devise 1.1.5 → 1.1.6
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of devise might be problematic. Click here for more details.
- data/CHANGELOG.rdoc +6 -0
- data/Gemfile +1 -1
- data/Gemfile.lock +34 -34
- data/lib/devise.rb +12 -1
- data/lib/devise/controllers/helpers.rb +6 -0
- data/lib/devise/failure_app.rb +6 -2
- data/lib/devise/models/database_authenticatable.rb +1 -1
- data/lib/devise/version.rb +1 -1
- data/lib/generators/templates/devise.rb +1 -1
- data/test/failure_app_test.rb +1 -1
- data/test/integration/rememberable_test.rb +10 -0
- metadata +6 -6
data/CHANGELOG.rdoc
CHANGED
data/Gemfile
CHANGED
data/Gemfile.lock
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
devise (1.1.
|
|
4
|
+
devise (1.1.5)
|
|
5
5
|
bcrypt-ruby (~> 2.1.2)
|
|
6
6
|
warden (~> 1.0.2)
|
|
7
7
|
|
|
@@ -9,33 +9,33 @@ GEM
|
|
|
9
9
|
remote: http://rubygems.org/
|
|
10
10
|
specs:
|
|
11
11
|
abstract (1.0.0)
|
|
12
|
-
actionmailer (3.0.
|
|
13
|
-
actionpack (= 3.0.
|
|
14
|
-
mail (~> 2.2.
|
|
15
|
-
actionpack (3.0.
|
|
16
|
-
activemodel (= 3.0.
|
|
17
|
-
activesupport (= 3.0.
|
|
12
|
+
actionmailer (3.0.4)
|
|
13
|
+
actionpack (= 3.0.4)
|
|
14
|
+
mail (~> 2.2.15)
|
|
15
|
+
actionpack (3.0.4)
|
|
16
|
+
activemodel (= 3.0.4)
|
|
17
|
+
activesupport (= 3.0.4)
|
|
18
18
|
builder (~> 2.1.2)
|
|
19
19
|
erubis (~> 2.6.6)
|
|
20
20
|
i18n (~> 0.4)
|
|
21
21
|
rack (~> 1.2.1)
|
|
22
22
|
rack-mount (~> 0.6.13)
|
|
23
|
-
rack-test (~> 0.5.
|
|
23
|
+
rack-test (~> 0.5.7)
|
|
24
24
|
tzinfo (~> 0.3.23)
|
|
25
|
-
activemodel (3.0.
|
|
26
|
-
activesupport (= 3.0.
|
|
25
|
+
activemodel (3.0.4)
|
|
26
|
+
activesupport (= 3.0.4)
|
|
27
27
|
builder (~> 2.1.2)
|
|
28
28
|
i18n (~> 0.4)
|
|
29
|
-
activerecord (3.0.
|
|
30
|
-
activemodel (= 3.0.
|
|
31
|
-
activesupport (= 3.0.
|
|
29
|
+
activerecord (3.0.4)
|
|
30
|
+
activemodel (= 3.0.4)
|
|
31
|
+
activesupport (= 3.0.4)
|
|
32
32
|
arel (~> 2.0.2)
|
|
33
33
|
tzinfo (~> 0.3.23)
|
|
34
|
-
activeresource (3.0.
|
|
35
|
-
activemodel (= 3.0.
|
|
36
|
-
activesupport (= 3.0.
|
|
37
|
-
activesupport (3.0.
|
|
38
|
-
arel (2.0.
|
|
34
|
+
activeresource (3.0.4)
|
|
35
|
+
activemodel (= 3.0.4)
|
|
36
|
+
activesupport (= 3.0.4)
|
|
37
|
+
activesupport (3.0.4)
|
|
38
|
+
arel (2.0.8)
|
|
39
39
|
bcrypt-ruby (2.1.2)
|
|
40
40
|
bson (1.1.2)
|
|
41
41
|
bson_ext (1.1.2)
|
|
@@ -43,11 +43,11 @@ GEM
|
|
|
43
43
|
columnize (0.3.2)
|
|
44
44
|
erubis (2.6.6)
|
|
45
45
|
abstract (>= 1.0.0)
|
|
46
|
-
i18n (0.
|
|
46
|
+
i18n (0.5.0)
|
|
47
47
|
linecache (0.43)
|
|
48
|
-
mail (2.2.
|
|
48
|
+
mail (2.2.15)
|
|
49
49
|
activesupport (>= 2.3.6)
|
|
50
|
-
i18n (
|
|
50
|
+
i18n (>= 0.4.0)
|
|
51
51
|
mime-types (~> 1.16)
|
|
52
52
|
treetop (~> 1.4.8)
|
|
53
53
|
mime-types (1.16)
|
|
@@ -65,19 +65,19 @@ GEM
|
|
|
65
65
|
rack (1.2.1)
|
|
66
66
|
rack-mount (0.6.13)
|
|
67
67
|
rack (>= 1.0.0)
|
|
68
|
-
rack-test (0.5.
|
|
68
|
+
rack-test (0.5.7)
|
|
69
69
|
rack (>= 1.0)
|
|
70
|
-
rails (3.0.
|
|
71
|
-
actionmailer (= 3.0.
|
|
72
|
-
actionpack (= 3.0.
|
|
73
|
-
activerecord (= 3.0.
|
|
74
|
-
activeresource (= 3.0.
|
|
75
|
-
activesupport (= 3.0.
|
|
70
|
+
rails (3.0.4)
|
|
71
|
+
actionmailer (= 3.0.4)
|
|
72
|
+
actionpack (= 3.0.4)
|
|
73
|
+
activerecord (= 3.0.4)
|
|
74
|
+
activeresource (= 3.0.4)
|
|
75
|
+
activesupport (= 3.0.4)
|
|
76
76
|
bundler (~> 1.0)
|
|
77
|
-
railties (= 3.0.
|
|
78
|
-
railties (3.0.
|
|
79
|
-
actionpack (= 3.0.
|
|
80
|
-
activesupport (= 3.0.
|
|
77
|
+
railties (= 3.0.4)
|
|
78
|
+
railties (3.0.4)
|
|
79
|
+
actionpack (= 3.0.4)
|
|
80
|
+
activesupport (= 3.0.4)
|
|
81
81
|
rake (>= 0.8.7)
|
|
82
82
|
thor (~> 0.14.4)
|
|
83
83
|
rake (0.8.7)
|
|
@@ -90,7 +90,7 @@ GEM
|
|
|
90
90
|
thor (0.14.6)
|
|
91
91
|
treetop (1.4.9)
|
|
92
92
|
polyglot (>= 0.3.1)
|
|
93
|
-
tzinfo (0.3.
|
|
93
|
+
tzinfo (0.3.24)
|
|
94
94
|
warden (1.0.2)
|
|
95
95
|
rack (>= 1.0.0)
|
|
96
96
|
webrat (0.7.2)
|
|
@@ -110,7 +110,7 @@ DEPENDENCIES
|
|
|
110
110
|
mocha
|
|
111
111
|
mongo (= 1.1.2)
|
|
112
112
|
mongoid (= 2.0.0.beta.20)
|
|
113
|
-
rails (~> 3.0.
|
|
113
|
+
rails (~> 3.0.4)
|
|
114
114
|
ruby-debug (>= 0.10.3)
|
|
115
115
|
sqlite3-ruby
|
|
116
116
|
warden (~> 1.0.2)
|
data/lib/devise.rb
CHANGED
|
@@ -83,7 +83,7 @@ module Devise
|
|
|
83
83
|
|
|
84
84
|
# Email regex used to validate email formats. Adapted from authlogic.
|
|
85
85
|
mattr_accessor :email_regexp
|
|
86
|
-
@@email_regexp =
|
|
86
|
+
@@email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
|
|
87
87
|
|
|
88
88
|
# Range validation for password length
|
|
89
89
|
mattr_accessor :password_length
|
|
@@ -290,6 +290,17 @@ module Devise
|
|
|
290
290
|
def self.friendly_token
|
|
291
291
|
ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
|
|
292
292
|
end
|
|
293
|
+
|
|
294
|
+
# constant-time comparison algorithm to prevent timing attacks
|
|
295
|
+
def self.secure_compare(a, b)
|
|
296
|
+
return false unless a.present? && b.present?
|
|
297
|
+
return false unless a.bytesize == b.bytesize
|
|
298
|
+
l = a.unpack "C#{a.bytesize}"
|
|
299
|
+
|
|
300
|
+
res = 0
|
|
301
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
302
|
+
res == 0
|
|
303
|
+
end
|
|
293
304
|
end
|
|
294
305
|
|
|
295
306
|
require 'warden'
|
|
@@ -182,6 +182,12 @@ module Devise
|
|
|
182
182
|
redirect_to after_sign_out_path_for(scope)
|
|
183
183
|
end
|
|
184
184
|
|
|
185
|
+
# Override Rails' handle unverified request to sign out all scopes.
|
|
186
|
+
def handle_unverified_request
|
|
187
|
+
sign_out_all_scopes
|
|
188
|
+
super # call the default behaviour which resets the session
|
|
189
|
+
end
|
|
190
|
+
|
|
185
191
|
# Define authentication filters and accessor helpers based on mappings.
|
|
186
192
|
# These filters should be used inside the controllers as before_filters,
|
|
187
193
|
# so you can control the scope of the user who should be signed in to
|
data/lib/devise/failure_app.rb
CHANGED
|
@@ -68,11 +68,11 @@ module Devise
|
|
|
68
68
|
end
|
|
69
69
|
|
|
70
70
|
def http_auth?
|
|
71
|
-
!Devise.navigational_formats.include?(
|
|
71
|
+
!Devise.navigational_formats.include?(request_format) || (request.xhr? && Devise.http_authenticatable_on_xhr)
|
|
72
72
|
end
|
|
73
73
|
|
|
74
74
|
def http_auth_body
|
|
75
|
-
method = :"to_#{
|
|
75
|
+
method = :"to_#{request_format}"
|
|
76
76
|
{}.respond_to?(method) ? { :error => i18n_message }.send(method) : i18n_message
|
|
77
77
|
end
|
|
78
78
|
|
|
@@ -103,5 +103,9 @@ module Devise
|
|
|
103
103
|
def store_location!
|
|
104
104
|
session[:"#{scope}_return_to"] = attempted_path if request.get? && !http_auth?
|
|
105
105
|
end
|
|
106
|
+
|
|
107
|
+
def request_format
|
|
108
|
+
@request_format ||= request.format.respond_to?(:ref) ? request.format.ref : request.format
|
|
109
|
+
end
|
|
106
110
|
end
|
|
107
111
|
end
|
|
@@ -44,7 +44,7 @@ module Devise
|
|
|
44
44
|
|
|
45
45
|
# Verifies whether an incoming_password (ie from sign in) is the user password.
|
|
46
46
|
def valid_password?(incoming_password)
|
|
47
|
-
password_digest(incoming_password)
|
|
47
|
+
Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
|
|
48
48
|
end
|
|
49
49
|
|
|
50
50
|
# Set password and password confirmation to nil
|
data/lib/devise/version.rb
CHANGED
|
@@ -72,7 +72,7 @@ Devise.setup do |config|
|
|
|
72
72
|
# config.password_length = 6..20
|
|
73
73
|
|
|
74
74
|
# Regex to use to validate the email address
|
|
75
|
-
# config.email_regexp =
|
|
75
|
+
# config.email_regexp = /\A([\w\.%\+\-]+)@([\w\-]+\.)+([\w]{2,})\z/i
|
|
76
76
|
|
|
77
77
|
# ==> Configuration for :timeoutable
|
|
78
78
|
# The time you want to timeout the user session without activity. After this
|
data/test/failure_app_test.rb
CHANGED
|
@@ -13,7 +13,7 @@ class FailureTest < ActiveSupport::TestCase
|
|
|
13
13
|
'REQUEST_METHOD' => 'GET',
|
|
14
14
|
'warden.options' => { :scope => :user },
|
|
15
15
|
'rack.session' => {},
|
|
16
|
-
'action_dispatch.request.formats' => Array(env_params.delete('formats') ||
|
|
16
|
+
'action_dispatch.request.formats' => Array(env_params.delete('formats') || Mime::HTML),
|
|
17
17
|
'rack.input' => "",
|
|
18
18
|
'warden' => OpenStruct.new(:message => nil)
|
|
19
19
|
}.merge!(env_params)
|
|
@@ -48,6 +48,16 @@ class RememberMeTest < ActionController::IntegrationTest
|
|
|
48
48
|
end
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
+
test 'cookies are destroyed on unverified requests' do
|
|
52
|
+
swap ApplicationController, :allow_forgery_protection => true do
|
|
53
|
+
user = create_user_and_remember
|
|
54
|
+
get users_path
|
|
55
|
+
assert warden.authenticated?(:user)
|
|
56
|
+
post root_path, :authenticity_token => 'INVALID'
|
|
57
|
+
assert_not warden.authenticated?(:user)
|
|
58
|
+
end
|
|
59
|
+
end
|
|
60
|
+
|
|
51
61
|
test 'remember the user before sign in' do
|
|
52
62
|
user = create_user_and_remember
|
|
53
63
|
get users_path
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: devise
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
hash:
|
|
4
|
+
hash: 31
|
|
5
5
|
prerelease: false
|
|
6
6
|
segments:
|
|
7
7
|
- 1
|
|
8
8
|
- 1
|
|
9
|
-
-
|
|
10
|
-
version: 1.1.
|
|
9
|
+
- 6
|
|
10
|
+
version: 1.1.6
|
|
11
11
|
platform: ruby
|
|
12
12
|
authors:
|
|
13
13
|
- "Jos\xC3\xA9 Valim"
|
|
@@ -16,7 +16,7 @@ autorequire:
|
|
|
16
16
|
bindir: bin
|
|
17
17
|
cert_chain: []
|
|
18
18
|
|
|
19
|
-
date:
|
|
19
|
+
date: 2011-02-15 00:00:00 +01:00
|
|
20
20
|
default_executable:
|
|
21
21
|
dependencies:
|
|
22
22
|
- !ruby/object:Gem::Dependency
|
|
@@ -221,8 +221,8 @@ homepage: http://github.com/plataformatec/devise
|
|
|
221
221
|
licenses: []
|
|
222
222
|
|
|
223
223
|
post_install_message:
|
|
224
|
-
rdoc_options:
|
|
225
|
-
|
|
224
|
+
rdoc_options: []
|
|
225
|
+
|
|
226
226
|
require_paths:
|
|
227
227
|
- lib
|
|
228
228
|
required_ruby_version: !ruby/object:Gem::Requirement
|