authlogic 6.2.0 → 6.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3db4f35b09d1723bab91b36afb8fbd79c1583896b19186846f8b1b25cb7793e
-  data.tar.gz: a517af1c9f5341e9bd58722711f7046fb51dfd2c1440e072f81170be196d2518
+  metadata.gz: b9fad0a99beb89fdac894ff1979b59459073fbf597d375b6749b263e86be930d
+  data.tar.gz: 4ea061519a7a881f78cfaddf1a86e312d082dba28ce22c51e52c38ac51c62581
 SHA512:
-  metadata.gz: dd2fa0ad62c54eb721a8d3fb1d85ca1aa59b122bed688eca908a4cde2487fce1a5c084ffa365fd3b975d576f99a6a86bd243f950a1f2d07ddc1b6f171afed345
-  data.tar.gz: 519fcf4568fee21a0a43c9f7ec5ea740edcb84cf5cb95f48bf5a1819a1c091ba882f2f54f169497c20cf3821eb556a537687330950643b1b7d4f0d2a138961f0
+  metadata.gz: db0557f858087739e3a292ab6ba63becbca9a0204874f2794e934e442c58fc6d7cf814450d9df4adc76c8d1e41d18f625fc7fa942df2810248aa7b9176aa60ee
+  data.tar.gz: 8c349c4e3a8579384c2e1b7f3fc2f85b2974e7871d02a9e9a93117f83777110e21ad57fa4f04493f8116aaba113ebd9f735cea7ff9ae8b02e73897a51b044593

data/lib/authlogic/controller_adapters/abstract_adapter.rb

@@ -8,6 +8,7 @@ module Authlogic
     class AbstractAdapter
       E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
         "implemented by the controller adapter"
+      ENV_SESSION_OPTIONS = "rack.session.options"
 
       attr_accessor :controller
 
@@ -44,6 +45,26 @@ module Authlogic
         request.content_type
       end
 
+      # Inform Rack that we would like a new session ID to be assigned. Changes
+      # the ID, but not the contents of the session.
+      #
+      # The `:renew` option is read by `rack/session/abstract/id.rb`.
+      #
+      # This is how Devise (via warden) implements defense against Session
+      # Fixation. Our implementation is copied directly from the warden gem
+      # (set_user in warden/proxy.rb)
+      def renew_session_id
+        env = request.env
+        options = env[ENV_SESSION_OPTIONS]
+        if options
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+      end
+
       def session
         controller.session
       end

data/lib/authlogic/session/base.rb

@@ -351,6 +351,13 @@ module Authlogic
         - https://github.com/binarylogic/authlogic/pull/558
         - https://github.com/binarylogic/authlogic/pull/577
       EOS
+      E_DPR_FIND_BY_LOGIN_METHOD = <<~EOS.squish.freeze
+        find_by_login_method is deprecated in favor of record_selection_method,
+        to avoid confusion with ActiveRecord's "Dynamic Finders".
+        (https://guides.rubyonrails.org/v6.0/active_record_querying.html#dynamic-finders)
+        For example, rubocop-rails is confused by the deprecated method.
+        (https://github.com/rubocop-hq/rubocop-rails/blob/master/lib/rubocop/cop/rails/dynamic_find_by.rb)
+      EOS
       VALID_SAME_SITE_VALUES = [nil, "Lax", "Strict", "None"].freeze
 
       # Callbacks
@@ -417,6 +424,7 @@ module Authlogic
       after_save :reset_perishable_token!
       after_save :save_cookie, if: :cookie_enabled?
       after_save :update_session
+      after_create :renew_session_id
 
       after_destroy :destroy_cookie, if: :cookie_enabled?
       after_destroy :update_session
@@ -663,35 +671,10 @@ module Authlogic
           end
         end
 
-        # Authlogic tries to validate the credentials passed to it. One part of
-        # validation is actually finding the user and making sure it exists.
-        # What method it uses the do this is up to you.
-        #
-        # Let's say you have a UserSession that is authenticating a User. By
-        # default UserSession will call User.find_by_login(login). You can
-        # change what method UserSession calls by specifying it here. Then in
-        # your User model you can make that method do anything you want, giving
-        # you complete control of how users are found by the UserSession.
-        #
-        # Let's take an example: You want to allow users to login by username or
-        # email. Set this to the name of the class method that does this in the
-        # User model. Let's call it "find_by_username_or_email"
-        #
-        #   class User < ActiveRecord::Base
-        #     def self.find_by_username_or_email(login)
-        #       find_by_username(login) || find_by_email(login)
-        #     end
-        #   end
-        #
-        # Now just specify the name of this method for this configuration option
-        # and you are all set. You can do anything you want here. Maybe you
-        # allow users to have multiple logins and you want to search a has_many
-        # relationship, etc. The sky is the limit.
-        #
-        # * <tt>Default:</tt> "find_by_smart_case_login_field"
-        # * <tt>Accepts:</tt> Symbol or String
+        # @deprecated in favor of record_selection_method
         def find_by_login_method(value = nil)
-          rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
+          ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+          record_selection_method(value)
         end
         alias find_by_login_method= find_by_login_method
 
@@ -776,15 +759,23 @@ module Authlogic
         # example, the UserSession class will authenticate with the User class
         # unless you specify otherwise in your configuration. See
         # authenticate_with for information on how to change this value.
+        #
+        # @api public
         def klass
           @klass ||= klass_name ? klass_name.constantize : nil
         end
 
-        # The string of the model name class guessed from the actual session class name.
+        # The model name, guessed from the session class name, e.g. "User",
+        # from "UserSession".
+        #
+        # TODO: This method can return nil. We should explore this. It seems
+        # likely to cause a NoMethodError later, so perhaps we should raise an
+        # error instead.
+        #
+        # @api private
         def klass_name
-          return @klass_name if defined?(@klass_name)
-          @klass_name = name.scan(/(.*)Session/)[0]
-          @klass_name = klass_name ? klass_name[0] : nil
+          return @klass_name if instance_variable_defined?(:@klass_name)
+          @klass_name = name.scan(/(.*)Session/)[0]&.first
         end
 
         # The name of the method you want Authlogic to create for storing the
@@ -792,8 +783,8 @@ module Authlogic
         # Authlogic::Session, if you want it can be something completely
         # different than the field in your model. So if you wanted people to
         # login with a field called "login" and then find users by email this is
-        # completely doable. See the find_by_login_method configuration option
-        # for more details.
+        # completely doable. See the `record_selection_method` configuration
+        # option for details.
         #
         # * <tt>Default:</tt> klass.login_field || klass.email_field
         # * <tt>Accepts:</tt> Symbol or String
@@ -876,6 +867,47 @@ module Authlogic
         end
         alias password_field= password_field
 
+        # Authlogic tries to validate the credentials passed to it. One part of
+        # validation is actually finding the user and making sure it exists.
+        # What method it uses the do this is up to you.
+        #
+        # ```
+        # # user_session.rb
+        # record_selection_method :find_by_email
+        # ```
+        #
+        # This is the recommended way to find the user by email address.
+        # The resulting query will be `User.find_by_email(send(login_field))`.
+        # (`login_field` will fall back to `email_field` if there's no `login`
+        # or `username` column).
+        #
+        # In your User model you can make that method do anything you want,
+        # giving you complete control of how users are found by the UserSession.
+        #
+        # Let's take an example: You want to allow users to login by username or
+        # email. Set this to the name of the class method that does this in the
+        # User model. Let's call it "find_by_username_or_email"
+        #
+        # ```
+        # class User < ActiveRecord::Base
+        #   def self.find_by_username_or_email(login)
+        #     find_by_username(login) || find_by_email(login)
+        #   end
+        # end
+        # ```
+        #
+        # Now just specify the name of this method for this configuration option
+        # and you are all set. You can do anything you want here. Maybe you
+        # allow users to have multiple logins and you want to search a has_many
+        # relationship, etc. The sky is the limit.
+        #
+        # * <tt>Default:</tt> "find_by_smart_case_login_field"
+        # * <tt>Accepts:</tt> Symbol or String
+        def record_selection_method(value = nil)
+          rw_config(:record_selection_method, value, "find_by_smart_case_login_field")
+        end
+        alias record_selection_method= record_selection_method
+
         # Whether or not to request HTTP authentication
         #
         # If set to true and no HTTP authentication credentials are sent with
@@ -945,6 +977,16 @@ module Authlogic
         end
         alias secure= secure
 
+        # Should the Rack session ID be reset after authentication, to protect
+        # against Session Fixation attacks?
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def session_fixation_defense(value = nil)
+          rw_config(:session_fixation_defense, value, true)
+        end
+        alias session_fixation_defense= session_fixation_defense
+
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
@@ -1650,6 +1692,13 @@ module Authlogic
         define_password_field_methods
       end
 
+      # Assign a new controller-session ID, to defend against Session Fixation.
+      # https://guides.rubyonrails.org/v6.0/security.html#session-fixation
+      def renew_session_id
+        return unless self.class.session_fixation_defense
+        controller.renew_session_id
+      end
+
       def define_login_field_methods
         return unless login_field
         self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")
@@ -1740,8 +1789,10 @@ module Authlogic
           attempted_record.failed_login_count >= consecutive_failed_logins_limit
       end
 
+      # @deprecated in favor of `self.class.record_selection_method`
       def find_by_login_method
-        self.class.find_by_login_method
+        ::ActiveSupport::Deprecation.warn(E_DPR_FIND_BY_LOGIN_METHOD)
+        self.class.record_selection_method
       end
 
       def generalize_credentials_error_messages?
@@ -1795,7 +1846,7 @@ module Authlogic
         end
       end
 
-      def increment_login_cout
+      def increment_login_count
         if record.respond_to?(:login_count)
           record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
         end
@@ -1980,7 +2031,7 @@ module Authlogic
 
       # @api private
       def set_last_request_at
-        current_time = klass.default_timezone == :utc ? Time.now.utc : Time.now
+        current_time = Time.current
         MagicColumn::AssignsLastRequestAt
           .new(current_time, record, controller, last_request_at_threshold)
           .assign
@@ -2025,7 +2076,7 @@ module Authlogic
       end
 
       def update_info
-        increment_login_cout
+        increment_login_count
         clear_failed_login_count
         update_login_timestamps
         update_login_ip_addresses
@@ -2041,7 +2092,7 @@ module Authlogic
       def update_login_timestamps
         if record.respond_to?(:current_login_at)
           record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
-          record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+          record.current_login_at = Time.current
         end
       end
 
@@ -2072,7 +2123,10 @@ module Authlogic
         self.invalid_password = false
         validate_by_password__blank_fields
         return if errors.count > 0
-        self.attempted_record = search_for_record(find_by_login_method, send(login_field))
+        self.attempted_record = search_for_record(
+          self.class.record_selection_method,
+          send(login_field)
+        )
         if attempted_record.blank?
           add_login_not_found_error
           return

data/lib/authlogic/test_case/mock_cookie_jar.rb

@@ -3,6 +3,7 @@
 module Authlogic
   module TestCase
     # A mock of `ActionDispatch::Cookies::CookieJar`.
+    # See action_dispatch/middleware/cookies.rb
     class MockCookieJar < Hash # :nodoc:
       attr_accessor :set_cookies
 
@@ -11,9 +12,12 @@ module Authlogic
         hash && hash[:value]
       end
 
+      # @param options - "the cookie's value [usually a string] or a hash of
+      # options as documented above [in action_dispatch/middleware/cookies.rb]"
       def []=(key, options)
-        (@set_cookies ||= {})[key.to_s] = options
-        super
+        opt = cookie_options_to_hash(options)
+        (@set_cookies ||= {})[key.to_s] = opt
+        super(key, opt)
       end
 
       def delete(key, _options = {})
@@ -27,6 +31,17 @@ module Authlogic
       def encrypted
         @encrypted ||= MockEncryptedCookieJar.new(self)
       end
+
+      private
+
+      # @api private
+      def cookie_options_to_hash(options)
+        if options.is_a?(Hash)
+          options
+        else
+          { value: options }
+        end
+      end
     end
 
     # A mock of `ActionDispatch::Cookies::SignedKeyRotatingCookieJar`
@@ -52,8 +67,9 @@ module Authlogic
       end
 
       def []=(key, options)
-        options[:value] = "#{options[:value]}--#{Digest::SHA1.hexdigest options[:value]}"
-        @parent_jar[key] = options
+        opt = cookie_options_to_hash(options)
+        opt[:value] = "#{opt[:value]}--#{Digest::SHA1.hexdigest opt[:value]}"
+        @parent_jar[key] = opt
       end
     end
 
@@ -75,8 +91,9 @@ module Authlogic
       end
 
       def []=(key, options)
-        options[:value] = self.class.encrypt(options[:value])
-        @parent_jar[key] = options
+        opt = cookie_options_to_hash(options)
+        opt[:value] = self.class.encrypt(opt[:value])
+        @parent_jar[key] = opt
       end
 
       # simple caesar cipher for testing

data/lib/authlogic/test_case/mock_request.rb

@@ -9,6 +9,12 @@ module Authlogic
         self.controller = controller
       end
 
+      def env
+        @env ||= {
+          ControllerAdapters::AbstractAdapter::ENV_SESSION_OPTIONS => {}
+        }
+      end
+
       def format
         controller.request_content_type if controller.respond_to? :request_content_type
       end

data/lib/authlogic/test_case/rails_request_adapter.rb

@@ -12,7 +12,7 @@ module Authlogic
       def cookies
         new_cookies = MockCookieJar.new
         super.each do |key, value|
-          new_cookies[key] = value[:value]
+          new_cookies[key] = cookie_value(value)
         end
         new_cookies
       end
@@ -28,6 +28,12 @@ module Authlogic
       def request_content_type
         request.format.to_s
       end
+
+      private
+
+      def cookie_value(value)
+        value.is_a?(Hash) ? value[:value] : value
+      end
     end
   end
 end

data/lib/authlogic/version.rb

@@ -17,6 +17,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("6.2.0")
+    ::Gem::Version.new("6.4.2")
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 6.2.0
+  version: 6.4.2
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-10 00:00:00.000000000 Z
+date: 2021-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -21,7 +21,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -31,7 +31,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
@@ -41,7 +41,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -51,7 +51,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -61,7 +61,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -71,7 +71,7 @@ dependencies:
         version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: request_store
   requirement: !ruby/object:Gem::Requirement
@@ -170,6 +170,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 1.1.4
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -327,7 +341,7 @@ files:
 - lib/authlogic/test_case/mock_request.rb
 - lib/authlogic/test_case/rails_request_adapter.rb
 - lib/authlogic/version.rb
-homepage: http://github.com/binarylogic/authlogic
+homepage: https://github.com/binarylogic/authlogic
 licenses:
 - MIT
 metadata: {}
@@ -339,7 +353,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="