clearance 2.4.0 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/tests.yml +1 -1
- data/Gemfile.lock +6 -6
- data/NEWS.md +12 -0
- data/README.md +4 -4
- data/lib/clearance/authorization.rb +7 -1
- data/lib/clearance/version.rb +1 -1
- data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb +5 -1
- data/spec/controllers/sessions_controller_spec.rb +13 -0
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d60bf1a6126821259c777a4d6c34169e0ac643d4c88f74133b13400b99c9140f
|
|
4
|
+
data.tar.gz: 42a4077da0d6bca303752a3ef9b224167b3510f3ea9649c3439148c6242591d5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a62015195770da36e79c06e228a9e368d20fb3c2e91c92f3bf168f5a2706bbaef4fc98c28bcde3cb5a80bf3eb16f2acc589cb7da920e151cb0060290cea5cc44
|
|
7
|
+
data.tar.gz: cec9f3ce0c48cadd04b43b0a5280fd34db24c532ea1f01e92b76b7acd3413220fb568f7d4e3f180b4aa80669264af0d0216da3c4806bc2d24af59276e4d50635
|
data/.github/workflows/tests.yml
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
clearance (2.
|
|
4
|
+
clearance (2.5.0)
|
|
5
5
|
actionmailer (>= 5.0)
|
|
6
6
|
activemodel (>= 5.0)
|
|
7
7
|
activerecord (>= 5.0)
|
|
@@ -84,7 +84,7 @@ GEM
|
|
|
84
84
|
crass (1.0.6)
|
|
85
85
|
database_cleaner (1.8.5)
|
|
86
86
|
diff-lcs (1.4.4)
|
|
87
|
-
email_validator (2.2.
|
|
87
|
+
email_validator (2.2.3)
|
|
88
88
|
activemodel
|
|
89
89
|
erb_lint (0.0.34)
|
|
90
90
|
activesupport
|
|
@@ -99,12 +99,12 @@ GEM
|
|
|
99
99
|
factory_bot_rails (6.1.0)
|
|
100
100
|
factory_bot (~> 6.1.0)
|
|
101
101
|
railties (>= 5.0.0)
|
|
102
|
-
ffi (1.
|
|
102
|
+
ffi (1.15.4)
|
|
103
103
|
ffi-compiler (1.0.1)
|
|
104
104
|
ffi (>= 1.0.0)
|
|
105
105
|
rake
|
|
106
|
-
globalid (0.
|
|
107
|
-
activesupport (>=
|
|
106
|
+
globalid (0.5.2)
|
|
107
|
+
activesupport (>= 5.0)
|
|
108
108
|
html_tokenizer (0.0.7)
|
|
109
109
|
i18n (1.8.9)
|
|
110
110
|
concurrent-ruby (~> 1.0)
|
|
@@ -149,7 +149,7 @@ GEM
|
|
|
149
149
|
rainbow (3.0.0)
|
|
150
150
|
rake (13.0.3)
|
|
151
151
|
regexp_parser (1.7.1)
|
|
152
|
-
rexml (3.2.
|
|
152
|
+
rexml (3.2.5)
|
|
153
153
|
rspec-core (3.9.2)
|
|
154
154
|
rspec-support (~> 3.9.3)
|
|
155
155
|
rspec-expectations (3.9.2)
|
data/NEWS.md
CHANGED
|
@@ -3,6 +3,18 @@
|
|
|
3
3
|
The noteworthy changes for each Clearance version are included here. For a
|
|
4
4
|
complete changelog, see the git history for each version via the version links.
|
|
5
5
|
|
|
6
|
+
## [2.5.0] - September 10, 2021
|
|
7
|
+
|
|
8
|
+
### Fixed
|
|
9
|
+
|
|
10
|
+
- Fix open redirect vulnerability
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
|
|
14
|
+
- Rename default branch to `main`
|
|
15
|
+
|
|
16
|
+
[2.4.0]: https://github.com/thoughtbot/clearance/compare/v2.3.1...v2.4.0
|
|
17
|
+
|
|
6
18
|
## [2.4.0] - March 5, 2021
|
|
7
19
|
|
|
8
20
|
### Added
|
data/README.md
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Clearance
|
|
2
2
|
|
|
3
|
-
[]( https://github.com/thoughtbot/clearance/actions/workflows/tests.yml?query=branch%3Amain)
|
|
4
4
|
[](https://codeclimate.com/github/thoughtbot/clearance)
|
|
5
|
-
[](https://inch-ci.org/github/thoughtbot/clearance)
|
|
6
6
|
[](https://houndci.com)
|
|
7
7
|
|
|
8
8
|
Rails authentication with email & password.
|
|
@@ -55,7 +55,7 @@ Clearance.configure do |config|
|
|
|
55
55
|
config.cookie_name = "remember_token"
|
|
56
56
|
config.cookie_path = "/"
|
|
57
57
|
config.routes = true
|
|
58
|
-
config.httponly =
|
|
58
|
+
config.httponly = true
|
|
59
59
|
config.mailer_sender = "reply@example.com"
|
|
60
60
|
config.password_strategy = Clearance::PasswordStrategies::BCrypt
|
|
61
61
|
config.redirect_url = "/"
|
|
@@ -299,7 +299,7 @@ Clearance.configure do |config|
|
|
|
299
299
|
end
|
|
300
300
|
```
|
|
301
301
|
|
|
302
|
-
If you are currently not using
|
|
302
|
+
If you are currently not using signed cookies but would like to migrate your
|
|
303
303
|
users over to them without breaking current sessions, you can do so by passing
|
|
304
304
|
in `:migrate` rather than `true` as so:
|
|
305
305
|
|
|
@@ -86,10 +86,16 @@ module Clearance
|
|
|
86
86
|
def return_to
|
|
87
87
|
if return_to_url
|
|
88
88
|
uri = URI.parse(return_to_url)
|
|
89
|
-
|
|
89
|
+
path = path_without_leading_slashes(uri)
|
|
90
|
+
"#{path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
|
|
90
91
|
end
|
|
91
92
|
end
|
|
92
93
|
|
|
94
|
+
# @api private
|
|
95
|
+
def path_without_leading_slashes(uri)
|
|
96
|
+
uri.path.sub(/\A\/+/, "/")
|
|
97
|
+
end
|
|
98
|
+
|
|
93
99
|
# @api private
|
|
94
100
|
def return_to_url
|
|
95
101
|
session[:return_to]
|
data/lib/clearance/version.rb
CHANGED
|
@@ -21,7 +21,11 @@ class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
|
|
|
21
21
|
end
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def self.down
|
|
24
|
+
def self.down
|
|
25
|
+
<% config[:new_indexes].values.each do |index| -%>
|
|
26
|
+
<%= index.gsub("add_index", "remove_index") %>
|
|
27
|
+
<% end -%>
|
|
28
|
+
|
|
25
29
|
change_table :users do |t|
|
|
26
30
|
<% if config[:new_columns].any? -%>
|
|
27
31
|
t.remove <%= new_columns.keys.map { |column| ":#{column}" }.join(", ") %>
|
|
@@ -58,6 +58,19 @@ describe Clearance::SessionsController do
|
|
|
58
58
|
end
|
|
59
59
|
|
|
60
60
|
context "with good credentials and a session return url" do
|
|
61
|
+
it "redirects to the return URL removing leading slashes" do
|
|
62
|
+
user = create(:user)
|
|
63
|
+
url = "/url_in_the_session?foo=bar#baz"
|
|
64
|
+
return_url = "//////#{url}"
|
|
65
|
+
request.session[:return_to] = return_url
|
|
66
|
+
|
|
67
|
+
post :create, params: {
|
|
68
|
+
session: { email: user.email, password: user.password },
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
should redirect_to(url)
|
|
72
|
+
end
|
|
73
|
+
|
|
61
74
|
it "redirects to the return URL maintaining query and fragment" do
|
|
62
75
|
user = create(:user)
|
|
63
76
|
return_url = "/url_in_the_session?foo=bar#baz"
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: clearance
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Croak
|
|
@@ -22,10 +22,10 @@ authors:
|
|
|
22
22
|
- Jason Morrison
|
|
23
23
|
- Galen Frechette
|
|
24
24
|
- Josh Steiner
|
|
25
|
-
autorequire:
|
|
25
|
+
autorequire:
|
|
26
26
|
bindir: bin
|
|
27
27
|
cert_chain: []
|
|
28
|
-
date: 2021-
|
|
28
|
+
date: 2021-09-10 00:00:00.000000000 Z
|
|
29
29
|
dependencies:
|
|
30
30
|
- !ruby/object:Gem::Dependency
|
|
31
31
|
name: bcrypt
|
|
@@ -295,7 +295,7 @@ homepage: https://github.com/thoughtbot/clearance
|
|
|
295
295
|
licenses:
|
|
296
296
|
- MIT
|
|
297
297
|
metadata: {}
|
|
298
|
-
post_install_message:
|
|
298
|
+
post_install_message:
|
|
299
299
|
rdoc_options:
|
|
300
300
|
- "--charset=UTF-8"
|
|
301
301
|
require_paths:
|
|
@@ -311,8 +311,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
311
311
|
- !ruby/object:Gem::Version
|
|
312
312
|
version: '0'
|
|
313
313
|
requirements: []
|
|
314
|
-
rubygems_version: 3.1.
|
|
315
|
-
signing_key:
|
|
314
|
+
rubygems_version: 3.1.4
|
|
315
|
+
signing_key:
|
|
316
316
|
specification_version: 4
|
|
317
317
|
summary: Rails authentication & authorization with email & password.
|
|
318
318
|
test_files: []
|