devise-security 0.11.0

data/Rakefile

@@ -0,0 +1,26 @@
+$:.unshift File.join(File.dirname(__FILE__), 'lib')
+require 'rubygems'
+require 'bundler'
+require 'rake/testtask'
+require 'rdoc/task'
+require 'devise-security/version'
+
+desc 'Default: Run DeviseSecurity unit tests'
+task default: :test
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.test_files = FileList['test/*test*.rb']
+  t.verbose = true
+  t.warning = false
+end
+
+Rake::RDocTask.new do |rdoc|
+  version = DeviseSecurity::VERSION.dup
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "devise-security #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/app/controllers/devise/paranoid_verification_code_controller.rb

@@ -0,0 +1,42 @@
+class Devise::ParanoidVerificationCodeController < DeviseController
+  skip_before_action :handle_paranoid_verification
+  prepend_before_action :authenticate_scope!, :only => [:show, :update]
+
+  def show
+    if !resource.nil? && resource.need_paranoid_verification?
+      respond_with(resource)
+    else
+      redirect_to :root
+    end
+  end
+
+  def update
+    if resource.verify_code(resource_params[:paranoid_verification_code])
+      warden.session(scope)['paranoid_verify'] = false
+      set_flash_message :notice, :updated
+      bypass_sign_in resource, scope: scope
+      redirect_to stored_location_for(scope) || :root
+    else
+      respond_with(resource, action: :show)
+    end
+  end
+
+  private
+
+  def resource_params
+    if params.respond_to?(:permit)
+      params.require(resource_name).permit(:paranoid_verification_code)
+    else
+      params[scope].slice(:paranoid_verification_code)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+
+  def authenticate_scope!
+    send(:"authenticate_#{resource_name}!")
+    self.resource = send("current_#{resource_name}")
+  end
+end

data/app/controllers/devise/password_expired_controller.rb

@@ -0,0 +1,48 @@
+class Devise::PasswordExpiredController < DeviseController
+  skip_before_action :handle_password_change
+  before_action :skip_password_change, only: [:show, :update]
+  prepend_before_action :authenticate_scope!, :only => [:show, :update]
+
+  def show
+    respond_with(resource)
+  end
+
+  def update
+    resource.extend(Devise::Models::DatabaseAuthenticatablePatch)
+    if resource.update_with_password(resource_params)
+      warden.session(scope)['password_expired'] = false
+      set_flash_message :notice, :updated
+      bypass_sign_in resource, scope: scope
+      redirect_to stored_location_for(scope) || :root
+    else
+      clean_up_passwords(resource)
+      respond_with(resource, action: :show)
+    end
+  end
+
+  private
+
+  def skip_password_change
+    return if !resource.nil? && resource.need_change_password?
+    redirect_to :root
+  end
+
+  def resource_params
+    permitted_params = [:current_password, :password, :password_confirmation]
+
+    if params.respond_to?(:permit)
+      params.require(resource_name).permit(*permitted_params)
+    else
+      params[scope].slice(*permitted_params)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+
+  def authenticate_scope!
+    send(:"authenticate_#{resource_name}!")
+    self.resource = send("current_#{resource_name}")
+  end
+end

data/app/views/devise/paranoid_verification_code/show.html.erb

@@ -0,0 +1,10 @@
+<h2>Submit verification code</h2>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :paranoid_verification_code], :html => { :method => :put }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :paranoid_verification_code, 'Verification code' %><br />
+  <%= f.text_field :paranoid_verification_code, value: '' %></p>
+
+  <p><%= f.submit "Submit" %></p>
+<% end %>

data/app/views/devise/password_expired/show.html.erb

@@ -0,0 +1,16 @@
+<h2>Renew your password</h2>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :password_expired], :html => { :method => :put }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :current_password, "Current password" %><br />
+  <%= f.password_field :current_password %></p>
+
+  <p><%= f.label :password, "New password" %><br />
+  <%= f.password_field :password %></p>
+
+  <p><%= f.label :password_confirmation, "Confirm new password" %><br />
+  <%= f.password_field :password_confirmation %></p>
+
+  <p><%= f.submit "Change my password" %></p>
+<% end %>

data/config/locales/de.yml

@@ -0,0 +1,16 @@
+de:
+  errors:
+    messages:
+      taken_in_past: "wurde bereits in der Vergangenheit verwendet!"
+      equal_to_current_password: "darf nicht dem aktuellen Passwort entsprechen!"
+      password_format: "müssen große, kleine Buchstaben und Ziffern enthalten"
+  devise:
+    invalid_captcha: "Die Captchaeingabe ist nicht gültig!"
+    paranoid_verify:
+      code_required: "Bitte geben Sie den Code unser Support-Team zur Verfügung gestellt"
+    password_expired:
+      updated: "Das neue Passwort wurde übernommen."
+      change_required: "Ihr Passwort ist abgelaufen. Bitte vergeben sie ein neues Passwort!"
+    failure:
+      session_limited: 'Ihre Anmeldedaten wurden in einem anderen Browser genutzt. Bitte melden Sie sich erneut an, um in diesem Browser fortzufahren.'
+      expired: 'Ihr Account ist aufgrund zu langer Inaktiviät abgelaufen. Bitte kontaktieren Sie den Administrator.'

data/config/locales/en.yml

@@ -0,0 +1,17 @@
+en:
+  errors:
+    messages:
+      taken_in_past: "was used previously."
+      equal_to_current_password: "must be different than the current password."
+      password_format: "must contain big, small letters and digits"
+  devise:
+    invalid_captcha: "The captcha input was invalid."
+    invalid_security_question: "The security question answer was invalid."
+    paranoid_verify:
+      code_required: "Please enter the code our support team provided"
+    password_expired:
+      updated: "Your new password is saved."
+      change_required: "Your password is expired. Please renew your password."
+    failure:
+      session_limited: 'Your login credentials were used in another browser. Please sign in again to continue in this browser.'
+      expired: 'Your account has expired due to inactivity. Please contact the site administrator.'

data/config/locales/es.yml

@@ -0,0 +1,17 @@
+es:
+  errors:
+    messages:
+      taken_in_past: "la contraseña fue usada previamente, favor elegir otra."
+      equal_to_current_password: "tiene que ser diferente a la contraseña actual."
+      password_format: "tiene que contener mayúsculas, minúsculas y digitos "
+  devise:
+    invalid_captcha: "El captcha ingresado es inválido."
+    invalid_security_question: "La respuesta a la pregunta de suguridad fue incorrecta."
+    paranoid_verify:
+      code_required: "Por favor ingrese el código provisto por nuestro equipo de soporte"
+    password_expired:
+      updated: "Su nueva contraña ha sido guardada."
+      change_required: "Su contraña ha expirado. Por favor renueve su contraseña."
+    failure:
+      session_limited: 'Sus credenciales de inicio de sesión fueron usadas en otro navegador. Por favor inicie sesión nuevamente para continuar en éste navegador.'
+      expired: 'Su cuenta ha expirado debido a inactividad. Por favor contacte al administrador de la aplicación.'

data/config/locales/it.yml

@@ -0,0 +1,10 @@
+it:
+  errors:
+    messages:
+      taken_in_past: "e' stata gia' utilizzata in passato!"
+      equal_to_current_password: " deve essere differente dalla password corrente!"
+  devise:
+    invalid_captcha: "Il captcha inserito non e' valido!"
+    password_expired:
+      updated: "La tua nuova password e' stata salvata."
+      change_required: "La tua password e' scaduta. Si prega di rinnovarla!"

data/devise-security.gemspec

@@ -0,0 +1,34 @@
+# -*- encoding: utf-8 -*-
+$LOAD_PATH.unshift(File.expand_path('../lib', __FILE__))
+require 'devise-security/version'
+
+Gem::Specification.new do |s|
+  s.name = 'devise-security'
+  s.version     = DeviseSecurity::VERSION.dup
+  s.platform    = Gem::Platform::RUBY
+  s.licenses    = ['MIT']
+  s.summary     = 'Security extension for devise'
+  s.email       = 'natebird@gmail.com'
+  s.homepage    = 'https://github.com/devise-security/devise-security'
+  s.description = 'An enterprise security extension for devise, trying to meet industrial standard security demands for web applications.'
+  s.authors     = ['Marco Scholl', 'Alexander Dreher', 'Nate Bird']
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 2.1.0'
+
+  if RUBY_VERSION >= '2.4'
+    s.add_runtime_dependency 'rails', '>= 4.2.8', '< 6.0'
+  else
+    s.add_runtime_dependency 'railties', '>= 3.2.6', '< 6.0'
+  end
+  s.add_runtime_dependency 'devise', '>= 3.0.0', '< 5.0'
+  s.add_development_dependency 'bundler', '>= 1.3.0', '< 2.0'
+  s.add_development_dependency 'sqlite3', '~> 1.3', '>= 1.3.10'
+  s.add_development_dependency 'rubocop', '~> 0'
+  s.add_development_dependency 'minitest', '~> 5.0'
+  s.add_development_dependency 'easy_captcha', '~> 0'
+  s.add_development_dependency 'rails_email_validator', '~> 0'
+  s.add_development_dependency 'coveralls', '~> 0.8'
+end

data/lib/devise-security.rb

@@ -0,0 +1,106 @@
+require 'active_record'
+require 'active_support/core_ext/integer'
+require 'active_support/ordered_hash'
+require 'active_support/concern'
+require 'devise'
+
+module Devise
+
+  # Should the password expire (e.g 3.months)
+  mattr_accessor :expire_password_after
+  @@expire_password_after = 3.months
+
+  # Validate password for strongness
+  mattr_accessor :password_regex
+  @@password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+
+  # Number of old passwords in archive
+  mattr_accessor :password_archiving_count
+  @@password_archiving_count = 5
+
+  # Deny old password (true, false, count)
+  mattr_accessor :deny_old_passwords
+  @@deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: need an email validator like rails_email_validator
+  mattr_accessor :email_validation
+  @@email_validation = true
+
+  # captcha integration for recover form
+  mattr_accessor :captcha_for_recover
+  @@captcha_for_recover = false
+
+  # captcha integration for sign up form
+  mattr_accessor :captcha_for_sign_up
+  @@captcha_for_sign_up = false
+
+  # captcha integration for sign in form
+  mattr_accessor :captcha_for_sign_in
+  @@captcha_for_sign_in = false
+
+  # captcha integration for unlock form
+  mattr_accessor :captcha_for_unlock
+  @@captcha_for_unlock = false
+
+  # security_question integration for recover form
+  # this automatically enables captchas (captcha_for_recover, as fallback)
+  mattr_accessor :security_question_for_recover
+  @@security_question_for_recover = false
+
+  # security_question integration for unlock form
+  # this automatically enables captchas (captcha_for_unlock, as fallback)
+  mattr_accessor :security_question_for_unlock
+  @@security_question_for_unlock = false
+
+  # security_question integration for confirmation form
+  # this automatically enables captchas (captcha_for_confirmation, as fallback)
+  mattr_accessor :security_question_for_confirmation
+  @@security_question_for_confirmation = false
+
+  # captcha integration for confirmation form
+  mattr_accessor :captcha_for_confirmation
+  @@captcha_for_confirmation = false
+
+  # captcha integration for confirmation form
+  mattr_accessor :verification_code_generator
+  @@verification_code_generator = -> { SecureRandom.hex[0..4] }
+
+  # Time period for account expiry from last_activity_at
+  mattr_accessor :expire_after
+  @@expire_after = 90.days
+  mattr_accessor :delete_expired_after
+  @@delete_expired_after = 90.days
+
+  # paranoid_verification will regenerate verifacation code after faild attempt
+  mattr_accessor :paranoid_code_regenerate_after_attempt
+  @@paranoid_code_regenerate_after_attempt = 10
+end
+
+# an security extension for devise
+module DeviseSecurity
+  autoload :Schema, 'devise-security/schema'
+  autoload :Patches, 'devise-security/patches'
+
+  module Controllers
+    autoload :Helpers, 'devise-security/controllers/helpers'
+  end
+end
+
+# modules
+Devise.add_module :password_expirable, controller: :password_expirable, model: 'devise-security/models/password_expirable', route: :password_expired
+Devise.add_module :secure_validatable, model: 'devise-security/models/secure_validatable'
+Devise.add_module :password_archivable, model: 'devise-security/models/password_archivable'
+Devise.add_module :session_limitable, model: 'devise-security/models/session_limitable'
+Devise.add_module :session_non_transferable, model: 'devise-security/models/session_non_transferable'
+Devise.add_module :expirable, model: 'devise-security/models/expirable'
+Devise.add_module :security_questionable, model: 'devise-security/models/security_questionable'
+Devise.add_module :paranoid_verification, controller: :paranoid_verification_code, model: 'devise-security/models/paranoid_verification', route: :verification_code
+
+# requires
+require 'devise-security/routes'
+require 'devise-security/rails'
+require 'devise-security/orm/active_record'
+require 'devise-security/models/old_password'
+require 'devise-security/models/database_authenticatable_patch'
+require 'devise-security/models/paranoid_verification'

data/lib/devise-security/controllers/helpers.rb

@@ -0,0 +1,96 @@
+module DeviseSecurity
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :handle_password_change
+        before_action :handle_paranoid_verification
+      end
+
+      module ClassMethods
+        # helper for captcha
+        def init_recover_password_captcha
+          include RecoverPasswordCaptcha
+        end
+      end
+
+      module RecoverPasswordCaptcha
+        def new
+          super
+        end
+      end
+
+      # controller instance methods
+
+        private
+
+        # lookup if an password change needed
+        def handle_password_change
+          return if warden.nil?
+
+          if not devise_controller? and not ignore_password_expire? and not request.format.nil? and request.format.html?
+            Devise.mappings.keys.flatten.any? do |scope|
+              if signed_in?(scope) and warden.session(scope)['password_expired']
+                # re-check to avoid infinite loop if date changed after login attempt
+                if send(:"current_#{scope}").try(:need_change_password?)
+                  store_location_for(scope, request.original_fullpath) if request.get?
+                  redirect_for_password_change scope
+                  return
+                else
+                  warden.session(scope)[:password_expired] = false
+                end
+              end
+            end
+          end
+        end
+
+        # lookup if extra (paranoid) code verification is needed
+        def handle_paranoid_verification
+          return if warden.nil?
+
+          if !devise_controller? && !request.format.nil? && request.format.html?
+            Devise.mappings.keys.flatten.any? do |scope|
+              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+                store_location_for(scope, request.original_fullpath) if request.get?
+                redirect_for_paranoid_verification scope
+                return
+              end
+            end
+          end
+        end
+
+        # redirect for password update with alert message
+        def redirect_for_password_change(scope)
+          redirect_to change_password_required_path_for(scope), :alert => I18n.t('change_required', {:scope => 'devise.password_expired'})
+        end
+
+        def redirect_for_paranoid_verification(scope)
+          redirect_to paranoid_verification_code_path_for(scope), :alert => I18n.t('code_required', {:scope => 'devise.paranoid_verify'})
+        end
+
+        # path for change password
+        def change_password_required_path_for(resource_or_scope = nil)
+          scope       = Devise::Mapping.find_scope!(resource_or_scope)
+          change_path = "#{scope}_password_expired_path"
+          send(change_path)
+        end
+
+        def paranoid_verification_code_path_for(resource_or_scope = nil)
+          scope       = Devise::Mapping.find_scope!(resource_or_scope)
+          change_path = "#{scope}_paranoid_verification_code_path"
+          send(change_path)
+        end
+
+        protected
+
+        # allow to overwrite for some special handlings
+        def ignore_password_expire?
+          false
+        end
+
+
+    end
+  end
+
+end