devise 1.0.9 → 1.0.10





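--- a/data/CHANGELOG.rdoc
+++ b/data/CHANGELOG.rdoc
@@ -1,3 +1,10 @@
+== 1.0.10
+
+* bug fix
+* Use secure compare when comparing passwords
+* Improve email regexp
+* Implement handle_unverified_request for Rails 2.3.11
+
 == 1.0.9
 
 * enhancements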
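--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -36,7 +36,7 @@ Install warden gem if you don't have it installed:
 
 Install devise gem:
 
-gem install devise --version=1.0.8
+gem install devise --version=1.0.9
 
 Configure warden and devise gems inside your app:
 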
@@ -3,13 +3,13 @@ class RegistrationsController < ApplicationController
3
3
  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
4
4
  include Devise::Controllers::InternalHelpers
5
5
 
6
- # GET /resource/sign_in
6
+ # GET /resource/sign_up
7
7
  def new
8
8
  build_resource
9
9
  render_with_scope :new
10
10
  end
11
11
 
12
- # POST /resource/sign_up
12
+ # POST /resource
13
13
  def create
14
14
  build_resource
15
15
 
@@ -50,4 +50,4 @@ class RegistrationsController < ApplicationController
50
50
  send(:"authenticate_#{resource_name}!")
51
51
  self.resource = send(:"current_#{resource_name}").dup
52
52
  end
53
- end
53
+ end
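--- a/data/lib/devise.rb
+++ b/data/lib/devise.rb
@@ -210,6 +210,17 @@ module Devise
 ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
 end
 
+# constant-time comparison algorithm to prevent timing attacks
+def secure_compare(a, b)
+return false unless a.present? && b.present?
+return false unless a.bytesize == b.bytesize
+l = a.unpack "C#{a.bytesize}"
+
+res = 0
+b.each_byte { |byte| res |= byte ^ l.shift }
+res == 0
+end
+
 # Make Devise aware of an 3rd party Devise-module. For convenience.
 #
 # == Options: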
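Review bot: The header comment above `secure_compare` overstates the guarantee: the two `return false unless` lines exit early on blank input and on a bytesize mismatch, so timing only becomes input-independent once both strings are present and equal in length. That is adequate for the fixed-length digests `valid_password?` feeds it, but the method is public on `Devise`, and a caller comparing variable-length secrets would get a length oracle without any hint from the documentation. I would replace the one-line comment with a short YARD block stating the contract, e.g. `# Compares two strings in constant time once both are non-blank and of equal bytesize; returns false early otherwise, so the length of a secret is not hidden. Intended for fixed-length digests.` The enclosing `module Devise` starts and ends outside the hunk.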
@@ -163,6 +163,20 @@ module Devise
163
163
  redirect_to after_sign_out_path_for(scope)
164
164
  end
165
165
 
166
+ # Sign out all active users or scopes. This helper is useful for signing out all roles
167
+ # in one click. This signs out ALL scopes in warden.
168
+ def sign_out_all_scopes
169
+ Devise.mappings.keys.each { |s| warden.user(s) }
170
+ warden.raw_session.inspect
171
+ warden.logout
172
+ end
173
+
174
+ # Override Rails' handle unverified request to sign out all scopes.
175
+ def handle_unverified_request
176
+ sign_out_all_scopes
177
+ super # call the default behaviour which resets the session
178
+ end
179
+
166
180
  # Define authentication filters and accessor helpers based on mappings.
167
181
  # These filters should be used inside the controllers as before_filters,
168
182
  # so you can control the scope of the user who should be signed in to
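Review bot: The first two lines of `sign_out_all_scopes` have no visible effect and will read as dead code to the next maintainer: `Devise.mappings.keys.each { |s| warden.user(s) }` discards its results, and `warden.raw_session.inspect` discards the inspected string. Presumably the first fetches each scope's user so the per-record `before_logout` callbacks (the remember-cookie removal elsewhere in this release) run when `warden.logout` is later called with no scope, and the second forces a lazily-loaded session to materialise before it is cleared, but neither is confirmable from the hunk. Each deserves a why-comment, e.g. `# Fetch every scope's user so before_logout callbacks fire for each record on logout` and `# Touch the raw session so a lazy session is loaded before warden.logout clears it`. In `handle_unverified_request`, `super` assumes the Rails 2.3.11 default exists (the CHANGELOG ties the method to that version); the enclosing module starts and ends outside the hunk.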
@@ -24,9 +24,10 @@ end
24
24
  # won't be remembered again.
25
25
  # Notice that we forget the user if the record is frozen. This usually means the
26
26
  # user was just deleted.
27
- Warden::Manager.before_logout do |record, warden, scope|
27
+ Warden::Manager.before_logout do |record, warden, options|
28
+ scope = options[:scope]
28
29
  if record.respond_to?(:forget_me!)
29
30
  record.forget_me! unless record.frozen?
30
- warden.response.delete_cookie "remember_#{scope}_token"
31
+ warden.response.delete_cookie "remember_#{scope}_token", :path => "/"
31
32
  end
32
33
  end
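Review bot: The `scope = options[:scope]` extraction on the renamed block parameter assumes Warden now yields an options hash as the third argument; with an older Warden that yields the scope symbol directly, `scope` would be wrong or the call would raise, and the remember cookie would be left in the browser after logout. The gemspec's warden requirement is not part of the visible diff, so I cannot tell whether it was raised alongside this change; either it should be, or the block should tolerate both shapes, e.g. `scope = options.is_a?(Hash) ? options[:scope] : options`. Adding `:path => "/"` to `delete_cookie` only removes the cookie if it was set with the same path, which this hunk does not show; the integration test in this release asserting `cookies['remember_user_token']` is empty is the only evidence the paths agree.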
@@ -55,7 +55,7 @@ module Devise
55
55
 
56
56
  # Verifies whether an incoming_password (ie from sign in) is the user password.
57
57
  def valid_password?(incoming_password)
58
- password_digest(incoming_password) == self.encrypted_password
58
+ Devise.secure_compare(password_digest(incoming_password), self.encrypted_password)
59
59
  end
60
60
 
61
61
  # Checks if a resource is valid upon authentication.
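Review bot: `valid_password?` now depends on `Devise.secure_compare` returning false when `self.encrypted_password` is blank (a record with no password set) instead of on plain `==`, and that fail-closed behaviour is not stated anywhere near this call; a comment pinning it would keep a later refactor of `secure_compare` from silently changing authentication outcomes. I would extend the comment above the method with `# Compared in constant time; a blank encrypted_password never matches.` It is also worth stating that both operands are presumably fixed-length digests, which is why `secure_compare`'s early exit on unequal bytesize is acceptable here. The enclosing module starts and ends outside the hunk.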
@@ -3,14 +3,16 @@ require 'devise/strategies/http_authenticatable'
3
3
  module Devise
4
4
  module Models
5
5
  # Adds HttpAuthenticatable behavior to your model. It expects that your
6
- # model class responds to authenticate and authentication_keys methods
7
- # (which for example are defined in authenticatable).
6
+ # model class responds to authenticate method
7
+ # (which for example is defined in authenticatable).
8
8
  module HttpAuthenticatable
9
9
  def self.included(base)
10
10
  base.extend ClassMethods
11
11
  end
12
12
 
13
13
  module ClassMethods
14
+ Devise::Models.config(self, :authentication_keys)
15
+
14
16
  # Authenticate an user using http.
15
17
  def authenticate_with_http(username, password)
16
18
  authenticate(authentication_keys.first => username, :password => password)
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "1.0.9".freeze
2
+ VERSION = "1.0.10".freeze
3
3
  end
@@ -67,5 +67,16 @@ class RememberMeTest < ActionController::IntegrationTest
67
67
  get destroy_user_session_path
68
68
  get users_path
69
69
  assert_not warden.authenticated?(:user)
70
+ assert_equal cookies['remember_user_token'], ''
71
+ end
72
+
73
+ test 'cookies are destroyed on unverified requests' do
74
+ swap HomeController, :allow_forgery_protection => true do
75
+ user = create_user_and_remember
76
+ get users_path
77
+ assert warden.authenticated?(:user)
78
+ post root_path, :authenticity_token => 'INVALID'
79
+ assert_not warden.authenticated?(:user)
80
+ end
70
81
  end
71
82
  end
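Review bot: The new test `cookies are destroyed on unverified requests` never inspects a cookie; it only asserts `warden.authenticated?(:user)` becomes false after `post root_path, :authenticity_token => 'INVALID'`. To cover what its name claims, and the `delete_cookie ... :path => "/"` change in this release, add `assert_equal '', cookies['remember_user_token']` after the final `assert_not`. The `assert_equal cookies['remember_user_token'], ''` added at the top of the hunk also has its arguments reversed — expected value first is the convention, `assert_equal '', cookies['remember_user_token']`, so a failure message reads correctly. The test class starts outside the hunk.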
@@ -1,7 +1,7 @@
1
1
  # Be sure to restart your server when you modify this file
2
2
 
3
3
  # Specifies gem version of Rails to use when vendor/rails is not present
4
- RAILS_GEM_VERSION = '2.3.10' unless defined? RAILS_GEM_VERSION
4
+ RAILS_GEM_VERSION = '2.3.11' unless defined? RAILS_GEM_VERSION
5
5
  DEVISE_ORM = :active_record unless defined? DEVISE_ORM
6
6
 
7
7
  # Bootstrap the Rails environment, frameworks, and default configuration
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- hash: 5
4
+ hash: 3
5
5
  prerelease: false
6
6
  segments:
7
7
  - 1
8
8
  - 0
9
- - 9
10
- version: 1.0.9
9
+ - 10
10
+ version: 1.0.10
11
11
  platform: ruby
12
12
  authors:
13
13
  - "Jos\xC3\xA9 Valim"
@@ -16,7 +16,7 @@ autorequire:
16
16
  bindir: bin
17
17
  cert_chain: []
18
18
 
19
- date: 2010-11-26 00:00:00 +01:00
19
+ date: 2011-02-15 00:00:00 +01:00
20
20
  default_executable:
21
21
  dependencies:
22
22
  - !ruby/object:Gem::Dependency
@@ -188,8 +188,8 @@ homepage: http://github.com/plataformatec/devise
188
188
  licenses: []
189
189
 
190
190
  post_install_message:
191
- rdoc_options:
192
- - --charset=UTF-8
191
+ rdoc_options: []
192
+
193
193
  require_paths:
194
194
  - lib
195
195
  required_ruby_version: !ruby/object:Gem::Requirement