devise-security 0.11.0

data/lib/devise-security/models/security_questionable.rb

@@ -0,0 +1,18 @@
+module Devise
+  module Models
+    # SecurityQuestionable is an accessible add-on for visually handicapped people,
+    # to ship around the captcha with screenreader compatibility.
+    #
+    # You need to add two text_field_tags to the associated forms (unlock,
+    # password, confirmation):
+    # :security_question_answer and :captcha
+    #
+    # And add the security_question to the register/edit form.
+    # f.select :security_question_id, SecurityQuestion.where(locale: I18n.locale).map{|s| [s.name, s.id]}
+    # f.text_field :security_question_answer
+    module SecurityQuestionable
+      extend ActiveSupport::Concern
+
+    end
+  end
+end

data/lib/devise-security/models/session_limitable.rb

@@ -0,0 +1,21 @@
+require 'devise-security/hooks/session_limitable'
+
+module Devise
+  module Models
+    # SessionLimited ensures, that there is only one session usable per account at once.
+    # If someone logs in, and some other is logging in with the same credentials,
+    # the session from the first one is invalidated and not usable anymore.
+    # The first one is redirected to the sign page with a message, telling that 
+    # someone used his credentials to sign in.
+    module SessionLimitable
+      extend ActiveSupport::Concern
+
+      def update_unique_session_id!(unique_session_id)
+        self.unique_session_id = unique_session_id
+
+        save(:validate => false)
+      end
+
+    end
+  end
+end

data/lib/devise-security/orm/active_record.rb

@@ -0,0 +1,20 @@
+module DeviseSecurity
+  module Orm
+    # This module contains some helpers and handle schema (migrations):
+    #
+    #   create_table :accounts do |t|
+    #     t.password_expirable
+    #   end
+    #
+    module ActiveRecord
+      module Schema
+        include DeviseSecurity::Schema
+
+
+      end
+    end
+  end
+end
+
+ActiveRecord::ConnectionAdapters::Table.send :include, DeviseSecurity::Orm::ActiveRecord::Schema
+ActiveRecord::ConnectionAdapters::TableDefinition.send :include, DeviseSecurity::Orm::ActiveRecord::Schema

data/lib/devise-security/patches.rb

@@ -0,0 +1,21 @@
+module DeviseSecurity
+  module Patches
+    autoload :ControllerCaptcha, 'devise-security/patches/controller_captcha'
+    autoload :ControllerSecurityQuestion, 'devise-security/patches/controller_security_question'
+
+    class << self
+      def apply
+        Devise::PasswordsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_recover || Devise.security_question_for_recover
+        Devise::UnlocksController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_unlock || Devise.security_question_for_unlock
+        Devise::ConfirmationsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_confirmation
+
+        Devise::PasswordsController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_recover
+        Devise::UnlocksController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_unlock
+        Devise::ConfirmationsController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_confirmation
+
+        Devise::RegistrationsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_up
+        Devise::SessionsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_in
+      end
+    end
+  end
+end

data/lib/devise-security/patches/confirmations_controller_captcha.rb

@@ -0,0 +1,21 @@
+module DeviseSecurity::Patches
+  module ConfirmationsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+          self.resource = resource_class.send_confirmation_instructions(params[resource_name])
+
+          if successfully_sent?(resource)
+            respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_confirmation_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/confirmations_controller_security_question.rb

@@ -0,0 +1,25 @@
+module DeviseSecurity::Patches
+  module ConfirmationsControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha])) or
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_confirmation_instructions(params[resource_name])
+
+          if successfully_sent?(resource)
+            respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_confirmation_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/controller_captcha.rb

@@ -0,0 +1,17 @@
+module DeviseSecurity::Patches
+  module ControllerCaptcha
+    extend ActiveSupport::Concern
+
+    included do
+      prepend_before_action :check_captcha, only: [:create]
+    end
+
+    private
+    def check_captcha
+      return if ((defined? verify_recaptcha) && (verify_recaptcha)) || ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+
+      flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+      respond_with({}, location: url_for(action: :new))
+    end
+  end
+end

data/lib/devise-security/patches/controller_security_question.rb

@@ -0,0 +1,20 @@
+module DeviseSecurity::Patches
+  module ControllerSecurityQuestion
+    extend ActiveSupport::Concern
+
+    included do
+      prepend_before_action :check_security_question, only: [:create]
+    end
+
+    private
+    def check_security_question
+      # only find via email, not login
+      resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+      return if (resource.security_question_answer.present? && resource.security_question_answer == params[:security_question_answer])
+
+      flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+      respond_with({}, location: url_for(action: :new))
+    end
+  end
+end
+

data/lib/devise-security/patches/passwords_controller_captcha.rb

@@ -0,0 +1,20 @@
+module DeviseSecurity::Patches
+  module PasswordsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+          self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_password_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/passwords_controller_security_question.rb

@@ -0,0 +1,24 @@
+module DeviseSecurity::Patches
+  module PasswordsControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_password_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/registrations_controller_captcha.rb

@@ -0,0 +1,33 @@
+module DeviseSecurity::Patches
+  module RegistrationsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do |&block|
+        build_resource(sign_up_params)
+
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+          if resource.save
+            block.call(resource) if block
+            if resource.active_for_authentication?
+              set_flash_message :notice, :signed_up if is_flashing_format?
+              sign_up(resource_name, resource)
+              respond_with resource, :location => after_sign_up_path_for(resource)
+            else
+              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+              expire_data_after_sign_in!
+              respond_with resource, :location => after_inactive_sign_up_path_for(resource)
+            end
+          else
+            clean_up_passwords resource
+            respond_with resource
+          end
+          
+        else
+          resource.errors.add :base, t('devise.invalid_captcha')
+          clean_up_passwords resource
+          respond_with resource
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/sessions_controller_captcha.rb

@@ -0,0 +1,24 @@
+module DeviseSecurity::Patches
+  module SessionsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do |&block|
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+          self.resource = warden.authenticate!(auth_options)
+          set_flash_message(:notice, :signed_in) if is_flashing_format?
+          sign_in(resource_name, resource)
+          block.call(resource) if block
+          respond_with resource, :location => after_sign_in_path_for(resource)
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_flashing_format?
+          respond_with({}, :location => new_session_path(resource_name))
+        end
+      end
+    
+      # for bad protected use in controller
+      define_method :auth_options do
+        { :scope => resource_name, :recall => "#{controller_path}#new" }
+      end
+    end
+  end
+end

data/lib/devise-security/patches/unlocks_controller_captcha.rb

@@ -0,0 +1,20 @@
+module DeviseSecurity::Patches
+  module UnlocksControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+          self.resource = resource_class.send_unlock_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_unlock_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/patches/unlocks_controller_security_question.rb

@@ -0,0 +1,24 @@
+module DeviseSecurity::Patches
+  module UnlocksControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if ((defined? verify_recaptcha) && (verify_recaptcha)) or ((defined? valid_captcha?) && (valid_captcha? params[:captcha]))
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_unlock_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_unlock_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/rails.rb

@@ -0,0 +1,17 @@
+module DeviseSecurity
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseSecurity::Controllers::Helpers
+    end
+    
+    if Rails.version > "5"
+      ActiveSupport::Reloader.to_prepare do
+        DeviseSecurity::Patches.apply
+      end
+    else
+      ActionDispatch::Callbacks.to_prepare do
+        DeviseSecurity::Patches.apply
+      end
+    end
+  end
+end

data/lib/devise-security/routes.rb

@@ -0,0 +1,17 @@
+module ActionDispatch::Routing
+  class Mapper
+
+    protected
+
+    # route for handle expired passwords
+    def devise_password_expired(mapping, controllers)
+      resource :password_expired, :only => [:show, :update], :path => mapping.path_names[:password_expired], :controller => controllers[:password_expired]
+    end
+
+    # route for handle paranoid verification
+    def devise_verification_code(mapping, controllers)
+      resource :paranoid_verification_code, :only => [:show, :update], :path => mapping.path_names[:verification_code], :controller => controllers[:paranoid_verification_code]
+    end
+  end
+end
+

data/lib/devise-security/schema.rb

@@ -0,0 +1,59 @@
+module DeviseSecurity
+  # add schema helper for migrations
+  module Schema
+    # Add password_changed_at columns in the resource's database table.
+    #
+    # Examples
+    #
+    # # For a new resource migration:
+    # create_table :the_resources do |t|
+    #   t.password_expirable
+    # ...
+    # end
+    #
+    # # or if the resource's table already exists, define a migration and put this in:
+    # change_table :the_resources do |t|
+    #   t.datetime :password_changed_at
+    # end
+    #
+    def password_expirable
+      apply_devise_schema :password_changed_at, DateTime
+    end
+
+    # Add password_archivable columns
+    #
+    # Examples
+    #
+    # create_table :old_passwords do
+    #   t.password_archivable
+    # end
+    # add_index :old_passwords, [:password_archivable_type, :password_archivable_id], :name => :index_password_archivable
+    #
+    def password_archivable
+      apply_devise_schema :encrypted_password, String, :limit => 128, :null => false
+      apply_devise_schema :password_salt, String
+      apply_devise_schema :password_archivable_id, Integer, :null => false
+      apply_devise_schema :password_archivable_type, String, :null => false
+      apply_devise_schema :created_at, DateTime
+    end
+
+    # Add session_limitable columns in the resource's database table.
+    #
+    # Examples
+    #
+    # # For a new resource migration:
+    # create_table :the_resources do |t|
+    #   t.session_limitable
+    # ...
+    # end
+    #
+    # # or if the resource's table already exists, define a migration and put this in:
+    # change_table :the_resources do |t|
+    #   t.string :unique_session_id, :limit => 20
+    # end
+    #
+    def session_limitable
+      apply_devise_schema :unique_session_id, String, :limit => 20
+    end
+  end
+end

data/lib/devise-security/version.rb

@@ -0,0 +1,3 @@
+module DeviseSecurity
+  VERSION = "0.11.0".freeze
+end

data/lib/generators/devise-security/install_generator.rb

@@ -0,0 +1,26 @@
+module DeviseSecurity
+  module Generators
+    # Generator for Rails to create or append to a Devise initializer.
+    class InstallGenerator < Rails::Generators::Base
+      LOCALES = %w[ en de it ]
+
+      source_root File.expand_path('../../templates', __FILE__)
+      desc 'Install the devise security extension'
+
+      def copy_initializer
+        template('devise-security.rb',
+                 'config/initializers/devise-security.rb',
+        )
+      end
+
+      def copy_locales
+        LOCALES.each do |locale|
+          copy_file(
+            "../../../config/locales/#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml",
+          )
+        end
+      end
+    end
+  end
+end