clearance 2.3.1 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 73e524b6026ced3c81ba4f5755fcc40190b5ca08e058d4297780600dc09dfa9a
-  data.tar.gz: 5c8fe49a083f5bddf070ed33eed1c78b5154d5da2c4f6bb3b52f5709c3db7875
+  metadata.gz: cd4f8ec16fd316714fb0f5020e634855d109e260bd164f7b68947f3e36f9d7c7
+  data.tar.gz: 5a78cfeca3fc95dee50bba6bd81026f32692de107d6be1d7aca4541837f5d579
 SHA512:
-  metadata.gz: b8f2689813bcd73ed5d8cd9f5783f3659dbf001f924af4c595c2a5470ad5d1b9d9f57126117626204f0cec9e13b989d757e4baa33e077bc7b6cfde394d6a2f3d
-  data.tar.gz: ac38abe61a29243c8e253954accad74c8ada5532876b53483ce4991b745124c265674a6df908814a78b3ef4d467e8abd27e9355332e9162bfd25865f8b7bea2b
+  metadata.gz: 6cdabe74719baedad2e9f8c221fd0abdd377856936fee0aa5b1572dd67c6a5b7925f01641116e0213ed2fcbe07cda870582acebd198aa57228fe4c0a2f90af9c
+  data.tar.gz: d0c1c9298dfdc961798bb65170f0b9b43d5eb6a25c956428cfa12ab7375be820e405d72e2c4ad34ed15c487bf7912bb6c17bb311e4a7768f302b6276f85e5920

data/.github/workflows/tests.yml

@@ -2,7 +2,7 @@ name: CI Tests
 
 on:
   push:
-    branches: "master"
+    branches: "main"
   pull_request:
     branches: "*"
 
@@ -16,21 +16,13 @@ jobs:
       fail-fast: false
       matrix:
         gemfile:
-          - "5.0"
-          - "5.1"
-          - "5.2"
           - "6.0"
           - "6.1"
+          - "7.0"
         ruby:
-          - "2.4.9"
-          - "2.5.7"
-          - "2.6.5"
-          - "2.7.2"
-        exclude:
-          - gemfile: "6.0"
-            ruby: "2.4.9"
-          - gemfile: "6.1"
-            ruby: "2.4.9"
+          - "2.7.6"
+          - "3.0.4"
+          - "3.1.2"
 
     env:
       BUNDLE_GEMFILE: gemfiles/rails_${{ matrix.gemfile }}.gemfile

data/Appraisals

@@ -1,18 +1,14 @@
-appraise "rails_5.0" do
-  gem "railties", "~> 5.0"
-  gem 'rspec-rails', '~> 3.1'
-  gem 'capybara', '>= 2.6.2', '< 3.33.0'
-  gem 'sqlite3', '~> 1.3.13'
-end
-
-appraise "rails_5.1" do
-  gem "railties", "~> 5.1"
+appraise "rails_6.0" do
+  gem "railties", "~> 6.0"
+  gem "net-smtp", require: false # not bundled in ruby 3.1
+  gem "psych", "< 4" # psych 4 switched from unsafe load to safe load
 end
 
-appraise "rails_5.2" do
-  gem "railties", "~> 5.2"
+appraise "rails_6.1" do
+  gem "railties", "~> 6.1"
+  gem "net-smtp", require: false # not bundled in ruby 3.1
 end
 
-appraise "rails_6.0" do
-  gem "railties", "~> 6.0"
+appraise "rails_7.0" do
+  gem "railties", "~> 7.0"
 end

data/{NEWS.md → CHANGELOG.md}

@@ -1,8 +1,47 @@
-# News
+# CHANGELOG
 
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [Unreleased]
+
+[Unreleased]: https://github.com/thoughtbot/clearance/compare/v2.6.0...main
+
+## [2.6.0] - June 12, 2022
+
+- Drops support for Rails 5.0, 5.1 and 5.2, see https://endoflife.date/rails #964
+- Drops support for Ruby 2.4, 2.5 and 2.6, see https://endoflife.date/ruby #964
+- Adds support for Turbo with appropriate status codes #965
+- Adds unique constraints on `remember_token` and `confirmation_token` #966
+- Allows `user_parameter` to be configuration, e.g. `params[:custom_id]` instead of
+  `params[:user_id]` #782 (Bryan Marble)
+- Updates SignInGuard documentation #950 (Matthew LS)
+- Forward options in redirect_back_or helper (#968) (Matthew LS)
+- Add configuration option to disable sign in after password reset (#969) (Till
+  Prochaska)
+
+[2.6.0]: https://github.com/thoughtbot/clearance/compare/v2.5.0...v2.6.0
+
+## [2.5.0] - September 10, 2021
+
+### Fixed
+
+- Fix open redirect vulnerability
+
+### Changed
+
+- Rename default branch to `main`
+
+[2.5.0]: https://github.com/thoughtbot/clearance/compare/v2.4.0...v2.5.0
+
+## [2.4.0] - March 5, 2021
+
+### Added
+
+- Optionally use signed cookies to prevent remember token timing attacks
+
+[2.4.0]: https://github.com/thoughtbot/clearance/compare/v2.3.1...v2.4.0
+
 ## [2.3.1] - March 5, 2021
 
 ### Fixed
@@ -13,6 +52,8 @@ complete changelog, see the git history for each version via the version links.
 - Revert case sensitivity for email uniqueness
 - Bump nokogiri and actionview dependencies to address security vulnerabilities
 
+[2.3.1]: https://github.com/thoughtbot/clearance/compare/v2.3.0...v2.3.1
+
 ## [2.3.0] - August 14, 2020
 
 ### Fixed

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (2.3.1)
+    clearance (2.5.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
@@ -13,55 +13,57 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.1.3)
-      actionpack (= 6.1.3)
-      actionview (= 6.1.3)
-      activejob (= 6.1.3)
-      activesupport (= 6.1.3)
+    actionmailer (7.0.3)
+      actionpack (= 7.0.3)
+      actionview (= 7.0.3)
+      activejob (= 7.0.3)
+      activesupport (= 7.0.3)
       mail (~> 2.5, >= 2.5.4)
+      net-imap
+      net-pop
+      net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (6.1.3)
-      actionview (= 6.1.3)
-      activesupport (= 6.1.3)
-      rack (~> 2.0, >= 2.0.9)
+    actionpack (7.0.3)
+      actionview (= 7.0.3)
+      activesupport (= 7.0.3)
+      rack (~> 2.0, >= 2.2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.3)
-      activesupport (= 6.1.3)
+    actionview (7.0.3)
+      activesupport (= 7.0.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.1.3)
-      activesupport (= 6.1.3)
+    activejob (7.0.3)
+      activesupport (= 7.0.3)
       globalid (>= 0.3.6)
-    activemodel (6.1.3)
-      activesupport (= 6.1.3)
-    activerecord (6.1.3)
-      activemodel (= 6.1.3)
-      activesupport (= 6.1.3)
-    activesupport (6.1.3)
+    activemodel (7.0.3)
+      activesupport (= 7.0.3)
+    activerecord (7.0.3)
+      activemodel (= 7.0.3)
+      activesupport (= 7.0.3)
+    activesupport (7.0.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
-    addressable (2.7.0)
+    addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
-    ammeter (1.1.4)
+    ammeter (1.1.5)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (2.3.0)
+    appraisal (2.4.1)
       bundler
       rake
       thor (>= 0.14.0)
-    argon2 (2.0.3)
+    argon2 (2.1.1)
       ffi (~> 1.14)
       ffi-compiler (~> 1.0)
     ast (2.4.2)
-    bcrypt (3.1.16)
+    bcrypt (3.1.18)
     better_html (1.0.16)
       actionview (>= 4.0)
       activesupport (>= 4.0)
@@ -71,64 +73,87 @@ GEM
       parser (>= 2.4)
       smart_properties
     builder (3.2.4)
-    capybara (3.33.0)
+    capybara (3.37.1)
       addressable
+      matrix
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
-      regexp_parser (~> 1.5)
+      regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.8)
+    concurrent-ruby (1.1.10)
     crass (1.0.6)
-    database_cleaner (1.8.5)
-    diff-lcs (1.4.4)
-    email_validator (2.2.2)
+    database_cleaner (2.0.1)
+      database_cleaner-active_record (~> 2.0.0)
+    database_cleaner-active_record (2.0.1)
+      activerecord (>= 5.a)
+      database_cleaner-core (~> 2.0.0)
+    database_cleaner-core (2.0.1)
+    diff-lcs (1.5.0)
+    digest (3.1.0)
+    email_validator (2.2.3)
       activemodel
-    erb_lint (0.0.34)
+    erb_lint (0.1.1)
       activesupport
       better_html (~> 1.0.7)
       html_tokenizer
+      parser (>= 2.7.1.4)
       rainbow
-      rubocop (~> 0.79)
+      rubocop
       smart_properties
     erubi (1.10.0)
-    factory_bot (6.1.0)
+    factory_bot (6.2.1)
       activesupport (>= 5.0.0)
-    factory_bot_rails (6.1.0)
-      factory_bot (~> 6.1.0)
+    factory_bot_rails (6.2.0)
+      factory_bot (~> 6.2.0)
       railties (>= 5.0.0)
-    ffi (1.14.2)
+    ffi (1.15.5)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
+    globalid (1.0.0)
+      activesupport (>= 5.0)
     html_tokenizer (0.0.7)
-    i18n (1.8.9)
+    i18n (1.10.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.9.0)
+    loofah (2.18.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
+    matrix (0.4.2)
     method_source (1.0.0)
-    mini_mime (1.0.2)
-    mini_portile2 (2.5.0)
-    minitest (5.14.4)
-    nokogiri (1.11.1)
-      mini_portile2 (~> 2.5.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.0)
+    minitest (5.15.0)
+    net-imap (0.2.3)
+      digest
+      net-protocol
+      strscan
+    net-pop (0.1.1)
+      digest
+      net-protocol
+      timeout
+    net-protocol (0.1.3)
+      timeout
+    net-smtp (0.3.1)
+      digest
+      net-protocol
+      timeout
+    nokogiri (1.13.6)
+      mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    parallel (1.19.2)
-    parser (3.0.0.0)
+    parallel (1.22.1)
+    parser (3.1.2.0)
       ast (~> 2.4.1)
-    pry (0.13.1)
+    pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (4.0.5)
-    racc (1.5.2)
-    rack (2.2.3)
+    public_suffix (4.0.7)
+    racc (1.6.0)
+    rack (2.2.3.1)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-controller-testing (1.0.5)
@@ -138,59 +163,62 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
+    rails-html-sanitizer (1.4.3)
       loofah (~> 2.3)
-    railties (6.1.3)
-      actionpack (= 6.1.3)
-      activesupport (= 6.1.3)
+    railties (7.0.3)
+      actionpack (= 7.0.3)
+      activesupport (= 7.0.3)
       method_source
-      rake (>= 0.8.7)
+      rake (>= 12.2)
       thor (~> 1.0)
-    rainbow (3.0.0)
-    rake (13.0.3)
-    regexp_parser (1.7.1)
-    rexml (3.2.4)
-    rspec-core (3.9.2)
-      rspec-support (~> 3.9.3)
-    rspec-expectations (3.9.2)
+      zeitwerk (~> 2.5)
+    rainbow (3.1.1)
+    rake (13.0.6)
+    regexp_parser (2.5.0)
+    rexml (3.2.5)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.1)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.9.0)
-    rspec-rails (4.0.1)
-      actionpack (>= 4.2)
-      activesupport (>= 4.2)
-      railties (>= 4.2)
-      rspec-core (~> 3.9)
-      rspec-expectations (~> 3.9)
-      rspec-mocks (~> 3.9)
-      rspec-support (~> 3.9)
-    rspec-support (3.9.3)
-    rubocop (0.88.0)
+      rspec-support (~> 3.11.0)
+    rspec-rails (5.1.2)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
+      railties (>= 5.2)
+      rspec-core (~> 3.10)
+      rspec-expectations (~> 3.10)
+      rspec-mocks (~> 3.10)
+      rspec-support (~> 3.10)
+    rspec-support (3.11.0)
+    rubocop (1.30.1)
       parallel (~> 1.10)
-      parser (>= 2.7.1.1)
+      parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.7)
-      rexml
-      rubocop-ast (>= 0.1.0, < 1.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml (>= 3.2.5, < 4.0)
+      rubocop-ast (>= 1.18.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (0.3.0)
-      parser (>= 2.7.1.4)
-    ruby-progressbar (1.10.1)
-    shoulda-matchers (4.3.0)
-      activesupport (>= 4.2.0)
-    smart_properties (1.15.0)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.18.0)
+      parser (>= 3.1.1.0)
+    ruby-progressbar (1.11.0)
+    shoulda-matchers (5.1.0)
+      activesupport (>= 5.2.0)
+    smart_properties (1.17.0)
     sqlite3 (1.4.2)
-    thor (1.1.0)
-    timecop (0.9.1)
+    strscan (3.0.3)
+    thor (1.2.1)
+    timecop (0.9.5)
+    timeout (0.3.0)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (1.7.0)
+    unicode-display_width (2.1.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.4.2)
+    zeitwerk (2.5.4)
 
 PLATFORMS
   ruby
@@ -213,4 +241,4 @@ DEPENDENCIES
   timecop
 
 BUNDLED WITH
-   2.1.4
+   2.3.15

data/README.md

@@ -1,8 +1,8 @@
 # Clearance
 
-[![Build Status](https://secure.travis-ci.org/thoughtbot/clearance.svg)](http://travis-ci.org/thoughtbot/clearance?branch=master)
+[![Build Status](https://github.com/thoughtbot/clearance/actions/workflows/tests.yml/badge.svg)]( https://github.com/thoughtbot/clearance/actions/workflows/tests.yml?query=branch%3Amain)
 [![Code Climate](https://codeclimate.com/github/thoughtbot/clearance.svg)](https://codeclimate.com/github/thoughtbot/clearance)
-[![Documentation Quality](https://inch-ci.org/github/thoughtbot/clearance.svg?branch=master)](https://inch-ci.org/github/thoughtbot/clearance)
+[![Documentation Quality](https://inch-ci.org/github/thoughtbot/clearance.svg?branch=main)](https://inch-ci.org/github/thoughtbot/clearance)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
 Rails authentication with email & password.
@@ -19,7 +19,7 @@ monitored by contributors.
 
 ## Getting Started
 
-Clearance is a Rails engine tested against Rails `>= 5.0` and Ruby `>= 2.4.0`.
+Clearance is a Rails engine tested against Rails `>= 6.0` and Ruby `>= 2.7.0`.
 
 You can add it to your Gemfile with:
 
@@ -55,16 +55,18 @@ Clearance.configure do |config|
   config.cookie_name = "remember_token"
   config.cookie_path = "/"
   config.routes = true
-  config.httponly = false
+  config.httponly = true
   config.mailer_sender = "reply@example.com"
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
   config.rotate_csrf_on_sign_in = true
   config.same_site = nil
   config.secure_cookie = false
+  config.signed_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
   config.parent_controller = "ApplicationController"
+  config.sign_in_on_password_reset = false
 end
 ```
 
@@ -286,6 +288,33 @@ and `password` attributes. Over-riding the `email_optional?` or
 `skip_password_validation?` methods to return `true` will disable those
 validations from being added.
 
+### Signed Cookies
+
+By default, Clearance uses unsigned cookies. If you would like to use signed
+cookies you can do so by overriding the default in an initializer like so:
+
+```ruby
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = true
+end
+```
+
+If you are currently not using signed cookies but would like to migrate your
+users over to them without breaking current sessions, you can do so by passing
+in `:migrate` rather than `true` as so:
+
+```ruby
+Clearance.configure do |config|
+  # ... other overrides
+  config.signed_cookie = :migrate
+end
+```
+
+You can read more about signed cookies in Clearance and why they are a good idea
+in the [pull request that added them](https://github.com/thoughtbot/clearance/pull/917).
+
+
 ## Extending Sign In
 
 By default, Clearance will sign in any user with valid credentials. If you need
@@ -321,6 +350,7 @@ end
 ```
 
 ```ruby
+# app/guards/email_confirmation_guard.rb
 class EmailConfirmationGuard < Clearance::SignInGuard
   def call
     if unconfirmed?

data/app/controllers/clearance/passwords_controller.rb

@@ -15,7 +15,7 @@ class Clearance::PasswordsController < Clearance::BaseController
       deliver_email(user)
     end
 
-    render template: "passwords/create"
+    render template: "passwords/create", status: :accepted
   end
 
   def edit
@@ -33,12 +33,12 @@ class Clearance::PasswordsController < Clearance::BaseController
     @user = find_user_for_update
 
     if @user.update_password(password_from_password_reset_params)
-      sign_in @user
-      redirect_to url_after_update
+      sign_in @user if Clearance.configuration.sign_in_on_password_reset?
+      redirect_to url_after_update, status: :see_other
       session[:password_reset_token] = nil
     else
       flash_failure_after_update
-      render template: "passwords/edit"
+      render template: "passwords/edit", status: :unprocessable_entity
     end
   end
 
@@ -80,14 +80,14 @@ class Clearance::PasswordsController < Clearance::BaseController
   def ensure_email_present
     if email_from_password_params.blank?
       flash_failure_when_missing_email
-      render template: "passwords/new"
+      render template: "passwords/new", status: :unprocessable_entity
     end
   end
 
   def ensure_existing_user
     unless find_user_by_id_and_confirmation_token
       flash_failure_when_forbidden
-      render template: "passwords/new"
+      render template: "passwords/new", status: :unprocessable_entity
     end
   end
 

data/app/controllers/clearance/sessions_controller.rb

@@ -17,7 +17,7 @@ class Clearance::SessionsController < Clearance::BaseController
 
   def destroy
     sign_out
-    redirect_to url_after_destroy
+    redirect_to url_after_destroy, status: :see_other
   end
 
   def new

data/app/controllers/clearance/users_controller.rb

@@ -14,7 +14,7 @@ class Clearance::UsersController < Clearance::BaseController
       sign_in @user
       redirect_back_or url_after_create
     else
-      render template: "users/new"
+      render template: "users/new", status: :unprocessable_entity
     end
   end
 

data/app/views/passwords/new.html.erb

@@ -6,7 +6,7 @@
   <%= form_for :password, url: passwords_path do |form| %>
     <div class="text-field">
       <%= form.label :email %>
-      <%= form.text_field :email, type: 'email' %>
+      <%= form.email_field :email %>
     </div>
 
     <div class="submit-field">

data/app/views/sessions/_form.html.erb

@@ -1,7 +1,7 @@
 <%= form_for :session, url: session_path do |form| %>
   <div class="text-field">
     <%= form.label :email %>
-    <%= form.text_field :email, type: 'email' %>
+    <%= form.email_field :email %>
   </div>
 
   <div class="password-field">

data/app/views/users/_form.html.erb

@@ -1,6 +1,6 @@
 <div class="text-field">
   <%= form.label :email %>
-  <%= form.text_field :email, type: 'email' %>
+  <%= form.email_field :email %>
 </div>
 
 <div class="password-field">

data/clearance.gemspec

@@ -27,7 +27,8 @@ Gem::Specification.new do |s|
     'Derek Prior',
     'Jason Morrison',
     'Galen Frechette',
-    'Josh Steiner'
+    'Josh Steiner',
+    'Dorian Marié'
   ]
   s.description = <<-DESCRIPTION
     Clearance is built to support authentication and authorization via an

data/db/schema.rb

@@ -23,6 +23,6 @@ ActiveRecord::Schema.define(version: 20110111224543) do
   end
 
   add_index "users", ["email"], name: "index_users_on_email"
-  add_index "users", ["remember_token"], name: "index_users_on_remember_token"
-
+  add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
+  add_index "users", ["remember_token"], name: "index_users_on_remember_token", unique: true
 end

data/gemfiles/rails_6.0.gemfile

@@ -17,5 +17,7 @@ gem "shoulda-matchers"
 gem "sqlite3"
 gem "timecop"
 gem "railties", "~> 6.0"
+gem "net-smtp", require: false
+gem "psych", "< 4"
 
 gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -17,5 +17,6 @@ gem "shoulda-matchers"
 gem "sqlite3"
 gem "timecop"
 gem "railties", "~> 6.1"
+gem "net-smtp", require: false
 
 gemspec path: "../"