Module: Authlogic::Session::Password::Config

Defined in:

lib/authlogic/session/password.rb

Overview

Password configuration

Instance Method Summary

• #find_by_login_method(value = nil) ⇒ Object (also: #find_by_login_method=)

  Authlogic tries to validate the credentials passed to it.

• #generalize_credentials_error_messages(value = nil) ⇒ Object (also: #generalize_credentials_error_messages=)

  The text used to identify credentials (username/password) combination when a bad login attempt occurs.

• #login_field(value = nil) ⇒ Object (also: #login_field=)

  The name of the method you want Authlogic to create for storing the login / username.

• #password_field(value = nil) ⇒ Object (also: #password_field=)

  Works exactly like login_field, but for the password instead.

• #verify_password_method(value = nil) ⇒ Object (also: #verify_password_method=)

  The name of the method in your model used to verify the password.

Instance Method Details

#find_by_login_method(value = nil) ⇒ Object Also known as: find_by_login_method=

Authlogic tries to validate the credentials passed to it. One part of validation is actually finding the user and making sure it exists. What method it uses the do this is up to you.

Let’s say you have a UserSession that is authenticating a User. By default UserSession will call User.find_by_login(login). You can change what method UserSession calls by specifying it here. Then in your User model you can make that method do anything you want, giving you complete control of how users are found by the UserSession.

Let’s take an example: You want to allow users to login by username or email. Set this to the name of the class method that does this in the User model. Let’s call it “find_by_username_or_email”

class User < ActiveRecord::Base
  def self.find_by_username_or_email(login)
    find_by_username(login) || find_by_email(login)
  end
end

Now just specify the name of this method for this configuration option and you are all set. You can do anything you want here. Maybe you allow users to have multiple logins and you want to search a has_many relationship, etc. The sky is the limit.

• Default: “find_by_smart_case_login_field”

• Accepts: Symbol or String

# File 'lib/authlogic/session/password.rb', line 40

def find_by_login_method(value = nil)
  rw_config(:find_by_login_method, value, "find_by_smart_case_login_field")
end

#generalize_credentials_error_messages(value = nil) ⇒ Object Also known as: generalize_credentials_error_messages=

The text used to identify credentials (username/password) combination when a bad login attempt occurs. When you show error messages for a bad login, it’s considered good security practice to hide which field the user has entered incorrectly (the login field or the password field). For a full explanation, see www.gnucitizen.org/blog/username-enumeration-vulnerabilities/

Example of use:

class UserSession < Authlogic::Session::Base
  generalize_credentials_error_messages true
end

This would make the error message for bad logins and bad passwords look identical:

Login/Password combination is not valid

Alternatively you may use a custom message:

class UserSession < AuthLogic::Session::Base
  generalize_credentials_error_messages "Your login information is invalid"
end

This will instead show your custom error message when the UserSession is invalid.

The downside to enabling this is that is can be too vague for a user that has a hard time remembering their username and password combinations. It also disables the ability to to highlight the field with the error when you use form_for.

If you are developing an app where security is an extreme priority (such as a financial application), then you should enable this. Otherwise, leaving this off is fine.

• Default false

• Accepts: Boolean

# File 'lib/authlogic/session/password.rb', line 77

def generalize_credentials_error_messages(value = nil)
  rw_config(:generalize_credentials_error_messages, value, false)
end

#login_field(value = nil) ⇒ Object Also known as: login_field=

The name of the method you want Authlogic to create for storing the login / username. Keep in mind this is just for your Authlogic::Session, if you want it can be something completely different than the field in your model. So if you wanted people to login with a field called “login” and then find users by email this is compeltely doable. See the find_by_login_method configuration option for more details.

• Default: klass.login_field || klass.email_field

• Accepts: Symbol or String

# File 'lib/authlogic/session/password.rb', line 89

def login_field(value = nil)
  rw_config(:login_field, value, klass.login_field || klass.email_field)
end

#password_field(value = nil) ⇒ Object Also known as: password_field=

Works exactly like login_field, but for the password instead. Returns :password if a login_field exists.

• Default: :password

• Accepts: Symbol or String

# File 'lib/authlogic/session/password.rb', line 98

def password_field(value = nil)
  rw_config(:password_field, value, login_field && :password)
end

#verify_password_method(value = nil) ⇒ Object Also known as: verify_password_method=

The name of the method in your model used to verify the password. This should be an instance method. It should also be prepared to accept a raw password and a crytped password.

• Default: “valid_password?”

• Accepts: Symbol or String

# File 'lib/authlogic/session/password.rb', line 108

def verify_password_method(value = nil)
  rw_config(:verify_password_method, value, "valid_password?")
end