devise-security 0.15.0 → 0.18.0

data/lib/devise-security/validators/password_complexity_validator.rb

@@ -1,35 +1,62 @@
 # frozen_string_literal: true
 
-# Password complexity validator
+# (NIST)[https://pages.nist.gov/800-63-3/sp800-63b.html#appA] does not recommend
+# the use of a password complexity checks because...
+#
+# > Length and complexity requirements beyond those recommended here
+# > significantly increase the difficulty of memorized secrets and increase user
+# > frustration. As a result, users often work around these restrictions in a
+# > way that is counterproductive. Furthermore, other mitigations such as
+# > blacklists, secure hashed storage, and rate limiting are more effective at
+# > preventing modern brute-force attacks. Therefore, no additional complexity
+# > requirements are imposed.
+#
 # Options:
-# - digit:  minimum number of digits in the validated string
-# - digits: minimum number of digits in the validated string
-# - lower:  minimum number of lower-case letters in the validated string
-# - symbol: minimum number of punctuation characters or symbols in the validated string
-# - symbols: minimum number of punctuation characters or symbols in the validated string
-# - upper:  minimum number of upper-case letters in the validated string
+# - `digit | digits`:  minimum number of digits in the validated string. Uses
+#   the `digit` localization key.
+# - `lower`:  minimum number of lower-case letters in the validated string
+# - `symbol | symbols`: minimum number of punctuation characters or symbols in
+#   the validated string. Uses the `symbol` localization key.
+# - `upper`:  minimum number of upper-case letters in the validated string
 class DeviseSecurity::PasswordComplexityValidator < ActiveModel::EachValidator
-  PATTERNS = {
-    digit: /\p{Digit}/,
-    digits: /\p{Digit}/,
-    lower: /\p{Lower}/,
-    symbol: /\p{Punct}|\p{S}/,
-    symbols: /\p{Punct}|\p{S}/,
-    upper: /\p{Upper}/
-  }.freeze
+  # A Hash of the possible valid patterns that can be checked against. The keys
+  # for this Hash are singular symbols corresponding to entries in the
+  # localization files. Override or redefine this method if you want to include
+  # custom patterns (e.g., `letter: /\p{Alpha}/` for all letters).
+  #
+  # @return [Hash<Symbol,Regexp>]
+  def patterns
+    {
+      digit: /\p{Digit}/,
+      lower: /\p{Lower}/,
+      symbol: /\p{Punct}|\p{S}/,
+      upper: /\p{Upper}/
+    }
+  end
 
-  def validate_each(record, attribute, value)
-    active_pattern_keys.each do |key|
-      minimum = [0, options[key].to_i].max
-      pattern = Regexp.new PATTERNS[key]
+  # Validate the complexity of the password. This validation does not check to
+  # ensure the password is not blank. That is the responsibility of other
+  # validations. This validator will also ignore any patterns that are not
+  # explicitly configured to be used or whose minimum limits are less than 1.
+  #
+  # @param record [ActiveModel::Model]
+  # @param attribute [Symbol]
+  # @param password [String]
+  def validate_each(record, attribute, password)
+    return if password.blank?
 
-      unless (value || '').scan(pattern).size >= minimum
-        record.errors.add attribute, :"password_complexity.#{key}", count: minimum
-      end
-    end
-  end
+    options.sort.each do |pattern_name, minimum|
+      normalized_option = pattern_name.to_s.singularize.to_sym
 
-  def active_pattern_keys
-    options.keys & PATTERNS.keys
+      next unless patterns.key?(normalized_option)
+      next unless minimum.positive?
+      next if password.scan(patterns[normalized_option]).size >= minimum
+
+      record.errors.add(
+        attribute,
+        :"password_complexity.#{normalized_option}",
+        count: minimum
+      )
+    end
   end
 end

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.15.0'
+  VERSION = '0.18.0'
 end

data/lib/devise-security.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
+
 DEVISE_ORM = ENV.fetch('DEVISE_ORM', 'active_record').to_sym unless defined?(DEVISE_ORM)
 
-require DEVISE_ORM.to_s if DEVISE_ORM.in? [:active_record, :mongoid]
+require DEVISE_ORM.to_s if DEVISE_ORM.in? %i[active_record mongoid]
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
 require 'active_support/concern'
@@ -9,15 +10,20 @@ require 'devise'
 
 module Devise
   # Number of seconds that passwords are valid (e.g 3.months)
-  # Disable pasword expiration with +false+
+  # Disable password expiration with +false+
   # Expire only on demand with +true+
   mattr_accessor :expire_password_after
   @@expire_password_after = 3.months
 
-  # Validate password for strongness
+  # Validate password complexity
   mattr_accessor :password_complexity
   @@password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
+  # Define the class used to validate password complexity. Set to a Class or a
+  # string which will be used to determine which class to use.
+  mattr_accessor :password_complexity_validator
+  @@password_complexity_validator = 'devise_security/password_complexity_validator'
+
   # Number of old passwords in archive
   mattr_accessor :password_archiving_count
   @@password_archiving_count = 5
@@ -79,11 +85,14 @@ module Devise
   # paranoid_verification will regenerate verifacation code after faild attempt
   mattr_accessor :paranoid_code_regenerate_after_attempt
   @@paranoid_code_regenerate_after_attempt = 10
+
+  # Whether to allow passwords that are equal (case insensitive) to the email
+  mattr_accessor :allow_passwords_equal_to_email
+  @@allow_passwords_equal_to_email = false
 end
 
-# an security extension for devise
+# a security extension for devise
 module DeviseSecurity
-  autoload :Schema, 'devise-security/schema'
   autoload :Patches, 'devise-security/patches'
 
   module Controllers
@@ -104,6 +113,6 @@ Devise.add_module :paranoid_verification, controller: :paranoid_verification_cod
 # requires
 require 'devise-security/routes'
 require 'devise-security/rails'
-require "devise-security/orm/#{DEVISE_ORM}"
+require "devise-security/orm/#{DEVISE_ORM}" if DEVISE_ORM == :mongoid
 require 'devise-security/models/database_authenticatable_patch'
 require 'devise-security/models/paranoid_verification'

data/lib/generators/devise_security/install_generator.rb

@@ -3,23 +3,21 @@
 module DeviseSecurity
   module Generators
     # Generator for Rails to create or append to a Devise initializer.
-    class InstallGenerator < Rails::Generators::Base     
+    class InstallGenerator < Rails::Generators::Base
       LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
-      source_root File.expand_path('../../templates', __FILE__)
+      source_root File.expand_path('../templates', __dir__)
       desc 'Install the devise security extension'
 
       def copy_initializer
-        template('devise-security.rb',
-                 'config/initializers/devise-security.rb',
-        )
+        template('devise_security.rb', 'config/initializers/devise_security.rb')
       end
 
       def copy_locales
         LOCALES.each do |locale|
           copy_file(
             "../../../config/locales/#{locale}.yml",
-            "config/locales/devise.security_extension.#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml"
           )
         end
       end

data/{test/tmp/config/initializers/devise-security.rb → lib/generators/templates/devise_security.rb}

@@ -7,7 +7,9 @@ Devise.setup do |config|
   # Should the password expire (e.g 3.months)
   # config.expire_password_after = false
 
-  # Need 1 char of A-Z, a-z and 0-9
+  # Need 1 char each of: A-Z, a-z, 0-9, and a punctuation mark or symbol
+  # You may use "digits" in place of "digit" and "symbols" in place of
+  # "symbol" based on your preference
   # config.password_complexity = { digit: 1, lower: 1, symbol: 1, upper: 1 }
 
   # How many passwords to keep in archive
@@ -41,4 +43,10 @@ Devise.setup do |config|
 
   # Time period for account expiry from last_activity_at
   # config.expire_after = 90.days
+
+  # Allow password to equal the email
+  # config.allow_passwords_equal_to_email = false
+
+  # paranoid_verification will regenerate verification code after failed attempt
+  # config.paranoid_code_regenerate_after_attempt = 10
 end

data/test/controllers/test_paranoid_verification_code_controller.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    @user = User.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
+    )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
+
+    sign_in(@user)
+  end
+
+  test 'redirects to root on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test "redirects to root on show if user doesn't need paranoid verification" do
+    @user.update(paranoid_verification_code: nil)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'renders show on show if user needs paranoid verification' do
+    @user.update(paranoid_verification_code: 'cookies')
+    get :show
+    assert_template :show
+  end
+
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    patch :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need paranoid verification' do
+    @user.update(paranoid_verification_code: nil)
+    patch :update
+    assert_redirected_to :root
+  end
+
+  test 'update paranoid_verification_code with default format' do
+    patch(
+      :update,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_redirected_to root_path
+    assert_equal 'Verification code accepted', flash[:notice]
+    assert_equal('text/html', response.media_type)
+  end
+
+  test 'update paranoid_verification_code using JSON format' do
+    patch(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+
+  test 'update paranoid_verification_code using XML format' do
+    patch(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+end
+
+class ParanoidVerificationCodeCustomRedirectTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Overrides::ParanoidVerificationCodeController
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:paranoid_verification_user]
+    @user = ParanoidVerificationUser.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
+    )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
+
+    sign_in(@user)
+  end
+
+  test 'redirects to custom redirect route on update' do
+    patch(
+      :update,
+      params: {
+        paranoid_verification_user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+
+    assert_redirected_to '/cats'
+    assert_equal 'Verification code accepted', flash[:notice]
+  end
+end

data/test/controllers/test_password_expired_controller.rb

@@ -7,7 +7,7 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
 
   setup do
     @controller.class.respond_to :json, :xml
-    @request.env["devise.mapping"] = Devise.mappings[:user]
+    @request.env['devise.mapping'] = Devise.mappings[:user]
     @user = User.create!(
       username: 'hello',
       email: 'hello@path.travel',
@@ -21,121 +21,144 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
     sign_in(@user)
   end
 
+  test 'redirects on show if user not logged in' do
+    sign_out(@user)
+    get :show
+    assert_redirected_to :root
+  end
+
+  test 'redirects on show if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    get :show
+    assert_redirected_to :root
+  end
+
   test 'should render show' do
     get :show
     assert_includes @response.body, 'Renew your password'
   end
 
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    put :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need password change' do
+    @user.update(password_changed_at: Time.zone.now)
+    put :update
+    assert_redirected_to :root
+  end
+
   test 'update password with default format' do
-    if Rails.gem_version < Gem::Version.new('5.0')
-      put :update,
-          {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            }
-          }
-    else
-      put :update,
-          params: {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            }
-          }
-    end
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
     assert_redirected_to root_path
-    assert_equal response.content_type, 'text/html'
+    assert_equal('text/html', response.media_type)
   end
 
   test 'password confirmation does not match' do
-    if Rails.gem_version < Gem::Version.new('5.0')
-      put :update,
-          {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password6'
-            }
-          }
-    else
-      put :update,
-          params: {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password6'
-            }
-          }
-    end
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password6'
+        }
+      }
+    )
+
     assert_response :success
     assert_template :show
-    assert_equal response.content_type, 'text/html'
+    assert_equal('text/html', response.media_type)
+    assert_includes(
+      response.body,
+      'Password confirmation doesn&#39;t match Password'
+    )
   end
 
   test 'update password using JSON format' do
-    if Rails.gem_version < Gem::Version.new('5.0')
-      # The responders gem that is compatible with Rails 4.2
-      # does not return a 204 No Content for common data formats
-      # This is the previously existing behavior so it is allowed
-      put :update,
-          {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            }
-          },
-          format: :json
-      assert_redirected_to root_path
-      assert_equal response.content_type, 'text/html'
-    else
-      put :update,
-          format: :json,
-          params: {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            }
-          }
-      assert_response 204
-      assert_equal root_url, response.location
-      assert_nil response.content_type, 'No Content-Type header should be set for No Content response'
-    end
+    put(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
   end
 
   test 'update password using XML format' do
-    if Rails.gem_version < Gem::Version.new('5.0')
-      # The responders gem that is compatible with Rails 4.2
-      # does not return a 204 No Content for common data formats
-      # This is the previously existing behavior so it is allowed
-      put :update,
-          {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            },
-          },
-          format: :xml
-      assert_redirected_to root_path
-      assert_equal response.content_type, 'text/html'
-    else
-      put :update,
-          format: :xml,
-          params: {
-            user: {
-              current_password: 'Password4',
-              password: 'Password5',
-              password_confirmation: 'Password5'
-            }
-          }
-      assert_response 204
-      assert_equal root_url, response.location
-      assert_nil response.content_type, 'No Content-Type header should be set for No Content response'
-    end
+    put(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+end
+
+class PasswordExpiredCustomRedirectTest < ActionController::TestCase
+  include Devise::Test::ControllerHelpers
+  tests Overrides::PasswordExpiredController
+
+  setup do
+    @controller.class.respond_to :json, :xml
+    @request.env['devise.mapping'] = Devise.mappings[:password_expired_user]
+    @user = PasswordExpiredUser.create!(
+      username: 'hello',
+      email: 'hello@path.travel',
+      password: 'Password4',
+      password_changed_at: 4.months.ago,
+      confirmed_at: 5.months.ago
+    )
+    assert @user.valid?
+    assert @user.need_change_password?
+
+    sign_in(@user)
+  end
+
+  test 'update password with custom redirect route' do
+    put(
+      :update,
+      params: {
+        password_expired_user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
+        }
+      }
+    )
+
+    assert_redirected_to '/cookies'
+  end
+
+  test 'yield resource to block on update' do
+    put(:update, params: { password_expired_user: { current_password: '123' } })
+    assert @controller.update_block_called?, 'Update failed to yield resource to provided block'
   end
 end