clearance 1.17.0 → 2.2.0

data/lib/clearance/testing/deny_access_matcher.rb

@@ -8,7 +8,7 @@ module Clearance
     module Matchers
       # The `deny_access` matcher is used to assert that a
       #   request is denied access by clearance.
-      # @option opts [String] :flash The expected flash notice message. Defaults
+      # @option opts [String] :flash The expected flash alert message. Defaults
       #   to nil, which means the flash will not be checked.
       # @option opts [String] :redirect The expected redirect url. Defaults to
       #   `'/'` if signed in or the `sign_in_url` if signed out.
@@ -78,16 +78,8 @@ module Clearance
           @controller.request.env[:clearance]
         end
 
-        def flash_notice
-          @controller.flash[:notice]
-        end
-
-        def flash_notice_value
-          if flash_notice.respond_to?(:values)
-            flash_notice.values.first
-          else
-            flash_notice
-          end
+        def flash_alert_value
+          @controller.flash[:alert]
         end
 
         def redirects_to_url?
@@ -107,16 +99,14 @@ module Clearance
         def sets_the_flash?
           if @flash.blank?
             true
+          elsif flash_alert_value == @flash
+            @failure_message_when_negated <<
+              "Didn't expect to set the flash to #{@flash}"
+            true
           else
-            if flash_notice_value == @flash
-              @failure_message_when_negated <<
-                "Didn't expect to set the flash to #{@flash}"
-              true
-            else
-              @failure_message << "Expected the flash to be set to #{@flash} "\
-                "but was #{flash_notice_value}"
-              false
-            end
+            @failure_message << "Expected the flash to be set to #{@flash} "\
+              "but was #{flash_alert_value}"
+            false
           end
         end
       end

data/lib/clearance/user.rb

@@ -47,9 +47,6 @@ module Clearance
   #   @return [String] The value used to identify this user in the password
   #     reset link.
   #
-  # @!attribute password_changing
-  #   @deprecated Dirty tracking is now handled automatically.
-  #
   # @!attribute [r] password
   #   @return [String] Transient (non-persisted) attribute that is set when
   #     updating a user's password. Only the {#encrypted_password} is persisted.
@@ -63,7 +60,7 @@ module Clearance
   #   @see PasswordStrategies
   #   @return [void]
   #
-  # @!method authenticated?
+  # @!method authenticated?(password)
   #   Check's the provided password against the user's encrypted password using
   #   the configured password strategy. By default, this will be
   #   {PasswordStrategies::BCrypt#authenticated?}, but can be changed with
@@ -111,24 +108,6 @@ module Clearance
         encrypted_password_will_change!
         super
       end
-
-      def password_changing
-        warn "#{Kernel.caller.first}: [DEPRECATION] " \
-          "The `password_changing` attribute is deprecated. Clearance uses " \
-          "the dirty state of the `encrypted_password` field to track this " \
-          "automatically."
-
-        @password_changing
-      end
-
-      def password_changing=(value)
-        warn "#{Kernel.caller.first}: [DEPRECATION] " \
-          "The `password_changing` attribute is deprecated. Clearance uses " \
-          "the dirty state of the `encrypted_password` field to track this " \
-          "automatically."
-
-        @password_changing = value
-      end
     end
 
     # @api private
@@ -142,7 +121,7 @@ module Clearance
       end
 
       def find_by_normalized_email(email)
-        find_by_email normalize_email(email)
+        find_by(email: normalize_email(email))
       end
 
       def normalize_email(email)
@@ -164,7 +143,7 @@ module Clearance
         validates :email,
           email: { strict_mode: true },
           presence: true,
-          uniqueness: { allow_blank: true },
+          uniqueness: { allow_blank: true, case_sensitive: false },
           unless: :email_optional?
 
         validates :password, presence: true, unless: :skip_password_validation?

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "1.17.0".freeze
+  VERSION = "2.2.0".freeze
 end

data/lib/generators/clearance/install/install_generator.rb

@@ -102,11 +102,7 @@ module Clearance
       end
 
       def users_table_exists?
-        if ActiveRecord::Base.connection.respond_to?(:data_source_exists?)
-          ActiveRecord::Base.connection.data_source_exists?(:users)
-        else
-          ActiveRecord::Base.connection.table_exists?(:users)
-        end
+        ActiveRecord::Base.connection.data_source_exists?(:users)
       end
 
       def existing_users_columns
@@ -123,17 +119,21 @@ module Clearance
       end
 
       def migration_version
-        if Rails.version >= "5.0.0"
-          "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+      end
+
+      def migration_primary_key_type_string
+        if configured_key_type
+          ", id: :#{configured_key_type}"
         end
       end
 
+      def configured_key_type
+        Rails.configuration.generators.active_record[:primary_key_type]
+      end
+
       def models_inherit_from
-        if Rails.version >= "5.0.0"
-          "ApplicationRecord"
-        else
-          "ActiveRecord::Base"
-        end
+        "ApplicationRecord"
       end
     end
   end

data/lib/generators/clearance/install/templates/README

@@ -8,9 +8,11 @@ Next steps:
     # config/environments/{development,test}.rb
     config.action_mailer.default_url_options = { host: 'localhost:3000' }
 
-    In production it should be your app's domain name.
+    In the production environment it should be your application's full hostname.
 
-2. Display user session and flashes. For example, in your application layout:
+2. Display user session status.
+
+    From somewhere in your layout, render sign in and sign out buttons:
 
     <% if signed_in? %>
       Signed in as: <%= current_user.email %>
@@ -19,14 +21,18 @@ Next steps:
       <%= link_to 'Sign in', sign_in_path %>
     <% end %>
 
+3. Render the flash contents.
+
+    Make sure the flash is being rendered in your views using something like:
+
     <div id="flash">
       <% flash.each do |key, value| %>
         <div class="flash <%= key %>"><%= value %></div>
       <% end %>
     </div>
 
-3. Migrate:
+4. Migrate:
 
-    rails db:migrate
+    Run `rails db:migrate` to add the clearance database changes.
 
 *******************************************************************************

data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb

@@ -13,7 +13,7 @@ class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
     users = select_all("SELECT id FROM users WHERE remember_token IS NULL")
 
     users.each do |user|
-      update <<-SQL
+      update <<-SQL.squish
         UPDATE users
         SET remember_token = '#{Clearance::Token.new}'
         WHERE id = '#{user['id']}'

data/lib/generators/clearance/install/templates/db/migrate/create_users.rb.erb

@@ -1,6 +1,6 @@
 class CreateUsers < ActiveRecord::Migration<%= migration_version %>
   def change
-    create_table :users do |t|
+    create_table :users<%= migration_primary_key_type_string %> do |t|
       t.timestamps null: false
       t.string :email, null: false
       t.string :encrypted_password, limit: 128, null: false

data/lib/generators/clearance/routes/templates/routes.rb

@@ -4,7 +4,7 @@
   resources :users, controller: "clearance/users", only: [:create] do
     resource :password,
       controller: "clearance/passwords",
-      only: [:create, :edit, :update]
+      only: [:edit, :update]
   end
 
   get "/sign_in" => "clearance/sessions#new", as: "sign_in"

data/spec/acceptance/clearance_installation_spec.rb

@@ -36,9 +36,6 @@ describe "Clearance Installation" do
        --skip-keeps
        --skip-sprockets
     CMD
-
-    FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
   end
 
   def testapp_templates
@@ -47,7 +44,6 @@ describe "Clearance Installation" do
 
   def configure_test_app
     FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
     FileUtils.cp_r(testapp_templates, "..")
   end
 

data/spec/app_templates/app/models/user.rb

@@ -1,4 +1,4 @@
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   def previously_existed?
     true
   end

data/spec/app_templates/testapp/app/controllers/home_controller.rb

@@ -1,9 +1,5 @@
 class HomeController < ApplicationController
   def show
-    if Rails::VERSION::MAJOR >= 5
-      render html: "", layout: "application"
-    else
-      render text: "", layout: "application"
-    end
+    render html: "", layout: "application"
   end
 end

data/spec/app_templates/testapp/app/views/layouts/application.html.erb

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <%= javascript_include_tag 'application' %>
+    <%= csrf_meta_tag %>
+  </head>
+  <body>
+    <div id="header">
+      <% if signed_in? -%>
+        <%= button_to t(".sign_out"), sign_out_path, method: :delete %>
+      <% else -%>
+        <%= link_to t(".sign_in"), sign_in_path %>
+      <% end -%>
+    </div>
+
+    <div id="flash">
+      <% flash.each do |key, value| -%>
+        <div id="flash_<%= key %>"><%=h value %></div>
+      <% end %>
+    </div>
+
+    <%= yield %>
+  </body>
+</html>

data/spec/clearance/back_door_spec.rb

@@ -1,9 +1,6 @@
 require "spec_helper"
-require "support/environment"
 
 describe Clearance::BackDoor do
-  include EnvironmentSupport
-
   it "signs in as a given user" do
     user_id = "123"
     user = double("user")
@@ -42,7 +39,7 @@ describe Clearance::BackDoor do
   end
 
   it "can't be used outside the allowed environments" do
-    with_environment("RAILS_ENV" => "production") do
+    with_environment("production") do
       expect { Clearance::BackDoor.new(mock_app) }.
         to raise_exception "Can't use auth backdoor outside of configured \
           environments (test, ci, development).".squish
@@ -55,7 +52,7 @@ describe Clearance::BackDoor do
     end
 
     it "raises an error for a default allowed env" do
-      with_environment("RAILS_ENV" => "test") do
+      with_environment("test") do
         expect { Clearance::BackDoor.new(mock_app) }.
           to raise_exception "BackDoor auth is disabled."
       end
@@ -68,7 +65,7 @@ describe Clearance::BackDoor do
     end
 
     it "can be used with configured allowed environments" do
-      with_environment("RAILS_ENV" => "demo") do
+      with_environment("demo") do
         user_id = "123"
         user = double("user")
         allow(User).to receive(:find).with(user_id).and_return(user)
@@ -100,4 +97,13 @@ describe Clearance::BackDoor do
   def mock_app
     lambda { |env| [200, {}, ["okay"]] }
   end
+
+  def with_environment(environment)
+    original_env = Rails.env
+    Rails.env = environment
+
+    yield
+  ensure
+    Rails.env = original_env
+  end
 end

data/spec/clearance/rack_session_spec.rb

@@ -11,6 +11,8 @@ describe Clearance::RackSession do
     env = Rack::MockRequest.env_for('/')
     expected_session = "the session"
     allow(expected_session).to receive(:add_cookie_to_headers)
+    allow(expected_session).to receive(:authentication_successful?).
+      and_return(true)
     allow(Clearance::Session).to receive(:new).
       with(env).
       and_return(expected_session)

data/spec/clearance/session_spec.rb

@@ -129,6 +129,12 @@ describe Clearance::Session do
 
       def stub_guard_class(guard)
         double("guard_class").tap do |guard_class|
+          allow(guard_class).to receive(:to_s).
+            and_return(guard_class)
+
+          allow(guard_class).to receive(:constantize).
+            and_return(guard_class)
+
           allow(guard_class).to receive(:new).
             with(session, stub_default_sign_in_guard).
             and_return(guard)
@@ -170,6 +176,31 @@ describe Clearance::Session do
     end
   end
 
+  context "if same_site is set" do
+    before do
+      Clearance.configuration.same_site = :lax
+      session.sign_in(user)
+    end
+
+    it "sets a same-site cookie" do
+      session.add_cookie_to_headers(headers)
+
+      expect(headers["Set-Cookie"]).to match(/remember_token=.+; SameSite/)
+    end
+  end
+
+  context "if same_site is not set" do
+    before do
+      session.sign_in(user)
+    end
+
+    it "sets a standard cookie" do
+      session.add_cookie_to_headers(headers)
+
+      expect(headers["Set-Cookie"]).to_not match(/remember_token=.+; SameSite/)
+    end
+  end
+
   describe 'remember token cookie expiration' do
     context 'default configuration' do
       it 'is set to 1 year from now' do
@@ -186,37 +217,6 @@ describe Clearance::Session do
       end
     end
 
-    context 'configured with lambda taking no arguments' do
-      it 'logs a deprecation warning' do
-        expiration = -> { Time.now }
-        with_custom_expiration expiration do
-          session = Clearance::Session.new(env_without_remember_token)
-          session.sign_in user
-          allow(session).to receive(:warn)
-          session.add_cookie_to_headers headers
-
-          expect(session).to have_received(:warn).once
-        end
-      end
-
-      it 'is set to the value of the evaluated lambda' do
-        expires_at = -> { 1.day.from_now }
-        with_custom_expiration expires_at do
-          user = double("User", remember_token: "123abc")
-          headers = {}
-          session = Clearance::Session.new(env_without_remember_token)
-          session.sign_in user
-          allow(session).to receive(:warn)
-          session.add_cookie_to_headers headers
-
-          expect(headers).to set_cookie(
-            'remember_token',
-            user.remember_token, expires_at.call
-          )
-        end
-      end
-    end
-
     context 'configured with lambda taking one argument' do
       it 'it can use other cookies to set the value of the expires token' do
         remembered_expires = 12.hours.from_now
@@ -269,17 +269,31 @@ describe Clearance::Session do
     end
   end
 
-  describe 'cookie domain option' do
-    context 'when set' do
+  describe "cookie domain option" do
+    context "when set" do
       before do
-        Clearance.configuration.cookie_domain = '.example.com'
+        Clearance.configuration.cookie_domain = cookie_domain
         session.sign_in(user)
       end
 
-      it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+      context "with string" do
+        let(:cookie_domain) { ".example.com" }
+
+        it "sets a standard cookie" do
+          session.add_cookie_to_headers(headers)
+
+          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+        end
+      end
+
+      context "with lambda" do
+        let(:cookie_domain) { lambda { |_r| ".example.com" } }
 
-        expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+        it "sets a standard cookie" do
+          session.add_cookie_to_headers(headers)
+
+          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+        end
       end
     end
 
@@ -289,7 +303,7 @@ describe Clearance::Session do
       it 'sets a standard cookie' do
         session.add_cookie_to_headers(headers)
 
-        expect(headers['Set-Cookie']).not_to match(/domain=.+; path/)
+        expect(headers["Set-Cookie"]).not_to match(/domain=.+; path/)
       end
     end
   end
@@ -301,7 +315,7 @@ describe Clearance::Session do
       it 'sets a standard cookie' do
         session.add_cookie_to_headers(headers)
 
-        expect(headers['Set-Cookie']).to_not match(/domain=.+; path/)
+        expect(headers["Set-Cookie"]).to_not match(/domain=.+; path/)
       end
     end
 
@@ -326,14 +340,44 @@ describe Clearance::Session do
     expect(headers["Set-Cookie"]).to be nil
   end
 
-  it 'signs out a user' do
-    user = create(:user)
-    old_remember_token = user.remember_token
-    env = env_with_remember_token(old_remember_token)
-    session = Clearance::Session.new(env)
-    session.sign_out
-    expect(session.current_user).to be_nil
-    expect(user.reload.remember_token).not_to eq old_remember_token
+  describe "#sign_out" do
+    it "signs out a user" do
+      user = create(:user)
+      old_remember_token = user.remember_token
+      env = env_with_remember_token(old_remember_token)
+      session = Clearance::Session.new(env)
+      cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+      expect(cookie_jar.deleted?(:remember_token)).to be false
+
+      session.sign_out
+
+      expect(cookie_jar.deleted?(:remember_token)).to be true
+      expect(session.current_user).to be_nil
+      expect(user.reload.remember_token).not_to eq old_remember_token
+    end
+
+    context "with custom cookie domain" do
+      let(:domain) { ".example.com" }
+
+      before do
+        Clearance.configuration.cookie_domain = domain
+      end
+
+      it "clears cookie" do
+        user = create(:user)
+        env = env_with_remember_token(
+          value: user.remember_token,
+          domain: domain,
+        )
+        session = Clearance::Session.new(env)
+        cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be false
+
+        session.sign_out
+
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
+      end
+    end
   end
 
   def env_with_cookies(cookies)