devise-security 0.13.0 → 0.14.0.rc1

data/gemfiles/{rails_5.2.0.gemfile → rails_5.2_stable.gemfile}

@@ -2,7 +2,14 @@
 
 source "https://rubygems.org"
 
-gem "omniauth"
 gem "rails", "~> 5.2.0"
 
+group :active_record do
+  gem "sqlite3", "~> 1.3.0"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 6.0"
+end
+
 gemspec path: "../"

data/gemfiles/rails_6.0_beta.gemfile

@@ -0,0 +1,15 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "rails", "~> 6.0.0.beta1"
+
+group :active_record do
+  gem "sqlite3", "~> 1.3.0"
+end
+
+group :mongoid do
+  gem "mongoid", "~> 6.0"
+end
+
+gemspec path: "../"

data/lib/devise-security.rb

@@ -1,13 +1,12 @@
 # frozen_string_literal: true
 
-require 'active_record'
+require DEVISE_ORM.to_s if DEVISE_ORM.in? [:active_record, :mongoid]
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
 require 'active_support/concern'
 require 'devise'
 
 module Devise
-
   # Number of seconds that passwords are valid (e.g 3.months)
   # Disable pasword expiration with +false+
   # Expire only on demand with +true+
@@ -104,7 +103,6 @@ Devise.add_module :paranoid_verification, controller: :paranoid_verification_cod
 # requires
 require 'devise-security/routes'
 require 'devise-security/rails'
-require 'devise-security/orm/active_record'
-require 'devise-security/models/old_password'
+require "devise-security/orm/#{DEVISE_ORM}"
 require 'devise-security/models/database_authenticatable_patch'
 require 'devise-security/models/paranoid_verification'

data/lib/devise-security/models/{old_password.rb → active_record/old_password.rb}

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'active_record'
-class OldPassword < ActiveRecord::Base
+class OldPassword < ApplicationRecord
   belongs_to :password_archivable, polymorphic: true
 end

data/lib/devise-security/models/compatibility.rb

@@ -1,24 +1,15 @@
 # frozen_string_literal: true
 
+require_relative "compatibility/#{DEVISE_ORM}"
+
 module Devise
   module Models
+    # These compatibility modules define methods used by devise-security
+    # that may need to be defined or re-defined for compatibility between ORMs
+    # and/or older versions of ORMs.
     module Compatibility
       extend ActiveSupport::Concern
-
-      # for backwards compatibility with Rails < 5.1.x
-      unless Devise.activerecord51?
-        def saved_change_to_encrypted_password?
-          encrypted_password_changed?
-        end
-
-        def encrypted_password_before_last_save
-          previous_changes['encrypted_password'].try(:first)
-        end
-
-        def will_save_change_to_encrypted_password?
-          changed_attributes['encrypted_password'].present?
-        end
-      end
+      include "Devise::Models::Compatibility::#{DEVISE_ORM.to_s.classify}".constantize
     end
   end
 end

data/lib/devise-security/models/compatibility/active_record.rb

@@ -0,0 +1,29 @@
+module Devise
+  module Models
+    module Compatibility
+      module ActiveRecord
+        extend ActiveSupport::Concern
+        unless Devise.activerecord51?
+          # When the record was saved, was the +encrypted_password+ changed?
+          # @return [Boolean]
+          def saved_change_to_encrypted_password?
+            encrypted_password_changed?
+          end
+
+          # The encrypted password that existed before the record was saved
+          # @return [String]
+          # @return [nil] if an +encrypted_password+ had not been set
+          def encrypted_password_before_last_save
+            previous_changes['encrypted_password'].try(:first)
+          end
+
+          # When the record is saved, will the +encrypted_password+ be changed?
+          # @return [Boolean]
+          def will_save_change_to_encrypted_password?
+            changed_attributes['encrypted_password'].present?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/compatibility/mongoid.rb

@@ -0,0 +1,21 @@
+module Devise
+  module Models
+    module Compatibility
+      module Mongoid
+        extend ActiveSupport::Concern
+
+        # Will saving this record change the +email+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_email?
+          changed.include? 'email'
+        end
+
+        # Will saving this record change the +encrypted_password+ attribute?
+        # @return [Boolean]
+        def will_save_change_to_encrypted_password?
+          changed.include? 'encrypted_password'
+        end
+      end
+    end
+  end
+end

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -10,7 +10,7 @@ module Devise
         new_password_confirmation = params[:password_confirmation]
 
         result = if valid_password?(current_password) && new_password.present? && new_password_confirmation.present?
-          update_attributes(params, *options)
+          update(params, *options)
         else
           self.assign_attributes(params, *options)
           self.valid?

data/lib/devise-security/models/expirable.rb

@@ -22,7 +22,11 @@ module Devise
 
       # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
       def update_last_activity!
-        self.update_column(:last_activity_at, Time.now.utc)
+        if respond_to?(:update_column)
+          self.update_column(:last_activity_at, Time.now.utc)
+        elsif defined? Mongoid
+          self.update_attribute(:last_activity_at, Time.now.utc)
+        end
       end
 
       # Tells if the account has expired
@@ -103,7 +107,7 @@ module Devise
         # @example Overwritten version to blank out the object.
         #   def self.delete_all_expired_for(time = 90.days)
         #     expired_for(time).each do |u|
-        #       u.update_attributes first_name: nil, last_name: nil
+        #       u.update first_name: nil, last_name: nil
         #     end
         #   end
         def delete_all_expired_for(time)

data/lib/devise-security/models/mongoid/old_password.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class OldPassword
+  include Mongoid::Document
+
+  ## Database authenticatable
+  field :encrypted_password, type: String
+  validates_presence_of :encrypted_password
+  field :password_salt, type: String
+
+  field :password_archivable_type, type: String
+  validates_presence_of :password_archivable_type
+
+  field :password_archivable_id, type: String
+  validates_presence_of :password_archivable_id
+  index({ password_archivable_type: 1, password_archivable_id: 1 }, name: :index_password_archivable)
+
+  include Mongoid::Timestamps
+
+  belongs_to :password_archivable, polymorphic: true
+end

data/lib/devise-security/models/password_archivable.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'compatibility'
+require_relative "#{DEVISE_ORM}/old_password"
 
 module Devise
   module Models
@@ -11,7 +12,7 @@ module Devise
       include Devise::Models::DatabaseAuthenticatable
 
       included do
-        has_many :old_passwords, as: :password_archivable, dependent: :destroy
+        has_many :old_passwords, class_name: 'OldPassword', as: :password_archivable, dependent: :destroy
         before_update :archive_password, if: :will_save_change_to_encrypted_password?
         validate :validate_password_archive, if: :password_present?
       end
@@ -38,11 +39,15 @@ module Devise
       # @return [true] if current password was used previously
       # @return [false] if disabled or not previously used
       def password_archive_included?
-        return false unless max_old_passwords > 0
-        old_passwords_including_cur_change = old_passwords.order(:id).reverse_order.limit(max_old_passwords).pluck(:encrypted_password)
+        return false unless max_old_passwords.positive?
+
+        old_passwords_including_cur_change = old_passwords.order(created_at: :desc).limit(max_old_passwords).pluck(:encrypted_password)
         old_passwords_including_cur_change << encrypted_password_was # include most recent change in list, but don't save it yet!
         old_passwords_including_cur_change.any? do |old_password|
-          self.class.new(encrypted_password: old_password).valid_password?(password)
+          # NOTE: we deliberately do not do mass assignment here so that users that
+          #   rely on `protected_attributes_continued` gem can still use this extension.
+          #   See issue #68
+          self.class.new.tap { |object| object.encrypted_password = old_password }.valid_password?(password)
         end
       end
 
@@ -60,11 +65,15 @@ module Devise
 
       private
 
-      # archive the last password before save and delete all to old passwords from archive
+      # Archive the last password before save and delete all to old passwords from archive
+      # @note we check to see if an old password has already been archived because
+      #   mongoid will keep re-triggering this callback when we add an old password
       def archive_password
-        if max_old_passwords > 0
+        if max_old_passwords.positive?
+          return true if old_passwords.where(encrypted_password: encrypted_password_was).exists?
+
           old_passwords.create!(encrypted_password: encrypted_password_was) if encrypted_password_was.present?
-          old_passwords.order(:id).reverse_order.offset(max_old_passwords).destroy_all
+          old_passwords.order(created_at: :desc).offset(max_old_passwords).destroy_all
         else
           old_passwords.destroy_all
         end

data/lib/devise-security/models/password_expirable.rb

@@ -39,6 +39,7 @@ module Devise::Models
     # @return [Boolean]
     def need_change_password!
       return unless password_expiration_enabled?
+
       need_change_password
       save(validate: false)
     end
@@ -51,6 +52,7 @@ module Devise::Models
     # @return [void]
     def need_change_password
       return unless password_expiration_enabled?
+
       self.password_changed_at = nil
     end
     alias expire_password need_change_password
@@ -70,6 +72,7 @@ module Devise::Models
     def password_change_requested?
       return false unless password_expiration_enabled?
       return false if new_record?
+
       password_changed_at.nil?
     end
 
@@ -79,6 +82,7 @@ module Devise::Models
       return false if new_record?
       return false unless password_expiration_enabled?
       return false if expire_password_on_demand?
+
       password_changed_at < expire_password_after.seconds.ago
     end
     alias password_expired? password_too_old?
@@ -89,6 +93,7 @@ module Devise::Models
     # @note called as a +before_save+ hook
     def update_password_changed
       return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+
       self.password_changed_at = Time.zone.now
     end
 

data/lib/devise-security/models/secure_validatable.rb

@@ -90,8 +90,8 @@ module Devise
 
         def has_uniqueness_validation_of_login?
           validators.any? do |validator|
-            validator.kind_of?(ActiveRecord::Validations::UniquenessValidator) &&
-              validator.attributes.include?(login_attribute)
+            validator_orm_klass = DEVISE_ORM == :active_record ? ActiveRecord::Validations::UniquenessValidator : ::Mongoid::Validatable::UniquenessValidator
+            validator.kind_of?(validator_orm_klass) && validator.attributes.include?(login_attribute)
           end
         end
 

data/lib/devise-security/orm/mongoid.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+ActiveSupport.on_load(:mongoid) do
+  require 'orm_adapter/adapters/mongoid'
+
+  Mongoid::Document::ClassMethods.send :include, Devise::Models
+end

data/lib/devise-security/patches/controller_security_question.rb

@@ -9,6 +9,7 @@ module DeviseSecurity::Patches
     end
 
     private
+
     def check_security_question
       # only find via email, not login
       resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
@@ -19,4 +20,3 @@ module DeviseSecurity::Patches
     end
   end
 end
-

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.13.0'
+  VERSION = '0.14.0.rc1'
 end

data/lib/generators/devise_security/install_generator.rb

@@ -4,7 +4,7 @@ module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      LOCALES = %w[en es de fr it tr].freeze
+      LOCALES = %w[en es de fr it ja tr].freeze
 
       source_root File.expand_path('../../templates', __FILE__)
       desc 'Install the devise security extension'

data/test/dummy/app/models/application_record.rb

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
 
-class ApplicationRecord < ActiveRecord::Base
-  self.abstract_class = true
+if DEVISE_ORM == :active_record
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+else
+  class ApplicationRecord
+    include Mongoid::Document
+  end
 end

data/test/dummy/app/models/application_user_record.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+if DEVISE_ORM == :active_record
+  class ApplicationUserRecord < ActiveRecord::Base
+    self.table_name = 'users'
+  end
+else
+  class ApplicationUserRecord
+    include Mongoid::Document
+    store_in collection: 'users'
+  end
+end

data/test/dummy/app/models/captcha_user.rb

@@ -1,7 +1,10 @@
 # frozen_string_literal: true
 
-class CaptchaUser < ApplicationRecord
-  self.table_name = 'users'
+class CaptchaUser < ApplicationUserRecord
   devise :database_authenticatable, :password_archivable,
          :paranoid_verification, :password_expirable
+  if DEVISE_ORM == :mongoid
+    require './test/dummy/app/models/mongoid/mappings'
+    include ::Mongoid::Mappings
+  end
 end

data/test/dummy/app/models/mongoid/confirmable_fields.rb

@@ -0,0 +1,13 @@
+module ConfirmableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    ## Confirmable
+    field :confirmation_token, type: String
+    field :confirmed_at, type: Time
+    field :confirmation_sent_at, type: Time
+    field :unconfirmed_email, type: String # Only if using reconfirmable
+  end
+end

data/test/dummy/app/models/mongoid/database_authenticable_fields.rb

@@ -0,0 +1,17 @@
+module DatabaseAuthenticatableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    ## Database authenticatable
+    field :username, type: String
+    field :email, type: String, default: ""
+    #validates_presence_of :email
+
+    field :encrypted_password, type: String, default: ""
+    validates_presence_of :encrypted_password
+
+    include Mongoid::Timestamps
+  end
+end

data/test/dummy/app/models/mongoid/expirable_fields.rb

@@ -0,0 +1,11 @@
+module ExpirableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    ## Expirable
+    field :expired_at, type: Time
+    field :last_activity_at, type: Time
+  end
+end

data/test/dummy/app/models/mongoid/lockable_fields.rb

@@ -0,0 +1,13 @@
+module LockableFields
+  extend ::ActiveSupport::Concern
+
+  included do
+    include Mongoid::Document
+
+    field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+    field :unlock_token, type: String # Only if unlock strategy is :email or :both
+    field :locked_at, type: Time
+    include Mongoid::Timestamps
+    index({ unlock_token: 1 }, { unique: true })
+  end
+end