railsware-authlogic 2.1.6.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (126) hide show
  1. data/.gitignore +9 -0
  2. data/CHANGELOG.rdoc +345 -0
  3. data/LICENSE +20 -0
  4. data/README.rdoc +246 -0
  5. data/Rakefile +41 -0
  6. data/VERSION.yml +5 -0
  7. data/authlogic.gemspec +216 -0
  8. data/generators/session/session_generator.rb +9 -0
  9. data/generators/session/templates/session.rb +2 -0
  10. data/init.rb +1 -0
  11. data/lib/authlogic.rb +64 -0
  12. data/lib/authlogic/acts_as_authentic/base.rb +107 -0
  13. data/lib/authlogic/acts_as_authentic/email.rb +110 -0
  14. data/lib/authlogic/acts_as_authentic/logged_in_status.rb +65 -0
  15. data/lib/authlogic/acts_as_authentic/login.rb +141 -0
  16. data/lib/authlogic/acts_as_authentic/magic_columns.rb +24 -0
  17. data/lib/authlogic/acts_as_authentic/password.rb +355 -0
  18. data/lib/authlogic/acts_as_authentic/perishable_token.rb +105 -0
  19. data/lib/authlogic/acts_as_authentic/persistence_token.rb +68 -0
  20. data/lib/authlogic/acts_as_authentic/restful_authentication.rb +61 -0
  21. data/lib/authlogic/acts_as_authentic/session_maintenance.rb +139 -0
  22. data/lib/authlogic/acts_as_authentic/single_access_token.rb +65 -0
  23. data/lib/authlogic/acts_as_authentic/validations_scope.rb +32 -0
  24. data/lib/authlogic/authenticates_many/association.rb +42 -0
  25. data/lib/authlogic/authenticates_many/base.rb +55 -0
  26. data/lib/authlogic/controller_adapters/abstract_adapter.rb +67 -0
  27. data/lib/authlogic/controller_adapters/merb_adapter.rb +30 -0
  28. data/lib/authlogic/controller_adapters/rails_adapter.rb +48 -0
  29. data/lib/authlogic/controller_adapters/sinatra_adapter.rb +61 -0
  30. data/lib/authlogic/crypto_providers/aes256.rb +43 -0
  31. data/lib/authlogic/crypto_providers/bcrypt.rb +90 -0
  32. data/lib/authlogic/crypto_providers/md5.rb +34 -0
  33. data/lib/authlogic/crypto_providers/sha1.rb +35 -0
  34. data/lib/authlogic/crypto_providers/sha256.rb +50 -0
  35. data/lib/authlogic/crypto_providers/sha512.rb +50 -0
  36. data/lib/authlogic/crypto_providers/wordpress.rb +43 -0
  37. data/lib/authlogic/i18n.rb +83 -0
  38. data/lib/authlogic/i18n/translator.rb +15 -0
  39. data/lib/authlogic/random.rb +33 -0
  40. data/lib/authlogic/regex.rb +25 -0
  41. data/lib/authlogic/session/activation.rb +58 -0
  42. data/lib/authlogic/session/active_record_trickery.rb +64 -0
  43. data/lib/authlogic/session/base.rb +37 -0
  44. data/lib/authlogic/session/brute_force_protection.rb +96 -0
  45. data/lib/authlogic/session/callbacks.rb +99 -0
  46. data/lib/authlogic/session/cookies.rb +130 -0
  47. data/lib/authlogic/session/existence.rb +93 -0
  48. data/lib/authlogic/session/foundation.rb +71 -0
  49. data/lib/authlogic/session/http_auth.rb +58 -0
  50. data/lib/authlogic/session/id.rb +41 -0
  51. data/lib/authlogic/session/klass.rb +78 -0
  52. data/lib/authlogic/session/magic_columns.rb +95 -0
  53. data/lib/authlogic/session/magic_states.rb +59 -0
  54. data/lib/authlogic/session/params.rb +101 -0
  55. data/lib/authlogic/session/password.rb +240 -0
  56. data/lib/authlogic/session/perishable_token.rb +18 -0
  57. data/lib/authlogic/session/persistence.rb +70 -0
  58. data/lib/authlogic/session/priority_record.rb +34 -0
  59. data/lib/authlogic/session/scopes.rb +101 -0
  60. data/lib/authlogic/session/session.rb +62 -0
  61. data/lib/authlogic/session/timeout.rb +82 -0
  62. data/lib/authlogic/session/unauthorized_record.rb +50 -0
  63. data/lib/authlogic/session/validation.rb +82 -0
  64. data/lib/authlogic/test_case.rb +120 -0
  65. data/lib/authlogic/test_case/mock_controller.rb +45 -0
  66. data/lib/authlogic/test_case/mock_cookie_jar.rb +14 -0
  67. data/lib/authlogic/test_case/mock_logger.rb +10 -0
  68. data/lib/authlogic/test_case/mock_request.rb +19 -0
  69. data/lib/authlogic/test_case/rails_request_adapter.rb +30 -0
  70. data/rails/init.rb +1 -0
  71. data/shoulda_macros/authlogic.rb +69 -0
  72. data/test/acts_as_authentic_test/base_test.rb +18 -0
  73. data/test/acts_as_authentic_test/email_test.rb +101 -0
  74. data/test/acts_as_authentic_test/logged_in_status_test.rb +36 -0
  75. data/test/acts_as_authentic_test/login_test.rb +109 -0
  76. data/test/acts_as_authentic_test/magic_columns_test.rb +27 -0
  77. data/test/acts_as_authentic_test/password_test.rb +236 -0
  78. data/test/acts_as_authentic_test/perishable_token_test.rb +90 -0
  79. data/test/acts_as_authentic_test/persistence_token_test.rb +55 -0
  80. data/test/acts_as_authentic_test/restful_authentication_test.rb +40 -0
  81. data/test/acts_as_authentic_test/session_maintenance_test.rb +84 -0
  82. data/test/acts_as_authentic_test/single_access_test.rb +44 -0
  83. data/test/authenticates_many_test.rb +16 -0
  84. data/test/crypto_provider_test/aes256_test.rb +14 -0
  85. data/test/crypto_provider_test/bcrypt_test.rb +14 -0
  86. data/test/crypto_provider_test/sha1_test.rb +23 -0
  87. data/test/crypto_provider_test/sha256_test.rb +14 -0
  88. data/test/crypto_provider_test/sha512_test.rb +14 -0
  89. data/test/fixtures/companies.yml +5 -0
  90. data/test/fixtures/employees.yml +17 -0
  91. data/test/fixtures/projects.yml +3 -0
  92. data/test/fixtures/users.yml +24 -0
  93. data/test/i18n_test.rb +33 -0
  94. data/test/libs/affiliate.rb +7 -0
  95. data/test/libs/company.rb +6 -0
  96. data/test/libs/employee.rb +7 -0
  97. data/test/libs/employee_session.rb +2 -0
  98. data/test/libs/ldaper.rb +3 -0
  99. data/test/libs/ordered_hash.rb +9 -0
  100. data/test/libs/project.rb +3 -0
  101. data/test/libs/user.rb +5 -0
  102. data/test/libs/user_session.rb +6 -0
  103. data/test/random_test.rb +42 -0
  104. data/test/session_test/activation_test.rb +43 -0
  105. data/test/session_test/active_record_trickery_test.rb +36 -0
  106. data/test/session_test/brute_force_protection_test.rb +101 -0
  107. data/test/session_test/callbacks_test.rb +6 -0
  108. data/test/session_test/cookies_test.rb +112 -0
  109. data/test/session_test/credentials_test.rb +0 -0
  110. data/test/session_test/existence_test.rb +64 -0
  111. data/test/session_test/http_auth_test.rb +28 -0
  112. data/test/session_test/id_test.rb +17 -0
  113. data/test/session_test/klass_test.rb +40 -0
  114. data/test/session_test/magic_columns_test.rb +62 -0
  115. data/test/session_test/magic_states_test.rb +60 -0
  116. data/test/session_test/params_test.rb +53 -0
  117. data/test/session_test/password_test.rb +106 -0
  118. data/test/session_test/perishability_test.rb +15 -0
  119. data/test/session_test/persistence_test.rb +21 -0
  120. data/test/session_test/scopes_test.rb +60 -0
  121. data/test/session_test/session_test.rb +59 -0
  122. data/test/session_test/timeout_test.rb +52 -0
  123. data/test/session_test/unauthorized_record_test.rb +13 -0
  124. data/test/session_test/validation_test.rb +23 -0
  125. data/test/test_helper.rb +182 -0
  126. metadata +255 -0
data/.gitignore ADDED
@@ -0,0 +1,9 @@
1
+ .DS_Store
2
+ .swp
3
+ *.log
4
+ *.sqlite3
5
+ pkg/*
6
+ coverage/*
7
+ doc/*
8
+ benchmarks/*
9
+ .specification
data/CHANGELOG.rdoc ADDED
@@ -0,0 +1,345 @@
1
+ == 2.1.2
2
+
3
+ * Return the newly create object for the class level create method, instead of a boolean
4
+ * Add a model_name class method for Authlogic::Session for rails 3 compatibility. Will be using ActiveModel eventually, but this should be a quick fix.
5
+
6
+ == 2.1.1 released 2009-7-04
7
+
8
+ * Use mb_chars when downcasing the login string to support international characters.
9
+ * Check for the existence of the :remember_me key before setting remember_me off of a hash.
10
+ * Added check to make sure Authlogic is not loaded too late, causing a NotActivated error.
11
+
12
+ == 2.1.0 released 2009-6-27
13
+
14
+ * Fixed bug when using act_like_restful_authentication and setting passwords, needed to add a 2nd parameter to tell if to check against the database or not.
15
+ * Don't save record if they are read only.
16
+
17
+ == 2.0.14 released 2009-6-13
18
+
19
+ * Fixed issue with using brute force protection AND generalize_credentials_error_messages. Brute force protection was looking to see if there were password errors, which generalize_credentials_error_messages was obfuscating.
20
+ * Added db_setup? method to avoid errors during rake tasks where the db might not be set up. Ex: migrations
21
+ * Stop using errors.on(key) since that is now deprecated in Rails. Use errors[key] instead.
22
+ * Use valid_password? for the method name to validate a password instead of valid_#{password_field}?.
23
+
24
+ == 2.0.13 released 2009-5-13
25
+
26
+ * Add authlogic/regex.rb to manifest
27
+
28
+ == 2.0.12 released 2009-5-13
29
+
30
+ * Added the ability to add a last_request_update_allowed? method in your controller to pragmatically tell Authlogic when and when not to update the last_request_at field in your database. This only takes effect if the method if present.
31
+ * Extracted Authlogic's regular expressions into it's own module to allow easy use of them outside of Authlogic. See Authlogic::Regex for more info.
32
+ * Made being_brute_force_protected? true for the Authlogic::Session::BruteForceProtection module.
33
+ * Added the configuration option generalize_credentials_error_messages for the Authlogic::Session::Password module. This allows you to generalize your login / password errors messages as to not reveal was the problem was when authenticating. If enabled, when an invalid login is supplied it will use the same exact error message when an invalid password is supplied.
34
+ * Update email regular expression to use A-Z0-9 instead of /w as to not allow for diacritical marks in an email address.
35
+ * Changed config() convenience method to rw_config() to be more descriptive and less vague.
36
+
37
+ == 2.0.11 released 2009-4-25
38
+
39
+ * Fix bug when password is turned off and the SingleAccessToken module calls the after_password_set callback.
40
+ * HTTP basic auth can now be toggled on or off. It also checks for the existence of a standard username and password before enabling itself.
41
+ * Added option check_passwords_against_database for Authlogic::ActsAsAuthentic::Password to toggle between checking the password against the database value or the object value. Also added the same functionality to the instance method: valid_password?("password", true), where the second argument tells Authlogic to check the password against the database value. The default for this new feature is true.
42
+ * Add a maintain_sessions configuration option to Authlogic::ActsAsAuthentic::SessionMaintenance as a "clearer" option to disable automatic session maintenance.
43
+ * single_access_allowed_request_types can also be equal to :all instead of just [:all].
44
+ * Refactor params_enabled? so that the single_access_allowed? method in controllers takes precedence.
45
+ * Added testing comments in the README and expanded on the documentation in Authlogic::TestCase
46
+
47
+ == 2.0.10 released 2009-4-21
48
+
49
+ * Mock request is now transparent to non existent methods. Since the methods calls really have no functional value when testing authlogic.
50
+ * Allow password confirmation to be disabled.
51
+ * Modified login format validation to allow for the + character since emails addresses allow that as a valid character.
52
+ * Added merge_* configuration methods for acts_as_authentic to make merging options into configuration options that default to hashes. Just a few convenience methods.
53
+
54
+ == 2.0.9 released 2009-4-9
55
+
56
+ * Fixed bug where hooks provided by the password module were called when the password module was not being used due to the fact that the password field did not exist.
57
+ * Fixed bug where the find_with_login method was not being aliased if you were using an alternate field besides login.
58
+
59
+ == 2.0.8 release 2009-4-9
60
+
61
+ * Dont reset the @password_changed instance variable to false because its halts the callback chain, instead reset it to nil.
62
+
63
+ == 2.0.7 released 2009-4-9
64
+
65
+ * Rename TestCase::ControllerAdapter to TestCase::RailsRequestAdapter to help clarify it's usage and fix a constant typo.
66
+
67
+ == 2.0.6 released 2009-4-9
68
+
69
+ * Don't use second, use [1] instead so older rails versions don't complain.
70
+ * Update email regular expression to be less TLD specific: (?:[A-Z]{2,4}|museum|travel)
71
+ * Update shoulda macro for 2.0
72
+ * validates_length_of_password_confirmation_field_options defaults to validates_confirmation_of_password_field_options
73
+ * Use MockCookieJar in tests instead of a Hash in the MockController.
74
+ * Cookies now store the record id as well, for faster lookup. Also to avoid the need to use sessions since sessions are lazily loaded in rails 2.3+
75
+ * Add configuration option for Authlogic::ActsAsAuthentic: ignore_blank_passwords
76
+ * Fix cookie_domain in rails adapter
77
+ * Make password and login fields optional. This allows you to have an alternate authentication method as your main authentication source. Such as OpenID, LDAP, or whatever you want.
78
+ * Reset the @password_changed instance variable after the record has been saved.
79
+ * Add referer and user_agent to mock requests for testing purposes.
80
+ * Add :case_sensitive => false to validates_uniqueness_of calls on the login and email fields.
81
+ * MockRequest not tries to use controller.env['REMOTE_ADDR'] for the IP address in tests.
82
+ * Add in custom find_with_email and find_with_login methods to perform case insensitive searches for databases that are case sensitive by default. This is only done if the :case_insensitive option for validates_uniqueness_of_login_field_options or validates_uniqueness_of_email_field_options is set to false. Which, as of this version, it is. If you are using MySQL this has been the default behavior all along. If you are using SQLite or Postgres this has NOT been the default behavior.
83
+ * Added in exception explaining that you are using the old configuration for acts_as_authentic with an example of the new format.
84
+
85
+ == 2.0.5 released 2009-3-30
86
+
87
+ * Stub out authenticate_with_http_basic for TestCase::ControllerAdapter.
88
+ * Added second parameter for add_acts_as_authentic module to specify the position: append or prepend.
89
+
90
+ == 2.0.4 released 2009-3-28
91
+
92
+ * Added validates_uniqueness_of_login_field_options and validates_uniqueness_of_email_field_options configuration options
93
+ * Add in checks to make sure session_class is not nil.
94
+ * Cleaned up TestCase some more and added functionality to log users in during functional tests.
95
+
96
+ == 2.0.3 released 2009-3-26
97
+
98
+ * Fixed error where default session class does not exist.
99
+ * Fixed human_name for the model to use its own human name and not delegate to the associated model. Translation should be under authlogic.models.user_session (or whatever the name of your session is).
100
+ * Fixed human_attribute_name to use Authlogic keys for translation instead of ActiveRecord: authlogic.attributes.user_session.login
101
+ * For transitioning from restful_authentication, set the REST_AUTH_SITE_KEY to '' if it doesn't exist, instead of nil.
102
+ * Completely rewrote Authlogic::Testing, it's now called Authlogic::TestCase. Testing Authlogic is much easier now. Please see Authlogic::TestCase for more info.
103
+
104
+ == 2.0.2 released 2009-3-24
105
+
106
+ * Reset failed_login_count if consecutive_failed_logins_limit has been exceed and the failed_login_ban_for has passed.
107
+ * Update test helpers to use the new configuration scheme.
108
+ * Fixed issue when logging doesn't update last_request_at, so the next persistence try would fail.
109
+
110
+ == 2.0.1 released 2009-3-23
111
+
112
+ * Validate length of password.
113
+ * Dont save sessions with a ! during session maintenance.
114
+ * Add self_and_descendants_from_active_record for Rails 2.3
115
+ * Abort acts_as_authentic if there is no DB connection or table.
116
+
117
+ == 2.0.0 released 2009-3-23
118
+
119
+ * Refactored nearly all code and tests, especially acts_as_authentic. Got rid of the meta programming and rewrote to use modules and hooks. Also moved all configuration into their related modules.
120
+ * Set up a strong API with hooks to allow you to modify behavior and most importantly, easily create "add on" modules or alternate authentication methods, etc.
121
+ * Changed configuration method for acts_as_authentic to accept a block instead of a hash.
122
+ * The record attribute will NEVER be set until after validation passes, similar to how ActiveRecord executes UPDATEs and CREATEs.
123
+ * Fixed bug with session maintenance where user would log in as new user when creating another user account, typically an admin function.
124
+ * Brute force protection is only a temporary ban by default, not a permanent one.
125
+ * Switched to Hoe for gem management instead of Echoe.
126
+ * Added MD5 crypto provider for legacy systems.
127
+ * Make password salt field optional for legacy systems.
128
+
129
+ == 1.4.4 released 2009-3-2
130
+
131
+ * Moved session maintenance to a before_save, to save on queries executed and to skip an unexpected / additional save on the user object.
132
+ * Extracted random string generation into its own class and leverages SecureRandom if it is available
133
+ * Move cookies to a higher priority when trying to find the record to help with performance since Rails 3 lazily loads the sessions
134
+ * Reset perishable token in a before_save instead of a before_validation
135
+
136
+ == 1.4.3 released 2009-2-22
137
+
138
+ * Fixed issue with brute force protection.
139
+
140
+ == 1.4.2 released 2009-2-20
141
+
142
+ * Cleaned up callbacks system to use hooks and execute in the proper order.
143
+ * Added brute force protection. See the consecutive_failed_logins_limit configuration option in Authlogic::Session::Config. Also see Authlogic::Session:BruteForceProtection
144
+ * Fixed issue with calling stale? when there is no record.
145
+ * Simon Harris fixed the issue of using lock_version with the associated record and also optimized the library for better performance.
146
+ * Implemented saving the record during the callback chain to execute as few queries as possible. This way modules can hook into Authlogic, modify the associated record, and not have to worry about saving the record.
147
+
148
+ == 1.4.1 released 2009-2-8
149
+
150
+ * Fixed I18n key misspelling.
151
+ * Added I18n keys for ORM error messages.
152
+ * Use the password_field configuration value for the alias_methods defined in acts_as_authentic/credentials.rb
153
+ * Change shoulda macros implementation to follow the shoulda documentation
154
+ * Rails >2.3 uses :domain for the session option instead of :session_domain. Authlogic now uses the proper key in the rails adapter.
155
+ * Added validate_password attribute to force password validation regardless if the password is blank. This is useful for forms explicitly changing passwords.
156
+ * The class level find method will return a session object if the session is stale. The protection is that there will be no record associated with that session. This allows you to receive an object and call the stale? method on it to determine why the user must log back in.
157
+ * Added validate callbacks in Session::Base so you can run callbacks by calling validate :my_method, just like in AR.
158
+ * Checked for blank persistence tokens when trying to validate passwords, this is where transitioning occurs. People transitioning from older systems never had a persistence token, which means it would be nil here.
159
+ * Update allowed domain name extensions for email
160
+ * Ignore default length options for validations if alternate length options are provided, since AR raises an error if 2 different length specifications are provided.
161
+
162
+ == 1.4.0 released 2009-1-28
163
+
164
+ * Added support for cookie domain, based on your frameworks session domain configuration
165
+ * Updated test helper functions to use the persistence token config value
166
+ * Check for UTC times when using Time.now for current_login_at and last_request_at
167
+ * Single access now looks for a single_access_allowed? method in your controllers to determine if single access should be allowed or not. Allowing you to define exactly when single access is allowed.
168
+ * Finding the authenticated record uses klass.primary_key instead of assuming id.
169
+ * BREAKS BACKWARDS COMPATIBILITY: New I18n solution implemented. See Authlogic::I18n for more information.
170
+
171
+ == 1.3.9 released 2009-1-9
172
+
173
+ * Added the disable_perishable_token_maintenance option to disable the automatic resetting of the perishable_token, meaning you will have to maintain this yourself.
174
+ * Changed shoulda macro to conform to standards so model is not required to be passed
175
+ * Modified method definitions for the Session class to check for already defined methods, allowing you to write your own "credential" methods, and Authlogic will not overwrite your custom methods.
176
+ * Fixed bug when passing :all to single_access_allowed_request_types
177
+ * Added logout_on_timeout configuration option for Session::Base
178
+
179
+ == 1.3.8 released 2008-12-24
180
+
181
+ * Only change persistence token if the password is not blank
182
+ * Normalize the last_request_at_threshold so that you can pass an integer or a date/time range.
183
+ * Fixed bug where password length validations were not being run because the password value was not blank. It should be run if it is a new record, the password has changed, or the password is blank.
184
+ * Added disable_magic_states option for sessions, to turn off the automatic checking of "magic states" such as active?, confirmed?, and approved?.
185
+
186
+ == 1.3.7 released 2008-11-30
187
+
188
+ * Added session generator: script/generate session UserSession
189
+ * Added Test::Unit helpers file, see testing in the README
190
+
191
+ == 1.3.6 released 2008-11-30
192
+
193
+ * Modified validates_length_of for password so that there is a fallback validation if the passed "if statement" fails
194
+
195
+ == 1.3.5 released 2008-11-30
196
+
197
+ * :transition_from_crypto_provider for acts_as_authentic now accepts an array to transition from multiple providers. Which solves the problem of a double transition.
198
+ * Added AES256 as a crypto_provider option, for those that want to use a reversible encryption method by supplying a key.
199
+ * Fixed typo for using validates_format_of_options instead of validates_length_of_options
200
+ * Fixed bug when accessing the dynamic method for accessing the session record in a namespace, since it uses class_name.underscore which replaces :: with a /
201
+ * Added minimum length requirement of 4 for the password, and removed validates_presence_of for password since validates_length_of enforces this
202
+ * Set before_validation to reset the persistence token if it is blank, since a password is not required for open id authentication
203
+
204
+ == 1.3.4 released 2008-11-24
205
+
206
+ * Delegate human_attribute_name to the ActiveRecord class to take advantage of the I18n feature.
207
+ * Fixed issue with passwords from older versions of restful_authentication, the passwords end with --
208
+
209
+ == 1.3.3 released 2008-11-23
210
+
211
+ * Updated :act_like_restful_authentication for those using the older version where no site wide key is preset (REST_AUTH_SITE_KEY), Authlogic will adjust automatically based on the presence of this constant.
212
+ * Added :transition_from_crypto_provider option for acts_as_authentic to transition your user's passwords to a new algorithm.
213
+ * Added :transition_from_restful_authentication for acts_as_authentic to transition your users from restful_authentication to the Authlogic password system. Now you can choose to keep your passwords the same by using :act_like_restful_authentication, which will *NOT* do any transitioning, or you can use :transition_from_crypto_provider which will update your users passwords as they login or new accounts are created, while still allowing users with the old password system to log in.
214
+ * Modified the "interface" for the crypto providers to only provide a class level encrypt and matches? method, instead of a class level encrypt and decrypt method.
215
+
216
+ == 1.3.2 released 2008-11-22
217
+
218
+ * Updated code to work better with BCrypt, using root level class now.
219
+
220
+ == 1.3.1 released 2008-11-22
221
+
222
+ * Fixed typo in acts_as_authentic config when passing the :scope option.
223
+ * Added :act_like_restful_authentication option for acts_as_authentic
224
+ * Added a new crypto provider: BCrypt, this is for those storing the nuclear launch codes in their apps
225
+
226
+ == 1.3.0 released 2008-11-21
227
+
228
+ * BREAKS BACKWARDS COMPATIBILITY: changed the confirm_password field to password_confirmation for acts_as_authentic, since the rails validates_confirmation_of handles creating this attribute and there is no option to change the name of this.
229
+ * BREAKS BACKWARDS COMPATIBILITY: Cleaned up all of the validation configuration for acts_as_authentic, as well as the documentation that goes with it, you can accomplish the same things as before, but this is much more flexible and much more organized. This is mainly for those implementing i18n support. Instead of :whatever_message, its now :login_field_validates_length_of_options => {:message => "your i18n friendly message"}. As a side note, with the new i18n support in rails I would not be surprised if this is already done for you since Authlogic uses the ActiveRecord validation methods.
230
+ * Got rid of simple delegator for the abstract controller, apparently this has performance issues.
231
+ * Cleaned up validations to assume ActiveRecord dirty attributes are present, I think this is a safe assumption.
232
+
233
+ == 1.2.2 released 2008-11-20
234
+
235
+ * Added allow_blank_login_and_password_field and allow_blank_email_field options to acts_as_authentic, which allows you to have alternative logins, such as OpenID
236
+ * In the session Authlogic now also stores the record id. We use this id to find the record and then check the token against the record, thus allowing for quicker database lookups, while getting the same security.
237
+ * Skip validation for reset_perishable_token!
238
+ * Added checks for uniqueness validations to only perform if the values have changed, this cuts down on DB queries
239
+ * Abstract controller adapter now uses ruby's simple delegator class
240
+ * Allow to save with a block: user_session.save { |result| }, result will either be false or self, this is useful when implementing OpenID and other methods
241
+
242
+ == 1.2.1 released 2008-11-19
243
+
244
+ * Added build method to authenticates_many association to act like AR association collections.
245
+ * Added validation boolean configuration options for acts_as_authentic: validate_field, validate_login_field, validate_password_field, validate_email_field. This turns on and off validations for their respective fields.
246
+ * Renamed all password_reset_token terms to perishable_token, including configuration, etc. I still allow for the old configurations so this will not break compatibility, but perishable token is a better name and can be used for account confirmation as well as a password reset token, or anything else you want.
247
+ * Renamed all remember_token instances to persistence_token, the term "remember token" doesn't really make sense. I still allow for the old configuration, so this will not break backwards compatibility: persistence_token fits better and makes more sense.
248
+
249
+ == 1.2.0 released 2008-11-16
250
+
251
+ * Added check for database set up in acts_as_authentic to prevent errors during migrations.
252
+ * Forced logged_in and logged_out named scopes to use seconds.
253
+ * Hardened valid_password? method to only allow raw passwords.
254
+ * controllers and scopes are no longer stored in class variables but in the Thread.current hash so their instances die out with the thread, which frees up memory.
255
+ * Removed single_access_token_field and remember_token_field from Sesson::Config, they are not needed there.
256
+ * Added password_reset_token to assist in resetting passwords.
257
+ * Added email_field, email_field_regex, email_field_regex_failed_message configuration options to acts_as_authentic. So that you can validate emails as well as a login, instead of the either-or approach.
258
+ * Added configuration for all validation messages for the session so that you can modify them and provide I18n support.
259
+
260
+ == 1.1.1 released 2008-11-13
261
+
262
+ * Removed ActiveRecord dependency.
263
+ * Removed loading shoulda macros by default, moved to shoulda_macros dir.
264
+ * Modified how params access works. Added in single_access_token_field which params now uses. See the single access section in the README. Various configuration options added as well.
265
+ * Cleaned up acts_as_authentic configuration, added new config module to do this.
266
+ * Cleaned up acts_as_authentic tests
267
+ * Moved acts_as_authentic sub modules into the proper name spaces
268
+
269
+ == 1.1.0 released 2008-11-13
270
+
271
+ * Moved Rack standards into abstract_adapter for the controllers.
272
+ * Added authenticating_with_credentials?, authenticating_with_unauthorized_record?
273
+ * Fixed typo in abstract_adapter, black to block.
274
+ * Cleaned up / reorganized tests.
275
+ * Moved ActiveRecord additions to ORM Adapters name space to make way for Data Mapper.
276
+ * Reorganized and modified acts_as_authentic to be free standing and not get info from the related session.
277
+ * The session now gets its configuration from the model, since determining which fields are present is ORM specific.
278
+ * Extracted session and cookie logic into their own modules for Session.
279
+ * Moved crypto providers into their own module and added a Sha1 provider to help with the restful_authentication transition.
280
+ * Allow the unique_token method to use the alternate crypto_provider if it is a hash algorithm, otherwise default to Sha512.
281
+ * Added last_request_at_threshold configuration option.
282
+ * Changed Scoped class to AuthenticatesManyAssociation, like AR has HasManyAssociation, etc.
283
+ * Added should_be_authentic shoulda macro.
284
+ * Removed some magic from how sessions are initialized. See the initialize documentation, this method is a little more structured now, which was required for adding in openid.
285
+ * Added in logging via a params token, which is friendly for feed URLs. Works just like cookies and sessions when persisting the session.
286
+ * Added the option to use session.user, instead of session.record. This is based off of what model your session is authenticating with.
287
+
288
+ == 1.0.0 released 2008-11-05
289
+
290
+ * Checked for blank login counts, if a default wasnt set in the migrations.
291
+ * Added check for database table in acts_as_authentic to avoid errors in initial setup.
292
+ * Completely rewrote tests to be more conventional and thorough tests, removed test_app.
293
+ * Modified how validations work so that a validate method was added as well as callbacks for that method.
294
+ * Extracted scope support into its own module to help organize code better.
295
+ * Added in salt for encryption, just like hashes and removed :crypto_provider_type option for acts_as_authentic.
296
+ * Added merb adapters.
297
+ * Improved documentation throughout.
298
+
299
+ == 0.10.4 released 2008-10-31
300
+
301
+ * Changed configuration to use inheritable attributes
302
+ * Cleaned up requires to be in their proper files
303
+ * Added in scope support.
304
+
305
+ == 0.10.3 released 2008-10-31
306
+
307
+ * Instead of raising an error when extra fields are passed in credentials=, just ignore them.
308
+ * Added remember_me config option to set the default value.
309
+ * Only call credential methods if an argument was passed.
310
+ * More unit tests
311
+ * Hardened automatic session updating. Also automatically log the user in if they change their password when logged out.
312
+
313
+ == 0.10.2 released 2008-10-24
314
+
315
+ * Added in stretches to the default Sha512 encryption algorithm.
316
+ * Use column_names instead of columns when determining if a column is present.
317
+ * Improved validation callbacks. after_validation should only be run if valid? = true. Also clear errors before the "before_validation" callback.
318
+
319
+ == 0.10.1 released 2008-10-24
320
+
321
+ * Sessions now store the "remember token" instead of the id. This is much safer and guarantees all "sessions" that are logged in are logged in with a valid password. This way stale sessions can't be persisted.
322
+ * Bumped security to Sha512 from Sha256.
323
+ * Remove attr_protected call in acts_as_authentic
324
+ * protected_password should use pasword_field configuration value
325
+ * changed magic state "inactive" to "active"
326
+
327
+ == 0.10.0 released 2008-10-24
328
+
329
+ * Do not allow instantiation if the session has not been activated with a controller object. Just like ActiveRecord won't let you do anything without a DB connection.
330
+ * Abstracted controller implementation to allow for rails, merb, etc adapters. So this is not confined to the rails framework.
331
+ * Removed create and update methods and added save, like ActiveRecord.
332
+ * after_validation should be able to change the result if it adds errors on callbacks.
333
+ * Completed tests.
334
+
335
+ == 0.9.1 released 2008-10-24
336
+
337
+ * Changed scope to id. Makes more sense to call it an id and fits better with the ActiveRecord model.
338
+ * Removed saving_from_session flag, apparently it is not needed.
339
+ * Fixed updating sessions to make more sense and be stricter.
340
+ * change last_click_at to last_request_at
341
+ * Only run "after" callbacks if the result is successful.
342
+
343
+ == 0.9.0 released 2008-10-24
344
+
345
+ * Initial release.
data/LICENSE ADDED
@@ -0,0 +1,20 @@
1
+ Copyright (c) 2009 Ben Johnson of Binary Logic
2
+
3
+ Permission is hereby granted, free of charge, to any person obtaining
4
+ a copy of this software and associated documentation files (the
5
+ "Software"), to deal in the Software without restriction, including
6
+ without limitation the rights to use, copy, modify, merge, publish,
7
+ distribute, sublicense, and/or sell copies of the Software, and to
8
+ permit persons to whom the Software is furnished to do so, subject to
9
+ the following conditions:
10
+
11
+ The above copyright notice and this permission notice shall be
12
+ included in all copies or substantial portions of the Software.
13
+
14
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
15
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
17
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
18
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
19
+ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
20
+ WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
data/README.rdoc ADDED
@@ -0,0 +1,246 @@
1
+ = Authlogic
2
+
3
+ Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
4
+
5
+ A code example can replace a thousand words...
6
+
7
+ Authlogic introduces a new type of model. You can have as many as you want, and name them whatever you want, just like your other models. In this example, we want to authenticate with the User model, which is inferred by the name:
8
+
9
+ class UserSession < Authlogic::Session::Base
10
+ # specify configuration here, such as:
11
+ # logout_on_timeout true
12
+ # ...many more options in the documentation
13
+ end
14
+
15
+ Log in with any of the following. Create a UserSessionsController and use it just like your other models:
16
+
17
+ UserSession.create(:login => "bjohnson", :password => "my password", :remember_me => true)
18
+ session = UserSession.new(:login => "bjohnson", :password => "my password", :remember_me => true); session.save
19
+ UserSession.create(:openid_identifier => "identifier", :remember_me => true) # requires the authlogic-oid "add on" gem
20
+ UserSession.create(my_user_object, true) # skip authentication and log the user in directly, the true means "remember me"
21
+
22
+ The above handles the entire authentication process for you. It first authenticates, then it sets up the proper session values and cookies to persist the session. Just like you would if you rolled your own authentication solution.
23
+
24
+ You can also log out / destroy the session:
25
+
26
+ session.destroy
27
+
28
+ After a session has been created, you can persist it across requests. Thus keeping the user logged in:
29
+
30
+ session = UserSession.find
31
+
32
+ To get all of the nice authentication functionality in your model just do this:
33
+
34
+ class User < ActiveRecord::Base
35
+ acts_as_authentic do |c|
36
+ c.my_config_option = my_value
37
+ end # the configuration block is optional
38
+ end
39
+
40
+ This handles validations, etc. It is also "smart" in the sense that it if a login field is present it will use that to authenticate, if not it will look for an email field, etc. This is all configurable, but for 99% of cases that above is all you will need to do.
41
+
42
+ Also, sessions are automatically maintained. You can switch this on and off with configuration, but the following will automatically log a user in after a successful registration:
43
+
44
+ User.create(params[:user])
45
+
46
+ This also updates the session when the user changes his/her password.
47
+
48
+ Authlogic is very flexible, it has a strong public API and a plethora of hooks to allow you to modify behavior and extend it. Check out the helpful links below to dig deeper.
49
+
50
+ == Helpful links
51
+
52
+ * <b>Documentation:</b> http://rdoc.info/projects/binarylogic/authlogic
53
+ * <b>Repository:</b> http://github.com/binarylogic/authlogic/tree/master
54
+ * <b>Railscasts Screencast:</b> http://railscasts.com/episodes/160-authlogic
55
+ * <b>Live example with OpenID "add on":</b> http://authlogicexample.binarylogic.com
56
+ * <b>Live example repository with tutorial in README:</b> http://github.com/binarylogic/authlogic_example/tree/master
57
+ * <b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
58
+ * <b>Issues:</b> http://github.com/binarylogic/authlogic/issues
59
+ * <b>Google group:</b> http://groups.google.com/group/authlogic
60
+
61
+ <b>Before contacting me directly, please read:</b>
62
+
63
+ If you find a bug or a problem please post it in the issues section. If you need help with something, please use google groups. I check both regularly and get emails when anything happens, so that is the best place to get help. This also benefits other people in the future with the same questions / problems. Thank you.
64
+
65
+ == Authlogic "add ons"
66
+
67
+ * <b>Authlogic OpenID addon:</b> http://github.com/binarylogic/authlogic_openid
68
+ * <b>Authlogic LDAP addon:</b> http://github.com/binarylogic/authlogic_ldap
69
+ * <b>Authlogic Facebook Connect:</b> http://github.com/kalasjocke/authlogic_facebook_connect
70
+ * <b>Authlogic OAuth (Twitter):</b> http://github.com/jrallison/authlogic_oauth
71
+ * <b>Authlogic PAM:</b> http://github.com/nbudin/authlogic_pam
72
+
73
+ If you create one of your own, please let me know about it so I can add it to this list. Or just fork the project, add your link, and send me a pull request.
74
+
75
+ == Session bugs (please read if you are having issues with logging in / out)
76
+
77
+ Apparently there is a bug with apache / passenger for v2.1.X with sessions not working properly. This is most likely your problem if you are having trouble logging in / out. This is *not* an Authlogic issue. This can be solved by updating passener or using an alternative session store solution, such as active record store.
78
+
79
+ == Documentation explanation
80
+
81
+ You can find anything you want about Authlogic in the {documentation}[http://rdoc.info/projects/binarylogic/authlogic], all that you need to do is understand the basic design behind it.
82
+
83
+ That being said, there are 2 models involved during authentication. Your Authlogic model and your ActiveRecord model:
84
+
85
+ 1. <b>Authlogic::Session</b>, your session models that extend Authlogic::Session::Base.
86
+ 2. <b>Authlogic::ActsAsAuthentic</b>, which adds in functionality to your ActiveRecord model when you call acts_as_authentic.
87
+
88
+ Each of the above has its various sub modules that contain common logic. The sub modules are responsible for including *everything* related to it: configuration, class methods, instance methods, etc.
89
+
90
+ For example, if you want to timeout users after a certain period of inactivity, you would look in <b>Authlogic::Session::Timeout</b>. To help you out, I listed the following publicly relevant modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the {documentation}[http://rdoc.info/projects/binarylogic/authlogic].
91
+
92
+ === Authlogic::ActsAsAuthentic sub modules
93
+
94
+ These modules are for the ActiveRecord side of things, the models that call acts_as_authentic.
95
+
96
+ * <b>Authlogic::ActsAsAuthentic::Base</b> - Provides the acts_as_authentic class method and includes all of the submodules.
97
+ * <b>Authlogic::ActsAsAuthentic::Email</b> - Handles everything related to the email field.
98
+ * <b>Authlogic::ActsAsAuthentic::LoggedInStatus</b> - Provides handy named scopes and methods for determining if the user is logged in or out.
99
+ * <b>Authlogic::ActsAsAuthentic::Login</b> - Handles everything related to the login field.
100
+ * <b>Authlogic::ActsAsAuthentic::MagicColumns</b> - Handles everything related to the "magic" fields: login_count, failed_login_count, last_request_at, etc.
101
+ * <b>Authlogic::ActsAsAuthentic::Password</b> - This one is important. It handles encrypting your password, salting it, etc. It also has support for transitioning password algorithms.
102
+ * <b>Authlogic::ActsAsAuthentic::PerishableToken</b> - Handles maintaining the perishable token field, also provides a class level method for finding record using the token.
103
+ * <b>Authlogic::ActsAsAuthentic::PersistenceToken</b> - Handles maintaining the persistence token. This is the token stored in cookies and sessions to persist the users session.
104
+ * <b>Authlogic::ActsAsAuthentic::RestfulAuthentication</b> - Provides configuration options to easily migrate from the restful_authentication plugin.
105
+ * <b>Authlogic::ActsAsAuthentic::SessionMaintenance</b> - Handles automatic session maintenance. EX: a new user registers, automatically log them in. Or a user changes their password, update their session.
106
+ * <b>Authlogic::ActsAsAuthentic::SingleAccessToken</b> - Handles maintaining the single access token.
107
+ * <b>Authlogic::ActsAsAuthentic::ValidationsScope</b> - Allows you to scope all validations, etc. Just like the :scope option for validates_uniqueness_of
108
+
109
+ === Authlogic::Session sub modules
110
+
111
+ These modules are for the models that extend Authlogic::Session::Base.
112
+
113
+ * <b>Authlogic::Session::BruteForceProtection</b> - Disables accounts after a certain number of consecutive failed logins attempted.
114
+ * <b>Authlogic::Session::Callbacks</b> - Your tools to extend, change, or add onto Authlogic. Lets you hook in and do just about anything you want. Start here if you want to write a plugin or add-on for Authlogic
115
+ * <b>Authlogic::Session::Cookies</b> - Authentication via cookies.
116
+ * <b>Authlogic::Session::Existence</b> - Creating, saving, and destroying objects.
117
+ * <b>Authlogic::Session::HttpAuth</b> - Authentication via basic HTTP authentication.
118
+ * <b>Authlogic::Session::Id</b> - Allows sessions to be separated by an id, letting you have multiple sessions for a single user.
119
+ * <b>Authlogic::Session::MagicColumns</b> - Maintains "magic" database columns, similar to created_at and updated_at for ActiveRecord.
120
+ * <b>Authlogic::Session::MagicStates</b> - Automatically validates based on the records states: active?, approved?, and confirmed?. If those methods exist for the record.
121
+ * <b>Authlogic::Session::Params</b> - Authentication via params, aka single access token.
122
+ * <b>Authlogic::Session::Password</b> - Authentication via a traditional username and password.
123
+ * <b>Authlogic::Session::Persistence</b> - Persisting sessions / finding sessions.
124
+ * <b>Authlogic::Session::Session</b> - Authentication via the session, the controller session that is.
125
+ * <b>Authlogic::Session::Timeout</b> - Automatically logging out after a certain period of inactivity.
126
+ * <b>Authlogic::Session::UnauthorizedRecord</b> - Handles authentication by passing an ActiveRecord object directly.
127
+ * <b>Authlogic::Session::Validation</b> - Validation / errors.
128
+
129
+ === Miscellaneous modules
130
+
131
+ Miscellaneous modules that shared across the authentication process and are more "utility" modules and classes.
132
+
133
+ * <b>Authlogic::AuthenticatesMany</b> - Responsible for allowing you to scope sessions to a parent record. Similar to a has_many and belongs_to relationship. This lets you do the same thing with sessions.
134
+ * <b>Authlogic::CryptoProviders</b> - Contains various encryption algorithms that Authlogic uses, allowing you to choose your encryption method.
135
+ * <b>Authlogic::I18n</b> - Acts JUST LIKE the rails I18n library, and provides internationalization to Authlogic.
136
+ * <b>Authlogic::Random</b> - A simple class to generate random tokens.
137
+ * <b>Authlogic::Regex</b> - Contains regular expressions used in Authlogic. Such as those to validate the format of the log or email.
138
+ * <b>Authlogic::TestCase</b> - Various helper methods for testing frameworks to help you test your code.
139
+ * <b>Authlogic::Version</b> - A handy class for determine the version of Authlogic in a number of ways.
140
+
141
+ == Quick Rails example
142
+
143
+ What if creating sessions worked like an ORM library on the surface...
144
+
145
+ UserSession.create(params[:user_session])
146
+
147
+ What if your user sessions controller could look just like your other controllers...
148
+
149
+ class UserSessionsController < ApplicationController
150
+ def new
151
+ @user_session = UserSession.new
152
+ end
153
+
154
+ def create
155
+ @user_session = UserSession.new(params[:user_session])
156
+ if @user_session.save
157
+ redirect_to account_url
158
+ else
159
+ render :action => :new
160
+ end
161
+ end
162
+
163
+ def destroy
164
+ current_user_session.destroy
165
+ redirect_to new_user_session_url
166
+ end
167
+ end
168
+
169
+ As you can see, this fits nicely into the RESTful development pattern. What about the view...
170
+
171
+ <% form_for @user_session do |f| %>
172
+ <%= f.error_messages %>
173
+ <%= f.label :login %><br />
174
+ <%= f.text_field :login %><br />
175
+ <br />
176
+ <%= f.label :password %><br />
177
+ <%= f.password_field :password %><br />
178
+ <br />
179
+ <%= f.submit "Login" %>
180
+ <% end %>
181
+
182
+ Or how about persisting the session...
183
+
184
+ class ApplicationController
185
+ helper_method :current_user_session, :current_user
186
+
187
+ private
188
+ def current_user_session
189
+ return @current_user_session if defined?(@current_user_session)
190
+ @current_user_session = UserSession.find
191
+ end
192
+
193
+ def current_user
194
+ return @current_user if defined?(@current_user)
195
+ @current_user = current_user_session && current_user_session.user
196
+ end
197
+ end
198
+
199
+ == Install & Use
200
+
201
+ Install the gem / plugin (recommended)
202
+
203
+ From rubyforge:
204
+
205
+ $ sudo gem install authlogic
206
+
207
+ Or from github:
208
+
209
+ $ sudo gem install binarylogic-authlogic
210
+
211
+ Now just add the gem dependency in your projects configuration.
212
+
213
+ Or you can install this as a plugin:
214
+
215
+ script/plugin install git://github.com/binarylogic/authlogic.git
216
+
217
+ == Detailed Setup Tutorial
218
+
219
+ See the {authlogic example}[http://github.com/binarylogic/authlogic_example/tree/master] for a detailed setup tutorial. I did this because not only do you have a tutorial to go by, but you have an example app that uses the same tutorial, so you can play around with with the code. If you have problems you can compare the code to see what you are doing differently.
220
+
221
+ == Testing
222
+
223
+ I think one of the best aspects of Authlogic is testing. For one, it cuts out <b>a lot</b> of redundant tests in your applications because Authlogic is already thoroughly tested for you. It doesn't include a bunch of tests into your application, because it comes tested, just like any other library.
224
+
225
+ For example, think about ActiveRecord. You don't test the internals of ActiveRecord, because the creators of ActiveRecord have already tested the internals for you. It wouldn't make sense for ActiveRecord to copy it's hundreds of tests into your applications. The same concept applies to Authlogic. You only need to test code you write that is specific to your application, just like everything else in your application.
226
+
227
+ That being said, testing your code that uses Authlogic is easy. Since everyone uses different testing suites, I created a helpful module called Authlogic::TestCase, which is basically a set of tools for testing code using Authlogic. I explain testing Authlogic thoroughly in the {Authlogic::TestCase section of the documentation}[http://rdoc.info/rdoc/binarylogic/authlogic/blob/f2f6988d3b97e11770b00b72a7a9733df69ffa5b/Authlogic/TestCase.html]. It should answer any questions you have in regards to testing Authlogic.
228
+
229
+ == Tell me quickly how Authlogic works
230
+
231
+ Interested in how all of this all works? Think about an ActiveRecord model. A database connection must be established before you can use it. In the case of Authlogic, a controller connection must be established before you can use it. It uses that controller connection to modify cookies, the current session, login with HTTP basic, etc. It connects to the controller through a before filter that is automatically set in your controller which lets Authlogic know about the current controller object. Then Authlogic leverages that to do everything, it's a pretty simple design. Nothing crazy going on, Authlogic is just leveraging the tools your framework provides in the controller object.
232
+
233
+ == What sets Authlogic apart and why I created it
234
+
235
+ What inspired me to create Authlogic was the messiness of the current authentication solutions. Put simply, they just didn't feel right, because the logic was not organized properly. As you may know, a common misconception with the MVC design pattern is that the model "M" is only for data access logic, which is wrong. A model is a place for domain logic. This is why the RESTful design pattern and the current authentication solutions don't play nice. Authlogic solves this by placing the session maintenance logic into its own domain (aka "model"). Moving session maintenance into its own domain has its benefits:
236
+
237
+ 1. <b>It's cleaner.</b> There are no generators in Authlogic. Authlogic provides a class that you can use, it's plain and simple ruby. More importantly, the code in your app is code you write, written the way you want, nice and clean. It's code that should be in your app and is specific to your app, not a redundant authentication pattern.
238
+ 2. <b>Easier to stay up-to-date.</b> To make my point, take a look at the commits to any other authentication solution, then look at the {commits for authlogic}[http://github.com/binarylogic/authlogic/commits/master]. How many commits could you easily start using if you already had an app using that solution? With an alternate solution, very few, if any. All of those cool new features and bug fixes are going to have be manually added or wait for your next application. Which is the main reason a generator is not suitable as an authentication solution. With Authlogic you can start using the latest code with a simple update of a gem. No generators, no mess.
239
+ 3. <b>It ties everything together on the domain level.</b> Take a new user registration for example, no reason to manually log the user in, authlogic handles this for you via callbacks. The same applies to a user changing their password. Authlogic handles maintaining the session for you.
240
+ 4. <b>No redundant tests.</b> Because Authlogic doesn't use generators, #1 also applies to tests. Authlogic is *thoroughly* tested for you. You don't go and test the internals of ActiveRecord in each of your apps do you? So why do the same for Authlogic? Your application tests should be for application specific code. Get rid of the noise and make your tests focused and concise, no reason to copy tests from app to app.
241
+ 5. <b>Framework agnostic</b>. Authlogic can be used in *any* ruby framework you want: Rails, Merb, Sinatra, Mack, your own framework, whatever. It's not tied down to Rails. It does this by abstracting itself from these framework's controllers by using a controller adapter. Thanks to {Rack}[http://rack.rubyforge.org/], there is a defined standard for controller structure, and that's what Authlogic's abstract adapter follows. So if your controller follows the rack standards, you don't need to do anything. Any place it deviates from this is solved by a simple adapter for your framework that closes these gaps. For an example, checkout the Authlogic::ControllerAdapters::MerbAdapter.
242
+ 5. <b>You are not restricted to a single session.</b> Think about Apple's me.com, where they need you to authenticate a second time before changing your billing information. Why not just create a second session for this? It works just like your initial session. Then your billing controller can require an "ultra secure" session.
243
+ 6. <b>Easily extendable.</b> One of the distinct advantages of using a library is the ability to use its API, assuming it has one. Authlogic has an *excellent* public API, meaning it can easily be extended and grow beyond the core library. Checkout the "add ons" list above to see what I mean.
244
+
245
+
246
+ Copyright (c) 2009 {Ben Johnson of Binary Logic}[http://www.binarylogic.com], released under the MIT license