authlogic 3.8.0 → 6.0.0

data/lib/authlogic/session/password.rb

@@ -1,308 +0,0 @@
-module Authlogic
-  module Session
-    # Handles authenticating via a traditional username and password.
-    module Password
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          validate :validate_by_password, :if => :authenticating_with_password?
-
-          class << self
-            attr_accessor :configured_password_methods
-          end
-        end
-      end
-
-      # Password configuration
-      module Config
-        # Authlogic tries to validate the credentials passed to it. One part of
-        # validation is actually finding the user and making sure it exists.
-        # What method it uses the do this is up to you.
-        #
-        # Let's say you have a UserSession that is authenticating a User. By
-        # default UserSession will call User.find_by_login(login). You can
-        # change what method UserSession calls by specifying it here. Then in
-        # your User model you can make that method do anything you want, giving
-        # you complete control of how users are found by the UserSession.
-        #
-        # Let's take an example: You want to allow users to login by username or
-        # email. Set this to the name of the class method that does this in the
-        # User model. Let's call it "find_by_username_or_email"
-        #
-        #   class User < ActiveRecord::Base
-        #     def self.find_by_username_or_email(login)
-        #       find_by_username(login) || find_by_email(login)
-        #     end
-        #   end
-        #
-        # Now just specify the name of this method for this configuration option
-        # and you are all set. You can do anything you want here. Maybe you
-        # allow users to have multiple logins and you want to search a has_many
-        # relationship, etc. The sky is the limit.
-        #
-        # * <tt>Default:</tt> "find_by_smart_case_login_field"
-        # * <tt>Accepts:</tt> Symbol or String
-        def find_by_login_method(value = nil)
-          rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
-        end
-        alias_method :find_by_login_method=, :find_by_login_method
-
-        # The text used to identify credentials (username/password) combination
-        # when a bad login attempt occurs. When you show error messages for a
-        # bad login, it's considered good security practice to hide which field
-        # the user has entered incorrectly (the login field or the password
-        # field). For a full explanation, see
-        # http://www.gnucitizen.org/blog/username-enumeration-vulnerabilities/
-        #
-        # Example of use:
-        #
-        #   class UserSession < Authlogic::Session::Base
-        #     generalize_credentials_error_messages true
-        #   end
-        #
-        #   This would make the error message for bad logins and bad passwords
-        #   look identical:
-        #
-        #   Login/Password combination is not valid
-        #
-        #   Alternatively you may use a custom message:
-        #
-        #   class UserSession < AuthLogic::Session::Base
-        #     generalize_credentials_error_messages "Your login information is invalid"
-        #   end
-        #
-        #   This will instead show your custom error message when the UserSession is invalid.
-        #
-        # The downside to enabling this is that is can be too vague for a user
-        # that has a hard time remembering their username and password
-        # combinations. It also disables the ability to to highlight the field
-        # with the error when you use form_for.
-        #
-        # If you are developing an app where security is an extreme priority
-        # (such as a financial application), then you should enable this.
-        # Otherwise, leaving this off is fine.
-        #
-        # * <tt>Default</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def generalize_credentials_error_messages(value = nil)
-          rw_config(:generalize_credentials_error_messages, value, false)
-        end
-        alias_method :generalize_credentials_error_messages=, :generalize_credentials_error_messages
-
-        # The name of the method you want Authlogic to create for storing the
-        # login / username. Keep in mind this is just for your
-        # Authlogic::Session, if you want it can be something completely
-        # different than the field in your model. So if you wanted people to
-        # login with a field called "login" and then find users by email this is
-        # completely doable. See the find_by_login_method configuration option
-        # for more details.
-        #
-        # * <tt>Default:</tt> klass.login_field || klass.email_field
-        # * <tt>Accepts:</tt> Symbol or String
-        def login_field(value = nil)
-          rw_config(:login_field, value, klass.login_field || klass.email_field)
-        end
-        alias_method :login_field=, :login_field
-
-        # Works exactly like login_field, but for the password instead. Returns
-        # :password if a login_field exists.
-        #
-        # * <tt>Default:</tt> :password
-        # * <tt>Accepts:</tt> Symbol or String
-        def password_field(value = nil)
-          rw_config(:password_field, value, login_field && :password)
-        end
-        alias_method :password_field=, :password_field
-
-        # The name of the method in your model used to verify the password. This
-        # should be an instance method. It should also be prepared to accept a
-        # raw password and a crytped password.
-        #
-        # * <tt>Default:</tt> "valid_password?"
-        # * <tt>Accepts:</tt> Symbol or String
-        def verify_password_method(value = nil)
-          rw_config(:verify_password_method, value, "valid_password?")
-        end
-        alias_method :verify_password_method=, :verify_password_method
-      end
-
-      # Password-related instance methods
-      module InstanceMethods
-        E_AC_PARAMETERS = <<-STR.strip_heredoc.freeze
-          You have passed an ActionController::Parameters to Authlogic 3. That's
-          OK for now, but in Authlogic 4, it will raise an error. Please
-          replace:
-
-              UserSession.new(user_session_params)
-              UserSession.create(user_session_params)
-
-          with
-
-              UserSession.new(user_session_params.to_h)
-              UserSession.create(user_session_params.to_h)
-
-          And don't forget to `permit`!
-
-          During the transition of rails to Strong Parameters, it has been
-          common for Authlogic users to forget to `permit` their params. They
-          would pass their params into Authlogic, we'd call `to_h`, and they'd
-          be surprised when authentication failed.
-
-          In 2018, people are still making this mistake. We'd like to help them
-          and make authlogic a little simpler at the same time, so in Authlogic
-          3.7.0, we deprecated the use of ActionController::Parameters.
-
-          We discussed this issue thoroughly between late 2016 and early
-          2018. Notable discussions include:
-
-          - https://github.com/binarylogic/authlogic/issues/512
-          - https://github.com/binarylogic/authlogic/pull/558
-          - https://github.com/binarylogic/authlogic/pull/577
-        STR
-
-        def initialize(*args)
-          if !self.class.configured_password_methods
-            configure_password_methods
-            self.class.configured_password_methods = true
-          end
-          super
-        end
-
-        # Returns the login_field / password_field credentials combination in
-        # hash form.
-        def credentials
-          if authenticating_with_password?
-            details = {}
-            details[login_field.to_sym] = send(login_field)
-            details[password_field.to_sym] = "<protected>"
-            details
-          else
-            super
-          end
-        end
-
-        # Accepts the login_field / password_field credentials combination in
-        # hash form.
-        def credentials=(value)
-          super
-          values = parse_param_val(value) # add strong parameters check
-
-          if values.first.is_a?(Hash)
-            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-              next if value.blank?
-              send("#{field}=", value)
-            end
-          end
-        end
-
-        def invalid_password?
-          invalid_password == true
-        end
-
-        private
-
-          def configure_password_methods
-            if login_field
-              self.class.send(:attr_writer, login_field) if !respond_to?("#{login_field}=")
-              self.class.send(:attr_reader, login_field) if !respond_to?(login_field)
-            end
-
-            if password_field
-              self.class.send(:attr_writer, password_field) if !respond_to?("#{password_field}=")
-              self.class.send(:define_method, password_field) {} if !respond_to?(password_field)
-
-              # The password should not be accessible publicly. This way forms
-              # using form_for don't fill the password with the attempted
-              # password. To prevent this we just create this method that is
-              # private.
-              self.class.class_eval <<-"end_eval", __FILE__, __LINE__
-                private
-                  def protected_#{password_field}
-                    @#{password_field}
-                  end
-              end_eval
-            end
-          end
-
-          def authenticating_with_password?
-            login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
-          end
-
-          def validate_by_password
-            self.invalid_password = false
-
-            # check for blank fields
-            if send(login_field).blank?
-              errors.add(login_field, I18n.t('error_messages.login_blank', :default => "cannot be blank"))
-            end
-            if send("protected_#{password_field}").blank?
-              errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank"))
-            end
-            return if errors.count > 0
-
-            self.attempted_record = search_for_record(find_by_login_method, send(login_field))
-            if attempted_record.blank?
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
-              return
-            end
-
-            # check for invalid password
-            if !attempted_record.send(verify_password_method, send("protected_#{password_field}"))
-              self.invalid_password = true
-              generalize_credentials_error_messages? ?
-                add_general_credentials_error :
-                errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid"))
-              return
-            end
-          end
-
-          attr_accessor :invalid_password
-
-          def find_by_login_method
-            self.class.find_by_login_method
-          end
-
-          def login_field
-            self.class.login_field
-          end
-
-          def add_general_credentials_error
-            error_message =
-            if self.class.generalize_credentials_error_messages.is_a? String
-              self.class.generalize_credentials_error_messages
-            else
-              "#{login_field.to_s.humanize}/Password combination is not valid"
-            end
-            errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
-          end
-
-          def generalize_credentials_error_messages?
-            self.class.generalize_credentials_error_messages
-          end
-
-          def password_field
-            self.class.password_field
-          end
-
-          def verify_password_method
-            self.class.verify_password_method
-          end
-
-          # In Rails 5 the ActionController::Parameters no longer inherits from HashWithIndifferentAccess.
-          # See: http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#actioncontroller-parameters-no-longer-inherits-from-hashwithindifferentaccess
-          # This method converts the ActionController::Parameters to a Hash
-          def parse_param_val(value)
-            if value.first.class.name == "ActionController::Parameters"
-              ActiveSupport::Deprecation.warn(E_AC_PARAMETERS)
-              [value.first.to_h]
-            else
-              value.is_a?(Array) ? value : [value]
-            end
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/perishable_token.rb

@@ -1,23 +0,0 @@
-module Authlogic
-  module Session
-    # Maintains the perishable token, which is helpful for confirming records or
-    # authorizing records to reset their password. All that this module does is
-    # reset it after a session have been saved, just keep it changing. The more
-    # it changes, the tighter the security.
-    #
-    # See Authlogic::ActsAsAuthentic::PerishableToken for more information.
-    module PerishableToken
-      def self.included(klass)
-        klass.after_save :reset_perishable_token!
-      end
-
-      private
-
-        def reset_perishable_token!
-          if record.respond_to?(:reset_perishable_token) && !record.disable_perishable_token_maintenance?
-            record.reset_perishable_token
-          end
-        end
-    end
-  end
-end

data/lib/authlogic/session/persistence.rb

@@ -1,71 +0,0 @@
-module Authlogic
-  module Session
-    # Responsible for allowing you to persist your sessions.
-    module Persistence
-      def self.included(klass)
-        klass.class_eval do
-          extend ClassMethods
-          include InstanceMethods
-        end
-      end
-
-      module ClassMethods
-        # This is how you persist a session. This finds the record for the current session using
-        # a variety of methods. It basically tries to "log in" the user without the user having
-        # to explicitly log in. Check out the other Authlogic::Session modules for more information.
-        #
-        # The best way to use this method is something like:
-        #
-        #   helper_method :current_user_session, :current_user
-        #
-        #   def current_user_session
-        #     return @current_user_session if defined?(@current_user_session)
-        #     @current_user_session = UserSession.find
-        #   end
-        #
-        #   def current_user
-        #     return @current_user if defined?(@current_user)
-        #     @current_user = current_user_session && current_user_session.user
-        #   end
-        #
-        # Also, this method accepts a single parameter as the id, to find session that you marked with an id:
-        #
-        #   UserSession.find(:secure)
-        #
-        # See the id method for more information on ids.
-        def find(id = nil, priority_record = nil)
-          session = new({ :priority_record => priority_record }, id)
-          session.priority_record = priority_record
-          if session.persisting?
-            session
-          else
-            nil
-          end
-        end
-      end
-
-      module InstanceMethods
-        # Let's you know if the session is being persisted or not, meaning the user does not have to explicitly log in
-        # in order to be logged in. If the session has no associated record, it will try to find a record and persist
-        # the session. This is the method that the class level method find uses to ultimately persist the session.
-        def persisting?
-          return true if !record.nil?
-          self.attempted_record = nil
-          self.remember_me = !cookie_credentials.nil? && !cookie_credentials[2].nil?
-          before_persisting
-          persist
-          ensure_authentication_attempted
-          if errors.empty? && !attempted_record.nil?
-            self.record = attempted_record
-            after_persisting
-            save_record
-            self.new_session = false
-            true
-          else
-            false
-          end
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/priority_record.rb

@@ -1,35 +0,0 @@
-module Authlogic
-  module Session
-    # The point of this module is to avoid the StaleObjectError raised when lock_version is implemented in ActiveRecord.
-    # We accomplish this by using a "priority record". Meaning this record is used if possible, it gets priority.
-    # This way we don't save a record behind the scenes thus making an object being used stale.
-    module PriorityRecord
-      def self.included(klass)
-        klass.class_eval do
-          attr_accessor :priority_record
-        end
-      end
-
-      # Setting priority record if it is passed. The only way it can be passed is through an array:
-      #
-      #   session.credentials = [real_user_object, priority_user_object]
-      def credentials=(value)
-        super
-        values = value.is_a?(Array) ? value : [value]
-        self.priority_record = values[1] if values[1].class < ::ActiveRecord::Base
-      end
-
-      private
-
-        def attempted_record=(value)
-          value = priority_record if value == priority_record
-          super
-        end
-
-        def save_record(alternate_record = nil)
-          r = alternate_record || record
-          super if r != priority_record
-        end
-    end
-  end
-end

data/lib/authlogic/session/scopes.rb

@@ -1,119 +0,0 @@
-require 'request_store'
-
-module Authlogic
-  module Session
-    # Authentication can be scoped, and it's easy, you just need to define how you want to
-    # scope everything. This should help you:
-    #
-    # 1. Want to scope by a parent object? Ex: An account has many users.
-    #    Checkout Authlogic::AuthenticatesMany
-    # 2. Want to scope the validations in your model? Ex: 2 users can have the same login
-    #    under different accounts. See Authlogic::ActsAsAuthentic::Scope
-    module Scopes # :nodoc:
-      def self.included(klass)
-        klass.class_eval do
-          extend ClassMethods
-          include InstanceMethods
-          attr_writer :scope
-        end
-      end
-
-      # = Scopes
-      module ClassMethods
-        # The current scope set, should be used in the block passed to with_scope.
-        def scope
-          RequestStore.store[:authlogic_scope]
-        end
-
-        # What with_scopes focuses on is scoping the query when finding the object and the
-        # name of the cookie / session. It works very similar to
-        # ActiveRecord::Base#with_scopes. It accepts a hash with any of the following
-        # options:
-        #
-        # * <tt>find_options:</tt> any options you can pass into ActiveRecord::Base.find.
-        #   This is used when trying to find the record.
-        # * <tt>id:</tt> The id of the session, this gets merged with the real id. For
-        #   information ids see the id method.
-        #
-        # Here is how you use it:
-        #
-        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
-        #     UserSession.find
-        #   end
-        #
-        # Essentially what the above does is scope the searching of the object with the
-        # sql you provided. So instead of:
-        #
-        #   User.where("login = 'ben'").first
-        #
-        # it would be:
-        #
-        #   User.where("login = 'ben' and account_id = 2").first
-        #
-        # You will also notice the :id option. This works just like the id method. It
-        # scopes your cookies. So the name of your cookie will be:
-        #
-        #   account_2_user_credentials
-        #
-        # instead of:
-        #
-        #   user_credentials
-        #
-        # What is also nifty about scoping with an :id is that it merges your id's. So if you do:
-        #
-        #   UserSession.with_scope(:find_options => {:conditions => "account_id = 2"}, :id => "account_2") do
-        #     session = UserSession.new
-        #     session.id = :secure
-        #   end
-        #
-        # The name of your cookies will be:
-        #
-        #   secure_account_2_user_credentials
-        def with_scope(options = {}, &block)
-          raise ArgumentError.new("You must provide a block") unless block_given?
-          self.scope = options
-          result = yield
-          self.scope = nil
-          result
-        end
-
-        private
-
-          def scope=(value)
-            RequestStore.store[:authlogic_scope] = value
-          end
-      end
-
-      module InstanceMethods
-        # Setting the scope if it exists upon instantiation.
-        def initialize(*args)
-          self.scope = self.class.scope
-          super
-        end
-
-        # The scope of the current object
-        def scope
-          @scope ||= {}
-        end
-
-        private
-
-          # Used for things like cookie_key, session_key, etc.
-          def build_key(last_part)
-            [scope[:id], super].compact.join("_")
-          end
-
-          def search_for_record(*args)
-            session_scope = if scope[:find_options].is_a?(ActiveRecord::Relation)
-              scope[:find_options]
-            else
-              klass.send(:where, scope[:find_options] && scope[:find_options][:conditions] || {})
-            end
-            session_scope.scoping do
-              klass.send(*args)
-            end
-          end
-      end
-    end
-  end
-end

data/lib/authlogic/session/session.rb

@@ -1,67 +0,0 @@
-module Authlogic
-  module Session
-    # Handles all parts of authentication that deal with sessions. Such as persisting a session and saving / destroy a session.
-    module Session
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          persist :persist_by_session
-          after_save :update_session
-          after_destroy :update_session
-          after_persisting :update_session, :unless => :single_access?
-        end
-      end
-
-      # Configuration for the session feature.
-      module Config
-        # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
-        #
-        # * <tt>Default:</tt> cookie_key
-        # * <tt>Accepts:</tt> Symbol or String
-        def session_key(value = nil)
-          rw_config(:session_key, value, cookie_key)
-        end
-        alias_method :session_key=, :session_key
-      end
-
-      # Instance methods for the session feature.
-      module InstanceMethods
-        private
-
-          # Tries to validate the session from information in the session
-          def persist_by_session
-            persistence_token, record_id = session_credentials
-            if !persistence_token.nil?
-              # Allow finding by persistence token, because when records are created the
-              # session is maintained in a before_save, when there is no id. This is done
-              # for performance reasons and to save on queries.
-              record = record_id.nil? ?
-                search_for_record("find_by_persistence_token", persistence_token.to_s) :
-                search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
-              valid?
-            else
-              false
-            end
-          end
-
-          def session_credentials
-            [
-              controller.session[session_key],
-              controller.session["#{session_key}_#{klass.primary_key}"]
-            ].collect { |i| i.nil? ? i : i.to_s }.compact
-          end
-
-          def session_key
-            build_key(self.class.session_key)
-          end
-
-          def update_session
-            controller.session[session_key] = record && record.persistence_token
-            controller.session["#{session_key}_#{klass.primary_key}"] = record && record.send(record.class.primary_key)
-          end
-      end
-    end
-  end
-end