RubyGems - authlogic - Versions diffs - 6.4.0 → 6.4.1 - Mend

authlogic 6.4.0 → 6.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/authlogic/controller_adapters/abstract_adapter.rb +21 -0
data/lib/authlogic/session/base.rb +18 -0
data/lib/authlogic/test_case/mock_request.rb +6 -0
data/lib/authlogic/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa943f509bfe67c9cd576f8201f0fce5f0dd8c417458a629185590257a34f0af
-  data.tar.gz: 01bb91b140d913dc7c75c1c78d70b70ae23ea3254c01c8165a2c29e785a00a9e
+  metadata.gz: e65309a22f2adc25c9c61f10910d6db41fe2c3f6b9d8037977bdfa094b90dd53
+  data.tar.gz: 2e5bb549974be424ad83ae20de60775bcb1b66c207031919caf978de7e5801ff
 SHA512:
-  metadata.gz: efb0ecbdb2a535817297ccbb3d687b25387353a02aaa7ee5d0d05a1cc629adc5e52d81edb7a166ef74f071cf9e584bd4a3f994690f4a82e60c7f54fc9a1df880
-  data.tar.gz: 85de14bc97e1e3eecb6f77b346d7953e1f64504c9e91373167555dbb9e352b59cc61a85933135d6b358b049a0b482268f630e9ea6aed1fb341554dd6b7ab6feb
+  metadata.gz: 1198b8ff9bf45e98e8748365ba67112f249c738952b84a39a32b835353481a37b3b006106ff31031d5a78f2952fffa746c8764639f50ebc3cc0ae99f84f74b98
+  data.tar.gz: 9ab8911d8838f3ddf6b8b011d498b08941caba5e20d2c62c1d2ec9c8b17f446c68f7585db88bd0c3497ae26cd11cd6f565eb9da3ae27bd3faee5de7815c62fd6

data/lib/authlogic/controller_adapters/abstract_adapter.rb CHANGED Viewed

@@ -8,6 +8,7 @@ module Authlogic
     class AbstractAdapter
       E_COOKIE_DOMAIN_ADAPTER = "The cookie_domain method has not been " \
         "implemented by the controller adapter"
+      ENV_SESSION_OPTIONS = "rack.session.options"
       attr_accessor :controller
@@ -44,6 +45,26 @@ module Authlogic
         request.content_type
       end
+      # Inform Rack that we would like a new session ID to be assigned. Changes
+      # the ID, but not the contents of the session.
+      #
+      # The `:renew` option is read by `rack/session/abstract/id.rb`.
+      #
+      # This is how Devise (via warden) implements defense against Session
+      # Fixation. Our implementation is copied directly from the warden gem
+      # (set_user in warden/proxy.rb)
+      def renew_session_id
+        env = request.env
+        options = env[ENV_SESSION_OPTIONS]
+        if options
+          if options.frozen?
+            env[ENV_SESSION_OPTIONS] = options.merge(renew: true).freeze
+          else
+            options[:renew] = true
+          end
+        end
+      end
       def session
         controller.session
       end

data/lib/authlogic/session/base.rb CHANGED Viewed

@@ -424,6 +424,7 @@ module Authlogic
       after_save :reset_perishable_token!
       after_save :save_cookie, if: :cookie_enabled?
       after_save :update_session
+      after_create :renew_session_id
       after_destroy :destroy_cookie, if: :cookie_enabled?
       after_destroy :update_session
@@ -976,6 +977,16 @@ module Authlogic
         end
         alias secure= secure
+        # Should the Rack session ID be reset after authentication, to protect
+        # against Session Fixation attacks?
+        #
+        # * <tt>Default:</tt> true
+        # * <tt>Accepts:</tt> Boolean
+        def session_fixation_defense(value = nil)
+          rw_config(:session_fixation_defense, value, true)
+        end
+        alias session_fixation_defense= session_fixation_defense
         # Should the cookie be signed? If the controller adapter supports it, this is a
         # measure against cookie tampering.
         def sign_cookie(value = nil)
@@ -1681,6 +1692,13 @@ module Authlogic
         define_password_field_methods
       end
+      # Assign a new controller-session ID, to defend against Session Fixation.
+      # https://guides.rubyonrails.org/v6.0/security.html#session-fixation
+      def renew_session_id
+        return unless self.class.session_fixation_defense
+        controller.renew_session_id
+      end
       def define_login_field_methods
         return unless login_field
         self.class.send(:attr_writer, login_field) unless respond_to?("#{login_field}=")

data/lib/authlogic/test_case/mock_request.rb CHANGED Viewed

@@ -9,6 +9,12 @@ module Authlogic
         self.controller = controller
       end
+      def env
+        @env ||= {
+          ControllerAdapters::AbstractAdapter::ENV_SESSION_OPTIONS => {}
+        }
+      end
       def format
         controller.request_content_type if controller.respond_to? :request_content_type
       end

data/lib/authlogic/version.rb CHANGED Viewed

@@ -17,6 +17,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("6.4.0")
+    ::Gem::Version.new("6.4.1")
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 6.4.0
+  version: 6.4.1
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-22 00:00:00.000000000 Z
+date: 2021-02-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel