clearance 2.7.1 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0877a789add508c0031bbccf949369fa360271e2f42d9bfb32f16259b9135a3
-  data.tar.gz: 9ca1d73291bd91c1811edbfc69f3acef51d35edad753743badfb38341687d20b
+  metadata.gz: e5f7f15515653096a81f567271c72a5bc138dac396acb3d7727fb7eb95b89540
+  data.tar.gz: 61b53d47ef673fe4f171aa32c6239c80fca531c4edaa239446bb0f3d8478df18
 SHA512:
-  metadata.gz: 67e231abb3b4ee087b0da4c258fab6ba07190945a365b7c3ac37577a9e84a2982fedfccb6578d6d661e8301fb293d061ddcad67af17da1faf8254e31bc336f3e
-  data.tar.gz: 4bede194d2b6adc4cab0caaf4297435440df9967075a167aca064a3dd9dfa4ebc648f5fdc0588a2c1364f3c43c29aeefcff882e031d02c65e9cf5f0e517eb934
+  metadata.gz: a695e60bfb14845d6bb5a1481766f2104f68fc92149fc0de3191af403bc7719803013cb8cb4a93fa74c1d334d1190e7206ba017502d40f109d0e96fb381fb3e0
+  data.tar.gz: cc12e0563b4106d22e4d4c23a8d2f50621cc1f2a61f905ea82ea697369e1e916bc5e5d69b65900d8b146244fe9a8dbf50e54e752c9b0cbd9243c53c285011226

data/.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+
+updates:
+  - package-ecosystem: bundler
+    directory: "/"
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 5
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      time: "02:00"
+      timezone: "Etc/UTC"

data/.github/workflows/dynamic-security.yml

@@ -0,0 +1,19 @@
+name: update-security
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - SECURITY.md
+  workflow_dispatch:
+
+jobs:
+  update-security:
+    permissions:
+      contents: write
+      pull-requests: write
+      pages: write
+    uses: thoughtbot/templates/.github/workflows/dynamic-security.yaml@main
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}

data/CHANGELOG.md

@@ -5,9 +5,27 @@ complete changelog, see the git history for each version via the version links.
 
 ## [Unreleased]
 
-[Unreleased]: https://github.com/thoughtbot/clearance/compare/v2.7.1...main
+[Unreleased]: https://github.com/thoughtbot/clearance/compare/v2.8.0...main
 
-## [2.7.1] May 8, 2024
+## [2.8.0] - August 9, 2024
+- Feature: Added allow_password_resets config option (#1019) Jos O'shea
+- Added dependabot (#1028) Karine Vieira
+- Fixed some deprecation warnings (#1018)
+- Added a dynamic workflow to update SECURITY.md
+
+[2.8.0]: https://github.com/thoughtbot/clearance/compare/v2.7.2...v2.8.0
+
+## [2.7.2] - June 28, 2024
+- Fix method redefinition and circular require issues (#1027)
+- Add specs for email validator strict mode (#1001)
+- Create SECURITY.md (#972)
+- Fix validating email in strict mode (#976)
+- Update the example config in README.md (#977)
+- Remove Hound README badge (#1020)
+
+[2.7.2]: https://github.com/thoughtbot/clearance/compare/v2.7.1...v2.7.2
+
+## [2.7.1] - May 8, 2024
 - Update sqlite3 and erb_lint gems (#1017) Jos O'shea
 
 [2.7.1]: https://github.com/thoughtbot/clearance/compare/v2.7.0...v2.7.1

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (2.7.0)
+    clearance (2.8.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
@@ -107,7 +107,7 @@ GEM
     factory_bot_rails (6.2.0)
       factory_bot (~> 6.2.0)
       railties (>= 5.0.0)
-    ffi (1.16.3)
+    ffi (1.17.0)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
@@ -130,7 +130,7 @@ GEM
     mini_mime (1.1.2)
     mini_portile2 (2.8.6)
     minitest (5.22.3)
-    net-imap (0.4.10)
+    net-imap (0.4.14)
       date
       net-protocol
     net-pop (0.1.2)

data/README.md

@@ -3,7 +3,6 @@
 [![Build Status](https://github.com/thoughtbot/clearance/actions/workflows/tests.yml/badge.svg)]( https://github.com/thoughtbot/clearance/actions/workflows/tests.yml?query=branch%3Amain)
 [![Code Climate](https://codeclimate.com/github/thoughtbot/clearance.svg)](https://codeclimate.com/github/thoughtbot/clearance)
 [![Documentation Quality](https://inch-ci.org/github/thoughtbot/clearance.svg?branch=main)](https://inch-ci.org/github/thoughtbot/clearance)
-[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
 Rails authentication with email & password.
 
@@ -50,6 +49,7 @@ Override any of these defaults in `config/initializers/clearance.rb`:
 ```ruby
 Clearance.configure do |config|
   config.allow_sign_up = true
+  config.allow_password_reset = true
   config.cookie_domain = ".example.com"
   config.cookie_expiration = lambda { |cookies| 1.year.from_now.utc }
   config.cookie_name = "remember_token"
@@ -63,7 +63,7 @@ Clearance.configure do |config|
   config.url_after_denied_access_when_signed_out = nil
   config.rotate_csrf_on_sign_in = true
   config.same_site = nil
-  config.secure_cookie = false
+  config.secure_cookie = Rails.configuration.force_ssl
   config.signed_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
@@ -497,4 +497,19 @@ redistributed under the terms specified in the [`LICENSE`] file.
 [`LICENSE`]: /LICENSE
 
 <!-- START /templates/footer.md -->
+## About thoughtbot
+
+![thoughtbot](https://thoughtbot.com/thoughtbot-logo-for-readmes.svg)
+
+This repo is maintained and funded by thoughtbot, inc.
+The names and logos for thoughtbot are trademarks of thoughtbot, inc.
+
+We love open source software!
+See [our other projects][community].
+We are [available for hire][hire].
+
+[community]: https://thoughtbot.com/community?utm_source=github
+[hire]: https://thoughtbot.com/hire-us?utm_source=github
+
+
 <!-- END /templates/footer.md -->

data/SECURITY.md

@@ -0,0 +1,20 @@
+<!-- START /templates/security.md -->
+# Security Policy
+
+## Supported Versions
+
+Only the the latest version of this project is supported at a given time. If
+you find a security issue with an older version, please try updating to the
+latest version first.
+
+If for some reason you can't update to the latest version, please let us know
+your reasons so that we can have a better understanding of your situation.
+
+## Reporting a Vulnerability
+
+For security inquiries or vulnerability reports, visit
+<https://thoughtbot.com/security>.
+
+If you have any suggestions to improve this policy, visit <https://thoughtbot.com/security>.
+
+<!-- END /templates/security.md -->

data/app/views/sessions/_form.html.erb

@@ -17,6 +17,8 @@
     <% if Clearance.configuration.allow_sign_up? %>
       <%= link_to t(".sign_up"), sign_up_path %>
     <% end %>
-    <%= link_to t(".forgot_password"), new_password_path %>
+    <% if Clearance.configuration.allow_password_reset? %>
+      <%= link_to t(".forgot_password"), new_password_path %>
+    <% end %>
   </div>
 <% end %>

data/clearance.gemspec

@@ -28,7 +28,8 @@ Gem::Specification.new do |s|
     'Jason Morrison',
     'Galen Frechette',
     'Josh Steiner',
-    'Dorian Marié'
+    'Dorian Marié',
+    'Sara Jackson'
   ]
   s.description = <<-DESCRIPTION
     Clearance is built to support authentication and authorization via an

data/config/routes.rb

@@ -11,9 +11,11 @@ if Clearance.configuration.routes_enabled?
     resources :users,
       controller: 'clearance/users',
       only: Clearance.configuration.user_actions do
-        resource :password,
-          controller: 'clearance/passwords',
-          only: [:edit, :update]
+        if Clearance.configuration.allow_password_reset?
+          resource :password,
+            controller: 'clearance/passwords',
+            only: [:edit, :update]
+        end
       end
 
     get '/sign_in' => 'clearance/sessions#new', as: 'sign_in'

data/lib/clearance/configuration.rb

@@ -7,6 +7,13 @@ module Clearance
     # @return [Boolean]
     attr_writer :allow_sign_up
 
+    # Controls whether the password reset routes are enabled
+    # Defaults to `true`. Set to False to disable password reset routes
+    # The setting is ignored if routes are disabled.
+    # @param [Boolean] value
+    # @return [Boolean]
+    attr_writer :allow_password_reset
+
     # The domain to use for the clearance remember token cookie.
     # Defaults to `nil`, which causes the cookie domain to default to the
     # domain of the request. For more, see
@@ -135,7 +142,7 @@ module Clearance
     # The parameter for user routes. By default this is derived from the user
     # model.
     # @return [Symbol]
-    attr_accessor :user_parameter
+    attr_writer :user_parameter
 
     # Controls wether users are automatically signed in after successfully
     # resetting their password.
@@ -145,6 +152,7 @@ module Clearance
 
     def initialize
       @allow_sign_up = true
+      @allow_password_reset = true
       @allowed_backdoor_environments = ["test", "ci", "development"]
       @cookie_domain = nil
       @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
@@ -195,6 +203,12 @@ module Clearance
       @allow_sign_up
     end
 
+    # Are the password reset routes enabled?
+    # @return [Boolean]
+    def allow_password_reset?
+      @allow_password_reset
+    end
+    
     # Specifies which controller actions are allowed for user resources.
     # This will be `[:create]` is `allow_sign_up` is true (the default), and
     # empty otherwise.

data/lib/clearance/engine.rb

@@ -1,4 +1,3 @@
-require "clearance"
 require "rails/engine"
 
 module Clearance

data/lib/clearance/user.rb

@@ -150,7 +150,7 @@ module Clearance
 
       included do
         validates :email,
-          email: { strict_mode: true },
+          email: { mode: :strict },
           presence: true,
           uniqueness: { allow_blank: true, case_sensitive: true },
           unless: :email_optional?

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.7.1".freeze
+  VERSION = "2.8.0".freeze
 end

data/lib/clearance.rb

@@ -5,9 +5,9 @@ require 'clearance/rack_session'
 require 'clearance/back_door'
 require 'clearance/controller'
 require 'clearance/user'
-require 'clearance/engine'
 require 'clearance/password_strategies'
 require 'clearance/constraints'
+require 'clearance/engine'
 
 module Clearance
 end

data/spec/configuration_spec.rb

@@ -179,6 +179,21 @@ describe Clearance::Configuration do
     end
   end
 
+  describe "#allow_password_reset?" do
+    context "when allow_password_reset is configured to false" do
+      it "returns false" do
+        Clearance.configure { |config| config.allow_password_reset = false }
+        expect(Clearance.configuration.allow_password_reset?).to eq false
+      end
+    end
+
+    context "when allow_sign_up has not been configured" do
+      it "returns true" do
+        expect(Clearance.configuration.allow_password_reset?).to eq true
+      end
+    end
+  end  
+
   describe "#user_actions" do
     context "when allow_sign_up is configured to false" do
       it "returns empty array" do

data/spec/dummy/application.rb

@@ -9,6 +9,9 @@ module Dummy
     config.action_controller.perform_caching = false
     config.action_mailer.default_url_options = { host: "dummy.example.com" }
     config.action_mailer.delivery_method = :test
+    if Rails.version.match?(/(6.1|7.0)/)
+      config.active_record.legacy_connection_handling = false
+    end
     config.active_support.deprecation = :stderr
     config.eager_load = false
 

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -2,6 +2,10 @@ require "spec_helper"
 require "generators/clearance/install/install_generator"
 
 describe Clearance::Generators::InstallGenerator, :generator do
+  def get_migration(path)
+    Pathname.new(migration_file(path))
+  end
+
   describe "initializer" do
     it "is copied to the application" do
       provide_existing_application_controller
@@ -66,7 +70,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
         table_does_not_exist(:users)
 
         run_generator
-        migration = migration_file("db/migrate/create_users.rb")
+        migration = get_migration("db/migrate/create_users.rb")
 
         expect(migration).to exist
         expect(migration).to have_correct_syntax
@@ -88,7 +92,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
           table_does_not_exist(:users)
 
           run_generator
-          migration = migration_file("db/migrate/create_users.rb")
+          migration = get_migration("db/migrate/create_users.rb")
 
           expect(migration).to exist
           expect(migration).to have_correct_syntax
@@ -102,8 +106,8 @@ describe Clearance::Generators::InstallGenerator, :generator do
         provide_existing_application_controller
 
         run_generator
-        create_migration = migration_file("db/migrate/create_users.rb")
-        add_migration = migration_file("db/migrate/add_clearance_to_users.rb")
+        create_migration = get_migration("db/migrate/create_users.rb")
+        add_migration = get_migration("db/migrate/add_clearance_to_users.rb")
 
         expect(create_migration).not_to exist
         expect(add_migration).not_to exist
@@ -126,7 +130,7 @@ describe Clearance::Generators::InstallGenerator, :generator do
           and_return(existing_indexes)
 
         run_generator
-        migration = migration_file("db/migrate/add_clearance_to_users.rb")
+        migration = get_migration("db/migrate/add_clearance_to_users.rb")
 
         expect(migration).to exist
         expect(migration).to have_correct_syntax

data/spec/models/user_spec.rb

@@ -5,15 +5,16 @@ describe User do
   it { is_expected.to have_db_index(:remember_token) }
   it { is_expected.to validate_presence_of(:email) }
   it { is_expected.to validate_presence_of(:password) }
-  it { is_expected.to allow_value("foo;@example.com").for(:email) }
-  it { is_expected.to allow_value("foo@.example.com").for(:email) }
-  it { is_expected.to allow_value("foo@example..com").for(:email) }
   it { is_expected.to allow_value("foo@example.co.uk").for(:email) }
   it { is_expected.to allow_value("foo@example.com").for(:email) }
   it { is_expected.to allow_value("foo+bar@example.com").for(:email) }
   it { is_expected.not_to allow_value("example.com").for(:email) }
   it { is_expected.not_to allow_value("foo").for(:email) }
   it { is_expected.not_to allow_value("foo@").for(:email) }
+  it { is_expected.not_to allow_value("foo@bar").for(:email) }
+  it { is_expected.not_to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.not_to allow_value("foo@.example.com").for(:email) }
+  it { is_expected.not_to allow_value("foo@example..com").for(:email) }
 
   describe "#email" do
     it "stores email in down case and removes whitespace" do

data/spec/routing/clearance_routes_spec.rb

@@ -62,4 +62,36 @@ describe 'routes for Clearance' do
       expect(post: 'users').to be_routable
     end
   end
+
+  context 'password reset disabled' do
+    around do |example|
+      Clearance.configure { |config| config.allow_password_reset = false }
+      Rails.application.reload_routes!
+      example.run
+      Clearance.configuration = Clearance::Configuration.new
+      Rails.application.reload_routes!
+    end
+
+    it 'does not route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").not_to be_routable
+    end
+
+    it 'does not route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").not_to be_routable
+    end
+  end
+
+  context 'reset enabled' do
+    it 'does route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").to be_routable
+    end
+
+    it 'does route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").to be_routable
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.7.1
+  version: 2.8.0
 platform: ruby
 authors:
 - Dan Croak
@@ -23,10 +23,11 @@ authors:
 - Galen Frechette
 - Josh Steiner
 - Dorian Marié
+- Sara Jackson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-08 00:00:00.000000000 Z
+date: 2024-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -146,7 +147,9 @@ extra_rdoc_files:
 - README.md
 files:
 - ".erb-lint.yml"
+- ".github/dependabot.yml"
 - ".github/workflows/dynamic-readme.yml"
+- ".github/workflows/dynamic-security.yml"
 - ".github/workflows/tests.yml"
 - ".gitignore"
 - ".yardopts"
@@ -160,6 +163,7 @@ files:
 - README.md
 - RELEASING.md
 - Rakefile
+- SECURITY.md
 - app/controllers/clearance/base_controller.rb
 - app/controllers/clearance/passwords_controller.rb
 - app/controllers/clearance/sessions_controller.rb
@@ -314,7 +318,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.15
 signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.