devise-security 0.12.0 → 0.13.0

data/config/locales/es.yml

@@ -3,7 +3,19 @@ es:
     messages:
       taken_in_past: 'la contraseña fue usada previamente, favor elegir otra.'
       equal_to_current_password: 'tiene que ser diferente a la contraseña actual.'
-      password_format: 'tiene que contener mayúsculas, minúsculas y digitos '
+      password_complexity:
+        digit:
+          one: tiene que contener al menos un digito
+          other: tiene que contener al menos %{count} digitos
+        lower:
+          one: tiene que contener al menos un minúscula
+          other: tiene que contener al menos %{count} minúsculas
+        symbol:
+          one: tiene que contener al menos un signo de puntuación
+          other: tiene que contener al menos %{count} signos de puntuación
+        upper:
+          one: tiene que contener al menos un mayúscula
+          other: tiene que contener al menos %{count} mayúsculas
   devise:
     invalid_captcha: 'El captcha ingresado es inválido.'
     invalid_security_question: 'La respuesta a la pregunta de suguridad fue incorrecta.'

data/config/locales/fr.yml

@@ -0,0 +1,29 @@
+fr:
+  errors:
+    messages:
+      taken_in_past: a été utilisé trop récemment - s'il vous plaît, choisissez un autre
+      equal_to_current_password: doit être différent du l'actuel
+      password_complexity:
+        digit:
+          one: doit containir en moins d'un chiffre
+          other: doit containir en moins de %{count} chiffres
+        lower:
+          one: doit containir en moins d'un miniscule
+          other: doit containir en moins de %{count} miniscules
+        symbol:
+          one: doit containir en moins d'un signe de ponctuation
+          other: doit containir en moins de %{count} signes de ponctuation
+        upper:
+          one: doit containir en moins d'un majuscule
+          other: doit containir en moins de %{count} majuscules
+  devise:
+    invalid_captcha: Le captcha n'est pas valide
+    invalid_security_question: La réponse à la question de sécurité était invalide
+    paranoid_verify:
+      code_required: Veuillez entrer le code fourni par notre équipe de support
+    password_expired:
+      updated: Votre nouveau mot de passe est enregistré
+      change_required: Votre mot de passe a expiré - s'il vous plaît, choisissez un autre
+    failure:
+      session_limited: Vos identifiants de connexion ont été utilisés dans un autre navigateur. Veuillez vous reconnecter pour continuer dans ce navigateur
+      expired: Votre compte a expiré en raison de l'inactivité. Veuillez contacter l'administrateur du site

data/config/locales/tr.yml

@@ -0,0 +1,17 @@
+tr:
+  errors:
+    messages:
+      taken_in_past: "daha önce kullanıldı."
+      equal_to_current_password: "mevcut paroladan farklı olmalı."
+      password_format: "büyük, küçük harfler ve sayılar içermeli."
+  devise:
+    invalid_captcha: "Captcha hatalı."
+    invalid_security_question: "Güvenlik sorusunun cevabı yanlış."
+    paranoid_verify:
+      code_required: "Destek ekibimizden aldığınız kodu girin."
+    password_expired:
+      updated: "Yeni parolanız kaydedildi."
+      change_required: "Parolanızın geçerlilik süresi dolmuş. Lütfen parolanızı yenileyin."
+    failure:
+      session_limited: 'Hesabınıza başka bir tarayıcıdan giriş yapılmış. Lütfen devam etmek için yeniden giriş yapın.'
+      expired: 'Hesabınız aktif olarak kullanılmadığı için artık geçerli değil. Lütfen yönetici ile irtibata geçin.'

data/devise-security.gemspec

@@ -20,25 +20,25 @@ Gem::Specification.new do |s|
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- test/*`.split("\n")
   s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.2.9'
+  s.required_ruby_version = '>= 2.3.7'
 
   if RUBY_VERSION >= '2.4'
-    s.add_runtime_dependency 'rails', '>= 4.1.0', '< 6.0'
+    s.add_runtime_dependency 'rails', '>= 4.2.0', '< 6.0'
   else
-    s.add_runtime_dependency 'railties', '>= 4.1.0', '< 6.0'
+    s.add_runtime_dependency 'railties', '>= 4.2.0', '< 6.0'
   end
   s.add_runtime_dependency 'devise', '>= 4.2.0', '< 5.0'
 
   s.add_development_dependency 'appraisal'
-  s.add_development_dependency 'bundler', '>= 1.3.0', '< 2.0'
-  s.add_development_dependency 'coveralls', '~> 0.8'
-  s.add_development_dependency 'easy_captcha', '~> 0'
+  s.add_development_dependency 'bundler'
+  s.add_development_dependency 'coveralls'
+  s.add_development_dependency 'easy_captcha'
   s.add_development_dependency 'm'
-  s.add_development_dependency 'minitest', '5.10.3' # see https://github.com/seattlerb/minitest/issues/730
+  s.add_development_dependency 'minitest'
   s.add_development_dependency 'pry-byebug'
   s.add_development_dependency 'pry-rescue'
   s.add_development_dependency 'pry'
-  s.add_development_dependency 'rails_email_validator', '~> 0'
-  s.add_development_dependency 'rubocop', '~> 0'
-  s.add_development_dependency 'sqlite3', '~> 1.3', '>= 1.3.10'
+  s.add_development_dependency 'rails_email_validator'
+  s.add_development_dependency 'rubocop', '~> 0.58.0'
+  s.add_development_dependency 'sqlite3'
 end

data/gemfiles/{rails_4.1_stable.gemfile → rails_5.2.0.gemfile}

@@ -3,6 +3,6 @@
 source "https://rubygems.org"
 
 gem "omniauth"
-gem "rails", "~> 4.1.0"
+gem "rails", "~> 5.2.0"
 
 gemspec path: "../"

data/lib/devise-security.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_record'
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
@@ -6,13 +8,15 @@ require 'devise'
 
 module Devise
 
-  # Should the password expire (e.g 3.months)
+  # Number of seconds that passwords are valid (e.g 3.months)
+  # Disable pasword expiration with +false+
+  # Expire only on demand with +true+
   mattr_accessor :expire_password_after
   @@expire_password_after = 3.months
 
   # Validate password for strongness
-  mattr_accessor :password_regex
-  @@password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+  mattr_accessor :password_complexity
+  @@password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
   # Number of old passwords in archive
   mattr_accessor :password_archiving_count
@@ -23,7 +27,7 @@ module Devise
   @@deny_old_passwords = true
 
   # enable email validation for :secure_validatable. (true, false, validation_options)
-  # dependency: need an email validator like rails_email_validator
+  # dependency: need an email validator, see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
   mattr_accessor :email_validation
   @@email_validation = true
 

data/lib/devise-security/controllers/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DeviseSecurity
   module Controllers
     module Helpers

data/lib/devise-security/hooks/expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Updates the last_activity_at fields from the record. Only when the user is active 
 # for authentication and authenticated.
 # An expiry of the account is only checked on sign in OR on manually setting the 
@@ -7,4 +9,4 @@ Warden::Manager.after_set_user do |record, warden, options|
       warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activity!)
     record.update_last_activity!
   end
-end
+end

data/lib/devise-security/hooks/paranoid_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_set_user do |record, warden, options|
   if record.respond_to?(:need_paranoid_verification?)
     warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?

data/lib/devise-security/hooks/password_expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_authentication do |record, warden, options|
   if record.respond_to?(:need_change_password?)
     warden.session(options[:scope])['password_expired'] = record.need_change_password?

data/lib/devise-security/hooks/session_limitable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # After each sign in, update unique_session_id.
 # This is only triggered when the user is explicitly set (with set_user)
 # and on authentication. Retrieving the user from session (:fetch) does

data/lib/devise-security/models/compatibility.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     module Compatibility

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     module DatabaseAuthenticatablePatch

data/lib/devise-security/models/expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/expirable'
 
 module Devise

data/lib/devise-security/models/old_password.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'active_record'
 class OldPassword < ActiveRecord::Base
   belongs_to :password_archivable, polymorphic: true

data/lib/devise-security/models/paranoid_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/paranoid_verification'
 
 module Devise

data/lib/devise-security/models/password_archivable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative 'compatibility'
 
 module Devise

data/lib/devise-security/models/password_expirable.rb

@@ -1,67 +1,113 @@
-require 'devise-security/hooks/password_expirable'
+# frozen_string_literal: true
 
-module Devise
-  module Models
+require 'devise-security/hooks/password_expirable'
 
-    # PasswordExpirable takes care of change password after
-    module PasswordExpirable
-      extend ActiveSupport::Concern
+module Devise::Models
+  # PasswordExpirable makes passwords expire after a configurable amount of
+  # time, or on demand.
+  #
+  # == Configuration
+  # Set +expire_password_after+ to the number of seconds a password is valid for
+  # (example: +3.months+). Setting it to +true+ will allow passwords to be expired
+  # on-demand only, and +false+ disables this feature.
+  #
+  # == Expire On-Demand
+  # This is useful to force users to change passwords for complex business reasons.
+  # Call +need_change_password+ to indicate a record needs a new password.
+  module PasswordExpirable
+    extend ActiveSupport::Concern
 
-      included do
-        before_save :update_password_changed
-      end
+    included do
+      scope :with_password_change_requested, -> { where(password_changed_at: nil) }
+      scope :without_password_change_requested, -> { where.not(password_changed_at: nil) }
+      scope :with_expired_password, -> { where('password_changed_at is NULL OR password_changed_at < ?', expire_password_after.seconds.ago) }
+      scope :without_expired_password, -> { without_password_change_requested.where('password_changed_at >= ?', expire_password_after.seconds.ago) }
+      before_save :update_password_changed
+    end
 
-      # is an password change required?
-      def need_change_password?
-        if expired_password_after_numeric?
-          self.password_changed_at.nil? || self.password_changed_at < self.expire_password_after.seconds.ago
-        else
-          false
-        end
-      end
+    # Is a password change required?
+    # @return [Boolean]
+    # @return [true] if +password_changed_at+ has not been set or if it is old
+    #   enough based on +expire_password_after+ configuration.
+    def need_change_password?
+      password_change_requested? || password_too_old?
+    end
 
-      # set a fake datetime so a password change is needed and save the record
-      def need_change_password!
-        if expired_password_after_numeric?
-          need_change_password
-          self.save(validate: false)
-        end
-      end
+    # Clear the +password_changed_at+ field so that the user will be required to
+    # update their password.
+    # @note Saves the record (without validations)
+    # @return [Boolean]
+    def need_change_password!
+      return unless password_expiration_enabled?
+      need_change_password
+      save(validate: false)
+    end
+    alias expire_password! need_change_password!
+    alias request_password_change! need_change_password!
 
-      # set a fake datetime so a password change is needed
-      def need_change_password
-        if expired_password_after_numeric?
-          self.password_changed_at = self.expire_password_after.seconds.ago
-        end
+    # Clear the +password_changed_at+ field so that the user will be required to
+    #   update their password.
+    # @note Does not save the record
+    # @return [void]
+    def need_change_password
+      return unless password_expiration_enabled?
+      self.password_changed_at = nil
+    end
+    alias expire_password need_change_password
+    alias request_password_change need_change_password
 
-        # is date not set it will set default to need set new password next login
-        need_change_password if self.password_changed_at.nil?
+    # @return [Integer] number of seconds passwords are valid for
+    # @return [true] passwords are expired 'on demand' only.
+    # @return [false] passwords never expire (this feature is disabled)
+    def expire_password_after
+      self.class.expire_password_after
+    end
 
-        self.password_changed_at
-      end
+    # When +password_changed_at+ is set to +NULL+ in the database
+    # the user is required to change their password.  This only happens
+    # on demand or when the column is first added to the table.
+    # @return [Boolean]
+    def password_change_requested?
+      return false unless password_expiration_enabled?
+      return false if new_record?
+      password_changed_at.nil?
+    end
 
-      def expire_password_after
-        self.class.expire_password_after
-      end
+    # Is this password older than the configured expiration timeout?
+    # @return [Boolean]
+    def password_too_old?
+      return false if new_record?
+      return false unless password_expiration_enabled?
+      return false if expire_password_on_demand?
+      password_changed_at < expire_password_after.seconds.ago
+    end
+    alias password_expired? password_too_old?
 
-      private
+    private
 
-        # is password changed then update password_cahanged_at
-        def update_password_changed
-          self.password_changed_at = Time.now if (self.new_record? || self.encrypted_password_changed?) && !self.password_changed_at_changed?
-        end
+    # Update +password_changed_at+ for new records and changed passwords.
+    # @note called as a +before_save+ hook
+    def update_password_changed
+      return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+      self.password_changed_at = Time.zone.now
+    end
 
-        def expired_password_after_numeric?
-          return @_numeric if defined?(@_numeric)
-          @_numeric ||= self.expire_password_after.is_a?(1.class) ||
-            self.expire_password_after.is_a?(Float)
-        end
+    # Enabled if configuration +expire_password_after+ is set to an {Integer},
+    # {Float}, or {true}
+    def password_expiration_enabled?
+      expire_password_after.is_a?(1.class) ||
+        expire_password_after.is_a?(Float) ||
+        expire_password_on_demand?
+    end
 
-      module ClassMethods
-        ::Devise::Models.config(self, :expire_password_after)
-      end
+    # When +expire_password_after+ is set to +true+ then only expire passwords
+    # on demand.
+    def expire_password_on_demand?
+      expire_password_after.present? && expire_password_after == true
     end
 
+    module ClassMethods
+      ::Devise::Models.config(self, :expire_password_after)
+    end
   end
-
 end

data/lib/devise-security/models/secure_validatable.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require_relative 'compatibility'
+require_relative '../validators/password_complexity_validator'
 
 module Devise
   module Models
@@ -45,8 +48,10 @@ module Devise
           end
 
           # extra validations
-          validates :email, email: email_validation if email_validation # use rails_email_validator or similar
-          validates :password, format: { with: password_regex, message: :password_format }, if: :password_required?
+          validates :email, email: email_validation if email_validation # see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
+          validates :password,
+                    'devise_security/password_complexity': password_complexity,
+                    if: :password_required?
 
           # don't allow use same password
           validate :current_equal_password_validation
@@ -79,9 +84,10 @@ module Devise
       end
 
       module ClassMethods
-        Devise::Models.config(self, :password_regex, :password_length, :email_validation)
+        Devise::Models.config(self, :password_complexity, :password_length, :email_validation)
+
+        private
 
-      private
         def has_uniqueness_validation_of_login?
           validators.any? do |validator|
             validator.kind_of?(ActiveRecord::Validations::UniquenessValidator) &&

data/lib/devise-security/models/security_questionable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     # SecurityQuestionable is an accessible add-on for visually handicapped people,

data/lib/devise-security/models/session_limitable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/session_limitable'
 
 module Devise

data/lib/devise-security/orm/active_record.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DeviseSecurity
   module Orm
     # This module contains some helpers and handle schema (migrations):