RubyGems - devise_security_extension - Versions diffs - 0.7.2 → 0.8.0 - Mend

devise_security_extension 0.7.2 → 0.8.0

Files changed (19) hide show

checksums.yaml +7 -0
data/Gemfile +1 -1
data/Gemfile.lock +120 -88
data/README.md +238 -0
data/VERSION +1 -1
data/app/controllers/devise/password_expired_controller.rb +4 -1
data/config/locales/de.yml +1 -0
data/config/locales/en.yml +1 -0
data/devise_security_extension.gemspec +11 -10
data/lib/devise_security_extension/hooks/session_limitable.rb +2 -2
data/lib/devise_security_extension/models/expirable.rb +1 -2
data/lib/devise_security_extension/models/old_password.rb +0 -2
data/lib/devise_security_extension/models/secure_validatable.rb +35 -9
data/lib/devise_security_extension/models/security_question.rb +1 -1
data/lib/devise_security_extension/models/security_questionable.rb +4 -1
data/lib/devise_security_extension/patches/registrations_controller_captcha.rb +7 -6
data/lib/devise_security_extension/patches/sessions_controller_captcha.rb +4 -3
metadata +24 -41
data/README.rdoc +0 -193

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e458bf8839d5f8355da287f265f4a2285c2c20ef
+  data.tar.gz: 363210e0cc2ae02caaf74f89727557cf971efd7d
+SHA512:
+  metadata.gz: a5dedc51cc6c3625152d3b2836103c5f2d4581322402be436e8aae13dce95818d04c46d9900c1a9a4c3b5a987b140f0719df6ce9d477237097f107e6674fc65c
+  data.tar.gz: 98219b8cd14bc7265cc63a2d52cfba5bdaea28a17b9854999d7fc4b0d44ce2e127f572401cbc07b7060d2d519834fca5dfe1d76fa2973db7f9fcc88b8fea6600

data/Gemfile CHANGED

@@ -10,6 +10,6 @@ group :development do
   gem "rails_email_validator"
   gem "easy_captcha"
   gem "bundler", ">= 1.0.0"
-  gem "jeweler", "~> 1.8.4"
+  gem "jeweler", "~> 2.0.1"
 #  gem "rcov", ">= 0"
 end

data/Gemfile.lock CHANGED

@@ -1,43 +1,45 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.9)
-      actionpack (= 3.2.9)
-      mail (~> 2.4.4)
-    actionpack (3.2.9)
-      activemodel (= 3.2.9)
-      activesupport (= 3.2.9)
-      builder (~> 3.0.0)
+    actionmailer (4.0.2)
+      actionpack (= 4.0.2)
+      mail (~> 2.5.4)
+    actionpack (4.0.2)
+      activesupport (= 4.0.2)
+      builder (~> 3.1.0)
       erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.0)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.9)
-      activesupport (= 3.2.9)
-      builder (~> 3.0.0)
-    activerecord (3.2.9)
-      activemodel (= 3.2.9)
-      activesupport (= 3.2.9)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.9)
-      activemodel (= 3.2.9)
-      activesupport (= 3.2.9)
-    activesupport (3.2.9)
-      i18n (~> 0.6)
-      multi_json (~> 1.0)
-    arel (3.0.2)
-    bcrypt-ruby (3.0.1)
-    builder (3.0.4)
-    devise (2.1.2)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    activemodel (4.0.2)
+      activesupport (= 4.0.2)
+      builder (~> 3.1.0)
+    activerecord (4.0.2)
+      activemodel (= 4.0.2)
+      activerecord-deprecated_finders (~> 1.0.2)
+      activesupport (= 4.0.2)
+      arel (~> 4.0.0)
+    activerecord-deprecated_finders (1.0.3)
+    activesupport (4.0.2)
+      i18n (~> 0.6, >= 0.6.4)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    addressable (2.3.5)
+    arel (4.0.1)
+    atomic (1.1.14)
+    bcrypt-ruby (3.1.2)
+    builder (3.1.4)
+    descendants_tracker (0.0.3)
+    devise (3.2.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
-      warden (~> 1.2.1)
-    diff-lcs (1.1.3)
-    easy_captcha (0.5.1)
+      railties (>= 3.2.6, < 5)
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+    diff-lcs (1.2.5)
+    docile (1.1.2)
+    easy_captcha (0.6.4)
       bundler (>= 1.1.0)
       rails (>= 3.0.0)
       rmagick (>= 2.13.1)
@@ -45,81 +47,111 @@ GEM
       simplecov (>= 0.3.8)
       yard (>= 0.7.0)
     erubis (2.7.0)
-    git (1.2.5)
-    hike (1.2.1)
-    i18n (0.6.1)
-    jeweler (1.8.4)
-      bundler (~> 1.0)
+    faraday (0.9.0)
+      multipart-post (>= 1.2, < 3)
+    git (1.2.6)
+    github_api (0.11.1)
+      addressable (~> 2.3)
+      descendants_tracker (~> 0.0.1)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 1.2)
+      multi_json (>= 1.7.5, < 2.0)
+      nokogiri (~> 1.6.0)
+      oauth2
+    hashie (2.0.5)
+    highline (1.6.20)
+    hike (1.2.3)
+    i18n (0.6.9)
+    jeweler (2.0.1)
+      builder
+      bundler (>= 1.0)
       git (>= 1.2.5)
+      github_api
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
       rake
       rdoc
-    journey (1.0.4)
-    json (1.7.5)
-    mail (2.4.4)
-      i18n (>= 0.4.0)
+    json (1.8.1)
+    jwt (0.1.11)
+      multi_json (>= 1.5)
+    mail (2.5.4)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    mime-types (1.19)
-    multi_json (1.3.7)
-    orm_adapter (0.4.0)
+    mime-types (1.25.1)
+    mini_portile (0.5.2)
+    minitest (4.7.5)
+    multi_json (1.8.4)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    nokogiri (1.6.1)
+      mini_portile (~> 0.5.0)
+    oauth2 (0.9.3)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 0.1.8)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    orm_adapter (0.5.0)
     polyglot (0.3.3)
-    rack (1.4.1)
-    rack-cache (1.2)
-      rack (>= 0.4)
-    rack-ssl (1.3.2)
-      rack
+    rack (1.5.2)
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.9)
-      actionmailer (= 3.2.9)
-      actionpack (= 3.2.9)
-      activerecord (= 3.2.9)
-      activeresource (= 3.2.9)
-      activesupport (= 3.2.9)
-      bundler (~> 1.0)
-      railties (= 3.2.9)
+    rails (4.0.2)
+      actionmailer (= 4.0.2)
+      actionpack (= 4.0.2)
+      activerecord (= 4.0.2)
+      activesupport (= 4.0.2)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.0.2)
+      sprockets-rails (~> 2.0.0)
     rails_email_validator (0.1.4)
       activemodel (>= 3.0.0)
-    railties (3.2.9)
-      actionpack (= 3.2.9)
-      activesupport (= 3.2.9)
-      rack-ssl (~> 1.3.2)
+    railties (4.0.2)
+      actionpack (= 4.0.2)
+      activesupport (= 4.0.2)
       rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
-    rake (10.0.2)
-    rdoc (3.12)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.1.1)
+    rdoc (4.1.1)
       json (~> 1.4)
-    rmagick (2.13.1)
-    rspec-core (2.12.0)
-    rspec-expectations (2.12.0)
-      diff-lcs (~> 1.1.3)
-    rspec-mocks (2.12.0)
-    rspec-rails (2.12.0)
+    rmagick (2.13.2)
+    rspec-core (2.14.7)
+    rspec-expectations (2.14.4)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.4)
+    rspec-rails (2.14.1)
       actionpack (>= 3.0)
+      activemodel (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 2.12.0)
-      rspec-expectations (~> 2.12.0)
-      rspec-mocks (~> 2.12.0)
-    simplecov (0.7.1)
-      multi_json (~> 1.0)
-      simplecov-html (~> 0.7.1)
-    simplecov-html (0.7.1)
-    sprockets (2.2.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    simplecov (0.8.2)
+      docile (~> 1.1.0)
+      multi_json
+      simplecov-html (~> 0.8.0)
+    simplecov-html (0.8.0)
+    sprockets (2.10.1)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    thor (0.16.0)
-    tilt (1.3.3)
-    treetop (1.4.12)
+    sprockets-rails (2.0.1)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (~> 2.8)
+    thor (0.18.1)
+    thread_safe (0.1.3)
+      atomic
+    tilt (1.4.1)
+    treetop (1.4.15)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.35)
-    warden (1.2.1)
+    tzinfo (0.3.38)
+    warden (1.2.3)
       rack (>= 1.0)
-    yard (0.8.3)
+    yard (0.8.7.3)
 PLATFORMS
   ruby
@@ -128,6 +160,6 @@ DEPENDENCIES
   bundler (>= 1.0.0)
   devise (>= 2.0.0)
   easy_captcha
-  jeweler (~> 1.8.4)
+  jeweler (~> 2.0.1)
   rails (>= 3.1.1)
   rails_email_validator

data/README.md ADDED

@@ -0,0 +1,238 @@
+# Devise Security Extension
+An enterprise security extension for [Devise](https://github.com/plataformatec/devise), trying to meet industrial standard security demands for web applications.
+It is composed of 6 addtional Devise modules:
+* `:password_expirable` - passwords will expire after a configured time (and will need an update)
+* `:secure_validatable` - better way to validate a model (email, stronger password validation). Don't use with Devise `:validatable` module!
+* `:password_archivable` - save used passwords in an `old_passwords` table for history checks (don't be able to use a formerly used password)
+* `:session_limitable` - ensures, that there is only one session usable per account at once
+* `:expirable` - expires a user account after x days of inactivity (default 90 days)
+* `:security_questionable` - as accessible substitution for captchas (security question with captcha fallback)
+Configuration and database schema for each module below.
+## Additional features
+* **captcha support** for `sign_up`, `sign_in`, `recover` and `unlock` (to make automated mass creation and brute forcing of accounts harder)
+## Getting started
+Devise Security Extension works with Devise on Rails 3.2 onwards. You can add it to your Gemfile after you successfully set up Devise (see [Devise documentation](https://github.com/plataformatec/devise)) with:
+```ruby
+gem 'devise_security_extension'
+```
+Run the bundle command to install it.
+After you installed Devise Security Extension you need to run the generator:
+```console
+rails generate devise_security_extension:install
+```
+The generator will inject the available configuration options into the **existing** Devise initializer and you MUST take a look at it (and all the Devise configuration as well). When you are done, you are ready to add Devise Security Extension modules on top of Devise modules to any of your Devise models:
+```ruby
+devise :password_expirable, :secure_validatable, :password_archivable, :session_limitable, :expirable
+```
+for `:secure_validatable` you need to add
+```ruby
+gem 'rails_email_validator'
+```
+## Configuration
+```ruby
+Devise.setup do |config|
+  # ==> Security Extension
+  # Configure security extension for devise
+  # Should the password expire (e.g 3.months)
+  # config.expire_password_after = 3.months
+  # Need 1 char of A-Z, a-z and 0-9
+  # config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
+  # How often save old passwords in archive
+  # config.password_archiving_count = 5
+  # Deny old password (true, false, count)
+  # config.deny_old_passwords = true
+  # captcha integration for recover form
+  # config.captcha_for_recover = true
+  # captcha integration for sign up form
+  # config.captcha_for_sign_up = true
+  # captcha integration for sign in form
+  # config.captcha_for_sign_in = true
+  # captcha integration for unlock form
+  # config.captcha_for_unlock = true
+  # security_question integration for recover form
+  # this automatically enables captchas (captcha_for_recover, as fallback)
+  # config.security_question_for_recover = false
+  # security_question integration for unlock form
+  # this automatically enables captchas (captcha_for_unlock, as fallback)
+  # config.security_question_for_unlock = false
+  # security_question integration for confirmation form
+  # this automatically enables captchas (captcha_for_confirmation, as fallback)
+  # config.security_question_for_confirmation = false
+  # ==> Configuration for :expirable
+  # Time period for account expiry from last_activity_at
+  # config.expire_after = 90.days
+end
+```
+## Captcha-Support
+The captcha support depends on [EasyCaptcha](https://github.com/phatworx/easy_captcha). See further documention there.
+### Installation
+1. Add EasyCaptcha to your `Gemfile` with
+```ruby
+gem 'easy_captcha'
+```
+2. Run the initializer
+```ruby
+rails generate easy_captcha:install
+```
+3. Enable captcha - see "Configuration" of Devise Security Extension above.
+4. Add the captcha in the generated devise views for each controller you have activated
+```erb
+<p><%= captcha_tag %></p>
+<p><%= text_field_tag :captcha %></p>
+```
+## Schema
+### Password expirable
+```ruby
+create_table :the_resources do |t|
+  # other devise fields
+  t.datetime :password_changed_at
+end
+add_index :the_resources, :password_changed_at
+```
+### Password archivable
+```ruby
+create_table :old_passwords do |t|
+  t.string :encrypted_password, :null => false
+  t.string :password_salt
+  t.string :password_archivable_type, :null => false
+  t.integer :password_archivable_id, :null => false
+  t.datetime :created_at
+end
+add_index :old_passwords, [:password_archivable_type, :password_archivable_id], :name => :index_password_archivable
+```
+### Session limitable
+```ruby
+create_table :the_resources do |t|
+  # other devise fields
+  t.string :unique_session_id, :limit => 20
+end
+```
+### Expirable
+```ruby
+create_table :the_resources do |t|
+  # other devise fields
+  t.datetime :last_activity_at
+  t.datetime :expired_at
+end
+add_index :the_resources, :last_activity_at
+add_index :the_resources, :expired_at
+```
+### Security questionable
+```ruby
+create_table :security_questions do |t|
+  t.string :locale, :null => false
+  t.string :name, :null => false
+end
+SecurityQuestion.create! locale: :de, name: 'Wie lautet der Geburstname Ihrer Mutter?'
+SecurityQuestion.create! locale: :de, name: 'Wo sind sie geboren?'
+SecurityQuestion.create! locale: :de, name: 'Wie lautet der Name Ihres ersten Haustieres?'
+SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsfilm?'
+SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsbuch?'
+SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingstier?'
+SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblings-Reiseland?'
+```
+```ruby
+add_column :the_resources, :security_question_id, :integer
+add_column :the_resources, :security_question_answer, :string
+```
+or
+```ruby
+create_table :the_resources do |t|
+  # other devise fields
+  t.integer :security_question_id
+  t.string :security_question_answer
+end
+```
+## Requirements
+* Devise (https://github.com/plataformatec/devise)
+* Rails 3.2 onwards (http://github.com/rails/rails)
+* recommendations:
+  * `autocomplete-off` (http://github.com/phatworx/autocomplete-off)
+  * `easy_captcha` (http://github.com/phatworx/easy_captcha)
+  * `rails_email_validator` (http://github.com/phatworx/rails_email_validator)
+## Todo
+* see the github issues (feature requests)
+## History
+* 0.1 expire passwords
+* 0.2 strong password validation
+* 0.3 password archivable with validation
+* 0.4 captcha support for sign_up, sign_in, recover and unlock
+* 0.5 session_limitable module
+* 0.6 expirable module
+* 0.7 security questionable module for recover and unlock
+* 0.8 Support for Rails 4 (+ variety of patches)
+## Maintainers
+* Team Phatworx (http://github.com/phatworx)
+* Alexander Dreher (http://github.com/alexdreher)
+* Christoph Chilian (http://github.com/cc-web)
+* Marco Scholl (http://github.com/traxanos)
+## Contributing to devise_security_extension
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+## Copyright
+Copyright (c) 2011-2012 Marco Scholl. See LICENSE.txt for further details.

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.7.2
1	+ 0.8.0

data/app/controllers/devise/password_expired_controller.rb CHANGED

@@ -11,7 +11,7 @@ class Devise::PasswordExpiredController < DeviseController
   end
   def update
-    if resource.update_with_password(params[resource_name])
+    if resource.update_with_password(resource_params)
       warden.session(scope)[:password_expired] = false
       set_flash_message :notice, :updated
       sign_in scope, resource, :bypass => true
@@ -23,6 +23,9 @@ class Devise::PasswordExpiredController < DeviseController
   end
   private
+    def resource_params
+      params.require(resource_name).permit!
+    end
   def scope
     resource_name.to_sym

data/config/locales/de.yml CHANGED

@@ -3,6 +3,7 @@ de:
     messages:
       taken_in_past: "wurde bereits in der Vergangenheit verwendet!"
       equal_to_current_password: "darf nicht dem aktuellen Passwort entsprechen!"
+      password_format: "müssen große, kleine Buchstaben und Ziffern enthalten"
   devise:
     invalid_captcha: "Die Captchaeingabe ist nicht gültig!"
     password_expired:

data/config/locales/en.yml CHANGED

@@ -3,6 +3,7 @@ en:
     messages:
       taken_in_past: "was already taken in the past!"
       equal_to_current_password: "must be different to the current password!"
+      password_format: "must contain big, small letters and digits"
   devise:
     invalid_captcha: "The captcha input is not valid!"
     password_expired:

data/devise_security_extension.gemspec CHANGED

@@ -2,26 +2,28 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
+# stub: devise_security_extension 0.8.0 ruby lib
 Gem::Specification.new do |s|
   s.name = "devise_security_extension"
-  s.version = "0.7.2"
+  s.version = "0.8.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
   s.authors = ["Marco Scholl", "Alexander Dreher"]
-  s.date = "2012-11-22"
+  s.date = "2014-01-31"
   s.description = "An enterprise security extension for devise, trying to meet industrial standard security demands for web applications."
   s.email = "team@phatworx.de"
   s.extra_rdoc_files = [
     "LICENSE.txt",
-    "README.rdoc"
+    "README.md"
   ]
   s.files = [
     ".document",
     "Gemfile",
     "Gemfile.lock",
     "LICENSE.txt",
-    "README.rdoc",
+    "README.md",
     "Rakefile",
     "VERSION",
     "app/controllers/devise/password_expired_controller.rb",
@@ -61,12 +63,11 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/phatworx/devise_security_extension"
   s.licenses = ["MIT"]
-  s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.24"
+  s.rubygems_version = "2.2.1"
   s.summary = "Security extension for devise"
   if s.respond_to? :specification_version then
-    s.specification_version = 3
+    s.specification_version = 4
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<rails>, [">= 3.1.1"])
@@ -74,14 +75,14 @@ Gem::Specification.new do |s|
       s.add_development_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_development_dependency(%q<easy_captcha>, [">= 0"])
       s.add_development_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_development_dependency(%q<jeweler>, ["~> 2.0.1"])
     else
       s.add_dependency(%q<rails>, [">= 3.1.1"])
       s.add_dependency(%q<devise>, [">= 2.0.0"])
       s.add_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_dependency(%q<easy_captcha>, [">= 0"])
       s.add_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+      s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
     end
   else
     s.add_dependency(%q<rails>, [">= 3.1.1"])
@@ -89,7 +90,7 @@ Gem::Specification.new do |s|
     s.add_dependency(%q<rails_email_validator>, [">= 0"])
     s.add_dependency(%q<easy_captcha>, [">= 0"])
     s.add_dependency(%q<bundler>, [">= 1.0.0"])
-    s.add_dependency(%q<jeweler>, ["~> 1.8.4"])
+    s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
   end
 end

data/lib/devise_security_extension/hooks/session_limitable.rb CHANGED

@@ -17,10 +17,10 @@ Warden::Manager.after_set_user :only => :fetch do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
-  if warden.authenticated?(scope) && options[:store] != false
+  if record.respond_to?(:unique_session_id) && warden.authenticated?(scope) && options[:store] != false
     if record.unique_session_id != warden.session(scope)['unique_session_id'] && !env['devise.skip_session_limitable']
       warden.logout(scope)
       throw :warden, :scope => scope, :message => :session_limited
     end
   end
-end
+end

data/lib/devise_security_extension/models/expirable.rb CHANGED

@@ -20,8 +20,7 @@ module Devise
       # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
       def update_last_activity!
-        self.last_activity_at = Time.now.utc
-        save(:validate => false)
+        self.update_column(:last_activity_at, Time.now.utc)
       end
       # Tells if the account has expired

data/lib/devise_security_extension/models/old_password.rb CHANGED

@@ -1,5 +1,3 @@
 class OldPassword < ActiveRecord::Base
   belongs_to :password_archivable, :polymorphic => true
-  attr_accessible :encrypted_password, :password_salt
 end

data/lib/devise_security_extension/models/secure_validatable.rb CHANGED

@@ -17,17 +17,27 @@ module Devise
         assert_secure_validations_api!(base)
         base.class_eval do
+          # validate login in a strict way if not yet validated
+          unless has_uniqueness_validation_of_login?
+            validation_condition = "#{login_attribute}_changed?".to_sym
-          # uniq login
-          validates authentication_keys[0], :uniqueness => {:scope => authentication_keys[1..-1], :case_sensitive => (case_insensitive_keys != false)}, :if => :email_changed?
+            validates login_attribute, :uniqueness => {
+                                          :scope          => authentication_keys[1..-1],
+                                          :case_sensitive => !!case_insensitive_keys
+                                        },
+                                        :if => validation_condition
+          end
-          # validates email
-          validates :email, :presence => true, :if => :email_required?
-          validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
-          validates :email, :email => email_validation if email_validation # use rails_email_validator or similar
-          # validates password
-          validates :password, :presence => true, :length => password_length, :format => password_regex, :confirmation => true, :if => :password_required?
+          unless devise_validation_enabled?
+            validates :email, :presence => true, :if => :email_required?
+            validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
+            validates :password, :presence => true, :length => password_length, :confirmation => true, :if => :password_required?
+          end
+          # extra validations
+          validates :email,    :email  => email_validation if email_validation # use rails_email_validator or similar
+          validates :password, :format => { :with => password_regex, :message => :password_format }, :if => :password_required?
           # don't allow use same password
           validate :current_equal_password_validation
@@ -62,6 +72,22 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :password_regex, :password_length, :email_validation)
+      private
+        def has_uniqueness_validation_of_login?
+          validators.any? do |validator|
+            validator.kind_of?(ActiveRecord::Validations::UniquenessValidator) &&
+              validator.attributes.include?(login_attribute)
+          end
+        end
+        def login_attribute
+          authentication_keys[0]
+        end
+        def devise_validation_enabled?
+          self.ancestors.map(&:to_s).include? 'Devise::Models::Validatable'
+        end
       end
     end
   end

data/lib/devise_security_extension/models/security_question.rb CHANGED

@@ -1,3 +1,3 @@
 class SecurityQuestion < ActiveRecord::Base
-  attr_accessible :locale, :name
 end

data/lib/devise_security_extension/models/security_questionable.rb CHANGED

@@ -3,10 +3,13 @@ module Devise
     # SecurityQuestionable is an accessible add-on for visually handicapped people,
     # to ship around the captcha with screenreader compatibility.
     #
-    # You need to add two text_field_tags to the associated form:
+    # You need to add two text_field_tags to the associated forms (unlock,
+    # password, confirmation):
     # :security_question_answer and :captcha
     #
     # And add the security_question to the register/edit form.
+    # f.select :security_question_id, SecurityQuestion.where(locale: I18n.locale).map{|s| [s.name, s.id]}
+    # f.text_field :security_question_answer
     module SecurityQuestionable
       extend ActiveSupport::Concern

data/lib/devise_security_extension/patches/registrations_controller_captcha.rb CHANGED

@@ -3,25 +3,26 @@ module DeviseSecurityExtension::Patches
     extend ActiveSupport::Concern
     included do
       define_method :create do
-        build_resource
+        build_resource(sign_up_params)
         if valid_captcha? params[:captcha]
           if resource.save
+            yield resource if block_given?
             if resource.active_for_authentication?
-              set_flash_message :notice, :signed_up if is_navigational_format?
-              sign_in(resource_name, resource)
+              set_flash_message :notice, :signed_up if is_flashing_format?
+              sign_up(resource_name, resource)
               respond_with resource, :location => after_sign_up_path_for(resource)
             else
-              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
-              expire_session_data_after_sign_in!
+              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+              expire_data_after_sign_in!
               respond_with resource, :location => after_inactive_sign_up_path_for(resource)
             end
           else
             clean_up_passwords resource
             respond_with resource
           end
         else
           resource.errors.add :base, t('devise.invalid_captcha')
           clean_up_passwords resource

data/lib/devise_security_extension/patches/sessions_controller_captcha.rb CHANGED

@@ -4,12 +4,13 @@ module DeviseSecurityExtension::Patches
     included do
       define_method :create do
         if valid_captcha? params[:captcha]
-          resource = warden.authenticate!(auth_options)
-          set_flash_message(:notice, :signed_in) if is_navigational_format?
+          self.resource = warden.authenticate!(auth_options)
+          set_flash_message(:notice, :signed_in) if is_flashing_format?
           sign_in(resource_name, resource)
+          yield resource if block_given?
           respond_with resource, :location => after_sign_in_path_for(resource)
         else
-          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          flash[:alert] = t('devise.invalid_captcha') if is_flashing_format?
           respond_with({}, :location => new_session_path(resource_name))
         end
       end

metadata CHANGED

@@ -1,8 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_security_extension
 version: !ruby/object:Gem::Version
-  version: 0.7.2
-  prerelease:
+  version: 0.8.0
 platform: ruby
 authors:
 - Marco Scholl
@@ -10,104 +9,92 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-11-22 00:00:00.000000000 Z
+date: 2014-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rails_email_validator
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: easy_captcha
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: jeweler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.4
+        version: 2.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.8.4
+        version: 2.0.1
 description: An enterprise security extension for devise, trying to meet industrial
   standard security demands for web applications.
 email: team@phatworx.de
@@ -115,13 +102,13 @@ executables: []
 extensions: []
 extra_rdoc_files:
 - LICENSE.txt
-- README.rdoc
+- README.md
 files:
-- .document
+- ".document"
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
-- README.rdoc
+- README.md
 - Rakefile
 - VERSION
 - app/controllers/devise/password_expired_controller.rb
@@ -161,29 +148,25 @@ files:
 homepage: http://github.com/phatworx/devise_security_extension
 licenses:
 - MIT
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 2180026344185734924
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.24
+rubygems_version: 2.2.1
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Security extension for devise
 test_files: []

data/README.rdoc DELETED

@@ -1,193 +0,0 @@
-= devise_security_extension
-An enterprise security extension for devise, trying to meet industrial standard security demands for web applications.
-== Features
-* captcha support for sign_up, sign_in, recover and unlock (to make automated mass creation and brute forcing of accounts harder)
-=== Model modules
-* :password_expirable - passwords will expire after a configured time (and will need an update)
-* :secure_validatable - better way to validate a model (email, stronger password validation). Don't use with :validatable!
-* :password_archivable - save used passwords in an old_passwords table for history checks (don't be able to use a formerly used password)
-* :session_limitable - ensures, that there is only one session usable per account at once
-* :expirable - expires a user account after x days of inactivity (default 90 days)
-* :security_questionable - as accessible substitution for captchas (security question with captcha fallback)
-== Installation
-Add to Gemfile
-  gem 'devise_security_extension'
-after bundle install
-  rails g devise_security_extension:install
-for :secure_validatable you need to add
-  gem 'rails_email_validator'
-== Configuration
-  Devise.setup do |config|
-    # Should the password expire (e.g 3.months)
-    # config.expire_password_after = 3.months
-    # Need 1 char of A-Z, a-z and 0-9
-    # config.password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
-    # How often save old passwords in archive
-    # config.password_archiving_count = 5
-    # Deny old password (true, false, count)
-    # config.deny_old_passwords = true
-    # captcha integration for recover form
-    # config.captcha_for_recover = true
-    # captcha integration for sign up form
-    # config.captcha_for_sign_up = true
-    # captcha integration for sign in form
-    # config.captcha_for_sign_in = true
-    # captcha integration for unlock form
-    # config.captcha_for_unlock = true
-    # security_question integration for recover form
-    # this automatically enables captchas (captcha_for_recover, as fallback)
-    # config.security_question_for_recover = false
-    # security_question integration for unlock form
-    # this automatically enables captchas (captcha_for_unlock, as fallback)
-    # config.security_question_for_unlock = false
-    # security_question integration for confirmation form
-    # this automatically enables captchas (captcha_for_confirmation, as fallback)
-    # config.security_question_for_confirmation = false
-    # ==> Configuration for :expirable
-    # Time period for account expiry from last_activity_at
-    config.expire_after = 90.days
-  end
-== Captcha-Support
-=== Installation
-1. add to Gemfile "gem 'easy_captcha'"
-2. install easy_captcha "rails g easy_captcha:install"
-3. enable captcha - see "Configuration"
-4. add captcha source in the devise views for each controller you have activated
-  <p><%= captcha_tag %></p>
-  <p><%= text_field_tag :captcha %></p>
-That's it!
-== Schema
-=== Password expirable
-  create_table :the_resources do |t|
-    # other devise fields
-    t.datetime :password_changed_at
-  end
-  add_index :the_resources, :password_changed_at
-=== Password archivable
-  create_table :old_passwords do |t|
-    t.string :encrypted_password, :null => false
-    t.string :password_salt
-    t.string :password_archivable_type, :null => false
-    t.integer :password_archivable_id, :null => false
-    t.datetime :created_at
-  end
-  add_index :old_passwords, [:password_archivable_type, :password_archivable_id], :name => :index_password_archivable
-=== Session limitable
-  create_table :the_resources do |t|
-    # other devise fields
-    t.string :unique_session_id, :limit => 20
-  end
-=== Expirable
-  create_table :the_resources do |t|
-    # other devise fields
-    t.datetime :last_activity_at
-    t.datetime :expired_at
-  end
-  add_index :the_resources, :last_activity_at
-  add_index :the_resources, :expired_at
-=== Security questionable
-  create_table :security_questions do |t|
-    t.string :locale, :null => false
-    t.string :name, :null => false
-  end
-  SecurityQuestion.create! locale: :de, name: 'Wie lautet der Geburstname Ihrer Mutter?'
-  SecurityQuestion.create! locale: :de, name: 'Wo sind sie geboren?'
-  SecurityQuestion.create! locale: :de, name: 'Wie lautet der Name Ihres ersten Haustieres?'
-  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsfilm?'
-  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingsbuch?'
-  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblingstier?'
-  SecurityQuestion.create! locale: :de, name: 'Was ist Ihr Lieblings-Reiseland?'
-  add_column :the_resources, :security_question_id, :integer
-  add_column :the_resources, :security_question_answer, :string
-or
-  create_table :the_resources do |t|
-    # other devise fields
-    t.integer :security_question_id
-    t.string :security_question_answer
-  end
-== Requirements
-* devise (https://github.com/plataformatec/devise)
-* Rails 3 (http://github.com/rails/rails)
-* recommendation: autocomplete-off (http://github.com/phatworx/autocomplete-off)
-== Todo
-* see the github issues (feature requests)
-== History
-* 0.1 expire passwords
-* 0.2 strong password validation
-* 0.3 password archivable with validation
-* 0.4 captcha support for sign_up, sign_in, recover and unlock
-* 0.5 session_limitable module
-* 0.6 expirable module
-* 0.7 security questionable module for recover and unlock
-== Maintainers
-* Team Phatworx (http://github.com/phatworx)
-* Marco Scholl (http://github.com/traxanos)
-* Alexander Dreher (http://github.com/alexdreher)
-* Christoph Chilian (http://github.com/cc-web)
-== Contributing to devise_security_extension
-* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
-* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
-* Fork the project
-* Start a feature/bugfix branch
-* Commit and push until you are happy with your contribution
-* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
-* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
-== Copyright
-Copyright (c) 2011-2012 Marco Scholl. See LICENSE.txt for further details.