clearance 2.7.2 → 2.9.0

data/gemfiles/{rails_6.1.gemfile → rails_7.2.gemfile}

@@ -15,8 +15,6 @@ gem "rails-controller-testing"
 gem "rspec-rails"
 gem "shoulda-matchers"
 gem "sqlite3", "~> 1.7"
-gem "timecop"
-gem "railties", "~> 6.1.0"
-gem "net-smtp", require: false
+gem "railties", "~> 7.2.0"
 
 gemspec path: "../"

data/lib/clearance/back_door.rb

@@ -48,11 +48,13 @@ module Clearance
 
     # @api private
     def sign_in_through_the_back_door(env)
-      params = Rack::Utils.parse_query(env["QUERY_STRING"])
+      params = Rack::Utils.parse_query(env[Rack::QUERY_STRING])
       user_param = params.delete("as")
 
       if user_param.present?
-        env["QUERY_STRING"] = Rack::Utils.build_query(params)
+        query_string = Rack::Utils.build_query(params)
+        env[Rack::QUERY_STRING] = query_string
+        env[Rack::RACK_REQUEST_QUERY_STRING] = query_string
         user = find_user(user_param)
         env[:clearance].sign_in(user)
       end

data/lib/clearance/configuration.rb

@@ -7,6 +7,13 @@ module Clearance
     # @return [Boolean]
     attr_writer :allow_sign_up
 
+    # Controls whether the password reset routes are enabled
+    # Defaults to `true`. Set to False to disable password reset routes
+    # The setting is ignored if routes are disabled.
+    # @param [Boolean] value
+    # @return [Boolean]
+    attr_writer :allow_password_reset
+
     # The domain to use for the clearance remember token cookie.
     # Defaults to `nil`, which causes the cookie domain to default to the
     # domain of the request. For more, see
@@ -145,6 +152,7 @@ module Clearance
 
     def initialize
       @allow_sign_up = true
+      @allow_password_reset = true
       @allowed_backdoor_environments = ["test", "ci", "development"]
       @cookie_domain = nil
       @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
@@ -195,6 +203,12 @@ module Clearance
       @allow_sign_up
     end
 
+    # Are the password reset routes enabled?
+    # @return [Boolean]
+    def allow_password_reset?
+      @allow_password_reset
+    end
+    
     # Specifies which controller actions are allowed for user resources.
     # This will be `[:create]` is `allow_sign_up` is true (the default), and
     # empty otherwise.

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.7.2".freeze
+  VERSION = "2.9.0".freeze
 end

data/spec/clearance/session_spec.rb

@@ -1,8 +1,8 @@
 require 'spec_helper'
 
 describe Clearance::Session do
-  before { Timecop.freeze }
-  after { Timecop.return }
+  before { freeze_time }
+  after { unfreeze_time }
 
   let(:session) { Clearance::Session.new(env_without_remember_token) }
   let(:user) { create(:user) }

data/spec/configuration_spec.rb

@@ -179,6 +179,21 @@ describe Clearance::Configuration do
     end
   end
 
+  describe "#allow_password_reset?" do
+    context "when allow_password_reset is configured to false" do
+      it "returns false" do
+        Clearance.configure { |config| config.allow_password_reset = false }
+        expect(Clearance.configuration.allow_password_reset?).to eq false
+      end
+    end
+
+    context "when allow_sign_up has not been configured" do
+      it "returns true" do
+        expect(Clearance.configuration.allow_password_reset?).to eq true
+      end
+    end
+  end  
+
   describe "#user_actions" do
     context "when allow_sign_up is configured to false" do
       it "returns empty array" do

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/spec/dummy/config/application.rb

@@ -0,0 +1,13 @@
+require_relative "boot"
+
+require "rails/all"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Dummy
+  class Application < Rails::Application
+    config.load_defaults Rails::VERSION::STRING.to_f
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,5 @@
+# Set up gems listed in the Gemfile.
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
+
+require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+$LOAD_PATH.unshift File.expand_path("../../../lib", __dir__)

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require_relative "application"
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,31 @@
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+  config.enable_reloading = false
+
+  config.eager_load = ENV["CI"].present?
+
+  config.public_file_server.headers = { "Cache-Control" => "public, max-age=#{1.hour.to_i}" }
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local = true
+  config.action_controller.perform_caching = false
+  config.cache_store = :null_store
+
+  config.action_dispatch.show_exceptions = :rescuable
+
+  config.action_controller.allow_forgery_protection = false
+
+  config.action_mailer.perform_caching = false
+  config.action_mailer.delivery_method = :test
+
+  config.action_mailer.default_url_options = { host: "www.example.com" }
+
+  config.active_support.deprecation = :stderr
+  config.active_support.disallowed_deprecation = :raise
+  config.active_support.disallowed_deprecation_warnings = []
+
+  config.factory_bot.definition_file_paths = [File.expand_path('../../../factories', __dir__)]
+
+  config.middleware.use Clearance::BackDoor
+end

data/spec/dummy/config.ru

@@ -0,0 +1,6 @@
+# This file is used by Rack-based servers to start the application.
+
+require_relative "config/environment"
+
+run Rails.application
+Rails.application.load_server

data/{db → spec/dummy/db}/migrate/20110111224543_create_clearance_users.rb

@@ -1,4 +1,4 @@
-class CreateClearanceUsers < ActiveRecord::Migration
+class CreateClearanceUsers < ActiveRecord::Migration[Rails::VERSION::STRING.to_f]
   def self.up
     create_table :users do |t|
       t.timestamps null: false
@@ -9,7 +9,8 @@ class CreateClearanceUsers < ActiveRecord::Migration
     end
 
     add_index :users, :email
-    add_index :users, :remember_token
+    add_index :users, :confirmation_token, unique: true
+    add_index :users, :remember_token, unique: true
   end
 
   def self.down

data/spec/dummy/db/schema.rb

@@ -0,0 +1,25 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2011_01_11_224543) do
+  create_table "users", force: :cascade do |t|
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "email", null: false
+    t.string "encrypted_password", limit: 128, null: false
+    t.string "confirmation_token", limit: 128
+    t.string "remember_token", limit: 128, null: false
+    t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
+    t.index ["email"], name: "index_users_on_email"
+    t.index ["remember_token"], name: "index_users_on_remember_token", unique: true
+  end
+end

data/spec/requests/backdoor_spec.rb

@@ -0,0 +1,11 @@
+require "spec_helper"
+
+describe "Backdoor Middleware" do
+  it "allows signing in using query parameter" do
+    user = create(:user)
+
+    get root_path(as: user.to_param)
+
+    expect(cookies["remember_token"]).to eq user.remember_token
+  end
+end

data/spec/requests/csrf_rotation_spec.rb

@@ -16,7 +16,7 @@ describe "CSRF Rotation" do
         original_token = csrf_token
 
         post session_path, params: {
-          session: session_params(user, "password"),
+          authenticity_token: csrf_token, session: { email: user.email, password: "password" }
         }
 
         expect(csrf_token).not_to eq original_token
@@ -28,8 +28,4 @@ describe "CSRF Rotation" do
   def csrf_token
     session[:_csrf_token]
   end
-
-  def session_params(user, password)
-    { email: user.email, password: password, authenticity_token: csrf_token }
-  end
 end

data/spec/requests/token_expiration_spec.rb

@@ -3,13 +3,13 @@ require "spec_helper"
 describe "Token expiration" do
   describe "after signing in" do
     before do
-      Timecop.freeze
+      freeze_time
       create_user_and_sign_in
       @initial_cookies = remember_token_cookies
     end
 
     after do
-      Timecop.return
+      unfreeze_time
     end
 
     it "should have a remember_token cookie with a future expiration" do
@@ -25,7 +25,7 @@ describe "Token expiration" do
       create_user_and_sign_in
       @initial_cookies = remember_token_cookies
 
-      Timecop.travel(1.minute.from_now) do
+      travel_to(1.minute.from_now) do
         get root_path
         @followup_cookies = remember_token_cookies
       end

data/spec/routing/clearance_routes_spec.rb

@@ -62,4 +62,36 @@ describe 'routes for Clearance' do
       expect(post: 'users').to be_routable
     end
   end
+
+  context 'password reset disabled' do
+    around do |example|
+      Clearance.configure { |config| config.allow_password_reset = false }
+      Rails.application.reload_routes!
+      example.run
+      Clearance.configuration = Clearance::Configuration.new
+      Rails.application.reload_routes!
+    end
+
+    it 'does not route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").not_to be_routable
+    end
+
+    it 'does not route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").not_to be_routable
+    end
+  end
+
+  context 'reset enabled' do
+    it 'does route password edit' do
+      user = create(:user)
+      expect(get: "users/#{user.id}/password/edit").to be_routable
+    end
+
+    it 'does route to clearance/passwords#update' do
+      user = create(:user)
+      expect(patch: "/users/#{user.id}/password").to be_routable
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -1,20 +1,13 @@
 ENV["RAILS_ENV"] ||= "test"
+require_relative "dummy/config/environment"
 
-require "rails/all"
-require "dummy/application"
-
-require "clearance/rspec"
-require "factory_bot_rails"
-require "rails-controller-testing"
 require "rspec/rails"
-require "shoulda-matchers"
-require "timecop"
-
-Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+require "clearance/rspec"
 
-Dummy::Application.initialize!
+Dir[File.expand_path("spec/support/**/*.rb")].each { |f| require f }
 
 RSpec.configure do |config|
+  config.include ActiveSupport::Testing::TimeHelpers
   config.include FactoryBot::Syntax::Methods
   config.infer_spec_type_from_file_location!
   config.order = :random

data/spec/support/generator_spec_helpers.rb

@@ -3,6 +3,16 @@ require "ammeter/rspec/generator/matchers.rb"
 require "ammeter/init"
 
 module GeneratorSpecHelpers
+  module FileMethods
+    def file(path)
+      Pathname.new(super)
+    end
+
+    def migration_file(path)
+      Pathname.new(super)
+    end
+  end
+
   TEMPLATE_PATH = File.expand_path("../../app_templates", __FILE__)
 
   def provide_existing_routes_file
@@ -36,6 +46,7 @@ end
 
 RSpec.configure do |config|
   config.include GeneratorSpecHelpers
+  config.prepend GeneratorSpecHelpers::FileMethods
 
   config.before(:example, :generator) do
     destination File.expand_path("../../../tmp", __FILE__)

data/spec/support/html_escape_helper.rb

@@ -1,6 +1,6 @@
 module HTMLEscapeHelper
   def translated_string(key)
-    if Rails.version >= "7.0"
+    if [7.0].include?(Rails::VERSION::STRING.to_f)
       ERB::Util.html_escape_once(I18n.t(key))
     else
       I18n.t(key)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.7.2
+  version: 2.9.0
 platform: ruby
 authors:
 - Dan Croak
@@ -23,15 +23,19 @@ authors:
 - Galen Frechette
 - Josh Steiner
 - Dorian Marié
+- Sara Jackson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-28 00:00:00.000000000 Z
+date: 2024-10-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
@@ -39,6 +43,9 @@ dependencies:
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
@@ -80,56 +87,56 @@ dependencies:
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 - !ruby/object:Gem::Dependency
   name: actionmailer
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
 description: |2
@@ -146,7 +153,9 @@ extra_rdoc_files:
 - README.md
 files:
 - ".erb-lint.yml"
+- ".github/dependabot.yml"
 - ".github/workflows/dynamic-readme.yml"
+- ".github/workflows/dynamic-security.yml"
 - ".github/workflows/tests.yml"
 - ".gitignore"
 - ".yardopts"
@@ -182,11 +191,9 @@ files:
 - clearance.gemspec
 - config/locales/clearance.en.yml
 - config/routes.rb
-- db/migrate/20110111224543_create_clearance_users.rb
-- db/schema.rb
-- gemfiles/rails_6.1.gemfile
 - gemfiles/rails_7.0.gemfile
 - gemfiles/rails_7.1.gemfile
+- gemfiles/rails_7.2.gemfile
 - lib/clearance.rb
 - lib/clearance/authentication.rb
 - lib/clearance/authorization.rb
@@ -262,14 +269,22 @@ files:
 - spec/controllers/permissions_controller_spec.rb
 - spec/controllers/sessions_controller_spec.rb
 - spec/controllers/users_controller_spec.rb
+- spec/dummy/Rakefile
+- spec/dummy/app/assets/config/manifest.js
 - spec/dummy/app/controllers/application_controller.rb
 - spec/dummy/app/models/user.rb
 - spec/dummy/app/models/user_with_optional_password.rb
-- spec/dummy/application.rb
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
 - spec/dummy/config/database.yml
+- spec/dummy/config/environment.rb
+- spec/dummy/config/environments/test.rb
 - spec/dummy/config/routes.rb
 - spec/dummy/db/.keep
-- spec/factories.rb
+- spec/dummy/db/migrate/20110111224543_create_clearance_users.rb
+- spec/dummy/db/schema.rb
+- spec/factories/users.rb
 - spec/generators/clearance/install/install_generator_spec.rb
 - spec/generators/clearance/routes/routes_generator_spec.rb
 - spec/generators/clearance/specs/specs_generator_spec.rb
@@ -281,6 +296,7 @@ files:
 - spec/password_strategies/bcrypt_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
 - spec/requests/authentication_cookie_spec.rb
+- spec/requests/backdoor_spec.rb
 - spec/requests/cookie_options_spec.rb
 - spec/requests/csrf_rotation_spec.rb
 - spec/requests/password_maintenance_spec.rb
@@ -288,7 +304,6 @@ files:
 - spec/routing/clearance_routes_spec.rb
 - spec/spec_helper.rb
 - spec/support/clearance.rb
-- spec/support/cookies.rb
 - spec/support/fake_model_with_password_strategy.rb
 - spec/support/fake_model_without_password_strategy.rb
 - spec/support/generator_spec_helpers.rb
@@ -308,14 +323,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.4.0
+      version: 3.1.6
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.5.16
 signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.

data/db/schema.rb

@@ -1,28 +0,0 @@
-# encoding: UTF-8
-# This file is auto-generated from the current state of the database. Instead
-# of editing this file, please use the migrations feature of Active Record to
-# incrementally modify your database, and then regenerate this schema definition.
-#
-# Note that this schema.rb definition is the authoritative source for your
-# database schema. If you need to create the application database on another
-# system, you should be using db:schema:load, not running all the migrations
-# from scratch. The latter is a flawed and unsustainable approach (the more migrations
-# you'll amass, the slower it'll run and the greater likelihood for issues).
-#
-# It's strongly recommended that you check this file into your version control system.
-
-ActiveRecord::Schema.define(version: 20110111224543) do
-
-  create_table "users", force: true do |t|
-    t.datetime "created_at",                     null: false
-    t.datetime "updated_at",                     null: false
-    t.string   "email",                          null: false
-    t.string   "encrypted_password", limit: 128, null: false
-    t.string   "confirmation_token", limit: 128
-    t.string   "remember_token",     limit: 128, null: false
-  end
-
-  add_index "users", ["email"], name: "index_users_on_email"
-  add_index "users", ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
-  add_index "users", ["remember_token"], name: "index_users_on_remember_token", unique: true
-end

data/spec/dummy/application.rb

@@ -1,30 +0,0 @@
-require "rails/all"
-
-require "clearance"
-
-module Dummy
-  APP_ROOT = File.expand_path("..", __FILE__).freeze
-
-  class Application < Rails::Application
-    config.action_controller.perform_caching = false
-    config.action_mailer.default_url_options = { host: "dummy.example.com" }
-    config.action_mailer.delivery_method = :test
-    config.active_support.deprecation = :stderr
-    config.eager_load = false
-
-    config.paths["app/controllers"] << "#{APP_ROOT}/app/controllers"
-    config.paths["app/models"] << "#{APP_ROOT}/app/models"
-    config.paths["app/views"] << "#{APP_ROOT}/app/views"
-    config.paths["config/database"] = "#{APP_ROOT}/config/database.yml"
-    config.paths["log"] = "tmp/log/development.log"
-    config.paths.add "config/routes.rb", with: "#{APP_ROOT}/config/routes.rb"
-
-    def require_environment!
-      initialize!
-    end
-
-    def initialize!(&block)
-      super unless @initialized
-    end
-  end
-end