authlogic 5.0.4 → 6.4.1

data/lib/authlogic/session/base.rb

@@ -198,7 +198,7 @@ module Authlogic
     # 2. Enable logging out on timeouts
     #
     #   class UserSession < Authlogic::Session::Base
-    #     logout_on_timeout true # default if false
+    #     logout_on_timeout true # default is false
     #   end
     #
     # This will require a user to log back in if they are inactive for more than
@@ -351,7 +351,14 @@ module Authlogic
         - https://github.com/binarylogic/authlogic/pull/558
         - https://github.com/binarylogic/authlogic/pull/577
       EOS
-      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict"].freeze
+      E_DPR_FIND_BY_LOGIN_METHOD = <<~EOS.squish.freeze
+        find_by_login_method is deprecated in favor of record_selection_method,
+        to avoid confusion with ActiveRecord's "Dynamic Finders".
+        (https://guides.rubyonrails.org/v6.0/active_record_querying.html#dynamic-finders)
+        For example, rubocop-rails is confused by the deprecated method.
+        (https://github.com/rubocop-hq/rubocop-rails/blob/master/lib/rubocop/cop/rails/dynamic_find_by.rb)
+      EOS
+      VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict", "None"].freeze
 
       # Callbacks
       # =========
@@ -415,10 +422,11 @@ module Authlogic
       before_save :set_last_request_at
 
       after_save :reset_perishable_token!
-      after_save :save_cookie
+      after_save :save_cookie, if: :cookie_enabled?
       after_save :update_session
+      after_create :renew_session_id
 
-      after_destroy :destroy_cookie
+      after_destroy :destroy_cookie, if: :cookie_enabled?
       after_destroy :update_session
 
       # `validate` callbacks, in deliberate order. For example,
@@ -438,8 +446,7 @@ module Authlogic
 
       class << self
         attr_accessor(
-          :configured_password_methods,
-          :configured_klass_methods
+          :configured_password_methods
         )
       end
       attr_accessor(
@@ -472,14 +479,9 @@ module Authlogic
           !controller.nil?
         end
 
-        # Do you want to allow your users to log in via HTTP basic auth?
-        #
-        # I recommend keeping this enabled. The only time I feel this should be
-        # disabled is if you are not comfortable having your users provide their
-        # raw username and password. Whatever the reason, you can disable it
-        # here.
+        # Allow users to log in via HTTP basic authentication.
         #
-        # * <tt>Default:</tt> true
+        # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
         def allow_http_basic_auth(value = nil)
           rw_config(:allow_http_basic_auth, value, false)
@@ -669,35 +671,10 @@ module Authlogic
           end
         end
 
-        # Authlogic tries to validate the credentials passed to it. One part of
-        # validation is actually finding the user and making sure it exists.
-        # What method it uses the do this is up to you.
-        #
-        # Let's say you have a UserSession that is authenticating a User. By
-        # default UserSession will call User.find_by_login(login). You can
-        # change what method UserSession calls by specifying it here. Then in
-        # your User model you can make that method do anything you want, giving
-        # you complete control of how users are found by the UserSession.
-        #
-        # Let's take an example: You want to allow users to login by username or
-        # email. Set this to the name of the class method that does this in the
-        # User model. Let's call it "find_by_username_or_email"
-        #
-        #   class User < ActiveRecord::Base
-        #     def self.find_by_username_or_email(login)
-        #       find_by_username(login) || find_by_email(login)
-        #     end
-        #   end
-        #
-        # Now just specify the name of this method for this configuration option
-        # and you are all set. You can do anything you want here. Maybe you
-        # allow users to have multiple logins and you want to search a has_many
-        # relationship, etc. The sky is the limit.
-        #
-        # * <tt>Default:</tt> "find_by_smart_case_login_field"
-        # * <tt>Accepts:</tt> Symbol or String
+        # @deprecated in favor of record_selection_method
         def find_by_login_method(value = nil)
-          rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
+          ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+          record_selection_method(value)
         end
         alias find_by_login_method= find_by_login_method
 
@@ -782,15 +759,23 @@ module Authlogic
         # example, the UserSession class will authenticate with the User class
         # unless you specify otherwise in your configuration. See
         # authenticate_with for information on how to change this value.
+        #
+        # @api public
         def klass
           @klass ||= klass_name ? klass_name.constantize : nil
         end
 
-        # The string of the model name class guessed from the actual session class name.
+        # The model name, guessed from the session class name, e.g. "User",
+        # from "UserSession".
+        #
+        # TODO: This method can return nil. We should explore this. It seems
+        # likely to cause a NoMethodError later, so perhaps we should raise an
+        # error instead.
+        #
+        # @api private
         def klass_name
-          return @klass_name if defined?(@klass_name)
-          @klass_name = name.scan(/(.*)Session/)[0]
-          @klass_name = klass_name ? klass_name[0] : nil
+          return @klass_name if instance_variable_defined?(:@klass_name)
+          @klass_name = name.scan(/(.*)Session/)[0]&.first
         end
 
         # The name of the method you want Authlogic to create for storing the
@@ -798,8 +783,8 @@ module Authlogic
         # Authlogic::Session, if you want it can be something completely
         # different than the field in your model. So if you wanted people to
         # login with a field called "login" and then find users by email this is
-        # completely doable. See the find_by_login_method configuration option
-        # for more details.
+        # completely doable. See the `record_selection_method` configuration
+        # option for details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -882,6 +867,47 @@ module Authlogic
         end
         alias password_field= password_field
 
+        # Authlogic tries to validate the credentials passed to it. One part of
+        # validation is actually finding the user and making sure it exists.
+        # What method it uses the do this is up to you.
+        #
+        # ```
+        # # user_session.rb
+        # record_selection_method :find_by_email
+        # ```
+        #
+        # This is the recommended way to find the user by email address.
+        # The resulting query will be `User.find_by_email(send(login_field))`.
+        # (`login_field` will fall back to `email_field` if there's no `login`
+        # or `username` column).
+        #
+        # In your User model you can make that method do anything you want,
+        # giving you complete control of how users are found by the UserSession.
+        #
+        # Let's take an example: You want to allow users to login by username or
+        # email. Set this to the name of the class method that does this in the
+        # User model. Let's call it "find_by_username_or_email"
+        #
+        # ```
+        # class User < ActiveRecord::Base
+        #   def self.find_by_username_or_email(login)
+        #     find_by_username(login) || find_by_email(login)
+        #   end
+        # end
+        # ```
+        #
+        # Now just specify the name of this method for this configuration option
+        # and you are all set. You can do anything you want here. Maybe you
+        # allow users to have multiple logins and you want to search a has_many
+        # relationship, etc. The sky is the limit.
+        #
+        # * <tt>Default:</tt> "find_by_smart_case_login_field"
+        # * <tt>Accepts:</tt> Symbol or String
+        def record_selection_method(value = nil)
+          rw_config(:record_selection_method, value, "find_by_smart_case_login_field")
+        end
+        alias record_selection_method= record_selection_method
+
         # Whether or not to request HTTP authentication
         #
         # If set to true and no HTTP authentication credentials are sent with
@@ -951,16 +977,40 @@ module Authlogic
         end
         alias secure= secure
 
+        # Should the Rack session ID be reset after authentication, to protect
+        # against Session Fixation attacks?
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def session_fixation_defense(value = nil)
+          rw_config(:session_fixation_defense, value, true)
+        end
+        alias session_fixation_defense= session_fixation_defense
+
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:signed)
+          if value && controller && !controller.cookies.respond_to?(:signed)
             raise "Signed cookies not supported with #{controller.class}!"
           end
           rw_config(:sign_cookie, value, false)
         end
         alias sign_cookie= sign_cookie
 
+        # Should the cookie be encrypted? If the controller adapter supports it, this is a
+        # measure to hide the contents of the cookie (e.g. persistence_token)
+        def encrypt_cookie(value = nil)
+          if value && controller && !controller.cookies.respond_to?(:encrypted)
+            raise "Encrypted cookies not supported with #{controller.class}!"
+          end
+          if value && sign_cookie
+            raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
+                  "You may not enable both options."
+          end
+          rw_config(:encrypt_cookie, value, false)
+        end
+        alias encrypt_cookie= encrypt_cookie
+
         # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
         #
         # * <tt>Default:</tt> cookie_key
@@ -1065,24 +1115,10 @@ module Authlogic
       # Constructor
       # ===========
 
-      # rubocop:disable Metrics/AbcSize
       def initialize(*args)
         @id = nil
         self.scope = self.class.scope
-
-        # Creating an alias method for the "record" method based on the klass
-        # name, so that we can do:
-        #
-        #   session.user
-        #
-        # instead of:
-        #
-        #   session.record
-        unless self.class.configured_klass_methods
-          self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
-          self.class.configured_klass_methods = true
-        end
-
+        define_record_alias_method
         raise Activation::NotActivatedError unless self.class.activated?
         unless self.class.configured_password_methods
           configure_password_methods
@@ -1091,7 +1127,6 @@ module Authlogic
         instance_variable_set("@#{password_field}", nil)
         self.credentials = args
       end
-      # rubocop:enable Metrics/AbcSize
 
       # Public instance methods
       # =======================
@@ -1480,6 +1515,23 @@ module Authlogic
         sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
       end
 
+      # If the cookie should be encrypted
+      def encrypt_cookie
+        return @encrypt_cookie if defined?(@encrypt_cookie)
+        @encrypt_cookie = self.class.encrypt_cookie
+      end
+
+      # Accepts a boolean as to whether the cookie should be encrypted.  If true
+      # the cookie will be saved in an encrypted state.
+      def encrypt_cookie=(value)
+        @encrypt_cookie = value
+      end
+
+      # See encrypt_cookie
+      def encrypt_cookie?
+        encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
+      end
+
       # The scope of the current object
       def scope
         @scope ||= {}
@@ -1497,24 +1549,21 @@ module Authlogic
       # Determines if the information you provided for authentication is valid
       # or not. If there is a problem with the information provided errors will
       # be added to the errors object and this method will return false.
+      #
+      # @api public
       def valid?
         errors.clear
         self.attempted_record = nil
-
-        run_callbacks(:before_validation)
-        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+        run_the_before_validation_callbacks
 
         # Run the `validate` callbacks, eg. `validate_by_password`.
         # This is when `attempted_record` is set.
         run_callbacks(:validate)
 
         ensure_authentication_attempted
-
         if errors.empty?
-          run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
-          run_callbacks(:after_validation)
+          run_the_after_validation_callbacks
         end
-
         save_record(attempted_record)
         errors.empty?
       end
@@ -1616,14 +1665,22 @@ module Authlogic
       # @api private
       # @return ::Authlogic::CookieCredentials or if no cookie is found, nil
       def cookie_credentials
+        return unless cookie_enabled?
+
         cookie_value = cookie_jar[cookie_key]
         unless cookie_value.nil?
           ::Authlogic::CookieCredentials.parse(cookie_value)
         end
       end
 
+      def cookie_enabled?
+        !controller.cookies.nil?
+      end
+
       def cookie_jar
-        if self.class.sign_cookie
+        if self.class.encrypt_cookie
+          controller.cookies.encrypted
+        elsif self.class.sign_cookie
           controller.cookies.signed
         else
           controller.cookies
@@ -1635,21 +1692,36 @@ module Authlogic
         define_password_field_methods
       end
 
+      # Assign a new controller-session ID, to defend against Session Fixation.
+      # https://guides.rubyonrails.org/v6.0/security.html#session-fixation
+      def renew_session_id
+        return unless self.class.session_fixation_defense
+        controller.renew_session_id
+      end
+
       def define_login_field_methods
         return unless login_field
         self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
         self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
       end
 
+      # @api private
       def define_password_field_methods
         return unless password_field
-        self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
-        self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+        define_password_field_writer_method
+        define_password_field_reader_methods
+      end
 
-        # The password should not be accessible publicly. This way forms
-        # using form_for don't fill the password with the attempted
-        # password. To prevent this we just create this method that is
-        # private.
+      # The password should not be accessible publicly. This way forms using
+      # form_for don't fill the password with the attempted password. To prevent
+      # this we just create this method that is private.
+      #
+      # @api private
+      def define_password_field_reader_methods
+        unless respond_to?(password_field)
+          # Deliberate no-op method, see rationale above.
+          self.class.send(:define_method, password_field) {}
+        end
         self.class.class_eval(
           <<-EOS, __FILE__, __LINE__ + 1
             private
@@ -1660,6 +1732,28 @@ module Authlogic
         )
       end
 
+      def define_password_field_writer_method
+        unless respond_to?("#{password_field}=")
+          self.class.send(:attr_writer, password_field)
+        end
+      end
+
+      # Creating an alias method for the "record" method based on the klass
+      # name, so that we can do:
+      #
+      #   session.user
+      #
+      # instead of:
+      #
+      #   session.record
+      #
+      # @api private
+      def define_record_alias_method
+        noun = klass_name.demodulize.underscore.to_sym
+        return if respond_to?(noun)
+        self.class.send(:alias_method, noun, :record)
+      end
+
       def destroy_cookie
         controller.cookies.delete cookie_key, domain: controller.cookie_domain
       end
@@ -1695,8 +1789,10 @@ module Authlogic
           attempted_record.failed_login_count >= consecutive_failed_logins_limit
       end
 
+      # @deprecated in favor of `self.class.record_selection_method`
       def find_by_login_method
-        self.class.find_by_login_method
+        ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+        self.class.record_selection_method
       end
 
       def generalize_credentials_error_messages?
@@ -1705,13 +1801,8 @@ module Authlogic
 
       # @api private
       def generate_cookie_for_saving
-        creds = ::Authlogic::CookieCredentials.new(
-          record.persistence_token,
-          record.send(record.class.primary_key),
-          remember_me? ? remember_me_until : nil
-        )
         {
-          value: creds.to_s,
+          value: generate_cookie_value.to_s,
           expires: remember_me_until,
           secure: secure,
           httponly: httponly,
@@ -1720,6 +1811,14 @@ module Authlogic
         }
       end
 
+      def generate_cookie_value
+        ::Authlogic::CookieCredentials.new(
+          record.persistence_token,
+          record.send(record.class.primary_key),
+          remember_me? ? remember_me_until : nil
+        )
+      end
+
       # Returns a Proc to be executed by
       # `ActionController::HttpAuthentication::Basic` when credentials are
       # present in the HTTP request.
@@ -1747,7 +1846,7 @@ module Authlogic
         end
       end
 
-      def increment_login_cout
+      def increment_login_count
         if record.respond_to?(:login_count)
           record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
         end
@@ -1898,6 +1997,18 @@ module Authlogic
         attempted_record.failed_login_count = 0
       end
 
+      # @api private
+      def run_the_after_validation_callbacks
+        run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
+        run_callbacks(:after_validation)
+      end
+
+      # @api private
+      def run_the_before_validation_callbacks
+        run_callbacks(:before_validation)
+        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+      end
+
       # `args[0]` is the name of a model method, like
       # `find_by_single_access_token` or `find_by_smart_case_login_field`.
       def search_for_record(*args)
@@ -1935,11 +2046,7 @@ module Authlogic
       end
 
       def save_cookie
-        if sign_cookie?
-          controller.cookies.signed[cookie_key] = generate_cookie_for_saving
-        else
-          controller.cookies[cookie_key] = generate_cookie_for_saving
-        end
+        cookie_jar[cookie_key] = generate_cookie_for_saving
       end
 
       # @api private
@@ -1969,7 +2076,7 @@ module Authlogic
       end
 
       def update_info
-        increment_login_cout
+        increment_login_count
         clear_failed_login_count
         update_login_timestamps
         update_login_ip_addresses
@@ -2016,7 +2123,10 @@ module Authlogic
         self.invalid_password = false
         validate_by_password__blank_fields
         return if errors.count > 0
-        self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+        self.attempted_record = search_for_record(
+          self.class.record_selection_method,
+          send(login_field)
+        )
         if attempted_record.blank?
           add_login_not_found_error
           return