devise-secure-password 1.1.1

data/app/views/devise/passwords_with_policy/edit.html.erb

@@ -0,0 +1,20 @@
+<h2><%= t('.titles.section_title') %></h2>
+
+<%= form_for(resource, as: resource_name, url: [resource_name, :password_with_policy], html: { method: :put }) do |f| %>
+  <% if resource.errors.full_messages.count.positive? %>
+    <%= devise_error_messages! %>
+  <% end %>
+
+  <%= f.hidden_field :update_action, value: :change_password %>
+
+  <p><%= f.label :current_password, t('.labels.current_password') %><br />
+  <%= f.password_field :current_password %></p>
+
+  <p><%= f.label :password, t('.labels.new_password') %><br />
+  <%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation, t('.labels.confirm_new_password') %><br />
+  <%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.submit t('.buttons.change_my_password') %></p>
+<% end %>

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "devise/secure_password"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install

data/config/locales/en.yml

@@ -0,0 +1,84 @@
+en:
+  secure_password:
+    character:
+      one: "character"
+      other: "characters"
+
+    types:
+      uppercase: "uppercase"
+      downcase: "downcase"
+      number: "number"
+      special: "special"
+
+    password_has_required_content:
+      errors:
+        messages:
+          unknown_characters: "contains %{count} invalid %{subject}"
+          minimum_characters: "must contain at least %{count} %{type} %{subject}"
+          maximum_characters: "must contain less than %{count} %{type} %{subject}"
+          minimum_length: "must contain at least %{count} %{subject}"
+          maximum_length: "must contain less than %{count} %{subject}"
+    password_disallows_frequent_reuse:
+      errors:
+        messages:
+          password_is_recent: "Last %{count} passwords may not be reused"
+    password_disallows_frequent_changes:
+      errors:
+        messages:
+          password_is_recent: "Password cannot be changed more than once per %{timeframe}"
+    password_requires_regular_updates:
+      alerts:
+        messages:
+          password_updated: "Your password has been updated."
+      errors:
+        messages:
+          password_expired: "Your password has expired. Passwords must be changed every %{timeframe}"
+    datetime:
+      # update distance_in_words translations to remove the determiner words:
+      #   about, almost, over, less than, etc.
+      precise_distance_in_words:
+        half_a_minute: "half a minute"
+        less_than_x_seconds:
+          one:   "1 second" # default was: "less than 1 second"
+          other: "%{count} seconds" # default was: "less than %{count} seconds"
+        x_seconds:
+          one:   "1 second"
+          other: "%{count} seconds"
+        less_than_x_minutes:
+          one:   "a minute" # default was: "less than a minute"
+          other: "%{count} minutes" # default was: "less than %{count} minutes"
+        x_minutes:
+          one:   "1 minute"
+          other: "%{count} minutes"
+        about_x_hours:
+          one:   "1 hour" # default was: "about 1 hour"
+          other: "%{count} hours" # default was: "about %{count} hours"
+        x_days:
+          one:   "1 day"
+          other: "%{count} days"
+        about_x_months:
+          one:   "1 month" # default was: "about 1 month"
+          other: "%{count} months" # default was: "about %{count} months"
+        x_months:
+          one:   "1 month"
+          other: "%{count} months"
+        about_x_years:
+          one:   "1 year" # default was: "about 1 year"
+          other: "%{count} years" # default was: "about %{count} years"
+        over_x_years:
+          one:   "1 year" # default was: "over 1 year"
+          other: "%{count} years" # default was: "over %{count} years"
+        almost_x_years:
+          one:   "1 year" # default was: "almost 1 year"
+          other: "%{count} years" # default was: "almost %{count} years"
+  devise:
+    passwords_with_policy:
+      edit:
+        titles:
+          section_title: "Change your password"
+        labels:
+          current_password: "Current password"
+          new_password: "New password"
+          confirm_new_password: "Confirm new password"
+        buttons:
+          change_my_password: "Change my password"

data/devise-secure-password.gemspec

@@ -0,0 +1,57 @@
+#
+#  devise-secure_password.gemspec
+#
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'date'
+require 'devise/secure_password/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'devise-secure-password'
+  spec.version       = Devise::SecurePassword::VERSION.dup
+  spec.platform      = Gem::Platform::RUBY
+
+  spec.authors       = ['Mark Eissler']
+  spec.email         = ['mark.eissler@valimail.com']
+
+  spec.summary       = 'A devise password policy enforcement extension.'
+  spec.description   = 'Adds configurable password policy enforcement to devise.'
+
+  spec.homepage      = 'https://github.com/valimail/devise-secure_password'
+  spec.license       = 'MIT'
+
+  spec.files         = Dir['./**/*'].reject do |f|
+    f.match(%r{^./(test|spec|features|lib/tasks)/|Gemfile.lock.ci})
+  end
+  spec.executables   = spec.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'devise', '>= 4.0.0', '< 5.0.0'
+  spec.add_runtime_dependency 'railties', '>= 5.0.0', '< 7.0.0'
+
+  spec.add_development_dependency 'bundler',                 '>= 1.16.1'
+  spec.add_development_dependency 'capybara',                '>= 2.16.1', '~> 3.11'
+  spec.add_development_dependency 'capybara-screenshot',     '>= 1.0.18'
+  spec.add_development_dependency 'coffee-rails',            '~> 4.2'
+  spec.add_development_dependency 'database_cleaner',        '~> 1.6',  '>= 1.6.2'
+  spec.add_development_dependency 'devise',                  '~> 4.0'
+  spec.add_development_dependency 'flay',                    '>= 2.10.0'
+  spec.add_development_dependency 'launchy',                 '>= 2.4.3'
+  spec.add_development_dependency 'rails',                   '~> 5.2',  '>= 5.2.0'
+  spec.add_development_dependency 'rake',                    '>= 12.3'
+  spec.add_development_dependency 'rspec',                   '>= 3.7'
+  spec.add_development_dependency 'rspec-rails',             '>= 3.7'
+  spec.add_development_dependency 'rspec_junit_formatter',   '>= 0.3'
+  spec.add_development_dependency 'rubocop',                 '>= 0.74.0'
+  spec.add_development_dependency 'rubocop-rails',           '>= 2.3.2'
+  spec.add_development_dependency 'rubocop-rspec',           '>= 1.35.0'
+  spec.add_development_dependency 'ruby2ruby',               '>= 2.4.0'
+  spec.add_development_dependency 'selenium-webdriver',      '>= 3.7.0'
+  spec.add_development_dependency 'simplecov',               '~> 0.18.2'
+  spec.add_development_dependency 'simplecov-console',       '>= 0.4.2'
+  spec.add_development_dependency 'sqlite3',                 '>= 1.3.13'
+
+  spec.required_ruby_version = '>= 2.4'
+end

data/docker-entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# Silence errors from Xvfb because we are starting it in non-priveleged mode.
+#
+Xvfb :99 -screen 0 1280x1024x24 > /dev/null 2>&1 &
+exec "$@"

data/gemfiles/rails_5_1.gemfile

@@ -0,0 +1,21 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+ENV['RAILS_TARGET'] ||= '5.1'
+
+gemspec path: '../'
+
+gem 'rails',         '~> 5.1.0'
+gem 'sass-rails',    '~> 5.0'
+gem 'sqlite3',       '~> 1.3.11'
+gem 'therubyracer',  '~> 0.12.3', platforms: :ruby
+
+group :development, :test do
+  gem 'byebug', '>= 0'
+end
+
+group :test do
+  gem 'codecov', require: false
+  gem 'shoulda-matchers', git: 'https://github.com/thoughtbot/shoulda-matchers.git', branch: 'rails-5'
+end

data/gemfiles/rails_5_2.gemfile

@@ -0,0 +1,22 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+ENV['RAILS_TARGET'] ||= '5.2'
+
+gemspec path: '../'
+
+gem 'bootsnap',     '>= 1.1.0', require: false
+gem 'mini_racer',   '~> 0.2.0', platforms: :ruby
+gem 'rails',        '~> 5.2.0'
+gem 'sassc-rails',  '~> 1.3.0'
+gem 'sqlite3',      '~> 1.3.13'
+
+group :development, :test do
+  gem 'byebug', '>= 0'
+end
+
+group :test do
+  gem 'codecov', require: false
+  gem 'shoulda-matchers', git: 'https://github.com/thoughtbot/shoulda-matchers.git', branch: 'rails-5'
+end

data/lib/devise/secure_password.rb

@@ -0,0 +1,71 @@
+#
+# lib/devise-secure_password.rb
+#
+require 'active_support/concern'
+require 'devise'
+require 'devise/secure_password/routes'
+require 'devise/secure_password/version'
+require 'devise/secure_password/models/password_has_required_content'
+require 'devise/secure_password/models/password_disallows_frequent_reuse'
+require 'devise/secure_password/models/password_disallows_frequent_changes'
+require 'devise/secure_password/models/password_requires_regular_updates'
+require 'devise/secure_password/grammar'
+
+module Devise
+  # password_content_enforcement configuration parameters
+  @password_required_uppercase_count = 1
+  @password_required_lowercase_count = 1
+  @password_required_number_count = 1
+  @password_required_special_character_count = 1
+
+  # password_frequent_reuse_prevention configuration parameters
+  @password_previously_used_count = 8
+
+  # password_frequent_change_prevention configuration parameters
+  @password_minimum_age = 1.day
+
+  # password_regular_update_enforcement configuration parameters
+  @password_maximum_age = 180.days
+
+  class << self
+    attr_accessor :password_required_uppercase_count
+    attr_accessor :password_required_lowercase_count
+    attr_accessor :password_required_number_count
+    attr_accessor :password_required_special_character_count
+    attr_accessor :password_previously_used_count
+    attr_accessor :password_minimum_age
+    attr_accessor :password_maximum_age
+  end
+
+  module SecurePassword
+    module Controllers
+      autoload :Helpers,       'devise/secure_password/controllers/helpers'
+      autoload :DeviseHelpers, 'devise/secure_password/controllers/devise_helpers'
+    end
+
+    class Engine < ::Rails::Engine
+      ActiveSupport.on_load(:devise_controller) do
+        include ActionView::Helpers::DateHelper
+        include Devise::SecurePassword::Controllers::DeviseHelpers
+      end
+      ActiveSupport.on_load(:action_controller) do
+        include ActionView::Helpers::DateHelper
+        include Devise::SecurePassword::Controllers::Helpers
+      end
+
+      # add exceptions to the inflector so it doesn't get tripped up by our concerns that end in an 's'
+      ActiveSupport::Inflector.inflections do |inflect|
+        inflect.uncountable :password_disallows_frequent_changes
+        inflect.uncountable :password_requires_regular_updates
+      end
+    end
+  end
+end
+
+# modules
+Devise.add_module :password_has_required_content, model: 'devise/secure_password/models/password_has_required_content'
+Devise.add_module :password_disallows_frequent_reuse, model: 'devise/secure_password/models/password_disallows_frequent_reuse'
+Devise.add_module :password_disallows_frequent_changes, model: 'devise/secure_password/models/password_disallows_frequent_changes'
+Devise.add_module :password_requires_regular_updates,
+                  model: 'devise/secure_password/models/password_requires_regular_updates',
+                  controller: :passwords_with_policy, route: :passwords_with_policy

data/lib/devise/secure_password/controllers/devise_helpers.rb

@@ -0,0 +1,23 @@
+module Devise
+  module SecurePassword
+    module Controllers
+      module DeviseHelpers
+        extend ActiveSupport::Concern
+
+        # rubocop:disable Style/ClassAndModuleChildren
+        class ::DeviseController
+          alias devise_sign_in sign_in
+
+          protected
+
+          def sign_in(*args)
+            devise_sign_in(*args).tap do
+              set_devise_secure_password_expired! if warden_user_has_password_expiration?
+            end
+          end
+        end
+        # rubocop:enable Style/ClassAndModuleChildren
+      end
+    end
+  end
+end

data/lib/devise/secure_password/controllers/helpers.rb

@@ -0,0 +1,58 @@
+module Devise
+  module SecurePassword
+    module Controllers
+      module Helpers
+        extend ActiveSupport::Concern
+
+        included do
+          include Devise::SecurePassword::Grammar
+
+          before_action :authenticate_secure_password!, unless: :devise_controller?
+        end
+
+        def authenticate_secure_password_expired?
+          return false if devise_controller?
+
+          session[:devise_secure_password_expired] == true
+        end
+
+        def authenticate_secure_password!
+          return unless authenticate_secure_password_expired?
+
+          redirect_to authenticate_secure_password_path, alert: "#{error_string_for_password_expired}."
+        end
+
+        def authenticate_secure_password_path
+          return unless warden.user
+
+          :"edit_#{devise_secure_password_scope}_password_with_policy"
+        end
+
+        private
+
+        def devise_secure_password_scope
+          Devise::Mapping.find_scope!(warden.user)
+        end
+
+        def error_string_for_password_expired
+          I18n.t(
+            'secure_password.password_requires_regular_updates.errors.messages.password_expired',
+            timeframe: precise_distance_of_time_in_words(warden.user.class.password_maximum_age)
+          )
+        end
+
+        def set_devise_secure_password_expired!
+          session[:devise_secure_password_expired] = warden.user.password_expired?
+        end
+
+        def unset_devise_secure_password_expired!
+          session.delete(:devise_secure_password_expired)
+        end
+
+        def warden_user_has_password_expiration?
+          warden&.user&.respond_to?(:password_expired?)
+        end
+      end
+    end
+  end
+end

data/lib/devise/secure_password/grammar.rb

@@ -0,0 +1,13 @@
+# lib/support/string/grammar.rb
+#
+module Devise
+  module SecurePassword
+    module Grammar
+      # distance_in_words without determiner words: about, almost, over, etc.
+      def precise_distance_of_time_in_words(from_time, to_time = 0, options = {})
+        precise_options = { scope: :'secure_password.datetime.precise_distance_in_words' }
+        distance_of_time_in_words(from_time, to_time, options.merge!(precise_options))
+      end
+    end
+  end
+end

data/lib/devise/secure_password/models/password_disallows_frequent_changes.rb

@@ -0,0 +1,62 @@
+module Devise
+  module Models
+    module PasswordDisallowsFrequentChanges
+      extend ActiveSupport::Concern
+
+      class ConfigurationError < RuntimeError; end
+
+      included do
+        include ActionView::Helpers::DateHelper
+        include Devise::SecurePassword::Grammar
+
+        validate :validate_password_frequent_change, if: :password_required?
+
+        set_callback(:initialize, :before, :before_resource_initialized)
+        set_callback(:initialize, :after, :after_resource_initialized)
+      end
+
+      def validate_password_frequent_change
+        if encrypted_password_changed? && password_recent?
+          error_string = I18n.t(
+            'secure_password.password_disallows_frequent_changes.errors.messages.password_is_recent',
+            timeframe: precise_distance_of_time_in_words(self.class.password_minimum_age)
+          )
+          errors.add(:base, error_string)
+        end
+
+        errors.count.zero?
+      end
+
+      def password_recent?
+        last_password = previous_passwords.first
+        last_password&.fresh?(self.class.password_minimum_age)
+      end
+
+      protected
+
+      def before_resource_initialized
+        return if self.class.respond_to?(:password_previously_used_count)
+
+        raise ConfigurationError, <<-ERROR.strip_heredoc
+
+        The password_disallows_frequent_changes module depends on the
+        password_disallows_frequent_reuse module. Verify that you have
+        added both modules to your model, for example:
+
+          devise :database_authenticatable, :registerable,
+            :password_disallows_frequent_reuse,
+            :password_disallows_frequent_changes
+        ERROR
+      end
+
+      def after_resource_initialized
+        raise ConfigurationError, 'invalid type for password_minimum_age' \
+          unless self.class.password_minimum_age.is_a?(::ActiveSupport::Duration)
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :password_minimum_age)
+      end
+    end
+  end
+end