diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2efdbfc7..f8fb32dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,12 +7,27 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
## Unreleased
-* Breaking Changes
- * None
+* Breaking Changes, Major
+ * There is no longer a default `crypto_provider`. We still recommend SCrypt,
+ but don't want users of other providers to be forced to install it. You
+ must now explicitly specify your `crypto_provider`, eg. in your `user.rb`.
+
+ acts_as_authentic do |config|
+ c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+ end
+
+ To continue to use the `scrypt` gem, add it to your `Gemfile`.
+
+ gem "scrypt", "~> 3.0"
+
+* Breaking Changes, Minor
+ * The arity of `crypto_provider` has changed from -1 (one optional arg) to 0
+ (no arguments). To set the provider, use `crypto_provider=`.
* Added
* None
* Fixed
- * None
+ * [#668](https://github.com/binarylogic/authlogic/pull/668) -
+ BCrypt user forced to load SCrypt
## 5.0.4 (2019-09-11)
diff --git a/authlogic.gemspec b/authlogic.gemspec
index 9b4dfd03..12768183 100644
--- a/authlogic.gemspec
+++ b/authlogic.gemspec
@@ -29,7 +29,6 @@ require "authlogic/version"
s.add_dependency "activerecord", [">= 5.2", "< 6.1"]
s.add_dependency "activesupport", [">= 5.2", "< 6.1"]
s.add_dependency "request_store", "~> 1.0"
- s.add_dependency "scrypt", ">= 1.2", "< 4.0"
s.add_development_dependency "bcrypt", "~> 3.1"
s.add_development_dependency "byebug", "~> 10.0"
s.add_development_dependency "coveralls", "~> 0.8.22"
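Review bot: Dropping the runtime `scrypt` dependency only fixes #668 if the SCrypt provider file is loaded lazily; if `lib/authlogic/crypto_providers/scrypt.rb` does a top-level `require "scrypt"` and is required eagerly rather than autoloaded, a BCrypt-only application without the gem will still fail at load time. That provider file is not in this diff, so this is worth confirming before release, e.g. by running the suite once with `scrypt` removed from the bundle. It also means users lose the `< 4.0` upper bound the gemspec used to impose for them; the guidance text elsewhere in this PR recommends `~> 3.0`, which is the bound that will now do that job.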
@@ -38,6 +37,7 @@ require "authlogic/version"
s.add_development_dependency "pg", "~> 1.1.4"
s.add_development_dependency "rubocop", "~> 0.67.2"
s.add_development_dependency "rubocop-performance", "~> 1.1"
+ s.add_development_dependency "scrypt", ">= 1.2", "< 4.0"
s.add_development_dependency "simplecov", "~> 0.16.1"
s.add_development_dependency "simplecov-console", "~> 0.4.2"
s.add_development_dependency "sqlite3", "~> 1.3.13"
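Review bot: The development dependency added here, `"scrypt", ">= 1.2", "< 4.0"`, is wider than the `~> 3.0` the new `NilCryptoProvider` message and the changelog tell users to install, so CI may resolve a 1.x or 2.x scrypt that users are steered away from. Consider `s.add_development_dependency "scrypt", "~> 3.0"` so the tested version matches the recommendation. The rest of the dependency list is unchanged.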
diff --git a/lib/authlogic/acts_as_authentic/password.rb b/lib/authlogic/acts_as_authentic/password.rb
index 30bc2ee0..ad168a87 100644
--- a/lib/authlogic/acts_as_authentic/password.rb
+++ b/lib/authlogic/acts_as_authentic/password.rb
@@ -109,13 +109,23 @@ def check_passwords_against_database(value = nil)
# transition to a better crypto provider without causing your users any
# pain.
#
- # * Default: CryptoProviders::SCrypt
+ # * Default: There is no longer a default value. Prior to
+ # Authlogic 6, the default was `CryptoProviders::SCrypt`. If you try
+ # to read this config option before setting it, it will raise a
+ # `NilCryptoProvider` error. See that error's message for further
+ # details, and rationale for this change.
# * Accepts: Class
- def crypto_provider(value = nil)
+ def crypto_provider
+ acts_as_authentic_config[:crypto_provider].tap { |provider|
+ raise NilCryptoProvider if provider.nil?
+ }
+ end
+
+ def crypto_provider=(value)
+ raise NilCryptoProvider if value.nil?
CryptoProviders::Guidance.new(value).impart_wisdom
- rw_config(:crypto_provider, value, CryptoProviders::SCrypt)
+ rw_config(:crypto_provider, value)
end
- alias crypto_provider= crypto_provider
# Let's say you originally encrypted your passwords with Sha1. Sha1 is
# starting to join the party with MD5 and you want to switch to
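Review bot: `crypto_provider` uses `tap` with a multi-line `{ }` block solely to raise, which reads like a transformation and trips RuboCop's Style/BlockDelimiters; a plain guard is clearer: `provider = acts_as_authentic_config[:crypto_provider]`, `raise NilCryptoProvider if provider.nil?`, `provider`. Raising from the reader is the right fail-closed choice, since an unconfigured model can no longer silently hash with an unintended algorithm. However `crypto_provider=` raising the same `NilCryptoProvider` for an explicit `nil` argument delivers a message about the removed version-5 default, which will mislead a caller who simply passed a bad value; an `ArgumentError` (or a dedicated subclass of `InvalidCryptoProvider`) would be more accurate there. Both methods are complete within this hunk, while the option's doc comment continues past it.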
diff --git a/lib/authlogic/errors.rb b/lib/authlogic/errors.rb
index 89eabf69..8f0f3404 100644
--- a/lib/authlogic/errors.rb
+++ b/lib/authlogic/errors.rb
@@ -4,4 +4,32 @@ module Authlogic
# Parent class of all Authlogic errors.
class Error < StandardError
end
+
+ # :nodoc:
+ class InvalidCryptoProvider < Error
+ end
+
+ # :nodoc:
+ class NilCryptoProvider < InvalidCryptoProvider
+ def message
+ <<~EOS
+ In version 5, Authlogic used SCrypt by default. As of version 6, there
+ is no default. We still recommend SCrypt. If you previously relied on
+ this default, then, in your User model (or equivalent), please set the
+ following:
+
+ acts_as_authentic do |config|
+ c.crypto_provider = ::Authlogic::CryptoProviders::SCrypt
+ end
+
+ Furthermore, the authlogic gem no longer depends on the scrypt gem. In
+ your Gemfile, please add scrypt.
+
+ gem "scrypt", "~> 3.0"
+
+ We have made this change in Authlogic 6 so that users of other crypto
+ providers no longer need to install the scrypt gem.
+ EOS
+ end
+ end
end
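Review bot: The code sample inside `NilCryptoProvider#message` binds the block parameter as `|config|` but assigns through `c.crypto_provider = ...`, so a user who pastes it verbatim gets `NameError: undefined local variable or method 'c'` instead of a working configuration; change that line to `acts_as_authentic do |c|` (the CHANGELOG entry in this PR has the same mismatch). Overriding `message` also discards any string passed at a `raise NilCryptoProvider, "..."` site, which is acceptable for a fixed-guidance error but deserves a one-line comment such as `# Fixed guidance; any message passed to raise is ignored.` so a future caller isn't surprised.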
diff --git a/test/acts_as_authentic_test/password_test.rb b/test/acts_as_authentic_test/password_test.rb
index 1c60e4d1..14c2c2a3 100644
--- a/test/acts_as_authentic_test/password_test.rb
+++ b/test/acts_as_authentic_test/password_test.rb
@@ -52,7 +52,7 @@ def test_crypto_provider_config
end
assert_equal Authlogic::CryptoProviders::BCrypt, User.crypto_provider
silence_warnings do
- User.crypto_provider Authlogic::CryptoProviders::Sha512
+ User.crypto_provider = Authlogic::CryptoProviders::Sha512
end
assert_equal Authlogic::CryptoProviders::Sha512, User.crypto_provider
end
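Review bot: Only the happy path of the new setter is covered; nothing asserts the new failure mode that `crypto_provider=` rejects `nil` or that an unconfigured provider raises `NilCryptoProvider`, which is exactly what users of the removed default will hit. A one-line addition pins the setter side: `assert_raises(Authlogic::NilCryptoProvider) { User.crypto_provider = nil }`. `test_crypto_provider_config` begins before this hunk, so place it after the existing `assert_equal` or in a sibling test.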
diff --git a/test/libs/admin.rb b/test/libs/admin.rb
index faa724ad..95c00c95 100644
--- a/test/libs/admin.rb
+++ b/test/libs/admin.rb
@@ -2,7 +2,9 @@
# This model demonstrates an `after_save` callback.
class Admin < ActiveRecord::Base
- acts_as_authentic
+ acts_as_authentic do |c|
+ c.crypto_provider = Authlogic::CryptoProviders::SCrypt
+ end
validates :password, confirmation: true
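Review bot: Both test models now pin `SCrypt`, so the scenario that motivated #668 — a BCrypt-only application that never references the SCrypt constant — has no regression coverage. Since `scrypt` remains a development dependency the gem will always be present in CI, but configuring `Admin` with `c.crypto_provider = Authlogic::CryptoProviders::BCrypt` would at least exercise a model that does not touch SCrypt; this assumes the admins fixture has no pre-hashed scrypt passwords and that `bcrypt` is loaded by the test helper, neither of which this diff shows.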
diff --git a/test/libs/user.rb b/test/libs/user.rb
index cbc0459e..9f574857 100644
--- a/test/libs/user.rb
+++ b/test/libs/user.rb
@@ -12,6 +12,7 @@ class User < ActiveRecord::Base
LOGIN = /\A[a-zA-Z0-9_][a-zA-Z0-9\.+\-_@ ]+\z/.freeze
acts_as_authentic do |c|
+ c.crypto_provider = Authlogic::CryptoProviders::SCrypt
c.transition_from_crypto_providers Authlogic::CryptoProviders::Sha512
end
belongs_to :company