authlogic 1.3.2 → 1.3.3

data/CHANGELOG.rdoc

@@ -1,3 +1,10 @@
+== 1.3.3 released 2008-11-23
+
+* Updated :act_like_restful_authentication for those using the older version where no site wide key is preset (REST_AUTH_SITE_KEY), Authlogic will adjust automatically based on the presence of this constant.
+* Added :transition_from_crypto_provider option for acts_as_authentic to transition your user's passwords to a new algorithm.
+* Added :transition_from_restful_authentication for acts_as_authentic to transition your users from restful_authentication to the Authlogic password system. Now you can choose to keep your passwords the same by using :act_like_restful_authentication, which will *NOT* do any transitioning, or you can use :transition_from_crypto_provider which will update your users passwords as they login or new accounts are created, while still allowing users with the old password system to log in.
+* Modified the "interface" for the crypto providers to only provide a class level encrypt and matches? method, instead of a class level encrypt and decrypt method.
+
 == 1.3.2 released 2008-11-22
 
 * Updated code to work better with BCrypt, using root level class now.

data/README.rdoc

@@ -74,7 +74,9 @@ Authlogic makes this a reality. This is just the tip of the ice berg. Keep readi
 *	<b>Tutorial: Authlogic basic setup:</b> http://www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup
 *	<b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
 *	<b>Tutorial: Using OpenID with Authlogic:</b> http://www.binarylogic.com/2008/11/21/tutorial-using-openid-with-authlogic
-*	<b>Live example of the setup tutorial above (with source):</b> http://authlogicexample.binarylogic.com
+*	<b>Live example of the tutorials above (with source):</b> http://authlogicexample.binarylogic.com
+*	<b>Tutorial: Easily migrate from restful_authentication:</b> http://www.binarylogic.com/2008/11/23/tutorial-easily-migrate-from-restful_authentication-to-authlogic
+*	<b>Tutorial: Upgrade passwords easily with Authlogic:</b> http://www.binarylogic.com/2008/11/23/tutorial-upgrade-passwords-easily-with-authlogic
 * <b>Bugs / feature suggestions:</b> http://binarylogic.lighthouseapp.com/projects/18752-authlogic
 
 == Install and use
@@ -124,7 +126,9 @@ Make sure you have a model that you will be authenticating with. For this exampl
     acts_as_authentic # for options see documentation: Authlogic::ORMAdapters::ActiveRecordAdapter::ActsAsAuthentic::Config
   end
 
-Done! Now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this README or check out the tutorials (see above in "helpful links") for a more detailed walk through.
+One thing to keep in mind here is that the default :crypto_provider for Authlogic is Sha512. You are *NOT* forced to use this. See the encryption methods section below for more information.
+
+You are all set, now go use it just like you would with any other ActiveRecord model. Either glance at the code at the beginning of this README or check out the tutorials (see above in "helpful links") for a more detailed walk through.
 
 == Magic Columns
 
@@ -193,6 +197,25 @@ This will keep everything separate. The :secure session will store its info in a
 
 For more information on ids checkout Authlogic::Session::Base#id
 
+== Encryption methods
+
+Authlogic is designed so you can use *any* encryption method you want. It delegates this task to a class of your choice. By default Authlogic uses salted Sha512 with 20 stretches. It also comes preloaded with some other common encryption algorithms so that you can choose. For example, if you wanted to use the BCrypt algorithm just do the following:
+
+  acts_as_authentic :crypto_provider => Authlogic::CryptoProviders::BCrypt
+
+For more information on BCrypt checkout my blog post on it: http://www.binarylogic.com/2008/11/22/storing-nuclear-launch-codes-in-your-app-enter-bcrypt-for-authlogic
+
+Also, check out the Authlogic::CryptoProviders module and sublcasses to get an idea of how to write your own crypto provider. It's extremely easy, all that you have to do is make a class with a class level encrypt and matches? method. That's it, the sky is the limit.
+
+== Switching to a new encryption method
+
+Switching to a new encryption method used to be a pain in the ass. Authlogic has an option that makes this dead simple. Let's say you want to migrate to the BCrypt encryption method from Sha512:
+
+  acts_as_authentic :crypto_provider => Authlogic::CryptoProviders::BCrypt,
+    :transition_from_crypto_provider => Authlogic::CryptoProviders::Sha512
+
+That's it. When a user successfully logs in and is using the old method their password will be updated with the new method and all new registrations will use the new method as well. Your users won't know anything changed.
+
 == Tokens (persistence, resetting passwords, private feed access, etc.)
 
 To start, let me define tokens as Authlogic sees it. A token is a form of credentials that grants some type of access to their account. Depending on the type of access, a different type of token may be needed. Put simply, it's a way for the user to say "I am this person, let me proceed". What types of different access you ask? Here are just a few:
@@ -369,12 +392,17 @@ Migrating from the restful_authentication plugin? I made an option especially fo
 
   # app/models/user.rb
   class User < ActiveRecord::Base
-    acts_as_authentic :acts_like_restful_authentication => true
+    acts_as_authentic :act_like_restful_authentication => true
   end
 
-**What's the difference?**
+Or you can transition your users to the Authlogic password system:
+
+  # app/models/user.rb
+  class User < ActiveRecord::Base
+    acts_as_authentic :transition_from_restful_authentication => true
+  end
 
-restful\_authentication uses Sha1 with 10 stretches to encrypt the password. Authlogic uses Sha512 with 20 stretches. Sha512 is stronger and more secure.
+For more information checkout my blog post on this: http://www.binarylogic.com/2008/11/23/tutorial-easily-migrate-from-restful_authentication-to-authlogic
 
 == Framework agnostic (Rails, Merb, etc.)
 

data/authlogic.gemspec

@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{authlogic}
-  s.version = "1.3.2"
+  s.version = "1.3.3"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ben Johnson of Binary Logic"]
-  s.date = %q{2008-11-22}
+  s.date = %q{2008-11-23}
   s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
   s.email = %q{bjohnson@binarylogic.com}
   s.extra_rdoc_files = ["CHANGELOG.rdoc", "lib/authlogic/controller_adapters/abstract_adapter.rb", "lib/authlogic/controller_adapters/merb_adapter.rb", "lib/authlogic/controller_adapters/rails_adapter.rb", "lib/authlogic/crypto_providers/bcrypt.rb", "lib/authlogic/crypto_providers/sha1.rb", "lib/authlogic/crypto_providers/sha512.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/logged_in.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/perishability.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/session_maintenance.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/single_access.rb", "lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic.rb", "lib/authlogic/orm_adapters/active_record_adapter/authenticates_many.rb", "lib/authlogic/session/active_record_trickery.rb", "lib/authlogic/session/authenticates_many_association.rb", "lib/authlogic/session/base.rb", "lib/authlogic/session/callbacks.rb", "lib/authlogic/session/config.rb", "lib/authlogic/session/cookies.rb", "lib/authlogic/session/errors.rb", "lib/authlogic/session/params.rb", "lib/authlogic/session/perishability.rb", "lib/authlogic/session/scopes.rb", "lib/authlogic/session/session.rb", "lib/authlogic/version.rb", "lib/authlogic.rb", "README.rdoc"]

data/lib/authlogic/crypto_providers/bcrypt.rb

@@ -7,7 +7,7 @@ module Authlogic
   module CryptoProviders
     # = Bcrypt
     #
-    # For most apps Sha512 is plenty secure, but if you are building an app that stores the nuclear launch codes you might want to consier BCrypt. This is an extremely
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear launch codes you might want to consier BCrypt. This is an extremely
     # secure hashing algorithm, mainly because it is slow. A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
     # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this, generating a password takes exponentially longer than any
     # of the Sha algorithms. I did some benchmarking to save you some time with your decision:
@@ -16,14 +16,20 @@ module Authlogic
     #   require "digest"
     #   require "benchmark"
     #
-    #   Benchmark.bm do |x|
-    #     x.report("BCrypt:") { BCrypt::Password.create("mypass") }
-    #     x.report("Sha512:") { Digest::SHA512.hexdigest("mypass") }
+    #   Benchmark.bm(18) do |x|
+    #     x.report("BCrypt (cost = 10:") { 100.times { BCrypt::Password.create("mypass", :cost => 10) } }
+    #     x.report("BCrypt (cost = 2:") { 100.times { BCrypt::Password.create("mypass", :cost => 2) } }
+    #     x.report("Sha512:") { 100.times { Digest::SHA512.hexdigest("mypass") } }
+    #     x.report("Sha1:") { 100.times { Digest::SHA1.hexdigest("mypass") } }
     #   end
     #
-    #             user     system      total        real
-    #   BCrypt:  0.110000   0.000000   0.110000 (  0.113493)
-    #   Sha512:  0.010000   0.000000   0.010000 (  0.000554)
+    #                           user     system      total        real
+    #   BCrypt (cost = 10): 10.780000   0.060000  10.840000 ( 11.100289)
+    #   BCrypt (cost = 2):  0.180000   0.000000   0.180000 (  0.181914)
+    #   Sha512:             0.000000   0.000000   0.000000 (  0.000829)
+    #   Sha1:               0.000000   0.000000   0.000000 (  0.000395)
+    #
+    # You can play around with the cost to get that perfect balance between performance and security.
     #
     # Decided BCrypt is for you? Just insall the bcrypt gem:
     #
@@ -37,20 +43,46 @@ module Authlogic
     class BCrypt
       class << self
         # This is the :cost option for the BCrpyt library. The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
+        # Set this to whatever you want, play around with it to get that perfect balance between security and performance.
         def cost
           @cost ||= 10
         end
         attr_writer :cost
         
         # Creates a BCrypt hash for the password passed.
-        def encrypt(pass)
-          ::BCrypt::Password.create(pass, :cost => cost)
+        def encrypt(*tokens)
+          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+        end
+        
+        # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(hash, *tokens)
+          hash = new_from_hash(hash)
+          return false if hash.blank?
+          hash == join_tokens(tokens)
         end
         
-        # This does not actually decrypt the password, BCrypt is *not* reversible. The way the bcrypt library is set up requires us to do it this way.
-        def decrypt(crypted_pass)
-          ::BCrypt::Password.new(crypted_pass)
+        # This method is used as a flag to tell Authlogic to "resave" the password upon a successful login, using the new cost
+        def cost_matches?(hash)
+          hash = new_from_hash(hash)
+          if hash.blank?
+            false
+          else
+            hash.cost == cost
+          end
         end
+        
+        private
+          def join_tokens(tokens)
+            tokens.flatten.join
+          end
+          
+          def new_from_hash(hash)
+            begin
+              ::BCrypt::Password.new(hash)
+            rescue ::BCrypt::Errors::InvalidHash
+              return nil
+            end
+          end
       end
     end
   end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -4,19 +4,31 @@ module Authlogic
   module CryptoProviders
     # = Sha1
     #
-    # Uses the Sha1 hash algorithm to encrypt passwords. This class is useful if you are migrating from restful_authentication. This uses the
-    # exact same excryption algorithm with 10 stretches, just like restful_authentication.
+    # This class was made for the users transitioning from restful_authentication. I highly discourage using this crypto provider as it inferior to your other options.
+    # Please use the Sha512 crypto provider or the BCrypt provider.
     class Sha1
       class << self
+        def join_token
+          @join_token ||= "--"
+        end
+        attr_writer :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 10
         end
         attr_writer :stretches
         
-        def encrypt(pass)
-          digest = pass
-          stretches.times { digest = Digest::SHA1.hexdigest(digest) }
-          digest
+        # Turns your raw password into a Sha1 hash.
+        def encrypt(*tokens)
+          tokens = tokens.flatten
+          digest = tokens.shift
+          stretches.times { digest = Digest::SHA1.hexdigest([digest, *tokens].compact.join(join_token)) }
+        end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
         end
       end
     end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -4,26 +4,48 @@ module Authlogic
   # = Crypto Providers
   #
   # The acts_as_authentic method allows you to pass a :crypto_provider option. This allows you to use any type of encryption you like.
-  # Just create a class with a class level encrypt and decrypt method. The password will be passed as the single parameter to each of these
-  # methods so you can do your magic.
+  # Just create a class with a class level encrypt and matches? method. See example below.
   #
-  # If you are encrypting via a hash just don't include a decrypt method, since hashes can't be decrypted. Authlogic will notice this adjust accordingly.
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed wil be an array of objects, what type of object is irrelevant
+  #       # just do what you need to do with them and return a single encrypted string.
+  #       # for example, you will most likely join all of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens.
+  #       # depending on your algorithm you might decrypt the string then compare it to the token, or you might
+  #       # encrypt the tokens and make sure it matches the crypted string, its up to you
+  #     end
+  #   end
   module CryptoProviders
     # = Sha512
     #
     # Uses the Sha512 hash algorithm to encrypt passwords.
     class Sha512
       class << self
+        attr_accessor :join_token
+        
+        # The number of times to loop through the encryption. This is ten because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 20
         end
         attr_writer :stretches
         
-        def encrypt(pass)
-          digest = pass
+        # Turns your raw password into a Sha512 hash.
+        def encrypt(*tokens)
+          digest = tokens.flatten.join(join_token)
           stretches.times { digest = Digest::SHA512.hexdigest(digest) }
           digest
         end
+        
+        # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
+        def matches?(crypted, *tokens)
+          encrypt(*tokens) == crypted
+        end
       end
     end
   end

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/config.rb

@@ -22,12 +22,21 @@ module Authlogic
         # * <tt>crypto_provider</tt> - default: Authlogic::CryptoProviders::Sha512,
         #   This is the class that provides your encryption. By default Authlogic provides its own crypto provider that uses Sha512 encrypton.
         #
+        # * <tt>transition_from_crypto_provider</tt> - default: nil,
+        #   This will transition your users to a new encryption algorithm. Let's say you are using Sha1 and you want to transition to Sha512. Just set the
+        #   :crypto_provider option to Authlogic::CryptoProviders::Sha512 and then set this option to Authlogic::CryptoProviders::Sha1. Every time a user
+        #   logs in their password will be resaved with the new algorithm and all new registrations will use the new algorithm as well.
+        #
         # * <tt>act_like_restful_authentication</tt> - default: false,
         #   If you are migrating from restful_authentication you will want to set this to true, this way your users will still be able to log in and it will seems as
         #   if nothing has changed. If you don't do this none of your users will be able to log in. If you are starting a new project I do not recommend enabling this
         #   as the password encryption algorithm used in restful_authentication (Sha1) is not as secure as the one used in authlogic (Sha512). IF you REALLY want to be secure
         #   checkout Authlogic::CryptoProviders::BCrypt.
         #
+        # * <tt>transition_from_restful_authentication</tt> - default: false,
+        #   This works just like :transition_from_crypto_provider, but it makes some special exceptions so that your users will transition from restful_authentication, since
+        #   restful_authentication does things a little different than Authlogic.
+        #
         # * <tt>login_field</tt> - default: :login, :username, or :email, depending on which column is present, if none are present defaults to :login
         #   The name of the field used for logging in. Only specify if you aren't using any of the defaults.
         #   
@@ -190,8 +199,13 @@ module Authlogic
               options[:email_field_validates_uniqueness_of_options][:scope] ||= options[:scope]
             end
             
-            if options[:act_like_restful_authentication]
-              options[:crypto_provider] = CryptoProviders::Sha1
+            if options[:act_like_restful_authentication] || options[:transition_from_restful_authentication]
+              crypto_provider_key = options[:act_like_restful_authentication] ? :crypto_provider : :transition_from_crypto_provider
+              options[crypto_provider_key] = CryptoProviders::Sha1
+              if !defined?(REST_AUTH_SITE_KEY) || REST_AUTH_SITE_KEY.nil?
+                class_eval("::REST_AUTH_SITE_KEY = nil") unless defined?(REST_AUTH_SITE_KEY)
+                options[crypto_provider_key].stretches = 1
+              end
             end
           
             class_eval <<-"end_eval", __FILE__, __LINE__

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/credentials.rb

@@ -53,6 +53,7 @@ module Authlogic
             end
             
             attr_reader options[:password_field]
+            attr_accessor :crypto_provider
             
             class_eval <<-"end_eval", __FILE__, __LINE__
               def self.friendly_unique_token
@@ -66,13 +67,37 @@ module Authlogic
                 return if pass.blank?
                 @#{options[:password_field]} = pass
                 self.#{options[:password_salt_field]} = self.class.unique_token
-                self.#{options[:crypted_password_field]} = #{options[:crypto_provider]}.encrypt(obfuscate_password(@#{options[:password_field]}))
+                self.#{options[:crypted_password_field]} = #{options[:crypto_provider]}.encrypt(*encrypt_arguments(@#{options[:password_field]}, #{options[:act_like_restful_authentication].inspect} ? :restful_authentication : nil))
               end
+              alias_method :update_#{options[:password_field]}, :#{options[:password_field]}= # this is to avoids the method chain, so we are ONLY changing the password
               
               def valid_#{options[:password_field]}?(attempted_password)
                 return false if attempted_password.blank? || #{options[:crypted_password_field]}.blank? || #{options[:password_salt_field]}.blank?
-                (#{options[:crypto_provider]}.respond_to?(:decrypt) && #{options[:crypto_provider]}.decrypt(#{options[:crypted_password_field]}) == attempted_password + #{options[:password_salt_field]}) ||
-                  (!#{options[:crypto_provider]}.respond_to?(:decrypt) && #{options[:crypto_provider]}.encrypt(obfuscate_password(attempted_password)) == #{options[:crypted_password_field]})
+                
+                [#{options[:crypto_provider]}, #{options[:transition_from_crypto_provider].inspect}].compact.each do |encryptor|
+                  # The arguments_type of for the transitioning from restful_authentication
+                  arguments_type = nil
+                  case encryptor
+                  when #{options[:crypto_provider]}
+                    arguments_type = :restful_authentication if #{options[:act_like_restful_authentication].inspect}
+                  when #{options[:transition_from_crypto_provider].inspect}
+                    arguments_type = :restful_authentication if #{options[:transition_from_restful_authentication].inspect}
+                  end
+                  
+                  if encryptor.matches?(#{options[:crypted_password_field]}, *encrypt_arguments(attempted_password, arguments_type))
+                    # If we are transitioning from an older encryption algorithm and the password is still using the old algorithm
+                    # then let's reset the password using the new algorithm. If the algorithm has a cost (BCrypt) and the cost has changed, update the password with
+                    # the new cost.
+                    if encryptor == #{options[:transition_from_crypto_provider].inspect} || (encryptor.respond_to?(:cost_matches?) && !encryptor.cost_matches?(#{options[:crypted_password_field]}))
+                      update_#{options[:password_field]}(attempted_password)
+                      save(false)
+                    end
+                    
+                    return true
+                  end
+                end
+                
+                false
               end
               
               def reset_#{options[:password_field]}
@@ -82,6 +107,11 @@ module Authlogic
               end
               alias_method :randomize_password, :reset_password
               
+              def confirm_#{options[:password_field]}
+                raise "confirm_#{options[:password_field]} has been removed, please use #{options[:password_field]}_confirmation. " +
+                  "As this is the field that ActiveRecord automatically creates with validates_confirmation_of."
+              end
+              
               def reset_#{options[:password_field]}!
                 reset_#{options[:password_field]}
                 save_without_session_maintenance(false)
@@ -89,11 +119,12 @@ module Authlogic
               alias_method :randomize_password!, :reset_password!
               
               private
-                def obfuscate_password(raw_password)
-                  if #{options[:act_like_restful_authentication].inspect}
-                    [REST_AUTH_SITE_KEY, raw_password, #{options[:password_salt_field]}, REST_AUTH_SITE_KEY].join("--")
+                def encrypt_arguments(raw_password, arguments_type = nil)
+                  case arguments_type
+                  when :restful_authentication
+                    [REST_AUTH_SITE_KEY, raw_password, #{options[:password_salt_field]}, REST_AUTH_SITE_KEY]
                   else
-                    raw_password + #{options[:password_salt_field]}
+                    [raw_password, #{options[:password_salt_field]}]
                   end
                 end
             end_eval

data/lib/authlogic/orm_adapters/active_record_adapter/acts_as_authentic/persistence.rb

@@ -37,10 +37,7 @@ module Authlogic
           
             class_eval <<-"end_eval", __FILE__, __LINE__
               def self.unique_token
-                # The persistence token should be a unique string that is not reversible, which is what a hash is all about
-                # if you using encryption this defaults to Sha512.
-                token_class = #{options[:crypto_provider].respond_to?(:decrypt) ? Authlogic::CryptoProviders::Sha512 : options[:crypto_provider]}
-                token_class.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+                Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
               end
             
               def forget!

data/lib/authlogic/session/config.rb

@@ -45,19 +45,6 @@ module Authlogic
           yield self
         end
         
-        # This works just like ActiveRecord's attr_accessible, except by default this ONLY allows the login, password, and remember me option.
-        #
-        # * <tt>Default:</tt> {:login_field}, {:password_field}, :remember_me, set to nil to disable
-        # * <tt>Accepts:</tt> String
-        def attr_accessible(*values)
-          if values.blank?
-            read_inheritable_attribute(:attr_accessible) || attr_accessible(login_field, password_field, :remember_me)
-          else
-            write_inheritable_attribute(:attr_accessible, value)
-          end
-        end
-        alias_method :attr_accessible=, :attr_accessible
-        
         # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
         # Also, if a id is set it will be inserted into the beginning of the string. Exmaple:
         #
@@ -193,7 +180,7 @@ module Authlogic
         # * <tt>Accepts:</tt> String
         def not_approved_message(value = nil)
           if value.nil?
-            read_inheritable_attribute(:not_approved_message) || not_active_message("Your account is not approved")
+            read_inheritable_attribute(:not_approved_message) || not_approved_message("Your account is not approved")
           else
             write_inheritable_attribute(:not_approved_message, value)
           end
@@ -206,7 +193,7 @@ module Authlogic
         # * <tt>Accepts:</tt> String
         def not_confirmed_message(value = nil)
           if value.nil?
-            read_inheritable_attribute(:not_confirmed_message) || not_active_message("Your account is not confirmed")
+            read_inheritable_attribute(:not_confirmed_message) || not_confirmed_message("Your account is not confirmed")
           else
             write_inheritable_attribute(:not_confirmed_message, value)
           end
@@ -263,7 +250,7 @@ module Authlogic
         # * <tt>Accepts:</tt> String
         def password_invalid_message(value = nil)
           if value.nil?
-            read_inheritable_attribute(:password_invalid_message) || login_not_found_message("is invalid")
+            read_inheritable_attribute(:password_invalid_message) || password_invalid_message("is invalid")
           else
             write_inheritable_attribute(:password_invalid_message, value)
           end

data/lib/authlogic/version.rb

@@ -44,7 +44,7 @@ module Authlogic # :nodoc:
 
     MAJOR = 1
     MINOR = 3
-    TINY  = 2
+    TINY  = 3
 
     # The current version as a Version instance
     CURRENT = new(MAJOR, MINOR, TINY)

data/test/crypto_provider_tests/bcrypt_test.rb

@@ -6,9 +6,9 @@ module CryptoProviderTests
       assert Authlogic::CryptoProviders::BCrypt.encrypt("mypass")
     end
     
-    def test_decrypt
+    def test_matches
       hash = Authlogic::CryptoProviders::BCrypt.encrypt("mypass")
-      assert Authlogic::CryptoProviders::BCrypt.decrypt(hash) == "mypass"
+      assert Authlogic::CryptoProviders::BCrypt.matches?(hash, "mypass")
     end
   end
 end

data/test/crypto_provider_tests/sha1_test.rb

@@ -5,5 +5,10 @@ module CryptoProviderTests
     def test_encrypt
       assert Authlogic::CryptoProviders::Sha1.encrypt("mypass")
     end
+    
+    def test_matches
+      hash = Authlogic::CryptoProviders::Sha1.encrypt("mypass")
+      assert Authlogic::CryptoProviders::Sha1.matches?(hash, "mypass")
+    end
   end
 end

data/test/crypto_provider_tests/sha512_test.rb

@@ -5,5 +5,10 @@ module CryptoProviderTests
     def test_encrypt
       assert Authlogic::CryptoProviders::Sha512.encrypt("mypass")
     end
+    
+    def test_matches
+      hash = Authlogic::CryptoProviders::Sha512.encrypt("mypass")
+      assert Authlogic::CryptoProviders::Sha512.matches?(hash, "mypass")
+    end
   end
 end

data/test/libs/aes128_crypto_provider.rb

@@ -2,12 +2,12 @@ require "ezcrypto"
 
 class AES128CryptoProvider
   class << self
-    def encrypt(term)
-      [key.encrypt(term)].pack("m").chomp
+    def encrypt(*tokens)
+      [key.encrypt(tokens.join)].pack("m").chomp
     end
     
-    def decrypt(term)
-      key.decrypt(term.unpack("m").first)
+    def matches?(crypted, *tokens)
+      key.decrypt(crypted.unpack("m").first) == tokens.join
     end
     
     def key

data/test/orm_adapters_tests/active_record_adapter_tests/acts_as_authentic_tests/config_test.rb

@@ -4,6 +4,9 @@ module ORMAdaptersTests
   module ActiveRecordAdapterTests
     module ActsAsAuthenticTests
       class ConfigTest < ActiveSupport::TestCase
+        setup :get_default_configuration
+        teardown :restore_default_configuration
+        
         def test_first_column_to_exist
           assert_equal :login, User.first_column_to_exist(:login, :crypted_password)
           assert_equal nil, User.first_column_to_exist(nil, :unknown)
@@ -45,6 +48,68 @@ module ORMAdaptersTests
            }
           assert_equal default_config, User.acts_as_authentic_config
         end
+        
+        def test_session_class
+          EmployeeSession.authenticate_with User
+          User.acts_as_authentic(:session_class => EmployeeSession)
+          assert_equal EmployeeSession, User.acts_as_authentic_config[:session_class]
+          
+          ben = users(:ben)
+          assert !EmployeeSession.find
+          ben.password = "benrocks"
+          ben.password_confirmation = "benrocks"
+          assert ben.save
+          assert EmployeeSession.find
+          EmployeeSession.authenticate_with Employee
+        end
+        
+        def test_crypto_provider
+          User.acts_as_authentic(:crypto_provider => Authlogic::CryptoProviders::BCrypt)
+          ben = users(:ben)
+          assert !ben.valid_password?("benrocks")
+          ben.password = "benrocks"
+          ben.password_confirmation = "benrocks"
+          assert ben.save
+          assert ben.valid_password?("benrocks")
+        end
+        
+        def test_transition_from_crypto_provider
+          ben = users(:ben)
+          convert_password_to(Authlogic::CryptoProviders::BCrypt, ben)
+        end
+        
+        def test_act_like_restful_authentication
+          ben = users(:ben)
+          convert_password_to(Authlogic::CryptoProviders::Sha1, ben)
+          User.acts_as_authentic(:act_like_restful_authentication => true)
+          set_session_for(ben)
+          assert UserSession.find
+        end
+        
+        def test_transition_from_restful_authentication
+          User.acts_as_authentic(:transition_from_restful_authentication => true)
+          assert_equal Authlogic::CryptoProviders::Sha512, User.acts_as_authentic_config[:crypto_provider]
+          assert_equal Authlogic::CryptoProviders::Sha1, User.acts_as_authentic_config[:transition_from_crypto_provider]
+        end
+        
+        private
+          def get_default_configuration
+            @default_configuration = User.acts_as_authentic_config
+          end
+          
+          def restore_default_configuration
+            User.acts_as_authentic @default_configuration
+          end
+          
+          def convert_password_to(crypto_provider, *records)
+            User.acts_as_authentic(:crypto_provider => crypto_provider, :transition_from_crypto_provider => Authlogic::CryptoProviders::Sha512)
+            records.each do |record|
+              old_hash = record.crypted_password
+              assert record.valid_password?(password_for(record))
+              assert_not_equal old_hash, record.crypted_password
+              assert record.valid_password?(password_for(record))
+            end
+          end
       end
     end
   end

data/test/test_helper.rb

@@ -113,19 +113,19 @@ class Test::Unit::TestCase
       Authlogic::Session::Base.controller = @controller
     end
     
+    def password_for(user)
+      case user
+      when users(:ben)
+        "benrocks"
+      when users(:zack)
+        "zackrocks"
+      end
+    end
+    
     def http_basic_auth_for(user = nil, &block)
       unless user.blank?
         @controller.http_user = user.login
-        
-        password = nil
-        case user
-        when users(:ben)
-          password = "benrocks"
-        when users(:zack)
-          password = "zackrocks"
-        end
-        
-        @controller.http_password = password
+        @controller.http_password = password_for(user)
       end
       yield
       @controller.http_user = @controller.http_password = nil

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: authlogic
 version: !ruby/object:Gem::Version 
-  version: 1.3.2
+  version: 1.3.3
 platform: ruby
 authors: 
 - Ben Johnson of Binary Logic
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2008-11-22 00:00:00 -05:00
+date: 2008-11-23 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency