RubyGems - devise_security_extension - Versions diffs - 0.4.2 → 0.5.0 - Mend

devise_security_extension 0.4.2 → 0.5.0

Files changed (15) hide show

data/Gemfile +2 -2
data/Gemfile.lock +76 -66
data/README.rdoc +3 -4
data/Rakefile +1 -8
data/VERSION +1 -1
data/config/locales/de.yml +2 -0
data/config/locales/en.yml +2 -0
data/devise_security_extension.gemspec +13 -14
data/lib/devise_security_extension.rb +1 -0
data/lib/devise_security_extension/hooks/session_limitable.rb +28 -0
data/lib/devise_security_extension/models/password_archivable.rb +1 -1
data/lib/devise_security_extension/models/session_limitable.rb +21 -0
data/lib/devise_security_extension/schema.rb +19 -0
data/lib/generators/devise_security_extension/install_generator.rb +1 -1
metadata +19 -30

data/Gemfile CHANGED Viewed

@@ -1,7 +1,7 @@
 source "http://rubygems.org"
 # Add dependencies required to use your gem here.
 # Example:
-gem "rails", ">= 3.0.0"
+gem "rails", ">= 3.1.1"
 gem "devise"
 # Add dependencies to develop your gem here.
@@ -11,5 +11,5 @@ group :development do
   gem "easy_captcha"
   gem "bundler", "~> 1.0.0"
   gem "jeweler", "~> 1.5.2"
-  gem "rcov", ">= 0"
+#  gem "rcov", ">= 0"
 end

data/Gemfile.lock CHANGED Viewed

@@ -1,89 +1,100 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    abstract (1.0.0)
-    actionmailer (3.0.7)
-      actionpack (= 3.0.7)
-      mail (~> 2.2.15)
-    actionpack (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-      builder (~> 2.1.2)
-      erubis (~> 2.6.6)
-      i18n (~> 0.5.0)
-      rack (~> 1.2.1)
-      rack-mount (~> 0.6.14)
-      rack-test (~> 0.5.7)
-      tzinfo (~> 0.3.23)
-    activemodel (3.0.7)
-      activesupport (= 3.0.7)
-      builder (~> 2.1.2)
-      i18n (~> 0.5.0)
-    activerecord (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-      arel (~> 2.0.2)
-      tzinfo (~> 0.3.23)
-    activeresource (3.0.7)
-      activemodel (= 3.0.7)
-      activesupport (= 3.0.7)
-    activesupport (3.0.7)
-    arel (2.0.10)
-    bcrypt-ruby (2.1.4)
-    builder (2.1.2)
-    devise (1.3.4)
-      bcrypt-ruby (~> 2.1.2)
+    actionmailer (3.1.3)
+      actionpack (= 3.1.3)
+      mail (~> 2.3.0)
+    actionpack (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.5)
+      rack-cache (~> 1.1)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.3)
+    activemodel (3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+    activesupport (3.1.3)
+      multi_json (~> 1.0)
+    arel (2.2.1)
+    bcrypt-ruby (3.0.1)
+    builder (3.0.0)
+    devise (1.5.1)
+      bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
-      warden (~> 1.0.3)
-    easy_captcha (0.4.1)
+      warden (~> 1.1)
+    easy_captcha (0.4.5)
       rails (>= 3.0.0)
-      rails (>= 3.0.0)
-      rmagick
-      rmagick
-    erubis (2.6.6)
-      abstract (>= 1.0.0)
+    erubis (2.7.0)
     git (1.2.5)
-    i18n (0.5.0)
+    hike (1.2.1)
+    i18n (0.6.0)
     jeweler (1.5.2)
       bundler (~> 1.0.0)
       git (>= 1.2.5)
       rake
-    mail (2.2.19)
-      activesupport (>= 2.3.6)
+    json (1.6.1)
+    mail (2.3.0)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    mime-types (1.16)
+    mime-types (1.17.2)
+    multi_json (1.0.3)
     orm_adapter (0.0.5)
-    polyglot (0.3.1)
-    rack (1.2.3)
-    rack-mount (0.6.14)
+    polyglot (0.3.3)
+    rack (1.3.5)
+    rack-cache (1.1)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
       rack (>= 1.0.0)
-    rack-test (0.5.7)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.0.7)
-      actionmailer (= 3.0.7)
-      actionpack (= 3.0.7)
-      activerecord (= 3.0.7)
-      activeresource (= 3.0.7)
-      activesupport (= 3.0.7)
+    rails (3.1.3)
+      actionmailer (= 3.1.3)
+      actionpack (= 3.1.3)
+      activerecord (= 3.1.3)
+      activeresource (= 3.1.3)
+      activesupport (= 3.1.3)
       bundler (~> 1.0)
-      railties (= 3.0.7)
+      railties (= 3.1.3)
     rails_email_validator (0.1.4)
       activemodel (>= 3.0.0)
-    railties (3.0.7)
-      actionpack (= 3.0.7)
-      activesupport (= 3.0.7)
+    railties (3.1.3)
+      actionpack (= 3.1.3)
+      activesupport (= 3.1.3)
+      rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
-      thor (~> 0.14.4)
-    rake (0.9.2)
-    rcov (0.9.9)
-    rmagick (2.13.1)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rdoc (3.11)
+      json (~> 1.4)
+    sprockets (2.0.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
     thor (0.14.6)
-    treetop (1.4.9)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.27)
-    warden (1.0.4)
+    tzinfo (0.3.31)
+    warden (1.1.0)
       rack (>= 1.0)
 PLATFORMS
@@ -94,6 +105,5 @@ DEPENDENCIES
   devise
   easy_captcha
   jeweler (~> 1.5.2)
-  rails (>= 3.0.0)
+  rails (>= 3.1.1)
   rails_email_validator
-  rcov

data/README.rdoc CHANGED Viewed

@@ -1,13 +1,13 @@
 = devise_security_extension
-an security extension for devise
+An enterprise security extension for devise, trying to meet industrial standard security demands for web applications.
 == Features
 * expire passwords (update password with current password)
 * strong password validation
-* save old passwords for check new passwords
-* captcha support for sign_up, sign_in, recover and unlock
+* save old passwords to protect users from assigning old/expired passwords again
+* captcha support for sign_up, sign_in, recover and unlock (to make automated mass creation and brute forcing of accounts harder)
 == Installation
 add to Gemfile
@@ -117,4 +117,3 @@ That's all!
 Copyright (c) 2011 Marco Scholl. See LICENSE.txt for
 further details.

data/Rakefile CHANGED Viewed

@@ -29,16 +29,9 @@ Rake::TestTask.new(:test) do |test|
   test.verbose = true
 end
-require 'rcov/rcovtask'
-Rcov::RcovTask.new do |test|
-  test.libs << 'test'
-  test.pattern = 'test/**/test_*.rb'
-  test.verbose = true
-end
 task :default => :test
-require 'rake/rdoctask'
+require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
   version = File.exist?('VERSION') ? File.read('VERSION') : ""

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.4.2
1	+ 0.5.0

data/config/locales/de.yml CHANGED Viewed

@@ -8,3 +8,5 @@ de:
     password_expired:
       updated: "Das neue Passwort wurde übernommen."
       change_required: "Ihr Passwort ist abgelaufen. Bitte vergeben sie ein neues Passwort!"
+    failure:
+      session_limited: 'Ihre Anmeldedaten wurden in einem anderen Browser genutzt. Bitte melden Sie sich erneut an, um in diesem Browser fortzufahren.'

data/config/locales/en.yml CHANGED Viewed

@@ -8,3 +8,5 @@ en:
     password_expired:
       updated: "Your new password is saved."
       change_required: "Your password is expired. Please renew your password!"
+    failure:
+      session_limited: 'Your login credentials were used in another browser. Please sign in again to continue in this browser.'

data/devise_security_extension.gemspec CHANGED Viewed

@@ -4,14 +4,14 @@
 # -*- encoding: utf-8 -*-
 Gem::Specification.new do |s|
-  s.name = %q{devise_security_extension}
-  s.version = "0.4.2"
+  s.name = "devise_security_extension"
+  s.version = "0.5.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Marco Scholl"]
-  s.date = %q{2011-06-24}
-  s.description = %q{a gem for extend devise for more password security}
-  s.email = %q{team@phatworx.de}
+  s.date = "2011-12-27"
+  s.description = "a gem for extend devise for more password security"
+  s.email = "team@phatworx.de"
   s.extra_rdoc_files = [
     "LICENSE.txt",
     "README.rdoc"
@@ -32,10 +32,12 @@ Gem::Specification.new do |s|
     "lib/devise_security_extension.rb",
     "lib/devise_security_extension/controllers/helpers.rb",
     "lib/devise_security_extension/hooks/password_expirable.rb",
+    "lib/devise_security_extension/hooks/session_limitable.rb",
     "lib/devise_security_extension/models/old_password.rb",
     "lib/devise_security_extension/models/password_archivable.rb",
     "lib/devise_security_extension/models/password_expirable.rb",
     "lib/devise_security_extension/models/secure_validatable.rb",
+    "lib/devise_security_extension/models/session_limitable.rb",
     "lib/devise_security_extension/orm/active_record.rb",
     "lib/devise_security_extension/patches.rb",
     "lib/devise_security_extension/patches/controller_captcha.rb",
@@ -46,11 +48,11 @@ Gem::Specification.new do |s|
     "test/helper.rb",
     "test/test_devise_security_extension.rb"
   ]
-  s.homepage = %q{http://github.com/phatworx/devise_security_extension}
+  s.homepage = "http://github.com/phatworx/devise_security_extension"
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = %q{1.6.2}
-  s.summary = %q{an security extension for devise}
+  s.rubygems_version = "1.8.10"
+  s.summary = "an security extension for devise"
   s.test_files = [
     "test/helper.rb",
     "test/test_devise_security_extension.rb"
@@ -60,30 +62,27 @@ Gem::Specification.new do |s|
     s.specification_version = 3
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rails>, [">= 3.0.0"])
+      s.add_runtime_dependency(%q<rails>, [">= 3.1.1"])
       s.add_runtime_dependency(%q<devise>, [">= 0"])
       s.add_development_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_development_dependency(%q<easy_captcha>, [">= 0"])
       s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
-      s.add_development_dependency(%q<rcov>, [">= 0"])
     else
-      s.add_dependency(%q<rails>, [">= 3.0.0"])
+      s.add_dependency(%q<rails>, [">= 3.1.1"])
       s.add_dependency(%q<devise>, [">= 0"])
       s.add_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_dependency(%q<easy_captcha>, [">= 0"])
       s.add_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
-      s.add_dependency(%q<rcov>, [">= 0"])
     end
   else
-    s.add_dependency(%q<rails>, [">= 3.0.0"])
+    s.add_dependency(%q<rails>, [">= 3.1.1"])
     s.add_dependency(%q<devise>, [">= 0"])
     s.add_dependency(%q<rails_email_validator>, [">= 0"])
     s.add_dependency(%q<easy_captcha>, [">= 0"])
     s.add_dependency(%q<bundler>, ["~> 1.0.0"])
     s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
-    s.add_dependency(%q<rcov>, [">= 0"])
   end
 end

data/lib/devise_security_extension.rb CHANGED Viewed

@@ -60,6 +60,7 @@ end
 Devise.add_module :password_expirable, :controller => :password_expirable, :model => 'devise_security_extension/models/password_expirable', :route => :password_expired
 Devise.add_module :secure_validatable, :model => 'devise_security_extension/models/secure_validatable'
 Devise.add_module :password_archivable, :model => 'devise_security_extension/models/password_archivable'
+Devise.add_module :session_limitable, :model => 'devise_security_extension/models/session_limitable'
 # requires
 require 'devise_security_extension/routes'

data/lib/devise_security_extension/hooks/session_limitable.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# After each sign in, update unique_session_id.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
+  if record.respond_to?(:update_unique_session_id!) && warden.authenticated?(options[:scope])
+    unique_session_id = Devise.friendly_token
+    warden.session(options[:scope])['unique_session_id'] = unique_session_id
+    record.update_unique_session_id!(unique_session_id)
+  end
+end
+# Each time a record is fetched from session we check if a new session from another
+# browser was opened for the record or not, based on a unique session identifier.
+# If so, the old account is logged out and redirected to the sign in page on the next request.
+Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
+  scope = options[:scope]
+  if warden.authenticated?(scope)
+    unless record.unique_session_id == warden.session(scope)['unique_session_id']
+      path_checker = Devise::PathChecker.new(warden.env, scope)
+      unless path_checker.signing_out?
+        warden.logout(scope)
+        throw :warden, :scope => scope, :message => :session_limited
+      end
+    end
+  end
+end

data/lib/devise_security_extension/models/password_archivable.rb CHANGED Viewed

@@ -18,7 +18,7 @@ module Devise # :nodoc:
       module InstanceMethods # :nodoc:
         def validate_password_archive
-          self.errors.add(:password, :taken_in_past) if password_archive_included?
+          self.errors.add(:password, :taken_in_past) if encrypted_password_changed? and password_archive_included?
         end
         # validate is the password used in the past

data/lib/devise_security_extension/models/session_limitable.rb ADDED Viewed

@@ -0,0 +1,21 @@
+require 'devise_security_extension/hooks/session_limitable'
+module Devise # :nodoc:
+  module Models # :nodoc:
+    # SessionLimited ensures, that there is only one session usable per account at once.
+    # If someone logs in, and some other is logging in with the same credentials,
+    # the session from the first one is invalidated and not usable anymore.
+    # The first one is redirected to the sign page with a message, telling that
+    # someone used his credentials to sign in.
+    module SessionLimitable
+      extend ActiveSupport::Concern
+      def update_unique_session_id!(unique_session_id)
+        self.unique_session_id = unique_session_id
+        save(:validate => false)
+      end
+    end
+  end
+end

data/lib/devise_security_extension/schema.rb CHANGED Viewed

@@ -36,5 +36,24 @@ module DeviseSecurityExtension
       apply_devise_schema :password_archivable_type, String, :null => false
       apply_devise_schema :created_at, DateTime
     end
+    # Add session_limitable columns in the resource's database table.
+    #
+    # Examples
+    #
+    # # For a new resource migration:
+    # create_table :the_resources do |t|
+    #   t.session_limitable
+    # ...
+    # end
+    #
+    # # or if the resource's table already exists, define a migration and put this in:
+    # change_table :the_resources do |t|
+    #   t.string :unique_session_id, :limit => 20
+    # end
+    #
+    def session_limitable
+      apply_devise_schema :unique_session_id, String, :limit => 20
+    end
   end
 end

data/lib/generators/devise_security_extension/install_generator.rb CHANGED Viewed

@@ -12,7 +12,7 @@ module DeviseSecurityExtension
         "  # config.expire_password_after = false\n\n" +
         "  # Need 1 char of A-Z, a-z and 0-9\n" +
         "  # config.password_regex = /(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])/\n\n" +
-        "  # How often save old passwords in archive\n" +
+        "  # How many passwords to keep in archive\n" +
         "  # config.password_archiving_count = 5\n\n" +
         "  # Deny old password (true, false, count)\n" +
         "  # config.deny_old_passwords = true\n\n" +

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_security_extension
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.5.0
   prerelease:
 platform: ruby
 authors:
@@ -9,23 +9,22 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-06-24 00:00:00.000000000 +02:00
-default_executable:
+date: 2011-12-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &14765580 !ruby/object:Gem::Requirement
+  requirement: &8681980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: 3.1.1
   type: :runtime
   prerelease: false
-  version_requirements: *14765580
+  version_requirements: *8681980
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &14764460 !ruby/object:Gem::Requirement
+  requirement: &8706740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -33,10 +32,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *14764460
+  version_requirements: *8706740
 - !ruby/object:Gem::Dependency
   name: rails_email_validator
-  requirement: &14763380 !ruby/object:Gem::Requirement
+  requirement: &8705420 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +43,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *14763380
+  version_requirements: *8705420
 - !ruby/object:Gem::Dependency
   name: easy_captcha
-  requirement: &14762340 !ruby/object:Gem::Requirement
+  requirement: &8703760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *14762340
+  version_requirements: *8703760
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &14760280 !ruby/object:Gem::Requirement
+  requirement: &8721740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -66,10 +65,10 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *14760280
+  version_requirements: *8721740
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &14758080 !ruby/object:Gem::Requirement
+  requirement: &8719720 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -77,18 +76,7 @@ dependencies:
         version: 1.5.2
   type: :development
   prerelease: false
-  version_requirements: *14758080
-- !ruby/object:Gem::Dependency
-  name: rcov
-  requirement: &14757260 !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: *14757260
+  version_requirements: *8719720
 description: a gem for extend devise for more password security
 email: team@phatworx.de
 executables: []
@@ -112,10 +100,12 @@ files:
 - lib/devise_security_extension.rb
 - lib/devise_security_extension/controllers/helpers.rb
 - lib/devise_security_extension/hooks/password_expirable.rb
+- lib/devise_security_extension/hooks/session_limitable.rb
 - lib/devise_security_extension/models/old_password.rb
 - lib/devise_security_extension/models/password_archivable.rb
 - lib/devise_security_extension/models/password_expirable.rb
 - lib/devise_security_extension/models/secure_validatable.rb
+- lib/devise_security_extension/models/session_limitable.rb
 - lib/devise_security_extension/orm/active_record.rb
 - lib/devise_security_extension/patches.rb
 - lib/devise_security_extension/patches/controller_captcha.rb
@@ -125,7 +115,6 @@ files:
 - lib/generators/devise_security_extension/install_generator.rb
 - test/helper.rb
 - test/test_devise_security_extension.rb
-has_rdoc: true
 homepage: http://github.com/phatworx/devise_security_extension
 licenses:
 - MIT
@@ -141,7 +130,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 60670938341967987
+      hash: -1699892809294021618
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -150,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.6.2
+rubygems_version: 1.8.10
 signing_key:
 specification_version: 3
 summary: an security extension for devise