clearance 2.3.1 → 2.6.0

data/gemfiles/rails_7.0.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "addressable"
+gem "ammeter"
+gem "appraisal"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
+gem "pry", require: false
+gem "rails-controller-testing"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 7.0"
+
+gemspec path: "../"

data/lib/clearance/authentication.rb

@@ -24,8 +24,10 @@ module Clearance
     #   `params[:session][:password]` are required.
     # @return [User, nil] The user or nil if authentication fails.
     def authenticate(params)
+      session_params = params.require(:session)
+
       Clearance.configuration.user_model.authenticate(
-        params[:session][:email], params[:session][:password]
+        session_params[:email], session_params[:password]
       )
     end
 

data/lib/clearance/authorization.rb

@@ -77,8 +77,8 @@ module Clearance
     end
 
     # @api private
-    def redirect_back_or(default)
-      redirect_to(return_to || default)
+    def redirect_back_or(default, **options)
+      redirect_to(return_to || default, **options)
       clear_return_to
     end
 
@@ -86,10 +86,16 @@ module Clearance
     def return_to
       if return_to_url
         uri = URI.parse(return_to_url)
-        "#{uri.path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
+        path = path_without_leading_slashes(uri)
+        "#{path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
       end
     end
 
+    # @api private
+    def path_without_leading_slashes(uri)
+      uri.path.sub(/\A\/+/, "/")
+    end
+
     # @api private
     def return_to_url
       session[:return_to]

data/lib/clearance/configuration.rb

@@ -118,6 +118,17 @@ module Clearance
     # @return [Array<String>]
     attr_accessor :allowed_backdoor_environments
 
+    # The parameter for user routes. By default this is derived from the user
+    # model.
+    # @return [Symbol]
+    attr_accessor :user_parameter
+
+    # Controls wether users are automatically signed in after successfully
+    # resetting their password.
+    # Defaults to `true`.
+    # @return [Boolean]
+    attr_writer :sign_in_on_password_reset
+
     def initialize
       @allow_sign_up = true
       @allowed_backdoor_environments = ["test", "ci", "development"]
@@ -134,6 +145,8 @@ module Clearance
       @secure_cookie = false
       @signed_cookie = false
       @sign_in_guards = []
+      @user_parameter = nil
+      @sign_in_on_password_reset = true
     end
 
     def signed_cookie=(value)
@@ -183,7 +196,7 @@ module Clearance
     # In the default configuration, this is `user`.
     # @return [Symbol]
     def user_parameter
-      user_model.model_name.singular.to_sym
+      @user_parameter ||= user_model.model_name.singular.to_sym
     end
 
     # The name of foreign key parameter for the configured user model.
@@ -214,6 +227,10 @@ module Clearance
     def rotate_csrf_on_sign_in?
       !!rotate_csrf_on_sign_in
     end
+
+    def sign_in_on_password_reset?
+      @sign_in_on_password_reset
+    end
   end
 
   # @return [Clearance::Configuration] Clearance's current configuration

data/lib/clearance/sign_in_guard.rb

@@ -16,10 +16,10 @@ module Clearance
   #
   #     # in config/initializers/clearance.rb
   #     Clearance.configure do |config|
-  #       config.sign_in_guards = [ConfirmationGuard]
+  #       config.sign_in_guards = ["ConfirmationGuard"]
   #     end
   #
-  #     # in lib/guards/confirmation_guard.rb
+  #     # in app/guards/confirmation_guard.rb
   #     class ConfirmationGuard < Clearance::SignInGuard
   #       def call
   #         if signed_in? && current_user.email_confirmed?

data/lib/clearance/user.rb

@@ -234,7 +234,7 @@ module Clearance
     # Always false. Override this method in your user model to allow for other
     # forms of user authentication (username, Facebook, etc).
     #
-    # @return [false]
+    # @return [Boolean]
     def email_optional?
       false
     end
@@ -242,7 +242,7 @@ module Clearance
     # Always false. Override this method in your user model to allow for other
     # forms of user authentication (username, Facebook, etc).
     #
-    # @return [false]
+    # @return [Boolean]
     def password_optional?
       false
     end

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.3.1".freeze
+  VERSION = "2.6.0".freeze
 end

data/lib/generators/clearance/install/install_generator.rb

@@ -73,17 +73,21 @@ module Clearance
 
       def new_columns
         @new_columns ||= {
-          email: 't.string :email',
-          encrypted_password: 't.string :encrypted_password, limit: 128',
-          confirmation_token: 't.string :confirmation_token, limit: 128',
-          remember_token: 't.string :remember_token, limit: 128'
+          email: "t.string :email",
+          encrypted_password: "t.string :encrypted_password, limit: 128",
+          confirmation_token: "t.string :confirmation_token, limit: 128",
+          remember_token: "t.string :remember_token, limit: 128",
         }.reject { |column| existing_users_columns.include?(column.to_s) }
       end
 
       def new_indexes
         @new_indexes ||= {
-          index_users_on_email: 'add_index :users, :email',
-          index_users_on_remember_token: 'add_index :users, :remember_token'
+          index_users_on_email:
+            "add_index :users, :email",
+          index_users_on_confirmation_token:
+            "add_index :users, :confirmation_token, unique: true",
+          index_users_on_remember_token:
+            "add_index :users, :remember_token, unique: true",
         }.reject { |index| existing_users_indexes.include?(index.to_s) }
       end
 

data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb

@@ -1,31 +1,34 @@
 class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
   def self.up
+<% if config[:new_columns].any? -%>
     change_table :users do |t|
 <% config[:new_columns].values.each do |column| -%>
       <%= column %>
 <% end -%>
     end
-
+<% end -%>
+<% if config[:new_indexes].any? -%>
 <% config[:new_indexes].values.each do |index| -%>
     <%= index %>
 <% end -%>
-
-    users = select_all("SELECT id FROM users WHERE remember_token IS NULL")
-
-    users.each do |user|
-      update <<-SQL.squish
-        UPDATE users
-        SET remember_token = '#{Clearance::Token.new}'
-        WHERE id = '#{user['id']}'
-      SQL
+<% end -%>
+<% if config[:new_columns].keys.include?(:remember_token) -%>
+    Clearance.configuration.user_model.where(remember_token: nil).each do |user|
+      user.update_columns(remember_token: Clearance::Token.new)
     end
+<% end -%>
   end
 
   def self.down
-    change_table :users do |t|
+<% config[:new_indexes].values.each do |index| -%>
+    <%= index.sub("add_index", "remove_index") %>
+<% end -%>
 <% if config[:new_columns].any? -%>
-      t.remove <%= new_columns.keys.map { |column| ":#{column}" }.join(", ") %>
+    change_table :users do |t|
+<% config[:new_columns].keys.each do |key| -%>
+      t.remove <%= key.inspect %>
 <% end -%>
     end
+<% end -%>
   end
 end

data/lib/generators/clearance/install/templates/db/migrate/create_users.rb.erb

@@ -9,6 +9,7 @@ class CreateUsers < ActiveRecord::Migration<%= migration_version %>
     end
 
     add_index :users, :email
-    add_index :users, :remember_token
+    add_index :users, :confirmation_token, unique: true
+    add_index :users, :remember_token, unique: true
   end
 end

data/lib/generators/clearance/specs/templates/support/features/clearance_helpers.rb

@@ -36,6 +36,7 @@ module Features
     end
 
     def expect_user_to_be_signed_out
+      visit root_path
       expect(page).to have_content I18n.t("layouts.application.sign_in")
     end
 

data/spec/acceptance/clearance_installation_spec.rb

@@ -35,6 +35,7 @@ describe "Clearance Installation" do
        --skip-javascript
        --skip-keeps
        --skip-sprockets
+       --skip-asset-pipeline
     CMD
   end
 

data/spec/app_templates/testapp/Gemfile

@@ -1,3 +1,5 @@
+source "https://rubygems.org"
+
 gem "rails"
 gem "sqlite3"
 gem "rspec-rails"

data/spec/configuration_spec.rb

@@ -167,7 +167,14 @@ describe Clearance::Configuration do
   end
 
   describe "#user_parameter" do
-    it "returns the parameter key to use based on the user_model" do
+    context "when user_parameter is configured" do
+      it "returns the configured parameter" do
+        Clearance.configure { |config| config.user_parameter = :custom_param }
+        expect(Clearance.configuration.user_parameter).to eq :custom_param
+      end
+    end
+
+    it "returns the parameter key to use based on the user_model by default" do
       Account = Class.new(ActiveRecord::Base)
       Clearance.configure { |config| config.user_model = Account }
 

data/spec/controllers/passwords_controller_spec.rb

@@ -35,6 +35,16 @@ describe Clearance::PasswordsController do
         email = ActionMailer::Base.deliveries.last
         expect(email.subject).to match(/change your password/i)
       end
+
+      it "re-renders the page when turbo is enabled" do
+        user = create(:user)
+
+        post :create, params: {
+          password: { email: user.email.upcase },
+        }
+
+        expect(response).to have_http_status(:accepted)
+      end
     end
 
     context "email param is missing" do
@@ -46,6 +56,14 @@ describe Clearance::PasswordsController do
         expect(flash.now[:alert]).to match(/email can't be blank/i)
         expect(response).to render_template(:new)
       end
+
+      it "re-renders the page when turbo is enabled" do
+        post :create, params: {
+          password: {},
+        }
+
+        expect(response).to have_http_status(:unprocessable_entity)
+      end
     end
 
     context "email param is blank" do
@@ -53,12 +71,22 @@ describe Clearance::PasswordsController do
         post :create, params: {
           password: {
             email: "",
-          }
+          },
         }
 
         expect(flash.now[:alert]).to match(/email can't be blank/i)
         expect(response).to render_template(:new)
       end
+
+      it "re-renders the page when turbo is enabled" do
+        post :create, params: {
+          password: {
+            email: "",
+          },
+        }
+
+        expect(response).to have_http_status(:unprocessable_entity)
+      end
     end
 
     context "email does not belong to an existing user" do
@@ -73,7 +101,7 @@ describe Clearance::PasswordsController do
         expect(ActionMailer::Base.deliveries).to be_empty
       end
 
-      it "still responds with success so as not to leak registered users" do
+      it "still responds with error so as not to leak registered users" do
         email = "this_user_does_not_exist@non_existent_domain.com"
 
         post :create, params: {
@@ -83,6 +111,16 @@ describe Clearance::PasswordsController do
         expect(response).to be_successful
         expect(response).to render_template "passwords/create"
       end
+
+      it "has the same status code as a successful request" do
+        email = "this_user_does_not_exist@non_existent_domain.com"
+
+        post :create, params: {
+          password: { email: email },
+        }
+
+        expect(response).to have_http_status(:accepted)
+      end
     end
   end
 
@@ -97,6 +135,7 @@ describe Clearance::PasswordsController do
         }
 
         expect(response).to be_redirect
+        expect(response).to have_http_status(:found)
         expect(response).to redirect_to edit_user_password_url(user)
         expect(session[:password_reset_token]).to eq user.confirmation_token
       end
@@ -172,6 +211,35 @@ describe Clearance::PasswordsController do
         )
 
         expect(user.reload.encrypted_password).not_to eq old_encrypted_password
+        expect(response).to have_http_status(:see_other)
+      end
+
+      it "signs in the user" do
+        user = create(:user, :with_forgotten_password)
+
+        put :update, params: update_parameters(
+          user,
+          new_password: "my_new_password",
+        )
+
+        expect(current_user).to eq(user)
+      end
+
+      context "when Clearance is configured to not sign in the user" do
+        it "doesn't sign in the user" do
+          Clearance.configure do |config|
+            config.sign_in_on_password_reset = false
+          end
+
+          user = create(:user, :with_forgotten_password)
+
+          put :update, params: update_parameters(
+            user,
+            new_password: "my_new_password",
+          )
+
+          expect(current_user).to be_nil
+        end
       end
     end
 
@@ -211,8 +279,19 @@ describe Clearance::PasswordsController do
         )
 
         expect(flash.now[:alert]).to match(/password can't be blank/i)
+        expect(response).to have_http_status(:unprocessable_entity)
         expect(response).to render_template(:edit)
-        expect(cookies[:remember_token]).to be_nil
+      end
+
+      it "doesn't sign in the user" do
+        user = create(:user, :with_forgotten_password)
+
+        put :update, params: update_parameters(
+          user,
+          new_password: "",
+        )
+
+        expect(current_user).to be_nil
       end
     end
   end
@@ -226,4 +305,8 @@ describe Clearance::PasswordsController do
       password_reset: { password: new_password }
     }
   end
+
+  def current_user
+    request.env[:clearance].current_user
+  end
 end

data/spec/controllers/sessions_controller_spec.rb

@@ -24,6 +24,14 @@ describe Clearance::SessionsController do
   end
 
   describe "on POST to #create" do
+    context "when missing parameters" do
+      it "raises an error" do
+        expect do
+          post :create
+        end.to raise_error(ActionController::ParameterMissing)
+      end
+    end
+
     context "when password is optional" do
       it "renders the page with error" do
         user = create(:user_with_optional_password)
@@ -58,6 +66,19 @@ describe Clearance::SessionsController do
     end
 
     context "with good credentials and a session return url" do
+      it "redirects to the return URL removing leading slashes" do
+        user = create(:user)
+        url = "/url_in_the_session?foo=bar#baz"
+        return_url = "//////#{url}"
+        request.session[:return_to] = return_url
+
+        post :create, params: {
+          session: { email: user.email, password: user.password },
+        }
+
+        should redirect_to(url)
+      end
+
       it "redirects to the return URL maintaining query and fragment" do
         user = create(:user)
         return_url = "/url_in_the_session?foo=bar#baz"
@@ -104,6 +125,7 @@ describe Clearance::SessionsController do
       end
 
       it { should redirect_to_url_after_destroy }
+      it { expect(response).to have_http_status(:see_other) }
     end
 
     context "with a cookie" do

data/spec/controllers/users_controller_spec.rb

@@ -67,6 +67,20 @@ describe Clearance::UsersController do
           expect(response).to redirect_to(return_url)
         end
       end
+
+      context "with invalid attributes" do
+        it "renders the page with error" do
+          user_attributes = FactoryBot.attributes_for(:user, email: nil)
+          old_user_count = User.count
+
+          post :create, params: {
+            user: user_attributes,
+          }
+
+          expect(User.count).to eq old_user_count
+          expect(response).to have_http_status(:unprocessable_entity)
+        end
+      end
     end
 
     context "when signed in" do

data/spec/dummy/application.rb

@@ -1,50 +1,35 @@
 require "rails/all"
+
 require "clearance"
 
 module Dummy
   APP_ROOT = File.expand_path("..", __FILE__).freeze
 
-  I18n.enforce_available_locales = true
-
   class Application < Rails::Application
-    config.action_controller.allow_forgery_protection = false
     config.action_controller.perform_caching = false
-    config.action_dispatch.show_exceptions = false
     config.action_mailer.default_url_options = { host: "dummy.example.com" }
     config.action_mailer.delivery_method = :test
     config.active_support.deprecation = :stderr
-    config.active_support.test_order = :random
-    config.cache_classes = true
-    config.consider_all_requests_local = true
     config.eager_load = false
-    config.encoding = "utf-8"
+
     config.paths["app/controllers"] << "#{APP_ROOT}/app/controllers"
     config.paths["app/models"] << "#{APP_ROOT}/app/models"
     config.paths["app/views"] << "#{APP_ROOT}/app/views"
     config.paths["config/database"] = "#{APP_ROOT}/config/database.yml"
     config.paths["log"] = "tmp/log/development.log"
-
     config.paths.add "config/routes.rb", with: "#{APP_ROOT}/config/routes.rb"
-    config.secret_key_base = "SECRET_KEY_BASE"
 
-    if config.active_record.sqlite3.respond_to?(:represent_boolean_as_integer)
-      if Rails::VERSION::MAJOR < 6
-        config.active_record.sqlite3.represent_boolean_as_integer = true
-      end
+    if Rails.version.match?(/^6.0/)
+      config.active_record.sqlite3.represent_boolean_as_integer = true
+    else
+      config.active_record.legacy_connection_handling = false
     end
 
-    if Rails::VERSION::MAJOR >= 6
-      config.action_mailer.delivery_job = "ActionMailer::MailDeliveryJob"
-    end
-
-    config.active_job.queue_adapter = :inline
-
     def require_environment!
       initialize!
     end
 
     def initialize!(&block)
-      FileUtils.mkdir_p(Rails.root.join("db").to_s)
       super unless @initialized
     end
   end

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -135,6 +135,12 @@ describe Clearance::Generators::InstallGenerator, :generator do
         expect(migration).to contain("add_index :users, :email")
         expect(migration).not_to contain("t.string :remember_token")
         expect(migration).not_to contain("add_index :users, :remember_token")
+        expect(migration).to(
+          contain("add_index :users, :confirmation_token, unique: true"),
+        )
+        expect(migration).to(
+          contain("remove_index :users, :confirmation_token, unique: true"),
+        )
       end
     end
   end

data/spec/requests/password_maintenance_spec.rb

@@ -12,6 +12,7 @@ describe "Password maintenance" do
       }
 
       expect(response).to redirect_to(Clearance.configuration.redirect_url)
+      expect(response).to have_http_status(:see_other)
       expect(cookies["remember_token"]).to be_present
     end
   end

data/spec/spec_helper.rb

@@ -5,6 +5,7 @@ require "dummy/application"
 
 require "clearance/rspec"
 require "factory_bot_rails"
+require "rails-controller-testing"
 require "rspec/rails"
 require "shoulda-matchers"
 require "timecop"
@@ -28,11 +29,6 @@ RSpec.configure do |config|
   end
 
   config.before { restore_default_warning_free_config }
-
-  require 'rails-controller-testing'
-  config.include Rails::Controller::Testing::TestProcess
-  config.include Rails::Controller::Testing::TemplateAssertions
-  config.include Rails::Controller::Testing::Integration
 end
 
 Shoulda::Matchers.configure do |config|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.3.1
+  version: 2.6.0
 platform: ruby
 authors:
 - Dan Croak
@@ -22,10 +22,11 @@ authors:
 - Jason Morrison
 - Galen Frechette
 - Josh Steiner
+- Dorian Marié
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-05 00:00:00.000000000 Z
+date: 2022-06-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -149,11 +150,11 @@ files:
 - ".gitignore"
 - ".yardopts"
 - Appraisals
+- CHANGELOG.md
 - CONTRIBUTING.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
-- NEWS.md
 - README.md
 - RELEASING.md
 - Rakefile
@@ -185,6 +186,7 @@ files:
 - gemfiles/rails_5.2.gemfile
 - gemfiles/rails_6.0.gemfile
 - gemfiles/rails_6.1.gemfile
+- gemfiles/rails_7.0.gemfile
 - lib/clearance.rb
 - lib/clearance/authentication.rb
 - lib/clearance/authorization.rb
@@ -266,6 +268,7 @@ files:
 - spec/dummy/application.rb
 - spec/dummy/config/database.yml
 - spec/dummy/config/routes.rb
+- spec/dummy/db/.keep
 - spec/factories.rb
 - spec/generators/clearance/install/install_generator_spec.rb
 - spec/generators/clearance/routes/routes_generator_spec.rb
@@ -311,7 +314,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.