devise-security 0.11.0

data/lib/devise-security/hooks/expirable.rb

@@ -0,0 +1,10 @@
+# Updates the last_activity_at fields from the record. Only when the user is active 
+# for authentication and authenticated.
+# An expiry of the account is only checked on sign in OR on manually setting the 
+# expired_at to the past (see Devise::Models::Expirable for this)
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active_for_authentication?) && record.active_for_authentication? && 
+      warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activity!)
+    record.update_last_activity!
+  end
+end

data/lib/devise-security/hooks/paranoid_verification.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_set_user do |record, warden, options|
+  if record.respond_to?(:need_paranoid_verification?)
+    warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?
+  end
+end

data/lib/devise-security/hooks/password_expirable.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if record.respond_to?(:need_change_password?)
+    warden.session(options[:scope])['password_expired'] = record.need_change_password?
+  end
+end

data/lib/devise-security/hooks/session_limitable.rb

@@ -0,0 +1,27 @@
+# After each sign in, update unique_session_id.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
+    unique_session_id = Devise.friendly_token
+    warden.session(options[:scope])['unique_session_id'] = unique_session_id
+    record.update_unique_session_id!(unique_session_id)
+  end
+end
+
+# Each time a record is fetched from session we check if a new session from another
+# browser was opened for the record or not, based on a unique session identifier.
+# If so, the old account is logged out and redirected to the sign in page on the next request.
+Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
+  scope = options[:scope]
+  env   = warden.request.env
+
+  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
+    if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+      warden.raw_session.clear
+      warden.logout(scope)
+      throw :warden, :scope => scope, :message => :session_limited
+    end
+  end
+end

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -0,0 +1,26 @@
+module Devise
+  module Models
+    module DatabaseAuthenticatablePatch
+      def update_with_password(params, *options)
+        current_password = params.delete(:current_password)
+
+        new_password = params[:password]
+        new_password_confirmation = params[:password_confirmation]
+
+        result = if valid_password?(current_password) && new_password.present? && new_password_confirmation.present?
+          update_attributes(params, *options)
+        else
+          self.assign_attributes(params, *options)
+          self.valid?
+          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
+          self.errors.add(:password, new_password.blank? ? :blank : :invalid)
+          self.errors.add(:password_confirmation, new_password_confirmation.blank? ? :blank : :invalid)
+          false
+        end
+
+        clean_up_passwords
+        result
+      end
+    end
+  end
+end

data/lib/devise-security/models/expirable.rb

@@ -0,0 +1,120 @@
+require 'devise-security/hooks/expirable'
+
+module Devise
+  module Models
+    # Deactivate the account after a configurable amount of time.  To be able to 
+    # tell, it tracks activity about your account with the following columns:
+    #
+    # * last_activity_at - A timestamp updated when the user requests a page (only signed in)
+    #
+    # == Options
+    # +:expire_after+ - Time interval to expire accounts after
+    #
+    # == Additions
+    # Best used with two cron jobs. One for expiring accounts after inactivity, 
+    # and another, that deletes accounts, which have expired for a given amount 
+    # of time (for example 90 days).
+    # 
+    module Expirable
+      extend ActiveSupport::Concern
+
+      # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
+      def update_last_activity!
+        self.update_column(:last_activity_at, Time.now.utc)
+      end
+
+      # Tells if the account has expired
+      #
+      # @return [bool]
+      def expired?
+        # expired_at set (manually, via cron, etc.)
+        return self.expired_at < Time.now.utc unless self.expired_at.nil?
+        # if it is not set, check the last activity against configured expire_after time range
+        return self.last_activity_at < self.class.expire_after.ago unless self.last_activity_at.nil?
+        # if last_activity_at is nil as well, the user has to be 'fresh' and is therefore not expired
+        false
+      end
+
+      # Expire an account. This is for cron jobs and manually expiring of accounts.
+      #
+      # @example 
+      #   User.expire!
+      #   User.expire! 1.week.from_now
+      # @note +expired_at+ can be in the future as well
+      def expire!(at = Time.now.utc)
+        self.expired_at = at
+        save(:validate => false)
+      end
+
+      # Overwrites active_for_authentication? from Devise::Models::Activatable
+      # for verifying whether a user is active to sign in or not. If the account
+      # is expired, it should never be allowed.
+      #
+      # @return [bool]
+      def active_for_authentication?
+        super && !self.expired?
+      end
+
+      # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed 
+      # for i18n.
+      def inactive_message
+        !self.expired? ? super : :expired
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :expire_after, :delete_expired_after)
+
+        # Sample method for daily cron to mark expired entries.
+        #
+        # @example You can overide this in your +resource+ model
+        #   def self.mark_expired
+        #     puts 'overwritten mark_expired'
+        #   end
+        def mark_expired
+          all.each do |u|
+            u.expire! if u.expired? && u.expired_at.nil?
+          end
+          return
+        end
+
+        # Scope method to collect all expired users since +time+ ago
+        def expired_for(time = delete_expired_after)
+          where('expired_at < ?', time.seconds.ago)
+        end
+
+        # Sample method for daily cron to delete all expired entries after a 
+        # given amount of +time+.
+        #
+        # In your overwritten method you can "blank out" the object instead of 
+        # deleting it.
+        #
+        # *Word of warning*: You have to handle the dependent method
+        # on the +resource+ relations (+:destroy+ or +:nullify+) and catch this 
+        # behavior (see  http://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html#label-Deleting+from+associations).
+        #
+        # @example 
+        #   Resource.delete_all_expired_for 90.days
+        # @example You can overide this in your +resource+ model
+        #   def self.delete_all_expired_for(time = 90.days)
+        #     puts 'overwritten delete call'
+        #   end
+        # @example Overwritten version to blank out the object.
+        #   def self.delete_all_expired_for(time = 90.days)
+        #     expired_for(time).each do |u|
+        #       u.update_attributes first_name: nil, last_name: nil
+        #     end
+        #   end
+        def delete_all_expired_for(time)
+          expired_for(time).delete_all
+        end
+
+        # Version of {#delete_all_expired_for} without arguments (uses 
+        # configured +delete_expired_after+ default value).
+        # @see #delete_all_expired_for
+        def delete_all_expired
+          delete_all_expired_for(delete_expired_after)
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/old_password.rb

@@ -0,0 +1,4 @@
+require 'active_record'
+class OldPassword < ActiveRecord::Base
+  belongs_to :password_archivable, :polymorphic => true
+end

data/lib/devise-security/models/paranoid_verification.rb

@@ -0,0 +1,35 @@
+require 'devise-security/hooks/paranoid_verification'
+
+module Devise
+  module Models
+    # PasswordExpirable takes care of change password after
+    module ParanoidVerification
+      extend ActiveSupport::Concern
+
+      def need_paranoid_verification?
+        !!paranoid_verification_code
+      end
+
+      def verify_code(code)
+        attempt = paranoid_verification_attempt
+
+        if (attempt += 1) >= Devise.paranoid_code_regenerate_after_attempt
+          generate_paranoid_code
+        elsif code == paranoid_verification_code
+          attempt = 0
+          update_without_password paranoid_verification_code: nil, paranoid_verified_at: Time.now, paranoid_verification_attempt: attempt
+        else
+          update_without_password paranoid_verification_attempt: attempt
+        end
+      end
+
+      def paranoid_attempts_remaining
+        Devise.paranoid_code_regenerate_after_attempt - paranoid_verification_attempt
+      end
+
+      def generate_paranoid_code
+        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(), paranoid_verification_attempt: 0
+      end
+    end
+  end
+end

data/lib/devise-security/models/password_archivable.rb

@@ -0,0 +1,80 @@
+module Devise
+  module Models
+    # PasswordArchivable
+    module PasswordArchivable
+      extend ActiveSupport::Concern
+
+      included do
+        has_many :old_passwords, as: :password_archivable, dependent: :destroy
+        before_update :archive_password
+        validate :validate_password_archive
+      end
+
+      def validate_password_archive
+        errors.add(:password, :taken_in_past) if encrypted_password_changed? and password_archive_included?
+      end
+
+      # validate is the password used in the past
+      def password_archive_included?
+        unless deny_old_passwords.is_a? 1.class
+          if deny_old_passwords.is_a? TrueClass and archive_count > 0
+            self.deny_old_passwords = archive_count
+          else
+            self.deny_old_passwords = 0
+          end
+        end
+
+        if self.class.deny_old_passwords > 0 and not self.password.nil?
+          old_passwords_including_cur_change = self.old_passwords.order(:id).reverse_order.limit(self.class.deny_old_passwords).to_a
+          old_passwords_including_cur_change << OldPassword.new(old_password_params)  # include most recent change in list, but don't save it yet!
+          old_passwords_including_cur_change.each do |old_password|
+            dummy                    = self.class.new
+            dummy.encrypted_password = old_password.encrypted_password
+            return true if dummy.valid_password?(password)
+          end
+        end
+
+        false
+      end
+
+      def password_changed_to_same?
+        pass_change = encrypted_password_change
+        pass_change && pass_change.first == pass_change.last
+      end
+
+      def deny_old_passwords
+        self.class.deny_old_passwords
+      end
+
+      def deny_old_passwords=(count)
+        self.class.deny_old_passwords = count
+      end
+
+      def archive_count
+        self.class.password_archiving_count
+      end
+
+      private
+
+      # archive the last password before save and delete all to old passwords from archive
+      def archive_password
+        if encrypted_password_changed?
+          if archive_count.to_i > 0
+            old_passwords.create! old_password_params
+            old_passwords.order(:id).reverse_order.offset(archive_count).destroy_all
+          else
+            old_passwords.destroy_all
+          end
+        end
+      end
+
+      def old_password_params
+        { encrypted_password: encrypted_password_change.first }
+      end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :password_archiving_count, :deny_old_passwords)
+      end
+    end
+  end
+end

data/lib/devise-security/models/password_expirable.rb

@@ -0,0 +1,67 @@
+require 'devise-security/hooks/password_expirable'
+
+module Devise
+  module Models
+
+    # PasswordExpirable takes care of change password after
+    module PasswordExpirable
+      extend ActiveSupport::Concern
+
+      included do
+        before_save :update_password_changed
+      end
+
+      # is an password change required?
+      def need_change_password?
+        if expired_password_after_numeric?
+          self.password_changed_at.nil? or self.password_changed_at < self.expire_password_after.seconds.ago
+        else
+          false
+        end
+      end
+
+      # set a fake datetime so a password change is needed and save the record
+      def need_change_password!
+        if expired_password_after_numeric?
+          need_change_password
+          self.save(:validate => false)
+        end
+      end
+
+      # set a fake datetime so a password change is needed
+      def need_change_password
+        if expired_password_after_numeric?
+          self.password_changed_at = self.expire_password_after.seconds.ago
+        end
+
+        # is date not set it will set default to need set new password next login
+        need_change_password if self.password_changed_at.nil?
+
+        self.password_changed_at
+      end
+
+      def expire_password_after
+        self.class.expire_password_after
+      end
+
+      private
+
+        # is password changed then update password_cahanged_at
+        def update_password_changed
+          self.password_changed_at = Time.now if (self.new_record? or self.encrypted_password_changed?) and not self.password_changed_at_changed?
+        end
+
+        def expired_password_after_numeric?
+          return @_numeric if defined?(@_numeric)
+          @_numeric ||= self.expire_password_after.is_a?(1.class) ||
+            self.expire_password_after.is_a?(Float)
+        end
+
+      module ClassMethods
+        ::Devise::Models.config(self, :expire_password_after)
+      end
+    end
+
+  end
+
+end

data/lib/devise-security/models/secure_validatable.rb

@@ -0,0 +1,100 @@
+module Devise
+  module Models
+    # SecureValidatable creates better validations with more validation for security
+    #
+    # == Options
+    #
+    # SecureValidatable adds the following options to devise_for:
+    #
+    #   * +email_regexp+: the regular expression used to validate e-mails;
+    #   * +password_length+: a range expressing password length. Defaults from devise
+    #   * +password_regex+: need strong password. Defaults to /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+    #
+    module SecureValidatable
+
+      def self.included(base)
+        base.extend ClassMethods
+        assert_secure_validations_api!(base)
+
+        base.class_eval do
+          already_validated_email = false
+
+          # validate login in a strict way if not yet validated
+          unless has_uniqueness_validation_of_login?
+            validation_condition = "#{login_attribute}_changed?".to_sym
+
+            validates login_attribute, :uniqueness => {
+                                          :scope          => authentication_keys[1..-1],
+                                          :case_sensitive => !!case_insensitive_keys
+                                        },
+                                        :if => validation_condition
+
+            already_validated_email = login_attribute.to_s == 'email'
+          end
+
+          unless devise_validation_enabled?
+            validates :email, :presence => true, :if => :email_required?
+            unless already_validated_email
+              validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
+            end
+
+            validates :password, :presence => true, :length => password_length, :confirmation => true, :if => :password_required?
+          end
+
+          # extra validations
+          validates :email,    :email  => email_validation if email_validation # use rails_email_validator or similar
+          validates :password, :format => { :with => password_regex, :message => :password_format }, :if => :password_required?
+
+          # don't allow use same password
+          validate :current_equal_password_validation
+        end
+      end
+
+      def self.assert_secure_validations_api!(base)
+        raise "Could not use SecureValidatable on #{base}" unless base.respond_to?(:validates)
+      end
+
+      def current_equal_password_validation
+        if not self.new_record? and not self.encrypted_password_change.nil?
+          dummy = self.class.new
+          dummy.encrypted_password = self.encrypted_password_change.first
+          dummy.password_salt = self.password_salt_change.first if self.respond_to? :password_salt_change and not self.password_salt_change.nil?
+          self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(self.password)
+        end
+      end
+
+      protected
+
+      # Checks whether a password is needed or not. For validations only.
+      # Passwords are always required if it's a new record, or if the password
+      # or confirmation are being set somewhere.
+      def password_required?
+        !persisted? || !password.nil? || !password_confirmation.nil?
+      end
+
+      def email_required?
+        true
+      end
+
+      module ClassMethods
+        Devise::Models.config(self, :password_regex, :password_length, :email_validation)
+
+      private
+        def has_uniqueness_validation_of_login?
+          validators.any? do |validator|
+            validator.kind_of?(ActiveRecord::Validations::UniquenessValidator) &&
+              validator.attributes.include?(login_attribute)
+          end
+        end
+
+        def login_attribute
+          authentication_keys[0]
+        end
+
+        def devise_validation_enabled?
+          self.ancestors.map(&:to_s).include? 'Devise::Models::Validatable'
+        end
+      end
+    end
+  end
+end