clearance 2.0.0 → 2.3.1

data/lib/clearance/password_strategies.rb

@@ -13,10 +13,7 @@ module Clearance
   # `password=(new_password)`. For an example of how to implement these methods,
   # see {Clearance::PasswordStrategies::BCrypt}.
   module PasswordStrategies
-    autoload :BCrypt, 'clearance/password_strategies/bcrypt'
-    autoload :BCryptMigrationFromSHA1,
-      'clearance/password_strategies/bcrypt_migration_from_sha1'
-    autoload :Blowfish, 'clearance/password_strategies/blowfish'
-    autoload :SHA1, 'clearance/password_strategies/sha1'
+    autoload :BCrypt, "clearance/password_strategies/bcrypt"
+    autoload :Argon2, "clearance/password_strategies/argon2"
   end
 end

data/lib/clearance/password_strategies/argon2.rb

@@ -0,0 +1,23 @@
+module Clearance
+  module PasswordStrategies
+    # Uses Argon2 to authenticate users and store encrypted passwords.
+
+    module Argon2
+      require "argon2"
+
+      def authenticated?(password)
+        if encrypted_password.present?
+          ::Argon2::Password.verify_password(password, encrypted_password)
+        end
+      end
+
+      def password=(new_password)
+        @password = new_password
+
+        if new_password.present?
+          self.encrypted_password = ::Argon2::Password.new.create(new_password)
+        end
+      end
+    end
+  end
+end

data/lib/clearance/rack_session.rb

@@ -21,7 +21,11 @@ module Clearance
       session = Clearance::Session.new(env)
       env[:clearance] = session
       response = @app.call(env)
-      session.add_cookie_to_headers response[1]
+
+      if session.authentication_successful?
+        session.add_cookie_to_headers
+      end
+
       response
     end
   end

data/lib/clearance/session.rb

@@ -14,15 +14,9 @@ module Clearance
     # Called by {RackSession} to add the Clearance session cookie to a response.
     #
     # @return [void]
-    def add_cookie_to_headers(headers)
+    def add_cookie_to_headers
       if signed_in_with_remember_token?
-        Rack::Utils.set_cookie_header!(
-          headers,
-          remember_token_cookie,
-          cookie_options.merge(
-            value: current_user.remember_token,
-          ),
-        )
+        set_remember_token(current_user.remember_token)
       end
     end
 
@@ -81,7 +75,7 @@ module Clearance
       end
 
       @current_user = nil
-      cookies.delete remember_token_cookie
+      cookies.delete remember_token_cookie, delete_cookie_options
     end
 
     # True if {#current_user} is set.
@@ -98,6 +92,13 @@ module Clearance
       ! signed_in?
     end
 
+    # True if a successful authentication has been performed
+    #
+    # @return [Boolean]
+    def authentication_successful?
+      !!@current_user
+    end
+
     private
 
     # @api private
@@ -105,9 +106,27 @@ module Clearance
       @cookies ||= ActionDispatch::Request.new(@env).cookie_jar
     end
 
+    # @api private
+    def set_remember_token(token)
+      case Clearance.configuration.signed_cookie
+      when true, :migrate
+        cookies.signed[remember_token_cookie] = cookie_options(token)
+      when false
+        cookies[remember_token_cookie] = cookie_options(token)
+      end
+      remember_token
+    end
+
     # @api private
     def remember_token
-      cookies[remember_token_cookie]
+      case Clearance.configuration.signed_cookie
+      when true
+        cookies.signed[remember_token_cookie]
+      when :migrate
+        cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
+      when false
+        cookies[remember_token_cookie]
+      end
     end
 
     # @api private
@@ -152,7 +171,7 @@ module Clearance
     end
 
     # @api private
-    def cookie_options
+    def cookie_options(value)
       {
         domain: domain,
         expires: remember_token_expires,
@@ -160,10 +179,19 @@ module Clearance
         same_site: Clearance.configuration.same_site,
         path: Clearance.configuration.cookie_path,
         secure: Clearance.configuration.secure_cookie,
-        value: remember_token,
+        value: value,
       }
     end
 
+    # @api private
+    def delete_cookie_options
+      Hash.new.tap do |options|
+        if configured_cookie_domain
+          options[:domain] = domain
+        end
+      end
+    end
+
     # @api private
     def domain
       if configured_cookie_domain.respond_to?(:call)

data/lib/clearance/user.rb

@@ -60,7 +60,7 @@ module Clearance
   #   @see PasswordStrategies
   #   @return [void]
   #
-  # @!method authenticated?
+  # @!method authenticated?(password)
   #   Check's the provided password against the user's encrypted password using
   #   the configured password strategy. By default, this will be
   #   {PasswordStrategies::BCrypt#authenticated?}, but can be changed with
@@ -117,11 +117,13 @@ module Clearance
           if password.present? && user.authenticated?(password)
             user
           end
+        else
+          prevent_timing_attack
         end
       end
 
       def find_by_normalized_email(email)
-        find_by_email normalize_email(email)
+        find_by(email: normalize_email(email))
       end
 
       def normalize_email(email)
@@ -130,6 +132,13 @@ module Clearance
 
       private
 
+      DUMMY_PASSWORD = "*"
+
+      def prevent_timing_attack
+        new(password: DUMMY_PASSWORD)
+        nil
+      end
+
       def password_strategy
         Clearance.configuration.password_strategy || PasswordStrategies::BCrypt
       end
@@ -143,7 +152,7 @@ module Clearance
         validates :email,
           email: { strict_mode: true },
           presence: true,
-          uniqueness: { allow_blank: true },
+          uniqueness: { allow_blank: true, case_sensitive: true },
           unless: :email_optional?
 
         validates :password, presence: true, unless: :skip_password_validation?

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.0.0".freeze
+  VERSION = "2.3.1".freeze
 end

data/lib/generators/clearance/install/install_generator.rb

@@ -122,6 +122,19 @@ module Clearance
         "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
       end
 
+      def migration_primary_key_type_string
+        if configured_key_type
+          ", id: :#{configured_key_type}"
+        end
+      end
+
+      def configured_key_type
+        active_record = Rails.configuration.generators.active_record
+        active_record ||= Rails.configuration.generators.options[:active_record]
+
+        active_record[:primary_key_type]
+      end
+
       def models_inherit_from
         "ApplicationRecord"
       end

data/lib/generators/clearance/install/templates/README

@@ -8,9 +8,11 @@ Next steps:
     # config/environments/{development,test}.rb
     config.action_mailer.default_url_options = { host: 'localhost:3000' }
 
-    In production it should be your app's domain name.
+    In the production environment it should be your application's full hostname.
 
-2. Display user session and flashes. For example, in your application layout:
+2. Display user session status.
+
+    From somewhere in your layout, render sign in and sign out buttons:
 
     <% if signed_in? %>
       Signed in as: <%= current_user.email %>
@@ -19,14 +21,18 @@ Next steps:
       <%= link_to 'Sign in', sign_in_path %>
     <% end %>
 
+3. Render the flash contents.
+
+    Make sure the flash is being rendered in your views using something like:
+
     <div id="flash">
       <% flash.each do |key, value| %>
         <div class="flash <%= key %>"><%= value %></div>
       <% end %>
     </div>
 
-3. Migrate:
+4. Migrate:
 
-    rails db:migrate
+    Run `rails db:migrate` to add the clearance database changes.
 
 *******************************************************************************

data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb

@@ -13,7 +13,7 @@ class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
     users = select_all("SELECT id FROM users WHERE remember_token IS NULL")
 
     users.each do |user|
-      update <<-SQL
+      update <<-SQL.squish
         UPDATE users
         SET remember_token = '#{Clearance::Token.new}'
         WHERE id = '#{user['id']}'

data/lib/generators/clearance/install/templates/db/migrate/create_users.rb.erb

@@ -1,6 +1,6 @@
 class CreateUsers < ActiveRecord::Migration<%= migration_version %>
   def change
-    create_table :users do |t|
+    create_table :users<%= migration_primary_key_type_string %> do |t|
       t.timestamps null: false
       t.string :email, null: false
       t.string :encrypted_password, limit: 128, null: false

data/lib/generators/clearance/routes/templates/routes.rb

@@ -4,7 +4,7 @@
   resources :users, controller: "clearance/users", only: [:create] do
     resource :password,
       controller: "clearance/passwords",
-      only: [:create, :edit, :update]
+      only: [:edit, :update]
   end
 
   get "/sign_in" => "clearance/sessions#new", as: "sign_in"

data/spec/acceptance/clearance_installation_spec.rb

@@ -36,9 +36,6 @@ describe "Clearance Installation" do
        --skip-keeps
        --skip-sprockets
     CMD
-
-    FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
   end
 
   def testapp_templates
@@ -47,7 +44,6 @@ describe "Clearance Installation" do
 
   def configure_test_app
     FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
     FileUtils.cp_r(testapp_templates, "..")
   end
 

data/spec/app_templates/app/models/user.rb

@@ -1,4 +1,4 @@
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   def previously_existed?
     true
   end

data/spec/app_templates/testapp/app/views/layouts/application.html.erb

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <%= javascript_include_tag 'application' %>
+    <%= csrf_meta_tag %>
+  </head>
+  <body>
+    <div id="header">
+      <% if signed_in? -%>
+        <%= button_to t(".sign_out"), sign_out_path, method: :delete %>
+      <% else -%>
+        <%= link_to t(".sign_in"), sign_in_path %>
+      <% end -%>
+    </div>
+
+    <div id="flash">
+      <% flash.each do |key, value| -%>
+        <div id="flash_<%= key %>"><%=h value %></div>
+      <% end %>
+    </div>
+
+    <%= yield %>
+  </body>
+</html>

data/spec/clearance/back_door_spec.rb

@@ -46,6 +46,18 @@ describe Clearance::BackDoor do
     end
   end
 
+  it "strips 'as' from the params" do
+    user_id = "123"
+    user = double("user")
+    allow(User).to receive(:find).with(user_id).and_return(user)
+    env = build_env(as: user_id, foo: :bar)
+    back_door = Clearance::BackDoor.new(mock_app)
+
+    back_door.call(env)
+
+    expect(env["QUERY_STRING"]).to eq("foo=bar")
+  end
+
   context "when the environments are disabled" do
     before do
       Clearance.configuration.allowed_backdoor_environments = nil
@@ -84,14 +96,18 @@ describe Clearance::BackDoor do
     env_for_user_id("")
   end
 
-  def env_for_user_id(user_id)
+  def build_env(params)
+    query = Rack::Utils.build_query(params)
     clearance = double("clearance", sign_in: true)
-    Rack::MockRequest.env_for("/?as=#{user_id}").merge(clearance: clearance)
+    Rack::MockRequest.env_for("/?#{query}").merge(clearance: clearance)
+  end
+
+  def env_for_user_id(user_id)
+    build_env(as: user_id)
   end
 
   def env_for_username(username)
-    clearance = double("clearance", sign_in: true)
-    Rack::MockRequest.env_for("/?as=#{username}").merge(clearance: clearance)
+    build_env(as: username)
   end
 
   def mock_app

data/spec/clearance/rack_session_spec.rb

@@ -11,6 +11,8 @@ describe Clearance::RackSession do
     env = Rack::MockRequest.env_for('/')
     expected_session = "the session"
     allow(expected_session).to receive(:add_cookie_to_headers)
+    allow(expected_session).to receive(:authentication_successful?).
+      and_return(true)
     allow(Clearance::Session).to receive(:new).
       with(env).
       and_return(expected_session)
@@ -18,7 +20,6 @@ describe Clearance::RackSession do
     response = Rack::MockResponse.new(*app.call(env))
 
     expect(response.body).to eq expected_session
-    expect(expected_session).to have_received(:add_cookie_to_headers).
-      with(hash_including(headers))
+    expect(expected_session).to have_received(:add_cookie_to_headers)
   end
 end

data/spec/clearance/session_spec.rb

@@ -4,7 +4,6 @@ describe Clearance::Session do
   before { Timecop.freeze }
   after { Timecop.return }
 
-  let(:headers) { {} }
   let(:session) { Clearance::Session.new(env_without_remember_token) }
   let(:user) { create(:user) }
 
@@ -35,9 +34,63 @@ describe Clearance::Session do
       Clearance.configuration.cookie_name = "custom_cookie_name"
 
       session.sign_in user
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to match(/custom_cookie_name=.+;/)
+      expect(remember_token_cookie(session, "custom_cookie_name")).to be_present
+    end
+  end
+
+  context "with signed cookies == false" do
+    it "uses cookies.signed" do
+      Clearance.configuration.signed_cookie = true
+
+      cookie_jar = {}
+      expect(session).to receive(:cookies).and_return(cookie_jar)
+      expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+      session.sign_in user
+    end
+  end
+
+  context "with signed cookies == true" do
+    it "uses cookies.signed" do
+      Clearance.configuration.signed_cookie = true
+
+      cookie_jar = {}
+      expect(session).to receive(:cookies).and_return(cookie_jar)
+      expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+      session.sign_in user
+    end
+  end
+
+  context "with signed cookies == :migrate" do
+    before do
+      Clearance.configuration.signed_cookie = :migrate
+    end
+
+    context "signed cookie exists" do
+      it "uses cookies.signed[remember_token]" do
+        cookie_jar = { "remember_token" => "signed cookie" }
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+        expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+        session.sign_in user
+      end
+    end
+
+    context "signed cookie does not exist yet" do
+      it "uses cookies[remember_token] instead" do
+        cookie_jar = { "remember_token" => "signed cookie" }
+        # first call will try to get the signed cookie
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+        # ... but signed_cookie doesn't exist
+        expect(cookie_jar).to receive(:signed).and_return({})
+        # then it attempts to retrieve the unsigned cookie
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+
+        session.sign_in user
+      end
     end
   end
 
@@ -157,9 +210,9 @@ describe Clearance::Session do
     end
 
     it 'sets a httponly cookie' do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers['Set-Cookie']).to match(/remember_token=.+; HttpOnly/)
+      expect(remember_token_cookie(session)[:httponly]).to be_truthy
     end
   end
 
@@ -170,9 +223,9 @@ describe Clearance::Session do
     end
 
     it 'sets a standard cookie' do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers['Set-Cookie']).not_to match(/remember_token=.+; HttpOnly/)
+      expect(remember_token_cookie(session)[:httponly]).to be_falsey
     end
   end
 
@@ -183,9 +236,9 @@ describe Clearance::Session do
     end
 
     it "sets a same-site cookie" do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to match(/remember_token=.+; SameSite/)
+      expect(remember_token_cookie(session)[:same_site]).to eq(:lax)
     end
   end
 
@@ -195,9 +248,9 @@ describe Clearance::Session do
     end
 
     it "sets a standard cookie" do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to_not match(/remember_token=.+; SameSite/)
+      expect(remember_token_cookie(session)[:same_site]).to be_nil
     end
   end
 
@@ -205,15 +258,11 @@ describe Clearance::Session do
     context 'default configuration' do
       it 'is set to 1 year from now' do
         user = double("User", remember_token: "123abc")
-        headers = {}
         session = Clearance::Session.new(env_without_remember_token)
         session.sign_in user
-        session.add_cookie_to_headers headers
+        session.add_cookie_to_headers
 
-        expect(headers).to set_cookie(
-          'remember_token',
-          user.remember_token, 1.year.from_now
-        )
+        expect(remember_token_cookie(session)[:expires]).to eq(1.year.from_now)
       end
     end
 
@@ -225,18 +274,14 @@ describe Clearance::Session do
         end
         with_custom_expiration expires_at do
           user = double("User", remember_token: "123abc")
-          headers = {}
           environment = env_with_cookies(remember_me: 'true')
           session = Clearance::Session.new(environment)
           session.sign_in user
-          session.add_cookie_to_headers headers
-
-          expect(headers).to set_cookie(
-            'remember_token',
-            user.remember_token,
-            remembered_expires
-          )
-
+          session.add_cookie_to_headers
+          expect(remember_token_cookie(session)[:expires]).to \
+            eq(remembered_expires)
+          expect(remember_token_cookie(session)[:value]).to \
+            eq(user.remember_token)
         end
       end
     end
@@ -249,9 +294,9 @@ describe Clearance::Session do
       end
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).not_to match(/remember_token=.+; secure/)
+        expect(remember_token_cookie(session)[:secure]).to be_falsey
       end
     end
 
@@ -262,9 +307,9 @@ describe Clearance::Session do
       end
 
       it 'sets a secure cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).to match(/remember_token=.+; secure/)
+        expect(remember_token_cookie(session)[:secure]).to be_truthy
       end
     end
   end
@@ -280,9 +325,9 @@ describe Clearance::Session do
         let(:cookie_domain) { ".example.com" }
 
         it "sets a standard cookie" do
-          session.add_cookie_to_headers(headers)
+          session.add_cookie_to_headers
 
-          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+          expect(remember_token_cookie(session)[:domain]).to eq(cookie_domain)
         end
       end
 
@@ -290,9 +335,9 @@ describe Clearance::Session do
         let(:cookie_domain) { lambda { |_r| ".example.com" } }
 
         it "sets a standard cookie" do
-          session.add_cookie_to_headers(headers)
+          session.add_cookie_to_headers
 
-          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+          expect(remember_token_cookie(session)[:domain]).to eq(".example.com")
         end
       end
     end
@@ -301,9 +346,9 @@ describe Clearance::Session do
       before { session.sign_in(user) }
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers["Set-Cookie"]).not_to match(/domain=.+; path/)
+        expect(remember_token_cookie(session)[:domain]).to be_nil
       end
     end
   end
@@ -313,9 +358,9 @@ describe Clearance::Session do
       before { session.sign_in(user) }
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers["Set-Cookie"]).to_not match(/domain=.+; path/)
+        expect(remember_token_cookie(session)[:domain]).to be_nil
       end
     end
 
@@ -326,28 +371,86 @@ describe Clearance::Session do
       end
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).to match(/path=\/user; expires/)
+        expect(remember_token_cookie(session)[:path]).to eq("/user")
       end
     end
   end
 
   it 'does not set a remember token when signed out' do
-    headers = {}
     session = Clearance::Session.new(env_without_remember_token)
-    session.add_cookie_to_headers headers
-    expect(headers["Set-Cookie"]).to be nil
+    session.add_cookie_to_headers
+    expect(remember_token_cookie(session)).to be_nil
   end
 
-  it 'signs out a user' do
-    user = create(:user)
-    old_remember_token = user.remember_token
-    env = env_with_remember_token(old_remember_token)
-    session = Clearance::Session.new(env)
-    session.sign_out
-    expect(session.current_user).to be_nil
-    expect(user.reload.remember_token).not_to eq old_remember_token
+  describe "#sign_out" do
+    it "signs out a user" do
+      user = create(:user)
+      old_remember_token = user.remember_token
+      env = env_with_remember_token(old_remember_token)
+      session = Clearance::Session.new(env)
+      cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+      expect(cookie_jar.deleted?(:remember_token)).to be false
+
+      session.sign_out
+
+      expect(cookie_jar.deleted?(:remember_token)).to be true
+      expect(session.current_user).to be_nil
+      expect(user.reload.remember_token).not_to eq old_remember_token
+    end
+
+    context "with custom cookie domain" do
+      let(:domain) { ".example.com" }
+
+      before do
+        Clearance.configuration.cookie_domain = domain
+      end
+
+      it "clears cookie" do
+        user = create(:user)
+        env = env_with_remember_token(
+          value: user.remember_token,
+          domain: domain,
+        )
+        session = Clearance::Session.new(env)
+        cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be false
+
+        session.sign_out
+
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
+      end
+    end
+
+    context 'with callable cookie domain' do
+      it 'clears cookie' do
+        domain = '.example.com'
+        Clearance.configuration.cookie_domain = ->(_) { domain }
+        user = create(:user)
+        env = env_with_remember_token(
+          value: user.remember_token,
+          domain: domain
+        )
+        session = Clearance::Session.new(env)
+        cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be false
+
+        session.sign_out
+
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
+      end
+    end
+  end
+
+  # a bit of a hack to get the cookies that ActionDispatch sets inside session
+  def remember_token_cookie(session, cookie_name = "remember_token")
+    cookies = session.send(:cookies)
+    # see https://stackoverflow.com/a/21315095
+    set_cookies = cookies.instance_eval <<-RUBY, __FILE__, __LINE__ + 1
+      @set_cookies
+    RUBY
+    set_cookies[cookie_name]
   end
 
   def env_with_cookies(cookies)