authlogic 4.4.2 → 4.4.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/CHANGELOG.md +11 -1
- data/Gemfile +1 -1
- data/README.md +1 -1
- data/gemfiles/Gemfile.rails-4.2.x +1 -1
- data/gemfiles/Gemfile.rails-5.1.x +1 -1
- data/gemfiles/Gemfile.rails-5.2.x +1 -1
- data/lib/authlogic/session/cookies.rb +46 -13
- data/lib/authlogic/test_case/mock_cookie_jar.rb +35 -0
- data/lib/authlogic/version.rb +1 -1
- data/test/session_test/cookies_test.rb +16 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 2ddee07d72769ceaa9ba7e1cb47f8f4642df0ab981de7bac607f69796c9d0d6f
|
|
4
|
+
data.tar.gz: b1ee15e2637cf3379e6c24b1dda35abcf05527fb848c0d73ed25cf64633cf5fb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e9f6bab4ddc5418fc74229a12912ef3411cf6252f8c9b22f88343ee9d8241bf7b3f4b82b159ea1375b1f69c107ebfb37cefb8503d8ba8971f9446994f21016dd
|
|
7
|
+
data.tar.gz: b8da5a086e0bb4b9047d16dda29877a2ddd5c791a2fa7998d1ffbd1d56dec04cb78026525070d008f05b7267e2a16c49810e688131c725b625499ecda53af0cf
|
data/CHANGELOG.md
CHANGED
|
@@ -5,7 +5,7 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
|
|
6
6
|
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
-
## 5.0.0
|
|
8
|
+
## [5.0.0](https://github.com/binarylogic/authlogic/blob/5-0-stable/CHANGELOG.md)
|
|
9
9
|
|
|
10
10
|
* Breaking Changes
|
|
11
11
|
* Drop AES256 crypto provider, deprecated in 4.2.0
|
|
@@ -16,6 +16,16 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
|
|
|
16
16
|
* Fixed
|
|
17
17
|
* None
|
|
18
18
|
|
|
19
|
+
## 4.4.3 (2019-03-23)
|
|
20
|
+
|
|
21
|
+
* Breaking Changes
|
|
22
|
+
* None
|
|
23
|
+
* Added
|
|
24
|
+
* [#660](https://github.com/binarylogic/authlogic/pull/660) -
|
|
25
|
+
Authlogic::Session::Cookies.encrypt_cookie option
|
|
26
|
+
* Fixed
|
|
27
|
+
* Restrict sqlite3 version so tests can run normally
|
|
28
|
+
|
|
19
29
|
## 4.4.2 (2018-09-23)
|
|
20
30
|
|
|
21
31
|
* Breaking Changes
|
data/Gemfile
CHANGED
data/README.md
CHANGED
|
@@ -15,7 +15,7 @@ A clean, simple, and unobtrusive ruby authentication solution.
|
|
|
15
15
|
| Version | Documentation |
|
|
16
16
|
| ----------- | ------------- |
|
|
17
17
|
| Unreleased | https://github.com/binarylogic/authlogic/blob/master/README.md |
|
|
18
|
-
| 4.4.
|
|
18
|
+
| 4.4.3 | https://github.com/binarylogic/authlogic/blob/v4.4.3/README.md |
|
|
19
19
|
| 3.7.0 | https://github.com/binarylogic/authlogic/blob/v3.7.0/README.md |
|
|
20
20
|
| 2.1.11 | https://github.com/binarylogic/authlogic/blob/v2.1.11/README.rdoc |
|
|
21
21
|
| 1.4.3 | https://github.com/binarylogic/authlogic/blob/v1.4.3/README.rdoc |
|
|
@@ -96,6 +96,20 @@ module Authlogic
|
|
|
96
96
|
rw_config(:sign_cookie, value, false)
|
|
97
97
|
end
|
|
98
98
|
alias_method :sign_cookie=, :sign_cookie
|
|
99
|
+
|
|
100
|
+
# Should the cookie be encrypted? If the controller adapter supports it, this is a
|
|
101
|
+
# measure to hide the contents of the cookie (e.g. persistence_token)"
|
|
102
|
+
def encrypt_cookie(value = nil)
|
|
103
|
+
if value && !controller.cookies.respond_to?(:encrypted)
|
|
104
|
+
raise "Encrypted cookies not supported with #{controller.class}!"
|
|
105
|
+
end
|
|
106
|
+
if value && sign_cookie
|
|
107
|
+
raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
|
|
108
|
+
"You may not enable both options."
|
|
109
|
+
end
|
|
110
|
+
rw_config(:encrypt_cookie, value, false)
|
|
111
|
+
end
|
|
112
|
+
alias_method :encrypt_cookie=, :encrypt_cookie
|
|
99
113
|
end
|
|
100
114
|
|
|
101
115
|
# The methods available for an Authlogic::Session::Base object that make up the
|
|
@@ -220,6 +234,23 @@ module Authlogic
|
|
|
220
234
|
sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
|
|
221
235
|
end
|
|
222
236
|
|
|
237
|
+
# If the cookie should be encrypted
|
|
238
|
+
def encrypt_cookie
|
|
239
|
+
return @encrypt_cookie if defined?(@encrypt_cookie)
|
|
240
|
+
@encrypt_cookie = self.class.encrypt_cookie
|
|
241
|
+
end
|
|
242
|
+
|
|
243
|
+
# Accepts a boolean as to whether the cookie should be encrypted. If true
|
|
244
|
+
# the cookie will be saved in an encrypted state.
|
|
245
|
+
def encrypt_cookie=(value)
|
|
246
|
+
@encrypt_cookie = value
|
|
247
|
+
end
|
|
248
|
+
|
|
249
|
+
# See encrypt_cookie
|
|
250
|
+
def encrypt_cookie?
|
|
251
|
+
encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
|
|
252
|
+
end
|
|
253
|
+
|
|
223
254
|
private
|
|
224
255
|
|
|
225
256
|
def cookie_key
|
|
@@ -241,7 +272,9 @@ module Authlogic
|
|
|
241
272
|
end
|
|
242
273
|
|
|
243
274
|
def cookie_jar
|
|
244
|
-
if self.class.
|
|
275
|
+
if self.class.encrypt_cookie
|
|
276
|
+
controller.cookies.encrypted
|
|
277
|
+
elsif self.class.sign_cookie
|
|
245
278
|
controller.cookies.signed
|
|
246
279
|
else
|
|
247
280
|
controller.cookies
|
|
@@ -263,22 +296,13 @@ module Authlogic
|
|
|
263
296
|
end
|
|
264
297
|
|
|
265
298
|
def save_cookie
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
else
|
|
269
|
-
controller.cookies[cookie_key] = generate_cookie_for_saving
|
|
270
|
-
end
|
|
299
|
+
cookie_jar[cookie_key] = generate_cookie_for_saving
|
|
300
|
+
true
|
|
271
301
|
end
|
|
272
302
|
|
|
273
303
|
def generate_cookie_for_saving
|
|
274
|
-
value = format(
|
|
275
|
-
"%s::%s%s",
|
|
276
|
-
record.persistence_token,
|
|
277
|
-
record.send(record.class.primary_key),
|
|
278
|
-
remember_me? ? "::#{remember_me_until.iso8601}" : ""
|
|
279
|
-
)
|
|
280
304
|
{
|
|
281
|
-
value:
|
|
305
|
+
value: generate_cookie_value,
|
|
282
306
|
expires: remember_me_until,
|
|
283
307
|
secure: secure,
|
|
284
308
|
httponly: httponly,
|
|
@@ -287,6 +311,15 @@ module Authlogic
|
|
|
287
311
|
}
|
|
288
312
|
end
|
|
289
313
|
|
|
314
|
+
def generate_cookie_value
|
|
315
|
+
format(
|
|
316
|
+
"%s::%s%s",
|
|
317
|
+
record.persistence_token.to_s,
|
|
318
|
+
record.send(record.class.primary_key).to_s,
|
|
319
|
+
remember_me? ? "::#{remember_me_until.iso8601}" : ""
|
|
320
|
+
)
|
|
321
|
+
end
|
|
322
|
+
|
|
290
323
|
def destroy_cookie
|
|
291
324
|
controller.cookies.delete cookie_key, domain: controller.cookie_domain
|
|
292
325
|
end
|
|
@@ -21,6 +21,10 @@ module Authlogic
|
|
|
21
21
|
def signed
|
|
22
22
|
@signed ||= MockSignedCookieJar.new(self)
|
|
23
23
|
end
|
|
24
|
+
|
|
25
|
+
def encrypted
|
|
26
|
+
@encrypted ||= MockEncryptedCookieJar.new(self)
|
|
27
|
+
end
|
|
24
28
|
end
|
|
25
29
|
|
|
26
30
|
class MockSignedCookieJar < MockCookieJar
|
|
@@ -28,6 +32,7 @@ module Authlogic
|
|
|
28
32
|
|
|
29
33
|
def initialize(parent_jar)
|
|
30
34
|
@parent_jar = parent_jar
|
|
35
|
+
parent_jar.each { |k, v| self[k] = v }
|
|
31
36
|
end
|
|
32
37
|
|
|
33
38
|
def [](val)
|
|
@@ -44,5 +49,35 @@ module Authlogic
|
|
|
44
49
|
@parent_jar[key] = options
|
|
45
50
|
end
|
|
46
51
|
end
|
|
52
|
+
|
|
53
|
+
class MockEncryptedCookieJar < MockCookieJar
|
|
54
|
+
attr_reader :parent_jar # helper for testing
|
|
55
|
+
|
|
56
|
+
def initialize(parent_jar)
|
|
57
|
+
@parent_jar = parent_jar
|
|
58
|
+
parent_jar.each { |k, v| self[k] = v }
|
|
59
|
+
end
|
|
60
|
+
|
|
61
|
+
def [](val)
|
|
62
|
+
encrypted_message = @parent_jar[val]
|
|
63
|
+
if encrypted_message
|
|
64
|
+
self.class.decrypt(encrypted_message)
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
def []=(key, options)
|
|
69
|
+
options[:value] = self.class.encrypt(options[:value])
|
|
70
|
+
@parent_jar[key] = options
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
# simple caesar cipher for testing
|
|
74
|
+
def self.encrypt(str)
|
|
75
|
+
str.unpack("U*").map(&:succ).pack("U*")
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
def self.decrypt(str)
|
|
79
|
+
str.unpack("U*").map(&:pred).pack("U*")
|
|
80
|
+
end
|
|
81
|
+
end
|
|
47
82
|
end
|
|
48
83
|
end
|
data/lib/authlogic/version.rb
CHANGED
|
@@ -174,6 +174,22 @@ module SessionTest
|
|
|
174
174
|
)
|
|
175
175
|
end
|
|
176
176
|
|
|
177
|
+
def test_after_save_save_cookie_encrypted
|
|
178
|
+
ben = users(:ben)
|
|
179
|
+
|
|
180
|
+
assert_nil controller.cookies["user_credentials"]
|
|
181
|
+
payload = "#{ben.persistence_token}::#{ben.id}"
|
|
182
|
+
|
|
183
|
+
session = UserSession.new(ben)
|
|
184
|
+
session.encrypt_cookie = true
|
|
185
|
+
assert session.save
|
|
186
|
+
assert_equal payload, controller.cookies.encrypted["user_credentials"]
|
|
187
|
+
assert_equal(
|
|
188
|
+
Authlogic::TestCase::MockEncryptedCookieJar.encrypt(payload),
|
|
189
|
+
controller.cookies.encrypted.parent_jar["user_credentials"]
|
|
190
|
+
)
|
|
191
|
+
end
|
|
192
|
+
|
|
177
193
|
def test_after_save_save_cookie_signed
|
|
178
194
|
ben = users(:ben)
|
|
179
195
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: authlogic
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.4.
|
|
4
|
+
version: 4.4.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ben Johnson
|
|
@@ -10,7 +10,7 @@ authors:
|
|
|
10
10
|
autorequire:
|
|
11
11
|
bindir: bin
|
|
12
12
|
cert_chain: []
|
|
13
|
-
date:
|
|
13
|
+
date: 2019-03-24 00:00:00.000000000 Z
|
|
14
14
|
dependencies:
|
|
15
15
|
- !ruby/object:Gem::Dependency
|
|
16
16
|
name: activerecord
|
|
@@ -327,7 +327,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
327
327
|
version: '0'
|
|
328
328
|
requirements: []
|
|
329
329
|
rubyforge_project:
|
|
330
|
-
rubygems_version: 2.
|
|
330
|
+
rubygems_version: 2.7.6
|
|
331
331
|
signing_key:
|
|
332
332
|
specification_version: 4
|
|
333
333
|
summary: A clean, simple, and unobtrusive ruby authentication solution.
|