clearance 2.2.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 54c7e8cc7022fa2b109ce9834c1b27752a4b84b4acbe2f65728ecc66119ad8a1
-  data.tar.gz: d7ee7f5c36b5feeb71799e791c283ca9644984cd5eb0cdcbefdd3882f9c726ba
+  metadata.gz: 777ea26a3647f9d843995457a9fc073036fe60c7e3119c97a063345fbe85a7df
+  data.tar.gz: c57adcad1e84434b6ffc9dc6e4af275d14b1c4844736536ecf32ee00180f4429
 SHA512:
-  metadata.gz: 754bdef335e4cfdc4239cf96f923847ee4330053eae153a69e19be7fa91d96641e1b8465d223d2c88858758c14eab9485147a95dbe792bed23a690b54e07cbd1
-  data.tar.gz: eb2c85479b87c42ee2f5e1824a07b55b8a72104fd690d01262182257bedfec12d33ade009acd9b01320a9ca1d26a1a8b5a511585a5e45f607a695cac23d5fd9f
+  metadata.gz: fb8a5c80c163df705026f5ebbfde61ed51475abe3ce24681dce56bbdb4394b37cf491e4ec8aecf33c00d4cc11f1a8826afd45c49a3465864d825da5b651d8e64
+  data.tar.gz: 3f24bdba4f83baf3a62ec80457a62e4d8dccec82f1f5b2f37d4b9514badffde150dc2b85b6e207a91a875264a85e679da49a9fb38e22c898bcfb1d200f537161

data/.erb-lint.yml

@@ -0,0 +1,5 @@
+---
+EnableDefaultLinters: true
+linters:
+  ErbSafety:
+    enabled: true

data/Appraisals

@@ -1,23 +1,18 @@
-rails_versions = %w(
-  5.0
-  5.1
-  5.2
-  6.0
-)
+appraise "rails_5.0" do
+  gem "railties", "~> 5.0"
+  gem 'rspec-rails', '~> 3.1'
+  gem 'capybara', '>= 2.6.2', '< 3.33.0'
+  gem 'sqlite3', '~> 1.3.13'
+end
 
-rails_versions.each do |version|
-  appraise "rails_#{version}" do
-    gem "railties", "~> #{version}.0"
-    gem "rails-controller-testing"
+appraise "rails_5.1" do
+  gem "railties", "~> 5.1"
+end
 
-    if Gem::Version.new(version) >= Gem::Version.new("6.0")
-      # TODO - Switch to 4.0 gem once release is made
-      gem 'rspec-rails', '~> 4.0.0.beta3'
-      gem 'sqlite3', '~> 1.4.0'
-    else
-      gem 'sqlite3', '~> 1.3.13'
-      gem 'rspec-rails', '~> 3.1'
-    end
+appraise "rails_5.2" do
+  gem "railties", "~> 5.2"
+end
 
-  end
+appraise "rails_6.0" do
+  gem "railties", "~> 6.0"
 end

data/Gemfile

@@ -2,13 +2,17 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'addressable', '~> 2.6.0'
+gem 'addressable'
 gem 'ammeter'
 gem 'appraisal'
-gem 'capybara', '>= 2.6.2'
-gem 'database_cleaner', '~> 1.0'
-gem 'factory_bot_rails', '~> 5.0'
-gem 'nokogiri', '~> 1.10.0'
+gem 'capybara'
+gem 'database_cleaner'
+gem 'erb_lint', require: false
+gem 'factory_bot_rails'
+gem 'nokogiri'
 gem 'pry', require: false
-gem 'shoulda-matchers', '~> 4.1'
-gem 'timecop', '~> 0.6'
+gem 'rails-controller-testing'
+gem 'rspec-rails'
+gem 'shoulda-matchers'
+gem 'sqlite3'
+gem 'timecop'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (2.2.1)
+    clearance (2.3.0)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
@@ -46,8 +46,8 @@ GEM
       minitest (~> 5.1)
       tzinfo (~> 1.1)
       zeitwerk (~> 2.2, >= 2.2.2)
-    addressable (2.6.0)
-      public_suffix (>= 2.0.2, < 4.0)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
     ammeter (1.1.4)
       activesupport (>= 3.0)
       railties (>= 3.0)
@@ -59,7 +59,16 @@ GEM
     argon2 (2.0.2)
       ffi (~> 1.9)
       ffi-compiler (>= 0.1)
-    bcrypt (3.1.13)
+    ast (2.4.1)
+    bcrypt (3.1.15)
+    better_html (1.0.15)
+      actionview (>= 4.0)
+      activesupport (>= 4.0)
+      ast (~> 2.0)
+      erubi (~> 1.4)
+      html_tokenizer (~> 0.0.6)
+      parser (>= 2.4)
+      smart_properties
     builder (3.2.4)
     capybara (3.33.0)
       addressable
@@ -76,19 +85,27 @@ GEM
     diff-lcs (1.4.4)
     email_validator (2.0.1)
       activemodel
+    erb_lint (0.0.34)
+      activesupport
+      better_html (~> 1.0.7)
+      html_tokenizer
+      rainbow
+      rubocop (~> 0.79)
+      smart_properties
     erubi (1.9.0)
-    factory_bot (5.2.0)
-      activesupport (>= 4.2.0)
-    factory_bot_rails (5.2.0)
-      factory_bot (~> 5.2.0)
-      railties (>= 4.2.0)
+    factory_bot (6.1.0)
+      activesupport (>= 5.0.0)
+    factory_bot_rails (6.1.0)
+      factory_bot (~> 6.1.0)
+      railties (>= 5.0.0)
     ffi (1.13.1)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
-    i18n (1.8.3)
+    html_tokenizer (0.0.7)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
     loofah (2.6.0)
       crass (~> 1.0.2)
@@ -101,13 +118,20 @@ GEM
     minitest (5.14.1)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
+    parallel (1.19.2)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (3.1.1)
+    public_suffix (4.0.5)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
+    rails-controller-testing (1.0.5)
+      actionpack (>= 5.0.1.rc1)
+      actionview (>= 5.0.1.rc1)
+      activesupport (>= 5.0.1.rc1)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
@@ -119,8 +143,10 @@ GEM
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
+    rainbow (3.0.0)
     rake (13.0.1)
     regexp_parser (1.7.1)
+    rexml (3.2.4)
     rspec-core (3.9.2)
       rspec-support (~> 3.9.3)
     rspec-expectations (3.9.2)
@@ -138,32 +164,51 @@ GEM
       rspec-mocks (~> 3.9)
       rspec-support (~> 3.9)
     rspec-support (3.9.3)
+    rubocop (0.88.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
+      rexml
+      rubocop-ast (>= 0.1.0, < 1.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
+    ruby-progressbar (1.10.1)
     shoulda-matchers (4.3.0)
       activesupport (>= 4.2.0)
+    smart_properties (1.15.0)
+    sqlite3 (1.4.2)
     thor (1.0.1)
     thread_safe (0.3.6)
     timecop (0.9.1)
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
+    unicode-display_width (1.7.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.3.1)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  addressable (~> 2.6.0)
+  addressable
   ammeter
   appraisal
-  capybara (>= 2.6.2)
+  capybara
   clearance!
-  database_cleaner (~> 1.0)
-  factory_bot_rails (~> 5.0)
-  nokogiri (~> 1.10.0)
+  database_cleaner
+  erb_lint
+  factory_bot_rails
+  nokogiri
   pry
-  shoulda-matchers (~> 4.1)
-  timecop (~> 0.6)
+  rails-controller-testing
+  rspec-rails
+  shoulda-matchers
+  sqlite3
+  timecop
 
 BUNDLED WITH
-   2.1.2
+   2.1.4

data/NEWS.md

@@ -3,6 +3,22 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [2.3.0] - August 14, 2020
+
+### Fixed
+
+- Delete cookie correctly when a callable object is set as the custom domain
+  setting.
+- Strip `as` parameter when signing in through the back door.
+- Remove broken autoload for deprecated password strategies.
+
+### Changed
+
+- Deliver password reset email inline rather than in the background.
+- Remove unnecessary unsafe interpolation in erb templates.
+
+[2.3.0]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.3.0
+
 ## [2.2.1] - August 7, 2020
 
 ### Fixed

data/README.md

@@ -60,6 +60,7 @@ Clearance.configure do |config|
   config.password_strategy = Clearance::PasswordStrategies::BCrypt
   config.redirect_url = "/"
   config.rotate_csrf_on_sign_in = true
+  config.same_site = nil
   config.secure_cookie = false
   config.sign_in_guards = []
   config.user_model = "User"
@@ -285,24 +286,6 @@ and `password` attributes. Over-riding the `email_optional?` or
 `skip_password_validation?` methods to return `true` will disable those
 validations from being added.
 
-### Deliver Email in Background Job
-
-Clearance has a password reset mailer. If you are using Rails 4.2 and Clearance
-1.6 or greater, Clearance will use ActiveJob's `deliver_later` method to
-automatically take advantage of your configured queue.
-
-If you are using an earlier version of Rails, you can override the
-`Clearance::Passwords` controller and define the behavior you need in the
-`deliver_email` method.
-
-```ruby
-class PasswordsController < Clearance::PasswordsController
-  def deliver_email(user)
-    ClearanceMailer.delay.change_password(user)
-  end
-end
-```
-
 ## Extending Sign In
 
 By default, Clearance will sign in any user with valid credentials. If you need

data/RELEASING.md

@@ -0,0 +1,25 @@
+# Releasing
+
+1. Update version file accordingly.
+1. Run `bundle install` to update Gemfile.lock
+1. Update `NEWS.md` to reflect the changes since last release.
+1. Commit changes.
+   There shouldn't be code changes,
+   and thus CI doesn't need to run,
+   you can then add "[ci skip]" to the commit message.
+1. Push the new commit
+1. Tag the release: `git tag -s vVERSION`
+    - We recommend the [_quick guide on how to sign a commit_] from GitHub.
+1. Push changes: `git push --tags`
+1. Build and publish:
+    ```bash
+    gem build clearance.gemspec
+    gem push clearance-*.gem
+    ```
+1. Add a new GitHub release using the recent `NEWS.md` as the content. Sample
+   URL: https://github.com/thoughtbot/clearance/releases/new?tag=vVERSION
+1. Announce the new release,
+   making sure to say "thank you" to the contributors
+   who helped shape this version!
+
+[_quick guide on how to sign a commit_]: https://docs.github.com/en/github/authenticating-to-github/signing-commits

data/Rakefile

@@ -22,5 +22,10 @@ RSpec::Core::RakeTask.new("spec:acceptance") do |task|
   task.verbose = false
 end
 
+desc "Lint ERB templates"
+task :erb_lint do
+  sh("bundle", "exec", "erblint", "app/views/**/*.erb")
+end
+
 desc "Run the specs and acceptance tests"
-task default: %w(spec spec:acceptance)
+task default: %w(spec spec:acceptance erb_lint)

data/app/controllers/clearance/passwords_controller.rb

@@ -45,8 +45,7 @@ class Clearance::PasswordsController < Clearance::BaseController
   private
 
   def deliver_email(user)
-    mail = ::ClearanceMailer.change_password(user)
-    mail.deliver_later
+    ::ClearanceMailer.change_password(user).deliver_now
   end
 
   def password_from_password_reset_params

data/app/views/clearance_mailer/change_password.html.erb

@@ -2,7 +2,7 @@
 
 <p>
   <%= link_to t(".link_text", default: "Change my password"),
-    edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+    edit_user_password_url(@user, token: @user.confirmation_token) %>
 </p>
 
-<p><%= raw t(".closing") %></p>
+<p><%= t(".closing") %></p>

data/app/views/clearance_mailer/change_password.text.erb

@@ -1,5 +1,5 @@
 <%= t(".opening") %>
 
-<%= edit_user_password_url(@user, token: @user.confirmation_token.html_safe) %>
+<%= edit_user_password_url(@user, token: @user.confirmation_token) %>
 
-<%= raw t(".closing") %>
+<%= t(".closing") %>

data/gemfiles/rails_5.0.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara", ">= 2.6.2", "< 3.33.0"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.0.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
 gem "rspec-rails", "~> 3.1"
+gem "shoulda-matchers"
+gem "sqlite3", "~> 1.3.13"
+gem "timecop"
+gem "railties", "~> 5.0"
 
 gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.1.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
-gem "rspec-rails", "~> 3.1"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 5.1"
 
 gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 5.2.0"
 gem "rails-controller-testing"
-gem "sqlite3", "~> 1.3.13"
-gem "rspec-rails", "~> 3.1"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 5.2"
 
 gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -2,19 +2,20 @@
 
 source "https://rubygems.org"
 
-gem "addressable", "~> 2.6.0"
+gem "addressable"
 gem "ammeter"
 gem "appraisal"
-gem "capybara", ">= 2.6.2"
-gem "database_cleaner", "~> 1.0"
-gem "factory_bot_rails", "~> 5.0"
-gem "nokogiri", "~> 1.10.0"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
 gem "pry", require: false
-gem "shoulda-matchers", "~> 4.1"
-gem "timecop", "~> 0.6"
-gem "railties", "~> 6.0.0"
 gem "rails-controller-testing"
-gem "rspec-rails", "~> 4.0.0.beta3"
-gem "sqlite3", "~> 1.4.0"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 6.0"
 
 gemspec path: "../"

data/lib/clearance/back_door.rb

@@ -49,7 +49,8 @@ module Clearance
     # @api private
     def sign_in_through_the_back_door(env)
       params = Rack::Utils.parse_query(env["QUERY_STRING"])
-      user_param = params["as"]
+      user_param = params.delete("as")
+      env["QUERY_STRING"] = Rack::Utils.build_query(params)
 
       if user_param.present?
         user = find_user(user_param)

data/lib/clearance/password_strategies.rb

@@ -15,9 +15,5 @@ module Clearance
   module PasswordStrategies
     autoload :BCrypt, "clearance/password_strategies/bcrypt"
     autoload :Argon2, "clearance/password_strategies/argon2"
-    autoload :BCryptMigrationFromSHA1,
-             "clearance/password_strategies/bcrypt_migration_from_sha1"
-    autoload :Blowfish, "clearance/password_strategies/blowfish"
-    autoload :SHA1, "clearance/password_strategies/sha1"
   end
 end

data/lib/clearance/session.rb

@@ -175,7 +175,7 @@ module Clearance
     def delete_cookie_options
       Hash.new.tap do |options|
         if configured_cookie_domain
-          options[:domain] = configured_cookie_domain
+          options[:domain] = domain
         end
       end
     end

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.2.1".freeze
+  VERSION = "2.3.0".freeze
 end

data/spec/clearance/back_door_spec.rb

@@ -46,6 +46,18 @@ describe Clearance::BackDoor do
     end
   end
 
+  it "strips 'as' from the params" do
+    user_id = "123"
+    user = double("user")
+    allow(User).to receive(:find).with(user_id).and_return(user)
+    env = build_env(as: user_id, foo: :bar)
+    back_door = Clearance::BackDoor.new(mock_app)
+
+    back_door.call(env)
+
+    expect(env["QUERY_STRING"]).to eq("foo=bar")
+  end
+
   context "when the environments are disabled" do
     before do
       Clearance.configuration.allowed_backdoor_environments = nil
@@ -84,14 +96,18 @@ describe Clearance::BackDoor do
     env_for_user_id("")
   end
 
-  def env_for_user_id(user_id)
+  def build_env(params)
+    query = Rack::Utils.build_query(params)
     clearance = double("clearance", sign_in: true)
-    Rack::MockRequest.env_for("/?as=#{user_id}").merge(clearance: clearance)
+    Rack::MockRequest.env_for("/?#{query}").merge(clearance: clearance)
+  end
+
+  def env_for_user_id(user_id)
+    build_env(as: user_id)
   end
 
   def env_for_username(username)
-    clearance = double("clearance", sign_in: true)
-    Rack::MockRequest.env_for("/?as=#{username}").merge(clearance: clearance)
+    build_env(as: username)
   end
 
   def mock_app

data/spec/clearance/session_spec.rb

@@ -378,6 +378,25 @@ describe Clearance::Session do
         expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
       end
     end
+
+    context 'with callable cookie domain' do
+      it 'clears cookie' do
+        domain = '.example.com'
+        Clearance.configuration.cookie_domain = ->(_) { domain }
+        user = create(:user)
+        env = env_with_remember_token(
+          value: user.remember_token,
+          domain: domain
+        )
+        session = Clearance::Session.new(env)
+        cookie_jar = ActionDispatch::Request.new(env).cookie_jar
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be false
+
+        session.sign_out
+
+        expect(cookie_jar.deleted?(:remember_token, domain: domain)).to be true
+      end
+    end
   end
 
   def env_with_cookies(cookies)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.3.0
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-07 00:00:00.000000000 Z
+date: 2020-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -144,6 +144,7 @@ extra_rdoc_files:
 - LICENSE
 - README.md
 files:
+- ".erb-lint.yml"
 - ".gitignore"
 - ".travis.yml"
 - ".yardopts"
@@ -154,6 +155,7 @@ files:
 - LICENSE
 - NEWS.md
 - README.md
+- RELEASING.md
 - Rakefile
 - app/controllers/clearance/base_controller.rb
 - app/controllers/clearance/passwords_controller.rb
@@ -308,7 +310,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: Rails authentication & authorization with email & password.