clearance 2.4.0 → 2.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/tests.yml +1 -1
- data/Gemfile.lock +6 -6
- data/NEWS.md +12 -0
- data/README.md +4 -4
- data/lib/clearance/authorization.rb +7 -1
- data/lib/clearance/version.rb +1 -1
- data/lib/generators/clearance/install/templates/db/migrate/add_clearance_to_users.rb.erb +5 -1
- data/spec/controllers/sessions_controller_spec.rb +13 -0
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d60bf1a6126821259c777a4d6c34169e0ac643d4c88f74133b13400b99c9140f
|
|
4
|
+
data.tar.gz: 42a4077da0d6bca303752a3ef9b224167b3510f3ea9649c3439148c6242591d5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a62015195770da36e79c06e228a9e368d20fb3c2e91c92f3bf168f5a2706bbaef4fc98c28bcde3cb5a80bf3eb16f2acc589cb7da920e151cb0060290cea5cc44
|
|
7
|
+
data.tar.gz: cec9f3ce0c48cadd04b43b0a5280fd34db24c532ea1f01e92b76b7acd3413220fb568f7d4e3f180b4aa80669264af0d0216da3c4806bc2d24af59276e4d50635
|
data/.github/workflows/tests.yml
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
clearance (2.
|
|
4
|
+
clearance (2.5.0)
|
|
5
5
|
actionmailer (>= 5.0)
|
|
6
6
|
activemodel (>= 5.0)
|
|
7
7
|
activerecord (>= 5.0)
|
|
@@ -84,7 +84,7 @@ GEM
|
|
|
84
84
|
crass (1.0.6)
|
|
85
85
|
database_cleaner (1.8.5)
|
|
86
86
|
diff-lcs (1.4.4)
|
|
87
|
-
email_validator (2.2.
|
|
87
|
+
email_validator (2.2.3)
|
|
88
88
|
activemodel
|
|
89
89
|
erb_lint (0.0.34)
|
|
90
90
|
activesupport
|
|
@@ -99,12 +99,12 @@ GEM
|
|
|
99
99
|
factory_bot_rails (6.1.0)
|
|
100
100
|
factory_bot (~> 6.1.0)
|
|
101
101
|
railties (>= 5.0.0)
|
|
102
|
-
ffi (1.
|
|
102
|
+
ffi (1.15.4)
|
|
103
103
|
ffi-compiler (1.0.1)
|
|
104
104
|
ffi (>= 1.0.0)
|
|
105
105
|
rake
|
|
106
|
-
globalid (0.
|
|
107
|
-
activesupport (>=
|
|
106
|
+
globalid (0.5.2)
|
|
107
|
+
activesupport (>= 5.0)
|
|
108
108
|
html_tokenizer (0.0.7)
|
|
109
109
|
i18n (1.8.9)
|
|
110
110
|
concurrent-ruby (~> 1.0)
|
|
@@ -149,7 +149,7 @@ GEM
|
|
|
149
149
|
rainbow (3.0.0)
|
|
150
150
|
rake (13.0.3)
|
|
151
151
|
regexp_parser (1.7.1)
|
|
152
|
-
rexml (3.2.
|
|
152
|
+
rexml (3.2.5)
|
|
153
153
|
rspec-core (3.9.2)
|
|
154
154
|
rspec-support (~> 3.9.3)
|
|
155
155
|
rspec-expectations (3.9.2)
|
data/NEWS.md
CHANGED
|
@@ -3,6 +3,18 @@
|
|
|
3
3
|
The noteworthy changes for each Clearance version are included here. For a
|
|
4
4
|
complete changelog, see the git history for each version via the version links.
|
|
5
5
|
|
|
6
|
+
## [2.5.0] - September 10, 2021
|
|
7
|
+
|
|
8
|
+
### Fixed
|
|
9
|
+
|
|
10
|
+
- Fix open redirect vulnerability
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
|
|
14
|
+
- Rename default branch to `main`
|
|
15
|
+
|
|
16
|
+
[2.4.0]: https://github.com/thoughtbot/clearance/compare/v2.3.1...v2.4.0
|
|
17
|
+
|
|
6
18
|
## [2.4.0] - March 5, 2021
|
|
7
19
|
|
|
8
20
|
### Added
|
data/README.md
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Clearance
|
|
2
2
|
|
|
3
|
-
[]( https://github.com/thoughtbot/clearance/actions/workflows/tests.yml?query=branch%3Amain)
|
|
4
4
|
[](https://codeclimate.com/github/thoughtbot/clearance)
|
|
5
|
-
[](https://inch-ci.org/github/thoughtbot/clearance)
|
|
6
6
|
[](https://houndci.com)
|
|
7
7
|
|
|
8
8
|
Rails authentication with email & password.
|
|
@@ -55,7 +55,7 @@ Clearance.configure do |config|
|
|
|
55
55
|
config.cookie_name = "remember_token"
|
|
56
56
|
config.cookie_path = "/"
|
|
57
57
|
config.routes = true
|
|
58
|
-
config.httponly =
|
|
58
|
+
config.httponly = true
|
|
59
59
|
config.mailer_sender = "reply@example.com"
|
|
60
60
|
config.password_strategy = Clearance::PasswordStrategies::BCrypt
|
|
61
61
|
config.redirect_url = "/"
|
|
@@ -299,7 +299,7 @@ Clearance.configure do |config|
|
|
|
299
299
|
end
|
|
300
300
|
```
|
|
301
301
|
|
|
302
|
-
If you are currently not using
|
|
302
|
+
If you are currently not using signed cookies but would like to migrate your
|
|
303
303
|
users over to them without breaking current sessions, you can do so by passing
|
|
304
304
|
in `:migrate` rather than `true` as so:
|
|
305
305
|
|
|
@@ -86,10 +86,16 @@ module Clearance
|
|
|
86
86
|
def return_to
|
|
87
87
|
if return_to_url
|
|
88
88
|
uri = URI.parse(return_to_url)
|
|
89
|
-
|
|
89
|
+
path = path_without_leading_slashes(uri)
|
|
90
|
+
"#{path}?#{uri.query}".chomp("?") + "##{uri.fragment}".chomp("#")
|
|
90
91
|
end
|
|
91
92
|
end
|
|
92
93
|
|
|
94
|
+
# @api private
|
|
95
|
+
def path_without_leading_slashes(uri)
|
|
96
|
+
uri.path.sub(/\A\/+/, "/")
|
|
97
|
+
end
|
|
98
|
+
|
|
93
99
|
# @api private
|
|
94
100
|
def return_to_url
|
|
95
101
|
session[:return_to]
|
data/lib/clearance/version.rb
CHANGED
|
@@ -21,7 +21,11 @@ class AddClearanceToUsers < ActiveRecord::Migration<%= migration_version %>
|
|
|
21
21
|
end
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
-
def self.down
|
|
24
|
+
def self.down
|
|
25
|
+
<% config[:new_indexes].values.each do |index| -%>
|
|
26
|
+
<%= index.gsub("add_index", "remove_index") %>
|
|
27
|
+
<% end -%>
|
|
28
|
+
|
|
25
29
|
change_table :users do |t|
|
|
26
30
|
<% if config[:new_columns].any? -%>
|
|
27
31
|
t.remove <%= new_columns.keys.map { |column| ":#{column}" }.join(", ") %>
|
|
@@ -58,6 +58,19 @@ describe Clearance::SessionsController do
|
|
|
58
58
|
end
|
|
59
59
|
|
|
60
60
|
context "with good credentials and a session return url" do
|
|
61
|
+
it "redirects to the return URL removing leading slashes" do
|
|
62
|
+
user = create(:user)
|
|
63
|
+
url = "/url_in_the_session?foo=bar#baz"
|
|
64
|
+
return_url = "//////#{url}"
|
|
65
|
+
request.session[:return_to] = return_url
|
|
66
|
+
|
|
67
|
+
post :create, params: {
|
|
68
|
+
session: { email: user.email, password: user.password },
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
should redirect_to(url)
|
|
72
|
+
end
|
|
73
|
+
|
|
61
74
|
it "redirects to the return URL maintaining query and fragment" do
|
|
62
75
|
user = create(:user)
|
|
63
76
|
return_url = "/url_in_the_session?foo=bar#baz"
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: clearance
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.5.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Croak
|
|
@@ -22,10 +22,10 @@ authors:
|
|
|
22
22
|
- Jason Morrison
|
|
23
23
|
- Galen Frechette
|
|
24
24
|
- Josh Steiner
|
|
25
|
-
autorequire:
|
|
25
|
+
autorequire:
|
|
26
26
|
bindir: bin
|
|
27
27
|
cert_chain: []
|
|
28
|
-
date: 2021-
|
|
28
|
+
date: 2021-09-10 00:00:00.000000000 Z
|
|
29
29
|
dependencies:
|
|
30
30
|
- !ruby/object:Gem::Dependency
|
|
31
31
|
name: bcrypt
|
|
@@ -295,7 +295,7 @@ homepage: https://github.com/thoughtbot/clearance
|
|
|
295
295
|
licenses:
|
|
296
296
|
- MIT
|
|
297
297
|
metadata: {}
|
|
298
|
-
post_install_message:
|
|
298
|
+
post_install_message:
|
|
299
299
|
rdoc_options:
|
|
300
300
|
- "--charset=UTF-8"
|
|
301
301
|
require_paths:
|
|
@@ -311,8 +311,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
311
311
|
- !ruby/object:Gem::Version
|
|
312
312
|
version: '0'
|
|
313
313
|
requirements: []
|
|
314
|
-
rubygems_version: 3.1.
|
|
315
|
-
signing_key:
|
|
314
|
+
rubygems_version: 3.1.4
|
|
315
|
+
signing_key:
|
|
316
316
|
specification_version: 4
|
|
317
317
|
summary: Rails authentication & authorization with email & password.
|
|
318
318
|
test_files: []
|