devise-argon2 2.0.0 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d20fef20b04b01fd33fd4e8b7104f50ef57ce75e6a4406df46a3ea10fe693a1
-  data.tar.gz: 7b66c6a1e646eea75a16c43ae37a95b557e6342488885a73ab60a80d3d5903a5
+  metadata.gz: 7542aed226ac27c831a5f6acdbb6011fe8b6632e83a60902341c4f44bad38b27
+  data.tar.gz: 63891613bb7343641df64221d56533f646543c8eb0c8b3f9fe32186a4f4c46df
 SHA512:
-  metadata.gz: 668de52215782a24691ec1d44ced5c85376d99099da8352c583a3452fb78d60e928fef311efe5bdfadffc5dfac130b1affabf9ce26b0197ea807d5602ed257d8
-  data.tar.gz: 12669cb6bbd94d3cc6e0427a6bf805152417f47858145daf6fba20907d32c10f9c8bedf4535a7ede8af0c572723886537ee782967e7b9b7e5566ec01c6f6ec27
+  metadata.gz: 958d4df9feceff3bb4b28c85eed86f0072cd9914ba7f00cfdc26379def7af570647812fb72e14303b02ad435d4e8450d6cbc63b76a7b23380de1218828fac365
+  data.tar.gz: f639d484fe68ff7d39df88511a06c15b4518ddce58cf02057d39f99524aa5942af83427bb2268f66fe2facd36c30cb72477782f903d2d17e1dfd8f7e644a4fc7

data/.github/workflows/test.yml

@@ -1,35 +1,73 @@
 name: Test suite
 
-on: [push, pull_request]
+on: [push, pull_request, workflow_dispatch]
 
 jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1', '3.2', 'ruby-head']
-        rails-version: ['~> 7.0', '~> 6.1']
+        ruby-version: ['2.7', '3.0', '3.1', '3.2', '3.3']
+        rails-version: ['~> 6.1', '~> 7.0', '~> 7.1', '~> 7.2', '8.0.0.beta1']
+        argon2-version: ['2.2', '2.3']
         orm:
           - adapter: active_record
           - adapter: mongoid
-            mongoid-version: 8.1.2
+            mongoid-version: 9.0.2
           - adapter: mongoid
-            mongoid-version: 8.0.6
+            mongoid-version: 8.1.6
+          - adapter: mongoid
+            mongoid-version: 8.0.8
           - adapter: mongoid
             mongoid-version: 7.5.4
-        include:
-          - rails-version: '~> 7.1'
+        exclude:
+          - rails-version: '~> 7.2'
+            ruby-version: '2.7'
+          - rails-version: '~> 7.2'
+            ruby-version: '3.0'
+          - rails-version: '8.0.0.beta1'
+            ruby-version: '2.7'
+          - rails-version: '8.0.0.beta1'
+            ruby-version: '3.0'
+          - rails-version: '8.0.0.beta1'
             ruby-version: '3.1'
-            orm:
-              adapter: active_record
-          - rails-version: '~> 7.1'
+          - orm:
+              adapter: mongoid
+            rails-version: '8.0.0.beta1'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 8.0.8
+            ruby-version: '3.3'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 8.0.8
+            ruby-version: '3.2'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 7.5.4
+            ruby-version: '3.3'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 7.5.4
             ruby-version: '3.2'
-            orm:
-              adapter: active_record
+          - orm:
+              adapter: mongoid
+              mongoid-version: 8.0.8
+            rails-version: '~> 7.2'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 7.5.4
+            rails-version: '~> 7.2'
+          - orm:
+              adapter: mongoid
+              mongoid-version: 7.5.4
+            rails-version: '~> 7.1'
     env:
       RAILS_VERSION: ${{ matrix.rails-version  || '~> 7.0'}}
-      MONGOID_VERSION: ${{ matrix.orm.mongoid-version || '8.1.2'}}
+      MONGOID_VERSION: ${{ matrix.orm.mongoid-version || '8.1.6'}}
       ORM: ${{ matrix.orm.adapter }}
+      ARGON2_VERSION: ${{ matrix.argon2-version }}
+      DEVISE_VERSION: ${{ matrix.devise-version || '~> 4.9' }}
     steps:
     - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby-version }}
@@ -37,6 +75,7 @@ jobs:
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true
+        cache-version: 1
     - uses: supercharge/mongodb-github-action@1.10.0
       if: ${{ matrix.orm.adapter == 'mongoid' }}
     - name: Setup rails test environment

data/.gitignore

@@ -14,7 +14,7 @@ rdoc
 spec/reports
 spec/rails_app/log/*
 spec/rails_app/tmp/*
-spec/rails_app/db/test.sqlite3
+spec/rails_app/db/test.sqlite3*
 test/tmp
 test/version_tmp
 tmp

data/CHANGELOG.md

@@ -1,20 +1,40 @@
-# Changelog 
+# Changelog
 
 ## Unreleased
 
+## [2.0.2] - 2024-09-30
+
+### Changed
+- When migrating users from v1 to v2, the `encrypted_password` update will no longer trigger callbacks (ie send email to users)
+
+### Added
+- Tests for newer dependency versions
+
+## [2.0.1] - 2023-10-18
+
+### Added
+- Add Argon2 and devise to the test suite
+- Add @moritzhoeppner as an author
+
+### Fixed
+- Fix work factors implementation
+
+## [2.0.0] - 2023-10-16
+
 ### Added
 - Expose Argon2 options for configuring hashing work factors
 - Add support for migration v1 hashes
 - Add support for migrating bcrypt hashes
 - Add tests for Mongoid
 - Add Changelog :)
- 
+
 ### Changed
 - Change salting / peppering mechanism
 - Change CI from Travis to GitHub Actions
- 
-### Removed 
+
+### Removed
 - Remove `devise-encryptable` dependency
 - Remove superflous dependency on devise `password_salt` column
 
+Thank you to @moritzhoeppner for the significant contributions to this release!
 

data/Gemfile

@@ -5,9 +5,16 @@ gemspec
 gem 'rspec'
 gem 'simplecov'
 gem 'activerecord'
-gem 'sqlite3'
 gem 'rails', ENV['RAILS_VERSION'] || '~> 7.0'
+gem 'argon2', ENV['ARGON2_VERSION'] || '~> 2.3'
+gem 'devise', ENV['DEVISE_VERSION'] || '~> 4.9'
 
 if ENV['ORM'] == 'mongoid'
   gem 'mongoid', ENV['MONGOID_VERSION'] || '~> 7.5'
 end
+
+if ENV['RAILS_VERSION'] == '8.0.0.beta1'
+  gem 'sqlite3', '~> 2.1'
+else
+  gem 'sqlite3', '~> 1.6', '>= 1.6.6'
+end

data/README.md

@@ -1,5 +1,6 @@
 # devise-argon2 
 [![Gem Version](https://badge.fury.io/rb/devise-argon2.svg)](https://badge.fury.io/rb/devise-argon2)
+![](https://github.com/erdostom/devise-argon2/actions/workflows/test.yml/badge.svg)
 
 A ruby gem that gives Devise models which use `database_authenticatable` the ability to hash
 passwords with Argon2id.
@@ -39,7 +40,7 @@ or `secret` to `Argon2::Password.new`. These parameters can be set like this:
 class User < ApplicationRecord
   devise :database_authenticatable,
     :argon2,
-    argon2_options: {  t_cost: 3, p_cost: 2 }
+    argon2_options: { t_cost: 3, p_cost: 2 }
 end
 ```
 

data/devise-argon2.gemspec

@@ -6,7 +6,7 @@ require "devise-argon2/version"
 Gem::Specification.new do |gem|
   gem.name = "devise-argon2"
   gem.version = Devise::Argon2::ARGON2_VERSION
-  gem.authors = ["Tamas Erdos"]
+  gem.authors = ["Tamas Erdos", "Moritz Höppner"]
   gem.email = ["tamas at tamaserdos com"]
   gem.description = %q{Enables Devise to hash passwords with Argon2id}
   gem.summary = %q{Enables Devise to hash passwords with Argon2id}
@@ -18,8 +18,8 @@ Gem::Specification.new do |gem|
   gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency 'devise', '>= 2.1.0'
-  gem.add_dependency 'argon2', '~> 2.0'
+  gem.add_dependency 'devise', '~> 4.0'
+  gem.add_dependency 'argon2', '~> 2.1'
 
 
   gem.post_install_message = "Version 2 of devise-argon2 introduces breaking changes, please see README.md for details."

data/lib/devise-argon2/model.rb

@@ -53,26 +53,49 @@ module Devise
         attributes = { encrypted_password: password_digest(password) }
         attributes[:password_salt] = nil if migrate_hash_from_devise_argon2_v1?
 
-        self.assign_attributes(attributes)
-        self.save if self.persisted?
+        if self.persisted?
+          update_without_callbacks(attributes)
+        else
+          self.assign_attributes(attributes)
+        end
+      end
+
+      def update_without_callbacks(attributes)
+        if defined?(Mongoid) && Mongoid.models.include?(self.class)
+          self.set(attributes)
+        else
+          self.update_columns(attributes)
+        end
       end
 
       def outdated_work_factors?
+        hash_format = ::Argon2::HashFormat.new(encrypted_password)
+        current_work_factors = {
+          t_cost: hash_format.t_cost,
+          m_cost: hash_format.m_cost,
+          p_cost: hash_format.p_cost
+        }
+        current_work_factors != configured_work_factors
+      end
+
+      def configured_work_factors
         # Since version 2.3.0 the argon2 gem exposes the default work factors via constants, see
         # https://github.com/technion/ruby-argon2/commit/d62ecf8b4ec6b8c1651fade5a5ebdc856e8aef42
-        default_t_cost = defined?(::Argon2::Password::DEFAULT_T_COST) ? ::Argon2::Password::DEFAULT_T_COST : 2
-        default_m_cost = defined?(::Argon2::Password::DEFAULT_M_COST) ? ::Argon2::Password::DEFAULT_M_COST : 16
-        default_p_cost = defined?(::Argon2::Password::DEFAULT_P_COST) ? ::Argon2::Password::DEFAULT_P_COST : 1
+        work_factors = {
+          t_cost: defined?(::Argon2::Password::DEFAULT_T_COST) ? ::Argon2::Password::DEFAULT_T_COST : 2,
+          m_cost: defined?(::Argon2::Password::DEFAULT_M_COST) ? ::Argon2::Password::DEFAULT_M_COST : 16,
+          p_cost: defined?(::Argon2::Password::DEFAULT_P_COST) ? ::Argon2::Password::DEFAULT_P_COST : 1
+        }.merge(self.class.argon2_options.slice(:t_cost, :m_cost, :p_cost))
 
-        current_t_cost = self.class.argon2_options[:t_cost] || default_t_cost
-        current_m_cost = self.class.argon2_options[:m_cost] || default_m_cost
-        current_p_cost = self.class.argon2_options[:p_cost] || default_p_cost
-        
-        hash_format = ::Argon2::HashFormat.new(encrypted_password)
+        # Since version 2.3.0 the argon2 gem supports defining work factors with named profiles, see
+        # https://github.com/technion/ruby-argon2/commit/6312a8fb3a6c6c5e771a736572e63d47485e8613
+        if self.class.argon2_options[:profile] && defined?(::Argon2::Profiles)
+          work_factors.merge!(::Argon2::Profiles[self.class.argon2_options[:profile]])
+        end
+
+        work_factors[:m_cost] = (1 << work_factors[:m_cost])
 
-        hash_format.t_cost != current_t_cost ||
-          hash_format.m_cost != (1 << current_m_cost) ||
-          hash_format.p_cost != current_p_cost
+        work_factors
       end
 
       def migrate_hash_from_devise_argon2_v1?

data/lib/devise-argon2/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Argon2
-    ARGON2_VERSION = '2.0.0'
+    ARGON2_VERSION = '2.0.2'
   end
 end

data/spec/devise-argon2_spec.rb

@@ -19,6 +19,7 @@ describe Devise::Models::Argon2 do
       p_cost: DEFAULT_P_COST
     }
     User.destroy_all
+    OldUser.destroy_all
   end
 
   def work_factors(hash)
@@ -127,6 +128,14 @@ describe Devise::Models::Argon2 do
       it 'does not update the hash if an invalid password is given' do
         expect{ user.valid_password?(INCORRECT_PASSWORD) }.not_to(change(user, :encrypted_password))
       end
+
+      it 'does not send password change notification emails on hash updates' do
+        user.email = 'test@example.com'
+        user.save!
+        Devise.send_password_change_notification = true
+        expect{ user.valid_password?(CORRECT_PASSWORD) }
+          .not_to(change { ActionMailer::Base.deliveries.count })
+      end
     end
 
     describe 'updating outdated work factors' do
@@ -174,6 +183,55 @@ describe Devise::Models::Argon2 do
             .to({ m_cost: 1 << 4, t_cost: 3, p_cost: 2 })
         )
       end
+
+      if Argon2::VERSION >= '2.3.0'
+        it 'updates work factors if they changed via profile option' do
+          # Build user with argon2 default work factors (which match the RFC_9106_LOW_MEMORY
+          # profile.)
+          Devise.argon2_options = {}
+          user
+
+          Devise.argon2_options = { profile: :pre_rfc_9106 }
+          
+          expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+            change{ work_factors(user.encrypted_password) }
+              .to(
+                {
+                  m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
+                  t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
+                  p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
+                }
+              )
+          )
+        end
+
+        it 'gives precendence to the profile option over explicit configuration of work factors' do
+          Devise.argon2_options = {
+            m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
+            t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
+            p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
+          }
+          user # build user
+
+          Devise.argon2_options = {
+            profile: :pre_rfc_9106,
+            m_cost: Argon2::Profiles[:pre_rfc_9106][:m_cost] + 1,
+            t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost] + 1,
+            p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost] + 1
+          }
+          
+          expect{ user.valid_password?(CORRECT_PASSWORD) }.to(
+            change{ work_factors(user.encrypted_password) }
+              .to(
+                {
+                  m_cost: 1 << Argon2::Profiles[:pre_rfc_9106][:m_cost],
+                  t_cost: Argon2::Profiles[:pre_rfc_9106][:t_cost],
+                  p_cost: Argon2::Profiles[:pre_rfc_9106][:p_cost]
+                }
+              )
+          )
+        end
+      end
     end
 
     it 'ignores migrate_from_devise_argon2_v1 if password_salt is not present' do

data/spec/rails_app/config/application.rb

@@ -20,5 +20,7 @@ module DummyRailsApp
     config.eager_load = false
     config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
     config.autoload_paths += ["#{config.root}/app/#{ORM}"]
+    config.action_mailer.delivery_method = :test
+    config.action_mailer.default_options = { from: 'test@example.com' }
   end
 end

data/spec/rails_app/config/routes.rb

@@ -0,0 +1,3 @@
+Rails.application.routes.draw do
+  devise_for :old_users
+end

metadata

@@ -1,43 +1,44 @@
 --- !ruby/object:Gem::Specification
 name: devise-argon2
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.0.2
 platform: ruby
 authors:
 - Tamas Erdos
+- Moritz Höppner
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-10-16 00:00:00.000000000 Z
+date: 2024-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: argon2
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '2.1'
 description: Enables Devise to hash passwords with Argon2id
 email:
 - tamas at tamaserdos com
@@ -77,6 +78,7 @@ files:
 - spec/rails_app/config/environment.rb
 - spec/rails_app/config/initializers/devise.rb
 - spec/rails_app/config/mongoid.yml
+- spec/rails_app/config/routes.rb
 - spec/rails_app/db/migrate/20230617201921_devise_create_users.rb
 - spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb
 - spec/rails_app/db/schema.rb
@@ -101,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
+rubygems_version: 3.4.22
 signing_key: 
 specification_version: 4
 summary: Enables Devise to hash passwords with Argon2id
@@ -126,6 +128,7 @@ test_files:
 - spec/rails_app/config/environment.rb
 - spec/rails_app/config/initializers/devise.rb
 - spec/rails_app/config/mongoid.yml
+- spec/rails_app/config/routes.rb
 - spec/rails_app/db/migrate/20230617201921_devise_create_users.rb
 - spec/rails_app/db/migrate/20231004084147_devise_create_old_users.rb
 - spec/rails_app/db/schema.rb