authlogic 4.4.2 → 5.0.0

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This is one of my favorite features that I think is pretty cool. It's
@@ -40,7 +42,7 @@ module Authlogic
         def log_in_after_create(value = nil)
           rw_config(:log_in_after_create, value, true)
         end
-        alias_method :log_in_after_create=, :log_in_after_create
+        alias log_in_after_create= log_in_after_create
 
         # In order to turn off automatic maintenance of sessions when updating
         # the password, just set this to false.
@@ -50,7 +52,7 @@ module Authlogic
         def log_in_after_password_change(value = nil)
           rw_config(:log_in_after_password_change, value, true)
         end
-        alias_method :log_in_after_password_change=, :log_in_after_password_change
+        alias log_in_after_password_change= log_in_after_password_change
 
         # As you may know, authlogic sessions can be separate by id (See
         # Authlogic::Session::Base#id). You can specify here what session ids
@@ -62,7 +64,7 @@ module Authlogic
         def session_ids(value = nil)
           rw_config(:session_ids, value, [nil])
         end
-        alias_method :session_ids=, :session_ids
+        alias session_ids= session_ids
 
         # The name of the associated session class. This is inferred by the name
         # of the model.
@@ -77,7 +79,7 @@ module Authlogic
                   end
           rw_config(:session_class, value, const)
         end
-        alias_method :session_class=, :session_class
+        alias session_class= session_class
       end
 
       # This module, as one of the `acts_as_authentic_modules`, is only included
@@ -114,7 +116,7 @@ module Authlogic
             session_class.activated? &&
             maintain_session? &&
             !session_ids.blank? &&
-            persistence_token_changed?
+            will_save_change_to_persistence_token?
         end
 
         def maintain_session?
@@ -174,7 +176,7 @@ module Authlogic
         end
 
         def log_in_after_password_change?
-          persistence_token_changed? && self.class.log_in_after_password_change
+          will_save_change_to_persistence_token? && self.class.log_in_after_password_change
         end
       end
     end

data/lib/authlogic/acts_as_authentic/single_access_token.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
-    # This module is responsible for maintaining the single_access token. For more
-    # information the single access token and how to use it, see the
-    # Authlogic::Session::Params module.
+    # This module is responsible for maintaining the single_access token. For
+    # more information the single access token and how to use it, see "Params"
+    # in `Session::Base`.
     module SingleAccessToken
       def self.included(klass)
         klass.class_eval do
@@ -25,10 +27,7 @@ module Authlogic
         def change_single_access_token_with_password(value = nil)
           rw_config(:change_single_access_token_with_password, value, false)
         end
-        alias_method(
-          :change_single_access_token_with_password=,
-          :change_single_access_token_with_password
-        )
+        alias change_single_access_token_with_password= change_single_access_token_with_password
       end
 
       # All method, for the single_access token aspect of acts_as_authentic.
@@ -41,7 +40,9 @@ module Authlogic
 
           klass.class_eval do
             include InstanceMethods
-            validates_uniqueness_of :single_access_token, if: :single_access_token_changed?
+            validates_uniqueness_of :single_access_token,
+              if: :will_save_change_to_single_access_token?
+
             before_validation :reset_single_access_token, if: :reset_single_access_token?
             if respond_to?(:after_password_set)
               after_password_set(

data/lib/authlogic/config.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 module Authlogic
+  # Mixed into `Authlogic::ActsAsAuthentic::Base` and
+  # `Authlogic::Session::Base`.
   module Config
-    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS.freeze
+    E_USE_NORMAL_RAILS_VALIDATION = <<~EOS
       This Authlogic configuration option (%s) is deprecated. Use normal
       ActiveRecord validation instead. Detailed instructions:
       https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
@@ -8,6 +12,10 @@ module Authlogic
 
     def self.extended(klass)
       klass.class_eval do
+        # TODO: Is this a confusing name, given this module is mixed into
+        # both `Authlogic::ActsAsAuthentic::Base` and
+        # `Authlogic::Session::Base`? Perhaps a more generic name, like
+        # `authlogic_config` would be better?
         class_attribute :acts_as_authentic_config
         self.acts_as_authentic_config ||= {}
       end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -1,10 +1,13 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters # :nodoc:
-    # Allows you to use Authlogic in any framework you want, not just rails. See the RailsAdapter
-    # for an example of how to adapt Authlogic to work with your framework.
+    # Allows you to use Authlogic in any framework you want, not just rails. See
+    # the RailsAdapter for an example of how to adapt Authlogic to work with
+    # your framework.
     class AbstractAdapter
       E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
-        "implemented by the controller adapter".freeze
+        "implemented by the controller adapter"
 
       attr_accessor :controller
 
@@ -26,7 +29,7 @@ module Authlogic
       end
 
       def cookie_domain
-        raise NotImplementedError.new(E_COOKIE_DOMAIN_ADAPTER)
+        raise NotImplementedError, E_COOKIE_DOMAIN_ADAPTER
       end
 
       def params

data/lib/authlogic/controller_adapters/rack_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ControllerAdapters
     # Adapter for authlogic to make it function as a Rack middleware.

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_controller"
 
 module Authlogic
@@ -7,7 +9,19 @@ module Authlogic
     # Similar to how ActiveRecord has an adapter for MySQL, PostgreSQL, SQLite,
     # etc.
     class RailsAdapter < AbstractAdapter
-      class AuthlogicLoadedTooLateError < StandardError; end
+      # :nodoc:
+      class AuthlogicLoadedTooLateError < StandardError
+        def message
+          <<~EOS.squish
+            Authlogic is trying to add a callback to ActionController::Base but
+            ApplicationController has already been loaded, so the callback won't
+            be copied into your application. Generally this is due to another
+            gem or plugin requiring your ApplicationController prematurely, such
+            as the resource_controller plugin. Please require Authlogic first,
+            before these other gems / plugins.
+          EOS
+        end
+      end
 
       def authenticate_with_http_basic(&block)
         controller.authenticate_with_http_basic(&block)
@@ -20,8 +34,7 @@ module Authlogic
       end
 
       def cookie_domain
-        @cookie_domain_key ||= Rails::VERSION::STRING >= "2.3" ? :domain : :session_domain
-        controller.request.session_options[@cookie_domain_key]
+        controller.request.session_options[:domain]
       end
 
       def request_content_type
@@ -33,17 +46,7 @@ module Authlogic
       module RailsImplementation
         def self.included(klass) # :nodoc:
           if defined?(::ApplicationController)
-            raise AuthlogicLoadedTooLateError.new(
-              <<~EOS.squish
-                Authlogic is trying to add a callback to ActionController::Base
-                but ApplicationController has already been loaded, so the
-                callback won't be copied into your application. Generally this
-                is due to another gem or plugin requiring your
-                ApplicationController prematurely, such as the
-                resource_controller plugin. Please require Authlogic first,
-                before these other gems / plugins.
-              EOS
-            )
+            raise AuthlogicLoadedTooLateError
           end
 
           # In Rails 4.0.2, the *_filter methods were renamed to *_action.

data/lib/authlogic/controller_adapters/sinatra_adapter.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 # Authlogic bridge for Sinatra
 module Authlogic
   module ControllerAdapters
     module SinatraAdapter
+      # Cookie management functions
       class Cookies
         attr_reader :request, :response
 
@@ -23,6 +26,7 @@ module Authlogic
         end
       end
 
+      # Thin wrapper around request and response.
       class Controller
         attr_reader :request, :response, :cookies
 
@@ -40,11 +44,13 @@ module Authlogic
         end
       end
 
+      # Sinatra controller adapter
       class Adapter < AbstractAdapter
         def cookie_domain
           env["SERVER_NAME"]
         end
 
+        # Mixed into `Sinatra::Base`
         module Implementation
           def self.included(klass)
             klass.send :before do

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bcrypt"
 
 module Authlogic
@@ -64,10 +66,8 @@ module Authlogic
 
         def cost=(val)
           if val < ::BCrypt::Engine::MIN_COST
-            raise ArgumentError.new(
-              "Authlogic's bcrypt cost cannot be set below the engine's " \
+            raise ArgumentError, "Authlogic's bcrypt cost cannot be set below the engine's " \
                 "min cost (#{::BCrypt::Engine::MIN_COST})"
-            )
           end
           @cost = val
         end

data/lib/authlogic/crypto_providers/md5.rb

@@ -1,13 +1,10 @@
+# frozen_string_literal: true
+
 require "digest/md5"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from md5 based systems.
-    # I highly discourage using this crypto provider as it superbly inferior
-    # to your other options.
-    #
-    # Please use any other provider offered by Authlogic (except AES256, that
-    # would be even worse).
+    # A poor choice. There are known attacks against this algorithm.
     class MD5
       class << self
         attr_accessor :join_token

data/lib/authlogic/crypto_providers/scrypt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "scrypt"
 
 module Authlogic

data/lib/authlogic/crypto_providers/sha1.rb

@@ -1,11 +1,10 @@
+# frozen_string_literal: true
+
 require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from
-    # restful_authentication. Use of this crypto provider is highly discouraged.
-    # It is far inferior to your other options. Please use any other provider
-    # offered by Authlogic.
+    # A poor choice. There are known attacks against this algorithm.
     class Sha1
       class << self
         def join_token
@@ -13,8 +12,7 @@ module Authlogic
         end
         attr_writer :join_token
 
-        # The number of times to loop through the encryption. This is ten
-        # because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 10
         end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,16 +1,17 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic
   module CryptoProviders
-    # = Sha512
-    #
-    # Uses the Sha512 hash algorithm to encrypt passwords.
+    # SHA-512 does not have any practical known attacks against it. However,
+    # there are better choices. We recommend transitioning to a more secure,
+    # adaptive hashing algorithm, like scrypt.
     class Sha512
       class << self
         attr_accessor :join_token
 
-        # The number of times to loop through the encryption. This is twenty
-        # because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 20
         end

data/lib/authlogic/crypto_providers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   # The acts_as_authentic method has a crypto_provider option. This allows you
   # to use any type of encryption you like. Just create a class with a class
@@ -26,27 +28,12 @@ module Authlogic
     autoload :Sha256, "authlogic/crypto_providers/sha256"
     autoload :Sha512, "authlogic/crypto_providers/sha512"
     autoload :BCrypt, "authlogic/crypto_providers/bcrypt"
-    autoload :AES256, "authlogic/crypto_providers/aes256"
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
-    # crypto_providers/wordpress.rb has never been autoloaded, and now it is
-    # deprecated.
 
     # Guide users to choose a better crypto provider.
     class Guidance
-      AES256_DEPRECATED = <<~EOS.freeze
-        You have selected AES256 as your authlogic crypto provider. This
-        choice is not suitable for password storage.
-
-        Authlogic will drop its AES256 crypto provider in the next major
-        version. If you're unable to transition away from AES256 please let us
-        know immediately.
-
-        We recommend using a one-way algorithm instead. There are many choices;
-        we recommend scrypt. Use the transition_from_crypto_providers option
-        to make this painless for your users.
-      EOS
-      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::".freeze
-      NONADAPTIVE_ALGORITHM = <<~EOS.freeze
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::"
+      NONADAPTIVE_ALGORITHM = <<~EOS
         You have selected %s as your authlogic crypto provider. This algorithm
         does not have any practical known attacks against it. However, there are
         better choices.
@@ -61,7 +48,7 @@ module Authlogic
         Use the transition_from_crypto_providers option to make the transition
         painless for your users.
       EOS
-      VULNERABLE_ALGORITHM = <<~EOS.freeze
+      VULNERABLE_ALGORITHM = <<~EOS
         You have selected %s as your authlogic crypto provider. It is a poor
         choice because there are known attacks against this algorithm.
 
@@ -89,8 +76,6 @@ module Authlogic
         # negate the benefits of the `autoload` above.
         name = absolute_name.demodulize
         case name
-        when "AES256"
-          ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
         when "MD5", "Sha1"
           warn(format(VULNERABLE_ALGORITHM, name))
         when "Sha256", "Sha512"

data/lib/authlogic/i18n/translator.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 module Authlogic
   module I18n
+    # The default translator used by authlogic/i18n.rb
     class Translator
       # If the I18n gem is present, calls +I18n.translate+ passing all
       # arguments, else returns +options[:default]+.

data/lib/authlogic/i18n.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "authlogic/i18n/translator"
 
 module Authlogic
@@ -92,7 +94,7 @@ module Authlogic
       def translate(key, options = {})
         translator.translate key, { scope: I18n.scope }.merge(options)
       end
-      alias :t :translate
+      alias t translate
     end
   end
 end

data/lib/authlogic/random.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "securerandom"
 
 module Authlogic