clearance 1.17.0 → 2.2.0

data/spec/password_strategies/bcrypt_spec.rb

@@ -22,10 +22,23 @@ describe Clearance::PasswordStrategies::BCrypt do
 
       expect(BCrypt::Password).to have_received(:create).with(
         password,
-        cost: ::BCrypt::Engine::DEFAULT_COST
+        cost: ::BCrypt::Engine::DEFAULT_COST,
       )
     end
 
+    it "uses an explicity configured BCrypt cost" do
+      stub_bcrypt_cost(8)
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(8)
+    end
+
+    it "uses the default BCrypt cost value implicitly" do
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(BCrypt::Engine::DEFAULT_COST)
+    end
+
     it "encrypts with BCrypt using minimum cost in test environment" do
       stub_bcrypt_password
       model_instance = fake_model_with_bcrypt_strategy
@@ -42,6 +55,10 @@ describe Clearance::PasswordStrategies::BCrypt do
       allow(BCrypt::Password).to receive(:create).and_return(encrypted_password)
     end
 
+    def stub_bcrypt_cost(cost)
+      allow(BCrypt::Engine).to receive(:cost).and_return(cost)
+    end
+
     def encrypted_password
       @encrypted_password ||= double("encrypted password")
     end

data/spec/requests/authentication_cookie_spec.rb

@@ -0,0 +1,55 @@
+require "spec_helper"
+
+class PagesController < ApplicationController
+  include Clearance::Controller
+  before_action :require_login, only: :private
+
+  # A page requiring user authentication
+  def private
+    head :ok
+  end
+
+  # A page that does not require user authentication
+  def public
+    head :ok
+  end
+end
+
+describe "Authentication cookies in the response" do
+  before do
+    draw_test_routes
+    create_user_and_sign_in
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "are not present if the request does not authenticate" do
+    get public_path
+
+    expect(headers["Set-Cookie"]).to be_nil
+  end
+
+  it "are present if the request does authenticate" do
+    get private_path
+
+    expect(headers["Set-Cookie"]).to match(/remember_token=/)
+  end
+
+  def draw_test_routes
+    Rails.application.routes.draw do
+      get "/private" => "pages#private", as: :private
+      get "/public" => "pages#public", as: :public
+      resource :session, controller: "clearance/sessions", only: [:create]
+    end
+  end
+
+  def create_user_and_sign_in
+    user = create(:user, password: "password")
+
+    post session_path, params: {
+      session: { email: user.email, password: "password" },
+    }
+  end
+end

data/spec/requests/token_expiration_spec.rb

@@ -3,10 +3,15 @@ require "spec_helper"
 describe "Token expiration" do
   describe "after signing in" do
     before do
+      Timecop.freeze
       create_user_and_sign_in
       @initial_cookies = remember_token_cookies
     end
 
+    after do
+      Timecop.return
+    end
+
     it "should have a remember_token cookie with a future expiration" do
       expect(first_cookie.expires).to be_between(
         1.years.from_now - 1.second,

data/spec/spec_helper.rb

@@ -29,12 +29,10 @@ RSpec.configure do |config|
 
   config.before { restore_default_warning_free_config }
 
-  if Rails::VERSION::MAJOR >= 5
-    require 'rails-controller-testing'
-    config.include Rails::Controller::Testing::TestProcess
-    config.include Rails::Controller::Testing::TemplateAssertions
-    config.include Rails::Controller::Testing::Integration
-  end
+  require 'rails-controller-testing'
+  config.include Rails::Controller::Testing::TestProcess
+  config.include Rails::Controller::Testing::TemplateAssertions
+  config.include Rails::Controller::Testing::Integration
 end
 
 Shoulda::Matchers.configure do |config|
@@ -48,5 +46,4 @@ end
 
 def restore_default_warning_free_config
   Clearance.configuration = nil
-  Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
 end

data/spec/support/generator_spec_helpers.rb

@@ -18,7 +18,7 @@ module GeneratorSpecHelpers
   end
 
   def provide_existing_user_class
-    copy_to_generator_root("app/models", versionize_template("user.rb"))
+    copy_to_generator_root("app/models", "user.rb")
     allow(File).to receive(:exist?).and_call_original
     allow(File).to receive(:exist?).with("app/models/user.rb").and_return(true)
   end
@@ -32,14 +32,6 @@ module GeneratorSpecHelpers
     FileUtils.mkdir_p(destination)
     FileUtils.cp(template_file, destination)
   end
-
-  def versionize_template(template_file)
-    if Rails.version >= "5.0.0"
-      template_file = ["rails5", template_file].join("/")
-    end
-
-    template_file
-  end
 end
 
 RSpec.configure do |config|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Dan Croak
@@ -22,10 +22,10 @@ authors:
 - Jason Morrison
 - Galen Frechette
 - Josh Steiner
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-04-11 00:00:00.000000000 Z
+date: 2020-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -33,85 +33,110 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.1
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: email_validator
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: actionmailer
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '3.1'
-description: Rails authentication & authorization with email & password.
+        version: '5.0'
+description: |2
+      Clearance is built to support authentication and authorization via an
+      email/password sign-in mechanism in applications.
+
+      It provides some core classes commonly used for these features, along with
+      some opinionated defaults - but is intended to be easy to override.
 email: support@thoughtbot.com
 executables: []
 extensions: []
@@ -137,7 +162,6 @@ files:
 - app/mailers/clearance_mailer.rb
 - app/views/clearance_mailer/change_password.html.erb
 - app/views/clearance_mailer/change_password.text.erb
-- app/views/layouts/application.html.erb
 - app/views/passwords/create.html.erb
 - app/views/passwords/edit.html.erb
 - app/views/passwords/new.html.erb
@@ -154,10 +178,10 @@ files:
 - config/routes.rb
 - db/migrate/20110111224543_create_clearance_users.rb
 - db/schema.rb
-- gemfiles/rails_4.2.gemfile
 - gemfiles/rails_5.0.gemfile
 - gemfiles/rails_5.1.gemfile
 - gemfiles/rails_5.2.gemfile
+- gemfiles/rails_6.0.gemfile
 - lib/clearance.rb
 - lib/clearance/authentication.rb
 - lib/clearance/authorization.rb
@@ -170,20 +194,16 @@ files:
 - lib/clearance/default_sign_in_guard.rb
 - lib/clearance/engine.rb
 - lib/clearance/password_strategies.rb
+- lib/clearance/password_strategies/argon2.rb
 - lib/clearance/password_strategies/bcrypt.rb
-- lib/clearance/password_strategies/bcrypt_migration_from_sha1.rb
-- lib/clearance/password_strategies/blowfish.rb
-- lib/clearance/password_strategies/sha1.rb
 - lib/clearance/rack_session.rb
 - lib/clearance/rspec.rb
 - lib/clearance/session.rb
 - lib/clearance/session_status.rb
 - lib/clearance/sign_in_guard.rb
 - lib/clearance/test_unit.rb
-- lib/clearance/testing.rb
 - lib/clearance/testing/controller_helpers.rb
 - lib/clearance/testing/deny_access_matcher.rb
-- lib/clearance/testing/helpers.rb
 - lib/clearance/testing/view_helpers.rb
 - lib/clearance/token.rb
 - lib/clearance/user.rb
@@ -210,12 +230,12 @@ files:
 - lib/generators/clearance/views/views_generator.rb
 - spec/acceptance/clearance_installation_spec.rb
 - spec/app_templates/app/controllers/application_controller.rb
-- spec/app_templates/app/models/rails5/user.rb
 - spec/app_templates/app/models/user.rb
 - spec/app_templates/config/initializers/clearance.rb
 - spec/app_templates/config/routes.rb
 - spec/app_templates/testapp/Gemfile
 - spec/app_templates/testapp/app/controllers/home_controller.rb
+- spec/app_templates/testapp/app/views/layouts/application.html.erb
 - spec/app_templates/testapp/config/initializers/action_mailer.rb
 - spec/app_templates/testapp/config/routes.rb
 - spec/clearance/back_door_spec.rb
@@ -227,6 +247,7 @@ files:
 - spec/clearance/session_spec.rb
 - spec/clearance/sign_in_guard_spec.rb
 - spec/clearance/testing/controller_helpers_spec.rb
+- spec/clearance/testing/deny_access_matcher_spec.rb
 - spec/clearance/testing/view_helpers_spec.rb
 - spec/clearance/token_spec.rb
 - spec/configuration_spec.rb
@@ -250,11 +271,10 @@ files:
 - spec/helpers/helper_helpers_spec.rb
 - spec/mailers/clearance_mailer_spec.rb
 - spec/models/user_spec.rb
-- spec/password_strategies/bcrypt_migration_from_sha1_spec.rb
+- spec/password_strategies/argon2_spec.rb
 - spec/password_strategies/bcrypt_spec.rb
-- spec/password_strategies/blowfish_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
-- spec/password_strategies/sha1_spec.rb
+- spec/requests/authentication_cookie_spec.rb
 - spec/requests/cookie_options_spec.rb
 - spec/requests/csrf_rotation_spec.rb
 - spec/requests/password_maintenance_spec.rb
@@ -263,18 +283,16 @@ files:
 - spec/spec_helper.rb
 - spec/support/clearance.rb
 - spec/support/cookies.rb
-- spec/support/environment.rb
 - spec/support/fake_model_with_password_strategy.rb
 - spec/support/fake_model_without_password_strategy.rb
 - spec/support/generator_spec_helpers.rb
-- spec/support/http_method_shim.rb
 - spec/support/request_with_remember_token.rb
 - spec/views/view_helpers_spec.rb
 homepage: https://github.com/thoughtbot/clearance
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -283,15 +301,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.9.2
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.
 test_files: []

data/app/views/layouts/application.html.erb

@@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <%= csrf_meta_tag %>
-</head>
-<body>
-  <div id="header">
-    <% if signed_in? -%>
-      <%= button_to t(".sign_out"), sign_out_path, method: :delete %>
-    <% else -%>
-      <%= link_to t(".sign_in"), sign_in_path %>
-    <% end -%>
-  </div>
-
-  <div id="flash">
-    <% flash.each do |key, value| -%>
-      <div id="flash_<%= key %>"><%=h value %></div>
-    <% end %>
-  </div>
-
-  <%= yield %>
-</body>
-</html>

data/lib/clearance/password_strategies/bcrypt_migration_from_sha1.rb

@@ -1,77 +0,0 @@
-module Clearance
-  module PasswordStrategies
-    # @deprecated Use {BCrypt} or `clearance-deprecated_password_strategies` gem
-    module BCryptMigrationFromSHA1
-      DEPRECATION_MESSAGE = "[DEPRECATION] The BCryptMigrationFromSha1 " \
-        "password strategy has been deprecated and will be removed from " \
-        "Clearance 2.0. BCrypt is the only officially supported strategy, " \
-        "though you are free to provide your own. To continue using this " \
-        "strategy, add clearance-deprecated_password_strategies to your " \
-        "Gemfile."
-
-      # @api private
-      class BCryptUser
-        include Clearance::PasswordStrategies::BCrypt
-
-        def initialize(user)
-          @user = user
-        end
-
-        delegate :encrypted_password, :encrypted_password=, to: :@user
-      end
-
-      # @api private
-      class SHA1User
-        include Clearance::PasswordStrategies::SHA1
-
-        def initialize(user)
-          @user = user
-        end
-
-        delegate :salt, :salt=, :encrypted_password, :encrypted_password=, to: :@user
-      end
-
-      # @deprecated Use {BCrypt} or `clearance-deprecated_password_strategies`
-      #   gem
-      def authenticated?(password)
-        warn "#{Kernel.caller.first}: #{DEPRECATION_MESSAGE}"
-        authenticated_with_sha1?(password) || authenticated_with_bcrypt?(password)
-      end
-
-      # @deprecated Use {BCrypt} or `clearance-deprecated_password_strategies`
-      #   gem
-      def password=(new_password)
-        warn "#{Kernel.caller.first}: #{DEPRECATION_MESSAGE}"
-        @password = new_password
-        BCryptUser.new(self).password = new_password
-      end
-
-      private
-
-      # @api private
-      def authenticated_with_bcrypt?(password)
-        begin
-          BCryptUser.new(self).authenticated? password
-        rescue ::BCrypt::Errors::InvalidHash
-          false
-        end
-      end
-
-      # @api private
-      def authenticated_with_sha1?(password)
-        if sha1_password?
-          if SHA1User.new(self).authenticated? password
-            self.password = password
-            self.save
-            true
-          end
-        end
-      end
-
-      # @api private
-      def sha1_password?
-        self.encrypted_password =~ /^[a-f0-9]{40}$/
-      end
-    end
-  end
-end