authlogic 3.8.0 → 6.0.0

data/lib/authlogic/acts_as_authentic/perishable_token.rb

@@ -1,13 +1,17 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
-    # This provides a handy token that is "perishable". Meaning the token is
-    # only good for a certain amount of time. This is perfect for resetting
-    # password, confirming accounts, etc. Typically during these actions you
-    # send them this token in via their email. Once they use the token and do
-    # what they need to do, that token should expire. Don't worry about
-    # maintaining this, changing it, or expiring it yourself. Authlogic does all
-    # of this for you. See the sub modules for all of the tools Authlogic
-    # provides to you.
+    # This provides a handy token that is "perishable", meaning the token is
+    # only good for a certain amount of time.
+    #
+    # This is useful for resetting password, confirming accounts, etc. Typically
+    # during these actions you send them this token in an email. Once they use
+    # the token and do what they need to do, that token should expire.
+    #
+    # Don't worry about maintaining the token, changing it, or expiring it
+    # yourself. Authlogic does all of this for you. See the sub modules for all
+    # of the tools Authlogic provides to you.
     module PerishableToken
       def self.included(klass)
         klass.class_eval do
@@ -16,7 +20,7 @@ module Authlogic
         end
       end
 
-      # Change how the perishable token works.
+      # Configure the perishable token.
       module Config
         # When using the find_using_perishable_token method the token can
         # expire. If the token is expired, no record will be returned. Use this
@@ -25,38 +29,42 @@ module Authlogic
         # * <tt>Default:</tt> 10.minutes
         # * <tt>Accepts:</tt> Fixnum
         def perishable_token_valid_for(value = nil)
-          rw_config(:perishable_token_valid_for, (!value.nil? && value.to_i) || value, 10.minutes.to_i)
+          rw_config(
+            :perishable_token_valid_for,
+            (!value.nil? && value.to_i) || value,
+            10.minutes.to_i
+          )
         end
-        alias_method :perishable_token_valid_for=, :perishable_token_valid_for
+        alias perishable_token_valid_for= perishable_token_valid_for
 
         # Authlogic tries to expire and change the perishable token as much as
-        # possible, without compromising it's purpose. This is for security
-        # reasons. If you want to manage it yourself, you can stop Authlogic
-        # from getting your in way by setting this to true.
+        # possible, without compromising its purpose. If you want to manage it
+        # yourself, set this to true.
         #
         # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
         def disable_perishable_token_maintenance(value = nil)
           rw_config(:disable_perishable_token_maintenance, value, false)
         end
-        alias_method :disable_perishable_token_maintenance=, :disable_perishable_token_maintenance
+        alias disable_perishable_token_maintenance= disable_perishable_token_maintenance
       end
 
       # All methods relating to the perishable token.
       module Methods
         def self.included(klass)
-          return if !klass.column_names.include?("perishable_token")
+          return unless klass.column_names.include?("perishable_token")
 
           klass.class_eval do
             extend ClassMethods
             include InstanceMethods
 
-            validates_uniqueness_of :perishable_token, :if => :perishable_token_changed?
-            before_save :reset_perishable_token, :unless => :disable_perishable_token_maintenance?
+            validates_uniqueness_of :perishable_token, case_sensitive: true,
+                                                       if: :will_save_change_to_perishable_token?
+            before_save :reset_perishable_token, unless: :disable_perishable_token_maintenance?
           end
         end
 
-        # Class level methods for the perishable token
+        # :nodoc:
         module ClassMethods
           # Use this method to find a record with a perishable token. This
           # method does 2 things for you:
@@ -68,7 +76,7 @@ module Authlogic
           # second parameter:
           #
           #   User.find_using_perishable_token(token, 1.hour)
-          def find_using_perishable_token(token, age = self.perishable_token_valid_for)
+          def find_using_perishable_token(token, age = perishable_token_valid_for)
             return if token.blank?
             age = age.to_i
 
@@ -89,7 +97,7 @@ module Authlogic
           end
         end
 
-        # Instance level methods for the perishable token.
+        # :nodoc:
         module InstanceMethods
           # Resets the perishable token to a random friendly token.
           def reset_perishable_token
@@ -99,7 +107,7 @@ module Authlogic
           # Same as reset_perishable_token, but then saves the record afterwards.
           def reset_perishable_token!
             reset_perishable_token
-            save_without_session_maintenance(:validate => false)
+            save_without_session_maintenance(validate: false)
           end
 
           # A convenience method based on the

data/lib/authlogic/acts_as_authentic/persistence_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # Maintains the persistence token, the token responsible for persisting sessions. This token
@@ -16,34 +18,33 @@ module Authlogic
             extend ClassMethods
             include InstanceMethods
 
+            # If the table does not have a password column, then
+            # `after_password_set` etc. will not be defined. See
+            # `Authlogic::ActsAsAuthentic::Password::Callbacks.included`
             if respond_to?(:after_password_set) && respond_to?(:after_password_verification)
               after_password_set :reset_persistence_token
-              after_password_verification :reset_persistence_token!, :if => :reset_persistence_token?
+              after_password_verification :reset_persistence_token!, if: :reset_persistence_token?
             end
 
             validates_presence_of :persistence_token
-            validates_uniqueness_of :persistence_token, :if => :persistence_token_changed?
+            validates_uniqueness_of :persistence_token, case_sensitive: true,
+                                                        if: :will_save_change_to_persistence_token?
 
-            before_validation :reset_persistence_token, :if => :reset_persistence_token?
+            before_validation :reset_persistence_token, if: :reset_persistence_token?
           end
         end
 
-        # Class level methods for the persistence token.
+        # :nodoc:
         module ClassMethods
-          # Resets ALL persistence tokens in the database, which will require all users to reauthenticate.
+          # Resets ALL persistence tokens in the database, which will require
+          # all users to re-authenticate.
           def forget_all
             # Paginate these to save on memory
-            records = nil
-            i = 0
-            begin
-              records = limit(50).offset(i)
-              records.each { |record| record.forget! }
-              i += 50
-            end while !records.blank?
+            find_each(batch_size: 50, &:forget!)
           end
         end
 
-        # Instance level methods for the persistence token.
+        # :nodoc:
         module InstanceMethods
           # Resets the persistence_token field to a random hex value.
           def reset_persistence_token
@@ -53,15 +54,15 @@ module Authlogic
           # Same as reset_persistence_token, but then saves the record.
           def reset_persistence_token!
             reset_persistence_token
-            save_without_session_maintenance(:validate => false)
+            save_without_session_maintenance(validate: false)
           end
-          alias_method :forget!, :reset_persistence_token!
+          alias forget! reset_persistence_token!
 
           private
 
-            def reset_persistence_token?
-              persistence_token.blank?
-            end
+          def reset_persistence_token?
+            persistence_token.blank?
+          end
         end
       end
     end

data/lib/authlogic/acts_as_authentic/queries/case_sensitivity.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    module Queries
+      # @api private
+      class CaseSensitivity
+        E_UNABLE_TO_DETERMINE_SENSITIVITY = <<~EOS
+          Authlogic was unable to determine what case-sensitivity to use when
+          searching for email/login. To specify a sensitivity, validate the
+          uniqueness of the email/login and use the `case_sensitive` option,
+          like this:
+
+              validates :email, uniqueness: { case_sensitive: false }
+
+          Authlogic will now perform a case-insensitive query.
+        EOS
+
+        # @api private
+        def initialize(model_class, attribute)
+          @model_class = model_class
+          @attribute = attribute.to_sym
+        end
+
+        # @api private
+        def sensitive?
+          sensitive = uniqueness_validator_options[:case_sensitive]
+          if sensitive.nil?
+            ::Kernel.warn(E_UNABLE_TO_DETERMINE_SENSITIVITY)
+            false
+          else
+            sensitive
+          end
+        end
+
+        private
+
+        # @api private
+        def uniqueness_validator
+          @model_class.validators.select { |v|
+            v.is_a?(::ActiveRecord::Validations::UniquenessValidator) &&
+              v.attributes == [@attribute]
+          }.first
+        end
+
+        # @api private
+        def uniqueness_validator_options
+          uniqueness_validator&.options || {}
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/queries/find_with_case.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    module Queries
+      # The query used by public-API method `find_by_smart_case_login_field`.
+      #
+      # We use the rails methods `case_insensitive_comparison` and
+      # `case_sensitive_comparison`. These methods nicely take into account
+      # MySQL collations. (Consider the case where a user *says* they want a
+      # case-sensitive uniqueness validation, but then they configure their
+      # database to have an insensitive collation. Rails will handle this for
+      # us, by downcasing, see
+      # `active_record/connection_adapters/abstract_mysql_adapter.rb`) So that's
+      # great! But, these methods are not part of rails' public API, so there
+      # are no docs. So, everything we know about how to use the methods
+      # correctly comes from mimicing what we find in
+      # `active_record/validations/uniqueness.rb`.
+      #
+      # @api private
+      class FindWithCase
+        # Dup ActiveRecord.gem_version before freezing, in case someone
+        # else wants to modify it. Freezing modifies an object in place.
+        # https://github.com/binarylogic/authlogic/pull/590
+        AR_GEM_VERSION = ::ActiveRecord.gem_version.dup.freeze
+
+        # @api private
+        def initialize(model_class, field, value, sensitive)
+          @model_class = model_class
+          @field = field.to_s
+          @value = value
+          @sensitive = sensitive
+        end
+
+        # @api private
+        def execute
+          @model_class.where(comparison).first
+        end
+
+        private
+
+        # @api private
+        # @return Arel::Nodes::Equality
+        def comparison
+          @sensitive ? sensitive_comparison : insensitive_comparison
+        end
+
+        # @api private
+        def insensitive_comparison
+          if AR_GEM_VERSION > Gem::Version.new("5.3")
+            @model_class.connection.case_insensitive_comparison(
+              @model_class.arel_table[@field], @value
+            )
+          else
+            @model_class.connection.case_insensitive_comparison(
+              @model_class.arel_table,
+              @field,
+              @model_class.columns_hash[@field],
+              @value
+            )
+          end
+        end
+
+        # @api private
+        def sensitive_comparison
+          bound_value = @model_class.predicate_builder.build_bind_attribute(@field, @value)
+          if AR_GEM_VERSION > Gem::Version.new("5.3")
+            @model_class.connection.case_sensitive_comparison(
+              @model_class.arel_table[@field], bound_value
+            )
+          else
+            @model_class.connection.case_sensitive_comparison(
+              @model_class.arel_table,
+              @field,
+              @model_class.columns_hash[@field],
+              bound_value
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This is one of my favorite features that I think is pretty cool. It's
@@ -29,18 +31,28 @@ module Authlogic
         end
       end
 
+      # Configuration for the session maintenance aspect of acts_as_authentic.
+      # These methods become class methods of ::ActiveRecord::Base.
       module Config
-        # This is more of a convenience method. In order to turn off automatic
-        # maintenance of sessions just set this to false, or you can also set
-        # the session_ids method to a blank array. Both accomplish the same
-        # thing. This method is a little clearer in it's intentions though.
+        # In order to turn off automatic maintenance of sessions
+        # after create, just set this to false.
         #
         # * <tt>Default:</tt> true
         # * <tt>Accepts:</tt> Boolean
-        def maintain_sessions(value = nil)
-          rw_config(:maintain_sessions, value, true)
+        def log_in_after_create(value = nil)
+          rw_config(:log_in_after_create, value, true)
         end
-        alias_method :maintain_sessions=, :maintain_sessions
+        alias log_in_after_create= log_in_after_create
+
+        # In order to turn off automatic maintenance of sessions when updating
+        # the password, just set this to false.
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def log_in_after_password_change(value = nil)
+          rw_config(:log_in_after_password_change, value, true)
+        end
+        alias log_in_after_password_change= log_in_after_password_change
 
         # As you may know, authlogic sessions can be separate by id (See
         # Authlogic::Session::Base#id). You can specify here what session ids
@@ -52,7 +64,7 @@ module Authlogic
         def session_ids(value = nil)
           rw_config(:session_ids, value, [nil])
         end
-        alias_method :session_ids=, :session_ids
+        alias session_ids= session_ids
 
         # The name of the associated session class. This is inferred by the name
         # of the model.
@@ -60,17 +72,23 @@ module Authlogic
         # * <tt>Default:</tt> "#{klass.name}Session".constantize
         # * <tt>Accepts:</tt> Class
         def session_class(value = nil)
-          const = "#{base_class.name}Session".constantize rescue nil
+          const = begin
+                    "#{base_class.name}Session".constantize
+                  rescue NameError
+                    nil
+                  end
           rw_config(:session_class, value, const)
         end
-        alias_method :session_class=, :session_class
+        alias session_class= session_class
       end
 
+      # This module, as one of the `acts_as_authentic_modules`, is only included
+      # into an ActiveRecord model if that model calls `acts_as_authentic`.
       module Methods
         def self.included(klass)
           klass.class_eval do
-            before_save :get_session_information, :if => :update_sessions?
-            before_save :maintain_sessions, :if => :update_sessions?
+            before_save :get_session_information, if: :update_sessions?
+            before_save :maintain_sessions, if: :update_sessions?
           end
         end
 
@@ -84,70 +102,84 @@ module Authlogic
 
         private
 
-          def skip_session_maintenance=(value)
-            @skip_session_maintenance = value
-          end
+        def skip_session_maintenance=(value)
+          @skip_session_maintenance = value
+        end
 
-          def skip_session_maintenance
-            @skip_session_maintenance ||= false
-          end
+        def skip_session_maintenance
+          @skip_session_maintenance ||= false
+        end
 
-          def update_sessions?
-            !skip_session_maintenance &&
-              session_class &&
-              session_class.activated? &&
-              self.class.maintain_sessions == true &&
-              !session_ids.blank? &&
-              persistence_token_changed?
-          end
+        def update_sessions?
+          !skip_session_maintenance &&
+            session_class &&
+            session_class.activated? &&
+            maintain_session? &&
+            !session_ids.blank? &&
+            will_save_change_to_persistence_token?
+        end
+
+        def maintain_session?
+          log_in_after_create? || log_in_after_password_change?
+        end
 
-          def get_session_information
-            # Need to determine if we are completely logged out, or logged in as
-            # another user.
-            @_sessions = []
+        def get_session_information
+          # Need to determine if we are completely logged out, or logged in as
+          # another user.
+          @_sessions = []
 
-            session_ids.each do |session_id|
-              session = session_class.find(session_id, self)
-              @_sessions << session if session && session.record
-            end
+          session_ids.each do |session_id|
+            session = session_class.find(session_id, self)
+            @_sessions << session if session&.record
           end
+        end
 
-          def maintain_sessions
-            if @_sessions.empty?
-              create_session
-            else
-              update_sessions
-            end
+        def maintain_sessions
+          if @_sessions.empty?
+            create_session
+          else
+            update_sessions
           end
+        end
 
-          def create_session
-            # We only want to automatically login into the first session, since
-            # this is the main session. The other sessions are sessions that
-            # need to be created after logging into the main session.
-            session_id = session_ids.first
-            session_class.create(*[self, self, session_id].compact)
+        def create_session
+          # We only want to automatically login into the first session, since
+          # this is the main session. The other sessions are sessions that
+          # need to be created after logging into the main session.
+          session_id = session_ids.first
+          session_class.create(*[self, self, session_id].compact)
+
+          true
+        end
 
-            return true
+        def update_sessions
+          # We found sessions above, let's update them with the new info
+          @_sessions.each do |stale_session|
+            next if stale_session.record != self
+            stale_session.unauthorized_record = self
+            stale_session.save
           end
 
-          def update_sessions
-            # We found sessions above, let's update them with the new info
-            @_sessions.each do |stale_session|
-              next if stale_session.record != self
-              stale_session.unauthorized_record = self
-              stale_session.save
-            end
+          true
+        end
 
-            return true
-          end
+        def session_ids
+          self.class.session_ids
+        end
 
-          def session_ids
-            self.class.session_ids
-          end
+        def session_class
+          self.class.session_class
+        end
 
-          def session_class
-            self.class.session_class
-          end
+        def log_in_after_create?
+          new_record? && self.class.log_in_after_create
+        end
+
+        def log_in_after_password_change?
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
+        end
       end
     end
   end

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
-    # This module is responsible for maintaining the single_access token. For more
-    # information the single access token and how to use it, see the
-    # Authlogic::Session::Params module.
+    # This module is responsible for maintaining the single_access token. For
+    # more information the single access token and how to use it, see "Params"
+    # in `Session::Base`.
     module SingleAccessToken
       def self.included(klass)
         klass.class_eval do
@@ -12,6 +14,8 @@ module Authlogic
       end
 
       # All configuration for the single_access token aspect of acts_as_authentic.
+      #
+      # These methods become class methods of ::ActiveRecord::Base.
       module Config
         # The single access token is used for authentication via URLs, such as a private
         # feed. That being said, if the user changes their password, that token probably
@@ -23,24 +27,34 @@ module Authlogic
         def change_single_access_token_with_password(value = nil)
           rw_config(:change_single_access_token_with_password, value, false)
         end
-        alias_method :change_single_access_token_with_password=, :change_single_access_token_with_password
+        alias change_single_access_token_with_password= change_single_access_token_with_password
       end
 
       # All method, for the single_access token aspect of acts_as_authentic.
+      #
+      # This module, as one of the `acts_as_authentic_modules`, is only included
+      # into an ActiveRecord model if that model calls `acts_as_authentic`.
       module Methods
         def self.included(klass)
-          return if !klass.column_names.include?("single_access_token")
+          return unless klass.column_names.include?("single_access_token")
 
           klass.class_eval do
             include InstanceMethods
-            validates_uniqueness_of :single_access_token, :if => :single_access_token_changed?
-            before_validation :reset_single_access_token, :if => :reset_single_access_token?
+            validates_uniqueness_of :single_access_token,
+              case_sensitive: true,
+              if: :will_save_change_to_single_access_token?
+
+            before_validation :reset_single_access_token, if: :reset_single_access_token?
             if respond_to?(:after_password_set)
-              after_password_set(:reset_single_access_token, :if => :change_single_access_token_with_password?)
+              after_password_set(
+                :reset_single_access_token,
+                if: :change_single_access_token_with_password?
+              )
             end
           end
         end
 
+        # :nodoc:
         module InstanceMethods
           # Resets the single_access_token to a random friendly token.
           def reset_single_access_token
@@ -55,13 +69,13 @@ module Authlogic
 
           protected
 
-            def reset_single_access_token?
-              single_access_token.blank?
-            end
+          def reset_single_access_token?
+            single_access_token.blank?
+          end
 
-            def change_single_access_token_with_password?
-              self.class.change_single_access_token_with_password == true
-            end
+          def change_single_access_token_with_password?
+            self.class.change_single_access_token_with_password == true
+          end
         end
       end
     end

data/lib/authlogic/config.rb

@@ -1,8 +1,21 @@
-# encoding: utf-8
+# frozen_string_literal: true
+
 module Authlogic
+  # Mixed into `Authlogic::ActsAsAuthentic::Base` and
+  # `Authlogic::Session::Base`.
   module Config
+    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS
+      This Authlogic configuration option (%s) is deprecated. Use normal
+      ActiveRecord validation instead. Detailed instructions:
+      https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
+    EOS
+
     def self.extended(klass)
       klass.class_eval do
+        # TODO: Is this a confusing name, given this module is mixed into
+        # both `Authlogic::ActsAsAuthentic::Base` and
+        # `Authlogic::Session::Base`? Perhaps a more generic name, like
+        # `authlogic_config` would be better?
         class_attribute :acts_as_authentic_config
         self.acts_as_authentic_config ||= {}
       end
@@ -10,15 +23,21 @@ module Authlogic
 
     private
 
-      # This is a one-liner method to write a config setting, read the config
-      # setting, and also set a default value for the setting.
-      def rw_config(key, value, default_value = nil)
-        if value.nil?
-          acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
-        else
-          self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
-          value
-        end
+    def deprecate_authlogic_config(method_name)
+      ::ActiveSupport::Deprecation.warn(
+        format(E_USE_NORMAL_RAILS_VALIDATION, method_name)
+      )
+    end
+
+    # This is a one-liner method to write a config setting, read the config
+    # setting, and also set a default value for the setting.
+    def rw_config(key, value, default_value = nil)
+      if value.nil?
+        acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
+      else
+        self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
+        value
       end
+    end
   end
 end