clearance 2.2.1 → 2.5.0

data/README.md

@@ -1,8 +1,8 @@
 # Clearance
 
-[![Build Status](https://secure.travis-ci.org/thoughtbot/clearance.svg)](http://travis-ci.org/thoughtbot/clearance?branch=master)
+[![Build Status](https://github.com/thoughtbot/clearance/actions/workflows/tests.yml/badge.svg)]( https://github.com/thoughtbot/clearance/actions/workflows/tests.yml?query=branch%3Amain)
 [![Code Climate](https://codeclimate.com/github/thoughtbot/clearance.svg)](https://codeclimate.com/github/thoughtbot/clearance)
-[![Documentation Quality](https://inch-ci.org/github/thoughtbot/clearance.svg?branch=master)](https://inch-ci.org/github/thoughtbot/clearance)
+[![Documentation Quality](https://inch-ci.org/github/thoughtbot/clearance.svg?branch=main)](https://inch-ci.org/github/thoughtbot/clearance)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
 Rails authentication with email & password.
@@ -55,12 +55,14 @@ Clearance.configure do |config|
   config.cookie_name = "remember_token"
   config.cookie_path = "/"
   config.routes = true
-  config.httponly = false
+  config.httponly = true
   config.mailer_sender = "reply@example.com"
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
   config.rotate_csrf_on_sign_in = true
+  config.same_site = nil
   config.secure_cookie = false
+  config.signed_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
   config.parent_controller = "ApplicationController"
@@ -285,24 +287,33 @@ and `password` attributes. Over-riding the `email_optional?` or
 `skip_password_validation?` methods to return `true` will disable those
 validations from being added.
 
-### Deliver Email in Background Job
+### Signed Cookies
 
-Clearance has a password reset mailer. If you are using Rails 4.2 and Clearance
-1.6 or greater, Clearance will use ActiveJob's `deliver_later` method to
-automatically take advantage of your configured queue.
+By default, Clearance uses unsigned cookies. If you would like to use signed
+cookies you can do so by overriding the default in an initializer like so:
 
-If you are using an earlier version of Rails, you can override the
-`Clearance::Passwords` controller and define the behavior you need in the
-`deliver_email` method.
+```ruby
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = true
+end
+```
+
+If you are currently not using signed cookies but would like to migrate your
+users over to them without breaking current sessions, you can do so by passing
+in `:migrate` rather than `true` as so:
 
 ```ruby
-class PasswordsController < Clearance::PasswordsController
-  def deliver_email(user)
-    ClearanceMailer.delay.change_password(user)
-  end
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = :migrate
 end
 ```
 
+You can read more about signed cookies in Clearance and why they are a good idea
+in the [pull request that added them](https://github.com/thoughtbot/clearance/pull/917).
+
+
 ## Extending Sign In
 
 By default, Clearance will sign in any user with valid credentials. If you need

data/RELEASING.md

@@ -0,0 +1,25 @@
+# Releasing
+
+1. Update version file accordingly.
+1. Run `bundle install` to update Gemfile.lock
+1. Update `NEWS.md` to reflect the changes since last release.
+1. Commit changes.
+   There shouldn't be code changes,
+   and thus CI doesn't need to run,
+   you can then add "[ci skip]" to the commit message.
+1. Push the new commit
+1. Tag the release: `git tag -s vVERSION`
+    - We recommend the [_quick guide on how to sign a commit_] from GitHub.
+1. Push changes: `git push --tags`
+1. Build and publish:
+    ```bash
+    gem build clearance.gemspec
+    gem push clearance-*.gem
+    ```
+1. Add a new GitHub release using the recent `NEWS.md` as the content. Sample
+   URL: https://github.com/thoughtbot/clearance/releases/new?tag=vVERSION
+1. Announce the new release,
+   making sure to say "thank you" to the contributors
+   who helped shape this version!
+
+[_quick guide on how to sign a commit_]: https://docs.github.com/en/github/authenticating-to-github/signing-commits

data/Rakefile

@@ -22,5 +22,10 @@ RSpec::Core::RakeTask.new("spec:acceptance") do |task|
   task.verbose = false
 end
 
+desc "Lint ERB templates"
+task :erb_lint do
+  sh("bundle", "exec", "erblint", "app/views/**/*.erb")
+end
+
 desc "Run the specs and acceptance tests"
-task default: %w(spec spec:acceptance)
+task default: %w(spec spec:acceptance erb_lint)

data/app/controllers/clearance/passwords_controller.rb

@@ -45,8 +45,7 @@ class Clearance::PasswordsController < Clearance::BaseController
   private
 
   def deliver_email(user)
-    mail = ::ClearanceMailer.change_password(user)
-    mail.deliver_later
+    ::ClearanceMailer.change_password(user).deliver_now
   end
 
   def password_from_password_reset_params

data/app/views/clearance_mailer/change_password.html.erb

@@ -2,7 +2,7 @@
 
 <p>
   <%= link_to t(".link_text", default: "Change my password"),
-    edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+    url_for([@user, :password, action: :edit, token: @user.confirmation_token]) %>
 </p>
 
-<p><%= raw t(".closing") %></p>
+<p><%= t(".closing") %></p>

data/app/views/clearance_mailer/change_password.text.erb

@@ -1,5 +1,5 @@
 <%= t(".opening") %>
 
-<%= edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+<%= url_for([@user, :password, action: :edit, token: @user.confirmation_token]) %>
 
-<%= raw t(".closing") %>
+<%= t(".closing") %>

data/app/views/passwords/edit.html.erb

@@ -4,7 +4,7 @@
   <p><%= t(".description") %></p>
 
   <%= form_for :password_reset,
-        url: user_password_path(@user, token: @user.confirmation_token),
+        url: [@user, :password, token: @user.confirmation_token],
         html: { method: :put } do |form| %>
     <div class="password-field">
       <%= form.label :password %>

data/gemfiles/rails_5.0.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara", ">= 2.6.2", "< 3.33.0"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.0.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
 gem "rspec-rails", "~> 3.1"
+gem "shoulda-matchers"
+gem "sqlite3", "~> 1.3.13"
+gem "timecop"
+gem "railties", "~> 5.0"
 
 gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.1.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
-gem "rspec-rails", "~> 3.1"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 5.1"
 
 gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.2.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
-gem "rspec-rails", "~> 3.1"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 5.2"
 
 gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 6.0.0"
 gem "rails-controller-testing"
-gem "rspec-rails", "~> 4.0.0.beta3"
-gem "sqlite3", "~> 1.4.0"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 6.0"
 
 gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "addressable"
+gem "ammeter"
+gem "appraisal"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
+gem "pry", require: false
+gem "rails-controller-testing"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 6.1"
+
+gemspec path: "../"

data/lib/clearance/authorization.rb

@@ -86,10 +86,16 @@ module Clearance
     def return_to
       if return_to_url
         uri = URI.parse(return_to_url)
-        "#{uri.path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
+        path = path_without_leading_slashes(uri)
+        "#{path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
       end
     end
 
+    # @api private
+    def path_without_leading_slashes(uri)
+      uri.path.sub(/\A\/+/, "/")
+    end
+
     # @api private
     def return_to_url
       session[:return_to]

data/lib/clearance/back_door.rb

@@ -49,7 +49,8 @@ module Clearance
     # @api private
     def sign_in_through_the_back_door(env)
       params = Rack::Utils.parse_query(env["QUERY_STRING"])
-      user_param = params["as"]
+      user_param = params.delete("as")
+      env["QUERY_STRING"] = Rack::Utils.build_query(params)
 
       if user_param.present?
         user = find_user(user_param)

data/lib/clearance/configuration.rb

@@ -88,6 +88,14 @@ module Clearance
     # @return [Boolean]
     attr_accessor :secure_cookie
 
+    # Controls whether cookies are signed.
+    # Defaults to `false` for backwards compatibility.
+    # When set, uses Rails' signed cookies
+    # (more secure against timing/brute-force attacks)
+    # see [ActionDispatch::Cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html)
+    # @return [Boolean|:migrate]
+    attr_reader :signed_cookie
+
     # The array of sign in guards to run when signing a user in.
     # Defaults to an empty array. Sign in guards respond to `call` and are
     # initialized with a session and the current stack. Each guard can decide
@@ -124,9 +132,20 @@ module Clearance
       @rotate_csrf_on_sign_in = true
       @routes = true
       @secure_cookie = false
+      @signed_cookie = false
       @sign_in_guards = []
     end
 
+    def signed_cookie=(value)
+      if [true, false, :migrate].include? value
+        @signed_cookie = value
+      else
+        raise "Clearance's signed_cookie configuration value is invalid. " \
+              "Valid values are true, false, or :migrate. " \
+              "Set this option via Clearance.configure in an initializer"
+      end
+    end
+
     # The class representing the configured user model.
     # In the default configuration, this is the `User` class.
     # @return [Class]

data/lib/clearance/password_strategies.rb

@@ -15,9 +15,5 @@ module Clearance
   module PasswordStrategies
     autoload :BCrypt, "clearance/password_strategies/bcrypt"
     autoload :Argon2, "clearance/password_strategies/argon2"
-    autoload :BCryptMigrationFromSHA1,
-             "clearance/password_strategies/bcrypt_migration_from_sha1"
-    autoload :Blowfish, "clearance/password_strategies/blowfish"
-    autoload :SHA1, "clearance/password_strategies/sha1"
   end
 end

data/lib/clearance/rack_session.rb

@@ -23,7 +23,7 @@ module Clearance
       response = @app.call(env)
 
       if session.authentication_successful?
-        session.add_cookie_to_headers response[1]
+        session.add_cookie_to_headers
       end
 
       response

data/lib/clearance/session.rb

@@ -14,15 +14,9 @@ module Clearance
     # Called by {RackSession} to add the Clearance session cookie to a response.
     #
     # @return [void]
-    def add_cookie_to_headers(headers)
+    def add_cookie_to_headers
       if signed_in_with_remember_token?
-        Rack::Utils.set_cookie_header!(
-          headers,
-          remember_token_cookie,
-          cookie_options.merge(
-            value: current_user.remember_token,
-          ),
-        )
+        set_remember_token(current_user.remember_token)
       end
     end
 
@@ -112,9 +106,27 @@ module Clearance
       @cookies ||= ActionDispatch::Request.new(@env).cookie_jar
     end
 
+    # @api private
+    def set_remember_token(token)
+      case Clearance.configuration.signed_cookie
+      when true, :migrate
+        cookies.signed[remember_token_cookie] = cookie_options(token)
+      when false
+        cookies[remember_token_cookie] = cookie_options(token)
+      end
+      remember_token
+    end
+
     # @api private
     def remember_token
-      cookies[remember_token_cookie]
+      case Clearance.configuration.signed_cookie
+      when true
+        cookies.signed[remember_token_cookie]
+      when :migrate
+        cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
+      when false
+        cookies[remember_token_cookie]
+      end
     end
 
     # @api private
@@ -159,7 +171,7 @@ module Clearance
     end
 
     # @api private
-    def cookie_options
+    def cookie_options(value)
       {
         domain: domain,
         expires: remember_token_expires,
@@ -167,7 +179,7 @@ module Clearance
         same_site: Clearance.configuration.same_site,
         path: Clearance.configuration.cookie_path,
         secure: Clearance.configuration.secure_cookie,
-        value: remember_token,
+        value: value,
       }
     end
 
@@ -175,7 +187,7 @@ module Clearance
     def delete_cookie_options
       Hash.new.tap do |options|
         if configured_cookie_domain
-          options[:domain] = configured_cookie_domain
+          options[:domain] = domain
         end
       end
     end