devise-security 0.14.0 → 0.16.0

data/lib/devise-security/models/secure_validatable.rb

@@ -55,6 +55,9 @@ module Devise
 
           # don't allow use same password
           validate :current_equal_password_validation
+
+          # don't allow email to equal password
+          validate :email_not_equal_password_validation unless allow_passwords_equal_to_email
         end
       end
 
@@ -70,6 +73,17 @@ module Devise
         self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
       end
 
+      def email_not_equal_password_validation
+        return if password.blank? || (!new_record? && !will_save_change_to_encrypted_password?)
+        dummy = self.class.new.tap do |user|
+          user.password_salt = password_salt if respond_to?(:password_salt)
+          # whether case_insensitive_keys or strip_whitespace_keys include email or not, any
+          # variation of the email should not be a supported password
+          user.password = email.downcase.strip
+        end
+        self.errors.add(:password, :equal_to_email) if dummy.valid_password?(password.downcase.strip)
+      end
+
       protected
 
       # Checks whether a password is needed or not. For validations only.
@@ -84,7 +98,7 @@ module Devise
       end
 
       module ClassMethods
-        Devise::Models.config(self, :password_complexity, :password_length, :email_validation)
+        Devise::Models.config(self, :password_complexity, :password_length, :email_validation, :allow_passwords_equal_to_email)
 
         private
 

data/lib/devise-security/models/session_limitable.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'compatibility'
 require 'devise-security/hooks/session_limitable'
 
 module Devise
@@ -11,13 +12,27 @@ module Devise
     # someone used his credentials to sign in.
     module SessionLimitable
       extend ActiveSupport::Concern
+      include Devise::Models::Compatibility
 
+      # Update the unique_session_id on the model.  This will be checked in
+      # the Warden after_set_user hook in {file:devise-security/hooks/session_limitable}
+      # @param unique_session_id [String]
+      # @return [void]
+      # @raise [Devise::Models::Compatibility::NotPersistedError] if record is unsaved
       def update_unique_session_id!(unique_session_id)
-        self.unique_session_id = unique_session_id
+        raise Devise::Models::Compatibility::NotPersistedError, 'cannot update a new record' unless persisted?
 
-        save(validate: false)
+        update_attribute_without_validatons_or_callbacks(:unique_session_id, unique_session_id).tap do
+          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}" }
+        end
       end
 
+      # Should session_limitable be skipped for this instance?
+      # @return [Boolean]
+      # @return [false] by default. This can be overridden by application logic as necessary.
+      def skip_session_limitable?
+        false
+      end
     end
   end
 end

data/lib/devise-security/validators/password_complexity_validator.rb

@@ -3,17 +3,19 @@
 # Password complexity validator
 # Options:
 # - digit:  minimum number of digits in the validated string
+# - digits: minimum number of digits in the validated string
 # - lower:  minimum number of lower-case letters in the validated string
 # - symbol: minimum number of punctuation characters or symbols in the validated string
+# - symbols: minimum number of punctuation characters or symbols in the validated string
 # - upper:  minimum number of upper-case letters in the validated string
 class DeviseSecurity::PasswordComplexityValidator < ActiveModel::EachValidator
   PATTERNS = {
     digit: /\p{Digit}/,
     digits: /\p{Digit}/,
     lower: /\p{Lower}/,
-    upper: /\p{Upper}/,
     symbol: /\p{Punct}|\p{S}/,
-    symbols: /\p{Punct}|\p{S}/
+    symbols: /\p{Punct}|\p{S}/,
+    upper: /\p{Upper}/
   }.freeze
 
   def validate_each(record, attribute, value)

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.14.0'
+  VERSION = '0.16.0'
 end

data/lib/generators/devise_security/install_generator.rb

@@ -4,14 +4,14 @@ module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      LOCALES = %w[en es de fr it ja tr].freeze
+      LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
       source_root File.expand_path('../../templates', __FILE__)
       desc 'Install the devise security extension'
 
       def copy_initializer
-        template('devise-security.rb',
-                 'config/initializers/devise-security.rb',
+        template('devise_security.rb',
+                 'config/initializers/devise_security.rb',
         )
       end
 

data/lib/generators/templates/devise_security.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
+
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+
+  # Deny old passwords (true, false, number_of_old_passwords_to_check)
+  # Examples:
+  # config.deny_old_passwords = false # allow old passwords
+  # config.deny_old_passwords = true # will deny all the old passwords
+  # config.deny_old_passwords = 3 # will deny new passwords that matches with the last 3 passwords
+  # config.deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
+  # config.email_validation = true
+
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+
+  # Allow password to equal the email
+  # config.allow_passwords_equal_to_email = false
+end

data/test/controllers/test_password_expired_controller.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Devise::PasswordExpiredControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    @user = User.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      password_changed_at: 4.months.ago,
+      confirmed_at: 5.months.ago,
+    )
+    assert @user.valid?
+    assert @user.need_change_password?
+
+    sign_in(@user)
+  end
+
+  test 'redirects on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'redirects on show if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'should render show' do
+    get :show
+    assert_includes @response.body, 'Renew your password'
+  end
+
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    put :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    put :update
+    assert_redirected_to :root
+  end
+
+  test 'update password with default format' do
+    put :update,
+        params: {
+          user: {
+            current_password: 'Password4',
+            password: 'Password5',
+            password_confirmation: 'Password5',
+          },
+        }
+    assert_redirected_to root_path
+    assert_equal response.media_type, 'text/html'
+  end
+
+  test 'password confirmation does not match' do
+    put :update,
+        params: {
+          user: {
+            current_password: 'Password4',
+            password: 'Password5',
+            password_confirmation: 'Password6',
+          },
+        }
+
+    assert_response :success
+    assert_template :show
+    assert_equal response.media_type, 'text/html'
+  end
+
+  test 'update password using JSON format' do
+    put :update,
+        format: :json,
+        params: {
+          user: {
+            current_password: 'Password4',
+            password: 'Password5',
+            password_confirmation: 'Password5',
+          },
+        }
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+
+  test 'update password using XML format' do
+    put :update,
+        format: :xml,
+        params: {
+          user: {
+            current_password: 'Password4',
+            password: 'Password5',
+            password_confirmation: 'Password5',
+          },
+        }
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+end

data/test/{test_security_question_controller.rb → controllers/test_security_question_controller.rb}

@@ -8,44 +8,28 @@ class TestWithSecurityQuestion < ActionController::TestCase
 
   setup do
     @user = SecurityQuestionUser.create!(username: 'hello', email: 'hello@microsoft.com',
-                        password: 'A1234567z!', security_question_answer: 'Right Answer')
+                                         password: 'A1234567z!', security_question_answer: 'Right Answer')
     @user.lock_access!
     assert @user.locked_at.present?
     @request.env['devise.mapping'] = Devise.mappings[:security_question_user]
   end
 
   test 'When security question is enabled, it is inserted correctly' do
-    if Rails.gem_version.release <= Gem::Version.new('5.0')
-      post :create, {
-        security_question_user: {
-          email: @user.email
-        }, security_question_answer: "wrong answer"
-      }
-    else
-      post :create, params: {
-        security_question_user: {
-          email: @user.email
-        }, security_question_answer: "wrong answer"
-      }
-    end
+    post :create, params: {
+      security_question_user: {
+        email: @user.email,
+      }, security_question_answer: 'wrong answer'
+    }
     assert_equal I18n.t('devise.invalid_security_question'), flash[:alert]
     assert_redirected_to new_security_question_user_unlock_path
   end
 
   test 'When security_question is valid, it runs as normal' do
-    if Rails.gem_version.release <= Gem::Version.new('5.0')
-      post :create, {
-        security_question_user: {
-          email: @user.email
-        }, security_question_answer: @user.security_question_answer
-      }
-    else
-      post :create, params: {
-        security_question_user: {
-          email: @user.email
-        }, security_question_answer: @user.security_question_answer
-      }
-    end
+    post :create, params: {
+      security_question_user: {
+        email: @user.email,
+      }, security_question_answer: @user.security_question_answer
+    }
 
     assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
     assert_redirected_to new_security_question_user_session_path
@@ -64,19 +48,11 @@ class TestWithoutSecurityQuestion < ActionController::TestCase
   end
 
   test 'When security question is not enabled it is not inserted' do
-    if Rails.gem_version.release <= Gem::Version.new('5.0')
-      post :create, {
-        user: {
-          email: @user.email
-        }
-      }
-    else
-      post :create, params: {
-        user: {
-          email: @user.email
-        }
-      }
-    end
+    post :create, params: {
+      user: {
+        email: @user.email,
+      },
+    }
 
     assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
     assert_redirected_to new_user_session_path

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+// = link_tree ../images
+// = link_directory ../javascripts .js
+// = link_directory ../stylesheets .css

data/test/dummy/app/controllers/widgets_controller.rb

@@ -0,0 +1,6 @@
+class WidgetsController < ApplicationController
+  before_action :authenticate_user!
+  def show
+    render plain: 'success'
+  end
+end

data/test/dummy/app/models/user.rb

@@ -25,5 +25,13 @@ class User < ApplicationRecord
   if DEVISE_ORM == :mongoid
     require './test/dummy/app/models/mongoid/mappings'
     include ::Mongoid::Mappings
+    
+    def some_method_calling_mongoid
+      Mongoid.logger
+    end
+  elsif DEVISE_ORM == :active_record
+    def some_method_calling_active_record
+      ActiveRecord::Base.transaction {}
+    end
   end
 end

data/test/dummy/config/application.rb

@@ -5,6 +5,7 @@ require File.expand_path('../boot', __FILE__)
 require 'action_mailer/railtie'
 require "action_mailer/railtie"
 require "rails/test_unit/railtie"
+DEVISE_ORM = ENV.fetch('DEVISE_ORM', 'active_record').to_sym
 
 Bundler.require :default, DEVISE_ORM
 require "#{DEVISE_ORM}/railtie"

data/test/dummy/config/environments/test.rb

@@ -4,13 +4,8 @@ RailsApp::Application.configure do
   config.cache_classes = true
   config.eager_load = false
 
-  if Rails.version > '5'
-    config.public_file_server.enabled = true
-    config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
-  else
-    config.serve_static_files = true
-    config.static_cache_control = 'public, max-age=3600'
-  end
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = { 'Cache-Control' => 'public, max-age=3600' }
 
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
@@ -27,11 +22,6 @@ RailsApp::Application.configure do
 
   config.active_support.test_order = :sorted
   config.log_level = :debug
-  if Rails.gem_version >= Gem::Version.new('4.2') && Rails.gem_version.release < Gem::Version.new('5.0')
-    config.active_record.raise_in_transactional_callbacks = true
-  end
-  if Rails.gem_version.release >= Gem::Version.new('5.2') && Rails.gem_version.release < Gem::Version.new('6.0')
-    config.active_record.sqlite3.represent_boolean_as_integer = true
-  end
+  config.active_record.sqlite3.represent_boolean_as_integer = true if Rails.gem_version.release >= Gem::Version.new('5.2') && Rails.gem_version.release < Gem::Version.new('6.0')
 end
 ActiveSupport::Deprecation.debug = true

data/test/dummy/config/initializers/migration_class.rb

@@ -1,10 +1,3 @@
 # frozen_string_literal: true
 
-if DEVISE_ORM == :active_record
-  MIGRATION_CLASS =
-    if Rails.gem_version >= Gem::Version.new('5.0')
-      ActiveRecord::Migration[Rails.version.to_f]
-    else
-      ActiveRecord::Migration
-    end
-end
+MIGRATION_CLASS = ActiveRecord::Migration[Rails.version.to_f] if DEVISE_ORM == :active_record