authlogic 5.0.4 → 6.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f33a408b68b3809a5f68ee4a2c42aa60f472fd139f9e0a10fc1e20a6e32eb9a7
-  data.tar.gz: 75bfa342ae455b28fa5c12b46c6f03f3a872b3a65654a3bd911e4891b8b8e611
+  metadata.gz: e65309a22f2adc25c9c61f10910d6db41fe2c3f6b9d8037977bdfa094b90dd53
+  data.tar.gz: 2e5bb549974be424ad83ae20de60775bcb1b66c207031919caf978de7e5801ff
 SHA512:
-  metadata.gz: dbdfd4e20f62d723e1171326aae2b48d195b2ffcb8e31ed0b4ec451a118abcd6f5b8c9bbf3a2b0a7206383f73f81e7fb9983c81d02f6c76cef732deda40f2736
-  data.tar.gz: dac40f1a0049cb1e63d699f6dda6a1df5bdedcc4e1a5f412d3908e515edd877ce3c9ba1d4955f154da18c515381e9bbcb551ba84afbc4a8c8bbe53ae02e10b17
+  metadata.gz: 1198b8ff9bf45e98e8748365ba67112f249c738952b84a39a32b835353481a37b3b006106ff31031d5a78f2952fffa746c8764639f50ebc3cc0ae99f84f74b98
+  data.tar.gz: 9ab8911d8838f3ddf6b8b011d498b08941caba5e20d2c62c1d2ec9c8b17f446c68f7585db88bd0c3497ae26cd11cd6f565eb9da3ae27bd3faee5de7815c62fd6

data/lib/authlogic.rb

@@ -13,6 +13,7 @@ require "active_record"
 path = File.dirname(__FILE__) + "/authlogic/"
 
 [
+  "errors",
   "i18n",
   "random",
   "config",

data/lib/authlogic/acts_as_authentic/base.rb

@@ -31,8 +31,8 @@ module Authlogic
         #
         # See the various sub modules for the configuration they provide.
         def acts_as_authentic
-          return unless db_setup?
           yield self if block_given?
+          return unless db_setup?
           acts_as_authentic_modules.each { |mod| include mod }
         end
 
@@ -65,12 +65,27 @@ module Authlogic
           self.acts_as_authentic_modules = modules
         end
 
+        # Some Authlogic modules requires a database connection with a existing
+        # users table by the moment when you call the `acts_as_authentic`
+        # method. If you try to call `acts_as_authentic` without a database
+        # connection, it will raise a `Authlogic::ModelSetupError`.
+        #
+        # If you rely on the User model before the database is setup correctly,
+        # set this field to false.
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def raise_on_model_setup_error(value = nil)
+          rw_config(:raise_on_model_setup_error, value, false)
+        end
+        alias raise_on_model_setup_error= raise_on_model_setup_error
+
         private
 
         def db_setup?
           column_names
           true
         rescue StandardError
+          raise ModelSetupError if raise_on_model_setup_error
           false
         end
 

data/lib/authlogic/acts_as_authentic/password.rb

@@ -102,20 +102,30 @@ module Authlogic
         # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
         # best choice for password storage today. We recommend SCrypt. Other
         # one-way functions like SHA512 are inferior, but widely used.
-        # Reverisbile functions like AES256 are the worst choice, and we no
+        # Reversible functions like AES256 are the worst choice, and we no
         # longer support them.
         #
         # You can use the `transition_from_crypto_providers` option to gradually
         # transition to a better crypto provider without causing your users any
         # pain.
         #
-        # * <tt>Default:</tt> CryptoProviders::SCrypt
+        # * <tt>Default:</tt> There is no longer a default value. Prior to
+        #   Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+        #   to read this config option before setting it, it will raise a
+        #   `NilCryptoProvider` error. See that error's message for further
+        #   details, and rationale for this change.
         # * <tt>Accepts:</tt> Class
-        def crypto_provider(value = nil)
+        def crypto_provider
+          acts_as_authentic_config[:crypto_provider].tap { |provider|
+            raise NilCryptoProvider if provider.nil?
+          }
+        end
+
+        def crypto_provider=(value)
+          raise NilCryptoProvider if value.nil?
           CryptoProviders::Guidance.new(value).impart_wisdom
-          rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+          rw_config(:crypto_provider, value)
         end
-        alias crypto_provider= crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -93,9 +93,9 @@ module Authlogic
         end
 
         # Save the record and skip session maintenance all together.
-        def save_without_session_maintenance(*args)
+        def save_without_session_maintenance(**options)
           self.skip_session_maintenance = true
-          result = save(*args)
+          result = save(**options)
           self.skip_session_maintenance = false
           result
         end
@@ -176,7 +176,9 @@ module Authlogic
         end
 
         def log_in_after_password_change?
-          will_save_change_to_persistence_token? && self.class.log_in_after_password_change
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
         end
       end
     end

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -8,6 +8,7 @@ module Authlogic
     class AbstractAdapter
       E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
         "implemented by the controller adapter"
+      ENV_SESSION_OPTIONS = "rack.session.options"
 
       attr_accessor :controller
 
@@ -44,6 +45,26 @@ module Authlogic
         request.content_type
       end
 
+      # Inform Rack that we would like a new session ID to be assigned. Changes
+      # the ID, but not the contents of the session.
+      #
+      # The `:renew` option is read by `rack/session/abstract/id.rb`.
+      #
+      # This is how Devise (via warden) implements defense against Session
+      # Fixation. Our implementation is copied directly from the warden gem
+      # (set_user in warden/proxy.rb)
+      def renew_session_id
+        env = request.env
+        options = env[ENV_SESSION_OPTIONS]
+        if options
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+      end
+
       def session
         controller.session
       end

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -14,7 +14,7 @@ module Authlogic
       # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
       # http://guides.rubyonrails.org/action_controller_overview.html#cookies
       def cookies
-        controller.send(:cookies)
+        controller.respond_to?(:cookies, true) ? controller.send(:cookies) : nil
       end
 
       def cookie_domain

data/lib/authlogic/crypto_providers/md5.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class MD5
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "md5", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    class MD5
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 1
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a MD5 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::MD5.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class Sha1
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha1", "v2")
+
       class << self
         def join_token
           @join_token ||= "--"

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    class Sha1
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          def join_token
+            @join_token ||= "--"
+          end
+          attr_writer :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 10
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha1 hash.
+          def encrypt(*tokens)
+            tokens = tokens.flatten
+            digest = tokens.shift
+            stretches.times do
+              digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -29,6 +29,9 @@ module Authlogic
     #
     # Uses the Sha256 hash algorithm to encrypt passwords.
     class Sha256
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha256", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
+  module CryptoProviders
+    class Sha256
+      # = Sha256
+      #
+      # Uses the Sha256 hash algorithm to encrypt passwords.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha256 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::SHA256.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -8,6 +8,9 @@ module Authlogic
     # there are better choices. We recommend transitioning to a more secure,
     # adaptive hashing algorithm, like scrypt.
     class Sha512
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha512", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  module CryptoProviders
+    class Sha512
+      # SHA-512 does not have any practical known attacks against it. However,
+      # there are better choices. We recommend transitioning to a more secure,
+      # adaptive hashing algorithm, like scrypt.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha512 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times do
+              digest = Digest::SHA512.digest(digest)
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/errors.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |c|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+
+  # :nodoc:
+  class ModelSetupError < Error
+    def message
+      <<-EOS
+        You must establish a database connection and run the migrations before
+        using acts_as_authentic. If you need to load the User model before the
+        database is set up correctly, please set the following:
+
+            acts_as_authentic do |c|
+              c.raise_on_model_setup_error = false
+            end
+      EOS
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -8,7 +8,7 @@ module Authlogic
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)
-          ::I18n.translate key, options
+          ::I18n.translate key, **options
         else
           options[:default]
         end