authlogic 3.8.0 → 6.0.0

data/lib/authlogic/crypto_providers/sha256.rb

@@ -1,22 +1,27 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
-  # Just create a class with a class level encrypt and matches? method. See example below.
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
   #
   # === Example
   #
   #   class MyAwesomeEncryptionMethod
   #     def self.encrypt(*tokens)
-  #       # the tokens passed will be an array of objects, what type of object is irrelevant,
-  #       # just do what you need to do with them and return a single encrypted string.
-  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
   #     end
   #
   #     def self.matches?(crypted, *tokens)
-  #       # return true if the crypted string matches the tokens.
-  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
-  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
   #     end
   #   end
   module CryptoProviders
@@ -24,6 +29,9 @@ module Authlogic
     #
     # Uses the Sha256 hash algorithm to encrypt passwords.
     class Sha256
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha256", "v2")
+
       class << self
         attr_accessor :join_token
 
@@ -40,7 +48,8 @@ module Authlogic
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  module CryptoProviders
+    class Sha512
+      # SHA-512 does not have any practical known attacks against it. However,
+      # there are better choices. We recommend transitioning to a more secure,
+      # adaptive hashing algorithm, like scrypt.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha512 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times do
+              digest = Digest::SHA512.digest(digest)
+            end
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,37 +1,20 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you
-  # to use any type of encryption you like. Just create a class with a class
-  # level encrypt and matches? method. See example below.
-  #
-  # === Example
-  #
-  #   class MyAwesomeEncryptionMethod
-  #     def self.encrypt(*tokens)
-  #       # The tokens passed will be an array of objects, what type of object
-  #       # is irrelevant, just do what you need to do with them and return a
-  #       # single encrypted string. For example, you will most likely join all
-  #       # of the objects into a single string and then encrypt that string.
-  #     end
-  #
-  #     def self.matches?(crypted, *tokens)
-  #       # Return true if the crypted string matches the tokens. Depending on
-  #       # your algorithm you might decrypt the string then compare it to the
-  #       # token, or you might encrypt the tokens and make sure it matches the
-  #       # crypted string, its up to you.
-  #     end
-  #   end
   module CryptoProviders
-    # = Sha512
-    #
-    # Uses the Sha512 hash algorithm to encrypt passwords.
+    # SHA-512 does not have any practical known attacks against it. However,
+    # there are better choices. We recommend transitioning to a more secure,
+    # adaptive hashing algorithm, like scrypt.
     class Sha512
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha512", "v2")
+
       class << self
         attr_accessor :join_token
 
-        # The number of times to loop through the encryption. This is twenty
-        # because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 20
         end

data/lib/authlogic/crypto_providers.rb

@@ -1,11 +1,87 @@
+# frozen_string_literal: true
+
 module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # The tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. For example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string.
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # Return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
   module CryptoProviders
     autoload :MD5,    "authlogic/crypto_providers/md5"
     autoload :Sha1,   "authlogic/crypto_providers/sha1"
     autoload :Sha256, "authlogic/crypto_providers/sha256"
     autoload :Sha512, "authlogic/crypto_providers/sha512"
     autoload :BCrypt, "authlogic/crypto_providers/bcrypt"
-    autoload :AES256, "authlogic/crypto_providers/aes256"
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
+
+    # Guide users to choose a better crypto provider.
+    class Guidance
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::"
+      NONADAPTIVE_ALGORITHM = <<~EOS
+        You have selected %s as your authlogic crypto provider. This algorithm
+        does not have any practical known attacks against it. However, there are
+        better choices.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a more secure, adaptive hashing algorithm,
+        like scrypt. Adaptive algorithms are designed to slow down brute force
+        attacks, and over time the iteration count can be increased to make it
+        slower, so it remains resistant to brute-force search attacks even in
+        the face of increasing computation power.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+      VULNERABLE_ALGORITHM = <<~EOS
+        You have selected %s as your authlogic crypto provider. It is a poor
+        choice because there are known attacks against this algorithm.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a secure hashing algorithm. We recommend
+        an adaptive algorithm, like scrypt.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+
+      def initialize(provider)
+        @provider = provider
+      end
+
+      def impart_wisdom
+        return unless @provider.is_a?(Class)
+
+        # We can only impart wisdom about our own built-in providers.
+        absolute_name = @provider.name
+        return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)
+
+        # Inspect the string name of the provider, rather than using the
+        # constants in our `when` clauses. If we used the constants, we'd
+        # negate the benefits of the `autoload` above.
+        name = absolute_name.demodulize
+        case name
+        when "MD5", "Sha1"
+          warn(format(VULNERABLE_ALGORITHM, name))
+        when "Sha256", "Sha512"
+          warn(format(NONADAPTIVE_ALGORITHM, name))
+        end
+      end
+    end
   end
 end

data/lib/authlogic/errors.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |config|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -1,11 +1,14 @@
+# frozen_string_literal: true
+
 module Authlogic
   module I18n
+    # The default translator used by authlogic/i18n.rb
     class Translator
       # If the I18n gem is present, calls +I18n.translate+ passing all
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)
-          ::I18n.translate key, options
+          ::I18n.translate key, **options
         else
           options[:default]
         end

data/lib/authlogic/i18n.rb

@@ -1,42 +1,50 @@
+# frozen_string_literal: true
+
 require "authlogic/i18n/translator"
 
 module Authlogic
-  # This class allows any message in Authlogic to use internationalization. In earlier
-  # versions of Authlogic each message was translated via configuration. This cluttered up
-  # the configuration and cluttered up Authlogic. So all translation has been extracted
-  # out into this class. Now all messages pass through this class, making it much easier
-  # to implement in I18n library / plugin you want. Use this as a layer that sits between
-  # Authlogic and whatever I18n library you want to use.
+  # This class allows any message in Authlogic to use internationalization. In
+  # earlier versions of Authlogic each message was translated via configuration.
+  # This cluttered up the configuration and cluttered up Authlogic. So all
+  # translation has been extracted out into this class. Now all messages pass
+  # through this class, making it much easier to implement in I18n library /
+  # plugin you want. Use this as a layer that sits between Authlogic and
+  # whatever I18n library you want to use.
   #
-  # By default this uses the rails I18n library, if it exists. If it doesn't exist it just
-  # returns the default English message. The Authlogic I18n class works EXACTLY like the
-  # rails I18n class. This is because the arguments are delegated to this class.
+  # By default this uses the rails I18n library, if it exists. If it doesn't
+  # exist it just returns the default English message. The Authlogic I18n class
+  # works EXACTLY like the rails I18n class. This is because the arguments are
+  # delegated to this class.
   #
   # Here is how all messages are translated internally with Authlogic:
   #
   #   Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
   #
-  # If you use a different I18n library just replace the build-in I18n::Translator class
-  # with your own. For example:
+  # If you use a different I18n library just replace the build-in
+  # I18n::Translator class with your own. For example:
   #
   #   class MyAuthlogicI18nTranslator
   #     def translate(key, options = {})
-  #       # you will have key which will be something like: "error_messages.password_invalid"
-  #       # you will also have options[:default], which will be the default English version of the message
+  #       # you will have key which will be something like:
+  #       # "error_messages.password_invalid"
+  #       # you will also have options[:default], which will be the default
+  #       # English version of the message
   #       # do whatever you want here with the arguments passed to you.
   #     end
   #   end
   #
   #   Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
   #
-  # That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
+  # That it's! Here is a complete list of the keys that are passed. Just define
+  # these however you wish:
   #
   #   authlogic:
   #     error_messages:
   #       login_blank: can not be blank
   #       login_not_found: is not valid
   #       login_invalid: should use only letters, numbers, spaces, and .-_@+ please.
-  #       consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
+  #       consecutive_failed_logins_limit_exceeded: >
+  #         Consecutive failed logins limit exceeded, account is disabled.
   #       email_invalid: should look like an email address.
   #       email_invalid_international: should look like an international email address.
   #       password_blank: can not be blank
@@ -46,6 +54,7 @@ module Authlogic
   #       not_approved: Your account is not approved
   #       no_authentication_details: You did not provide any details for authentication.
   #       general_credentials_error: Login/Password combination is not valid
+  #       session_invalid: Your session is invalid and has the following errors:
   #     models:
   #       user_session: UserSession (or whatever name you are using)
   #     attributes:
@@ -79,13 +88,13 @@ module Authlogic
         @@translator = translator
       end
 
-      # All message translation is passed to this method. The first argument is the key
-      # for the message. The second is options, see the rails I18n library for a list of
-      # options used.
+      # All message translation is passed to this method. The first argument is
+      # the key for the message. The second is options, see the rails I18n
+      # library for a list of options used.
       def translate(key, options = {})
-        translator.translate key, { :scope => I18n.scope }.merge(options)
+        translator.translate key, { scope: I18n.scope }.merge(options)
       end
-      alias :t :translate
+      alias t translate
     end
   end
 end

data/lib/authlogic/random.rb

@@ -1,34 +1,18 @@
-module Authlogic
-  # Handles generating random strings. If SecureRandom is installed it will default to
-  # this and use it instead. SecureRandom comes with ActiveSupport. So if you are using
-  # this in a rails app you should have this library.
-  module Random
-    extend self
-
-    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) ||
-      (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
-
-    if SecureRandom
-      def hex_token
-        SecureRandom.hex(64)
-      end
+# frozen_string_literal: true
 
-      def friendly_token
-        # use base64url as defined by RFC4648
-        SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
-      end
-    else
-      def hex_token
-        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect { rand.to_s }.join)
-      end
+require "securerandom"
 
-      FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+module Authlogic
+  # Generates random strings using ruby's SecureRandom library.
+  module Random
+    def self.hex_token
+      SecureRandom.hex(64)
+    end
 
-      def friendly_token
-        newpass = ""
-        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size - 1)] }
-        newpass
-      end
+    # Returns a string in base64url format as defined by RFC-3548 and RFC-4648.
+    # We call this a "friendly" token because it is short and safe for URLs.
+    def self.friendly_token
+      SecureRandom.urlsafe_base64(15)
     end
   end
 end