binarylogic-authlogic 2.1.0

data/lib/authlogic/random.rb

@@ -0,0 +1,33 @@
+module Authlogic
+  # Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
+  # So if you are using this in a rails app you should have this library.
+  module Random
+    extend self
+    
+    SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
+    
+    if SecureRandom
+      def hex_token
+        SecureRandom.hex(64)
+      end
+      
+      def friendly_token
+        # use base64url as defined by RFC4648
+        SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+      end
+    else
+      def hex_token
+        Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
+      end
+      
+      FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      
+      def friendly_token
+        newpass = ""
+        1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
+        newpass
+      end
+    end
+    
+  end
+end

data/lib/authlogic/regex.rb

@@ -0,0 +1,25 @@
+module Authlogic
+  # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
+  # them out into their own module is to make them easily available to you for other uses. Ex:
+  #
+  #   validates_format_of :my_email_field, :with => Authlogic::Regex.email
+  module Regex
+    # A general email regular expression. It allows top level domains (TLD) to be from 2 - 4 in length, any
+    # TLD longer than that must be manually specified. The decisions behind this regular expression were made
+    # by reading this website: http://www.regular-expressions.info/email.html, which is an excellent resource
+    # for regular expressions.
+    def self.email
+      return @email_regex if @email_regex
+      email_name_regex  = '[A-Z0-9_\.%\+\-]+'
+      domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
+      domain_tld_regex  = '(?:[A-Z]{2,4}|museum|travel)'
+      @email_regex = /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
+    end
+    
+    # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
+    # regular expression.
+    def self.login
+      /\A\w[\w\.+\-_@ ]+\z/
+    end
+  end
+end

data/lib/authlogic/session/activation.rb

@@ -0,0 +1,58 @@
+module Authlogic
+  module Session
+    # Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
+    # This is sort of like a database connection for an ORM library, Authlogic can't do anything until it is "connected" to a controller.
+    # If you are using a supported framework, Authlogic takes care of this for you.
+    module Activation
+      class NotActivatedError < ::StandardError # :nodoc:
+        def initialize(session)
+          super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
+        end
+      end
+      
+      def self.included(klass)
+        klass.class_eval do
+          extend ClassMethods
+          include InstanceMethods
+        end
+      end
+      
+      module ClassMethods
+        # Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
+        # Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
+        # environment this is done for you, but if you are using Authlogic outside of your framework, you need to assign a controller
+        # object to Authlogic via Authlogic::Session::Base.controller = obj. See the controller= method for more information.
+        def activated?
+          !controller.nil?
+        end
+        
+        # This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
+        # between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
+        # extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
+        #
+        # Lastly, this is thread safe.
+        def controller=(value)
+          Thread.current[:authlogic_controller] = value
+        end
+        
+        # The current controller object
+        def controller
+          Thread.current[:authlogic_controller]
+        end
+      end
+      
+      module InstanceMethods
+        # Making sure we are activated before we start creating objects
+        def initialize(*args)
+          raise NotActivatedError.new(self) unless self.class.activated?
+          super
+        end
+        
+        private
+          def controller
+            self.class.controller
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/active_record_trickery.rb

@@ -0,0 +1,50 @@
+module Authlogic
+  module Session
+    # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
+    # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
+    # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
+    # advantage of the many ActiveRecord tools.
+    module ActiveRecordTrickery
+      def self.included(klass)
+        klass.extend ClassMethods
+        klass.send(:include, InstanceMethods)
+      end
+      
+      module ClassMethods
+        # How to name the attributes of Authlogic, works JUST LIKE ActiveRecord, but instead it uses the following
+        # namespace:
+        #
+        #   authlogic.attributes.user_session.login
+        def human_attribute_name(attribute_key_name, options = {})
+          options[:count] ||= 1
+          options[:default] ||= attribute_key_name.to_s.humanize
+          I18n.t("attributes.#{name.underscore}.#{attribute_key_name}", options)
+        end
+        
+        # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
+        #
+        #   authlogic.models.user_session
+        def human_name(*args)
+          I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
+        end
+        
+        # For rails < 2.3, mispelled
+        def self_and_descendents_from_active_record
+          [self]
+        end
+        
+        # For Rails >2.3, fix mispelling
+        def self_and_descendants_from_active_record
+          [self]
+        end
+      end
+      
+      module InstanceMethods
+        # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
+        def new_record?
+          new_session?
+        end
+      end
+    end
+  end
+end

data/lib/authlogic/session/base.rb

@@ -0,0 +1,37 @@
+module Authlogic
+  module Session # :nodoc:
+    # This is the base class Authlogic, where all modules are included. For information on functiionality see the various
+    # sub modules.
+    class Base
+      include Foundation
+      include Callbacks
+      
+      # Included first so that the session resets itself to nil
+      include Timeout
+      
+      # Included in a specific order so they are tried in this order when persisting
+      include Params
+      include Cookies
+      include Session
+      include HttpAuth
+      
+      # Included in a specific order so magic states gets ran after a record is found
+      include Password
+      include UnauthorizedRecord
+      include MagicStates
+      
+      include Activation
+      include ActiveRecordTrickery
+      include BruteForceProtection
+      include Existence
+      include Klass
+      include MagicColumns
+      include PerishableToken
+      include Persistence
+      include Scopes
+      include Id
+      include Validation
+      include PriorityRecord
+    end
+  end
+end

data/lib/authlogic/session/brute_force_protection.rb

@@ -0,0 +1,92 @@
+module Authlogic
+  module Session
+    # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
+    # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
+    # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
+    # and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
+    # and it would take MUCH longer.
+    #
+    # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
+    # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
+    # after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
+    # If you wish to lower this number just set the configuration to a lower number:
+    #
+    #   class UserSession < Authlogic::Session::Base
+    #     consecutive_failed_logins_limit 10
+    #   end
+    module BruteForceProtection
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          validate :reset_failed_login_count, :if => :reset_failed_login_count?
+          validate :validate_failed_logins, :if => :being_brute_force_protected?
+        end
+      end
+      
+      # Configuration for the brute force protection feature.
+      module Config
+        # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
+        # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
+        #
+        # In order to enable this field your model MUST have a failed_login_count (integer) field.
+        #
+        # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
+        # in possibly millions of attempts to log into an account.
+        #
+        # * <tt>Default:</tt> 50
+        # * <tt>Accepts:</tt> Integer, set to 0 to disable
+        def consecutive_failed_logins_limit(value = nil)
+          rw_config(:consecutive_failed_logins_limit, value, 50)
+        end
+        alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
+        
+        # Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
+        #
+        # * <tt>Default:</tt> 2.hours
+        # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
+        def failed_login_ban_for(value = nil)
+          rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
+        end
+        alias_method :failed_login_ban_for=, :failed_login_ban_for
+      end
+      
+      # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
+      module InstanceMethods
+        # Returns true when the consecutive_failed_logins_limit has been exceeded and is being temporarily banned.
+        # Notice the word temporary, the user will not be permanently banned unless you choose to do so with configuration.
+        # By default they will be banned for 2 hours. During that 2 hour period this method will return true.
+        def being_brute_force_protected?
+          exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 || (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
+        end
+        
+        private
+          def exceeded_failed_logins_limit?
+            !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
+              attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
+          end
+          
+          def reset_failed_login_count?
+            exceeded_failed_logins_limit? && !being_brute_force_protected?
+          end
+          
+          def reset_failed_login_count
+            attempted_record.failed_login_count = 0
+          end
+        
+          def validate_failed_logins
+            errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
+            errors.add(:base, I18n.t('error_messages.consecutive_failed_logins_limit_exceeded', :default => "Consecutive failed logins limit exceeded, account is disabled."))
+          end
+          
+          def consecutive_failed_logins_limit
+            self.class.consecutive_failed_logins_limit
+          end
+          
+          def failed_login_ban_for
+            self.class.failed_login_ban_for
+          end
+      end
+    end
+  end
+end

data/lib/authlogic/session/callbacks.rb

@@ -0,0 +1,87 @@
+module Authlogic
+  module Session
+    # Between these callsbacks and the configuration, this is the contract between me and you to safely
+    # modify Authlogic's behavior. I will do everything I can to make sure these do not change.
+    #
+    # Check out the sub modules of Authlogic::Session. They are very concise, clear, and to the point. More
+    # importantly they use the same API that you would use to extend Authlogic. That being said, they are great
+    # examples of how to extend Authlogic and add / modify behavior to Authlogic. These modules could easily be pulled out
+    # into their own plugin and become an "add on" without any change.
+    #
+    # Now to the point of this module. Just like in ActiveRecord you have before_save, before_validation, etc.
+    # You have similar callbacks with Authlogic, see the METHODS constant below. The order of execution is as follows:
+    #
+    #   before_persisting
+    #   persist
+    #   after_persisting
+    #   [save record if record.changed?]
+    #   
+    #   before_validation
+    #   before_validation_on_create
+    #   before_validation_on_update
+    #   validate
+    #   after_validation_on_update
+    #   after_validation_on_create
+    #   after_validation
+    #   [save record if record.changed?]
+    #   
+    #   before_save
+    #   before_create
+    #   before_update
+    #   after_update
+    #   after_create
+    #   after_save
+    #   [save record if record.changed?]
+    #   
+    #   before_destroy
+    #   [save record if record.changed?]
+    #   destroy
+    #   after_destroy
+    #
+    # Notice the "save record if changed?" lines above. This helps with performance. If you need to make
+    # changes to the associated record, there is no need to save the record, Authlogic will do it for you.
+    # This allows multiple modules to modify the record and execute as few queries as possible.
+    #
+    # **WARNING**: unlike ActiveRecord, these callbacks must be set up on the class level:
+    #
+    #   class UserSession < Authlogic::Session::Base
+    #     before_validation :my_method
+    #     validate :another_method
+    #     # ..etc
+    #   end
+    #
+    # You can NOT define a "before_validation" method, this is bad practice and does not allow Authlogic
+    # to extend properly with multiple extensions. Please ONLY use the method above.
+    module Callbacks
+      METHODS = [
+        "before_persisting", "persist", "after_persisting",
+        "before_validation", "before_validation_on_create", "before_validation_on_update", "validate", "after_validation_on_update", "after_validation_on_create", "after_validation",
+        "before_save", "before_create", "before_update", "after_update", "after_create", "after_save",
+        "before_destroy", "after_destroy"
+      ]
+      
+      def self.included(base) #:nodoc:
+        base.send :include, ActiveSupport::Callbacks
+        base.define_callbacks *METHODS
+      end
+      
+      private
+        METHODS.each do |method|
+          class_eval <<-"end_eval", __FILE__, __LINE__
+            def #{method}
+              run_callbacks(:#{method}) { |result, object| result == false }
+            end
+          end_eval
+        end
+      
+        def persist
+          run_callbacks(:persist) { |result, object| result == true }
+        end
+        
+        def save_record(alternate_record = nil)
+          r = alternate_record || record
+          r.save_without_session_maintenance(false) if r && r.changed? && !r.readonly?
+        end
+    end
+  end
+end

data/lib/authlogic/session/cookies.rb

@@ -0,0 +1,130 @@
+module Authlogic
+  module Session
+    # Handles all authentication that deals with cookies, such as persisting, saving, and destroying.
+    module Cookies
+      def self.included(klass)
+        klass.class_eval do
+          extend Config
+          include InstanceMethods
+          persist :persist_by_cookie
+          after_save :save_cookie
+          after_destroy :destroy_cookie
+        end
+      end
+      
+      # Configuration for the cookie feature set.
+      module Config
+        # The name of the cookie or the key in the cookies hash. Be sure and use a unique name. If you have multiple sessions and they use the same cookie it will cause problems.
+        # Also, if a id is set it will be inserted into the beginning of the string. Exmaple:
+        #
+        #   session = UserSession.new
+        #   session.cookie_key => "user_credentials"
+        #   
+        #   session = UserSession.new(:super_high_secret)
+        #   session.cookie_key => "super_high_secret_user_credentials"
+        #
+        # * <tt>Default:</tt> "#{klass_name.underscore}_credentials"
+        # * <tt>Accepts:</tt> String
+        def cookie_key(value = nil)
+          rw_config(:cookie_key, value, "#{klass_name.underscore}_credentials")
+        end
+        alias_method :cookie_key=, :cookie_key
+        
+        # If sessions should be remembered by default or not.
+        #
+        # * <tt>Default:</tt> false
+        # * <tt>Accepts:</tt> Boolean
+        def remember_me(value = nil)
+          rw_config(:remember_me, value, false)
+        end
+        alias_method :remember_me=, :remember_me
+        
+        # The length of time until the cookie expires.
+        #
+        # * <tt>Default:</tt> 3.months
+        # * <tt>Accepts:</tt> Integer, length of time in seconds, such as 60 or 3.months
+        def remember_me_for(value = :_read)
+          rw_config(:remember_me_for, value, 3.months, :_read)
+        end
+        alias_method :remember_me_for=, :remember_me_for
+      end
+      
+      # The methods available for an Authlogic::Session::Base object that make up the cookie feature set.
+      module InstanceMethods
+        # Allows you to set the remember_me option when passing credentials.
+        def credentials=(value)
+          super
+          values = value.is_a?(Array) ? value : [value]
+          case values.first
+          when Hash
+            self.remember_me = values.first.with_indifferent_access[:remember_me]
+          else
+            r = values.find { |value| value.is_a?(TrueClass) || value.is_a?(FalseClass) }
+            self.remember_me = r if !r.nil?
+          end
+        end
+        
+        # Is the cookie going to expire after the session is over, or will it stick around?
+        def remember_me
+          return @remember_me if defined?(@remember_me)
+          @remember_me = self.class.remember_me
+        end
+      
+        # Accepts a boolean as a flag to remember the session or not. Basically to expire the cookie at the end of the session or keep it for "remember_me_until".
+        def remember_me=(value)
+          @remember_me = value
+        end
+      
+        # See remember_me
+        def remember_me?
+          remember_me == true || remember_me == "true" || remember_me == "1"
+        end
+        
+        # How long to remember the user if remember_me is true. This is based on the class level configuration: remember_me_for
+        def remember_me_for
+          return unless remember_me?
+          self.class.remember_me_for
+        end
+      
+        # When to expire the cookie. See remember_me_for configuration option to change this.
+        def remember_me_until
+          return unless remember_me?
+          remember_me_for.from_now
+        end
+        
+        private
+          def cookie_key
+            build_key(self.class.cookie_key)
+          end
+          
+          def cookie_credentials
+            controller.cookies[cookie_key] && controller.cookies[cookie_key].split("::")
+          end
+          
+          # Tries to validate the session from information in the cookie
+          def persist_by_cookie
+            persistence_token, record_id = cookie_credentials
+            if !persistence_token.nil?
+              record = record_id.nil? ? search_for_record("find_by_persistence_token", persistence_token) : search_for_record("find_by_#{klass.primary_key}", record_id)
+              self.unauthorized_record = record if record && record.persistence_token == persistence_token
+              valid?
+            else
+              false
+            end
+          end
+        
+          def save_cookie
+            controller.cookies[cookie_key] = {
+              :value => "#{record.persistence_token}::#{record.send(record.class.primary_key)}",
+              :expires => remember_me_until,
+              :domain => controller.cookie_domain
+            }
+          end
+        
+          def destroy_cookie
+            controller.cookies.delete cookie_key, :domain => controller.cookie_domain
+          end
+      end
+    end
+  end
+end