clearance 1.16.2 → 1.17.0



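--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: eee44dd7c0385116b9826c9bb14cfddf034a0a9aa46ee2535af2da1f6ee77094
- data.tar.gz: cfe86952de1ec17473707638dfe70858790d0567c7ec5cf90fc486b2da6824b9
+ metadata.gz: 3d2b65ce30d78d380c94d95fc6fa32f1fa4340a145f6e33573ad746f5da4600e
+ data.tar.gz: a8b154b5ccfed1470fcc29155f3f57c676571539f9794c5b9a32ef2b3f4b8a20
  SHA512:
- metadata.gz: d1b61514574a5b9d164aad8bac7b1e33eb00aed80a53362fbfe84b8f8ae8279d4b902c212616571f1f6cd7d1e2133e26edd3b2ff2991d48edeedddac84644e93
- data.tar.gz: 60b43d39aaa046e6962557d83a95199da5190df3114a958a8938e632530c6dd8500b41eb5d026f0210a8c24078e20792cc57e032ebaf08772a54c4750646788a
+ metadata.gz: 7ec8917dc40e39108f0ceb7333d8968d31d2cfa5d902ad1fc533a85fcc98b10d0665bd84484256ff9a3e3114f4c8d27c7bdad24c70cf72c63f6dfc3d151bac2f
+ data.tar.gz: 839701911aea43402b13d2d4ea84f13d904ccf1576a7d9bc913eeac2f48a992a08e57c0859aceb04764afc927425852f18084c0638978937db974449a5f25b4b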
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- clearance (1.16.2)
4
+ clearance (1.17.0)
5
5
  actionmailer (>= 3.1)
6
6
  activemodel (>= 3.1)
7
7
  activerecord (>= 3.1)
@@ -12,35 +12,35 @@ PATH
12
12
  GEM
13
13
  remote: https://rubygems.org/
14
14
  specs:
15
- actionmailer (5.2.2)
16
- actionpack (= 5.2.2)
17
- actionview (= 5.2.2)
18
- activejob (= 5.2.2)
15
+ actionmailer (5.2.3)
16
+ actionpack (= 5.2.3)
17
+ actionview (= 5.2.3)
18
+ activejob (= 5.2.3)
19
19
  mail (~> 2.5, >= 2.5.4)
20
20
  rails-dom-testing (~> 2.0)
21
- actionpack (5.2.2)
22
- actionview (= 5.2.2)
23
- activesupport (= 5.2.2)
21
+ actionpack (5.2.3)
22
+ actionview (= 5.2.3)
23
+ activesupport (= 5.2.3)
24
24
  rack (~> 2.0)
25
25
  rack-test (>= 0.6.3)
26
26
  rails-dom-testing (~> 2.0)
27
27
  rails-html-sanitizer (~> 1.0, >= 1.0.2)
28
- actionview (5.2.2)
29
- activesupport (= 5.2.2)
28
+ actionview (5.2.3)
29
+ activesupport (= 5.2.3)
30
30
  builder (~> 3.1)
31
31
  erubi (~> 1.4)
32
32
  rails-dom-testing (~> 2.0)
33
33
  rails-html-sanitizer (~> 1.0, >= 1.0.3)
34
- activejob (5.2.2)
35
- activesupport (= 5.2.2)
34
+ activejob (5.2.3)
35
+ activesupport (= 5.2.3)
36
36
  globalid (>= 0.3.6)
37
- activemodel (5.2.2)
38
- activesupport (= 5.2.2)
39
- activerecord (5.2.2)
40
- activemodel (= 5.2.2)
41
- activesupport (= 5.2.2)
37
+ activemodel (5.2.3)
38
+ activesupport (= 5.2.3)
39
+ activerecord (5.2.3)
40
+ activemodel (= 5.2.3)
41
+ activesupport (= 5.2.3)
42
42
  arel (>= 9.0)
43
- activesupport (5.2.2)
43
+ activesupport (5.2.3)
44
44
  concurrent-ruby (~> 1.0, >= 1.0.2)
45
45
  i18n (>= 0.7, < 2)
46
46
  minitest (~> 5.1)
@@ -58,7 +58,7 @@ GEM
58
58
  arel (9.0.0)
59
59
  bcrypt (3.1.12)
60
60
  builder (3.2.3)
61
- capybara (3.13.2)
61
+ capybara (3.16.1)
62
62
  addressable
63
63
  mini_mime (>= 0.1.3)
64
64
  nokogiri (~> 1.8)
@@ -67,7 +67,7 @@ GEM
67
67
  regexp_parser (~> 1.2)
68
68
  xpath (~> 3.2)
69
69
  coderay (1.1.2)
70
- concurrent-ruby (1.1.4)
70
+ concurrent-ruby (1.1.5)
71
71
  crass (1.0.4)
72
72
  database_cleaner (1.7.0)
73
73
  diff-lcs (1.3)
@@ -81,7 +81,7 @@ GEM
81
81
  railties (>= 4.2.0)
82
82
  globalid (0.4.2)
83
83
  activesupport (>= 4.2.0)
84
- i18n (1.5.3)
84
+ i18n (1.6.0)
85
85
  concurrent-ruby (~> 1.0)
86
86
  loofah (2.2.3)
87
87
  crass (~> 1.0.2)
@@ -92,13 +92,13 @@ GEM
92
92
  mini_mime (1.0.1)
93
93
  mini_portile2 (2.4.0)
94
94
  minitest (5.11.3)
95
- nokogiri (1.10.1)
95
+ nokogiri (1.10.2)
96
96
  mini_portile2 (~> 2.4.0)
97
97
  pry (0.12.2)
98
98
  coderay (~> 1.1.0)
99
99
  method_source (~> 0.9.0)
100
100
  public_suffix (3.0.3)
101
- rack (2.0.6)
101
+ rack (2.0.7)
102
102
  rack-test (1.1.0)
103
103
  rack (>= 1.0, < 3)
104
104
  rails-dom-testing (2.0.3)
@@ -106,14 +106,14 @@ GEM
106
106
  nokogiri (>= 1.6)
107
107
  rails-html-sanitizer (1.0.4)
108
108
  loofah (~> 2.2, >= 2.2.2)
109
- railties (5.2.2)
110
- actionpack (= 5.2.2)
111
- activesupport (= 5.2.2)
109
+ railties (5.2.3)
110
+ actionpack (= 5.2.3)
111
+ activesupport (= 5.2.3)
112
112
  method_source
113
113
  rake (>= 0.8.7)
114
114
  thor (>= 0.19.0, < 2.0)
115
115
  rake (12.3.2)
116
- regexp_parser (1.3.0)
116
+ regexp_parser (1.4.0)
117
117
  rspec-core (3.8.0)
118
118
  rspec-support (~> 3.8.0)
119
119
  rspec-expectations (3.8.2)
@@ -131,7 +131,7 @@ GEM
131
131
  rspec-mocks (~> 3.8.0)
132
132
  rspec-support (~> 3.8.0)
133
133
  rspec-support (3.8.0)
134
- shoulda-matchers (4.0.0)
134
+ shoulda-matchers (4.0.1)
135
135
  activesupport (>= 4.2.0)
136
136
  sqlite3 (1.3.13)
137
137
  thor (0.20.3)
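--- a/data/NEWS.md
+++ b/data/NEWS.md
@@ -3,6 +3,17 @@
  The noteworthy changes for each Clearance version are included here. For a
  complete changelog, see the git history for each version via the version links.
 
+ ## [1.17.0] - April 11, 2019
+
+ ### Changed
+
+ - Update the `HttpOnly` cookie setting for the remember token to default to
+ true, which prevents the value from being available to JavaScript.
+ - Add configuration option to allow the auth backdoor to work in specified
+ environments (defaults to `test`, `development`, `ci`).
+
+ [1.17.0]: https://github.com/thoughtbot/clearance/compare/v1.16.2...1.17.0
+
  ## [1.16.2] - February 25, 2019
 
  ### Fixed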
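--- a/data/README.md
+++ b/data/README.md
@@ -438,7 +438,7 @@ Thank you, [contributors]!
 
  ## License
 
- Clearance is copyright © 2009-2018 thoughtbot. It is free software, and may be
+ Clearance is copyright © 2009-2019 thoughtbot. It is free software, and may be
  redistributed under the terms specified in the [`LICENSE`] file.
 
  [`LICENSE`]: /LICENSE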
@@ -31,8 +31,8 @@ module Clearance
31
31
  # visit new_feedback_path(as: user)
32
32
  class BackDoor
33
33
  def initialize(app, &block)
34
- unless ENV["RAILS_ENV"] == "test"
35
- raise "Can't use backdoor outside test environment"
34
+ unless environment_is_allowed?
35
+ raise error_message
36
36
  end
37
37
 
38
38
  @app = app
@@ -65,5 +65,27 @@ module Clearance
65
65
  Clearance.configuration.user_model.find(user_param)
66
66
  end
67
67
  end
68
+
69
+ # @api private
70
+ def environment_is_allowed?
71
+ allowed_environments.include? ENV["RAILS_ENV"]
72
+ end
73
+
74
+ # @api private
75
+ def allowed_environments
76
+ Clearance.configuration.allowed_backdoor_environments || []
77
+ end
78
+
79
+ # @api private
80
+ def error_message
81
+ unless allowed_environments.empty?
82
+ <<-EOS.squish
83
+ Can't use auth backdoor outside of
84
+ configured environments (#{allowed_environments.join(", ")}).
85
+ EOS
86
+ else
87
+ "BackDoor auth is disabled."
88
+ end
89
+ end
68
90
  end
69
91
  end
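Review bot: `allowed_environments` hands whatever `Clearance.configuration.allowed_backdoor_environments` holds straight to `include?` in `environment_is_allowed?`, and only `nil` is normalised away; a String value (an easy slip for a setting documented as `Array<String>`) would turn the gate into substring matching via `String#include?`, and Symbol entries would silently never match `ENV["RAILS_ENV"]`. Coercing once, `Array(Clearance.configuration.allowed_backdoor_environments).map(&:to_s)`, keeps the check an exact whole-name comparison and still produces the "disabled" message for `nil` or `[]`. The default now admits `development` and `ci` where 1.16.2 hard-coded `test`, and this check runs once in `initialize` (middleware construction) rather than per request; the class comment partly visible at the top of the first hunk should state both so deployers understand the widened window. The three helpers are tagged `@api private` but defined as public methods; a `private` marker before `environment_is_allowed?` would match the intent.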
@@ -35,8 +35,8 @@ module Clearance
35
35
  # @return [String]
36
36
  attr_accessor :cookie_path
37
37
 
38
- # Controls whether the HttpOnly flag should be set on the remember token
39
- # cookie. Defaults to `false`. If `true`, the cookie will not be made
38
+ # Controls whether the HttpOnly flag should be set on the remember token
39
+ # cookie. Defaults to `true`, which prevents the cookie from being made
40
40
  # available to JavaScript. For more see
41
41
  # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.6).
42
42
  # @return [Boolean]
@@ -90,17 +90,23 @@ module Clearance
90
90
  # @return [ActiveRecord::Base]
91
91
  attr_accessor :user_model
92
92
 
93
+ # The array of allowed environments where `Clearance::BackDoor` is enabled.
94
+ # Defaults to ["test", "ci", "development"]
95
+ # @return [Array<String>]
96
+ attr_accessor :allowed_backdoor_environments
97
+
93
98
  def initialize
94
99
  @allow_sign_up = true
95
- @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
100
+ @allowed_backdoor_environments = ["test", "ci", "development"]
96
101
  @cookie_domain = nil
97
- @cookie_path = '/'
102
+ @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
98
103
  @cookie_name = "remember_token"
99
- @httponly = false
104
+ @cookie_path = '/'
105
+ @httponly = true
100
106
  @mailer_sender = 'reply@example.com'
101
107
  @redirect_url = '/'
102
- @routes = true
103
108
  @rotate_csrf_on_sign_in = nil
109
+ @routes = true
104
110
  @secure_cookie = false
105
111
  @sign_in_guards = []
106
112
  end
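Review bot: The new `allowed_backdoor_environments` comment gives the default but not the two behaviours a deployer needs: the entries are compared verbatim against `ENV["RAILS_ENV"]` (plain strings, exact names), and setting the option to `nil` or `[]` disables `Clearance::BackDoor` entirely. I would extend it with `# Compared exactly against ENV["RAILS_ENV"]; nil or [] disables the backdoor.` Separately, now that `@httponly` defaults to `true`, the adjacent unchanged `@secure_cookie = false` is the remaining weak cookie default—presumably it controls the Secure flag, in which case the remember token is still sent over plain HTTP unless it is set—so the `httponly` comment or NEWS should point readers at `secure_cookie` rather than let them assume this release hardens the cookie fully. The `Configuration` class starts before the first hunk of this section.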
@@ -1,3 +1,3 @@
1
1
  module Clearance
2
- VERSION = "1.16.2".freeze
2
+ VERSION = "1.17.0".freeze
3
3
  end
@@ -41,10 +41,45 @@ describe Clearance::BackDoor do
41
41
  expect(result).to eq mock_app.call(env)
42
42
  end
43
43
 
44
- it "can't be used outside the test environment" do
44
+ it "can't be used outside the allowed environments" do
45
45
  with_environment("RAILS_ENV" => "production") do
46
46
  expect { Clearance::BackDoor.new(mock_app) }.
47
- to raise_exception "Can't use backdoor outside test environment"
47
+ to raise_exception "Can't use auth backdoor outside of configured \
48
+ environments (test, ci, development).".squish
49
+ end
50
+ end
51
+
52
+ context "when the environments are disabled" do
53
+ before do
54
+ Clearance.configuration.allowed_backdoor_environments = nil
55
+ end
56
+
57
+ it "raises an error for a default allowed env" do
58
+ with_environment("RAILS_ENV" => "test") do
59
+ expect { Clearance::BackDoor.new(mock_app) }.
60
+ to raise_exception "BackDoor auth is disabled."
61
+ end
62
+ end
63
+ end
64
+
65
+ context "when the environments are not defaults" do
66
+ before do
67
+ Clearance.configuration.allowed_backdoor_environments = ['demo']
68
+ end
69
+
70
+ it "can be used with configured allowed environments" do
71
+ with_environment("RAILS_ENV" => "demo") do
72
+ user_id = "123"
73
+ user = double("user")
74
+ allow(User).to receive(:find).with(user_id).and_return(user)
75
+ env = env_for_user_id(user_id)
76
+ back_door = Clearance::BackDoor.new(mock_app)
77
+
78
+ result = back_door.call(env)
79
+
80
+ expect(env[:clearance]).to have_received(:sign_in).with(user)
81
+ expect(result).to eq mock_app.call(env)
82
+ end
48
83
  end
49
84
  end
50
85
 
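Review bot: The two new contexts assign `Clearance.configuration.allowed_backdoor_environments` in `before` blocks but never restore it; unless a global reset of `Clearance.configuration` exists outside this file, the `nil` and `['demo']` values can leak into later examples and make the default-environment assertions at the top of this spec order-dependent. No example covers `RAILS_ENV` being unset, which is the fail-closed case `include?(nil)` gives; if `with_environment` accepts it, `with_environment("RAILS_ENV" => nil) { expect { Clearance::BackDoor.new(mock_app) }.to raise_exception(/outside of configured environments/) }` would pin that. The first example's expectation is `.squish`-ed at the call site to match `error_message` exactly, which couples the test to wording rather than behaviour; matching on the environments list with a regex would be less brittle. The enclosing `describe Clearance::BackDoor` block starts before this hunk.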
@@ -147,7 +147,6 @@ describe Clearance::Session do
147
147
 
148
148
  context 'if httponly is set' do
149
149
  before do
150
- Clearance.configuration.httponly = true
151
150
  session.sign_in(user)
152
151
  end
153
152
 
@@ -160,6 +159,7 @@ describe Clearance::Session do
160
159
 
161
160
  context 'if httponly is not set' do
162
161
  before do
162
+ Clearance.configuration.httponly = false
163
163
  session.sign_in(user)
164
164
  end
165
165
 
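Review bot: The `'if httponly is set'` context now relies on the configuration default instead of stating it, so it stops testing what its name says if another example or a later default change alters `Clearance.configuration.httponly`; keeping an explicit `Clearance.configuration.httponly = true` in its `before`, mirroring the `= false` added to the sibling context, keeps both examples self-describing and order-independent. The release's actual change, the default itself, is then best covered by its own assertion, `expect(Clearance::Configuration.new.httponly).to be true`. The enclosing `describe Clearance::Session` block starts before these hunks.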
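--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: clearance
  version: !ruby/object:Gem::Version
- version: 1.16.2
+ version: 1.17.0
  platform: ruby
  authors:
  - Dan Croak
@@ -25,7 +25,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2019-02-25 00:00:00.000000000 Z
+ date: 2019-04-11 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bcrypt
@@ -290,8 +290,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubyforge_project:
- rubygems_version: 2.7.6
+ rubygems_version: 3.0.3
  signing_key:
  specification_version: 4
  summary: Rails authentication & authorization with email & password.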