RubyGems - devise-security - Versions diffs - 0.14.0.rc1 → 0.15.0 - Mend

devise-security 0.14.0.rc1 → 0.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (86) hide show

checksums.yaml +4 -4
data/README.md +116 -60
data/app/controllers/devise/password_expired_controller.rb +10 -1
data/app/views/devise/paranoid_verification_code/show.html.erb +3 -3
data/app/views/devise/password_expired/show.html.erb +5 -5
data/config/locales/by.yml +48 -0
data/config/locales/cs.yml +40 -0
data/config/locales/de.yml +12 -2
data/config/locales/en.yml +12 -1
data/config/locales/es.yml +9 -9
data/config/locales/fa.yml +40 -0
data/config/locales/hi.yml +41 -0
data/config/locales/it.yml +34 -4
data/config/locales/ja.yml +1 -1
data/config/locales/nl.yml +40 -0
data/config/locales/pt.yml +40 -0
data/config/locales/ru.yml +48 -0
data/config/locales/uk.yml +48 -0
data/config/locales/zh_CN.yml +40 -0
data/config/locales/zh_TW.yml +40 -0
data/lib/devise-security.rb +1 -0
data/lib/devise-security/controllers/helpers.rb +59 -50
data/lib/devise-security/hooks/password_expirable.rb +2 -0
data/lib/devise-security/hooks/session_limitable.rb +21 -10
data/lib/devise-security/models/compatibility.rb +2 -2
data/lib/devise-security/models/compatibility/{active_record.rb → active_record_patch.rb} +12 -1
data/lib/devise-security/models/compatibility/{mongoid.rb → mongoid_patch.rb} +11 -1
data/lib/devise-security/models/mongoid/old_password.rb +1 -1
data/lib/devise-security/models/password_expirable.rb +5 -1
data/lib/devise-security/models/session_limitable.rb +17 -2
data/lib/devise-security/schema.rb +1 -1
data/lib/devise-security/validators/password_complexity_validator.rb +4 -2
data/lib/devise-security/version.rb +1 -1
data/lib/generators/devise_security/install_generator.rb +2 -2
data/test/{test_captcha_controller.rb → controllers/test_captcha_controller.rb} +0 -0
data/test/controllers/test_password_expired_controller.rb +141 -0
data/test/{test_security_question_controller.rb → controllers/test_security_question_controller.rb} +0 -0
data/test/dummy/app/assets/config/manifest.js +3 -0
data/test/dummy/app/controllers/widgets_controller.rb +6 -0
data/test/dummy/app/models/user.rb +8 -0
data/test/dummy/config/application.rb +1 -0
data/test/dummy/config/routes.rb +4 -3
data/test/dummy/db/migrate/20120508165529_create_tables.rb +11 -2
data/test/dummy/log/test.log +1799 -0
data/test/integration/test_password_expirable_workflow.rb +57 -0
data/test/integration/test_session_limitable_workflow.rb +67 -0
data/test/orm/active_record.rb +4 -1
data/test/support/integration_helpers.rb +47 -0
data/test/test_compatibility.rb +13 -0
data/test/test_complexity_validator.rb +12 -0
data/test/test_helper.rb +21 -6
data/test/test_install_generator.rb +10 -0
data/test/test_session_limitable.rb +57 -0
data/test/tmp/config/initializers/devise-security.rb +44 -0
data/test/tmp/config/locales/devise.security_extension.de.yml +38 -0
data/test/tmp/config/locales/devise.security_extension.en.yml +40 -0
data/test/tmp/config/locales/devise.security_extension.es.yml +29 -0
data/test/tmp/config/locales/devise.security_extension.fa.yml +40 -0
data/test/tmp/config/locales/devise.security_extension.fr.yml +29 -0
data/test/tmp/config/locales/devise.security_extension.it.yml +40 -0
data/test/tmp/config/locales/devise.security_extension.ja.yml +29 -0
data/test/tmp/config/locales/devise.security_extension.nl.yml +40 -0
data/test/tmp/config/locales/devise.security_extension.pt.yml +40 -0
data/test/tmp/config/locales/devise.security_extension.ru.yml +48 -0
data/test/tmp/config/locales/devise.security_extension.tr.yml +17 -0
data/test/tmp/config/locales/devise.security_extension.uk.yml +48 -0
data/test/tmp/config/locales/devise.security_extension.zh_CN.yml +40 -0
metadata +165 -121
data/.codeclimate.yml +0 -63
data/.document +0 -5
data/.gitignore +0 -43
data/.mdlrc +0 -1
data/.rubocop.yml +0 -64
data/.ruby-version +0 -1
data/.travis.yml +0 -41
data/Appraisals +0 -35
data/Gemfile +0 -10
data/Rakefile +0 -28
data/devise-security.gemspec +0 -50
data/gemfiles/rails_4.2_stable.gemfile +0 -16
data/gemfiles/rails_5.0_stable.gemfile +0 -15
data/gemfiles/rails_5.1_stable.gemfile +0 -15
data/gemfiles/rails_5.2_stable.gemfile +0 -15
data/gemfiles/rails_6.0_beta.gemfile +0 -15
data/test/dummy/app/models/.gitkeep +0 -0
data/test/test_password_expired_controller.rb +0 -46

data/test/integration/test_password_expirable_workflow.rb ADDED

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestPasswordExpirableWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+  setup do
+    @user = User.create!(password: 'passWord1',
+                         password_confirmation: 'passWord1',
+                         email: 'bob@microsoft.com',
+                         password_changed_at: 4.months.ago) # the default expiration time is 3.months.ago
+    @user.confirm
+    assert @user.valid?
+    assert @user.need_change_password?
+  end
+  test 'sign in and change expired password' do
+    skip("Does not work in Rails < 5.0") if Rails.gem_version < Gem::Version.new('5.0')
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    follow_redirect!
+    assert_redirected_to(user_password_expired_path)
+    # @note This is not the same controller used by Devise for password changes
+    put '/users/password_expired', params: {
+      user: {
+        current_password: 'passWord1',
+        password: 'Password12345!',
+        password_confirmation: 'Password12345!',
+      },
+    }
+    assert_redirected_to(root_path)
+    @user.reload
+    assert_not @user.need_change_password?
+  end
+  test 'sign in and password is updated before redirect completes' do
+    skip("Does not work in Rails < 5.0") if Rails.gem_version < Gem::Version.new('5.0')
+    sign_in(@user)
+    assert_redirected_to(root_path)
+    # simulates an external process updating the password
+    @user.update(password_changed_at: Time.zone.now)
+    assert_not @user.need_change_password?
+    follow_redirect!
+    assert_response :success
+    # if the password is expired at this point they will be redirected to the
+    # password change controller.
+    get root_path
+    assert_response :success
+  end
+end

data/test/integration/test_session_limitable_workflow.rb ADDED

@@ -0,0 +1,67 @@
+require 'test_helper'
+class TestSessionLimitableWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+  setup do
+    @user = User.create!(password: 'passWord1',
+                         password_confirmation: 'passWord1',
+                         email: 'bob@microsoft.com')
+    @user.confirm
+  end
+  test 'failed login' do
+    assert_nil @user.unique_session_id
+    open_session do |session|
+      failed_sign_in(@user, session)
+      session.assert_response(:success)
+      assert_equal session.flash[:alert], I18n.t('devise.failure.invalid', authentication_keys: 'Email')
+      assert_nil @user.reload.unique_session_id
+    end
+  end
+  test 'successful login' do
+    assert_nil @user.unique_session_id
+    open_session do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      assert_not_nil @user.reload.unique_session_id
+    end
+  end
+  test 'session is logged out when another session is created' do
+    first_session = open_session
+    second_session = open_session
+    unique_session_id = nil
+    first_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      unique_session_id = @user.reload.unique_session_id
+      assert_not_nil unique_session_id
+    end
+    second_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      assert_not_equal unique_session_id, @user.reload.unique_session_id
+    end
+    first_session.tap do |session|
+      session.get widgets_path
+      session.assert_redirected_to new_user_session_path
+      assert_equal session.flash[:alert], I18n.t('devise.failure.session_limited')
+    end
+  end
+end

data/test/orm/active_record.rb CHANGED

@@ -2,7 +2,10 @@ require 'active_record'
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
-if Rails.gem_version >= Gem::Version.new('5.2.0')
+case
+when Rails.gem_version >= Gem::Version.new('6.0.0')
+  ActiveRecord::MigrationContext.new(File.expand_path('../../dummy/db/migrate', __FILE__), ActiveRecord::SchemaMigration).migrate
+when Rails.gem_version >= Gem::Version.new('5.2.0')
   ActiveRecord::MigrationContext.new(File.expand_path('../../dummy/db/migrate', __FILE__)).migrate
 else
   ActiveRecord::Migrator.migrate(File.expand_path('../../dummy/db/migrate', __FILE__))

data/test/support/integration_helpers.rb ADDED

@@ -0,0 +1,47 @@
+module IntegrationHelpers
+  # login the user.  This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  # @note accounts for differences in the integration test API between rails versions
+  def sign_in(user, session = integration_session)
+    if Rails.gem_version > Gem::Version.new('5.0')
+      session.post new_user_session_path, params: {
+        user: {
+          email: user.email,
+          password: user.password
+        }
+      }
+    else
+      session.post new_user_session_path, {
+        user: {
+          email: user.email,
+          password: user.password
+        }
+      }
+    end
+  end
+  # attempt to login the user with a bad password. This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  # @note accounts for differences in the integration test API between rails versions
+  def failed_sign_in(user, session)
+    if Rails.gem_version > Gem::Version.new('5.0')
+      session.post new_user_session_path, params: {
+        user: {
+          email: user.email,
+          password: 'bad-password'
+        }
+      }
+    else
+      session.post new_user_session_path, {
+        user: {
+          email: user.email,
+          password: 'bad-password'
+        }
+      }
+    end
+  end
+end

data/test/test_compatibility.rb ADDED

@@ -0,0 +1,13 @@
+require 'test_helper'
+class TestCompatibility < ActiveSupport::TestCase
+  test 'can access ActiveRecord namespace' do
+    skip unless DEVISE_ORM == :active_record
+    assert_nothing_raised { User.new.some_method_calling_active_record }
+  end
+  test 'can access Mongoid namespace' do
+    skip unless DEVISE_ORM == :mongoid
+    assert_nothing_raised { User.new.some_method_calling_mongoid }
+  end
+end

data/test/test_complexity_validator.rb CHANGED

@@ -37,6 +37,12 @@ class PasswordComplexityValidatorTest < Minitest::Test
     assert(ModelWithPassword.new('aaa1').valid?)
   end
+  def test_enforces_digits
+    ModelWithPassword.validates :password, 'devise_security/password_complexity': { digits: 2 }
+    refute(ModelWithPassword.new('aaa1').valid?)
+    assert(ModelWithPassword.new('aa12').valid?)
+  end
   def test_enforces_lower
     ModelWithPassword.validates :password, 'devise_security/password_complexity': { lower: 1 }
     refute(ModelWithPassword.new('AAAA').valid?)
@@ -49,6 +55,12 @@ class PasswordComplexityValidatorTest < Minitest::Test
     assert(ModelWithPassword.new('aaa!').valid?)
   end
+  def test_enforces_symbols
+    ModelWithPassword.validates :password, 'devise_security/password_complexity': { symbols: 2 }
+    refute(ModelWithPassword.new('aaa!').valid?)
+    assert(ModelWithPassword.new('aa!?').valid?)
+  end
   def test_enforces_combination
     ModelWithPassword.validates :password, 'devise_security/password_complexity': { lower: 1, upper: 1, digit: 1, symbol: 1 }
     refute(ModelWithPassword.new('abcd').valid?)

data/test/test_helper.rb CHANGED

@@ -1,20 +1,29 @@
 # frozen_string_literal: true
 ENV['RAILS_ENV'] ||= 'test'
-DEVISE_ORM = ENV.fetch('DEVISE_ORM',  'active_record').to_sym
 require 'simplecov'
 SimpleCov.start do
   add_filter 'gemfiles'
+  add_filter 'test/dummy/db'
+  add_group 'ActiveRecord', 'active_record'
+  add_group 'Expirable', /(?<!password_)expirable/
+  add_group 'Mongoid', 'mongoid'
+  add_group 'Paranoid Verifiable', 'paranoid_verification'
+  add_group 'Password Archivable', /password_archivable|old_password/
+  add_group 'Password Expirable', /password_expirable|password_expired/
+  add_group 'Secure Validateable', 'secure_validatable'
+  add_group 'Security Questionable', 'security_question'
+  add_group 'Session Limitable', 'session_limitable'
   add_group 'Tests', 'test'
-  add_group 'Password Archivable', 'password_archivable'
-  add_group 'Password Expirable', 'password_expirable'
 end
 if ENV['CI']
-  require 'coveralls'
-  SimpleCov.formatter = Coveralls::SimpleCov::Formatter
-  Coveralls.wear!
+  require 'simplecov'
+  require 'simplecov-lcov'
+  SimpleCov.formatter = SimpleCov::Formatter::LcovFormatter
+  SimpleCov::Formatter::LcovFormatter.config.report_with_single_file = true
+  SimpleCov.start
 end
 require 'pry'
@@ -25,6 +34,12 @@ require 'devise-security'
 require 'database_cleaner'
 require "orm/#{DEVISE_ORM}"
+if Rails.gem_version >= Gem::Version.new('5.0.0')
+  require 'rails-controller-testing'
+  Rails::Controller::Testing.install
+end
+require 'support/integration_helpers'
 class Minitest::Test
   def before_setup
     DatabaseCleaner.start

data/test/test_install_generator.rb CHANGED

@@ -12,12 +12,22 @@ class TestInstallGenerator < Rails::Generators::TestCase
   test 'Assert all files are properly created' do
     run_generator
     assert_file 'config/initializers/devise-security.rb'
+    assert_file 'config/locales/devise.security_extension.by.yml'
+    assert_file 'config/locales/devise.security_extension.cs.yml'
     assert_file 'config/locales/devise.security_extension.de.yml'
     assert_file 'config/locales/devise.security_extension.en.yml'
     assert_file 'config/locales/devise.security_extension.es.yml'
+    assert_file 'config/locales/devise.security_extension.fa.yml'
     assert_file 'config/locales/devise.security_extension.fr.yml'
+    assert_file 'config/locales/devise.security_extension.hi.yml'
     assert_file 'config/locales/devise.security_extension.it.yml'
     assert_file 'config/locales/devise.security_extension.ja.yml'
+    assert_file 'config/locales/devise.security_extension.nl.yml'
+    assert_file 'config/locales/devise.security_extension.pt.yml'
+    assert_file 'config/locales/devise.security_extension.ru.yml'
     assert_file 'config/locales/devise.security_extension.tr.yml'
+    assert_file 'config/locales/devise.security_extension.uk.yml'
+    assert_file 'config/locales/devise.security_extension.zh_CN.yml'
+    assert_file 'config/locales/devise.security_extension.zh_TW.yml'
   end
 end

data/test/test_session_limitable.rb ADDED

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+require 'test_helper'
+class TestSessionLimitable < ActiveSupport::TestCase
+  class ModifiedUser < User
+    def skip_session_limitable?
+      true
+    end
+  end
+  test 'check is not skipped by default' do
+    user = User.create email: 'bob@microsoft.com', password: 'password1', password_confirmation: 'password1'
+    assert_equal(false, user.skip_session_limitable?)
+  end
+  test 'default check can be overridden by record instance' do
+    modified_user = ModifiedUser.create email: 'bob2@microsoft.com', password: 'password1', password_confirmation: 'password1'
+    assert_equal(true, modified_user.skip_session_limitable?)
+  end
+  class SessionLimitableUser < User
+    devise :session_limitable
+    include ::Mongoid::Mappings if DEVISE_ORM == :mongoid
+  end
+  test 'includes Devise::Models::Compatibility' do
+    assert_kind_of(Devise::Models::Compatibility, SessionLimitableUser.new)
+  end
+  test '#update_unique_session_id!(value) updates valid record' do
+    user = User.create! password: 'passWord1', password_confirmation: 'passWord1', email: 'bob@microsoft.com'
+    assert user.persisted?
+    assert_nil user.unique_session_id
+    user.update_unique_session_id!('unique_value')
+    user.reload
+    assert_equal user.unique_session_id, 'unique_value'
+  end
+  test '#update_unique_session_id!(value) updates invalid record atomically' do
+    user = User.create! password: 'passWord1', password_confirmation: 'passWord1', email: 'bob@microsoft.com'
+    assert user.persisted?
+    user.email = ''
+    assert user.invalid?
+    assert_nil user.unique_session_id
+    user.update_unique_session_id!('unique_value')
+    user.reload
+    assert_equal user.email, 'bob@microsoft.com'
+    assert_equal user.unique_session_id, 'unique_value'
+  end
+  test '#update_unique_session_id!(value) raises an exception on an unpersisted record' do
+    user = User.create
+    assert !user.persisted?
+    assert_raises(Devise::Models::Compatibility::NotPersistedError) { user.update_unique_session_id!('unique_value') }
+  end
+end

data/test/tmp/config/initializers/devise-security.rb ADDED

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+  # Deny old passwords (true, false, number_of_old_passwords_to_check)
+  # Examples:
+  # config.deny_old_passwords = false # allow old passwords
+  # config.deny_old_passwords = true # will deny all the old passwords
+  # config.deny_old_passwords = 3 # will deny new passwords that matches with the last 3 passwords
+  # config.deny_old_passwords = true
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
+  # config.email_validation = true
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end

data/test/tmp/config/locales/devise.security_extension.de.yml ADDED

@@ -0,0 +1,38 @@
+de:
+  errors:
+    messages:
+      taken_in_past: 'wurde bereits in der Vergangenheit verwendet.'
+      equal_to_current_password: 'darf nicht dem aktuellen Passwort entsprechen.'
+      password_complexity:
+        digit:
+          one: muss mindestens eine Ziffer enthalten
+          other: muss mindestens %{count} Ziffern enthalten
+        lower:
+          one: muss mindestens einen Kleinbuchstaben enthalten
+          other: muss mindestens %{count} Kleinbuchstaben enthalten
+        symbol:
+          one: muss mindestens ein Sonderzeichen enthalten
+          other: muss mindestens %{count} Sonderzeichen enthalten
+        upper:
+          one: muss mindestens einen Großbuchstaben enthalten
+          other: muss mindestens %{count} Großbuchstaben enthalten
+  devise:
+    invalid_captcha: 'Die Captcha-Eingabe ist nicht gültig.'
+    paranoid_verify:
+      code_required: 'Bitte geben Sie den Code ein, den unser Support-Team zur Verfügung gestellt hat.'
+      show:
+        submit_verification_code: Bestätigungscode eingeben
+        verification_code: Bestätigungscode
+        submit: Bestätigen
+    password_expired:
+      updated: 'Das neue Passwort wurde übernommen.'
+      change_required: 'Ihr Passwort ist abgelaufen. Bitte vergeben Sie ein neues Passwort.'
+      show:
+        renew_your_password: Vergeben Sie ein neues Passwort
+        current_password: Aktuelles Passwort
+        new_password: Neues Passwort
+        new_password_confirmation: Passwort bestätigen
+        change_my_password: Passwort ändern
+    failure:
+      session_limited: 'Ihre Anmeldedaten wurden in einem anderen Browser genutzt. Bitte melden Sie sich erneut an, um in diesem Browser fortzufahren.'
+      expired: 'Ihr Account ist aufgrund zu langer Inaktivität abgelaufen. Bitte kontaktieren Sie den Administrator.'

data/test/tmp/config/locales/devise.security_extension.en.yml ADDED

@@ -0,0 +1,40 @@
+en:
+  errors:
+    messages:
+      taken_in_past: 'was used previously.'
+      equal_to_current_password: 'must be different than the current password.'
+      password_complexity:
+        digit:
+          one: must contain at least one digit
+          other: must contain at least %{count} numerals
+        lower:
+          one: must contain at least one lower-case letter
+          other: must contain at least %{count} lower-case letters
+        symbol:
+          one: must contain at least one punctuation mark or symbol
+          other: must contain at least %{count} punctuation marks or symbols
+        upper:
+          one: must contain at least one upper-case letter
+          other: must contain at least %{count} upper-case letters
+  devise:
+    invalid_captcha: 'The captcha input was invalid.'
+    invalid_security_question: 'The security question answer was invalid.'
+    paranoid_verify:
+      code_required: 'Please enter the code our support team provided'
+    paranoid_verification_code:
+      show:
+        submit_verification_code: Submit verification code
+        verification_code: Verification code
+        submit: Submit
+    password_expired:
+      updated: 'Your new password is saved.'
+      change_required: 'Your password is expired. Please renew your password.'
+      show:
+        renew_your_password: Renew your password
+        current_password: Current password
+        new_password: New password
+        new_password_confirmation: Confirm new password
+        change_my_password: Change my password
+    failure:
+      session_limited: 'Your login credentials were used in another browser. Please sign in again to continue in this browser.'
+      expired: 'Your account has expired due to inactivity. Please contact the site administrator.'