sorcery 0.11.0 → 0.15.1

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -19,7 +19,10 @@ module Sorcery
             end
             merge_http_basic_auth_defaults!
           end
-          Config.login_sources << :login_from_basic_auth
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.login_sources.include?(:login_from_basic_auth)
+            Config.login_sources << :login_from_basic_auth
+          end
         end
 
         module InstanceMethods
@@ -57,6 +60,7 @@ module Sorcery
               while current_controller != ActionController::Base
                 result = Config.controller_to_realm_map[current_controller.controller_name]
                 return result if result
+
                 current_controller = current_controller.superclass
               end
               nil

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -17,9 +17,13 @@ module Sorcery
             end
             merge_remember_me_defaults!
           end
-          Config.login_sources << :login_from_cookie
-          Config.after_login << :remember_me_if_asked_to
-          Config.before_logout << :forget_me!
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.login_sources.include?(:login_from_cookie)
+            Config.login_sources << :login_from_cookie
+          end
+          unless Config.before_logout.include?(:forget_me!)
+            Config.before_logout << :forget_me!
+          end
         end
 
         module InstanceMethods
@@ -51,20 +55,15 @@ module Sorcery
 
           protected
 
-          # calls remember_me! if a third credential was passed to the login method.
-          # Runs as a hook after login.
-          def remember_me_if_asked_to(_user, credentials)
-            remember_me! if credentials.size == 3 && credentials[2] && credentials[2] != '0'
-          end
-
           # Checks the cookie for a remember me token, tried to find a user with that token
           # and logs the user in if found.
           # Runs as a login source. See 'current_user' method for how it is used.
           def login_from_cookie
-            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token])
+            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token]) if defined? cookies
             if user && user.has_remember_me_token?
               set_remember_me_cookie!(user)
               session[:user_id] = user.id.to_s
+              after_remember_me!(user)
               @current_user = user
             else
               @current_user = false

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -12,24 +12,41 @@ module Sorcery
               attr_accessor :session_timeout
               # use the last action as the beginning of session timeout.
               attr_accessor :session_timeout_from_last_action
+              # allow users to invalidate active sessions
+              attr_accessor :session_timeout_invalidate_active_sessions_enabled
 
               def merge_session_timeout_defaults!
-                @defaults.merge!(:@session_timeout                      => 3600, # 1.hour
-                                 :@session_timeout_from_last_action     => false)
+                @defaults.merge!(:@session_timeout                                    => 3600, # 1.hour
+                                 :@session_timeout_from_last_action                   => false,
+                                 :@session_timeout_invalidate_active_sessions_enabled => false)
               end
             end
             merge_session_timeout_defaults!
           end
-          Config.after_login << :register_login_time
+          # FIXME: There is likely a more elegant way to safeguard these callbacks.
+          unless Config.after_login.include?(:register_login_time)
+            Config.after_login << :register_login_time
+          end
+          unless Config.after_remember_me.include?(:register_login_time)
+            Config.after_remember_me << :register_login_time
+          end
           base.prepend_before_action :validate_session
         end
 
         module InstanceMethods
+          def invalidate_active_sessions!
+            return unless Config.session_timeout_invalidate_active_sessions_enabled
+            return unless current_user.present?
+
+            current_user.send(:invalidate_sessions_before=, Time.now.in_time_zone)
+            current_user.save
+          end
+
           protected
 
           # Registers last login to be used as the timeout starting point.
           # Runs as a hook after a successful login.
-          def register_login_time(_user, _credentials)
+          def register_login_time(_user, _credentials = nil)
             session[:login_time] = session[:last_action_time] = Time.now.in_time_zone
           end
 
@@ -37,9 +54,9 @@ module Sorcery
           # To be used as a before_action, before require_login
           def validate_session
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
-            if session_to_use && sorcery_session_expired?(session_to_use.to_time)
+            if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
               reset_sorcery_session
-              @current_user = nil
+              remove_instance_variable :@current_user if defined? @current_user
             else
               session[:last_action_time] = Time.now.in_time_zone
             end
@@ -48,6 +65,15 @@ module Sorcery
           def sorcery_session_expired?(time)
             Time.now.in_time_zone - time > Config.session_timeout
           end
+
+          # Use login time if present, otherwise use last action time.
+          def sorcery_session_invalidated?
+            return false unless Config.session_timeout_invalidate_active_sessions_enabled
+            return false unless current_user.present? && current_user.try(:invalidate_sessions_before).present?
+
+            time = session[:login_time] || session[:last_action_time] || Time.now.in_time_zone
+            time < current_user.invalidate_sessions_before
+          end
         end
       end
     end

data/lib/sorcery/crypto_providers/aes256.rb

@@ -29,7 +29,7 @@ module Sorcery
 
         def matches?(crypted, *tokens)
           decrypt(crypted) == tokens.join
-        rescue OpenSSL::CipherError
+        rescue OpenSSL::Cipher::CipherError
           false
         end
 
@@ -43,6 +43,7 @@ module Sorcery
 
         def aes
           raise ArgumentError, "#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it." if @key.nil? || @key == ''
+
           @aes ||= OpenSSL::Cipher.new('AES-256-ECB')
         end
       end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -40,6 +40,10 @@ module Sorcery
     # You are good to go!
     class BCrypt
       class << self
+        # Setting the option :pepper allows users to append an app-specific secret token.
+        # Basically it's equivalent to :salt_join_token option, but have a different name to ensure
+        # backward compatibility in generating/matching passwords.
+        attr_accessor :pepper
         # This is the :cost option for the BCrpyt library.
         # The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
         # Set this to whatever you want, play around with it to get that perfect balance between
@@ -60,6 +64,7 @@ module Sorcery
         def matches?(hash, *tokens)
           hash = new_from_hash(hash)
           return false if hash.nil? || hash == {}
+
           hash == join_tokens(tokens)
         end
 
@@ -76,18 +81,19 @@ module Sorcery
 
         def reset!
           @cost = 10
+          @pepper = ''
         end
 
         private
 
         def join_tokens(tokens)
-          tokens.flatten.join
+          tokens.flatten.join.concat(pepper.to_s) # make sure to add pepper in case tokens have only one element
         end
 
         def new_from_hash(hash)
           ::BCrypt::Password.new(hash)
         rescue ::BCrypt::Errors::InvalidHash
-          return nil
+          nil
         end
       end
     end

data/lib/sorcery/engine.rb

@@ -7,10 +7,23 @@ module Sorcery
   class Engine < Rails::Engine
     config.sorcery = ::Sorcery::Controller::Config
 
+    # TODO: Should this include a modified version of the helper methods?
     initializer 'extend Controller with sorcery' do
-      ActionController::Base.send(:include, Sorcery::Controller)
-      ActionController::Base.helper_method :current_user
-      ActionController::Base.helper_method :logged_in?
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_api) do
+      if defined?(ActionController::API)
+        ActionController::API.send(:include, Sorcery::Controller)
+      end
+
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_base) do
+      if defined?(ActionController::Base)
+        ActionController::Base.send(:include, Sorcery::Controller)
+        ActionController::Base.helper_method :current_user
+        ActionController::Base.helper_method :logged_in?
+      end
     end
   end
 end

data/lib/sorcery/model.rb

@@ -47,12 +47,15 @@ module Sorcery
       class_eval do
         @sorcery_config.submodules = ::Sorcery::Controller::Config.submodules
         @sorcery_config.submodules.each do |mod|
+          # TODO: Is there a cleaner way to handle missing submodules?
+          # rubocop:disable Lint/HandleExceptions
           begin
             include Submodules.const_get(mod.to_s.split('_').map(&:capitalize).join)
           rescue NameError
             # don't stop on a missing submodule. Needed because some submodules are only defined
             # in the controller side.
           end
+          # rubocop:enable Lint/HandleExceptions
         end
       end
     end
@@ -99,10 +102,6 @@ module Sorcery
 
         set_encryption_attributes
 
-        unless user.valid_password?(credentials[1])
-          return authentication_response(user: user, failure: :invalid_password, &block)
-        end
-
         if user.respond_to?(:active_for_authentication?) && !user.active_for_authentication?
           return authentication_response(user: user, failure: :inactive, &block)
         end
@@ -115,6 +114,10 @@ module Sorcery
           end
         end
 
+        unless user.valid_password?(credentials[1])
+          return authentication_response(user: user, failure: :invalid_password, &block)
+        end
+
         authentication_response(user: user, return_value: user, &block)
       end
 
@@ -139,6 +142,7 @@ module Sorcery
       def set_encryption_attributes
         @sorcery_config.encryption_provider.stretches = @sorcery_config.stretches if @sorcery_config.encryption_provider.respond_to?(:stretches) && @sorcery_config.stretches
         @sorcery_config.encryption_provider.join_token = @sorcery_config.salt_join_token if @sorcery_config.encryption_provider.respond_to?(:join_token) && @sorcery_config.salt_join_token
+        @sorcery_config.encryption_provider.pepper = @sorcery_config.pepper if @sorcery_config.encryption_provider.respond_to?(:pepper) && @sorcery_config.pepper
       end
 
       def add_config_inheritance
@@ -192,9 +196,9 @@ module Sorcery
         config = sorcery_config
         send(:"#{config.password_attribute_name}=", nil)
 
-        if respond_to?(:"#{config.password_attribute_name}_confirmation=")
-          send(:"#{config.password_attribute_name}_confirmation=", nil)
-        end
+        return unless respond_to?(:"#{config.password_attribute_name}_confirmation=")
+
+        send(:"#{config.password_attribute_name}_confirmation=", nil)
       end
 
       # calls the requested email method on the configured mailer
@@ -202,9 +206,9 @@ module Sorcery
       def generic_send_email(method, mailer)
         config = sorcery_config
         mail = config.send(mailer).send(config.send(method), self)
-        if defined?(ActionMailer) && config.send(mailer).is_a?(Class) && config.send(mailer) < ActionMailer::Base
-          mail.send(config.email_delivery_method)
-        end
+        return unless mail.respond_to?(config.email_delivery_method)
+
+        mail.send(config.email_delivery_method)
       end
     end
   end

data/lib/sorcery/model/config.rb

@@ -4,8 +4,6 @@
 module Sorcery
   module Model
     class Config
-      # change default username attribute, for example, to use :email as the login.
-      attr_accessor :username_attribute_names
       # change *virtual* password attribute, the one which is used until an encrypted one is generated.
       attr_accessor :password_attribute_name
       # change default email attribute.
@@ -14,7 +12,11 @@ module Sorcery
       attr_accessor :downcase_username_before_authenticating
       # change default crypted_password attribute.
       attr_accessor :crypted_password_attribute_name
+      # application-specific secret token that is joined with the password and its salt.
+      # Currently available with BCrypt (default crypt provider) only.
+      attr_accessor :pepper
       # what pattern to use to join the password with the salt
+      # APPLICABLE TO MD5, SHA1, SHA256, SHA512. Other crypt providers (incl. BCrypt) ignore this parameter.
       attr_accessor :salt_join_token
       # change default salt attribute.
       attr_accessor :salt_attribute_name
@@ -35,7 +37,11 @@ module Sorcery
       attr_accessor :email_delivery_method
       # an array of method names to call after configuration by user. used internally.
       attr_accessor :after_config
+      # Set token randomness
+      attr_accessor :token_randomness
 
+      # change default username attribute, for example, to use :email as the login. See 'username_attribute_names=' below.
+      attr_reader :username_attribute_names
       # change default encryption_provider.
       attr_reader :encryption_provider
       # use an external encryption class.
@@ -55,13 +61,15 @@ module Sorcery
           :@encryption_provider                  => CryptoProviders::BCrypt,
           :@custom_encryption_provider           => nil,
           :@encryption_key                       => nil,
+          :@pepper                               => '',
           :@salt_join_token                      => '',
           :@salt_attribute_name                  => :salt,
           :@stretches                            => nil,
           :@subclasses_inherit_config            => false,
           :@before_authenticate                  => [],
           :@after_config                         => [],
-          :@email_delivery_method                => default_email_delivery_method
+          :@email_delivery_method                => default_email_delivery_method,
+          :@token_randomness                     => 15
         }
         reset!
       end
@@ -93,7 +101,7 @@ module Sorcery
                                when :bcrypt then CryptoProviders::BCrypt
                                when :custom then @custom_encryption_provider
                                else raise ArgumentError, "Encryption algorithm supplied, #{algo}, is invalid"
-        end
+                               end
       end
 
       private

data/lib/sorcery/model/submodules/brute_force_protection.rb

@@ -14,7 +14,6 @@ module Sorcery
                           :consecutive_login_retries_amount_limit,    # how many failed logins allowed.
                           :login_lock_time_period,                    # how long the user should be banned.
                           # in seconds. 0 for permanent.
-
                           :unlock_token_attribute_name,               # Unlock token attribute name
                           :unlock_token_email_method_name,            # Mailer method name
                           :unlock_token_mailer_disabled,              # When true, dont send unlock token via email
@@ -70,9 +69,9 @@ module Sorcery
 
             sorcery_adapter.increment(config.failed_logins_count_attribute_name)
 
-            if send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
-              login_lock!
-            end
+            return unless send(config.failed_logins_count_attribute_name) >= config.consecutive_login_retries_amount_limit
+
+            login_lock!
           end
 
           # /!\
@@ -98,9 +97,9 @@ module Sorcery
                            config.unlock_token_attribute_name => TemporaryToken.generate_random_token }
             sorcery_adapter.update_attributes(attributes)
 
-            unless config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
-              send_unlock_token_email!
-            end
+            return if config.unlock_token_mailer_disabled || config.unlock_token_mailer.nil?
+
+            send_unlock_token_email!
           end
 
           def login_unlocked?

data/lib/sorcery/model/submodules/external.rb

@@ -40,12 +40,13 @@ module Sorcery
           def load_from_provider(provider, uid)
             config = sorcery_config
             authentication = config.authentications_class.sorcery_adapter.find_by_oauth_credentials(provider, uid)
-            user = sorcery_adapter.find_by_id(authentication.send(config.authentications_user_id_attribute_name)) if authentication
+            # Return user if matching authentication found
+            sorcery_adapter.find_by_id(authentication.send(config.authentications_user_id_attribute_name)) if authentication
           end
 
           def create_and_validate_from_provider(provider, uid, attrs)
             user = new(attrs)
-            user.send(sorcery_config.authentications_class.to_s.downcase.pluralize).build(
+            user.send(sorcery_config.authentications_class.name.demodulize.underscore.pluralize).build(
               sorcery_config.provider_uid_attribute_name => uid,
               sorcery_config.provider_attribute_name => provider
             )
@@ -73,11 +74,26 @@ module Sorcery
             end
             user
           end
+
+          # NOTE: Should this build the authentication as well and return [user, auth]?
+          # Currently, users call this function for the user and call add_provider_to_user after saving
+          def build_from_provider(attrs)
+            user = new
+            attrs.each do |k, v|
+              user.send(:"#{k}=", v)
+            end
+
+            if block_given?
+              return false unless yield user
+            end
+
+            user
+          end
         end
 
         module InstanceMethods
           def add_provider_to_user(provider, uid)
-            authentications = sorcery_config.authentications_class.name.underscore.pluralize
+            authentications = sorcery_config.authentications_class.name.demodulize.underscore.pluralize
             # first check to see if user has a particular authentication already
             if sorcery_adapter.find_authentication_by_oauth_credentials(authentications, provider, uid).nil?
               user = send(authentications).build(sorcery_config.provider_uid_attribute_name => uid,

data/lib/sorcery/model/submodules/magic_login.rb

@@ -0,0 +1,130 @@
+module Sorcery
+  module Model
+    module Submodules
+      # This submodule adds the ability to login via email without password.
+      # When the user requests an email is sent to him with a url.
+      # The url includes a token, which is also saved with the user's record in the db.
+      # The token has configurable expiration.
+      # When the user clicks the url in the email, providing the token has not yet expired,
+      # he will be able to login.
+      #
+      # When using this submodule, supplying a mailer is mandatory.
+      module MagicLogin
+        def self.included(base)
+          base.sorcery_config.class_eval do
+            attr_accessor :magic_login_token_attribute_name, # magic login code attribute name.
+                          :magic_login_token_expires_at_attribute_name, # expires at attribute name.
+                          :magic_login_email_sent_at_attribute_name, # when was email sent, used for hammering
+                          # protection.
+                          :magic_login_mailer_class, # mailer class. Needed.
+                          :magic_login_mailer_disabled, # when true sorcery will not automatically
+                          # email magic login details and allow you to
+                          # manually handle how and when email is sent
+                          :magic_login_email_method_name, # magic login email method on your
+                          # mailer class.
+                          :magic_login_expiration_period, # how many seconds before the request
+                          # expires. nil for never expires.
+                          :magic_login_time_between_emails # hammering protection, how long to wait
+            # before allowing another email to be sent.
+          end
+
+          base.sorcery_config.instance_eval do
+            @defaults.merge!(:@magic_login_token_attribute_name => :magic_login_token,
+                             :@magic_login_token_expires_at_attribute_name => :magic_login_token_expires_at,
+                             :@magic_login_email_sent_at_attribute_name => :magic_login_email_sent_at,
+                             :@magic_login_mailer_class => nil,
+                             :@magic_login_mailer_disabled => true,
+                             :@magic_login_email_method_name => :magic_login_email,
+                             :@magic_login_expiration_period => 15 * 60,
+                             :@magic_login_time_between_emails => 5 * 60)
+
+            reset!
+          end
+
+          base.extend(ClassMethods)
+
+          base.sorcery_config.after_config << :validate_mailer_defined
+          base.sorcery_config.after_config << :define_magic_login_fields
+
+          base.send(:include, InstanceMethods)
+        end
+
+        module ClassMethods
+          # Find user by token, also checks for expiration.
+          # Returns the user if token found and is valid.
+          def load_from_magic_login_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.magic_login_token_attribute_name,
+              @sorcery_config.magic_login_token_expires_at_attribute_name,
+              &block
+            )
+          end
+
+          protected
+
+          # This submodule requires the developer to define his own mailer class to be used by it
+          # when magic_login_mailer_disabled is false
+          def validate_mailer_defined
+            msg = 'To use magic_login submodule, you must define a mailer (config.magic_login_mailer_class = YourMailerClass).'
+            raise ArgumentError, msg if @sorcery_config.magic_login_mailer_class.nil? && @sorcery_config.magic_login_mailer_disabled == false
+          end
+
+          def define_magic_login_fields
+            sorcery_adapter.define_field sorcery_config.magic_login_token_attribute_name, String
+            sorcery_adapter.define_field sorcery_config.magic_login_token_expires_at_attribute_name, Time
+            sorcery_adapter.define_field sorcery_config.magic_login_email_sent_at_attribute_name, Time
+          end
+        end
+
+        module InstanceMethods
+          # generates a reset code with expiration
+          def generate_magic_login_token!
+            config = sorcery_config
+            attributes = {
+              config.magic_login_token_attribute_name => TemporaryToken.generate_random_token,
+              config.magic_login_email_sent_at_attribute_name => Time.now.in_time_zone
+            }
+            attributes[config.magic_login_token_expires_at_attribute_name] = Time.now.in_time_zone + config.magic_login_expiration_period if config.magic_login_expiration_period
+
+            sorcery_adapter.update_attributes(attributes)
+          end
+
+          # generates a magic login code with expiration and sends an email to the user.
+          def deliver_magic_login_instructions!
+            mail = false
+            config = sorcery_config
+            # hammering protection
+            return false if !config.magic_login_time_between_emails.nil? &&
+                            send(config.magic_login_email_sent_at_attribute_name) &&
+                            send(config.magic_login_email_sent_at_attribute_name) > config.magic_login_time_between_emails.seconds.ago
+
+            self.class.sorcery_adapter.transaction do
+              generate_magic_login_token!
+              unless config.magic_login_mailer_disabled
+                send_magic_login_email!
+                mail = true
+              end
+            end
+            mail
+          end
+
+          # Clears the token.
+          def clear_magic_login_token!
+            config = sorcery_config
+            sorcery_adapter.update_attributes(
+              config.magic_login_token_attribute_name => nil,
+              config.magic_login_token_expires_at_attribute_name => nil
+            )
+          end
+
+          protected
+
+          def send_magic_login_email!
+            generic_send_email(:magic_login_email_method_name, :magic_login_mailer_class)
+          end
+        end
+      end
+    end
+  end
+end