devise-security 0.17.0 → 0.18.0

data/lib/devise-security/models/expirable.rb

@@ -34,9 +34,11 @@ module Devise
       # @return [bool]
       def expired?
         # expired_at set (manually, via cron, etc.)
-        return self.expired_at < Time.now.utc unless self.expired_at.nil?
+        return expired_at < Time.now.utc unless expired_at.nil?
+
         # if it is not set, check the last activity against configured expire_after time range
-        return self.last_activity_at < self.class.expire_after.ago unless self.last_activity_at.nil?
+        return last_activity_at < self.class.expire_after.ago unless last_activity_at.nil?
+
         # if last_activity_at is nil as well, the user has to be 'fresh' and is therefore not expired
         false
       end
@@ -58,13 +60,13 @@ module Devise
       #
       # @return [bool]
       def active_for_authentication?
-        super && !self.expired?
+        super && !expired?
       end
 
       # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed
       # for i18n.
       def inactive_message
-        !self.expired? ? super : :expired
+        !expired? ? super : :expired
       end
 
       module ClassMethods
@@ -80,7 +82,6 @@ module Devise
           all.each do |u|
             u.expire! if u.expired? && u.expired_at.nil?
           end
-          return
         end
 
         # Scope method to collect all expired users since +time+ ago

data/lib/devise-security/models/paranoid_verification.rb

@@ -20,7 +20,7 @@ module Devise
         elsif code == paranoid_verification_code
           attempt = 0
           update_without_password paranoid_verification_code: nil,
-                                  paranoid_verified_at: Time.now,
+                                  paranoid_verified_at: Time.zone.now,
                                   paranoid_verification_attempt: attempt
         else
           update_without_password paranoid_verification_attempt: attempt
@@ -32,7 +32,7 @@ module Devise
       end
 
       def generate_paranoid_code
-        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(),
+        update_without_password paranoid_verification_code: Devise.verification_code_generator.call,
                                 paranoid_verification_attempt: 0
       end
     end

data/lib/devise-security/models/password_archivable.rb

@@ -35,7 +35,7 @@ module Devise
         end
       end
 
-      # validate is the password used in the past
+      # validate if the password was used in the past
       # @return [true] if current password was used previously
       # @return [false] if disabled or not previously used
       def password_archive_included?

data/lib/devise-security/models/secure_validatable.rb

@@ -26,7 +26,7 @@ module Devise
           already_validated_email = false
 
           # validate login in a strict way if not yet validated
-          unless has_uniqueness_validation_of_login?
+          unless uniqueness_validation_of_login?
             validation_condition = "#{login_attribute}_changed?".to_sym
 
             validates login_attribute, uniqueness: {
@@ -86,10 +86,11 @@ module Devise
 
       def current_equal_password_validation
         return if new_record? || !will_save_change_to_encrypted_password? || password.blank?
+
         dummy = self.class.new(encrypted_password: encrypted_password_was).tap do |user|
           user.password_salt = password_salt_was if respond_to?(:password_salt)
         end
-        self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
+        errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
       end
 
       def email_not_equal_password_validation
@@ -138,10 +139,10 @@ module Devise
 
         private
 
-        def has_uniqueness_validation_of_login?
+        def uniqueness_validation_of_login?
           validators.any? do |validator|
             validator_orm_klass = DEVISE_ORM == :active_record ? ActiveRecord::Validations::UniquenessValidator : ::Mongoid::Validatable::UniquenessValidator
-            validator.kind_of?(validator_orm_klass) && validator.attributes.include?(login_attribute)
+            validator.is_a?(validator_orm_klass) && validator.attributes.include?(login_attribute)
           end
         end
 
@@ -150,7 +151,7 @@ module Devise
         end
 
         def devise_validation_enabled?
-          self.ancestors.map(&:to_s).include? 'Devise::Models::Validatable'
+          ancestors.map(&:to_s).include? 'Devise::Models::Validatable'
         end
       end
     end

data/lib/devise-security/orm/mongoid.rb

@@ -3,5 +3,5 @@
 ActiveSupport.on_load(:mongoid) do
   require 'orm_adapter/adapters/mongoid'
 
-  Mongoid::Document::ClassMethods.send :include, Devise::Models
+  Mongoid::Document::ClassMethods.include(Devise::Models)
 end

data/lib/devise-security/patches.rb

@@ -6,18 +6,24 @@ module DeviseSecurity
     autoload :ControllerSecurityQuestion, 'devise-security/patches/controller_security_question'
 
     class << self
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/PerceivedComplexity
       def apply
-        Devise::PasswordsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_recover || Devise.security_question_for_recover
-        Devise::UnlocksController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_unlock || Devise.security_question_for_unlock
-        Devise::ConfirmationsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_confirmation
+        Devise::PasswordsController.include(Patches::ControllerCaptcha) if Devise.captcha_for_recover || Devise.security_question_for_recover
+        Devise::UnlocksController.include(Patches::ControllerCaptcha) if Devise.captcha_for_unlock || Devise.security_question_for_unlock
+        Devise::ConfirmationsController.include(Patches::ControllerCaptcha) if Devise.captcha_for_confirmation
 
-        Devise::PasswordsController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_recover
-        Devise::UnlocksController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_unlock
-        Devise::ConfirmationsController.send(:include, Patches::ControllerSecurityQuestion) if Devise.security_question_for_confirmation
+        Devise::PasswordsController.include(Patches::ControllerSecurityQuestion) if Devise.security_question_for_recover
+        Devise::UnlocksController.include(Patches::ControllerSecurityQuestion) if Devise.security_question_for_unlock
+        Devise::ConfirmationsController.include(Patches::ControllerSecurityQuestion) if Devise.security_question_for_confirmation
 
-        Devise::RegistrationsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_up
-        Devise::SessionsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_in
+        Devise::RegistrationsController.include(Patches::ControllerCaptcha) if Devise.captcha_for_sign_up
+        Devise::SessionsController.include(Patches::ControllerCaptcha) if Devise.captcha_for_sign_in
       end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
     end
   end
 end

data/lib/devise-security/routes.rb

@@ -2,17 +2,16 @@
 
 module ActionDispatch::Routing
   class Mapper
-
     protected
 
     # route for handle expired passwords
     def devise_password_expired(mapping, controllers)
-      resource :password_expired, only: [:show, :update], path: mapping.path_names[:password_expired], controller: controllers[:password_expired]
+      resource :password_expired, only: %i[show update], path: mapping.path_names[:password_expired], controller: controllers[:password_expired]
     end
 
     # route for handle paranoid verification
     def devise_verification_code(mapping, controllers)
-      resource :paranoid_verification_code, only: [:show, :update], path: mapping.path_names[:verification_code], controller: controllers[:paranoid_verification_code]
+      resource :paranoid_verification_code, only: %i[show update], path: mapping.path_names[:verification_code], controller: controllers[:paranoid_verification_code]
     end
   end
 end

data/lib/devise-security/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseSecurity
-  VERSION = '0.17.0'
+  VERSION = '0.18.0'
 end

data/lib/devise-security.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
+
 DEVISE_ORM = ENV.fetch('DEVISE_ORM', 'active_record').to_sym unless defined?(DEVISE_ORM)
 
-require DEVISE_ORM.to_s if DEVISE_ORM.in? [:active_record, :mongoid]
+require DEVISE_ORM.to_s if DEVISE_ORM.in? %i[active_record mongoid]
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
 require 'active_support/concern'

data/lib/generators/devise_security/install_generator.rb

@@ -6,20 +6,18 @@ module DeviseSecurity
     class InstallGenerator < Rails::Generators::Base
       LOCALES = %w[by cs de en es fa fr hi it ja nl pt ru tr uk zh_CN zh_TW].freeze
 
-      source_root File.expand_path('../../templates', __FILE__)
+      source_root File.expand_path('../templates', __dir__)
       desc 'Install the devise security extension'
 
       def copy_initializer
-        template('devise_security.rb',
-                 'config/initializers/devise_security.rb',
-        )
+        template('devise_security.rb', 'config/initializers/devise_security.rb')
       end
 
       def copy_locales
         LOCALES.each do |locale|
           copy_file(
             "../../../config/locales/#{locale}.yml",
-            "config/locales/devise.security_extension.#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml"
           )
         end
       end

data/lib/generators/templates/devise_security.rb

@@ -46,4 +46,7 @@ Devise.setup do |config|
 
   # Allow password to equal the email
   # config.allow_passwords_equal_to_email = false
+
+  # paranoid_verification will regenerate verification code after failed attempt
+  # config.paranoid_code_regenerate_after_attempt = 10
 end

data/test/controllers/test_paranoid_verification_code_controller.rb

@@ -6,14 +6,17 @@ class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCas
   include Devise::Test::ControllerHelpers
 
   setup do
+    @controller.class.respond_to :json, :xml
     @request.env['devise.mapping'] = Devise.mappings[:user]
-
     @user = User.create!(
       username: 'hello',
       email: 'hello@path.travel',
       password: 'Password4',
       confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
     )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
 
     sign_in(@user)
   end
@@ -25,6 +28,7 @@ class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCas
   end
 
   test "redirects to root on show if user doesn't need paranoid verification" do
+    @user.update(paranoid_verification_code: nil)
     get :show
     assert_redirected_to :root
   end
@@ -35,10 +39,61 @@ class Devise::ParanoidVerificationCodeControllerTest < ActionController::TestCas
     assert_template :show
   end
 
-  test "redirects to root on update" do
-    patch :update, params: { user: { paranoid_verification_code: 'cookies' } }
+  test 'redirects on update if user not logged in' do
+    sign_out(@user)
+    patch :update
+    assert_redirected_to :root
+  end
+
+  test 'redirects on update if user does not need paranoid verification' do
+    @user.update(paranoid_verification_code: nil)
+    patch :update
     assert_redirected_to :root
+  end
+
+  test 'update paranoid_verification_code with default format' do
+    patch(
+      :update,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_redirected_to root_path
     assert_equal 'Verification code accepted', flash[:notice]
+    assert_equal('text/html', response.media_type)
+  end
+
+  test 'update paranoid_verification_code using JSON format' do
+    patch(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
+  end
+
+  test 'update paranoid_verification_code using XML format' do
+    patch(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
+    assert_response 204
+    assert_equal root_url, response.location
+    assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
   end
 end
 
@@ -47,20 +102,30 @@ class ParanoidVerificationCodeCustomRedirectTest < ActionController::TestCase
   tests Overrides::ParanoidVerificationCodeController
 
   setup do
+    @controller.class.respond_to :json, :xml
     @request.env['devise.mapping'] = Devise.mappings[:paranoid_verification_user]
-
     @user = ParanoidVerificationUser.create!(
       username: 'hello',
       email: 'hello@path.travel',
       password: 'Password4',
       confirmed_at: 5.months.ago,
+      paranoid_verification_code: 'cookies'
     )
+    assert @user.valid?
+    assert @user.need_paranoid_verification?
 
     sign_in(@user)
   end
 
   test 'redirects to custom redirect route on update' do
-    patch :update, params: { paranoid_verification_user: { paranoid_verification_code: 'cookies' } }
+    patch(
+      :update,
+      params: {
+        paranoid_verification_user: {
+          paranoid_verification_code: 'cookies'
+        }
+      }
+    )
 
     assert_redirected_to '/cats'
     assert_equal 'Verification code accepted', flash[:notice]

data/test/controllers/test_password_expired_controller.rb

@@ -13,7 +13,7 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
       email: 'hello@path.travel',
       password: 'Password4',
       password_changed_at: 4.months.ago,
-      confirmed_at: 5.months.ago,
+      confirmed_at: 5.months.ago
     )
     assert @user.valid?
     assert @user.need_change_password?
@@ -51,31 +51,35 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
   end
 
   test 'update password with default format' do
-    put :update,
-        params: {
-          user: {
-            current_password: 'Password4',
-            password: 'Password5',
-            password_confirmation: 'Password5',
-          },
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
         }
+      }
+    )
     assert_redirected_to root_path
-    assert_equal response.media_type, 'text/html'
+    assert_equal('text/html', response.media_type)
   end
 
   test 'password confirmation does not match' do
-    put :update,
-        params: {
-          user: {
-            current_password: 'Password4',
-            password: 'Password5',
-            password_confirmation: 'Password6',
-          },
+    put(
+      :update,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password6'
         }
+      }
+    )
 
     assert_response :success
     assert_template :show
-    assert_equal response.media_type, 'text/html'
+    assert_equal('text/html', response.media_type)
     assert_includes(
       response.body,
       'Password confirmation doesn&#39;t match Password'
@@ -83,30 +87,35 @@ class Devise::PasswordExpiredControllerTest < ActionController::TestCase
   end
 
   test 'update password using JSON format' do
-    put :update,
-        format: :json,
-        params: {
-          user: {
-            current_password: 'Password4',
-            password: 'Password5',
-            password_confirmation: 'Password5',
-          },
+    put(
+      :update,
+      format: :json,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
         }
+      }
+    )
+
     assert_response 204
     assert_equal root_url, response.location
     assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
   end
 
   test 'update password using XML format' do
-    put :update,
-        format: :xml,
-        params: {
-          user: {
-            current_password: 'Password4',
-            password: 'Password5',
-            password_confirmation: 'Password5',
-          },
+    put(
+      :update,
+      format: :xml,
+      params: {
+        user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
         }
+      }
+    )
     assert_response 204
     assert_equal root_url, response.location
     assert_nil response.media_type, 'No Content-Type header should be set for No Content response'
@@ -125,7 +134,7 @@ class PasswordExpiredCustomRedirectTest < ActionController::TestCase
       email: 'hello@path.travel',
       password: 'Password4',
       password_changed_at: 4.months.ago,
-      confirmed_at: 5.months.ago,
+      confirmed_at: 5.months.ago
     )
     assert @user.valid?
     assert @user.need_change_password?
@@ -134,15 +143,22 @@ class PasswordExpiredCustomRedirectTest < ActionController::TestCase
   end
 
   test 'update password with custom redirect route' do
-    put :update,
-        params: {
-          password_expired_user: {
-            current_password: 'Password4',
-            password: 'Password5',
-            password_confirmation: 'Password5',
-          },
+    put(
+      :update,
+      params: {
+        password_expired_user: {
+          current_password: 'Password4',
+          password: 'Password5',
+          password_confirmation: 'Password5'
         }
+      }
+    )
 
     assert_redirected_to '/cookies'
   end
+
+  test 'yield resource to block on update' do
+    put(:update, params: { password_expired_user: { current_password: '123' } })
+    assert @controller.update_block_called?, 'Update failed to yield resource to provided block'
+  end
 end

data/test/controllers/test_security_question_controller.rb

@@ -7,29 +7,38 @@ class TestWithSecurityQuestion < ActionController::TestCase
   tests SecurityQuestion::UnlocksController
 
   setup do
-    @user = SecurityQuestionUser.create!(username: 'hello', email: 'hello@microsoft.com',
-                                         password: 'A1234567z!', security_question_answer: 'Right Answer')
+    @user = SecurityQuestionUser.create!(
+      username: 'hello', email: 'hello@microsoft.com', password: 'A1234567z!', security_question_answer: 'Right Answer'
+    )
     @user.lock_access!
     assert @user.locked_at.present?
     @request.env['devise.mapping'] = Devise.mappings[:security_question_user]
   end
 
   test 'When security question is enabled, it is inserted correctly' do
-    post :create, params: {
-      security_question_user: {
-        email: @user.email,
-      }, security_question_answer: 'wrong answer'
-    }
+    post(
+      :create,
+      params: {
+        security_question_answer: 'wrong answer',
+        security_question_user: {
+          email: @user.email
+        }
+      }
+    )
     assert_equal I18n.t('devise.invalid_security_question'), flash[:alert]
     assert_redirected_to new_security_question_user_unlock_path
   end
 
   test 'When security_question is valid, it runs as normal' do
-    post :create, params: {
-      security_question_user: {
-        email: @user.email,
-      }, security_question_answer: @user.security_question_answer
-    }
+    post(
+      :create,
+      params: {
+        security_question_answer: @user.security_question_answer,
+        security_question_user: {
+          email: @user.email
+        }
+      }
+    )
 
     assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
     assert_redirected_to new_security_question_user_session_path
@@ -41,18 +50,15 @@ class TestWithoutSecurityQuestion < ActionController::TestCase
   tests Devise::UnlocksController
 
   setup do
-    @user = User.create(username: 'hello', email: 'hello@path.travel',
-                        password: '1234', security_question_answer: 'Right Answer')
+    @user = User.create(
+      username: 'hello', email: 'hello@path.travel', password: '1234', security_question_answer: 'Right Answer'
+    )
     @user.lock_access!
     @request.env['devise.mapping'] = Devise.mappings[:user]
   end
 
   test 'When security question is not enabled it is not inserted' do
-    post :create, params: {
-      user: {
-        email: @user.email,
-      },
-    }
+    post :create, params: { user: { email: @user.email } }
 
     assert_equal I18n.t('devise.unlocks.send_instructions'), flash[:notice]
     assert_redirected_to new_user_session_path

data/test/dummy/app/controllers/overrides/password_expired_controller.rb

@@ -1,7 +1,17 @@
 # frozen_string_literal: true
 
 class Overrides::PasswordExpiredController < Devise::PasswordExpiredController
+  def update
+    super do |resource|
+      @update_block_called = true
+    end
+  end
+
   def after_password_expired_update_path_for(_)
     '/cookies'
   end
+
+  def update_block_called?
+    @update_block_called == true
+  end
 end

data/test/dummy/app/models/user.rb

@@ -21,16 +21,17 @@ class User < ApplicationRecord
 
   has_many :widgets
 
-  if DEVISE_ORM == :mongoid
+  case DEVISE_ORM
+  when :mongoid
     require './test/dummy/app/models/mongoid/mappings'
     include ::Mongoid::Mappings
 
     def some_method_calling_mongoid
       Mongoid.logger
     end
-  elsif DEVISE_ORM == :active_record
+  when :active_record
     def some_method_calling_active_record
-      ActiveRecord::Base.transaction {}
+      ActiveRecord::Base.transaction { break; }
     end
   end
 end

data/test/dummy/app/mongoid/user_without_email.rb

@@ -5,7 +5,10 @@ require 'shared_user_without_email'
 class UserWithoutEmail
   include Mongoid::Document
   include Shim
-  include SharedUserWithoutEmail
+
+  devise :database_authenticatable, :lockable, :recoverable,
+         :registerable, :rememberable, :timeoutable,
+         :trackable
 
   field :username, type: String
   field :facebook_token, type: String

data/test/dummy/config/application.rb

@@ -2,7 +2,6 @@
 
 require File.expand_path('boot', __dir__)
 
-require 'action_mailer/railtie'
 require 'action_mailer/railtie'
 require 'rails/test_unit/railtie'
 DEVISE_ORM = ENV.fetch('DEVISE_ORM', 'active_record').to_sym
@@ -22,9 +21,6 @@ module RailsApp
     config.autoload_paths += ["#{config.root}/app/#{DEVISE_ORM}"]
     config.autoload_paths += ["#{config.root}/lib"]
 
-    config.assets.enabled = true
-
-    config.assets.version = '1.0'
     config.secret_key_base = 'foobar'
   end
 end

data/test/dummy/config/environments/test.rb

@@ -23,5 +23,6 @@ RailsApp::Application.configure do
   config.active_support.test_order = :sorted
   config.log_level = :debug
   config.active_record.sqlite3.represent_boolean_as_integer = true if Rails.gem_version.release >= Gem::Version.new('5.2') && Rails.gem_version.release < Gem::Version.new('6.0')
+  config.active_record.legacy_connection_handling = false if Rails.gem_version.release >= Gem::Version.new('6.1')
 end
 ActiveSupport::Deprecation.debug = true

data/test/dummy/config/initializers/devise.rb

@@ -8,10 +8,6 @@ Devise.setup do |config|
   config.secret_key = 'f08cf11a38906f531d2dfc9a2c2d671aa0021be806c21255d4'
   config.case_insensitive_keys = [:email]
   config.strip_whitespace_keys = [:email]
-  config.password_complexity = {
-    digit: 1,
-    lower: 1,
-    upper: 1,
-  }
+  config.password_complexity = { digit: 1, lower: 1, upper: 1 }
   config.password_length = 7..128
 end