devise-security 0.12.0 → 0.16.0

data/lib/devise-security/controllers/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DeviseSecurity
   module Controllers
     module Helpers
@@ -38,71 +40,80 @@ module DeviseSecurity
 
       # controller instance methods
 
-        private
-
-        # lookup if an password change needed
-        def handle_password_change
-          return if warden.nil?
-
-          if !devise_controller? && !ignore_password_expire? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['password_expired']
-                # re-check to avoid infinite loop if date changed after login attempt
-                if send(:"current_#{scope}").try(:need_change_password?)
-                  store_location_for(scope, request.original_fullpath) if request.get?
-                  redirect_for_password_change scope
-                  return
-                else
-                  warden.session(scope)[:password_expired] = false
-                end
+      private
+
+      # Called as a `before_action` on all actions on any controller that uses
+      # this helper. If the user's session is marked as having an expired
+      # password we double check in case it has been changed by another process,
+      # then redirect to the password change url.
+      #
+      # @note `Warden::Manager.after_authentication` is run AFTER this method
+      #
+      # @note Once the warden session has `'password_expired'` set to `false`,
+      #    it will **never** be checked again until the user re-logs in.
+      def handle_password_change
+        return if warden.nil?
+
+        if !devise_controller? &&
+           !ignore_password_expire? &&
+           !request.format.nil? &&
+           request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['password_expired'] == true
+              if send(:"current_#{scope}").try(:need_change_password?)
+                store_location_for(scope, request.original_fullpath) if request.get?
+                redirect_for_password_change(scope)
+              else
+                warden.session(scope)['password_expired'] = false
               end
             end
           end
         end
+      end
 
-        # lookup if extra (paranoid) code verification is needed
-        def handle_paranoid_verification
-          return if warden.nil?
+      # lookup if extra (paranoid) code verification is needed
+      def handle_paranoid_verification
+        return if warden.nil?
 
-          if !devise_controller? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
-                store_location_for(scope, request.original_fullpath) if request.get?
-                redirect_for_paranoid_verification scope
-                return
-              end
+        if !devise_controller? && !request.format.nil? && request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+              store_location_for(scope, request.original_fullpath) if request.get?
+              redirect_for_paranoid_verification scope
+              return
             end
           end
         end
+      end
 
-        # redirect for password update with alert message
-        def redirect_for_password_change(scope)
-          redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', {scope: 'devise.password_expired'})
-        end
+      # redirect for password update with alert message
+      def redirect_for_password_change(scope)
+        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', scope: 'devise.password_expired')
+      end
 
-        def redirect_for_paranoid_verification(scope)
-          redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', {scope: 'devise.paranoid_verify'})
-        end
+      def redirect_for_paranoid_verification(scope)
+        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', scope: 'devise.paranoid_verify')
+      end
 
-        # path for change password
-        def change_password_required_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_password_expired_path"
-          send(change_path)
-        end
+      # path for change password
+      def change_password_required_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_password_expired_path"
+        send(change_path)
+      end
 
-        def paranoid_verification_code_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_paranoid_verification_code_path"
-          send(change_path)
-        end
+      def paranoid_verification_code_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_paranoid_verification_code_path"
+        send(change_path)
+      end
 
-        protected
+      protected
 
-        # allow to overwrite for some special handlings
-        def ignore_password_expire?
-          false
-        end
+      # allow to overwrite for some special handlings
+      def ignore_password_expire?
+        false
+      end
     end
   end
 end

data/lib/devise-security/hooks/expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Updates the last_activity_at fields from the record. Only when the user is active 
 # for authentication and authenticated.
 # An expiry of the account is only checked on sign in OR on manually setting the 
@@ -7,4 +9,4 @@ Warden::Manager.after_set_user do |record, warden, options|
       warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activity!)
     record.update_last_activity!
   end
-end
+end

data/lib/devise-security/hooks/paranoid_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_set_user do |record, warden, options|
   if record.respond_to?(:need_paranoid_verification?)
     warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?

data/lib/devise-security/hooks/password_expirable.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+# @note This happens after
+#   {DeviseSecurity::Controller::Helpers#handle_password_change}
 Warden::Manager.after_authentication do |record, warden, options|
   if record.respond_to?(:need_change_password?)
     warden.session(options[:scope])['password_expired'] = record.need_change_password?

data/lib/devise-security/hooks/session_limitable.rb

@@ -1,24 +1,41 @@
-# After each sign in, update unique_session_id.
-# This is only triggered when the user is explicitly set (with set_user)
-# and on authentication. Retrieving the user from session (:fetch) does
-# not trigger it.
+# frozen_string_literal: true
+
+# After each sign in, update unique_session_id. This is only triggered when the
+# user is explicitly set (with set_user) and on authentication. Retrieving the
+# user from session (:fetch) does not trigger it.
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
-    unique_session_id = Devise.friendly_token
-    warden.session(options[:scope])['unique_session_id'] = unique_session_id
-    record.update_unique_session_id!(unique_session_id)
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(options[:scope]) &&
+     !record.skip_session_limitable?
+
+     if !options[:skip_session_limitable]
+      unique_session_id = Devise.friendly_token
+      warden.session(options[:scope])['unique_session_id'] = unique_session_id
+      record.update_unique_session_id!(unique_session_id)
+     else
+      warden.session(options[:scope])['devise.skip_session_limitable'] = true
+     end
   end
 end
 
-# Each time a record is fetched from session we check if a new session from another
-# browser was opened for the record or not, based on a unique session identifier.
-# If so, the old account is logged out and redirected to the sign in page on the next request.
+# Each time a record is fetched from session we check if a new session from
+# another browser was opened for the record or not, based on a unique session
+# identifier. If so, the old account is logged out and redirected to the sign in
+# page on the next request.
 Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
-  env   = warden.request.env
 
-  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
-    if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(scope) &&
+     options[:store] != false
+    if record.unique_session_id != warden.session(scope)['unique_session_id'] &&
+       !record.skip_session_limitable? && 
+       !warden.session(scope)['devise.skip_session_limitable']
+      Rails.logger.warn do
+        '[devise-security][session_limitable] session id mismatch: '\
+        "expected=#{record.unique_session_id.inspect} "\
+        "actual=#{warden.session(scope)['unique_session_id'].inspect}"
+      end
       warden.raw_session.clear
       warden.logout(scope)
       throw :warden, scope: scope, message: :session_limited

data/lib/devise-security/models/active_record/old_password.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class OldPassword < ApplicationRecord
+  belongs_to :password_archivable, polymorphic: true
+end

data/lib/devise-security/models/compatibility/active_record_patch.rb

@@ -0,0 +1,40 @@
+module Devise
+  module Models
+    module Compatibility
+
+      class NotPersistedError < ActiveRecord::ActiveRecordError; end
+
+      module ActiveRecordPatch
+        extend ActiveSupport::Concern
+        unless Devise.activerecord51?
+          # When the record was saved, was the +encrypted_password+ changed?
+          # @return [Boolean]
+          def saved_change_to_encrypted_password?
+            encrypted_password_changed?
+          end
+
+          # The encrypted password that existed before the record was saved
+          # @return [String]
+          # @return [nil] if an +encrypted_password+ had not been set
+          def encrypted_password_before_last_save
+            previous_changes['encrypted_password'].try(:first)
+          end
+
+          # When the record is saved, will the +encrypted_password+ be changed?
+          # @return [Boolean]
+          def will_save_change_to_encrypted_password?
+            changed_attributes['encrypted_password'].present?
+          end
+        end
+
+        # Updates the record with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          update_column(name, value)
+        end
+
+      end
+    end
+  end
+end

data/lib/devise-security/models/compatibility/mongoid_patch.rb

@@ -0,0 +1,31 @@
+module Devise
+  module Models
+    module Compatibility
+
+      class NotPersistedError < Mongoid::Errors::MongoidError; end
+
+      module MongoidPatch
+        extend ActiveSupport::Concern
+
+        # Will saving this record change the +email+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_email?
+          changed.include? 'email'
+        end
+
+        # Will saving this record change the +encrypted_password+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_encrypted_password?
+          changed.include? 'encrypted_password'
+        end
+
+        # Updates the document with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          set(Hash[*[name, value]])
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/compatibility.rb

@@ -1,22 +1,15 @@
+# frozen_string_literal: true
+
+require_relative "compatibility/#{DEVISE_ORM}_patch"
+
 module Devise
   module Models
+    # These compatibility modules define methods used by devise-security
+    # that may need to be defined or re-defined for compatibility between ORMs
+    # and/or older versions of ORMs.
     module Compatibility
       extend ActiveSupport::Concern
-
-      # for backwards compatibility with Rails < 5.1.x
-      unless Devise.activerecord51?
-        def saved_change_to_encrypted_password?
-          encrypted_password_changed?
-        end
-
-        def encrypted_password_before_last_save
-          previous_changes['encrypted_password'].try(:first)
-        end
-
-        def will_save_change_to_encrypted_password?
-          changed_attributes['encrypted_password'].present?
-        end
-      end
+      include "Devise::Models::Compatibility::#{DEVISE_ORM.to_s.classify}Patch".constantize
     end
   end
 end

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     module DatabaseAuthenticatablePatch
@@ -8,7 +10,7 @@ module Devise
         new_password_confirmation = params[:password_confirmation]
 
         result = if valid_password?(current_password) && new_password.present? && new_password_confirmation.present?
-          update_attributes(params, *options)
+          update(params, *options)
         else
           self.assign_attributes(params, *options)
           self.valid?

data/lib/devise-security/models/expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/expirable'
 
 module Devise
@@ -20,7 +22,11 @@ module Devise
 
       # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
       def update_last_activity!
-        self.update_column(:last_activity_at, Time.now.utc)
+        if respond_to?(:update_column)
+          self.update_column(:last_activity_at, Time.now.utc)
+        elsif defined? Mongoid
+          self.update_attribute(:last_activity_at, Time.now.utc)
+        end
       end
 
       # Tells if the account has expired
@@ -101,7 +107,7 @@ module Devise
         # @example Overwritten version to blank out the object.
         #   def self.delete_all_expired_for(time = 90.days)
         #     expired_for(time).each do |u|
-        #       u.update_attributes first_name: nil, last_name: nil
+        #       u.update first_name: nil, last_name: nil
         #     end
         #   end
         def delete_all_expired_for(time)

data/lib/devise-security/models/mongoid/old_password.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class OldPassword
+  include Mongoid::Document
+
+  ## Database authenticatable
+  field :encrypted_password, type: String
+  validates_presence_of :encrypted_password
+  field :password_salt, type: String
+
+  field :password_archivable_type, type: String
+  validates_presence_of :password_archivable_type
+
+  field :password_archivable_id, type: String
+  validates_presence_of :password_archivable_id
+  index({ password_archivable_type: 1, password_archivable_id: 1 }, name: 'index_password_archivable')
+
+  include Mongoid::Timestamps
+
+  belongs_to :password_archivable, polymorphic: true
+end

data/lib/devise-security/models/paranoid_verification.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/paranoid_verification'
 
 module Devise

data/lib/devise-security/models/password_archivable.rb

@@ -1,4 +1,7 @@
+# frozen_string_literal: true
+
 require_relative 'compatibility'
+require_relative "#{DEVISE_ORM}/old_password"
 
 module Devise
   module Models
@@ -9,7 +12,7 @@ module Devise
       include Devise::Models::DatabaseAuthenticatable
 
       included do
-        has_many :old_passwords, as: :password_archivable, dependent: :destroy
+        has_many :old_passwords, class_name: 'OldPassword', as: :password_archivable, dependent: :destroy
         before_update :archive_password, if: :will_save_change_to_encrypted_password?
         validate :validate_password_archive, if: :password_present?
       end
@@ -36,11 +39,15 @@ module Devise
       # @return [true] if current password was used previously
       # @return [false] if disabled or not previously used
       def password_archive_included?
-        return false unless max_old_passwords > 0
-        old_passwords_including_cur_change = old_passwords.order(:id).reverse_order.limit(max_old_passwords).pluck(:encrypted_password)
+        return false unless max_old_passwords.positive?
+
+        old_passwords_including_cur_change = old_passwords.order(created_at: :desc).limit(max_old_passwords).pluck(:encrypted_password)
         old_passwords_including_cur_change << encrypted_password_was # include most recent change in list, but don't save it yet!
         old_passwords_including_cur_change.any? do |old_password|
-          self.class.new(encrypted_password: old_password).valid_password?(password)
+          # NOTE: we deliberately do not do mass assignment here so that users that
+          #   rely on `protected_attributes_continued` gem can still use this extension.
+          #   See issue #68
+          self.class.new.tap { |object| object.encrypted_password = old_password }.valid_password?(password)
         end
       end
 
@@ -58,11 +65,15 @@ module Devise
 
       private
 
-      # archive the last password before save and delete all to old passwords from archive
+      # Archive the last password before save and delete all to old passwords from archive
+      # @note we check to see if an old password has already been archived because
+      #   mongoid will keep re-triggering this callback when we add an old password
       def archive_password
-        if max_old_passwords > 0
+        if max_old_passwords.positive?
+          return true if old_passwords.where(encrypted_password: encrypted_password_was).exists?
+
           old_passwords.create!(encrypted_password: encrypted_password_was) if encrypted_password_was.present?
-          old_passwords.order(:id).reverse_order.offset(max_old_passwords).destroy_all
+          old_passwords.order(created_at: :desc).offset(max_old_passwords).destroy_all
         else
           old_passwords.destroy_all
         end

data/lib/devise-security/models/password_expirable.rb

@@ -1,67 +1,122 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/password_expirable'
 
-module Devise
-  module Models
+module Devise::Models
+  # PasswordExpirable makes passwords expire after a configurable amount of
+  # time, or on demand.
+  #
+  # == Configuration
+  # Set +expire_password_after+ to the number of seconds a password is valid for
+  # (example: +3.months+). Setting it to +true+ will allow passwords to be expired
+  # on-demand only, and +false+ disables this feature.
+  #
+  # == Expire On-Demand
+  # This is useful to force users to change passwords for complex business reasons.
+  # Call +need_change_password+ to indicate a record needs a new password.
+  module PasswordExpirable
+    extend ActiveSupport::Concern
 
-    # PasswordExpirable takes care of change password after
-    module PasswordExpirable
-      extend ActiveSupport::Concern
+    included do
+      scope :with_password_change_requested, -> { where(password_changed_at: nil) }
+      scope :without_password_change_requested, -> { where.not(password_changed_at: nil) }
+      scope :with_expired_password, -> { where('password_changed_at is NULL OR password_changed_at < ?', expire_password_after.seconds.ago) }
+      scope :without_expired_password, -> { without_password_change_requested.where('password_changed_at >= ?', expire_password_after.seconds.ago) }
+      before_save :update_password_changed
+    end
 
-      included do
-        before_save :update_password_changed
-      end
+    # Is a password change required?
+    # @return [Boolean]
+    # @return [true] if +password_changed_at+ has not been set or if it is old
+    #   enough based on +expire_password_after+ configuration.
+    def need_change_password?
+      password_change_requested? || password_too_old?
+    end
 
-      # is an password change required?
-      def need_change_password?
-        if expired_password_after_numeric?
-          self.password_changed_at.nil? || self.password_changed_at < self.expire_password_after.seconds.ago
-        else
-          false
-        end
-      end
+    # Clear the +password_changed_at+ field so that the user will be required to
+    # update their password.
+    # @note Saves the record (without validations)
+    # @return [Boolean]
+    def need_change_password!
+      return unless password_expiration_enabled?
 
-      # set a fake datetime so a password change is needed and save the record
-      def need_change_password!
-        if expired_password_after_numeric?
-          need_change_password
-          self.save(validate: false)
-        end
-      end
+      need_change_password
+      save(validate: false)
+    end
+    alias expire_password! need_change_password!
+    alias request_password_change! need_change_password!
 
-      # set a fake datetime so a password change is needed
-      def need_change_password
-        if expired_password_after_numeric?
-          self.password_changed_at = self.expire_password_after.seconds.ago
-        end
+    # Clear the +password_changed_at+ field so that the user will be required to
+    #   update their password.
+    # @note Does not save the record
+    # @return [void]
+    def need_change_password
+      return unless password_expiration_enabled?
 
-        # is date not set it will set default to need set new password next login
-        need_change_password if self.password_changed_at.nil?
+      self.password_changed_at = nil
+    end
+    alias expire_password need_change_password
+    alias request_password_change need_change_password
 
-        self.password_changed_at
-      end
+    # @return [Integer] number of seconds passwords are valid for
+    # @return [true] passwords are expired 'on demand' only.
+    # @return [false] passwords never expire (this feature is disabled)
+    def expire_password_after
+      self.class.expire_password_after
+    end
 
-      def expire_password_after
-        self.class.expire_password_after
-      end
+    # When +password_changed_at+ is set to +NULL+ in the database
+    # the user is required to change their password.  This only happens
+    # on demand or when the column is first added to the table.
+    # @return [Boolean]
+    def password_change_requested?
+      return false unless password_expiration_enabled?
+      return false if new_record?
 
-      private
+      password_changed_at.nil?
+    end
+
+    # Is this password older than the configured expiration timeout?
+    # @return [Boolean]
+    def password_too_old?
+      return false if new_record?
+      return false unless password_expiration_enabled?
+      return false if expire_password_on_demand?
 
-        # is password changed then update password_cahanged_at
-        def update_password_changed
-          self.password_changed_at = Time.now if (self.new_record? || self.encrypted_password_changed?) && !self.password_changed_at_changed?
-        end
+      password_changed_at < expire_password_after.seconds.ago
+    end
+    alias password_expired? password_too_old?
 
-        def expired_password_after_numeric?
-          return @_numeric if defined?(@_numeric)
-          @_numeric ||= self.expire_password_after.is_a?(1.class) ||
-            self.expire_password_after.is_a?(Float)
-        end
+    private
 
-      module ClassMethods
-        ::Devise::Models.config(self, :expire_password_after)
+    # Update +password_changed_at+ for new records and changed passwords.
+    # @note called as a +before_save+ hook
+    def update_password_changed
+      if defined?(will_save_change_to_attribute?)
+        return unless (new_record? || will_save_change_to_encrypted_password?) && !will_save_change_to_password_changed_at?
+      else
+        return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
       end
+
+      self.password_changed_at = Time.zone.now
     end
 
-  end
+    # Enabled if configuration +expire_password_after+ is set to an {Integer},
+    # {Float}, or {true}
+    def password_expiration_enabled?
+      expire_password_after.is_a?(1.class) ||
+        expire_password_after.is_a?(Float) ||
+        expire_password_on_demand?
+    end
+
+    # When +expire_password_after+ is set to +true+ then only expire passwords
+    # on demand.
+    def expire_password_on_demand?
+      expire_password_after.present? && expire_password_after == true
+    end
 
+    module ClassMethods
+      ::Devise::Models.config(self, :expire_password_after)
+    end
+  end
 end