clearance 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd2d43e71f4cbe272a3a1b19577f453b986a27711e6327c6050d1170c73c09d8
-  data.tar.gz: ba32fcfb82fa0ab33f3764e381a2d2a93484dde956189b5395fa63b759142231
+  metadata.gz: a955d1866bf1879846034e89ca4f5a85cdf4602e67667e1ba93fae12ec5c832e
+  data.tar.gz: 3e2c19f661f4910f0bf6c31a12dfae58b44c4a49283750e07ae28eb33ced6d17
 SHA512:
-  metadata.gz: 89cd499f030c7bb42c044e772eda264a899f382395b15331631dd4e7b148f173ca02b99ff232cf2f6a969ecad3ae284c341fd58f3cbd19ebf23de9f4126ae657
-  data.tar.gz: 51d38e93bdc439337d22c7e675f3ae826991ca40225c81309fcd8b131220b9463f7df4dd1015c72421907dd6989b60592a7d3235bb49969fcbb900a2c354ef89
+  metadata.gz: c8a2870d5567ae747cccbeda37a88fc6f31d5fca6cac57d2d2cbdb7016e22112f413c19a73b8f0edeb390b01ee04efe8da4633b69a2bd629bbfdfd2b6dbbbe5d
+  data.tar.gz: ed611c62911b8ac335ae12fd6af9e4eeaa36b6541451ec2322b29a07820b6eb6d2ce3232262cc75d69697e2530e93746ee0089911e9b7ff39ee9ef64961fbe15

data/.travis.yml

@@ -4,9 +4,9 @@ language:
   - ruby
 
 rvm:
-  - 2.4.6
-  - 2.5.5
-  - 2.6.2
+  - 2.4.9
+  - 2.5.7
+  - 2.6.5
 
 gemfile:
   - gemfiles/rails_5.0.gemfile
@@ -14,9 +14,6 @@ gemfile:
   - gemfiles/rails_5.2.gemfile
   - gemfiles/rails_6.0.gemfile
 
-before_install:
-  - gem update --system
-
 install:
   - "bin/setup"
 
@@ -26,7 +23,5 @@ branches:
 
 matrix:
   exclude:
-    - rvm: 2.4.6
+    - rvm: 2.4.9
       gemfile: gemfiles/rails_6.0.gemfile
-
-sudo: false

data/Appraisals

@@ -12,7 +12,7 @@ rails_versions.each do |version|
 
     if Gem::Version.new(version) >= Gem::Version.new("6.0")
       # TODO - Switch to 4.0 gem once release is made
-      gem 'rspec-rails', '~> 4.0.0.beta2'
+      gem 'rspec-rails', '~> 4.0.0.beta3'
       gem 'sqlite3', '~> 1.4.0'
     else
       gem 'sqlite3', '~> 1.3.13'

data/Gemfile.lock

@@ -1,45 +1,45 @@
 PATH
   remote: .
   specs:
-    clearance (2.0.0)
+    clearance (2.1.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
       bcrypt (>= 3.1.1)
-      email_validator (~> 1.4)
+      email_validator (~> 2.0)
       railties (>= 5.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.1)
-      actionpack (= 6.0.1)
-      actionview (= 6.0.1)
-      activejob (= 6.0.1)
+    actionmailer (6.0.2.1)
+      actionpack (= 6.0.2.1)
+      actionview (= 6.0.2.1)
+      activejob (= 6.0.2.1)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.1)
-      actionview (= 6.0.1)
-      activesupport (= 6.0.1)
-      rack (~> 2.0)
+    actionpack (6.0.2.1)
+      actionview (= 6.0.2.1)
+      activesupport (= 6.0.2.1)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.1)
-      activesupport (= 6.0.1)
+    actionview (6.0.2.1)
+      activesupport (= 6.0.2.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.1)
-      activesupport (= 6.0.1)
+    activejob (6.0.2.1)
+      activesupport (= 6.0.2.1)
       globalid (>= 0.3.6)
-    activemodel (6.0.1)
-      activesupport (= 6.0.1)
-    activerecord (6.0.1)
-      activemodel (= 6.0.1)
-      activesupport (= 6.0.1)
-    activesupport (6.0.1)
+    activemodel (6.0.2.1)
+      activesupport (= 6.0.2.1)
+    activerecord (6.0.2.1)
+      activemodel (= 6.0.2.1)
+      activesupport (= 6.0.2.1)
+    activesupport (6.0.2.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -56,7 +56,7 @@ GEM
       rake
       thor (>= 0.14.0)
     bcrypt (3.1.13)
-    builder (3.2.3)
+    builder (3.2.4)
     capybara (3.29.0)
       addressable
       mini_mime (>= 0.1.3)
@@ -70,7 +70,7 @@ GEM
     crass (1.0.5)
     database_cleaner (1.7.0)
     diff-lcs (1.3)
-    email_validator (1.6.0)
+    email_validator (2.0.1)
       activemodel
     erubi (1.9.0)
     factory_bot (5.1.1)
@@ -82,7 +82,7 @@ GEM
       activesupport (>= 4.2.0)
     i18n (1.7.0)
       concurrent-ruby (~> 1.0)
-    loofah (2.3.1)
+    loofah (2.4.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -91,13 +91,13 @@ GEM
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.13.0)
-    nokogiri (1.10.5)
+    nokogiri (1.10.7)
       mini_portile2 (~> 2.4.0)
     pry (0.12.2)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
     public_suffix (3.1.1)
-    rack (2.0.7)
+    rack (2.0.8)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -105,9 +105,9 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.1)
-      actionpack (= 6.0.1)
-      activesupport (= 6.0.1)
+    railties (6.0.2.1)
+      actionpack (= 6.0.2.1)
+      activesupport (= 6.0.2.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
@@ -132,14 +132,14 @@ GEM
     rspec-support (3.9.0)
     shoulda-matchers (4.1.2)
       activesupport (>= 4.2.0)
-    thor (0.20.3)
+    thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.2.1)
+    zeitwerk (2.2.2)
 
 PLATFORMS
   ruby

data/NEWS.md

@@ -3,6 +3,48 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [2.1.0] - December 19, 2019
+
+### Added
+
+- Add a `parent_controller` configuration option to specify the controller that
+  Clearance's `BaseController` will inherit from. Defaults to a value of
+  `ApplicationController`.
+- Use the configured `primary_key_type` from the Active Record settings of the
+  project including Clearance, if it is set, while generating migrations. For
+  example, a setting of `:uuid` in a Rails app using Clearance will cause the
+  clearance-generated migrations to use this for the `users` table id type.
+
+### Fixed
+
+- Delete cookies correctly when a custom domain setting is being used.
+- Do not set the authorization cookie on requests which did not exercise the
+  authorization code. Reduces the chances of leaving an auth cookie in a
+  publicly cacheable page that didn't require authorization to access.
+
+### Changed
+
+- Update the `email_validator` gem to a newer version embrace the more relaxed
+  email validation options which it now defaults to.
+- When a password reset request is submitted without an email address, a flash
+  alert is now provided. Previously this continued silently as though it had
+  worked. We still proceed that way when there is an invalid (but present)
+  value, so as not to reveal existent vs. non-existent emails in the database.
+
+### Removed
+
+- Remove an unused route to `passwords#create` nested under `users`.
+- No longer include the (rarely used in practice) application layout as part of
+  the views installer; but continue to provide some stock sign-in/out and flash
+  partial code in the gem installation README output.
+
+### Deprecated
+
+- Remove the existing deprecation notice around the `rotate_csrf_on_sign_in`
+  setting, and make that setting default to true.
+
+[2.1.0]: https://github.com/thoughtbot/clearance/compare/v2.0.0...v2.1.0
+
 ## [2.0.0] - November 12, 2019
 
 ### Added

data/README.md

@@ -59,17 +59,14 @@ Clearance.configure do |config|
   config.mailer_sender = "reply@example.com"
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
-  config.rotate_csrf_on_sign_in = false
+  config.rotate_csrf_on_sign_in = true
   config.secure_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
+  config.parent_controller = "ApplicationController"
 end
 ```
 
-The install generator will set `rotate_csrf_on_sign_in` to `true`, so new
-installations will get this behavior from the start. This helps avoid session
-fixation attacks, and will become the default in Clearance 2.0.
-
 ## Use
 
 ### Access Control

data/app/controllers/clearance/base_controller.rb

@@ -1,2 +1,9 @@
-class Clearance::BaseController < ApplicationController
+module Clearance
+  # Top-level base class that all Clearance controllers inherit from.
+  # Inherits from `ApplicationController` by default and can be overridden by
+  # setting a new value with {Configuration#parent_controller=}.
+  # @!parse
+  #   class BaseController < ApplicationController; end
+  class BaseController < Clearance.configuration.parent_controller
+  end
 end

data/app/controllers/clearance/passwords_controller.rb

@@ -2,6 +2,7 @@ require 'active_support/deprecation'
 
 class Clearance::PasswordsController < Clearance::BaseController
   before_action :ensure_existing_user, only: [:edit, :update]
+  before_action :ensure_email_present, only: [:create]
   skip_before_action :require_login, only: [:create, :edit, :new, :update], raise: false
 
   def new
@@ -77,6 +78,13 @@ class Clearance::PasswordsController < Clearance::BaseController
     find_user_by_id_and_confirmation_token
   end
 
+  def ensure_email_present
+    if email_from_password_params.blank?
+      flash_failure_when_missing_email
+      render template: "passwords/new"
+    end
+  end
+
   def ensure_existing_user
     unless find_user_by_id_and_confirmation_token
       flash_failure_when_forbidden
@@ -96,6 +104,12 @@ class Clearance::PasswordsController < Clearance::BaseController
       default: t("flashes.failure_after_update"))
   end
 
+  def flash_failure_when_missing_email
+    flash.now[:alert] = translate(:missing_email,
+      scope: [:clearance, :controllers, :passwords],
+      default: t("flashes.failure_when_missing_email"))
+  end
+
   def url_after_update
     Clearance.configuration.redirect_url
   end

data/clearance.gemspec

@@ -3,7 +3,7 @@ require 'clearance/version'
 
 Gem::Specification.new do |s|
   s.add_dependency 'bcrypt', '>= 3.1.1'
-  s.add_dependency 'email_validator', '~> 1.4'
+  s.add_dependency 'email_validator', '~> 2.0'
   s.add_dependency 'railties', '>= 5.0'
   s.add_dependency 'activemodel', '>= 5.0'
   s.add_dependency 'activerecord', '>= 5.0'
@@ -28,7 +28,13 @@ Gem::Specification.new do |s|
     'Galen Frechette',
     'Josh Steiner'
   ]
-  s.description = 'Rails authentication & authorization with email & password.'
+  s.description = <<-DESCRIPTION
+    Clearance is built to support authentication and authorization via an
+    email/password sign-in mechanism in applications.
+
+    It provides some core classes commonly used for these features, along with
+    some opinionated defaults - but is intended to be easy to override.
+  DESCRIPTION
   s.email = 'support@thoughtbot.com'
   s.extra_rdoc_files = %w(LICENSE README.md)
   s.files = `git ls-files`.split("\n")

data/config/locales/clearance.en.yml

@@ -17,6 +17,7 @@ en:
     failure_when_forbidden: Please double check the URL or try submitting
       the form again.
     failure_when_not_signed_in: Please sign in to continue.
+    failure_when_missing_email: Email can't be blank.
   helpers:
     label:
       password:

data/config/routes.rb

@@ -13,7 +13,7 @@ if Clearance.configuration.routes_enabled?
       only: Clearance.configuration.user_actions do
         resource :password,
           controller: 'clearance/passwords',
-          only: [:create, :edit, :update]
+          only: [:edit, :update]
       end
 
     get '/sign_in' => 'clearance/sessions#new', as: 'sign_in'

data/gemfiles/rails_6.0.gemfile

@@ -14,7 +14,7 @@ gem "shoulda-matchers", "~> 4.1"
 gem "timecop", "~> 0.6"
 gem "railties", "~> 6.0.0"
 gem "rails-controller-testing"
-gem "rspec-rails", "~> 4.0.0.beta2"
+gem "rspec-rails", "~> 4.0.0.beta3"
 gem "sqlite3", "~> 1.4.0"
 
 gemspec path: "../"

data/lib/clearance/authentication.rb

@@ -59,7 +59,7 @@ module Clearance
     # {SessionsController#create}.
     #
     # Signing in will also regenerate the CSRF token for the current session,
-    # provided {Configuration#rotate_csrf_token_on_sign_in} is set.
+    # provided {Configuration#rotate_csrf_on_sign_in?} is set.
     def sign_in(user, &block)
       clearance_session.sign_in(user, &block)
 

data/lib/clearance/configuration.rb

@@ -98,7 +98,12 @@ module Clearance
     # The ActiveRecord class that represents users in your application.
     # Defaults to `::User`.
     # @return [ActiveRecord::Base]
-    attr_accessor :user_model
+    attr_writer :user_model
+
+    # The controller class that all Clearance controllers will inherit from.
+    # Defaults to `::ApplicationController`.
+    # @return [ActionController::Base]
+    attr_writer :parent_controller
 
     # The array of allowed environments where `Clearance::BackDoor` is enabled.
     # Defaults to ["test", "ci", "development"]
@@ -116,16 +121,26 @@ module Clearance
       @same_site = nil
       @mailer_sender = 'reply@example.com'
       @redirect_url = '/'
-      @rotate_csrf_on_sign_in = nil
+      @rotate_csrf_on_sign_in = true
       @routes = true
       @secure_cookie = false
       @sign_in_guards = []
     end
 
+    # The class representing the configured user model.
+    # In the default configuration, this is the `User` class.
+    # @return [Class]
     def user_model
       (@user_model || "User").to_s.constantize
     end
 
+    # The class representing the configured base controller.
+    # In the default configuration, this is the `ApplicationController` class.
+    # @return [Class]
+    def parent_controller
+      (@parent_controller || "ApplicationController").to_s.constantize
+    end
+
     # Is the user sign up route enabled?
     # @return [Boolean]
     def allow_sign_up?
@@ -178,22 +193,7 @@ module Clearance
     end
 
     def rotate_csrf_on_sign_in?
-      if rotate_csrf_on_sign_in.nil?
-        warn <<-EOM.squish
-          Clearance's `rotate_csrf_on_sign_in` configuration setting is unset and
-          will be treated as `false`. Setting this value to `true` is
-          recommended to avoid session fixation attacks and will be the default
-          in Clearance 2.0. It is recommended that you opt-in to this setting
-          now and test your application. To silence this warning, set
-          `rotate_csrf_on_sign_in` to `true` or `false` in Clearance's
-          initializer.
-
-          For more information on session fixation, see:
-            https://www.owasp.org/index.php/Session_fixation
-        EOM
-      end
-
-      rotate_csrf_on_sign_in
+      !!rotate_csrf_on_sign_in
     end
   end
 

data/lib/clearance/rack_session.rb

@@ -21,7 +21,11 @@ module Clearance
       session = Clearance::Session.new(env)
       env[:clearance] = session
       response = @app.call(env)
-      session.add_cookie_to_headers response[1]
+
+      if session.authentication_successful?
+        session.add_cookie_to_headers response[1]
+      end
+
       response
     end
   end

data/lib/clearance/session.rb

@@ -81,7 +81,7 @@ module Clearance
       end
 
       @current_user = nil
-      cookies.delete remember_token_cookie
+      cookies.delete remember_token_cookie, delete_cookie_options
     end
 
     # True if {#current_user} is set.
@@ -98,6 +98,13 @@ module Clearance
       ! signed_in?
     end
 
+    # True if a successful authentication has been performed
+    #
+    # @return [Boolean]
+    def authentication_successful?
+      !!@current_user
+    end
+
     private
 
     # @api private
@@ -164,6 +171,15 @@ module Clearance
       }
     end
 
+    # @api private
+    def delete_cookie_options
+      Hash.new.tap do |options|
+        if configured_cookie_domain
+          options[:domain] = configured_cookie_domain
+        end
+      end
+    end
+
     # @api private
     def domain
       if configured_cookie_domain.respond_to?(:call)

data/lib/clearance/user.rb

@@ -60,7 +60,7 @@ module Clearance
   #   @see PasswordStrategies
   #   @return [void]
   #
-  # @!method authenticated?
+  # @!method authenticated?(password)
   #   Check's the provided password against the user's encrypted password using
   #   the configured password strategy. By default, this will be
   #   {PasswordStrategies::BCrypt#authenticated?}, but can be changed with

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.0.0".freeze
+  VERSION = "2.1.0".freeze
 end

data/lib/generators/clearance/install/install_generator.rb

@@ -122,6 +122,16 @@ module Clearance
         "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
       end
 
+      def migration_primary_key_type_string
+        if configured_key_type
+          ", id: :#{configured_key_type}"
+        end
+      end
+
+      def configured_key_type
+        Rails.configuration.generators.active_record[:primary_key_type]
+      end
+
       def models_inherit_from
         "ApplicationRecord"
       end

data/lib/generators/clearance/install/templates/README

@@ -8,9 +8,11 @@ Next steps:
     # config/environments/{development,test}.rb
     config.action_mailer.default_url_options = { host: 'localhost:3000' }
 
-    In production it should be your app's domain name.
+    In the production environment it should be your application's full hostname.
 
-2. Display user session and flashes. For example, in your application layout:
+2. Display user session status.
+
+    From somewhere in your layout, render sign in and sign out buttons:
 
     <% if signed_in? %>
       Signed in as: <%= current_user.email %>
@@ -19,14 +21,18 @@ Next steps:
       <%= link_to 'Sign in', sign_in_path %>
     <% end %>
 
+3. Render the flash contents.
+
+    Make sure the flash is being rendered in your views using something like:
+
     <div id="flash">
       <% flash.each do |key, value| %>
         <div class="flash <%= key %>"><%= value %></div>
       <% end %>
     </div>
 
-3. Migrate:
+4. Migrate:
 
-    rails db:migrate
+    Run `rails db:migrate` to add the clearance database changes.
 
 *******************************************************************************

data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb

@@ -13,7 +13,7 @@ class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
     users = select_all("SELECT id FROM users WHERE remember_token IS NULL")
 
     users.each do |user|
-      update <<-SQL
+      update <<-SQL.squish
         UPDATE users
         SET remember_token = '#{Clearance::Token.new}'
         WHERE id = '#{user['id']}'

data/lib/generators/clearance/install/templates/db/migrate/create_users.rb.erb

@@ -1,6 +1,6 @@
 class CreateUsers < ActiveRecord::Migration<%= migration_version %>
   def change
-    create_table :users do |t|
+    create_table :users<%= migration_primary_key_type_string %> do |t|
       t.timestamps null: false
       t.string :email, null: false
       t.string :encrypted_password, limit: 128, null: false

data/lib/generators/clearance/routes/templates/routes.rb

@@ -4,7 +4,7 @@
   resources :users, controller: "clearance/users", only: [:create] do
     resource :password,
       controller: "clearance/passwords",
-      only: [:create, :edit, :update]
+      only: [:edit, :update]
   end
 
   get "/sign_in" => "clearance/sessions#new", as: "sign_in"

data/spec/acceptance/clearance_installation_spec.rb

@@ -36,9 +36,6 @@ describe "Clearance Installation" do
        --skip-keeps
        --skip-sprockets
     CMD
-
-    FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
   end
 
   def testapp_templates
@@ -47,7 +44,6 @@ describe "Clearance Installation" do
 
   def configure_test_app
     FileUtils.rm_f("public/index.html")
-    FileUtils.rm_f("app/views/layouts/application.html.erb")
     FileUtils.cp_r(testapp_templates, "..")
   end
 

data/spec/app_templates/app/models/user.rb

@@ -1,4 +1,4 @@
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   def previously_existed?
     true
   end

data/spec/app_templates/testapp/app/views/layouts/application.html.erb

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <%= javascript_include_tag 'application' %>
+    <%= csrf_meta_tag %>
+  </head>
+  <body>
+    <div id="header">
+      <% if signed_in? -%>
+        <%= button_to t(".sign_out"), sign_out_path, method: :delete %>
+      <% else -%>
+        <%= link_to t(".sign_in"), sign_in_path %>
+      <% end -%>
+    </div>
+
+    <div id="flash">
+      <% flash.each do |key, value| -%>
+        <div id="flash_<%= key %>"><%=h value %></div>
+      <% end %>
+    </div>
+
+    <%= yield %>
+  </body>
+</html>

data/spec/clearance/rack_session_spec.rb

@@ -11,6 +11,8 @@ describe Clearance::RackSession do
     env = Rack::MockRequest.env_for('/')
     expected_session = "the session"
     allow(expected_session).to receive(:add_cookie_to_headers)
+    allow(expected_session).to receive(:authentication_successful?).
+      and_return(true)
     allow(Clearance::Session).to receive(:new).
       with(env).
       and_return(expected_session)

data/spec/clearance/session_spec.rb

@@ -340,14 +340,44 @@ describe Clearance::Session do
     expect(headers["Set-Cookie"]).to be nil
   end
 
-  it 'signs out a user' do
-    user = create(:user)
-    old_remember_token = user.remember_token
-    env = env_with_remember_token(old_remember_token)
-    session = Clearance::Session.new(env)
-    session.sign_out
-    expect(session.current_user).to be_nil
-    expect(user.reload.remember_token).not_to eq old_remember_token
+  describe "#sign_out" do
+    it "signs out a user" do
+      user = create(:user)
+      old_remember_token = user.remember_token
+      env = env_with_remember_token(old_remember_token)
+      session = Clearance::Session.new(env)
+      cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+      expect(cookie_jar.deleted?(:remember_token)).to be false
+
+      session.sign_out
+
+      expect(cookie_jar.deleted?(:remember_token)).to be true
+      expect(session.current_user).to be_nil
+      expect(user.reload.remember_token).not_to eq old_remember_token
+    end
+
+    context "with custom cookie domain" do
+      let(:domain) { ".example.com" }
+
+      before do
+        Clearance.configuration.cookie_domain = domain
+      end
+
+      it "clears cookie" do
+        user = create(:user)
+        env = env_with_remember_token(
+          value: user.remember_token,
+          domain: domain,
+        )
+        session = Clearance::Session.new(env)
+        cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be false
+
+        session.sign_out
+
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
+      end
+    end
   end
 
   def env_with_cookies(cookies)

data/spec/configuration_spec.rb

@@ -1,6 +1,8 @@
 require "spec_helper"
 
 describe Clearance::Configuration do
+  let(:config) { Clearance.configuration }
+
   context "when no user_model_name is specified" do
     it "defaults to User" do
       expect(Clearance.configuration.user_model).to eq ::User
@@ -29,6 +31,28 @@ describe Clearance::Configuration do
     end
   end
 
+  context "when no parent_controller is specified" do
+    it "defaults to ApplicationController" do
+      expect(config.parent_controller).to eq ::ApplicationController
+    end
+  end
+
+  context "when a custom parent_controller is specified" do
+    before(:each) do
+      MyController = Class.new
+    end
+
+    after(:each) do
+      Object.send(:remove_const, :MyController)
+    end
+
+    it "is used instead of ApplicationController" do
+      Clearance.configure { |config| config.parent_controller = MyController }
+
+      expect(config.parent_controller).to eq ::MyController
+    end
+  end
+
   context "when secure_cookie is set to true" do
     it "returns true" do
       Clearance.configure { |config| config.secure_cookie = true }
@@ -159,28 +183,22 @@ describe Clearance::Configuration do
   end
 
   describe "#rotate_csrf_on_sign_in?" do
-    it "defaults to falsey and warns" do
-      Clearance.configuration = Clearance::Configuration.new
-      allow(Clearance.configuration).to receive(:warn)
-
-      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be_falsey
-      expect(Clearance.configuration).to have_received(:warn)
-    end
-
-    it "is true and does not warn when `rotate_csrf_on_sign_in` is true" do
+    it "is true when `rotate_csrf_on_sign_in` is set to true" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be true
-      expect(Clearance.configuration).not_to have_received(:warn)
     end
 
-    it "is false and does not warn when `rotate_csrf_on_sign_in` is false" do
+    it "is false when `rotate_csrf_on_sign_in` is set to false" do
       Clearance.configure { |config| config.rotate_csrf_on_sign_in = false }
-      allow(Clearance.configuration).to receive(:warn)
 
       expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
-      expect(Clearance.configuration).not_to have_received(:warn)
+    end
+
+    it "is false when `rotate_csrf_on_sign_in` is set to nil" do
+      Clearance.configure { |config| config.rotate_csrf_on_sign_in = nil }
+
+      expect(Clearance.configuration.rotate_csrf_on_sign_in?).to be false
     end
   end
 end

data/spec/controllers/passwords_controller_spec.rb

@@ -38,12 +38,26 @@ describe Clearance::PasswordsController do
     end
 
     context "email param is missing" do
-      it "does not raise error" do
-        expect do
-          post :create, params: {
-            password: {},
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {},
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
+      end
+    end
+
+    context "email param is blank" do
+      it "displays flash error on new page" do
+        post :create, params: {
+          password: {
+            email: "",
           }
-        end.not_to raise_error
+        }
+
+        expect(flash.now[:alert]).to match(/email can't be blank/i)
+        expect(response).to render_template(:new)
       end
     end
 

data/spec/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,6 @@ class ApplicationController < ActionController::Base
   include Clearance::Controller
 
   def show
-    render html: "", layout: "application"
+    render inline: "Hello user #<%= current_user.id %>", layout: false
   end
 end

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -70,7 +70,30 @@ describe Clearance::Generators::InstallGenerator, :generator do
 
         expect(migration).to exist
         expect(migration).to have_correct_syntax
-        expect(migration).to contain("create_table :users")
+        expect(migration).to contain("create_table :users do")
+      end
+
+      context "active record configured for uuid" do
+        around do |example|
+          preserve_original_primary_key_type_setting do
+            Rails.application.config.generators do |g|
+              g.orm :active_record, primary_key_type: :uuid
+            end
+            example.run
+          end
+        end
+
+        it "creates a migration to create the users table with key type set" do
+          provide_existing_application_controller
+          table_does_not_exist(:users)
+
+          run_generator
+          migration = migration_file("db/migrate/create_users.rb")
+
+          expect(migration).to exist
+          expect(migration).to have_correct_syntax
+          expect(migration).to contain("create_table :users, id: :uuid do")
+        end
       end
     end
 
@@ -123,6 +146,12 @@ describe Clearance::Generators::InstallGenerator, :generator do
       and_return(false)
   end
 
+  def preserve_original_primary_key_type_setting
+    original = Rails.configuration.generators.active_record[:primary_key_type]
+    yield
+    Rails.configuration.generators.active_record[:primary_key_type] = original
+  end
+
   def contain_models_inherit_from
     contain "< #{models_inherit_from}\n"
   end

data/spec/generators/clearance/views/views_generator_spec.rb

@@ -8,7 +8,6 @@ describe Clearance::Generators::ViewsGenerator, :generator do
     views = %w(
       clearance_mailer/change_password.html.erb
       clearance_mailer/change_password.text.erb
-      layouts/application.html.erb
       passwords/create.html.erb
       passwords/edit.html.erb
       passwords/new.html.erb

data/spec/models/user_spec.rb

@@ -5,15 +5,15 @@ describe User do
   it { is_expected.to have_db_index(:remember_token) }
   it { is_expected.to validate_presence_of(:email) }
   it { is_expected.to validate_presence_of(:password) }
+  it { is_expected.to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.to allow_value("foo@.example.com").for(:email) }
+  it { is_expected.to allow_value("foo@example..com").for(:email) }
   it { is_expected.to allow_value("foo@example.co.uk").for(:email) }
   it { is_expected.to allow_value("foo@example.com").for(:email) }
   it { is_expected.to allow_value("foo+bar@example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo@").for(:email) }
-  it { is_expected.not_to allow_value("foo@example..com").for(:email) }
-  it { is_expected.not_to allow_value("foo@.example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo").for(:email) }
   it { is_expected.not_to allow_value("example.com").for(:email) }
-  it { is_expected.not_to allow_value("foo;@example.com").for(:email) }
+  it { is_expected.not_to allow_value("foo").for(:email) }
+  it { is_expected.not_to allow_value("foo@").for(:email) }
 
   describe "#email" do
     it "stores email in down case and removes whitespace" do

data/spec/requests/authentication_cookie_spec.rb

@@ -0,0 +1,55 @@
+require "spec_helper"
+
+class PagesController < ApplicationController
+  include Clearance::Controller
+  before_action :require_login, only: :private
+
+  # A page requiring user authentication
+  def private
+    head :ok
+  end
+
+  # A page that does not require user authentication
+  def public
+    head :ok
+  end
+end
+
+describe "Authentication cookies in the response" do
+  before do
+    draw_test_routes
+    create_user_and_sign_in
+  end
+
+  after do
+    Rails.application.reload_routes!
+  end
+
+  it "are not present if the request does not authenticate" do
+    get public_path
+
+    expect(headers["Set-Cookie"]).to be_nil
+  end
+
+  it "are present if the request does authenticate" do
+    get private_path
+
+    expect(headers["Set-Cookie"]).to match(/remember_token=/)
+  end
+
+  def draw_test_routes
+    Rails.application.routes.draw do
+      get "/private" => "pages#private", as: :private
+      get "/public" => "pages#public", as: :public
+      resource :session, controller: "clearance/sessions", only: [:create]
+    end
+  end
+
+  def create_user_and_sign_in
+    user = create(:user, password: "password")
+
+    post session_path, params: {
+      session: { email: user.email, password: "password" },
+    }
+  end
+end

data/spec/spec_helper.rb

@@ -46,5 +46,4 @@ end
 
 def restore_default_warning_free_config
   Clearance.configuration = nil
-  Clearance.configure { |config| config.rotate_csrf_on_sign_in = true }
 end

data/spec/support/generator_spec_helpers.rb

@@ -18,7 +18,7 @@ module GeneratorSpecHelpers
   end
 
   def provide_existing_user_class
-    copy_to_generator_root("app/models", versionize_template("user.rb"))
+    copy_to_generator_root("app/models", "user.rb")
     allow(File).to receive(:exist?).and_call_original
     allow(File).to receive(:exist?).with("app/models/user.rb").and_return(true)
   end
@@ -32,10 +32,6 @@ module GeneratorSpecHelpers
     FileUtils.mkdir_p(destination)
     FileUtils.cp(template_file, destination)
   end
-
-  def versionize_template(template_file)
-    ["rails5", template_file].join("/")
-  end
 end
 
 RSpec.configure do |config|

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-12 00:00:00.000000000 Z
+date: 2019-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -47,14 +47,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
@@ -111,7 +111,12 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '5.0'
-description: Rails authentication & authorization with email & password.
+description: |2
+      Clearance is built to support authentication and authorization via an
+      email/password sign-in mechanism in applications.
+
+      It provides some core classes commonly used for these features, along with
+      some opinionated defaults - but is intended to be easy to override.
 email: support@thoughtbot.com
 executables: []
 extensions: []
@@ -137,7 +142,6 @@ files:
 - app/mailers/clearance_mailer.rb
 - app/views/clearance_mailer/change_password.html.erb
 - app/views/clearance_mailer/change_password.text.erb
-- app/views/layouts/application.html.erb
 - app/views/passwords/create.html.erb
 - app/views/passwords/edit.html.erb
 - app/views/passwords/new.html.erb
@@ -205,12 +209,12 @@ files:
 - lib/generators/clearance/views/views_generator.rb
 - spec/acceptance/clearance_installation_spec.rb
 - spec/app_templates/app/controllers/application_controller.rb
-- spec/app_templates/app/models/rails5/user.rb
 - spec/app_templates/app/models/user.rb
 - spec/app_templates/config/initializers/clearance.rb
 - spec/app_templates/config/routes.rb
 - spec/app_templates/testapp/Gemfile
 - spec/app_templates/testapp/app/controllers/home_controller.rb
+- spec/app_templates/testapp/app/views/layouts/application.html.erb
 - spec/app_templates/testapp/config/initializers/action_mailer.rb
 - spec/app_templates/testapp/config/routes.rb
 - spec/clearance/back_door_spec.rb
@@ -248,6 +252,7 @@ files:
 - spec/models/user_spec.rb
 - spec/password_strategies/bcrypt_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
+- spec/requests/authentication_cookie_spec.rb
 - spec/requests/cookie_options_spec.rb
 - spec/requests/csrf_rotation_spec.rb
 - spec/requests/password_maintenance_spec.rb

data/app/views/layouts/application.html.erb

@@ -1,23 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-  <%= csrf_meta_tag %>
-</head>
-<body>
-  <div id="header">
-    <% if signed_in? -%>
-      <%= button_to t(".sign_out"), sign_out_path, method: :delete %>
-    <% else -%>
-      <%= link_to t(".sign_in"), sign_in_path %>
-    <% end -%>
-  </div>
-
-  <div id="flash">
-    <% flash.each do |key, value| -%>
-      <div id="flash_<%= key %>"><%=h value %></div>
-    <% end %>
-  </div>
-
-  <%= yield %>
-</body>
-</html>

data/spec/app_templates/app/models/rails5/user.rb

@@ -1,5 +0,0 @@
-class User < ApplicationRecord
-  def previously_existed?
-    true
-  end
-end