binarylogic / authlogic

A simple ruby authentication solution.

Home Page: http://rdoc.info/projects/binarylogic/authlogic

License: MIT License



authlogic's Issues

generalize_credentials_error_messages with custom string

The doc specifies that instead of the value 'true' a string can be specified like this:

generalize_credentials_error_messages I18n.t('authlogic.error_messages.login_credentials_invalid')

However, this does not seem to work: when passing a string the whole statement is ignored.

Authlogic does not logout on heroku

Logout works on my local machine (mac os x leopard, rails 2.3.4, mongrel) but fails on Production in Heroku. Authlogic is integrated into my app in the same way that the railscast episode on authlogic suggests - the only difference is that I included all of the authlogic database columns.

Store bytes instead of string encoded in hexa./base64

  • The salt is being saved in base64, getting 22 chars, but if it were stored as a byte string it would be only 16 chars. The difference is very great when you have 100K or 1M users.
  • The same happens with the hashes, which are being saved in hexadecimal, although there the difference is a lot greater.

Digest::SHA512.hexdigest => 128 chars.

instead of

Digest::SHA512.digest => 64 chars.

Security: AuthLogic leaks valid usernames when logging in by default

AuthLogic helps an attacker by letting them know if a username is valid or not while logging in.

A more secure (but slightly less user-friendly) behavior would be not letting the user know whether the login or password (or both) is wrong.

I think the secure behavior should be enabled by default, and have a configuration parameter to behave in the current mode.

(note that information might also be leaked from the register and forgotten password page)

SHA-512 is overkill

SHA-512 is overkill for a web application. It would be best if it used SHA-256 by default, but the developer could change it to SHA-384 or SHA-512.

In addition, with a digest of 512 bytes you get 64 bytes, and with 256 bytes you get 32 chars.

Bruce Schneier has said: "I have, and continue to, recommend SHA-256 for
immediate applications, and will probably continue to recommend the algorithm
until this process (a new secure hash standard) is completed. SHA-384 and
SHA-512 are also fine, but overkill for most applications."

http://www.schneier.com/blog/archives/2007/02/a_new_secure_ha.html

Inaccurate RDOC for Internationalization functionality

Hey there.

Ran into a couple of problems customising the error messages that Authlogic raises using the I18n functionality, stemming from a couple of inaccuracies in your RDOC.

Firstly, this example (from http://rdoc.info/rdoc/binarylogic/authlogic/blob/81af95e639570822667ec817f42aaad54f8865ed/Authlogic/I18n.html):

```ruby
module MyAuthlogicI18nAdapter
  def t(key, options = {})
    # you will have key which will be something like: "error_messages.password_invalid"
    # you will also have options[:default], which will be the default english version of the message
    # do whatever you want here with the arguments passed to you.
  end
end

Authlogic::I18n.extend MyAuthlogicI18nAdapter
```

..contains a subtle misunderstanding of how Object#extend works, and of Ruby’s OO semantics in general. In a nutshell, extend places the module with which your object is being extended in the inheritance tree above it, rather than overriding the methods on the object itself (The object in this place being the Authlogic::I18n singleton class). In practical terms, this means that if your object already has a method of the same name as one defined by the module (as is true in this case - Authlogic::I18n defines its own self.t method), the object’s own implementation will still be called, as it is lower down in the inheritance tree than that in the module with which it is being extended.

However, this is pretty much a moot point, as, looking at the source in i18n.rb - the built-in Authlogic::I18n.t attempts to call the t method on a top-level class called I18n, so a simpler method of overriding auth messages is simply to define that top-level I18n class itself, with a t method (no need for that extend). As a further improvement, I might suggest making this top-level classname configurable, as I18n seems pretty generic and potentially prone to namespace clashes. However, if the documentation for this feature could be updated to correct this, that’d be great.

Cheers!

Tim

original LH ticket

This ticket has 0 attachment(s).
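The method-lookup point Tim makes above, shown as an added example (not Authlogic's code and not from the ticket). `build_i18n_module` is a constructed stand-in with the shape the ticket describes for `Authlogic::I18n.t` (delegate to a top-level `I18n` class when one exists, else fall back to `options[:default]`); `MyAdapter` plays the role of the RDoc's adapter module.

```ruby
# Constructed stand-in for Authlogic::I18n: a module with its own singleton `t`.
# A fresh module is built per scenario so the scenarios do not interfere.
def build_i18n_module
  Module.new do
    def self.t(key, options = {})
      if Object.const_defined?(:I18n) && ::I18n.respond_to?(:t)
        ::I18n.t(key, options)                     # delegate, as the ticket describes
      else
        "builtin:#{options[:default] || key}"      # the module's own implementation
      end
    end
  end
end

# The adapter module from the RDoc example.
module MyAdapter
  def t(key, options = {})
    "adapter:#{key}"
  end
end

# Scenario 1: `extend` includes MyAdapter into the singleton class, i.e. *above*
# it in the lookup chain, so the singleton's own `t` is still found first.
def after_extend
  mod = build_i18n_module
  mod.extend(MyAdapter)
  mod.t("error_messages.password_invalid", default: "Password is not valid")
end

# Scenario 2: prepending to the singleton class puts MyAdapter *before* the
# singleton's own methods, so the adapter does take over.
def after_prepend
  mod = build_i18n_module
  mod.singleton_class.prepend(MyAdapter)
  mod.t("error_messages.password_invalid", default: "Password is not valid")
end

# Scenario 3: the simpler route from the ticket: define a top-level I18n class
# with a `t` method and let the built-in implementation delegate to it.
# The constant is defined only for the duration of this call.
def with_top_level_i18n
  defined_here = false
  raise "a top-level I18n is already loaded in this process" if Object.const_defined?(:I18n)
  Object.const_set(:I18n, Class.new do
    def self.t(key, options = {})
      "toplevel:#{key}"
    end
  end)
  defined_here = true
  build_i18n_module.t("error_messages.password_invalid")
ensure
  Object.send(:remove_const, :I18n) if defined_here
end
```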

Shoulda should_respond_with :success returns 302

In UserSessionsControllerTest using shoulda

context "not redirect non-logged in user" do
  setup do
    get :new
  end
  should_respond_with :success 
end

Fails with 302 status, but in simple Unit Test

test "should get new" do
  get :new
  assert_response :success
end

Passes successfully. This is the second time I am trying Authlogic with shoulda and getting the same test result (302 for response :success).

I18n locale changes work for AR but not AL

I added a translations file for AuthLogic to my rails app. This correctly resulted in error messages for users being translated into the default locale. However, when I change the locale in a before filter, AuthLogic keeps returning error messages in the default locale while AR starts providing validation errors in the current locale. It seems like the call to I18n translate (t) is being made only once with the default locale when the AuthLogic gem is loaded.

original LH ticket

This ticket has 0 attachment(s).

HTTP Basic Authentication not working.

HTTP Basic authentication works when going through curl, but not when using a browser (safari or firefox). In firefox, the attached dialog shows up. This happens in all of my projects using authlogic and the authlogic_example application from github. It’s the same whether I use mongrel or passenger.

original LH ticket

This ticket has 2 attachment(s).

Using authlogic with STI User models

Using authlogic with models that extend the User class (using Single Table Inheritance)
seems to break things since you end up with nil objects for @current_user in your controllers

```ruby
class User < ActiveRecord::Base
  acts_as_authentic
end
class NormalUser < User; end
class SpecialUser < User; end
```

Is it possible to use authlogic with STI?

original LH ticket

This ticket has 0 attachment(s).

rails 2.3.3 problem ’ApplicationController removed from tree but still active’

Hi

With 2.3.3 I started to see strange ’A copy of ApplicationController has been removed from the module tree but is still active!’ errors every few requests. Switching back to 2.3.2 removed the problem.

I think I was able to locate the problem somewhere within authlogic.

It might have something to do with this outstanding ticket (https://rails.lighthouseapp.com/projects/8994/tickets/1339-arbase-should-not-be-nuking-its-children-just-because-it-lost-interest), but so far I haven’t seen any activity in it.

The problem can be reproduced by fetching my fork of the authlogic example application:

  • http://github.com/retoo/authlogic_example/tree/rails233bug
  • cp config/database.yml{-bug-example,} (or use your own, shouldn’t matter)
  • rake db:migrate
  • start server
  • register a user
  • fetch the page right after the registration (users/show) repeatedly and fast (keep reload button pressed)
  • The error should occur within 10-30 requests.

Now if you like you can switch back to 2.3.2 and repeat the test, with 2.3.2 nothing happens.

Attached you can find the full backtrace.

Thanks!

Cheers,
Reto

original LH ticket

This ticket has 1 attachment(s).

App on rails 2.3.4

Hi,
There is a problem with UserSessions on rails 2.3.4. Code in a view like this

<% form_for @user_session, :url => login_path do |f| -%>
<%= f.error_messages %>
<%= f.text_field :login %>
<%= f.password_field :password %>
<%= f.check_box :remember_me %>
<%= submit_tag 'Login' %>
<% end %>

causes ActionView::TemplateError (can't convert ActiveRecord::Error into String) on line <%= f.error_messages %>

the template is not valid ruby => breaks pre-commit syntax check

Hi,
I'm a happy user of Authlogic.
In my projects, managed with Git, I have a pre-commit hook that checks all the modified files to see if they are valid. They go through a Ruby or ERB syntax check and the commit is aborted if an error is raised.

When I pack my gems in "vendor/gems", they are added to the next commit checked.

This process stumbles upon the session template, which ends in *.rb and so is checked by Ruby, and so is not valid because it's in fact an ERB template.

Maybe this file could be renamed into something either *.erb or *.tpl, …

The exact file is : authlogic-2.1.1/generators/session/templates/session.rb

I'll try to fork and make a patch, but I'm not sure that's in my reach ;-)

Thanks for Authlogic and everything else that you make. It's great.
Cheers
Jeremy

how do I add email?

To add an email field, do I just modify the create_users.rb file and then run the migration? Or are there other steps?
Sorry, I am a complete newbie.

HTTP Basic Auth Fails if "logout_on_timeout true"

If I enable logout_on_timeout and try to use HTTP Basic Auth then Authlogic will not validate the session (JosUserSession.find.record returns nil)

User and UserSession models below. I'm using the ApplicationController methods as shown in the tutorials.

class UserSession < Authlogic::Session::Base
  login_field :username
  verify_password_method :valid_credentials?
  logout_on_timeout true
  allow_http_basic_auth true
end 

class User < ActiveRecord::Base
  acts_as_authentic do |c| 
    c.validate_password_field = false
    c.login_field = :username
    c.logged_in_timeout = 30.minutes
  end 

  def valid_credentials?(password_plaintext)
    valid_jos_user_credentials?(password_plaintext)
  end 

  def valid_jos_user_credentials?(password_plaintext)
    salt = password.split(':')[1]
    encrypted = Digest::MD5.hexdigest("#{password_plaintext}#{salt}")
    password.eql? "#{encrypted}:#{salt}"
  end 
end 

Fixes on hash and crypto. stuff

http://github.com/binarylogic/authlogic/blob/81af95e639570822667ec817f42aaad54f8865ed/lib/authlogic/random.rb#L16

By default SecureRandom [1] uses 16 bytes (which has an entropy of 128 bits [2]), so:

SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")

should be:

SecureRandom.base64().tr('+/=', '-_ ').rstrip

[1] http://api.rubyonrails.org/classes/ActiveSupport/SecureRandom.html#M001107

[2] https://bitbucket.org/ares/cryha/src/tip/doc/sym_crypto.txt#cl-113

http://github.com/binarylogic/authlogic/blob/81af95e639570822667ec817f42aaad54f8865ed/lib/authlogic/random.rb#L11

SecureRandom.hex(64)

Why do you use 64 bytes?

It should be

SecureRandom.hex()

which uses 16 random bytes and returns them as a hexadecimal string.

Use hash instead of encrypted

Another thing. I've seen that 'encrypted' or 'crypted' is used to refer to the hashes. A hash is not a cryptographic algorithm; they are both different. Please use 'hash' to refer to a SHA, and any term related to crypto. to refer to AES.

Merge validation options to all validations

Is there an easy way to merge validation options for all validations? I would like to disable validations when a user is registered as a guest and currently have to do this.

```ruby
acts_as_authentic do |c|
  c.merge_validates_confirmation_of_password_field_options :unless => :guest?
  c.merge_validates_length_of_password_field_options :unless => :guest?
  c.merge_validates_length_of_password_confirmation_field_options :unless => :guest?
  c.merge_validates_length_of_login_field_options :unless => :guest?
  c.merge_validates_format_of_login_field_options :unless => :guest?
  c.merge_validates_uniqueness_of_login_field_options :unless => :guest?
  c.merge_validates_format_of_email_field_options :unless => :guest?
  c.merge_validates_length_of_email_field_options :unless => :guest?
  c.merge_validates_uniqueness_of_email_field_options :unless => :guest?
end
```

It would be nice if there was one merge_validation_options config method which merged all of them. Or is there a better way to do this?

Authlogic randomly creates a new session (logs in user)

Authlogic will randomly log in a logged out user. I am using the basic authlogic_example setup and have added just one more 'orders' resource controller with the basic actions and no other filters.

I can log out of my session, and view the orders index action logged out. Then I can keep refreshing my browser and within 5 - 15 refreshes, I will suddenly be logged back in again to the previous user session.

NameError in User sessionsController#new

I followed the example verbatim.

here is the error i get
undefined local variable or method `my_value' for User(id: integer, created_at: datetime, updated_at: datetime):Class

Full trace:

```
/usr/local/lib/ruby/gems/1.8/gems/activerecord-2.3.2/lib/active_record/base.rb:1964:in `method_missing'
/home/smpmode/racebench/app/models/user.rb:3
/usr/local/lib/ruby/gems/1.8/gems/authlogic-2.0.14/lib/authlogic/acts_as_authentic/base.rb:33:in `acts_as_authentic'
/home/smpmode/racebench/app/models/user.rb:2
```

set_session_for does not update current user in a loop

This tests the response_code for each user to a page, the session[:user_credentials_id] will change when using the helper ‘set_session_for’ in a loop, but the ‘current user’ does not change. The response body, does not change.

This is the smallest test I could create.

```ruby
test 'All users hit home page' do
  for user in User.all
    set_session_for(user)
    get :home
    assert_response :success
    assert_tag :tag => 'span', :attributes => {:id => "name"}, :content => user.display_name
  end
end
```

I have a span on the page that holds the users first name. This test will succeed the first time and fail on the second time through the loop. In the test output, the value in the tag is the name of the user that was set to the session the first time through the loop.

I would expect to be able to change the user in a functional test.

UserSession enumeration vulnerability

I can't seem to find any information in the docs on how to remove the "_ is not valid" validations on the user session fields. generalize_credentials_error_messages did not seem to return the results I was looking for. Is there a way to remove the validations completely for email/login/password and only use the validates_presence_of. Thank you.
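The login oracle described in this issue and in "Security: AuthLogic leaks valid usernames when logging in by default" above, as an added example (not Authlogic's code and not from either reporter). The user table, salt and hashing scheme are constructed stand-ins, and the `generalize:` switch plays the role of `generalize_credentials_error_messages`.

```ruby
require 'digest'

# Constructed stand-in for password hashing. Salted SHA-512 is used only to
# keep the example self-contained; a real deployment wants a dedicated
# password hash such as bcrypt.
def demo_hash(password, salt)
  Digest::SHA512.hexdigest("#{password}#{salt}")
end

# Constructed users table: login => { salt, crypted_password }.
DEMO_USERS = {
  "alice" => {
    salt: "constructedSalt1",
    crypted_password: demo_hash("correct horse", "constructedSalt1")
  }
}.freeze
DUMMY_SALT = "constructedSaltForUnknownLogins".freeze

# Constant-time comparison of two equal-length digests.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns { ok: true/false, errors: { field => [messages] } }.
# generalize: false reproduces the default behaviour both tickets complain about.
def authenticate(login, password, generalize:)
  record = DEMO_USERS[login]
  # Hash even when the login is unknown, so both failure paths do the same work
  # and the unknown-login case is not distinguishable by timing either.
  candidate = demo_hash(password, record ? record[:salt] : DUMMY_SALT)
  if record && secure_compare(candidate, record[:crypted_password])
    return { ok: true, errors: {} }
  end
  if generalize
    # One message whichever part was wrong: the response carries no login oracle.
    { ok: false, errors: { base: ["Login/Password combination is not valid"] } }
  else
    # Field-specific messages: the response reveals whether the login exists.
    { ok: false, errors: record ? { password: ["is not valid"] } : { login: ["is not valid"] } }
  end
end

# True when the error response alone tells a valid login apart from an unknown one.
def leaks_login_validity?(generalize:)
  known   = authenticate("alice",   "wrong password", generalize: generalize)[:errors]
  unknown = authenticate("mallory", "wrong password", generalize: generalize)[:errors]
  known != unknown
end
```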

:remember_me option not saving with UserSession.new

View

```haml
- if current_user
  %p= "Signed in as " << current_user.email << "!"
  %p= current_user_session.remember_me?
- else
  %h1 Login
  %p
  - form_for :login_info, :url => login_path do |f|
    = f.label :email
    = f.text_field :email
    = f.label :password
    = f.password_field :password
    = f.submit "Submit"
    = f.check_box :remember_me
    = f.label :remember_me
```

Controller

```ruby
class UserSessionsController < ApplicationController
  before_filter :require_no_user, :only => :create
  before_filter :require_user, :only => :destroy

  def create
    user_session = UserSession.new(params[:login_info])
    if user_session.save
      flash[:notice] = "Logged in!"
      redirect_to home_path
    else
      flash[:error] = "Error: Login unsuccessful!"
      redirect_to home_path
    end
  end

  def destroy
    current_user_session.destroy
    flash[:notice] = "Logged out!"
    redirect_to home_path
  end
end
```

Problem

Now when I login with the option ’Remember me?’ checked, Rails passes:
```
Processing UserSessionsController#create (for 127.0.0.1 at 2009-07-11 03:39:15) [POST]
Parameters:
{"commit"=>"Submit", "action"=>"create", "controller"=>"user_sessions",
"login_info"=>{"password"=>"[FILTERED]", "remember_me"=>"1", "email"=>"[email protected]"}}
```

But the View displays:
```
Signed in as [email protected]!
false
```

No matter how hard I try I can’t get the current_user_session to remember the remember_me option.

original LH ticket

This ticket has 0 attachment(s).

NameError: uninitialized constant ActiveRecord

```
irb> require 'rubygems'
=> true
irb> require 'authlogic'
NameError: uninitialized constant ActiveRecord
from ...
from /path/to/authlogic-2.1.1/lib/authlogic/session/validation.rb:16
from ...
```

Authlogic::Session::Validation::Errors inherits from ::ActiveRecord::Errors, but no require "active_record" can be found in the code and no dependency has been added to the gemspec.

Please note: In Rails 3, ActiveRecord::Errors has been moved to ActiveModel, so it might be better to roll your own Errors class.

Authlogic::Session::Validation::Errors#[] doesn't function as Rails does

Normally Rails would do this:

@object.errors[:non_existent_attribute] # => nil

Authlogic returns []

This is because of the following method:

```ruby
class Errors < ::ActiveRecord::Errors
  def [](key)
    value = super
    value.is_a?(Array) ? value : [value].compact
  end
end
```

as an example:
nil.is_a?(Array) ? nil : [nil].compact # => []

This causes issues when using the Formtastic plugin which expects nil when there are no errors for a given attribute.

This would be a fix:

```ruby
class Errors < ::ActiveRecord::Errors
  def [](key)
    value = super
    # Preserve Rails' nil for attributes that have no errors instead of wrapping it into [].
    return nil if value.nil?
    value.is_a?(Array) ? value : [value].compact
  end
end
```

some i18n keys missing?

Hello, I think there still are some keys missing.

I can’t translate during validation :

model names :

user_session
user

attributes :

all the attributes for user

The rest is working just fine.

I’m using the latest gem.

original LH ticket

This ticket has 0 attachment(s).

NoMethodError in Users#new

I implemented the tutorial exactly, but when I go to mywebsite/account/new I get:

NoMethodError in Users#new

Showing app/views/users/_form.html.erb where line #5 raised:

undefined method `username' for #<User:0xb74d5bf4>

Extracted source (around line #5):

```erb
2: <%= f.error_messages %>
3:
4: <%= f.label :username %>
5: <%= f.text_field :username %>
6:
7:
8: <%= f.label :email %>
```

When user's password is all numbers, error occurs

I get an error if my user's password = 123456.

It's fixed if you just change line 50 of lib/authlogic/session/magic_columns.rb (notice the to_i)

current:

record.login_count = (record.login_count.blank? ? 1 : record.login_count + 1) if record.respond_to?(:login_count)

patched:

record.login_count = (record.login_count.blank? ? 1 : record.login_count.to_i + 1) if record.respond_to?(:login_count)

With such a simple fix, I figured it was more trouble than it was worth to fork and then submit a patch. Hope this helps.

Best,
Bryce

Error msg:

TypeError in User sessionsController#create

can't convert Fixnum into String

RAILS_ROOT: /Library/WebServer/Documents/Projects/smsFood

```
/usr/local/lib/ruby/gems/1.8/gems/authlogic-2.0.14/lib/authlogic/session/magic_columns.rb:50:in `+'
/usr/local/lib/ruby/gems/1.8/gems/authlogic-2.0.14/lib/authlogic/session/magic_columns.rb:50:in `update_info'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:178:in `send'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:178:in `evaluate_method'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:166:in `call'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:93:in `run'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:92:in `each'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:92:in `send'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:92:in `run'
/usr/local/lib/ruby/gems/1.8/gems/activesupport-2.3.2/lib/active_support/callbacks.rb:276:in `run_callbacks'
/usr/local/lib/ruby/gems/1.8/gems/authlogic-2.0.14/lib/authlogic/session/callbacks.rb:71:in `before_save'
/usr/local/lib/ruby/gems/1.8/gems/authlogic-2.0.14/lib/authlogic/session/existence.rb:66:in `save'
/Library/WebServer/Documents/Projects/smsFood/app/controllers/user_sessions_controller.rb:10:in `create'
/Library/WebServer/Documents/Projects/smsFood/app/controllers/user_sessions_controller.rb:9:in `create'
```

Login authentication encounters an error running Passenger 2.1.2 and Rails 2.3.3

I am not sure if this bug is related to authlogic not being compatible with rails 2.3.3 or not, but I encounter an undefined method 'rewind' for # error when attempting to login using authlogic. This only occurs for me when attempting to use Rails 2.3.3. Once I switch back to 2.3.2 everything works fine. Here is a backtrace:

```
Status: 500 Internal Server Error
undefined method `rewind' for #<TCPSocket:0x2536630>
/Library/Ruby/Gems/1.8/gems/rack-1.0.0/lib/rack/request.rb:150:in `POST'
```

Odd Behavior in Functional tests

I've created two controller tests that test the same controller, but do it for different users (with a different set of privileges).

In the controller test that tests a visitor I have

  setup :activate_authlogic

  def setup
    UserSession.create(users(:visitor))
  end

Which works perfectly. When I remove that code the tests fail because no one is logged on (perfect). However, in another test, which should test an admin, the code does not fail when the above is removed. Just to reiterate, I'm testing the same controller. What's more, when I do include the code above, it does not work as expected, but it does when I include "UserSession.create(users(:admin))" within each test method.

Ruby 1.9.1 and Rails 2.3.4

Using Ruby 1.9.1 and Rails 2.3.4 I get this error:

NoMethodError (undefined method `^' for "a":String):
  authlogic (2.1.1) lib/authlogic/session/session.rb:46:in `session_credentials'
  authlogic (2.1.1) lib/authlogic/session/session.rb:33:in `persist_by_session'
  authlogic (2.1.1) lib/authlogic/session/callbacks.rb:78:in `persist'
  authlogic (2.1.1) lib/authlogic/session/persistence.rb:55:in `persisting?'
  authlogic (2.1.1) lib/authlogic/session/persistence.rb:39:in `find'
  app/controllers/application_controller.rb:16:in `current_user_session'

Login field validation

The regex in regex.rb for the login field currently is:

/\A\w[\w.+-_@ ]+\z/

This requires the login field to be a minimum of two characters. Shouldn't the first \w be removed or the + be changed to a *? I figure it makes most sense to remove the \w.
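The following is an added example, not Authlogic's own code, that runs the regex exactly as quoted above together with three variants: the hyphen escaped, the reporter's suggestion (leading `\w` removed), and the alternative (`+` changed to `*`). One caveat the quoted text raises: inside a character class an unescaped `+-_` is a range from `+` (0x2B) to `_` (0x5F), which also admits `/`, `:`, `<`, `>`, `\`, `^` and a few others. The page may have lost backslashes that the gem's `regex.rb` actually contains, so check the source before assuming the shipped pattern has that range; everything else the block shows follows from the pattern text itself.

```ruby
# Added example (not Authlogic code): exercise the login regex as quoted in the
# issue and three variants, to show the two-character minimum and what the
# character class actually admits.

# The pattern exactly as quoted. Inside a character class an unescaped '+-_'
# is a RANGE from '+' (0x2B) to '_' (0x5F), not three literal characters.
AS_QUOTED = /\A\w[\w.+-_@ ]+\z/

# Same pattern with the hyphen escaped, so '-' is literal and no range forms.
ESCAPED = /\A\w[\w.+\-_@ ]+\z/

# The reporter's suggestion: drop the leading \w. One-character logins pass,
# but so do logins that start with ' ', '.', '@', '+' or '-'.
NO_LEADING_W = /\A[\w.+\-_@ ]+\z/

# The alternative: keep the leading \w and change '+' to '*'. One-character
# logins pass and the first character is still restricted to [A-Za-z0-9_].
STAR = /\A\w[\w.+\-_@ ]*\z/

def login_valid?(login, regex)
  !(login =~ regex).nil?
end

# Printable ASCII characters that the range form accepts as the middle
# character of "a?b" but the escaped form rejects.
def range_leak
  (0x20..0x7e).map(&:chr).select do |c|
    login_valid?("a#{c}b", AS_QUOTED) && !login_valid?("a#{c}b", ESCAPED)
  end
end

# Verdict of each variant for each candidate login.
def compare(logins)
  logins.each_with_object({}) do |login, table|
    table[login] = {
      as_quoted: login_valid?(login, AS_QUOTED),
      escaped: login_valid?(login, ESCAPED),
      no_leading_w: login_valid?(login, NO_LEADING_W),
      star: login_valid?(login, STAR),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare(["a", "ab", "a<b", "@", " x", "alice@example.com"]).each do |login, r|
    puts format("%-20p quoted=%-5s escaped=%-5s no_leading_w=%-5s star=%s",
                login, r[:as_quoted], r[:escaped], r[:no_leading_w], r[:star])
  end
  puts "characters admitted only by the '+-_' range: #{range_leak.join}"
end
```

`range_leak` lists exactly which characters the range lets through. Of the two ways to allow one-character logins, changing `+` to `*` keeps the first-character restriction, while dropping the leading `\w` lets a login begin with a space or `@`.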

Testing / tabs and YAML?

I'm not sure what I am doing wrong here, but I keep getting the YAML tab error when I run my tests now. Here is what I have; I've looked for tabs and found none. Is there maybe a problem with the output from the Ruby code?

superuser:
  login: ben
  email: [email protected]
  # ERB is rendered top to bottom, so the line that assigns `salt` has to come
  # before the line that uses it.
  password_salt: <%= salt = Authlogic::Random.hex_token %>
  crypted_password: <%= Authlogic::CryptoProviders::Sha512.encrypt("ben" + salt) %>
  persistence_token: <%= Authlogic::Random.hex_token %>
  super: true
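An added example, not Authlogic's or Rails' code, that renders a fixture the way the fixture loader does (ERB first, then YAML) so the two failure modes in a fixture like the one above can be told apart offline. The Authlogic helpers are replaced by labelled stand-ins (`crypt`, `hex_token`) so the script runs without the gem; `ben@example.com` is a made-up address. The stand-in digest is a single raw SHA-512 and is not the scheme Authlogic's provider uses, so it must not be copied into a real fixture. In Rails 2.3 any exception raised while rendering or parsing a fixture is reported with the same "Tabs are not allowed" wording, which is why a fixture with no tabs can still produce that message.

```ruby
require "erb"
require "yaml"
require "digest"
require "securerandom"

# Hypothetical stand-ins for the Authlogic helpers a fixture would call. They
# exist only so this script runs without the gem; Authlogic's real Sha512
# provider does more than one raw digest.
def crypt(password, salt)
  Digest::SHA512.hexdigest(password + salt)
end

def hex_token
  SecureRandom.hex(64)
end

# Render ERB, then parse YAML, in the order the fixture loader does.
# Returns [:ok, Hash] or [:error, Exception] so the failing stage is visible.
def load_fixture(source)
  rendered = ERB.new(source).result(binding)
  [:ok, YAML.safe_load(rendered)]
rescue StandardError => e
  [:error, e]
end

# Constructed fixture in the order the issue posted it: `salt` is used one line
# before it is assigned, and "login:ben" has no space after the colon.
AS_POSTED = <<~YAML
  superuser:
    login:ben
    email: ben@example.com
    crypted_password: <%= crypt("ben", salt) %>
    password_salt: <%= salt = hex_token %>
    persistence_token: <%= hex_token %>
    super: true
YAML

# Salt assignment moved above its use; "login:ben" left alone.
SALT_FIXED_ONLY = <<~YAML
  superuser:
    login:ben
    email: ben@example.com
    password_salt: <%= salt = hex_token %>
    crypted_password: <%= crypt("ben", salt) %>
    persistence_token: <%= hex_token %>
    super: true
YAML

# Both problems fixed.
FIXED = <<~YAML
  superuser:
    login: ben
    email: ben@example.com
    password_salt: <%= salt = hex_token %>
    crypted_password: <%= crypt("ben", salt) %>
    persistence_token: <%= hex_token %>
    super: true
YAML

if __FILE__ == $PROGRAM_NAME
  { "as posted" => AS_POSTED, "salt moved up" => SALT_FIXED_ONLY, "fixed" => FIXED }.each do |name, src|
    status, result = load_fixture(src)
    detail = status == :error ? "#{result.class}: #{result.message.lines.first.strip}" : result.keys.inspect
    puts "#{name}: #{status} (#{detail})"
  end
end
```

With the posted order the ERB stage raises a `NameError` because `salt` has not been assigned yet; with only the salt moved, the YAML stage raises a `Psych::SyntaxError` because `login:ben` (no space) is a plain scalar, not a key. Only the third fixture loads, and its `crypted_password` matches a fresh digest of the password with the stored salt.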

Using Multiple Databases with authlogic - Authlogic Switches to using Alternative DB

I have a fairly generic setup of Authlogic using all defaults against a User table in my primary DB.

I have a 2nd separate database set up in my database.yml/models, à la something like this.

In database.yml, a second_db entry.

In an example model:

  class ModelInOtherDB < ActiveRecord::Base
    establish_connection :second_db
    ...
  end

Whenever I use this ModelInOtherDB it works, but when I reload, authlogic tries hitting the 2nd database, not the primary DB with the User table in it, and faults with a...

Could not find table 'user' error

Authlogic(2.1.1)
Ruby version 1.9.1 (i386-darwin9.6.0)
RubyGems version 1.3.3

generalize_credentials_error_messages conflict

If you include generalize_credentials_error_messages true in your UserSession object, the failed_login_count will stop incrementing when the password is bad but the login is valid. This in turn stops the brute force protection from working.

Is it possible to include generalize_credentials_error_messages in UserSession but still have the failed_login_count increment when the password is incorrect?

Thanks,
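An added example, not Authlogic's code, of how the two concerns in this ticket should relate: generalising the error message changes what the caller is told, never whether the failed-login counter moves. The limit and ban duration below are assumed to match Authlogic's documented brute-force defaults; the password hashing is a PBKDF2 stand-in rather than Authlogic's provider; the error wordings are illustrative. The clock is injectable so the ban expiry can be exercised without sleeping.

```ruby
require "openssl"
require "securerandom"

# Added example (not Authlogic code): a minimal model of the failed-login
# counter, independent of how credential errors are worded.

# Assumed to match Authlogic's brute-force defaults (not taken from this page).
CONSECUTIVE_FAILED_LOGINS_LIMIT = 50
FAILED_LOGIN_BAN_FOR = 2 * 60 * 60 # seconds

FakeUser = Struct.new(:login, :salt, :crypted_password, :failed_login_count, :updated_at)

# Password hashing stand-in (PBKDF2-HMAC-SHA256); not Authlogic's provider.
def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
end

def new_user(login, password, clock)
  salt = SecureRandom.hex(16)
  FakeUser.new(login, salt, hash_password(password, salt), 0, clock.call)
end

# Constant-time comparison of two equal-length digests.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class SessionCheck
  attr_reader :errors

  def initialize(users, generalize_credentials_error_messages:, clock: -> { Time.now })
    @users = users
    @generalize = generalize_credentials_error_messages
    @clock = clock
  end

  # Returns the user on success, nil on failure; #errors holds the messages.
  def authenticate(login, password)
    @errors = []
    user = @users.find { |u| u.login == login }
    return fail_with(:login, "is not valid") if user.nil?

    if banned?(user)
      # Illustrative wording; the real message is not quoted on this page.
      return fail_with(:base, "Consecutive failed logins limit exceeded, account is temporarily disabled")
    end

    unless secure_compare(hash_password(password, user.salt), user.crypted_password)
      # The counter moves regardless of how the failure is reported.
      user.failed_login_count += 1
      user.updated_at = @clock.call
      return fail_with(:password, "is not valid")
    end

    user.failed_login_count = 0
    user
  end

  private

  def banned?(user)
    user.failed_login_count >= CONSECUTIVE_FAILED_LOGINS_LIMIT &&
      (@clock.call - user.updated_at) < FAILED_LOGIN_BAN_FOR
  end

  # With generalisation on, login and password failures collapse into one
  # message so the response does not reveal which half was wrong.
  def fail_with(field, message)
    if @generalize && %i[login password].include?(field)
      @errors << "Login/Password combination is not valid"
    else
      @errors << "#{field.to_s.capitalize} #{message}"
    end
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  users = [new_user("ben", "correct horse", -> { Time.now })]
  check = SessionCheck.new(users, generalize_credentials_error_messages: true)
  3.times { check.authenticate("ben", "wrong") }
  puts "errors: #{check.errors.inspect}, failed_login_count: #{users[0].failed_login_count}"
end
```

Note that an unknown login has no record to count against, which is exactly why the generalised message matters: without it, the response itself tells an attacker whether the login half is worth brute-forcing.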

Cannot start web server - v2.0.12

When using the latest v2.0.12 the web server won't start.

=> Booting Mongrel
=> Rails 2.3.2 application starting on http://0.0.0.0:3000
no such file to load -- /opt/local/lib/ruby/gems/1.8/gems/authlogic-2.0.12/lib/authlogic/regex
/opt/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
/opt/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'

Suggested features and/or tutorials

Love your work. Incredibly useful.

Some suggested features and/or tutorials:

User creates a session before creating their account, and retains their session data through the process. For example, the user adds items to a shopping cart before creating an account, then creates an account in order to buy.

System sends confirmation email to user when they create account. User clicks link in confirmation email to complete account registration process.

User edit page asks for old password before allowing user to create new password.

Auth works on console, but not through a web interface

I change a user's password through the console, then reload that user and the valid_password? returns false for the new password.

Any ideas where to look from here before I end up deep into the authlogic code?

Here's a console dump:

>> u.password = "foobar"
=> "foobar"
>> u.password_confirmation = "foobar"
=> "foobar"
>> u.save!
=> true
>> u.reload
=> #<User id: 6, login: "jgoodsen", name: "John Goodsen", email: "[email protected]", crypted_password: "359a452e8e91642bfcd20141fb405c9412ef3481", salt: "AZJQAz8QBgtKVfBpuPq9", created_at: "2009-05-11 19:15:39", updated_at: "2009-08-23 00:47:58", remember_token: nil, remember_token_expires_at: nil, activation_code: nil, activated_at: "2009-05-11 19:15:40", admin: true, persistence_token: "ab5f1db3eb8e83bdcf6491414f58e2116022c783cb727538d92...", perishable_token: "nYxQrm_0hOmMirPmpTR5", login_count: 9, failed_login_count: 2, current_login_at: "2009-08-23 00:32:49", current_login_ip: nil, last_login_at: "2009-08-23 00:31:35", last_login_ip: nil>
>> u.valid_password?("foobar")
=> false

custom validation

My User class has a boolean field named "enabled". I'd like to prevent the login if that field is set to false. I found an example here:
http://rdoc.info/rdoc/binarylogic/authlogic/blob/72992b9effaea12f109465fc904fa5431538775a/Authlogic/Session/Validation/Errors.html

class UserSession
  validate :check_if_awesome

  private

  def check_if_awesome
    errors.add(:login, "must contain awesome") if login && !login.include?("awesome")
    errors.add(:base, "You must be awesome to log in") unless attempted_record.awesome?
  end
end

which I've adapted into this:

class UserSession < Authlogic::Session::Base
  validate :check_if_user_enabled

  private

  # attempted_record is the User that matched the submitted login; it is nil
  # when no user matched, so guard before calling enabled?.
  def check_if_user_enabled
    errors.add(:base, "This account is disabled") if attempted_record && !attempted_record.enabled?
  end
end

So, why doesn't UserSession inherit from Authlogic::Session::Base in the example?
Moreover, using the debugger I can't see the "errors" object; I can only access it via "object.errors".

So, if I'm not doing anything wrong, the problem in this ticket should only be about syncing this to the documentation.

Maurizio De Magnis

Having 'email' and 'login' in the same login form?

Is this possible? I have tried to add either the 'login' or 'username' column to the Client migration (where acts_as_authentic is placed) and I get the following error when going to the login page:

ActionView::TemplateError (undefined method `email' for #<ClientSession: no credentials provided>) on line #8 of app/views/client_sessions/new.html.erb:
5:
6:
7: <%= f.label :email, "Email Address" %>
8: <%= f.text_field :email %>
9:
10:
11:
However, the example migration (and specifically the message below it) states that the data model can have both login and email columns, and that we might be able to use them both at login?

Basically, I want all users to use email addresses to login. However, we do have legacy users with logins/usernames, and I need to accommodate them as well.

Thanks! :) Great module ;)
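An added example, not Authlogic's code, of the lookup that "accept a login or an e-mail in one box" needs. Authlogic lets the model name the finder used for the login field (`find_by_login_method`); the usual recipe behind it tries the login column and then the e-mail column. The in-memory version below shows that recipe, and then why its order matters: the login regex quoted earlier on this page admits `@`, so one account's login can equal another account's e-mail, and "login first" then hands the second account's credentials check to the first. The sample users are constructed for the example.

```ruby
# Added example (not Authlogic code): the login-or-email finder recipe, an
# unambiguous variant, and a registration-time guard. No database involved.

User = Struct.new(:id, :login, :email)

# Constructed sample data: user 2 registered a login equal to user 1's e-mail.
USERS = [
  User.new(1, "alice", "alice@example.com"),
  User.new(2, "alice@example.com", "mallory@example.com"),
  User.new(3, "Bob", "bob@example.com"),
].freeze

# The usual recipe: try the login column, then the e-mail column. Whoever owns
# the login wins, even if the identifier is someone else's e-mail address.
def find_by_login_or_email(identifier, users = USERS)
  users.find { |u| u.login == identifier } || users.find { |u| u.email == identifier }
end

# Hardened variant: case-insensitive on both columns, and refuse to choose when
# the identifier matches more than one account.
def find_unambiguous(identifier, users = USERS)
  key = identifier.strip.downcase
  matches = users.select { |u| u.login.downcase == key || u.email.downcase == key }
  matches.size == 1 ? matches.first : nil
end

# Registration-time guard that removes the ambiguity at the source: a login
# containing '@' must be the account's own e-mail, and a login may never equal
# another account's e-mail.
def login_allowed?(login, own_email, users = USERS)
  key = login.downcase
  own = own_email.downcase
  return false if key.include?("@") && key != own
  users.none? { |u| u.email.downcase == key && u.email.downcase != own }
end

if __FILE__ == $PROGRAM_NAME
  ["alice@example.com", "alice", "BOB", "mallory@example.com"].each do |id|
    naive = find_by_login_or_email(id)
    strict = find_unambiguous(id)
    puts format("%-20s login-first=%-4s unambiguous=%s", id, naive&.id.inspect, strict&.id.inspect)
  end
end
```

With the sample data, `alice@example.com` resolves to user 2 under the login-first recipe and to nobody under the unambiguous one; the guard would have refused user 2's login at sign-up, which is the cheaper fix.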

Email validation broken?

Hi!

I'm probably being an idiot, but I've just set up Authlogic by following your comprehensive tutorial - while trying to register a new account, the email validation doesn't pass, regardless of how long or how "valid" an email address I use.

Register
2 errors prohibited this user from being saved

There were problems with the following fields:

* Email is too short (minimum is 6 characters)
* Email should look like an email address.

Any ideas?

P

Authlogic_openid fails with URL that doesn't lead to an OpenID aware server

I'm using authlogic_openid version 1.0.4 because of problems with the current version of authlogic_openid. The error exists in the demo at http://authlogicexample.binarylogic.com/ as well.

Visit the demo. Enter http://google.com (or some other non-OpenID aware URL).

The problem is that the save block never gets yielded to. Here is the Mongrel output from my development environment:
[OPENID] No usable OpenID services were found for "http://google.com/"

A similar problem exists when a URL to a non-existing server is entered:
[OPENID] Failed to fetch identity URL http://b.com/ : Error fetching http://b.com/: getaddrinfo: Name or service not known

Best,

Daniel
