authlogic 6.0.0 → 6.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 755961398552a88cf3761088e4521e71e243249b3a131632e281679d723c82fe
-  data.tar.gz: 2b739ad482ecdaad8218065a4c03882e730c86825bc7140691e451fc26032815
+  metadata.gz: 88e14eb91ceaf33fca0867ad9816d8ee719215bdb9f5ff26c2c4754d84c82dd8
+  data.tar.gz: 1dfbc1800a0fd0766bde87dfaa4a351b4b377e4240ad81aaa7d163c547d4d2a4
 SHA512:
-  metadata.gz: 52e998e1210ac287f2bc91d01d2afba9416f5b0eee54cff13d89c6c9affdd2ff2a88ac1a80e78ce100c2a43dcbcf777a5f22dd3d72ff3571bc69c5242a89d97c
-  data.tar.gz: 6152232cf873d2c9be4fa24584b3d8bf8013f95ae58a8117f4494c3a6632df814e36b85d02c67efc0e2b73849a43333c0b9bcf9cb1d379f10587147aa69f808e
+  metadata.gz: a9e01562988e0b0a1660b7fa51009d71a76c01bca17711d278fd9d5e7271c3ef0e165da9622a7049b15f45d994d108e51c6fff0689ad4afe063df62525ddc572
+  data.tar.gz: b0930fa9bc9d370cb71b1e502ece7885319429aff8f49039a8150621f9eb79bd9301c6e028933e156eb28f50a571a0586c23c918280a23f681bc7f45e440aa4f

data/lib/authlogic/acts_as_authentic/password.rb

@@ -102,7 +102,7 @@ module Authlogic
         # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
         # best choice for password storage today. We recommend SCrypt. Other
         # one-way functions like SHA512 are inferior, but widely used.
-        # Reverisbile functions like AES256 are the worst choice, and we no
+        # Reversible functions like AES256 are the worst choice, and we no
         # longer support them.
         #
         # You can use the `transition_from_crypto_providers` option to gradually

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -20,7 +20,7 @@ module Authlogic
           def encrypt(*tokens)
             digest = tokens.flatten.join(join_token)
             stretches.times { digest = Digest::MD5.digest(digest) }
-            digest.unpack("H*")[0]
+            digest.unpack1("H*")
           end
 
           # Does the crypted password match the tokens? Uses the same tokens that

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -26,7 +26,7 @@ module Authlogic
             stretches.times do
               digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
             end
-            digest.unpack("H*")[0]
+            digest.unpack1("H*")
           end
 
           # Does the crypted password match the tokens? Uses the same tokens that

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -43,7 +43,7 @@ module Authlogic
           def encrypt(*tokens)
             digest = tokens.flatten.join(join_token)
             stretches.times { digest = Digest::SHA256.digest(digest) }
-            digest.unpack("H*")[0]
+            digest.unpack1("H*")
           end
 
           # Does the crypted password match the tokens? Uses the same tokens that

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -24,7 +24,7 @@ module Authlogic
             stretches.times do
               digest = Digest::SHA512.digest(digest)
             end
-            digest.unpack("H*")[0]
+            digest.unpack1("H*")
           end
 
           # Does the crypted password match the tokens? Uses the same tokens that

data/lib/authlogic/errors.rb

@@ -18,7 +18,7 @@ module Authlogic
         this default, then, in your User model (or equivalent), please set the
         following:
 
-            acts_as_authentic do |config|
+            acts_as_authentic do |c|
               c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
             end
 

data/lib/authlogic/session/base.rb

@@ -438,8 +438,7 @@ module Authlogic
 
       class << self
         attr_accessor(
-          :configured_password_methods,
-          :configured_klass_methods
+          :configured_password_methods
         )
       end
       attr_accessor(
@@ -956,6 +955,20 @@ module Authlogic
         end
         alias sign_cookie= sign_cookie
 
+        # Should the cookie be encrypted? If the controller adapter supports it, this is a
+        # measure to hide the contents of the cookie (e.g. persistence_token)
+        def encrypt_cookie(value = nil)
+          if value && !controller.cookies.respond_to?(:encrypted)
+            raise "Encrypted cookies not supported with #{controller.class}!"
+          end
+          if value && sign_cookie
+            raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
+                  "You may not enable both options."
+          end
+          rw_config(:encrypt_cookie, value, false)
+        end
+        alias_method :encrypt_cookie=, :encrypt_cookie
+
         # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
         #
         # * <tt>Default:</tt> cookie_key
@@ -1060,24 +1073,10 @@ module Authlogic
       # Constructor
       # ===========
 
-      # rubocop:disable Metrics/AbcSize
       def initialize(*args)
         @id = nil
         self.scope = self.class.scope
-
-        # Creating an alias method for the "record" method based on the klass
-        # name, so that we can do:
-        #
-        #   session.user
-        #
-        # instead of:
-        #
-        #   session.record
-        unless self.class.configured_klass_methods
-          self.class.send(:alias_method, klass_name.demodulize.underscore.to_sym, :record)
-          self.class.configured_klass_methods = true
-        end
-
+        define_record_alias_method
         raise Activation::NotActivatedError unless self.class.activated?
         unless self.class.configured_password_methods
           configure_password_methods
@@ -1086,7 +1085,6 @@ module Authlogic
         instance_variable_set("@#{password_field}", nil)
         self.credentials = args
       end
-      # rubocop:enable Metrics/AbcSize
 
       # Public instance methods
       # =======================
@@ -1475,6 +1473,23 @@ module Authlogic
         sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
       end
 
+      # If the cookie should be encrypted
+      def encrypt_cookie
+        return @encrypt_cookie if defined?(@encrypt_cookie)
+        @encrypt_cookie = self.class.encrypt_cookie
+      end
+
+      # Accepts a boolean as to whether the cookie should be encrypted.  If true
+      # the cookie will be saved in an encrypted state.
+      def encrypt_cookie=(value)
+        @encrypt_cookie = value
+      end
+
+      # See encrypt_cookie
+      def encrypt_cookie?
+        encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
+      end
+
       # The scope of the current object
       def scope
         @scope ||= {}
@@ -1492,24 +1507,21 @@ module Authlogic
       # Determines if the information you provided for authentication is valid
       # or not. If there is a problem with the information provided errors will
       # be added to the errors object and this method will return false.
+      #
+      # @api public
       def valid?
         errors.clear
         self.attempted_record = nil
-
-        run_callbacks(:before_validation)
-        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+        run_the_before_validation_callbacks
 
         # Run the `validate` callbacks, eg. `validate_by_password`.
         # This is when `attempted_record` is set.
         run_callbacks(:validate)
 
         ensure_authentication_attempted
-
         if errors.empty?
-          run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
-          run_callbacks(:after_validation)
+          run_the_after_validation_callbacks
         end
-
         save_record(attempted_record)
         errors.empty?
       end
@@ -1618,7 +1630,9 @@ module Authlogic
       end
 
       def cookie_jar
-        if self.class.sign_cookie
+        if self.class.encrypt_cookie
+          controller.cookies.encrypted
+        elsif self.class.sign_cookie
           controller.cookies.signed
         else
           controller.cookies
@@ -1636,15 +1650,23 @@ module Authlogic
         self.class.send(:attr_reader, login_field) unless respond_to?(login_field)
       end
 
+      # @api private
       def define_password_field_methods
         return unless password_field
-        self.class.send(:attr_writer, password_field) unless respond_to?("#{password_field}=")
-        self.class.send(:define_method, password_field) {} unless respond_to?(password_field)
+        define_password_field_writer_method
+        define_password_field_reader_methods
+      end
 
-        # The password should not be accessible publicly. This way forms
-        # using form_for don't fill the password with the attempted
-        # password. To prevent this we just create this method that is
-        # private.
+      # The password should not be accessible publicly. This way forms using
+      # form_for don't fill the password with the attempted password. To prevent
+      # this we just create this method that is private.
+      #
+      # @api private
+      def define_password_field_reader_methods
+        unless respond_to?(password_field)
+          # Deliberate no-op method, see rationale above.
+          self.class.send(:define_method, password_field) {}
+        end
         self.class.class_eval(
           <<-EOS, __FILE__, __LINE__ + 1
             private
@@ -1655,6 +1677,28 @@ module Authlogic
         )
       end
 
+      def define_password_field_writer_method
+        unless respond_to?("#{password_field}=")
+          self.class.send(:attr_writer, password_field)
+        end
+      end
+
+      # Creating an alias method for the "record" method based on the klass
+      # name, so that we can do:
+      #
+      #   session.user
+      #
+      # instead of:
+      #
+      #   session.record
+      #
+      # @api private
+      def define_record_alias_method
+        noun = klass_name.demodulize.underscore.to_sym
+        return if respond_to?(noun)
+        self.class.send(:alias_method, noun, :record)
+      end
+
       def destroy_cookie
         controller.cookies.delete cookie_key, domain: controller.cookie_domain
       end
@@ -1700,13 +1744,8 @@ module Authlogic
 
       # @api private
       def generate_cookie_for_saving
-        creds = ::Authlogic::CookieCredentials.new(
-          record.persistence_token,
-          record.send(record.class.primary_key),
-          remember_me? ? remember_me_until : nil
-        )
         {
-          value: creds.to_s,
+          value: generate_cookie_value.to_s,
           expires: remember_me_until,
           secure: secure,
           httponly: httponly,
@@ -1715,6 +1754,14 @@ module Authlogic
         }
       end
 
+      def generate_cookie_value
+        ::Authlogic::CookieCredentials.new(
+          record.persistence_token,
+          record.send(record.class.primary_key),
+          remember_me? ? remember_me_until : nil
+        )
+      end
+
       # Returns a Proc to be executed by
       # `ActionController::HttpAuthentication::Basic` when credentials are
       # present in the HTTP request.
@@ -1893,6 +1940,18 @@ module Authlogic
         attempted_record.failed_login_count = 0
       end
 
+      # @api private
+      def run_the_after_validation_callbacks
+        run_callbacks(new_session? ? :after_validation_on_create : :after_validation_on_update)
+        run_callbacks(:after_validation)
+      end
+
+      # @api private
+      def run_the_before_validation_callbacks
+        run_callbacks(:before_validation)
+        run_callbacks(new_session? ? :before_validation_on_create : :before_validation_on_update)
+      end
+
       # `args[0]` is the name of a model method, like
       # `find_by_single_access_token` or `find_by_smart_case_login_field`.
       def search_for_record(*args)
@@ -1930,11 +1989,7 @@ module Authlogic
       end
 
       def save_cookie
-        if sign_cookie?
-          controller.cookies.signed[cookie_key] = generate_cookie_for_saving
-        else
-          controller.cookies[cookie_key] = generate_cookie_for_saving
-        end
+        cookie_jar[cookie_key] = generate_cookie_for_saving
       end
 
       # @api private

data/lib/authlogic/test_case/mock_cookie_jar.rb

@@ -23,6 +23,10 @@ module Authlogic
       def signed
         @signed ||= MockSignedCookieJar.new(self)
       end
+
+      def encrypted
+        @encrypted ||= MockEncryptedCookieJar.new(self)
+      end
     end
 
     # A mock of `ActionDispatch::Cookies::SignedKeyRotatingCookieJar`
@@ -35,6 +39,7 @@ module Authlogic
 
       def initialize(parent_jar)
         @parent_jar = parent_jar
+        parent_jar.each { |k, v| self[k] = v }
       end
 
       def [](val)
@@ -51,5 +56,35 @@ module Authlogic
         @parent_jar[key] = options
       end
     end
+
+    class MockEncryptedCookieJar < MockCookieJar
+      attr_reader :parent_jar # helper for testing
+
+      def initialize(parent_jar)
+        @parent_jar = parent_jar
+        parent_jar.each { |k, v| self[k] = v }
+      end
+
+      def [](val)
+        encrypted_message = @parent_jar[val]
+        if encrypted_message
+          self.class.decrypt(encrypted_message)
+        end
+      end
+
+      def []=(key, options)
+        options[:value] = self.class.encrypt(options[:value])
+        @parent_jar[key] = options
+      end
+
+      # simple caesar cipher for testing
+      def self.encrypt(str)
+        str.unpack("U*").map(&:succ).pack("U*")
+      end
+
+      def self.decrypt(str)
+        str.unpack("U*").map(&:pred).pack("U*")
+      end
+    end
   end
 end

data/lib/authlogic/version.rb

@@ -17,6 +17,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("6.0.0")
+    ::Gem::Version.new("6.1.0")
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 6.1.0
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-24 00:00:00.000000000 Z
+date: 2020-05-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -176,14 +176,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.80.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.67.2
+        version: 0.80.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement