nulogy-authlogic 3.1.0.1
Sign up to get free protection for your applications and to get access to all the features.
- data/Gemfile +3 -0
- data/Gemfile.lock +62 -0
- data/LICENSE +20 -0
- data/README.rdoc +250 -0
- data/Rakefile +50 -0
- data/VERSION.yml +5 -0
- data/authlogic.gemspec +192 -0
- data/generators/session/session_generator.rb +9 -0
- data/generators/session/templates/session.rb +2 -0
- data/init.rb +1 -0
- data/lib/authlogic.rb +64 -0
- data/lib/authlogic/acts_as_authentic/base.rb +109 -0
- data/lib/authlogic/acts_as_authentic/email.rb +110 -0
- data/lib/authlogic/acts_as_authentic/logged_in_status.rb +59 -0
- data/lib/authlogic/acts_as_authentic/login.rb +142 -0
- data/lib/authlogic/acts_as_authentic/magic_columns.rb +24 -0
- data/lib/authlogic/acts_as_authentic/password.rb +355 -0
- data/lib/authlogic/acts_as_authentic/perishable_token.rb +105 -0
- data/lib/authlogic/acts_as_authentic/persistence_token.rb +68 -0
- data/lib/authlogic/acts_as_authentic/restful_authentication.rb +61 -0
- data/lib/authlogic/acts_as_authentic/session_maintenance.rb +139 -0
- data/lib/authlogic/acts_as_authentic/single_access_token.rb +65 -0
- data/lib/authlogic/acts_as_authentic/validations_scope.rb +32 -0
- data/lib/authlogic/authenticates_many/association.rb +42 -0
- data/lib/authlogic/authenticates_many/base.rb +54 -0
- data/lib/authlogic/controller_adapters/abstract_adapter.rb +67 -0
- data/lib/authlogic/controller_adapters/merb_adapter.rb +30 -0
- data/lib/authlogic/controller_adapters/rails_adapter.rb +50 -0
- data/lib/authlogic/controller_adapters/sinatra_adapter.rb +61 -0
- data/lib/authlogic/crypto_providers/aes256.rb +43 -0
- data/lib/authlogic/crypto_providers/bcrypt.rb +90 -0
- data/lib/authlogic/crypto_providers/md5.rb +34 -0
- data/lib/authlogic/crypto_providers/sha1.rb +35 -0
- data/lib/authlogic/crypto_providers/sha256.rb +50 -0
- data/lib/authlogic/crypto_providers/sha512.rb +50 -0
- data/lib/authlogic/crypto_providers/wordpress.rb +43 -0
- data/lib/authlogic/i18n.rb +84 -0
- data/lib/authlogic/i18n/translator.rb +15 -0
- data/lib/authlogic/random.rb +33 -0
- data/lib/authlogic/regex.rb +25 -0
- data/lib/authlogic/session/activation.rb +58 -0
- data/lib/authlogic/session/active_record_trickery.rb +72 -0
- data/lib/authlogic/session/base.rb +37 -0
- data/lib/authlogic/session/brute_force_protection.rb +96 -0
- data/lib/authlogic/session/callbacks.rb +96 -0
- data/lib/authlogic/session/cookies.rb +182 -0
- data/lib/authlogic/session/existence.rb +93 -0
- data/lib/authlogic/session/foundation.rb +77 -0
- data/lib/authlogic/session/http_auth.rb +99 -0
- data/lib/authlogic/session/id.rb +41 -0
- data/lib/authlogic/session/klass.rb +69 -0
- data/lib/authlogic/session/magic_columns.rb +95 -0
- data/lib/authlogic/session/magic_states.rb +59 -0
- data/lib/authlogic/session/params.rb +101 -0
- data/lib/authlogic/session/password.rb +240 -0
- data/lib/authlogic/session/perishable_token.rb +18 -0
- data/lib/authlogic/session/persistence.rb +70 -0
- data/lib/authlogic/session/priority_record.rb +34 -0
- data/lib/authlogic/session/scopes.rb +101 -0
- data/lib/authlogic/session/session.rb +62 -0
- data/lib/authlogic/session/timeout.rb +82 -0
- data/lib/authlogic/session/unauthorized_record.rb +50 -0
- data/lib/authlogic/session/validation.rb +82 -0
- data/lib/authlogic/test_case.rb +120 -0
- data/lib/authlogic/test_case/mock_controller.rb +55 -0
- data/lib/authlogic/test_case/mock_cookie_jar.rb +14 -0
- data/lib/authlogic/test_case/mock_logger.rb +10 -0
- data/lib/authlogic/test_case/mock_request.rb +19 -0
- data/lib/authlogic/test_case/rails_request_adapter.rb +30 -0
- data/lib/generators/authlogic/USAGE +8 -0
- data/lib/generators/authlogic/session_generator.rb +14 -0
- data/lib/generators/authlogic/templates/session.rb +2 -0
- data/rails/init.rb +1 -0
- data/shoulda_macros/authlogic.rb +69 -0
- data/test/acts_as_authentic_test/base_test.rb +18 -0
- data/test/acts_as_authentic_test/email_test.rb +116 -0
- data/test/acts_as_authentic_test/logged_in_status_test.rb +50 -0
- data/test/acts_as_authentic_test/login_test.rb +116 -0
- data/test/acts_as_authentic_test/magic_columns_test.rb +27 -0
- data/test/acts_as_authentic_test/password_test.rb +236 -0
- data/test/acts_as_authentic_test/perishable_token_test.rb +90 -0
- data/test/acts_as_authentic_test/persistence_token_test.rb +55 -0
- data/test/acts_as_authentic_test/restful_authentication_test.rb +40 -0
- data/test/acts_as_authentic_test/session_maintenance_test.rb +84 -0
- data/test/acts_as_authentic_test/single_access_test.rb +44 -0
- data/test/authenticates_many_test.rb +16 -0
- data/test/crypto_provider_test/aes256_test.rb +14 -0
- data/test/crypto_provider_test/bcrypt_test.rb +14 -0
- data/test/crypto_provider_test/sha1_test.rb +23 -0
- data/test/crypto_provider_test/sha256_test.rb +14 -0
- data/test/crypto_provider_test/sha512_test.rb +14 -0
- data/test/fixtures/companies.yml +5 -0
- data/test/fixtures/employees.yml +17 -0
- data/test/fixtures/projects.yml +3 -0
- data/test/fixtures/users.yml +24 -0
- data/test/i18n_test.rb +33 -0
- data/test/libs/affiliate.rb +7 -0
- data/test/libs/company.rb +6 -0
- data/test/libs/employee.rb +7 -0
- data/test/libs/employee_session.rb +2 -0
- data/test/libs/ldaper.rb +3 -0
- data/test/libs/ordered_hash.rb +9 -0
- data/test/libs/project.rb +3 -0
- data/test/libs/user.rb +5 -0
- data/test/libs/user_session.rb +5 -0
- data/test/random_test.rb +42 -0
- data/test/session_test/activation_test.rb +43 -0
- data/test/session_test/active_record_trickery_test.rb +46 -0
- data/test/session_test/brute_force_protection_test.rb +101 -0
- data/test/session_test/callbacks_test.rb +54 -0
- data/test/session_test/cookies_test.rb +136 -0
- data/test/session_test/credentials_test.rb +0 -0
- data/test/session_test/existence_test.rb +64 -0
- data/test/session_test/http_auth_test.rb +57 -0
- data/test/session_test/id_test.rb +17 -0
- data/test/session_test/klass_test.rb +40 -0
- data/test/session_test/magic_columns_test.rb +62 -0
- data/test/session_test/magic_states_test.rb +60 -0
- data/test/session_test/params_test.rb +53 -0
- data/test/session_test/password_test.rb +106 -0
- data/test/session_test/perishability_test.rb +15 -0
- data/test/session_test/persistence_test.rb +21 -0
- data/test/session_test/scopes_test.rb +60 -0
- data/test/session_test/session_test.rb +59 -0
- data/test/session_test/timeout_test.rb +52 -0
- data/test/session_test/unauthorized_record_test.rb +13 -0
- data/test/session_test/validation_test.rb +23 -0
- data/test/test_helper.rb +168 -0
- metadata +252 -0
@@ -0,0 +1,50 @@
|
|
1
|
+
require "digest/sha2"
|
2
|
+
|
3
|
+
module Authlogic
|
4
|
+
# The acts_as_authentic method has a crypto_provider option. This allows you to use any type of encryption you like.
|
5
|
+
# Just create a class with a class level encrypt and matches? method. See example below.
|
6
|
+
#
|
7
|
+
# === Example
|
8
|
+
#
|
9
|
+
# class MyAwesomeEncryptionMethod
|
10
|
+
# def self.encrypt(*tokens)
|
11
|
+
# # the tokens passed will be an array of objects, what type of object is irrelevant,
|
12
|
+
# # just do what you need to do with them and return a single encrypted string.
|
13
|
+
# # for example, you will most likely join all of the objects into a single string and then encrypt that string
|
14
|
+
# end
|
15
|
+
#
|
16
|
+
# def self.matches?(crypted, *tokens)
|
17
|
+
# # return true if the crypted string matches the tokens.
|
18
|
+
# # depending on your algorithm you might decrypt the string then compare it to the token, or you might
|
19
|
+
# # encrypt the tokens and make sure it matches the crypted string, its up to you
|
20
|
+
# end
|
21
|
+
# end
|
22
|
+
module CryptoProviders
|
23
|
+
# = Sha512
|
24
|
+
#
|
25
|
+
# Uses the Sha512 hash algorithm to encrypt passwords.
|
26
|
+
class Sha512
|
27
|
+
class << self
|
28
|
+
attr_accessor :join_token
|
29
|
+
|
30
|
+
# The number of times to loop through the encryption. This is twenty because that is what restful_authentication defaults to.
|
31
|
+
def stretches
|
32
|
+
@stretches ||= 20
|
33
|
+
end
|
34
|
+
attr_writer :stretches
|
35
|
+
|
36
|
+
# Turns your raw password into a Sha512 hash.
|
37
|
+
def encrypt(*tokens)
|
38
|
+
digest = tokens.flatten.join(join_token)
|
39
|
+
stretches.times { digest = Digest::SHA512.hexdigest(digest) }
|
40
|
+
digest
|
41
|
+
end
|
42
|
+
|
43
|
+
# Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
|
44
|
+
def matches?(crypted, *tokens)
|
45
|
+
encrypt(*tokens) == crypted
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
@@ -0,0 +1,43 @@
|
|
1
|
+
require 'digest/md5'
|
2
|
+
module Authlogic
|
3
|
+
module CryptoProviders
|
4
|
+
class Wordpress
|
5
|
+
class << self
|
6
|
+
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
|
7
|
+
|
8
|
+
def matches?(crypted, *tokens)
|
9
|
+
stretches = 1 << ITOA64.index(crypted[3,1])
|
10
|
+
plain, salt = *tokens
|
11
|
+
hashed = Digest::MD5.digest(salt+plain)
|
12
|
+
stretches.times do |i|
|
13
|
+
hashed = Digest::MD5.digest(hashed+plain)
|
14
|
+
end
|
15
|
+
crypted[0,12]+encode_64(hashed, 16) == crypted
|
16
|
+
end
|
17
|
+
|
18
|
+
def encode_64(input, length)
|
19
|
+
output = ""
|
20
|
+
i = 0
|
21
|
+
while i < length
|
22
|
+
value = input[i]
|
23
|
+
i+=1
|
24
|
+
break if value.nil?
|
25
|
+
output += ITOA64[value & 0x3f, 1]
|
26
|
+
value |= input[i] << 8 if i < length
|
27
|
+
output += ITOA64[(value >> 6) & 0x3f, 1]
|
28
|
+
|
29
|
+
i+=1
|
30
|
+
break if i >= length
|
31
|
+
value |= input[i] << 16 if i < length
|
32
|
+
output += ITOA64[(value >> 12) & 0x3f,1]
|
33
|
+
|
34
|
+
i+=1
|
35
|
+
break if i >= length
|
36
|
+
output += ITOA64[(value >> 18) & 0x3f,1]
|
37
|
+
end
|
38
|
+
output
|
39
|
+
end
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
@@ -0,0 +1,84 @@
|
|
1
|
+
require "authlogic/i18n/translator"
|
2
|
+
|
3
|
+
module Authlogic
|
4
|
+
# This class allows any message in Authlogic to use internationalization. In earlier versions of Authlogic each message was translated via configuration.
|
5
|
+
# This cluttered up the configuration and cluttered up Authlogic. So all translation has been extracted out into this class. Now all messages pass through
|
6
|
+
# this class, making it much easier to implement in I18n library / plugin you want. Use this as a layer that sits between Authlogic and whatever I18n
|
7
|
+
# library you want to use.
|
8
|
+
#
|
9
|
+
# By default this uses the rails I18n library, if it exists. If it doesnt exist it just returns the default english message. The Authlogic I18n class
|
10
|
+
# works EXACTLY like the rails I18n class. This is because the arguments are delegated to this class.
|
11
|
+
#
|
12
|
+
# Here is how all messages are translated internally with Authlogic:
|
13
|
+
#
|
14
|
+
# Authlogic::I18n.t('error_messages.password_invalid', :default => "is invalid")
|
15
|
+
#
|
16
|
+
# If you use a different I18n library just replace the build-in I18n::Translator class with your own. For example:
|
17
|
+
#
|
18
|
+
# class MyAuthlogicI18nTranslator
|
19
|
+
# def translate(key, options = {})
|
20
|
+
# # you will have key which will be something like: "error_messages.password_invalid"
|
21
|
+
# # you will also have options[:default], which will be the default english version of the message
|
22
|
+
# # do whatever you want here with the arguments passed to you.
|
23
|
+
# end
|
24
|
+
# end
|
25
|
+
#
|
26
|
+
# Authlogic::I18n.translator = MyAuthlogicI18nTranslator.new
|
27
|
+
#
|
28
|
+
# That it's! Here is a complete list of the keys that are passed. Just define these however you wish:
|
29
|
+
#
|
30
|
+
# authlogic:
|
31
|
+
# error_messages:
|
32
|
+
# login_blank: can not be blank
|
33
|
+
# login_not_found: is not valid
|
34
|
+
# login_invalid: should use only letters, numbers, spaces, and .-_@ please.
|
35
|
+
# consecutive_failed_logins_limit_exceeded: Consecutive failed logins limit exceeded, account is disabled.
|
36
|
+
# email_invalid: should look like an email address.
|
37
|
+
# password_blank: can not be blank
|
38
|
+
# password_invalid: is not valid
|
39
|
+
# not_active: Your account is not active
|
40
|
+
# not_confirmed: Your account is not confirmed
|
41
|
+
# not_approved: Your account is not approved
|
42
|
+
# no_authentication_details: You did not provide any details for authentication.
|
43
|
+
# general_credentials_error: Login/Password combination is not valid
|
44
|
+
# models:
|
45
|
+
# user_session: UserSession (or whatever name you are using)
|
46
|
+
# attributes:
|
47
|
+
# user_session: (or whatever name you are using)
|
48
|
+
# login: login
|
49
|
+
# email: email
|
50
|
+
# password: password
|
51
|
+
# remember_me: remember me
|
52
|
+
module I18n
|
53
|
+
@@scope = :authlogic
|
54
|
+
@@translator = nil
|
55
|
+
|
56
|
+
class << self
|
57
|
+
# Returns the current scope. Defaults to :authlogic
|
58
|
+
def scope
|
59
|
+
@@scope
|
60
|
+
end
|
61
|
+
|
62
|
+
# Sets the current scope. Used to set a custom scope.
|
63
|
+
def scope=(scope)
|
64
|
+
@@scope = scope
|
65
|
+
end
|
66
|
+
|
67
|
+
# Returns the current translator. Defaults to +Translator+.
|
68
|
+
def translator
|
69
|
+
@@translator ||= Translator.new
|
70
|
+
end
|
71
|
+
|
72
|
+
# Sets the current translator. Used to set a custom translator.
|
73
|
+
def translator=(translator)
|
74
|
+
@@translator = translator
|
75
|
+
end
|
76
|
+
|
77
|
+
# All message translation is passed to this method. The first argument is the key for the message. The second is options, see the rails I18n library for a list of options used.
|
78
|
+
def translate(key, options = {})
|
79
|
+
translator.translate key, { :scope => I18n.scope }.merge(options)
|
80
|
+
end
|
81
|
+
alias :t :translate
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end
|
@@ -0,0 +1,15 @@
|
|
1
|
+
module Authlogic
|
2
|
+
module I18n
|
3
|
+
class Translator
|
4
|
+
# If the I18n gem is present, calls +I18n.translate+ passing all
|
5
|
+
# arguments, else returns +options[:default]+.
|
6
|
+
def translate(key, options = {})
|
7
|
+
if defined?(::I18n)
|
8
|
+
::I18n.translate key, options
|
9
|
+
else
|
10
|
+
options[:default]
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
14
|
+
end
|
15
|
+
end
|
@@ -0,0 +1,33 @@
|
|
1
|
+
module Authlogic
|
2
|
+
# Handles generating random strings. If SecureRandom is installed it will default to this and use it instead. SecureRandom comes with ActiveSupport.
|
3
|
+
# So if you are using this in a rails app you should have this library.
|
4
|
+
module Random
|
5
|
+
extend self
|
6
|
+
|
7
|
+
SecureRandom = (defined?(::SecureRandom) && ::SecureRandom) || (defined?(::ActiveSupport::SecureRandom) && ::ActiveSupport::SecureRandom)
|
8
|
+
|
9
|
+
if SecureRandom
|
10
|
+
def hex_token
|
11
|
+
SecureRandom.hex(64)
|
12
|
+
end
|
13
|
+
|
14
|
+
def friendly_token
|
15
|
+
# use base64url as defined by RFC4648
|
16
|
+
SecureRandom.base64(15).tr('+/=', '').strip.delete("\n")
|
17
|
+
end
|
18
|
+
else
|
19
|
+
def hex_token
|
20
|
+
Authlogic::CryptoProviders::Sha512.encrypt(Time.now.to_s + (1..10).collect{ rand.to_s }.join)
|
21
|
+
end
|
22
|
+
|
23
|
+
FRIENDLY_CHARS = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
|
24
|
+
|
25
|
+
def friendly_token
|
26
|
+
newpass = ""
|
27
|
+
1.upto(20) { |i| newpass << FRIENDLY_CHARS[rand(FRIENDLY_CHARS.size-1)] }
|
28
|
+
newpass
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
end
|
33
|
+
end
|
@@ -0,0 +1,25 @@
|
|
1
|
+
module Authlogic
|
2
|
+
# This is a module the contains regular expressions used throughout Authlogic. The point of extracting
|
3
|
+
# them out into their own module is to make them easily available to you for other uses. Ex:
|
4
|
+
#
|
5
|
+
# validates_format_of :my_email_field, :with => Authlogic::Regex.email
|
6
|
+
module Regex
|
7
|
+
# A general email regular expression. It allows top level domains (TLD) to be from 2 - 4 in length, any
|
8
|
+
# TLD longer than that must be manually specified. The decisions behind this regular expression were made
|
9
|
+
# by reading this website: http://www.regular-expressions.info/email.html, which is an excellent resource
|
10
|
+
# for regular expressions.
|
11
|
+
def self.email
|
12
|
+
return @email_regex if @email_regex
|
13
|
+
email_name_regex = '[A-Z0-9_\.%\+\-\']+'
|
14
|
+
domain_head_regex = '(?:[A-Z0-9\-]+\.)+'
|
15
|
+
domain_tld_regex = '(?:[A-Z]{2,4}|museum|travel)'
|
16
|
+
@email_regex = /\A#{email_name_regex}@#{domain_head_regex}#{domain_tld_regex}\z/i
|
17
|
+
end
|
18
|
+
|
19
|
+
# A simple regular expression that only allows for letters, numbers, spaces, and .-_@. Just a standard login / username
|
20
|
+
# regular expression.
|
21
|
+
def self.login
|
22
|
+
/\A\w[\w\.+\-_@ ]+$/
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
@@ -0,0 +1,58 @@
|
|
1
|
+
module Authlogic
|
2
|
+
module Session
|
3
|
+
# Activating Authlogic requires that you pass it an Authlogic::ControllerAdapters::AbstractAdapter object, or a class that extends it.
|
4
|
+
# This is sort of like a database connection for an ORM library, Authlogic can't do anything until it is "connected" to a controller.
|
5
|
+
# If you are using a supported framework, Authlogic takes care of this for you.
|
6
|
+
module Activation
|
7
|
+
class NotActivatedError < ::StandardError # :nodoc:
|
8
|
+
def initialize(session)
|
9
|
+
super("You must activate the Authlogic::Session::Base.controller with a controller object before creating objects")
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
def self.included(klass)
|
14
|
+
klass.class_eval do
|
15
|
+
extend ClassMethods
|
16
|
+
include InstanceMethods
|
17
|
+
end
|
18
|
+
end
|
19
|
+
|
20
|
+
module ClassMethods
|
21
|
+
# Returns true if a controller has been set and can be used properly. This MUST be set before anything can be done.
|
22
|
+
# Similar to how ActiveRecord won't allow you to do anything without establishing a DB connection. In your framework
|
23
|
+
# environment this is done for you, but if you are using Authlogic outside of your framework, you need to assign a controller
|
24
|
+
# object to Authlogic via Authlogic::Session::Base.controller = obj. See the controller= method for more information.
|
25
|
+
def activated?
|
26
|
+
!controller.nil?
|
27
|
+
end
|
28
|
+
|
29
|
+
# This accepts a controller object wrapped with the Authlogic controller adapter. The controller adapters close the gap
|
30
|
+
# between the different controllers in each framework. That being said, Authlogic is expecting your object's class to
|
31
|
+
# extend Authlogic::ControllerAdapters::AbstractAdapter. See Authlogic::ControllerAdapters for more info.
|
32
|
+
#
|
33
|
+
# Lastly, this is thread safe.
|
34
|
+
def controller=(value)
|
35
|
+
Thread.current[:authlogic_controller] = value
|
36
|
+
end
|
37
|
+
|
38
|
+
# The current controller object
|
39
|
+
def controller
|
40
|
+
Thread.current[:authlogic_controller]
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
44
|
+
module InstanceMethods
|
45
|
+
# Making sure we are activated before we start creating objects
|
46
|
+
def initialize(*args)
|
47
|
+
raise NotActivatedError.new(self) unless self.class.activated?
|
48
|
+
super
|
49
|
+
end
|
50
|
+
|
51
|
+
private
|
52
|
+
def controller
|
53
|
+
self.class.controller
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
@@ -0,0 +1,72 @@
|
|
1
|
+
module Authlogic
|
2
|
+
module Session
|
3
|
+
# Authlogic looks like ActiveRecord, sounds like ActiveRecord, but its not ActiveRecord. That's the goal here.
|
4
|
+
# This is useful for the various rails helper methods such as form_for, error_messages_for, or any method that
|
5
|
+
# expects an ActiveRecord object. The point is to disguise the object as an ActiveRecord object so we can take
|
6
|
+
# advantage of the many ActiveRecord tools.
|
7
|
+
module ActiveRecordTrickery
|
8
|
+
def self.included(klass)
|
9
|
+
klass.extend ClassMethods
|
10
|
+
klass.send(:include, InstanceMethods)
|
11
|
+
end
|
12
|
+
|
13
|
+
module ClassMethods
|
14
|
+
# How to name the attributes of Authlogic, works JUST LIKE ActiveRecord, but instead it uses the following
|
15
|
+
# namespace:
|
16
|
+
#
|
17
|
+
# authlogic.attributes.user_session.login
|
18
|
+
def human_attribute_name(attribute_key_name, options = {})
|
19
|
+
options[:count] ||= 1
|
20
|
+
options[:default] ||= attribute_key_name.to_s.humanize
|
21
|
+
I18n.t("attributes.#{name.underscore}.#{attribute_key_name}", options)
|
22
|
+
end
|
23
|
+
|
24
|
+
# How to name the class, works JUST LIKE ActiveRecord, except it uses the following namespace:
|
25
|
+
#
|
26
|
+
# authlogic.models.user_session
|
27
|
+
def human_name(*args)
|
28
|
+
I18n.t("models.#{name.underscore}", {:count => 1, :default => name.humanize})
|
29
|
+
end
|
30
|
+
|
31
|
+
# For rails < 2.3, mispelled
|
32
|
+
def self_and_descendents_from_active_record
|
33
|
+
[self]
|
34
|
+
end
|
35
|
+
|
36
|
+
# For rails >= 2.3, mispelling fixed
|
37
|
+
def self_and_descendants_from_active_record
|
38
|
+
[self]
|
39
|
+
end
|
40
|
+
|
41
|
+
# For rails >= 3.0
|
42
|
+
def model_name
|
43
|
+
if defined?(::ActiveModel)
|
44
|
+
::ActiveModel::Name.new(self)
|
45
|
+
else
|
46
|
+
::ActiveSupport::ModelName.new(self.to_s)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
def i18n_scope
|
51
|
+
I18n.scope
|
52
|
+
end
|
53
|
+
|
54
|
+
def lookup_ancestors
|
55
|
+
ancestors.select { |x| x.respond_to?(:model_name) }
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
module InstanceMethods
|
60
|
+
# Don't use this yourself, this is to just trick some of the helpers since this is the method it calls.
|
61
|
+
def new_record?
|
62
|
+
new_session?
|
63
|
+
end
|
64
|
+
|
65
|
+
# For rails >= 3.0
|
66
|
+
def to_model
|
67
|
+
self
|
68
|
+
end
|
69
|
+
end
|
70
|
+
end
|
71
|
+
end
|
72
|
+
end
|
@@ -0,0 +1,37 @@
|
|
1
|
+
module Authlogic
|
2
|
+
module Session # :nodoc:
|
3
|
+
# This is the base class Authlogic, where all modules are included. For information on functiionality see the various
|
4
|
+
# sub modules.
|
5
|
+
class Base
|
6
|
+
include Foundation
|
7
|
+
include Callbacks
|
8
|
+
|
9
|
+
# Included first so that the session resets itself to nil
|
10
|
+
include Timeout
|
11
|
+
|
12
|
+
# Included in a specific order so they are tried in this order when persisting
|
13
|
+
include Params
|
14
|
+
include Cookies
|
15
|
+
include Session
|
16
|
+
include HttpAuth
|
17
|
+
|
18
|
+
# Included in a specific order so magic states gets ran after a record is found
|
19
|
+
include Password
|
20
|
+
include UnauthorizedRecord
|
21
|
+
include MagicStates
|
22
|
+
|
23
|
+
include Activation
|
24
|
+
include ActiveRecordTrickery
|
25
|
+
include BruteForceProtection
|
26
|
+
include Existence
|
27
|
+
include Klass
|
28
|
+
include MagicColumns
|
29
|
+
include PerishableToken
|
30
|
+
include Persistence
|
31
|
+
include Scopes
|
32
|
+
include Id
|
33
|
+
include Validation
|
34
|
+
include PriorityRecord
|
35
|
+
end
|
36
|
+
end
|
37
|
+
end
|
@@ -0,0 +1,96 @@
|
|
1
|
+
module Authlogic
|
2
|
+
module Session
|
3
|
+
# A brute force attacks is executed by hammering a login with as many password combinations as possible, until one works. A brute force attacked is
|
4
|
+
# generally combated with a slow hasing algorithm such as BCrypt. You can increase the cost, which makes the hash generation slower, and ultimately
|
5
|
+
# increases the time it takes to execute a brute force attack. Just to put this into perspective, if a hacker was to gain access to your server
|
6
|
+
# and execute a brute force attack locally, meaning there is no network lag, it would probably take decades to complete. Now throw in network lag
|
7
|
+
# and it would take MUCH longer.
|
8
|
+
#
|
9
|
+
# But for those that are extra paranoid and can't get enough protection, why not stop them as soon as you realize something isn't right? That's
|
10
|
+
# what this module is all about. By default the consecutive_failed_logins_limit configuration option is set to 50, if someone consecutively fails to login
|
11
|
+
# after 50 attempts their account will be suspended. This is a very liberal number and at this point it should be obvious that something is not right.
|
12
|
+
# If you wish to lower this number just set the configuration to a lower number:
|
13
|
+
#
|
14
|
+
# class UserSession < Authlogic::Session::Base
|
15
|
+
# consecutive_failed_logins_limit 10
|
16
|
+
# end
|
17
|
+
module BruteForceProtection
|
18
|
+
def self.included(klass)
|
19
|
+
klass.class_eval do
|
20
|
+
extend Config
|
21
|
+
include InstanceMethods
|
22
|
+
validate :reset_failed_login_count, :if => :reset_failed_login_count?
|
23
|
+
validate :validate_failed_logins, :if => :being_brute_force_protected?
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
# Configuration for the brute force protection feature.
|
28
|
+
module Config
|
29
|
+
# To help protect from brute force attacks you can set a limit on the allowed number of consecutive failed logins. By default this is 50, this is a very liberal
|
30
|
+
# number, and if someone fails to login after 50 tries it should be pretty obvious that it's a machine trying to login in and very likely a brute force attack.
|
31
|
+
#
|
32
|
+
# In order to enable this field your model MUST have a failed_login_count (integer) field.
|
33
|
+
#
|
34
|
+
# If you don't know what a brute force attack is, it's when a machine tries to login into a system using every combination of character possible. Thus resulting
|
35
|
+
# in possibly millions of attempts to log into an account.
|
36
|
+
#
|
37
|
+
# * <tt>Default:</tt> 50
|
38
|
+
# * <tt>Accepts:</tt> Integer, set to 0 to disable
|
39
|
+
def consecutive_failed_logins_limit(value = nil)
|
40
|
+
rw_config(:consecutive_failed_logins_limit, value, 50)
|
41
|
+
end
|
42
|
+
alias_method :consecutive_failed_logins_limit=, :consecutive_failed_logins_limit
|
43
|
+
|
44
|
+
# Once the failed logins limit has been exceed, how long do you want to ban the user? This can be a temporary or permanent ban.
|
45
|
+
#
|
46
|
+
# * <tt>Default:</tt> 2.hours
|
47
|
+
# * <tt>Accepts:</tt> Fixnum, set to 0 for permanent ban
|
48
|
+
def failed_login_ban_for(value = nil)
|
49
|
+
rw_config(:failed_login_ban_for, (!value.nil? && value) || value, 2.hours.to_i)
|
50
|
+
end
|
51
|
+
alias_method :failed_login_ban_for=, :failed_login_ban_for
|
52
|
+
end
|
53
|
+
|
54
|
+
# The methods available for an Authlogic::Session::Base object that make up the brute force protection feature.
|
55
|
+
module InstanceMethods
|
56
|
+
# Returns true when the consecutive_failed_logins_limit has been exceeded and is being temporarily banned.
|
57
|
+
# Notice the word temporary, the user will not be permanently banned unless you choose to do so with configuration.
|
58
|
+
# By default they will be banned for 2 hours. During that 2 hour period this method will return true.
|
59
|
+
def being_brute_force_protected?
|
60
|
+
exceeded_failed_logins_limit? && (failed_login_ban_for <= 0 ||
|
61
|
+
(attempted_record.respond_to?(:updated_at) && attempted_record.updated_at >= failed_login_ban_for.seconds.ago))
|
62
|
+
end
|
63
|
+
|
64
|
+
private
|
65
|
+
def exceeded_failed_logins_limit?
|
66
|
+
!attempted_record.nil? && attempted_record.respond_to?(:failed_login_count) && consecutive_failed_logins_limit > 0 &&
|
67
|
+
attempted_record.failed_login_count && attempted_record.failed_login_count >= consecutive_failed_logins_limit
|
68
|
+
end
|
69
|
+
|
70
|
+
def reset_failed_login_count?
|
71
|
+
exceeded_failed_logins_limit? && !being_brute_force_protected?
|
72
|
+
end
|
73
|
+
|
74
|
+
def reset_failed_login_count
|
75
|
+
attempted_record.failed_login_count = 0
|
76
|
+
end
|
77
|
+
|
78
|
+
def validate_failed_logins
|
79
|
+
errors.clear # Clear all other error messages, as they are irrelevant at this point and can only provide additional information that is not needed
|
80
|
+
errors.add(:base, I18n.t(
|
81
|
+
'error_messages.consecutive_failed_logins_limit_exceeded',
|
82
|
+
:default => "Consecutive failed logins limit exceeded, account has been" + (failed_login_ban_for == 0 ? "" : " temporarily") + " disabled."
|
83
|
+
))
|
84
|
+
end
|
85
|
+
|
86
|
+
def consecutive_failed_logins_limit
|
87
|
+
self.class.consecutive_failed_logins_limit
|
88
|
+
end
|
89
|
+
|
90
|
+
def failed_login_ban_for
|
91
|
+
self.class.failed_login_ban_for
|
92
|
+
end
|
93
|
+
end
|
94
|
+
end
|
95
|
+
end
|
96
|
+
end
|