sorcery 0.9.1 → 0.16.3

data/lib/sorcery/controller/submodules/http_basic_auth.rb

@@ -2,46 +2,46 @@ module Sorcery
   module Controller
     module Submodules
       # This submodule integrates HTTP Basic authentication into sorcery.
-      # You are provided with a before filter, require_login_from_http_basic, 
+      # You are provided with a before action, require_login_from_http_basic,
       # which requests the browser for authentication.
-      # Then the rest of the submodule takes care of logging the user in 
+      # Then the rest of the submodule takes care of logging the user in
       # into the session, so that the next requests will keep him logged in.
       module HttpBasicAuth
         def self.included(base)
           base.send(:include, InstanceMethods)
           Config.module_eval do
             class << self
-              attr_accessor :controller_to_realm_map            # What realm to display for which controller name.
-                            
+              attr_accessor :controller_to_realm_map # What realm to display for which controller name.
+
               def merge_http_basic_auth_defaults!
-                @defaults.merge!(:@controller_to_realm_map  => {"application" => "Application"})
+                @defaults.merge!(:@controller_to_realm_map => { 'application' => 'Application' })
               end
             end
             merge_http_basic_auth_defaults!
           end
+
           Config.login_sources << :login_from_basic_auth
         end
-        
-        module InstanceMethods
 
+        module InstanceMethods
           protected
-          
-          # to be used as a before_filter.
+
+          # to be used as a before_action.
           # The method sets a session when requesting the user's credentials.
           # This is a trick to overcome the way HTTP authentication works (explained below):
           #
-          # Once the user fills the credentials once, the browser will always send it to the 
+          # Once the user fills the credentials once, the browser will always send it to the
           # server when visiting the website, until the browser is closed.
-          # This causes wierd behaviour if the user logs out. The session is reset, yet the 
-          # user is re-logged in by the before_filter calling 'login_from_basic_auth'.
+          # This causes wierd behaviour if the user logs out. The session is reset, yet the
+          # user is re-logged in by the before_action calling 'login_from_basic_auth'.
           # To overcome this, we set a session when requesting the password, which logout will
           # reset, and that's how we know if we need to request for HTTP auth again.
           def require_login_from_http_basic
-            (request_http_basic_authentication(realm_name_by_controller) and (session[:http_authentication_used] = true) and return) if (request.authorization.nil? || session[:http_authentication_used].nil?)
+            (request_http_basic_authentication(realm_name_by_controller) && (session[:http_authentication_used] = true) && return) if request.authorization.nil? || session[:http_authentication_used].nil?
             require_login
             session[:http_authentication_used] = nil unless logged_in?
           end
-          
+
           # given to main controller module as a login source callback
           def login_from_basic_auth
             authenticate_with_http_basic do |username, password|
@@ -50,7 +50,7 @@ module Sorcery
               @current_user
             end
           end
-          
+
           # Sets the realm name by searching the controller name in the hash given at configuration time.
           def realm_name_by_controller
             if defined?(ActionController::Base)
@@ -58,17 +58,16 @@ module Sorcery
               while current_controller != ActionController::Base
                 result = Config.controller_to_realm_map[current_controller.controller_name]
                 return result if result
+
                 current_controller = current_controller.superclass
               end
               nil
             else
-              Config.controller_to_realm_map["application"]
+              Config.controller_to_realm_map['application']
             end
           end
-          
         end
-
       end
     end
   end
-end
+end

data/lib/sorcery/controller/submodules/remember_me.rb

@@ -17,9 +17,9 @@ module Sorcery
             end
             merge_remember_me_defaults!
           end
+
           Config.login_sources << :login_from_cookie
-          Config.after_login << :remember_me_if_asked_to
-          Config.after_logout << :forget_me!
+          Config.before_logout << :forget_me!
         end
 
         module InstanceMethods
@@ -29,10 +29,16 @@ module Sorcery
             set_remember_me_cookie!(current_user)
           end
 
-          # Clears the cookie and clears the token from the db.
+          # Clears the cookie, and depending on the value of remember_me_token_persist_globally, may clear the token value.
           def forget_me!
             current_user.forget_me!
-            cookies.delete(:remember_me_token, :domain => Config.cookie_domain)
+            cookies.delete(:remember_me_token, domain: Config.cookie_domain)
+          end
+
+          # Clears the cookie, and clears the token value.
+          def force_forget_me!
+            current_user.force_forget_me!
+            cookies.delete(:remember_me_token, domain: Config.cookie_domain)
           end
 
           # Override.
@@ -45,20 +51,15 @@ module Sorcery
 
           protected
 
-          # calls remember_me! if a third credential was passed to the login method.
-          # Runs as a hook after login.
-          def remember_me_if_asked_to(user, credentials)
-            remember_me! if ( credentials.size == 3 && credentials[2] && credentials[2] != "0" )
-          end
-
           # Checks the cookie for a remember me token, tried to find a user with that token
           # and logs the user in if found.
           # Runs as a login source. See 'current_user' method for how it is used.
           def login_from_cookie
-            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token])
+            user = cookies.signed[:remember_me_token] && user_class.sorcery_adapter.find_by_remember_me_token(cookies.signed[:remember_me_token]) if defined? cookies
             if user && user.has_remember_me_token?
               set_remember_me_cookie!(user)
               session[:user_id] = user.id.to_s
+              after_remember_me!(user)
               @current_user = user
             else
               @current_user = false
@@ -67,14 +68,13 @@ module Sorcery
 
           def set_remember_me_cookie!(user)
             cookies.signed[:remember_me_token] = {
-              :value => user.send(user.sorcery_config.remember_me_token_attribute_name),
-              :expires => user.send(user.sorcery_config.remember_me_token_expires_at_attribute_name),
-              :httponly => Config.remember_me_httponly,
-              :domain => Config.cookie_domain
+              value: user.send(user.sorcery_config.remember_me_token_attribute_name),
+              expires: user.send(user.sorcery_config.remember_me_token_expires_at_attribute_name),
+              httponly: Config.remember_me_httponly,
+              domain: Config.cookie_domain
             }
           end
         end
-
       end
     end
   end

data/lib/sorcery/controller/submodules/session_timeout.rb

@@ -8,38 +8,52 @@ module Sorcery
           base.send(:include, InstanceMethods)
           Config.module_eval do
             class << self
-              attr_accessor :session_timeout,                     # how long in seconds to keep the session alive.
-
-                            :session_timeout_from_last_action     # use the last action as the beginning of session
-                                                                  # timeout.
+              # how long in seconds to keep the session alive.
+              attr_accessor :session_timeout
+              # use the last action as the beginning of session timeout.
+              attr_accessor :session_timeout_from_last_action
+              # allow users to invalidate active sessions
+              attr_accessor :session_timeout_invalidate_active_sessions_enabled
 
               def merge_session_timeout_defaults!
-                @defaults.merge!(:@session_timeout                      => 3600, # 1.hour
-                                 :@session_timeout_from_last_action     => false)
+                @defaults.merge!(:@session_timeout                                    => 3600, # 1.hour
+                                 :@session_timeout_from_last_action                   => false,
+                                 :@session_timeout_invalidate_active_sessions_enabled => false)
               end
             end
             merge_session_timeout_defaults!
           end
+
           Config.after_login << :register_login_time
-          base.prepend_before_filter :validate_session
+          Config.after_remember_me << :register_login_time
+
+          base.prepend_before_action :validate_session
         end
 
         module InstanceMethods
+          def invalidate_active_sessions!
+            return unless Config.session_timeout_invalidate_active_sessions_enabled
+            return unless current_user.present?
+
+            current_user.send(:invalidate_sessions_before=, Time.now.in_time_zone)
+            current_user.save
+          end
+
           protected
 
           # Registers last login to be used as the timeout starting point.
           # Runs as a hook after a successful login.
-          def register_login_time(user, credentials)
+          def register_login_time(_user, _credentials = nil)
             session[:login_time] = session[:last_action_time] = Time.now.in_time_zone
           end
 
           # Checks if session timeout was reached and expires the current session if so.
-          # To be used as a before_filter, before require_login
+          # To be used as a before_action, before require_login
           def validate_session
             session_to_use = Config.session_timeout_from_last_action ? session[:last_action_time] : session[:login_time]
-            if session_to_use && sorcery_session_expired?(session_to_use.to_time)
+            if (session_to_use && sorcery_session_expired?(session_to_use.to_time)) || sorcery_session_invalidated?
               reset_sorcery_session
-              @current_user = nil
+              remove_instance_variable :@current_user if defined? @current_user
             else
               session[:last_action_time] = Time.now.in_time_zone
             end
@@ -49,6 +63,14 @@ module Sorcery
             Time.now.in_time_zone - time > Config.session_timeout
           end
 
+          # Use login time if present, otherwise use last action time.
+          def sorcery_session_invalidated?
+            return false unless Config.session_timeout_invalidate_active_sessions_enabled
+            return false unless current_user.present? && current_user.try(:invalidate_sessions_before).present?
+
+            time = session[:login_time] || session[:last_action_time] || Time.now.in_time_zone
+            time < current_user.invalidate_sessions_before
+          end
         end
       end
     end

data/lib/sorcery/controller.rb

@@ -4,11 +4,14 @@ module Sorcery
       klass.class_eval do
         include InstanceMethods
         Config.submodules.each do |mod|
+          # FIXME: Is there a cleaner way to handle missing submodules?
+          # rubocop:disable Lint/HandleExceptions
           begin
-            include Submodules.const_get(mod.to_s.split('_').map { |p| p.capitalize }.join)
+            include Submodules.const_get(mod.to_s.split('_').map(&:capitalize).join)
           rescue NameError
             # don't stop on a missing submodule.
           end
+          # rubocop:enable Lint/HandleExceptions
         end
       end
       Config.update!
@@ -16,55 +19,63 @@ module Sorcery
     end
 
     module InstanceMethods
-      # To be used as before_filter.
+      # To be used as before_action.
       # Will trigger auto-login attempts via the call to logged_in?
       # If all attempts to auto-login fail, the failure callback will be called.
       def require_login
-        if !logged_in?
-          session[:return_to_url] = request.url if Config.save_return_to_url && request.get?
-          self.send(Config.not_authenticated_action)
+        return if logged_in?
+
+        if Config.save_return_to_url && request.get? && !request.xhr? && !request.format.json?
+          session[:return_to_url] = request.url
         end
+
+        send(Config.not_authenticated_action)
       end
 
       # Takes credentials and returns a user on successful authentication.
       # Runs hooks after login or failed login.
       def login(*credentials)
         @current_user = nil
-        user = user_class.authenticate(*credentials)
-        if user
+
+        user_class.authenticate(*credentials) do |user, failure_reason|
+          if failure_reason
+            after_failed_login!(credentials)
+
+            yield(user, failure_reason) if block_given?
+
+            # FIXME: Does using `break` or `return nil` change functionality?
+            # rubocop:disable Lint/NonLocalExitFromIterator
+            return
+            # rubocop:enable Lint/NonLocalExitFromIterator
+          end
+
           old_session = session.dup.to_hash
           reset_sorcery_session
-          old_session.each_pair do |k,v|
+          old_session.each_pair do |k, v|
             session[k.to_sym] = v
           end
           form_authenticity_token
 
-          auto_login(user)
+          auto_login(user, credentials[2])
           after_login!(user, credentials)
-          current_user
-        else
-          after_failed_login!(credentials)
-          nil
+
+          block_given? ? yield(current_user, nil) : current_user
         end
       end
 
-      # put this into the catch block to rescue undefined method `destroy_session'
-      # hotfix for https://github.com/NoamB/sorcery/issues/464
-      # can be removed when Rails 4.1 is out
       def reset_sorcery_session
         reset_session # protect from session fixation attacks
-      rescue NoMethodError
       end
 
       # Resets the session and runs hooks before and after.
       def logout
-        if logged_in?
-          @current_user = current_user if @current_user.nil?
-          before_logout!(@current_user)
-          reset_sorcery_session
-          after_logout!
-          @current_user = nil
-        end
+        return unless logged_in?
+
+        user = current_user
+        before_logout!
+        @current_user = nil
+        reset_sorcery_session
+        after_logout!(user)
       end
 
       def logged_in?
@@ -87,7 +98,7 @@ module Sorcery
       # used when a user tries to access a page while logged out, is asked to login,
       # and we want to return him back to the page he originally wanted.
       def redirect_back_or_to(url, flash_hash = {})
-        redirect_to(session[:return_to_url] || url, :flash => flash_hash)
+        redirect_to(session[:return_to_url] || url, flash: flash_hash)
         session[:return_to_url] = nil
       end
 
@@ -102,7 +113,7 @@ module Sorcery
       #
       # @param [<User-Model>] user the user instance.
       # @return - do not depend on the return value.
-      def auto_login(user, should_remember = false)
+      def auto_login(user, _should_remember = false)
         session[:user_id] = user.id.to_s
         @current_user = user
       end
@@ -132,26 +143,30 @@ module Sorcery
       end
 
       def after_login!(user, credentials = [])
-        Config.after_login.each {|c| self.send(c, user, credentials)}
+        Config.after_login.each { |c| send(c, user, credentials) }
       end
 
       def after_failed_login!(credentials)
-        Config.after_failed_login.each {|c| self.send(c, credentials)}
+        Config.after_failed_login.each { |c| send(c, credentials) }
       end
 
-      def before_logout!(user)
-        Config.before_logout.each {|c| self.send(c, user)}
+      def before_logout!
+        Config.before_logout.each { |c| send(c) }
       end
 
-      def after_logout!
-        Config.after_logout.each {|c| self.send(c)}
+      def after_logout!(user)
+        Config.after_logout.each { |c| send(c, user) }
+      end
+
+      def after_remember_me!(user)
+        Config.after_remember_me.each { |c| send(c, user) }
       end
 
       def user_class
         @user_class ||= Config.user_class.to_s.constantize
+      rescue NameError
+        raise ArgumentError, 'You have incorrectly defined user_class or have forgotten to define it in intitializer file (config.user_class = \'User\').'
       end
-
     end
-
-	end
+  end
 end

data/lib/sorcery/crypto_providers/aes256.rb

@@ -1,51 +1,52 @@
-require "openssl"
+require 'openssl'
 
 module Sorcery
   module CryptoProviders
-    # This encryption method is reversible if you have the supplied key. 
+    # This encryption method is reversible if you have the supplied key.
     # So in order to use this encryption method you must supply it with a key first.
     # In an initializer, or before your application initializes, you should do the following:
     #
     #   Sorcery::Model::ConfigAES256.key = "my 32 bytes long key"
     #
-    # My final comment is that this is a strong encryption method, 
+    # My final comment is that this is a strong encryption method,
     # but its main weakness is that its reversible. If you do not need to reverse the hash
     # then you should consider Sha512 or BCrypt instead.
     #
     # Keep your key in a safe place, some even say the key should be stored on a separate server.
-    # This won't hurt performance because the only time it will try and access the key on the 
+    # This won't hurt performance because the only time it will try and access the key on the
     # separate server is during initialization, which only
-    # happens once. The reasoning behind this is if someone does compromise your server they 
+    # happens once. The reasoning behind this is if someone does compromise your server they
     # won't have the key also. Basically, you don't want to store the key with the lock.
     class AES256
       class << self
         attr_writer :key
-    
+
         def encrypt(*tokens)
           aes.encrypt
           aes.key = @key
-          [aes.update(tokens.join) + aes.final].pack("m").chomp
+          [aes.update(tokens.join) + aes.final].pack('m').chomp
         end
-    
+
         def matches?(crypted, *tokens)
           decrypt(crypted) == tokens.join
-        rescue OpenSSL::CipherError
+        rescue OpenSSL::Cipher::CipherError
           false
         end
-        
+
         def decrypt(crypted)
           aes.decrypt
           aes.key = @key
-          (aes.update(crypted.unpack("m").first) + aes.final)
+          (aes.update(crypted.unpack('m').first) + aes.final)
         end
-    
+
         private
-        
+
         def aes
-          raise ArgumentError.new("#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it.") if ( @key.nil? || @key == "" )
-          @aes ||= OpenSSL::Cipher::Cipher.new("AES-256-ECB")
+          raise ArgumentError, "#{name} expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it." if @key.nil? || @key == ''
+
+          @aes ||= OpenSSL::Cipher.new('AES-256-ECB')
         end
       end
     end
   end
-end
+end

data/lib/sorcery/crypto_providers/bcrypt.rb

@@ -2,9 +2,9 @@ require 'bcrypt'
 
 module Sorcery
   module CryptoProviders
-    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear 
+    # For most apps Sha512 is plenty secure, but if you are building an app that stores nuclear
     # launch codes you might want to consier BCrypt. This is an extremely
-    # secure hashing algorithm, mainly because it is slow. 
+    # secure hashing algorithm, mainly because it is slow.
     # A brute force attack on a BCrypt encrypted password would take much longer than a brute force attack on a
     # password encrypted with a Sha algorithm. Keep in mind you are sacrificing performance by using this,
     # generating a password takes exponentially longer than any
@@ -40,30 +40,35 @@ module Sorcery
     # You are good to go!
     class BCrypt
       class << self
-        # This is the :cost option for the BCrpyt library. 
+        # Setting the option :pepper allows users to append an app-specific secret token.
+        # Basically it's equivalent to :salt_join_token option, but have a different name to ensure
+        # backward compatibility in generating/matching passwords.
+        attr_accessor :pepper
+        # This is the :cost option for the BCrpyt library.
         # The higher the cost the more secure it is and the longer is take the generate a hash. By default this is 10.
-        # Set this to whatever you want, play around with it to get that perfect balance between 
+        # Set this to whatever you want, play around with it to get that perfect balance between
         # security and performance.
         def cost
           @cost ||= 10
         end
         attr_writer :cost
-        alias :stretches :cost
-        alias :stretches= :cost=
-        
+        alias stretches cost
+        alias stretches= cost=
+
         # Creates a BCrypt hash for the password passed.
         def encrypt(*tokens)
-          ::BCrypt::Password.create(join_tokens(tokens), :cost => cost)
+          ::BCrypt::Password.create(join_tokens(tokens), cost: cost)
         end
-        
+
         # Does the hash match the tokens? Uses the same tokens that were used to encrypt.
         def matches?(hash, *tokens)
           hash = new_from_hash(hash)
           return false if hash.nil? || hash == {}
+
           hash == join_tokens(tokens)
         end
-        
-        # This method is used as a flag to tell Sorcery to "resave" the password 
+
+        # This method is used as a flag to tell Sorcery to "resave" the password
         # upon a successful login, using the new cost
         def cost_matches?(hash)
           hash = new_from_hash(hash)
@@ -73,25 +78,24 @@ module Sorcery
             hash.cost == cost
           end
         end
-        
+
         def reset!
           @cost = 10
+          @pepper = ''
         end
-        
+
         private
-        
+
         def join_tokens(tokens)
-          tokens.flatten.join
+          tokens.flatten.join.concat(pepper.to_s) # make sure to add pepper in case tokens have only one element
         end
-        
+
         def new_from_hash(hash)
-          begin
-            ::BCrypt::Password.new(hash)
-          rescue ::BCrypt::Errors::InvalidHash
-            return nil
-          end
+          ::BCrypt::Password.new(hash)
+        rescue ::BCrypt::Errors::InvalidHash
+          nil
         end
       end
     end
   end
-end
+end

data/lib/sorcery/crypto_providers/common.rb

@@ -32,4 +32,4 @@ module Sorcery
       end
     end
   end
-end
+end

data/lib/sorcery/crypto_providers/md5.rb

@@ -1,9 +1,9 @@
-require "digest/md5"
- 
+require 'digest/md5'
+
 module Sorcery
   module CryptoProviders
-    # This class was made for the users transitioning from md5 based systems. 
-    # I highly discourage using this crypto provider as it superbly inferior 
+    # This class was made for the users transitioning from md5 based systems.
+    # I highly discourage using this crypto provider as it superbly inferior
     # to your other options.
     #
     # Please use any other provider offered by Sorcery.
@@ -16,4 +16,4 @@ module Sorcery
       end
     end
   end
-end
+end

data/lib/sorcery/crypto_providers/sha1.rb

@@ -1,4 +1,4 @@
-require "digest/sha1"
+require 'digest/sha1'
 
 module Sorcery
   module CryptoProviders
@@ -8,9 +8,9 @@ module Sorcery
       include Common
       class << self
         def join_token
-          @join_token ||= "--"
+          @join_token ||= '--'
         end
-        
+
         # Turns your raw password into a Sha1 hash.
         def encrypt(*tokens)
           tokens = tokens.flatten
@@ -18,11 +18,11 @@ module Sorcery
           stretches.times { digest = secure_digest([digest, *tokens].join(join_token)) }
           digest
         end
-        
+
         def secure_digest(digest)
           Digest::SHA1.hexdigest(digest)
         end
       end
     end
   end
-end
+end

data/lib/sorcery/crypto_providers/sha256.rb

@@ -1,7 +1,7 @@
-require "digest/sha2"
+require 'digest/sha2'
 
 module Sorcery
-  # The activate_sorcery method has a custom_crypto_provider configuration option. 
+  # The activate_sorcery method has a custom_crypto_provider configuration option.
   # This allows you to use any type of encryption you like.
   # Just create a class with a class level encrypt and matches? method. See example below.
   #

data/lib/sorcery/crypto_providers/sha512.rb

@@ -1,7 +1,7 @@
-require "digest/sha2"
+require 'digest/sha2'
 
 module Sorcery
-  # The activate_sorcery method has a custom_crypto_provider configuration option. 
+  # The activate_sorcery method has a custom_crypto_provider configuration option.
   # This allows you to use any type of encryption you like.
   # Just create a class with a class level encrypt and matches? method. See example below.
   #
@@ -33,4 +33,4 @@ module Sorcery
       end
     end
   end
-end
+end