clearance 2.0.0.beta1 → 2.2.1
- checksums.yaml +4 -4
- data/.travis.yml +8 -14
- data/Appraisals +11 -3
- data/Gemfile +1 -3
- data/Gemfile.lock +91 -86
- data/NEWS.md +86 -4
- data/README.md +54 -28
- data/app/controllers/clearance/base_controller.rb +8 -1
- data/app/controllers/clearance/passwords_controller.rb +23 -5
- data/clearance.gemspec +15 -9
- data/config/locales/clearance.en.yml +1 -0
- data/config/routes.rb +1 -1
- data/gemfiles/rails_5.0.gemfile +3 -3
- data/gemfiles/rails_5.1.gemfile +3 -3
- data/gemfiles/rails_5.2.gemfile +3 -3
- data/gemfiles/{rails_4.2.gemfile → rails_6.0.gemfile} +5 -4
- data/lib/clearance/authentication.rb +1 -1
- data/lib/clearance/back_door.rb +1 -1
- data/lib/clearance/configuration.rb +30 -19
- data/lib/clearance/password_strategies.rb +5 -4
- data/lib/clearance/password_strategies/argon2.rb +23 -0
- data/lib/clearance/password_strategies/bcrypt.rb +17 -11
- data/lib/clearance/rack_session.rb +5 -1
- data/lib/clearance/session.rb +39 -3
- data/lib/clearance/testing/deny_access_matcher.rb +1 -5
- data/lib/clearance/user.rb +12 -3
- data/lib/clearance/version.rb +1 -1
- data/lib/generators/clearance/install/install_generator.rb +11 -7
- data/lib/generators/clearance/install/templates/README +10 -4
- data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb +1 -1
- data/lib/generators/clearance/install/templates/db/migrate/create_users.rb.erb +1 -1
- data/lib/generators/clearance/routes/templates/routes.rb +1 -1
- data/spec/acceptance/clearance_installation_spec.rb +0 -4
- data/spec/app_templates/app/models/user.rb +1 -1
- data/spec/app_templates/testapp/app/controllers/home_controller.rb +1 -5
- data/spec/app_templates/testapp/app/views/layouts/application.html.erb +24 -0
- data/spec/clearance/back_door_spec.rb +12 -6
- data/spec/clearance/rack_session_spec.rb +2 -0
- data/spec/clearance/session_spec.rb +91 -16
- data/spec/clearance/testing/deny_access_matcher_spec.rb +32 -0
- data/spec/configuration_spec.rb +46 -15
- data/spec/controllers/passwords_controller_spec.rb +36 -0
- data/spec/controllers/permissions_controller_spec.rb +1 -1
- data/spec/dummy/app/controllers/application_controller.rb +1 -5
- data/spec/dummy/application.rb +7 -1
- data/spec/generators/clearance/install/install_generator_spec.rb +31 -6
- data/spec/generators/clearance/views/views_generator_spec.rb +0 -2
- data/spec/models/user_spec.rb +34 -5
- data/spec/password_strategies/argon2_spec.rb +79 -0
- data/spec/password_strategies/bcrypt_spec.rb +18 -1
- data/spec/requests/authentication_cookie_spec.rb +55 -0
- data/spec/requests/token_expiration_spec.rb +5 -0
- data/spec/spec_helper.rb +4 -7
- data/spec/support/generator_spec_helpers.rb +1 -9
- metadata +52 -26
- data/app/views/layouts/application.html.erb +0 -23
- data/spec/app_templates/app/models/rails5/user.rb +0 -5
- data/spec/support/environment.rb +0 -12
- data/spec/support/http_method_shim.rb +0 -25
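--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 54c7e8cc7022fa2b109ce9834c1b27752a4b84b4acbe2f65728ecc66119ad8a1
+data.tar.gz: d7ee7f5c36b5feeb71799e791c283ca9644984cd5eb0cdcbefdd3882f9c726ba
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 754bdef335e4cfdc4239cf96f923847ee4330053eae153a69e19be7fa91d96641e1b8465d223d2c88858758c14eab9485147a95dbe792bed23a690b54e07cbd1
+data.tar.gz: eb2c85479b87c42ee2f5e1824a07b55b8a72104fd690d01262182257bedfec12d33ade009acd9b01320a9ca1d26a1a8b5a511585a5e45f607a695cac23d5fd9f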
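--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -4,19 +4,16 @@ language:
 - ruby
 
 rvm:
-- 2.
-- 2.
-- 2.
-- 2.
+- 2.4.9
+- 2.5.7
+- 2.6.5
+- 2.7.0
 
 gemfile:
-- gemfiles/rails_4.2.gemfile
 - gemfiles/rails_5.0.gemfile
 - gemfiles/rails_5.1.gemfile
 - gemfiles/rails_5.2.gemfile
-
-before_install:
-- gem update --system
+- gemfiles/rails_6.0.gemfile
 
 install:
 - "bin/setup"
@@ -24,11 +21,8 @@ install:
 branches:
 only:
 - master
-- 2.0
 
 matrix:
-
--
-
-
-sudo: false
+exclude:
+- rvm: 2.4.9
+gemfile: gemfiles/rails_6.0.gemfile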
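Review bot: The new `rvm` list keeps Ruby 2.4.9 in the matrix, and Ruby 2.4 reached end of life in early 2020, before the August 2020 date this release carries in NEWS.md; CI is therefore still validating an interpreter that no longer receives security fixes. The `exclude` entry is correct as far as it goes (it only drops 2.4.9 for the rails_6.0 gemfile, which needs a newer Ruby), so the question is one of support policy rather than a broken matrix. Either drop `- 2.4.9` here and raise the floor stated in README.md, or add a comment such as `# 2.4 is EOL; kept only for existing users until the next major release` so the choice is deliberate and visible.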
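--- a/data/Appraisals
+++ b/data/Appraisals
@@ -1,15 +1,23 @@
 rails_versions = %w(
-4.2
 5.0
 5.1
 5.2
+6.0
 )
 
 rails_versions.each do |version|
 appraise "rails_#{version}" do
 gem "railties", "~> #{version}.0"
-
-
+gem "rails-controller-testing"
+
+if Gem::Version.new(version) >= Gem::Version.new("6.0")
+# TODO - Switch to 4.0 gem once release is made
+gem 'rspec-rails', '~> 4.0.0.beta3'
+gem 'sqlite3', '~> 1.4.0'
+else
+gem 'sqlite3', '~> 1.3.13'
+gem 'rspec-rails', '~> 3.1'
 end
+
 end
 end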
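Review bot: The `# TODO - Switch to 4.0 gem once release is made` comment and the `'~> 4.0.0.beta3'` pin in the Rails 6 branch look stale: the Gemfile.lock in this same release already resolves `rspec-rails (4.0.1)`, so the final gem is available and the pre-release constraint can go. Pinning a beta in a long-lived test matrix also means the Rails 6 appraisal exercises a dependency version nobody else will be running. I would replace the two lines with `gem "rspec-rails", "~> 4.0"`, and while here use one quoting style in the block — the existing `gem "railties"` and `gem "rails-controller-testing"` lines use double quotes, the new `sqlite3`/`rspec-rails` lines single quotes.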
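--- a/data/Gemfile
+++ b/data/Gemfile
@@ -10,7 +10,5 @@ gem 'database_cleaner', '~> 1.0'
 gem 'factory_bot_rails', '~> 5.0'
 gem 'nokogiri', '~> 1.10.0'
 gem 'pry', require: false
-gem '
-gem 'shoulda-matchers', '~> 4.0'
-gem 'sqlite3', '~> 1.3.13'
+gem 'shoulda-matchers', '~> 4.1'
 gem 'timecop', '~> 0.6'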
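Review bot: Dropping `gem 'sqlite3', '~> 1.3.13'` from the base Gemfile leaves the default bundle without a database adapter: the updated Gemfile.lock in this release lists no sqlite3 under GEM or DEPENDENCIES, and the only sqlite3 declarations now live in the per-Rails Appraisals branches. If the intent is that specs are always run through Appraisal that is fine, but a plain `bundle exec rspec` against this Gemfile will presumably fail to load the dummy app's database, and nothing in the diff documents that. A one-line comment near the removed line, `# sqlite3 is declared per Rails version in Appraisals; run specs via appraisal`, would make the expectation explicit; the gemspec changes are outside this view, so confirm it does not supply sqlite3 another way.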
data/Gemfile.lock
CHANGED
@@ -1,146 +1,153 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
clearance (2.
|
5
|
-
actionmailer (>=
|
6
|
-
activemodel (>=
|
7
|
-
activerecord (>=
|
8
|
-
|
9
|
-
|
10
|
-
|
4
|
+
clearance (2.2.1)
|
5
|
+
actionmailer (>= 5.0)
|
6
|
+
activemodel (>= 5.0)
|
7
|
+
activerecord (>= 5.0)
|
8
|
+
argon2 (~> 2.0, >= 2.0.2)
|
9
|
+
bcrypt (>= 3.1.1)
|
10
|
+
email_validator (~> 2.0)
|
11
|
+
railties (>= 5.0)
|
11
12
|
|
12
13
|
GEM
|
13
14
|
remote: https://rubygems.org/
|
14
15
|
specs:
|
15
|
-
actionmailer (
|
16
|
-
actionpack (=
|
17
|
-
actionview (=
|
18
|
-
activejob (=
|
16
|
+
actionmailer (6.0.3.2)
|
17
|
+
actionpack (= 6.0.3.2)
|
18
|
+
actionview (= 6.0.3.2)
|
19
|
+
activejob (= 6.0.3.2)
|
19
20
|
mail (~> 2.5, >= 2.5.4)
|
20
21
|
rails-dom-testing (~> 2.0)
|
21
|
-
actionpack (
|
22
|
-
actionview (=
|
23
|
-
activesupport (=
|
24
|
-
rack (~> 2.0)
|
22
|
+
actionpack (6.0.3.2)
|
23
|
+
actionview (= 6.0.3.2)
|
24
|
+
activesupport (= 6.0.3.2)
|
25
|
+
rack (~> 2.0, >= 2.0.8)
|
25
26
|
rack-test (>= 0.6.3)
|
26
27
|
rails-dom-testing (~> 2.0)
|
27
|
-
rails-html-sanitizer (~> 1.0, >= 1.0
|
28
|
-
actionview (
|
29
|
-
activesupport (=
|
28
|
+
rails-html-sanitizer (~> 1.0, >= 1.2.0)
|
29
|
+
actionview (6.0.3.2)
|
30
|
+
activesupport (= 6.0.3.2)
|
30
31
|
builder (~> 3.1)
|
31
32
|
erubi (~> 1.4)
|
32
33
|
rails-dom-testing (~> 2.0)
|
33
|
-
rails-html-sanitizer (~> 1.
|
34
|
-
activejob (
|
35
|
-
activesupport (=
|
34
|
+
rails-html-sanitizer (~> 1.1, >= 1.2.0)
|
35
|
+
activejob (6.0.3.2)
|
36
|
+
activesupport (= 6.0.3.2)
|
36
37
|
globalid (>= 0.3.6)
|
37
|
-
activemodel (
|
38
|
-
activesupport (=
|
39
|
-
activerecord (
|
40
|
-
activemodel (=
|
41
|
-
activesupport (=
|
42
|
-
|
43
|
-
activesupport (5.2.3)
|
38
|
+
activemodel (6.0.3.2)
|
39
|
+
activesupport (= 6.0.3.2)
|
40
|
+
activerecord (6.0.3.2)
|
41
|
+
activemodel (= 6.0.3.2)
|
42
|
+
activesupport (= 6.0.3.2)
|
43
|
+
activesupport (6.0.3.2)
|
44
44
|
concurrent-ruby (~> 1.0, >= 1.0.2)
|
45
45
|
i18n (>= 0.7, < 2)
|
46
46
|
minitest (~> 5.1)
|
47
47
|
tzinfo (~> 1.1)
|
48
|
+
zeitwerk (~> 2.2, >= 2.2.2)
|
48
49
|
addressable (2.6.0)
|
49
50
|
public_suffix (>= 2.0.2, < 4.0)
|
50
51
|
ammeter (1.1.4)
|
51
52
|
activesupport (>= 3.0)
|
52
53
|
railties (>= 3.0)
|
53
54
|
rspec-rails (>= 2.2)
|
54
|
-
appraisal (2.
|
55
|
+
appraisal (2.3.0)
|
55
56
|
bundler
|
56
57
|
rake
|
57
58
|
thor (>= 0.14.0)
|
58
|
-
|
59
|
-
|
60
|
-
|
61
|
-
|
59
|
+
argon2 (2.0.2)
|
60
|
+
ffi (~> 1.9)
|
61
|
+
ffi-compiler (>= 0.1)
|
62
|
+
bcrypt (3.1.13)
|
63
|
+
builder (3.2.4)
|
64
|
+
capybara (3.33.0)
|
62
65
|
addressable
|
63
66
|
mini_mime (>= 0.1.3)
|
64
67
|
nokogiri (~> 1.8)
|
65
68
|
rack (>= 1.6.0)
|
66
69
|
rack-test (>= 0.6.3)
|
67
|
-
regexp_parser (~> 1.
|
70
|
+
regexp_parser (~> 1.5)
|
68
71
|
xpath (~> 3.2)
|
69
|
-
coderay (1.1.
|
70
|
-
concurrent-ruby (1.1.
|
71
|
-
crass (1.0.
|
72
|
-
database_cleaner (1.
|
73
|
-
diff-lcs (1.
|
74
|
-
email_validator (
|
72
|
+
coderay (1.1.3)
|
73
|
+
concurrent-ruby (1.1.6)
|
74
|
+
crass (1.0.6)
|
75
|
+
database_cleaner (1.8.5)
|
76
|
+
diff-lcs (1.4.4)
|
77
|
+
email_validator (2.0.1)
|
75
78
|
activemodel
|
76
|
-
erubi (1.
|
77
|
-
factory_bot (5.0
|
79
|
+
erubi (1.9.0)
|
80
|
+
factory_bot (5.2.0)
|
78
81
|
activesupport (>= 4.2.0)
|
79
|
-
factory_bot_rails (5.0
|
80
|
-
factory_bot (~> 5.
|
82
|
+
factory_bot_rails (5.2.0)
|
83
|
+
factory_bot (~> 5.2.0)
|
81
84
|
railties (>= 4.2.0)
|
85
|
+
ffi (1.13.1)
|
86
|
+
ffi-compiler (1.0.1)
|
87
|
+
ffi (>= 1.0.0)
|
88
|
+
rake
|
82
89
|
globalid (0.4.2)
|
83
90
|
activesupport (>= 4.2.0)
|
84
|
-
i18n (1.
|
91
|
+
i18n (1.8.3)
|
85
92
|
concurrent-ruby (~> 1.0)
|
86
|
-
loofah (2.
|
93
|
+
loofah (2.6.0)
|
87
94
|
crass (~> 1.0.2)
|
88
95
|
nokogiri (>= 1.5.9)
|
89
96
|
mail (2.7.1)
|
90
97
|
mini_mime (>= 0.1.1)
|
91
|
-
method_source (0.
|
92
|
-
mini_mime (1.0.
|
98
|
+
method_source (1.0.0)
|
99
|
+
mini_mime (1.0.2)
|
93
100
|
mini_portile2 (2.4.0)
|
94
|
-
minitest (5.
|
95
|
-
nokogiri (1.10.
|
101
|
+
minitest (5.14.1)
|
102
|
+
nokogiri (1.10.10)
|
96
103
|
mini_portile2 (~> 2.4.0)
|
97
|
-
pry (0.
|
98
|
-
coderay (~> 1.1
|
99
|
-
method_source (~>
|
100
|
-
public_suffix (3.
|
101
|
-
rack (2.
|
104
|
+
pry (0.13.1)
|
105
|
+
coderay (~> 1.1)
|
106
|
+
method_source (~> 1.0)
|
107
|
+
public_suffix (3.1.1)
|
108
|
+
rack (2.2.3)
|
102
109
|
rack-test (1.1.0)
|
103
110
|
rack (>= 1.0, < 3)
|
104
111
|
rails-dom-testing (2.0.3)
|
105
112
|
activesupport (>= 4.2.0)
|
106
113
|
nokogiri (>= 1.6)
|
107
|
-
rails-html-sanitizer (1.0
|
108
|
-
loofah (~> 2.
|
109
|
-
railties (
|
110
|
-
actionpack (=
|
111
|
-
activesupport (=
|
114
|
+
rails-html-sanitizer (1.3.0)
|
115
|
+
loofah (~> 2.3)
|
116
|
+
railties (6.0.3.2)
|
117
|
+
actionpack (= 6.0.3.2)
|
118
|
+
activesupport (= 6.0.3.2)
|
112
119
|
method_source
|
113
120
|
rake (>= 0.8.7)
|
114
|
-
thor (>= 0.
|
115
|
-
rake (
|
116
|
-
regexp_parser (1.
|
117
|
-
rspec-core (3.
|
118
|
-
rspec-support (~> 3.
|
119
|
-
rspec-expectations (3.
|
121
|
+
thor (>= 0.20.3, < 2.0)
|
122
|
+
rake (13.0.1)
|
123
|
+
regexp_parser (1.7.1)
|
124
|
+
rspec-core (3.9.2)
|
125
|
+
rspec-support (~> 3.9.3)
|
126
|
+
rspec-expectations (3.9.2)
|
120
127
|
diff-lcs (>= 1.2.0, < 2.0)
|
121
|
-
rspec-support (~> 3.
|
122
|
-
rspec-mocks (3.
|
128
|
+
rspec-support (~> 3.9.0)
|
129
|
+
rspec-mocks (3.9.1)
|
123
130
|
diff-lcs (>= 1.2.0, < 2.0)
|
124
|
-
rspec-support (~> 3.
|
125
|
-
rspec-rails (
|
126
|
-
actionpack (>=
|
127
|
-
activesupport (>=
|
128
|
-
railties (>=
|
129
|
-
rspec-core (~> 3.
|
130
|
-
rspec-expectations (~> 3.
|
131
|
-
rspec-mocks (~> 3.
|
132
|
-
rspec-support (~> 3.
|
133
|
-
rspec-support (3.
|
134
|
-
shoulda-matchers (4.0
|
131
|
+
rspec-support (~> 3.9.0)
|
132
|
+
rspec-rails (4.0.1)
|
133
|
+
actionpack (>= 4.2)
|
134
|
+
activesupport (>= 4.2)
|
135
|
+
railties (>= 4.2)
|
136
|
+
rspec-core (~> 3.9)
|
137
|
+
rspec-expectations (~> 3.9)
|
138
|
+
rspec-mocks (~> 3.9)
|
139
|
+
rspec-support (~> 3.9)
|
140
|
+
rspec-support (3.9.3)
|
141
|
+
shoulda-matchers (4.3.0)
|
135
142
|
activesupport (>= 4.2.0)
|
136
|
-
|
137
|
-
thor (0.20.3)
|
143
|
+
thor (1.0.1)
|
138
144
|
thread_safe (0.3.6)
|
139
145
|
timecop (0.9.1)
|
140
|
-
tzinfo (1.2.
|
146
|
+
tzinfo (1.2.7)
|
141
147
|
thread_safe (~> 0.1)
|
142
148
|
xpath (3.2.0)
|
143
149
|
nokogiri (~> 1.8)
|
150
|
+
zeitwerk (2.3.1)
|
144
151
|
|
145
152
|
PLATFORMS
|
146
153
|
ruby
|
@@ -155,10 +162,8 @@ DEPENDENCIES
|
|
155
162
|
factory_bot_rails (~> 5.0)
|
156
163
|
nokogiri (~> 1.10.0)
|
157
164
|
pry
|
158
|
-
|
159
|
-
shoulda-matchers (~> 4.0)
|
160
|
-
sqlite3 (~> 1.3.13)
|
165
|
+
shoulda-matchers (~> 4.1)
|
161
166
|
timecop (~> 0.6)
|
162
167
|
|
163
168
|
BUNDLED WITH
|
164
|
-
1.
|
169
|
+
2.1.2
|
data/NEWS.md
CHANGED
@@ -3,12 +3,94 @@
|
|
3
3
|
The noteworthy changes for each Clearance version are included here. For a
|
4
4
|
complete changelog, see the git history for each version via the version links.
|
5
5
|
|
6
|
-
## [2.
|
6
|
+
## [2.2.1] - August 7, 2020
|
7
|
+
|
8
|
+
### Fixed
|
9
|
+
|
10
|
+
- Prevent user enumeration by timing attacks. Trying to log in with an
|
11
|
+
unrecognized email address will now take the same amount of time as for a user
|
12
|
+
that does exist in the system.
|
13
|
+
|
14
|
+
[2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
|
15
|
+
|
16
|
+
## [2.2.0] - July 9, 2020
|
17
|
+
|
18
|
+
### Added
|
19
|
+
|
20
|
+
- Add an Argon2 password strategy
|
21
|
+
|
22
|
+
### Fixed
|
23
|
+
|
24
|
+
- Use strings instead of classes on guard classes, avoids Rails deprecation
|
25
|
+
warning.
|
26
|
+
- Use `find_by` style for finders, improves neo4j support
|
27
|
+
- Provide explicit case sensitivity option for email uniqueness, avoid Rails
|
28
|
+
deprecation warning.
|
29
|
+
|
30
|
+
[2.2.0]: https://github.com/thoughtbot/clearance/compare/v2.1.0...v2.2.0
|
31
|
+
|
32
|
+
## [2.1.0] - December 19, 2019
|
33
|
+
|
34
|
+
### Added
|
35
|
+
|
36
|
+
- Add a `parent_controller` configuration option to specify the controller that
|
37
|
+
Clearance's `BaseController` will inherit from. Defaults to a value of
|
38
|
+
`ApplicationController`.
|
39
|
+
- Use the configured `primary_key_type` from the Active Record settings of the
|
40
|
+
project including Clearance, if it is set, while generating migrations. For
|
41
|
+
example, a setting of `:uuid` in a Rails app using Clearance will cause the
|
42
|
+
clearance-generated migrations to use this for the `users` table id type.
|
43
|
+
|
44
|
+
### Fixed
|
45
|
+
|
46
|
+
- Delete cookies correctly when a custom domain setting is being used.
|
47
|
+
- Do not set the authorization cookie on requests which did not exercise the
|
48
|
+
authorization code. Reduces the chances of leaving an auth cookie in a
|
49
|
+
publicly cacheable page that didn't require authorization to access.
|
50
|
+
|
51
|
+
### Changed
|
52
|
+
|
53
|
+
- Update the `email_validator` gem to a newer version embrace the more relaxed
|
54
|
+
email validation options which it now defaults to.
|
55
|
+
- When a password reset request is submitted without an email address, a flash
|
56
|
+
alert is now provided. Previously this continued silently as though it had
|
57
|
+
worked. We still proceed that way when there is an invalid (but present)
|
58
|
+
value, so as not to reveal existent vs. non-existent emails in the database.
|
59
|
+
|
60
|
+
### Removed
|
61
|
+
|
62
|
+
- Remove an unused route to `passwords#create` nested under `users`.
|
63
|
+
- No longer include the (rarely used in practice) application layout as part of
|
64
|
+
the views installer; but continue to provide some stock sign-in/out and flash
|
65
|
+
partial code in the gem installation README output.
|
66
|
+
|
67
|
+
### Deprecated
|
68
|
+
|
69
|
+
- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in`
|
70
|
+
setting, and make that setting default to true.
|
71
|
+
|
72
|
+
[2.1.0]: https://github.com/thoughtbot/clearance/compare/v2.0.0...v2.1.0
|
73
|
+
|
74
|
+
## [2.0.0] - November 12, 2019
|
75
|
+
|
76
|
+
### Added
|
77
|
+
|
78
|
+
- Add support for Rails version 6
|
79
|
+
- Allow `cookie_domain` to be configured with a lambda for custom configuration
|
80
|
+
- Add ability to configure BCrypt computational cost of hash calculation.
|
81
|
+
- Add `same_site` configuration option for increased CSRF protection.
|
82
|
+
|
83
|
+
### Fixed
|
84
|
+
|
85
|
+
- Fix issue where invalid params could raise `NoMethodError` when updating and
|
86
|
+
resetting passwords.
|
87
|
+
- The backdoor auth mechanism now supports scenarios where `Rails.env` has been
|
88
|
+
configured via env variables other than `RAILS_ENV` (`RACK_ENV` for example).
|
7
89
|
|
8
90
|
### Removed
|
9
91
|
|
10
|
-
- Removed support for Ruby versions older than 2.
|
11
|
-
- Removed support for Rails versions older than
|
92
|
+
- Removed support for Ruby versions older than 2.4
|
93
|
+
- Removed support for Rails versions older than 5.0
|
12
94
|
- Removed all deprecated code from Clearance 1.x
|
13
95
|
|
14
96
|
### Changed
|
@@ -16,7 +98,7 @@ complete changelog, see the git history for each version via the version links.
|
|
16
98
|
- Flash messages now use `flash[:alert]` rather than `flash[:notice]` as they
|
17
99
|
were used as errors more often than notices.
|
18
100
|
|
19
|
-
[2.0.0
|
101
|
+
[2.0.0]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0
|
20
102
|
|
21
103
|
## [1.17.0] - April 11, 2019
|
22
104
|
|
data/README.md
CHANGED
@@ -19,7 +19,7 @@ monitored by contributors.
|
|
19
19
|
|
20
20
|
## Getting Started
|
21
21
|
|
22
|
-
Clearance is a Rails engine tested against Rails `>=
|
22
|
+
Clearance is a Rails engine tested against Rails `>= 5.0` and Ruby `>= 2.4.0`.
|
23
23
|
|
24
24
|
You can add it to your Gemfile with:
|
25
25
|
|
@@ -31,8 +31,8 @@ Run the bundle command to install it.
|
|
31
31
|
|
32
32
|
After you install Clearance, you need to run the generator:
|
33
33
|
|
34
|
-
```
|
35
|
-
|
34
|
+
```shell
|
35
|
+
rails generate clearance:install
|
36
36
|
```
|
37
37
|
|
38
38
|
The Clearance install generator:
|
@@ -59,17 +59,14 @@ Clearance.configure do |config|
|
|
59
59
|
config.mailer_sender = "reply@example.com"
|
60
60
|
config.password_strategy = Clearance::PasswordStrategies::BCrypt
|
61
61
|
config.redirect_url = "/"
|
62
|
-
config.rotate_csrf_on_sign_in =
|
62
|
+
config.rotate_csrf_on_sign_in = true
|
63
63
|
config.secure_cookie = false
|
64
64
|
config.sign_in_guards = []
|
65
|
-
config.user_model = User
|
65
|
+
config.user_model = "User"
|
66
|
+
config.parent_controller = "ApplicationController"
|
66
67
|
end
|
67
68
|
```
|
68
69
|
|
69
|
-
The install generator will set `rotate_csrf_on_sign_in` to `true`, so new
|
70
|
-
installations will get this behavior from the start. This helps avoid session
|
71
|
-
fixation attacks, and will become the default in Clearance 2.0.
|
72
|
-
|
73
70
|
## Use
|
74
71
|
|
75
72
|
### Access Control
|
@@ -130,6 +127,18 @@ Clearance.configure do |config|
|
|
130
127
|
end
|
131
128
|
```
|
132
129
|
|
130
|
+
### Multiple Domain Support
|
131
|
+
|
132
|
+
You can support multiple domains, or other special domain configurations by
|
133
|
+
optionally setting `cookie_domain` as a callable object. The first argument
|
134
|
+
passed to the method is an ActionDispatch::Request object.
|
135
|
+
|
136
|
+
```ruby
|
137
|
+
Clearance.configure do |config|
|
138
|
+
config.cookie_domain = lambda { |request| request.host }
|
139
|
+
end
|
140
|
+
```
|
141
|
+
|
133
142
|
### Integrating with Rack Applications
|
134
143
|
|
135
144
|
Clearance adds its session to the Rack environment hash so middleware and other
|
@@ -161,15 +170,16 @@ As of Clearance 1.5 it is recommended that you disable Clearance routes and take
|
|
161
170
|
full control over routing and URL design. This ensures that your app's URL design
|
162
171
|
won't be affected if the gem's routes and URL design are changed.
|
163
172
|
|
164
|
-
To disable the routes, change the `routes` configuration option to false:
|
173
|
+
To disable the routes, change the `routes` configuration option to false:
|
165
174
|
|
166
175
|
```ruby
|
167
176
|
Clearance.configure do |config|
|
168
177
|
config.routes = false
|
169
178
|
end
|
170
179
|
```
|
171
|
-
|
172
|
-
|
180
|
+
|
181
|
+
You can optionally run `rails generate clearance:routes` to dump a copy of the
|
182
|
+
default routes into your application for modification.
|
173
183
|
|
174
184
|
### Controllers
|
175
185
|
|
@@ -188,22 +198,29 @@ class UsersController < Clearance::UsersController
|
|
188
198
|
|
189
199
|
### Redirects
|
190
200
|
|
191
|
-
|
201
|
+
The post-action redirects in Clearance are simple methods which can be
|
202
|
+
overridden one by one, or configured globally.
|
203
|
+
|
204
|
+
These "success" methods are called for signed in users, and redirect to
|
192
205
|
`Clearance.configuration.redirect_url` (which is `/` by default):
|
193
206
|
|
194
|
-
|
195
|
-
|
196
|
-
sessions#
|
197
|
-
|
198
|
-
|
199
|
-
application#url_after_denied_access_when_signed_in
|
200
|
-
```
|
207
|
+
- `passwords#url_after_update`
|
208
|
+
- `sessions#url_after_create`
|
209
|
+
- `sessions#url_for_signed_in_users`
|
210
|
+
- `users#url_after_create`
|
211
|
+
- `application#url_after_denied_access_when_signed_in`
|
201
212
|
|
202
213
|
To override them all at once, change the global configuration of `redirect_url`.
|
203
|
-
To change individual URLs, override the appropriate method
|
214
|
+
To change individual URLs, override the appropriate method in your subclassed
|
215
|
+
controller.
|
204
216
|
|
205
|
-
|
206
|
-
|
217
|
+
These "failure" methods are called for signed out sessions:
|
218
|
+
|
219
|
+
- `application#url_after_denied_access_when_signed_out`
|
220
|
+
- `sessions#url_after_destroy`
|
221
|
+
|
222
|
+
They both default to `sign_in_url`. Override this method to change both of their
|
223
|
+
behavior, or override them individually to just change one.
|
207
224
|
|
208
225
|
### Views
|
209
226
|
|
@@ -226,7 +243,7 @@ You can use the Clearance views generator to copy the default views to your
|
|
226
243
|
application for modification.
|
227
244
|
|
228
245
|
```shell
|
229
|
-
|
246
|
+
rails generate clearance:views
|
230
247
|
```
|
231
248
|
|
232
249
|
### Layouts
|
@@ -245,8 +262,10 @@ end
|
|
245
262
|
|
246
263
|
### Translations
|
247
264
|
|
248
|
-
All flash messages and email subject lines are stored in [i18n translations]
|
249
|
-
translation.
|
265
|
+
All flash messages and email subject lines are stored in [i18n translations].
|
266
|
+
Override them like any other translation.
|
267
|
+
|
268
|
+
[i18n translations]: http://guides.rubyonrails.org/i18n.html
|
250
269
|
|
251
270
|
See [config/locales/clearance.en.yml](/config/locales/clearance.en.yml) for the
|
252
271
|
default behavior.
|
@@ -259,6 +278,13 @@ for access to additional, user-contributed translations.
|
|
259
278
|
See [lib/clearance/user.rb](/lib/clearance/user.rb) for the default behavior.
|
260
279
|
You can override those methods as needed.
|
261
280
|
|
281
|
+
Note that there are some model-level validations (see above link for detail)
|
282
|
+
which the `Clearance::User` module will add to the configured model class and
|
283
|
+
which may conflict with or duplicate already present validations on the `email`
|
284
|
+
and `password` attributes. Over-riding the `email_optional?` or
|
285
|
+
`skip_password_validation?` methods to return `true` will disable those
|
286
|
+
validations from being added.
|
287
|
+
|
262
288
|
### Deliver Email in Background Job
|
263
289
|
|
264
290
|
Clearance has a password reset mailer. If you are using Rails 4.2 and Clearance
|
@@ -307,7 +333,7 @@ Here's an example custom guard to handle email confirmation:
|
|
307
333
|
|
308
334
|
```ruby
|
309
335
|
Clearance.configure do |config|
|
310
|
-
config.sign_in_guards = [EmailConfirmationGuard]
|
336
|
+
config.sign_in_guards = ["EmailConfirmationGuard"]
|
311
337
|
end
|
312
338
|
```
|
313
339
|
|
@@ -377,7 +403,7 @@ feature specs, will also require `factory_bot_rails`.
|
|
377
403
|
To Generate the clearance specs, run:
|
378
404
|
|
379
405
|
```shell
|
380
|
-
|
406
|
+
rails generate clearance:specs
|
381
407
|
```
|
382
408
|
|
383
409
|
### Controller Test Helpers
|