clearance 1.17.0 → 2.2.0

data/config/routes.rb

@@ -13,7 +13,7 @@ if Clearance.configuration.routes_enabled?
       only: Clearance.configuration.user_actions do
         resource :password,
           controller: 'clearance/passwords',
-          only: [:create, :edit, :update]
+          only: [:edit, :update]
       end
 
     get '/sign_in' => 'clearance/sessions#new', as: 'sign_in'

data/gemfiles/rails_5.0.gemfile

@@ -3,19 +3,18 @@
 source "https://rubygems.org"
 
 gem "addressable", "~> 2.6.0"
-gem "appraisal"
 gem "ammeter"
-gem "bundler", "~> 1.3"
+gem "appraisal"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_bot_rails", "~> 5.0"
 gem "nokogiri", "~> 1.10.0"
-gem "rspec-rails", "~> 3.1"
-gem "shoulda-matchers", "~> 4.0"
-gem "sqlite3", "~> 1.3.13"
-gem "timecop", "~> 0.6"
 gem "pry", require: false
+gem "shoulda-matchers", "~> 4.1"
+gem "timecop", "~> 0.6"
 gem "railties", "~> 5.0.0"
 gem "rails-controller-testing"
+gem "sqlite3", "~> 1.3.13"
+gem "rspec-rails", "~> 3.1"
 
 gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -3,19 +3,18 @@
 source "https://rubygems.org"
 
 gem "addressable", "~> 2.6.0"
-gem "appraisal"
 gem "ammeter"
-gem "bundler", "~> 1.3"
+gem "appraisal"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_bot_rails", "~> 5.0"
 gem "nokogiri", "~> 1.10.0"
-gem "rspec-rails", "~> 3.1"
-gem "shoulda-matchers", "~> 4.0"
-gem "sqlite3", "~> 1.3.13"
-gem "timecop", "~> 0.6"
 gem "pry", require: false
+gem "shoulda-matchers", "~> 4.1"
+gem "timecop", "~> 0.6"
 gem "railties", "~> 5.1.0"
 gem "rails-controller-testing"
+gem "sqlite3", "~> 1.3.13"
+gem "rspec-rails", "~> 3.1"
 
 gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -3,19 +3,18 @@
 source "https://rubygems.org"
 
 gem "addressable", "~> 2.6.0"
-gem "appraisal"
 gem "ammeter"
-gem "bundler", "~> 1.3"
+gem "appraisal"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_bot_rails", "~> 5.0"
 gem "nokogiri", "~> 1.10.0"
-gem "rspec-rails", "~> 3.1"
-gem "shoulda-matchers", "~> 4.0"
-gem "sqlite3", "~> 1.3.13"
-gem "timecop", "~> 0.6"
 gem "pry", require: false
+gem "shoulda-matchers", "~> 4.1"
+gem "timecop", "~> 0.6"
 gem "railties", "~> 5.2.0"
 gem "rails-controller-testing"
+gem "sqlite3", "~> 1.3.13"
+gem "rspec-rails", "~> 3.1"
 
 gemspec path: "../"

data/gemfiles/{rails_4.2.gemfile → rails_6.0.gemfile}

@@ -3,18 +3,18 @@
 source "https://rubygems.org"
 
 gem "addressable", "~> 2.6.0"
-gem "appraisal"
 gem "ammeter"
-gem "bundler", "~> 1.3"
+gem "appraisal"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_bot_rails", "~> 5.0"
 gem "nokogiri", "~> 1.10.0"
-gem "rspec-rails", "~> 3.1"
-gem "shoulda-matchers", "~> 4.0"
-gem "sqlite3", "~> 1.3.13"
-gem "timecop", "~> 0.6"
 gem "pry", require: false
-gem "railties", "~> 4.2.0"
+gem "shoulda-matchers", "~> 4.1"
+gem "timecop", "~> 0.6"
+gem "railties", "~> 6.0.0"
+gem "rails-controller-testing"
+gem "rspec-rails", "~> 4.0.0.beta3"
+gem "sqlite3", "~> 1.4.0"
 
 gemspec path: "../"

data/lib/clearance.rb

@@ -10,12 +10,4 @@ require 'clearance/password_strategies'
 require 'clearance/constraints'
 
 module Clearance
-  # @deprecated Use `Gem::Specification` API if you need to access Clearance's
-  #   Gem root.
-  def self.root
-    warn "#{Kernel.caller.first}: [DEPRECATION] `Clearance.root` is " +
-      "deprecated and will be removed in the next major release. If you need " +
-      "to find Clearance's root, you can use the `Gem::Specification` API."
-    File.expand_path('../..', __FILE__)
-  end
 end

data/lib/clearance/authentication.rb

@@ -10,7 +10,6 @@ module Clearance
       private(
         :authenticate,
         :current_user,
-        :current_user=,
         :handle_unverified_request,
         :sign_in,
         :sign_out,
@@ -40,13 +39,6 @@ module Clearance
       clearance_session.current_user
     end
 
-    # @deprecated Use the {#sign_in} method instead.
-    def current_user=(user)
-      warn "#{Kernel.caller.first}: [DEPRECATION] " +
-        'Assigning the current_user has been deprecated. Use the sign_in method instead.'
-      clearance_session.sign_in user
-    end
-
     # Sign in the provided user.
     # @param [User] user
     #
@@ -67,7 +59,7 @@ module Clearance
     # {SessionsController#create}.
     #
     # Signing in will also regenerate the CSRF token for the current session,
-    # provided {Configuration#rotate_csrf_token_on_sign_in} is set.
+    # provided {Configuration#rotate_csrf_on_sign_in?} is set.
     def sign_in(user, &block)
       clearance_session.sign_in(user, &block)
 

data/lib/clearance/authorization.rb

@@ -3,7 +3,7 @@ module Clearance
     extend ActiveSupport::Concern
 
     included do
-      private :authorize, :deny_access, :require_login
+      private :deny_access, :require_login
     end
 
     # Use as a `before_action` to require a user be signed in to proceed.
@@ -23,15 +23,6 @@ module Clearance
       end
     end
 
-    # @deprecated use {#require_login}
-    def authorize
-      warn "[DEPRECATION] Clearance's `authorize` before_action is " +
-        "deprecated. Use `require_login` instead. Be sure to update any " +
-        "instances of `skip_before_action :authorize` or " +
-        "`skip_before_action :authorize` as well"
-      require_login
-    end
-
     # Responds to unauthorized requests in a manner fitting the request format.
     # `js`, `json`, and `xml` requests will receive a 401 with no body. All
     # other formats will be redirected appropriately and can optionally have the
@@ -63,7 +54,7 @@ module Clearance
       store_location
 
       if flash_message
-        flash[:notice] = flash_message
+        flash[:alert] = flash_message
       end
 
       if signed_in?

data/lib/clearance/back_door.rb

@@ -68,7 +68,7 @@ module Clearance
 
     # @api private
     def environment_is_allowed?
-      allowed_environments.include? ENV["RAILS_ENV"]
+      allowed_environments.include? Rails.env
     end
 
     # @api private

data/lib/clearance/configuration.rb

@@ -42,6 +42,16 @@ module Clearance
     # @return [Boolean]
     attr_accessor :httponly
 
+    # Same-site cookies ("First-Party-Only" or "First-Party") allow servers to
+    # mitigate the risk of CSRF and information leakage attacks by asserting
+    # that a particular cookie should only be sent with requests initiated from
+    # the same registrable domain.
+    # Defaults to `nil`. For more, see
+    # [RFC6265](https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-4.1.1).
+    # and https://github.com/rack/rack/blob/6eda04886e3a57918ca2d6a482fda02a678fef0a/lib/rack/utils.rb#L232-L244
+    # @return [String]
+    attr_accessor :same_site
+
     # Controls the address the password reset email is sent from.
     # Defaults to reply@example.com.
     # @return [String]
@@ -88,7 +98,12 @@ module Clearance
     # The ActiveRecord class that represents users in your application.
     # Defaults to `::User`.
     # @return [ActiveRecord::Base]
-    attr_accessor :user_model
+    attr_writer :user_model
+
+    # The controller class that all Clearance controllers will inherit from.
+    # Defaults to `::ApplicationController`.
+    # @return [ActionController::Base]
+    attr_writer :parent_controller
 
     # The array of allowed environments where `Clearance::BackDoor` is enabled.
     # Defaults to ["test", "ci", "development"]
@@ -103,16 +118,27 @@ module Clearance
       @cookie_name = "remember_token"
       @cookie_path = '/'
       @httponly = true
+      @same_site = nil
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
-      @rotate_csrf_on_sign_in = nil
+      @rotate_csrf_on_sign_in = true
       @routes = true
       @secure_cookie = false
       @sign_in_guards = []
     end
 
+    # The class representing the configured user model.
+    # In the default configuration, this is the `User` class.
+    # @return [Class]
     def user_model
-      @user_model ||= ::User
+      (@user_model || "User").to_s.constantize
+    end
+
+    # The class representing the configured base controller.
+    # In the default configuration, this is the `ApplicationController` class.
+    # @return [Class]
+    def parent_controller
+      (@parent_controller || "ApplicationController").to_s.constantize
     end
 
     # Is the user sign up route enabled?
@@ -167,22 +193,7 @@ module Clearance
     end
 
     def rotate_csrf_on_sign_in?
-      if rotate_csrf_on_sign_in.nil?
-        warn <<-EOM.squish
-          Clearance's `rotate_csrf_on_sign_in` configuration setting is unset and
-          will be treated as `false`. Setting this value to `true` is
-          recommended to avoid session fixation attacks and will be the default
-          in Clearance 2.0. It is recommended that you opt-in to this setting
-          now and test your application. To silence this warning, set
-          `rotate_csrf_on_sign_in` to `true` or `false` in Clearance's
-          initializer.
-
-          For more information on session fixation, see:
-            https://www.owasp.org/index.php/Session_fixation
-        EOM
-      end
-
-      rotate_csrf_on_sign_in
+      !!rotate_csrf_on_sign_in
     end
   end
 

data/lib/clearance/password_strategies.rb

@@ -13,10 +13,11 @@ module Clearance
   # `password=(new_password)`. For an example of how to implement these methods,
   # see {Clearance::PasswordStrategies::BCrypt}.
   module PasswordStrategies
-    autoload :BCrypt, 'clearance/password_strategies/bcrypt'
+    autoload :BCrypt, "clearance/password_strategies/bcrypt"
+    autoload :Argon2, "clearance/password_strategies/argon2"
     autoload :BCryptMigrationFromSHA1,
-      'clearance/password_strategies/bcrypt_migration_from_sha1'
-    autoload :Blowfish, 'clearance/password_strategies/blowfish'
-    autoload :SHA1, 'clearance/password_strategies/sha1'
+             "clearance/password_strategies/bcrypt_migration_from_sha1"
+    autoload :Blowfish, "clearance/password_strategies/blowfish"
+    autoload :SHA1, "clearance/password_strategies/sha1"
   end
 end

data/lib/clearance/password_strategies/argon2.rb

@@ -0,0 +1,23 @@
+module Clearance
+  module PasswordStrategies
+    # Uses Argon2 to authenticate users and store encrypted passwords.
+
+    module Argon2
+      require "argon2"
+
+      def authenticated?(password)
+        if encrypted_password.present?
+          ::Argon2::Password.verify_password(password, encrypted_password)
+        end
+      end
+
+      def password=(new_password)
+        @password = new_password
+
+        if new_password.present?
+          self.encrypted_password = ::Argon2::Password.new.create(new_password)
+        end
+      end
+    end
+  end
+end

data/lib/clearance/password_strategies/bcrypt.rb

@@ -2,10 +2,14 @@ module Clearance
   module PasswordStrategies
     # Uses BCrypt to authenticate users and store encrypted passwords.
     #
-    # The BCrypt cost (the measure of how many key expansion iterations BCrypt
-    # will perform) is automatically set to the minimum allowed value when
-    # Rails is operating in the test environment and the default cost in all
-    # other envionments. This provides a speed boost in tests.
+    # BCrypt has a `cost` argument which determines how computationally
+    # expensive the hash is to calculate. The higher the cost, the harder it is
+    # for attackers to crack passwords even if they posess a database dump of
+    # the encrypted passwords. Clearance uses the `bcrypt-ruby` default cost
+    # except in the test environment, where it uses the minimum cost value for
+    # speed. If you wish to increase the cost over the default, you can do so
+    # by setting a higher cost in an initializer:
+    # `BCrypt::Engine.cost = 12`
     module BCrypt
       require 'bcrypt'
 
@@ -19,18 +23,20 @@ module Clearance
         @password = new_password
 
         if new_password.present?
-          cost = if defined?(::Rails) && ::Rails.env.test?
-                   ::BCrypt::Engine::MIN_COST
-                 else
-                   ::BCrypt::Engine::DEFAULT_COST
-                 end
-
           self.encrypted_password = ::BCrypt::Password.create(
             new_password,
-            cost: cost,
+            cost: configured_bcrypt_cost,
           )
         end
       end
+
+      def configured_bcrypt_cost
+        if defined?(::Rails) && ::Rails.env.test?
+          ::BCrypt::Engine::MIN_COST
+        else
+          ::BCrypt::Engine.cost
+        end
+      end
     end
   end
 end

data/lib/clearance/rack_session.rb

@@ -21,7 +21,11 @@ module Clearance
       session = Clearance::Session.new(env)
       env[:clearance] = session
       response = @app.call(env)
-      session.add_cookie_to_headers response[1]
+
+      if session.authentication_successful?
+        session.add_cookie_to_headers response[1]
+      end
+
       response
     end
   end

data/lib/clearance/session.rb

@@ -81,7 +81,7 @@ module Clearance
       end
 
       @current_user = nil
-      cookies.delete remember_token_cookie
+      cookies.delete remember_token_cookie, delete_cookie_options
     end
 
     # True if {#current_user} is set.
@@ -98,6 +98,13 @@ module Clearance
       ! signed_in?
     end
 
+    # True if a successful authentication has been performed
+    #
+    # @return [Boolean]
+    def authentication_successful?
+      !!@current_user
+    end
+
     private
 
     # @api private
@@ -112,15 +119,7 @@ module Clearance
 
     # @api private
     def remember_token_expires
-      if expires_configuration.arity == 1
-        expires_configuration.call(cookies)
-      else
-        warn "#{Kernel.caller.first}: [DEPRECATION] " +
-          'Clearance.configuration.cookie_expiration lambda with no parameters ' +
-          'has been deprecated and will be removed from a future release. The ' +
-          'lambda should accept the collection of previously set cookies.'
-        expires_configuration.call
-      end
+      expires_configuration.call(cookies)
     end
 
     # @api private
@@ -155,20 +154,49 @@ module Clearance
       guards = Clearance.configuration.sign_in_guards
 
       guards.inject(default_guard) do |stack, guard_class|
-        guard_class.new(self, stack)
+        guard_class.to_s.constantize.new(self, stack)
       end
     end
 
     # @api private
     def cookie_options
       {
-        domain: Clearance.configuration.cookie_domain,
+        domain: domain,
         expires: remember_token_expires,
         httponly: Clearance.configuration.httponly,
+        same_site: Clearance.configuration.same_site,
         path: Clearance.configuration.cookie_path,
         secure: Clearance.configuration.secure_cookie,
         value: remember_token,
       }
     end
+
+    # @api private
+    def delete_cookie_options
+      Hash.new.tap do |options|
+        if configured_cookie_domain
+          options[:domain] = configured_cookie_domain
+        end
+      end
+    end
+
+    # @api private
+    def domain
+      if configured_cookie_domain.respond_to?(:call)
+        configured_cookie_domain.call(request_with_env)
+      else
+        configured_cookie_domain
+      end
+    end
+
+    # @api private
+    def configured_cookie_domain
+      Clearance.configuration.cookie_domain
+    end
+
+    # @api private
+    def request_with_env
+      ActionDispatch::Request.new(@env)
+    end
   end
 end