authlogic 3.8.0 → 4.5.0

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,27 +1,6 @@
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you
-  # to use any type of encryption you like. Just create a class with a class
-  # level encrypt and matches? method. See example below.
-  #
-  # === Example
-  #
-  #   class MyAwesomeEncryptionMethod
-  #     def self.encrypt(*tokens)
-  #       # The tokens passed will be an array of objects, what type of object
-  #       # is irrelevant, just do what you need to do with them and return a
-  #       # single encrypted string. For example, you will most likely join all
-  #       # of the objects into a single string and then encrypt that string.
-  #     end
-  #
-  #     def self.matches?(crypted, *tokens)
-  #       # Return true if the crypted string matches the tokens. Depending on
-  #       # your algorithm you might decrypt the string then compare it to the
-  #       # token, or you might encrypt the tokens and make sure it matches the
-  #       # crypted string, its up to you.
-  #     end
-  #   end
   module CryptoProviders
     # = Sha512
     #

data/lib/authlogic/crypto_providers/wordpress.rb

@@ -1,15 +1,44 @@
-require 'digest/md5'
+require "digest/md5"
+
+::ActiveSupport::Deprecation.warn(
+  <<~EOS,
+    authlogic/crypto_providers/wordpress.rb is deprecated without replacement.
+    Yes, the entire file. Don't `require` it. Let us know ASAP if you are still
+    using it.
+
+    Reasons for deprecation: This file is not autoloaded by
+    `authlogic/crypto_providers.rb`. It's not documented. There are no tests.
+    So, it's likely used by a *very* small number of people, if any. It's never
+    had any contributions except by its original author, Jeffry Degrande, in
+    2009. It is unclear why it should live in the main authlogic codebase. It
+    could be in a separate gem, authlogic-wordpress, or it could just live in
+    Jeffry's codebase, if he still even needs it, in 2018, nine years later.
+  EOS
+  caller(1)
+)
+
 module Authlogic
   module CryptoProviders
+    # Crypto provider to transition from wordpress user accounts. Written by
+    # Jeffry Degrande in 2009. First released in 2.1.3.
+    #
+    # Problems:
+    #
+    # - There are no tests.
+    # - We can't even figure out how to run this without it crashing.
+    # - Presumably it implements some spec, but it doesn't mention which.
+    # - It is not documented anywhere.
+    # - There is no PR associated with this, and no discussion about it could be found.
+    #
     class Wordpress
       class << self
-        ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+        ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".freeze
 
         def matches?(crypted, *tokens)
           stretches = 1 << ITOA64.index(crypted[3, 1])
           plain, salt = *tokens
           hashed = Digest::MD5.digest(salt + plain)
-          stretches.times do |i|
+          stretches.times do
             hashed = Digest::MD5.digest(hashed + plain)
           end
           crypted[0, 12] + encode_64(hashed, 16) == crypted

data/lib/authlogic/crypto_providers.rb

@@ -1,4 +1,25 @@
 module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # The tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. For example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string.
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # Return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
   module CryptoProviders
     autoload :MD5,    "authlogic/crypto_providers/md5"
     autoload :Sha1,   "authlogic/crypto_providers/sha1"
@@ -7,5 +28,75 @@ module Authlogic
     autoload :BCrypt, "authlogic/crypto_providers/bcrypt"
     autoload :AES256, "authlogic/crypto_providers/aes256"
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
+    # crypto_providers/wordpress.rb has never been autoloaded, and now it is
+    # deprecated.
+
+    # Guide users to choose a better crypto provider.
+    class Guidance
+      AES256_DEPRECATED = <<~EOS.freeze
+        You have selected AES256 as your authlogic crypto provider. This
+        choice is not suitable for password storage.
+
+        Authlogic will drop its AES256 crypto provider in the next major
+        version. If you're unable to transition away from AES256 please let us
+        know immediately.
+
+        We recommend using a one-way algorithm instead. There are many choices;
+        we recommend scrypt. Use the transition_from_crypto_providers option
+        to make this painless for your users.
+      EOS
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::".freeze
+      NONADAPTIVE_ALGORITHM = <<~EOS.freeze
+        You have selected %s as your authlogic crypto provider. This algorithm
+        does not have any practical known attacks against it. However, there are
+        better choices.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a more secure, adaptive hashing algorithm,
+        like scrypt. Adaptive algorithms are designed to slow down brute force
+        attacks, and over time the iteration count can be increased to make it
+        slower, so it remains resistant to brute-force search attacks even in
+        the face of increasing computation power.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+      VULNERABLE_ALGORITHM = <<~EOS.freeze
+        You have selected %s as your authlogic crypto provider. It is a poor
+        choice because there are known attacks against this algorithm.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a secure hashing algorithm. We recommend
+        an adaptive algorithm, like scrypt.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+
+      def initialize(provider)
+        @provider = provider
+      end
+
+      def impart_wisdom
+        return unless @provider.is_a?(Class)
+
+        # We can only impart wisdom about our own built-in providers.
+        absolute_name = @provider.name
+        return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)
+
+        # Inspect the string name of the provider, rather than using the
+        # constants in our `when` clauses. If we used the constants, we'd
+        # negate the benefits of the `autoload` above.
+        name = absolute_name.demodulize
+        case name
+        when "AES256"
+          ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
+        when "MD5", "Sha1"
+          warn(format(VULNERABLE_ALGORITHM, name))
+        when "Sha256", "Sha512"
+          warn(format(NONADAPTIVE_ALGORITHM, name))
+        end
+      end
+    end
   end
 end

data/lib/authlogic/i18n.rb

@@ -1,42 +1,48 @@
 require "authlogic/i18n/translator"
 
 module Authlogic
-  # This class allows any message in Authlogic to use internationalization. In earlier
-  # versions of Authlogic each message was translated via configuration. This cluttered up
-  # the configuration and cluttered up Authlogic. So all translation has been extracted
-  # out into this class. Now all messages pass through this class, making it much easier
-  # to implement in I18n library / plugin you want. Use this as a layer that sits between
-  # Authlogic and whatever I18n library you want to use.
+  # This class allows any message in Authlogic to use internationalization. In
+  # earlier versions of Authlogic each message was translated via configuration.
+  # This cluttered up the configuration and cluttered up Authlogic. So all
+  # translation has been extracted out into this class. Now all messages pass
+  # through this class, making it much easier to implement in I18n library /
+  # plugin you want. Use this as a layer that sits between Authlogic and
+  # whatever I18n library you want to use.
   #
-  # By default this uses the rails I18n library, if it exists. If it doesn't exist it just
-  # returns the default English message. The Authlogic I18n class works EXACTLY like the
-  # rails I18n class. This is because the arguments are delegated to this class.
+  # By default this uses the rails I18n library, if it exists. If it doesn't
+  # exist it just returns the default English message. The Authlogic I18n class
+  # works EXACTLY like the rails I18n class. This is because the arguments are
+  # delegated to this class.
   #
   # Here is how all messages are translated internally with Authlogic:
   #
   #   Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
   #
-  # If you use a different I18n library just replace the build-in I18n::Translator class
-  # with your own. For example:
+  # If you use a different I18n library just replace the build-in
+  # I18n::Translator class with your own. For example:
   #
   #   class MyAuthlogicI18nTranslator
   #     def translate(key, options = {})
-  #       # you will have key which will be something like: "error_messages.password_invalid"
-  #       # you will also have options[:default], which will be the default English version of the message
+  #       # you will have key which will be something like:
+  #       # "error_messages.password_invalid"
+  #       # you will also have options[:default], which will be the default
+  #       # English version of the message
   #       # do whatever you want here with the arguments passed to you.
   #     end
   #   end
   #
   #   Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
   #
-  # That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
+  # That it's! Here is a complete list of the keys that are passed. Just define
+  # these however you wish:
   #
   #   authlogic:
   #     error_messages:
   #       login_blank: can not be blank
   #       login_not_found: is not valid
   #       login_invalid: should use only letters, numbers, spaces, and .-_@+ please.
-  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
+  #       consecutive_failed_logins_limit_exceeded: >
+  #         Consecutive failed logins limit exceeded, account is disabled.
   #       email_invalid: should look like an email address.
   #       email_invalid_international: should look like an international email address.
   #       password_blank: can not be blank
@@ -46,6 +52,7 @@ module Authlogic
   #       not_approved: Your account is not approved
   #       no_authentication_details: You did not provide any details for authentication.
   #       general_credentials_error: Login/Password combination is not valid
+  #       session_invalid: Your session is invalid and has the following errors:
   #     models:
   #       user_session: UserSession (or whatever name you are using)
   #     attributes:
@@ -79,11 +86,11 @@ module Authlogic
         @@translator = translator
       end
 
-      # All message translation is passed to this method. The first argument is the key
-      # for the message. The second is options, see the rails I18n library for a list of
-      # options used.
+      # All message translation is passed to this method. The first argument is
+      # the key for the message. The second is options, see the rails I18n
+      # library for a list of options used.
       def translate(key, options = {})
-        translator.translate key, { :scope => I18n.scope }.merge(options)
+        translator.translate key, { scope: I18n.scope }.merge(options)
       end
       alias :t :translate
     end

data/lib/authlogic/random.rb

@@ -1,34 +1,16 @@
+require "securerandom"
+
 module Authlogic
-  # Handles generating random strings. If SecureRandom is installed it will default to
-  # this and use it instead. SecureRandom comes with ActiveSupport. So if you are using
-  # this in a rails app you should have this library.
+  # Generates random strings using ruby's SecureRandom library.
   module Random
-    extend self
-
-    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) ||
-      (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
-
-    if SecureRandom
-      def hex_token
-        SecureRandom.hex(64)
-      end
-
-      def friendly_token
-        # use base64url as defined by RFC4648
-        SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
-      end
-    else
-      def hex_token
-        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect { rand.to_s }.join)
-      end
-
-      FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+    def self.hex_token
+      SecureRandom.hex(64)
+    end
 
-      def friendly_token
-        newpass = ""
-        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size - 1)] }
-        newpass
-      end
+    # Returns a string in base64url format as defined by RFC-3548 and RFC-4648.
+    # We call this a "friendly" token because it is short and safe for URLs.
+    def self.friendly_token
+      SecureRandom.urlsafe_base64(15)
     end
   end
 end

data/lib/authlogic/regex.rb

@@ -1,48 +1,79 @@
-# encoding: utf-8
 module Authlogic
-  # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
-  # them out into their own module is to make them easily available to you for other uses. Ex:
+  # This is a module the contains regular expressions used throughout Authlogic.
+  # The point of extracting them out into their own module is to make them
+  # easily available to you for other uses. Ex:
   #
   #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
   module Regex
-    # A general email regular expression. It allows top level domains (TLD) to be from 2 -
-    # 24 in length. The decisions behind this regular expression were made by analyzing
-    # the list of top-level domains maintained by IANA and by reading this website:
-    # http://www.regular-expressions.info/email.html, which is an excellent resource for
-    # regular expressions.
-    def self.email
-      @email_regex ||= begin
-        email_name_regex  = '[A-Z0-9_\.&%\+\-\']+'
-        domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-        domain_tld_regex  = '(?:[A-Z]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-      end
-    end
+    # A general email regular expression. It allows top level domains (TLD) to
+    # be from 2 - 24 in length. The decisions behind this regular expression
+    # were made by analyzing the list of top-level domains maintained by IANA
+    # and by reading this website:
+    # http://www.regular-expressions.info/email.html, which is an excellent
+    # resource for regular expressions.
+    EMAIL = /
+      \A
+      [A-Z0-9_.&%+\-']+   # mailbox
+      @
+      (?:[A-Z0-9\-]+\.)+  # subdomains
+      (?:[A-Z]{2,25})     # TLD
+      \z
+    /ix
 
-    # A draft regular expression for internationalized email addresses.
-    # Given that the standard may be in flux, this simply emulates @email_regex but rather than
-    # allowing specific characters for each part, it instead disallows the complement set of characters:
+    # A draft regular expression for internationalized email addresses. Given
+    # that the standard may be in flux, this simply emulates @email_regex but
+    # rather than allowing specific characters for each part, it instead
+    # disallows the complement set of characters:
+    #
     # - email_name_regex disallows: @[]^ !"#$()*,/:;<=>?`{|}~\ and control characters
     # - domain_head_regex disallows: _%+ and all characters in email_name_regex
     # - domain_tld_regex disallows: 0123456789- and all characters in domain_head_regex
+    #
     # http://en.wikipedia.org/wiki/Email_address#Internationalization
     # http://tools.ietf.org/html/rfc6530
     # http://www.unicode.org/faq/idn.html
     # http://ruby-doc.org/core-2.1.5/Regexp.html#class-Regexp-label-Character+Classes
     # http://en.wikipedia.org/wiki/Unicode_character_property#General_Category
+    EMAIL_NONASCII = /
+      \A
+      [^[:cntrl:][@\[\]\^ \!"\#$\(\)*,\/:;<=>?`{|}~\\]]+                        # mailbox
+      @
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+']]+\.)+         # subdomains
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+\-'0-9]]{2,25})  # TLD
+      \z
+    /x
+
+    # A simple regular expression that only allows for letters, numbers, spaces, and
+    # .-_@+. Just a standard login / username regular expression.
+    LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
+
+    # Accessing the above constants using the following methods is deprecated.
+
+    # @deprecated
+    def self.email
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email is deprecated, use Authlogic::Regex::EMAIL",
+        caller(1)
+      )
+      EMAIL
+    end
+
+    # @deprecated
     def self.email_nonascii
-      @email_nonascii_regex ||= begin
-        email_name_regex  = '[^[:cntrl:][@\[\]\^ \!\"#$\(\)*,/:;<=>\?`{|}~\\\]]+'
-        domain_head_regex = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\']]+\.)+'
-        domain_tld_regex  = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\-\'0-9]]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/
-      end
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email_nonascii is deprecated, use Authlogic::Regex::EMAIL_NONASCII",
+        caller(1)
+      )
+      EMAIL_NONASCII
     end
 
-    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@+. Just a standard login / username
-    # regular expression.
+    # @deprecated
     def self.login
-      /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.login is deprecated, use Authlogic::Regex::LOGIN",
+        caller(1)
+      )
+      LOGIN
     end
   end
 end

data/lib/authlogic/session/activation.rb

@@ -1,4 +1,4 @@
-require 'request_store'
+require "request_store"
 
 module Authlogic
   module Session
@@ -9,8 +9,11 @@ module Authlogic
     # you are using a supported framework, Authlogic takes care of this for you.
     module Activation
       class NotActivatedError < ::StandardError # :nodoc:
-        def initialize(session)
-          super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
+        def initialize
+          super(
+            "You must activate the Authlogic::Session::Base.controller with " \
+              "a controller object before creating objects"
+          )
         end
       end
 
@@ -55,15 +58,15 @@ module Authlogic
       module InstanceMethods
         # Making sure we are activated before we start creating objects
         def initialize(*args)
-          raise NotActivatedError.new(self) unless self.class.activated?
+          raise NotActivatedError unless self.class.activated?
           super
         end
 
         private
 
-          def controller
-            self.class.controller
-          end
+        def controller
+          self.class.controller
+        end
       end
     end
   end

data/lib/authlogic/session/active_record_trickery.rb

@@ -1,16 +1,18 @@
 module Authlogic
   module Session
-    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
-    # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
-    # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
-    # advantage of the many ActiveRecord tools.
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not
+    # ActiveRecord. That's the goal here. This is useful for the various rails
+    # helper methods such as form_for, error_messages_for, or any method that
+    # expects an ActiveRecord object. The point is to disguise the object as an
+    # ActiveRecord object so we can take advantage of the many ActiveRecord
+    # tools.
     module ActiveRecordTrickery
       def self.included(klass)
         klass.extend ActiveModel::Naming
         klass.extend ActiveModel::Translation
 
         # Support ActiveModel::Name#name for Rails versions before 4.0.
-        if !klass.model_name.respond_to?(:name)
+        unless klass.model_name.respond_to?(:name)
           ActiveModel::Name.module_eval do
             alias_method :name, :to_s
           end
@@ -21,11 +23,12 @@ module Authlogic
       end
 
       module ClassMethods
-        # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
+        # How to name the class, works JUST LIKE ActiveRecord, except it uses
+        # the following namespace:
         #
         #   authlogic.models.user_session
-        def human_name(*args)
-          I18n.t("models.#{name.underscore}", { :count => 1, :default => name.humanize })
+        def human_name(*)
+          I18n.t("models.#{name.underscore}", count: 1, default: name.humanize)
         end
 
         def i18n_scope
@@ -34,7 +37,8 @@ module Authlogic
       end
 
       module InstanceMethods
-        # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
+        # Don't use this yourself, this is to just trick some of the helpers
+        # since this is the method it calls.
         def new_record?
           new_session?
         end

data/lib/authlogic/session/base.rb

@@ -1,7 +1,18 @@
 module Authlogic
   module Session # :nodoc:
-    # This is the base class Authlogic, where all modules are included. For information on functionality see the various
-    # sub modules.
+    # This is the most important class in Authlogic. You will inherit this class
+    # for your own eg. `UserSession`.
+    #
+    # Code is organized topically. Each topic is represented by a module. So, to
+    # learn about password-based authentication, read the `Password` module.
+    #
+    # It is common for methods (.initialize and #credentials=, for example) to
+    # be implemented in multiple mixins. Those methods will call `super`, so the
+    # order of `include`s here is important.
+    #
+    # Also, to fully understand such a method (like #credentials=) you will need
+    # to mentally combine all of its definitions. This is perhaps the primary
+    # disadvantage of topical organization using modules.
     class Base
       include Foundation
       include Callbacks
@@ -15,8 +26,8 @@ module Authlogic
       include Session
       include HttpAuth
 
-      # Included in a specific order so magic states gets ran after a record is found
-      # TODO: What does "magic states gets ran" mean? Be specific.
+      # Included in a specific order so magic states gets run after a record is found
+      # TODO: What does "magic states gets run" mean? Be specific.
       include Password
       include UnauthorizedRecord
       include MagicStates

data/lib/authlogic/session/brute_force_protection.rb

@@ -25,8 +25,8 @@ module Authlogic
         klass.class_eval do
           extend Config
           include InstanceMethods
-          validate :reset_failed_login_count, :if => :reset_failed_login_count?
-          validate :validate_failed_logins, :if => :being_brute_force_protected?
+          validate :reset_failed_login_count, if: :reset_failed_login_count?
+          validate :validate_failed_logins, if: :being_brute_force_protected?
         end
       end
 
@@ -73,47 +73,54 @@ module Authlogic
         # with configuration. By default they will be banned for 2 hours. During
         # that 2 hour period this method will return true.
         def being_brute_force_protected?
-          exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
-            (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+          exceeded_failed_logins_limit? &&
+            (
+              failed_login_ban_for <= 0 ||
+              attempted_record.respond_to?(:updated_at) &&
+              attempted_record.updated_at >= failed_login_ban_for.seconds.ago
+            )
         end
 
         private
 
-          def exceeded_failed_logins_limit?
-            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
-              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
-          end
+        def exceeded_failed_logins_limit?
+          !attempted_record.nil? &&
+            attempted_record.respond_to?(:failed_login_count) &&
+            consecutive_failed_logins_limit > 0 &&
+            attempted_record.failed_login_count &&
+            attempted_record.failed_login_count >= consecutive_failed_logins_limit
+        end
 
-          def reset_failed_login_count?
-            exceeded_failed_logins_limit? && !being_brute_force_protected?
-          end
+        def reset_failed_login_count?
+          exceeded_failed_logins_limit? && !being_brute_force_protected?
+        end
 
-          def reset_failed_login_count
-            attempted_record.failed_login_count = 0
-          end
+        def reset_failed_login_count
+          attempted_record.failed_login_count = 0
+        end
 
-          def validate_failed_logins
-            # Clear all other error messages, as they are irrelevant at this point and can
-            # only provide additional information that is not needed
-            errors.clear
-            errors.add(
-              :base,
-              I18n.t(
-                'error_messages.consecutive_failed_logins_limit_exceeded',
-                :default => "Consecutive failed logins limit exceeded, account has been" +
-                  (failed_login_ban_for == 0 ? "" : " temporarily") +
-                  " disabled."
-              )
+        def validate_failed_logins
+          # Clear all other error messages, as they are irrelevant at this point and can
+          # only provide additional information that is not needed
+          errors.clear
+          errors.add(
+            :base,
+            I18n.t(
+              "error_messages.consecutive_failed_logins_limit_exceeded",
+              default: "Consecutive failed logins limit exceeded, account has been" +
+                (failed_login_ban_for.zero? ? "" : " temporarily") +
+                " disabled."
             )
-          end
+          )
+        end
 
-          def consecutive_failed_logins_limit
-            self.class.consecutive_failed_logins_limit
-          end
+        def consecutive_failed_logins_limit
+          self.class.consecutive_failed_logins_limit
+        end
 
-          def failed_login_ban_for
-            self.class.failed_login_ban_for
-          end
+        def failed_login_ban_for
+          self.class.failed_login_ban_for
+        end
       end
     end
   end