authlogic 4.1.0 → 4.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +1 -0
- data/.rubocop.yml +0 -4
- data/.rubocop_todo.yml +32 -33
- data/CHANGELOG.md +15 -0
- data/Rakefile +2 -4
- data/authlogic.gemspec +2 -1
- data/lib/authlogic/acts_as_authentic/base.rb +13 -13
- data/lib/authlogic/acts_as_authentic/logged_in_status.rb +3 -3
- data/lib/authlogic/acts_as_authentic/login.rb +4 -4
- data/lib/authlogic/acts_as_authentic/password.rb +99 -98
- data/lib/authlogic/acts_as_authentic/persistence_token.rb +3 -3
- data/lib/authlogic/acts_as_authentic/queries/find_with_case.rb +32 -32
- data/lib/authlogic/acts_as_authentic/restful_authentication.rb +14 -14
- data/lib/authlogic/acts_as_authentic/session_maintenance.rb +60 -60
- data/lib/authlogic/acts_as_authentic/single_access_token.rb +6 -6
- data/lib/authlogic/authenticates_many/association.rb +3 -3
- data/lib/authlogic/config.rb +9 -9
- data/lib/authlogic/controller_adapters/abstract_adapter.rb +28 -8
- data/lib/authlogic/controller_adapters/rails_adapter.rb +3 -3
- data/lib/authlogic/crypto_providers/aes256.rb +20 -20
- data/lib/authlogic/crypto_providers/bcrypt.rb +8 -8
- data/lib/authlogic/crypto_providers/scrypt.rb +8 -8
- data/lib/authlogic/session/activation.rb +3 -3
- data/lib/authlogic/session/brute_force_protection.rb +32 -32
- data/lib/authlogic/session/callbacks.rb +49 -35
- data/lib/authlogic/session/cookies.rb +58 -49
- data/lib/authlogic/session/foundation.rb +3 -3
- data/lib/authlogic/session/id.rb +9 -4
- data/lib/authlogic/session/klass.rb +6 -6
- data/lib/authlogic/session/magic_columns.rb +5 -17
- data/lib/authlogic/session/params.rb +3 -0
- data/lib/authlogic/session/password.rb +105 -104
- data/lib/authlogic/session/perishable_token.rb +5 -5
- data/lib/authlogic/session/persistence.rb +5 -4
- data/lib/authlogic/session/priority_record.rb +8 -8
- data/lib/authlogic/session/scopes.rb +23 -23
- data/lib/authlogic/session/timeout.rb +11 -11
- data/lib/authlogic/session/unauthorized_record.rb +6 -6
- data/lib/authlogic/session/validation.rb +9 -9
- data/lib/authlogic/test_case.rb +5 -0
- data/lib/authlogic/test_case/mock_request.rb +2 -2
- data/lib/authlogic/version.rb +4 -3
- data/test/acts_as_authentic_test/password_test.rb +23 -23
- data/test/test_helper.rb +96 -93
- metadata +18 -4
@@ -26,41 +26,41 @@ module Authlogic
|
|
26
26
|
|
27
27
|
private
|
28
28
|
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
end
|
29
|
+
# @api private
|
30
|
+
def bind(relation)
|
31
|
+
if AR_GEM_VERSION >= Gem::Version.new("5")
|
32
|
+
bind = ActiveRecord::Relation::QueryAttribute.new(
|
33
|
+
@field,
|
34
|
+
@value,
|
35
|
+
ActiveRecord::Type::Value.new
|
36
|
+
)
|
37
|
+
@model_class.where(relation, bind)
|
38
|
+
else
|
39
|
+
@model_class.where(relation)
|
41
40
|
end
|
41
|
+
end
|
42
42
|
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
62
|
-
end
|
43
|
+
# @api private
|
44
|
+
def relation
|
45
|
+
if !@sensitive
|
46
|
+
@model_class.connection.case_insensitive_comparison(
|
47
|
+
@model_class.arel_table,
|
48
|
+
@field,
|
49
|
+
@model_class.columns_hash[@field],
|
50
|
+
@value
|
51
|
+
)
|
52
|
+
elsif AR_GEM_VERSION >= Gem::Version.new("5.0")
|
53
|
+
@model_class.connection.case_sensitive_comparison(
|
54
|
+
@model_class.arel_table,
|
55
|
+
@field,
|
56
|
+
@model_class.columns_hash[@field],
|
57
|
+
@value
|
58
|
+
)
|
59
|
+
else
|
60
|
+
value = @model_class.connection.case_sensitive_modifier(@value, @field)
|
61
|
+
@model_class.arel_table[@field].eq(value)
|
63
62
|
end
|
63
|
+
end
|
64
64
|
end
|
65
65
|
end
|
66
66
|
end
|
@@ -69,24 +69,24 @@ module Authlogic
|
|
69
69
|
|
70
70
|
private
|
71
71
|
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
end
|
78
|
-
CryptoProviders::Sha1.stretches = 1
|
72
|
+
def set_restful_authentication_config
|
73
|
+
self.restful_auth_crypto_provider = CryptoProviders::Sha1
|
74
|
+
if !defined?(::REST_AUTH_SITE_KEY) || ::REST_AUTH_SITE_KEY.nil?
|
75
|
+
unless defined?(::REST_AUTH_SITE_KEY)
|
76
|
+
class_eval("::REST_AUTH_SITE_KEY = ''", __FILE__, __LINE__)
|
79
77
|
end
|
78
|
+
CryptoProviders::Sha1.stretches = 1
|
80
79
|
end
|
80
|
+
end
|
81
81
|
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
end
|
82
|
+
# @api private
|
83
|
+
def restful_auth_crypto_provider=(provider)
|
84
|
+
if act_like_restful_authentication
|
85
|
+
self.crypto_provider = provider
|
86
|
+
else
|
87
|
+
self.transition_from_crypto_providers = provider
|
89
88
|
end
|
89
|
+
end
|
90
90
|
end
|
91
91
|
|
92
92
|
# :nodoc:
|
@@ -100,82 +100,82 @@ module Authlogic
|
|
100
100
|
|
101
101
|
private
|
102
102
|
|
103
|
-
|
104
|
-
|
105
|
-
|
103
|
+
def skip_session_maintenance=(value)
|
104
|
+
@skip_session_maintenance = value
|
105
|
+
end
|
106
106
|
|
107
|
-
|
108
|
-
|
109
|
-
|
107
|
+
def skip_session_maintenance
|
108
|
+
@skip_session_maintenance ||= false
|
109
|
+
end
|
110
110
|
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
111
|
+
def update_sessions?
|
112
|
+
!skip_session_maintenance &&
|
113
|
+
session_class &&
|
114
|
+
session_class.activated? &&
|
115
|
+
maintain_session? &&
|
116
|
+
!session_ids.blank? &&
|
117
|
+
persistence_token_changed?
|
118
|
+
end
|
119
119
|
|
120
|
-
|
121
|
-
|
122
|
-
|
120
|
+
def maintain_session?
|
121
|
+
log_in_after_create? || log_in_after_password_change?
|
122
|
+
end
|
123
123
|
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
124
|
+
def get_session_information
|
125
|
+
# Need to determine if we are completely logged out, or logged in as
|
126
|
+
# another user.
|
127
|
+
@_sessions = []
|
128
128
|
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
end
|
129
|
+
session_ids.each do |session_id|
|
130
|
+
session = session_class.find(session_id, self)
|
131
|
+
@_sessions << session if session && session.record
|
133
132
|
end
|
133
|
+
end
|
134
134
|
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
140
|
-
end
|
135
|
+
def maintain_sessions
|
136
|
+
if @_sessions.empty?
|
137
|
+
create_session
|
138
|
+
else
|
139
|
+
update_sessions
|
141
140
|
end
|
141
|
+
end
|
142
142
|
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
true
|
151
|
-
end
|
143
|
+
def create_session
|
144
|
+
# We only want to automatically login into the first session, since
|
145
|
+
# this is the main session. The other sessions are sessions that
|
146
|
+
# need to be created after logging into the main session.
|
147
|
+
session_id = session_ids.first
|
148
|
+
session_class.create(*[self, self, session_id].compact)
|
152
149
|
|
153
|
-
|
154
|
-
|
155
|
-
@_sessions.each do |stale_session|
|
156
|
-
next if stale_session.record != self
|
157
|
-
stale_session.unauthorized_record = self
|
158
|
-
stale_session.save
|
159
|
-
end
|
150
|
+
true
|
151
|
+
end
|
160
152
|
|
161
|
-
|
153
|
+
def update_sessions
|
154
|
+
# We found sessions above, let's update them with the new info
|
155
|
+
@_sessions.each do |stale_session|
|
156
|
+
next if stale_session.record != self
|
157
|
+
stale_session.unauthorized_record = self
|
158
|
+
stale_session.save
|
162
159
|
end
|
163
160
|
|
164
|
-
|
165
|
-
|
166
|
-
end
|
161
|
+
true
|
162
|
+
end
|
167
163
|
|
168
|
-
|
169
|
-
|
170
|
-
|
164
|
+
def session_ids
|
165
|
+
self.class.session_ids
|
166
|
+
end
|
171
167
|
|
172
|
-
|
173
|
-
|
174
|
-
|
168
|
+
def session_class
|
169
|
+
self.class.session_class
|
170
|
+
end
|
175
171
|
|
176
|
-
|
177
|
-
|
178
|
-
|
172
|
+
def log_in_after_create?
|
173
|
+
new_record? && self.class.log_in_after_create
|
174
|
+
end
|
175
|
+
|
176
|
+
def log_in_after_password_change?
|
177
|
+
persistence_token_changed? && self.class.log_in_after_password_change
|
178
|
+
end
|
179
179
|
end
|
180
180
|
end
|
181
181
|
end
|
@@ -67,13 +67,13 @@ module Authlogic
|
|
67
67
|
|
68
68
|
protected
|
69
69
|
|
70
|
-
|
71
|
-
|
72
|
-
|
70
|
+
def reset_single_access_token?
|
71
|
+
single_access_token.blank?
|
72
|
+
end
|
73
73
|
|
74
|
-
|
75
|
-
|
76
|
-
|
74
|
+
def change_single_access_token_with_password?
|
75
|
+
self.class.change_single_access_token_with_password == true
|
76
|
+
end
|
77
77
|
end
|
78
78
|
end
|
79
79
|
end
|
data/lib/authlogic/config.rb
CHANGED
@@ -9,15 +9,15 @@ module Authlogic
|
|
9
9
|
|
10
10
|
private
|
11
11
|
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
end
|
12
|
+
# This is a one-liner method to write a config setting, read the config
|
13
|
+
# setting, and also set a default value for the setting.
|
14
|
+
def rw_config(key, value, default_value = nil)
|
15
|
+
if value.nil?
|
16
|
+
acts_as_authentic_config.include?(key) ? acts_as_authentic_config[key] : default_value
|
17
|
+
else
|
18
|
+
self.acts_as_authentic_config = acts_as_authentic_config.merge(key => value)
|
19
|
+
value
|
21
20
|
end
|
21
|
+
end
|
22
22
|
end
|
23
23
|
end
|
@@ -53,12 +53,32 @@ module Authlogic
|
|
53
53
|
controller.send(:single_access_allowed?)
|
54
54
|
end
|
55
55
|
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
56
|
+
# You can disable the updating of `last_request_at`
|
57
|
+
# on a per-controller basis.
|
58
|
+
#
|
59
|
+
# # in your controller
|
60
|
+
# def last_request_update_allowed?
|
61
|
+
# false
|
62
|
+
# end
|
63
|
+
#
|
64
|
+
# For example, what if you had a javascript function that polled the
|
65
|
+
# server updating how much time is left in their session before it
|
66
|
+
# times out. Obviously you would want to ignore this request, because
|
67
|
+
# then the user would never time out. So you can do something like
|
68
|
+
# this in your controller:
|
69
|
+
#
|
70
|
+
# def last_request_update_allowed?
|
71
|
+
# action_name != "update_session_time_left"
|
72
|
+
# end
|
73
|
+
#
|
74
|
+
# See `authlogic/session/magic_columns.rb` to learn more about the
|
75
|
+
# `last_request_at` column itself.
|
60
76
|
def last_request_update_allowed?
|
61
|
-
controller.
|
77
|
+
if controller.respond_to?(:last_request_update_allowed?, true)
|
78
|
+
controller.send(:last_request_update_allowed?)
|
79
|
+
else
|
80
|
+
true
|
81
|
+
end
|
62
82
|
end
|
63
83
|
|
64
84
|
def respond_to_missing?(*args)
|
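Review bot: The `else` branch of the rewritten `last_request_update_allowed?` makes the hook fail open — a controller that does not define it returns `true`, so every request, including the polling request the new comment itself warns about, refreshes `last_request_at` and keeps an idle session alive. That is a defensible compatibility default, but the doc comment never states it, so an application relying on the timeout described in the comment may not realise it must override the hook for XHR polling, health checks or other automated requests; suggest adding directly above `def last_request_update_allowed?` the line `# Defaults to true (every request refreshes last_request_at) when the controller does not define this hook.` The `respond_to?(:last_request_update_allowed?, true)` + `send` pairing deliberately reaches a private controller method, consistent with the `controller.send(:single_access_allowed?)` call earlier in this hunk, and a one-line comment saying so would stop a later reader from "fixing" it to `public_send` and silently breaking private overrides. The enclosing class starts before this hunk.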
@@ -67,9 +87,9 @@ module Authlogic
|
|
67
87
|
|
68
88
|
private
|
69
89
|
|
70
|
-
|
71
|
-
|
72
|
-
|
90
|
+
def method_missing(id, *args, &block)
|
91
|
+
controller.send(id, *args, &block)
|
92
|
+
end
|
73
93
|
end
|
74
94
|
end
|
75
95
|
end
|
@@ -37,29 +37,29 @@ module Authlogic
|
|
37
37
|
|
38
38
|
private
|
39
39
|
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
end
|
46
|
-
|
47
|
-
@aes ||= openssl_cipher_class.new("AES-256-ECB")
|
40
|
+
def aes
|
41
|
+
if @key.blank?
|
42
|
+
raise ArgumentError.new(
|
43
|
+
"You must provide a key like #{name}.key = my_key before using the #{name}"
|
44
|
+
)
|
48
45
|
end
|
49
46
|
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
47
|
+
@aes ||= openssl_cipher_class.new("AES-256-ECB")
|
48
|
+
end
|
49
|
+
|
50
|
+
# `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
|
51
|
+
# in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
|
52
|
+
# printed until 2016
|
53
|
+
# (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
|
54
|
+
# became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
|
55
|
+
# (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
|
56
|
+
def openssl_cipher_class
|
57
|
+
if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
|
58
|
+
::OpenSSL::Cipher::Cipher
|
59
|
+
else
|
60
|
+
::OpenSSL::Cipher
|
62
61
|
end
|
62
|
+
end
|
63
63
|
end
|
64
64
|
end
|
65
65
|
end
|
@@ -98,15 +98,15 @@ module Authlogic
|
|
98
98
|
|
99
99
|
private
|
100
100
|
|
101
|
-
|
102
|
-
|
103
|
-
|
101
|
+
def join_tokens(tokens)
|
102
|
+
tokens.flatten.join
|
103
|
+
end
|
104
104
|
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
105
|
+
def new_from_hash(hash)
|
106
|
+
::BCrypt::Password.new(hash)
|
107
|
+
rescue ::BCrypt::Errors::InvalidHash
|
108
|
+
nil
|
109
|
+
end
|
110
110
|
end
|
111
111
|
end
|
112
112
|
end
|