devise-security 0.11.1 → 0.12.0

data/gemfiles/rails_5.0_stable.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "omniauth"
+gem "rails", "~> 5.0.0"
+
+gemspec path: "../"

data/gemfiles/rails_5.1_stable.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "omniauth"
+gem "rails", "~> 5.1.0"
+
+gemspec path: "../"

data/gemfiles/rails_5.2_rc1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "omniauth"
+gem "rails", "~> 5.2.0.rc1"
+
+gemspec path: "../"

data/lib/devise-security/controllers/helpers.rb

@@ -77,11 +77,11 @@ module DeviseSecurity
 
         # redirect for password update with alert message
         def redirect_for_password_change(scope)
-          redirect_to change_password_required_path_for(scope), :alert => I18n.t('change_required', {:scope => 'devise.password_expired'})
+          redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', {scope: 'devise.password_expired'})
         end
 
         def redirect_for_paranoid_verification(scope)
-          redirect_to paranoid_verification_code_path_for(scope), :alert => I18n.t('code_required', {:scope => 'devise.paranoid_verify'})
+          redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', {scope: 'devise.paranoid_verify'})
         end
 
         # path for change password

data/lib/devise-security/hooks/session_limitable.rb

@@ -2,7 +2,7 @@
 # This is only triggered when the user is explicitly set (with set_user)
 # and on authentication. Retrieving the user from session (:fetch) does
 # not trigger it.
-Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
     unique_session_id = Devise.friendly_token
     warden.session(options[:scope])['unique_session_id'] = unique_session_id
@@ -13,7 +13,7 @@ end
 # Each time a record is fetched from session we check if a new session from another
 # browser was opened for the record or not, based on a unique session identifier.
 # If so, the old account is logged out and redirected to the sign in page on the next request.
-Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
+Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
 
@@ -21,7 +21,7 @@ Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
       warden.raw_session.clear
       warden.logout(scope)
-      throw :warden, :scope => scope, :message => :session_limited
+      throw :warden, scope: scope, message: :session_limited
     end
   end
 end

data/lib/devise-security/models/compatibility.rb

@@ -0,0 +1,22 @@
+module Devise
+  module Models
+    module Compatibility
+      extend ActiveSupport::Concern
+
+      # for backwards compatibility with Rails < 5.1.x
+      unless Devise.activerecord51?
+        def saved_change_to_encrypted_password?
+          encrypted_password_changed?
+        end
+
+        def encrypted_password_before_last_save
+          previous_changes['encrypted_password'].try(:first)
+        end
+
+        def will_save_change_to_encrypted_password?
+          changed_attributes['encrypted_password'].present?
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/expirable.rb

@@ -2,7 +2,7 @@ require 'devise-security/hooks/expirable'
 
 module Devise
   module Models
-    # Deactivate the account after a configurable amount of time.  To be able to 
+    # Deactivate the account after a configurable amount of time.  To be able to
     # tell, it tracks activity about your account with the following columns:
     #
     # * last_activity_at - A timestamp updated when the user requests a page (only signed in)
@@ -11,10 +11,10 @@ module Devise
     # +:expire_after+ - Time interval to expire accounts after
     #
     # == Additions
-    # Best used with two cron jobs. One for expiring accounts after inactivity, 
-    # and another, that deletes accounts, which have expired for a given amount 
+    # Best used with two cron jobs. One for expiring accounts after inactivity,
+    # and another, that deletes accounts, which have expired for a given amount
     # of time (for example 90 days).
-    # 
+    #
     module Expirable
       extend ActiveSupport::Concern
 
@@ -37,13 +37,13 @@ module Devise
 
       # Expire an account. This is for cron jobs and manually expiring of accounts.
       #
-      # @example 
+      # @example
       #   User.expire!
       #   User.expire! 1.week.from_now
       # @note +expired_at+ can be in the future as well
       def expire!(at = Time.now.utc)
         self.expired_at = at
-        save(:validate => false)
+        save(validate: false)
       end
 
       # Overwrites active_for_authentication? from Devise::Models::Activatable
@@ -55,7 +55,7 @@ module Devise
         super && !self.expired?
       end
 
-      # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed 
+      # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed
       # for i18n.
       def inactive_message
         !self.expired? ? super : :expired
@@ -82,17 +82,17 @@ module Devise
           where('expired_at < ?', time.seconds.ago)
         end
 
-        # Sample method for daily cron to delete all expired entries after a 
+        # Sample method for daily cron to delete all expired entries after a
         # given amount of +time+.
         #
-        # In your overwritten method you can "blank out" the object instead of 
+        # In your overwritten method you can "blank out" the object instead of
         # deleting it.
         #
         # *Word of warning*: You have to handle the dependent method
-        # on the +resource+ relations (+:destroy+ or +:nullify+) and catch this 
+        # on the +resource+ relations (+:destroy+ or +:nullify+) and catch this
         # behavior (see  http://api.rubyonrails.org/classes/ActiveRecord/Associations/ClassMethods.html#label-Deleting+from+associations).
         #
-        # @example 
+        # @example
         #   Resource.delete_all_expired_for 90.days
         # @example You can overide this in your +resource+ model
         #   def self.delete_all_expired_for(time = 90.days)
@@ -108,7 +108,7 @@ module Devise
           expired_for(time).delete_all
         end
 
-        # Version of {#delete_all_expired_for} without arguments (uses 
+        # Version of {#delete_all_expired_for} without arguments (uses
         # configured +delete_expired_after+ default value).
         # @see #delete_all_expired_for
         def delete_all_expired
@@ -117,4 +117,4 @@ module Devise
       end
     end
   end
-end
+end

data/lib/devise-security/models/old_password.rb

@@ -1,4 +1,4 @@
 require 'active_record'
 class OldPassword < ActiveRecord::Base
-  belongs_to :password_archivable, :polymorphic => true
+  belongs_to :password_archivable, polymorphic: true
 end

data/lib/devise-security/models/paranoid_verification.rb

@@ -17,7 +17,9 @@ module Devise
           generate_paranoid_code
         elsif code == paranoid_verification_code
           attempt = 0
-          update_without_password paranoid_verification_code: nil, paranoid_verified_at: Time.now, paranoid_verification_attempt: attempt
+          update_without_password paranoid_verification_code: nil,
+                                  paranoid_verified_at: Time.now,
+                                  paranoid_verification_attempt: attempt
         else
           update_without_password paranoid_verification_attempt: attempt
         end
@@ -28,7 +30,8 @@ module Devise
       end
 
       def generate_paranoid_code
-        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(), paranoid_verification_attempt: 0
+        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(),
+                                paranoid_verification_attempt: 0
       end
     end
   end

data/lib/devise-security/models/password_archivable.rb

@@ -1,45 +1,47 @@
+require_relative 'compatibility'
+
 module Devise
   module Models
-    # PasswordArchivable
+    # PasswordArchivable, this depends on the DatabaseAuthenticatable module from devise
     module PasswordArchivable
       extend ActiveSupport::Concern
+      include Devise::Models::Compatibility
+      include Devise::Models::DatabaseAuthenticatable
 
       included do
         has_many :old_passwords, as: :password_archivable, dependent: :destroy
-        before_update :archive_password
-        validate :validate_password_archive
+        before_update :archive_password, if: :will_save_change_to_encrypted_password?
+        validate :validate_password_archive, if: :password_present?
       end
 
+      delegate :present?, to: :password, prefix: true
+
       def validate_password_archive
-        errors.add(:password, :taken_in_past) if encrypted_password_changed? && password_archive_included?
+        errors.add(:password, :taken_in_past) if will_save_change_to_encrypted_password? && password_archive_included?
       end
 
-      # validate is the password used in the past
-      def password_archive_included?
-        unless deny_old_passwords.is_a? 1.class
-          if deny_old_passwords.is_a?(TrueClass) && archive_count > 0
-            self.deny_old_passwords = archive_count
-          else
-            self.deny_old_passwords = 0
-          end
-        end
-
-        if self.class.deny_old_passwords > 0 && !self.password.nil?
-          old_passwords_including_cur_change = self.old_passwords.order(:id).reverse_order.limit(self.class.deny_old_passwords).to_a
-          old_passwords_including_cur_change << OldPassword.new(old_password_params)  # include most recent change in list, but don't save it yet!
-          old_passwords_including_cur_change.each do |old_password|
-            dummy                    = self.class.new
-            dummy.encrypted_password = old_password.encrypted_password
-            return true if dummy.valid_password?(password)
-          end
+      # @return [Integer] max number of old passwords to store and check
+      def max_old_passwords
+        case deny_old_passwords
+        when true
+          [1, archive_count].max
+        when false
+          0
+        else
+          deny_old_passwords.to_i
         end
-
-        false
       end
 
-      def password_changed_to_same?
-        pass_change = encrypted_password_change
-        pass_change && pass_change.first == pass_change.last
+      # validate is the password used in the past
+      # @return [true] if current password was used previously
+      # @return [false] if disabled or not previously used
+      def password_archive_included?
+        return false unless max_old_passwords > 0
+        old_passwords_including_cur_change = old_passwords.order(:id).reverse_order.limit(max_old_passwords).pluck(:encrypted_password)
+        old_passwords_including_cur_change << encrypted_password_was # include most recent change in list, but don't save it yet!
+        old_passwords_including_cur_change.any? do |old_password|
+          self.class.new(encrypted_password: old_password).valid_password?(password)
+        end
       end
 
       def deny_old_passwords
@@ -58,20 +60,14 @@ module Devise
 
       # archive the last password before save and delete all to old passwords from archive
       def archive_password
-        if encrypted_password_changed?
-          if archive_count.to_i > 0
-            old_passwords.create! old_password_params
-            old_passwords.order(:id).reverse_order.offset(archive_count).destroy_all
-          else
-            old_passwords.destroy_all
-          end
+        if max_old_passwords > 0
+          old_passwords.create!(encrypted_password: encrypted_password_was) if encrypted_password_was.present?
+          old_passwords.order(:id).reverse_order.offset(max_old_passwords).destroy_all
+        else
+          old_passwords.destroy_all
         end
       end
 
-      def old_password_params
-        { encrypted_password: encrypted_password_change.first }
-      end
-
       module ClassMethods
         ::Devise::Models.config(self, :password_archiving_count, :deny_old_passwords)
       end

data/lib/devise-security/models/password_expirable.rb

@@ -24,7 +24,7 @@ module Devise
       def need_change_password!
         if expired_password_after_numeric?
           need_change_password
-          self.save(:validate => false)
+          self.save(validate: false)
         end
       end
 

data/lib/devise-security/models/secure_validatable.rb

@@ -1,3 +1,5 @@
+require_relative 'compatibility'
+
 module Devise
   module Models
     # SecureValidatable creates better validations with more validation for security
@@ -11,6 +13,7 @@ module Devise
     #   * +password_regex+: need strong password. Defaults to /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
     #
     module SecureValidatable
+      include Devise::Models::Compatibility
 
       def self.included(base)
         base.extend ClassMethods
@@ -23,27 +26,27 @@ module Devise
           unless has_uniqueness_validation_of_login?
             validation_condition = "#{login_attribute}_changed?".to_sym
 
-            validates login_attribute, :uniqueness => {
-                                          :scope          => authentication_keys[1..-1],
-                                          :case_sensitive => !!case_insensitive_keys
+            validates login_attribute, uniqueness: {
+                                          scope:          authentication_keys[1..-1],
+                                          case_sensitive: !!case_insensitive_keys
                                         },
-                                        :if => validation_condition
+                                        if: validation_condition
 
             already_validated_email = login_attribute.to_s == 'email'
           end
 
           unless devise_validation_enabled?
-            validates :email, :presence => true, :if => :email_required?
+            validates :email, presence: true, if: :email_required?
             unless already_validated_email
-              validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
+              validates :email, uniqueness: true, allow_blank: true, if: :email_changed? # check uniq for email ever
             end
 
-            validates :password, :presence => true, :length => password_length, :confirmation => true, :if => :password_required?
+            validates :password, presence: true, length: password_length, confirmation: true, if: :password_required?
           end
 
           # extra validations
-          validates :email,    :email  => email_validation if email_validation # use rails_email_validator or similar
-          validates :password, :format => { :with => password_regex, :message => :password_format }, :if => :password_required?
+          validates :email, email: email_validation if email_validation # use rails_email_validator or similar
+          validates :password, format: { with: password_regex, message: :password_format }, if: :password_required?
 
           # don't allow use same password
           validate :current_equal_password_validation
@@ -55,12 +58,11 @@ module Devise
       end
 
       def current_equal_password_validation
-        if !self.new_record? && !self.encrypted_password_change.nil?
-          dummy = self.class.new
-          dummy.encrypted_password = self.encrypted_password_change.first
-          dummy.password_salt = self.password_salt_change.first if self.respond_to?(:password_salt_change) && !self.password_salt_change.nil?
-          self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(self.password)
+        return if new_record? || !will_save_change_to_encrypted_password? || password.blank?
+        dummy = self.class.new(encrypted_password: encrypted_password_was).tap do |user|
+          user.password_salt = password_salt_was if respond_to?(:password_salt)
         end
+        self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
       end
 
       protected

data/lib/devise-security/models/security_questionable.rb

@@ -12,7 +12,6 @@ module Devise
     # f.text_field :security_question_answer
     module SecurityQuestionable
       extend ActiveSupport::Concern
-
     end
   end
-end
+end

data/lib/devise-security/models/session_limitable.rb

@@ -5,7 +5,7 @@ module Devise
     # SessionLimited ensures, that there is only one session usable per account at once.
     # If someone logs in, and some other is logging in with the same credentials,
     # the session from the first one is invalidated and not usable anymore.
-    # The first one is redirected to the sign page with a message, telling that 
+    # The first one is redirected to the sign page with a message, telling that
     # someone used his credentials to sign in.
     module SessionLimitable
       extend ActiveSupport::Concern
@@ -13,9 +13,9 @@ module Devise
       def update_unique_session_id!(unique_session_id)
         self.unique_session_id = unique_session_id
 
-        save(:validate => false)
+        save(validate: false)
       end
 
     end
   end
-end
+end

data/lib/devise-security/orm/active_record.rb

@@ -9,12 +9,10 @@ module DeviseSecurity
     module ActiveRecord
       module Schema
         include DeviseSecurity::Schema
-
-
       end
     end
   end
 end
 
 ActiveRecord::ConnectionAdapters::Table.send :include, DeviseSecurity::Orm::ActiveRecord::Schema
-ActiveRecord::ConnectionAdapters::TableDefinition.send :include, DeviseSecurity::Orm::ActiveRecord::Schema
+ActiveRecord::ConnectionAdapters::TableDefinition.send :include, DeviseSecurity::Orm::ActiveRecord::Schema

data/lib/devise-security/patches/confirmations_controller_captcha.rb

@@ -7,13 +7,13 @@ module DeviseSecurity::Patches
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
           if successfully_sent?(resource)
-            respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+            respond_with({}, location: after_resending_confirmation_instructions_path_for(resource_name))
           else
             respond_with(resource)
           end
         else
           flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
-          respond_with({}, :location => new_confirmation_path(resource_name))
+          respond_with({}, location: new_confirmation_path(resource_name))
         end
       end
     end