devise 3.5.5 → 3.5.6



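--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 27090b1b7af510943f0db50b0e362d06eb17bc4f
-data.tar.gz: c6ccb8c7c4f6b5291dea73624e0a3e1beff05925
+metadata.gz: 170cbeb51f7e3662d509a920d0dd572ab30f1d8d
+data.tar.gz: 4b7d78a8f00a0de1dd1b76c89f6614196a8bcdaa
 SHA512:
-metadata.gz: 7fb6eb7b780edddbd2c495d01a0f9b059ed65c41bfb245d35c71614eb6a693cee76924292214d381ca95ebaffb5c6076ca93fb9d4fb525a311a57224c399304e
-data.tar.gz: 83e870f314f22e6fe46a65b5bfba51d6857915d095e7080b3fdc3d8424fe727280822a1fd0d1aac7c8a1e66fbdeea25d921faee31114e8fea59c9493beb4aab1
+metadata.gz: 28952c389b36c41b41230825f0d24fba90b01a7cb7f9a944e047293338a46f9210e30d456a1e3e3959b813276953ee174887bf1b5511072515be3acd1c65d683
+data.tar.gz: 869c90b6a083ea0e8b60385bc1e1ecbf90469dac0468506b39ca2c96f6545532e3b58ac3310d01bf497c9ec5e8eb66ea7a7ff4715b5c46747edfecf7c332728f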
@@ -1,3 +1,8 @@
1
+ ### 3.5.6 - 2016-01-02
2
+
3
+ * bug fixes
4
+ * Fix type coercion of the rememberable timestamp stored on cookies.
5
+
1
6
  ### 3.5.5 - 2016-22-01
2
7
 
3
8
  * bug fixes
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- devise (3.5.5)
4
+ devise (3.5.6)
5
5
  bcrypt (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -153,7 +153,7 @@ GEM
153
153
  thread_safe (0.3.5)
154
154
  tzinfo (1.2.2)
155
155
  thread_safe (~> 0.1)
156
- warden (1.2.4)
156
+ warden (1.2.6)
157
157
  rack (>= 1.0)
158
158
  webrat (0.7.3)
159
159
  nokogiri (>= 1.2.0)
@@ -49,7 +49,7 @@ GIT
49
49
  PATH
50
50
  remote: ..
51
51
  specs:
52
- devise (3.5.3)
52
+ devise (3.5.6)
53
53
  bcrypt (~> 3.0)
54
54
  orm_adapter (~> 0.1)
55
55
  railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
142
142
  polyglot
143
143
  polyglot (>= 0.3.1)
144
144
  tzinfo (0.3.43)
145
- warden (1.2.4)
145
+ warden (1.2.6)
146
146
  rack (>= 1.0)
147
147
  webrat (0.7.3)
148
148
  nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
169
169
  webrat (= 0.7.3)
170
170
 
171
171
  BUNDLED WITH
172
- 1.10.6
172
+ 1.11.2
@@ -1,6 +1,6 @@
1
1
  GIT
2
2
  remote: git://github.com/rails/rails.git
3
- revision: 7ec9c9635bf4d57009135ed11e89d8bf32306d73
3
+ revision: 9be9597e510d185ca7964d0a05b4ea2a7f2d50d1
4
4
  branch: 4-0-stable
5
5
  specs:
6
6
  actionmailer (4.0.13)
@@ -43,7 +43,7 @@ GIT
43
43
  PATH
44
44
  remote: ..
45
45
  specs:
46
- devise (3.5.3)
46
+ devise (3.5.6)
47
47
  bcrypt (~> 3.0)
48
48
  orm_adapter (~> 0.1)
49
49
  railties (>= 3.2.6, < 5)
@@ -54,24 +54,24 @@ PATH
54
54
  GEM
55
55
  remote: https://rubygems.org/
56
56
  specs:
57
- activerecord-deprecated_finders (1.0.3)
57
+ activerecord-deprecated_finders (1.0.4)
58
58
  arel (4.0.2)
59
59
  bcrypt (3.1.10)
60
- bson (2.3.0)
60
+ bson (3.2.6)
61
61
  builder (3.1.4)
62
- connection_pool (2.1.3)
62
+ concurrent-ruby (1.0.0)
63
+ connection_pool (2.2.0)
63
64
  erubis (2.7.0)
64
- faraday (0.9.1)
65
+ faraday (0.9.2)
65
66
  multipart-post (>= 1.2, < 3)
66
- hashie (3.4.0)
67
- hike (1.2.3)
67
+ hashie (3.4.3)
68
68
  i18n (0.7.0)
69
- jwt (1.4.1)
69
+ jwt (1.5.2)
70
70
  mail (2.6.3)
71
71
  mime-types (>= 1.16, < 3)
72
72
  metaclass (0.0.4)
73
- mime-types (2.4.3)
74
- mini_portile (0.6.2)
73
+ mime-types (2.99)
74
+ mini_portile2 (2.0.0)
75
75
  minitest (4.7.5)
76
76
  mocha (1.1.0)
77
77
  metaclass (~> 0.0.1)
@@ -80,15 +80,15 @@ GEM
80
80
  moped (~> 2.0.0)
81
81
  origin (~> 2.1)
82
82
  tzinfo (>= 0.3.37)
83
- moped (2.0.4)
84
- bson (~> 2.2)
83
+ moped (2.0.7)
84
+ bson (~> 3.0)
85
85
  connection_pool (~> 2.0)
86
86
  optionable (~> 0.2.0)
87
- multi_json (1.11.0)
87
+ multi_json (1.11.2)
88
88
  multi_xml (0.5.5)
89
89
  multipart-post (2.0.0)
90
- nokogiri (1.6.6.2)
91
- mini_portile (~> 0.6.0)
90
+ nokogiri (1.6.7.2)
91
+ mini_portile2 (~> 2.0.0.rc2)
92
92
  oauth2 (0.9.4)
93
93
  faraday (>= 0.8, < 0.10)
94
94
  jwt (~> 1.0)
@@ -109,34 +109,31 @@ GEM
109
109
  omniauth (~> 1.0)
110
110
  rack-openid (~> 1.3.1)
111
111
  optionable (0.2.0)
112
- origin (2.1.1)
112
+ origin (2.2.0)
113
113
  orm_adapter (0.5.0)
114
- rack (1.5.2)
114
+ rack (1.5.5)
115
115
  rack-openid (1.3.1)
116
116
  rack (>= 1.1.0)
117
117
  ruby-openid (>= 2.1.8)
118
118
  rack-test (0.6.3)
119
119
  rack (>= 1.0)
120
- rake (10.4.2)
121
- rdoc (4.2.0)
120
+ rake (10.5.0)
121
+ rdoc (4.2.1)
122
122
  responders (1.1.2)
123
123
  railties (>= 3.2, < 4.2)
124
124
  ruby-openid (2.7.0)
125
- sprockets (2.12.3)
126
- hike (~> 1.2)
127
- multi_json (~> 1.0)
128
- rack (~> 1.0)
129
- tilt (~> 1.1, != 1.3.0)
130
- sprockets-rails (2.2.4)
125
+ sprockets (3.5.2)
126
+ concurrent-ruby (~> 1.0)
127
+ rack (> 1, < 3)
128
+ sprockets-rails (2.3.3)
131
129
  actionpack (>= 3.0)
132
130
  activesupport (>= 3.0)
133
131
  sprockets (>= 2.8, < 4.0)
134
- sqlite3 (1.3.10)
132
+ sqlite3 (1.3.11)
135
133
  thor (0.19.1)
136
134
  thread_safe (0.3.5)
137
- tilt (1.4.1)
138
- tzinfo (0.3.43)
139
- warden (1.2.4)
135
+ tzinfo (0.3.46)
136
+ warden (1.2.6)
140
137
  rack (>= 1.0)
141
138
  webrat (0.7.3)
142
139
  nokogiri (>= 1.2.0)
@@ -163,4 +160,4 @@ DEPENDENCIES
163
160
  webrat (= 0.7.3)
164
161
 
165
162
  BUNDLED WITH
166
- 1.10.6
163
+ 1.11.2
@@ -48,7 +48,7 @@ GIT
48
48
  PATH
49
49
  remote: ..
50
50
  specs:
51
- devise (3.5.3)
51
+ devise (3.5.6)
52
52
  bcrypt (~> 3.0)
53
53
  orm_adapter (~> 0.1)
54
54
  railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
142
142
  tilt (1.4.1)
143
143
  tzinfo (1.2.2)
144
144
  thread_safe (~> 0.1)
145
- warden (1.2.4)
145
+ warden (1.2.6)
146
146
  rack (>= 1.0)
147
147
  webrat (0.7.3)
148
148
  nokogiri (>= 1.2.0)
@@ -169,4 +169,4 @@ DEPENDENCIES
169
169
  webrat (= 0.7.3)
170
170
 
171
171
  BUNDLED WITH
172
- 1.10.6
172
+ 1.11.2
@@ -58,7 +58,7 @@ GIT
58
58
  PATH
59
59
  remote: ..
60
60
  specs:
61
- devise (3.5.3)
61
+ devise (3.5.6)
62
62
  bcrypt (~> 3.0)
63
63
  orm_adapter (~> 0.1)
64
64
  railties (>= 3.2.6, < 5)
@@ -146,8 +146,8 @@ GEM
146
146
  loofah (~> 2.0)
147
147
  rake (10.4.2)
148
148
  rdoc (4.2.0)
149
- responders (2.1.0)
150
- railties (>= 4.2.0, < 5)
149
+ responders (2.1.1)
150
+ railties (>= 4.2.0, < 5.1)
151
151
  ruby-openid (2.7.0)
152
152
  sprockets (2.12.3)
153
153
  hike (~> 1.2)
@@ -164,7 +164,7 @@ GEM
164
164
  tilt (1.4.1)
165
165
  tzinfo (1.2.2)
166
166
  thread_safe (~> 0.1)
167
- warden (1.2.4)
167
+ warden (1.2.6)
168
168
  rack (>= 1.0)
169
169
  webrat (0.7.3)
170
170
  nokogiri (>= 1.2.0)
@@ -191,4 +191,4 @@ DEPENDENCIES
191
191
  webrat (= 0.7.3)
192
192
 
193
193
  BUNDLED WITH
194
- 1.10.6
194
+ 1.11.2
@@ -12,8 +12,8 @@ module Devise
12
12
  def remember_me_is_active?(resource)
13
13
  return false unless resource.respond_to?(:remember_me)
14
14
  scope = Devise::Mapping.find_scope!(resource)
15
- cookie = cookies.signed[remember_key(resource, scope)]
16
- resource.class.serialized_in_cookie?(resource, *cookie)
15
+ _, token, generated_at = cookies.signed[remember_key(resource, scope)]
16
+ resource.remember_me?(token, generated_at)
17
17
  end
18
18
 
19
19
  # Remembers the given resource by setting up a cookie
@@ -101,21 +101,47 @@ module Devise
101
101
  def after_remembered
102
102
  end
103
103
 
104
+ def remember_me?(token, generated_at)
105
+ # TODO: Normalize the JSON type coercion along with the Timeoutable hook
106
+ # in a single place https://github.com/plataformatec/devise/blob/ffe9d6d406e79108cf32a2c6a1d0b3828849c40b/lib/devise/hooks/timeoutable.rb#L14-L18
107
+ if generated_at.is_a?(String)
108
+ generated_at = time_from_json(generated_at)
109
+ end
110
+
111
+ # The token is only valid if:
112
+ # 1. we have a date
113
+ # 2. the current time does not pass the expiry period
114
+ # 3. the record has a remember_created_at date
115
+ # 4. the token date is bigger than the remember_created_at
116
+ # 5. the token matches
117
+ generated_at.is_a?(Time) &&
118
+ (self.class.remember_for.ago < generated_at) &&
119
+ (generated_at > (remember_created_at || Time.now).utc) &&
120
+ Devise.secure_compare(rememberable_value, token)
121
+ end
122
+
123
+ private
124
+
125
+ def time_from_json(value)
126
+ if value =~ /\A\d+\.\d+\Z/
127
+ Time.at(value.to_f)
128
+ else
129
+ Time.parse(value) rescue nil
130
+ end
131
+ end
104
132
 
105
133
  module ClassMethods
106
134
  # Create the cookie key using the record id and remember_token
107
135
  def serialize_into_cookie(record)
108
- [record.to_key, record.rememberable_value, Time.now.utc]
136
+ [record.to_key, record.rememberable_value, Time.now.utc.to_f.to_s]
109
137
  end
110
138
 
111
139
  # Recreate the user based on the stored cookie
112
140
  def serialize_from_cookie(*args)
113
- serialize_from_cookie_with_or_without_record(nil, args)
114
- end
141
+ id, token, generated_at = *args
115
142
 
116
- # Check if the given record is the one serialized in cookie
117
- def serialized_in_cookie?(record, *args)
118
- !!serialize_from_cookie_with_or_without_record(record, args)
143
+ record = to_adapter.get(id)
144
+ record if record && record.remember_me?(token, generated_at)
119
145
  end
120
146
 
121
147
  # Generate a token checking if one does not already exist in the database.
@@ -128,26 +154,6 @@ module Devise
128
154
 
129
155
  private
130
156
 
131
- def serialize_from_cookie_with_or_without_record(record, args)
132
- id, token, generated_at = args
133
-
134
- # The token is only valid if:
135
- # 1. we have a date
136
- # 2. the current time does not pass the expiry period
137
- # 3. there is a record with the given id
138
- # 4. the record has a remember_created_at date
139
- # 5. the token date is bigger than the remember_created_at
140
- # 6. the token matches
141
- if generated_at &&
142
- (self.remember_for.ago < generated_at) &&
143
- (record ||= to_adapter.get(id)) && (id == record.to_key) &&
144
- (generated_at > (record.remember_created_at || Time.now).utc) &&
145
- Devise.secure_compare(record.rememberable_value, token)
146
- record
147
- end
148
- end
149
-
150
-
151
157
  # TODO: extend_remember_period is no longer used
152
158
  Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options, :expire_all_remember_me_on_sign_out)
153
159
  end
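Review bot: The rewritten `serialize_from_cookie` no longer checks `id == record.to_key` after `record = to_adapter.get(id)`, a guard that the removed `serialize_from_cookie_with_or_without_record` did apply; the `Devise.secure_compare` of the token in `remember_me?` still binds the cookie to whichever record the adapter returns, but if that guard was meant to reject adapter key coercion (a cookie id such as `"1abc"` resolving to record 1) it should be restored as `record if record && id == record.to_key && record.remember_me?(token, generated_at)`. In `time_from_json`, `Time.parse(value) rescue nil` is the inline rescue modifier and hides every StandardError rather than just a parse failure, and `\Z` in `/\A\d+\.\d+\Z/` also matches before a trailing newline; a `begin`/`rescue ArgumentError` form and `\z` make the intent explicit. The `Time.parse` fallback also relies on `require "time"` having been loaded upstream (Rails does this), which nothing in this file shows. Since `remember_me_is_active?` reads the value from `cookies.signed`, these strings are integrity-protected for that caller, so the points above are defense in depth, assuming the Warden strategy feeds `serialize_from_cookie` from the same signed cookie. The enclosing `module Devise` body starts and ends outside the hunks.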
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.5.5".freeze
2
+ VERSION = "3.5.6".freeze
3
3
  end
@@ -37,7 +37,7 @@ class RememberableTest < ActiveSupport::TestCase
37
37
  id, token, date = User.serialize_into_cookie(user)
38
38
  assert_equal id, user.to_key
39
39
  assert_equal token, user.authenticatable_salt
40
- assert date.is_a?(Time)
40
+ assert date.is_a?(String)
41
41
  end
42
42
 
43
43
  test 'serialize from cookie' do
@@ -46,6 +46,18 @@ class RememberableTest < ActiveSupport::TestCase
46
46
  assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc)
47
47
  end
48
48
 
49
+ test 'serialize from cookie should accept a String with the datetime seconds and microseconds' do
50
+ user = create_user
51
+ user.remember_me!
52
+ assert_equal user, User.serialize_from_cookie(user.to_key, user.authenticatable_salt, Time.now.utc.to_f.to_json)
53
+ end
54
+
55
+ test 'serialize from cookie should return nil with invalid datetime' do
56
+ user = create_user
57
+ user.remember_me!
58
+ assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, "2013")
59
+ end
60
+
49
61
  test 'serialize from cookie should return nil if no resource is found' do
50
62
  assert_nil resource_class.serialize_from_cookie([0], "123", Time.now.utc)
51
63
  end
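Review bot: The new String-timestamp tests only exercise a fresh float string and `"2013"`; there is no negative case for a stale float string, so a regression in the `remember_for.ago < generated_at` comparison on the coerced path would go unnoticed — add a case like `assert_nil User.serialize_from_cookie(user.to_key, user.authenticatable_salt, 3.weeks.ago.utc.to_f.to_s)` using a value older than `remember_for`. The "invalid datetime" test may also not hit the `rescue nil` branch: `Time.parse("2013")` can yield a Time in 2013 that then fails the expiry check, so the assertion passes for a different reason than its name claims; a clearly unparsable value such as `"not-a-time"` would pin the parse-failure path. The `RememberableTest` class starts and ends outside the hunks.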
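--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-version: 3.5.5
+version: 3.5.6
 platform: ruby
 authors:
 - José Valim
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-22 00:00:00.000000000 Z
+date: 2016-02-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: warden
@@ -383,7 +383,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.4.5
+rubygems_version: 2.5.1
 signing_key:
 specification_version: 4
 summary: Flexible authentication solution for Rails with Warden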