devise 2.2.4 → 2.2.5

data/CHANGELOG.rdoc

@@ -1,3 +1,8 @@
+== 2.2.5
+
+* bug fix
+  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+
 == 2.2.4
 
 * enhancements

data/lib/devise.rb

@@ -221,6 +221,10 @@ module Devise
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
 
+  # Set if we should clean up the CSRF Token on authentication
+  mattr_accessor :clean_up_csrf_token_on_authentication
+  @@clean_up_csrf_token_on_authentication = true
+
   def self.encryptor=(value)
     warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
   end

data/lib/devise/hooks/csrf_cleaner.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if Devise.clean_up_csrf_token_on_authentication
+    warden.request.session.try(:delete, :_csrf_token)
+  end
+end

data/lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/hooks/csrf_cleaner'
 
 module Devise
   module Models

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.4".freeze
+  VERSION = "2.2.5".freeze
 end

data/lib/generators/templates/devise.rb

@@ -76,6 +76,12 @@ Devise.setup do |config|
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.

data/test/integration/authenticatable_test.rb

@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
     assert_redirected_to new_user_session_path
   end
 
+  test 'refreshes _csrf_token' do
+    ApplicationController.allow_forgery_protection = true
+
+    begin
+      get new_user_session_path
+      token = request.session[:_csrf_token]
+
+      sign_in_as_user
+      assert_not_equal request.session[:_csrf_token], token
+    ensure
+      ApplicationController.allow_forgery_protection = false
+    end
+  end
+
   test 'allows session to be set for a given scope' do
     sign_in_as_user
     get '/users'

metadata

@@ -1,7 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-  version: 2.2.4
+  prerelease: 
+  version: 2.2.5
 platform: ruby
 authors:
 - José Valim
@@ -9,64 +10,72 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-07 00:00:00.000000000 Z
+date: 2013-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: warden
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.1
+    none: false
+  name: warden
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.1
+    none: false
 - !ruby/object:Gem::Dependency
-  name: orm_adapter
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
+    none: false
+  name: orm_adapter
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
+    none: false
 - !ruby/object:Gem::Dependency
-  name: bcrypt-ruby
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
+    none: false
+  name: bcrypt-ruby
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
+    none: false
 - !ruby/object:Gem::Dependency
-  name: railties
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
+    none: false
+  name: railties
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
+    none: false
 description: Flexible authentication solution for Rails with Warden
 email: contact@plataformatec.com.br
 executables: []
@@ -117,6 +126,7 @@ files:
 - lib/devise/delegator.rb
 - lib/devise/failure_app.rb
 - lib/devise/hooks/activatable.rb
+- lib/devise/hooks/csrf_cleaner.rb
 - lib/devise/hooks/forgetable.rb
 - lib/devise/hooks/lockable.rb
 - lib/devise/hooks/rememberable.rb
@@ -286,7 +296,6 @@ files:
 homepage: http://github.com/plataformatec/devise
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -296,16 +305,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+  none: false
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+  none: false
 requirements: []
 rubyforge_project: devise
-rubygems_version: 2.0.3
+rubygems_version: 1.8.23
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: Flexible authentication solution for Rails with Warden
 test_files:
 - test/controllers/custom_strategy_test.rb
@@ -416,3 +427,4 @@ test_files:
 - test/test_helper.rb
 - test/test_helpers_test.rb
 - test/test_models.rb
+has_rdoc: 

checksums.yaml

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OTViYjg5MzA0NjcxY2Q4OTljYWM5N2M0ZmY5YjhkMWM1Y2U0MjUyZQ==
-  data.tar.gz: !binary |-
-    OGIzMDNlZGZjYzA2ODQ5ZTA5NjM5YzcwYzhiOTdlN2QzN2JiMmVlZg==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    NDc4MDY5NDFlOTMwNGVlMWVkNGY0NjVlNzZjN2NiMGVmODYzY2M3MjI5OTMz
-    NTNhYjBkOTRhMDNlNWU1MTFhZWRlOGUyMWUzZDZlNDEzOTZkNGNiYzM3OTMx
-    ZTE1NjM0MjEzYWJhMjQ1YTYyM2UyZWQwZjkyNjFhZDg2OWZhMjE=
-  data.tar.gz: !binary |-
-    MWE3MWZiZjExYWViNjk3ZjEzZWIzMzEwMDFhY2MyNmU1MDlhNzY1MjZmYjZk
-    N2UxZjRlZGFjZjFiNzVjZDNjZTQxMjNiZTA3MDc4ODYzYzZiZTc0M2IzNDY4
-    ZGRkZDdjMTNkZThiOTI1NWYzZDgwOTkwMTJiZTIyMjIyYjJhYjk=