binarylogic · jaredbeck · Sep 26, 2019 · Sep 8, 2019 · Sep 8, 2019 · tiegz
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,12 +7,27 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Unreleased
 
-* Breaking Changes
-  * None
+* Breaking Changes, Major
+  * There is no longer a default `crypto_provider`. We still recommend SCrypt,
+    but don't want users of other providers to be forced to install it. You
+    must now explicitly specify your `crypto_provider`, eg. in your `user.rb`.
+
+        acts_as_authentic do |config|
+          c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+        end
+
+    To continue to use the `scrypt` gem, add it to your `Gemfile`.
+
+        gem "scrypt", "~> 3.0"
+
+* Breaking Changes, Minor
+  * The arity of `crypto_provider` has changed from -1 (one optional arg) to 0
+    (no arguments). To set the provider, use `crypto_provider=`.
 * Added
   * None
 * Fixed
-  * None
+  * [#668](https://github.com/binarylogic/authlogic/pull/668) -
+    BCrypt user forced to load SCrypt
 
 ## 5.0.4 (2019-09-11)
 

diff --git a/authlogic.gemspec b/authlogic.gemspec
@@ -29,7 +29,6 @@ require "authlogic/version"
   s.add_dependency "activerecord", [">= 5.2", "< 6.1"]
   s.add_dependency "activesupport", [">= 5.2", "< 6.1"]
   s.add_dependency "request_store", "~> 1.0"
-  s.add_dependency "scrypt", ">= 1.2", "< 4.0"
   s.add_development_dependency "bcrypt", "~> 3.1"
   s.add_development_dependency "byebug", "~> 10.0"
   s.add_development_dependency "coveralls", "~> 0.8.22"
@@ -38,6 +37,7 @@ require "authlogic/version"
   s.add_development_dependency "pg", "~> 1.1.4"
   s.add_development_dependency "rubocop", "~> 0.67.2"
   s.add_development_dependency "rubocop-performance", "~> 1.1"
+  s.add_development_dependency "scrypt", ">= 1.2", "< 4.0"
   s.add_development_dependency "simplecov", "~> 0.16.1"
   s.add_development_dependency "simplecov-console", "~> 0.4.2"
   s.add_development_dependency "sqlite3", "~> 1.3.13"

diff --git a/lib/authlogic.rb b/lib/authlogic.rb
@@ -13,6 +13,7 @@
 path = File.dirname(__FILE__) + "/authlogic/"
 
 [
+  "errors",
   "i18n",
   "random",
   "config",

diff --git a/lib/authlogic/acts_as_authentic/password.rb b/lib/authlogic/acts_as_authentic/password.rb
@@ -109,13 +109,23 @@ def check_passwords_against_database(value = nil)
         # transition to a better crypto provider without causing your users any
         # pain.
         #
-        # * <tt>Default:</tt> CryptoProviders::SCrypt
+        # * <tt>Default:</tt> There is no longer a default value. Prior to
+        #   Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+        #   to read this config option before setting it, it will raise a
+        #   `NilCryptoProvider` error. See that error's message for further
+        #   details, and rationale for this change.
         # * <tt>Accepts:</tt> Class
-        def crypto_provider(value = nil)
+        def crypto_provider
+          acts_as_authentic_config[:crypto_provider].tap { |provider|
+            raise NilCryptoProvider if provider.nil?
+          }
+        end
+
+        def crypto_provider=(value)
+          raise NilCryptoProvider if value.nil?
           CryptoProviders::Guidance.new(value).impart_wisdom
-          rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+          rw_config(:crypto_provider, value)
         end
-        alias crypto_provider= crypto_provider
 
         # Let's say you originally encrypted your passwords with Sha1. Sha1 is
         # starting to join the party with MD5 and you want to switch to

diff --git a/lib/authlogic/errors.rb b/lib/authlogic/errors.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Authlogic
+  # Parent class of all Authlogic errors.
+  class Error < StandardError
+  end
+
+  # :nodoc:
+  class InvalidCryptoProvider < Error
+  end
+
+  # :nodoc:
+  class NilCryptoProvider < InvalidCryptoProvider
+    def message
+      <<~EOS
+        In version 5, Authlogic used SCrypt by default. As of version 6, there
+        is no default. We still recommend SCrypt. If you previously relied on
+        this default, then, in your User model (or equivalent), please set the
+        following:
+
+            acts_as_authentic do |config|
+              c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+            end
+
+        Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+        your Gemfile, please add scrypt.
+
+            gem "scrypt", "~> 3.0"
+
+        We have made this change in Authlogic 6 so that users of other crypto
+        providers no longer need to install the scrypt gem.
+      EOS
+    end
+  end
+end
diff --git a/test/acts_as_authentic_test/password_test.rb b/test/acts_as_authentic_test/password_test.rb
@@ -52,7 +52,7 @@ def test_crypto_provider_config
       end
       assert_equal Authlogic::CryptoProviders::BCrypt, User.crypto_provider
       silence_warnings do
-        User.crypto_provider Authlogic::CryptoProviders::Sha512
+        User.crypto_provider = Authlogic::CryptoProviders::Sha512
       end
       assert_equal Authlogic::CryptoProviders::Sha512, User.crypto_provider
     end

diff --git a/test/libs/admin.rb b/test/libs/admin.rb
@@ -2,7 +2,9 @@
 
 # This model demonstrates an `after_save` callback.
 class Admin < ActiveRecord::Base
-  acts_as_authentic
+  acts_as_authentic do |c|
+    c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+  end
 
   validates :password, confirmation: true
 

diff --git a/test/libs/user.rb b/test/libs/user.rb
@@ -12,6 +12,7 @@ class User < ActiveRecord::Base
   LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/.freeze
 
   acts_as_authentic do |c|
+    c.crypto_provider = Authlogic::CryptoProviders::SCrypt
     c.transition_from_crypto_providers Authlogic::CryptoProviders::Sha512
   end
   belongs_to :company