authlogic 4.0.1 → 4.1.0

data/lib/authlogic/regex.rb

@@ -1,28 +1,29 @@
 module Authlogic
-  # This is a module the contains regular expressions used throughout Authlogic. The point
-  # of extracting them out into their own module is to make them easily available to you
-  # for other uses. Ex:
+  # This is a module the contains regular expressions used throughout Authlogic.
+  # The point of extracting them out into their own module is to make them
+  # easily available to you for other uses. Ex:
   #
   #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
   module Regex
-    # A general email regular expression. It allows top level domains (TLD) to be from 2 -
-    # 24 in length. The decisions behind this regular expression were made by analyzing
-    # the list of top-level domains maintained by IANA and by reading this website:
-    # http://www.regular-expressions.info/email.html, which is an excellent resource for
-    # regular expressions.
-    def self.email
-      @email_regex ||= begin
-        email_name_regex  = '[A-Z0-9_\.&%\+\-\']+'
-        domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
-        domain_tld_regex  = '(?:[A-Z]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
-      end
-    end
+    # A general email regular expression. It allows top level domains (TLD) to
+    # be from 2 - 24 in length. The decisions behind this regular expression
+    # were made by analyzing the list of top-level domains maintained by IANA
+    # and by reading this website:
+    # http://www.regular-expressions.info/email.html, which is an excellent
+    # resource for regular expressions.
+    EMAIL = /
+      \A
+      [A-Z0-9_.&%+\-']+   # mailbox
+      @
+      (?:[A-Z0-9\-]+\.)+  # subdomains
+      (?:[A-Z]{2,25})     # TLD
+      \z
+    /ix
 
-    # A draft regular expression for internationalized email addresses. Given that the
-    # standard may be in flux, this simply emulates @email_regex but rather than allowing
-    # specific characters for each part, it instead disallows the complement set of
-    # characters:
+    # A draft regular expression for internationalized email addresses. Given
+    # that the standard may be in flux, this simply emulates @email_regex but
+    # rather than allowing specific characters for each part, it instead
+    # disallows the complement set of characters:
     #
     # - email_name_regex disallows: @[]^ !"#$()*,/:;<=>?`{|}~\ and control characters
     # - domain_head_regex disallows: _%+ and all characters in email_name_regex
@@ -33,19 +34,46 @@ module Authlogic
     # http://www.unicode.org/faq/idn.html
     # http://ruby-doc.org/core-2.1.5/Regexp.html#class-Regexp-label-Character+Classes
     # http://en.wikipedia.org/wiki/Unicode_character_property#General_Category
-    def self.email_nonascii
-      @email_nonascii_regex ||= begin
-        email_name_regex  = '[^[:cntrl:][@\[\]\^ \!\"#$\(\)*,/:;<=>\?`{|}~\\\]]+'
-        domain_head_regex = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\']]+\.)+'
-        domain_tld_regex  = '(?:[^[:cntrl:][@\[\]\^ \!\"#$&\(\)*,/:;<=>\?`{|}~\\\_\.%\+\-\'0-9]]{2,25})'
-        /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/
-      end
-    end
+    EMAIL_NONASCII = /
+      \A
+      [^[:cntrl:][@\[\]\^ \!"\#$\(\)*,\/:;<=>?`{|}~\\]]+                        # mailbox
+      @
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+']]+\.)+         # subdomains
+      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+\-'0-9]]{2,25})  # TLD
+      \z
+    /x
 
     # A simple regular expression that only allows for letters, numbers, spaces, and
     # .-_@+. Just a standard login / username regular expression.
+    LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
+
+    # Accessing the above constants using the following methods is deprecated.
+
+    # @deprecated
+    def self.email
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email is deprecated, use Authlogic::Regex::EMAIL",
+        caller(1)
+      )
+      EMAIL
+    end
+
+    # @deprecated
+    def self.email_nonascii
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.email_nonascii is deprecated, use Authlogic::Regex::EMAIL_NONASCII",
+        caller(1)
+      )
+      EMAIL_NONASCII
+    end
+
+    # @deprecated
     def self.login
-      /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
+      ::ActiveSupport::Deprecation.warn(
+        "Authlogic::Regex.login is deprecated, use Authlogic::Regex::LOGIN",
+        caller(1)
+      )
+      LOGIN
     end
   end
 end

data/lib/authlogic/session/activation.rb

@@ -1,4 +1,4 @@
-require 'request_store'
+require "request_store"
 
 module Authlogic
   module Session

data/lib/authlogic/session/brute_force_protection.rb

@@ -106,9 +106,9 @@ module Authlogic
             errors.add(
               :base,
               I18n.t(
-                'error_messages.consecutive_failed_logins_limit_exceeded',
+                "error_messages.consecutive_failed_logins_limit_exceeded",
                 default: "Consecutive failed logins limit exceeded, account has been" +
-                  (failed_login_ban_for == 0 ? "" : " temporarily") +
+                  (failed_login_ban_for.zero? ? "" : " temporarily") +
                   " disabled."
               )
             )

data/lib/authlogic/session/callbacks.rb

@@ -58,61 +58,68 @@ module Authlogic
     # allow Authlogic to extend properly with multiple extensions. Please ONLY use the
     # method above.
     module Callbacks
-      METHODS = [
-        "before_persisting",
-        "persist",
-        "after_persisting",
-        "before_validation",
-        "before_validation_on_create",
-        "before_validation_on_update",
-        "validate",
-        "after_validation_on_update",
-        "after_validation_on_create",
-        "after_validation",
-        "before_save",
-        "before_create",
-        "before_update",
-        "after_update",
-        "after_create",
-        "after_save",
-        "before_destroy",
-        "after_destroy"
+      METHODS = %w[
+        before_persisting
+        persist
+        after_persisting
+        before_validation
+        before_validation_on_create
+        before_validation_on_update
+        validate
+        after_validation_on_update
+        after_validation_on_create
+        after_validation
+        before_save
+        before_create
+        before_update
+        after_update
+        after_create
+        after_save
+        before_destroy
+        after_destroy
       ].freeze
 
       def self.included(base) #:nodoc:
         base.send :include, ActiveSupport::Callbacks
-        if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('5')
+
+        if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new("5")
           base.define_callbacks(
             *METHODS + [{ terminator: ->(_target, result_lambda) { result_lambda.call == false } }]
           )
           base.define_callbacks(
-            'persist',
+            "persist",
             terminator: ->(_target, result_lambda) { result_lambda.call == true }
           )
-        elsif Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new('4.1')
-          base.define_callbacks(*METHODS + [{ terminator: ->(_target, result) { result == false } }])
-          base.define_callbacks('persist', terminator: ->(_target, result) { result == true })
         else
-          base.define_callbacks(*METHODS + [{ terminator: 'result == false' }])
-          base.define_callbacks('persist', terminator: 'result == true')
+          base.define_callbacks(
+            *METHODS + [{ terminator: ->(_target, result) { result == false } }]
+          )
+          base.define_callbacks("persist", terminator: ->(_target, result) { result == true })
         end
 
-        # If Rails 3, support the new callback syntax
-        if base.singleton_class.method_defined?(:set_callback)
-          METHODS.each do |method|
-            base.class_eval <<-EOS, __FILE__, __LINE__
-              def self.#{method}(*methods, &block)
-                set_callback :#{method}, *methods, &block
-              end
-            EOS
-          end
+        # Now we define the "callback installation methods". These class methods
+        # will be used by other modules to install their callbacks. Examples:
+        #
+        # ```
+        # # Timeout.included
+        # before_persisting :reset_stale_state
+        #
+        # # Session::Password.included
+        # validate :validate_by_password, if: :authenticating_with_password?
+        # ```
+        METHODS.each do |method|
+          base.class_eval <<-EOS, __FILE__, __LINE__ + 1
+            def self.#{method}(*methods, &block)
+              set_callback :#{method}, *methods, &block
+            end
+          EOS
         end
       end
 
       private
 
         METHODS.each do |method|
-          class_eval <<-EOS, __FILE__, __LINE__
+          class_eval <<-EOS, __FILE__, __LINE__ + 1
             def #{method}
               run_callbacks(:#{method})
             end

data/lib/authlogic/session/cookies.rb

@@ -3,7 +3,7 @@ module Authlogic
     # Handles all authentication that deals with cookies, such as persisting,
     # saving, and destroying.
     module Cookies
-      VALID_SAME_SITE_VALUES = [nil, 'Lax', 'Strict'].freeze
+      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict"].freeze
 
       def self.included(klass)
         klass.class_eval do
@@ -244,7 +244,9 @@ module Authlogic
             persistence_token, record_id = cookie_credentials
             if persistence_token.present?
               record = search_for_record("find_by_#{klass.primary_key}", record_id)
-              self.unauthorized_record = record if record && record.persistence_token == persistence_token
+              if record && record.persistence_token == persistence_token
+                self.unauthorized_record = record
+              end
               valid?
             else
               false

data/lib/authlogic/session/existence.rb

@@ -6,7 +6,7 @@ module Authlogic
       class SessionInvalidError < ::StandardError # :nodoc:
         def initialize(session)
           message = I18n.t(
-            'error_messages.session_invalid',
+            "error_messages.session_invalid",
             default: "Your session is invalid and has the following errors:"
           )
           message += " #{session.errors.full_messages.to_sentence}"

data/lib/authlogic/session/foundation.rb

@@ -87,7 +87,11 @@ module Authlogic
         end
 
         def inspect
-          "#<#{self.class.name}: #{credentials.blank? ? "no credentials provided" : credentials.inspect}>"
+          format(
+            "#<%s: %s>",
+            self.class.name,
+            credentials.blank? ? "no credentials provided" : credentials.inspect
+          )
         end
 
         private

data/lib/authlogic/session/http_auth.rb

@@ -64,7 +64,7 @@ module Authlogic
         # * <tt>Default:</tt> 'Application'
         # * <tt>Accepts:</tt> String
         def http_basic_auth_realm(value = nil)
-          rw_config(:http_basic_auth_realm, value, 'Application')
+          rw_config(:http_basic_auth_realm, value, "Application")
         end
         alias_method :http_basic_auth_realm=, :http_basic_auth_realm
       end
@@ -78,7 +78,7 @@ module Authlogic
           end
 
           def persist_by_http_auth
-            login_proc = Proc.new do |login, password|
+            login_proc = proc do |login, password|
               if !login.blank? && !password.blank?
                 send("#{login_field}=", login)
                 send("#{password_field}=", password)

data/lib/authlogic/session/klass.rb

@@ -42,7 +42,8 @@ module Authlogic
       end
 
       module InstanceMethods
-        # Creating an alias method for the "record" method based on the klass name, so that we can do:
+        # Creating an alias method for the "record" method based on the klass
+        # name, so that we can do:
         #
         #   session.user
         #

data/lib/authlogic/session/magic_columns.rb

@@ -43,7 +43,8 @@ module Authlogic
         alias_method :last_request_at_threshold=, :last_request_at_threshold
       end
 
-      # The methods available for an Authlogic::Session::Base object that make up the magic columns feature.
+      # The methods available for an Authlogic::Session::Base object that make
+      # up the magic columns feature.
       module InstanceMethods
         private
 
@@ -109,7 +110,8 @@ module Authlogic
             if !record || !klass.column_names.include?("last_request_at")
               return false
             end
-            if controller.responds_to_last_request_update_allowed? && !controller.last_request_update_allowed?
+            if controller.responds_to_last_request_update_allowed? &&
+                !controller.last_request_update_allowed?
               return false
             end
             record.last_request_at.blank? ||

data/lib/authlogic/session/magic_states.rb

@@ -56,7 +56,7 @@ module Authlogic
 
           # @api private
           def required_magic_states_for(record)
-            [:active, :approved, :confirmed].select { |state|
+            %i[active approved confirmed].select { |state|
               record.respond_to?("#{state}?")
             }
           end
@@ -64,16 +64,15 @@ module Authlogic
           def validate_magic_states
             return true if attempted_record.nil?
             required_magic_states_for(attempted_record).each do |required_status|
-              unless attempted_record.send("#{required_status}?")
-                errors.add(
-                  :base,
-                  I18n.t(
-                    "error_messages.not_#{required_status}",
-                    default: "Your account is not #{required_status}"
-                  )
+              next if attempted_record.send("#{required_status}?")
+              errors.add(
+                :base,
+                I18n.t(
+                  "error_messages.not_#{required_status}",
+                  default: "Your account is not #{required_status}"
                 )
-                return false
-              end
+              )
+              return false
             end
             true
           end

data/lib/authlogic/session/params.rb

@@ -82,20 +82,27 @@ module Authlogic
 
           def persist_by_params
             return false unless params_enabled?
-            self.unauthorized_record = search_for_record("find_by_single_access_token", params_credentials)
+            self.unauthorized_record = search_for_record(
+              "find_by_single_access_token",
+              params_credentials
+            )
             self.single_access = valid?
           end
 
           def params_enabled?
-            return false if !params_credentials || !klass.column_names.include?("single_access_token")
-            return controller.single_access_allowed? if controller.responds_to_single_access_allowed?
+            if !params_credentials || !klass.column_names.include?("single_access_token")
+              return false
+            end
+            if controller.responds_to_single_access_allowed?
+              return controller.single_access_allowed?
+            end
 
             case single_access_allowed_request_types
             when Array
               single_access_allowed_request_types.include?(controller.request_content_type) ||
                 single_access_allowed_request_types.include?(:all)
             else
-              [:all, :any].include?(single_access_allowed_request_types)
+              %i[all any].include?(single_access_allowed_request_types)
             end
           end
 

data/lib/authlogic/session/password.rb

@@ -119,7 +119,7 @@ module Authlogic
         # should be an instance method. It should also be prepared to accept a
         # raw password and a crytped password.
         #
-        # * <tt>Default:</tt> "valid_password?"
+        # * <tt>Default:</tt> "valid_password?" defined in acts_as_authentic/password.rb
         # * <tt>Accepts:</tt> Symbol or String
         def verify_password_method(value = nil)
           rw_config(:verify_password_method, value, "valid_password?")
@@ -162,7 +162,11 @@ module Authlogic
           super
           values = Array.wrap(value)
           if values.first.is_a?(Hash)
-            values.first.with_indifferent_access.slice(login_field, password_field).each do |field, val|
+            sliced = values
+              .first
+              .with_indifferent_access
+              .slice(login_field, password_field)
+            sliced.each do |field, val|
               next if val.blank?
               send("#{field}=", val)
             end
@@ -179,7 +183,10 @@ module Authlogic
             if generalize_credentials_error_messages?
               add_general_credentials_error
             else
-              errors.add(password_field, I18n.t('error_messages.password_invalid', default: "is not valid"))
+              errors.add(
+                password_field,
+                I18n.t("error_messages.password_invalid", default: "is not valid")
+              )
             end
           end
 
@@ -187,60 +194,84 @@ module Authlogic
             if generalize_credentials_error_messages?
               add_general_credentials_error
             else
-              errors.add(login_field, I18n.t('error_messages.login_not_found', default: "is not valid"))
+              errors.add(
+                login_field,
+                I18n.t("error_messages.login_not_found", default: "is not valid")
+              )
             end
           end
 
-          def configure_password_methods
-            if login_field
-              self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
-              self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
-            end
+          def authenticating_with_password?
+            login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+          end
 
-            if password_field
-              self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
-              self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+          def configure_password_methods
+            define_login_field_methods
+            define_password_field_methods
+          end
 
-              # The password should not be accessible publicly. This way forms
-              # using form_for don't fill the password with the attempted
-              # password. To prevent this we just create this method that is
-              # private.
-              self.class.class_eval <<-EOS, __FILE__, __LINE__
-                private
-                  def protected_#{password_field}
-                    @#{password_field}
-                  end
-              EOS
-            end
+          def define_login_field_methods
+            return unless login_field
+            self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
+            self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
           end
 
-          def authenticating_with_password?
-            login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+          def define_password_field_methods
+            return unless password_field
+            self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
+            self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+
+            # The password should not be accessible publicly. This way forms
+            # using form_for don't fill the password with the attempted
+            # password. To prevent this we just create this method that is
+            # private.
+            self.class.class_eval <<-EOS, __FILE__, __LINE__ + 1
+              private
+                def protected_#{password_field}
+                  @#{password_field}
+                end
+            EOS
           end
 
+          # In keeping with the metaphor of ActiveRecord, verification of the
+          # password is referred to as a "validation".
           def validate_by_password
             self.invalid_password = false
-
-            # check for blank fields
-            if send(login_field).blank?
-              errors.add(login_field, I18n.t('error_messages.login_blank', default: "cannot be blank"))
-            end
-            if send("protected_#{password_field}").blank?
-              errors.add(password_field, I18n.t('error_messages.password_blank', default: "cannot be blank"))
-            end
+            validate_by_password__blank_fields
             return if errors.count > 0
-
             self.attempted_record = search_for_record(find_by_login_method, send(login_field))
             if attempted_record.blank?
               add_login_not_found_error
               return
             end
+            validate_by_password__invalid_password
+          end
+
+          def validate_by_password__blank_fields
+            if send(login_field).blank?
+              errors.add(
+                login_field,
+                I18n.t("error_messages.login_blank", default: "cannot be blank")
+              )
+            end
+            if send("protected_#{password_field}").blank?
+              errors.add(
+                password_field,
+                I18n.t("error_messages.password_blank", default: "cannot be blank")
+              )
+            end
+          end
 
-            # check for invalid password
-            unless attempted_record.send(verify_password_method, send("protected_#{password_field}"))
+          # Verify the password, usually using `valid_password?` in
+          # `acts_as_authentic/password.rb`. If it cannot be verified, we
+          # refer to it as "invalid".
+          def validate_by_password__invalid_password
+            unless attempted_record.send(
+              verify_password_method,
+              send("protected_#{password_field}")
+            )
               self.invalid_password = true
               add_invalid_password_error
-              return
             end
           end
 
@@ -261,7 +292,10 @@ module Authlogic
               else
                 "#{login_field.to_s.humanize}/Password combination is not valid"
               end
-            errors.add(:base, I18n.t('error_messages.general_credentials_error', default: error_message))
+            errors.add(
+              :base,
+              I18n.t("error_messages.general_credentials_error", default: error_message)
+            )
           end
 
           def generalize_credentials_error_messages?