clearance 1.15.1 → 1.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ed1114d2ef322be26b340c854c009cf3a43d11a6
-  data.tar.gz: 06e17413cf20d6969c32ba696de6a8aa7dfb6162
+  metadata.gz: 4600924513a7c46fd73ebf5028b704bbff640f50
+  data.tar.gz: cb14d831486ab789f5a05e57787b3bcf7bd86be3
 SHA512:
-  metadata.gz: 049710acdb4130cb12100d922f9c4191aadb3b43e13bec6b46edcf328a04622a458d771656d5cabb429dbc836812f9361ff7493c3f743f1925aff3e4d558d99b
-  data.tar.gz: 73ecf1acaf7c2c5b365f9e43ab0c530b8bc3366b21c578ba08b071146224cf08960f161237dd030b79b9e50fe3d627934969f5082193ca91c4220cc72a475af1
+  metadata.gz: a3badd570870c53b355ea9bbd915bfc283064fdbd06cc97947bd6b01bf514b2f8fa4395545d4b9487fb8c0cb3eaf0f5e86487abb227cdf36d09ef57d1d104dfa
+  data.tar.gz: 61d3af42b4d82470966ad8b0f805ec656e6afb98f4c1ad5c0db5398f7b85e71a8c2f5bbb49cf838aff67e43255223791e9e86bc6741865e0b572bb5f0937899b

data/Gemfile

@@ -2,12 +2,14 @@ source 'https://rubygems.org'
 
 gemspec
 
+gem 'addressable', '~> 2.4.0'
 gem 'appraisal'
 gem 'ammeter'
 gem 'bundler', '~> 1.3'
 gem 'capybara', '>= 2.6.2'
 gem 'database_cleaner', '~> 1.0'
 gem 'factory_girl_rails', '~> 4.2'
+gem 'nokogiri', '~> 1.6.8'
 gem 'rspec-rails', '~> 3.1'
 gem 'shoulda-matchers', '~> 2.8'
 gem 'sqlite3', '~> 1.3'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (1.15.1)
+    clearance (1.16.0)
       bcrypt
       email_validator (~> 1.4)
       rails (>= 3.1)
@@ -53,9 +53,9 @@ GEM
       bundler
       rake
       thor (>= 0.14.0)
-    arel (6.0.3)
+    arel (6.0.4)
     bcrypt (3.1.11)
-    builder (3.2.2)
+    builder (3.2.3)
     capybara (2.7.1)
       addressable
       mime-types (>= 1.16)
@@ -64,7 +64,7 @@ GEM
       rack-test (>= 0.5.4)
       xpath (~> 2.0)
     coderay (1.1.1)
-    concurrent-ruby (1.0.2)
+    concurrent-ruby (1.0.4)
     database_cleaner (1.5.3)
     diff-lcs (1.2.5)
     email_validator (1.6.0)
@@ -78,7 +78,7 @@ GEM
     globalid (0.3.7)
       activesupport (>= 4.1.0)
     i18n (0.7.0)
-    json (1.8.3)
+    json (1.8.6)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
     mail (2.6.4)
@@ -88,14 +88,14 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2016.0521)
     mini_portile2 (2.1.0)
-    minitest (5.9.1)
+    minitest (5.10.1)
     nokogiri (1.6.8.1)
       mini_portile2 (~> 2.1.0)
     pry (0.10.3)
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.6.4)
+    rack (1.6.5)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.2.7.1)
@@ -111,9 +111,9 @@ GEM
       sprockets-rails
     rails-deprecated_sanitizer (1.0.3)
       activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.7)
+    rails-dom-testing (1.0.8)
       activesupport (>= 4.2.0.beta, < 5.0)
-      nokogiri (~> 1.6.0)
+      nokogiri (~> 1.6)
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.3)
       loofah (~> 2.0)
@@ -122,7 +122,7 @@ GEM
       activesupport (= 4.2.7.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (11.3.0)
+    rake (12.0.0)
     rspec-core (3.4.4)
       rspec-support (~> 3.4.0)
     rspec-expectations (3.4.0)
@@ -143,7 +143,7 @@ GEM
     shoulda-matchers (2.8.0)
       activesupport (>= 3.0.0)
     slop (3.6.0)
-    sprockets (3.7.0)
+    sprockets (3.7.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.0)
@@ -151,7 +151,7 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.11)
-    thor (0.19.1)
+    thor (0.19.4)
     thread_safe (0.3.5)
     timecop (0.8.1)
     tzinfo (1.2.2)
@@ -163,6 +163,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  addressable (~> 2.4.0)
   ammeter
   appraisal
   bundler (~> 1.3)
@@ -170,6 +171,7 @@ DEPENDENCIES
   clearance!
   database_cleaner (~> 1.0)
   factory_girl_rails (~> 4.2)
+  nokogiri (~> 1.6.8)
   pry
   rspec-rails (~> 3.1)
   shoulda-matchers (~> 2.8)

data/NEWS.md

@@ -3,6 +3,19 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [1.16.0] - January 16, 2017
+
+### Security
+- Clearance users can now help prevent [session fixation attacks] by setting
+  `Clearance.configuration.rotate_csrf_on_sign_in` to `true`. This will cause
+  the user's CSRF token to be rotated on sign in and is recommended for all
+  Clearance applications. This setting will default to `true` in Clearance 2.0.
+  Clearance will emit a warning on each sign in until this configuration setting
+  is explicitly set to `true` or `false`.
+
+[session fixation attacks]: https://www.owasp.org/index.php/Session_fixation
+[1.16.0]: https://github.com/thoughtbot/clearance/compare/v1.15.1...v1.16.0
+
 ## [1.15.1] - October 6, 2016
 
 ### Fixed

data/README.md

@@ -58,12 +58,17 @@ Clearance.configure do |config|
   config.mailer_sender = "reply@example.com"
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
+  config.rotate_csrf_on_sign_in = false
   config.secure_cookie = false
   config.sign_in_guards = []
   config.user_model = User
 end
 ```
 
+The install generator will set `rotate_csrf_on_sign_in` to `true`, so new
+installations will get this behavior from the start. This helps avoid session
+fixation attacks, and will become the default in Clearance 2.0.
+
 ## Use
 
 ### Access Control

data/gemfiles/rails32.gemfile

@@ -2,12 +2,14 @@
 
 source "https://rubygems.org"
 
+gem "addressable", "~> 2.4.0"
 gem "appraisal", "~> 1.0"
 gem "ammeter"
 gem "bundler", "~> 1.3"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_girl_rails", "~> 4.2"
+gem "nokogiri", "~> 1.6.8"
 gem "rspec-rails", "~> 3.1"
 gem "shoulda-matchers", "~> 2.8"
 gem "sqlite3", "~> 1.3"

data/gemfiles/rails40.gemfile

@@ -2,12 +2,14 @@
 
 source "https://rubygems.org"
 
+gem "addressable", "~> 2.4.0"
 gem "appraisal"
 gem "ammeter"
 gem "bundler", "~> 1.3"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_girl_rails", "~> 4.2"
+gem "nokogiri", "~> 1.6.8"
 gem "rspec-rails", "~> 3.1"
 gem "shoulda-matchers", "~> 2.8"
 gem "sqlite3", "~> 1.3"

data/gemfiles/rails41.gemfile

@@ -2,12 +2,14 @@
 
 source "https://rubygems.org"
 
+gem "addressable", "~> 2.4.0"
 gem "appraisal"
 gem "ammeter"
 gem "bundler", "~> 1.3"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_girl_rails", "~> 4.2"
+gem "nokogiri", "~> 1.6.8"
 gem "rspec-rails", "~> 3.1"
 gem "shoulda-matchers", "~> 2.8"
 gem "sqlite3", "~> 1.3"

data/gemfiles/rails42.gemfile

@@ -2,12 +2,14 @@
 
 source "https://rubygems.org"
 
+gem "addressable", "~> 2.4.0"
 gem "appraisal"
 gem "ammeter"
 gem "bundler", "~> 1.3"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_girl_rails", "~> 4.2"
+gem "nokogiri", "~> 1.6.8"
 gem "rspec-rails", "~> 3.1"
 gem "shoulda-matchers", "~> 2.8"
 gem "sqlite3", "~> 1.3"

data/gemfiles/rails50.gemfile

@@ -2,12 +2,14 @@
 
 source "https://rubygems.org"
 
+gem "addressable", "~> 2.4.0"
 gem "appraisal"
 gem "ammeter"
 gem "bundler", "~> 1.3"
 gem "capybara", ">= 2.6.2"
 gem "database_cleaner", "~> 1.0"
 gem "factory_girl_rails", "~> 4.2"
+gem "nokogiri", "~> 1.6.8"
 gem "rspec-rails", "~> 3.5.0.beta1"
 gem "shoulda-matchers", "~> 2.8"
 gem "sqlite3", "~> 1.3"

data/lib/clearance/authentication.rb

@@ -62,8 +62,16 @@ module Clearance
     #
     # For an example of how clearance uses this internally, see
     # {SessionsController#create}.
+    #
+    # Signing in will also regenerate the CSRF token for the current session,
+    # provided {Configuration#rotate_csrf_token_on_sign_in} is set.
     def sign_in(user, &block)
-      clearance_session.sign_in user, &block
+      clearance_session.sign_in(user, &block)
+
+      if signed_in? && Clearance.configuration.rotate_csrf_on_sign_in?
+        session.delete(:_csrf_token)
+        form_authenticity_token
+      end
     end
 
     # Destroy the current user's Clearance session.

data/lib/clearance/configuration.rb

@@ -58,6 +58,11 @@ module Clearance
     # @return [String]
     attr_accessor :redirect_url
 
+    # Controls whether Clearance will rotate the CSRF token on sign in.
+    # Defaults to `nil` which generates a warning. Will default to true in
+    # Clearance 2.0.
+    attr_accessor :rotate_csrf_on_sign_in
+
     # Set to `false` to disable Clearance's built-in routes.
     # Defaults to `true`. When set to false, your app is responsible for all
     # routes. You can dump a copy of Clearance's default routes with
@@ -95,6 +100,7 @@ module Clearance
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
       @routes = true
+      @rotate_csrf_on_sign_in = nil
       @secure_cookie = false
       @sign_in_guards = []
     end
@@ -153,6 +159,25 @@ module Clearance
         @user_model = @user_model.to_s.constantize
       end
     end
+
+    def rotate_csrf_on_sign_in?
+      if rotate_csrf_on_sign_in.nil?
+        warn <<-EOM.squish
+          Clearance's `rotate_csrf_on_sign_in` configration setting is unset and
+          will be treated as `false`. Setting this value to `true` is
+          recommended to avoid session fixation attacks and will be the default
+          in Clearance 2.0. It is recommended that you opt-in to this setting
+          now and test your application. To silence this warning, set
+          `rotate_csrf_on_sign_in` to `true` or `false` in Clearance's
+          inializer.
+
+          For more information on session fixation, see:
+            https://www.owasp.org/index.php/Session_fixation
+        EOM
+      end
+
+      rotate_csrf_on_sign_in
+    end
   end
 
   # @return [Clearance::Configuration] Clearance's current configuration

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "1.15.1".freeze
+  VERSION = "1.16.0".freeze
 end

data/lib/generators/clearance/install/templates/clearance.rb

@@ -1,3 +1,4 @@
 Clearance.configure do |config|
   config.mailer_sender = "reply@example.com"
+  config.rotate_csrf_on_sign_in = true
 end

data/spec/clearance/session_spec.rb

@@ -39,8 +39,6 @@ describe Clearance::Session do
 
       expect(headers["Set-Cookie"]).to match(/custom_cookie_name=.+;/)
     end
-
-    after { restore_default_config }
   end
 
   describe '#sign_in' do
@@ -113,7 +111,6 @@ describe Clearance::Session do
         expect(session.current_user).to be_nil
       end
 
-
       def stub_sign_in_guard(options)
         session_status = stub_status(options.fetch(:succeed))
 
@@ -159,8 +156,6 @@ describe Clearance::Session do
 
       expect(headers['Set-Cookie']).to match(/remember_token=.+; HttpOnly/)
     end
-
-    after { restore_default_config }
   end
 
   context 'if httponly is not set' do
@@ -270,8 +265,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/remember_token=.+; secure/)
       end
-
-      after { restore_default_config }
     end
   end
 
@@ -287,8 +280,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
       end
-
-      after { restore_default_config }
     end
 
     context 'when not set' do
@@ -324,8 +315,6 @@ describe Clearance::Session do
 
         expect(headers['Set-Cookie']).to match(/path=\/user; expires/)
       end
-
-      after { restore_default_config }
     end
   end
 
@@ -375,7 +364,5 @@ describe Clearance::Session do
   def with_custom_expiration(custom_duration)
     Clearance.configuration.cookie_expiration = custom_duration
     yield
-  ensure
-    restore_default_config
   end
 end

data/spec/configuration_spec.rb

@@ -1,8 +1,6 @@
 require "spec_helper"
 
 describe Clearance::Configuration do
-  after { restore_default_config }
-
   context "when no user_model_name is specified" do
     it "defaults to User" do
       expect(Clearance.configuration.user_model).to eq ::User
@@ -146,4 +144,30 @@ describe Clearance::Configuration do
       expect(Clearance.configuration.reload_user_model).to be_nil
     end
   end
+
+  describe "#rotate_csrf_on_sign_in?" do
+    it "defaults to falsey and warns" do
+      Clearance.configuration = Clearance::Configuration.new
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be_falsey
+      expect(Clearance.configuration).to have_received(:warn)
+    end
+
+    it "is true and does not warn when `rotate_csrf_on_sign_in` is true" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be true
+      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+
+    it "is false and does not warn when `rotate_csrf_on_sign_in` is false" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = false }
+      allow(Clearance.configuration).to receive(:warn)
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
+      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+  end
 end

data/spec/controllers/passwords_controller_spec.rb

@@ -5,9 +5,7 @@ describe Clearance::PasswordsController do
 
   describe "#new" do
     it "renders the password reset form" do
-      user = create(:user)
-
-      get :new, user_id: user
+      get :new
 
       expect(response).to be_success
       expect(response).to render_template(:new)

data/spec/requests/csrf_rotation_spec.rb

@@ -0,0 +1,33 @@
+require "spec_helper"
+
+describe "CSRF Rotation" do
+  around do |example|
+    ActionController::Base.allow_forgery_protection = true
+    example.run
+    ActionController::Base.allow_forgery_protection = false
+  end
+
+  context "Clearance is configured to rotate CSRF token on sign in" do
+    describe "sign in" do
+      it "rotates the CSRF token" do
+        Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
+        get sign_in_path
+        user = create(:user, password: "password")
+        original_token = csrf_token
+
+        post session_path, session: session_params(user, "password")
+
+        expect(csrf_token).not_to eq original_token
+        expect(csrf_token).to be_present
+      end
+    end
+  end
+
+  def csrf_token
+    session[:_csrf_token]
+  end
+
+  def session_params(user, password)
+    { email: user.email, password: password, authenticity_token: csrf_token }
+  end
+end

data/spec/spec_helper.rb

@@ -27,6 +27,8 @@ RSpec.configure do |config|
     mocks.syntax = :expect
   end
 
+  config.before { restore_default_warning_free_config }
+
   if Rails::VERSION::MAJOR >= 5
     require 'rails-controller-testing'
     config.include Rails::Controller::Testing::TestProcess
@@ -35,7 +37,7 @@ RSpec.configure do |config|
   end
 end
 
-def restore_default_config
+def restore_default_warning_free_config
   Clearance.configuration = nil
-  Clearance.configure {}
+  Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 1.15.1
+  version: 1.16.0
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-06 00:00:00.000000000 Z
+date: 2017-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -213,6 +213,7 @@ files:
 - spec/password_strategies/blowfish_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
 - spec/password_strategies/sha1_spec.rb
+- spec/requests/csrf_rotation_spec.rb
 - spec/routing/clearance_routes_spec.rb
 - spec/spec_helper.rb
 - spec/support/clearance.rb