authenticate 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba37abc88aa432eb70096681623f51de2ccac5fb
-  data.tar.gz: d836124e6f702044bdaa98d4cb46a54967c586b8
+  metadata.gz: a77403e50b229de8318c79477ee44062589afb05
+  data.tar.gz: c6bf923d8809f923a48cb4211d97dd406b42e03f
 SHA512:
-  metadata.gz: d2e1fe07144aee9fb948d4f8b6b0932785ba2ce0dc00ca927d17a9e5dc1529cecbd121ccdf985388176e62c7315723ec78f5b956e2f29d4fd6a1c0b88fa980c9
-  data.tar.gz: 95b8c5be797479eb243ba7b45f3833033aafab28f54a0f7579127387754d5a40018356c39f0f9411f86a0ee4dfc9e38e6acf1e9088dde16eae679926d19d396b
+  metadata.gz: 55cd9cb2b412bb87ebe3d6e6a46ce89eebd23147946aaa31b0f7e3fbf566f24bdf237a010be18eb6b1cb785d424821df3e9a55ad798b18b420246d6a18cfa963
+  data.tar.gz: 5f5f9aeaf98ce47c9ce16d90c7ebcc7930fc58a2013c909fdec27c18979e4fe3b0821a6075eecab22d5433fc7dd21d9071d28cc7493f53116d4fbf18f9000a74

data/.gitignore

@@ -10,3 +10,4 @@ spec/dummy/log/test.log
 spec/dummy/log/development.log
 /.idea
 Gemfile.lock
+*.gemfile.lock

data/.ruby-version

@@ -1 +1 @@
-2.3.0
+2.4.1

data/.travis.yml

@@ -1,17 +1,24 @@
-language: ruby
+cache: bundler
+
+language:
+  - ruby
 
 rvm:
   - 2.1.8
   - 2.2.4
-  - 2.3.0
+  - 2.3.3
 
 gemfile:
-  - gemfiles/rails42.gemfile
+  - gemfiles/4.2.gemfile
+  - gemfiles/5.0.gemfile
 
-branches:
-  only:
-    - master
 
-sudo: false
+matrix:
+  exclude:
+    - rvm: 2.1.8
+      gemfile: gemfiles/5.0.gemfile
 
-script: bundle exec rspec --color --format documentation
+install:
+  - "bin/setup"
+
+sudo: false

data/Appraisals

@@ -0,0 +1,10 @@
+appraise "4.2" do
+  gem "rails", "~> 4.2.0"
+end
+
+if RUBY_VERSION >= "2.2.0"
+  appraise "5.0" do
+    gem "rails", "~> 5.0.0"
+  end
+end
+

data/CHANGELOG.md

@@ -1,8 +1,40 @@
 # Authenticate Changelog
 
+
+## [0.6.0] - May 16, 2017
+
+### Security
+- Prevent [password reset token leakage] through HTTP referrer across domains. password#edit removes the password 
+  reset token from the url, sets it into the user's session (typically a cookie), and redirects to password#url 
+  without the token in the url.
+
+- Prevent [session fixation] attacks by rotating CSRF tokens on sign-in by setting
+  `Authentication.configuration.rotate_csrf_on_sign_in` to `true`. This is recommended for
+  all applications. The setting defaults to `false` in this release, but will default to `true`
+  in a future release.
+
+### Fixed
+- Location to return to after login is now written to session. Was previously written explicitly to a cookie.
+- Most controller tests rewritten as feature and request tests.
+
+[password reset token leakage]: https://security.stackexchange.com/questions/69074/how-to-implement-password-reset-functionality-without-becoming-susceptible-to-cr
+[session fixation]: http://guides.rubyonrails.org/security.html#session-fixation
+[0.6.0]: https://github.com/tomichj/authenticate/compare/v0.5.0...v0.6.0
+
+
+
+## [0.5.0] - March 26, 2017
+
+### Support for rails 5.1.
+
+[0.5.0]: https://github.com/tomichj/authenticate/compare/v0.4.0...v0.5.0
+
+
+
 ## [0.4.0] - June 2, 2016
 
-Install generator User:  ActiveRecord::Base for Rails 4 apps, ApplicationRecord for rails 5 (issue #2).
+### Fixed
+- Install generator User:  ActiveRecord::Base for Rails 4 apps, ApplicationRecord for rails 5 (issue #2).
 
 [0.4.0]: https://github.com/tomichj/authenticate/compare/v0.3.3...v0.4.0
 
@@ -10,10 +42,10 @@ Install generator User:  ActiveRecord::Base for Rails 4 apps, ApplicationRecord
 
 ## [0.3.3] - April 29, 2016
 
-Password change uses active record's dirty bit to detect that password was updated. 
-password_updated attribute removed.
-spec_helper now calls ActiveRecord::Migration.maintain_test_schema! (or check_pending!) to handle dummy test db.
-Added CodeClimate config.
+- Password change uses active record's dirty bit to detect that password was updated. 
+- password_updated attribute removed.
+- spec_helper now calls ActiveRecord::Migration.maintain_test_schema! (or check_pending!) to handle dummy test db.
+- Added CodeClimate config.
 
 [0.3.3]: https://github.com/tomichj/authenticate/compare/v0.3.2...v0.3.3
 
@@ -21,8 +53,8 @@ Added CodeClimate config.
 
 ## [0.3.2] - April 28, 2016
 
-Error now raised if User model is missing required attributes.
-All code now conforms to a rubocode profile.
+- Error now raised if User model is missing required attributes.
+- All code now conforms to a rubocode profile.
 
 [0.3.2]: https://github.com/tomichj/authenticate/compare/v0.3.1...v0.3.2
 
@@ -30,11 +62,10 @@ All code now conforms to a rubocode profile.
 
 ## [0.3.1] - March 10, 2016
 
-User controller now allows arbitrary parameters without having to explicitly declare
-them. Still requires email and password.
-Mailer now checks for mail.respond_to?(:deliver_later) rather than rails version, 
-to decide deliver vs deliver_later.
-Removed unused user_id_parameter config method.
+- User controller now allows arbitrary parameters without having to explicitly declare
+  them. Still requires email and password.
+- Mailer now checks for mail.respond_to?(:deliver_later) rather than rails version, to decide deliver vs deliver_later.
+- Removed unused user_id_parameter config method.
 
 [0.3.1]: https://github.com/tomichj/authenticate/compare/v0.3.0...v0.3.1
 
@@ -42,11 +73,12 @@ Removed unused user_id_parameter config method.
 
 ## [0.3.0] - February 24, 2016
 
-Moved normalize_email and find_normalized_email methods to base User module.
-Added full suite of controller and feature tests.
-Bug fixes: 
-* failed login count fix was off by one.
-* password validation now done only in correct circumstances
+- Moved normalize_email and find_normalized_email methods to base User module.
+- Added full suite of controller and feature tests.
+
+### Fixes
+- failed login count fix was off by one.
+- password validation now done only in correct circumstances
 
 [0.3.0]: https://github.com/tomichj/authenticate/compare/v0.2.2...v0.3.0
 
@@ -54,8 +86,8 @@ Bug fixes:
 
 ## [0.2.3] - February 13, 2016
 
-Small bugfix for :username authentication.
-Improved documentation, started adding wiki pages.
+- Small bugfix for :username authentication.
+- Improved documentation, started adding wiki pages.
 
 [0.2.3]: https://github.com/tomichj/authenticate/compare/v0.2.2...v0.2.3
 
@@ -63,8 +95,8 @@ Improved documentation, started adding wiki pages.
 
 ## [0.2.2] - February 9, 2016
 
-Password length range requirements added, defaults to 8..128.
-Generators and app now respect model class more completely, including in routes.
+- Password length range requirements added, defaults to 8..128.
+- Generators and app now respect model class more completely, including in routes.
 
 [0.2.2]: https://github.com/tomichj/authenticate/compare/v0.2.1...v0.2.2
 
@@ -72,9 +104,9 @@ Generators and app now respect model class more completely, including in routes.
 
 ## [0.2.1] - February 9, 2016
 
-Fixed potential password_reset nil pointer.
-Continued adding I18n support.
-Minor documentation improvments.
+- Fixed potential password_reset nil pointer.
+- Continued adding I18n support.
+- Minor documentation improvements.
 
 [0.2.1]: https://github.com/tomichj/authenticate/compare/v0.2.0...v0.2.1
 
@@ -82,7 +114,7 @@ Minor documentation improvments.
 
 ## [0.2.0] - February 2, 2016
 
-Added app/ including controllers, views, routes, mailers.
+- Added app/ including controllers, views, routes, mailers.
 
 [0.2.0]: https://github.com/tomichj/authenticate/compare/v0.1.0...v0.2.0
 
@@ -90,5 +122,5 @@ Added app/ including controllers, views, routes, mailers.
 
 ## 0.1.0 - January 23, 2016
 
-Initial Release, barely functioning
+- Initial Release, barely functioning
 

data/Rakefile

@@ -1,4 +1,18 @@
+require 'rubygems'
+require 'bundler/setup'
 require 'bundler/gem_tasks'
+require 'appraisal'
+
+APP_RAKEFILE = File.expand_path('../spec/dummy/Rakefile', __FILE__)
+load 'rails/tasks/engine.rake'
 require 'rspec/core/rake_task'
+
+namespace :dummy do
+  require_relative "spec/dummy/config/application"
+  Dummy::Application.load_tasks
+end
+
 RSpec::Core::RakeTask.new(:spec)
+
+desc 'Run all specs in spec directory (excluding plugin specs)'
 task default: :spec

data/app/controllers/authenticate/passwords_controller.rb

@@ -23,10 +23,19 @@ class Authenticate::PasswordsController < Authenticate::AuthenticateController
 
   # Screen to enter your new password.
   #
-  # GET /users/passwords/3/edit?token=abcdef
+  # A get with the token in the url is expected:
+  #   GET /users/passwords/3/edit?token=abcdef
+  #
+  # This results in a redirect with the token removed from the url & copied to the session:
+  #   GET /users/passwords/3/edit
+  #
   def edit
     @user = find_user_for_edit
-    if !@user.reset_password_period_valid?
+
+    if params[:token]
+      session[:password_reset_token] = params[:token]
+      redirect_to edit_users_password_url(@user)
+    elsif !@user.reset_password_period_valid?
       redirect_to sign_in_path, notice: flash_failure_token_expired
     else
       render template: 'passwords/edit'
@@ -87,7 +96,9 @@ class Authenticate::PasswordsController < Authenticate::AuthenticateController
   end
 
   def find_user_by_id_and_password_reset_token
-    Authenticate.configuration.user_model_class.where(id: params[:id], password_reset_token: params[:token].to_s).first
+    token = session[:password_reset_token] || params[:token]
+    # Authenticate.configuration.user_model_class.where(id: params[:id], password_reset_token: token).first
+    Authenticate.configuration.user_model_class.find_by_id_and_password_reset_token params[:id], token.to_s
   end
 
   def flash_create_description

data/authenticate.gemspec

@@ -21,18 +21,20 @@ Gem::Specification.new do |s|
   s.extra_rdoc_files = %w(LICENSE README.md CHANGELOG.md)
   s.rdoc_options = ['--charset=UTF-8']
 
-  s.add_dependency 'bcrypt', '~> 3.1'
+  s.add_dependency 'bcrypt'
   s.add_dependency 'email_validator', '~> 1.6'
   s.add_dependency 'rails', '>= 4.0', '< 5.2'
 
-  s.add_development_dependency 'factory_girl', '~> 4.4'
-  s.add_development_dependency 'rspec-rails', '~> 3.1'
+  s.add_development_dependency 'factory_girl', '~> 4.8'
+  s.add_development_dependency 'rspec-rails', '~> 3.6'
   s.add_development_dependency 'pry', '~> 0.10'
   s.add_development_dependency 'sqlite3', '~> 1.3'
   s.add_development_dependency 'shoulda-matchers', '~> 2.8'
-  s.add_development_dependency 'capybara', '~> 2.6'
+  s.add_development_dependency 'capybara', '~> 2.14'
   s.add_development_dependency 'database_cleaner', '~> 1.5'
   s.add_development_dependency 'timecop', '~> 0.8'
+  s.add_development_dependency 'appraisal'
+  s.add_development_dependency 'rake'
 
   s.required_ruby_version = Gem::Requirement.new('>= 2.0')
 end

data/bin/setup

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+# Install required gems, including Appraisal, which helps us test against
+# multiple Rails versions
+gem install bundler --conservative
+bundle check || bundle install
+
+if [ -z "$CI" ]; then
+  bundle exec appraisal install
+fi
+
+# Set up database for the application that Clearance tests against
+RAILS_ENV=test bundle exec rake dummy:db:reset

data/gemfiles/4.2.gemfile

@@ -0,0 +1,7 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 4.2.0"
+
+gemspec path: "../"

data/gemfiles/5.0.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 5.0.0"
+gem "rails-controller-testing"
+
+gemspec path: "../"

data/lib/authenticate/configuration.rb

@@ -169,7 +169,10 @@ module Authenticate
     #     config.authentication_strategy = :username
     #   end
     #
-    # Or, you can plug in your own authentication class, eg:
+    # Authenticate is designed to authenticate via :email. Some support for username is included.
+    # Username still requires an :email attribute on your User model.
+    #
+    # Alternatively, you can plug in your own authentication class:
     #
     #   Configuration.configure do |config|
     #     config.authentication_strategy = MyFunkyAuthClass
@@ -186,6 +189,13 @@ module Authenticate
     # @return [String]
     attr_accessor :redirect_url
 
+    # Rotate CSRF token on sign in if true.
+    #
+    # Defaults to false, but will default to true in 1.0.
+    #
+    # @return [Boolean]
+    attr_accessor :rotate_csrf_on_sign_in
+
     # Controls whether the "sign up" route, allowing creation of users, is enabled.
     #
     # Defaults to `true`.
@@ -239,6 +249,7 @@ module Authenticate
       @cookie_http_only = true
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
+      @rotate_csrf_on_sign_in = false
       @allow_sign_up = true
       @routes = true
       @reset_password_within = 2.days
@@ -277,6 +288,10 @@ module Authenticate
       @routes
     end
 
+    def rotate_csrf_on_sign_in?
+      rotate_csrf_on_sign_in
+    end
+
     # List of symbols naming modules to load.
     def modules
       modules = @modules.dup # in case the user pushes any on

data/lib/authenticate/controller.rb

@@ -42,6 +42,11 @@ module Authenticate
     # Runs all valid callbacks and sends the user a session token.
     def login(user, &block)
       authenticate_session.login user, &block
+
+      if authenticated? && Authenticate.configuration.rotate_csrf_on_sign_in?
+        session.delete(:_csrf_token)
+        form_authenticity_token
+      end
     end
 
     # Log the user out. Typically used in session controller.
@@ -158,26 +163,19 @@ module Authenticate
 
     private
 
-    # Write location to return to in a cookie. This is 12-factor compliant, cloud-safe.
+    # Write location to return to in user's session (normally a cookie).
     def store_location
       if request.get?
-        value = {
-          expires: nil,
-          httponly: true,
-          path: nil,
-          secure: Authenticate.configuration.secure_cookie,
-          value: request.original_fullpath
-        }
-        cookies[:authenticate_return_to] = value
+        session[:authenticate_return_to] = request.original_fullpath
       end
     end
 
     def stored_location
-      cookies[:authenticate_return_to]
+      session[:authenticate_return_to]
     end
 
     def clear_stored_location
-      cookies.delete :authenticate_return_to
+      session[:authenticate_return_to] = nil
     end
 
     def authenticate_session

data/lib/authenticate/version.rb

@@ -1,3 +1,3 @@
 module Authenticate
-  VERSION = '0.5.0'.freeze
+  VERSION = '0.6.0'.freeze
 end

data/lib/generators/authenticate/install/templates/authenticate.rb

@@ -1,19 +1,20 @@
 Authenticate.configure do |config|
-  # config.user_model = 'User'
+  config.rotate_csrf_on_sign_in = true
 
+  # config.user_model = 'User'
   # config.cookie_name = 'authenticate_session_token'
   # config.cookie_expiration = { 1.month.from_now.utc }
   # config.cookie_domain = nil
   # config.cookie_path = '/'
   # config.secure_cookie = false   # set to true in production https environments
   # config.cookie_http_only = false # set to true if you can
-
   # config.mailer_sender = 'reply@example.com'
   # config.crypto_provider = Authenticate::Model::BCrypt
   # config.timeout_in = 45.minutes
   # config.max_session_lifetime = 8.hours
   # config.max_consecutive_bad_logins_allowed = 4
   # config.bad_login_lockout_period = 10.minutes
+  # config.password_length = 8..128
   # config.authentication_strategy = :email
   # config.redirect_url = '/'
   # config.allow_sign_up = true