nulogy-authlogic 3.1.0.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (129) hide show
  1. data/Gemfile +3 -0
  2. data/Gemfile.lock +62 -0
  3. data/LICENSE +20 -0
  4. data/README.rdoc +250 -0
  5. data/Rakefile +50 -0
  6. data/VERSION.yml +5 -0
  7. data/authlogic.gemspec +192 -0
  8. data/generators/session/session_generator.rb +9 -0
  9. data/generators/session/templates/session.rb +2 -0
  10. data/init.rb +1 -0
  11. data/lib/authlogic.rb +64 -0
  12. data/lib/authlogic/acts_as_authentic/base.rb +109 -0
  13. data/lib/authlogic/acts_as_authentic/email.rb +110 -0
  14. data/lib/authlogic/acts_as_authentic/logged_in_status.rb +59 -0
  15. data/lib/authlogic/acts_as_authentic/login.rb +142 -0
  16. data/lib/authlogic/acts_as_authentic/magic_columns.rb +24 -0
  17. data/lib/authlogic/acts_as_authentic/password.rb +355 -0
  18. data/lib/authlogic/acts_as_authentic/perishable_token.rb +105 -0
  19. data/lib/authlogic/acts_as_authentic/persistence_token.rb +68 -0
  20. data/lib/authlogic/acts_as_authentic/restful_authentication.rb +61 -0
  21. data/lib/authlogic/acts_as_authentic/session_maintenance.rb +139 -0
  22. data/lib/authlogic/acts_as_authentic/single_access_token.rb +65 -0
  23. data/lib/authlogic/acts_as_authentic/validations_scope.rb +32 -0
  24. data/lib/authlogic/authenticates_many/association.rb +42 -0
  25. data/lib/authlogic/authenticates_many/base.rb +54 -0
  26. data/lib/authlogic/controller_adapters/abstract_adapter.rb +67 -0
  27. data/lib/authlogic/controller_adapters/merb_adapter.rb +30 -0
  28. data/lib/authlogic/controller_adapters/rails_adapter.rb +50 -0
  29. data/lib/authlogic/controller_adapters/sinatra_adapter.rb +61 -0
  30. data/lib/authlogic/crypto_providers/aes256.rb +43 -0
  31. data/lib/authlogic/crypto_providers/bcrypt.rb +90 -0
  32. data/lib/authlogic/crypto_providers/md5.rb +34 -0
  33. data/lib/authlogic/crypto_providers/sha1.rb +35 -0
  34. data/lib/authlogic/crypto_providers/sha256.rb +50 -0
  35. data/lib/authlogic/crypto_providers/sha512.rb +50 -0
  36. data/lib/authlogic/crypto_providers/wordpress.rb +43 -0
  37. data/lib/authlogic/i18n.rb +84 -0
  38. data/lib/authlogic/i18n/translator.rb +15 -0
  39. data/lib/authlogic/random.rb +33 -0
  40. data/lib/authlogic/regex.rb +25 -0
  41. data/lib/authlogic/session/activation.rb +58 -0
  42. data/lib/authlogic/session/active_record_trickery.rb +72 -0
  43. data/lib/authlogic/session/base.rb +37 -0
  44. data/lib/authlogic/session/brute_force_protection.rb +96 -0
  45. data/lib/authlogic/session/callbacks.rb +96 -0
  46. data/lib/authlogic/session/cookies.rb +182 -0
  47. data/lib/authlogic/session/existence.rb +93 -0
  48. data/lib/authlogic/session/foundation.rb +77 -0
  49. data/lib/authlogic/session/http_auth.rb +99 -0
  50. data/lib/authlogic/session/id.rb +41 -0
  51. data/lib/authlogic/session/klass.rb +69 -0
  52. data/lib/authlogic/session/magic_columns.rb +95 -0
  53. data/lib/authlogic/session/magic_states.rb +59 -0
  54. data/lib/authlogic/session/params.rb +101 -0
  55. data/lib/authlogic/session/password.rb +240 -0
  56. data/lib/authlogic/session/perishable_token.rb +18 -0
  57. data/lib/authlogic/session/persistence.rb +70 -0
  58. data/lib/authlogic/session/priority_record.rb +34 -0
  59. data/lib/authlogic/session/scopes.rb +101 -0
  60. data/lib/authlogic/session/session.rb +62 -0
  61. data/lib/authlogic/session/timeout.rb +82 -0
  62. data/lib/authlogic/session/unauthorized_record.rb +50 -0
  63. data/lib/authlogic/session/validation.rb +82 -0
  64. data/lib/authlogic/test_case.rb +120 -0
  65. data/lib/authlogic/test_case/mock_controller.rb +55 -0
  66. data/lib/authlogic/test_case/mock_cookie_jar.rb +14 -0
  67. data/lib/authlogic/test_case/mock_logger.rb +10 -0
  68. data/lib/authlogic/test_case/mock_request.rb +19 -0
  69. data/lib/authlogic/test_case/rails_request_adapter.rb +30 -0
  70. data/lib/generators/authlogic/USAGE +8 -0
  71. data/lib/generators/authlogic/session_generator.rb +14 -0
  72. data/lib/generators/authlogic/templates/session.rb +2 -0
  73. data/rails/init.rb +1 -0
  74. data/shoulda_macros/authlogic.rb +69 -0
  75. data/test/acts_as_authentic_test/base_test.rb +18 -0
  76. data/test/acts_as_authentic_test/email_test.rb +116 -0
  77. data/test/acts_as_authentic_test/logged_in_status_test.rb +50 -0
  78. data/test/acts_as_authentic_test/login_test.rb +116 -0
  79. data/test/acts_as_authentic_test/magic_columns_test.rb +27 -0
  80. data/test/acts_as_authentic_test/password_test.rb +236 -0
  81. data/test/acts_as_authentic_test/perishable_token_test.rb +90 -0
  82. data/test/acts_as_authentic_test/persistence_token_test.rb +55 -0
  83. data/test/acts_as_authentic_test/restful_authentication_test.rb +40 -0
  84. data/test/acts_as_authentic_test/session_maintenance_test.rb +84 -0
  85. data/test/acts_as_authentic_test/single_access_test.rb +44 -0
  86. data/test/authenticates_many_test.rb +16 -0
  87. data/test/crypto_provider_test/aes256_test.rb +14 -0
  88. data/test/crypto_provider_test/bcrypt_test.rb +14 -0
  89. data/test/crypto_provider_test/sha1_test.rb +23 -0
  90. data/test/crypto_provider_test/sha256_test.rb +14 -0
  91. data/test/crypto_provider_test/sha512_test.rb +14 -0
  92. data/test/fixtures/companies.yml +5 -0
  93. data/test/fixtures/employees.yml +17 -0
  94. data/test/fixtures/projects.yml +3 -0
  95. data/test/fixtures/users.yml +24 -0
  96. data/test/i18n_test.rb +33 -0
  97. data/test/libs/affiliate.rb +7 -0
  98. data/test/libs/company.rb +6 -0
  99. data/test/libs/employee.rb +7 -0
  100. data/test/libs/employee_session.rb +2 -0
  101. data/test/libs/ldaper.rb +3 -0
  102. data/test/libs/ordered_hash.rb +9 -0
  103. data/test/libs/project.rb +3 -0
  104. data/test/libs/user.rb +5 -0
  105. data/test/libs/user_session.rb +5 -0
  106. data/test/random_test.rb +42 -0
  107. data/test/session_test/activation_test.rb +43 -0
  108. data/test/session_test/active_record_trickery_test.rb +46 -0
  109. data/test/session_test/brute_force_protection_test.rb +101 -0
  110. data/test/session_test/callbacks_test.rb +54 -0
  111. data/test/session_test/cookies_test.rb +136 -0
  112. data/test/session_test/credentials_test.rb +0 -0
  113. data/test/session_test/existence_test.rb +64 -0
  114. data/test/session_test/http_auth_test.rb +57 -0
  115. data/test/session_test/id_test.rb +17 -0
  116. data/test/session_test/klass_test.rb +40 -0
  117. data/test/session_test/magic_columns_test.rb +62 -0
  118. data/test/session_test/magic_states_test.rb +60 -0
  119. data/test/session_test/params_test.rb +53 -0
  120. data/test/session_test/password_test.rb +106 -0
  121. data/test/session_test/perishability_test.rb +15 -0
  122. data/test/session_test/persistence_test.rb +21 -0
  123. data/test/session_test/scopes_test.rb +60 -0
  124. data/test/session_test/session_test.rb +59 -0
  125. data/test/session_test/timeout_test.rb +52 -0
  126. data/test/session_test/unauthorized_record_test.rb +13 -0
  127. data/test/session_test/validation_test.rb +23 -0
  128. data/test/test_helper.rb +168 -0
  129. metadata +252 -0
@@ -0,0 +1,50 @@
1
+ require "digest/sha2"
2
+
3
+ module Authlogic
4
+ # The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
5
+ # Just create a class with a class level encrypt and matches? method. See example below.
6
+ #
7
+ # === Example
8
+ #
9
+ # class MyAwesomeEncryptionMethod
10
+ # def self.encrypt(*tokens)
11
+ # # the tokens passed will be an array of objects, what type of object is irrelevant,
12
+ # # just do what you need to do with them and return a single encrypted string.
13
+ # # for example, you will most likely join all of the objects into a single string and then encrypt that string
14
+ # end
15
+ #
16
+ # def self.matches?(crypted, *tokens)
17
+ # # return true if the crypted string matches the tokens.
18
+ # # depending on your algorithm you might decrypt the string then compare it to the token, or you might
19
+ # # encrypt the tokens and make sure it matches the crypted string, its up to you
20
+ # end
21
+ # end
22
+ module CryptoProviders
23
+ # = Sha512
24
+ #
25
+ # Uses the Sha512 hash algorithm to encrypt passwords.
26
+ class Sha512
27
+ class << self
28
+ attr_accessor :join_token
29
+
30
+ # The number of times to loop through the encryption. This is twenty because that is what restful_authentication defaults to.
31
+ def stretches
32
+ @stretches ||= 20
33
+ end
34
+ attr_writer :stretches
35
+
36
+ # Turns your raw password into a Sha512 hash.
37
+ def encrypt(*tokens)
38
+ digest = tokens.flatten.join(join_token)
39
+ stretches.times { digest = Digest::SHA512.hexdigest(digest) }
40
+ digest
41
+ end
42
+
43
+ # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
44
+ def matches?(crypted, *tokens)
45
+ encrypt(*tokens) == crypted
46
+ end
47
+ end
48
+ end
49
+ end
50
+ end
@@ -0,0 +1,43 @@
1
+ require 'digest/md5'
2
+ module Authlogic
3
+ module CryptoProviders
4
+ class Wordpress
5
+ class << self
6
+ ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
7
+
8
+ def matches?(crypted, *tokens)
9
+ stretches = 1 << ITOA64.index(crypted[3,1])
10
+ plain, salt = *tokens
11
+ hashed = Digest::MD5.digest(salt+plain)
12
+ stretches.times do |i|
13
+ hashed = Digest::MD5.digest(hashed+plain)
14
+ end
15
+ crypted[0,12]+encode_64(hashed, 16) == crypted
16
+ end
17
+
18
+ def encode_64(input, length)
19
+ output = ""
20
+ i = 0
21
+ while i < length
22
+ value = input[i]
23
+ i+=1
24
+ break if value.nil?
25
+ output += ITOA64[value & 0x3f, 1]
26
+ value |= input[i] << 8 if i < length
27
+ output += ITOA64[(value >> 6) & 0x3f, 1]
28
+
29
+ i+=1
30
+ break if i >= length
31
+ value |= input[i] << 16 if i < length
32
+ output += ITOA64[(value >> 12) & 0x3f,1]
33
+
34
+ i+=1
35
+ break if i >= length
36
+ output += ITOA64[(value >> 18) & 0x3f,1]
37
+ end
38
+ output
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
@@ -0,0 +1,84 @@
1
+ require "authlogic/i18n/translator"
2
+
3
+ module Authlogic
4
+ # This class allows any message in Authlogic to use internationalization. In earlier versions of Authlogic each message was translated via configuration.
5
+ # This cluttered up the configuration and cluttered up Authlogic. So all translation has been extracted out into this class. Now all messages pass through
6
+ # this class, making it much easier to implement in I18n library / plugin you want. Use this as a layer that sits between Authlogic and whatever I18n
7
+ # library you want to use.
8
+ #
9
+ # By default this uses the rails I18n library, if it exists. If it doesnt exist it just returns the default english message. The Authlogic I18n class
10
+ # works EXACTLY like the rails I18n class. This is because the arguments are delegated to this class.
11
+ #
12
+ # Here is how all messages are translated internally with Authlogic:
13
+ #
14
+ # Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
15
+ #
16
+ # If you use a different I18n library just replace the build-in I18n::Translator class with your own. For example:
17
+ #
18
+ # class MyAuthlogicI18nTranslator
19
+ # def translate(key, options = {})
20
+ # # you will have key which will be something like: "error_messages.password_invalid"
21
+ # # you will also have options[:default], which will be the default english version of the message
22
+ # # do whatever you want here with the arguments passed to you.
23
+ # end
24
+ # end
25
+ #
26
+ # Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
27
+ #
28
+ # That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
29
+ #
30
+ # authlogic:
31
+ # error_messages:
32
+ # login_blank: can not be blank
33
+ # login_not_found: is not valid
34
+ # login_invalid: should use only letters, numbers, spaces, and .-_@ please.
35
+ # consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
36
+ # email_invalid: should look like an email address.
37
+ # password_blank: can not be blank
38
+ # password_invalid: is not valid
39
+ # not_active: Your account is not active
40
+ # not_confirmed: Your account is not confirmed
41
+ # not_approved: Your account is not approved
42
+ # no_authentication_details: You did not provide any details for authentication.
43
+ # general_credentials_error: Login/Password combination is not valid
44
+ # models:
45
+ # user_session: UserSession (or whatever name you are using)
46
+ # attributes:
47
+ # user_session: (or whatever name you are using)
48
+ # login: login
49
+ # email: email
50
+ # password: password
51
+ # remember_me: remember me
52
+ module I18n
53
+ @@scope = :authlogic
54
+ @@translator = nil
55
+
56
+ class << self
57
+ # Returns the current scope. Defaults to :authlogic
58
+ def scope
59
+ @@scope
60
+ end
61
+
62
+ # Sets the current scope. Used to set a custom scope.
63
+ def scope=(scope)
64
+ @@scope = scope
65
+ end
66
+
67
+ # Returns the current translator. Defaults to +Translator+.
68
+ def translator
69
+ @@translator ||= Translator.new
70
+ end
71
+
72
+ # Sets the current translator. Used to set a custom translator.
73
+ def translator=(translator)
74
+ @@translator = translator
75
+ end
76
+
77
+ # All message translation is passed to this method. The first argument is the key for the message. The second is options, see the rails I18n library for a list of options used.
78
+ def translate(key, options = {})
79
+ translator.translate key, { :scope => I18n.scope }.merge(options)
80
+ end
81
+ alias :t :translate
82
+ end
83
+ end
84
+ end
@@ -0,0 +1,15 @@
1
+ module Authlogic
2
+ module I18n
3
+ class Translator
4
+ # If the I18n gem is present, calls +I18n.translate+ passing all
5
+ # arguments, else returns +options[:default]+.
6
+ def translate(key, options = {})
7
+ if defined?(::I18n)
8
+ ::I18n.translate key, options
9
+ else
10
+ options[:default]
11
+ end
12
+ end
13
+ end
14
+ end
15
+ end
@@ -0,0 +1,33 @@
1
+ module Authlogic
2
+ # Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
3
+ # So if you are using this in a rails app you should have this library.
4
+ module Random
5
+ extend self
6
+
7
+ SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
8
+
9
+ if SecureRandom
10
+ def hex_token
11
+ SecureRandom.hex(64)
12
+ end
13
+
14
+ def friendly_token
15
+ # use base64url as defined by RFC4648
16
+ SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
17
+ end
18
+ else
19
+ def hex_token
20
+ Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
21
+ end
22
+
23
+ FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
24
+
25
+ def friendly_token
26
+ newpass = ""
27
+ 1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
28
+ newpass
29
+ end
30
+ end
31
+
32
+ end
33
+ end
@@ -0,0 +1,25 @@
1
+ module Authlogic
2
+ # This is a module the contains regular expressions used throughout Authlogic. The point of extracting
3
+ # them out into their own module is to make them easily available to you for other uses. Ex:
4
+ #
5
+ # validates_format_of :my_email_field, :with => Authlogic::Regex.email
6
+ module Regex
7
+ # A general email regular expression. It allows top level domains (TLD) to be from 2 - 4 in length, any
8
+ # TLD longer than that must be manually specified. The decisions behind this regular expression were made
9
+ # by reading this website: http://www.regular-expressions.info/email.html, which is an excellent resource
10
+ # for regular expressions.
11
+ def self.email
12
+ return @email_regex if @email_regex
13
+ email_name_regex = '[A-Z0-9_\.%\+\-\']+'
14
+ domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
15
+ domain_tld_regex = '(?:[A-Z]{2,4}|museum|travel)'
16
+ @email_regex = /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
17
+ end
18
+
19
+ # A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
20
+ # regular expression.
21
+ def self.login
22
+ /\A\w[\w\.+\-_@ ]+$/
23
+ end
24
+ end
25
+ end
@@ -0,0 +1,58 @@
1
+ module Authlogic
2
+ module Session
3
+ # Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
4
+ # This is sort of like a database connection for an ORM library, Authlogic can't do anything until it is "connected" to a controller.
5
+ # If you are using a supported framework, Authlogic takes care of this for you.
6
+ module Activation
7
+ class NotActivatedError < ::StandardError # :nodoc:
8
+ def initialize(session)
9
+ super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
10
+ end
11
+ end
12
+
13
+ def self.included(klass)
14
+ klass.class_eval do
15
+ extend ClassMethods
16
+ include InstanceMethods
17
+ end
18
+ end
19
+
20
+ module ClassMethods
21
+ # Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
22
+ # Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
23
+ # environment this is done for you, but if you are using Authlogic outside of your framework, you need to assign a controller
24
+ # object to Authlogic via Authlogic::Session::Base.controller = obj. See the controller= method for more information.
25
+ def activated?
26
+ !controller.nil?
27
+ end
28
+
29
+ # This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
30
+ # between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
31
+ # extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
32
+ #
33
+ # Lastly, this is thread safe.
34
+ def controller=(value)
35
+ Thread.current[:authlogic_controller] = value
36
+ end
37
+
38
+ # The current controller object
39
+ def controller
40
+ Thread.current[:authlogic_controller]
41
+ end
42
+ end
43
+
44
+ module InstanceMethods
45
+ # Making sure we are activated before we start creating objects
46
+ def initialize(*args)
47
+ raise NotActivatedError.new(self) unless self.class.activated?
48
+ super
49
+ end
50
+
51
+ private
52
+ def controller
53
+ self.class.controller
54
+ end
55
+ end
56
+ end
57
+ end
58
+ end
@@ -0,0 +1,72 @@
1
+ module Authlogic
2
+ module Session
3
+ # Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
4
+ # This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
5
+ # expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
6
+ # advantage of the many ActiveRecord tools.
7
+ module ActiveRecordTrickery
8
+ def self.included(klass)
9
+ klass.extend ClassMethods
10
+ klass.send(:include, InstanceMethods)
11
+ end
12
+
13
+ module ClassMethods
14
+ # How to name the attributes of Authlogic, works JUST LIKE ActiveRecord, but instead it uses the following
15
+ # namespace:
16
+ #
17
+ # authlogic.attributes.user_session.login
18
+ def human_attribute_name(attribute_key_name, options = {})
19
+ options[:count] ||= 1
20
+ options[:default] ||= attribute_key_name.to_s.humanize
21
+ I18n.t("attributes.#{name.underscore}.#{attribute_key_name}", options)
22
+ end
23
+
24
+ # How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
25
+ #
26
+ # authlogic.models.user_session
27
+ def human_name(*args)
28
+ I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
29
+ end
30
+
31
+ # For rails < 2.3, mispelled
32
+ def self_and_descendents_from_active_record
33
+ [self]
34
+ end
35
+
36
+ # For rails >= 2.3, mispelling fixed
37
+ def self_and_descendants_from_active_record
38
+ [self]
39
+ end
40
+
41
+ # For rails >= 3.0
42
+ def model_name
43
+ if defined?(::ActiveModel)
44
+ ::ActiveModel::Name.new(self)
45
+ else
46
+ ::ActiveSupport::ModelName.new(self.to_s)
47
+ end
48
+ end
49
+
50
+ def i18n_scope
51
+ I18n.scope
52
+ end
53
+
54
+ def lookup_ancestors
55
+ ancestors.select { |x| x.respond_to?(:model_name) }
56
+ end
57
+ end
58
+
59
+ module InstanceMethods
60
+ # Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
61
+ def new_record?
62
+ new_session?
63
+ end
64
+
65
+ # For rails >= 3.0
66
+ def to_model
67
+ self
68
+ end
69
+ end
70
+ end
71
+ end
72
+ end
@@ -0,0 +1,37 @@
1
+ module Authlogic
2
+ module Session # :nodoc:
3
+ # This is the base class Authlogic, where all modules are included. For information on functiionality see the various
4
+ # sub modules.
5
+ class Base
6
+ include Foundation
7
+ include Callbacks
8
+
9
+ # Included first so that the session resets itself to nil
10
+ include Timeout
11
+
12
+ # Included in a specific order so they are tried in this order when persisting
13
+ include Params
14
+ include Cookies
15
+ include Session
16
+ include HttpAuth
17
+
18
+ # Included in a specific order so magic states gets ran after a record is found
19
+ include Password
20
+ include UnauthorizedRecord
21
+ include MagicStates
22
+
23
+ include Activation
24
+ include ActiveRecordTrickery
25
+ include BruteForceProtection
26
+ include Existence
27
+ include Klass
28
+ include MagicColumns
29
+ include PerishableToken
30
+ include Persistence
31
+ include Scopes
32
+ include Id
33
+ include Validation
34
+ include PriorityRecord
35
+ end
36
+ end
37
+ end
@@ -0,0 +1,96 @@
1
+ module Authlogic
2
+ module Session
3
+ # A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
4
+ # generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
5
+ # increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
6
+ # and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
7
+ # and it would take MUCH longer.
8
+ #
9
+ # But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
10
+ # what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
11
+ # after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
12
+ # If you wish to lower this number just set the configuration to a lower number:
13
+ #
14
+ # class UserSession < Authlogic::Session::Base
15
+ # consecutive_failed_logins_limit 10
16
+ # end
17
+ module BruteForceProtection
18
+ def self.included(klass)
19
+ klass.class_eval do
20
+ extend Config
21
+ include InstanceMethods
22
+ validate :reset_failed_login_count, :if => :reset_failed_login_count?
23
+ validate :validate_failed_logins, :if => :being_brute_force_protected?
24
+ end
25
+ end
26
+
27
+ # Configuration for the brute force protection feature.
28
+ module Config
29
+ # To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
30
+ # number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
31
+ #
32
+ # In order to enable this field your model MUST have a failed_login_count (integer) field.
33
+ #
34
+ # If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
35
+ # in possibly millions of attempts to log into an account.
36
+ #
37
+ # * <tt>Default:</tt> 50
38
+ # * <tt>Accepts:</tt> Integer, set to 0 to disable
39
+ def consecutive_failed_logins_limit(value = nil)
40
+ rw_config(:consecutive_failed_logins_limit, value, 50)
41
+ end
42
+ alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
43
+
44
+ # Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
45
+ #
46
+ # * <tt>Default:</tt> 2.hours
47
+ # * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
48
+ def failed_login_ban_for(value = nil)
49
+ rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
50
+ end
51
+ alias_method :failed_login_ban_for=, :failed_login_ban_for
52
+ end
53
+
54
+ # The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
55
+ module InstanceMethods
56
+ # Returns true when the consecutive_failed_logins_limit has been exceeded and is being temporarily banned.
57
+ # Notice the word temporary, the user will not be permanently banned unless you choose to do so with configuration.
58
+ # By default they will be banned for 2 hours. During that 2 hour period this method will return true.
59
+ def being_brute_force_protected?
60
+ exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
61
+ (attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
62
+ end
63
+
64
+ private
65
+ def exceeded_failed_logins_limit?
66
+ !attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
67
+ attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
68
+ end
69
+
70
+ def reset_failed_login_count?
71
+ exceeded_failed_logins_limit? && !being_brute_force_protected?
72
+ end
73
+
74
+ def reset_failed_login_count
75
+ attempted_record.failed_login_count = 0
76
+ end
77
+
78
+ def validate_failed_logins
79
+ errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
80
+ errors.add(:base, I18n.t(
81
+ 'error_messages.consecutive_failed_logins_limit_exceeded',
82
+ :default => "Consecutive failed logins limit exceeded, account has been" + (failed_login_ban_for == 0 ? "" : " temporarily") + " disabled."
83
+ ))
84
+ end
85
+
86
+ def consecutive_failed_logins_limit
87
+ self.class.consecutive_failed_logins_limit
88
+ end
89
+
90
+ def failed_login_ban_for
91
+ self.class.failed_login_ban_for
92
+ end
93
+ end
94
+ end
95
+ end
96
+ end