authlogic 4.4.2 → 5.0.3

data/lib/authlogic/crypto_providers/aes256.rb

@@ -1,71 +0,0 @@
-require "openssl"
-
-module Authlogic
-  module CryptoProviders
-    # This encryption method is reversible if you have the supplied key. So in
-    # order to use this encryption method you must supply it with a key first.
-    # In an initializer, or before your application initializes, you should do
-    # the following:
-    #
-    #   Authlogic::CryptoProviders::AES256.key = "long, unique, and random key"
-    #
-    # My final comment is that this is a strong encryption method, but its main
-    # weakness is that it's reversible. If you do not need to reverse the hash
-    # then you should consider Sha512 or BCrypt instead.
-    #
-    # Keep your key in a safe place, some even say the key should be stored on a
-    # separate server. This won't hurt performance because the only time it will
-    # try and access the key on the separate server is during initialization,
-    # which only happens once. The reasoning behind this is if someone does
-    # compromise your server they won't have the key also. Basically, you don't
-    # want to store the key with the lock.
-    class AES256
-      class << self
-        attr_writer :key
-
-        def encrypt(*tokens)
-          aes.encrypt
-          aes.key = @key
-          [aes.update(tokens.join) + aes.final].pack("m").chomp
-        end
-
-        def matches?(crypted, *tokens)
-          aes.decrypt
-          aes.key = @key
-          (aes.update(crypted.unpack("m").first) + aes.final) == tokens.join
-        rescue OpenSSL::CipherError
-          false
-        end
-
-        private
-
-        def aes
-          if @key.blank?
-            raise ArgumentError.new(
-              "You must provide a key like #{name}.key = my_key before using the #{name}"
-            )
-          end
-
-          @aes ||= openssl_cipher_class.new("AES-256-ECB")
-        end
-
-        # `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
-        # in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
-        # printed until 2016
-        # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
-        # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
-        # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
-        #
-        # When we eventually drop support for ruby < 2.4, we can probably also
-        # drop support for openssl gem < 2.
-        def openssl_cipher_class
-          if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
-            ::OpenSSL::Cipher::Cipher
-          else
-            ::OpenSSL::Cipher
-          end
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/crypto_providers/wordpress.rb

@@ -1,72 +0,0 @@
-require "digest/md5"
-
-::ActiveSupport::Deprecation.warn(
-  <<~EOS,
-    authlogic/crypto_providers/wordpress.rb is deprecated without replacement.
-    Yes, the entire file. Don't `require` it. Let us know ASAP if you are still
-    using it.
-
-    Reasons for deprecation: This file is not autoloaded by
-    `authlogic/crypto_providers.rb`. It's not documented. There are no tests.
-    So, it's likely used by a *very* small number of people, if any. It's never
-    had any contributions except by its original author, Jeffry Degrande, in
-    2009. It is unclear why it should live in the main authlogic codebase. It
-    could be in a separate gem, authlogic-wordpress, or it could just live in
-    Jeffry's codebase, if he still even needs it, in 2018, nine years later.
-  EOS
-  caller(1)
-)
-
-module Authlogic
-  module CryptoProviders
-    # Crypto provider to transition from wordpress user accounts. Written by
-    # Jeffry Degrande in 2009. First released in 2.1.3.
-    #
-    # Problems:
-    #
-    # - There are no tests.
-    # - We can't even figure out how to run this without it crashing.
-    # - Presumably it implements some spec, but it doesn't mention which.
-    # - It is not documented anywhere.
-    # - There is no PR associated with this, and no discussion about it could be found.
-    #
-    class Wordpress
-      class << self
-        ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".freeze
-
-        def matches?(crypted, *tokens)
-          stretches = 1 << ITOA64.index(crypted[3, 1])
-          plain, salt = *tokens
-          hashed = Digest::MD5.digest(salt + plain)
-          stretches.times do
-            hashed = Digest::MD5.digest(hashed + plain)
-          end
-          crypted[0, 12] + encode_64(hashed, 16) == crypted
-        end
-
-        def encode_64(input, length)
-          output = ""
-          i = 0
-          while i < length
-            value = input[i]
-            i += 1
-            break if value.nil?
-            output += ITOA64[value & 0x3f, 1]
-            value |= input[i] << 8 if i < length
-            output += ITOA64[(value >> 6) & 0x3f, 1]
-
-            i += 1
-            break if i >= length
-            value |= input[i] << 16 if i < length
-            output += ITOA64[(value >> 12) & 0x3f, 1]
-
-            i += 1
-            break if i >= length
-            output += ITOA64[(value >> 18) & 0x3f, 1]
-          end
-          output
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/regex.rb

@@ -1,79 +0,0 @@
-module Authlogic
-  # This is a module the contains regular expressions used throughout Authlogic.
-  # The point of extracting them out into their own module is to make them
-  # easily available to you for other uses. Ex:
-  #
-  #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
-  module Regex
-    # A general email regular expression. It allows top level domains (TLD) to
-    # be from 2 - 24 in length. The decisions behind this regular expression
-    # were made by analyzing the list of top-level domains maintained by IANA
-    # and by reading this website:
-    # http://www.regular-expressions.info/email.html, which is an excellent
-    # resource for regular expressions.
-    EMAIL = /
-      \A
-      [A-Z0-9_.&%+\-']+   # mailbox
-      @
-      (?:[A-Z0-9\-]+\.)+  # subdomains
-      (?:[A-Z]{2,25})     # TLD
-      \z
-    /ix
-
-    # A draft regular expression for internationalized email addresses. Given
-    # that the standard may be in flux, this simply emulates @email_regex but
-    # rather than allowing specific characters for each part, it instead
-    # disallows the complement set of characters:
-    #
-    # - email_name_regex disallows: @[]^ !"#$()*,/:;<=>?`{|}~\ and control characters
-    # - domain_head_regex disallows: _%+ and all characters in email_name_regex
-    # - domain_tld_regex disallows: 0123456789- and all characters in domain_head_regex
-    #
-    # http://en.wikipedia.org/wiki/Email_address#Internationalization
-    # http://tools.ietf.org/html/rfc6530
-    # http://www.unicode.org/faq/idn.html
-    # http://ruby-doc.org/core-2.1.5/Regexp.html#class-Regexp-label-Character+Classes
-    # http://en.wikipedia.org/wiki/Unicode_character_property#General_Category
-    EMAIL_NONASCII = /
-      \A
-      [^[:cntrl:][@\[\]\^ \!"\#$\(\)*,\/:;<=>?`{|}~\\]]+                        # mailbox
-      @
-      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+']]+\.)+         # subdomains
-      (?:[^[:cntrl:][@\[\]\^ \!\"\#$&\(\)*,\/:;<=>\?`{|}~\\_.%+\-'0-9]]{2,25})  # TLD
-      \z
-    /x
-
-    # A simple regular expression that only allows for letters, numbers, spaces, and
-    # .-_@+. Just a standard login / username regular expression.
-    LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/
-
-    # Accessing the above constants using the following methods is deprecated.
-
-    # @deprecated
-    def self.email
-      ::ActiveSupport::Deprecation.warn(
-        "Authlogic::Regex.email is deprecated, use Authlogic::Regex::EMAIL",
-        caller(1)
-      )
-      EMAIL
-    end
-
-    # @deprecated
-    def self.email_nonascii
-      ::ActiveSupport::Deprecation.warn(
-        "Authlogic::Regex.email_nonascii is deprecated, use Authlogic::Regex::EMAIL_NONASCII",
-        caller(1)
-      )
-      EMAIL_NONASCII
-    end
-
-    # @deprecated
-    def self.login
-      ::ActiveSupport::Deprecation.warn(
-        "Authlogic::Regex.login is deprecated, use Authlogic::Regex::LOGIN",
-        caller(1)
-      )
-      LOGIN
-    end
-  end
-end

data/lib/authlogic/session/activation.rb

@@ -1,73 +0,0 @@
-require "request_store"
-
-module Authlogic
-  module Session
-    # Activating Authlogic requires that you pass it an
-    # Authlogic::ControllerAdapters::AbstractAdapter object, or a class that
-    # extends it. This is sort of like a database connection for an ORM library,
-    # Authlogic can't do anything until it is "connected" to a controller. If
-    # you are using a supported framework, Authlogic takes care of this for you.
-    module Activation
-      class NotActivatedError < ::StandardError # :nodoc:
-        def initialize
-          super(
-            "You must activate the Authlogic::Session::Base.controller with " \
-              "a controller object before creating objects"
-          )
-        end
-      end
-
-      def self.included(klass)
-        klass.class_eval do
-          extend ClassMethods
-          include InstanceMethods
-        end
-      end
-
-      module ClassMethods
-        # Returns true if a controller has been set and can be used properly.
-        # This MUST be set before anything can be done. Similar to how
-        # ActiveRecord won't allow you to do anything without establishing a DB
-        # connection. In your framework environment this is done for you, but if
-        # you are using Authlogic outside of your framework, you need to assign
-        # a controller object to Authlogic via
-        # Authlogic::Session::Base.controller = obj. See the controller= method
-        # for more information.
-        def activated?
-          !controller.nil?
-        end
-
-        # This accepts a controller object wrapped with the Authlogic controller
-        # adapter. The controller adapters close the gap between the different
-        # controllers in each framework. That being said, Authlogic is expecting
-        # your object's class to extend
-        # Authlogic::ControllerAdapters::AbstractAdapter. See
-        # Authlogic::ControllerAdapters for more info.
-        #
-        # Lastly, this is thread safe.
-        def controller=(value)
-          RequestStore.store[:authlogic_controller] = value
-        end
-
-        # The current controller object
-        def controller
-          RequestStore.store[:authlogic_controller]
-        end
-      end
-
-      module InstanceMethods
-        # Making sure we are activated before we start creating objects
-        def initialize(*args)
-          raise NotActivatedError unless self.class.activated?
-          super
-        end
-
-        private
-
-        def controller
-          self.class.controller
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/active_record_trickery.rb

@@ -1,65 +0,0 @@
-module Authlogic
-  module Session
-    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not
-    # ActiveRecord. That's the goal here. This is useful for the various rails
-    # helper methods such as form_for, error_messages_for, or any method that
-    # expects an ActiveRecord object. The point is to disguise the object as an
-    # ActiveRecord object so we can take advantage of the many ActiveRecord
-    # tools.
-    module ActiveRecordTrickery
-      def self.included(klass)
-        klass.extend ActiveModel::Naming
-        klass.extend ActiveModel::Translation
-
-        # Support ActiveModel::Name#name for Rails versions before 4.0.
-        unless klass.model_name.respond_to?(:name)
-          ActiveModel::Name.module_eval do
-            alias_method :name, :to_s
-          end
-        end
-
-        klass.extend ClassMethods
-        klass.send(:include, InstanceMethods)
-      end
-
-      module ClassMethods
-        # How to name the class, works JUST LIKE ActiveRecord, except it uses
-        # the following namespace:
-        #
-        #   authlogic.models.user_session
-        def human_name(*)
-          I18n.t("models.#{name.underscore}", count: 1, default: name.humanize)
-        end
-
-        def i18n_scope
-          I18n.scope
-        end
-      end
-
-      module InstanceMethods
-        # Don't use this yourself, this is to just trick some of the helpers
-        # since this is the method it calls.
-        def new_record?
-          new_session?
-        end
-
-        def persisted?
-          !(new_record? || destroyed?)
-        end
-
-        def destroyed?
-          record.nil?
-        end
-
-        def to_key
-          new_record? ? nil : record.to_key
-        end
-
-        # For rails >= 3.0
-        def to_model
-          self
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,127 +0,0 @@
-module Authlogic
-  module Session
-    # A brute force attacks is executed by hammering a login with as many password
-    # combinations as possible, until one works. A brute force attacked is generally
-    # combated with a slow hashing algorithm such as BCrypt. You can increase the cost,
-    # which makes the hash generation slower, and ultimately increases the time it takes
-    # to execute a brute force attack. Just to put this into perspective, if a hacker was
-    # to gain access to your server and execute a brute force attack locally, meaning
-    # there is no network lag, it would probably take decades to complete. Now throw in
-    # network lag and it would take MUCH longer.
-    #
-    # But for those that are extra paranoid and can't get enough protection, why not stop
-    # them as soon as you realize something isn't right? That's what this module is all
-    # about. By default the consecutive_failed_logins_limit configuration option is set to
-    # 50, if someone consecutively fails to login after 50 attempts their account will be
-    # suspended. This is a very liberal number and at this point it should be obvious that
-    # something is not right. If you wish to lower this number just set the configuration
-    # to a lower number:
-    #
-    #   class UserSession < Authlogic::Session::Base
-    #     consecutive_failed_logins_limit 10
-    #   end
-    module BruteForceProtection
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          validate :reset_failed_login_count, if: :reset_failed_login_count?
-          validate :validate_failed_logins, if: :being_brute_force_protected?
-        end
-      end
-
-      # Configuration for the brute force protection feature.
-      module Config
-        # To help protect from brute force attacks you can set a limit on the
-        # allowed number of consecutive failed logins. By default this is 50,
-        # this is a very liberal number, and if someone fails to login after 50
-        # tries it should be pretty obvious that it's a machine trying to login
-        # in and very likely a brute force attack.
-        #
-        # In order to enable this field your model MUST have a
-        # failed_login_count (integer) field.
-        #
-        # If you don't know what a brute force attack is, it's when a machine
-        # tries to login into a system using every combination of character
-        # possible. Thus resulting in possibly millions of attempts to log into
-        # an account.
-        #
-        # * <tt>Default:</tt> 50
-        # * <tt>Accepts:</tt> Integer, set to 0 to disable
-        def consecutive_failed_logins_limit(value = nil)
-          rw_config(:consecutive_failed_logins_limit, value, 50)
-        end
-        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
-
-        # Once the failed logins limit has been exceed, how long do you want to
-        # ban the user? This can be a temporary or permanent ban.
-        #
-        # * <tt>Default:</tt> 2.hours
-        # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
-        def failed_login_ban_for(value = nil)
-          rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
-        end
-        alias_method :failed_login_ban_for=, :failed_login_ban_for
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make
-      # up the brute force protection feature.
-      module InstanceMethods
-        # Returns true when the consecutive_failed_logins_limit has been
-        # exceeded and is being temporarily banned. Notice the word temporary,
-        # the user will not be permanently banned unless you choose to do so
-        # with configuration. By default they will be banned for 2 hours. During
-        # that 2 hour period this method will return true.
-        def being_brute_force_protected?
-          exceeded_failed_logins_limit? &&
-            (
-              failed_login_ban_for <= 0 ||
-              attempted_record.respond_to?(:updated_at) &&
-              attempted_record.updated_at >= failed_login_ban_for.seconds.ago
-            )
-        end
-
-        private
-
-        def exceeded_failed_logins_limit?
-          !attempted_record.nil? &&
-            attempted_record.respond_to?(:failed_login_count) &&
-            consecutive_failed_logins_limit > 0 &&
-            attempted_record.failed_login_count &&
-            attempted_record.failed_login_count >= consecutive_failed_logins_limit
-        end
-
-        def reset_failed_login_count?
-          exceeded_failed_logins_limit? && !being_brute_force_protected?
-        end
-
-        def reset_failed_login_count
-          attempted_record.failed_login_count = 0
-        end
-
-        def validate_failed_logins
-          # Clear all other error messages, as they are irrelevant at this point and can
-          # only provide additional information that is not needed
-          errors.clear
-          errors.add(
-            :base,
-            I18n.t(
-              "error_messages.consecutive_failed_logins_limit_exceeded",
-              default: "Consecutive failed logins limit exceeded, account has been" +
-                (failed_login_ban_for.zero? ? "" : " temporarily") +
-                " disabled."
-            )
-          )
-        end
-
-        def consecutive_failed_logins_limit
-          self.class.consecutive_failed_logins_limit
-        end
-
-        def failed_login_ban_for
-          self.class.failed_login_ban_for
-        end
-      end
-    end
-  end
-end