clearance 2.0.0.beta1 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f79f5aa24e81ddb8b9fc746a557db5bcf7770e17ee52f758c070656afda4434
-  data.tar.gz: c8bfc11a5c5b3e4035aaa4fb118dd24f45a72e148499ed935a15c2a5fb4764dd
+  metadata.gz: 54c7e8cc7022fa2b109ce9834c1b27752a4b84b4acbe2f65728ecc66119ad8a1
+  data.tar.gz: d7ee7f5c36b5feeb71799e791c283ca9644984cd5eb0cdcbefdd3882f9c726ba
 SHA512:
-  metadata.gz: af3771ef9f0981c1666f01b8dad6271e61cd1ed7a13d8268f9214827682c6ba1da9e6c0fac1c81cfa89f71b44dde927d3f71b829324a6c3794b0c90e66f6c8f1
-  data.tar.gz: 8f69cf0a50f4064a120f8e63a9c80e0ebdf5aa69be0fc68998bbe6e4e73b14ba78789c1bdd28c3f7c3c02623135036189c764d7bd6c93a8125767cebd09cf458
+  metadata.gz: 754bdef335e4cfdc4239cf96f923847ee4330053eae153a69e19be7fa91d96641e1b8465d223d2c88858758c14eab9485147a95dbe792bed23a690b54e07cbd1
+  data.tar.gz: eb2c85479b87c42ee2f5e1824a07b55b8a72104fd690d01262182257bedfec12d33ade009acd9b01320a9ca1d26a1a8b5a511585a5e45f607a695cac23d5fd9f

data/.travis.yml

@@ -4,19 +4,16 @@ language:
   - ruby
 
 rvm:
-  - 2.3.8
-  - 2.4.6
-  - 2.5.5
-  - 2.6.2
+  - 2.4.9
+  - 2.5.7
+  - 2.6.5
+  - 2.7.0
 
 gemfile:
-  - gemfiles/rails_4.2.gemfile
   - gemfiles/rails_5.0.gemfile
   - gemfiles/rails_5.1.gemfile
   - gemfiles/rails_5.2.gemfile
-
-before_install:
-  - gem update --system
+  - gemfiles/rails_6.0.gemfile
 
 install:
   - "bin/setup"
@@ -24,11 +21,8 @@ install:
 branches:
   only:
     - master
-    - 2.0
 
 matrix:
-  allow_failures:
-    - gemfile: gemfiles/rails_4.2.gemfile
-      rvm: 2.6.2
-
-sudo: false
+  exclude:
+    - rvm: 2.4.9
+      gemfile: gemfiles/rails_6.0.gemfile

data/Appraisals

@@ -1,15 +1,23 @@
 rails_versions = %w(
-  4.2
   5.0
   5.1
   5.2
+  6.0
 )
 
 rails_versions.each do |version|
   appraise "rails_#{version}" do
     gem "railties", "~> #{version}.0"
-    if Gem::Version.new(version) >= Gem::Version.new("5.0")
-      gem "rails-controller-testing"
+    gem "rails-controller-testing"
+
+    if Gem::Version.new(version) >= Gem::Version.new("6.0")
+      # TODO - Switch to 4.0 gem once release is made
+      gem 'rspec-rails', '~> 4.0.0.beta3'
+      gem 'sqlite3', '~> 1.4.0'
+    else
+      gem 'sqlite3', '~> 1.3.13'
+      gem 'rspec-rails', '~> 3.1'
     end
+
   end
 end

data/Gemfile

@@ -10,7 +10,5 @@ gem 'database_cleaner', '~> 1.0'
 gem 'factory_bot_rails', '~> 5.0'
 gem 'nokogiri', '~> 1.10.0'
 gem 'pry', require: false
-gem 'rspec-rails', '~> 3.5'
-gem 'shoulda-matchers', '~> 4.0'
-gem 'sqlite3', '~> 1.3.13'
+gem 'shoulda-matchers', '~> 4.1'
 gem 'timecop', '~> 0.6'

data/Gemfile.lock

@@ -1,146 +1,153 @@
 PATH
   remote: .
   specs:
-    clearance (2.0.0.beta1)
-      actionmailer (>= 4.2)
-      activemodel (>= 4.2)
-      activerecord (>= 4.2)
-      bcrypt
-      email_validator (~> 1.4)
-      railties (>= 4.2)
+    clearance (2.2.1)
+      actionmailer (>= 5.0)
+      activemodel (>= 5.0)
+      activerecord (>= 5.0)
+      argon2 (~> 2.0, >= 2.0.2)
+      bcrypt (>= 3.1.1)
+      email_validator (~> 2.0)
+      railties (>= 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (5.2.3)
-      actionpack (= 5.2.3)
-      actionview (= 5.2.3)
-      activejob (= 5.2.3)
+    actionmailer (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      actionview (= 6.0.3.2)
+      activejob (= 6.0.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (5.2.3)
-      actionview (= 5.2.3)
-      activesupport (= 5.2.3)
-      rack (~> 2.0)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.3)
-      activesupport (= 5.2.3)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (5.2.3)
-      activesupport (= 5.2.3)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.3.2)
+      activesupport (= 6.0.3.2)
       globalid (>= 0.3.6)
-    activemodel (5.2.3)
-      activesupport (= 5.2.3)
-    activerecord (5.2.3)
-      activemodel (= 5.2.3)
-      activesupport (= 5.2.3)
-      arel (>= 9.0)
-    activesupport (5.2.3)
+    activemodel (6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activerecord (6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
     ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (2.2.0)
+    appraisal (2.3.0)
       bundler
       rake
       thor (>= 0.14.0)
-    arel (9.0.0)
-    bcrypt (3.1.12)
-    builder (3.2.3)
-    capybara (3.16.2)
+    argon2 (2.0.2)
+      ffi (~> 1.9)
+      ffi-compiler (>= 0.1)
+    bcrypt (3.1.13)
+    builder (3.2.4)
+    capybara (3.33.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
-      regexp_parser (~> 1.2)
+      regexp_parser (~> 1.5)
       xpath (~> 3.2)
-    coderay (1.1.2)
-    concurrent-ruby (1.1.5)
-    crass (1.0.4)
-    database_cleaner (1.7.0)
-    diff-lcs (1.3)
-    email_validator (1.6.0)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.6)
+    crass (1.0.6)
+    database_cleaner (1.8.5)
+    diff-lcs (1.4.4)
+    email_validator (2.0.1)
       activemodel
-    erubi (1.8.0)
-    factory_bot (5.0.2)
+    erubi (1.9.0)
+    factory_bot (5.2.0)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.1)
-      factory_bot (~> 5.0.0)
+    factory_bot_rails (5.2.0)
+      factory_bot (~> 5.2.0)
       railties (>= 4.2.0)
+    ffi (1.13.1)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.6.0)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    loofah (2.2.3)
+    loofah (2.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    method_source (0.9.2)
-    mini_mime (1.0.1)
+    method_source (1.0.0)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
-    nokogiri (1.10.2)
+    minitest (5.14.1)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (3.0.3)
-    rack (2.0.7)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (3.1.1)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.3)
-      actionpack (= 5.2.3)
-      activesupport (= 5.2.3)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.19.0, < 2.0)
-    rake (12.3.2)
-    regexp_parser (1.4.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+      thor (>= 0.20.3, < 2.0)
+    rake (13.0.1)
+    regexp_parser (1.7.1)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    shoulda-matchers (4.0.1)
+      rspec-support (~> 3.9.0)
+    rspec-rails (4.0.1)
+      actionpack (>= 4.2)
+      activesupport (>= 4.2)
+      railties (>= 4.2)
+      rspec-core (~> 3.9)
+      rspec-expectations (~> 3.9)
+      rspec-mocks (~> 3.9)
+      rspec-support (~> 3.9)
+    rspec-support (3.9.3)
+    shoulda-matchers (4.3.0)
       activesupport (>= 4.2.0)
-    sqlite3 (1.3.13)
-    thor (0.20.3)
+    thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
+    zeitwerk (2.3.1)
 
 PLATFORMS
   ruby
@@ -155,10 +162,8 @@ DEPENDENCIES
   factory_bot_rails (~> 5.0)
   nokogiri (~> 1.10.0)
   pry
-  rspec-rails (~> 3.5)
-  shoulda-matchers (~> 4.0)
-  sqlite3 (~> 1.3.13)
+  shoulda-matchers (~> 4.1)
   timecop (~> 0.6)
 
 BUNDLED WITH
-   1.17.3
+   2.1.2

data/NEWS.md

@@ -3,12 +3,94 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
-## [2.0.0.beta1] - April 12, 2019
+## [2.2.1] - August 7, 2020
+
+### Fixed
+
+- Prevent user enumeration by timing attacks. Trying to log in with an
+  unrecognized email address will now take the same amount of time as for a user
+  that does exist in the system.
+
+[2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
+
+## [2.2.0] - July 9, 2020
+
+### Added
+
+- Add an Argon2 password strategy
+
+### Fixed
+
+- Use strings instead of classes on guard classes, avoids Rails deprecation
+  warning.
+- Use `find_by` style for finders, improves neo4j support
+- Provide explicit case sensitivity option for email uniqueness, avoid Rails
+  deprecation warning.
+
+[2.2.0]: https://github.com/thoughtbot/clearance/compare/v2.1.0...v2.2.0
+
+## [2.1.0] - December 19, 2019
+
+### Added
+
+- Add a `parent_controller` configuration option to specify the controller that
+  Clearance's `BaseController` will inherit from. Defaults to a value of
+  `ApplicationController`.
+- Use the configured `primary_key_type` from the Active Record settings of the
+  project including Clearance, if it is set, while generating migrations. For
+  example, a setting of `:uuid` in a Rails app using Clearance will cause the
+  clearance-generated migrations to use this for the `users` table id type.
+
+### Fixed
+
+- Delete cookies correctly when a custom domain setting is being used.
+- Do not set the authorization cookie on requests which did not exercise the
+  authorization code. Reduces the chances of leaving an auth cookie in a
+  publicly cacheable page that didn't require authorization to access.
+
+### Changed
+
+- Update the `email_validator` gem to a newer version embrace the more relaxed
+  email validation options which it now defaults to.
+- When a password reset request is submitted without an email address, a flash
+  alert is now provided. Previously this continued silently as though it had
+  worked. We still proceed that way when there is an invalid (but present)
+  value, so as not to reveal existent vs. non-existent emails in the database.
+
+### Removed
+
+- Remove an unused route to `passwords#create` nested under `users`.
+- No longer include the (rarely used in practice) application layout as part of
+  the views installer; but continue to provide some stock sign-in/out and flash
+  partial code in the gem installation README output.
+
+### Deprecated
+
+- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in`
+  setting, and make that setting default to true.
+
+[2.1.0]: https://github.com/thoughtbot/clearance/compare/v2.0.0...v2.1.0
+
+## [2.0.0] - November 12, 2019
+
+### Added
+
+- Add support for Rails version 6
+- Allow `cookie_domain` to be configured with a lambda for custom configuration
+- Add ability to configure BCrypt computational cost of hash calculation.
+- Add `same_site` configuration option for increased CSRF protection.
+
+### Fixed
+
+- Fix issue where invalid params could raise `NoMethodError` when updating and
+  resetting passwords.
+- The backdoor auth mechanism now supports scenarios where `Rails.env` has been
+  configured via env variables other than `RAILS_ENV` (`RACK_ENV` for example).
 
 ### Removed
 
-- Removed support for Ruby versions older than 2.3
-- Removed support for Rails versions older than 4.2
+- Removed support for Ruby versions older than 2.4
+- Removed support for Rails versions older than 5.0
 - Removed all deprecated code from Clearance 1.x
 
 ### Changed
@@ -16,7 +98,7 @@ complete changelog, see the git history for each version via the version links.
 - Flash messages now use `flash[:alert]` rather than `flash[:notice]` as they
   were used as errors more often than notices.
 
-[2.0.0.beta1]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0.beta1
+[2.0.0]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0
 
 ## [1.17.0] - April 11, 2019
 

data/README.md

@@ -19,7 +19,7 @@ monitored by contributors.
 
 ## Getting Started
 
-Clearance is a Rails engine tested against Rails `>= 3.2` and Ruby `>= 1.9.3`.
+Clearance is a Rails engine tested against Rails `>= 5.0` and Ruby `>= 2.4.0`.
 
 You can add it to your Gemfile with:
 
@@ -31,8 +31,8 @@ Run the bundle command to install it.
 
 After you install Clearance, you need to run the generator:
 
-```sh
-$ rails generate clearance:install
+```shell
+rails generate clearance:install
 ```
 
 The Clearance install generator:
@@ -59,17 +59,14 @@ Clearance.configure do |config|
   config.mailer_sender = "reply@example.com"
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
-  config.rotate_csrf_on_sign_in = false
+  config.rotate_csrf_on_sign_in = true
   config.secure_cookie = false
   config.sign_in_guards = []
-  config.user_model = User
+  config.user_model = "User"
+  config.parent_controller = "ApplicationController"
 end
 ```
 
-The install generator will set `rotate_csrf_on_sign_in` to `true`, so new
-installations will get this behavior from the start. This helps avoid session
-fixation attacks, and will become the default in Clearance 2.0.
-
 ## Use
 
 ### Access Control
@@ -130,6 +127,18 @@ Clearance.configure do |config|
 end
 ```
 
+### Multiple Domain Support
+
+You can support multiple domains, or other special domain configurations by
+optionally setting `cookie_domain` as a callable object. The first argument
+passed to the method is an ActionDispatch::Request object.
+
+```ruby
+Clearance.configure do |config|
+  config.cookie_domain = lambda { |request| request.host }
+end
+```
+
 ### Integrating with Rack Applications
 
 Clearance adds its session to the Rack environment hash so middleware and other
@@ -161,15 +170,16 @@ As of Clearance 1.5 it is recommended that you disable Clearance routes and take
 full control over routing and URL design. This ensures that your app's URL design
 won't be affected if the gem's routes and URL design are changed.
 
-To disable the routes, change the `routes` configuration option to false: 
+To disable the routes, change the `routes` configuration option to false:
 
 ```ruby
 Clearance.configure do |config|
   config.routes = false
 end
 ```
-You can optionally run `rails generate clearance:routes` to dump a copy of the default routes into your
-application for modification.
+
+You can optionally run `rails generate clearance:routes` to dump a copy of the
+default routes into your application for modification.
 
 ### Controllers
 
@@ -188,22 +198,29 @@ class UsersController < Clearance::UsersController
 
 ### Redirects
 
-All of these controller methods redirect to
+The post-action redirects in Clearance are simple methods which can be
+overridden one by one, or configured globally.
+
+These "success" methods are called for signed in users, and redirect to
 `Clearance.configuration.redirect_url` (which is `/` by default):
 
-```
-passwords#url_after_update
-sessions#url_after_create
-sessions#url_for_signed_in_users
-users#url_after_create
-application#url_after_denied_access_when_signed_in
-```
+- `passwords#url_after_update`
+- `sessions#url_after_create`
+- `sessions#url_for_signed_in_users`
+- `users#url_after_create`
+- `application#url_after_denied_access_when_signed_in`
 
 To override them all at once, change the global configuration of `redirect_url`.
-To change individual URLs, override the appropriate method.
+To change individual URLs, override the appropriate method in your subclassed
+controller.
 
-`application#url_after_denied_access_when_signed_out` defaults to `sign_in_url`.
-Override this method to change this.
+These "failure" methods are called for signed out sessions:
+
+- `application#url_after_denied_access_when_signed_out`
+- `sessions#url_after_destroy`
+
+They both default to `sign_in_url`. Override this method to change both of their
+behavior, or override them individually to just change one.
 
 ### Views
 
@@ -226,7 +243,7 @@ You can use the Clearance views generator to copy the default views to your
 application for modification.
 
 ```shell
-$ rails generate clearance:views
+rails generate clearance:views
 ```
 
 ### Layouts
@@ -245,8 +262,10 @@ end
 
 ### Translations
 
-All flash messages and email subject lines are stored in [i18n translations](http://guides.rubyonrails.org/i18n.html). Override them like any other
-translation.
+All flash messages and email subject lines are stored in [i18n translations].
+Override them like any other translation.
+
+[i18n translations]: http://guides.rubyonrails.org/i18n.html
 
 See [config/locales/clearance.en.yml](/config/locales/clearance.en.yml) for the
 default behavior.
@@ -259,6 +278,13 @@ for access to additional, user-contributed translations.
 See [lib/clearance/user.rb](/lib/clearance/user.rb) for the default behavior.
 You can override those methods as needed.
 
+Note that there are some model-level validations (see above link for detail)
+which the `Clearance::User` module will add to the configured model class and
+which may conflict with or duplicate already present validations on the `email`
+and `password` attributes. Over-riding the `email_optional?` or
+`skip_password_validation?` methods to return `true` will disable those
+validations from being added.
+
 ### Deliver Email in Background Job
 
 Clearance has a password reset mailer. If you are using Rails 4.2 and Clearance
@@ -307,7 +333,7 @@ Here's an example custom guard to handle email confirmation:
 
 ```ruby
 Clearance.configure do |config|
-  config.sign_in_guards = [EmailConfirmationGuard]
+  config.sign_in_guards = ["EmailConfirmationGuard"]
 end
 ```
 
@@ -377,7 +403,7 @@ feature specs, will also require `factory_bot_rails`.
 To Generate the clearance specs, run:
 
 ```shell
-$ rails generate clearance:specs
+rails generate clearance:specs
 ```
 
 ### Controller Test Helpers