authlogic 4.5.0 → 6.4.2

data/lib/authlogic/acts_as_authentic/password.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This module has a lot of neat functionality. It is responsible for encrypting your
@@ -31,7 +33,7 @@ module Authlogic
             )
           )
         end
-        alias_method :crypted_password_field=, :crypted_password_field
+        alias crypted_password_field= crypted_password_field
 
         # The name of the password_salt field in the database.
         #
@@ -44,7 +46,7 @@ module Authlogic
             first_column_to_exist(nil, :password_salt, :pw_salt, :salt)
           )
         end
-        alias_method :password_salt_field=, :password_salt_field
+        alias password_salt_field= password_salt_field
 
         # Whether or not to require a password confirmation. If you don't want your users
         # to confirm their password just set this to false.
@@ -54,7 +56,7 @@ module Authlogic
         def require_password_confirmation(value = nil)
           rw_config(:require_password_confirmation, value, true)
         end
-        alias_method :require_password_confirmation=, :require_password_confirmation
+        alias require_password_confirmation= require_password_confirmation
 
         # By default passwords are required when a record is new or the crypted_password
         # is blank, but if both of these things are met a password is not required. In
@@ -73,7 +75,7 @@ module Authlogic
         def ignore_blank_passwords(value = nil)
           rw_config(:ignore_blank_passwords, value, true)
         end
-        alias_method :ignore_blank_passwords=, :ignore_blank_passwords
+        alias ignore_blank_passwords= ignore_blank_passwords
 
         # When calling valid_password?("some pass") do you want to check that password
         # against what's in that object or whats in the database. Take this example:
@@ -91,143 +93,7 @@ module Authlogic
         def check_passwords_against_database(value = nil)
           rw_config(:check_passwords_against_database, value, true)
         end
-        alias_method :check_passwords_against_database=, :check_passwords_against_database
-
-        # Whether or not to validate the password field.
-        #
-        # * <tt>Default:</tt> true
-        # * <tt>Accepts:</tt> Boolean
-        #
-        # @deprecated
-        def validate_password_field(value = nil)
-          rw_config(:validate_password_field, value, true)
-        end
-        alias_method :validate_password_field=, :validate_password_field
-
-        # A hash of options for the validates_length_of call for the password field.
-        # Allows you to change this however you want.
-        #
-        # **Keep in mind this is ruby. I wanted to keep this as flexible as
-        # possible, so you can completely replace the hash or merge options into
-        # it. Checkout the convenience function
-        # merge_validates_length_of_password_field_options to merge options.**
-        #
-        # * <tt>Default:</tt> {:minimum => 8, :if => :require_password?}
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
-        #
-        # @deprecated
-        def validates_length_of_password_field_options(value = nil)
-          deprecate_authlogic_config("validates_length_of_password_field_options") if value
-          rw_config(
-            :validates_length_of_password_field_options,
-            value,
-            minimum: 8,
-            if: :require_password?
-          )
-        end
-        alias_method(
-          :validates_length_of_password_field_options=,
-          :validates_length_of_password_field_options
-        )
-
-        # A convenience function to merge options into the
-        # validates_length_of_login_field_options. So instead of:
-        #
-        #   self.validates_length_of_password_field_options =
-        #     validates_length_of_password_field_options.merge(:my_option => my_value)
-        #
-        # You can do this:
-        #
-        #   merge_validates_length_of_password_field_options :my_option => my_value
-        #
-        # @deprecated
-        def merge_validates_length_of_password_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_length_of_password_field_options"
-          )
-          self.validates_length_of_password_field_options =
-            validates_length_of_password_field_options.merge(options)
-        end
-
-        # A hash of options for the validates_confirmation_of call for the
-        # password field. Allows you to change this however you want.
-        #
-        # **Keep in mind this is ruby. I wanted to keep this as flexible as
-        # possible, so you can completely replace the hash or merge options into
-        # it. Checkout the convenience function
-        # merge_validates_length_of_password_field_options to merge options.**
-        #
-        # * <tt>Default:</tt> {:if => :require_password?}
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_confirmation_of
-        #
-        # @deprecated
-        def validates_confirmation_of_password_field_options(value = nil)
-          if value
-            deprecate_authlogic_config(
-              "validates_confirmation_of_password_field_options"
-            )
-          end
-          rw_config(
-            :validates_confirmation_of_password_field_options,
-            value,
-            if: :require_password?
-          )
-        end
-        alias_method :validates_confirmation_of_password_field_options=,
-          :validates_confirmation_of_password_field_options
-
-        # See merge_validates_length_of_password_field_options. The same thing, except for
-        # validates_confirmation_of_password_field_options
-        #
-        # @deprecated
-        def merge_validates_confirmation_of_password_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_confirmation_of_password_field_options"
-          )
-          self.validates_confirmation_of_password_field_options =
-            validates_confirmation_of_password_field_options.merge(options)
-        end
-
-        # A hash of options for the validates_length_of call for the password_confirmation
-        # field. Allows you to change this however you want.
-        #
-        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so
-        # you can completely replace the hash or merge options into it. Checkout the
-        # convenience function merge_validates_length_of_password_field_options to merge
-        # options.</b>
-        #
-        # * <tt>Default:</tt> validates_length_of_password_field_options
-        # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
-        #
-        # @deprecated
-        def validates_length_of_password_confirmation_field_options(value = nil)
-          if value
-            deprecate_authlogic_config(
-              "validates_length_of_password_confirmation_field_options"
-            )
-          end
-          rw_config(
-            :validates_length_of_password_confirmation_field_options,
-            value,
-            validates_length_of_password_field_options
-          )
-        end
-        alias_method(
-          :validates_length_of_password_confirmation_field_options=,
-          :validates_length_of_password_confirmation_field_options
-        )
-
-        # See merge_validates_length_of_password_field_options. The same thing, except for
-        # validates_length_of_password_confirmation_field_options
-        #
-        # @deprecated
-        def merge_validates_length_of_password_confirmation_field_options(options = {})
-          deprecate_authlogic_config(
-            "merge_validates_length_of_password_confirmation_field_options"
-          )
-          self.validates_length_of_password_confirmation_field_options =
-            validates_length_of_password_confirmation_field_options.merge(options)
-        end
+        alias check_passwords_against_database= check_passwords_against_database
 
         # The class you want to use to encrypt and verify your encrypted
         # passwords. See the Authlogic::CryptoProviders module for more info on
@@ -236,19 +102,30 @@ module Authlogic
         # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
         # best choice for password storage today. We recommend SCrypt. Other
         # one-way functions like SHA512 are inferior, but widely used.
-        # Reverisbile functions like AES256 are the worst choice.
+        # Reversible functions like AES256 are the worst choice, and we no
+        # longer support them.
         #
         # You can use the `transition_from_crypto_providers` option to gradually
         # transition to a better crypto provider without causing your users any
         # pain.
         #
-        # * <tt>Default:</tt> CryptoProviders::SCrypt
+        # * <tt>Default:</tt> There is no longer a default value. Prior to
+        #   Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+        #   to read this config option before setting it, it will raise a
+        #   `NilCryptoProvider` error. See that error's message for further
+        #   details, and rationale for this change.
         # * <tt>Accepts:</tt> Class
-        def crypto_provider(value = nil)
+        def crypto_provider
+          acts_as_authentic_config[:crypto_provider].tap { |provider|
+            raise NilCryptoProvider if provider.nil?
+          }
+        end
+
+        def crypto_provider=(value)
+          raise NilCryptoProvider if value.nil?
           CryptoProviders::Guidance.new(value).impart_wisdom
-          rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+          rw_config(:crypto_provider, value)
         end
-        alias_method :crypto_provider=, :crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to
@@ -274,46 +151,24 @@ module Authlogic
             []
           )
         end
-        alias_method :transition_from_crypto_providers=, :transition_from_crypto_providers
+        alias transition_from_crypto_providers= transition_from_crypto_providers
       end
 
       # Callbacks / hooks to allow other modules to modify the behavior of this module.
       module Callbacks
         # Does the order of this array matter?
         METHODS = %w[
-          before_password_set
-          after_password_set
-          before_password_verification
-          after_password_verification
+          password_set
+          password_verification
         ].freeze
 
         def self.included(klass)
           return if klass.crypted_password_field.nil?
-          klass.define_callbacks(*METHODS)
-
-          # If Rails 3, support the new callback syntax
-          if klass.singleton_class.method_defined?(:set_callback)
-            METHODS.each do |method|
-              klass.class_eval <<-EOS, __FILE__, __LINE__ + 1
-                def self.#{method}(*methods, &block)
-                  set_callback :#{method}, *methods, &block
-                end
-              EOS
-            end
+          klass.send :extend, ActiveModel::Callbacks
+          METHODS.each do |method|
+            klass.define_model_callbacks method, only: %i[before after]
           end
         end
-
-        # TODO: Ideally, once this module is included, the included copies of
-        # the following methods would be private. This cannot be accomplished
-        # by using calling `private` here in the module. Maybe we can set the
-        # privacy inside `included`?
-        METHODS.each do |method|
-          class_eval <<-EOS, __FILE__, __LINE__ + 1
-            def #{method}
-              run_callbacks(:#{method}) { |result, object| result == false }
-            end
-          EOS
-        end
       end
 
       # The methods related to the password field.
@@ -323,22 +178,6 @@ module Authlogic
 
           klass.class_eval do
             include InstanceMethods
-
-            if validate_password_field
-              validates_length_of :password, validates_length_of_password_field_options
-
-              if require_password_confirmation
-                validates_confirmation_of(
-                  :password,
-                  validates_confirmation_of_password_field_options
-                )
-                validates_length_of(
-                  :password_confirmation,
-                  validates_length_of_password_confirmation_field_options
-                )
-              end
-            end
-
             after_save :reset_password_changed
           end
         end
@@ -355,20 +194,17 @@ module Authlogic
           # create new password salt as well as encrypt the password.
           def password=(pass)
             return if ignore_blank_passwords? && pass.blank?
-            before_password_set
-            @password = pass
-            if password_salt_field
-              send("#{password_salt_field}=", Authlogic::Random.friendly_token)
-            end
-            encryptor_args_type = act_like_restful_authentication? ? :restful_authentication : nil
-            send(
-              "#{crypted_password_field}=",
-              crypto_provider.encrypt(
-                *encrypt_arguments(@password, false, encryptor_args_type)
+            run_callbacks :password_set do
+              @password = pass
+              if password_salt_field
+                send("#{password_salt_field}=", Authlogic::Random.friendly_token)
+              end
+              send(
+                "#{crypted_password_field}=",
+                crypto_provider.encrypt(*encrypt_arguments(@password, false))
               )
-            )
-            @password_changed = true
-            after_password_set
+              @password_changed = true
+            end
           end
 
           # Accepts a raw password to determine if it is the correct password.
@@ -384,24 +220,23 @@ module Authlogic
           )
             crypted = crypted_password_to_validate_against(check_against_database)
             return false if attempted_password.blank? || crypted.blank?
-            before_password_verification
-
-            crypto_providers.each_with_index do |encryptor, index|
-              next unless encryptor_matches?(
-                crypted,
-                encryptor,
-                index,
-                attempted_password,
-                check_against_database
-              )
-              if transition_password?(index, encryptor, check_against_database)
-                transition_password(attempted_password)
+            run_callbacks :password_verification do
+              crypto_providers.each_with_index.any? do |encryptor, index|
+                if encryptor_matches?(
+                  crypted,
+                  encryptor,
+                  attempted_password,
+                  check_against_database
+                )
+                  if transition_password?(index, encryptor, check_against_database)
+                    transition_password(attempted_password)
+                  end
+                  true
+                else
+                  false
+                end
               end
-              after_password_verification
-              return true
             end
-
-            false
           end
 
           # Resets the password to a random friendly token.
@@ -410,20 +245,20 @@ module Authlogic
             self.password = friendly_token
             self.password_confirmation = friendly_token if self.class.require_password_confirmation
           end
-          alias_method :randomize_password, :reset_password
+          alias randomize_password reset_password
 
           # Resets the password to a random friendly token and then saves the record.
           def reset_password!
             reset_password
             save_without_session_maintenance(validate: false)
           end
-          alias_method :randomize_password!, :reset_password!
+          alias randomize_password! reset_password!
 
           private
 
           def crypted_password_to_validate_against(check_against_database)
-            if check_against_database && send("#{crypted_password_field}_changed?")
-              send("#{crypted_password_field}_was")
+            if check_against_database && send("will_save_change_to_#{crypted_password_field}?")
+              send("#{crypted_password_field}_in_database")
             else
               send(crypted_password_field)
             end
@@ -439,53 +274,28 @@ module Authlogic
 
           # Returns an array of arguments to be passed to a crypto provider, either its
           # `matches?` or its `encrypt` method.
-          def encrypt_arguments(raw_password, check_against_database, arguments_type = nil)
+          def encrypt_arguments(raw_password, check_against_database)
             salt = nil
             if password_salt_field
               salt =
-                if check_against_database && send("#{password_salt_field}_changed?")
-                  send("#{password_salt_field}_was")
+                if check_against_database && send("will_save_change_to_#{password_salt_field}?")
+                  send("#{password_salt_field}_in_database")
                 else
                   send(password_salt_field)
                 end
             end
-
-            case arguments_type
-            when :restful_authentication
-              [REST_AUTH_SITE_KEY, salt, raw_password, REST_AUTH_SITE_KEY].compact
-            when nil
-              [raw_password, salt].compact
-            else
-              raise "Invalid encryptor arguments_type: #{arguments_type}"
-            end
+            [raw_password, salt].compact
           end
 
           # Given `encryptor`, does `attempted_password` match the `crypted` password?
-          def encryptor_matches?(
-            crypted,
-            encryptor,
-            index,
-            attempted_password,
-            check_against_database
-          )
-            # The arguments_type for the transitioning from restful_authentication
-            acting_restful = act_like_restful_authentication? && index.zero?
-            transitioning = transition_from_restful_authentication? &&
-              index > 0 &&
-              encryptor == Authlogic::CryptoProviders::Sha1
-            restful = acting_restful || transitioning
-            arguments_type = restful ? :restful_authentication : nil
-            encryptor_args = encrypt_arguments(
-              attempted_password,
-              check_against_database,
-              arguments_type
-            )
+          def encryptor_matches?(crypted, encryptor, attempted_password, check_against_database)
+            encryptor_args = encrypt_arguments(attempted_password, check_against_database)
             encryptor.matches?(crypted, *encryptor_args)
           end
 
           # Determines if we need to transition the password.
           #
-          # - If the index > 0 then we are using an "transition from" crypto
+          # - If the index > 0 then we are using a "transition from" crypto
           #   provider.
           # - If the encryptor has a cost and the cost it outdated.
           # - If we aren't using database values
@@ -499,7 +309,7 @@ module Authlogic
             ) &&
               (
                 !check_against_database ||
-                !send("#{crypted_password_field}_changed?")
+                !send("will_save_change_to_#{crypted_password_field}?")
               )
           end
 
@@ -509,6 +319,7 @@ module Authlogic
           end
 
           def require_password?
+            # this is _not_ the activemodel changed? method, see below
             new_record? || password_changed? || send(crypted_password_field).blank?
           end
 

data/lib/authlogic/acts_as_authentic/perishable_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # This provides a handy token that is "perishable", meaning the token is
@@ -33,7 +35,7 @@ module Authlogic
             10.minutes.to_i
           )
         end
-        alias_method :perishable_token_valid_for=, :perishable_token_valid_for
+        alias perishable_token_valid_for= perishable_token_valid_for
 
         # Authlogic tries to expire and change the perishable token as much as
         # possible, without compromising its purpose. If you want to manage it
@@ -44,7 +46,7 @@ module Authlogic
         def disable_perishable_token_maintenance(value = nil)
           rw_config(:disable_perishable_token_maintenance, value, false)
         end
-        alias_method :disable_perishable_token_maintenance=, :disable_perishable_token_maintenance
+        alias disable_perishable_token_maintenance= disable_perishable_token_maintenance
       end
 
       # All methods relating to the perishable token.
@@ -56,12 +58,13 @@ module Authlogic
             extend ClassMethods
             include InstanceMethods
 
-            validates_uniqueness_of :perishable_token, if: :perishable_token_changed?
+            validates_uniqueness_of :perishable_token, case_sensitive: true,
+                                                       if: :will_save_change_to_perishable_token?
             before_save :reset_perishable_token, unless: :disable_perishable_token_maintenance?
           end
         end
 
-        # Class methods for the perishable token
+        # :nodoc:
         module ClassMethods
           # Use this method to find a record with a perishable token. This
           # method does 2 things for you:
@@ -94,7 +97,7 @@ module Authlogic
           end
         end
 
-        # Instance level methods for the perishable token.
+        # :nodoc:
         module InstanceMethods
           # Resets the perishable token to a random friendly token.
           def reset_perishable_token

data/lib/authlogic/acts_as_authentic/persistence_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   module ActsAsAuthentic
     # Maintains the persistence token, the token responsible for persisting sessions. This token
@@ -16,19 +18,23 @@ module Authlogic
             extend ClassMethods
             include InstanceMethods
 
+            # If the table does not have a password column, then
+            # `after_password_set` etc. will not be defined. See
+            # `Authlogic::ActsAsAuthentic::Password::Callbacks.included`
             if respond_to?(:after_password_set) && respond_to?(:after_password_verification)
               after_password_set :reset_persistence_token
               after_password_verification :reset_persistence_token!, if: :reset_persistence_token?
             end
 
             validates_presence_of :persistence_token
-            validates_uniqueness_of :persistence_token, if: :persistence_token_changed?
+            validates_uniqueness_of :persistence_token, case_sensitive: true,
+                                                        if: :will_save_change_to_persistence_token?
 
             before_validation :reset_persistence_token, if: :reset_persistence_token?
           end
         end
 
-        # Class level methods for the persistence token.
+        # :nodoc:
         module ClassMethods
           # Resets ALL persistence tokens in the database, which will require
           # all users to re-authenticate.
@@ -38,7 +44,7 @@ module Authlogic
           end
         end
 
-        # Instance level methods for the persistence token.
+        # :nodoc:
         module InstanceMethods
           # Resets the persistence_token field to a random hex value.
           def reset_persistence_token
@@ -50,7 +56,7 @@ module Authlogic
             reset_persistence_token
             save_without_session_maintenance(validate: false)
           end
-          alias_method :forget!, :reset_persistence_token!
+          alias forget! reset_persistence_token!
 
           private
 

data/lib/authlogic/acts_as_authentic/queries/case_sensitivity.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module ActsAsAuthentic
+    module Queries
+      # @api private
+      class CaseSensitivity
+        E_UNABLE_TO_DETERMINE_SENSITIVITY = <<~EOS
+          Authlogic was unable to determine what case-sensitivity to use when
+          searching for email/login. To specify a sensitivity, validate the
+          uniqueness of the email/login and use the `case_sensitive` option,
+          like this:
+
+              validates :email, uniqueness: { case_sensitive: false }
+
+          Authlogic will now perform a case-insensitive query.
+        EOS
+
+        # @api private
+        def initialize(model_class, attribute)
+          @model_class = model_class
+          @attribute = attribute.to_sym
+        end
+
+        # @api private
+        def sensitive?
+          sensitive = uniqueness_validator_options[:case_sensitive]
+          if sensitive.nil?
+            ::Kernel.warn(E_UNABLE_TO_DETERMINE_SENSITIVITY)
+            false
+          else
+            sensitive
+          end
+        end
+
+        private
+
+        # @api private
+        def uniqueness_validator
+          @model_class.validators.select { |v|
+            v.is_a?(::ActiveRecord::Validations::UniquenessValidator) &&
+              v.attributes == [@attribute]
+          }.first
+        end
+
+        # @api private
+        def uniqueness_validator_options
+          uniqueness_validator&.options || {}
+        end
+      end
+    end
+  end
+end