devise-security 0.12.0 → 0.18.0

data/lib/devise-security.rb

@@ -1,18 +1,28 @@
-require 'active_record'
+# frozen_string_literal: true
+
+DEVISE_ORM = ENV.fetch('DEVISE_ORM', 'active_record').to_sym unless defined?(DEVISE_ORM)
+
+require DEVISE_ORM.to_s if DEVISE_ORM.in? %i[active_record mongoid]
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
 require 'active_support/concern'
 require 'devise'
 
 module Devise
-
-  # Should the password expire (e.g 3.months)
+  # Number of seconds that passwords are valid (e.g 3.months)
+  # Disable password expiration with +false+
+  # Expire only on demand with +true+
   mattr_accessor :expire_password_after
   @@expire_password_after = 3.months
 
-  # Validate password for strongness
-  mattr_accessor :password_regex
-  @@password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+  # Validate password complexity
+  mattr_accessor :password_complexity
+  @@password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
+
+  # Define the class used to validate password complexity. Set to a Class or a
+  # string which will be used to determine which class to use.
+  mattr_accessor :password_complexity_validator
+  @@password_complexity_validator = 'devise_security/password_complexity_validator'
 
   # Number of old passwords in archive
   mattr_accessor :password_archiving_count
@@ -23,7 +33,7 @@ module Devise
   @@deny_old_passwords = true
 
   # enable email validation for :secure_validatable. (true, false, validation_options)
-  # dependency: need an email validator like rails_email_validator
+  # dependency: need an email validator, see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
   mattr_accessor :email_validation
   @@email_validation = true
 
@@ -75,11 +85,14 @@ module Devise
   # paranoid_verification will regenerate verifacation code after faild attempt
   mattr_accessor :paranoid_code_regenerate_after_attempt
   @@paranoid_code_regenerate_after_attempt = 10
+
+  # Whether to allow passwords that are equal (case insensitive) to the email
+  mattr_accessor :allow_passwords_equal_to_email
+  @@allow_passwords_equal_to_email = false
 end
 
-# an security extension for devise
+# a security extension for devise
 module DeviseSecurity
-  autoload :Schema, 'devise-security/schema'
   autoload :Patches, 'devise-security/patches'
 
   module Controllers
@@ -100,7 +113,6 @@ Devise.add_module :paranoid_verification, controller: :paranoid_verification_cod
 # requires
 require 'devise-security/routes'
 require 'devise-security/rails'
-require 'devise-security/orm/active_record'
-require 'devise-security/models/old_password'
+require "devise-security/orm/#{DEVISE_ORM}" if DEVISE_ORM == :mongoid
 require 'devise-security/models/database_authenticatable_patch'
 require 'devise-security/models/paranoid_verification'

data/lib/generators/devise_security/install_generator.rb

@@ -1,23 +1,23 @@
+# frozen_string_literal: true
+
 module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      LOCALES = %w[ en de it ]
+      LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
-      source_root File.expand_path('../../templates', __FILE__)
+      source_root File.expand_path('../templates', __dir__)
       desc 'Install the devise security extension'
 
       def copy_initializer
-        template('devise-security.rb',
-                 'config/initializers/devise-security.rb',
-        )
+        template('devise_security.rb', 'config/initializers/devise_security.rb')
       end
 
       def copy_locales
         LOCALES.each do |locale|
           copy_file(
             "../../../config/locales/#{locale}.yml",
-            "config/locales/devise.security_extension.#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml"
           )
         end
       end

data/lib/generators/templates/devise_security.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+
+  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol
+  # You may use "digits" in place of "digit" and "symbols" in place of
+  # "symbol" based on your preference
+  # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
+
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+
+  # Deny old passwords (true, false, number_of_old_passwords_to_check)
+  # Examples:
+  # config.deny_old_passwords = false # allow old passwords
+  # config.deny_old_passwords = true # will deny all the old passwords
+  # config.deny_old_passwords = 3 # will deny new passwords that matches with the last 3 passwords
+  # config.deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
+  # config.email_validation = true
+
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+
+  # Allow password to equal the email
+  # config.allow_passwords_equal_to_email = false
+
+  # paranoid_verification will regenerate verification code after failed attempt
+  # config.paranoid_code_regenerate_after_attempt = 10
+end

data/test/{test_captcha_controller.rb → controllers/test_captcha_controller.rb}

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'test_helper'
 
 class TestWithCaptcha < ActionController::TestCase

data/test/controllers/test_paranoid_verification_code_controller.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    @user = User.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
+    )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
+
+    sign_in(@user)
+  end
+
+  test 'redirects to root on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test "redirects to root on show if user doesn't need paranoid verification" do
+    @user.update(paranoid_verification_code: nil)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'renders show on show if user needs paranoid verification' do
+    @user.update(paranoid_verification_code: 'cookies')
+    get :show
+    assert_template :show
+  end
+
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    patch :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need paranoid verification' do
+    @user.update(paranoid_verification_code: nil)
+    patch :update
+    assert_redirected_to :root
+  end
+
+  test 'update paranoid_verification_code with default format' do
+    patch(
+      :update,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_redirected_to root_path
+    assert_equal 'Verification code accepted', flash[:notice]
+    assert_equal('text/html', response.media_type)
+  end
+
+  test 'update paranoid_verification_code using JSON format' do
+    patch(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+
+  test 'update paranoid_verification_code using XML format' do
+    patch(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+end
+
+class ParanoidVerificationCodeCustomRedirectTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Overrides::ParanoidVerificationCodeController
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:paranoid_verification_user]
+    @user = ParanoidVerificationUser.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
+    )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
+
+    sign_in(@user)
+  end
+
+  test 'redirects to custom redirect route on update' do
+    patch(
+      :update,
+      params: {
+        paranoid_verification_user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+
+    assert_redirected_to '/cats'
+    assert_equal 'Verification code accepted', flash[:notice]
+  end
+end

data/test/controllers/test_password_expired_controller.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Devise::PasswordExpiredControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    @user = User.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      password_changed_at: 4.months.ago,
+      confirmed_at: 5.months.ago
+    )
+    assert @user.valid?
+    assert @user.need_change_password?
+
+    sign_in(@user)
+  end
+
+  test 'redirects on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'redirects on show if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'should render show' do
+    get :show
+    assert_includes @response.body, 'Renew your password'
+  end
+
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    put :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    put :update
+    assert_redirected_to :root
+  end
+
+  test 'update password with default format' do
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+    assert_redirected_to root_path
+    assert_equal('text/html', response.media_type)
+  end
+
+  test 'password confirmation does not match' do
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password6'
+        }
+      }
+    )
+
+    assert_response :success
+    assert_template :show
+    assert_equal('text/html', response.media_type)
+    assert_includes(
+      response.body,
+      'Password confirmation doesn&#39;t match Password'
+    )
+  end
+
+  test 'update password using JSON format' do
+    put(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+
+  test 'update password using XML format' do
+    put(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+end
+
+class PasswordExpiredCustomRedirectTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Overrides::PasswordExpiredController
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:password_expired_user]
+    @user = PasswordExpiredUser.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      password_changed_at: 4.months.ago,
+      confirmed_at: 5.months.ago
+    )
+    assert @user.valid?
+    assert @user.need_change_password?
+
+    sign_in(@user)
+  end
+
+  test 'update password with custom redirect route' do
+    put(
+      :update,
+      params: {
+        password_expired_user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+
+    assert_redirected_to '/cookies'
+  end
+
+  test 'yield resource to block on update' do
+    put(:update, params: { password_expired_user: { current_password: '123' } })
+    assert @controller.update_block_called?, 'Update failed to yield resource to provided block'
+  end
+end

data/test/controllers/test_security_question_controller.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class TestWithSecurityQuestion < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests SecurityQuestion::UnlocksController
+
+  setup do
+    @user = SecurityQuestionUser.create!(
+      username: 'hello', email: 'hello@microsoft.com', password: 'A1234567z!', security_question_answer: 'Right Answer'
+    )
+    @user.lock_access!
+    assert @user.locked_at.present?
+    @request.env['devise.mapping'] = Devise.mappings[:security_question_user]
+  end
+
+  test 'When security question is enabled, it is inserted correctly' do
+    post(
+      :create,
+      params: {
+        security_question_answer: 'wrong answer',
+        security_question_user: {
+          email: @user.email
+        }
+      }
+    )
+    assert_equal I18n.t('devise.invalid_security_question'), flash[:alert]
+    assert_redirected_to new_security_question_user_unlock_path
+  end
+
+  test 'When security_question is valid, it runs as normal' do
+    post(
+      :create,
+      params: {
+        security_question_answer: @user.security_question_answer,
+        security_question_user: {
+          email: @user.email
+        }
+      }
+    )
+
+    assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
+    assert_redirected_to new_security_question_user_session_path
+  end
+end
+
+class TestWithoutSecurityQuestion < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Devise::UnlocksController
+
+  setup do
+    @user = User.create(
+      username: 'hello', email: 'hello@path.travel', password: '1234', security_question_answer: 'Right Answer'
+    )
+    @user.lock_access!
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+  end
+
+  test 'When security question is not enabled it is not inserted' do
+    post :create, params: { user: { email: @user.email } }
+
+    assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
+    assert_redirected_to new_user_session_path
+  end
+end

data/test/dummy/Rakefile

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 
-require File.expand_path('../config/application', __FILE__)
+require File.expand_path('config/application', __dir__)
 
 Rails.application.load_tasks

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+// = link_tree ../images
+// = link_directory ../javascripts .js
+// = link_directory ../stylesheets .css

data/test/dummy/app/controllers/application_controller.rb

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
 end

data/test/dummy/app/controllers/captcha/sessions_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Captcha::SessionsController < Devise::SessionsController
   include DeviseSecurity::Patches::ControllerCaptcha
 end

data/test/dummy/app/controllers/overrides/paranoid_verification_code_controller.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class Overrides::ParanoidVerificationCodeController < Devise::ParanoidVerificationCodeController
+  def after_paranoid_verification_code_update_path_for(_)
+    '/cats'
+  end
+end

data/test/dummy/app/controllers/overrides/password_expired_controller.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Overrides::PasswordExpiredController < Devise::PasswordExpiredController
+  def update
+    super do |resource|
+      @update_block_called = true
+    end
+  end
+
+  def after_password_expired_update_path_for(_)
+    '/cookies'
+  end
+
+  def update_block_called?
+    @update_block_called == true
+  end
+end

data/test/dummy/app/controllers/security_question/unlocks_controller.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class SecurityQuestion::UnlocksController < Devise::UnlocksController
   include DeviseSecurity::Patches::ControllerSecurityQuestion
 end

data/test/dummy/app/controllers/widgets_controller.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class WidgetsController < ApplicationController
+  before_action :authenticate_user!
+
+  def show
+    render plain: 'success'
+  end
+end

data/test/dummy/app/models/application_record.rb

@@ -1,3 +1,11 @@
-class ApplicationRecord < ActiveRecord::Base
-  self.abstract_class = true
+# frozen_string_literal: true
+
+if DEVISE_ORM == :active_record
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+else
+  class ApplicationRecord
+    include Mongoid::Document
+  end
 end

data/test/dummy/app/models/application_user_record.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+if DEVISE_ORM == :active_record
+  class ApplicationUserRecord < ApplicationRecord
+    self.table_name = 'users'
+  end
+else
+  class ApplicationUserRecord
+    include Mongoid::Document
+    store_in collection: 'users'
+  end
+end

data/test/dummy/app/models/captcha_user.rb

@@ -1,5 +1,10 @@
-class CaptchaUser < ActiveRecord::Base
-  self.table_name = 'users'
+# frozen_string_literal: true
+
+class CaptchaUser < ApplicationUserRecord
   devise :database_authenticatable, :password_archivable,
          :paranoid_verification, :password_expirable
+  if DEVISE_ORM == :mongoid
+    require './test/dummy/app/models/mongoid/mappings'
+    include ::Mongoid::Mappings
+  end
 end

data/test/dummy/app/models/mongoid/confirmable_fields.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ConfirmableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    ## Confirmable
+    field :confirmation_token, type: String
+    field :confirmed_at, type: Time
+    field :confirmation_sent_at, type: Time
+    field :unconfirmed_email, type: String # Only if using reconfirmable
+  end
+end

data/test/dummy/app/models/mongoid/database_authenticable_fields.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module DatabaseAuthenticatableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    ## Database authenticatable
+    field :username, type: String
+    field :email, type: String, default: ''
+
+    field :encrypted_password, type: String, default: ''
+    validates_presence_of :encrypted_password
+
+    include Mongoid::Timestamps
+  end
+end