authlogic 3.8.0 → 6.0.0

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -1,18 +1,24 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters # :nodoc:
-    # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter
-    # for an example of how to adapt Authlogic to work with your framework.
+    # Allows you to use Authlogic in any framework you want, not just rails. See
+    # the RailsAdapter for an example of how to adapt Authlogic to work with
+    # your framework.
     class AbstractAdapter
+      E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
+        "implemented by the controller adapter"
+
       attr_accessor :controller
 
       def initialize(controller)
         self.controller = controller
       end
 
-      def authenticate_with_http_basic(&block)
+      def authenticate_with_http_basic
         @auth = Rack::Auth::Basic::Request.new(controller.request.env)
-        if @auth.provided? and @auth.basic?
-          block.call(*@auth.credentials)
+        if @auth.provided? && @auth.basic?
+          yield(*@auth.credentials)
         else
           false
         end
@@ -23,7 +29,7 @@ module Authlogic
       end
 
       def cookie_domain
-        raise NotImplementedError.new("The cookie_domain method has not been implemented by the controller adapter")
+        raise NotImplementedError, E_COOKIE_DOMAIN_ADAPTER
       end
 
       def params
@@ -50,19 +56,43 @@ module Authlogic
         controller.send(:single_access_allowed?)
       end
 
-      def responds_to_last_request_update_allowed?
-        controller.respond_to?(:last_request_update_allowed?, true)
+      # You can disable the updating of `last_request_at`
+      # on a per-controller basis.
+      #
+      #   # in your controller
+      #   def last_request_update_allowed?
+      #     false
+      #   end
+      #
+      # For example, what if you had a javascript function that polled the
+      # server updating how much time is left in their session before it
+      # times out. Obviously you would want to ignore this request, because
+      # then the user would never time out. So you can do something like
+      # this in your controller:
+      #
+      #   def last_request_update_allowed?
+      #     action_name != "update_session_time_left"
+      #   end
+      #
+      # See `authlogic/session/magic_columns.rb` to learn more about the
+      # `last_request_at` column itself.
+      def last_request_update_allowed?
+        if controller.respond_to?(:last_request_update_allowed?, true)
+          controller.send(:last_request_update_allowed?)
+        else
+          true
+        end
       end
 
-      def last_request_update_allowed?
-        controller.send(:last_request_update_allowed?)
+      def respond_to_missing?(*args)
+        super(*args) || controller.respond_to?(*args)
       end
 
       private
 
-        def method_missing(id, *args, &block)
-          controller.send(id, *args, &block)
-        end
+      def method_missing(id, *args, &block)
+        controller.send(id, *args, &block)
+      end
     end
   end
 end

data/lib/authlogic/controller_adapters/rack_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters
     # Adapter for authlogic to make it function as a Rack middleware.
@@ -32,7 +34,7 @@ module Authlogic
     #       # Authlogic options go here
     #     end
     #
-    #     class User < ActiveRecord::Base
+    #     class User < ApplicationRecord
     #       acts_as_authentic
     #     end
     #
@@ -48,7 +50,7 @@ module Authlogic
           end
 
           def remote_ip
-            self.ip
+            ip
           end
         end
 
@@ -56,10 +58,14 @@ module Authlogic
         Authlogic::Session::Base.controller = self
       end
 
-      # Rack Requests stores cookies with not just the value, but also with flags and expire information in the hash.
-      # Authlogic does not like this, so we drop everything except the cookie value
+      # Rack Requests stores cookies with not just the value, but also with
+      # flags and expire information in the hash. Authlogic does not like this,
+      # so we drop everything except the cookie value.
       def cookies
-        controller.cookies.map { |key, value_hash| { key => value_hash[:value] } }.inject(:merge) || {}
+        controller
+          .cookies
+          .map { |key, value_hash| { key => value_hash[:value] } }
+          .inject(:merge) || {}
       end
     end
   end

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -1,4 +1,4 @@
-require 'action_controller'
+# frozen_string_literal: true
 
 module Authlogic
   module ControllerAdapters
@@ -7,19 +7,18 @@ module Authlogic
     # Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite,
     # etc.
     class RailsAdapter < AbstractAdapter
-      class AuthlogicLoadedTooLateError < StandardError; end
-
       def authenticate_with_http_basic(&block)
         controller.authenticate_with_http_basic(&block)
       end
 
+      # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
+      # http://guides.rubyonrails.org/action_controller_overview.html#cookies
       def cookies
         controller.send(:cookies)
       end
 
       def cookie_domain
-        @cookie_domain_key ||= Rails::VERSION::STRING >= '2.3' ? :domain : :session_domain
-        controller.request.session_options[@cookie_domain_key]
+        controller.request.session_options[:domain]
       end
 
       def request_content_type
@@ -30,36 +29,19 @@ module Authlogic
       # "activates" authlogic.
       module RailsImplementation
         def self.included(klass) # :nodoc:
-          if defined?(::ApplicationController)
-            raise AuthlogicLoadedTooLateError.new(
-              <<-EOS.strip_heredoc
-                Authlogic is trying to add a callback to ActionController::Base
-                but ApplicationController has already been loaded, so the
-                callback won't be copied into your application. Generally this
-                is due to another gem or plugin requiring your
-                ApplicationController prematurely, such as the
-                resource_controller plugin. Please require Authlogic first,
-                before these other gems / plugins.
-              EOS
-            )
-          end
-
-          # In Rails 4.0.2, the *_filter methods were renamed to *_action.
-          if klass.respond_to? :prepend_before_action
-            klass.prepend_before_action :activate_authlogic
-          else
-            klass.prepend_before_filter :activate_authlogic
-          end
+          klass.prepend_before_action :activate_authlogic
         end
 
         private
 
-          def activate_authlogic
-            Authlogic::Session::Base.controller = RailsAdapter.new(self)
-          end
+        def activate_authlogic
+          Authlogic::Session::Base.controller = RailsAdapter.new(self)
+        end
       end
     end
   end
 end
 
-ActionController::Base.send(:include, Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation)
+ActiveSupport.on_load(:action_controller) do
+  include Authlogic::ControllerAdapters::RailsAdapter::RailsImplementation
+end

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 # Authlogic bridge for Sinatra
 module Authlogic
   module ControllerAdapters
     module SinatraAdapter
+      # Cookie management functions
       class Cookies
         attr_reader :request, :response
 
@@ -23,6 +26,7 @@ module Authlogic
         end
       end
 
+      # Thin wrapper around request and response.
       class Controller
         attr_reader :request, :response, :cookies
 
@@ -32,7 +36,7 @@ module Authlogic
         end
 
         def session
-          env['rack.session']
+          env["rack.session"]
         end
 
         def method_missing(meth, *args, &block)
@@ -40,11 +44,13 @@ module Authlogic
         end
       end
 
+      # Sinatra controller adapter
       class Adapter < AbstractAdapter
         def cookie_domain
-          env['SERVER_NAME']
+          env["SERVER_NAME"]
         end
 
+        # Mixed into `Sinatra::Base`
         module Implementation
           def self.included(klass)
             klass.send :before do

data/lib/authlogic/cookie_credentials.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Represents the credentials *in* the cookie. The value of the cookie.
+  # This is primarily a data object. It doesn't interact with controllers.
+  # It doesn't know about eg. cookie expiration.
+  #
+  # @api private
+  class CookieCredentials
+    # @api private
+    class ParseError < RuntimeError
+    end
+
+    DELIMITER = "::"
+
+    attr_reader :persistence_token, :record_id, :remember_me_until
+
+    # @api private
+    # @param persistence_token [String]
+    # @param record_id [String, Numeric]
+    # @param remember_me_until [ActiveSupport::TimeWithZone]
+    def initialize(persistence_token, record_id, remember_me_until)
+      @persistence_token = persistence_token
+      @record_id = record_id
+      @remember_me_until = remember_me_until
+    end
+
+    class << self
+      # @api private
+      def parse(string)
+        parts = string.split(DELIMITER)
+        unless (1..3).cover?(parts.length)
+          raise ParseError, format("Expected 1..3 parts, got %d", parts.length)
+        end
+        new(parts[0], parts[1], parse_time(parts[2]))
+      end
+
+      private
+
+      # @api private
+      def parse_time(string)
+        return if string.nil?
+        ::Time.parse(string)
+      rescue ::ArgumentError => e
+        raise ParseError, format("Found cookie, cannot parse remember_me_until: #{e}")
+      end
+    end
+
+    # @api private
+    def remember_me?
+      !@remember_me_until.nil?
+    end
+
+    # @api private
+    def to_s
+      [
+        @persistence_token,
+        @record_id.to_s,
+        @remember_me_until&.iso8601
+      ].compact.join(DELIMITER)
+    end
+  end
+end

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bcrypt"
 
 module Authlogic
@@ -16,10 +18,18 @@ module Authlogic
     #   require "benchmark"
     #
     #   Benchmark.bm(18) do |x|
-    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
-    #     x.report("BCrypt (cost = 4:") { 100.times { BCrypt::Password.create("mypass", :cost => 4) } }
-    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
-    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
+    #     x.report("BCrypt (cost = 10:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 10) }
+    #     }
+    #     x.report("BCrypt (cost = 4:") {
+    #       100.times { BCrypt::Password.create("mypass", :cost => 4) }
+    #     }
+    #     x.report("Sha512:") {
+    #       100.times { Digest::SHA512.hexdigest("mypass") }
+    #     }
+    #     x.report("Sha1:") {
+    #       100.times { Digest::SHA1.hexdigest("mypass") }
+    #     }
     #   end
     #
     #                            user     system      total        real
@@ -56,17 +66,15 @@ module Authlogic
 
         def cost=(val)
           if val < ::BCrypt::Engine::MIN_COST
-            raise ArgumentError.new(
-              "Authlogic's bcrypt cost cannot be set below the engine's " \
+            raise ArgumentError, "Authlogic's bcrypt cost cannot be set below the engine's " \
                 "min cost (#{::BCrypt::Engine::MIN_COST})"
-            )
           end
           @cost = val
         end
 
         # Creates a BCrypt hash for the password passed.
         def encrypt(*tokens)
-          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+          ::BCrypt::Password.create(join_tokens(tokens), cost: cost)
         end
 
         # Does the hash match the tokens? Uses the same tokens that were used to
@@ -90,17 +98,15 @@ module Authlogic
 
         private
 
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
 
-          def new_from_hash(hash)
-            begin
-              ::BCrypt::Password.new(hash)
-            rescue ::BCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def new_from_hash(hash)
+          ::BCrypt::Password.new(hash)
+        rescue ::BCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    class MD5
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 1
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a MD5 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::MD5.digest(digest) }
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/md5.rb

@@ -1,13 +1,14 @@
+# frozen_string_literal: true
+
 require "digest/md5"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from md5 based systems.
-    # I highly discourage using this crypto provider as it superbly inferior
-    # to your other options.
-    #
-    # Please use any other provider offered by Authlogic.
+    # A poor choice. There are known attacks against this algorithm.
     class MD5
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "md5", "v2")
+
       class << self
         attr_accessor :join_token
 
@@ -24,7 +25,8 @@ module Authlogic
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "scrypt"
 
 module Authlogic
@@ -19,7 +21,13 @@ module Authlogic
     #   end
     class SCrypt
       class << self
-        DEFAULTS = { :key_len => 32, :salt_size => 8, :max_time => 0.2, :max_mem => 1024 * 1024, :max_memfrac => 0.5 }
+        DEFAULTS = {
+          key_len: 32,
+          salt_size: 8,
+          max_time: 0.2,
+          max_mem: 1024 * 1024,
+          max_memfrac: 0.5
+        }.freeze
 
         attr_writer :key_len, :salt_size, :max_time, :max_mem, :max_memfrac
         # Key length - length in bytes of generated key, from 16 to 512.
@@ -42,7 +50,8 @@ module Authlogic
           @max_mem ||= DEFAULTS[:max_mem]
         end
 
-        # Max memory fraction - maximum memory out of all available. Always greater than zero and <= 0.5.
+        # Max memory fraction - maximum memory out of all available. Always
+        # greater than zero and <= 0.5.
         def max_memfrac
           @max_memfrac ||= DEFAULTS[:max_memfrac]
         end
@@ -51,11 +60,11 @@ module Authlogic
         def encrypt(*tokens)
           ::SCrypt::Password.create(
             join_tokens(tokens),
-            :key_len => key_len,
-            :salt_size => salt_size,
-            :max_mem => max_mem,
-            :max_memfrac => max_memfrac,
-            :max_time => max_time
+            key_len: key_len,
+            salt_size: salt_size,
+            max_mem: max_mem,
+            max_memfrac: max_memfrac,
+            max_time: max_time
           )
         end
 
@@ -68,17 +77,15 @@ module Authlogic
 
         private
 
-          def join_tokens(tokens)
-            tokens.flatten.join
-          end
+        def join_tokens(tokens)
+          tokens.flatten.join
+        end
 
-          def new_from_hash(hash)
-            begin
-              ::SCrypt::Password.new(hash)
-            rescue ::SCrypt::Errors::InvalidHash
-              return nil
-            end
-          end
+        def new_from_hash(hash)
+          ::SCrypt::Password.new(hash)
+        rescue ::SCrypt::Errors::InvalidHash
+          nil
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    class Sha1
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          def join_token
+            @join_token ||= "--"
+          end
+          attr_writer :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 10
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha1 hash.
+          def encrypt(*tokens)
+            tokens = tokens.flatten
+            digest = tokens.shift
+            stretches.times do
+              digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
+            end
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -1,17 +1,21 @@
+# frozen_string_literal: true
+
 require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from restful_authentication. I highly discourage using this
-    # crypto provider as it is far inferior to your other options. Please use any other provider offered by Authlogic.
+    # A poor choice. There are known attacks against this algorithm.
     class Sha1
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha1", "v2")
+
       class << self
         def join_token
           @join_token ||= "--"
         end
         attr_writer :join_token
 
-        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 10
         end
@@ -21,11 +25,14 @@ module Authlogic
         def encrypt(*tokens)
           tokens = tokens.flatten
           digest = tokens.shift
-          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token)) }
+          stretches.times do
+            digest = Digest::SHA1.hexdigest([digest, *tokens].join(join_token))
+          end
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
+  module CryptoProviders
+    class Sha256
+      # = Sha256
+      #
+      # Uses the Sha256 hash algorithm to encrypt passwords.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha256 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::SHA256.digest(digest) }
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end