class.primary_key).to_s" : 'nil'}
+            )
           end
-        end_eval
+        EOS
       end
     end
 

data/lib/authlogic/config.rb

@@ -1,6 +1,11 @@
-# encoding: utf-8
 module Authlogic
   module Config
+    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS.freeze
+      This Authlogic configuration option (%s) is deprecated. Use normal
+      ActiveRecord validation instead. Detailed instructions:
+      https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
+    EOS
+
     def self.extended(klass)
       klass.class_eval do
         class_attribute :acts_as_authentic_config
@@ -10,15 +15,21 @@ module Authlogic
 
     private
 
-      # This is a one-liner method to write a config setting, read the config
-      # setting, and also set a default value for the setting.
-      def rw_config(key, value, default_value = nil)
-        if value.nil?
-          acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
-        else
-          self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
-          value
-        end
+    def deprecate_authlogic_config(method_name)
+      ::ActiveSupport::Deprecation.warn(
+        format(E_USE_NORMAL_RAILS_VALIDATION, method_name)
+      )
+    end
+
+    # This is a one-liner method to write a config setting, read the config
+    # setting, and also set a default value for the setting.
+    def rw_config(key, value, default_value = nil)
+      if value.nil?
+        acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
+      else
+        self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
+        value
       end
+    end
   end
 end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -3,16 +3,19 @@ module Authlogic
     # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter
     # for an example of how to adapt Authlogic to work with your framework.
     class AbstractAdapter
+      E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
+        "implemented by the controller adapter".freeze
+
       attr_accessor :controller
 
       def initialize(controller)
         self.controller = controller
       end
 
-      def authenticate_with_http_basic(&block)
+      def authenticate_with_http_basic
         @auth = Rack::Auth::Basic::Request.new(controller.request.env)
-        if @auth.provided? and @auth.basic?
-          block.call(*@auth.credentials)
+        if @auth.provided? && @auth.basic?
+          yield(*@auth.credentials)
         else
           false
         end
@@ -23,7 +26,7 @@ module Authlogic
       end
 
       def cookie_domain
-        raise NotImplementedError.new("The cookie_domain method has not been implemented by the controller adapter")
+        raise NotImplementedError.new(E_COOKIE_DOMAIN_ADAPTER)
       end
 
       def params
@@ -50,19 +53,43 @@ module Authlogic
         controller.send(:single_access_allowed?)
       end
 
-      def responds_to_last_request_update_allowed?
-        controller.respond_to?(:last_request_update_allowed?, true)
+      # You can disable the updating of `last_request_at`
+      # on a per-controller basis.
+      #
+      #   # in your controller
+      #   def last_request_update_allowed?
+      #     false
+      #   end
+      #
+      # For example, what if you had a javascript function that polled the
+      # server updating how much time is left in their session before it
+      # times out. Obviously you would want to ignore this request, because
+      # then the user would never time out. So you can do something like
+      # this in your controller:
+      #
+      #   def last_request_update_allowed?
+      #     action_name != "update_session_time_left"
+      #   end
+      #
+      # See `authlogic/session/magic_columns.rb` to learn more about the
+      # `last_request_at` column itself.
+      def last_request_update_allowed?
+        if controller.respond_to?(:last_request_update_allowed?, true)
+          controller.send(:last_request_update_allowed?)
+        else
+          true
+        end
       end
 
-      def last_request_update_allowed?
-        controller.send(:last_request_update_allowed?)
+      def respond_to_missing?(*args)
+        super(*args) || controller.respond_to?(*args)
       end
 
       private
 
-        def method_missing(id, *args, &block)
-          controller.send(id, *args, &block)
-        end
+      def method_missing(id, *args, &block)
+        controller.send(id, *args, &block)
+      end
     end
   end
 end

data/lib/authlogic/controller_adapters/rack_adapter.rb

@@ -32,7 +32,7 @@ module Authlogic
     #       # Authlogic options go here
     #     end
     #
-    #     class User < ActiveRecord::Base
+    #     class User < ApplicationRecord
     #       acts_as_authentic
     #     end
     #
@@ -48,7 +48,7 @@ module Authlogic
           end
 
           def remote_ip
-            self.ip
+            ip
           end
         end
 
@@ -56,10 +56,14 @@ module Authlogic
         Authlogic::Session::Base.controller = self
       end
 
-      # Rack Requests stores cookies with not just the value, but also with flags and expire information in the hash.
-      # Authlogic does not like this, so we drop everything except the cookie value
+      # Rack Requests stores cookies with not just the value, but also with
+      # flags and expire information in the hash. Authlogic does not like this,
+      # so we drop everything except the cookie value.
       def cookies
-        controller.cookies.map { |key, value_hash| { key => value_hash[:value] } }.inject(:merge) || {}
+        controller
+          .cookies
+          .map { |key, value_hash| { key => value_hash[:value] } }
+          .inject(:merge) || {}
       end
     end
   end

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -1,4 +1,4 @@
-require 'action_controller'
+require "action_controller"
 
 module Authlogic
   module ControllerAdapters
@@ -13,12 +13,14 @@ module Authlogic
         controller.authenticate_with_http_basic(&block)
       end
 
+      # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
+      # http://guides.rubyonrails.org/action_controller_overview.html#cookies
       def cookies
         controller.send(:cookies)
       end
 
       def cookie_domain
-        @cookie_domain_key ||= Rails::VERSION::STRING >= '2.3' ? :domain : :session_domain
+        @cookie_domain_key ||= Rails::VERSION::STRING >= "2.3" ? :domain : :session_domain
         controller.request.session_options[@cookie_domain_key]
       end
 
@@ -32,7 +34,7 @@ module Authlogic
         def self.included(klass) # :nodoc:
           if defined?(::ApplicationController)
             raise AuthlogicLoadedTooLateError.new(
-              <<-EOS.strip_heredoc
+              <<~EOS.squish
                 Authlogic is trying to add a callback to ActionController::Base
                 but ApplicationController has already been loaded, so the
                 callback won't be copied into your application. Generally this
@@ -54,12 +56,15 @@ module Authlogic
 
         private
 
-          def activate_authlogic
-            Authlogic::Session::Base.controller = RailsAdapter.new(self)
-          end
+        def activate_authlogic
+          Authlogic::Session::Base.controller = RailsAdapter.new(self)
+        end
       end
     end
   end
 end
 
-ActionController::Base.send(:include, Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation)
+ActionController::Base.send(
+  :include,
+  Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation
+)

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -32,7 +32,7 @@ module Authlogic
         end
 
         def session
-          env['rack.session']
+          env["rack.session"]
         end
 
         def method_missing(meth, *args, &block)
@@ -42,7 +42,7 @@ module Authlogic
 
       class Adapter < AbstractAdapter
         def cookie_domain
-          env['SERVER_NAME']
+          env["SERVER_NAME"]
         end
 
         module Implementation

data/lib/authlogic/crypto_providers/aes256.rb

@@ -2,21 +2,23 @@ require "openssl"
 
 module Authlogic
   module CryptoProviders
-    # This encryption method is reversible if you have the supplied key. So in order to
-    # use this encryption method you must supply it with a key first. In an initializer,
-    # or before your application initializes, you should do the following:
+    # This encryption method is reversible if you have the supplied key. So in
+    # order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do
+    # the following:
     #
-    #   Authlogic::CryptoProviders::AES256.key = "my really long and unique key, preferably a bunch of random characters"
+    #   Authlogic::CryptoProviders::AES256.key = "long, unique, and random key"
     #
-    # My final comment is that this is a strong encryption method, but its main weakness
-    # is that it's reversible. If you do not need to reverse the hash then you should
-    # consider Sha512 or BCrypt instead.
+    # My final comment is that this is a strong encryption method, but its main
+    # weakness is that it's reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
     #
-    # Keep your key in a safe place, some even say the key should be stored on a separate
-    # server. This won't hurt performance because the only time it will try and access the
-    # key on the separate server is during initialization, which only happens once. The
-    # reasoning behind this is if someone does compromise your server they won't have the
-    # key also. Basically, you don't want to store the key with the lock.
+    # Keep your key in a safe place, some even say the key should be stored on a
+    # separate server. This won't hurt performance because the only time it will
+    # try and access the key on the separate server is during initialization,
+    # which only happens once. The reasoning behind this is if someone does
+    # compromise your server they won't have the key also. Basically, you don't
+    # want to store the key with the lock.
     class AES256
       class << self
         attr_writer :key
@@ -37,29 +39,32 @@ module Authlogic
 
         private
 
-          def aes
-            if @key.blank?
-              raise ArgumentError.new(
-                "You must provide a key like #{name}.key = my_key before using the #{name}"
-              )
-            end
-
-            @aes ||= openssl_cipher_class.new("AES-256-ECB")
+        def aes
+          if @key.blank?
+            raise ArgumentError.new(
+              "You must provide a key like #{name}.key = my_key before using the #{name}"
+            )
           end
 
-          # `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
-          # in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
-          # printed until 2016
-          # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
-          # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
-          # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
-          def openssl_cipher_class
-            if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
-              ::OpenSSL::Cipher::Cipher
-            else
-              ::OpenSSL::Cipher
-            end
+          @aes ||= openssl_cipher_class.new("AES-256-ECB")
+        end
+
+        # `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
+        # in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
+        # printed until 2016
+        # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
+        # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
+        # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
+        #
+        # When we eventually drop support for ruby < 2.4, we can probably also
+        # drop support for openssl gem < 2.
+        def openssl_cipher_class
+          if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
+            ::OpenSSL::Cipher::Cipher
+          else
+            ::OpenSSL::Cipher
           end
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -16,10 +16,18 @@ module Authlogic
     #   require "benchmark"
     #
     #   Benchmark.bm(18) do |x|
-    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
-    #     x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
-    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
-    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #     x.report("BCrypt (cost = 10:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 10) }
+    #     }
+    #     x.report("BCrypt (cost = 4:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 4) }
+    #     }
+    #     x.report("Sha512:") {
+    #       100.times { Digest::SHA512.hexdigest("mypass") }
+    #     }
+    #     x.report("Sha1:") {
+    #       100.times { Digest::SHA1.hexdigest("mypass") }
+    #     }
     #   end
     #
     #                            user     system      total        real
@@ -66,7 +74,7 @@ module Authlogic
 
         # Creates a BCrypt hash for the password passed.
         def encrypt(*tokens)
-          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+          ::BCrypt::Password.create(join_tokens(tokens), cost: cost)
         end
 
         # Does the hash match the tokens? Uses the same tokens that were used to
@@ -90,17 +98,15 @@ module Authlogic
 
         private
 
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
 
-          def new_from_hash(hash)
-            begin
-              ::BCrypt::Password.new(hash)
-            rescue ::BCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def new_from_hash(hash)
+          ::BCrypt::Password.new(hash)
+        rescue ::BCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/md5.rb

@@ -6,7 +6,8 @@ module Authlogic
     # I highly discourage using this crypto provider as it superbly inferior
     # to your other options.
     #
-    # Please use any other provider offered by Authlogic.
+    # Please use any other provider offered by Authlogic (except AES256, that
+    # would be even worse).
     class MD5
       class << self
         attr_accessor :join_token
@@ -24,7 +25,8 @@ module Authlogic
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -19,7 +19,13 @@ module Authlogic
     #   end
     class SCrypt
       class << self
-        DEFAULTS = { :key_len => 32, :salt_size => 8, :max_time => 0.2, :max_mem => 1024 * 1024, :max_memfrac => 0.5 }
+        DEFAULTS = {
+          key_len: 32,
+          salt_size: 8,
+          max_time: 0.2,
+          max_mem: 1024 * 1024,
+          max_memfrac: 0.5
+        }.freeze
 
         attr_writer :key_len, :salt_size, :max_time, :max_mem, :max_memfrac
         # Key length - length in bytes of generated key, from 16 to 512.
@@ -42,7 +48,8 @@ module Authlogic
           @max_mem ||= DEFAULTS[:max_mem]
         end
 
-        # Max memory fraction - maximum memory out of all available. Always greater than zero and <= 0.5.
+        # Max memory fraction - maximum memory out of all available. Always
+        # greater than zero and <= 0.5.
         def max_memfrac
           @max_memfrac ||= DEFAULTS[:max_memfrac]
         end
@@ -51,11 +58,11 @@ module Authlogic
         def encrypt(*tokens)
           ::SCrypt::Password.create(
             join_tokens(tokens),
-            :key_len => key_len,
-            :salt_size => salt_size,
-            :max_mem => max_mem,
-            :max_memfrac => max_memfrac,
-            :max_time => max_time
+            key_len: key_len,
+            salt_size: salt_size,
+            max_mem: max_mem,
+            max_memfrac: max_memfrac,
+            max_time: max_time
           )
         end
 
@@ -68,17 +75,15 @@ module Authlogic
 
         private
 
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
 
-          def new_from_hash(hash)
-            begin
-              ::SCrypt::Password.new(hash)
-            rescue ::SCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def new_from_hash(hash)
+          ::SCrypt::Password.new(hash)
+        rescue ::SCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -2,8 +2,10 @@ require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
-    # crypto provider as it is far inferior to your other options. Please use any other provider offered by Authlogic.
+    # This class was made for the users transitioning from
+    # restful_authentication. Use of this crypto provider is highly discouraged.
+    # It is far inferior to your other options. Please use any other provider
+    # offered by Authlogic.
     class Sha1
       class << self
         def join_token
@@ -11,7 +13,8 @@ module Authlogic
         end
         attr_writer :join_token
 
-        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption. This is ten
+        # because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 10
         end
@@ -21,11 +24,14 @@ module Authlogic
         def encrypt(*tokens)
           tokens = tokens.flatten
           digest = tokens.shift
-          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token)) }
+          stretches.times do
+            digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token))
+          end
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -1,22 +1,25 @@
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
-  # Just create a class with a class level encrypt and matches? method. See example below.
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
   #
   # === Example
   #
   #   class MyAwesomeEncryptionMethod
   #     def self.encrypt(*tokens)
-  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
-  #       # just do what you need to do with them and return a single encrypted string.
-  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
   #     end
   #
   #     def self.matches?(crypted, *tokens)
-  #       # return true if the crypted string matches the tokens.
-  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
-  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
   #     end
   #   end
   module CryptoProviders
@@ -40,7 +43,8 @@ module Authlogic
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end