devise_masquerade 1.1.0 → 1.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69a694e1d79273ade4a016a4dfd62ce952373a9d3ae7d0a9c75172d270213f21
-  data.tar.gz: 6037a5b54a20e17270926a4ba3c75f9cd0b42126afea5ddb5b85463f291fac9a
+  metadata.gz: 23f626ba1c590f1686660a00804eaa5c5139a210fae80e72168a9f0a322e4be8
+  data.tar.gz: ee1641f8fed338ac83be5935b5e374df60fc7eb003919c120b24052528462302
 SHA512:
-  metadata.gz: b252044c3e04dfc33c642e3ac01b6bc534f1edf08a7a45114987f0ad88fcb12fea0fdc4d40571b349e5b7ea8377a4ed7e2b1be77a0d71efa5fd9a8e8d6eee42d
-  data.tar.gz: 00ddb118dc090eba4faf55c97b7bdc8adede4aaeccc2e8f8ebddc4170afeebdae77f26f15a00393987872e7d2fe099cbdeea276657c1cc9ef12ee8bf167c15a3
+  metadata.gz: 49c892cf2302d56d3d3aafb106d4e2eeba92b6c2f256440aa27a428df620bd16f49e89d5666ef6c2083e44fb260c1cb0beef3e575234cf5c6e91bff8f621dc4d
+  data.tar.gz: 357d959e456fa0d10a748f2c15b4cd0f94f8c21e773c970d52715e752dfd29c4d39f1e5f06fb2cbe11c8b4517c9503203954af1674a4a02c89669ffacbacc5c0

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+patreon: oivoodoo

data/.github/workflows/brakeman-analysis.yml

@@ -0,0 +1,44 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+# This section configures the trigger for the workflow. Feel free to customize depending on your convention
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.7'
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

data/.github/workflows/rubocop-analysis.yml

@@ -0,0 +1,39 @@
+name: "Rubocop"
+
+on: push
+
+jobs:
+  rubocop:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # If running on a self-hosted runner, check it meets the requirements
+    # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6
+
+    # This step is not necessary if you add the gem to your Gemfile
+    - name: Install Code Scanning integration
+      run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install
+
+    - name: Install dependencies
+      run: bundle install
+
+    - name: Rubocop run
+      run: |
+        bash -c "
+          bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif
+          [[ $? -ne 2 ]]
+        "
+
+    - name: Upload Sarif output
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: rubocop.sarif

data/.ruby-version

@@ -1 +1 @@
-2.6.0
+2.7.2

data/.travis.yml

@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 2.5.1
   - 2.6.0
+  - 2.7.2
 gemfile:
   - Gemfile
 script: time ./script/travis.sh

data/Gemfile

@@ -36,4 +36,6 @@ group :test do
   gem 'selenium-webdriver'
   gem 'chromedriver-helper'
   gem 'launchy'
+
+  gem "nokogiri", ">= 1.10.8"
 end

data/Gemfile.lock

@@ -52,8 +52,9 @@ GIT
 PATH
   remote: .
   specs:
-    devise_masquerade (1.1.0)
+    devise_masquerade (1.3.3)
       devise (>= 4.7.0)
+      globalid (>= 0.3.6)
       railties (>= 5.2.0)
 
 GEM
@@ -97,7 +98,7 @@ GEM
     archive-zip (0.12.0)
       io-like (~> 0.3.0)
     backports (3.15.0)
-    bcrypt (3.1.13)
+    bcrypt (3.1.16)
     bson (1.12.5)
     bson_ext (1.12.5)
       bson (~> 1.12.5)
@@ -141,7 +142,7 @@ GEM
     cucumber-tag_expressions (1.1.1)
     cucumber-wire (0.0.1)
     database_cleaner (1.0.1)
-    devise (4.7.1)
+    devise (4.7.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -189,7 +190,7 @@ GEM
     listen (3.2.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    loofah (2.3.0)
+    loofah (2.3.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     lumberjack (1.0.13)
@@ -200,13 +201,14 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2019.1009)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
+    mini_portile2 (2.5.0)
     minitest (5.12.2)
     multi_json (1.14.1)
     multi_test (0.1.2)
     nenv (0.3.0)
-    nokogiri (1.10.4)
-      mini_portile2 (~> 2.4.0)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
@@ -219,7 +221,8 @@ GEM
       byebug (~> 11.0)
       pry (~> 0.10)
     public_suffix (4.0.1)
-    rack (2.0.7)
+    racc (1.5.2)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
@@ -238,7 +241,7 @@ GEM
     rb-inotify (0.10.0)
       ffi (~> 1.0)
     regexp_parser (1.6.0)
-    responders (3.0.0)
+    responders (3.0.1)
       actionpack (>= 5.0)
       railties (>= 5.0)
     rubyzip (2.0.0)
@@ -259,8 +262,8 @@ GEM
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    warden (1.2.8)
-      rack (>= 2.0.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     xpath (3.2.0)
       nokogiri (~> 1.8)
     zeitwerk (2.2.0)
@@ -285,6 +288,7 @@ DEPENDENCIES
   guard-cucumber
   guard-rspec (~> 4.7)
   launchy
+  nokogiri (>= 1.10.8)
   pry
   pry-byebug
   rb-fsevent
@@ -300,4 +304,4 @@ DEPENDENCIES
   test-unit
 
 BUNDLED WITH
-   2.0.2
+   2.1.4

data/README.md

@@ -42,7 +42,8 @@ In the model you'll need to add the parameter :masqueradable to the existing com
     devise :invitable, :confirmable, :database_authenticatable, :registerable, :masqueradable
 ```
 
-Add into your application_controller.rb:
+Add into your `application_controller.rb` if you want to have custom way on sign in by using masquerade token otherwise you can still
+use only `masquerade_path` in your view to generate temporary token and link to make `Login As`:
 
 ```ruby
     before_action :masquerade_user!
@@ -178,6 +179,14 @@ in `routes.rb`:
 And check http://localhost:3000/, use for login user1@example.com and
 'password'
 
+## Troubleshooting
+
+Are you working in development mode and wondering why masquerade attempts result in a [Receiving "You are already signed in" flash[:error]](https://github.com/oivoodoo/devise_masquerade/issues/58) message? `Filter chain halted as :require_no_authentication rendered or redirected` showing up in your logfile? Chances are that you need to enable caching:
+
+    rails dev:cache
+
+This is a one-time operation, so you can set it and forget it. Should you ever need to disable caching in development, you can re-run the command as required.
+
 ## Test project
 
     make test

data/app/controllers/devise/masquerades_controller.rb

@@ -1,5 +1,13 @@
 class Devise::MasqueradesController < DeviseController
-  prepend_before_action :authenticate_scope!, :masquerade_authorize!
+  Devise.mappings.each do |name, _|
+    class_eval <<-METHODS, __FILE__, __LINE__ + 1
+      skip_before_action :masquerade_#{name}!, raise: false
+    METHODS
+  end
+  skip_before_action :masquerade!, raise: false
+
+  prepend_before_action :authenticate_scope!, only: :show
+  prepend_before_action :masquerade_authorize!
 
   before_action :save_masquerade_owner_session, only: :show
 
@@ -8,13 +16,16 @@ class Devise::MasqueradesController < DeviseController
   def show
     self.resource = find_resource
 
+    if resource.class != masquerading_resource_class
+      sign_out(send("current_#{masquerading_resource_name}"))
+    end
+
     unless resource
       flash[:error] = "#{masqueraded_resource_class} not found."
       redirect_to(new_user_session_path) and return
     end
 
-    resource.masquerade!
-    request.env["devise.skip_trackable"] = "1"
+    request.env['devise.skip_trackable'] = '1'
 
     masquerade_sign_in(resource)
 
@@ -22,15 +33,13 @@ class Devise::MasqueradesController < DeviseController
   end
 
   def back
-    user_id = session[session_key]
-
-    resource = if user_id.present?
-      masquerading_resource_class.to_adapter.find_first(:id => user_id)
-    else
-      send(:"current_#{masquerading_resource_name}")
+    unless send("#{masqueraded_resource_name}_signed_in?")
+      head(401) and return
     end
 
-    if masquerading_resource_class != masqueraded_resource_class
+    self.resource = find_owner_resource
+
+    if resource.class != masqueraded_resource_class
       sign_out(send("current_#{masqueraded_resource_name}"))
     end
 
@@ -51,7 +60,11 @@ class Devise::MasqueradesController < DeviseController
   end
 
   def find_resource
-    masqueraded_resource_class.to_adapter.find_first(id: params[:id])
+    GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
+  end
+
+  def find_owner_resource
+    GlobalID::Locator.locate_signed(Rails.cache.read(session_key), for: 'masquerade')
   end
 
   def go_back(user, path:)
@@ -69,7 +82,11 @@ class Devise::MasqueradesController < DeviseController
       unless params[:masqueraded_resource_class].blank?
         params[:masqueraded_resource_class].constantize
       else
-        Devise.masqueraded_resource_class || resource_class
+        unless session[session_key_masqueraded_resource_class].blank?
+          session[session_key_masquerading_resource_class].constantize
+        else
+          Devise.masqueraded_resource_class || resource_class
+        end
       end
     end
   end
@@ -83,7 +100,11 @@ class Devise::MasqueradesController < DeviseController
       unless params[:masquerading_resource_class].blank?
         params[:masquerading_resource_class].constantize
       else
-        Devise.masquerading_resource_class || resource_class
+        unless session[session_key_masquerading_resource_class].blank?
+          session[session_key_masquerading_resource_class].constantize
+        else
+          Devise.masquerading_resource_class || resource_class
+        end
       end
     end
   end
@@ -101,19 +122,7 @@ class Devise::MasqueradesController < DeviseController
   end
 
   def after_masquerade_full_path_for(resource)
-    if after_masquerade_path_for(resource) =~ /\?/
-      "#{after_masquerade_path_for(resource)}&#{after_masquerade_param_for(resource)}"
-    else
-      "#{after_masquerade_path_for(resource)}?#{after_masquerade_param_for(resource)}"
-    end
-  end
-
-  def after_masquerade_param_for(resource)
-    [
-      "#{Devise.masquerade_param}=#{resource.masquerade_key}",
-      "masquerading_resource_class=#{masquerading_resource_class}",
-      "masqueraded_resource_class=#{masqueraded_resource_class}",
-    ].join('&')
+    after_masquerade_path_for(resource)
   end
 
   def after_back_masquerade_path_for(resource)
@@ -121,16 +130,33 @@ class Devise::MasqueradesController < DeviseController
   end
 
   def save_masquerade_owner_session
+    resource_gid = send("current_#{masquerading_resource_name}").to_sgid(
+      expires_in: Devise.masquerade_expires_in, for: 'masquerade')
+    # skip sharing owner id via session
+    Rails.cache.write(session_key, resource_gid, expires_in: Devise.masquerade_expires_in)
+
     unless session.key?(session_key)
-      session[session_key] = send("current_#{masquerading_resource_name}").id
+      session[session_key_masquerading_resource_class] = masquerading_resource_class.name
+      session[session_key_masqueraded_resource_class] = masqueraded_resource_class.name
     end
   end
 
   def cleanup_masquerade_owner_session
-    session.delete(session_key)
+    Rails.cache.delete(session_key)
+
+    session.delete(session_key_masqueraded_resource_class)
+    session.delete(session_key_masquerading_resource_class)
   end
 
   def session_key
     "devise_masquerade_#{masqueraded_resource_name}".to_sym
   end
+
+  def session_key_masqueraded_resource_class
+    "devise_masquerade_masqueraded_resource_class"
+  end
+
+  def session_key_masquerading_resource_class
+    "devise_masquerade_masquerading_resource_class"
+  end
 end

data/devise_masquerade.gemspec

@@ -24,4 +24,5 @@ Gem::Specification.new do |gem|
 
   gem.add_runtime_dependency('railties', '>= 5.2.0')
   gem.add_runtime_dependency('devise', '>= 4.7.0')
+  gem.add_runtime_dependency('globalid', '>= 0.3.6')
 end

data/features/step_definitions/url_helpers_steps.rb

@@ -0,0 +1,11 @@
+Then("I should see maquerade url") do
+  page.html.should include('href="/users/masquerade?masquerade=')
+end
+
+When("I am on the users page with extra params") do
+  visit '/extra_params'
+end
+
+Then("I should see maquerade url with extra params") do
+  page.html.should include('href="/users/masquerade?key1=value1&masquerade=')
+end

data/features/url_helpers.feature

@@ -0,0 +1,14 @@
+Feature: Use masquerade path to generate routes on page
+  In order to have the way to render masquerade path
+  As an user
+  I want to be able to see the url and use it
+
+  Scenario: Use masquerade path helper
+    Given I logged in
+    And I have a user for masquerade
+
+    When I am on the users page
+      Then I should see maquerade url
+
+    When I am on the users page with extra params
+      Then I should see maquerade url with extra params

data/lib/devise_masquerade.rb

@@ -10,7 +10,7 @@ module Devise
   @@masquerade_param = 'masquerade'
 
   mattr_accessor :masquerade_expires_in
-  @@masquerade_expires_in = 10.seconds
+  @@masquerade_expires_in = 1.minute
 
   mattr_accessor :masquerade_key_size
   @@masquerade_key_size = 16

data/lib/devise_masquerade/controllers/helpers.rb

@@ -20,7 +20,7 @@ module DeviseMasquerade
             end
             return unless klass
 
-            resource = klass.find_by_masquerade_key(params["#{Devise.masquerade_param}"])
+            resource = GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
 
             if resource
               masquerade_sign_in(resource)
@@ -30,7 +30,7 @@ module DeviseMasquerade
           def masquerade_#{name}!
             return if params["#{Devise.masquerade_param}"].blank?
 
-            resource = ::#{class_name}.find_by_masquerade_key(params["#{Devise.masquerade_param}"])
+            resource = GlobalID::Locator.locate_signed params[Devise.masquerade_param], for: 'masquerade'
 
             if resource
               masquerade_sign_in(resource)
@@ -38,12 +38,12 @@ module DeviseMasquerade
           end
 
           def #{name}_masquerade?
-            session[:"devise_masquerade_#{name}"].present?
+            ::Rails.cache.exist?(:"devise_masquerade_#{name}").present?
           end
 
           def #{name}_masquerade_owner
             return nil unless send(:#{name}_masquerade?)
-            ::#{class_name}.to_adapter.find_first(:id => session[:"devise_masquerade_#{name}"])
+            GlobalID::Locator.locate_signed(::Rails.cache.read(:"devise_masquerade_#{name}"), for: 'masquerade')
           end
 
           private
@@ -53,7 +53,7 @@ module DeviseMasquerade
               if respond_to?(:bypass_sign_in)
                 bypass_sign_in(resource)
               else
-                sign_in(resource, :bypass => true)
+                sign_in(resource, bypass: true)
               end
             else
               sign_in(resource)

data/lib/devise_masquerade/controllers/url_helpers.rb

@@ -1,18 +1,26 @@
+require 'securerandom'
+
 module DeviseMasquerade
   module Controllers
 
     module UrlHelpers
       def masquerade_path(resource, *args)
         scope = Devise::Mapping.find_scope!(resource)
-        opts = args.first || {}
+
+        opts = args.shift || {}
         opts.merge!(masqueraded_resource_class: resource.class.name)
-        send("#{scope}_masquerade_path", resource, opts, *args)
+
+        opts.merge!(Devise.masquerade_param => resource.masquerade_key)
+
+        send("#{scope}_masquerade_index_path", opts, *args)
       end
 
       def back_masquerade_path(resource, *args)
         scope = Devise::Mapping.find_scope!(resource)
+
         opts = args.first || {}
         opts.merge!(masqueraded_resource_class: resource.class.name)
+
         send("back_#{scope}_masquerade_index_path", opts, *args)
       end
     end

data/lib/devise_masquerade/models/masqueradable.rb

@@ -4,35 +4,10 @@ module DeviseMasquerade
       extend ActiveSupport::Concern
 
       included do
-        attr_reader :masquerade_key
-
-        def masquerade!
-          @masquerade_key = SecureRandom.urlsafe_base64(
-            Devise.masquerade_key_size)
-          cache_key = self.class.cache_masquerade_key_by(@masquerade_key)
-          ::Rails.cache.write(
-            cache_key, id, expires_in: Devise.masquerade_expires_in)
+        def masquerade_key
+          to_sgid(expires_in: Devise.masquerade_expires_in, for: 'masquerade')
         end
       end
-
-      module ClassMethods
-        def cache_masquerade_key_by(key)
-          "#{self.name.pluralize.underscore}:#{key}:masquerade"
-        end
-
-        def remove_masquerade_key!(key)
-          ::Rails.cache.delete(cache_masquerade_key_by(key))
-        end
-
-        def find_by_masquerade_key(key)
-          id = ::Rails.cache.read(cache_masquerade_key_by(key))
-
-          # clean up the cached masquerade key value
-          remove_masquerade_key!(key)
-
-          where(id: id).first
-        end
-      end # ClassMethods
     end
   end
 end

data/lib/devise_masquerade/routes.rb

@@ -3,11 +3,12 @@ module DeviseMasquerade
 
     def devise_masquerade(mapping, controllers)
       resources :masquerade,
-        only: :show,
         path: mapping.path_names[:masquerade],
-        controller: controllers[:masquerades] do
+        controller: controllers[:masquerades],
+        only: [] do
 
         collection do
+          get :show
           get :back
         end
       end

data/lib/devise_masquerade/version.rb

@@ -1,3 +1,3 @@
 module DeviseMasquerade
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.3.3'.freeze
 end

data/spec/controllers/admin/dashboard_controller_spec.rb

@@ -8,8 +8,6 @@ describe Admin::DashboardController, type: :controller do
       let!(:mask) { create(:admin_user) }
 
       before do
-        mask.masquerade!
-
         get :index, params: { masquerade: mask.masquerade_key, masqueraded_resource_class: 'Admin::User' }
       end
 

data/spec/controllers/dashboard_controller_spec.rb

@@ -8,8 +8,6 @@ describe DashboardController, type: :controller do
       let!(:mask) { create(:user) }
 
       before do
-        mask.masquerade!
-
         get :index, params: { masquerade: mask.masquerade_key }
       end
 

data/spec/controllers/devise/masquerades_controller_spec.rb

@@ -11,85 +11,89 @@ describe Devise::MasqueradesController, type: :controller do
         let(:mask) { create(:student) }
 
         before do
-          expect(SecureRandom).to receive(:urlsafe_base64) { "secure_key" }
-          get :show, params: { id: mask.to_param, masqueraded_resource_class: mask.class.name }
+          get :show, params: { id: mask.to_param, masqueraded_resource_class: mask.class.name, masquerade: mask.masquerade_key }
         end
 
-        it { expect(session.keys).to include('devise_masquerade_student') }
+        it { expect(Rails.cache.read('devise_masquerade_student')).to be }
 
         it 'should have warden keys defined' do
           expect(session["warden.user.student.key"].first.first).to eq(mask.id)
         end
 
-        it { should redirect_to("/?masquerade=secure_key&masquerading_resource_class=User&masqueraded_resource_class=Student") }
+        it { should redirect_to('/') }
       end
 
       describe '#masquerade user' do
         let(:mask) { create(:user) }
 
         before do
-          expect(SecureRandom).to receive(:urlsafe_base64) { "secure_key" }
-          get :show, params: { id: mask.to_param }
+          get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
         end
 
-        it { expect(session.keys).to include('devise_masquerade_user') }
+        it { expect(Rails.cache.read('devise_masquerade_user')).to be }
         it { expect(session["warden.user.user.key"].first.first).to eq(mask.id) }
-        it { should redirect_to("/?masquerade=secure_key&masquerading_resource_class=User&masqueraded_resource_class=User") }
+        it { should redirect_to('/') }
 
         context 'and back' do
           before { get :back }
 
           it { should redirect_to(masquerade_page) }
           it { expect(current_user.reload).to eq(@user) }
-          it { expect(session.keys).not_to include('devise_masquerade_user') }
+          it { expect(Rails.cache.read('devise_masquerade_user')).not_to be }
         end
+      end
 
-        # Configure masquerade_routes_back setting
-        describe 'config#masquerade_routes_back' do
-          before { Devise.setup { |c| c.masquerade_routes_back = true } }
+      # Configure masquerade_routes_back setting
+      describe 'config#masquerade_routes_back' do
+        let(:mask) { create(:user) }
 
-          after { Devise.masquerade_routes_back = false }
+        before { Devise.setup { |c| c.masquerade_routes_back = true } }
 
-          context 'show' do
-            before { expect(SecureRandom).to receive(:urlsafe_base64) { "secure_key" } }
+        after { Devise.masquerade_routes_back = false }
 
-            context 'with http referrer' do
-              before do
-                @request.env['HTTP_REFERER'] = 'previous_location'
-                get :show, params: { id: mask.to_param }
-              end # before
+        context 'show' do
+          context 'with http referrer' do
+            before do
+              @request.env['HTTP_REFERER'] = 'previous_location'
+              get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
+            end # before
 
-              it { should redirect_to('previous_location') }
-            end # context
+            it { should redirect_to('previous_location') }
+          end # context
 
-            context 'no http referrer' do
-              before do
-                allow_any_instance_of(described_class).to(
-                  receive(:after_masquerade_path_for).and_return("/dashboard?color=red"))
-              end
+          context 'no http referrer' do
+            before do
+              allow_any_instance_of(described_class).to(
+                receive(:after_masquerade_path_for).and_return("/dashboard?color=red"))
+            end
 
-              before { get :show, params: { id: mask.to_param } }
+            before { get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } }
 
-              it { should redirect_to("/dashboard?color=red&masquerade=secure_key&masquerading_resource_class=User&masqueraded_resource_class=User") }
-            end # context
+            it { should redirect_to("/dashboard?color=red") }
           end # context
+        end # context
 
-          context 'and back' do
-            before { get :back }
+        context 'and back' do
+          before do
+            get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
 
-            it { should redirect_to(masquerade_page) }
-          end # context
+            get :back
+          end
 
-          context 'and back fallback if http_referer not present' do
-            before do
-              @request.env['HTTP_REFERER'] = 'previous_location'
-              get :back
-            end
+          it { should redirect_to(masquerade_page) }
+        end # context
 
-            it { should redirect_to('previous_location') }
-          end # context
-        end # describe
-      end
+        context 'and back fallback if http_referer not present' do
+          before do
+            get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
+
+            @request.env['HTTP_REFERER'] = 'previous_location'
+            get :back
+          end
+
+          it { should redirect_to('previous_location') }
+        end # context
+      end # describe
     end
 
     context 'when not logged in' do

data/spec/controllers/masquerades_tests_controller_spec.rb

@@ -13,11 +13,11 @@ describe MasqueradesTestsController, type: :controller do
 
     let(:mask) { create(:user) }
 
-    before { get :show, params: { id: mask.to_param } }
+    before { get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key } }
 
     it { expect(response.status).to eq(403) }
-    it { expect(session.keys).not_to include('devise_masquerade_user') }
-    it { expect(session["warden.user.user.key"].first.first).not_to eq(mask.id) }
+    it { expect(Rails.cache.read('devise_masquerade_user')).not_to be }
+    it { expect(session['warden.user.user.key'].first.first).not_to eq(mask.id) }
   end
 
   context 'access for masquerade' do
@@ -31,12 +31,11 @@ describe MasqueradesTestsController, type: :controller do
     let(:mask) { create(:user) }
 
     before do
-      expect(SecureRandom).to receive(:urlsafe_base64) { "secure_key" }
-      get :show, params: { id: mask.to_param }
+      get :show, params: { id: mask.to_param, masquerade: mask.masquerade_key }
     end
 
     it { expect(response.status).to eq(302) }
-    it { expect(session.keys).to include('devise_masquerade_user') }
-    it { expect(session["warden.user.user.key"].first.first).to eq(mask.id) }
+    it { expect(Rails.cache.read('devise_masquerade_user')).to be }
+    it { expect(session['warden.user.user.key'].first.first).to eq(mask.id) }
   end
 end

data/spec/dummy/app/controllers/dashboard_controller.rb

@@ -4,5 +4,9 @@ class DashboardController < ApplicationController
   def index
     @users = User.where("users.id != ?", current_user.id).all
   end
+
+  def extra_params
+    @users = User.where("users.id != ?", current_user.id).all
+  end
 end
 

data/spec/dummy/app/views/dashboard/extra_params.html.erb

@@ -0,0 +1,7 @@
+<% @users.each do |user| %>
+  <p>
+    <%= user.email %>
+
+    <%= link_to "Login as", masquerade_path(user, key1: 'value1'), class: 'login_as' %>
+  </p>
+<% end %>

data/spec/dummy/app/views/layouts/application.html.erb

@@ -17,7 +17,7 @@
       <% end %>
 
       <% if user_masquerade? %>
-        <%= link_to "Back masquerade", back_masquerade_path(current_user) %>
+        <%= link_to "Back masquerade", back_masquerade_path(User.new) %>
       <% end %>
     <% end %>
 

data/spec/dummy/config/routes.rb

@@ -1,10 +1,12 @@
 Dummy::Application.routes.draw do
-  devise_for :users, controllers: { masquerades: "users/masquerades" }
+  devise_for :users, controllers: { masquerades: 'users/masquerades' }
   devise_for :admin_users, class_name: Admin::User.name
   devise_for :students, class_name: Student.name
 
   root to: 'dashboard#index'
 
+  get '/extra_params', to: 'dashboard#extra_params'
+
   resources :masquerades_tests
   resources :students, only: :index
 

data/spec/models/user_spec.rb

@@ -3,37 +3,10 @@ require 'spec_helper'
 describe User do
   let!(:user) { create(:user) }
 
-  describe '#masquerade!' do
+  describe '#masquerade_key' do
     it 'should cache special key on masquerade' do
-      expect(SecureRandom).to receive(:urlsafe_base64).with(16) { "secure_key" }
-      user.masquerade!
-    end
-  end
-
-  describe '#remove_masquerade_key' do
-    before { allow(SecureRandom).to receive(:urlsafe_base64) { "secure_key" } }
-
-    let(:key) { 'users:secure_key:masquerade' }
-
-    it 'should be possible to remove cached masquerade key' do
-      user.masquerade!
-      expect(Rails.cache.exist?(key)).to eq(true)
-
-      User.remove_masquerade_key!('secure_key')
-      expect(Rails.cache.exist?(key)).to eq(false)
-    end
-  end
-
-  describe '#find_by_masquerade_key' do
-    it 'should be possible to find user by generate masquerade key' do
-      user.masquerade!
-
-      allow(Rails.cache).to receive(:read).with("users:#{user.masquerade_key}:masquerade") { user.id }
-      allow(Rails.cache).to receive(:delete).with("users:#{user.masquerade_key}:masquerade")
-
-      new_user = User.find_by_masquerade_key(user.masquerade_key)
-
-      expect(new_user).to eq(user)
+      expect(user).to receive(:to_sgid).with(expires_in: 1.minute, for: 'masquerade') { "secure_key" }
+      user.masquerade_key
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_masquerade
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.3
 platform: ruby
 authors:
 - Alexandr Korsak
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-22 00:00:00.000000000 Z
+date: 2021-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.7.0
+- !ruby/object:Gem::Dependency
+  name: globalid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.6
 description: devise masquerade library
 email:
 - alex.korsak@gmail.com
@@ -59,6 +73,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/FUNDING.yml"
+- ".github/workflows/brakeman-analysis.yml"
+- ".github/workflows/rubocop-analysis.yml"
 - ".gitignore"
 - ".rspec"
 - ".ruby-version"
@@ -78,7 +95,9 @@ files:
 - features/multiple_masquerading_models.feature
 - features/step_definitions/auth_steps.rb
 - features/step_definitions/back_steps.rb
+- features/step_definitions/url_helpers_steps.rb
 - features/support/env.rb
+- features/url_helpers.feature
 - lib/devise_masquerade.rb
 - lib/devise_masquerade/controllers/helpers.rb
 - lib/devise_masquerade/controllers/url_helpers.rb
@@ -105,6 +124,7 @@ files:
 - spec/dummy/app/models/student.rb
 - spec/dummy/app/models/user.rb
 - spec/dummy/app/views/admin/dashboard/index.html.erb
+- spec/dummy/app/views/dashboard/extra_params.html.erb
 - spec/dummy/app/views/dashboard/index.html.erb
 - spec/dummy/app/views/layouts/application.html.erb
 - spec/dummy/app/views/students/_student.html.erb
@@ -144,7 +164,7 @@ homepage: http://github.com/oivoodoo/devise_masquerade
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -159,8 +179,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: use for login as functionallity on your admin users pages
 test_files:
@@ -168,7 +188,9 @@ test_files:
 - features/multiple_masquerading_models.feature
 - features/step_definitions/auth_steps.rb
 - features/step_definitions/back_steps.rb
+- features/step_definitions/url_helpers_steps.rb
 - features/support/env.rb
+- features/url_helpers.feature
 - spec/controllers/admin/dashboard_controller_spec.rb
 - spec/controllers/dashboard_controller_spec.rb
 - spec/controllers/devise/masquerades_controller_spec.rb
@@ -186,6 +208,7 @@ test_files:
 - spec/dummy/app/models/student.rb
 - spec/dummy/app/models/user.rb
 - spec/dummy/app/views/admin/dashboard/index.html.erb
+- spec/dummy/app/views/dashboard/extra_params.html.erb
 - spec/dummy/app/views/dashboard/index.html.erb
 - spec/dummy/app/views/layouts/application.html.erb
 - spec/dummy/app/views/students/_student.html.erb