devise-security 0.14.1 → 0.14.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc16bc5c313bb9834b1ab7aedb0e84ff51b9e2f9a2574cea1191bd9c9ac59f81
-  data.tar.gz: 0b2129cc1557cf83338be9cf88792bdb60dca838c06b9903ec8b189289389572
+  metadata.gz: 5aa65f547b5acbc4207678cda6b4af888f94f3c18a7ebb1ccd80888433cf350f
+  data.tar.gz: ce3b96b475d683ba121c3db9477915c44c52ac27c9244a54f5c613e76a0e86e4
 SHA512:
-  metadata.gz: fe84191b2373f752b0de75b0d6072dfffe52ca2f76a332dde63db79e39d1ae9e80c7878f011e586080e8b9a7b8fbd488c0f02a3a47a2924a322ab188c9cbb17f
-  data.tar.gz: 2eece1cf95ebbbca4f1f0a6f03e780d5f24b2e8ba1134fe381d6cd2966e43aee7ef1d6f0d1bdedeb683bd634af7544143fb60e7b2b2c53585719dcfd390b76e6
+  metadata.gz: 540d6e0534dd9c37d28e7281ada99959d73f6afb0de030f406305e689c237afda6ea94fc3f84f4392c4a5cea2243191aa1aaae4bf0f9e77efb41a41cff2e8497
+  data.tar.gz: 6064b218564eb7c9b3d8b849185d4fe3bbd49c466e47716a6ee666dcbc5f02f27d7015dde4f32238c95f6189b32516afcf3101c2dea0cb0bd78e9f9bd2d70cfd

data/README.md

@@ -195,7 +195,7 @@ add_index :old_passwords, [:password_archivable_type, :password_archivable_id],
 create_table :the_resources do |t|
   # other devise fields
 
-  t.string :unique_session_id, limit: 20
+  t.string :unique_session_id
 end
 ```
 

data/Rakefile

@@ -12,7 +12,7 @@ task default: :test
 Rake::TestTask.new(:test) do |t|
   t.libs << 'lib'
   t.libs << 'test'
-  t.test_files = FileList['test/*test*.rb']
+  t.test_files = FileList['test/*test*.rb', 'test/**/*test*.rb']
   t.verbose = true
   t.warning = false
 end

data/gemfiles/rails_6.0_beta.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "rails", "~> 6.0.0.beta1"
+gem "rails", "~> 6.0.0.rc1"
 
 group :active_record do
   gem "sqlite3", "~> 1.3.0"

data/lib/devise-security/hooks/session_limitable.rb

@@ -1,9 +1,8 @@
 # frozen_string_literal: true
 
-# After each sign in, update unique_session_id.
-# This is only triggered when the user is explicitly set (with set_user)
-# and on authentication. Retrieving the user from session (:fetch) does
-# not trigger it.
+# After each sign in, update unique_session_id. This is only triggered when the
+# user is explicitly set (with set_user) and on authentication. Retrieving the
+# user from session (:fetch) does not trigger it.
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
     unique_session_id = Devise.friendly_token
@@ -12,15 +11,21 @@ Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   end
 end
 
-# Each time a record is fetched from session we check if a new session from another
-# browser was opened for the record or not, based on a unique session identifier.
-# If so, the old account is logged out and redirected to the sign in page on the next request.
+# Each time a record is fetched from session we check if a new session from
+# another browser was opened for the record or not, based on a unique session
+# identifier. If so, the old account is logged out and redirected to the sign in
+# page on the next request.
 Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
 
   if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+      Rails.logger.warn { 
+        "[devise-security][session_limitable] session id mismatch: "\
+        "expected=#{record.unique_session_id.inspect} "\
+        "actual=#{warden.session(scope)['unique_session_id'].inspect}" 
+      }
       warden.raw_session.clear
       warden.logout(scope)
       throw :warden, scope: scope, message: :session_limited

data/lib/devise-security/models/compatibility.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "compatibility/#{DEVISE_ORM}"
+require_relative "compatibility/#{DEVISE_ORM}_patch"
 
 module Devise
   module Models
@@ -9,7 +9,7 @@ module Devise
     # and/or older versions of ORMs.
     module Compatibility
       extend ActiveSupport::Concern
-      include "Devise::Models::Compatibility::#{DEVISE_ORM.to_s.classify}".constantize
+      include "Devise::Models::Compatibility::#{DEVISE_ORM.to_s.classify}Patch".constantize
     end
   end
 end

data/lib/devise-security/models/compatibility/{active_record.rb → active_record_patch.rb}

@@ -1,7 +1,10 @@
 module Devise
   module Models
     module Compatibility
-      module ActiveRecord
+
+      class NotPersistedError < ActiveRecord::ActiveRecordError; end
+
+      module ActiveRecordPatch
         extend ActiveSupport::Concern
         unless Devise.activerecord51?
           # When the record was saved, was the +encrypted_password+ changed?
@@ -23,6 +26,14 @@ module Devise
             changed_attributes['encrypted_password'].present?
           end
         end
+
+        # Updates the record with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          update_column(name, value)
+        end
+
       end
     end
   end

data/lib/devise-security/models/compatibility/{mongoid.rb → mongoid_patch.rb}

@@ -1,7 +1,10 @@
 module Devise
   module Models
     module Compatibility
-      module Mongoid
+
+      class NotPersistedError < Mongoid::Errors::MongoidError; end
+
+      module MongoidPatch
         extend ActiveSupport::Concern
 
         # Will saving this record change the +email+ attribute?
@@ -15,6 +18,13 @@ module Devise
         def will_save_change_to_encrypted_password?
           changed.include? 'encrypted_password'
         end
+
+        # Updates the document with the value and does not trigger validations or callbacks
+        # @param name [Symbol] attribute to update
+        # @param value [String] value to set
+        def update_attribute_without_validatons_or_callbacks(name, value)
+          set(Hash[*[name, value]])
+        end
       end
     end
   end

data/lib/devise-security/models/session_limitable.rb

@@ -12,10 +12,16 @@ module Devise
     module SessionLimitable
       extend ActiveSupport::Concern
 
+      # Update the unique_session_id on the model.  This will be checked in
+      # the Warden after_set_user hook in {file:devise-security/hooks/session_limitable}
+      # @param unique_session_id [String]
+      # @return [void]
+      # @raise [Devise::Models::Compatibility::NotPersistedError] if record is unsaved
       def update_unique_session_id!(unique_session_id)
-        self.unique_session_id = unique_session_id
-
-        save(validate: false)
+        raise Devise::Models::Compatibility::NotPersistedError, 'cannot update a new record' unless persisted?
+        update_attribute_without_validatons_or_callbacks(:unique_session_id, unique_session_id).tap do
+          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}"}
+        end
       end
 
     end

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.14.1'
+  VERSION = '0.14.2'
 end

data/test/dummy/app/controllers/widgets_controller.rb

@@ -0,0 +1,6 @@
+class WidgetsController < ApplicationController
+  before_action :authenticate_user!
+  def show
+    render plain: 'success'
+  end
+end

data/test/dummy/app/models/user.rb

@@ -25,5 +25,13 @@ class User < ApplicationRecord
   if DEVISE_ORM == :mongoid
     require './test/dummy/app/models/mongoid/mappings'
     include ::Mongoid::Mappings
+    
+    def some_method_calling_mongoid
+      Mongoid.logger
+    end
+  elsif DEVISE_ORM == :active_record
+    def some_method_calling_active_record
+      ActiveRecord::Base.transaction {}
+    end
   end
 end

data/test/dummy/config/routes.rb

@@ -7,6 +7,7 @@ RailsApp::Application.routes.draw do
   devise_for :security_question_users, only: [:sessions, :unlocks], controllers: { unlocks: "security_question/unlocks" }
 
   resources :foos
+  resource :widgets
 
   root to: 'foos#index'
 end

data/test/dummy/db/migrate/20120508165529_create_tables.rb

@@ -5,13 +5,22 @@ class CreateTables < MIGRATION_CLASS
     create_table :users do |t|
       t.string :username
       t.string :facebook_token
-      t.string :unique_session_id, :limit => 20
+
+      # session_limitable
+      t.string :unique_session_id
 
       ## Database authenticatable
       t.string :email,              null: false, default: ''
       t.string :encrypted_password, null: false, default: ''
 
       t.datetime :password_changed_at
+
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+      t.integer :sign_in_count, default: 0
+      t.integer :failed_attempts, default: 0
       t.timestamps null: false
     end
     add_index :users, :password_changed_at

data/test/integration/test_session_limitable_workflow.rb

@@ -0,0 +1,67 @@
+require 'test_helper'
+
+class TestSessionLimitableWorkflow < ActionDispatch::IntegrationTest
+  include IntegrationHelpers
+
+  setup do
+    @user = User.create!(password: 'passWord1',
+                         password_confirmation: 'passWord1',
+                         email: 'bob@microsoft.com')
+    @user.confirm
+  end
+
+  test 'failed login' do
+    assert_nil @user.unique_session_id
+
+    open_session do |session|
+      failed_sign_in(@user, session)
+      session.assert_response(:success)
+      assert_equal session.flash[:alert], I18n.t('devise.failure.invalid', authentication_keys: 'Email')
+      assert_nil @user.reload.unique_session_id
+    end
+  end
+
+  test 'successful login' do
+    assert_nil @user.unique_session_id
+
+    open_session do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      assert_not_nil @user.reload.unique_session_id
+    end
+  end
+
+  test 'session is logged out when another session is created' do
+    first_session = open_session
+    second_session = open_session
+    unique_session_id = nil
+
+    first_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      unique_session_id = @user.reload.unique_session_id
+      assert_not_nil unique_session_id
+    end
+
+    second_session.tap do |session|
+      sign_in(@user, session)
+      session.assert_redirected_to '/'
+      session.get widgets_path
+      session.assert_response(:success)
+      assert_equal session.response.body, 'success'
+      assert_not_equal unique_session_id, @user.reload.unique_session_id
+    end
+
+    first_session.tap do |session|
+      session.get widgets_path
+      session.assert_redirected_to new_user_session_path
+      assert_equal session.flash[:alert], I18n.t('devise.failure.session_limited')
+    end
+  end
+end

data/test/support/integration_helpers.rb

@@ -0,0 +1,47 @@
+module IntegrationHelpers
+  # login the user.  This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  # @note accounts for differences in the integration test API between rails versions
+  def sign_in(user, session)
+    if Rails.gem_version > Gem::Version.new('5.0')
+      session.post new_user_session_path, params: {
+        user: {
+          email: user.email,
+          password: user.password
+        }
+      }
+    else
+      session.post new_user_session_path, {
+        user: {
+          email: user.email,
+          password: user.password
+        }
+      }
+    end
+  end
+
+  # attempt to login the user with a bad password. This will exercise all the Warden Hooks
+  # @param user [User]
+  # @param session [ActionDispatch::Integration::Session]
+  # @return [void]
+  # @note accounts for differences in the integration test API between rails versions
+  def failed_sign_in(user, session)
+    if Rails.gem_version > Gem::Version.new('5.0')
+      session.post new_user_session_path, params: {
+        user: {
+          email: user.email,
+          password: 'bad-password'
+        }
+      }
+    else
+      session.post new_user_session_path, {
+        user: {
+          email: user.email,
+          password: 'bad-password'
+        }
+      }
+    end
+  end
+end

data/test/test_compatibility.rb

@@ -0,0 +1,13 @@
+require 'test_helper'
+
+class TestCompatibility < ActiveSupport::TestCase
+  test 'can access ActiveRecord namespace' do
+    skip unless DEVISE_ORM == :active_record
+    assert_nothing_raised { User.new.some_method_calling_active_record }
+  end
+
+  test 'can access Mongoid namespace' do
+    skip unless DEVISE_ORM == :mongoid
+    assert_nothing_raised { User.new.some_method_calling_mongoid }
+  end
+end

data/test/test_helper.rb

@@ -5,9 +5,17 @@ ENV['RAILS_ENV'] ||= 'test'
 require 'simplecov'
 SimpleCov.start do
   add_filter 'gemfiles'
+  add_filter 'test/dummy/db'
+  add_group 'ActiveRecord', 'active_record'
+  add_group 'Expirable', /(?<!password_)expirable/
+  add_group 'Mongoid', 'mongoid'
+  add_group 'Paranoid Verifiable', 'paranoid_verification'
+  add_group 'Password Archivable', /password_archivable|old_password/
+  add_group 'Password Expirable', /password_expirable|password_expired/
+  add_group 'Secure Validateable', 'secure_validatable'
+  add_group 'Security Questionable', 'security_question'
+  add_group 'Session Limitable', 'session_limitable'
   add_group 'Tests', 'test'
-  add_group 'Password Archivable', 'password_archivable'
-  add_group 'Password Expirable', 'password_expirable'
 end
 
 if ENV['CI']
@@ -23,6 +31,7 @@ require 'rails/test_help'
 require 'devise-security'
 require 'database_cleaner'
 require "orm/#{DEVISE_ORM}"
+require 'support/integration_helpers'
 
 class Minitest::Test
   def before_setup

data/test/test_session_limitable.rb

@@ -0,0 +1,31 @@
+require 'test_helper'
+
+class TestSessionLimitable < ActiveSupport::TestCase
+
+  test '#update_unique_session_id!(value) updates valid record' do
+    user = User.create! password: 'passWord1', password_confirmation: 'passWord1', email: 'bob@microsoft.com'
+    assert user.persisted?
+    assert_nil user.unique_session_id
+    user.update_unique_session_id!('unique_value')
+    user.reload
+    assert_equal user.unique_session_id, 'unique_value'
+  end
+
+  test '#update_unique_session_id!(value) updates invalid record atomically' do
+    user = User.create! password: 'passWord1', password_confirmation: 'passWord1', email: 'bob@microsoft.com'
+    assert user.persisted?
+    user.email = ''
+    assert user.invalid?
+    assert_nil user.unique_session_id
+    user.update_unique_session_id!('unique_value')
+    user.reload
+    assert_equal user.email, 'bob@microsoft.com'
+    assert_equal user.unique_session_id, 'unique_value'
+  end
+
+  test '#update_unique_session_id!(value) raises an exception on an unpersisted record' do
+    user = User.create
+    assert !user.persisted?
+    assert_raises(Devise::Models::Compatibility::NotPersistedError) { user.update_unique_session_id!('unique_value') }
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-security
 version: !ruby/object:Gem::Version
-  version: 0.14.1
+  version: 0.14.2
 platform: ruby
 authors:
 - Marco Scholl
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-26 00:00:00.000000000 Z
+date: 2019-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -293,8 +293,8 @@ files:
 - lib/devise-security/hooks/session_limitable.rb
 - lib/devise-security/models/active_record/old_password.rb
 - lib/devise-security/models/compatibility.rb
-- lib/devise-security/models/compatibility/active_record.rb
-- lib/devise-security/models/compatibility/mongoid.rb
+- lib/devise-security/models/compatibility/active_record_patch.rb
+- lib/devise-security/models/compatibility/mongoid_patch.rb
 - lib/devise-security/models/database_authenticatable_patch.rb
 - lib/devise-security/models/expirable.rb
 - lib/devise-security/models/mongoid/old_password.rb
@@ -324,11 +324,15 @@ files:
 - lib/devise-security/version.rb
 - lib/generators/devise_security/install_generator.rb
 - lib/generators/templates/devise-security.rb
+- test/controllers/test_captcha_controller.rb
+- test/controllers/test_password_expired_controller.rb
+- test/controllers/test_security_question_controller.rb
 - test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/controllers/captcha/sessions_controller.rb
 - test/dummy/app/controllers/foos_controller.rb
 - test/dummy/app/controllers/security_question/unlocks_controller.rb
+- test/dummy/app/controllers/widgets_controller.rb
 - test/dummy/app/models/.gitkeep
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/application_user_record.rb
@@ -390,19 +394,20 @@ files:
 - test/dummy/lib/shared_user_without_email.rb
 - test/dummy/lib/shared_user_without_omniauth.rb
 - test/dummy/lib/shared_verification_fields.rb
+- test/integration/test_session_limitable_workflow.rb
 - test/orm/active_record.rb
 - test/orm/mongoid.rb
+- test/support/integration_helpers.rb
 - test/support/mongoid.yml
-- test/test_captcha_controller.rb
+- test/test_compatibility.rb
 - test/test_complexity_validator.rb
 - test/test_helper.rb
 - test/test_install_generator.rb
 - test/test_paranoid_verification.rb
 - test/test_password_archivable.rb
 - test/test_password_expirable.rb
-- test/test_password_expired_controller.rb
 - test/test_secure_validatable.rb
-- test/test_security_question_controller.rb
+- test/test_session_limitable.rb
 homepage: https://github.com/devise-security/devise-security
 licenses:
 - MIT
@@ -428,11 +433,15 @@ signing_key:
 specification_version: 4
 summary: Security extension for devise
 test_files:
+- test/controllers/test_captcha_controller.rb
+- test/controllers/test_password_expired_controller.rb
+- test/controllers/test_security_question_controller.rb
 - test/dummy/Rakefile
 - test/dummy/app/controllers/application_controller.rb
 - test/dummy/app/controllers/captcha/sessions_controller.rb
 - test/dummy/app/controllers/foos_controller.rb
 - test/dummy/app/controllers/security_question/unlocks_controller.rb
+- test/dummy/app/controllers/widgets_controller.rb
 - test/dummy/app/models/.gitkeep
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/application_user_record.rb
@@ -494,16 +503,17 @@ test_files:
 - test/dummy/lib/shared_user_without_email.rb
 - test/dummy/lib/shared_user_without_omniauth.rb
 - test/dummy/lib/shared_verification_fields.rb
+- test/integration/test_session_limitable_workflow.rb
 - test/orm/active_record.rb
 - test/orm/mongoid.rb
+- test/support/integration_helpers.rb
 - test/support/mongoid.yml
-- test/test_captcha_controller.rb
+- test/test_compatibility.rb
 - test/test_complexity_validator.rb
 - test/test_helper.rb
 - test/test_install_generator.rb
 - test/test_paranoid_verification.rb
 - test/test_password_archivable.rb
 - test/test_password_expirable.rb
-- test/test_password_expired_controller.rb
 - test/test_secure_validatable.rb
-- test/test_security_question_controller.rb
+- test/test_session_limitable.rb