clearance 1.10.1 → 1.17.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: f17291a4d13d462f49a5fc69684b8709714749aa
-  data.tar.gz: 30d2cbfaf5855833fa24c7c33b1d51bf50e7db25
+SHA256:
+  metadata.gz: 3d2b65ce30d78d380c94d95fc6fa32f1fa4340a145f6e33573ad746f5da4600e
+  data.tar.gz: a8b154b5ccfed1470fcc29155f3f57c676571539f9794c5b9a32ef2b3f4b8a20
 SHA512:
-  metadata.gz: ee5ec1d2dd6d3790e53379b09da0b00654268ec650dc1b4fca1b7776c647d9ca34ddd0940d6fe0e4657619e1cc67d8546066bc31744c3d342954ed6a3a573cfb
-  data.tar.gz: 46ee3ac5bf3104289785a31bd935133d46325ef5da7c3827477fcd2fcc294569cbd992b58ba92765f7acf265ee5e90bec66f6908e06ac9b990bcaf67f858e46e
+  metadata.gz: 7ec8917dc40e39108f0ceb7333d8968d31d2cfa5d902ad1fc533a85fcc98b10d0665bd84484256ff9a3e3114f4c8d27c7bdad24c70cf72c63f6dfc3d151bac2f
+  data.tar.gz: 839701911aea43402b13d2d4ea84f13d904ccf1576a7d9bc913eeac2f48a992a08e57c0859aceb04764afc927425852f18084c0638978937db974449a5f25b4b

data/.gitignore

@@ -6,6 +6,7 @@
 .bundle
 db/*.sqlite3
 gemfiles/*.lock
+gemfiles/vendor/
 log/*.log
 pkg
 tmp/

data/.travis.yml

@@ -4,19 +4,31 @@ language:
   - ruby
 
 rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.6
-  - 2.2.2
+  - 2.3.8
+  - 2.4.5
+  - 2.5.3
+  - 2.6.1
 
-install:
-  - "travis_retry bin/setup"
+gemfile:
+  - gemfiles/rails_4.2.gemfile
+  - gemfiles/rails_5.0.gemfile
+  - gemfiles/rails_5.1.gemfile
+  - gemfiles/rails_5.2.gemfile
+
+before_install:
+  - gem update --system
 
-script:
-  - "bundle exec appraisal rake"
+install:
+  - "bin/setup"
 
 branches:
   only:
     - master
+    - 2.0
+
+matrix:
+  allow_failures:
+    - gemfile: gemfiles/rails_4.2.gemfile
+      rvm: 2.6.1
 
 sudo: false

data/.yardopts

@@ -1,3 +1,6 @@
+--protected
+--private
+--hide-api private
 --exclude templates
 --markup markdown
 --markup-provider redcarpet

data/Appraisals

@@ -1,18 +1,15 @@
-if RUBY_VERSION < "2.2.0"
-  appraise 'rails3.2' do
-    gem 'rails', '~> 3.2.21'
-  end
-end
-
-appraise 'rails4.0' do
-  gem 'rails', '~> 4.0.13'
-  gem 'test-unit'
-end
+rails_versions = %w(
+  4.2
+  5.0
+  5.1
+  5.2
+)
 
-appraise 'rails4.1' do
-  gem 'rails', '~> 4.1.9'
-end
-
-appraise 'rails4.2' do
-  gem 'rails', '~> 4.2.0'
+rails_versions.each do |version|
+  appraise "rails_#{version}" do
+    gem "railties", "~> #{version}.0"
+    if Gem::Version.new(version) >= Gem::Version.new("5.0")
+      gem "rails-controller-testing"
+    end
+  end
 end

data/Gemfile

@@ -2,14 +2,16 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'appraisal', '~> 1.0'
+gem 'addressable', '~> 2.6.0'
+gem 'appraisal'
 gem 'ammeter'
 gem 'bundler', '~> 1.3'
-gem 'capybara', '>= 2.3'
+gem 'capybara', '>= 2.6.2'
 gem 'database_cleaner', '~> 1.0'
-gem 'factory_girl_rails', '~> 4.2'
+gem 'factory_bot_rails', '~> 5.0'
+gem 'nokogiri', '~> 1.10.0'
 gem 'rspec-rails', '~> 3.1'
-gem 'shoulda-matchers', '~> 2.8'
-gem 'sqlite3', '~> 1.3'
+gem 'shoulda-matchers', '~> 4.0'
+gem 'sqlite3', '~> 1.3.13'
 gem 'timecop', '~> 0.6'
 gem 'pry', require: false

data/Gemfile.lock

@@ -1,171 +1,165 @@
 PATH
   remote: .
   specs:
-    clearance (1.10.1)
+    clearance (1.17.0)
+      actionmailer (>= 3.1)
+      activemodel (>= 3.1)
+      activerecord (>= 3.1)
       bcrypt
       email_validator (~> 1.4)
-      rails (>= 3.1)
+      railties (>= 3.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (4.2.0)
-      actionpack (= 4.2.0)
-      actionview (= 4.2.0)
-      activejob (= 4.2.0)
+    actionmailer (5.2.3)
+      actionpack (= 5.2.3)
+      actionview (= 5.2.3)
+      activejob (= 5.2.3)
       mail (~> 2.5, >= 2.5.4)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-    actionpack (4.2.0)
-      actionview (= 4.2.0)
-      activesupport (= 4.2.0)
-      rack (~> 1.6.0)
-      rack-test (~> 0.6.2)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    actionview (4.2.0)
-      activesupport (= 4.2.0)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.2.3)
+      actionview (= 5.2.3)
+      activesupport (= 5.2.3)
+      rack (~> 2.0)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.3)
+      activesupport (= 5.2.3)
       builder (~> 3.1)
-      erubis (~> 2.7.0)
-      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.1)
-    activejob (4.2.0)
-      activesupport (= 4.2.0)
-      globalid (>= 0.3.0)
-    activemodel (4.2.0)
-      activesupport (= 4.2.0)
-      builder (~> 3.1)
-    activerecord (4.2.0)
-      activemodel (= 4.2.0)
-      activesupport (= 4.2.0)
-      arel (~> 6.0)
-    activesupport (4.2.0)
-      i18n (~> 0.7)
-      json (~> 1.7, >= 1.7.7)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activejob (5.2.3)
+      activesupport (= 5.2.3)
+      globalid (>= 0.3.6)
+    activemodel (5.2.3)
+      activesupport (= 5.2.3)
+    activerecord (5.2.3)
+      activemodel (= 5.2.3)
+      activesupport (= 5.2.3)
+      arel (>= 9.0)
+    activesupport (5.2.3)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
-    ammeter (1.1.2)
+    addressable (2.6.0)
+      public_suffix (>= 2.0.2, < 4.0)
+    ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (1.0.2)
+    appraisal (2.2.0)
       bundler
       rake
       thor (>= 0.14.0)
-    arel (6.0.0)
-    bcrypt (3.1.10)
-    builder (3.2.2)
-    capybara (2.4.4)
-      mime-types (>= 1.16)
-      nokogiri (>= 1.3.3)
-      rack (>= 1.0.0)
-      rack-test (>= 0.5.4)
-      xpath (~> 2.0)
-    coderay (1.1.0)
-    database_cleaner (1.3.0)
-    diff-lcs (1.2.5)
+    arel (9.0.0)
+    bcrypt (3.1.12)
+    builder (3.2.3)
+    capybara (3.16.1)
+      addressable
+      mini_mime (>= 0.1.3)
+      nokogiri (~> 1.8)
+      rack (>= 1.6.0)
+      rack-test (>= 0.6.3)
+      regexp_parser (~> 1.2)
+      xpath (~> 3.2)
+    coderay (1.1.2)
+    concurrent-ruby (1.1.5)
+    crass (1.0.4)
+    database_cleaner (1.7.0)
+    diff-lcs (1.3)
     email_validator (1.6.0)
       activemodel
-    erubis (2.7.0)
-    factory_girl (4.5.0)
-      activesupport (>= 3.0.0)
-    factory_girl_rails (4.5.0)
-      factory_girl (~> 4.5.0)
-      railties (>= 3.0.0)
-    globalid (0.3.5)
-      activesupport (>= 4.1.0)
-    i18n (0.7.0)
-    json (1.8.2)
-    loofah (2.0.2)
+    erubi (1.8.0)
+    factory_bot (5.0.2)
+      activesupport (>= 4.2.0)
+    factory_bot_rails (5.0.1)
+      factory_bot (~> 5.0.0)
+      railties (>= 4.2.0)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    i18n (1.6.0)
+      concurrent-ruby (~> 1.0)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.6.3)
-      mime-types (>= 1.16, < 3)
-    method_source (0.8.2)
-    mime-types (2.5)
-    mini_portile (0.6.2)
-    minitest (5.6.1)
-    nokogiri (1.6.6.2)
-      mini_portile (~> 0.6.0)
-    pry (0.10.1)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    method_source (0.9.2)
+    mini_mime (1.0.1)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    nokogiri (1.10.2)
+      mini_portile2 (~> 2.4.0)
+    pry (0.12.2)
       coderay (~> 1.1.0)
-      method_source (~> 0.8.1)
-      slop (~> 3.4)
-    rack (1.6.1)
-    rack-test (0.6.3)
-      rack (>= 1.0)
-    rails (4.2.0)
-      actionmailer (= 4.2.0)
-      actionpack (= 4.2.0)
-      actionview (= 4.2.0)
-      activejob (= 4.2.0)
-      activemodel (= 4.2.0)
-      activerecord (= 4.2.0)
-      activesupport (= 4.2.0)
-      bundler (>= 1.3.0, < 2.0)
-      railties (= 4.2.0)
-      sprockets-rails
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.6)
-      activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
-      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.2)
-      loofah (~> 2.0)
-    railties (4.2.0)
-      actionpack (= 4.2.0)
-      activesupport (= 4.2.0)
+      method_source (~> 0.9.0)
+    public_suffix (3.0.3)
+    rack (2.0.7)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.0.4)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (5.2.3)
+      actionpack (= 5.2.3)
+      activesupport (= 5.2.3)
+      method_source
       rake (>= 0.8.7)
-      thor (>= 0.18.1, < 2.0)
-    rake (10.4.2)
-    rspec-core (3.2.0)
-      rspec-support (~> 3.2.0)
-    rspec-expectations (3.2.0)
+      thor (>= 0.19.0, < 2.0)
+    rake (12.3.2)
+    regexp_parser (1.4.0)
+    rspec-core (3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.2.0)
-    rspec-mocks (3.2.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.2.0)
-    rspec-rails (3.2.0)
-      actionpack (>= 3.0, <= 4.2)
-      activesupport (>= 3.0, <= 4.2)
-      railties (>= 3.0, <= 4.2)
-      rspec-core (~> 3.2.0)
-      rspec-expectations (~> 3.2.0)
-      rspec-mocks (~> 3.2.0)
-      rspec-support (~> 3.2.0)
-    rspec-support (3.2.1)
-    shoulda-matchers (2.8.0)
-      activesupport (>= 3.0.0)
-    slop (3.6.0)
-    sprockets (3.1.0)
-      rack (~> 1.0)
-    sprockets-rails (2.3.1)
+      rspec-support (~> 3.8.0)
+    rspec-rails (3.8.2)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
-      sprockets (>= 2.8, < 4.0)
-    sqlite3 (1.3.10)
-    thor (0.19.1)
-    thread_safe (0.3.5)
-    timecop (0.7.1)
-    tzinfo (1.2.2)
+      railties (>= 3.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-support (3.8.0)
+    shoulda-matchers (4.0.1)
+      activesupport (>= 4.2.0)
+    sqlite3 (1.3.13)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    xpath (2.0.0)
-      nokogiri (~> 1.3)
+    xpath (3.2.0)
+      nokogiri (~> 1.8)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
+  addressable (~> 2.6.0)
   ammeter
-  appraisal (~> 1.0)
+  appraisal
   bundler (~> 1.3)
-  capybara (>= 2.3)
+  capybara (>= 2.6.2)
   clearance!
   database_cleaner (~> 1.0)
-  factory_girl_rails (~> 4.2)
+  factory_bot_rails (~> 5.0)
+  nokogiri (~> 1.10.0)
   pry
   rspec-rails (~> 3.1)
-  shoulda-matchers (~> 2.8)
-  sqlite3 (~> 1.3)
+  shoulda-matchers (~> 4.0)
+  sqlite3 (~> 1.3.13)
   timecop (~> 0.6)
+
+BUNDLED WITH
+   1.17.3

data/NEWS.md

@@ -1,7 +1,177 @@
 # News
 
 The noteworthy changes for each Clearance version are included here. For a
-complete changelog, see the git history.
+complete changelog, see the git history for each version via the version links.
+
+## [1.17.0] - April 11, 2019
+
+### Changed
+
+- Update the `HttpOnly` cookie setting for the remember token to default to
+  true, which prevents the value from being available to JavaScript.
+- Add configuration option to allow the auth backdoor to work in specified
+  environments (defaults to `test`, `development`, `ci`).
+
+[1.17.0]: https://github.com/thoughtbot/clearance/compare/v1.16.2...1.17.0
+
+## [1.16.2] - February 25, 2019
+
+### Fixed
+- Added missing translation keys
+- Fix issue where a cookie value could be set more than once when interacting
+  with the `httponly` option
+
+### Changed
+- Remove Rails as a dependency so that clearance does not trigger a cascade of
+  requirements as rails pulls in every framework. Instead, depend on just the
+  frameworks relevant to Clearance.
+- Prevent `Clearance::BackDoor` from being used outside the "test" environment.
+
+[1.16.2]: https://github.com/thoughtbot/clearance/compare/v1.16.1...v1.16.2
+
+## [1.16.1] - November 2, 2017
+
+### Fixed
+- Fixed issue where tokens from abandoned password reset attempts were stored in
+  the session, preventing newly generated password reset tokens from working.
+- Improve compatibility with Rails API projects by calling `helper_method` only
+  when it is defined.
+- URL fragment in server-set `session[:return_to]` values are preserved when
+  redirecting to the stored value.
+- Eliminated deprecation in Clearance test helpers that were related to the
+  renaming of FactoryGirl to FactoryBot.
+
+[1.16.1]: https://github.com/thoughtbot/clearance/compare/v1.16.0...v1.16.1
+
+## [1.16.0] - January 16, 2017
+
+### Security
+- Clearance users can now help prevent [session fixation attacks] by setting
+  `Clearance.configuration.rotate_csrf_on_sign_in` to `true`. This will cause
+  the user's CSRF token to be rotated on sign in and is recommended for all
+  Clearance applications. This setting will default to `true` in Clearance 2.0.
+  Clearance will emit a warning on each sign in until this configuration setting
+  is explicitly set to `true` or `false`.
+
+[session fixation attacks]: https://www.owasp.org/index.php/Session_fixation
+[1.16.0]: https://github.com/thoughtbot/clearance/compare/v1.15.1...v1.16.0
+
+## [1.15.1] - October 6, 2016
+
+### Fixed
+- Password reset form redirect no longer uses a named route helper, which means
+  it will work for developers that have customized their routes.
+
+[1.15.1]: https://github.com/thoughtbot/clearance/compare/v1.15.0...v1.15.1
+
+## [1.15.0] - September 26, 2016
+
+### Security
+- Prevent possible password reset token leak to external sites linked to on the
+  password reset page. See [PR #707] for more information.
+
+[PR #707]: https://github.com/thoughtbot/clearance/pull/707
+[1.15.0]: https://github.com/thoughtbot/clearance/compare/v1.14.2...v1.15.0
+
+## [1.14.2] - August 10, 2016
+
+### Fixed
+- Fixed incompatibility with `attr_encrypted` gem by inlining the body of the
+  `encrypt` helper method used in the BCrypt password strategy.
+
+[1.14.2]: https://github.com/thoughtbot/clearance/compare/v1.14.1...v1.14.2
+
+## [1.14.1] - May 12, 2016
+
+### Fixed
+- Fixed insertion of `include Clearance::User` when running the install
+  generator in an app that already has a `User` model.
+- Updated `deny_access` matcher to assert against configured redirect location
+  rather than hard coded `/`.
+
+[1.14.1]: https://github.com/thoughtbot/clearance/compare/v1.14.0...v1.14.1
+
+## [1.14.0] - April 29, 2016
+
+### Added
+- `Clearance::BackDoor` now accepts a block, allowing the user for a test to be
+  looked up by a parameter other than `id` if you have overridden `to_param` for
+  the `User` model.
+
+### Fixed
+- We now correctly track the dirty state of `User#encrypted_password`, which
+  fixes custom validations on `User#password` (e.g. validating password length)
+  that were conditional on the password actually changing.
+- The `clearance:install` generator will now generate a `User` model that
+  inherits from `ApplicationRecord` if run on a Rails 5 app that doesn't already
+  have a `User` model.
+
+### Deprecated
+- `User#password_changing` is deprecated in favor of automatic dirty tracking on
+  `encrypted_password` and `password`. If you are calling this in your
+  application you should be able to remove it.
+
+[1.14.0]: https://github.com/thoughtbot/clearance/compare/v1.13.0...v1.14.0
+
+## [1.13.0] - March 4, 2016
+
+### Added
+- Clearance now supports Rails 5.0.0.beta3 and newer.
+
+### Fixed
+- Clearance will now infer the parameter name to use when accessing user
+  parameters in a request. This previously used `:user`, which was incorrect for
+  customized user models.
+- Generated feature specs no longer rely on RSpec monkey patches.
+
+[1.13.0]: https://github.com/thoughtbot/clearance/compare/v1.12.1...v1.13.0
+
+## [1.12.1] - January 7, 2016
+
+### Fixed
+- Fixed the `create_users` migration generated by `rails generate
+  clearance:install` under Rails 3.x.
+
+[1.12.1]: https://github.com/thoughtbot/clearance/compare/v1.12.0...v1.12.1
+
+## [1.12.0] - November 17, 2015
+
+### Added
+- Users will now see a flash message when redirected to sign in by
+  `require_login`. This I18n key for this message is
+  `flashes.failure_when_not_signed_in` and defaults to "Please sign in to
+  continue".
+- Added significant API documentation. API documentation effort is ongoing.
+
+### Fixed
+- Fixed expectation in the generated `visitor_resets_password_spec.rb` file.
+- Corrected indentation of routes inserted by the routes generator.
+- Corrected indentation of `include Clearance::User` when the install generator
+  adds it to an existing user class.
+
+[1.12.0]: https://github.com/thoughtbot/clearance/compare/v1.11.0...v1.12.0
+
+## [1.11.0] - August 21, 2015
+
+### Added
+- Add `sign_in` and `sign_in_as` helper methods to view specs. These helpers
+  avoid errors from verified partial doubles that come from. See
+  [462c009].
+
+### Fixed
+- `clearance:routes` generator now properly disables internal routes in your
+  Clearance initializer.
+- Clearance now accesses the cookie jar via ActionDispatch::Request rather than
+  `Rack::Request`. This is more consistent with what Rails does internally.
+
+### Deprecated
+- `Clearance::Testing::Helpers` has been deprecated in favor of
+  `Clearance::Testing::ControllerHelpers`. Most users are accessing these
+  helpers by requiring `clearance/rspec` or `clearance/test_unit` and should be
+  unaffected.
+
+[462c009]: https://github.com/thoughtbot/clearance/commit/462c00965c14b2492500fbb4fecd7b84b9790bb9
+[1.11.0]: https://github.com/thoughtbot/clearance/compare/v1.10.1...v1.11.0
 
 ## [1.10.1] - May 15, 2015
 
@@ -203,7 +373,6 @@ complete changelog, see the git history.
 
 [1.1.0]: https://github.com/thoughtbot/clearance/compare/v1.0.1...v1.1.0
 
-
 ## [1.0.1] - August 9, 2013
 
 ### Fixed