devise_security_extension 0.7.2 → 0.10.0

data/lib/devise_security_extension/models/secure_validatable.rb

@@ -17,17 +17,27 @@ module Devise
         assert_secure_validations_api!(base)
 
         base.class_eval do
+          # validate login in a strict way if not yet validated
+          unless has_uniqueness_validation_of_login?
+            validation_condition = "#{login_attribute}_changed?".to_sym
 
-          # uniq login
-          validates authentication_keys[0], :uniqueness => {:scope => authentication_keys[1..-1], :case_sensitive => (case_insensitive_keys != false)}, :if => :email_changed?
+            validates login_attribute, :uniqueness => {
+                                          :scope          => authentication_keys[1..-1],
+                                          :case_sensitive => !!case_insensitive_keys
+                                        },
+                                        :if => validation_condition
+          end
 
-          # validates email
-          validates :email, :presence => true, :if => :email_required?
-          validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
-          validates :email, :email => email_validation if email_validation # use rails_email_validator or similar
-          
-          # validates password
-          validates :password, :presence => true, :length => password_length, :format => password_regex, :confirmation => true, :if => :password_required?
+          unless devise_validation_enabled?
+            validates :email, :presence => true, :if => :email_required?
+            validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
+
+            validates :password, :presence => true, :length => password_length, :confirmation => true, :if => :password_required?
+          end
+
+          # extra validations
+          validates :email,    :email  => email_validation if email_validation # use rails_email_validator or similar
+          validates :password, :format => { :with => password_regex, :message => :password_format }, :if => :password_required?
 
           # don't allow use same password
           validate :current_equal_password_validation
@@ -62,6 +72,22 @@ module Devise
 
       module ClassMethods
         Devise::Models.config(self, :password_regex, :password_length, :email_validation)
+
+      private
+        def has_uniqueness_validation_of_login?
+          validators.any? do |validator|
+            validator.kind_of?(ActiveRecord::Validations::UniquenessValidator) &&
+              validator.attributes.include?(login_attribute)
+          end
+        end
+
+        def login_attribute
+          authentication_keys[0]
+        end
+
+        def devise_validation_enabled?
+          self.ancestors.map(&:to_s).include? 'Devise::Models::Validatable'
+        end
       end
     end
   end

data/lib/devise_security_extension/models/security_questionable.rb

@@ -3,10 +3,13 @@ module Devise
     # SecurityQuestionable is an accessible add-on for visually handicapped people,
     # to ship around the captcha with screenreader compatibility.
     #
-    # You need to add two text_field_tags to the associated form:
+    # You need to add two text_field_tags to the associated forms (unlock,
+    # password, confirmation):
     # :security_question_answer and :captcha
     #
     # And add the security_question to the register/edit form.
+    # f.select :security_question_id, SecurityQuestion.where(locale: I18n.locale).map{|s| [s.name, s.id]}
+    # f.text_field :security_question_answer
     module SecurityQuestionable
       extend ActiveSupport::Concern
 

data/lib/devise_security_extension/patches/confirmations_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/confirmations_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha])) or
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 

data/lib/devise_security_extension/patches/passwords_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/passwords_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/registrations_controller_captcha.rb

@@ -2,26 +2,29 @@ module DeviseSecurityExtension::Patches
   module RegistrationsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
-        build_resource
+      define_method :create do |&block|
+        build_resource(sign_up_params)
 
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
 
           if resource.save
+            block.call(resource) if block
             if resource.active_for_authentication?
-              set_flash_message :notice, :signed_up if is_navigational_format?
-              sign_in(resource_name, resource)
+              set_flash_message :notice, :signed_up if is_flashing_format?
+              sign_up(resource_name, resource)
               respond_with resource, :location => after_sign_up_path_for(resource)
             else
-              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-              expire_session_data_after_sign_in!
+              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+              expire_data_after_sign_in!
               respond_with resource, :location => after_inactive_sign_up_path_for(resource)
             end
           else
             clean_up_passwords resource
             respond_with resource
           end
-
+          
         else
           resource.errors.add :base, t('devise.invalid_captcha')
           clean_up_passwords resource

data/lib/devise_security_extension/patches/sessions_controller_captcha.rb

@@ -2,14 +2,17 @@ module DeviseSecurityExtension::Patches
   module SessionsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
-        if valid_captcha? params[:captcha]
-          resource = warden.authenticate!(auth_options)
-          set_flash_message(:notice, :signed_in) if is_navigational_format?
+      define_method :create do |&block|
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
+          self.resource = warden.authenticate!(auth_options)
+          set_flash_message(:notice, :signed_in) if is_flashing_format?
           sign_in(resource_name, resource)
+          block.call(resource) if block
           respond_with resource, :location => after_sign_in_path_for(resource)
         else
-          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          flash[:alert] = t('devise.invalid_captcha') if is_flashing_format?
           respond_with({}, :location => new_session_path(resource_name))
         end
       end

data/lib/devise_security_extension/patches/unlocks_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/unlocks_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/routes.rb

@@ -8,6 +8,10 @@ module ActionDispatch::Routing
       resource :password_expired, :only => [:show, :update], :path => mapping.path_names[:password_expired], :controller => controllers[:password_expired]
     end
 
+    # route for handle paranoid verification
+    def devise_verification_code(mapping, controllers)
+      resource :paranoid_verification_code, :only => [:show, :update], :path => mapping.path_names[:verification_code], :controller => controllers[:paranoid_verification_code]
+    end
   end
 end
 

data/lib/devise_security_extension/version.rb

@@ -0,0 +1,3 @@
+module DeviseSecurityExtension
+  VERSION = "0.10.0".freeze
+end

data/lib/devise_security_extension.rb

@@ -1,5 +1,4 @@
-#require 'rails/all'
-require 'active_record/connection_adapters/abstract/schema_definitions'
+require 'active_record'
 require 'active_support/core_ext/integer'
 require 'active_support/ordered_hash'
 require 'active_support/concern'
@@ -15,7 +14,7 @@ module Devise
   mattr_accessor :password_regex
   @@password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
 
-  # How often save old passwords in archive
+  # Number of old passwords in archive
   mattr_accessor :password_archiving_count
   @@password_archiving_count = 5
 
@@ -63,11 +62,19 @@ module Devise
   mattr_accessor :captcha_for_confirmation
   @@captcha_for_confirmation = false
 
+  # captcha integration for confirmation form
+  mattr_accessor :verification_code_generator
+  @@verification_code_generator = -> { SecureRandom.hex[0..4] }
+
   # Time period for account expiry from last_activity_at
   mattr_accessor :expire_after
   @@expire_after = 90.days
   mattr_accessor :delete_expired_after
   @@delete_expired_after = 90.days
+
+  # paranoid_verification will regenerate verifacation code after faild attempt
+  mattr_accessor :paranoid_code_regenerate_after_attempt
+  @@paranoid_code_regenerate_after_attempt = 10
 end
 
 # an security extension for devise
@@ -81,16 +88,19 @@ module DeviseSecurityExtension
 end
 
 # modules
-Devise.add_module :password_expirable, :controller => :password_expirable, :model => 'devise_security_extension/models/password_expirable', :route => :password_expired
-Devise.add_module :secure_validatable, :model => 'devise_security_extension/models/secure_validatable'
-Devise.add_module :password_archivable, :model => 'devise_security_extension/models/password_archivable'
-Devise.add_module :session_limitable, :model => 'devise_security_extension/models/session_limitable'
-Devise.add_module :expirable, :model => 'devise_security_extension/models/expirable'
-Devise.add_module :security_questionable, :model => 'devise_security_extension/models/security_questionable'
+Devise.add_module :password_expirable, controller: :password_expirable, model: 'devise_security_extension/models/password_expirable', route: :password_expired
+Devise.add_module :secure_validatable, model: 'devise_security_extension/models/secure_validatable'
+Devise.add_module :password_archivable, model: 'devise_security_extension/models/password_archivable'
+Devise.add_module :session_limitable, model: 'devise_security_extension/models/session_limitable'
+Devise.add_module :session_non_transferable, model: 'devise_security_extension/models/session_non_transferable'
+Devise.add_module :expirable, model: 'devise_security_extension/models/expirable'
+Devise.add_module :security_questionable, model: 'devise_security_extension/models/security_questionable'
+Devise.add_module :paranoid_verification, controller: :paranoid_verification_code, model: 'devise_security_extension/models/paranoid_verification', route: :verification_code
 
 # requires
 require 'devise_security_extension/routes'
 require 'devise_security_extension/rails'
 require 'devise_security_extension/orm/active_record'
 require 'devise_security_extension/models/old_password'
-require 'devise_security_extension/models/security_question'
+require 'devise_security_extension/models/database_authenticatable_patch'
+require 'devise_security_extension/models/paranoid_verification'

data/lib/generators/devise_security_extension/install_generator.rb

@@ -1,43 +1,26 @@
 module DeviseSecurityExtension
   module Generators
-    # Install Generator
+    # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      source_root File.expand_path("../../templates", __FILE__)
+      LOCALES = %w[ en de it ]
 
-      desc "Install the devise security extension"
+      source_root File.expand_path('../../templates', __FILE__)
+      desc 'Install the devise security extension'
 
-      def add_configs
-        inject_into_file "config/initializers/devise.rb", "\n  # ==> Security Extension\n  # Configure security extension for devise\n\n" +
-        "  # Should the password expire (e.g 3.months)\n" +
-        "  # config.expire_password_after = false\n\n" +
-        "  # Need 1 char of A-Z, a-z and 0-9\n" +
-        "  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/\n\n" +
-        "  # How many passwords to keep in archive\n" +
-        "  # config.password_archiving_count = 5\n\n" +
-        "  # Deny old password (true, false, count)\n" +
-        "  # config.deny_old_passwords = true\n\n" +
-        "  # enable email validation for :secure_validatable. (true, false, validation_options)\n" +
-        "  # dependency: need an email validator like rails_email_validator\n" +
-        "  # config.email_validation = true\n\n" +
-        "  # captcha integration for recover form\n" +
-        "  # config.captcha_for_recover = true\n\n" +
-        "  # captcha integration for sign up form\n" +
-        "  # config.captcha_for_sign_up = true\n\n" +
-        "  # captcha integration for sign in form\n" +
-        "  # config.captcha_for_sign_in = true\n\n" +
-        "  # captcha integration for unlock form\n" +
-        "  # config.captcha_for_unlock = true\n\n" +
-        "  # captcha integration for confirmation form\n" +
-        "  # config.captcha_for_confirmation = true\n\n" +
-        "  # Time period for account expiry from last_activity_at\n" +
-        "  # config.expire_after = 90.days\n\n" +
-        "", :before => /end[ |\n|]+\Z/
+      def copy_initializer
+        template('devise_security_extension.rb',
+                 'config/initializers/devise_security_extension.rb',
+        )
       end
 
-      def copy_locale
-        copy_file "../../../config/locales/en.yml", "config/locales/devise.security_extension.en.yml"
-        copy_file "../../../config/locales/de.yml", "config/locales/devise.security_extension.de.yml"
+      def copy_locales
+        LOCALES.each do |locale|
+          copy_file(
+            "../../../config/locales/#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml",
+          )
+        end
       end
     end
   end
-end
+end

data/lib/generators/templates/devise_security_extension.rb

@@ -0,0 +1,38 @@
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/
+
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+
+  # Deny old password (true, false, count)
+  # config.deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: need an email validator like rails_email_validator
+  # config.email_validation = true
+
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/dummy/app/models/user.rb

@@ -0,0 +1,4 @@
+class User < ActiveRecord::Base
+  devise :database_authenticatable, :password_archivable,
+         :paranoid_verification, :password_expirable
+end

data/test/dummy/config/application.rb

@@ -0,0 +1,24 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+require 'devise_security_extension'
+
+if defined?(Bundler)
+  # If you precompile assets before deploying to production, use this line
+  Bundler.require(*Rails.groups(assets: %w[development test]))
+  # If you want your assets lazily compiled in production, use this line
+  # Bundler.require(:default, :assets, Rails.env)
+end
+
+module RailsApp
+  class Application < Rails::Application
+    config.encoding = 'utf-8'
+
+    config.filter_parameters += [:password]
+
+    config.assets.enabled = true
+
+    config.assets.version = '1.0'
+    config.secret_key_base = 'fuuuuuuuuuuu'
+  end
+end

data/test/dummy/config/boot.rb

@@ -0,0 +1,6 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/test/dummy/config/database.yml

@@ -0,0 +1,7 @@
+development:
+  adapter: sqlite3
+  database: ":memory:"
+
+test:
+  adapter: sqlite3
+  database: ":memory:"

data/test/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+RailsApp::Application.initialize!

data/test/dummy/config/environments/test.rb

@@ -0,0 +1,21 @@
+RailsApp::Application.configure do
+  config.cache_classes = true
+  config.eager_load = false
+
+  config.serve_static_files = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  config.action_dispatch.show_exceptions = false
+
+  config.action_controller.allow_forgery_protection    = false
+
+  config.action_mailer.delivery_method = :test
+
+  config.active_support.deprecation = :stderr
+  I18n.enforce_available_locales = false
+
+  config.active_support.test_order = :sorted
+end

data/test/dummy/config/initializers/devise.rb

@@ -0,0 +1,9 @@
+Devise.setup do |config|
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
+
+  require 'devise/orm/active_record'
+  config.secret_key = 'f08cf11a38906f531d2dfc9a2c2d671aa0021be806c21255d4'
+  config.case_insensitive_keys = [:email]
+
+  config.strip_whitespace_keys = [:email]
+end

data/test/dummy/config/routes.rb

@@ -0,0 +1,6 @@
+RailsApp::Application.routes.draw do
+  devise_for :users
+  resources :foos
+
+  root to: 'foos#index'
+end

data/test/dummy/config/secrets.yml

@@ -0,0 +1,3 @@
+test:
+  secret_token: 'fooooooooooo'
+  secret_key_base: 'fuuuuuuuuuuu'

data/test/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run RailsApp::Application

data/test/dummy/db/migrate/20120508165529_create_tables.rb

@@ -0,0 +1,26 @@
+class CreateTables < ActiveRecord::Migration
+  def self.up
+    create_table :users do |t|
+      t.string :username
+      t.string :facebook_token
+
+      ## Database authenticatable
+      t.string :email,              null: false, default: ''
+      t.string :encrypted_password, null: false, default: ''
+
+      t.datetime :password_changed_at
+      t.timestamps null: false
+    end
+
+    create_table :old_passwords do |t|
+      t.string :encrypted_password
+
+      t.references :password_archivable, polymorphic: true
+    end
+  end
+
+  def self.down
+    drop_table :users
+    drop_table :old_passwords
+  end
+end

data/test/dummy/db/migrate/20150402165590_add_verification_columns.rb

@@ -0,0 +1,11 @@
+class AddVerificationColumns < ActiveRecord::Migration
+  def self.up
+    add_column :users, :paranoid_verification_code, :string
+    add_column :users, :paranoid_verified_at, :datetime
+  end
+
+  def self.down
+    remove_column :users, :paranoid_verification_code
+    remove_column :users, :paranoid_verified_at
+  end
+end

data/test/dummy/db/migrate/20150407162345_add_verification_attempt_column.rb

@@ -0,0 +1,9 @@
+class AddVerificationAttemptColumn < ActiveRecord::Migration
+  def self.up
+    add_column :users, :paranoid_verification_attempt, :integer, default: 0
+  end
+
+  def self.down
+    remove_column :users, :paranoid_verification_attempt
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,10 @@
+ENV['RAILS_ENV'] ||= 'test'
+
+require 'dummy/config/environment'
+require 'minitest/autorun'
+require 'rails/test_help'
+require 'devise_security_extension'
+
+ActiveRecord::Migration.verbose = false
+ActiveRecord::Base.logger = Logger.new(nil)
+ActiveRecord::Migrator.migrate(File.expand_path('../dummy/db/migrate', __FILE__))

data/test/test_install_generator.rb

@@ -0,0 +1,16 @@
+require 'test_helper'
+require 'rails/generators/test_case'
+require 'generators/devise_security_extension/install_generator'
+
+class TestInstallGenerator < Rails::Generators::TestCase
+  tests DeviseSecurityExtension::Generators::InstallGenerator
+  destination File.expand_path('../tmp', __FILE__)
+  setup :prepare_destination
+
+  test 'Assert all files are properly created' do
+    run_generator
+    assert_file 'config/initializers/devise_security_extension.rb'
+    assert_file 'config/locales/devise.security_extension.en.yml'
+    assert_file 'config/locales/devise.security_extension.de.yml'
+  end
+end