devise-secure_password 1.0.0

data/bin/setup

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install

data/config/locales/en.yml

@@ -0,0 +1,71 @@
+en:
+  secure_password:
+    password_has_required_content:
+      errors:
+        messages:
+          unknown_characters: "contains %{count} invalid %{subject}"
+          minimum_characters: "must contain at least %{count} %{type} %{subject}"
+          maximum_characters: "must contain less than %{count} %{type} %{subject}"
+    password_disallows_frequent_reuse:
+      errors:
+        messages:
+          password_is_recent: "Last %{count} passwords may not be reused"
+    password_disallows_frequent_changes:
+      errors:
+        messages:
+          password_is_recent: "Password cannot be changed more than once per %{timeframe}"
+    password_requires_regular_updates:
+      alerts:
+        messages:
+          password_updated: "Your password has been updated."
+      errors:
+        messages:
+          password_expired: "Your password has expired. Passwords must be changed every %{timeframe}"
+  devise:
+    passwords_with_policy:
+      edit:
+        titles:
+          section_title: "Change your password"
+        labels:
+          current_password: "Current password"
+          new_password: "New password"
+          confirm_new_password: "Confirm new password"
+        buttons:
+          change_my_password: "Change my password"
+  # Used in distance_of_time_in_words(), distance_of_time_in_words_to_now(), time_ago_in_words()
+  datetime:
+    distance_in_words:
+      half_a_minute: "half a minute"
+      less_than_x_seconds:
+        one:   "1 second" # default was: "less than 1 second"
+        other: "%{count} seconds" # default was: "less than %{count} seconds"
+      x_seconds:
+        one:   "1 second"
+        other: "%{count} seconds"
+      less_than_x_minutes:
+        one:   "a minute" # default was: "less than a minute"
+        other: "%{count} minutes" # default was: "less than %{count} minutes"
+      x_minutes:
+        one:   "1 minute"
+        other: "%{count} minutes"
+      about_x_hours:
+        one:   "1 hour" # default was: "about 1 hour"
+        other: "%{count} hours" # default was: "about %{count} hours"
+      x_days:
+        one:   "1 day"
+        other: "%{count} days"
+      about_x_months:
+        one:   "1 month" # default was: "about 1 month"
+        other: "%{count} months" # default was: "about %{count} months"
+      x_months:
+        one:   "1 month"
+        other: "%{count} months"
+      about_x_years:
+        one:   "1 year" # default was: "about 1 year"
+        other: "%{count} years" # default was: "about %{count} years"
+      over_x_years:
+        one:   "1 year" # default was: "over 1 year"
+        other: "%{count} years" # default was: "over %{count} years"
+      almost_x_years:
+        one:   "1 year" # default was: "almost 1 year"
+        other: "%{count} years" # default was: "almost %{count} years"

data/devise-secure_password.gemspec

@@ -0,0 +1,57 @@
+#
+#  devise-secure_password.gemspec
+#
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+require 'date'
+require 'devise/secure_password/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'devise-secure_password'
+  spec.version       = Devise::SecurePassword::VERSION.dup
+  spec.platform      = Gem::Platform::RUBY
+
+  spec.authors       = ['Mark Eissler']
+  spec.email         = ['mark.eissler@valimail.com']
+
+  spec.summary       = 'A devise password policy enforcement extension.'
+  spec.description   = 'Adds configurable password policy enforcement to devise.'
+
+  spec.homepage      = 'https://github.com/valimail/devise-secure_password'
+  spec.license       = 'MIT'
+
+  spec.files         = Dir['./**/*'].reject do |f|
+    f.match(%r{^./(test|spec|features|lib/tasks)/|Gemfile.lock.ci})
+  end
+  spec.executables   = spec.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'devise', '>= 4.0.0', '< 5.0.0'
+  spec.add_runtime_dependency 'railties', '>= 5.0.0', '< 6.0.0'
+
+  spec.add_development_dependency 'bundler',                 '~> 1.16', '>= 1.16.1'
+  spec.add_development_dependency 'capybara',                '~> 2.16', '>= 2.16.1'
+  spec.add_development_dependency 'capybara-screenshot',     '~> 1.0',  '>= 1.0.18'
+  spec.add_development_dependency 'coffee-rails',            '~> 4.2'
+  spec.add_development_dependency 'database_cleaner',        '~> 1.6',  '>= 1.6.2'
+  spec.add_development_dependency 'devise',                  '~> 4.0'
+  spec.add_development_dependency 'flay',                    '~> 2.10', '>= 2.10.0'
+  spec.add_development_dependency 'launchy',                 '~> 2.4',  '>= 2.4.3'
+  spec.add_development_dependency 'rails',                   '~> 5.1',  '>= 5.1.4'
+  spec.add_development_dependency 'rake',                    '~> 12.3'
+  spec.add_development_dependency 'rspec',                   '~> 3.7'
+  spec.add_development_dependency 'rspec-rails',             '~> 3.7'
+  spec.add_development_dependency 'rspec_junit_formatter',   '~> 0.3'
+  spec.add_development_dependency 'rubocop',                 '~> 0'
+  spec.add_development_dependency 'ruby2ruby',               '~> 2.4',  '>= 2.4.0'
+  spec.add_development_dependency 'sass-rails',              '~> 5.0'
+  spec.add_development_dependency 'selenium-webdriver',      '~> 3.7',  '>= 3.7.0'
+  spec.add_development_dependency 'simplecov',               '~> 0.15.1'
+  spec.add_development_dependency 'simplecov-console',       '~> 0.4.2'
+  spec.add_development_dependency 'sqlite3',                 '~> 1.3',  '>= 1.3.13'
+  spec.add_development_dependency 'therubyracer',            '~> 0.12.3'
+
+  spec.required_ruby_version = '>= 2.4'
+end

data/docker-entrypoint.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# Silence errors from Xvfb because we are starting it in non-priveleged mode.
+#
+Xvfb :99 -screen 0 1280x1024x24 > /dev/null 2>&1 &
+exec "$@"

data/gemfiles/rails-5_0_6.gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+ENV['RAILS_TARGET'] ||= '5.0.6'
+
+gemspec path: '../'
+
+group :development, :test do
+  gem 'byebug', '>= 0'
+end
+
+group :test do
+  gem 'jquery-rails',            '~> 4.3.1'
+  gem 'rails',                   '~> 5.0.0'
+  gem 'shoulda-matchers', git: 'https://github.com/thoughtbot/shoulda-matchers.git', branch: 'rails-5'
+end

data/gemfiles/rails-5_1_4.gemfile

@@ -0,0 +1,16 @@
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+ENV['RAILS_TARGET'] ||= '5.1.4'
+
+gemspec path: '../'
+
+group :development, :test do
+  gem 'byebug', '>= 0'
+end
+
+group :test do
+  gem 'rails', '~> 5.1.0'
+  gem 'shoulda-matchers', git: 'https://github.com/thoughtbot/shoulda-matchers.git', branch: 'rails-5'
+end

data/lib/devise/secure_password.rb

@@ -0,0 +1,70 @@
+#
+# lib/devise-secure_password.rb
+#
+require 'active_support/concern'
+require 'devise'
+require 'devise/secure_password/routes'
+require 'devise/secure_password/version'
+require 'devise/secure_password/models/password_has_required_content'
+require 'devise/secure_password/models/password_disallows_frequent_reuse'
+require 'devise/secure_password/models/password_disallows_frequent_changes'
+require 'devise/secure_password/models/password_requires_regular_updates'
+
+module Devise
+  # password_content_enforcement configuration parameters
+  @password_required_uppercase_count = 1
+  @password_required_lowercase_count = 1
+  @password_required_number_count = 1
+  @password_required_special_count = 1
+
+  # password_frequent_reuse_prevention configuration parameters
+  @password_previously_used_count = 24
+
+  # password_frequent_change_prevention configuration parameters
+  @password_minimum_age = 1.day
+
+  # password_regular_update_enforcement configuration parameters
+  @password_maximum_age = 60.days
+
+  class << self
+    attr_accessor :password_required_uppercase_count
+    attr_accessor :password_required_lowercase_count
+    attr_accessor :password_required_number_count
+    attr_accessor :password_required_special_count
+    attr_accessor :password_previously_used_count
+    attr_accessor :password_minimum_age
+    attr_accessor :password_maximum_age
+  end
+
+  module SecurePassword
+    module Controllers
+      autoload :DeviseHelpers, 'devise/secure_password/controllers/devise_helpers'
+      autoload :ActiveHelpers, 'devise/secure_password/controllers/active_helpers'
+    end
+
+    class Engine < ::Rails::Engine
+      ActiveSupport.on_load(:devise_controller) do
+        include ActionView::Helpers::DateHelper
+        include Devise::SecurePassword::Controllers::DeviseHelpers
+      end
+      ActiveSupport.on_load(:action_controller) do
+        include ActionView::Helpers::DateHelper
+        include Devise::SecurePassword::Controllers::ActiveHelpers
+      end
+
+      # add exceptions to the inflector so it doesn't get tripped up by our concerns that end in an 's'
+      ActiveSupport::Inflector.inflections do |inflect|
+        inflect.uncountable :password_disallows_frequent_changes
+        inflect.uncountable :password_requires_regular_updates
+      end
+    end
+  end
+end
+
+# modules
+Devise.add_module :password_has_required_content, model: 'devise/secure_password/models/password_has_required_content'
+Devise.add_module :password_disallows_frequent_reuse, model: 'devise/secure_password/models/password_disallows_frequent_reuse'
+Devise.add_module :password_disallows_frequent_changes, model: 'devise/secure_password/models/password_disallows_frequent_changes'
+Devise.add_module :password_requires_regular_updates,
+                  model: 'devise/secure_password/models/password_requires_regular_updates',
+                  controller: :passwords_with_policy, route: :passwords_with_policy

data/lib/devise/secure_password/controllers/active_helpers.rb

@@ -0,0 +1,40 @@
+module Devise
+  module SecurePassword
+    module Controllers
+      module ActiveHelpers
+        extend ActiveSupport::Concern
+
+        included do
+          before_action :pending_password_expired_redirect!, except: [:destroy]
+        end
+
+        # Redirect to password change page if password needs to be changed.
+        def pending_password_expired_redirect!
+          return unless skip_current_controller? && redirected_in_session? && warden.session && warden.session['secure_password_expired']
+          redirect_to edit_user_password_with_policy_url, alert: "#{error_string_for_password_expired}."
+        end
+
+        def redirected_in_session?
+          warden.authenticated? && warden.session['secure_password_last_controller'] == 'Devise::SessionsController'
+        end
+
+        def skip_current_controller?
+          exclusion_list = [
+            'Devise::SessionsController',
+            'Devise::PasswordsWithPolicyController#edit',
+            'Devise::PasswordsWithPolicyController#update'
+          ]
+          exclusion_list.select { |e| e == "#{self.class.name}#" + action_name || e == self.class.name.to_s }.empty?
+        end
+
+        def error_string_for_password_expired
+          return 'password expired' unless warden.user.class.respond_to?(:password_maximum_age)
+          I18n.t(
+            'secure_password.password_requires_regular_updates.errors.messages.password_expired',
+            timeframe: distance_of_time_in_words(warden.user.class.password_maximum_age)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/devise/secure_password/controllers/devise_helpers.rb

@@ -0,0 +1,64 @@
+module Devise
+  module SecurePassword
+    module Controllers
+      module DeviseHelpers
+        extend ActiveSupport::Concern
+
+        # rubocop:disable Style/ClassAndModuleChildren
+        class ::DeviseController
+          alias old_require_no_authentication require_no_authentication
+
+          protected
+
+          # Override the devise require_no_authentication before callback so users
+          # have to prevent authenticated users with expired passwords from
+          # escaping to other pages without first updating their passwords.
+          def require_no_authentication
+            return if check_password_expired_and_redirect!
+
+            old_require_no_authentication
+          end
+
+          # Store the name of the current controller and action in the warden
+          # session store then redirect if signed in and password expired. The
+          # stored values will be used by non-devise controllers to prevent a
+          # user from escaping the change password process.
+          def check_password_expired_and_redirect!
+            assert_is_devise_resource!
+
+            return if skip_current_devise_controller?
+
+            if signed_in?(scope_name) && warden.session(scope_name)[:secure_password_expired]
+              save_controller_state
+              redirect_to edit_user_password_with_policy_url, alert: "#{error_string_for_password_expired}."
+              return true
+            end
+
+            false
+          end
+
+          def save_controller_state
+            warden.session(scope_name)[:secure_last_controller] = self.class.name
+            warden.session(scope_name)[:secure_last_action] = action_name
+          end
+
+          def skip_current_devise_controller?
+            exclusion_list = [
+              'Devise::SessionsController'
+            ]
+            exclusion_list.select { |e| e == "#{self.class.name}#" + action_name || e == self.class.name.to_s }.empty?
+          end
+
+          def error_string_for_password_expired
+            class_obj = scope_name.to_s.camelize.constantize
+            I18n.t(
+              'secure_password.password_requires_regular_updates.errors.messages.password_expired',
+              timeframe: distance_of_time_in_words(class_obj.password_maximum_age)
+            )
+          end
+        end
+        # rubocop:enable Style/ClassAndModuleChildren
+      end
+    end
+  end
+end

data/lib/devise/secure_password/hooks/password_requires_regular_updates.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |user, warden, options|
+  if user.respond_to?(:password_expired?)
+    warden.session(options[:scope])[:secure_password_expired] = user.password_expired?
+  end
+end

data/lib/devise/secure_password/models/password_disallows_frequent_changes.rb

@@ -0,0 +1,60 @@
+module Devise
+  module Models
+    module PasswordDisallowsFrequentChanges
+      extend ActiveSupport::Concern
+
+      class ConfigurationError < RuntimeError; end
+
+      included do
+        include ActionView::Helpers::DateHelper
+        validate :validate_password_frequent_change
+
+        set_callback(:initialize, :before, :before_resource_initialized)
+        set_callback(:initialize, :after, :after_resource_initialized)
+      end
+
+      def validate_password_frequent_change
+        if encrypted_password_changed? && password_recent?
+          error_string = I18n.t(
+            'secure_password.password_disallows_frequent_changes.errors.messages.password_is_recent',
+            timeframe: distance_of_time_in_words(self.class.password_minimum_age)
+          )
+          errors.add(:base, error_string)
+        end
+
+        errors.count.zero?
+      end
+
+      def password_recent?
+        last_password = previous_passwords.unscoped.last
+        last_password&.fresh?(self.class.password_minimum_age)
+      end
+
+      protected
+
+      def before_resource_initialized
+        return if self.class.respond_to?(:password_previously_used_count)
+
+        raise ConfigurationError, <<-ERROR.strip_heredoc
+
+        The password_disallows_frequent_changes module depends on the
+        password_disallows_frequent_reuse module. Verify that you have
+        added both modules to your model, for example:
+
+          devise :database_authenticatable, :registerable,
+            :password_disallows_frequent_reuse,
+            :password_disallows_frequent_changes
+        ERROR
+      end
+
+      def after_resource_initialized
+        raise ConfigurationError, 'invalid type for password_minimum_age' \
+          unless self.class.password_minimum_age.is_a?(::ActiveSupport::Duration)
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :password_minimum_age)
+      end
+    end
+  end
+end

data/lib/devise/secure_password/models/password_disallows_frequent_reuse.rb

@@ -0,0 +1,71 @@
+module Devise
+  module Models
+    module PasswordDisallowsFrequentReuse
+      extend ActiveSupport::Concern
+
+      require 'devise/secure_password/models/previous_password'
+
+      included do
+        # we need to specify the foreign_key here to support the use of isolated subclasses in tests
+        has_many :previous_passwords,
+                 -> { limit(User.password_previously_used_count) },
+                 class_name: 'Devise::Models::PreviousPassword',
+                 foreign_key: 'user_id',
+                 dependent: :destroy
+        validate :validate_password_frequent_reuse
+
+        set_callback(:save, :before, :before_resource_saved)
+        set_callback(:save, :after, :after_resource_saved, if: :dirty_password?)
+      end
+
+      def validate_password_frequent_reuse
+        if encrypted_password_changed? && previous_password?(password)
+          error_string = I18n.t(
+            'secure_password.password_disallows_frequent_reuse.errors.messages.password_is_recent',
+            count: self.class.password_previously_used_count
+          )
+          errors.add(:base, error_string)
+        end
+
+        errors.count.zero?
+      end
+
+      protected
+
+      def before_resource_saved; end
+
+      def after_resource_saved
+        salt = ::BCrypt::Password.new(encrypted_password).salt
+        previous_password = previous_passwords.build(user_id: id, salt: salt, encrypted_password: encrypted_password)
+        previous_password.save!
+      end
+
+      def previous_password?(password)
+        salts = previous_passwords.select(:salt).map(&:salt)
+        pepper = self.class.pepper.presence || ''
+
+        salts.each do |salt|
+          candidate = ::BCrypt::Engine.hash_secret("#{password}#{pepper}", salt)
+          return true unless previous_passwords.find_by(encrypted_password: candidate).nil?
+        end
+
+        false
+      end
+
+      def dirty_password?
+        if Rails.version > '5.1'
+          saved_change_to_encrypted_password?
+        else
+          encrypted_password_changed?
+        end
+      end
+
+      module ClassMethods
+        config_params = %i(
+          password_previously_used_count
+        )
+        ::Devise::Models.config(self, *config_params)
+      end
+    end
+  end
+end