devise-security 0.12.0 → 0.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ccd3b9a01ec2f531013bbed8d14cbf3131f2630d2c2d1a56d119268f1aa696c
-  data.tar.gz: f9305b860b267fd4f49dc724864d1d822c1e4d0f952be56f78d02d1c6b1a1b3c
+  metadata.gz: 85c4ba49803f532f05e0068cb2c2277385945e50af8afc92afd7fc2d11952872
+  data.tar.gz: 5267a9c636fe9dd641f1743e0d21d36a925c89878b91fb9c04e922a04719cd00
 SHA512:
-  metadata.gz: f176d4afaee6b712cc7fa83c234cca6f286729f8a03660c33d10cf5cd363f49f70e56440f3e9e960f275ef4f7b2a846f60984af73e46e55f73266b431314cee1
-  data.tar.gz: 00e810e6e1c6c1845cc67d534206378c111499f09bb849a8d4129b20bc4c52a89b9261cfaf07ec7bb243995cc016f50f26c99eba29a9c1c148b3d9ec8b6632c5
+  metadata.gz: d0155aafc0542df604d7c5f9c4041cb61b845942e321b818af1d0295196ab964ba1ef180061d6c2b2268091d6a47289e97bc6762fe6af6f0c5c4a32e1e4a9769
+  data.tar.gz: 958fac64a85c9cd791146c832d8a586b0c2a14ae0e561a828bef4766a97002910d033d84854b206e28d7ebb2c13a7b6e416044ccdcefb16afdff541a059e1500

data/.codeclimate.yml

@@ -0,0 +1,63 @@
+version: "2"
+checks:
+  argument-count:
+    enabled: true
+    config:
+      threshold: 4
+  complex-logic:
+    enabled: true
+    config:
+      threshold: 4
+  file-lines:
+    enabled: true
+    config:
+      threshold: 250
+  method-complexity:
+    enabled: true
+    config:
+      threshold: 5
+  method-count:
+    enabled: true
+    config:
+      threshold: 20
+  method-lines:
+    enabled: true
+    config:
+      threshold: 25
+  nested-control-flow:
+    enabled: true
+    config:
+      threshold: 4
+  return-statements:
+    enabled: true
+    config:
+      threshold: 4
+  similar-code:
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
+  identical-code:
+    enabled: true
+    config:
+      threshold: #language-specific defaults. overrides affect all languages.
+plugins:
+ rubocop:
+  enabled: true
+  channel: rubocop-0-58
+ markdownlint:
+  enabled: true
+ brakeman:
+  enabled: true
+exclude_patterns:
+- "config/"
+- "db/"
+- "dist/"
+- "features/"
+- "**/node_modules/"
+- "script/"
+- "**/spec/"
+- "**/test/"
+- "**/tests/"
+- "**/vendor/"
+- "**/*.d.ts"
+- "gemfiles/"

data/.gitignore

@@ -38,3 +38,5 @@ test/tmp/*
 *.gem
 Gemfile.lock
 *.lock
+bin/*
+.yardoc

data/.mdlrc

@@ -0,0 +1 @@
+rules "~MD013"

data/.rubocop.yml

@@ -6,6 +6,7 @@ AllCops:
     - 'lib/tasks/**/*'
   Exclude:
     - Gemfile*
+    - README
     - 'db/**/*'
     - 'config/**/*'
     - 'bin/**/*'
@@ -21,7 +22,7 @@ Metrics/MethodLength:
   Enabled: false
 
 Metrics/LineLength:
-  Max: 100
+  Enabled: false
 
 Naming/FileName:
   Exclude: ["devise-security.gemspec"]

data/.ruby-version

@@ -1 +1 @@
-2.2.9
+2.3.7

data/.travis.yml

@@ -1,25 +1,23 @@
 language: ruby
-before_install: gem install bundler && bundler -v
+before_install: gem install bundler && bundle -v
 install: bundle install --jobs=3 --retry=3
 before_script: bundle install
 script: bundle exec rake
 rvm:
-  - 2.2.9
-  - 2.3.6
-  - 2.4.3
-  - 2.5.0
+  - 2.3.7
+  - 2.4.4
+  - 2.5.1
   - ruby-head
 matrix:
   allow_failures:
     - rvm: ruby-head
     - gemfile: gemfiles/rails_5.2_rc1.gemfile
-    - rvm: 2.4.3
-      gemfile: gemfiles/rails_4.1_stable.gemfile
-    - rvm: 2.5.0
-      gemfile: gemfiles/rails_4.1_stable.gemfile
+    - rvm: 2.4.4
+      gemfile: gemfiles/rails_4.2_stable.gemfile
+    - rvm: 2.5.1
+      gemfile: gemfiles/rails_4.2_stable.gemfile
 gemfile:
-  - gemfiles/rails_4.1_stable.gemfile
   - gemfiles/rails_4.2_stable.gemfile
   - gemfiles/rails_5.0_stable.gemfile
   - gemfiles/rails_5.1_stable.gemfile
-  - gemfiles/rails_5.2_rc1.gemfile
+  - gemfiles/rails_5.2.0.gemfile

data/Appraisals

@@ -14,6 +14,6 @@ appraise 'rails-5.1-stable' do
   gem 'rails', '~> 5.1.0'
 end
 
-appraise 'rails-5.2-rc1' do
-  gem 'rails', '~> 5.2.0.rc1'
+appraise 'rails-5.2.0' do
+  gem 'rails', '~> 5.2.0'
 end

data/README.md

@@ -1,30 +1,28 @@
 # Devise Security
 
-[![Build Status](https://travis-ci.org/devise-security/devise-security.svg?branch=master)](https://travis-ci.org/devise-security/devise-security)
-[![Coverage Status](https://coveralls.io/repos/github/devise-security/devise-security/badge.svg?branch=master)](https://coveralls.io/github/devise-security/devise-security?branch=master)
-[![Maintainability](https://api.codeclimate.com/v1/badges/ace7cd003a0db8bffa5a/maintainability)](https://codeclimate.com/github/devise-security/devise-security/maintainability)
+[![Build Status](https://travis-ci.org/devise-security/devise-security.svg?branch=master)](https://travis-ci.org/devise-security/devise-security)[![Coverage Status](https://coveralls.io/repos/github/devise-security/devise-security/badge.svg?branch=master)](https://coveralls.io/github/devise-security/devise-security?branch=master)[![Maintainability](https://api.codeclimate.com/v1/badges/ace7cd003a0db8bffa5a/maintainability)](https://codeclimate.com/github/devise-security/devise-security/maintainability)
 
 A [Devise](https://github.com/plataformatec/devise) extension to add additional security features required by modern web applications. Forked from [Devise Security Extension](https://github.com/phatworx/devise_security_extension)
 
 It is composed of 7 additional Devise modules:
 
-* `:password_expirable` - passwords will expire after a configured time (and will need an update). You will most likely want to use `:password_expirable` together with the `:password_archivable` module to [prevent the current expired password being reused](https://github.com/phatworx/devise_security_extension/issues/175) immediately as the new password.
-* `:secure_validatable` - better way to validate a model (email, stronger password validation). Don't use with Devise `:validatable` module!
-* `:password_archivable` - save used passwords in an `old_passwords` table for history checks (don't be able to use a formerly used password)
-* `:session_limitable` - ensures, that there is only one session usable per account at once
-* `:expirable` - expires a user account after x days of inactivity (default 90 days)
-* `:security_questionable` - as accessible substitution for captchas (security question with captcha fallback)
-* `:paranoid_verification` - admin can generate verification code that user needs to fill in otherwise he wont be able to use the application.
+- `:password_expirable` - passwords will expire after a configured time (and will need to be changed by the user). You will most likely want to use `:password_expirable` together with the `:password_archivable` module to [prevent the current expired password being reused](https://github.com/phatworx/devise_security_extension/issues/175) immediately as the new password.
+- `:secure_validatable` - better way to validate a model (email, stronger password validation). Don't use with Devise `:validatable` module!
+- `:password_archivable` - save used passwords in an `old_passwords` table for history checks (don't be able to use a formerly used password)
+- `:session_limitable` - ensures, that there is only one session usable per account at once
+- `:expirable` - expires a user account after x days of inactivity (default 90 days)
+- `:security_questionable` - as accessible substitution for captchas (security question with captcha fallback)
+- `:paranoid_verification` - admin can generate verification code that user needs to fill in otherwise he wont be able to use the application.
 
 Configuration and database schema for each module below.
 
 ## Additional features
 
-* **captcha support** for `sign_up`, `sign_in`, `recover` and `unlock` (to make automated mass creation and brute forcing of accounts harder)
+- **captcha support** for `sign_up`, `sign_in`, `recover` and `unlock` (to make automated mass creation and brute forcing of accounts harder)
 
 ## Getting started
 
-Devise Security works with Devise on Rails 4.1 onwards. You can add it to your Gemfile after you successfully set up Devise (see [Devise documentation](https://github.com/plataformatec/devise)) with:
+Devise Security works with Devise on Rails 4.2 onwards. You can add it to your Gemfile after you successfully set up Devise (see [Devise documentation](https://github.com/plataformatec/devise)) with:
 
 ```ruby
 gem 'devise-security'
@@ -38,18 +36,21 @@ After you installed Devise Security you need to run the generator:
 rails generate devise_security:install
 ```
 
-The generator adds optional configurations to `config/initializers/devise-security.rb`. Enable
-the modules you wish to use in the initializer you are ready to add Devise Security modules on top of Devise modules to any of your Devise models:
+The generator adds optional configurations to `config/initializers/devise-security.rb`. Enable the modules you wish to use in the initializer you are ready to add Devise Security modules on top of Devise modules to any of your Devise models:
 
 ```ruby
 devise :password_expirable, :secure_validatable, :password_archivable, :session_limitable, :expirable
 ```
 
-for `:secure_validatable` you need to add
+### E-mail Validation
 
-```ruby
-gem 'rails_email_validator'
-```
+for `:secure_validatable` you need to have a way to validate an e-mail. There are multiple libraries that support this, and even a way built into Ruby!
+
+[Ruby Constant](http://yogodoshi.com/ruby-already-has-its-own-regular-expression-to-validate-emails/)
+  * Note: This method would require a `email_validation` method to be defined in order to hook into the `validates` method defined here.
+[email_address](https://github.com/afair/email_address) gem
+[valid_email2](https://github.com/micke/valid_email2) gem
+[rails_email_validator](https://github.com/phatworx/rails_email_validator) gem (deprecated)
 
 ## Configuration
 
@@ -58,11 +59,14 @@ Devise.setup do |config|
   # ==> Security Extension
   # Configure security extension for devise
 
-  # Should the password expire (e.g 3.months)
-  # config.expire_password_after = 3.months
+  # Password expires after a configurable time (in seconds).
+  # Or expire passwords on demand by setting this configuration to `true`
+  # Use `user.need_password_change!` to expire a password.
+  # Setting the configuration to `false` will completely disable expiration checks.
+  # config.expire_password_after = 3.months | true | false
 
-  # Need 1 char of A-Z, a-z and 0-9
-  # config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol
+  # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
   # Number of old passwords in archive
   # config.password_archiving_count = 5
@@ -101,20 +105,26 @@ end
 ```
 
 ## Captcha-Support
+
 The captcha support depends on [EasyCaptcha](https://github.com/phatworx/easy_captcha). See further documentation there.
 
 ### Installation
 
 1. Add EasyCaptcha to your `Gemfile` with
+
 ```ruby
 gem 'easy_captcha'
 ```
-2. Run the initializer
+
+1. Run the initializer
+
 ```ruby
 rails generate easy_captcha:install
 ```
-3. Enable captcha - see "Configuration" of Devise Security above.
-4. Add the captcha in the generated devise views for each controller you have activated
+
+1. Enable captcha - see "Configuration" of Devise Security above.
+1. Add the captcha in the generated devise views for each controller you have activated
+
 ```erb
 <p><%= captcha_tag %></p>
 <p><%= text_field_tag :captcha %></p>
@@ -122,9 +132,10 @@ rails generate easy_captcha:install
 
 ## Schema
 
-Note: Unlike Devise, devise-security does not currently support mongoid.  Pull requests are welcome!
+Note: Unlike Devise, devise-security does not currently support mongoid. Pull requests are welcome!
 
 ### Password expirable
+
 ```ruby
 create_table :the_resources do |t|
   # other devise fields
@@ -134,7 +145,10 @@ end
 add_index :the_resources, :password_changed_at
 ```
 
+Note: setting `password_changed_at` to `nil` will require the user to change their password.
+
 ### Password archivable
+
 ```ruby
 create_table :old_passwords do |t|
   t.string :encrypted_password, null: false
@@ -147,6 +161,7 @@ add_index :old_passwords, [:password_archivable_type, :password_archivable_id],
 ```
 
 ### Session limitable
+
 ```ruby
 create_table :the_resources do |t|
   # other devise fields
@@ -156,6 +171,7 @@ end
 ```
 
 ### Expirable
+
 ```ruby
 create_table :the_resources do |t|
   # other devise fields
@@ -168,6 +184,7 @@ add_index :the_resources, :expired_at
 ```
 
 ### Paranoid verifiable
+
 ```ruby
 create_table :the_resources do |t|
   # other devise fields
@@ -180,7 +197,7 @@ add_index :the_resources, :paranoid_verification_code
 add_index :the_resources, :paranoid_verified_at
 ```
 
-[Documentation for Paranoid Verifiable module]( https://github.com/devise-security/devise-security/wiki/Paranoid-Verification)
+[Documentation for Paranoid Verifiable module](https://github.com/devise-security/devise-security/wiki/Paranoid-Verification)
 
 ### Security questionable
 
@@ -207,7 +224,6 @@ SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingstier?'
 SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblings-Reiseland?'
 ```
 
-
 ```ruby
 add_column :the_resources, :security_question_id, :integer
 add_column :the_resources, :security_question_answer, :string
@@ -226,42 +242,45 @@ end
 
 ## Requirements
 
-* Devise (https://github.com/plataformatec/devise)
-* Rails 4.1 onwards (http://github.com/rails/rails)
-* recommendations:
-  * `autocomplete-off` (http://github.com/phatworx/autocomplete-off)
-  * `easy_captcha` (http://github.com/phatworx/easy_captcha)
-  * `rails_email_validator` (http://github.com/phatworx/rails_email_validator)
-
+- Devise (<https://github.com/plataformatec/devise>)
+- Rails 4.2 onwards (<http://github.com/rails/rails>)
+- recommendations:
+  - `autocomplete-off` (<http://github.com/phatworx/autocomplete-off>)
+  - `easy_captcha` (<http://github.com/phatworx/easy_captcha>)
 
 ## Todo
 
-* see the github issues (feature requests)
+- see the github issues (feature requests)
 
 ## History
-* 0.1 expire passwords
-* 0.2 strong password validation
-* 0.3 password archivable with validation
-* 0.4 captcha support for sign_up, sign_in, recover and unlock
-* 0.5 session_limitable module
-* 0.6 expirable module
-* 0.7 security questionable module for recover and unlock
-* 0.8 Support for Rails 4 (+ variety of patches)
-* 0.11 Support for Rails 5. Forked to allow project maintenance and features
+
+- 0.1 expire passwords
+- 0.2 strong password validation
+- 0.3 password archivable with validation
+- 0.4 captcha support for sign_up, sign_in, recover and unlock
+- 0.5 session_limitable module
+- 0.6 expirable module
+- 0.7 security questionable module for recover and unlock
+- 0.8 Support for Rails 4 (+ variety of patches)
+- 0.11 Support for Rails 5. Forked to allow project maintenance and features
+
+See also [Github Releases](https://github.com/devise-security/devise-security/releases)
 
 ## Maintainers
 
-* Nate Bird (https://github.com/natebird)
+- Nate Bird (<https://github.com/natebird>)
+- Kevin Olbrich (<http://github.com/olbrich>)
+- Dillon Welch (<http://github.com/oniofchaos>)
 
 ## Contributing to devise-security
 
-* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
-* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
-* Fork the project
-* Start a feature/bugfix branch
-* Commit and push until you are happy with your contribution
-* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
-* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+- Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+- Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+- Fork the project
+- Start a feature/bugfix branch
+- Commit and push until you are happy with your contribution
+- Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+- Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
 
 ## Copyright
 

data/app/controllers/devise/paranoid_verification_code_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Devise::ParanoidVerificationCodeController < DeviseController
   skip_before_action :handle_paranoid_verification
   prepend_before_action :authenticate_scope!, only: [:show, :update]

data/app/controllers/devise/password_expired_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Devise::PasswordExpiredController < DeviseController
   skip_before_action :handle_password_change
   before_action :skip_password_change, only: [:show, :update]

data/config/locales/de.yml

@@ -3,7 +3,19 @@ de:
     messages:
       taken_in_past: 'wurde bereits in der Vergangenheit verwendet!'
       equal_to_current_password: 'darf nicht dem aktuellen Passwort entsprechen!'
-      password_format: 'müssen große, kleine Buchstaben und Ziffern enthalten'
+      password_complexity:
+        digit:
+          one: muss mindestens eine Nummer enthalten
+          other: muss mindestens %{count} Zahlen enthalten
+        lower:
+          one: muss mindestens eine Kleinbuchstabe enthalten
+          other: muss mindestens %{count} Kleinbuchstaben enthalten
+        symbol:
+          one: muss mindestens eine Satzzeichen enthalten
+          other: muss mindestens %{count} Satzzeichen enthalten
+        upper:
+          one: muss mindestens eine Großbuchstabe enthalten
+          other: muss mindestens %{count} Großbuchstaben enthalten
   devise:
     invalid_captcha: 'Die Captchaeingabe ist nicht gültig!'
     paranoid_verify:

data/config/locales/en.yml

@@ -3,7 +3,19 @@ en:
     messages:
       taken_in_past: 'was used previously.'
       equal_to_current_password: 'must be different than the current password.'
-      password_format: 'must contain big, small letters and digits'
+      password_complexity:
+        digit:
+          one: must contain at least one digit
+          other: must contain at least %{count} numerals
+        lower:
+          one: must contain at least one lower-case letter
+          other: must contain at least %{count} lower-case letters
+        symbol:
+          one: must contain at least one punctuation mark or symbol
+          other: must contain at least %{count} puncutation marks or symbols
+        upper:
+          one: must contain at least one upper-case letter
+          other: must contain at least %{count} upper-case letters
   devise:
     invalid_captcha: 'The captcha input was invalid.'
     invalid_security_question: 'The security question answer was invalid.'