authlogic 4.5.0 → 6.4.2

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  module CryptoProviders
+    class Sha512
+      # SHA-512 does not have any practical known attacks against it. However,
+      # there are better choices. We recommend transitioning to a more secure,
+      # adaptive hashing algorithm, like scrypt.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha512 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times do
+              digest = Digest::SHA512.digest(digest)
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,16 +1,20 @@
+# frozen_string_literal: true
+
 require "digest/sha2"
 
 module Authlogic
   module CryptoProviders
-    # = Sha512
-    #
-    # Uses the Sha512 hash algorithm to encrypt passwords.
+    # SHA-512 does not have any practical known attacks against it. However,
+    # there are better choices. We recommend transitioning to a more secure,
+    # adaptive hashing algorithm, like scrypt.
     class Sha512
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha512", "v2")
+
       class << self
         attr_accessor :join_token
 
-        # The number of times to loop through the encryption. This is twenty
-        # because that is what restful_authentication defaults to.
+        # The number of times to loop through the encryption.
         def stretches
           @stretches ||= 20
         end

data/lib/authlogic/crypto_providers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authlogic
   # The acts_as_authentic method has a crypto_provider option. This allows you
   # to use any type of encryption you like. Just create a class with a class
@@ -26,27 +28,12 @@ module Authlogic
     autoload :Sha256, "authlogic/crypto_providers/sha256"
     autoload :Sha512, "authlogic/crypto_providers/sha512"
     autoload :BCrypt, "authlogic/crypto_providers/bcrypt"
-    autoload :AES256, "authlogic/crypto_providers/aes256"
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
-    # crypto_providers/wordpress.rb has never been autoloaded, and now it is
-    # deprecated.
 
     # Guide users to choose a better crypto provider.
     class Guidance
-      AES256_DEPRECATED = <<~EOS.freeze
-        You have selected AES256 as your authlogic crypto provider. This
-        choice is not suitable for password storage.
-
-        Authlogic will drop its AES256 crypto provider in the next major
-        version. If you're unable to transition away from AES256 please let us
-        know immediately.
-
-        We recommend using a one-way algorithm instead. There are many choices;
-        we recommend scrypt. Use the transition_from_crypto_providers option
-        to make this painless for your users.
-      EOS
-      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::".freeze
-      NONADAPTIVE_ALGORITHM = <<~EOS.freeze
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::"
+      NONADAPTIVE_ALGORITHM = <<~EOS
         You have selected %s as your authlogic crypto provider. This algorithm
         does not have any practical known attacks against it. However, there are
         better choices.
@@ -61,7 +48,7 @@ module Authlogic
         Use the transition_from_crypto_providers option to make the transition
         painless for your users.
       EOS
-      VULNERABLE_ALGORITHM = <<~EOS.freeze
+      VULNERABLE_ALGORITHM = <<~EOS
         You have selected %s as your authlogic crypto provider. It is a poor
         choice because there are known attacks against this algorithm.
 
@@ -89,8 +76,6 @@ module Authlogic
         # negate the benefits of the `autoload` above.
         name = absolute_name.demodulize
         case name
-        when "AES256"
-          ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
         when "MD5", "Sha1"
           warn(format(VULNERABLE_ALGORITHM, name))
         when "Sha256", "Sha512"

data/lib/authlogic/errors.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |c|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+
+  # :nodoc:
+  class ModelSetupError < Error
+    def message
+      <<-EOS
+        You must establish a database connection and run the migrations before
+        using acts_as_authentic. If you need to load the User model before the
+        database is set up correctly, please set the following:
+
+            acts_as_authentic do |c|
+              c.raise_on_model_setup_error = false
+            end
+      EOS
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -1,11 +1,14 @@
+# frozen_string_literal: true
+
 module Authlogic
   module I18n
+    # The default translator used by authlogic/i18n.rb
     class Translator
       # If the I18n gem is present, calls +I18n.translate+ passing all
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)
-          ::I18n.translate key, options
+          ::I18n.translate key, **options
         else
           options[:default]
         end

data/lib/authlogic/i18n.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "authlogic/i18n/translator"
 
 module Authlogic
@@ -92,7 +94,7 @@ module Authlogic
       def translate(key, options = {})
         translator.translate key, { scope: I18n.scope }.merge(options)
       end
-      alias :t :translate
+      alias t translate
     end
   end
 end

data/lib/authlogic/random.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "securerandom"
 
 module Authlogic