RubyGems - devise_security_extension - Versions diffs - 0.9.2 → 0.10.0 - Mend

devise_security_extension 0.9.2 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

checksums.yaml +4 -4
data/.gitignore +39 -0
data/.rubocop.yml +38 -0
data/Gemfile +1 -5
data/Gemfile.lock +144 -141
data/README.md +37 -11
data/Rakefile +13 -29
data/app/controllers/devise/paranoid_verification_code_controller.rb +42 -0
data/app/controllers/devise/password_expired_controller.rb +16 -7
data/app/views/devise/paranoid_verification_code/show.html.erb +10 -0
data/config/locales/de.yml +2 -0
data/config/locales/en.yml +6 -4
data/config/locales/it.yml +10 -0
data/devise_security_extension.gemspec +24 -104
data/lib/devise_security_extension.rb +18 -8
data/lib/devise_security_extension/controllers/helpers.rb +39 -6
data/lib/devise_security_extension/hooks/paranoid_verification.rb +5 -0
data/lib/devise_security_extension/hooks/session_limitable.rb +1 -0
data/lib/devise_security_extension/models/paranoid_verification.rb +35 -0
data/lib/devise_security_extension/models/password_archivable.rb +3 -7
data/lib/devise_security_extension/models/password_expirable.rb +9 -5
data/lib/devise_security_extension/patches/confirmations_controller_captcha.rb +3 -1
data/lib/devise_security_extension/patches/confirmations_controller_security_question.rb +3 -1
data/lib/devise_security_extension/patches/passwords_controller_captcha.rb +3 -1
data/lib/devise_security_extension/patches/passwords_controller_security_question.rb +3 -1
data/lib/devise_security_extension/patches/registrations_controller_captcha.rb +5 -3
data/lib/devise_security_extension/patches/sessions_controller_captcha.rb +5 -3
data/lib/devise_security_extension/patches/unlocks_controller_captcha.rb +3 -1
data/lib/devise_security_extension/patches/unlocks_controller_security_question.rb +3 -1
data/lib/devise_security_extension/routes.rb +4 -0
data/lib/devise_security_extension/version.rb +3 -0
data/lib/generators/devise_security_extension/install_generator.rb +16 -33
data/lib/generators/templates/devise_security_extension.rb +38 -0
data/test/dummy/Rakefile +6 -0
data/test/dummy/app/controllers/application_controller.rb +2 -0
data/test/dummy/app/controllers/foos_controller.rb +0 -0
data/test/dummy/app/models/user.rb +2 -1
data/test/dummy/app/views/foos/index.html.erb +0 -0
data/test/dummy/config/application.rb +4 -2
data/test/dummy/config/boot.rb +1 -1
data/test/dummy/config/environments/test.rb +4 -2
data/test/dummy/config/initializers/devise.rb +4 -4
data/test/dummy/config/routes.rb +6 -0
data/test/dummy/config/secrets.yml +3 -0
data/test/dummy/db/migrate/20120508165529_create_tables.rb +4 -4
data/test/dummy/db/migrate/20150402165590_add_verification_columns.rb +11 -0
data/test/dummy/db/migrate/20150407162345_add_verification_attempt_column.rb +9 -0
data/test/test_helper.rb +10 -0
data/test/test_install_generator.rb +16 -0
data/test/test_paranoid_verification.rb +124 -0
data/test/test_password_archivable.rb +35 -21
data/test/test_password_expired_controller.rb +24 -0
metadata +104 -34
data/VERSION +0 -1
data/lib/devise_security_extension/models/security_question.rb +0 -3
data/test/helper.rb +0 -22
data/test/test_devise_security_extension.rb +0 -6

data/lib/devise_security_extension/hooks/paranoid_verification.rb ADDED

@@ -0,0 +1,5 @@
+Warden::Manager.after_set_user do |record, warden, options|
+  if record.respond_to?(:need_paranoid_verification?)
+    warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?
+  end
+end

data/lib/devise_security_extension/hooks/session_limitable.rb CHANGED

@@ -19,6 +19,7 @@ Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
   if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+      warden.raw_session.clear
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :session_limited
     end

data/lib/devise_security_extension/models/paranoid_verification.rb ADDED

@@ -0,0 +1,35 @@
+require 'devise_security_extension/hooks/paranoid_verification'
+module Devise
+  module Models
+    # PasswordExpirable takes care of change password after
+    module ParanoidVerification
+      extend ActiveSupport::Concern
+      def need_paranoid_verification?
+        !!paranoid_verification_code
+      end
+      def verify_code(code)
+        attempt = paranoid_verification_attempt
+        if (attempt += 1) >= Devise.paranoid_code_regenerate_after_attempt
+          generate_paranoid_code
+        elsif code == paranoid_verification_code
+          attempt = 0
+          update_without_password paranoid_verification_code: nil, paranoid_verified_at: Time.now, paranoid_verification_attempt: attempt
+        else
+          update_without_password paranoid_verification_attempt: attempt
+        end
+      end
+      def paranoid_attempts_remaining
+        Devise.paranoid_code_regenerate_after_attempt - paranoid_verification_attempt
+      end
+      def generate_paranoid_code
+        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(), paranoid_verification_attempt: 0
+      end
+    end
+  end
+end

data/lib/devise_security_extension/models/password_archivable.rb CHANGED

@@ -31,14 +31,13 @@ module Devise
           old_passwords_including_cur_change.each do |old_password|
             dummy                    = self.class.new
             dummy.encrypted_password = old_password.encrypted_password
-            dummy.password_salt      = old_password.password_salt if dummy.respond_to?(:password_salt)
             return true if dummy.valid_password?(self.password)
           end
         end
         false
       end
       def password_changed_to_same?
         pass_change = encrypted_password_change
         pass_change && pass_change.first == pass_change.last
@@ -61,12 +60,9 @@ module Devise
           end
         end
       end
       def old_password_params
-        salt_change = if self.respond_to?(:password_salt_change) and not self.password_salt_change.nil?
-          self.password_salt_change.first
-        end
-        { :encrypted_password => self.encrypted_password_change.first, :password_salt => salt_change }
+        { encrypted_password: self.encrypted_password_change.first }
       end
       module ClassMethods

data/lib/devise_security_extension/models/password_expirable.rb CHANGED

@@ -13,8 +13,8 @@ module Devise
       # is an password change required?
       def need_change_password?
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
-          self.password_changed_at.nil? or self.password_changed_at < self.class.expire_password_after.ago
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
+          self.password_changed_at.nil? or self.password_changed_at < self.expire_password_after.ago
         else
           false
         end
@@ -22,7 +22,7 @@ module Devise
       # set a fake datetime so a password change is needed and save the record
       def need_change_password!
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
           need_change_password
           self.save(:validate => false)
         end
@@ -30,8 +30,8 @@ module Devise
       # set a fake datetime so a password change is needed
       def need_change_password
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
-          self.password_changed_at = self.class.expire_password_after.ago
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
+          self.password_changed_at = self.expire_password_after.ago
         end
         # is date not set it will set default to need set new password next login
@@ -39,6 +39,10 @@ module Devise
         self.password_changed_at
       end
+      def expire_password_after
+        self.class.expire_password_after
+      end
       private

data/lib/devise_security_extension/patches/confirmations_controller_captcha.rb CHANGED

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/confirmations_controller_security_question.rb CHANGED

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha])) or
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])

data/lib/devise_security_extension/patches/passwords_controller_captcha.rb CHANGED

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/passwords_controller_security_question.rb CHANGED

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/registrations_controller_captcha.rb CHANGED

@@ -2,13 +2,15 @@ module DeviseSecurityExtension::Patches
   module RegistrationsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
+      define_method :create do |&block|
         build_resource(sign_up_params)
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           if resource.save
-            yield resource if block_given?
+            block.call(resource) if block
             if resource.active_for_authentication?
               set_flash_message :notice, :signed_up if is_flashing_format?
               sign_up(resource_name, resource)

data/lib/devise_security_extension/patches/sessions_controller_captcha.rb CHANGED

@@ -2,12 +2,14 @@ module DeviseSecurityExtension::Patches
   module SessionsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
-        if valid_captcha? params[:captcha]
+      define_method :create do |&block|
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = warden.authenticate!(auth_options)
           set_flash_message(:notice, :signed_in) if is_flashing_format?
           sign_in(resource_name, resource)
-          yield resource if block_given?
+          block.call(resource) if block
           respond_with resource, :location => after_sign_in_path_for(resource)
         else
           flash[:alert] = t('devise.invalid_captcha') if is_flashing_format?

data/lib/devise_security_extension/patches/unlocks_controller_captcha.rb CHANGED

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/unlocks_controller_security_question.rb CHANGED

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/routes.rb CHANGED

@@ -8,6 +8,10 @@ module ActionDispatch::Routing
       resource :password_expired, :only => [:show, :update], :path => mapping.path_names[:password_expired], :controller => controllers[:password_expired]
     end
+    # route for handle paranoid verification
+    def devise_verification_code(mapping, controllers)
+      resource :paranoid_verification_code, :only => [:show, :update], :path => mapping.path_names[:verification_code], :controller => controllers[:paranoid_verification_code]
+    end
   end
 end

data/lib/devise_security_extension/version.rb ADDED

@@ -0,0 +1,3 @@
+module DeviseSecurityExtension
+  VERSION = "0.10.0".freeze
+end

data/lib/generators/devise_security_extension/install_generator.rb CHANGED

@@ -1,43 +1,26 @@
 module DeviseSecurityExtension
   module Generators
-    # Install Generator
+    # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      source_root File.expand_path("../../templates", __FILE__)
+      LOCALES = %w[ en de it ]
-      desc "Install the devise security extension"
+      source_root File.expand_path('../../templates', __FILE__)
+      desc 'Install the devise security extension'
-      def add_configs
-        inject_into_file "config/initializers/devise.rb", "\n  # ==> Security Extension\n  # Configure security extension for devise\n\n" +
-        "  # Should the password expire (e.g 3.months)\n" +
-        "  # config.expire_password_after = false\n\n" +
-        "  # Need 1 char of A-Z, a-z and 0-9\n" +
-        "  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/\n\n" +
-        "  # How many passwords to keep in archive\n" +
-        "  # config.password_archiving_count = 5\n\n" +
-        "  # Deny old password (true, false, count)\n" +
-        "  # config.deny_old_passwords = true\n\n" +
-        "  # enable email validation for :secure_validatable. (true, false, validation_options)\n" +
-        "  # dependency: need an email validator like rails_email_validator\n" +
-        "  # config.email_validation = true\n\n" +
-        "  # captcha integration for recover form\n" +
-        "  # config.captcha_for_recover = true\n\n" +
-        "  # captcha integration for sign up form\n" +
-        "  # config.captcha_for_sign_up = true\n\n" +
-        "  # captcha integration for sign in form\n" +
-        "  # config.captcha_for_sign_in = true\n\n" +
-        "  # captcha integration for unlock form\n" +
-        "  # config.captcha_for_unlock = true\n\n" +
-        "  # captcha integration for confirmation form\n" +
-        "  # config.captcha_for_confirmation = true\n\n" +
-        "  # Time period for account expiry from last_activity_at\n" +
-        "  # config.expire_after = 90.days\n\n" +
-        "", :before => /end[ |\n|]+\Z/
+      def copy_initializer
+        template('devise_security_extension.rb',
+                 'config/initializers/devise_security_extension.rb',
+        )
       end
-      def copy_locale
-        copy_file "../../../config/locales/en.yml", "config/locales/devise.security_extension.en.yml"
-        copy_file "../../../config/locales/de.yml", "config/locales/devise.security_extension.de.yml"
+      def copy_locales
+        LOCALES.each do |locale|
+          copy_file(
+            "../../../config/locales/#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml",
+          )
+        end
       end
     end
   end
-end
+end

data/lib/generators/templates/devise_security_extension.rb ADDED

@@ -0,0 +1,38 @@
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+  # Deny old password (true, false, count)
+  # config.deny_old_passwords = true
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: need an email validator like rails_email_validator
+  # config.email_validation = true
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end

data/test/dummy/Rakefile ADDED

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+require File.expand_path('../config/application', __FILE__)
+Rails.application.load_tasks

data/test/dummy/app/controllers/application_controller.rb ADDED

	@@ -0,0 +1,2 @@
1	+ class ApplicationController < ActionController::Base
2	+ end

data/test/dummy/app/controllers/foos_controller.rb ADDED

File without changes

data/test/dummy/app/models/user.rb CHANGED

@@ -1,3 +1,4 @@
 class User < ActiveRecord::Base
-  devise :database_authenticatable, :password_archivable
+  devise :database_authenticatable, :password_archivable,
+         :paranoid_verification, :password_expirable
 end

data/test/dummy/app/views/foos/index.html.erb ADDED

File without changes

data/test/dummy/config/application.rb CHANGED

@@ -1,22 +1,24 @@
 require File.expand_path('../boot', __FILE__)
 require 'rails/all'
+require 'devise_security_extension'
 if defined?(Bundler)
   # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test)))
+  Bundler.require(*Rails.groups(assets: %w[development test]))
   # If you want your assets lazily compiled in production, use this line
   # Bundler.require(:default, :assets, Rails.env)
 end
 module RailsApp
   class Application < Rails::Application
-    config.encoding = "utf-8"
+    config.encoding = 'utf-8'
     config.filter_parameters += [:password]
     config.assets.enabled = true
     config.assets.version = '1.0'
+    config.secret_key_base = 'fuuuuuuuuuuu'
   end
 end

data/test/dummy/config/boot.rb CHANGED

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/test/dummy/config/environments/test.rb CHANGED

@@ -2,8 +2,8 @@ RailsApp::Application.configure do
   config.cache_classes = true
   config.eager_load = false
-  config.serve_static_assets = true
-  config.static_cache_control = "public, max-age=3600"
+  config.serve_static_files = true
+  config.static_cache_control = 'public, max-age=3600'
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
@@ -16,4 +16,6 @@ RailsApp::Application.configure do
   config.active_support.deprecation = :stderr
   I18n.enforce_available_locales = false
+  config.active_support.test_order = :sorted
 end

data/test/dummy/config/initializers/devise.rb CHANGED

@@ -1,9 +1,9 @@
 Devise.setup do |config|
-  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
   require 'devise/orm/active_record'
+  config.secret_key = 'f08cf11a38906f531d2dfc9a2c2d671aa0021be806c21255d4'
+  config.case_insensitive_keys = [:email]
-  config.case_insensitive_keys = [ :email ]
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]
 end

data/test/dummy/config/routes.rb ADDED

@@ -0,0 +1,6 @@
+RailsApp::Application.routes.draw do
+  devise_for :users
+  resources :foos
+  root to: 'foos#index'
+end