authlogic 5.2.0 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4ede36ceee21501805105c66349d58ba6c6d9d483d5fefc41b8d4cbd5189944
-  data.tar.gz: f323b446e8f8e2a722bb9d896249170596f64ebf8ff441b2740cb834c2b085b8
+  metadata.gz: 755961398552a88cf3761088e4521e71e243249b3a131632e281679d723c82fe
+  data.tar.gz: 2b739ad482ecdaad8218065a4c03882e730c86825bc7140691e451fc26032815
 SHA512:
-  metadata.gz: 26cda51c7c8e2b5a8be9395ef13e3d39d9ee1c73429542d107bb229747b9a004800771a96b8f516e4f994c8926b1d0ef2fb1bf45e38102646451c48a3e4fb453
-  data.tar.gz: 971d54be27f18e12d8d7eafad90e50627098c689b34e047c0ddea4a96f82abf8c80e45766f49fdd82a9efb45fd3508ca312ee4b0cc0508d06a37887d45f9fcb0
+  metadata.gz: 52e998e1210ac287f2bc91d01d2afba9416f5b0eee54cff13d89c6c9affdd2ff2a88ac1a80e78ce100c2a43dcbcf777a5f22dd3d72ff3571bc69c5242a89d97c
+  data.tar.gz: 6152232cf873d2c9be4fa24584b3d8bf8013f95ae58a8117f4494c3a6632df814e36b85d02c67efc0e2b73849a43333c0b9bcf9cb1d379f10587147aa69f808e

data/lib/authlogic.rb

@@ -13,6 +13,7 @@ require "active_record"
 path = File.dirname(__FILE__) + "/authlogic/"
 
 [
+  "errors",
   "i18n",
   "random",
   "config",

data/lib/authlogic/acts_as_authentic/password.rb

@@ -109,13 +109,23 @@ module Authlogic
         # transition to a better crypto provider without causing your users any
         # pain.
         #
-        # * <tt>Default:</tt> CryptoProviders::SCrypt
+        # * <tt>Default:</tt> There is no longer a default value. Prior to
+        #   Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+        #   to read this config option before setting it, it will raise a
+        #   `NilCryptoProvider` error. See that error's message for further
+        #   details, and rationale for this change.
         # * <tt>Accepts:</tt> Class
-        def crypto_provider(value = nil)
+        def crypto_provider
+          acts_as_authentic_config[:crypto_provider].tap { |provider|
+            raise NilCryptoProvider if provider.nil?
+          }
+        end
+
+        def crypto_provider=(value)
+          raise NilCryptoProvider if value.nil?
           CryptoProviders::Guidance.new(value).impart_wisdom
-          rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+          rw_config(:crypto_provider, value)
         end
-        alias crypto_provider= crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to

data/lib/authlogic/acts_as_authentic/session_maintenance.rb

@@ -176,7 +176,9 @@ module Authlogic
         end
 
         def log_in_after_password_change?
-          will_save_change_to_persistence_token? && self.class.log_in_after_password_change
+          persisted? &&
+            will_save_change_to_persistence_token? &&
+            self.class.log_in_after_password_change
         end
       end
     end

data/lib/authlogic/crypto_providers/md5.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class MD5
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "md5", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/md5/v2.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "digest/md5"
+
+module Authlogic
+  module CryptoProviders
+    class MD5
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 1
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a MD5 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::MD5.digest(digest) }
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha1.rb

@@ -6,6 +6,9 @@ module Authlogic
   module CryptoProviders
     # A poor choice. There are known attacks against this algorithm.
     class Sha1
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha1", "v2")
+
       class << self
         def join_token
           @join_token ||= "--"

data/lib/authlogic/crypto_providers/sha1/v2.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require "digest/sha1"
+
+module Authlogic
+  module CryptoProviders
+    class Sha1
+      # A poor choice. There are known attacks against this algorithm.
+      class V2
+        class << self
+          def join_token
+            @join_token ||= "--"
+          end
+          attr_writer :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 10
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha1 hash.
+          def encrypt(*tokens)
+            tokens = tokens.flatten
+            digest = tokens.shift
+            stretches.times do
+              digest = Digest::SHA1.digest([digest, *tokens].join(join_token))
+            end
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha256.rb

@@ -29,6 +29,9 @@ module Authlogic
     #
     # Uses the Sha256 hash algorithm to encrypt passwords.
     class Sha256
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha256", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha256/v2.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  # The acts_as_authentic method has a crypto_provider option. This allows you
+  # to use any type of encryption you like. Just create a class with a class
+  # level encrypt and matches? method. See example below.
+  #
+  # === Example
+  #
+  #   class MyAwesomeEncryptionMethod
+  #     def self.encrypt(*tokens)
+  #       # the tokens passed will be an array of objects, what type of object
+  #       # is irrelevant, just do what you need to do with them and return a
+  #       # single encrypted string. for example, you will most likely join all
+  #       # of the objects into a single string and then encrypt that string
+  #     end
+  #
+  #     def self.matches?(crypted, *tokens)
+  #       # return true if the crypted string matches the tokens. Depending on
+  #       # your algorithm you might decrypt the string then compare it to the
+  #       # token, or you might encrypt the tokens and make sure it matches the
+  #       # crypted string, its up to you.
+  #     end
+  #   end
+  module CryptoProviders
+    class Sha256
+      # = Sha256
+      #
+      # Uses the Sha256 hash algorithm to encrypt passwords.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha256 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times { digest = Digest::SHA256.digest(digest) }
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/crypto_providers/sha512.rb

@@ -8,6 +8,9 @@ module Authlogic
     # there are better choices. We recommend transitioning to a more secure,
     # adaptive hashing algorithm, like scrypt.
     class Sha512
+      # V2 hashes the digest bytes in repeated stretches instead of hex characters.
+      autoload :V2, File.join(__dir__, "sha512", "v2")
+
       class << self
         attr_accessor :join_token
 

data/lib/authlogic/crypto_providers/sha512/v2.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "digest/sha2"
+
+module Authlogic
+  module CryptoProviders
+    class Sha512
+      # SHA-512 does not have any practical known attacks against it. However,
+      # there are better choices. We recommend transitioning to a more secure,
+      # adaptive hashing algorithm, like scrypt.
+      class V2
+        class << self
+          attr_accessor :join_token
+
+          # The number of times to loop through the encryption.
+          def stretches
+            @stretches ||= 20
+          end
+          attr_writer :stretches
+
+          # Turns your raw password into a Sha512 hash.
+          def encrypt(*tokens)
+            digest = tokens.flatten.join(join_token)
+            stretches.times do
+              digest = Digest::SHA512.digest(digest)
+            end
+            digest.unpack("H*")[0]
+          end
+
+          # Does the crypted password match the tokens? Uses the same tokens that
+          # were used to encrypt.
+          def matches?(crypted, *tokens)
+            encrypt(*tokens) == crypted
+          end
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/errors.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |config|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+end

data/lib/authlogic/i18n/translator.rb

@@ -8,7 +8,7 @@ module Authlogic
       # arguments, else returns +options[:default]+.
       def translate(key, options = {})
         if defined?(::I18n)
-          ::I18n.translate key, options
+          ::I18n.translate key, **options
         else
           options[:default]
         end

data/lib/authlogic/session/base.rb

@@ -198,7 +198,7 @@ module Authlogic
     # 2. Enable logging out on timeouts
     #
     #   class UserSession < Authlogic::Session::Base
-    #     logout_on_timeout true # default if false
+    #     logout_on_timeout true # default is false
     #   end
     #
     # This will require a user to log back in if they are inactive for more than
@@ -472,14 +472,9 @@ module Authlogic
           !controller.nil?
         end
 
-        # Do you want to allow your users to log in via HTTP basic auth?
+        # Allow users to log in via HTTP basic authentication.
         #
-        # I recommend keeping this enabled. The only time I feel this should be
-        # disabled is if you are not comfortable having your users provide their
-        # raw username and password. Whatever the reason, you can disable it
-        # here.
-        #
-        # * <tt>Default:</tt> true
+        # * <tt>Default:</tt> false
         # * <tt>Accepts:</tt> Boolean
         def allow_http_basic_auth(value = nil)
           rw_config(:allow_http_basic_auth, value, false)
@@ -961,20 +956,6 @@ module Authlogic
         end
         alias sign_cookie= sign_cookie
 
-        # Should the cookie be encrypted? If the controller adapter supports it, this is a
-        # measure to hide the contents of the cookie (e.g. persistence_token)
-        def encrypt_cookie(value = nil)
-          if value && !controller.cookies.respond_to?(:encrypted)
-            raise "Encrypted cookies not supported with #{controller.class}!"
-          end
-          if value && sign_cookie
-            raise "It is recommended to use encrypt_cookie instead of sign_cookie. " \
-                  "You may not enable both options."
-          end
-          rw_config(:encrypt_cookie, value, false)
-        end
-        alias_method :encrypt_cookie=, :encrypt_cookie
-
         # Works exactly like cookie_key, but for sessions. See cookie_key for more info.
         #
         # * <tt>Default:</tt> cookie_key
@@ -1494,23 +1475,6 @@ module Authlogic
         sign_cookie == true || sign_cookie == "true" || sign_cookie == "1"
       end
 
-      # If the cookie should be encrypted
-      def encrypt_cookie
-        return @encrypt_cookie if defined?(@encrypt_cookie)
-        @encrypt_cookie = self.class.encrypt_cookie
-      end
-
-      # Accepts a boolean as to whether the cookie should be encrypted.  If true
-      # the cookie will be saved in an encrypted state.
-      def encrypt_cookie=(value)
-        @encrypt_cookie = value
-      end
-
-      # See encrypt_cookie
-      def encrypt_cookie?
-        encrypt_cookie == true || encrypt_cookie == "true" || encrypt_cookie == "1"
-      end
-
       # The scope of the current object
       def scope
         @scope ||= {}
@@ -1654,9 +1618,7 @@ module Authlogic
       end
 
       def cookie_jar
-        if self.class.encrypt_cookie
-          controller.cookies.encrypted
-        elsif self.class.sign_cookie
+        if self.class.sign_cookie
           controller.cookies.signed
         else
           controller.cookies
@@ -1738,8 +1700,13 @@ module Authlogic
 
       # @api private
       def generate_cookie_for_saving
+        creds = ::Authlogic::CookieCredentials.new(
+          record.persistence_token,
+          record.send(record.class.primary_key),
+          remember_me? ? remember_me_until : nil
+        )
         {
-          value: generate_cookie_value.to_s,
+          value: creds.to_s,
           expires: remember_me_until,
           secure: secure,
           httponly: httponly,
@@ -1748,14 +1715,6 @@ module Authlogic
         }
       end
 
-      def generate_cookie_value
-        ::Authlogic::CookieCredentials.new(
-          record.persistence_token,
-          record.send(record.class.primary_key),
-          remember_me? ? remember_me_until : nil
-        )
-      end
-
       # Returns a Proc to be executed by
       # `ActionController::HttpAuthentication::Basic` when credentials are
       # present in the HTTP request.
@@ -1971,7 +1930,11 @@ module Authlogic
       end
 
       def save_cookie
-        cookie_jar[cookie_key] = generate_cookie_for_saving
+        if sign_cookie?
+          controller.cookies.signed[cookie_key] = generate_cookie_for_saving
+        else
+          controller.cookies[cookie_key] = generate_cookie_for_saving
+        end
       end
 
       # @api private

data/lib/authlogic/test_case/mock_cookie_jar.rb

@@ -23,10 +23,6 @@ module Authlogic
       def signed
         @signed ||= MockSignedCookieJar.new(self)
       end
-
-      def encrypted
-        @encrypted ||= MockEncryptedCookieJar.new(self)
-      end
     end
 
     # A mock of `ActionDispatch::Cookies::SignedKeyRotatingCookieJar`
@@ -39,7 +35,6 @@ module Authlogic
 
       def initialize(parent_jar)
         @parent_jar = parent_jar
-        parent_jar.each { |k, v| self[k] = v }
       end
 
       def [](val)
@@ -56,35 +51,5 @@ module Authlogic
         @parent_jar[key] = options
       end
     end
-
-    class MockEncryptedCookieJar < MockCookieJar
-      attr_reader :parent_jar # helper for testing
-
-      def initialize(parent_jar)
-        @parent_jar = parent_jar
-        parent_jar.each { |k, v| self[k] = v }
-      end
-
-      def [](val)
-        encrypted_message = @parent_jar[val]
-        if encrypted_message
-          self.class.decrypt(encrypted_message)
-        end
-      end
-
-      def []=(key, options)
-        options[:value] = self.class.encrypt(options[:value])
-        @parent_jar[key] = options
-      end
-
-      # simple caesar cipher for testing
-      def self.encrypt(str)
-        str.unpack("U*").map(&:succ).pack("U*")
-      end
-
-      def self.decrypt(str)
-        str.unpack("U*").map(&:pred).pack("U*")
-      end
-    end
   end
 end

data/lib/authlogic/version.rb

@@ -17,6 +17,6 @@ module Authlogic
   #
   # @api public
   def self.gem_version
-    ::Gem::Version.new("5.2.0")
+    ::Gem::Version.new("6.0.0")
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlogic
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 6.0.0
 platform: ruby
 authors:
 - Ben Johnson
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-08 00:00:00.000000000 Z
+date: 2020-03-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -86,26 +86,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: scrypt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
@@ -218,6 +198,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: scrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.2'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -252,14 +252,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.13
+        version: 1.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.13
+        version: 1.4.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -305,10 +305,15 @@ files:
 - lib/authlogic/crypto_providers.rb
 - lib/authlogic/crypto_providers/bcrypt.rb
 - lib/authlogic/crypto_providers/md5.rb
+- lib/authlogic/crypto_providers/md5/v2.rb
 - lib/authlogic/crypto_providers/scrypt.rb
 - lib/authlogic/crypto_providers/sha1.rb
+- lib/authlogic/crypto_providers/sha1/v2.rb
 - lib/authlogic/crypto_providers/sha256.rb
+- lib/authlogic/crypto_providers/sha256/v2.rb
 - lib/authlogic/crypto_providers/sha512.rb
+- lib/authlogic/crypto_providers/sha512/v2.rb
+- lib/authlogic/errors.rb
 - lib/authlogic/i18n.rb
 - lib/authlogic/i18n/translator.rb
 - lib/authlogic/random.rb
@@ -333,7 +338,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="