authlogic 4.4.2 → 5.0.0

data/README.md

@@ -1,439 +0,0 @@
-# Authlogic
-
-A clean, simple, and unobtrusive ruby authentication solution.
-
-[![Gem Version][5]][6] [![Build Status][1]][2] [![Code Climate][7]][8] [![Dependency Status][3]][4]
-
-## Sponsors
-
-[![Timber Logging](http://res.cloudinary.com/timber/image/upload/v1490556810/pricing/sponsorship.png)](https://timber.io?utm_source=github&utm_medium=authlogic)
-
-[Tail Authlogic users](https://timber.io/docs/app/console/tail-a-user) in your logs!
-
-## Documentation
-
-| Version     | Documentation |
-| ----------- | ------------- |
-| Unreleased  | https://github.com/binarylogic/authlogic/blob/master/README.md |
-| 4.4.2       | https://github.com/binarylogic/authlogic/blob/v4.4.2/README.md |
-| 3.7.0       | https://github.com/binarylogic/authlogic/blob/v3.7.0/README.md |
-| 2.1.11      | https://github.com/binarylogic/authlogic/blob/v2.1.11/README.rdoc |
-| 1.4.3       | https://github.com/binarylogic/authlogic/blob/v1.4.3/README.rdoc |
-
-## Table of Contents
-
-- [1. Introduction](#1-introduction)
-  - [1.a. Compatibility](#1a-compatibility)
-  - [1.b. Overview](#1b-overview)
-  - [1.c. Reference Documentation](#1c-reference-documentation)
-- [2. Rails](#2-rails)
-  - [2.a. The users table](#2a-the-users-table)
-  - [2.b. Controller](#2b-controller)
-  - [2.c. View](#2c-view)
-  - [2.d. CSRF Protection](#2d-csrf-protection)
-- [3. Testing](#3-testing)
-- [4. Helpful links](#4-helpful-links)
-- [5. Add-ons](#5-add-ons)
-- [6. Internals](#6-internals)
-
-## 1. Introduction
-
-### 1.a. Compatibility
-
-| Version | branch       | ruby     | activerecord  |
-| ------- | ------------ | -------- | ------------- |
-| 4.4     | 4-4-stable   | >= 2.3.0 | >= 4.2, < 5.3 |
-| 4.3     | 4-3-stable   | >= 2.3.0 | >= 4.2, < 5.3 |
-| 4.2     | 4-2-stable   | >= 2.2.0 | >= 4.2, < 5.3 |
-| 3       | 3-stable     | >= 1.9.3 | >= 3.2, < 5.2 |
-| 2       | rails2       | >= 1.9.3 | ~> 2.3.0      |
-| 1       | ?            | ?        | ?             |
-
-Under SemVer, [changes to dependencies][10] do not require a major release.
-
-### 1.b. Overview
-
-Authlogic introduces a new type of model. You can have as many as you want, and
-name them whatever you want, just like your other models. In this example, we
-want to authenticate with our `User` model, which is inferred from the name:
-
-```ruby
-class UserSession < Authlogic::Session::Base
-  # specify configuration here, such as:
-  # logout_on_timeout true
-  # ...many more options in the documentation
-end
-```
-
-In a `UserSessionsController`, login the user by using it just like your other models:
-
-```ruby
-UserSession.create(:login => "bjohnson", :password => "my password", :remember_me => true)
-
-session = UserSession.new(:login => "bjohnson", :password => "my password", :remember_me => true)
-session.save
-
-# requires the authlogic-oid "add on" gem
-UserSession.create(:openid_identifier => "identifier", :remember_me => true)
-
-# skip authentication and log the user in directly, the true means "remember me"
-UserSession.create(my_user_object, true)
-```
-
-The above handles the entire authentication process for you by:
-
-1. authenticating (i.e. **validating** the record)
-2. sets up the proper session values and cookies to persist the session (i.e. **saving** the record).
-
-You can also log out (i.e. **destroying** the session):
-
-``` ruby
-session.destroy
-```
-
-After a session has been created, you can persist it (i.e. **finding** the
-record) across requests. Thus keeping the user logged in:
-
-``` ruby
-session = UserSession.find
-```
-
-To get all of the nice authentication functionality in your model just do this:
-
-```ruby
-class User < ApplicationRecord
-  acts_as_authentic do |c|
-    c.my_config_option = my_value
-  end # the configuration block is optional
-end
-```
-
-This handles validations, etc. It is also "smart" in the sense that it if a
-login field is present it will use that to authenticate, if not it will look for
-an email field, etc. This is all configurable, but for 99% of cases that above
-is all you will need to do.
-
-You may specify how passwords are cryptographically hashed (or encrypted) by
-setting the Authlogic::CryptoProvider option:
-
-``` ruby
-c.crypto_provider = Authlogic::CryptoProviders::BCrypt
-```
-
-You may validate international email addresses by enabling the provided alternate regex:
-
-``` ruby
-c.validates_format_of_email_field_options = {:with => Authlogic::Regex.email_nonascii}
-```
-
-Also, sessions are automatically maintained. You can switch this on and off with
-configuration, but the following will automatically log a user in after a
-successful registration:
-
-``` ruby
-User.create(params[:user])
-```
-
-You can switch this on and off with the following configuration:
-
-```ruby
-class User < ApplicationRecord
-  acts_as_authentic do |c|
-    c.log_in_after_create = false
-  end # the configuration block is optional
-end
-```
-
-Authlogic also updates the session when the user changes his/her password. You can also switch this on and off with the following configuration:
-
-```ruby
-class User < ApplicationRecord
-  acts_as_authentic do |c|
-    c.log_in_after_password_change = false
-  end # the configuration block is optional
-end
-```
-
-Authlogic is very flexible, it has a strong public API and a plethora of hooks
-to allow you to modify behavior and extend it. Check out the helpful links below
-to dig deeper.
-
-### 1.c. Reference Documentation
-
-This README is just an introduction, but we also have [reference
-documentation](http://www.rubydoc.info/github/binarylogic/authlogic).
-
-**To use the reference documentation, you must understand how Authlogic's
-code is organized.** There are 2 models, your Authlogic model and your
-ActiveRecord model:
-
-1. **Authlogic::Session**, your session models that
-  extend `Authlogic::Session::Base`.
-2. **Authlogic::ActsAsAuthentic**, which adds in functionality to your
-  ActiveRecord model when you call `acts_as_authentic`.
-
-Each of the above has various modules that are organized by topic: passwords,
-cookies, etc. For example, if you want to timeout users after a certain period
-of inactivity, you would look in `Authlogic::Session::Timeout`.
-
-## 2. Rails
-
-Let's walk through a typical rails setup.
-
-### 2.a. The users table
-
-If you want to enable all the features of Authlogic, a migration to create a
-`User` model might look like this:
-
-``` ruby
-class CreateUser < ActiveRecord::Migration
-  def change
-    create_table :users do |t|
-      # Authlogic::ActsAsAuthentic::Email
-      t.string    :email
-
-      # Authlogic::ActsAsAuthentic::Password
-      t.string    :crypted_password
-      t.string    :password_salt
-
-      # Authlogic::ActsAsAuthentic::PersistenceToken
-      t.string    :persistence_token
-      t.index     :persistence_token, unique: true
-
-      # Authlogic::ActsAsAuthentic::SingleAccessToken
-      t.string    :single_access_token
-      t.index     :single_access_token, unique: true
-
-      # Authlogic::ActsAsAuthentic::PerishableToken
-      t.string    :perishable_token
-      t.index     :perishable_token, unique: true
-
-      # Authlogic::Session::MagicColumns
-      t.integer   :login_count, default: 0, null: false
-      t.integer   :failed_login_count, default: 0, null: false
-      t.datetime  :last_request_at
-      t.datetime  :current_login_at
-      t.datetime  :last_login_at
-      t.string    :current_login_ip
-      t.string    :last_login_ip
-
-      # Authlogic::Session::MagicStates
-      t.boolean   :active, default: false
-      t.boolean   :approved, default: false
-      t.boolean   :confirmed, default: false
-
-      t.timestamps
-    end
-  end
-end
-```
-
-In the `User` model,
-
-```ruby
-class User < ApplicationRecord
-  acts_as_authentic
-
-  # Validate email, login, and password as you see fit.
-  #
-  # Authlogic < 5 added these validation for you, making them a little awkward
-  # to change. In 4.4.0, those automatic validations were deprecated. See
-  # https://github.com/binarylogic/authlogic/blob/master/doc/use_normal_rails_validation.md
-  validates :email,
-    format: {
-      with: ::Authlogic::Regex::EMAIL,
-      message: "should look like an email address."
-    },
-    length: { maximum: 100 },
-    uniqueness: {
-      case_sensitive: false,
-      if: :email_changed?
-    }
-
-  validates :login,
-    format: {
-      with: ::Authlogic::Regex::LOGIN,
-      message: "should use only letters, numbers, spaces, and .-_@+ please."
-    },
-    length: { within: 3..100 },
-    uniqueness: {
-      case_sensitive: false,
-      if: :login_changed?
-    }
-
-  validates :password,
-    confirmation: { if: :require_password? },
-    length: {
-      minimum: 8,
-      if: :require_password?
-    }
-  validates :password_confirmation,
-    length: {
-      minimum: 8,
-      if: :require_password?
-  }
-end
-```
-
-### 2.b. Controller
-
-Your sessions controller will look just like your other controllers.
-
-```ruby
-class UserSessionsController < ApplicationController
-  def new
-    @user_session = UserSession.new
-  end
-
-  def create
-    @user_session = UserSession.new(user_session_params)
-    if @user_session.save
-      redirect_to account_url
-    else
-      render :action => :new
-    end
-  end
-
-  def destroy
-    current_user_session.destroy
-    redirect_to new_user_session_url
-  end
-
-  private
-
-  def user_session_params
-    params.require(:user_session).permit(:email, :password, :remember_me)
-  end
-end
-```
-
-As you can see, this fits nicely into the [conventional controller methods][9].
-
-#### 2.b.1. Helper Methods
-
-```ruby
-class ApplicationController
-  helper_method :current_user_session, :current_user
-
-  private
-    def current_user_session
-      return @current_user_session if defined?(@current_user_session)
-      @current_user_session = UserSession.find
-    end
-
-    def current_user
-      return @current_user if defined?(@current_user)
-      @current_user = current_user_session && current_user_session.user
-    end
-end
-```
-
-### 2.c. View
-
-```erb
-<%= form_for @user_session do |f| %>
-  <% if @user_session.errors.any? %>
-  <div id="error_explanation">
-    <h2><%= pluralize(@user_session.errors.count, "error") %> prohibited:</h2>
-    <ul>
-      <% @user_session.errors.full_messages.each do |msg| %>
-        <li><%= msg %></li>
-      <% end %>
-    </ul>
-  </div>
-  <% end %>
-  <%= f.label :login %><br />
-  <%= f.text_field :login %><br />
-  <br />
-  <%= f.label :password %><br />
-  <%= f.password_field :password %><br />
-  <br />
-  <%= f.submit "Login" %>
-<% end %>
-```
-
-### 2.d. CSRF Protection
-
-Because Authlogic introduces its own methods for storing user sessions, the CSRF
-(Cross Site Request Forgery) protection that is built into Rails will not work
-out of the box.
-
-No generally applicable mitigation by the authlogic library is possible, because
-the instance variable you use to store a reference to the user session in `def
-current_user_session` will not be known to authlogic.
-
-You will need to override `ActionController::Base#handle_unverified_request` to
-do something appropriate to how your app handles user sessions, e.g.:
-
-```ruby
-class ApplicationController < ActionController::Base
-  ...
-  protected
-
-  def handle_unverified_request
-    # raise an exception
-    fail ActionController::InvalidAuthenticityToken
-    # or destroy session, redirect
-    if current_user_session
-      current_user_session.destroy
-    end
-    redirect_to root_url
-  end
-end
-```
-
-## 3. Testing
-
-See [Authlogic::TestCase](https://github.com/binarylogic/authlogic/blob/master/lib/authlogic/test_case.rb)
-
-## 4. Helpful links
-
-* <b>API Reference:</b> http://www.rubydoc.info/github/binarylogic/authlogic
-* <b>Repository:</b> https://github.com/binarylogic/authlogic/tree/master
-* <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
-* <b>Example repository with tutorial in README:</b> https://github.com/binarylogic/authlogic_example/tree/master
-* <b>Tutorial</b>: Rails Authentication with Authlogic https://www.sitepoint.com/rails-authentication-with-authlogic
-* <b>Issues:</b> https://github.com/binarylogic/authlogic/issues
-* <b>Chrome is not logging out on browser close</b> https://productforums.google.com/forum/#!topic/chrome/9l-gKYIUg50/discussion
-
-## 5. Add-ons
-
-* <b>Authlogic OpenID addon:</b> https://github.com/binarylogic/authlogic_openid
-* <b>Authlogic LDAP addon:</b> https://github.com/binarylogic/authlogic_ldap
-* <b>Authlogic Facebook Connect:</b> https://github.com/kalasjocke/authlogic-facebook-connect
-* <b>Authlogic Facebook Connect (New JS API):</b> https://github.com/studybyte/authlogic_facebook_connect
-* <b>Authlogic Facebook Shim</b> https://github.com/james2m/authlogic_facebook_shim
-* <b>Authlogic OAuth (Twitter):</b> https://github.com/jrallison/authlogic_oauth
-* <b>Authlogic Oauth and OpenID:</b> https://github.com/lancejpollard/authlogic-connect
-* <b>Authlogic PAM:</b> https://github.com/nbudin/authlogic_pam
-* <b>Authlogic x509:</b> https://github.com/auth-scc/authlogic_x509
-
-If you create one of your own, please let us know about it so we can add it to
-this list. Or just fork the project, add your link, and send us a pull request.
-
-## 6. Internals
-
-Interested in how all of this all works? Think about an ActiveRecord model. A
-database connection must be established before you can use it. In the case of
-Authlogic, a controller connection must be established before you can use it. It
-uses that controller connection to modify cookies, the current session, login
-with HTTP basic, etc. It connects to the controller through a before filter that
-is automatically set in your controller which lets Authlogic know about the
-current controller object. Then Authlogic leverages that to do everything, it's
-a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the
-tools your framework provides in the controller object.
-
-## Intellectual Property
-
-Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license
-
-[1]: https://api.travis-ci.org/binarylogic/authlogic.svg?branch=master
-[2]: https://travis-ci.org/binarylogic/authlogic
-[3]: https://gemnasium.com/badges/github.com/binarylogic/authlogic.svg
-[4]: https://gemnasium.com/binarylogic/authlogic
-[5]: https://badge.fury.io/rb/authlogic.png
-[6]: http://badge.fury.io/rb/authlogic
-[7]: https://codeclimate.com/github/binarylogic/authlogic.png
-[8]: https://codeclimate.com/github/binarylogic/authlogic
-[9]: http://guides.rubyonrails.org/routing.html#resource-routing-the-rails-default
-[10]: https://semver.org/spec/v2.0.0.html#what-should-i-do-if-i-update-my-own-dependencies-without-changing-the-public-api

data/Rakefile

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-require "rubygems"
-require "bundler"
-
-Bundler.setup
-
-require "rake/testtask"
-Rake::TestTask.new(:test) do |test|
-  test.libs << "test"
-  test.pattern = "test/**/*_test.rb"
-  test.verbose = false
-
-  # Set interpreter warning level to 2 (verbose)
-  test.ruby_opts += ["-W2"]
-end
-
-require "rubocop/rake_task"
-RuboCop::RakeTask.new
-
-task default: %i[rubocop test]

data/UPGRADING.md

@@ -1,22 +0,0 @@
-# Upgrading Authlogic
-
-Supplemental instructions to complement CHANGELOG.md.
-
-## 3.4.0
-
-In version 3.4.0, released 2014-03-03, the default crypto_provider was changed
-from *Sha512* to *SCrypt*.
-
-If you never set a crypto_provider and are upgrading, your passwords will break
-unless you specify `Sha512`.
-
-``` ruby
-c.crypto_provider = Authlogic::CryptoProviders::Sha512
-```
-
-And if you want to automatically upgrade from *Sha512* to *SCrypt* as users login:
-
-```ruby
-c.transition_from_crypto_providers = [Authlogic::CryptoProviders::Sha512]
-c.crypto_provider = Authlogic::CryptoProviders::SCrypt
-```

data/authlogic.gemspec

@@ -1,40 +0,0 @@
-# frozen_string_literal: true
-
-require "English"
-$LOAD_PATH.push File.expand_path("lib", __dir__)
-require "authlogic/version"
-
-::Gem::Specification.new do |s|
-  s.name = "authlogic"
-  s.version = ::Authlogic.gem_version.to_s
-  s.platform = ::Gem::Platform::RUBY
-  s.authors = [
-    "Ben Johnson",
-    "Tieg Zaharia",
-    "Jared Beck"
-  ]
-  s.email = [
-    "bjohnson@binarylogic.com",
-    "tieg.zaharia@gmail.com",
-    "jared@jaredbeck.com"
-  ]
-  s.homepage = "http://github.com/binarylogic/authlogic"
-  s.summary = "A clean, simple, and unobtrusive ruby authentication solution."
-  s.license = "MIT"
-
-  s.required_ruby_version = ">= 2.3.0"
-  s.add_dependency "activerecord", [">= 4.2", "< 5.3"]
-  s.add_dependency "activesupport", [">= 4.2", "< 5.3"]
-  s.add_dependency "request_store", "~> 1.0"
-  s.add_dependency "scrypt", ">= 1.2", "< 4.0"
-  s.add_development_dependency "bcrypt", "~> 3.1"
-  s.add_development_dependency "byebug", "~> 10.0"
-  s.add_development_dependency "minitest-reporters", "~> 1.3"
-  s.add_development_dependency "rubocop", "~> 0.58.1"
-  s.add_development_dependency "timecop", "~> 0.7"
-
-  s.files = `git ls-files`.split("\n")
-  s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
-  s.executables = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
-  s.require_paths = ["lib"]
-end

data/doc/use_normal_rails_validation.md

@@ -1,82 +0,0 @@
-# Use Normal ActiveRecord Validation
-
-In Authlogic 4.4.0, [we deprecated][1] the features of Authlogic related to
-validating email, login, and password. In 5.0.0 these features will be dropped.
-Use normal ActiveRecord validations instead.
-
-## Instructions
-
-First, disable the deprecated Authlogic validations:
-
-    acts_as_authentic do |c|
-      c.validate_email_field = false
-      c.validate_login_field = false
-      c.validate_password_field = false
-    end
-
-Then, use normal ActiveRecord validations instead. For example, instead of
-the Authlogic method validates_length_of_email_field_options, use
-
-    validates :email, length: { ... }
-
-It might be a good idea to replace these one field at a time, ie. email,
-then login, then password; one field per commit.
-
-## Default Values
-
-The following validations represent the Authlogic < 5 defaults. Merge these
-defaults with any settings you may have overwritten.
-
-```
-validates :email,
-  format: {
-    with: ::Authlogic::Regex::EMAIL,
-    message: proc {
-      ::Authlogic::I18n.t(
-        "error_messages.email_invalid",
-        default: "should look like an email address."
-      )
-    }
-  },
-  length: { maximum: 100 },
-  uniqueness: {
-    case_sensitive: false,
-    if: :email_changed?
-  }
-
-validates :login,
-  format: {
-    with: ::Authlogic::Regex::LOGIN,
-    message: proc {
-      ::Authlogic::I18n.t(
-        "error_messages.login_invalid",
-        default: "should use only letters, numbers, spaces, and .-_@+ please."
-      )
-    }
-  },
-  length: { within: 3..100 },
-  uniqueness: {
-    case_sensitive: false,
-    if: :login_changed?
-  }
-
-validates :password,
-  confirmation: { if: :require_password? },
-  length: {
-    minimum: 8,
-    if: :require_password?
-  }
-validates :password_confirmation,
-  length: {
-    minimum: 8,
-    if: :require_password?
-}
-```
-
-## Motivation
-
-The deprecated features save people some time in the begginning, when setting up
-Authlogic. But, later in the life of a project, when these settings need to
-change, it is obscure compared to normal ActiveRecord validations.
-
-[1]: https://github.com/binarylogic/authlogic/pull/623

data/gemfiles/Gemfile.rails-4.2.x

@@ -1,6 +0,0 @@
-source "https://rubygems.org"
-gemspec :path => ".."
-
-gem "activerecord", "~> 4.2.8.rc1"
-gem "activesupport", "~> 4.2.8.rc1"
-gem 'sqlite3', :platforms => :ruby

data/gemfiles/Gemfile.rails-5.1.x

@@ -1,6 +0,0 @@
-source "https://rubygems.org"
-gemspec :path => ".."
-
-gem "activerecord", "~> 5.1.0"
-gem "activesupport", "~> 5.1.0"
-gem 'sqlite3', :platforms => :ruby

data/gemfiles/Gemfile.rails-5.2.x

@@ -1,6 +0,0 @@
-source "https://rubygems.org"
-gemspec :path => ".."
-
-gem "activerecord", "~> 5.2.x"
-gem "activesupport", "~> 5.2.x"
-gem 'sqlite3', :platforms => :ruby