From 63e54e4f906e9e75b789d377ed120d33948b6945 Mon Sep 17 00:00:00 2001
From: Jared Beck
Date: Sat, 7 Sep 2019 22:13:06 -0400
Subject: [PATCH 1/2] Consolidate error classes into errors.rb
1. Errors should share a parent class Authlogic::Error
2. Having them in one file is kind of convenient because they often have long messages, and it's nice to keep that copywriting out of the way.
Also, it's sort of nice if a file like rails_adapter.rb only defines the adapter class and not any other classes?
---
 lib/authlogic.rb | 1 +
 lib/authlogic/errors.rb | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 lib/authlogic/errors.rb
diff --git a/lib/authlogic.rb b/lib/authlogic.rb
index 9525594c..13e94c11 100644
--- a/lib/authlogic.rb
+++ b/lib/authlogic.rb
@@ -13,6 +13,7 @@ path = File.dirname(__FILE__) + "/authlogic/"
 [
+ "errors",
 "i18n",
 "random",
 "config",
diff --git a/lib/authlogic/errors.rb b/lib/authlogic/errors.rb
new file mode 100644
index 00000000..89eabf69
--- /dev/null
+++ b/lib/authlogic/errors.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Authlogic
+ # Parent class of all Authlogic errors.
+ class Error < StandardError
+ end
+end
From ae4fef1426ad1bc32659ccf9b5b489443dade2af Mon Sep 17 00:00:00 2001
From: Jared Beck
Date: Sat, 7 Sep 2019 22:35:16 -0400
Subject: [PATCH 2/2] Breaking change: No default crypto_provider
[Fixes #668]
See changelog for description, rationale.
---
 CHANGELOG.md | 21 ++++++++++++---
 authlogic.gemspec | 2 +-
 lib/authlogic/acts_as_authentic/password.rb | 18 ++++++++++---
 lib/authlogic/errors.rb | 28 ++++++++++++++++++++
 test/acts_as_authentic_test/password_test.rb | 2 +-
 test/libs/admin.rb | 4 ++-
 test/libs/user.rb | 1 +
 7 files changed, 66 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2efdbfc7..f8fb32dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,12 +7,27 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## Unreleased
-* Breaking Changes
- * None
+* Breaking Changes, Major
+ * There is no longer a default `crypto_provider`. We still recommend SCrypt,
+ but don't want users of other providers to be forced to install it. You
+ must now explicitly specify your `crypto_provider`, eg. in your `user.rb`.
+
+ acts_as_authentic do |config|
+ c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+ end
+
+ To continue to use the `scrypt` gem, add it to your `Gemfile`.
+
+ gem "scrypt", "~> 3.0"
+
+* Breaking Changes, Minor
+ * The arity of `crypto_provider` has changed from -1 (one optional arg) to 0
+ (no arguments). To set the provider, use `crypto_provider=`.
 * Added
 * None
 * Fixed
- * None
+ * [#668](https://github.com/binarylogic/authlogic/pull/668) -
+ BCrypt user forced to load SCrypt
 ## 5.0.4 (2019-09-11)
diff --git a/authlogic.gemspec b/authlogic.gemspec
index 9b4dfd03..12768183 100644
--- a/authlogic.gemspec
+++ b/authlogic.gemspec
@@ -29,7 +29,6 @@ require "authlogic/version"
 s.add_dependency "activerecord", [">= 5.2", "< 6.1"]
 s.add_dependency "activesupport", [">= 5.2", "< 6.1"]
 s.add_dependency "request_store", "~> 1.0"
- s.add_dependency "scrypt", ">= 1.2", "< 4.0"
 s.add_development_dependency "bcrypt", "~> 3.1"
 s.add_development_dependency "byebug", "~> 10.0"
 s.add_development_dependency "coveralls", "~> 0.8.22"
@@ -38,6 +37,7 @@ require "authlogic/version"
 s.add_development_dependency "pg", "~> 1.1.4"
 s.add_development_dependency "rubocop", "~> 0.67.2"
 s.add_development_dependency "rubocop-performance", "~> 1.1"
+ s.add_development_dependency "scrypt", ">= 1.2", "< 4.0"
 s.add_development_dependency "simplecov", "~> 0.16.1"
 s.add_development_dependency "simplecov-console", "~> 0.4.2"
 s.add_development_dependency "sqlite3", "~> 1.3.13"
diff --git a/lib/authlogic/acts_as_authentic/password.rb b/lib/authlogic/acts_as_authentic/password.rb
index 30bc2ee0..ad168a87 100644
--- a/lib/authlogic/acts_as_authentic/password.rb
+++ b/lib/authlogic/acts_as_authentic/password.rb
@@ -109,13 +109,23 @@ def check_passwords_against_database(value = nil)
 # transition to a better crypto provider without causing your users any
 # pain.
 #
- # * Default: CryptoProviders::SCrypt
+ # * Default: There is no longer a default value. Prior to
+ # Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+ # to read this config option before setting it, it will raise a
+ # `NilCryptoProvider` error. See that error's message for further
+ # details, and rationale for this change.
 # * Accepts: Class
- def crypto_provider(value = nil)
+ def crypto_provider
+ acts_as_authentic_config[:crypto_provider].tap { |provider|
+ raise NilCryptoProvider if provider.nil?
+ }
+ end
+
+ def crypto_provider=(value)
+ raise NilCryptoProvider if value.nil?
 CryptoProviders::Guidance.new(value).impart_wisdom
- rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+ rw_config(:crypto_provider, value)
 end
- alias crypto_provider= crypto_provider
 # Let's say you originally encrypted your passwords with Sha1. Sha1 is
 # starting to join the party with MD5 and you want to switch to
diff --git a/lib/authlogic/errors.rb b/lib/authlogic/errors.rb
index 89eabf69..8f0f3404 100644
--- a/lib/authlogic/errors.rb
+++ b/lib/authlogic/errors.rb
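Review bot: The new `crypto_provider` reader pulls `acts_as_authentic_config[:crypto_provider]` straight out of the hash, while the writer (and the removed code) go through `rw_config`; if `rw_config` resolves the key through anything beyond a plain hash read (a superclass fallback, say — not visible in this hunk), the reader now silently skips it, so reading and writing should stay on the same path. Raising instead of defaulting is the right posture here: a missing provider must fail loudly rather than degrade to a weaker hash, so the guard itself is welcome. The `tap` with a multi-line brace block is an odd shape for raise-or-return; a plain guard reads better: `provider = acts_as_authentic_config[:crypto_provider]` / `raise NilCryptoProvider if provider.nil?` / `provider`. Since the reader can now raise, the option docs could add `# * Raises: NilCryptoProvider when read before being set` next to `# * Accepts: Class`. The enclosing config module starts and ends outside the hunk.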
@@ -4,4 +4,32 @@ module Authlogic
 # Parent class of all Authlogic errors.
 class Error < StandardError
 end
+
+ # :nodoc:
+ class InvalidCryptoProvider < Error
+ end
+
+ # :nodoc:
+ class NilCryptoProvider < InvalidCryptoProvider
+ def message
+ <<~EOS
+ In version 5, Authlogic used SCrypt by default. As of version 6, there
+ is no default. We still recommend SCrypt. If you previously relied on
+ this default, then, in your User model (or equivalent), please set the
+ following:
+
+ acts_as_authentic do |config|
+ c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+ end
+
+ Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+ your Gemfile, please add scrypt.
+
+ gem "scrypt", "~> 3.0"
+
+ We have made this change in Authlogic 6 so that users of other crypto
+ providers no longer need to install the scrypt gem.
+ EOS
+ end
+ end
 end
diff --git a/test/acts_as_authentic_test/password_test.rb b/test/acts_as_authentic_test/password_test.rb
index 1c60e4d1..14c2c2a3 100644
--- a/test/acts_as_authentic_test/password_test.rb
+++ b/test/acts_as_authentic_test/password_test.rb
@@ -52,7 +52,7 @@ def test_crypto_provider_config
 end
 assert_equal Authlogic::CryptoProviders::BCrypt, User.crypto_provider
 silence_warnings do
- User.crypto_provider Authlogic::CryptoProviders::Sha512
+ User.crypto_provider = Authlogic::CryptoProviders::Sha512
 end
 assert_equal Authlogic::CryptoProviders::Sha512, User.crypto_provider
 end
diff --git a/test/libs/admin.rb b/test/libs/admin.rb
index faa724ad..95c00c95 100644
--- a/test/libs/admin.rb
+++ b/test/libs/admin.rb
@@ -2,7 +2,9 @@
 # This model demonstrates an `after_save` callback.
 class Admin < ActiveRecord::Base
- acts_as_authentic
+ acts_as_authentic do |c|
+ c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+ end
 validates :password, confirmation: true
diff --git a/test/libs/user.rb b/test/libs/user.rb
index cbc0459e..9f574857 100644
--- a/test/libs/user.rb
+++ b/test/libs/user.rb
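Review bot: The snippet embedded in `NilCryptoProvider#message` opens the block as `acts_as_authentic do |config|` but then assigns through `c.crypto_provider =`, so a user who pastes it exactly as the error tells them to gets a `NameError` instead of a configured provider; the line should read `acts_as_authentic do |c|` (the CHANGELOG hunk in this commit repeats the same mismatch, whereas the test models in `test/libs/admin.rb` and `test/libs/user.rb` correctly use `|c|`). Both new classes are tagged `# :nodoc:`, yet they are public errors callers will rescue, so each deserves a one-line description instead of being hidden; for `NilCryptoProvider` something like `# Raised when crypto_provider is read, or assigned nil, before a provider is configured.`, and for `InvalidCryptoProvider` a note on when it is raised (nothing in this hunk raises it, so the wording needs the author's input). The gem constraint quoted in the message, `"~> 3.0"`, is narrower than the gemspec's development dependency (`>= 1.2, < 4.0`) in this same commit; aligning the two keeps the advice within the range the test suite actually exercises.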
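Review bot: This hunk only adapts the existing call to the new `crypto_provider=` syntax; nothing in the commit exercises the new raise paths, so the behaviour the changelog announces is untested. A small assertion that assigning nil fails closed would pin it, e.g. `assert_raises(Authlogic::NilCryptoProvider) { User.crypto_provider = nil }`, and a companion check that reading `crypto_provider` on a model with no provider configured raises the same error (both test models now set one, so that case would need a throwaway model). `test_crypto_provider_config` starts outside the hunk.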
@@ -12,6 +12,7 @@ class User < ActiveRecord::Base
 LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/.freeze
 acts_as_authentic do |c|
+ c.crypto_provider = Authlogic::CryptoProviders::SCrypt
 c.transition_from_crypto_providers Authlogic::CryptoProviders::Sha512
 end
 belongs_to :company