clearance 2.0.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd2d43e71f4cbe272a3a1b19577f453b986a27711e6327c6050d1170c73c09d8
-  data.tar.gz: ba32fcfb82fa0ab33f3764e381a2d2a93484dde956189b5395fa63b759142231
+  metadata.gz: 73e524b6026ced3c81ba4f5755fcc40190b5ca08e058d4297780600dc09dfa9a
+  data.tar.gz: 5c8fe49a083f5bddf070ed33eed1c78b5154d5da2c4f6bb3b52f5709c3db7875
 SHA512:
-  metadata.gz: 89cd499f030c7bb42c044e772eda264a899f382395b15331631dd4e7b148f173ca02b99ff232cf2f6a969ecad3ae284c341fd58f3cbd19ebf23de9f4126ae657
-  data.tar.gz: 51d38e93bdc439337d22c7e675f3ae826991ca40225c81309fcd8b131220b9463f7df4dd1015c72421907dd6989b60592a7d3235bb49969fcbb900a2c354ef89
+  metadata.gz: b8f2689813bcd73ed5d8cd9f5783f3659dbf001f924af4c595c2a5470ad5d1b9d9f57126117626204f0cec9e13b989d757e4baa33e077bc7b6cfde394d6a2f3d
+  data.tar.gz: ac38abe61a29243c8e253954accad74c8ada5532876b53483ce4991b745124c265674a6df908814a78b3ef4d467e8abd27e9355332e9162bfd25865f8b7bea2b

data/.erb-lint.yml

@@ -0,0 +1,5 @@
+---
+EnableDefaultLinters: true
+linters:
+  ErbSafety:
+    enabled: true

data/.github/workflows/tests.yml

@@ -0,0 +1,52 @@
+name: CI Tests
+
+on:
+  push:
+    branches: "master"
+  pull_request:
+    branches: "*"
+
+jobs:
+  test:
+    name: "Ruby ${{ matrix.ruby }}, Rails ${{ matrix.gemfile }}"
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        gemfile:
+          - "5.0"
+          - "5.1"
+          - "5.2"
+          - "6.0"
+          - "6.1"
+        ruby:
+          - "2.4.9"
+          - "2.5.7"
+          - "2.6.5"
+          - "2.7.2"
+        exclude:
+          - gemfile: "6.0"
+            ruby: "2.4.9"
+          - gemfile: "6.1"
+            ruby: "2.4.9"
+
+    env:
+      BUNDLE_GEMFILE: gemfiles/rails_${{ matrix.gemfile }}.gemfile
+      RAILS_ENV: test
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: "Install Ruby ${{ matrix.ruby  }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: "Reset app database"
+        run: bundle exec rake dummy:db:reset
+
+      - name: "Run tests"
+        run: bundle exec rake

data/Appraisals

@@ -1,23 +1,18 @@
-rails_versions = %w(
-  5.0
-  5.1
-  5.2
-  6.0
-)
+appraise "rails_5.0" do
+  gem "railties", "~> 5.0"
+  gem 'rspec-rails', '~> 3.1'
+  gem 'capybara', '>= 2.6.2', '< 3.33.0'
+  gem 'sqlite3', '~> 1.3.13'
+end
 
-rails_versions.each do |version|
-  appraise "rails_#{version}" do
-    gem "railties", "~> #{version}.0"
-    gem "rails-controller-testing"
+appraise "rails_5.1" do
+  gem "railties", "~> 5.1"
+end
 
-    if Gem::Version.new(version) >= Gem::Version.new("6.0")
-      # TODO - Switch to 4.0 gem once release is made
-      gem 'rspec-rails', '~> 4.0.0.beta2'
-      gem 'sqlite3', '~> 1.4.0'
-    else
-      gem 'sqlite3', '~> 1.3.13'
-      gem 'rspec-rails', '~> 3.1'
-    end
+appraise "rails_5.2" do
+  gem "railties", "~> 5.2"
+end
 
-  end
+appraise "rails_6.0" do
+  gem "railties", "~> 6.0"
 end

data/Gemfile

@@ -2,13 +2,17 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'addressable', '~> 2.6.0'
+gem 'addressable'
 gem 'ammeter'
 gem 'appraisal'
-gem 'capybara', '>= 2.6.2'
-gem 'database_cleaner', '~> 1.0'
-gem 'factory_bot_rails', '~> 5.0'
-gem 'nokogiri', '~> 1.10.0'
+gem 'capybara'
+gem 'database_cleaner'
+gem 'erb_lint', require: false
+gem 'factory_bot_rails'
+gem 'nokogiri'
 gem 'pry', require: false
-gem 'shoulda-matchers', '~> 4.1'
-gem 'timecop', '~> 0.6'
+gem 'rails-controller-testing'
+gem 'rspec-rails'
+gem 'shoulda-matchers'
+gem 'sqlite3'
+gem 'timecop'

data/Gemfile.lock

@@ -1,63 +1,77 @@
 PATH
   remote: .
   specs:
-    clearance (2.0.0)
+    clearance (2.3.1)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
+      argon2 (~> 2.0, >= 2.0.2)
       bcrypt (>= 3.1.1)
-      email_validator (~> 1.4)
+      email_validator (~> 2.0)
       railties (>= 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.1)
-      actionpack (= 6.0.1)
-      actionview (= 6.0.1)
-      activejob (= 6.0.1)
+    actionmailer (6.1.3)
+      actionpack (= 6.1.3)
+      actionview (= 6.1.3)
+      activejob (= 6.1.3)
+      activesupport (= 6.1.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.1)
-      actionview (= 6.0.1)
-      activesupport (= 6.0.1)
-      rack (~> 2.0)
+    actionpack (6.1.3)
+      actionview (= 6.1.3)
+      activesupport (= 6.1.3)
+      rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.1)
-      activesupport (= 6.0.1)
+    actionview (6.1.3)
+      activesupport (= 6.1.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.1)
-      activesupport (= 6.0.1)
+    activejob (6.1.3)
+      activesupport (= 6.1.3)
       globalid (>= 0.3.6)
-    activemodel (6.0.1)
-      activesupport (= 6.0.1)
-    activerecord (6.0.1)
-      activemodel (= 6.0.1)
-      activesupport (= 6.0.1)
-    activesupport (6.0.1)
+    activemodel (6.1.3)
+      activesupport (= 6.1.3)
+    activerecord (6.1.3)
+      activemodel (= 6.1.3)
+      activesupport (= 6.1.3)
+    activesupport (6.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2)
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (2.2.0)
+    appraisal (2.3.0)
       bundler
       rake
       thor (>= 0.14.0)
-    bcrypt (3.1.13)
-    builder (3.2.3)
-    capybara (3.29.0)
+    argon2 (2.0.3)
+      ffi (~> 1.14)
+      ffi-compiler (~> 1.0)
+    ast (2.4.2)
+    bcrypt (3.1.16)
+    better_html (1.0.16)
+      actionview (>= 4.0)
+      activesupport (>= 4.0)
+      ast (~> 2.0)
+      erubi (~> 1.4)
+      html_tokenizer (~> 0.0.6)
+      parser (>= 2.4)
+      smart_properties
+    builder (3.2.4)
+    capybara (3.33.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
@@ -65,97 +79,138 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (~> 1.5)
       xpath (~> 3.2)
-    coderay (1.1.2)
-    concurrent-ruby (1.1.5)
-    crass (1.0.5)
-    database_cleaner (1.7.0)
-    diff-lcs (1.3)
-    email_validator (1.6.0)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.8)
+    crass (1.0.6)
+    database_cleaner (1.8.5)
+    diff-lcs (1.4.4)
+    email_validator (2.2.2)
       activemodel
-    erubi (1.9.0)
-    factory_bot (5.1.1)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.1.1)
-      factory_bot (~> 5.1.0)
-      railties (>= 4.2.0)
+    erb_lint (0.0.34)
+      activesupport
+      better_html (~> 1.0.7)
+      html_tokenizer
+      rainbow
+      rubocop (~> 0.79)
+      smart_properties
+    erubi (1.10.0)
+    factory_bot (6.1.0)
+      activesupport (>= 5.0.0)
+    factory_bot_rails (6.1.0)
+      factory_bot (~> 6.1.0)
+      railties (>= 5.0.0)
+    ffi (1.14.2)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.7.0)
+    html_tokenizer (0.0.7)
+    i18n (1.8.9)
       concurrent-ruby (~> 1.0)
-    loofah (2.3.1)
+    loofah (2.9.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    method_source (0.9.2)
+    method_source (1.0.0)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.13.0)
-    nokogiri (1.10.5)
-      mini_portile2 (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (3.1.1)
-    rack (2.0.7)
+    mini_portile2 (2.5.0)
+    minitest (5.14.4)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    parallel (1.19.2)
+    parser (3.0.0.0)
+      ast (~> 2.4.1)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    public_suffix (4.0.5)
+    racc (1.5.2)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.1)
-      actionpack (= 6.0.1)
-      activesupport (= 6.0.1)
+    railties (6.1.3)
+      actionpack (= 6.1.3)
+      activesupport (= 6.1.3)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
-    rake (13.0.1)
-    regexp_parser (1.6.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-expectations (3.9.0)
+      thor (~> 1.0)
+    rainbow (3.0.0)
+    rake (13.0.3)
+    regexp_parser (1.7.1)
+    rexml (3.2.4)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-rails (3.9.0)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.0)
-    shoulda-matchers (4.1.2)
+    rspec-rails (4.0.1)
+      actionpack (>= 4.2)
+      activesupport (>= 4.2)
+      railties (>= 4.2)
+      rspec-core (~> 3.9)
+      rspec-expectations (~> 3.9)
+      rspec-mocks (~> 3.9)
+      rspec-support (~> 3.9)
+    rspec-support (3.9.3)
+    rubocop (0.88.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
+      rexml
+      rubocop-ast (>= 0.1.0, < 1.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
+    ruby-progressbar (1.10.1)
+    shoulda-matchers (4.3.0)
       activesupport (>= 4.2.0)
-    thor (0.20.3)
-    thread_safe (0.3.6)
+    smart_properties (1.15.0)
+    sqlite3 (1.4.2)
+    thor (1.1.0)
     timecop (0.9.1)
-    tzinfo (1.2.5)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (1.7.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.2.1)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  addressable (~> 2.6.0)
+  addressable
   ammeter
   appraisal
-  capybara (>= 2.6.2)
+  capybara
   clearance!
-  database_cleaner (~> 1.0)
-  factory_bot_rails (~> 5.0)
-  nokogiri (~> 1.10.0)
+  database_cleaner
+  erb_lint
+  factory_bot_rails
+  nokogiri
   pry
-  shoulda-matchers (~> 4.1)
-  timecop (~> 0.6)
+  rails-controller-testing
+  rspec-rails
+  shoulda-matchers
+  sqlite3
+  timecop
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/NEWS.md

@@ -3,6 +3,100 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [2.3.1] - March 5, 2021
+
+### Fixed
+
+- Support for accessing Rails 6.x primary_key_type in generator.
+- Fix password reset URLs when using a custom model
+- Fix flaky test that relied on too specific time delta
+- Revert case sensitivity for email uniqueness
+- Bump nokogiri and actionview dependencies to address security vulnerabilities
+
+## [2.3.0] - August 14, 2020
+
+### Fixed
+
+- Delete cookie correctly when a callable object is set as the custom domain
+  setting.
+- Strip `as` parameter when signing in through the back door.
+- Remove broken autoload for deprecated password strategies.
+
+### Changed
+
+- Deliver password reset email inline rather than in the background.
+- Remove unnecessary unsafe interpolation in erb templates.
+
+[2.3.0]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.3.0
+
+## [2.2.1] - August 7, 2020
+
+### Fixed
+
+- Prevent user enumeration by timing attacks. Trying to log in with an
+  unrecognized email address will now take the same amount of time as for a user
+  that does exist in the system.
+
+[2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
+
+## [2.2.0] - July 9, 2020
+
+### Added
+
+- Add an Argon2 password strategy
+
+### Fixed
+
+- Use strings instead of classes on guard classes, avoids Rails deprecation
+  warning.
+- Use `find_by` style for finders, improves neo4j support
+- Provide explicit case sensitivity option for email uniqueness, avoid Rails
+  deprecation warning.
+
+[2.2.0]: https://github.com/thoughtbot/clearance/compare/v2.1.0...v2.2.0
+
+## [2.1.0] - December 19, 2019
+
+### Added
+
+- Add a `parent_controller` configuration option to specify the controller that
+  Clearance's `BaseController` will inherit from. Defaults to a value of
+  `ApplicationController`.
+- Use the configured `primary_key_type` from the Active Record settings of the
+  project including Clearance, if it is set, while generating migrations. For
+  example, a setting of `:uuid` in a Rails app using Clearance will cause the
+  clearance-generated migrations to use this for the `users` table id type.
+
+### Fixed
+
+- Delete cookies correctly when a custom domain setting is being used.
+- Do not set the authorization cookie on requests which did not exercise the
+  authorization code. Reduces the chances of leaving an auth cookie in a
+  publicly cacheable page that didn't require authorization to access.
+
+### Changed
+
+- Update the `email_validator` gem to a newer version embrace the more relaxed
+  email validation options which it now defaults to.
+- When a password reset request is submitted without an email address, a flash
+  alert is now provided. Previously this continued silently as though it had
+  worked. We still proceed that way when there is an invalid (but present)
+  value, so as not to reveal existent vs. non-existent emails in the database.
+
+### Removed
+
+- Remove an unused route to `passwords#create` nested under `users`.
+- No longer include the (rarely used in practice) application layout as part of
+  the views installer; but continue to provide some stock sign-in/out and flash
+  partial code in the gem installation README output.
+
+### Deprecated
+
+- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in`
+  setting, and make that setting default to true.
+
+[2.1.0]: https://github.com/thoughtbot/clearance/compare/v2.0.0...v2.1.0
+
 ## [2.0.0] - November 12, 2019
 
 ### Added