clearance 2.3.0 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 777ea26a3647f9d843995457a9fc073036fe60c7e3119c97a063345fbe85a7df
-  data.tar.gz: c57adcad1e84434b6ffc9dc6e4af275d14b1c4844736536ecf32ee00180f4429
+  metadata.gz: 73e524b6026ced3c81ba4f5755fcc40190b5ca08e058d4297780600dc09dfa9a
+  data.tar.gz: 5c8fe49a083f5bddf070ed33eed1c78b5154d5da2c4f6bb3b52f5709c3db7875
 SHA512:
-  metadata.gz: fb8a5c80c163df705026f5ebbfde61ed51475abe3ce24681dce56bbdb4394b37cf491e4ec8aecf33c00d4cc11f1a8826afd45c49a3465864d825da5b651d8e64
-  data.tar.gz: 3f24bdba4f83baf3a62ec80457a62e4d8dccec82f1f5b2f37d4b9514badffde150dc2b85b6e207a91a875264a85e679da49a9fb38e22c898bcfb1d200f537161
+  metadata.gz: b8f2689813bcd73ed5d8cd9f5783f3659dbf001f924af4c595c2a5470ad5d1b9d9f57126117626204f0cec9e13b989d757e4baa33e077bc7b6cfde394d6a2f3d
+  data.tar.gz: ac38abe61a29243c8e253954accad74c8ada5532876b53483ce4991b745124c265674a6df908814a78b3ef4d467e8abd27e9355332e9162bfd25865f8b7bea2b

data/.github/workflows/tests.yml

@@ -0,0 +1,52 @@
+name: CI Tests
+
+on:
+  push:
+    branches: "master"
+  pull_request:
+    branches: "*"
+
+jobs:
+  test:
+    name: "Ruby ${{ matrix.ruby }}, Rails ${{ matrix.gemfile }}"
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        gemfile:
+          - "5.0"
+          - "5.1"
+          - "5.2"
+          - "6.0"
+          - "6.1"
+        ruby:
+          - "2.4.9"
+          - "2.5.7"
+          - "2.6.5"
+          - "2.7.2"
+        exclude:
+          - gemfile: "6.0"
+            ruby: "2.4.9"
+          - gemfile: "6.1"
+            ruby: "2.4.9"
+
+    env:
+      BUNDLE_GEMFILE: gemfiles/rails_${{ matrix.gemfile }}.gemfile
+      RAILS_ENV: test
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: "Install Ruby ${{ matrix.ruby  }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: "Reset app database"
+        run: bundle exec rake dummy:db:reset
+
+      - name: "Run tests"
+        run: bundle exec rake

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    clearance (2.3.0)
+    clearance (2.3.1)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
@@ -13,39 +13,40 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (6.0.3.2)
-      actionpack (= 6.0.3.2)
-      actionview (= 6.0.3.2)
-      activejob (= 6.0.3.2)
+    actionmailer (6.1.3)
+      actionpack (= 6.1.3)
+      actionview (= 6.1.3)
+      activejob (= 6.1.3)
+      activesupport (= 6.1.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.3.2)
-      actionview (= 6.0.3.2)
-      activesupport (= 6.0.3.2)
-      rack (~> 2.0, >= 2.0.8)
+    actionpack (6.1.3)
+      actionview (= 6.1.3)
+      activesupport (= 6.1.3)
+      rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.3.2)
-      activesupport (= 6.0.3.2)
+    actionview (6.1.3)
+      activesupport (= 6.1.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3.2)
-      activesupport (= 6.0.3.2)
+    activejob (6.1.3)
+      activesupport (= 6.1.3)
       globalid (>= 0.3.6)
-    activemodel (6.0.3.2)
-      activesupport (= 6.0.3.2)
-    activerecord (6.0.3.2)
-      activemodel (= 6.0.3.2)
-      activesupport (= 6.0.3.2)
-    activesupport (6.0.3.2)
+    activemodel (6.1.3)
+      activesupport (= 6.1.3)
+    activerecord (6.1.3)
+      activemodel (= 6.1.3)
+      activesupport (= 6.1.3)
+    activesupport (6.1.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     ammeter (1.1.4)
@@ -56,12 +57,12 @@ GEM
       bundler
       rake
       thor (>= 0.14.0)
-    argon2 (2.0.2)
-      ffi (~> 1.9)
-      ffi-compiler (>= 0.1)
-    ast (2.4.1)
-    bcrypt (3.1.15)
-    better_html (1.0.15)
+    argon2 (2.0.3)
+      ffi (~> 1.14)
+      ffi-compiler (~> 1.0)
+    ast (2.4.2)
+    bcrypt (3.1.16)
+    better_html (1.0.16)
       actionview (>= 4.0)
       activesupport (>= 4.0)
       ast (~> 2.0)
@@ -79,11 +80,11 @@ GEM
       regexp_parser (~> 1.5)
       xpath (~> 3.2)
     coderay (1.1.3)
-    concurrent-ruby (1.1.6)
+    concurrent-ruby (1.1.8)
     crass (1.0.6)
     database_cleaner (1.8.5)
     diff-lcs (1.4.4)
-    email_validator (2.0.1)
+    email_validator (2.2.2)
       activemodel
     erb_lint (0.0.34)
       activesupport
@@ -92,39 +93,41 @@ GEM
       rainbow
       rubocop (~> 0.79)
       smart_properties
-    erubi (1.9.0)
+    erubi (1.10.0)
     factory_bot (6.1.0)
       activesupport (>= 5.0.0)
     factory_bot_rails (6.1.0)
       factory_bot (~> 6.1.0)
       railties (>= 5.0.0)
-    ffi (1.13.1)
+    ffi (1.14.2)
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
     globalid (0.4.2)
       activesupport (>= 4.2.0)
     html_tokenizer (0.0.7)
-    i18n (1.8.5)
+    i18n (1.8.9)
       concurrent-ruby (~> 1.0)
-    loofah (2.6.0)
+    loofah (2.9.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
     method_source (1.0.0)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
+    mini_portile2 (2.5.0)
+    minitest (5.14.4)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     parallel (1.19.2)
-    parser (2.7.1.4)
+    parser (3.0.0.0)
       ast (~> 2.4.1)
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.5)
+    racc (1.5.2)
     rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
@@ -137,14 +140,14 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3.2)
-      actionpack (= 6.0.3.2)
-      activesupport (= 6.0.3.2)
+    railties (6.1.3)
+      actionpack (= 6.1.3)
+      activesupport (= 6.1.3)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
+      thor (~> 1.0)
     rainbow (3.0.0)
-    rake (13.0.1)
+    rake (13.0.3)
     regexp_parser (1.7.1)
     rexml (3.2.4)
     rspec-core (3.9.2)
@@ -180,15 +183,14 @@ GEM
       activesupport (>= 4.2.0)
     smart_properties (1.15.0)
     sqlite3 (1.4.2)
-    thor (1.0.1)
-    thread_safe (0.3.6)
+    thor (1.1.0)
     timecop (0.9.1)
-    tzinfo (1.2.7)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
     unicode-display_width (1.7.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.4.0)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby

data/NEWS.md

@@ -3,6 +3,16 @@
 The noteworthy changes for each Clearance version are included here. For a
 complete changelog, see the git history for each version via the version links.
 
+## [2.3.1] - March 5, 2021
+
+### Fixed
+
+- Support for accessing Rails 6.x primary_key_type in generator.
+- Fix password reset URLs when using a custom model
+- Fix flaky test that relied on too specific time delta
+- Revert case sensitivity for email uniqueness
+- Bump nokogiri and actionview dependencies to address security vulnerabilities
+
 ## [2.3.0] - August 14, 2020
 
 ### Fixed

data/app/views/clearance_mailer/change_password.html.erb

@@ -2,7 +2,7 @@
 
 <p>
   <%= link_to t(".link_text", default: "Change my password"),
-    edit_user_password_url(@user, token: @user.confirmation_token) %>
+    url_for([@user, :password, action: :edit, token: @user.confirmation_token]) %>
 </p>
 
 <p><%= t(".closing") %></p>

data/app/views/clearance_mailer/change_password.text.erb

@@ -1,5 +1,5 @@
 <%= t(".opening") %>
 
-<%= edit_user_password_url(@user, token: @user.confirmation_token) %>
+<%= url_for([@user, :password, action: :edit, token: @user.confirmation_token]) %>
 
 <%= t(".closing") %>

data/app/views/passwords/edit.html.erb

@@ -4,7 +4,7 @@
   <p><%= t(".description") %></p>
 
   <%= form_for :password_reset,
-        url: user_password_path(@user, token: @user.confirmation_token),
+        url: [@user, :password, token: @user.confirmation_token],
         html: { method: :put } do |form| %>
     <div class="password-field">
       <%= form.label :password %>

data/gemfiles/rails_6.1.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "addressable"
+gem "ammeter"
+gem "appraisal"
+gem "capybara"
+gem "database_cleaner"
+gem "erb_lint", require: false
+gem "factory_bot_rails"
+gem "nokogiri"
+gem "pry", require: false
+gem "rails-controller-testing"
+gem "rspec-rails"
+gem "shoulda-matchers"
+gem "sqlite3"
+gem "timecop"
+gem "railties", "~> 6.1"
+
+gemspec path: "../"

data/lib/clearance/configuration.rb

@@ -88,6 +88,14 @@ module Clearance
     # @return [Boolean]
     attr_accessor :secure_cookie
 
+    # Controls whether cookies are signed.
+    # Defaults to `false` for backwards compatibility.
+    # When set, uses Rails' signed cookies
+    # (more secure against timing/brute-force attacks)
+    # see [ActionDispatch::Cookies](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html)
+    # @return [Boolean|:migrate]
+    attr_reader :signed_cookie
+
     # The array of sign in guards to run when signing a user in.
     # Defaults to an empty array. Sign in guards respond to `call` and are
     # initialized with a session and the current stack. Each guard can decide
@@ -124,9 +132,20 @@ module Clearance
       @rotate_csrf_on_sign_in = true
       @routes = true
       @secure_cookie = false
+      @signed_cookie = false
       @sign_in_guards = []
     end
 
+    def signed_cookie=(value)
+      if [true, false, :migrate].include? value
+        @signed_cookie = value
+      else
+        raise "Clearance's signed_cookie configuration value is invalid. " \
+              "Valid values are true, false, or :migrate. " \
+              "Set this option via Clearance.configure in an initializer"
+      end
+    end
+
     # The class representing the configured user model.
     # In the default configuration, this is the `User` class.
     # @return [Class]

data/lib/clearance/rack_session.rb

@@ -23,7 +23,7 @@ module Clearance
       response = @app.call(env)
 
       if session.authentication_successful?
-        session.add_cookie_to_headers response[1]
+        session.add_cookie_to_headers
       end
 
       response

data/lib/clearance/session.rb

@@ -14,15 +14,9 @@ module Clearance
     # Called by {RackSession} to add the Clearance session cookie to a response.
     #
     # @return [void]
-    def add_cookie_to_headers(headers)
+    def add_cookie_to_headers
       if signed_in_with_remember_token?
-        Rack::Utils.set_cookie_header!(
-          headers,
-          remember_token_cookie,
-          cookie_options.merge(
-            value: current_user.remember_token,
-          ),
-        )
+        set_remember_token(current_user.remember_token)
       end
     end
 
@@ -112,9 +106,27 @@ module Clearance
       @cookies ||= ActionDispatch::Request.new(@env).cookie_jar
     end
 
+    # @api private
+    def set_remember_token(token)
+      case Clearance.configuration.signed_cookie
+      when true, :migrate
+        cookies.signed[remember_token_cookie] = cookie_options(token)
+      when false
+        cookies[remember_token_cookie] = cookie_options(token)
+      end
+      remember_token
+    end
+
     # @api private
     def remember_token
-      cookies[remember_token_cookie]
+      case Clearance.configuration.signed_cookie
+      when true
+        cookies.signed[remember_token_cookie]
+      when :migrate
+        cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
+      when false
+        cookies[remember_token_cookie]
+      end
     end
 
     # @api private
@@ -159,7 +171,7 @@ module Clearance
     end
 
     # @api private
-    def cookie_options
+    def cookie_options(value)
       {
         domain: domain,
         expires: remember_token_expires,
@@ -167,7 +179,7 @@ module Clearance
         same_site: Clearance.configuration.same_site,
         path: Clearance.configuration.cookie_path,
         secure: Clearance.configuration.secure_cookie,
-        value: remember_token,
+        value: value,
       }
     end
 

data/lib/clearance/user.rb

@@ -152,7 +152,7 @@ module Clearance
         validates :email,
           email: { strict_mode: true },
           presence: true,
-          uniqueness: { allow_blank: true, case_sensitive: false },
+          uniqueness: { allow_blank: true, case_sensitive: true },
           unless: :email_optional?
 
         validates :password, presence: true, unless: :skip_password_validation?

data/lib/clearance/version.rb

@@ -1,3 +1,3 @@
 module Clearance
-  VERSION = "2.3.0".freeze
+  VERSION = "2.3.1".freeze
 end

data/lib/generators/clearance/install/install_generator.rb

@@ -129,7 +129,10 @@ module Clearance
       end
 
       def configured_key_type
-        Rails.configuration.generators.active_record[:primary_key_type]
+        active_record = Rails.configuration.generators.active_record
+        active_record ||= Rails.configuration.generators.options[:active_record]
+
+        active_record[:primary_key_type]
       end
 
       def models_inherit_from

data/spec/clearance/rack_session_spec.rb

@@ -20,7 +20,6 @@ describe Clearance::RackSession do
     response = Rack::MockResponse.new(*app.call(env))
 
     expect(response.body).to eq expected_session
-    expect(expected_session).to have_received(:add_cookie_to_headers).
-      with(hash_including(headers))
+    expect(expected_session).to have_received(:add_cookie_to_headers)
   end
 end

data/spec/clearance/session_spec.rb

@@ -4,7 +4,6 @@ describe Clearance::Session do
   before { Timecop.freeze }
   after { Timecop.return }
 
-  let(:headers) { {} }
   let(:session) { Clearance::Session.new(env_without_remember_token) }
   let(:user) { create(:user) }
 
@@ -35,9 +34,63 @@ describe Clearance::Session do
       Clearance.configuration.cookie_name = "custom_cookie_name"
 
       session.sign_in user
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to match(/custom_cookie_name=.+;/)
+      expect(remember_token_cookie(session, "custom_cookie_name")).to be_present
+    end
+  end
+
+  context "with signed cookies == false" do
+    it "uses cookies.signed" do
+      Clearance.configuration.signed_cookie = true
+
+      cookie_jar = {}
+      expect(session).to receive(:cookies).and_return(cookie_jar)
+      expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+      session.sign_in user
+    end
+  end
+
+  context "with signed cookies == true" do
+    it "uses cookies.signed" do
+      Clearance.configuration.signed_cookie = true
+
+      cookie_jar = {}
+      expect(session).to receive(:cookies).and_return(cookie_jar)
+      expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+      session.sign_in user
+    end
+  end
+
+  context "with signed cookies == :migrate" do
+    before do
+      Clearance.configuration.signed_cookie = :migrate
+    end
+
+    context "signed cookie exists" do
+      it "uses cookies.signed[remember_token]" do
+        cookie_jar = { "remember_token" => "signed cookie" }
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+        expect(cookie_jar).to receive(:signed).and_return(cookie_jar)
+
+        session.sign_in user
+      end
+    end
+
+    context "signed cookie does not exist yet" do
+      it "uses cookies[remember_token] instead" do
+        cookie_jar = { "remember_token" => "signed cookie" }
+        # first call will try to get the signed cookie
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+        # ... but signed_cookie doesn't exist
+        expect(cookie_jar).to receive(:signed).and_return({})
+        # then it attempts to retrieve the unsigned cookie
+        expect(session).to receive(:cookies).and_return(cookie_jar)
+
+        session.sign_in user
+      end
     end
   end
 
@@ -157,9 +210,9 @@ describe Clearance::Session do
     end
 
     it 'sets a httponly cookie' do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers['Set-Cookie']).to match(/remember_token=.+; HttpOnly/)
+      expect(remember_token_cookie(session)[:httponly]).to be_truthy
     end
   end
 
@@ -170,9 +223,9 @@ describe Clearance::Session do
     end
 
     it 'sets a standard cookie' do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers['Set-Cookie']).not_to match(/remember_token=.+; HttpOnly/)
+      expect(remember_token_cookie(session)[:httponly]).to be_falsey
     end
   end
 
@@ -183,9 +236,9 @@ describe Clearance::Session do
     end
 
     it "sets a same-site cookie" do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to match(/remember_token=.+; SameSite/)
+      expect(remember_token_cookie(session)[:same_site]).to eq(:lax)
     end
   end
 
@@ -195,9 +248,9 @@ describe Clearance::Session do
     end
 
     it "sets a standard cookie" do
-      session.add_cookie_to_headers(headers)
+      session.add_cookie_to_headers
 
-      expect(headers["Set-Cookie"]).to_not match(/remember_token=.+; SameSite/)
+      expect(remember_token_cookie(session)[:same_site]).to be_nil
     end
   end
 
@@ -205,15 +258,11 @@ describe Clearance::Session do
     context 'default configuration' do
       it 'is set to 1 year from now' do
         user = double("User", remember_token: "123abc")
-        headers = {}
         session = Clearance::Session.new(env_without_remember_token)
         session.sign_in user
-        session.add_cookie_to_headers headers
+        session.add_cookie_to_headers
 
-        expect(headers).to set_cookie(
-          'remember_token',
-          user.remember_token, 1.year.from_now
-        )
+        expect(remember_token_cookie(session)[:expires]).to eq(1.year.from_now)
       end
     end
 
@@ -225,18 +274,14 @@ describe Clearance::Session do
         end
         with_custom_expiration expires_at do
           user = double("User", remember_token: "123abc")
-          headers = {}
           environment = env_with_cookies(remember_me: 'true')
           session = Clearance::Session.new(environment)
           session.sign_in user
-          session.add_cookie_to_headers headers
-
-          expect(headers).to set_cookie(
-            'remember_token',
-            user.remember_token,
-            remembered_expires
-          )
-
+          session.add_cookie_to_headers
+          expect(remember_token_cookie(session)[:expires]).to \
+            eq(remembered_expires)
+          expect(remember_token_cookie(session)[:value]).to \
+            eq(user.remember_token)
         end
       end
     end
@@ -249,9 +294,9 @@ describe Clearance::Session do
       end
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).not_to match(/remember_token=.+; secure/)
+        expect(remember_token_cookie(session)[:secure]).to be_falsey
       end
     end
 
@@ -262,9 +307,9 @@ describe Clearance::Session do
       end
 
       it 'sets a secure cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).to match(/remember_token=.+; secure/)
+        expect(remember_token_cookie(session)[:secure]).to be_truthy
       end
     end
   end
@@ -280,9 +325,9 @@ describe Clearance::Session do
         let(:cookie_domain) { ".example.com" }
 
         it "sets a standard cookie" do
-          session.add_cookie_to_headers(headers)
+          session.add_cookie_to_headers
 
-          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+          expect(remember_token_cookie(session)[:domain]).to eq(cookie_domain)
         end
       end
 
@@ -290,9 +335,9 @@ describe Clearance::Session do
         let(:cookie_domain) { lambda { |_r| ".example.com" } }
 
         it "sets a standard cookie" do
-          session.add_cookie_to_headers(headers)
+          session.add_cookie_to_headers
 
-          expect(headers['Set-Cookie']).to match(/domain=\.example\.com; path/)
+          expect(remember_token_cookie(session)[:domain]).to eq(".example.com")
         end
       end
     end
@@ -301,9 +346,9 @@ describe Clearance::Session do
       before { session.sign_in(user) }
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers["Set-Cookie"]).not_to match(/domain=.+; path/)
+        expect(remember_token_cookie(session)[:domain]).to be_nil
       end
     end
   end
@@ -313,9 +358,9 @@ describe Clearance::Session do
       before { session.sign_in(user) }
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers["Set-Cookie"]).to_not match(/domain=.+; path/)
+        expect(remember_token_cookie(session)[:domain]).to be_nil
       end
     end
 
@@ -326,18 +371,17 @@ describe Clearance::Session do
       end
 
       it 'sets a standard cookie' do
-        session.add_cookie_to_headers(headers)
+        session.add_cookie_to_headers
 
-        expect(headers['Set-Cookie']).to match(/path=\/user; expires/)
+        expect(remember_token_cookie(session)[:path]).to eq("/user")
       end
     end
   end
 
   it 'does not set a remember token when signed out' do
-    headers = {}
     session = Clearance::Session.new(env_without_remember_token)
-    session.add_cookie_to_headers headers
-    expect(headers["Set-Cookie"]).to be nil
+    session.add_cookie_to_headers
+    expect(remember_token_cookie(session)).to be_nil
   end
 
   describe "#sign_out" do
@@ -399,6 +443,16 @@ describe Clearance::Session do
     end
   end
 
+  # a bit of a hack to get the cookies that ActionDispatch sets inside session
+  def remember_token_cookie(session, cookie_name = "remember_token")
+    cookies = session.send(:cookies)
+    # see https://stackoverflow.com/a/21315095
+    set_cookies = cookies.instance_eval <<-RUBY, __FILE__, __LINE__ + 1
+      @set_cookies
+    RUBY
+    set_cookies[cookie_name]
+  end
+
   def env_with_cookies(cookies)
     Rack::MockRequest.env_for '/', 'HTTP_COOKIE' => serialize_cookies(cookies)
   end

data/spec/configuration_spec.rb

@@ -66,6 +66,34 @@ describe Clearance::Configuration do
     end
   end
 
+  context "when signed_cookie is set to true" do
+    it "returns true" do
+      Clearance.configure { |config| config.signed_cookie = true }
+      expect(Clearance.configuration.signed_cookie).to eq true
+    end
+  end
+
+  context "when signed_cookie is not specified" do
+    it "defaults to false" do
+      expect(Clearance.configuration.signed_cookie).to eq false
+    end
+  end
+
+  context "when signed_cookie is set to :migrate" do
+    it "returns :migrate" do
+      Clearance.configure { |config| config.signed_cookie = :migrate }
+      expect(Clearance.configuration.signed_cookie).to eq :migrate
+    end
+  end
+
+  context "when signed_cookie is set to an unexpected value" do
+    it "returns :migrate" do
+      expect {
+        Clearance.configure { |config| config.signed_cookie = "unknown" }
+      }.to raise_exception(RuntimeError)
+    end
+  end
+
   context "when no redirect URL specified" do
     it 'returns "/" as redirect URL' do
       expect(Clearance::Configuration.new.redirect_url).to eq "/"

data/spec/generators/clearance/install/install_generator_spec.rb

@@ -147,9 +147,15 @@ describe Clearance::Generators::InstallGenerator, :generator do
   end
 
   def preserve_original_primary_key_type_setting
-    original = Rails.configuration.generators.active_record[:primary_key_type]
+    active_record = Rails.configuration.generators.active_record
+    active_record ||= Rails.configuration.generators.options[:active_record]
+    original = active_record[:primary_key_type]
+
     yield
-    Rails.configuration.generators.active_record[:primary_key_type] = original
+
+    Rails.application.config.generators do |g|
+      g.orm :active_record, primary_key_type: original
+    end
   end
 
   def contain_models_inherit_from

data/spec/mailers/clearance_mailer_spec.rb

@@ -55,4 +55,37 @@ describe ClearanceMailer do
       text: I18n.t("clearance_mailer.change_password.link_text")
     )
   end
+
+  context "when using a custom model" do
+    it "contains a link for a custom model" do
+      define_people_routes
+      Person = Class.new(User)
+      person = Person.new(email: "person@example.com", password: "password")
+
+      person.forgot_password!
+      host = ActionMailer::Base.default_url_options[:host]
+      link = "http://#{host}/people/#{person.id}/password/edit" \
+        "?token=#{person.confirmation_token}"
+
+      email = ClearanceMailer.change_password(person)
+
+      expect(email.text_part.body).to include(link)
+      expect(email.html_part.body).to include(link)
+
+      Object.send(:remove_const, :Person)
+      Rails.application.reload_routes!
+    end
+
+    def define_people_routes
+      Rails.application.routes.draw do
+        resources :people, controller: "clearance/users", only: :create do
+          resource(
+            :password,
+            controller: "clearance/passwords",
+            only: %i[edit update],
+          )
+        end
+      end
+    end
+  end
 end

data/spec/models/user_spec.rb

@@ -59,7 +59,7 @@ describe User do
         User.authenticate("bad_email@example.com", password)
       end
 
-      expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
     end
 
     it "takes the same amount of time to fail authentication regardless of whether user exists" do
@@ -73,7 +73,7 @@ describe User do
         User.authenticate("bad_email@example.com", "bad_password")
       end
 
-      expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
+      expect(user_does_not_exist_time). to be_within(0.01).of(user_exists_time)
     end
 
     it "is retrieved via a case-insensitive search" do

data/spec/support/clearance.rb

@@ -4,6 +4,17 @@ Clearance.configure do |config|
   # need an empty block to initialize the configuration object
 end
 
+# NOTE: to run the entire suite with signed cookies
+#       you can set the signed_cookie default to true
+#       and run all specs.
+#       However, to fake the actual signing process you
+#       can monkey-patch ActionDispatch so signed cookies
+#       behave like normal ones
+#
+# class ActionDispatch::Cookies::CookieJar
+#   def signed; self; end
+# end
+
 module Clearance
   module Test
     module Redirects

data/spec/support/request_with_remember_token.rb

@@ -1,11 +1,13 @@
 module RememberTokenHelpers
   def request_with_remember_token(remember_token)
-    cookies = {
-      'action_dispatch.cookies' => {
-        Clearance.configuration.cookie_name => remember_token
-      }
-    }
-    env = { clearance: Clearance::Session.new(cookies) }
+    cookies = ActionDispatch::Request.new({}).cookie_jar
+    if Clearance.configuration.signed_cookie
+      cookies.signed[Clearance.configuration.cookie_name] = remember_token
+    else
+      cookies[Clearance.configuration.cookie_name] = remember_token
+    end
+
+    env = { clearance: Clearance::Session.new(cookies.request.env) }
     Rack::Request.new env
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: clearance
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.1
 platform: ruby
 authors:
 - Dan Croak
@@ -25,7 +25,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-08-14 00:00:00.000000000 Z
+date: 2021-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -145,8 +145,8 @@ extra_rdoc_files:
 - README.md
 files:
 - ".erb-lint.yml"
+- ".github/workflows/tests.yml"
 - ".gitignore"
-- ".travis.yml"
 - ".yardopts"
 - Appraisals
 - CONTRIBUTING.md
@@ -184,6 +184,7 @@ files:
 - gemfiles/rails_5.1.gemfile
 - gemfiles/rails_5.2.gemfile
 - gemfiles/rails_6.0.gemfile
+- gemfiles/rails_6.1.gemfile
 - lib/clearance.rb
 - lib/clearance/authentication.rb
 - lib/clearance/authorization.rb

data/.travis.yml

@@ -1,28 +0,0 @@
-cache: bundler
-
-language:
-  - ruby
-
-rvm:
-  - 2.4.9
-  - 2.5.7
-  - 2.6.5
-  - 2.7.0
-
-gemfile:
-  - gemfiles/rails_5.0.gemfile
-  - gemfiles/rails_5.1.gemfile
-  - gemfiles/rails_5.2.gemfile
-  - gemfiles/rails_6.0.gemfile
-
-install:
-  - "bin/setup"
-
-branches:
-  only:
-    - master
-
-matrix:
-  exclude:
-    - rvm: 2.4.9
-      gemfile: gemfiles/rails_6.0.gemfile