RubyGems - devise-security - Versions diffs - 0.15.0 → 0.16.0 - Mend

devise-security 0.15.0 → 0.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (62) hide show

checksums.yaml +4 -4
data/README.md +27 -19
data/app/controllers/devise/password_expired_controller.rb +1 -5
data/config/locales/by.yml +1 -0
data/config/locales/cs.yml +1 -0
data/config/locales/de.yml +1 -0
data/config/locales/en.yml +1 -0
data/config/locales/es.yml +1 -0
data/config/locales/fa.yml +1 -0
data/config/locales/fr.yml +1 -0
data/config/locales/hi.yml +21 -20
data/config/locales/it.yml +1 -0
data/config/locales/ja.yml +1 -0
data/config/locales/nl.yml +1 -0
data/config/locales/pt.yml +1 -0
data/config/locales/ru.yml +1 -0
data/config/locales/tr.yml +1 -0
data/config/locales/uk.yml +1 -0
data/config/locales/zh_CN.yml +1 -0
data/config/locales/zh_TW.yml +1 -0
data/lib/devise-security.rb +6 -3
data/lib/devise-security/controllers/helpers.rb +2 -2
data/lib/devise-security/hooks/session_limitable.rb +10 -6
data/lib/devise-security/models/secure_validatable.rb +15 -1
data/lib/devise-security/version.rb +1 -1
data/lib/generators/devise_security/install_generator.rb +3 -3
data/lib/generators/templates/{devise-security.rb → devise_security.rb} +3 -0
data/test/controllers/test_password_expired_controller.rb +67 -98
data/test/controllers/test_security_question_controller.rb +16 -40
data/test/dummy/config/environments/test.rb +3 -13
data/test/dummy/config/initializers/migration_class.rb +1 -8
data/test/dummy/config/mongoid.yml +1 -1
data/test/dummy/log/development.log +883 -0
data/test/dummy/log/test.log +19890 -0
data/test/integration/test_password_expirable_workflow.rb +0 -4
data/test/orm/mongoid.rb +2 -1
data/test/support/integration_helpers.rb +14 -32
data/test/support/mongoid.yml +1 -1
data/test/test_helper.rb +4 -4
data/test/test_install_generator.rb +1 -1
data/test/test_secure_validatable.rb +76 -0
data/test/tmp/config/initializers/devise-security.rb +3 -0
data/test/tmp/config/locales/devise.security_extension.by.yml +49 -0
data/test/tmp/config/locales/devise.security_extension.cs.yml +41 -0
data/test/tmp/config/locales/devise.security_extension.de.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.en.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.es.yml +10 -9
data/test/tmp/config/locales/devise.security_extension.fa.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.fr.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.hi.yml +42 -0
data/test/tmp/config/locales/devise.security_extension.it.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.ja.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.nl.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.pt.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.ru.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.tr.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.uk.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.zh_CN.yml +1 -0
data/test/tmp/config/locales/devise.security_extension.zh_TW.yml +41 -0
metadata +19 -40
data/lib/devise-security/orm/active_record.rb +0 -20
data/lib/devise-security/schema.rb +0 -66

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9172082dca0b721f493e44d5183a0e660c9dd67d3893bd86b03638b039c34935
-  data.tar.gz: 80b4649313476c6ae926fabf1db2a58abd9c8796fe639927743ab8ba8f53be97
+  metadata.gz: 1d065158ce85c823918ca0fb7ad40382ca9957f7c5e0847e1fec86e1eaed0ffb
+  data.tar.gz: fa07606b583076da6b68ceeddf70f74f80c05f3adf752a057b8f935c9af68fb6
 SHA512:
-  metadata.gz: 10f1e3243f77003658cdc377d13fe56d92fe6cf7713f3a658d01ea61ffc18788ce6508f3d894c664edf6847242e863174696f3ef810527d4d4889212a258baab
-  data.tar.gz: dc5802511d5c406923a541ea1d10f7d3ffff715b9278adc407a1ee87c18659eccf6b1ea9328b06b08cd0f30ae6b523236ff27164ae7c44f5608b7d5c31706fbb
+  metadata.gz: 7f18a70374b20c80908006811184fc4757c4f678e11ff226d60b78ff0a3c1cf2612382185911b23692c6c7ed1553914f1361ab1243948ad1e1ff3ac91fdb5ab7
+  data.tar.gz: 68e392e9f0049659ad62977a0bb31910d4942b26ab24fab11b28e1e875286f2b48e9da20dd952f94bc4ac8350b1cd5199d9984e431d4664c865544a095b274b8

data/README.md CHANGED Viewed

@@ -4,7 +4,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/devise-security/devise-security/badge.svg?branch=master)](https://coveralls.io/github/devise-security/devise-security?branch=master)
 [![Maintainability](https://api.codeclimate.com/v1/badges/ace7cd003a0db8bffa5a/maintainability)](https://codeclimate.com/github/devise-security/devise-security/maintainability)
-A [Devise](https://github.com/plataformatec/devise) extension to add additional
+A [Devise](https://github.com/heartcombo/devise) extension to add additional
 security features required by modern web applications. Forked from
 [Devise Security Extension](https://github.com/phatworx/devise_security_extension)
@@ -37,9 +37,9 @@ automated mass creation and brute forcing of accounts harder)
 ## Getting started
-Devise Security works with Devise on Rails 4.2 onwards. You can add it to your
+Devise Security works with Devise on Rails >= 5.0. You can add it to your
 Gemfile after you successfully set up Devise (see
-[Devise documentation](https://github.com/plataformatec/devise)) with:
+[Devise documentation](https://github.com/heartcombo/devise)) with:
 ```ruby
 gem 'devise-security'
@@ -54,7 +54,7 @@ rails generate devise_security:install
 ```
 The generator adds optional configurations to
-`config/initializers/devise-security.rb`. Enable the modules you wish to use in
+`config/initializers/devise_security.rb`. Enable the modules you wish to use in
 the initializer you are ready to add Devise Security modules on top of Devise
 modules to any of your Devise models:
@@ -124,6 +124,9 @@ Devise.setup do |config|
   # ==> Configuration for :expirable
   # Time period for account expiry from last_activity_at
   # config.expire_after = 90.days
+  # Allow passwords to be equal to email (false, true)
+  # config.allow_passwords_equal_to_email = false
 end
 ```
@@ -187,10 +190,10 @@ documentation there.
 4. Add the captcha in the generated devise views for each controller you have
    activated.
-    ```erb
-    <p><%= captcha_tag %></p>
-    <p><%= text_field_tag :captcha %></p>
-    ```
+   ```erb
+   <p><%= captcha_tag %></p>
+   <p><%= text_field_tag :captcha %></p>
+   ```
 ## Schema
@@ -231,6 +234,20 @@ create_table :the_resources do |t|
 end
 ```
+#### Bypassing session limitable
+Sometimes it's useful to impersonate a user without authentication (e.g.
+[administrator impersonating a user](https://github.com/heartcombo/devise/wiki/How-To:-Sign-in-as-another-user-if-you-are-an-admin)),
+in this case the `session_limitable` strategy will log out the user, and if the
+user logs in while the administrator is still logged in, the administrator will
+be logged out.
+For such cases the following can be used:
+```ruby
+sign_in(User.find(params[:id]), scope: :user, skip_session_limitable: true)
+```
 ### Expirable
 ```ruby
@@ -303,8 +320,8 @@ end
 ## Requirements
-- Devise (<https://github.com/plataformatec/devise>)
-- Rails 4.2 onwards (<http://github.com/rails/rails>)
+- Devise (<https://github.com/heartcombo/devise>)
+- Rails 5.0 onwards (<http://github.com/rails/rails>)
 - recommendations:
   - `autocomplete-off` (<http://github.com/phatworx/autocomplete-off>)
   - `easy_captcha` (<http://github.com/phatworx/easy_captcha>)
@@ -356,13 +373,6 @@ See also
 Standard tests can be invoked using `rake`. To run the tests against the
 `mongoid` ORM, use `DEVISE_ORM=mongoid rake` while `mongodb` is running.
-To locally simulate what travis-ci will run when you push code use:
-```bash
-gem install bundler -v '1.17.3'
-BUNDLER_VERSION=1.17.3 wwtd
-```
 ## Maintenance Policy
 We are committed to maintain support for `devise-security` for all normal or
@@ -371,8 +381,6 @@ security maintenance versions of the Ruby language
 Ruby on Rails framework
 [as per their maintenance policy](https://rubyonrails.org/maintenance/).
-Support for Rails 4.2 will be dropped in version 0.16.0.
 In order to avoid introducing bugs caused by backwardly incompatible Ruby
 language features, it is highly recommended that all development work be done
 using the oldest supported ruby version. The contents of the `.ruby-version`

data/app/controllers/devise/password_expired_controller.rb CHANGED Viewed

@@ -41,11 +41,7 @@ class Devise::PasswordExpiredController < DeviseController
   def resource_params
     permitted_params = [:current_password, :password, :password_confirmation]
-    if params.respond_to?(:permit)
-      params.require(resource_name).permit(*permitted_params)
-    else
-      params[scope].slice(*permitted_params)
-    end
+    params.require(resource_name).permit(*permitted_params)
   end
   def scope

data/config/locales/by.yml CHANGED Viewed

@@ -3,6 +3,7 @@ by:
     messages:
       taken_in_past: 'ужо раней выкарыстоўваўся.'
       equal_to_current_password: 'павінен адрознівацца ад сучаснага пароля.'
+      equal_to_email: 'павінна адрознівацца ад электроннай пошты.'
       password_complexity:
         digit:
           one: 'павінен утрымліваць хоць адну лічбу'

data/config/locales/cs.yml CHANGED Viewed

@@ -3,6 +3,7 @@ cs:
     messages:
       taken_in_past: bylo již použito v minulosti.
       equal_to_current_password: se musí lišit od aktuálního hesla.
+      equal_to_email: musí být jiný než e-mail.
       password_complexity:
         digit:
           one: musí obsahovat alespoň jednu číslici

data/config/locales/de.yml CHANGED Viewed

@@ -3,6 +3,7 @@ de:
     messages:
       taken_in_past: 'wurde bereits in der Vergangenheit verwendet.'
       equal_to_current_password: 'darf nicht dem aktuellen Passwort entsprechen.'
+      equal_to_email: 'darf nicht dem E-mail entsprechen.'
       password_complexity:
         digit:
           one: muss mindestens eine Ziffer enthalten

data/config/locales/en.yml CHANGED Viewed

@@ -3,6 +3,7 @@ en:
     messages:
       taken_in_past: 'was used previously.'
       equal_to_current_password: 'must be different than the current password.'
+      equal_to_email: 'must be different than the email.'
       password_complexity:
         digit:
           one: must contain at least one digit

data/config/locales/es.yml CHANGED Viewed

@@ -3,6 +3,7 @@ es:
     messages:
       taken_in_past: 'la contraseña fue usada previamente, por favor elige otra.'
       equal_to_current_password: 'tiene que ser diferente a la contraseña actual.'
+      equal_to_email: 'tiene que ser diferente al email'
       password_complexity:
         digit:
           one: tiene que contener al menos un dígito

data/config/locales/fa.yml CHANGED Viewed

@@ -3,6 +3,7 @@ fa:
     messages:
       taken_in_past: 'قبلا استفاده شده است'
       equal_to_current_password: 'باید متفاوت با رمز عبور فعلی باشد'
+      equal_to_email: 'باید متفاوت از ایمیل باشد'
       password_complexity:
         digit:
           one: باید حداقل یک رقم داشته باشد

data/config/locales/fr.yml CHANGED Viewed

@@ -3,6 +3,7 @@ fr:
     messages:
       taken_in_past: a été utilisé trop récemment. Veuillez en choisir un autre
       equal_to_current_password: doit être différent de l'actuel
+      equal_to_email: doit être différent de l'e-mail
       password_complexity:
         digit:
           one: doit contenir au moins un chiffre

data/config/locales/hi.yml CHANGED Viewed

@@ -2,40 +2,41 @@
 hi:
   errors:
     messages:
-      taken_in_past: यह पासवर्ड, आपके द्वारा पूर्व मे प्रयोग किया जा चुका है
-      equal_to_current_password: नया पासवर्ड, वर्तमान पासवर्ड से भिन्न होना चाहिए
+      taken_in_past: यह पासवर्ड, आपके द्वारा पूर्व मे प्रयोग किया जा चुका है
+      equal_to_current_password: नया पासवर्ड, वर्तमान पासवर्ड से भिन्न होना चाहिए
+      equal_to_email: ईमेल से अलग होना चाहिए
       password_complexity:
         digit:
-          one: एक अंक होना चाहिए
-          other: कम से कम %{count} अंक होने चाहिए
+          one: एक अंक होना चाहिए
+          other: कम से कम %{count} अंक होने चाहिए
         lower:
-          one: एक लोअर-केस अक्षर होना चाहिए
-          other: कम से कम %{count} अक्षर होने चाहिए
+          one: एक लोअर-केस अक्षर होना चाहिए
+          other: कम से कम %{count} अक्षर होने चाहिए
         symbol:
-          one: एक चिन्ह होना चाहिए
-          other: कम से कम %{count} चिन्ह होने चाहिए
+          one: एक चिन्ह होना चाहिए
+          other: कम से कम %{count} चिन्ह होने चाहिए
         upper:
-          one: एक अपर-केस अक्षर होना चाहिए
-          other: कम से कम %{count} अपर-केस अक्षर होने चाहिए
+          one: एक अपर-केस अक्षर होना चाहिए
+          other: कम से कम %{count} अपर-केस अक्षर होने चाहिए
   devise:
     invalid_captcha: अमान्य कॅप्टचा
     invalid_security_question: अमान्य सुरक्षा उत्तर
     paranoid_verify:
-      code_required: सपोर्ट टीम द्वारा दिया गया कोड डाले
+      code_required: सपोर्ट टीम द्वारा दिया गया कोड डाले
     paranoid_verification_code:
       show:
-        submit_verification_code: वेरिफिकेशन कोड डाले
-        verification_code: वेरिफिकेशन कोड
-        submit: सबमिट
+        submit_verification_code: वेरिफिकेशन कोड डाले
+        verification_code: वेरिफिकेशन कोड
+        submit: सबमिट
     password_expired:
       updated: पासवर्ड अद्यतन किया गया
-      change_required: पासवर्ड अमान्य हो चुका, पासवर्ड बदले
+      change_required: पासवर्ड अमान्य हो चुका, पासवर्ड बदले
       show:
-        renew_your_password: पासवर्ड बदले
+        renew_your_password: पासवर्ड बदले
         current_password: वर्तमान पासवर्ड
-        new_password: नया पासवर्ड
-        new_password_confirmation: नए पासवर्ड की पुष्टि करें
-        change_my_password: पासवर्ड बदले
+        new_password: नया पासवर्ड
+        new_password_confirmation: नए पासवर्ड की पुष्टि करें
+        change_my_password: पासवर्ड बदले
     failure:
-      session_limited: जानकारी, दूसरे ब्राउज़र में उपयोग की गयी थी जारी रखने फिर से साइन-इन करे
+      session_limited: जानकारी, दूसरे ब्राउज़र में उपयोग की गयी थी जारी रखने फिर से साइन-इन करे
       expired: कोई गतिविधि न होने के कारण खाता बंद हो गया, सिस्टम व्यवस्थापक से संपर्क करें

data/config/locales/it.yml CHANGED Viewed

@@ -3,6 +3,7 @@ it:
     messages:
       taken_in_past: "è stata gia' utilizzata in passato!"
       equal_to_current_password: " deve essere differente dalla password corrente!"
+      equal_to_email: "deve essere differente dall'email"
       password_complexity:
         digit:
           one: deve contenere almeno una cifra

data/config/locales/ja.yml CHANGED Viewed

@@ -3,6 +3,7 @@ ja:
     messages:
       taken_in_past: 'は既に使われています。'
       equal_to_current_password: 'は現在のパスワードと異なるものである必要があります。'
+      equal_to_email: 'メールとは異なる必要があります'
       password_complexity:
         digit:
           one: は最低1つの数字を含む必要があります。

data/config/locales/nl.yml CHANGED Viewed

@@ -3,6 +3,7 @@ nl:
     messages:
       taken_in_past: is eerder gebruikt.
       equal_to_current_password: moet verschillen van het huidige wachtwoord.
+      equal_to_email: moet anders zijn dan de e-mail
       password_complexity:
         digit:
           one: moet minimaal 1 cijfer bevatten

data/config/locales/pt.yml CHANGED Viewed

@@ -3,6 +3,7 @@ pt:
     messages:
       taken_in_past: 'foi usada anteriormente.'
       equal_to_current_password: 'deve ser diferente da senha atual.'
+      equal_to_email: 'deve ser diferente do e-mail.'
       password_complexity:
         digit:
           one: deve conter ao menos um dígito

data/config/locales/ru.yml CHANGED Viewed

@@ -3,6 +3,7 @@ ru:
     messages:
       taken_in_past: 'уже ранее использовался.'
       equal_to_current_password: 'должен отличаться от текущего пароля.'
+      equal_to_email: 'должно отличаться от адреса электронной почты.'
       password_complexity:
         digit:
           one: 'должен содержать хотя бы одну цифру'

data/config/locales/tr.yml CHANGED Viewed

@@ -3,6 +3,7 @@ tr:
     messages:
       taken_in_past: "daha önce kullanıldı."
       equal_to_current_password: "mevcut paroladan farklı olmalı."
+      equal_to_email: "e-postadan farklı olmalı."
       password_format: "büyük, küçük harfler ve sayılar içermeli."
   devise:
     invalid_captcha: "Captcha hatalı."

data/config/locales/uk.yml CHANGED Viewed

@@ -3,6 +3,7 @@ uk:
     messages:
       taken_in_past: 'раніше використовувався.'
       equal_to_current_password: 'має відрізнятися від поточного паролю.'
+      equal_to_email: 'має відрізнятися від електронної пошти.'
       password_complexity:
         digit:
           one: 'повинен включати хоча б одну цифру'

data/config/locales/zh_CN.yml CHANGED Viewed

@@ -3,6 +3,7 @@ zh_CN:
     messages:
       taken_in_past: '曾被使用过。'
       equal_to_current_password: '必须与当前密码不同。'
+      equal_to_email: '必须与电子邮件地址不同。'
       password_complexity:
         digit:
           one: 必须包含至少1个数字

data/config/locales/zh_TW.yml CHANGED Viewed

@@ -3,6 +3,7 @@ zh_TW:
     messages:
       taken_in_past: '曾被使用過。'
       equal_to_current_password: '必須與目前密碼不同。'
+      equal_to_email: '必須與電子郵件地址不同。'
       password_complexity:
         digit:
           one: 必須包含至少一個數字

data/lib/devise-security.rb CHANGED Viewed

@@ -79,11 +79,14 @@ module Devise
   # paranoid_verification will regenerate verifacation code after faild attempt
   mattr_accessor :paranoid_code_regenerate_after_attempt
   @@paranoid_code_regenerate_after_attempt = 10
+  # Whether to allow passwords that are equal (case insensitive) to the email
+  mattr_accessor :allow_passwords_equal_to_email
+  @@allow_passwords_equal_to_email = false
 end
-# an security extension for devise
+# a security extension for devise
 module DeviseSecurity
-  autoload :Schema, 'devise-security/schema'
   autoload :Patches, 'devise-security/patches'
   module Controllers
@@ -104,6 +107,6 @@ Devise.add_module :paranoid_verification, controller: :paranoid_verification_cod
 # requires
 require 'devise-security/routes'
 require 'devise-security/rails'
-require "devise-security/orm/#{DEVISE_ORM}"
+require "devise-security/orm/#{DEVISE_ORM}" if DEVISE_ORM == :mongoid
 require 'devise-security/models/database_authenticatable_patch'
 require 'devise-security/models/paranoid_verification'

data/lib/devise-security/controllers/helpers.rb CHANGED Viewed

@@ -88,11 +88,11 @@ module DeviseSecurity
       # redirect for password update with alert message
       def redirect_for_password_change(scope)
-        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', { scope: 'devise.password_expired' })
+        redirect_to change_password_required_path_for(scope), alert: I18n.t('change_required', scope: 'devise.password_expired')
       end
       def redirect_for_paranoid_verification(scope)
-        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', { scope: 'devise.paranoid_verify' })
+        redirect_to paranoid_verification_code_path_for(scope), alert: I18n.t('code_required', scope: 'devise.paranoid_verify')
       end
       # path for change password

data/lib/devise-security/hooks/session_limitable.rb CHANGED Viewed

@@ -7,9 +7,14 @@ Warden::Manager.after_set_user except: :fetch do |record, warden, options|
   if record.devise_modules.include?(:session_limitable) &&
      warden.authenticated?(options[:scope]) &&
      !record.skip_session_limitable?
-    unique_session_id = Devise.friendly_token
-    warden.session(options[:scope])['unique_session_id'] = unique_session_id
-    record.update_unique_session_id!(unique_session_id)
+     if !options[:skip_session_limitable]
+      unique_session_id = Devise.friendly_token
+      warden.session(options[:scope])['unique_session_id'] = unique_session_id
+      record.update_unique_session_id!(unique_session_id)
+     else
+      warden.session(options[:scope])['devise.skip_session_limitable'] = true
+     end
   end
 end
@@ -19,14 +24,13 @@ end
 # page on the next request.
 Warden::Manager.after_set_user only: :fetch do |record, warden, options|
   scope = options[:scope]
-  env   = warden.request.env
   if record.devise_modules.include?(:session_limitable) &&
      warden.authenticated?(scope) &&
      options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] &&
-       !env['devise.skip_session_limitable'] &&
-       !record.skip_session_limitable?
+       !record.skip_session_limitable? &&
+       !warden.session(scope)['devise.skip_session_limitable']
       Rails.logger.warn do
         '[devise-security][session_limitable] session id mismatch: '\
         "expected=#{record.unique_session_id.inspect} "\

data/lib/devise-security/models/secure_validatable.rb CHANGED Viewed

@@ -55,6 +55,9 @@ module Devise
           # don't allow use same password
           validate :current_equal_password_validation
+          # don't allow email to equal password
+          validate :email_not_equal_password_validation unless allow_passwords_equal_to_email
         end
       end
@@ -70,6 +73,17 @@ module Devise
         self.errors.add(:password, :equal_to_current_password) if dummy.valid_password?(password)
       end
+      def email_not_equal_password_validation
+        return if password.blank? || (!new_record? && !will_save_change_to_encrypted_password?)
+        dummy = self.class.new.tap do |user|
+          user.password_salt = password_salt if respond_to?(:password_salt)
+          # whether case_insensitive_keys or strip_whitespace_keys include email or not, any
+          # variation of the email should not be a supported password
+          user.password = email.downcase.strip
+        end
+        self.errors.add(:password, :equal_to_email) if dummy.valid_password?(password.downcase.strip)
+      end
       protected
       # Checks whether a password is needed or not. For validations only.
@@ -84,7 +98,7 @@ module Devise
       end
       module ClassMethods
-        Devise::Models.config(self, :password_complexity, :password_length, :email_validation)
+        Devise::Models.config(self, :password_complexity, :password_length, :email_validation, :allow_passwords_equal_to_email)
         private