clearance 2.1.0 → 2.4.0

data/spec/mailers/clearance_mailer_spec.rb

@@ -55,4 +55,37 @@ describe ClearanceMailer do
       text: I18n.t("clearance_mailer.change_password.link_text")
     )
   end
+
+  context "when using a custom model" do
+    it "contains a link for a custom model" do
+      define_people_routes
+      Person = Class.new(User)
+      person = Person.new(email: "person@example.com", password: "password")
+
+      person.forgot_password!
+      host = ActionMailer::Base.default_url_options[:host]
+      link = "http://#{host}/people/#{person.id}/password/edit" \
+        "?token=#{person.confirmation_token}"
+
+      email = ClearanceMailer.change_password(person)
+
+      expect(email.text_part.body).to include(link)
+      expect(email.html_part.body).to include(link)
+
+      Object.send(:remove_const, :Person)
+      Rails.application.reload_routes!
+    end
+
+    def define_people_routes
+      Rails.application.routes.draw do
+        resources :people, controller: "clearance/users", only: :create do
+          resource(
+            :password,
+            controller: "clearance/passwords",
+            only: %i[edit update],
+          )
+        end
+      end
+    end
+  end
 end

data/spec/models/user_spec.rb

@@ -47,6 +47,35 @@ describe User do
       expect(User.authenticate(user.email, "bad_password")).to be_nil
     end
 
+    it "takes the same amount of time to authenticate regardless of whether user exists" do
+      user = create(:user)
+      password = user.password
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, password)
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", password)
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
+    end
+
+    it "takes the same amount of time to fail authentication regardless of whether user exists" do
+      user = create(:user)
+
+      user_exists_time = Benchmark.realtime do
+        User.authenticate(user.email, "bad_password")
+      end
+
+      user_does_not_exist_time = Benchmark.realtime do
+        User.authenticate("bad_email@example.com", "bad_password")
+      end
+
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
+    end
+
     it "is retrieved via a case-insensitive search" do
       user = create(:user)
 

data/spec/password_strategies/argon2_spec.rb

@@ -0,0 +1,79 @@
+require "spec_helper"
+
+describe Clearance::PasswordStrategies::Argon2 do
+  include FakeModelWithPasswordStrategy
+
+  describe "#password=" do
+    it "encrypts the password into encrypted_password" do
+      stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(model_instance.encrypted_password).to eq encrypted_password
+    end
+
+    it "encrypts with Argon2 using default cost in non test environments" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      allow(Rails).to receive(:env).
+        and_return(ActiveSupport::StringInquirer.new("production"))
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    it "encrypts with Argon2 using minimum cost in test environment" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+
+      model_instance.password = password
+
+      expect(hasher).to have_received(:create).with(password)
+    end
+
+    def stub_argon2_password
+      hasher = double(Argon2::Password)
+      allow(hasher).to receive(:create).and_return(encrypted_password)
+      allow(Argon2::Password).to receive(:new).and_return(hasher)
+      hasher
+    end
+
+    def encrypted_password
+      @encrypted_password ||= double("encrypted password")
+    end
+  end
+
+  describe "#authenticated?" do
+    context "given a password" do
+      it "is authenticated with Argon2" do
+        model_instance = fake_model_with_argon2_strategy
+
+        model_instance.password = password
+
+        expect(model_instance).to be_authenticated(password)
+      end
+    end
+
+    context "given no password" do
+      it "is not authenticated" do
+        model_instance = fake_model_with_argon2_strategy
+
+        password = nil
+
+        expect(model_instance).not_to be_authenticated(password)
+      end
+    end
+  end
+
+  def fake_model_with_argon2_strategy
+    @fake_model_with_argon2_strategy ||= fake_model_with_password_strategy(
+      Clearance::PasswordStrategies::Argon2,
+    )
+  end
+
+  def password
+    "password"
+  end
+end

data/spec/support/clearance.rb

@@ -4,6 +4,17 @@ Clearance.configure do |config|
   # need an empty block to initialize the configuration object
 end
 
+# NOTE: to run the entire suite with signed cookies
+#       you can set the signed_cookie default to true
+#       and run all specs.
+#       However, to fake the actual signing process you
+#       can monkey-patch ActionDispatch so signed cookies
+#       behave like normal ones
+#
+# class ActionDispatch::Cookies::CookieJar
+#   def signed; self; end
+# end
+
 module Clearance
   module Test
     module Redirects

data/spec/support/request_with_remember_token.rb

@@ -1,11 +1,13 @@
 module RememberTokenHelpers
   def request_with_remember_token(remember_token)
-    cookies = {
-      'action_dispatch.cookies' => {
-        Clearance.configuration.cookie_name => remember_token
-      }
-    }
-    env = { clearance: Clearance::Session.new(cookies) }
+    cookies = ActionDispatch::Request.new({}).cookie_jar
+    if Clearance.configuration.signed_cookie
+      cookies.signed[Clearance.configuration.cookie_name] = remember_token
+    else
+      cookies[Clearance.configuration.cookie_name] = remember_token
+    end
+
+    env = { clearance: Clearance::Session.new(cookies.request.env) }
     Rack::Request.new env
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-19 00:00:00.000000000 Z
+date: 2021-04-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -41,6 +41,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: email_validator
   requirement: !ruby/object:Gem::Requirement
@@ -124,8 +144,9 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
+- ".erb-lint.yml"
+- ".github/workflows/tests.yml"
 - ".gitignore"
-- ".travis.yml"
 - ".yardopts"
 - Appraisals
 - CONTRIBUTING.md
@@ -134,6 +155,7 @@ files:
 - LICENSE
 - NEWS.md
 - README.md
+- RELEASING.md
 - Rakefile
 - app/controllers/clearance/base_controller.rb
 - app/controllers/clearance/passwords_controller.rb
@@ -162,6 +184,7 @@ files:
 - gemfiles/rails_5.1.gemfile
 - gemfiles/rails_5.2.gemfile
 - gemfiles/rails_6.0.gemfile
+- gemfiles/rails_6.1.gemfile
 - lib/clearance.rb
 - lib/clearance/authentication.rb
 - lib/clearance/authorization.rb
@@ -174,6 +197,7 @@ files:
 - lib/clearance/default_sign_in_guard.rb
 - lib/clearance/engine.rb
 - lib/clearance/password_strategies.rb
+- lib/clearance/password_strategies/argon2.rb
 - lib/clearance/password_strategies/bcrypt.rb
 - lib/clearance/rack_session.rb
 - lib/clearance/rspec.rb
@@ -250,6 +274,7 @@ files:
 - spec/helpers/helper_helpers_spec.rb
 - spec/mailers/clearance_mailer_spec.rb
 - spec/models/user_spec.rb
+- spec/password_strategies/argon2_spec.rb
 - spec/password_strategies/bcrypt_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
 - spec/requests/authentication_cookie_spec.rb
@@ -286,7 +311,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Rails authentication & authorization with email & password.

data/.travis.yml

@@ -1,27 +0,0 @@
-cache: bundler
-
-language:
-  - ruby
-
-rvm:
-  - 2.4.9
-  - 2.5.7
-  - 2.6.5
-
-gemfile:
-  - gemfiles/rails_5.0.gemfile
-  - gemfiles/rails_5.1.gemfile
-  - gemfiles/rails_5.2.gemfile
-  - gemfiles/rails_6.0.gemfile
-
-install:
-  - "bin/setup"
-
-branches:
-  only:
-    - master
-
-matrix:
-  exclude:
-    - rvm: 2.4.9
-      gemfile: gemfiles/rails_6.0.gemfile