devise-security 0.14.3 → 0.15.0

data/config/locales/zh_TW.yml

@@ -0,0 +1,40 @@
+zh_TW:
+  errors:
+    messages:
+      taken_in_past: '曾被使用過。'
+      equal_to_current_password: '必須與目前密碼不同。'
+      password_complexity:
+        digit:
+          one: 必須包含至少一個數字
+          other: 必須包含至少 %{count} 個數字
+        lower:
+          one: 必須包含至少一個小寫字母
+          other: 必須包含至少 %{count} 個小寫字母
+        symbol:
+          one: 必須包含至少一個特殊符號
+          other: 必須包含至少 %{count} 個特殊符號
+        upper:
+          one: 必須包含至少一個大寫字母
+          other: 必須包含至少 %{count} 個大寫字母
+  devise:
+    invalid_captcha: '輸入的驗證碼無效。'
+    invalid_security_question: '安全問題答案無效。'
+    paranoid_verify:
+      code_required: '請輸入由我們客服團隊提供的代碼'
+    paranoid_verification_code:
+      show:
+        submit_verification_code: 送出驗證碼
+        verification_code: 驗證碼
+        submit: 送出
+    password_expired:
+      updated: '你的新密碼已儲存'
+      change_required: '你的密碼已經過期，請更新密碼。'
+      show:
+        renew_your_password: 更新你的密碼
+        current_password: 目前密碼
+        new_password: 新密碼
+        new_password_confirmation: 確認新密碼
+        change_my_password: 更改我的密碼
+    failure:
+      session_limited: '你的登入憑證已在另一個瀏覽器上被使用，請重新登入以在此瀏覽器繼續使用。'
+      expired: '你的帳號因過久沒使用而已經過期，請洽網站管理員。'

data/lib/devise-security/controllers/helpers.rb

@@ -40,71 +40,80 @@ module DeviseSecurity
 
       # controller instance methods
 
-        private
-
-        # lookup if an password change needed
-        def handle_password_change
-          return if warden.nil?
-
-          if !devise_controller? && !ignore_password_expire? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['password_expired']
-                # re-check to avoid infinite loop if date changed after login attempt
-                if send(:"current_#{scope}").try(:need_change_password?)
-                  store_location_for(scope, request.original_fullpath) if request.get?
-                  redirect_for_password_change scope
-                  return
-                else
-                  warden.session(scope)[:password_expired] = false
-                end
+      private
+
+      # Called as a `before_action` on all actions on any controller that uses
+      # this helper. If the user's session is marked as having an expired
+      # password we double check in case it has been changed by another process,
+      # then redirect to the password change url.
+      #
+      # @note `Warden::Manager.after_authentication` is run AFTER this method
+      #
+      # @note Once the warden session has `'password_expired'` set to `false`,
+      #    it will **never** be checked again until the user re-logs in.
+      def handle_password_change
+        return if warden.nil?
+
+        if !devise_controller? &&
+           !ignore_password_expire? &&
+           !request.format.nil? &&
+           request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['password_expired'] == true
+              if send(:"current_#{scope}").try(:need_change_password?)
+                store_location_for(scope, request.original_fullpath) if request.get?
+                redirect_for_password_change(scope)
+              else
+                warden.session(scope)['password_expired'] = false
               end
             end
           end
         end
+      end
 
-        # lookup if extra (paranoid) code verification is needed
-        def handle_paranoid_verification
-          return if warden.nil?
+      # lookup if extra (paranoid) code verification is needed
+      def handle_paranoid_verification
+        return if warden.nil?
 
-          if !devise_controller? && !request.format.nil? && request.format.html?
-            Devise.mappings.keys.flatten.any? do |scope|
-              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
-                store_location_for(scope, request.original_fullpath) if request.get?
-                redirect_for_paranoid_verification scope
-                return
-              end
+        if !devise_controller? && !request.format.nil? && request.format.html?
+          Devise.mappings.keys.flatten.any? do |scope|
+            if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+              store_location_for(scope, request.original_fullpath) if request.get?
+              redirect_for_paranoid_verification scope
+              return
             end
           end
         end
+      end
 
-        # redirect for password update with alert message
-        def redirect_for_password_change(scope)
-          redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', {scope: 'devise.password_expired'})
-        end
+      # redirect for password update with alert message
+      def redirect_for_password_change(scope)
+        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', { scope: 'devise.password_expired' })
+      end
 
-        def redirect_for_paranoid_verification(scope)
-          redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', {scope: 'devise.paranoid_verify'})
-        end
+      def redirect_for_paranoid_verification(scope)
+        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', { scope: 'devise.paranoid_verify' })
+      end
 
-        # path for change password
-        def change_password_required_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_password_expired_path"
-          send(change_path)
-        end
+      # path for change password
+      def change_password_required_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_password_expired_path"
+        send(change_path)
+      end
 
-        def paranoid_verification_code_path_for(resource_or_scope = nil)
-          scope       = Devise::Mapping.find_scope!(resource_or_scope)
-          change_path = "#{scope}_paranoid_verification_code_path"
-          send(change_path)
-        end
+      def paranoid_verification_code_path_for(resource_or_scope = nil)
+        scope       = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_paranoid_verification_code_path"
+        send(change_path)
+      end
 
-        protected
+      protected
 
-        # allow to overwrite for some special handlings
-        def ignore_password_expire?
-          false
-        end
+      # allow to overwrite for some special handlings
+      def ignore_password_expire?
+        false
+      end
     end
   end
 end

data/lib/devise-security/hooks/password_expirable.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# @note This happens after
+#   {DeviseSecurity::Controller::Helpers#handle_password_change}
 Warden::Manager.after_authentication do |record, warden, options|
   if record.respond_to?(:need_change_password?)
     warden.session(options[:scope])['password_expired'] = record.need_change_password?

data/lib/devise-security/hooks/session_limitable.rb

@@ -4,7 +4,9 @@
 # user is explicitly set (with set_user) and on authentication. Retrieving the
 # user from session (:fetch) does not trigger it.
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(options[:scope]) &&
+     !record.skip_session_limitable?
     unique_session_id = Devise.friendly_token
     warden.session(options[:scope])['unique_session_id'] = unique_session_id
     record.update_unique_session_id!(unique_session_id)
@@ -19,13 +21,17 @@ Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
 
-  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
-    if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
-      Rails.logger.warn { 
-        "[devise-security][session_limitable] session id mismatch: "\
+  if record.devise_modules.include?(:session_limitable) &&
+     warden.authenticated?(scope) &&
+     options[:store] != false
+    if record.unique_session_id != warden.session(scope)['unique_session_id'] &&
+       !env['devise.skip_session_limitable'] &&
+       !record.skip_session_limitable?
+      Rails.logger.warn do
+        '[devise-security][session_limitable] session id mismatch: '\
         "expected=#{record.unique_session_id.inspect} "\
-        "actual=#{warden.session(scope)['unique_session_id'].inspect}" 
-      }
+        "actual=#{warden.session(scope)['unique_session_id'].inspect}"
+      end
       warden.raw_session.clear
       warden.logout(scope)
       throw :warden, scope: scope, message: :session_limited

data/lib/devise-security/models/password_expirable.rb

@@ -92,7 +92,11 @@ module Devise::Models
     # Update +password_changed_at+ for new records and changed passwords.
     # @note called as a +before_save+ hook
     def update_password_changed
-      return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+      if defined?(will_save_change_to_attribute?)
+        return unless (new_record? || will_save_change_to_encrypted_password?) && !will_save_change_to_password_changed_at?
+      else
+        return unless (new_record? || encrypted_password_changed?) && !password_changed_at_changed?
+      end
 
       self.password_changed_at = Time.zone.now
     end

data/lib/devise-security/models/session_limitable.rb

@@ -21,11 +21,18 @@ module Devise
       # @raise [Devise::Models::Compatibility::NotPersistedError] if record is unsaved
       def update_unique_session_id!(unique_session_id)
         raise Devise::Models::Compatibility::NotPersistedError, 'cannot update a new record' unless persisted?
+
         update_attribute_without_validatons_or_callbacks(:unique_session_id, unique_session_id).tap do
-          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}"}
+          Rails.logger.debug { "[devise-security][session_limitable] unique_session_id=#{unique_session_id}" }
         end
       end
 
+      # Should session_limitable be skipped for this instance?
+      # @return [Boolean]
+      # @return [false] by default. This can be overridden by application logic as necessary.
+      def skip_session_limitable?
+        false
+      end
     end
   end
 end

data/lib/devise-security/validators/password_complexity_validator.rb

@@ -3,17 +3,19 @@
 # Password complexity validator
 # Options:
 # - digit:  minimum number of digits in the validated string
+# - digits: minimum number of digits in the validated string
 # - lower:  minimum number of lower-case letters in the validated string
 # - symbol: minimum number of punctuation characters or symbols in the validated string
+# - symbols: minimum number of punctuation characters or symbols in the validated string
 # - upper:  minimum number of upper-case letters in the validated string
 class DeviseSecurity::PasswordComplexityValidator < ActiveModel::EachValidator
   PATTERNS = {
     digit: /\p{Digit}/,
     digits: /\p{Digit}/,
     lower: /\p{Lower}/,
-    upper: /\p{Upper}/,
     symbol: /\p{Punct}|\p{S}/,
-    symbols: /\p{Punct}|\p{S}/
+    symbols: /\p{Punct}|\p{S}/,
+    upper: /\p{Upper}/
   }.freeze
 
   def validate_each(record, attribute, value)

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.14.3'
+  VERSION = '0.15.0'
 end

data/lib/generators/devise_security/install_generator.rb

@@ -3,8 +3,8 @@
 module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
-    class InstallGenerator < Rails::Generators::Base
-      LOCALES = %w[en es de fr it ja tr].freeze
+    class InstallGenerator < Rails::Generators::Base     
+      LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
       source_root File.expand_path('../../templates', __FILE__)
       desc 'Install the devise security extension'

data/test/controllers/test_password_expired_controller.rb

@@ -6,6 +6,7 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
   include Devise::Test::ControllerHelpers
 
   setup do
+    @controller.class.respond_to :json, :xml
     @request.env["devise.mapping"] = Devise.mappings[:user]
     @user = User.create!(
       username: 'hello',
@@ -15,6 +16,8 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
       confirmed_at: 5.months.ago
     )
     assert @user.valid?
+    assert @user.need_change_password?
+
     sign_in(@user)
   end
 
@@ -23,24 +26,116 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
     assert_includes @response.body, 'Renew your password'
   end
 
-  test 'should update password' do
-    if Rails.version < "5"
-      put :update, {
-        user: {
-          current_password: 'Password4',
-          password: 'Password5',
-          password_confirmation: 'Password5'
-        }
-      }
+  test 'update password with default format' do
+    if Rails.gem_version < Gem::Version.new('5.0')
+      put :update,
+          {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            }
+          }
     else
-      put :update, params: {
-        user: {
-          current_password: 'Password4',
-          password: 'Password5',
-          password_confirmation: 'Password5'
-        }
-      }
+      put :update,
+          params: {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            }
+          }
     end
     assert_redirected_to root_path
+    assert_equal response.content_type, 'text/html'
+  end
+
+  test 'password confirmation does not match' do
+    if Rails.gem_version < Gem::Version.new('5.0')
+      put :update,
+          {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password6'
+            }
+          }
+    else
+      put :update,
+          params: {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password6'
+            }
+          }
+    end
+    assert_response :success
+    assert_template :show
+    assert_equal response.content_type, 'text/html'
+  end
+
+  test 'update password using JSON format' do
+    if Rails.gem_version < Gem::Version.new('5.0')
+      # The responders gem that is compatible with Rails 4.2
+      # does not return a 204 No Content for common data formats
+      # This is the previously existing behavior so it is allowed
+      put :update,
+          {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            }
+          },
+          format: :json
+      assert_redirected_to root_path
+      assert_equal response.content_type, 'text/html'
+    else
+      put :update,
+          format: :json,
+          params: {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            }
+          }
+      assert_response 204
+      assert_equal root_url, response.location
+      assert_nil response.content_type, 'No Content-Type header should be set for No Content response'
+    end
+  end
+
+  test 'update password using XML format' do
+    if Rails.gem_version < Gem::Version.new('5.0')
+      # The responders gem that is compatible with Rails 4.2
+      # does not return a 204 No Content for common data formats
+      # This is the previously existing behavior so it is allowed
+      put :update,
+          {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            },
+          },
+          format: :xml
+      assert_redirected_to root_path
+      assert_equal response.content_type, 'text/html'
+    else
+      put :update,
+          format: :xml,
+          params: {
+            user: {
+              current_password: 'Password4',
+              password: 'Password5',
+              password_confirmation: 'Password5'
+            }
+          }
+      assert_response 204
+      assert_equal root_url, response.location
+      assert_nil response.content_type, 'No Content-Type header should be set for No Content response'
+    end
   end
 end

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+// = link_tree ../images
+// = link_directory ../javascripts .js
+// = link_directory ../stylesheets .css

data/test/dummy/config/routes.rb

@@ -3,11 +3,11 @@
 RailsApp::Application.routes.draw do
   devise_for :users
 
-  devise_for :captcha_users, only: [:sessions], controllers: { sessions: "captcha/sessions" }
-  devise_for :security_question_users, only: [:sessions, :unlocks], controllers: { unlocks: "security_question/unlocks" }
+  devise_for :captcha_users, only: [:sessions], controllers: { sessions: 'captcha/sessions' }
+  devise_for :security_question_users, only: [:sessions, :unlocks], controllers: { unlocks: 'security_question/unlocks' }
 
   resources :foos
   resource :widgets
 
-  root to: 'foos#index'
+  root to: 'widgets#show'
 end