devise-security 0.13.0 → 0.14.0.rc1

data/test/dummy/app/mongoid/user_without_email.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "shared_user_without_email"
+
+class UserWithoutEmail
+  include Mongoid::Document
+  include Shim
+  include SharedUserWithoutEmail
+
+  field :username, type: String
+  field :facebook_token, type: String
+
+  ## Database authenticatable
+  field :email, type: String, default: ""
+  field :encrypted_password, type: String, default: ""
+
+  ## Recoverable
+  field :reset_password_token, type: String
+  field :reset_password_sent_at, type: Time
+
+  ## Rememberable
+  field :remember_created_at, type: Time
+
+  ## Trackable
+  field :sign_in_count, type: Integer, default: 0
+  field :current_sign_in_at, type: Time
+  field :last_sign_in_at, type: Time
+  field :current_sign_in_ip, type: String
+  field :last_sign_in_ip, type: String
+
+  ## Lockable
+  field :failed_attempts, type: Integer, default: 0 # Only if lock strategy is :failed_attempts
+  field :unlock_token, type: String # Only if unlock strategy is :email or :both
+  field :locked_at, type: Time
+end

data/test/dummy/config/application.rb

@@ -2,22 +2,25 @@
 
 require File.expand_path('../boot', __FILE__)
 
+require 'action_mailer/railtie'
+require "action_mailer/railtie"
+require "rails/test_unit/railtie"
+
+Bundler.require :default, DEVISE_ORM
+require "#{DEVISE_ORM}/railtie"
+
 require 'rails/all'
 require 'devise-security'
 
-if defined?(Bundler)
-  # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(assets: %w[development test]))
-  # If you want your assets lazily compiled in production, use this line
-  # Bundler.require(:default, :assets, Rails.env)
-end
-
 module RailsApp
   class Application < Rails::Application
     config.encoding = 'utf-8'
 
     config.filter_parameters += [:password]
 
+    config.autoload_paths += ["#{config.root}/app/#{DEVISE_ORM}"]
+    config.autoload_paths += ["#{config.root}/lib"]
+
     config.assets.enabled = true
 
     config.assets.version = '1.0'

data/test/dummy/config/environments/test.rb

@@ -27,10 +27,10 @@ RailsApp::Application.configure do
 
   config.active_support.test_order = :sorted
   config.log_level = :debug
-  if Rails.gem_version >= Gem::Version.new('4.2') && Rails.gem_version < Gem::Version.new('5.0')
+  if Rails.gem_version >= Gem::Version.new('4.2') && Rails.gem_version.release < Gem::Version.new('5.0')
     config.active_record.raise_in_transactional_callbacks = true
   end
-  if Rails.gem_version.release >= Gem::Version.new('5.2')
+  if Rails.gem_version.release >= Gem::Version.new('5.2') && Rails.gem_version.release < Gem::Version.new('6.0')
     config.active_record.sqlite3.represent_boolean_as_integer = true
   end
 end

data/test/dummy/config/initializers/devise.rb

@@ -1,18 +1,17 @@
 # frozen_string_literal: true
 
 require 'rails_email_validator'
+require "devise/orm/#{DEVISE_ORM}"
+
 Devise.setup do |config|
   config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
-
-  require 'devise/orm/active_record'
   config.secret_key = 'f08cf11a38906f531d2dfc9a2c2d671aa0021be806c21255d4'
   config.case_insensitive_keys = [:email]
-
   config.strip_whitespace_keys = [:email]
-
   config.password_complexity = {
     digit: 1,
     lower: 1,
     upper: 1,
   }
+  config.password_length = 7..128
 end

data/test/dummy/config/initializers/migration_class.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
-MIGRATION_CLASS =
-  if ActiveRecord::VERSION::MAJOR >= 5
-    ActiveRecord::Migration[4.2]
-  else
-    ActiveRecord::Migration
-  end
+if DEVISE_ORM == :active_record
+  MIGRATION_CLASS =
+    if Rails.gem_version >= Gem::Version.new('5.0')
+      ActiveRecord::Migration[Rails.version.to_f]
+    else
+      ActiveRecord::Migration
+    end
+end

data/test/dummy/config/mongoid.yml

@@ -0,0 +1,6 @@
+test:
+  <%= Mongoid::VERSION.to_i > 4 ? 'clients' : 'sessions' %>:
+    default:
+      database: devise_security_test
+      hosts:
+        - localhost: <%= ENV.fetch('MONGODB_PORT', '27017') %>

data/test/dummy/lib/shared_expirable_columns.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+require 'shared_user'
+
+module SharedVerificationColumns
+  extend ActiveSupport::Concern
+
+  included do
+    include SharedUser
+    devise :expirable
+
+    field :expired_at, type: Time
+    field :last_activity_at, type: Time
+  end
+end

data/test/dummy/lib/shared_security_questions_fields.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+require 'shared_user'
+
+module SharedSecurityQuestionsFields
+  extend ActiveSupport::Concern
+
+  included do
+    include SharedUser
+    devise :lockable, :security_questionable
+
+    field :locked_at, type: Time
+    field :unlock_token, type: String
+    field :security_question_id, type: Integer
+    field :security_question_answer, type: String
+  end
+end

data/test/dummy/lib/shared_user.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module SharedUser
+  extend ActiveSupport::Concern
+
+  included do
+    devise :database_authenticatable, :confirmable, :lockable, :recoverable,
+           :registerable, :rememberable, :timeoutable,
+           :trackable, :secure_validatable, :omniauthable, :validatable, password_length: 7..72,
+           reconfirmable: false
+
+    attr_accessor :other_key
+
+    # They need to be included after Devise is called.
+    extend ExtendMethods
+  end
+
+  def raw_confirmation_token
+    @raw_confirmation_token
+  end
+
+  module ExtendMethods
+    def new_with_session(params, session)
+      super.tap do |user|
+        if data = session["devise.facebook_data"]
+          user.email = data["email"]
+          user.confirmed_at = Time.zone.now
+        end
+      end
+    end
+  end
+end

data/test/dummy/lib/shared_user_with_password_verification.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module SharedUserWithPasswordVerification
+  extend ActiveSupport::Concern
+
+  included do
+    include SharedVerificationFields
+  end
+
+  def raw_confirmation_token
+    @raw_confirmation_token
+  end
+end

data/test/dummy/lib/shared_user_without_email.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module SharedUserWithoutEmail
+  extend ActiveSupport::Concern
+
+  included do
+    # NOTE: This is missing :validatable and :confirmable, as they both require
+    # an email field at the moment. It is also missing :omniauthable because that
+    # adds unnecessary complexity to the setup
+    devise :database_authenticatable, :lockable, :recoverable,
+           :registerable, :rememberable, :timeoutable,
+           :trackable
+  end
+
+  # This test stub is a bit rubbish because it's tied very closely to the
+  # implementation where we care about this one case. However, completely
+  # removing the email field breaks "recoverable" tests completely, so we are
+  # just taking the approach here that "email" is something that is a not an
+  # ActiveRecord field.
+  def email_changed?
+    raise NoMethodError
+  end
+
+  def respond_to?(method_name, include_all=false)
+    return false if method_name.to_sym == :email_changed?
+    super(method_name, include_all)
+  end
+end

data/test/dummy/lib/shared_user_without_omniauth.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module SharedUserWithoutOmniauth
+  extend ActiveSupport::Concern
+
+  included do
+    devise :database_authenticatable, :confirmable, :lockable, :recoverable,
+      :registerable, :rememberable, :timeoutable,
+      :trackable, :validatable, reconfirmable: false
+  end
+
+  def raw_confirmation_token
+    @raw_confirmation_token
+  end
+end

data/test/dummy/lib/shared_verification_fields.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require 'shared_user'
+
+module SharedVerificationFields
+  extend ActiveSupport::Concern
+
+  included do
+    include SharedUser
+    devise :paranoid_verification
+
+    field :paranoid_verified_at, type: Time
+    field :paranoid_verification_attempt, type: Integer, default: 0
+    field :paranoid_verification_code, type: String
+  end
+end

data/test/orm/active_record.rb

@@ -0,0 +1,12 @@
+require 'active_record'
+
+ActiveRecord::Migration.verbose = false
+ActiveRecord::Base.logger = Logger.new(nil)
+if Rails.gem_version >= Gem::Version.new('5.2.0')
+  ActiveRecord::MigrationContext.new(File.expand_path('../../dummy/db/migrate', __FILE__)).migrate
+else
+  ActiveRecord::Migrator.migrate(File.expand_path('../../dummy/db/migrate', __FILE__))
+end
+
+DatabaseCleaner[:active_record].strategy = :transaction
+ORMInvalidRecordException = ActiveRecord::RecordInvalid

data/test/orm/mongoid.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'mongoid/version'
+
+Mongoid.configure do |config|
+  config.load!('test/support/mongoid.yml', Rails.env)
+  config.use_utc = true
+  config.include_root_in_json = true
+end
+
+DatabaseCleaner[:mongoid].strategy = :truncation
+ORMInvalidRecordException = Mongoid::Errors::Validations

data/test/support/mongoid.yml

@@ -0,0 +1,6 @@
+test:
+  <%= Mongoid::VERSION.to_i > 4 ? 'clients' : 'sessions' %>:
+    default:
+      database: devise-test-suite
+      hosts:
+        - localhost:<%= ENV.fetch('MONGODB_PORT', '27017') %>

data/test/test_helper.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 ENV['RAILS_ENV'] ||= 'test'
+DEVISE_ORM = ENV.fetch('DEVISE_ORM',  'active_record').to_sym
 
 require 'simplecov'
 SimpleCov.start do
   add_filter 'gemfiles'
   add_group 'Tests', 'test'
-  add_group 'Password Expireable', "password_expirable"
+  add_group 'Password Archivable', 'password_archivable'
+  add_group 'Password Expirable', 'password_expirable'
 end
 
 if ENV['CI']
@@ -15,17 +17,22 @@ if ENV['CI']
   Coveralls.wear!
 end
 
+require 'pry'
 require 'dummy/config/environment'
 require 'minitest/autorun'
 require 'rails/test_help'
-
 require 'devise-security'
-require 'pry'
+require 'database_cleaner'
+require "orm/#{DEVISE_ORM}"
 
-ActiveRecord::Migration.verbose = false
-ActiveRecord::Base.logger = Logger.new(nil)
-if Rails.gem_version >= Gem::Version.new('5.2.0')
-  ActiveRecord::MigrationContext.new(File.expand_path('../dummy/db/migrate', __FILE__)).migrate
-else
-  ActiveRecord::Migrator.migrate(File.expand_path('../dummy/db/migrate', __FILE__))
+class Minitest::Test
+  def before_setup
+    DatabaseCleaner.start
+  end
+
+  def after_teardown
+    DatabaseCleaner.clean
+  end
 end
+
+DatabaseCleaner.clean

data/test/test_install_generator.rb

@@ -17,6 +17,7 @@ class TestInstallGenerator < Rails::Generators::TestCase
     assert_file 'config/locales/devise.security_extension.es.yml'
     assert_file 'config/locales/devise.security_extension.fr.yml'
     assert_file 'config/locales/devise.security_extension.it.yml'
+    assert_file 'config/locales/devise.security_extension.ja.yml'
     assert_file 'config/locales/devise.security_extension.tr.yml'
   end
 end

data/test/test_password_archivable.rb

@@ -3,6 +3,7 @@
 require 'test_helper'
 
 class TestPasswordArchivable < ActiveSupport::TestCase
+
   setup do
     Devise.password_archiving_count = 2
   end
@@ -19,7 +20,7 @@ class TestPasswordArchivable < ActiveSupport::TestCase
 
   test 'cannot use same password' do
     user = User.create email: 'bob@microsoft.com', password: 'Password1', password_confirmation: 'Password1'
-    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'Password1') }
+    assert_raises(ORMInvalidRecordException) { set_password(user,  'Password1') }
   end
 
   test 'indirectly saving associated user does not cause deprecation warning' do
@@ -37,17 +38,15 @@ class TestPasswordArchivable < ActiveSupport::TestCase
     assert_equal 0, OldPassword.count
   end
 
-  test 'cannot use archived passwords' do
+  test 'cannot reuse archived passwords' do
     assert_equal 2, Devise.password_archiving_count
 
     user = User.create! email: 'bob@microsoft.com', password: 'Password1', password_confirmation: 'Password1'
     assert_equal 0, OldPassword.count
-
     set_password(user,  'Password2')
     assert_equal 1, OldPassword.count
 
-    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'Password1') }
-
+    assert_raises(ORMInvalidRecordException) { set_password(user,  'Password1') }
     set_password(user,  'Password3')
     assert_equal 2, OldPassword.count
 
@@ -70,8 +69,8 @@ class TestPasswordArchivable < ActiveSupport::TestCase
 
     assert set_password(user,  'Password2')
 
-    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'Password2') }
+    assert_raises(ORMInvalidRecordException) { set_password(user,  'Password2') }
 
-    assert_raises(ActiveRecord::RecordInvalid) { set_password(user,  'Password1') }
+    assert_raises(ORMInvalidRecordException) { set_password(user,  'Password1') }
   end
 end

data/test/test_password_expirable.rb

@@ -58,12 +58,14 @@ class TestPasswordArchivable < ActiveSupport::TestCase
 
   test 'updating a record updates the time the password was changed if the password is changed' do
     user = User.create email: 'bob@microsoft.com', password: 'Password1', password_confirmation: 'Password1'
+    user.update(password_changed_at: Time.now.ago(3.months))
+    original_password_changed_at = user.password_changed_at
     user.expire_password!
     assert user.password_change_requested?
     user.password = "NewPassword1"
     user.password_confirmation = "NewPassword1"
     user.save
-    assert user.previous_changes.key?(:password_changed_at)
+    assert user.password_changed_at > original_password_changed_at
     refute user.password_change_requested?
   end
 

data/test/test_secure_validatable.rb

@@ -4,9 +4,10 @@ require 'test_helper'
 require 'rails_email_validator'
 
 class TestSecureValidatable < ActiveSupport::TestCase
-  class User < ActiveRecord::Base
+  class User < ApplicationRecord
     devise :database_authenticatable, :password_archivable,
            :paranoid_verification, :password_expirable, :secure_validatable
+    include ::Mongoid::Mappings if DEVISE_ORM == :mongoid
   end
 
   test 'email cannot be blank' do
@@ -15,7 +16,7 @@ class TestSecureValidatable < ActiveSupport::TestCase
 
     assert_equal(false, user.valid?)
     assert_equal([msg], user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) do
+    assert_raises(ORMInvalidRecordException) do
       user.save!
     end
   end
@@ -25,7 +26,7 @@ class TestSecureValidatable < ActiveSupport::TestCase
     user = User.create email: 'bob', password: 'passWord1', password_confirmation: 'passWord1'
     assert_equal(false, user.valid?)
     assert_equal([msg], user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) do
+    assert_raises(ORMInvalidRecordException) do
       user.save!
     end
   end
@@ -35,7 +36,7 @@ class TestSecureValidatable < ActiveSupport::TestCase
     user = User.create email: 'bob@@foo.tv', password: 'password1', password_confirmation: 'password1'
     assert_equal(false, user.valid?)
     assert_equal(msgs, user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+    assert_raises(ORMInvalidRecordException) { user.save! }
   end
 
   test 'password must have capital letter' do
@@ -43,7 +44,7 @@ class TestSecureValidatable < ActiveSupport::TestCase
     user = User.create email: 'bob@microsoft.com', password: 'password1', password_confirmation: 'password1'
     assert_equal(false, user.valid?)
     assert_equal(msgs, user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+    assert_raises(ORMInvalidRecordException) { user.save! }
   end
 
   test 'password must have lowercase letter' do
@@ -51,7 +52,7 @@ class TestSecureValidatable < ActiveSupport::TestCase
     user = User.create email: 'bob@microsoft.com', password: 'PASSWORD1', password_confirmation: 'PASSWORD1'
     assert_equal(false, user.valid?)
     assert_equal([msg], user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+    assert_raises(ORMInvalidRecordException) { user.save! }
   end
 
   test 'password must have number' do
@@ -59,15 +60,15 @@ class TestSecureValidatable < ActiveSupport::TestCase
     user = User.create email: 'bob@microsoft.com', password: 'PASSword', password_confirmation: 'PASSword'
     assert_equal(false, user.valid?)
     assert_equal([msg], user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+    assert_raises(ORMInvalidRecordException) { user.save! }
   end
 
   test 'password must have minimum length' do
-    msg = 'Password is too short (minimum is 6 characters)'
+    msg = 'Password is too short (minimum is 7 characters)'
     user = User.create email: 'bob@microsoft.com', password: 'Pa3zZ', password_confirmation: 'Pa3zZ'
     assert_equal(false, user.valid?)
     assert_equal([msg], user.errors.full_messages)
-    assert_raises(ActiveRecord::RecordInvalid) { user.save! }
+    assert_raises(ORMInvalidRecordException) { user.save! }
   end
 
   test 'duplicate email validation message is added only once' do
@@ -79,6 +80,6 @@ class TestSecureValidatable < ActiveSupport::TestCase
     SecureUser.create!(options)
     user = SecureUser.new(options)
     refute user.valid?
-    assert_equal ['Email has already been taken'], user.errors.full_messages
+    assert_equal DEVISE_ORM == :active_record ? ['Email has already been taken'] : ['Email is already taken'], user.errors.full_messages
   end
 end