authlogic 3.8.0 → 6.0.0

data/lib/authlogic/regex.rb

@@ -1,48 +0,0 @@
-# encoding: utf-8
-module Authlogic
-  # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
-  # them out into their own module is to make them easily available to you for other uses. Ex:
-  #
-  #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
-  module Regex
-    # A general email regular expression. It allows top level domains (TLD) to be from 2 -
-    # 24 in length. The decisions behind this regular expression were made by analyzing
-    # the list of top-level domains maintained by IANA and by reading this website:
-    # http://www.regular-expressions.info/email.html, which is an excellent resource for
-    # regular expressions.
-    def self.email
-      @email_regex ||= begin
-        email_name_regex  = '[A-Z0-9_\.&%\+\-\']+'
-        domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-        domain_tld_regex  = '(?:[A-Z]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-      end
-    end
-
-    # A draft regular expression for internationalized email addresses.
-    # Given that the standard may be in flux, this simply emulates @email_regex but rather than
-    # allowing specific characters for each part, it instead disallows the complement set of characters:
-    # - email_name_regex disallows: @[]^ !"#$()*,/:;<=>?`{|}~\ and control characters
-    # - domain_head_regex disallows: _%+ and all characters in email_name_regex
-    # - domain_tld_regex disallows: 0123456789- and all characters in domain_head_regex
-    # http://en.wikipedia.org/wiki/Email_address#Internationalization
-    # http://tools.ietf.org/html/rfc6530
-    # http://www.unicode.org/faq/idn.html
-    # http://ruby-doc.org/core-2.1.5/Regexp.html#class-Regexp-label-Character+Classes
-    # http://en.wikipedia.org/wiki/Unicode_character_property#General_Category
-    def self.email_nonascii
-      @email_nonascii_regex ||= begin
-        email_name_regex  = '[^[:cntrl:][@\[\]\^ \!\"#$\(\)*,/:;<=>\?`{|}~\\\]]+'
-        domain_head_regex = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\']]+\.)+'
-        domain_tld_regex  = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\-\'0-9]]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/
-      end
-    end
-
-    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@+. Just a standard login / username
-    # regular expression.
-    def self.login
-      /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
-    end
-  end
-end

data/lib/authlogic/session/activation.rb

@@ -1,70 +0,0 @@
-require 'request_store'
-
-module Authlogic
-  module Session
-    # Activating Authlogic requires that you pass it an
-    # Authlogic::ControllerAdapters::AbstractAdapter object, or a class that
-    # extends it. This is sort of like a database connection for an ORM library,
-    # Authlogic can't do anything until it is "connected" to a controller. If
-    # you are using a supported framework, Authlogic takes care of this for you.
-    module Activation
-      class NotActivatedError < ::StandardError # :nodoc:
-        def initialize(session)
-          super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
-        end
-      end
-
-      def self.included(klass)
-        klass.class_eval do
-          extend ClassMethods
-          include InstanceMethods
-        end
-      end
-
-      module ClassMethods
-        # Returns true if a controller has been set and can be used properly.
-        # This MUST be set before anything can be done. Similar to how
-        # ActiveRecord won't allow you to do anything without establishing a DB
-        # connection. In your framework environment this is done for you, but if
-        # you are using Authlogic outside of your framework, you need to assign
-        # a controller object to Authlogic via
-        # Authlogic::Session::Base.controller = obj. See the controller= method
-        # for more information.
-        def activated?
-          !controller.nil?
-        end
-
-        # This accepts a controller object wrapped with the Authlogic controller
-        # adapter. The controller adapters close the gap between the different
-        # controllers in each framework. That being said, Authlogic is expecting
-        # your object's class to extend
-        # Authlogic::ControllerAdapters::AbstractAdapter. See
-        # Authlogic::ControllerAdapters for more info.
-        #
-        # Lastly, this is thread safe.
-        def controller=(value)
-          RequestStore.store[:authlogic_controller] = value
-        end
-
-        # The current controller object
-        def controller
-          RequestStore.store[:authlogic_controller]
-        end
-      end
-
-      module InstanceMethods
-        # Making sure we are activated before we start creating objects
-        def initialize(*args)
-          raise NotActivatedError.new(self) unless self.class.activated?
-          super
-        end
-
-        private
-
-          def controller
-            self.class.controller
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/active_record_trickery.rb

@@ -1,61 +0,0 @@
-module Authlogic
-  module Session
-    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
-    # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
-    # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
-    # advantage of the many ActiveRecord tools.
-    module ActiveRecordTrickery
-      def self.included(klass)
-        klass.extend ActiveModel::Naming
-        klass.extend ActiveModel::Translation
-
-        # Support ActiveModel::Name#name for Rails versions before 4.0.
-        if !klass.model_name.respond_to?(:name)
-          ActiveModel::Name.module_eval do
-            alias_method :name, :to_s
-          end
-        end
-
-        klass.extend ClassMethods
-        klass.send(:include, InstanceMethods)
-      end
-
-      module ClassMethods
-        # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
-        #
-        #   authlogic.models.user_session
-        def human_name(*args)
-          I18n.t("models.#{name.underscore}", { :count => 1, :default => name.humanize })
-        end
-
-        def i18n_scope
-          I18n.scope
-        end
-      end
-
-      module InstanceMethods
-        # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
-        def new_record?
-          new_session?
-        end
-
-        def persisted?
-          !(new_record? || destroyed?)
-        end
-
-        def destroyed?
-          record.nil?
-        end
-
-        def to_key
-          new_record? ? nil : record.to_key
-        end
-
-        # For rails >= 3.0
-        def to_model
-          self
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,120 +0,0 @@
-module Authlogic
-  module Session
-    # A brute force attacks is executed by hammering a login with as many password
-    # combinations as possible, until one works. A brute force attacked is generally
-    # combated with a slow hashing algorithm such as BCrypt. You can increase the cost,
-    # which makes the hash generation slower, and ultimately increases the time it takes
-    # to execute a brute force attack. Just to put this into perspective, if a hacker was
-    # to gain access to your server and execute a brute force attack locally, meaning
-    # there is no network lag, it would probably take decades to complete. Now throw in
-    # network lag and it would take MUCH longer.
-    #
-    # But for those that are extra paranoid and can't get enough protection, why not stop
-    # them as soon as you realize something isn't right? That's what this module is all
-    # about. By default the consecutive_failed_logins_limit configuration option is set to
-    # 50, if someone consecutively fails to login after 50 attempts their account will be
-    # suspended. This is a very liberal number and at this point it should be obvious that
-    # something is not right. If you wish to lower this number just set the configuration
-    # to a lower number:
-    #
-    #   class UserSession < Authlogic::Session::Base
-    #     consecutive_failed_logins_limit 10
-    #   end
-    module BruteForceProtection
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          validate :reset_failed_login_count, :if => :reset_failed_login_count?
-          validate :validate_failed_logins, :if => :being_brute_force_protected?
-        end
-      end
-
-      # Configuration for the brute force protection feature.
-      module Config
-        # To help protect from brute force attacks you can set a limit on the
-        # allowed number of consecutive failed logins. By default this is 50,
-        # this is a very liberal number, and if someone fails to login after 50
-        # tries it should be pretty obvious that it's a machine trying to login
-        # in and very likely a brute force attack.
-        #
-        # In order to enable this field your model MUST have a
-        # failed_login_count (integer) field.
-        #
-        # If you don't know what a brute force attack is, it's when a machine
-        # tries to login into a system using every combination of character
-        # possible. Thus resulting in possibly millions of attempts to log into
-        # an account.
-        #
-        # * <tt>Default:</tt> 50
-        # * <tt>Accepts:</tt> Integer, set to 0 to disable
-        def consecutive_failed_logins_limit(value = nil)
-          rw_config(:consecutive_failed_logins_limit, value, 50)
-        end
-        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
-
-        # Once the failed logins limit has been exceed, how long do you want to
-        # ban the user? This can be a temporary or permanent ban.
-        #
-        # * <tt>Default:</tt> 2.hours
-        # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
-        def failed_login_ban_for(value = nil)
-          rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
-        end
-        alias_method :failed_login_ban_for=, :failed_login_ban_for
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make
-      # up the brute force protection feature.
-      module InstanceMethods
-        # Returns true when the consecutive_failed_logins_limit has been
-        # exceeded and is being temporarily banned. Notice the word temporary,
-        # the user will not be permanently banned unless you choose to do so
-        # with configuration. By default they will be banned for 2 hours. During
-        # that 2 hour period this method will return true.
-        def being_brute_force_protected?
-          exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
-            (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
-        end
-
-        private
-
-          def exceeded_failed_logins_limit?
-            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
-              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
-          end
-
-          def reset_failed_login_count?
-            exceeded_failed_logins_limit? && !being_brute_force_protected?
-          end
-
-          def reset_failed_login_count
-            attempted_record.failed_login_count = 0
-          end
-
-          def validate_failed_logins
-            # Clear all other error messages, as they are irrelevant at this point and can
-            # only provide additional information that is not needed
-            errors.clear
-            errors.add(
-              :base,
-              I18n.t(
-                'error_messages.consecutive_failed_logins_limit_exceeded',
-                :default => "Consecutive failed logins limit exceeded, account has been" +
-                  (failed_login_ban_for == 0 ? "" : " temporarily") +
-                  " disabled."
-              )
-            )
-          end
-
-          def consecutive_failed_logins_limit
-            self.class.consecutive_failed_logins_limit
-          end
-
-          def failed_login_ban_for
-            self.class.failed_login_ban_for
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/callbacks.rb

@@ -1,105 +0,0 @@
-module Authlogic
-  module Session
-    # Between these callbacks and the configuration, this is the contract between me and you to safely
-    # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
-    #
-    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
-    # importantly they use the same API that you would use to extend Authlogic. That being said, they are great
-    # examples of how to extend Authlogic and add / modify behavior to Authlogic. These modules could easily be pulled out
-    # into their own plugin and become an "add on" without any change.
-    #
-    # Now to the point of this module. Just like in ActiveRecord you have before_save, before_validation, etc.
-    # You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
-    #
-    #   before_persisting
-    #   persist
-    #   after_persisting
-    #   [save record if record.changed?]
-    #
-    #   before_validation
-    #   before_validation_on_create
-    #   before_validation_on_update
-    #   validate
-    #   after_validation_on_update
-    #   after_validation_on_create
-    #   after_validation
-    #   [save record if record.changed?]
-    #
-    #   before_save
-    #   before_create
-    #   before_update
-    #   after_update
-    #   after_create
-    #   after_save
-    #   [save record if record.changed?]
-    #
-    #   before_destroy
-    #   [save record if record.changed?]
-    #   destroy
-    #   after_destroy
-    #
-    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make
-    # changes to the associated record, there is no need to save the record, Authlogic will do it for you.
-    # This allows multiple modules to modify the record and execute as few queries as possible.
-    #
-    # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
-    #
-    #   class UserSession < Authlogic::Session::Base
-    #     before_validation :my_method
-    #     validate :another_method
-    #     # ..etc
-    #   end
-    #
-    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic
-    # to extend properly with multiple extensions. Please ONLY use the method above.
-    module Callbacks
-      METHODS = [
-        "before_persisting", "persist", "after_persisting",
-        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate",
-        "after_validation_on_update", "after_validation_on_create", "after_validation",
-        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
-        "before_destroy", "after_destroy"
-      ]
-
-      def self.included(base) #:nodoc:
-        base.send :include, ActiveSupport::Callbacks
-        if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('5')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result_lambda) { result_lambda.call == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result_lambda) { result_lambda.call == true } }]
-        elsif Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('4.1')
-          base.define_callbacks *METHODS + [{ :terminator => ->(target, result) { result == false } }]
-          base.define_callbacks *['persist', { :terminator => ->(target, result) { result == true } }]
-        else
-          base.define_callbacks *METHODS + [{ :terminator => 'result == false' }]
-          base.define_callbacks *['persist', { :terminator => 'result == true' }]
-        end
-
-        # If Rails 3, support the new callback syntax
-        if base.singleton_class.method_defined?(:set_callback)
-          METHODS.each do |method|
-            base.class_eval <<-"end_eval", __FILE__, __LINE__
-              def self.#{method}(*methods, &block)
-                set_callback :#{method}, *methods, &block
-              end
-            end_eval
-          end
-        end
-      end
-
-      private
-
-        METHODS.each do |method|
-          class_eval <<-"end_eval", __FILE__, __LINE__
-            def #{method}
-              run_callbacks(:#{method})
-            end
-          end_eval
-        end
-
-        def save_record(alternate_record = nil)
-          r = alternate_record || record
-          r.save_without_session_maintenance(:validate => false) if r && r.changed? && !r.readonly?
-        end
-    end
-  end
-end

data/lib/authlogic/session/cookies.rb

@@ -1,244 +0,0 @@
-module Authlogic
-  module Session
-    # Handles all authentication that deals with cookies, such as persisting,
-    # saving, and destroying.
-    module Cookies
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          persist :persist_by_cookie
-          after_save :save_cookie
-          after_destroy :destroy_cookie
-        end
-      end
-
-      # Configuration for the cookie feature set.
-      module Config
-        # The name of the cookie or the key in the cookies hash. Be sure and use
-        # a unique name. If you have multiple sessions and they use the same
-        # cookie it will cause problems. Also, if a id is set it will be
-        # inserted into the beginning of the string. Example:
-        #
-        #   session = UserSession.new
-        #   session.cookie_key => "user_credentials"
-        #
-        #   session = UserSession.new(:super_high_secret)
-        #   session.cookie_key => "super_high_secret_user_credentials"
-        #
-        # * <tt>Default:</tt> "#{klass_name.underscore}_credentials"
-        # * <tt>Accepts:</tt> String
-        def cookie_key(value = nil)
-          rw_config(:cookie_key, value, "#{klass_name.underscore}_credentials")
-        end
-        alias_method :cookie_key=, :cookie_key
-
-        # If sessions should be remembered by default or not.
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def remember_me(value = nil)
-          rw_config(:remember_me, value, false)
-        end
-        alias_method :remember_me=, :remember_me
-
-        # The length of time until the cookie expires.
-        #
-        # * <tt>Default:</tt> 3.months
-        # * <tt>Accepts:</tt> Integer, length of time in seconds, such as 60 or 3.months
-        def remember_me_for(value = nil)
-          rw_config(:remember_me_for, value, 3.months)
-        end
-        alias_method :remember_me_for=, :remember_me_for
-
-        # Should the cookie be set as secure?  If true, the cookie will only be sent over
-        # SSL connections
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def secure(value = nil)
-          rw_config(:secure, value, false)
-        end
-        alias_method :secure=, :secure
-
-        # Should the cookie be set as httponly?  If true, the cookie will not be
-        # accessible from javascript
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def httponly(value = nil)
-          rw_config(:httponly, value, false)
-        end
-        alias_method :httponly=, :httponly
-
-        # Should the cookie be signed? If the controller adapter supports it, this is a
-        # measure against cookie tampering.
-        def sign_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:signed)
-            raise "Signed cookies not supported with #{controller.class}!"
-          end
-          rw_config(:sign_cookie, value, false)
-        end
-        alias_method :sign_cookie=, :sign_cookie
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make up the
-      # cookie feature set.
-      module InstanceMethods
-        # Allows you to set the remember_me option when passing credentials.
-        def credentials=(value)
-          super
-          values = value.is_a?(Array) ? value : [value]
-          case values.first
-          when Hash
-            if values.first.with_indifferent_access.key?(:remember_me)
-              self.remember_me = values.first.with_indifferent_access[:remember_me]
-            end
-          else
-            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
-            self.remember_me = r if !r.nil?
-          end
-        end
-
-        # Is the cookie going to expire after the session is over, or will it stick around?
-        def remember_me
-          return @remember_me if defined?(@remember_me)
-          @remember_me = self.class.remember_me
-        end
-
-        # Accepts a boolean as a flag to remember the session or not. Basically
-        # to expire the cookie at the end of the session or keep it for
-        # "remember_me_until".
-        def remember_me=(value)
-          @remember_me = value
-        end
-
-        # See remember_me
-        def remember_me?
-          remember_me == true || remember_me == "true" || remember_me == "1"
-        end
-
-        # How long to remember the user if remember_me is true. This is based on the class
-        # level configuration: remember_me_for
-        def remember_me_for
-          return unless remember_me?
-          self.class.remember_me_for
-        end
-
-        # When to expire the cookie. See remember_me_for configuration option to change
-        # this.
-        def remember_me_until
-          return unless remember_me?
-          remember_me_for.from_now
-        end
-
-        # Has the cookie expired due to current time being greater than remember_me_until.
-        def remember_me_expired?
-          return unless remember_me?
-          (Time.parse(cookie_credentials[2]) < Time.now)
-        end
-
-        # If the cookie should be marked as secure (SSL only)
-        def secure
-          return @secure if defined?(@secure)
-          @secure = self.class.secure
-        end
-
-        # Accepts a boolean as to whether the cookie should be marked as secure.  If true
-        # the cookie will only ever be sent over an SSL connection.
-        def secure=(value)
-          @secure = value
-        end
-
-        # See secure
-        def secure?
-          secure == true || secure == "true" || secure == "1"
-        end
-
-        # If the cookie should be marked as httponly (not accessible via javascript)
-        def httponly
-          return @httponly if defined?(@httponly)
-          @httponly = self.class.httponly
-        end
-
-        # Accepts a boolean as to whether the cookie should be marked as
-        # httponly.  If true, the cookie will not be accessible from javascript
-        def httponly=(value)
-          @httponly = value
-        end
-
-        # See httponly
-        def httponly?
-          httponly == true || httponly == "true" || httponly == "1"
-        end
-
-        # If the cookie should be signed
-        def sign_cookie
-          return @sign_cookie if defined?(@sign_cookie)
-          @sign_cookie = self.class.sign_cookie
-        end
-
-        # Accepts a boolean as to whether the cookie should be signed.  If true
-        # the cookie will be saved and verified using a signature.
-        def sign_cookie=(value)
-          @sign_cookie = value
-        end
-
-        # See sign_cookie
-        def sign_cookie?
-          sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
-        end
-
-        private
-
-          def cookie_key
-            build_key(self.class.cookie_key)
-          end
-
-          def cookie_credentials
-            if self.class.sign_cookie
-              cookie = controller.cookies.signed[cookie_key]
-            else
-              cookie = controller.cookies[cookie_key]
-            end
-            cookie && cookie.split("::")
-          end
-
-          # Tries to validate the session from information in the cookie
-          def persist_by_cookie
-            persistence_token, record_id = cookie_credentials
-            if persistence_token.present?
-              record = search_for_record("find_by_#{klass.primary_key}", record_id)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
-              valid?
-            else
-              false
-            end
-          end
-
-          def save_cookie
-            if sign_cookie?
-              controller.cookies.signed[cookie_key] = generate_cookie_for_saving
-            else
-              controller.cookies[cookie_key] = generate_cookie_for_saving
-            end
-          end
-
-          def generate_cookie_for_saving
-            remember_me_until_value = "::#{remember_me_until.iso8601}" if remember_me?
-            {
-              :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}#{remember_me_until_value}",
-              :expires => remember_me_until,
-              :secure => secure,
-              :httponly => httponly,
-              :domain => controller.cookie_domain
-            }
-          end
-
-          def destroy_cookie
-            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
-          end
-      end
-    end
-  end
-end