authlogic 4.1.1 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0ca1b9d96dbb4d00cf0cad78c6a10bfbc8f893c931834eb560e2fa1a2db10b5
-  data.tar.gz: 274d571aafec37f865edd29222343e88545877ef79caade6f87bfca9b27f50da
+  metadata.gz: 3081d87618bffbf9f31777254d99aefe983f895699098458ca7583e32935ecef
+  data.tar.gz: 10bdd5b58605ce5c2081a4bc8c9ee206fe5ba679444581446469e03dfde615dc
 SHA512:
-  metadata.gz: 96c6ea47f5a5b6f98e4fadc427d0e1bbfa6b86f2d4a250757270fa375e0cda5a22a5e4fb7704a14e74a63ba87ef617a2adc489ea7ced107864635f98fa736c35
-  data.tar.gz: 7c3905f05ebb0c4e2694a57ef5e5c04a8cb2c2de97f8b4af965bbf5b41f71aba63646c9fcedc44d3e2916b178855ff56296ca97ecdd151a24d1abb72cc3133df
+  metadata.gz: 4c9afb5dfb70b62983cd5db0c0ae0576c4c956e8c43cc9ff9c4cdb7a803ed0eb8367e84e9978e28ad354cb7f4e443bb54b8b83a3be9fc3edd5f17426627cb9f6
+  data.tar.gz: d56d7d0629606635a73103fdd3da0424c051af48b15a3e4fd6317f7386ba42698cb970e441651bb6febbc098940f113ff4ca417eb0b0506e821bab0b69075e86

data/CHANGELOG.md

@@ -14,6 +14,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 * Fixed
   * None
 
+## 4.2.0 (2018-07-18)
+
+* Breaking Changes
+  * None
+* Added
+  * [#611](https://github.com/binarylogic/authlogic/pull/611) -  Deprecate
+    AES256, guide users to choose a better crypto provider
+* Fixed
+  * None
+
 ## 4.1.1 (2018-05-23)
 
 * Breaking Changes

data/UPGRADING.md

@@ -4,9 +4,11 @@ Supplemental instructions to complement CHANGELOG.md.
 
 ## 3.4.0
 
-In version 3.4.0, the default crypto_provider was changed from *Sha512* to *SCrypt*.
+In version 3.4.0, released 2014-03-03, the default crypto_provider was changed
+from *Sha512* to *SCrypt*.
 
-If you never set a crypto_provider and are upgrading, your passwords will break unless you set the original:
+If you never set a crypto_provider and are upgrading, your passwords will break
+unless you specify `Sha512`.
 
 ``` ruby
 c.crypto_provider = Authlogic::CryptoProviders::Sha512

data/authlogic.gemspec

@@ -27,8 +27,8 @@ require "authlogic/version"
   s.add_dependency "scrypt", ">= 1.2", "< 4.0"
   s.add_development_dependency "bcrypt", "~> 3.1"
   s.add_development_dependency "byebug", "~> 10.0"
-  s.add_development_dependency "minitest-reporters", "~> 1.2"
-  s.add_development_dependency "rubocop", "~> 0.56.0"
+  s.add_development_dependency "minitest-reporters", "~> 1.3"
+  s.add_development_dependency "rubocop", "~> 0.58.1"
   s.add_development_dependency "timecop", "~> 0.7"
 
   s.files = `git ls-files`.split("\n")

data/lib/authlogic.rb

@@ -1,7 +1,9 @@
-# Authlogic uses ActiveSupport's core extensions like `strip_heredoc`, which
-# ActiveRecord does not `require`. It's possible that we could save a few
-# milliseconds by loading only the specific core extensions we need, but
-# `all.rb` is simpler. We can revisit this decision if it becomes a problem.
+# Authlogic uses ActiveSupport's core extensions like `strip_heredoc` and
+# `squish`. ActiveRecord does not `require` these exensions, so we must.
+#
+# It's possible that we could save a few milliseconds by loading only the
+# specific core extensions we need, but `all.rb` is simpler. We can revisit this
+# decision if it becomes a problem.
 require "active_support/all"
 
 require "active_record"

data/lib/authlogic/acts_as_authentic/password.rb

@@ -195,13 +195,23 @@ module Authlogic
             validates_length_of_password_confirmation_field_options.merge(options)
         end
 
-        # The class you want to use to encrypt and verify your encrypted passwords. See
-        # the Authlogic::CryptoProviders module for more info on the available methods and
-        # how to create your own.
+        # The class you want to use to encrypt and verify your encrypted
+        # passwords. See the Authlogic::CryptoProviders module for more info on
+        # the available methods and how to create your own.
+        #
+        # The family of adaptive hash functions (BCrypt, SCrypt, PBKDF2) is the
+        # best choice for password storage today. We recommend SCrypt. Other
+        # one-way functions like SHA512 are inferior, but widely used.
+        # Reverisbile functions like AES256 are the worst choice.
+        #
+        # You can use the `transition_from_crypto_providers` option to gradually
+        # transition to a better crypto provider without causing your users any
+        # pain.
         #
         # * <tt>Default:</tt> CryptoProviders::SCrypt
         # * <tt>Accepts:</tt> Class
         def crypto_provider(value = nil)
+          CryptoProviders::Guidance.new(value).impart_wisdom
           rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
         end
         alias_method :crypto_provider=, :crypto_provider

data/lib/authlogic/acts_as_authentic/restful_authentication.rb

@@ -93,13 +93,13 @@ module Authlogic
       module InstanceMethods
         private
 
-          def act_like_restful_authentication?
-            self.class.act_like_restful_authentication == true
-          end
+        def act_like_restful_authentication?
+          self.class.act_like_restful_authentication == true
+        end
 
-          def transition_from_restful_authentication?
-            self.class.transition_from_restful_authentication == true
-          end
+        def transition_from_restful_authentication?
+          self.class.transition_from_restful_authentication == true
+        end
       end
     end
   end

data/lib/authlogic/crypto_providers.rb

@@ -1,4 +1,25 @@
 module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # The tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. For example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string.
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # Return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
   module CryptoProviders
     autoload :MD5,    "authlogic/crypto_providers/md5"
     autoload :Sha1,   "authlogic/crypto_providers/sha1"
@@ -9,5 +30,73 @@ module Authlogic
     autoload :SCrypt, "authlogic/crypto_providers/scrypt"
     # crypto_providers/wordpress.rb has never been autoloaded, and now it is
     # deprecated.
+
+    # Guide users to choose a better crypto provider.
+    class Guidance
+      AES256_DEPRECATED = <<-EOS.strip_heredoc.freeze
+        You have selected AES256 as your authlogic crypto provider. This
+        choice is not suitable for password storage.
+
+        Authlogic will drop its AES256 crypto provider in the next major
+        version. If you're unable to transition away from AES256 please let us
+        know immediately.
+
+        We recommend using a one-way algorithm instead. There are many choices;
+        we recommend scrypt. Use the transition_from_crypto_providers option
+        to make this painless for your users.
+      EOS
+      BUILTIN_PROVIDER_PREFIX = "Authlogic::CryptoProviders::".freeze
+      NONADAPTIVE_ALGORITHM = <<-EOS.strip_heredoc.freeze
+        You have selected %s as your authlogic crypto provider. This algorithm
+        does not have any practical known attacks against it. However, there are
+        better choices.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a more secure, adaptive hashing algorithm,
+        like scrypt. Adaptive algorithms are designed to slow down brute force
+        attacks, and over time the iteration count can be increased to make it
+        slower, so it remains resistant to brute-force search attacks even in
+        the face of increasing computation power.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+      VULNERABLE_ALGORITHM = <<-EOS.strip_heredoc.freeze
+        You have selected %s as your authlogic crypto provider. It is a poor
+        choice because there are known attacks against this algorithm.
+
+        Authlogic has no plans yet to deprecate this crypto provider. However,
+        we recommend transitioning to a secure hashing algorithm. We recommend
+        an adaptive algorithm, like scrypt.
+
+        Use the transition_from_crypto_providers option to make the transition
+        painless for your users.
+      EOS
+
+      def initialize(provider)
+        @provider = provider
+      end
+
+      def impart_wisdom
+        return unless @provider.is_a?(Class)
+
+        # We can only impart wisdom about our own built-in providers.
+        absolute_name = @provider.name
+        return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX)
+
+        # Inspect the string name of the provider, rather than using the
+        # constants in our `when` clauses. If we used the constants, we'd
+        # negate the benefits of the `autoload` above.
+        name = absolute_name.demodulize
+        case name
+        when "AES256"
+          ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED)
+        when "MD5", "Sha1"
+          warn(format(VULNERABLE_ALGORITHM, name))
+        when "Sha256", "Sha512"
+          warn(format(NONADAPTIVE_ALGORITHM, name))
+        end
+      end
+    end
   end
 end

data/lib/authlogic/crypto_providers/aes256.rb

@@ -2,21 +2,23 @@ require "openssl"
 
 module Authlogic
   module CryptoProviders
-    # This encryption method is reversible if you have the supplied key. So in order to
-    # use this encryption method you must supply it with a key first. In an initializer,
-    # or before your application initializes, you should do the following:
+    # This encryption method is reversible if you have the supplied key. So in
+    # order to use this encryption method you must supply it with a key first.
+    # In an initializer, or before your application initializes, you should do
+    # the following:
     #
     #   Authlogic::CryptoProviders::AES256.key = "long, unique, and random key"
     #
-    # My final comment is that this is a strong encryption method, but its main weakness
-    # is that it's reversible. If you do not need to reverse the hash then you should
-    # consider Sha512 or BCrypt instead.
+    # My final comment is that this is a strong encryption method, but its main
+    # weakness is that it's reversible. If you do not need to reverse the hash
+    # then you should consider Sha512 or BCrypt instead.
     #
-    # Keep your key in a safe place, some even say the key should be stored on a separate
-    # server. This won't hurt performance because the only time it will try and access the
-    # key on the separate server is during initialization, which only happens once. The
-    # reasoning behind this is if someone does compromise your server they won't have the
-    # key also. Basically, you don't want to store the key with the lock.
+    # Keep your key in a safe place, some even say the key should be stored on a
+    # separate server. This won't hurt performance because the only time it will
+    # try and access the key on the separate server is during initialization,
+    # which only happens once. The reasoning behind this is if someone does
+    # compromise your server they won't have the key also. Basically, you don't
+    # want to store the key with the lock.
     class AES256
       class << self
         attr_writer :key
@@ -53,6 +55,9 @@ module Authlogic
         # (https://github.com/ruby/openssl/commit/5c20a4c014) when openssl
         # became a gem. Its first release as a gem was 2.0.0, in ruby 2.4.
         # (See https://github.com/ruby/ruby/blob/v2_4_0/NEWS)
+        #
+        # When we eventually drop support for ruby < 2.4, we can probably also
+        # drop support for openssl gem < 2.
         def openssl_cipher_class
           if ::Gem::Version.new(::OpenSSL::VERSION) < ::Gem::Version.new("2.0.0")
             ::OpenSSL::Cipher::Cipher

data/lib/authlogic/crypto_providers/md5.rb

@@ -6,7 +6,8 @@ module Authlogic
     # I highly discourage using this crypto provider as it superbly inferior
     # to your other options.
     #
-    # Please use any other provider offered by Authlogic.
+    # Please use any other provider offered by Authlogic (except AES256, that
+    # would be even worse).
     class MD5
       class << self
         attr_accessor :join_token

data/lib/authlogic/crypto_providers/sha1.rb

@@ -2,9 +2,10 @@ require "digest/sha1"
 
 module Authlogic
   module CryptoProviders
-    # This class was made for the users transitioning from restful_authentication. I
-    # highly discourage using this crypto provider as it is far inferior to your other
-    # options. Please use any other provider offered by Authlogic.
+    # This class was made for the users transitioning from
+    # restful_authentication. Use of this crypto provider is highly discouraged.
+    # It is far inferior to your other options. Please use any other provider
+    # offered by Authlogic.
     class Sha1
       class << self
         def join_token
@@ -12,8 +13,8 @@ module Authlogic
         end
         attr_writer :join_token
 
-        # The number of times to loop through the encryption. This is ten because that is
-        # what restful_authentication defaults to.
+        # The number of times to loop through the encryption. This is ten
+        # because that is what restful_authentication defaults to.
         def stretches
           @stretches ||= 10
         end
@@ -29,8 +30,8 @@ module Authlogic
           digest
         end
 
-        # Does the crypted password match the tokens? Uses the same tokens that were used
-        # to encrypt.
+        # Does the crypted password match the tokens? Uses the same tokens that
+        # were used to encrypt.
         def matches?(crypted, *tokens)
           encrypt(*tokens) == crypted
         end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -1,27 +1,6 @@
 require "digest/sha2"
 
 module Authlogic
-  # The acts_as_authentic method has a crypto_provider option. This allows you
-  # to use any type of encryption you like. Just create a class with a class
-  # level encrypt and matches? method. See example below.
-  #
-  # === Example
-  #
-  #   class MyAwesomeEncryptionMethod
-  #     def self.encrypt(*tokens)
-  #       # The tokens passed will be an array of objects, what type of object
-  #       # is irrelevant, just do what you need to do with them and return a
-  #       # single encrypted string. For example, you will most likely join all
-  #       # of the objects into a single string and then encrypt that string.
-  #     end
-  #
-  #     def self.matches?(crypted, *tokens)
-  #       # Return true if the crypted string matches the tokens. Depending on
-  #       # your algorithm you might decrypt the string then compare it to the
-  #       # token, or you might encrypt the tokens and make sure it matches the
-  #       # crypted string, its up to you.
-  #     end
-  #   end
   module CryptoProviders
     # = Sha512
     #

data/lib/authlogic/session/callbacks.rb

@@ -133,11 +133,13 @@ module Authlogic
       end
 
       METHODS.each do |method|
-        class_eval <<-EOS, __FILE__, __LINE__ + 1
+        class_eval(
+          <<-EOS, __FILE__, __LINE__ + 1
             def #{method}
               run_callbacks(:#{method})
             end
           EOS
+        )
       end
 
       def save_record(alternate_record = nil)

data/lib/authlogic/session/http_auth.rb

@@ -73,34 +73,34 @@ module Authlogic
       module InstanceMethods
         private
 
-          def persist_by_http_auth?
-            allow_http_basic_auth? && login_field && password_field
-          end
-
-          def persist_by_http_auth
-            login_proc = proc do |login, password|
-              if !login.blank? && !password.blank?
-                send("#{login_field}=", login)
-                send("#{password_field}=", password)
-                valid?
-              end
-            end
+        def persist_by_http_auth?
+          allow_http_basic_auth? && login_field && password_field
+        end
 
-            if self.class.request_http_basic_auth
-              controller.authenticate_or_request_with_http_basic(
-                self.class.http_basic_auth_realm,
-                &login_proc
-              )
-            else
-              controller.authenticate_with_http_basic(&login_proc)
+        def persist_by_http_auth
+          login_proc = proc do |login, password|
+            if !login.blank? && !password.blank?
+              send("#{login_field}=", login)
+              send("#{password_field}=", password)
+              valid?
             end
-
-            false
           end
 
-          def allow_http_basic_auth?
-            self.class.allow_http_basic_auth == true
+          if self.class.request_http_basic_auth
+            controller.authenticate_or_request_with_http_basic(
+              self.class.http_basic_auth_realm,
+              &login_proc
+            )
+          else
+            controller.authenticate_with_http_basic(&login_proc)
           end
+
+          false
+        end
+
+        def allow_http_basic_auth?
+          self.class.allow_http_basic_auth == true
+        end
       end
     end
   end

data/lib/authlogic/session/magic_columns.rb

@@ -48,71 +48,71 @@ module Authlogic
       module InstanceMethods
         private
 
-          def clear_failed_login_count
-            if record.respond_to?(:failed_login_count)
-              record.failed_login_count = 0
-            end
+        def clear_failed_login_count
+          if record.respond_to?(:failed_login_count)
+            record.failed_login_count = 0
           end
+        end
 
-          def increase_failed_login_count
-            if invalid_password? && attempted_record.respond_to?(:failed_login_count)
-              attempted_record.failed_login_count ||= 0
-              attempted_record.failed_login_count += 1
-            end
+        def increase_failed_login_count
+          if invalid_password? && attempted_record.respond_to?(:failed_login_count)
+            attempted_record.failed_login_count ||= 0
+            attempted_record.failed_login_count += 1
           end
+        end
 
-          def increment_login_cout
-            if record.respond_to?(:login_count)
-              record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
-            end
+        def increment_login_cout
+          if record.respond_to?(:login_count)
+            record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1)
           end
+        end
 
-          def update_info
-            increment_login_cout
-            clear_failed_login_count
-            update_login_timestamps
-            update_login_ip_addresses
-          end
+        def update_info
+          increment_login_cout
+          clear_failed_login_count
+          update_login_timestamps
+          update_login_ip_addresses
+        end
 
-          def update_login_ip_addresses
-            if record.respond_to?(:current_login_ip)
-              record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
-              record.current_login_ip = controller.request.ip
-            end
+        def update_login_ip_addresses
+          if record.respond_to?(:current_login_ip)
+            record.last_login_ip = record.current_login_ip if record.respond_to?(:last_login_ip)
+            record.current_login_ip = controller.request.ip
           end
+        end
 
-          def update_login_timestamps
-            if record.respond_to?(:current_login_at)
-              record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
-              record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
-            end
+        def update_login_timestamps
+          if record.respond_to?(:current_login_at)
+            record.last_login_at = record.current_login_at if record.respond_to?(:last_login_at)
+            record.current_login_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
           end
+        end
 
-          # This method lets authlogic know whether it should allow the
-          # last_request_at field to be updated with the current time.
-          #
-          # See also `last_request_update_allowed?` in
-          # `Authlogic::ControllerAdapters::AbstractAdapter`
-          #
-          # @api private
-          def set_last_request_at?
-            if !record || !klass.column_names.include?("last_request_at")
-              return false
-            end
-            unless controller.last_request_update_allowed?
-              return false
-            end
-            record.last_request_at.blank? ||
-              last_request_at_threshold.to_i.seconds.ago >= record.last_request_at
+        # This method lets authlogic know whether it should allow the
+        # last_request_at field to be updated with the current time.
+        #
+        # See also `last_request_update_allowed?` in
+        # `Authlogic::ControllerAdapters::AbstractAdapter`
+        #
+        # @api private
+        def set_last_request_at?
+          if !record || !klass.column_names.include?("last_request_at")
+            return false
           end
-
-          def set_last_request_at
-            record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+          unless controller.last_request_update_allowed?
+            return false
           end
+          record.last_request_at.blank? ||
+            last_request_at_threshold.to_i.seconds.ago >= record.last_request_at
+        end
 
-          def last_request_at_threshold
-            self.class.last_request_at_threshold
-          end
+        def set_last_request_at
+          record.last_request_at = klass.default_timezone == :utc ? Time.now.utc : Time.now
+        end
+
+        def last_request_at_threshold
+          self.class.last_request_at_threshold
+        end
       end
     end
   end

data/lib/authlogic/session/magic_states.rb

@@ -50,32 +50,32 @@ module Authlogic
       module InstanceMethods
         private
 
-          def disable_magic_states?
-            self.class.disable_magic_states == true
-          end
+        def disable_magic_states?
+          self.class.disable_magic_states == true
+        end
 
-          # @api private
-          def required_magic_states_for(record)
-            %i[active approved confirmed].select { |state|
-              record.respond_to?("#{state}?")
-            }
-          end
+        # @api private
+        def required_magic_states_for(record)
+          %i[active approved confirmed].select { |state|
+            record.respond_to?("#{state}?")
+          }
+        end
 
-          def validate_magic_states
-            return true if attempted_record.nil?
-            required_magic_states_for(attempted_record).each do |required_status|
-              next if attempted_record.send("#{required_status}?")
-              errors.add(
-                :base,
-                I18n.t(
-                  "error_messages.not_#{required_status}",
-                  default: "Your account is not #{required_status}"
-                )
+        def validate_magic_states
+          return true if attempted_record.nil?
+          required_magic_states_for(attempted_record).each do |required_status|
+            next if attempted_record.send("#{required_status}?")
+            errors.add(
+              :base,
+              I18n.t(
+                "error_messages.not_#{required_status}",
+                default: "Your account is not #{required_status}"
               )
-              return false
-            end
-            true
+            )
+            return false
           end
+          true
+        end
       end
     end
   end

data/lib/authlogic/session/params.rb

@@ -80,50 +80,50 @@ module Authlogic
       module InstanceMethods
         private
 
-          def persist_by_params
-            return false unless params_enabled?
-            self.unauthorized_record = search_for_record(
-              "find_by_single_access_token",
-              params_credentials
-            )
-            self.single_access = valid?
-          end
+        def persist_by_params
+          return false unless params_enabled?
+          self.unauthorized_record = search_for_record(
+            "find_by_single_access_token",
+            params_credentials
+          )
+          self.single_access = valid?
+        end
 
-          def params_enabled?
-            if !params_credentials || !klass.column_names.include?("single_access_token")
-              return false
-            end
-            if controller.responds_to_single_access_allowed?
-              return controller.single_access_allowed?
-            end
-            params_enabled_by_allowed_request_types?
+        def params_enabled?
+          if !params_credentials || !klass.column_names.include?("single_access_token")
+            return false
           end
-
-          def params_enabled_by_allowed_request_types?
-            case single_access_allowed_request_types
-            when Array
-              single_access_allowed_request_types.include?(controller.request_content_type) ||
-                single_access_allowed_request_types.include?(:all)
-            else
-              %i[all any].include?(single_access_allowed_request_types)
-            end
+          if controller.responds_to_single_access_allowed?
+            return controller.single_access_allowed?
           end
+          params_enabled_by_allowed_request_types?
+        end
 
-          def params_key
-            build_key(self.class.params_key)
+        def params_enabled_by_allowed_request_types?
+          case single_access_allowed_request_types
+          when Array
+            single_access_allowed_request_types.include?(controller.request_content_type) ||
+              single_access_allowed_request_types.include?(:all)
+          else
+            %i[all any].include?(single_access_allowed_request_types)
           end
+        end
 
-          def single_access?
-            single_access == true
-          end
+        def params_key
+          build_key(self.class.params_key)
+        end
 
-          def single_access_allowed_request_types
-            self.class.single_access_allowed_request_types
-          end
+        def single_access?
+          single_access == true
+        end
 
-          def params_credentials
-            controller.params[params_key]
-          end
+        def single_access_allowed_request_types
+          self.class.single_access_allowed_request_types
+        end
+
+        def params_credentials
+          controller.params[params_key]
+        end
       end
     end
   end

data/lib/authlogic/session/password.rb

@@ -226,12 +226,14 @@ module Authlogic
           # using form_for don't fill the password with the attempted
           # password. To prevent this we just create this method that is
           # private.
-          self.class.class_eval <<-EOS, __FILE__, __LINE__ + 1
+          self.class.class_eval(
+            <<-EOS, __FILE__, __LINE__ + 1
               private
                 def protected_#{password_field}
                   @#{password_field}
                 end
             EOS
+          )
         end
 
         # In keeping with the metaphor of ActiveRecord, verification of the

data/lib/authlogic/session/session.rb

@@ -30,47 +30,47 @@ module Authlogic
       module InstanceMethods
         private
 
-          # Tries to validate the session from information in the session
-          def persist_by_session
-            persistence_token, record_id = session_credentials
-            if !persistence_token.nil?
-              record = persist_by_session_search(persistence_token, record_id)
-              if record && record.persistence_token == persistence_token
-                self.unauthorized_record = record
-              end
-              valid?
-            else
-              false
+        # Tries to validate the session from information in the session
+        def persist_by_session
+          persistence_token, record_id = session_credentials
+          if !persistence_token.nil?
+            record = persist_by_session_search(persistence_token, record_id)
+            if record && record.persistence_token == persistence_token
+              self.unauthorized_record = record
             end
+            valid?
+          else
+            false
           end
+        end
 
-          # Allow finding by persistence token, because when records are created
-          # the session is maintained in a before_save, when there is no id.
-          # This is done for performance reasons and to save on queries.
-          def persist_by_session_search(persistence_token, record_id)
-            if record_id.nil?
-              search_for_record("find_by_persistence_token", persistence_token.to_s)
-            else
-              search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
-            end
+        # Allow finding by persistence token, because when records are created
+        # the session is maintained in a before_save, when there is no id.
+        # This is done for performance reasons and to save on queries.
+        def persist_by_session_search(persistence_token, record_id)
+          if record_id.nil?
+            search_for_record("find_by_persistence_token", persistence_token.to_s)
+          else
+            search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
           end
+        end
 
-          def session_credentials
-            [
-              controller.session[session_key],
-              controller.session["#{session_key}_#{klass.primary_key}"]
-            ].collect { |i| i.nil? ? i : i.to_s }.compact
-          end
+        def session_credentials
+          [
+            controller.session[session_key],
+            controller.session["#{session_key}_#{klass.primary_key}"]
+          ].collect { |i| i.nil? ? i : i.to_s }.compact
+        end
 
-          def session_key
-            build_key(self.class.session_key)
-          end
+        def session_key
+          build_key(self.class.session_key)
+        end
 
-          def update_session
-            controller.session[session_key] = record && record.persistence_token
-            compound_key = "#{session_key}_#{klass.primary_key}"
-            controller.session[compound_key] = record && record.send(record.class.primary_key)
-          end
+        def update_session
+          controller.session[session_key] = record && record.persistence_token
+          compound_key = "#{session_key}_#{klass.primary_key}"
+          controller.session[compound_key] = record && record.send(record.class.primary_key)
+        end
       end
     end
   end

data/lib/authlogic/version.rb

@@ -16,6 +16,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("4.1.1")
+    ::Gem::Version.new("4.2.0")
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.2.0
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-23 00:00:00.000000000 Z
+date: 2018-07-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activerecord
@@ -120,28 +120,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.56.0
+        version: 0.58.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.56.0
+        version: 0.58.1
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement