devise-security 0.11.0

data/test/test_password_archivable.rb

@@ -0,0 +1,61 @@
+require 'test_helper'
+
+class TestPasswordArchivable < ActiveSupport::TestCase
+  setup do
+    Devise.password_archiving_count = 2
+  end
+
+  teardown do
+    Devise.password_archiving_count = 1
+  end
+
+  def set_password(user, password)
+    user.password = password
+    user.password_confirmation = password
+    user.save!
+  end
+
+  test 'cannot use same password' do
+    user = User.create password: 'password1', password_confirmation: 'password1'
+
+    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'password1') }
+  end
+
+  test 'cannot use archived passwords' do
+    assert_equal 2, Devise.password_archiving_count
+
+    user = User.create password: 'password1', password_confirmation: 'password1'
+    assert_equal 0, OldPassword.count
+
+    set_password(user,  'password2')
+    assert_equal 1, OldPassword.count
+
+    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'password1') }
+
+    set_password(user,  'password3')
+    assert_equal 2, OldPassword.count
+
+    # rotate first password out of archive
+    assert set_password(user,  'password4')
+
+    # archive count was 2, so first password should work again
+    assert set_password(user,  'password1')
+    assert set_password(user,  'password2')
+  end
+
+  test 'the option should be dynamic during runtime' do
+    class ::User
+      def archive_count
+        1
+      end
+    end
+
+    user = User.create password: 'password1', password_confirmation: 'password1'
+
+    assert set_password(user,  'password2')
+
+    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'password2') }
+
+    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'password1') }
+  end
+end

data/test/test_password_expirable.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class TestPasswordArchivable < ActiveSupport::TestCase
+  setup do
+    Devise.expire_password_after = 2.month
+  end
+
+  teardown do
+    Devise.expire_password_after = 90.days
+  end
+
+  test 'password expires' do
+    user = User.create password: 'password1', password_confirmation: 'password1'
+    refute user.need_change_password?
+
+    user.update(password_changed_at: Time.now.ago(3.month))
+    assert user.need_change_password?
+  end
+
+  test 'override expire after at runtime' do
+    user = User.new password: 'password1', password_confirmation: 'password1'
+    user.instance_eval do
+      def expire_password_after
+        4.month
+      end
+    end
+    user.password_changed_at = Time.now.ago(3.month)
+    refute user.need_change_password?
+    user.password_changed_at = Time.now.ago(5.month)
+    assert user.need_change_password?
+  end
+end

data/test/test_password_expired_controller.rb

@@ -0,0 +1,29 @@
+require 'test_helper'
+
+class Devise::PasswordExpiredControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @request.env["devise.mapping"] = Devise.mappings[:user]
+    @user = User.create(username: 'hello', email: 'hello@path.travel',
+                        password: '1234', password_changed_at: 3.months.ago)
+
+    sign_in(@user)
+  end
+
+  test 'should render show' do
+    get :show
+    assert_includes @response.body, 'Renew your password'
+  end
+
+  test 'shold update password' do
+    put :update, params: {
+      user: {
+        current_password: '1234',
+        password: '12345',
+        password_confirmation: '12345'
+      }
+    }
+    assert_redirected_to root_path
+  end
+end

data/test/test_secure_validatable.rb

@@ -0,0 +1,85 @@
+require 'test_helper'
+require 'rails_email_validator'
+
+class TestSecureValidatable < ActiveSupport::TestCase
+  class User < ActiveRecord::Base
+    devise :database_authenticatable, :password_archivable,
+           :paranoid_verification, :password_expirable, :secure_validatable
+  end
+
+  setup do
+    Devise.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+  end
+
+  test 'email cannot be blank' do
+    msg = "Email can't be blank"
+    user = User.create password: 'passWord1', password_confirmation: 'passWord1'
+    assert_equal(false, user.valid?)
+    assert_equal([msg], user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) do
+      user.save!
+    end
+  end
+
+  test 'email must be valid' do
+    msg = 'Email is invalid'
+    user = User.create email: 'bob', password: 'passWord1', password_confirmation: 'passWord1'
+    assert_equal(false, user.valid?)
+    assert_equal([msg], user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) do
+      user.save!
+    end
+  end
+
+  test 'valid both email and password' do
+    msgs = ['Email is invalid', 'Password must contain big, small letters and digits']
+    user = User.create email: 'bob@foo.tv', password: 'password1', password_confirmation: 'password1'
+    assert_equal(false, user.valid?)
+    assert_equal(msgs, user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+  end
+
+  test 'password must have capital letter' do
+    msgs = ['Email is invalid', 'Password must contain big, small letters and digits']
+    user = User.create email: 'bob@example.org', password: 'password1', password_confirmation: 'password1'
+    assert_equal(false, user.valid?)
+    assert_equal(msgs, user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+  end
+
+  test 'password must have lowercase letter' do
+    msg = 'Password must contain big, small letters and digits'
+    user = User.create email: 'bob@microsoft.com', password: 'PASSWORD1', password_confirmation: 'PASSWORD1'
+    assert_equal(false, user.valid?)
+    assert_equal([msg], user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+  end
+
+  test 'password must have number' do
+    msg = 'Password must contain big, small letters and digits'
+    user = User.create email: 'bob@microsoft.com', password: 'PASSword', password_confirmation: 'PASSword'
+    assert_equal(false, user.valid?)
+    assert_equal([msg], user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+  end
+
+  test 'password must have minimum length' do
+    msg = 'Password is too short (minimum is 6 characters)'
+    user = User.create email: 'bob@microsoft.com', password: 'Pa3zZ', password_confirmation: 'Pa3zZ'
+    assert_equal(false, user.valid?)
+    assert_equal([msg], user.errors.full_messages)
+    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+  end
+
+  test 'duplicate email validation message is added only once' do
+    options = {
+      email: 'test@example.org',
+      password: 'Test12345',
+      password_confirmation: 'Test12345',
+    }
+    SecureUser.create!(options)
+    user = SecureUser.new(options)
+    refute user.valid?
+    assert_equal ['Email has already been taken'], user.errors.full_messages
+  end
+end

data/test/test_security_question_controller.rb

@@ -0,0 +1,60 @@
+require 'test_helper'
+
+class TestWithSecurityQuestion < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests SecurityQuestion::UnlocksController
+
+  setup do
+    @user = User.create(username: 'hello', email: 'hello@path.travel',
+                        password: '1234', security_question_answer: "Right Answer")
+    @user.lock_access!
+
+    @request.env["devise.mapping"] = Devise.mappings[:security_question_user]
+  end
+
+  test 'When security question is enabled, it is inserted correctly' do
+    post :create, params: {
+      security_question_user: {
+        email: @user.email
+      }, security_question_answer: "wrong answer"
+    }
+
+    assert_equal "The security question answer was invalid.", flash[:alert]
+    assert_redirected_to new_security_question_user_unlock_path
+  end
+
+  test 'When security_question is valid, it runs as normal' do
+    post :create, params: {
+      security_question_user: {
+        email: @user.email
+      }, security_question_answer: @user.security_question_answer
+    }
+
+    assert_equal "You will receive an email with instructions for how to unlock your account in a few minutes.", flash[:notice]
+    assert_redirected_to new_security_question_user_session_path
+  end
+end
+
+class TestWithoutSecurityQuestion < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Devise::UnlocksController
+
+  setup do
+    @user = User.create(username: 'hello', email: 'hello@path.travel',
+                        password: '1234', security_question_answer: "Right Answer")
+    @user.lock_access!
+
+    @request.env["devise.mapping"] = Devise.mappings[:user]
+  end
+
+  test 'When security question is not enabled it is not inserted' do
+    post :create, params: {
+      user: {
+        email: @user.email
+      }
+    }
+
+    assert_equal "You will receive an email with instructions for how to unlock your account in a few minutes.", flash[:notice]
+    assert_redirected_to new_user_session_path
+  end
+end

metadata

@@ -0,0 +1,315 @@
+--- !ruby/object:Gem::Specification
+name: devise-security
+version: !ruby/object:Gem::Version
+  version: 0.11.0
+platform: ruby
+authors:
+- Marco Scholl
+- Alexander Dreher
+- Nate Bird
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-10-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.6
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.6
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.10
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.10
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: easy_captcha
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails_email_validator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: An enterprise security extension for devise, trying to meet industrial
+  standard security demands for web applications.
+email: natebird@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".document"
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- app/controllers/devise/paranoid_verification_code_controller.rb
+- app/controllers/devise/password_expired_controller.rb
+- app/views/devise/paranoid_verification_code/show.html.erb
+- app/views/devise/password_expired/show.html.erb
+- config/locales/de.yml
+- config/locales/en.yml
+- config/locales/es.yml
+- config/locales/it.yml
+- devise-security.gemspec
+- lib/devise-security.rb
+- lib/devise-security/controllers/helpers.rb
+- lib/devise-security/hooks/expirable.rb
+- lib/devise-security/hooks/paranoid_verification.rb
+- lib/devise-security/hooks/password_expirable.rb
+- lib/devise-security/hooks/session_limitable.rb
+- lib/devise-security/models/database_authenticatable_patch.rb
+- lib/devise-security/models/expirable.rb
+- lib/devise-security/models/old_password.rb
+- lib/devise-security/models/paranoid_verification.rb
+- lib/devise-security/models/password_archivable.rb
+- lib/devise-security/models/password_expirable.rb
+- lib/devise-security/models/secure_validatable.rb
+- lib/devise-security/models/security_questionable.rb
+- lib/devise-security/models/session_limitable.rb
+- lib/devise-security/orm/active_record.rb
+- lib/devise-security/patches.rb
+- lib/devise-security/patches/confirmations_controller_captcha.rb
+- lib/devise-security/patches/confirmations_controller_security_question.rb
+- lib/devise-security/patches/controller_captcha.rb
+- lib/devise-security/patches/controller_security_question.rb
+- lib/devise-security/patches/passwords_controller_captcha.rb
+- lib/devise-security/patches/passwords_controller_security_question.rb
+- lib/devise-security/patches/registrations_controller_captcha.rb
+- lib/devise-security/patches/sessions_controller_captcha.rb
+- lib/devise-security/patches/unlocks_controller_captcha.rb
+- lib/devise-security/patches/unlocks_controller_security_question.rb
+- lib/devise-security/rails.rb
+- lib/devise-security/routes.rb
+- lib/devise-security/schema.rb
+- lib/devise-security/version.rb
+- lib/generators/devise-security/install_generator.rb
+- lib/generators/templates/devise-security.rb
+- test/dummy/Rakefile
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/captcha/sessions_controller.rb
+- test/dummy/app/controllers/foos_controller.rb
+- test/dummy/app/controllers/security_question/unlocks_controller.rb
+- test/dummy/app/models/.gitkeep
+- test/dummy/app/models/captcha_user.rb
+- test/dummy/app/models/secure_user.rb
+- test/dummy/app/models/security_question_user.rb
+- test/dummy/app/models/user.rb
+- test/dummy/app/views/foos/index.html.erb
+- test/dummy/config.ru
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/database.yml
+- test/dummy/config/environment.rb
+- test/dummy/config/environments/test.rb
+- test/dummy/config/initializers/devise.rb
+- test/dummy/config/initializers/migration_class.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/secrets.yml
+- test/dummy/db/migrate/20120508165529_create_tables.rb
+- test/dummy/db/migrate/20150402165590_add_verification_columns.rb
+- test/dummy/db/migrate/20150407162345_add_verification_attempt_column.rb
+- test/dummy/db/migrate/20160320162345_add_security_questions_fields.rb
+- test/test_captcha_controller.rb
+- test/test_helper.rb
+- test/test_install_generator.rb
+- test/test_paranoid_verification.rb
+- test/test_password_archivable.rb
+- test/test_password_expirable.rb
+- test/test_password_expired_controller.rb
+- test/test_secure_validatable.rb
+- test/test_security_question_controller.rb
+homepage: https://github.com/devise-security/devise-security
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.13
+signing_key: 
+specification_version: 4
+summary: Security extension for devise
+test_files:
+- test/dummy/Rakefile
+- test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/captcha/sessions_controller.rb
+- test/dummy/app/controllers/foos_controller.rb
+- test/dummy/app/controllers/security_question/unlocks_controller.rb
+- test/dummy/app/models/.gitkeep
+- test/dummy/app/models/captcha_user.rb
+- test/dummy/app/models/secure_user.rb
+- test/dummy/app/models/security_question_user.rb
+- test/dummy/app/models/user.rb
+- test/dummy/app/views/foos/index.html.erb
+- test/dummy/config.ru
+- test/dummy/config/application.rb
+- test/dummy/config/boot.rb
+- test/dummy/config/database.yml
+- test/dummy/config/environment.rb
+- test/dummy/config/environments/test.rb
+- test/dummy/config/initializers/devise.rb
+- test/dummy/config/initializers/migration_class.rb
+- test/dummy/config/routes.rb
+- test/dummy/config/secrets.yml
+- test/dummy/db/migrate/20120508165529_create_tables.rb
+- test/dummy/db/migrate/20150402165590_add_verification_columns.rb
+- test/dummy/db/migrate/20150407162345_add_verification_attempt_column.rb
+- test/dummy/db/migrate/20160320162345_add_security_questions_fields.rb
+- test/test_captcha_controller.rb
+- test/test_helper.rb
+- test/test_install_generator.rb
+- test/test_paranoid_verification.rb
+- test/test_password_archivable.rb
+- test/test_password_expirable.rb
+- test/test_password_expired_controller.rb
+- test/test_secure_validatable.rb
+- test/test_security_question_controller.rb