devise_security_extension 0.9.2 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 00cd2d3e3598363842cdb94272e7320adcb521a2
-  data.tar.gz: f55d02e76c5a2db00ddce48999d47dc301171d25
+  metadata.gz: 861a1fcbcd16044ea27b948eafcf016c545d1260
+  data.tar.gz: b0282b6fc0a9f73a511acb11c7f37bd2892f0f84
 SHA512:
-  metadata.gz: ed3323e9e97510d049e382f3a4fd9b2e0973cf9bba70e2377b067e32b4e91ce72462b635a07271a5d24144370f699ab0b571af6774e231e60c863faea66bc893
-  data.tar.gz: 9d5ad1d1afea884d3061e60650e346c5698f1a13b62a273167096e8a824dbeecb4d4a87ed24790015a7ab5050497011d2d2447e4e5866cb7af85645a0cbd552c
+  metadata.gz: c2b2c5cd49063826a3ea60490bb25d07632cb7c8adde652ec8a60f109e60a94ef9ac20e6a859fcc5567b087c6507f249e37bb739db7949cad85a9adb9be60048
+  data.tar.gz: f3ca889418be85fff8cd897de27de8f9555e2c21ca4527fe38cc62874a633ccff9110066e81edc0c3b6c6040b83792f6cb786f73a7020dfb939fe80ad847c4f6

data/.gitignore

@@ -0,0 +1,39 @@
+test/rails_app/log/*
+test/rails_app/tmp/*
+*~
+coverage/*
+*.sqlite3
+.bundle
+rdoc/*
+pkg
+
+# Have editor/IDE/OS specific files you need to ignore? Consider using a global gitignore:
+#
+# * Create a file at ~/.gitignore
+# * Include files you want ignored
+# * Run: git config --global core.excludesfile ~/.gitignore
+#
+# After doing this, these files will be ignored in all your git projects,
+# saving you from having to 'pollute' every project you touch with them
+#
+# Not sure what to needs to be ignored for particular editors/OSes? Here's some ideas to get you started. (Remember, remove the leading # of the line)
+#
+# For MacOS:
+#
+#.DS_Store
+#
+# For TextMate
+#*.tmproj
+#tmtags
+#
+# For emacs:
+#*~
+#\#*
+#.\#*
+#
+# For vim:
+#*.swp
+
+log
+test/tmp/*
+*.gem

data/.rubocop.yml

@@ -0,0 +1,38 @@
+AllCops:
+  Include:
+    - '**/Rakefile'
+    - '**/config.ru'
+    - 'lib/tasks/**/*'
+  Exclude:
+    - Gemfile*
+    - 'db/**/*'
+    - 'config/**/*'
+    - 'bin/**/*'
+    - 'vendor/bundle/**/*'
+    - 'spec/support/**/*' # rspec support helpers have a strange api
+  RunRailsCops: true
+
+# We don't care about method length, since we check method cyclomatic
+# complexity.
+Metrics/MethodLength:
+  Enabled: false
+
+# Trailing commas make for clearer diffs because the last line won't appear
+# to have been changed, as it would if it lacked a comma and had one added.
+Style/TrailingComma:
+  EnforcedStyleForMultiline: comma
+
+# Cop supports --auto-correct.
+# Configuration parameters: PreferredDelimiters.
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    # Using `[]` for string arrays instead of `()`, since normal arrays are
+    # indicated with `[]` not `()`.
+    '%w': '[]'
+    '%W': '[]'
+
+Style/AndOr:
+  # Whether `and` and `or` are banned only in conditionals (conditionals)
+  # or completely (always).
+  # They read better, more like normal English.
+  Enabled: false

data/Gemfile

@@ -1,6 +1,2 @@
-source "http://rubygems.org"
+source "https://rubygems.org"
 gemspec
-# Add dependencies required to use your gem here.
-# Example:
-gem "rails", ">= 3.1.1"
-gem "devise", ">= 2.0.0"

data/Gemfile.lock

@@ -1,52 +1,63 @@
 PATH
   remote: .
   specs:
-    devise_security_extension (0.8.4)
-      devise (>= 2.0.0)
-      rails (>= 3.1.1)
+    devise_security_extension (0.10.0)
+      devise (>= 3.0.0, < 4.0)
+      railties (>= 3.2.6, < 5.0)
 
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    actionmailer (4.0.2)
-      actionpack (= 4.0.2)
-      mail (~> 2.5.4)
-    actionpack (4.0.2)
-      activesupport (= 4.0.2)
-      builder (~> 3.1.0)
-      erubis (~> 2.7.0)
-      rack (~> 1.5.2)
+    actionmailer (4.2.5.1)
+      actionpack (= 4.2.5.1)
+      actionview (= 4.2.5.1)
+      activejob (= 4.2.5.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.5.1)
+      actionview (= 4.2.5.1)
+      activesupport (= 4.2.5.1)
+      rack (~> 1.6)
       rack-test (~> 0.6.2)
-    activemodel (4.0.2)
-      activesupport (= 4.0.2)
-      builder (~> 3.1.0)
-    activerecord (4.0.2)
-      activemodel (= 4.0.2)
-      activerecord-deprecated_finders (~> 1.0.2)
-      activesupport (= 4.0.2)
-      arel (~> 4.0.0)
-    activerecord-deprecated_finders (1.0.3)
-    activesupport (4.0.2)
-      i18n (~> 0.6, >= 0.6.4)
-      minitest (~> 4.2)
-      multi_json (~> 1.3)
-      thread_safe (~> 0.1)
-      tzinfo (~> 0.3.37)
-    addressable (2.3.5)
-    arel (4.0.1)
-    atomic (1.1.14)
-    bcrypt-ruby (3.1.2)
-    builder (3.1.4)
-    descendants_tracker (0.0.3)
-    devise (3.2.2)
-      bcrypt-ruby (~> 3.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.5.1)
+      activesupport (= 4.2.5.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.5.1)
+      activesupport (= 4.2.5.1)
+      globalid (>= 0.3.0)
+    activemodel (4.2.5.1)
+      activesupport (= 4.2.5.1)
+      builder (~> 3.1)
+    activerecord (4.2.5.1)
+      activemodel (= 4.2.5.1)
+      activesupport (= 4.2.5.1)
+      arel (~> 6.0)
+    activesupport (4.2.5.1)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    arel (6.0.3)
+    ast (2.2.0)
+    bcrypt (3.1.10)
+    builder (3.2.2)
+    concurrent-ruby (1.0.0)
+    devise (3.5.6)
+      bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
+      responders
       thread_safe (~> 0.1)
       warden (~> 1.2.3)
     diff-lcs (1.2.5)
-    docile (1.1.2)
-    easy_captcha (0.6.4)
+    docile (1.1.5)
+    easy_captcha (0.6.5)
       bundler (>= 1.1.0)
       rails (>= 3.0.0)
       rmagick (>= 2.13.1)
@@ -54,122 +65,114 @@ GEM
       simplecov (>= 0.3.8)
       yard (>= 0.7.0)
     erubis (2.7.0)
-    faraday (0.9.0)
-      multipart-post (>= 1.2, < 3)
-    git (1.2.6)
-    github_api (0.11.1)
-      addressable (~> 2.3)
-      descendants_tracker (~> 0.0.1)
-      faraday (~> 0.8, < 0.10)
-      hashie (>= 1.2)
-      multi_json (>= 1.7.5, < 2.0)
-      nokogiri (~> 1.6.0)
-      oauth2
-    hashie (2.0.5)
-    highline (1.6.20)
-    hike (1.2.3)
-    i18n (0.6.9)
-    jeweler (2.0.1)
-      builder
-      bundler (>= 1.0)
-      git (>= 1.2.5)
-      github_api
-      highline (>= 1.6.15)
-      nokogiri (>= 1.5.10)
-      rake
-      rdoc
-    json (1.8.1)
-    jwt (0.1.11)
-      multi_json (>= 1.5)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    mime-types (1.25.1)
-    mini_portile (0.5.2)
-    minitest (4.7.5)
-    multi_json (1.8.4)
-    multi_xml (0.5.5)
-    multipart-post (2.0.0)
-    nokogiri (1.6.1)
-      mini_portile (~> 0.5.0)
-    oauth2 (0.9.3)
-      faraday (>= 0.8, < 0.10)
-      jwt (~> 0.1.8)
-      multi_json (~> 1.3)
-      multi_xml (~> 0.5)
-      rack (~> 1.2)
+    globalid (0.3.6)
+      activesupport (>= 4.1.0)
+    i18n (0.7.0)
+    json (1.8.3)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.8.4)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
     orm_adapter (0.5.0)
-    polyglot (0.3.3)
-    rack (1.5.2)
-    rack-test (0.6.2)
+    parser (2.3.0.6)
+      ast (~> 2.2)
+    powerpack (0.1.1)
+    rack (1.6.4)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rails (4.0.2)
-      actionmailer (= 4.0.2)
-      actionpack (= 4.0.2)
-      activerecord (= 4.0.2)
-      activesupport (= 4.0.2)
+    rails (4.2.5.1)
+      actionmailer (= 4.2.5.1)
+      actionpack (= 4.2.5.1)
+      actionview (= 4.2.5.1)
+      activejob (= 4.2.5.1)
+      activemodel (= 4.2.5.1)
+      activerecord (= 4.2.5.1)
+      activesupport (= 4.2.5.1)
       bundler (>= 1.3.0, < 2.0)
-      railties (= 4.0.2)
-      sprockets-rails (~> 2.0.0)
+      railties (= 4.2.5.1)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
     rails_email_validator (0.1.4)
       activemodel (>= 3.0.0)
-    railties (4.0.2)
-      actionpack (= 4.0.2)
-      activesupport (= 4.0.2)
+    railties (4.2.5.1)
+      actionpack (= 4.2.5.1)
+      activesupport (= 4.2.5.1)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (10.1.1)
-    rdoc (4.1.1)
-      json (~> 1.4)
-    rmagick (2.13.2)
-    rspec-core (2.14.7)
-    rspec-expectations (2.14.4)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.14.4)
-    rspec-rails (2.14.1)
-      actionpack (>= 3.0)
-      activemodel (>= 3.0)
-      activesupport (>= 3.0)
-      railties (>= 3.0)
-      rspec-core (~> 2.14.0)
-      rspec-expectations (~> 2.14.0)
-      rspec-mocks (~> 2.14.0)
-    simplecov (0.8.2)
+    rainbow (2.1.0)
+    rake (10.5.0)
+    responders (2.1.1)
+      railties (>= 4.2.0, < 5.1)
+    rmagick (2.15.4)
+    rspec-core (3.4.3)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-rails (3.4.2)
+      actionpack (>= 3.0, < 4.3)
+      activesupport (>= 3.0, < 4.3)
+      railties (>= 3.0, < 4.3)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.1)
+    rubocop (0.37.2)
+      parser (>= 2.3.0.4, < 3.0)
+      powerpack (~> 0.1)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 0.3)
+    ruby-progressbar (1.7.5)
+    simplecov (0.11.2)
       docile (~> 1.1.0)
-      multi_json
-      simplecov-html (~> 0.8.0)
-    simplecov-html (0.8.0)
-    sprockets (2.10.1)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sprockets-rails (2.0.1)
-      actionpack (>= 3.0)
-      activesupport (>= 3.0)
-      sprockets (~> 2.8)
-    sqlite3 (1.3.9)
-    thor (0.18.1)
-    thread_safe (0.1.3)
-      atomic
-    tilt (1.4.1)
-    treetop (1.4.15)
-      polyglot
-      polyglot (>= 0.3.1)
-    tzinfo (0.3.38)
-    warden (1.2.3)
+      json (~> 1.8)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    sprockets (3.5.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.0.3)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    sqlite3 (1.3.11)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    unicode-display_width (0.3.1)
+    warden (1.2.6)
       rack (>= 1.0)
-    yard (0.8.7.3)
+    yard (0.8.7.6)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  bundler (>= 1.0.0)
-  devise (>= 2.0.0)
+  bundler (>= 1.3.0, < 2.0)
   devise_security_extension!
-  easy_captcha
-  jeweler (~> 2.0.1)
-  rails (>= 3.1.1)
-  rails_email_validator
-  sqlite3
+  easy_captcha (~> 0)
+  minitest
+  rails_email_validator (~> 0)
+  rubocop (~> 0)
+  sqlite3 (~> 1.3.10)
+
+BUNDLED WITH
+   1.11.2

data/README.md

@@ -2,7 +2,7 @@
 
 An enterprise security extension for [Devise](https://github.com/plataformatec/devise), trying to meet industrial standard security demands for web applications.
 
-It is composed of 6 addtional Devise modules:
+It is composed of 7 additional Devise modules:
 
 * `:password_expirable` - passwords will expire after a configured time (and will need an update)
 * `:secure_validatable` - better way to validate a model (email, stronger password validation). Don't use with Devise `:validatable` module!
@@ -10,6 +10,7 @@ It is composed of 6 addtional Devise modules:
 * `:session_limitable` - ensures, that there is only one session usable per account at once
 * `:expirable` - expires a user account after x days of inactivity (default 90 days)
 * `:security_questionable` - as accessible substitution for captchas (security question with captcha fallback)
+* `:paranoid_verification` - admin can generate verification code that user needs to fill in otherwise he wont be able to use the application.
 
 Configuration and database schema for each module below.
 
@@ -33,7 +34,8 @@ After you installed Devise Security Extension you need to run the generator:
 rails generate devise_security_extension:install
 ```
 
-The generator will inject the available configuration options into the **existing** Devise initializer and you MUST take a look at it (and all the Devise configuration as well). When you are done, you are ready to add Devise Security Extension modules on top of Devise modules to any of your Devise models:
+The generator adds optional configurations to `config/initializers/devise.rb`. Enable
+the modules you wish to use in the initializer you are ready to add Devise Security Extension modules on top of Devise modules to any of your Devise models:
 
 ```ruby
 devise :password_expirable, :secure_validatable, :password_archivable, :session_limitable, :expirable
@@ -58,7 +60,7 @@ Devise.setup do |config|
   # Need 1 char of A-Z, a-z and 0-9
   # config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
 
-  # How often save old passwords in archive
+  # Number of old passwords in archive
   # config.password_archiving_count = 5
 
   # Deny old password (true, false, count)
@@ -99,7 +101,7 @@ The captcha support depends on [EasyCaptcha](https://github.com/phatworx/easy_ca
 
 ### Installation
 
-1. Add EasyCaptcha to your `Gemfile` with 
+1. Add EasyCaptcha to your `Gemfile` with
 ```ruby
 gem 'easy_captcha'
 ```
@@ -130,7 +132,6 @@ add_index :the_resources, :password_changed_at
 ```ruby
 create_table :old_passwords do |t|
   t.string :encrypted_password, :null => false
-  t.string :password_salt
   t.string :password_archivable_type, :null => false
   t.integer :password_archivable_id, :null => false
   t.datetime :created_at
@@ -159,7 +160,31 @@ add_index :the_resources, :last_activity_at
 add_index :the_resources, :expired_at
 ```
 
+### Paranoid verifiable
+```ruby
+create_table :the_resources do |t|
+  # other devise fields
+
+  t.string   :paranoid_verification_code
+  t.integer  :paranoid_verification_attempt, default: 0
+  t.datetime :paranoid_verified_at
+end
+add_index :the_resources, :paranoid_verification_code
+add_index :the_resources, :paranoid_verified_at
+```
+
+[Documentation for Paranoid Verifiable module]( https://github.com/phatworx/devise_security_extension/wiki/Paranoid-Verification)
+
 ### Security questionable
+
+```ruby
+# app/models/security_question.rb
+class SecurityQuestion < ActiveRecord::Base
+  validates :locale, presence: true
+  validates :name, presence: true, uniqueness: true
+end
+```
+
 ```ruby
 create_table :security_questions do |t|
   t.string :locale, :null => false
@@ -196,7 +221,7 @@ end
 
 * Devise (https://github.com/plataformatec/devise)
 * Rails 3.2 onwards (http://github.com/rails/rails)
-* recommendations: 
+* recommendations:
   * `autocomplete-off` (http://github.com/phatworx/autocomplete-off)
   * `easy_captcha` (http://github.com/phatworx/easy_captcha)
   * `rails_email_validator` (http://github.com/phatworx/rails_email_validator)
@@ -218,10 +243,11 @@ end
 
 ## Maintainers
 
-* Team Phatworx (http://github.com/phatworx)
-* Alexander Dreher (http://github.com/alexdreher)
-* Christoph Chilian (http://github.com/cc-web)
-* Marco Scholl (http://github.com/traxanos)
+* Team Phatworx (https://github.com/phatworx)
+* Alexander Dreher (https://github.com/alexdreher)
+* Christoph Chilian (https://github.com/cc-web)
+* Marco Scholl (https://github.com/traxanos)
+* Thomas Powell (https://github.com/stringsn88keys)
 
 ## Contributing to devise_security_extension
 
@@ -235,4 +261,4 @@ end
 
 ## Copyright
 
-Copyright (c) 2011-2012 Marco Scholl. See LICENSE.txt for further details.
+Copyright (c) 2011-2015 Marco Scholl. See LICENSE.txt for further details.