clearance 2.0.0.beta2 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c7eb11d597ee18d41e6655e608bb82c9e774baa30e0e4f05dbcd7cc99c553e5
-  data.tar.gz: c221f519c1191b0d8487d302db40a3c69724e6a59df5b67efd9bbaffbf2f10cf
+  metadata.gz: 777ea26a3647f9d843995457a9fc073036fe60c7e3119c97a063345fbe85a7df
+  data.tar.gz: c57adcad1e84434b6ffc9dc6e4af275d14b1c4844736536ecf32ee00180f4429
 SHA512:
-  metadata.gz: 586d54d09d31cbdae4caf13a1aa3920559806feb92701e6e9bb73d5dcf9001790c5e73e7d0f4af9a9e2e5b4cf72ae7865e1b7013bbe8ab18235353842449ca9c
-  data.tar.gz: 2df91d418506ba30981dec2b0139074f543193e389b1b00a79163a61c48de714ce1b480a215e98e1c13a95076d09dc271ce7f4bdb34539c822d83fc2f46d61e2
+  metadata.gz: fb8a5c80c163df705026f5ebbfde61ed51475abe3ce24681dce56bbdb4394b37cf491e4ec8aecf33c00d4cc11f1a8826afd45c49a3465864d825da5b651d8e64
+  data.tar.gz: 3f24bdba4f83baf3a62ec80457a62e4d8dccec82f1f5b2f37d4b9514badffde150dc2b85b6e207a91a875264a85e679da49a9fb38e22c898bcfb1d200f537161

data/.erb-lint.yml

@@ -0,0 +1,5 @@
+---
+EnableDefaultLinters: true
+linters:
+  ErbSafety:
+    enabled: true

data/.travis.yml

@@ -4,9 +4,10 @@ language:
   - ruby
 
 rvm:
-  - 2.4.6
-  - 2.5.5
-  - 2.6.2
+  - 2.4.9
+  - 2.5.7
+  - 2.6.5
+  - 2.7.0
 
 gemfile:
   - gemfiles/rails_5.0.gemfile
@@ -14,9 +15,6 @@ gemfile:
   - gemfiles/rails_5.2.gemfile
   - gemfiles/rails_6.0.gemfile
 
-before_install:
-  - gem update --system
-
 install:
   - "bin/setup"
 
@@ -26,7 +24,5 @@ branches:
 
 matrix:
   exclude:
-    - rvm: 2.4.6
+    - rvm: 2.4.9
       gemfile: gemfiles/rails_6.0.gemfile
-
-sudo: false

data/Appraisals

@@ -1,23 +1,18 @@
-rails_versions = %w(
-  5.0
-  5.1
-  5.2
-  6.0
-)
+appraise "rails_5.0" do
+  gem "railties", "~> 5.0"
+  gem 'rspec-rails', '~> 3.1'
+  gem 'capybara', '>= 2.6.2', '< 3.33.0'
+  gem 'sqlite3', '~> 1.3.13'
+end
 
-rails_versions.each do |version|
-  appraise "rails_#{version}" do
-    gem "railties", "~> #{version}.0"
-    gem "rails-controller-testing"
+appraise "rails_5.1" do
+  gem "railties", "~> 5.1"
+end
 
-    if Gem::Version.new(version) >= Gem::Version.new("6.0")
-      # TODO - Switch to 4.0 gem once release is made
-      gem 'rspec-rails', '~> 4.0.0.beta2'
-      gem 'sqlite3', '~> 1.4.0'
-    else
-      gem 'sqlite3', '~> 1.3.13'
-      gem 'rspec-rails', '~> 3.1'
-    end
+appraise "rails_5.2" do
+  gem "railties", "~> 5.2"
+end
 
-  end
+appraise "rails_6.0" do
+  gem "railties", "~> 6.0"
 end

data/Gemfile

@@ -2,13 +2,17 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'addressable', '~> 2.6.0'
+gem 'addressable'
 gem 'ammeter'
 gem 'appraisal'
-gem 'capybara', '>= 2.6.2'
-gem 'database_cleaner', '~> 1.0'
-gem 'factory_bot_rails', '~> 5.0'
-gem 'nokogiri', '~> 1.10.0'
+gem 'capybara'
+gem 'database_cleaner'
+gem 'erb_lint', require: false
+gem 'factory_bot_rails'
+gem 'nokogiri'
 gem 'pry', require: false
-gem 'shoulda-matchers', '~> 4.1'
-gem 'timecop', '~> 0.6'
+gem 'rails-controller-testing'
+gem 'rspec-rails'
+gem 'shoulda-matchers'
+gem 'sqlite3'
+gem 'timecop'

data/Gemfile.lock

@@ -1,63 +1,76 @@
 PATH
   remote: .
   specs:
-    clearance (2.0.0.beta2)
+    clearance (2.3.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
-      bcrypt
-      email_validator (~> 1.4)
+      argon2 (~> 2.0, >= 2.0.2)
+      bcrypt (>= 3.1.1)
+      email_validator (~> 2.0)
       railties (>= 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.0)
-      actionpack (= 6.0.0)
-      actionview (= 6.0.0)
-      activejob (= 6.0.0)
+    actionmailer (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      actionview (= 6.0.3.2)
+      activejob (= 6.0.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0)
-      actionview (= 6.0.0)
-      activesupport (= 6.0.0)
-      rack (~> 2.0)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.0)
-      activesupport (= 6.0.0)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.0)
-      activesupport (= 6.0.0)
+    activejob (6.0.3.2)
+      activesupport (= 6.0.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.0.0)
-      activesupport (= 6.0.0)
-    activerecord (6.0.0)
-      activemodel (= 6.0.0)
-      activesupport (= 6.0.0)
-    activesupport (6.0.0)
+    activemodel (6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activerecord (6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (2.2.0)
+    appraisal (2.3.0)
       bundler
       rake
       thor (>= 0.14.0)
-    bcrypt (3.1.13)
-    builder (3.2.3)
-    capybara (3.29.0)
+    argon2 (2.0.2)
+      ffi (~> 1.9)
+      ffi-compiler (>= 0.1)
+    ast (2.4.1)
+    bcrypt (3.1.15)
+    better_html (1.0.15)
+      actionview (>= 4.0)
+      activesupport (>= 4.0)
+      ast (~> 2.0)
+      erubi (~> 1.4)
+      html_tokenizer (~> 0.0.6)
+      parser (>= 2.4)
+      smart_properties
+    builder (3.2.4)
+    capybara (3.33.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
@@ -65,97 +78,137 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (~> 1.5)
       xpath (~> 3.2)
-    coderay (1.1.2)
-    concurrent-ruby (1.1.5)
-    crass (1.0.4)
-    database_cleaner (1.7.0)
-    diff-lcs (1.3)
-    email_validator (1.6.0)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.6)
+    crass (1.0.6)
+    database_cleaner (1.8.5)
+    diff-lcs (1.4.4)
+    email_validator (2.0.1)
       activemodel
-    erubi (1.8.0)
-    factory_bot (5.0.2)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.2)
-      factory_bot (~> 5.0.2)
-      railties (>= 4.2.0)
+    erb_lint (0.0.34)
+      activesupport
+      better_html (~> 1.0.7)
+      html_tokenizer
+      rainbow
+      rubocop (~> 0.79)
+      smart_properties
+    erubi (1.9.0)
+    factory_bot (6.1.0)
+      activesupport (>= 5.0.0)
+    factory_bot_rails (6.1.0)
+      factory_bot (~> 6.1.0)
+      railties (>= 5.0.0)
+    ffi (1.13.1)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.6.0)
+    html_tokenizer (0.0.7)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
-    loofah (2.2.3)
+    loofah (2.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    method_source (0.9.2)
+    method_source (1.0.0)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
-    nokogiri (1.10.4)
+    minitest (5.14.1)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (3.1.1)
-    rack (2.0.7)
+    parallel (1.19.2)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.5)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0)
-      actionpack (= 6.0.0)
-      activesupport (= 6.0.0)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.3)
-    regexp_parser (1.6.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rainbow (3.0.0)
+    rake (13.0.1)
+    regexp_parser (1.7.1)
+    rexml (3.2.4)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.2)
-    shoulda-matchers (4.1.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (4.0.1)
+      actionpack (>= 4.2)
+      activesupport (>= 4.2)
+      railties (>= 4.2)
+      rspec-core (~> 3.9)
+      rspec-expectations (~> 3.9)
+      rspec-mocks (~> 3.9)
+      rspec-support (~> 3.9)
+    rspec-support (3.9.3)
+    rubocop (0.88.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
+      rexml
+      rubocop-ast (>= 0.1.0, < 1.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
+    ruby-progressbar (1.10.1)
+    shoulda-matchers (4.3.0)
       activesupport (>= 4.2.0)
-    thor (0.20.3)
+    smart_properties (1.15.0)
+    sqlite3 (1.4.2)
+    thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    unicode-display_width (1.7.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.1.10)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  addressable (~> 2.6.0)
+  addressable
   ammeter
   appraisal
-  capybara (>= 2.6.2)
+  capybara
   clearance!
-  database_cleaner (~> 1.0)
-  factory_bot_rails (~> 5.0)
-  nokogiri (~> 1.10.0)
+  database_cleaner
+  erb_lint
+  factory_bot_rails
+  nokogiri
   pry
-  shoulda-matchers (~> 4.1)
-  timecop (~> 0.6)
+  rails-controller-testing
+  rspec-rails
+  shoulda-matchers
+  sqlite3
+  timecop
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/NEWS.md

@@ -3,15 +3,103 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
-## [2.0.0.beta2] - September 17, 2019
+## [2.3.0] - August 14, 2020
+
+### Fixed
+
+- Delete cookie correctly when a callable object is set as the custom domain
+  setting.
+- Strip `as` parameter when signing in through the back door.
+- Remove broken autoload for deprecated password strategies.
+
+### Changed
+
+- Deliver password reset email inline rather than in the background.
+- Remove unnecessary unsafe interpolation in erb templates.
+
+[2.3.0]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.3.0
+
+## [2.2.1] - August 7, 2020
+
+### Fixed
+
+- Prevent user enumeration by timing attacks. Trying to log in with an
+  unrecognized email address will now take the same amount of time as for a user
+  that does exist in the system.
+
+[2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
+
+## [2.2.0] - July 9, 2020
+
+### Added
+
+- Add an Argon2 password strategy
+
+### Fixed
+
+- Use strings instead of classes on guard classes, avoids Rails deprecation
+  warning.
+- Use `find_by` style for finders, improves neo4j support
+- Provide explicit case sensitivity option for email uniqueness, avoid Rails
+  deprecation warning.
+
+[2.2.0]: https://github.com/thoughtbot/clearance/compare/v2.1.0...v2.2.0
+
+## [2.1.0] - December 19, 2019
+
+### Added
+
+- Add a `parent_controller` configuration option to specify the controller that
+  Clearance's `BaseController` will inherit from. Defaults to a value of
+  `ApplicationController`.
+- Use the configured `primary_key_type` from the Active Record settings of the
+  project including Clearance, if it is set, while generating migrations. For
+  example, a setting of `:uuid` in a Rails app using Clearance will cause the
+  clearance-generated migrations to use this for the `users` table id type.
+
+### Fixed
+
+- Delete cookies correctly when a custom domain setting is being used.
+- Do not set the authorization cookie on requests which did not exercise the
+  authorization code. Reduces the chances of leaving an auth cookie in a
+  publicly cacheable page that didn't require authorization to access.
+
+### Changed
+
+- Update the `email_validator` gem to a newer version embrace the more relaxed
+  email validation options which it now defaults to.
+- When a password reset request is submitted without an email address, a flash
+  alert is now provided. Previously this continued silently as though it had
+  worked. We still proceed that way when there is an invalid (but present)
+  value, so as not to reveal existent vs. non-existent emails in the database.
+
+### Removed
+
+- Remove an unused route to `passwords#create` nested under `users`.
+- No longer include the (rarely used in practice) application layout as part of
+  the views installer; but continue to provide some stock sign-in/out and flash
+  partial code in the gem installation README output.
+
+### Deprecated
+
+- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in`
+  setting, and make that setting default to true.
+
+[2.1.0]: https://github.com/thoughtbot/clearance/compare/v2.0.0...v2.1.0
+
+## [2.0.0] - November 12, 2019
 
 ### Added
 
 - Add support for Rails version 6
 - Allow `cookie_domain` to be configured with a lambda for custom configuration
+- Add ability to configure BCrypt computational cost of hash calculation.
+- Add `same_site` configuration option for increased CSRF protection.
 
 ### Fixed
 
+- Fix issue where invalid params could raise `NoMethodError` when updating and
+  resetting passwords.
 - The backdoor auth mechanism now supports scenarios where `Rails.env` has been
   configured via env variables other than `RAILS_ENV` (`RACK_ENV` for example).
 
@@ -19,15 +107,6 @@ complete changelog, see the git history for each version via the version links.
 
 - Removed support for Ruby versions older than 2.4
 - Removed support for Rails versions older than 5.0
-
-[2.0.0.beta2]: https://github.com/thoughtbot/clearance/compare/v2.0.0.beta1...v2.0.0.beta2
-
-## [2.0.0.beta1] - April 12, 2019
-
-### Removed
-
-- Removed support for Ruby versions older than 2.3
-- Removed support for Rails versions older than 4.2
 - Removed all deprecated code from Clearance 1.x
 
 ### Changed
@@ -35,7 +114,7 @@ complete changelog, see the git history for each version via the version links.
 - Flash messages now use `flash[:alert]` rather than `flash[:notice]` as they
   were used as errors more often than notices.
 
-[2.0.0.beta1]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0.beta1
+[2.0.0]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0
 
 ## [1.17.0] - April 11, 2019