authlogic 4.5.0 → 6.4.2

data/lib/authlogic/session/brute_force_protection.rb

@@ -1,127 +0,0 @@
-module Authlogic
-  module Session
-    # A brute force attacks is executed by hammering a login with as many password
-    # combinations as possible, until one works. A brute force attacked is generally
-    # combated with a slow hashing algorithm such as BCrypt. You can increase the cost,
-    # which makes the hash generation slower, and ultimately increases the time it takes
-    # to execute a brute force attack. Just to put this into perspective, if a hacker was
-    # to gain access to your server and execute a brute force attack locally, meaning
-    # there is no network lag, it would probably take decades to complete. Now throw in
-    # network lag and it would take MUCH longer.
-    #
-    # But for those that are extra paranoid and can't get enough protection, why not stop
-    # them as soon as you realize something isn't right? That's what this module is all
-    # about. By default the consecutive_failed_logins_limit configuration option is set to
-    # 50, if someone consecutively fails to login after 50 attempts their account will be
-    # suspended. This is a very liberal number and at this point it should be obvious that
-    # something is not right. If you wish to lower this number just set the configuration
-    # to a lower number:
-    #
-    #   class UserSession < Authlogic::Session::Base
-    #     consecutive_failed_logins_limit 10
-    #   end
-    module BruteForceProtection
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          validate :reset_failed_login_count, if: :reset_failed_login_count?
-          validate :validate_failed_logins, if: :being_brute_force_protected?
-        end
-      end
-
-      # Configuration for the brute force protection feature.
-      module Config
-        # To help protect from brute force attacks you can set a limit on the
-        # allowed number of consecutive failed logins. By default this is 50,
-        # this is a very liberal number, and if someone fails to login after 50
-        # tries it should be pretty obvious that it's a machine trying to login
-        # in and very likely a brute force attack.
-        #
-        # In order to enable this field your model MUST have a
-        # failed_login_count (integer) field.
-        #
-        # If you don't know what a brute force attack is, it's when a machine
-        # tries to login into a system using every combination of character
-        # possible. Thus resulting in possibly millions of attempts to log into
-        # an account.
-        #
-        # * <tt>Default:</tt> 50
-        # * <tt>Accepts:</tt> Integer, set to 0 to disable
-        def consecutive_failed_logins_limit(value = nil)
-          rw_config(:consecutive_failed_logins_limit, value, 50)
-        end
-        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
-
-        # Once the failed logins limit has been exceed, how long do you want to
-        # ban the user? This can be a temporary or permanent ban.
-        #
-        # * <tt>Default:</tt> 2.hours
-        # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
-        def failed_login_ban_for(value = nil)
-          rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
-        end
-        alias_method :failed_login_ban_for=, :failed_login_ban_for
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make
-      # up the brute force protection feature.
-      module InstanceMethods
-        # Returns true when the consecutive_failed_logins_limit has been
-        # exceeded and is being temporarily banned. Notice the word temporary,
-        # the user will not be permanently banned unless you choose to do so
-        # with configuration. By default they will be banned for 2 hours. During
-        # that 2 hour period this method will return true.
-        def being_brute_force_protected?
-          exceeded_failed_logins_limit? &&
-            (
-              failed_login_ban_for <= 0 ||
-              attempted_record.respond_to?(:updated_at) &&
-              attempted_record.updated_at >= failed_login_ban_for.seconds.ago
-            )
-        end
-
-        private
-
-        def exceeded_failed_logins_limit?
-          !attempted_record.nil? &&
-            attempted_record.respond_to?(:failed_login_count) &&
-            consecutive_failed_logins_limit > 0 &&
-            attempted_record.failed_login_count &&
-            attempted_record.failed_login_count >= consecutive_failed_logins_limit
-        end
-
-        def reset_failed_login_count?
-          exceeded_failed_logins_limit? && !being_brute_force_protected?
-        end
-
-        def reset_failed_login_count
-          attempted_record.failed_login_count = 0
-        end
-
-        def validate_failed_logins
-          # Clear all other error messages, as they are irrelevant at this point and can
-          # only provide additional information that is not needed
-          errors.clear
-          errors.add(
-            :base,
-            I18n.t(
-              "error_messages.consecutive_failed_logins_limit_exceeded",
-              default: "Consecutive failed logins limit exceeded, account has been" +
-                (failed_login_ban_for.zero? ? "" : " temporarily") +
-                " disabled."
-            )
-          )
-        end
-
-        def consecutive_failed_logins_limit
-          self.class.consecutive_failed_logins_limit
-        end
-
-        def failed_login_ban_for
-          self.class.failed_login_ban_for
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/callbacks.rb

@@ -1,153 +0,0 @@
-module Authlogic
-  module Session
-    # Between these callbacks and the configuration, this is the contract between me and
-    # you to safely modify Authlogic's behavior. I will do everything I can to make sure
-    # these do not change.
-    #
-    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and
-    # to the point. More importantly they use the same API that you would use to extend
-    # Authlogic. That being said, they are great examples of how to extend Authlogic and
-    # add / modify behavior to Authlogic. These modules could easily be pulled out into
-    # their own plugin and become an "add on" without any change.
-    #
-    # Now to the point of this module. Just like in ActiveRecord you have before_save,
-    # before_validation, etc. You have similar callbacks with Authlogic, see the METHODS
-    # constant below. The order of execution is as follows:
-    #
-    #   before_persisting
-    #   persist
-    #   after_persisting
-    #   [save record if record.changed?]
-    #
-    #   before_validation
-    #   before_validation_on_create
-    #   before_validation_on_update
-    #   validate
-    #   after_validation_on_update
-    #   after_validation_on_create
-    #   after_validation
-    #   [save record if record.changed?]
-    #
-    #   before_save
-    #   before_create
-    #   before_update
-    #   after_update
-    #   after_create
-    #   after_save
-    #   [save record if record.changed?]
-    #
-    #   before_destroy
-    #   [save record if record.changed?]
-    #   destroy
-    #   after_destroy
-    #
-    # Notice the "save record if changed?" lines above. This helps with performance. If
-    # you need to make changes to the associated record, there is no need to save the
-    # record, Authlogic will do it for you. This allows multiple modules to modify the
-    # record and execute as few queries as possible.
-    #
-    # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
-    #
-    #   class UserSession < Authlogic::Session::Base
-    #     before_validation :my_method
-    #     validate :another_method
-    #     # ..etc
-    #   end
-    #
-    # You can NOT define a "before_validation" method, this is bad practice and does not
-    # allow Authlogic to extend properly with multiple extensions. Please ONLY use the
-    # method above.
-    module Callbacks
-      METHODS = %w[
-        before_persisting
-        persist
-        after_persisting
-        before_validation
-        before_validation_on_create
-        before_validation_on_update
-        validate
-        after_validation_on_update
-        after_validation_on_create
-        after_validation
-        before_save
-        before_create
-        before_update
-        after_update
-        after_create
-        after_save
-        before_destroy
-        after_destroy
-      ].freeze
-
-      class << self
-        def included(base) #:nodoc:
-          base.send :include, ActiveSupport::Callbacks
-          define_session_callbacks(base)
-          define_session_callback_installation_methods(base)
-        end
-
-        private
-
-        # Defines the "callback installation methods". Other modules will use
-        # these class methods to install their callbacks. Examples:
-        #
-        # ```
-        # # session/timeout.rb, in `included`
-        # before_persisting :reset_stale_state
-        #
-        # # session/password.rb, in `included`
-        # validate :validate_by_password, if: :authenticating_with_password?
-        # ```
-        def define_session_callback_installation_methods(base)
-          METHODS.each do |method|
-            base.class_eval <<-EOS, __FILE__, __LINE__ + 1
-              def self.#{method}(*filter_list, &block)
-                set_callback(:#{method}, *filter_list, &block)
-              end
-            EOS
-          end
-        end
-
-        # Defines session life cycle events that support callbacks.
-        def define_session_callbacks(base)
-          if Gem::Version.new(ActiveSupport::VERSION::STRING) >= Gem::Version.new("5")
-            base.define_callbacks(
-              *METHODS,
-              terminator: ->(_target, result_lambda) { result_lambda.call == false }
-            )
-            base.define_callbacks(
-              "persist",
-              terminator: ->(_target, result_lambda) { result_lambda.call == true }
-            )
-          else
-            base.define_callbacks(
-              *METHODS,
-              terminator: ->(_target, result) { result == false }
-            )
-            base.define_callbacks(
-              "persist",
-              terminator: ->(_target, result) { result == true }
-            )
-          end
-        end
-      end
-
-      METHODS.each do |method|
-        class_eval(
-          <<-EOS, __FILE__, __LINE__ + 1
-            def #{method}
-              run_callbacks(:#{method})
-            end
-          EOS
-        )
-      end
-
-      def save_record(alternate_record = nil)
-        r = alternate_record || record
-        if r&.changed? && !r.readonly?
-          r.save_without_session_maintenance(validate: false)
-        end
-      end
-    end
-  end
-end

data/lib/authlogic/session/cookies.rb

@@ -1,329 +0,0 @@
-module Authlogic
-  module Session
-    # Handles all authentication that deals with cookies, such as persisting,
-    # saving, and destroying.
-    module Cookies
-      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict", "None"].freeze
-
-      def self.included(klass)
-        klass.class_eval do
-          extend Config
-          include InstanceMethods
-          persist :persist_by_cookie
-          after_save :save_cookie
-          after_destroy :destroy_cookie
-        end
-      end
-
-      # Configuration for the cookie feature set.
-      module Config
-        # The name of the cookie or the key in the cookies hash. Be sure and use
-        # a unique name. If you have multiple sessions and they use the same
-        # cookie it will cause problems. Also, if a id is set it will be
-        # inserted into the beginning of the string. Example:
-        #
-        #   session = UserSession.new
-        #   session.cookie_key => "user_credentials"
-        #
-        #   session = UserSession.new(:super_high_secret)
-        #   session.cookie_key => "super_high_secret_user_credentials"
-        #
-        # * <tt>Default:</tt> "#{klass_name.underscore}_credentials"
-        # * <tt>Accepts:</tt> String
-        def cookie_key(value = nil)
-          rw_config(:cookie_key, value, "#{klass_name.underscore}_credentials")
-        end
-        alias_method :cookie_key=, :cookie_key
-
-        # If sessions should be remembered by default or not.
-        #
-        # * <tt>Default:</tt> false
-        # * <tt>Accepts:</tt> Boolean
-        def remember_me(value = nil)
-          rw_config(:remember_me, value, false)
-        end
-        alias_method :remember_me=, :remember_me
-
-        # The length of time until the cookie expires.
-        #
-        # * <tt>Default:</tt> 3.months
-        # * <tt>Accepts:</tt> Integer, length of time in seconds, such as 60 or 3.months
-        def remember_me_for(value = nil)
-          rw_config(:remember_me_for, value, 3.months)
-        end
-        alias_method :remember_me_for=, :remember_me_for
-
-        # Should the cookie be set as secure?  If true, the cookie will only be sent over
-        # SSL connections
-        #
-        # * <tt>Default:</tt> true
-        # * <tt>Accepts:</tt> Boolean
-        def secure(value = nil)
-          rw_config(:secure, value, true)
-        end
-        alias_method :secure=, :secure
-
-        # Should the cookie be set as httponly?  If true, the cookie will not be
-        # accessible from javascript
-        #
-        # * <tt>Default:</tt> true
-        # * <tt>Accepts:</tt> Boolean
-        def httponly(value = nil)
-          rw_config(:httponly, value, true)
-        end
-        alias_method :httponly=, :httponly
-
-        # Should the cookie be prevented from being send along with cross-site
-        # requests?
-        #
-        # * <tt>Default:</tt> nil
-        # * <tt>Accepts:</tt> String, one of nil, 'Lax' or 'Strict'
-        def same_site(value = nil)
-          unless VALID_SAME_SITE_VALUES.include?(value)
-            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
-            raise ArgumentError.new(msg)
-          end
-          rw_config(:same_site, value)
-        end
-        alias_method :same_site=, :same_site
-
-        # Should the cookie be signed? If the controller adapter supports it, this is a
-        # measure against cookie tampering.
-        def sign_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:signed)
-            raise "Signed cookies not supported with #{controller.class}!"
-          end
-          rw_config(:sign_cookie, value, false)
-        end
-        alias_method :sign_cookie=, :sign_cookie
-
-        # Should the cookie be encrypted? If the controller adapter supports it, this is a
-        # measure to hide the contents of the cookie (e.g. persistence_token)"
-        def encrypt_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:encrypted)
-            raise "Encrypted cookies not supported with #{controller.class}!"
-          end
-          if value && sign_cookie
-            raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
-                  "You may not enable both options."
-          end
-          rw_config(:encrypt_cookie, value, false)
-        end
-        alias_method :encrypt_cookie=, :encrypt_cookie
-      end
-
-      # The methods available for an Authlogic::Session::Base object that make up the
-      # cookie feature set.
-      module InstanceMethods
-        # Allows you to set the remember_me option when passing credentials.
-        def credentials=(value)
-          super
-          values = value.is_a?(Array) ? value : [value]
-          case values.first
-          when Hash
-            if values.first.with_indifferent_access.key?(:remember_me)
-              self.remember_me = values.first.with_indifferent_access[:remember_me]
-            end
-          else
-            r = values.find { |val| val.is_a?(TrueClass) || val.is_a?(FalseClass) }
-            self.remember_me = r unless r.nil?
-          end
-        end
-
-        # Is the cookie going to expire after the session is over, or will it stick around?
-        def remember_me
-          return @remember_me if defined?(@remember_me)
-          @remember_me = self.class.remember_me
-        end
-
-        # Accepts a boolean as a flag to remember the session or not. Basically
-        # to expire the cookie at the end of the session or keep it for
-        # "remember_me_until".
-        def remember_me=(value)
-          @remember_me = value
-        end
-
-        # See remember_me
-        def remember_me?
-          remember_me == true || remember_me == "true" || remember_me == "1"
-        end
-
-        # How long to remember the user if remember_me is true. This is based on the class
-        # level configuration: remember_me_for
-        def remember_me_for
-          return unless remember_me?
-          self.class.remember_me_for
-        end
-
-        # When to expire the cookie. See remember_me_for configuration option to change
-        # this.
-        def remember_me_until
-          return unless remember_me?
-          remember_me_for.from_now
-        end
-
-        # Has the cookie expired due to current time being greater than remember_me_until.
-        def remember_me_expired?
-          return unless remember_me?
-          (Time.parse(cookie_credentials[2]) < Time.now)
-        end
-
-        # If the cookie should be marked as secure (SSL only)
-        def secure
-          return @secure if defined?(@secure)
-          @secure = self.class.secure
-        end
-
-        # Accepts a boolean as to whether the cookie should be marked as secure.  If true
-        # the cookie will only ever be sent over an SSL connection.
-        def secure=(value)
-          @secure = value
-        end
-
-        # See secure
-        def secure?
-          secure == true || secure == "true" || secure == "1"
-        end
-
-        # If the cookie should be marked as httponly (not accessible via javascript)
-        def httponly
-          return @httponly if defined?(@httponly)
-          @httponly = self.class.httponly
-        end
-
-        # Accepts a boolean as to whether the cookie should be marked as
-        # httponly.  If true, the cookie will not be accessible from javascript
-        def httponly=(value)
-          @httponly = value
-        end
-
-        # See httponly
-        def httponly?
-          httponly == true || httponly == "true" || httponly == "1"
-        end
-
-        # If the cookie should be marked as SameSite with 'Lax' or 'Strict' flag.
-        def same_site
-          return @same_site if defined?(@same_site)
-          @same_site = self.class.same_site(nil)
-        end
-
-        # Accepts nil, 'Lax' or 'Strict' as possible flags.
-        def same_site=(value)
-          unless VALID_SAME_SITE_VALUES.include?(value)
-            msg = "Invalid same_site value: #{value}. Valid: #{VALID_SAME_SITE_VALUES.inspect}"
-            raise ArgumentError.new(msg)
-          end
-          @same_site = value
-        end
-
-        # If the cookie should be signed
-        def sign_cookie
-          return @sign_cookie if defined?(@sign_cookie)
-          @sign_cookie = self.class.sign_cookie
-        end
-
-        # Accepts a boolean as to whether the cookie should be signed.  If true
-        # the cookie will be saved and verified using a signature.
-        def sign_cookie=(value)
-          @sign_cookie = value
-        end
-
-        # See sign_cookie
-        def sign_cookie?
-          sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
-        end
-
-        # If the cookie should be encrypted
-        def encrypt_cookie
-          return @encrypt_cookie if defined?(@encrypt_cookie)
-          @encrypt_cookie = self.class.encrypt_cookie
-        end
-
-        # Accepts a boolean as to whether the cookie should be encrypted.  If true
-        # the cookie will be saved in an encrypted state.
-        def encrypt_cookie=(value)
-          @encrypt_cookie = value
-        end
-
-        # See encrypt_cookie
-        def encrypt_cookie?
-          encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
-        end
-
-        private
-
-        def cookie_key
-          build_key(self.class.cookie_key)
-        end
-
-        # Returns an array of cookie elements. See cookie format in
-        # `generate_cookie_for_saving`. If no cookie is found, returns nil.
-        def cookie_credentials
-          cookie = cookie_jar[cookie_key]
-          cookie&.split("::")
-        end
-
-        # The third element of the cookie indicates whether the user wanted
-        # to be remembered (Actually, it's a timestamp, `remember_me_until`)
-        # See cookie format in `generate_cookie_for_saving`.
-        def cookie_credentials_remember_me?
-          !cookie_credentials.nil? && !cookie_credentials[2].nil?
-        end
-
-        def cookie_jar
-          if self.class.encrypt_cookie
-            controller.cookies.encrypted
-          elsif self.class.sign_cookie
-            controller.cookies.signed
-          else
-            controller.cookies
-          end
-        end
-
-        # Tries to validate the session from information in the cookie
-        def persist_by_cookie
-          persistence_token, record_id = cookie_credentials
-          if persistence_token.present?
-            record = search_for_record("find_by_#{klass.primary_key}", record_id)
-            if record && record.persistence_token == persistence_token
-              self.unauthorized_record = record
-            end
-            valid?
-          else
-            false
-          end
-        end
-
-        def save_cookie
-          cookie_jar[cookie_key] = generate_cookie_for_saving
-          true
-        end
-
-        def generate_cookie_for_saving
-          {
-            value: generate_cookie_value,
-            expires: remember_me_until,
-            secure: secure,
-            httponly: httponly,
-            same_site: same_site,
-            domain: controller.cookie_domain
-          }
-        end
-
-        def generate_cookie_value
-          format(
-            "%s::%s%s",
-            record.persistence_token.to_s,
-            record.send(record.class.primary_key).to_s,
-            remember_me? ? "::#{remember_me_until.iso8601}" : ""
-          )
-        end
-
-        def destroy_cookie
-          controller.cookies.delete cookie_key, domain: controller.cookie_domain
-        end
-      end
-    end
-  end
-end