devise 2.2.4 → 2.2.5





@@ -1,3 +1,8 @@
1
+ == 2.2.5
2
+
3
+ * bug fix
4
+ * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
5
+
1
6
  == 2.2.4
2
7
 
3
8
  * enhancements
@@ -221,6 +221,10 @@ module Devise
221
221
  mattr_accessor :omniauth_path_prefix
222
222
  @@omniauth_path_prefix = nil
223
223
 
224
+ # Set if we should clean up the CSRF Token on authentication
225
+ mattr_accessor :clean_up_csrf_token_on_authentication
226
+ @@clean_up_csrf_token_on_authentication = true
227
+
224
228
  def self.encryptor=(value)
225
229
  warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
226
230
  end
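Review bot: The comment on the new accessor says what the flag does but not why it defaults to true, so a maintainer reading lib/devise.rb alone cannot tell that switching it off reopens the CSRF token fixation issue the option was introduced for. Suggest replacing `# Set if we should clean up the CSRF Token on authentication` with `# Whether to discard the session's CSRF token after a successful authentication, so a token established before login is not carried over into the authenticated session (CSRF token fixation). Defaults to true; AJAX sign-in/sign-up flows must fetch a fresh token afterwards.` The enclosing `module Devise` starts and ends outside the hunk.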
@@ -0,0 +1,5 @@
1
+ Warden::Manager.after_authentication do |record, warden, options|
2
+ if Devise.clean_up_csrf_token_on_authentication
3
+ warden.request.session.try(:delete, :_csrf_token)
4
+ end
5
+ end
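Review bot: The deletion goes through `warden.request.session.try(:delete, :_csrf_token)`, so on a session object that does not respond to `delete` the hook silently does nothing and the protection the changelog announces is simply not applied; an explicit `session = warden.request.session` / `session.delete(:_csrf_token) if session.respond_to?(:delete)` is equivalent but makes the fallback visible to a reader. The new file also carries no comment explaining why the token is dropped; suggest a header such as `# After a successful authentication, drop the CSRF token kept in the session so the token from the unauthenticated session is not reused by the authenticated one; clients must obtain a fresh token from the server afterwards.` Since the hook is registered as `after_authentication`, it presumably only fires for set_user calls carrying the `:authentication` event, so any sign-in path that sets the user without that event would keep the old token — worth confirming against Devise's own sign_in helper.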
@@ -1,4 +1,5 @@
1
1
  require 'devise/hooks/activatable'
2
+ require 'devise/hooks/csrf_cleaner'
2
3
 
3
4
  module Devise
4
5
  module Models
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "2.2.4".freeze
2
+ VERSION = "2.2.5".freeze
3
3
  end
@@ -76,6 +76,12 @@ Devise.setup do |config|
76
76
  # passing :skip => :sessions to `devise_for` in your config/routes.rb
77
77
  config.skip_session_storage = [:http_auth]
78
78
 
79
+ # By default, Devise cleans up the CSRF token on authentication to
80
+ # avoid CSRF token fixation attacks. This means that, when using AJAX
81
+ # requests for sign in and sign up, you need to get a new CSRF token
82
+ # from the server. You can disable this option at your own risk.
83
+ # config.clean_up_csrf_token_on_authentication = true
84
+
79
85
  # ==> Configuration for :database_authenticatable
80
86
  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
81
87
  # using other encryptors, it sets how many times you want the password re-encrypted.
@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
327
327
  assert_redirected_to new_user_session_path
328
328
  end
329
329
 
330
+ test 'refreshes _csrf_token' do
331
+ ApplicationController.allow_forgery_protection = true
332
+
333
+ begin
334
+ get new_user_session_path
335
+ token = request.session[:_csrf_token]
336
+
337
+ sign_in_as_user
338
+ assert_not_equal request.session[:_csrf_token], token
339
+ ensure
340
+ ApplicationController.allow_forgery_protection = false
341
+ end
342
+ end
343
+
330
344
  test 'allows session to be set for a given scope' do
331
345
  sign_in_as_user
332
346
  get '/users'
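Review bot: The assertion `assert_not_equal request.session[:_csrf_token], token` also passes when the GET never stored a token (`token` is nil) and the post-login value happens to be non-nil, so the test does not pin that a token existed and was discarded; add `assert_not_nil token` right after `token = request.session[:_csrf_token]`. The `ensure` branch hard-codes `ApplicationController.allow_forgery_protection = false` rather than restoring the previous value, which only holds if the suite's default is presumably false; capturing the old value before the `begin` and restoring it would make the test self-contained. The enclosing AuthenticationSessionTest class starts and ends outside the hunk.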
metadata CHANGED
@@ -1,7 +1,8 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.4
4
+ prerelease:
5
+ version: 2.2.5
5
6
  platform: ruby
6
7
  authors:
7
8
  - José Valim
@@ -9,64 +10,72 @@ authors:
9
10
  autorequire:
10
11
  bindir: bin
11
12
  cert_chain: []
12
- date: 2013-05-07 00:00:00.000000000 Z
13
+ date: 2013-08-02 00:00:00.000000000 Z
13
14
  dependencies:
14
15
  - !ruby/object:Gem::Dependency
15
- name: warden
16
- requirement: !ruby/object:Gem::Requirement
16
+ version_requirements: !ruby/object:Gem::Requirement
17
17
  requirements:
18
18
  - - ~>
19
19
  - !ruby/object:Gem::Version
20
20
  version: 1.2.1
21
+ none: false
22
+ name: warden
21
23
  type: :runtime
22
24
  prerelease: false
23
- version_requirements: !ruby/object:Gem::Requirement
25
+ requirement: !ruby/object:Gem::Requirement
24
26
  requirements:
25
27
  - - ~>
26
28
  - !ruby/object:Gem::Version
27
29
  version: 1.2.1
30
+ none: false
28
31
  - !ruby/object:Gem::Dependency
29
- name: orm_adapter
30
- requirement: !ruby/object:Gem::Requirement
32
+ version_requirements: !ruby/object:Gem::Requirement
31
33
  requirements:
32
34
  - - ~>
33
35
  - !ruby/object:Gem::Version
34
36
  version: '0.1'
37
+ none: false
38
+ name: orm_adapter
35
39
  type: :runtime
36
40
  prerelease: false
37
- version_requirements: !ruby/object:Gem::Requirement
41
+ requirement: !ruby/object:Gem::Requirement
38
42
  requirements:
39
43
  - - ~>
40
44
  - !ruby/object:Gem::Version
41
45
  version: '0.1'
46
+ none: false
42
47
  - !ruby/object:Gem::Dependency
43
- name: bcrypt-ruby
44
- requirement: !ruby/object:Gem::Requirement
48
+ version_requirements: !ruby/object:Gem::Requirement
45
49
  requirements:
46
50
  - - ~>
47
51
  - !ruby/object:Gem::Version
48
52
  version: '3.0'
53
+ none: false
54
+ name: bcrypt-ruby
49
55
  type: :runtime
50
56
  prerelease: false
51
- version_requirements: !ruby/object:Gem::Requirement
57
+ requirement: !ruby/object:Gem::Requirement
52
58
  requirements:
53
59
  - - ~>
54
60
  - !ruby/object:Gem::Version
55
61
  version: '3.0'
62
+ none: false
56
63
  - !ruby/object:Gem::Dependency
57
- name: railties
58
- requirement: !ruby/object:Gem::Requirement
64
+ version_requirements: !ruby/object:Gem::Requirement
59
65
  requirements:
60
66
  - - ~>
61
67
  - !ruby/object:Gem::Version
62
68
  version: '3.1'
69
+ none: false
70
+ name: railties
63
71
  type: :runtime
64
72
  prerelease: false
65
- version_requirements: !ruby/object:Gem::Requirement
73
+ requirement: !ruby/object:Gem::Requirement
66
74
  requirements:
67
75
  - - ~>
68
76
  - !ruby/object:Gem::Version
69
77
  version: '3.1'
78
+ none: false
70
79
  description: Flexible authentication solution for Rails with Warden
71
80
  email: contact@plataformatec.com.br
72
81
  executables: []
@@ -117,6 +126,7 @@ files:
117
126
  - lib/devise/delegator.rb
118
127
  - lib/devise/failure_app.rb
119
128
  - lib/devise/hooks/activatable.rb
129
+ - lib/devise/hooks/csrf_cleaner.rb
120
130
  - lib/devise/hooks/forgetable.rb
121
131
  - lib/devise/hooks/lockable.rb
122
132
  - lib/devise/hooks/rememberable.rb
@@ -286,7 +296,6 @@ files:
286
296
  homepage: http://github.com/plataformatec/devise
287
297
  licenses:
288
298
  - MIT
289
- metadata: {}
290
299
  post_install_message:
291
300
  rdoc_options: []
292
301
  require_paths:
@@ -296,16 +305,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
296
305
  - - ! '>='
297
306
  - !ruby/object:Gem::Version
298
307
  version: '0'
308
+ none: false
299
309
  required_rubygems_version: !ruby/object:Gem::Requirement
300
310
  requirements:
301
311
  - - ! '>='
302
312
  - !ruby/object:Gem::Version
303
313
  version: '0'
314
+ none: false
304
315
  requirements: []
305
316
  rubyforge_project: devise
306
- rubygems_version: 2.0.3
317
+ rubygems_version: 1.8.23
307
318
  signing_key:
308
- specification_version: 4
319
+ specification_version: 3
309
320
  summary: Flexible authentication solution for Rails with Warden
310
321
  test_files:
311
322
  - test/controllers/custom_strategy_test.rb
@@ -416,3 +427,4 @@ test_files:
416
427
  - test/test_helper.rb
417
428
  - test/test_helpers_test.rb
418
429
  - test/test_models.rb
430
+ has_rdoc:
checksums.yaml DELETED
@@ -1,15 +0,0 @@
1
- ---
2
- !binary "U0hBMQ==":
3
- metadata.gz: !binary |-
4
- OTViYjg5MzA0NjcxY2Q4OTljYWM5N2M0ZmY5YjhkMWM1Y2U0MjUyZQ==
5
- data.tar.gz: !binary |-
6
- OGIzMDNlZGZjYzA2ODQ5ZTA5NjM5YzcwYzhiOTdlN2QzN2JiMmVlZg==
7
- !binary "U0hBNTEy":
8
- metadata.gz: !binary |-
9
- NDc4MDY5NDFlOTMwNGVlMWVkNGY0NjVlNzZjN2NiMGVmODYzY2M3MjI5OTMz
10
- NTNhYjBkOTRhMDNlNWU1MTFhZWRlOGUyMWUzZDZlNDEzOTZkNGNiYzM3OTMx
11
- ZTE1NjM0MjEzYWJhMjQ1YTYyM2UyZWQwZjkyNjFhZDg2OWZhMjE=
12
- data.tar.gz: !binary |-
13
- MWE3MWZiZjExYWViNjk3ZjEzZWIzMzEwMDFhY2MyNmU1MDlhNzY1MjZmYjZk
14
- N2UxZjRlZGFjZjFiNzVjZDNjZTQxMjNiZTA3MDc4ODYzYzZiZTc0M2IzNDY4
15
- ZGRkZDdjMTNkZThiOTI1NWYzZDgwOTkwMTJiZTIyMjIyYjJhYjk=