authlogic 3.5.0 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 43f0752648b77b7ed8b4392d28703d1b723ec48e
-  data.tar.gz: e724514e5180624f979083825eca98c7528ba322
+  metadata.gz: c557e744965cb622f19c7b32421c8a6a7d35be45
+  data.tar.gz: 603d34bc61e526d460501e1417e176d559b2dbcb
 SHA512:
-  metadata.gz: a0e47fbdd2fbe66b84ad573418e784846db2dcf50520cc93068610e2fb5fd6a5d4f82302012e64935d43e3fec57b374ae315b2725b54ebcf69f9afe5a46eeebc
-  data.tar.gz: afe89e5753414a0f05978171d007adc8a20db99056fb214e9223126b6e4da91f64e230940495240418638fc221fe8f6c006bc7600307767a7d5e9e0154233e7e
+  metadata.gz: 699ca0bd6ec372e1705e2b74de803026cf04b9a620f17fcceaf88de768639188c5237e2ea876db4725f0002813c22e22752cc1d8b3d3ee36d21dbeed32a0fc1f
+  data.tar.gz: e70bca58e4aae93d5a8e412a1d774c80331f3fa4b2687e1db07a7c0c366a58b7de1ac97b11b343773ce92ff71337fd08cd906ec7119179dba893ff932ead4202

data/.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,13 @@
+Thanks for your interest in authlogic! Our volunteers' time is limited, so we
+can only respond on GitHub to bug reports and feature requests. Please ask
+usage questions on StackOverflow so that the whole community has a chance to
+answer your question.
+
+http://stackoverflow.com/questions/tagged/authlogic
+
+Do not disclose security issues in public. See our contributing guide
+for instructions.
+
+https://github.com/binarylogic/authlogic/blob/master/CONTRIBUTING.md
+
+Thanks for your contribution!

data/.rubocop_todo.yml

@@ -79,7 +79,7 @@ Metrics/CyclomaticComplexity:
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes.
 # URISchemes: http, https
 Metrics/LineLength:
-  Max: 140
+  Max: 130
 
 Metrics/ModuleLength:
   Enabled: false
@@ -250,11 +250,6 @@ Style/Lambda:
   Exclude:
     - 'lib/authlogic/acts_as_authentic/logged_in_status.rb'
 
-# Cop supports --auto-correct.
-Style/LineEndConcatenation:
-  Exclude:
-    - 'lib/authlogic/acts_as_authentic/base.rb'
-
 # Configuration parameters: EnforcedStyle, SupportedStyles.
 # SupportedStyles: module_function, extend_self
 Style/ModuleFunction:
@@ -362,12 +357,6 @@ Style/RescueModifier:
   Exclude:
     - 'lib/authlogic/acts_as_authentic/session_maintenance.rb'
 
-# Cop supports --auto-correct.
-# Configuration parameters: AllowIfMethodIsEmpty.
-Style/SingleLineMethods:
-  Exclude:
-    - 'lib/authlogic/controller_adapters/rack_adapter.rb'
-
 # Cop supports --auto-correct.
 # Configuration parameters: SupportedStyles.
 # SupportedStyles: use_perl_names, use_english_names
@@ -395,33 +384,8 @@ Style/SymbolProc:
   Exclude:
     - 'lib/authlogic/acts_as_authentic/persistence_token.rb'
 
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyleForMultiline, SupportedStyles.
-# SupportedStyles: comma, consistent_comma, no_comma
-Style/TrailingCommaInLiteral:
-  Exclude:
-    - 'test/acts_as_authentic_test/email_test.rb'
-
-# Cop supports --auto-correct.
-Style/UnneededPercentQ:
-  Exclude:
-    - 'authlogic.gemspec'
-
 # Cop supports --auto-correct.
 # Configuration parameters: SupportedStyles, MinSize, WordRegex.
 # SupportedStyles: percent, brackets
 Style/WordArray:
   EnforcedStyle: brackets
-
-# Cop supports --auto-correct.
-Style/ZeroLengthPredicate:
-  Exclude:
-    - 'lib/authlogic/session/validation.rb'
-    - 'test/acts_as_authentic_test/email_test.rb'
-    - 'test/acts_as_authentic_test/login_test.rb'
-    - 'test/acts_as_authentic_test/magic_columns_test.rb'
-    - 'test/acts_as_authentic_test/password_test.rb'
-    - 'test/acts_as_authentic_test/perishable_token_test.rb'
-    - 'test/acts_as_authentic_test/single_access_test.rb'
-    - 'test/session_test/brute_force_protection_test.rb'
-    - 'test/session_test/magic_states_test.rb'

data/.travis.yml

@@ -11,9 +11,9 @@ before_install:
 
 rvm:
   - 1.9.3
-  - 2.1.9
-  - 2.2.5
-  - 2.3.1
+  - 2.1.10
+  - 2.2.6
+  - 2.3.3
 
 gemfile:
   - test/gemfiles/Gemfile.rails-3.2.x
@@ -21,6 +21,7 @@ gemfile:
   - test/gemfiles/Gemfile.rails-4.1.x
   - test/gemfiles/Gemfile.rails-4.2.x
   - test/gemfiles/Gemfile.rails-5.0.x
+  - test/gemfiles/Gemfile.rails-5.1.x
 
 matrix:
   exclude:
@@ -28,11 +29,15 @@ matrix:
       gemfile: test/gemfiles/Gemfile.rails-4.1.x
     - rvm: 1.9.3
       gemfile: test/gemfiles/Gemfile.rails-5.0.x
-    - rvm: 2.1.9
+    - rvm: 1.9.3
+      gemfile: test/gemfiles/Gemfile.rails-5.1.x
+    - rvm: 2.1.10
       gemfile: test/gemfiles/Gemfile.rails-5.0.x
-    - rvm: 2.2.5
+    - rvm: 2.1.10
+      gemfile: test/gemfiles/Gemfile.rails-5.1.x
+    - rvm: 2.2.6
       gemfile: test/gemfiles/Gemfile.rails-3.2.x
-    - rvm: 2.3.1
+    - rvm: 2.3.3
       gemfile: test/gemfiles/Gemfile.rails-3.2.x
   fast_finish: true
 

data/CHANGELOG.md

@@ -1,5 +1,24 @@
 # Changelog
 
+## Unreleased
+
+* Breaking Changes
+  * None
+
+* Added
+  * None
+
+* Fixed
+  * None
+
+## 3.6.0 2017-04-28
+
+* Added
+  * rails 5.1 support
+
+* Fixed
+  * ensure that login field validation uses correct locale (@sskirby)
+
 ## 3.5.0 2016-08-29
 
 * new

data/CONTRIBUTING.md

@@ -16,11 +16,12 @@ We will review security issues promptly.
 
 ### Non-Security Issues
 
-Please use github issues for reproducible, minimal bug reports.
+Please use github issues only for bug reports and feature requests.
 
 ### Usage Questions
 
-Please use stackoverflow for usage questions.
+Please ask usage questions on
+[stackoverflow](http://stackoverflow.com/questions/tagged/authlogic).
 
 ## Development
 
@@ -47,3 +48,13 @@ To run the tests without linting, use `rake test`.
 ```
 BUNDLE_GEMFILE=test/gemfiles/Gemfile.rails-3.2.x bundle exec rake test
 ```
+
+### Release
+
+1. Update version number in gemspec
+1. Add release date to changelog entry
+1. Commit
+1. git tag -a -m "v3.6.0" "v3.6.0"
+1. git push --tags origin 3-stable # or whatever branch
+1. gem build authlogic.gemspec
+1. gem push authlogic-3.6.0

data/README.md

@@ -1,6 +1,6 @@
 # Authlogic
 
-**Authlogic supports both rails 3 and 4. For rails 2, see the [rails2 branch](https://github.com/binarylogic/authlogic/tree/rails2).**
+**Authlogic supports rails 3, 4 and 5. For rails 2, see the [rails2 branch](https://github.com/binarylogic/authlogic/tree/rails2).**
 
 [![Gem Version](https://badge.fury.io/rb/authlogic.png)](http://badge.fury.io/rb/authlogic)
 [![Build Status](https://travis-ci.org/binarylogic/authlogic.png?branch=master)](https://travis-ci.org/binarylogic/authlogic)
@@ -291,5 +291,4 @@ See [Authlogic::TestCase](https://github.com/binarylogic/authlogic/blob/master/l
 
 Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.
 
-
-Copyright (c) 2012 [Ben Johnson of Binary Logic](http://www.binarylogic.com), released under the MIT license
+Copyright (c) 2012 Ben Johnson of Binary Logic, released under the MIT license

data/authlogic.gemspec

@@ -3,18 +3,18 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "authlogic"
-  s.version     = "3.5.0"
+  s.version     = "3.6.0"
   s.platform    = Gem::Platform::RUBY
   s.authors     = ["Ben Johnson"]
   s.email       = ["bjohnson@binarylogic.com"]
   s.homepage    = "http://github.com/binarylogic/authlogic"
-  s.summary     = %q{A clean, simple, and unobtrusive ruby authentication solution.}
-  s.description = %q{A clean, simple, and unobtrusive ruby authentication solution.}
+  s.summary     = 'A clean, simple, and unobtrusive ruby authentication solution.'
+  s.description = 'A clean, simple, and unobtrusive ruby authentication solution.'
 
   s.license = 'MIT'
 
-  s.add_dependency 'activerecord', ['>= 3.2', '< 5.1']
-  s.add_dependency 'activesupport', ['>= 3.2', '< 5.1']
+  s.add_dependency 'activerecord', ['>= 3.2', '< 5.2']
+  s.add_dependency 'activesupport', ['>= 3.2', '< 5.2']
   s.add_dependency 'request_store', '~> 1.0'
   s.add_dependency 'scrypt', '>= 1.2', '< 4.0'
   s.add_development_dependency 'bcrypt', '~> 3.1'

data/lib/authlogic/acts_as_authentic/base.rb

@@ -32,8 +32,10 @@ module Authlogic
 
           if !unsupported_options.nil?
             raise ArgumentError.new(
-              "You are using the old v1.X.X configuration method for Authlogic. Instead of passing a hash of " +
-              "configuration options to acts_as_authentic, pass a block: acts_as_authentic { |c| c.my_option = my_value }"
+              "You are using the old v1.X.X configuration method for " \
+                "Authlogic. Instead of passing a hash of configuration " \
+                "options to acts_as_authentic, pass a block: " \
+                "acts_as_authentic { |c| c.my_option = my_value }"
             )
           end
 

data/lib/authlogic/acts_as_authentic/email.rb

@@ -133,11 +133,16 @@ module Authlogic
             }
           )
         end
-        alias_method :validates_uniqueness_of_email_field_options=, :validates_uniqueness_of_email_field_options
+        alias_method(
+          :validates_uniqueness_of_email_field_options=,
+          :validates_uniqueness_of_email_field_options
+        )
 
-        # See merge_validates_length_of_email_field_options. The same thing except for validates_uniqueness_of_email_field_options.
+        # See merge_validates_length_of_email_field_options. The same thing
+        # except for validates_uniqueness_of_email_field_options.
         def merge_validates_uniqueness_of_email_field_options(options = {})
-          self.validates_uniqueness_of_email_field_options = validates_uniqueness_of_email_field_options.merge(options)
+          self.validates_uniqueness_of_email_field_options =
+            validates_uniqueness_of_email_field_options.merge(options)
         end
       end
 

data/lib/authlogic/acts_as_authentic/logged_in_status.rb

@@ -31,15 +31,33 @@ module Authlogic
 
           klass.class_eval do
             include InstanceMethods
-            scope :logged_in, lambda { where("last_request_at > ? and current_login_at IS NOT NULL", logged_in_timeout.seconds.ago) }
-            scope :logged_out, lambda { where("last_request_at is NULL or last_request_at <= ?", logged_in_timeout.seconds.ago) }
+            scope(
+              :logged_in,
+              lambda do
+                where(
+                  "last_request_at > ? and current_login_at IS NOT NULL",
+                  logged_in_timeout.seconds.ago
+                )
+              end
+            )
+            scope(
+              :logged_out,
+              lambda do
+                where(
+                  "last_request_at is NULL or last_request_at <= ?",
+                  logged_in_timeout.seconds.ago
+                )
+              end
+            )
           end
         end
 
         module InstanceMethods
           # Returns true if the last_request_at > logged_in_timeout.
           def logged_in?
-            raise "Can not determine the records login state because there is no last_request_at column" if !respond_to?(:last_request_at)
+            unless respond_to?(:last_request_at)
+              raise "Can not determine the records login state because there is no last_request_at column"
+            end
             !last_request_at.nil? && last_request_at > logged_in_timeout.seconds.ago
           end
 

data/lib/authlogic/acts_as_authentic/login.rb

@@ -29,11 +29,13 @@ module Authlogic
         end
         alias_method :validate_login_field=, :validate_login_field
 
-        # A hash of options for the validates_length_of call for the login field. Allows you to change this however you want.
+        # A hash of options for the validates_length_of call for the login
+        # field. Allows you to change this however you want.
         #
-        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
-        # merge options into it. Checkout the convenience function merge_validates_length_of_login_field_options to merge
-        # options.</b>
+        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as
+        # possible, so you can completely replace the hash or merge options into
+        # it. Checkout the convenience function
+        # merge_validates_length_of_login_field_options to merge options.</b>
         #
         # * <tt>Default:</tt> {:within => 3..100}
         # * <tt>Accepts:</tt> Hash of options accepted by validates_length_of
@@ -42,9 +44,11 @@ module Authlogic
         end
         alias_method :validates_length_of_login_field_options=, :validates_length_of_login_field_options
 
-        # A convenience function to merge options into the validates_length_of_login_field_options. So instead of:
+        # A convenience function to merge options into the
+        # validates_length_of_login_field_options. So instead of:
         #
-        #   self.validates_length_of_login_field_options = validates_length_of_login_field_options.merge(:my_option => my_value)
+        #   self.validates_length_of_login_field_options =
+        #     validates_length_of_login_field_options.merge(:my_option => my_value)
         #
         # You can do this:
         #
@@ -53,11 +57,13 @@ module Authlogic
           self.validates_length_of_login_field_options = validates_length_of_login_field_options.merge(options)
         end
 
-        # A hash of options for the validates_format_of call for the login field. Allows you to change this however you want.
+        # A hash of options for the validates_format_of call for the login
+        # field. Allows you to change this however you want.
         #
-        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as possible, so you can completely replace the hash or
-        # merge options into it. Checkout the convenience function merge_validates_format_of_login_field_options to merge
-        # options.</b>
+        # <b>Keep in mind this is ruby. I wanted to keep this as flexible as
+        # possible, so you can completely replace the hash or merge options into
+        # it. Checkout the convenience function
+        # merge_validates_format_of_login_field_options to merge options.</b>
         #
         # * <tt>Default:</tt>
         #
@@ -78,16 +84,19 @@ module Authlogic
             value,
             {
               :with => Authlogic::Regex.login,
-              :message => I18n.t(
-                'error_messages.login_invalid',
-                :default => "should use only letters, numbers, spaces, and .-_@+ please."
-              )
+              :message => proc do
+                I18n.t(
+                  'error_messages.login_invalid',
+                  :default => "should use only letters, numbers, spaces, and .-_@+ please."
+                )
+              end
             }
           )
         end
         alias_method :validates_format_of_login_field_options=, :validates_format_of_login_field_options
 
-        # See merge_validates_length_of_login_field_options. The same thing, except for validates_format_of_login_field_options
+        # See merge_validates_length_of_login_field_options. The same thing,
+        # except for validates_format_of_login_field_options
         def merge_validates_format_of_login_field_options(options = {})
           self.validates_format_of_login_field_options = validates_format_of_login_field_options.merge(options)
         end
@@ -120,26 +129,36 @@ module Authlogic
             }
           )
         end
-        alias_method :validates_uniqueness_of_login_field_options=, :validates_uniqueness_of_login_field_options
+        alias_method(
+          :validates_uniqueness_of_login_field_options=,
+          :validates_uniqueness_of_login_field_options
+        )
 
-        # See merge_validates_length_of_login_field_options. The same thing, except for validates_uniqueness_of_login_field_options
+        # See merge_validates_length_of_login_field_options. The same thing,
+        # except for validates_uniqueness_of_login_field_options
         def merge_validates_uniqueness_of_login_field_options(options = {})
-          self.validates_uniqueness_of_login_field_options = validates_uniqueness_of_login_field_options.merge(options)
+          self.validates_uniqueness_of_login_field_options =
+            validates_uniqueness_of_login_field_options.merge(options)
         end
 
-        # This method allows you to find a record with the given login. If you notice, with Active Record you have the
-        # UniquenessValidator class. They give you a :case_sensitive option. I handle this in the same
-        # manner that they handle that. If you are using the login field, set false for the :case_sensitive option in
-        # validates_uniqueness_of_login_field_options and the column doesn't have a case-insensitive collation,
-        # this method will modify the query to look something like:
+        # This method allows you to find a record with the given login. If you
+        # notice, with Active Record you have the UniquenessValidator class.
+        # They give you a :case_sensitive option. I handle this in the same
+        # manner that they handle that. If you are using the login field, set
+        # false for the :case_sensitive option in
+        # validates_uniqueness_of_login_field_options and the column doesn't
+        # have a case-insensitive collation, this method will modify the query
+        # to look something like:
         #
         #   "LOWER(#{quoted_table_name}.#{login_field}) = LOWER(#{login})"
         #
-        # If you don't specify this it just uses a regular case-sensitive search (with the binary modifier if necessary):
+        # If you don't specify this it just uses a regular case-sensitive search
+        # (with the binary modifier if necessary):
         #
         #   "BINARY #{login_field} = #{login}"
         #
-        # The above also applies for using email as your login, except that you need to set the :case_sensitive in
+        # The above also applies for using email as your login, except that you
+        # need to set the :case_sensitive in
         # validates_uniqueness_of_email_field_options to false.
         def find_by_smart_case_login_field(login)
           if login_field

data/lib/authlogic/acts_as_authentic/password.rb

@@ -162,7 +162,10 @@ module Authlogic
             validates_length_of_password_field_options
           )
         end
-        alias_method :validates_length_of_password_confirmation_field_options=, :validates_length_of_password_confirmation_field_options
+        alias_method(
+          :validates_length_of_password_confirmation_field_options=,
+          :validates_length_of_password_confirmation_field_options
+        )
 
         # See merge_validates_length_of_password_field_options. The same thing, except for
         # validates_length_of_password_confirmation_field_options
@@ -270,11 +273,10 @@ module Authlogic
             before_password_set
             @password = pass
             send("#{password_salt_field}=", Authlogic::Random.friendly_token) if password_salt_field
+            encryptor_arguments_type = act_like_restful_authentication? ? :restful_authentication : nil
             send(
               "#{crypted_password_field}=",
-              crypto_provider.encrypt(
-                *encrypt_arguments(@password, false, act_like_restful_authentication? ? :restful_authentication : nil)
-              )
+              crypto_provider.encrypt(*encrypt_arguments(@password, false, encryptor_arguments_type))
             )
             @password_changed = true
             after_password_set
@@ -297,13 +299,10 @@ module Authlogic
             before_password_verification
 
             crypto_providers.each_with_index do |encryptor, index|
-              # The arguments_type of for the transitioning from restful_authentication
-              arguments_type = (act_like_restful_authentication? && index == 0) ||
-                (transition_from_restful_authentication? && index > 0 && encryptor == Authlogic::CryptoProviders::Sha1) ?
-                :restful_authentication : nil
-
-              if encryptor.matches?(crypted, *encrypt_arguments(attempted_password, check_against_database, arguments_type))
-                transition_password(attempted_password) if transition_password?(index, encryptor, crypted, check_against_database)
+              if encryptor_matches?(crypted, encryptor, index, attempted_password, check_against_database)
+                if transition_password?(index, encryptor, crypted, check_against_database)
+                  transition_password(attempted_password)
+                end
                 after_password_verification
                 return true
               end
@@ -337,6 +336,8 @@ module Authlogic
               [crypto_provider] + transition_from_crypto_providers
             end
 
+            # Returns an array of arguments to be passed to a crypto provider, either its
+            # `matches?` or its `encrypt` method.
             def encrypt_arguments(raw_password, check_against_database, arguments_type = nil)
               salt = nil
               if password_salt_field
@@ -351,11 +352,26 @@ module Authlogic
               case arguments_type
               when :restful_authentication
                 [REST_AUTH_SITE_KEY, salt, raw_password, REST_AUTH_SITE_KEY].compact
-              else
+              when nil
                 [raw_password, salt].compact
+              else
+                raise "Invalid encryptor arguments_type: #{arguments_type}"
               end
             end
 
+            # Given `encryptor`, does `attempted_password` match the `crypted` password?
+            def encryptor_matches?(crypted, encryptor, index, attempted_password, check_against_database)
+              # The arguments_type for the transitioning from restful_authentication
+              acting_restful = act_like_restful_authentication? && index == 0
+              transitioning = transition_from_restful_authentication? &&
+                index > 0 &&
+                encryptor == Authlogic::CryptoProviders::Sha1
+              restful = acting_restful || transitioning
+              arguments_type = restful ? :restful_authentication : nil
+              encryptor_args = encrypt_arguments(attempted_password, check_against_database, arguments_type)
+              encryptor.matches?(crypted, *encryptor_args)
+            end
+
             # Determines if we need to transition the password.
             # If the index > 0 then we are using an "transition from" crypto provider.
             # If the encryptor has a cost and the cost it outdated.