RubyGems - clearance - Versions diffs - 2.1.0 → 2.2.0 - Mend

clearance 2.1.0 → 2.2.0

Potentially problematic release.

This version of clearance might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/.travis.yml +1 -0
data/Gemfile.lock +67 -59
data/NEWS.md +16 -0
data/README.md +1 -1
data/app/controllers/clearance/passwords_controller.rb +1 -1
data/clearance.gemspec +1 -0
data/lib/clearance/password_strategies.rb +5 -4
data/lib/clearance/password_strategies/argon2.rb +23 -0
data/lib/clearance/user.rb +2 -2
data/lib/clearance/version.rb +1 -1
data/spec/password_strategies/argon2_spec.rb +79 -0
metadata +28 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a955d1866bf1879846034e89ca4f5a85cdf4602e67667e1ba93fae12ec5c832e
-  data.tar.gz: 3e2c19f661f4910f0bf6c31a12dfae58b44c4a49283750e07ae28eb33ced6d17
+  metadata.gz: 1a6869cfdd76b965d10f6809fe4ad1639a57d242de11fd4a414ac017c515c94c
+  data.tar.gz: 759e38cd4bd2525c5f35ab53c1f994317d13f3e449248b2fdec521808b398346
 SHA512:
-  metadata.gz: c8a2870d5567ae747cccbeda37a88fc6f31d5fca6cac57d2d2cbdb7016e22112f413c19a73b8f0edeb390b01ee04efe8da4633b69a2bd629bbfdfd2b6dbbbe5d
-  data.tar.gz: ed611c62911b8ac335ae12fd6af9e4eeaa36b6541451ec2322b29a07820b6eb6d2ce3232262cc75d69697e2530e93746ee0089911e9b7ff39ee9ef64961fbe15
+  metadata.gz: fb078764b744a5763476b7e0098196b9cbafe21043943591e6a0deeeeee291fb3b745cdd3ce666f4fdce031dcf5602f3d7fab42424658c726f0da3a82bfecccd
+  data.tar.gz: 43108490f1763fbb0a46edfde7c13dbe09af98e29998345868e96b0d7d49e02ec9788a1147c78301563e8a26ae2b659200dd2864b9ff798ca8fba99833a1bf84

data/.travis.yml CHANGED

@@ -7,6 +7,7 @@ rvm:
   - 2.4.9
   - 2.5.7
   - 2.6.5
+  - 2.7.0
 gemfile:
   - gemfiles/rails_5.0.gemfile

data/Gemfile.lock CHANGED

@@ -1,10 +1,11 @@
 PATH
   remote: .
   specs:
-    clearance (2.1.0)
+    clearance (2.2.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
+      argon2 (~> 2.0, >= 2.0.2)
       bcrypt (>= 3.1.1)
       email_validator (~> 2.0)
       railties (>= 5.0)
@@ -12,52 +13,55 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.2.1)
-      actionpack (= 6.0.2.1)
-      actionview (= 6.0.2.1)
-      activejob (= 6.0.2.1)
+    actionmailer (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      actionview (= 6.0.3.2)
+      activejob (= 6.0.3.2)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.2.1)
-      actionview (= 6.0.2.1)
-      activesupport (= 6.0.2.1)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.2.1)
-      activesupport (= 6.0.2.1)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.2.1)
-      activesupport (= 6.0.2.1)
+    activejob (6.0.3.2)
+      activesupport (= 6.0.3.2)
       globalid (>= 0.3.6)
-    activemodel (6.0.2.1)
-      activesupport (= 6.0.2.1)
-    activerecord (6.0.2.1)
-      activemodel (= 6.0.2.1)
-      activesupport (= 6.0.2.1)
-    activesupport (6.0.2.1)
+    activemodel (6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activerecord (6.0.3.2)
+      activemodel (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.2)
+      zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.6.0)
       public_suffix (>= 2.0.2, < 4.0)
     ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
       rspec-rails (>= 2.2)
-    appraisal (2.2.0)
+    appraisal (2.3.0)
       bundler
       rake
       thor (>= 0.14.0)
+    argon2 (2.0.2)
+      ffi (~> 1.9)
+      ffi-compiler (>= 0.1)
     bcrypt (3.1.13)
     builder (3.2.4)
-    capybara (3.29.0)
+    capybara (3.33.0)
       addressable
       mini_mime (>= 0.1.3)
       nokogiri (~> 1.8)
@@ -65,39 +69,43 @@ GEM
       rack-test (>= 0.6.3)
       regexp_parser (~> 1.5)
       xpath (~> 3.2)
-    coderay (1.1.2)
-    concurrent-ruby (1.1.5)
-    crass (1.0.5)
-    database_cleaner (1.7.0)
-    diff-lcs (1.3)
+    coderay (1.1.3)
+    concurrent-ruby (1.1.6)
+    crass (1.0.6)
+    database_cleaner (1.8.5)
+    diff-lcs (1.4.4)
     email_validator (2.0.1)
       activemodel
     erubi (1.9.0)
-    factory_bot (5.1.1)
+    factory_bot (5.2.0)
       activesupport (>= 4.2.0)
-    factory_bot_rails (5.1.1)
-      factory_bot (~> 5.1.0)
+    factory_bot_rails (5.2.0)
+      factory_bot (~> 5.2.0)
       railties (>= 4.2.0)
+    ffi (1.13.1)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.7.0)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    loofah (2.4.0)
+    loofah (2.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
-    method_source (0.9.2)
+    method_source (1.0.0)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.13.0)
-    nokogiri (1.10.7)
+    minitest (5.14.1)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    pry (0.12.2)
-      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
     public_suffix (3.1.1)
-    rack (2.0.8)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -105,41 +113,41 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.2.1)
-      actionpack (= 6.0.2.1)
-      activesupport (= 6.0.2.1)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
     rake (13.0.1)
-    regexp_parser (1.6.0)
-    rspec-core (3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-expectations (3.9.0)
+    regexp_parser (1.7.1)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-mocks (3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.9.0)
-    rspec-rails (3.9.0)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 3.9.0)
-      rspec-expectations (~> 3.9.0)
-      rspec-mocks (~> 3.9.0)
-      rspec-support (~> 3.9.0)
-    rspec-support (3.9.0)
-    shoulda-matchers (4.1.2)
+    rspec-rails (4.0.1)
+      actionpack (>= 4.2)
+      activesupport (>= 4.2)
+      railties (>= 4.2)
+      rspec-core (~> 3.9)
+      rspec-expectations (~> 3.9)
+      rspec-mocks (~> 3.9)
+      rspec-support (~> 3.9)
+    rspec-support (3.9.3)
+    shoulda-matchers (4.3.0)
       activesupport (>= 4.2.0)
     thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.2.2)
+    zeitwerk (2.3.1)
 PLATFORMS
   ruby
@@ -158,4 +166,4 @@ DEPENDENCIES
   timecop (~> 0.6)
 BUNDLED WITH
-   1.17.3
+   2.1.2

data/NEWS.md CHANGED

@@ -3,6 +3,22 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
+## [2.2.0] - July 9, 2020
+### Added
+- Add an Argon2 password strategy
+### Fixed
+- Use strings instead of classes on guard classes, avoids Rails deprecation
+  warning.
+- Use `find_by` style for finders, improves neo4j support
+- Provide explicit case sensitivity option for email uniqueness, avoid Rails
+  deprecation warning.
+[2.2.0]: https://github.com/thoughtbot/clearance/compare/v2.1.0...v2.2.0
 ## [2.1.0] - December 19, 2019
 ### Added

data/README.md CHANGED

@@ -333,7 +333,7 @@ Here's an example custom guard to handle email confirmation:
 ```ruby
 Clearance.configure do |config|
-  config.sign_in_guards = [EmailConfirmationGuard]
+  config.sign_in_guards = ["EmailConfirmationGuard"]
 end
 ```

data/app/controllers/clearance/passwords_controller.rb CHANGED

@@ -58,7 +58,7 @@ class Clearance::PasswordsController < Clearance::BaseController
     token = params[:token] || session[:password_reset_token]
     Clearance.configuration.user_model.
-      find_by_id_and_confirmation_token params[user_param], token.to_s
+      find_by(id: params[user_param], confirmation_token: token.to_s)
   end
   def email_from_password_params

data/clearance.gemspec CHANGED

@@ -3,6 +3,7 @@ require 'clearance/version'
 Gem::Specification.new do |s|
   s.add_dependency 'bcrypt', '>= 3.1.1'
+  s.add_dependency 'argon2', '~> 2.0', '>= 2.0.2'
   s.add_dependency 'email_validator', '~> 2.0'
   s.add_dependency 'railties', '>= 5.0'
   s.add_dependency 'activemodel', '>= 5.0'

data/lib/clearance/password_strategies.rb CHANGED

@@ -13,10 +13,11 @@ module Clearance
   # `password=(new_password)`. For an example of how to implement these methods,
   # see {Clearance::PasswordStrategies::BCrypt}.
   module PasswordStrategies
-    autoload :BCrypt, 'clearance/password_strategies/bcrypt'
+    autoload :BCrypt, "clearance/password_strategies/bcrypt"
+    autoload :Argon2, "clearance/password_strategies/argon2"
     autoload :BCryptMigrationFromSHA1,
-      'clearance/password_strategies/bcrypt_migration_from_sha1'
-    autoload :Blowfish, 'clearance/password_strategies/blowfish'
-    autoload :SHA1, 'clearance/password_strategies/sha1'
+             "clearance/password_strategies/bcrypt_migration_from_sha1"
+    autoload :Blowfish, "clearance/password_strategies/blowfish"
+    autoload :SHA1, "clearance/password_strategies/sha1"
   end
 end

data/lib/clearance/password_strategies/argon2.rb ADDED

@@ -0,0 +1,23 @@
+module Clearance
+  module PasswordStrategies
+    # Uses Argon2 to authenticate users and store encrypted passwords.
+    module Argon2
+      require "argon2"
+      def authenticated?(password)
+        if encrypted_password.present?
+          ::Argon2::Password.verify_password(password, encrypted_password)
+        end
+      end
+      def password=(new_password)
+        @password = new_password
+        if new_password.present?
+          self.encrypted_password = ::Argon2::Password.new.create(new_password)
+        end
+      end
+    end
+  end
+end

data/lib/clearance/user.rb CHANGED

@@ -121,7 +121,7 @@ module Clearance
       end
       def find_by_normalized_email(email)
-        find_by_email normalize_email(email)
+        find_by(email: normalize_email(email))
       end
       def normalize_email(email)
@@ -143,7 +143,7 @@ module Clearance
         validates :email,
           email: { strict_mode: true },
           presence: true,
-          uniqueness: { allow_blank: true },
+          uniqueness: { allow_blank: true, case_sensitive: false },
           unless: :email_optional?
         validates :password, presence: true, unless: :skip_password_validation?

data/lib/clearance/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.1.0".freeze
+  VERSION = "2.2.0".freeze
 end

data/spec/password_strategies/argon2_spec.rb ADDED

@@ -0,0 +1,79 @@
+require "spec_helper"
+describe Clearance::PasswordStrategies::Argon2 do
+  include FakeModelWithPasswordStrategy
+  describe "#password=" do
+    it "encrypts the password into encrypted_password" do
+      stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      model_instance.password = password
+      expect(model_instance.encrypted_password).to eq encrypted_password
+    end
+    it "encrypts with Argon2 using default cost in non test environments" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      allow(Rails).to receive(:env).
+        and_return(ActiveSupport::StringInquirer.new("production"))
+      model_instance.password = password
+      expect(hasher).to have_received(:create).with(password)
+    end
+    it "encrypts with Argon2 using minimum cost in test environment" do
+      hasher = stub_argon2_password
+      model_instance = fake_model_with_argon2_strategy
+      model_instance.password = password
+      expect(hasher).to have_received(:create).with(password)
+    end
+    def stub_argon2_password
+      hasher = double(Argon2::Password)
+      allow(hasher).to receive(:create).and_return(encrypted_password)
+      allow(Argon2::Password).to receive(:new).and_return(hasher)
+      hasher
+    end
+    def encrypted_password
+      @encrypted_password ||= double("encrypted password")
+    end
+  end
+  describe "#authenticated?" do
+    context "given a password" do
+      it "is authenticated with Argon2" do
+        model_instance = fake_model_with_argon2_strategy
+        model_instance.password = password
+        expect(model_instance).to be_authenticated(password)
+      end
+    end
+    context "given no password" do
+      it "is not authenticated" do
+        model_instance = fake_model_with_argon2_strategy
+        password = nil
+        expect(model_instance).not_to be_authenticated(password)
+      end
+    end
+  end
+  def fake_model_with_argon2_strategy
+    @fake_model_with_argon2_strategy ||= fake_model_with_password_strategy(
+      Clearance::PasswordStrategies::Argon2,
+    )
+  end
+  def password
+    "password"
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Dan Croak
@@ -22,10 +22,10 @@ authors:
 - Jason Morrison
 - Galen Frechette
 - Josh Steiner
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-19 00:00:00.000000000 Z
+date: 2020-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -41,6 +41,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
+- !ruby/object:Gem::Dependency
+  name: argon2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.2
 - !ruby/object:Gem::Dependency
   name: email_validator
   requirement: !ruby/object:Gem::Requirement
@@ -174,6 +194,7 @@ files:
 - lib/clearance/default_sign_in_guard.rb
 - lib/clearance/engine.rb
 - lib/clearance/password_strategies.rb
+- lib/clearance/password_strategies/argon2.rb
 - lib/clearance/password_strategies/bcrypt.rb
 - lib/clearance/rack_session.rb
 - lib/clearance/rspec.rb
@@ -250,6 +271,7 @@ files:
 - spec/helpers/helper_helpers_spec.rb
 - spec/mailers/clearance_mailer_spec.rb
 - spec/models/user_spec.rb
+- spec/password_strategies/argon2_spec.rb
 - spec/password_strategies/bcrypt_spec.rb
 - spec/password_strategies/password_strategies_spec.rb
 - spec/requests/authentication_cookie_spec.rb
@@ -270,7 +292,7 @@ homepage: https://github.com/thoughtbot/clearance
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options:
 - "--charset=UTF-8"
 require_paths:
@@ -286,8 +308,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.
 test_files: []