authpwn_rails 0.21.0 → 0.21.1
- checksums.yaml +4 -4
- data/.travis.yml +2 -2
- data/Gemfile +1 -1
- data/Gemfile.lock +60 -57
- data/Gemfile.rails41 +1 -1
- data/Gemfile.rails42 +1 -1
- data/Rakefile +1 -1
- data/VERSION +1 -1
- data/app/models/tokens/session_uid.rb +2 -2
- data/authpwn_rails.gemspec +6 -6
- data/legacy/migrate_020_to_021.rb +6 -6
- data/lib/authpwn_rails/expires.rb +1 -1
- data/lib/authpwn_rails/generators/templates/session/api_token.html.erb +4 -0
- data/lib/authpwn_rails/generators/templates/session_controller_test.rb +22 -2
- data/lib/authpwn_rails/routes.rb +3 -0
- data/lib/authpwn_rails/session_controller.rb +28 -0
- data/test/cookie_controller_test.rb +7 -7
- data/test/credentials/api_token_test.rb +6 -2
- data/test/credentials/password_credential_test.rb +5 -5
- data/test/credentials/session_uid_token_test.rb +11 -7
- data/test/credentials/token_crendential_test.rb +2 -2
- data/test/routes_test.rb +2 -0
- data/test/session_controller_api_test.rb +65 -9
- metadata +8 -2
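--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 79347acf991659271a428bfb677c3cee133139a0
+data.tar.gz: 589da4ac9e17ef7b4991615066a2c145fcb14a95
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 74e5f7e2bc4418a0da94ead6d3300a7896294f27752f958863611d2412e2770149fb1afa1e9d0578afc6ab0073f2053336e24cd5e7fb5e992de08a27fad9b220
+data.tar.gz: ea7df2b177956b08482bf5c11ab3e503e88f46777e8412798bef4307d617a6bba83ecc96ada668a4daa4ed9be83de59f60a83753988bf6bf435526b513bfdde9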
data/.travis.yml
CHANGED
data/Gemfile
CHANGED
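--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,36 +1,36 @@
 GEM
 remote: https://rubygems.org/
 specs:
-actionmailer (4.2.
-actionpack (= 4.2.
-actionview (= 4.2.
-activejob (= 4.2.
+actionmailer (4.2.7.1)
+actionpack (= 4.2.7.1)
+actionview (= 4.2.7.1)
+activejob (= 4.2.7.1)
 mail (~> 2.5, >= 2.5.4)
 rails-dom-testing (~> 1.0, >= 1.0.5)
-actionpack (4.2.
-actionview (= 4.2.
-activesupport (= 4.2.
+actionpack (4.2.7.1)
+actionview (= 4.2.7.1)
+activesupport (= 4.2.7.1)
 rack (~> 1.6)
 rack-test (~> 0.6.2)
 rails-dom-testing (~> 1.0, >= 1.0.5)
 rails-html-sanitizer (~> 1.0, >= 1.0.2)
-actionview (4.2.
-activesupport (= 4.2.
+actionview (4.2.7.1)
+activesupport (= 4.2.7.1)
 builder (~> 3.1)
 erubis (~> 2.7.0)
 rails-dom-testing (~> 1.0, >= 1.0.5)
 rails-html-sanitizer (~> 1.0, >= 1.0.2)
-activejob (4.2.
-activesupport (= 4.2.
+activejob (4.2.7.1)
+activesupport (= 4.2.7.1)
 globalid (>= 0.3.0)
-activemodel (4.2.
-activesupport (= 4.2.
+activemodel (4.2.7.1)
+activesupport (= 4.2.7.1)
 builder (~> 3.1)
-activerecord (4.2.
-activemodel (= 4.2.
-activesupport (= 4.2.
+activerecord (4.2.7.1)
+activemodel (= 4.2.7.1)
+activesupport (= 4.2.7.1)
 arel (~> 6.0)
-activesupport (4.2.
+activesupport (4.2.7.1)
 i18n (~> 0.7)
 json (~> 1.7, >= 1.7.7)
 minitest (~> 5.1)
@@ -40,7 +40,7 @@ GEM
 arel (6.0.3)
 base32 (0.3.2)
 builder (3.2.2)
-concurrent-ruby (1.0.
+concurrent-ruby (1.0.2)
 descendants_tracker (0.0.4)
 thread_safe (~> 0.3, >= 0.3.1)
 docile (1.1.5)
@@ -49,19 +49,18 @@ GEM
 multipart-post (>= 1.2, < 3)
 ffi2-generators (0.1.1)
 git (1.3.0)
-github_api (0.
+github_api (0.14.5)
 addressable (~> 2.4.0)
 descendants_tracker (~> 0.0.4)
 faraday (~> 0.8, < 0.10)
 hashie (>= 3.4)
-
-
-globalid (0.3.6)
+oauth2 (~> 1.0)
+globalid (0.3.7)
 activesupport (>= 4.1.0)
-hashie (3.4.
+hashie (3.4.4)
 highline (1.7.8)
 i18n (0.7.0)
-jeweler (2.
+jeweler (2.1.1)
 builder
 bundler (>= 1.0)
 git (>= 1.2.5)
@@ -70,29 +69,31 @@ GEM
 nokogiri (>= 1.5.10)
 rake
 rdoc
+semver
 json (1.8.3)
-jwt (1.5.
+jwt (1.5.4)
 loofah (2.0.3)
 nokogiri (>= 1.5.9)
 mail (2.6.4)
 mime-types (>= 1.16, < 4)
 metaclass (0.0.4)
-mime-types (3.
+mime-types (3.1)
 mime-types-data (~> 3.2015)
-mime-types-data (3.2016.
-mini_portile2 (2.
-minitest (5.
+mime-types-data (3.2016.0521)
+mini_portile2 (2.1.0)
+minitest (5.9.0)
 mocha (1.1.0)
 metaclass (~> 0.0.1)
-multi_json (1.
+multi_json (1.12.1)
 multi_xml (0.5.5)
 multipart-post (2.0.0)
-mysql2 (0.4.
-nokogiri (1.6.
-mini_portile2 (~> 2.
-
+mysql2 (0.4.4)
+nokogiri (1.6.8)
+mini_portile2 (~> 2.1.0)
+pkg-config (~> 1.1.7)
+oauth2 (1.2.0)
 faraday (>= 0.8, < 0.10)
-jwt (~> 1.0
+jwt (~> 1.0)
 multi_json (~> 1.3)
 multi_xml (~> 0.5)
 rack (>= 1.2, < 3)
@@ -100,19 +101,20 @@ GEM
 hashie (>= 1.2, < 4)
 rack (>= 1.0, < 3)
 pg (0.18.4)
+pkg-config (1.1.7)
 rack (1.6.4)
 rack-test (0.6.3)
 rack (>= 1.0)
-rails (4.2.
-actionmailer (= 4.2.
-actionpack (= 4.2.
-actionview (= 4.2.
-activejob (= 4.2.
-activemodel (= 4.2.
-activerecord (= 4.2.
-activesupport (= 4.2.
+rails (4.2.7.1)
+actionmailer (= 4.2.7.1)
+actionpack (= 4.2.7.1)
+actionview (= 4.2.7.1)
+activejob (= 4.2.7.1)
+activemodel (= 4.2.7.1)
+activerecord (= 4.2.7.1)
+activesupport (= 4.2.7.1)
 bundler (>= 1.3.0, < 2.0)
-railties (= 4.2.
+railties (= 4.2.7.1)
 sprockets-rails
 rails-deprecated_sanitizer (1.0.3)
 activesupport (>= 4.2.0.alpha)
@@ -122,12 +124,12 @@ GEM
 rails-deprecated_sanitizer (>= 1.0.1)
 rails-html-sanitizer (1.0.3)
 loofah (~> 2.0)
-railties (4.2.
-actionpack (= 4.2.
-activesupport (= 4.2.
+railties (4.2.7.1)
+actionpack (= 4.2.7.1)
+activesupport (= 4.2.7.1)
 rake (>= 0.8.7)
 thor (>= 0.18.1, < 2.0)
-rake (11.
+rake (11.2.2)
 rdoc (4.2.2)
 json (~> 1.4)
 rubysl (2.2.0)
@@ -240,7 +242,7 @@ GEM
 rubysl-cmath (2.0.0)
 rubysl-complex (2.0.0)
 rubysl-continuation (2.0.0)
-rubysl-coverage (2.
+rubysl-coverage (2.1)
 rubysl-csv (2.0.2)
 rubysl-english (~> 2.0)
 rubysl-curses (2.0.1)
@@ -277,7 +279,7 @@ GEM
 rubysl-mathn (2.0.0)
 rubysl-matrix (2.1.0)
 rubysl-e2mmap (~> 2.0)
-rubysl-mkmf (2.
+rubysl-mkmf (2.1)
 rubysl-fileutils (~> 2.0)
 rubysl-shellwords (~> 2.0)
 rubysl-monitor (2.0.0)
@@ -304,7 +306,7 @@ GEM
 rubysl-prettyprint (2.0.3)
 rubysl-prime (2.0.1)
 rubysl-profile (2.0.0)
-rubysl-profiler (2.
+rubysl-profiler (2.1)
 rubysl-pstore (2.0.0)
 rubysl-pty (2.0.3)
 rubysl-rake (2.0.0)
@@ -330,7 +332,7 @@ GEM
 rubysl-set (2.0.1)
 rubysl-shellwords (2.0.0)
 rubysl-singleton (2.0.0)
-rubysl-socket (2.1.
+rubysl-socket (2.1.2)
 rubysl-fcntl (~> 2.0)
 rubysl-stringio (2.1.0)
 rubysl-strscan (2.0.0)
@@ -354,15 +356,16 @@ GEM
 rubysl-xmlrpc (2.0.0)
 rubysl-yaml (2.1.0)
 rubysl-zlib (2.0.1)
-
+semver (1.0.1)
+simplecov (0.12.0)
 docile (~> 1.1.0)
-json (
+json (>= 1.8, < 3)
 simplecov-html (~> 0.10.0)
 simplecov-html (0.10.0)
-sprockets (3.
+sprockets (3.7.0)
 concurrent-ruby (~> 1.0)
 rack (> 1, < 3)
-sprockets-rails (3.0
+sprockets-rails (3.2.0)
 actionpack (>= 4.0)
 activesupport (>= 4.0)
 sprockets (>= 3.0.0)
@@ -383,7 +386,7 @@ DEPENDENCIES
 mysql2 (>= 0.3.20)
 omniauth (>= 1.3.1)
 pg (>= 0.18.4)
-rails (>= 4.0.13)
+rails (~> 4.0, >= 4.0.13)
 rake (>= 11.1.1)
 rubysl
 rubysl-bundler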
data/Gemfile.rails41
CHANGED
data/Gemfile.rails42
CHANGED
data/Rakefile
CHANGED
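--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.21.
+0.21.1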
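--- a/data/app/models/tokens/session_uid.rb
+++ b/data/app/models/tokens/session_uid.rb
@@ -38,7 +38,7 @@ class SessionUid < Tokens::Base
 
 # Updates the time associated with the session.
 def spend
-self.touch if Time.
+self.touch if Time.current - updated_at >= updates_after
 end
 
 # Garbage-collects database records of expired sessions.
@@ -46,7 +46,7 @@ class SessionUid < Tokens::Base
 # This method should be called periodically to keep the size of the session
 # table under control.
 def self.remove_expired
-self.where('updated_at < ?', Time.
+self.where('updated_at < ?', Time.current - expires_after).delete_all
 self
 end
 end # class Tokens::SessionUid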
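Review bot: The move from `Time.now` to `Time.current` in `spend` and `remove_expired` is not explained in the hunk, and the same change is made in data/lib/authpwn_rails/expires.rb (`expired?`); a one-line comment above `spend` such as `# Time.current honors Time.zone, matching the zone ActiveRecord uses for updated_at` would keep a later cleanup from reverting it. Both comparisons also assume `updated_at` is populated; `Time.current - updated_at` on a never-saved token would raise, though whether such records can reach `spend` cannot be told from this hunk. `remove_expired` keeps using `delete_all`, which skips callbacks, so the existing comment could say so explicitly.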
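--- a/data/authpwn_rails.gemspec
+++ b/data/authpwn_rails.gemspec
@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: authpwn_rails 0.21.
+# stub: authpwn_rails 0.21.1 ruby lib
 
 Gem::Specification.new do |s|
 s.name = "authpwn_rails"
-s.version = "0.21.
+s.version = "0.21.1"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.require_paths = ["lib"]
 s.authors = ["Victor Costan"]
-s.date = "2016-03
+s.date = "2016-09-03"
 s.description = "Works with Facebook."
 s.email = "victor@costan.us"
 s.extra_rdoc_files = [
@@ -140,7 +140,7 @@ Gem::Specification.new do |s|
 
 if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
 s.add_runtime_dependency(%q<base32>, [">= 0.3.2"])
-s.add_runtime_dependency(%q<rails>, [">= 4.0.13"])
+s.add_runtime_dependency(%q<rails>, [">= 4.0.13", "~> 4.0"])
 s.add_development_dependency(%q<bundler>, [">= 1.6.6"])
 s.add_development_dependency(%q<mocha>, [">= 1.1.0"])
 s.add_development_dependency(%q<jeweler>, [">= 2.0.1"])
@@ -155,7 +155,7 @@ Gem::Specification.new do |s|
 s.add_development_dependency(%q<rubysl-rake>, [">= 0"])
 else
 s.add_dependency(%q<base32>, [">= 0.3.2"])
-s.add_dependency(%q<rails>, [">= 4.0.13"])
+s.add_dependency(%q<rails>, [">= 4.0.13", "~> 4.0"])
 s.add_dependency(%q<bundler>, [">= 1.6.6"])
 s.add_dependency(%q<mocha>, [">= 1.1.0"])
 s.add_dependency(%q<jeweler>, [">= 2.0.1"])
@@ -171,7 +171,7 @@ Gem::Specification.new do |s|
 end
 else
 s.add_dependency(%q<base32>, [">= 0.3.2"])
-s.add_dependency(%q<rails>, [">= 4.0.13"])
+s.add_dependency(%q<rails>, [">= 4.0.13", "~> 4.0"])
 s.add_dependency(%q<bundler>, [">= 1.6.6"])
 s.add_dependency(%q<mocha>, [">= 1.1.0"])
 s.add_dependency(%q<jeweler>, [">= 2.0.1"])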
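--- a/data/legacy/migrate_020_to_021.rb
+++ b/data/legacy/migrate_020_to_021.rb
@@ -2,14 +2,14 @@
 # 0.21 format.
 # It should be run in a rails console.
 
-User.all.each do |user|
-user.exuid = nil
-user.set_default_exuid
-user.save!
-end
-
 Credential.all.each do |token|
 next unless token.kind_of? Tokens::Base
 token.code = Tokens::Base.random_code
 token.save!
 end
+
+User.all.each do |user|
+user.exuid = nil
+user.set_default_exuid
+user.save!
+end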
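Review bot: The two loops run outside a transaction, so a `save!` failure part-way through leaves some tokens re-coded and others on the old format with no way to tell which; wrapping both loops in `ActiveRecord::Base.transaction do ... end` would make the console script safe to re-run. `Credential.all.each` and `User.all.each` also load every row at once; `Credential.find_each` / `User.find_each` give the same result in batches. The commit moves the token loop ahead of the user loop without saying why — if `set_default_exuid` depends on the regenerated codes, a one-line comment above the first loop saying so would spare the next person from "fixing" the order back.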
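--- a/data/lib/authpwn_rails/expires.rb
+++ b/data/lib/authpwn_rails/expires.rb
@@ -16,7 +16,7 @@ module Expires
 # True if this password is too old and should not be used for authentication.
 def expired?
 return false unless expires_after
-updated_at < Time.
+updated_at < Time.current - expires_after
 end
 end # module Authpwn::Expires
 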
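--- a/data/lib/authpwn_rails/generators/templates/session_controller_test.rb
+++ b/data/lib/authpwn_rails/generators/templates/session_controller_test.rb
@@ -18,7 +18,7 @@ class SessionControllerTest < ActionController::TestCase
 
 test "user login works and purges old sessions" do
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 post :create, session: { email: @email_credential.email,
 password: 'pa55w0rd' }
@@ -126,6 +126,8 @@ class SessionControllerTest < ActionController::TestCase
 get :api_token
 
 assert_select 'span[class="api-token"]', credentials(:john_api_token).code
+assert_select 'a[href="/session/api_token"][data-method="delete"]',
+'regenerate token'
 end
 
 test "API token JSON request" do
@@ -137,6 +139,24 @@ class SessionControllerTest < ActionController::TestCase
 ActiveSupport::JSON.decode(response.body)['api_token']
 end
 
+test "API token destroy request" do
+user = users(:john)
+set_session_current_user user
+delete :destroy_api_token
+
+assert_redirected_to api_token_session_url
+assert_nil Tokens::Api.where(user: user).first
+end
+
+test "API token destroy JSON request" do
+user = users(:john)
+set_session_current_user user
+delete :destroy_api_token, format: 'json'
+
+assert_equal({}, ActiveSupport::JSON.decode(response.body))
+assert_nil Tokens::Api.where(user: user).first
+end
+
 test "OmniAuth failure" do
 get :omniauth_failure
 
@@ -147,7 +167,7 @@ class SessionControllerTest < ActionController::TestCase
 ActionController::Base.allow_forgery_protection = true
 begin
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 
 request.env['omniauth.auth'] = {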
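Review bot: The generated `API token destroy request` tests only cover a signed-in user who owns a token; the unauthenticated case, which the gem's own data/test/session_controller_api_test.rb checks with `delete :destroy_api_token` followed by `assert_response :forbidden`, is missing, so an application that customizes `bounce_user` gets no regression check on the revocation route. Consider adding `test "API token destroy request without logged in user"` with those two lines next to the existing destroy tests. The class body continues outside the hunk.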
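--- a/data/lib/authpwn_rails/routes.rb
+++ b/data/lib/authpwn_rails/routes.rb
@@ -39,6 +39,9 @@ module MapperMixin
 
 get "/#{paths}/api_token", controller: controller, action: 'api_token',
 as: "api_token_#{methods}"
+delete "/#{paths}/api_token", controller: controller,
+action: 'destroy_api_token',
+as: "destroy_api_token_#{methods}"
 get "/#{paths}/change_password", controller: controller,
 action: 'password_change',
 as: "change_password_#{methods}"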
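--- a/data/lib/authpwn_rails/session_controller.rb
+++ b/data/lib/authpwn_rails/session_controller.rb
@@ -109,6 +109,34 @@ module SessionController
 end
 end
 
+# DELETE /api_token
+def destroy_api_token
+unless current_user
+bounce_user
+return
+end
+
+api_token = Tokens::Api.where(user_id: current_user.id).first
+if api_token
+api_token.destroy
+respond_to do |format|
+format.html do
+redirect_to api_token_session_url,
+notice: 'Your old API token has been revoked'
+end
+format.json { render json: {} }
+end
+else
+respond_to do |format|
+format.html do
+redirect_to api_token_session_url,
+alert: 'You had no old API token to revoke'
+end
+format.json { head :not_found }
+end
+end
+end
+
 # POST /session/reset_password
 def reset_password
 email = params[:session] && params[:session][:email]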
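Review bot: `destroy_api_token` revokes only the first `Tokens::Api` row for the user and ignores the return value of `destroy`, so if the model ever holds more than one API token per user, or a `before_destroy` callback halts, the user is still told 'Your old API token has been revoked' while a live token remains. Revocation should be total: `api_tokens = Tokens::Api.where(user_id: current_user.id)`, `if api_tokens.exists?` and `api_tokens.destroy_all` make the action independent of how many rows exist; whether multiple rows can occur cannot be told from this hunk. The two `respond_to` blocks differ only in the flash key and the JSON status, so a single `respond_to` driven by a `revoked` boolean would read more clearly. The `# DELETE /api_token` comment could also state the contract (HTML redirects to the token page, JSON answers `{}` or 404), since this is the only place it is written down. The enclosing module continues outside the hunk.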
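--- a/data/test/cookie_controller_test.rb
+++ b/data/test/cookie_controller_test.rb
@@ -50,27 +50,27 @@ class CookieControllerTest < ActionController::TestCase
 
 test "valid suid in session does not refresh very recent session" do
 request.session[:authpwn_suid] = @token.suid
-@token.updated_at = Time.
+@token.updated_at = Time.current - 5.minutes
 @token.save!
 get :show
 assert_response :success
 assert_equal @user, assigns(:current_user)
-assert_operator @token.reload.updated_at, :<=, Time.
+assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
 end
 
 test "valid suid in session refreshes recent session" do
 request.session[:authpwn_suid] = @token.suid
-@token.updated_at = Time.
+@token.updated_at = Time.current - 5.minutes
 @token.save!
 get :show
 assert_response :success
 assert_equal @user, assigns(:current_user)
-assert_operator @token.reload.updated_at, :<=, Time.
+assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes
 end
 
 test "valid suid in session is discarded if the session is old" do
 request.session[:authpwn_suid] = @token.suid
-@token.updated_at = Time.
+@token.updated_at = Time.current - 3.months
 @token.save!
 get :show
 assert_response :success
@@ -114,13 +114,13 @@ class CookieControllerTest < ActionController::TestCase
 end
 
 test "set_session_current_user refreshes old token" do
-@token.updated_at = Time.
+@token.updated_at = Time.current - 1.day
 request.session[:authpwn_suid] = @token.suid
 assert_no_difference 'Credential.count', 'existing token not reused' do
 put :update, exuid: @user.exuid
 end
 assert_response :success
-assert_operator @token.reload.updated_at, :>=, Time.
+assert_operator @token.reload.updated_at, :>=, Time.current - 1.hour,
 'Old token not refreshed'
 assert_equal @user, assigns(:current_user)
 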
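Review bot: In `valid suid in session refreshes recent session` the new assertion `assert_operator @token.reload.updated_at, :<=, Time.current - 5.minutes` is the same as the one in `does not refresh very recent session` directly above it, so it can only pass if the token was not refreshed, which contradicts the test name. Presumably it should read `assert_operator @token.reload.updated_at, :>=, Time.current - 1.minute`, as the `spend updates old token` test in data/test/credentials/session_uid_token_test.rb does. Whatever setup distinguishes the two tests (an `updates_after` value, perhaps) is outside the hunk, so this should be confirmed against the full file before changing it.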
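--- a/data/test/credentials/api_token_test.rb
+++ b/data/test/credentials/api_token_test.rb
@@ -41,12 +41,16 @@ class ApiTokenTest < ActiveSupport::TestCase
 end
 
 test 'expired?' do
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 1.year
 assert_equal false, @credential.expired?
 end
 
 test 'spend does not update old token' do
-
+# NOTE: Some databases don't support sub-second precision. In Rails 5, the
+# time values reflect this, and would cause the test to fail if we
+# don't round Time.current down to the nearest second.
+old_updated_at = @credential.updated_at =
+(Time.current - 1.year).change usec: 0
 @credential.spend
 assert_equal old_updated_at, @credential.updated_at
 end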
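Review bot: `(Time.current - 1.year).change usec: 0` omits the parentheses around the keyword argument, while the otherwise identical line added in data/test/credentials/session_uid_token_test.rb writes `.change(usec: 0)`; since the value is assigned through a chained `old_updated_at = @credential.updated_at =`, the parenthesized `(Time.current - 1.year).change(usec: 0)` is easier to read and keeps the two tests consistent. The three-line NOTE about sub-second precision is duplicated verbatim in that file too; a small helper in the test support code that returns a second-rounded time would leave the explanation in one place.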
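--- a/data/test/credentials/password_credential_test.rb
+++ b/data/test/credentials/password_credential_test.rb
@@ -71,27 +71,27 @@ class PasswordCredentialTest < ActiveSupport::TestCase
 end
 
 test 'expired?' do
-@credential.updated_at = Time.
+@credential.updated_at = Time.current
 assert_equal false, @credential.expired?
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 2.years
 assert_equal true, @credential.expired?
 Credentials::Password.expires_after = nil
 assert_equal false, @credential.expired?
 end
 
 test 'authenticate' do
-@credential.updated_at = Time.
+@credential.updated_at = Time.current
 assert_equal users(:bill), @credential.authenticate('awesome')
 assert_equal :invalid, @credential.authenticate('not awesome')
 Credentials::Password.expires_after = 1.month
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 1.year
 assert_equal :expired, @credential.authenticate('awesome')
 end
 
 test 'authenticate calls User#auth_bounce_reason' do
 user = @credential.user
 user.expects(:auth_bounce_reason).at_least_once.returns(:reason)
-@credential.updated_at = Time.
+@credential.updated_at = Time.current
 assert_equal :reason, @credential.authenticate('awesome')
 assert_equal :invalid, @credential.authenticate('not awesome')
 end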
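--- a/data/test/credentials/session_uid_token_test.rb
+++ b/data/test/credentials/session_uid_token_test.rb
@@ -46,9 +46,9 @@ class SessionUidTokenTest < ActiveSupport::TestCase
 
 test 'expired?' do
 Tokens::SessionUid.expires_after = 14.days
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 1.day
 assert_equal false, @credential.expired?
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 1.month
 assert_equal true, @credential.expired?
 
 Tokens::SessionUid.expires_after = nil
@@ -56,24 +56,28 @@ class SessionUidTokenTest < ActiveSupport::TestCase
 end
 
 test 'spend updates old token' do
-@credential.updated_at = Time.
+@credential.updated_at = Time.current - 1.day
 @credential.save!
 @credential.spend
-assert_operator @credential.updated_at, :>=, Time.
+assert_operator @credential.updated_at, :>=, Time.current - 1.minute
 end
 
 test 'spend does not update reasonably new token' do
-
+# NOTE: Some databases don't support sub-second precision. In Rails 5, the
+# time values reflect this, and would cause the test to fail if we
+# don't round Time.current down to the nearest second.
+old_updated_at = @credential.updated_at =
+(Time.current - 5.minutes).change(usec: 0)
 @credential.spend
 assert_equal old_updated_at, @credential.updated_at
 end
 
 test 'remove_expired gets rid of old tokens' do
 old_token = credentials(:john_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 fresh_token = credentials(:jane_session_token)
-fresh_token.updated_at = Time.
+fresh_token.updated_at = Time.current - 1.minute
 fresh_token.save!
 
 assert_difference 'Credential.count', -1 do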
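--- a/data/test/credentials/token_crendential_test.rb
+++ b/data/test/credentials/token_crendential_test.rb
@@ -113,7 +113,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
 jane = 'skygyoxxmnerxwe4zbi3p5yjtg7zpjl2peyfcwh5wnc37fyfc4xa'
 
 Tokens::Base.all.each do |token|
-token.updated_at = Time.
+token.updated_at = Time.current - 1.year
 token.class.stubs(:expires_after).returns 1.week
 token.save!
 end
@@ -148,7 +148,7 @@ class TokenCredentialTest < ActiveSupport::TestCase
 
 test 'instance authenticate with expired tokens' do
 token = Tokens::Base.with_code(credentials(:jane_token).code).first
-token.updated_at = Time.
+token.updated_at = Time.current - 1.year
 token.save!
 token.class.stubs(:expires_after).returns 1.week
 assert_equal :invalid, token.authenticate,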
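--- a/data/test/routes_test.rb
+++ b/data/test/routes_test.rb
@@ -17,6 +17,8 @@ class RoutesTest < ActionController::TestCase
 {controller: 'session', action: 'destroy'})
 assert_routing({path: '/session/api_token', method: :get},
 {controller: 'session', action: 'api_token'})
+assert_routing({path: '/session/api_token', method: :delete},
+{controller: 'session', action: 'destroy_api_token'})
 assert_routing({path: '/session/change_password', method: :get},
 {controller: 'session', action: 'password_change'})
 assert_routing({path: '/session/change_password', method: :post},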
|
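--- a/data/test/session_controller_api_test.rb
+++ b/data/test/session_controller_api_test.rb
@@ -117,7 +117,7 @@ class SessionControllerApiTest < ActionController::TestCase
 test "create purges sessions when logging in" do
 BareSessionController.auto_purge_sessions = true
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 post :create, session: { email: @email_credential.email,
 password: 'pa55w0rd' }
@@ -129,7 +129,7 @@ class SessionControllerApiTest < ActionController::TestCase
 test "create does not purge sessions if auto_purge_sessions is false" do
 BareSessionController.auto_purge_sessions = false
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 post :create, email: @email_credential.email, password: 'pa55w0rd'
 assert_equal @user, session_current_user, 'session'
@@ -159,7 +159,7 @@ class SessionControllerApiTest < ActionController::TestCase
 test "create by json purges sessions when logging in" do
 BareSessionController.auto_purge_sessions = true
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 post :create, email: @email_credential.email, password: 'pa55w0rd',
 format: 'json'
@@ -188,7 +188,7 @@ class SessionControllerApiTest < ActionController::TestCase
 end
 
 test "create does not log in with expired password" do
-@password_credential.updated_at = Time.
+@password_credential.updated_at = Time.current - 2.years
 @password_credential.save!
 post :create, session: { email: @email_credential.email,
 password: 'pa55w0rd' }
@@ -202,7 +202,7 @@ class SessionControllerApiTest < ActionController::TestCase
 test "create does not purge sessions if not logged in" do
 BareSessionController.auto_purge_sessions = true
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 post :create, session: { email: @email_credential.email, password: 'fail' }
 assert_nil session_current_user, 'session'
@@ -246,7 +246,7 @@ class SessionControllerApiTest < ActionController::TestCase
 end
 
 test "create by json does not log in with expired password" do
-@password_credential.updated_at = Time.
+@password_credential.updated_at = Time.current - 2.years
 @password_credential.save!
 post :create, email: @email_credential.email, password: 'pa55w0rd',
 format: 'json'
@@ -450,6 +450,62 @@ class SessionControllerApiTest < ActionController::TestCase
 assert_equal 'Please sign in', data['error']
 end
 
+test "api_token destroy request" do
+user = users(:john)
+set_session_current_user user
+assert_difference 'Tokens::Api.count', -1 do
+delete :destroy_api_token
+end
+assert_nil user.credentials.where(type: 'Tokens::Api').first
+assert_redirected_to api_token_session_url
+assert_match(/token.*revoked/, flash[:notice])
+end
+
+test "api_token destroy request from user without token" do
+set_session_current_user @user
+assert_no_difference 'Tokens::Api.count' do
+delete :destroy_api_token
+end
+assert_nil @user.credentials.where(type: 'Tokens::Api').first
+assert_redirected_to api_token_session_url
+assert_match(/no.*token.*to.*revoke/, flash[:alert])
+end
+
+test "api_token destroy request without logged in user" do
+delete :destroy_api_token
+assert_response :forbidden
+end
+
+test "api_token destroy JSON request" do
+user = users(:john)
+set_session_current_user user
+assert_difference 'Tokens::Api.count', -1 do
+delete :destroy_api_token, format: 'json'
+end
+
+assert_nil user.credentials.where(type: 'Tokens::Api').first
+assert_equal({}, ActiveSupport::JSON.decode(response.body))
+assert_response :ok
+end
+
+test "api_token destroy JSON request from user without token" do
+set_session_current_user @user
+assert_no_difference 'Tokens::Api.count' do
+delete :destroy_api_token, format: 'json'
+end
+
+assert_nil @user.credentials.where(type: 'Tokens::Api').first
+assert_response :not_found
+end
+
+test "api_token destroy JSON request without logged in user" do
+delete :destroy_api_token, format: 'json'
+assert_response :ok
+
+data = ActiveSupport::JSON.decode response.body
+assert_equal 'Please sign in', data['error']
+end
+
 test "password_change bounces without logged in user" do
 get :password_change
 assert_response :forbidden
@@ -737,7 +793,7 @@ class SessionControllerApiTest < ActionController::TestCase
 begin
 BareSessionController.auto_purge_sessions = true
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 request.env['omniauth.auth'] =
 { 'provider' => @omniauth_credential.provider,
@@ -756,7 +812,7 @@ class SessionControllerApiTest < ActionController::TestCase
 begin
 BareSessionController.auto_purge_sessions = false
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 request.env['omniauth.auth'] =
 { 'provider' => @omniauth_credential.provider,
@@ -775,7 +831,7 @@ class SessionControllerApiTest < ActionController::TestCase
 begin
 BareSessionController.auto_purge_sessions = true
 old_token = credentials(:jane_session_token)
-old_token.updated_at = Time.
+old_token.updated_at = Time.current - 1.year
 old_token.save!
 request.env['omniauth.auth'] =
 { 'provider' => @omniauth_credential.provider, 'uid' => 'fail' }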
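Review bot: `api_token destroy JSON request without logged in user` pins `assert_response :ok` plus an error body for an unauthenticated DELETE, while `api_token destroy request without logged in user` three tests earlier expects `:forbidden`, and nothing in the hunk says the 200 is deliberate; a reader is likely to "fix" one of them. The `'Please sign in'` assertion at the top of the same hunk suggests this is the established JSON bounce behaviour, so a comment above the assertion such as `# JSON clients are bounced with 200 and an error key rather than 403` would pin the contract. The HTML destroy tests never run with `allow_forgery_protection` enabled, unlike the OmniAuth tests at the end of this file, so the `data-method="delete"` link path is not exercised under CSRF protection; whether that matters depends on the app's forgery settings, which are outside the hunk. The class body continues outside the hunk.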
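--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authpwn_rails
 version: !ruby/object:Gem::Version
-version: 0.21.
+version: 0.21.1
 platform: ruby
 authors:
 - Victor Costan
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-03
+date: 2016-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: base32
@@ -31,6 +31,9 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: 4.0.13
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -38,6 +41,9 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: 4.0.13
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.0'
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement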