devise-suspicious_login 0.1.1

data/test/dummy/config/environment.rb

@@ -0,0 +1,2 @@
+require_relative 'application'
+Rails.application.initialize!

data/test/dummy/config/environments/test.rb

@@ -0,0 +1,19 @@
+Rails.application.configure do
+  config.cache_classes = true
+  config.eager_load = false
+
+  config.public_file_server.enabled = true
+  config.public_file_server.headers = { 'Cache-Control' => "public, max-age=#{1.hour.seconds.to_i}" }
+
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  config.action_dispatch.show_exceptions = false
+
+  config.action_controller.allow_forgery_protection = false
+  config.action_mailer.perform_caching = false
+
+  config.action_mailer.delivery_method = :test
+
+  config.active_support.deprecation = :stderr
+end

data/test/dummy/config/initializers/devise.rb

@@ -0,0 +1,13 @@
+Devise.setup do |config|
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
+  require 'devise/orm/active_record'
+
+  config.case_insensitive_keys = [:email]
+  config.strip_whitespace_keys = [:email]
+  config.skip_session_storage = [:http_auth]
+  config.stretches = Rails.env.test? ? 1 : 11
+
+  config.warden do |config|
+    config.default_strategies(:scope => :user).unshift :suspicious_login_token
+  end
+end

data/test/dummy/config/locales/devise.en.yml

@@ -0,0 +1,12 @@
+en:
+  devise:
+    failure:
+      already_authenticated: ""
+      inactive: ""
+      invalid: "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in."
+      locked: "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in."
+      last_attempt: "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in."
+      not_found_in_database: "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in."
+      timeout: "Your session expired. Please log in again to continue."
+      unauthenticated: "You need to log in or sign up before continuing."
+      unconfirmed: ""

data/test/dummy/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+  devise_for :users, :controllers => {home: "/"}
+
+  root :to => 'home#index'
+end

data/test/dummy/config/secrets.yml

@@ -0,0 +1,5 @@
+development:
+  secret_key_base: dev_dev_dev
+
+test:
+  secret_key_base: test_test_test

data/test/dummy/config/spring.rb

@@ -0,0 +1,6 @@
+%w(
+  .ruby-version
+  .rbenv-vars
+  tmp/restart.txt
+  tmp/caching-dev.txt
+).each { |path| Spring.watch(path) }

data/test/dummy/db/migrate/20180910092425_create_tables.rb

@@ -0,0 +1,16 @@
+class CreateTables < ActiveRecord::Migration[5.1]
+  def change
+    create_table :users do |t|
+      t.string :unique_session_id, :limit => 20
+
+      ## Database authenticatable
+      t.string :email,              null: false, default: ''
+      t.string :encrypted_password, null: false, default: ''
+
+      t.datetime :password_changed_at
+      t.timestamps null: false
+    end
+    add_index :users, :password_changed_at
+    add_index :users, :email
+  end
+end

data/test/dummy/db/migrate/20180910094718_add_login_token_columns.rb

@@ -0,0 +1,8 @@
+class AddLoginTokenColumns < ActiveRecord::Migration[5.1]
+  def change
+    change_table :users do |t|
+      add_column :users, :login_token, :string
+      add_column :users, :login_token_sent_at, :datetime
+    end
+  end
+end

data/test/dummy/db/migrate/20180910104707_add_trackable_columns.rb

@@ -0,0 +1,11 @@
+class AddTrackableColumns < ActiveRecord::Migration[5.1]
+  def change
+    change_table :users do |t|
+      add_column :users, :last_sign_in_at, :datetime
+      add_column :users, :current_sign_in_at, :datetime
+      add_column :users, :current_sign_in_ip, :string
+      add_column :users, :last_sign_in_ip, :string
+      add_column :users, :sign_in_count, :integer, default: 0, null: false
+    end
+  end
+end

data/test/dummy/db/migrate/20180919081730_add_recoverable_columns.rb

@@ -0,0 +1,8 @@
+class AddRecoverableColumns < ActiveRecord::Migration[5.1]
+  def change
+    change_table :users do |t|
+      add_column :users, :reset_password_token, :string
+      add_column :users, :reset_password_sent_at, :datetime
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -0,0 +1,38 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2018_09_24_105700) do
+
+  create_table "users", force: :cascade do |t|
+    t.string "unique_session_id", limit: 20
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.datetime "password_changed_at"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "login_token"
+    t.datetime "login_token_sent_at"
+    t.datetime "last_sign_in_at"
+    t.datetime "current_sign_in_at"
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.integer "sign_in_count", default: 0, null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.string "authentication_token"
+    t.datetime "authentication_token_created_at"
+    t.index ["authentication_token"], name: "index_users_on_authentication_token", unique: true
+    t.index ["email"], name: "index_users_on_email"
+    t.index ["password_changed_at"], name: "index_users_on_password_changed_at"
+  end
+
+end

data/test/factories.rb

@@ -0,0 +1,47 @@
+FactoryBot.define do
+  sequence :email do |n|
+    "email#{n}@example.com"
+  end
+
+  sequence :uid do |n|
+    "12345#{n}"
+  end
+
+  factory :user, aliases: [:new_user] do
+    email
+    password        { 'password' }
+    created_at      { Time.now.utc }
+    updated_at      { Time.now.utc }
+    last_sign_in_ip    { '127.0.0.1' }
+    current_sign_in_ip { '127.0.0.2' }
+
+    factory :user_with_honest_login do
+      last_sign_in_at    { 2.days.ago.utc }
+      current_sign_in_at { 1.day.ago.utc }
+    end
+
+    factory :user_with_dormant_login do
+      last_sign_in_at    { 1.year.ago.utc }
+      current_sign_in_at { 6.months.ago.utc }
+
+      factory :user_with_dormant_login_and_recently_sent_login_token do
+        login_token_sent_at { Time.now.utc }
+        login_token { "TOKEN" }
+      end
+    end
+
+    factory :user_with_suspicious_login do
+      email { 'suspicious@example.org' }
+
+      factory :user_with_suspicious_login_and_recently_sent_login_token do
+        login_token_sent_at { Time.now.utc }
+        login_token { "TOKEN" }
+      end
+
+      factory :user_with_suspicious_login_and_ancient_login_token do
+        login_token_sent_at { 1.day.ago.utc }
+        login_token { "TOKEN" }
+      end
+    end
+  end
+end

data/test/generators/active_record_generator_test.rb

@@ -0,0 +1,40 @@
+require_relative '../test_helper.rb'
+
+if DEVISE_ORM == :active_record
+  require 'generators/active_record/suspicious_login_generator'
+
+  class ActiveRecordGeneratorTest < Rails::Generators::TestCase
+    tests ActiveRecord::Generators::SuspiciousLoginGenerator
+    destination File.expand_path('../../tmp', __FILE__)
+    setup :prepare_destination
+
+    test "update model migration when model exists in test mode" do
+      run_generator %w(foo)
+      assert_file "app/models/foo.rb"
+      run_generator %w(foo)
+      assert_migration "db/migrate/add_devise_suspicious_login_to_foos.rb", /#{Devise.token_field_name}/
+    end
+
+    test "raise error if model is not present when not in test mode" do
+      Rails.env = 'prod'
+      assert_raise SuspiciousLogin::MissingModelError do
+        run_generator %w(foo)
+      end
+      Rails.env = 'test'
+      assert_no_file "app/models/foo.rb"
+    end
+
+    test "append warden strategy to model" do
+      run_generator %w(foo)
+      assert_file "config/initializers/suspicious_login.rb", /manager\.default_strategies\(:scope => :foo\)\.unshift :suspicious_login_token/
+    end
+
+    test "all files are deleted except the model" do
+      run_generator %w(foo)
+      run_generator %w(foo)
+      assert_migration "db/migrate/add_devise_suspicious_login_to_foos.rb"
+      run_generator %w(foo), behavior: :revoke
+      assert_no_migration "db/migrate/add_devise_suspicious_login_to_foos.rb"
+    end
+  end
+end

data/test/generators/install_generator_test.rb

@@ -0,0 +1,15 @@
+require_relative '../test_helper.rb'
+require 'generators/suspicious_login/install_generator'
+
+class InstallGeneratorTest < Rails::Generators::TestCase
+  tests SuspiciousLogin::Generators::InstallGenerator
+  destination File.expand_path("../../tmp", __FILE__)
+  setup :prepare_destination
+
+  test "assert all files created" do
+    run_generator
+    assert_file "config/initializers/suspicious_login.rb", /config\.warden do \|manager\|\n/
+    assert_file "config/locales/suspicious_login.en.yml", /missing_modules:/
+    assert_file "config/application.rb", /require 'suspicious_login'/
+  end
+end

data/test/support/helpers.rb

@@ -0,0 +1,16 @@
+require 'active_support/test_case'
+
+@@default_ip = '127.0.0.4'
+
+class ActiveSupport::TestCase
+  def setup_mailer
+    Devise.mailer = Devise::Mailer
+    ActionMailer::Base.deliveries = []
+  end
+end
+
+class ActionDispatch::Request
+  def remote_ip
+    @@default_ip
+  end
+end

data/test/suspicious_acceptance_test.rb

@@ -0,0 +1,269 @@
+class SuspiciousMailTest < ActionDispatch::IntegrationTest
+  def setup
+    setup_mailer
+    Devise.mailer = Devise::Mailer
+    Devise.mailer_sender = 'test@example.com'
+    Devise.clear_token_on_login = true
+    @@default_ip = '127.0.0.4'
+  end
+
+  def mail
+    @mail ||= begin
+      ActionMailer::Base.deliveries.first
+    end
+  end
+
+  test 'new user' do
+    user = create(:new_user)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to root_path
+    assert_nil mail
+  end
+
+  test 'user with honest login' do
+    user = create(:user_with_honest_login)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to root_path
+    assert_nil mail
+  end
+
+  test 'user with dormant login from same ip' do
+    user = create(:user_with_dormant_login)
+
+    @@default_ip = '127.0.0.1'
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to root_path
+    assert_nil mail
+  end
+
+  test 'user with dormant login from different ip' do
+    user = create(:user_with_dormant_login)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    assert_not_nil mail
+    assert_equal "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in.", flash[:alert]
+  end
+
+  test 'user with suspicious login' do
+    user = create(:user_with_suspicious_login)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    assert_not_nil mail
+    assert_equal "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in.", flash[:alert]
+  end
+
+  test 'user with dormant login from different ip and recently sent login token' do
+    user = create(:user_with_dormant_login_and_recently_sent_login_token)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    assert_nil mail
+    assert_equal "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in.", flash[:alert]
+  end
+
+  test 'user with suspicious login and recently sent login token' do
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    assert_nil mail
+    assert_equal "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in.", flash[:alert]
+  end
+
+  test 'user with suspicious login and no token' do
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+
+    get root_path
+    assert_redirected_to new_user_session_path
+  end
+
+  test 'user with suspicious login and valid token and config.clear_token_on_login=true' do
+    Devise.clear_token_on_login = true
+
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+    params = {
+      login_token: "TOKEN",
+      email: user.email
+    }
+    get root_path(params)
+    assert_response :success
+
+    user = User.find(user.id)
+    assert_nil user[Devise.token_field_name]
+    assert_nil user[Devise.token_created_at_field_name]
+  end
+
+  test 'user with suspicious login and valid token and config.clear_token_on_login=false' do
+    Devise.clear_token_on_login = false
+
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+    params = {
+      login_token: "TOKEN",
+      email: user.email
+    }
+    get root_path(params)
+    assert_response :success
+
+    user = User.find(user.id)
+    assert_equal user[Devise.token_field_name], "TOKEN"
+    assert_not_nil user[Devise.token_created_at_field_name]
+  end
+
+  test 'user with suspicious login and valid but expired token' do
+    Devise.clear_token_on_login = false
+
+    user = create(:user_with_suspicious_login_and_ancient_login_token)
+    params = {
+      login_token: "TOKEN",
+      email: user.email
+    }
+    get root_path(params)
+    assert_redirected_to new_user_session_path
+
+    user = User.find(user.id)
+    assert_equal user[Devise.token_field_name], "TOKEN"
+    assert_not_nil user[Devise.token_created_at_field_name]
+  end
+
+  test 'user with suspicious login and invalid token and config.clear_token_on_login=true' do
+    Devise.clear_token_on_login = true
+
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+    params = {
+      login_token: "WRONG TOKEN",
+      email: user.email
+    }
+    get root_path(params)
+    assert_redirected_to new_user_session_path
+
+    user = User.find(user.id)
+    assert_equal user[Devise.token_field_name], "TOKEN"
+    assert_not_nil user[Devise.token_created_at_field_name]
+  end
+
+  test 'user with suspicious login and invalid token and config.clear_token_on_login=false' do
+    Devise.clear_token_on_login = false
+
+    user = create(:user_with_suspicious_login_and_recently_sent_login_token)
+    params = {
+      login_token: "WRONG TOKEN",
+      email: user.email
+    }
+    get root_path(params)
+    assert_redirected_to new_user_session_path
+
+    user = User.find(user.id)
+    assert_equal user[Devise.token_field_name], "TOKEN"
+    assert_not_nil user[Devise.token_created_at_field_name]
+  end
+
+  test 'multiple failed signins does not update trackable data' do
+    user = create(:user_with_dormant_login)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    last_sign_in_at = user.last_sign_in_at
+    current_sign_in_at = user.current_sign_in_at
+    last_sign_in_ip = user.last_sign_in_ip
+    current_sign_in_ip = user.current_sign_in_ip
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    user.reload
+    assert_equal user.last_sign_in_at, last_sign_in_at
+    assert_equal user.current_sign_in_at, current_sign_in_at
+    assert_equal user.last_sign_in_ip, last_sign_in_ip
+    assert_equal user.current_sign_in_ip, current_sign_in_ip
+
+    post user_session_path, params: params
+    assert_redirected_to new_user_session_path
+    user.reload
+    assert_equal user.last_sign_in_at, last_sign_in_at
+    assert_equal user.current_sign_in_at, current_sign_in_at
+    assert_equal user.last_sign_in_ip, last_sign_in_ip
+    assert_equal user.current_sign_in_ip, current_sign_in_ip
+  end
+
+  test 'successful login updates trackable fields correctly' do
+    user = create(:user_with_honest_login)
+
+    params = {
+      user: {
+        email: user.email,
+        password: "password"
+      }
+    }
+
+    last_sign_in_at = user.last_sign_in_at
+    current_sign_in_at = user.current_sign_in_at
+    last_sign_in_ip = user.last_sign_in_ip
+    current_sign_in_ip = user.current_sign_in_ip
+
+    post user_session_path, params: params
+    assert_redirected_to root_path
+
+    user.reload
+    assert_equal user.last_sign_in_at, current_sign_in_at
+    assert user.current_sign_in_at > current_sign_in_at
+    assert_equal user.last_sign_in_ip, current_sign_in_ip
+    assert_equal user.current_sign_in_ip, '127.0.0.4'
+  end
+end