devise_security_extension 0.6.2 → 0.7.0

data/README.rdoc

@@ -5,7 +5,7 @@ An enterprise security extension for devise, trying to meet industrial standard
 == Features
 
 * captcha support for sign_up, sign_in, recover and unlock (to make automated mass creation and brute forcing of accounts harder)
- 
+
 === Model modules
 
 * :password_expirable - passwords will expire after a configured time (and will need an update)
@@ -13,6 +13,7 @@ An enterprise security extension for devise, trying to meet industrial standard
 * :password_archivable - save used passwords in an old_passwords table for history checks (don't be able to use a formerly used password)
 * :session_limitable - ensures, that there is only one session usable per account at once
 * :expirable - expires a user account after x days of inactivity (default 90 days)
+* :security_questionable - as accessible substitution for captchas (security question with captcha fallback)
 
 == Installation
 Add to Gemfile
@@ -22,7 +23,7 @@ after bundle install
   rails g devise_security_extension:install
 
 for :secure_validatable you need to add
-  gem 'rails_email_validator' 
+  gem 'rails_email_validator'
 
 == Configuration
 
@@ -39,23 +40,35 @@ for :secure_validatable you need to add
     # Deny old password (true, false, count)
     # config.deny_old_passwords = true
 
-    # captcha integration for recover form 
+    # captcha integration for recover form
     # config.captcha_for_recover = true
-  
+
     # captcha integration for sign up form
     # config.captcha_for_sign_up = true
-  
+
     # captcha integration for sign in form
     # config.captcha_for_sign_in = true
-  
+
     # captcha integration for unlock form
     # config.captcha_for_unlock = true
 
+    # security_question integration for recover form
+    # this automatically enables captchas (captcha_for_recover, as fallback)
+    # config.security_question_for_recover = false
+
+    # security_question integration for unlock form
+    # this automatically enables captchas (captcha_for_unlock, as fallback)
+    # config.security_question_for_unlock = false
+
+    # security_question integration for confirmation form
+    # this automatically enables captchas (captcha_for_confirmation, as fallback)
+    # config.security_question_for_confirmation = false
+
     # ==> Configuration for :expirable
     # Time period for account expiry from last_activity_at
     config.expire_after = 90.days
   end
-    
+
 == Captcha-Support
 
 === Installation
@@ -112,6 +125,33 @@ That's it!
   add_index :the_resources, :last_activity_at
   add_index :the_resources, :expired_at
 
+=== Security questionable
+
+  create_table :security_questions do |t|
+    t.string :locale, :null => false
+    t.string :name, :null => false
+  end
+
+  SecurityQuestion.create! locale: :de, name: 'Wie lautet der Geburstname Ihrer Mutter?'
+  SecurityQuestion.create! locale: :de, name: 'Wo sind sie geboren?'
+  SecurityQuestion.create! locale: :de, name: 'Wie lautet der Name Ihres ersten Haustieres?'
+  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsfilm?'
+  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsbuch?'
+  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingstier?'
+  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblings-Reiseland?'
+
+  add_column :the_resources, :security_question_id, :integer
+  add_column :the_resources, :security_question_answer, :string
+
+or
+
+  create_table :the_resources do |t|
+    # other devise fields
+
+    t.integer :security_question_id
+    t.string :security_question_answer
+  end
+
 == Requirements
 
 * devise (https://github.com/plataformatec/devise)
@@ -129,6 +169,7 @@ That's it!
 * 0.4 captcha support for sign_up, sign_in, recover and unlock
 * 0.5 session_limitable module
 * 0.6 expirable module
+* 0.7 security questionable module for recover and unlock
 
 == Maintainers
 
@@ -138,7 +179,7 @@ That's it!
 * Christoph Chilian (http://github.com/cc-web)
 
 == Contributing to devise_security_extension
- 
+
 * Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
 * Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
 * Fork the project

data/VERSION

@@ -1 +1 @@
-0.6.2
+0.7.0

data/devise_security_extension.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "devise_security_extension"
-  s.version = "0.6.2"
+  s.version = "0.7.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Marco Scholl", "Alexander Dreher"]
-  s.date = "2012-06-12"
+  s.date = "2012-10-11"
   s.description = "An enterprise security extension for devise, trying to meet industrial standard security demands for web applications."
   s.email = "team@phatworx.de"
   s.extra_rdoc_files = [
@@ -39,14 +39,19 @@ Gem::Specification.new do |s|
     "lib/devise_security_extension/models/password_archivable.rb",
     "lib/devise_security_extension/models/password_expirable.rb",
     "lib/devise_security_extension/models/secure_validatable.rb",
+    "lib/devise_security_extension/models/security_question.rb",
+    "lib/devise_security_extension/models/security_questionable.rb",
     "lib/devise_security_extension/models/session_limitable.rb",
     "lib/devise_security_extension/orm/active_record.rb",
     "lib/devise_security_extension/patches.rb",
     "lib/devise_security_extension/patches/confirmations_controller_captcha.rb",
+    "lib/devise_security_extension/patches/confirmations_controller_security_question.rb",
     "lib/devise_security_extension/patches/passwords_controller_captcha.rb",
+    "lib/devise_security_extension/patches/passwords_controller_security_question.rb",
     "lib/devise_security_extension/patches/registrations_controller_captcha.rb",
     "lib/devise_security_extension/patches/sessions_controller_captcha.rb",
     "lib/devise_security_extension/patches/unlocks_controller_captcha.rb",
+    "lib/devise_security_extension/patches/unlocks_controller_security_question.rb",
     "lib/devise_security_extension/rails.rb",
     "lib/devise_security_extension/routes.rb",
     "lib/devise_security_extension/schema.rb",

data/lib/devise_security_extension.rb

@@ -27,23 +27,38 @@ module Devise
   # dependency: need an email validator like rails_email_validator
   mattr_accessor :email_validation
   @@email_validation = true
-  
+
   # captcha integration for recover form
   mattr_accessor :captcha_for_recover
   @@captcha_for_recover = false
-  
+
   # captcha integration for sign up form
   mattr_accessor :captcha_for_sign_up
   @@captcha_for_sign_up = false
-  
+
   # captcha integration for sign in form
   mattr_accessor :captcha_for_sign_in
   @@captcha_for_sign_in = false
-  
+
   # captcha integration for unlock form
   mattr_accessor :captcha_for_unlock
   @@captcha_for_unlock = false
-  
+
+  # security_question integration for recover form
+  # this automatically enables captchas (captcha_for_recover, as fallback)
+  mattr_accessor :security_question_for_recover
+  @@security_question_for_recover = false
+
+  # security_question integration for unlock form
+  # this automatically enables captchas (captcha_for_unlock, as fallback)
+  mattr_accessor :security_question_for_unlock
+  @@security_question_for_unlock = false
+
+  # security_question integration for confirmation form
+  # this automatically enables captchas (captcha_for_confirmation, as fallback)
+  mattr_accessor :security_question_for_confirmation
+  @@security_question_for_confirmation = false
+
   # captcha integration for confirmation form
   mattr_accessor :captcha_for_confirmation
   @@captcha_for_confirmation = false
@@ -71,9 +86,11 @@ Devise.add_module :secure_validatable, :model => 'devise_security_extension/mode
 Devise.add_module :password_archivable, :model => 'devise_security_extension/models/password_archivable'
 Devise.add_module :session_limitable, :model => 'devise_security_extension/models/session_limitable'
 Devise.add_module :expirable, :model => 'devise_security_extension/models/expirable'
+Devise.add_module :security_questionable, :model => 'devise_security_extension/models/security_questionable'
 
 # requires
 require 'devise_security_extension/routes'
 require 'devise_security_extension/rails'
 require 'devise_security_extension/orm/active_record'
 require 'devise_security_extension/models/old_password'
+require 'devise_security_extension/models/security_question'

data/lib/devise_security_extension/hooks/expirable.rb

@@ -4,7 +4,7 @@
 # expired_at to the past (see Devise::Models::Expirable for this)
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && record.active_for_authentication? && 
-      warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activitiy!)
-    record.update_last_activitiy!
+      warden.authenticated?(options[:scope]) && record.respond_to?(:update_last_activity!)
+    record.update_last_activity!
   end
 end

data/lib/devise_security_extension/models/expirable.rb

@@ -19,7 +19,7 @@ module Devise
       extend ActiveSupport::Concern
 
       # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
-      def update_last_activitiy!
+      def update_last_activity!
         self.last_activity_at = Time.now.utc
         save(:validate => false)
       end

data/lib/devise_security_extension/models/security_question.rb

@@ -0,0 +1,3 @@
+class SecurityQuestion < ActiveRecord::Base
+  attr_accessible :locale, :name
+end

data/lib/devise_security_extension/models/security_questionable.rb

@@ -0,0 +1,15 @@
+module Devise
+  module Models
+    # SecurityQuestionable is an accessible add-on for visually handicapped people,
+    # to ship around the captcha with screenreader compatibility.
+    #
+    # You need to add two text_field_tags to the associated form:
+    # :security_question_answer and :captcha
+    #
+    # And add the security_question to the register/edit form.
+    module SecurityQuestionable
+      extend ActiveSupport::Concern
+
+    end
+  end
+end

data/lib/devise_security_extension/patches.rb

@@ -1,18 +1,26 @@
 module DeviseSecurityExtension
   module Patches
+    autoload :UnlocksControllerSecurityQuestion, 'devise_security_extension/patches/unlocks_controller_security_question'
+    autoload :PasswordsControllerSecurityQuestion, 'devise_security_extension/patches/passwords_controller_security_question'
+    autoload :ConfirmationsControllerSecurityQuestion, 'devise_security_extension/patches/confirmations_controller_security_question'
     autoload :UnlocksControllerCaptcha, 'devise_security_extension/patches/unlocks_controller_captcha'
     autoload :PasswordsControllerCaptcha, 'devise_security_extension/patches/passwords_controller_captcha'
     autoload :SessionsControllerCaptcha, 'devise_security_extension/patches/sessions_controller_captcha'
     autoload :RegistrationsControllerCaptcha, 'devise_security_extension/patches/registrations_controller_captcha'
     autoload :ConfirmationsControllerCaptcha, 'devise_security_extension/patches/confirmations_controller_captcha'
-    
+
     class << self
       def apply
-        Devise::PasswordsController.send(:include, Patches::PasswordsControllerCaptcha) if Devise.captcha_for_recover
-        Devise::UnlocksController.send(:include, Patches::UnlocksControllerCaptcha) if Devise.captcha_for_unlock
+        Devise::PasswordsController.send(:include, Patches::PasswordsControllerCaptcha) if Devise.captcha_for_recover or Devise.security_question_for_recover
+        Devise::UnlocksController.send(:include, Patches::UnlocksControllerCaptcha) if Devise.captcha_for_unlock or Devise.security_question_for_unlock
+        Devise::ConfirmationsController.send(:include, Patches::ConfirmationsControllerCaptcha) if Devise.captcha_for_confirmation
+
+        Devise::PasswordsController.send(:include, Patches::PasswordsControllerSecurityQuestion) if Devise.security_question_for_recover
+        Devise::UnlocksController.send(:include, Patches::UnlocksControllerSecurityQuestion) if Devise.security_question_for_unlock
+        Devise::ConfirmationsController.send(:include, Patches::ConfirmationsControllerSecurityQuestion) if Devise.security_question_for_confirmation
+
         Devise::RegistrationsController.send(:include, Patches::RegistrationsControllerCaptcha) if Devise.captcha_for_sign_up
         Devise::SessionsController.send(:include, Patches::SessionsControllerCaptcha) if Devise.captcha_for_sign_in
-        Devise::ConfirmationsController.send(:include, Patches::ConfirmationsControllerCaptcha) if Devise.captcha_for_confirmation
       end
     end
   end

data/lib/devise_security_extension/patches/confirmations_controller_security_question.rb

@@ -0,0 +1,25 @@
+module DeviseSecurityExtension::Patches
+  module ConfirmationsControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if valid_captcha? params[:captcha] or
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_confirmation_instructions(params[resource_name])
+
+          if successfully_sent?(resource)
+            respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_confirmation_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/passwords_controller_security_question.rb

@@ -0,0 +1,24 @@
+module DeviseSecurityExtension::Patches
+  module PasswordsControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if valid_captcha? params[:captcha] or
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_password_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/unlocks_controller_security_question.rb

@@ -0,0 +1,24 @@
+module DeviseSecurityExtension::Patches
+  module UnlocksControllerSecurityQuestion
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        # only find via email, not login
+        resource = resource_class.find_or_initialize_with_error_by(:email, params[resource_name][:email], :not_found)
+
+        if valid_captcha? params[:captcha] or
+           (resource.security_question_answer.present? and resource.security_question_answer == params[:security_question_answer])
+          self.resource = resource_class.send_unlock_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_security_question') if is_navigational_format?
+          respond_with({}, :location => new_unlock_path(resource_name))
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_security_extension
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
   prerelease: 
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-06-12 00:00:00.000000000 Z
+date: 2012-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -139,14 +139,19 @@ files:
 - lib/devise_security_extension/models/password_archivable.rb
 - lib/devise_security_extension/models/password_expirable.rb
 - lib/devise_security_extension/models/secure_validatable.rb
+- lib/devise_security_extension/models/security_question.rb
+- lib/devise_security_extension/models/security_questionable.rb
 - lib/devise_security_extension/models/session_limitable.rb
 - lib/devise_security_extension/orm/active_record.rb
 - lib/devise_security_extension/patches.rb
 - lib/devise_security_extension/patches/confirmations_controller_captcha.rb
+- lib/devise_security_extension/patches/confirmations_controller_security_question.rb
 - lib/devise_security_extension/patches/passwords_controller_captcha.rb
+- lib/devise_security_extension/patches/passwords_controller_security_question.rb
 - lib/devise_security_extension/patches/registrations_controller_captcha.rb
 - lib/devise_security_extension/patches/sessions_controller_captcha.rb
 - lib/devise_security_extension/patches/unlocks_controller_captcha.rb
+- lib/devise_security_extension/patches/unlocks_controller_security_question.rb
 - lib/devise_security_extension/rails.rb
 - lib/devise_security_extension/routes.rb
 - lib/devise_security_extension/schema.rb
@@ -168,7 +173,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 3787897429771212555
+      hash: -2473272848721880190
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: