authlogic 5.2.0 → 6.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4ede36ceee21501805105c66349d58ba6c6d9d483d5fefc41b8d4cbd5189944
-  data.tar.gz: f323b446e8f8e2a722bb9d896249170596f64ebf8ff441b2740cb834c2b085b8
+  metadata.gz: aa943f509bfe67c9cd576f8201f0fce5f0dd8c417458a629185590257a34f0af
+  data.tar.gz: 01bb91b140d913dc7c75c1c78d70b70ae23ea3254c01c8165a2c29e785a00a9e
 SHA512:
-  metadata.gz: 26cda51c7c8e2b5a8be9395ef13e3d39d9ee1c73429542d107bb229747b9a004800771a96b8f516e4f994c8926b1d0ef2fb1bf45e38102646451c48a3e4fb453
-  data.tar.gz: 971d54be27f18e12d8d7eafad90e50627098c689b34e047c0ddea4a96f82abf8c80e45766f49fdd82a9efb45fd3508ca312ee4b0cc0508d06a37887d45f9fcb0
+  metadata.gz: efb0ecbdb2a535817297ccbb3d687b25387353a02aaa7ee5d0d05a1cc629adc5e52d81edb7a166ef74f071cf9e584bd4a3f994690f4a82e60c7f54fc9a1df880
+  data.tar.gz: 85de14bc97e1e3eecb6f77b346d7953e1f64504c9e91373167555dbb9e352b59cc61a85933135d6b358b049a0b482268f630e9ea6aed1fb341554dd6b7ab6feb

data/lib/authlogic.rb

@@ -13,6 +13,7 @@ require "active_record"
 path = File.dirname(__FILE__) + "/authlogic/"
 
 [
+  "errors",
   "i18n",
   "random",
   "config",

data/lib/authlogic/acts_as_authentic/base.rb

@@ -31,8 +31,8 @@ module Authlogic
         #
         # See the various sub modules for the configuration they provide.
         def acts_as_authentic
-          return unless db_setup?
           yield self if block_given?
+          return unless db_setup?
           acts_as_authentic_modules.each { |mod| include mod }
         end
 
@@ -65,12 +65,27 @@ module Authlogic
           self.acts_as_authentic_modules = modules
         end
 
+        # Some Authlogic modules requires a database connection with a existing
+        # users table by the moment when you call the `acts_as_authentic`
+        # method. If you try to call `acts_as_authentic` without a database
+        # connection, it will raise a `Authlogic::ModelSetupError`.
+        #
+        # If you rely on the User model before the database is setup correctly,
+        # set this field to false.
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def raise_on_model_setup_error(value = nil)
+          rw_config(:raise_on_model_setup_error, value, false)
+        end
+        alias raise_on_model_setup_error= raise_on_model_setup_error
+
         private
 
         def db_setup?
           column_names
           true
         rescue StandardError
+          raise ModelSetupError if raise_on_model_setup_error
           false
         end
 

data/lib/authlogic/acts_as_authentic/password.rb

@@ -102,20 +102,30 @@ module Authlogic
         # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
         # best choice for password storage today. We recommend SCrypt. Other
         # one-way functions like SHA512 are inferior, but widely used.
-        # Reverisbile functions like AES256 are the worst choice, and we no
+        # Reversible functions like AES256 are the worst choice, and we no
         # longer support them.
         #
         # You can use the `transition_from_crypto_providers` option to gradually
         # transition to a better crypto provider without causing your users any
         # pain.
         #
-        # * <tt>Default:</tt> CryptoProviders::SCrypt
+        # * <tt>Default:</tt> There is no longer a default value. Prior to
+        #   Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+        #   to read this config option before setting it, it will raise a
+        #   `NilCryptoProvider` error. See that error's message for further
+        #   details, and rationale for this change.
         # * <tt>Accepts:</tt> Class
-        def crypto_provider(value = nil)
+        def crypto_provider
+          acts_as_authentic_config[:crypto_provider].tap { |provider|
+            raise NilCryptoProvider if provider.nil?
+          }
+        end
+
+        def crypto_provider=(value)
+          raise NilCryptoProvider if value.nil?
           CryptoProviders::Guidance.new(value).impart_wisdom
-          rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+          rw_config(:crypto_provider, value)
         end
-        alias crypto_provider= crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -93,9 +93,9 @@ module Authlogic
         end
 
         # Save the record and skip session maintenance all together.
-        def save_without_session_maintenance(*args)
+        def save_without_session_maintenance(**options)
           self.skip_session_maintenance = true
-          result = save(*args)
+          result = save(**options)
           self.skip_session_maintenance = false
           result
         end
@@ -176,7 +176,9 @@ module Authlogic
         end
 
         def log_in_after_password_change?
-          will_save_change_to_persistence_token? && self.class.log_in_after_password_change
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
         end
       end
     end

data/lib/authlogic/controller_adapters/rails_adapter.rb

@@ -14,7 +14,7 @@ module Authlogic
       # Returns a `ActionDispatch::Cookies::CookieJar`. See the AC guide
       # http://guides.rubyonrails.org/action_controller_overview.html#cookies
       def cookies
-        controller.send(:cookies)
+        controller.respond_to?(:cookies, true) ? controller.send(:cookies) : nil
       end
 
       def cookie_domain

data/lib/authlogic/crypto_providers/md5.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class MD5
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "md5", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    class MD5
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 1
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a MD5 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::MD5.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class Sha1
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha1", "v2")
+
       class << self
         def join_token
           @join_token ||= "--"

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    class Sha1
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          def join_token
+            @join_token ||= "--"
+          end
+          attr_writer :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 10
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha1 hash.
+          def encrypt(*tokens)
+            tokens = tokens.flatten
+            digest = tokens.shift
+            stretches.times do
+              digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -29,6 +29,9 @@ module Authlogic
     #
     # Uses the Sha256 hash algorithm to encrypt passwords.
     class Sha256
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha256", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
+  module CryptoProviders
+    class Sha256
+      # = Sha256
+      #
+      # Uses the Sha256 hash algorithm to encrypt passwords.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha256 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::SHA256.digest(digest) }
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -8,6 +8,9 @@ module Authlogic
     # there are better choices. We recommend transitioning to a more secure,
     # adaptive hashing algorithm, like scrypt.
     class Sha512
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha512", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  module CryptoProviders
+    class Sha512
+      # SHA-512 does not have any practical known attacks against it. However,
+      # there are better choices. We recommend transitioning to a more secure,
+      # adaptive hashing algorithm, like scrypt.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha512 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times do
+              digest = Digest::SHA512.digest(digest)
+            end
+            digest.unpack1("H*")
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/errors.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |c|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+
+  # :nodoc:
+  class ModelSetupError < Error
+    def message
+      <<-EOS
+        You must establish a database connection and run the migrations before
+        using acts_as_authentic. If you need to load the User model before the
+        database is set up correctly, please set the following:
+
+            acts_as_authentic do |c|
+              c.raise_on_model_setup_error = false
+            end
+      EOS
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -8,7 +8,7 @@ module Authlogic
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)
-          ::I18n.translate key, options
+          ::I18n.translate key, **options
         else
           options[:default]
         end

data/lib/authlogic/session/base.rb

@@ -198,7 +198,7 @@ module Authlogic
     # 2. Enable logging out on timeouts
     #
     #   class UserSession < Authlogic::Session::Base
-    #     logout_on_timeout true # default if false
+    #     logout_on_timeout true # default is false
     #   end
     #
     # This will require a user to log back in if they are inactive for more than
@@ -351,6 +351,13 @@ module Authlogic
         - https://github.com/binarylogic/authlogic/pull/558
         - https://github.com/binarylogic/authlogic/pull/577
       EOS
+      E_DPR_FIND_BY_LOGIN_METHOD = <<~EOS.squish.freeze
+        find_by_login_method is deprecated in favor of record_selection_method,
+        to avoid confusion with ActiveRecord's "Dynamic Finders".
+        (https://guides.rubyonrails.org/v6.0/active_record_querying.html#dynamic-finders)
+        For example, rubocop-rails is confused by the deprecated method.
+        (https://github.com/rubocop-hq/rubocop-rails/blob/master/lib/rubocop/cop/rails/dynamic_find_by.rb)
+      EOS
       VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict", "None"].freeze
 
       # Callbacks
@@ -415,10 +422,10 @@ module Authlogic
       before_save :set_last_request_at
 
       after_save :reset_perishable_token!
-      after_save :save_cookie
+      after_save :save_cookie, if: :cookie_enabled?
       after_save :update_session
 
-      after_destroy :destroy_cookie
+      after_destroy :destroy_cookie, if: :cookie_enabled?
       after_destroy :update_session
 
       # `validate` callbacks, in deliberate order. For example,
@@ -438,8 +445,7 @@ module Authlogic
 
       class << self
         attr_accessor(
-          :configured_password_methods,
-          :configured_klass_methods
+          :configured_password_methods
         )
       end
       attr_accessor(
@@ -472,14 +478,9 @@ module Authlogic
           !controller.nil?
         end
 
-        # Do you want to allow your users to log in via HTTP basic auth?
-        #
-        # I recommend keeping this enabled. The only time I feel this should be
-        # disabled is if you are not comfortable having your users provide their
-        # raw username and password. Whatever the reason, you can disable it
-        # here.
+        # Allow users to log in via HTTP basic authentication.
         #
-        # * <tt>Default:</tt> true
+        # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
         def allow_http_basic_auth(value = nil)
           rw_config(:allow_http_basic_auth, value, false)
@@ -669,35 +670,10 @@ module Authlogic
           end
         end
 
-        # Authlogic tries to validate the credentials passed to it. One part of
-        # validation is actually finding the user and making sure it exists.
-        # What method it uses the do this is up to you.
-        #
-        # Let's say you have a UserSession that is authenticating a User. By
-        # default UserSession will call User.find_by_login(login). You can
-        # change what method UserSession calls by specifying it here. Then in
-        # your User model you can make that method do anything you want, giving
-        # you complete control of how users are found by the UserSession.
-        #
-        # Let's take an example: You want to allow users to login by username or
-        # email. Set this to the name of the class method that does this in the
-        # User model. Let's call it "find_by_username_or_email"
-        #
-        #   class User < ActiveRecord::Base
-        #     def self.find_by_username_or_email(login)
-        #       find_by_username(login) || find_by_email(login)
-        #     end
-        #   end
-        #
-        # Now just specify the name of this method for this configuration option
-        # and you are all set. You can do anything you want here. Maybe you
-        # allow users to have multiple logins and you want to search a has_many
-        # relationship, etc. The sky is the limit.
-        #
-        # * <tt>Default:</tt> "find_by_smart_case_login_field"
-        # * <tt>Accepts:</tt> Symbol or String
+        # @deprecated in favor of record_selection_method
         def find_by_login_method(value = nil)
-          rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
+          ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+          record_selection_method(value)
         end
         alias find_by_login_method= find_by_login_method
 
@@ -782,15 +758,23 @@ module Authlogic
         # example, the UserSession class will authenticate with the User class
         # unless you specify otherwise in your configuration. See
         # authenticate_with for information on how to change this value.
+        #
+        # @api public
         def klass
           @klass ||= klass_name ? klass_name.constantize : nil
         end
 
-        # The string of the model name class guessed from the actual session class name.
+        # The model name, guessed from the session class name, e.g. "User",
+        # from "UserSession".
+        #
+        # TODO: This method can return nil. We should explore this. It seems
+        # likely to cause a NoMethodError later, so perhaps we should raise an
+        # error instead.
+        #
+        # @api private
         def klass_name
-          return @klass_name if defined?(@klass_name)
-          @klass_name = name.scan(/(.*)Session/)[0]
-          @klass_name = klass_name ? klass_name[0] : nil
+          return @klass_name if instance_variable_defined?(:@klass_name)
+          @klass_name = name.scan(/(.*)Session/)[0]&.first
         end
 
         # The name of the method you want Authlogic to create for storing the
@@ -798,8 +782,8 @@ module Authlogic
         # Authlogic::Session, if you want it can be something completely
         # different than the field in your model. So if you wanted people to
         # login with a field called "login" and then find users by email this is
-        # completely doable. See the find_by_login_method configuration option
-        # for more details.
+        # completely doable. See the `record_selection_method` configuration
+        # option for details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -882,6 +866,47 @@ module Authlogic
         end
         alias password_field= password_field
 
+        # Authlogic tries to validate the credentials passed to it. One part of
+        # validation is actually finding the user and making sure it exists.
+        # What method it uses the do this is up to you.
+        #
+        # ```
+        # # user_session.rb
+        # record_selection_method :find_by_email
+        # ```
+        #
+        # This is the recommended way to find the user by email address.
+        # The resulting query will be `User.find_by_email(send(login_field))`.
+        # (`login_field` will fall back to `email_field` if there's no `login`
+        # or `username` column).
+        #
+        # In your User model you can make that method do anything you want,
+        # giving you complete control of how users are found by the UserSession.
+        #
+        # Let's take an example: You want to allow users to login by username or
+        # email. Set this to the name of the class method that does this in the
+        # User model. Let's call it "find_by_username_or_email"
+        #
+        # ```
+        # class User < ActiveRecord::Base
+        #   def self.find_by_username_or_email(login)
+        #     find_by_username(login) || find_by_email(login)
+        #   end
+        # end
+        # ```
+        #
+        # Now just specify the name of this method for this configuration option
+        # and you are all set. You can do anything you want here. Maybe you
+        # allow users to have multiple logins and you want to search a has_many
+        # relationship, etc. The sky is the limit.
+        #
+        # * <tt>Default:</tt> "find_by_smart_case_login_field"
+        # * <tt>Accepts:</tt> Symbol or String
+        def record_selection_method(value = nil)
+          rw_config(:record_selection_method, value, "find_by_smart_case_login_field")
+        end
+        alias record_selection_method= record_selection_method
+
         # Whether or not to request HTTP authentication
         #
         # If set to true and no HTTP authentication credentials are sent with
@@ -954,7 +979,7 @@ module Authlogic
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:signed)
+          if value && controller && !controller.cookies.respond_to?(:signed)
             raise "Signed cookies not supported with #{controller.class}!"
           end
           rw_config(:sign_cookie, value, false)
@@ -964,7 +989,7 @@ module Authlogic
         # Should the cookie be encrypted? If the controller adapter supports it, this is a
         # measure to hide the contents of the cookie (e.g. persistence_token)
         def encrypt_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:encrypted)
+          if value && controller && !controller.cookies.respond_to?(:encrypted)
             raise "Encrypted cookies not supported with #{controller.class}!"
           end
           if value && sign_cookie
@@ -973,7 +998,7 @@ module Authlogic
           end
           rw_config(:encrypt_cookie, value, false)
         end
-        alias_method :encrypt_cookie=, :encrypt_cookie
+        alias encrypt_cookie= encrypt_cookie
 
         # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
         #
@@ -1079,24 +1104,10 @@ module Authlogic
       # Constructor
       # ===========
 
-      # rubocop:disable Metrics/AbcSize
       def initialize(*args)
         @id = nil
         self.scope = self.class.scope
-
-        # Creating an alias method for the "record" method based on the klass
-        # name, so that we can do:
-        #
-        #   session.user
-        #
-        # instead of:
-        #
-        #   session.record
-        unless self.class.configured_klass_methods
-          self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
-          self.class.configured_klass_methods = true
-        end
-
+        define_record_alias_method
         raise Activation::NotActivatedError unless self.class.activated?
         unless self.class.configured_password_methods
           configure_password_methods
@@ -1105,7 +1116,6 @@ module Authlogic
         instance_variable_set("@#{password_field}", nil)
         self.credentials = args
       end
-      # rubocop:enable Metrics/AbcSize
 
       # Public instance methods
       # =======================
@@ -1528,24 +1538,21 @@ module Authlogic
       # Determines if the information you provided for authentication is valid
       # or not. If there is a problem with the information provided errors will
       # be added to the errors object and this method will return false.
+      #
+      # @api public
       def valid?
         errors.clear
         self.attempted_record = nil
-
-        run_callbacks(:before_validation)
-        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+        run_the_before_validation_callbacks
 
         # Run the `validate` callbacks, eg. `validate_by_password`.
         # This is when `attempted_record` is set.
         run_callbacks(:validate)
 
         ensure_authentication_attempted
-
         if errors.empty?
-          run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
-          run_callbacks(:after_validation)
+          run_the_after_validation_callbacks
         end
-
         save_record(attempted_record)
         errors.empty?
       end
@@ -1647,12 +1654,18 @@ module Authlogic
       # @api private
       # @return ::Authlogic::CookieCredentials or if no cookie is found, nil
       def cookie_credentials
+        return unless cookie_enabled?
+
         cookie_value = cookie_jar[cookie_key]
         unless cookie_value.nil?
           ::Authlogic::CookieCredentials.parse(cookie_value)
         end
       end
 
+      def cookie_enabled?
+        !controller.cookies.nil?
+      end
+
       def cookie_jar
         if self.class.encrypt_cookie
           controller.cookies.encrypted
@@ -1674,15 +1687,23 @@ module Authlogic
         self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
       end
 
+      # @api private
       def define_password_field_methods
         return unless password_field
-        self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
-        self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+        define_password_field_writer_method
+        define_password_field_reader_methods
+      end
 
-        # The password should not be accessible publicly. This way forms
-        # using form_for don't fill the password with the attempted
-        # password. To prevent this we just create this method that is
-        # private.
+      # The password should not be accessible publicly. This way forms using
+      # form_for don't fill the password with the attempted password. To prevent
+      # this we just create this method that is private.
+      #
+      # @api private
+      def define_password_field_reader_methods
+        unless respond_to?(password_field)
+          # Deliberate no-op method, see rationale above.
+          self.class.send(:define_method, password_field) {}
+        end
         self.class.class_eval(
           <<-EOS, __FILE__, __LINE__ + 1
             private
@@ -1693,6 +1714,28 @@ module Authlogic
         )
       end
 
+      def define_password_field_writer_method
+        unless respond_to?("#{password_field}=")
+          self.class.send(:attr_writer, password_field)
+        end
+      end
+
+      # Creating an alias method for the "record" method based on the klass
+      # name, so that we can do:
+      #
+      #   session.user
+      #
+      # instead of:
+      #
+      #   session.record
+      #
+      # @api private
+      def define_record_alias_method
+        noun = klass_name.demodulize.underscore.to_sym
+        return if respond_to?(noun)
+        self.class.send(:alias_method, noun, :record)
+      end
+
       def destroy_cookie
         controller.cookies.delete cookie_key, domain: controller.cookie_domain
       end
@@ -1728,8 +1771,10 @@ module Authlogic
           attempted_record.failed_login_count >= consecutive_failed_logins_limit
       end
 
+      # @deprecated in favor of `self.class.record_selection_method`
       def find_by_login_method
-        self.class.find_by_login_method
+        ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+        self.class.record_selection_method
       end
 
       def generalize_credentials_error_messages?
@@ -1783,7 +1828,7 @@ module Authlogic
         end
       end
 
-      def increment_login_cout
+      def increment_login_count
         if record.respond_to?(:login_count)
           record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
         end
@@ -1934,6 +1979,18 @@ module Authlogic
         attempted_record.failed_login_count = 0
       end
 
+      # @api private
+      def run_the_after_validation_callbacks
+        run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
+        run_callbacks(:after_validation)
+      end
+
+      # @api private
+      def run_the_before_validation_callbacks
+        run_callbacks(:before_validation)
+        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+      end
+
       # `args[0]` is the name of a model method, like
       # `find_by_single_access_token` or `find_by_smart_case_login_field`.
       def search_for_record(*args)
@@ -2001,7 +2058,7 @@ module Authlogic
       end
 
       def update_info
-        increment_login_cout
+        increment_login_count
         clear_failed_login_count
         update_login_timestamps
         update_login_ip_addresses
@@ -2048,7 +2105,10 @@ module Authlogic
         self.invalid_password = false
         validate_by_password__blank_fields
         return if errors.count > 0
-        self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+        self.attempted_record = search_for_record(
+          self.class.record_selection_method,
+          send(login_field)
+        )
         if attempted_record.blank?
           add_login_not_found_error
           return

data/lib/authlogic/test_case.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require File.dirname(__FILE__) + "/test_case/rails_request_adapter"
+require File.dirname(__FILE__) + "/test_case/mock_api_controller"
 require File.dirname(__FILE__) + "/test_case/mock_cookie_jar"
 require File.dirname(__FILE__) + "/test_case/mock_controller"
 require File.dirname(__FILE__) + "/test_case/mock_logger"

data/lib/authlogic/test_case/mock_api_controller.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Authlogic
+  module TestCase
+    # Basically acts like an API controller but doesn't do anything.
+    # Authlogic can interact with this, do it's thing and then you can look at
+    # the controller object to see if anything changed.
+    class MockAPIController < ControllerAdapters::AbstractAdapter
+      attr_writer :request_content_type
+
+      def initialize
+      end
+
+      # Expected API controller has no cookies method.
+      undef :cookies
+
+      def cookie_domain
+        nil
+      end
+
+      def logger
+        @logger ||= MockLogger.new
+      end
+
+      def params
+        @params ||= {}
+      end
+
+      def request
+        @request ||= MockRequest.new(self)
+      end
+
+      def request_content_type
+        @request_content_type ||= "text/html"
+      end
+
+      def session
+        @session ||= {}
+      end
+
+      # If method is defined, it causes below behavior...
+      #   controller = Authlogic::ControllerAdapters::RailsAdapter.new(
+      #     Authlogic::TestCase::MockAPIController.new
+      #   )
+      #   controller.responds_to_single_access_allowed? #=> true
+      #   controller.single_access_allowed?
+      #     #=> NoMethodError: undefined method `single_access_allowed?' for nil:NilClass
+      #
+      undef :single_access_allowed?
+    end
+  end
+end

data/lib/authlogic/test_case/mock_controller.rb

@@ -39,7 +39,7 @@ module Authlogic
       end
 
       def request
-        @request ||= MockRequest.new(controller)
+        @request ||= MockRequest.new(self)
       end
 
       def request_content_type

data/lib/authlogic/test_case/mock_cookie_jar.rb

@@ -3,6 +3,7 @@
 module Authlogic
   module TestCase
     # A mock of `ActionDispatch::Cookies::CookieJar`.
+    # See action_dispatch/middleware/cookies.rb
     class MockCookieJar < Hash # :nodoc:
       attr_accessor :set_cookies
 
@@ -11,9 +12,12 @@ module Authlogic
         hash && hash[:value]
       end
 
+      # @param options - "the cookie's value [usually a string] or a hash of
+      # options as documented above [in action_dispatch/middleware/cookies.rb]"
       def []=(key, options)
-        (@set_cookies ||= {})[key.to_s] = options
-        super
+        opt = cookie_options_to_hash(options)
+        (@set_cookies ||= {})[key.to_s] = opt
+        super(key, opt)
       end
 
       def delete(key, _options = {})
@@ -27,6 +31,17 @@ module Authlogic
       def encrypted
         @encrypted ||= MockEncryptedCookieJar.new(self)
       end
+
+      private
+
+      # @api private
+      def cookie_options_to_hash(options)
+        if options.is_a?(Hash)
+          options
+        else
+          { value: options }
+        end
+      end
     end
 
     # A mock of `ActionDispatch::Cookies::SignedKeyRotatingCookieJar`
@@ -52,11 +67,14 @@ module Authlogic
       end
 
       def []=(key, options)
-        options[:value] = "#{options[:value]}--#{Digest::SHA1.hexdigest options[:value]}"
-        @parent_jar[key] = options
+        opt = cookie_options_to_hash(options)
+        opt[:value] = "#{opt[:value]}--#{Digest::SHA1.hexdigest opt[:value]}"
+        @parent_jar[key] = opt
       end
     end
 
+    # Which ActionDispatch class is this a mock of?
+    # TODO: Document as with other mocks above.
     class MockEncryptedCookieJar < MockCookieJar
       attr_reader :parent_jar # helper for testing
 
@@ -73,8 +91,9 @@ module Authlogic
       end
 
       def []=(key, options)
-        options[:value] = self.class.encrypt(options[:value])
-        @parent_jar[key] = options
+        opt = cookie_options_to_hash(options)
+        opt[:value] = self.class.encrypt(opt[:value])
+        @parent_jar[key] = opt
       end
 
       # simple caesar cipher for testing

data/lib/authlogic/test_case/mock_request.rb

@@ -9,6 +9,10 @@ module Authlogic
         self.controller = controller
       end
 
+      def format
+        controller.request_content_type if controller.respond_to? :request_content_type
+      end
+
       def ip
         controller&.respond_to?(:env) &&
           controller.env.is_a?(Hash) &&

data/lib/authlogic/test_case/rails_request_adapter.rb

@@ -12,7 +12,7 @@ module Authlogic
       def cookies
         new_cookies = MockCookieJar.new
         super.each do |key, value|
-          new_cookies[key] = value[:value]
+          new_cookies[key] = cookie_value(value)
         end
         new_cookies
       end
@@ -28,6 +28,12 @@ module Authlogic
       def request_content_type
         request.format.to_s
       end
+
+      private
+
+      def cookie_value(value)
+        value.is_a?(Hash) ? value[:value] : value
+      end
     end
   end
 end

data/lib/authlogic/version.rb

@@ -17,6 +17,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("5.2.0")
+    ::Gem::Version.new("6.4.0")
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 6.4.0
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-08 00:00:00.000000000 Z
+date: 2020-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -21,7 +21,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -31,7 +31,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -41,7 +41,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -51,7 +51,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -61,7 +61,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -71,7 +71,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '6.2'
 - !ruby/object:Gem::Dependency
   name: request_store
   requirement: !ruby/object:Gem::Requirement
@@ -86,26 +86,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: scrypt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
@@ -190,20 +170,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.1.4
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.80.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -218,6 +212,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: scrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -252,14 +266,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.13
+        version: 1.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.13
+        version: 1.4.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -305,16 +319,22 @@ files:
 - lib/authlogic/crypto_providers.rb
 - lib/authlogic/crypto_providers/bcrypt.rb
 - lib/authlogic/crypto_providers/md5.rb
+- lib/authlogic/crypto_providers/md5/v2.rb
 - lib/authlogic/crypto_providers/scrypt.rb
 - lib/authlogic/crypto_providers/sha1.rb
+- lib/authlogic/crypto_providers/sha1/v2.rb
 - lib/authlogic/crypto_providers/sha256.rb
+- lib/authlogic/crypto_providers/sha256/v2.rb
 - lib/authlogic/crypto_providers/sha512.rb
+- lib/authlogic/crypto_providers/sha512/v2.rb
+- lib/authlogic/errors.rb
 - lib/authlogic/i18n.rb
 - lib/authlogic/i18n/translator.rb
 - lib/authlogic/random.rb
 - lib/authlogic/session/base.rb
 - lib/authlogic/session/magic_column/assigns_last_request_at.rb
 - lib/authlogic/test_case.rb
+- lib/authlogic/test_case/mock_api_controller.rb
 - lib/authlogic/test_case/mock_controller.rb
 - lib/authlogic/test_case/mock_cookie_jar.rb
 - lib/authlogic/test_case/mock_logger.rb
@@ -333,7 +353,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="