authlogic 3.7.0 → 3.8.0

data/.travis.yml

@@ -31,10 +31,14 @@ matrix:
       gemfile: test/gemfiles/Gemfile.rails-5.0.x
     - rvm: 1.9.3
       gemfile: test/gemfiles/Gemfile.rails-5.1.x
+    - rvm: 1.9.3
+      gemfile: test/gemfiles/Gemfile.rails-5.2.x
     - rvm: 2.1.10
       gemfile: test/gemfiles/Gemfile.rails-5.0.x
     - rvm: 2.1.10
       gemfile: test/gemfiles/Gemfile.rails-5.1.x
+    - rvm: 2.1.10
+      gemfile: test/gemfiles/Gemfile.rails-5.2.x
     - rvm: 2.2.6
       gemfile: test/gemfiles/Gemfile.rails-3.2.x
     - rvm: 2.3.3

data/CHANGELOG.md

@@ -1,165 +1,5 @@
 # Changelog
 
-## 3.7.0 2018-02-07
+The authlogic changelog is maintained on the master branch only.
 
-* Breaking Changes
-  * None
-
-* Added
-  * Deprecated ActionController::Parameters as arguments to credentials=(), will be removed in 4.0. (https://github.com/binarylogic/authlogic/pull/558)
-
-* Fixed
-  * None
-
-## 3.6.1 2017-09-30
-
-* Breaking Changes
-  * None
-
-* Added
-  * None
-
-* Fixed
-  * Allow tld up to 24 characters per https://data.iana.org/TLD/tlds-alpha-by-domain.txt
-  * [#561](https://github.com/binarylogic/authlogic/issues/561)
-    authenticates_many now works with scope_cookies:true
-
-## 3.6.0 2017-04-28
-
-* Added
-  * rails 5.1 support
-
-* Fixed
-  * ensure that login field validation uses correct locale (@sskirby)
-
-## 3.5.0 2016-08-29
-
-* new
-  * Rails 5.0 support! Thanks to all reporters and contributors.
-
-* changes
-  * increased default minimum password length to 8 (@iainbeeston)
-  * bind parameters in where statement for rails 5 support
-  * change callback for rails 5 support
-  * converts the ActionController::Parameters to a Hash for rails 5 support
-  * check last_request_at_threshold even if last_request_at_update_allowed returns true (@rofreg)
-
-## 3.4.6 2015
-
-* changes
-  * add Regex.email_nonascii for validation of emails w/unicode (@rchekaluk)
-  * allow scrypt 2.x (@jaredbeck)
-
-## 3.4.5 2015-03-01
-
-* changes
-  * security-hardening fix and cleanup in persistence_token lookup
-  * security-hardening fix in perishable_token lookup (thx @tomekr)
-
-## 3.4.4 2014-12-23
-
-* changes
-  * extract rw_config into an Authlogic::Config module
-  * improved the way config changes are made in tests
-  * fix for Rails 4.2 by extending ActiveModel
-
-## 3.4.3 2014-10-08
-
-* changes
-  * backfill CHANGELOG
-  * better compatibility with jruby (thx @petergoldstein)
-  * added scrypt as a dependency
-  * cleanup some code (thx @roryokane)
-  * reference 'bcrypt' gem instead of 'bcrypt-ruby' (thx @roryokane)
-  * fixed typo (thx @chamini2)
-  * fixed magic column validations for Rails 4.2 (thx @tom-kuca)
-
-## 3.4.2 2014-04-28
-
-* changes
-  * fixed the missing scrypt/bcrypt gem errors introduced in 3.4.1
-  * implemented autoloading for providers
-  * added longer subdomain support in email regex
-
-## 3.4.1 2014-04-04
-
-* changes
-  * undid an accidental revert of some code
-
-## 3.4.0 2014-03-03
-
-* new
-  * added cookie signing
-  * added request store for better concurency for threaded environments
-
-* changes
-  * BREAKING CHANGE: made scrypt the default crypto provider from SHA512 (https://github.com/binarylogic/authlogic#upgrading-to-authlogic-340)
-  * ditched appraisal
-  * officially support rails 4 (still supporting rails 3)
-  * improved find_with_case default performance
-  * added a rack adapter for Rack middleware support
-  * added travis ci support
-
-## 3.3.0 2014-04-04
-
-* changes
-  * added safeguard against a sqli that was also fixed in rails 3.2.10/3.1.9/3.0.18
-  * imposed the bcrypt gem's mincost
-  * removed shoulda macros
-
-## 3.2.0 2012-12-07
-
-* new
-  * scrypt support
-
-* changes
-  * moved back to LOWER for find_with_case ci lookups
-
-## 3.1.3 2012-06-13
-
-* changes
-  * removed jeweler
-
-## 3.1.2 2012-06-01
-
-* changes
-  * mostly test fixes
-
-## 3.1.1 2012-06-01
-
-* changes
-  * mostly doc fixes
-
-## 3.1.0 2011-10-19
-
-* changes
-  * mostly small bug fixes
-
-## 3.0.3 2011-05-17
-
-* changes
-  * rails 3.1 support
-
-* new
-  * http auth support
-
-## 3.0.2 2011-04-30
-
-* changes
-  * doc fixes
-
-## 3.0.1 2011-04-30
-
-* changes
-  * switch from LOWER to LIKE for find_with_case ci lookups
-
-## 3.0.0 2011-04-30
-
-* new
-  * ssl cookie support
-  * httponly cookie support
-  * added a session generator
-
-* changes
-  * rails 3 support
-  * ruby 1.9.2 support
+https://github.com/binarylogic/authlogic/blob/master/CHANGELOG.md

data/authlogic.gemspec

@@ -3,18 +3,17 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "authlogic"
-  s.version     = "3.7.0"
+  s.version     = "3.8.0"
   s.platform    = Gem::Platform::RUBY
   s.authors     = ["Ben Johnson"]
   s.email       = ["bjohnson@binarylogic.com"]
   s.homepage    = "http://github.com/binarylogic/authlogic"
   s.summary     = 'A clean, simple, and unobtrusive ruby authentication solution.'
-  s.description = 'A clean, simple, and unobtrusive ruby authentication solution.'
 
   s.license = 'MIT'
 
-  s.add_dependency 'activerecord', ['>= 3.2', '< 5.2']
-  s.add_dependency 'activesupport', ['>= 3.2', '< 5.2']
+  s.add_dependency 'activerecord', ['>= 3.2', '< 5.3']
+  s.add_dependency 'activesupport', ['>= 3.2', '< 5.3']
   s.add_dependency 'request_store', '~> 1.0'
   s.add_dependency 'scrypt', '>= 1.2', '< 4.0'
   s.add_development_dependency 'bcrypt', '~> 3.1'

data/lib/authlogic.rb

@@ -1,3 +1,9 @@
+# Authlogic uses ActiveSupport's core extensions like `strip_heredoc`, which
+# ActiveRecord does not `require`. It's possible that we could save a few
+# milliseconds by loading only the specific core extensions we need, but
+# `all.rb` is simpler. We can revisit this decision if it becomes a problem.
+require "active_support/all"
+
 require "active_record"
 
 path = File.dirname(__FILE__) + "/authlogic/"

data/lib/authlogic/crypto_providers/aes256.rb

@@ -38,8 +38,27 @@ module Authlogic
         private
 
           def aes
-            raise ArgumentError.new("You must provide a key like #{name}.key = my_key before using the #{name}") if @key.blank?
-            @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+            if @key.blank?
+              raise ArgumentError.new(
+                "You must provide a key like #{name}.key = my_key before using the #{name}"
+              )
+            end
+
+            @aes ||= openssl_cipher_class.new("AES-256-ECB")
+          end
+
+          # `::OpenSSL::Cipher::Cipher` has been deprecated since at least 2014,
+          # in favor of `::OpenSSL::Cipher`, but a deprecation warning was not
+          # printed until 2016
+          # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
+          # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
+          # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
+          def openssl_cipher_class
+            if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
+              ::OpenSSL::Cipher::Cipher
+            else
+              ::OpenSSL::Cipher
+            end
           end
       end
     end

data/lib/authlogic/session/password.rb

@@ -127,8 +127,40 @@ module Authlogic
         alias_method :verify_password_method=, :verify_password_method
       end
 
-      # Password related instance methods
+      # Password-related instance methods
       module InstanceMethods
+        E_AC_PARAMETERS = <<-STR.strip_heredoc.freeze
+          You have passed an ActionController::Parameters to Authlogic 3. That's
+          OK for now, but in Authlogic 4, it will raise an error. Please
+          replace:
+
+              UserSession.new(user_session_params)
+              UserSession.create(user_session_params)
+
+          with
+
+              UserSession.new(user_session_params.to_h)
+              UserSession.create(user_session_params.to_h)
+
+          And don't forget to `permit`!
+
+          During the transition of rails to Strong Parameters, it has been
+          common for Authlogic users to forget to `permit` their params. They
+          would pass their params into Authlogic, we'd call `to_h`, and they'd
+          be surprised when authentication failed.
+
+          In 2018, people are still making this mistake. We'd like to help them
+          and make authlogic a little simpler at the same time, so in Authlogic
+          3.7.0, we deprecated the use of ActionController::Parameters.
+
+          We discussed this issue thoroughly between late 2016 and early
+          2018. Notable discussions include:
+
+          - https://github.com/binarylogic/authlogic/issues/512
+          - https://github.com/binarylogic/authlogic/pull/558
+          - https://github.com/binarylogic/authlogic/pull/577
+        STR
+
         def initialize(*args)
           if !self.class.configured_password_methods
             configure_password_methods
@@ -264,25 +296,7 @@ module Authlogic
           # This method converts the ActionController::Parameters to a Hash
           def parse_param_val(value)
             if value.first.class.name == "ActionController::Parameters"
-              ActiveSupport::Deprecation.warn(
-                <<-STR.strip_heredoc
-                  You have passed an ActionController::Parameters to Authlogic 3.
-                  That's OK for now, but in Authlogic 4, anything other than a
-                  plain Hash will raise an error. Please replace:
-
-                      UserSession.new(user_session_params)
-                      UserSession.create(user_session_params)
-
-                  with
-
-                      UserSession.new(user_session_params.to_h)
-                      UserSession.create(user_session_params.to_h)
-
-                  Why this change? Well, ActionController is not a dependency of
-                  Authlogic. Therefore, Authlogic should not have special code
-                  that knows how to deal with ActionController.
-                STR
-              )
+              ActiveSupport::Deprecation.warn(E_AC_PARAMETERS)
               [value.first.to_h]
             else
               value.is_a?(Array) ? value : [value]

data/test/gemfiles/Gemfile.rails-5.2.x

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+gemspec :path => "./../.."
+
+gem "activerecord", "~> 5.2.x"
+gem "activesupport", "~> 5.2.x"
+gem 'sqlite3', :platforms => :ruby

data/test/test_helper.rb

@@ -114,7 +114,11 @@ require_relative 'libs/user'
 require_relative 'libs/user_session'
 require_relative 'libs/company'
 
-Authlogic::CryptoProviders::AES256.key = "myafdsfddddddddddddddddddddddddddddddddddddddddddddddd"
+# Recent change, 2017-10-23: We had used a 54-letter string here. In the default
+# encoding, UTF-8, that's 54 bytes, which is clearly incorrect for an algorithm
+# with a 256-bit key, but I guess it worked. With the release of ruby 2.4 (and
+# thus openssl gem 2.0), it is more strict, and must be exactly 32 bytes.
+Authlogic::CryptoProviders::AES256.key = ::OpenSSL::Random.random_bytes(32)
 
 class ActiveSupport::TestCase
   include ActiveRecord::TestFixtures

metadata

@@ -1,143 +1,158 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 3.7.0
+  version: 3.8.0
+  prerelease: 
 platform: ruby
 authors:
 - Ben Johnson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-07 00:00:00.000000000 Z
+date: 2018-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.3'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
-        version: '5.2'
+        version: '5.3'
 - !ruby/object:Gem::Dependency
   name: request_store
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: scrypt
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '1.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
         version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ">="
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '1.2'
-    - - "<"
+    - - <
       - !ruby/object:Gem::Version
         version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '0.7'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.41.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 0.41.2
-description: A clean, simple, and unobtrusive ruby authentication solution.
+description: 
 email:
 - bjohnson@binarylogic.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/ISSUE_TEMPLATE.md"
-- ".gitignore"
-- ".rubocop.yml"
-- ".rubocop_todo.yml"
-- ".travis.yml"
+- .github/ISSUE_TEMPLATE.md
+- .gitignore
+- .rubocop.yml
+- .rubocop_todo.yml
+- .travis.yml
 - CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
@@ -236,6 +251,7 @@ files:
 - test/gemfiles/Gemfile.rails-4.2.x
 - test/gemfiles/Gemfile.rails-5.0.x
 - test/gemfiles/Gemfile.rails-5.1.x
+- test/gemfiles/Gemfile.rails-5.2.x
 - test/i18n/lol.yml
 - test/i18n_test.rb
 - test/libs/affiliate.rb
@@ -273,26 +289,27 @@ files:
 homepage: http://github.com/binarylogic/authlogic
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - ">="
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 1.8.23.2
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: A clean, simple, and unobtrusive ruby authentication solution.
 test_files:
 - test/acts_as_authentic_test/base_test.rb
@@ -324,6 +341,7 @@ test_files:
 - test/gemfiles/Gemfile.rails-4.2.x
 - test/gemfiles/Gemfile.rails-5.0.x
 - test/gemfiles/Gemfile.rails-5.1.x
+- test/gemfiles/Gemfile.rails-5.2.x
 - test/i18n/lol.yml
 - test/i18n_test.rb
 - test/libs/affiliate.rb

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 8dadada58ca458ceab9c98ba5f65e2101537cf98
-  data.tar.gz: f4f3ddeba32aedb4270aacfafb209c7ae5a9c1f9
-SHA512:
-  metadata.gz: 0cfb2248649b20f491f9c76ef75963f54903091d2e7c2407baa4489450d1f3785a73a060aa94e3559cb06b3cc49536c0641eb4b8ebabb4aca048493286a617c6
-  data.tar.gz: 9d2cbf631385ecc85a887bf23676acbeeac2f7c65336ea9290c23de60a3bd0aaaab284281f6e5a439f287ea871180eb67bea29bc7a4e8cf996293decf852b634