devise-security 0.14.2 → 0.17.0

data/lib/devise-security/controllers/helpers.rb

@@ -40,71 +40,80 @@ module DeviseSecurity
 
       # controller instance methods
 
-        private
-
-        # lookup if an password change needed
-        def handle_password_change
-          return if warden.nil?
-
-          if !devise_controller? && !ignore_password_expire? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['password_expired']
-                # re-check to avoid infinite loop if date changed after login attempt
-                if send(:"current_#{scope}").try(:need_change_password?)
-                  store_location_for(scope, request.original_fullpath) if request.get?
-                  redirect_for_password_change scope
-                  return
-                else
-                  warden.session(scope)[:password_expired] = false
-                end
+      private
+
+      # Called as a `before_action` on all actions on any controller that uses
+      # this helper. If the user's session is marked as having an expired
+      # password we double check in case it has been changed by another process,
+      # then redirect to the password change url.
+      #
+      # @note `Warden::Manager.after_authentication` is run AFTER this method
+      #
+      # @note Once the warden session has `'password_expired'` set to `false`,
+      #    it will **never** be checked again until the user re-logs in.
+      def handle_password_change
+        return if warden.nil?
+
+        if !devise_controller? &&
+           !ignore_password_expire? &&
+           !request.format.nil? &&
+           request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['password_expired'] == true
+              if send(:"current_#{scope}").try(:need_change_password?)
+                store_location_for(scope, request.original_fullpath) if request.get?
+                redirect_for_password_change(scope)
+              else
+                warden.session(scope)['password_expired'] = false
               end
             end
           end
         end
+      end
 
-        # lookup if extra (paranoid) code verification is needed
-        def handle_paranoid_verification
-          return if warden.nil?
+      # lookup if extra (paranoid) code verification is needed
+      def handle_paranoid_verification
+        return if warden.nil?
 
-          if !devise_controller? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
-                store_location_for(scope, request.original_fullpath) if request.get?
-                redirect_for_paranoid_verification scope
-                return
-              end
+        if !devise_controller? && !request.format.nil? && request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+              store_location_for(scope, request.original_fullpath) if request.get?
+              redirect_for_paranoid_verification scope
+              return
             end
           end
         end
+      end
 
-        # redirect for password update with alert message
-        def redirect_for_password_change(scope)
-          redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', {scope: 'devise.password_expired'})
-        end
+      # redirect for password update with alert message
+      def redirect_for_password_change(scope)
+        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', scope: 'devise.password_expired')
+      end
 
-        def redirect_for_paranoid_verification(scope)
-          redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', {scope: 'devise.paranoid_verify'})
-        end
+      def redirect_for_paranoid_verification(scope)
+        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', scope: 'devise.paranoid_verify')
+      end
 
-        # path for change password
-        def change_password_required_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_password_expired_path"
-          send(change_path)
-        end
+      # path for change password
+      def change_password_required_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_password_expired_path"
+        send(change_path)
+      end
 
-        def paranoid_verification_code_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_paranoid_verification_code_path"
-          send(change_path)
-        end
+      def paranoid_verification_code_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_paranoid_verification_code_path"
+        send(change_path)
+      end
 
-        protected
+      protected
 
-        # allow to overwrite for some special handlings
-        def ignore_password_expire?
-          false
-        end
+      # allow to overwrite for some special handlings
+      def ignore_password_expire?
+        false
+      end
     end
   end
 end

data/lib/devise-security/hooks/password_expirable.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# @note This happens after
+#   {DeviseSecurity::Controller::Helpers#handle_password_change}
 Warden::Manager.after_authentication do |record, warden, options|
   if record.respond_to?(:need_change_password?)
     warden.session(options[:scope])['password_expired'] = record.need_change_password?

data/lib/devise-security/hooks/session_limitable.rb

@@ -4,10 +4,17 @@
 # user is explicitly set (with set_user) and on authentication. Retrieving the
 # user from session (:fetch) does not trigger it.
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
-    unique_session_id = Devise.friendly_token
-    warden.session(options[:scope])['unique_session_id'] = unique_session_id
-    record.update_unique_session_id!(unique_session_id)
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(options[:scope]) &&
+     !record.skip_session_limitable?
+
+     if !options[:skip_session_limitable]
+      unique_session_id = Devise.friendly_token
+      warden.session(options[:scope])['unique_session_id'] = unique_session_id
+      record.update_unique_session_id!(unique_session_id)
+     else
+      warden.session(options[:scope])['devise.skip_session_limitable'] = true
+     end
   end
 end
 
@@ -17,15 +24,18 @@ end
 # page on the next request.
 Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
-  env   = warden.request.env
 
-  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
-    if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
-      Rails.logger.warn { 
-        "[devise-security][session_limitable] session id mismatch: "\
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(scope) &&
+     options[:store] != false
+    if record.unique_session_id != warden.session(scope)['unique_session_id'] &&
+       !record.skip_session_limitable? && 
+       !warden.session(scope)['devise.skip_session_limitable']
+      Rails.logger.warn do
+        '[devise-security][session_limitable] session id mismatch: '\
         "expected=#{record.unique_session_id.inspect} "\
-        "actual=#{warden.session(scope)['unique_session_id'].inspect}" 
-      }
+        "actual=#{warden.session(scope)['unique_session_id'].inspect}"
+      end
       warden.raw_session.clear
       warden.logout(scope)
       throw :warden, scope: scope, message: :session_limited

data/lib/devise-security/models/database_authenticatable_patch.rb

@@ -5,18 +5,28 @@ module Devise
     module DatabaseAuthenticatablePatch
       def update_with_password(params, *options)
         current_password = params.delete(:current_password)
+        valid_password = valid_password?(current_password)
 
         new_password = params[:password]
         new_password_confirmation = params[:password_confirmation]
 
-        result = if valid_password?(current_password) && new_password.present? && new_password_confirmation.present?
+        result = if valid_password && new_password.present? && new_password_confirmation.present?
           update(params, *options)
         else
           self.assign_attributes(params, *options)
-          self.valid?
-          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
-          self.errors.add(:password, new_password.blank? ? :blank : :invalid)
-          self.errors.add(:password_confirmation, new_password_confirmation.blank? ? :blank : :invalid)
+
+          if current_password.blank?
+            self.errors.add(:current_password, :blank)
+          elsif !valid_password
+            self.errors.add(:current_password, :invalid)
+          end
+
+          self.errors.add(:password, :blank) if new_password.blank?
+
+          if new_password_confirmation.blank?
+            self.errors.add(:password_confirmation, :blank)
+          end
+
           false
         end
 

data/lib/devise-security/models/password_archivable.rb

@@ -41,7 +41,7 @@ module Devise
       def password_archive_included?
         return false unless max_old_passwords.positive?
 
-        old_passwords_including_cur_change = old_passwords.order(created_at: :desc).limit(max_old_passwords).pluck(:encrypted_password)
+        old_passwords_including_cur_change = old_passwords.reorder(created_at: :desc).limit(max_old_passwords).pluck(:encrypted_password)
         old_passwords_including_cur_change << encrypted_password_was # include most recent change in list, but don't save it yet!
         old_passwords_including_cur_change.any? do |old_password|
           # NOTE: we deliberately do not do mass assignment here so that users that
@@ -73,7 +73,7 @@ module Devise
           return true if old_passwords.where(encrypted_password: encrypted_password_was).exists?
 
           old_passwords.create!(encrypted_password: encrypted_password_was) if encrypted_password_was.present?
-          old_passwords.order(created_at: :desc).offset(max_old_passwords).destroy_all
+          old_passwords.reorder(created_at: :desc).offset(max_old_passwords).destroy_all
         else
           old_passwords.destroy_all
         end

data/lib/devise-security/models/password_expirable.rb

@@ -92,7 +92,11 @@ module Devise::Models
     # Update +password_changed_at+ for new records and changed passwords.
     # @note called as a +before_save+ hook
     def update_password_changed
-      return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+      if defined?(will_save_change_to_attribute?)
+        return unless (new_record? || will_save_change_to_encrypted_password?) && !will_save_change_to_password_changed_at?
+      else
+        return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+      end
 
       self.password_changed_at = Time.zone.now
     end

data/lib/devise-security/models/secure_validatable.rb

@@ -44,17 +44,39 @@ module Devise
               validates :email, uniqueness: true, allow_blank: true, if: :email_changed? # check uniq for email ever
             end
 
-            validates :password, presence: true, length: password_length, confirmation: true, if: :password_required?
+            validates_presence_of :password, if: :password_required?
+            validates_confirmation_of :password, if: :password_required?
+
+            validate if: :password_required? do |record|
+              validates_with ActiveModel::Validations::LengthValidator,
+                             attributes: :password,
+                             allow_blank: true,
+                             in: record.password_length
+            end
           end
 
           # extra validations
-          validates :email, email: email_validation if email_validation # see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
-          validates :password,
-                    'devise_security/password_complexity': password_complexity,
-                    if: :password_required?
+          # see https://github.com/devise-security/devise-security/blob/master/README.md#e-mail-validation
+          validate do |record|
+            if email_validation
+              validates_with(
+                EmailValidator, { attributes: :email }
+              )
+            end
+          end
+
+          validate if: :password_required? do |record|
+            validates_with(
+              record.password_complexity_validator.is_a?(Class) ? record.password_complexity_validator : record.password_complexity_validator.classify.constantize,
+              { attributes: :password }.merge(record.password_complexity)
+            )
+          end
 
           # don't allow use same password
           validate :current_equal_password_validation
+
+          # don't allow email to equal password
+          validate :email_not_equal_password_validation
         end
       end
 
@@ -70,11 +92,23 @@ module Devise
         self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
       end
 
+      def email_not_equal_password_validation
+        return if allow_passwords_equal_to_email
+
+        return if password.blank? || email.blank? || (!new_record? && !will_save_change_to_encrypted_password?)
+
+        return unless Devise.secure_compare(password.downcase.strip, email.downcase.strip)
+
+        errors.add(:password, :equal_to_email)
+      end
+
       protected
 
       # Checks whether a password is needed or not. For validations only.
       # Passwords are always required if it's a new record, or if the password
       # or confirmation are being set somewhere.
+      #
+      # @return [Boolean]
       def password_required?
         !persisted? || !password.nil? || !password_confirmation.nil?
       end
@@ -83,8 +117,24 @@ module Devise
         true
       end
 
+      delegate(
+        :allow_passwords_equal_to_email,
+        :email_validation,
+        :password_complexity,
+        :password_complexity_validator,
+        :password_length,
+        to: :class
+      )
+
       module ClassMethods
-        Devise::Models.config(self, :password_complexity, :password_length, :email_validation)
+        Devise::Models.config(
+          self,
+          :allow_passwords_equal_to_email,
+          :email_validation,
+          :password_complexity,
+          :password_complexity_validator,
+          :password_length
+        )
 
         private
 

data/lib/devise-security/models/session_limitable.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require_relative 'compatibility'
 require 'devise-security/hooks/session_limitable'
 
 module Devise
@@ -11,6 +12,7 @@ module Devise
     # someone used his credentials to sign in.
     module SessionLimitable
       extend ActiveSupport::Concern
+      include Devise::Models::Compatibility
 
       # Update the unique_session_id on the model.  This will be checked in
       # the Warden after_set_user hook in {file:devise-security/hooks/session_limitable}
@@ -19,11 +21,18 @@ module Devise
       # @raise [Devise::Models::Compatibility::NotPersistedError] if record is unsaved
       def update_unique_session_id!(unique_session_id)
         raise Devise::Models::Compatibility::NotPersistedError, 'cannot update a new record' unless persisted?
+
         update_attribute_without_validatons_or_callbacks(:unique_session_id, unique_session_id).tap do
-          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}"}
+          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}" }
         end
       end
 
+      # Should session_limitable be skipped for this instance?
+      # @return [Boolean]
+      # @return [false] by default. This can be overridden by application logic as necessary.
+      def skip_session_limitable?
+        false
+      end
     end
   end
 end

data/lib/devise-security/validators/password_complexity_validator.rb

@@ -1,33 +1,62 @@
 # frozen_string_literal: true
 
-# Password complexity validator
+# (NIST)[https://pages.nist.gov/800-63-3/sp800-63b.html#appA] does not recommend
+# the use of a password complexity checks because...
+#
+# > Length and complexity requirements beyond those recommended here
+# > significantly increase the difficulty of memorized secrets and increase user
+# > frustration. As a result, users often work around these restrictions in a
+# > way that is counterproductive. Furthermore, other mitigations such as
+# > blacklists, secure hashed storage, and rate limiting are more effective at
+# > preventing modern brute-force attacks. Therefore, no additional complexity
+# > requirements are imposed.
+#
 # Options:
-# - digit:  minimum number of digits in the validated string
-# - lower:  minimum number of lower-case letters in the validated string
-# - symbol: minimum number of punctuation characters or symbols in the validated string
-# - upper:  minimum number of upper-case letters in the validated string
+# - `digit | digits`:  minimum number of digits in the validated string. Uses
+#   the `digit` localization key.
+# - `lower`:  minimum number of lower-case letters in the validated string
+# - `symbol | symbols`: minimum number of punctuation characters or symbols in
+#   the validated string. Uses the `symbol` localization key.
+# - `upper`:  minimum number of upper-case letters in the validated string
 class DeviseSecurity::PasswordComplexityValidator < ActiveModel::EachValidator
-  PATTERNS = {
-    digit: /\p{Digit}/,
-    digits: /\p{Digit}/,
-    lower: /\p{Lower}/,
-    upper: /\p{Upper}/,
-    symbol: /\p{Punct}|\p{S}/,
-    symbols: /\p{Punct}|\p{S}/
-  }.freeze
+  # A Hash of the possible valid patterns that can be checked against. The keys
+  # for this Hash are singular symbols corresponding to entries in the
+  # localization files. Override or redefine this method if you want to include
+  # custom patterns (e.g., `letter: /\p{Alpha}/` for all letters).
+  #
+  # @return [Hash<Symbol,Regexp>]
+  def patterns
+    {
+      digit: /\p{Digit}/,
+      lower: /\p{Lower}/,
+      symbol: /\p{Punct}|\p{S}/,
+      upper: /\p{Upper}/
+    }
+  end
 
-  def validate_each(record, attribute, value)
-    active_pattern_keys.each do |key|
-      minimum = [0, options[key].to_i].max
-      pattern = Regexp.new PATTERNS[key]
+  # Validate the complexity of the password. This validation does not check to
+  # ensure the password is not blank. That is the responsibility of other
+  # validations. This validator will also ignore any patterns that are not
+  # explicitly configured to be used or whose minimum limits are less than 1.
+  #
+  # @param record [ActiveModel::Model]
+  # @param attribute [Symbol]
+  # @param password [String]
+  def validate_each(record, attribute, password)
+    return if password.blank?
 
-      unless (value || '').scan(pattern).size >= minimum
-        record.errors.add attribute, :"password_complexity.#{key}", count: minimum
-      end
-    end
-  end
+    options.sort.each do |pattern_name, minimum|
+      normalized_option = pattern_name.to_s.singularize.to_sym
 
-  def active_pattern_keys
-    options.keys & PATTERNS.keys
+      next unless patterns.key?(normalized_option)
+      next unless minimum.positive?
+      next if password.scan(patterns[normalized_option]).size >= minimum
+
+      record.errors.add(
+        attribute,
+        :"password_complexity.#{normalized_option}",
+        count: minimum
+      )
+    end
   end
 end

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.14.2'
+  VERSION = '0.17.0'
 end

data/lib/devise-security.rb

@@ -9,15 +9,20 @@ require 'devise'
 
 module Devise
   # Number of seconds that passwords are valid (e.g 3.months)
-  # Disable pasword expiration with +false+
+  # Disable password expiration with +false+
   # Expire only on demand with +true+
   mattr_accessor :expire_password_after
   @@expire_password_after = 3.months
 
-  # Validate password for strongness
+  # Validate password complexity
   mattr_accessor :password_complexity
   @@password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
+  # Define the class used to validate password complexity. Set to a Class or a
+  # string which will be used to determine which class to use.
+  mattr_accessor :password_complexity_validator
+  @@password_complexity_validator = 'devise_security/password_complexity_validator'
+
   # Number of old passwords in archive
   mattr_accessor :password_archiving_count
   @@password_archiving_count = 5
@@ -79,11 +84,14 @@ module Devise
   # paranoid_verification will regenerate verifacation code after faild attempt
   mattr_accessor :paranoid_code_regenerate_after_attempt
   @@paranoid_code_regenerate_after_attempt = 10
+
+  # Whether to allow passwords that are equal (case insensitive) to the email
+  mattr_accessor :allow_passwords_equal_to_email
+  @@allow_passwords_equal_to_email = false
 end
 
-# an security extension for devise
+# a security extension for devise
 module DeviseSecurity
-  autoload :Schema, 'devise-security/schema'
   autoload :Patches, 'devise-security/patches'
 
   module Controllers
@@ -104,6 +112,6 @@ Devise.add_module :paranoid_verification, controller: :paranoid_verification_cod
 # requires
 require 'devise-security/routes'
 require 'devise-security/rails'
-require "devise-security/orm/#{DEVISE_ORM}"
+require "devise-security/orm/#{DEVISE_ORM}" if DEVISE_ORM == :mongoid
 require 'devise-security/models/database_authenticatable_patch'
 require 'devise-security/models/paranoid_verification'

data/lib/generators/devise_security/install_generator.rb

@@ -4,14 +4,14 @@ module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      LOCALES = %w[en es de fr it ja tr].freeze
+      LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
       source_root File.expand_path('../../templates', __FILE__)
       desc 'Install the devise security extension'
 
       def copy_initializer
-        template('devise-security.rb',
-                 'config/initializers/devise-security.rb',
+        template('devise_security.rb',
+                 'config/initializers/devise_security.rb',
         )
       end
 

data/lib/generators/templates/{devise-security.rb → devise_security.rb}

@@ -7,7 +7,9 @@ Devise.setup do |config|
   # Should the password expire (e.g 3.months)
   # config.expire_password_after = false
 
-  # Need 1 char of A-Z, a-z and 0-9
+  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol
+  # You may use "digits" in place of "digit" and "symbols" in place of
+  # "symbol" based on your preference
   # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
   # How many passwords to keep in archive
@@ -41,4 +43,7 @@ Devise.setup do |config|
 
   # Time period for account expiry from last_activity_at
   # config.expire_after = 90.days
+
+  # Allow password to equal the email
+  # config.allow_passwords_equal_to_email = false
 end

data/test/controllers/test_paranoid_verification_code_controller.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+
+    @user = User.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+    )
+
+    sign_in(@user)
+  end
+
+  test 'redirects to root on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test "redirects to root on show if user doesn't need paranoid verification" do
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'renders show on show if user needs paranoid verification' do
+    @user.update(paranoid_verification_code: 'cookies')
+    get :show
+    assert_template :show
+  end
+
+  test "redirects to root on update" do
+    patch :update, params: { user: { paranoid_verification_code: 'cookies' } }
+    assert_redirected_to :root
+    assert_equal 'Verification code accepted', flash[:notice]
+  end
+end
+
+class ParanoidVerificationCodeCustomRedirectTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Overrides::ParanoidVerificationCodeController
+
+  setup do
+    @request.env['devise.mapping'] = Devise.mappings[:paranoid_verification_user]
+
+    @user = ParanoidVerificationUser.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+    )
+
+    sign_in(@user)
+  end
+
+  test 'redirects to custom redirect route on update' do
+    patch :update, params: { paranoid_verification_user: { paranoid_verification_code: 'cookies' } }
+
+    assert_redirected_to '/cats'
+    assert_equal 'Verification code accepted', flash[:notice]
+  end
+end