clearance 2.0.0.beta2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6c7eb11d597ee18d41e6655e608bb82c9e774baa30e0e4f05dbcd7cc99c553e5
-  data.tar.gz: c221f519c1191b0d8487d302db40a3c69724e6a59df5b67efd9bbaffbf2f10cf
+  metadata.gz: fd2d43e71f4cbe272a3a1b19577f453b986a27711e6327c6050d1170c73c09d8
+  data.tar.gz: ba32fcfb82fa0ab33f3764e381a2d2a93484dde956189b5395fa63b759142231
 SHA512:
-  metadata.gz: 586d54d09d31cbdae4caf13a1aa3920559806feb92701e6e9bb73d5dcf9001790c5e73e7d0f4af9a9e2e5b4cf72ae7865e1b7013bbe8ab18235353842449ca9c
-  data.tar.gz: 2df91d418506ba30981dec2b0139074f543193e389b1b00a79163a61c48de714ce1b480a215e98e1c13a95076d09dc271ce7f4bdb34539c822d83fc2f46d61e2
+  metadata.gz: 89cd499f030c7bb42c044e772eda264a899f382395b15331631dd4e7b148f173ca02b99ff232cf2f6a969ecad3ae284c341fd58f3cbd19ebf23de9f4126ae657
+  data.tar.gz: 51d38e93bdc439337d22c7e675f3ae826991ca40225c81309fcd8b131220b9463f7df4dd1015c72421907dd6989b60592a7d3235bb49969fcbb900a2c354ef89

data/Gemfile.lock

@@ -1,50 +1,50 @@
 PATH
   remote: .
   specs:
-    clearance (2.0.0.beta2)
+    clearance (2.0.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
-      bcrypt
+      bcrypt (>= 3.1.1)
       email_validator (~> 1.4)
       railties (>= 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.0)
-      actionpack (= 6.0.0)
-      actionview (= 6.0.0)
-      activejob (= 6.0.0)
+    actionmailer (6.0.1)
+      actionpack (= 6.0.1)
+      actionview (= 6.0.1)
+      activejob (= 6.0.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0)
-      actionview (= 6.0.0)
-      activesupport (= 6.0.0)
+    actionpack (6.0.1)
+      actionview (= 6.0.1)
+      activesupport (= 6.0.1)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.0)
-      activesupport (= 6.0.0)
+    actionview (6.0.1)
+      activesupport (= 6.0.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.0)
-      activesupport (= 6.0.0)
+    activejob (6.0.1)
+      activesupport (= 6.0.1)
       globalid (>= 0.3.6)
-    activemodel (6.0.0)
-      activesupport (= 6.0.0)
-    activerecord (6.0.0)
-      activemodel (= 6.0.0)
-      activesupport (= 6.0.0)
-    activesupport (6.0.0)
+    activemodel (6.0.1)
+      activesupport (= 6.0.1)
+    activerecord (6.0.1)
+      activemodel (= 6.0.1)
+      activesupport (= 6.0.1)
+    activesupport (6.0.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
+      zeitwerk (~> 2.2)
     addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
     ammeter (1.1.4)
@@ -67,22 +67,22 @@ GEM
       xpath (~> 3.2)
     coderay (1.1.2)
     concurrent-ruby (1.1.5)
-    crass (1.0.4)
+    crass (1.0.5)
     database_cleaner (1.7.0)
     diff-lcs (1.3)
     email_validator (1.6.0)
       activemodel
-    erubi (1.8.0)
-    factory_bot (5.0.2)
+    erubi (1.9.0)
+    factory_bot (5.1.1)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.0.2)
-      factory_bot (~> 5.0.2)
+    factory_bot_rails (5.1.1)
+      factory_bot (~> 5.1.0)
       railties (>= 4.2.0)
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.6.0)
+    i18n (1.7.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.2.3)
+    loofah (2.3.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -90,8 +90,8 @@ GEM
     method_source (0.9.2)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
-    nokogiri (1.10.4)
+    minitest (5.13.0)
+    nokogiri (1.10.5)
       mini_portile2 (~> 2.4.0)
     pry (0.12.2)
       coderay (~> 1.1.0)
@@ -103,33 +103,33 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0)
-      actionpack (= 6.0.0)
-      activesupport (= 6.0.0)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.1)
+      actionpack (= 6.0.1)
+      activesupport (= 6.0.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.3)
+    rake (13.0.1)
     regexp_parser (1.6.0)
-    rspec-core (3.8.2)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.4)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.1)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.0)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.2)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
     shoulda-matchers (4.1.2)
       activesupport (>= 4.2.0)
     thor (0.20.3)
@@ -139,7 +139,7 @@ GEM
       thread_safe (~> 0.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.1.10)
+    zeitwerk (2.2.1)
 
 PLATFORMS
   ruby

data/NEWS.md

@@ -3,15 +3,19 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
-## [2.0.0.beta2] - September 17, 2019
+## [2.0.0] - November 12, 2019
 
 ### Added
 
 - Add support for Rails version 6
 - Allow `cookie_domain` to be configured with a lambda for custom configuration
+- Add ability to configure BCrypt computational cost of hash calculation.
+- Add `same_site` configuration option for increased CSRF protection.
 
 ### Fixed
 
+- Fix issue where invalid params could raise `NoMethodError` when updating and
+  resetting passwords.
 - The backdoor auth mechanism now supports scenarios where `Rails.env` has been
   configured via env variables other than `RAILS_ENV` (`RACK_ENV` for example).
 
@@ -19,15 +23,6 @@ complete changelog, see the git history for each version via the version links.
 
 - Removed support for Ruby versions older than 2.4
 - Removed support for Rails versions older than 5.0
-
-[2.0.0.beta2]: https://github.com/thoughtbot/clearance/compare/v2.0.0.beta1...v2.0.0.beta2
-
-## [2.0.0.beta1] - April 12, 2019
-
-### Removed
-
-- Removed support for Ruby versions older than 2.3
-- Removed support for Rails versions older than 4.2
 - Removed all deprecated code from Clearance 1.x
 
 ### Changed
@@ -35,7 +30,7 @@ complete changelog, see the git history for each version via the version links.
 - Flash messages now use `flash[:alert]` rather than `flash[:notice]` as they
   were used as errors more often than notices.
 
-[2.0.0.beta1]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0.beta1
+[2.0.0]: https://github.com/thoughtbot/clearance/compare/v1.17.0...v2.0.0
 
 ## [1.17.0] - April 11, 2019
 

data/README.md

@@ -19,7 +19,7 @@ monitored by contributors.
 
 ## Getting Started
 
-Clearance is a Rails engine tested against Rails `>= 3.2` and Ruby `>= 1.9.3`.
+Clearance is a Rails engine tested against Rails `>= 5.0` and Ruby `>= 2.4.0`.
 
 You can add it to your Gemfile with:
 
@@ -281,6 +281,13 @@ for access to additional, user-contributed translations.
 See [lib/clearance/user.rb](/lib/clearance/user.rb) for the default behavior.
 You can override those methods as needed.
 
+Note that there are some model-level validations (see above link for detail)
+which the `Clearance::User` module will add to the configured model class and
+which may conflict with or duplicate already present validations on the `email`
+and `password` attributes. Over-riding the `email_optional?` or
+`skip_password_validation?` methods to return `true` will disable those
+validations from being added.
+
 ### Deliver Email in Background Job
 
 Clearance has a password reset mailer. If you are using Rails 4.2 and Clearance

data/app/controllers/clearance/passwords_controller.rb

@@ -31,7 +31,7 @@ class Clearance::PasswordsController < Clearance::BaseController
   def update
     @user = find_user_for_update
 
-    if @user.update_password password_reset_params
+    if @user.update_password(password_from_password_reset_params)
       sign_in @user
       redirect_to url_after_update
       session[:password_reset_token] = nil
@@ -48,8 +48,8 @@ class Clearance::PasswordsController < Clearance::BaseController
     mail.deliver_later
   end
 
-  def password_reset_params
-    params[:password_reset][:password]
+  def password_from_password_reset_params
+    params.dig(:password_reset, :password)
   end
 
   def find_user_by_id_and_confirmation_token
@@ -60,9 +60,13 @@ class Clearance::PasswordsController < Clearance::BaseController
       find_by_id_and_confirmation_token params[user_param], token.to_s
   end
 
+  def email_from_password_params
+    params.dig(:password, :email)
+  end
+
   def find_user_for_create
     Clearance.configuration.user_model.
-      find_by_normalized_email params[:password][:email]
+      find_by_normalized_email(email_from_password_params)
   end
 
   def find_user_for_edit

data/clearance.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.push File.expand_path('../lib', __FILE__)
 require 'clearance/version'
 
 Gem::Specification.new do |s|
-  s.add_dependency 'bcrypt'
+  s.add_dependency 'bcrypt', '>= 3.1.1'
   s.add_dependency 'email_validator', '~> 1.4'
   s.add_dependency 'railties', '>= 5.0'
   s.add_dependency 'activemodel', '>= 5.0'

data/lib/clearance/configuration.rb

@@ -42,6 +42,16 @@ module Clearance
     # @return [Boolean]
     attr_accessor :httponly
 
+    # Same-site cookies ("First-Party-Only" or "First-Party") allow servers to
+    # mitigate the risk of CSRF and information leakage attacks by asserting
+    # that a particular cookie should only be sent with requests initiated from
+    # the same registrable domain.
+    # Defaults to `nil`. For more, see
+    # [RFC6265](https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-4.1.1).
+    # and https://github.com/rack/rack/blob/6eda04886e3a57918ca2d6a482fda02a678fef0a/lib/rack/utils.rb#L232-L244
+    # @return [String]
+    attr_accessor :same_site
+
     # Controls the address the password reset email is sent from.
     # Defaults to reply@example.com.
     # @return [String]
@@ -103,6 +113,7 @@ module Clearance
       @cookie_name = "remember_token"
       @cookie_path = '/'
       @httponly = true
+      @same_site = nil
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
       @rotate_csrf_on_sign_in = nil

data/lib/clearance/password_strategies/bcrypt.rb

@@ -2,10 +2,14 @@ module Clearance
   module PasswordStrategies
     # Uses BCrypt to authenticate users and store encrypted passwords.
     #
-    # The BCrypt cost (the measure of how many key expansion iterations BCrypt
-    # will perform) is automatically set to the minimum allowed value when
-    # Rails is operating in the test environment and the default cost in all
-    # other envionments. This provides a speed boost in tests.
+    # BCrypt has a `cost` argument which determines how computationally
+    # expensive the hash is to calculate. The higher the cost, the harder it is
+    # for attackers to crack passwords even if they posess a database dump of
+    # the encrypted passwords. Clearance uses the `bcrypt-ruby` default cost
+    # except in the test environment, where it uses the minimum cost value for
+    # speed. If you wish to increase the cost over the default, you can do so
+    # by setting a higher cost in an initializer:
+    # `BCrypt::Engine.cost = 12`
     module BCrypt
       require 'bcrypt'
 
@@ -19,18 +23,20 @@ module Clearance
         @password = new_password
 
         if new_password.present?
-          cost = if defined?(::Rails) && ::Rails.env.test?
-                   ::BCrypt::Engine::MIN_COST
-                 else
-                   ::BCrypt::Engine::DEFAULT_COST
-                 end
-
           self.encrypted_password = ::BCrypt::Password.create(
             new_password,
-            cost: cost,
+            cost: configured_bcrypt_cost,
           )
         end
       end
+
+      def configured_bcrypt_cost
+        if defined?(::Rails) && ::Rails.env.test?
+          ::BCrypt::Engine::MIN_COST
+        else
+          ::BCrypt::Engine.cost
+        end
+      end
     end
   end
 end

data/lib/clearance/session.rb

@@ -147,7 +147,7 @@ module Clearance
       guards = Clearance.configuration.sign_in_guards
 
       guards.inject(default_guard) do |stack, guard_class|
-        guard_class.new(self, stack)
+        guard_class.to_s.constantize.new(self, stack)
       end
     end
 
@@ -157,6 +157,7 @@ module Clearance
         domain: domain,
         expires: remember_token_expires,
         httponly: Clearance.configuration.httponly,
+        same_site: Clearance.configuration.same_site,
         path: Clearance.configuration.cookie_path,
         secure: Clearance.configuration.secure_cookie,
         value: remember_token,

data/lib/clearance/testing/deny_access_matcher.rb

@@ -78,12 +78,8 @@ module Clearance
           @controller.request.env[:clearance]
         end
 
-        def flash_alert
-          @controller.flash[:alert]
-        end
-
         def flash_alert_value
-          flash_alert.values.first
+          @controller.flash[:alert]
         end
 
         def redirects_to_url?

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.0.0.beta2".freeze
+  VERSION = "2.0.0".freeze
 end

data/spec/clearance/session_spec.rb

@@ -129,6 +129,12 @@ describe Clearance::Session do
 
       def stub_guard_class(guard)
         double("guard_class").tap do |guard_class|
+          allow(guard_class).to receive(:to_s).
+            and_return(guard_class)
+
+          allow(guard_class).to receive(:constantize).
+            and_return(guard_class)
+
           allow(guard_class).to receive(:new).
             with(session, stub_default_sign_in_guard).
             and_return(guard)
@@ -170,6 +176,31 @@ describe Clearance::Session do
     end
   end
 
+  context "if same_site is set" do
+    before do
+      Clearance.configuration.same_site = :lax
+      session.sign_in(user)
+    end
+
+    it "sets a same-site cookie" do
+      session.add_cookie_to_headers(headers)
+
+      expect(headers["Set-Cookie"]).to match(/remember_token=.+; SameSite/)
+    end
+  end
+
+  context "if same_site is not set" do
+    before do
+      session.sign_in(user)
+    end
+
+    it "sets a standard cookie" do
+      session.add_cookie_to_headers(headers)
+
+      expect(headers["Set-Cookie"]).to_not match(/remember_token=.+; SameSite/)
+    end
+  end
+
   describe 'remember token cookie expiration' do
     context 'default configuration' do
       it 'is set to 1 year from now' do

data/spec/clearance/testing/deny_access_matcher_spec.rb

@@ -0,0 +1,32 @@
+require "spec_helper"
+
+class PretendFriendsController < ActionController::Base
+  include Clearance::Controller
+  before_action :require_login
+
+  def index
+  end
+end
+
+describe PretendFriendsController, type: :controller do
+  before do
+    Rails.application.routes.draw do
+      resources :pretend_friends, only: :index
+      get "/sign_in"  => "clearance/sessions#new", as: "sign_in"
+    end
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "checks contents of deny access flash" do
+    get :index
+
+    expect(subject).to deny_access(flash: failure_message)
+  end
+
+  def failure_message
+    I18n.t("flashes.failure_when_not_signed_in")
+  end
+end

data/spec/controllers/passwords_controller_spec.rb

@@ -37,6 +37,16 @@ describe Clearance::PasswordsController do
       end
     end
 
+    context "email param is missing" do
+      it "does not raise error" do
+        expect do
+          post :create, params: {
+            password: {},
+          }
+        end.not_to raise_error
+      end
+    end
+
     context "email does not belong to an existing user" do
       it "does not deliver an email" do
         ActionMailer::Base.deliveries.clear
@@ -166,6 +176,18 @@ describe Clearance::PasswordsController do
         expect(user.confirmation_token).to be_present
       end
 
+      it "does not raise NoMethodError from incomplete password_reset params" do
+        user = create(:user, :with_forgotten_password)
+
+        expect do
+          put :update, params: {
+            user_id: user,
+            token: user.confirmation_token,
+            password_reset: {},
+          }
+        end.not_to raise_error
+      end
+
       it "re-renders the password edit form" do
         user = create(:user, :with_forgotten_password)
 

data/spec/password_strategies/bcrypt_spec.rb

@@ -22,10 +22,23 @@ describe Clearance::PasswordStrategies::BCrypt do
 
       expect(BCrypt::Password).to have_received(:create).with(
         password,
-        cost: ::BCrypt::Engine::DEFAULT_COST
+        cost: ::BCrypt::Engine::DEFAULT_COST,
       )
     end
 
+    it "uses an explicity configured BCrypt cost" do
+      stub_bcrypt_cost(8)
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(8)
+    end
+
+    it "uses the default BCrypt cost value implicitly" do
+      bcrypt_password = BCrypt::Password.create(password, cost: nil)
+
+      expect(bcrypt_password.cost).to eq(BCrypt::Engine::DEFAULT_COST)
+    end
+
     it "encrypts with BCrypt using minimum cost in test environment" do
       stub_bcrypt_password
       model_instance = fake_model_with_bcrypt_strategy
@@ -42,6 +55,10 @@ describe Clearance::PasswordStrategies::BCrypt do
       allow(BCrypt::Password).to receive(:create).and_return(encrypted_password)
     end
 
+    def stub_bcrypt_cost(cost)
+      allow(BCrypt::Engine).to receive(:cost).and_return(cost)
+    end
+
     def encrypted_password
       @encrypted_password ||= double("encrypted password")
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.0.0.beta2
+  version: 2.0.0
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-17 00:00:00.000000000 Z
+date: 2019-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -33,14 +33,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: email_validator
   requirement: !ruby/object:Gem::Requirement
@@ -222,6 +222,7 @@ files:
 - spec/clearance/session_spec.rb
 - spec/clearance/sign_in_guard_spec.rb
 - spec/clearance/testing/controller_helpers_spec.rb
+- spec/clearance/testing/deny_access_matcher_spec.rb
 - spec/clearance/testing/view_helpers_spec.rb
 - spec/clearance/token_spec.rb
 - spec/configuration_spec.rb
@@ -276,9 +277,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.0.3
 signing_key: