auther 6.1.0 → 7.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ae23c670e1240c68aa73f18205a4b9edbbbeb57a
-  data.tar.gz: 198026f67de190a9fa075483ef954f7d7076d1e4
+  metadata.gz: f18a67c138885193bca861c0f4e5da9e120b24a9
+  data.tar.gz: 6a9dd5ea153ad990342de7f8a76abd1722a6cfe0
 SHA512:
-  metadata.gz: 32962315d8a930ad0c5df710098f14e5f47c5931b739d3a6dfd141797000bc9acd1b8bd81c2db713452dd5bbc4b4c0a53e668788de904c35f00e382af594a603
-  data.tar.gz: 0f9a269fce1f1afd0e747c2c26a339159d14920eaaf807003b529a08537506e62b83c7549fcef18d939122b0ad7fa7067c4ff6786bb5e2569dd91a36f87df4ef
+  metadata.gz: 339180597982acb766251a3cdb0d5ea205e71146c0cc20784cec31de12b2df37150592c41df90823579f0a2afd151ee75aa525a6d98b560739dd3e72e64e89e1
+  data.tar.gz: cc8a275ee79ae2734b7d9e3fe61f7fffc240be4f4ebf9c95ee0800dd9e217b4ad364e174f1aa59cea73c1afef5568dff5f81bc68303b2486b3c6502edaf38f71

data/README.md

@@ -7,10 +7,11 @@
 [![Travis CI Status](https://secure.travis-ci.org/bkuhlmann/auther.svg)](https://travis-ci.org/bkuhlmann/auther)
 [![Patreon](https://img.shields.io/badge/patreon-donate-brightgreen.svg)](https://www.patreon.com/bkuhlmann)
 
-Provides simple, form-based authentication for apps that need security but don't want to deal with the clunky UI
-of HTTP Basic Authentication or something as heavyweight as [Devise](https://github.com/plataformatec/devise). It
-doesn't require a database and is compatible with password managers like [1Password](https://agilebits.com/onepassword)
-making for a pleasent user experience.
+Provides simple, form-based authentication for apps that need security but don't want to deal with
+the clunky UI of HTTP Basic Authentication or something as heavyweight as
+[Devise](https://github.com/plataformatec/devise). It doesn't require a database and is compatible
+with password managers like [1Password](https://agilebits.com/onepassword) making for a pleasent
+user experience.
 
 <!-- Tocer[start]: Auto-generated, don't remove. -->
 
@@ -51,8 +52,8 @@ making for a pleasent user experience.
 [![Screenshot - Mobile Valid](doc/screenshots/mobile-valid.png)](https://github.com/bkuhlmann/auther)
 [![Screenshot - Mobile Invalid](doc/screenshots/mobile-invalid.png)](https://github.com/bkuhlmann/auther)
 
-- Uses [Bourbon](http://bourbon.io), [Neat](http://neat.bourbon.io), and [Bitters](http://bitters.bourbon.io) for
-  lightweight styling.
+- Uses [Bourbon](http://bourbon.io), [Neat](http://neat.bourbon.io), and
+  [Bitters](http://bitters.bourbon.io) for lightweight styling.
 - Uses encrypted account credentials to keep sensitive information secure.
 - Supports multiple accounts with account specific blacklists.
 - Supports customizable routes, models, presenters, views, controllers, and loggers.
@@ -61,7 +62,7 @@ making for a pleasent user experience.
 
 # Requirements
 
-0. [Ruby 2.x.x](https://www.ruby-lang.org).
+0. [Ruby 2.4.x](https://www.ruby-lang.org).
 0. [Ruby on Rails 5.x.x](http://rubyonrails.org).
 
 # Setup
@@ -71,8 +72,9 @@ For a secure install, type the following from the command line (recommended):
     gem cert --add <(curl --location --silent https://www.alchemists.io/gem-public.pem)
     gem install auther --trust-policy MediumSecurity
 
-NOTE: A HighSecurity trust policy would be best but MediumSecurity enables signed gem verification while
-allowing the installation of unsigned dependencies since they are beyond the scope of this gem.
+NOTE: A HighSecurity trust policy would be best but MediumSecurity enables signed gem verification
+while allowing the installation of unsigned dependencies since they are beyond the scope of this
+gem.
 
 For an insecure install, type the following (not recommended):
 
@@ -88,11 +90,12 @@ Run the generator to configure and initialize your application:
 
 # Usage
 
-Assuming you are using the [dotenv](https://github.com/bkeepers/dotenv) gem, add the following to your `.env` settings:
+Assuming you are using the [dotenv](https://github.com/bkeepers/dotenv) gem, add the following to
+your `.env` settings:
 
-    AUTHER_SECRET=66is2tB4EbekG74DPGRmyQkdtZkQyNWZY6yeeNsmQ4Rpu42esdnP9X6puxpKfs64Gy2ghPu6QGTKsvQ73wXuDyWzDr
-    AUTHER_ADMIN_LOGIN=aHdMWUhiVGRyVHBPMmhTRWNRR082MFhNdVFkL2ZaSGpvY2VoVS90dGRpRT0tLXFBWWZDRkJ4aDR3Qy9aamNOeU1JekE9PQ==--bf077a68a8e654ed9e480851c9597dae57ec34b8
-    AUTHER_ADMIN_PASSWORD=VTloc285SVNrbnlHN0xhOTlMVEx6WnZ0VnFOMjFNWWdkZlRKdGVjZ1FtUT0tLTkrSDdweU1meVdFV1FIRnhpenZiK1E9PQ==--85c415da879ffab2491d37d767d108254d1ed57e
+    AUTHER_SECRET=\x14\xCE\xCB\xECc\xCFl$.\xCE\xA7J}\xEE\xD5\xEA}\x86\xE7\xF6\xE3\xF3DA\x8F\x90m\xED\xA5\xA4=Z
+    AUTHER_ADMIN_LOGIN=cEgyd2hHSit6NkpwN000aUNiU3BkNThxcjRRd1AyT1RmbFFqaGJRR0FjVT0tLWR6Mm1sUmxscHlxQU1leHF2d3ZoZ2c9PQ==--6d4b8bfadc54bfba6a41164675b14980caf01445
+    AUTHER_ADMIN_PASSWORD=LzlDekNYVW5UK05rRXZnekJuN1g5OXNhYUFRLy96TWI1NEMzbHFnVHpqND0tLUJUSGJTS1djQjlFR0ZkS0VCcE14VEE9PQ==--6331922bb9dace39e402818ce4ebf87ab9a73317
 
 Launch your Rails application and visit the following:
 
@@ -101,7 +104,7 @@ Launch your Rails application and visit the following:
 Use these credentials to login:
 
 - Login: test@test.com
-- Password: password
+- Password: nevermore
 
 ## Initializer
 
@@ -121,21 +124,24 @@ The initializer comes installed with the following settings:
       ]
     }
 
-**IMPORTANT**: The encrypted secret, login, and password credentials used in the `.env` setup above must be re-encrypted
-before deploying to production! To encrypt/decrypt account credentials, launch a rails console and run the following:
+**IMPORTANT**: The encrypted secret, login, and password credentials used in the `.env` setup above
+must be re-encrypted before deploying to production! To encrypt/decrypt account credentials, launch
+a rails console and run the following:
 
-    # Best if more than 150 characters and gibberish to read. Must be equal to what is defined in the `auther_settings`.
-    cipher = Auther::Cipher.new "vuKrwD9XWoYuv@s99?tR(9VqryiL,KV{W7wFnejUa4QcVBP+D{2rD4JfuD(mXgA=$tNK4Pfn#NeGs3o3TZ3CqNc^Qb"
+    # Best is generated via `SecureRandom.random_bytes 32`. `32` bytes is the minimum but using a
+    # number higher than `32` is recommend. Must be equal to what is defined in `auther_settings`.
+    cipher = Auther::Cipher.new "\x14\xCE\xCB\xECc\xCFl$.\xCE\xA7J}\xEE\xD5\xEA}\x86\xE7\xF6\xE3\xF3DA\x8F\x90m\xED\xA5\xA4=Z"
 
     # Do this to encrypt an unecrypted value.
     cipher.encrypt "test@test.com"
 
     # Do this to decrypt an encrypted value.
-    cipher.decrypt "N3JzR213WlBISDZsMjJQNkRXbEVmYVczbVdnMHRYVHRud29lOWRCekp6ST0tLWpFMkROekUvWDBkOHZ4ZngxZHV6clE9PQ==--cd863c39991fa4bb9a35de918aa16da54514e331"
+    cipher.decrypt "cEgyd2hHSit6NkpwN000aUNiU3BkNThxcjRRd1AyT1RmbFFqaGJRR0FjVT0tLWR6Mm1sUmxscHlxQU1leHF2d3ZoZ2c9PQ==--6d4b8bfadc54bfba6a41164675b14980caf01445"
 
 The initializer can be customized as follows:
 
-- *title* - Optional. The HTML page title (as rendered within a browser tab). Default: "Authorization".
+- *title* - Optional. The HTML page title (as rendered within a browser tab). Default:
+  "Authorization".
 - *label* - Optional. The page label (what would appear above the form). Default: "Authorization".
 - *secret* - Required. The secret passphrase used to encrypt/decrypt account credentials.
 - *accounts* - Required. The array of accounts with different or similar access to the application.
@@ -143,17 +149,18 @@ The initializer can be customized as follows:
     - *encrypted_login* - Required. The encrypted account login.
     - *encrypted_password* - Required. The encrypted account password.
     - *paths* - Required. The array of blacklisted paths for which only this account has access to.
-    - *authorized_url* - Optional. The URL to redirect to upon successful authorization. Authorized redirection works
-      in the order defined:
+    - *authorized_url* - Optional. The URL to redirect to upon successful authorization. Authorized
+      redirection works in the order defined:
         0. The blacklisted path (if requested prior to authorization but now authorized).
         0. The authorized URL (if defined and the blacklisted path wasn't requested).
         0. The root path (if none of the above).
-    - *deauthorized_url* - Optional. The URL to redirect to upon successful deauthorization (i.e. logout). Deauthorized
-      redirections works as follows (in the order defined):
+    - *deauthorized_url* - Optional. The URL to redirect to upon successful deauthorization (i.e.
+      logout). Deauthorized redirections works as follows (in the order defined):
         0. The deauthorized URL (if defined).
         0. The auth URL.
 - *auth_url* - Optional. The URL to redirect to when enforcing authentication. Default: “/login”.
-- *logger* - Optional. The logger used to log path/account authorization messages. Default: `Auther::NullLogger`.
+- *logger* - Optional. The logger used to log path/account authorization messages. Default:
+  `Auther::NullLogger`.
 
 ## Routes
 
@@ -167,40 +174,42 @@ The routes can be customized as follows (installed, by default, via the install
 
 ## Model
 
-The [Auther::Account](app/models/auther/account.rb) is a plain old Ruby object that uses ActiveModel validations to aid
-in attribute validation. This model could potentially be replaced with a database-backed object (would require
-controller customization)...but you should question if you have outgrown the use of this gem and need a different
-solution altogether if it comes to that.
+The [Auther::Account](app/models/auther/account.rb) is a plain old Ruby object that uses ActiveModel
+validations to aid in attribute validation. This model could potentially be replaced with a
+database-backed object (would require controller customization)...but you should question if you
+have outgrown the use of this gem and need a different solution altogether if it comes to that.
 
 ## Presenter
 
-The [Auther::Presenter::Account](app/presenters/auther/account.rb) is a plain old Ruby object that uses ActiveModel
-validations to aid in form validation. This presenter makes it easy to construct form data for input and validation.
+The [Auther::Presenter::Account](app/presenters/auther/account.rb) is a plain old Ruby object that
+uses ActiveModel validations to aid in form validation. This presenter makes it easy to construct
+form data for input and validation.
 
 ## View
 
-The view can be customized by creating the following file within your Rails application (assumes that the
-default Auther::SessionController implementation is sufficient):
+The view can be customized by creating the following file within your Rails application (assumes
+that the default Auther::SessionController implementation is sufficient):
 
     app/views/auther/session/new.html
 
-The form uses `@account` instance variable which is an instance of the Auther::Presenter::Account presenter (as
-mentioned above). The form can be stylized by attaching new styles to the .authorization class (see
-[auther.scss](app/assets/stylesheets/auther/auther.scss) for details).
+The form uses `@account` instance variable which is an instance of the Auther::Presenter::Account
+presenter (as mentioned above). The form can be stylized by attaching new styles to the
+.authorization class (see [auther.scss](app/assets/stylesheets/auther/auther.scss) for details).
 
 ## Controller
 
 The [Auther::SessionController](app/controllers/auther/session_controller.rb) inherits from the
-[Auther::BaseController](app/controllers/auther/base_controller.rb). To customize, it is recommended that
-you add a controller to your app that inherits from the Auther::BaseController. Example:
+[Auther::BaseController](app/controllers/auther/base_controller.rb). To customize, it is recommended
+that you add a controller to your app that inherits from the Auther::BaseController. Example:
 
     # Example Path:  app/controllers/session_controller.rb
     class SessionController < Auther::BaseController
       layout "example"
     end
 
-This allows customization of session controller behavior to serve any special business needs. See the
-`Auther::BaseController` for additional details or the `Auther::SessionController` for default implementation.
+This allows customization of session controller behavior to serve any special business needs. See
+the `Auther::BaseController` for additional details or the `Auther::SessionController` for default
+implementation.
 
 ## Logging
 
@@ -210,8 +219,8 @@ As mentioned in the setup above, the logger can be customized as follows:
     ActiveSupport::Logger.new("log/#{Rails.env}.log") # Can be used to log to the environment log.
     Logger.new(STDOUT) # Can be used to log to standard output.
 
-When logging is enabled, you'll be able to see the following information in the server logs to help debug custom
-Auther settings:
+When logging is enabled, you'll be able to see the following information in the server logs to help
+debug custom Auther settings:
 
 - Requested path and blacklist path detection.
 - Finding (or not finding) of account.
@@ -220,15 +229,17 @@ Auther settings:
 
 ## Troubleshooting
 
-- If upgrading Rails, changing the cookie/session settings, generating a new secret base key, etc. this might
-  cause Auther authentication to fail. Make sure to clear your browser cookies in this situation or use Google
-  Chrome (incognito mode) to verify.
+- With Ruby 2.4.0, it's imporant that the secret is generated via `SecureRandom.random_bytes`. Use
+  `32` bytes or higher for a secure secret.
+- If upgrading Rails, changing the cookie/session settings, generating a new secret base key, etc.
+  this might cause Auther authentication to fail. Make sure to clear your browser cookies in this
+  situation or use Google Chrome (incognito mode) to verify.
 - If the authentication view/form looks broken (stylewise) this could be due to custom
-  `ActionView::Base.field_error_proc` settings defined by your app (usually via an initializer). Auther uses this
-  configuration `ActionView::Base.field_error_proc = proc { |html_tag, _| html_tag.html_safe }` so that no additional
-  markup is added to the DOM when errors are raised. If you have customized this to something else, you might want to
-  read the usage documentation (mentioned above) to rebuild the authentication view/form for your specific business
-  needs.
+  `ActionView::Base.field_error_proc` settings defined by your app (usually via an initializer).
+  Auther uses this configuration `ActionView::Base.field_error_proc = proc { |html_tag, _|
+  html_tag.html_safe }` so that no additional markup is added to the DOM when errors are raised. If
+  you have customized this to something else, you might want to read the usage documentation
+  (mentioned above) to rebuild the authentication view/form for your specific business needs.
 
 # Tests
 
@@ -246,8 +257,8 @@ Read [Semantic Versioning](http://semver.org) for details. Briefly, it means:
 
 # Code of Conduct
 
-Please note that this project is released with a [CODE OF CONDUCT](CODE_OF_CONDUCT.md). By participating in this project
-you agree to abide by its terms.
+Please note that this project is released with a [CODE OF CONDUCT](CODE_OF_CONDUCT.md). By
+participating in this project you agree to abide by its terms.
 
 # Contributions
 
@@ -265,4 +276,5 @@ Built with [Gemsmith](https://github.com/bkuhlmann/gemsmith).
 
 # Credits
 
-Developed by [Brooke Kuhlmann](https://www.alchemists.io) at [Alchemists](https://www.alchemists.io).
+Developed by [Brooke Kuhlmann](https://www.alchemists.io) at
+[Alchemists](https://www.alchemists.io).

data/app/models/auther/account.rb

@@ -7,10 +7,18 @@ module Auther
   class Account
     include ActiveModel::Validations
 
-    attr_accessor :name, :encrypted_login, :encrypted_password, :paths, :authorized_url, :deauthorized_url
+    attr_accessor :name,
+                  :encrypted_login,
+                  :encrypted_password,
+                  :paths,
+                  :authorized_url,
+                  :deauthorized_url
 
     validates :name, :encrypted_login, :encrypted_password, presence: true
-    validates :paths, presence: {unless: ->(account) { account.paths.is_a? Array }, message: "must be an array"}
+    validates :paths, presence: {
+      unless: ->(account) { account.paths.is_a? Array },
+      message: "must be an array"
+    }
 
     def initialize options = {}
       @name = options.fetch :name, nil

data/lib/auther/authenticator.rb

@@ -3,6 +3,7 @@
 module Auther
   # Manages account authentication.
   class Authenticator
+    # rubocop:disable Metrics/ParameterLists
     def initialize secret, account_model, account_presenter, logger: Auther::NullLogger.new(STDOUT)
       @cipher = Auther::Cipher.new secret
       @account_model = account_model

data/lib/auther/engine.rb

@@ -12,7 +12,9 @@ module Auther
     config.action_view.field_error_proc = proc { |html_tag, _| html_tag.html_safe }
 
     config.to_prepare do
-      Dir.glob(Engine.root + "app/presenters/**/*.rb").each { |presenter| require_dependency presenter }
+      Dir.glob(Engine.root + "app/presenters/**/*.rb").each do |presenter|
+        require_dependency presenter
+      end
     end
 
     initializer "auther.initialize" do |app|

data/lib/auther/gatekeeper.rb

@@ -2,6 +2,7 @@
 
 module Auther
   # Rack middleware that guards access to sensitive routes.
+  # rubocop:disable Metrics/ClassLength
   class Gatekeeper
     attr_reader :application, :environment, :settings
 
@@ -53,8 +54,11 @@ module Auther
       end
     end
 
+    # rubocop:disable Metrics/ParameterLists
     def log_authorization authorized, account_name, blacklist, request_path
-      details = %(Account: "#{account_name}". Blacklist: #{blacklist}. Request Path: "#{request_path}".)
+      details = %(Account: "#{account_name}". ) +
+                %(Blacklist: #{blacklist}. ) +
+                %(Request Path: "#{request_path}".)
 
       if authorized
         log_info %(Authorization passed. #{details})
@@ -118,7 +122,8 @@ module Auther
 
     def authorized? path
       if blacklisted_matched_paths(path).any?
-        log_info %(Requested path "#{request.path}" found in blacklisted paths: #{blacklisted_paths}.)
+        log_info %(Requested path "#{request.path}" found in blacklisted paths: ) +
+                 %(#{blacklisted_paths}.)
         account = find_account
         account && authenticated?(account) && account_authorized?(account, path)
       else

data/lib/auther/identity.rb

@@ -12,7 +12,7 @@ module Auther
     end
 
     def self.version
-      "6.1.0"
+      "7.0.0"
     end
 
     def self.version_label

data/lib/generators/auther/install/install_generator.rb

@@ -14,7 +14,8 @@ module Auther
     private
 
     def install_initializer
-      template File.join("config", "initializers", "auther.rb"), File.join("config", "initializers", "auther.rb")
+      template File.join("config", "initializers", "auther.rb"),
+               File.join("config", "initializers", "auther.rb")
     end
 
     def add_routes

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: auther
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 7.0.0
 platform: ruby
 authors:
 - Brooke Kuhlmann
@@ -30,7 +30,7 @@ cert_chain:
   n/LUZ1dKhIHzfKx1B4+TEIefArObGfkLIDM8+Dq1RX7TF1k81Men7iu4MgE9bYBn
   3dE+xI3FdB5gWcdWxdtgRCmWjtXeYYyb4z6NQQ==
   -----END CERTIFICATE-----
-date: 2016-12-18 00:00:00.000000000 Z
+date: 2017-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -122,14 +122,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.2'
+        version: '9.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '8.2'
+        version: '9.0'
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -304,14 +304,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.46'
+        version: '0.47'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.46'
+        version: '0.47'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -376,7 +376,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - "~>"
     - !ruby/object:Gem::Version
-      version: '2.3'
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -384,7 +384,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.9
 signing_key: 
 specification_version: 4
 summary: Enhances Rails with multi-account, form-based, database-less, application-wide