sorcery 0.13.0 → 0.16.1

data/lib/generators/sorcery/templates/migration/activity_logging.rb

@@ -1,10 +1,10 @@
 class SorceryActivityLogging < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :last_login_at,     :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_logout_at,    :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_activity_at,  :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :last_login_from_ip_address, :string, :default => nil
+    add_column :<%= tableized_model_class %>, :last_login_at,     :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :last_logout_at,    :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :last_activity_at,  :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :last_login_from_ip_address, :string, default: nil
 
-    add_index :<%= model_class_name.tableize %>, [:last_logout_at, :last_activity_at]
+    add_index :<%= tableized_model_class %>, [:last_logout_at, :last_activity_at]
   end
 end

data/lib/generators/sorcery/templates/migration/brute_force_protection.rb

@@ -1,9 +1,9 @@
 class SorceryBruteForceProtection < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :failed_logins_count, :integer, :default => 0
-    add_column :<%= model_class_name.tableize %>, :lock_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :unlock_token, :string, :default => nil
+    add_column :<%= tableized_model_class %>, :failed_logins_count, :integer, default: 0
+    add_column :<%= tableized_model_class %>, :lock_expires_at, :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :unlock_token, :string, default: nil
 
-    add_index :<%= model_class_name.tableize %>, :unlock_token
+    add_index :<%= tableized_model_class %>, :unlock_token
   end
 end

data/lib/generators/sorcery/templates/migration/core.rb

@@ -1,13 +1,13 @@
 class SorceryCore < <%= migration_class_name %>
   def change
-    create_table :<%= model_class_name.tableize %> do |t|
-      t.string :email,            :null => false
+    create_table :<%= tableized_model_class %> do |t|
+      t.string :email,            null: false
       t.string :crypted_password
       t.string :salt
 
-      t.timestamps                :null => false
+      t.timestamps                null: false
     end
 
-    add_index :<%= model_class_name.tableize %>, :email, unique: true
+    add_index :<%= tableized_model_class %>, :email, unique: true
   end
 end

data/lib/generators/sorcery/templates/migration/external.rb

@@ -1,10 +1,10 @@
 class SorceryExternal < <%= migration_class_name %>
   def change
     create_table :authentications do |t|
-      t.integer :<%= model_class_name.tableize.singularize %>_id, :null => false
-      t.string :provider, :uid, :null => false
+      t.integer :<%= tableized_model_class.singularize %>_id, null: false
+      t.string :provider, :uid, null: false
 
-      t.timestamps              :null => false
+      t.timestamps              null: false
     end
 
     add_index :authentications, [:provider, :uid]

data/lib/generators/sorcery/templates/migration/magic_login.rb

@@ -1,9 +1,9 @@
 class SorceryMagicLogin < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :magic_login_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :magic_login_token_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :magic_login_email_sent_at, :datetime, :default => nil
+    add_column :<%= tableized_model_class %>, :magic_login_token, :string, default: nil
+    add_column :<%= tableized_model_class %>, :magic_login_token_expires_at, :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :magic_login_email_sent_at, :datetime, default: nil
 
-    add_index :<%= model_class_name.tableize %>, :magic_login_token
+    add_index :<%= tableized_model_class %>, :magic_login_token
   end
 end

data/lib/generators/sorcery/templates/migration/remember_me.rb

@@ -1,8 +1,8 @@
 class SorceryRememberMe < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :remember_me_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :remember_me_token_expires_at, :datetime, :default => nil
+    add_column :<%= tableized_model_class %>, :remember_me_token, :string, default: nil
+    add_column :<%= tableized_model_class %>, :remember_me_token_expires_at, :datetime, default: nil
 
-    add_index :<%= model_class_name.tableize %>, :remember_me_token
+    add_index :<%= tableized_model_class %>, :remember_me_token
   end
 end

data/lib/generators/sorcery/templates/migration/reset_password.rb

@@ -1,10 +1,10 @@
 class SorceryResetPassword < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :reset_password_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :reset_password_token_expires_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :reset_password_email_sent_at, :datetime, :default => nil
-    add_column :<%= model_class_name.tableize %>, :access_count_to_reset_password_page, :integer, :default => 0
+    add_column :<%= tableized_model_class %>, :reset_password_token, :string, default: nil
+    add_column :<%= tableized_model_class %>, :reset_password_token_expires_at, :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :reset_password_email_sent_at, :datetime, default: nil
+    add_column :<%= tableized_model_class %>, :access_count_to_reset_password_page, :integer, default: 0
 
-    add_index :<%= model_class_name.tableize %>, :reset_password_token
+    add_index :<%= tableized_model_class %>, :reset_password_token
   end
 end

data/lib/generators/sorcery/templates/migration/user_activation.rb

@@ -1,9 +1,9 @@
 class SorceryUserActivation < <%= migration_class_name %>
   def change
-    add_column :<%= model_class_name.tableize %>, :activation_state, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :activation_token, :string, :default => nil
-    add_column :<%= model_class_name.tableize %>, :activation_token_expires_at, :datetime, :default => nil
+    add_column :<%= tableized_model_class %>, :activation_state, :string, default: nil
+    add_column :<%= tableized_model_class %>, :activation_token, :string, default: nil
+    add_column :<%= tableized_model_class %>, :activation_token_expires_at, :datetime, default: nil
 
-    add_index :<%= model_class_name.tableize %>, :activation_token
+    add_index :<%= tableized_model_class %>, :activation_token
   end
 end

data/lib/sorcery/adapters/active_record_adapter.rb

@@ -12,7 +12,7 @@ module Sorcery
 
       def save(options = {})
         mthd = options.delete(:raise_on_failure) ? :save! : :save
-        @model.send(mthd, options)
+        @model.send(mthd, **options)
       end
 
       def increment(field)
@@ -35,7 +35,7 @@ module Sorcery
         end
 
         def define_callback(time, event, method_name, options = {})
-          @klass.send "#{time}_#{event}", method_name, options.slice(:if, :on)
+          @klass.send "#{time}_#{event}", method_name, **options.slice(:if, :on)
         end
 
         def find_by_oauth_credentials(provider, uid)

data/lib/sorcery/controller.rb

@@ -25,7 +25,10 @@ module Sorcery
       def require_login
         return if logged_in?
 
-        session[:return_to_url] = request.url if Config.save_return_to_url && request.get? && !request.xhr?
+        if Config.save_return_to_url && request.get? && !request.xhr? && !request.format.json?
+          session[:return_to_url] = request.url
+        end
+
         send(Config.not_authenticated_action)
       end
 

data/lib/sorcery/controller/config.rb

@@ -25,12 +25,12 @@ module Sorcery
             :@user_class                           => nil,
             :@submodules                           => [],
             :@not_authenticated_action             => :not_authenticated,
-            :@login_sources                        => [],
-            :@after_login                          => [],
-            :@after_failed_login                   => [],
-            :@before_logout                        => [],
-            :@after_logout                         => [],
-            :@after_remember_me                    => [],
+            :@login_sources                        => Set.new,
+            :@after_login                          => Set.new,
+            :@after_failed_login                   => Set.new,
+            :@before_logout                        => Set.new,
+            :@after_logout                         => Set.new,
+            :@after_remember_me                    => Set.new,
             :@save_return_to_url                   => true,
             :@cookie_domain                        => nil
           }

data/lib/sorcery/controller/submodules/activity_logging.rb

@@ -30,9 +30,11 @@ module Sorcery
             end
             merge_activity_logging_defaults!
           end
-          Config.after_login    << :register_login_time_to_db
-          Config.after_login    << :register_last_ip_address
-          Config.before_logout  << :register_logout_time_to_db
+
+          Config.after_login << :register_login_time_to_db
+          Config.after_login << :register_last_ip_address
+          Config.before_logout << :register_logout_time_to_db
+
           base.after_action :register_last_activity_time_to_db
         end
 

data/lib/sorcery/controller/submodules/external.rb

@@ -25,6 +25,9 @@ module Sorcery
           require 'sorcery/providers/microsoft'
           require 'sorcery/providers/instagram'
           require 'sorcery/providers/auth0'
+          require 'sorcery/providers/line'
+          require 'sorcery/providers/discord'
+          require 'sorcery/providers/battlenet'
 
           Config.module_eval do
             class << self
@@ -37,7 +40,7 @@ module Sorcery
                 providers.each do |name|
                   class_eval <<-RUBY, __FILE__, __LINE__ + 1
                     def self.#{name}
-                      @#{name} ||= Sorcery::Providers.const_get('#{name}'.to_s.capitalize).new
+                      @#{name} ||= Sorcery::Providers.const_get('#{name}'.to_s.classify).new
                     end
                   RUBY
                 end

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -19,6 +19,7 @@ module Sorcery
             end
             merge_http_basic_auth_defaults!
           end
+
           Config.login_sources << :login_from_basic_auth
         end
 

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -17,6 +17,7 @@ module Sorcery
             end
             merge_remember_me_defaults!
           end
+
           Config.login_sources << :login_from_cookie
           Config.before_logout << :forget_me!
         end
@@ -54,7 +55,7 @@ module Sorcery
           # and logs the user in if found.
           # Runs as a login source. See 'current_user' method for how it is used.
           def login_from_cookie
-            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token])
+            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token]) if defined? cookies
             if user && user.has_remember_me_token?
               set_remember_me_cookie!(user)
               session[:user_id] = user.id.to_s

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -23,8 +23,10 @@ module Sorcery
             end
             merge_session_timeout_defaults!
           end
+
           Config.after_login << :register_login_time
           Config.after_remember_me << :register_login_time
+
           base.prepend_before_action :validate_session
         end
 

data/lib/sorcery/crypto_providers/aes256.rb

@@ -29,7 +29,7 @@ module Sorcery
 
         def matches?(crypted, *tokens)
           decrypt(crypted) == tokens.join
-        rescue OpenSSL::CipherError
+        rescue OpenSSL::Cipher::CipherError
           false
         end
 

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -40,6 +40,10 @@ module Sorcery
     # You are good to go!
     class BCrypt
       class << self
+        # Setting the option :pepper allows users to append an app-specific secret token.
+        # Basically it's equivalent to :salt_join_token option, but have a different name to ensure
+        # backward compatibility in generating/matching passwords.
+        attr_accessor :pepper
         # This is the :cost option for the BCrpyt library.
         # The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
         # Set this to whatever you want, play around with it to get that perfect balance between
@@ -77,12 +81,13 @@ module Sorcery
 
         def reset!
           @cost = 10
+          @pepper = ''
         end
 
         private
 
         def join_tokens(tokens)
-          tokens.flatten.join
+          tokens.flatten.join.concat(pepper.to_s) # make sure to add pepper in case tokens have only one element
         end
 
         def new_from_hash(hash)

data/lib/sorcery/engine.rb

@@ -7,12 +7,18 @@ module Sorcery
   class Engine < Rails::Engine
     config.sorcery = ::Sorcery::Controller::Config
 
+    # TODO: Should this include a modified version of the helper methods?
     initializer 'extend Controller with sorcery' do
-      # TODO: Should this include a modified version of the helper methods?
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_api) do
       if defined?(ActionController::API)
         ActionController::API.send(:include, Sorcery::Controller)
       end
 
+      # FIXME: on_load is needed to fix Rails 6 deprecations, but it breaks
+      #        applications due to undefined method errors.
+      # ActiveSupport.on_load(:action_controller_base) do
       if defined?(ActionController::Base)
         ActionController::Base.send(:include, Sorcery::Controller)
         ActionController::Base.helper_method :current_user

data/lib/sorcery/model.rb

@@ -102,10 +102,6 @@ module Sorcery
 
         set_encryption_attributes
 
-        unless user.valid_password?(credentials[1])
-          return authentication_response(user: user, failure: :invalid_password, &block)
-        end
-
         if user.respond_to?(:active_for_authentication?) && !user.active_for_authentication?
           return authentication_response(user: user, failure: :inactive, &block)
         end
@@ -118,6 +114,10 @@ module Sorcery
           end
         end
 
+        unless user.valid_password?(credentials[1])
+          return authentication_response(user: user, failure: :invalid_password, &block)
+        end
+
         authentication_response(user: user, return_value: user, &block)
       end
 
@@ -142,6 +142,7 @@ module Sorcery
       def set_encryption_attributes
         @sorcery_config.encryption_provider.stretches = @sorcery_config.stretches if @sorcery_config.encryption_provider.respond_to?(:stretches) && @sorcery_config.stretches
         @sorcery_config.encryption_provider.join_token = @sorcery_config.salt_join_token if @sorcery_config.encryption_provider.respond_to?(:join_token) && @sorcery_config.salt_join_token
+        @sorcery_config.encryption_provider.pepper = @sorcery_config.pepper if @sorcery_config.encryption_provider.respond_to?(:pepper) && @sorcery_config.pepper
       end
 
       def add_config_inheritance
@@ -205,7 +206,7 @@ module Sorcery
       def generic_send_email(method, mailer)
         config = sorcery_config
         mail = config.send(mailer).send(config.send(method), self)
-        return unless defined?(ActionMailer) && config.send(mailer).is_a?(Class) && config.send(mailer) < ActionMailer::Base
+        return unless mail.respond_to?(config.email_delivery_method)
 
         mail.send(config.email_delivery_method)
       end

data/lib/sorcery/model/config.rb

@@ -12,7 +12,11 @@ module Sorcery
       attr_accessor :downcase_username_before_authenticating
       # change default crypted_password attribute.
       attr_accessor :crypted_password_attribute_name
+      # application-specific secret token that is joined with the password and its salt.
+      # Currently available with BCrypt (default crypt provider) only.
+      attr_accessor :pepper
       # what pattern to use to join the password with the salt
+      # APPLICABLE TO MD5, SHA1, SHA256, SHA512. Other crypt providers (incl. BCrypt) ignore this parameter.
       attr_accessor :salt_join_token
       # change default salt attribute.
       attr_accessor :salt_attribute_name
@@ -57,6 +61,7 @@ module Sorcery
           :@encryption_provider                  => CryptoProviders::BCrypt,
           :@custom_encryption_provider           => nil,
           :@encryption_key                       => nil,
+          :@pepper                               => '',
           :@salt_join_token                      => '',
           :@salt_attribute_name                  => :salt,
           :@stretches                            => nil,

data/lib/sorcery/model/submodules/magic_login.rb

@@ -52,10 +52,13 @@ module Sorcery
         module ClassMethods
           # Find user by token, also checks for expiration.
           # Returns the user if token found and is valid.
-          def load_from_magic_login_token(token)
-            token_attr_name = @sorcery_config.magic_login_token_attribute_name
-            token_expiration_date_attr = @sorcery_config.magic_login_token_expires_at_attribute_name
-            load_from_token(token, token_attr_name, token_expiration_date_attr)
+          def load_from_magic_login_token(token, &block)
+            load_from_token(
+              token,
+              @sorcery_config.magic_login_token_attribute_name,
+              @sorcery_config.magic_login_token_expires_at_attribute_name,
+              &block
+            )
           end
 
           protected

data/lib/sorcery/model/submodules/reset_password.rb

@@ -124,10 +124,14 @@ module Sorcery
           end
 
           # Clears token and tries to update the new password for the user.
-          def change_password!(new_password)
+          def change_password(new_password, raise_on_failure: false)
             clear_reset_password_token
             send(:"#{sorcery_config.password_attribute_name}=", new_password)
-            sorcery_adapter.save raise_on_failure: true
+            sorcery_adapter.save raise_on_failure: raise_on_failure
+          end
+
+          def change_password!(new_password)
+            change_password(new_password, raise_on_failure: true)
           end
 
           protected

data/lib/sorcery/providers/battlenet.rb

@@ -0,0 +1,51 @@
+module Sorcery
+  module Providers
+    # This class adds support for OAuth with BattleNet
+
+    class Battlenet < Base
+      include Protocols::Oauth2
+
+      attr_accessor :auth_path, :scope, :token_url, :user_info_path
+
+      def initialize
+        super
+
+        @scope          = 'openid'
+        @site           = 'https://eu.battle.net/'
+        @auth_path      = '/oauth/authorize'
+        @token_url      = '/oauth/token'
+        @user_info_path = '/oauth/userinfo'
+        @state          = SecureRandom.hex(16)
+      end
+
+      def get_user_hash(access_token)
+        response = access_token.get(user_info_path)
+        body = JSON.parse(response.body)
+        auth_hash(access_token).tap do |h|
+          h[:user_info] = body
+          h[:battletag] = body['battletag']
+          h[:uid] = body['id']
+        end
+      end
+
+      # calculates and returns the url to which the user should be redirected,
+      # to get authenticated at the external provider's site.
+      def login_url(_params, _session)
+        authorize_url(authorize_url: auth_path)
+      end
+
+      # tries to login the user from access token
+      def process_callback(params, _session)
+        args = { code: params[:code] }
+        get_access_token(
+          args,
+          token_url: token_url,
+          client_id: @key,
+          client_secret: @secret,
+          grant_type: 'authorization_code',
+          token_method: :post
+        )
+      end
+    end
+  end
+end