devise-security 0.12.0 → 0.18.0

data/config/locales/uk.yml

@@ -0,0 +1,50 @@
+uk:
+  errors:
+    messages:
+      taken_in_past: 'раніше використовувався.'
+      equal_to_current_password: 'має відрізнятися від поточного паролю.'
+      equal_to_email: 'має відрізнятися від електронної пошти.'
+      password_complexity:
+        digit:
+          one: 'повинен включати хоча б одну цифру'
+          few: 'повинен включати хоча б %{count} цифри'
+          many: 'повинен включати хоча б %{count} цифр'
+          other: 'повинен включати хоча б %{count} цифри'
+        lower:
+          one: 'повинен включати хоча б одну малу букву'
+          few: 'повинен включати хоча б %{count} малі букви'
+          many: 'повинен включати хоча б %{count} малих букв'
+          other: 'повинен включати хоча б %{count} малі букви'
+        symbol:
+          one: 'повинен включати хоча б один розділовий знак або символ'
+          few: 'повинен включати хоча б %{count} розділові знаки або символи'
+          many: 'повинен включати хоча б %{count} розділових знаків або символів'
+          other: 'повинен включати хоча б %{count} розділові знаки або символи'
+        upper:
+          one: 'повинен включати хоча б одну прописну букву'
+          few: 'повинен включати хоча б %{count} прописні букви'
+          many: 'повинен включати хоча б %{count} прописних букв'
+          other: 'повинен включати хоча б %{count} прописні букви'
+  devise:
+    invalid_captcha: 'Введення капчі недійсне.'
+    invalid_security_question: 'Неправильна відповідь на секретне питання.'
+    paranoid_verify:
+      code_required: 'Введіть, будь ласка, код від нашої команди підтримки'
+    paranoid_verification_code:
+      updated: Код підтвердження прийнято
+      show:
+        submit_verification_code: Відправити код підтвердження
+        verification_code: Код підтвердження
+        submit: Відправити
+    password_expired:
+      updated: 'Ваш новий пароль збережено.'
+      change_required: 'Ваш пароль застарілий. Будь ласка, оновіть пароль.'
+      show:
+        renew_your_password: Оновити свій пароль
+        current_password: Теперішній пароль
+        new_password: Новий пароль
+        new_password_confirmation: Підтвердити новий пароль
+        change_my_password: Змінити пароль
+    failure:
+      session_limited: 'Ваші облікові дані були використані в іншому браузері. Будь ласка, авторизуйтесь знову щоб продовжити в цьому браузері.'
+      expired: "Ваш аккаунт застарів через неактивність. Будь ласка, зв'яжіться з адміністратором."

data/config/locales/zh_CN.yml

@@ -0,0 +1,42 @@
+zh_CN:
+  errors:
+    messages:
+      taken_in_past: '曾被使用过。'
+      equal_to_current_password: '必须与当前密码不同。'
+      equal_to_email: '必须与电子邮件地址不同。'
+      password_complexity:
+        digit:
+          one: 必须包含至少1个数字
+          other: 必须包含至少%{count}个数字
+        lower:
+          one: 必须包含至少1个小写字母
+          other: 必须包含至少%{count}个小写字母
+        symbol:
+          one: 必须包含至少1个特殊符号（!"#$%&'()*+,-./:;<=>?@[\]^_‘{|}~)
+          other: 必须包含至少%{count}个特殊符号（!"#$%&'()*+,-./:;<=>?@[\]^_‘{|}~）
+        upper:
+          one: 必须包含至少1个大写字母
+          other: 必须包含至少%{count}个大写字母
+  devise:
+    invalid_captcha: '验证码无效。'
+    invalid_security_question: '安全问题答案无效。'
+    paranoid_verify:
+      code_required: '请输入我们支持团队提供的代码'
+    paranoid_verification_code:
+      updated: 接受验证码
+      show:
+        submit_verification_code: 提交验证码
+        verification_code: 验证码
+        submit: 提交
+    password_expired:
+      updated: '你的新密码已保存。'
+      change_required: '你的密码已过期，请更新密码。'
+      show:
+        renew_your_password: 更新你的密码
+        current_password: 当前密码
+        new_password: 新密码
+        new_password_confirmation: 确认新密码
+        change_my_password: 更改密码
+    failure:
+      session_limited: '你的登录凭据已在另一个浏览器上被使用。请重新登录以在此浏览器继续。'
+      expired: '由于不活跃，你的账户已过期。请联系站点管理员。'

data/config/locales/zh_TW.yml

@@ -0,0 +1,42 @@
+zh_TW:
+  errors:
+    messages:
+      taken_in_past: '曾被使用過。'
+      equal_to_current_password: '必須與目前密碼不同。'
+      equal_to_email: '必須與電子郵件地址不同。'
+      password_complexity:
+        digit:
+          one: 必須包含至少一個數字
+          other: 必須包含至少 %{count} 個數字
+        lower:
+          one: 必須包含至少一個小寫字母
+          other: 必須包含至少 %{count} 個小寫字母
+        symbol:
+          one: 必須包含至少一個特殊符號
+          other: 必須包含至少 %{count} 個特殊符號
+        upper:
+          one: 必須包含至少一個大寫字母
+          other: 必須包含至少 %{count} 個大寫字母
+  devise:
+    invalid_captcha: '輸入的驗證碼無效。'
+    invalid_security_question: '安全問題答案無效。'
+    paranoid_verify:
+      code_required: '請輸入由我們客服團隊提供的代碼'
+    paranoid_verification_code:
+      updated: 接受驗證碼
+      show:
+        submit_verification_code: 送出驗證碼
+        verification_code: 驗證碼
+        submit: 送出
+    password_expired:
+      updated: '你的新密碼已儲存'
+      change_required: '你的密碼已經過期，請更新密碼。'
+      show:
+        renew_your_password: 更新你的密碼
+        current_password: 目前密碼
+        new_password: 新密碼
+        new_password_confirmation: 確認新密碼
+        change_my_password: 更改我的密碼
+    failure:
+      session_limited: '你的登入憑證已在另一個瀏覽器上被使用，請重新登入以在此瀏覽器繼續使用。'
+      expired: '你的帳號因過久沒使用而已經過期，請洽網站管理員。'

data/lib/devise-security/controllers/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DeviseSecurity
   module Controllers
     module Helpers
@@ -27,8 +29,8 @@ module DeviseSecurity
       end
 
       def valid_captcha_if_defined?(captcha)
-        defined?(verify_recaptcha) && verify_recaptcha ||
-          defined?(valid_captcha?) && valid_captcha?(captcha)
+        (defined?(verify_recaptcha) && verify_recaptcha) ||
+          (defined?(valid_captcha?) && valid_captcha?(captcha))
       end
 
       def valid_security_question_answer?(resource, answer)
@@ -38,71 +40,92 @@ module DeviseSecurity
 
       # controller instance methods
 
-        private
-
-        # lookup if an password change needed
-        def handle_password_change
-          return if warden.nil?
-
-          if !devise_controller? && !ignore_password_expire? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['password_expired']
-                # re-check to avoid infinite loop if date changed after login attempt
-                if send(:"current_#{scope}").try(:need_change_password?)
-                  store_location_for(scope, request.original_fullpath) if request.get?
-                  redirect_for_password_change scope
-                  return
-                else
-                  warden.session(scope)[:password_expired] = false
-                end
+      private
+
+      # Called as a `before_action` on all actions on any controller that uses
+      # this helper. If the user's session is marked as having an expired
+      # password we double check in case it has been changed by another process,
+      # then redirect to the password change url.
+      #
+      # @note `Warden::Manager.after_authentication` is run AFTER this method
+      #
+      # @note Once the warden session has `'password_expired'` set to `false`,
+      #    it will **never** be checked again until the user re-logs in.
+      def handle_password_change
+        return if warden.nil?
+
+        if !devise_controller? &&
+           !ignore_password_expire? &&
+           !request.format.nil? &&
+           request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['password_expired'] == true
+              if send(:"current_#{scope}").try(:need_change_password?)
+                store_location_for(scope, request.original_fullpath) if request.get?
+                redirect_for_password_change(scope)
+              else
+                warden.session(scope)['password_expired'] = false
               end
             end
           end
         end
+      end
 
-        # lookup if extra (paranoid) code verification is needed
-        def handle_paranoid_verification
-          return if warden.nil?
-
-          if !devise_controller? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+      # lookup if extra (paranoid) code verification is needed
+      def handle_paranoid_verification
+        return if warden.nil?
+
+        if !devise_controller? &&
+           !ignore_paranoid_verification_code? &&
+           !request.format.nil? &&
+           request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['paranoid_verify'] == true
+              if send(:"current_#{scope}").try(:need_paranoid_verification?)
                 store_location_for(scope, request.original_fullpath) if request.get?
-                redirect_for_paranoid_verification scope
-                return
+                redirect_for_paranoid_verification(scope)
+              else
+                warden.session(scope)['paranoid_verify'] = false
               end
             end
           end
         end
+      end
 
-        # redirect for password update with alert message
-        def redirect_for_password_change(scope)
-          redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', {scope: 'devise.password_expired'})
-        end
+      # redirect for password update with alert message
+      def redirect_for_password_change(scope)
+        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', scope: 'devise.password_expired')
+      end
 
-        def redirect_for_paranoid_verification(scope)
-          redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', {scope: 'devise.paranoid_verify'})
-        end
+      def redirect_for_paranoid_verification(scope)
+        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', scope: 'devise.paranoid_verify')
+      end
 
-        # path for change password
-        def change_password_required_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_password_expired_path"
-          send(change_path)
-        end
+      # path for change password
+      def change_password_required_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        router_name = Devise.mappings[scope].router_name
+        context     = router_name ? send(router_name) : _devise_route_context
+        context.send("#{scope}_password_expired_path")
+      end
 
-        def paranoid_verification_code_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_paranoid_verification_code_path"
-          send(change_path)
-        end
+      def paranoid_verification_code_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        router_name = Devise.mappings[scope].router_name
+        context     = router_name ? send(router_name) : _devise_route_context
+        context.send("#{scope}_paranoid_verification_code_path")
+      end
 
-        protected
+      protected
 
-        # allow to overwrite for some special handlings
-        def ignore_password_expire?
-          false
-        end
+      # allow to overwrite for some special handlings
+      def ignore_password_expire?
+        false
+      end
+
+      def ignore_paranoid_verification_code?
+        false
+      end
     end
   end
 end

data/lib/devise-security/hooks/expirable.rb

@@ -1,10 +1,12 @@
-# Updates the last_activity_at fields from the record. Only when the user is active 
+# frozen_string_literal: true
+
+# Updates the last_activity_at fields from the record. Only when the user is active
 # for authentication and authenticated.
-# An expiry of the account is only checked on sign in OR on manually setting the 
+# An expiry of the account is only checked on sign in OR on manually setting the
 # expired_at to the past (see Devise::Models::Expirable for this)
 Warden::Manager.after_set_user do |record, warden, options|
-  if record && record.respond_to?(:active_for_authentication?) && record.active_for_authentication? && 
+  if record && record.respond_to?(:active_for_authentication?) && record.active_for_authentication? &&
       warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activity!)
     record.update_last_activity!
   end
-end
+end

data/lib/devise-security/hooks/paranoid_verification.rb

@@ -1,5 +1,5 @@
+# frozen_string_literal: true
+
 Warden::Manager.after_set_user do |record, warden, options|
-  if record.respond_to?(:need_paranoid_verification?)
-    warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?
-  end
+  warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification? if record.respond_to?(:need_paranoid_verification?)
 end

data/lib/devise-security/hooks/password_expirable.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
+# @note This happens after
+#   {DeviseSecurity::Controller::Helpers#handle_password_change}
 Warden::Manager.after_authentication do |record, warden, options|
-  if record.respond_to?(:need_change_password?)
-    warden.session(options[:scope])['password_expired'] = record.need_change_password?
-  end
+  warden.session(options[:scope])['password_expired'] = record.need_change_password? if record.respond_to?(:need_change_password?)
 end

data/lib/devise-security/hooks/session_limitable.rb

@@ -1,24 +1,41 @@
-# After each sign in, update unique_session_id.
-# This is only triggered when the user is explicitly set (with set_user)
-# and on authentication. Retrieving the user from session (:fetch) does
-# not trigger it.
+# frozen_string_literal: true
+
+# After each sign in, update unique_session_id. This is only triggered when the
+# user is explicitly set (with set_user) and on authentication. Retrieving the
+# user from session (:fetch) does not trigger it.
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
-    unique_session_id = Devise.friendly_token
-    warden.session(options[:scope])['unique_session_id'] = unique_session_id
-    record.update_unique_session_id!(unique_session_id)
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(options[:scope]) &&
+     !record.skip_session_limitable?
+
+    if !options[:skip_session_limitable]
+      unique_session_id = Devise.friendly_token
+      warden.session(options[:scope])['unique_session_id'] = unique_session_id
+      record.update_unique_session_id!(unique_session_id)
+    else
+      warden.session(options[:scope])['devise.skip_session_limitable'] = true
+    end
   end
 end
 
-# Each time a record is fetched from session we check if a new session from another
-# browser was opened for the record or not, based on a unique session identifier.
-# If so, the old account is logged out and redirected to the sign in page on the next request.
+# Each time a record is fetched from session we check if a new session from
+# another browser was opened for the record or not, based on a unique session
+# identifier. If so, the old account is logged out and redirected to the sign in
+# page on the next request.
 Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
-  env   = warden.request.env
 
-  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
-    if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(scope) &&
+     options[:store] != false
+    if record.unique_session_id != warden.session(scope)['unique_session_id'] &&
+       !record.skip_session_limitable? &&
+       !warden.session(scope)['devise.skip_session_limitable']
+      Rails.logger.warn do
+        '[devise-security][session_limitable] session id mismatch: '\
+        "expected=#{record.unique_session_id.inspect} "\
+        "actual=#{warden.session(scope)['unique_session_id'].inspect}"
+      end
       warden.raw_session.clear
       warden.logout(scope)
       throw :warden, scope: scope, message: :session_limited

data/lib/devise-security/models/active_record/old_password.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class OldPassword < ApplicationRecord
+  belongs_to :password_archivable, polymorphic: true
+end

data/lib/devise-security/models/compatibility/active_record_patch.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Devise
+  module Models
+    module Compatibility
+      class NotPersistedError < ActiveRecord::ActiveRecordError; end
+
+      module ActiveRecordPatch
+        extend ActiveSupport::Concern
+
+        unless defined?(ActiveRecord) && ActiveRecord.gem_version >= Gem::Version.new("5.1.x")
+          # When the record was saved, was the +encrypted_password+ changed?
+          # @return [Boolean]
+          def saved_change_to_encrypted_password?
+            encrypted_password_changed?
+          end
+
+          # The encrypted password that existed before the record was saved
+          # @return [String]
+          # @return [nil] if an +encrypted_password+ had not been set
+          def encrypted_password_before_last_save
+            previous_changes['encrypted_password'].try(:first)
+          end
+
+          # When the record is saved, will the +encrypted_password+ be changed?
+          # @return [Boolean]
+          def will_save_change_to_encrypted_password?
+            changed_attributes['encrypted_password'].present?
+          end
+        end
+
+        # Updates the record with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          update_column(name, value)
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/compatibility/mongoid_patch.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Devise
+  module Models
+    module Compatibility
+      class NotPersistedError < Mongoid::Errors::MongoidError; end
+
+      module MongoidPatch
+        extend ActiveSupport::Concern
+
+        # Will saving this record change the +email+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_email?
+          changed.include? 'email'
+        end
+
+        # Will saving this record change the +encrypted_password+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_encrypted_password?
+          changed.include? 'encrypted_password'
+        end
+
+        # Updates the document with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          set(Hash[name, value])
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/compatibility.rb

@@ -1,22 +1,15 @@
+# frozen_string_literal: true
+
+require_relative "compatibility/#{DEVISE_ORM}_patch"
+
 module Devise
   module Models
+    # These compatibility modules define methods used by devise-security
+    # that may need to be defined or re-defined for compatibility between ORMs
+    # and/or older versions of ORMs.
     module Compatibility
       extend ActiveSupport::Concern
-
-      # for backwards compatibility with Rails < 5.1.x
-      unless Devise.activerecord51?
-        def saved_change_to_encrypted_password?
-          encrypted_password_changed?
-        end
-
-        def encrypted_password_before_last_save
-          previous_changes['encrypted_password'].try(:first)
-        end
-
-        def will_save_change_to_encrypted_password?
-          changed_attributes['encrypted_password'].present?
-        end
-      end
+      include "Devise::Models::Compatibility::#{DEVISE_ORM.to_s.classify}Patch".constantize
     end
   end
 end

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -1,22 +1,32 @@
+# frozen_string_literal: true
+
 module Devise
   module Models
     module DatabaseAuthenticatablePatch
       def update_with_password(params, *options)
         current_password = params.delete(:current_password)
+        valid_password = valid_password?(current_password)
 
         new_password = params[:password]
         new_password_confirmation = params[:password_confirmation]
 
-        result = if valid_password?(current_password) && new_password.present? && new_password_confirmation.present?
-          update_attributes(params, *options)
-        else
-          self.assign_attributes(params, *options)
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
-          self.errors.add(:password, new_password.blank? ? :blank : :invalid)
-          self.errors.add(:password_confirmation, new_password_confirmation.blank? ? :blank : :invalid)
-          false
-        end
+        result = if valid_password && new_password.present? && new_password_confirmation.present?
+                   update(params, *options)
+                 else
+                   assign_attributes(params, *options)
+
+                   if current_password.blank?
+                     errors.add(:current_password, :blank)
+                   elsif !valid_password
+                     errors.add(:current_password, :invalid)
+                   end
+
+                   errors.add(:password, :blank) if new_password.blank?
+
+                   errors.add(:password_confirmation, :blank) if new_password_confirmation.blank?
+
+                   false
+                 end
 
         clean_up_passwords
         result

data/lib/devise-security/models/expirable.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'devise-security/hooks/expirable'
 
 module Devise
@@ -20,7 +22,11 @@ module Devise
 
       # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
       def update_last_activity!
-        self.update_column(:last_activity_at, Time.now.utc)
+        if respond_to?(:update_column)
+          self.update_column(:last_activity_at, Time.now.utc)
+        elsif defined? Mongoid
+          self.update_attribute(:last_activity_at, Time.now.utc)
+        end
       end
 
       # Tells if the account has expired
@@ -28,9 +34,11 @@ module Devise
       # @return [bool]
       def expired?
         # expired_at set (manually, via cron, etc.)
-        return self.expired_at < Time.now.utc unless self.expired_at.nil?
+        return expired_at < Time.now.utc unless expired_at.nil?
+
         # if it is not set, check the last activity against configured expire_after time range
-        return self.last_activity_at < self.class.expire_after.ago unless self.last_activity_at.nil?
+        return last_activity_at < self.class.expire_after.ago unless last_activity_at.nil?
+
         # if last_activity_at is nil as well, the user has to be 'fresh' and is therefore not expired
         false
       end
@@ -52,13 +60,13 @@ module Devise
       #
       # @return [bool]
       def active_for_authentication?
-        super && !self.expired?
+        super && !expired?
       end
 
       # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed
       # for i18n.
       def inactive_message
-        !self.expired? ? super : :expired
+        !expired? ? super : :expired
       end
 
       module ClassMethods
@@ -74,7 +82,6 @@ module Devise
           all.each do |u|
             u.expire! if u.expired? && u.expired_at.nil?
           end
-          return
         end
 
         # Scope method to collect all expired users since +time+ ago
@@ -101,7 +108,7 @@ module Devise
         # @example Overwritten version to blank out the object.
         #   def self.delete_all_expired_for(time = 90.days)
         #     expired_for(time).each do |u|
-        #       u.update_attributes first_name: nil, last_name: nil
+        #       u.update first_name: nil, last_name: nil
         #     end
         #   end
         def delete_all_expired_for(time)

data/lib/devise-security/models/mongoid/old_password.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class OldPassword
+  include Mongoid::Document
+
+  ## Database authenticatable
+  field :encrypted_password, type: String
+  validates_presence_of :encrypted_password
+  field :password_salt, type: String
+
+  field :password_archivable_type, type: String
+  validates_presence_of :password_archivable_type
+
+  field :password_archivable_id, type: String
+  validates_presence_of :password_archivable_id
+  index({ password_archivable_type: 1, password_archivable_id: 1 }, name: 'index_password_archivable')
+
+  include Mongoid::Timestamps
+
+  belongs_to :password_archivable, polymorphic: true
+end