devise_security_extension 0.9.2 → 0.10.0

data/lib/devise_security_extension/hooks/paranoid_verification.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_set_user do |record, warden, options|
+  if record.respond_to?(:need_paranoid_verification?)
+    warden.session(options[:scope])['paranoid_verify'] = record.need_paranoid_verification?
+  end
+end

data/lib/devise_security_extension/hooks/session_limitable.rb

@@ -19,6 +19,7 @@ Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
 
   if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
+      warden.raw_session.clear
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :session_limited
     end

data/lib/devise_security_extension/models/paranoid_verification.rb

@@ -0,0 +1,35 @@
+require 'devise_security_extension/hooks/paranoid_verification'
+
+module Devise
+  module Models
+    # PasswordExpirable takes care of change password after
+    module ParanoidVerification
+      extend ActiveSupport::Concern
+
+      def need_paranoid_verification?
+        !!paranoid_verification_code
+      end
+
+      def verify_code(code)
+        attempt = paranoid_verification_attempt
+
+        if (attempt += 1) >= Devise.paranoid_code_regenerate_after_attempt
+          generate_paranoid_code
+        elsif code == paranoid_verification_code
+          attempt = 0
+          update_without_password paranoid_verification_code: nil, paranoid_verified_at: Time.now, paranoid_verification_attempt: attempt
+        else
+          update_without_password paranoid_verification_attempt: attempt
+        end
+      end
+
+      def paranoid_attempts_remaining
+        Devise.paranoid_code_regenerate_after_attempt - paranoid_verification_attempt
+      end
+
+      def generate_paranoid_code
+        update_without_password paranoid_verification_code: Devise.verification_code_generator.call(), paranoid_verification_attempt: 0
+      end
+    end
+  end
+end

data/lib/devise_security_extension/models/password_archivable.rb

@@ -31,14 +31,13 @@ module Devise
           old_passwords_including_cur_change.each do |old_password|
             dummy                    = self.class.new
             dummy.encrypted_password = old_password.encrypted_password
-            dummy.password_salt      = old_password.password_salt if dummy.respond_to?(:password_salt)
             return true if dummy.valid_password?(self.password)
           end
         end
 
         false
       end
-      
+
       def password_changed_to_same?
         pass_change = encrypted_password_change
         pass_change && pass_change.first == pass_change.last
@@ -61,12 +60,9 @@ module Devise
           end
         end
       end
-      
+
       def old_password_params
-        salt_change = if self.respond_to?(:password_salt_change) and not self.password_salt_change.nil?
-          self.password_salt_change.first
-        end
-        { :encrypted_password => self.encrypted_password_change.first, :password_salt => salt_change }
+        { encrypted_password: self.encrypted_password_change.first }
       end
 
       module ClassMethods

data/lib/devise_security_extension/models/password_expirable.rb

@@ -13,8 +13,8 @@ module Devise
 
       # is an password change required?
       def need_change_password?
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
-          self.password_changed_at.nil? or self.password_changed_at < self.class.expire_password_after.ago
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
+          self.password_changed_at.nil? or self.password_changed_at < self.expire_password_after.ago
         else
           false
         end
@@ -22,7 +22,7 @@ module Devise
 
       # set a fake datetime so a password change is needed and save the record
       def need_change_password!
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
           need_change_password
           self.save(:validate => false)
         end
@@ -30,8 +30,8 @@ module Devise
 
       # set a fake datetime so a password change is needed
       def need_change_password
-        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
-          self.password_changed_at = self.class.expire_password_after.ago
+        if self.expire_password_after.is_a? Fixnum or self.expire_password_after.is_a? Float
+          self.password_changed_at = self.expire_password_after.ago
         end
 
         # is date not set it will set default to need set new password next login
@@ -39,6 +39,10 @@ module Devise
 
         self.password_changed_at
       end
+      
+      def expire_password_after
+        self.class.expire_password_after
+      end
 
       private
 

data/lib/devise_security_extension/patches/confirmations_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/confirmations_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha])) or
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 

data/lib/devise_security_extension/patches/passwords_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/passwords_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_reset_password_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/patches/registrations_controller_captcha.rb

@@ -2,13 +2,15 @@ module DeviseSecurityExtension::Patches
   module RegistrationsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
+      define_method :create do |&block|
         build_resource(sign_up_params)
 
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
 
           if resource.save
-            yield resource if block_given?
+            block.call(resource) if block
             if resource.active_for_authentication?
               set_flash_message :notice, :signed_up if is_flashing_format?
               sign_up(resource_name, resource)

data/lib/devise_security_extension/patches/sessions_controller_captcha.rb

@@ -2,12 +2,14 @@ module DeviseSecurityExtension::Patches
   module SessionsControllerCaptcha
     extend ActiveSupport::Concern
     included do
-      define_method :create do
-        if valid_captcha? params[:captcha]
+      define_method :create do |&block|
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = warden.authenticate!(auth_options)
           set_flash_message(:notice, :signed_in) if is_flashing_format?
           sign_in(resource_name, resource)
-          yield resource if block_given?
+          block.call(resource) if block
           respond_with resource, :location => after_sign_in_path_for(resource)
         else
           flash[:alert] = t('devise.invalid_captcha') if is_flashing_format?

data/lib/devise_security_extension/patches/unlocks_controller_captcha.rb

@@ -3,7 +3,9 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        if valid_captcha? params[:captcha]
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)
             respond_with({}, :location => new_session_path(resource_name))

data/lib/devise_security_extension/patches/unlocks_controller_security_question.rb

@@ -6,7 +6,9 @@ module DeviseSecurityExtension::Patches
         # only find via email, not login
         resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
 
-        if valid_captcha? params[:captcha] or
+        if ((defined? verify_recaptcha) && (verify_recaptcha
+        params[:captcha])) or ((defined? valid_captcha?) && (valid_captcha?
+        params[:captcha]))
            (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
           self.resource = resource_class.send_unlock_instructions(params[resource_name])
           if successfully_sent?(resource)

data/lib/devise_security_extension/routes.rb

@@ -8,6 +8,10 @@ module ActionDispatch::Routing
       resource :password_expired, :only => [:show, :update], :path => mapping.path_names[:password_expired], :controller => controllers[:password_expired]
     end
 
+    # route for handle paranoid verification
+    def devise_verification_code(mapping, controllers)
+      resource :paranoid_verification_code, :only => [:show, :update], :path => mapping.path_names[:verification_code], :controller => controllers[:paranoid_verification_code]
+    end
   end
 end
 

data/lib/devise_security_extension/version.rb

@@ -0,0 +1,3 @@
+module DeviseSecurityExtension
+  VERSION = "0.10.0".freeze
+end

data/lib/generators/devise_security_extension/install_generator.rb

@@ -1,43 +1,26 @@
 module DeviseSecurityExtension
   module Generators
-    # Install Generator
+    # Generator for Rails to create or append to a Devise initializer.
     class InstallGenerator < Rails::Generators::Base
-      source_root File.expand_path("../../templates", __FILE__)
+      LOCALES = %w[ en de it ]
 
-      desc "Install the devise security extension"
+      source_root File.expand_path('../../templates', __FILE__)
+      desc 'Install the devise security extension'
 
-      def add_configs
-        inject_into_file "config/initializers/devise.rb", "\n  # ==> Security Extension\n  # Configure security extension for devise\n\n" +
-        "  # Should the password expire (e.g 3.months)\n" +
-        "  # config.expire_password_after = false\n\n" +
-        "  # Need 1 char of A-Z, a-z and 0-9\n" +
-        "  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/\n\n" +
-        "  # How many passwords to keep in archive\n" +
-        "  # config.password_archiving_count = 5\n\n" +
-        "  # Deny old password (true, false, count)\n" +
-        "  # config.deny_old_passwords = true\n\n" +
-        "  # enable email validation for :secure_validatable. (true, false, validation_options)\n" +
-        "  # dependency: need an email validator like rails_email_validator\n" +
-        "  # config.email_validation = true\n\n" +
-        "  # captcha integration for recover form\n" +
-        "  # config.captcha_for_recover = true\n\n" +
-        "  # captcha integration for sign up form\n" +
-        "  # config.captcha_for_sign_up = true\n\n" +
-        "  # captcha integration for sign in form\n" +
-        "  # config.captcha_for_sign_in = true\n\n" +
-        "  # captcha integration for unlock form\n" +
-        "  # config.captcha_for_unlock = true\n\n" +
-        "  # captcha integration for confirmation form\n" +
-        "  # config.captcha_for_confirmation = true\n\n" +
-        "  # Time period for account expiry from last_activity_at\n" +
-        "  # config.expire_after = 90.days\n\n" +
-        "", :before => /end[ |\n|]+\Z/
+      def copy_initializer
+        template('devise_security_extension.rb',
+                 'config/initializers/devise_security_extension.rb',
+        )
       end
 
-      def copy_locale
-        copy_file "../../../config/locales/en.yml", "config/locales/devise.security_extension.en.yml"
-        copy_file "../../../config/locales/de.yml", "config/locales/devise.security_extension.de.yml"
+      def copy_locales
+        LOCALES.each do |locale|
+          copy_file(
+            "../../../config/locales/#{locale}.yml",
+            "config/locales/devise.security_extension.#{locale}.yml",
+          )
+        end
       end
     end
   end
-end
+end

data/lib/generators/templates/devise_security_extension.rb

@@ -0,0 +1,38 @@
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = false
+
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/
+
+  # How many passwords to keep in archive
+  # config.password_archiving_count = 5
+
+  # Deny old password (true, false, count)
+  # config.deny_old_passwords = true
+
+  # enable email validation for :secure_validatable. (true, false, validation_options)
+  # dependency: need an email validator like rails_email_validator
+  # config.email_validation = true
+
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+
+  # captcha integration for confirmation form
+  # config.captcha_for_confirmation = true
+
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/test/dummy/app/models/user.rb

@@ -1,3 +1,4 @@
 class User < ActiveRecord::Base
-  devise :database_authenticatable, :password_archivable
+  devise :database_authenticatable, :password_archivable,
+         :paranoid_verification, :password_expirable
 end

data/test/dummy/config/application.rb

@@ -1,22 +1,24 @@
 require File.expand_path('../boot', __FILE__)
 
 require 'rails/all'
+require 'devise_security_extension'
 
 if defined?(Bundler)
   # If you precompile assets before deploying to production, use this line
-  Bundler.require(*Rails.groups(:assets => %w(development test)))
+  Bundler.require(*Rails.groups(assets: %w[development test]))
   # If you want your assets lazily compiled in production, use this line
   # Bundler.require(:default, :assets, Rails.env)
 end
 
 module RailsApp
   class Application < Rails::Application
-    config.encoding = "utf-8"
+    config.encoding = 'utf-8'
 
     config.filter_parameters += [:password]
 
     config.assets.enabled = true
 
     config.assets.version = '1.0'
+    config.secret_key_base = 'fuuuuuuuuuuu'
   end
 end

data/test/dummy/config/boot.rb

@@ -3,4 +3,4 @@ require 'rubygems'
 # Set up gems listed in the Gemfile.
 ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
 
-require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])
+require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE'])

data/test/dummy/config/environments/test.rb

@@ -2,8 +2,8 @@ RailsApp::Application.configure do
   config.cache_classes = true
   config.eager_load = false
 
-  config.serve_static_assets = true
-  config.static_cache_control = "public, max-age=3600"
+  config.serve_static_files = true
+  config.static_cache_control = 'public, max-age=3600'
 
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
@@ -16,4 +16,6 @@ RailsApp::Application.configure do
 
   config.active_support.deprecation = :stderr
   I18n.enforce_available_locales = false
+
+  config.active_support.test_order = :sorted
 end

data/test/dummy/config/initializers/devise.rb

@@ -1,9 +1,9 @@
 Devise.setup do |config|
-  config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
 
   require 'devise/orm/active_record'
+  config.secret_key = 'f08cf11a38906f531d2dfc9a2c2d671aa0021be806c21255d4'
+  config.case_insensitive_keys = [:email]
 
-  config.case_insensitive_keys = [ :email ]
-
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]
 end

data/test/dummy/config/routes.rb

@@ -0,0 +1,6 @@
+RailsApp::Application.routes.draw do
+  devise_for :users
+  resources :foos
+
+  root to: 'foos#index'
+end