devise-secure-password 1.1.1

data/lib/devise/secure_password/models/password_disallows_frequent_reuse.rb

@@ -0,0 +1,73 @@
+module Devise
+  module Models
+    module PasswordDisallowsFrequentReuse
+      extend ActiveSupport::Concern
+
+      require 'devise/secure_password/models/previous_password'
+
+      included do
+        # we need to specify the foreign_key here to support the use of isolated subclasses in tests
+        has_many :previous_passwords,
+                 -> { limit(User.password_previously_used_count) },
+                 class_name: 'Devise::Models::PreviousPassword',
+                 foreign_key: 'user_id',
+                 dependent: :destroy
+        validate :validate_password_frequent_reuse, if: :password_required?
+
+        set_callback(:save, :before, :before_resource_saved)
+        set_callback(:save, :after, :after_resource_saved, if: :dirty_password?)
+      end
+
+      def validate_password_frequent_reuse
+        if encrypted_password_changed? && previous_password?(password)
+          error_string = I18n.t(
+            'secure_password.password_disallows_frequent_reuse.errors.messages.password_is_recent',
+            count: self.class.password_previously_used_count
+          )
+          errors.add(:base, error_string)
+        end
+
+        errors.count.zero?
+      end
+
+      protected
+
+      def before_resource_saved; end
+
+      def after_resource_saved
+        salt = ::BCrypt::Password.new(encrypted_password).salt
+        previous_password = previous_passwords.build(user_id: id, salt: salt, encrypted_password: encrypted_password)
+        previous_password.save!
+      end
+
+      def previous_password?(password)
+        salts = previous_passwords.select(:salt).map(&:salt)
+        pepper = self.class.pepper.presence || ''
+
+        salts.each do |salt|
+          candidate = ::BCrypt::Engine.hash_secret("#{password}#{pepper}", salt)
+          return true unless previous_passwords.find_by(encrypted_password: candidate).nil?
+        end
+
+        false
+      end
+
+      def dirty_password?
+        return false unless password_required?
+
+        if Rails.version > '5.1'
+          saved_change_to_encrypted_password?
+        else
+          encrypted_password_changed?
+        end
+      end
+
+      module ClassMethods
+        config_params = %i(
+          password_previously_used_count
+        )
+        ::Devise::Models.config(self, *config_params)
+      end
+    end
+  end
+end

data/lib/devise/secure_password/models/password_has_required_content.rb

@@ -0,0 +1,170 @@
+module Devise
+  module Models
+    module PasswordHasRequiredContent
+      extend ActiveSupport::Concern
+
+      require 'support/string/character_counter'
+
+      LENGTH_MAX = 255
+
+      included do
+        validate :validate_password_content, if: :password_required?
+        validate :validate_password_confirmation_content, if: :password_required?
+        validate :validate_password_confirmation, if: :password_required?
+      end
+
+      def validate_password_content
+        self.password ||= ''
+        errors.delete(:password)
+        validate_password_content_for(:password)
+        errors[:password].count.zero?
+      end
+
+      def validate_password_confirmation_content
+        return true if password_confirmation.nil? # rails skips password_confirmation validation if nil!
+
+        errors.delete(:password_confirmation)
+        validate_password_content_for(:password_confirmation)
+        errors[:password_confirmation].count.zero?
+      end
+
+      def validate_password_confirmation
+        return true if password_confirmation.nil? # rails skips password_confirmation validation if nil!
+
+        unless password == password_confirmation
+          human_attribute_name = self.class.human_attribute_name(:password)
+          errors.add(:password_confirmation, :confirmation, attribute: human_attribute_name)
+        end
+        errors[:password_confirmation].count.zero?
+      end
+
+      def validate_password_content_for(attr)
+        return unless respond_to?(attr) && !(password_obj = send(attr)).nil?
+
+        ::Support::String::CharacterCounter.new.count(password_obj).each do |type, dict|
+          error_string =  case type
+                          when :length then validate_length(dict[:count])
+                          when :unknown then validate_unknown(dict)
+                          else validate_type(type, dict)
+                          end
+          errors.add(attr, error_string) if error_string.present?
+        end
+      end
+
+      protected
+
+      def validate_unknown(dict)
+        type_total = dict.values.reduce(0, :+)
+        return if type_total <= required_char_counts_for_type(:unknown)[:max]
+
+        error_string_for_unknown_chars(type_total, dict.keys)
+      end
+
+      def validate_type(type, dict)
+        type_total = dict.values.reduce(0, :+)
+        error_string = if type_total < required_char_counts_for_type(type)[:min]
+                         error_string_for_type_length(type, :min)
+                       elsif type_total > required_char_counts_for_type(type)[:max]
+                         error_string_for_type_length(type, :max)
+                       end
+        error_string
+      end
+
+      def validate_length(dict)
+        if dict < Devise.password_length.min
+          error_string_for_length(:min)
+        elsif dict > Devise.password_length.max
+          error_string_for_length(:max)
+        end
+      end
+
+      def error_string_for_length(threshold = :min)
+        lang_key = case threshold
+                   when :min then 'secure_password.password_has_required_content.errors.messages.minimum_length'
+                   when :max then 'secure_password.password_has_required_content.errors.messages.maximum_length'
+                   else return ''
+                   end
+
+        count = required_char_counts_for_type(:length)[threshold]
+        I18n.t(lang_key, count: count, subject: I18n.t('secure_password.character', count: count))
+      end
+
+      def error_string_for_type_length(type, threshold = :min)
+        lang_key = case threshold
+                   when :min then 'secure_password.password_has_required_content.errors.messages.minimum_characters'
+                   when :max then 'secure_password.password_has_required_content.errors.messages.maximum_characters'
+                   else return ''
+                   end
+
+        count = required_char_counts_for_type(type)[threshold]
+        error_string = I18n.t(lang_key, count: count, type: I18n.t("secure_password.types.#{type}"), subject: I18n.t('secure_password.character', count: count))
+        error_string + ' ' + dict_for_type(type)
+      end
+
+      def error_string_for_unknown_chars(count, chars = [])
+        I18n.t(
+          'secure_password.password_has_required_content.errors.messages.unknown_characters',
+          count: count,
+          subject: I18n.t('secure_password.character', count: count)
+        ) + " (#{chars.join('')})"
+      end
+
+      def dict_for_type(type)
+        character_counter = ::Support::String::CharacterCounter.new
+
+        case type
+        when :special, :unknown then "(#{character_counter.count_hash[type].keys.join('')})"
+        else
+          "(#{character_counter.count_hash[type].keys.first}..#{character_counter.count_hash[type].keys.last})"
+        end
+      end
+
+      def required_char_counts_for_type(type)
+        self.class.config[:REQUIRED_CHAR_COUNTS][type]
+      end
+
+      module ClassMethods
+        config_params = %i(
+          password_required_uppercase_count
+          password_required_lowercase_count
+          password_required_number_count
+          password_required_special_character_count
+        )
+        ::Devise::Models.config(self, *config_params)
+
+        # rubocop:disable Metrics/MethodLength
+        def config
+          {
+            REQUIRED_CHAR_COUNTS: {
+              length: {
+                min: Devise.password_length.min,
+                max: Devise.password_length.max
+              },
+              uppercase: {
+                min: password_required_uppercase_count,
+                max: LENGTH_MAX
+              },
+              lowercase: {
+                min: password_required_lowercase_count,
+                max: LENGTH_MAX
+              },
+              number: {
+                min: password_required_number_count,
+                max: LENGTH_MAX
+              },
+              special: {
+                min: password_required_special_character_count,
+                max: LENGTH_MAX
+              },
+              unknown: {
+                min: 0,
+                max: 0
+              }
+            }
+          }
+        end
+        # rubocop:enable Metrics/MethodLength
+      end
+    end
+  end
+end

data/lib/devise/secure_password/models/password_requires_regular_updates.rb

@@ -0,0 +1,54 @@
+module Devise
+  module Models
+    module PasswordRequiresRegularUpdates
+      extend ActiveSupport::Concern
+
+      class ConfigurationError < RuntimeError; end
+
+      included do
+        set_callback(:initialize, :before, :before_regular_update_initialized)
+        set_callback(:initialize, :after, :after_regular_update_initialized)
+      end
+
+      def password_expired?
+        last_password = previous_passwords.first
+        inconsistent_password?(last_password) || last_password.stale?(self.class.password_maximum_age)
+      end
+
+      protected
+
+      def before_regular_update_initialized
+        return if self.class.respond_to?(:password_previously_used_count)
+
+        raise ConfigurationError, <<-ERROR.strip_heredoc
+
+        The password_requires_regular_updates module depends on the
+        password_disallows_frequent_reuse module. Verify that you have
+        added both modules to your model, for example:
+
+          devise :database_authenticatable, :registerable,
+            :password_disallows_frequent_reuse,
+            :password_requires_regular_updates
+        ERROR
+      end
+
+      def after_regular_update_initialized
+        raise ConfigurationError, 'invalid type for password_maximum_age' \
+          unless self.class.password_maximum_age.is_a?(::ActiveSupport::Duration)
+      end
+
+      # Check if current password is out of sync with last_password
+      #
+      # @param last_password [PreviousPassword] Password to compare with current password
+      # @return [Boolean] True if password is nil or out of sync, otherwise false
+      #
+      def inconsistent_password?(last_password = nil)
+        last_password.nil? || (encrypted_password != last_password.encrypted_password)
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :password_maximum_age)
+      end
+    end
+  end
+end

data/lib/devise/secure_password/models/previous_password.rb

@@ -0,0 +1,20 @@
+module Devise
+  module Models
+    class PreviousPassword < ::ActiveRecord::Base
+      self.table_name = 'previous_passwords'
+      belongs_to :user
+      default_scope -> { order(id: :desc) }
+      validates :user_id, presence: true
+      validates :salt, presence: true
+      validates :encrypted_password, presence: true
+
+      def fresh?(minimum_age_duration, now = ::Time.zone.now)
+        now <= (created_at + minimum_age_duration)
+      end
+
+      def stale?(maximum_age_duration, now = ::Time.zone.now)
+        now > (created_at + maximum_age_duration)
+      end
+    end
+  end
+end

data/lib/devise/secure_password/routes.rb

@@ -0,0 +1,11 @@
+module ActionDispatch
+  module Routing
+    class Mapper
+      protected
+
+      def devise_passwords_with_policy(mapping, controllers)
+        resource :password_with_policy, only: %i(edit update), path: mapping.path_names[:change_password], controller: controllers[:passwords_with_policy]
+      end
+    end
+  end
+end

data/lib/devise/secure_password/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module SecurePassword
+    VERSION = '1.1.1'.freeze
+  end
+end

data/lib/generators/devise/secure_password/install_generator.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Devise
+  module SecurePassword
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        LOCALES = %w(en).freeze
+
+        source_root File.expand_path('../templates', __dir__)
+
+        desc 'Creates a Devise Secure Password extension initializer and copies locale files to your application.'
+
+        def copy_initializer
+          template 'secure_password.rb', 'config/initializers/secure_password.rb'
+        end
+
+        def copy_locale
+          LOCALES.each do |locale|
+            copy_file "../../../../config/locales/#{locale}.yml",
+                      "config/locales/secure_password.#{locale}.yml"
+          end
+        end
+
+        def show_readme
+          readme 'README.txt' if behavior == :invoke
+        end
+      end
+    end
+  end
+end

data/lib/generators/devise/templates/README.txt

@@ -0,0 +1,21 @@
+===============================================================================
+
+Additional setup required:
+
+  1. Verify that default settings in config/initializers/secure_password.rb
+     are suitable for your purposes.
+
+  2. Enable secure_password modules by adding all of them or just the ones you
+     want to your User model. See the README for instructions.
+
+  3. Perform a database migration to create the PreviousPasswords table. This
+     step is not necessary if you only intend to enable the password content
+     module (password_has_required_content). See the README for instructions.
+
+  4. Add flash messages in app/views/layouts/application.html.erb.
+     For example:
+
+       <p class="notice"><%= notice %></p>
+       <p class="alert"><%= alert %></p>
+
+===============================================================================

data/lib/generators/devise/templates/secure_password.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  # ==> Configuration for the Devise Secure Password extension
+  #     Module: password_has_required_content
+  #
+  # Configure password content requirements including the number of uppercase,
+  # lowercase, number, and special characters that are required. To configure the
+  # minimum and maximum length refer to the Devise config.password_length
+  # standard configuration parameter.
+
+  # The number of uppercase letters (latin A-Z) required in a password:
+  # config.password_required_uppercase_count = 1
+
+  # The number of lowercase letters (latin A-Z) required in a password:
+  # config.password_required_lowercase_count = 1
+
+  # The number of numbers (0-9) required in a password:
+  # config.password_required_number_count = 1
+
+  # The number of special characters (!@#$%^&*()_+-=[]{}|') required in a password:
+  # config.password_required_special_character_count = 1
+
+  # ==> Configuration for the Devise Secure Password extension
+  #     Module: password_disallows_frequent_reuse
+  #
+  # The number of previously used passwords that can not be reused:
+  # config.password_previously_used_count = 8
+
+  # ==> Configuration for the Devise Secure Password extension
+  #     Module: password_disallows_frequent_changes
+  #     *Requires* password_disallows_frequent_reuse
+  #
+  # The minimum time that must pass between password changes:
+  # config.password_minimum_age = 1.days
+
+  # ==> Configuration for the Devise Secure Password extension
+  #     Module: password_requires_regular_updates
+  #     *Requires* password_disallows_frequent_reuse
+  #
+  # The maximum allowed age of a password:
+  # config.password_maximum_age = 180.days
+end

data/lib/support/string/character_counter.rb

@@ -0,0 +1,55 @@
+# lib/support/character_counter.rb
+#
+module Support
+  module String
+    class CharacterCounter
+      attr_reader :count_hash
+
+      def initialize
+        @count_hash = {
+          length: { count: 0 },
+          uppercase: characters_to_dictionary(('A'..'Z').to_a),
+          lowercase: characters_to_dictionary(('a'..'z').to_a),
+          number: characters_to_dictionary(('0'..'9').to_a),
+          special: characters_to_dictionary(%w(! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')),
+          unknown: {}
+        }
+      end
+
+      def count(string)
+        raise ArgumentError, "Invalid value for string: #{string}" if string.nil?
+
+        string.split('').each { |c| tally_character(c) }
+        @count_hash[:length][:count] = string.length
+
+        @count_hash
+      end
+
+      private
+
+      def characters_to_dictionary(array)
+        dictionary = {}
+        array.each { |c| dictionary.store(c, 0) }
+
+        dictionary
+      end
+
+      def tally_character(character)
+        %i(uppercase lowercase number special unknown).each do |type|
+          if @count_hash[type].key?(character)
+            @count_hash[type][character] += 1
+            return @count_hash[type][character]
+          end
+        end
+
+        # must be new unknown char
+        @count_hash[:unknown][character] = 1
+        @count_hash[:unknown][character]
+      end
+
+      def character_in_dictionary?(character, dictionary)
+        dictionary.key?(character)
+      end
+    end
+  end
+end