authlogic 4.4.2 → 5.0.3

data/lib/authlogic/acts_as_authentic/magic_columns.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
-    # Magic columns are like ActiveRecord's created_at and updated_at columns. They are
-    # "magically" maintained for you. Authlogic has the same thing, but these are
-    # maintained on the session side. Please see Authlogic::Session::MagicColumns for more
-    # details. This module merely adds validations for the magic columns if they exist.
+    # Magic columns are like ActiveRecord's created_at and updated_at columns.
+    # They are "magically" maintained for you. Authlogic has the same thing, but
+    # these are maintained on the session side. Please see "Magic Columns" in
+    # `Session::Base` for more details. This module merely adds validations for
+    # the magic columns if they exist.
     module MagicColumns
       def self.included(klass)
         klass.class_eval do

data/lib/authlogic/acts_as_authentic/password.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This module has a lot of neat functionality. It is responsible for encrypting your
@@ -31,7 +33,7 @@ module Authlogic
             )
           )
         end
-        alias_method :crypted_password_field=, :crypted_password_field
+        alias crypted_password_field= crypted_password_field
 
         # The name of the password_salt field in the database.
         #
@@ -44,7 +46,7 @@ module Authlogic
             first_column_to_exist(nil, :password_salt, :pw_salt, :salt)
           )
         end
-        alias_method :password_salt_field=, :password_salt_field
+        alias password_salt_field= password_salt_field
 
         # Whether or not to require a password confirmation. If you don't want your users
         # to confirm their password just set this to false.
@@ -54,7 +56,7 @@ module Authlogic
         def require_password_confirmation(value = nil)
           rw_config(:require_password_confirmation, value, true)
         end
-        alias_method :require_password_confirmation=, :require_password_confirmation
+        alias require_password_confirmation= require_password_confirmation
 
         # By default passwords are required when a record is new or the crypted_password
         # is blank, but if both of these things are met a password is not required. In
@@ -73,7 +75,7 @@ module Authlogic
         def ignore_blank_passwords(value = nil)
           rw_config(:ignore_blank_passwords, value, true)
         end
-        alias_method :ignore_blank_passwords=, :ignore_blank_passwords
+        alias ignore_blank_passwords= ignore_blank_passwords
 
         # When calling valid_password?("some pass") do you want to check that password
         # against what's in that object or whats in the database. Take this example:
@@ -91,143 +93,7 @@ module Authlogic
         def check_passwords_against_database(value = nil)
           rw_config(:check_passwords_against_database, value, true)
         end
-        alias_method :check_passwords_against_database=, :check_passwords_against_database
-
-        # Whether or not to validate the password field.
-        #
-        # * <tt>Default:</tt> true
-        # * <tt>Accepts:</tt> Boolean
-        #
-        # @deprecated
-        def validate_password_field(value = nil)
-          rw_config(:validate_password_field, value, true)
-        end
-        alias_method :validate_password_field=, :validate_password_field
-
-        # A hash of options for the validates_length_of call for the password field.
-        # Allows you to change this however you want.
-        #
-        # **Keep in mind this is ruby. I wanted to keep this as flexible as
-        # possible, so you can completely replace the hash or merge options into
-        # it. Checkout the convenience function
-        # merge_validates_length_of_password_field_options to merge options.**
-        #
-        # * <tt>Default:</tt> {:minimum => 8, :if => :require_password?}
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
-        #
-        # @deprecated
-        def validates_length_of_password_field_options(value = nil)
-          deprecate_authlogic_config("validates_length_of_password_field_options") if value
-          rw_config(
-            :validates_length_of_password_field_options,
-            value,
-            minimum: 8,
-            if: :require_password?
-          )
-        end
-        alias_method(
-          :validates_length_of_password_field_options=,
-          :validates_length_of_password_field_options
-        )
-
-        # A convenience function to merge options into the
-        # validates_length_of_login_field_options. So instead of:
-        #
-        #   self.validates_length_of_password_field_options =
-        #     validates_length_of_password_field_options.merge(:my_option => my_value)
-        #
-        # You can do this:
-        #
-        #   merge_validates_length_of_password_field_options :my_option => my_value
-        #
-        # @deprecated
-        def merge_validates_length_of_password_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_length_of_password_field_options"
-          )
-          self.validates_length_of_password_field_options =
-            validates_length_of_password_field_options.merge(options)
-        end
-
-        # A hash of options for the validates_confirmation_of call for the
-        # password field. Allows you to change this however you want.
-        #
-        # **Keep in mind this is ruby. I wanted to keep this as flexible as
-        # possible, so you can completely replace the hash or merge options into
-        # it. Checkout the convenience function
-        # merge_validates_length_of_password_field_options to merge options.**
-        #
-        # * <tt>Default:</tt> {:if => :require_password?}
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_confirmation_of
-        #
-        # @deprecated
-        def validates_confirmation_of_password_field_options(value = nil)
-          if value
-            deprecate_authlogic_config(
-              "validates_confirmation_of_password_field_options"
-            )
-          end
-          rw_config(
-            :validates_confirmation_of_password_field_options,
-            value,
-            if: :require_password?
-          )
-        end
-        alias_method :validates_confirmation_of_password_field_options=,
-          :validates_confirmation_of_password_field_options
-
-        # See merge_validates_length_of_password_field_options. The same thing, except for
-        # validates_confirmation_of_password_field_options
-        #
-        # @deprecated
-        def merge_validates_confirmation_of_password_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_confirmation_of_password_field_options"
-          )
-          self.validates_confirmation_of_password_field_options =
-            validates_confirmation_of_password_field_options.merge(options)
-        end
-
-        # A hash of options for the validates_length_of call for the password_confirmation
-        # field. Allows you to change this however you want.
-        #
-        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so
-        # you can completely replace the hash or merge options into it. Checkout the
-        # convenience function merge_validates_length_of_password_field_options to merge
-        # options.</b>
-        #
-        # * <tt>Default:</tt> validates_length_of_password_field_options
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
-        #
-        # @deprecated
-        def validates_length_of_password_confirmation_field_options(value = nil)
-          if value
-            deprecate_authlogic_config(
-              "validates_length_of_password_confirmation_field_options"
-            )
-          end
-          rw_config(
-            :validates_length_of_password_confirmation_field_options,
-            value,
-            validates_length_of_password_field_options
-          )
-        end
-        alias_method(
-          :validates_length_of_password_confirmation_field_options=,
-          :validates_length_of_password_confirmation_field_options
-        )
-
-        # See merge_validates_length_of_password_field_options. The same thing, except for
-        # validates_length_of_password_confirmation_field_options
-        #
-        # @deprecated
-        def merge_validates_length_of_password_confirmation_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_length_of_password_confirmation_field_options"
-          )
-          self.validates_length_of_password_confirmation_field_options =
-            validates_length_of_password_confirmation_field_options.merge(options)
-        end
+        alias check_passwords_against_database= check_passwords_against_database
 
         # The class you want to use to encrypt and verify your encrypted
         # passwords. See the Authlogic::CryptoProviders module for more info on
@@ -236,7 +102,8 @@ module Authlogic
         # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
         # best choice for password storage today. We recommend SCrypt. Other
         # one-way functions like SHA512 are inferior, but widely used.
-        # Reverisbile functions like AES256 are the worst choice.
+        # Reverisbile functions like AES256 are the worst choice, and we no
+        # longer support them.
         #
         # You can use the `transition_from_crypto_providers` option to gradually
         # transition to a better crypto provider without causing your users any
@@ -248,7 +115,7 @@ module Authlogic
           CryptoProviders::Guidance.new(value).impart_wisdom
           rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
         end
-        alias_method :crypto_provider=, :crypto_provider
+        alias crypto_provider= crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to
@@ -274,46 +141,24 @@ module Authlogic
             []
           )
         end
-        alias_method :transition_from_crypto_providers=, :transition_from_crypto_providers
+        alias transition_from_crypto_providers= transition_from_crypto_providers
       end
 
       # Callbacks / hooks to allow other modules to modify the behavior of this module.
       module Callbacks
         # Does the order of this array matter?
         METHODS = %w[
-          before_password_set
-          after_password_set
-          before_password_verification
-          after_password_verification
+          password_set
+          password_verification
         ].freeze
 
         def self.included(klass)
           return if klass.crypted_password_field.nil?
-          klass.define_callbacks(*METHODS)
-
-          # If Rails 3, support the new callback syntax
-          if klass.singleton_class.method_defined?(:set_callback)
-            METHODS.each do |method|
-              klass.class_eval <<-EOS, __FILE__, __LINE__ + 1
-                def self.#{method}(*methods, &block)
-                  set_callback :#{method}, *methods, &block
-                end
-              EOS
-            end
+          klass.send :extend, ActiveModel::Callbacks
+          METHODS.each do |method|
+            klass.define_model_callbacks method, only: %i[before after]
           end
         end
-
-        # TODO: Ideally, once this module is included, the included copies of
-        # the following methods would be private. This cannot be accomplished
-        # by using calling `private` here in the module. Maybe we can set the
-        # privacy inside `included`?
-        METHODS.each do |method|
-          class_eval <<-EOS, __FILE__, __LINE__ + 1
-            def #{method}
-              run_callbacks(:#{method}) { |result, object| result == false }
-            end
-          EOS
-        end
       end
 
       # The methods related to the password field.
@@ -323,22 +168,6 @@ module Authlogic
 
           klass.class_eval do
             include InstanceMethods
-
-            if validate_password_field
-              validates_length_of :password, validates_length_of_password_field_options
-
-              if require_password_confirmation
-                validates_confirmation_of(
-                  :password,
-                  validates_confirmation_of_password_field_options
-                )
-                validates_length_of(
-                  :password_confirmation,
-                  validates_length_of_password_confirmation_field_options
-                )
-              end
-            end
-
             after_save :reset_password_changed
           end
         end
@@ -355,20 +184,17 @@ module Authlogic
           # create new password salt as well as encrypt the password.
           def password=(pass)
             return if ignore_blank_passwords? && pass.blank?
-            before_password_set
-            @password = pass
-            if password_salt_field
-              send("#{password_salt_field}=", Authlogic::Random.friendly_token)
-            end
-            encryptor_args_type = act_like_restful_authentication? ? :restful_authentication : nil
-            send(
-              "#{crypted_password_field}=",
-              crypto_provider.encrypt(
-                *encrypt_arguments(@password, false, encryptor_args_type)
+            run_callbacks :password_set do
+              @password = pass
+              if password_salt_field
+                send("#{password_salt_field}=", Authlogic::Random.friendly_token)
+              end
+              send(
+                "#{crypted_password_field}=",
+                crypto_provider.encrypt(*encrypt_arguments(@password, false))
               )
-            )
-            @password_changed = true
-            after_password_set
+              @password_changed = true
+            end
           end
 
           # Accepts a raw password to determine if it is the correct password.
@@ -384,24 +210,23 @@ module Authlogic
           )
             crypted = crypted_password_to_validate_against(check_against_database)
             return false if attempted_password.blank? || crypted.blank?
-            before_password_verification
-
-            crypto_providers.each_with_index do |encryptor, index|
-              next unless encryptor_matches?(
-                crypted,
-                encryptor,
-                index,
-                attempted_password,
-                check_against_database
-              )
-              if transition_password?(index, encryptor, check_against_database)
-                transition_password(attempted_password)
+            run_callbacks :password_verification do
+              crypto_providers.each_with_index.any? do |encryptor, index|
+                if encryptor_matches?(
+                  crypted,
+                  encryptor,
+                  attempted_password,
+                  check_against_database
+                )
+                  if transition_password?(index, encryptor, check_against_database)
+                    transition_password(attempted_password)
+                  end
+                  true
+                else
+                  false
+                end
               end
-              after_password_verification
-              return true
             end
-
-            false
           end
 
           # Resets the password to a random friendly token.
@@ -410,20 +235,20 @@ module Authlogic
             self.password = friendly_token
             self.password_confirmation = friendly_token if self.class.require_password_confirmation
           end
-          alias_method :randomize_password, :reset_password
+          alias randomize_password reset_password
 
           # Resets the password to a random friendly token and then saves the record.
           def reset_password!
             reset_password
             save_without_session_maintenance(validate: false)
           end
-          alias_method :randomize_password!, :reset_password!
+          alias randomize_password! reset_password!
 
           private
 
           def crypted_password_to_validate_against(check_against_database)
-            if check_against_database && send("#{crypted_password_field}_changed?")
-              send("#{crypted_password_field}_was")
+            if check_against_database && send("will_save_change_to_#{crypted_password_field}?")
+              send("#{crypted_password_field}_in_database")
             else
               send(crypted_password_field)
             end
@@ -439,53 +264,28 @@ module Authlogic
 
           # Returns an array of arguments to be passed to a crypto provider, either its
           # `matches?` or its `encrypt` method.
-          def encrypt_arguments(raw_password, check_against_database, arguments_type = nil)
+          def encrypt_arguments(raw_password, check_against_database)
             salt = nil
             if password_salt_field
               salt =
-                if check_against_database && send("#{password_salt_field}_changed?")
-                  send("#{password_salt_field}_was")
+                if check_against_database && send("will_save_change_to_#{password_salt_field}?")
+                  send("#{password_salt_field}_in_database")
                 else
                   send(password_salt_field)
                 end
             end
-
-            case arguments_type
-            when :restful_authentication
-              [REST_AUTH_SITE_KEY, salt, raw_password, REST_AUTH_SITE_KEY].compact
-            when nil
-              [raw_password, salt].compact
-            else
-              raise "Invalid encryptor arguments_type: #{arguments_type}"
-            end
+            [raw_password, salt].compact
           end
 
           # Given `encryptor`, does `attempted_password` match the `crypted` password?
-          def encryptor_matches?(
-            crypted,
-            encryptor,
-            index,
-            attempted_password,
-            check_against_database
-          )
-            # The arguments_type for the transitioning from restful_authentication
-            acting_restful = act_like_restful_authentication? && index.zero?
-            transitioning = transition_from_restful_authentication? &&
-              index > 0 &&
-              encryptor == Authlogic::CryptoProviders::Sha1
-            restful = acting_restful || transitioning
-            arguments_type = restful ? :restful_authentication : nil
-            encryptor_args = encrypt_arguments(
-              attempted_password,
-              check_against_database,
-              arguments_type
-            )
+          def encryptor_matches?(crypted, encryptor, attempted_password, check_against_database)
+            encryptor_args = encrypt_arguments(attempted_password, check_against_database)
             encryptor.matches?(crypted, *encryptor_args)
           end
 
           # Determines if we need to transition the password.
           #
-          # - If the index > 0 then we are using an "transition from" crypto
+          # - If the index > 0 then we are using a "transition from" crypto
           #   provider.
           # - If the encryptor has a cost and the cost it outdated.
           # - If we aren't using database values
@@ -499,7 +299,7 @@ module Authlogic
             ) &&
               (
                 !check_against_database ||
-                !send("#{crypted_password_field}_changed?")
+                !send("will_save_change_to_#{crypted_password_field}?")
               )
           end
 
@@ -509,6 +309,7 @@ module Authlogic
           end
 
           def require_password?
+            # this is _not_ the activemodel changed? method, see below
             new_record? || password_changed? || send(crypted_password_field).blank?
           end