devise 1.0.9 → 1.0.10
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of devise might be problematic. Click here for more details.
- data/CHANGELOG.rdoc +7 -0
- data/README.rdoc +1 -1
- data/app/controllers/registrations_controller.rb +3 -3
- data/lib/devise.rb +11 -0
- data/lib/devise/controllers/helpers.rb +14 -0
- data/lib/devise/hooks/rememberable.rb +3 -2
- data/lib/devise/models/database_authenticatable.rb +1 -1
- data/lib/devise/models/http_authenticatable.rb +4 -2
- data/lib/devise/version.rb +1 -1
- data/test/integration/rememberable_test.rb +11 -0
- data/test/rails_app/config/environment.rb +1 -1
- metadata +6 -6
data/CHANGELOG.rdoc
CHANGED
data/README.rdoc
CHANGED
|
@@ -3,13 +3,13 @@ class RegistrationsController < ApplicationController
|
|
|
3
3
|
prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
|
|
4
4
|
include Devise::Controllers::InternalHelpers
|
|
5
5
|
|
|
6
|
-
# GET /resource/
|
|
6
|
+
# GET /resource/sign_up
|
|
7
7
|
def new
|
|
8
8
|
build_resource
|
|
9
9
|
render_with_scope :new
|
|
10
10
|
end
|
|
11
11
|
|
|
12
|
-
# POST /resource
|
|
12
|
+
# POST /resource
|
|
13
13
|
def create
|
|
14
14
|
build_resource
|
|
15
15
|
|
|
@@ -50,4 +50,4 @@ class RegistrationsController < ApplicationController
|
|
|
50
50
|
send(:"authenticate_#{resource_name}!")
|
|
51
51
|
self.resource = send(:"current_#{resource_name}").dup
|
|
52
52
|
end
|
|
53
|
-
end
|
|
53
|
+
end
|
data/lib/devise.rb
CHANGED
|
@@ -210,6 +210,17 @@ module Devise
|
|
|
210
210
|
ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
|
|
211
211
|
end
|
|
212
212
|
|
|
213
|
+
# constant-time comparison algorithm to prevent timing attacks
|
|
214
|
+
def secure_compare(a, b)
|
|
215
|
+
return false unless a.present? && b.present?
|
|
216
|
+
return false unless a.bytesize == b.bytesize
|
|
217
|
+
l = a.unpack "C#{a.bytesize}"
|
|
218
|
+
|
|
219
|
+
res = 0
|
|
220
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
221
|
+
res == 0
|
|
222
|
+
end
|
|
223
|
+
|
|
213
224
|
# Make Devise aware of an 3rd party Devise-module. For convenience.
|
|
214
225
|
#
|
|
215
226
|
# == Options:
|
|
@@ -163,6 +163,20 @@ module Devise
|
|
|
163
163
|
redirect_to after_sign_out_path_for(scope)
|
|
164
164
|
end
|
|
165
165
|
|
|
166
|
+
# Sign out all active users or scopes. This helper is useful for signing out all roles
|
|
167
|
+
# in one click. This signs out ALL scopes in warden.
|
|
168
|
+
def sign_out_all_scopes
|
|
169
|
+
Devise.mappings.keys.each { |s| warden.user(s) }
|
|
170
|
+
warden.raw_session.inspect
|
|
171
|
+
warden.logout
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
# Override Rails' handle unverified request to sign out all scopes.
|
|
175
|
+
def handle_unverified_request
|
|
176
|
+
sign_out_all_scopes
|
|
177
|
+
super # call the default behaviour which resets the session
|
|
178
|
+
end
|
|
179
|
+
|
|
166
180
|
# Define authentication filters and accessor helpers based on mappings.
|
|
167
181
|
# These filters should be used inside the controllers as before_filters,
|
|
168
182
|
# so you can control the scope of the user who should be signed in to
|
|
@@ -24,9 +24,10 @@ end
|
|
|
24
24
|
# won't be remembered again.
|
|
25
25
|
# Notice that we forget the user if the record is frozen. This usually means the
|
|
26
26
|
# user was just deleted.
|
|
27
|
-
Warden::Manager.before_logout do |record, warden,
|
|
27
|
+
Warden::Manager.before_logout do |record, warden, options|
|
|
28
|
+
scope = options[:scope]
|
|
28
29
|
if record.respond_to?(:forget_me!)
|
|
29
30
|
record.forget_me! unless record.frozen?
|
|
30
|
-
warden.response.delete_cookie "remember_#{scope}_token"
|
|
31
|
+
warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
|
|
31
32
|
end
|
|
32
33
|
end
|
|
@@ -55,7 +55,7 @@ module Devise
|
|
|
55
55
|
|
|
56
56
|
# Verifies whether an incoming_password (ie from sign in) is the user password.
|
|
57
57
|
def valid_password?(incoming_password)
|
|
58
|
-
password_digest(incoming_password)
|
|
58
|
+
Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
# Checks if a resource is valid upon authentication.
|
|
@@ -3,14 +3,16 @@ require 'devise/strategies/http_authenticatable'
|
|
|
3
3
|
module Devise
|
|
4
4
|
module Models
|
|
5
5
|
# Adds HttpAuthenticatable behavior to your model. It expects that your
|
|
6
|
-
# model class responds to authenticate
|
|
7
|
-
# (which for example
|
|
6
|
+
# model class responds to authenticate method
|
|
7
|
+
# (which for example is defined in authenticatable).
|
|
8
8
|
module HttpAuthenticatable
|
|
9
9
|
def self.included(base)
|
|
10
10
|
base.extend ClassMethods
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
module ClassMethods
|
|
14
|
+
Devise::Models.config(self, :authentication_keys)
|
|
15
|
+
|
|
14
16
|
# Authenticate an user using http.
|
|
15
17
|
def authenticate_with_http(username, password)
|
|
16
18
|
authenticate(authentication_keys.first => username, :password => password)
|
data/lib/devise/version.rb
CHANGED
|
@@ -67,5 +67,16 @@ class RememberMeTest < ActionController::IntegrationTest
|
|
|
67
67
|
get destroy_user_session_path
|
|
68
68
|
get users_path
|
|
69
69
|
assert_not warden.authenticated?(:user)
|
|
70
|
+
assert_equal cookies['remember_user_token'], ''
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
test 'cookies are destroyed on unverified requests' do
|
|
74
|
+
swap HomeController, :allow_forgery_protection => true do
|
|
75
|
+
user = create_user_and_remember
|
|
76
|
+
get users_path
|
|
77
|
+
assert warden.authenticated?(:user)
|
|
78
|
+
post root_path, :authenticity_token => 'INVALID'
|
|
79
|
+
assert_not warden.authenticated?(:user)
|
|
80
|
+
end
|
|
70
81
|
end
|
|
71
82
|
end
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Be sure to restart your server when you modify this file
|
|
2
2
|
|
|
3
3
|
# Specifies gem version of Rails to use when vendor/rails is not present
|
|
4
|
-
RAILS_GEM_VERSION = '2.3.
|
|
4
|
+
RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
|
|
5
5
|
DEVISE_ORM = :active_record unless defined? DEVISE_ORM
|
|
6
6
|
|
|
7
7
|
# Bootstrap the Rails environment, frameworks, and default configuration
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: devise
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 3
|
|
5
5
|
prerelease: false
|
|
6
6
|
segments:
|
|
7
7
|
- 1
|
|
8
8
|
- 0
|
|
9
|
-
-
|
|
10
|
-
version: 1.0.
|
|
9
|
+
- 10
|
|
10
|
+
version: 1.0.10
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- "Jos\xC3\xA9 Valim"
|
|
@@ -16,7 +16,7 @@ autorequire:
|
|
|
16
16
|
bindir: bin
|
|
17
17
|
cert_chain: []
|
|
18
18
|
|
|
19
|
-
date:
|
|
19
|
+
date: 2011-02-15 00:00:00 +01:00
|
|
20
20
|
default_executable:
|
|
21
21
|
dependencies:
|
|
22
22
|
- !ruby/object:Gem::Dependency
|
|
@@ -188,8 +188,8 @@ homepage: http://github.com/plataformatec/devise
|
|
|
188
188
|
licenses: []
|
|
189
189
|
|
|
190
190
|
post_install_message:
|
|
191
|
-
rdoc_options:
|
|
192
|
-
|
|
191
|
+
rdoc_options: []
|
|
192
|
+
|
|
193
193
|
require_paths:
|
|
194
194
|
- lib
|
|
195
195
|
required_ruby_version: !ruby/object:Gem::Requirement
|